Topic: Warning message for sorethroat

suckingeggs, Senior Member, 343 posts, Mar 2003
posted 07-11-2003 09:32 AM
Hi Sorethroat,

My ISP bounced back a virus today, allegedly coming from you:

From: sorethroat sorethroat@xxxxxx.com
Subject: A WinXP patch
MIME-Version: 1.0
Content-Type: multipart/alternative;
{message} is infected with Exploit-MIME.gen.exe
Viruses: 1 Trojans: 0 Jokes: 0 Tests: 0

Just letting you and other chemtrail activists know.

theseeker, One moon circles, Damnit...I'm a doctor jim, 3403 posts, Jul 2000
posted 07-11-2003 02:01 PM
Mr. paranoid's passing around a virus! LOL! damn that made my day.... oh yeah... looks like we are going to warm up throat... how much of that upswing can be attributed to man?
lemme answer that: 0

suckingeggs, Senior Member, 343 posts, Mar 2003
posted 07-11-2003 02:56 PM
Ah, did the real culprit come to visit the scene of her crime, seektress?
[Edited 1 times, lastly by suckingeggs on 07-11-2003] 

Thermit, Tech, Houston, TX, 2691 posts, Jul 2000
posted 07-11-2003 03:35 PM
I too got some sort of virus email, addressed from "sorethroat". I don't know where it actually came from, but 'tis possible it's from ST. It could also be a fake 'from name', which the viruses do sometimes to get people annoyed at the wrong person. It could be that someone has a virus on their computer, where sorethroat is just in their contacts list......

suckingeggs, Senior Member, 343 posts, Mar 2003
posted 07-11-2003 04:40 PM
I have had it sent to me three times now?
[Edited 1 times, lastly by suckingeggs on 07-12-2003] 

theseeker, One moon circles, Damnit...I'm a doctor jim, 3403 posts, Jul 2000
posted 07-12-2003 03:38 AM
I have has it sent to me three times now? where are you from again!
[Edited 1 times, lastly by theseeker on 07-12-2003]

suckingeggs, Senior Member, 343 posts, Mar 2003
posted 07-12-2003 07:27 AM
Same virus attack now coming from thermonuclear@xxxxxxxxxxxxx.com. Is that you, Thermit? I guess the Jim Phelps stuff must be pushing the debunkers' buttons.
[Edited 1 times, lastly by suckingeggs on 07-12-2003]

Thermit, Tech, Houston, TX, 2691 posts, Jul 2000
posted 07-12-2003 10:12 AM
Not from here, suckingeggs. I use webmail exclusively for CTC, and so it is impossible for viruses to start going out from the site in email. Apparently whoever has this virus on their machine has sorethroat and thermonuclear in their address book.

Sore Throat, Senior Member, 722 posts, Sep 2000
posted 07-12-2003 02:35 PM
Sorry to hear about the virus issues. Some things to consider.

1. Those in the Rumpus Room have an email address that I have used.
2. Anyone can create an email using the name "sorethroat".
3. Many of the new virus/worms spread through ALL names in someone's address book.
4. The debunkers are increasingly desperate, resorting to increasing levels of distortions, lies and threats.

So you're right, they are like worms on the frying pan with the heat being turned up. Sizzle, squirm... and worst of all... STINK!

suckingeggs, Senior Member, 343 posts, Mar 2003
posted 07-12-2003 02:46 PM
I got two more faked e-mails with viruses from Thermit and one from EMFx13, well at least I am able to get the genuine activists' e-mail addresses :-) These paid debunkers will one day realise that they will be charged with crimes against humanity and the stupid mind controlled Freaks will have nowhere to hide. The money men would have done a bunk and they will be left with full archives of their twisted sick BS. Remember this well if you are paid for stalling the truth, for the truth will come about, the curtains of deception will fall and you ignorant SOBs will be looking through the bars with very sore arses... oops sorry Mr. Big, I thought it was a game to let your children die in the name of the transnational corporations I was paid to help pull the wool over you and your families' eyes... boohoo

theseeker, One moon circles, Damnit...I'm a doctor jim, 3403 posts, Jul 2000
posted 07-12-2003 03:42 PM
what was the file size of these virus mails, eggs? and the SMTP IDs? post the full headers and let's see what's up.... I really don't believe what you say... and considering how you don't get along with others very well... you could be just starting shit... at any rate... you probably scared the barium out of throat... with this post... and for that I thank you

theseeker, One moon circles, Damnit...I'm a doctor jim, 3403 posts, Jul 2000
posted 07-12-2003 06:48 PM
.^.

Lulu, ice behaving badly, right here, 2553 posts, Dec 2000
posted 08-11-2003 02:57 PM
HEADS UP PEOPLE!! I just received (to my Outlook Express e-mail account) an email from danrocktmc1@hotmail.com with header "Language"... blank body of e-mail... with attachments "Norton Antivirus Deleted1.txt" and "index-03-quicklinks[1[.jpg"
I am highly suspicious of these attachments, and by clicking on properties of the e-mail it really does look like a possible virus? The origin/source of the sender has two IPs, 205.152.59.73 and 68.18.83.241... the first traces back to Orlando FLA with 66% probability using "Try It" locale http://www.networldmap.com/TryIt.htm and using ARIN WHOIS http://www.arin.net/whois/ to BellSouth.net Inc. Atlanta, GA... the second IP traces to BellSouth.net Inc. as well in Atlanta, GA, and can't be traced using Try It Locale. I'm not saying this e-mail was, in fact, from Dan Rockwell, aka ManDannyRock, I am just giving a heads up in case anyone else receives similar. I urge y'all NOT to open attachments!

theseeker, One moon circles, Damnit...I'm a doctor jim, 3403 posts, Jul 2000
posted 08-11-2003 04:15 PM
whew! glad we don't get along anymore.... I appreciate the heads up... be careful retrieving header info... got nabbed real good doing that using norton... traceroute: 100% | 68.18.83.241 | adsl-18-83-241.sdf.bellsouth.net | Lousisville, KY, USA | | 62 | x | BellSouth.net Inc. BELLSNET-BLK13 |

Lulu, ice behaving badly, right here, 2553 posts, Dec 2000
posted 08-11-2003 05:50 PM
>>got nabbed real good doing that using norton<< Whoa!!! not good at all... What WHOIS are you using to bring up KY origin?

theseeker, One moon circles, Damnit...I'm a doctor jim, 3403 posts, Jul 2000
posted 08-11-2003 07:10 PM
a free trial of some ip trace software...uses virtual machine...I'd send it to ya...but with all you got going now...

emfx13, Moderator, Hayward Ca. U.S.A., 784 posts, May 2002
posted 08-11-2003 07:23 PM
quote: I got two more faked e-mails with viruses from Thermit and one from EMFx13,

Wow! This is the first time I've read this thread. I don't like the idea of someone using my name AT ALL! In the future it would be wise to inform us about this; I would have had people look into it sooner! Sounds like somebody is out to "tarnish" some names?? It ain't gonna happen! If you receive an e-mail from me/MOD I will use a subject name that you will be able to identify as from me.

theseeker, One moon circles, Damnit...I'm a doctor jim, 3403 posts, Jul 2000
posted 08-11-2003 10:05 PM
Baton Rouge, LA on the second one (mail)... Louisville confirmed with another choice of software... btw no telling whether it was Dan or not... I'd say not... and it's probably the same character that has been doing this sort of thing for a while around these parts... world's definately getting smaller though...
oh yeah... emfx, who the hell are you going to have look into it.... inquiring minds want to know (smirking)
[Edited 1 times, lastly by theseeker on 08-11-2003] 

Rogue, New Member, 11 posts, Aug 2003
posted 08-12-2003 02:42 AM
Seeker, you misspelled the word definitely, which is an amazing feat. I commend you. As far as all these sporadic emails are concerned, it could be related to the vulnerability found in most Windows OS (namely XP or MS2000). Whatever the case, it definitely sounds like a worm, first and foremost, not only a virus. Be that as it may, it isn't even necessarily an issue whether you click on attachments anyway. Newer versions of these worms have been coded to automatically seek vulnerable machines which are then infected by no action of the owner/user. I would recommend that if you are running any Windows system you get the most recent critical update released by MS. It will allegedly patch this vulnerability, although it appears the newest version of worms may be quite unstoppable. It's funny to me how those fools at DARPA created a semantic web of which they have since slowly lost control.

theseeker, One moon circles, Damnit...I'm a doctor jim, 3403 posts, Jul 2000
posted 08-12-2003 03:28 AM
don't you mean an amazing feet... welcome rogue... glad you could join in! and yes... yes... attention to detail is a marked trait... my friend... like a wart on the end of your nose... sitting back... you know when I reply to posts like these... a few for qualified ears... and... they hit... I just go >> damn << almost every time I do... fun conversing old boy... but by the time you've looked at this pretty picture I gotcha.... or not.... bwhaaawww! theatre is very important... moo

David, Chemtrail Information Agent, 1280 posts, Oct 2000
posted 08-12-2003 07:51 PM
Virus Profile

Virus Information
Name: W32/Lovsan.worm
Risk Assessment - Home Users: Medium-On-Watch - Corporate Users: Medium-On-Watch
Date Discovered: 8/11/2003
Date Added: 8/11/2003
Origin: Unknown
Length: 6,176 bytes
Type: Virus
SubType: Internet Worm
DAT Required: 4284

Virus Characteristics
This threat was proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default). This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands of their choosing.

When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to download the worm from the infected host system [TFTP UDP port 69].) Once run, the worm creates the registry key (may be either of the following):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
This will appear in regedit as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe

Indications of Infection
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (i.e. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown.

Method of Infection
This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans random ranges of IP addresses on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP. The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com. Computers that have up-to-date antivirus software will detect the worm executable upon download. However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code.
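A defender-side check for the spreading pattern the profile above describes, added here as an example and not part of David's post or the vendor profile: it walks constructed firewall log lines (the line format, the IPs and the port-hit thresholds are all assumptions) and flags a source that probes TCP/135 across several hosts, connects to TCP/4444 on a probed host, and then serves that host a TFTP pull on UDP/69.

```python
import re
from collections import defaultdict
# Constructed sample firewall log (not from the forum page); hypothetical line format:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>". 192.0.2.10 follows the
# Lovsan pattern (TCP/135 probes, TCP/4444 to a probed host, which then pulls a file back over
# TFTP UDP/69); 203.0.113.7 is ordinary noise that should not be flagged.
SAMPLE_LOG = """\
10:01:02 TCP 192.0.2.10:1034 -> 198.51.100.1:135 BLOCK
10:01:02 TCP 192.0.2.10:1035 -> 198.51.100.2:135 BLOCK
10:01:03 TCP 192.0.2.10:1036 -> 198.51.100.3:135 BLOCK
10:01:03 TCP 192.0.2.10:1037 -> 198.51.100.4:135 ALLOW
10:01:04 TCP 192.0.2.10:1038 -> 198.51.100.4:4444 ALLOW
10:01:05 UDP 198.51.100.4:1039 -> 192.0.2.10:69 ALLOW
10:02:00 TCP 203.0.113.7:2200 -> 198.51.100.9:80 ALLOW
10:02:01 TCP 203.0.113.7:2201 -> 198.51.100.9:135 BLOCK
"""

LINE_RE = re.compile(r"^\S+ (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

def parse(log_text):
    # Returns (proto, src_ip, dst_ip, dst_port, action) tuples; unparseable lines are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, src, _sport, dst, dport, action = m.groups()
            events.append((proto, src, dst, int(dport), action))
    return events

def blaster_like_sources(events, min_targets=3):
    """Map each suspicious source IP to the reasons it matched the profile: TCP/135 probes
    against several distinct hosts, TCP/4444 to a probed host, or a TFTP pull back to it."""
    probes, shells, tftp = defaultdict(set), defaultdict(set), defaultdict(set)
    for proto, src, dst, dport, _action in events:
        if proto == "TCP" and dport == 135:
            probes[src].add(dst)
        elif proto == "TCP" and dport == 4444:
            shells[src].add(dst)
        elif proto == "UDP" and dport == 69:
            tftp[dst].add(src)  # keyed by the TFTP server, i.e. the host that did the probing
    findings = {}
    for src, targets in probes.items():
        checks = [
            (len(targets) >= min_targets, f"TCP/135 probes to {len(targets)} hosts"),
            (bool(shells[src] & targets), "TCP/4444 shell connect to a probed host"),
            (bool(tftp[src] & targets), "UDP/69 TFTP pull from a probed host"),
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            findings[src] = reasons
    return findings
```

Run against real firewall exports, the 135-probe threshold is the knob to tune: a single blocked 135 attempt is everyday background noise, the three-part sequence is not.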

Lulu, ice behaving badly, right here, 2553 posts, Dec 2000
posted 08-12-2003 10:23 PM
Good info, thanks David. I heard on the local news tonight that the worm was probably invented by a 13 yr. old kid and will affect 50% of computers...??? Check for updates here ~ http://www.microsoft.com/security/security_bulletins/ms03-026.asp Thankfully my PC automatically alerts me to new updates and I install those right away, so I am safe... for now...

Rogue, New Member, 11 posts, Aug 2003
posted 08-13-2003 01:37 AM
As long as you get port 135 patched there should be no problem. Funny how this worm utilizes a very unique protocol. I highly doubt a 13 year old is responsible for this.

David, Chemtrail Information Agent, 1280 posts, Oct 2000
posted 08-13-2003 10:44 AM
So far this week, my firewall has blocked 863 attempted intrusions, most originating in Cologne, Germany, routing through Washington DC to the west coast, Glendale, then on to the bay area. Two more this a.m. so far.

suckingeggs, Senior Member, 343 posts, Mar 2003
posted 08-13-2003 10:55 AM
Had the RPC message for two days, could not even download the patch as it shut me down; fortunately e-mail still worked so a friend sent the patch and I can surf again. Funny thing is that I have up-to-date virus checkers and a very good firewall and an excellent ISP... so how did the worm get in, and even with the patch, what happens to the worm?