From: tgpedersen
Message: 11888
Date: 2001-12-19
> O-: From: tgpedersenhas
>
> O-: _api1161v@...
> O-:
> O-: In contrast, the e-mail address of Carlos Padilla in the Members list
> O-: does not contain an underscore.
> O-: Therefore, perhaps it is an outside job? Perhaps Carlos Padilla
> O-: registered a null password (as some people do out of laziness)?
--- In cybalist@..., "Rex H. McTyeire" <rexbo@...> wrote:
> Torsten: you are going a bit beyond the situation on the virus. It is
> transmitted automatically by the infected system without the knowledge
> of the owner, if not sufficiently protected. No one is singling you out
> for attack. Badtrans (current variant .b, there are several) appends the
> underscore to the real sending address (or a random one) for outgoing
> autosend mail, so that replies do not get back to the machine spreading
> the thing. It sets up with several files from attachments: a .pif and
> .scr; then searches ALL incoming new, or stored (unopened or opened)
> mail in the infected machine to find new recipients to facilitate spread
> until it is stopped. Any mail received by an infected machine from
> [tied] that was originated by you would give it the addresses of the
> list, you, and any other list members included in your response. It can
> and does also take random real email addresses from its own list and
> uses them appended with the underscore to send. The only guilty party
> is the originator/designer of the virus and variants, unless you want to
> call everybody communicating without state of the art anti-virus
> protection guilty by negligence. By the same coin, however, those who
> are not protected enough to stop it are equally negligent. This virus
> beats some older Norton and other AntiVirus systems, particularly if
> passive system protection, and email in/out protection, are not turned
> on (two separate areas of protection.) It does not use an attached .exe
> file to infect the receiving machine, and doesn't have to be actively
> opened by the unprotected recipient (which may be how it gets through
> yahoo sometimes, as at least enough of this one did to trigger my Norton
> defense.) In the current environment (last couple of months) if you do
> list and email traffic: you must have a current AV system, updated
> often: WITH passive system, and in/out email protection turned on (or
> you are vulnerable.)
>
> This McAfee support site will give you some more specific information on
> the virus (and variants), how it works and spreads, as well as the
> symptoms to look for in your machine (most you can find with file
> search)
>
> < http://vil.nai.com/vil/virusSummary.asp?virus_k=99069 >
>
>
> Slàinte mhath;
> Rex H. McTyeire
>
Thank you for the explanation. Normally I don't receive e-mails from
cybalist; I access it directly on the net. Therefore, when I received
a single e-mail from cybalist titled "Re: Mercury and lead"
containing a virus, I assumed that it was directed to me, which was
not completely improbable, I think, considering some of the reactions
on the list to my postings; but now I understand from your
explanation that the title might also have been taken automatically
by the virus from some posting on cybalist.
The reason I pointed out that there was an extra underscore in the
sender address was that Piotr had given Carlos warning that he might
be stricken from the list and since the underscore indicated to me
that Carlos was *not* the culprit, but possibly someone else using
his name, I wanted to point that out. But, as I said, obviously your
explanation supersedes the above.
Torsten