This page contains additional information about warnings issued by the TELUS Internet Abuse Department. You may have been referred here because Internet abuse has been tracked to your Internet account. You may or may not be aware of these activities originating from your computer and Internet connection; however, as the account holder, you are ultimately responsible for your Internet account.
- What is Internet abuse?
- How was the reported Internet abuse tracked to my account?
- I am unaware of these activities from my Internet connection, what can I do?
- Do you have specific suggestions for removing specific viruses:
- What can I do to minimize the spam coming into my telus.net mail box?
- My firewall tells me that somebody from the Internet is trying to access my computer; how and where do I report these intrusions?
- I didn't receive an e-mail from TELUS; where did you send the e-mail?
- I don't use my telus.net e-mail address, why did I get a virus warning?
- I have checked my computer for viruses and the anti-virus program did not find any virus. What else can I do?
- What is the impact when my computer has a virus?
- How did my computer get a virus?
- If my computer was infected through TELUS' Internet connection, shouldn't TELUS be able to stop it?
- Can TELUS send someone to remove the virus from my computer?
- Who complained about this Internet abuse?
- What is this copyright infringement warning?
- I thought downloading files was OK in Canada. What did I do wrong?
- I don't use my telus.net e-mail address, how can my computer be sending e-mails with virus?
- Do you have specific suggestions for removing specific viruses: (a) slammer (b) phatbot (c) korgo
- Your warning says my IP address was 220.127.116.11. When I run ipconfig, my computer's IP address is 192.168.0.12. Are you sure you're correct?
What is Internet Abuse?
Generally, Internet abuse is any action that violates the Acceptable Use Policy (AUP). These violations will include the following:
- Sending spam or unsolicited e-mail
- Port scans which may or may not probe another computer's or network's vulnerability. Many computer or network administrators view port scans as a prelude to a full-scale attack
- Denial-of-service (DoS) attacks which flood a particular computer/server or network with many requests such that the server or network cannot process any other request from other Internet users, thus making the server unavailable to other Internet users
- Copyright infringement - unauthorized distribution of copyrighted materials
- Offensive communication
How was the reported Internet abuse tracked to my account?
To track down an IP at the time of activity, Internet Abuse needs at least 3 pieces of information:
- IP address at the time of activity
- Date of the activity
- Time of the activity
- GMT (UTC) offset of preceding time - remember, the complainant can be from a different time zone (GMT is Greenwich Mean Time, also called UTC, Universal Time Coordinated)
Every computer that is connected to the Internet has a unique IP address. ISPs have server log files showing which account an IP address was assigned to at a given date and time. The TELUS Internet Abuse Team does not have access to another ISP's server log files. This is why it is important to send the complaint to the appropriate ISP. To find the ISP for a specific IP address, many Internet users use the ARIN (American Registry for Internet Numbers) WHOIS lookup tool at http://www.arin.net/. ARIN's database is currently being updated to include Abuse contact information.
Below is sample complaint information showing the required details (IP addresses xxx'd to protect privacy):
- e-mail's full header information for spam or any e-mail related complaints, including threats, harassments, etc.:
Received: from rly-yb05.mx.aol.com (rly-yb05.mail.aol.com [172.18.205.137])
  by air-yb02.mail.aol.com (v104.18) with ESMTP id MAILINYB21-19d4217064c363; Sat, 19 Feb 2005 04:26:59 -0500
Received: from mail.com (s216-x-y-205.bc.hsia.telus.net [216.xxx.yy.205])
  by rly-yb05.mx.aol.com (v104.18) with ESMTP id MAILRELAYINYB53-19d4217064c363; Sat, 19 Feb 2005 04:26:38 -0500
Reply-To:
From: "Á¦•Î´Ï¸ðÄ³³ª´Ù"
Subject: ÃÖ´Ü±â ¹Ì±¹ Ãë¾÷ºñÀÚ (H-1) Ãëµæ
Date: Sat, 19 Feb 2005 01:26:38 -0800
MIME-Version: 1.0
- unedited firewall logs in text format for port scan or intrusion complaints or virus complaints: All timestamps are in GMT
Feb 19 09:54:07 DENY proto tcp 66.xxx.xxx.123:4259 199.aaa.bbb.194:1433 L=48 S=0x00 I=40625 F=0x4000 T=112 SYN
Feb 19 09:54:07 DENY proto tcp 66.xxx.xxx.123:4260 199.aaa.bbb.195:1433 L=48 S=0x00 I=40628 F=0x4000 T=112 SYN
Feb 19 09:54:07 DENY proto tcp 66.xxx.xxx.123:4261 199.aaa.bbb.196:1433 L=48 S=0x00 I=40641 F=0x4000 T=112 SYN
Feb 19 09:54:07 DENY proto tcp 66.xxx.xxx.123:4262 199.aaa.bbb.197:1433 L=48 S=0x00 I=40642 F=0x4000 T=112 SYN
Feb 19 09:54:07 DENY proto tcp 66.xxx.xxx.123:4263 199.aaa.bbb.198:1433 L=48 S=0x00 I=40643 F=0x4000 T=112 SYN
Feb 19 09:54:10 DENY proto tcp 66.xxx.xxx.123:4259 199.aaa.bbb.194:1433 L=48 S=0x00 I=41217 F=0x4000 T=112 SYN
Feb 19 09:54:10 DENY proto tcp 66.xxx.xxx.123:4260 199.aaa.bbb.195:1433 L=48 S=0x00 I=41214 F=0x4000 T=112 SYN
Feb 19 09:54:10 DENY proto tcp 66.xxx.xxx.123:4263 199.aaa.bbb.198:1433 L=48 S=0x00 I=41230 F=0x4000 T=112 SYN
- copyright infringement complaint:
Title: Billy Madison
Infringement Source: FastTrack
Initial Infringement Timestamp: 18 Feb 2005 10:39:01 GMT
Recent Infringment Timestamp: 18 Feb 2005 10:39:01 GMT
Infringer Username: lakai_x@fileshare
Infringing Filename: Billy Madison (1 of 2).AVI
Infringing Filesize: 185837056
Infringers IP Address: 205.xxx.yyy.13
Infringers DNS Name: d205-xxx-yyy-13.bchsia.telus.net
Infringing URL: FastTrack:?ip=205.xxx.yyy.13&port=1214&sip=205.xxx.y.32&sport=1991&pip=24.x.y.171&user=lakai_x
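An added example, not part of the original TELUS page: a Python sketch that reads firewall log lines in the layout of the excerpt above, converts local timestamps to UTC using the offset the complainant supplies, and summarizes which source IP probed which port across how many hosts. The sample lines are constructed (RFC 5737 documentation addresses, local time assumed to be UTC-8), and the `year`, `utc_offset_hours` and `min_targets` parameters are assumptions of this example, since the log itself carries neither a year nor a time zone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the same layout as the log excerpt above; addresses
# come from the RFC 5737 documentation ranges, timestamps are local (UTC-8).
SAMPLE_LOG = """\
Feb 19 01:54:07 DENY proto tcp 192.0.2.123:4259 198.51.100.194:1433 L=48 S=0x00 I=40625 F=0x4000 T=112 SYN
Feb 19 01:54:07 DENY proto tcp 192.0.2.123:4260 198.51.100.195:1433 L=48 S=0x00 I=40628 F=0x4000 T=112 SYN
Feb 19 01:54:07 DENY proto tcp 192.0.2.123:4261 198.51.100.196:1433 L=48 S=0x00 I=40641 F=0x4000 T=112 SYN
Feb 19 01:54:10 DENY proto tcp 192.0.2.123:4259 198.51.100.194:1433 L=48 S=0x00 I=41217 F=0x4000 T=112 SYN
Feb 19 01:55:30 DENY proto tcp 192.0.2.77:51000 198.51.100.194:80 L=48 S=0x00 I=100 F=0x4000 T=112 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) DENY proto (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ")


def parse_line(line, year, utc_offset_hours):
    """Return (utc_time, src, dst, proto, dport) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    # The log carries no year, so the caller supplies it.
    local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    utc = local.replace(tzinfo=local_tz).astimezone(timezone.utc)
    return utc, m["src"], m["dst"], m["proto"], int(m["dport"])


def summarize(log_text, year, utc_offset_hours, min_targets=3):
    """Group denied probes by (source, proto, port); keep sources hitting >= min_targets hosts."""
    groups = defaultdict(lambda: {"targets": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line, year, utc_offset_hours)
        if rec:
            utc, src, dst, proto, dport = rec
            g = groups[(src, proto, dport)]
            g["targets"].add(dst)
            g["times"].append(utc)
    return [
        {"source_ip": src, "proto": proto, "port": port, "targets": len(g["targets"]),
         "first_seen_utc": min(g["times"]).isoformat(),
         "last_seen_utc": max(g["times"]).isoformat()}
        for (src, proto, port), g in sorted(groups.items())
        if len(g["targets"]) >= min_targets
    ]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG, year=2005, utc_offset_hours=-8):
        print(entry)
```

The summary gives the source IP, date, time and UTC normalization an abuse desk needs; the unedited log lines should still accompany the complaint.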
I am unaware of these activities from my Internet connection, what can I do?
If you are unaware of this sort of activity originating from your computer you may want to check with other users in the household as well as for viruses on every computer using the connection. This could account for unwanted/unauthorized activity originating from your system.
If you are using a router with wireless capabilities, please ensure it is configured securely. For more information on how to secure your wireless router please check with the manufacturer. Preventing unauthorized access to your router will likely result in better network performance. If you have a router supplied by TELUS, then contact our helpdesk at 310 TECH (8324). They can help you secure your wireless connection. If you have a router purchased elsewhere, then contact your router's manufacturer for further help.
Do you have specific suggestions for removing specific viruses:
- Torpig Trojan (aka Sinowal, Win32, Mebroot, Asernin)
- Other common viruses: Trojan YoyodDos, Ponmocop, Sality, Secunia, Zbot/Zeus
- Torpig Trojan (aka Sinowal, Win32, Mebroot, Asernin) - This trojan application is a data miner, meaning it steals and transmits personal information from your computer, including bank account and credit card numbers. Sinowal will log keystrokes, as well as capture the titles of open windows and text documents, and send this highly sensitive information to a remote user over the Internet. Sinowal's main destructive payload is infecting the Master Boot Record code and wreaking havoc on the infected system. Sinowal installs a rootkit in the early stages of the system boot process, where it hides on your system and makes detection extremely difficult.
- Rustock - The Rustock botnet infects computers running Windows. It is capable of sending large amounts of spam from an infected PC. Rustock can spread by sending malicious e-mails that infect the computers of the users who open them, thus incorporating each newly infected computer into the botnet. As Rustock is a rootkit, it is difficult to detect because it can subvert the antivirus software intended to find it.
- Conficker - http://en.wikipedia.org/wiki/Conficker
To remove Conficker please download and run one of the removal tools available on this page: http://download.cnet.com/1770-20_4-0.html?query=conficker&searchtype=downloads&tag=mncol;txt
- Botnet - 'Botnet' is a term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software. 'Botnet' is generally used to refer to a collection of compromised computers running software, usually installed via worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.
- Ensure you are using the latest version of the programs running on your computer(s). Infections of this type can infiltrate computers using out-of-date versions of Flash, Adobe Acrobat, and Java. Secunia.com offers a free software inspector that detects vulnerable and out-of-date programs: http://secunia.com/vulnerability_scanning/personal/ *
Please scan **all** computers using the Internet connection with one of the following free online scanners, or refer back to our original email for online scan suggestions.
Microsoft Online Scanner: http://www.microsoft.com/security/scanner/en-us/default.asp *
McAfee's Stinger: http://vil.nai.com/vil/stinger/ * (once downloaded, please select 'Preferences', under the 'Scan these targets' check 'Boot sectors')
Symantec Mebroot Removal Tool: http://www.symantec.com/security_response/writeup.jsp?docid=2008-020817-4716-99
Sophos Anti-Rootkit scanner: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html *
F-Secure's Online Scanner: http://www.f-secure.com/en_EMEA/security/tools/online-scanner *
What can I do to minimize the spam coming into my telus.net mail box?
To report spam not tagged by the TELUS Spam Control filter, you will need to forward the untagged spam as an attachment to email@example.com.
If you are receiving spam with "*TELUS Detected Spam*" in the subject line, you may want to visit the Change Spam Control options page. You'll find information on how to configure Spam Control so that *TELUS Detected Spam* e-mails are automatically deleted.
My firewall tells me that somebody from the Internet is trying to access my computer; how and where do I report these intrusions?
The complaints should be sent to the originating ISP (Internet Service Provider). The IP address will have to be looked up in something like ARIN (American Registry for Internet Numbers) at http://ws.arin.net/cgi-bin/whois.pl to identify the ISP. If the Internet abuse contact is not listed in the ARIN record, use "Look up an address in the abuse.net contact database" at http://abuse.net/lookup.phtml to look up the Internet abuse contact. Perhaps the best way to report the intrusions is to use public service Web sites like:
Both sites allow the public to create free accounts to report intrusions. The reports are then analysed, combined and reported to the appropriate ISP. The Web sites provide client software to analyse and submit firewall logs from different firewall vendors.
I didn't receive an e-mail from TELUS; where did you send the e-mail?
Warning e-mails are sent to the telus.net e-mail address associated with your account. If you prefer us to send the warning e-mail to a different address, please send e-mail to firstname.lastname@example.org. Please remember to tell us your telephone number so we know which account to associate the e-mail address with.
I don't use my telus.net e-mail address, why did I get a virus warning?
Most modern viruses are equipped with their own server to send mail. These viruses are also programmed to harvest e-mail addresses from address books and other documents within the computer. As soon as the computer is connected to the Internet, the virus will start sending mail to propagate itself without help from the computer user. Also, not all viruses are propagated through e-mail; some are propagated through port scans.
(Port scan - Wikipedia definition: A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by hackers to compromise it.)
I have checked my computer for viruses and the anti-virus program did not find any virus. What else can I do?
Anti-virus programs detect and clean viruses based on their own 'virus definition file'. If the 'virus definition file' is too old (over a week old), the anti-virus program will not be able to detect new viruses. It is important to verify the date of the 'virus definition file'. Please check the anti-virus program's help file for instructions on determining the virus definition file date or the date of the last update.
For computers using Windows XP or ME, it may be necessary to temporarily disable the 'System Restore' function before scanning for viruses. Here's more information from Microsoft: How to turn on and turn off System Restore in Windows XP.
What is the impact when my computer has a virus?
If your computer is infected with a virus, it will either send e-mails to other Internet users or connect to other computers to propagate the virus. If we don't stop the virus propagation from TELUS customers, other ISPs may decide not to accept e-mails or connections from TELUS IPs. This is why the infected computer has to be cleaned/disinfected.
How did my computer get a virus?
There are many ways for a computer to get infected. Some of the more common methods are:
- Opening unknown and/or unexpected e-mail attachments.
- Executing (double-clicking) on downloaded files or software from sources you're unfamiliar with or from peer-to-peer file sharing programs.
- While browsing the Internet, a computer can be redirected to a malicious web page.
- An unpatched operating system.
If my computer was infected through TELUS' Internet connection, shouldn't TELUS be able to stop it?
The virus was likely on the Internet, and the Internet connection through TELUS provided the virus access to your computer. Now that the virus has infected your computer, you will need to remove it, and take steps to prevent future infection. Our warning e-mail has generic information which you may find helpful in removing the virus. However, if for some reason the suggestions don't seem to work on your computer, please contact the computer vendor/dealer.
Can TELUS send someone to remove the virus from my computer?
TELUS does not provide "on location" service. However, TELUS does offer Premium Care service to help you resolve these issues. Our Premium Care team is a fee-based support department that specializes in virus and spyware removal. You can view their list of services and contact details at www.telus.com/hightechhelp.
Alternately, we recommend contacting your computer vendor/dealer.
Who complained about this Internet abuse?
Complaints are received from other Internet users. We are not able to provide any information about the complainants to respect their privacy.
TELUS does not censor content or otherwise exercise editorial control over the public message space on its Internet Service, nor does TELUS Internet Services monitor or control the content and activities of its customers.
What is this copyright infringement warning?
The issue with copyright infringement is unauthorized distribution of copyrighted material.
Most songs, movies, television shows, software programs, books, etc. are copyrighted materials. As such, only the copyright holders and their authorized agents can distribute the materials. Peer-to-peer file sharing programs such as Kazaa and BitTorrent, and file servers such as FTP (File Transfer Protocol) servers and IRC (Internet Relay Chat) servers, allow other Internet users to download or copy shared files from the computers running those programs. Those computers are allowing other Internet users to download or copy copyrighted materials; they are therefore distributing those copyrighted materials and infringing the owner's copyright.
I thought downloading files was OK in Canada. What did I do wrong?
While it may be all right to download files to your computer, the copyright holder reserves the right to distribute the file. Allowing other Internet users to download the file from your computer technically makes the computer a 'distributor'. Only the copyright holder and their authorized distributor(s) can distribute the copyrighted material. Some file-sharing programs may "share" the file while you are downloading.
I don't use my telus.net e-mail address, how can my computer be sending e-mails with virus?
Many new viruses/worms have their own mail server and can harvest e-mail addresses from various documents within a computer. Once established/installed in a computer, all the virus needs is an Internet connection to propagate/infect other computers through the Internet. Virus-infected e-mails are automatically sent out without help from the computer user.
Do you have specific suggestions for removing specific viruses: (a) slammer (b) phatbot (c) korgo.
- Slammer is a memory resident virus. Once the computer is turned off, the virus goes away until the computer is re-infected. To prevent future re-infection, see Microsoft: PSS Security Response Team Alert - New Worm: W32.Slammer
- Phatbot is a trojan horse program and a descendant of "Agobot". Phatbot has the ability to polymorph on installation in order to evade antivirus signatures as it spreads. Use your favorite search engine to search for "phatbot" to find links/web pages with more information and even removal tools.
- Korgo or Padobot is a network worm. It spreads throughout the Internet using a vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). More information is in Microsoft Security Bulletin MS04-011.
Your warning says my IP address was 18.104.22.168. When I run ipconfig, my computer's IP address is 192.168.0.12. Are you sure you're correct?
It sounds like the computer is connected to a router which is a device that also assigns private/local IP addresses to computers connected to it. To obtain your current public IP address, check WhatIsMyIP.com.