Here's yet another new way (at least I've never seen it) for a virus to be delivered and it is NOT detectable by Norton! I got an email today, no subject line, except for "Re:" in it. This evidently is to make you think they are replying to an email you sent them. Don't buy it...I didn't. I could tell right away it was a virus simply due to the appearance of the email. There was one VISIBLE attachment which was benign. It was text file (.txt Notepad) and it was completely blank. Appears to serve no purpose. However clicking "forward" on the message shows an additional attachment, "hamster.doc.pif". The email message body was in HTML format (glowing white background) but no text AT ALL. Totally blank. When the email was simply highlighted to read it (the way you do any other email in outlook express) the IE download dialog window popped up asking the usual "You have selected to download a file from this location"..."do you want to...'open' or 'save to disk'" that we all see when we download something. It did not say from where the download would come from. I saved the email to a folder, then opened the email in notepad to see the code. You can see "hamster.doc.pif" in the code below. Now what is really odd, is scanning the email shows NO VIRUSES, even after downloading the file and scanning it, that also shows no viruses! When it's downloaded, the file type box states .wav sound file, however, after it's downloaded it shows as dos exe shortcut icon and has the .pif extension. How do I know it's a virus? Experience. Plus, I opened Norton and went to submit it, and low and behold it said "this virus is already known to Symantec and does not need to be submitted". !! Evidently, what is was seeing was some type of "recognizable virus activity" is all I can say. It also never gave the name! And yet remember, scanning or downloading it showed NO VIRUS yet submitting to Symantec says it IS a virus! I searched all computer security search engines, plus Norton, Trend, McAfee, etc, all the sites, and this name hamster.doc.pif was not found at ANY of them. I know that is not the virus name, but they are also listed under aliases and how they appear in emails. Watch out for this one, this is the oddest I have ever seen. If you are going through your emails NEVER choose to download a file that just automatically pops up. Also be SURE you have in your download dialog window the box checked "Always ASK before opening or downloading this type of file"!! [later] Ahhh, here we go, I just clicked 'properties' while it was in quarantine and it said w32.badtrans.b@mm Now, since that is a known virus, I'd like to know why Norton did not see it during a scan, opening of email, downloading the file, or moving the file. Perhaps a mutation. ? http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@xxxxxxx and note on that page this is a brand new one, only recognized since Nov. 24th. and 'hamster' is not listed on that page as any of the attachment names. (no surprise it's from AOL, see below##) X-POP3-Rcpt: sales@xxxxxxxxxxxxxxxxxxxx Received: from dte.vsnl.net.in (dte.vsnl.net.in [202.54.8.4]) by host40.hostingcheck.com (8.10.2/8.10.2) with ESMTP id fAQ3pH415996 for <sales@xxxxxxxxxxxxxxxxxxxx>; Sun, 25 Nov 2001 22:51:28 -0500 ############Received: from aol.com (ppp135-115.doter.vsnl.net.in [61.0.135.115]) by dte.vsnl.net.in (Postfix) with SMTP id 3347559489 for <sales@xxxxxxxxxxxxxxxxxxxx>; Mon, 26 Nov 2001 09:20:27 +0530 (IST) From: "aptech" <_aptechpb@xxxxxxxxxxxxxxxx> To: sales@xxxxxxxxxxxxxxxxxxxx Subject: Re: MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_====" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 Message-Id: <20011126035027.3347559489@xxxxxxxxxxxxxxx> Date: Mon, 26 Nov 2001 09:20:27 +0530 (IST) --====_ABC1234567890DEF_==== Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_====" --====_ABC0987654321DEF_==== Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff> <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> </iframe></BODY></HTML> --====_ABC0987654321DEF_====-- --====_ABC1234567890DEF_==== Content-Type: audio/x-wav; name="HAMSTER.DOC.pif" Content-Transfer-Encoding: base64 Content-ID: <EA4DMGBP9p> (then several dozen lines of letters & numbers). -Clint Happy Thanksgiving & God Bless Us All Clint Hamilton, Owner http://OrpheusComputing.com http://ComputerHardware-ConsumerElectronics.com sales@xxxxxxxxxxxxxxxxxxxx Fax: 209-882-9602 TechAssist Administration http://tech-assist.org techassist@xxxxxxxxxxxxx ================================= Help make your TechAssist database better! Submit your fixes here: http://circuitwork.com/techassist/tip/#tips ================================= To UNSUBSCRIBE your email address, click here: mailto:techassist-request@xxxxxxxxxxxxx?subject=unsubscribe