[36720] in North American Network Operators' Group


Virus warning, was: Re: All your NIC handles are belong to us

daemon@ATHENA.MIT.EDU (Kai Schlichting)
Wed Apr 18 10:59:23 2001

Date: Wed, 18 Apr 2001 10:56:34 -0400
From: Kai Schlichting <kai@pac-rim.net>
Message-ID: <125128055223.20010418105634@conti.nu>
To: nanog@merit.edu
Cc: "Marguerite Reardon" <reardon@lightreading.com>,
	postmaster@lightreading.com, <abuse@lightreading.com>,
	<postmaster@agora.com>, <abuse@agora.com>, <postmaster@thorn.net>,
	<abuse@thorn.net>
In-Reply-To: <019a01c0c813$43afc360$0c01a8c0@ltread.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


Hmm, my Norton AV/Win2000 just spit up a warning about the "W32.Badtrans.13312@mm" virus
file being detected in the following mail - as a SETUP.pif attachment.
Given that it quotes a 6-week old NANOG posting of mine, I am almost sure
that I am not the only recipient.

lightreading|agora|thorn copied FYI: you might want to give your user a phone call
about this, in case he doesn't read his email on a regular basis and/or if he is
blissfully unaware of what's transpiring on his machine.

http://www.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=28772 describes this
as a MAPI worm that uses a few more filenames to disguise itself:

Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif


I guess Norton/Symantec can change the "wild" level from "low" to "medium" now.

bye, Kai


> Received: from oboe.agora.com ([199.221.118.30])
>         by conti.nu (8.9.3/8.9.3) with ESMTP id KAA02337
>         for <kai@pac-rim.net>; Wed, 18 Apr 2001 10:24:28 -0400 (EDT)
> Received-Date: Wed, 18 Apr 2001 10:24:28 -0400 (EDT)
> Received: from maggie2 ([216.213.101.18]) by oboe.agora.com  with Microsoft SMTPSVC(5.5.1877.977.9);
>          Wed, 18 Apr 2001 10:20:34 -0400
> Message-ID: <019a01c0c813$43afc360$0c01a8c0@ltread.org>
> From: "Marguerite Reardon" <reardon@lightreading.com>
> To: <kai@pac-rim.net>
> Subject: Re: Re: All your NIC handles are belong to us  
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>         boundary="----=_NextPart_000_0197_01C0C7F1.BC7C91A0"
> X-Mailer: Microsoft Outlook Express 5.00.2615.200
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
> Date: 18 Apr 2001 10:20:34 -0400
> X-UIDL: 55e8d6494df8edb047065b7e1c036c3b

> 'Kai Schlichting' wrote:
> ====
> - 
> - *knock knock*
> - 
> - ALL YOUR NIC HANDLES ARE BELONG TO US.
> - 
> - The mystery with posts going to nowhere has re-appeared. No bounces
> - due to NANOG-post. No moderation notice. Nothing.
> - Does Majordomo mind Subjects starting with "OT:" ?
> - 
> - Feb 26 18:10:44 sonet sendmail[27445]: SAA27445: from=<kai@pac-rim.net>, size=2083, class=0, pri=32083, nrcpts=1, msgid=<6669287802.20010226180952@conti.nu>, bodytype=8BITMIME, proto=ESMTP,
> relay=localhost.conti.nu [127.0.0.1]
>  ...'


>> Take a look to the attachment. 
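As an added illustration, not part of Kai's message or of Symantec's write-up: the filenames quoted above all end in an executable extension (.pif or .scr), and most of them hide it behind a decoy document extension (.ZIP, .TXT, .DOC, .AVI, .MP3) so that Explorer's default "hide extensions for known file types" setting shows only the harmless-looking part. The Python below turns that observation into a mail-gateway attachment check and runs it over the names quoted in the post. The two extension sets are assumptions chosen for this example, not a list from the post or from any vendor product.

```python
# Attachment-name check in the spirit of the Badtrans list quoted above.
# The names below are copied from the post; the extension policy is an assumption.
BADTRANS_NAMES = [
    "Pics.ZIP.scr", "images.pif", "README.TXT.pif", "New_Napster_Site.DOC.scr",
    "news_doc.scr", "hamster.ZIP.scr", "YOU_are_FAT!.TXT.pif", "searchURL.scr",
    "SETUP.pif", "Card.pif", "Me_nude.AVI.pif", "Sorry_about_yesterday.DOC.pif",
    "s3msong.MP3.pif", "docs.scr", "Humor.TXT.pif", "fun.pif",
]

# Extensions Windows will run directly when double-clicked (assumed policy set).
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js"}
# Innocuous-looking extensions a worm puts in front of the real one (assumed set).
DECOY_EXTS = {"zip", "txt", "doc", "avi", "mp3", "jpg", "gif", "pdf"}


def classify_attachment(name):
    """Return 'allowed', 'no-extension', 'block:executable' or
    'block:double-extension' for an attachment filename."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "no-extension"
    outer = parts[-1]
    if outer not in EXECUTABLE_EXTS:
        return "allowed"
    # Executable extension; check whether it is hidden behind a decoy one.
    inner = parts[-2] if len(parts) >= 3 else None
    if inner in DECOY_EXTS:
        return "block:double-extension"
    return "block:executable"


def displayed_name(name):
    """What Explorer shows for the file when known extensions are hidden:
    everything before the last dot, which is exactly the decoy part."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def scan(names):
    """Classify every name; a gateway would drop or quarantine any 'block:*' hit."""
    return {n: classify_attachment(n) for n in names}


if __name__ == "__main__":
    for name, verdict in scan(BADTRANS_NAMES).items():
        print(f"{name:32} shown as {displayed_name(name):28} -> {verdict}")
```

Every name in the quoted list comes back as a block verdict; the `displayed_name` column is the point of the double extension, since "Pics.ZIP.scr" is shown to the user as "Pics.ZIP". A gateway rule keyed on the final extension, not on what the name looks like, is not fooled by it.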
