Firehouse16 Posted February 2, 2004 (edited)
Well here in the last hour I've received no less than 5 identical pocket queries from gc.com, all have contained the Mydoon.eml virus! This is not cool!
Edited February 2, 2004 by Firehouse16 & Code3
Mopar Posted February 2, 2004
Sure they aren't just spoofing that they are coming from GC.com? Did you check the full headers? It's possible, but I'm guessing it's more likely being sent from a fellow geocacher who has you in his address book.
The Cheeseheads Posted February 2, 2004
I believe the virus scans people's address books, then sends out emails at random using other names in the "From:" header. Even though GC.com is there, it didn't necessarily come from them. You would think that everyone here would be getting them as well, but I have not received a single virus from GC. Other schmucks I know, yes, but not from here.
Lazyboy & Mitey Mite Posted February 2, 2004
No viruses here either.
Firehouse16 Posted February 2, 2004 (Author)
8 total until I killed the query. All were the same size, 1.2 MB.

    for <firehouse16@kissalive.com>; Mon, 2 Feb 2004 05:39:07 -0800 (PST)
    Received: from mail pickup service by bender.Groundspeak.com with Microsoft SMTPSVC; Mon, 2 Feb 2004 05:39:13 -0800
    Thread-Topic: [GEO] Pocket Query: Customized Search
    thread-index: AcPpkfGkeNKrq0wdQK+l2vQzJ2ESug==
    X-Mailer: Groundspeak .NET Mailer 0.9
    From: <contact@geocaching.com>
    To: <firehouse16@kissalive.com>
    Subject: [GEO] Pocket Query: Customized Search
    Date: Mon, 2 Feb 2004 05:39:13 -0800
    Message-ID: <768201c3e991$f1a4e070$ada3fb3f@Groundspeak.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_NextPart_000_7683_01C3E94E.E381A070"
    Content-Class: urn:content-classes:message
    Importance: normal
    Priority: normal
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    X-OriginalArrivalTime: 02 Feb 2004 13:39:13.0015 (UTC) FILETIME=[F1A4E070:01C3E991]

    This is a multi-part message in MIME format.

    ------=_NextPart_000_7683_01C3E94E.E381A070
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    Here are the Pocket Query search results in the formats you requested.

    41606.gpx: GPX is an extended GPS exchange format that can be read by both EasyGPS and ExpertGPS, as well as various other software applications. The latest version of EasyGPS for Groundspeak can be downloaded from the links section of Geocaching.com. You will need the latest version to read this format.

    ------=_NextPart_000_7683_01C3E94E.E381A070
    Content-Type: application/octet-stream; name="41606.gpx"
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: attachment; filename="41606.gpx"
The Cheeseheads Posted February 2, 2004
Are they your pocket queries or somebody else's?
Mopar Posted February 2, 2004 (edited)
That looks pretty legit. I'm not sure how well a spoofing job mydoom is doing, since I haven't had a single instance get thru here. It's also possible that the unzipped GPX is triggering a false positive; that's pretty common on some of the web-based email accounts like Yahoo. With the rush to get mydoom updates out on virus software, it's not unreasonable to suspect it's not very well refined. I still think if the gc.com mail server was infected, there would be tons of people getting it, and the added server load would probably have triggered an alarm somewhere by now. I agree it needs looking into, though.
Edited February 2, 2004 by Mopar
Stunod Posted February 2, 2004
I notice you're not getting your PQ as a zipped file. Zipping might avoid the problems of "false-positive" virus detection.
Mopar Posted February 2, 2004 (edited)
I'm leaning toward a false positive as well. The GPX file is not executable; I don't think there is any way for it to be infected. Unless you aren't actually getting a GPX file, of course. Many email viruses pretend to look safe, like "41606.gpx.exe". Since the default Windows setting is to not display extensions like exe, you might not notice.
Edited February 2, 2004 by Mopar
The Cheeseheads Posted February 2, 2004
From Symantec's site:

    Attempts to send email messages using its own SMTP engine. The worm looks up the mail server that the recipient uses before sending the email. If it is unsuccessful, it will use the local mail server instead. The email will have the following characteristics:

    From: The "From" address may be spoofed.

    Subject: The subject will be one of the following:
      test
      hi
      hello
      Mail Delivery System
      Mail Transaction Failed
      Server Report
      Status
      Error

    Message: The message will be one of the following:
      Mail transaction failed. Partial message is available.
      The message contains Unicode characters and has been sent as a binary attachment.
      The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
      test

I'd lean towards a false positive as well...
Jeremy Posted February 2, 2004
Looks like a false positive to me as well. The Pocket Query generator is programmed by me, and there is no possible way that MyDoom (or any virus, for that matter) would be able to be sent through that machine. All it does is build pocket queries and doesn't even have a mailserver installed. Try zipping your queries so you don't get false positives. There has been a staggering number of poor virus filters implemented by system administrators lately.
sbell111 Posted February 2, 2004
This sounds like one of the false positives that were reported well before the current round of viruses (viri?) were released. In one of my other email addresses, I've received a couple of suspect emails in the last week or so. If any email makes it through the filters and has one of the suspect headers, just delete it without opening it. Also, remember to update your anti-virus software often.
Jeremy Posted February 2, 2004
> All it does is build pocket queries and doesn't even have a mailserver installed.

Oops. I meant it doesn't have a mail client, like Outlook. This, and many of the other viruses around today, are not self-spreading viruses, meaning someone has to consciously click to extract and run one of these scripts for it to do damage on your computer. Since the Pocket Query generator is separate and untouched by human hands, the idea of a virus is unlikely. And even if the machine had MyDoom, there is no address book anyway, so it would just eat away at the poor Pocket Query machine but the virus would not spread. The files coming from the Pocket Query generator are text files, so they couldn't have a payload anyway.
GeckoGeek Posted February 2, 2004 (edited)
> Well here in the last hour I've received no less than 5 identical pocket queries from gc.com, all have contained the Mydoon.eml virus! This is not cool!

Because of the spoofing, most likely it's someone else who has your email address and who also gets PQs. Since GC generally shields the email addresses, it sounds like it's probably someone you know and communicate with directly.
Edited February 3, 2004 by GeckoGeek
trippy1976 Posted February 2, 2004
There's no way an XML file can contain a virus. It's just text... Unless it's some other file disguised as an XML file, but in this case I agree... your virus protection is throwing a false positive. Also, yahoo, etc. have been noted to cry that the GPX files are viruses if not zipped.
Stunod Posted February 2, 2004
> Well here in the last hour I've received no less than 5 identical pocket queries from gc.com, all have contained the Mydoon.eml virus! This is not cool!

One thing I don't think has been asked... did you request the 5 PQs, or did they just show up?
sbell111 Posted February 2, 2004
Perhaps TPTB can check the magic machine to verify 1) whether these files were sent by gc.com and 2) that they were not infected. I know, I know... This does not have the earmarks of the current virus and the gpx files cannot be infected in this manner. However, it would put an end to this issue.
Jeremy Posted February 2, 2004
> ------=_NextPart_000_7683_01C3E94E.E381A070
> Content-Type: application/octet-stream; name="41606.gpx"
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: attachment; filename="41606.gpx"

Umm.. Hello? There is no issue. The header listed above indicates that a GPX file was attached. Not an scr file, or a pif file, or even an exe. It was a GPX file. And the virus software incorrectly tagged it as a virus.
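The two checks this thread keeps coming back to (Mopar's "is it really a .gpx or a hidden .gpx.exe?" and Jeremy's reading of the attachment headers) can be done mechanically with the Python standard library. This is an added example, not code from the thread or from Groundspeak; the message below is constructed to mirror the header shape quoted above (the recipient address and the second attachment are invented), and it reports, per attachment, the declared filename, whether the extension is executable or doubled, and whether the decoded bytes actually look like GPX/XML text.

```python
import email
from email import policy

# Extensions Windows treats as runnable; the thread mentions scr, pif and exe.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# Constructed sample: a PQ-style mail with the real GPX plus a disguised attachment.
CONSTRUCTED_MAIL = b"""From: <contact@geocaching.com>
To: <recipient@example.invalid>
Subject: [GEO] Pocket Query: Customized Search
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Here are the Pocket Query search results in the formats you requested.
--BOUNDARY
Content-Type: application/octet-stream; name="41606.gpx"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="41606.gpx"

<?xml version=3D"1.0" encoding=3D"utf-8"?>
<gpx version=3D"1.0"></gpx>
--BOUNDARY
Content-Type: application/octet-stream; name="41606.gpx.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="41606.gpx.exe"

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY--
"""

def classify_attachment(part):
    """Describe one MIME attachment: declared name vs. what the bytes look like."""
    name = part.get_filename() or ""
    exts = name.lower().split(".")[1:]           # "41606.gpx.exe" -> ["gpx", "exe"]
    payload = part.get_payload(decode=True) or b""  # undo quoted-printable/base64
    head = payload.lstrip()[:64]
    return {
        "filename": name,
        "content_type": part.get_content_type(),
        "executable_ext": bool(exts) and exts[-1] in EXECUTABLE_EXTS,
        "double_ext": len(exts) > 1,
        # GPX is plain XML text, so a genuine file starts with an XML prolog or <gpx.
        "looks_like_gpx": head.startswith(b"<?xml") or head.startswith(b"<gpx"),
    }

def inspect_attachments(raw_bytes):
    """Parse a raw RFC 822 message and classify every non-body part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [classify_attachment(p) for p in msg.iter_attachments()]
```

The From: header is deliberately not used as evidence, since, as the thread notes, MyDoom spoofs it; the attachment bytes are what decide.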
Cholo Posted February 3, 2004
Oops. That's not a word we want to hear from our top computer geek!
CompassCollector Posted February 3, 2004
> ------=_NextPart_000_7683_01C3E94E.E381A070
> Content-Type: application/octet-stream; name="41606.gpx"
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: attachment; filename="41606.gpx"
>
> Umm.. Hello? There is no issue. The header listed above indicates that a GPX file was attached. Not an scr file, or a pif file, or even an exe. It was a GPX file. And the virus software incorrectly tagged it as a virus.

Jeremy's right. This is a false positive. I've had this issue myself with Yahoo, which uses Norton to scan for viruses. Zipped GPX files are fine, but uncompressed GPX gets flagged as a virus. The OP should edit their queries and select zipped format.
IV_Warrior Posted February 3, 2004
> Jeremy's right. This is a false positive. I've had this issue myself with Yahoo, which uses Norton to scan for viruses. Zipped GPX files are fine, but uncompressed GPX gets flagged as a virus. The OP should edit their queries and select zipped format.

That's weird. I have Norton on my computer, and it doesn't give me any false positives on the one PQ that I didn't think to zip, and have been too lazy to think about doing it... Although I do agree you probably should zip your PQs for several reasons, and I do with all mine except that one...