I got this email sent directly to me and it had an attachment. The attachment was a virus: the W32.Magistr.24876@mm worm. If any of you get this email sent directly to you, don't run the attachment!!!

The attached file will be named: Kalkaji.com

Below is a paste from Symantec about the virus...

-Steve Gregory-


When a file that is infected by W32.Magistr.24876@mm is executed, it searches in memory for a readable, writable, initialized section inside the memory space of Explorer.exe. If one is found, a 110-byte routine is inserted into that area, and the TranslateMessage function is hooked to point to that routine. This code first appeared in W32.Dengue.

When the inserted code gains control, a thread is created and the original TranslateMessage function is called. The thread waits for three minutes before activating. Then the virus obtains the name of the computer, converts it to a base64 string, and depending on the first character of the name, creates a file in either the \Windows folder, the \Program Files folder, or the root folder. This file contains certain information, such as the location of the email address books and the date of initial infection. Then it retrieves the current user's email name and address information from the registry (Outlook, Exchange, Internet Mail and News), or the Prefs.js file (Netscape). The virus keeps in its body a history of the 10 most recently infected users, and these names are visible in infected files when the virus is decrypted. After this, the virus searches for the Sent file in the Netscape folder, and for .wab, .mbx, and .dbx files in the \Windows and \Program Files folders.

If an active Internet connection exists, the virus searches for up to five .doc and .txt files and chooses a random number of words from one of these files. These words are used to construct the subject and message body of the email message. Then the virus searches for up to 20 .exe and .scr files smaller than 128 KB, infects one of these files, attaches the infected file to the new message, and sends this message to up to 100 people from the address books. In addition there is a 20-percent chance that it will attach the file from which the subject and message body were taken, and an 80-percent chance that it will add the number 1 to the second character of the sender address. This last change prevents replies from being returned to you and possibly alerting you to the infection.




??????

Anil Kher wrote:

> Dear Sir ,
>
> Due to space problem we have now moved from G-4A,Kalkaji to the following address.:-
>
> BHARTI TELETECH LTD.
> C-87, BASEMENT
> NEAR PETROL PUMP/
> POLICE STATION
> KALKAJI
> NEW DELHI – 19.
> TELEPHONE NO. : 6233113
>
> CONTACT PERSON: MR. VIJAY SINGH NEGI.
>
> WE HOPE THAT YOU SURELY SUPPORT US IN SENDING THE MATERIALS PERTAINING TO LUDHIANA FACTORY IN THE ABOVE ADDRESS WITH IMMEDIATE EFFECT.
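
A mail-triage check built from the two traits in the Symantec description above (an executable attachment, and a sender address whose second character has been shifted by one), as an added example that is not part of the original posts or of Symantec's write-up. It assumes "add the number 1 to the second character" means incrementing that character's code; the function names, the example.com addresses and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# .exe/.scr are the host types named in the write-up; .com is the extension of
# the attachment reported in this thread (Kalkaji.com).
RISKY_EXT = (".exe", ".scr", ".com")

def unshift_sender(addr):
    """Undo the sender mutation, read here as 'second character code + 1' (assumption)."""
    if len(addr) < 2 or ord(addr[1]) == 0:
        return addr
    return addr[0] + chr(ord(addr[1]) - 1) + addr[2:]

def triage(raw_message, known_contacts):
    """Return (kind, detail) findings for one RFC 822 message given as text."""
    msg = message_from_string(raw_message)
    known = {c.lower() for c in known_contacts}
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    restored = unshift_sender(sender)
    # A sender that is unknown, but becomes a known contact once the shift is undone.
    if sender not in known and restored in known:
        findings.append(("shifted-sender", f"{sender} looks like {restored}"))
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # The 128 KB limit in the write-up applies to the host file before
        # infection, so the size is reported here rather than filtered on.
        size = len(part.get_payload(decode=True) or b"")
        if name.lower().endswith(RISKY_EXT):
            findings.append(("executable-attachment", f"{name} ({size} bytes)"))
    return findings

def constructed_sample():
    """Constructed test message: inert placeholder bytes, example.com addresses."""
    m = EmailMessage()
    m["From"] = "aoil@example.com"   # anil@example.com with 'n' -> 'o'
    m["To"] = "steve@example.com"
    m["Subject"] = "moved address"
    m.set_content("Due to space problem we have now moved.")
    m.add_attachment(b"\x00" * 512, maintype="application",
                     subtype="octet-stream", filename="Kalkaji.com")
    return m.as_string()

if __name__ == "__main__":
    for kind, detail in triage(constructed_sample(), ["anil@example.com"]):
        print(kind, detail)
```

Because the mutation only happens in some messages, a clean sender address does not clear a message; the attachment finding stands on its own.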