
What just happened? I'm puzzled about Norton Virus notice

This topic is archived.
Dover Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:36 AM
Original message
What just happened? I'm puzzled about Norton Virus notice
Not sure what happened. I received an email (supposedly) from my server informing me "email account disabling warning" in the subject line. The body of the text said (and I'm substituting the name of my server to maintain privacy):

__________________

Dear user of Servername.net e-mail server gateway,

Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.

Further details can be obtained from attached file.

For security purposes the attached file is password protected. Password --

Cheers,

The Servername.net team (and then a highlighted email address)

_______________

This message came with an attachment file.

Prior to opening this email I got a virus alert from Norton

Norton AntiVirus removed the attachment: TextDocument.zip.
The attachment was infected with the W32.Beagle@mm!zip virus.


So what just happened? Was the email really from my server or the results of a particular virus that accesses and uses the person's server name to send its virus thru an attachment?
yardwork Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:38 AM
Response to Original message
1. This is fake!
Don't download anything from this email. Delete it immediately. It's not really Norton. It's somebody trying to send you a virus disguised as a virus warning.
 
private_ryan Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:38 AM
Response to Original message
2. I hope you didn't open it
I got e-mails for everyone. Probably even the pope sent a few, I just have to search to find it. The titles, I think, are random, and e-mails are taken from those who opened the virus. Keep the virus scanner running and ignore those with attachments and funny names.
 
Dover Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:40 AM
Response to Reply #2
4. My Norton Anti-Virus wouldn't let me open the attachment.
I'm still confused. Did my Norton anti-Virus work or what?
 
private_ryan Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:45 AM
Response to Reply #4
7. yeah
it deleted or quarantined it.
 
Catshrink Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:39 AM
Response to Original message
3. I think it's a hoax...
don't open the attachment. You could email your provider directly and ask them about it. They probably have an address for that -- abuse@providername.net/com.

Give it a try. They'll understand your caution.
 
Dover Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:50 AM
Response to Reply #3
8. Here's what I did
Edited on Sun Mar-14-04 12:52 AM by Dover
At first I thought it was from my server...but the fact that my Norton Anti-Virus warned me about this email made me think that it probably was not. But I took the email that seemed to be from my server (management@myservername.net) and put the address in a new email message (rather than clicking reply to the original message).

I got back a postmaster failure notice that said this:

________________

Hi. This is the qmail-send program at smtp.myserver.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<myservername.net>:
query: select alias_username, alias_host from alias where username='alias' and alias='management';
query: select alias_username, alias_host from alias where username='alias' and alias='@';
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: MY EMAIL
Received: (qmail 6489 invoked by uid 0); 13 Mar 2004 22:49:42 -0600
Received: from myaddress by myservername.net by uid 92 with qmail-scanner-1.12 (avp. Clear:. Processed in 0.731396 secs); 14 Mar 2004 04:49:42 -0000
Received: from unknown (HELO calvtlt2d4qydc) (204.96.221.64)
by smtp.myservername.net with SMTP; 13 Mar 2004 22:49:41 -0600
Message-ID: <002201c4097f$c1d513c0$40dd60cc@calvtlt2d4qydc>
From: MY ADDRESS
To: <MYSERVERNAME.net>
Subject: Norton virus found in your email
Date: Sat, 13 Mar 2004 22:49:37 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_001F_01C4094D.76391240"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

This is a multi-part message in MIME format.

------=_NextPart_000_001F_01C4094D.76391240
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I received the following message from my Norton AntiVirus.......

Infection found in this email message.

Sender: MYSERVERBNAME.net
Recipient: Subject: E-mail account disabling warning

Not sure whether this means your own email has a virus or whether the =
problem is all mine. I will use your attachment file to see if I can =
clean up my software virus problem.
------=_NextPart_000_001F_01C4094D.76391240--


 
punpirate Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:40 AM
Response to Original message
5. Check the <message id> in the header...
... of the email you received. It's likely not the precise address of your provider.

Any virus trap actually used by your ISP would not include a virus attachment.

This is likely bogus, and invites you to open the attachment, thus infecting your computer.

Cheers.
 
NewHampster Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:41 AM
Response to Original message
6. It is a common new virus
Delete them.

Anyone can use your email address for crappy stuff.

Delete/Ignore
 
SheilaT Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:51 AM
Response to Original message
9. Never never never
open an attachment you aren't expecting. If it seems to be legit, but you're not sure about it, email the sender to double check.

These days I get at least two or three emails a day with an attachment that I'm certain contains a virus. I simply delete them all.
 
Dover Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 12:59 AM
Response to Reply #9
10. Yes that is my rule too, except this one seemed to be from my server.
That's what threw me off the track. Somehow this virus accessed my server name.
 
Trajan Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 01:09 AM
Response to Reply #10
11. Part of the fraud of such malicious emails...
is to 'spoof' email addies, and pretend to be from a reliable source ...

Don't open ANYTHING cept what you already expect from a known sender ...
 
Dover Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 01:10 AM
Response to Original message
12. Thank you all for the quick validation that this was a hoax.
This one almost fooled me...and I'm glad my Norton Anti-Virus weeded it out before I made the mistake of opening the attachment.
 
asjr Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 01:17 AM
Response to Reply #12
13. Whoever is doing it
has been busy. I received the same thing and called my server. He told me it is a virus. Luckily I did not open the attachment.
 
ConcernedCanuk Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 01:33 AM
Response to Original message
14. "NOT A HOAX, it's a brand new variant of "PE_BAGLE.N"
.
.
.

"Virus type: Worm

Destructive: No

Aliases: W32/Bagle.n@MM

Pattern file needed: 815

Scan engine needed: 6.810

Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low

Damage Potential: High

Distribution Potential: High



--------------------------------------------------------------------------------

Description:

As of March 13, 2004 10:45 AM (PST), TrendLabs HQ received several reports of this new BAGLE variant.

This file infector searches for files with certain extension names, from which it gathers target recipients. Using its own SMTP (Simple Mail Transfer Protocol) engine, it sends out email messages with a spoofed return address to the gathered email addresses and adds itself as an attachment.

This virus also spreads by dropping files in folders that have the text string "shar", for example, C:\Program Files\Kazaa\My Shared Folder.

It also has the ability to terminate certain processes, which are usually related to antivirus and firewall applications.

It runs on Windows 95, 98, ME, 2000 and XP.

............................................................

Click on graphic for the whole information




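The header check suggested in reply 5, applied to the kind of message the TrendLabs description in reply 14 outlines (a worm mailing with a spoofed return address). This is an added example, not part of the original thread: the sample message is constructed, `provider.example` and `home-pc-1234` are placeholders, and the three checks are heuristics rather than a complete filter.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: claims to come from the provider, but was handed to
# the provider's SMTP server by an unrelated host. No real payload included.
SAMPLE = """\
Received: from unknown (HELO home-pc-1234) (192.0.2.55)
 by smtp.provider.example with SMTP; 13 Mar 2004 22:30:00 -0600
Message-ID: <0022abcd@home-pc-1234>
From: management@provider.example
To: user@provider.example
Subject: E-mail account disabling warning
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Further details can be obtained from attached file.
--b1
Content-Type: application/zip; name="TextDocument.zip"
Content-Disposition: attachment; filename="TextDocument.zip"

(placeholder, no real payload)
--b1--
"""

RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".com")

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def header_findings(raw):
    msg = email.message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    # Message-ID is normally stamped by the sending system, not the claimed one.
    mid_host = msg.get("Message-ID", "").strip("<> \n").rpartition("@")[2]
    if not under(mid_host, claimed):
        findings.append(f"Message-ID host {mid_host!r} is not under {claimed!r}")
    # The topmost Received line is written by the recipient's own mail server.
    helo = re.search(r"\(HELO\s+([^\s)]+)\)", msg.get("Received", ""))
    if helo and not under(helo.group(1), claimed):
        findings.append(f"HELO name {helo.group(1)!r} is not under {claimed!r}")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment type: {name}")
    return findings
```
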
 
Dover Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 01:44 AM
Response to Reply #14
15. So was my computer infected?
I did two things....I attempted to open the attachment but could not (my Norton Anti-virus wouldn't permit it).

And I created a new email and typed in the phoney server return address to see if it was for real, and got a mail failure notice.

So did either of those two things infect my system or am I okay?
 
ConcernedCanuk Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 01:52 AM
Response to Reply #15
16. Did you read the article ?
.
.
.

It tells you what to check for

certain files and registry keys depending on which system you have

It's all there in the link

- the trend micro image I put in my post is the link -

oh

ok

here's the "naked" link

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.N

and DON'T do any more "responding" - because even though you got a "failure" - the receiving end can sometimes detect you, and so you just "verified" that they "gotcha" ! ?? (that's just a maybe, don't get unglued on that)

READ the whole article thoroughly, and take your time about anything you do -

there are different measures depending on your system - -

 
Dover Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Mar-14-04 02:00 AM
Response to Reply #16
17. Many thanks..........didn't see the link in your first post.
..