TechTalkz.com Technology & Computer Troubleshooting Forums - View Single Post

29-11-2007, 08:29 AM

On Nov 28, 9:36 pm, Robert Colgan <RobertECol...@gmail.com> wrote:
> I'm worried that I've somehow gotten the W32.Mytob virus. Earlier this
> afternoon, I received the below email:
>
> | from xxxxxx...@gmail.com
> | to xxxxxx...@gmail.com (me)
> | date Nov 28, 2007 9:50 PM
> | subject Virus Found in message "Hello"
> |
> | Symantec AntiVirus found a virus in an attachment from
> xxxxxx...@gmail.com.
> |
> | Attachment: bbkiu.zip
> | Threat: W32.Mytob.AG@mm
> | Action taken: Quarantine succeeded
> | File status: Infected
> |
> | The message contains Unicode characters and has been sent as a
> binary attachment.
> |
> | bbkiu.zip
> | 1K Download
>
> It surprised me, and while I do have Symantec AntiVirus, I'm not sure
> how Symantec got to this email, since it was on Gmail's webmail
> interface (it didn't look like Gmail's built-in anti-virus either --
> it will display something about a virus next to the attachment, I
> believe). Or, even, that it did at all -- I know many viruses
> masquerade as anti-virus messages. So, I didn't download anything and
> went on my merry business, thinking that whatever it was, as long as I
> didn't download anything, I wouldn't get infected.
>
> But later, I got the below "returned-to-sender" email. I'm concerned
> that the virus somehow got on to one of my computers and is sending
> emails. I'm running virus scans on both my computers, neither of which
> have turned up anything, and I'm about to run the W32.Mytob@mm Removal
> Tool from Symantec.
> Is this something I need to be worried about?
> P.S. "xx...@mail.hs.columbia.edu" is not anyone I know or that would
> be in my address book
>
> This is the returned-to-sender email I got:
> | from Mail Delivery System <MAILER-DAE...@alipes.hs.columbia.edu>
> | to xxxxxx...@gmail.com, (me)
> | date Nov 28, 2007 8:35 PM
> | subject Undelivered Mail Returned to Sender
> | mailed-by alipes.hs.columbia.edu
> |
> | This is the mail system at host alipes.hs.columbia.edu.
> |
> | I'm sorry to have to inform you that your message could not
> | be delivered to one or more recipients. It's attached below.
> |
> | For further assistance, please send mail to <postmaster>|
> |
> | If you do so, please include this problem report. You can
> | delete your own text from the attached returned message.
> |
> | The mail system
> |
> | <xx...@mail.hs.columbia.edu>: mail for mail.hs.columbia.edu loops
> back to
> | myself
> |
> | Final-Recipient: rfc822; xx...@mail.hs.columbia.edu
> | Original-Recipient: rfc822;xx...@mail.hs.columbia.edu
> | Action: failed
> | Status: 5.4.6
> | Diagnostic-Code: X-Postfix; mail for mail.hs.columbia.edu loops back
> to myself
> |
>
> | ---------- Forwarded message ----------
> | From: xxxxxx...@gmail.com
> | To: xx...@mail.hs.columbia.edu
> | Date: Thu, 29 Nov 2007 08:33:56 -0500
> | Subject: Virus Found in message "HELLO"
> | Symantec AntiVirus found a virus in an attachment from
> xxxxxx...@gmail.com.
> |
> |
> | Attachment: readme.scr
> | Threat: W32.Mytob.AG@mm
> | Action taken: Quarantine succeeded
> | File status: Infected
> and then there was this underneath:
>
> ät¶
> ó¯îþ0û\oq|mÌñÉþA4Q(tm)û(c)×Ÿø3/4 EU´ØOEÁ3³ë\
> |xþ"†FÌ%(c)-\úcXÉ5.ë;{3/4 OŽS4ÚÕÁ(tm){\X(tm)]Úí|À6§(tm)Ë†ë‰Øu.5åkºBOE![·oÞ-^i"´
> ‹Wu03l4I...1/4;Î '<<ÜÑR --dvî"ëÞi20ž†_,9^ây'mx j
> Že„ê‰ ÓCÙŠLkòS '}§]PÛF8Í×ÞîCŠ,¨(R)(R)VKµ&ÆÒÅËM³µÍ¬>>{/<Ÿ~Ã-
> „FJ|4Ão§*ùÍUeC`¨ôkÐ|´[9B£Žêsás±²->§O± ~^‡ô_Ö~Tõ·.P||2)üR-ef
> ÉàÅÈqM&‡jeµó\ëÀ·f:%Q<àã&Ó‡„Ù I)ða!Hè....27dù^.5qB?qãÈ£6)ž4$10ßÉàÙVÊP§...
