Of course, the problem is not that list members are sending attachments to
the list. This attachment comes from a "non-list member" who somehow got the
list to forward his or her message. The important thing is that we remain
suspicious of attachments from unrecognized sources or with unclear, generic
titles. Personally, I recognized this as suspicious as soon as I saw the
attachment icon and the sender's "name" (I was SPAMmed by anhvu@ once
already). Keeping anti-virus software updated is also a good idea.

I wonder if there is any way we can filter out messages like that one before
they get posted to the list? But I'm not sure how other lists handle this
sort of problem.

Paul E. Doniger

----- Original Message -----
From: Omar <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, August 30, 2001 5:10 AM
Subject: Re: WARNING! Code Red Worm


> >>My computer says the attachments from this recent posting from "anhvu"
on
> >>the listserve are infected.  DO NOT OPEN!!!
> >>
> >>
> >>From:         anhvu <[log in to unmask]>
>
> This was immediately suspicious. A one-hundred kilobyte message?
>
> I hope that list members will refrain from posting attachments to this
> list. And also from posting in HTML fomat. Sending attachments to a
> list is generally a bad idea and virus infections may be spread by
> code imbedded in HTML messages that calls the virus when the message
> is opened from a machine that is still online. Anything that
> absolutely needs to be distributed can be posted on the web and the
> URL announced on the list. The defunct e-groups issued all of their
> electronic forums with a "vault" expressly for file distribution.
>
>
> CODE RED WORM
>
> If you who may be running WinNT or Win2000 operating systems and have
> not expressly taken precautions to protect yourself you are exposed to
> attack. The worm is a parasite that enables those who distribute it to
> control infected machines remotely via the Windows IIS Personal Web
> Server. Estimates are that some 100,000 personal computers around the
> world are now Code Red zombies. Most people operating infected
> machines are unaware of the presence of a virus that has turned their
> machines collectively into a powerful weapon in the hands of persons
> unknown.
>
> The worm enters your computer while you are online by probing your
> ports and entering, typically, through port 80, if it finds it open. A
> friend of mine who is online most of the time intercepts 5 to 10 of
> these worms a day. The first massive attack on July 1st infected more
> than 300,000 machines world wide in the space of twelve hours. A
> second wave occurred on August 1st, a third is expected on Saturday,
> September 1st.
>
> Please investigate this yourselves. Check to see whether or not you
> are running Microsoft Personal Web server - some implementations of
> Windows install this as default. If you are, then assume that you are
> infected. Check the Microsoft web site and take steps to remove the
> worm and then either shut down IIS or download and install the MS
> patch to protect yourself from the worm if you continue to use IIS.
> The patch is not effective if your machine is already infected.
>
> The worm does not appear to be designed to damage your system or your
> hardware, but rather to use your equipment for purposes that are
> impossible to ascertain.
>
>
> Best regards,
>
>
> Omar
>
> To join or leave this LISTSERV list, please visit the list's web interface
at:
>      http://listserv.muohio.edu/archives/ateg.html
> and select "Join or leave the list"
>
> Visit ATEG's web site at http://ateg.org/
>

To join or leave this LISTSERV list, please visit the list's web interface at:
     http://listserv.muohio.edu/archives/ateg.html
and select "Join or leave the list"

Visit ATEG's web site at http://ateg.org/