Possible E-Mail Virus

Status
Not open for further replies.

RSA2000

MIS
Sep 17, 2001
71
US
Hello,

I've got a weird problem . . . yesterday someone noticed their e-mail not being delivered to its destination. Once the server was checked it was determined that hundreds of e-mails were being sent out every minute, which was delaying the official e-mail from being delivered. My first thought was NIMDA! Of course the latest anti-virus signature files were updated and each station was checked for viruses. Two anti-viral programs were used and no viruses were found. Secondly, a NIMDA anti-removal tool was run on each workstation, which yielded no results as well. What the heck is this? I checked for any other viruses out there, but can't find anything. Any ideas?

 
May be Sircam; check for symptoms:
- Presence of SCam32.exe in the WINDOWS SYSTEM directory
- Presence of Run32.exe in the WINDOWS directory

Or Magistr; check for symptoms:
- Icons on the desktop move when the mouse cursor passes over them
- Increase in size of .EXE files (adds 24Kb or more)
- Infected files have a modified access date of the time of the infection
- Presence of a newly created .DAT file containing email addresses (representing those users which were sent the virus)

Otherwise it may be a memory resident virus/worm which regular virus checkers have difficulty with, or a spammer using your email server to mass email. Do you have any sort of firewall?
 
Thanks Paul,

Yes, we have a firewall and we are using NAT. I'll check to see if there are any workstations with the files as you indicated. I guess a spammer can get in if our ISP is infected with a virus . . . I guess?
 
Mostly spammers work with programs specifically written, and unfortunately available on the internet, to access mail servers so they don't need an infection as such although a back door trojan would be helpful to them.

As a matter of interest, can you track the email addresses being sent to, and do they have any attachments?
 
The e-mail messages that are non-deliverable I can view, and I see that they are using our server to send all of their spam mail out. I spoke with Novell today and installed the latest GWIA patch which fixes the relaying on the server, and that worked for 20 minutes and then the bastards were back! It is causing me grey hairs!
 
Bad news! Sounds like they are using an email flooder program. If the patches don't work, maybe changing the name of your SMTP server would do it as a last resort. I know this is a real nuisance for your users, but the spammers test servers by trying smtp.whatever.com until they find a server that is open. Either that, or Novell will have to try a little harder!

Just in case, I assume you have checked for a back door trojan on the system?
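The pattern the thread describes (an outside host handing the gateway hundreds of messages a minute addressed to outside recipients) is what an open relay looks like in the gateway's own logs, and it is the quickest way to confirm whether a relay fix actually held. The script below is an added example, not code from the thread, from Novell or from GroupWise. It assumes a hypothetical one-line-per-message log format, an internal network of 192.168.1.0/24, a single local domain example.com and a flood threshold of 100 relayed messages per minute; the sample log is constructed.

```python
"""Added example (not from the Tek-Tips thread, Novell or GroupWise): flag
open-relay abuse from mail-gateway log lines.

Assumptions, all hypothetical: one message per log line in the format
    <ISO-8601 timestamp> client=<ip> from=<sender> to=<recipient> status=<accepted|rejected>
the internal network is 192.168.1.0/24, the only local domain is example.com,
and PER_MINUTE_THRESHOLD or more relayed messages in one minute is a flood.
"""
import ipaddress
import re
from collections import Counter

LOCAL_DOMAINS = {"example.com"}                           # assumption
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption
PER_MINUTE_THRESHOLD = 100                                # assumption

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) from=(?P<sender>\S+) "
    r"to=(?P<rcpt>\S+) status=(?P<status>accepted|rejected)$"
)


def parse_line(line):
    """Return a dict of the line's fields, or None when it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    """True when the connecting client sits on one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def domain_of(address):
    return address.rpartition("@")[2].lower()


def is_relay_attempt(rec):
    """An outside client submitting mail for an outside recipient is relaying:
    the gateway is neither the origin nor the destination of that message."""
    return (not is_internal(rec["ip"])
            and domain_of(rec["rcpt"]) not in LOCAL_DOMAINS)


def analyse(lines):
    """Summarise relay attempts: totals, per-client counts, and the minutes
    in which relayed volume reached the flood threshold."""
    per_minute = Counter()
    per_client = Counter()
    accepted = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_relay_attempt(rec):
            continue
        per_minute[rec["ts"][:16]] += 1   # bucket by "YYYY-MM-DDTHH:MM"
        per_client[rec["ip"]] += 1
        if rec["status"] == "accepted":
            accepted += 1
    return {
        "relay_attempts": sum(per_client.values()),
        "accepted_relays": accepted,
        "per_client": dict(per_client),
        "flood_minutes": {m: n for m, n in per_minute.items()
                          if n >= PER_MINUTE_THRESHOLD},
    }


def build_sample_log():
    """Constructed sample: normal traffic, a burst of relayed spam from one
    outside host, then the same host being refused after the relay fix."""
    lines = [
        "2001-09-17T09:00:01 client=192.168.1.20 from=alice@example.com to=bob@partner.example status=accepted",
        "2001-09-17T09:00:02 client=198.51.100.7 from=news@partner.example to=alice@example.com status=accepted",
        "2001-09-17T09:00:03 client=203.0.113.45 from=promo@spam.example to=victim0@other.example status=accepted",
    ]
    lines += [  # 120 relayed messages stamped within a single minute
        f"2001-09-17T09:01:{s % 60:02d} client=203.0.113.45 from=promo@spam.example "
        f"to=victim{s}@other.example status=accepted"
        for s in range(120)
    ]
    lines += [  # after the fix: the same host is now refused
        f"2001-09-17T09:02:{s:02d} client=203.0.113.45 from=promo@spam.example "
        f"to=victim{s}@other.example status=rejected"
        for s in range(5)
    ]
    return lines


if __name__ == "__main__":
    report = analyse(build_sample_log())
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-zero `accepted_relays` after a relay patch is the signal that the fix did not take (or that another path, such as the alternative SMTP port or a second gateway, is still open); `per_client` gives the addresses to block at the firewall while that is sorted out.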
 