Warning: Do not communicate with Ben

Ben Harmless · December 15th, 2003, 01:40 PM

A fellow TDPRI member recieved a message recently from benharmless@aol.com containing an executable file of unknown origin.

Funny thing is, I don't remember signing up for an AOL address. Ever. My e-mail address had been benharmless@yahoo.com for years, and before that it was benharmless@hotmail.com.

If any of you fine folks get a message from me that contains an attachment of any sort that wasn't discussed beforehand - delete away. In fact, if you recieve a message from me that is in any way comprehensible, then it's probably not from me, so you can go ahead and delete that too. :D

I just ad-aware'd my computer, and I haven't fed Zone Alarm in a couple of days, so it should be really vicious by now. Hopefully this won't happen to anyone else.

Thanks all.

John E · December 15th, 2003, 02:26 PM

of obviously bogus emails, mostly from TDPRI members... ie. Barron(Fuzzy), GuitarJonz, Inertian, that are obviously not really from these guys... even got one from Paypal - just a blank email. Somebody on the board must have a worm... Luckily earthlink strips most of the attachments from my incoming email....

halouis · December 15th, 2003, 05:21 PM

yup me too. but it aint me. i swear. i am on a Mac and aint infected. but sometimes folks think its me.

dang worms and viruses.

Dacious · December 15th, 2003, 05:55 PM

Nobody needs have a worm. There are 'bots which just specialise in stripping headers and replacing contents. Just need to be attached to the internet. Same thing applies - look for attachments in unsolicited mail.

You can cirumvent a lot of nasties by the use of webmail instead of Outlook/Mail etc.

TDPRI · December 15th, 2003, 06:29 PM

It's obviously a TDPer with this virus. I found the true sender's IP address but whomever it is has not posted on the TDPRI. When people visit here the IP address is captured... but then deleted every few days. When they post the IP is captured and it stays in the record. So, if someone doesn't post I can't run down their IP address.

It is someone with a Comcast or attbi.com email address, I can tell you that.

Sometimes I get lucky and can run down the person from the IP address. However it's NEVER the person that's listed as the sender with the virus.

Paul Green

Baard · December 16th, 2003, 04:34 PM

The all say

returning massage....
Either because of a virus or because of something else...recipient unknown...weird. Most of these people that i get it back from I have never communicated...but the attatchment sometimes have email.adresses that i know...webmaster@tdpri.com is one of them.

I got one with sent back with this:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

getdirc887@rcp.net.pe
SMTP error from remote mailer after RCPT TO:<getdirc887@rcp.net.pe>:
host amauta5.rcp.net.pe [161.132.8.38]: 550 unknow user

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 133219 characters long; only the first
------ 106496 or so are included here.

Return-path: <bths@orangenet.dk>
Received: from rawdeal.mobilixnet.dk ([212.97.204.25])
by kuntur.rcp.net.pe with esmtp (Exim 4.24)
id 1AWKv1-00044s-Us
for getdirc887@rcp.net.pe; Tue, 16 Dec 2003 14:31:44 -0500
Received: from Jguo (ras-17-041.mobilixnet.dk [212.97.247.41])
by rawdeal.mobilixnet.dk (8.12.9/8.9.3) with SMTP id hBGJV3Pf088434
for <getdirc887@rcp.net.pe>; Tue, 16 Dec 2003 20:31:04 +0100 (CET)
Date: Tue, 16 Dec 2003 20:31:03 +0100 (CET)
Message-Id: <200312161931.hBGJV3Pf088434@rawdeal.mobilixnet.dk >
From: le <le@yahoo.co.kr>
To: getdirc887@rcp.net.pe
Subject: A special new game
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=WO24Y4Y3vu0N

--WO24Y4Y3vu0N
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>This is a new game

This game is my first work.

You're the first player.

