Date: Sat, 27 Mar 1999 14:15:14 -0600
Reply-To: Marshall Ruskin <mruskin@PANGEA.CA>
Sender: Vanagon Mailing List <vanagon@gerry.vanagon.com>
From: Marshall Ruskin <mruskin@PANGEA.CA>
Subject: Porno Virus in Email Attachments
Referred to me by a colleague at EDS.

Marshall Ruskin
84 Westy

Just a quick heads up....there is a bad virus running around....please read. If you get an email message with "important message from ..." in the subject line and an attachment - pls delete the email message immediately.....here's more information below

=========================================================

The virus, W97M_Melissa, uses a combination of Microsoft Word macros and Microsoft Outlook to send a list of 80 pornographic Web sites. It works with either Word 97 or Word 2000, according to antivirus companies TrendMicro, McAfee, and Network Associates.

The program is somewhat devious in that it sends itself from the email addresses of people who are likely to be familiar contacts, arriving as email with the subject line "Important message from..." followed by the sender's name. The body says "Here is that document you asked for ... don't show anyone else ;-)." The email includes an attached Word file "list.doc," which includes the porn sites' addresses.

The virus doesn't appear to cause any damage to infected computers except in rare cases when the minutes of the current time match the date--for example at 3:26 p.m. on March 26. In this instance, the virus will insert the Bart Simpson quotation, "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here," into a user's active document.

Because the virus sends itself to potentially thousands of contacts contained in a user's address distribution list, however, there's a possibility that the virus could overwhelm mail servers.

"We've been swamped all day with customers calling in with this," said Dan Schrader, director of product marketing at TrendMicro. "It's spreading extremely quickly. Twenty major corporate sites have called us."

The virus first was spotted today, according to TrendMicro and others.

...There have been viruses that spread through the address books in the past, "but never this effectively," Schrader said.

Network Associates estimated the virus has already hit hundreds of thousands of computers.

Twenty of the company's largest clients were infected; one firm alone said it had reached 60,000 computers. "The propagation rate has been alarming," a company spokesperson said.

Tom Moske, a network administrator at USWeb/CKS, ran into the virus this afternoon when the virus spread itself from people in his company who had opened the attachment.

And he had cause to appreciate the devious nature of the virus, since it spread from employees in his company to the business clients of USWeb/CKS.

"It's the most intrusive I've ever seen," he said. "This is worldwide spam."

...Because the virus spreads itself automatically, it could be termed a "worm." The author apparently appreciated this, remarking in the virus code: "Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!"

__________________________________
The distance between you and I, is time.
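A mail-gateway triage check built from the indicators quoted in the message above (subject prefix, body sentence, attached Word file), as an added example that is not part of the original post. The function names, the sample messages and the rule of holding mail only when a `.doc` attachment accompanies the lure text are assumptions; the check decodes the MIME body first, since quoted-printable line wrapping like that in this very message would hide the phrase from a raw-text match.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as quoted in the forwarded advisory above.
SUBJECT_PREFIX = "important message from"
BODY_PHRASE = "here is that document you asked for"


def melissa_indicators(raw):
    """Return which advisory indicators one raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if str(msg.get("Subject", "")).strip().lower().startswith(SUBJECT_PREFIX):
        hits.add("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        # get_content() undoes quoted-printable/base64, so a soft line break
        # cannot split the phrase the way it does in the raw bytes.
        text = " ".join(body.get_content().lower().split())
        if BODY_PHRASE in text:
            hits.add("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".doc"):
            hits.add("word_attachment")
    return hits


def should_quarantine(raw):
    """Hold mail only when a Word attachment arrives with the lure text."""
    hits = melissa_indicators(raw)
    return "word_attachment" in hits and bool(hits & {"subject", "body"})


def build_sample(subject, body, attachment=None):
    """Constructed test message: example.com addresses, dummy attachment bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body, cte="quoted-printable")
    if attachment:
        m.add_attachment(b"dummy", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_bytes()


# Constructed samples: a lure on a long (wrapped) line, a warning that only
# quotes the lure, and an ordinary mail that happens to carry a .doc file.
LURE = "x" * 60 + " Here is that document you asked for ... don't show anyone else ;-)"
WORM_LIKE = build_sample("Important message from Alice", LURE, "list.doc")
WARNING = build_sample("Porno Virus in Email Attachments",
                       'The body says "Here is that document you asked for".')
ORDINARY = build_sample("Minutes", "Notes attached.", "minutes.doc")
```

The `WARNING` sample stands in for advisories like this one: it matches the body phrase but carries no attachment, so it is not held.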