Forums » Up and Running » Security » Spam, Scam and Phishbusters » How to get an infected PC shut down.


UncleScooter
I once was SatManWorkin
Premium
join:2002-04-15
Tallahassee, FL
·Embarq

How to get an infected PC shut down.

For the past week or so I have been receiving about 15-20 emails a day that are infected with the Sober X virus. All appear to be coming from a single PC. The headers all show a single hop from the sender to our mail server.

I have sent a copy of all the emails with the header info attached to the ISP abuse department, I called the customer support number listed in the whois lookup. While I was on the line with CS, they contacted the abuse dept. which said they had warned the user to correct the problem or face disconnection of service. That was 3 days ago. All of this has not resolved the problem.

My AV is catching these messages, but it is just a PITA to deal with. Is there anything else I can try to get this resolved?

Here is the header from one of the emails, (my info is replaced with X's):

Received: from gdmlvot.gov ([71.34.30.37]) by server.XXXXXXX.com with Microsoft SMTPSVC(6.0.3790.211);
Sat, 10 Dec 2005 16:41:41 -0500
From: Post@cia.gov
To: XXXXXX@XXXXXXX.com
Date: Sat, 10 Dec 2005 20:58:47 GMT
Subject: You visit illegal websites
Importance: Normal
X-Priority: 3 (Normal)
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===8f0ce61b3ce.bd2b"
Content-Transfer-Encoding: 7bit
Return-Path: Post@cia.gov
X-OriginalArrivalTime: 10 Dec 2005 21:41:41.0796 (UTC) FILETIME=[821F0E40:01C5FDD2]

Every email has come from the same address: 71.34.30.37

Any suggestions are appreciated.
--
I know you think you understand what you thought I said, but what I'm not sure about is that what you heard isn't exactly what I meant.
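The header quoted above already carries the signals a mail admin uses to triage a message like this: a single Received: hop (the sending host spoke to the MX directly, as a worm with its own SMTP engine does, rather than going through its ISP's relay), a HELO name and a From: domain that do not agree, a Date: header that disagrees with the receiving server's own timestamp, and an origin IP that can be checked against the blocklists mentioned later in the thread (CBL, SBL). The following Python script is added here as an example and is not part of the original thread or any poster's code; it runs that triage over a constructed copy of the quoted header. The DNSBL zone name is an assumed default, and the live lookup function is optional and needs network access.

```python
"""Header-only triage of a suspected worm-generated message."""
import re
import socket
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample modelled on the header quoted in the thread; the recipient
# side is redacted with X's exactly as in the original post.
SAMPLE_HEADERS = (
    "Received: from gdmlvot.gov ([71.34.30.37]) by server.XXXXXXX.com "
    "with Microsoft SMTPSVC(6.0.3790.211);\n"
    "\tSat, 10 Dec 2005 16:41:41 -0500\n"
    "From: Post@cia.gov\n"
    "To: XXXXXX@XXXXXXX.com\n"
    "Date: Sat, 10 Dec 2005 20:58:47 GMT\n"
    "Subject: You visit illegal websites\n"
    "Return-Path: Post@cia.gov\n"
    "\n"
)

# Matches "from <helo> ([ip]) by <host>" and the "from <helo> (rdns [ip]) by" variant.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^)\[]*?)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(raw_headers):
    """Return hops oldest-first: HELO name, source IP, receiving host, timestamp."""
    msg = message_from_string(raw_headers)
    hops = []
    # Each relay prepends its own Received: line, so the origin is the last one.
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "helo": m.group("helo"),
            "ip": m.group("ip"),
            "by": m.group("by"),
            "received_at": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def triage(raw_headers):
    """Summarise the origin of a message and the inconsistencies in its headers."""
    msg = message_from_string(raw_headers)
    hops = parse_received(raw_headers)
    origin = hops[0] if hops else None
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result = {
        "hop_count": len(hops),
        "origin_ip": origin["ip"] if origin else None,
        "helo": origin["helo"] if origin else None,
        "from_domain": from_domain,
        # One hop: the sending host delivered straight to our MX, which is how a
        # worm with its own SMTP engine behaves; a normal client submits via its ISP.
        "direct_to_mx": len(hops) == 1,
        # The HELO name claims a different domain than the From: address does.
        "helo_from_mismatch": bool(origin) and origin["helo"].lower() != from_domain,
        # Seconds between our server's receive time and the sender's Date: header.
        "date_skew_seconds": None,
    }
    date_hdr = msg.get("Date")
    if origin and origin["received_at"] and date_hdr:
        skew = origin["received_at"] - parsedate_to_datetime(date_hdr)
        result["date_skew_seconds"] = int(skew.total_seconds())
    return result


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the reversed-octet name a DNSBL (CBL, SBL, ...) is queried with.

    The default zone is an assumption for the example; use whichever list you query.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone="zen.spamhaus.org"):
    """Live lookup (needs network): a 127.0.0.x answer means listed, NXDOMAIN means not."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    report = triage(SAMPLE_HEADERS)
    for key, val in report.items():
        print(f"{key:20} {val}")
    print("DNSBL query name:  ", dnsbl_query_name(report["origin_ip"]))
```

On the quoted header this reports one hop from 71.34.30.37, a HELO of gdmlvot.gov against a From: domain of cia.gov, and a Date: header about 43 minutes behind the server's own timestamp; any one of these is weak on its own, but together they are the pattern a content filter or a complaint to the ISP's abuse desk can be built on, and the origin IP is what you feed to the blocklist lookup.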


MagMan
Life is simpler when you tell the truth.
Premium
join:2003-10-01
Westlake, OH
·AT&T Midwest
·AT&T Midwest


If you find out, let me know. Ever since this Sober attack started I have been getting at least 6 a day. :)

And I am getting tired of it too, although I have not really paid attention to where they have been coming from. I try to ignore them as much as possible.

I can't believe people that are infected with this just keep on chugging along on the internet, not even knowing they're infected. ;)

After checking some of the e-mails, mine are all coming from this address, 24.8.249.254; as with yours, from one infected computer.
--
"The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is."


GKJUG

@ziplink.net
reply to UncleScooter
I thought the recent Sober worm episode had ended. I stopped receiving them about a week ago.

B
Premium,MVM
join:2000-10-28


reply to UncleScooter
Re: How to get an infected PC shut down.

I don't see why this was moved from Security. It has nothing to do with scams or spam or phishing.

It's a straightforward question about a Sober infector.

Has the "Spam Scam and Charge Busters" forum's charter been expanded to include worm tracing?

-- B
--
In a realm outside causality and function


s0tet

join:2005-06-08

quote:
about 15-20 emails a day that are infected with the Sober X virus.
I get way more spam than that per day. Just delete it. If you were getting DoS attacked or something like that, I would be on the phone, but for excessive spam complaints, just let the Abuse or Security department at the ISP handle it (they could have higher priorities than an infected PC at this time). I would just continue to forward some of the freshest complaints to the ISP. I do think, considering the amount of time that has gone by, the infected PC should be pulled offline. It may have generated some blacklistings by now. I would check on DNSstuff.com if you are inclined.

This thread could probably be posted in Security or here as it is related to spamming and or compromising activity.

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

reply to UncleScooter
Over a week is ample time for the ISP to act. They should pull the plug 24 hours after giving the customer notice, if not corrected.

A long shot: do you know anyone on Qwest in Minneapolis that may have your email address saved in their address book?

MGD


UncleScooter
I once was SatManWorkin
Premium
join:2002-04-15
Tallahassee, FL
·Embarq

reply to B
Sorry if this is the wrong place for this, I asked that it be moved here. I was just looking for any more info on anything I could or should try to get this one stopped.

I checked with everyone I know that could possibly be the infected PC and they all are clean.

I also agree that Qwest has had more than enough time to stop this, especially after I called them and sent God knows how many emails to the abuse address.
--
I know you think you understand what you thought I said, but what I'm not sure about is that what you heard isn't exactly what I meant.


izy
Premium,MVM
join:2000-09-21
Naples, FL
Another excellent reason for ISPs to block port 25 traffic unless it is going through their mail server.

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL


reply to UncleScooter
said by UncleScooter:

Sorry if this is the wrong place for this, I asked that it be moved here. I was just looking for any more info on anything I could or should try to get this one stopped......
That's cool, we all try and contribute to resolve issues.

Maybe B thought that it was an unsolicited move, when it still met the original forum criteria.

I do not see that IP on any block lists, so it may have a small target list.

MGD
Edit=typo

B
Premium,MVM
join:2000-10-28

Yeah, I did.

I still maintain that an ordinary mass mailing worm (which this is) has nothing to do with Spam or Scambusters -- 'cause if it did then every worm thread could theoretically be moved from Security into »Spam, Scam and Phishbusters ... but if the poster asked for it, then not a big deal I guess.

If your ISP continues to refuse to deal with it, then of course you could block the sucker by any of a number of filtering techniques (such as spam or content filters).

I suppose you could try to "scare" Qwest by mentioning and cc'ing the FBI, or threatening to cancel, but I doubt it would help...

Good luck.

-- B
--
In a realm outside causality and function


UncleScooter
I once was SatManWorkin
Premium
join:2002-04-15
Tallahassee, FL
·Embarq

reply to UncleScooter
The funny thing is that the emails from 71.34.30.37 have stopped as of this afternoon.

Now I've started to get them from here:

WHOIS results for 63.226.150.102
Generated by www.DNSstuff.com
Location: United States [City: Minneapolis, Minnesota]

NOTE: More information appears to be available at ZU24-ARIN.

Using 0 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

OrgName: U S WEST Internet Services
OrgID: USW
Address: 950 17th Street
Address: Suite 1900
City: Denver
StateProv: CO
PostalCode: 80202
Country: US

LOL, it never stops!
--
I know you think you understand what you thought I said, but what I'm not sure about is that what you heard isn't exactly what I meant.

B
Premium,MVM
join:2000-10-28


Another Qwest block -- might be the same guy with a different address.

As I'm sure you've realized, it's someone who has you in his or her address book or somewhere in a file on his or her machine.

-- B
--
In a realm outside causality and function

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL


reply to UncleScooter
There is a good chance that it is the same box. They may have taken it offline to clean it, and got a new IP afterwards. If so, it didn't work.

The original IP 71.34.30.37 no longer responds, the new one is fed through the same DSL gateway as the original:

Gateway for dsl 71.34.30.37

207.225.140.101 AS0
IANA-RSVD-0 mpls-dsl-gw05-101.mpls.qwest.net

Gateway for dsl 63.226.150.102

207.225.140.101 AS0
IANA-RSVD-0 mpls-dsl-gw05-101.mpls.qwest.net


There are other possibilities, though I am betting it is the same one.

MGD

B
Premium,MVM
join:2000-10-28


Let's assume for a moment that Infector went off-line because Qwest finally got off their corporate buttocks and banned Infector. Any idea what their resolution procedure is? Did they just kill the connection? Do they demand any proof that Infector is clean before re-enabling their connection?

Or is it entirely more likely that Qwest's done nothing at all?

-- B
--
In a realm outside causality and function

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

Good question,

They may have been working with the account, and he came back on line to check, and it started spewing again right away.

It's hard to tell, though for sure his modem had to be down for a while in order for the "sticky" IP to change.

MGD

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL


reply to UncleScooter
Well, if there is any good news to report, it is that the new IP quickly made it into the CBL blocking list at 5pm this evening, and is identified as being Sober-infected. It will also be auto-listed in the SBL.

It now appears the latter of B's scenarios may be winning out in this case.

quote: "Or is it entirely more likely that Qwest's done nothing at all?"

MGD


izy
Premium,MVM
join:2000-09-21
Naples, FL

Honestly, what can Qwest do besides block all port 25 traffic?

From »www.sarc.com/avcenter/venc/data/···@mm.html

W32.Sober.X@mm is a mass-mailing worm that uses its own SMTP engine to spread and lowers security settings. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.
Now how is Qwest supposed to stop this? One computer gets infected. It in turn sends out 1000 infected emails. Of those 100 emails it infects 20 PCs... etc., etc.

The *ONLY* way these worms propagate is through SMTP, or port 25.

Now assume Qwest blocks all port 25 traffic *EXCEPT* to its own email servers. The worm is now unable to send emails without authenticating on Qwest servers.

A number of ISPs already do this. A minor inconvenience if you want to send email through other SMTP servers besides the ISP's, BUT this worm does not stand a chance without an open port 25.

B
Premium,MVM
join:2000-10-28

said by izy:

Now how is Qwest supposed to stop this?
Uh, stop it by contacting this specific, infected customer of theirs and refusing to allow them access until they're cleaned up?

I don't see why you're turning this into a port 25 block campaign -- that's a horrible practice that I wish ISPs would quit (some have). It turns legitimate customers into suspects, does nothing to protect its own customers from spam, and is a royal pain.

-- B
--
In a realm outside causality and function


izy
Premium,MVM
join:2000-09-21
Naples, FL
Sounds great, but when you have hundreds or maybe thousands of infected PCs on your network, what's the fastest, most effective way to stop the spread of the worm? I don't think it takes a genius to figure this one out.... uh, yeah!
© 1999-2009 dslreports.com.