
[Fwd: HOL AntiVirus scan results]

Started by Jerry Avins September 19, 2003
I got this and assume that it's genuine. I've gotten about 1200 such
virus attacks in the past 24 hours. Some were purged in transit, most
blocked by ieee, a few by my incoming inspection, and about three, most
of them 1000 ago, got through but weren't opened. I just got another
like that, but I haven't loaded a new dat file in the past two hours.

Does anyone know what's happening?

Jerry

-------- Original Message --------
From: - Fri Sep 19 18:06:01 2003
X-UIDL: 1037656014.9930
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <HOL_Virus_Alert@logos.hol.gr>
Received: from 207.172.4.20 (207.172.4.20 [207.172.4.20]) by ms01.mrf.mail.rcn.net (Mirapoint Messaging Server MOS 3.2.2-GA FastPath) with ESMTP id DRV11167; Fri, 19 Sep 2003 17:08:18 -0400 (EDT)
Received: from mx05.mrf.mail.rcn.net (mx05.mrf.mail.rcn.net [207.172.4.54]) by mr01.mrf.mail.rcn.net (Mirapoint Messaging Server MOS 3.2.2-GA) with ESMTP id EGZ23260; Fri, 19 Sep 2003 17:07:58 -0400 (EDT)
Received: from listserv.ieee.org ([140.98.193.23] helo=engine.ieee.org) by mx05.mrf.mail.rcn.net with esmtp (Exim 3.35 #7) id 1A0STv-0001XQ-00 for jyavins@erols.com; Fri, 19 Sep 2003 17:07:59 -0400
Received: from orion3.ieee.org (gemini3.ieee.org [140.98.193.188]) by engine.ieee.org (Switch-3.1.2/Switch-3.1.2) with ESMTP id h8JL4x0Y010494; Fri, 19 Sep 2003 17:04:59 -0400 (EDT)
Received: from logos.hol.gr (logos.hol.gr [194.30.192.15]) by orion3.ieee.org (Switch-2.2.8/Switch-2.2.8) with ESMTP id h8JL7km28711; Fri, 19 Sep 2003 17:07:47 -0400 (EDT)
Received: from logos.hol.gr (kosmos.mail.dc.hol.net [192.168.20.32]) by logos.hol.gr (8.11.6/8.11.6) with SMTP id h8JL7AE29301; Sat, 20 Sep 2003 00:07:10 +0300
From: HOL_Virus_Alert@hol.gr
Message-Id: <200309192107.h8JL7AE29301@logos.hol.gr>
To: nikoskj@hol.gr
Cc: comp-dsp-faq@bdti.com
Cc: lukin@ixbt.com
Cc: xguy@hotmall.com
Cc: beihai@hotmail.com
Cc: oen_br@yahoo.com.br
Cc: an2or@mailcircuit.com
Cc: rkrishnan@ti.com
Cc: fmarshallx@remove_the_x.acm.org
Cc: eng_ak@link.net
Cc: sholle@link-comm.com
Cc: vlv@abvolt.com
Cc: santosh.nath@ntlworld.com
Cc: bg_ie@yahoo.com
Cc: jya@ieee.org
Cc: jhonyl@netscape.net
Cc: adsp40.rem0ve-th1s@yahoo.co.uk
Cc: rbj@surfglobal.net
Cc: parlous@hotmail.com
Cc: yates@ieee.org
Cc: steveu@coppice.org
Cc: suma_kin@yahoo.com
Cc: sumit_thatte@yahoo.com
Cc: gcouriot@free.fr
Cc: h2vic@yahoo.com
Cc: robert@suesound.co.za
Cc: ian_buckner@agilent.com
Cc: porterboy76@yahoo.com
Cc: fonzarelli@bonbon.net
Cc: vimal_bhatia2@yahoo.com
Cc: dsp@danvillesignal.com
Subject: HOL AntiVirus scan results
Date: Sat, 20 Sep 2003 00:07:10 +0300
Importance: high
X-Priority: 1
X-Mailer: ravmd/8.3.2


RAV AntiVirus for Linux i686 version: 8.3.2 (snapshot-20020108)

-----------------------
  HOL Antivirus results
-----------------------

The file (part0000:)->(IFRAME0000) attached to mail (with subject: Error
Announcement) sent by nikoskj@hol.gr to comp-dsp-faq@bdti.com,
lukin@ixbt.com, xguy@hotmall.com, beihai@hotmail.com,
oen_br@yahoo.com.br, an2or@mailcircuit.com, rkrishnan@ti.com,
fmarshallx@remove_the_x.acm.org, eng_ak@link.net, sholle@link-comm.com,
vlv@abvolt.com, santosh.nath@ntlworld.com, bg_ie@yahoo.com,
jya@ieee.org, jhonyl@netscape.net, adsp40.rem0ve-th1s@yahoo.co.uk,
rbj@surfglobal.net, parlous@hotmail.com, yates@ieee.org,
steveu@coppice.org, suma_kin@yahoo.com, sumit_thatte@yahoo.com,
gcouriot@free.fr, h2vic@yahoo.com, robert@suesound.co.za,
ian_buckner@agilent.com, porterboy76@yahoo.com, fonzarelli@bonbon.net,
vimal_bhatia2@yahoo.com, dsp@danvillesignal.com,
is infected with virus: HTML/IFrame_Exploit*.
Cannot clean this file.
The file was successfully deleted by HOL AntiVirus.
The file (part0001:cdmqltc.exe) attached to mail (with subject: Error
Announcement) sent by nikoskj@hol.gr to comp-dsp-faq@bdti.com,
lukin@ixbt.com, xguy@hotmall.com, beihai@hotmail.com,
oen_br@yahoo.com.br, an2or@mailcircuit.com, rkrishnan@ti.com,
fmarshallx@remove_the_x.acm.org, eng_ak@link.net, sholle@link-comm.com,
vlv@abvolt.com, santosh.nath@ntlworld.com, bg_ie@yahoo.com,
jya@ieee.org, jhonyl@netscape.net, adsp40.rem0ve-th1s@yahoo.co.uk,
rbj@surfglobal.net, parlous@hotmail.com, yates@ieee.org,
steveu@coppice.org, suma_kin@yahoo.com, sumit_thatte@yahoo.com,
gcouriot@free.fr, h2vic@yahoo.com, robert@suesound.co.za,
ian_buckner@agilent.com, porterboy76@yahoo.com, fonzarelli@bonbon.net,
vimal_bhatia2@yahoo.com, dsp@danvillesignal.com,
is infected with virus: Win32/NewMalware.gen!.
Cannot clean this file.
The file was successfully deleted by HOL AntiVirus.
------------------------
this is a copy of the e-mail header:

--
Engineering is the art of making what you want from things you can get.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Jerry Avins wrote:

> I got this and assume that it's genuine. I've gotten about 1200 such
> virus attacks in the past 24 hours. Some were purged in transit, most
> blocked by ieee, a few by my incoming inspection, and about three, most
> of them 1000 ago, got through but weren't opened. I just got another
> like that, but I haven't loaded a new dat file in the past two hours.
>
> Does anyone know what's happening?

It's a YAMEW (Yet Another Microsoft Email Worm). I got about 20 before I
reconfigured my spam filter to delete them.

Erik
--
+-----------------------------------------------------------+
  Erik de Castro Lopo  nospam@mega-nerd.com (Yes it's valid)
+-----------------------------------------------------------+
"I'm not proud .... We really haven't done everything we could to
protect our customers ... Our products just aren't engineered for
security." -- Brian Valentine, Senior Vice President of Microsoft's
Windows development team
Erik de Castro Lopo wrote:

> Jerry Avins wrote:
>
>> I got this and assume that it's genuine. I've gotten about 1200 such
>> virus attacks in the past 24 hours. Some were purged in transit, most
>> blocked by ieee, a few by my incoming inspection, and about three, most
>> of them 1000 ago, got through but weren't opened. I just got another
>> like that, but I haven't loaded a new dat file in the past two hours.
>>
>> Does anyone know what's happening?
>
> It's a YAMEW (Yet Another Microsoft Email Worm).
>
> I got about 20 before I reconfigured my spam filter to delete
> them.
>
> Erik

Erik,

They're still coming at around 40 an hour. How do I block them in
Netscape without blocking some group mailings I'm happy to get? I'm
leery about going to sleep!

Jerry
--
Engineering is the art of making what you want from things you can get.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Jerry,

I'm receiving a lot of mails saying things like "microsoft security
patch", etc. But I'm now filtering them with a program based on ANN and
pattern recognition techniques. I'm not sure it works with Netscape, but it
does with Outlook; the program is located at http://mail.giantcompany.com/ .
I think it is the best program I've encountered so far that deals with
unwanted mail.

Horacio.

"Jerry Avins" <jya@ieee.org> wrote in message
news:bkghmt$mg5$1@bob.news.rcn.net...
> Erik de Castro Lopo wrote:
>
>> Jerry Avins wrote:
>>
>>> I got this and assume that it's genuine. I've gotten about 1200 such
>>> virus attacks in the past 24 hours. Some were purged in transit, most
>>> blocked by ieee, a few by my incoming inspection, and about three, most
>>> of them 1000 ago, got through but weren't opened. I just got another
>>> like that, but I haven't loaded a new dat file in the past two hours.
>>>
>>> Does anyone know what's happening?
>>
>> It's a YAMEW (Yet Another Microsoft Email Worm).
>>
>> I got about 20 before I reconfigured my spam filter to delete
>> them.
>>
>> Erik
>
> Erik,
>
> They're still coming at around 40 an hour. How do I block them in
> Netscape without blocking some group mailings I'm happy to get? I'm
> leery about going to sleep!
>
> Jerry
> --
> Engineering is the art of making what you want from things you can get.
Jerry Avins wrote:

> Erik,
>
> They're still coming at around 40 an hour. How do I block them in
> Netscape without blocking some group mailings I'm happy to get? I'm
> leery about going to sleep!

Well I've got a highly customized, rather specific solution that
requires Linux. My guess is that this will not help your situation.

Maybe you could contact your ISP because they should be able to block
them en-masse.

Erik
--
+-----------------------------------------------------------+
  Erik de Castro Lopo  nospam@mega-nerd.com (Yes it's valid)
+-----------------------------------------------------------+
"An older MS internal whitepaper from August 2000 on switching Hotmail,
which MS acquired in 1997, from front-end servers running FreeBSD and
back-end database servers running Solaris to a whole farm running Win2K,
reads like a veritable sales brochure for UNIX"
-- http://www.theregister.co.uk/content/4/28226.html
"Erik de Castro Lopo" <nospam@mega-nerd.com> wrote in message
news:3F6BD528.BD3FC784@mega-nerd.com...
> Jerry Avins wrote:
>
>> Erik,
>>
>> They're still coming at around 40 an hour. How do I block them in
>> Netscape without blocking some group mailings I'm happy to get? I'm
>> leery about going to sleep!
>
> Well I've got a highly customized, rather specific solution
> that requires Linux. My guess is that this will not help
> your situation.
>
> Maybe you could contact your ISP because they should be able to
> block them en-masse.
>

Unless your ISP is like mine and charges for mail filtering: $5 per month
per account. And the filtering tends to delete quite a few good messages.
I've just been using MailWasher to delete them.

Alex
Thanks, everyone. I posted the message here because many on its
recipient list frequent comp.dsp.

Jerry
--
Engineering is the art of making what you want from things you can get.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Alex Gibson wrote:

> "Erik de Castro Lopo" <nospam@mega-nerd.com> wrote in message
> news:3F6BD528.BD3FC784@mega-nerd.com...
>
>> Jerry Avins wrote:
>>
>
"Jerry Avins" <jya@ieee.org> wrote in message
news:bkhmro$i44$1@bob.news.rcn.net...
> Thanks, everyone. I posted the message here because many on its
> recipient list frequent comp.dsp.
>
> Jerry
> --
> Engineering is the art of making what you want from things you can
> get.
>
> Alex Gibson wrote:
>
>> "Erik de Castro Lopo" <nospam@mega-nerd.com> wrote in message
>> news:3F6BD528.BD3FC784@mega-nerd.com...
>>
>>> Jerry Avins wrote:
>>>
>>

I also got "bombed" on Friday, about 8-900 messages with attachments,
mostly from "microsoft...", "internet...", etc. They were arriving at
around 10 second intervals, so I was expecting a real mess when I got in
this morning. I flagged it to our IT, and they seem to have fixed it.

I saw somewhere a statement from Microsoft that they never e-mail
patches, so any message claiming to be from them is bogus.

Regards

Ian
I think it is mostly hitting people either from comp.dsp or with
ieee.org addresses.  Perhaps it's just hitting newsgroup mail
addresses at random and ours happened to come up.

My McAfee reports that it's filtered 5362 files since Friday (yeah,
I'm getting bombed as heavily as Jerry), 49 of which had infected
files.  In other words, the ieee filter caught the majority of them,
but a few still got through.  My machine was infected briefly on
Friday (I think), but I ran the AV at full tilt and things seem to be
okay on this end.

A good fraction of the bomb traffic does seem to be reports of failed
or returned mail, although I suspect that that is just part of the
virus strategy and does not necessarily indicate that my machine is
infected.  I've run the AV system scan manually several times since
Friday to make sure this thing stays clean, but it's definitely a
problem keeping up.

I sent a note to the IEEE virus administrator, but I suspect that
they're aware of the situation and on top of it.

Sort of glad to hear I'm not the only one...  :(

Cheers,

Eric

On Sat, 20 Sep 2003 10:05:40 -0400, Jerry Avins <jya@ieee.org> wrote:

> Thanks, everyone. I posted the message here because many on its
> recipient list frequent comp.dsp.
>
> Jerry
> --
> Engineering is the art of making what you want from things you can get.
>
> Alex Gibson wrote:
>
>> "Erik de Castro Lopo" <nospam@mega-nerd.com> wrote in message
>> news:3F6BD528.BD3FC784@mega-nerd.com...
>>
>>> Jerry Avins wrote:
>>>
>>

Eric Jacobsen
Minister of Algorithms, Intel Corp.
My opinions may not be Intel's opinions.
http://www.ericjacobsen.org
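Three observations in this thread amount to a usable mail filter: Jerry wants to drop the worm traffic without losing the group mailings he subscribes to, Ian points out that Microsoft never e-mails patches, and Eric notes that many of the "failed mail" notices are themselves worm traffic. The Python below is an added example, not code from the thread, from HOL or from any poster's own filter. It applies those observations as heuristics to messages built with the standard library `email` package. Everything in it is constructed except two values taken from the HOL report above: the attachment name `cdmqltc.exe` and the subject "Error Announcement". The addresses, the `.pif` bounce sample, the word lists and the extension list are all assumptions.

```python
"""Heuristic classifier for worm-style mail of the kind discussed in the thread.

Added example; not the thread's, HOL's or any poster's code. Sample messages
are constructed; only cdmqltc.exe and "Error Announcement" come from the page.
"""
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (assumption: illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)
PATCH_WORDS = ("patch", "update", "security")          # lure subjects (assumed list)
BOUNCE_WORDS = ("failed", "returned", "undeliverable", "error")  # DSN-like subjects


def executable_attachments(msg):
    """Names of attached files whose extension Windows would execute."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            names.append(name)
    return names


def has_iframe(msg):
    """True if any text/html part embeds an <iframe> (the HTML/IFrame_Exploit pattern)."""
    return any(part.get_content_type() == "text/html"
               and IFRAME_RE.search(part.get_content())
               for part in msg.walk())


def classify(msg):
    """Return the reasons a message looks like worm traffic; an empty list means it passes."""
    reasons = []
    subject = (msg.get("Subject") or "").lower()
    sender = (msg.get("From") or "").lower()
    exes = executable_attachments(msg)
    if exes:
        reasons.append("executable attachment: " + ", ".join(exes))
    if has_iframe(msg):
        reasons.append("HTML part contains an <iframe>")
    # Vendors do not distribute patches by e-mail, so a "Microsoft" sender plus a
    # patch-like subject is a signal on its own, attachment or not.
    if "microsoft" in sender and any(w in subject for w in PATCH_WORDS):
        reasons.append("claims to be a Microsoft patch mailing")
    # A bounce notice never carries an executable; one that does is worm traffic,
    # not evidence that the recipient's own machine sent anything.
    if exes and any(w in subject for w in BOUNCE_WORDS):
        reasons.append("bounce notice carrying an executable")
    return reasons


def classify_raw(text):
    """Same check over a raw RFC 822 message string, e.g. one pulled from a mailbox."""
    return classify(message_from_string(text, policy=policy.default))


def build_iframe_exe_sample():
    """Constructed stand-in for the "Error Announcement" mail the HOL report describes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"                # constructed address
    msg["To"] = "list-member@example.invalid"
    msg["Subject"] = "Error Announcement"
    msg.set_content("See the attached file.")
    msg.add_alternative('<html><body><IFRAME src="cid:part0001"></IFRAME></body></html>',
                        subtype="html")
    msg.add_attachment(b"MZ-placeholder-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="cdmqltc.exe")
    return msg


def build_patch_lure_sample():
    """Constructed "Microsoft security patch" lure with a double-extension executable."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security Center <support@example.invalid>"  # spoofed name
    msg["To"] = "list-member@example.invalid"
    msg["Subject"] = "Microsoft security patch"
    msg.set_content("Install the attached cumulative update.")
    msg.add_attachment(b"MZ-placeholder-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="patch.txt.exe")
    return msg


def build_list_sample():
    """Constructed plain-text group mailing that must NOT be blocked."""
    msg = EmailMessage()
    msg["From"] = "comp-dsp-digest@example.invalid"
    msg["To"] = "list-member@example.invalid"
    msg["Subject"] = "comp.dsp digest, volume 12"
    msg["List-Id"] = "<comp-dsp.example.invalid>"
    msg.set_content("Today's topics: windowing, decimation filters.")
    return msg


# Constructed raw message: a fake delivery failure carrying a .pif attachment.
BOUNCE_RAW = """From: "Internet Support" <support@example.invalid>
To: list-member@example.invalid
Subject: Returned mail: see transcript
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: application/octet-stream; name="report.pif"
Content-Disposition: attachment; filename="report.pif"

placeholder
--b1--
"""

if __name__ == "__main__":
    for build in (build_iframe_exe_sample, build_patch_lure_sample, build_list_sample):
        print(build.__name__, "->", classify(build()) or "pass")
    print("BOUNCE_RAW ->", classify_raw(BOUNCE_RAW))
```

The digest message passes with no reasons because none of the checks depend on the sender being on a list: a legitimate group mailing has no executable attachment, no inline frame and no vendor-patch claim, which is what lets the filter answer Jerry's concern about not blocking mail he wants. The checks are independent, so a message can collect several reasons (the "Error Announcement" sample trips three), which is useful when reviewing what a filter quarantined.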
Eric Jacobsen wrote:

> I think it is mostly hitting people either from comp.dsp or with
> ieee.org addresses. Perhaps it's just hitting newsgroup mail
> addresses at random and ours happened to come up.
>
> My McAfee reports that it's filtered 5362 files since Friday (yeah,
> I'm getting bombed as heavily as Jerry), 49 of which had infected
> files. In other words, the ieee filter caught the majority of them,
> but a few still got through. My machine was infected briefly on
> Friday (I think), but I ran the AV at full tilt and things seem to be
> okay on this end.
>
> A good fraction of the bomb traffic does seem to be reports of failed
> or returned mail, although I suspect that that is just part of the
> virus strategy and does not necessarily indicate that my machine is
> infected. I've run the AV system scan manually several times since
> Friday to make sure this thing stays clean, but it's definitely a
> problem keeping up.
>
> I sent a note to the IEEE virus administrator, but I suspect that
> they're aware of the situation and on top of it.
>
> Sort of glad to hear I'm not the only one... :(
>
> Cheers,
>
> Eric

I got a new variety about an hour ago that had the same form as many of
the "we cleaned up a virus by deleting the file" reports, but this one
claimed to have cleaned it successfully and so not deleted it. The
message bore no ISP's name nor the name of the software. Neither omission
is normal, so I bet it was infected. I saved one that got through
yesterday, but today the scanner flagged it.

All this could easily be stopped by ISPs if they chose to. Spam too, but
that's a little more complicated. They don't want to hear it.

Jerry
--
Engineering is the art of making what you want from things you can get.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