[TechAssist] Re: Virus not seen by Norton

  • From: "Jeff Dougherty" <jeff@xxxxxxxxxxxxxxxxxx>
  • To: <techassist@xxxxxxxxxxxxx>
  • Date: Mon, 26 Nov 2001 23:41:27 -0500

Ken,
Make sure you check for new definitions today. I'm not sure when the one to
include this new variant was entered.
I do not spell out the word v*rus because some email lists will bounce an
email with that word in it.
Its name was Badtrans.B@mm. The attachment was some kind of DOC, I forget
its name, and the actual extension was PIF.
Problem is, you do not see this unless you attempt to forward the email. All
you see is a text file as an attachment.

Jeff
mailto:Jeff@xxxxxxxxxxxxxxxxxx  www.9-11-2001tragedy.com
FAX 1-413-280-0677
Intrepid Video & Electronics
Harrisburg, PA 17111
717-909-8844
www.intrepid-video.com www.tech-repair.net www.thetoolcaddy.com
----- Original Message -----
From: <gulftech@xxxxxxxx>
To: <techassist@xxxxxxxxxxxxx>
Sent: Monday, November 26, 2001 4:48 PM
Subject: [TechAssist] Re: Virus not seen by Norton


>
> Jeff,
>
> What is the name of the critter?  Is there a particular reason for not
> spelling out the "v" word?
>
> After what happened to me last week, I got rid of McAfee and got Norton.
>  Update is current.  That v---- cost me the better part of two days lost
> time and $150 for the pro that fixed it.  Lesson learned.
>
>
> Ken Smith
> Gulf Technical Services
> 3034 Gulf Breeze Parkway
> Gulf Breeze, FL  32561
> 850-934-8324 (Voice) 850-932-0819 (Fax)
>
> ------------------
>
> On Mon, 26 Nov 2001 15:22:02 -0500 "Jeff Dougherty"
> <jeff@xxxxxxxxxxxxxxxxxx> writes:
> >
> > Everyone, update your vir*s definitions.
> > I received the same one Clint did, three times.
> > It looks like it somehow is getting email addresses from
> > websites..so if you
> > have a website, you are bound to get this one.
> > After I updated Norton, it then detected the third one.
> >
> > Jeff
> > mailto:Jeff@xxxxxxxxxxxxxxxxxx  www.9-11-2001tragedy.com
> > FAX 1-413-280-0677
> > Intrepid Video & Electronics
> > Harrisburg, PA 17111
> > 717-909-8844
> > www.intrepid-video.com www.tech-repair.net www.thetoolcaddy.com
> > ----- Original Message -----
> > From: "OrpheusComputing.com Repair" <techassist@xxxxxxxxxxxxxxxxxxxx>
> > To: "TechAssist" <techassist@xxxxxxxxxxxxx>
> > Sent: Monday, November 26, 2001 5:47 AM
> > Subject: [TechAssist] Virus not seen by Norton
> >
> >
> > >
> > > Here's yet another new way (at least I've never seen it) for
> > > a virus to be delivered and it is NOT detectable by Norton!
> > >
> > > I got an email today, no subject line, except for "Re:" in
> > > it.  This evidently is to make you think they are replying to
> > > an email you sent them.  Don't buy it...I didn't.  I could
> > > tell right away it was a virus simply due to the appearance
> > > of the email.  There was one VISIBLE attachment which was
> > > benign.  It was a text file (.txt Notepad) and it was
> > > completely blank.  Appears to serve no purpose.  However
> > > clicking "forward" on the message shows an additional
> > > attachment, "hamster.doc.pif".  The email message body was in
> > > HTML format (glowing white background) but no text AT ALL.
> > > Totally blank.  When the email was simply highlighted to read
> > > it (the way you do any other email in outlook express) the IE
> > > download dialog window popped up asking the usual "You have
> > > selected to download a file from this location"..."do you
> > > want to...'open' or 'save to disk'" that we all see when we
> > > download something.  It did not say from where the download
> > > would come from.  I saved the email to a folder, then opened
> > > the email in notepad to see the code.  You can see
> > > "hamster.doc.pif" in the code below.  Now what is really odd,
> > > is scanning the email shows NO VIRUSES, even after
> > > downloading the file and scanning it, that also shows no
> > > viruses!  When it's downloaded, the file type box states .wav
> > > sound file, however, after it's downloaded it shows as dos
> > > exe shortcut icon and has the .pif extension.  How do I know
> > > it's a virus?  Experience.  Plus, I opened Norton and went to
> > > submit it, and lo and behold it said "this virus is already
> > > known to Symantec and does not need to be submitted".  !!
> > > Evidently, what it was seeing was some type of
> > > "recognizable virus activity" is all I can say.  It also
> > > never gave the name!  And yet remember, scanning or
> > > downloading it showed NO VIRUS yet submitting to
> > > Symantec says it IS a virus!  I searched all computer
> > > security search engines, plus Norton, Trend, McAfee,
> > > etc, all the sites, and this name hamster.doc.pif was
> > > not found at ANY of them.  I know that is not the virus
> > > name, but they are also listed under aliases and how
> > > they appear in emails.  Watch out for this one, this
> > > is the oddest I have ever seen.  If you are going
> > > through your emails NEVER choose to download a file
> > > that just automatically pops up.  Also be SURE you have in
> > > your download dialog window the box checked "Always ASK
> > > before opening or downloading this type of file"!!
> > > [later]
> > > Ahhh, here we go, I just clicked 'properties' while it was in
> > > quarantine and it said w32.badtrans.b@mm  Now, since
> > > that is a known virus, I'd like to know why Norton did not
> > > see it during a scan, opening of email, downloading the file,
> > > or moving the file.  Perhaps a mutation. ?
> > >
> >
> > > http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
> > > and note on that page this is a brand new one, only
> > > recognized since Nov. 24th. and 'hamster' is not listed on
> > > that page as any of the attachment names.
> > >
> > > (no surprise it's from AOL, see below##)
> > > X-POP3-Rcpt: sales@xxxxxxxxxxxxxxxxxxxx
> > > Received: from dte.vsnl.net.in (dte.vsnl.net.in [202.54.8.4])
> > >  by host40.hostingcheck.com (8.10.2/8.10.2) with ESMTP id
> > > fAQ3pH415996
> > >  for <sales@xxxxxxxxxxxxxxxxxxxx>; Sun, 25 Nov 2001
> > > 22:51:28 -0500
> > > ############Received: from aol.com (ppp135-115.doter.vsnl.net.in
> > > [61.0.135.115])
> > >  by dte.vsnl.net.in (Postfix) with SMTP id 3347559489
> > >  for <sales@xxxxxxxxxxxxxxxxxxxx>; Mon, 26 Nov 2001 09:20:27
> > > +0530 (IST)
> > > From: "aptech" <_aptechpb@xxxxxxxxxxxxxxxx>
> > > To: sales@xxxxxxxxxxxxxxxxxxxx
> > > Subject: Re:
> > > MIME-Version: 1.0
> > > Content-Type: multipart/related;
> > >   type="multipart/alternative";
> > >   boundary="====_ABC1234567890DEF_===="
> > > X-Priority: 3
> > > X-MSMail-Priority: Normal
> > > X-Unsent: 1
> > > Message-Id: <20011126035027.3347559489@xxxxxxxxxxxxxxx>
> > > Date: Mon, 26 Nov 2001 09:20:27 +0530 (IST)
> > >
> > > --====_ABC1234567890DEF_====
> > > Content-Type: multipart/alternative;
> > >   boundary="====_ABC0987654321DEF_===="
> > >
> > > --====_ABC0987654321DEF_====
> > > Content-Type: text/html;
> > >    charset="iso-8859-1"
> > > Content-Transfer-Encoding: quoted-printable
> > >
> > > <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
> > > <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
> > > </iframe></BODY></HTML>
> > > --====_ABC0987654321DEF_====--
> > >
> > > --====_ABC1234567890DEF_====
> > > Content-Type: audio/x-wav;
> > >   name="HAMSTER.DOC.pif"
> > > Content-Transfer-Encoding: base64
> > > Content-ID: <EA4DMGBP9p>
> > >
> > > (then several dozen lines of letters & numbers).
> > > -Clint
> > >
> > > Happy Thanksgiving &
> > > God Bless Us All
> > > Clint Hamilton, Owner
> > > http://OrpheusComputing.com
> > > http://ComputerHardware-ConsumerElectronics.com
> > > sales@xxxxxxxxxxxxxxxxxxxx
> > > Fax: 209-882-9602
> > > TechAssist Administration
> > > http://tech-assist.org
> > > techassist@xxxxxxxxxxxxx
> > >
> > >
> > >
> > > =================================
> > > Help make your TechAssist database better!
> > > Submit your fixes here: http://circuitwork.com/techassist/tip/#tips
> > > =================================
> > > To UNSUBSCRIBE your email address, click here:
> > > mailto:techassist-request@xxxxxxxxxxxxx?subject=unsubscribe
> > >
> > >
> >
> >
>
>
>
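
The MIME structure quoted in the thread above, turned into a mail-gateway style check. This is an added example, not part of the original messages: it flags a named part whose final extension is executable, hidden behind a second extension, declared as a media type, and pulled in by a `cid:` reference in the HTML body. The `audit` function, the flag names and the extension list are assumptions; the sample message is constructed and its payload is a harmless placeholder.

```python
import re
from email import message_from_string
from email.policy import default

EXECUTABLE_EXT = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "lnk"}  # assumed blocklist
CID_REF = re.compile(r"""src\s*=\s*["']?cid:([^\s"'>]+)""", re.I)
# Constructed sample mirroring the quoted structure; the base64 body is a placeholder.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="HAMSTER.DOC.pif"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

cGxhY2Vob2xkZXI=
--====_ABC1234567890DEF_====--
"""

def audit(raw):
    """Return {attachment name: [flags]} for every named MIME part."""
    parts = list(message_from_string(raw, policy=default).walk())
    cids = {c for p in parts if p.get_content_type() == "text/html"
            for c in CID_REF.findall(p.get_content())}  # get_content() decodes quoted-printable
    report = {}
    for p in (q for q in parts if q.get_filename()):  # get_filename() falls back to name=
        exts, flags = p.get_filename().lower().split(".")[1:], []
        if exts and exts[-1] in EXECUTABLE_EXT:
            flags.append("executable-extension")
            if len(exts) > 1:  # e.g. .doc.pif: the last extension decides how it runs
                flags.append("double-extension")
            if p.get_content_maintype() in {"audio", "image", "video", "text"}:
                flags.append("type-mismatch")  # declared media type vs. executable name
        if str(p.get("Content-ID", "")).strip("<> ") in cids:
            flags.append("referenced-by-html-cid")  # HTML body loads this part on render
        report[p.get_filename()] = flags
    return report
```
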
