Fact Check

Mail Server Report

Information about the Mail Server Report mass-mailing worm.

Published Oct. 4, 2006

Claim:

Virus:   Mail Server Report


MIXTURE OF REAL VIRUS WARNING AND HOAX


Example:   [Collected via e-mail, October 2006]


Services Alert Notification

Description of Problem. We have identified a new computer virus that arrives in an e-mail with the subject line "Mail Server Report".

Outage Duration. None. Email services and Internet access currently remain available.

Impact. We are working with our anti-virus vendor to obtain more information. The email arrives with an attached .zip file. It claims a worm was detected in an email you sent. You are asked to use the attached file to install updates that will eliminate the virus it has supposedly detected.

Action To Be Taken. Please do NOT open any Emails with attachments from individuals or organizations you are NOT familiar with. Also, since it is possible for viruses to "spoof" or fake the sender's address, do NOT open Emails with attachments from people you know, but from whom you were not expecting an attachment or if the attachment is a file type or file name that you customarily do not receive from this person. We have put filters in place to block future messages and have swept the e-mail system removing all messages that match the above description.


 

Origins:   The "IT Services Alert Notification" reproduced above was a valid warning from October 2006 that cautioned users of Windows-based PCs about a real mass-mailing worm which arrived via e-mail with a subject line of "Mail server report" and a body containing the following text:


Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service


 

In the guise of offering users an update to stop their computers from being used to spread mass-mailing worms, the "Mail server report" messages included attachments that when opened actually infected PCs with just such a worm, one known as Warezov.W or W32/Warezov.X.

In March 2008, a new warning began circulating that erroneously linked the name of the 'Mail Server Report' worm with elements of the 'Life is Beautiful' virus hoax and claimed that the resulting amalgam "HAS BEEN CONFIRMED BY SNOPES," thereby creating a combination that fused a real virus warning with aspects of a hoax virus warning:


Anyone-using Internet mail such as Yahoo, Hotmail, AOL and so on.

This information arrived this morning, Direct from both Microsoft and Norton.

Please send it to everybody you know who has access to the Internet.

You may receive an apparently harmless e-mail titled "Mail Server Report"

If you open either file, a message will appear on your screen saying:
'It is too late now, your life is no longer beautiful.'

Subsequently you will LOSE EVERYTHING IN YOUR PC, And the person who
sent it to you will gain access to your name, e-mail and password.

This is a new virus which started to circulate on Saturday afternoon.
AOL has already confirmed the severity, and the anti virus software's
are not capable of destroying it.

The virus has been created by a hacker who calls himself 'life owner'.

PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS, And ask them to
PASS IT ON IMMEDIATELY!

THIS HAS BEEN CONFIRMED BY SNOPES

https://www.snopes.com/computer/virus/mailserver.asp

Snopes also advises NOT TO OPEN MAIL WITH ATTACHMENTS unless you are expecting it.


 

This latter version is difficult to classify as either "true" or "false": The virus it references (i.e., the Mail Server Report worm) was a real one, but it's neither new nor currently rampant (as claimed in the warning text), nor does it manifest itself in the fashion described (since the "symptoms" provided in the warning are merely a reworking of the text of an earlier virus hoax). All in all, that message doesn't really merit the dire warning to "SEND A COPY OF THIS TO ALL YOUR FRIENDS, And ask them to PASS IT ON IMMEDIATELY!"

Additional information:





Warezov.W Warezov.W (F-Secure)

Last updated:   30 November 2008

David Mikkelson founded the site now known as snopes.com back in 1994.