a weird email

Hey anthony, I myself got a weird email as well, I will be forwarding it to you, I think someone is trying to impersonate me as I am a poster on here, so you would be more apt to read it (why anyone would read an email from me, is beyond me, but hey, I suppose someone would)  Just hopped on the site to check if something weird has been posted about it, and haven’t seen anything.

Posted by steev on 4 replies

Comments:

01. Jul 12, 2003 at 12:17pm by Anthony:

Hey man, I wouldn’t worry too much about someone trying to impersonate ya... it’s just a virus : )

I received an email from a spoofed sender, containing an attachment called "your_details.zip" which contained a *.pif file.  My computer is configured to open any files with unknown extensions in Wordpad, so I double-clicked on the PIF file to see what it contained.  Little did I know, Windows uses PIF as a pseudo-executable format, and it turned out to be a virus, the W32/Sobig.e@MM worm to be exact.  It extracted itself into a file called winssk32.exe in my Windows directory, and started running.

You can read the details and removal instructions here:

http://vil.mcafee.com/dispVirus.asp?virus_k=100429

But basically, it’s just one of those annoying worms that doesn’t do anything but replicate.  It scans text documents on your PC, looking for any email addresses it can find.  It then uses its own built-in mail-sending engine to send itself to those addresses, and usually creates a fake From: address.

However, the scary aspect of this one is that it listens on UDP ports 995 and 999, presumably waiting for instructions to do some actual damage to your computer... or more likely, to launch massively coordinated zombie attacks on some big, important server somewhere on the net.

So the fix is, update your antivirus software and do a full system scan, or download the "Stinger" tool from the above URL, which will remove it for you.  I opened the Task Manager and stopped the winssk32.exe process, then deleted the file, did a full system scan, and finally ran nmap from my linux box to make sure that nothing was listening on ports 995 or 999.

Of course, if you were smart and deleted the email, instead of opening the zip file and running the PIF inside it as I did, then you don’t have to worry.

02. Jul 12, 2003 at 3:12pm by steev:

oddly enough, i actually check my email on my linux box, i don’t use the windows machine at all for email, unless its something i expect and then i forward it to the email that i check with my windows box, which is nice, because it keeps that email clean, but at the same time, its an added step, the thing im wondering is, why does someone have my email address... i mean, does that mean i actually made it into someone’s address book?

03. Jul 12, 2003 at 3:25pm by Anthony:

Um... ok, maybe I didn’t explain that very well.  I got the virus, then it found your email address on my hard drive (as we’ve exchanged emails before), and sent itself to you.

Good call on using the ’nix box for email.  I’m trying to find such a program that 1) has a decent GUI, but not bloated like Outlook, and 2) can import all my mailboxes from Eudora.  Email is one of the increasingly few reasons that I still use my Windows box at all.

04. Jul 15, 2003 at 7:06pm by steev:

Yeah, I would like something that will import my email from Outlook into something, like say, mutt, as i’ve just grown to love it, since it was what I was raised with.  Evolution is nice, but some of the commands are repetitive and don’t quite do what I want.  MozMail, well, I won’t go there...

Reply to this message here:

Your name
Email
Website (optional)
Subject

HomeCreate PostArchivesLoginCMS by Encodable ]