I have recieved 2 e-mails, that do not contain any text.....,

X-From_: rmulvey1@twcny.rr.com Sun Apr 21 22:00:34 2002
Return-path: <rmulvey1@twcny.rr.com>
Envelope-to: vic@****.fsnet.co.uk
Delivery-date: Sun, 21 Apr 2002 22:00:34 +0100
Received: from [128.242.207.107] (helo=linux1587.dn.net)
by imailg2b.svr.pol.co.uk with esmtp (Exim 3.35 #1)
id 16zORl-0006dz-00
for vic@****.fsnet.co.uk; Sun, 21 Apr 2002 22:00:33 +0100
Received: from [24.92.226.122] (helo=mailout5.nyroc.rr.com)
by linux1587.dn.net with esmtp (Exim 3.22 #2)
id 16zOAS-0005gZ-00
for vic@****.co.uk; Sun, 21 Apr 2002 16:42:40 -0400
Received: from Nxvfjqqb (syr-66-24-63-239.twcny.rr.com [66.24.63.239])
by mailout5.nyroc.rr.com (8.11.6/Road Runner 1.12) with SMTP id g3LKqoM29061
for <vic@****.co.uk>; Sun, 21 Apr 2002 16:52:51 -0400 (EDT)
Date: Sun, 21 Apr 2002 16:52:51 -0400 (EDT)
Message-Id: <200204212052.g3LKqoM29061@mailout5.nyroc.rr.com >
From: mnorthrop <mnorthrop@sikids.timeinc.com>
To: vic@****.co.uk
Subject: Introduction on ADSL
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=TZ53jtPU70g38PjB06


X-From_: mnotslight@mindspring.com Sun Apr 21 13:32:43 2002
Return-path: <mnotslight@mindspring.com>
Envelope-to: vic@****.fsnet.co.uk
Delivery-date: Sun, 21 Apr 2002 13:32:43 +0100
Received: from [128.242.207.107] (helo=linux1587.dn.net)
by imailm2.svr.pol.co.uk with esmtp (Exim 3.35 #1)
id 16zGWI-0003bo-00
for vic@****.fsnet.co.uk; Sun, 21 Apr 2002 13:32:42 +0100
Received: from [207.69.200.246] (helo=smtp10.atl.mindspring.net)
by linux1587.dn.net with esmtp (Exim 3.22 #2)
id 16zGF1-0001cJ-00
for Vic@****.co.uk; Sun, 21 Apr 2002 08:14:51 -0400
Received: from user-112103q.dsl.mindspring.com ([66.32.128.122] helo=Esp)
by smtp10.atl.mindspring.net with smtp (Exim 3.33 #1)
id 16zGVx-0001M8-00
for Vic@****.co.uk; Sun, 21 Apr 2002 08:32:21 -0400
From: sockeyeltd <sockeyeltd@aol.com>
To: Vic@****.co.uk
Subject: Climbing Gear
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=R75U02d0g4x67ro93v20E82
Message-Id: <E16zGVx-0001M8-00@smtp10.atl.mindspring.net>
Date: Sun, 21 Apr 2002 08:32:21 -0400

I do not regard them as particularly suspicion (but have done a virus check anyway)

is there any reason why there should be no text?



------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"

Regards..,
Vic.

Hi Vic,
I cant answer your question.
But I've had a couple that dose'nt show who there from.
Dont no how they do that, but I trashed them anyway.
kfh.


------------------
-------
Sequitur Patrem Non Passibus Aequis

I see one thing in common with both of them...MIME Type 1.0, check some of your other emails and see if that MIME type is getting through...

------------------
mjc
Links list:Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.

In Outlook Express when you click Properties to get full headers, click the Details tab, look at the bottom right and click Message Source.

Resize it to full screen and scroll down, you should see something like this below the headers:

--D2RzdC12R6jF6434eCW03646XL95V4lk7
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Gw1v9F7U96ysv9xK height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--D2RzdC12R6jF6434eCW03646XL95V4lk7
Content-Type: audio/x-midi;
name=HREF.bat
Content-Transfer-Encoding: base64
Content-ID: <Gw1v9F7U96ysv9xK>

The bold text is the attachment type and filename.

If you see something like that, it's most likely the W32.Klez.H@mm (http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html) virus. I've received 6 copies, the header info above was copied from one of them. It came from an AOL user. 3 came from Malaysia.

This virus is not easy to spot, it uses random filenames drawn from files existing on the infected computer, random subject lines, and can use any of a long list of file types to carry itself. It also sends itself to your entire address book and ICQ list.

