FW: Returned mail: see transcript for details (RE: [Dshield] New Agobot infection here?)

john beck jbeck80 at hotmail.com
Thu Mar 4 15:56:34 GMT 2004


I sent a reply to the list and my post went through, but I got this strange 
reply. Do you know why?
Is this your provider, or a spam filter service, or maybe you were doing 
maintenance?

John

>From: anonymous at videotron.ca
>To: jbeck80 at hotmail.com
>Subject: Returned mail: see transcript for details (RE: [Dshield] New 
>Agobot infection here?)
>Date: Wed,  3 Mar 2004 19:57:42 -0500 (EST)
>
>
>
>    ----- The following addresses had permanent fatal errors -----
><list at dshield.org>
>     (reason: 550 Recipient <list at dshield.org> is no user here)
>
>
>    ----- Transcript of session follows -----
>.. while talking to smtp.:
> >>> RCPT To:<list at dshield.org>
><<< 550 Recipient <list at dshield.org> is no user here
>550 5.1.1 <list at dshield.org>... User unknown
>
>
>    ----- Transcript of mail follows -----
>Return-path: <list-bounces at dshield.org>
>Received: from VL-MO-MR003.ip.videotron.ca
>  (VL-MO-MR003.ip.videotron.ca [10.23.32.23]) by 
>VL-MO-MS004.ip.videotron.ca
>  (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8 2003))
>  with ESMTP id <0HU1003NF17S7B at VL-MO-MS004.ip.videotron.ca> for
>  madirish at videotron.ca; Wed, 03 Mar 2004 19:55:04 -0500 (EST)
>Received: from c009.snv.cp.net ([209.228.34.111])
>  by VL-MO-MR003.ip.videotron.ca
>  (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8 2003))
>  with SMTP id <0HU100E8S17S8T at VL-MO-MR003.ip.videotron.ca> for
>  madirish at videotron.ca (ORCPT madirish at videotron.ca); Wed,
>  03 Mar 2004 19:55:04 -0500 (EST)
>Received: (cpmta 10161 invoked from network); Wed, 03 Mar 2004 16:55:04 
>-0800
>Received: (cpmta 10121 invoked from network); Wed, 03 Mar 2004 16:55:02 
>-0800
>Received: from 65.173.218.103 (HELO mail.giac.net)
>  by smtp.c009.snv.cp.net (209.228.34.111) with SMTP; Wed,
>  03 Mar 2004 16:55:02 -0800
>Received: (qmail 9669 invoked from network); Thu, 04 Mar 2004 00:55:01 
>+0000
>Received: from  (HELO dshield.com) (@) by 0 with SMTP; Thu,
>  04 Mar 2004 00:55:01 +0000
>Received: from maverick12.sans.org (localhost.localdomain [127.0.0.1])
>	by dshield.com (8.11.6/8.11.6) with ESMTP id i240swi12122; Thu,
>  04 Mar 2004 00:54:58 +0000 (GMT)
>Received: from mail.giac.net (iceman1 [65.173.218.103])
>	by dshield.com (8.11.6/8.11.6) with SMTP id i23MIPi05007	for
>  <list at maverick12.sans.org>; Wed, 03 Mar 2004 22:18:25 +0000 (GMT)
>Received: (qmail 9711 invoked from network); Wed, 03 Mar 2004 22:18:24 
>+0000
>Received: from  (HELO dshield.org) (@)	by 0 with SMTP; Wed,
>  03 Mar 2004 22:18:24 +0000
>X-Received: 4 Mar 2004 00:55:02 GMT
>Date: Wed, 03 Mar 2004 16:15:36 -0600
>From: john beck <jbeck80 at hotmail.com>
>Subject: RE: [Dshield] New Agobot infection here?
>X-Originating-IP: [63.224.176.50]
>Sender: list-bounces at dshield.org
>X-Sender: jbeck80 at hotmail.com
>To: list at dshield.org
>Errors-to: list-bounces at dshield.org
>Reply-to: General DShield Discussion List <list at dshield.org>
>Message-id: <Sea2-F16Fc83tWyzURc0005415e at hotmail.com>
>MIME-version: 1.0
>Content-type: text/plain; CHARSET=ISO-8859-1; format=flowed
>Content-transfer-encoding: 8BIT
>Precedence: list
>X-BeenThere: list at dshield.org
>Delivered-to: canada.com%carlow at canada.com
>Old-Received: (qmail 6546 invoked from network); 3 Mar 2004 22:15:38 -0000
>Old-Received: from mail2.giac.net (HELO iceman.incidents.org) 
>(63.100.47.43)	by
>  0 with SMTP; 3 Mar 2004 22:15:38 -0000
>Old-Received: (qmail 24445 invoked from network); 3 Mar 2004 22:15:37 -0000
>Old-Received: from sea2-f16.sea2.hotmail.com (HELO hotmail.com) 
>(207.68.165.16)
>	by 0 with SMTP; 3 Mar 2004 22:15:37 -0000
>Old-Received: from mail pickup service by hotmail.com with Microsoft 
>SMTPSVC;
>	Wed, 3 Mar 2004 14:15:36 -0800
>Old-Received: from 63.224.176.50 by sea2fd.sea2.hotmail.msn.com with 
>HTTP;	Wed,
>  03 Mar 2004 22:15:36 GMT
>Old-X-Envelope-To: list at dshield.org
>X-Originating-Email: [jbeck80 at hotmail.com]
>X-Seen-By: bob list
>X-Mailman-Approved-At: Thu, 04 Mar 2004 00:48:15 +0000
>X-Mailman-Version: 2.1.4
>List-Post: <mailto:list at dshield.org>
>List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
>	<mailto:list-request at dshield.org?subject=subscribe>
>List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
>	<mailto:list-request at dshield.org?subject=unsubscribe>
>List-Archive: <http://www.dshield.org/pipermail/list>
>List-Help: <mailto:list-request at dshield.org?subject=help>
>List-Id: General DShield Discussion List <list.dshield.org>
>Original-recipient: rfc822;madirish at videotron.ca
>X-OriginalArrivalTime: 03 Mar 2004 22:15:36.0973 (UTC)
>	FILETIME=[0DEA2BD0:01C4016D]
>
>
>X-Bounce: msd
>
>To me this looks like browser hijacking by malware (spyware/adware). Run a
>Spybot S&D scan and clean (immunize and modify the hosts file using Spybot)
>and Ad-Aware (scan and clean; it catches more than Spybot but does not have
>the tools to prevent reinfection).  This is very typical of spam coming into
>email and the user opening or clicking a link.  Antivirus does not pick up all
>malware. I work at many places (workaholic); at a local college where we can
>not content filter (get labeled as Nazis) the malware walks all over and
>Sophos stands quietly doing nothing.  Antivirus is only half way to keeping
>systems clean.  And even now I have seen countermeasures of Spybot get
>trashed by malware (hosts file gets remodified to connect to a malserver,
>immunize made ineffective, etc).  If you have ever seen someone's email
>(Outlook) get hijacked by "popnav" and held hostage as it displays its ad,
>you would know what I mean, and if you are like many other engineers and
>think, "I don't go to those sites so I do not have it," run the aforementioned
>utils and see :)  Just like all the others I have edificated :)
>
>>
>
> >From: TRushing at hollandco.com
> >Reply-To: General DShield Discussion List <list at dshield.org>
> >To: list at dshield.org
> >Subject: [Dshield] New Agobot infection here?
> >Date: Wed, 3 Mar 2004 15:02:53 -0600
> >
> >We have one of our PC techs who was trying to help a remote user debug a
> >problem.  The remote user was complaining about pop-ups and other
> >strangeness and mentioned a link on the desktop of his machine.  Our tech
> >decided to check out the link.  This was on a fully patched
> >Win XP machine with all MS patches and an updated Sophos virus definition
> >from this morning.  Upon checking out the link, there were Sophos warnings
> >on
> >
> >'Troj/Seeker-F' and
> >'Troj/Myss-C'
> >
> >Sophos claimed to have deleted the files.  However, his browser was now
> >redirected to an html file on his local machine and attempting to browse
> >to anything else brought up full-screen popups advertising software for
> >wiping evidence from your computer that could be used by the government to
> >convict you of child pornography.
> >
> >The machine is now pulled from the network and will likely be wiped soon.
> >However, I am concerned that there was some additional infection vector at
> >the link he tried that was not caught by up to date virus software.
> >
> >I have yet to give the link because it is ostensibly a pornographic site.
> >So, with that warning, anyone who is curious can check out
> >
> >http://www.ipiku.com/?desk
> >
> >I have not examined the html coming from that URL.  I've been looking at
> >the various processes and they look like a variant of AGOBOT.  I see that
> >Sophos has updated their virus definitions for numerous AGOBOT variants
> >this morning, but I believe we have that update.
> >
> >Tim Rushing
> >Holland Company
> >
> >_______________________________________________
> >list mailing list
> >list at dshield.org
> >To change your subscription options (or unsubscribe), see:
> >http://www.dshield.org/mailman/listinfo/list
>

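A small parser for bounces like the one quoted above, added here as an example and not part of the original thread: it pulls the 5xx rejections out of the session transcript, lists the Received: hops in delivery order, and checks whether the DSN went to the Return-path envelope sender or, as in this bounce, to the header From address (the usual sign of backscatter landing on the wrong person). The sample is a constructed condensation of the quoted headers; the function names are my own.

```python
import re
# Constructed sample condensed from the bounce quoted above ("at" -> "@", folded
# lines joined, most headers dropped): the DSN itself, then the original message.
DSN = """\
To: jbeck80@hotmail.com
Subject: Returned mail: see transcript for details
   ----- Transcript of session follows -----
>>> RCPT To:<list@dshield.org>
<<< 550 Recipient <list@dshield.org> is no user here
550 5.1.1 <list@dshield.org>... User unknown
   ----- Transcript of mail follows -----
Return-path: <list-bounces@dshield.org>
Received: from VL-MO-MR003.ip.videotron.ca ([10.23.32.23]) by VL-MO-MS004.ip.videotron.ca for madirish@videotron.ca; Wed, 03 Mar 2004 19:55:04 -0500
Received: from c009.snv.cp.net ([209.228.34.111]) by VL-MO-MR003.ip.videotron.ca for madirish@videotron.ca; Wed, 03 Mar 2004 19:55:04 -0500
Received: from 65.173.218.103 (HELO mail.giac.net) by smtp.c009.snv.cp.net with SMTP; Wed, 03 Mar 2004 16:55:02 -0800
From: john beck <jbeck80@hotmail.com>
To: list@dshield.org
"""
# Matches "550 5.1.1 <addr>... User unknown" and "550 Recipient <addr> is no user here"
REJECT_RE = re.compile(r"^(\d{3}) (?:\d\.\d\.\d )?(.*?)<([^>\s]+@[^>\s]+)>(.*)$")
HOP_RE = re.compile(r"^Received: from (\S+).*? by (\S+)(?:.*? for (\S+?);)?", re.M)

def split_dsn(text):
    """Return (dsn_headers, smtp_session, original_message) as plain strings."""
    head, _, rest = text.partition("----- Transcript of session follows -----")
    session, _, original = rest.partition("----- Transcript of mail follows -----")
    return head.strip(), session.strip(), original.strip()

def header(block, name):
    m = re.search(rf"^{name}: *(.*)$", block, re.M | re.I)
    return m.group(1).strip() if m else None

def rejections(session):
    """Permanent (5xx) rejections in the session: [(code, recipient, reason)]."""
    out = []
    for line in session.splitlines():
        m = REJECT_RE.match(line.strip().lstrip("<> "))   # drop ">>>" / "<<<" markers
        if m and m.group(1).startswith("5"):
            reason = " ".join((m.group(2) + m.group(4)).strip(" .").split())
            out.append((m.group(1), m.group(3), reason))
    return out

def hops(original):
    """Received: hops oldest first: [(from_host, by_host, envelope_recipient_or_None)]."""
    return [m.groups() for m in HOP_RE.finditer(original)][::-1]

def misdirected(text):
    """True when the DSN was not sent to the envelope sender named in Return-path."""
    head, _, original = split_dsn(text)
    return header(head, "To") != header(original, "Return-path").strip("<>")
```

For this bounce the hop list ends at videotron.ca for madirish, while the DSN itself was addressed to the Hotmail From address rather than to list-bounces, which is why it reached the poster and not the list software.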