riddler 0 #1 March 4, 2004

This is no ordinary SPAM virus. This one is targeted specifically at Qwest.net users. If you are a Qwest.net user, and receive the following email today, do not open the attachment.

Quote:
> Return-Path:
> Delivered-To: riddler@mail-dnvr.uswest.net
> Received: (qmail 83580 invoked by uid 0); 4 Mar 2004 05:42:37 -0000
> Received: from unknown (HELO mpls-cmx-01.inet.qwest.net) (63.226.138.1) by mpls-mailin-14.inet.qwest.net with SMTP; 4 Mar 2004 05:42:37 -0000
> Received: (qmail 67634 invoked by uid 0); 4 Mar 2004 05:42:37 -0000
> Received: from rdbck-4029.palmer.mtaonline.net (HELO VALUED-B8142DE8) (12.18.171.230) by mpls-cmx-01.inet.qwest.net with SMTP; 4 Mar 2004 05:42:37 -0000
> Date: Wed, 03 Mar 2004 20:42:38 -0900
> Message-ID:
> From: staff@qwest.net
> To: riddler@qwest.net
> Subject: Notify about using the e-mail account.
> MIME-Version: 1.0
> Status: U
> X-UIDL: 1078378957.83587.18497.mpls-mailin-14.inet.qwest.net
> Content-Type: multipart/mixed; boundary="--------pksafsfwsrspiuvuinha"
> X-DCC-Qwest.net-Metrics: mpls-cmx-01.inet.qwest.net 1211; Body=1 Fuz1=1 Fuz2=5
>
> Dear user of Qwest.net gateway e-mail server,
>
> Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
>
> For more information see the attached file.
>
> Attached file protected with the password for security reasons. Password is 73602.
>
> Kind regards,
> The Qwest.net team
> http://www.qwest.net
>
> Information.zip

This one has been carefully crafted by a sneaky person. It looks like an official email from staff@qwest.net and has a URL to the Qwest site and is signed by the Qwest.net team. Don't open the attachment. I'll post more if I find out more.

PhreeZone 20 #2 March 4, 2004

Not all the way true. It takes the domain name it's sending the mail to and plugs it into the fields. I've seen that same email on about 25 domains now.

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.k@mm.html

Yesterday is history
And tomorrow is a mystery
Parachutemanuals.com

Nightingale 0 #3 March 4, 2004

Nope. It's the same virus going around. I get it as spam looking like it's coming from my own website. It looks like it's from either Staff@nightingalesnest.net or support@nightingalesnest.net or admin@nightingalesnest.net, and the email says the exact same thing.

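The headers quoted in the first post already show what the two replies above describe: the From address borrows the recipient's own domain, while the first hop into Qwest's mail server is a host outside that domain. The following is an added example, not part of the thread; the sample is constructed from those quoted headers (abridged), and the finding labels and heuristics are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers abridged from the message quoted in the first post.
SAMPLE = """\
Received: from unknown (HELO mpls-cmx-01.inet.qwest.net) (63.226.138.1)
 by mpls-mailin-14.inet.qwest.net with SMTP; 4 Mar 2004 05:42:37 -0000
Received: (qmail 67634 invoked by uid 0); 4 Mar 2004 05:42:37 -0000
Received: from rdbck-4029.palmer.mtaonline.net (HELO VALUED-B8142DE8) (12.18.171.230)
 by mpls-cmx-01.inet.qwest.net with SMTP; 4 Mar 2004 05:42:37 -0000
From: staff@qwest.net
To: riddler@qwest.net
Subject: Notify about using the e-mail account.

Attached file protected with the password for security reasons. Password is 73602.
"""

# qmail-style hop: "from <rdns> (HELO <name>) (<ip>) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\(HELO\s+(\S+)\)\s+\(([\d.]+)\)\s+by\s+(\S+)")

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def first_hop(msg):
    """Earliest 'from ... by ...' hop; Received headers are prepended, so scan bottom-up."""
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            return dict(zip(("rdns", "helo", "ip", "by"), m.groups()))
    return None

def analyze(raw):
    """Return (first hop, findings); findings are hints for triage, not proof."""
    msg = message_from_string(raw)
    sender, rcpt = domain(msg["From"]), domain(msg["To"])
    hop = first_hop(msg)
    findings = []
    if sender == rcpt:
        findings.append("sender-domain-equals-recipient-domain")
    if hop and not ("." + hop["rdns"].lower()).endswith("." + sender):
        findings.append("submitted-from-host-outside-sender-domain")
    if hop and "." not in hop["helo"]:
        findings.append("helo-is-not-a-hostname")
    body = msg.get_payload()
    if isinstance(body, str) and re.search(r"password is\s+\d+", body, re.I):
        findings.append("body-discloses-archive-password")
    return hop, findings
```

Legitimate mail can trip any one of these checks (roaming users, hosted mail), so treat them as reasons to look closer rather than as a verdict.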
riddler 0 #4 March 4, 2004

From the real Qwest.net customer service reps:

Quote:
> I apologize, but the email you received is not actually from Qwest. It contains an attachment that may have a virus. If you have attempted to open the attachment, you may want to run a virus scan on your system to clean out any potential threats. It appears someone is sending these emails to Qwest customers, and we are aware of the issue. Qwest.net is not in the practice of sending any attachments in their email communications. Please delete this email from your mailbox immediately.

riddler 0 #5 March 4, 2004

Thanks for the info - that'll help me check to see if it infected me. I don't think it did, but I want to make sure.

edit - turns out it was a variant - W32/Bagle.j@MM. But the link really helped narrow it down - thanks again.

Trapped on the surface of a sphere. XKCD