Check the PC World forum, I also posted a notice about this virus a few days ago. It has the same link as above, McAffee probably has a write up about it too. I haven't checked.

If this turns out to be possible that it is this virus, you can either delete it or forward it as an attachment to the ISP it came from so they can inform their customer of the presence of the virus on their computer. That's what I do, but you have to know how to trace it back to the originating ISP to do it. I'm not going into that much detail...

Another caution: This virus can install itself without actually opening the message. Previewing it in the Preview Pane can allow it to install, so be careful of any emails with attachments.

All of the copies of this virus I received had no text, and various attachments included. All had subject lines listed on the Symantec page linked above. It looks like this virus is spreading really fast, Symantec has upgraded it to a level 3 threat, and their front page is a warning about it now. www.symantec.com (http://www.symantec.com) is the URL.

I hope this thing didn't manage to install itself, and if it did, I hope you don't have my email address in your address book...Sorry, but that's the honest truth...I've already seen my share of copies of this virus, and will probably see more before it's over with...

------------------
If your nose runs and your feet smell...
You're built upside down!
Note: Please post your questions on the forums, not in my email.

Computer Information Links (http://www.dreamwater.com/paleopete/computer.htm) has been moved, please update your bookmarks.

Decided to look into it a bit further...

I ran the IP address they came from through Dshield (http://www.dshield.org/ipinfo.php?ip=128.242.207.107&Submit=Submit) and another IP lookup, both said it came from the same place, Verio. Verio has been the source of a LOT of spam I have received in the past year, so much I started calling them "Spamio". You can forward the emails to abuse@verio.net with a note explaining that you suspect that the emails contain the Klez virus and that they need to inform their customer of its presence.

One of the subject lines Introduction to ADSL is on the Symantec list posted in my first response, the other, Climbing Gear[/b[] is not, but that doesn't mean it's not the virus. Everything I see so far indicates this is the Klez virus, BE CAREFUL WITH THOSE EMAILS.

I wish I could see the message source, I would know for sure. If you can locate it from the above instructions, post it up to the point it starts into random characters, I'll know when I see it.

------------------
If your nose runs and your feet smell...
You're built upside down!
[b]Note: Please post your questions on the forums, not in my email.

Computer Information Links (http://www.dreamwater.com/paleopete/computer.htm) has been moved, please update your bookmarks.

Pete,

first let me put your mind at rest. I do NOT have your addy in my address book, as I lost it when my previous pc crashed.

Thanks for the replies:

I have d/l the detect/repair prog and it has not found any klez viruses, also my AVG is bang up to date & that has not found any either, I have also done an online scan with PcCillon, which didn't find the KLEZ virus, but DID find JS LOOP A in 1st Page 2000. I know that some of you are using 1st Page so its worth checking.
haven't done anything with that yet, I will follow it up after posting.

so it looks like my pc is clear of KLEZ (maybe AVG got it on arrival !)

so what do you suggest I do with the e-mails ? my instinct is to delete, but if I could do something with them to help others then I will.

------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"

Regards..,
Vic.

here's some links for JS LOOP.
http://www.dslreports.com/forum/remark,2670366~root=security,1~mode=flat
http://www3.ca.com/Virus/Virus.asp?ID=9763
http://vil.nai.com/vil/content/v_99220.htm


there seems to be some argument as to whether this is part of 1st page packet & a fault with pcCillon or a trojan.


------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"

Regards..,
Vic.

I had a user that got an email that had no text. Turns out the sender was using white lettering on a dark background. The text came across white but the background didn't make it. So, white on white looks like no text. Just a thought.

jim that's a thought as you say . but how would one know (without the sender telling them) there seems to be no way to format incoming mail.

besides with the now very suspicious nature of the mail I don't want to risk opening it again, even though my pc came up 'clean' of the suspected virus.

I've put the 2 e-mails in my 'infected' folder for now.

I thought someone would have come back re 1st page as I know several use it, maybe they haven't noticed it in this post. maybe I'll put it in a new topic.

------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"

Regards..,
Vic.

[quote]but how would one know (without the sender telling them) there seems to be no way to format incoming mail.[/b]

In OE highlight the message title and click Properties. Click the Details tab then Message Source. That lets you see a text only version of the email.

Or you can open it and highlight it, any text should show through the highlight. Still can't edit it, but should be able to copy & paste into a text file or just read it.

------------------
If your nose runs and your feet smell...
You're built upside down!
Note: Please post your questions on the forums, not in my email.

Computer Information Links (http://www.dreamwater.com/paleopete/computer.htm) has been moved, please update your bookmarks.

it's different in outlook, no properties just options, but I did try opening (2nd one: subject = climbing gear) & highlighting the text nothing there.