> ÎÆˆˆ4äÕ‹ž1/4 hd8ö(c)5*D‡\§nz4(R)£¤çžÐQN...gSÁ
> '¶ón>Ê?>1ˆ" m 1/2¯ºÏ...¬>>(tm)¤mJÀÒí(tm)Ü°)f×J...´kà¤Õ,ŽŽgŽ*åHÖ¡¯Ù ¢p"ÓRùÛÔÖü 2glL¿¥¨;
> 6ûvU„_C-c-TU-vÒÆ¬|ËKEw¯§%,3mìªšaãÁòÜËËeÌ-Ÿ¸‰êg '7CÒÞ*a1‡ó_À *.R§‡!
> DSeòªFns î}ùKV[kç±l`Ý.,MŸ x"&9KP.Å„-v|NØ0J0É-eåsa¢¬ åý[7hº-
> ¡bëãÃ1/2 WáÜ²T*RÕð1/2þMêDÞäF3²(R)Úpd¬ÉÐ¥$p|"aƒT>>FhU›ºle<<ÙåI›ô3/43/4 oôñþetáÔ"Ò¥]$l...
> #žx_
> ý(tm)Ÿ²ðÅ2þ†'zÕÓ
> Ò Ëq:--üºä""PB[Ú‰Äþ l÷ï--8qÎöÂÎg;G:!¨mÌ °sG{(R)ÃSÊ<<ÀX„~´åuGP\ÓuNH&×XLpm}¨
> &*¥áv×'?ŠîßéÊÓÙ#‹->Úï‰3&vŠtéù j
> ' ŽåŒS?]å O/£Uú6Ü1/4›#èÝÌªæøæxJk:wÒ'¹¹ÛÏ[³&cDß³ñÏä6\>âù&0(c)(c)<<·WdÔÂù\%OEý¢N
> Ê`FYÜŠÇ×Ó§þòÔI¤äBhìÈ;]wHÌ^Z}´((tm)jñéHLÝÞFPÄ
> gß±^Ëu(ÂPAÉÊ¿~ÙÐ û¯<<!Zìàz3¤b³¯\('ØdIyýñPI†¢sâïlEh‡6å~`sEø6^¨ü ×Äñ‹ðú
> $'à÷m·¬ð-cjÎŽèSÔÚ0§Œ^ÇÍÛžŸ¹ç{: Ç¨?ÀÃÖPË‹ÖŠO3OEÊa¹ã3/4 ÈÝDcK²à:
> 5NÐ¨¶(ëy(tm)`6Ö|ºµµIn...ð-XFÃ v›PÍm¯)áÓjàÅÌéxgöÏK...|-
> |}<*,›IÛõ~l(tm)‡>ÚŽrÎõ'FWÀ"¹Úže
> >„~dn&`--Êb;...ì¿,ÃéUzâ"*|õ)~
> *‰b
> šW
> ‡<á-5Ó×Bïs'(tm)x÷ üÅ÷Ã4‡³1I†'|¬>û´cÌv>>£Ô-2#3/4 lw† a
> ¢KÌŸY 1/2 fŸ&WÙªJp,"îÃê¯Ò|XÝ³ÝjUýõ(tm)~!´ *--àëÐ"ø¿xª¹&%¨!g H¬T²k^3/4&s²F"Öô`rº:
> eÙ ¤À.Å2Zx†³"Ô¬C8|
> ÈY‹vçPÍ(tm)†Rò'„l_ÃPÝš2Ù.(~å´§Ã??áj°þ4Îq}^-³£5èa £„1/4 mIiVz,ò)TD
> ³¬š0ÚÕ¥íÊEæ
> << tŸþ #sk :ÕòxH~Û'I‰§¶\á
> ïøåJËZ¢ó9áÐ1/2¸"Rn0 1/4 2L0 3/4·"ï1/2Ï]÷üŽi[7(R)Éû"×ëOE†r56o<u‰øür|ÉöãÊú"¶<Á‡|S¡:
> ,ÒÙ?!ý*ìÇ ¹ÜÛ~ ljð¶¢H¯1/4 W^ý ô...³¯º--'3/4ÅÂ |c]š1f h
> qÈxqÛ3/4ÚyQß¶1/4 SÊÄH³×Ó(tm)òÜÍÕ'ŽÎÃ3nøˆçc¿r
> ±xðF47DL¶*¬"zöâïVe}X'Ñ†köüìfvÞ5YÜ¸ïâTÓbHa £rt±´²Ã{°\(tm)±ÏjÂ(R)33(tm)'"4±3/4Ó‰
> $>>w_}wöuGøWÈ¯ž>>XGŸÁcaûÇÁiÌ&|ÇŒ_Ø'}ŠttpOELÄÆPôCDû Y5"î#Dê"°s,‡)j²óµ{OEé¿J'(R)„Fl>>ÖÑÖ<›Â|"MæoÔyy(tm) IB¯áíÝ0Õòa9ØÇï'çe>I 1/2 tüŸ¿¿Œ"%gõë¡~>
> "ÛÛ
> S¶Q[¤áÅg|...1/2óQx Žç)Œ"ý3
> 9ÝÆdQHŸ\J(c) Š
> ä"GÌÆÄó- :>-YÝÏfhÆî.°Þ µ
> òMÚŸ\{"a"MtO<<n5¿dÂ^ýÓÜþÇß...¶ÐÃ:~H,ŽC"1/4ò/KŽpÂ
> úä[Þä‡)<<(tm)úáƒÆ|Î‡0Gù# YñbñÚéð$Ò·µU/êð0¯^ð(tm)Ê×ß õØYÈë-npÅ3~...4^§11#ÚD
> ZgHÅnC9'ò(c)(c)ÇzE Ç÷ [c&*rWE#)<<··(c))ÔV ÝãB¹YÞrYfÏ*YfvT‰

btw if you use Google Groups make sure to click "show quoted text" in
