PICList Thread
'[OT]: Virus Again'
2001\04\03@140012 by Dan Michaels

I just received another e-mail from the HaHaHa guy labelled

Snow White .....

Comes around about once a week. Contains an attachment named
Joke.exe which has the virus:

W32/Hybris.gen@M

I presume they got my email address from piclist - anyone
else seeing the same thing?

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics


2001\04\03@140516 by John Pfaff

It's not actually coming from the HaHaHa guy, it's coming from somebody who
opened joke.exe on their own computer and you're in that person's address
book.  I don't know if you can tell where it came from by examining the
headers.  I've gotten it twice in the last week myself, but the virus
scanner on our server doesn't pass the executable, just a message saying
that the executable was stopped.

{Original Message removed}

2001\04\03@140705 by Rob S

>I presume they got my email address from piclist - anyone
>else seeing the same thing?
>
Yes, I receive the same funny stuff.
Doesn't do much unless you have for instance Lookout Express auto-executing
the file...

Just deleted it (again).

Rob



2001\04\03@141920 by Dan Larson

I've seen it on my company email account, but not on this one.

When I see something like Joke.exe attached, I always assume, that if
I run it, the Joke's on ME! ...

Dan

On Tue, 3 Apr 2001 14:00:12 -0400, Dan Michaels wrote:

{Quote hidden}



2001\04\03@143001 by Dan Michaels

Rob S wrote:
>>I presume they got my email address from piclist - anyone
>>else seeing the same thing?
>>
>Yes, I receive the same funny stuff.
>Doesn't do much unless you have for instance Lookout Express auto-executing
>the file...
>
>Just deleted it (again).
>

Speaking of which - I deleted Lookout Express months ago :).



2001\04\03@144347 by Chris Carr

Dan Michaels wrote


> I just received another e-mail from the HaHaHa guy labelled
>
> Snow White .....
>
> Comes around about once a week. Contains an attachment named
> Joke.exe which has the virus:
>
> W32/Hybris.gen@M
>
> I presume they got my email address from piclist - anyone
> else seeing the same thing?
>
Yes I got it, but I forgot to look at the header to see where it had
actually originated from before I deleted it. Duh

Regards

Chris



2001\04\03@154912 by jamesnewton

My copy came from 196.31.123.75 (i.e. the first line of the message header
is from 196.31.123.75)

If that matches yours then report it to:
Re:196.31.123.75 (Administrator of network where email originates)
  To: spam_OUTpostmasterTakeThisOuTspammweb.co.za (Notes)
  To: .....abuseKILLspamspam@spam@mweb.co.za (Notes)


Re:196.31.123.75 (ORBS open relay automated testing system)
  To: relaysspamKILLspamorbs.org (Notes)

---
James Newton (PICList Admin #3)
.....jamesnewtonKILLspamspam.....piclist.com 1-619-652-0593
PIC/PICList FAQ: http://www.piclist.com or .org

{Original Message removed}

2001\04\03@160135 by Nigel Goodwin

In message <00e001c0bc6d$3acf5fa0$4b47073e@dougal>, Chris Carr
<EraseMEnyedspam_OUTspamTakeThisOuTBTINTERNET.COM> writes
>Dan Michaels wrote
>
>
>> I just received another e-mail from the HaHaHa guy labelled
>>
>> Snow White .....
>>
>> Comes around about once a week. Contains an attachment named
>> Joke.exe which has the virus:
>>
>> W32/Hybris.gen@M
>>
>> I presume they got my email address from piclist - anyone
>> else seeing the same thing?
>>
>Yes I got it, but I forgot to look at the header to see where it had
>actually originated from before I deleted it. Duh

I don't think it would help?, this virus uses a forged header - so you
can't tell who it's coming from. I've been getting 2-3 a week for the
past few months, and haven't been able to find where they are coming
from. Luckily I don't use Outlook or Outlook Express, and I run Norton
Internet Security which identifies it nicely (I've still got a few
copies in quarantine!).
--

Nigel.

       /--------------------------------------------------------------\
       | Nigel Goodwin   | Internet : nigelgspamspam_OUTlpilsley.co.uk           |
       | Lower Pilsley   | Web Page : http://www.lpilsley.co.uk       |
       | Chesterfield    | Official site for Shin Ki and New Spirit   |
       | England         |                 Ju Jitsu                   |
       \--------------------------------------------------------------/



2001\04\03@163741 by jamesnewton

IP addresses are not spoofable except under very extreme conditions
requiring a fault in the receiving program as well as the transmitting one.

spamcop.net uses the reported IP address to track back to the source rather
than the name that the joke.exe program reports itself as. Of course, when I
say source, I mean the machine that joke.exe is running on, not the machine
that the programmer who wrote joke.exe is working from.

Please correct me if anyone knows more.

Compiling a list of the headers that people are receiving this with will
allow us to track down the exact source and email him to fix it.

---
James Newton (PICList Admin #3)
@spam@jamesnewtonKILLspamspampiclist.com 1-619-652-0593
PIC/PICList FAQ: http://www.piclist.com or .org

{Original Message removed}

2001\04\03@164819 by Brian Reed

>it's coming from somebody who opened joke.exe on their own computer
>and you're in that person's address book.

IIRC this is not an address book exploit - the virus modifies part of the
PC's connection to the internet (its 'socket' software perhaps) and then
filters ALL incoming and outgoing data looking for email addys.

- Bri


>It's not actually coming from the HaHaHa guy, it's coming from somebody
>who
>opened joke.exe on their own computer and you're in that person's address
>book.  I don't know if you can tell where it came from by examining the
>headers.  I've gotten it twice in the last week myself, but the virus
>scanner on our server doesn't pass the executable, just a message saying
>that the executable was stopped.
>
>{Original Message removed}

2001\04\04@015551 by Nigel Goodwin

In message <KILLspam200104031650290594.13501DC2KILLspamspamfemail14.sdc1.sfba.home.com>, Brian Reed
<RemoveMEpiclistTakeThisOuTspamREEDONLINE.COM> writes
>>it's coming from somebody who opened joke.exe on their own computer
>>and you're in that person's address book.
>
>IIRC this is not an address book exploit - the virus modifies part of the
>PC's connection to the internet (its 'socket' software perhaps) and then
>filters ALL incoming and outgoing data looking for email addys.

If you look at Norton's website (http://www.norton.com), there are full
details about it!

I received another copy this morning, this was the address it supposedly
came from.

Received: from fred.centsys.co.za (ndf-dial-196-31-123-75.mweb.co.za
[196.31.123.75])

--

Nigel.

       /--------------------------------------------------------------\
       | Nigel Goodwin   | Internet : spamBeGonenigelgspamBeGonespamlpilsley.co.uk           |
       | Lower Pilsley   | Web Page : http://www.lpilsley.co.uk       |
       | Chesterfield    | Official site for Shin Ki and New Spirit   |
       | England         |                 Ju Jitsu                   |
       \--------------------------------------------------------------/

--
http://www.piclist.com hint: The PICList is archived three different
ways.  See http://www.piclist.com/#archives for details.


2001\04\04@031858 by Caisson

> From: Dan Michaels <TakeThisOuToricomEraseMEspamspam_OUTUSWEST.NET>
> To: RemoveMEPICLISTspamTakeThisOuTMITVMA.MIT.EDU
> Subject: [OT]: Virus Again
> Date: Tuesday 3 April 2001 20:00

Hello Dan,

 I received a message from this guy (girl ?) also.  But mine had an
attachment "midgets.scr" ...

Regards,
 Rudy Wieser

{Quote hidden}



2001\04\04@040312 by Ben Suffolk

Our email system scans for viruses and it recently (yesterday) sent me an email
saying that it had detected a virus in joke.exe and thus would not let me have
the email so I don't know who it came from but I guess the email address was
found via the piclist also.

Ben




Please respond to pic microcontroller discussion list <PICLISTEraseMEspam.....MITVMA.MIT.EDU>
{Quote hidden}

*******************************************************************************
Important. This E-mail is intended for the above named person and may be
confidential and/or legally privileged. If this has come to you in error you
must take no action based on it, nor must you copy or show it to anyone; please
inform the sender immediately.
*******************************************************************************



2001\04\04@055551 by Alan B. Pearce

I have not had any copies of this, nor any notification from the corporate mail
server, despite recently sending a mail with my address embedded in it, so if it
does scan mails it is either someone no longer on the list, or someone not
connected with the list.



2001\04\04@072625 by Wynn Rostek

> IIRC this is not an address book exploit - the virus modifies part of the
> PC's connection to the internet (its 'socket' software perhaps) and then
> filters ALL incoming and outgoing data looking for email addys.
>
> - Bri
>

What does IIRC stand for?

Wynn



2001\04\04@073653 by Michael Rigby-Jones

> -----Original Message-----
> From: Wynn Rostek [SMTP:EraseMEwynnrspamGOLDENPRS.COM]
> Sent: Wednesday, April 04, 2001 12:25 PM
> To:   RemoveMEPICLISTEraseMEspamEraseMEMITVMA.MIT.EDU
> Subject:      Re: [OT]: Virus Again
>
> > IIRC this is not an address book exploit - the virus modifies part of
> the
> > PC's connection to the internet (its 'socket' software perhaps) and then
> > filters ALL incoming and outgoing data looking for email addys.
> >
> > - Bri
> >
>
> What does IIRC stand for?
>
> Wynn
>
If I Recall Correctly



2001\04\04@113255 by Dan Michaels

Rudy Wieser wrote:
>> From: Dan Michaels <RemoveMEoricomspam_OUTspamKILLspamUSWEST.NET>
>> To: RemoveMEPICLISTTakeThisOuTspamspamMITVMA.MIT.EDU
>> Subject: [OT]: Virus Again
>> Date: Tuesday 3 April 2001 20:00
>
>Hello Dan,
>
>  I received a message from this guy (girl ?) also.  But mine had an
>attachment "midgets.scr" ...
>

Rudy, I also received an e-mail about a week ago with an .SCR attachment
[forget the exact name]. I absentmindedly clicked on it, thinking it was
something mailed from someone I knew, as I had received e-mail from
him at the same time - and he always sends me little pics/jpgs/etc
[but your name shall not be revealed to piclist, Captain J :)].

Anyway, after clicking on the stupid attachment, I ran a scan on my
HD and found a virus file ABCDEFGH.EXE in my windows directory. I
am not completely sure that it was not on the HD before that, but
you might check anyway.

best regards,
-da michaels
=================



2001\04\04@153211 by Alan Brumley

.SCR = .EXE


-----Original Message-----
From: pic microcontroller discussion list
[EraseMEPICLISTspamspamspamBeGoneMITVMA.MIT.EDU]On Behalf Of Dan Michaels
Sent: Wednesday, April 04, 2001 10:33 AM
To: RemoveMEPICLISTKILLspamspamMITVMA.MIT.EDU
Subject: Re: [OT]: Virus Again


Rudy Wieser wrote:
{Quote hidden}

Rudy, I also received an e-mail about a week ago with an .SCR attachment
[forget the exact name]. I absentmindedly clicked on it, thinking it was
something mailed from someone I knew, as I had received e-mail from
him at the same time - and he always sends me little pics/jpgs/etc
[but your name shall not be revealed to piclist, Captain J :)].

Anyway, after clicking on the stupid attachment, I ran a scan on my
HD and found a virus file ABCDEFGH.EXE in my windows directory. I
am not completely sure that it was not on the HD before that, but
you might check anyway.

best regards,
-da michaels
=================



2001\04\04@172806 by Nigel Goodwin

In message <KILLspam200104040715.JAA08706spamBeGonespamdegas.telebyte.nl>, Caisson
<EraseMEcaissonspamEraseMETELEBYTE.NL> writes
>> From: Dan Michaels <@spam@oricom@spam@spamspam_OUTUSWEST.NET>
>> To: spamBeGonePICLISTspamKILLspamMITVMA.MIT.EDU
>> Subject: [OT]: Virus Again
>> Date: Tuesday 3 April 2001 20:00
>
>Hello Dan,
>
>  I received a message from this guy (girl ?) also.  But mine had an
>attachment "midgets.scr" ...

The virus also changes the name of the attachment, it comes under
various aliases :-).
--

Nigel.

       /--------------------------------------------------------------\
       | Nigel Goodwin   | Internet : .....nigelgspam_OUTspamlpilsley.co.uk           |
       | Lower Pilsley   | Web Page : http://www.lpilsley.co.uk       |
       | Chesterfield    | Official site for Shin Ki and New Spirit   |
       | England         |                 Ju Jitsu                   |
       \--------------------------------------------------------------/



2001\04\05@161615 by Peter L. Peres

>Please correct me if anyone knows more.

In theory one can trace the hosts the message went through backwards
through the header list. In practice, some internal relay domains will
often appear in the list and those cannot be checked or reached from the
outside (not even NS or reverse lookup). Plus some evil programs seem to
forge more than one header. People who look through the list and go for
its head may mistakenly send abuse complaints to hostmasters of hosts that
never saw that message. You really need to build a list of IPs backwards
through the header, checking each for name (is resolvable). Do not assume
that the first or last found forgery is really the one you are looking
for. Good luck.

Peter

--
http://www.piclist.com#nomail Going offline? Don't AutoReply us!
email TakeThisOuTlistserv.....spamTakeThisOuTmitvma.mit.edu with SET PICList DIGEST in the body
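
The backward walk through the Received headers discussed in this thread, as an added example that is not part of the original posts: it lists the hops newest first, flags internal relays and HELO names that disagree with the reverse-DNS name the receiving server recorded, and returns the only address worth reporting, the one stamped by a server you control. The `my_servers` set and every value in the sample except the Received line quoted earlier in the thread are assumptions; no DNS lookups are made, and a private-range test stands in for "cannot be reached from the outside".

```python
import email
import ipaddress
import re

# Constructed sample. Only the host names and IP in the second Received line
# are taken from the thread; every other value is made up.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [10.0.0.5])
\tby mail.example.org with ESMTP; Wed, 4 Apr 2001 06:50:01 +0100
Received: from fred.centsys.co.za (ndf-dial-196-31-123-75.mweb.co.za [196.31.123.75])
\tby mx.example.org with SMTP; Wed, 4 Apr 2001 06:49:58 +0100
Received: from pc1 (pc1.example.invalid [203.0.113.7])
\tby fred.centsys.co.za with SMTP; Wed, 4 Apr 2001 06:49:00 +0100
From: hahaha@example.invalid
Subject: Snow White
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
                    r"\[(?P<ip>[0-9A-Fa-f:.]+)\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def parse_hops(raw):
    """Return the Received hops, newest first (top of the header block)."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        m, by = HOP_RE.search(flat), BY_RE.search(flat)
        try:
            ip = ipaddress.ip_address(m["ip"])
        except (TypeError, ValueError):           # no match or malformed IP
            continue                              # skip it, never guess
        hops.append({
            "helo": m["helo"], "rdns": m["rdns"], "ip": str(ip),
            "by": by.group(1) if by else None,
            "internal": ip.is_private,            # not checkable from outside
            "helo_mismatch": bool(m["rdns"]) and m["helo"].lower() != m["rdns"].lower(),
        })
    return hops

def report_candidate(raw, my_servers):
    """IP our outermost server recorded for the machine that connected to it."""
    ip = None
    for hop in parse_hops(raw):
        if hop["by"] not in my_servers:
            break          # written by a machine we do not control: a claim, not evidence
        if not hop["internal"]:
            ip = hop["ip"]
    return ip
```

Headers below the last hop stamped by your own server are reported by `parse_hops` but deliberately ignored by `report_candidate`, since the sending machine can write anything there.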



'[OT]: Virus again'
2003\02\26@131725 by Attila Muhi
Hi,

Got a virus contaminated mail, must be from piclist, with Bob Ammerman as originator. I erased it immediately and of course denied the prompt for the script file.

Regards

Attila - SM4RAN

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads
