Yep, this is a virus. Seems like they just added their .exe file to the bottom of a security bulletin. Here's what good ol' Symantec has to say about it.

http://www.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
>
> From: John Hebert <[EMAIL PROTECTED]>
> Date: 2002/03/09 Sat PM 11:34:09 EST
> To: [EMAIL PROTECTED]
> Subject: [brluglist] M$ virus writers are getting clever was Fwd: Internet Security Update
>
> Dang, but virus writers are getting clever. I just received this. The tip off
> was that I had never received software updates via email from M$ before. I
> know that I had registered with M$ in the past at a previous job, but damn,
> that was 3 years ago. I'm pretty sure it is an attempt by a virus writer to
> get me to run an infected file. What do you think?
>
> --- Microsoft Corporation Security Center <[EMAIL PROTECTED]> wrote:
> > From pop_server."john"@mail.eatel.net Sat Mar 9 20:17:29 2002
> > From: "Microsoft Corporation Security Center" <[EMAIL PROTECTED]>
> > To: "Microsoft Customer" <'[EMAIL PROTECTED]'>
> > Subject: Internet Security Update
> > Reply-to: <[EMAIL PROTECTED]>
> > Date: Sat, 9 Mar 2002 21:51:00 +0000
> >
> >
> > Microsoft Customer,
> >
> > this is the latest version of security update, the
> > "5 Mar 2002 Cumulative Patch" update which eliminates all
> > known security vulnerabilities affecting Internet Explorer and
> > MS Outlook/Express as well as six new vulnerabilities, and is
> > discussed in Microsoft Security Bulletin MS02-005. Install now to
> > protect your computer from these vulnerabilities, the most serious of which
> > could allow an attacker to run code on your computer.
> >
> >
> > Description of several well-know vulnerabilities:
> >
> > - "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.
> > If a malicious user sends an affected HTML e-mail or hosts an affected
> > e-mail on a Web site, and a user opens the e-mail or visits the Web site,
> > Internet Explorer automatically runs the executable on the user's computer.
> >
> > - A vulnerability that could allow an unauthorized user to learn the location
> > of cached content on your computer. This could enable the unauthorized
> > user to launch compiled HTML Help (.chm) files that contain shortcuts to
> > executables, thereby enabling the unauthorized user to run the executables
> > on your computer.
> >
> > - A new variant of the "Frame Domain Verification" vulnerability could enable a
> > malicious Web site operator to open two browser windows, one in the Web site's
> > domain and the other on your local file system, and to pass information from
> > your computer to the Web site.
> >
> > - CLSID extension vulnerability. Attachments which end with a CLSID file extension
> > do not show the actual full extension of the file when saved and viewed with
> > Windows Explorer. This allows dangerous file types to look as though they are simple,
> > harmless files - such as JPG or WAV files - that do not need to be blocked.
> >
> >
> > System requirements:
> > Versions of Windows no earlier than Windows 95.
> >
> > This update applies to:
> > Versions of Internet Explorer no earlier than 4.01
> > Versions of MS Outlook no earlier than 8.00
> > Versions of MS Outlook Express no earlier than 4.01
> >
> > How to install
> > Run attached file q216309.exe
> >
> > How to use
> > You don't need to do anything after installing this item.
> >
> >
> > For more information about these issues, read
> > Microsoft Security Bulletin MS02-005, or visit link below.
> > http://www.microsoft.com/windows/ie/downloads/critical/default.asp
> >
> > If you have some questions about this article contact us at [EMAIL PROTECTED]
> >
> > Thank you for using Microsoft products.
> >
> > With friendly greetings,
> > MS Internet Security Center.
> > ----------------------------------------
> > ----------------------------------------
> > Microsoft is registered trademark of Microsoft Corporation.
> > Windows and Outlook are trademarks of Microsoft Corporation.
> >
> >
> ATTACHMENT part 2 application/x-msdownload name=q216309.exe
>
> and here is the original header:
>
> > From pop_server."john"@mail.eatel.net Sat Mar 9 20:17:29 2002
> > Received: from mail.eatel.net by web10702.mail.yahoo.com with YMEXTPOP;
> >     Sat, 09 Mar 2002 20:17:29 PST
> > Received: from spf8.us4.outblaze.com (205-158-62-35.outblaze.com [205.158.62.35])
> >     by ens1.eatel.net (8.12.0/8.12.0) with SMTP id g29Lp7OM019567
> >     for <[EMAIL PROTECTED]>; Sat, 9 Mar 2002 15:51:08 -0600 (CST)
> > Received: from mtiwmhc22.worldnet.att.net (mtiwmhc22.worldnet.att.net [204.127.131.47])
> >     by spf8.us4.outblaze.com (8.11.6/8.11.6/us4-srs) with ESMTP id g29Lp1j19179
> >     for <[EMAIL PROTECTED]>; Sat, 9 Mar 2002 21:51:02 GMT
> > Received: from pfuckie ([12.90.11.176])
> >     by mtiwmhc22.worldnet.att.net (InterMail vM.4.01.03.27 201-229-121-127-20010626)
> >     with SMTP id <[EMAIL PROTECTED]>; Sat, 9 Mar 2002 21:50:01 +0000
> > From: "Microsoft Corporation Security Center" <[EMAIL PROTECTED]> | Block Address | Add to Address Book
> > To: "Microsoft Customer" <'[EMAIL PROTECTED]'>
> > Subject: Internet Security Update
> > Reply-to: <[EMAIL PROTECTED]>
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed; boundary="NextPart_000235"
> > Message-Id: <[EMAIL PROTECTED]>
> > Date: Sat, 9 Mar 2002 21:51:00 +0000
> > X-UIDL: #UF!!8h<!!kV*"!JM3"!
> > Content-Length: 112380
>
>
> I'm not sure if I should report this or let it run its
> course. If anybody wants the attached file, email me.
>
> John Hebert
>
> __________________________________________________
> Do You Yahoo!?
> Try FREE Yahoo! Mail - the world's greatest free email!
> http://mail.yahoo.com/
> ================================================
> BRLUG - The Baton Rouge Linux User Group
> Visit http://www.brlug.net for more information.
> Send email to [EMAIL PROTECTED] to change
> your subscription information.
> ================================================
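
The tip-off in this thread is an executable attached to a mail posing as a vendor bulletin. As an added example (not part of either message), this Python check flags such MIME parts by extension, CLSID suffix, declared type and PE magic bytes; the sample message, its example.com addresses and the extension and type lists are constructed for illustration.

```python
import email
import re
from email import policy

# File types Windows runs on double-click; illustrative, not exhaustive.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
# A trailing ".{CLSID}" makes Explorer hide the real extension.
CLSID_SUFFIX = re.compile(r"\.\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")

# Constructed sample shaped like the forwarded message. The address is a
# placeholder and the attachment is only the 4 bytes "MZ\x90\x00".
SAMPLE = b"\r\n".join([
    b'From: "Microsoft Corporation Security Center" <sender@example.com>',
    b"Subject: Internet Security Update",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="NextPart_000235"',
    b"",
    b"--NextPart_000235",
    b"Content-Type: text/plain",
    b"",
    b"Run attached file q216309.exe",
    b"--NextPart_000235",
    b'Content-Type: application/x-msdownload; name="q216309.exe"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"TVqQAA==",
    b"--NextPart_000235--",
])


def scan(raw: bytes) -> list:
    """Return (filename, [reasons]) for each part that should be quarantined."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        body = part.get_payload(decode=True) or b""
        checks = [
            ("executable extension", name.endswith(EXEC_EXTS)),
            ("CLSID suffix hides real type", bool(CLSID_SUFFIX.search(name))),
            ("executable MIME type", part.get_content_type() in EXEC_TYPES),
            ("PE header in body", body[:2] == b"MZ"),
        ]
        reasons = [why for why, hit in checks if hit]
        if reasons:
            findings.append((name, reasons))
    return findings
```

The magic-byte check matters most: it still fires when the attachment is renamed and given a harmless declared type.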
