What did I get. 

I could use some help. I got a virus attached to an email
claiming to be from Microsoft. Norton caught it, but I
don't know what it is or where it came from. I tried to
email back to the MS address in the email, but it was not
real. I did not save the .exe attachment, but I did save
the text and header information. Here goes.
Any clues? Thanks in advance.
Gary

Reporting-MTA: dns;inet-imc-02.redmond.corp.microsoft.com
Received-From-MTA: dns;smtp02.mrf.mail.rcn.net
Arrival-Date: Sun, 10 Mar 2002 13:17:57 -0800


Action: failed
Status: 5.1.1

Subject:  Microsoft Security Bulletin MS02-005. 4 Mar 2002
Cumulative Patch
Date:   Sun, 10 Mar 2002 16:16:55 -0500

Organization: Hands on Optics

I tried to download this file in accordance with the
instructions, but Norton Internet Security recognized it as
a virus. Is this a hoax?
Gary Hand


Received:                  from mx03.mrf.mail.rcn.net
([207.172.4.52]
[207.172.4.52]) by mta05.mrf.mail.rcn.net with ESMTP id

ail.rcn.net>;
Fri, 8 Mar 2002 18:58:18 -0500
Received:                  from smtp.comcast.net
([24.153.64.2]) by
mx03.mrf.mail.rcn.net with esmtp (Exim 3.35 #5) id
16jUFe-00009R-00;
Fri, 08 Mar 2002 18:58:18 -0500
Received:   from {*filter*}ie
(bgp01003446bgs.plyntv01.mi.comcast.net [68.41.177.31]) by
 mtaout45-02.icomcast.net (iPlanet Messaging Server 5.1
(built Feb 6 2002)) with SMTP id

Mar 200218:58:17 -0500 (EST)
Date:  Fri, 08 Mar 2002 18:58:02 -0500 (EST)
Date-warning:  Date header was inserted by
mtaout45-02.icomcast.net
From:  Microsoft Corporation Security Center

Subject: Internet Security Update



MIME-version:  1.0
Content-type:    multipart/mixed;
boundary="Boundary_(ID_L4vlVJXwPYDG4YE9y9d+jQ)"
X-Mozilla-Status:    8001
X-Mozilla-Status2:  00000000

Microsoft Customer,

this is the latest version of security update, the "4 Mar
2002 Cumulative Patch" update which eliminates all known
security vulnerabilities affecting Internet Explorer and MS
Outlook/Express as well as six new vulnerabilities, and is
discussed in Microsoft Security Bulletin MS02-005. Install
now to protect your computer from these vulnerabilities,
the most serious of which could allow an attacker to
run code on your computer.

Description of several well-know vulnerabilities:

- "Incorrect MIME Header Can Cause IE to Execute E-mail
Attachment" vulnerability. If a malicious user sends an
affected HTML e-mail or hosts an affected e-mail on a Web
site, and a user opens the e-mail or visits the Web site,
Internet Explorer automatically runs the executable
on the user's computer.

- A vulnerability that could allow an unauthorized user to
learn the location of cached content on your computer. This
could enable the unauthorized user to launch compiled HTML
Help (.chm) files that contain shortcuts to executables,
thereby enabling the unauthorized user to run the
executables on your computer.

- A new variant of the "Frame Domain Verification"
vulnerability could enable a malicious Web site operator to
open two browser windows, one in the Web site's domain and
the other on your local file system, and to pass
information from your computer to the Web site.

- CLSID extension vulnerability. Attachments which end with
a CLSID file extension do not show the actual full
extension of the file when saved and viewed with Windows
Explorer. This allows dangerous file types to look as
though they are simple, harmless files - such as JPG or WAV
files - that do not need to be blocked.

System requirements:
Versions of Windows no earlier than Windows 95.

This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01

How to install
Run attached file q216309.exe

How to use
You don't need to do anything after installing this item.

For more information about these issues, read Microsoft
Security Bulletin MS02-005, or visit link below.
http://www.*-*-*.com/
ult.asp If you have some questions about this article

Thank you for using Microsoft products.

With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft
Corporation.

   q216309.exe

Content-type:   application/x-msdownload; name=q216309.exe
Content-transfer-encoding:   base64
Content-disposition:  attachment; filename=q216309.exe



Fri, 27 Aug 2004 21:10:44 GMT  
 What did I get.
I just received this same email.  Postini stopped it
before it got to my mailbox.  "From: "Microsoft

    Subject: Internet Security Update

You would think that Microsoft would have something about
this on their virus alert page!  But nothing there so far.

Quote:
>-----Original Message-----
>I received the same message. When I tried to download it,
>I was warned by Norton that it was a virus "Gibe.32" or
>something like that. What I am wondering is how they found
>out that I receive the security bulletins from Microsoft.
>Here is the message sent to me:


>From: "Christophe Galeota"


>Subject: Watch this - Microsoft Security Update

>Date: Mon, 11 Mar 2002 16:13:22 +0100

>Microsoft Customer,

>     this is the latest version of security update, the

>----------------------------------------------------------
-
>---------------------

>Attachment  
> q216309.exe
>Type .exe : Scanning recommended    Scan With Norton
>Antivirus  
>  Save to my Yahoo! Briefcase  
>  Download File  

>Remember: You need to scan and clean your attachments
>every time you download or open them.

>>-----Original Message-----
>>I could use some help. I got a virus attached to an email
>>claiming to be from Microsoft. Norton caught it, but I
>>don't know what it is or where it came from. I tried to
>>email back to the MS address in the email, but it was not
>>real. I did not save the .exe attachment, but I did save
>>the text and header information. Here goes.
>>Any clues? Thanks in advance.
>>Gary

>>Reporting-MTA: dns;inet-imc-02.redmond.corp.microsoft.com
>>Received-From-MTA: dns;smtp02.mrf.mail.rcn.net
>>Arrival-Date: Sun, 10 Mar 2002 13:17:57 -0800


>>Action: failed
>>Status: 5.1.1

>>Subject:  Microsoft Security Bulletin MS02-005. 4 Mar 2002
>>Cumulative Patch
>>Date:   Sun, 10 Mar 2002 16:16:55 -0500

>>Organization: Hands on Optics

>>I tried to download this file in accordance with the
>>instructions, but Norton Internet Security recognized it as
>>a virus. Is this a hoax?
>>Gary Hand

>>Return-Path:                  



Quote:
>>Received:                  from mx03.mrf.mail.rcn.net
>>([207.172.4.52]
>>[207.172.4.52]) by mta05.mrf.mail.rcn.net with ESMTP id
>><20020308235818.ZAZC19155.mta05.mrf.mail.



Sat, 28 Aug 2004 10:18:04 GMT  
 What did I get.
I saw your message, Charlie, and I immediately saw the similarity
with one message containing W32 Gibe I received: both contain
recipient lists containing emails of people having their last
name starting in a similar way. That means that either the attacker
got his address lists from an "Internet white pages" site and started
sending the virus randomly to emails he obtained, or the virus itself
connects to these sites to obtain names and send messages
automatically. Can some security expert here tell us more?
Also I received 6 messages containing that trojan. Can somebody
tell me what that means? How does it happen that I got it 6 times?
Finally, how is the attacker able to conceal his identity?
What is that "p{*filter*}ie" bogus address in the email headers?
I made a web search and it is possible he might be exploiting a
sendmail bug, but how can he guarantee that the messages go through
sendmail servers?

OK, here are the headers of some of the messages that were sent to me:
Status: U

Received: from data40.dm.net.lb ([193.227.163.242]) by
data30.dm.net.lb
          (Netscape Messaging Server 3.6)  with ESMTP id AAA13C9;
          Mon, 11 Mar 2002 00:08:03 -0200
Received: from cgpf1.cgp.netins.net ([167.142.225.202]) by
data40.dm.net.lb
          (Netscape Messaging Server 3.6)  with ESMTP id AAA4765;
          Mon, 11 Mar 2002 01:12:23 -0200
Received: from [199.120.85.148] (HELO p{*filter*}ie)
  by cgpf1.cgp.netins.net (CommuniGate Pro SMTP 3.4.8)
  with SMTP id 38294301; Sun, 10 Mar 2002 16:11:15 -0600
From: "Microsoft Corporation Security Center"


Subject: Internet Security Update

MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="NextPart_000235"
Date: Sun, 10 Mar 2002 16:11:16 -0600

This is a multi-part message in MIME format.
You should read this with client which
supported MIME standard.

--NextPart_000235
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Status: U

Received: from data40.dm.net.lb ([193.227.163.242]) by
data30.dm.net.lb
          (Netscape Messaging Server 3.6)  with ESMTP id AAA12B8;
          Wed, 13 Mar 2002 18:29:16 -0200
Received: from imf02bis.bellsouth.net ([205.152.58.22]) by
data40.dm.net.lb
          (Netscape Messaging Server 3.6)  with ESMTP id AAA4978;
          Wed, 13 Mar 2002 19:33:40 -0200
Received: from p{*filter*}ie ([65.80.75.111]) by imf02bis.bellsouth.net
          (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with
SMTP

          Wed, 13 Mar 2002 11:34:30 -0500
From: "Microsoft Corporation Security Center"


Subject: Internet Security Update

MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="NextPart_000235"

Date: Wed, 13 Mar 2002 11:34:37 -0500

This is a multi-part message in MIME format.
You should read this with client which
supported MIME standard.

--NextPart_000235
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Status: U

Received: from data40.dm.net.lb ([193.227.163.242]) by
data30.dm.net.lb
          (Netscape Messaging Server 3.6)  with ESMTP id AAA558A;
          Thu, 14 Mar 2002 04:47:15 -0200
Received: from smtp1.rdc-kc.rr.com ([24.94.162.200]) by
data40.dm.net.lb
          (Netscape Messaging Server 3.6)  with ESMTP id AAA1A41;
          Thu, 14 Mar 2002 05:51:38 -0200
Received: from p{*filter*}ie (mkc-65-28-1-147.kc.rr.com [65.28.1.147])
        by smtp1.rdc-kc.rr.com (8.12.2/8.12.2) with SMTP id g2E2nOhe002261;
        Wed, 13 Mar 2002 20:49:55 -0600 (CST)
Date: Wed, 13 Mar 2002 20:49:24 -0600 (CST)

From: "Microsoft Corporation Security Center"


Subject: Internet Security Update

MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="NextPart_000235"

This is a multi-part message in MIME format.
You should read this with client which
supported MIME standard.

--NextPart_000235
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable



Mon, 30 Aug 2004 21:59:54 GMT  
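
Added example, not part of any post in this thread: a Python sketch that splits the earliest `Received:` header of each of the three messages above into the HELO name, which is whatever string the connecting client chose to send, and the peer IP address, which the receiving server records itself. The function names are illustrative; the header values are copied from the post, unfolded and trimmed after "with SMTP".

```python
import re

# First-hop Received values from the three messages in the last post, unfolded
# and trimmed after "with SMTP". "p{*filter*}ie" is the forum's own redaction.
FIRST_HOPS = [
    "from [199.120.85.148] (HELO p{*filter*}ie) by cgpf1.cgp.netins.net "
    "(CommuniGate Pro SMTP 3.4.8) with SMTP",
    "from p{*filter*}ie ([65.80.75.111]) by imf02bis.bellsouth.net "
    "(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP",
    "from p{*filter*}ie (mkc-65-28-1-147.kc.rr.com [65.28.1.147]) "
    "by smtp1.rdc-kc.rr.com (8.12.2/8.12.2) with SMTP",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"\(HELO ([^)]+)\)")       # CommuniGate Pro style
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+) \[")  # sendmail style "(rdns [ip])"


def parse_first_hop(value):
    """Separate the client-supplied HELO from what the receiving server recorded."""
    from_part, _, by_part = value.partition(" by ")
    helo = HELO_RE.search(from_part)
    ip = IP_RE.search(from_part)
    rdns = RDNS_RE.search(from_part)
    claimed = helo.group(1) if helo else from_part.split()[1]
    return {
        "claimed_helo": claimed,                        # sender controls this
        "helo_is_fqdn": "." in claimed,
        "peer_ip": ip.group(1) if ip else None,         # server observed this
        "peer_rdns": rdns.group(1) if rdns else None,   # server looked this up
        "recorded_by": (by_part.split() or [None])[0],
    }


def summarize(values):
    """Compare hops: the set of HELO strings against the list of peer IPs."""
    hops = [parse_first_hop(v) for v in values]
    return {
        "helo_names": sorted({h["claimed_helo"] for h in hops}),
        "peer_ips": [h["peer_ip"] for h in hops],
        "any_fqdn_helo": any(h["helo_is_fqdn"] for h in hops),
    }


if __name__ == "__main__":
    for hop in map(parse_first_hop, FIRST_HOPS):
        print(hop)
    print(summarize(FIRST_HOPS))
```

On these three headers the HELO string is identical and is not a fully qualified host name, while the recorded peer addresses fall in three different networks; the peer IP and the server that logged it are the fields to hand to the relevant provider's abuse desk.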
 