UncleFista
|
| posted on 28/4/02 at 08:31 PM |
|
|
F.A.O. Chris Gibbs (long but very important)
Have you been opening dodgy attachments on yer mail ? I'm asking cos I received a mail from "Microsoft" but when examined it has the return address
as chris@gibbs111.fsnet.co.uk . It comes complete with an executable file which you're supposed to run.
Check your PC dude 
(sorry to be the bearer of bad news)
Update, my brother received the same too, he's on T.O.L. as well as me, maybe a link ?
The e-mail source is cut and pasted here in its entirety, bar the file of course 
Sorry for the length of the post.
Received: from imailg2.svr.pol.co.uk ([195.92.195.180]) by blueyonder.co.uk with Microsoft SMTPSVC(5.5.1877.757.75);
Sun, 28 Apr 2002 16:22:16 +0100
Received: from modem-817.grommet.dialup.pol.co.uk ([62.25.159.49] helo=pfuckie)
by imailg2.svr.pol.co.uk with smtp (Exim 3.35 #1)
id 171qTj-00070a-00; Sun, 28 Apr 2002 16:20:45 +0100
From: "Microsoft Corporation Security Center"
To: "Microsoft Customer" <'customer@yourdomain.com'>
Subject: Internet Security Update
Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="NextPart_000235"
Message-Id:
Date: Sun, 28 Apr 2002 16:20:45 +0100
Return-Path: chris@gibbs111.fsnet.co.uk
This is a multi-part message in MIME format.
You should read this with client which
supported MIME standard.
--NextPart_000235
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Microsoft Customer,
this is the latest version of security update, the
"24 Apr 2002 Cumulative Patch" update which eliminates all
known security vulnerabilities affecting Internet Explorer and
MS Outlook/Express as well as six new vulnerabilities, and is
discussed in Microsoft Security Bulletin MS02-005. Install now to
protect your computer from these vulnerabilities, the most serious of which
could allow an attacker to run code on your computer.
Description of several well-know vulnerabilities:
- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.
If a malicious user sends an affected HTML e-mail or hosts an affected
e-mail on a Web site, and a user opens the e-mail or visits the Web site,
Internet Explorer automatically runs the executable on the user's computer.
- A vulnerability that could allow an unauthorized user to learn the location
of cached content on your computer. This could enable the unauthorized
user to launch compiled HTML Help (.chm) files that contain shortcuts to
executables, thereby enabling the unauthorized user to run the executables
on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable a
malicious Web site operator to open two browser windows, one in the Web site's
domain and the other on your local file system, and to pass information from
your computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extension
do not show the actual full extension of the file when saved and viewed with
Windows Explorer. This allows dangerous file types to look as though they are simple,
harmless files - such as JPG or WAV files - that do not need to be blocked.
System requirements:
Versions of Windows no earlier than Windows 95.
This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp
If you have some questions about this article contact us at rdquest12@microsoft.com
Thank you for using Microsoft products.
With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.
--NextPart_000235
Content-Type: application/x-msdownload;
name="q216309.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="q216309.exe"
|
|
|
|
|
chrisg
|
| posted on 28/4/02 at 08:56 PM |
|
|
Cheers Tony,
I've been bombed with virus e-mails, I think we know where they're coming from( think pissed off IT guru)
Appologies to all
I wonder if Microsoft would like to know who is taking thier name in vain?
Thanks again
Chris
Note to all: I really don't know when to leave well alone. I tried to get clever with the mods, then when they gave me a lifeline to see the
error of my ways, I tried to incite more trouble via u2u. So now I'm banned, never to return again. They should have done it years ago!
|
|
|
UncleFista
|
| posted on 28/4/02 at 09:09 PM |
|
|
No probs, was a bit worried in case you weren't on the ball
Tony Bond / UncleFista
Love is like a snowmobile, speeding across the frozen tundra.
Which suddenly flips, pinning you underneath.
At night the ice-weasels come...
|
|
|
MarkD
|
| posted on 28/4/02 at 09:27 PM |
|
|
Check out Symantec's site regarding this virus and how to get rid of it. http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html
/>
|
|
|
chrisg
|
| posted on 28/4/02 at 10:18 PM |
|
|
Thanks Mark,
It's Done!
