I keep getting the below virus with a .pi extension. Be sure that if you are doing blocking that you add that extension. This is starting to be pretty rampant and appears to be not only coming from Bill@xxxxxxxxxxxxx. I have gotten it under 3 other names also today. Look out!

Regards,
Jim Kenzig
http://thethin.net

VIRUS WARNING ISSUED BY CENTRALCOMMAND® on June 01, 2003 for Worm/Sobig.C

VIRUS WARNING

The Central Command® Emergency Virus Response Team™ (EVRT™) has received virus infection reports for the new Internet Worm/Sobig.C. Due to increased customer inquiries and infection reports the EVRT is issuing a VIRUS ALERT.

You are receiving this newsletter because you are a subscriber to the Central Command Virus News mailing list.

[ EVRT™ Virus Warning issued for Worm/Sobig.C ]

Details:

Name: Worm/SoBig.C
Alias: Win32.Sobig-C
Type: Internet Worm
Discovered: June 1, 2003
Size: 59.948KB
Platform: Microsoft Windows 9x/ME/NT/2000/XP

Description:

Worm/Sobig.C is an Internet worm that spreads through e-mail by using addresses it collects in the files with the following extensions: .dbx, .eml, .htm, .html, .txt, and .wab.

The worm may arrive via email in the following format:

From: bill@xxxxxxxxxxxxx

Subject: (it will contain one of the following)
- Approved
- Re: 45443-343556
- Re: Application
- Re: Approved
- Re: Movie
- Re: Submited (004756-3463)
- Re: Your application

Body: Please see the attached file.

Attachment: (it will contain one of the following)
- 45443.pif
- application.pif
- approved.pif
- document.pif
- documents.pif
- movie.pif
- screensaver.scr
- submited.pif
- _submited.pif

If executed, the worm copies itself in the \windows\ directory under the filename "mscvb32.exe".
So that it gets run each time a user restarts their computer, the following registry key gets added:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "System Tray"="%Windows%\mscvb32.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "System MScvb"="%Windows%\mscvb32.exe"
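
The attachment blocking discussed in this message, as an added example that is not part of the original e-mail or of the Central Command advisory: a Python check a mail gateway could run on each message, using the attachment names and the .pif/.scr extensions from the advisory's list. The function names `check_message` and `build_sample` are hypothetical, and the sample messages are constructed with placeholder attachment bytes.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions seen in the advisory's attachment list.
BLOCKED_EXTENSIONS = {".pif", ".scr"}
# Exact attachment names the advisory lists for Worm/Sobig.C.
SOBIG_C_NAMES = {
    "45443.pif", "application.pif", "approved.pif", "document.pif",
    "documents.pif", "movie.pif", "screensaver.scr", "submited.pif",
    "_submited.pif",
}

def check_message(raw_bytes):
    """Return [(filename, reason)] for attachments a gateway should hold."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container
        # Compare case-insensitively and drop trailing dots/spaces, which
        # Windows ignores when the file is saved.
        norm = name.strip().rstrip(". ").lower()
        # Only the last extension matters: "notes.txt.pif" is a .pif.
        ext = "." + norm.rsplit(".", 1)[1] if "." in norm else ""
        if norm in SOBIG_C_NAMES:
            findings.append((name, "sobig-c-name"))
        elif ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked-extension"))
    return findings

def build_sample(filename):
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Re: Application"
    m.set_content("Please see the attached file.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn in ("application.pif", "Holiday.txt.PIF", "notes.txt"):
        print(fn, check_message(build_sample(fn)))
```

Matching on the extension as well as the exact names keeps the filter useful when the sender or file name varies from the advisory's list.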