Weird E-Mails...Virus on Mac OS X? (harmless, for now) :-/
Ummmm i have been getting some weird-ass emails lately... 2/3 are "coming from" people i haven't talked to in months and the third is "from" someone i have never spoken to before...
I put from in quotes because after looking at the header information carefully it seems they are all originating from accounts <at> gwu.edu and the 2 emails from people i know do NOT go there... I do have 2 friends who go to GW and they could possibly have a virus, but I am not sure... I talked with them about it and they are not getting weird emails either...
the first 2 addresses are also in my address-book....
here is the header info for all three emails:
Wed Feb 26, 2003 6:57:42 PM US/Eastern
[quote] From: blaze483 <blaze483 <at> aol.com>
Date: Wed Feb 26, 2003 6:57:42 PM US/Eastern
To: psantora <at> mac.com
Subject: Marginwidth
Return-Path: <Celeste <at> gwu.edu>
Received: from smtpin04-en2.mac.com ([10.13.10.149]) by ms03.mac.com (Netscape Messaging Server 4.15) with ESMTP id HAXX7A00.8Y9 for <psantora <at> mac.com>; Wed, 26 Feb 2003 15:57:10 -0800
Received: from laplace.sag.gwu.edu (laplace.sag.gwu.edu [128.164.127.72]) by smtpin04-en2.mac.com (Xserve/MantshX 2.0) with ESMTP id h1QNv9ev020429 for <psantora <at> mac.com>; Wed, 26 Feb 2003 15:57:09 -0800 (PST)
Received: from lopes.sag.gwu.edu (lopes.sag.gwu.edu [192.168.61.125]) by laplace.sag.gwu.edu (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0HAX00G0YX73E0 <at> laplace.sag.gwu.edu> for psantora <at> mac.com; Wed, 26 Feb 2003 18:57:04 -0500 (EST)
Received: from lovelace.nit.gwu.edu (localhost [127.0.0.1]) by lopes.sag.gwu.edu (8.10.2+Sun/8.10.2) with ESMTP id h1QNiYR05587 for <psantora <at> mac.com>; Wed, 26 Feb 2003 18:44:34 -0500 (EST)
Received: from Gmqayy ([128.164.210.213]) by lovelace.nit.gwu.edu (8.12.1/8.12.1) with SMTP id h1QNvgCG003502 for <psantora <at> mac.com>; Wed, 26 Feb 2003 18:57:42 -0500 (EST)
Message-Id: <200302262357.h1QNvgCG003502 <at> lovelace.nit.gwu.edu>
Mime-Version: 1.0
Content-Type: MULTIPART/ALTERNATIVE; BOUNDARY="Boundary_(ID_h2aEIE8iz7I1D66kyd9mfQ)"
Attachments: There is 1 attachment
"900-0033_IMG[1].jpg (2.4 KB)"
[/quote]
Fri Feb 28, 2003 5:27:49 PM US/Eastern
[quote] From: borealis84 <borealis84 <at> aol.com>
Date: Fri Feb 28, 2003 5:27:49 PM US/Eastern
To: psantora <at> mac.com
Subject: Look,my beautiful girl friend
Return-Path: <dflage <at> gwu.edu>
Received: from smtpin04-en2.mac.com ([10.13.10.149]) by ms03.mac.com (Netscape Messaging Server 4.15) with ESMTP id HB1IEY00.HZ0 for <psantora <at> mac.com>; Fri, 28 Feb 2003 14:28:10 -0800
Received: from fourier.sag.gwu.edu (fourier.sag.gwu.edu [128.164.127.73]) by smtpin04-en2.mac.com (Xserve/MantshX 2.0) with ESMTP id h1SMS9ev004418 for <psantora <at> mac.com>; Fri, 28 Feb 2003 14:28:10 -0800 (PST)
Received: from fuchs.sag.gwu.edu (fuchs.sag.gwu.edu [192.168.61.126]) by fourier.sag.gwu.edu (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0HB100J2GIER8D <at> fourier.sag.gwu.edu> for psantora <at> mac.com; Fri, 28 Feb 2003 17:28:03 -0500 (EST)
Received: from fermi.nit.gwu.edu (localhost [127.0.0.1]) by fuchs.sag.gwu.edu (8.10.2+Sun/8.10.2) with ESMTP id h1SMOAp19500 for <psantora <at> mac.com>; Fri, 28 Feb 2003 17:24:10 -0500 (EST)
Received: from Xegbow ([128.164.210.213]) by fermi.nit.gwu.edu (8.12.1/8.12.1) with SMTP id h1SMRnBH004428 for <psantora <at> mac.com>; Fri, 28 Feb 2003 17:27:49 -0500 (EST)
Message-Id: <200302282227.h1SMRnBH004428 <at> fermi.nit.gwu.edu>
Mime-Version: 1.0
Content-Type: MULTIPART/ALTERNATIVE; BOUNDARY="Boundary_(ID_QVbbImSZei5Xdwl6NClv8w)"
Attachments: There is 1 attachment
"bigband[1].html (6.8 KB)"
[/quote]
Mon Mar 3, 2003 12:41:35 AM US/Eastern
((never heard of this person before))
[quote] From: kclemens <kclemens <at> snet.net>
Date: Mon Mar 3, 2003 12:41:35 AM US/Eastern
To: psantora <at> mac.com
Subject: Eager to see you
Return-Path: <dlsolof <at> gwu.edu>
Received: from smtpin04-en2.mac.com ([10.13.10.149]) by ms03.mac.com (Netscape Messaging Server 4.15) with ESMTP id HB5RU700.MY7 for <psantora <at> mac.com>; Sun, 2 Mar 2003 21:42:07 -0800
Received: from fourier.sag.gwu.edu (fourier.sag.gwu.edu [128.164.127.73]) by smtpin04-en2.mac.com (Xserve/MantshX 2.0) with ESMTP id h235fwev016849 for <psantora <at> mac.com>; Sun, 2 Mar 2003 21:42:06 -0800 (PST)
Received: from fuchs.sag.gwu.edu (fuchs.sag.gwu.edu [192.168.61.126]) by fourier.sag.gwu.edu (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0HB500BBMRTPF5 <at> fourier.sag.gwu.edu> for psantora <at> mac.com; Mon, 3 Mar 2003 00:41:49 -0500 (EST)
Received: from fermi.nit.gwu.edu (localhost [127.0.0.1]) by fuchs.sag.gwu.edu (8.10.2+Sun/8.10.2) with ESMTP id h235btk03642 for <psantora <at> mac.com>; Mon, 03 Mar 2003 00:37:55 -0500 (EST)
Received: from Mrvkmagfi ([128.164.210.213]) by fermi.nit.gwu.edu (8.12.1/8.12.1) with SMTP id h235fZBH018537 for <psantora <at> mac.com>; Mon, 03 Mar 2003 00:41:35 -0500 (EST)
Message-Id: <200303030541.h235fZBH018537 <at> fermi.nit.gwu.edu>
Mime-Version: 1.0
Content-Type: MULTIPART/ALTERNATIVE; BOUNDARY="Boundary_(ID_85I+5YxdNluojesMh6Qzgg)"
Attachments: There is 1 attachment
((this was actually a picture that showed up)) "netscape_news_adbackground[1].jpg" ((It is a weird 2-tone blue & turquoise rectangle with a transparent purple box in the bottom right))
[/quote]
I am running 10.2.4 and Apple's Mail App
If anyone has any insights I would appreciate it...
thanks...
how weird is this?
P.S. i changed all the "@" symbols to " <at> " to confuse any spiders...
[ 03-10-2003: Message edited by: Paul ]
Comments
[quote]Spammers are the biggest assholes equal to Tele-marketers.[/quote]
this isn't spam.... that is the whole body of the email... i think they are from virii hmmmm maybe i will run Virex....
but that may be true... i don't know i haven't had much experience with tele-marketers (or spam) ::Crosses fingers, hopes he didn't just jinx himself::
[ 03-03-2003: Message edited by: Paul ]
Contact the people at the return-paths and tell them to get a current virus scanner and run it *immediately*.
I've gotten e-mails like this before. Most likely the sender has either the Exploit-MIME.gen.exe virus or W32.Klez.H@mm virus.
edit: By the way, like all Windows-based viruses, these are completely benign and harmless to your Mac. If you run Virex, though, it will catch them and can remove them for you.
[ 03-03-2003: Message edited by: Brad ]
how did it get my email?
how did it get my friends' emails?
[ 03-03-2003: Message edited by: Paul ]
Return-Path: <Celeste <at> gwu.edu>
Return-Path: <dflage <at> gwu.edu>
Return-Path: <dlsolof <at> gwu.edu>
Those are the accounts from which the e-mails originated. The "From" header is spoofed and is NOT the original sender. Most likely one of these people (or someone *else* that is infected) has your e-mail address in his or her address book. These viruses will send copies of themselves to everyone in the address book, spoofing the "From" header to appear to originate from someone else in the address book. It's possible that someone that knows you but that has a virus unknowingly sent off e-mails to these people with your name spoofed on the headers. These people then had your name from that first round of virus-sharing and continued to send viruses off.
See how it works?
It looks like the folks at George Washington aren't too savvy with their PeeCees. [Laughing]
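As an added illustration of the check Brad describes (this is not code from the thread): the script below parses the first message's headers as quoted above, compares the From and Return-Path domains, walks the Received chain back to the first hop, and flags the two things that give the worm away. The header text is a constructed copy with the poster's " <at> " obfuscation restored to "@"; run on the other two messages it would land on the same 128.164.210.213 first hop behind a different nonsense HELO name (Xegbow, Mrvkmagfi).

```python
import email
import re

# First message's headers as quoted in the thread (constructed copy; " <at> " restored to "@").
RAW_HEADERS = """\
From: blaze483 <blaze483@aol.com>
Return-Path: <Celeste@gwu.edu>
Received: from smtpin04-en2.mac.com ([10.13.10.149]) by ms03.mac.com (Netscape Messaging Server 4.15) with ESMTP id HAXX7A00.8Y9 for <psantora@mac.com>; Wed, 26 Feb 2003 15:57:10 -0800
Received: from laplace.sag.gwu.edu (laplace.sag.gwu.edu [128.164.127.72]) by smtpin04-en2.mac.com (Xserve/MantshX 2.0) with ESMTP id h1QNv9ev020429 for <psantora@mac.com>; Wed, 26 Feb 2003 15:57:09 -0800 (PST)
Received: from lopes.sag.gwu.edu (lopes.sag.gwu.edu [192.168.61.125]) by laplace.sag.gwu.edu (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0HAX00G0YX73E0@laplace.sag.gwu.edu> for psantora@mac.com; Wed, 26 Feb 2003 18:57:04 -0500 (EST)
Received: from lovelace.nit.gwu.edu (localhost [127.0.0.1]) by lopes.sag.gwu.edu (8.10.2+Sun/8.10.2) with ESMTP id h1QNiYR05587 for <psantora@mac.com>; Wed, 26 Feb 2003 18:44:34 -0500 (EST)
Received: from Gmqayy ([128.164.210.213]) by lovelace.nit.gwu.edu (8.12.1/8.12.1) with SMTP id h1QNvgCG003502 for <psantora@mac.com>; Wed, 26 Feb 2003 18:57:42 -0500 (EST)
Message-Id: <200302262357.h1QNvgCG003502@lovelace.nit.gwu.edu>
"""

ADDR_RE = re.compile(r"([^<>\s]+)@([^<>\s]+)")  # user@domain inside a header value
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)  # "from NAME ... [IP]"

def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or None."""
    m = ADDR_RE.search(header_value or "")
    return m.group(2).lower() if m else None

def received_hops(msg):
    """[(claimed_name, ip), ...] oldest hop first. Each relay prepends its own
    Received: line, so the last one in the message is the host that injected the mail."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops[::-1]

def analyse(raw):
    """Flag the two signs Brad points at: From/Return-Path mismatch and a bogus first hop."""
    msg = email.message_from_string(raw)
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    hops = received_hops(msg)
    origin_name, origin_ip = hops[0] if hops else (None, None)
    findings = []
    if from_dom != rp_dom:
        # Envelope sender (the infected account) and displayed From disagree.
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    if origin_name and "." not in origin_name:
        # A bare random token as HELO name ("Gmqayy") points at a worm's own SMTP engine.
        findings.append(f"first hop '{origin_name}' is not a FQDN; injected from {origin_ip}")
    return {"from": from_dom, "return_path": rp_dom, "origin_ip": origin_ip, "findings": findings}

for finding in analyse(RAW_HEADERS)["findings"]:
    print(finding)
```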
[quote]The return path is, well, clearly labeled as "Return-path".[/quote]
[quote]Return-Path: <Celeste <at> gwu.edu>
Return-Path: <dflage <at> gwu.edu>
Return-Path: <dlsolof <at> gwu.edu>[/quote]
I have never heard of these people
[quote]Those are the accounts from which the e-mails originated. The "From" header is spoofed and is NOT the original sender.[/quote]
yes I understand that, which is weird because I have no idea how they got my email address
[quote]Most likely one of these people (or someone *else* that is infected) has your e-mail address in his or her address book. These viruses will send copies of themselves to everyone in the address book, spoofing the "From" header to appear to originate from someone else in the address book. It's possible that someone that knows you but that has a virus unknowingly sent off e-mails to these people with your name spoofed on the headers. These people then had your name from that first round of virus-sharing and continued to send viruses off.
See how it works?
It looks like the folks at George Washington aren't too savvy with their PeeCees. [Laughing][/quote]
IC IC....
ok that makes much more sense....for now anyway
[quote]Originally posted by Brad:
Those are the accounts from which the e-mails originated. The "From" header is spoofed and is NOT the original sender.[/quote]
ok, i get that, but the problem is that I DON'T KNOW THE PEOPLE WHO ARE SENDING THE MESSAGES... but i DO know the people that are being "spoofed".... also the people that are being "spoofed" DO NOT KNOW THE PEOPLE SENDING THE MESSAGE...
the only common link in these things is me... so somehow the "worm" is taking names from my address book... I am sure of it, there is no other way it could have gotten these email addresses... right?
the people whose email addresses are being used know me through HS, and they all go to different colleges...
what is going on here..... a Mac OS X virus?!
Maybe you know someone who knows someone, and you ended up on an email sent to a bunch of friends of a friend, some of whom you knew and some of whom you didn't?
This particular virus is written in VBA. Mail doesn't know VBA from a text file (I've opened attached viruses and looked at them in Mail - they literally are just text files on Macs) and Mail isn't in the habit of running attached scripts behind your back, so this isn't a problem.
on my PC, NAV always catches email with that and returns them to the sender... i guess it's nice they find out they have a virus... this one is the most prevalent... probably cuz it's associated with Kazaa
anyways... i ran norton and it didn't pick up anything... I'll be sending a series of emails out soon...
thanks for the help guys!