"The Nameless One" <(E-Mail Removed)> wrote in message news:3efa5c6f$0$8262$(E-Mail Removed)...
[snip]
> > But it must be remembered to be wary of those that she *does*
> > know as well. Many worms will still come from people known
> > to the person receiving the e-mail.
>
> the only emails she has kept are 2 emails which have .jpg files in them
> nothing else in her email account has attachments
Excerpt from the McAfee link Arjan provided:
===
The email will appear to contain no contents or identifiable attachments
however is encoded to contain two files, xromeo.exe and xjuliet.chm.
===
So, it would be better to look at file size than at whether or
not an e-mail *appears* to have an attachment. Embedded
or "inline" content may not appear as attachments.
> > Does she transport e-mail she received through hotmail to
> > her otherwise isolated home PC via floppy disk?
>
> she does not transport emails at all, the only thing she transports are word
> documents
<wild assed guess>
I suppose that it is possible that a Word document can contain
some of the exploits known to be used by blebla, and result in
a false positive. Word documents can contain active content as
well, so it could have an embedded blebla executable I think.
</wild assed guess>
> > Those security reports (or write-ups) are merely dealing with the
> > forms normally found as a direct result of the worms actions. Keep
> > in mind that it is only a program, and as such can also take the forms
> > that any other program can take. Someone could trojanize a popular
> > screensaver (.scr) with it and get it placed on her computer that way.
> > It is not a form normally seen as a direct result of the worms action,
> > so you won't find it on the write-ups, but it is just a program after all.
>
> this is true, but why the time delay for the activation, she reported it to
> me and the system operators at our local community college on Tuesday yet
> the infection is dated to the 11th of this month
How is this date determined?
> > No network connectivity may mean that it hasn't spread from there by
> > its worm routine (which is a *good* thing).
>
> it can not spread from her machine if the machine is not connected to a
> network
Not entirely true (which is why I said "by its worm routine"), if
any files are otherwise shared.
> > They might not be scanning *everything* in order to speed
> > things up a little. They may be relying on the "on access"
> > safety net to intervene.
>
> they scan everything on the primary drive which has winXP pro and everything
> else on it that you would expect any self respecting computer freak to have
If I take your word for that (and your assessment of her computing
practices), then I have to believe that either blebla magically appeared
out of nowhere, or it is a false positive detection.
If the only source of inbound files is from a *fully* scanned and
up-to-date machine, then it isn't very likely the infection came from
there... and yet you have a (fairly new) detection. Does the first
detection date correspond by any chance with a recent Def's update?
> > Does your friend use the "on access" scanning (which should
> > have prevented the "infection"), or only the startup scan (which
> > is a little like a dashboard light that tells you that all of that smoke
> > coming from under your hood is there because you ran out of oil).
>
> I don't know, but the problem still remains why didn't blebla activate till
> Tuesday... I'm baffled
When (and how) do the AV definitions data files get updated
on the "victim" machine?
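Following up on the McAfee excerpt above (a message that "appears to contain no contents or identifiable attachments" yet carries encoded files): here is an added Python example, not from this thread, that walks every MIME part of a message and reports the ones a mail client may not list as attachments. The sample message, file names and payloads are constructed placeholders.

```python
import email
from email import policy

# Constructed sample: the visible body is empty, yet two base64 parts ride
# along without a "Content-Disposition: attachment" header. Names and
# payloads are placeholders, not the files named in the write-up.
RAW_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: (no subject)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XXBOUNDARY"

--XXBOUNDARY
Content-Type: text/plain; charset="us-ascii"

--XXBOUNDARY
Content-Type: application/octet-stream; name="demo_a.bin"
Content-Transfer-Encoding: base64

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
--XXBOUNDARY
Content-Type: application/octet-stream; name="demo_b.bin"
Content-Disposition: inline
Content-Transfer-Encoding: base64

QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
--XXBOUNDARY--
"""

def inventory(raw):
    """(content_type, disposition, filename, decoded_size) for each leaf part."""
    msg = email.message_from_string(raw, policy=policy.default)
    rows = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        rows.append((part.get_content_type(),
                     part.get_content_disposition(),  # None if header absent
                     part.get_filename(),
                     len(payload)))
    return rows

def hidden_binaries(raw):
    """Non-text parts that are not labelled as attachments."""
    return [r for r in inventory(raw)
            if not r[0].startswith("text/") and r[1] != "attachment"]
```

Calling `hidden_binaries(RAW_MESSAGE)` on the sample returns both binary parts, which is the size-based check the thread recommends over trusting the client's attachment list.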