Virus Scam?

LABachlr

A buddy of mine has a Mac and received the following emails.

He received this one yesterday:


> From: administration@[hisdomain].com
> Date: Wed Mar 10, 2004 02:11:43 PM US/Pacific
> To: [hisusername]@[hisdomain].com
> Subject: E-mail account disabling warning.
>
> Dear user of [hisdomain].com,
>
> Some of our clients complained about the spam (negative e-mail
> content)
> outgoing from your e-mail account. Probably, you have been infected
> by
> a proxy-relay trojan server. In order to keep your computer safe,
> follow the instructions.
>
> Please, read the attach for further details.
>
> Attached file protected with the password for security reasons.
> Password is 84054.
>
> Cheers,
> The [hisdomain].com team
> http://www.[hisdomain].com
Very bizarre, seeing that no one has access to his domain except me, and "administration@[hisdomain].com" is not even a valid email address. There is only one valid email address on his domain, and that's his. This is pretty much a joke, seeing that there are no known trojans for Macs, right? My guess is the attached file is a trojan itself, or some sort of program that would send info back to the sender of this email if he were to execute the attachment, which he didn't.

He then received this email this morning (this is a worm for Windows!):


> From: MadWeb01/Antena3TV@antena3tv.es
> Date: Fri Mar 12, 2004 12:50:08 AM US/Pacific
> To: "Antigen_Notification_List:_Default"@antena3tv.es
> Subject: ALERT: Message from [his name] was purged; Detected worm:
> Win32.Netsky.D (aka W32/Netsky.d@MM, Win32/Netsky.D.Worm)
>
>
> INCIDENT
> ------------------------------------------------------------------------------------------------------------------------
>
> Scan Time: 12/03/2004 09:50:08
> Detection: Detected worm: Win32.Netsky.D (aka W32/Netsky.d@MM,
> Win32/Netsky.D.Worm)
> Disposition: Note has been purged
> Incident doc: (Document link: Antigen Incident and Quarantine Area
> document) CN=MadWeb01/O=Antena3TV!!antqarea2.nsf
> Version: Antigen 7.0 SR1 (Build 711)
>
>
> MESSAGE
> ------------------------------------------------------------------------------------------------------------------------
>
> Message ID: 003087D9
> Sender: [hisusername]@[hisdomain].com
> Subject: Re: Here
> Recipients: asanz@antena3tv.es
> Routing:
>
>
> SYNOPSIS
> ------------------------------------------------------------------------------------------------------------------------
>
> FILE ATTACHMENT 'yours.pif'
> << Detected worm:Win32.Netsky.D (aka W32/Netsky.d@MM,
> Win32/Netsky.D.Worm) >>
> File size: 17424 bytes
> Host type: MSDOS
> Content type: Exe.Win32
> Compression: OFF
> Attributes: PUBLIC READ-WRITE
> File flags: 2
> Created: 12/03/2004 09:50:05
> Modified: 12/03/2004 09:50:05
> Status: Purged
> Scanner: CA(Vet) 11.4.0.1 [11.4.32.12] Win32.Netsky.D
> Scanner: NAI 4.2.0.60 [4.3.0.35] W32/Netsky.d@MM
> Scanner: CA(InoculateIT) 23.64.0.1 [23.64.0.33]
> Win32/Netsky.D.Worm
> Scanner: Sybari 6.0.664 [119.115.5157] Matched WormPurge
> filter: *netsky*
Can anyone tell me what the deal is with this? I assume all of this is totally bogus.
 
The first email you received is a variety of the Bagle virus that has been spreading very rapidly among PC users. There have been as many as three new variants initiated on the same day.

The second email you received is neither a virus nor a scam. It is from the antivirus software on an ISP's POP server. Some virus picked up your email address from a PC user's address book and used it as a "trusted source" From address to send itself to other users in the same PC's address book. The message is warning you that your machine may be infected with the virus that it detected. These messages, although well intentioned, are pointless because the From address is never, or almost never, the actual source of the virus. To me these messages are almost in the category of spam.

You can't do anything about either one except delete them.
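The two explanations above describe two distinct patterns: a lure whose attachment is password-protected with the password printed in the body (so a gateway scanner cannot open it but the user can), sent from a role account at the recipient's own domain; and a gateway antivirus notice that blames whatever address the worm forged as sender. The following Python triage is an added example, not code from anyone in this thread; it applies those indicators to three constructed messages modelled on the quoted ones. The addresses (example.com, example.es), the attachment name attachment.zip and the base64 payload bytes are placeholders, and the keyword lists are assumptions a practitioner would tune to their own mail flow.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Extensions Windows runs directly on double-click; .pif and .scr were favourites
# of the 2004 mass-mailers because they masquerade as shortcuts and screensavers.
EXECUTABLE_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs")
ARCHIVE_EXT = (".zip", ".rar")
# Role accounts a "message from your provider" lure tends to claim (assumption).
ROLE_ACCOUNTS = {"administration", "admin", "support", "postmaster", "staff"}
PASSWORD_RE = re.compile(r"password\s+(?:is|:)\s*([A-Za-z0-9]{3,})", re.I)
# Wording typical of gateway antivirus bounce notices (assumption).
AV_NOTICE_RE = re.compile(r"detected\s+(?:worm|virus)|was\s+purged|quarantin", re.I)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: str, our_address: str) -> dict:
    """Classify one raw RFC 822 message received at our_address."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    subject = str(msg.get("Subject", ""))
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content() if text else ""
    files = [p.get_filename() or "" for p in msg.iter_attachments()]
    indicators = []

    # A gateway notice naming us as the worm's sender is backscatter: the worm
    # forged our address, so the notice says nothing about our own machine.
    if AV_NOTICE_RE.search(subject + "\n" + body) and our_address.lower() in body.lower():
        return {"verdict": "backscatter",
                "indicators": ["antivirus gateway notice blaming a forged sender; ignore"]}

    # Lure indicator 1: From is a role account at the recipient's own domain.
    if sender and _domain(sender) == _domain(recipient) \
            and sender.split("@")[0] in ROLE_ACCOUNTS:
        indicators.append(f"From claims a role account at the recipient's own domain: {sender}")
    # Lure indicator 2: the attachment's password is handed out in the body, so a
    # gateway scanner cannot open the archive but the user can.
    m = PASSWORD_RE.search(body)
    if m and files:
        indicators.append(f"password {m.group(1)} for the attachment given in the body")
    # Lure indicator 3: a payload Windows will run, or an archive that can hide one.
    for name in files:
        if name.lower().endswith(EXECUTABLE_EXT):
            indicators.append(f"executable attachment {name}")
        elif name.lower().endswith(ARCHIVE_EXT):
            indicators.append(f"archive attachment {name}")
    return {"verdict": "malicious" if indicators else "clean", "indicators": indicators}


# Constructed samples modelled on the messages quoted in the thread.
LURE = """\
From: administration@example.com
To: user@example.com
Subject: E-mail account disabling warning.
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Some of our clients complained about the spam outgoing from your e-mail
account. Probably, you have been infected by a proxy-relay trojan server.
Attached file protected with the password for security reasons.
Password is 84054.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="attachment.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

WORM = """\
From: user@example.com
To: recipient@example.es
Subject: Re: Here
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Here it is.
--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="yours.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b2--
"""

NOTICE = """\
From: antigen@mailgw.example.es
To: user@example.com
Subject: ALERT: Message from user was purged; Detected worm: Win32.Netsky.D

Detection: Detected worm: Win32.Netsky.D
Disposition: Note has been purged
Sender: user@example.com
Recipients: recipient@example.es
FILE ATTACHMENT 'yours.pif'
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("worm", WORM), ("notice", NOTICE)):
        print(label, triage(raw, "user@example.com"))
```

The backscatter branch deliberately returns before the lure checks: a notice that quotes the worm's attachment name would otherwise be scored as if it carried the payload itself. Nothing here inspects the attachment bytes; the point is that the headers and body text alone are enough to tell the two cases apart and to see why neither one is evidence that the named sender is infected.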
 
perfessor101 said:
The first email you received is a variety of the Bagle virus
Actually the correct name of the virus is Beagle. Probably just a typo. My IT department made the same mistake earlier; ever since, we've been joking about creating a virus called Bagle and having it spread via the file wickedcreamcheese.scr. ::ha::
 
Gnomo said:
Actually the correct name of the virus is Beagle. Probably just a typo. My IT department made the same mistake earlier; ever since, we've been joking about creating a virus called Bagle and having it spread via the file wickedcreamcheese.scr. ::ha::

LOL. Thanks.
 
This virus looks like it's more consistent with w32.Netsky.K@mm than any of the Beagle/Bagle variants.
 