Return-Path: <majordom@post.thorcom.com>
Received: (qmail 7449 invoked from network); 1 Aug 2001 07:44:22 -0000
Received: from unknown (HELO warrior-inbound.services.quay.plus.net) (212.159.14.227)  by excalibur.plus.net with SMTP; 1 Aug 2001 07:44:22 -0000
Received: (qmail 14734 invoked from network); 1 Aug 2001 07:43:52 -0000
Received: from unknown (HELO post.thorcom.com) (212.172.148.70)  by warrior with SMTP; 1 Aug 2001 07:43:52 -0000
Received: from majordom by post.thorcom.com with local (Exim 3.16 #2) id 15RqXe-0005YH-00 for rsgb_lf_group-outgoing@blacksheep.org; Wed, 01 Aug 2001 08:35:42 +0100
Received: from protactinium.btinternet.com ([194.73.73.176] helo=protactinium) by post.thorcom.com with esmtp (Exim 3.16 #2) id 15RqXd-0005YC-00 for rsgb_lf_group@blacksheep.org; Wed, 01 Aug 2001 08:35:41 +0100
Received: from [62.7.15.98] (helo=dave) by protactinium with smtp (Exim 3.22 #9) id 15RqWx-0007HQ-00 for rsgb_lf_group@blacksheep.org; Wed, 01 Aug 2001 08:34:59 +0100
Message-ID: <002901c11a5c$e365d660$620f073e@dave>
From: "Dave Sergeant" <dsergeant@connectfree.co.uk>
To: "rsgb_lf_group" <rsgb_lf_group@blacksheep.org>
References: <000301c119f9$0891ab80$1f0f7bd5@default>
Subject: LF: Re: Alan infected ??
Date: Wed, 1 Aug 2001 08:36:54 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Precedence: bulk
Reply-To: rsgb_lf_group@blacksheep.org
X-Listname: rsgb_lf_group
Sender: <majordom@post.thorcom.com>

Alan Melia wrote:
>Hi All, Brian CT1DRP reported a strange file with no subject but using a
>title I had previously used on a message to Brian as a filename, and
>appending the extensions .xls.bat

This sounds like the W32.Badtrans@MM virus which has been doing the rounds lately.
It sends itself as replies to unread mails in the victims inbox.  Like all these
things it causes no harm unless the attachment is opened, and in any case all the
current virus packages will detect it.  However as it is a reply to one of your own
mails it can take one unawares, but the double extension is a give away. Note that
the mails will come direct from the sender, not via the reflector.

Good practice in this case is to always read your mail then move it to a different
folder - leave your inbox empty so it will have nothing to work on - and check for
any unexpected outgoing mail before you connect and send it. Those who have always on
connection and have configured their system to send mail immediately have a problem
in this respect.

Cheers Dave G3YMC
dsergeant@iee.org
dsergeant@btinternet.com
http://www.dsergeant.btinternet.co.uk