Information about virus that hit FPN


Admin

Recommended Posts

The following was sent to all members. If your profile does not have your current email address, please update it:

 

The email pretending to be from fpnadmin and instructing you to download a new JavaScript version and ignore any virus warning messages did not originate from fpnadmin. If you check the headers it will be clear that it didn't originate from FPN, but that it is a spoof.

 

If you did activate the link in that message, and you ignored the virus warnings, your computer will now be infected with a virus. This virus spreads itself via message boards as well. If you log in to a message board, like FPN, the board gets infected with it, and via FPN it can then be spread faster than via email alone.

 

In order to get rid of this virus, please first get the latest virus updates, next scan your pc, and delete any viruses found.

 

Next, turn your computer off, completely. Wait 10 seconds and then restart your computer. The virus should be gone now.

 

Fortunately it is very easy to remove the virus from FPN itself.

 

However, since we won't reach everybody in time before they log in to FPN, it is likely that the virus will get injected a few times again. If you do get virus messages from your scanner, do not ignore them, but log out from FPN.

 

We will attend to it as fast as possible, every time it reappears. In this case you can try occasionally to see if it has disappeared. Once everybody who has an infected computer has it cleaned, things should return to normal again.

 

Kind regards,

the FPN Admin Team

This account is unmanaged.
Please direct questions and comments to FPN Admin email (fpnadmin@gmail.com), or directly to admin Wim (wimg) (http://www.fountainpennetwork.com/forum/index.php/user/17-wimg/).

Thank you very much in advance.

Warm regards,
The FPN Admin Team


Thanks to the admin team for jumping on this problem and fixing it (at least fixing it the first time :D ) so quickly.

 

I appreciate all of your efforts!

 

kathy wc

We find rest in those we love, and we provide a resting place in ourselves for those who love us. - Bernard of Clairvaux


Thank you FPN Admin folks. If we were paying you I would put you in for a bonus.

 

I saw the message late last evening, it did come as a popup but it appears my ZONE ALARM killed it before it did any harm.

Please visit my wife's website.

http://lh5.ggpht.com/_763_-2kMPOs/Sh8W3BRtwoI/AAAAAAAAARQ/WbGJ-Luhxb0/2009StoreLogoETSY.jpg


Thank you FPN Admin folks. If we were paying you I would put you in for a bonus.

 

I saw the message late last evening, it did come as a popup but it appears my ZONE ALARM killed it before it did any harm.

If you really want to give us a bonus:

 

Donation Link

 

:D



Thank you FPN Admin folks. If we were paying you I would put you in for a bonus.

 

I saw the message late last evening, it did come as a popup but it appears my ZONE ALARM killed it before it did any harm.

If you really want to give us a bonus:

 

Donation Link

 

:D

Done, wish it could be more. :D

Please visit my wife's website.

http://lh5.ggpht.com/_763_-2kMPOs/Sh8W3BRtwoI/AAAAAAAAARQ/WbGJ-Luhxb0/2009StoreLogoETSY.jpg


Odd, I did not receive the suspicious email, and my email address on file is correct (I always receive email from other forumers, PM notification emails, etc.)

 

I even plumbed through the depths of my *shudder* spam folder, but I didn't see anything. Maybe gmail just rox my sox and deleted the mail before it even went into my spam folder. :)

happiness isn't caused


Could be. I didn't get one either, and am glad I didn't. Another admin did.

 

There appears to be some randomness for whatever reason.

 

Regards,

 

Gerry


The email pretending to be from fpnadmin and instructing you to download a new JavaScript version and ignore any virus warning messages did not originate from fpnadmin. If you check the headers it will be clear that it didn't originate from FPN, but that it is a spoof.

Hi Admins

 

Actually, I don't think it was spoofed - it was sent through your network. I'm reporting this only because it may help in dealing with problems like this in future. Here are the headers of the offending message (my email address and domain obscured):

 

----------

Return-Path: <nobody@host.refactored.com>

Received: from host.refactored.com (unknown97.36.157.204.defenderhosting.com [204.157.36.97])

by smtp.midair.net with ESMTP (Mailtraq/2.8.0.2048) id SMTP53BCDC63

for *@*; Fri, 09 Feb 2007 12:25:14 -0000

Received: from nobody by host.refactored.com with local (Exim 4.52)

id 1HFUlk-0008Tc-3M; Fri, 09 Feb 2007 05:22:24 -0700

To: fpnadmin@gmail.com

Subject: Fountainpennetwork administration ( From The Fountain Pen Network )

From: "The Fountain Pen Network" <fpnadmin@gmail.com>

X-Priority: 3

X-Mailer: IPB PHP Mailer

Message-Id: <E1HFUlk-0008Tc-3M@host.refactored.com>

Date: Fri, 09 Feb 2007 05:22:24 -0700

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - host.refactored.com

X-AntiAbuse: Original Domain - *

X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]

X-AntiAbuse: Sender Address Domain - host.refactored.com

----------

 

And from your genuine message:

 

----------

Return-Path: <nobody@host.refactored.com>

Received: from host.refactored.com (unknown97.36.157.204.defenderhosting.com [204.157.36.97])

by smtp.midair.net with ESMTP (Mailtraq/2.8.0.2048) id SMTP53BEDC6B

for *@*; Fri, 09 Feb 2007 14:04:18 -0000

Received: from nobody by host.refactored.com with local (Exim 4.52)

id 1HFWK5-00034I-P7; Fri, 09 Feb 2007 07:01:57 -0700

To: fpnadmin@gmail.com

Subject: Urgent! Previous email from spoofed FPN address! ( From The Fountain Pen Network )

From: "The Fountain Pen Network" <fpnadmin@gmail.com>

X-Priority: 3

X-Mailer: IPB PHP Mailer

Message-Id: <E1HFWK5-00034I-P7@host.refactored.com>

Date: Fri, 09 Feb 2007 07:01:57 -0700

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - host.refactored.com

X-AntiAbuse: Original Domain - *

X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]

X-AntiAbuse: Sender Address Domain - host.refactored.com

----------

 

As you can see, those headers clearly show an identical forward path. I run my own mail server here, and this extract from my server log is conclusive:

 

----------

00001000 00000000 09/02/2007 12:25:08 SMTP: (Accept) Receiving connection from 204.157.36.97

+ 0000001A host.refactored.com (204.157.36.97) [09/02/2007 12:25]

00000001 0000001A 09/02/2007 12:25:09 EHLO host.refactored.com ---> 250 smtp.midair.net

00000001 0000001A 09/02/2007 12:25:13 MAIL FROM:<nobody@host.refactored.com> ---> 250 receiving from nobody@host.refactored.com

00000001 0000001A 09/02/2007 12:25:13 RCPT TO:<*@*> ---> 250 will send to *@*

00000001 0000001A 09/02/2007 12:25:13 DATA ---> 354 send the message, terminate with "."

00000001 0000001A 09/02/2007 12:25:14 DATA ---> 250 received the message, thanks

00000080 00000000 09/02/2007 12:25:14 Routing (Inbound) SMTP53BCDC63 (0 locked, 0 queued)

00000080 00000000 09/02/2007 12:25:14 Router: (Depth 0) SMTP53BCDC64: "(nobody@host.refactored.com) Fountainpennetwork administration ( From The Fountain Pen Network )" from nobody@host.refactored.com for (2 rcpts) *@*,inbound

00000200 00010003 09/02/2007 12:25:14 nobody@host.refactored.com sent "Fountainpennetwork administration ( From The Fountain Pen Network )"

00000001 0000001A 09/02/2007 12:25:14 QUIT ---> 221 have a nice day (SMTP Closing)

00000001 0000001A 09/02/2007 12:25:14 SMTP Client Disconnected (204.157.36.97): Normal Transaction

----------

 

The HELO argument, MAIL FROM and RCPT TO may all be forged, but not, I think, your IP address.

 

Hope this helps, apologies for length.

Col

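The comparison Col does by eye above (and the "check the headers" advice in the opening post) can be done mechanically. The following is an added example, not code from Col, the FPN admins or the board software. The two header blocks are transcribed from the messages quoted in this thread; the folding of continuation lines, the omitted bodies and the `*@*` redaction are assumptions, since the raw messages are not on the page. The point it demonstrates: only the topmost `Received` header is written by the recipient's own server, so the IP recorded there is the one thing the sender could not forge, and both messages show the same peer. It also shows that the `Return-Path`/`From:` domain mismatch appears in the genuine message too, so that alone is not evidence of spoofing.

```python
"""Compare the trustworthy hop in two sets of mail headers.

Added example (not part of the thread): the header blocks below are transcribed
from the two messages quoted in Col's post; continuation-line folding, the
omitted body and the `*@*` redaction are assumptions.
"""
import email
import email.utils
import re
from typing import Optional

SPOOF_HEADERS = """\
Return-Path: <nobody@host.refactored.com>
Received: from host.refactored.com (unknown97.36.157.204.defenderhosting.com [204.157.36.97])
\tby smtp.midair.net with ESMTP (Mailtraq/2.8.0.2048) id SMTP53BCDC63
\tfor *@*; Fri, 09 Feb 2007 12:25:14 -0000
Received: from nobody by host.refactored.com with local (Exim 4.52)
\tid 1HFUlk-0008Tc-3M; Fri, 09 Feb 2007 05:22:24 -0700
To: fpnadmin@gmail.com
Subject: Fountainpennetwork administration ( From The Fountain Pen Network )
From: "The Fountain Pen Network" <fpnadmin@gmail.com>
X-Mailer: IPB PHP Mailer
Message-Id: <E1HFUlk-0008Tc-3M@host.refactored.com>
Date: Fri, 09 Feb 2007 05:22:24 -0700

(body omitted)
"""

GENUINE_HEADERS = """\
Return-Path: <nobody@host.refactored.com>
Received: from host.refactored.com (unknown97.36.157.204.defenderhosting.com [204.157.36.97])
\tby smtp.midair.net with ESMTP (Mailtraq/2.8.0.2048) id SMTP53BEDC6B
\tfor *@*; Fri, 09 Feb 2007 14:04:18 -0000
Received: from nobody by host.refactored.com with local (Exim 4.52)
\tid 1HFWK5-00034I-P7; Fri, 09 Feb 2007 07:01:57 -0700
To: fpnadmin@gmail.com
Subject: Urgent! Previous email from spoofed FPN address! ( From The Fountain Pen Network )
From: "The Fountain Pen Network" <fpnadmin@gmail.com>
X-Mailer: IPB PHP Mailer
Message-Id: <E1HFWK5-00034I-P7@host.refactored.com>
Date: Fri, 09 Feb 2007 07:01:57 -0700

(body omitted)
"""

# IPv4 literal in square brackets, as MTAs write it in Received headers.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: str) -> list:
    """Received headers in wire order: index 0 is the hop written by the
    recipient's own server, the only one the recipient can vouch for."""
    msg = email.message_from_string(raw)
    return msg.get_all("Received") or []


def connecting_ip(raw: str) -> Optional[str]:
    """Peer address recorded by the recipient's MTA in the topmost Received
    header. Every hop below it was supplied by the sender and is only as
    trustworthy as the sender."""
    chain = received_chain(raw)
    if not chain:
        return None
    match = BRACKETED_IP.search(chain[0])
    return match.group(1) if match else None


def sender_domains(raw: str) -> tuple:
    """(envelope sender domain, From: header domain). A mismatch here is
    normal for a board mailer sending 'as' a gmail address from its own
    host, so on its own it is not evidence of spoofing."""
    msg = email.message_from_string(raw)
    envelope = email.utils.parseaddr(msg.get("Return-Path", ""))[1]
    header_from = email.utils.parseaddr(msg.get("From", ""))[1]
    return envelope.rpartition("@")[2], header_from.rpartition("@")[2]


def compare_origin(raw_a: str, raw_b: str) -> dict:
    """Summarise whether two messages reached the recipient from the same
    peer, which is the check Col's post performs by eye."""
    ip_a, ip_b = connecting_ip(raw_a), connecting_ip(raw_b)
    return {
        "ip_a": ip_a,
        "ip_b": ip_b,
        "same_relay": ip_a is not None and ip_a == ip_b,
        "hops_a": len(received_chain(raw_a)),
        "hops_b": len(received_chain(raw_b)),
    }


if __name__ == "__main__":
    for key, value in compare_origin(SPOOF_HEADERS, GENUINE_HEADERS).items():
        print(f"{key}: {value}")
    print("sender domains (suspect message):", sender_domains(SPOOF_HEADERS))
```

Run against a real message, paste the full raw headers in place of the transcribed blocks; the topmost `Received` line is the one your own provider added, and the address in it is what a hosting abuse desk needs, together with the `X-AntiAbuse` lines the host itself asks for.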

Kudos for the swift response and for having the nerve to close the forum while it got sorted - would all forum admins 'net-wide had the sense!

 

...

 

Of course, being a Mac-man, I had no problems here :P :rolleyes: :D :lol:

 

/sorry :ph34r:

Mark Goody

 

I have a blog.


As always, many thanks for a job well done (realizing it is an on-going one)!!!!

"But God demonstrates His own love toward us, in that while we were still sinners, Christ died for us." (Rom. 5:8, NKJV)

I didn't get a spoof email, but my browser told me the website was trying to download something on my computer. As I didn't know what that would be and I didn't see the need to download anything, I didn't allow the download. But I did get a virus warning from my anti-virus software, and I deleted everything my anti-virus told me to. So nothing bad happened here. :)

 

Thanks FPN Admin guys for the email. It explained why this website was acting so weird.

Maybe a tip for next time, mention a few admin names in the real email, that way we'll be even more sure that the email came from you guys.

 

Thanks again for handling this so well! :D


We're thinking of all kinds of ideas, but certainly want to hear suggestions that you may have...

 

As a standard type of defense, it would be helpful if every member reading this would remember that Admin would never, never send instructions to download something to the members using the Admin bot. If you are ever in doubt - please always check the FPN site itself for information or news about anything we feel needs to be passed on. Don't click on any links ever. Just go to the site independently of the email, and see if there's something in the News.

 

If it's not there - the email must have been a phoney...

 

Regards,

 

Gerry

 

PS - regarding similar headers... pretty much anything at all with regard to headers can be forged, and it's becoming rare that a real source of malicious email can be tracked down anymore...


Odd, I did not receive the suspicious email, and my email address on file is correct (I always receive email from other forumers, PM notification emails, etc.)

Same here. I didn't get the e-mail either. But my virus protection did alert me that I had a virus. :o I screamed for my husband/resident-computer-doctor. This is what I do any time I have computer problems. He did whatever computer-doctors do to rectify the problem. So now my computer is squeaky clean - for the moment anyway. :)

 

Judybug

So many pens, so little time!

 

http://img244.imageshack.us/img244/5642/postcardde9.png

 

My Blog: Bywater Wisdom


Odd, I did not receive the suspicious email, and my email address on file is correct (I always receive email from other forumers, PM notification emails, etc.)

Same here. I didn't get the e-mail either. But my virus protection did alert me that I had a virus. :o I screamed for my husband/resident-computer-doctor. This is what I do any time I have computer problems. He did whatever computer-doctors do to rectify the problem. So now my computer is squeaky clean - for the moment anyway. :)

 

Judybug

Judybug, do you have gmail as well?

 

I'm another one who didn't get anything, and I've got the gmail system tray alert deal going on--so I know that I've gotten every other notification and legitimate messages just fine.


One question remains: whodunnit? :D

"There is hardly anything in the world that some man cannot make a little worse and sell a little cheaper and the people who consider price only are this man's lawful prey."

- John Ruskin (1819-1900)

 

Pelikan M800 Green (18C-750 OM), Pelikan 4001 Königsblau

Pelikan M200 "Citroenpers" (14C-585 M), Diamine Monaco Red

Pelikan M200 "Citroenpers" (14C-585 F), Diamine Prussian Blue


I take it that one can't get the virus simply by logging on to FPN. One has to have received the bogus e-mail, and opened it. Yes? (I hope.)

 

P.S. I didn't receive the bogus e-mail.

Viseguy


I take it that one can't get the virus simply by logging on to FPN. One has to have received the bogus e-mail, and opened it. Yes? (I hope.)

 

P.S. I didn't receive the bogus e-mail.

Sorry, not correct. Once one person opened that email and then opened FPN, thereby infecting it, the virus could be spread from simply signing into FPN.

 

The site has been clear since we re-opened it. We also have no idea what the virus does, nor how harmful it is.

 

My advice, don't surf without virus protection.

