X-Message-Number: 18685
Date: Sat,  2 Mar 2002 12:23:34 -0700
Subject: Note to Ettinger
References:  <>
From:  (Tim Freeman)

Sorry to spam a public mail list with something that ought to go to
just Ettinger, but Ettinger hasn't responded to any of my private
emails on the subject.  I'm guessing that they're blocked somehow.

Note to Ettinger: You can call me at 408 774 1298 if the private
emails I sent you were not received.

>Tim Freeman says the worm going out from a mailer using a similar name 
>(ettingersomethingor  I believe) comes from my machine. I'm not 
>sure how he knows this, 

Circumstantial evidence.  The "From" field says "Robert Ettinger" and
the emails are going out to the sort of people you probably have on
your address list.  Someone who is pretending to be you would probably
generate a better impersonation than appears in the emails, unless
it's someone who somehow stole your address list and has the virus
installed.  Have you had a computer stolen recently?

>and if it is true I'm not sure how it gets past my 
>own anti-virus program "InoculateIt."

Good question.  It's easy enough to test your virus checker. I can
send one of the infected executables back to you and we can see if it
triggers your virus checker, but I don't want to do this without your
permission and without figuring out why you haven't been responding to
my emails.  This can be tested without running the infected
executable.  Running the infected executable would be a bad idea.
Have you updated the virus detection rules for InoculateIt since
September 4, 2001, when  came out according to
Symantec?

The email headers indicated two sources for the infected emails, one
via @home and one via AOL.  I would very much like to know if you ever
connect to the internet via @home (or comcast, which apparently bought
some or all of their accounts).  I'm told and I believe you don't
normally send email via @home, but I suspect the virus does when
you're connected to the internet for some other purpose.

You can see if your machine is infected by looking at the instructions
at:



http://securityresponse.symantec.com/avcenter/venc/data/

The part of the disinfection procedure that describes how to fix the
registry gives both the old and new values you should expect, so you
can compare the old value to the actual value on your machine and
manually determine whether you're infected.

If patient confidentiality is important to you, you really have to get
this fixed, since the virus sends out random documents in emails.

-- 
Tim Freeman
