E-mail Virus Wreaking Havoc Worldwide

Talon News ^ | June 17, 2004 | By Jimmy Moore

[MountainPatriot]

SPARTANBURG, SC (Talon News) -- A threatening new e-mail virus debuted last Friday and is quickly circulating worldwide across the Internet, affecting computers of countless numbers of individuals, government officials, and media.

In a message entitled "{Spam?} {Virus?} {Spam?} Check this out kid!!!," the e-mail simply states, "Send me back bro, when you'll be done...(if you know what i mean...) See ya, ..."

Worse yet, the attachment to this e-mail, "jennifer the wild girl xxx07.jpg.pif," is a virus that has severely infected computers internationally.

The virus, known as Worm.Zafi.B, sends as many as 100 or more e-mail messages daily with the aforementioned message delivered from various e-mail addresses.

The recipient list in the e-mails received by Talon News indicates that the e-mail virus has been sent to members of the media, such as CNN, the Washington Post, Seattle-based KIRO radio, and Talon News, as well as elected officials like House Speaker Dennis Hastert and House Minority Leader Nancy Pelosi, just to name a few.

In addition, the White House has received this e-mail virus along with governors and Congressman in every state.

The e-mail originates from a listserve entitled cis-announce or cis-outgoing. When someone receives this e-mail virus thinking it is spam and replies to everyone on the list about it, the virus spreads even further to the entire database of e-mail addresses found in the address book of the victim of the virus.

The Department of Homeland Security and Federal Bureau of Investigation have already been notified of this virus and are currently conducting research on it.

Each time a person responds to the virus e-mail, the virus adds "{Spam?}" to the outgoing message.

The official name of this Hungarian virus is Worm.Zafi.B, also known as Erkez.b, and has been described in a statement by Graham Cluley, senior technology consultant for Sophos Anti-virus (web site), as the most "widespread e-mail worm at the moment."

VirusList.com (web site) describes in detail the various forms of the Worm.Zafi.B e-mail virus that have shown up since it first began last week.

The worm was originally written in Hungarian and has been sent in many different languages, including English, Italian, Spanish, Swedish, and Russian.

This international e-mail virus infects a computer when the attachment is opened by looking for new e-mail addresses and sending a new message out to everyone in that person's address book.

Since the e-mail virus appears to come from someone familiar with the recipient, also known as "spoofing," the likelihood of the virus spreading is even greater.

To see if a computer has been infected by this e-mail virus, Symantec (web site) recommends that a complete scan be performed.

Although there may be an e-mail alert showing the virus originating from someone's e-mail address, that does not necessarily mean that person has the virus, because the virus "spoofs" the name of the sender at random among the e-mail addresses in its database.

As for disinfecting this virus, a special utility called F-Secure has been developed to eliminate the Zafi.B worm infection and can be downloaded at their web site.

Recipients of this e-mail virus are being asked to refrain from replying to this message in any form because it only sustains the life of the virus.

Copyright © 2004 Talon News -- All rights reserved.

[MountainPatriot]

I've received 250 of these emails. I've been lucky so far to have not gotten the virus, but I update by anti-virus software everday, sometimes twice a day.

[Snowy]

I've received 250 of these emails. I've been lucky so far to have not gotten the virus, but I update by anti-virus software everday, sometimes twice a day.

The problem is your firewall gets POUNDED. Even though you don't have the virus, others who do have it will send you numerous emails. My company received 1000+ in 45 minutes,and my husband's company received over 100,000. This one is nasty and very time-consuming.

[2banana]

In a message entitled "{Spam?} {Virus?} {Spam?} Check this out kid!!!," the e-mail simply states, "Send me back bro, when you'll be done...(if you know what i mean...) See ya, ..."

Worse yet, the attachment to this e-mail, "jennifer the wild girl xxx07.jpg.pif," is a virus that has severely infected computers internationally.

If you are dumb enough to open read or open an attachment to an email like this - you deserve to get a virus...

