Is this virus or spam?

[divoch]

I am getting quite a few of unexpected messages.
I am wondering if it is virus generated and if yes
what is the explanation and what, if anything, I can
do about it.
I have not opened any of the attachments so I cannot
say what is in them or if they are the type they say
they are

Thanks
Roman




subject: Re: Your text
text of the message: Please have a look at the attached file.
attachment: your_text.pif

subject: Re: Re: Message
text of the message: See the attached file for details
attachment: mesage_details.pif

subject: read it immediately
text of the message: is that true?
attachment: note.zip

 

[David H. Lipman]

If you had AV software you would know the answer.

Most likely it is on of the *many* Bagle variants.

W32/Bagle@MM - http://vil.nai.com/vil/content/v_100965.htm

All you can do is...

1. Install AV software keep the AV package up-to-date
2. Create email "rules" to auto-delete the offending messages
3. Petition your ISP to install AV software on their respective email servers.
4. Install *all* MS Critical Updates via the Windows Update web site.
5. If all else fails, Change your email address.

Dave



| I am getting quite a few of unexpected messages.
| I am wondering if it is virus generated and if yes
| what is the explanation and what, if anything, I can
| do about it.
| I have not opened any of the attachments so I cannot
| say what is in them or if they are the type they say
| they are
|
| Thanks
| Roman
|
|
|
|
| subject: Re: Your text
| text of the message: Please have a look at the attached file.
| attachment: your_text.pif
|
| subject: Re: Re: Message
| text of the message: See the attached file for details
| attachment: mesage_details.pif
|
| subject: read it immediately
| text of the message: is that true?
| attachment: note.zip
|
|

 

[divoch]

If you had AV software you would know the answer.

Most likely it is on of the *many* Bagle variants.

W32/Bagle@MM - http://vil.nai.com/vil/content/v_100965.htm

All you can do is...

1. Install AV software keep the AV package up-to-date
2. Create email "rules" to auto-delete the offending messages
3. Petition your ISP to install AV software on their respective email servers.
4. Install *all* MS Critical Updates via the Windows Update web site.
5. If all else fails, Change your email address.

I do have AVG software, fully updated, which reports no virus. thanks
for tips.
Roman

 

[Tim Downie]

If you had AV software you would know the answer.

Not necessarily. With AVG the file isn't always detected until you actually
try and open the attachment. If he's smart enough not to open an unknown
attachment (always the safest policy rather than relying on your AV
software), then he won't know the identity of the virus.

Tim

 

[David H. Lipman]

With password protected archive files (RAR and ZIP) that's true.
On all the others, a good AV software will catch it, if it has the signatures for it.

Examples:
2/6/2004 3:16 AM Potentially unwanted message body Personal Folders Inbox\Message body
Exploit-MIME.gen.exe
3/4/2004 4:57 PM Deleted-Sec. Action Personal Folders Inbox\freaky_news.zip
W32/Netsky.c@MM!zip
3/8/2004 7:39 PM Deleted-Sec. Action Personal Folders Inbox\my_details.pif W32/Netsky.d@MM

Log events generated by McAfee Enterprise VirusScan v7.1

Dave



| David H. Lipman wrote:
| > If you had AV software you would know the answer.
|
| Not necessarily. With AVG the file isn't always detected until you actually
| try and open the attachment. If he's smart enough not to open an unknown
| attachment (always the safest policy rather than relying on your AV
| software), then he won't know the identity of the virus.
|
| Tim
| --
| Remove the obvious to reply by email.
| Please support rheumatoid arthritis research!
| Visit http://www.justgiving.com/pfp/speyside or
| http://www.justgiving.com/speyside if you're a UK tax payer.
|

 

[Tim Downie]

With password protected archive files (RAR and ZIP) that's true.
On all the others, a good AV software will catch it, if it has the
signatures for it.

Okay, so AVG6 doesn't pass your definition of "good" but it's adequate for
my purposes and it *doesn't* always warn prior to opening messages or their
attachements so your original statement "If you had AV software you would
know the answer." just isn't true. It depends on the AV software (and mail
program).

Tim

 

[Gabriele Neukam]

On that special day, divoch, ([email protected]) said...

I do have AVG software, fully updated, which reports no virus. thanks
for tips.

Hm. There is a new Bagle variant out, which is already active at
"medium" level. This variant doesn't only create zipped archves, but rar
archives, too; and it hides the "password" in a graphical file.

And it *infects* executables. Is this "variant" really done by the same
person as the former ones? The changes are too drastic. It looks like it
has adopted elements of Gibe and Klez, with a change.

I still don't have a link, as the heise people couldn't yet provide it.
They call it Bagle.N


Gabriele Neukam

(e-mail address removed)

 

[Gabriele Neukam]

On that special day, Gabriele "Ingrid" Neukam,
([email protected]) said...

I still don't have a link, as the heise people couldn't yet provide it.
They call it Bagle.N

Ah ha. F-Prot calls it Bagle.P

http://www.f-secure.com/v-descs/bagle_p.shtml


Gabriele Neukam

(e-mail address removed)

 

[David H. Lipman]

Actually there are two new variants Bagle.N and Bagle.P

W32/Bagle.n@MM - http://vil.nai.com/vil/content/v_101095.htm
W32/Bagle.p@MM - http://vil.nai.com/vil/content/v_101098.htm

Dave



| On that special day, Gabriele "Ingrid" Neukam,
| ([email protected]) said...
|
| > I still don't have a link, as the heise people couldn't yet provide it.
| > They call it Bagle.N
|
| Ah ha. F-Prot calls it Bagle.P
|
| http://www.f-secure.com/v-descs/bagle_p.shtml
|
|
| Gabriele Neukam
|
| (e-mail address removed)
|
|
| --
| Ah, Information. A good, too valuable these days, to give it away, just
| so, at no cost.

 

[Axel Pettinger]

Actually there are two new variants Bagle.N and Bagle.P

W32/Bagle.n@MM - http://vil.nai.com/vil/content/v_101095.htm
W32/Bagle.p@MM - http://vil.nai.com/vil/content/v_101098.htm

Well, something is missing here. How about Bagle.o ...? ;-)

So there're three new variants which have the characteristics Gabriele
mentioned before.

Regards,
Axel Pettinger

 

[me]

Well, something is missing here. How about Bagle.o ...? ;-)

So there're three new variants which have the characteristics Gabriele
mentioned before.

Regards,
Axel Pettinger

Or some confusion?

NAI lists (under aliases) "W32/Bagle-O (Sophos)"

J

 

[FromTheRafters]

Well, something is missing here. How about Bagle.o ...? ;-)

So there're three new variants which have the characteristics Gabriele
mentioned before.

Great, so now what happens. Do scanners have to adopt OCR
software and feed the bitmap image to it so that they can remain
competitive?