
virus from "morgan" (re: firing with oil help?)

updated sun 17 jun 01

 

John Baymore on sat 16 jun 01


Hi all in CLAYART land.


WARNING!!!!!!! One of you out there has a virus!!!!!

I just got a direct email with the topic header "RE: Firing with Oil Help"
from someone whose name was listed on the incoming mail box only as
"morgan". My antivirus email download scan nailed it as soon as it started
to download as being infected. Unfortunately, I missed the name of the
virus it reported so I can't tell you that right now. Sorry.

The file that was sent protects itself from being cleaned by denying access
to itself........ and it had to be completely deleted unread. So it is
not that I am ignoring whoever sent it..... I just never read it. The
overall email file size was something like about 14K if I remember
correctly, and the infected portion came through as a file called
"pics.zip.scr".

I thought everyone out there on the list should be aware....watch out for
email from "morgan", and I am sure that "morgan" should know about this.

Best,

........................john

John Baymore
River Bend Pottery
22 Riverbend Way
Wilton, NH 03086 USA

603-654-2752 (s)
800-900-1110 (s)

JohnBaymore.com

JBaymore@compuserve.com
John.Baymore@GSD-CO.com

"Earth, Water, and Fire Noborigama Woodfiring Workshop August 17-26,
2001" (Full- now on waiting list.)

pammyam on sat 16 jun 01


It sounds like it could be the BadTrans worm. If so, it
might come from someone other than "morgan," as well.

http://www.europe.f-secure.com/v-descs/badtrans.shtml

The following is an excerpt from the website noted above.
If it's the BadTrans worm, it is very insidious and spreads
on the basis of emails on individual systems. The worm has
a slightly delayed execution after the first reboot
following infection. The message subjects will be based on
emails that you might have sent or received, so they will
appear to be okay, and will appear to come from someone you
know, possibly.

In general, I think it's a good idea to be suspicious of any
files with two extensions like .txt.pif or .zip.scr, for
instance.

====
The infected message has text and attached file. Attached
file name is randomly selected from the following variants:

Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif

The Subject field in worm messages is the same as in
original message with prepended "Re:" prefix.
The message body is a "reply" to the original message. For
example, if original message is sent from "John Doe" and has
two lines like:

message line1
message line2

the worm will reply with the following text then:

'John Doe' wrote:
====
- message line1
- message line2


> Take a look to the attachment.

If a message has no body (empty message), the worm's "reply"
has just one line:

> Take a look to the attachment.

----- Original Message -----
From: John Baymore
To: CLAYART@LSV.CERAMICS.ORG
Sent: Saturday, June 16, 2001 8:27 AM
Subject: VIRUS from "Morgan" (RE: Firing with Oil Help?)


Hi all in CLAYART land.

WARNING!!!!!!! One of you out there has a virus!!!!!

I just got a direct email with the topic header "RE: Firing with Oil Help"
from someone whose name was listed on the incoming mail box only as
"morgan". My antivirus email download scan nailed it as soon as it started
to download as being infected. Unfortunately, I missed the name of the
virus it reported so I can't tell you that right now. Sorry.

(snipped)

I thought everyone out there on the list should be aware....watch out for
email from "morgan", and I am sure that "morgan" should know about this.

Best,

........................john

John Baymore
(snip)
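
The double-extension check suggested in the reply above, as an added example that is not part of the original thread or of the F-Secure description: it parses a message with Python's standard `email` module and flags attachment names ending in `.scr` or `.pif`, the two final extensions in the quoted list. The sample message, its addresses and the function names `classify_filename` and `suspicious_attachments` are constructed for illustration.

```python
import email
from email import policy

# Final extensions the thread warns about (Windows runs both as programs).
EXECUTABLE_EXTS = {"scr", "pif"}
# Decoy extensions taken from the attachment names quoted in the thread.
DECOY_EXTS = {"zip", "txt", "doc", "avi", "mp3"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or None for an attachment name."""
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def suspicious_attachments(raw_message):
    """Parse a raw message and return (filename, verdict) for flagged parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = classify_filename(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

# Constructed sample message (not a real capture); the payload is placeholder text.
SAMPLE = """\
From: morgan@example.invalid
To: reader@example.invalid
Subject: Re: Firing with Oil Help
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

> Take a look to the attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="pics.zip.scr"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""
```

A name such as `images.pif` is reported as `executable` rather than `double-extension`, so a mail filter can treat the disguised names more strictly than the plain ones.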