In article , wrote:

Warning. I took a look at this thing (carefully, on a *non*
Windows system), and found:

1) Html with a iframe tag.

2) A base64-encoded zipfile, in which was:

3) A file which contained more html, with yet another iframe tag, and

4) A final file named "torvil.exe".

5) Torvil.exe includes the string:

"This program must be run under Win32"

so it isn't an MS-DOS executable.

6) Except for a very few diagnostic messages (unable to access the
needed dll and such), all other strings are apparently at least
minimally encrypted, except for .dll names and function call
names. Nothing to print to the user in operation is visible.

With all of that, the odds are probably 99:1 that it is a virus.
And it certainly does not belong here.

So -- if you have looked at the preceding message with a
Windows system and OE, please run a virus scan on your system. (And note
that this may be too new to show up in the virus signature files, so it
won't be identified until after the next update.

Good Luck,
DoN.
--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---

My antivirus site (eTrust) has the lollowing:

Total Results [2]
Name Last Modified Aliases
Win32.Torvil.B 12 Jan 2004 W32/Torvil-mm (Wildlist), Win32/P2P.Unknown.Worm,
W32/Torvil@MM (McAfee), W32/Torvil.A (F-Secure), I-Worm.Torvil.c
(Kaspersky), WORM_TORVIL.B (Trend), W32.HLLW.Torvel.B@mm (Symantec)
Win32.Torvil.D 23 Oct 2003 Win32/Torvil.D.Worm , W32/Torvil@MM (McAfee),
I-Worm.Torvil.d (Kaspersky), W32.HLLW.Torvil@mm (Symantec), W32/Torvil.A
(F-Secure)

John.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~
~~
"DoN. Nichols" wrote in message
...
In article ,
wrote:

Warning. I took a look at this thing (carefully, on a *non*
Windows system), and found:

1) Html with a iframe tag.

2) A base64-encoded zipfile, in which was:

3) A file which contained more html, with yet another iframe tag, and

4) A final file named "torvil.exe".

5) Torvil.exe includes the string:

"This program must be run under Win32"

so it isn't an MS-DOS executable.

6) Except for a very few diagnostic messages (unable to access the
needed dll and such), all other strings are apparently at least
minimally encrypted, except for .dll names and function call
names. Nothing to print to the user in operation is visible.

With all of that, the odds are probably 99:1 that it is a virus.
And it certainly does not belong here.

So -- if you have looked at the preceding message with a
Windows system and OE, please run a virus scan on your system. (And note
that this may be too new to show up in the virus signature files, so it
won't be identified until after the next update.

Good Luck,
DoN.
--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---

On 5 Feb 2005 22:02:31 -0500, (DoN. Nichols)
wrote:

In article , wrote:

Warning. I took a look at this thing (carefully, on a *non*
Windows system), and found:

1) Html with a iframe tag.

2) A base64-encoded zipfile, in which was:

3) A file which contained more html, with yet another iframe tag, and

4) A final file named "torvil.exe".

5) Torvil.exe includes the string:

"This program must be run under Win32"

so it isn't an MS-DOS executable.

6) Except for a very few diagnostic messages (unable to access the
needed dll and such), all other strings are apparently at least
minimally encrypted, except for .dll names and function call
names. Nothing to print to the user in operation is visible.

With all of that, the odds are probably 99:1 that it is a virus.
And it certainly does not belong here.

So -- if you have looked at the preceding message with a
Windows system and OE, please run a virus scan on your system. (And note
that this may be too new to show up in the virus signature files, so it
won't be identified until after the next update.

Good Luck,
DoN.

Fortunately many of us are too smart to use OE. Or IE.
But thanks for the warning.

--RC

Knowledge is knowing a tomato is a fruit;
Wisdom is not putting it in a fruit salad

-- Suzie B

On Sun, 06 Feb 2005 05:53:53 GMT, the inscrutable
spake:

So -- if you have looked at the preceding message with a
Windows system and OE, please run a virus scan on your system. (And note
that this may be too new to show up in the virus signature files, so it
won't be identified until after the next update.

Good Luck,
DoN.

Fortunately many of us are too smart to use OE. Or IE.
But thanks for the warning.

I got stuck with OE when I moved to Starband, but I immediately
turned off the preview feature which would have automatically
loaded every virus as it came in. Thankfully, NAV catches the bad
code for me in both email and news proggies.

OE is probably one of M$' best programs to date and I don't mind
using it.

LJ--who never thought he'd ever make that last statement.


--
The clear and present danger of top-posting explored at:
http://www.netmeister.org/news/learn2quote2.html
------------------------------------------------------
http://diversify.com Premium Website Development