Old 11-25-2001, 11:27 AM   #1
shane94
Registered User
 
Join Date: Mar 2001
Posts: 35
New Virus!

I have gotten about 10 emails with different names on them to my adult email accounts. When you click the email in Outlook it instantly tries to open and asks if you want to save it to disk or open.

The file says:
C:/Windows Temporary Internet Files\Content.IE5\SE5V8XAJ\stuff.mp3.pif

Of course I elect to close =)


Here is the message source:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 68392 invoked from network); 25 Nov 2001 18:37:20 -0000
Received: from unknown (HELO mail7.wlv.netzero.net) (209.247.163.57)
by 64.62.104.68 with SMTP; 25 Nov 2001 18:37:20 -0000
Received: (qmail 27427 invoked from network); 25 Nov 2001 18:00:54 -0000
Received: from dialup-64.154.123.49.dial1.omaha1.level3.net (HELO aol.com) (64.154.123.49)
by mail7.wlv.netzero.net with SMTP; 25 Nov 2001 18:00:54 -0000
From: "kira lefholtz" <[email protected]>
To: [email protected]
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1


And on one of the others:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 65328 invoked from network); 25 Nov 2001 10:08:29 -0000
Received: from unknown (HELO harrier.prod.itd.earthlink.net) (207.217.120.12)
by 64.62.104.68 with SMTP; 25 Nov 2001 10:08:29 -0000
Received: from pool-63.53.131.67.nwrk.grid.net ([63.53.131.67] helo=aol.com)
by harrier.prod.itd.earthlink.net with smtp (Exim 3.33 #1)
id 167vdv-0004nU-00
for [email protected]; Sun, 25 Nov 2001 01:32:07 -0800
From: "Greg Hoggatt" <[email protected]>
To: [email protected]
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <[email protected]>
Date: Sun, 25 Nov 2001 01:32:07 -0800

Looks like it attaches and sends out in your email possibly. If someone wants the file I can send it to you.

Shane
Old 11-25-2001, 11:30 AM   #2
shane94
Registered User
 
Join Date: Mar 2001
Posts: 35
And all of the subjects have been just
RE:

Shane
Old 11-25-2001, 11:32 AM   #3
quiet
we'll miss you our friend. RIP
 
Industry Role:
Join Date: Sep 2001
Location: Fernie, BC
Posts: 25,115
yeah, just got up and dled my email. over 100 of these damn things today. got around 20 the day before.
Old 11-25-2001, 11:55 AM   #4
Amputate Your Head
There can be only one
 
Industry Role:
Join Date: Aug 2001
Location: Somewhere else
Posts: 39,075
I got about a dozen of them before I got bored with the antics and filtered them out.
Old 11-25-2001, 11:57 AM   #5
pornsuite
Confirmed User
 
Join Date: Oct 2001
Posts: 651
I've been getting those too.
Old 11-25-2001, 11:57 AM   #6
pornsuite
Confirmed User
 
Join Date: Oct 2001
Posts: 651
Open it with winamp it has a really nice message too
Old 11-25-2001, 12:02 PM   #7
h0st
Confirmed User
 
Industry Role:
Join Date: Jul 2001
Location: Finland
Posts: 1,216
heh, just got my first of these kinds of mails, deleted right away..

.:h0st
Old 11-25-2001, 12:08 PM   #8
pornsuite
Confirmed User
 
Join Date: Oct 2001
Posts: 651
What about an email that says something like:

"I send you this file in order to have your advice."


they always have re: in the subject as well, anybody know what this one is? Most of the time it is a 300k attachment, one time I got like 200 of these in a day.
Old 11-25-2001, 12:10 PM   #9
Amputate Your Head
There can be only one
 
Industry Role:
Join Date: Aug 2001
Location: Somewhere else
Posts: 39,075
Quote:
Originally posted by pornsuite:
What about an email that says something like:

"I send you this file in order to have your advice."
hehe.... you too huh? I get those damn things all the time.... hard to filter out too cuz they're always coming from somewhere new...

Old 11-25-2001, 12:13 PM   #10
quiet
we'll miss you our friend. RIP
 
Industry Role:
Join Date: Sep 2001
Location: Fernie, BC
Posts: 25,115
Quote:
Originally posted by pornsuite:
What about an email that says something like:

"I send you this file in order to have your advice."


they always have re: in the subject as well, anybody know what this one is? Most of the time it is a 300k attachment, one time I got like 200 of these in a day.
that's the sircam virus. real bitch, cause of the big attachments. I was getting like 200+/day at one point. shut down that mailbox for a little while - don't really see them anymore.
Old 11-25-2001, 12:14 PM   #11
pornsuite
Confirmed User
 
Join Date: Oct 2001
Posts: 651
if you are dumb enough to open the attachment or you just feel like taking a crap in your pc it sends the file to everyone in your address book and so on to everyone who opens it. I think that's why it never ends and it has been going on for months.
Old 11-25-2001, 12:15 PM   #12
shane94
Registered User
 
Join Date: Mar 2001
Posts: 35
Those are easy to get rid of =) If you are using Outlook Express go into TOOLS/MESSAGE RULES and set a rule to delete anything more than 100 or 150kb in size. I mean how often do you get a legitimate email that big? I know I sure don't hehe. When I did that that stopped 99% of them. I may get 1 a week now.

Shane
Old 11-25-2001, 12:18 PM   #13
pornsuite
Confirmed User
 
Join Date: Oct 2001
Posts: 651
what about outlook 2000?
Old 11-25-2001, 12:23 PM   #14
Amputate Your Head
There can be only one
 
Industry Role:
Join Date: Aug 2001
Location: Somewhere else
Posts: 39,075
Actually, instead of eliminating your option to receive larger attachments, why not make a rule that filters and sends them to a special directory.... or even the Deleted Items directory... base the new rule on something else unique to those mails... like some of the text, since it always seems to be the same, or pretty close... then whenever you see new mail in that directory, it'll be easy enough to scan through the titles and know if they're all junk or if someone's legit email got mixed in. Do a mass select and delete all the crap.
Old 11-25-2001, 12:25 PM   #15
Amputate Your Head
There can be only one
 
Industry Role:
Join Date: Aug 2001
Location: Somewhere else
Posts: 39,075
Normally, I would filter shit like that at the server level so that it never even makes it beyond that... but like I said, those particular mails are tricky to filter because they're always coming from somewhere new.
Old 11-25-2001, 12:32 PM   #16
evildick
Guest
 
Posts: n/a
I got one this morning that automatically installed as soon as I viewed the message. I'm not stupid enough to click on attachments, but this sucker autoinstalled.

The bitch of it is that I could have sworn I had all the latest critical updates installed from windows update. I specifically remember installing them on that computer. The only thing I can think happened is that when I downloaded the critical updates before they didn't install properly. I've had that happen on other computers.

Just spent the last 2 hours fucking around getting rid of it. ARGGHHH!!!
Old 11-25-2001, 12:37 PM   #17
pornsuite
Confirmed User
 
Join Date: Oct 2001
Posts: 651
I wonder. I get a prompt from Win ME every night to see if I want to download updates.
Old 11-25-2001, 04:29 PM   #18
Pete
Confirmed User
 
Join Date: Jan 2001
Location: Mr. Rogers Neighborhood
Posts: 6,617
I've been getting a shit load of viruses in my mail lately. My virus program is going crazy every time I read my mail

------------------
Nude Central 60% Partnership
Also Earn 10% on referrals
Nude Central
Old 11-25-2001, 04:38 PM   #19
quiet
we'll miss you our friend. RIP
 
Industry Role:
Join Date: Sep 2001
Location: Fernie, BC
Posts: 25,115
Quote:
Originally posted by Amputate Your Head:
Normally, I would filter shit like that at the server level so that it never even makes it beyond that... but like I said, those particular mails are tricky to filter because they're always coming from somewhere new.
yeah. what i was doing is setting my mail server to not send email to my local box with attachments larger than 200K. then I'd just login directly to the mail server once a day and scan the subjects to be sure I didn't miss anything important. don't see them really at all anymore though.
Old 11-25-2001, 04:52 PM   #20
Viper2K1
Confirmed User
 
Industry Role:
Join Date: Aug 2001
Posts: 1,006
I got 20+ of those emails today, I never open attachments from people I don't know but after 5 emails I knew it had to be another virus

It came to an addy I've just put up on my website a couple days ago, looks like we're gonna see a lot more of them in the coming days

Old 11-25-2001, 05:15 PM   #21
TSB
Confirmed User
 
Join Date: Jan 2001
Location: Guitarville
Posts: 170
VIRUS NAME:
W32.Badtrans.B@mm

Discovered on: November 24, 2001

W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes.

Type: Worm

Damage:

Payload:
Large scale e-mailing: Sends email from addresses found in the default MAPI program.

Compromises security settings: Installs keystroke logging Trojan.

Technical description:


This worm arrives as an email with one of several attachment names and a combination of two appended extensions.

The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS

The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP

The second extension that is appended to the file name is one of the following:
.pif
.scr

The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.

When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.

Prevention methods:
1. Corporate email filtering systems should block all emails that have attachments with the extensions .scr and .pif.

2. Users should not open any emails with an attachment that matches the names listed above. Any email that has such an attachment should be deleted.

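Added example (not part of TSB's post or the advisory it quotes): the prevention rule above, blocking attachments whose final extension is .pif or .scr, applied to a parsed MIME message. It also shows that stuff.mp3.pif from the first post is caught by extension even though "stuff" is not in the advisory's name list. The "review" verdict for other double extensions, the function names and the example.com addresses are assumptions made for this example.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED_FINAL_EXT = {".pif", ".scr"}   # extensions the advisory says to block
DECOY_EXT = {".doc", ".mp3", ".zip"}   # harmless-looking first extensions it lists


def classify_attachment(filename):
    """Return 'block', 'review' or 'ok' for one attachment file name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    name = filename.strip().rstrip(". ").lower()
    parts = name.rsplit(".", 2)
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""
    if final_ext in BLOCKED_FINAL_EXT:
        return "block"
    # Assumption: a decoy extension followed by some other extension is the same disguise.
    if inner_ext in DECOY_EXT and final_ext not in DECOY_EXT:
        return "review"
    return "ok"


def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every attachment that is not 'ok'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() checks Content-Disposition, then Content-Type's name=.
        filename = part.get_filename()
        if filename:
            verdict = classify_attachment(filename)
            if verdict != "ok":
                findings.append((filename, verdict))
    return findings


def build_sample(filename):
    """Constructed test message (placeholder addresses, inert payload)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "Re:"
    msg.set_content("constructed body")
    msg.add_attachment(b"inert bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("stuff.mp3.pif", "NEWS_DOC.MP3.SCR", "invoice.doc.exe", "notes.txt"):
        print(name, scan_message(build_sample(name)))
```

Matching on the final extension rather than on the list of base names is what keeps the rule working when the worm, or the next one, picks a name the list does not contain.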
Old 11-26-2001, 02:02 AM   #22
FreeOnes
Confirmed User
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 3,400
This rule will filter all your shit away:

Old 11-26-2001, 03:20 AM   #23
PersianKitty
Meow Media Inc.
 
Industry Role:
Join Date: Jul 2001
Location: In the valley of the sun, cactus, tacos, tequila, and nod
Posts: 7,785
When Sircam first hit I was getting hundreds of them an hour, because the virus grabs email addresses from a PC's internet cache. I have always used a stand-alone email client so I don't have to mess with all the problems of Outlook. The problem then became the sheer volume of the downloads.

In the last few days I've been getting an increasing number of the Badtrans emails. The biggest threat with them is that there is not really an attachment to have to click on to view. The virus installs itself when the user clicks on the email to read it in Outlook.

I finally found a small program that downloads headers only, lets me delete the emails I want to (anything suspicious) and then I can download the *real* email in my regular email client.

The program I'm using is called Email Remover. It's freeware, very basic and small, but it's getting the job done for me. It's available at http://www.tucows.com/preview/194114.html

[This message has been edited by PersianKitty (edited 11-26-2001).]
Old 11-26-2001, 07:31 AM   #24
timethief
Confirmed User
 
Join Date: Oct 2001
Posts: 129
I don't keep address books. The best solution to keep such viruses or worms from activating or spreading.