X-Message-Number: 18685
Date: Sat, 2 Mar 2002 12:23:34 -0700
Subject: Note to Ettinger
References: <>
From: (Tim Freeman)

Sorry to spam a public mail list with something that ought to go to just Ettinger, but Ettinger hasn't responded to any of my private emails on the subject. I'm guessing that they're blocked somehow.

Note to Ettinger: You can call me at 408 774 1298 if the private emails I sent you were not received.

>Tim Freeman says the worm going out from a mailer using a similar name
>(ettingersomethingor I believe) comes from my machine. I'm not
>sure how he knows this,

Circumstantial evidence. The "From" field says "Robert Ettinger" and the emails are going out to the sort of people you probably have on your address list. Someone who is pretending to be you would probably generate a better impersonation than appears in the emails, unless it's someone who somehow stole your address list and has the virus installed. Have you had a computer stolen recently?

>and if it is true I'm not sure how it gets past my
>own anti-virus program "InoculateIt."

Good question. It's easy enough to test your virus checker. I can send one of the infected executables back to you and we can see if it triggers your virus checker, but I don't want to do this without your permission and without figuring out why you haven't been responding to my emails. This can be tested without running the infected executable. Running the infected executable would be a bad idea.

Have you updated the virus detection rules for InoculateIt since September 4, 2001, when came out according to Symantec?

The email headers indicated two sources for the infected emails, one via @home and one via AOL. I would very much like to know if you ever connect to the internet via @home (or comcast, which apparently bought some or all of their accounts). I'm told and I believe you don't normally send email via @home, but I suspect the virus does when you're connected to the internet for some other purpose.

You can see if your machine is infected by looking at the instructions at:

http://securityresponse.symantec.com/avcenter/venc/data/

The part of the disinfection procedure that describes how to fix the registry gives both the old and new values you should expect, so you can compare the old value to the actual value on your machine and manually determine whether you're infected.

If patient confidentiality is important to you, you really have to get this fixed, since the virus sends out random documents in emails.

--
Tim Freeman ; formerly