Return-Path:
Received: (qmail 26784 invoked from network); 1 Nov 2002 19:28:19 -0000
Received: from warrior.services.quay.plus.net (212.159.14.227)
    by mailstore with SMTP; 1 Nov 2002 19:28:19 -0000
Received: (qmail 16017 invoked from network); 1 Nov 2002 19:29:35 -0000
Received: from post.thorcom.com (193.82.116.70)
    by warrior.services.quay.plus.net with SMTP; 1 Nov 2002 19:29:35 -0000
Received: from majordom by post.thorcom.com with local (Exim 4.10)
    id 187hSr-0002t7-00 for rsgb_lf_group-outgoing@blacksheep.org;
    Fri, 01 Nov 2002 19:28:17 +0000
Received: from [165.254.158.18] (helo=mail.mcf.com)
    by post.thorcom.com with esmtp (Exim 4.10)
    id 187hSr-0002sy-00 for rsgb_lf_group@blacksheep.org;
    Fri, 01 Nov 2002 19:28:17 +0000
Received: from parissn2 (213.41.137.138)
    by mail.mcf.com with ESMTP (Eudora Internet Mail Server 3.1.4)
    for ; Fri, 1 Nov 2002 14:28:25 -0500
Message-ID: <014801c281dc$c4932100$0700000a@parissn2>
From: "Stewart Nelson"
To: rsgb_lf_group@blacksheep.org
References: <002d01c2819b$ac403c00$0504210a@c.scope>
Date: Fri, 1 Nov 2002 20:27:49 +0100
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Subject: Re: Don't open "Re:LF:Capacity hat puzzle" from Rik Strobbe (bug bear virus again!)
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=-0.3 required=5.0
    tests=QUOTED_EMAIL_TEXT,REFERENCES,SPAM_PHRASE_00_01,USER_AGENT_OE
    version=2.42
Sender:
Precedence: bulk
Reply-To: rsgb_lf_group@blacksheep.org
X-Listname: rsgb_lf_group

Hi all,

The infected message certainly has nothing to do with Rik -- the From: address is forged. Hugh is also correct about the fen-net.de origin.

There are three things about a Bugbear message that are not faked:

The outgoing mail server (here hugo.fen-net.de aka mail.fen-net.de) is the one normally used by the victim.
The IP address (here dialin-nbg-018.fen-net.de [212.204.116.18]) is the address the machine had when the virus was sent.

And the machine name (here 'PC') is also not forged.

A search through recent postings found only Walter DJ2LF with an address at fen-net.de. But his messages (last one that I had saved was July 28) all came from a machine named 'DEFAULT'. So that machine is not the culprit.

IMO, there are two possibilities:

Walter got a new computer named 'PC' (or a fresh OS install) and it is infected.

More likely, there is another member, in the Nürnberg area, with a fen-net.de address, who has not posted recently, but who has the virus.

If this might be you, there is information about bugbear at http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html (Symantec), at http://www.mcafee.com/anti-virus/viruses/bugbear/ (McAfee) or at many other anti-virus sites.

73,

Stewart KK7KA

----- Original Message -----
From: "Hugh Burnham"
To: "LF-Group"
Sent: Friday, November 01, 2002 12:41 PM
Subject: Don't open "Re:LF:Capacity hat puzzle" from Rik Strobbe (bug bear virus again!)

> Hi all
> Norton has just thrown up a Virus Alert (Bugbear) on a message
> "Re:LF:Capacity hat puzzle" purporting to be from Rik Strobbe (but
> necessarily his machine that is infected).
> This is an old message regurgitated by the Virus, to look plausible and
> refers to a message dated 18/09/2002
> It seems to have come from the domain name "hugo.fen-net.de" if that means
> anything to anyone ...
> 73
> Hugh M0WYE
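
Added example, not part of the original message: a Python version of the header check Stewart describes, reading the machine name, dial-up IP and outgoing mail server from the earliest Received: header and comparing them with saved postings. It relies on the message's premise that this hop is not faked. The header layout, ids, times, the 192.0.2.25 address and the second poster are constructed; the fen-net.de host names, the dial-up IP and the machine names are the ones quoted in the message.

```python
import re
from email import message_from_string

# Constructed sample. Header layout, ids, times and 192.0.2.25 are assumptions;
# host names, dial-up IP and machine name are those quoted in the message.
INFECTED = """\
Received: from hugo.fen-net.de (hugo.fen-net.de [192.0.2.25])
    by post.thorcom.com with esmtp id CONSTRUCTED-2; Fri, 01 Nov 2002 11:05:00 +0000
Received: from PC (dialin-nbg-018.fen-net.de [212.204.116.18])
    by hugo.fen-net.de with SMTP id CONSTRUCTED-1; Fri, 01 Nov 2002 12:04:58 +0100
From: "Forged Sender" <forged@example.org>
Subject: Re:LF:Capacity hat puzzle

(body omitted)
"""

HOP = re.compile(r"from\s+(?P<machine>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
                 r"\s+by\s+(?P<server>\S+)")

def first_hop(raw):
    """Parse the earliest Received: header, written by the victim's usual mail server."""
    received = message_from_string(raw).get_all("Received") or []
    for value in reversed(received):             # headers are prepended, so go bottom-up
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            return m.groupdict()
    return None

def domain(host):
    """Naive registered domain (last two labels); enough for fen-net.de."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def match_posters(hop, posters):
    """Compare the hop with (name, address domain, machine name) taken from saved posts."""
    verdicts = {}
    for name, addr_domain, machine in posters:
        if addr_domain.lower() != domain(hop["server"]):
            verdicts[name] = "different provider"
        elif machine.lower() == hop["machine"].lower():
            verdicts[name] = "same provider and machine name"
        else:
            verdicts[name] = "same provider, different machine name"
    return verdicts

# Walter's entry is from the message; the second poster is constructed.
POSTERS = [("Walter DJ2LF", "fen-net.de", "DEFAULT"), ("Constructed poster", "example.org", "PC")]

if __name__ == "__main__":
    hop = first_hop(INFECTED)
    print(hop)
    print(match_posters(hop, POSTERS))
```

A machine name such as 'PC' is common, so a match on the name alone says little; the provider and the name have to agree, which is why the constructed second poster is reported as a different provider.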