Virus Warning learning-org-digest V1 #2879 LO29259

From: Richard Karash (
Date: 10/03/02

Replying to LO29251 --

I've done a little more research on this... it is the W32/Bugbear@MM

I suspect, from the way this virus works, that the bogus Digest issue
w/virus was sent to many people who have posted messages on the LO list. I
received two bogus messages in my personal mail, and I have similar
reports from a couple of you readers.

If you have either of these messages, delete them (without viewing).
  - Subject: learning-org-digest V1 #2879
  - Subject: learning-org-digest V1 #2856

For information about this virus, see

This is a new and dangerous virus which has appeared in the past few days.
For what it's worth, the worm exploits a security hole in Microsoft
products which was publicized in March. Microsoft has updates available to
close the hole, but Microsoft's updates are a very confusing tangle.

The W32/Bugbear@MM virus finds email addresses and recent messages on an
infected machine. It sends a new virus-laden message using a recent
subject line and "from" address to every address it finds. This is
especially dangerous for us because the message appears to be our normal
digest distribution (if you don't look closely). If your address was on
the infected machine, you probably received the messages above. If you've
posted on the LO list, and the recipient saved your message, the virus
probably found your address.

The virus also propagates through network shares. It has a keyboard
listening feature designed to capture passwords, account numbers, etc. The
descriptions are scary enough that I wonder if this virus was created by
someone with resources behind them, not a lone hacker in a closet!

These viruses and spam are a real threat to practical use of email and
mailing lists like ours!

Update your virus protection!

   -=- Rick

>i have just received the attached message - with a virus-infected
>attachment - thomas.doc.scr - that may have been sent to the entire
>subscription base of
>if the attachment was not deleted automatically by your virus protection
>program, please delete the file and update your anti-virus software - or
>install anti-virus software if you do not already have it installed.
>robert pollard
>[Host's Note: This is the second report I've received of this rogue
>message. The file Robert mentions, thomas.doc.scr, is certainly a type
>that is used to distribute viruses. Please be assured that the virus-laden
>message was not distributed from our server... You can see the wrong
>"From" address in the msg below, but even that can be faked. I highly
>doubt that anyone but me can see the subscriber list. As I've said before,
>beware of strange email msgs. ..Rick]


Richard Karash ("Rick") | <> Speaker, Facilitator, Trainer | "Towards learning organizations" | Host for Learning-Org Discussion (617)227-0106, fax (617)812-5365 | <>

With reluctance, mail to is being filtered for SPAM/Virus.

Learning-org -- Hosted by Rick Karash <> Public Dialog on Learning Organizations -- <>

"Learning-org" and the format of our message identifiers (LO1234, etc.) are trademarks of Richard Karash.