[BipolarBob]

Worse yet, the attachment to this e-mail, "jennifer the wild girl xxx07.jpg.pif," is a virus that has severely infected computers internationally.

"All I wanted was to see Jennifer the wild girl and I got this nasty virus that ate my homework." Latest excuse why Johnny didn't have his womework done for class.

[MountainPatriot]

I've not received it. Just received the emails. My system is catching it before it comes. Just thought I'd pass this story, sorry to have offended.

[2banana]

sorry to have offended.

No offense taken, it was a general statement to all those "countless numbers of individuals, government officials, and media..."

[Blood of Tyrants]

No kidding. Absolutely no one I know would send something like that to me and I simply do not open emails from people I have never heard of.

[BipolarBob]

womework=homework

[OldFriend]

LOL....I'm to the point where I won't open email attachments from my kids even they are on the phone with me telling me it's okay!!!

For now tho, I'm still struggling with whatever it is that hit microsoft, google, and yahoo the other day.

Evidently my computer doesn't know the attack is over, if it is.

[raybbr]

If you are dumb enough to open read or open an attachment to an email like this - you deserve to get a virus...

What a childish statement. There many of elderly, children and novice computer users that, through no fault of their own, will get zapped by this virus. What you said is like saying that since you didn't bolt your car down to the ground it's your fault that someone stole it. Blame the innocent victim. Real intelligent.

[thoughtomator]

It's more like a stranger asking you if they can borrow your car "just for a few minutes", saying OK, then being surprised when it gets totaled. This far into the Internet age, it's simply irresponsible not to know how to deal with unexpected email attachments.

[ruiner]

True but I think his real intent was to say that a simple firewall, antivirus program and windows update will prevent you from almost EVER having a problem with this stuff. This is the equivalent of the leaving your car door open with the keys in the ignition and the engine running in a bad neighborhood.

[JoJo Gunn]

Are you saying that such a name of an attachment, with it's blaringly obvious prurient connotations, wouldn't give you pause?

Not very intelligent....

[PMCarey]

In a message entitled "{Spam?} {Virus?} {Spam?} Check this out kid!!!," the e-mail simply states, "Send me back bro, when you'll be done...(if you know what i mean...) See ya, ..."

Worse yet, the attachment to this e-mail, "jennifer the wild girl xxx07.jpg.pif," is a virus that has severely infected computers internationally.

... the White House has received this e-mail virus ...

Thank goodness that Bubba isn't President - the news story today would've been the "mysterious crash of the White House server due to unknown causes ..."

[RandallFlagg]

Bums who make these things should be keelhauled.

[solo gringo]

I got This VIRUS on my computer and i was getting about 900 messages a day some times i would get as many as 150 Per hour.This is one mean Mother hard to detect and destroy.Ran a scan on it was updating every quarter,half hour and hour in order for me to clean my computer we scanned on odd minutes not on set hours.Good luck everyone.

[CJ Wolf]

Arrgh, aye aye captain! And may there be some blistering barnacles on the hull.

[maridee]

You owe MountainPatriot and apology. This person is just alerting everyone to a virus and you insult him.
Go Figure..........

[BipolarBob]

Yeah. What maridee said.

[Samwise]

If you are dumb enough to open read or open an attachment to an email like this - you deserve to get a virus...

I'd be interested in knowing which of our esteemed politicians and media elite have opened it.

[boomop1]

Your shorts too tight?

[Steve_Seattle]

When is the government going to get serious about finding and prosecuting the assholes who create these things? There should be a minimum 10 year sentence for anyone creating a virus.

[2banana]

See post #6

[kayak]

We have a code number set up between us and our kids. If we're sending files to each other, we include that code in the Subject line. If we get email with attachments from our kids and that code isn't there we don't open it. Period. We write them back (a new message, not a Reply) and tell them and, if it's legit, they resend with the code in place.

[OldFriend]

Thanks for that great idea!!!

I am so dependent upon the computer that they understand my concerns and don't complain..... but a code word in the subject line would be the perfect solution.

