MUSEUM-L Archives

Museum discussion list

MUSEUM-L@HOME.EASE.LSOFT.COM

Subject:
From: P Boylan <[log in to unmask]>
Reply To: Museum discussion list <[log in to unmask]>
Date: Thu, 21 Aug 2003 00:57:10 +0100
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (60 lines)

On Wed, 20 Aug 2003, Jill Lasker wrote:

+++++ [CLIP] +++++
> Have other members of this list suddenly been besieged in the last 2-3 days
> with junk?  I keep getting emails with a subject line "RE: details" and they
> all simply say "Please see the attached file for details."  All the files
> have a .pif extension (what is that?).  They're all from seemingly
> legitimate addresses, but no one I actually know.
>
> At least one of the addresses it came from was a legitimate display company,
> which is why I wondered if any of you were getting them too.
>
=============================
Jill:

There is currently a surge of millions (or more) of fake e-mails being
self-transmitted by the W32/Sobig-F worm-type virus, from infected PCs -
probably without the owner knowing that this is happening.  To cover its
tracks it substitutes a genuine e-mail address (eg. from the machine's
address book or from received mail box) for the actual originating
address so that the message looks like a genuine one from a known and
probably trusted e-mail address. You infect your machine by opening the
attachment to the e-mail - which can appear in several forms, typically
a free screensaver offer or other executable file (such as .pif).

Sobig-F and its "family" of related viruses seem to be restricted to
Windows systems: apparently UNIX, Linux and Mac systems shouldn't be
affected.

It should be possible to track down the machine sending the fake e-mails
(and I've had more than a dozen from a single source within less than an
hour - though each apparently from a different sender).  Don't "flame" the
person whose name is at the top.  Bring up "Full Headers" and you should
then find the real IP address (consisting of 4 numbers of up to three
digits each). You can then check out the real originating system through
one of the IP directory and search systems, such as the American Registry
for Internet Numbers - ARIN (http://www.arin.net/), and send a message
about the problem, including the fake e-mail in Full Headers mode to
"abuse@...." (the domain name - eg. [log in to unmask]).

Above all, however, it's absolutely essential to keep your anti-virus
protection system completely up to date.  Symantec/Norton Anti-Virus
report that they are identifying and producing treatments for more than
200 new viruses or variants PER WEEK at the moment, so if you haven't
updated your virus protection within the past few days you may be already
infected - and sending out hundreds of fake e-mails complete with copies
of one of the new viruses.



Patrick Boylan
City University London
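
The "Full Headers" check described in the message above, as an added example that is not part of the original post: it reads the Received headers of a message and returns the outermost public IP to look up, keeping the spoofed From domain separate. The sample message, host names and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: invented hosts, documentation-range addresses.
SAMPLE = """\
Received: from gw.museum.example (gw.museum.example [10.1.2.3])
\tby mail.museum.example with ESMTP; Thu, 21 Aug 2003 00:40:05 +0100
Received: from HOME-PC (dsl-pool.isp.example [203.0.113.77])
\tby gw.museum.example with SMTP; Thu, 21 Aug 2003 00:39:58 +0100
From: "Display Company" <sales@display.example>
To: curator@museum.example
Subject: Re: Details

Please see the attached file for details.
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Internal ranges that say nothing about the outside sender.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def external_hops(raw):
    """Public IPs recorded in Received headers, newest hop first."""
    hops = []
    for header in message_from_string(raw).get_all("Received", []):
        for text in BRACKETED_IP.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:      # e.g. "999.1.1.1" matches the regex only
                continue
            if not any(ip in net for net in INTERNAL):
                hops.append(str(ip))
    return hops

def report_target(raw):
    """Return (IP to look up, From domain that should NOT be blamed)."""
    hops = external_hops(raw)
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return (hops[-1] if hops else None), addr.rpartition("@")[2]

if __name__ == "__main__":
    ip, spoofed = report_target(SAMPLE)
    print(f"look up {ip} in a registry such as ARIN; ignore {spoofed}")
```

Received lines below the one written by your own mail server can be forged by the sender, so treat the returned address as a lead to confirm with the registry lookup.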

=========================================================
Important Subscriber Information:

The Museum-L FAQ file is located at http://www.finalchapter.com/museum-l-faq/ . You may obtain detailed information about the listserv commands by sending a one line e-mail message to [log in to unmask] . The body of the message should read "help" (without the quotes).

If you decide to leave Museum-L, please send a one line e-mail message to [log in to unmask] . The body of the message should read "Signoff Museum-L" (without the quotes).
