[Dshield] Polish Baloney

Keith Bergen keith at keithbergen.com
Wed Oct 22 19:05:36 GMT 2003

A lot of these viruses will infect your system, and then pick 
two names out of the address book. They will make the email 
to one name, and appear to be from the other.

When the recieving email server gets the email, it then 
reports back to the spoofed sender saying you are infected.

Of course, you are not infected, but somebody that has your 
address in their address book likely is. You can narrow it 
down by looking at the headers, and in some cases identify 
friends with particular ISP's but it's likely you won't find 
out who truly is infected.

Hope this helps,

---- Original message ----
>Date: Wed, 22 Oct 2003 10:14:56 -0700 (PDT)
>From: snuffy smith <snuffy at emailaccount.com>  
>Subject: [Dshield] Polish Baloney  
>To: list at dshield.org
> What follows is an email I recieved that says that
>my computer is sending infected emails to everyone 
>in my address book.
>First of all I don't have an address book. And
>second of all there is no email program installed 
>on my machine.
>I use Opera 6.5 Browser, and web based email, that 
>is, I go to emailaccount.coms' website to send and 
>recieve  email.  If I click on a "send an email" link
>while surfing, I get the pop-up message "there is no 
>email  client configured on this machine, would you
>like to configure one now?"  Of course I always say
>no and use Opera to extract the email addy from the
>link. When I installed win98se I purposley left out
>the address book in the config process. I purposley
>declined to install Outlaw Express mail prog.  
>How could I possibly be sending Bugbear to every
>which way and yon??
>Can anybody spot any clues as to what this is all about
>by simply looking at the header??
>I suspect it is some kind of spam but it doesn't seem
>to be selling anything.  Puzzled.
>If someone with my email addy in their address book is
>guilty, how can I find out who it is so I can tell them?
>Thanks in advance.             Mel.  
>                  *full header *
>Subject:  RAV AntiVirus scan results
>X-Rav-Antivirus:  Ten e-mail zostal przeskanowany 
>przez: azoty.pulawy.pl
>Importance:  high
>From:  "RAV AntiVirus" <ravms at azoty.pulawy.pl>
>X-Priority:  1
>X-Msmail-Priority:  1
>from firewall.azoty.pulawy.pl (hel.azoty.pulawy.pl 
[])by imta14.mta.everyone.net (Postfix) with 
SMTP id D40C11857DEfor <snuffy at emailaccount.com>; Wed, 22 Oct 
2003 00:43:47 -0700 (PDT)
>from krypton.azoty.pulawy.pl 
(IDENT:root at krypton.azoty.pulawy.pl
>[])by azoty.pulawy.pl (8.12.9/8.12.9) with SMTP id 
h9M7njAv017004;Wed, 22 Oct 2003 09:49:45 +0200
>Mime-Version:  1.0
>Date:  Wed, 22 Oct 2003 09:49:46 +0200
>Message-Id:  <200310220749.h9M7njAv017004 at azoty.pulawy.pl>
>X-Mailer:  ravmd/8.4.2
>                    * Body of the email *
>This e-mail is generated by the krypton.azoty.pulawy.pl mail 
server to
>warn you that the e-mail
>sent by <not disclosed> to <not disclosed> is infected with 
virus: Win32/Bugbear.B at mm.
>Please contact your system administrator for further 
>If you are the sender:
>The scanned e-mail has your address in the <From> header 
field. Either
>computer is infected or someone's computer having your e-
mail address in
>the address book has been infected.
>(Please note that some viruses are sending e-mails directly 
from your
>Our advise is to check your computer using an up-to-date 
>If you are the receiver:
>Please contact the sender: most likely he/she doesn't know 
he/she has a
>computer virus.
>Actions taken for the infected files:
>The infected file was saved to quarantine with name: 
>The file (part0001:Damages_In_Trademark_Cases.pdf.scr) 
attached to mail
>(with subject: Re: Web of Science) sent by <not disclosed> 
to <not
>is infected with virus: Win32/Bugbear.B at mm.
>Cannot clean this file.
>The file was successfully deleted by RAV AntiVirus.
>this is a copy of the e-mail header:
>RAV AntiVirus for Linux i386 version: 8.4.2 (snapshot-
>Scan engine 8.11 for i386.
>Last update: Mon, 20 Oct 2003 20:59:52 +02
>Scanning for 83766 malwares (viruses, trojans and worms).
>        *end of email body *
>Finally an email address your friends will remember!
>Become you at EmailAccount.com at http://www.emailaccount.com/
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 
"Life is like an analogy"

More information about the list mailing list