[lug] Fwd: EP1012a(2) Quake Shoot Sheet F // danger, i think

Alan Robertson alanr at unix.sh
Fri Aug 3 05:22:30 MDT 2001


bill ehlert wrote:
> 
> **  i never heard of this person.
> 
>     the attachment is 219k.
> 
>     it came thru ms outlook express.
> 
>     looks to me like something nasty
>       this way comes!
> 
> --- Michelle Clark <mclark at banyanprod.com> wrote:
> > From Michelle Clark Fri Aug  3 08:35:41 2001
> > X-Apparently-To: bill_ehlert at yahoo.com via
> > web12105.mail.yahoo.com; 03 Aug 2001 08:38:47
> > -0700 (PDT)
> > Received: from 209.125.116.82  (EHLO
> > maintube.banyanprod.com) (209.125.116.82)
> >   by mta514.mail.yahoo.com with SMTP; 03 Aug
> > 2001 08:38:44 -0700 (PDT)
> > Received: from suzann.banyanprod.com
> > ([192.9.222.15])
> >       by maintube.banyanprod.com (Build 101
> > 8.9.3/NT-8.9.3) with SMTP id LAA03502
> >       for <bill_ehlert at yahoo.com>; Fri, 03 Aug 2001
> > 11:36:06 -0400
> > Message-Id:
> > <200108031536.LAA03502 at maintube.banyanprod.com>
> > From: "Michelle Clark"<mclark at banyanprod.com>
> > To: bill_ehlert at yahoo.com
> > Subject: EP1012a(2) Quake Shoot Sheet F
> > Date: Fri, 3 Aug 2001 11:35:41 -0400
> > MIME-Version: 1.0
> > X-MIMEOLE: Produced By Microsoft MimeOLE
> > V5.50.4133.2400
> > X-Mailer: Microsoft Outlook Express
> > 5.50.4133.2400
> > Content-Type: multipart/mixed;
> >   boundary="----134FEA64_Outlook_Express_message_boundary"
> > Content-Disposition: Multipart message
> > Content-Length: 222746
> >
> > Hi! How are you?
> >
> > I send you this file in order to have your
> > advice
> >
> > See you later. Thanks

Yep.

This is a virus going around.  It reads their address book, and looks
through their web cache looking for mailto: tags.

I've gotten a couple of dozen of them.  It sends you a virus-infected file
which was randomly chosen.  The part that's nasty is that the name of the file is
"name-of-file".suffix where suffix is randomly chosen from one of about a
half-dozen or so MS executable suffixes.  Outlook hides the suffix, and
shows the part ahead of it only so the user doesn't realize they're running
executable content ;-)

	-- Alan Robertson
	   alanr at unix.sh
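
An added example, not part of the original message: a mail-side check for the naming trick described above, flagging attachments whose name ends in a document-looking suffix followed by an executable one. The suffix list, the function names and the sample message are assumptions made for illustration; the post does not name the suffixes.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list: the post only says "a half-dozen or so MS executable suffixes".
EXECUTABLE_SUFFIXES = {"exe", "com", "bat", "pif", "lnk", "scr", "cmd", "vbs"}

# name.<document-like suffix>.<final suffix>
DOUBLE_SUFFIX = re.compile(
    r"^(?P<shown>.+\.[A-Za-z0-9]{1,4})\.(?P<real>[A-Za-z0-9]{1,4})$")

def hidden_executable(filename):
    """Return (name shown when the last suffix is hidden, real suffix), or None."""
    # Drop any path component and the trailing dots/spaces Windows drops from names.
    name = re.split(r"[\\/]", filename)[-1].rstrip(". ")
    m = DOUBLE_SUFFIX.match(name)
    if m and m.group("real").lower() in EXECUTABLE_SUFFIXES:
        return m.group("shown"), m.group("real").lower()
    return None

def scan_message(raw):
    """List (filename, shown_name, real_suffix) for every flagged MIME part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        hit = hidden_executable(filename) if filename else None
        if hit:
            findings.append((filename, *hit))
    return findings

def build_sample():
    """Constructed sample message; names and addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "Shoot Sheet"
    msg.set_content("Hi! How are you?")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="Shoot Sheet.doc.pif")
    msg.add_attachment("plain notes", filename="notes v1.2.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, shown, real in scan_message(build_sample()):
        print(f"{filename!r}: displayed as {shown!r}, really .{real}")
```

The pattern requires the inner suffix to look like an extension, so a single-suffix `setup.exe` or a dotted name such as `v1.2 report.exe` is not reported; those are ordinary executables, not disguised ones.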


