# Virus Warning



## Bob Hubbard (Aug 20, 2003)

Notice:
  Some of our clients are getting bounced messages with something similar to the following as part of the message:



>     This message has been rejected because it has
>     a potentially executable attachment "movie0045.pif"
>     This form of attachment has been used by
>     recent viruses or other malware.
>     If you meant to send this file then please
>     package it up as a zip file and resend it.


This is a result of the recent re-explosion of the W32/Sobig.F-mm email worm.  These messages are safe to delete. DONOT! click on the attachment file!

The short version is, someone who is infected has 'your' address on file.  'Your' here being whoever is getting the bounces.  A careful analysis of the headers will determine the true source of the emails.  Our server is setup to reject certain file types.  .exe .com and .pif are 3 of those types rejected. We also strongly recommend that everyone make sure that their anti virus software is up to date. If your own system is clean, and your anti-virus software is up to date and properly running, you should be safe. Please check with your AVS vendor to verify you are up to date.

More info:
The sender appears to be someone from a recognized domain name, such as ibm.com, zdnet.com or microsoft.com. The subject line typically says "Re: Details," "Resume" or "Thank you." 

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif. 

The virus grabs e-mail addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends e-mails to each one. The virus also forges the source of the message using a randomly selected e-mail address so that the infected message appears to come from someone else. 


This message at Slashdot has more info:
http://slashdot.org/articles/03/08/19/1748206.shtml?tid=109&tid=111&tid=126&tid=128&tid=187

See also here:
http://news.com.com/2100-1002_3-5065494.html

For those interested in digging further, please see here for information on your email client and how to see all the headers:
http://spamcop.net/fom-serve/cache/19.html


----------



## arnisador (Aug 27, 2003)

Our servers at work are being crippled by attacks by virusus (virii?).


----------



## Michael Billings (Aug 28, 2003)

...suffered major problems & sent out bunches (thousands) of infected systems.


----------

