Is this genuine '.mac support Email or a virus?

kelib · July 29, 2004 3:49PM

Is this genuine '.mac support Email or a virus? Got a little suspicious after receiving this Email, supposedly from Apple's .mac team. I first saw it when accessing my .mac account from my NT Wintel machine at work. When I tried opening the zip file I got a virus warning and the puter refused to open it!

Quote:

Dear user of mac.com,

We have detected that your email account was used to send a large amount of unsolicited email during this week.

Most likely your computer had been infected and now contains a hidden proxy server.

Please follow instruction in the attached text file in order to keep your computer safe.

Best regards,

mac.com support team.

?

Should I dare open it on me Mac?

Cheers

kelib

jambo · July 29, 2004 4:03PM

It's a new strain of MyDoom virus. Don't open it on a Windows machine!

Your Mac is safe though.

aslan^ · July 29, 2004 4:04PM

is it really a text file ? if so you can look at it with a text editor to see what it is. It does sound fake though, If you want to open it on your mac you could always create a user account just for this purpose. This would negate the damage from the text file being some kind of trojan that will delete your home folder.

EDIT: Really, MyDoom eh, these guys never give up. The two places in the email where it says mac.com, are those like generic fields that the virus engine rips out of the target email address before sending ?

kelib · July 29, 2004 4:15PM

It's not a real text file. I did open it however and the file automatically opened and updated some dat files in Virex and then ran it afterwards.

panther · July 29, 2004 4:43PM

Post full headers of the mail, all details. I'll check where that's supposed to be coming from.

kelib · July 29, 2004 5:44PM

Quote:

Originally posted by Panther

Post full headers of the mail, all details. I'll check where that's supposed to be coming from.

Here you go:

\tFrom: \t noreply@mac.com

\tSubject: \tReturned mail: Data format error

\tDate: \t29. jÃºlÃ* 2004 17:52:45 GMT+02:00

\tTo: \t askell@mac.com

1 Attachment

Dear user of mac.com,

We have detected that your email account was used to send a large amount of unsolicited email during this week.

Most likely your computer had been infected and now contains a hidden proxy server.

Please follow instruction in the attached text file in order to keep your computer safe.

Best regards,

mac.com support team.

Name of the attached file: askell@mac.com.zip (28,3kb)

rhoq · July 30, 2004 8:02AM

Just the fact that the attached file is a ".zip" would indicate to me that this is malicious. I don't think anyone at Apple (or in this case .mac) would send a Zip file.

the general · July 30, 2004 9:10AM

Quote:

Originally posted by kelib

Is this genuine '.mac support Email or a virus? Got a little suspicious after receiving this Email, supposedly from Apple's .mac team. I first saw it when accessing my .mac account from my NT Wintel machine at work. When I tried opening the zip file I got a virus warning and the puter refused to open it!

Should I dare open it on me Mac?

Cheers

kelib

its malware. I think apple would not send you an email with an attachment to warn you. they would put it in the email itself. most companies are getting stuff like this, they just ad aol.com, mac.com. yourcompanynamehere.com to the emails trash it. dont open on windows pc.

luca · July 30, 2004 9:11AM

Quote:

Originally posted by kelib

Here you go:

(snip)

He said FULL headers. There should be an option somewhere.

kelib · July 30, 2004 8:03PM

king chung huang · August 1, 2004 1:52AM

To get the full headers, select View->Message->Long Headers (Command-Shift-H).

kelib · August 1, 2004 9:52AM

From: noreply@mac.com

Subject: Returned mail: Data format error

Date: 29. jÃºlÃ* 2004 17:52:45 GMT+02:00

To: askell@mac.com

Return-Path: <noreply@mac.com>

Received: from mac.com (smtpin06-en2 [10.13.10.151]) by ms35.mac.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0I1M0024EES9V8@ms35.mac.com> for askell@mac.com; Thu, 29 Jul 2004 08:52:57 -0700 (PDT)

Received: from mac.com (host27.atlanta.is [194.144.131.27] (may be forged)) by mac.com (Xserve/smtpin06/MantshX 4.0) with ESMTP id i6TFqjw4021845for <askell@mac.com>; Thu, 29 Jul 2004 08:52:47 -0700 (PDT)

Message-Id: <200407291552.i6TFqjw4021845@mac.com>

Mime-Version: 1.0

X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_D0098275.A11F8CA3"

X-Priority: 3

X-Msmail-Priority: Normal

Original-Recipient: rfc822;askell@mac.com

voxapps · August 1, 2004 7:02PM

As others in this thread have written, this is fraudulent without a doubt. (1) Apple would never send a .mac subscriber message out that a computer is "infected" and "contains a hidden proxy server" with no explanation of what that actually means. (2) "Please follow instruction" is incorrect English and would never get past the tech writers at Apple who create such messages. (3) If the attachment is a small text file, why zip it? (4) Why would the file be named with your specific account, rather than a generic name like "instructions.txt"? (5) If they know your account name well enough to name the file attachment after it, why don't they use it in the salutation ("Dear Askell")? (6) "mac.com support team." is also incorrect English (there is no need for a period after "team").

Finally, based on the complete headers, the message is coming to you via the domain "atlanta.is". This is the domain for Air Atlanta Aviation in Iceland. Apple would send e-mail via its own domain(s). If anyone has an open proxy, it's Air Atlanta.

Is this genuine '.mac support Email or a virus?

Comments