Flutterby™! : Yet Another MS Virus


Yet Another MS Virus

2003-09-20 16:25:25.511533+00 by Dan Lyke 9 comments

I mention this because I'm getting a hell of a lot of them, which means that someone with me in their address book is infected: If you get an email message allegedly from Microsoft purporting to be a security update, don't open it. It's a trojan horse. That is all. Thank you.

[ related topics: Microsoft virus moron ]

comments in ascending chronological order:

#Comment Re: Yet Another MS Virus made: 2003-09-20 16:33:48.205429+00 by: Mars Saxman

I think several infected somebodies must have me in their address books, since close to half of the mail I've been getting for the last three days consists of these "security updates", "last internet patches", "failure notices", and the rest of 'em. It's only my work account, too, and every blasted one of 'em has a 150k attachment...

-Mars

#Comment Re: Yet Another MS Virus made: 2003-09-20 17:46:06.541654+00 by: Mark A. Hershberger

If you use procmail, you can install clamav to catch these suckers. If you already have SpamAssassin installed and don't want to bother with installing another piece of software, you can add these rules:

# Sub-rules are prefixed with a double underscore so SpamAssassin treats them
# as unscored components of the meta rule below rather than scoring each
# one on its own (a single leading underscore does not do that).
header   __VIRUS_h0_SWEN_A  Subject =~ m{(Current|Newest|New|Last|Latest)? ?(Internet|Network|Net|Microsoft)? ?(Security|Critical)? ?(Patch|Upgrade|Pack|Update)}i
header   __VIRUS_h2_SWEN_A  From =~ m{(Microsoft|MS)? ?(Internet|Corporation)? ?(Technical|Security|Customer|Public)? ?(Assistance|Services|Center|Bulletin|Division|Section)}i
rawbody  __VIRUS_b4_SWEN_A  m{Undeliver(able|ed) (mail|message)? ?to}i

# Fire only when a forged Microsoft-style subject/sender or a fake bounce
# is paired with an executable or suspiciously named attachment.
meta     VIRUS_m_SWEN_A     ((__VIRUS_h0_SWEN_A && ( MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME ) && __VIRUS_h2_SWEN_A) || (__VIRUS_b4_SWEN_A && ( MICROSOFT_EXECUTABLE || MIME_SUSPECT_NAME )))
describe VIRUS_m_SWEN_A     http://www.trendmicro.com/vinf...o/default5.asp?VName=WORM_SWEN.A
score    VIRUS_m_SWEN_A     10.0

Note that I got tired of messing with those rules and decided to use my TUITs to install ClamAV, so they may be incomplete. In particular, the MICROSOFT_EXECUTABLE | MIME_SUSPECT_NAME make it so that if a gateway strips the virus and sends the message, you get a message without the attachment. Thankfully, I've not seen enough of those to care too much yet.
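To see how the meta rule above actually combines its pieces, here is a small Python re-implementation of it run over constructed sample messages. This is an added example, not code from the thread or from SpamAssassin: the three regexes are transcribed from the posted rules, while the attachment check (a stand-in for SpamAssassin's MICROSOFT_EXECUTABLE / MIME_SUSPECT_NAME, simplified to "any attachment whose filename has a Windows executable extension"), the sample messages and the scoring wrapper are assumptions of this example. The third sample shows the gap the comment mentions: a copy whose attachment a gateway has already stripped scores zero.

```python
"""Toy re-implementation of the SWEN SpamAssassin meta rule posted above.

Added example: regexes transcribed from the thread; attachment check,
samples and scoring wrapper are constructed here (not SpamAssassin code).
"""
import re
from email import message_from_string
from email.message import Message

# Transcribed from the thread's header/rawbody rules (case-insensitive).
SUBJECT_RE = re.compile(
    r"(Current|Newest|New|Last|Latest)? ?(Internet|Network|Net|Microsoft)? ?"
    r"(Security|Critical)? ?(Patch|Upgrade|Pack|Update)", re.I)
FROM_RE = re.compile(
    r"(Microsoft|MS)? ?(Internet|Corporation)? ?"
    r"(Technical|Security|Customer|Public)? ?"
    r"(Assistance|Services|Center|Bulletin|Division|Section)", re.I)
BODY_RE = re.compile(r"Undeliver(able|ed) (mail|message)? ?to", re.I)

# Assumption: simplified stand-in for MICROSOFT_EXECUTABLE / MIME_SUSPECT_NAME.
# "Suspect" = any attachment whose filename ends in a Windows executable
# extension, whatever content type the part declares.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|bat|com|cmd)$", re.I)


def has_suspect_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename with an executable extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name and EXEC_EXT.search(name):
            return True
    return False


def body_text(msg: Message) -> str:
    """Concatenate decoded text/* parts, roughly what SA's rawbody sees."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "ascii", "replace"))
    return "\n".join(chunks)


def swen_score(msg: Message) -> float:
    """Evaluate the meta rule: (h0 && suspect && h2) || (b4 && suspect)."""
    h0 = bool(SUBJECT_RE.search(msg.get("Subject", "")))
    h2 = bool(FROM_RE.search(msg.get("From", "")))
    b4 = bool(BODY_RE.search(body_text(msg)))
    suspect = has_suspect_attachment(msg)
    hit = (h0 and suspect and h2) or (b4 and suspect)
    return 10.0 if hit else 0.0


def score_raw(raw: str) -> float:
    """Parse a raw RFC 822 message string and score it."""
    return swen_score(message_from_string(raw))


# Constructed samples (all addresses use the reserved .invalid TLD; the
# "attachment" bodies are base64 of a harmless ASCII string, not a binary).
FAKE_PATCH = """\
From: "MS Technical Assistance" <bulletin@example.invalid>
To: victim@example.invalid
Subject: Latest Internet Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Microsoft Customer, this is the latest version of security update.
--b1
Content-Type: application/octet-stream; name="q216309.exe"
Content-Disposition: attachment; filename="q216309.exe"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""

FAKE_BOUNCE = """\
From: "Mail Delivery System" <postmaster@example.invalid>
To: victim@example.invalid
Subject: Failure notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Undeliverable mail to someone@example.invalid. See attached message.
--b2
Content-Type: application/octet-stream; name="message.exe"
Content-Disposition: attachment; filename="message.exe"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBiaW5hcnk=
--b2--
"""

# Same lure, but a gateway already stripped the attachment: no hit.
STRIPPED_COPY = """\
From: "Microsoft Security Bulletin" <bulletin@example.invalid>
To: victim@example.invalid
Subject: Latest Microsoft Security Update
Content-Type: text/plain

Microsoft Customer, this is the latest version of security update.
"""

if __name__ == "__main__":
    for label, raw in [("fake patch", FAKE_PATCH), ("fake bounce", FAKE_BOUNCE),
                       ("stripped copy", STRIPPED_COPY)]:
        print(f"{label}: {score_raw(raw)}")
```

Running it scores the forged patch and the forged bounce at 10.0 and the stripped copy at 0.0, which is exactly the behaviour the comment describes: the attachment test is what keeps the subject and sender patterns from flagging ordinary mail, at the price of missing copies that arrive with the payload already removed.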

#Comment Re: Yet Another MS Virus made: 2003-09-20 17:49:24.38099+00 by: Mark A. Hershberger

Oh, yeah. I think a big part of this problem is the public mailing lists that I'm on. Outlook must have some sort of auto-add feature, 'cause I'm being bombed. 9Mb caught by ClamAV in the past 18 hours. This doesn't include the number I got before I installed ClamAV, of course. I had something like 80+ viruses in my inbox Friday morning.

#Comment Re: Yet Another MS Virus made: 2003-09-20 20:25:56.532946+00 by: Dan Lyke

Here's ArsTechnica on the one that's plaguing me.

#Comment Re: Yet Another MS Virus made: 2003-09-20 20:27:11.407979+00 by: Dan Lyke

#Comment Re: Yet Another MS Virus made: 2003-09-22 15:04:46.371649+00 by: baylink

60MB of it over the weekend. Running your own pop server has its advantages: no quotas. ;-)

#Comment Re: Yet Another MS Virus made: 2003-09-22 18:14:04.638856+00 by: Jerry Kindall

This worm obtains its victims' e-mail addresses from Usenet. ("Swen" is "news" backward.) Within minutes of posting to a newsgroup using a virgin e-mail address I received two copies of the worm. I disabled the alias in my mail server shortly after this test -- another e-mail address I had used only on Usenet collected 1300 copies of the worm before I disabled it.

#Comment Re: Yet Another MS Virus made: 2003-09-22 19:42:52.482151+00 by: Mars Saxman

I could deal with this if they had found my personal email address, but Swen found some postings I made on comp.lang.basic.realbasic and is bombarding my work account, over which I have no control... I'm getting 20 or 30 megabytes of virus attachments per day. It sucks. It's clearly having an effect on the networks between here and work, too, since access to the file server, version control, etc. has slowed to around a fifth of its usual rate.

-Mars

#Comment Re: Yet Another MS Virus made: 2003-09-22 19:43:12.960037+00 by: Mars Saxman

oops.