Strange mail received

Hi, my first day here, but for sure there will be more..

I received a mail from Symantec support today that looked strange to me, and read like this:

 

Date: 18/12/2008 12:20:06
Subject: Re: Virus Sample
The sample file you sent contains a new virus version of buppa.k.
Please update your virus scanner with the attached dat file.
Best Regards,
Keria Reynolds
---------------

As far as I know, I had not sent any sample, and when I clicked on the attachment it read: Norton 360 removed attached.. Of course I didn't open it... Have any of you seen something like that?

Thks and see you later...

Did your 360 quarantine something at any time? Maybe it sent something to be analyzed…

Well no, I didn't do it, and if it was made by the program itself I can't tell, but in the history there isn't anything either, and I have never seen an answer like this before.

What really matters to me is that it could be a virus or something like that, because searching in Norton for buppa.k, there is nothing found. And you never know if they are using the name of Symantec so people trust the mail, and just open it up.

As I didn't know how/where to contact or just report it, I thought that asking here first would be a good idea.

So you haven't heard anything about buppa.k?

Thanks for trying to help

Could you forward it to me?

 

I will PM you my e-mail address; look for a gold in the top right corner. 

This would seem to be a known scam attack involving a virus in the attached file that I hope you did not run.

 

The following is from a Google search on the Keria Reynolds name! It's one of the other av program suppliers but it came up first. I'll come back with something from Symantec I hope shortly

 

 


 

Email 14

Subject: <any of the following>
• Re: Submit a Virus Sample
• Re: Virus Sample

Message Body: <any of the following>
• The sample file you sent contains a new virus version of mydoom.j.
  Please clean your system with the attached signature.
  Sincerly,
  Robert Ferrew
• The sample file you sent contains a new virus version of buppa.k.
  Please update your virus scanner with the attached dat file.
  Best Regards,
  Keria Reynolds

Attachment: <any of the following>
• signature
• datfiles

 

Delete the email and the attachment and then if you use Outlook Express go and Empty the Deleted folder and then go and empty your recycle bin!

 

Then run a full scan with your Norton 360 after running LiveUpdate to make sure it is up to date.


Here's some more information based on the belief that this is a version of Netsky that goes back to 2004!

 

Here's a link to a Symantec page about it including how to remove it -- this is fairly complex so hang on for suggestions from others who may actually have had to do this sort of thing.

 

Do you have your Norton 360 set to check your incoming mail? Which version of N360 is it? V1 or V2? Were the definitions up to date?

 

I sure hope you did not get infected by having clicked on the attachment!

Message Edited by huwyngr on 12-18-2008 05:12 PM
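
An added example (not from any poster in this thread or from Symantec): a mail check that matches the subject and body pattern quoted above and reports whether the attachment is still present or was already stripped by a scanner. The function names, the `example.invalid` sender and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Subjects and body phrase taken from the lure listing quoted in the thread.
LURE_SUBJECTS = {"re: submit a virus sample", "re: virus sample"}
LURE_BODY = re.compile(
    r"the sample file you sent contains a new virus version of (\S+)", re.I)

def classify(raw):
    """Classify one raw RFC 5322 message against the lure pattern."""
    msg = message_from_string(raw)
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    text, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            text.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    match = LURE_BODY.search(" ".join(" ".join(text).split()))
    is_lure = subject in LURE_SUBJECTS and match is not None
    if not is_lure:
        verdict = "no-match"
    elif attachments:
        verdict = "lure-with-attachment"      # quarantine, do not open
    else:
        verdict = "lure-attachment-stripped"  # scanner already removed the file
    # Sender and claimed virus name are free text: reported, never matched on.
    return {"verdict": verdict, "attachments": attachments,
            "claimed_name": match.group(1).rstrip(".") if match else None}

def sample(subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are inert."""
    m = EmailMessage()
    m["From"] = "support@example.invalid"  # placeholder sender
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"inert placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

LURE = ("The sample file you sent contains a new virus version of buppa.k.\n"
        "Please update your virus scanner with the attached dat file.\n")
if __name__ == "__main__":
    print(classify(sample("Re: Virus Sample", LURE, "datfiles")))
```

The second verdict covers the case in this thread, where the lure text arrived but the mail scanner had already removed the attached file.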

You are really fast in this forum, a real pleasure to see. I am very suspicious when I see something not fitting in, and don't open any attachments unless I'm 100% sure... My first PC got so infected I had to buy a new one, and since then I check very carefully... of course I can get fooled too, but not from a stranger...

You can clearly see the same pattern in your examples, as in the one I received. What a pity that there are so many people trying to fool you, and using the Symantec name, so it will look official and serious.

I will follow your advice right away, and warn some friends with even less experience than mine...

So thanks a lot, and have a merry X-mas both of you... and everybody else too of course

This is important: Please come back and tell us what result you got when N360 scanned your computer.

 

Before you run this complete scan, as I suggested earlier, do one thing: If N360 has a History or whatever it's called section where it says what it has done look in there and see if it says it spotted this attack and dealt with it. I'm not in N360 at the moment so I can't check and someone has said that N360 does not list History.

 

Please come back and tell us because that is how we learn to help others!

 

And even if N360 says it dealt with this attack, run a complete scan anyway.

Lissa, I have received no e-mail as of yet. What e-mail provider do you use? It may be filtered by Gmail -.-

Hi again, I'm trying to find as much info as poss, and it takes some time.. And the "normal" Norton had it much easier as you could check a history list, but none in N360.

As far as I can see today the only virus the spotted was 2 w32netsky and some tracking cookies, I found them under elements that you can restore.

The last post sent to Symantec was 10 Dec to Norton Community Watch, but no comments required and I think it was about a tracking cookie... And nothing else in any history list, but I will search a little more in the PC.

I have never had something called buppa.k, or at least I have never seen that name before.

Neither anything about a spotted attack these days, and almost all my configs are set as ask, so if I have had an attack I should have been warned and/or asked...

I will come back after doing the scan, most probably tomorrow as it is late at night here in Spain now.

I really like the interest you show in wanting to know our problems, so you can help us later on, so thank you again..

Brgds lissa

 

Hi Lissa,

 

The attachment you received along with this false email consists of Worm_Netsky.P. This new NETSKY variant propagates via email and shared folders. Upon execution, it creates the following files in the Windows folder:

  • FVPROTECT.EXE
  • USERCONFIG9X.DLL

The worm .EXE file executed by the infected user then executes USERCONFIG9X.DLL, which contains the worm's malicious routines (i.e. mass-mailing, shared folder propagation, etc.).

This worm propagates via email using its own Simple Mail Transfer Protocol (SMTP) engine. The email that this worm sends may have similar details like what you received.

 

Symantec had already released the virus definitions when one of its variants (W32.Netsky.P@mm!enc) was reported in the year 2004. That is why the Norton 360 detected and removed the attachment. Since the virus definitions for Netsky variants are already updated in Norton, you need not worry about the protection for your computer.

 

Yogesh

 

Hi Yogesh...

Thanks a lot. As I didn't execute it, I don't have to worry then, and then I don't tell you about the results of the scanning either?

I have had that virus attached before, but when Norton has removed something, I have always been told so by Norton. I have never seen a little note under an attachment, reading that it has been removed...

Everything is so strange, but if it is solved, perfect for me, and all my mailing list has been warned. It is really very easy to believe that the mail comes from Norton support.

Nice to meet you all, and again. thanks a lot ..

BRGS from Lissa

If you download the file, right click on it and hit scan w/ Norton.

 

Lissa, have you uploaded the file yet? 

And a question to the masses:

 

Is there a way to restore a risk to an e-mail; Lissa's malicious attachment was removed by Norton.

Lissa

 

<< the only virus the spotted was 2 w32netsky  >>

 

That's the netsky I referred to -- different names for different versions and by different AV companies.

 

The name in the email does not matter -- it could be anything.

 

So your Norton did spot it.

 

Do run the full system scan for safety however, after doing LiveUpdate just before you do.

 

Thanks for the feedback.

 

Don't even think of trying to get the file to send it to anyone even when asked in here unless they are one of the Symantec Staff with names in Red.

Message Edited by huwyngr on 12-18-2008 09:48 PM

Tech0utsider wrote:

If you download the file, right click on it and hit scan w/ Norton.

 

Lissa, have you uploaded the file yet? 


 



For goodness sake, leave well alone please! The last thing you want a user to do is to possibly risk attack just to have Norton scan it when it has already.

 

Please don't encourage this.

Now I have removed everything I had ref that mail, trash can is empty and tomorrow I run the whole scan. Right now it is past 4 in the morning/night, and soon it will be too late to go to sleep...

Thank you so much to all of you, I'm grateful for your kindness and it feels fine to know that you are here to help.

I'll come back after the scanning... bye bye for now

This has been a confusing thread. Lissa reported that there were threats in her e-mail. I did not realize that N360 nuked them. I asked for her to upload them; however N360 had already disinfected them.

 

 

Look forward to hearing the outcome – didn’t realize you were in Spain!


Tech0utsider wrote:

This has been a confusing thread. Lissa reported that there were threats in her e-mail. I did not realize that N360 nuked them. I asked for her to upload them; however N360 had already disinfected them.

 

 


 

Try using the Threaded View option then you can see who is replying to whom.

Hello.. Here I am again with my homework done. I ran the whole scan, and everything was OK, only a new tracking cookie. Impossible to see if N320 had stopped an attack from the mail we are talking about. The only thing shown in the history is a virus from Dec 11th.

In statistics (Don't know how you spell that?) I saw that in all the time I've had N320, there have been 17 viruses removed, but you can't see that in the history, a pity really, cause it is so much easier just to go to history and find everything there.. However, the most important just now is that I am safe and clean.

 

By the way, I don't really understand this thing about recovering files that have been cleaned from the risk or virus they had. Is that really safe? Why should I want them, and most important, is there a way to get rid of all that list, or part of it? I've been searching but can't see that possibility. It is a lot of space you lose with files you don't want.

 

Tech0utsider, I am really sorry if my question wasn't clear from the beginning, and I don't know where I failed as I tried to describe it the best I could, and I did write that in the clip with the attachment, it said that N320 had removed the attachment.

I am a newbie in this kind of things, and I need a full explanation if I have to do something, and I'm a bit slow writing and finding things, as I'm unsure where to find the info you need here to solve a problem, or report something wrong.

All of you have been so helpful to me, and if you got all the info you needed I think this is solved..but I don't know if you mark that, or if there is something I have to do...

Thanks again and have a merry x-mas with a lot of fun...

Lissa