the first message to see the whole thing, which was a copy of a
forwarded message Groups is interpreting as quoted text.

29-11-2007, 08:29 AM	#2
Robert Colgan Guest Posts: n/a	Re: Possible virus? On Nov 28, 9:36 pm, Robert Colgan <RobertECol...@gmail.com> wrote: > I'm worried that I've somehow gotten the W32.Mytob virus. Earlier this > afternoon, I received the below email: > > \| from xxxxxx...@gmail.com > \| to xxxxxx...@gmail.com (me) > \| date Nov 28, 2007 9:50 PM > \| subject Virus Found in message "Hello" > \| > \| Symantec AntiVirus found a virus in an attachment from > xxxxxx...@gmail.com. > \| > \| Attachment: bbkiu.zip > \| Threat: W32.Mytob.AG@mm > \| Action taken: Quarantine succeeded > \| File status: Infected > \| > \| The message contains Unicode characters and has been sent as a > binary attachment. > \| > \| bbkiu.zip > \| 1K Download > > It surprised me, and while I do have Symantec AntiVirus, I'm not sure > how Symantec got to this email, since it was on Gmail's webmail > interface (it didn't look like Gmail's built-in anti-virus either -- > it will display something about a virus next to the attachment, I > believe). Or, even, that it did at all -- I know many viruses > masquerade as anti-virus messages. So, I didn't download anything and > went on my merry business, thinking that whatever it was, as long as I > didn't download anything, I wouldn't get infected. > > But later, I got the below "returned-to-sender" email. I'm concerned > that the virus somehow got on to one of my computers and is sending > emails. I'm running virus scans on both my computers, neither of which > have turned up anything, and I'm about to run the W32.Mytob@mm Removal > Tool from Symantec. > Is this something I need to be worried about? > P.S. "xx...@mail.hs.columbia.edu" is not anyone I know or that would > be in my address book > > This is the returned-to-sender email I got: > \| from Mail Delivery System <MAILER-DAE...