Cheers
Chris
Note to all: I really don't know when to leave well alone. I tried to get clever with the mods, then when they gave me a lifeline to see the
error of my ways, I tried to incite more trouble via u2u. So now I'm banned, never to return again. They should have done it years ago!
|
|
|
Dunc
|
| posted on 28/4/02 at 10:19 PM |
|
|
Hey guys, I got the same email, tell me who the IT guru?!? is and I'll send one of my laser guided missiles through his roof, I feel like kicking his
arse just for being a knob and making me read a crap email from MS. Is it the prick from the other list, can't remember his name, who posted about
the alien shite.
|
|
|
James
|
| posted on 29/4/02 at 02:25 PM |
|
|
I received it aswell- was a little surprised to be receiving a mail from M$ to say the least!
Were you suggesting that it was Wally from TOL? I'd be interested to know as I've certainly never had any dealings with him at all other than being
a member of TOL.
As far as I know I haven't made too many enemies between the lists (well, none that have let themselves be known to me anyway!  )
Who else has recieved it? Guess it could be all people who are on both lists or something? In which case I'd have thought Bob and TheConrod would
have got it too and probably quite a few others.
Looking at what the worm does (on Symantec) I wonder if it might just be some other locoster (who therefore has our e-mail addresses) who's got
infected and the worm has then worked it's way throughout their address list sending it to all of us (with a disguised sender address).
Or maybe I'm too trusting of people!
Maybe we'll one day meet whoever it is at a show....
James
|
|
|
James
|
| posted on 29/4/02 at 02:31 PM |
|
|
Ok, re-reading the posts I think I'm just being a pleb.
Nothing new there...
The point being it's Chris who inadvertantly sent it to us- having been bombed/infected with it by a "pissed IT guru".
But hey, atleast we know who it was in the first place.
Or have I now got it all wrong?
Oh well, gotta go weld my chassis now.
James
|
|
|
Dunc
|
| posted on 29/4/02 at 03:23 PM |
|
|
Hey James, a bit off topic but you got me thinking about all this IT poo and how they steal all the exciting words to make what they do seem
exciting, bombed, virus, infected, surf, guru. Hmmmm. It's a bit like advertising isn't it, all the most exciting adverts are for the most boring
products, washing powder, banks, car insurance. Hell I'd never try and make my job sound more exciting, I just don't tell anyone that way they
won't fall asleep on me. 
Sorry, Monday afternoon ramblings, time for my medication I think then back to my cubicle to sit at my PC, D'oh! I'm already there.
|
|
|
David Jenkins
|
| posted on 29/4/02 at 03:42 PM |
|
|
I wouldn't get too excited about an "IT guru" conspiracy theory... this "worm" moves around by picking up the addresses from a PC and shipping
itself to those locations.
The person who sent it to Chris probably didn't know he had it himself.
David
(Who's very grateful that his AVG virus checker blocked this e-mail worm last night)
|
|
|
Dunc
|
| posted on 29/4/02 at 04:00 PM |
|
|
What not even the theories that norton and symantic write these worms in the first place to boost sales. Sure there was a MI2 plot in there too.
Too much tele, not enough building.
Anyway I like the 'IT guru' conspiracy theory, it gives me someone to h8 and shout about when I put my bare hand on my newly welded butt joint, its
not much fun blaming yourself for doing something that stoopid.
|
|
|
bob
|
| posted on 29/4/02 at 06:22 PM |
|
|
Yep i got it too 
|
|
|
merlin
|
 posted on 29/4/02 at 08:17 PM |
|
|
If you recieve an email you're not sure of try looking at it's 'properties' before opening the attachments. You can see where it originated etc. I
was a little unsure when I saw the 'helo-pfuckie' line, so binned it!
|
|
|
chrisg
|
| posted on 29/4/02 at 10:03 PM |
|
|
Hi all,
Once again, massive appologies to you all...Sorry x many
I might buy the random virus theory if I hadn't had 60 odd similar e mails (which my anti virus has caught)since I annoyed someone who we know.
60+ in three months suggests that it's not random to me, It suggests someone who
a. Dosen't like me
b. works in an environment where they could gather viri.
Anyway, chaps, It's a large round of norton anti-virus all round!
Appologies again
Cheers
Chris
Note to all: I really don't know when to leave well alone. I tried to get clever with the mods, then when they gave me a lifeline to see the
error of my ways, I tried to incite more trouble via u2u. So now I'm banned, never to return again. They should have done it years ago!
|
|
|
Dunc
|
| posted on 29/4/02 at 10:11 PM |
|
|
No problem Chris, it's not your fault some sad bastard feels like he's nothing better to do than send dodgy emails. He must lead a very sad sad
life. So if he's out there and reading this I challenge him to send me one of his dodgy emails, I'll track the puss down. I have the technology and
the resources. Sorry but lowlifes like this really make me mad as fuck.
|
|
|
David Jenkins
|
| posted on 30/4/02 at 08:05 AM |
|
|
quote:
I might buy the random virus theory if I hadn't had 60 odd similar e mails (which my anti virus has caught)since I annoyed someone who we know.