[boomop1]

Thanks disregard my bellicose and my belly.

[Lazamataz]

When is the government going to get serious about finding and prosecuting the assholes who create these things? There should be a minimum 10 year sentence for anyone creating a virus.

I'll go you one better. There should be a minimum 10 year sentence for anyone who even catches a virus.

[Lazamataz]

It's more like a stranger asking you if they can borrow your car "just for a few minutes".

You mean it's NOT okay to lend your car to strangers?

I gotta stop doing that,

[raybbr]

My computer is very well protected. However, there are a lot of people who aren't computer savvy. Are you blaming them or the writer of the virus?

[raybbr]

Geez, I can't believe you two. Blaming the victim. Yes, try to protect yourself but when you get attacked you blame the poor schlub who's computer go wrecked? I don't get that at all.

[AppyPappy]

Anyone smart enough to have email should know better than to open unknown attachments.

[thoughtomator]

Okay, so someone who can't drive takes a car, crashes, and destroys it. Is he not to blame just because he is also the victim? Just like a car, a computer is a machine that requires some basic skills to operate, and the first responsibility of the user is to be, at the bare minimum, an adequate operator.

[Use It Or Lose It]

Perhaps you or someone else could explain this one: I received a "returned" email that I supposedly sent to the Toledo Symphony. The message I got in the returned email was that the one I sent had a virus that could not be repaired. I did not send anything to the Toledo Symphony.

[Cicero]

I haven't seen this one, although I've been affected by past email plagues.

If you have Norton AV properly configured and updated, it will remove this kind of attachment before you even have a change to open it. It doesn't just give you a warning; it quarantines the attachment and substitutes a brief text message saying that Norton has just saved you from infection.

If kids use your computer you need to have that kind of setup. And if your kids or grandmother uses a laptop, then you need to help them keep it updated.

[JoJo Gunn]

Let's examine the e-mail in question, shall we?

Check this out kid!!!

Send me back bro, when you'll be done...(if you know what i mean...) See ya

jennifer the wild girl xxx07.jpg.pif

It's not a question of being "computer savvy" when someone's curiousity is piqued by something advertised as sexual in nature. It's more a question of how savvy you are at keeping your pants up.

Even a newbie has the ability to trust it's instincts when it gets an e-mail like this, to be able to tell itself "Hey, that's not like something my friend/cousin/Momma is drawn to. Why is she/he sharing this with me?".

You're coming across as an Enabler.

[solo gringo]

This Virus does not only come in with the headings they have listed.If some one that has opened one of these things and email you then you get it also.It will also infect your virus scan.I have macafee and trend it by passed both and infected both of them.

[Cicero]

Many email viruses use false return addresses, or many of them simply claim to be returned email.

If your computer tests out to be infected, then it could actually have sent the message out on its own while your back was turned. If not, then it's a false address or a false message.

[chilepepper]

This international e-mail virus infects a computer...

This is not exactly correct, and should read, "...infects computers running Microsoft operating systems.

[hummingbird]

I'm getting server error messages when trying to search in Yahoo & Google...obviously, I can get into FR (unless this is an illusion!) and other websites, but my searches are coming back with 'server cannot be located' or something like that. Fruitless.....it was really bad Tuesday, got better on Wednesday and my first search on Yahoo today is 'server cannot be located.' What's a novice to do?!

[LibKill]

A couple of years ago a woman at work got an attachment which started out "annakournikova.jpg" and ended in ".exe".

She clicked on it and it immediately infected her computer, and sent emails to everyone on her mailing list, which included everyone at work, a few thousand people.

She kind of "outed" herself. :)

[backhoe]

Here's an email with the best advice, info, & links so far:

---

To recipients of emails with the subject line:  {Spam?} Re: {Spam?} RE: {Spam?} {Virus?} {Spam?} Check this out kid!!!

Okay, since all of you are sending ME stuff, I will send back to you some answers and cures.  So far I have received more than four dozen of your emails complaining about me and the others of you sending a virus.

