Ken,

Make sure you check for new definitions today. I'm not sure when the one to
include this new variant was entered.
I do not spell out the word v*rus because some email list will bounce an
email with that word in it.
Its name was Badtrans.B@mm. The attachment was some kind of DOC, I forget
its name, and the actual extension was PIF.
Problem is, you do not see this unless you attempt to forward the email. All
you see is a text file as an attachment.

Jeff
mailto:Jeff@xxxxxxxxxxxxxxxxxx www.9-11-2001tragedy.com
FAX 1-413-280-0677
Intrepid Video & Electronics
Harrisburg, PA 17111
717-909-8844
www.intrepid-video.com www.tech-repair.net www.thetoolcaddy.com

----- Original Message -----
From: <gulftech@xxxxxxxx>
To: <techassist@xxxxxxxxxxxxx>
Sent: Monday, November 26, 2001 4:48 PM
Subject: [TechAssist] Re: Virus not seen by Norton

> Jeff,
>
> What is the name of the critter? Is there a particular reason for not
> spelling out the "v" word?
>
> After what happened to me last week, I got rid of McAfee and got Norton.
> Update is current. That v---- cost me the better part of two days lost
> time and $150 for the pro that fixed it. Lesson learned.
>
> Ken Smith
> Gulf Technical Services
> 3034 Gulf Breeze Parkway
> Gulf Breeze, FL 32561
> 850-934-8324 (Voice) 850-932-0819 (Fax)
>
> ------------------
>
> On Mon, 26 Nov 2001 15:22:02 -0500 "Jeff Dougherty"
> <jeff@xxxxxxxxxxxxxxxxxx> writes:
> >
> > Everyone, update your vir*s definitions.
> > I received the same one Clint did, three times.
> > It looks like it somehow is getting email addresses from websites..so if you
> > have a website, you are bound to get this one.
> > After I updated Norton, it then detected the third one.
> >
> > Jeff
> > mailto:Jeff@xxxxxxxxxxxxxxxxxx www.9-11-2001tragedy.com
> > FAX 1-413-280-0677
> > Intrepid Video & Electronics
> > Harrisburg, PA 17111
> > 717-909-8844
> > www.intrepid-video.com www.tech-repair.net www.thetoolcaddy.com
> > ----- Original Message -----
> > From: "OrpheusComputing.com Repair" <techassist@xxxxxxxxxxxxxxxxxxxx>
> > To: "TechAssist" <techassist@xxxxxxxxxxxxx>
> > Sent: Monday, November 26, 2001 5:47 AM
> > Subject: [TechAssist] Virus not seen by Norton
> >
> > >
> > > Here's yet another new way (at least I've never seen it) for
> > > a virus to be delivered and it is NOT detectable by Norton!
> > >
> > > I got an email today, no subject line, except for "Re:" in
> > > it. This evidently is to make you think they are replying to
> > > an email you sent them. Don't buy it...I didn't. I could
> > > tell right away it was a virus simply due to the appearance
> > > of the email. There was one VISIBLE attachment which was
> > > benign. It was a text file (.txt Notepad) and it was
> > > completely blank. Appears to serve no purpose. However
> > > clicking "forward" on the message shows an additional
> > > attachment, "hamster.doc.pif". The email message body was in
> > > HTML format (glowing white background) but no text AT ALL.
> > > Totally blank. When the email was simply highlighted to read
> > > it (the way you do any other email in Outlook Express) the IE
> > > download dialog window popped up asking the usual "You have
> > > selected to download a file from this location"..."do you
> > > want to...'open' or 'save to disk'" that we all see when we
> > > download something. It did not say from where the download
> > > would come from. I saved the email to a folder, then opened
> > > the email in Notepad to see the code. You can see
> > > "hamster.doc.pif" in the code below. Now what is really odd,
> > > is scanning the email shows NO VIRUSES, even after
> > > downloading the file and scanning it, that also shows no
> > > viruses!
> > > When it's downloaded, the file type box states .wav
> > > sound file, however, after it's downloaded it shows as dos
> > > exe shortcut icon and has the .pif extension. How do I know
> > > it's a virus? Experience. Plus, I opened Norton and went to
> > > submit it, and lo and behold it said "this virus is already
> > > known to Symantec and does not need to be submitted". !!
> > > Evidently, what it was seeing was some type of
> > > "recognizable virus activity" is all I can say. It also
> > > never gave the name! And yet remember, scanning or
> > > downloading it showed NO VIRUS yet submitting to
> > > Symantec says it IS a virus! I searched all computer
> > > security search engines, plus Norton, Trend, McAfee,
> > > etc, all the sites, and this name hamster.doc.pif was
> > > not found at ANY of them. I know that is not the virus
> > > name, but they are also listed under aliases and how
> > > they appear in emails. Watch out for this one, this
> > > is the oddest I have ever seen. If you are going
> > > through your emails NEVER choose to download a file
> > > that just automatically pops up. Also be SURE you have in
> > > your download dialog window the box checked "Always ASK
> > > before opening or downloading this type of file"!!
> > > [later]
> > > Ahhh, here we go, I just clicked 'properties' while it was in
> > > quarantine and it said w32.badtrans.b@mm Now, since
> > > that is a known virus, I'd like to know why Norton did not
> > > see it during a scan, opening of email, downloading the file,
> > > or moving the file. Perhaps a mutation. ?
> > >
> > > http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
> > > and note on that page this is a brand new one, only
> > > recognized since Nov. 24th. and 'hamster' is not listed on
> > > that page as any of the attachment names.
> > >
> > > (no surprise it's from AOL, see below##)
> > > X-POP3-Rcpt: sales@xxxxxxxxxxxxxxxxxxxx
> > > Received: from dte.vsnl.net.in (dte.vsnl.net.in [202.54.8.4])
> > >     by host40.hostingcheck.com (8.10.2/8.10.2) with ESMTP id
> > >     fAQ3pH415996
> > >     for <sales@xxxxxxxxxxxxxxxxxxxx>; Sun, 25 Nov 2001
> > >     22:51:28 -0500
> > > ############Received: from aol.com (ppp135-115.doter.vsnl.net.in
> > >     [61.0.135.115])
> > >     by dte.vsnl.net.in (Postfix) with SMTP id 3347559489
> > >     for <sales@xxxxxxxxxxxxxxxxxxxx>; Mon, 26 Nov 2001 09:20:27
> > >     +0530 (IST)
> > > From: "aptech" <_aptechpb@xxxxxxxxxxxxxxxx>
> > > To: sales@xxxxxxxxxxxxxxxxxxxx
> > > Subject: Re:
> > > MIME-Version: 1.0
> > > Content-Type: multipart/related;
> > >     type="multipart/alternative";
> > >     boundary="====_ABC1234567890DEF_===="
> > > X-Priority: 3
> > > X-MSMail-Priority: Normal
> > > X-Unsent: 1
> > > Message-Id: <20011126035027.3347559489@xxxxxxxxxxxxxxx>
> > > Date: Mon, 26 Nov 2001 09:20:27 +0530 (IST)
> > >
> > > --====_ABC1234567890DEF_====
> > > Content-Type: multipart/alternative;
> > >     boundary="====_ABC0987654321DEF_===="
> > >
> > > --====_ABC0987654321DEF_====
> > > Content-Type: text/html;
> > >     charset="iso-8859-1"
> > > Content-Transfer-Encoding: quoted-printable
> > >
> > > <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
> > > <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
> > > </iframe></BODY></HTML>
> > > --====_ABC0987654321DEF_====--
> > >
> > > --====_ABC1234567890DEF_====
> > > Content-Type: audio/x-wav;
> > >     name="HAMSTER.DOC.pif"
> > > Content-Transfer-Encoding: base64
> > > Content-ID: <EA4DMGBP9p>
> > >
> > > (then several dozen lines of letters & numbers).
> > > -Clint
> > >
> > > Happy Thanksgiving &
> > > God Bless Us All
> > > Clint Hamilton, Owner
> > > http://OrpheusComputing.com
> > > http://ComputerHardware-ConsumerElectronics.com
> > > sales@xxxxxxxxxxxxxxxxxxxx
> > > Fax: 209-882-9602
> > > TechAssist Administration
> > > http://tech-assist.org
> > > techassist@xxxxxxxxxxxxx
> > >
> > > =================================
> > > Help make your TechAssist database better!
> > > Submit your fixes here: http://circuitwork.com/techassist/tip/#tips
> > > =================================
> > > To UNSUBSCRIBE your email address, click here:
> > > mailto:techassist-request@xxxxxxxxxxxxx?subject=unsubscribe
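
The raw message quoted in this thread has three traits that can be checked mechanically: an HTML part whose zero-size iframe points by cid: at another part, a part declared audio/x-wav, and the name HAMSTER.DOC.pif on that same part. The following is an added example, not part of the original thread: Python standard-library code that flags those traits, where the extension list, the flag names and the constructed sample message are assumptions for illustration.

```python
import re
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

EXECUTABLE_EXT = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "lnk"}  # assumed, not exhaustive
CID_IFRAME = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)

def audit(msg):
    """Return [(attachment name, sorted flags)] for suspicious MIME parts."""
    framed = set()
    for part in msg.walk():  # pass 1: Content-IDs that an HTML iframe loads on preview
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("latin-1", "replace")
            framed.update(CID_IFRAME.findall(html))
    findings = []
    for part in msg.walk():  # pass 2: inspect every named part
        name = part.get_filename()  # falls back to the Content-Type name= parameter
        if not name:
            continue
        pieces = name.lower().split(".")
        flags = set()
        if len(pieces) > 1 and pieces[-1] in EXECUTABLE_EXT:
            flags.add("executable-extension")
            if len(pieces) > 2:  # e.g. .doc.pif: the decoy extension hides the real one
                flags.add("double-extension")
            if part.get_content_maintype() in {"audio", "image", "video", "text"}:
                flags.add("media-type-mismatch")  # declared as media, named as a program
        if (part.get("Content-ID") or "").strip("<> ") in framed:
            flags.add("cid-iframe")
        if flags:
            findings.append((name, sorted(flags)))
    return findings

def constructed_sample():
    """Constructed message with the layout quoted in the thread; payload is a harmless placeholder."""
    html = "<HTML><BODY><iframe src=cid:EA4DMGBP9p height=0 width=0></iframe></BODY></HTML>"
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText(html, "html", "iso-8859-1"))
    att = MIMEBase("audio", "x-wav", name="HAMSTER.DOC.pif")
    att.set_payload(b"placeholder, not a real attachment")
    encoders.encode_base64(att)
    att.add_header("Content-ID", "<EA4DMGBP9p>")
    outer = MIMEMultipart("related")
    for p in (alt, att): outer.attach(p)
    return message_from_string(outer.as_string())  # round-trip through the parser

if __name__ == "__main__":
    print(audit(constructed_sample()))
```
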