@alipes.hs.columbia.edu> > \| to xxxxxx...@gmail.com, (me) > \| date Nov 28, 2007 8:35 PM > \| subject Undelivered Mail Returned to Sender > \| mailed-by alipes.hs.columbia.edu > \| > \| This is the mail system at host alipes.hs.columbia.edu. > \| > \| I'm sorry to have to inform you that your message could not > \| be delivered to one or more recipients. It's attached below. > \| > \| For further assistance, please send mail to <postmaster>\| > \| > \| If you do so, please include this problem report. You can > \| delete your own text from the attached returned message. > \| > \| The mail system > \| > \| <xx...@mail.hs.columbia.edu>: mail for mail.hs.columbia.edu loops > back to > \| myself > \| > \| Final-Recipient: rfc822; xx...@mail.hs.columbia.edu > \| Original-Recipient: rfc822;xx...@mail.hs.columbia.edu > \| Action: failed > \| Status: 5.4.6 > \| Diagnostic-Code: X-Postfix; mail for mail.hs.columbia.edu loops back > to myself > \| > > \| ---------- Forwarded message ---------- > \| From: xxxxxx...@gmail.com > \| To: xx...@mail.hs.columbia.edu > \| Date: Thu, 29 Nov 2007 08:33:56 -0500 > \| Subject: Virus Found in message "HELLO" > \| Symantec AntiVirus found a virus in an attachment from > xxxxxx...@gmail.com. > \| > \| > \| Attachment: readme.scr > \| Threat: W32.Mytob.AG@mm > \| Action taken: Quarantine succeeded > \| File status: Infected > and then there was this underneath: > > ät¶ > ó¯îþ0û\oq\|mÌñÉþA4Q(tm)û(c)×Ÿø3/4 EU´ØOEÁ3³ë\ > \|xþ"†FÌ%(c)-\úcXÉ5.ë;{3/4 OŽS4ÚÕÁ(tm){\X(tm)]Úí\|À6§(tm)Ë†ë‰Øu.5åkºBOE![·oÞ-^i"´ > ‹Wu03l4I...1/4;Î '<<ÜÑR --dvî"ëÞi20ž†_,9^ây'mx j > Že„ê‰ ÓCÙŠLkòS '}§]PÛF8Í×ÞîCŠ,¨(R)(R)VKµ&ÆÒÅËM³µÍ¬>>{/<Ÿ~Ã- > „FJ\|4Ão§ùÍUeC`¨ôkÐ\|´[9B£Žêsás±²->§O± ~^‡ô_Ö~Tõ·.P\|\|2)üR-ef > ÉàÅÈqM&‡jeµó\ëÀ·f:%Q<àã&Ó‡„Ù I)ða!Hè....27dù^.5qB?qãÈ£6)ž4$10ßÉàÙVÊP§... > ÎÆˆˆ4äÕ‹ž1/4 hd8ö(c)5D‡\§nz4(R)£¤çžÐQN...gSÁ > '¶ón>Ê?>1ˆ" m 1/2¯ºÏ...¬>>(tm)¤mJÀÒí(tm)Ü°)f×J...