|
Subject:Update Announcement a Virus???
Posted by: davebritton
Date:12/29/2001 12:56:01 PM
This morning I got an email that said:
====== email body===
What's New in Version 1.0a
When ExpressFX is installed with ACID 2.0d or later, ExpressFX will be registered automatically when you register ACID.
ExpressFX 2 can now be used as Track FX in Sonic Foundry Vegas( Pro.
Issues in the registration process have been resolved.
====== end of email body ===
This email has an attachment named "instructions.bat". A bat file should be an ASCII text list of DOS commands, but seen under a text editor this one is a binary. Windoze will execute it if I run it, so I suspect this is a nasty virus. Has anyone else seen this?
My view is either this is a virus and my email address was insecurely handled by sonicfoundry or it is not a virus and sonicfoundry is irresponsibly transmitting weird undocumented executables. |
|
Subject:RE: Update Announcement a Virus???
Reply by: davebritton
Date:12/29/2001 6:16:18 PM
Note who the virus email is from - is it sdrapper.com@verizon.net (the return path) or Stacy scrapper.com@verizon.net (the From line)? The header file for this probable virus email is:
===== start header =====
Return-Path:
Delivered-To: dave@brittonfamily.org
Received: (qmail 13613 invoked by uid 500); 29 Dec 2001 14:41:12 -0000
Received: from unknown (HELO out007pub.verizon.net) (206.46.170.107) by 0 with SMTP; 29 Dec 2001 14:41:12 -0000
Received: from smtpout.verizon.net (pool-151-202-83-139.ny5030.east.verizon.net [151.202.83.139]) by out007pub.verizon.net with SMTP ; id fBTEf0I01511 Sat, 29 Dec 2001 08:41:00 -0600 (CST)
Date: Sat, 29 Dec 2001 08:41:00 -0600 (CST)
Message-Id:
FROM: Stacy
SUBJECT: To register ExpressFX 2 with Sonic
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00E8_01004EE5.544EE5A0"
Content-Transfer-Encoding: 7bit
========= end header ============ |
|
Subject:RE: Update Announcement a Virus???
Reply by: Rockitglider
Date:12/29/2001 10:03:52 PM
Hello, Sonic Foundry does not attach installation files to their e-mails; they attach reg entry files to activate programs, and your e-mail address can be obtained by clicking on your name in this forum. I doubt if SF had anything to do with this e-mail. See ya, Rockit |
|
Subject:RE: Update Announcement a Virus???
Reply by: davebritton
Date:1/12/2002 10:51:18 AM
Rockit, I never used this forum until after the weird email. So how did the spammer know I had a sonic product if not from sonic? |
|
Subject:RE: Update Announcement a Virus???
Reply by: Chienworks
Date:1/12/2002 11:57:04 AM
What you got is apparently the SirCAM worm. It picks random subjects and body text from the infected computer's mailboxes, creates a morphed copy of itself and attaches it as an executable, and then mails itself out to many of the addresses in the infected computer's address book. Since you didn't open the attachment, you probably didn't get infected. The person who sent you that eMail is, though. You can always reply back to her with these instructions for removing the worm: http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html
As to why your eMail address was in her address book? Who knows? Maybe SirCAM has the ability to copy address book entries and take them along as it spreads. As far as the eMail being about a Sonic Foundry product, that's probably one of those weird coincidences. That person is probably also a Sonic Foundry customer and had received an eMail with that text in it at one time. |
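The check described in the first post (a .bat attachment that turns out to be binary when opened in a text editor), automated as an added example that is not part of the original thread. The function names, the extension list, the 5% threshold and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions whose content should be plain-text commands (assumed list).
TEXT_SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js"}

def looks_binary(data: bytes) -> bool:
    """True if the first 4 KiB holds NUL bytes or >5% control characters."""
    sample = data[:4096]
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    odd = sum(1 for b in sample if b < 9 or 13 < b < 32 or b == 127)
    return odd / len(sample) > 0.05

def triage(raw: bytes):
    """Return (filename, reason) for attachments whose bytes contradict a script extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in TEXT_SCRIPT_EXTS:
            continue
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":  # DOS/Windows executable magic bytes
            findings.append((name, "executable (MZ) header in a script file"))
        elif looks_binary(data):
            findings.append((name, "binary content in a script file"))
    return findings

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; addresses and subject are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("What's New in Version 1.0a")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    bad = build_sample("instructions.bat", b"MZ\x90\x00" + b"\x00" * 60)
    good = build_sample("setup.bat", b"@echo off\r\necho hello\r\n")
    print(triage(bad))   # flagged
    print(triage(good))  # empty list
```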