virus alert (cross-posted to all groups) (Sdk)

bowen, Feb 20, 2004, 1:09am
Just giving everyone a heads-up on a virus being spread around again via billing at activeworlds.com or similar. As always, don't run attachments from people you don't know. As far as I could coerce, it was W32.Netsky.B at mm in the file information.com. Nice try though Matt.

--Bowen--

wizard myrddin, Feb 20, 2004, 5:17am
W32.netsky.b at mm is a mass mailing worm and as discovered by the following url: http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b at mm.html

Share and enjoy

wizard myrddin, Feb 20, 2004, 3:05pm
lol or even the worm in Cabo Wabo Tequila, I share a drink with the best of them

Share and consume

builderz, Feb 20, 2004, 3:23pm
Are you sure it is really coming from AWI and not someone else's computer? The other recent e-mail worms spoofed the "from" address of the e-mails they sent out.

For example, let's say that I did not have the worm and all of my anti-virus signatures were up to date. However, one of my friends had *my* address in *their* address book and *they* get infected with the worm. Now, that worm looks through my friend's address book and sees that *my* address is there. So the worm decides to use it and sends out mail using *my* (not their) address as the sender. Even though my system is totally nice and secure, uneducated people will think *I'm* the one sending the worm, when in reality it is from another computer that is just forging the sender's address.

Look at the e-mail you supposedly got from AW and post the headers here. We can then tell if it really did come from them or not.

Builderz
http://www.3dhost.net

binarybud, Feb 20, 2004, 3:46pm
hey there Builderz..... I think that Bowen was actually referring to a "spoofed" header with this last comment: "Nice try though Matt."

Leo :)

ps; #1 rule NEVER open attachments unless it's someone you are EXPECTING an attachment from. AND you trust them to take care of their PC on their own....AND you're prepared to lose everything on your hard drive and reformat it tomorrow....LOL

builderz, Feb 20, 2004, 5:44pm
Just wanted to make sure we are all on the "same page." :)

Builderz
http://www.3dhost.net

bowen, Feb 20, 2004, 6:20pm
Yes, spoofed header carrying the "from" address billing at activeworlds.com.

bowen, Feb 20, 2004, 6:26pm
He's still trying. Now he's trying to spoof a "delivery failed" so I'll read the attachment through that. Still has the W32.Netsky.B at mm worm on it.

--Bowen--

andras, Feb 21, 2004, 5:58am
First - if you feel the urge to crosspost to all the groups, set the follow-up to community (where this topic belongs to)

Second - before you start to spread FUD, study the case :) This (and several other) worm picks its "From" address from the infected computer's address book and sends its payload to all the addresses it found within the address book. According to Symantec's discovery the worm uses not only the address book but:

"8. Retrieves email addresses from files on the computer that have the following extensions:
* .msg
* .oft
* .sht
* .dbx
* .tbb
* .adb
* .doc
* .wab
* .asp
* .uin
* .rtf
* .vbs
* .html
* .htm
* .pl
* .php
* .txt
* .eml
"

In other words: someone in AW has an infected machine (should be an AW user - why else would he/she have the billing address of AWI?) and your email address is on that machine too - this is how the mail ended up on your machine with the sender mentioned above.

I'm not an advocate of MATT but it is not his job :)

FU set to community.

--
Andras
"It's MY computer" (tm Steve Gibson)
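
Added example, not part of the original thread or any poster's code: the header check suggested in the thread (compare the claimed "From" domain with the host that actually handed the message to your own mail server), written in Python. The sample message, the `.example` hostnames, the documentation IP addresses, the `recipient.example` trusted suffix and the function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real capture: From claims billing@activeworlds.com,
# but the host that connected to our MX is an unrelated DSL machine.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by store.recipient.example with ESMTP; Fri, 20 Feb 2004 01:02:03 -0500
Received: from somepc (dsl-77.isp.example [203.0.113.77])
    by mx.recipient.example with SMTP; Fri, 20 Feb 2004 01:02:01 -0500
From: billing@activeworlds.com
To: someone@recipient.example
Subject: constructed sample

body
"""

# "from HELO (rdns [ip]) by HOST": the common Received layout; rdns is optional.
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def boundary_hop(msg, trusted_suffix):
    """Newest-first, find the hop where one of our servers accepted outside mail.

    Only Received lines written by servers we trust are reliable; everything
    below this hop, like the From line, was supplied by the sending side.
    """
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue
        helo, rdns, ip, by = m.groups()
        if by.endswith(trusted_suffix) and not (rdns or "").endswith(trusted_suffix):
            return {"helo": helo, "rdns": rdns, "ip": ip, "by": by}
    return None

def check_sender(raw, trusted_suffix):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = boundary_hop(msg, trusted_suffix)
    rdns = ((hop or {}).get("rdns") or "").lower()
    # A mismatch is a hint, not proof: legitimate mail can pass through relays.
    consistent = bool(from_domain) and (rdns == from_domain or rdns.endswith("." + from_domain))
    return {"from_domain": from_domain, "hop": hop, "consistent": consistent}

if __name__ == "__main__":
    print(check_sender(SAMPLE, "recipient.example"))
```

The IP address in the reported hop identifies the machine that actually sent the message, which is the one that needs cleaning, regardless of the address in the "From" line.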