[TechAssist] Virus not seen by Norton

  • From: "OrpheusComputing.com Repair" <techassist@xxxxxxxxxxxxxxxxxxxx>
  • To: "TechAssist" <techassist@xxxxxxxxxxxxx>
  • Date: Mon, 26 Nov 2001 04:47:07 -0600

Here's yet another new way (at least I've never seen it) for
a virus to be delivered and it is NOT detectable by Norton!

I got an email today, no subject line, except for "Re:" in
it.  This evidently is to make you think they are replying to
an email you sent them.  Don't buy it...I didn't.  I could
tell right away it was a virus simply due to the appearance
of the email.  There was one VISIBLE attachment which was
benign.  It was a text file (.txt Notepad) and it was
completely blank.  Appears to serve no purpose.  However
clicking "forward" on the message shows an additional
attachment, "hamster.doc.pif".  The email message body was in
HTML format (glowing white background) but no text AT ALL.
Totally blank.  When the email was simply highlighted to read
it (the way you do any other email in outlook express) the IE
download dialog window popped up asking the usual "You have
selected to download a file from this location"..."do you
want to...'open' or 'save to disk'" that we all see when we
download something.  It did not say where the download
would come from.  I saved the email to a folder, then opened
the email in notepad to see the code.  You can see
"hamster.doc.pif" in the code below.  Now what is really odd,
is scanning the email shows NO VIRUSES, even after
downloading the file and scanning it, that also shows no
viruses!  When it's downloaded, the file type box states .wav
sound file, however, after it's downloaded it shows as dos
exe shortcut icon and has the .pif extension.  How do I know
it's a virus?  Experience.  Plus, I opened Norton and went to
submit it, and lo and behold it said "this virus is already
known to Symantec and does not need to be submitted".  !!
Evidently, what it was seeing was some type of
"recognizable virus activity" is all I can say.  It also
never gave the name!  And yet remember, scanning or
downloading it showed NO VIRUS yet submitting to
Symantec says it IS a virus!  I searched all computer
security search engines, plus Norton, Trend, McAfee,
etc, all the sites, and this name hamster.doc.pif was
not found at ANY of them.  I know that is not the virus
name, but they are also listed under aliases and how
they appear in emails.  Watch out for this one, this
is the oddest I have ever seen.  If you are going
through your emails NEVER choose to download a file
that just automatically pops up.  Also be SURE you have in
your download dialog window the box checked "Always ASK
before opening or downloading this type of file"!!
[later]
Ahhh, here we go, I just clicked 'properties' while it was in
quarantine and it said w32.badtrans.b@mm.  Now, since
that is a known virus, I'd like to know why Norton did not
see it during a scan, opening of email, downloading the file,
or moving the file.  Perhaps a mutation?
http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@xxxxxxx
and note on that page this is a brand new one, only
recognized since Nov. 24th, and 'hamster' is not listed on
that page as any of the attachment names.

(no surprise it's from AOL, see below##)
X-POP3-Rcpt: sales@xxxxxxxxxxxxxxxxxxxx
Received: from dte.vsnl.net.in (dte.vsnl.net.in [202.54.8.4])
 by host40.hostingcheck.com (8.10.2/8.10.2) with ESMTP id
fAQ3pH415996
 for <sales@xxxxxxxxxxxxxxxxxxxx>; Sun, 25 Nov 2001
22:51:28 -0500
############Received: from aol.com (ppp135-115.doter.vsnl.net.in
[61.0.135.115])
 by dte.vsnl.net.in (Postfix) with SMTP id 3347559489
 for <sales@xxxxxxxxxxxxxxxxxxxx>; Mon, 26 Nov 2001 09:20:27
+0530 (IST)
From: "aptech" <_aptechpb@xxxxxxxxxxxxxxxx>
To: sales@xxxxxxxxxxxxxxxxxxxx
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <20011126035027.3347559489@xxxxxxxxxxxxxxx>
Date: Mon, 26 Nov 2001 09:20:27 +0530 (IST)

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
  boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
   charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
  name="HAMSTER.DOC.pif"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

(then several dozen lines of letters & numbers).
-Clint

Happy Thanksgiving &
God Bless Us All
Clint Hamilton, Owner
http://OrpheusComputing.com
http://ComputerHardware-ConsumerElectronics.com
sales@xxxxxxxxxxxxxxxxxxxx
Fax: 209-882-9602
TechAssist Administration
http://tech-assist.org
techassist@xxxxxxxxxxxxx
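The two things that give this message away in the quoted MIME source are an attachment declared as `audio/x-wav` but named with an executable `.pif` extension, and an HTML body whose only content is a zero-size `<iframe>` pointing at that attachment by `cid:`. Both can be checked mechanically before a mail client ever renders the message. The script below is an added example written for this page, not code from the original post or from Symantec; it uses only Python's standard `email` library, and the sample message it scans is a constructed stand-in modelled on the headers quoted above (addresses, Message-Id and the base64 payload are placeholders, not the real worm).

```python
"""Flag MIME messages whose declared Content-Type contradicts the attachment
filename, and whose HTML body pulls an attachment in through <iframe src=cid:...>.
Added example for this page; not from the original post."""
import email
import re
from email import policy

# Extensions Windows runs directly when opened; .pif (the one in the post) is among them.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Filename extensions a given declared Content-Type would normally carry.
EXPECTED_EXTS = {
    "audio/x-wav": {".wav"},
    "audio/wav": {".wav"},
    "image/jpeg": {".jpg", ".jpeg"},
    "text/plain": {".txt"},
}

# <iframe ... src=cid:XYZ ...>, with or without quotes around the src value.
IFRAME_CID_RE = re.compile(r'<iframe[^>]*\bsrc=["\']?cid:([^\s"\'>]+)', re.IGNORECASE)

# Constructed sample modelled on the MIME source quoted in the post. The
# addresses, Message-Id and base64 body are placeholders, not the real worm.
SAMPLE = """From: "sender" <sender@example.invalid>
To: sales@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="====_ABC1234567890DEF_===="
Message-Id: <constructed-sample@example.invalid>

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
  boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
   charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
  name="HAMSTER.DOC.pif"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

UExBQ0VIT0xERVI=
--====_ABC1234567890DEF_====--
"""


def file_ext(name):
    """Lower-cased final extension of a filename, '' if it has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def scan_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    referenced_cids = set()   # cid: values the HTML body loads
    parts_by_cid = {}         # Content-ID -> MIME part
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename()  # falls back to the Content-Type name= parameter
        cid = part.get("Content-ID")
        if cid:
            parts_by_cid[str(cid).strip("<>")] = part
        if ctype == "text/html":
            # get_content() undoes the quoted-printable encoding (=3D -> =)
            for m in IFRAME_CID_RE.finditer(part.get_content()):
                referenced_cids.add(m.group(1))
                findings.append(f"HTML body loads cid:{m.group(1)} through an <iframe>")
        if fname:
            ext = file_ext(fname)
            expected = EXPECTED_EXTS.get(ctype)
            if expected is not None and ext not in expected:
                findings.append(f"declared {ctype} but filename is {fname}")
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable attachment {fname}")
    # Tie the two observations together: an iframe whose target is executable.
    for cid in sorted(referenced_cids):
        part = parts_by_cid.get(cid)
        if part is not None and file_ext(part.get_filename() or "") in EXECUTABLE_EXTS:
            findings.append(f"iframe target cid:{cid} is the executable {part.get_filename()}")
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

Run against the constructed sample it reports four findings: the iframe load, the `audio/x-wav` versus `.pif` mismatch, the executable attachment itself, and the link between them. A mail gateway filter built on this logic would have quarantined the message on its headers alone, without needing a signature for the payload.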
