ATTN: jvaguy


silencio
June 11th, 2002, 06:22 PM
Hey man, is this you?

jvaguy@thegeeksinc.com

DANIMAL
June 11th, 2002, 07:16 PM
yeah that's him from the site in my Sig line

DocPC
June 11th, 2002, 08:11 PM
quote: Originally posted by DANIMAL:
> yeah that's him from the site in my Sig line

Who asked ya????? :rolleyes:

DANIMAL
June 11th, 2002, 08:22 PM
quote: Originally posted by DocPC:
> quote: Originally posted by DANIMAL:
> > yeah that's him from the site in my Sig line
>
> Who asked ya????? :rolleyes:

JVA doesn't frequent here very often so I answered him. Is there a problem?

SubZero
June 11th, 2002, 08:22 PM
1. This topic doesn't belong in Security Forum.
2. Be civil when someone answers correctly.
3. He could have sent a PM to JvaGuy to confirm the information.

silencio
June 12th, 2002, 02:47 AM
It belongs in security. Here's why.

Someone is spamming viruses in his name and he may be interested in that fact because he may have a virus. I've two emails from this location. One of the emails was sent to an email address that less than 12 people know about. There is no way to send an email to that address without being on that short 12 person list. The email address has only existed for 3 weeks. Follow my logic there?

Here's some info on the virus and email.

Microsoft Mail Internet Headers Version 2.0
Received: from server.net ([172.16.10.201]) by my.frontend.server.lab with Microsoft SMTPSVC(5.0.2195.2966);
Tue, 11 Jun 2002 14:26:09 -0400
Received: from cordoba.com.ar ([200.61.160.134] RDNS failed) by my.frontendserver.net with Microsoft SMTPSVC(5.0.2195.4905);
Tue, 11 Jun 2002 14:17:50 -0400
Received: from Obscecx [12.248.197.242] by cordoba.com.ar
(SMTPD32-6.06) id ADCC98400C2; Tue, 11 Jun 2002 14:05:16 -0300
From: jvaguy (jvaguy@thegeeksinc.com)
To: deleted to protect the innocent
Subject: Meeting notice
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Q5d0zrJgcyn5196r8
Message-Id: <200206111405281.SM00174@Obscecx>
Date: Tue, 11 Jun 2002 15:15:11 -0300
Return-Path: info@teknus.com.ar
X-OriginalArrivalTime: 11 Jun 2002 18:17:51.0097 (UTC) FILETIME=[4C21FE90:01C21174]

--Q5d0zrJgcyn5196r8
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

--Q5d0zrJgcyn5196r8
Content-Type: audio/x-wav;
name=c45929c22c1fd6c110.inv.bat
Content-Transfer-Encoding: base64
Content-ID: <VG504586D4B27>

--Q5d0zrJgcyn5196r8
--Q5d0zrJgcyn5196r8
Content-Type: application/octet-stream;
name=c45929c22c1fd6c110.inv.bak
Content-Transfer-Encoding: base64
Content-ID: <VG504586D4B27>

--Q5d0zrJgcyn5196r8--


dns 12.248.197.242


12.248.197.242 has valid reverse DNS of 12-248-197-242.client.attbi.com

whois -h magic 12.248.197.242
Trying whois -h whois.arin.net 12.248.197.242
AT&T ITS (NET-ATT)
200 Laurel Avenue South
Middletown, NJ 07748
US

Netname: ATT
Netblock: 12.0.0.0 - 12.255.255.255
Maintainer: ATTW

Coordinator:
Kostick, Deirdre (DK71-ARIN) help@IP.ATT.NET
1-919-319-8249

Domain System inverse mapping provided by:

DBRU.BR.NS.ELS-GMS.ATT.NET 199.191.128.106
DMTU.MT.NS.ELS-GMS.ATT.NET 12.127.16.70
CBRU.BR.NS.ELS-GMS.ATT.NET 199.191.128.105
CMTU.MT.NS.ELS-GMS.ATT.NET 12.127.16.69

For abuse issues contact abuse@att.net

Record last updated on 06-Nov-2000.
Database last updated on 10-Jun-2002 20:01:34 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

traceroute 12.248.197.242


3 130.152.180.21 6.618 ms DNS error [AS226] Los Nettos origin AS
4 4.24.4.249 8.796 ms gigabitethernet5-0.lsanca1-cr3.bbnplanet.net [AS1] GTE Internetworking
5 4.24.4.2 9.449 ms p6-0.lsanca1-cr6.bbnplanet.net [AS1] GTE Internetworking
6 4.24.5.49 8.323 ms p6-0.lsanca2-br1.bbnplanet.net [AS1] GTE Internetworking
7 4.24.5.46 9.924 ms p15-0.lsanca2-br2.bbnplanet.net [AS1] GTE Internetworking
8 4.25.111.1 7.060 ms p1-0.lsanca2-cr1.bbnplanet.net [AS1] GTE Internetworking
9 4.25.111.10 6.574 ms p5-1.xlsanca26-att.bbnplanet.net [AS1] GTE Internetworking
10 12.122.11.221 9.987 ms tbr2-p012402.la2ca.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
11 12.122.10.46 58.310 ms tbr2-p012301.sl9mo.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
12 12.122.11.209 64.901 ms tbr2-p012702.cgcil.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
13 12.122.11.50 58.407 ms gbr1-p40.cgcil.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
14 12.123.5.73 64.591 ms gar1-p360.cgcil.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
15 12.244.72.225 57.412 ms DNS error [AS7018] AT&T WorldNet Service Backbone
16 12.244.106.5 59.987 ms DNS error [AS7018] AT&T WorldNet Service Backbone
17 12.248.197.242 72.336 ms 12-248-197-242.client.attbi.com [AS7018] AT&T WorldNet Service Backbone

The "from" part is easy to spoof but I find it odd that it's in both emails. The tracert shows both emails coming from dialups on attbi which is easy enough to track via dialup logon records from the ISP if I want to contact the ISP. I've dealt with ISPs regarding this same thing with klez, and the new sql worm and all it takes to get the ball rolling is a few phone calls and the right logs.

I'm not accusing jvaguy. I'm saying that someone is spoofing him from a server named Obscecx on the attbi dialup/dsl network. He should know.
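
An added example, not part of any poster's message: the header checks reasoned through in the post above, run over a constructed copy of the quoted message (recipient replaced, From rewritten into angle-bracket form, bodies omitted). The function names are illustrative, and Received lines below the first server you control are only as trustworthy as the relay that wrote them.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample based on the headers quoted in the thread.
SAMPLE = """\
Received: from server.net ([172.16.10.201]) by my.frontend.server.lab with Microsoft SMTPSVC(5.0.2195.2966);
\tTue, 11 Jun 2002 14:26:09 -0400
Received: from cordoba.com.ar ([200.61.160.134] RDNS failed) by my.frontendserver.net with Microsoft SMTPSVC(5.0.2195.4905);
\tTue, 11 Jun 2002 14:17:50 -0400
Received: from Obscecx [12.248.197.242] by cordoba.com.ar
\t(SMTPD32-6.06) id ADCC98400C2; Tue, 11 Jun 2002 14:05:16 -0300
From: jvaguy <jvaguy@thegeeksinc.com>
To: recipient@example.invalid
Subject: Meeting notice
MIME-Version: 1.0
Content-Type: multipart/alternative;
\tboundary=Q5d0zrJgcyn5196r8
Return-Path: info@teknus.com.ar

--Q5d0zrJgcyn5196r8
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

--Q5d0zrJgcyn5196r8
Content-Type: audio/x-wav;
\tname=c45929c22c1fd6c110.inv.bat
Content-Transfer-Encoding: base64

--Q5d0zrJgcyn5196r8--
"""

# "from <HELO name> [ip]" or "from <name> ([ip] ...)", then "by <server>".
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\(?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)
RISKY_EXT = (".bat", ".pif", ".scr", ".exe")


def hops(msg):
    """Received hops, oldest first, as (helo_name, ip, recording_server)."""
    found = [HOP_RE.search(h) for h in msg.get_all("Received", [])]
    return [m.groups() for m in reversed(found) if m]


def findings(raw):
    """Return human-readable indicators that the visible sender is forged."""
    msg = message_from_string(raw)
    out = []
    # Skip internal relays (RFC 1918 addresses) when looking for the origin.
    public = [h for h in hops(msg) if not ipaddress.ip_address(h[1]).is_private]
    if public:
        helo, ip, by = public[0]
        out.append(f"earliest public hop {ip} (HELO {helo!r}) recorded by {by}")
        if "." not in helo:
            out.append(f"HELO {helo!r} is not a fully qualified host name")
    # The From header is free text; compare it with the envelope sender.
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        out.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    # An executable file name under a harmless-looking media type.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(RISKY_EXT) and not ctype.startswith("application/"):
            out.append(f"attachment {name} is executable but declared as {ctype}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE):
        print(line)
```
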

Mustang
June 12th, 2002, 07:11 AM
Actually those aren't dialup IPs

attbi is att's broadband service.

and since jvaguy lives in texas and doesn't use any att internet services it cannot be him.

also the ip address for the mail server on that email is not the correct mail server address for his email service.

so it looks like someone is trying to make you believe that he is sending out viri when he is actually not.

i will look into the origins of this and respond to you in pm.

SubZero
June 12th, 2002, 07:43 AM
Forward a copy of your info to admin@thegeeksinc.com. This is something I will need to contact my webhost about, and possibly ATT Broadband.

kingtbone
June 12th, 2002, 08:47 AM
Doesn't Klez spoof the "from" portion of your email based on another contact in your Outlook book? Maybe I just made that up though...

Mayet
June 12th, 2002, 09:01 AM
quote: Originally posted by iateyourcat:
> Hey man, is this you?
>
> jvaguy@thegeeksinc.com

no it's not me .. but JVA is not the type of person to do this ...

hey Iateyourcat

You're a fellow student of the Thelemic Abbey I see

DANIMAL
June 12th, 2002, 09:40 AM
LOL at the idiot that did that?
leaving his freaking IP addy.
MUUHHAHAHHAHAHAHA

Matt_29
June 12th, 2002, 12:57 PM
thanx guys sorry i only am on at nite 90% of the time .. here's the story

ok i have Norton Antivirus 2002 (constantly updated), and Eudora 5.1 so check the headers of the email and see what program is being used. also i don't open attachments in emails, cut and dry, i haven't for yrs and don't plan on it now .. and also I don't have an address book so even if i did have this virus there would be no way to send out emails since i have them on a text log. (i learned when I love you virus first came out and my company was hit all cept my computer)

now for the next best thing: while AT&T is the cable provider here i use uu.net dialup .. thanks for trying to clear things up but something else is going on .. however i can show as of late I've been getting emails from

Delivered-To: jvaguy@1
From: matridom <matridom@sympatico.ca>
To: jvaguy@thegeeksinc.com
Subject:
Date: Tue, 11 Jun 2002 14:07:49 -0300

Content-Type: text/html;

I have a dozen in my list from this email showing a virus was in a .pif file which was destroyed before i could get to it

also here's a screen shot showing my antivirus .. which also reflects my formatting things going from windows xp to win2k on the first and i do a complete scan of things every 2 weeks which next one is in 2 days

[image: http://jvaguy.thegeeksinc.com/shirt/nav.gif]

MacGyver
June 12th, 2002, 01:54 PM
Poor JvaGuy, why does this crap happen to you?

Matt_29
June 12th, 2002, 04:34 PM
not sure why it's me but ohh well .. I'm glad i take precautions for things like this. here's some more info, i decided to just do the scan today as well and here it is ..

[image: http://jvaguy.thegeeksinc.com/shirt/nav2.gif]

the reason I'm making a deal about this is cause my email addy is being used, also i want people to know I'm extremely careful about this stuff .. and also I'm trying to help whoever is the one who has this and get it removed .. now it goes back to this email

Delivered-To: jvaguy@1
From: matridom <matridom@sympatico.ca>
To: jvaguy@thegeeksinc.com
Subject:
Date: Tue, 11 Jun 2002 14:07:49 -0300

someone has my email in their address book .. that has AT&T .. so we need to keep tracing who has this .. again I'm not accusing anyone but I would like this solved as well as anyone .. so let's get this solved ..

silencio
June 12th, 2002, 05:13 PM
quote: Originally posted by JvaGuy:
> someone has my email in their address book .. that has AT&T .. so we need to keep tracing who has this ..

Exactly. With PPPOE on DSL and with regular dialup you can trace a user back to an IP for a given time and date. I wonder if it would do any good to forward this to ATT? I don't know how their authentication works or if their logs are capable of tracing a DHCP request to a user via the MAC but it might be worth a shot.

Mustang
June 12th, 2002, 06:47 PM
They do have that ability and i have forwarded this issue to them using my work email id which is a company that also uses the att backbone

they told me in a reply that they are looking into the matter and will keep me informed

i have a feeling that whoever this is will have their account suspended until they get this issue resolved.

silencio
June 13th, 2002, 05:10 PM
It looks to me like some little girl has an axe to grind with internet.com.

The same IP is still sending out this virus. It appears that they enjoy spoofing some of the guys here.

Microsoft Mail Internet Headers Version 2.0
Received: from external.server.net ([172.16.10.xxx]) by internal.server.lab with Microsoft SMTPSVC(5.0.2195.2966);
Thu, 13 Jun 2002 13:40:14 -0400
Received: from cordoba.com.ar ([200.61.160.134] RDNS failed) by external.server.net with Microsoft SMTPSVC(5.0.2195.4905);
Thu, 13 Jun 2002 13:22:43 -0400
Received: from Ylok [12.248.197.242] by cordoba.com.ar
(SMTPD32-6.06) id A43A47350138; Thu, 13 Jun 2002 14:19:54 -0300
From: jmaher (jmaher@internet.com)
To: my.email.address.com
Subject: CELLSPACING
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Message-Id: <200206131419718.SM00174@Ylok>
Date: Thu, 13 Jun 2002 14:20:03 -0300
Return-Path: ariel@teknus.com.ar
X-OriginalArrivalTime: 13 Jun 2002 17:22:44.0987 (UTC) FILETIME=[EE5D24B0:01C212FE]

--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Content-Type: audio/x-wav;
name=CONTENT.bat
Content-Transfer-Encoding: base64
Content-ID: <L16g0D08cxH229m4>

--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Content-Type: application/octet-stream;
name=search[3].html
Content-Transfer-Encoding: base64
Content-ID: <L16g0D08cxH229m4>

--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e--

Mustang
June 13th, 2002, 05:12 PM
This is very interesting

Matridom
June 13th, 2002, 05:40 PM
quote: Originally posted by JvaGuy:
> Delivered-To: jvaguy@1
> From: matridom <matridom@sympatico.ca>
> To: jvaguy@thegeeksinc.com
> Subject:
> Date: Tue, 11 Jun 2002 14:07:49 -0300
>
> someone has my email in their address book .. that has AT&T .. so we need to keep tracing who has this .. again I'm not accusing anyone but I would like this solved as well as anyone .. so let's get this solved ..

That's odd. Something funny is going on. I don't recall ever mailing you Jvaguy. For my E-mail address here, i use Netscape (OE is for my work e-mail.. attachments stripped off)

I don't think i got hit, but i'll try a different scanner just to be safe. BTW, can you PM me with the originating IP address?

Edit: This is something i thought was unrelated.. but someone signed me up to "FunnyWebsite.com" list server.
It's actually a good list server and auto unsubscribed me when i mailed back "Remove my name". The big coincidence is that this happened on the 10th......

Matt_29
June 13th, 2002, 06:18 PM
yes something weird is going on .. i had to take higher measures to deal with this too .. someone is playing around .. although i fixed my problem still something is up

Matridom
June 13th, 2002, 06:23 PM
quote: Originally posted by JvaGuy:
> yes something weird is going on .. i had to take higher measures to deal with this too .. someone is playing around .. although i fixed my problem still something is up

I think i MAY have found a possible Solution.

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

Now, the question is, who has all of us in their address book?

SubZero
June 13th, 2002, 06:38 PM
quote: Originally posted by Matridom:
> quote: Originally posted by JvaGuy:
> > yes something weird is going on .. i had to take higher measures to deal with this too .. someone is playing around .. although i fixed my problem still something is up
>
> I think i MAY have found a possible Solution.
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
>
> Now, the question is, who has all of us in their address book?

I'm doing some investigating and contacting some persons. We'll see what comes from it...

silencio
June 13th, 2002, 09:35 PM
Well, the messages that I'm getting are coming from this IP 12.248.197.242. I'm sure it's a virus and I've emailed ATT.

I get a ****load of virus/security attacks on the outside of the PIX every day and I don't have time to run them down. This one has my email though, as well as other people here.

The box just needs a virus cleaning. If somebody had the time they could scan it and prolly shut it down.

I don't think it's klez though... I think klez has a web server component. If you hit an IIS server with klez on it you'll know. :D It could be a variant though...

Matt_29
June 13th, 2002, 09:41 PM
quote: Originally posted by Matridom:
> quote: Originally posted by JvaGuy:
> > yes something weird is going on .. i had to take higher measures to deal with this too .. someone is playing around .. although i fixed my problem still something is up
>
> I think i MAY have found a possible Solution.
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
>
> Now, the question is, who has all of us in their address book?

now after all this time i know why i don't keep an address book and things .. here's a screen shot of my eudora 5.1 address book

[image: http://jvaguy.thegeeksinc.com/shirt/addybook.gif]

which goes to the point: make a text file and put all your addys there .. not only is it easy to save and things for backup but it's simple to copy and paste when you need it

silencio
June 14th, 2002, 07:26 AM
quote: Originally posted by JvaGuy:
> which goes to the point: make a text file and put all your addys there .. not only is it easy to save and things for backup but it's simple to copy and paste when you need it

And that's why my mail is viewed as straight text first. I got a couple more viruses today at that email address so it's hosed. No problem though, it's already changed. ...one of the perks of being the admin ;)

Microsoft Mail Internet Headers Version 2.0
Received: from external.server.net ([172.16.10.xxx]) by internal.server.lab with Microsoft SMTPSVC(5.0.2195.2966);
Fri, 14 Jun 2002 00:32:58 -0400
Received: from super_exchange.supermicro.com ([66.120.31.2] unverified) external.server.net with Microsoft SMTPSVC(5.0.2195.4905);
Fri, 14 Jun 2002 00:25:38 -0400
Received: by SUPER_EXCHANGE with Internet Mail Service (5.5.2653.19)
id <MJT24R9X>; Thu, 13 Jun 2002 21:18:40 -0700
Message-ID: <2DA7F1611EE8D511B945003048310C620BAA2F@66-120-31-3.supermicro.com>
From:
"DSAVSUPER_EXCHANGE2001(Network Associates Anti-Virus - Mailbox Agent)"
<DSAVSUPER_EXCHANGE2001@supermicro.com>
To: 'cltaylor' (cltaylor@iateyourcat.com)
Subject: ALERT - Virus W32/Klez.h@MM found; an attachment/message has been
quarantined
Date: Thu, 13 Jun 2002 21:19:58 -0700
X-MS-TNEF-Correlator: <2DA7F1611EE8D511B945003048310C620BAA2F@66-120-31-3.supermicro.com>
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/mixed;
boundary="----_=_NextPart_000_01C2135A.BE560CD0"
Return-Path: DSAVSUPER_EXCHANGE2001@supermicro.com
X-OriginalArrivalTime: 14 Jun 2002 04:25:38.0407 (UTC) FILETIME=[892B6770:01C2135B]

------_=_NextPart_000_01C2135A.BE560CD0
Content-Type: text/plain

------_=_NextPart_000_01C2135A.BE560CD0
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64

------_=_NextPart_000_01C2135A.BE560CD0--

Matridom
June 14th, 2002, 11:50 AM
I got mine today..

info@teknus.com.ar>
Received: from cordoba.com.ar ([200.61.160.134]) by tomts20-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with ESMTP id <20020614005949.ZCIJ25296.tomts20-srv.bellnexxia.net@cordoba.com.ar> for <matridom@sympatico.ca>; Thu, 13 Jun 2002 20:59:49 -0400
Received: from Roxedm [12.248.197.242] by cordoba.com.ar (SMTPD32-6.06) id A79120C021E; Thu, 13 Jun 2002 14:34:09 -0300
From: PrincessBabzy <PrincessBabzy@aol.com>
To: matridom@sympatico.ca
Subject: A IE 6.0 patch
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=VM4t9J8MTz4t0n1P996k935S0
Message-Id: <200206131434375.SM00174@Roxedm>

an .SCR attachment contains the KLEZ virus...

e-mail has been sent to ATT

silencio
June 14th, 2002, 06:21 PM
Is ATT asleep at the wheel or what? How many complaints do they need?

geoscomp
July 1st, 2002, 05:59 PM
BTW..i know this is a late response, but just read the thread..klez does have a web server component..it does spoof the "from" address, it doesn't have to be opened as an attachment to activate, and it can get email addresses from temp files as easily as from address books

Matt_29
July 1st, 2002, 11:34 PM
i changed my email and things and stuff and no longer have my stuff public to avoid this from happening again ..