I wish you would like it.</FONT></BODY></HTML>

--WO24Y4Y3vu0N
Content-Type: application/octet-stream;
name=install.exe
Content-Transfer-Encoding: base64
Content-ID: <G2s4zue483DW4Fv>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIG Nhbm5vdCBiZSBydW4gaW4g
RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+ Qfs1j4E7Pf5B2zT/gTs7Tn
GbNm+BOzPucAs1X4E7Nc+BKzJfgTs7TnGLNO+BOz5P4Vs134E7 NSaWNoXPgTswAAAAAAAAAA
UEUAAEwBBAC4jrc8AAAAAAAAAADgAA8BCwEGAADAAAAAkAgAAA AAAFiEAAAAEAAAANAAAAAA
QAAAEAAAABAAAAQAAAAAAAAABAAAAAAAAAAAYAkAABAAAAAAAA ACAAAAAAAQAAAQAAAAABAA
ABAAAAAAAAAQAAAAAAAAAAAAAAAg1gAAZAAAAABQCQAQAAAAAA AAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA

etc...

Can anybody tell me how to get rid of this thing, as it´s causing trouble...

Sorry for bothering you on the page, but I dont know what to do I never had one of those before.

Baard

OK...I think it´s the

W32/Klez.h@MM virus.....

Baard · December 16th, 2003, 05:58 PM

it was the virus mentioned above, i downloaded a fix programme. Took care of it.(I hope) phew...what a stinker.

Baard

December 15th, 2003, 01:40 PM	#1 (permalink)
Ben Harmless Friend of Leo's Join Date: Mar 2003 Location: Albany, NY US of A Posts: 3,264 6 Photos	Warning: Do not communicate with Ben A fellow TDPRI member recieved a message recently from benharmless@aol.com containing an executable file of unknown origin. Funny thing is, I don't remember signing up for an AOL address. Ever. My e-mail address had been benharmless@yahoo.com for years, and before that it was benharmless@hotmail.com. If any of you fine folks get a message from me that contains an attachment of any sort that wasn't discussed beforehand - delete away. In fact, if you recieve a message from me that is in any way comprehensible, then it's probably not from me, so you can go ahead and delete that too. :D I just ad-aware'd my computer, and I haven't fed Zone Alarm in a couple of days, so it should be really vicious by now. Hopefully this won't happen to anyone else. Thanks all. __________________ "I think I'll go for the life of sin, followed by the last-minute, presto-change-o, deathbed repentance." - B. Simpson

December 15th, 2003, 02:26 PM	#2 (permalink)
John E Tele-Afflicted Join Date: Mar 2003 Location: Connecticut Posts: 1,396	Yeah I been getting a ton... of obviously bogus emails, mostly from TDPRI members... ie. Barron(Fuzzy), GuitarJonz, Inertian, that are obviously not really from these guys... even got one from Paypal - just a blank email. Somebody on the board must have a worm... Luckily earthlink strips most of the attachments from my incoming email....

December 15th, 2003, 05:55 PM	#4 (permalink)
Dacious Friend of Leo's Join Date: Mar 2003 Location: Godzone Posts: 2,612 35 Photos	Nobody needs have a worm. There are 'bots which just specialise in stripping headers and replacing contents. Just need to be attached to the internet. Same thing applies - look for attachments in unsolicited mail. You can cirumvent a lot of nasties by the use of webmail instead of Outlook/Mail etc. __________________ My other Telecaster is a Thinline The Tele Bible, Ch 1, v 10 Love thy Telecaster, covet not thy neighbour's Strat!

