I do NOT think you can do anything:
If the system date is between April 14, 2004 to April 23, 2004, the worm will try to perform a DoS attack against the following Web sites:
If the system date is not April 2004, or if it is and the day is less than 14 or greater than 16, the worm will attempt to use its own SMTP engine to send itself to all the email addresses that it finds.
Note: If the worm finds the email address "email@example.com," it will attempt to use the server, "hostname.com," as the SMTP server.
The email has the following characteristics:
Grif's response is posted below under "Message has been deleted" 04/15/04 11:30 AM
Sorry Grif I didn't realize that the virus code was included in my original post sorry. That was everything that was mailed to my inbox.
The reason I think that the originator of the virus is at that IP is because my email was not compromised by the virus and after I contacted Comcast I began to receive a great # of emails containing the virus all with the same IP. Then even though my email was not compromised, that same IP started sending out emails to others with my email address as the sender.
It's as though the originator got mad at me and in an attempt to get back at me they tried to get me in trouble by using my email address as the sender of the virus. Then a couple of days later the IP changed but the attack continued.
Since Wed April 7th I have been under attack by who I believe is the originator of this virus. I have been sent over 60 emails containing this virus.
I tracked the IP 22.214.171.124 by means of
It is a Comcast IP. I informed firstname.lastname@example.org
nine times now and also my email provider email@example.com of each of the emails and sent a copy to them with full headers.
I also informed http://www.ifccfbi.gov/index.asp
of the attacks.
So far I have heard nothing back from any of the abuse centers.
You might think that this is just a virus attacking someones address book and sending more emails out containing the virus, but now I know it is not. After the first or second complaint to Comcast, I started receiving between ten and twenty emails per day which each contain the virus with different hook lines to get you to open the attachment. I figured that Camcast informed the perpetrator of this attack and that I had reported them, and also gave the perp my email address.
I was certain of this when I started to receive automated emails from others attacked by this person which contain my email address as the sender! But the senders IP was still 126.96.36.199 . See these below.
Either Comcast disconected service to this person or they have a variable IP or they are using public internet access because now I am receiving the same attack from IP 188.8.131.52 . I have informed Comcast and the feds again but have received no info back from them.
Do you have any advice? Does it seem to you that this is an attack on me by the virus originator?
This is the scan that yahoo provides as part of their service which shows the name of the attached virus
File name: story3.pif
File type: application/octet-stream
Scan result: Virus "W32.Netsky.T@mm" found.
You can not download this attachment. You have two options:
1. Sign up for Yahoo! Mail Plus to get automatic cleaning of infected attachments. Learn more.
(Note: Not all viruses can be cleaned.)
2. Contact the message sender and request that they resend the attachment to you after cleaning it with anti-virus software.
Here are the emails sent to others with my email address forged as the sender
Subject: Re: Phone number
Date: Thu, 8 Apr 2004 12:09:32 -0700
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: multipart/mixed; boundary="----_=_NextPart_002_01C41D9E.D592F778"
Plain Text Attachment [ Download File | Save to my Yahoo! Briefcase ]
Please, phone number.
Scan and Download Attachment
Scan and Save to my Yahoo! Briefcase
From System Anti-Virus Administrator Thu Apr 8 10:49:16 2004
X-Apparently-To: firstname.lastname@example.org via 184.108.40.206; Thu, 08 Apr 2004 10:49:19 -0700
Received: from 220.127.116.11 (EHLO mx1.luxurylink.com) (18.104.22.168) by mta132.mail.sc5.yahoo.com with SMTP; Thu, 08 Apr 2004 10:49:17 -0700
Received: (qmail 25206 invoked by uid 79); 8 Apr 2004 17:49:16 -0000
Date: 8 Apr 2004 17:49:16 -0000
From: "System Anti-Virus Administrator" <email@example.com> Add to Address Book
Subject: Disallowed attachment type found in sent message "Re: Information"
A Disallowed attachment type was found in an Email message you sent.
This Email scanner intercepted it and stopped the entire message
reaching its destination.
The Disallowed attachment type was reported to be:
PIF files not allowed per LuxuryLink security policy
Please contact your I.T support personnel with any queries regarding
Your message was sent with the following envelope:
MAIL FROM: firstname.lastname@example.org
RCPT TO: email@example.com
... and with the following headers:
Received: from c-24-12-43-24.client.comcast.net (HELO luxurylink.com)
by mx1.luxurylink.com with SMTP; 8 Apr 2004 17:49:15 -0000
Subject: Re: Information
Date: Thu, 8 Apr 2004 12:49:16 -0500
From Mail Delivery System Thu Apr 8 08:06:27 2004
X-Apparently-To: firstname.lastname@example.org via web20503.mail.yahoo.com; Thu, 08 Apr 2004 09:16:57 -0700
Received: from 22.214.171.124 (EHLO host7.indyserv.net) (126.96.36.199) by mta287.mail.scd.yahoo.com with SMTP; Thu, 08 Apr 2004 08:06:28 -0700
Received: from mailnull by host7.indyserv.net with local (Exim 4.24) id 1BBb6p-00068W-Sm for email@example.com; Thu, 08 Apr 2004 11:06:27 -0400
From: "Mail Delivery System" <Mailer-Daemon@host7.indyserv.net> Add to Address Book
Subject: Mail delivery failed: returning message to sender
Date: Thu, 08 Apr 2004 11:06:27 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host7.indyserv.net
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
This message has been rejected because it has
a potentially executable attachment "description2.pif"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
------ This is a copy of the message, including all the headers. ------
Received: from [188.8.131.52] (helo=winfreegiftcertificates.com)
by host7.indyserv.net with esmtp (Exim 4.24)
for firstname.lastname@example.org; Thu, 08 Apr 2004 11:06:25 -0400
Subject: Re: Description
Date: Thu, 8 Apr 2004 10:06:27 -0500
This is a multi-part message in MIME format.