[Dshield] MacIntosh Virus Question

Fred fretz at pacbell.net
Fri Mar 5 05:40:26 GMT 2004


Hi,

Someone suggested that people who just read but have questions should ask them.  I'm going to avail myself of that invitation.  
I would like to first offer my observation that the rapport existing between the members of DShield group is extraordinary and outstanding.  I very much appreciate the information DShield members make available.  I've also seen that discussions which sometimes occur here between folks who hold differing views are respectful and courteous.  I wish there was such "harmony" between the people exchanging views on other lists I belong to.  (The one small flaw I see sometimes, if I may say so, is in the occasional use of "sarcasm" which can be difficult for people with English as a second language to interpret.  Well, the other thing is that I think belittling a person seeking assistance doesn't help much either, and may increase a reluctance some people may have toward asking questions.)
And certainly, I would thank the host, moderator, and "Chief Digital Officer" (CDO?), Mr. Ulrich, for all the work he does making this list available, and for the energy he devotes to trying to help the Internet be a safer facility.

...I am a home computer user -that's all- and so I feel sort of like a high school kid (I'm 53) sitting in on a graduate course at some college. 
My question doesn't concern my own computer or connection to the Internet - I think I've done fairly well securing those.  
But a person from a "social issue" list asked me a question the other day about her Mac (I don't know which OS).  She sent me a copy of a message she'd received and asked me if I thought she was infected with a virus.  I don't use a Mac, but I tried to find some info for her.  Based upon what I saw I told her I thought she didn't have too much to worry about, but I also gave her the website for both Sophos's and Symantec's AV trialware.  

Also, I use NAV and update my definitions every day.  I don't pay too much attention to it, but I have noticed that there is a listing for the Mac definitions on the page I see when getting my NAV definitions, and normally, it seems to me, the Mac definitions are only rarely updated.  I also told her that.  Later though, I noticed that the Mac AV definitions on Symantec's page were updated on 2/27, and so I began to wonder if there was a new threat to Macs.  I tried looking using all the search combinations I could think of and I couldn't find any mention of any new threats to Macs.

So I'd be interested if anyone could help me with some info or a pointer to a site with some.  
I've pasted the copy of the email my friend received below, hoping that I've done that correctly, and the copy is useful in understanding the situation.

Once again thank you for the help you've all (unknowingly) provided me in the past, and thanks in advance for any assistance with this dilemma I'm trying to help my friend with.  
(I hope I don't get plastered for my comment about sarcasm, but if I do, what the heck, it's only "virtual" plaster. ;-) )

Fred 

(I used "munged-name" in place of my friend's actual user name.  I doubt that my friend actually sent any message implied by the "Delivery Notification".  I recognize the form of the message, i.e., the "Subject" and the sentence about "Unicode", to be similar to one of the recent viruses, but it's not exactly the same according to what I could find.  There was one virus that used "file.zip" for the attachment, but that virus didn't seem to match the content of this message either.)

From: Internet Mail Delivery <postmaster at a34-mta02.direcway.com>
Date: Sat, 28 Feb 2004 00:35:42 -0500 (EST)
To: munged-name at earthlink.net
Subject: Delivery Notification: Delivery has been delayed

This report relates to a message you sent with the following header fields:

  Return-path: <munged-name at earthlink.net>
  Received: from a34-mta02.direcway.com by a34-mta02.direcway.com
   (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
   id <0HTS00CH04VI5Y at a34-mta02.direcway.com>; Sat,
   28 Feb 2004 00:35:42 -0500 (EST)
  Received: from earthlink.net (dpc69190001.direcpc.com [69.19.0.1])
   by a34-mta02.direcway.com
   (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
   with ESMTP id <0HTP007WNB1HMW at a34-mta02.direcway.com> for
andrew at sonitel.com;
   Thu, 26 Feb 2004 11:56:29 -0500 (EST)
  Date: Thu, 26 Feb 2004 09:45:34 -0700
  From: munged-name at earthlink.net
  Subject: hi
  To: andrew at sonitel.com
  Message-id: <0HTP007X3B1KMW at a34-mta02.direcway.com>
  MIME-version: 1.0
  Content-type: multipart/mixed;
boundary="Boundary_(ID_fWmoYVXwj5Hmg2NEFVuHBg)"
  X-Priority: 3
  X-MSMail-priority: Normal

Your message has been enqueued and undeliverable for 1 day
to the following recipients:

  Recipient address: andrew at sonitel.com
  Reason: unable to deliver this message after 1 day


Delivery attempt history for your mail:

Fri, 27 Feb 2004 22:28:55 -0500 (EST)
Error reading SMTP packet; response to dot-stuffed message expected

Fri, 27 Feb 2004 14:20:30 -0500 (EST)
Too many failures to this host during this run; skipping this host: Basic no

Fri, 27 Feb 2004 06:17:07 -0500 (EST)
Error reading SMTP packet; response to dot-stuffed message expected

Fri, 27 Feb 2004 02:01:12 -0500 (EST)
Error reading SMTP packet; response to dot-stuffed message expected

Thu, 26 Feb 2004 21:47:06 -0500 (EST)
Error reading SMTP packet; response to dot-stuffed message expected

Thu, 26 Feb 2004 17:38:58 -0500 (EST)
Error reading SMTP packet; response to dot-stuffed message expected

Thu, 26 Feb 2004 15:28:41 -0500 (EST)
Error reading SMTP packet; response to dot-stuffed message expected

Thu, 26 Feb 2004 13:16:55 -0500 (EST)
Error reading SMTP packet; response to dot-stuffed message expected

Thu, 26 Feb 2004 12:08:47 -0500 (EST)
Error reading SMTP packet; response to dot-stuffed message expected

The mail system will continue to try to deliver your message
for an additional 2 days.


Return-path: <munged-name at earthlink.net>
Received: from a34-mta02.direcway.com by a34-mta02.direcway.com
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 id <0HTS00CH04VI5Y at a34-mta02.direcway.com>; Sat,
 28 Feb 2004 00:35:42 -0500 (EST)
Received: from earthlink.net (dpc69190001.direcpc.com [69.19.0.1])
 by a34-mta02.direcway.com
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <0HTP007WNB1HMW at a34-mta02.direcway.com> for
andrew at sonitel.com;
 Thu, 26 Feb 2004 11:56:29 -0500 (EST)
Date: Thu, 26 Feb 2004 09:45:34 -0700
From: munged-name at earthlink.net
Subject: hi
To: andrew at sonitel.com
Message-id: <0HTP007X3B1KMW at a34-mta02.direcway.com>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="Boundary_(ID_fWmoYVXwj5Hmg2NEFVuHBg)"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_fWmoYVXwj5Hmg2NEFVuHBg)
Content-type: text/plain; charset=Windows-1252
Content-transfer-encoding: 7BIT

The message contains Unicode characters and has been sent as a binary
attachment.


--Boundary_(ID_fWmoYVXwj5Hmg2NEFVuHBg)
Content-type: application/octet-stream; name=file.zip
Content-transfer-encoding: base64
Content-disposition: attachment; filename=file.zip

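As an added triage example (my own code, not part of Fred's post or anything from the DShield list): parse a bounce-shaped MIME message like the one quoted above, decode the base64 attachment, and report whether the ZIP holds a Windows executable. The leading bytes of the quoted file.zip decode to a ZIP entry named file.scr beginning with the MZ header, so the attachment is a Windows screensaver executable, which is why a Mac recipient has little to fear from opening the mail itself; the message and ZIP below are constructed stand-ins, with addresses on example.invalid.

```python
import base64
import email
import io
import zipfile
from email import policy

# Constructed sample: a ZIP holding a tiny MZ-headed stub named file.scr, mirroring
# the quoted bounce's attachment (whose base64 starts with "UEsDBAo..." = "PK\x03\x04").
def _build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("file.scr", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()

SAMPLE_MESSAGE = (
    "From: munged-name@example.invalid\r\n"
    "To: andrew@example.invalid\r\n"
    "Subject: hi\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="B1"\r\n\r\n'
    "--B1\r\nContent-Type: text/plain; charset=Windows-1252\r\n\r\n"
    "The message contains Unicode characters and has been sent as a binary\r\nattachment.\r\n"
    "--B1\r\nContent-Type: application/octet-stream; name=file.zip\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Disposition: attachment; filename=file.zip\r\n\r\n"
    + base64.encodebytes(_build_sample_zip()).decode()
    + "--B1--\r\n"
)

# Extensions Windows runs as programs; .scr (screensaver) is a PE executable.
EXEC_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")

def triage_attachments(raw: str) -> list:
    """Decode each attachment; list ZIP members and flag embedded PE (MZ) files."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        info = {"filename": part.get_filename(),
                "is_zip": data[:4] == b"PK\x03\x04", "members": []}
        if info["is_zip"]:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    head = zf.read(name)[:2]  # first two bytes of the member
                    info["members"].append({"name": name,
                                            "executable_ext": name.lower().endswith(EXEC_EXTS),
                                            "pe_header": head == b"MZ"})
        info["windows_executable"] = any(m["pe_header"] for m in info["members"])
        findings.append(info)
    return findings
```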

