Re: Messed up message
Neil Hodgson <nhodgson <at> bigpond.net.au>
2002-10-04 10:52:05 GMT
Hi Philippe,
> I received a message, seemingly from you, with subject starting as: "Re:
> [scintilla] Re: Re: [ scinti" (the webmail I have to use truncates subjects
> to fit them in the Web page). It seems to have an attached file, the message
> being 69KB.
As best I can tell this is a virus/worm with a forged return address.
Some 'recipients' sent me a notice that I am infected with W32/Bugbear.A@mm
but I just did a scan with a recent (Oct 2) Symantec tool specific to this
virus with no hits. A generic virus scan found nothing active.
My advice is to never open attachments, even from me, if they have no
apparent reason to exist.
It is best to never send attachments to the list. If you want to publish
some code or an image put it on a web server and publish the address. If you
want me to see some code send it only to me (nhodgson <at> bigpond.net.au) rather
than to the list.
> Return-Path: <nhodgson <at> bigpond.net.au>
> X-Flags: 0000
> Delivered-To: GMX delivery to philho <at> gmx.net
> Received: (qmail 29508 invoked by uid 0); 4 Oct 2002 07:35:20 -0000
> Received: from fegkx2.vip.hr (HELO fepkx2.vip.hr) (212.91.98.72)
> by mx0.gmx.net (mx016-rz3) with SMTP; 4 Oct 2002 07:35:20 -0000
> Received: from gogsica-y4482qd ([212.91.103.72]) by fepkx2.vip.hr with SMTP
>   id <20021004073456.GIQN10068.fepkx2 <at> gogsica-y4482qd>;
>   Fri, 4 Oct 2002 09:34:56 +0200
"gogsica" was on the virus report which came (purportedly) from a
net4u.hr address. The address chain does not reveal either a bigpond server
(my normal ISP) or scintilla.org or lyra.org (the host of the Scintilla
mailing lists). Therefore (along with the clean report), I don't think this
was generated by my machine but rather from the host that was complaining
about the virus and that possibly one of the forms of the virus is to appear
in reports about itself like Klez offers Klez removal tools. It looks to me
as though the virus read one of the messages in the "Scrolling long lines"
thread and sent itself to every address in the message. David Ascher
should receive a virus in that case.
The Scintilla mailing lists will not automatically forward messages >
40K, so any message hosting this virus will be reported to me.
Your email which contained parts of the virus triggered further virus
reports because they contained the text of the iframe exploit.
I have disabled mail to one net4u.hr account mentioned in one of the
virus notices.
Neil
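As an added example, not part of Neil's message: a small Python script that does the check he performs by hand above. It parses the quoted Received chain (reconstructed inline with its folded lines restored) oldest hop first and reports whether any relay belongs to the domains genuine mail from the sender would pass through; the domain list and the function names are assumptions of this example.

```python
import re
# Headers constructed for this example from the Received chain quoted in the
# message above, with the folded continuation lines restored.
SAMPLE_HEADERS = """\
Return-Path: <nhodgson@bigpond.net.au>
Received: (qmail 29508 invoked by uid 0); 4 Oct 2002 07:35:20 -0000
Received: from fegkx2.vip.hr (HELO fepkx2.vip.hr) (212.91.98.72)
  by mx0.gmx.net (mx016-rz3) with SMTP; 4 Oct 2002 07:35:20 -0000
Received: from gogsica-y4482qd ([212.91.103.72]) by fepkx2.vip.hr with SMTP
  id <20021004073456.GIQN10068.fepkx2@gogsica-y4482qd>;
  Fri, 4 Oct 2002 09:34:56 +0200
"""
# Relays the sender's genuine mail would pass through (named in the message).
EXPECTED_RELAYS = ("bigpond.net.au", "scintilla.org", "lyra.org")

HOP_RE = re.compile(
    r"from\s+(\S+)(?:\s+\(HELO\s+(\S+)\))?\s*\(\[?([\d.]+)\]?\)\s+by\s+(\S+)")

def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """Hops oldest-first as (claimed host, HELO name, IP, receiving host)."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.search(line) if line.lower().startswith("received:") else None
        if m:  # the qmail-style line with no 'from ... by ...' is skipped
            hops.append((m.group(1), m.group(2) or m.group(1), m.group(3), m.group(4)))
    return hops[::-1]  # each MTA prepends its line, so the last one is hop 1

def in_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def relay_matches(hops, domains):
    """Hosts in the chain that belong to one of the given domains."""
    return [h for hop in hops for h in (hop[0], hop[1], hop[3]) if in_domain(h, domains)]

def origin_consistent(raw):
    """True if an expected relay or the Return-Path domain appears in the chain."""
    m = re.search(r"^Return-Path:\s*<[^@>]+@([^>]+)>", raw, re.M)
    domains = EXPECTED_RELAYS + ((m.group(1),) if m else ())
    return bool(relay_matches(received_hops(raw), domains))
```

For the quoted chain this returns False: the first hop is the gogsica host handing to vip.hr, and neither bigpond nor the list hosts appear anywhere, which is exactly why the Return-Path cannot be trusted.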