Done another virus test as well: all clear.

is it worth doing anything with these? or shall I just delete them?

also any thoughts on "JS LOOP A" in 1st Page 2000. I thought there would have been some comments on this as I know several members use it.

------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"

Regards..,
Vic.

Yes I am one of the 1st Page users, but I haven't been able to find anything about that yet.

Ok, Vic it is a non-destructive trojan, that opens browser windows until all available memory is used and the browser then crashes.....it is one of the pre-packaged javascripts, called "Six Buttons from Hell"; more of an annoying gag than a virus, but if it disturbs you sitting there just go and delete that particular file (evrsoft\1stpage200\iscripts\buttons\Six buttons from hell.izs). It is just a prepackaged script you can add to a web page. It also seems that not all AV companies consider it an actual trojan/virus. It seems that some of them consider like the annoying scripts to call up unending ad-popups, an exercise in very poor taste.

Open it up in notepad and take a look at it...basically it like the old BASIC continuous loops; funny, if you are about 5 yrs old.



------------------
mjc
Links list:Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.

05/01/02 00:15:45 Fast traceroute 128.242.207.107
Trace 128.242.207.107 ...
1 1X.4.2.1 23ms 29ms 25ms TTL: 0 (No rDNS)
2 151.1XX.4.6X 26ms 26ms 24ms TTL: 0 (F6-0.Q-RTR2.BALT.verizon-gni.net probable bogus rDNS: No DNS)
3 205.171.61.145 35ms 33ms 38ms TTL: 0 (wdc-edge-07.inet.qwest.net ok)
4 205.171.24.129 33ms 33ms 33ms TTL: 0 (wdc-core-03.inet.qwest.net ok)
5 205.171.8.213 37ms 33ms 34ms TTL: 0 (dca-core-03.inet.qwest.net ok)
6 205.171.9.49 37ms 38ms 35ms TTL: 0 (dca-core-02.inet.qwest.net ok)
7 205.171.9.58 33ms 35ms 40ms TTL: 0 (dca-brdr-02.inet.qwest.net ok)
8 205.171.14.46 34ms 36ms 39ms TTL: 0 (p4-0.qwest.stngva01.us.bb.verio.net ok)
9 129.250.3.157 39ms 36ms 39ms TTL: 0 (p16-1-0-0.r01.mclnva02.us.bb.verio.net ok)
10 129.250.17.58 39ms 40ms 34ms TTL: 0 (p4-9-0.a00.alxnva02.us.da.verio.net ok)
11 216.167.88.100 37ms 40ms 39ms TTL: 0 (No rDNS)
12 216.167.88.133 42ms 36ms 38ms TTL: 0 (No rDNS)
13 128.242.207.107 37ms 35ms 38ms TTL:243 (No rDNS)

as we see, the last identafieable "hop" was #10 which was a verio address block-

however- spamcop reports:

Saved email:
This page may be saved for future reference:
<http://spamcop.net/sc?id=z36897702z8e7cf3c751c0ebf6aeb948126c7f49d6z>
Parsing header:

Received: from [128.242.207.107] (helo=linux1587.dn.net) by imailg2b.svr.pol.co.uk with esmtp (Exim 3.35 #1) id 16zORl-0006dz-00 for vic@****.fsnet.co.uk; Sun, 21 Apr 2002 22:00:33 +0100
no from
no auth from
Possible spammer: 128.242.207.107
Taking name from IP...
[show] </sc?action=showcmd&cmd=nslookup%20128.242.207.107> "nslookup 128.242.207.107" (getting name) no name
Received line partially untrusted

Received: from [24.92.226.122] (helo=mailout5.nyroc.rr.com) by linux1587.dn.net with esmtp (Exim 3.22 #2) id 16zOAS-0005gZ-00 for vic@****.co.uk; Sun, 21 Apr 2002 16:42:40 -0400
no from
no auth from
[show] </sc?action=showcmd&cmd=nslookup%20128.242.207.107> "nslookup 128.242.207.107" (getting name) no name
Possible spammer: 24.92.226.122
Taking name from IP...
[show] </sc?action=showcmd&cmd=nslookup%2024.92.226.122> "nslookup 24.92.226.122" (getting name) 24.92.226.122 = 'mailout5-0.nyroc.rr.com'
[show] </sc?action=showcmd&cmd=nslookup%20mailout5-0.nyroc.rr.com> "nslookup mailout5-0.nyroc.rr.com" (checking ip) ip = 24.92.226.122
Chain test:linux1587.dn.net =? 128.242.207.107
[show] </sc?action=showcmd&cmd=nslookup%20linux1587.dn.net> "nslookup linux1587.dn.net" (checking ip) ip = 128.242.207.107
ips are identical
linux1587.dn.net and 128.242.207.107 have close IP addresses - chain verified
Possible relay:128.242.207.107
[show] </sc?action=showcmd&cmd=nslookup%20107.207.242.128.relays.ordb.org.> "nslookup 107.207.242.128.relays.ordb.org." (checking ip) not found
128.242.207.107 has already been sent to relay testers
Received line accepted

