Virus/Trojan/WORM- with TFL return address

Hal · May 12, 2002, 10:27 AM

From :
webmaster <[email protected]>

To :
[email protected]

Date :
Fri, 10 May 2002 03:58:15 -0700

MIME-Version: 1.0
Received: from [] by hotmail.com (3.2) with ESMTP id MHotMailBEA4F2CC007340043762CFD9787BCF340; Fri, 10 May 2002 03:58:21 -0700
Received: from user-2ivf486.dsl.mindspring.com ([165.247.145.6] helo=Ozwi)by swan.prod.itd.earthlink.net with smtp (Exim 3.33 #2)id 17686I-0006U3-00for [email protected]; Fri, 10 May 2002 03:58:15 -0700
From [email protected] Fri, 10 May 2002 03:58:36 -0700
Message-Id: <[email protected]>

The size of the mail was 149KB and it contains a destructive .pif.

This seems to be the new one going around. From the return address it appears to be from TFL. It isn't. I repeat, it isn't coming from TFL What this one seems to do is search the address book of the infected user and use random legitimate email addresses as the return address so that it apperas the mail was sent from that person.

**Rich Lucibella** · May 12, 2002, 01:08 PM

RAE-
I get a lot of these warnings since all the bounced TFL mail comes to me. It appears that [email protected] used the TFL mailer innocently, perhaps using the"email this page to a friend" feature. The TFL Mailserver filters for viruses and notified you of the quarantine.

Could you foward me that email?
[email protected]

Rich

**Rich Lucibella** · May 12, 2002, 01:34 PM

RAE-
Ummm...c ould you email me in any case.
Your email is blocked and my PM feature is disabled.
Rich

[email protected] · May 12, 2002, 08:06 PM

We're getting tons of these as well, Rich - 1SKS and BladeForums.com both.

I've got Nortons on every computer that has either domain name access, and no Klez's are detected... must be someone else with our names as a mask.

Kevin

May 12, 2002, 10:27 AM	#1
Hal Senior Member Join Date: October 9, 1998 Location: Ohio USA Posts: 8,563	Virus/Trojan/WORM- with TFL return address From : webmaster <[email protected]> To : [email protected] Date : Fri, 10 May 2002 03:58:15 -0700 MIME-Version: 1.0 Received: from [] by hotmail.com (3.2) with ESMTP id MHotMailBEA4F2CC007340043762CFD9787BCF340; Fri, 10 May 2002 03:58:21 -0700 Received: from user-2ivf486.dsl.mindspring.com ([165.247.145.6] helo=Ozwi)by swan.prod.itd.earthlink.net with smtp (Exim 3.33 #2)id 17686I-0006U3-00for [email protected]; Fri, 10 May 2002 03:58:15 -0700 From [email protected] Fri, 10 May 2002 03:58:36 -0700 Message-Id: <[email protected]> The size of the mail was 149KB and it contains a destructive .pif. This seems to be the new one going around. From the return address it appears to be from TFL. It isn't. I repeat, it isn't coming from TFL What this one seems to do is search the address book of the infected user and use random legitimate email addresses as the return address so that it apperas the mail was sent from that person.

May 12, 2002, 01:34 PM	#3
Rich Lucibella Staff Join Date: October 6, 1998 Location: South Florida Posts: 10,229	RAE- Ummm...c ould you email me in any case. Your email is blocked and my PM feature is disabled. Rich __________________ S.W.A.T. Magazine Weapons, Training and Tactics for the Real World Join us at TFL or at AR15.com or on Facebook

May 12, 2002, 08:06 PM	#4
[email protected] Wise Guy Join Date: October 10, 1998 Posts: 665	We're getting tons of these as well, Rich - 1SKS and BladeForums.com both. I've got Nortons on every computer that has either domain name access, and no Klez's are detected... must be someone else with our names as a mask. Kevin __________________ Kevin Jon Schlossberg Owner, BladeForums.com www.bladeforums.com

May 12, 2002, 01:08 PM	#2
Rich Lucibella Staff Join Date: October 6, 1998 Location: South Florida Posts: 10,229	RAE- I get a lot of these warnings since all the bounced TFL mail comes to me. It appears that [email protected] used the TFL mailer innocently, perhaps using the"email this page to a friend" feature. The TFL Mailserver filters for viruses and notified you of the quarantine. Could you foward me that email? [email protected] Rich __________________ S.W.A.T. Magazine Weapons, Training and Tactics for the Real World Join us at TFL or at AR15.com or on Facebook