another virus
Vic 970
12-16-2001, 02:57 PM
Just received a suspicious e-mail (subject = re: )
Details: -
--------------------------
X-From_: pat.eaton3@virgin.net Sun Dec 16 11:07:00 2001
Envelope-to: vic@revi.fsnet.co.uk
Delivery-date: Sun, 16 Dec 2001 11:07:00 +0000
Received: from [128.242.207.107] (helo=linux1587.dn.net)
by imailg1b.svr.pol.co.uk with esmtp (Exim 3.33 #1)
id 16FZ8F-0005Qj-00
for vic@revi.fsnet.co.uk; Sun, 16 Dec 2001 11:06:59 +0000
Received: from [62.253.164.43] (helo=mta3-svc.virgin.net)
by linux1587.dn.net with esmtp (Exim 3.22 #2)
id 16FYwn-0008RC-00
for vic@revi.co.uk; Sun, 16 Dec 2001 05:55:09 -0500
Received: from aol.com ([62.252.68.74]) by mta3-svc.virgin.net
(InterMail vM.4.01.02.27 201-229-119-110) with SMTP
id <20011216110645.QTVX6091.mta3-svc.virgin.net@aol.com>
for <vic@revi.co.uk>; Sun, 16 Dec 2001 11:06:45 +0000
From: "Pat Eaton" <_pat.eaton3@virgin.net>
To: vic@revi.co.uk
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <20011216110645.QTVX6091.mta3-svc.virgin.net@aol.com>
Date: Sun, 16 Dec 2001 11:06:58 +0000
--------------------------------------
Note the underscore at 'from'
How do I determine if this contains a virus? There is no mention of an attachment. But it has familiarities to the others which infected my machine, & from what I've read it appears that some become active upon viewing.
------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"
Regards..,
Vic.
TVC15
12-16-2001, 04:08 PM
Looks like the badtrans virus to me. What was the size of the email? If it was around the 40K mark then it is highly likely to be badtrans.
I'm sure this has been discussed before on here, but if you want to protect yourself against worms or viruses which execute their payload simply by being previewed in Outlook/Outlook Express then you need to upgrade your browser to either I.E 5.5 (SP2) or I.E 6.
------------------
Up every evening 'bout half eight or nine,
I give my complete attention to a very good friend of mine.
Vic 970
12-16-2001, 04:45 PM
Yes, I had the Badtrans a couple of weeks ago, which is what made me suspicious. Don't know the size, how do I establish that?
I haven't opened it. I have put it in my 'infected' folder. Is there anything special about that folder ? I can't find any info on it.
I am using IE6.
------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"
Regards..,
Vic.
Paul Komski
12-16-2001, 05:18 PM
Hi Vic. The underscore makes it look like BadTrans but the absence of an attachment makes it not look like it. Do you have A/V running and, if so, could it have stripped-off the attachment and put just the eMail in your infected folder?
I had thought that previewing/viewing in effect just opened the attachment (and thereby the virus); others may be able to confirm this or elaborate on the detail.
Good Luck.
------------------
Take nice care of yourselves - Paul
Vic 970
12-16-2001, 05:47 PM
Hi Paul,
------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"
Regards..,
Vic.
Vic 970
12-16-2001, 05:58 PM
Hi Paul,
The others that I received didn't show an attachment, but I got a dialogue box when I opened them. I 'sort of accidentally' clicked the box which released the virus. But I've read a lot since then & it seems that some variations can become active just by viewing the e-mail, which is why I haven't opened it.
I have PC-cillin running (did have McAfee as well but it went down yesterday, & I had to re-install windows last night) (then got the e-mail this morning !!!!!!)
Don't know if PC-cillin has done anything (it's bang up to date as of last night) but I think it's IE6 that brings up the box, which is 'supposed' to protect the system.
It came to my 'inbox' & I transferred it to 'infected' folder. Don't know whether or not that is encrypted as I cannot find any info.
I am holding it for now to see if I can find any further info. & will probably end up deleting it without opening.
------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"
Regards..,
Vic.
Paul Komski
12-16-2001, 06:28 PM
Vic, believe me I can fully understand any paranoia after the bad times you have had with your websites etc. I have never seen or used IE6.0 - so there I go shooting in the dark! I just had a peep at the Newsgroup MSN.News.Microsoft - Microsoft.public.windows.internetexplorer.ie6_outlookexpress and the following quote was all news to me! LOL But may make sense to you.
...Sure, sorry if I skipped some detail. Click Tools|Options|Security and
put a check mark for "Do not allow attachments to be saved or opened
that could potentially be a virus." That protects you against ALL
viruses in attachments because it prevents you from doing anything at
all with ALL attachments. If you receive a message that has an
attachment you want, just go back to Tools|Options|Security and remove
the checkmark. Then re-open the message with the attachment and save the
attachment to disk, scan it with your anti-virus software, and then do
what you want with it. Then return to Tools|Options|Security and turn
the block on again.
Happy disinfecting/deleting.
------------------
Take nice care of yourselves - Paul
Paleo Pete
12-16-2001, 11:05 PM
Subject line Re: sure makes it look like Badtrans, I got about 10 of them not long ago. Fortunately none managed to install, and I've formatted and reinstalled since then to deal with other problems.
Right click the email and click Properties, then the Details tab. At bottom right you'll see a button that says Message Source. Click that button and you can read the email in text form without actually opening it.
Look just below the headers and you should see a section with HTML code, and if it has an attachment it should also have the filename, which usually has a dual extension. pic.jpg.scr would be an example, while a normal picture file would be pic.jpg.
TIP: Some viruses like Badtrans can execute when viewing the message in the Preview Pane or by opening the email itself, rather than the attachment. To prevent this the best idea is to turn the preview pane off. In OE go to View\Layout and in the bottom half of the box UNCHECK the box before the line that says "Show Preview Pane". Then you have to actually open the email or run the attachment to execute it, but you can safely check Properties\Details and Message Source also if it's a suspicious email.
I know many of you are already aware of this, and how to do it, but we have new people here all the time who may not...I thought it might be a good idea to post it again for their benefit.
Another side note, I got one a few days ago with an attachment that had a filename Dc19.exe and can't find out anything about it. McAfee never answered me, and I can't find a thing about it on the net. Watch for it, I'm suspicious of it but can find no proof it's anything unfriendly.
------------------
Support the right to keep and arm bears.
Note: Please post your questions on the forums, not in my email.
Computer Information Links (http://www.dreamwater.com/paleopete/computer.htm) has been moved, please update your bookmarks.
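The message-source check described in the post above (read the raw source, look for an attachment filename with a dual extension) can also be done with a short script. This is an added example, not part of the original thread; the function name `inspect_source`, the extension list and the sample message are constructed for illustration.

```python
import email
from email import policy
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (short illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".com", ".bat", ".vbs"}

def inspect_source(raw_bytes):
    """Parse raw message source without rendering it. Flags a From address that
    starts with an underscore (as noted in the thread) and executable attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    sender = msg["From"]
    for addr in (sender.addresses if sender else ()):
        if addr.username.startswith("_"):
            findings.append(("From", addr.addr_spec, "leading underscore"))
    for part in msg.walk():
        name = part.get_filename()
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes] if name else []
        if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
            reason = "double extension" if len(suffixes) > 1 else "executable"
            findings.append(("attachment", name, reason))
    return findings

# Constructed sample message (not the e-mail from the thread).
SAMPLE = b"""\
From: "Sender" <_sender@example.com>
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html

<html><body></body></html>
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="pic.jpg.scr"

(data)
--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="pic.jpg"

(data)
--BOUND--
"""

if __name__ == "__main__":
    print(*inspect_source(SAMPLE), sep="\n")
```

The script only parses the saved source as text; nothing in the message is rendered or executed.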
Vic 970
12-17-2001, 06:30 PM
Thanks all, BUT,
I'm using Outlook Not Outlook Express.
Paul: Option in Outlook is...,
High: (recommended All Users)
You are warned of security problems, You can choose whether or not to view potentially unsafe attachments or links.
(Which is what it is set at)
----------------------------------
Pete: No Properties tab, only options (which gives the details I have listed) Layout is different also, each folder can be set up differently, I have 'Inbox' & 'Infected' NOT to show preview pane.
----------------------------------
I cannot find a way to 'read' any of this without opening (which I don't intend to do)
By the way I have just received Snow White again for the umpteenth time !!!! re-emerged after many weeks. !!
------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"
Regards..,
Vic.
Paul Komski
12-17-2001, 06:53 PM
aaaah! I haven't used Outlook for ages. Which version are you using?
------------------
Take nice care of yourselves - Paul
Paul Komski
12-17-2001, 08:27 PM
Two long-shots that might explain the "absence" of an attachment.
(1) E-mail Contains Text Instead of Attachment - This problem may occur when there is a mismatch in encoding types between the sending e-mail client and the receiving e-mail client (Outlook) MKB(Q171436) (http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q171436) i.e. Was there a lot of encoded stuff in the message source or did you show it all in your original post?
(2) E-Mail File Attachments Display as Empty Outlined Box MKB(Q170954) (http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q170954)
Also, is your "infected" folder a standalone part of your A/V or is your A/V actually integrated into Outlook (which McAfee, for one, can do).
By the way, what made you suspicious of the eMail in the first place or do you carefully read each message source!! Happy hunting.
------------------
Take nice care of yourselves - Paul
ranchdog
12-17-2001, 08:45 PM
I treat anything that comes as .exe as a Virus.
Has to be executable for a reason.
It's gotten so bad, now you can't trust any attachment not to be a Virus. The way this stuff will attach itself to someone's outgoing e-mail. And the sender doesn't know it happened. Could be innocent mail from Grannie.
See where four teenagers were busted for the Goner Virus.
RD
------------------
....How long is a minute... depends on which side of the Bathroom door you're on. ......Indecision may or may not be my problem......
..........
Vic 970
12-18-2001, 05:01 PM
Thanks for the links Paul, they seem logical, but they both refer to Outlook 97 & I'm using 2000. Also the second link regards Word as the e-mail editor, which I'm Not using.
The 'infected' folder (I believe) is part of Outlook (though not sure), I did have McAfee up until recently, but after updating it the other night both McAfee & windows went corrupt. I re-installed windows (took the opportunity to put w98se in. instead of prev w98) but didn't re-install 98 plus (which contained McAfee) I still have PC-cillin in there though.
The only reason I became suspicious of this e-mail was the title (re:)
By the way. I did not do a complete 'clean' install, as I figured if I did I would probably get hit by another virus !!!!!! BUT, since the re-install I could access my websites again. (hope I'm not speaking too soon here, but so far so good.)
I was wondering whether to export these e-mails to O express (which I don't use) just so that I can read them, but cowardice has got the better of me at the moment.
------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"
Regards..,
Vic.
Paul Komski
12-18-2001, 08:36 PM
Vic, when my sister gets something "suspicious" I get her to just forward it to me and then I scan it and take a peep at its "contents/message source". So instead of exporting, how about forwarding it to yourself and then use OE to collect your mail. Or you could forward it to a Hotmail/Webmail account and take a look at it there. I always run a Hotmail account just for testing things out, etc., but don't have it setup inside OE.
Personally I always found Outlook more "messy" than OE for straightforward eMails (though it was nice to be able to delete messages on the server without downloading them) but then I'm not on a LAN and I keep all my contact details, etc on my own access database.
I read about another "trick" of sending/forwarding an email to a non-existent eMail address, and then (when it gets returned) any HTML content may have been converted to text - but don't quote me on this - and I haven't tried it out; (yet! HeHe).
Good Luck (and is it safe to go back and learn how to make a bowline???)
------------------
Take nice care of yourselves - Paul
Vic 970
12-19-2001, 05:25 PM
Hi Paul,
When I tried to fwd 're:' I got the attachment dialogue box "_doc.DOC.scr" I was convinced enough & deleted it, I fwd 'Snow White' but I've no doubts about that one anyway, couldn't get any info by right clicking, just came back "no info available" it's still in my hotmail account unopened, should I just delete it or is there a way I can read it without risk ?
Yes, I think it's safe to go back & practice your bowline, there are several ways to do it, my preferred method takes me about 2.5 secs, but another method which I use takes about Half a second.
I have tied several in Howth, Dunlagourie (probably not spelt that right) Wexford & Whitlow. (having sailed across the Irish Sea several times)
My son did some enquiries a few years ago, and apparently my ancestry is from Ireland. Also my wife is from Dublin.
------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"
Regards..,
Vic.
Paul Komski
12-19-2001, 07:32 PM
That seems to confirm it's BadTrans - so I wouldn't worry about the contents - time to get burning the old rubbish!!!
I hear the bowline is good for hauling tree trunks, which is why I want to learn it. I did a bit of Laser sailing in NZ and a little in dinghy here on lakes in Ireland when I was a child, but that's about it. I've crossed the Irish Sea a number of times - but only by air or on a ferry!
Best regards - (Irish ancestry is no surprise - The genes are global)
------------------
Take nice care of yourselves - Paul
Vic 970
12-20-2001, 03:24 PM
Wouldn't use a bowline myself for hauling timber, I would prefer to use either a timber hitch or a rolling hitch, or even round turn & 2 half hitches,
But a Bowline is a useful knot to have to hand, particularly if you progress to a double bowline, bowline on a bight & rolling bowline, which are used in rescue operations amongst others.
Practice a bowline & try it you will find lots of uses for it, also try the timber hitch which is very easy.
------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"
Regards..,
Vic.
Paul Komski
12-20-2001, 04:30 PM
Hi again!
The main function of such a knot for me (round the farm) is to have one that can be easily undone again (a bit like restoring one's registry!) which the bowline is - or so my nephew tells me. I have a little "rope trick" of my own, which I learned from an old man, and that is how to make a head-halter for a bull - takes 2 seconds too - using a rope with no knots or ties at all!!
------------------
Take nice care of yourselves - Paul
Vic 970
12-21-2001, 02:38 PM
Correct, the Bowline is easily undone, & as I said you will never regret learning it. The Timber Hitch is also easily undone & the advantage is that it tightens on the log when drawn.
Pass the Bitter End of the rope over the Standing Part, folding back onto itself, take several turns (4 or 5 usually) & you're done.
I think I've seen your rope trick quite a while ago, I'll have to have a practice (think I'll find something a little more reliable than a bull though !!)
------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"
Regards..,
Vic.