Received: from Nxvfjqqb (syr-66-24-63-239.twcny.rr.com [66.24.63.239]) by mailout5.nyroc.rr.com (8.11.6/Road Runner 1.12) with SMTP id g3LKqoM29061 for <vic@****.co.uk>; Sun, 21 Apr 2002 16:52:51 -0400 (EDT)
[show] </sc?action=showcmd&cmd=nslookup%2024.92.226.122> "nslookup 24.92.226.122" (getting name) 24.92.226.122 = 'mailout5-0.nyroc.rr.com'
Possible spammer: 66.24.63.239
[show] </sc?action=showcmd&cmd=nslookup%20syr-66-24-63-239.twcny.rr.com> "nslookup syr-66-24-63-239.twcny.rr.com" (checking ip) ip = 66.24.63.239
Chain test:mailout5.nyroc.rr.com =? mailout5-0.nyroc.rr.com
mailout5.nyroc.rr.com and mailout5-0.nyroc.rr.com have same hostname - chain verified
Possible relay:24.92.226.122
[show] </sc?action=showcmd&cmd=nslookup%20122.226.92.24.relays.ordb.org.> "nslookup 122.226.92.24.relays.ordb.org." (checking ip) not found
24.92.226.122 has already been sent to relay testers
Received line accepted
Tracking message source:66.24.63.239:
[show] </sc?action=showcmd&cmd=nslookup%2066.24.63.239> "nslookup 66.24.63.239" (getting name) 66.24.63.239 = 'syr-66-24-63-239.twcny.rr.com'
[show] </sc?action=showcmd&cmd=nslookup%20syr-66-24-63-239.twcny.rr.com> "nslookup syr-66-24-63-239.twcny.rr.com" (checking ip) ip = 66.24.63.239
Paranoid reverse DNS passes
abuse.net twcny.rr.com = abuse@rr.com
Sorry, this email is too old to file a spam report. You must report spam within 3 days of receipt. This mail was received on Sun, 21 Apr 2002 22:00:33 +0100


Initiating server query ...
Looking up the domain name for IP: 128.242.207.107
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.1 401 Authorization Required
Date: Wed, 01 May 2002 04:13:47 GMT
Server: Apache/1.3.14 (Unix)
WWW-Authenticate: Basic realm="Test"
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Query complete.

on the first one, and the second:

Saved email:
This page may be saved for future reference:
<http://spamcop.net/sc?id=z36898136zc04b1a1d1fc7dd270fce8c89856c2672z>
Parsing header:

Received: from [128.242.207.107] (helo=linux1587.dn.net) by imailm2.svr.pol.co.uk with esmtp (Exim 3.35 #1) id 16zGWI-0003bo-00 for vic@****.fsnet.co.uk; Sun, 21 Apr 2002 13:32:42 +0100
no from
no auth from
Possible spammer: 128.242.207.107
Taking name from IP...
[show] </sc?action=showcmd&cmd=nslookup%20128.242.207.107> "nslookup 128.242.207.107" (getting name) no name
Received line partially untrusted

Received: from [207.69.200.246] (helo=smtp10.atl.mindspring.net) by linux1587.dn.net with esmtp (Exim 3.22 #2) id 16zGF1-0001cJ-00 for Vic@****.co.uk; Sun, 21 Apr 2002 08:14:51 -0400
no from
no auth from
[show] </sc?action=showcmd&cmd=nslookup%20128.242.207.107> "nslookup 128.242.207.107" (getting name) no name
Possible spammer: 207.69.200.246
Taking name from IP...
[show] </sc?action=showcmd&cmd=nslookup%20207.69.200.246> "nslookup 207.69.200.246" (getting name) 207.69.200.246 = 'smtp10.atl.mindspring.net'
[show] </sc?action=showcmd&cmd=nslookup%20smtp10.atl.mindspring.net> "nslookup smtp10.atl.mindspring.net" (checking ip) ip = 207.69.200.246
Chain test:linux1587.dn.net =? 128.242.207.107
[show] </sc?action=showcmd&cmd=nslookup%20linux1587.dn.net> "nslookup linux1587.dn.net" (checking ip) ip = 128.242.207.107
ips are identical
linux1587.dn.net and 128.242.207.107 have close IP addresses - chain verified
Possible relay:128.242.207.107
[show] </sc?action=showcmd&cmd=nslookup%20107.207.242.128.relays.ordb.org.> "nslookup 107.207.242.128.relays.ordb.org." (checking ip) not found
128.242.207.107 has already been sent to relay testers
Received line accepted

