Re: WARNING: Ridecamp message with attached .exe file

["Keith and Anna" <desautels@cnetco.com>]

I just go this one today on another email list. that may be your bug.

Anna and Keith and all our critters in New Mexico
(horses) Hobo(the old man) Shy Ann (the Mule)
Lizzy (momma) and Lightning (baby)
(Basenjis) Lady Queen of the house, and
her two sons George and Iceman and finally
Lilly (the prairie dog)
visit my website at
http://www.shyann.friendpages.com



Hi Everyone,

    I just received this from McAfee.com Dispatch. This one is for real.

****************************************************

>>W32/NewApt is an email worm. AVERT has given it a risk
assessment of Medium--On Watch.

This worm arrives as an email attachment. The body of the
email appears differently depending on whether the email
client reads HTML. If it does, the email text looks like
this:

       http://stuart.messagemates.com/index.html

    Hypercool Happy New Year 2000 funny programs and
                      animations...

   We attached our recent animation from this site in our
                  mail ! Check it out

If the email client is not HTML-capable, the message reads:

  he, your lame client cant read HTML, haha. click
  attachment to see some stunningly HOT stuff

The worm is in the attachment, which has a name chosen
randomly from the following list:

  baby.exe, bboy.exe, boss.exe, casper.exe, chestburst.exe,
  cooler1.exe, cooler3.exe, copier.exe, cupid2.exe,
  farter.exe, fborfw.exe, goal.exe, goal1.exe, g-zilla.exe,
  irngiant.exe, hog.exe, monica.exe, panther.exe,
  panthr.exe, party.exe, pirate.exe, s.exe, saddam.exe,
  theobbq.exe, video.exe.

If the worm is run, the following dummy error message
appears:

  The dinamic link library giface.dll could not be found in
  the specified path [list of directory names]

Note the misspelling of the word "dynamic".

If the worm detects that Outlook Express is installed, it
will search for messages received and build a list of
addresses. The next time Windows is booted, the worm waits
an unspecified amount of time and then attempts to send
itself to one of the addresses in its list, using the
format described above. <<




> Cardinal rule of computers. Do not open any .exe file unless you know both
> from where it came and its purpose and that the sender is virus free.
There
> is an attached .exe file on recent message that appears to come directly
> from Ridecamp under subject of  'RC:  Re: to the anal orifice who told a
> Lady,  "Respect me or I will DEMOLISH you!"'. The header indicated direct
> from Ridecamp as opposed to resent from Ridecamp, but I suspect a forged
> header. I can't imagine Steph sending a direct message from Ridecamp under
> that subject heading (for that matter she has never sent a direct message,
> but always to ridecamp - there is a distinction). It also did not come or
> pass through fsr.com or fsr.net which a would be the route for ridecamp
> mail. It was a html file with reference to a web site. It also comes with
an
> attached .exe file. This may be innocent, but only a fool would open the
> .exe without knowing more.
>
> In addition to the website, the message contained the following: Hypercool
> Happy New Year 2000 funny programs and animations...
> We attached our recent animation from this site in our mail ! Check it
out.
>
> Anyone else get this message, or is someone gunning for me.
>
>


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ridecamp is a service of Endurance Net, http://www.endurance.net.    
Information, Policy, Disclaimer: http://www.endurance.net/RideCamp   
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=