PICList Thread
'[OT]: Heads up! Lots of Virus incoming?'
2001\07\23@163559 by jamesnewton

I've gotten 5 emails today all carrying a virus with .pif or .doc as the
file name extension but that are actually executables. The emails all say
something like "I send you this file in order to have your advice" except
for one which appears to be a mail bounce notice

They have been posted by
142.177.77.1 = hlfx27-1.ns.sympatico.ca
195.80.173.138 = collak.profi.sk spam_OUTpostmasterTakeThisOuTspamprofi.sk
200.52.208.19 = customer-VER-208-19.megared.net.mx
.....grosadoKILLspamspam@spam@megared.com.mx
194.29.160.2 = elektron.elka.pw.edu.pl postmasterspamKILLspampw.edu.pl

Let me know if anyone else gets these and NEVER open an attachment that you
didn't expect to receive or that you don't know is not a program. PIF and
DOC can be programs just as easily as EXE, COM, VVS.

---
James Newton, Admin #3 .....jamesnewtonKILLspamspam.....piclist.com
1-619-652-0593 VM 1-208-279-8767 FAX
PIC/PICList FAQ: http://www.piclist.com or .org

--
http://www.piclist.com hint: The PICList is archived three different
ways.  See http://www.piclist.com/#archives for details.


2001\07\23@170637 by Spehro Pefhany

At 01:34 PM 7/23/01 -0700, James Newton. Admin 3 wrote:

>Let me know if anyone else gets these and NEVER open an attachment that you
>didn't expect to receive or that you don't know is not a program. PIF and
>DOC can be programs just as easily as EXE, COM, VVS.
Isn't .scr an executable as well?

Not from those sources, but I got one from a gal I often talk with at a
supplier in the Far East this morning with the .pif extension. NAV
reports it to contain  W32.Sircam.Worm. It also had the "I send you this
file in order to have your advice" text.

This virus apparently sends itself to people in your address book at
random, and picks a file name to use from the hapless user as well.
The file was named (actual file name).doc.pif, so (l)users who
use software that hides file extensions may only see the ".doc" 8-(

So, you get a fairly plausible message and filename from someone you
*know* and..

Best regards,
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Spehro Pefhany --"it's the network..."            "The Journey is the reward"
EraseMEspeffspam_OUTspamTakeThisOuTinterlog.com             Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog  Info for designers:  http://www.speff.com
Contributions invited->The AVR-gcc FAQ is at: http://www.bluecollarlinux.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
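
The `.doc.pif` naming described in the post above can be checked on the raw message before it reaches a mail client that hides extensions. The Python sketch below is an added example, not part of the original thread or any poster's setup; the extension lists, function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a Windows mail client would launch on a double-click
# (assumed list for this example; extend to match local policy).
EXECUTABLE_EXTS = {"pif", "exe", "com", "bat", "scr", "lnk", "vbs"}
# Document-type extensions that make a name look harmless.
DECOY_EXTS = {"doc", "xls", "zip", "txt", "jpg"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = name.lower().rstrip(". ").split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for each flagged attachment in a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and classify_filename(name) != "ok":
            findings.append((name, classify_filename(name)))
    return findings

def build_sample():
    """Constructed message: one disguised attachment and one ordinary document."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Budget notes"
    m.set_content("I send you this file in order to have your advice\n")
    m.add_attachment(b"MZ (constructed bytes)", maintype="application",
                     subtype="octet-stream", filename="Budget notes.doc.pif")
    m.add_attachment(b"(constructed bytes)", maintype="application",
                     subtype="msword", filename="minutes.doc")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```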



2001\07\23@171332 by Mike


James Newton. Admin 3 wrote:
> I've gotten 5 emails today all carrying a virus with .pif or .doc as the
> file name extension but that are actually executables. The emails all say
> something like "I send you this file in order to have your advice" except
> for one which appears to be a mail bounce notice
>
> They have been posted by
> 142.177.77.1 = hlfx27-1.ns.sympatico.ca
> 195.80.173.138 = collak.profi.sk postmasterspamspam_OUTprofi.sk
> 200.52.208.19 = customer-VER-208-19.megared.net.mx
> @spam@grosadoKILLspamspammegared.com.mx
> 194.29.160.2 = elektron.elka.pw.edu.pl KILLspampostmasterKILLspamspampw.edu.pl
>
> Let me know if anyone else gets these and NEVER open an attachment that you
> didn't expect to receive or that you don't know is not a program. PIF and
> DOC can be programs just as easily as EXE, COM, VVS.

More information on this one can be had at:
www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html
-- Mike Werner  KA8YSD   | He that is slow to believe anything and
                     | everything is of great understanding,
'91 GS500E            | for belief in one false principle is the
Morgantown WV         | beginning of all unwisdom.





2001\07\23@172205 by Randy Glenn

I got one with a file with the extension ".doc.zl3" - anyone have any idea
what a ZL3 file is?

-Randy Glenn

Measure twice, cut once, discard, repeat.
=================================================
    spamBeGonePICxpertspamBeGonespamhome.com - TakeThisOuTPICxpertEraseMEspamspam_OUTyahoo.com
PICxpert.com going away - use picxpert.dyndns.org
   Not that the site works yet, of course...
=================================================


2001\07\23@181501 by Carl
In the last 3 days I've gotten about 5 emails with a virus attached.
All different types of attachments: .doc, .xls, .zip.
This is WAY higher than my normal virus detection (about 1 every couple
of months).

I was wondering if I was being singled out, but now it appears that
other people are also experiencing this problem.

The headers show all different sources, but for some reason (I'm not sure
why) I get the feeling that they are in some way mail list related.
I've noticed one of the virii coming in a TAPR list I subscribe to.  I'm
not sure what the common denominator is yet, but I'm still looking.

BTW, if you have an attachment with a .zl extension, that's ZoneAlarm's
active email protection 'quarantining' the attachment by adding/changing
the extension.


Carl




2001\07\23@183749 by John Pfaff

I actually got Happy99.exe the other day.  I thought I had gone through
a time warp.

jp



2001\07\23@185637 by Rick Gutleber

The SirCam Outlook virus is wreaking havoc on e-mail.  I've gotten
attachments from about 10 different people and several megabytes from an
e-mail address in Mexico that overflowed my e-mail account's inbox.  I bet
this one makes the national nightly news because this virus adversely
affects people who are not infected, like me.

Rick


2001\07\24@033607 by spam

I got a virus this morning on an e-mail stating that I had paid my
dues for 2001 in September 2000, attached my cheque number.
The attachment was actually NEWPROF.EXE -
I have not tried it out, but a file of this name exists in windows NT.
It creates a new user profile.
Kent



--
http://www.piclist.com#nomail Going offline? Don't AutoReply us!
email @spam@listserv@spam@spamspam_OUTmitvma.mit.edu with SET PICList DIGEST in the body


2001\07\25@092653 by Dave

I got that virus that asks for advice or whatever. Seems stupid that an exe
is being renamed like that though. Non computer literate users will not know
how to run it, literate ones should know better.

Take a look inside the executable at the strings contained in it:

---
Before the spy incident Willie was the bully and always used to play
baseball, but Norman was always used to read and he was very smart. Willie
thought Norman was a "Nerd" and Norman thought Willie was a bully.

It plays a big part because if the coincident never happened they would have
never heard the thing that says S.O.S. The town is affected because they
never thought that they both could do such a thing.

I think Willie has changed more because when he grows up he becomes a
sectary when he grows up. I think the story is called "The boy with the
yellow eyes" because Norman, who is the boy with the yellow eyes (because he
reads a lot), is more of a main character in the story.

When Norman was asked if he had missed his friends while grown up and he
replied "Not at all. I had Huck and Tom Sawyer". He meant he had books when
he was growing up.

I think the author is saying is any talent you have rather it's reading
books a lot or always playing baseball or any other sport you be anything
you want to when you grow up as long as you try and you put your head in to
it. I don't know how I would sum up her thoughts.
---

Looks like a kid's assignment or something. Any ideas?

Regards,

David Stubbs

WEB: http://www.nti-uk.com
TEL UK: 07968 397782

--
http://www.piclist.com hint: To leave the PICList
spamBeGonepiclist-unsubscribe-requestspamKILLspammitvma.mit.edu


2001\07\25@110521 by Spehro Pefhany

At 11:15 AM 7/25/01 +0100, you wrote:
>Looks like a kids assignment or something. Any ideas?

It apparently grabs a legitimate file from "My Documents" and
attaches itself to the file. This is probably the biggest risk with
the virus- your private information is being distributed.

As far as not knowing how to run it, I think if you use MS products
such as Outlook Express it would be a matter of clicking on the
attachment. Most anybody can do that.

Best regards,

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Spehro Pefhany --"it's the network..."            "The Journey is the reward"
.....speffspam_OUTspaminterlog.com             Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog  Info for designers:  http://www.speff.com
Contributions invited->The AVR-gcc FAQ is at: http://www.bluecollarlinux.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



2001\07\25@112135 by Roman Black

Spehro Pefhany wrote:
>
> At 11:15 AM 7/25/01 +0100, you wrote:
> >Looks like a kids assignment or something. Any ideas?
>
> It apparently grabs a legitimate file from "My Documents" and
> attaches itself to the file. This is probably the biggest risk with
> the virus- your private information is being distributed.
>
> As far as not knowing how to run it, I think if you use MS products
> such as Outlook Express it would be a matter of clicking on the
> attachment. Most anybody can do that.


Hi everyone, this virus is going BERSERK on the motorbike
lists, mainly "moms and pops" type people who use their
new computer like a consumer. Most using MS Outlook.
:o(

I expect this to be BIG NEWS in a few days, it has to get
the media's attention soon.

Also a warning re the info above, there is gossip that
the virus picks VALID EMAIL SUBJECTS FROM YOUR ADDRESS BOOK.
That is why it's going berserk, people who you have emailed
re a topic might get emailed back by the virus with the
same subject listed. VERY nasty.

I notice James has been silent and the list has been slow,
anyone guessing the poor guy's going crazy chasing viruses??
:o)
-Roman



2001\07\25@144631 by Dave

Hey,

Seems stupid that Windows will run any win32 executable even if the
extension is changed. That's just asking for trouble. Has anyone ever run
this file? What does it do? I just wonder what it does with the personal
info it collects and how this is a threat except for people who examine the
file finding the confidential information.

I hate people who write viruses. I hope that somebody catches this kid.

Regards,

David Stubbs

WEB: http://www.nti-uk.com
TEL UK: 07968 397782



2001\07\25@153426 by Dale Botkin

On Wed, 25 Jul 2001, David Stubbs wrote:

> Hey,
>
> Seems stupid that Windows will run any win32 executable even if the
> extension is changed. That's just asking for trouble. Has anyone ever run
> this file? What does it do? I just wonder what it does with the personal
> info it collects and how this is a threat except for people who examine the
> file finding the confidential information.
>
> I hate people who write viruses. I hope that somebody catches this kid.

The extension is changed to some other extension that Windows with Outlook
will automatically execute, or that will be hidden by the default Windows
settings.  Unfortunately, with Windows you can just about pick any three
letter group and stand a fair chance of Windows thinking it's executable.

As for what it does...  well, it's a worm, it mails itself all over the
place attached to a .doc file from your hard drive, apparently.  I hope
someone catches the kid and beats him to death with a large fish.  On TV.

Dale
--
A train stops at a train station.  A bus stops at a bus station.
On my desk I have a workstation...



2001\07\25@215412 by Scott Stephens

From: David Stubbs <RemoveMEn0p3xspamspamBeGoneN0P3X.WORLDONLINE.CO.UK>
Subject: Re: [OT]: Heads up! Lots of Virus incoming?

>Take a look inside the executable at the strings contained in it:

I got the Fruitex letter-worm, it just had stuff about fruit in it.

>Looks like a kids assignment or something. Any ideas?

From http://www.rain.org/~da5e/nlpfaq.html "5. The meaning of a
communication is the response you get. "

I thought about it, analyzed it, and found, like a Rorschach test, it said
more about me than the perp. Check out
http://www.mastery.net/_laughsonline/humor02e.htm and
http://www.psych.upenn.edu/humor.html . We think logically, our gadgets don't
work if we don't.

Scott

****************************************************************
Freedom is pursuing your carrot, not running from a stick.
The mob only rules what its members are allowed to achieve.

"And the worms ate into his brain" - Pink Floyd
****************************************************************



2001\07\26@042958 by Alan B. Pearce

>As for what it does...  well, it's a worm, it mails itself all over the
>place attached to a .doc file from your hard drive, apparently.  I hope
>someone catches the kid and beats him to death with a large fish.  On TV.
>
>Dale
>--
>A train stops at a train station.  A bus stops at a bus station.
>On my desk I have a workstation...

which has now become a virus station....

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads


2001\07\26@081229 by Dale Botkin

On Thu, 26 Jul 2001, Alan B. Pearce wrote:

> >As for what it does...  well, it's a worm, it mails itself all over the
> >place attached to a .doc file from your hard drive, apparently.  I hope
> >someone catches the kid and beats him to death with a large fish.  On TV.
> >
> >Dale
> >--
> >A train stops at a train station.  A bus stops at a bus station.
> >On my desk I have a workstation...
>
> which has now become a virus station....

Nope, not once.  So far the Linux mail gateway, Norton Antivirus and/or I
have intercepted them all.

Dale
--
A train stops at a train station.  A bus stops at a bus station.
On my desk I have a workstation...



2001\07\27@063142 by P.J. McCauley

Are you using ZoneAlarm by any chance? ZoneAlarm adds an extra extension to
files to "quarantine" them.

Joe

----- Original Message -----
From: "Randy Glenn" <TakeThisOuTPICxpertspamspamHOME.COM>
To: <PICLISTEraseMEspamMITVMA.MIT.EDU>
Sent: Monday, July 23, 2001 10:20 PM
Subject: Re: [OT]: Heads up! Lots of Virus incoming?



2001\07\27@100050 by Dave

> So, you get a fairly plausible message and filename from someone you
> *know* and..

I haven't known any of the people who sent me this virus, and there have
been a lot. Why does everybody have me in their address book :(

Regards,

David Stubbs

WEB: http://www.nti-uk.com
TEL UK: 07968 397782



2001\07\28@044146 by Dave

Hmm.

I just found this info about how to extract the files from the virus.

dd if=file.xls.bat bs=512 skip=268 of=file.xls

You need access to Linux though as dd is a Linux tool. Not sure if there is
a Windows equivalent. I'm sure it wouldn't be too hard to make one though.

Anyway, I'm sure you know the moral implications of looking at other people's
files... Just thought you may be interested.

Regards,

David Stubbs

WEB: http://www.nti-uk.com
TEL UK: 07968 397782
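
For incident responders who need to establish which document a received sample carried, the `dd` command quoted in the post above can be reproduced portably. The Python sketch below is an added example, not part of the original thread: it copies everything past `bs*skip` bytes (the values are the ones quoted in the post, not independently verified) and reports whether the carved data starts with a known document header. The function names, the magic-byte table and the sample file are constructed for illustration.

```python
import os
import shutil
import tempfile

BLOCK_SIZE = 512    # bs=512 in the dd command above
SKIP_BLOCKS = 268   # skip=268 in the dd command above
# Leading bytes of the container formats behind .doc/.xls and .zip files.
MAGIC = {bytes.fromhex("d0cf11e0a1b11ae1"): "ole2", b"PK\x03\x04": "zip"}

def carve_appended(src, dst, block_size=BLOCK_SIZE, skip_blocks=SKIP_BLOCKS):
    """Copy everything past block_size*skip_blocks bytes of src into dst.

    Returns (bytes_written, kind); kind is 'ole2', 'zip' or 'unknown'.
    Raises ValueError when src has no data past the skipped region.
    The input is only read as data and is never executed.
    """
    offset = block_size * skip_blocks
    size = os.path.getsize(src)
    if size <= offset:
        raise ValueError(f"{size}-byte file has nothing past offset {offset}")
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fin.seek(offset)
        head = fin.read(8)
        fout.write(head)
        shutil.copyfileobj(fin, fout)
    kind = next((k for m, k in MAGIC.items() if head.startswith(m)), "unknown")
    return size - offset, kind

def demo():
    """Build a constructed sample (filler + fake OLE2 document) and carve it."""
    doc = bytes.fromhex("d0cf11e0a1b11ae1") + b"constructed document body"
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "file.xls.bat")
        dst = os.path.join(tmp, "file.xls")
        with open(src, "wb") as f:
            f.write(b"\x00" * (BLOCK_SIZE * SKIP_BLOCKS) + doc)
        written, kind = carve_appended(src, dst)
        with open(dst, "rb") as f:
            recovered = f.read()
        short = os.path.join(tmp, "short.bat")
        with open(short, "wb") as f:
            f.write(b"\x00" * 100)
        try:
            carve_appended(short, dst)
            short_rejected = False
        except ValueError:
            short_rejected = True
    return written, kind, recovered == doc, short_rejected

if __name__ == "__main__":
    print(demo())
```

An `unknown` result means the fixed offset did not land on a recognised document header, in which case the carved output should not be trusted as the original file.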

