Cronologia di un infezione

Proprio poco tempo fa in due delle mie innumerevoli caselle e-mail mi sono arrivate due email del tipo:

This email has been sent to you from an email content scanning filter
located on the server [server]. If you have any queries relating
to this email, please direct them to postmaster.

Report Details -----------------------------------------------
Administrator Email Reply Address: postmaster
Email sent to: <destinatario>
Inflex ID: 040518488933
Report Details -----------------------------------------------
AntiVirus Results...
SWEEP virus detection utility
Version 3.80, April 2004 [Linux/Intel]
Includes detection for 89198 viruses, trojans and worms
Copyright (c) 1989,2004 Sophos Plc, www.sophos.com

System time 18:49:00, System date 05 April 2004
Command line qualifiers are: -archive -all -rec -sc

IDE directory is: /usr/local/sav

Using IDE file proto-f.ide
Using IDE file bdoorcck.ide
Using IDE file netsky-p.ide
Using IDE file netsky-q.ide
Using IDE file netsky-r.ide
Using IDE file netsky-s.ide
Using IDE file lovgat-x.ide
Using IDE file baglehtm.ide
Using IDE file nackbotd.ide
Using IDE file nyxem-a.ide
Using IDE file agoboted.ide
Using IDE file agobotef.ide
Using IDE file agobotfg.ide
Using IDE file agobotfh.ide
Using IDE file agobotfj.ide
Using IDE file sober-e.ide
Using IDE file agobotex.ide
Using IDE file sober-f.ide
Using IDE file nachi-e.ide
Using IDE file rybot-a.ide
Using IDE file sdbot-gr.ide
Using IDE file prorat-d.ide
Using IDE file bagle-j.ide
Using IDE file bagle-n.ide
Using IDE file bagle-o.ide
Using IDE file bagle-q.ide
Using IDE file bagle-r.ide
Using IDE file bagle-u.ide
Using IDE file bagle-v.ide
Using IDE file ldpinchh.ide
Using IDE file jdownl-a.ide
Using IDE file baglezip.ide
Using IDE file adtoda-a.ide
Using IDE file lovgatez.ide
Using IDE file ranckb-a.ide
Using IDE file badparty.ide

Quick Sweeping

00:02 message.scr>>> Virus 'W32/Netsky-P' found in file /usr/local/inflex/tmp2/inf_040518488933/unpacked/message.scr
00:02 _headers_ 00:02 textfile000:02 textfile100:02 textfile200:02 textfile300:02 textfile4
7 files swept in 2 seconds.
1 virus was discovered.
1 file out of 7 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
End of Sweep.

File NAME/TYPE Scan Results


040518488933 from:<mia casella> to: <destinatario>
Type scanning off.
Name scanning off.
Text scanning off.

END OF MESSAGE.

End.
.
------------------------------------------

This is the Postfix on Linux (TCW) program at host tcw0.tcworks.de.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix on Linux (TCW) program

<info@tcworks.de>: Sorry, your mail has been identified as spam.



Reporting-MTA: dns; tcw0.tcworks.de
Arrival-Date: Mon, 5 Apr 2004 18:53:02 +0200 (CEST)

Final-Recipient: rfc822; info@tcworks.de
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; Sorry, your mail has been identified as spam.



Subject:
Possible Spam: Mail Delivery (failure info@tcworks.de)
From:
<mia casella>
Date:
Mon, 5 Apr 2004 18:51:08 +0200
To:
info@tcworks.de

Spam detection software, running on the system "tcw0.tcworks.de", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: ------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_001_001C_01C0CA80.6B015D10 Content-Type: text/html;
charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable [...]

Content analysis details: (13.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.2 NO_REAL_NAME From: does not include a real name
0.1 HTML_MESSAGE BODY: HTML included in message
1.7 HTML_RELAYING_FRAME BODY: Frame wanted to load outside URL
5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
0.1 MICROSOFT_EXECUTABLE RAW: Message includes Microsoft executable program
0.1 MIME_SUSPECT_NAME RAW: MIME filename does not match content
3.0 MSGID_FROM_MTA_SHORT Message-Id was added by a relay
0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
[151.42.189.238 listed in dnsbl.njabl.org]
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[151.42.189.238 listed in dnsbl.sorbs.net]
1.6 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
1.2 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.




Subject:
Mail Delivery (failure info@tcworks.de)
From:
<mia casella>
Date:
Mon, 5 Apr 2004 18:51:08 +0200
To:
info@tcworks.de

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:
http://www.tcworks.de/inbox/info/rea...sessionid-6963
-------------------------------------------

Ovviamente il mio sistema windows é più pulito del sederino di un neonato appena cambiato, tra l'altro siccome sto usando solo linux la cosa suona stranissima: ho inviato una mail ad un tizio bloccata da un filtro antivirus? Come mai?

Andando a leggere il log in maniera più approfonidta si va a capire che a questa e-mail era allegato un file messagge.scr contenente il virsu netsky-p.

Qua il mistero s'infittisce. Semplicemente ho avvisato tutti i miei amici di controllare il proprio sistema e di eliminarmi dalla rubirca di windows.

Una cosa del genere mi mancava. Quanto mi piacciono i misteri :D

A me ne sono arrivati 4 in ciascuna delle mie due caselle di posta.....ovviamente quelli che erano sfuggiti ai filtri dell'antispam sono stati cestinati direttamente da me.

Solo 4.. ti va ancora parecchio bene fidati..

Infatti...
Diego

Solo 4.. ti va ancora parecchio bene fidati..

Infatti...
Diego

Beh sono mesi che non ricevo virus e log di antivirus via email.

Oggi son arrivati altri 2 log ed un altro virus: sto alzando notevlomente la mia media :D

-------------edit---------------


Che sia uno dei loro server :?

[Ospite]

Tantissime persone che conosco hanno preso il virus netsky, dicono che si prenda con l'anteprima delle mail dai client di posta anche senza aprire l'allegato anche se io ne dubito. Legge i contatti delle rubriche,
C'è un tool per toglierlo cmq http://virus.html.it/virus/cat_3/virus_28/netsky.q.html

[colonnaromana]

Ora rispondo io...
http://securityresponse.symantec.com...tsky.p@mm.html
e in particolare per rispondere alla questione: "come mai mi e' stato detto che io ho inviato un virus quando il mio pc e' pulito?"

W32.Netsky.P@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

Cioe' per chi non sa l'inglese, il virus in questione (come tutta la serie dei netsky) ha un server smtp integrato che fa la scansione di tutti gli indirizzi mail memorizzati sul tuo pc (outlook o qualsiasi file dio testo) e si auto manda da qualli indirizzi a quelli stessi.
In piu' si infila in tutte le cartelle condivise da quelli che usano un programma di fileshare, senza accorgersene.
OK? mi sono meritato un bravo? :D 8)

Grazie per le info, ma già lo sapevo, difatti ho avvisato gli amici che hanno quei due indirizzi inviando il remover di netsky-p :D

[colonnaromana]