On Mon, Jul 15, 2002 at 04:56:04PM +0200, Thomas Baker wrote:
> I use Cygwin Mutt 1.2.5i (2000-07-05) on Win2000 and just
> got messages from two people with a short text message
> saying "Your password is 12zxjkjl123kjl12jz". But the
> size of each of the messages, according to Mutt, was 65k.
> After viewing the message with the default viewer (only),
> my virus protector popped up with a message to the effect
> that c:\tmp\mutt-mutt-LEPIDUS-2136-12 was infected with
> the Exploit.IFrame.FileDownload virus. Before deleting,
> I looked at its file entry -- it was roughly 250k and bore
> a time-stamp of several minutes earlier, when I had been
> reading the message. I saved one of the messages to a file
> named "virus" and tried opening it with vim, but got a
> message like "file is readonly". I deleted that too.
>
> According to F-Secure Web site, this is a virus that exploits
> a flaw in Internet Explorer, and by extension mail readers
> that use it, such as Outlook. No surprise there! The only
> surprise to me is that 250k infected file which appeared
> in my c:/tmp. What kind of things does Mutt park there,
> and where could that big file have come from?? Surely Mutt
> would not have uncompressed anything without telling me...?

There is a new variant of a virus called Frethem.K that sends a text file and a file called decrypt-password.exe. This virus exploits IE and Outlook's function to be able to run the executable just when the message is viewed. There should have been another attachment with your mail. We just started getting hit with it at my work this morning. You can check out http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM.K to read more about it.

-- rich
