'Your_details.zip'

N/A

'Your_details.zip'

I've been away for the weekend and have just picked up my mail. I have two suspicious mails with the attachment 'your_details.zip' and the subject of Re: Movie and Re: Application. It looks like the W32/Sobig-E worm.

The odd thing is that they both came from plusnet addresses that I've never heard of before:
postmaster@belper.plus.com and postmaster@intertoy.plus.com.

Hopefully you won't be too curious to find out what 'your_details' are.

Col.
13 REPLIES
N/A

'Your_details.zip'

Yes, these are a virus, and a pity it is doing the rounds too.

The two addresses you see are false, and are in fact not coming from these two. The virus just fools you into thinking as such.

I get them addressed from support@btopenworld.com, yet they come via a means 100% unrelated to the ISP or their customers.

Can you post the headers of the e-mail?

In Outlook Express, right-click on the mail, select Properties, then select the Details tab. Paste everything in the displayed box.

This will give us a far better idea of exactly who is sending the e-mails, and who to contact to have them stopped.
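The header check asked for above, as an added example (not code from the original thread): a small Python script that ignores the forged From: line and walks the Received: chain from the receiving end to find the address that actually handed the mail to the trusted relay, which is the address a postmaster report should name. The sample message and the relay addresses in TRUSTED_RELAYS are constructed for this example.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample shaped like the Sobig-E mails in this thread: forged From:,
# the worm's own SMTP engine handing the mail straight to the ISP relay, and an
# oldest Received: line that the sending machine could simply have invented.
SAMPLE = """\
Received: from mail.plus.net ([212.159.1.1]) by localhost (Mail 1.2)
    for <user@example.net>; Mon, 30 Jun 2003 10:05:12 +0100
Received: from obrien ([212.159.88.157]) by mail.plus.net
    with SMTP id h5U95cXX; Mon, 30 Jun 2003 10:04:51 +0100
Received: from belper.plus.com ([10.0.0.5]) by obrien
    with SMTP; Mon, 30 Jun 2003 10:04:40 +0100
From: postmaster@belper.plus.com
Subject: Re: Movie
X-Mailer: Microsoft Outlook Express 6.00.2800.1106

See the attached file for details.
"""
# Relays whose Received: lines we trust (assumed addresses for this example).
TRUSTED_RELAYS = ("127.0.0.0/8", "212.159.1.1/32")
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[\w.-]+)",
    re.S)

def parse_received(raw):
    # One dict per Received: header, newest first (the order relays added them).
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops

def originating_ip(hops, trusted=TRUSTED_RELAYS):
    # Walk down from our end: the first hop handed in from a non-trusted address
    # is the real sender; everything older was written by that host and may be forged.
    nets = [ipaddress.ip_network(n) for n in trusted]
    for hop in hops:
        if not any(ipaddress.ip_address(hop["ip"]) in n for n in nets):
            return hop
    return None

def summarize(raw):
    # Pairs the (forged) From: with the address a postmaster should be told about.
    origin = originating_ip(parse_received(raw))
    return {"from_header": message_from_string(raw)["From"],
            "origin_ip": origin["ip"] if origin else None,
            "origin_helo": origin["helo"] if origin else None}
```

The forged hop below the relay handoff (10.0.0.5, "belper.plus.com") is never reported, because only hops recorded by trusted relays are believed.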
N/A

'Your_details.zip'

I would post the headers, but unfortunately I've deleted the emails.

Col.
N/A

'Your_details.zip'

While we're on the subject...

Today I got three emails with subjects like "Mail delivery failed: returning message to sender," all of which contain your_details.zip. Is this just a more elaborate method of getting me to open messages or does it mean that my email address has been used as a forged "From" header?

BTW, my machine certainly doesn't have the worm/virus. The headers say that the message came from Outlook Express 6, while I use the MacOS X Mail client.

Cheers,
--> Stephen
N/A

'Your_details.zip'

Yes, you are the unwitting victim of forged headers.

However, you are also on the end of a fake bounce too.

Some programs, like MailWasher, can generate fake failure reports. However, in many cases they go to the wrong place, due to forged headers.

People should never use this mode, as if you can prove they are fake (not too hard with some ISPs), you may soon be able to take them to court, as this will be classed as spam (because you didn't opt in).
N/A

'Your_details.zip'

God, that little barsteward's a real pain in the rear :( - it's doing the rounds at the college where I work at the moment, and of course we have plenty of staff members who've opened the attached file, despite an advisory from us that the threat was there and not to open suspicious attachments........ :roll:
N/A

'Your_details.zip'

Any idea what this little bunny is? nascent5.plus.com: 212.159.88.15. Is it part of Plus Net's mail server cluster? I've had this virus sent to me, and this is the originating IP.
N/A

'Your_details.zip'

Just another innocent victim (using dig -x):

15.88.159.212.in-addr.arpa. 21600 IN PTR badgers4.force9.co.uk.

--> Stephen
N/A

'Your_details.zip'

My bad. Missed a digit with copy 'n' paste. Shoulda read: 212.159.88.157
N/A

'Your_details.zip'

Yes, just another innocent customer.

You may like to try sending an e-mail to postmaster@nascent5.plus.com to inform them of the infection; otherwise there is little you can do.
N/A

'Your_details.zip'

Are you sure? Ping times that fast can't be dial-up, and wouldn't a DSL connection traceroute through a BT home gateway router? Also, reverse DNS on nascent5.plus.com throws up a range of IPs:

Name: nascent5.plus.com
Addresses: 212.159.88.156, 212.159.88.157, 212.159.88.158, 212.159.88.159
N/A

'Your_details.zip'

+Net customers can get ranges of IPs, and yes, DSL and dial-up pings can be that low.

If a DSL ping can be 32ms to an external American site, it can be that low to a local DSL account.

Beyond that, the IP is now offline, and I doubt that a +Net server would drop off of a night (to my understanding, most +Net servers are on the internal network, and routers are used to forward connections, thus it would ping regardless of the LAN machine).

Quote

--- <private>.plus.com ping statistics ---
10 packets transmitted, 10 received, 0% loss, time 9020ms
rtt min/avg/max/mdev = 34.732/36.543/38.835/1.136 ms

They are stats from a +Net DSL customer, which I can guarantee (considering I remotely manage the connection 24/7).
N/A

'Your_details.zip'

I think you misunderstood me. I was saying that the ping time was too low for dial-up, not DSL. I thought it didn't look like DSL because it doesn't trace through a BT home gateway, not because of the ping time.

Still, I don't know how Plus Net route DSL traffic. Is it IPstream? If it is, then does DSL traffic not have to backhaul through a BT home gateway?

If you think this is a DSL connection, are you saying that you think it's a NO NAT connection, with a range of public IPs, with the same reverse DNS entry set up for every IP? Guess that could make sense. So does this look like the route you'd expect to see for a Plus Net DSL connection?


1. *private*
2. *private*
3. *private*
4. *private*
5. GigabitEthernet5-0.linx1.lon1.level3.net
6. unknown.Level3.net
7. gige9-0.ipcolo1.London1.Level3.net
8. unknown.Level3.net
9. plusnet-gw1.nildram.net
10. gi9-0.vlan3.pth-ag1.plus.net
11. nascent5.plus.com
N/A

'Your_details.zip'

+Net manage their own Redback 10K carrier-class gateways. ISPs are free to use their own gateways, or a BT supplied one (like +Net used to use).

Here is a trace from the +Net monitors tools
Quote

1 vlan212.rhogan1.core.quay.plus.net (212.159.0.188) 0.411 ms 0.327 ms 0.315 ms
2 fa3-0.bhunajnr.core.plus.net (212.159.15.241) 0.843 ms 0.415 ms 0.394 ms
3 atm1-0.pth-gw1.core.telehouse.plus.net (212.159.1.66) 5.942 ms 5.881 ms 6.023 ms
4 gi1-1.pth-gw3.telehouse.core.plus.net (195.166.129.17) 5.981 ms 6.582 ms 6.227 ms
5 gi9-0.vlan3.pth-ag2.plus.net (212.159.1.4) 6.231 ms 6.379 ms 6.440 ms
6 acarr.plus.com (212.159.100.243) 21.720 ms 21.704 ms 21.960 ms


However, I don't have any dial-up customers' usernames to hand that are online, to show the route to such an address.

The fact it has multiple addresses assigned to it suggests a subnet, which is normally only provided for DSL customers.