How to notify an infected broadband user

[Beauregard T. Shagnasty]

I'm getting about one to two dozen Worm.Mytob.T-2 infected messages
daily from a clueless Shaw cable subscriber who has my web site email
address on his computer. This has been going on for over a week. All I
know is the IP address, which has been constant.

Emails sent to several Shaw abuse addresses, complete with many of the
headers have been ignored.

Does anyone know how to send this computer some kind of visible notice
to tell Mr./Mrs. Clueless to clean the computer? I tried using ping
with large number of bytes and repeated for several minutes, but no joy.

 

[Heather]

I'm getting about one to two dozen Worm.Mytob.T-2 infected messages
daily from a clueless Shaw cable subscriber who has my web site email
address on his computer. This has been going on for over a week. All I
know is the IP address, which has been constant.

Emails sent to several Shaw abuse addresses, complete with many of the headers have been ignored.

Does anyone know how to send this computer some kind of visible notice to

tell Mr./Mrs. Clueless to clean the computer? I tried using ping

with large number of bytes and repeated for several minutes, but no joy.

It is a rather clandestine Canadian CSIS-backed operation destined to drive
Yanks nuts. (G) Seems to be working!!

In all honesty, they are a very large west coast (as in BC) outfit and
should pay attention to you.

My daughter just subbed this week......shall I see if she has any phone
numbers or abuse addresses that might work??? I am assuming they have an
800 number like my ISP does.

XX Figgs

 

[Virus Guy]

I'm getting about one to two dozen Worm.Mytob.T-2 infected
messages daily from a clueless Shaw cable subscriber

Shaw is one of the worst ISP's as far as zombie-infected customers
sending spam (and when you saw a viral post to usenet half the time it
was from Shaw).

I've suggested in the past that in these situations it's logical to
take advantage of the infection and do what-ever is possible to inform
the owner that their box is infected.

Is there enough known about Worm.Mytob.T-2 to be able to use a
back-door into that computer and do something to it so the user knows
something is wrong with it?

(yea yea just hold off on the moral comments about how wrong that is.
Sometimes you've got to fight fire with fire).

If you operate your own e-mail server then it's easy to block the IP
(or the whole sub-net).

 

[Beauregard T. Shagnasty]

It is a rather clandestine Canadian CSIS-backed operation destined
to drive Yanks nuts. (G) Seems to be working!!

In all honesty, they are a very large west coast (as in BC) outfit
and should pay attention to you.

I'm familiar with the ISP, and yes, I figured they should respond.
I've sent to:
(e-mail address removed), (e-mail address removed), (e-mail address removed)
and no response of any kind, not even bounces.

My daughter just subbed this week......shall I see if she has any
phone numbers or abuse addresses that might work??? I am assuming
they have an 800 number like my ISP does.

That would be loverly. I've been over their site, and nary a phone
number. Their Contact page is only about buying service, and still no
phone. Do you think they have an 800 number that works from the
states? <g>

 

[Beauregard T. Shagnasty]

Is there enough known about Worm.Mytob.T-2 to be able to use

Not by me... :-(

If you operate your own e-mail server then it's easy to block the IP
(or the whole sub-net).

No, I do not, so can't do that.

 

[Art]

I'm getting about one to two dozen Worm.Mytob.T-2 infected messages
daily from a clueless Shaw cable subscriber who has my web site email
address on his computer. This has been going on for over a week. All I
know is the IP address, which has been constant.

Emails sent to several Shaw abuse addresses, complete with many of the
headers have been ignored.

Does anyone know how to send this computer some kind of visible notice
to tell Mr./Mrs. Clueless to clean the computer? I tried using ping
with large number of bytes and repeated for several minutes, but no joy.

What about taking a long shot on Windows Messenger? Not sure, but
I'm under the impression that if the target IP address is known, and
the target has WM active, a message can be sent.

Art

http://home.epix.net/~artnpeg

 

[Heather]

I'm familiar with the ISP, and yes, I figured they should respond.
I've sent to:
(e-mail address removed), (e-mail address removed), (e-mail address removed)
and no response of any kind, not even bounces.


That would be loverly. I've been over their site, and nary a phone
number. Their Contact page is only about buying service, and still no
phone. Do you think they have an 800 number that works from the
states? <g>

I will give it a try....but she is probably out somewhere enjoying the
sunshine. As for our 800 numbers working for the US.....not sure. Some of
yours work for us, others don't. But worth a try.

Back atcha when i contact her.

Heather

 

[me]

I'm getting about one to two dozen Worm.Mytob.T-2 infected
messages daily from a clueless Shaw cable subscriber who
has my web site email address on his computer. This has
been going on for over a week. All I know is the IP
address, which has been constant.

Emails sent to several Shaw abuse addresses, complete with
many of the headers have been ignored.

Does anyone know how to send this computer some kind of
visible notice to tell Mr./Mrs. Clueless to clean the
computer? I tried using ping with large number of bytes
and repeated for several minutes, but no joy.

[ sarcasm ] Good luck w/ Shaw's abuse. [ /sarcasm ]

The only reaction (auto-resp) I ever received was from
(e-mail address removed). That was about 2 years ago and rare
(~1/10)

J

 

[Beauregard T. Shagnasty]

What about taking a long shot on Windows Messenger? Not sure, but
I'm under the impression that if the target IP address is known,
and the target has WM active, a message can be sent.

Never used it ... :-(

 

[Beauregard T. Shagnasty]

[ sarcasm ] Good luck w/ Shaw's abuse. [ /sarcasm ]
Heh...

The only reaction (auto-resp) I ever received was from
(e-mail address removed). That was about 2 years ago and rare (~1/10)

I've not even gotten an auto-responder... sent at least a half-dozen
to those three addresses.

 

[kurt wismer]

Art wrote:
[snip]

What about taking a long shot on Windows Messenger? Not sure, but
I'm under the impression that if the target IP address is known, and
the target has WM active, a message can be sent.

only if the messaging service is running and the traffic isn't blocked
by some firewall (which is getting increasingly unlikely these days)...

 

[Roger Wilco]

Never used it ... :-(

DOS box - net send ? should give you the format.

 

[Art]

Art wrote:
[snip]

What about taking a long shot on Windows Messenger? Not sure, but
I'm under the impression that if the target IP address is known, and
the target has WM active, a message can be sent.

only if the messaging service is running and the traffic isn't blocked
by some firewall (which is getting increasingly unlikely these days)...

One would _hope_ it's increasingly unlikely, but with something like
this it's likely that the user is running a "out of the box" install
of XP. I say it's definitely worth trying. The syntax is simple:

net send 192.168.1.1 Hi there! You are infected with ...

You put in the actual IP address, of course, and not the one
I typed.

Art

http://home.epix.net/~artnpeg

 

[Beauregard T. Shagnasty]

One would _hope_ it's increasingly unlikely, but with something
like this it's likely that the user is running a "out of the box"
install of XP. I say it's definitely worth trying. The syntax is
simple:

net send 192.168.1.1 Hi there! You are infected with ...

I've tried this before, and it never seems to work, from my W2K
system, at least.

You put in the actual IP address, of course, and not the one I
typed.

"An error occurred while sending a message to nn.nn.nn.nn

The message alias could not be found on the network."

(The clueless' IP masked.)

I believe "net send" is for use between/among the computers within a
Windows Workgroup network.

 

[Art]

I believe "net send" is for use between/among the computers within a
Windows Workgroup network.

Then why are spammers successful using it? I was just reading up
on it, and all the advice to disable it, and one of the many reasons
to disable it is its use by spammers. I'm still under the impression
that it would work if the target has WMS running and no firewall/
router blocking.

Art

http://home.epix.net/~artnpeg

 

[Beauregard T. Shagnasty]

Then why are spammers successful using it? I was just reading up on
it, and all the advice to disable it, and one of the many reasons
to disable it is its use by spammers. I'm still under the
impression that it would work if the target has WMS running and no
firewall/ router blocking.

Can't answer the question, Art. Maybe the spammers have some other
hacker method. I know little about hacking. <g>

 

[Beauregard T. Shagnasty]

Found this, which seems to reinforce that it's for the local network
only. Scroll down to "net send" of course.
http://www.computerhope.com/nethlp.htm

 

[Art]

Found this, which seems to reinforce that it's for the local network
only. Scroll down to "net send" of course.
http://www.computerhope.com/nethlp.htm

Found this which says different:

http://www.webopedia.com/TERM/N/Net_send.html

Makes sense to me that it can be used on the WAN as well as on
LANs

Art

http://home.epix.net/~artnpeg

 

[Beauregard T. Shagnasty]

Found this which says different:
http://www.webopedia.com/TERM/N/Net_send.html

Makes sense to me that it can be used on the WAN as well as on LANs

Hmm. You may be right. I discovered that *my* Windows Messenger was
disabled (well, I knew that 'cause I didn't want the spam popups). So
I re-enabled it, sent a message to the guy's IP, and got the response:

"The message was successfully sent to nn.nn.nn.nn"

So ... we'll see. Thanks, guys.

Figgs, if you find a phone number, I'll take that in case he didn't
really get it.

 

[Heather]

Hmm. You may be right. I discovered that *my* Windows Messenger was
disabled (well, I knew that 'cause I didn't want the spam popups). So
I re-enabled it, sent a message to the guy's IP, and got the response:

"The message was successfully sent to nn.nn.nn.nn"

So ... we'll see. Thanks, guys.

Figgs, if you find a phone number, I'll take that in case he didn't
really get it.

I wrote Elayne and asked her to find an 800 number......and if not, just the
local one. Hopefully she will return from the beach and let me know. I
will fire it off to you as soon as I get it.

Figgs