
Re: SV: Someone on the list has a virus!!!

To: kkj <kkj@privat.utfors.se>
Subject: Re: SV: Someone on the list has a virus!!!
From: Jarrid Gross <jarrid_gross@earthlink.net>
Date: Sat, 05 Jul 2003 10:28:39 -0700
Kristian,

Unfortunately the attachment was NOT an acroreader file,
but actually a .PIF file, which is a common virus propagation mechanism.
The file was called AcroReader51_NLD_full.exe.pif.
It could just as easily have been called mycar.jpg.pif, in which case
you might have thought it was a picture/jpeg of "mycar" and you would
now be the proud host of the offending virus.

Virus propagation has become an exercise in social engineering,
where the trick is to find a catch phrase that compels the wary and
unwary to click on the attachment.

Windows and users are easily fooled into thinking that the extension prior to
the .pif ending is the real extension; it is not.

Obviously Windows is too dumb to know that the real filetype is a .PIF file,
which has no business (.PIF) to be run on 99.9% of all home computers.

You might consider setting up Windows to show you the "full" filename,
and not to "hide" the extension of known filetypes.
This will prevent Windows' shortcomings from confusing many users
into becoming the method of infection.



Jarrid Gross




kkj wrote:
> 
> I also got something similar.
> I had won an Ebay auction and it had this suspicious AcroReader attachment.
> I deleted it as I never open attachments and it was on something I had never
> bid on. It was "red alert" clearly on this mail.
> I have run the virusremover to be safe.
> Virus senders obviously try to go into chatlists and similar and call the
> attachment car related names. Yesterday it was "Big tits" and that kind of
> interesting things.
> Look out for attachments called "list of free Rootes parts" or other things
> that are hard to resist!
> 
> Kristian J
> 
> ----- Original Message -----
> From: Jarrid Gross <jarrid_gross@earthlink.net>
> To: Alpine List <alpines@autox.team.net>
> Sent: Saturday, July 05, 2003 2:49 PM
> Subject: Someone on the list has a virus!!!
> 
> > Some sunbeam content, see below...
> >
> > Just received this, "quarantined of course".
> > It had an attachment that was infected with W32.Bugbear.B@mm.
> >
> >
> > If you are the sender or originator of the original message (not this
> > one), you should look very carefully at your system.
> >
> > This is a case where either the sender or the receiver (most likely the
> > receiver) is infected.
> >
> > Good luck,
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > Status:
> >                 U
> >      Return-Path:
> >                 <bidconfirm@dingoblue.net.au>
> >        Received:
> >                 from smtp02.wxs.nl ([195.121.6.54]) by killdeer
> > (EarthLink SMTP Server) with ESMTP id 19yIjQ4uX3NZFlr0 for
> > <jarrid_gross(AT)earthlink.net>; Sat, 5 Jul 2003 01:22:54
> >                 -0700 (PDT)
> >        Received:
> >                 from evert (ip503cd777.speed.planet.nl [80.60.215.119])
> > by smtp02.wxs.nl (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18
> > 2003)) with SMTP id
> >                 <0HHJ00LWPM2QOW@smtp02.wxs.nl> for
> > jarrid_gross(AT)earthlink.net; Sat, 05 Jul 2003 10:25:55 +0200 (MEST)
> >            Date:
> >                 Sat, 05 Jul 2003 10:25:42 +0200 (MEST)
> >     Date-warning:
> >                 Date header was inserted by smtp02.wxs.nl
> >            From:
> >                 bidconfirm@dingoblue.net.au
> >          Subject:
> >                 eBay Bid Notice - Item 1636080688: SUNBEAM " Tiger "
> > Baujahr 1925 s. Bild
> >      Message-ID:
> >                 <0HHJ00LWQM2QOW@smtp02.wxs.nl>
> >   MIME-version:
> >                 1.0
> >     Content-type:
> >                 multipart/mixed;
> > boundary="Boundary_(ID_3ru05nlkRQHm5Ey0cZafyA)"
> >  X-Mozilla-Status:
> >                 8001
> >
> >
> >
> >
> > Thank you for bidding in the Auto and Motorrad:Automobilia:Bilder and
> > Pos=
> > ter category, rootesholland!
> >
> > We appreciate the trading you do on eBay and want to confirm the details
> > =
> > of your bid.
> >
> > Item name:              SUNBEAM " Tiger " Baujahr 1925 s. Bild
> > Item number:            1636080688
> > Your current bid:       DM 2.00
> > Your maximum bid:       DM 15.00
> > End date:               Sep-14-01 09:04:50 PDT
> > Current price:          DM 2.00
> >
> > To v
> >
> >
> >
> >
> > This file: "AcroReader51_NLD_full.exe.pif" was infected with:
> > "W32.Bugbear.B@mm" virus.
> >
> > The file was deleted by Norton AntiVirus. Saturday, July 05, 2003  05:39
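
The double-extension naming described in this message (AcroReader51_NLD_full.exe.pif, mycar.jpg.pif) can be checked for before an attachment ever reaches a user. The following is an added example, not part of the original post; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list of extensions that Windows runs directly; extend for your environment.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Assumed list of extensions a reader takes for the "real" type when the last one is hidden.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "zip", "mp3", "exe"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows drops trailing dots and spaces, so "x.pif. " still opens as a .pif.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan_message(raw_bytes):
    """Return (filename, verdict) for every attachment that is not 'ok'."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and classify_filename(name) != "ok":
            findings.append((name, classify_filename(name)))
    return findings

def build_sample():
    """Constructed test message: placeholder bytes, filenames taken from the thread."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for fname in ("AcroReader51_NLD_full.exe.pif", "mycar.jpg.pif", "parts-list.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```
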
