I received a copy of Bugbear last night. It had changed the sender's address (at least, from the fact that the email address wasn't valid, and someone else has seen a copy with a morph of his address, I think that is the case).
Sorry not to be linear in my reply, but the url below states "The worm also has the ability to construct addresses for the From: field from information harvested off the infected users system. For example, the worm may find the addresses [EMAIL PROTECTED], [EMAIL PROTECTED] and [EMAIL PROTECTED] Then the worm could create an email addressed to [EMAIL PROTECTED] and spoof the from address to report [EMAIL PROTECTED] The spoofed address can also be a valid email address found on the system." I know it tries to steal (via a keylogger) password, credit card information, etc. and tries to terminate firewall and antivirus programs. And it targets TB!: http:[EMAIL PROTECTED] "The second thread is responsible for the mass-mailing payload. It searches for email addresses in the current inbox and in files that have these extensions: .mmf .nch .mbx .eml .tbb .dbx .ocs" Subject headings of email containing the virus are: Hello! update Payment notices Just a reminder Correction of errors history screen Announcement various Introduction Interesting... I need help about script!!! Please Help... Report Membership Confirmation Get a FREE gift! Today Only New Contests Lost & Found bad news fantastic click on this! Market Update Report empty account My eBay ads 25 merchants and rising CALL FOR INFORMATION! new reading Sponsors needed SCAM alert!!! Warning! its easy free shipping! Daily Email Reminder Tools For Your Online Business New bonus in your cash account Your Gift $150 FREE Bonus! Your News Alert Get 8 FREE issues - no risk! Doug -- Doug's Archaeology Site http://www.ramtops.demon.co.uk ________________________________________________ Current version is 1.61 | "Using TBUDL" information: http://www.silverstones.com/thebat/TBUDLInfo.html
