A new Virus?

[Jahnava Nitai Das 2]

I noticed in the last two days there have been many,many different people sending me an email with an attached file. The email always reads the exact same, something like:

 

"Hi, I am sending this for you to check."

 

Or something like that. I notice the emails are all people who have written to me sometime or another. And I have received these types of virus in several accounts.

 

The attachement file name is always different, usually a .pif file or something.

 

I am just posting this here in case any of you are also getting these emails.

 

It only started two days back, so I assume it is a new virus, and quite active and fast at propagating (judging from the various people who have sent it to me).

 

[Maitreya 0]

Hey Jndas,

 

I remember reading within the last two or three weeks something about a virus being sent to devotee's web sites.

 

Someone had their files erased or something.

 

YS MC

[livingentity 0]

Yes, that is a new virus and it is called the sircam or something like that. If you open it will attach itself to many different files in your computer and fill up your drives until your computer crashes. I have mcafee and they sent me an alert on that one yesterday.

[Puru Das Adhikari 0]

bject:

Virus Alert W32/SirCam@MM (Sir Cam Virus)

Thu, 19 Jul 2001 20:41:58 -0700

"McAfee.com Dispatch" <dispatch@mcafee.com>

"purudas@compuserve.com" <purudas@compuserve.com>

 

 

(((((((((((((((((( McAfee.com Dispatch )))))))))))))))))))))

 

 

---------------------------

**VIRUS ALERT - W32/SirCam@MM (Sir Cam Virus)**

---------------------------

 

[This message is brought to you as a r to the

McAfee.com Dispatch. To , please follow the

instructions at the bottom of the page.]

 

 

McAfee.com has seen a large and growing number of consumer

computers infected with W32/SirCam@MM. This is a HIGH RISK

VIRUS FOR CONSUMERS. The infected email can come from

addresses that you recognize. Attached is a file with two

different extensions. The file name itself varies.

 

The email message can appear as follows:

 

[filename (random)]

Body: [content varies]

 

 

Hi! How are you?

I send you this file in order to have your advice

or I hope you can help me with this file that I send

or I hope you like the file that I sendo you

or This is the file with the information that you ask for

See you later. Thanks

 

--- the same message may be received in Spanish ---

 

Hola como estas ?

Te mando este archivo para que me des tu punto de vista

or Espero me puedas ayudar con el archivo que te mando

or Espero te guste este archivo que te mando

or Este es el archivo con la información que me pediste

Nos vemos pronto, gracias.

 

The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG,

.PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder

and attempts to send copies of these documents to email

recipients found in the Windows Address Book and addresses

found in cached files.

 

For detection and removal instructions for the Sir Cam Virus,

-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2371

 

McAfee.com VirusScan Online and Clinic rs:

If you don't have ActiveShield installed and updated, you

are not protected from this virus. Click here to download

ActiveShield.

-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2372

 

Retail VirusScan Users:

Version 4.0.70 and above with DAT file 4148 will detect and

remove this virus. To download the latest DAT files,

-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2253

__________

 

If you would like to receive the McAfee.com Dispatch in a

graphical (HTML) format in the future, please

-> http://dispatch.mcafee.com/default2.asp?id=640762

 

 

________________________Virus Fixes_________________________

 

Find out more about this virus. Click here to go to the

W32/SirCam@mm Help Center.

-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2371

 

Become a McAfee.com r and check your system online.

 

-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2377

 

Buy the latest VirusScan in the McAfee Store!

-> http://mcafeestore.beyond.com/AF77887-VS_700/Product/0,1057,3-18-SN101924,00.html

 

Is your VirusScan current? Purchase the VS Maintenance Plan

for $22.45 (USD) and upgrade to the most current version.

 

-> http://mcafeestore.beyond.com/AF77887-SMP_400/Product/0,1057,3-18-SN102899,00.html

 

Download the latest DAT files,

-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2253

 

 

_____________________Anti-Virus Tips!_______________________

 

Find out how to detect and prevent viruses with these handy

tips.

-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=1589

 

 

______________________Special Offers_________________________

 

SAVE UP TO 33% on security for your computer AND get 20 hot

songs from MP3.com.

-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2366

 

Get a 2-year subscription of VirusScan Online now only

$39.90 (USD)! SAVE $10!

-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2367

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

[ You are currently d as: purudas@compuserve.com ]

 

McAfee.com Support: To contact us about this dispatch,

-> http://www.mcafee.com/support/cust_serv/default.asp

 

Subscribe: If you received this message from a friend and

would like to to McAfee.com Dispatch,

-> http://dispatch.mcafee.com/sub.asp?s=22

 

Un: If you do not wish to receive email,

-> http://dispatch.mcafee.com/unsub.asp

 

Note: Promotions are subject to change without notice.