60+ in three months suggests that it's not random to me
Sounds like a case for escalating the problem to either abuse@... (though that might end up with the same person, if I get your drift), or to one of
the virus authorities (you'll find details at the Symantec and AVG sites).
They might be very interested in nailing someone who's wilfully sending viruses around.
|
|
|
Dazza
|
| posted on 30/4/02 at 06:50 PM |
|
|
guys, i got it to, but as always, i only download from people i know, if i am a little usure, i delete it!!!!!
fuckit
|
PLEASE NOTE: This user is a trader who has not signed up for the LocostBuilders registration scheme. If this post is advertising a commercial product or service, please report it by clicking here.
|
chrisg
|
| posted on 30/4/02 at 06:53 PM |
|
|
I've Given it a try David, but whoever it is knows their onions I'm afraid - all the viri are sent from used once "Hotmail" addresses on public
computers - i.e. untracable (yahoo did think they'd got something but it turned out to be a cyber cafe)
Cheers
Chris
PS I've updated my anti-virus again, and all mail now goes through 5 (count'em) programmes
Note to all: I really don't know when to leave well alone. I tried to get clever with the mods, then when they gave me a lifeline to see the
error of my ways, I tried to incite more trouble via u2u. So now I'm banned, never to return again. They should have done it years ago!
|
|
|
StuartA
|
| posted on 1/5/02 at 11:52 AM |
|
|
Just to add my two cents to this, as someone who works in the industry. The people who inadvertently forward the email aren't the ones who should be
blamed for infecting everyone else's machines. The real culprits are the sad little f*cks who sit around and write the viri in the first place.
Just for info, we use Sophos (www.sophos.com). They are very on the ball, and send out updates to the virus software via email. This usually happens
days before all your friends send you an email that says 'dont open this email if you get it'. Personally, my advice is, if in doubt, don't open
the attachment.
|
|
|
Dunc
|
| posted on 1/5/02 at 12:35 PM |
|
|
I agree with you Stu, and Chris you must really pissed someone off if they had to go to a cyber cafe, pay their £, setup a one off address just to
send you some crap. I bet they even took the tape from the security camera when they left. Either that or they aren't getting any if you know what I
mean and their membership for the porn sites just ran out. That reminds me.
|
|
|
James
|
| posted on 1/5/02 at 02:54 PM |
|
|
quote:
I've Given it a try David, but whoever it is knows their onions I'm afraid - all the viri are sent from used once "Hotmail" addresses on
public computers - i.e. untracable (yahoo did think they'd got something but it turned out to be a cyber cafe)
Cheers
Chris
I guess this suggests even more strongly that it is a 'certain person' (him being relatively technically proficient) most people don't realise that
these things are are traceable at all if they're using hotmail/yahoo etc.
It'd be interesting to track the geographical location of the suspects IP address and check this against the location of that cyber cafe- see if they
tie up to the same region or anything.
I remember reading on The Register ( http://www.theregister.co.uk ) once how the FB1 had tracked down someone who'd stolen some classified militay
documents and was trying to sell them. He'd tried various tactics to disguise it being him- even used a different cyber cafe each time to help him
cover tracks. Once the Feds started tracking it they found the location of each cyber cafe and cross-referenced it against the list of employess
addresses. When they found one particular person was at the centre of these cafes they knew who specifically they needed to nail.
James
|
|
|
chrisg
|
| posted on 1/5/02 at 06:03 PM |
|
|
Unsurprisingly James,
Yahoo wouldn't give me the location. I suppose they had visions of me kicking the door in and demanding to know all the names of the people who had
ever been in thier cafe!!!!!!
I don't know who it is, and, legally, I wouldn't want to speculate, but I have my suspicions. I have no proof, and thats the important thing.
Maybe who ever it is will grow up a little or get tired.
If I do meet up with the person in the real world, I'm going to rip their head off and sh*t down their neck !!!!!!!(for starters)
Cheers
Chris 
Note to all: I really don't know when to leave well alone. I tried to get clever with the mods, then when they gave me a lifeline to see the
error of my ways, I tried to incite more trouble via u2u. So now I'm banned, never to return again. They should have done it years ago!
|
|
|
