Sounds like the one I got at work today except the subject line was Status. Of course being an attachment (a .zip file) I was pretty suspicious. I checked its properties and then went to source and found the same comments as what I just read in Woody's newsletter on this latest virus. Of course I deleted the email at work simply because it was an attachment. That is my policy always. Here's an extract from Woody's Watch. Hope you find the info useful.

MyDoom Boom Boom

By now you no doubt know about the latest worm to hit the streets. McAfee calls it MyDoom. So does F-Secure. Symantec/Norton calls it Novarg.

MyDoom's remarkable not because of its technical acumen. This sucker is in the process of clogging up all the email servers around the world because of its remarkable 'social engineering' - in other words it is packaged in a way to make unwary people open it. It has four characteristics that make it interesting / dangerous, depending on your point of view:

First, unlike the quasi-literate cretins who have been spawning worms lately, MyDoom's creator had the presence of mind to create a plausible story to go along with his dirty package. In this case, the worm arrives with a message that says (s p a c e s added to keep from triggering dumb spam filters):

Mail t r a n s a c t i o n failed. Partial message is available.

The message contains Unicode c h a r a c t e r s and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII e n c o d i n g and has been sent as a binary attachment.

At least at first glance, each of those messages seems reasonable enough to warrant looking at the attachment.

In many cases, the attachment won't fool any of you because you have Windows set up to show you file name extensions (as we've recommended in Woody's Watch time and time again), and you know that double-clicking on a .bat, .cmd, .exe, .pif, or .scr file is just about as stupid as pointing a loaded gun at your foot.
Besides, if you use Outlook 2002 or 2003 with the default security settings, you won't see the file anyway.

But in some cases the attached infected file is stored in a zip, and that's a horse of an entirely different color. Zips get through Outlook - they're innocuous; in and of themselves, zip files can't infect you. But the file(s) that sit inside the zip can be infected, and that's how MyDoom will creep (I use the term intentionally) into any system. That's MyDoom's second interesting twist: burying the infected file in a zip, so it'll get through many systems. Don't immediately panic, you have to open the attached zip file then extract and run the file enclosed within the zip.

The third twist is a real killer. MyDoom packs an infected file into a zip, but it gives the infected file a very long name. I got one infected message with an attached zip that contains a file called akhr.doc <followed by a LOT of spaces> .exe. There were so many spaces that when I opened the zip, Windows didn't even show me the .exe file name extension. (Of course, if you double-click on the akhr.doc<spaces>.exe file, it's run directly as is any other .exe file.) Another infected message arrived with a zipped copy of readme.txt <a LOT of spaces>.exe, another with body.txt <spaces>.scr, another with data.htm<spaces>.exe, and so on. I was quite astounded to see that Windows Explorer, when it opens a zip, doesn't always show the file name extension if the file name is long enough.

The fourth twist? The antivirus software sites are reporting that the worm not only spoofs return addresses - old-hat in this day and age - but it also spoofs Windows icons. I haven't received any messages with spoofed icons, but there are examples on-line of files called document.pif and document.scr that have the icon normally associated with text files. What's wrong with that?
Folks who refuse to make Windows show file name extensions will be in for a very nasty surprise if they click on one of those "document" icons and get infected. You have to force Windows to show you file name extensions. Hiding file name extensions is one of the worst design mistakes Microsoft has ever made, and millions of their customers have paid the price for that decision.

Anyway, MyDoom opens a back door on your system that would (at least in theory) allow a cretin to take over your machine, and/or download and execute any program. (I say "in theory" because at this point there must be ten million computers with open MyDoom back doors; what are the odds somebody's going to pick yours?) Between February 1 and 12, infected systems automatically launch a distributed denial of service attack on www.sco.com, a company of scum-sucking... aw, don't get me started.

MyDoom scans your files for email addresses and sends out copies of itself, spoofing the return address, and it puts itself in your KaZaA out box. MyDoom is supposed to stop spreading all by itself on February 12.

Tonia
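A mail gateway or helpdesk script can catch the padded-name trick the newsletter describes by reading member names from the zip without extracting anything. This is an added example, not part of the original post or the newsletter; the padding threshold, the decoy-extension list and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Extensions the newsletter names as unsafe to double-click.
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
# Assumption: decoy extensions taken from the file names quoted in the post.
DECOY_EXTS = {".doc", ".txt", ".htm"}
# Assumption: five or more consecutive whitespace characters count as padding.
PAD_RUN = re.compile(r"\s{5,}")

def classify_name(name):
    """Return the reasons an archive member name looks like the padded-name trick."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    real_ext = "." + ext.strip().lower()
    if not dot or real_ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension " + real_ext]
    if PAD_RUN.search(stem):
        reasons.append("whitespace padding before extension")
    decoy = "." + stem.rstrip().rpartition(".")[2].lower()
    if "." in stem and decoy in DECOY_EXTS:
        reasons.append("decoy extension " + decoy)
    return reasons

def scan_zip(data):
    """Map each suspicious member of a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed sample archive; every member holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("akhr.doc" + " " * 60 + ".exe", b"placeholder")
        zf.writestr("body.txt" + " " * 40 + ".scr", b"placeholder")
        zf.writestr("document.pif", b"placeholder")
        zf.writestr("notes.txt", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample()).items():
        # Collapse the padding so the report line stays readable.
        print(PAD_RUN.sub(" <padding> ", member), "->", "; ".join(reasons))
```

The check looks at the last extension after stripping whitespace, which is what Windows acts on when the file is double-clicked, rather than the one Explorer happens to display.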