Here is my analysis of what is happening and what you, each of you, can do about it.

First of all, do not send anything to cis-announce or cis-outgoing or any variation thereof.  Those might be their entire mailing list!  So let's not perpetuate this thing.  I am sending this email to all parties, including the firms named herein, and including an office in Homeland Security which is one of the senders to me!

It is possible that this particular virus is adding the word {Spam?} to its outgoing mail because I received from CIS their regular mailing with their regular subject line, but that word in brackets had been added at the beginning of the subject line.

Obviously, we are under attack from a virus, a Hungarian virus called Worm.Zafi.B.  Right now, this particular virus is the most "widespread email worm at the moment" and you can read the whole story which came out just about an hour ago:  http://www.theage.com.au/articles/2004/06/15/1087244900422.html?oneclick=true. This is truly an international virus, as described here in the Virus Encyclopedia:  http://www.viruslist.com/eng/viruslist.html?id=1666973. Down toward the bottom you will find the text of the emails YOU got, along with the description of the attachment that was deleted (hopefully).  Note that I have received the original email with the attachment removed and replaced with text telling me what the virus is!  Here is that text:

This is a message from the MailScanner E-Mail Virus Protection Service

----------------------------------------------------------------------

The original e-mail attachment "jennifer the wild girl xxx07.jpg.pif"

was believed to be infected by a virus and has been replaced by this warning

message.

If you wish to receive a copy of the *infected* attachment, please

e-mail helpdesk and include the whole of this message

in your request. Alternatively, you can call them, with

the contents of this message to hand when you call.

At Sat Jun 12 17:19:29 2004 the virus scanner said:

   ClamAV: jennifer the wild girl xxx07.jpg.pif contains Worm.Zafi.B

   MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (jennifer the wild girl xxx07.jpg.pif)

Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20040612 (message i5CLDxhq003158).

--

Postmaster

Mailscanner thanks transtec Computers for their support

Someone's computer is infected, and typically a virus will get into one person's computer, look around for email addresses, then send itself out to a whole bunch of the addresses it finds.

You cannot tell who really has the infected computer because the virus "spoofs" the sender's name, making it look like it is coming from someone else, NOT the person se computer is infected.  It will just pick at random one of those addresses that it found and use that as the "sender" and send itself to the other email addresses.  That is called "spoofing" which is quite commonly done by viruses.

An example:  Sharon's computer gets a virus which then sends itself to everyone in her address book but it looks like all those emails came from James!  Poor James doesn't even know this is happening until he starts getting those "bounced" emails saying that he is sending a virus.  He is innocent, does not have a virus, because all that is coming from Sharon's computer!  And Sharon has absolutely no clue that her computer is infected and doing all this.

Only by looking at the header of one of those spoofed emails very carefully can you get a hint of where it might be really coming from.  The following are two places where you can get a removal tool if you think you might be infected.

This is from http://vil.nai.com/vil/content/Print126242.htm

-- Update June 14th, 2004 03:01 PST --

The risk assessment of this threat has been raised to Medium due to increased prevalence.

If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

And this from http://www.f-secure.com/v-descs/zafi_b.shtml

F-Secure provides the special disinfection utility to eliminate Zafi.B worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.txt

I myself started getting these emails from "James Moore" on Saturday.  I have received several by now.  The header from one of the earlier ones is pasted below.  (It is NOT infected as it is a copy and paste rather than any kind of forwarding, which could perpetuate the virus.)

I have bolded some interesting lines.   The "return path" appears to be CIS.ORG.

A couple of other possibilities are these:  Numbers USA and The Social Contract are both clients of whetstonelogic.com, which appears in the header.  Note that wslogic.com is another name for whetstonelogic which specializes in "political intelligence tools".  Take a look at the header below.

You will see byromlaw.com which belongs to a law firm in Florida.  Did the emails originate there?  Or did they just go through their servers?  We don't know.  But in any case I sending all the these organizations a copy of this email.  Any one or all of the them might be infected and unknowingly sending out the virus to everyone else.

