Re: Antigen found address@hidden (Norman) virus

From: Michael Poole
Subject: Re: Antigen found address@hidden (Norman) virus
Date: 25 Jul 2001 07:31:32 -0400
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Academic Rigor)

Lars von Wedel <address@hidden> writes:

> Hi all,
> we're having a similar system installed here, and it complains for 2 or
> 3 emails per day since last week or so. Does anyone know what this is?
> Any automake directives which look like a virus? Or a real one?
> Lars

They're set off by real virus-carrying emails; for some reason, the
automake list seems to get more than "usual" (the Sircam virus is a
fairly aggressive one, and through some bad luck is hitting automake
frequently).  Sircam-infected mails are mime/multipart messages
containing a text/plain section saying "I send you this file in order
to have your advice" and an application/mixed section carrying a copy
of the virus (and a name ending with two extensions; for example,
"View Sonic Lead.xls.pif").

The virus can infect a new user if the recipient uses Windows,
Windows hides the second extension, the recipient doesn't realize that
the sender probably shouldn't be sending them mail in the first place
(and hopefully has better diction than the text/plain section does),
and the recipient doesn't scan it with an up-to-date virus scanner
before opening it.

(I'm a little surprised that after all the other two-extension viruses
going through email that people are still getting infected, especially
by such an "obvious" one.  Sigh.)

-- Michael
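
Added example, not part of the original message: a mail-filter check for the two-extension attachment names described above, run over a constructed sample message. The executable-extension list, the function names and the sample addresses are assumptions made for illustration.

```python
import email
import os
from email.message import EmailMessage

# Assumed, non-exhaustive set of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".pif", ".exe", ".com", ".bat", ".scr", ".lnk", ".vbs"}


def double_extension_attachments(raw_bytes):
    """Return attachment names that end in an executable extension and
    carry another extension in front of it (e.g. 'report.xls.pif')."""
    msg = email.message_from_bytes(raw_bytes)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers have no filename
        stem, last = os.path.splitext(name.strip().lower())
        _, inner = os.path.splitext(stem)
        # 'setup.exe' has no inner extension, so it is not a disguised name;
        # 'archive.tar.gz' has one, but the final extension is not executable.
        if last in EXECUTABLE_EXTS and inner:
            hits.append(name)
    return hits


def build_sample(filename):
    """Constructed sample: a text/plain part plus one attachment holding
    harmless placeholder bytes under the given filename."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"   # constructed address
    m["To"] = "list@example.invalid"       # constructed address
    m["Subject"] = "constructed sample"
    m.set_content("I send you this file in order to have your advice")
    m.add_attachment(b"placeholder bytes, not a real payload",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("View Sonic Lead.xls.pif", "minutes.txt", "setup.exe"):
        print(fn, "->", double_extension_attachments(build_sample(fn)))
```
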

