Mail Virus Notice
Orion27
Mac Elite
Join Date: Aug 2002
Location: Safe House
Aug 20, 2003, 11:14 AM
 
Received a notice of undeliverable mail to a recipient that I did not send mail to. It returned to me via AOL describing the content of the email as containing a virus. I also received an email containing a .pif doc which I did not open, Subject header: My details. My system appears o.k. OSX 10.2.6. Mail client Entourage. What steps need I take to protect my system? Virus scan? (Virex is all I have.) Just trash the offending mail? Are we about to be flooded with email? Thanks. P.S. I am a DSL client of BellSouth.net and do not have an AOL account. The .pif was sent to me via Yahoo. I don't have a Yahoo account either.
     
proton
Senior User
Join Date: Nov 2000
Aug 20, 2003, 11:30 AM
 
This is (at least at the moment), mostly caused by W32/Sobig-F@mm, a Windows mass mailing virus. It does not affect the Mac OS at all. To get an idea of how many copies of it are going around, the mail server here blocked over 28000 copies of it yesterday (around 2.8 gig worth of viral content).

Just delete the email and ignore it.

- proton
     
Developer
Addicted to MacNN
Join Date: Apr 2001
Location: europe
Aug 20, 2003, 11:31 AM
 
Someone using Windows and having you in his address book is infected by the Klez virus. This virus sends itself to others, making it look like you (some random person in the infected machine's address book) sent it. There is nothing you can do about it.

http://service1.symantec.com/SUPPORT...02041911334611
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
Diggory Laycock
Professional Poster
Join Date: Oct 2001
Location: London
Aug 20, 2003, 11:36 AM
 
I've been getting that a lot today as well - I use Mail.app


It's not you that's infected - it's some Windows user - who has your email address in their address book.

The virus then uses this info to send mail containing the virus through its own SMTP server (purporting to be you!):

see more info here:

http://hq.mcafeeasap.com/dispVirus.asp?virus_k=100561
     
Arkham_c
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Aug 20, 2003, 11:39 AM
 
Originally posted by Orion27:
Received a notice of undeliverable mail to a recipient that I did not send mail to. It returned to me via AOL describing the content of the email as containing a virus. I also received an email containing a .pif doc which I did not open, Subject header: My details. My system appears o.k. OSX 10.2.6. Mail client Entourage. What steps need I take to protect my system? Virus scan? (Virex is all I have.) Just trash the offending mail? Are we about to be flooded with email? Thanks. P.S. I am a DSL client of BellSouth.net and do not have an AOL account. The .pif was sent to me via Yahoo. I don't have a Yahoo account either.
Don't worry about it. Someone is sending out viral spam with your address as the return address. It's entirely likely that somewhere along the line, someone who had you in their address book got the virus, and it decided to send out spam with your "from" to make it seem more credible.

.pif files are of no concern to a Mac user. They are Windows executables. Same for .scr files, .exe files and .bat files.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
     
Diggory Laycock
Professional Poster
Join Date: Oct 2001
Location: London
Aug 20, 2003, 11:45 AM
 
hmm - got about 20 of these emails so far - thinking about writing a rule to filter them.

Is there a legitimate use for .pif files? Do many people attach them normally?
     
Telusman
Dedicated MacNNer
Join Date: Jul 2002
Location: Calgary, Alberta
Aug 20, 2003, 02:42 PM
 
A PIF file is a Program Information File, used under Windows to tell Windows 2000 and XP how a legacy program is meant to operate under its "advanced" environment. A lot of older 16-bit Windows apps and old DOS apps don't run as expected unless they have a PIF file linked telling Windows how to run the program.

They are almost NEVER sent through e-mail unless two users want the same program on two different 2000 or XP systems to run the exact same way....

The files have no relevance under Mac OS and never will. There is virtually no way this file can hurt your system; write a rule, filter them to the trash and hit delete.

-Telusman

(P.S. The file you're getting I don't think is a real PIF file; it's viral information in the guise of a PIF file.)
"No ma'am i'm not angry at you, I'm angry at the cruel twist of fate that directed your call to my extension..."
     
ambush
Banned
Join Date: Apr 2002
Location: -
Aug 20, 2003, 03:17 PM
 
SOBIG IZ BACK IN THAT HOUSE!@
     
Orion27  (op)
Mac Elite
Join Date: Aug 2002
Location: Safe House
Aug 20, 2003, 03:19 PM
 
Thanks guys, appreciate all the great info.
     
Zadian
Mac Enthusiast
Join Date: Dec 2000
Location: Germany
Aug 20, 2003, 03:28 PM
 
Originally posted by Diggory Laycock:
hmm - got about 20 of these emails so far - thinking about writing a rule to filter them.
I got 63 of those sobig.f mails. I created a rule to filter them out but that rule only works for sobig.f as it relies on Text in the mail.

Is there a way to create a rule to filter attachments in Mac OS X Mail? That way it would be very easy to filter those .pif and .scr worms.
     
Diggory Laycock
Professional Poster
Join Date: Oct 2001
Location: London
Aug 20, 2003, 06:25 PM
 
Originally posted by Zadian:
I got 63 of those sobig.f mails. I created a rule to filter them out but that rule only works for sobig.f as it relies on Text in the mail.

Is there a way to create a rule to filter attachments in Mac OS X Mail? That way it would be very easy to filter those .pif and .scr worms.
Alas no - I looked into it this afternoon. Mail's AppleScriptability doesn't go down to the attachment level - you can get the body of the mail (including MIME attachment text) however.
     
TheDisaster
Dedicated MacNNer
Join Date: Apr 2003
Location: Rochester, NY
Aug 20, 2003, 08:09 PM
 
I got two of the emails today from people I had never seen the address of before, both subjects containing the phrase "Thank you!". Does emailing the person back let them know that they have the virus, or is it too late by now/do they know by now?
|wishing is for suckers|
     
proton
Senior User
Join Date: Nov 2000
Aug 20, 2003, 08:17 PM
 
The virus forges the "From:" address, so whoever it appears to have come from isn't who it came from. They just happened to be in the address book of someone who does have the virus, and have probably already got a whole pile of messages from mail servers that stupidly send replies to virus emails even though they know the virus forges the from address....

- proton
     
gatorparrots
Dedicated MacNNer
Join Date: Dec 2002
Location: someplace
Aug 20, 2003, 11:32 PM
 
Originally posted by Zadian:
Is there a way to create a rule to filter attachments in Mac OS X Mail? That way it would be very easy to filter those .pif and .scr worms.
http://www.macosxhints.com/article.p...30820063155258
Andrew Stone of Stone Design sent in a submission for dealing with the w32.sobig.f worm that's currently filling many OS X users' mailboxes with hundreds of junk emails. I had also received a couple emails from users about the flood of email, and had started working on the same thing last night. Since it appears to be hitting a large number of people, here's Andrew's Mail rule which will automatically delete the vast majority of these worm spams. You can read more about the worm on Symantec's site.

Create a new Mail rule, and set "If 'any' of the following conditions are met," and add all of these conditions:

* Subject - Ends with - My details
* Subject - Ends with - Your details
* Subject - Ends with - Your application
* Subject - Ends with - Wicked screensaver
* Subject - Ends with - That movie
* Subject - Ends with - Approved
* Subject - Ends with - Details
* Subject - Ends with - Thank you!
* From - Is equal to - [email protected]

In the "Perform the following actions" section of the dialog, set the first action to "Delete message" and the second to "Stop evaluating rules." Make this new rule the first rule in your rules list, so it runs before everything else. Andrew created an image that displays the finished rule.
     
Earth Mk. II
Mac Elite
Join Date: Feb 2001
Location: Washington, DC
Aug 20, 2003, 11:58 PM
 
Originally posted by gatorparrots:
http://www.macosxhints.com/article.p...30820063155258
Good... but here's one that's less likely to filter out honest e-mail ending in "Thank you!" and such...
1. Go to "Edit Header List..." in the Mail.app rules prefpane.
2. Add "Content-Type" to the list of headers.
3. Set this rule: Content-Type Contains boundary="_NextPart_000_

As far as I can tell, only W32.Sobig uses that for a MIME boundary, and that has been catching ALL my incoming mail from that worm.
/Earth\ Mk\.\ I{2}/
     
DigitalEl
Mac Elite
Join Date: May 2000
Location: Not Quite Phoenix
Aug 21, 2003, 01:33 AM
 
From my company's IT "geniuses."

We are currently experiencing a high volume of virus reports.
The W32.Sobig.F@mm virus is being detected by the virus scanners on the e-mail servers and on many people's workstations.

If you receive an attachment from someone you do not know, please do NOT open the attachment. This virus will send out e-mail from both valid and fake return addresses.

Be very cautious if you receive any e-mail with any of the following characteristics:

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:
See the attached file for details
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

More Information can be found at:
http://www.sarc.com/avcenter/venc/[email protected]


Silly Windows users.
Jalen's dad. Carrie's husband.  partisan. Bleu blanc et rouge.
     
Diggory Laycock
Professional Poster
Join Date: Oct 2001
Location: London
Aug 21, 2003, 06:13 AM
 
Originally posted by Earth Mk. II:
Good... but here's one that's less likely to filter out honest e-mail ending in "Thank you!" and such...
1. Go to "Edit Header List..." in the Mail.app rules prefpane.
2. Add "Content-Type" to the list of headers.
3. Set this rule: Content-Type Contains boundary="_NextPart_000_

As far as I can tell, only W32.Sobig uses that for a MIME boundary, and that has been catching ALL my incoming mail from that worm.
Nice one - this works.
     
jsiburt
Junior Member
Join Date: Jan 2002
Aug 22, 2003, 08:54 AM
 
1. Go to "Edit Header List..." in the Mail.app rules prefpane.
2. Add "Content-Type" to the list of headers.
3. Set this rule: Content-Type Contains boundary="_NextPart_000_

As far as I can tell, only W32.Sobig uses that for a MIME boundary, and that has been catching ALL my incoming mail from that worm.
I got one this morning that it didn't work with. It may mutate as it spreads depending on what computer it comes from. Just speculating.
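
The three filters discussed in the posts above (subject endings, the `_NextPart_000_` MIME boundary, and the attachment extension that Mail's rules could not test), compared side by side on constructed messages. This is an added example, not code from any poster or from Mail.app; the `should_quarantine` policy, the function names and the sample messages are assumptions made for illustration.

```python
import email
from email import policy

# Indicators quoted in the thread: executable extensions, the MIME boundary
# prefix, and the subject endings from the Mail rule.
BLOCKED_EXT = (".pif", ".scr", ".exe", ".bat")
BOUNDARY_PREFIX = "_NextPart_000_"
SUBJECT_ENDINGS = ("my details", "your details", "your application",
                   "wicked screensaver", "that movie", "approved",
                   "details", "thank you!")

def signals(raw: bytes) -> dict:
    """Report which of the three rules match one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    boundary = msg.get_boundary() or ""
    # walk() visits every MIME part, so nested attachments are seen too.
    names = [(part.get_filename() or "").lower() for part in msg.walk()]
    return {
        "subject": subject.endswith(SUBJECT_ENDINGS),
        "boundary": boundary.startswith(BOUNDARY_PREFIX),
        "attachment": any(n.endswith(BLOCKED_EXT) for n in names),
    }

def should_quarantine(raw: bytes) -> bool:
    # Assumed policy for this example: a subject match alone is too broad,
    # so require an executable attachment, or boundary and subject together.
    s = signals(raw)
    return s["attachment"] or (s["boundary"] and s["subject"])

def sample(subject: str, boundary: str, filename: str) -> bytes:
    """Build a constructed two-part message (not a captured worm sample)."""
    return (
        f"From: a@example.com\nTo: b@example.com\nSubject: {subject}\n"
        f'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="{boundary}"\n\n'
        f"--{boundary}\nContent-Type: text/plain\n\n"
        "Please see the attached file for details.\n"
        f"--{boundary}\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        "placeholder text, not an executable\n"
        f"--{boundary}--\n"
    ).encode()

WORM_LIKE = sample("Re: Details", "_NextPart_000_0001", "your_details.pif")
VARIANT = sample("Hello", "other_boundary_0001", "movie0045.pif")
HONEST = (b"From: c@example.com\nTo: b@example.com\n"
          b"Subject: Lunch on Friday - thank you!\n\nSee you then.\n")
```

`signals(HONEST)` matches only the subject rule and is not quarantined, while `VARIANT` misses both the subject and boundary rules and is still caught by its attachment extension.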
     
rlorenc
Dedicated MacNNer
Join Date: Jan 2001
Location: Chicago, IL, USA
Aug 22, 2003, 10:50 AM
 
Where is the "Edit Header List..." option? I looked in Mail-->Preferences-->Rules and I couldn't find it.

Thanks.
     
Diggory Laycock
Professional Poster
Join Date: Oct 2001
Location: London
Aug 22, 2003, 11:15 AM
 
Originally posted by rlorenc:
Where is the "Edit Header List..." option? I looked in Mail-->Preferences-->Rules and I couldn't find it.

Thanks.
Make a new rule - then in the sheet choose the "From" pop-up
     
   
 
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.