Hi,
I just received an email with the following message:
"Symantec AntiVirus found a virus in an attachment you (my email address) sent to [EMAIL PROTECTED]
To ensure the recipient(s) are able to use the files you sent, perform a virus scan on your computer, clean any infected files, then resend this attachment.
Attachment: thank_you.pif Virus name: [EMAIL PROTECTED] Action taken: Quarantine succeeded : File status: Infected "
This is extremely nasty! See news article posted below...
It also has an attached file named: winmail42.dat (I didn't open it yet)
That isn't the virus... it's just one of those annoying "business card" attachments that many email clients add as a "feature".
The tricky thing here is that I have never sent such an email to anyone including the sender/recipient: [EMAIL PROTECTED]
Your computer may or may not be infected. Do you have any websites with uncloaked "MailTo" links? The article posted below indicates that this is spread via email only, but I am beginning to suspect a 'bot that harvests uncloaked "MailTo's" from web pages is also spreading this.
I have one website that is several years old for a local rock group. It hadn't been updated in a couple of years. Five of the pages were individual "bio" pages for the band members - each containing the member's individual email address as a "MailTo" that wasn't cloaked (I've since gone back in and cloaked all five after this morning's shenanigans - read on!)
This morning, I began getting bounces from the domain this site is hosted on. Every one had one of those five addresses in the "From:" field and the SoBig.F virus attached in one of the names listed in the article below! These are still coming in! Nowhere that I am aware of are all five addresses in the same place! They are not the band members' actual addresses, but addresses I created for each at my domain forwarded to their actual addresses.
So, how else could this be happening if not from a malicious harvester 'bot? Check your websites for any uncloaked "MailTos" and either remove them or cloak them!
Read the article below...
Cheers, Tom Fosson
So, what is this? What's going on? Was my computer infected by the virus mentioned? I have AVG running and checking my machine (WinME) every day and upgrading virus definitions every 3 days. Does anyone have any idea what I should or should not do about this? Thanks
KoaFar
This article is reprinted from http://www.eweek.com/article2/0,3959,1225395,00.asp
August 19, 2003 SoBig Virus Returns By Dennis Fisher
Welcome to the summer of the worm.
Hard on the heels of the Blaster worm outbreak, yet another version of the resilient and ever-popular SoBig virus began spreading rapidly on the Internet Tuesday morning. Known as SoBig.F, the new variant behaves much like its older siblings, infecting Windows machines via e-mail and sending out dozens of copies of itself.
The variant began spreading early Tuesday Eastern time, and by 9 a.m. Tuesday, MessageLabs Inc. had stopped more than 10,000 copies. The virus size is approximately 73 KB, and the attachment that actually contains the malicious code can carry any one of a number of names, according to iDefense Inc., a security company based in Reston, Va. Among the file names seen so far are:
application.pif
document_all.pif
details.pif
document_9446.pif
movie0045.pif
thank_you.pif
your_details.pif
your_document.pif
wicked_scr.scr
The subject line of the e-mail message that carries the attachment is also randomized, and many of the subjects are similar to previous SoBig variants. They include:
Re: Details
Re: Approved
Re: Re: My details
Re: That movie
Re: Thank you!
Re: Your application
Re: Wicked screensaver
Thank you!
Your details
SoBig.F installs a copy of itself in the Windows registry, in a file named "winppr32.exe." MessageLabs lists the worm as originating in the Netherlands, and its statistics show that SoBig.F has spread mainly in that country and Norway at this point. However, that is likely to change as workers in North America begin checking their e-mail Tuesday.
SoBig.F's appearance comes just eight days after the initial onset of the Blaster worm, which has infected several hundred thousand Windows PCs.
-----------------------
NOTE: In accordance with Title 17 U.S.C. section 107,
this material is distributed without profit or payment
to those who have expressed a prior interest in receiving
this information for non-profit research and educational
purposes only. For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
-----------------------
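
A mail-filter check built from the indicators in the reprinted article, as an added example that is not part of the original post or the article: it parses a message with Python's standard `email` package and flags the listed subjects, the listed attachment names, and any other .pif/.scr attachment. The function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names and subject lines exactly as listed in the article above.
ATTACHMENT_NAMES = {
    "application.pif", "document_all.pif", "details.pif", "document_9446.pif",
    "movie0045.pif", "thank_you.pif", "your_details.pif", "your_document.pif",
    "wicked_scr.scr",
}
SUBJECTS = {s.lower() for s in (
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: That movie",
    "Re: Thank you!", "Re: Your application", "Re: Wicked screensaver",
    "Thank you!", "Your details",
)}
EXECUTABLE_EXTENSIONS = (".pif", ".scr")  # file types used by the listed names


def inspect_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (kind, value) findings. The From: header is deliberately ignored:
    the thread shows it is forged with harvested addresses."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()
    # A subject hit alone is weak evidence ("Thank you!" is ordinary mail).
    if subject.lower() in SUBJECTS:
        findings.append(("subject", subject))
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if not name:
            continue
        if name.lower() in ATTACHMENT_NAMES:
            findings.append(("attachment-name", name))
        elif name.lower().endswith(EXECUTABLE_EXTENSIONS):
            # Names are randomized, so also catch unlisted .pif/.scr files.
            findings.append(("attachment-type", name))
    return findings


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment body is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "band-member@example.org"   # constructed address
    m["To"] = "someone@example.net"         # constructed address
    m["Subject"] = subject
    m.set_content("See the attached file for details")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A `winmail42.dat` attachment like the one mentioned in the thread produces no finding, since it is neither on the list nor a .pif/.scr file.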
