Subject change, was Re: clever virus attack
From: "Herb Chong" <[EMAIL PROTECTED]>

> after they introduced the security patch that prevented opening JPG and GIF,
> it took several months for them to remove that particular part of the patch.
> i saw a lot of support calls go by on the online help forums.

Please continue this discussion without my last name in the subject.

Thanks,
Mark
Re: clever virus attack (Att. Dalal)
after they introduced the security patch that prevented opening JPG and GIF, it took several months for them to remove that particular part of the patch. i saw a lot of support calls go by on the online help forums. Herb... - Original Message - From: "David Miers" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, March 05, 2004 12:21 PM Subject: RE: clever virus attack (Att. Dalal) > There is no problem in viewing either jpeg or gif files on my system at this > point in Outlook. Possibly in Microsoft's ongoing wisdom(meant to be > sarcastic!)(to Microsoft, not you Herb) they changed this around at some > point.
RE: clever virus attack (Att. Dalal)
There is no problem in viewing either jpeg or gif files on my system at this point in Outlook. Possibly in Microsoft's ongoing wisdom(meant to be sarcastic!)(to Microsoft, not you Herb) they changed this around at some point. -Original Message- From: Herb Chong [mailto:[EMAIL PROTECTED] Sent: Friday, March 05, 2004 6:38 AM To: [EMAIL PROTECTED] Subject: Re: clever virus attack (Att. Dalal) the attachments in this case were JPG and GIF files. since MS normally configured these to open with IE, they were deemed unsafe and would not open and could not be detached either, so you could never access them, but they were still there. Herb - Original Message - From: "David Miers" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, March 05, 2004 1:19 AM Subject: RE: clever virus attack (Att. Dalal) > I don't think you can configure the level one file extensions. What they > have eliminated though I don't consider a bad thing. Anytime you need to > send someone something though whether it be on a network or email a > compressed zip or rar file is always a better choice. A lot less chance of > a file being corrupted this way and if a virus was in a compressed file it > would be isolated until opened. At least it cannot start a problem just > because I opened an email with it attached.
Re: clever virus attack (Att. Dalal)
the attachments in this case were JPG and GIF files. since MS normally configured these to open with IE, they were deemed unsafe and would not open and could not be detached either, so you could never access them, but they were still there. Herb - Original Message - From: "David Miers" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, March 05, 2004 1:19 AM Subject: RE: clever virus attack (Att. Dalal) > I don't think you can configure the level one file extensions. What they > have eliminated though I don't consider a bad thing. Anytime you need to > send someone something though whether it be on a network or email a > compressed zip or rar file is always a better choice. A lot less chance of > a file being corrupted this way and if a virus was in a compressed file it > would be isolated until opened. At least it cannot start a problem just > because I opened an email with it attached.
RE: clever virus attack (Att. Dalal)
I don't think you can configure the level one file extensions. What they have eliminated though I don't consider a bad thing. Anytime you need to send someone something though whether it be on a network or email a compressed zip or rar file is always a better choice. A lot less chance of a file being corrupted this way and if a virus was in a compressed file it would be isolated until opened. At least it cannot start a problem just because I opened an email with it attached. -Original Message- From: Herb Chong [mailto:[EMAIL PROTECTED] Sent: Thursday, March 04, 2004 8:30 PM To: [EMAIL PROTECTED] Subject: Re: clever virus attack (Att. Dalal) i don't remember MS allowing the end user to configure what constituted Level 1. a lot of angry users called up to ask what happened to their attachments for several months. Herb - Original Message - From: "David Miers" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 04, 2004 1:59 PM Subject: RE: clever virus attack (Att. Dalal) > It does not allow any files attached that match the definitions in what is > termed level 1. The mail will come in with the attachment deleted. This > does not 100% stop virus attachments from coming in, but it does kill most > of them. If you run in restricted mode scripts are not supposed to run > period if I understand correctly.
Re: clever virus attack
Windows 2.0 came with two kernels, an 8086/8088 version and the 286 version. It would recognize which processor and how much memory you had available at load time and loaded the proper version.

Herb Chong wrote:

i'm pretty sure Windows 1 never shipped standalone. i still have the disks to a game that used it for the runtime though. the earliest version of Windows i used was 2.03 and i have used and developed software on every version since then. by the time it was called Windows 286, it was version 2 of Windows. i have the manuals but no disks anymore. Windows 1 could run on a 8086 and didn't require a 286.

Herb

- Original Message -
From: "John Mustarde" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 04, 2004 6:23 PM
Subject: Re: clever virus attack

The neatest thing in that sale was an original box containing Windows 286. I'm pretty sure it was considered Windows 1.0 but not called that. I am almost positive it pre-dated Windows 2.0, but all that was a long time ago in computer years. I bought it from a guy who worked for Microsoft at the time, and he got it through his job.
RE: clever virus attack
I received the exact same e-mail but knew it had to be false so I forwarded it to my e-mail server and asked for confirmation. David Madsen mailto:[EMAIL PROTECTED] http://www.davidmadsen.com -Original Message- From: Stan Halpin [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 1:49 PM To: PDML list Subject: clever virus attack I just received the following from someone spoofing me. But it is very believable... --- Dear user of Stans-photography.info e-mail server gateway, Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions. For further details see the attach. For security purposes the attached file is password protected. Password is "16120". Have a good day, The Stans-photography.info team http://www.stans-photography.info I am sure you will all be happy to know that there is now a "Stans-photography.info team " I did not know that before either. Be careful - you can get hurt out there. Stan
Re: clever virus attack (Att. Dalal)
i don't remember MS allowing the end user to configure what constituted Level 1. a lot of angry users called up to ask what happened to their attachments for several months. Herb - Original Message - From: "David Miers" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 04, 2004 1:59 PM Subject: RE: clever virus attack (Att. Dalal) > It does not allow any files attached that match the definitions in what is > termed level 1. The mail will come in with the attachment deleted. This > does not 100% stop virus attachments from coming in, but it does kill most > of them. If you run in restricted mode scripts are not supposed to run > period if I understand correctly.
Re: clever virus attack
On Thu, 4 Mar 2004 21:38:02 -, you wrote:

> I was not impressed to be told I couldn't have a 5.5 inch
>drive. I have stacks of those, including a copy of Windows v2.0, in those
>dark days before the launch of 3.1 which made it famous. I collect and enjoy
>using old software. Someone has to ;-)

Ah, the good old days when I dragged my computer to school on a four-wheel cart, uphill both ways, in the snow.

A couple of years ago I sold a box of software for $5. The guy got a bargain - it was all very functional registered stuff that he could have transferred title if he wanted. Full version of MS Word 4.0 for DOS, and even a decent Office 95 for Windows that was on about 110 disks. Boy was I glad to get rid of it - I had moved that box of discs and floppies so many times. I gleefully waved it goodbye for the last time and danced a little jig.

The neatest thing in that sale was an original box containing Windows 286. I'm pretty sure it was considered Windows 1.0 but not called that. I am almost positive it pre-dated Windows 2.0, but all that was a long time ago in computer years. I bought it from a guy who worked for Microsoft at the time, and he got it through his job.

I remember I could not get it to run worth a hoot on my fancy 286 - 12mHz computer with 512k of RAM and 10 Mb HD. I couldn't justify the week's salary it would have cost to upgrade from 512k to 640k of RAM to try to get it to run faster. An Excel file took ten minutes to open and fifteen to save, and five minutes or more for every computation, if it did not crash at the first sign of data entry.

But that little 286 was a real workhorse without Windows. Word for DOS was very fast, and I even knew a whole lot of the formatting shortcuts. Printing on a dot matrix printer from a 286 machine could get really slow, though. It wasn't until Pentium 3 - 450mHz age that I got as fast using MS Word (for Windows) as I was using Word 4.0 for DOS.

Oh well, trip down memory lane.
Most likely other PDMLers go back much further than me with computers. I still like to remember how well that old 286 served me. It only crashed once in two years, and that was when a spider took up residence in it, and hatched little spiderettes which one day all of a sudden came scurrying by the dozens out of the floppy drive slot like lemmings over the cliff, heading right across the desk towards me and scattering in every direction at once. Eeek, I went scurrying myself that day, you can be sure. -- John Mustarde www.photolin.com
Re: clever virus attack
inline Cotty wrote: On 4/3/04, GRAYWOLF disgorged: Probably wouldn't make a difference if you were using Windows on a Power PC. Actually I have heard tell that a PC virus will infect the Windows environment on a Mac running a PC emulator software. I have no idea how true that is. HAR. Yes, the emulator software could translate the intel code virus to Power PC code. Useful little bugger, eh? Most of the viruses are Intel specific, as well as Windows specific. However you could run BSD on a PC and be safe. Same OS as yours without the cutesy stuff added. I watched too many cartoons as a kid. BTW, do you know why they chose BSD rather than Linux for the basis of OS X? Tom that's too technical for me. I'll just ask my mate Steve ;-) Talk to your solicitor instead, it is a legal issue. 1. With Linux any changes they made to the code they would have to publish and provide the source code for. With BSD they just have to leave the copyright notices in. 2. Linux is too much of a moving target, it changes faster than anyone in Redmond could believe possible. Real upgrades 2-3 times a year, new stuff almost daily. -- graywolf http://graywolfphoto.com "You might as well accept people as they are, you are not going to be able to change them anyway."
Re: clever virus attack
Some of us have more time than money, Cotty. Sneaker net is still the cheapest WAN. Interesting, I have a LAN, but nothing to plug into it any more. Of course there is the school of thought that if they are not on the internet they are too primitive to worry about anyway (g).

--

Cotty wrote:

On 4/3/04,MALCOLM disgorged:

There seem to be no end of these viruses now. I can see me partitioning the hard disc and running Linux on one part for e-mail. My laptop is really on its last legs now and I would like a Mac to replace it. The only niggle is the lack of floppy disc drive - and many PC manufacturers are now not fitting them. I use these discs a great deal, and I dislike the thought of having to burn a CD just for a few files which sit easily on a floppy.

Malc, external USB floppy disk drives can be purchased and will work on a Mac as well as a PC. May I make a suggestion? If you have a computer, I would hope that you would be backing up at the very least all the user data you create? And preferably backing up the whole lot, say on an external drive or whatever. If you do so, why the need for a floppy drive or indeed the floppy disks? I have a Zip (100) drives in my PowerBook, and we have an external Zip 100 knocking about somewhere, but to be honest they do not get used very much at all, and when I get a wireless LAN set up in the house, they will be almost obsolete. However, to each their own. Floppies can still be used in this day and age, Mac or PC. No problem. You can even still buy an internal one and fit it in your computer, just like they used to .

HTH

Cheers,
Cotty

___/\__ || (O) | People, Places, Pastiche ||=| http://www.macads.co.uk/snaps _ Free UK Mac Ads http://www.macads.co.uk

--
graywolf http://graywolfphoto.com
"You might as well accept people as they are, you are not going to be able to change them anyway."
RE: clever virus attack
Cotty wrote:

> Malc, external USB floppy disk drives can be purchased and
> will work on a Mac as well as a PC. May I make a suggestion?
> If you have a computer, I would hope that you would be
> backing up at the very least all the user data you create?

Oh yes! Having learnt the hard way, once a week I back up my files to ZIP discs - chosen as they are simple and quick to back up to. External floppy drives are still available new? Great, I'll be next door to a computer shop on Sunday, I'll take a mooch.

> And preferably backing up the whole lot, say on an external
> drive or whatever. If you do so, why the need for a floppy
> drive or indeed the floppy disks?

It's either that or 5.5 inch floppies, some of my friends have yet to get computers with CD drives. So I use floppy discs. One of them refuses to get internet connected because the net is full of viruses. It's not all cutting edge stuff you know! This machine has a multi-card reader, DVD,CD,ZIP and floppy drive. I was not impressed to be told I couldn't have a 5.5 inch drive. I have stacks of those, including a copy of Windows v2.0, in those dark days before the launch of 3.1 which made it famous. I collect and enjoy using old software. Someone has to ;-)

> I have a Zip (100) drives in my PowerBook, and we have an
> external Zip 100 knocking about somewhere, but to be honest
> they do not get used very much at all, and when I get a
> wireless LAN set up in the house, they will be almost obsolete.

You're years ahead of me.

> However, to each their own. Floppies can still be used in
> this day and age, Mac or PC. No problem. You can even still
> buy an internal one and fit it in your computer, just like
> they used to .

Fine. I don't much like modern computers, even though I can now use them quite well. In this respect, I would be better off with a Mac for myself, so I can concentrate on my hobby and not the computer.

Thanks,
M
Re: clever virus attack
So called macro viruses will if you have vba on your system. Cotty wrote: On 4/3/04, GRAYWOLF disgorged: Probably wouldn't make a difference if you were using Windows on a Power PC. Actually I have heard tell that a PC virus will infect the Windows environment on a Mac running a PC emulator software. I have no idea how true that is. Most of the viruses are Intel specific, as well as Windows specific. However you could run BSD on a PC and be safe. Same OS as yours without the cutesy stuff added. I watched too many cartoons as a kid. BTW, do you know why they chose BSD rather than Linux for the basis of OS X? Tom that's too technical for me. I'll just ask my mate Steve ;-) Cheers, Cotty ___/\__ || (O) | People, Places, Pastiche ||=| http://www.macads.co.uk/snaps _ Free UK Mac Ads http://www.macads.co.uk
RE: clever virus attack
On 4/3/04,MALCOLM disgorged:

>There seem to be no end of these viruses now. I can see me partitioning the
>hard disc and running Linux on one part for e-mail. My laptop is really on
>its last legs now and I would like a Mac to replace it. The only niggle is
>the lack of floppy disc drive - and many PC manufacturers are now not
>fitting them. I use these discs a great deal, and I dislike the thought of
>having to burn a CD just for a few files which sit easily on a floppy.

Malc, external USB floppy disk drives can be purchased and will work on a Mac as well as a PC. May I make a suggestion? If you have a computer, I would hope that you would be backing up at the very least all the user data you create? And preferably backing up the whole lot, say on an external drive or whatever. If you do so, why the need for a floppy drive or indeed the floppy disks? I have a Zip (100) drives in my PowerBook, and we have an external Zip 100 knocking about somewhere, but to be honest they do not get used very much at all, and when I get a wireless LAN set up in the house, they will be almost obsolete. However, to each their own. Floppies can still be used in this day and age, Mac or PC. No problem. You can even still buy an internal one and fit it in your computer, just like they used to .

HTH

Cheers,
Cotty

___/\__ || (O) | People, Places, Pastiche ||=| http://www.macads.co.uk/snaps _ Free UK Mac Ads http://www.macads.co.uk
RE: clever virus attack
Bruce Dayton wrote: > Zip disks or what they now call "Jump drives" are the ticket. > The jump drives are really just a SD card or some such with > the USB interface. All you do is plug it in and you have an > instant drive. > If you need more permanence then the zip disks work quite > well. I haven't used a floppy for a few years now. Hi Bruce, I am a great ZIP disc user too, but the people I share these files with aren't. Many of my friends still use Windows 95 with a similar age computer. I think ZIP discs are a bit pricey (although I have acquired most of mine new via eBay at a substantial discount) but floppies are dirt cheap. I don't worry about losing them either, as so many people no longer have the drives to read them ;-) Thanks, Malcolm
RE: clever virus attack (OT)
On 4/3/04, ZOOMSHOT ZIGGY disgorged:

>Would you like a large G&T to cool you down?
>
>Ziggy
>
>
>On 3/3/04, [EMAIL PROTECTED] disgorged:
>
>>Password protected Zip files scramble the contents enough to keep
>>virus protection software from identifying the contents you shouldn't
>>worry. The virus can't do anything unless you use the password and
>>open it.
>
>Hey, I did that. Oh my god. Help me, help me, I'm m-m-m-m-e-l-t-i-n-g...

Just got in, opened a bottle of London Pride. Toasting the PDML...

Cheers,
Cotty

___/\__ || (O) | People, Places, Pastiche ||=| http://www.macads.co.uk/snaps _ Free UK Mac Ads http://www.macads.co.uk
Re: clever virus attack
So put them on that tiny digital card that came with your digicam. You know, the one that was too small to hold ten photos.

--

Malcolm Smith wrote:

The only niggle is the lack of floppy disc drive - and many PC manufacturers are now not fitting them. I use these discs a great deal, and I dislike the thought of having to burn a CD just for a few files which sit easily on a floppy.

--
graywolf http://graywolfphoto.com
"You might as well accept people as they are, you are not going to be able to change them anyway."
Re: clever virus attack
Probably wouldn't make a difference if you were using Windows on a Power PC. Most of the viruses are Intel specific, as well as Windows specific. However you could run BSD on a PC and be safe. Same OS as yours without the cutesy stuff added. BTW, do you know why they chose BSD rather than Linux for the basis of OS X? -- Cotty wrote: I received this silly email as well. It contained a Zip file that needed a code to unzip it, containing an exe file. I followed the instructions and unzipped the attachment and looked at the exe file. I shrugged my shoulders and deleted it. And some people wonder why I like the Mac OS. Cheers, Cotty ___/\__ || (O) | People, Places, Pastiche ||=| http://www.macads.co.uk/snaps _ Free UK Mac Ads http://www.macads.co.uk -- graywolf http://graywolfphoto.com "You might as well accept people as they are, you are not going to be able to change them anyway."
Re: clever virus attack
Zip disks or what they now call "Jump drives" are the ticket. The jump drives are really just a SD card or some such with the USB interface. All you do is plug it in and you have an instant drive. If you need more permanence then the zip disks work quite well. I haven't used a floppy for a few years now.

--
Best regards,
Bruce

Thursday, March 4, 2004, 11:05:20 AM, you wrote:

MS> Cotty wrote:
>> I received this silly email as well. It contained a Zip file
>> that needed a code to unzip it, containing an exe file. I
>> followed the instructions and unzipped the attachment and
>> looked at the exe file. I shrugged my shoulders and deleted it.
>>
>> And some people wonder why I like the Mac OS.

MS> I regularly get e-mails from Waitrose, telling me they have deleted e-mails
MS> with viruses in them. I wasn't sure about this one, so I forwarded it back
MS> to them to see if it was genuine.

MS> There seem to be no end of these viruses now. I can see me partitioning the
MS> hard disc and running Linux on one part for e-mail. My laptop is really on
MS> its last legs now and I would like a Mac to replace it. The only niggle is
MS> the lack of floppy disc drive - and many PC manufacturers are now not
MS> fitting them. I use these discs a great deal, and I dislike the thought of
MS> having to burn a CD just for a few files which sit easily on a floppy.

MS> Malcolm
RE: clever virus attack
Cotty wrote:

> I received this silly email as well. It contained a Zip file
> that needed a code to unzip it, containing an exe file. I
> followed the instructions and unzipped the attachment and
> looked at the exe file. I shrugged my shoulders and deleted it.
>
> And some people wonder why I like the Mac OS.

I regularly get e-mails from Waitrose, telling me they have deleted e-mails with viruses in them. I wasn't sure about this one, so I forwarded it back to them to see if it was genuine.

There seem to be no end of these viruses now. I can see me partitioning the hard disc and running Linux on one part for e-mail. My laptop is really on its last legs now and I would like a Mac to replace it. The only niggle is the lack of floppy disc drive - and many PC manufacturers are now not fitting them. I use these discs a great deal, and I dislike the thought of having to burn a CD just for a few files which sit easily on a floppy.

Malcolm
RE: clever virus attack (Att. Dalal)
Whether or not it protects you or not I can't say for sure, but the documentation plainly states, with an Outlook 2000 updated to current security patches, that until you open the mail all the way scripts cannot run. It also tells you when an email contains scripts ahead of time. From what I can see Outlook is actually way more secure than Outlook Express 6. It does not allow any files attached that match the definitions in what is termed level 1. The mail will come in with the attachment deleted. This does not 100% stop virus attachments from coming in, but it does kill most of them. If you run in restricted mode scripts are not supposed to run period if I understand correctly.

I simply turn off preview when downloading emails so I can see who they are from etc and if attachments are present. This way I can delete the file without it having any opportunity to run. Then I turn on preview and read my mail as usual. I believe the updates and patches for Office 2000 make a big difference for security in the Outlook you're referring to.

I believe the only way you're going to be completely secure is to run an email client that supports text only email and/or Linux, which to be quite frank is quite boring!!! There is a lot of nice attributes to html and scripts that I truly enjoy. I have friends that send me very creative stationery that would be missed otherwise. I have to turn off the restricted zone security settings to view them after I verify who they are from. The main thing is just be careful. If you can't enjoy your computer what's the sense of it all in my opinion. A computer is a tool, but it also can deliver a lot of pleasure. Learn how to work the security features of the programs you're running to their full advantage IMHO.

Just my 2cents worth

-Original Message-
From: Herb Chong [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 6:21 AM
To: [EMAIL PROTECTED]
Subject: Re: clever virus attack (Att. Dalal)

i refuse to install Outlook 2000 on my machines because it still remains vulnerable to scripting viruses in emails. they run whenever you have preview enabled.

Herb...

- Original Message -
From: "Jostein" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 04, 2004 3:44 AM
Subject: Re: clever virus attack (Att. Dalal)

> It does not "depend on an exchange server". Outlook can be configured to
> use perfectly ordinary SMTP servers, IMAP servers, POP3 servers, and the
> secure variants. During installation you get all the necessary questions to
> configure it properly, it's all about installing the right services to use.
> You can modify your installation later as well if you like.
RE: clever virus attack
I received this silly email as well. It contained a Zip file that needed a code to unzip it, containing an exe file. I followed the instructions and unzipped the attachment and looked at the exe file. I shrugged my shoulders and deleted it. And some people wonder why I like the Mac OS. Cheers, Cotty ___/\__ || (O) | People, Places, Pastiche ||=| http://www.macads.co.uk/snaps _ Free UK Mac Ads http://www.macads.co.uk
Re: clever virus attack (Att. Dalal)
I think the password protection of the ZIP file makes virus detection not possible. My McAfee didn't find it before it was unzipped.

On Thu, 2004-03-04 at 17:30, Jostein wrote:

> - Original Message -
> From: "Tanya Mayer Photography" <[EMAIL PROTECTED]>
> > My virus definitions in Norton's are dated 2nd March.
>
> The latest incarnations of Bagle emerged on the 2nd. It is possible that
> your update missed it, but it sounds unlikely...
>
> Icky stuff, these virii.
>
> Jostein

--
Frits Wüthrich <[EMAIL PROTECTED]>
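
The message above, like the earlier ones about the password-protected attachment, comes down to a content scanner being unable to read an encrypted ZIP. The archive headers still carry each entry's name and an "encrypted" flag in the clear, so a mail gateway can decide without the password. The following is an added example, not part of the thread or of any product mentioned in it; the function names, the extension list beyond exe/pif/scr, the verdict labels and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flags: entry is encrypted

# exe, pif and scr are named in the thread; the rest are an assumption of this example.
RISKY_EXT = {"exe", "pif", "scr", "com", "bat", "cmd"}

# A message body that hands the reader the archive password, as the lure in the thread does.
PASSWORD_HINT = re.compile(r"\bpassword\s*(?:is|:)\s*\S+", re.IGNORECASE)


def triage_zip_attachment(data, body=""):
    """Classify a ZIP attachment from its headers only (no password needed).

    Verdicts (labels are this example's own):
      block       - an entry has a directly executable extension, or the
                    archive is encrypted and the body supplies the password
      quarantine  - encrypted entries the scanner cannot inspect
      pass        - nothing encrypted, nothing executable by name
      unparseable - not a readable ZIP; hand it to a human
    """
    report = {
        "verdict": "pass",
        "encrypted": [],
        "risky": [],
        "password_in_body": bool(PASSWORD_HINT.search(body)),
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            entries = archive.infolist()  # reads the central directory only
    except zipfile.BadZipFile:
        report["verdict"] = "unparseable"
        return report

    for info in entries:
        _, dot, ext = info.filename.rpartition(".")
        if info.flag_bits & ENCRYPTED_FLAG:
            report["encrypted"].append(info.filename)
        if dot and ext.lower() in RISKY_EXT:
            report["risky"].append(info.filename)

    if report["risky"] or (report["encrypted"] and report["password_in_body"]):
        report["verdict"] = "block"
    elif report["encrypted"]:
        report["verdict"] = "quarantine"
    return report


def build_sample_zip(name, payload, encrypted):
    """Constructed test input: a one-entry ZIP, optionally flagged as encrypted.

    The payload is not really encrypted; only the header flag is set, which is
    all that triage_zip_attachment() looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit at offset 6 in the local header and offset 8 in the
        # central directory header.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            flags = struct.unpack_from("<H", raw, pos + offset)[0]
            struct.pack_into("<H", raw, pos + offset, flags | ENCRYPTED_FLAG)
    return bytes(raw)


if __name__ == "__main__":
    # Body text taken from the lure quoted in the thread; the file name is constructed.
    lure = ('For security purposes the attached file is password protected. '
            'Password is "16120".')
    sample = build_sample_zip("details.exe", b"placeholder bytes", encrypted=True)
    print(triage_zip_attachment(sample, lure))
```
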
Re: clever virus attack (Att. Dalal)
- Original Message - From: "Tanya Mayer Photography" <[EMAIL PROTECTED]> > My virus definitions in Norton's are dated 2nd March. The latest incarnations of Bagle emerged on the 2nd. It is possible that your update missed it, but it sounds unlikely... Icky stuff, these virii. Jostein
Re: clever virus attack (more MiMail virus info)
Yes, You are correct, one can't be too careful. On Thu, 2004-03-04 at 16:16, Lasse Karlsson wrote: > From: "Frits Wüthrich" <[EMAIL PROTECTED]> > > On Thu, 2004-03-04 at 06:20, Lawrence Kwan wrote: > > > > When I opened the zip file using the password, McAfee was able to find > > > > it and identify it as W32/[EMAIL PROTECTED] > > > > > > Wow, I am quite shocked that some of you would continue to open attached > > > file from unknown source. DON'T RELY ON YOUR ANTI-VIRAL PROGRAM! > > > Unless you fully expected to receive such a file, JUST DELETE IT if you > > > don't know what it is all about. > > I didn't open the .exe file, I opened the ZIP file, that is quite > > something different. I wouldn't dream of opening the exe file, or pif or > > scr or whatever, I don't rely on my anti virus software to stop it, I > > just wanted to find out what the virus was. > > I don't receive nor read in a Windows environment to begin with. > > So: no need to be shocked in my case. > > At > http://www.pchell.com/virus/mimail.shtml > (where there are more removal instruction links) > > I found the following information, which would indicate that simply unzipping the > file could trigger the exe-file to automatically run and infect you: > > What is the MiMail.A Worm? > MiMail.A is a mass mailing worm that arrives as a zipped attachment in an email. The > zip file has an html file attached. The html file "message.htm" takes advantage of > two known security vulnerabilities, MHTML exploit and the codebase exploit. The > virus arrives as an email similar to: > > > > > From: admin@ (The from address may be spoofed to appear that it is > coming from the current domain) > > Subject: your account [random string] > > Message: > Hello there, > I would like to inform you about important information regarding your email address. > This email address will be expiring. Please read attachment for details. 
> > Best regards, > Administrator > > Attachment: Message.zip > > > > > How Does MiMail.A Worm Infect My System? > > Once unzipped, the worm creates an exe file named foo.exe in the Temporary Internet > Files directory and runs it. > > The following files are then created in the Windows directory > > videodrv.exe > exe.tmp (temporary copy of message.html_ > zip.tmp (temporary copy of message.zip) > It also adds the following registry key to the system. > > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run > > "VideoDriver" = C:\Windows\videodrv.exe > > as well as > > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution > Units\{----} > > What Does the MiMail.A Worm Do? > > Once a computer is infected, the virus checks to see if the system is connected to > the Internet by trying to contact google.com. If it can contact google, then the > worm attempts to gather email addresses from the infected computer. It grabs > addresses from all files on the system, EXCEPT files that have the following > extensions: > > COM > WAV > CAB > PDF > RAR > ZIP > TIF > PSD > OCX > VXD > MP3 > MPG > AVI > DLL > EXE > GIF > JPG > BMP > These addresses are then stored in a file named eml.tmp in the Windows directory. > The worm has its own SMTP engine. For each email address the worms sends, it will > > Look up the MX record for the domain name using the DNS server of the current host. > If a DNS server is not found, it will default to 212.5.86.163. > Acquire the mail server associated with that particular domain. > Directly contact the destination server. > How Can I Remove the MiMail.A worm? > > Follow these steps in removing the MiMail worm. > > 1) Terminate the running program > > Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or > CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines. 
> Locate the following program, click on it and End Task or End Process >VIDEODRV.EXE > > Close Task Manager > 2) Remove the Registry entries > > Click on Start, Run, Regedit > In the left panel go to > HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run > > In the right panel, right-click and delete the following entry > "VideoDriver"="%Windows%\videodrv.exe" > > Repeat this procedure for > > HKEY_LOCAL_MACHINE>Software>Microsoft>Code Store Database>Distribution Units > > In the right panel, locate and delete the entry: > {----} > Close the Registry Editor > 3) Delete the infected files (for Windows ME and XP remember to turn off System > Restore before searching for and deleting these files to remove infected backed up > files as well) > > Click Start, point to Find or Search, and then click Files or Folders. > > Make sure that "Look in" is set
Re: clever virus attack (more MiMail virus info)
From: "Frits Wüthrich" <[EMAIL PROTECTED]>
> On Thu, 2004-03-04 at 06:20, Lawrence Kwan wrote:
> > > When I opened the zip file using the password, McAfee was able to find
> > > it and identify it as W32/[EMAIL PROTECTED]
> >
> > Wow, I am quite shocked that some of you would continue to open attached
> > file from unknown source. DON'T RELY ON YOUR ANTI-VIRAL PROGRAM!
> > Unless you fully expected to receive such a file, JUST DELETE IT if you
> > don't know what it is all about.
> I didn't open the .exe file, I opened the ZIP file, that is quite
> something different. I wouldn't dream of opening the exe file, or pif or
> scr or whatever, I don't rely on my anti virus software to stop it, I
> just wanted to find out what the virus was.
> I don't receive nor read in a Windows environment to begin with.
> So: no need to be shocked in my case.

At http://www.pchell.com/virus/mimail.shtml (where there are more removal instruction links) I found the following information, which would indicate that simply unzipping the file could trigger the exe-file to automatically run and infect you:

What is the MiMail.A Worm?

MiMail.A is a mass mailing worm that arrives as a zipped attachment in an email. The zip file has an html file attached. The html file "message.htm" takes advantage of two known security vulnerabilities, MHTML exploit and the codebase exploit.

The virus arrives as an email similar to:

From: admin@ (The from address may be spoofed to appear that it is coming from the current domain)
Subject: your account [random string]
Message:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards,
Administrator
Attachment: Message.zip

How Does MiMail.A Worm Infect My System?

Once unzipped, the worm creates an exe file named foo.exe in the Temporary Internet Files directory and runs it.

The following files are then created in the Windows directory:

videodrv.exe
exe.tmp (temporary copy of message.html)
zip.tmp (temporary copy of message.zip)

It also adds the following registry key to the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"VideoDriver" = C:\Windows\videodrv.exe

as well as

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{----}

What Does the MiMail.A Worm Do?

Once a computer is infected, the virus checks to see if the system is connected to the Internet by trying to contact google.com. If it can contact google, then the worm attempts to gather email addresses from the infected computer. It grabs addresses from all files on the system, EXCEPT files that have the following extensions:

COM WAV CAB PDF RAR ZIP TIF PSD OCX VXD MP3 MPG AVI DLL EXE GIF JPG BMP

These addresses are then stored in a file named eml.tmp in the Windows directory.

The worm has its own SMTP engine. For each email address the worm sends to, it will:

Look up the MX record for the domain name using the DNS server of the current host. If a DNS server is not found, it will default to 212.5.86.163.
Acquire the mail server associated with that particular domain.
Directly contact the destination server.

How Can I Remove the MiMail.A worm?

Follow these steps in removing the MiMail worm.

1) Terminate the running program

Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
Locate the following program, click on it and End Task or End Process:
VIDEODRV.EXE
Close Task Manager

2) Remove the Registry entries

Click on Start, Run, Regedit
In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run
In the right panel, right-click and delete the following entry
"VideoDriver"="%Windows%\videodrv.exe"
Repeat this procedure for
HKEY_LOCAL_MACHINE>Software>Microsoft>Code Store Database>Distribution Units
In the right panel, locate and delete the entry:
{----}
Close the Registry Editor

3) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)

Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for..." box, type, or copy and paste, the file names:
eml.tmp zip.tmp exe.tmp
Click Find Now or Search Now.
Delete the displayed files.

4) Reboot the computer and run a thorough virus scan using your favorite antivirus program.

5) Apply the patches, MHTML exploit and codebase exploit, to avoid viruses like this in the futur
Re: Re[2]: clever virus attack (Att. Dalal)
- Original Message -
From: "Mark Dalal"
Subject: Re[2]: clever virus attack (Att. Dalal)

> BTW: I've just tried these other mail programs. I've suddenly remembered
> why past attempts to use them have resulted in returning outlook
> express, risks and all...

That's my problem too. I happen to like Outlook Express more than any of the half dozen or so other mail programs I have tried.

William Robb
Re: clever virus attack (Att. Dalal)
your updates are available under Office Updates and there aren't many of them. they are rolled up into Service Packs for Office. you have a choice of installing the service packs or digging through all of the Microsoft Security Bulletins and seeing which updates are available for Outlook. they issue them very infrequently and except when they are issued as part of a service pack, are all separate. it's up to you to figure out if they apply to you or not. it's a lot of work. i really think you want to use a different email client and use Outlook only for Calendaring. Herb - Original Message - From: "Tanya Mayer Photography" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 03, 2004 9:20 PM Subject: RE: clever virus attack (Att. Dalal) > I don't know which "Outlook 2000" you are referring to, but I assure you > that when I go to the "Help" menu and click on "About Microsoft Outlook" it > says that I am using "Microsoft Outlook 2000 - (9.0.0.2711) Internet Mail > Only". It is the email software that comes with Microsoft Office 2000, and > I really like using it as it keeps track of my in and outgoing emails to my > individual clients, and also my appointments etc. I have no idea which > "Outlook 2000" you are thinking of?
Re: clever virus attack (Att. Dalal)
i think that the mail administrators have removed all options on my work Outlook except Exchange servers. Herb - Original Message - From: "Rob Brigham" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 04, 2004 6:32 AM Subject: RE: clever virus attack (Att. Dalal) > Go into 'Tools', 'Email Accounts' 'Add a new account' and hey presto it > should show you the options.
RE: clever virus attack (Att. Dalal)
Go into 'Tools', 'Email Accounts' 'Add a new account' and hey presto it should show you the options.

> -Original Message-
> From: Herb Chong [mailto:[EMAIL PROTECTED]
> Sent: 04 March 2004 11:28
> To: [EMAIL PROTECTED]
> Subject: Re: clever virus attack (Att. Dalal)
>
> alright, i have installed when it came out with Office 2000
> and removed it pretty much right away. it took MS almost a
> year to fix several scripting security bugs in Outlook when
> they issued a fix for Outlook Express within a couple of
> weeks. i have to use Outlook at work and there it doesn't
> contain any settings for configuring any other type of server.
>
> Herb...
> - Original Message -
> From: "Jostein" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 04, 2004 3:44 AM
> Subject: Re: clever virus attack (Att. Dalal)
>
> > It does not "depend on an exchange server". Outlook can be configured
> > to use perfectly ordinary SMTP servers, IMAP servers, POP3 servers,
> > and the secure variants. During installation you get all the necessary
> > questions to configure it properly, it's all about installing the right
> > services to use. You can modify your installation later as well if you like.
Re: clever virus attack (Att. Dalal)
alright, i have installed when it came out with Office 2000 and removed it pretty much right away. it took MS almost a year to fix several scripting security bugs in Outlook when they issued a fix for Outlook Express within a couple of weeks. i have to use Outlook at work and there it doesn't contain any settings for configuring any other type of server.

Herb...

- Original Message -
From: "Jostein" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 04, 2004 3:44 AM
Subject: Re: clever virus attack (Att. Dalal)

> It does not "depend on an exchange server". Outlook can be configured to
> use perfectly ordinary SMTP servers, IMAP servers, POP3 servers, and the
> secure variants. During installation you get all the necessary questions to
> configure it properly, it's all about installing the right services to use.
> You can modify your installation later as well if you like.
Re: clever virus attack (Att. Dalal)
i refuse to install Outlook 2000 on my machines because it still remains vulnerable to scripting viruses in emails. they run whenever you have preview enabled. Herb... - Original Message - From: "Jostein" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 04, 2004 3:44 AM Subject: Re: clever virus attack (Att. Dalal) > It does not "depend on an exchange server". Outlook can be configured to > use perfectly ordinary SMTP servers, IMAP servers, POP3 servers, and the > secure variants. During installation you get all the necessary questions to > configure it properly, it's all about installing the right services to use. > You can modify your installation later as well if you like.
Re: clever virus attack (Att. Dalal)
Tan, As has been mentioned, the virus in question is a Beagle (Bagle) variant. If you don't have any antivirus (AV) software, download a trial and scan your system. Or use one of the online scan engines. If you have AV software that just wasn't updated, try downloading a disinfection tool. Preferably from your AV vendor, but if they don't have any, try this one: http://www.f-secure.com/tools/f-bagle.zip What scares the willies out of me is that there seems to be an ongoing war between two teams of virus developers, the Beagle bunch and the Netsky team... I think we will see more creative variants in the future, unfortunately. Jostein - Original Message - From: "Tanya Mayer Photography" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 04, 2004 12:21 AM Subject: RE: clever virus attack (Att. Dalal) > > Hey guys, I just went to the microsoft site to download the patch and > discovered that it varies depending on the Outlook Express version you are > running. This is fine, BUT, I am running Microsoft Outlook 2000 and it > isn't indicated anywhere. Any idea what I should do? > > tan. > > -Original Message- > From: Mark Roberts [mailto:[EMAIL PROTECTED] > Sent: Thursday, 4 March 2004 9:05 AM > To: [EMAIL PROTECTED] > Subject: Re: clever virus attack (Att. Dalal) > > > "Lasse Karlsson" <[EMAIL PROTECTED]> wrote: > > >Got one too a few hours ago. > >Mark Dalal's email address noted as sender in the mailinfo (while the > sender in my reader gave a "noreply" + my isp as sender). Whether it means > Mark is infected, or just got his address stolen I don't know. > >(The same password that others reported). > > With these viruses, you can be certain that the person whose computer > sent it to you is anyone *but* the person listed in the "From" line. > > That's about the only thing you can be certain of, though... > > -- > Mark Roberts > Photography and writing > www.robertstech.com > >
Re: clever virus attack (Att. Dalal)
Herb, I seriously doubt that you have ever installed Outlook 2000. :-) It does not "depend on an exchange server". Outlook can be configured to use perfectly ordinary SMTP servers, IMAP servers, POP3 servers, and the secure variants. During installation you get all the necessary questions to configure it properly, it's all about installing the right services to use. You can modify your installation later as well if you like. Windows Update is a good idea to have active, but just like Antivirus software, there's always a lag before patches are published. There's no substitute for a good measure of caution. Jostein - Original Message - From: "Herb Chong" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 04, 2004 2:58 AM Subject: Re: clever virus attack (Att. Dalal) > i seriously doubt you are running Outlook 2000. the program depends on an > Exchange server running on a separate machine for handling mail and is > designed for medium to large businesses. ISP's don't use Exchange servers > for email because they are too easy to hack, cost too much money, and > require much bigger machines than running POP3 servers. run Windows Update > from your Start Menu and it takes care of everything automatically. > > Herb > - Original Message - > From: "Tanya Mayer Photography" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, March 03, 2004 6:21 PM > Subject: RE: clever virus attack (Att. Dalal) > > > > > > Hey guys, I just went to the microsoft site to download the patch and > > discovered that it varies depending on the Outlook Express version you are > > running. This is fine, BUT, I am running Microsoft Outlook 2000 and it > > isn't indicated anywhere. Any idea what I should do? > >
RE: clever virus attack
> When I tried to open the attached zip-file my virus program (Norton)
> stopped it!

> When I opened the zip file using the password, McAfee was able to find
> it and identify it as W32/[EMAIL PROTECTED]

Wow, I am quite shocked that some of you would continue to open attached file from unknown source. DON'T RELY ON YOUR ANTI-VIRAL PROGRAM! Unless you fully expected to receive such a file, JUST DELETE IT if you don't know what it is all about.

--
--Lawrence Kwan--SMS Info Service/Ringtone Convertor--PGP:finger/www--
[EMAIL PROTECTED] http://www.vex.net/~lawrence/ -Key ID:0x6D23F3C4--
Re: clever virus attack (Att. Dalal)
you need to find a different email program. MS Outlook is porous to virus writers without a server in front of it that is filtering them for you. MS updates Outlook far less often than Outlook Express and it remains vulnerable for much longer, even with addon antivirus programs. MS relies on Exchange server to do all of the heavy work and that is where they put their security fixes. you're running a much larger risk of a virus sneaking through and damaging things than users of Outlook Express, and they already are considered porous. there are many email clients that can keep track of your incoming and outgoing emails at least as well if not a lot better, although none of the lightweight ones come with calendaring. virtually all of them are more secure against virus attacks than any of the MS products. Herb... - Original Message - From: "Tanya Mayer Photography" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 03, 2004 9:20 PM Subject: RE: clever virus attack (Att. Dalal) > I don't know which "Outlook 2000" you are referring to, but I assure you > that when I go to the "Help" menu and click on "About Microsoft Outlook" it > says that I am using "Microsoft Outlook 2000 - (9.0.0.2711) Internet Mail > Only". It is the email software that comes with Microsoft Office 2000, and > I really like using it as it keeps track of my in and outgoing emails to my > individual clients, and also my appointments etc. I have no idea which > "Outlook 2000" you are thinking of?
Re: clever virus attack (Att. Dalal)
From: "Anthony Farr" <[EMAIL PROTECTED]> > It just means Mark Dalal's address is in the infected computer's address > book. Are you sure? I can't seem to find a virus on my computer but I want to be sure before I go emailing people. Thanks, Mark
RE: clever virus attack (Att. Dalal)
Herb, I don't know which "Outlook 2000" you are referring to, but I assure you that when I go to the "Help" menu and click on "About Microsoft Outlook" it says that I am using "Microsoft Outlook 2000 - (9.0.0.2711) Internet Mail Only". It is the email software that comes with Microsoft Office 2000, and I really like using it as it keeps track of my in and outgoing emails to my individual clients, and also my appointments etc. I have no idea which "Outlook 2000" you are thinking of? tan. -Original Message- From: Herb Chong [mailto:[EMAIL PROTECTED] Sent: Thursday, 4 March 2004 11:59 AM To: [EMAIL PROTECTED] Subject: Re: clever virus attack (Att. Dalal) i seriously doubt you are running Outlook 2000. the program depends on an Exchange server running on a separate machine for handling mail and is designed for medium to large businesses. ISP's don't use Exchange servers for email because they are too easy to hack, cost too much money, and require much bigger machines than running POP3 servers. run Windows Update from your Start Menu and it takes care of everything automatically. Herb - Original Message - From: "Tanya Mayer Photography" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 03, 2004 6:21 PM Subject: RE: clever virus attack (Att. Dalal) > > Hey guys, I just went to the microsoft site to download the patch and > discovered that it varies depending on the Outlook Express version you are > running. This is fine, BUT, I am running Microsoft Outlook 2000 and it > isn't indicated anywhere. Any idea what I should do?
Re: clever virus attack (Att. Dalal)
i seriously doubt you are running Outlook 2000. the program depends on an Exchange server running on a separate machine for handling mail and is designed for medium to large businesses. ISP's don't use Exchange servers for email because they are too easy to hack, cost too much money, and require much bigger machines than running POP3 servers. run Windows Update from your Start Menu and it takes care of everything automatically. Herb - Original Message - From: "Tanya Mayer Photography" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 03, 2004 6:21 PM Subject: RE: clever virus attack (Att. Dalal) > > Hey guys, I just went to the microsoft site to download the patch and > discovered that it varies depending on the Outlook Express version you are > running. This is fine, BUT, I am running Microsoft Outlook 2000 and it > isn't indicated anywhere. Any idea what I should do?
Re: clever virus attack (Att. Dalal)
It just means Mark Dalal's address is in the infected computer's address book. regards, Anthony Farr - Original Message - From: "Lasse Karlsson" <[EMAIL PROTECTED]> > Got one too a few hours ago. > Mark Dalal's email address noted as sender in the mailinfo .. > (snip)
Re: clever virus attack
Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software." As far as I've seen, these things are never in proper English. It is a consistent tipoff. Joe
Re: clever virus attack
This backs up what I speculated on Feb 26, that there must be a 'honeymoon period' for a virus between its first release into the wild, and the time that the big AV companies produce an update for it. The first they'd know about a new virus is when their customers complain they've been infected despite having an up-to-date AV. A company like Symantec would NEVER admit that they offered no protection for a new virus, so trust your own instinct (that it IS a virus) rather than a clean bill of health from Symantec that might be based on out of date information.

regards,
Anthony Farr

- Original Message -
From: "Tanya Mayer Photography" <[EMAIL PROTECTED]>

> Ok guys, this is VERY scary!
>
> I too got the same email with it using www.tanyamayer.com as the server etc.
> BUT, I suspected immediately that it was a virus, and neither my email
> server (which is set up to remove viruses before they get to me) NOR my
> Norton's picked it up. I immediately sent it to Symantec, who then sent me
> an email back saying that they had scanned it and it was clean!!
>
> My virus definitions were updated on the 2 March!!
>
> I am SO worried now! Do you think it was missed because it was a zip file?
> I was SO close to opening it when Symantec said it was "clean", jeez I am
> glad that I didn't now!!
>
> tan.
Re: clever virus attack
We got a bunch of these at work allegedly from our admin ([EMAIL PROTECTED]), but again they were spoofed addresses. After you've been around email for a while you get a pretty good feel about which are legit and which aren't.

chris

On Wed, 3 Mar 2004, Stan Halpin wrote:

> I just received the following from someone spoofing me. But
> it is very believable...
>
> ---
> Dear user of Stans-photography.info e-mail server gateway,
>
> Some of our clients complained about the spam (negative e-mail content)
> outgoing from your e-mail account. Probably, you have been infected by
> a proxy-relay trojan server. In order to keep your computer safe,
> follow the instructions.
>
> For further details see the attach.
>
> For security purposes the attached file is password
> protected. Password is "16120".
>
> Have a good day,
> The Stans-photography.info team
> http://www.stans-photography.info
>
>
> I am sure you will all be happy to know that there is now a
> "Stans-photography.info team " I did not know that before
> either.
>
> Be careful - you can get hurt out there.
>
> Stan
Re: clever virus attack (Att. Dalal)
Gee, I was thinking the same thing. If you want a client with a similar interface, try The Bat (www.ritlabs.com). I have had way fewer problems in general since getting away from MS Outlook Express. -- Best regards, Bruce Wednesday, March 3, 2004, 3:36:11 PM, you wrote: MR> "Tanya Mayer Photography" <[EMAIL PROTECTED]> wrote: >>Hey guys, I just went to the microsoft site to download the patch and >>discovered that it varies depending on the Outlook Express version you are >>running. This is fine, BUT, I am running Microsoft Outlook 2000 and it >>isn't indicated anywhere. Any idea what I should do? MR> Get rid of Outhouse Express. MR> http://www.pmail.com (It's free)
Re: clever virus attack (OT)
Hi, > I got the same thing. It comes from email harvesters that found our > email address on the PUG site. I've just received 51 of them in one go, addressed to non-existent email addresses. Anything that ends '@ my domain name' is routed by my isp to a postmaster account. The spammers try out different things, like '[EMAIL PROTECTED]', '[EMAIL PROTECTED]' etc. -- Cheers, Bob
Re: clever virus attack
Hi, > "Our antivirus software has detected a large ammount of viruses outgoing > from your email account, you may use our free anti-virus tool to clean up > your computer software." > Bad spacing between words and the word "ammount" gave me a cue... ...to say nothing of using 'amount' with a countable noun. Shocking! -- Cheers, Bob
Re: clever virus attack (OT)
I got the same thing. It comes from email harvesters that found our email address on the PUG site. I traced it to some computer in Poland. rg [EMAIL PROTECTED] wrote: today I got this message from [EMAIL PROTECTED] Dear user of Mindspring.com, Your e-mail account has been temporary disabled because of unauthorized access. Advanced details can be found in attached file. Attached file is protected with the password for security reasons. Password is 16120. Cheers, The Mindspring.com team http://www.mindspring.com And it had a nice little .zip attached called "readme.zip" I didn't read it... Christian - Original Message - From: "Mark Cassino" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 03, 2004 4:21 PM Subject: Re: clever virus attack (OT) Something new (for me) that I got yesterday was an eBay spoof asking you to click on a link and "update" your personal info on eBay. What was new was that the text was mixed into a long string of garbage with some sort of HTML formatting that only showed the intended message. SO this: "duringnourgreguiarwupdatekandbverificationmofztheoaccounts,ywelcouidn'tt verifynyourpcurrentvinformation.weitheriyourginformationmhashchangedcorp itsiscincomplete. "aswauresult,eyourmaccessttofbidzorabuyloneebayahaslbeenirestricted.ctoxs tartbusingwebaybaccountgfully,xpieasehupdatesandjverifyoyoureinformation ibyzciicki!" Showed up as "During our regular update and verification of the account, we couldn't verify etc..." Seemed really odd (I only noticed the string of garbage when I highlighted the message to send it to [EMAIL PROTECTED]) I wonder why they bothered to encode the message that way - I doubt it anti-virus or even spam software somehow would block the unscrambled message... - MCC - Mark Cassino Photography Kalamazoo, MI http://www.markcassino.com -
Re: clever virus attack (Att. Dalal)
Got one too a few hours ago.
Mark Dalal's email address noted as sender in the mailinfo (while the sender in my reader gave a "noreply" + my isp as sender). Whether it means Mark is infected, or just got his address stolen I don't know.
(The same password that others reported).
Just deleted it. My McAfee virus scan didn't find anything wrong with the attached "Message.zip"-file.

Lasse

At http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] where there is more info on it, says:

[EMAIL PROTECTED] is a worm that spreads by email and steals information from a user's machine. The email has the following characteristics:

Subject: your account [random string]
Attachment: message.zip

The threat captures information from certain windows on a user's desktop and emails it to specific mail addresses.

This threat takes advantage of known vulnerabilities: MS02-15 and MS03-14. A Microsoft patch is located at: http://www.microsoft.com/windows/ie/downloads/critical/330994/default.asp. We encourage system administrators to apply the Microsoft patch to prevent infection by this worm.

The worm is packed with UPX.

Virus definitions with a version number of 50801r, also known as August 1, 2003 rev 18, or greater will detect this threat.

Symantec Security Response has created a tool to remove [EMAIL PROTECTED] "
Re: clever virus attack (OT)
today I got this message from [EMAIL PROTECTED] Dear user of Mindspring.com, Your e-mail account has been temporary disabled because of unauthorized access. Advanced details can be found in attached file. Attached file is protected with the password for security reasons. Password is 16120. Cheers, The Mindspring.com team http://www.mindspring.com And it had a nice little .zip attached called "readme.zip" I didn't read it... Christian - Original Message - From: "Mark Cassino" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 03, 2004 4:21 PM Subject: Re: clever virus attack (OT) > Something new (for me) that I got yesterday was an eBay spoof asking you to > click on a link and "update" your personal info on eBay. > > What was new was that the text was mixed into a long string of garbage with > some sort of HTML formatting that only showed the intended message. SO this: > > "duringnourgreguiarwupdatekandbverificationmofztheoaccounts,ywelcouidn'tt > verifynyourpcurrentvinformation.weitheriyourginformationmhashchangedcorp > itsiscincomplete. > > "aswauresult,eyourmaccessttofbidzorabuyloneebayahaslbeenirestricted.ctoxs > tartbusingwebaybaccountgfully,xpieasehupdatesandjverifyoyoureinformation > ibyzciicki!" > > Showed up as > > "During our regular update and verification of the account, we couldn't > verify etc..." > > Seemed really odd (I only noticed the string of garbage when I highlighted > the message to send it to [EMAIL PROTECTED]) I wonder why they bothered to > encode the message that way - I doubt it anti-virus or even spam software > somehow would block the unscrambled message... > > - MCC > > - > > Mark Cassino Photography > > Kalamazoo, MI > > http://www.markcassino.com > > - > >
Re: clever virus attack (OT)
Something new (for me) that I got yesterday was an eBay spoof asking you to click on a link and "update" your personal info on eBay.

What was new was that the text was mixed into a long string of garbage with some sort of HTML formatting that only showed the intended message. SO this:

"duringnourgreguiarwupdatekandbverificationmofztheoaccounts,ywelcouidn'tt
verifynyourpcurrentvinformation.weitheriyourginformationmhashchangedcorp
itsiscincomplete.

"aswauresult,eyourmaccessttofbidzorabuyloneebayahaslbeenirestricted.ctoxs
tartbusingwebaybaccountgfully,xpieasehupdatesandjverifyoyoureinformation
ibyzciicki!"

Showed up as

"During our regular update and verification of the account, we couldn't verify etc..."

Seemed really odd (I only noticed the string of garbage when I highlighted the message to send it to [EMAIL PROTECTED]) I wonder why they bothered to encode the message that way - I doubt it anti-virus or even spam software somehow would block the unscrambled message...

- MCC

-
Mark Cassino Photography
Kalamazoo, MI
http://www.markcassino.com
-
RE: clever virus attack
Hi
I got a similar one earlier today, saying my server had been out of order, because someone had tried to get unauthorized access to my email account. The funny thing is, the access code was the same and my mail has been out of order for a day or two!!! When I tried to open the attached zip-file my virus program (Norton) stopped it!

All the best
Jens Bladt
mailto:[EMAIL PROTECTED]
http://hjem.get2net.dk/bladt

-Original Message-
From: Stan Halpin [mailto:[EMAIL PROTECTED]
Sent: 3 March 2004 21:49
To: PDML list
Subject: clever virus attack

I just received the following from someone spoofing me. But it is very believable...

---
Dear user of Stans-photography.info e-mail server gateway,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

For further details see the attach.

For security purposes the attached file is password protected. Password is "16120".

Have a good day,
The Stans-photography.info team
http://www.stans-photography.info

I am sure you will all be happy to know that there is now a "Stans-photography.info team " I did not know that before either.

Be careful - you can get hurt out there.

Stan
Re: clever virus attack
I got something similar also: "Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software." Bad spacing between words and the word "ammount" gave me a cue... Andre
clever virus attack
I just received the following from someone spoofing me. But it is very believable...

---
Dear user of Stans-photography.info e-mail server gateway,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

For further details see the attach.

For security purposes the attached file is password protected. Password is "16120".

Have a good day,
The Stans-photography.info team
http://www.stans-photography.info

I am sure you will all be happy to know that there is now a "Stans-photography.info team " I did not know that before either.

Be careful - you can get hurt out there.

Stan
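
The lures quoted in this thread attach a password-protected ZIP and put the password in the message body, so a gateway scanner that cannot decrypt the archive has nothing to inspect. A mail-filter check for that pairing follows, as an added example that is not part of the original thread; the function names, verdict labels and example.com addresses are assumptions, and the sample message and archive are constructed.

```python
"""Flag mail that carries an encrypted ZIP and hands over its password in the body.

Added illustration: names and verdict labels are assumptions, samples are constructed.
"""
import io
import re
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Wording used by the lures quoted in the thread: 'Password is 16120.'
PASSWORD_HINT = re.compile(r'\bpassword\s+is\s+"?([^\s".]+)', re.IGNORECASE)

# Constructed sample body, modelled on the message quoted in the thread.
LURE_BODY = (
    "Your e-mail account has been temporary disabled because of unauthorized access.\n"
    "Attached file is protected with the password for security reasons.\n"
    "Password is 16120.\n"
)


def encrypted_members(blob):
    """Return names of ZIP entries whose general-purpose flag bit 0 (encrypted) is set."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            # The central directory is readable without the password.
            return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []


def inspect_message(raw):
    """Classify one raw RFC 5322 message: 'quarantine', 'unscannable' or 'scan'."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hint = PASSWORD_HINT.search(text)
    locked = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Identify archives by content, not by file name or declared MIME type.
        if encrypted_members(payload):
            locked.append(part.get_filename() or "(unnamed)")
    if locked and hint:
        verdict = "quarantine"      # encrypted archive plus its password in the body
    elif locked:
        verdict = "unscannable"     # content scanning cannot see inside
    else:
        verdict = "scan"            # hand over to the normal attachment scanner
    return {"verdict": verdict, "locked": locked,
            "password": hint.group(1) if hint else None}


def constructed_zip(encrypted):
    """Build a harmless one-file ZIP, optionally with the 'encrypted' flag bit set.

    Constructed test data: the payload is plain text and is not really encrypted;
    only the header flag that a filter reads is changed.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "harmless placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flags are at offset 6 of the local header and offset 8 of the central record.
        for offset in (data.find(b"PK\x03\x04") + 6, data.find(b"PK\x01\x02") + 8):
            (flags,) = struct.unpack_from("<H", data, offset)
            struct.pack_into("<H", data, offset, flags | 0x1)
    return bytes(data)


def constructed_message(body, attachment=None):
    """Build a constructed sample message; the addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "team@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "E-mail account disabled"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip",
                           filename="readme.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "lure": constructed_message(LURE_BODY, constructed_zip(True)),
        "encrypted, no hint": constructed_message("See attached.", constructed_zip(True)),
        "plain zip": constructed_message(LURE_BODY, constructed_zip(False)),
    }
    for name, raw in samples.items():
        print(name, inspect_message(raw))
```

The check reads only the ZIP central directory, so it works without the password and does not depend on the attachment's file name.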