All of these organizations should check for viruses.  And so should you, the individuals that have received those emails from the "alleged" James Moore.

Here is the plan of action.  I am the webmaster for Terry Anderson and last fall I designed a page when we had another virus outbreak.  I called it "Got Virus?" and put up there the results of my research of what you can do to protect yourself and some free virus scans you can go to find out if you are infected.  Just finding those scan sites took a great deal of time, so all the work is already done -- all you have to do is run them on your own computers.  Everyone that receives this particular email should go to the following webpage and do your scans right away, and then at least once a week thereafter.  Bookmark the page and come back every week.  And update your Norton every day!  Including the special page that is updated more often than the "Live Update":  http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html. I just ran all four scans and my computer is clean.

Also, make sure you have Norton Anti-virus and Zone Alarm (a free firewall).  The links are on the "Got Virus?" page.  There again, the link for Zone Alarm was hard to find on their website, so I saved you all that time by putting it there.

To summarize, it is imperative that all of these check for viruses and make sure that

        1.      CIS.org
        2.      Numbers USA
        3.      The Social Contract
        4.      Byrom, Miller & Coleman
        4.      Everyone else receiving this email

                        should immediately:

        A.      Get anti-virus if you don't have it.
        B.      Get Zone Alarm if you don't have it.
        C.      Set your "Scheduled Tasks" to update every day,
                        both Live Update and
                        http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html.
        D.      Run all the scans on http://www.theterryandersonshow.com/Viruses.html
        E.      Run #D at least once a week.

These things need to be done immediately because this virus is proliferating rapidly!  While I wrote I received two dozen more of the spoofed emails!

Good luck!  If you have questions, please don't hesitate to contact me.  We are all in this together, regarding immigration as well as these virii.

Carol
webmaster4terry@dslextreme.com

[raybbr]

You're coming across as an Enabler.

Just who do you think I am enabling. The person who does nothing wrong and accidently opens up a virus? Ok. I accept that.

You, on the other hand, are making excuses for and enabling the criminal. I like my position much better.

[Billthedrill]

For the afflicted, HERE is a removal tool.

I dunno - I'd find an email whose subject line read "SPAM! XXX Nekkid Ladies!! Click on this attachment and trust us!!!" to be pretty tempting, myself. I mean, it's not like pornographers and virus authors are bad people or anything...

[Cuttnhorse]

Bump to save for later

[OldFriend]

Forget all your favorites.......go into the address line and type in Yahoo.com

I did the same thing for google.com bypassing my favorites and the google on my desktop.

I am the original techno-dope but have struggled lately with all kinds of virus attacks and spyware attacks and people out of the kindess of their hearts have helped me so I am hoping this helps you. Good luck.

[Xenalyte]

Why is it considered news that Nancy Pelosi, the White House, and God above (for all I know) RECEIVED an e-mail virus?

I receive a couple virus-laden e-mails a week. My AV scrubs them. I have yet to issue a press release about the event.

[Xenalyte]

Xena's Mom is 62 (and thank God she's not on FR). She is an AOL user and as such, is by definition largely clueless.

Yet she has never gotten a virus, because she never clicks on anything that says "Jennifer the wild girl" or similar.

Avoiding viruses is easy, if you're not stupid or into porn.

[Xenalyte]

Sheesh, y'all calm the hell down.

MP was bringing an article to our notice, and commenting that his server gets many a hit from the virus. He never said he'd opened anything - clearly, MP is not one of the stupid.

2B made a comment that, while obvious, needs to be made occasionally: if you're dumb enough to click on a random attachment, you deserve the hell you're about to get. He didn't call MP stupid.

Now unwad those panties.

[Xenalyte]

That's a good idea!

I've had to call Mom on more than one occasion and tell her that she'll shortly be receiving something safe to open from me.

[Redcloak]

I feel doubly neglected by this worm. First off, I haven't received a copy of it yet. Secondly, since I'm using Linux, I don't get to play along with all of the Windows users.

Yes, I'm being sarcastic!