Weird E-Mails...Virus on Mac OS X? (harmless, for now) :-/

Posted in Genius Bar, edited January 2014
Ummmm I have been getting some weird-ass emails lately... 2/3 are "coming from" people I haven't talked to in months and the third is "from" someone I have never spoken to before...

I put "from" in quotes because after looking at the header information carefully it seems they are all originating from accounts <at> gwu.edu, and the 2 emails from people I know do NOT go there... I do have 2 friends who go to GW and they could possibly have a virus, but I am not sure... I talked with them about it and they are not getting weird emails either...

The first 2 addresses are also in my address book....

Here is the header info for all three emails:



Wed Feb 26, 2003 6:57:42 PM US/Eastern

[quote]From: blaze483 <blaze483 <at> aol.com>
Date: Wed Feb 26, 2003 6:57:42 PM US/Eastern
To: psantora <at> mac.com
Subject: Marginwidth
Return-Path: <Celeste <at> gwu.edu>
Received: from smtpin04-en2.mac.com ([10.13.10.149]) by ms03.mac.com (Netscape Messaging Server 4.15) with ESMTP id HAXX7A00.8Y9 for <psantora <at> mac.com>; Wed, 26 Feb 2003 15:57:10 -0800
Received: from laplace.sag.gwu.edu (laplace.sag.gwu.edu [128.164.127.72]) by smtpin04-en2.mac.com (Xserve/MantshX 2.0) with ESMTP id h1QNv9ev020429 for <psantora <at> mac.com>; Wed, 26 Feb 2003 15:57:09 -0800 (PST)
Received: from lopes.sag.gwu.edu (lopes.sag.gwu.edu [192.168.61.125]) by laplace.sag.gwu.edu (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0HAX00G0YX73E0 <at> laplace.sag.gwu.edu> for psantora <at> mac.com; Wed, 26 Feb 2003 18:57:04 -0500 (EST)
Received: from lovelace.nit.gwu.edu (localhost [127.0.0.1]) by lopes.sag.gwu.edu (8.10.2+Sun/8.10.2) with ESMTP id h1QNiYR05587 for <psantora <at> mac.com>; Wed, 26 Feb 2003 18:44:34 -0500 (EST)
Received: from Gmqayy ([128.164.210.213]) by lovelace.nit.gwu.edu (8.12.1/8.12.1) with SMTP id h1QNvgCG003502 for <psantora <at> mac.com>; Wed, 26 Feb 2003 18:57:42 -0500 (EST)
Message-Id: <200302262357.h1QNvgCG003502 <at> lovelace.nit.gwu.edu>
Mime-Version: 1.0
Content-Type: MULTIPART/ALTERNATIVE; BOUNDARY="Boundary_(ID_h2aEIE8iz7I1D66kyd9mfQ)"
Attachments: There is 1 attachment
"900-0033_IMG[1].jpg (2.4 KB)"[/quote]



Fri Feb 28, 2003 5:27:49 PM US/Eastern

[quote]From: borealis84 <borealis84 <at> aol.com>
Date: Fri Feb 28, 2003 5:27:49 PM US/Eastern
To: psantora <at> mac.com
Subject: Look,my beautiful girl friend
Return-Path: <dflage <at> gwu.edu>
Received: from smtpin04-en2.mac.com ([10.13.10.149]) by ms03.mac.com (Netscape Messaging Server 4.15) with ESMTP id HB1IEY00.HZ0 for <psantora <at> mac.com>; Fri, 28 Feb 2003 14:28:10 -0800
Received: from fourier.sag.gwu.edu (fourier.sag.gwu.edu [128.164.127.73]) by smtpin04-en2.mac.com (Xserve/MantshX 2.0) with ESMTP id h1SMS9ev004418 for <psantora <at> mac.com>; Fri, 28 Feb 2003 14:28:10 -0800 (PST)
Received: from fuchs.sag.gwu.edu (fuchs.sag.gwu.edu [192.168.61.126]) by fourier.sag.gwu.edu (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0HB100J2GIER8D <at> fourier.sag.gwu.edu> for psantora <at> mac.com; Fri, 28 Feb 2003 17:28:03 -0500 (EST)
Received: from fermi.nit.gwu.edu (localhost [127.0.0.1]) by fuchs.sag.gwu.edu (8.10.2+Sun/8.10.2) with ESMTP id h1SMOAp19500 for <psantora <at> mac.com>; Fri, 28 Feb 2003 17:24:10 -0500 (EST)
Received: from Xegbow ([128.164.210.213]) by fermi.nit.gwu.edu (8.12.1/8.12.1) with SMTP id h1SMRnBH004428 for <psantora <at> mac.com>; Fri, 28 Feb 2003 17:27:49 -0500 (EST)
Message-Id: <200302282227.h1SMRnBH004428 <at> fermi.nit.gwu.edu>
Mime-Version: 1.0
Content-Type: MULTIPART/ALTERNATIVE; BOUNDARY="Boundary_(ID_QVbbImSZei5Xdwl6NClv8w)"
Attachments: There is 1 attachment
"bigband[1].html (6.8 KB)"[/quote]



Mon Mar 3, 2003 12:41:35 AM US/Eastern

((never heard of this person before))

[quote]From: kclemens <kclemens <at> snet.net>
Date: Mon Mar 3, 2003 12:41:35 AM US/Eastern
To: psantora <at> mac.com
Subject: Eager to see you
Return-Path: <dlsolof <at> gwu.edu>
Received: from smtpin04-en2.mac.com ([10.13.10.149]) by ms03.mac.com (Netscape Messaging Server 4.15) with ESMTP id HB5RU700.MY7 for <psantora <at> mac.com>; Sun, 2 Mar 2003 21:42:07 -0800
Received: from fourier.sag.gwu.edu (fourier.sag.gwu.edu [128.164.127.73]) by smtpin04-en2.mac.com (Xserve/MantshX 2.0) with ESMTP id h235fwev016849 for <psantora <at> mac.com>; Sun, 2 Mar 2003 21:42:06 -0800 (PST)
Received: from fuchs.sag.gwu.edu (fuchs.sag.gwu.edu [192.168.61.126]) by fourier.sag.gwu.edu (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0HB500BBMRTPF5 <at> fourier.sag.gwu.edu> for psantora <at> mac.com; Mon, 3 Mar 2003 00:41:49 -0500 (EST)
Received: from fermi.nit.gwu.edu (localhost [127.0.0.1]) by fuchs.sag.gwu.edu (8.10.2+Sun/8.10.2) with ESMTP id h235btk03642 for <psantora <at> mac.com>; Mon, 03 Mar 2003 00:37:55 -0500 (EST)
Received: from Mrvkmagfi ([128.164.210.213]) by fermi.nit.gwu.edu (8.12.1/8.12.1) with SMTP id h235fZBH018537 for <psantora <at> mac.com>; Mon, 03 Mar 2003 00:41:35 -0500 (EST)
Message-Id: <200303030541.h235fZBH018537 <at> fermi.nit.gwu.edu>
Mime-Version: 1.0
Content-Type: MULTIPART/ALTERNATIVE; BOUNDARY="Boundary_(ID_85I+5YxdNluojesMh6Qzgg)"
Attachments: There is 1 attachment
((this was actually a picture that showed up)) "netscape_news_adbackground[1].jpg" ((It is a weird 2-tone blue & turquoise rectangle with a transparent purple box in the bottom right))[/quote]



I am running 10.2.4 and Apple's Mail app.

If anyone has any insights I would appreciate it...

thanks...

how weird is this?

P.S. I changed all the "@" symbols to " <at> " to confuse any spiders...

[ 03-10-2003: Message edited by: Paul ]

Comments

  • Reply 1 of 10
    defiant (Posts: 4,876, member)
    Spammers are the biggest assholes equal to Tele-marketers.
  • Reply 2 of 10
    paul (Posts: 5,278, member)
    [quote]Originally posted by Defiant: Spammers are the biggest assholes equal to Tele-marketers.[/quote]

    This isn't spam.... that is the whole body of the email... I think they are from virii hmmmm maybe I will run Virex....

    But that may be true... I don't know, I haven't had much experience with tele-marketers (or spam) ::Crosses fingers, hopes he didn't just jinx himself::

    [ 03-03-2003: Message edited by: Paul ]
  • Reply 3 of 10
    Definitely viruses.



    Contact the people at the return-paths and tell them to get a current virus scanner and run it *immediately*.



    I've gotten e-mails like this before. Most likely the sender has either the Exploit-MIME.gen.exe virus or W32.Klez.H@mm virus.



    edit: By the way, like all Windows-based viruses, these are completely benign and harmless to your Mac. If you run Virex, though, it will catch them and can remove them for you.



    [ 03-03-2003: Message edited by: Brad ]
  • Reply 4 of 10
    paul (Posts: 5,278, member)
    where are the return address emails from?

    how did it get my email?

    how did it get my friends' emails?

    [ 03-03-2003: Message edited by: Paul ]
  • Reply 5 of 10
    The return path is, well, clearly labeled as "Return-path".

    Return-Path: <Celeste <at> gwu.edu>
    Return-Path: <dflage <at> gwu.edu>
    Return-Path: <dlsolof <at> gwu.edu>

    Those are the accounts from which the e-mails originated. The "From" header is spoofed and is NOT the original sender. Most likely one of these people (or someone *else* that is infected) has your e-mail address in his or her address book. These viruses will send copies of themselves to everyone in the address book, spoofing the "From" header to appear to originate from someone else in the address book. It's possible that someone that knows you but that has a virus unknowingly sent off e-mails to these people with your name spoofed on the headers. These people then had your name from that first round of virus-sharing and continued to send viruses off.

    See how it works?

    It looks like the folks at George Washington aren't too savvy with their PeeCees. [Laughing]
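The header reading Brad describes (Return-Path versus the spoofed From, and walking the Received: chain back to the hop nearest the real sender) applied to the first header block Paul quoted. This is an added example written for this page, not code from the thread; it uses only Python's standard email module, restores the "<at>" placeholders to "@" as the P.S. says they were substituted, flattens the folded tabs to spaces, and the helper names parse_received, domain_of and analyze are mine.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample for this example: the first header block quoted in the
# thread, with the poster's "<at>" placeholders restored to "@" and the folded
# tabs replaced by spaces. Received: lines are prepended by each relay, so the
# newest hop is on top and the bottom one is closest to the origin.
SAMPLE_HEADERS = """\
Return-Path: <Celeste@gwu.edu>
Received: from smtpin04-en2.mac.com ([10.13.10.149]) by ms03.mac.com (Netscape Messaging Server 4.15) with ESMTP id HAXX7A00.8Y9 for <psantora@mac.com>; Wed, 26 Feb 2003 15:57:10 -0800
Received: from laplace.sag.gwu.edu (laplace.sag.gwu.edu [128.164.127.72]) by smtpin04-en2.mac.com (Xserve/MantshX 2.0) with ESMTP id h1QNv9ev020429 for <psantora@mac.com>; Wed, 26 Feb 2003 15:57:09 -0800 (PST)
Received: from lopes.sag.gwu.edu (lopes.sag.gwu.edu [192.168.61.125]) by laplace.sag.gwu.edu (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0HAX00G0YX73E0@laplace.sag.gwu.edu> for psantora@mac.com; Wed, 26 Feb 2003 18:57:04 -0500 (EST)
Received: from lovelace.nit.gwu.edu (localhost [127.0.0.1]) by lopes.sag.gwu.edu (8.10.2+Sun/8.10.2) with ESMTP id h1QNiYR05587 for <psantora@mac.com>; Wed, 26 Feb 2003 18:44:34 -0500 (EST)
Received: from Gmqayy ([128.164.210.213]) by lovelace.nit.gwu.edu (8.12.1/8.12.1) with SMTP id h1QNvgCG003502 for <psantora@mac.com>; Wed, 26 Feb 2003 18:57:42 -0500 (EST)
From: blaze483 <blaze483@aol.com>
To: psantora@mac.com
Subject: Marginwidth
Message-Id: <200302262357.h1QNvgCG003502@lovelace.nit.gwu.edu>

"""

# Shape of a sendmail-style hop: "from <helo> (<rdns> [<ip>]) by <server> ... with <proto>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)"
    r".*?with\s+(?P<proto>\S+)",
    re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into the fields an analyst looks at; None if unparseable."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    info = m.group("info") or ""
    ip = IP_RE.search(info)
    return {
        "helo": m.group("helo"),            # name the client announced (client-chosen)
        "ip": ip.group(1) if ip else None,  # address the receiving server actually saw
        "by": m.group("by"),                # server that wrote this header
        "proto": m.group("proto"),
    }


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return From, Return-Path, the hop list (newest first), the origin hop and findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg["From"] or ""))[1]
    return_path = parseaddr(str(msg["Return-Path"] or ""))[1]

    hops = [h for h in (parse_received(str(v)) for v in msg.get_all("Received", [])) if h]
    origin = hops[-1] if hops else None  # bottom line = hop nearest the sender

    findings = []
    if domain_of(from_addr) != domain_of(return_path):
        findings.append("from_returnpath_domain_mismatch")
    if origin and "." not in origin["helo"]:
        # A bare random token in HELO instead of a hostname; the real lead is the IP.
        findings.append("origin_helo_not_a_hostname")
    return {"from": from_addr, "return_path": return_path,
            "hops": hops, "origin": origin, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS)
    print("From:       ", result["from"])
    print("Return-Path:", result["return_path"])
    for i, hop in enumerate(reversed(result["hops"]), 1):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']} ({hop['proto']})")
    print("findings:", result["findings"])
```

Run against the other two quoted header blocks, the bottom Received: line gives the same origin address, 128.164.210.213, behind a different random HELO token each time (Xegbow, Mrvkmagfi), while the From: addresses vary. Of the fields shown, only the bracketed IP was recorded by the receiving server itself; the HELO name and the From: line are supplied by the sending client, and the Return-Path comes from the SMTP envelope, which is why it points at the infected gwu.edu accounts rather than at the spoofed friends.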
  • Reply 6 of 10
    paul (Posts: 5,278, member)
    [quote]Originally posted by Brad: The return path is, well, clearly labeled as "Return-path".[/quote] yes, I know

    [quote]Return-Path: <Celeste <at> gwu.edu>
    Return-Path: <dflage <at> gwu.edu>
    Return-Path: <dlsolof <at> gwu.edu>[/quote] I have never heard of these people :confused:

    [quote]Those are the accounts from which the e-mails originated. The "From" header is spoofed and is NOT the original sender.[/quote] yes I understand that, which is weird because I have no idea how they got my email address

    [quote]Most likely one of these people (or someone *else* that is infected) has your e-mail address in his or her address book. These viruses will send copies of themselves to everyone in the address book, spoofing the "From" header to appear to originate from someone else in the address book. It's possible that someone that knows you but that has a virus unknowingly sent off e-mails to these people with your name spoofed on the headers. These people then had your name from that first round of virus-sharing and continued to send viruses off.

    See how it works?

    It looks like the folks at George Washington aren't too savvy with their PeeCees. [Laughing][/quote]

    IC IC....

    ok that makes much more sense....for now anyway
  • Reply 7 of 10
    paul (Posts: 5,278, member)
    after getting more emails....

    [quote]Originally posted by Brad: Those are the accounts from which the e-mails originated. The "From" header is spoofed and is NOT the original sender.[/quote]

    ok, I get that, but the problem is that I DON'T KNOW THE PEOPLE WHO ARE SENDING THE MESSAGES... but I DO know the people that are being "spoofed".... also the people that are being "spoofed" DO NOT KNOW THE PEOPLE SENDING THE MESSAGE...

    the only common link in these things is me... so somehow the "worm" is taking names from my address book... I am sure of it, there is no other way it could have gotten these email addresses... right?

    the people whose email addresses are being used know me through HS, and they all go to different colleges...

    what is going on here..... a Mac OS X virus?!
  • Reply 8 of 10
    amorph (Posts: 7,112, member)
    I got a few of those. It's not a Mac OS X virus. I'm not sure how my email address got on those emails either, but Klez, like 90% of Windows viruses, exploits specific holes ("features" in MS speak) in Outlook for Windows and Office, specifically the ability of a script to a) run silently, b) access Outlook's address book silently, and c) send email silently. If you're on a PC running Eudora and AppleWorks 5, I don't think most of them would be able to affect you either. In that respect it's an application-specific virus, not an OS-specific virus (although MS does make the situation worse by conflating certain applications with system software...).



    Maybe you know someone who knows someone, and you ended up on an email sent to a bunch of friends of a friend, some of whom you knew and some of whom you didn't?



    This particular virus is written in VBA. Mail doesn't know VBA from a text file (I've opened attached viruses and looked at them in Mail - they literally are just text files on Macs) and Mail isn't in the habit of running attached scripts behind your back, so this isn't a problem.
  • Reply 9 of 10
    ast3r3x (Posts: 5,012, member)
    W32.Klez.H@mm is the most annoying

    on my PC, NAV always catches email with that and returns them to the sender... I guess it's nice they find out they have a virus... this one is the most prevalent... probably cuz it's associated with Kazaa
  • Reply 10 of 10
    paul (Posts: 5,278, member)
    figured it out... a friend of mine from HS runs a newsletter out of Vassar... ALL of the "spoofed" email addresses are on that list... I STILL don't know the addresses @gwu.edu but who knows..... all I know is that it definitely did not get into my address book :cool: ::whew!::

    anyways... I ran Norton and it didn't pick up anything... I'll be sending a series of emails out soon...

    thanks for the help guys!