´kà¤Õ,ŽŽgŽåHÖ¡¯Ù ¢p"ÓRùÛÔÖü 2glL¿¥¨; > 6ûvU„_C-c-TU-vÒÆ¬\|ËKEw¯§%,3mìªšaãÁòÜËËeÌ-Ÿ¸‰êg '7CÒÞa1‡ó_À .R§‡! > DSeòªFns î}ùKV[kç±l`Ý.,MŸ x"&9KP.Å„-v\|NØ0J0É-eåsa¢¬ åý[7hº- > ¡bëãÃ1/2 WáÜ²TRÕð1/2þMêDÞäF3²(R)Úpd¬ÉÐ¥$p\|"aƒT>>FhU›ºle<<ÙåI›ô3/43/4 oôñþetáÔ"Ò¥]$l... > #žx_ > ý(tm)Ÿ²ðÅ2þ†'zÕÓ > Ò Ëq:--üºä""PB[Ú‰Äþ l÷ï--8qÎöÂÎg;G:!¨mÌ °sG{(R)ÃSÊ<<ÀX„~´åuGP\ÓuNH&×XLpm}¨ > &¥áv×'?ŠîßéÊÓÙ#‹->Úï‰3&vŠtéù j > ' ŽåŒS?]å O/£Uú6Ü1/4›#èÝÌªæøæxJk:wÒ'¹¹ÛÏ[³&cDß³ñÏä6\>âù&0(c)(c)<<·WdÔÂù\%OEý¢N > Ê`FYÜŠÇ×Ó§þòÔI¤äBhìÈ;]wHÌ^Z}´((tm)jñéHLÝÞFPÄ > gß±^Ëu(ÂPAÉÊ¿~ÙÐ û¯<<!Zìàz3¤b³¯\('ØdIyýñPI†¢sâïlEh‡6å~`sEø6^¨ü ×Äñ‹ðú > $'à÷m·¬ð-cjÎŽèSÔÚ0§Œ^ÇÍÛžŸ¹ç{: Ç¨?ÀÃÖPË‹ÖŠO3OEÊa¹ã3/4 ÈÝDcK²à: > 5NÐ¨¶(ëy(tm)`6Ö\|ºµµIn...ð-XFÃ v›PÍm¯)áÓjàÅÌéxgöÏK...\|- > \|}<,›IÛõ~l(tm)‡>ÚŽrÎõ'FWÀ"¹Úže > >„~dn&`--Êb;...ì¿,ÃéUzâ"\|õ)~ > ‰b > šW > ‡<á-5Ó×Bïs'(tm)x÷ üÅ÷Ã4‡³1I†'\|¬>û´cÌv>>£Ô-2#3/4 lw† a > ¢KÌŸY 1/2 fŸ&WÙªJp,"îÃê¯Ò\|XÝ³ÝjUýõ(tm)~!´ --àëÐ"ø¿xª¹&%¨!g H¬T²k^3/4&s²F"Öô`rº: > eÙ ¤À.Å2Zx†³"Ô¬C8\| > ÈY‹vçPÍ(tm)†Rò'„l_ÃPÝš2Ù.(~å´§Ã??áj°þ4Îq}^-³£5èa £„1/4 mIiVz,ò)TD > ³¬š0ÚÕ¥íÊEæ > << tŸþ #sk :ÕòxH~Û'I‰§¶\á > ïøåJËZ¢ó9áÐ1/2¸"Rn0 1/4 2L0 3/4·"ï1/2Ï]÷üŽi[7(R)Éû"×ëOE†r56o<u‰øür\|ÉöãÊú"¶<Á‡\|S¡: > ,ÒÙ?!ýìÇ ¹ÜÛ~ ljð¶¢H¯1/4 W^ý ô...³¯º--'3/4ÅÂ \|c]š1f h > qÈxqÛ3/4ÚyQß¶1/4 SÊÄH³×Ó(tm)òÜÍÕ'ŽÎÃ3nøˆçc¿r > ±xðF47DL¶¬"zöâïVe}X'Ñ†köüìfvÞ5YÜ¸ïâTÓbHa £rt±´²Ã{°\(tm)±ÏjÂ(R)33(tm)'"4±3/4Ó‰ > $>>w_}wöuGøWÈ¯ž>>XGŸÁcaûÇÁiÌ&\|ÇŒ_Ø'}ŠttpOELÄÆPôCDû Y5"î#Dê"°s,‡)j²óµ{OEé¿J'(R)„Fl>>ÖÑÖ<›Â\|"MæoÔyy(tm) IB¯áíÝ0Õòa9ØÇï'çe>I 1/2 tüŸ¿¿Œ"%gõë¡~> > "ÛÛ > S¶Q[¤áÅg\|...1/2óQx Žç)Œ"ý3 > 9ÝÆdQHŸ\J(c) Š > ä"GÌÆÄó- :>-YÝÏfhÆî.°Þ µ > òMÚŸ\{"a"MtO<<n5¿dÂ^ýÓÜþÇß...¶ÐÃ:~H,ŽC"1/4ò/KŽpÂ > úä[Þä‡)<<(tm)úáƒÆ\|Î‡0Gù# YñbñÚéð$Ò·µU/êð0¯^ð(tm)Ê×ß õØYÈë-npÅ3~...4^§11#ÚD > ZgHÅnC9'ò(c)(c)ÇzE Ç÷ [c&rWE#)<<··(c))ÔV ÝãB¹YÞrYfÏ*YfvT‰ btw if you use Google Groups make sure to click "show quoted text" in the first message to see the whole thing, which was a copy of a forwarded message Groups is interpreting as quoted text.