What to do?..


zox


Hi folks! I am in a dilemma on what to do. As some of you know, I am getting e-mails with the latest worm from "support@microsoft.com". That is not a big problem since I am protected and I am using Foxmail's powerful filters, which delete all messages with the worm on the server itself, without downloading to my PC. Since the mailing started a couple of days ago, it increased to 5-6 e-mails with the worm yesterday. I checked the header of all e-mails and discovered the IP of the person. At first I thought, ok, you've got war. I pinged that IP and scanned it and realized that it is probably not deliberate but some poor schmuck who has no idea about his infection. The IP is on the Rogers network, which I am part of too (www.rogers.com), our local cable provider. I figure it has to be someone who knows me and has my e-mail in their address book. I went a step further to find out who this person is so I can inform him/her that they are infected and they are infecting other people too. I discovered that on that IP is a PC running Windows, the mailer is OE6, it has open ports 137-139, which are NETBIOS ports for Windows file and printer sharing, and my last step was to find out who the users were on that PC. I've got the names of the users, but it strikes me that those names don't ring a bell. I asked my wife and brother but no one has any friends with those names. I am in awe, I mean what to do? Do I report them to our ISP? I didn't want to do that since the ISP can shut them down and they are probably unaware. C'mon smart folks, help me out. I mean it's not a big deal but it can be. The first worm I got infected my inbox, so I had to delete the inbox with messages from safe mode. Now my AV software is cleaning it properly, but it might continue in a changed form and with a tougher payload. You all know that your AV software is only as good as your latest definitions. What if the worm mutates and the AV definition is not ready, and I am first on this person's list to get the new mutation? I am also curious why this person has me in their address book if I don't know him/her. :D


jbredmound

Without a shadow of a doubt, I would urge you to contact your ISP. You are probably not the only "victim" here, and some of the others may not be sophisticated enough to find out what's happening to them. The neighborly thing to do is help them out by helping your ISP stop this threat. Wouldn't you want someone to tell you if your machine was suddenly a server for the bad guys? Do it quickly, before anyone else gets hurt.


Since you have the name of this person, give them a call and help them get rid of the problem. You always have the fallback of calling the ISP if they don't want to deal with the problem. Your email could have been obtained from the header of an email you sent. If you sent an email to a friend and they forwarded it to another friend... your email could be buried in a header of an email on a friend of a friend of a friend's PC.


Since you have the name of this person, give them a call and help them get rid of the problem
Well, I only have the names of the users, like "Frank" and "Anne", but not actual names etc. I wish I knew who they are so I could give them a call :D I'll probably end up calling the ISP as Jbredmound suggested. I just never dealt with a similar situation, so I needed advice. Thanks! :D

Martini Lover

I would want to know if it was me who was sending stuff out. Whether I heard it from you, or the ISP. I think you are doing EVERYONE a favor.


brucekrymow

You don't have to be infected to be the one "sending out" virii. Keep in mind that with most variations these days, the surreptitious malware simply spoofs addresses in both the send-to and the from fields quite randomly. You can be seemingly 'sending' infected e-mails without ever having been infected. Since this malware forges at least some of the info included in the header, it is nearly impossible to trace it to the person who is actually infected and the machine from whence it came. You can, however, read the machine ID (the computer workstation name) when using MS products such as OE or OL, as it is included in the header. In the SS below of an e-mail to myself via OE6, using a right-click of the message > 'Properties' > 'Details' tab > 'Message Source...' button, my workstation name is clearly revealed and surely denotes the originating machine, but unless it isn't as cryptic as mine and you recognize it, say, as part of a workgroup with which you may be associated, this info is useless unless you have a way of extrapolating a means of utilizing it to pinpoint the source. By the way, using a right-click of the message > 'Properties' > 'Details' tab > 'Message Source...' button is always a great way to view a suspicious message safely without opening it, and in fact would enable you to see beacons (hidden graphic tracking pixels), scripts, HTML or other maliciously used embedded coding or attachments.


+OK 71222 octets
Received: from JOG-Q7UTIK059IU [65.49.32.248] by dpmail11.doteasy.com with ESMTP
  (SMTPD32-7.13) id A79325E70050; Wed, 28 May 2003 08:36:51 -0700
From: <support@microsoft.com>
To: <xxx@xxx.ca>
Subject: Cool screensaver
Date: Wed, 28 May 2003 11:18:38 --0400
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="CSmtpMsgPart123X456_000_0009283A"
Message-Id: <20030528083700.SM00544@JOG-Q7UTIK059IU>
X-RCPT-TO: <xxx@xxx.ca>
Status: U
X-UIDL: 316846079

This is a multipart message in MIME format
--CSmtpMsgPart123X456_000_0009283A
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

All information is in the attached file.
--CSmtpMsgPart123X456_000_0009283A
Content-Type: application/octet-stream;
	name="screen_temp.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="screen_temp.pif

This is the actual header of one of the received e-mails with the worm; I just replaced my e-mail with xxx@xxx.ca. As you can see, the From field is spoofed with "support@microsoft.com", but it can't hide its origin, which in this case is:

Received: from JOG-Q7UTIK059IU [65.49.32.248] by dpmail11.doteasy.com with ESMTP
So this is the actual IP and user name. After I scanned this IP and checked open ports, I found out that the actual user accounts on this machine are: "Frank", "Anne" and "JOG-Q7UTIK059IU", which is probably the "hidden" worm. Also whois gave me this info:
CPE0040057416f6-CM014280012460.cpe.net.cable.rogers.com
Which is the Rogers cable ISP, the same one I am using. It's a very big ISP, one of the major ones in Ontario.
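The two things the thread actually reads out of the header (the connecting IP and HELO name in the Received line that zox's provider wrote, and the OE workstation name that brucekrymow notes ends up in the header) can be pulled out mechanically. The script below is an added example, not code from the thread or from any poster; it parses the header posted above, reassembled one field per line with the addresses redacted as on the page, the Date typo normalised, the truncated filename quote closed, and the base64 payload replaced by a placeholder. The regular expression is written for the `from NAME [IP] by SERVER` shape of that Received line and the risky-extension list is an assumed selection, not an exhaustive one.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from os.path import splitext

# Constructed sample: the header posted in this thread, reassembled one field per
# line (addresses redacted as on the page, the Date typo normalised, the truncated
# filename quote closed) with the base64 payload replaced by a placeholder.
SAMPLE = """\
Received: from JOG-Q7UTIK059IU [65.49.32.248] by dpmail11.doteasy.com with ESMTP
  (SMTPD32-7.13) id A79325E70050; Wed, 28 May 2003 08:36:51 -0700
From: <support@microsoft.com>
To: <xxx@xxx.ca>
Subject: Cool screensaver
Date: Wed, 28 May 2003 11:18:38 -0400
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="CSmtpMsgPart123X456_000_0009283A"
Message-Id: <20030528083700.SM00544@JOG-Q7UTIK059IU>

This is a multipart message in MIME format
--CSmtpMsgPart123X456_000_0009283A
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

All information is in the attached file.
--CSmtpMsgPart123X456_000_0009283A
Content-Type: application/octet-stream; name="screen_temp.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="screen_temp.pif"

AAAA
--CSmtpMsgPart123X456_000_0009283A--
"""

# "Received: from <HELO name> [<IP>] by <server>", the shape written by the server above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s+(?P<by>\S+)"
)

# Assumed selection of extensions Windows executes on double-click; not exhaustive.
RISKY_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}


def received_hops(msg):
    """Return the Received chain top-down (most recent hop first), one dict per parsed line."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())  # unfold continuation lines
        match = RECEIVED_RE.search(text)
        if match:
            hops.append(match.groupdict())
    return hops


def triage(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    hops = received_hops(msg)
    # The bottom-most Received line is the oldest hop. Only the lines added by your
    # own provider's servers are trustworthy; a sender can forge anything below them.
    origin = hops[-1] if hops else None

    # OE/OL put the workstation name after the '@' in Message-Id; compare it with HELO.
    m = re.search(r"@([^>\s]+)>?\s*$", str(msg.get("Message-Id", "")))
    msgid_host = m.group(1) if m else None

    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [n for n in attachments if splitext(n)[1].lower() in RISKY_EXT]

    return {
        "from_address": parseaddr(str(msg.get("From", "")))[1],  # sender-controlled, spoofed here
        "origin_helo": origin["helo"] if origin else None,       # client-supplied name
        "origin_ip": origin["ip"] if origin else None,           # as seen by the receiving server
        "received_by": origin["by"] if origin else None,
        "message_id_host": msgid_host,
        "helo_matches_message_id": bool(origin and msgid_host and origin["helo"] == msgid_host),
        "attachments": attachments,
        "risky_attachments": risky,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on the sample reports the spoofed From address separately from the connection-level facts: the IP the receiving server saw, the HELO name the client announced, and that the same name appears in the Message-Id, which is what ties the message to one workstation rather than to the forged sender. Everything needed for an abuse report to the ISP (the IP, the timestamp and the server that logged the connection) is in that one Received line, with no need to touch the remote machine.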