
garzy

macrumors regular
Original poster
Dec 21, 2002
179
0
Did anyone receive any emails containing this .pif virus in their .mac account? I got 3 emails today from addresses like @hotmail.com, @microsoft.com, and @rf.com containing what was obviously a virus. I didn't open them, as I was checking from a PC. Do I need to have concern about my account being hijacked and used to send these messages containing viruses?
 

zimv20

macrumors 601
Jul 18, 2002
4,402
11
toronto
Re: virus emails sent to .Mac account

Originally posted by garzy
Do I need to have concern about my account being hijacked and used to send these messages containing viruses?

not necessarily. it means that there are infected computers (PCs) that have your email in the address book.

but if you're using a PC, you should ensure you've run all your windows updates and are up-to-date on your virus protection.

from what i understand, Norton Anti-virus, w/ LiveUpdate enabled, updates its virus definitions every 4 hours.
 

garzy

macrumors regular
Original poster
Dec 21, 2002
179
0
But these are addresses that I have never seen, people I've never received mail from.
 

Farside161

macrumors member
Sep 12, 2002
47
0
Portland, OR
it's called the sobig.f virus, your email was found somewhere and messages were sent from random computers to try to infect you, don't worry it won't affect your mac.
 

rainman::|:|

macrumors 603
Feb 2, 2002
5,438
2
iowa
just delete them, ignore them. you can open them on a mac without problems, but it's pointless. pretend they're spam, nothing more.

pnw
 

SiliconAddict

macrumors 603
Jun 19, 2003
5,889
0
Chicago, IL
FYI

FYI just in case someone gets this. You may receive e-mails from either mail servers or users saying that you sent out an e-mail with an infected file.
Sobig is smart enough to bring its own SMTP engine with it so it can actually spoof an e-mail address such as any @mac.com address which in turn causes the recipient of the e-mail to think you sent them a virus.
Sorry but this is a brilliant worm. Evil but brilliant.
 

garzy

macrumors regular
Original poster
Dec 21, 2002
179
0
That is what I'm worried about! I am worried that it will mock my address and send emails to people that I have previously contacted with my .mac email account. So that can happen?
 

Gus

macrumors 65816
Jan 1, 2002
1,078
0
Minnesota
My wife has received 17 of the same e-mails in the last 3 days, and she has been worried about her account infecting others also. Funny that I haven't received even one of them. Weird.

Regards,
Gus
 

SiliconAddict

macrumors 603
Jun 19, 2003
5,889
0
Chicago, IL
Originally posted by garzy
That is what I'm worried about! I am worried that it will mock my address and send emails to people that I have previously contacted with my .mac email account. So that can happen?


Yep. I forgot to add one other feature this worm has. Unlike most mail worms and viruses this thing also goes through any HTML files, txt files, hlp files and a few other types in addition to your contact list in MS Lookout. So if you have a browser cache of web pages and there is a link in there it could possibly read webmaster@company.com and use that address among others.

Unless someone pays particular attention to the headers of the e-mail and watches where the e-mail originates they could easily think it's from you. The funky thing is that where I work people were getting e-mail from addresses that they've never even heard of simply because whoever has you in their contacts list most likely has other people/contacts/businesses that you've never even heard of. This is why this worm is causing such a major headache. It's flooding mail servers with phony e-mails and the kicker? Unless the ISP takes the time to track down the IP of where the original e-mail came from and NOT the address there is no way to warn the poor SOB who's sending out these e-mails. (Either that or start sniffing SMTP port activity on their networks for massive traffic. General rule of thumb: most people aren't running mail servers on their home puter.) Again brilliant. It doesn't take a mastermind to think up something like this but to implement it is another matter. This worm might not have spread so fast if it wasn't also for the fact that in addition to spreading via e-mail it uses the RPC hole that has been talked about the past few weeks. So it can not only spread to your computer but any other computer on your network and doubly repeat the above process.

This worm is making my life a living hell with all the patches but at the same time I have a permanent smirk on my face. Anything that gives MS a black eye and possibly increases Apple's market share is a good thing. I just wish it didn't have to be under such harsh conditions. The only saving grace of Sobig and Blaster is that its payload, or what it actually does to the system, can be fixed without much permanent harm.
Whoever's been putting these things out wasn't trying to destroy data. They were trying to wake MS and the public at large to the lack of security in Windows. Considering that this made front-page news on the Star Tribune here in MN and on the nightly news broadcast I would say mission accomplished.
 

garzy

macrumors regular
Original poster
Dec 21, 2002
179
0
I AM EMAILING THIS VIRUS TO OTHERS!!!!

I am emailing this virus to others! How do I stop it?

here is a copy of an email I received today...


From: Mail Delivery System <Mailer-Daemon@neutron.liquidweb.com>

To: <garzysemail@mac.com>
Date: Fri Aug 29, 2003 02:23:39 PM EDT
Subject: Mail delivery failed: returning message to sender





This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

andy@esioncentral.com
This message has been rejected because it has
a potentially executable attachment "application.pif"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------

Return-path: <garzysemail@mac.com>
Received: from ["my ip address here"] (helo=OKYOS)
by neutron.liquidweb.com with esmtp (Exim 4.20)
id 19snu6-0006QV-6Q
for andy@esioncentral.com; Fri, 29 Aug 2003 14:23:22 -0400
From: <garzysemail@mac.com>
To: <andy@esioncentral.com>
Subject: Re: That movie
Date: Fri, 29 Aug 2003 14:23:25 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_006CD166"
Message-Id: <E19snu6-0006QV-6Q@neutron.liquidweb.com>

This is a multipart message in MIME format

--_NextPart_000_006CD166
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

See the attached file for details
--_NextPart_000_006CD166
Content-Type: application/octet-stream;
name="application.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="application.pif"

 

garzy

macrumors regular
Original poster
Dec 21, 2002
179
0
my home ip address was where I substituted "my ip address"

how can i stop this from using my .mac account???!!

please help

thanks
 

Rower_CPU

Moderator emeritus
Oct 5, 2001
11,219
2
San Diego, CA
Originally posted by garzy
my home ip address was where I substituted "my ip address"

how can i stop this from using my .mac account???!!

please help

thanks

garzy, if you look at SiliconAddict's posts above, you will see that Sobig can "steal" email addresses.

Your .mac account is not infected.

Between this, Blaster and Nachi, our campus network has been loads of fun this summer. :rolleyes:
 

Schiffi

macrumors 6502a
May 22, 2003
545
0
Missouri
Yeah, and now all the windows users are using firewalls so now I can't get music off their Hard drives. grrrrrr
 

SiliconAddict

macrumors 603
Jun 19, 2003
5,889
0
Chicago, IL
Found this on Mac OS hints:

Andrew Stone of Stone Design sent in a submission for dealing with the w32.sobig.f worm that's currently filling many OS X users' mailboxes with hundreds of junk emails. I had also received a couple emails from users about the flood of email, and had started working on the same thing last night. Since it appears to be hitting a large number of people, here's Andrew's Mail rule which will automatically delete the vast majority of these worm spams. You can read more about the worm on Symantec's site.

Create a new Mail rule, and set "If 'any' of the following conditions are met," and add all of these conditions:

* Subject - Ends with - My details
* Subject - Ends with - Your details
* Subject - Ends with - Your application
* Subject - Ends with - Wicked screensaver
* Subject - Ends with - That movie
* Subject - Ends with - Approved
* Subject - Ends with - Details
* Subject - Ends with - Thank you!
* From - Is equal to - admin@internet.com

In the "Perform the following actions" section of the dialog, set the first action to "Delete message" and the second to "Stop evaluating rules." Make this new rule the first rule in your rules list, so it runs before everything else. Andrew created an image that displays the finished rule.

The macosxhints mail server has some spam-killing software installed, and it's done a good job at sheltering my inbox from the onslaught, but I still received over 50 of these in the last 24 hours. I've now added the above rule to my Mail rule definitions, though I choose to transfer them to a "Probably Junk" mailbox as opposed to deleting them. That way, I can review them just to be sure none are "real" emails (in particular, the "Thank you!" condition will probably catch a couple real emails).
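Added example, not from the macosxhints post or anyone in this thread: a Python triage script that applies the Mail rule above to a message constructed after the bounce garzy quoted, and also pulls the originating IP from the Received header that SiliconAddict and Rower_CPU point to as the only reliable clue to who really sent it. The example.com/example.org addresses, the 192.0.2.10 IP and the attachment body are constructed placeholders.

```python
# Triage a suspected Sobig.F-style message: apply the macosxhints Mail rule above
# and read the Received header the thread says people overlook (origin IP vs From).
import re
from email import message_from_string
from email.message import Message

# Conditions copied from the quoted Mail rule; .pif is the attachment type in garzy's bounce.
WORM_SUBJECT_SUFFIXES = ("My details", "Your details", "Your application",
                         "Wicked screensaver", "That movie", "Approved", "Details", "Thank you!")
WORM_FROM = "admin@internet.com"
RISKY_EXTENSIONS = (".pif",)

def matches_worm_rule(msg: Message) -> bool:
    """'If any of the following conditions are met': subject suffix or the fixed sender."""
    subject = (msg.get("Subject") or "").strip()
    sender = (msg.get("From") or "").strip().strip("<>")
    return sender == WORM_FROM or subject.endswith(WORM_SUBJECT_SUFFIXES)

def risky_attachments(msg: Message) -> list:
    """Attachment file names with an executable-style extension, whatever the subject says."""
    names = [p.get_filename() or "" for p in msg.walk()]
    return [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]

def originating_ip(msg: Message):
    """Bottom-most Received header = first hop; its bracketed IP is the real sender, not From:."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return m.group(1) if m else None

def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    return {"worm_rule": matches_worm_rule(msg),
            "risky_attachments": risky_attachments(msg),
            "origin_ip": originating_ip(msg),
            "claimed_from": (msg.get("From") or "").strip().strip("<>")}

# Constructed sample modelled on the quoted bounce: placeholder addresses, an RFC 5737
# placeholder IP, and a dummy base64 body (the word "dummy"), not the worm.
SAMPLE = """\
Received: from [192.0.2.10] (helo=OKYOS) by mx.example.net with esmtp (Exim 4.20)
From: <garzy@example.com>
Subject: Re: That movie
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="application.pif"

ZHVtbXk=
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The second check matters because the subject-based rule alone is only a heuristic: a message with a different subject line still carries the .pif attachment and still shows the real origin in Received.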
 

evolu

macrumors regular
Dec 10, 2002
232
0
LA la land...
And the virus has a sense of humor - It signed up a friend to an anger management newsletter!

btw - I linked the above hint in my first reply... Worked well for me.
 