C-PALSY Archives

Cerebral Palsy List

C-PALSY@LISTSERV.ICORS.ORG

Subject:
From: "I. STEPHEN MARGOLIS" <[log in to unmask]>
Reply To: St. John's University Cerebral Palsy List
Date: Sat, 12 Jun 1999 02:56:19 -0400
Content-Type: text/plain
Try again?

-----Original Message-----
From: L-Soft list server at St. John's University (1.8c)
Sent: Friday, June 11, 1999 9:09 AM
To: I. Stephen Margolis
Subject: Rejected posting to [log in to unmask]

Your message cannot be distributed to the C-PALSY list because it exceeds
the maximum message size of 600 lines. This limit has been set by the list
owner and does not necessarily apply to the other lists hosted at
MAELSTROM.STJOHNS.EDU. If you have any question, please contact the list
owner, who can be reached at [log in to unmask]

From: "I. STEPHEN MARGOLIS" <[log in to unmask]>
To: "St. John's University Cerebral Palsy List"
<[log in to unmask]>
Subject: FW: VIRUS ALERT
Date: Fri, 11 Jun 1999 09:07:45 -0400

These virii (Had to say that Derri Flower.) are getting interesting.  What
kind of person takes the time and effort to do this stuff?

Stay vigilant.

ism

-----Original Message-----
From: RBL [mailto:[log in to unmask]]
Sent: Thursday, June 10, 1999 2:38 PM
To: Recipient list suppressed
Subject: PCA: VIRUS ALERT
Importance: High
-= via RBL's PC ALERT http://www.RBLevin.net

[x] News

Source: RBL

REMINDER: NEVER OPEN FILE ATTACHMENTS IN E-MAIL. SCAN THEM WITH AN ANTIVIRUS
FIRST.

Certain members of this list are infected with a new Internet worm,
discovered by antivirus researchers on 6/6/99.  How do I know?  My list
server has received auto-replies back from some users, and the worm was
attached.

If you receive the following e-mail message or something similar, even if it
is from someone you know, do NOT run the attachment.  If you do, you will be
infected.

Hi  !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye.
 <<zipped_files.exe>>

 zipped_files.exe

WHAT TO DO:
- If you have not updated your antivirus software, it will not detect this
worm.  UPDATE your antivirus software immediately, and scan your system.
- If you are not using antivirus software, GET one here:
http://www.sarc.com. Then scan your system immediately.

More information here:
http://www.sarc.com/avcenter/venc/data/worm.explore.zip.html

Basic information:

Virus Name: Worm.ExploreZip
Aliases: W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: C:\Windows\System\, Email Attachments
Likelihood: Common
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse

Description:
Worm.ExploreZip is a worm that contains a malicious payload. The worm
utilizes MAPI commands and Microsoft Outlook on Windows systems to propagate
itself. Worm.ExploreZip was first discovered in Israel and submitted to the
Symantec AntiVirus Research Center on June 6, 1999.

The worm e-mails itself out as an attachment with the filename
"zipped_files.exe". The body of the e-mail message may appear to come from a
known e-mail correspondent, and contains the following text:

Hi Recipient Name!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye

The worm determines whom to mail this message to by going through your
received messages in your Inbox. Once the attachment is executed, it may
display the following window:


The worm then proceeds to copy itself to the c:\windows\system directory
with the filename "Explore.exe", and then modifies the WIN.INI file so the
program is executed each time Windows is started. The worm then utilizes
your e-mail client to harvest e-mail addresses in order to propagate itself.
You may notice your e-mail client start when this occurs.

Payload:
In addition, when Worm.ExploreZip is executed, it searches drives C through
Z of your computer system and selects a series of files to destroy based on
file extensions (including .h, .c, .cpp, .asm, .doc, .xls, .ppt) by making
them 0 bytes long. This can result in non-recoverable data.
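
The artifacts described in the alert above (the Explore.exe copy in the system directory, the WIN.INI startup change, and the zero-length files) can be checked with a short triage script. This is an added example, not part of the original message or of the quoted description; the alert does not name the WIN.INI key, so the standard run= and load= entries of the [windows] section are assumed, and the sample data is constructed.

```python
import ntpath
import re

WORM_NAMES = {"explore.exe", "zipped_files.exe"}  # file names given in the alert
WORM_SIZE = 210_432                                # "Infection Length" from the alert
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}

def startup_programs(win_ini_text):
    """Return programs listed under run=/load= in the [windows] section (assumed keys)."""
    section, found = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("run", "load"):
            found += [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return found

def triage(win_ini_text, files):
    """files maps path -> size in bytes. Returns a sorted list of findings."""
    findings = []
    for prog in startup_programs(win_ini_text):
        if ntpath.basename(prog).lower() in WORM_NAMES:
            findings.append(f"startup entry: {prog}")
    for path, size in files.items():
        name = ntpath.basename(path).lower()
        if name in WORM_NAMES:
            match = "size matches alert" if size == WORM_SIZE else "size differs"
            findings.append(f"worm file name: {path} ({match})")
        elif size == 0 and ntpath.splitext(name)[1] in TARGET_EXTS:
            findings.append(f"zero-length file: {path}")
    return sorted(findings)

# Constructed sample data, not taken from a real system.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_FILES = {
    r"C:\WINDOWS\SYSTEM\Explore.exe": 210432,
    r"C:\WINDOWS\EXPLORER.EXE": 204288,   # legitimate shell, different name and folder
    r"C:\My Documents\budget.xls": 0,
    r"C:\My Documents\notes.txt": 0,      # extension not in the alert's list
}

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_WIN_INI, SAMPLE_FILES)))
```

A zero-length file or a size mismatch is only a lead for follow-up, since either can occur on a clean system.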
