Junk mail and macros

[drwho9437]

Anybody else getting spam from other skinners? or at least labeled as such. Lots of attachments to, probably some macro thing.

[simon snowflake]

welcome to the club

I get around 60 virus mails a day, i throw them away without opening, but still other people get them from me aswell.
If you have a skin published at winamp.com your e-mail is easy obtained since loads of people come here. cache the pages, then the viri has its playing time.

[drwho9437]

It is the people I get them from though... I have always got them but now I get them from Nullsoft dev and scripters I won't name names (at least the is who it said they were from, I didn't check the headers) guess it is just another fun thing one gets to deal with when giving your hard work away).

[simon snowflake]

well you can name names, since you cant do shit about it, it uses e-mail addres found in the cache for the sender aswell. (as far as i know)

[Xerxes]

Its probably the damned Klez virus. The most persisitant computer worm in history.

[Mr Jones]

For those who might not know...

W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability are available at http://www.microsoft.com/technet/se..*****MS01-020.asp

The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326

The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.


When the worm is executed, it copies itself to %System%\Wink[random characters].exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

Wink[random characters] %System%\Wink[random characters].exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:

ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT

The worm copies itself to local, mapped, and network drives as:

A random file name with a double extension. For example, filename.txt.exe.
A .rar archive with a double extension. For example, filename.txt.rar.

In addition, the worm searches the Windows address book, the ICQ database, and local files (such as .html and text files) for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random. The from address is randomly chosen from email addresses that the worm finds on the infected computer.

NOTES:
Because this worm does use a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using a antivirus program or does not have current virus definitions. When W32.Klez.E@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

If you are using a current version of Norton AntiVirus, have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.

There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your email address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at

http://www.microsoft.com/technet/se..*****MS01-020.asp

The worm also infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

The worm also drops the virus W32.Elkern.3587 as the file %System%\wqk.exe and executes it.

Finally, the worm has a payload. On the 6th of every odd numbered month (except January or July), the worm attempts to overwrite with zeroes files that have the extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July, this payload attempts to overwrite all files with zeroes, not just those with the aforementioned extensions.

[ertmann|CPH]

This is exactly why i don't use Outlook

or Internet Explorer, Explorer, Windows Mediaplayer and MS Office for that matter!

Use: the bat!, opera, Litestep, winamp 3 and Sun StarOffice 6.0 instead

[heidorn]

I've gotten the same E-mail crap for the last 5 days ever since I first submitted a skin.

My system is clean, I've run Norton Antivirus with the newest definitions. I figured the only solutions is to contact the people you get the e-mail from and tell them they've got one.

-Chris

[Naamloos]

I had immediate delete on junk filter of hotmail, keeps me safe, cos my friends arent infested, and when they are, ill let them notice

If anyone sent me an email, please say so now

[Mr Jones]

Quote:

Originally posted by heidorn
I've gotten the same E-mail crap for the last 5 days ever since I first submitted a skin.

Lucky you, I've been getting this for over a year now since klez and the many variants hit the net, often deleting over 200 mails a day somedays

You don't want crap in your mailboxes, don't use a public mailbox on your WA account, I should also tell you that this isn't just a specific WA problem, it will happen from any site that has a public mailbox contact point for you, 1001winampskins, devart, deskmod and a 1000 other skins site that your stuff gets posted on that you don't even know about.

The likelyhood that anyone in here is infected with klez is remote, it's all the fake mail details that it harvests of peoples machines that cause the problem.

Solution, edit your WA.com profile, update the mailbox, change it to idontwantviruses@fuckedup.com

Or set your hotmail filters nice and high

Script kiddies, love em, I remember back in the day when viruses first hit the Amiga scene the most malicious thing they did was make the power light blink above your keyboard

[Cro]

Quote:

Originally posted by ertmann|CPH
This is exactly why i don't use Outlook

or Internet Explorer, Explorer, Windows Mediaplayer and MS Office for that matter!

Use: the bat!, opera, Litestep, winamp 3 and Sun StarOffice 6.0 instead

I do use IE, Windows MP, MS Office, Explorer (but not outlook, because i prefer webmail) and never had any problem with worms. If u do use a firewall and an antivirus and all we be fine (as long as you re not a real true lame) ...