At 10:54 AM 11/28/01 -0800, Mike Rambour wrote:
>At 10:52 AM 11/28/2001 -0500, cystanton@earthlink.net wrote:
>....
>.... In Eudora, the message I get is a reply from someone but there are no
>attachments, it's just a blank reply. I have had probably a dozen already
>with nothing in them according to Eudora. ....
Watch it. This one is tricky. It is definitely the W32/BadTrans@MM
virus. Rather than an attachment you get an embedded file. The most
recent version of Eudora is capable of receiving and displaying HTML coded
messages (among other things). I have gotten at least a dozen of these
messages in the last few days (never tagged as HTML coded), all
similar. The body of the message is blank on the screen, but the message
is not empty.
The Eudora software maintains some folders, among them are "attach" and
"Embedded". Attachments go into the "attach" folder (unless otherwise
specified at setup), but files embedded in the message go into the
"Embedded" folder. In nearly every case of receiving one of these messages
I find the file containing the virus in the "Embedded" folder. In many
cases my McAfee anti-virus (updated on the 24th and 25th) catches the bug
at download and deletes the file containing the virus. In some cases there
is no warning, but there will be some file left in the "Embedded"
folder. This file usually (but not always) has a file extension of or DOC
or PIF, often appended to an MP3 file name but occasionally appended to
another executable file name.
Another common trait without exception is that the sender's address in the
"From:" line of the headers always has an underscore mark prepended to the
sender's address. If you want to respond to the sender you have to remove
that underscore mark or the address will not be recognized and your message
will bounce.
I have been busy notifying everyone of the senders (more than a dozen so
far). I get responses to nearly half of my advisements. In most cases the
original sender is thanking me for the notification, having had no idea
what was going on. On a couple of occasions the original sender has
scoured their machine and found no virus, so some of these messages may
have forged "From:" addresses. Also it is not certain that every one of
these Embedded files will actually contain the virus, but many do.
So far I'm keeping up with the notifications to the senders, but the
traffic is pretty heavy. Also note that I have not received any of these
virus-laden messages from any of the mailing lists. I believe the embedded
files are stripped from the messages by the list server, same as
attachments, as the list server only forwards plain text messages.
Barney Gaylord
1958 MGA with an attitude
http://www.ntsource.com/~barneymg
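
The three traits described in the message above (underscore prepended to the "From:" address, a body that displays blank while a file rides along, and a DOC or PIF extension appended to a name that already has one) can be checked mechanically on a saved message. This is an added example, not part of the original post; the function names, the reason labels and the sample message are constructed for illustration.

```python
import email
import os
from email.utils import parseaddr

FINAL_EXTS = {".doc", ".pif"}  # extensions named in the post
# Constructed sample message (not a captured one); the payload is a placeholder.
SAMPLE = """\
From: "Example Sender" <_sender@example.com>
To: reader@example.org
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain


--b1
Content-Type: application/octet-stream; name="SONG.MP3.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def double_extension(filename):
    # True for names like SONG.MP3.pif: a listed extension appended to
    # a name that already carries an extension of its own.
    stem, last = os.path.splitext(filename.lower())
    return last in FINAL_EXTS and os.path.splitext(stem)[1] != ""

def triage(raw):
    """Return the list of traits from the post that this message shows."""
    msg = email.message_from_string(raw)
    reasons = []
    if parseaddr(msg.get("From", ""))[1].startswith("_"):
        reasons.append("underscore-from")
    visible, names = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # checks filename= and name= parameters
        if name:
            names.append(name)
        elif part.get_content_maintype() == "text":
            visible += (part.get_payload(decode=True) or b"").decode("latin-1")
    if names and not visible.strip():
        reasons.append("blank-body-with-file")
    reasons += ["double-extension:" + n for n in names if double_extension(n)]
    return reasons
```

These are triage hints only: as the message notes, the "From:" address may be forged and not every such file carries the virus.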