VIRUS WARNING: Who's using Comcast as ISP in Venice FLA?



MicahO
04-26-2004, 11:47 AM
There are emails going out from a sender in the Venice FLA area that seem to be viral in nature. The TO and FROM fields are being spoofed. Messages have been received that would indicate that it's someone fairly well versed with our e34 community here at bimmer.info.

The messages seen so far have the subject line of "HEY!" and contain a picture of a girl (not pornographic), as well as a VBS attachment. Both attachments scan clean for viruses, however, the VBS script writes and then attempts to execute an executable called bbbs.exe. This behavior, combined with the spoofed TOs and FROMs, would certainly indicate a virus, perhaps a brand-new one. Interestingly, bbbs.exe is a Bulletin Board server. Why would someone craft a spoofed VBS script that clandestinely creates a Bulletin Board on various local machines? Perhaps that BBS has some security holes that can be exploited. Who knows.

Anyone in the VENICE FLA area - please check your current IP address. These messages are being sent from the IP address 68.56.197.209.

Be careful out there--Update your anti-virus software and signatures.

MicahO
04-26-2004, 12:04 PM
It would appear that what is moving around is a new virus or an old virus wrapped up in a new way, and someone that knows a few of us is an early adopter. Digging into the code of the VBS script reveals a few strings that are legible, things like "UNIQUE PEOPL MAKE THINGS" and "Author of agle." Bagle has certainly been an active virus on the world scene lately. This may be related. In any event, what gets written to the hard drive is most definitely NOT the bbbs.exe that runs bulletin boards.

As for the 'insidious' part - scanning this guy may not show a virus at all - the VBS script is written to create the executable and then run it, so the scanner would need to look through a level of obfuscation to see any real code. Sneaky! At least they are getting more creative!


Okay - McAfee has information - it's about as new as it gets:
Bagle.Z, 26th April 09:37 PST (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=122415)
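As an added illustration of the write-then-execute behaviour Micah describes (this is not code from the thread or from any of its posters), here is a small Python triage routine for a mail message: it pulls script attachments out of an EML, flags names like girl.jpg.vbs, and reports a script that both writes a file and launches a process, which is the part a plain file scanner misses when the executable only exists after the script runs. The message and the VBS text are constructed fixtures; the only value taken from the thread is the file name bbbs.exe.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows Script Host will execute on double-click.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

# Indicator regexes. One hit alone is weak evidence; the combination
# "writes a file" AND "launches a process" is the dropper pattern we flag.
WRITE_RULES = [
    ("FileSystemObject", re.compile(r"Scripting\.FileSystemObject", re.I)),
    ("file write call", re.compile(r"\.(CreateTextFile|OpenTextFile|Write(?:Line)?|SaveToFile)\b", re.I)),
]
EXEC_RULES = [
    ("WScript.Shell", re.compile(r"WScript\.Shell", re.I)),
    ("process launch call", re.compile(r"\.(Run|Exec|ShellExecute)\b", re.I)),
]
# Quoted string literals that name an executable, e.g. the dropped file path.
EXE_TARGET = re.compile(r"[\"'][^\"']*\.(?:exe|scr|com|bat|pif)[\"']", re.I)


def is_script_attachment(filename):
    """True when the attachment name ends in a WSH-executable extension."""
    return filename.lower().endswith(SCRIPT_EXTENSIONS)


def has_double_extension(filename):
    """girl.jpg.vbs: an image-looking name with a script extension tacked on."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in SCRIPT_EXTENSIONS


def analyse_script(text):
    """Heuristic scan of script source for the write-then-execute pattern."""
    writes = [label for label, rx in WRITE_RULES if rx.search(text)]
    execs = [label for label, rx in EXEC_RULES if rx.search(text)]
    targets = sorted({m.group(0).strip("\"'") for m in EXE_TARGET.finditer(text)})
    return {
        "writes": writes,
        "executes": execs,
        "targets": targets,
        "dropper_like": bool(writes) and bool(execs),
    }


def triage(raw_message):
    """Parse an RFC 822 message and return findings for each script attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not is_script_attachment(name):
            continue
        # Undo the transfer encoding; scripts are text, so latin-1 never fails.
        source = (part.get_payload(decode=True) or b"").decode("latin-1")
        result = analyse_script(source)
        result["filename"] = name
        result["double_extension"] = has_double_extension(name)
        findings.append(result)
    return findings


# Constructed fixture: the indicator calls in isolation, not a working script.
SAMPLE_VBS = """' constructed test fixture for the detector
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("C:\\temp\\bbbs.exe", True)
f.Write payload
f.Close
CreateObject("WScript.Shell").Run "C:\\temp\\bbbs.exe"
"""


def build_sample_message():
    """Constructed message shaped like the one in the thread: subject HEY!, a picture, a .vbs."""
    msg = EmailMessage()
    msg["Subject"] = "HEY!"
    msg["From"] = "someone@example.com"  # constructed; the real campaign spoofs this field
    msg["To"] = "you@example.org"
    msg.set_content("hey, look at this")
    msg.add_attachment(b"\xff\xd8\xff\xe0 placeholder, not a real JPEG",
                       maintype="image", subtype="jpeg", filename="girl.jpg")
    msg.add_attachment(SAMPLE_VBS.encode("ascii"),
                       maintype="application", subtype="octet-stream",
                       filename="girl.jpg.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in triage(build_sample_message()):
        verdict = "DROPPER-LIKE" if hit["dropper_like"] else "script, no write+exec"
        print(f'{hit["filename"]}: {verdict}; writes={hit["writes"]} '
              f'executes={hit["executes"]} targets={hit["targets"]} '
              f'double_extension={hit["double_extension"]}')
```

Run it on a saved .eml instead of the fixture by passing the file's bytes to triage(). The rules are deliberately coarse: they catch the plain write-and-run shape, not a script that builds its calls from encoded strings, so treat a clean result as "nothing obvious" rather than "safe".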

632 Regal
04-26-2004, 12:13 PM
Even a better reason for Mailwasher that people can purchase through this home page!

George M
04-26-2004, 12:41 PM
hmmm...my mother uses Comcast and is from the Venice Florida area. Don't know if this is coincidence or not but thought I would register my comment to you Micah if you have any advice. I post on the board using MSN and am in the Detroit area.
George

ryan roopnarine
04-26-2004, 01:12 PM
me, coz, i only use webmail now, don't have a mail client anymore for that exact reason.

MicahO
04-26-2004, 01:19 PM
If you got the script via your webmail and it ran, you're infected. This one comes with its own SMTP engine and does not rely on the presence of any address books to build its emails (though they help to speed things along).
We've even seen wrappers that were specifically designed to get through Yahoo's attachment scanners, and quite effectively too.

Web mail is no protection!

me, coz, i only use webmail now, don't have a mail client anymore for that exact reason.

ryan roopnarine
04-26-2004, 03:02 PM
let me clarify what i meant to say.....the virus filter on my webmail has consistently caught virus infected email that norton likely wouldn't have because of their "newness", and i run updates every thursday, so it's one less thing for me to think about...not being forced to do very much on my end to stay clean.

George M
04-26-2004, 03:07 PM
ryan...if that isn't your IP address then likely it isn't you. I will verify if it is my Mom's I.P. address out of Venice Florida...she is not home at the present time. I ran a scan of my system with the latest Stinger software and nothing detected. Possibly Stinger will not detect this particular worm however.
George

Brian C.
04-26-2004, 03:33 PM
There are emails going out from a sender in the Venice FLA area that seem to be viral in nature. The TO and FROM fields are being spoofed. Messages have been received that would indicate that it's someone fairly well versed with our e34 community here at bimmer.info.

The messages seen so far have the subject line of "HEY!" and contain a picture of a girl (not pornographic), as well as a VBS attachment. Both attachments scan clean for viruses, however, the VBS script writes and then attempts to execute an executable called bbbs.exe. This behavior, combined with the spoofed TOs and FROMs, would certainly indicate a virus, perhaps a brand-new one. Interestingly, bbbs.exe is a Bulletin Board server. Why would someone craft a spoofed VBS script that clandestinely creates a Bulletin Board on various local machines? Perhaps that BBS has some security holes that can be exploited. Who knows.

Anyone in the VENICE FLA area - please check your current IP address. These messages are being sent from the IP address 68.56.197.209.

Be careful out there--Update your anti-virus software and signatures.

632 Regal
04-26-2004, 07:25 PM
to think I have had NO antivirus protection since '96 and no major viruses... must be doing something right. And NO I'm not a very lucky individual either.
:D
Has a few tricks up his sleeves.

MicahO
04-27-2004, 07:16 AM
Good operational controls will beat out antivirus software any day, true. But you can't be there all the time, and sooner or later you've had a few too many beers while you're sitting at the controls. AV's a good latch (not lock) on the front door......

632 Regal
04-27-2004, 01:58 PM
Quoting MicahO: "you've had a few too many beers while you're sitting at the controls."

is that statement even possible?

;)