Email Viruses Perhaps.

[bahamut1454]

these are the properties of emails i keep recieving.

Return-Path: <a.gibbo@ntlworld.com>
Received: from PHIL4PAYBACK.com ([62.155.185.193])
by mta02-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20031225164836.ZBTU29762.mta02-svc.ntlworld.com@PHIL4PAYBACK.com>;
Thu, 25 Dec 2003 16:48:36 +0000
From: a.gibbo@ntlworld.com
To: bahamut1454@ntlworld.com
Subject: Registration confirmation
Importance: Normal
X-Mailer: Microsoft Outlook Express 4.72.3612.1700
X-MSMail-Priority: Normal
Message-ID: <762d78e2191200.970bfxsmailerV06.8@ntlworld.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====PHIL4PAYBACK_ce9f1635d7cadabdd5"
Date: Thu, 25 Dec 2003 16:48:40 +0000



email i got:
Thanks for your registration.
( We say Sorry again, the first mail was delivered to an unknown mail address.
This was a bug in our mailing system! )


The amount of 239.- USD was deducted by your account.

Welcome,
you can now visit more than 1200 very very hot web pages!
Your registration, pages and passwords are in the attachment.

enjoy


this had a file attachent at 74.4kb
and this one:
Return-Path: <servers@adelphia.net>
Received: from PHIL4PAYBACK.net ([217.80.13.148]) by mta07-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20031224085816.OZXG2588.mta07-svc.ntlworld.com@PHIL4PAYBACK.net>;
Wed, 24 Dec 2003 08:58:16 +0000
From: servers@adelphia.net
To: hostend@ntlworld.com
Subject: a trojan is on your computer!
Importance: Normal
X-Mailer: Axion
Message-ID: <70086910724639.14110xmailV03.28@adelphia.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="79d41cfa4e8111.46412c92f67b"
Date: Wed, 24 Dec 2003 08:58:21 +0000


had this message with the same 74.4kb attachment:

hello, I am from Norway and you'll don't believe me,
but a trojan horse in on your computer.
I've scanned the network-ports on the internet. (I know, that's illegal)
And I have found your pc. Your pc is open on the internet for everybody!
Because the services.exe trojan is running on your system.
Check this, open the task manager and try to stop that!
You'll see, you can't stop this trojan.
When you use win98/me you can't see the trojan!!

On my system was this trojan, too!
And I've found a tool to kill that bad thing.
I hope that I've helped you!

Sorry for my bad english!

greets



i had another eamil the same as above but with different details, as follows:
Return-Path: <mime@toi.t-online.de>
Received: from PHIL4PAYBACK.de ([62.155.185.143]) by mta01-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20031222165903.WRAD26519.mta01-svc.ntlworld.com@PHIL4PAYBACK.de>;
Mon, 22 Dec 2003 16:59:03 +0000
From: mime@toi.t-online.de
To: steve.marlman@ntlworld.com
Subject: a trojan is on your computer!
X-MailScanner: Nothing was found
Importance: Normal
X-Mailer: Microsoft Outlook Express 4.72.3612.1700
X-MSMail-Priority: Normal
Message-ID: <21276848912239.93617@toi.t-online.de>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="PHIL4PAYBACK7696994266059119d1250f88e0"
Date: Mon, 22 Dec 2003 16:59:07 +0000



i think the 74.4kb file attachment is a virus as it has three different names in these emails, just want to know if anyone else is getting them and what you think. cause they seem tobe from an NTL email address.

nathan.

[quadplay]

I'm pretty sure they are viruses. Can you tell us the names of the files? Just because they're different doesn't always mean they're randomly generated. Secondly, What makes you think they're coming from ntlworld email addresses? The first one has an ntlworld email address as a From header, but since they're obviously spammed mails I'd ignore the From and To headers anyway.

You have three choices really:

• Ignore them - just don't open the attachments
• Forward these details to the abuse department at t-online.de - this is the (German) ISP that those IP addresses belong to
• Forward these details to ntl's abuse department at abuse@ntlworld.com - assuming ntl is your ISP - and let them do the German translation.

Never a bad idea to do a full scan of your system with up-to-date definition files, too!

[Xaccers]

services.exe is a system process, part of NT style OS's hence why win9x wouldn't show it.
You can bet the attachment is a virus.
Another thing, how could he track your email address from your IP address?

[Eric van Uden]

Just for confirmation:

I stumbled upon this forum when I entered a websearch to find specifics in relation to a very similar message.

The transcript below shows the text of the message I received and an addition by my antivirus software stating that the attachment was filtered out as being infected with the Sober-virus.

My reply is only to confirm that this is virus-trickery and that all previous posts were accurate.

Have a nice day.


Transcript follows:


--START-----------------------------------------------------------------
hi, I am from Denmark and you'll don't believe me,
but a trojan horse in on your computer.
I've scanned the network-ports on the internet. (I know, that's illegal)
And I have found your pc. Your pc is open on the internet for everybody!
Because the services.exe trojan is running on your system.
Check this, open the task manager and try to stop that!
You'll see, you can't stop this trojan.
When you use win98/me you can't see the trojan!!

On my system was this trojan, too!
And I've found a tool to kill that bad thing.
I hope that I've helped you!

================================================== ====================
The attachment "remove-services-patch.exe" has been removed from this message because
it was infected with a virus (Win32:Sober-C [Wrm])
================================================== ====================


greets
mvl5FB/bwbAzKH/KKLqytRkTZKR7od0P9UAYWXIBc690Kqozq34GWsa+0pKJbw8pI N5oarM=
--END-------------------------------------------------------------------

[br3ach]

lol, definately viruses or hoax's

anyone who opens the attachment from the foreign guy must be nuts ...

if you open that you deserve the virus IMO

[Anonymouse]

I had something similar: a warning (with 10 minutes to spare, counting down) that my cloud storge payment had been declined and everything would be deleted.

Very interesting, I thought...since I never applied for cloud storage in the first place. So spam. So deleted and blocked.

How stupid do they think I am? I might have had a stroke and I might be 60, but I haven't lost it yet!

Currently running full Norton system scan; nothing showing, and I don't expect it to. Nothing detected, resolved or requiring attention. This is JIC (Just In Case).

Nothing. Norton is on the case.

[thenry]

The cobwebs omg what have you resurrected

[SnoopZ]

Quote:

Originally Posted by thenry

The cobwebs omg what have you resurrected

Lol he's turning into Dude111, I thought CF had solved that issue.

[Carth]

I keep getting automated calls and the odd email about my Amazon Prime account (nope, don't have one), I usually delete (or hang up on) stuff that's probably crap . . hell I even hang up if NTL ring

[thenry]

Quote:

Originally Posted by SnoopZ

Lol he's turning into Dude111, I thought CF had solved that issue.

Antmans raving to his 8-track tunes

Quote:

Originally Posted by thenry

The cobwebs omg what have you resurrected

LOL, you were (just) a teenager when this was originally posted.

[thenry]

I was 13 doing everything I don't do now

[SnoopZ]

Quote:

Originally Posted by thenry

I was 13 doing everything I don't do now

Like wearing trousers?

[thenry]

When I joined my secondary school there was no uniform which meant I could wear shorts. Then at 13 the school decided to build a new school on premises and slowly introduce uniform. It started with just a t shirt. Then formal black trousers. Then shoes. Towards the end of 14 the new building was ready and the Queen and Prince Philip visited the school at 16.

I got some nice material trousers. It was ribbed but not. Soft suede feel.

Do our head of state mail get filtered for junk mail