This may not relate directly, but my normal spam/virus count is one or two a day; the last 2 days it has been dozens.
Some jackass keeps sending xxxjenniferthewildgirl.jpg.pif with virus attachments.
To recipients of emails with the subject line: {Spam?} Re: {Spam?} RE: {Spam?} {Virus?} {Spam?} Check this out kid!!!
Okay, since all of you are sending ME stuff, I will send back to you some answers and cures. So far I have received more than four dozen of your emails complaining about me and the others of you sending a virus.
Here is my analysis of what is happening and what you, each of you, can do about it.
First of all, do not send anything to cis-announce or cis-outgoing or any variation thereof. Those might be their entire mailing list! So let's not perpetuate this thing. I am sending this email to all parties, including the firms named herein, and including an office in Homeland Security which is one of the senders to me!
It is possible that this particular virus is adding the word {Spam?} to its outgoing mail because I received from CIS their regular mailing with their regular subject line, but that word in brackets had been added at the beginning of the subject line.
Obviously, we are under attack from a virus, a Hungarian virus called Worm.Zafi.B. Right now, this particular virus is the most "widespread email worm at the moment" and you can read the whole story which came out just about an hour ago: http://www.theage.com.au/articles/2004/06/15/1087244900422.html?oneclick=true. This is truly an international virus, as described here in the Virus Encyclopedia: http://www.viruslist.com/eng/viruslist.html?id=1666973. Down toward the bottom you will find the text of the emails YOU got, along with the description of the attachment that was deleted (hopefully). Note that I have received the original email with the attachment removed and replaced with text telling me what the virus is! Here is that text:
- This is a message from the MailScanner E-Mail Virus Protection Service
- ----------------------------------------------------------------------
- The original e-mail attachment "jennifer the wild girl xxx07.jpg.pif"
- was believed to be infected by a virus and has been replaced by this warning
- message.
- If you wish to receive a copy of the *infected* attachment, please
- e-mail helpdesk and include the whole of this message
- in your request. Alternatively, you can call them, with
- the contents of this message to hand when you call.
- At Sat Jun 12 17:19:29 2004 the virus scanner said:
- ClamAV: jennifer the wild girl xxx07.jpg.pif contains Worm.Zafi.B
- MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (jennifer the wild girl xxx07.jpg.pif)
- Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20040612 (message i5CLDxhq003158).
- --
- Postmaster
- Mailscanner thanks transtec Computers for their support
Someone's computer is infected, and typically a virus will get into one person's computer, look around for email addresses, then send itself out to a whole bunch of the addresses it finds.
You cannot tell who really has the infected computer because the virus "spoofs" the sender's name, making it look like it is coming from someone else, NOT the person whose computer is infected. It will just pick at random one of those addresses that it found and use that as the "sender" and send itself to the other email addresses. That is called "spoofing" which is quite commonly done by viruses.
An example: Sharon's computer gets a virus which then sends itself to everyone in her address book but it looks like all those emails came from James! Poor James doesn't even know this is happening until he starts getting those "bounced" emails saying that he is sending a virus. He is innocent, does not have a virus, because all that is coming from Sharon's computer! And Sharon has absolutely no clue that her computer is infected and doing all this.
Only by looking at the header of one of those spoofed emails very carefully can you get a hint of where it might be really coming from.
The following are two places where you can get a removal tool if you think you might be infected.
This is from
http://vil.nai.com/vil/content/Print126242.htm
- -- Update June 14th, 2004 03:01 PST --
- The risk assessment of this threat has been raised to Medium due to increased prevalence.
- If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
- Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.
And this from http://www.f-secure.com/v-descs/zafi_b.shtml
- F-Secure provides the special disinfection utility to eliminate Zafi.B worm infection. You can download this utility from our ftp site:
- ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.exe
- ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.zip
- Disinfection instructions can be found here:
- ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.txt
I myself started getting these emails from "James Moore" on Saturday. I have received several by now. The header from one of the earlier ones is pasted below. (It is NOT infected as it is a copy and paste rather than any kind of forwarding, which could perpetuate the virus.)
I have bolded some interesting lines. The "return path" appears to be CIS.ORG.
A couple of other possibilities are these: Numbers USA and The Social Contract are both clients of whetstonelogic.com, which appears in the header. Note that wslogic.com is another name for whetstonelogic which specializes in "political intelligence tools". Take a look at the header below.
You will see byromlaw.com which belongs to a law firm in Florida. Did the emails originate there? Or did they just go through their servers? We don't know. But in any case I am sending all of these organizations a copy of this email. Any one or all of them might be infected and unknowingly sending out the virus to everyone else.
All of these organizations should check for viruses. And so should you, the individuals that have received those emails from the "alleged" James Moore.
Here is the plan of action. I am the webmaster for Terry Anderson and last fall I designed a page when we had another virus outbreak. I called it "Got Virus?" and put up there the results of my research of what you can do to protect yourself and some free virus scans you can go to find out if you are infected. Just finding those scan sites took a great deal of time, so all the work is already done -- all you have to do is run them on your own computers. Everyone that receives this particular email should go to the following webpage and do your scans right away, and then at least once a week thereafter. Bookmark the page and come back every week.
And update your Norton every day! Including the special page that is updated more often than the "Live Update": http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html. I just ran all four scans and my computer is clean.
Also, make sure you have Norton Anti-virus and Zone Alarm (a free firewall). The links are on the "Got Virus?" page. There again, the link for Zone Alarm was hard to find on their website, so I saved you all that time by putting it there.
To summarize, it is imperative that all of these check for viruses and make sure that
1. CIS.org
2. Numbers USA
3. The Social Contract
4. Byrom, Miller & Coleman
5. Everyone else receiving this email
should immediately:
A. Get anti-virus if you don't have it.
B. Get Zone Alarm if you don't have it.
C. Set your "Scheduled Tasks" to update every day, both Live Update and http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html.
D. Run all the scans on http://www.theterryandersonshow.com/Viruses.html
E. Run #D at least once a week.
These things need to be done immediately because this virus is proliferating rapidly! While I wrote I received two dozen more of the spoofed emails!
Good luck! If you have questions, please don't hesitate to contact me. We are all in this together, regarding immigration as well as these virii.
Carol
webmaster4terry@dslextreme.com
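
Added example, not part of the original email: one way to do the header reading described above, by finding the host that actually handed a message to your own mail servers and comparing it with the "From" address. The sample header is constructed (placeholder `.example` hosts and documentation IP addresses), and `trace` and `trusted_suffix` are names chosen for this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the header from the email above. Hosts are
# placeholder .example names and the IPs are documentation addresses.
SAMPLE = """\
Return-Path: <james@sender.example>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Sat, 12 Jun 2004 17:19:31 -0700
Received: from dsl-pool-77.isp.example (dsl-pool-77.isp.example [203.0.113.77])
\tby mx.recipient.example with SMTP; Sat, 12 Jun 2004 17:19:29 -0700
From: "James Moore" <james@sender.example>
To: carol@recipient.example
Subject: Check this out kid!!!

body
"""

# "from <helo> (<rdns> [<ip>]) by <server>", a common Received layout.
HOP = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def trace(raw, trusted_suffix):
    """Return the host that handed the message to our own mail servers."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].lower()
    domain = claimed.rpartition("@")[2]
    handoff = None
    # Received lines are prepended, so the newest hop comes first. Only hops
    # stamped "by" our own servers are trustworthy; anything below the first
    # foreign stamp could have been written by the sender, so stop there.
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m or not m.group(4).lower().endswith(trusted_suffix):
            break
        # Prefer the name our server looked up; the HELO name is self-declared.
        handoff = {"host": (m.group(2) or m.group(1)).lower(), "ip": m.group(3)}
    if handoff is None:
        return {"claimed_from": claimed, "handoff": None, "from_matches_origin": None}
    host = handoff["host"]
    # A mismatch is a hint, not proof: legitimate mail is often relayed.
    matches = host == domain or host.endswith("." + domain)
    return {"claimed_from": claimed, "handoff": handoff, "from_matches_origin": matches}

if __name__ == "__main__":
    print(trace(SAMPLE, "recipient.example"))
```
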