Metalworking (rec.crafts.metalworking) Discuss various aspects of working with metal, such as machining, welding, metal joining, screwing, casting, hardening/tempering, blacksmithing/forging, spinning and hammer work, sheet metal work.

  #1   Report Post  
DoN. Nichols
 
Posts: n/a
Default Warning VIRUS (was: Fw: Do not release, its the internal rls!)

In article , wrote:

Warning. I took a look at this thing (carefully, on a *non*
Windows system), and found:

1) Html with an iframe tag.

2) A base64-encoded zipfile, in which was:

3) A file which contained more html, with yet another iframe tag, and

4) A final file named "torvil.exe".

5) Torvil.exe includes the string:

"This program must be run under Win32"

so it isn't an MS-DOS executable.

6) Except for a very few diagnostic messages (unable to access the
needed dll and such), all other strings are apparently at least
minimally encrypted, except for .dll names and function call
names. Nothing to print to the user in operation is visible.

With all of that, the odds are probably 99:1 that it is a virus.
And it certainly does not belong here.

So -- if you have looked at the preceding message with a
Windows system and OE, please run a virus scan on your system. (And note
that this may be too new to show up in the virus signature files, so it
won't be identified until after the next update.)

Good Luck,
DoN.
--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
  #2   Report Post  
John Wilson
 
Posts: n/a
Default

My antivirus site (eTrust) has the following:

Total Results [2]

Name: Win32.Torvil.B
Last Modified: 12 Jan 2004
Aliases: W32/Torvil-mm (Wildlist), Win32/P2P.Unknown.Worm, W32/Torvil@MM (McAfee), W32/Torvil.A (F-Secure), I-Worm.Torvil.c (Kaspersky), WORM_TORVIL.B (Trend), W32.HLLW.Torvel.B@mm (Symantec)

Name: Win32.Torvil.D
Last Modified: 23 Oct 2003
Aliases: Win32/Torvil.D.Worm, W32/Torvil@MM (McAfee), I-Worm.Torvil.d (Kaspersky), W32.HLLW.Torvil@mm (Symantec), W32/Torvil.A (F-Secure)

John.

  #5   Report Post  
Larry Jaques
 
Posts: n/a
Default

On Sun, 6 Feb 2005 12:49:55 -0600, the inscrutable "Tim Williams"
spake:

> "Larry Jaques" wrote in message
> ...
>> I got stuck with OE when I moved to Starband, but I immediately
>> turned off the preview feature which would have automatically
>> loaded every virus as it came in.
>
> I really don't get it, you missing critical updates or settings? Like I

Not that I'm aware of. I run the Windows Update every month or two
and let it further ruin my machine with the latest M$ hacks. sigh
One of these days I'm going to buy another hard drive and set the
old computer up with Mandrake on it...

> said elsewhere, OE doesn't autorun anything. I've clicked on hundreds of
> viruses with no effect (I use preview pane because I'm lazy like that).


AFAIK, OE does open messages by default when the preview option is
turned on. That, in turn, can launch virii and/or worms. I choose to
avoid that.


--------------------------------------------
Proud (occasional) maker of Hungarian Paper Towels.
http://www.diversify.com Comprehensive Website Design
================================================== ====



  #6   Report Post  
Jon Danniken
 
Posts: n/a
Default

"Tim Williams" wrote:
> "Larry Jaques" wrote:
>> I got stuck with OE when I moved to Starband, but I immediately
>> turned off the preview feature which would have automatically
>> loaded every virus as it came in.
>
> I really don't get it, you missing critical updates or settings? Like I
> said elsewhere, OE doesn't autorun anything. I've clicked on hundreds of
> viruses with no effect (I use preview pane because I'm lazy like that).

He likely had his security settings too low. Regarding OE, I've been using
it for almost five years now, and have *never* been infected through it. It
works just fine for my purposes, is safe and secure, and is easy to use.

I've never been one to make more work for myself when it's not necessary, so
OE is what I use. YMMV.

Jom

  #7   Report Post  
DoN. Nichols
 
Posts: n/a
Default

In article ,
Tim Williams wrote:
> "DoN. Nichols" wrote in message
> ...
>> So -- if you have looked at the preceding message with a
>> Windows system and OE, please run a virus scan on your system.
>
> Don't forget people, that OE doesn't run attachments automatically (except
> images, which are conveniently embedded in-line, and aren't executables
> anyway so don't count) and most certainly is NOT smart enough to know what a
> ZIP file is, let alone how to open it. Okay!?

But the "iframe" HTML tag can pass it off to another program.
An early example of this trick was (supposed) audio files (.wav), which
it did not explicitly pass to a program to play files. It instead just
attempted to *run* the file, depending on the system to recognize the
type and feed it to the appropriate program to play it. The file, in
reality, had a filename something like

name-of-song.wav.exe

or

name-of-song.wav.scr

which *are* executables, so when it tried to run it to play it, it
really *ran* it.

Enjoy,
DoN.
--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
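
Added example, not part of any post in this thread: a static triage in Python of the message layout described in posts #1 and #7 (HTML with an iframe, a base64-encoded zip holding more HTML and an .exe, and a name like name-of-song.wav.scr). The sample message is constructed and inert; the extension lists and the size and nesting limits are assumptions.

```python
import io, re, zipfile
from email import message_from_string
from email.message import EmailMessage

EXEC_EXT = {"exe", "scr", "pif", "com", "bat"}                    # assumed list
DECOY_EXT = {"wav", "mp3", "jpg", "gif", "txt", "doc", "htm", "html"}  # assumed list
IFRAME = re.compile(rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def check_name(name):
    """Return a label if the file name ends in an executable extension, else None."""
    parts = name.replace("\\", "/").rsplit("/", 1)[-1].lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return None
    return "double extension" if len(parts) == 3 and parts[1] in DECOY_EXT else "executable name"

def check_blob(name, data, where="", depth=0):
    """Statically inspect one decoded part; nothing is executed or rendered."""
    label = where + name
    found = [f"{kind}: {label}"] if (kind := check_name(name)) else []
    if data[:4] == b"PK\x03\x04" and depth < 3:        # zip archive: list and recurse
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= 1_000_000:        # ignore oversized members
                    found += check_blob(info.filename, zf.read(info), label + "!", depth + 1)
        return found
    if data[:2] == b"MZ":                              # DOS/Windows executable magic
        stub = " (Win32 stub)" if b"must be run under Win32" in data[:1024] else ""
        found.append(f"MZ executable{stub}: {label}")
    found += [f"iframe src={s.decode(errors='replace')} in {label}" for s in IFRAME.findall(data)]
    return found

def triage(raw_message):
    # The email package undoes the base64 transfer encoding of each part.
    parts = [p for p in message_from_string(raw_message).walk() if not p.is_multipart()]
    return [f for p in parts for f in check_blob(
        p.get_filename() or p.get_content_type(), p.get_payload(decode=True) or b"")]

def build_sample():
    """Constructed, inert message that mimics the layout described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("page.htm", '<iframe src="cid:inner"></iframe>')
        zf.writestr("torvil.exe", b"MZ" + b"\0" * 30 + b"This program must be run under Win32")
    msg = EmailMessage()
    msg.set_content('<html><iframe src="cid:outer"></iframe></html>', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="rls.zip")
    msg.add_attachment(b"RIFF", maintype="audio", subtype="wav", filename="name-of-song.wav.scr")
    return msg.as_string()
```

Calling triage(build_sample()) returns one finding per suspicious feature, each prefixed with the container path (for example rls.zip!torvil.exe) so the nesting stays visible.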
  #8   Report Post  
Dave Hinz
 
Posts: n/a
Default

On Sun, 6 Feb 2005 19:57:42 -0800, Jon Danniken wrote:
> "Tim Williams" wrote:
>> "Larry Jaques" wrote:
>>> I got stuck with OE when I moved to Starband, but I immediately
>>> turned off the preview feature which would have automatically
>>> loaded every virus as it came in.
>>
>> I really don't get it, you missing critical updates or settings? Like I
>> said elsewhere, OE doesn't autorun anything. I've clicked on hundreds of
>> viruses with no effect (I use preview pane because I'm lazy like that).
>
> He likely had his security settings too low. Regarding OE, I've been using
> it for almost five years now, and have *never* been infected through it. It
> works just fine for my purposes, is safe and secure, and is easy to use.

I missed the start of this, but does it help knowing that any virus that
claims to be from a specific person, is nearly guaranteed to _not_ have
come from that person? All you know if it says it's from Tim, is that
it's from someone with Tim in their address book.

  #9   Report Post  
Dave Hinz
 
Posts: n/a
Default

On Mon, 7 Feb 2005 13:31:19 -0600, Tim Williams wrote:
> "Dave Hinz" wrote in message
> ...
>> All you know if it says it's from Tim, is that
>> it's from someone with Tim in their address book.
>
> Ha! I think I've even had viruses sent to me by "myself" before...


Yup. I get 'em (in my spam/virus filter bucket) all the time, and I'm
fairly sure that none of my Unix systems have a virus (all things
considered...)

Dave
