Just received html-based email that looks like it was cloned from html code
on MS site; attachment is a file named: pack426.exe Subject is "Current
Update"

Virus scan with latest Computer Associates EZAntivirus and Alwil-Avast comes
up negative, but I sure won't open this puppy...

Headers are as follows:


Return-Path: <pjlm.jennissen@planet.nl>
Received: from smtp05.wxs.nl ([195.121.6.57])
    by fep03-mail.bloor.is.net.cable.rogers.com
    (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP
    id <20030918123314.LTSM322285.fep03-mail.bloor.is.net.cable.rogers.com@smtp05.wxs.nl>
    for <------my email removed------>; Thu, 18 Sep 2003 08:33:14 -0400
Received: from odtrovl (ip3e83d606.speed.planet.nl [62.131.214.6])
    by smtp05.wxs.nl
    (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003)) with SMTP
    id <0HLE007EPTK4GB@smtp05.wxs.nl> for ------my email removed------;
    Thu, 18 Sep 2003 14:34:01 +0200 (MEST)
Date: Thu, 18 Sep 2003 14:33:41 +0200 (MEST)
Date-warning: Date header was inserted by smtp05.wxs.nl
From: MS Corporation Public Services <tubfvhoao-mwqqjg@newsletters.com>
Subject: Current Update
To: <catjc_brtjysja@newsletters.com>
Message-id: <0HLE007ERTK4GB@smtp05.wxs.nl>
MIME-version: 1.0
Content-type: multipart/mixed;
    boundary="Boundary_(ID_yoNwYuiDWWdZViO3VsQTOg)"
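
A header triage over the message in the post above, as an added example that is not part of the original thread: it compares the claimed sender with the relay path and checks the attachment name. The headers are the posted ones with the Received lines abbreviated; the body, the attachment part, and the names `triage`, `domain` and `RISKY_EXT` are assumptions made for this example.

```python
import email
import re
from email import policy
# Headers are the ones posted above (Received lines abbreviated); the body and
# the attachment part are constructed for this example.
RAW = """\
Return-Path: <pjlm.jennissen@planet.nl>
Received: from smtp05.wxs.nl ([195.121.6.57])
 by fep03-mail.bloor.is.net.cable.rogers.com with ESMTP;
 Thu, 18 Sep 2003 08:33:14 -0400
Received: from odtrovl (ip3e83d606.speed.planet.nl [62.131.214.6])
 by smtp05.wxs.nl with SMTP; Thu, 18 Sep 2003 14:34:01 +0200 (MEST)
From: MS Corporation Public Services <tubfvhoao-mwqqjg@newsletters.com>
Subject: Current Update
MIME-version: 1.0
Content-type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<html><body>constructed body</body></html>
--B
Content-Disposition: attachment; filename="pack426.exe"

constructed
--B--
"""
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed blocklist

def domain(header):
    m = re.search(r"@([\w.-]+)", str(header or ""))
    return m.group(1).lower() if m else ""

def triage(raw):
    """Return triage hints (weak signals, not proof) for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hints, from_dom = [], domain(msg["From"])
    if from_dom != domain(msg["Return-Path"]):
        hints.append(f"From {from_dom} vs Return-Path {domain(msg['Return-Path'])}")
    # The last Received header is the first hop: the host that injected the mail.
    hops = msg.get_all("Received", [])
    origin = re.search(r"from\s+\S+\s+\(([^)]*)\)", str(hops[-1])) if hops else None
    if origin and from_dom not in origin.group(1):
        hints.append(f"first hop {origin.group(1)} is outside {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hints.append(f"executable attachment {name}")
    return hints
```
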

Re: Possible new virus email? pack426.exe by Bill

Bill
Thu Sep 18 13:02:14 CDT 2003

Send the sucker on to your antivirus vendors please?

"Kerry Liles" <kerryliles@rogers.nospam.com> wrote in message
news:elqp0lefDHA.392@TK2MSFTNGP12.phx.gbl...
> Just received html-based email that looks like it was cloned from html code
> on MS site; attachment is a file named: pack426.exe Subject is "Current
> Update"
>
> Virus scan with latest Computer Associates EZAntivirus and Alwil-Avast comes
> up negative, but I sure won't open this puppy...



Re: Possible new virus email? pack426.exe by Kerry

Kerry
Thu Sep 18 13:51:40 CDT 2003

Already on the way (two variants)!


"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:eeWGB8gfDHA.3228@tk2msftngp13.phx.gbl...
> Send the sucker on to your antivirus vendors please?



Re: Possible new virus email? pack426.exe by Bill

Bill
Thu Sep 18 14:55:54 CDT 2003

Here's one thing folks are seeing today:

http://www.f-secure.com/v-descs/swen.shtml

"Kerry Liles" <kerryliles@rogers.nospam.com> wrote in message
news:e9yBtbhfDHA.1732@TK2MSFTNGP12.phx.gbl...
> Already on the way (two variants)!



Re: Possible new virus email? pack426.exe by dave

dave
Thu Sep 18 17:49:18 CDT 2003

"Kerry Liles" <kerryliles@rogers.nospam.com> wrote in message news:<elqp0lefDHA.392@TK2MSFTNGP12.phx.gbl>...
> Just received html-based email that looks like it was cloned from html code
> on MS site; attachment is a file named: pack426.exe Subject is "Current
> Update"
>
> Virus scan with latest Computer Associates EZAntivirus and Alwil-Avast comes
> up negative, but I sure won't open this puppy...

I've seen about 30 or so of these emails day.... It's getting pretty
annoying....

And the EXE file names vary... mine have had names like update61.exe
and final.exe ...

Re: Possible new virus email? pack426.exe by Kerry

Kerry
Fri Sep 19 06:40:47 CDT 2003

Yeah - CA verified that it was that virus, but they did not have new sigs
(at that point). Overnight I received about 40 more with varying filenames
etc.


"David Orriss Jr" <dave@davenet.net> wrote in message
news:c5bf7a0c.0309181449.53c61ef0@posting.google.com...
> "Kerry Liles" <kerryliles@rogers.nospam.com> wrote in message news:<elqp0lefDHA.392@TK2MSFTNGP12.phx.gbl>...
> > Just received html-based email that looks like it was cloned from html code
> > on MS site; attachment is a file named: pack426.exe Subject is "Current
> > Update"
> >
> > Virus scan with latest Computer Associates EZAntivirus and Alwil-Avast comes
> > up negative, but I sure won't open this puppy...
>
> I've seen about 30 or so of these emails day.... It's getting pretty
> annoying....
>
> And the EXE file names vary... mine have had names like update61.exe
> and final.exe ...



Re: Possible new virus email? pack426.exe by Bill

Bill
Fri Sep 19 21:39:00 CDT 2003

CA is reputed to have an automated cleaner tool at this point, fwiw.

"Kerry Liles" <kerryliles@rogers.nospam.com> wrote in message
news:OhKhLRqfDHA.620@TK2MSFTNGP11.phx.gbl...
> Yeah - CA verified that it was that virus, but they did not have new sigs
> (at that point). Overnight I received about 40 more with varying filenames
> etc.