Author Topic: weird virus thing ?!??!? (Read 416 times)

JB73 · « **on:** November 02, 2003, 10:56:53 PM »

i have gotten 10 emails today from weird places with this same message:

Quote

ScanMail for Microsoft Exchange has detected virus-infected attachment(s).

Sender = Microsoft
Recipient(s) = packers-outlist@dmi2.dminteractive.com
Subject = Use this patch immediately !
Scanning Time = 11/01/2003 12:31:27
Engine/Pattern = 6.640-1001/669

Action on virus found:
The attachment patch.exe contains PE_DUMARU.A virus. ScanMail has Deleted it.

Warning to recipient. ScanMail has detected a virus.

WTF is this?!?!??!

i did a full scan and nothing. but still these from all sorts of odd addresses coming to me

anyone know whats up?

BlckMgk · « **Reply #1 on:** November 02, 2003, 11:03:19 PM »

If your e-mail addy is on someones computer who has a virus could also be a possibility.

What the virus will do is "mask" itself by spoofing a false return e-mail address using any address it finds on the host computer.

So technically it might not be you who's sending the e-mail's. But either way carefull cause you've had contact with the "infected" computer before.

-BM

JB73 · « **Reply #2 on:** November 02, 2003, 11:08:50 PM »

but is this "notification" i got "legit"... a real server sending a reply to an addy it got a virus from? (ie virus masked sender addy to mine so this exchange server thinks im sending out the viruses)?

reminder .. like i said i got like 10 of these all with basically the same message some had an *.exe attachment (no i didnt open it or anything they are all deleted out of trash bin too) but all were from "exchange server" or something.

BlckMgk · « **Reply #3 on:** November 02, 2003, 11:14:37 PM »

No its not a legitimate replay... that "Patch" is the virus

________
This virus infects .EXE files using Alternate Data Stream (ADS). It searches the entire system for target executables but is only able to infect files in the root directory.

It propagates via email using its own Simple Mail Transfer Protocol (SMTP) engine. It arrives on email with the following format:

From: "Microsoft" security@microsoft.com
Subject: Use this patch immediately !
Message body: Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attachment: patch.exe

It drops a Trojan detected as TROJ_NAROD.A, which connects to IRC via port 6667 to allow remote users to manipulate infected systems. This Trojan allows remote users to perform a Denial of Service (DoS) attack against other machines using infected systems.
______________

Virus Report and Removal Instructions

-BM

JB73 · « **Reply #4 on:** November 02, 2003, 11:23:24 PM »

yeah .. just found this:

http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=dumaru

its odd though cause i KNOW im clean... wonder who i know that isnt? (not an AH player cause these came to an addy noone in AH has.. its my personal addy)

rpm · « **Reply #5 on:** November 02, 2003, 11:43:36 PM »

Quote

Originally posted by JB73
yeah .. just found this:

http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=dumaru

its odd though cause i KNOW im clean... wonder who i know that isnt? (not an AH player cause these came to an addy noone in AH has.. its my personal addy)

Anyone who has your addy in their address book.

Roscoroo · « **Reply #6 on:** November 03, 2003, 12:35:04 AM »

Sings the virous song .....

Somebooooooooody Youuuuuuuu knoooooow has it ....
Annnn theeeeeeeere trying to give it toooooo yoooooou oooo OOO !!!

AN of coursssssse theeeeeey have nooooooo ideaerrrrrrrrrrrr that they have iTTTTTTTTT !!! OOOOOOO OOOO.....