Re: Zafi.B - Cannot find infected PC - Need some help
From: Malke (malke_at_nospoonnotreally.com)
Date: 09/30/04
Date: Thu, 30 Sep 2004 09:21:38 -0700
Axel Schwenke wrote:
> Hi there!
>
> It's a bit strange with this Zafi.B Virus and I hope there is someone
> who might help me out of this bad thing.
>
> We use an exchange2000-server.
> The server catches all emails which are sent to our domains.
> If a mail can't be delivered to one of our users, it is stored in the
> admin-Inbox so it can be manually sent to the user if the address was
> misspelled or whatever.
> On Tuesday morning (28.09.2004) there were about 2400 mails in the
> admin-inbox. These mails were all sent to different addresses of our
> domains
> (like: mezdina@{ourdomain.tld} or duhubu{ourdomain.tld} and so on)
> and they're all like this:
>
> --
> Dear Customer!
>
> You`ve got 1 VoiceMessage from voicemessage.com website!
> Sender: Petra Menke
> You can listen your Virtual VoiceMessage at the following link:
> http://virt.voicemessage.com/index.listen.php25affv
> or by clicking the attached link.
>
> Send VoiceMessage! Try our new virtual VoiceMessage Empire!
> Best regards: SNAF.Team (R).
> --
>
>
> I was quite sure that this virus is faking the sender's address, but our
> user told me, that he found hundreds of error-messages in his inbox.
> These messages said that the exchange-client wasn't able to send that
> mail to e.g. mezdina@{ourdomain.tld}. There were as many inbox-errors
> as mails in the admin-inbox.
> This happened every day since Tuesday with about 1500-2500 mails a day.
> So I was sure that the client-pc (one of our last Win95'ers) itself is
> infected with zafi.b.
> By the way... We use an antivirus-system for all our client-pcs. It is
> always up to date and is updated automatically.
> I downloaded the fixtool for zafi.b and searched for the virus and
> found... nothing!
>
> So, now my question:
> How is it possible, that a client gets these messages that the sent
> mails are undeliverable because of wrong addresses, when he doesn't
> send them? These mails were sent between 8pm and 4am. There is no one
> working during the evening.
> I searched the registry in HKLM/Softw./MS/Win/CV/Run, but there was
> nothing wrong.
> Is there any possibility to find the infected pc?
From your description, probably no one on your network is infected. What
has probably happened is that someone who has mezdina@yourdomain in
*their* addressbook is infected and *their* machine is busily sending
out viral emails, including spoofed "From" lines.
Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
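
One way to check from the stored messages themselves whether the sending machine is inside the network, as an added example that is not part of the original thread: read the connecting IP that your own mail server stamped in its Received header and ignore the forgeable From line. The host name `mail.ourdomain.example`, the internal ranges and the sample message are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from collections import Counter

# Assumed values for this sketch: our gateway's name and internal ranges.
OUR_MTA = "mail.ourdomain.example"
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "from HELO ([1.2.3.4]) by HOST" and "from HELO (rdns [1.2.3.4]) by HOST".
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\([^()\[\]]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)", re.I)


def submitting_client(raw_message):
    """Return (ip, is_internal) as stamped by our own MTA, or None."""
    # Only the Received line written by our server is trusted; From: and any
    # Received lines below it come from the sender and can be forged.
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received", []):      # newest hop first
        m = RECEIVED_RE.search(hop)
        if not m or m.group("by").lower() != OUR_MTA:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue                             # malformed address literal
        return str(ip), any(ip in net for net in INTERNAL_NETS)
    return None


def tally_sources(raw_messages):
    """Count connecting clients over a batch, e.g. the stored undeliverables."""
    hits = (submitting_client(raw) for raw in raw_messages)
    return Counter(hit for hit in hits if hit is not None)


# Constructed sample: From: names a local user, yet our server logged an
# outside address. The lower Received line is sender-supplied and ignored.
SPOOFED = """\
Received: from pc23 ([203.0.113.45]) by mail.ourdomain.example with SMTP;
\tTue, 28 Sep 2004 21:14:02 +0200
Received: from localhost ([192.168.1.23]) by pc23 with SMTP
From: user@ourdomain.example
To: mezdina@ourdomain.example

body
"""
```

If every message in the batch tallies to outside addresses, the bounces are backscatter from a spoofed sender; a single internal address that dominates the count points at the workstation to examine.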