
View Full Version : New virus is VERY clever. Be careful
commishjoe 03-03-2004, 12:32 PM Be VERY careful with this new virus. You get something that has a ZIP attachment and asks for a password, do NOT open it, no matter how real looking it is. Check this one out(I've edited out identifying info)...
From: support@`edit>.com [mailto:support@`edit>.com]
Sent: Wednesday, March 03, 2004 12:18 AM
To: `edit>@`edit>.com
Subject: Notify about using the e-mail account.
Dear user of "`edit>.com" mailing system,
Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.
Further details can be obtained from attached file.
For security reasons attached file is password protected. The password is
"30173".
Have a good day,
The `edit>.com team
http://www.`edit>.com
Douglas 03-03-2004, 12:44 PM Lovely..... I got the same thing to my @fractured.net account, so I had to send an email out to everyone using an @fractured.net addy to let them know...
PogiWeb 03-03-2004, 12:48 PM Thanks for the warning
PH-Peter 03-03-2004, 01:03 PM I got another similar email.
Hello user of domainname e-mail server,
Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.
Pay attention on attached file.
In order to read the attach you have to use the following password: 20311.
Have a good day,
The domainname team
domain name edited out
Douglas 03-03-2004, 01:10 PM Folks, I advise you all to notify your customers, as well. I've just notified not only all my customers, but all my reseller customers, as well.
Douglas 03-03-2004, 01:36 PM Symantec's on the game. Seriously.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.k@mm.html
EDIT: Updated this thread, as the link above will work. :)
PH-Peter 03-03-2004, 01:37 PM Wow, I just got another one in my mail with slightly different wording.
Dear user of domainnameeditedout.com,
Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.
Please, read the attach for further details.
In order to read the attach you have to use the following password: 16360.
Best wishes,
The domainnameeditedout.com team
Now virus creators seem to resort to social engineering to make people open file.
Douglas 03-03-2004, 01:44 PM Peter, check the Symantec link I provided above... it covers all the variants that this virus uses.
P-nut 03-03-2004, 01:49 PM What's really scary is that even with the latest update, Norton doesn't pick up any virus ... we just got this and a scan turned up nothing:eek2:
Douglas 03-03-2004, 01:51 PM P-not, I think the virus came out either yesterday or today, so not all Anti Virus companies have updated their engines yet.
Another useless post by moi, to get me off this stupid number...
Coach 03-03-2004, 02:02 PM My fiance just called me from home and said she got it and tried to open the attachment. She thought that I had done something to her email account and was fussing at me until I told her it was a virus.
Looks like I'm going to be doing some virus removal when I get home. :(
Worst of all, it was a .pif file. Sheesh... Why would she try to open a .pif? :bawling:
P-nut 03-03-2004, 02:05 PM Originally posted by TRN Douglas
P-not, I think the virus came out either yesterday or today, so not all Anti Virus companies have updated their engines yet.
True :) .... still scary though.
coight 03-03-2004, 02:09 PM Thank you for the spam coach! ;) will post headers shortly. I was going to contact you
coight 03-03-2004, 02:12 PM This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
emergency@myacen.XXX
This message has been rejected because it has
a potentially executable attachment "Readme.pif"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
------ This is a copy of the message, including all the headers. ------
Return-path: <sales@myacen.XXX>
Received: from [68.67.78.89] (helo=square-network)
by saturn.myacen.com with smtp (Exim 4.24)
id 1Ayad4-0001tT-Fv
for emergency@myacen.XXX; Wed, 03 Mar 2004 17:57:58 +0000
Date: Wed, 03 Mar 2004 12:57:59 -0500
To: emergency@myacen.XXX
Subject: E-mail account disabling warning.
From: support@myacen.com
Message-ID: <miucigcqeykgjqwedln@myacen.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------dibwyaleoshmagtwkkjr"
----------dibwyaleoshmagtwkkjr
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Dear user of Myacen.com,
Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.
For further details see the attach.
Cheers,
The Myacen.com team http://www.myacen.com
----------dibwyaleoshmagtwkkjr
Content-Type: application/octet-stream; name="Readme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Readme.pif"
----------dibwyaleoshmagtwkkjr--
coight 03-03-2004, 02:15 PM And another
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
careers@myacen.XXX
This message has been rejected because it has
a potentially executable attachment "Document.pif"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
------ This is a copy of the message, including all the headers. ------
Return-path: <abuse@myacen.XXX>
Received: from [68.67.78.89] (helo=square-network)
by saturn.myacen.com with smtp (Exim 4.24)
id 1AyafQ-00024N-7M
for careers@myacen.XXX; Wed, 03 Mar 2004 18:00:24 +0000
Date: Wed, 03 Mar 2004 13:00:25 -0500
To: careers@myacen.XXX
Subject: Email account utilization warning.
From: support@myacen.XXX
Message-ID: <qjeqqectvvrmxrqvngp@myacen.XXX>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------mslenbdiienhlyxnoueu"
----------mslenbdiienhlyxnoueu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Dear user of "Myacen.com" mailing system,
Your e-mail account has been temporary disabled because of unauthorized access.
For further details see the attach.
Kind regards,
The Myacen.com team http://www.myacen.com
----------mslenbdiienhlyxnoueu
Content-Type: application/octet-stream; name="Document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Document.pif"
Thanks for the heads up on this ... I received an identical message to the ones you folks are posting ... GREAT !!
----
Dear user of e-mail server "xxxx***********",
Your e-mail account has been temporary disabled because of unauthorized access.
For details see the attach.
In order to read the attach you have to use the following password: 72856.
Kind regards,
---------------------------
Man, it is too bad some people do not have anything better to do than cause us all headaches. ;)
Coach 03-03-2004, 02:44 PM Originally posted by MN-Robert
Thank you for the spam coach! ;) will post headers shortly. I was going to contact you
Sorry Robert. I've already scolded her a bit about opening .pif files. And of course, in true fiance type fashion, she wanted *me* to apologize to her for accusing her of opening my email from home when I called and asked her why my inbox was suddenly empty here at the office. :rolleyes:
I've sent off an email to all my clients warning of this. Not sure how Robert would have gotten an email from my home PC though unless it was from a page in my cache.
Anyway, I've told her to turn off the computer at home until I can take a look at it and remove it from the registry.
bodypainter 03-03-2004, 02:51 PM Can virus scanners scan password protected zip files?
From what I've heard, the password that accompanies the email is real enough and will open the zip file which of course results in Windows users being infected.
Very clever indeed.
coight 03-03-2004, 03:02 PM No problem, Coach only kidding I know it's a simple mistake to make :).
We have just sent out emails to all our customers
arthurm 03-03-2004, 03:11 PM I just received this also; it is very clever, I was almost fooled by this.
Will Bailey 03-03-2004, 03:38 PM Just got it too...thanx for the heads up!
kris1351 03-03-2004, 04:16 PM Yup, we have been receiving them all morning. Such fun I tell ya.
ericabiz 03-03-2004, 04:24 PM Originally posted by Coach
Worst of all, it was a .pif file. Sheesh... Why would she try to open a .pif? :bawling:
The better question is -- why does your email client allow you to open .pif files? (Outlook has had a patch out for years now that blocks these. No excuses!) Also, why are these attachments not blocked at your server?
Hmm. :P
Xoopiter-Jeff 03-03-2004, 04:26 PM OK
Can someone tell me what this means. I have done EVERYTHING to find a virus on my computer and there is nothing. I get A LOT of them, some saying I sent them when I have sent nothing.
Why do I keep getting these:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
Info@splashhost.com
This message has been rejected because it has
a potentially executable attachment "Info.pif"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
------ This is a copy of the message, including all the headers. ------
Return-path: <Jeff@planethosted.com>
Received: from [68.67.78.89] (helo=square-network)
by server1.dallasmainserver.com with smtp (Exim 4.24)
id 1Ayaa9-0006F9-3Y
for Info@splashhost.com; Wed, 03 Mar 2004 11:54:57 -0600
Date: Wed, 03 Mar 2004 12:55:05 -0500
To: Info@splashhost.com
Subject: E-mail account security warning.
From: support@splashhost.com
Message-ID: <osmmmswtpmxtgqntevd@splashhost.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------qujravfjiyenwfcwxnin"
----------qujravfjiyenwfcwxnin
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Hello user of Splashhost.com e-mail server,
Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.
Pay attention on attached file.
Have a good day,
The Splashhost.com team http://www.splashhost.com
----------qujravfjiyenwfcwxnin
Content-Type: application/octet-stream; name="Info.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Info.pif"
----------qujravfjiyenwfcwxnin--
P.S. There was a lot more gibberish but I had to cut it out, it was more than 10000 characters.
Originally posted by SmokinDesign
Can someone tell me what this means. I have done EVERYTHING to find a virus on my computer and there is nothing. I get A LOT of them, some saying I sent them when I have sent nothing.
There are many, many viruses and worms that are sent out with spoofed "from" addresses, created in exactly the same way they create the "to" addresses -- just using what they find in infected computers' address books, internet cache, etc. So, if you get any of this stuff sent to you, it's just as likely that someone else is getting it with your address as the "from" or "reply-to" address. In no way does it tell you that it came from your PC.
Westech 03-03-2004, 04:53 PM The virus referred to in these emails is bagle.k@mm . I've been fighting it all morning (I work in a university IT department.)
As people have posted, there are many variations of the email, but here's the one that the most people are falling for:
------------------------------
Dear user of "<UniversityDomainRemoved>.edu" mailing system,
We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.
For details see the attach.
For security purposes the attached file is password protected. Password is "21721".
Have a good day,
The <UniversityDomainRemoved>.edu team http://www.<UniversityDomainRemoved>.edu
-------------------------------------------
The virus is so new that not all antivirus programs detect it yet. Even if yours does, you'll need virus definitions dated no later than yesterday or today (depending on the vendor.) If the PC is infected, it will terminate the update processes of most popular antivirus packages any time they try to update. This means that you will not be able to update to the definitions needed to detect and remove the virus.
In order to update, you will need to terminate the virus process (ctrl+alt+del, task manager, processes tab.) The McAfee site says the process will be called winsys.exe. This wasn't the case on the PC I was working on. I suspect that the virus may use different names for the process to help avoid detection. I was able to find the name by using regedit and going to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -- in this folder, there should be a key the virus added. In my case it was called "ssate.exe". If you look at the value of this key, you will see the path to the virus file that Windows loads each time it starts. In my case the file was c:\winnt\system32\irun4.exe. Use task manager to end the process that matches this filename.
Once this process is terminated, you should be able to update your AV software. With the AV software updated, a system scan should detect and remove any other pieces of the virus from the system. If your AV software doesn't yet have an update available for this virus, then all you can do is end the viral process as noted above, delete the ssate.exe key from the registry so it won't reload when you restart Windows, and wait for an update to your AV software that will let you detect the remaining infected files.
Note: You can also run the file I've attached to this post to quickly and easily remove this and any other viruses that may be on your system. It will also double your system speed, increase your monitor size, and make sure that your system clock is always set to the correct time. Really! Just double click on the file below and everything will be OK..... :)
Coach 03-03-2004, 04:59 PM Originally posted by Simpli-Erica
The better question is -- why does your email client allow you to open .pif files? (Outlook has had a patch out for years now that blocks these. No excuses!) Also, why are these attachments not blocked at your server?
Hmm. :P
It was Stefanie's email account, not mine. She has a webmail account. I wanted to set her up on one of my boxes, but she hasn't quite gotten comfortable with anything that isn't like Yahoo.
My Outlook does indeed have these blocked.
rasputinj 03-03-2004, 05:07 PM I just received it in a few different forms today. I just received calls from 2 customers who opened it up, even though the email said it was from administrator, which they do not have an email account set up for Administrator, since I do their admin for them.
I tell people do not open attachments unless you are expecting it, they never listen. Well written though.
Kerry Jones 03-03-2004, 07:15 PM What about the email addresses? I tracked one from coming from Canada.
Xoopiter-Jeff 03-03-2004, 08:10 PM Originally posted by JayC
There are many, many viruses and worms that are sent out with spoofed "from" addresses, created in exactly the same way they create the "to" addresses -- just using what they find in infected computers' address books, internet cache, etc. So, if you get any of this stuff sent to you, it's just as likely that someone else is getting it with your address as the "from" or "reply-to" address. In no way does it tell you that it came from your PC.
Thanks Jay. I think I actually meant to post another one and will if you want me to, but some say they're from "Jeff@planethosted.com" but I never sent it. I still think it is spoofed and just gets returned to me but I have no idea. Is that possible?
thanks
Jeff
I got one of these today, looks very authentic... i thought it was a virus since it included a file that requires a password while the password was sent in the same message.
Cheers-
u4ea
Coach 03-03-2004, 08:40 PM Just got one from Adam Tuttle at my sales address. :D Virus was cleaned by the mailscanner though.
intellec 03-03-2004, 08:50 PM I haven't seen any of these yet. I use a CA Software anti-virus. http://www3.ca.com/virusinfo/
They have been sending out updates each day and sometimes 2 or 3 times a day lately.
Tons of Bagle variations out.
Originally posted by SmokinDesign
Thanks Jay. I think I actually meant to post another one and will if you want me to, but some say they're from "Jeff@planethosted.com" but I never sent it. I still think it is spoofed and just gets returned to me but I have no idea. Is that possible?
Right, that's exactly what I was saying. The "from" address was simply found somewhere on the computer from which it was sent -- that could mean it's someone with you in their address book, but more likely it's just someone who visited a web page where your address appeared, and that page is still cached on that person's PC. But mailers respond with bounce messages to the "from" address, as do some server-based virus scanners, with no verification of whether that address is really where the mail came from.
Check the headers for those messages and track the "received from" lines (as long as the complete message is included in what is bounced to you) to confirm that it didn't really come from your machine.
kneadingu 03-09-2004, 08:24 PM Mcafee and Symantec (Norton) both make removal programs for the most prevalent viruses. In fact Norton makes one for approximately 60 viruses. McAfee limits theirs to the top 40 and they update it with every new threat.
The major differences are the Norton removal files all have to be run individually. Whereas the Mcafee tool named Stinger (http://vil.nai.com/vil/stinger/) will remove any of the top 40 viruses in one sweep.
I run Norton in active mode and every other day I run the latest Stinger (http://vil.nai.com/vil/stinger/). BTW Stinger (http://vil.nai.com/vil/stinger/) is a FREE download.
colorteck 03-09-2004, 10:26 PM yup got the same email
4Hosted 03-09-2004, 10:28 PM Decided to install Cpanel's Mailscanner + Latest ClamAV to try and stop any of these being sent to our hosting customers.... Amazingly it works very very well!
Although a little suspicious of ClamAV, seems to do the job perfectly... Received a few emails myself that the scanner stopped some Virus infected emails to my address... Looks like its working.. yay!
Torith 03-23-2004, 01:09 AM this is what I got in the email today.
"Dear user of e-mail server "Yahoo.com",
Our antivirus software has detected a large ammount of viruses
outgoing
from your email account, you may use our free anti-virus tool to
clean up
your computer software.
Please, read the attach for further details.
Best wishes,
The Yahoo.com team
"
it says it is from staff @ yahoo.com
I do not send any emails out for one at all in about 4 months people send me emails but most are spam. Am I missing something here? :confused:
This is spam and probably the attachment is a virus.
It's a virus that searches out addresses in the address book. It then takes the last part of your domain and uses that for "The XXX team"
Dan Grossman 03-23-2004, 01:19 AM I've been getting so many mails from this virus that I set up a filter for the "The {domain} team." signature to automatically get deleted. The last time a virus was annoying enough that I had to filter it separately was SoBig.F.
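The three defensive ideas raised in this thread (Erica's "block .pif attachments at the server", JayC's "track the Received-from lines to see where it really came from", and Dan's filter on the "The {domain} team" signature) can be checked on one message by a small script. The Python below is an added example, not code from anyone in the thread: it parses a message constructed from the bounce copy posted earlier (the attachment body replaced by a base64 placeholder), walks the Received chain, compares the connecting host's HELO name against the claimed From domain, lists directly executable attachment types, and looks for the forged signature and an in-body password. The regexes, extension list, and the "lure" verdict rule are this example's own assumptions.

```python
import os
import re
from email import message_from_string, policy

# Attachment extensions Windows runs directly; every sample in this thread carries a .pif.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Exim-style Received line: "from [ip] (helo=name) by host ..." (assumed format).
RECEIVED_RE = re.compile(
    r"from\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*\(helo=(?P<helo>[^)]+)\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# The "The <domain> team" signature the worm puts at the end of every lure.
SIGNATURE_RE = re.compile(r"^The\s+(?P<domain>[\w.-]+)\s+team\b", re.IGNORECASE | re.MULTILINE)
# A 4-6 digit "password" quoted in the body, as in the password-protected ZIP variants.
PASSWORD_RE = re.compile(r"password[^\n\d]*?(?P<pw>\d{4,6})", re.IGNORECASE)

# Constructed sample, modelled on the bounce copy quoted earlier in the thread.
# The attachment body is a base64 placeholder ("PLACEHOLDER"), not the real file.
SAMPLE_RAW = """Return-path: <sales@myacen.XXX>
Received: from [68.67.78.89] (helo=square-network)
    by saturn.myacen.com with smtp (Exim 4.24)
    id 1Ayad4-0001tT-Fv
    for emergency@myacen.XXX; Wed, 03 Mar 2004 17:57:58 +0000
Date: Wed, 03 Mar 2004 12:57:59 -0500
To: emergency@myacen.XXX
Subject: E-mail account disabling warning.
From: support@myacen.com
Message-ID: <miucigcqeykgjqwedln@myacen.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="--------dibwyaleoshmagtwkkjr"

----------dibwyaleoshmagtwkkjr
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user of Myacen.com,
Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.
For further details see the attach.
Cheers,
The Myacen.com team http://www.myacen.com
----------dibwyaleoshmagtwkkjr
Content-Type: application/octet-stream; name="Readme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Readme.pif"

UExBQ0VIT0xERVI=
----------dibwyaleoshmagtwkkjr--
"""

# Constructed body text of the password-protected ZIP variant quoted in the thread.
VARIANT_BODY = """Dear user of e-mail server "example.com",
Your e-mail account has been temporary disabled because of unauthorized access.
For details see the attach.
In order to read the attach you have to use the following password: 72856.
Kind regards,
The example.com team
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip(" <>").lower()


def analyze_body_text(text: str) -> dict:
    """Pull the forged 'team' signature and any in-body ZIP password out of the lure text."""
    sig = SIGNATURE_RE.search(text)
    pw = PASSWORD_RE.search(text)
    return {
        "signature_domain": sig["domain"].lower() if sig else None,
        "password_in_body": pw["pw"] if pw else None,
    }


def analyze_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and report the indicators discussed in the thread."""
    msg = message_from_string(raw, policy=policy.default)

    # Walk the Received chain; the last header is the earliest hop (the sending host).
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(str(header).split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"ip": m["ip"], "helo": m["helo"], "by": m["by"]})
    origin = hops[-1] if hops else None

    from_domain = domain_of(str(msg.get("From", "")))
    # A real support@ mail would be handed in by a host of that domain, not a random HELO.
    helo_mismatch = origin is not None and not origin["helo"].lower().endswith(from_domain)

    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    executable = [f for f in attachments if os.path.splitext(f)[1].lower() in EXECUTABLE_EXTENSIONS]

    body_part = msg.get_body(preferencelist=("plain",))
    findings = analyze_body_text(body_part.get_content() if body_part else "")
    findings.update({
        "from_domain": from_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "helo_mismatch": helo_mismatch,
        "attachments": attachments,
        "executable_attachments": executable,
        "signature_matches_from_domain": findings["signature_domain"] == from_domain,
    })
    # Verdict rule (assumed): forged "team" signature plus either a directly
    # executable attachment or a password handed out in the same mail.
    findings["lure"] = findings["signature_matches_from_domain"] and (
        bool(executable) or findings["password_in_body"] is not None
    )
    return findings


if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

On the sample the origin hop is 68.67.78.89 announcing itself as `square-network`, which has nothing to do with the myacen.com domain the From header claims; that mismatch, plus the `.pif` attachment and the "The Myacen.com team" signature, is what a server-side filter can key on. The same Received walk is how you confirm a bounce that "came from you" really left someone else's machine, as JayC describes.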
NE-Andy 03-23-2004, 01:21 AM Yah... I got that mail from the exact same address (IE: from Me@MySite.com to Me@MySite.com)... pretty dumb if you ask me... I'd know if I mailed such message to myself...
Dan Grossman 03-23-2004, 01:24 AM The mail uses various addresses at your domain to try to simulate a message from a network administrator to network users (i.e. the IT department mailing employees of a company that their mailbox was infected).
Hostex Australia 03-23-2004, 01:49 AM i've been getting a million of those sort of emails :mad:
Torith 03-23-2004, 01:57 AM thanks for the clear up. I for one never download anything from email unless I know the person in real life, and I would usually call them up and ask if they sent anything. Maybe I am insane for doing so, but my computer is worth too much to just toss away.
The Dude 03-23-2004, 02:38 AM Ever since idiot bush signed the "CAN SPAM" law into effect, I've gotten many spam emails made to look like I sent them, and I'm not happy either!!!!!!!!!!!
The Dude :angry:
joshiee 03-23-2004, 02:46 AM Off topic, but my freaking friend forwards every virus in the email to me thinking it's humorous. Fun stuff if I'm up for it.
peersignal 03-23-2004, 03:51 AM My mom received an email exactly worded like the one you posted, save it had the name of our ISP. She said it looked suspicious and I took a look at it. I told her to delete it as it was a virus.
stripeyteapot 03-24-2004, 07:53 AM Norton AntiVirus removed the attachment: MsgInfo.zip.
The W32.Beagle@mm!zip threat was detected in the attachment.
I am unsure what this virus does, besides sending to a lot of emails ever listed on your computer. Obviously, some people do not have virus scanning software, or it's pirated and doesn't work (people mess with pirated versions).
PLEASE run a virus scanner, to stop it spreading; we have received a few of these ourselves, and one of our employees has had the virus.
Regards,
Hostex Australia 03-24-2004, 08:43 AM this may sound like a stupid question, but what is the .pif file format actually officially used for?
anon-e-mouse 03-24-2004, 10:42 AM Originally posted by Bub Host
this may sound like a stupid question, but what is the .pif file format actually officially used for?
http://www.webopedia.com/TERM/P/PIF_file.html
stripeyteapot 03-24-2004, 10:50 AM Does anyone know exactly what this one does?
ilyash 03-24-2004, 06:26 PM It makes your system accessible from the outside.
Also it kills the processes that update your antivirus definitions.
I guess you can say it is more of a trojan than a virus
Xshare 03-24-2004, 06:33 PM I get these very often. Never fool me. I don't ever open an attachment unless I am expecting it!