Zafi.B - Cannot find infected PC - Need some help

From: Axel Schwenke (usenet_spam_at_gmx.de)
Date: 09/30/04


Date: 30 Sep 2004 07:13:36 GMT

Hi there!

It's a bit strange with this Zafi.B Virus and I hope there is someone who
might help me out of this bad thing.

We use an Exchange 2000 server.
The server catches all emails which are sent to our domains.
If a mail can't be delivered to one of our users, it is stored in the
admin inbox so it can be manually sent to the user if the address was
misspelled or whatever.
On Tuesday morning (28.09.2004) there were about 2400 mails in the
admin inbox. These mails were all sent to different addresses of our domains
(like: mezdina@{ourdomain.tld} or duhubu{ourdomain.tld} and so on) and
they're all like this:

--
Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
Sender: Petra Menke
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php25affv
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
--
I was quite sure that this virus is faking the sender's address, but our user
told me that he found hundreds of error messages in his inbox. These
messages said that the Exchange client wasn't able to send that mail to
e.g. mezdina@{ourdomain.tld}. There were as many inbox errors as mails in
the admin inbox.
This happened every day since Tuesday with about 1500-2500 mails a day.
So I was sure that the client PC (one of our last Win95'ers) itself is
infected with zafi.b.
By the way... We use an antivirus system for all our client PCs. It is
always up to date and is updated automatically.
I downloaded the fixtool for zafi.b and searched for the virus and found...
nothing!
So, now my question:
How is it possible that a client gets these messages that the sent mails
are undeliverable because of wrong addresses, when he doesn't send them?
These mails were sent between 8pm and 4am. There is no one working during
the evening.
I searched the registry in HKLM/Softw./MS/Win/CV/Run, but there was nothing
wrong.
Is there any possibility to find the infected PC?
I hope I didn't write too long, but I will be sure to tell about all details.
Thanks in advance!
Greetings
Axel
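
An added example, not part of the original post: one way to narrow down which machine is submitting such mail is to tally, over the messages caught in the admin inbox, the IP address that the mail server itself recorded in its Received header. It assumes the messages have been exported as RFC 822 text and that the server stamps the submitting host's IP there; `mail.example.test`, the function names and all sample messages are constructed.

```python
import re
from collections import Counter
from email import message_from_string

OUR_SERVER = "mail.example.test"  # assumption: name our server writes after "by"
# Private (RFC 1918) ranges, i.e. machines on the local network.
INTERNAL = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
# "from <name> ([a.b.c.d]) by <server>" as stamped by the receiving server.
HOP = re.compile(r"from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([^\s;]+)", re.S | re.I)

def entry_ip(raw):
    """Return the IP of the host that handed the message to OUR_SERVER, or None."""
    msg = message_from_string(raw)
    # Each hop prepends its header, so the top-most header stamped by our own
    # server is the trustworthy one; headers below it are sender-supplied.
    for hop in msg.get_all("Received", []):
        m = HOP.search(hop)
        if m and m.group(2).lower() == OUR_SERVER:
            return m.group(1)
    return None

def suspects(messages):
    """Count messages per internal submitting IP, busiest first."""
    counts = Counter(entry_ip(m) for m in messages)
    return [(ip, n) for ip, n in counts.most_common() if ip and INTERNAL.match(ip)]

def sample(ip, rcpt, forged=""):
    """Build one constructed message; `forged` is a header the sender added."""
    return (f"Received: from host ([{ip}])\n\tby {OUR_SERVER} with SMTP;"
            " Tue, 28 Sep 2004 02:10:00 +0200\n"
            f"{forged}From: someone@example.test\nTo: {rcpt}@example.test\n"
            "Subject: constructed\n\nbody\n")

FORGED = ("Received: from a ([198.51.100.7]) by mx.example.invalid;"
          " Mon, 27 Sep 2004 23:00:00 +0200\n")
SAMPLES = [
    sample("192.168.1.17", "aaa", FORGED),
    sample("192.168.1.17", "bbb"),
    sample("192.168.1.17", "ccc", FORGED),
    sample("203.0.113.5", "ddd"),  # arrived from outside
]

if __name__ == "__main__":
    for ip, n in suspects(SAMPLES):
        print(f"{ip}\t{n} messages")
```

The From line plays no part in the tally, so a faked sender address does not change the result.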
