Hi All,

Being a relatively new user of The Bat (I previously used Becky Mail), until today, I had not received a virus or worm in my e-mail. Today, one of the users on one of my mailing lists sent an e-mail that had the IFrame Exploit worm. I've seen this worm before, when I used Becky. I do know it is an older worm, and it takes advantage of a security hole in Internet Explorer 5.01, 5.5, and Outlook (and I'm guessing Outlook Express). I also know it does not affect Internet Explorer 6.0 or Windows XP (both of which I have). I use Kaspersky Personal as my anti-virus program, and it caught this worm, as I was pulling in my e-mail off the server.

My experience in the past has been with Becky...and when I received such an e-mail, Kaspersky wouldn't let me *touch* the thing, even to delete it. The only way to get rid of it was to go into my Becky directory, find the offending temp and mailbox files, turn off my Kaspersky Monitor, and directly delete the thing holding down my SHIFT key, so as to bypass the Recycle Bin. I then scanned everything on my system thoroughly, to make sure that all was well.

With The Bat, things seemed to work a bit differently. When I went through the process of pulling the file off of the server, Kaspersky flagged the infected mail immediately...so quickly in fact, that I later found the message was still on the server. The only remnant on my system was in a temp file located in the Local Settings\Temp folder, in a file called bat130.tmp (Local Settings being a hidden folder nestled in the file of origination which was "Documents and Settings").

I originally thought the infected e-mail was from a friend of mine as I had just opened her e-mail (on a different e-mail account) at the same time the new headers were downloading from this account, and Kaspersky screeched at me. I always check the headers on the server before bringing anything in, just for this reason, but since all were from my mailing lists, I figured all were safe.

Anyway, I found out after scanning for the worm that the file indeed came from an address originating from one of my subscribed mailing lists. I have gotten verification of this since, from another user on the same list that received the same infected e-mail on his e-mail server. To make a long story shorter, I never got to actually *see* if the infected e-mail was ever downloaded to my Inbox in The Bat, but I suspect not (and it's definitely not there now). Since I thought it was being brought in from my other e-mail account, I never looked.

After Kaspersky gave me the name of the sender of the infected e-mail, and I was later able to identify the same e-mail on the server, it appears it made it only as far as The Bat temp file listed above.

Where are The Bat temp files usually housed on Windows XP machines? When using The Bat following the deletion of the temp file I mentioned above, I noticed that a similar temp file was *not* created in that directory. Is a Bat temp file only located there when The Bat is pulling e-mail off the server, and then the temp file gets deleted? I guess what I'm wondering is the locations where The Bat temp files are kept so that in the future, I can scan those areas if I suspect an infected e-mail.

Also, by deleting the Bat temp file I'd mentioned above, how much e-mail can I expect to lose? Just the one e-mail, or all from that day? With Becky, I lost an entire day's e-mail when this problem occurred. Not good. :(

Thanks in advance.

--
Best regards,
Kim

________________________________________________
Current version is 1.62 | "Using TBUDL" information: http://www.silverstones.com/thebat/TBUDLInfo.html

