- From: <Renteria22@aol.com>
- Date: Mon, 26 Nov 2001 02:05:32 EST
- To: freepacifica@recordist.com, newpacifica@yahoogroups.com, freekpfk@yahoogroups.com, www-patentpolicy-comment@w3.org, response@wamu.com, thom.marshall@chron.com, reall@wt.net, ssteele@eff.org, merriman@neosoft.com, freeradiohouston@yahoo.com, senator@hutchison.senate.gov, sarabande@brandeis.edu, rowdy@kiltemail.com, rdswart@yahoo.com, rgibbs@sapient.com, chickpea_@hotmail.com, relewis55@earthlink.net, plu-kpft@yahoogroups.com, patty@inch.com, maliknp@hotmail.com, MMMARINI@telemundo.com, ditherous@yahoo.com, slasher_@prodigy.net, mcmireles@netscape.net, barcelona1936@nonprofit-directory.org, bethvedder@vitalogy.org, markh@repairnet.com, marwhite@igc.org, lkloe@intrex.com, lh@pressroom.com, leeloe@igc.org, toadhall@vonl.com, kenfree@ev1.net, karlitas_way@yahoo.com
In a message dated 11/25/01 7:04:28 PM Pacific Standard Time, strangefriend@hotmail.com writes:

> I just thought I better give everyone on this list a forewarning. I have received 2 messages today from Carol Spooner that had viruses attached and have confirmed with Carol herself that she did not send them. She stated someone else is using her email address to carry out this dirty tricks.

I have gotten emails with viruses attached 3 times in the last two days, all from "recognizable" email addresses. The catch is that the sender put an underscore before the address - otherwise, it all looks normal. I've received these from "_wildrose", supposedly Carol Spooner, from "_pieman", supposedly Aaron Kay, and from "_Slasher", supposedly Michael Pimentel.

In a message dated 11/25/01 7:04:28 PM Pacific Standard Time, strangefriend@hotmail.com writes:

> seem to be early infectees and now infectors.
> The virus/worm apparently resides in the attachments and when opened it goes into the e-mail system and automatically sends itself to randomly selected addresses.
>
> From Symantec's security response page:
>
> W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes.
>
> Technical description:
>
> This worm arrives as an email with one of several attachment names and a combination of two appended extensions.
>
> The list of possible file names is:
> HUMOR
> DOCS
> S3MSONG
> ME_NUDE
> CARD
> SEARCHURL
> YOU_ARE_FAT!
> NEWS_DOC
> IMAGES
> PICS
>
> The first extension that is appended to the file name is one of the following:
> .DOC
> .MP3
> .ZIP
>
> The second extension that is appended to the file name is one of the following:
> .pif
> .scr
>
> The resulting file name would look something like this:
> CARD.DOC.PIF
> NEWS_DOC.MP3.SCR
> etc.
>
> When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.
>
> ----- Original Message -----
> From: Shiu M. Hung
> To: Alliance
> Sent: Sunday, November 25, 2001 5:10 PM
> Subject: [alliance] virus
>
> Hi everyone,
>
> I just thought I better give everyone on this list a forewarning. I have received 2 messages today from Carol Spooner that had viruses attached and have confirmed with Carol herself that she did not send them. She stated someone else is using her email address to carry out this dirty tricks.
>
> Shiu
Received on Monday, 26 November 2001 02:06:42 UTC
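
A mail-side check for the two indicators this message describes, the underscore-prefixed sender address and the double-extension attachment names from the quoted Symantec text, added here as an example; it is not part of the original message or of Symantec's write-up. The `example.org` addresses, the placeholder attachment and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Names and extensions as listed in the Symantec text quoted in the message.
BASE_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
              "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
FIRST_EXT = {"DOC", "MP3", "ZIP"}
SECOND_EXT = {"PIF", "SCR"}


def check_filename(name):
    """Return the reasons an attachment name matches the described scheme."""
    parts = name.strip().upper().split(".")
    reasons = []
    if len(parts) >= 3 and parts[-2] in FIRST_EXT and parts[-1] in SECOND_EXT:
        reasons.append("double-extension")
        if ".".join(parts[:-2]) in BASE_NAMES:
            reasons.append("listed-name")
    return reasons


def scan_message(raw):
    """Scan one raw message (bytes); return a sorted list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = set()
    # A leading underscore is legal in an address, so this is a hint only.
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.startswith("_"):
        findings.add("underscore-sender")
    for part in msg.iter_attachments():
        findings.update(check_filename(part.get_filename() or ""))
    return sorted(findings)


def build_sample(sender, filename):
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "list@example.org", "Re:"
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample("_wildrose@example.org", "CARD.DOC.PIF")))
    print(scan_message(build_sample("carol@example.org", "minutes.doc")))
```

The filename check is case-insensitive, so `news_doc.MP3.scr` is caught as well; a name outside the listed set that still ends in `.DOC/.MP3/.ZIP` plus `.pif/.scr` is reported as `double-extension` only.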