Post by thread:[OT]:NMX a virus?

> Hello, > > Im wondering if anyone has recvd an e-mail with a subject > line NMX attached. Sender want me to look at this file. > Just got one from someone I dont know > > rgds, > > Robert Francisco Anything like that from anyone I don't know goes straight in the bin. Are they chatty, did they ask nicely, is there a reason why they think you should look at it ? If not, screw them, bin it. Just because "the world's a smaller place" because of email doesn't mean people can take liberties -- http://www.piclist.com#nomail Going offline? Don't AutoReply us! email .....listservKILLspam@spam@mitvma.mit.edu with SET PICList DIGEST in the body

At 01:44 PM 8/14/01 +1200, Jinx wrote: > > Hello, > > > > Im wondering if anyone has recvd an e-mail with a subject > > line NMX attached. Sender want me to look at this file. > > Just got one from someone I dont know Email them back, and ask them to send it as a zip. few (no?) viruses/worms use zipfiles. -- Dave's Engineering Page: http://www.dvanhorn.org I would have a link to http://www.findu.com/cgi-bin/find.cgi?KC6ETE-9 here in my signature line, but due to the inability of sysadmins at TELOCITY to differentiate a signature line from the text of an email, I am forbidden to have it. -- http://www.piclist.com#nomail Going offline? Don't AutoReply us! email listservKILLspammitvma.mit.edu with SET PICList DIGEST in the body

At the risk of proliferating the dread virus discussions - This is very very likely the Sir_Cam virus. Its standard message is along the lines - Hi! How are you? I send you this file in order to have your advice See you later. Thanks If you get a message with this message text the attachment will be a randomly chosen file from their PC with the virus embedded in it. Delete without opening !!! Russell McMahon > Hello, > > Im wondering if anyone has > recvd an e-mail with a subject > line NMX attached. Sender want > me to look at this file. > Just got one from someone I > dont know. -- http://www.piclist.com hint: To leave the PICList .....piclist-unsubscribe-requestKILLspam.....mitvma.mit.edu

> > > Im wondering if anyone has recvd an e-mail with a subject > > > line NMX attached. Sender want me to look at this file. > > > Just got one from someone I dont know I just look at them with a hex viewer, they always start with MZ, which marks the file as an .exe and yes its a virus. The hex viewer also lets you see other data in the file. You can save it as a .txt file and look at it in notepad or other text editor. Just be careful that windows doesn't try to run it, normally if it is tagged .txt windows will just load the data into the text viewer and it's pretty safe. -Roman -- http://www.piclist.com hint: To leave the PICList EraseMEpiclist-unsubscribe-requestspam_OUTTakeThisOuTmitvma.mit.edu

On Tue, Aug 14, 2001 at 11:38:55PM +1000, Roman Black wrote: > > You can save it as a .txt file and look at it in > notepad or other text editor. Just be careful that > windows doesn't try to run it, normally if it is > tagged .txt windows will just load the data into > the text viewer and it's pretty safe. However be REALLY sure, that it is .txt, and not .txt.exe or .txt.pif or something like this. Many worms/viruses send themselves in attachments with such extensions. When window$ displays filenames with hidden extensions (the default setting), the user may think that she/he is opening the safe "txt" file, while in fact she/he is running the infected EXE or script :-(. BTW. Has someone estimated the losses in global economy caused by crappy design of M$ OS'es? -- Wojciech M. Zabolotny http://www.ise.pw.edu.pl/~wzab <--> wzabspam_OUTise.pw.edu.pl http://www.debian.org Use Linux - save your data and time -- http://www.piclist.com hint: To leave the PICList @spam@piclist-unsubscribe-requestKILLspammitvma.mit.edu

Ned Seith wrote: > > Roman, > > Again, please excuse my ignorance. > > I wasn't aware that virus files started with 4D5Ah. > > I would then imagine that 4D5Ah must be Norton and McAffee's first filter? Ha ha! Not quite so simple, small .exe files start with MZ. This has been a dos standard since very early days. If a file starts with MZ you can be pretty sure that it is a program that does something. So don't delete all these files from your computer! That's all we need, an Anti-Virus program that deletes every MZ file from your hard disk... ;o) -Roman -- http://www.piclist.com hint: To leave the PICList KILLspampiclist-unsubscribe-requestKILLspammitvma.mit.edu

O'Reilly John E NORC wrote: > > .pif is like a shortcut IIRC. The reason the file has two extensions is > that the default windows setup is to hide extensions of know file types. > So, this file would show up as ??????.xls, making you think it's an excel > spreadsheet. The very first thing I do when using a Windows computer is disable write cacheing and make it UN-hide file extensions. Both are very smart things to do when you're dealing with Bill's software. :o) -Roman -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu

> BTW. Has someone estimated the losses in global economy caused by crappy > design of M$ OS'es? > -- Hadn't you noticed, since George W Bush (pronounced Toxic Texan) became World President, the World has shrunk to the size of the USA. Now the Global Economy doesn't matter, only the American Economy and as Micro$oft IS the American Economy..... It costs money to produce good software, and as aliens (i.e. Non US Citizens) are prepared to pay for crappy software why should Micro$oft hurt it's bottom line and hence the American Economy by producing good software. Of course I am not serious, I'm just giving the Menwith Hill Computers something to do. 8-) Regards Chris Carr -- http://www.piclist.com hint: To leave the PICList spamBeGonepiclist-unsubscribe-requestspamBeGonemitvma.mit.edu

