Spyware, Viruses, & Security forum

General discussion

Do I have W32.Netsky.T@mm virus originators IP address?

by mattnlinda99 / April 16, 2004 9:13 PM PDT

Grif's response is posted below under "Message has been deleted" 04/15/04 11:30 AM

Sorry Grif, I didn't realize that the virus code was included in my original post, sorry. That was everything that was mailed to my inbox.
The reason I think that the originator of the virus is at that IP is because my email was not compromised by the virus and after I contacted Comcast I began to receive a great # of emails containing the virus all with the same IP. Then even though my email was not compromised, that same IP started sending out emails to others with my email address as the sender.
It's as though the originator got mad at me and in an attempt to get back at me they tried to get me in trouble by using my email address as the sender of the virus. Then a couple of days later the IP changed but the attack continued.

Since Wed April 7th I have been under attack by who I believe is the originator of this virus. I have been sent over 60 emails containing this virus.

I tracked the IP 24.12.43.24 by means of
http://www.arin.net/whois/index.html

It is a Comcast IP. I informed abuse@comcast.net
nine times now and also my email provider abuse@yahoo.com of each of the emails and sent a copy to them with full headers.
I also informed http://www.ifccfbi.gov/index.asp
of the attacks.

So far I have heard nothing back from any of the abuse centers.

You might think that this is just a virus attacking someone's address book and sending more emails out containing the virus, but now I know it is not. After the first or second complaint to Comcast, I started receiving between ten and twenty emails per day which each contain the virus with different hook lines to get you to open the attachment. I figured that Comcast informed the perpetrator of this attack and that I had reported them, and also gave the perp my email address.
I was certain of this when I started to receive automated emails from others attacked by this person which contain my email address as the sender! But the sender's IP was still 24.12.43.24. See these below.

Either Comcast disconnected service to this person or they have a variable IP or they are using public internet access because now I am receiving the same attack from IP 24.12.45.85. I have informed Comcast and the feds again but have received no info back from them.

Do you have any advice? Does it seem to you that this is an attack on me by the virus originator?

This is the scan that yahoo provides as part of their service which shows the name of the attached virus


File name: story3.pif
File type: application/octet-stream

Scan result: Virus "W32.Netsky.T@mm" found.

You can not download this attachment. You have two options:
1. Sign up for Yahoo! Mail Plus to get automatic cleaning of infected attachments. Learn more.
(Note: Not all viruses can be cleaned.)
2. Contact the message sender and request that they resend the attachment to you after cleaning it with anti-virus software.


Here are the emails sent to others with my email address forged as the sender

-------------------------------------------------------


From: myemail@yahoo.com
To: customerservice10@naturaljourneys.com
Subject: Re: Phone number
Date: Thu, 8 Apr 2004 12:09:32 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
X-MS-Embedded-Report:
Content-Type: multipart/mixed; boundary="----_=_NextPart_002_01C41D9E.D592F778"


Plain Text Attachment [ Download File | Save to my Yahoo! Briefcase ]


Please, phone number.



Attachment




phone_number3.pif
.pif file

Scan and Download Attachment
Scan and Save to my Yahoo! Briefcase

-------------------------------------------------------

From System Anti-Virus Administrator Thu Apr 8 10:49:16 2004
X-Apparently-To: myemail@yahoo.com via 216.136.226.138; Thu, 08 Apr 2004 10:49:19 -0700
Return-Path: <>
Received: from 130.94.91.147 (EHLO mx1.luxurylink.com) (130.94.91.147) by mta132.mail.sc5.yahoo.com with SMTP; Thu, 08 Apr 2004 10:49:17 -0700
Received: (qmail 25206 invoked by uid 79); 8 Apr 2004 17:49:16 -0000
Date: 8 Apr 2004 17:49:16 -0000
From: "System Anti-Virus Administrator" <root@mx1.luxurylink.com> Add to Address Book
To: myemail@yahoo.com
Subject: Disallowed attachment type found in sent message "Re: Information"
Message-ID: <mx1.luxurylink.com108144655642625200@mx1.luxurylink.com>
X-Tnz-Problem-Type: 40
MIME-Version: 1.0
Content-type: text/plain
Content-Length: 566




Attention: myemail@yahoo.com


A Disallowed attachment type was found in an Email message you sent.
This Email scanner intercepted it and stopped the entire message
reaching its destination.

The Disallowed attachment type was reported to be:

PIF files not allowed per LuxuryLink security policy


Please contact your I.T support personnel with any queries regarding
this
policy.


Your message was sent with the following envelope:

MAIL FROM: myemail@yahoo.com
RCPT TO: news@luxurylink.com

... and with the following headers:

---
MAILFROM: myemail@yahoo.com
Received: from c-24-12-43-24.client.comcast.net (HELO luxurylink.com)
(24.12.43.24)
by mx1.luxurylink.com with SMTP; 8 Apr 2004 17:49:15 -0000
From: sweepershomepage@yahoo.com
To: news@luxurylink.com
Subject: Re: Information
Date: Thu, 8 Apr 2004 12:49:16 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal



-------------------------------------------------------

From Mail Delivery System Thu Apr 8 08:06:27 2004
X-Apparently-To: myemail@yahoo.com via web20503.mail.yahoo.com; Thu, 08 Apr 2004 09:16:57 -0700
X-YahooFilteredBulk: 207.238.213.17
Return-Path: <>
Received: from 207.238.213.17 (EHLO host7.indyserv.net) (207.238.213.17) by mta287.mail.scd.yahoo.com with SMTP; Thu, 08 Apr 2004 08:06:28 -0700
Received: from mailnull by host7.indyserv.net with local (Exim 4.24) id 1BBb6p-00068W-Sm for myemail@yahoo.com; Thu, 08 Apr 2004 11:06:27 -0400
X-Failed-Recipients: info@winfreegiftcertificates.com
Auto-Submitted: auto-generated
From: "Mail Delivery System" <Mailer-Daemon@host7.indyserv.net> Add to Address Book
To: myemail@yahoo.com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1BBb6p-00068W-Sm@host7.indyserv.net>
Date: Thu, 08 Apr 2004 11:06:27 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host7.indyserv.net
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
Content-Length: 18707




This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
failed:

info@winfreegiftcertificates.com
This message has been rejected because it has
a potentially executable attachment "description2.pif"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------

Return-path: <myemail@yahoo.com>
Received: from [24.12.43.24] (helo=winfreegiftcertificates.com)
by host7.indyserv.net with esmtp (Exim 4.24)
id 1BBb6n-00068Q-MZ
for info@winfreegiftcertificates.com; Thu, 08 Apr 2004 11:06:25 -0400
From: myemail@yahoo.com
To: info@winfreegiftcertificates.com
Subject: Re: Description
Date: Thu, 8 Apr 2004 10:06:27 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <E1BBb6n-00068Q-MZ@host7.indyserv.net>

This is a multi-part message in MIME format.


Hi!
Please, description.

Re:Do I have W32.Netsky.T@mm virus originators IP address?

Hi,
I do NOT think you can do anything:

If the system date is between April 14, 2004 to April 23, 2004, the worm will try to perform a DoS attack against the following Web sites:

www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us


If the system date is not April 2004, or if it is and the day is less than 14 or greater than 16, the worm will attempt to use its own SMTP engine to send itself to all the email addresses that it finds.

Note: If the worm finds the email address "someone@hostname.com," it will attempt to use the server, "hostname.com," as the SMTP server.

The email has the following characteristics:

From: <Spoofed>

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.t@mm.html
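An added example, not part of either post: it parses the two header copies quoted in the bounces above and separates the one field written by the receiving mail server (the connecting IP in `Received:`) from the fields the sending machine supplies itself (`HELO` name and `From:`), which is the distinction the reply's "From: <Spoofed>" note rests on. The function names `analyse` and `senders_by_ip` are hypothetical, and the folding whitespace on continuation lines is restored by assumption.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Header copies from the two bounces quoted in the first post. The leading
# spaces on continuation lines (lost in the forum paste) are restored.
QMAIL_COPY = """\
Received: from c-24-12-43-24.client.comcast.net (HELO luxurylink.com)
 (24.12.43.24)
 by mx1.luxurylink.com with SMTP; 8 Apr 2004 17:49:15 -0000
From: sweepershomepage@yahoo.com
To: news@luxurylink.com
"""
EXIM_COPY = """\
Received: from [24.12.43.24] (helo=winfreegiftcertificates.com)
 by host7.indyserv.net with esmtp (Exim 4.24)
 id 1BBb6n-00068Q-MZ
 for info@winfreegiftcertificates.com; Thu, 08 Apr 2004 11:06:25 -0400
From: myemail@yahoo.com
To: info@winfreegiftcertificates.com
"""
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
HELO_RE = re.compile(r"(?:helo|ehlo)[ =]([\w.-]+)", re.I)

def domain(addr_header):
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()

def analyse(raw):
    """Split one bounced header copy into recorded vs. sender-claimed facts."""
    msg = message_from_string(raw)
    received = msg.get_all("Received")[0]   # written by the receiving MTA
    helo = HELO_RE.search(received).group(1).lower()
    return {
        "connecting_ip": IP_RE.search(received).group(1),  # recorded by MTA
        "helo": helo,                                      # claimed by client
        "from": parseaddr(msg["From"])[1].lower(),         # claimed by client
        "helo_is_recipient_domain": helo == domain(msg["To"]),
    }

def senders_by_ip(raws):
    """Group the claimed From addresses under the IP that delivered them."""
    seen = defaultdict(set)
    for r in map(analyse, raws):
        seen[r["connecting_ip"]].add(r["from"])
    return {ip: sorted(addrs) for ip, addrs in seen.items()}

if __name__ == "__main__":
    print(senders_by_ip([QMAIL_COPY, EXIM_COPY]))
```

On these two samples the same connecting IP appears under two different `From:` addresses, and in both the `HELO` name is simply the recipient's own domain. The IP therefore identifies the machine that opened the SMTP connection, while the sender address and greeting carry no evidential weight.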

Re:Do I have W32.Netsky.T@mm virus originators IP address?
by Grif Thomas Forum moderator / April 17, 2004 1:40 PM PDT