
Troops.bat Virus?


Sorry if this is the wrong place but I wanted to get this out to as wide a distribution as possible. I just got an email with the following message: <blockquote>You most likely would want to assign a value of zero for the opposing side since the enemy doesn't receive any reward for taking a supply source. You could assign a value for the opposing side if you wanted to reward them for breaking through the enemy lines and breaching their territory.</blockquote> There was an attachment called "Troops.bat" that was listed as an MS-DOS Batch file.

Since I'm not dealing with any games that use supply right now I was suspicious and didn't open the file but emailed the sender. He replied that he hadn't sent it or anything to me and I certainly didn't recognize his email. I haven't (and won't) open that file since I'm not sure if my virus software will pick it up.

The disturbing thing about this is, of course, the wargaming tone of the thing. While we are all on the lookout for the more generic bogus emails, this one is pretty specific.

Maybe I need to stop posting on the General Forum about the War :)

Joe

Link to comment
Share on other sites

I think that's the Code Red worm. I think it uses names of files on your hard drive, makes a little virus package and then the virus sends itself out to everyone in your address book.

I had the problem for a while after it hit. Qwest, my DSL provider, got hit and gave it to me. Lucky nobody who received it from my computer was dumb enough to open it.

Link to comment
Share on other sites

Got one too just now. Only the file is called 'handle.bat'

Enclosed text is yet again military oriented, though different than Joe's:

Thanks to several players who sent us saved games).

CAMPAIGNS: The Weapon Purchase Screen will now correctly show the number of attacks that a unit participated in during the previous battle. These display as bullet holes on the flip side of the leader's portrait, just as during gameplay.

Guess I'd better reply to the sender...

Link to comment
Share on other sites

Just got one.

Here is the text:

Combat VP derive from many variables. The base amount awards you 1 VP for each enemy killed or wounded, and penalizes you 0.75 VP for each friendly loss. This base number is modified by adding the overall percentage of casualties suffered by the unit in the battle so far times the number of casualties just sustained. Example: an enemy unit that began the battle with 1000 men has already suffered 200 casualties.

Mail originated from jfson@viaccess.net with a reply to jgson@viaccess.net.

Those are fakes and parsing of the headers told me that the most likely culprit is 208.30.98.79 who can't be traced to the last hop.

The attached file was Signals.pif.

Since I'm firewalled and use an anti-virus, the infected file was detected and deleted before I even had the chance to read my mail...

It seems that someone is after wargamers.

Take care, go download a demo version of some anti-virus software and install ZoneAlarm.

Link to comment
Share on other sites

Gentleworms:

I got this from my AV vendor at www.antivirus.com

(don't know how to do the link thing)

Virus Encyclopedia

TROJ_SIRCAM.A

Aliases:

SCAM.A, TROJ_SCAM.A,

W32.Sircam.Worm@mm

Description:

This worm is a high-level program created in Delphi that propagates via email using SMTP commands. It sends copies of itself to all addresses listed in an infected user's address book and in temporary Internet cached files. It arrives with a random subject line, and an attachment by the same name.

Bolding added.

Looks Like Sircam, Guys. The attachments fit with what Sircam does: adds a .pif, .bat, or .exe to a random file. Then sends itself with a subject line of the same name as the file.

It amazes me that people don't keep their pattern files updated. Trend Micro has a free scanner that will run from their site if you do not have AV installed or if your pattern files are out of date.

Peng
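An added example, not part of any post in this thread: Python that triages a saved message the way the posts above describe, flagging attachments with the .pif, .bat or .exe extensions Peng lists and pulling the relay IPs out of the Received headers, oldest hop first. The sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from pathlib import PurePosixPath

# Extensions named in this thread as the ones the worm appends.
RISKY_EXTENSIONS = {".pif", ".bat", ".exe"}

# Constructed sample (not a real capture); documentation IPs and domains.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP; Tue, 6 Nov 2001 10:02:11 -0500
Received: from desktop (unknown [198.51.100.23])
\tby mx.example.net with SMTP; Tue, 6 Nov 2001 10:02:05 -0500
From: someone@example.net
Subject: Normally You Would Want To Assign
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You most likely would want to assign a value of zero...
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Troops.bat"

placeholder
--b1--
"""

def risky_attachments(msg):
    """Attachment names whose final extension is in RISKY_EXTENSIONS."""
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [n for n in names if PurePosixPath(n.lower()).suffix in RISKY_EXTENSIONS]

def relay_ips(msg):
    """Bracketed IPs from Received headers, oldest hop first."""
    # Each relay prepends its own header, so the last one is the oldest.
    # Only hops recorded by servers you trust are reliable; older ones can be forged.
    ips = []
    for header in reversed(msg.get_all("Received", [])):
        ips.extend(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header))
    return ips

def triage(raw):
    msg = message_from_string(raw)
    return {"risky": risky_attachments(msg), "hops": relay_ips(msg)}
```
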

Link to comment
Share on other sites

<blockquote>It arrives with a random subject line, and an attachment by the same name.</blockquote> Hmmm, well you certainly know more about this than I do Peng BUT ... the subject on mine was "Normally You Would Want To Assign." while the file attachment was "Troops.bat"

In addition, all of the emails so far have been wargame related. As I say, I don't know much about this but from your description it doesn't seem to fit.

Joe

Link to comment
Share on other sites

<blockquote>Originally posted by Stuka:

Damn right, let's drop Bauhaus on 'em!</blockquote>

Why not Shaw too? Or the worst thing ever spawned by the netherworlds, the Pod himself.

[Edited to bring you that much closer to blindness from staring at this screen.]

[ 11-06-2001: Message edited by: panzerwerfer42 ]

Link to comment
Share on other sites

Mine was W32.Sircam.Worm@mm.

As the Pod said in his own colloquial Penguism, get an Anti-virus and keep the Virus Definition File up to date.

Mine was or I wouldn't have stopped it.

Even though it is SIRCAM, I don't believe it is strictly coincidental.

The wargamer oriented text of the mail fits too closely with our community for it to be random.

Regular subject/text are the classical "Here is the memo you requested" or "Check this it's too funny".

In any case, you should never open an attachment you weren't expecting when the subject/text is weird to the extreme.

Unless you're playing Seanachai that is...

For those who still have the offending mail, do a cut and paste of the headers and send it to me so that I could do a cross trace and report the abuse to the ISP.

[ 11-06-2001: Message edited by: PawBroon ]

Link to comment
Share on other sites

<blockquote>Originally posted by Kurtz:

Some viruses pick text from documents in the "My Documents" folder, thus making it look more authentic. This could be the explanation to the wargaming text.</blockquote>

Nah, I've got nothing in the "My Documents" folder that doesn't have "oh, baby, baby, baby," or "Of course I'll respect you in the morning" in it. Seriously, it's possible I suppose, but it certainly does appear to be targeted.

Pawbroon, as to emails not making sense ... that would pretty much eliminate anything from you, wouldn't it? Again, seriously, I'll see if I can pull the header info and send it to you, thanks for the help.

Lawyer, I was too clever for you, I didn't open it ... the forces of GOOD shall prevail.

Joe

Link to comment
Share on other sites

Got one of these myself about a month ago.

The heading was "Here are the numbers you requested".

The file was "CMTargetVariables.bat"

The text of the message read:

"From these figures you can discover relative chances to hit depending on distance, type of cover and depth in said cover."

Be careful, fellas.

Link to comment
Share on other sites

<blockquote>Originally posted by Joe Shaw:

Nah, I've got nothing in the "My Documents" folder that doesn't have "oh, baby, baby, baby," or "Of course I'll respect you in the morning" in it. Seriously, it's possible I suppose, but it certainly does appear to be targeted.</blockquote>

Ehh... I don't think there are viruses that can extract the "dialogue" from movies. :D

But seriously, the text is picked from documents on the sender's computer. So if the unfortunate sender is a wargamer, this is a possible explanation.

Link to comment
Share on other sites

I had just read this post last night, so I was aware of the possibility....

Tonight's incoming had just such a mail, with a .pif attachment, and going on about range and dice roll or something.

Thanks for the timely warning guys, and a big bump so the others see this.

I hope the perpetrator's pc melts :mad:

[ 11-07-2001: Message edited by: Wittmann ]

Link to comment
Share on other sites
