virus alert (cross-posted to all groups) (Community)
Feb 20, 2004, 1:09am
Just giving everyone a heads-up on a virus being spread around again via
billing at activeworlds.com or similar. As always, don't run attachments
from people you don't know. As far as I could coerce, it was
W32.Netsky.B@mm in the file information.com.
Nice try though Matt.
--Bowen--
Feb 20, 2004, 5:11am
Thanks for the heads up. I thought Matt was gone.
"bowen" <newoB at sardna.ten> wrote in message
news:40357a6f$2 at server1.Activeworlds.com...
> Just giving everyone a heads-up on a virus being spread around again via
> billing at activeworlds.com or similar. As always, don't run attachments
> from people you don't know. As far as I could coerce, it was
> W32.Netsky.B@mm in the file information.com.
>
> Nice try though Matt.
>
> --Bowen--
Feb 20, 2004, 5:17am
W32.netsky.b@mm is a mass mailing worm and as discovered by the following
url:
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@mm.html
Share and enjoy
"bowen" <newoB at sardna.ten> wrote in message
news:40357a6f$2 at server1.Activeworlds.com...
> Just giving everyone a heads-up on a virus being spread around again via
> billing at activeworlds.com or similar. As always, don't run attachments
> from people you don't know. As far as I could coerce, it was
> W32.Netsky.B@mm in the file information.com.
>
> Nice try though Matt.
>
> --Bowen--
Feb 20, 2004, 2:45pm
Share the worm or the info about it? LOL
~John
"wizard myrddin" <admin at rdescape.co.uk> wrote in message
news:4035b487$1 at server1.Activeworlds.com...
> W32.netsky.b@mm is a mass mailing worm and as discovered by the following
> url:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@mm.html
>
> Share and enjoy
Feb 20, 2004, 3:05pm
lol or even the worm in Cabo Wabo Tequila, I share a drink with the best of
them
Share and consume
"johnf" <johnf at 3d-reality.com> wrote in message
news:403639b2 at server1.Activeworlds.com...
> Share the worm or the info about it? LOL
>
> ~John
Feb 20, 2004, 3:21pm
Lol!
~John
"wizard myrddin" <admin at rdescape.co.uk> wrote in message
news:40363e3d$1 at server1.Activeworlds.com...
> lol or even the worm in Cabo Wabo Tequila, I share a drink with the best of
> them
>
> Share and consume
Feb 20, 2004, 3:23pm
Are you sure it is really coming from AWI and not someone else's
computer? The other recent e-mail worms spoofed the "from" address of
the e-mails they sent out.
For example, let's say that I did not have the worm and all of my
anti-virus signatures were up to date. However, one of my friends had
*my* address in *their* address book and *they* get infected with the worm.
Now, that worm looks through my friend's address book and sees that *my*
address is there. So the worm decides to use it and sends out mail using
*my* (not their) address as the sender. Even though my system is totally
nice and secure, uneducated people will think *I'm* the one sending the
worm, when in reality it is from another computer that is just forging
the sender's address.
Look at the e-mail you supposedly got from AW and post the headers here.
We can then tell if it really did come from them or not.
Builderz
http://www.3dhost.net
bowen wrote:
> Just giving everyone a heads-up on a virus being spread around again via
> billing at activeworlds.com or similar. As always, don't run attachments
> from people you don't know. As far as I could coerce, it was
> W32.Netsky.B@mm in the file information.com.
>
> Nice try though Matt.
>
> --Bowen--
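Added example (not part of the original thread): one way to carry out the header check Builderz asks for above, comparing the "From" domain with the relay that the recipient's own mail server recorded. The message, host names and addresses are constructed, and the code assumes the receiving server writes Received lines in the common `from HELO (rdns [ip]) by host` layout.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From claims example.com, but the hop written by the
# recipient's own server (mx.recipient.example) shows a DSL client. The lower
# Received line was supplied by the sending side and proves nothing.
SAMPLE = """\
Return-Path: <billing@example.com>
Received: from qwerty (dsl-203-0-113-45.isp.example [203.0.113.45])
\tby mx.recipient.example with SMTP id abc123
\tfor <user@recipient.example>; Fri, 20 Feb 2004 01:02:03 -0500
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby qwerty with ESMTP; Fri, 20 Feb 2004 01:01:00 -0500
From: billing@example.com
To: user@recipient.example
Subject: information

body
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def first_trusted_hop(msg, trusted_hosts):
    """Return the topmost Received hop written by a server we control."""
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(raw)
        if m and m.group("by").lower() in trusted_hosts:
            return m.groupdict()
    return None

def check_sender(raw_message, trusted_hosts):
    """Compare the From domain with the relay seen by a trusted server."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = first_trusted_hop(msg, {h.lower() for h in trusted_hosts})
    if hop is None:
        return {"from_domain": from_domain, "verdict": "no trusted hop"}
    rdns = hop["rdns"].lower()
    matches = rdns == from_domain or rdns.endswith("." + from_domain)
    return {"from_domain": from_domain, "relay_ip": hop["ip"],
            "relay_rdns": rdns, "helo": hop["helo"],
            "verdict": "consistent" if matches else "from not supported by relay"}
```

A mismatch is a strong hint rather than proof, since legitimate senders also relay through third-party hosts; the recorded relay IP is the value to hand to the ISP that owns it.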
Feb 20, 2004, 3:46pm
hey there Builderz..... I think that Bowen was actually referring to a "spoofed" header with this last comment:
" Nice try though Matt."
Leo :)
ps; #1 rule NEVER open attachments unless it's someone you are EXPECTING an attachment from. AND you trust them to take care of their PC on their own....AND you're prepared to lose everything on your hard drive and reformat it tomorrow....LOL
"builderz" <contact at 3dhost.net> wrote in message news:403642ac$1 at server1.Activeworlds.com...
> Are you sure it is really coming from AWI and not someone else's
> computer? The other recent e-mail worms spoofed the "from" address of
> the e-mails they sent out.
>
> For example, let's say that I did not have the worm and all of my
> anti-virus signatures were up to date. However, one of my friends had
> *my* address in *their* address book and *they* get infected with the worm.
>
> Now, that worm looks through my friend's address book and sees that *my*
> address is there. So the worm decides to use it and sends out mail using
> *my* (not their) address as the sender. Even though my system is totally
> nice and secure, uneducated people will think *I'm* the one sending the
> worm, when in reality it is from another computer that is just forging
> the sender's address.
>
> Look at the e-mail you supposedly got from AW and post the headers here.
> We can then tell if it really did come from them or not.
>
> Builderz
> http://www.3dhost.net
Feb 20, 2004, 3:54pm
Would have thought 1st rule would be buy a decent virus checker and make
sure it's updated daily..
"binarybud" <leo at realPANTStourvision.com> wrote in message
news:403647d8$1 at server1.Activeworlds.com...
> hey there Builderz..... I think that Bowen was actually referring to a "spoofed" header with this last comment:
> " Nice try though Matt."
>
> Leo :)
>
> ps; #1 rule NEVER open attachments unless it's someone you are EXPECTING an attachment from. AND you trust them to take care of their PC on their own....AND you're prepared to lose everything on your hard drive and reformat it tomorrow....LOL
Feb 20, 2004, 4:28pm
> Would have thought 1st rule would be buy a decent virus checker and make
> sure it's updated daily..
>
Virus writers are one step ahead of virus checkers:(
#1 is still: Don't open any attachment you don't know and you are not expecting!!!!
--
Andras
"It's MY computer" (tm Steve Gibson)
Feb 20, 2004, 5:44pm
Just wanted to make sure we are all on the "same page." :)
Builderz
http://www.3dhost.net
binarybud wrote:
> hey there Builderz..... I think that Bowen was actually referring to a "spoofed" header with this last comment:
> " Nice try though Matt."
>
> Leo :)
Feb 20, 2004, 6:20pm
binarybud wrote:
> hey there Builderz..... I think that Bowen was actually referring to a "spoofed" header with this last comment:
> " Nice try though Matt."
>
> Leo :)
>
> ps; #1 rule NEVER open attachments unless it's someone you are EXPECTING an attachment from. AND you trust them to take care of their PC on their own....AND you're prepared to lose everything on your hard drive and reformat it tomorrow....LOL
Yes, Spoofed header carrying the "from" address billing at activeworlds.com.
Feb 20, 2004, 6:26pm
bowen wrote:
> Just giving everyone a heads-up on a virus being spread around again via
> billing at activeworlds.com or similar. As always, don't run attachments
> from people you don't know. As far as I could coerce, it was
> W32.Netsky.B@mm in the file information.com.
>
> Nice try though Matt.
>
> --Bowen--
He's still trying, Now he's trying to spoof a "delivery failed" so I'll
read the attachment through that. Still has the W32.Netsky.B@mm worm on it.
--Bowen--
Feb 21, 2004, 5:58am
bowen wrote:
> He's still trying, Now he's trying to spoof a "delivery failed" so I'll
> read the attachment through that. Still has the W32.Netsky.B@mm worm on
> it.
>
> --Bowen--
First - if you feel the urge to crosspost to all the groups, set the follow-up to community (where this topic belongs to)
Second - before you start to spread FUD, study the case :)
This (and several other) worm picks its "From" address from the infected computer's address book and sends its payload to all the addresses it found within the address book.
According to Symantec's discovery the worm uses not only the address book but:
"8. Retrieves email addresses from files on the computer that have the following extensions:
* .msg
* .oft
* .sht
* .dbx
* .tbb
* .adb
* .doc
* .wab
* .asp
* .uin
* .rtf
* .vbs
* .html
* .htm
* .pl
* .php
* .txt
* .eml
"
In other words: someone in AW has an infected machine (should be an AW user - why else would he/she have the billing address of AWI?) and your email address is on that machine too - this is how the mail ended up on your machine with the sender mentioned above.
I'm not an advocate of MATT but it is not his job :)
FU set to community.
--
Andras
"It's MY computer" (tm Steve Gibson)
Feb 21, 2004, 6:10am
andras wrote:
> First - if you feel the urge to crosspost to all the groups, set the
> follow-up to community (where this topic belongs to)
> Second - before you start to spread FUD, study the case :)
> This (and several other) worm picks its "From" address from the infected
> computer's address book and sends its payload to all the addresses it
> found within the address book.
> According to Symantec's discovery the worm uses not only the address
> book but:
>
> "8. Retrieves email addresses from files on the computer that have the
> following extensions:
>
> * .msg
> * .oft
> * .sht
> * .dbx
> * .tbb
> * .adb
> * .doc
> * .wab
> * .asp
> * .uin
> * .rtf
> * .vbs
> * .html
> * .htm
> * .pl
> * .php
> * .txt
> * .eml
>
> "
> In other words: someone in AW has an infected machine (should be an AW
> user - why else would he/she have the billing address of AWI?) and your
> email address is on that machine too - this is how the mail ended up on
> your machine with the sender mentioned above.
> I'm not an advocate of MATT but it is not his job :)
They would have to have my email address that's not given in this
newsgroup (but was used to register my citizen account). Nor did I ever
use the email I received it on in the newsgroups. The chances of
someone having both that address and mine are astronomically slim, so
it's either someone who's exploited the database (which is shown to have
been possible in the past with some of those cracks) or someone guessed
really well. Matt is the most plausible of the choices. But I agree
that it might also could've been filmkr or maybe brock.
And the reason it's crossposted is because not everyone reads community.
Computer security shouldn't be taken too lightly, even if USENET
etiquette is something of a bible to you.