
Thanks For The Viruses!


Firehouse16


I believe the virus scans people's address books, then sends out emails at random using other names in the "from:" header. Even though GC.com is there, it didn't necessarily come from them.

 

You would think that everyone here would be getting them as well, but I have not received a single virus from GC.

 

Other schmucks I know, yes, but not from here.


8 total until I killed the query. All were the same size, 1.2 MB.

 

for <firehouse16@kissalive.com>; Mon, 2 Feb 2004 05:39:07 -0800 (PST)

Received: from mail pickup service by bender.Groundspeak.com with Microsoft SMTPSVC;

Mon, 2 Feb 2004 05:39:13 -0800

Thread-Topic: [GEO] Pocket Query: Customized Search

thread-index: AcPpkfGkeNKrq0wdQK+l2vQzJ2ESug==

X-Mailer: Groundspeak .NET Mailer 0.9

From: <contact@geocaching.com>

To: <firehouse16@kissalive.com>

Subject: [GEO] Pocket Query: Customized Search

Date: Mon, 2 Feb 2004 05:39:13 -0800

Message-ID: <768201c3e991$f1a4e070$ada3fb3f@Groundspeak.com>

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_7683_01C3E94E.E381A070"

Content-Class: urn:content-classes:message

Importance: normal

Priority: normal

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0

X-OriginalArrivalTime: 02 Feb 2004 13:39:13.0015 (UTC) FILETIME=[F1A4E070:01C3E991]

 

This is a multi-part message in MIME format.

 

------=_NextPart_000_7683_01C3E94E.E381A070

Content-Type: text/plain;

charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

 

Here are the Pocket Query search results in the formats you requested.

 

41606.gpx: GPX is an extended GPS exchange format that can be read by both EasyGPS and ExpertGPS, as well as various other software applications. The latest version of EasyGPS for Groundspeak can be downloaded from the links section of Geocaching.com. You will need the latest version to read this format.

 

------=_NextPart_000_7683_01C3E94E.E381A070

Content-Type: application/octet-stream;

name="41606.gpx"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: attachment;

filename="41606.gpx"


That looks pretty legit, I'm not sure how well a spoofing job mydoom is doing, since I haven't had a single instance get thru here. It's also possible that the unzipped GPX is triggering a false positive, that's pretty common on some of the web-based email accounts like Yahoo. With the rush to get mydoom updates out on virus software, it's not unreasonable to suspect it's not very well refined. I still think if the gc.com mail server was infected, there would be tons of people getting it, and the added server load would probably have triggered an alarm somewhere by now. I agree it needs looking into, though.

Edited by Mopar

I'm leaning toward a false positive as well. The GPX file is not executable, I don't think there is any way for it to be infected.

Unless you aren't actually getting a GPX file, of course. Many email viruses pretend to look safe, like "41606.gpx.exe". Since the default Windows setting is to not display extensions like exe, you might not notice.

Edited by Mopar

From Symantec's site:

Attempts to send email messages using its own SMTP engine. The worm looks up the mail server that the recipient uses before sending the email. If it is unsuccessful, it will use the local mail server instead. The email will have the following characteristics:

 

From: The "From" address may be spoofed.

 

Subject: The subject will be one of the following:

test

hi

hello

Mail Delivery System

Mail Transaction Failed

Server Report

Status

Error

 

Message: The message will be one of the following:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

test

 

I'd lean towards a false positive as well...


Looks like a false positive to me as well.

 

The Pocket Query generator is programmed by me, and there is no possible way that MyDoom (or any virus, for that matter) would be able to be sent through that machine. All it does is build pocket queries and doesn't even have a mailserver installed.

 

Try zipping your queries so you don't get false positives. There has been a staggering number of poor virus filters implemented by system administrators lately.


This sounds like one of the false positives that were reported well before the current round of viruses (viri?) were released.

 

In one of my other email addresses, I've received a couple of suspect emails in the last week or so. If any email makes it through the filters and has one of the suspect headers, just delete it without opening it. Also, remember to update your anti-virus software often.

All it does is build pocket queries and doesn't even have a mailserver installed.

Oops. I meant it doesn't have a mail client, like Outlook.

 

This, and many of the other viruses around today are not self-spreading viruses, meaning someone has to consciously click to extract and run one of these scripts for it to do damage on your computer.

 

Since the Pocket Query generator is separate and untouched by human hands, the idea of a virus is unlikely. And even if the machine had MyDoom, there is no address book anyway, so it would just eat away at the poor Pocket Query machine but the virus would not spread.

 

The files coming from the Pocket Query generator are text files, so they couldn't have a payload anyway.

Well here in the last hour I've received no less than 5 identical pocket queries from gc.com, all have contained the Mydoom.eml virus! This is not cool!

Because of the spoofing, most likely it's someone else who has your email address who also gets PQs. Since GC generally shields the email addresses, it sounds like it's probably someone you know and communicate with directly.

Edited by GeckoGeek

There's no way an XML file can contain a virus. It's just text...

 

Unless it's some other file disguised as an XML file, but in this case I agree... your virus protection is throwing a false positive. Also, yahoo, etc. have been noted to cry that the GPX files are viruses if not zipped.


Perhaps TPTB can check the magic machine to verify 1) whether these files were sent by gc.com and 2) that they were not infected.

 

I know, I know... This does not have the earmarks of the current virus and the gpx files cannot be infected in this manner. However, it would put an end to this issue.

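The first of those two checks can be started by the recipient from the headers alone: every relay prepends its own Received: line, so the earliest hop shows which server first accepted the message, and the header quoted near the top of the thread shows Groundspeak's own server (bender.Groundspeak.com) taking the query from a local "mail pickup service". The following is an added example, not code from the thread or from Groundspeak, that reads that chain with Python's standard library. The sample headers are constructed, modelled on the quoted ones, and use documentation IP ranges (192.0.2.x, 203.0.113.x).

```python
"""Added example, not from the thread or from Groundspeak: read a message's
Received: trace from the earliest hop to the last and report which server
accepted it first, so the path can be compared with what the claimed From:
line should look like.  Sample headers are constructed."""
import email
import re
from email import policy

# "Received: from <handing-over host> by <accepting server> ..."
RECEIVED_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)",
                         re.IGNORECASE | re.DOTALL)


def received_chain(raw):
    """Hops in transit order (earliest first); each is {'from': ..., 'by': ...}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    # Each relay prepends its own Received: line, so the last header is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        hops.append({"from": m.group("from") if m else None,
                     "by": m.group("by") if m else None})
    return hops


def first_accepted_in_domain(raw, domain):
    """True if the earliest server that accepted the message is in `domain`.
    Only hops added by servers you trust are reliable; a sender can forge
    any Received: line that sits below them."""
    hops = received_chain(raw)
    if not hops or not hops[0]["by"]:
        return False
    host = hops[0]["by"].lower().rstrip(".;")
    return host == domain.lower() or host.endswith("." + domain.lower())


# Constructed: a query handed over by Groundspeak's own server after a local
# "mail pickup service" hand-off, as in the header quoted in the thread.
GENUINE = b"""Received: from bender.Groundspeak.com ([192.0.2.10]) by mx.kissalive.com with ESMTP; Mon, 2 Feb 2004 05:39:07 -0800 (PST)
Received: from mail pickup service by bender.Groundspeak.com with Microsoft SMTPSVC; Mon, 2 Feb 2004 05:39:13 -0800
From: <contact@geocaching.com>
Subject: [GEO] Pocket Query: Customized Search

body
"""

# Constructed: the same From: line, but the first hop is an unrelated host,
# which is what a worm using its own SMTP engine leaves behind.
SPOOFED = b"""Received: from 203-0-113-7.example-isp.net ([203.0.113.7]) by mx.kissalive.com with SMTP; Mon, 2 Feb 2004 06:02:41 -0800 (PST)
From: <contact@geocaching.com>
Subject: Mail Transaction Failed

body
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, received_chain(raw),
              first_accepted_in_domain(raw, "groundspeak.com"))
```

The domain to compare against is the one whose servers should appear first; in the thread that is Groundspeak's, not the geocaching.com address in From:, which is exactly the field MyDoom forges. Lines added by your own mail server are the trustworthy part of the trace; everything beneath them could have been written by the sender.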
------=_NextPart_000_7683_01C3E94E.E381A070

Content-Type: application/octet-stream;

name="41606.gpx"

Content-Transfer-Encoding: quoted-printable

Content-Disposition: attachment;

filename="41606.gpx"

Umm.. Hello? There is no issue.

 

The header listed above indicates that a GPX file was attached. Not an scr file, or a pif file, or even an exe. It was a GPX file. And the virus software incorrectly tagged it as a virus.

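Mopar's point about "41606.gpx.exe" hiding behind Windows' default of not showing known extensions, and the point above that the quoted MIME headers declare a plain GPX attachment, come down to the same check: read what each MIME part actually declares and carries. The following is an added example, not code from the thread or from Groundspeak, that does that with Python's standard library. The two sample messages are constructed, and the subject list is the one quoted from Symantec earlier in the thread.

```python
"""Added example (not from the forum thread or from Groundspeak): inspect a
MIME message the way the thread does by hand.  Each attachment's declared
name and type is recorded, executable or double extensions are flagged, a
part named .gpx is checked to really start as XML text, and the Subject is
matched against the MyDoom subject lines quoted from Symantec."""
import email
from email import policy

# Subject lines quoted from Symantec's description in the thread.
MYDOOM_SUBJECTS = {
    "test", "hi", "hello", "mail delivery system",
    "mail transaction failed", "server report", "status", "error",
}
# Extensions the thread names (scr, pif, exe) plus other directly runnable ones.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def extension_chain(filename):
    """All extensions of a name, lowercased: '41606.gpx.exe' -> ['gpx', 'exe']."""
    return filename.lower().split(".")[1:]


def looks_like_gpx(payload):
    """A real GPX file is XML text, so it starts with an XML prolog or a <gpx tag."""
    head = payload.lstrip()[:64]
    return head.startswith(b"<?xml") or head.startswith(b"<gpx")


def assess_attachment(part):
    """Declared name/type of one MIME part plus any red flags found."""
    filename = part.get_filename() or ""
    exts = extension_chain(filename)
    payload = part.get_payload(decode=True) or b""
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension")
    if len(exts) > 1:
        findings.append("double extension")
    if exts and exts[-1] == "gpx" and not looks_like_gpx(payload):
        findings.append("gpx name but non-XML content")
    if payload.startswith(b"MZ"):  # DOS/PE executable magic
        findings.append("PE executable header")
    return {"filename": filename, "content_type": part.get_content_type(),
            "findings": findings}


def assess_message(raw):
    """Parse a raw message and assess its Subject and every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    attachments = [assess_attachment(p) for p in msg.walk()
                   if p.get_content_disposition() == "attachment" or p.get_filename()]
    return {"subject_matches_mydoom_list": subject.lower() in MYDOOM_SUBJECTS,
            "attachments": attachments}


# Constructed: a Pocket Query mail shaped like the one quoted in the thread,
# carrying a tiny but real GPX document as quoted-printable.
SAMPLE_BENIGN = b"""From: <contact@geocaching.com>
Subject: [GEO] Pocket Query: Customized Search
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="iso-8859-1"

Here are the Pocket Query search results in the formats you requested.

--BOUND
Content-Type: application/octet-stream; name="41606.gpx"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="41606.gpx"

<?xml version=3D"1.0" encoding=3D"UTF-8"?>
<gpx version=3D"1.0"><wpt lat=3D"47.6" lon=3D"-122.3"/></gpx>

--BOUND--
"""

# Constructed: the disguise Mopar describes.  The attachment body is only the
# "MZ" magic bytes plus padding, base64-encoded; it is not a program.
SAMPLE_DISGUISED = b"""From: <contact@geocaching.com>
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: application/octet-stream; name="41606.gpx.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="41606.gpx.exe"

TVqQAAMAAAAEAAAA

--BOUND--
"""

if __name__ == "__main__":
    for label, raw in (("pocket query", SAMPLE_BENIGN), ("disguised", SAMPLE_DISGUISED)):
        print(label, assess_message(raw))
```

On the first sample the report comes back with no findings and a Subject that is not on the worm's list; on the second it flags the executable and double extension and the PE header regardless of what the name says. A scanner that works from the declared name alone is what produced the false positive in this thread, which is why the content check sits beside the name check.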
Jeremy's right. This is a false positive. I've had this issue myself with Yahoo which uses Norton to scan for viruses. Zipped GPX files are fine, but uncompressed GPX gets flagged as a virus.

 

The OP should edit their queries and select zipped format.


That's weird, I have Norton on my computer, and it doesn't give me any false positives on the one PQ that I didn't think to zip, and have been too lazy to think about doing it........Although I do agree you probably should zip your PQ's for several reasons, and I do with all mine except that one.....
