<OT> Mail Interception: incoming E-mail contained a virus
UCSD virus scanner
VirusScan@ucsd.edu
Tue, 3 Jun 2003 00:48:48 -0700 (PDT)
--UCSD_MailScan_mailbox2.ucsd.edu_v1.2.7_1054626528_60566
Content-Type: Text/Plain
Content-Transfer-Encoding: 7Bit
Content-Disposition: inline
Content-Description: Virus Interception Notice in plaintext
This is a message from the UCSD E-Mail Virus Protection Service
---------------------------------------------------------------

Our virus scanner indicates that an attachment or part of an E-mail
message addressed to you was infected with a virus, so THAT part of
the message has been removed from your mail.

This does NOT mean that your computer has a virus.

The rest of the original message is enclosed below.

The *INFECTED* attachment file is being held in quarantine.
If you do not want this file, you need do nothing
further and it will be destroyed automatically after 30 days.

The mail scanner program may (rarely) remove a valid attachment to a
message, part of which coincidentally resembled a known virus. If you need to
retrieve a removed message part, please read the following:

The attachment you download is likely to still be infected.
Please use EXTREME CARE in handling it.
To download the attachment, please use your browser to access:
has been quarantined and is retrievable at
HTTP://WWW-NO.UCSD.EDU/Q?c681a8d6e2e85d2b7bd67184b467eef3.gz
(scan reported VIRUS W32/Sobig-C Found in file ./5.b64)
If you do not have a Web browser, you may use anonymous FTP to
connect to FTP.UCSD.Edu and GET the file directly.

/quarantine/c681a8d6e2e85d2b7bd67184b467eef3.gz

The /quarantine directory cannot be listed, so you must
specifically retrieve the file by the name given above.

Note that in all cases the file name of the original attachment has
been changed, and the file contents compressed with GNUZip. This
was done to help prevent it from infecting your system automatically
should you actually download it.

The original message headers and the uninfected portion of the
contents follow. Please remember that the To: and From: addresses in
infected E-mail are often forgeries. It is not unusual for the author
or site shown in the message to have no knowledge nor actual
responsibility for the message you received.

Following the original message (below), there is a technical data summary
which contains information our help desk personnel will need if you
call with questions about this interception.

VirusScan@UCSD.Edu
Office of Network Operations
Academic Computing Services
University of California, San Diego
+1 858 534-1857
--UCSD_MailScan_mailbox2.ucsd.edu_v1.2.7_1054626528_60566
Content-Transfer-Encoding: 7Bit
Content-Type: Message/RFC822
Content-Disposition: inline
Content-Description: Incoming E-mail message after disinfection.
(Expires Sat, 28 Jun 2003 00:48:48 -0700 (PDT))
Received: from USERS ([211.208.143.126])
by mailbox2.ucsd.edu (8.12.9/8.12.3) with ESMTP id h537mfnZ061742
for <optimal@ucsd.edu>; Tue, 3 Jun 2003 00:48:41 -0700 (PDT)
From: <biniazang@daum.net>
To: <optimal@ucsd.edu>
Subject: Re: 45443-343556
Date: Tue, 3 Jun 2003 16:49:56 +0900
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="CSmtpMsgPart123X456_000_005405D5"
X-Spamscanner: mailbox2.ucsd.edu (v1.2 May 26 2003 01:55:38, 1.6/5.0 2.55)
X-Spam-Level: Level *
This is a multipart message in MIME format
--CSmtpMsgPart123X456_000_005405D5
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Please see the attached file.
--CSmtpMsgPart123X456_000_005405D5
Content-Type: Message/External-Body;
Access-Type="ANON-FTP"; Site="mailbox2.ucsd.edu"; Directory="/quarantine";
Name="/quarantine/c681a8d6e2e85d2b7bd67184b467eef3.gz";
Expiration="Sat, 28 Jun 2003 00:48:48 -0700 (PDT)";
Mode="IMAGE"
Content-Disposition: Attachment
Content-Transfer-Encoding: Binary
Content-Description: Quarantined file "45443.pif"
Content-Type: Application/Octet-Stream;
Filename="p/quarantine/c681a8d6e2e85d2b7bd67184b467eef3.gz"
Content-ID: <h537mfnZ061742>
Content-Transfer-Encoding: Binary
Content-Description: CAUTION: Infected file
--CSmtpMsgPart123X456_000_005405D5
Content-Transfer-Encoding: 7Bit
Content-Type: Text/Plain
Content-Disposition: inline
Content-Description: Interception Technical Information
If you call our helpdesk, please have the following
technical information to hand:
mailscan Version 1.2.7 on mailbox2.ucsd.edu at Tue Jun 3 00:48:48 2003
Scan results for h537mfnZ061742 <unknown>
7 parts: 6 clean, 1 virus, 0 filetrap, 0 error
part 0: CLEAN ./qfh537mfnZ061742
part 1: CLEAN ./dfh537mfnZ061742
part 2: CLEAN ./1.preamble
part 3: CLEAN ./2.header
part 4: CLEAN ./3.plain
part 5: VHEAD
part 6: VIRUS W32/Sobig-C Found in file ./5.b64
start=372, end=-1
file=5.b64
tftp=/nfs/ftp/quarantine/c681a8d6e2e85d2b7bd67184b467eef3.gz
af=45443.pif
Original Message headers:
> Received: from USERS ([211.208.143.126])
> by mailbox2.ucsd.edu (8.12.9/8.12.3) with ESMTP id h537mfnZ061742
> for <optimal@ucsd.edu>; Tue, 3 Jun 2003 00:48:41 -0700 (PDT)
> From: <biniazang@daum.net>
> To: <optimal@ucsd.edu>
> Subject: Re: 45443-343556
> Date: Tue, 3 Jun 2003 16:49:56 +0900
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="CSmtpMsgPart123X456_000_005405D5"
> X-Spamscanner: mailbox2.ucsd.edu (v1.2 May 26 2003 01:55:38, 1.6/5.0 2.55)
> X-Spam-Level: Level *
--CSmtpMsgPart123X456_000_005405D5--
--UCSD_MailScan_mailbox2.ucsd.edu_v1.2.7_1054626528_60566--