... the country is now recovering from the 'party- on-Garth mentality' that over-took Washington some eight years ago - while Nero fiddled (w/Monica) the seeds to our ills were being planted ... Menwith Hill! Ha! AS IF every danged wireline circuit ran though there! I wish SOMEBODY would tally up just how much *real* compute power would be needed to do 1/100th of what they *claim* Echelon is capable of ... Jim {Original Message removed}

Un-hiding the file extensions is a very good idea, I always do it. However some extensions can't be unhidden without hacking the registry. Among the always hidden extensions are .lnk and .pif, both shortcuts to executables. This is how the SirCam virus bit the IT manager at our parent company. He saved an attachment to his desktop and it showed as filename.xls. He was expecting an updated spreadsheet from the sender so, he opened it. In reality the file was named filename.xls.pif so, SirCam executed and then started Excel and loaded the spreadsheet. To really make all file extensions show, remove all keys in the registry named "NeverShowExt". In addition to the usual warnings about hacking the registry, anyone doing this should be aware that all desktop and start menu items will now show as shortcutname.lnk or shortcutname.pif. It definitely makes the menu and desktop look ugly. Paul {Quote hidden}> > .pif is like a shortcut IIRC. The reason the file has two extensions is > > that the default windows setup is to hide extensions of know file types. > > So, this file would show up as ??????.xls, making you think > it's an excel > > spreadsheet. > > > The very first thing I do when using a Windows > computer is disable write cacheing and make it > UN-hide file extensions. Both are very smart things > to do when you're dealing with Bill's software. > :o) > -Roman -- http://www.piclist.com hint: To leave the PICList TakeThisOuTpiclist-unsubscribe-requestEraseMEspam_OUTmitvma.mit.edu

>You can save it as a .txt file and look at it in >notepad or other text editor. Just be careful that >windows doesn't try to run it, normally if it is >tagged .txt windows will just load the data into >the text viewer and it's pretty safe. >-Roman Better yet, don't view it by clicking on it. Open your favorite viewer first and use Open to read the file in. >The very first thing I do when using a Windows >computer is disable write cacheing Where do I go to change write cacheing? >regarding the attachment, it >is an .xls.pif. > I'd rather not ask the sender >what it is- afraid of being on >more mass mailing list. >rf Since it is a worm or virus, it is exceedingly likely the sender isn't even aware of any of this, and couldn't tell you anything. Barry -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu

Barry Gershenfeld wrote: <snip> > >Since it is a worm or virus, it is exceedingly >likely the sender isn't even aware of any of this, >and couldn't tell you anything. > But if you receive a virus from someone that you do know, you really ought to let them know that their system is infected. It's probably best not to be laughing at them when you do though (as much as you might be tempted to). :=) Regards, Bob _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestEraseME.....mitvma.mit.edu

On Tue, Aug 14, 2001 at 03:01:36PM -0500, Jim wrote: > > Menwith Hill! Ha! AS IF every danged wireline > circuit ran though there! I wish SOMEBODY > would tally up just how much *real* compute > power would be needed to do 1/100th of what > they *claim* Echelon is capable of ... > One of my friends loves the Echelon people so much that he configured his mail agent ("mutt" I think) that way that it adds to each message the additionall header lines: X-encr-line1:Pp354232fj65340wdfgmj*^$%45estreretrhfghh X-encr-line2:fbghy6634132we3$%&*&refdsf345344543534545 ... Certainly the each line contains the random characters generated by a really good random number generator, Yes, I know it causes the vasting of bandwith, but probably steals a lot of Echelon computing power as well. BTW. If someone really wants to send something which should be hidden, the best method for him is to hide the message with steganographic techniques (see http://members.tripod.com/steganography/stego/softwareunix.html ) in a big ".jpg" file (eg. "My new wonderful car" or so) and send it not to the real recipient but just to the public forum (eg. alt.binaries.pictures.... ) with a previously agreed subject. The real recipient can retrieve the message without leaving almost any traces that the hidden message was transferred. (Sender can additionally use MixMaster or another anonymizing system). Well, "Echelon" may be good in stealing of trade secrets or investigating of dummiest criminals. The really dangerous people probably know much better methods than described above (which anyway is Echelon-safe). -- Regards, Wojciech M. Zabolotny http://www.ise.pw.edu.pl/~wzab <--> EraseMEwzabise.pw.edu.pl http://www.debian.org Linux - free OS for free people! -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestEraseMEEraseMEmitvma.mit.edu

> regarding the attachment, it is an .xls.pif. I'd rather not ask > the sender what it is- afraid of being on more mass mailing > list. File has been deleted. Problem solved > > Thx, > > rf Beware anything with 2 extensions. SirCam is rife around the mail groups (what an absolute waste of bandwidth worms are) and one of its characteristics is to change and add extensions. If you have AV s/w it should detect a virus when you save the file -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestspam_OUTKILLspammitvma.mit.edu