RARA sending me viruses
  • RARA sending me viruses

    Look out, the RARA page got a virus and is sending it out.

    Steve
    ECVSteve
    E Clampus Vitus SST #1827, #1850
    Reno Fan since around "82"

  • #2
    Re: RARA sending me viruses

    Originally posted by ecvsteve
    look out the rara page got a virus and is sending it out.

    Steve
    More info??

    Wayne
    Wayne Sagar
    "Pusher of Electrons"



    • #3
      got an email

      from owner-rarageneral@airrace.org
      subject ID npblikiyit... thanks

      My system here at work deleted the virus.

      watch out.
      ECVSteve
      E Clampus Vitus SST #1827, #1850
      Reno Fan since around "82"



      • #4
        Steve, have you looked at the full email headers? I get a TON of bounced email that has somethingorother@aafo.com in the "from" field... it's spoofed.

        Some of the email virui that are out there (most, from what I can tell) dig into the infected computer's address book, *USUALLY* Microsoft Outlook (for this reason, I call it LOOKOUT), which is frequently the target of the virui...

        Anyway, getting back on point, the infected computer then sends out tons of messages using the addresses in the book as the "from"...

        Just because the "from" field carries an address does not necessarily mean that it actually came from that box... if you open the full email headers, you can track the IP address of the "from/to" trail and see where it actually came from...

        Anyway... that might be it, but at the moment it looks as though their site is inop...

        A point to bring up though: even if that message you received was from a valid @airrace.org address, it would not mean that the site was infected; it would indicate that the user's computer was.

        Wayne
        Wayne Sagar
        "Pusher of Electrons"



        • #5
          how about this

          So, does the below info shed any light on this? It does say "(may be forged)". These machines are a kick but also way above my head.

          I really didn't want to freak anybody out but I didn't want it to go unmentioned.
          Back to lurking, maybe I'll send another picture of the LandStang just for fun.


          Received: from fdns2.rolm.com ([165.218.1.59]) by stca200a.bus.sc.rolm.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2657.72)
          id FD0K0QL0; Tue, 17 Feb 2004 10:02:42 -0800
          Received: from brmx1.fl.icn.siemens.com (brmx1.boca.ssc.siemens.com [165.218.21.132])
          by fdns2.rolm.com (8.12.10/8.12.10) with ESMTP id i1HI2VYn003660
          for <steven.b.wilson@icn.siemens.com>; Tue, 17 Feb 2004 10:02:40 -0800 (PST)
          Received: from airrace.org (ftp.intsysint.intsysint.com [66.70.221.43] (may be forged))
          by brmx1.fl.icn.siemens.com (8.9.3p092403/8.9.3) with ESMTP id NAA08659
          for <steven.b.wilson@icn.siemens.com>; Tue, 17 Feb 2004 13:02:29 -0500 (EST)
          From: owner-rarageneral@airrace.org
          Received: (from airrace@localhost)
          by airrace.org (8.11.6/8.11.6) id i1HH6hb11724
          for rarageneral-outgoing; Tue, 17 Feb 2004 12:06:43 -0500
          X-Authentication-Warning: intsysint.intsysint.com: airrace set sender to owner-rarageneral@airrace.org using -f
          Received: from intsysint.intsysint.com (root@localhost)
          by airrace.org (8.11.6/8.11.6) with ESMTP id i1HH6gK11719
          for <rarageneral@airrace.org>; Tue, 17 Feb 2004 12:06:42 -0500
          X-ClientAddr: 129.42.184.35
          Received: from terra2 ([129.42.184.35])
          by intsysint.intsysint.com (8.11.6/8.11.6) with SMTP id i1HH6gg11715
          for <rarageneral@airrace.org>; Tue, 17 Feb 2004 12:06:42 -0500
          Date: Tue, 17 Feb 2004 09:06:59 -0800
          To: rarageneral@airrace.org
          Subject: ID npblikiyit... thanks
          Message-ID: <nrrhqjwhbnluuwptajy@airrace.org>
          MIME-Version: 1.0
          Content-Type: multipart/mixed;
          boundary="--------881408040821076"
          Sender: owner-rarageneral@airrace.org
          Precedence: bulk

          ----------881408040821076
          Content-Type: text/plain; charset="us-ascii"
          Content-Transfer-Encoding: 7bit

          ----------881408040821076
          Content-Type: application/x-msdownload; name="cqkh.exe"
          Content-Transfer-Encoding: base64
          Content-Disposition: attachment; filename="celxtpmc.exe"

          ----------881408040821076--
          ECVSteve
          E Clampus Vitus SST #1827, #1850
          Reno Fan since around "82"

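Wayne's advice in #4 (read the full headers instead of trusting the "from" field) and Steve's question in #5 about "(may be forged)" can both be checked mechanically. The script below is an added example written for this page, not code from the thread or from airrace.org; it uses only Python's standard library, and its input is a constructed copy of the headers Steve posted (a few uninteresting fields dropped, the attachment body left empty). It reads the Received: chain from the bottom up, so the first entry is the machine that handed the message to the list server; it flags the hop where the receiving sendmail recorded that the announced host name did not match the reverse DNS of the connecting address (that is what "(may be forged)" means); it notes that the list software rewrote the envelope sender (the X-Authentication-Warning line); and it lists executable attachments, including the fact that this one carries two different file names.

```python
import re
from email import message_from_string, policy

# Constructed sample: the headers Steve posted in #5, with a few uninteresting
# fields dropped and the attachment body left empty.
SAMPLE = """\
Received: from fdns2.rolm.com ([165.218.1.59]) by stca200a.bus.sc.rolm.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2657.72)
 id FD0K0QL0; Tue, 17 Feb 2004 10:02:42 -0800
Received: from brmx1.fl.icn.siemens.com (brmx1.boca.ssc.siemens.com [165.218.21.132])
 by fdns2.rolm.com (8.12.10/8.12.10) with ESMTP id i1HI2VYn003660
 for <steven.b.wilson@icn.siemens.com>; Tue, 17 Feb 2004 10:02:40 -0800 (PST)
Received: from airrace.org (ftp.intsysint.intsysint.com [66.70.221.43] (may be forged))
 by brmx1.fl.icn.siemens.com (8.9.3p092403/8.9.3) with ESMTP id NAA08659
 for <steven.b.wilson@icn.siemens.com>; Tue, 17 Feb 2004 13:02:29 -0500 (EST)
From: owner-rarageneral@airrace.org
Received: (from airrace@localhost)
 by airrace.org (8.11.6/8.11.6) id i1HH6hb11724
 for rarageneral-outgoing; Tue, 17 Feb 2004 12:06:43 -0500
X-Authentication-Warning: intsysint.intsysint.com: airrace set sender to owner-rarageneral@airrace.org using -f
Received: from intsysint.intsysint.com (root@localhost)
 by airrace.org (8.11.6/8.11.6) with ESMTP id i1HH6gK11719
 for <rarageneral@airrace.org>; Tue, 17 Feb 2004 12:06:42 -0500
X-ClientAddr: 129.42.184.35
Received: from terra2 ([129.42.184.35])
 by intsysint.intsysint.com (8.11.6/8.11.6) with SMTP id i1HH6gg11715
 for <rarageneral@airrace.org>; Tue, 17 Feb 2004 12:06:42 -0500
Subject: ID npblikiyit... thanks
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="--------881408040821076"

----------881408040821076
Content-Type: application/x-msdownload; name="cqkh.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="celxtpmc.exe"

----------881408040821076--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"^(?:\(from (?P<local>[^)]*)\)|from (?P<src>.*?)) by (?P<by>\S+)")


def parse_hop(value):
    """Describe one Received: header: who connected, what it claimed, who accepted it."""
    text = re.sub(r"\s+", " ", str(value)).strip()          # undo header folding
    m = HOP_RE.match(text)
    if m is None:                                            # unusual MTA syntax: keep raw text only
        return {"raw": text, "claimed": None, "ip": None, "by": None, "forged": False, "date": ""}
    src = m.group("src") or ""
    ip = IP_RE.search(src)
    return {
        "raw": text,
        "claimed": m.group("local") or src.split(" ", 1)[0],   # name the client announced (HELO)
        "ip": ip.group(1) if ip else None,                     # address the receiver actually saw
        "by": m.group("by"),                                   # MTA that wrote this header
        "forged": "(may be forged)" in src,                    # sendmail: HELO name != reverse DNS
        "date": text.rsplit(";", 1)[1].strip() if ";" in text else "",
    }


def trace(raw):
    """Received: chain in chronological order; each relay prepends its own header,
    so the bottom-most one is the first hop and the top-most the last."""
    msg = message_from_string(raw, policy=policy.default)
    return [parse_hop(v) for v in reversed(msg.get_all("Received", []))]


def assess(raw):
    """The checks a defender makes before blaming the address shown in From:."""
    msg = message_from_string(raw, policy=policy.default)
    hops = trace(raw)
    origin = next((h for h in hops if h["ip"]), None)        # earliest hop with a real IP
    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        fname = part.get_filename() or ""
        tname = part.get_param("name") or ""                  # name= in Content-Type
        attachments.append({
            "filename": fname,
            "executable": fname.lower().endswith((".exe", ".scr", ".pif", ".bat", ".com")),
            "name_mismatch": bool(tname) and tname != fname,  # two names for one file
        })
    return {
        "header_from": str(msg.get("From", "")),
        "origin_host": origin["claimed"] if origin else None,
        "origin_ip": origin["ip"] if origin else None,
        "forged_hops": [h["claimed"] for h in hops if h["forged"]],
        "sender_rewritten": any("set sender to" in str(w)
                                for w in msg.get_all("X-Authentication-Warning", [])),
        "attachments": attachments,
    }


if __name__ == "__main__":
    for i, h in enumerate(trace(SAMPLE), 1):
        print(f"{i}: {h['claimed']} [{h['ip']}] -> {h['by']}  {h['date']}")
    print(assess(SAMPLE))
```

On the posted headers the first hop is terra2 at 129.42.184.35 delivering into intsysint.intsysint.com, the box that runs the list, which then rewrote the sender to owner-rarageneral@airrace.org (the -f warning is normal list behaviour). The "(may be forged)" remark belongs to the next hop, where brmx1.fl.icn.siemens.com saw a client calling itself airrace.org whose address reverse-resolved to ftp.intsysint.intsysint.com. Neither line says anything about whether airrace.org's web site is infected; they only show which machine injected the message and which hop names did not line up.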


          • #6
            Phew... too many IPs for me to track it... It does appear to my untrained eye that originally it came from an address *not* within the system that airrace.org is located in... then somehow got returned to them, and bounced to you...

            I *COULD* be totally wrong though. I'm OK reading these things until you throw in as many back-and-forths as this one has!

            Maybe Mark Johnston will pick up on this and be able to decipher this better than I have... I'd not worry about the site though; Linux is not normally infected by virui... from what I understand anyway...

            I'm guessing that airrace.org is on a Linux box...

            Wayne
            Wayne Sagar
            "Pusher of Electrons"



            • #7
              I got the same email and thought it was a special code
              to ride in the pace plane with Steve Hinton. Darn it all!!!