December 15th, 2003, 06:29 PM	#5 (permalink)
TDPRI Administrator Poster Extraordinaire Join Date: Mar 2003 Location: TDPRILAND Posts: 5,577 36 Photos	I've been getting them too It's obviously a TDPer with this virus. I found the true sender's IP address but whomever it is has not posted on the TDPRI. When people visit here the IP address is captured... but then deleted every few days. When they post the IP is captured and it stays in the record. So, if someone doesn't post I can't run down their IP address. It is someone with a Comcast or attbi.com email address, I can tell you that. Sometimes I get lucky and can run down the person from the IP address. However it's NEVER the person that's listed as the sender with the virus. Paul Green

December 16th, 2003, 04:34 PM	#6 (permalink)
Baard Tele-Holic Join Date: Mar 2003 Location: Denmark Posts: 668	I get all kinds of mail delivery system messages... The all say returning massage.... Either because of a virus or because of something else...recipient unknown...weird. Most of these people that i get it back from I have never communicated...but the attatchment sometimes have email.adresses that i know...webmaster@tdpri.com is one of them. I got one with sent back with this: This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: getdirc887@rcp.net.pe SMTP error from remote mailer after RCPT TO:<getdirc887@rcp.net.pe>: host amauta5.rcp.net.pe [161.132.8.38]: 550 unknow user ------ This is a copy of the message, including all the headers. ------ ------ The body of the message is 133219 characters long; only the first ------ 106496 or so are included here. Return-path: <bths@orangenet.dk> Received: from rawdeal.mobilixnet.dk ([212.97.204.25]) by kuntur.rcp.net.pe with esmtp (Exim 4.24) id 1AWKv1-00044s-Us for getdirc887@rcp.net.pe; Tue, 16 Dec 2003 14:31:44 -0500 Received: from Jguo (ras-17-041.mobilixnet.dk [212.97.247.41]) by rawdeal.mobilixnet.dk (8.12.9/8.9.3) with SMTP id hBGJV3Pf088434 for <getdirc887@rcp.net.pe>; Tue, 16 Dec 2003 20:31:04 +0100 (CET) Date: Tue, 16 Dec 2003 20:31:03 +0100 (CET) Message-Id: <200312161931.hBGJV3Pf088434@rawdeal.mobilixnet.dk > From: le <le@yahoo.co.kr> To: getdirc887@rcp.net.pe Subject: A special new game MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=WO24Y4Y3vu0N --WO24Y4Y3vu0N Content-Type: text/html; Content-Transfer-Encoding: quoted-printable <HTML><HEAD></HEAD><BODY> <FONT>This is a new game This game is my first work. You're the first player. I wish you would like it.</FONT></BODY></HTML> --WO24Y4Y3vu0N Content-Type: application/octet-stream; name=install.exe Content-Transfer-Encoding: base64 Content-ID: <G2s4zue483DW4Fv> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIG Nhbm5vdCBiZSBydW4gaW4g RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+ Qfs1j4E7Pf5B2zT/gTs7Tn GbNm+BOzPucAs1X4E7Nc+BKzJfgTs7TnGLNO+BOz5P4Vs134E7 NSaWNoXPgTswAAAAAAAAAA UEUAAEwBBAC4jrc8AAAAAAAAAADgAA8BCwEGAADAAAAAkAgAAA AAAFiEAAAAEAAAANAAAAAA QAAAEAAAABAAAAQAAAAAAAAABAAAAAAAAAAAYAkAABAAAAAAAA ACAAAAAAAQAAAQAAAAABAA ABAAAAAAAAAQAAAAAAAAAAAAAAAg1gAAZAAAAABQCQAQAAAAAA AAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA etc... Can anybody tell me how to get rid of this thing, as it´s causing trouble... Sorry for bothering you on the page, but I dont know what to do I never had one of those before. Baard OK...I think it´s the W32/Klez.h@MM virus..... __________________ All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident.

December 15th, 2003, 05:21 PM	#3 (permalink)
halouis Tele-Afflicted Join Date: Mar 2003 Location: Virginia Posts: 1,404 7 Photos	yup me too. but it aint me. i swear. i am on a Mac and aint infected. but sometimes folks think its me. dang worms and viruses.

December 16th, 2003, 05:58 PM	#7 (permalink)
Baard Tele-Holic Join Date: Mar 2003 Location: Denmark Posts: 668	It´s gone.... it was the virus mentioned above, i downloaded a fix programme. Took care of it.(I hope) phew...what a stinker. Baard __________________ All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident.