[TechAssist] Re: VIRUS WARNING " LHJDHKLH.EXE "

  • From: "Jeff Dougherty" <jeff@xxxxxxxxxxxxxxxxxx>
  • To: <techassist@xxxxxxxxxxxxx>
  • Date: Thu, 22 Nov 2001 11:28:07 -0500

Here is the info on this one from another list.
Maybe everyone that gets this should report them.

Yes. I find it easiest to work the headers from bottom up as this indicates
the path the e-mail message traveled. Some people prefer the top-down method.

The general format of a Received: line is ["from" host] "by" host
["via" network] ["with" protocol] "unique id" string ["for" recipient
address] ";" date.

Optionally you can think of it as Received from Named Server [receiving
server IP address] by Receiving server (receiving server software).

So the sender was ps99bnwq.willinet.net which has an IP address of
65.114.216.84. You should always verify the IP address and name by using
nslookup.

nslookup results for: 65.114.216.84
Server:  ns1.superb.net
Address:  207.228.225.5

Name:    ps99bnwq.willinet.net
Address:  65.114.216.84

Next I use nslookup and an MX request to find the mail exchanger records.
nslookup results for: -q=mx willinet.net
Server:  ns1.superb.net
Address:  207.228.225.5

Non-authoritative answer:
willinet.net    preference = 10, mail exchanger = intrigue.willinet.net

Authoritative answers can be found from:
willinet.net    nameserver = land.willinet.net
willinet.net    nameserver = ns2.cw.net
intrigue.willinet.net   internet address = 198.49.30.38
land.willinet.net       internet address = 198.49.30.33

So the user and mail server are both at willinet.net and the user identified
himself to the mailer as kennyb (from the standard SMTP [Simple Mail
Transfer Protocol] HELO command which also shows the userid).

Well, let's see what we can find out about willinet.net. To do so we use a
whois server.

Registrant:
Williams & Company Consulting, Inc (WILLINET-DOM)
    814 Pierce St
    Sioux City, IA 51101
    UNITED STATES

    Domain Name: WILLINET.NET

    Administrative Contact:
       Hostmaster  (HO11224-OR)  hostmaster@xxxxxxxxxxxxxxx
       Williams & Company
       814 Pierce St
       Sioux City , IA 51101
       UNITED STATES
       712-252-4041
       Fax- 712-252-5974
    Technical Contact:
       Hostmaster, Willinet Internet  (PD84)  hostmaster@xxxxxxxxxxxx
       Williams & Company Consulting Inc
       814 Pierce St
       Sioux City, IA 51101
       712-252-4041
    Billing Contact:
       Accounts Payable  (AP18793-OR)  ap@xxxxxxxxxxxxxxx
       Williams & Company
       814 Pierce St
       Sioux City , IA 51101
       UNITED STATES
       712-252-4041
       Fax- 712-252-5974

    Record last updated on 12-Apr-2001.
    Record expires on 20-Dec-2002.
    Record created on 19-Dec-1995.
    Database last updated on 21-Nov-2001 05:30:00 EST.

    Domain servers in listed order:

    LAND.WILLINET.NET            198.49.30.33
    NS2.CW.NET                   204.70.57.242

>If I read this correctly, this certain one was sent to two addresses at the
>same time?

Not really as the "for" is horribly mangled. Look where the double quotation
marks start and end. This is the main reason for you seeing them in the
header. Your POP3 client correctly specifies to whom the message was sent --
jeff@....

Looking at the whois information (no real names, just bogus user names), I'd bet
that "spam" actually was sent by this site and the spammer and domain owner
are one and the same.

If you have to complain about the spam, here are a couple of things to do:

1) Try the actual domain first (give them the benefit of doubt), that is,
address a complaint to "hostmaster@xxxxxxxxxxxx"

2) If you are satisfied by the results from 1), you are done; if not, turn them in to
Spamcop (http://spamcop.net/) and at the same time send a complaint to the
upstream provider. The upstream provider is determined by looking at the
results of the whois search and the domain name servers, in this case,
NS2.CW.NET. A whois search on CW.NET will give you the administrative
contact address. You can also look for an abuse or spam reporting address at
http://www.cw.net/



Jeff
mailto:Jeff@xxxxxxxxxxxxxxxxxx  www.9-11-2001tragedy.com
FAX 1-413-280-0677
Intrepid Video & Electronics
Harrisburg, PA 17111
717-909-8844
www.intrepid-video.com www.tech-repair.net www.thetoolcaddy.com
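The Received:-header walk described in the forwarded notes (split each hop into from host [ip] by host ... for recipient ; date, read the hops bottom-up, then check the claimed name against what the IP resolves to), as an added Python example that is not part of the original post. The sample headers, the recipient side (mx.example.com, jeff@example.com) and the reverse-DNS table are constructed from the addresses quoted above; a real check would run nslookup or a resolver library instead of the table.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the two hops the post describes
# (the post does not reproduce the spam's real headers).
SAMPLE_HEADERS = [
    "Received: from intrigue.willinet.net (intrigue.willinet.net [198.49.30.38])"
    " by mx.example.com with ESMTP id AAA123 for <jeff@example.com>;"
    " Thu, 22 Nov 2001 00:51:02 -0500",
    "Received: from ps99bnwq.willinet.net (ps99bnwq.willinet.net [65.114.216.84])"
    " by intrigue.willinet.net (8.9.3/8.9.3) with SMTP id BBB456;"
    " Thu, 22 Nov 2001 00:50:40 -0600",
]

# ["from" host [ip]] "by" host ["for" recipient] ";" date, as sketched in the post.
RECEIVED_RE = re.compile(
    r"^Received:\s*(?:from\s+(?P<from>\S+)(?:[^;]*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\])?)?"
    r"[^;]*?\bby\s+(?P<by>\S+)(?:[^;]*?\bfor\s+<?(?P<for>[^>;\s]+)>?)?[^;]*;\s*(?P<date>.+)$"
)

Hop = Dict[str, Optional[str]]


def parse_received(line: str) -> Optional[Hop]:
    """Split one Received: header into the fields the post walks through."""
    m = RECEIVED_RE.match(" ".join(line.split()))  # unfold continuation lines
    return m.groupdict() if m else None


def trace_path(headers: List[str]) -> List[Hop]:
    """Return hops bottom-up: the last Received: header is the first hop the
    message took, i.e. the one closest to the real sender."""
    hops = [h for h in (parse_received(x) for x in headers) if h]
    return list(reversed(hops))


# Constructed stand-in for nslookup: reverse map IP -> name, built from the
# addresses quoted in the post. A real check queries DNS instead.
REVERSE_DNS = {
    "65.114.216.84": "ps99bnwq.willinet.net",
    "198.49.30.38": "intrigue.willinet.net",
}


def verify_hop(hop: Hop, reverse_dns: Dict[str, str] = REVERSE_DNS) -> str:
    """Compare the name a hop claims in 'from' with what its IP resolves to."""
    ip, claimed = hop.get("ip"), hop.get("from") or ""
    if not ip:
        return "no IP recorded; cannot verify"
    actual = reverse_dns.get(ip)
    if actual is None:
        return f"{ip} has no reverse record; header claims {claimed}"
    if actual.lower() == claimed.lower():
        return "match"
    return f"mismatch: {ip} is {actual}, header claims {claimed}"
```

Only the hop stamped by a server you trust is reliable; anything below it was written by the sending side and is exactly what the reverse-DNS check is for.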
----- Original Message -----
From: "DOCVIDEO" <DOCVIDEO@xxxxxxxxxx>
To: <techassist@xxxxxxxxxxxxx>
Sent: Thursday, November 22, 2001 12:59 AM
Subject: [TechAssist] VIRUS WARNING " LHJDHKLH.EXE "


>
> Just received a virus " Troj_HYBRAIS.B" which virus program states is non-cleanable
> and quarantined.
>
> There was no sender name just a blank email with an attachment.....
> On checking sender source only return address was ...
> intrigue.willnet.net
> 65.114.216.108
> 198.49.30.38
>
>
>
> MONTE MONCRIEF
> BAKERSFIELD, CA.
> DOCVIDEO@xxxxxxxxxx
>
> =================================
> Help make your TechAssist database better!
> Submit your fixes here: http://circuitwork.com/techassist/tip/#tips
> =================================
> To UNSUBSCRIBE your email address, click here:
> mailto:techassist-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
