Annex - Security

Viruses detected by NOD32 in our mailbox - September/December 2006 - January 2007

Win32/Mydoom.R worm & Win32/Mydoom.Q worm & Win32/VB.NEI worm


2006I21a: Nod32: virus Win32/Mydoom.R worm in a compressed (zip) file

Return-path: <MAILER-DAEMON@vinosoft.com>
Received: from vinosoft.com (unverified [165.165.191.216]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008094181@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 21 Sep 2006 12:34:45 +0200
Message-ID: <B0008094181@mail.register.be>
From: "Mail Administrator" <MAILER-DAEMON@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] VINOSOFT@VINOSOFT.COM
Date: Thu, 21 Sep 2006 12:34:14 +0200
Dear user vinosoft@vinosoft.com, administration of vinosoft.com would like to let you know that,
Your e-mail account has been used to send a huge amount of spam messages during this week.
Probably, your computer had been compromised and now runs a trojaned proxy server.
Please follow the instruction in order to keep your computer safe.
Best wishes, The vinosoft.com team.
Warning: NOD32 antivirus system found the following in the message: vinosoft@vinosoft.com.zip - Win32/Mydoom.R worm
Content-Type: application/octet-stream; name="vinosoft@vinosoft.com.zip"

Virus sender: 165.165.191.216

SOUTH AFRICA

GAUTENG

AFRICAN NETWORK INFORMATION CENTER

dsl-165-191-216.telkomadsl.co.za (165.165.191.216) - Telkom SA Limited - Integrated Network Planning - Pretoria - Gauteng - Markus Stoltz - stoltzmr@telkom.co.za
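The entry above shows every element this annex records for a hit: the connecting IP inside the Received header (what Rockliffe prints as "unverified [IP]"), a HELO that simply claims to be the recipient's own domain, a fake bounce "from" the recipient's own MAILER-DAEMON, and a zip named after the recipient address. As an added example, not code from the original page, the following Python script parses the Received formats that appear in this annex and scores that forged-bounce pattern. The two sample messages are reconstructed from the 2006I21a and 2006I23b entries (bodies trimmed); the function and flag names are this example's own.

```python
"""Added example, not part of the original annex: extract the connecting IP
from the Received headers quoted here and flag the Mydoom.R fake-NDR pattern."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Matches the Rockliffe form  "from HELO (unverified [IP]) by HOST"
# and the sendmail forms      "from HELO (RDNS [IP]) by HOST" / "from HELO ([IP]) by HOST".
# The qmail form "from unknown (HELO x) (IP) by ..." seen in the Stration entry
# is deliberately not matched and yields None.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\("
    r"(?:unverified\s+)?"
    r"(?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>[^\s(;]+)"
)

# Local parts a worm uses when it forges a bounce from the victim's own domain.
BOUNCE_LOCALPARTS = {"mailer-daemon", "postmaster", "noreply", "no-reply"}


def parse_received(value: str) -> Optional[dict]:
    """Return {helo, rdns, ip, by} for one Received header value, or None."""
    m = RECEIVED_RE.search(value)
    return m.groupdict() if m else None


def forged_bounce_indicators(raw_message: str) -> list:
    """Return the forgery indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_domain = to_addr.rpartition("@")[2]
    from_local, _, from_domain = from_addr.rpartition("@")

    flags = []
    # 1. A "bounce" that claims to come from the recipient's own mail system.
    if from_domain == to_domain and from_local in BOUNCE_LOCALPARTS:
        flags.append("from-is-own-mailer")

    # 2. The earliest visible hop is the bottom-most Received header.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if hops:
        origin = hops[-1]
        if origin["helo"].lower() == to_domain:
            flags.append("helo-is-recipient-domain")
        if origin["rdns"] and origin["rdns"].lower() != origin["helo"].lower():
            flags.append("helo-rdns-mismatch")

    # 3. Mydoom names its zip after the victim address (vinosoft@vinosoft.com.zip).
    if (msg.get_filename() or "").lower() == f"{to_addr}.zip":
        flags.append("zip-named-after-recipient")
    return flags


# Reconstructed from entry 2006I21a above (body trimmed).
SAMPLE_FORGED = """\
Return-path: <MAILER-DAEMON@vinosoft.com>
Received: from vinosoft.com (unverified [165.165.191.216]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008094181@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 21 Sep 2006 12:34:45 +0200
Message-ID: <B0008094181@mail.register.be>
From: "Mail Administrator" <MAILER-DAEMON@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: VINOSOFT@VINOSOFT.COM
Date: Thu, 21 Sep 2006 12:34:14 +0200
Content-Type: application/octet-stream; name="vinosoft@vinosoft.com.zip"

Dear user vinosoft@vinosoft.com, administration of vinosoft.com would like to let you know that,
Your e-mail account has been used to send a huge amount of spam messages during this week.
"""

# Reconstructed from entry 2006I23b above (body trimmed).
SAMPLE_RELAYED = """\
Return-Path: <hr-wsis@iris.sgdg.org>
Received: from iris.sgdg.org (3.Red-80-32-185.staticIP.rima-tde.net [80.32.185.3]) by inmx008.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k8NKMwJ3007061 for <vinosoft@skynet.be>; Sat, 23 Sep 2006 22:22:59 +0200 (envelope-from <hr-wsis@iris.sgdg.org>)
Message-Id: <200609232022.k8NKMwJ3007061@inmx008.isp.belgacom.be>
From: hr-wsis@iris.sgdg.org
To: vinosoft@skynet.be
Subject: Mail System Error - Returned Mail
Content-Type: application/octet-stream; name="document.zip"

Your message was undeliverable due to the following reason: ...
"""

if __name__ == "__main__":
    for name, raw in (("2006I21a", SAMPLE_FORGED), ("2006I23b", SAMPLE_RELAYED)):
        hop = parse_received(message_from_string(raw)["Received"])
        print(name, hop["ip"], forged_bounce_indicators(raw))
```

The indicators are heuristics, not a verdict: a legitimate NDR from the recipient's own relay will also match "from-is-own-mailer", so the decisive field is always the connecting IP in the outermost Received header written by your own MX, which is exactly what the annex geolocates in each entry.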


 

2006I22a: Nod32: virus Win32/Mydoom.R worm in a compressed (zip) file

Return-path: <colin.webster@hcl.com>
Received: from hcl.com (unverified [165.145.146.53]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008273023@mail.register.be> for <vinosoft@vinosoft.com>; Fri, 22 Sep 2006 12:46:06 +0200
Message-ID: <B0008273023@mail.register.be>
From: colin.webster@hcl.com
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail
... Dear user of vinosoft.com,
Your e-mail account was used to send a large amount of spam messages during this week.
Probably, your computer had been infected and now contains a trojan proxy server.
Please follow the instructions in order to keep your computer safe.
Have a nice day,
vinosoft.com support team.
Warning: NOD32 antivirus system found the following in the message: document.zip - Win32/Mydoom.R worm

Virus sender: 165.145.146.53

SOUTH AFRICA

TELKOM SA LIMITED

dsl-145-145-53.telkomadsl.co.za (165.145.146.53) - Telkom SA Limited - Integrated Network Planning - Pretoria - Gauteng - Markus Stoltz - stoltzmr@telkom.co.za


2006I22b: Nod32: virus Win32/Mydoom.R worm in a compressed (zip) file

Return-path: <noreply@vinosoft.com>
Received: from vinosoft.com (unverified [80.32.185.3]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008340118@mail.register.be> for <vinosoft@vinosoft.com>; Fri, 22 Sep 2006 21:21:11 +0200
Message-ID: <B0008340118@mail.register.be>
From: "Post Office" <noreply@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm]
... Your message was not delivered due to the following reason:
Your message was not delivered because the destination server was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message could not be delivered within 4 days:
Host 54.251.83.233 is not responding.
The following recipients could not receive this message:
<vinosoft@vinosoft.com>
Please reply to postmaster@vinosoft.com
if you feel this message to be in error.
Warning: NOD32 antivirus system found the following in the message: vinosoft@vinosoft.com.zip - Win32/Mydoom.R worm

Virus sender: 80.32.185.3 SPAIN TELEFONICA DE ESPANA - 3.Red-80-32-185.staticIP.rima-tde.net

2006I23a: Nod32: virus Win32/Mydoom.R worm in a compressed (zip) file

Return-path: <MAILER-DAEMON@vinosoft.com>
Received: from vinosoft.com (unverified [61.232.7.1]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008368604@mail.register.be> for <vinosoft@vinosoft.com>; Sat, 23 Sep 2006 03:20:11 +0200
Message-ID: <B0008368604@mail.register.be>
From: "Automatic Email Delivery Software" <MAILER-DAEMON@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Message could not be delivered
... This message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
unreachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message could not be delivered within 1 days:
Mail server 196.206.174.113 is not responding.

(Lookup of the 196.206.174.113 quoted in that bounce text: MOROCCO - AFRINIC - adsl196-113-174-206-196.adsl196-6.iam.net.ma)

The following recipients did not receive this message:
<vinosoft@vinosoft.com>
Please reply to postmaster@vinosoft.com
if you feel this message to be in error.
Warning: NOD32 antivirus system found the following in the message: vinosoft@vinosoft.com.zip - Win32/Mydoom.R worm

Virus sender: 61.232.7.1

CHINA

BEIJING

CHINA RAILCOM BEIJING BRANCH


2006I23b: Nod32: virus Win32/Mydoom.R worm in a compressed (zip) file

Return-Path: <hr-wsis@iris.sgdg.org>
Received: from iris.sgdg.org (3.Red-80-32-185.staticIP.rima-tde.net [80.32.185.3]) by inmx008.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k8NKMwJ3007061 for <vinosoft@skynet.be>; Sat, 23 Sep 2006 22:22:59 +0200 (envelope-from <hr-wsis@iris.sgdg.org>)
Message-Id: <200609232022.k8NKMwJ3007061@inmx008.isp.belgacom.be>
From: hr-wsis@iris.sgdg.org
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail
... Your message was undeliverable due to the following reason: Your message was not delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura-tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message could not be delivered within 2 days: Mail server 102.241.249.18 is not responding. The following recipients did not receive this message: <vinosoft@skynet.be>
Please reply to postmaster@skynet.be if you feel this message to be in error.
Warning: NOD32 antivirus system found the following in the message: document.zip - Win32/Mydoom.R worm

Virus sender: 80.32.185.3

SPAIN

TELEFONICA DE ESPANA - 3.Red-80-32-185.staticIP.rima-tde.net


2006I24-25a: Nod32: virus Win32/Mydoom.R worm

 

Received: from skynet.be (3.Red-80-32-185.staticIP.rima-tde.net [80.32.185.3]) by inmx002.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k8P2GPC9025292 for <vinosoft@skynet.be>; Mon, 25 Sep 2006 04:16:26 +0200 (envelope-from <postmaster@skynet.be>)
Message-Id: <200609250216.k8P2GPC9025292@inmx002.isp.belgacom.be>
From: "Post Office" <postmaster@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] hi

Virus sender: 80.32.185.3

SPAIN

TELEFONICA DE ESPANA - 3.Red-80-32-185.staticIP.rima-tde.net

 

Received: from skynet.be (3.Red-80-32-185.staticIP.rima-tde.net [80.32.185.3]) by inmx009.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k8OHVStJ012971 for <vinosoft@skynet.be>; Sun, 24 Sep 2006 19:31:28 +0200 (envelope-from <noreply@skynet.be>)
Message-Id: <200609241731.k8OHVStJ012971@inmx009.isp.belgacom.be>
From: "MAILER-DAEMON" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS

Virus sender: 80.32.185.3

SPAIN

TELEFONICA DE ESPANA - 3.Red-80-32-185.staticIP.rima-tde.net

 

Received: from vinosoft.com (unverified [213.228.83.79]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008502484@mail.register.be> for <vinosoft@vinosoft.com>; Sun, 24 Sep 2006 11:31:04 +0200
Message-ID: <B0008502484@mail.register.be>
From: "MAILER-DAEMON" <noreply@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] [virus Win32/Mydoom.R worm] Sdkeklgmzf

Virus sender: 213.228.83.79

RUSSIA

NOVOSIBIRSKAYA OBLAST'

NOVOSIBIRSK

8-180 DIALUP POOL


2006I25b-26a: Nod32: virus Win32/Mydoom.R worm: continued

 

Received: from vinosoft.com (unverified [195.131.162.170]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008633023@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 12:41:12 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [81.23.101.3]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008633570@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 12:45:32 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [195.131.162.170]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008638077@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 13:19:44 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [195.131.162.170]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008653981@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 15:05:04 +0200 - virus Win32/Mydoom.R worm

 

Received: from skynet.be (3.Red-80-32-185.staticIP.rima-tde.net [80.32.185.3]) by inmx014.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k8PFXQKi011299 for <vinosoft@skynet.be>; Mon, 25 Sep 2006 17:33:27 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [71.215.216.94]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008701479@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 20:16:51 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [69.81.213.30]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008711630@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 21:40:08 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [195.131.162.170]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008767239@mail.register.be> for <vinosoft@vinosoft.com>; Tue, 26 Sep 2006 08:23:58 +0200 - virus Win32/Mydoom.R worm

 

Sender of 4 viruses: 195.131.162.170

RUSSIAN FEDERATION

WEBPLUS LTD

Sender of 1 virus: 81.23.101.3

RUSSIAN FEDERATION

SEVEREN TELECOM

Sender of 1 virus: 80.32.185.3

SPAIN

TELEFONICA DE ESPANA - Same as: 22/09/06 21:21:11 ... 24/09/06 19:31:28

Sender of 1 virus: 71.215.216.94

USA

COLORADO

DENVER

QWEST COMMUNICATIONS CORPORATION

Sender of 1 virus: 69.81.213.30

USA

GEORGIA

ATLANTA

EARTHLINK INC


2006I26b-27a: Nod32: virus Win32/Mydoom.R worm: continued

 

Received: from skynet.be (3.Red-80-32-185.staticIP.rima-tde.net [80.32.185.3]) by inmx014.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k8QCopBO016862 for <vinosoft@skynet.be>; Tue, 26 Sep 2006 14:50:53 +0200 - virus Win32/Mydoom.R worm

Virus sender: 80.32.185.3

SPAIN

TELEFONICA DE ESPANA - Same as above

 

Received: from vinosoft.com (unverified [166.114.54.230]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008866661@mail.register.be> for <vinosoft@vinosoft.com>; Tue, 26 Sep 2006 20:12:28 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [166.114.54.230]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008892257@mail.register.be> for <vinosoft@vinosoft.com>; Wed, 27 Sep 2006 00:57:14 +0200 - virus Win32/Mydoom.R worm

Sender of 2 viruses: 166.114.54.230

BOLIVIA

ENTEL S.A. - ENTELNET

 

Received: from vinosoft.com (unverified [69.81.213.30]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008907170@mail.register.be> for <vinosoft@vinosoft.com>; Wed, 27 Sep 2006 04:18:28 +0200 - virus Win32/Mydoom.R worm

Virus sender: 69.81.213.30

USA

GEORGIA

ATLANTA

EARTHLINK INC - Same as above

 

Received: from vinosoft.com (unverified [213.228.83.57]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008941256@mail.register.be> for <vinosoft@vinosoft.com>; Wed, 27 Sep 2006 10:21:11 +0200 - Message-ID: <B0008941256@mail.register.be> - From: "Returned mail" <noreply@vinosoft.com> - To: vinosoft@vinosoft.com - Subject: [virus Win32/Mydoom.R worm] Message could not be delivered

Virus sender: 213.228.83.57

RUSSIAN FEDERATION

NOVOSIBIRSKAYA OBLAST

c5851.57.sinor.ru

 

Received: from vinosoft.com (unverified [165.146.67.73]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008948479@mail.register.be> for <vinosoft@vinosoft.com>; Wed, 27 Sep 2006 11:08:57 +0200 - Message-ID: <B0008948479@mail.register.be> - From: "Post Office" <noreply@vinosoft.com> - To: vinosoft@vinosoft.com - Subject: [virus Win32/Mydoom.R worm] Message could not be delivered

Virus sender: 165.146.67.73

SOUTH AFRICA

GAUTENG

JOHANNESBURG

TELKOM SA LIMITED


2006I28a: Nod32: virus Win32/Mydoom.R worm: continued

 

 

Received: from vinosoft.com (unverified [166.114.54.230]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009047318@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 28 Sep 2006 00:41:23 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [69.81.213.30]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009052930@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 28 Sep 2006 01:43:51 +0200 - virus Win32/Mydoom.R worm

 

Received: from skynet.be ([212.103.168.65]) by inmx006.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k8S7lvHf018096 for <vinosoft@skynet.be>; Thu, 28 Sep 2006 09:47:57 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [195.131.89.145]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009123639@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 28 Sep 2006 12:48:07 +0200 - virus Win32/Mydoom.R worm

 

Received: from vinosoft.com (unverified [165.145.136.138]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009124533@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 28 Sep 2006 12:55:03 +0200 - virus Win32/Mydoom.R worm

 

Received: from skynet.be ([89.120.16.179]) by inmx004.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k8SBWfai003697 for <vinosoft@skynet.be>; Thu, 28 Sep 2006 13:32:41 +0200 - virus Win32/Mydoom.R worm
 

Sender of 1 virus: 166.114.54.230

BOLIVIA

ENTEL S.A. - ENTELNET

Sender of 1 virus: 69.81.213.30

USA

GEORGIA

ATLANTA

EARTHLINK INC

Sender of 1 virus: 212.103.168.65

EGYPT

AL QAHIRAH

CAIRO

TE-DATA-NETWORKS

Sender of 1 virus: 195.131.89.145

RUSSIAN FEDERATION

SANKT-PETERBURG

ST. PETERSBURG

Sender of 1 virus: 165.145.136.138

SOUTH AFRICA

TELKOM SA LIMITED

Sender of 1 virus: 89.120.16.179

ROMANIA

ROMTELECOM DATA NETWORK


2006I28ss - 2006j02: Nod32: virus Win32/Mydoom.R worm: continued

 

 

The senders of these 15 Mydoom.R viruses:

same as the previous day, 3 copies: 166.114.54.230

BOLIVIA

ENTEL S.A. - ENTELNET

same as the previous day, 4 copies: 195.131.89.145

RUSSIAN FEDERATION

SANKT-PETERBURG

2 copies: 81.198.160.89

LATVIA

GLOBAL_DVA NETWORK - Baltic state - Latvia

same as the previous day, 2 copies: 89.120.16.179

ROMANIA

ROMTELECOM DATA NETWORK

2 copies: 85.113.136.31

RUSSIAN FEDERATION

INTERCON JSC NETWORK

same as the previous day, 1 copy: 165.145.136.138

SOUTH AFRICA

TELKOM SA LIMITED

same as the previous day, 1 copy: 69.81.213.30

USA

GEORGIA

ATLANTA

EARTHLINK INC

 

 

The senders of these 3 Mydoom.R viruses of 30/09/2006:

85.141.182.185

RUSSIAN FEDERATION

MOSKVA

MOSCOW

ZAO MTU-INTEL

69.88.28.77

BANGLADESH

CHITTAGONG

COMILLA

CYBERBETS - SPECTRANET

212.23.228.18

SWITZERLAND

GENEVA

SA DES HOTELS PRESIDENT

 

2006j01a: Nod32: virus Win32/Mydoom.R worm - continued, 01/10/2006:
Received: from vinosoft.com (unverified [220.207.8.217]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009447889@mail.register.be> for <vinosoft@vinosoft.com>; Sun, 1 Oct 2006 04:14:43 +0200 - Message-ID: <B0009447889@mail.register.be>
From: "Returned mail" <noreply@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] gxbdua

Virus sender: 220.207.8.217 CHINA BEIJING CHINA UNITED TELECOMMUNICATIONS CORPORATION

 

Received: from skynet.be ([212.103.168.65]) by inmx016.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k918PYj5026240 for <vinosoft@skynet.be>; Sun, 1 Oct 2006 10:25:35 +0200 (envelope-from <noreply@skynet.be>)
Message-Id: <200610010825.k918PYj5026240@inmx016.isp.belgacom.be>
From: "The Post Office" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Pmo

Attachment tested with NAV: Event: Threat Found! - Threat: W32.Mydoom.M@mm - File: message.zip

Virus sender: 212.103.168.65 EGYPT AL QAHIRAH CAIRO TE-DATA-NETWORKS

 

Received: from skynet.be ([212.103.168.65]) by inmx019.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k919VOSA011851 for <vinosoft@skynet.be>; Sun, 1 Oct 2006 11:31:30 +0200 (envelope-from <postmaster@skynet.be>)
Message-Id: <200610010931.k919VOSA011851@inmx019.isp.belgacom.be>
From: "MAILER-DAEMON" <postmaster@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Message could not be delivered

Virus sender, same as the previous one: 212.103.168.65 EGYPT AL QAHIRAH CAIRO TE-DATA-NETWORKS

 

Received: from m-net.arbornet.org (unverified [62.133.162.22]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009486394@mail.register.be> for <vinosoft@vinosoft.com>; Sun, 1 Oct 2006 15:29:21 +0200 - Message-ID: <B0009486394@mail.register.be>
From: amol@m-net.arbornet.org
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Vinosoft@vinosoft.com

Virus sender: 62.133.162.22 RUSSIAN FEDERATION BASHKORTOSTAN UFA BASHINFORMSVYAZ COMPANY

 

Received: from vinosoft.com (unverified [195.131.89.145]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009509626@mail.register.be> for <vinosoft@vinosoft.com>; Sun, 1 Oct 2006 21:57:56 +0200 - Message-ID: <B0009509626@mail.register.be>
From: "The Post Office" <noreply@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Returned mail: see transcript for details

195.131.89.145 RUSSIAN FEDERATION SANKT-PETERBURG ST. PETERSBURG
Virus sender: same as 28 and 29/09/2006

Black List : IP 195.131.89.145 was found in the CBL (http://cbl.abuseat.org/lookup.cgi?ip=195.131.89.145&.submit=Lookup)

 

Received: from skynet.be (3.Red-80-32-185.staticIP.rima-tde.net [80.32.185.3]) by inmx001.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k920Hu55030796 for <vinosoft@skynet.be>; Mon, 2 Oct 2006 02:17:56 +0200 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200610020017.k920Hu55030796@inmx001.isp.belgacom.be>
From: "MAILER-DAEMON" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm]

Virus sender: 80.32.185.3 SPAIN TELEFONICA DE ESPANA - this IP has been spewing regularly since 22/09/2006

Name: 3.red-80-32-185.staticip.rima-tde.net - IP Address: 80.32.185.3 - Location: MADRID

 


Black Lists : 80.32.185.3 listed in bl.spamcop.net (http://spamcop.net/w3m?action=checkblock&ip=80.32.185.3) [SpamCop users have reported system as a source of spam less than 10 times in the past week] - IP Address 80.32.185.3 was found in the CBL (http://cbl.abuseat.org/lookup.cgi?ip=80.32.185.3)
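The blacklist checks here and the per-sender tallies earlier in this annex (four copies from 195.131.162.170 on 25-26/09, the same 80.32.185.3 returning day after day) are the two things worth automating. As an added example, not code from the original page, the Python below builds the DNSBL query names for the zones the annex cites, interprets the answers, and tallies repeat senders from the Received lines of the 2006I25b-26a section. The resolver used is an offline stub whose contents mirror what the annex reports (80.32.185.3 listed in the CBL and SpamCop, 89.120.16.179 in the CBL, 212.23.228.18 in none); the 127.0.0.2 return codes are an assumption made for the stub only, and `live_resolve` is provided for real use.

```python
"""Added example, not part of the original annex: DNSBL query construction
and repeat-sender tallying over the Received lines quoted on this page."""
import ipaddress
import re
import socket
from collections import defaultdict
from email.utils import parsedate_to_datetime

ZONES = ("cbl.abuseat.org", "bl.spamcop.net", "dynablock.njabl.org")
LISTED = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBLs answer inside this net


def dnsbl_query_name(ip: str, zone: str) -> str:
    """1.2.3.4 against zone Z is looked up as 4.3.2.1.Z."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolve(name: str) -> list:
    """A-record lookup via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Offline stub standing in for DNS, mirroring the annex's own findings
# (return code 127.0.0.2 is assumed here).
_STUB_ANSWERS = {
    dnsbl_query_name("80.32.185.3", "cbl.abuseat.org"): ["127.0.0.2"],
    dnsbl_query_name("80.32.185.3", "bl.spamcop.net"): ["127.0.0.2"],
    dnsbl_query_name("89.120.16.179", "cbl.abuseat.org"): ["127.0.0.2"],
}


def stub_resolve(name: str) -> list:
    return _STUB_ANSWERS.get(name, [])


def check_dnsbls(ip: str, zones=ZONES, resolve=stub_resolve) -> dict:
    """Return {zone: [return codes]} for every zone that lists ip."""
    hits = {}
    for zone in zones:
        codes = [a for a in resolve(dnsbl_query_name(ip, zone))
                 if ipaddress.IPv4Address(a) in LISTED]
        if codes:
            hits[zone] = codes
    return hits


def tally_senders(received_lines) -> dict:
    """Count messages per connecting IP, with first and last seen times."""
    tally = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in received_lines:
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line).group(1)
        # The date sits after the last ';'; cut the annex's " - virus ..." annotation.
        when = parsedate_to_datetime(line.rsplit(";", 1)[1].split(" - ")[0].strip())
        entry = tally[ip]
        entry["count"] += 1
        entry["first"] = min(filter(None, (entry["first"], when)))
        entry["last"] = max(filter(None, (entry["last"], when)))
    return dict(tally)


def repeat_offenders(tally: dict, min_count: int = 2) -> list:
    """IPs seen at least min_count times, most frequent first."""
    return sorted((ip for ip, e in tally.items() if e["count"] >= min_count),
                  key=lambda ip: -tally[ip]["count"])


# The eight Received lines of section 2006I25b-26a, copied from this annex.
SAMPLE_RECEIVED = [
    "Received: from vinosoft.com (unverified [195.131.162.170]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008633023@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 12:41:12 +0200 - virus Win32/Mydoom.R worm",
    "Received: from vinosoft.com (unverified [81.23.101.3]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008633570@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 12:45:32 +0200 - virus Win32/Mydoom.R worm",
    "Received: from vinosoft.com (unverified [195.131.162.170]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008638077@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 13:19:44 +0200 - virus Win32/Mydoom.R worm",
    "Received: from vinosoft.com (unverified [195.131.162.170]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008653981@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 15:05:04 +0200 - virus Win32/Mydoom.R worm",
    "Received: from skynet.be (3.Red-80-32-185.staticIP.rima-tde.net [80.32.185.3]) by inmx014.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k8PFXQKi011299 for <vinosoft@skynet.be>; Mon, 25 Sep 2006 17:33:27 +0200 - virus Win32/Mydoom.R worm",
    "Received: from vinosoft.com (unverified [71.215.216.94]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008701479@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 20:16:51 +0200 - virus Win32/Mydoom.R worm",
    "Received: from vinosoft.com (unverified [69.81.213.30]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008711630@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 25 Sep 2006 21:40:08 +0200 - virus Win32/Mydoom.R worm",
    "Received: from vinosoft.com (unverified [195.131.162.170]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0008767239@mail.register.be> for <vinosoft@vinosoft.com>; Tue, 26 Sep 2006 08:23:58 +0200 - virus Win32/Mydoom.R worm",
]

if __name__ == "__main__":
    tally = tally_senders(SAMPLE_RECEIVED)
    for ip in repeat_offenders(tally):
        print(ip, tally[ip]["count"], check_dnsbls(ip))
```

Two caveats a practitioner should keep in mind. A DNSBL miss is not evidence of a clean host: later in this annex 212.23.228.18 is "not in any blacklists" on 5 Oct and still delivers the worm, since the CBL only lists an address once its own traps have seen it. And of the zones cited here, dynablock.njabl.org and the dsbl.org lists have since been shut down, so a query against them today answers nothing at all, which `check_dnsbls` would silently report as "not listed".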

 

Received: from vinosoft.com (unverified [81.196.148.44]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009537933@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 2 Oct 2006 08:07:09 +0200 - Message-ID: <B0009537933@mail.register.be>
From: "Mail Administrator" <MAILER-DAEMON@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Message could not be delivered

Virus sender: 81.196.148.44 ROMANIA BUCURESTI BUCHAREST ROMANIA DATA SYSTEMS

 

Received: from dtnspeed.net ([89.120.16.179]) by inmx008.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k9266xix020572 for <vinosoft@skynet.be>; Mon, 2 Oct 2006 08:07:00 +0200 (envelope-from <nick77@dtnspeed.net>)
Message-Id: <200610020607.k9266xix020572@inmx008.isp.belgacom.be>
From: nick77@dtnspeed.net
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: Data format error

Virus sender: same as 28/09/2006 - 89.120.16.179 ROMANIA ROMTELECOM DATA NETWORK

Black Lists : IP Address 89.120.16.179 was found in the CBL (http://cbl.abuseat.org/lookup.cgi?ip=89.120.16.179)

 

Received: from skynet.be ([212.103.168.65]) by inmx003.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k927ju5Z026871 for <vinosoft@skynet.be>; Mon, 2 Oct 2006 09:45:56 +0200 (envelope-from <MAILER-DAEMON@skynet.be>) - Message-Id: <200610020745.k927ju5Z026871@inmx003.isp.belgacom.be>
From: "MAILER-DAEMON" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Message could not be delivered

Virus sender: same as 28/09/2006 & 01/10/2006: 212.103.168.65 EGYPT AL QAHIRAH CAIRO TE-DATA-NETWORKS

Registrant information is not available - Location: CAIRO

Black Lists : IP Address 212.103.168.65 was found in the CBL (http://cbl.abuseat.org/lookup.cgi?ip=212.103.168.65)

 

Received: from vinosoft.com (unverified [213.85.149.4]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009569365@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 2 Oct 2006 12:52:04 +0200 - Message-ID: <B0009569365@mail.register.be>
From: "Mail Administrator" <noreply@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] RETURNED MAIL: DATA FORMAT ERROR

Virus sender: 213.85.149.4 RUSSIAN FEDERATION MOSKVA MOSCOW OAO GAO VVC

Name: gate.vvcnet.ru - IP Address: 213.85.149.4 - Location: MOSKVA

 

Received: from lightsky-china.com (unverified [202.101.10.137]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009576627@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 2 Oct 2006 14:00:52 +0200 - Message-ID: <B0009576627@mail.register.be>
From: flydragon@lightsky-china.com
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm]

Virus sender: 202.101.10.137 CHINA SHANGHAI SHANGHAI TELECOM CO. QINGPU TELECOM BREAURE

 

Received: from listbot.com (unverified [194.105.199.246]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009576932@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 2 Oct 2006 14:03:27 +0200 - Message-ID: <B0009576932@mail.register.be>
From: buzz_dev@listbot.com
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] mczej

Virus sender: 194.105.199.246 RUSSIAN FEDERATION SANKT-PETERBURG ST. PETERSBURG DIALUP POOL

Black Lists : 194.105.199.246 is listed in dynablock.njabl.org - 194.105.199.246 resolves to ppp246.leivo.ru

 

Received: from vinosoft.com (unverified [220.207.77.39]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009578771@mail.register.be> for <vinosoft@vinosoft.com>; Mon, 2 Oct 2006 14:15:25 +0200 - Message-ID: <B0009578771@mail.register.be>
From: "The Post Office" <postmaster@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] e ypngl

Virus sender: 220.207.77.39 CHINA BEIJING CHINA UNITED TELECOMMUNICATIONS CORPORATION

 

 

The senders of these 5 Mydoom.R viruses of 02-03/10/2006:

2 copies: 81.13.91.42

RUSSIAN FEDERATION

MOSKVA

MOSCOW

OOO STROYLYUKS

IP 81.13.91.42 was found in the CBL (OOO Institut energoeffektivnosti)

IP 81.13.91.42 - DSBL State: Listed - Listed in unconfirmed (unconfirmed.dsbl.org): yes
Listed in singlehop (list.dsbl.org): yes - Reverse DNS identifies server as: 81.13.91.42.stroylux.rmt.ru

83.237.221.95

RUSSIAN FEDERATION

MOSKVA

MOSCOW

ZAO MTU-INTEL

83.237.221.95 is listed in dynablock.njabl.org - 83.237.221.95 resolves to ppp83-237-221-95.pppoe.mtu-net.ru

85.117.63.49

GEORGIA

GEORGIA ONLINE ADSL NETWORK

IP Address 85.117.63.49 was found in the CBL

62.133.162.22

RUSSIAN FEDERATION

BASHKORTOSTAN

UFA

BASHINFORMSVYAZ COMPANY

62.133.162.22: same as 01/10/2006 - (Russia - Bashinformsvyaz Company) was found in the CBL
 

2006j03b: Nod32: virus Win32/Mydoom.R worm: continued

 

Received: from skynet.be ([89.120.16.179]) by inmx004.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k935VW08016157 for <vinosoft@skynet.be>; Tue, 3 Oct 2006 07:31:33 +0200 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200610030531.k935VW08016157@inmx004.isp.belgacom.be>
From: "The Post Office" <MAILER-DAEMON@skynet.be> - To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: Data format error

89.120.16.179

ROMANIA

ROMTELECOM DATA NETWORK

IP 89.120.16.179 - same as 28-29/09 & 02/10/2006 - (Romania - Registrant information is not available - Location: Bacau) was found in the CBL

 

2006j03c: Nod32: virus Win32/Mydoom.R worm: continued

 

The senders of these 8 Mydoom.R viruses of 03/10/2006:

2 copies: 82.207.21.242

UKRAINE

MISTO KYYIV

KIEV

UKRTELECOM IP ACCESS NETWORK IN KIEV

82.207.61.52

UKRAINE

MISTO KYYIV

KIEV

UKRTELECOM IP ACCESS NETWORK IN KHARKIV

84.15.44.90

LITHUANIA

PROVIDER LOCAL REGISTRY

89.120.16.179

ROMANIA

ROMTELECOM DATA NETWORK

165.165.183.22

SOUTH AFRICA

GAUTENG

JOHANNESBURG

AFRICAN NETWORK INFORMATION CENTER

166.114.54.230

BOLIVIA

ENTEL S.A. - ENTELNET

212.103.168.65

EGYPT

AL QAHIRAH

CAIRO

TE-DATA-NETWORKS

 

2006j04a: Nod32: virus Win32/Mydoom.R worm: continued

First appearance of Win32/Mydoom.Q

 

The senders of these 9 viruses (7 Mydoom.R and 2 Mydoom.Q) of 04/10/2006:

3 "R" copies: 89.120.16.179

ROMANIA

ROMTELECOM DATA NETWORK

"R" 212.103.168.65

EGYPT

AL QAHIRAH

CAIRO

TE-DATA-NETWORKS

"R" 81.181.199.219

USA

VIRGINIA

WILLIAMSBURG

SC-OPENSYSTEMS-SRL

4 copies, 2 Q & 2 R: 82.207.57.24

UKRAINE

MISTO KYYIV

KIEV

UKRTELECOM IP ACCESS NETWORK IN KHARKIV

 

2006j04b-5a: Nod32: virus Win32/Mydoom.R & Win32/Mydoom.Q worms: continued

First appearance of "a variant of Win32/Stration worm"

 

Received: from skynet.be (3.Red-80-32-185.staticIP.rima-tde.net [80.32.185.3]) by inmx017.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k94A0UtE021615 for <vinosoft@skynet.be>; Wed, 4 Oct 2006 12:00:30 +0200 (envelope-from <postmaster@skynet.be>)
Message-Id: <200610041000.k94A0UtE021615@inmx017.isp.belgacom.be>
From: "Returned mail" <postmaster@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail

Virus sender: 80.32.185.3 ES SPAIN TELEFONICA DE ESPANA

same as 22-23-24-25-26/09/2006 & 02/10/2006: IP 80.32.185.3 (Spain) was found in the CBL & listed in bl.spamcop.net

 

Received: from ira.uka.de ([89.120.16.179]) by inmx006.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k94AgROM014618 for <vinosoft@skynet.be>; Wed, 4 Oct 2006 12:42:34 +0200 (envelope-from <thiel@ira.uka.de>)
Message-Id: <200610041042.k94AgROM014618@inmx006.isp.belgacom.be>
From: thiel@ira.uka.de
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] aovp

Virus sender: 89.120.16.179

ROMANIA

ROMTELECOM DATA NETWORK

IP 89.120.16.179 - same as 28-29/09/2006 & 02-03/10/2006 - found in the CBL blacklist

 

Received: from kgb-x ([82.207.57.24]) by inmx016.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with SMTP id k94Bc1nE025254 for <vinosoft@skynet.be>; Wed, 4 Oct 2006 13:38:07 +0200 (envelope-from <Donna.lewis@heatwave.com>)
Message-Id: <200610041138.k94Bc1nE025254@inmx016.isp.belgacom.be>
Received: (qmail 3565 invoked by uid 0); Wed, 4 Oct 2006 14:36:08 -0000)
Received: from unknown (HELO cgkwqro) (82.207.57.187) by 82.207.57.24 with SMTP; Wed, 4 Oct 2006 14:36:08 -0000
Date: Wed, 4 Oct 2006 14:28:08 +0300
From: Donna lewis <Donna.lewis@heatwave.com>
Mime-Version: 1.0
To: vinosoft@skynet.be
Subject: [virus a variant of Win32/Stration worm] Mail Delivery System

82.207.57.187

UKRAINE

MISTO KYYIV

KIEV

UKRTELECOM IP ACCESS NETWORK IN KHARKIV

 

Received: from skynet.be ([89.120.16.179]) by inmx020.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k94CiU4f029968 for <vinosoft@skynet.be>; Wed, 4 Oct 2006 14:44:30 +0200 (envelope-from <noreply@skynet.be>)
Message-Id: <200610041244.k94CiU4f029968@inmx020.isp.belgacom.be>
From: "Post Office" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Delivery reports about your e-mail

Virus sender: 89.120.16.179

ROMANIA

ROMTELECOM DATA NETWORK

same as 28-29/09/2006 & 02-03/10/2006

 

Received: from skynet.be ([195.5.3.55]) by inmx002.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k94DO8Jx026434 for <vinosoft@skynet.be>; Wed, 4 Oct 2006 15:24:10 +0200 (envelope-from <noreply@skynet.be>)
Message-Id: <200610041324.k94DO8Jx026434@inmx002.isp.belgacom.be>
From: "Automatic Email Delivery Software" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.Q worm] Returned mail: Data format error

195.5.3.55 UKRAINE MISTO KYYIV KIEV UKRTELECOM IP ACCESS NETWORK IN SIMPHEROPOL

 

Received: from vinosoft.com (unverified [80.32.185.3]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009967013@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 5 Oct 2006 04:55:45 +0200
Message-ID: <B0009967013@mail.register.be>
From: "Mail Administrator" <postmaster@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Returned mail: Data format error

IP 80.32.185.3 already recorded (Spain) was found in the CBL & IP 80.32.185.3 listed in bl.spamcop.net

 

Received: from vinosoft.com (unverified [212.23.228.18]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0009974206@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 5 Oct 2006 07:03:36 +0200
Message-ID: <B0009974206@mail.register.be>
From: "Mail Delivery Subsystem" <noreply@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS

212.23.228.18 SWITZERLAND GENEVA GENEVA SA DES HOTELS PRESIDENT

 

Received: from solair1.inter.nl.net ([89.120.16.179]) by inmx004.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k955PT2r006707 for <vinosoft@skynet.be>; Thu, 5 Oct 2006 07:25:30 +0200 (envelope-from <felipe.rodriquez@solair1.inter.nl.net>)
Message-Id: <200610050525.k955PT2r006707@inmx004.isp.belgacom.be>
From: felipe.rodriquez@solair1.inter.nl.net
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: see transcript for details

IP 89.120.16.179 already recorded (Romania - Registrant information is not available - Location: Bacau) was found in the CBL


2006j05b: Nod32: virus Win32/Mydoom.R worm: continued

 

Received: from tiscali.co.za (unverified [165.165.183.22]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010002727@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 5 Oct 2006 11:13:40 +0200 - Message-ID: <B0010002727@mail.register.be>
From: sales.eca@tiscali.co.za
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Returned mail: Data format error

IP 165.165.183.22 already recorded (South Africa - Telkom - telkomadsl.co.za) was found in the CBL

Received: from debian.org (unverified [212.23.228.18]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010012993@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 5 Oct 2006 12:17:18 +0200 - Message-ID: <B0010012993@mail.register.be>
From: dwn@debian.org
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Hi

212.23.228.18 SWITZERLAND GENEVA GENEVA SA DES HOTELS PRESIDENT

IP 212.23.228.18 already recorded above: 5 Oct 2006 07:25:30 +0200 - not in any blacklists on 5 Oct 2006 13:01

Received: from uk2mxserver1-9.uk2.net (unverified [83.170.64.224]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010015531@mail.register.be> for <vinosoft@vinosoft.com>; Thu, 5 Oct 2006 12:37:26 +0200
Received: from root by uk2mxserver1-9.uk2.net with local (Exim 4.54) id 1GVQbB-00040R-3T for vinosoft@vinosoft.com; Thu, 05 Oct 2006 11:37:05 +0100
X-Failed-Recipients: office@bwy.org.uk
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon@uk2mxserver1-9.uk2.net>
To: vinosoft@vinosoft.com
Subject: [virus probably a variant of Win32/Mydoom.R worm] Mail delivery failed: returning message to sender

Note: there is no attachment, but the worm is in the body of the message:

Another excerpt from the body of the message:

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: office@bwy.org.uk
(sa) Message rejected by abuse@bwy.org.uk - (sa) User profile spam level exceeded
------ This is a copy of the message, including all the headers. ------
------ The body of the message is 40359 characters long; only the first
------ 16384 or so are included here.
Return-path: <vinosoft@vinosoft.com>
Received: from [83.136.244.26] (helo=vinosoft.com) by uk2mxserver1-9.uk2.net with esmtp (Exim 4.54) id 1GVQb5-0003xc-Vm for office@bwy.org.uk; Thu, 05 Oct 2006 11:37:05 +0100
From: vinosoft@vinosoft.com
To: office@bwy.org.uk
Date: Thu, 5 Oct 2006 14:36:55 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0008_10D0E911.3AC9D736"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-SA-Exim-Connect-IP: 83.136.244.26
X-SA-Exim-Mail-From: vinosoft@vinosoft.com
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
uk2mxserver1-9.uk2.net
X-Spam-Level: *****
X-Spam-Status: No, score=5.2 required=99.0 tests=FORGED_MUA_OUTLOOK,
NO_REAL_NAME,UNIQUE_WORDS,UPPERCASE_25_50 autolearn=no version=3.1.0
Subject: Delivery reports about your e-mail
X-SA-Exim-Version: 4.0 (built Sat, 24 Jul 2004 09:53:34 +0200)
X-SA-Exim-Scanned: Yes (on uk2mxserver1-9.uk2.net)

Meaning that a message was sent by 83.136.244.26, spoofing one of our addresses, to office@bwy.org.uk, but that this mail was discarded by abuse@bwy.org.uk because "spam level exceeded". The real sender of the message is Soviet:

83.136.244.26

RUSSIAN FEDERATION

IP Address 83.136.244.26 was found in the CBL Blacklist - It was detected at 2006-10-05 08:00 GMT (+/- 30 minutes).
IP Address 83.136.244.26 is listed in bl.spamcop.net Blacklist

Note: we have been receiving a large number of Mail Delivery Problems for about two weeks, but until the message above, the messages we supposedly sent were not infected; examples:

Note that all the spoofed addresses are entirely made up; none of them actually exists;

we receive these messages because of the EMAIL CATCH-ALL option on the vinosoft.com domain.
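The backscatter pattern described above (an outside host announcing one of our own domains, the bounce then landing in the catch-all) can be triaged from the first Received: header alone. The following is an added example, not code from the original page: it parses the Received: styles quoted on this page (Rockliffe "unverified [ip]", Sendmail/Postfix "name [ip]", Exim "[ip] (helo=...)"), extracts the connecting IP, and flags a HELO that claims a protected domain. The protected-domain set and the sample headers are constructed for the example.

```python
import re
from collections import Counter

# Assumption for this example: domains that belong to the recipient side.
# An outside host announcing one of them in HELO is forging its identity,
# which is exactly the pattern behind the bounces logged on this page.
PROTECTED_DOMAINS = {"vinosoft.com", "vinosoft.be", "skynet.be"}

# Constructed sample headers (documentation IPs and made-up ids, not copied
# from any message on the page), one per Received: style seen on the page.
SAMPLE_HEADERS = [
    # Rockliffe SMTPRA: HELO name, then "(unverified [ip])"
    "Received: from vinosoft.com (unverified [203.0.113.5]) by mail.register.be "
    "(Rockliffe SMTPRA 7.0.3) with ESMTP id <B0000000001@mail.register.be> "
    "for <vinosoft@vinosoft.com>; Thu, 5 Oct 2006 04:55:45 +0200",
    # Sendmail: HELO name, then "(reverse-dns [ip])"
    "Received: from skynet.be (pe-example.example.net [198.51.100.72]) by "
    "inmx004.isp.belgacom.be (8.12.11) with ESMTP id kAAAAAAA00001 for "
    "<vinosoft@skynet.be>; Fri, 6 Oct 2006 09:23:15 +0400",
    # Exim: "[ip] (helo=name)"
    "Received: from [203.0.113.5] (helo=vinosoft.com) by mx.example.net with "
    "esmtp (Exim 4.54) id 1AAAAA-000000-AA for office@example.org; "
    "Thu, 05 Oct 2006 11:37:05 +0100",
    # Postfix: HELO name, then "(unknown [ip])"; HELO is a third-party domain
    "Received: from debian.org (unknown [203.0.113.5]) by mx.example.net "
    "(Postfix) with ESMTP id AAAAAAAAAAA for <vinosoft@vinosoft.com>; "
    "Thu, 5 Oct 2006 12:17:18 +0200",
    # A legitimate relay: HELO and reverse DNS agree, outside our domains
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) by "
    "mx.example.net (Postfix) with ESMTP id BBBBBBBBBBB for "
    "<vinosoft@vinosoft.com>; Fri, 6 Oct 2006 00:04:56 +0000 (UTC)",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# "from HELO (rdns [ip])", "from HELO (unverified [ip])", "from HELO ([ip])"
_RE_NAMED = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s()\[\]]+)\s+)?\[(?P<ip>" + IPV4 + r")\]"
)
# Exim: "from [ip] (helo=HELO)"
_RE_EXIM = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>" + IPV4 + r")\]\s+\(helo=(?P<helo>[^)\s]+)\)"
)
_RE_BY = re.compile(r"\bby\s+(?P<by>\S+)")


def parse_received(line):
    """Return {'helo', 'rdns', 'ip', 'by'} for one Received: line, or None."""
    m = _RE_NAMED.match(line) or _RE_EXIM.match(line)
    if not m:
        return None
    d = m.groupdict()
    rdns = d.get("rdns")
    # Rockliffe and Postfix write a placeholder where reverse DNS failed
    if rdns in ("unverified", "unknown"):
        rdns = None
    by = _RE_BY.search(line)
    return {
        "helo": d["helo"].lower().rstrip("."),
        "rdns": rdns.lower().rstrip(".") if rdns else None,
        "ip": d["ip"],
        "by": by.group("by") if by else None,
    }


def is_forged_helo(rec, protected=PROTECTED_DOMAINS):
    """True when the connecting host claims a domain it cannot legitimately be."""
    helo = rec["helo"]
    return any(helo == dom or helo.endswith("." + dom) for dom in protected)


def triage(lines, protected=PROTECTED_DOMAINS):
    """Classify each Received: line as (ip, helo, verdict)."""
    out = []
    for line in lines:
        rec = parse_received(line)
        if rec is None:
            continue
        if is_forged_helo(rec, protected):
            verdict = "forged-helo"
        elif rec["rdns"] is None:
            verdict = "no-rdns"
        elif rec["rdns"] == rec["helo"]:
            verdict = "consistent"
        else:
            verdict = "helo-rdns-mismatch"
        out.append((rec["ip"], rec["helo"], verdict))
    return out


def tally_senders(lines):
    """Count how many messages each connecting IP delivered (the page's per-IP tally)."""
    return Counter(ip for ip, _, _ in triage(lines))


if __name__ == "__main__":
    for ip, helo, verdict in triage(SAMPLE_HEADERS):
        print(f"{ip:16} helo={helo:20} {verdict}")
    print(tally_senders(SAMPLE_HEADERS).most_common())
```

Only the topmost Received: line written by your own MX is trustworthy; lines below it were supplied by the sender and are exactly what the worm forges.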


2006j06a : Nod32 virus, continued

Appearance of the "virus Win32/VB.NEI worm" [ = NAV W32.Blackmal.E@mm!enc ]

Received: from simone-nt2000 (unverified [83.103.81.227]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with SMTP id <B0010115222@mail.register.be> for <info@vinosoft.be>; Fri, 6 Oct 2006 01:45:53 +0200 - Message-ID: <B0010115222@mail.register.be>
From: "vinosoft" <vinosoft@vinosoft.com>
To: <info@vinosoft.be>
Subject: [virus Win32/VB.NEI worm] Fw: Sexy


According to the headers, it is one of our addresses sending a message to another of our addresses, ...

... at 1:45 in the morning!

The subject of the mail is "Sexy"!

And it includes an attachment with the .HQX extension, which is a "Macintosh BinHex 4 Compressed Archive"; we do not have a Macintosh!

As a lure, it is really crude.

Note: according to NAV, the virus is: Event: Threat Found! - Threat: W32.Blackmal.E@mm!enc - File: Attachments00.HQX

Sender of the virus: 83.103.81.227 ITALY SOFTEAM WARE S.R.L. PUBLIC SUBNETS

Second copy of this virus, same date, same time, same (fake) sender, same Italian sender IP, same body, same attachment:

Received: from simone-nt2000 (unverified [83.103.81.227]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with SMTP id <B0010115215@mail.register.be> for <administrator@vinosoft.com>; Fri, 6 Oct 2006 01:45:46 +0200 - Message-ID: <B0010115215@mail.register.be>
From: "vinosoft" <vinosoft@vinosoft.com>
To: <administrator@vinosoft.com>
Subject: [virus Win32/VB.NEI worm] Re:


This same sender IP sends the same virus to several other recipients, in our name.

The targeted address being wrong, the Postmaster of that recipient's domain notifies us that the message was not delivered.

Example 1:

1/ the Postmaster's notification:

Received: from m5-115.163.com (unverified [202.108.5.115]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with SMTP id <B0010116871@mail.register.be> for <vinosoft@vinosoft.com>; Fri, 6 Oct 2006 02:05:55 +0200
From: Postmaster@163.com
To: vinosoft@vinosoft.com
Subject: [virus Win32/VB.NEI worm] 系统退信

2/ the undelivered message is attached to this notification:

Received: from simone-nt2000 (unknown [83.103.81.227]) by mx16 (Coremail) with SMTP id wKjR4bBriwEOnSVFqehrDQ==.59612S2; Fri, 06 Oct 2006 08:02:24 +0800 (CST)
From: "vinosoft" <vinosoft@vinosoft.com>
To: <cncixi@163.com>
Subject: Fwd: Photo


Example 2:

1/ the Postmaster's notification:

Received: from mail.esa.t-systems.com (unverified [81.7.200.81]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010116827@mail.register.be> for <vinosoft@vinosoft.com>; Fri, 6 Oct 2006 02:05:15 +0200
Received: from mail-distr.esa.t-systems.com (mailrelay8 [127.0.0.1]) by mail.esa.t-systems.com (Postfix) with ESMTP id 7617626C029 for <vinosoft@vinosoft.com>; Fri, 6 Oct 2006 00:04:57 +0000 (UTC)
Received: from mail.tomtom.com (unknown [82.210.249.94]) by mail.esa.t-systems.com (Postfix) with ESMTP id 410CF1AC145 for <vinosoft@vinosoft.com>; Fri, 6 Oct 2006 00:04:56 +0000 (UTC)
From: postmaster@tomtom.com
To: vinosoft@vinosoft.com
Message-ID: <IjdzsvRtT000313a1@mail.tomtom.com>
Subject: Delivery Status Notification (Failure)

2/ the undelivered message is attached to this notification:

Received: from simone-nt2000 ([83.103.81.227]) by mail.tomtom.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 6 Oct 2006 02:08:42 +0200
From: "vinosoft" <vinosoft@vinosoft.com>
To: <palmsupport@tomtom.com>
Subject: Fwd: Photo


To be related to the previous paragraph "we are receiving a large number of Mail Delivery Problems".

Note: the link between the "Mydoom wave", the "Mail Delivery Problems wave" and this Win32/VB.NEI worm virus is not formally established. But a probability remains (simultaneity of the events, with diversity of sources, targeted addresses, ...).


2006j06b : Nod32 virus Win32/Mydoom.R : continued

Received: from peschan.donpac.ru (unverified [80.254.125.73]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010138422@mail.register.be> for <vinosoft@vinosoft.com>; Fri, 6 Oct 2006 07:23:37 +0200
Received: from vinosoft.com (pe-salsk.donpac.ru [80.254.110.72]) by peschan.donpac.ru (8.11.6/8.11.6/cae2.2.0.4) with ESMTP id k965NFA24589 for <vinosoft@vinosoft.com>; Fri, 6 Oct 2006 09:23:15 +0400 (MSD) (envelope-from postmaster@vinosoft.com)
Message-Id: <200610060523.k965NFA24589@peschan.donpac.ru>
From: "Post Office" <postmaster@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Report

Sender of the virus: 80.254.110.72 RUSSIAN FEDERATION JSC UTK ROSTOVELECTROSVIAZ AND ITS DEPARTMENTS

IP Address 80.254.110.72 was found in the CBL

IP Address 80.254.110.72 listed in bl.spamcop.net

IP Address 80.254.110.72 listed in www.de.sorbs.net (database of servers sending to spamtrap addresses) - Spam Sending Trojan or Proxy 09/2006


Received: from skynet.be ([89.120.16.179]) by inmx004.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k968ZGnC013816 for <vinosoft@skynet.be>; Fri, 6 Oct 2006 10:35:17 +0200 (envelope-from <noreply@skynet.be>) - Message-Id: <200610060835.k968ZGnC013816@inmx004.isp.belgacom.be>
From: "The Post Office" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: see transcript for details

IP 89.120.16.179 already recorded (Romania - Registrant information is not available - Location: Bacau) was found in the CBL


Received: from one.lt (unverified [213.190.45.83]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010194307@mail.register.be> for <vinosoft@vinosoft.com>; Fri, 6 Oct 2006 14:14:03 +0200 - Message-ID: <B0010194307@mail.register.be>
From: domi@one.lt
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Returned mail: see transcript for details


Received: from msa.hinet.net (unverified [213.190.45.83]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010253169@mail.register.be> for <vinosoft@vinosoft.com>; Fri, 6 Oct 2006 21:01:37 +0200 - Message-ID: <B0010253169@mail.register.be>
From: david.taiwan@msa.hinet.net
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Ivyai


Received: from vinosoft.com (unverified [213.190.45.83]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010265374@mail.register.be> for <vinosoft@vinosoft.com>; Fri, 6 Oct 2006 23:08:23 +0200 - Message-ID: <B0010265374@mail.register.be>
From: "MAILER-DAEMON" <postmaster@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail


Sender of these 3 viruses: 213.190.45.83 LITHUANIA KAUNO APSKRITIS KAUNAS LIETUVOS-TELEKOMAS

IP Address 213.190.45.83 was found in the CBL - Name: adsl-213-190-45-83.zebra.lt - Location: VILNIUS - Ilmaras Kuuzeorgas - abuse@takas.lt



VIRBL is a project to make it harder for viruses to spread and get the load down on virusscanners by blocking e-mail from IP addresses that are known to spread viruses: IP already recorded as a sender of Mydoom viruses.

Note: Mydoom.M in NAV = Mydoom.R in Nod32


2006j07a : Nod32 virus Win32/Mydoom.R : continued

Received: from piermont.com (pe-salsk.donpac.ru [80.254.110.72]) by inmx007.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k974YlsP027724 for <vinosoft@skynet.be>; Sat, 7 Oct 2006 06:34:48 +0200 (envelope-from <perry@piermont.com>)
Message-Id: <200610070434.k974YlsP027724@inmx007.isp.belgacom.be>
From: perry@piermont.com
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail

IP 80.254.110.72 already recorded (Russia - JSC UTK Rostovelectrosvi) was found in the CBL & Spamcop & Sorbs Databases

Received: from vinosoft.com (unverified [213.190.45.83]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010306332@mail.register.be> for <vinosoft@vinosoft.com>; Sat, 7 Oct 2006 08:31:38 +0200 - Message-ID: <B0010306332@mail.register.be>
From: "Mail Administrator" <noreply@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Message could not be delivered

IP 213.190.45.83 already recorded (Lithuania - Lietuvos-Telekomas) was found in the CBL & in VIRBL (sender of Mydoom viruses)

Received: from vinosoft.com (unverified [213.190.45.83]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010315798@mail.register.be> for <vinosoft@vinosoft.com>; Sat, 7 Oct 2006 10:07:22 +0200 - Message-ID: <B0010315798@mail.register.be>
From: "Automatic Email Delivery Software" <noreply@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Returned mail: see transcript for details

IP 213.190.45.83 already recorded (Lithuania - Lietuvos-Telekomas) was found in the CBL & in VIRBL (sender of Mydoom viruses)

Received: from vinosoft.com (unverified [212.23.228.18]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0010367159@mail.register.be> for <vinosoft@vinosoft.com>; Sat, 7 Oct 2006 17:53:43 +0200 - Message-ID: <B0010367159@mail.register.be>
From: "Mail Administrator" <MAILER-DAEMON@vinosoft.com>
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Returned mail: Data format error

212.23.228.18 SWITZERLAND GENEVA GENEVA SA DES HOTELS PRESIDENT

IP 212.23.228.18 already recorded 30/09/2006 & 05/10/2006 - not in any blacklists on 05/10/2006, but now: IP 212.23.228.18 was found in the CBL. - It was detected at 2006-10-07 14:00 GMT (07/10/2006).


John William - SA des Hotels President - 47, Quai Wilson - 1201 Geneve - j.william@hotelpwilson.com - resa@hotelpwilson.com


2006j07b-08a : Nod32 virus Win32/Mydoom.R : continued

Senders of the 5 Mydoom.R:

- IP 80.254.110.72 already recorded (Russia - JSC UTK Rostovelectrosvi) was found in the CBL & in Spamcop & Sorbs Databases

- for 3 copies - IP 212.23.228.18 already recorded (Switzerland - SA des Hotels President) was found in the CBL

- IP 203.156.212.66 China BEIJING SHANGHAI GLOBAL NETWORK CO.LTD

IP 203.156.212.66 was found in the CBL - It was detected at 2006-10-08 03:00 GMT (= today, 08/10/2006)


An "old" Netsky.Z (Discovered: December 3, 2004) in this 2006j07b-08a batch, but it is unrecoverable:

From: faq@guppylake.com - Subject: [virus Win32/Netsky.Z worm] Information
Warning: Spamihilator could not restore this message, because it was empty.
More information about this message: Sender: faq@guppylake.com - Subject: [virus Win32/Netsky.Z worm] Information


The content was destroyed by NAV: Scan type: Auto-Protect Scan - Event: Threat Found! - Threat: W32.Netsky.Z@mm!enc
File: ...\Spamihilator\recycle\2454017_063140_4aed27.recycle -
Delete succeeded : Access denied - Date found: dimanche 8 octobre 2006 6:31:40

Another Netsky.Z, destroyed by NAV: 09/10/2006 - 06:15

Scan type: Auto-Protect Scan - Event: Threat Found! - Threat: W32.Netsky.Z@mm!enc
File: ...\Spamihilator\recycle\2454018_053401_2539c9.recycle - Location: D:\Program Files\Spamihilator\recycle - Date found: lundi 9 octobre 2006.

The message intercepted by Spamihilator is sent straight to the bin (recycle) because the sender (everybody@w3.org) is on our blacklist. During the transfer to "recycle", its destruction is irreversible according to the NAV settings; this permanent destruction (even before Nod32 gets involved) is due to the (very dangerous) !enc nature of the virus (the !enc versions are in fact characterised by the malware running without any need to open an attachment; merely opening the message preview pane is enough).

Remark: we have been using the Spamihilator + Nod32 + NAV combination since December 2005 on our "Email Master" PC, with the result that less than 1% of spam reaches the recipient intended by the sender and no virus has crossed the double/triple barrier. This has brought e-mail back to being a user-friendly tool.


2006j08b-09a : Nod32 virus Win32/Mydoom.R : continued

Senders of the 4 Mydoom.R: all already recorded higher up on this page

- IP 80.32.185.3 (Spain) was found in the CBL &  IP 80.32.185.3 listed in Spamcop.net

- IP 81.198.160.89 (Latvia - Lattelekom Ltd.) was found in the CBL

- IP 80.254.110.72 (Russia - JSC UTK Rostovelectrosvi) was found in the CBL & Spamcop & Sorbs Databases

- IP 212.23.228.18 (Switzerland - SA des Hotels President) was found in the CBL


2006j09b : Nod32 virus Win32/Mydoom.R : continued

Received: from galbani.com (pe-salsk.donpac.ru [80.254.110.72]) by inmx013.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k994TRN3013887 for <vinosoft@skynet.be>; Mon, 9 Oct 2006 06:29:27 +0200 (envelope-from <umorelli@galbani.com>) - Message-Id: <200610090429.k994TRN3013887@inmx013.isp.belgacom.be>
From: umorelli@galbani.com
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm]

IP 80.254.110.72 already recorded (Russia - JSC UTK Rostovelectrosvi) was found in the CBL & Spamcop & Sorbs Databases

Received: from skynet.be ([89.120.16.179]) by inmx008.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k996opIs023152 for <vinosoft@skynet.be>; Mon, 9 Oct 2006 08:50:56 +0200 (envelope-from <noreply@skynet.be>) - Message-Id: <200610090650.k996opIs023152@inmx008.isp.belgacom.be>
From: "Mail Delivery Subsystem" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm]

IP 89.120.16.179 already recorded (Romania - Bacau) was found in the CBL


2006j09c : Nod32 virus Win32/Mydoom.R : continued

Senders of the 6 Mydoom.R

- for 2 copies: IP 80.254.110.72 already recorded (Russia) was found in the CBL & Spamcop & Sorbs

- IP 62.133.162.22 already recorded (Russia - Bashinformsvyaz Company) was found in the CBL

- IP 89.120.16.179 already recorded (Romania - Bacau) was found in the CBL

- 213.190.42.35 LITHUANIA VILNIAUS APSKRITIS VILNIUS LIETUVOS-TELEKOMAS - Not in any Blacklists 09/10/2006 at 18:00

- 85.140.252.55 RUSSIAN FEDERATION MOSKVA MOSCOW ZAO MTU-INTEL - IP Address 85.140.252.55 was found in the CBL - It was detected at 2006-10-09 09:00 GMT ( = today 09/10/2006)


2006j10-11a : Nod32 virus Win32/Mydoom.R : continued

Received: from skynet.be (pe-salsk.donpac.ru [80.254.110.72]) by inmx020.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k9A4gUrQ032319 for <vinosoft@skynet.be>; Tue, 10 Oct 2006 06:42:30 +0200 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200610100442.k9A4gUrQ032319@inmx020.isp.belgacom.be>
From: "Mail Delivery Subsystem" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: see transcript for details

IP 80.254.110.72 already recorded (Russia - JSC UTK Rostovelectrosvi) was found in the CBL & Spamcop & Sorbs Databases


Senders of the 6 Mydoom.R

- for 2 copies: IP 80.32.185.3 already recorded (Spain) was found in the CBL & IP 80.32.185.3 listed in Spamcop.net

- for 2 copies: IP 89.120.16.179 already recorded (Romania) was found in the CBL

- IP 203.156.212.66 already recorded (China - Shanghai Global Network Co.Ltd) was found in the CBL

- 86.214.34.129 FRANCE Wanadoo - IP2000-ADSL-BAS

IP Address 86.214.34.129 was found in the CBL. - It was detected at 2006-10-10 19:00 GMT


STOP REPORTING

FOLLOW-UP-1: the infection continues ...

... but recording the sender IPs will probably no longer give us any interesting information.

We will limit ourselves to reporting the end of the nuisance.

A Netsky.Z, from the Soviet bloc, lost among the Mydoom.R series - 13/10/2006

Return-Path: <dichenko.of@mail.ru> - Received: from skynet.be (pe-salsk.donpac.ru [80.254.110.72]) by inmx005.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k9DAaFHs022135 for <vinosoft@skynet.be>; Fri, 13 Oct 2006 12:36:15 +0200 (envelope-from <dichenko.of@mail.ru>)
Message-Id: <200610131036.k9DAaFHs022135@inmx005.isp.belgacom.be>
From: dichenko.of@mail.ru
To: vinosoft@skynet.be
Subject: [virus Win32/Netsky.Z worm] Important
Important informations!
Warning: NOD32 antivirus system found the following in the message: Informations.zip - Win32/Netsky.Z worm - renamed to Informations.vzip

Norton Antivirus : Scan type: Auto-Protect Scan - Event: Threat Found! - Threat: W32.Netsky.Z@mm - File: Informations.vzip

Sender of the virus: 80.254.110.72 RUSSIAN FEDERATION JSC UTK ROSTOVELECTROSVIAZ AND ITS DEPARTMENTS

A Netsky.Z, lost among the Mydoom.R series - 16/10/2006 - destroyed by the Spamihilator-NAV-Nod32 combination

Scan type: Auto-Protect Scan - Event: Threat Found! - Threat: W32.Netsky.Z@mm!enc
Date found: lundi 16 octobre 2006 7:10:52

A Netsky.Z, lost among the Mydoom.R series - 25/10/2006

We disabled NAV in order to recover the message and see whether a link can be established with the Mydooms:

Return-Path: <gerry.pesavento@alloptic.com>
Received: from skynet.be (pe-salsk.donpac.ru [80.254.110.72]) by inmx003.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id k9P5G3RU006594 for <vinosoft@skynet.be>; Wed, 25 Oct 2006 07:16:03 +0200 (envelope-from <gerry.pesavento@alloptic.com>)
Message-Id: <200610250516.k9P5G3RU006594@inmx003.isp.belgacom.be>
From: gerry.pesavento@alloptic.com
To: vinosoft@skynet.be
Subject: [virus Win32/Netsky.Z worm] Information
Content-Type: application/octet-stream; name="Textfile.vzip"


IP 80.254.110.72 (Russia - JSC UTK Rostovelectrosvi) was found in the CBL & in Spamcop.net Blacklist & Sorbs Database
Conclusion: the sender of the Netsky is part of the list (below) of senders of the Mydooms


FOLLOW-UP-2: the infection is slowly dying out ...

(7 copies in 7 days vs the early-October dose of 7 - 10 copies / day)

Senders in this batch (all already recorded in the list below): Ukraine, Russia, Latvia and Egypt.

(7 copies in 8 days vs the early-October dose of 7 - 10 copies / day)

Senders in this batch (already recorded in the list below): 212.103.168.65 (Egypt) - 195.161.9.63 (Russia) - 194.93.171.25 (Ukraine)

A newcomer: 87.67.130.47 = 47.130-67-87.adsl-dyn.isp.belgacom.be (Brussels, Belgium) - not in any blacklists 13/11/2006 12:45


FOLLOW-UP-3: 14 - 17/11/2006 (the four viruses coming from the same Russian IP)

Return-Path: <noreply@skynet.be>
Received: from skynet.be ([195.161.9.61]) by inmx015.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id kAFB7R7I023334 for <vinosoft@skynet.be>; Wed, 15 Nov 2006 12:07:28 +0100 (envelope-from <noreply@skynet.be>)
Message-Id: <200611151107.kAFB7R7I023334@inmx015.isp.belgacom.be>
From: "The Post Office" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] error
The message was undeliverable due to the following reason: Your message could not be delivered because the destination server was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message could not be delivered within 6 days: Server 207.123.95.58 is not responding. The following recipients could not receive this message: <vinosoft@skynet.be> - Please reply to postmaster@skynet.be - if you feel this message to be in error.
Warning: NOD32 antivirus system found the following in the message: readme.scr - Win32/Mydoom.R worm - renamed to readme.vscr

Sender of the virus: 195.161.9.61 RUSSIAN FEDERATION KARELIYA PETROZAVODSK RTCOMM

IP Address 195.161.9.61 was found in the CBL. - It was detected at 2006-11-15 08:00 GMT.

16/11/2006 (from the same Russian IP as the two previous ones)

Return-Path: <truscott@research.att.com>
Received: from research.att.com ([195.161.9.61]) by inmx019.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id kAG99iIw031760 for <vinosoft@skynet.be>; Thu, 16 Nov 2006 10:09:44 +0100 (envelope-from <truscott@research.att.com>)
Message-Id: <200611160909.kAG99iIw031760@inmx019.isp.belgacom.be>
From: truscott@research.att.com
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail
Warning: NOD32 antivirus system found the following in the message: readme.exe - Win32/Mydoom.R worm - renamed to readme.vexe

17/11/2006 (from the same Russian IP as the three previous ones)

Return-Path: <postmaster@skynet.be>
Received: from skynet.be ([195.161.8.61]) by inmx016.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id kAH93B5I007696 for <vinosoft@skynet.be>; Fri, 17 Nov 2006 10:03:12 +0100 (envelope-from <postmaster@skynet.be>)
Message-Id: <200611170903.kAH93B5I007696@inmx016.isp.belgacom.be>
From: "Returned mail" <postmaster@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm]
Warning: NOD32 antivirus system found the following in the message: text.zip - Win32/Mydoom.R worm - renamed to text.vzip


FOLLOW-UP-4a: 18/11/2006 - 13/12/2006 (part A)

FOLLOW-UP-4b: 18/11/2006 - 14/12/2006 (part B)

Sender IPs of the virus: Russia and Belgium

- 16 copies: 195.161.9.61 RUSSIAN FEDERATION KARELIYA PETROZAVODSK RTCOMM

- 1 copy: 213.135.143.231 RUSSIAN FEDERATION TAMBOVSKAYA OBLAST' TAMBOV JSC CENTERTELECOM

- 1 copy: 87.66.162.130 : 130.162-66-87.adsl-dyn.isp.belgacom.be

- 1 copy: 87.66.161.182 : 182.161-66-87.adsl-dyn.isp.belgacom.be


FOLLOW-UP-5: 15/12/2006 - 20/12/2006

2 received from 195.161.9.61 RUSSIAN FEDERATION KARELIYA PETROZAVODSK RTCOMM

IP Address: 195.161.9.61 - Network: ROSOBRAZOVANIE - Petrozavodsk City - Network Owner: Federal Agency of Education - Moskow - vaz@ministry.ru

2 received from 195.161.8.61 RUSSIAN FEDERATION RTCOMM

1 received from (131.128-66-87.adsl-dyn.isp.belgacom.be [87.66.128.131]) BELGIUM BELGACOM-ADSL


FOLLOW-UP-6: no viruses between 21/12/2006 and 02/01/2007.

After the end-of-year holiday truce, a Mydoom from the Antilles:

Received: from peach.ease.lsoft.com (unverified [209.59.100.142]) by mail.register.be (Rockliffe SMTPRA 7.0.3) with ESMTP id <B0032446291@mail.register.be> for <vinosoft@vinosoft.com>; Wed, 3 Jan 2007 21:41:53 +0100
Message-ID: <B0032446291@mail.register.be>
From: archives@peach.ease.lsoft.com
To: vinosoft@vinosoft.com
Subject: [virus Win32/Mydoom.R worm] Message could not be delivered

Sender of the virus: 209.59.100.142 ANTIGUA AND BARBUDA CABLE & WIRELESS ANTIGUA

IP Address 209.59.100.142 was found in the CBL. - It was detected at 2007-01-03 18:00 GMT.

Same Antillean sender, the next day, on another of our addresses:

Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx011.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l04J7ueG030222 for <vinosoft@skynet.be>; Thu, 4 Jan 2007 20:07:57 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200701041907.l04J7ueG030222@inmx011.isp.belgacom.be>
From: "Bounced mail" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail


Same Antillean sender (8-10/01/2007):

Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx009.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l08DSnYs007948
for <vinosoft@skynet.be>; Mon, 8 Jan 2007 14:28:49 +0100 (envelope-from <noreply@skynet.be>)
Message-Id: <200701081328.l08DSnYs007948@inmx009.isp.belgacom.be>
From: "The Post Office" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm]


Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx002.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l09EBIhT001216
for <vinosoft@skynet.be>; Tue, 9 Jan 2007 15:11:18 +0100 (envelope-from <postmaster@skynet.be>)
Message-Id: <200701091411.l09EBIhT001216@inmx002.isp.belgacom.be>
From: "Mail Delivery Subsystem" <postmaster@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Hi


Received: from freebsd.org (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx019.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0ADZcRZ008919
for <vinosoft@skynet.be>; Wed, 10 Jan 2007 14:35:39 +0100 (envelope-from <mezz@freebsd.org>)
Message-Id: <200701101335.l0ADZcRZ008919@inmx019.isp.belgacom.be>
From: mezz@freebsd.org
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] hi


Same Antillean sender (11-12/01/2007):

Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx020.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0BDvsWj001635 for <vinosoft@skynet.be>; Thu, 11 Jan 2007 14:57:54 +0100
(envelope-from <postmaster@skynet.be>)
Message-Id: <200701111357.l0BDvsWj001635@inmx020.isp.belgacom.be>
From: "Post Office" <postmaster@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: Data format error


Notification that one of our addresses sent a virus:

Received: from nlpi007.sbcis.sbc.com (nlpi007.sbcis.sbc.com [207.115.36.36]) by inmx017.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0BJ3ZgA015339 for <vinosoft@skynet.be>; Thu, 11 Jan 2007 20:03:35 +0100 (envelope-from <>)
X-Originating-IP: [209.59.100.142]
Received: from localhost (localhost) by nlpi007.sbcis.sbc.com (8.13.8 inb/8.13.8) id l0BJ3SMJ003628;  Thu, 11 Jan 2007 13:03:30 -0600
From: Mail Delivery Subsystem <MAILER-DAEMON@nlpi007.sbcis.sbc.com>
Message-Id: <200701111903.l0BJ3SMJ003628@nlpi007.sbcis.sbc.com>
To: <vinosoft@skynet.be>
Content-Type: multipart/report; report-type=delivery-status; boundary="l0BJ3SMJ003628.1168542210/nlpi007.sbcis.sbc.com"
Subject: [virus Win32/Mydoom.R worm] Returned mail: see transcript for details

Our "supposed message", but it was actually sent by our Antillean (in our name, to normanfox@sbcglobal.net):

X-Originating-IP: [209.59.100.142]
Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by nlpi007.sbcis.sbc.com (8.13.8 inb/8.13.8) with ESMTP id l0BJ3SMI003628 for <normanfox@sbcglobal.net>; Thu, 11 Jan 2007 13:03:28 -0600
Message-Id: <200701111903.l0BJ3SMI003628@nlpi007.sbcis.sbc.com>
From: vinosoft@skynet.be
To: normanfox@sbcglobal.net
Subject: Message could not be delivered
Date: Thu, 11 Jan 2007 15:05:04 -0400
... This message was not delivered due to the following reason(s): Your message was not delivered because the destination computer was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. ... Content-Type: application/octet-stream; name="text.zip" - virus Win32/Mydoom.R worm


Received: from skynet.be ([209.59.100.142]) by inmx002.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0CDsrqh003614 for <vinosoft@skynet.be>; Fri, 12 Jan 2007 14:54:54 +0100 (envelope-from <postmaster@skynet.be>)
Message-Id: <200701121354.l0CDsrqh003614@inmx002.isp.belgacom.be>
From: "Returned mail" <postmaster@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] RETURNED MAIL: DATA FORMAT ERROR



Same Antillean sender (16-25/01/2007):

Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx009.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0GE49id020289
for <vinosoft@skynet.be>; Tue, 16 Jan 2007 15:04:10 +0100 (envelope-from <noreply@skynet.be>)
Message-Id: <200701161404.l0GE49id020289@inmx009.isp.belgacom.be>
From: "Automatic Email Delivery Software" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail


Received: from inmx016.isp.belgacom.be (inmx016.isp.belgacom.be [195.238.4.219]) by inas028.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0IDlrNl017365 for <vinosoft@skynet.be>; Thu, 18 Jan 2007 14:47:54 +0100 (envelope-from <carolandeedee@juno.com>)
Received: from juno.com (209-59-100-142.candw.ag [209.59.100.142] (may be forged))by inmx016.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0IDlii8005046 for <vinosoft@skynet.be>; Thu, 18 Jan 2007 14:47:45 +0100 (envelope-from <carolandeedee@juno.com>)
Message-Id: <200701181347.l0IDlii8005046@inmx016.isp.belgacom.be>
From: carolandeedee@juno.com
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: see transcript for details

 

Received: from inmx023.isp.belgacom.be (inmx023.isp.belgacom.be [195.238.6.142]) by inas007.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0JDxwwa018089 for <vinosoft@skynet.be>; Fri, 19 Jan 2007 14:59:58 +0100 (envelope-from <noreply@skynet.be>)
Received: from skynet.be (unknown [209.59.100.142]) by inmx023.isp.belgacom.be (Postfix) with ESMTP id 83D97C147 for <vinosoft@skynet.be>; Fri, 19 Jan 2007 14:59:57 +0100 (CET)
From: "Automatic Email Delivery Software" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm]

 

Received: from inmx012.isp.belgacom.be (inmx012.isp.belgacom.be [195.238.5.90]) by inas029.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0MEHOri007108 for <vinosoft@skynet.be>; Mon, 22 Jan 2007 15:17:26 +0100 (envelope-from <noreply@skynet.be>)
Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx012.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0MEHGve010537
for <vinosoft@skynet.be>; Mon, 22 Jan 2007 15:17:17 +0100 (envelope-from <noreply@skynet.be>)
Message-Id: <200701221417.l0MEHGve010537@inmx012.isp.belgacom.be>
From: "Mail Delivery Subsystem" <noreply@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: Data format error

 

Received: from inmx005.isp.belgacom.be (inmx005.isp.belgacom.be [195.238.5.148]) by inas023.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0NE5DHX002230 for <vinosoft@skynet.be>; Tue, 23 Jan 2007 15:05:13 +0100 (envelope-from <ennoiasidhe@earthlink.net>)
Received: from earthlink.net (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx005.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0NE4vrh028956
for <vinosoft@skynet.be>; Tue, 23 Jan 2007 15:04:57 +0100 (envelope-from <ennoiasidhe@earthlink.net>)
Message-Id: <200701231404.l0NE4vrh028956@inmx005.isp.belgacom.be>
From: ennoiasidhe@earthlink.net
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] MAIL SYSTEM ERROR - RETURNED MAIL

 

Received: from inmx004.isp.belgacom.be (inmx004.isp.belgacom.be [195.238.5.48]) by inas035.isp.belgacom.be (8.12.11/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0NHQjrN009011 for <vinosoft@skynet.be>; Tue, 23 Jan 2007 18:26:47 +0100 (envelope-from <postmaster@skynet.be>)
Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx004.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0NHQdZ6026233 for <vinosoft@skynet.be>; Tue, 23 Jan 2007 18:26:40 +0100 (envelope-from <postmaster@skynet.be>)
Message-Id: <200701231726.l0NHQdZ6026233@inmx004.isp.belgacom.be>
From: "Automatic Email Delivery Software" <postmaster@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Delivery reports about your e-mail

 

Received: from inmx019.isp.belgacom.be (inmx019.isp.belgacom.be [195.238.5.138]) by inas017.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0OEPSWw023585 for <vinosoft@skynet.be>; Wed, 24 Jan 2007 15:25:28 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx019.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0OEPIXB019785 for <vinosoft@skynet.be>; Wed, 24 Jan 2007 15:25:19 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200701241425.l0OEPIXB019785@inmx019.isp.belgacom.be>
From: "MAILER-DAEMON" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Message could not be delivered

 

Received: from inmx017.isp.belgacom.be (inmx017.isp.belgacom.be [195.238.4.129]) by inas036.isp.belgacom.be (8.12.11/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0OGRvZ0016210 for <vinosoft@skynet.be>; Wed, 24 Jan 2007 17:27:57 +0100 (envelope-from <eug-lug@efn.org>)
Received: from efn.org (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx017.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0OGRqO2009031 for <vinosoft@skynet.be>; Wed, 24 Jan 2007 17:27:53 +0100 (envelope-from <eug-lug@efn.org>)
Message-Id: <200701241627.l0OGRqO2009031@inmx017.isp.belgacom.be>
From: eug-lug@efn.org
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] RETURNED MAIL: DATA FORMAT ERROR

 

Same Antillean sender (25-26/01/2007):

- cwhost@cw.net; UKServiceDesk@cw.com

 

Received: from inmx015.isp.belgacom.be (inmx015.isp.belgacom.be [195.238.4.218]) by inas017.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0PDwwWA007056 for <vinosoft@skynet.be>; Thu, 25 Jan 2007 14:59:03 +0100 (envelope-from <l.j.vanvliet@tnw.tudelft.nl>)
Received: from tnw.tudelft.nl (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx015.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0PDwpa0018288 for <vinosoft@skynet.be>; Thu, 25 Jan 2007 14:58:52 +0100 (envelope-from <l.j.vanvliet@tnw.tudelft.nl>)
Message-Id: <200701251358.l0PDwpa0018288@inmx015.isp.belgacom.be>
From: l.j.vanvliet@tnw.tudelft.nl
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail

 

Received: from inmx002.isp.belgacom.be (inmx002.isp.belgacom.be [195.238.5.7]) by inas013.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0PFsrT0005672 for <vinosoft@skynet.be>; Thu, 25 Jan 2007 16:54:55 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx002.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0PFspJ9015461 for <vinosoft@skynet.be>; Thu, 25 Jan 2007 16:54:51 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200701251554.l0PFspJ9015461@inmx002.isp.belgacom.be>
From: "Mail Administrator" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] MESSAGE COULD NOT BE DELIVERED

 

Received: from inmx004.isp.belgacom.be (inmx004.isp.belgacom.be [195.238.5.48]) by inas025.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0QE3h9h031274 for <vinosoft@skynet.be>; Fri, 26 Jan 2007 15:03:45 +0100 (envelope-from <prefes@asiaaccess.net.th>)
Received: from asiaaccess.net.th (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx004.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0QE3VKu025764  for <vinosoft@skynet.be>; Fri, 26 Jan 2007 15:03:32 +0100 (envelope-from <prefes@asiaaccess.net.th>)
Message-Id: <200701261403.l0QE3VKu025764@inmx004.isp.belgacom.be>
From: prefes@asiaaccess.net.th
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: see transcript for details

 

Note: "(may be forged)" means that the DNS data for the host is inconsistent, and hence the name is not used for the relaying check but only the IP number. If the host name were used, it would be simple to circumvent basic anti-relaying checks, because the PTR records might be under the control of an attacker, who can then choose any name he wants for his IP address. That is, he can select a name for which you allow relaying because that name is one that you control (your domain name).
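The triage behind that note, as an added Python example (not code from this page's author): it takes each bounce's Received headers, picks the hop that actually connected to the receiving MX, honours sendmail's "(may be forged)" marker the way the note describes (name not trusted, IP used instead), and counts origins across several bounces. The header lines in SAMPLE_MESSAGES are copied from the bounces listed above, except the last message, which is constructed; the parsing regex and the aggregation are this example's own.

```python
"""Triage of bounce headers: attribute each message to the host that actually
connected to our MX, and use only the IP for policy when the reverse DNS is
flagged '(may be forged)'.

Added example, not the page author's code. The Received lines in SAMPLE_MESSAGES
are copied from the bounces listed on this page, except the last message, which
is constructed (RFC 5737 test address 192.0.2.10)."""
import re
from collections import Counter

# sendmail: "from HELO (ptr-name [1.2.3.4] (may be forged))"
# Postfix:  "from HELO (unknown [1.2.3.4])"  or  "from HELO ([1.2.3.4])"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?P<forged>\s*\(may be forged\))?\)",
    re.IGNORECASE,
)


def parse_received(line):
    """One Received header -> {'helo', 'rdns', 'ip', 'forged'} or None if unparseable."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    rdns = m.group("rdns")
    if rdns and rdns.lower() == "unknown":  # Postfix prints 'unknown' when the IP has no PTR
        rdns = None
    return {"helo": m.group("helo"), "rdns": rdns, "ip": m.group("ip"),
            "forged": m.group("forged") is not None}


def origin_hop(received_lines):
    """Each MTA prepends its own Received header, so the LAST one in the list is
    the first hop: the connection our own MX (or our ISP's) observed directly.
    Every hop before it was copied from the message and is hearsay."""
    for line in reversed(received_lines):
        hop = parse_received(line)
        if hop:
            return hop
    return None


def relay_identity(hop):
    """Name a relay or allow-list check may safely use for this hop.
    '(may be forged)' means the PTR name did not resolve back to the connecting
    IP; the PTR is under the IP owner's control, so the name proves nothing and
    only the IP is used. The same applies when there is no PTR at all."""
    if hop["rdns"] and not hop["forged"]:
        return hop["rdns"]
    return hop["ip"]


def count_origins(messages):
    """Map origin IP -> number of messages, over a list of Received-line lists."""
    counts = Counter()
    for received_lines in messages:
        hop = origin_hop(received_lines)
        if hop:
            counts[hop["ip"]] += 1
    return counts


SAMPLE_MESSAGES = [
    # 11 Jan 2007 bounce, one hop, copied from the page
    ["Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) "
     "by nlpi007.sbcis.sbc.com (8.13.8 inb/8.13.8) with ESMTP id l0BJ3SMI003628 "
     "for <normanfox@sbcglobal.net>; Thu, 11 Jan 2007 13:03:28 -0600"],
    # 18 Jan 2007 bounce, two hops inside the ISP, copied from the page
    ["Received: from inmx016.isp.belgacom.be (inmx016.isp.belgacom.be [195.238.4.219]) "
     "by inas028.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0IDlrNl017365 "
     "for <vinosoft@skynet.be>; Thu, 18 Jan 2007 14:47:54 +0100 (envelope-from <carolandeedee@juno.com>)",
     "Received: from juno.com (209-59-100-142.candw.ag [209.59.100.142] (may be forged))"
     "by inmx016.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0IDlii8005046 "
     "for <vinosoft@skynet.be>; Thu, 18 Jan 2007 14:47:45 +0100 (envelope-from <carolandeedee@juno.com>)"],
    # 19 Jan 2007 bounce via a Postfix MX that prints 'unknown', copied from the page
    ["Received: from inmx023.isp.belgacom.be (inmx023.isp.belgacom.be [195.238.6.142]) "
     "by inas007.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0JDxwwa018089 "
     "for <vinosoft@skynet.be>; Fri, 19 Jan 2007 14:59:58 +0100 (envelope-from <noreply@skynet.be>)",
     "Received: from skynet.be (unknown [209.59.100.142]) by inmx023.isp.belgacom.be (Postfix) "
     "with ESMTP id 83D97C147 for <vinosoft@skynet.be>; Fri, 19 Jan 2007 14:59:57 +0100 (CET)"],
    # constructed clean message: PTR and forward lookup agree, so no forged marker
    ["Received: from mail.example.net (mail.example.net [192.0.2.10]) by inmx001.isp.belgacom.be "
     "(8.12.11/8.12.11/Skynet-IN-2.32) with ESMTP id l0ZAAAAA000001 for <vinosoft@skynet.be>; "
     "Mon, 5 Feb 2007 10:00:00 +0100"],
]

if __name__ == "__main__":
    for ip, n in count_origins(SAMPLE_MESSAGES).most_common():
        print(f"{ip}: {n} message(s)")
    for msg in SAMPLE_MESSAGES:
        hop = origin_hop(msg)
        print(hop["ip"], "forged" if hop["forged"] else "ok", "->", relay_identity(hop))
```

Run on the three page bounces, every one resolves to 209.59.100.142 regardless of the HELO name (skynet.be, juno.com) the sender announced, which is exactly why the page attributes them to a single Antillean host: only the first-hop IP is observed by our own MX, everything else in the headers is sender-supplied.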

 

Still the same Antillean sender, active since 03/01/2007 (20-31/01/2007)

Received: from inmx006.isp.belgacom.be (inmx006.isp.belgacom.be [195.238.4.106]) by inas007.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0TEBwdn029472 for <vinosoft@skynet.be>; Mon, 29 Jan 2007 15:12:02 +0100 (envelope-from <mognio@terra.com.pe>)
Received: from terra.com.pe (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx006.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0TEBpkX017517 for <vinosoft@skynet.be>; Mon, 29 Jan 2007 15:11:52 +0100 (envelope-from <mognio@terra.com.pe>)
Message-Id: <200701291411.l0TEBpkX017517@inmx006.isp.belgacom.be>
From: mognio@terra.com.pe
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Mail System Error - Returned Mail

 

Received: from inmx008.isp.belgacom.be (inmx008.isp.belgacom.be [195.238.5.88]) by inas031.isp.belgacom.be (8.12.11/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0TG2Kon008311 for <vinosoft@skynet.be>; Mon, 29 Jan 2007 17:02:21 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx008.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0TG27Bg015903 for <vinosoft@skynet.be>; Mon, 29 Jan 2007 17:02:07 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200701291602.l0TG27Bg015903@inmx008.isp.belgacom.be>
From: "Automatic Email Delivery Software" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS

 

Received: from inmx019.isp.belgacom.be (inmx019.isp.belgacom.be [195.238.5.138]) by inas035.isp.belgacom.be (8.12.11/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0UDgGc1007104 for <vinosoft@skynet.be>; Tue, 30 Jan 2007 14:42:19 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx019.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0UDg4e0019117 for <vinosoft@skynet.be>; Tue, 30 Jan 2007 14:42:04 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200701301342.l0UDg4e0019117@inmx019.isp.belgacom.be>
From: "Bounced mail" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Delivery reports about your e-mail

 

Received: from inmx017.isp.belgacom.be (inmx017.isp.belgacom.be [195.238.4.129]) by inas031.isp.belgacom.be (8.12.11/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0UMxwOA009144 for <vinosoft@skynet.be>; Wed, 31 Jan 2007 00:00:00 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx017.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0UMxqUX021943 for <vinosoft@skynet.be>; Tue, 30 Jan 2007 23:59:53 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200701302259.l0UMxqUX021943@inmx017.isp.belgacom.be>
From: "Post Office" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Hi

 

Received: from inmx013.isp.belgacom.be (inmx013.isp.belgacom.be [195.238.4.216]) by inas021.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-AS-2.03) with ESMTP id l0VE7pn2022519 for <vinosoft@skynet.be>; Wed, 31 Jan 2007 15:07:53 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Received: from skynet.be (209-59-100-142.candw.ag [209.59.100.142] (may be forged)) by inmx013.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-IN-2.32) with ESMTP id l0VE7f93027628 for <vinosoft@skynet.be>; Wed, 31 Jan 2007 15:07:42 +0100 (envelope-from <MAILER-DAEMON@skynet.be>)
Message-Id: <200701311407.l0VE7f93027628@inmx013.isp.belgacom.be>
From: "The Post Office" <MAILER-DAEMON@skynet.be>
To: vinosoft@skynet.be
Subject: [virus Win32/Mydoom.R worm] Returned mail: Data format error

 

No more messages containing Mydoom between 01/02/2007 and 09/03/2007; the infection is considered eradicated.


This diversity of sources: FRANCE - SWITZERLAND - SPAIN - ROMANIA - LATVIA - RUSSIA - UKRAINE - GEORGIA - LITHUANIA - EGYPT - BANGLADESH - CHINA - SOUTH AFRICA - USA - BOLIVIA (16 countries [covering the continents: Europe -> Soviet Bloc <- Asia, Africa, North America, South America] in 21 days [21/09 - 11/10/2006]):

- undermines the likelihood that these "old" viruses are being sent by one or two infected computers holding our email address, as is often the case and as this virus's propagation method provides for (see below - "critter" -)

[We find it hard to believe that Internet users (all infected within three weeks) from these 16 different countries, most of them very far from our area of activity (professional as well as private), hold our email address or "Temporary Internet" pages containing our address - France, Switzerland, Spain, USA: fine, but the "Eastern Bloc", South Africa and Asia: no]

- leads us to think that this pollution was orchestrated (via zombies, for example),

In computer security, a zombie is a computer controlled, without its user's knowledge, by a hacker. The hacker can then use it to attack other machines while hiding his true identity. "Zombie armies", that is, large numbers of compromised computers, are used in Distributed Denial of Service attacks [ http://fr.wikipedia.org/wiki/Zombie_(informatique) & http://fr.wikipedia.org/wiki/Machine_zombie_%28informatique%29 ] - the term denotes a computer, generally belonging to a private owner, infested by a worm or trojan and remotely directed to take part in computer attacks or various other tasks.

- suggests (by analogy with our earlier records) that these viruses have the same origin as the spam polluting our mailboxes; a suggestion confirmed by the fact that most of the sending addresses of these viruses are recognised in one or more (spam) blacklists such as Spamcop and/or CBL and/or NJABL and/or the Distributed Sender Blackhole List DSBL and/or the Sorbs Database (at the time of the infection: September-October 2006) - a few examples:

- IP 62.133.162.22 (Russia - Bashinformsvyaz Company) was found in the CBL

- IP 69.81.213.30 (USA - Earthlink) was found in the CBL

- IP 69.88.28.77 (Bangladesh - Hawaii Pacific Teleport) was found in the CBL

- IP 80.32.185.3 (Spain) was found in the CBL &  IP 80.32.185.3 listed in Spamcop.net

- IP 80.254.110.72 (Russia - JSC UTK Rostovelectrosvi) was found in the CBL & in Spamcop.net Blacklist & Sorbs Database

- IP 81.13.91.42 (Russia - OOO Institut energoeffektivnosti) was found in the CBL & IP 81.13.91.42 - DSBL State: Listed

- IP 81.181.199.219 (USA - Williamsburg/Virginia - Registrant : Open Systems SRL - Bucharest) was found in the CBL

- IP 81.196.148.44 (Romania - Romania Data Systems) was found in the CBL

- IP 81.198.160.89 (Latvia - Lattelekom Ltd.) was found in the CBL

- IP 82.207.21.242 (Ukraine - JSC UKRTELECOM) was found in the CBL & 82.207.21.242 is listed in dynablock.njabl.org

- IP 82.207.57.24 (Ukraine - Ukrtelecom IP access network in Kharkiv) was found in the CBL - "doubly infected": Mydoom.R & Q

- IP 83.136.244.26 (Russia - telrostelecom.ru) was found in the CBL Blacklist & is listed in Spamcop.net Blacklist

- IP 83.237.221.95 (Russia - ZAO MTU-Intel) is listed in dynablock.njabl.org

- IP 84.15.44.90 (Lithuania - Bite GSM & Internet services) was found in the CBL

- IP 85.117.63.49 (Georgia - Rustavi 2 Online) was found in the CBL

- IP 85.140.252.55 (Russia - ZAO MTU-Intel) was found in the CBL

- IP 86.214.34.129 (France Telecom - Wanadoo) was found in the CBL

- IP 89.120.16.179 (Romania - Registrant information is not available - Location: Bacau) was found in the CBL

- IP 165.145.136.138 (South Africa - Telkom SA Limited) was found in the CBL

- IP 165.165.183.22 (South Africa - Telkom - telkomadsl.co.za) was found in the CBL

- IP 166.114.54.230 (Bolivia - Red Bolivina de Comunicacion de Datos) was found in the CBL

- IP 194.105.199.246 (Russia - leivo.ru) is listed in dynablock.njabl.org

- IP 195.131.89.145 (Russia - WEBPlus Ltd.) was found in the CBL

- IP 202.101.10.137 (China - Shanghai Telecom Co. Qingpu Telecom Breaure) was found in the CBL

- IP 203.156.212.66 (China - Shanghai Global Network Co.Ltd) was found in the CBL

- IP 212.23.228.18 (Switzerland - SA des Hotels President) was found in the CBL

- IP 212.103.168.65 (Egypt - TE-Data-Networks) was found in the CBL

- IP 213.190.45.83 (Lithuania - Lietuvos-Telekomas) was found in the CBL & listed in VIRBL (virus sender)

- IP 220.207.8.217 (China - United Telecommunications Corporation) was found in the CBL
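How verdicts like "was found in the CBL" above are obtained, as an added Python example (not code from this page's author): a DNS blocklist is queried by reversing the address's octets under the list's zone, and any A record in 127.0.0.0/8 means "listed". ZONES holds the lookup zones those lists published at the time; NJABL has since shut down and the CBL has been folded into the Spamhaus XBL, so check each operator's current documentation before relying on a zone. STUB_ANSWERS and stub_resolver are constructed sample data reproducing two findings from the list above so the block runs offline; the default system_resolver does live lookups.

```python
"""Query DNS-based blocklists (DNSBLs) for an IPv4 address, the way the
'was found in the CBL' verdicts above are obtained. Added example, not the page
author's code. ZONES holds the lookup zones those lists published at the time;
STUB_ANSWERS is constructed sample data so the block runs offline."""
import socket

ZONES = {
    "CBL": "cbl.abuseat.org",                  # since folded into the Spamhaus XBL
    "SpamCop": "bl.spamcop.net",
    "NJABL dynablock": "dynablock.njabl.org",  # NJABL has since shut down
}


def dnsbl_query_name(ip, zone):
    """A DNSBL is queried by reversing the octets under the zone:
    80.32.185.3 in bl.spamcop.net -> 3.185.32.80.bl.spamcop.net"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def is_listed_answer(answer):
    """A listed address answers with an A record in 127.0.0.0/8 (RFC 5782); no
    answer (NXDOMAIN) means not listed. The exact 127.0.0.x value carries a
    list-specific reason code and is not interpreted here."""
    return answer is not None and answer.startswith("127.")


def system_resolver(name):
    """Resolve with the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, resolver=system_resolver, zones=ZONES):
    """{list name: listed?} for one address, one query per zone."""
    return {name: is_listed_answer(resolver(dnsbl_query_name(ip, zone)))
            for name, zone in zones.items()}


def report(ip, resolver=system_resolver):
    """One line in the style of the list above."""
    hits = [name for name, listed in check_ip(ip, resolver).items() if listed]
    return f"IP {ip} " + ("was found in " + " & ".join(hits) if hits else "not in any blacklists")


# Constructed stub reproducing two findings from the list above (sample data,
# not live answers; the 127.0.0.x codes are illustrative).
STUB_ANSWERS = {
    "3.185.32.80.cbl.abuseat.org": "127.0.0.2",
    "3.185.32.80.bl.spamcop.net": "127.0.0.2",
    "242.21.207.82.cbl.abuseat.org": "127.0.0.2",
    "242.21.207.82.dynablock.njabl.org": "127.0.0.3",
}


def stub_resolver(name):
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("80.32.185.3", "82.207.21.242", "88.204.240.149"):
        print(report(ip, stub_resolver))
```

On a live system call check_ip(ip) with the default resolver. Two caveats a practitioner would add: some operators answer a distinct 127.255.255.x code when they refuse the query (for example from open resolvers), which must be treated as an error rather than a listing; and a listing only says the address was sending spam or malware at the time of the query, so the date of the lookup belongs in the record, as the page does with its "It was detected at ..." lines.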

 

A few IPs that sent the Mydoom virus after our STOP REPORTING (of 11/10/2006), different from those listed above:

 

61.50.206.2

CHINA

BEIJING

BEIJING

CHINA NETCOM GROUP BEIJING CORPORATION

IP Address 61.50.206.2 was found in the CBL & is listed in bl.spamcop.net

80.237.10.67

RUSSIAN FEDERATION

DAGESTAN

MAKHACHKALA

(RS000007) ISP DAGESTANTELEKOM CO. LTD

IP Address 80.237.10.67 was found in the CBL. - It was detected at 2006-10-16 11:00 GMT

82.107.68.49

ITALY

TELECOM ITALIA WIRELINE SERVICES

IP Address 82.107.68.49 was found in the CBL. - It was detected at 2006-10-16 11:00 GMT

83.237.238.21

RUSSIAN FEDERATION

MOSKVA

MOSCOW

ZAO MTU-INTEL

IP Address 83.237.238.21 was found in the CBL & is listed in dynablock.njabl.org

87.249.236.190

RUSSIAN FEDERATION

CORPORATE NET

IP Address 87.249.236.190 was found in the CBL. - It was detected at 2006-10-20 15:00 GMT

194.93.171.25

UKRAINE

MISTO KYYIV

KIEV

JV GLOBAL UKRAINE KIEV UKRAINE

IP Address 194.93.171.25 was not found in the CBL. (17/10/2006)

195.5.19.83

UKRAINE

LUHANS'KA OBLAST'

LUGANSK

UKRTELECOM IP ACCESS NETWORK IN DONECK

IP Address 195.5.19.83 was found in the CBL. - It was detected at 2006-10-19 06:00 GMT

195.161.9.63

RUSSIAN FEDERATION

KARELIYA

PETROZAVODSK

RTCOMM

IP Address 195.161.9.63 was found in the CBL. - It was detected at 2006-10-28 04:00 GMT

209.200.139.171

USA

FLORIDA

FT. LAUDERDALE

DIGITAL SOLUTIONS

IP Address 209.200.139.171 was found in the CBL & is listed in bl.spamcop.net

218.145.189.39

KOREA, REPUBLIC OF

KYONGGI-DO

SEOUL

KOREA TELECOM

IP Address 218.145.189.39 was found in the CBL. - It was detected at 2006-10-16 08:00 GMT

218.145.188.97

KOREA, REPUBLIC OF

KYONGGI-DO

SEOUL

KOREA TELECOM

IP Address 218.145.188.97 was found in the CBL. - It was detected at 2006-10-19 05:00 GMT

218.246.83.242

CHINA

BEIJING

BEIJING

TIANGUANG COMPANY

IP Address 218.246.83.242 was found in the CBL. - It was detected at 2006-10-14 02:00 GMT

88.204.240.149

KAZAKHSTAN

KAZAKHTELECOM DATA NETWORK ADMINISTRATION

Not in any blacklists, 22/10/2006 11:50

203.155.221.253

THAILAND

KRUNG THEP MAHANAKHON

BANGKOK

KSC COMMERCIAL INTERNET CO. LTD

IP Address 203.155.221.253 listed in bl.spamcop.net

 

Final hypothesis, taking into account the behaviour of the "infection tail" (13/10/2006 - 31/01/2007): a gang of spammers would have built a network of zombies that spew out their unsolicited mail; they would have added a virus that follows the same path as their spam; and the infected PCs would gradually have rid themselves of the infection?

This is the spamming technique (as, for example, with Tibs.JY):

Spamming denotes the act of sending an unwanted and disturbing message - called "spam" - to a person or a group of persons, generally for promotional or advertising purposes. The following, in particular, are considered acts of spamming:

More globally, spamming can be defined as the abusive use of an electronic messaging system, or of an automated data-processing system, with the aim of deliberately, and generally repeatedly, exposing all or some of its users to irrelevant and unsolicited messages or content, commonly called "spam", while trying to make them look like the messages or content those users usually exchange or seek. The medium used matters little (email, instant messaging, SMS, forum, search engine, etc.), as does the number of messages the spammer sends. Spamming is often accompanied, on the spammer's side, by one or more practices generally recognised as illegal worldwide (identity theft, unfair collection of personal data, trademark counterfeiting, fraud, deliberate obstruction of a system, ...), but those practices are to be regarded as aggravating circumstances and not as intrinsic characteristics of spamming.

How should one react to a spammer?
In the case of an inexperienced Internet user who wants you to visit his site, do not reply, or kindly explain to him that what he is doing is spamming, and that spamming is contrary to good practice on the Net. If he persists, or in the case of an unsolicited message sent by a French company, go on the offensive and write directly to the owner of the mail server used (often that of the spammer's access provider). This amounts to filing a complaint, so you must provide evidence: attach to your email a copy of the header of the unsolicited message (select the mail in your inbox, then "Show properties" or "Page source").


Note that if this infection is deliberately targeted, it is really crude, because given the age of the virus it is impossible to get infected. Even free antivirus products intercept this ancestor of malware before it can do any damage (damage that is, in any case, minor and easy to eradicate).

 

Who is going to open the file attached to this kind of message?

or

And which antivirus is going to miss this old critter?

Scan type: Auto-Protect Scan - Event: Threat Found!

Threat: W32.Mydoom.M@mm - File: vinosoft.com.zip & File: vinosoft@vinosoft.com.zip


An "old" critter: Win32/Mydoom.R worm (Nod32) = W32.Mydoom.M@mm (Norton Antivirus)

Virus discovered on 26/07/2004, more than two years ago!

It is a mass-mailing email worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, which listens on TCP port 1034.

The worm uses its own SMTP engine to send itself to the email addresses it found on the infected computer.
The address used in the "From" field of the email is spoofed.

The subject and body of the message vary.

The attachment name varies as well, with a .cmd, .bat, .com, .exe, .pif, .scr or .zip file extension.
W32.Mydoom.M@mm is packed with UPX.
Also known as: W32/Mydoom.o@MM [McAfee], W32/MyDoom-O [Sophos], WORM_MYDOOM.M [Trend Micro], Win32.Mydoom.O [Computer Associates], I-Worm.Mydoom.m [Kaspersky], W32/Mydoom.N.worm [Panda].
Affected systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP.
Damage:
- Sends email on a large scale.
- Degrades performance: mass mailing can clog mail servers or degrade network performance.
 

When W32.Mydoom.M@mm runs, it performs the following actions:
- It creates the following registry entries, marking the compromised system as infected by the worm:
HKEY_LOCAL_MACHINE\Software\Microsoft\Daemon & HKEY_CURRENT_USER\Software\Microsoft\Daemon
- It copies itself as %Windir%\java.exe
- It drops and executes %Windir%\services.exe, detected as Backdoor.Zincite.A. When this file is executed, it opens TCP port 1034 and listens for remote connections. The backdoor also scans random IP addresses on port 1034 looking for other infected hosts.
- It adds the values "Services" = "%Windir%\services.exe" & "JavaVM" = "%Windir%\java.exe" to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that the worm runs when Windows starts.
- It may create the following files to log events:
%Temp%\zincite.log & %Temp%\<randomly named file>.log
- It harvests email addresses from files with the following extensions: .adb - .asp - .dbx - .ht* - .php - .pl - .sht - .tbb - .tx* - .wab
- It queries the following search engines to harvest more email addresses for possible distribution: search.lycos.com - search.yahoo.com - www.altavista.com - www.google.com
- When the worm finds an open Outlook window, it attempts to send itself to the email addresses it found.
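A host-side check for the indicators in that list, as an added Python example (not code from this page's author, and not Symantec's FxMydoom tool): the indicator values (the two marker keys, the Services/JavaVM Run values, the dropped files and TCP port 1034) are the ones quoted above; the snapshot layout, the netstat parser and the two sample snapshots are this example's own assumptions. The live collector uses winreg and netstat and therefore only runs on Windows; evaluation is kept separate from collection so it can be exercised on a constructed snapshot anywhere.

```python
"""Check a Windows host for the W32.Mydoom.M@mm / Backdoor.Zincite.A indicators
listed in the write-up above. Added example, not the page author's code and not
Symantec's removal tool. Indicator values are quoted from the page; the snapshot
layout, the netstat parser and the sample snapshots are this example's assumptions."""
import os
import re
import subprocess
import sys

# Indicators quoted from the write-up (the HKLM/HKCU abbreviations are this example's).
MARKER_KEYS = [r"HKLM\Software\Microsoft\Daemon", r"HKCU\Software\Microsoft\Daemon"]
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"Services": r"%Windir%\services.exe", "JavaVM": r"%Windir%\java.exe"}
# The legitimate services.exe lives in %Windir%\System32; a copy directly under
# %Windir% is the indicator, not the system binary.
DROPPED_FILES = [r"%Windir%\java.exe", r"%Windir%\services.exe", r"%Temp%\zincite.log"]
BACKDOOR_PORT = 1034


def _norm(path):
    """Compare paths after %VAR% expansion (a no-op outside Windows), case-insensitively."""
    return os.path.expandvars(path).lower()


def listening_ports(netstat_text):
    """TCP ports in LISTENING state from 'netstat -an' output in the English Windows
    layout ('TCP  0.0.0.0:1034  0.0.0.0:0  LISTENING'); localized builds differ."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def evaluate(snapshot):
    """snapshot = {'keys': registry key paths that exist, 'run_values': {name: data}
    read from RUN_KEY, 'files': DROPPED_FILES entries present on disk,
    'listening': TCP ports in LISTENING state}. Returns one line per matched indicator."""
    findings = []
    for key in MARKER_KEYS:
        if key in snapshot["keys"]:
            findings.append(f"infection marker key present: {key}")
    for name, data in RUN_VALUES.items():
        if _norm(snapshot["run_values"].get(name, "")) == _norm(data):
            findings.append(f"autostart value {name} = {data} under {RUN_KEY}")
    present = {_norm(p) for p in snapshot["files"]}
    for path in DROPPED_FILES:
        if _norm(path) in present:
            findings.append(f"dropped file present: {path}")
    if BACKDOOR_PORT in snapshot["listening"]:
        findings.append(f"TCP port {BACKDOOR_PORT} listening (Backdoor.Zincite.A)")
    return findings


def collect_windows_snapshot():
    """Live collection; Windows only (winreg is not available elsewhere)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def key_exists(path):
        hive, sub = path.split("\\", 1)
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], sub))
            return True
        except OSError:
            return False

    run_values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY.split("\\", 1)[1]) as k:
            for name in RUN_VALUES:
                try:
                    run_values[name] = winreg.QueryValueEx(k, name)[0]
                except OSError:
                    pass
    except OSError:
        pass
    netstat = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return {"keys": {k for k in MARKER_KEYS if key_exists(k)},
            "run_values": run_values,
            "files": {p for p in DROPPED_FILES if os.path.exists(os.path.expandvars(p))},
            "listening": listening_ports(netstat)}


# Constructed sample data: one infected-looking snapshot, one clean one.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING
  TCP    192.0.2.7:3456         198.51.100.2:25        ESTABLISHED
"""
SAMPLE_INFECTED = {
    "keys": {r"HKLM\Software\Microsoft\Daemon"},
    "run_values": {"Services": r"%Windir%\services.exe", "JavaVM": r"%Windir%\java.exe"},
    "files": {r"%Windir%\java.exe", r"%Temp%\zincite.log"},
    "listening": listening_ports(SAMPLE_NETSTAT),
}
SAMPLE_CLEAN = {"keys": set(), "run_values": {}, "files": set(), "listening": {135}}

if __name__ == "__main__":
    snap = collect_windows_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    print("\n".join(evaluate(snap)) or "no Mydoom.M indicators found")
```

The marker keys under Software\Microsoft\Daemon and a listener on TCP 1034 are the cheapest indicators to sweep across a fleet, since neither has a legitimate reason to exist; a match on the Run values or the dropped files then confirms which variant is present before the removal tool below is run.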

 

W32.Mydoom@mm removal tool:
http://www.symantec.com/region/fr/techsupp/avcenter/venc/data/fr-w32.mydoom@mm.removal.tool.html

FxMydoom.exe:

- Terminates the viral processes of W32.Mydoom@mm, Backdoor.Zincite.A, W32.Zindos.A, Backdoor.Nemog and Backdoor.Nemog.D.
- Terminates the viral thread running under Explorer.exe.
- Deletes the files of W32.Mydoom@mm, Backdoor.Zincite.A, W32.Zindos.A, Backdoor.Nemog and Backdoor.Nemog.D.
- Deletes the registry keys added by all the risks listed above.
- Restores the Microsoft Windows default settings of the keys modified by those risks.
- Repairs the Hosts file if the computer is infected by Backdoor.Nemog and Backdoor.Nemog.D.

Note: you must have administrator rights to run this tool under Windows NT/2000/XP

 

Other information about the virus:

- Virus alert level 4 out of 5, W32.Mydoom.M@mm: http://www.mag-securs.com/article.php3?id_article=1101 (07/2004)

- A virus named Zindos.A (also called W32.Zindos.A or W32/Zindos.worm) has been identified, created specifically to exploit the Mydoom.M backdoor: http://www.secuser.com/alertes/2004/mydoomm.htm (07/2004)


Win32/Mydoom.Q (Nod32) = W32.Mydoom.L@mm (NAV) - Discovered on: 19/07/2004

Damage:
- Sends email on a large scale: uses its own SMTP server to email itself to the addresses found in files with certain extensions.
- Degrades performance: mass mailing can clog mail servers or degrade network performance.
- Leaks confidential information: contains a keystroke logger.

 

Distribution:
- Email subject: Variable
- Attachment name: Variable, with a .bat, .cmd, .com, .exe, .pif or .scr extension.
- Attachment size: 21,000 bytes
- Ports: TCP 1042
- Shared drives: Attempts to copy itself into every folder whose name contains one of the following strings: incoming, ftproot, download, shar, USERPROFILE, yahoo.com.

