ReX

A virus seems to have affected some Doomers


Today I received a flurry of junk email, many with attachments that contained the following virus: W32.Yaha.F@mm. Practically all of these email messages were from someone in the DooM community, including the following:

Cyb
brandori
arioch
Chris Hansen
bloodshedder

The subject header is one of the following:

FW: goldfish
New Text Document
Nice Screenshot to Enjoy !
FW: Wonderfool Stuff for You

Keep an eye out for this shit, and delete the entire email if you come across it.


I doubt it's them; most viruses now are clever (and annoying) enough to spoof their source address. The virus is undoubtedly pretending to be those people.


I'm completely virus free, despite having used Outlook exclusively for the past 3 years.

Check not the address but the e-mail headers. It is there that you'll find the true victim.


yeah I get quite a few of those myself, sometimes from 'myself'.

what viruses do (and spam companies as well, further proving that they are a virus) is often spoof the return address or return path with someone found in the inbox, making the virus impossible to trace.

all of my current mail servers strip any sort of attachments that are executable in any way (exe, vbscript or otherwise), so it's highly unlikely it was from me, or any of those people in fact.


Just in case someone does have the virus, here's some information on it and maybe how to get rid of it.


Fraggle, Arioch, and Cyb said that viruses often spoof the return address

Thanks for clarifying that. I suspected that there was something deeper than a simple forwarded email, as I was getting them from so many different DooMers.

Fredrik said:

E-mail viruses still outsmart the computer users? Heh.

Not really, the creators of the viruses may though. :P


The infected person will probably be a Doomer, given that they have these addresses in their address book.

The "Sender:" line in the message header should give a better idea of whose computer it is really from than the "From:" line (which the virus fakes).


my rules for email
never open anything FWD:
never open anything with a clip
if it looks like someone's email address but is incorrect in some way, don't open it
i open nothing that doesn't sound like a subject that person would send
i never open Re: messages unless i know i sent the original message.
nothing is opened that is sent to more than one user

i also almost never open anything from AOL, mainly cause AOL users are the most common virus transmitters (the whores of the internet, and these whores don't use condoms)

Grazza said:

The infected person will probably be a Doomer, given that they have these addresses in their address book.

Not necessarily. Certain worms/viruses have been known to troll browser caches, picking up addresses there on an infected machine. So even someone who visited DW once could be sending some of these out.

The "Sender:" line in the message header should give a better idea of whose computer it is really from than the "From:" line (which the virus fakes).

The Sender line can be easily faked as well. The only true indication is to look at the Received: lines. Bogus Received: lines can be added, but there's always at least one that is real.


More of the same shit in my Bulk Mail folder. There's another variant of the regular and forwarded mail -- an Undelivered Mail Returned to Sender message. These are being "returned" from the same people from whom I got the original mail and forwarded mail.

Curious that Yahoo recognizes these as Bulk Mail. You'd think that mail from cyb, arioch, etc. would be put into my Inbox.


Hey bs, post that huge email analysis you gave to me a week or so ago.


heh, okay.

Viruses, spammers, etc. can falsify any sort of SMTP header information they wish, including Received: lines, Message-ID: lines, Return-path: lines, and so on. Here's an example of a typical junk mail header, along with another copy with my comments.

Return-Path:
Received: from millersace.com (pa-bethelpark-cadent1-millers-ace-hardware-cpe.pit.adelphia.net [68.168.162.198]) by middleearth.telefragged.com (8.12.8/8.12.6) with ESMTP id 3UL4Mn1008146 for ; Wed, 30 Apr 2003 16:04:22 -0500
Received: from kimo.com.tw [61.62.4.252] by millersace.com with ESMTP (SMTPD32-7.06) id A7904501F8; Wed, 30 Apr 2003 02:05:04 -0400
From: swsc@seed.net.tw
Subject: =?Big5?B?s8zCsrPmqfbAtKq6pEikT7vIpuY=?=
To: angelscott@kimo.com.tw
Content-Type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="CHINESEBIG5"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: swsc@seed.net.tw
Reply-To: sib00585@ms34.hinet.net
Date: Wed, 30 Apr 2003 14:06:19 +0800
X-Priority: 1
X-Library: Indy 9.00.10
X-MimeOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
Message-Id: <200304300206885.SM01240@kimo.com.tw>

Return-Path: Forged. As you'll see from the next line, this message did not come from anywhere in Taiwan.
Received: from millersace.com (pa-bethelpark-cadent1-millers-ace-hardware-cpe.pit.adelphia.net [68.168.162.198]) by middleearth.telefragged.com (8.12.8/8.12.6) with ESMTP id h3UL4Mn1008146 for ; Wed, 30 Apr 2003 16:04:22 -0500 This line, the last Received: line, is the only one that cannot be forged. As you can see, the Telefragged server received this message from 68.168.162.198, which it resolved to pa-bethelpark-cadent1-millers-ace-hardware-cpe.pit.adelphia.net. Adelphia is the ISP of the user who sent this message.
Received: from kimo.com.tw [61.62.4.252] by millersace.com with ESMTP (SMTPD32-7.06) id A7904501F8; Wed, 30 Apr 2003 02:05:04 -0400 Forged. kimo.com.tw does not resolve to 61.62.4.252, but to 64.58.79.230 and 66.218.71.198.
From: swsc@seed.net.tw Forged; see Return-Path above.
Subject: =?Big5?B?s8zCsrPmqfbAtKq6pEikT7vIpuY=?= Just the subject.
To: angelscott@kimo.com.tw May be true; the reason my address was not in any To: list was most likely because the sender used BCC (Blind Carbon Copy), which does not show who it is sent to.
Content-Type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="CHINESEBIG5" This line defines the MIME (Multiple Internet Mail Exchange) format. As you can see, the message should be in Chinese, but since I don't have that character set installed...
MIME-Version: 1.0 See above.
Content-Transfer-Encoding: quoted-printable Not sure what this means.
Sender: swsc@seed.net.tw See Return-Path.
Reply-To: sib00585@ms34.hinet.net Can be set to basically anything in any e-mail client.
Date: Wed, 30 Apr 2003 14:06:19 +0800 Just the date.
X-Priority: 1 This means "High" priority in Outlook/Outlook Express.
X-Library: Indy 9.00.10 Not sure what this means.
X-MimeOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000 Mircosoft? An obvious forgery.
Message-Id: <200304300206885.SM01240@kimo.com.tw> Forged as well, since this message never passed through any of kimo.com.tw's mail servers.

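As an added example (not code from the thread or from any of the posters): a small Python script that does mechanically what the header walkthrough above and the earlier reply about Received: lines describe. It reads the Received: chain of a raw message, picks out the hop written by your own mail server (the one line the sender could not forge) and reports the connecting IP and reverse-DNS name from it, then runs two offline consistency checks on the rest of the chain. The sample message is constructed from the quoted header: the receiving server name middleearth.telefragged.com and both Received: lines are taken from the post, while the Return-Path value, the "for" recipient, the subject and the body are left out because the post does not show them.

```python
"""Trace where a mail really came from using its Received: chain.

Added example, not from the forum thread. SAMPLE_MESSAGE is constructed
from the header quoted in the thread (values the post elided are omitted).
"""
import re
from email import message_from_string

SAMPLE_MESSAGE = """\
Received: from millersace.com (pa-bethelpark-cadent1-millers-ace-hardware-cpe.pit.adelphia.net [68.168.162.198]) by middleearth.telefragged.com (8.12.8/8.12.6) with ESMTP id h3UL4Mn1008146; Wed, 30 Apr 2003 16:04:22 -0500
Received: from kimo.com.tw [61.62.4.252] by millersace.com with ESMTP (SMTPD32-7.06) id A7904501F8; Wed, 30 Apr 2003 02:05:04 -0400
From: swsc@seed.net.tw
To: angelscott@kimo.com.tw
Sender: swsc@seed.net.tw
Reply-To: sib00585@ms34.hinet.net
Date: Wed, 30 Apr 2003 14:06:19 +0800
Message-Id: <200304300206885.SM01240@kimo.com.tw>
Subject: (subject omitted in this constructed sample)

(body omitted in this constructed sample)
"""

# Matches both "from <helo> (<rdns> [<ip>]) by <host>" (sendmail style, first
# line above) and "from <helo> [<ip>] by <host>" (second, forged line above).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip1>[\d.]+)\]\))?"
    r"(?:\s+\[(?P<ip2>[\d.]+)\])?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(raw_message):
    """Return the Received: hops in header order: most recent (topmost) first."""
    msg = message_from_string(raw_message)
    hops = []
    for line in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(" ".join(line.split()))  # unfold continuation lines
        if not m:
            hops.append({"raw": line, "parsed": False})
            continue
        hops.append({
            "helo": m.group("helo"),
            "rdns": m.group("rdns"),            # None when the line has no "(name [ip])"
            "ip": m.group("ip1") or m.group("ip2"),
            "by": m.group("by").rstrip(";,"),
            "parsed": True,
        })
    return hops


def trusted_origin(raw_message, my_server):
    """The hop written by your own server is the only one the sender could not
    forge. Return its connecting IP, reverse DNS and claimed HELO, or None."""
    for hop in parse_received(raw_message):
        if hop["parsed"] and hop["by"].lower() == my_server.lower():
            return {"ip": hop["ip"], "rdns": hop["rdns"], "claimed_helo": hop["helo"]}
    return None


def _base_domain(name):
    """Last two labels of a host name, e.g. 'adelphia.net' (crude, for a hint only)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def forgery_hints(raw_message, my_server):
    """Offline checks that point at lines the sender may have invented."""
    hints = []
    hops = parse_received(raw_message)
    origin = trusted_origin(raw_message, my_server)
    if origin is None:
        hints.append("no Received: line written by %s; nothing in the chain can be trusted" % my_server)
        return hints
    # The name the client announced in HELO should belong to the network that
    # reverse DNS places the connecting IP in; here millersace.com vs adelphia.net.
    if origin["rdns"] and _base_domain(origin["claimed_helo"]) != _base_domain(origin["rdns"]):
        hints.append("HELO name %s does not match reverse DNS %s for %s"
                     % (origin["claimed_helo"], origin["rdns"], origin["ip"]))
    # Each older hop should have been received "by" the host that the newer hop
    # says it got the mail "from"; a mismatch means somebody spliced the chain.
    for newer, older in zip(hops, hops[1:]):
        if newer["parsed"] and older["parsed"] and older["by"].lower() != newer["helo"].lower():
            hints.append("chain break: %s claims to have received from %s, but the next "
                         "line says it was received by %s" % (newer["by"], newer["helo"], older["by"]))
    return hints


if __name__ == "__main__":
    server = "middleearth.telefragged.com"  # the server in the quoted top Received: line
    print("trusted origin:", trusted_origin(SAMPLE_MESSAGE, server))
    for hint in forgery_hints(SAMPLE_MESSAGE, server):
        print("hint:", hint)
```

On the sample, the trusted hop yields 68.168.162.198 on an adelphia.net reverse name, which is exactly the conclusion the walkthrough draws; the HELO/rDNS check flags that the client announced itself as millersace.com. The chain-splice check stays quiet because the forged second line was written to agree with the first, which is why only the hop your own server wrote deserves any weight, and why the lower Received:, From:, Sender: and Message-Id: lines are treated as claims rather than facts.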