Received: from user-112103q.dsl.mindspring.com ([66.32.128.122] helo=Esp) by smtp10.atl.mindspring.net with smtp (Exim 3.33 #1) id 16zGVx-0001M8-00 for Vic@****.co.uk; Sun, 21 Apr 2002 08:32:21 -0400
[show] </sc?action=showcmd&cmd=nslookup%20207.69.200.246> "nslookup 207.69.200.246" (getting name) 207.69.200.246 = 'smtp10.atl.mindspring.net'
Possible spammer: 66.32.128.122
[show] </sc?action=showcmd&cmd=nslookup%20user-112103q.dsl.mindspring.com> "nslookup user-112103q.dsl.mindspring.com" (checking ip) ip = 66.32.128.122
Taking name from IP...
[show] </sc?action=showcmd&cmd=nslookup%2066.32.128.122> "nslookup 66.32.128.122" (getting name) 66.32.128.122 = 'user-112103q.dsl.mindspring.com'
[show] </sc?action=showcmd&cmd=nslookup%20user-112103q.dsl.mindspring.com> "nslookup user-112103q.dsl.mindspring.com" (checking ip) ip = 66.32.128.122
Chain test:smtp10.atl.mindspring.net =? smtp10.atl.mindspring.net
smtp10.atl.mindspring.net and smtp10.atl.mindspring.net have same hostname - chain verified
Possible relay:207.69.200.246
[show] </sc?action=showcmd&cmd=nslookup%20246.200.69.207.relays.ordb.org.> "nslookup 246.200.69.207.relays.ordb.org." (checking ip) not found
207.69.200.246 has already been sent to relay testers
Received line accepted
Tracking message source:66.32.128.122:
[show] </sc?action=showcmd&cmd=nslookup%2066.32.128.122> "nslookup 66.32.128.122" (getting name) 66.32.128.122 = 'user-112103q.dsl.mindspring.com'
[show] </sc?action=showcmd&cmd=nslookup%20user-112103q.dsl.mindspring.com> "nslookup user-112103q.dsl.mindspring.com" (checking ip) ip = 66.32.128.122
Paranoid reverse DNS passes
abuse.net mindspring.com = abuse@abuse.earthlink.net
Sorry, this email is too old to file a spam report. You must report spam within 3 days of receipt. This mail was received on Sun, 21 Apr 2002 13:32:42 +0100
for the second one.

***********

http://www.PCGuide.com/ubb/wink.gif

------------------
sea1_69@hotmail.com

homepage (http://www.seanweb1.homestead.com/index.html)

[This message has been edited by sea69 (edited 05-01-2002).]

mjc

there are a couple of links I posted earlier, which is all I found on it so far.

I opened the file up in notepad and see what you mean. trouble is I forgot to knock the tick out of the box, so now I can open up all those files in notepad, so I suppose it has cocked up the attributes, how can I change that back so that it opens up with whatever it is supposed to ?

sea

thanks for all the info (I wish I understood it) from what I can gather it is probably spam, both from the same stable.
is that correct ?

I'll have to go through it again, but probably wont get much of an idea until I wake up properly (which is usually about July)

but can you give a hint in a few words ?

------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"

Regards..,
Vic.

SpamCop (http://spamcop.net) created by Julian Haight gave me the data summary you see.

As Pete reported, the IP in a standard tracert comes out to a verio address. The problem is that this only gives you the last identifiable rdns. The site has script files that enable a much more detailed (fine tuned) search which is complete as it identifies the part(ies) to the real orginating IP, over 30 'hops'.

this part:
Initiating server query ...
Looking up the domain name for IP: 128.242.207.107
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.1 401 Authorization Required
Date: Wed, 01 May 2002 04:13:47 GMT
Server: Apache/1.3.14 (Unix)
WWW-Authenticate: Basic realm="Test"
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Query complete.
- I did with a ID Serve (http://grc.com/id/idserve.htm) by Steve Gibson.

http://www.PCGuide.com/ubb/wink.gif




[This message has been edited by sea69 (edited 05-01-2002).]