

O/T: virus

Pages: 1 19 replies


Aloha all,

[There's another virus going around.] You will receive a virus in a mystery email. Please do NOT open the attachment, just trash the email immediately. I have informed them and offered advice.

I know technically this ought to be in "Beyond Tiki", but I also know not everyone here uses that forum.

yours for a safer online experience,
emspace.

[Edited by Hanford to remove the name from the subject line and to change it to O/T]

[ Edited by: hanford_lemoore on 2004-01-26 22:41 ]

Hey Em, I got an email at an address tonight, an email address that went unperturbed. It was spam-free, but I closed it for about a year and a half because I didn't need it. I recently opened it up again and all was quiet until tonight when I got an email from a "[email protected]". The text that preceded an attachment labeled "file.zip" said something about the file being in "Unicode" and that it was a binary attachment.

This email is not registered at Caliente. I just registered it at paypal and at Tiki Central. These are the ONLY places. Did the virus you got arrive at an address that is registered here? I also received an email telling me that I had an unsuccessful email delivery to an address that I didn't recognise. This tells me that there might be one of those programs involved that forwards mail to people without your consent. I closed the email address again. If anyone needs to contact me, I reckon they will have to PM me!

[ Edited by: floratina on 2004-01-26 22:31 ]

FYI:
Don't fall for this latest virus. It emails complete RANDOM email addresses (I got an email addressed to "[email protected]", and that for sure is an email that is not used ANYWHERE on this planet!)

It sends a .zip file, and claims that the mail transmission failed but a partial file is attached. Something like this:

The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.

My guess is there's a virus in the .zip file. The contents of Zip files don't get scanned by email virus detectors, so this will slip right through most (all?) virus detection software.

I'm sure we'll be reading about this virus tomorrow.

~Hanford

[ Edited by: hanford_lemoore on 2004-01-26 22:32 ]

Does this sound familiar? I am concerned about what to look for. Yikes!

http://www.tikicentral.com/viewtopic.php?topic=7206&forum=6&6

[ Edited by: DawnTiki on 2004-01-26 23:22 ]

Ooh, good eye. I don't know what is in it. I was surprised to get a friggin' ZIP file in my webtv, so I wonder what is in that thing. Say what you want about webtv, (one of the things you might say is, "Buy a computer, already!") but it isn't a computer. We don't get viruses. The fact that I don't ever receive these kinds of files could be attributed to MSN's IT watchdogs, so again, it is interesting that it got through. If I tried to open an honest to G*d .zip or .exe, I don't know if the box would know what to do with it.

We had a virus last year that somehow forwarded a virus, though. In that case, my email was as good as any. Baxdog had to break the news to me that I sent him something unclean. The problem was hardly confined to that one incident as I got this virus carrier email (webtv scrubbed the actual file out on my side) from TCers for like, a month and a half. I guess "it" got ahold of some address book or other. There was nothing toxic left in the emails I received. I just kept deleting them until they died out.

As for Paypal, I had been alerted that there were phony emails sent on their "behalf" so I didn't fall for it. I got one asking me to reaffirm my vitals and I forwarded it to Paypal and they confirmed that the email was from the depths of evil.

It will be interesting to see how this shakes out. As for the random nature of the selection of the addressees, my email was pretty bizarre (surprise) and the fact that Hanford got one addressed to a .tikicentral.com addressee is pretty interesting. Who thinks of this stuff?

[ Edited by: floratina on 2004-01-26 23:16 ]

I just found this on Yahoo....
E-Mail Worm Spreading Quickly Across Web

SAN JOSE, Calif. - Network administrators were working to stop a fast-spreading e-mail worm that looks like a normal error message but actually contains a malicious program that spreads itself and installs a program that leaves an open door to infected computers.

The worm — called "Mydoom," "Novarg" or "WORM_MIMAIL.R" — was replicating itself so quickly that some corporate networks were clogged with infected traffic within hours of its appearance Monday. Its mail engine could send out 100 infected e-mail messages in 30 seconds, experts said.

It runs on computers running Microsoft Corp.'s Windows operating systems, though other computers were affected by slow networks and a flood of bogus messages. About 3,800 infections were confirmed within 45 minutes of its initial discovery, according to the security firm Central Command.

"This has all the characteristics of being the next big one," said Steven Sundermeier, Central Command's vice president of products and services.

It appeared to first target large companies in the United States — and their computers' large address books — and quickly spread internationally, said David Perry, global director of education at the antivirus software firm Trend Micro.

"As far as I can tell right now, it's pretty much everywhere on the planet," said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.

Unlike other mass-mailing worms, Mydoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes. Instead, one of its messages reads: "The message contains Unicode characters and has been sent as a binary attachment."

"Because that sounds like a technical thing, people may be more apt to think it's legitimate and click on it," said Steve Trilling, senior director of research at the computer security company Symantec.

Subject lines also vary but can include phrases like "Mail Delivery System" and "Mail Transaction Failed." The attachments have ".exe," ".scr," ".cmd" or ".pif" extensions, and may be compressed as a Zip file.

Besides sending out tainted e-mail, the program appears to open up a backdoor so that hackers can take over the computer later.

Symantec said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect username and passwords of unsuspecting users and distribute them to strangers. Network Associates, however, did not find the keylogging program.

The worm also appears to deposit its payload into folders open to users of the Kazaa file-sharing network. Remote users who download those files and run them could be infected.

Symantec also found code that would flood The SCO Group Inc.'s Web site with requests in an attempt to crash its server, starting Feb. 1. SCO's site has been targeted in other recent attacks because of its threats to sue users of the Linux operating system in an intellectual property dispute. An SCO spokesman did not return a telephone call for comment Monday.

Microsoft offers a patch of its Outlook e-mail software to warn users before they open such attachments or prevent them from opening them altogether. Antivirus software also stops infection.

Christopher Budd, a security program manager with Microsoft, said the worm does not appear to take advantage of any Microsoft product vulnerability.

"This is entirely a case of what we would call social engineering — enticing users to take actions that are not in their best interest," he said.

Mydoom isn't the first mass-mailing virus of the year. Earlier this month, a worm called "Bagle" infected computers but seemed to die out quickly. So far, it's too early to say whether Mydoom will continue to be a problem or peter out, experts said.

"Over the next 24 to 48 hours, we'll have a much better sense," Trilling said. "Right now, the trend is only up."


On the Net:

Microsoft security tips: http://www.microsoft.com/security/protect/default.asp


Hi Hanford,

that is SO damn weird about it using a calientetropics.com return address. It's like TC people are being targeted (which can't be the case). I don't blame you for rewriting that opening statement if it's really random.

Yes, there most certainly is a virus. It's one with a .scr (Windows screensaver) file extension. This is a common method of transmitting viruses. Hope nobody caught this worm...

em.

DawnT, that sounds exactly like what I received! Unicode-blahblah and all. Thanks for digging that up.
Em - after I saw the email I figured the right place to go for the info was TC and I am glad that you initiated this thread. Thank you...and Hanford! TC can be counted on to bring us the latest. Even if the "latest" is a pain in the ass.

Well, I don't think it's random per se, I'm just saying it can come from anywhere. Who knows how it is getting its list. Most virus programs spoof emails so it's impossible to tell where it's really coming from.

I posted this info last week but it turned into a "How great Mac is" thread, I was just trying to get some information out there to help protect PC users. Now, I'm more confused than I was when I read the first article.

I received 2 of these emails yesterday, with different titles and different 'senders' but they both had ZIP files attached.

SES posted on Tue, Jan 27, 2004 1:52 AM

I use mailwasher. I have the pro version which I paid for but they still have a free version available at their old site.

http://www.mailwasher.net/

Not sure if the freebie version works on the web based email like AOL, Yahoo and Hotmail.

It allows you to access the email on the ISP server so it never gets loaded onto your computer. You can read, filter and delete at the ISP server then process the remaining good emails to your computer. It's the best.
It's easy to use. I set it up on my parents' computer and my mom uses it. You can set up as many accounts on it as you want. I have about 18 email addresses on it. They also now have a program called B9 which strips the nasties out of email so even if one did slide through it would be rendered useless. It's great. Check them out. I don't know how I ever dealt with the email before I used it. The other benefit is when someone sends something that is huge and jamming your account you can delete it via mailwasher instead of having to call your ISP and get some techie there to delete it off their server.

SES posted on Tue, Jan 27, 2004 2:05 AM

email addresses are found by:

  1. being autogenerated by software that the spammers use

  2. taken from pages of websites including cached pages in the search engines

  3. if a virus gets on a computer, it searches the hard drive for email addresses stored on it including the address book, webpages cached in your temporary internet files, saved emails, etc., then it forwards a copy of the virus to any and all of those email addresses, so if one person from TC has it and has the cached pages of TC on their computer then it will go out to all the emails that are listed on the site. Always best to spamproof your address when possible.

Best advice is don't ever open any ZIP or EXE files unless you KNOW what they are.


I have a new PC, which has an updated version of Norton antivirus utilities on it.

Just a few minutes ago it detected and removed a virus from the email address of 'bob @ tikimania.com' With Hanford receiving one from 'brenda @ tikicentral.com' there is a fair chance that additional virus e-mails could come from tiki related addresses.

This is reminding me of 'Invasion of the Body Snatchers' as evil viruses are stealing and assuming the identities of fun-loving tiki folk.

Vern


I once got a virus email from myself! Right. The problem with anti-virus is it can only protect what it knows about. My anti-virus was updated about 4 times in the last days. The virus or worm can lie dormant and spread like wildfire, then get kicked on and before they can unravel a cure, it's everywhere. Your number one fix is to run Windows Update all the time, or better yet, get the Update monitor that will do it for you. Fix the holes where it gets in rather than the virus.


Swanky is so right - once you have the infection, it is an enormous pain to remove. You may have lost and/or corrupted many key files, you may have to (argh!) reformat and reinstall everything. Here's a damn good free antivirus prog: http://www.grisoft.com/us/us_dwnl_free.php . A firewall is also a very good idea esp. for those of us on cable or DSL: http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp .

And yes, ignore all attachments unless the sender is someone you know AND mentions it in the body of the email in language you know they would use. People shouldn't be sending each other executables anyway.

aloha,
em.
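An added example, not code from the thread or any of its posters, of the attachment check that SES's "don't open ZIP or EXE files" and Em's "ignore all attachments" advice amount to when done by a mail filter rather than by eye. It parses a message with Python's standard `email` and `zipfile` modules, opens any zip attachment and flags members carrying the .exe/.scr/.cmd/.pif extensions the news report lists, and separately reports the bounce-lookalike phrases quoted in the thread. The sample message, its addresses, and the placeholder zip member are constructed for the example; nothing in it is the worm itself, and the quarantine decision rests on the attachment contents, not the wording, since wording is cheap for a worm author to change.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions the news report names for the worm. A .zip is not
# executable on its own, so its members are listed and checked instead.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".cmd", ".pif"}

# Phrases quoted in the thread from the bogus "bounce" subjects and bodies.
SUSPECT_PHRASES = (
    "sent as a binary attachment",
    "mail transaction failed",
    "mail delivery system",
)


def _extension(name):
    """Lower-cased final extension of a file name, '' when it has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def risky_attachments(msg):
    """Names of attachments, and of members inside zip attachments, that
    carry one of the executable extensions. Zip members are reported as
    'archive.zip/member'."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if _extension(name) in EXECUTABLE_EXTENSIONS:
            found.append(name)
        # Look inside archives instead of trusting the outer .zip name.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    if _extension(member) in EXECUTABLE_EXTENSIONS:
                        found.append(f"{name}/{member}")
    return found


def suspect_phrases(msg):
    """Which of the known bounce-lookalike phrases appear in subject or body."""
    text = (msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += "\n" + body.get_content().lower()
    return [phrase for phrase in SUSPECT_PHRASES if phrase in text]


def triage(raw_message):
    """Parse a raw RFC 822 message and decide whether to quarantine it.
    Only the attachment check drives the decision; phrase hits are
    reported for the human reviewer."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    risky = risky_attachments(msg)
    return {
        "suspect_phrases": suspect_phrases(msg),
        "risky_attachments": risky,
        "quarantine": bool(risky),
    }


def build_sample_message():
    """Constructed lookalike of the messages described in the thread. The
    addresses are placeholders and the zip member is plain text, not the worm."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("file.scr", b"placeholder text standing in for the attachment")
    msg = EmailMessage()
    msg["From"] = "mailer-daemon@example.net"
    msg["To"] = "jvwemx@example.com"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content(
        "The message cannot be represented in 7-bit ASCII encoding and has been\n"
        "sent as a binary attachment."
    )
    msg.add_attachment(
        archive.getvalue(), maintype="application", subtype="zip", filename="file.zip"
    )
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Running it on the constructed message reports `file.zip/file.scr` as the risky attachment and both quoted phrases as hits. The extension check deliberately looks at the last extension only, so a name like `Report.TXT.PIF` is still caught; a real filter would also cap the archive size it is willing to expand.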


I have been using Avast! and it has worked well. It is free for home users I think.

I have received 15 to 20 of these emails since last night. At least three of them had @tikicentral in the name. Has anyone had this many? Scary stuff.

For the record, I've had 4 of these emails sent to me with bogus email addresses which contain my domain name as well.

SES posted on Tue, Jan 27, 2004 1:30 PM

the latest update on it from ad-aware site (lavasoft)
http://www.lavasoftsupport.com/index.php?showtopic=18480&st=0
