Possible Virus Alert

PhilO · June 23, 2002, 4:41pm

I received an e-mail from Stephenpower2@eircom.net with a README.MP3.scr download yesterday, and thinking (not thinking actually)quickly that I recognized this as from Steve at Shanna Quay, I tried to open it. The real Steve later alerted re non-authentic message. Also, I received e-mail from a fellow member asking whether to open e-mail purportedly from me - this must be a virus, as I did not send the e-mail. Please do not open any e-mails from me at this time; I am only posting to the Board. Regards to all, Philo

avanutria · June 23, 2002, 6:16pm

As a general rule, don’t open any received file with two periods in it, as this often indicates a disguised file of some sort. The .scr is a screensaver extension which (as I understand it) is used by viruses as an excecutable file.

peeplj · June 23, 2002, 6:16pm

This looks like W32/Badtrans-B, a common worm.

Info is at

http://www.sophos.com/virusinfo/analyses/w32badtransb.html

Removal instructions and a link to a removal tool at

http://www.sophos.com/support/faqs/w32badtransb.html

Best wishes,

–James
http://www.flutesite.com

StevePower · June 23, 2002, 6:18pm

I was alerted that an e-mail with the address stevepower2 (not sure where ‘at’) was being sent around with a virus. I never had a ‘stevepower2’ address - and so it is obviously some sort of malicious hoax.

If it is from an ‘eircom.net’ address, then the hoax is being perpetrated from Ireland, but I’m not sure about this.

I do have a ‘stephenpower1@eircom.net’ address, but don’t use it for business. All Steve@shannaquay, and @shannaquay.com addresses are safe.

Maybe it’s a jealous rival. Sorry if anyone got caught by this - but it really is nothing to do with me directly.

Steve

carrie · June 23, 2002, 6:49pm

I’m the person (possibly among many) who received the suspicious e-mail from PhilO. The attached file was called info.DOC.scr. I read the e-mail, which contained html coding, but did not open the attachment.

Just for everybody’s information.

Carol

Wandering_Whistler · June 23, 2002, 6:59pm

actually, the .scr extension usually denotes a SCRipt file, which outlook/express (and a whole host of other microsoft products, like word) can use to run executable content.

On 2002-06-23 14:16, avanutria wrote:
As a general rule, don’t open any received file with two periods in it, as this often indicates a disguised file of some sort. The .scr is a screensaver extension which (as I understand it) is used by viruses as an excecutable file.

John_Allison · June 24, 2002, 2:47am

The .SCR extension is used in Windows to denote a screensaver. It is actually an executable file like the .EXE and .COM files but with a newer, easy to recognize extension. You can usually rename any executable file to .SCR and it will still run properly.

Also beware of any file you get with the .PIF extension. This is also a Windows executable file for running programs under DOS. I’ve encountered it most frequently with supposed MP3 files (ex: Music.MP3.pif) downloaded from websites.

JMcCYoung · June 24, 2002, 3:45am

On 2002-06-23 12:41, PhilO wrote:
I received an e-mail from > Stephenpower2@eircom.net > with a README.MP3.scr download yesterday, and thinking (not thinking actually)quickly that I recognized this as from Steve at Shanna Quay, I tried to open it. The real Steve later alerted re non-authentic message. Also, I received e-mail from a fellow member asking whether to open e-mail purportedly from me - this must be a virus, as I did not send the e-mail. Please do not open any e-mails from me at this time; I am only posting to the Board. Regards to all, Philo

Whatever may be the case with these particular messages, be aware that a bug currently in wide distribution is the Klez worm/virus hybrid (in a number of variants). One feature of Klez is that it forges the From: header, using a random e-mail address from somewhere on the infected computer’s hard drive, and sends it to another address taken from the hard drive. Note that it’s not limited to the address book of an e-mail program; even addresses in cached web pages are eligible for either To: or From: use.

This also means that you can get bounce messages if an infected computer has forged your address as the From: and sent it to an invalid address, even if you are utterly incapable of spreading the infection (e.g., have a Unix or MacOS machine).

I’m getting a few copies a day of the worm, and it’s causing great consternation on the Mediev-l list, including discussion of whether the list should be moderated to prevent the worm being spread via the list.

An interesting article:

http://www.wired.com/news/technology/0,1282,52174,00.html

John

garycrosby · June 24, 2002, 6:28am

The moral of the story (despite some moron possibly trying to slight StevePower) is that anyone who runs Windoze should have a decent virus scanner that is always up-to-date. If you don’t have a virus scanner you will get burned eventually

Wandering_Whistler · June 24, 2002, 12:45pm

whoops..my mistake
I was thinking .sct (windows script component)

On 2002-06-23 22:47, John Allison wrote:
The .SCR extension is used in Windows to denote a screensaver.

Topic		Replies	Views
Possible virus Whistle	10	740	January 6, 2003
VIRUS ALERT Whistle	4	775	October 20, 2002
Virus trouble - not OT Whistle	9	689	September 16, 2002
Chiff & Fipple Community Virus Whistle	11	6981	December 3, 2001
Possible Virus Email circulating Poststructural Pub	9	2785	December 22, 2004
viruswarning Uilleann Pipes	11	6113	December 6, 2001
caution, virus, dale somehow involved Whistle	19	3497	March 5, 2004
But I don't have a virus. Poststructural Pub	15	6171	May 29, 2004

Possible Virus Alert

Related topics