[ale] brochure 2000=VIRUS

Leonard Thornton leonard at intelis-inc.net
Tue Jul 24 20:27:37 EDT 2001


phrostie wrote:
> 
> been there, got one, but mine was called "rolodex.doc.bat"
> 
> On Tuesday 24 July 2001 03:45, you wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > There is a Windows email virus that seems to have started spreading
> > again Monday, July 23, 2001.  Note the subject of "2000 brochure".
> > Don't even think about opening this email on a Windows system.  Just
> > delete it and notify your SysAdmin.
> >
> > > It's the W32/SirCam virus
> > >
> > > I've gotten about 5 copies today.
> > >
> > > Nasty - wipes your hard drive, sends itself to many people
> > > in your address book.
> > >
> > >
> > > -----Original Message-----
> > > From: Bob Toxen at cavu.com [mailto:bob at cavu.com]
> > > Sent: Tuesday, July 24, 2001 12:50 AM
> > > Subject: Email virus at XXX
> > >
> > >
> > > I just got the following email from a company that a friend works at.
> > > I suspect that it is a virus and left him voice mail at work and email
> > > at home.  You may recognize it (I don't but I'm behind in my Winbloz
> > > vulnerability worrying) or it may be new.
> > >
> > > XXX,
> > >
> > > I received the following email that may have been from you.  (I don't
> > > know anyone else at XXX.)
> > >
> > > It looks suspiciously like an email virus, in which case the sending
> > > system has been compromised and needs repair.  This probably means saving
> > > any recent data, restoring from backup, carefully re-adding the recent
> > > data without adding the compromise, and then installing all applicable
> > > security patches.
> > >
> > > I do this for a living for Linux and Unix systems but not Windows or NT
> > > systems.  I may be able to recommend a friend who does, however.
> > >
> > > The following is how the email starts off (I've edited out any possible
> > > virus):
> > > > From: "XXX Company"<XXX at mindspring.com>
> > > > To: bob at cavu.com
> > > > Subject: 2000 brochure
> > > > date: Mon, 23 Jul 2001 23:14:56 -0500
> > > > Content-Disposition: Multipart message
> > > >
> > > > ------25E92E9C_Outlook_Express_message_boundary
> > > > Content-Type: text/plain; charset=ISO-8859-1
> > > > Content-Transfer-Encoding: quoted-printable
> > > > Content-Disposition: message text
> > > >
> > > > Hi! How are you=3F
> > > >
> > > > I send you this file in order to have your advice
> > > >
> > > > See you later=2E Thanks
> > > >
> > > > ------25E92E9C_Outlook_Express_message_boundary
> > > > Content-Type: application/mixed; name="2000 brochure.doc.pif"
> > > > Content-Transfer-Encoding: base64
> > > > Content-Disposition: attachment;  filename="2000 brochure.doc.pif"
> > > >
> > > > TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > > > AAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5k
> > > > ZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> >
> > Bob Toxen, CTO
> > Fly-By-Day Consulting, Inc.           "Experts in Linux & UNIX security"
> > +1 770-662-8321 Office
> > +1 404-216-51oo Cell 24x7
> > bob at cavu.com
> > http://www.cavu.com                   [Linux & UNIX Consulting]
> > http://www.realworldlinuxsecurity.com [My 5* book: Real World Linux
> > Security] http://www.cavu.com/sunset.html       [Sunset Computer]
> > Quality Linux & UNIX security and software consulting since 1990.
> >
> > GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
> >   and at http://pgp5.ai.mit.edu/pks-commands.html#extract
> > pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
> >      Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
> > sub  2048g/03FFCCB9 2000-06-21
> > From: "Mike O'Shaughnessy" <mikeo at cmpsolv.com>
> > To: "Bob Toxen at cavu.com" <bob at cavu.com>
> > Subject: RE: Email virus at XXX
> > Date: Tue, 24 Jul 2001 02:04:18 -0400
> >
> > It's the W32/SirCam virus
> >
> > I've gotten about 5 copies today.
> >
> > Nasty - wipes your hard drive, sends itself to many people
> > in your address book.
> >
> >
> > - - -----Original Message-----
> > From: Bob Toxen at cavu.com [mailto:bob at cavu.com]
> > Sent: Tuesday, July 24, 2001 12:50 AM
> > To: mikeo at cmpsolv.com; ozy at applianceware.com
> > Subject: Email virus at XXX
> >
> >
> > I just got the following email from a company that a friend works at.
> > I suspect that it is a virus and left him voice mail at work and email
> > at home.  You may recognize it (I don't but I'm behind in my Winbloz
> > vulnerability worrying) or it may be new.
> >
> > XXX,
> >
> > I received the following email that may have been from you.  (I don't
> > know anyone else at XXX.)
> >
> > It looks suspiciously like an email virus, in which case the sending
> > system has been compromised and needs repair.  This probably means saving
> > any recent data, restoring from backup, carefully re-adding the recent
> > data without adding the compromise, and then installing all applicable
> > security patches.
> >
> > I do this for a living for Linux and Unix systems but not Windows or NT
> > systems.  I may be able to recommend a friend who does, however.
> >
> > The following is how the email starts off (I've edited out any possible
> > virus):
> > > From: "XXX Company"<XXX at mindspring.com>
> > > To: bob at cavu.com
> > > Subject: 2000 brochure
> > > date: Mon, 23 Jul 2001 23:14:56 -0500
> > > Content-Disposition: Multipart message
> > >
> > > ------25E92E9C_Outlook_Express_message_boundary
> > > Content-Type: text/plain; charset=ISO-8859-1
> > > Content-Transfer-Encoding: quoted-printable
> > > Content-Disposition: message text
> > >
> > > Hi! How are you=3F
> > >
> > > I send you this file in order to have your advice
> > >
> > > See you later=2E Thanks
> > >
> > > ------25E92E9C_Outlook_Express_message_boundary
> > > Content-Type: application/mixed; name="2000 brochure.doc.pif"
> > > Content-Transfer-Encoding: base64
> > > Content-Disposition: attachment;  filename="2000 brochure.doc.pif"
> > >
> > > TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > > AAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5k
> > > ZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> >
> > Bob Toxen, CTO
> > Fly-By-Day Consulting, Inc.           "Experts in Linux & UNIX security"
> > +1 770-662-8321 Office
> > +1 404-216-5100 Cell 24x7
> > bob at cavu.com
> > http://www.cavu.com                   [Linux & UNIX Consulting]
> > http://www.realworldlinuxsecurity.com [My 5* book: Real World Linux
> > Security] http://www.cavu.com/sunset.html       [Sunset Computer]
> > Quality Linux & UNIX security and software consulting since 1990.
This one is making the rounds....I got it as did half the people in my
office today.  Fortunately, we have a policy of seriously maiming people
(with public demonstrations) in our office who open these things, so
everyone knows better.  For more info on SirCam, see
www.symantic.com/avcenter.  They have a decent description of the
effects.  Due to a bug (feature) in NT and 200, it doesn't seem to work
on them, but chews up 98 machines....



> >
> > GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
> >   and at http://pgp5.ai.mit.edu/pks-commands.html#extract
> > pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
> >      Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
> > sub  2048g/03FFCCB9 2000-06-21
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.6 (GNU/Linux)
> > Comment: For info see http://www.gnupg.org
> >
> > iD8DBQE7XSUZltNTPeOhxUARAj1lAJ4icXf+c7bMJOVV/xUe4twNwLwl/wCgnX65
> > r3oEcoTSUDLC5PEiXYLDJd0=
> > =nWnt
> > -----END PGP SIGNATURE-----
> >
> > Bob Toxen
> > transam at cavu.com                       [Bob's ALE Bulk email]
> > bob at cavu.com                           [Please use for email to me]
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
> > body.
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

-- 
The difficult while you wait...the impossible overnight.

Leonard Thornton
Intelis, Inc
leonard at intelis-inc.net
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
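A mail-gateway style check for the pattern the quoted message shows (a document-looking name carrying an executable double extension, and a base64 body that decodes to the MZ executable header). This is an added example, not code from anyone in the thread; the sample message is constructed from the quoted headers, with a multipart Content-Type added so the standard parser can split it and a placeholder sender address.

```python
import email
from email import policy

# Constructed sample reproducing the headers and body quoted in the thread;
# the multipart Content-Type header is added so the standard parser can split
# the parts, and the sender address is a placeholder.
SAMPLE = """\
From: "XXX Company" <XXX@example.com>
To: bob@example.com
Subject: 2000 brochure
Date: Mon, 23 Jul 2001 23:14:56 -0500
Content-Type: multipart/mixed; boundary="----25E92E9C_Outlook_Express_message_boundary"

------25E92E9C_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

I send you this file in order to have your advice

------25E92E9C_Outlook_Express_message_boundary
Content-Type: application/mixed; name="2000 brochure.doc.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="2000 brochure.doc.pif"

TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
------25E92E9C_Outlook_Express_message_boundary--
"""

# Suffixes Windows runs on double-click (constructed list, not exhaustive).
EXECUTABLE_SUFFIXES = {".pif", ".bat", ".com", ".exe", ".scr", ".lnk", ".vbs"}

def suspicious_attachments(raw_message):
    """Return [(filename, [reasons])] for parts that look like disguised executables."""
    findings = []
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        reasons, pieces = [], name.lower().rsplit(".", 2)
        if len(pieces) > 1 and "." + pieces[-1] in EXECUTABLE_SUFFIXES:
            reasons.append("executable attachment type ." + pieces[-1])
            if len(pieces) == 3:  # e.g. ".doc.pif" reads as a document to the user
                reasons.append("double extension disguised as ." + pieces[1])
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":  # DOS/PE executable magic; "TVp" in base64
            reasons.append("payload starts with MZ executable header")
        if reasons:
            findings.append((name, reasons))
    return findings
```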