 

Click here to view our permission policy.

-> http://dispatch.mcafee.com/permission_policy.asp

 

Trademarks 2001 McAfee.com Corporation / .

 

 

 

[JRdd 0]

Something went wrong with my computer Saturday, and now I am limited to whatever half hours I can grab at the library. I never open attached files unless they are from someone I know and are expected, and I always scan first. So i dont know what happened. Except I got less association now.

JR

[mahak 0]

With all the spammin goin on, unsolicited aparadha and apisiddhanta propaganda, it is important to know who you are opening letters from.

 

We are not talking about erasing a few e-mails, I had a worm virus eat up an entire bank of computers that were hooked together (but it served the greedy Kinko's right for charging $12.00 per hour, so I had no compassion for them at all). This virus was set in something that read "remove me", so it may have been a devotee's angst at the unsolicited stuff.

 

Haribol, ys, mahaksadasa

 

Hey, haribol, Puru, hope you are well.

[Gauracandra 1]

Not to change the subject, but I also wanted to use this opportunity to let people know of a problem that has occured to two people I know (one of them twice, so three times in total). In one instance a child of the person went to a Pokeman website, and the website decided to "update" their browser or something like this. They ended up creating two "ratings.pol" configuration files. These are the files that handle what websites a person can go to. The problem is, when this happens you are completely taken out of using the internet. A message keeps popping up saying some sort of error. The way to solve this is easy (it took me literally hours to search for a solution and none came, until someone at work said the same thing happened to them). Basically just do a search on your c: drive for ratings.pol. when you find two of them, delete one (the newest one) and you will be back to normal. I literally (well not LITERALLY literally) went nuts trying to fix the problem at first. It happened again yesterday to my neighbors and I fixed it with no problem. Just sending this out in case it happens to any of you guys.

 

Gauracandra

[Guest guest]

I just received the worm in my email. It is a really long file, about 300K. Deleted it upon arrival. No problemo.

 

Here's some good advice about it:

http://www.sarc.com/avcenter/venc/data/pf/w32.sircam.worm@mm.html

[Jahnava Nitai Das 2]

I have received this virus about 100 times so far. I just delete it. The only problem is in having to download these huge file attachments that come with it!

[Guest guest]

Originally posted by jndas:

I have received this virus about 100 times so far. I just delete it. The only problem is in having to download these huge file attachments that come with it!

Some email clients let you poll your SMTP server before downloading, so you can delete them on the server and not suffer thru waiting for the download.

 

If you have broadband, it doesn't matter.

[Guest guest]

<h3>This Information Pertains To Windows NT 4.0/Windows2000 Professional & Windows2000 Server users. If you are running Windows95/98/ME you are *not* affected by this virus.</h3>

 

A new version of the Code Red Virus has hit the net. Temporarily labeled "Code Red II" this virus has different behavior than the original Code Red virus.

 

After reading the reports on Incidents.org and examining the hex dumps that have been provided, here is the fastest way Windows2000 Professional, Windows2000 Adv. Server and Windows NT 4.0 users can determine if they have the virus:

 

1. In Explorer or a DOS prompt, go to your C:\InetPub\Scripts Directory.

 

2. Look for a file called CMD.EXE in the C:\InetPub\Scripts directory.

 

3. If the file CMD.EXE exists in C:\InetPub\Scripts, you have the new Code Red II virus. Delete the file CMD.EXE from your C:\InetPub\Scripts directory. DO NOT DELETE THE CMD.EXE FILE FROM ANY OTHER DIRECTORY!!

 

If you do not have ZoneAlarm installed, click HERE to download it and install it. Set your INTERNET security on HIGH. Set your LOCAL security on LOW.

 

Once you've done all the above, the best way to protect yourself is to STOP the IIS (Internet Information Service) on your computer. This is for Windows NT 4.0 and Windows2000/Windows2000 Server users only. Once you've stopped the service, click on Properties and set the service to Manual or Disable.

 

Additionally, you'll want to stop and disable the Indexing Service as well.

 

If you're running Windows2000/Windows2000 Adv. Server you can do the above by clicking My Computer, then Administrative Tools, then Component Services. Stop in order:

IIS Admin Service

FTP Publishing Service

Indexing Service

 

Be sure to change the properties of these services to MANUAL or DISABLED startup to ensure you're protected from Code Red.