Virus/worm alert

Ed Kotkiewicz ekotkie at EZL.COM
Tue Oct 1 15:21:15 EDT 2002


Yesterday I received a worm from a friend.  It came in the form of
an answer that he had made to a Heath reflector member some time
in the past.  Fortunately I use Norton Anti-virus, MailWasher and
ZoneAlarm Pro.  What I received was duly noted in MailWasher as an
e-mail that was potentially bad.  The e-mail address was incorrect
for my friend so "my shields were up".  There was an attachment
that related to a car and was labeled as a xxxxxx.doc.pif.

Well, MailWasher allowed me to bounce/delete.  I elected to accept
since I had two more barriers for the msg to cross.  Sure enough,
ZoneAlarm nabbed it and changed the .pif to .zlo.  This made it a
bit more safe to handle.  Upon receipt, I flagged my friend with a
warning and he then took action on his system.  The msg had a
number of clues.  His address was listed wrong.  The note appeared
to be a response to a Tempe note to another reflector member but
the Tempe trailer was missing.  The attachment had a strange file
extension set.  The attached file had absolutely nothing to do
with Heath stuff. There was no "To:" line with my name.

I stripped data from the msg. header and found that my
name/address was embedded inside the msg. header.  The msg was
routed through Turkey.  The attachment was a very recent version
of the W32.Bugbear@mm mass mailing worm.  All of these actions
were done through backdoor access that my friend was not aware was
going on.

My warning is that you need to keep your system protection
current.  Symantec has just upgraded the threat of this worm as of
yesterday!  Stay alert to things that just don't make much sense.
I use a wide range of system tools that allow me to slice and dice
these bad boys.  It is kinda a sad hobby to have but it keeps me
aware of the jerks who have nothing better to do.

For more information about this worm go to the Symantec site.  The
W32.Bugbear@mm info is on the front page.  You can also print out
a 6 page fix for this problem.

To all you Heathens out there, have a great day.

Ed
{Married to a Former Ham at Heath}

-----------------------------------------------------------
This list is a public service of the City of Tempe, Arizona
-----------------------------------------------------------

Subscription control - http://www.tempe.gov/lists/control.asp?list=HEATH
To post - HEATH at LISTSERV.TEMPE.GOV
Archives - http://interactive.tempe.gov/archives/HEATH.html
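
Added example, not part of the original post: the clues the message lists (wrong sender address, no "To:" line naming the recipient, missing list trailer, an attachment ending in `.doc.pif`) written as checks over a raw message with Python's standard `email` module. The helper names, the `known_senders` mapping and every address and file name in the sample are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from pathlib import PurePosixPath

# File types Windows runs directly; the last extension decides what executes.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}

def message_clues(raw, my_address, known_senders, list_trailer):
    """Return the warning signs found in one raw message (hypothetical helper)."""
    msg = email.message_from_string(raw, policy=policy.default)
    clues = []
    # Clue: the sender's address differs from the one on file for that name.
    name, addr = parseaddr(str(msg.get("From", "")))
    expected = known_senders.get(name)
    if expected and addr.lower() != expected.lower():
        clues.append(f"sender address mismatch: {addr}")
    # Clue: no To:/Cc: line naming the person who received it.
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    if my_address.lower() not in [a.lower() for _, a in getaddresses(headers)]:
        clues.append("recipient not named in To:/Cc:")
    # Clue: claims to be list traffic but lacks the list's trailer.
    body = msg.get_body(preferencelist=("plain",))
    if list_trailer not in (body.get_content() if body else ""):
        clues.append("list trailer missing")
    # Clue: attachment whose final extension is executable (e.g. .doc.pif).
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(fname).suffixes]
        if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
            kind = "double-extension" if len(suffixes) > 1 else "executable"
            clues.append(f"{kind} attachment: {fname}")
    return clues

def constructed_sample():
    """Constructed test message; every name and address in it is made up."""
    m = EmailMessage()
    m["From"] = "Friend Example <friend@wrong.example>"
    m["Subject"] = "Re: manual question"
    m.set_content("Here is the answer you asked about.\n")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="car.doc.pif")
    return m.as_string()

if __name__ == "__main__":
    trailer = "This list is a public service of the City of Tempe, Arizona"
    known = {"Friend Example": "friend@right.example"}
    for clue in message_clues(constructed_sample(), "me@home.example", known, trailer):
        print(clue)
```
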



