[ale] brochure 2000=VIRUS

Transam@cavu.com transam at cavu.com
Tue Jul 24 03:45:40 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is a Windows email virus that seems to have started spreading
again Monday, July 23, 2001.  Note the subject of "2000 brochure".
Don't even think about opening this email on a Windows system.  Just
delete it and notify your SysAdmin.

> It's the W32/SirCam virus

> I've gotten about 5 copies today.

> Nasty - wipes your hard drive, sends itself to many people
> in your address book.


> -----Original Message-----
> From: Bob Toxen at cavu.com [mailto:bob at cavu.com]
> Sent: Tuesday, July 24, 2001 12:50 AM
> Subject: Email virus at XXX


> I just got the following email from a company that a friend works at.
> I suspect that it is a virus and left him voice mail at work and email
> at home.  You may recognize it (I don't but I'm behind in my Winbloz
> vulnerability worrying) or it may be new.

> XXX,

> I received the following email that may have been from you.  (I don't
> know anyone else at XXX.)

> It looks suspiciously like an email virus, in which case the sending
> system has been compromised and needs repair.  This probably means saving
> any recent data, restoring from backup, carefully re-adding the recent
> data without adding the compromise, and then installing all applicable
> security patches.

> I do this for a living for Linux and Unix systems but not Windows or NT
> systems.  I may be able to recommend a friend who does, however.

> The following is how the email starts off (I've edited out any possible
> virus):

> > From: "XXX Company"<XXX at mindspring.com>
> > To: bob at cavu.com
> > Subject: 2000 brochure
> > date: Mon, 23 Jul 2001 23:14:56 -0500
> > Content-Disposition: Multipart message
> > 
> > ------25E92E9C_Outlook_Express_message_boundary
> > Content-Type: text/plain; charset=ISO-8859-1
> > Content-Transfer-Encoding: quoted-printable
> > Content-Disposition: message text
> > 
> > Hi! How are you=3F
> >  
> > I send you this file in order to have your advice
> >  
> > See you later=2E Thanks
> > 
> > ------25E92E9C_Outlook_Express_message_boundary
> > Content-Type: application/mixed; name="2000 brochure.doc.pif"
> > Content-Transfer-Encoding: base64
> > Content-Disposition: attachment;  filename="2000 brochure.doc.pif"
> > 
> > TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5k
> > ZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.           "Experts in Linux & UNIX security"
+1 770-662-8321 Office
+1 404-216-51oo Cell 24x7
bob at cavu.com
http://www.cavu.com                   [Linux & UNIX Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: Real World Linux Security]
http://www.cavu.com/sunset.html       [Sunset Computer]
Quality Linux & UNIX security and software consulting since 1990.

GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
  and at http://pgp5.ai.mit.edu/pks-commands.html#extract
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
From: "Mike O'Shaughnessy" <mikeo at cmpsolv.com>
To: ale at ale.org
To: "Bob Toxen at cavu.com" <bob at cavu.com>
Subject: RE: Email virus at XXX
Date: Tue, 24 Jul 2001 02:04:18 -0400

It's the W32/SirCam virus

I've gotten about 5 copies today.

Nasty - wipes your hard drive, sends itself to many people
in your address book.


-----Original Message-----
From: Bob Toxen at cavu.com [mailto:bob at cavu.com]
To: ale at ale.org
Sent: Tuesday, July 24, 2001 12:50 AM
To: mikeo at cmpsolv.com; ozy at applianceware.com
Subject: Email virus at XXX


I just got the following email from a company that a friend works at.
I suspect that it is a virus and left him voice mail at work and email
at home.  You may recognize it (I don't but I'm behind in my Winbloz
vulnerability worrying) or it may be new.

XXX,

I received the following email that may have been from you.  (I don't
know anyone else at XXX.)

It looks suspiciously like an email virus, in which case the sending
system has been compromised and needs repair.  This probably means saving
any recent data, restoring from backup, carefully re-adding the recent
data without adding the compromise, and then installing all applicable
security patches.

I do this for a living for Linux and Unix systems but not Windows or NT
systems.  I may be able to recommend a friend who does, however.

The following is how the email starts off (I've edited out any possible
virus):

> From: "XXX Company"<XXX at mindspring.com>
> To: bob at cavu.com
> Subject: 2000 brochure
> date: Mon, 23 Jul 2001 23:14:56 -0500
> Content-Disposition: Multipart message
> 
> ------25E92E9C_Outlook_Express_message_boundary
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: message text
> 
> Hi! How are you=3F
>  
> I send you this file in order to have your advice
>  
> See you later=2E Thanks
> 
> ------25E92E9C_Outlook_Express_message_boundary
> Content-Type: application/mixed; name="2000 brochure.doc.pif"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;  filename="2000 brochure.doc.pif"
> 
> TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5k
> ZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.           "Experts in Linux & UNIX security"
+1 770-662-8321 Office
+1 404-216-5100 Cell 24x7
bob at cavu.com
http://www.cavu.com                   [Linux & UNIX Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: Real World Linux Security]
http://www.cavu.com/sunset.html       [Sunset Computer]
Quality Linux & UNIX security and software consulting since 1990.

GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
  and at http://pgp5.ai.mit.edu/pks-commands.html#extract
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7XSUZltNTPeOhxUARAj1lAJ4icXf+c7bMJOVV/xUe4twNwLwl/wCgnX65
r3oEcoTSUDLC5PEiXYLDJd0=
=nWnt
-----END PGP SIGNATURE-----

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
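
An added example, not part of the original post: a mail-filter style check for the pattern visible in the quoted sample, an attachment whose last extension is executable behind a document-looking one ("2000 brochure.doc.pif") and whose decoded payload starts with the DOS "MZ" magic. It generalizes beyond .doc/.pif; the extension lists, function names, addresses and sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for illustration; the post itself only shows ".doc" and ".pif".
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
DECOY_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg", ".gif", ".zip"}


def attachment_findings(raw: bytes) -> list[tuple[str, list[str]]]:
    """Return (filename, reasons) for every attachment that looks unsafe."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline text have no filename
        stem, ext = os.path.splitext(name.lower().strip())
        inner_ext = os.path.splitext(stem)[1]
        payload = part.get_payload(decode=True) or b""  # undoes base64
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable-extension")
            if inner_ext in DECOY_EXTS:
                reasons.append("double-extension")
        if payload[:2] == b"MZ":
            # Content check catches executables renamed to a harmless extension.
            reasons.append("mz-header")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message: plain-text body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "2000 brochure"
    msg.set_content("I send you this file in order to have your advice\n")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    inert = b"MZ" + bytes(62)  # constructed: magic bytes plus padding, not a program
    for fname, data in [("2000 brochure.doc.pif", inert),
                        ("2000 brochure.doc", b"plain document bytes")]:
        print(fname, "->", attachment_findings(build_sample(fname, data)))
```
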




