Anyone know about chocolate BALLS?


txwebman
April 2nd, 2002, 12:35 AM
Ok, sounded weird but it probably caught your attention. I looked through the security databases on the web and open forums but didn't find anything. I received an email that was a recipe about making chocolate balls in the text of the message. But it then had an attachment called "floaf.exe", and it also came from someone I didn't know. Since I didn't know the person, I didn't open the attachment, and then I forwarded it to abuse@prodigy.net (the server where the original sender's email came from). Does anyone know if this was a virus or malicious attachment? Or was I just being paranoid?

It sounded really strange, .exe email attachment for a text message about a recipe.

jehnx
April 2nd, 2002, 12:39 AM
Uh...yeh, probably a virus. Tried scanning the thing, though?

11001001
April 2nd, 2002, 12:40 AM
I just checked Symantec for it, and it returned nothing.
http://securityresponse.symantec.com/avcenter/vinfodb.html/
It could be a new virus.
Either way, you did the right thing :D by not opening it and letting Prodigy Know.
Good Luck.

debwalin
April 2nd, 2002, 12:45 AM
I would have done the same thing, but then I'm psycho about my email....I deleted a message from my best friend the other day, cause she sent it from her parents house and I didn't recognize the address, and the subject was Hey you....so sometimes I may go overboard....lol.
But I would have done the same thing... :D

txwebman
April 2nd, 2002, 02:57 AM
I didn't scan the attachment; I pretty much just steered clear of it. Here's a newbie question though: even if the attachment had come back clean from the virus scan, because it was an executable file, couldn't it still have been malicious?

I received an auto reply from Prodigy, letting me know that the email had been received. The attachment was also broken down to the code level, and while there was a lot of "apparent encoding" there seemed to be some identifiable strings similar to the "REGEDIT4" string of a .reg file. I could be wrong about this but it sure looked familiar.

P.S. I watch the forum off and on a bit but don't post a whole lot, just wanted to say thanks to those who have taken the time to reply.

zigar
April 2nd, 2002, 02:58 AM
remember that a lot of virus/worm infectors come with random filenames/attachments...so floaf.exe could mean nothing...and still be dangerous...and i'd bet my last drink that it is....

rule number one....never everevereverevereverever run an exe you receive in the mail...from ANYONE...even someone you know...we all know enough about mail-everyone-in-outlook-address-book to know that even your friends can send nasty stuff...

you did the right thing...consider yourself pleased with yourself...btw....you can always run a v-scan on your attachment dir ....should tell you what you got...

jehnx
April 2nd, 2002, 02:59 AM
No prob for taking the time to say my so-called helpful sentences, hehe. And you're right in saying that it could still have been malicious. I was just asking if you had scanned it anyway, just so I'd know about the file if it came back virus-positive. You did the right thing in just sending it to them, though. Good man!

zigar
April 2nd, 2002, 03:02 AM
even if the attachment had come back clean from the virus scan, because it was an executable file, couldn't it still have been malicious?

absolutement.....it could be new...or a simple vb exe which says basically...format c: or del *.* which might not be classified as a 'virus'...

think of your computer as your tongue....someone gives you something and says go ahead...lick it...it's ok...are you going to?....
:D

txwebman
April 2nd, 2002, 03:07 AM
Hey thanks again to everyone, I didn't scan the attachment though. I pretty much stay clear of .exe files. I unfortunately share the system with others and have made it a point as the self appointed B.M.O.C. (big mutha on computer), that they also not open .exe files. This particular attachment was on another users email and was brought to my attention. I forwarded the email to Prodigy and deleted it from the system, lots of precaution has kept this system virus free for almost 3.5 yrs. I appreciate all the advice from everyone.

txwebman
April 2nd, 2002, 03:36 AM
:eek: After the replies I got on this discussion, I got to thinking, while I did not scan or open the attachment "floaf.exe", I went back to the Norton report log and found that the file was an infected attachment:

Date: 4/1/02, Time: 08:37:30, ###### on OEMCOMPUTER
The email attachment fLOAF.exe is infected with the W32.Magistr.39921@mm virus.
The file was repaired.

Apparently the user whose email this was sent to either attempted to open the attachment (argh!!!) or Norton caught the infected file when the email was retrieved from the server. I'm sure that Prodigy would catch it and send a reply, but that saves me some additional thumb twiddling and unnecessary searching of the net.

Thanks to all who replied for at least getting me to think about some other possibilities and finding out more about this virus and viruses in general.

Thumbs up to the board!!!

P.S. ac1dsp3ctrum, I will post the Prodigy reply as soon as I get it, if it helps anyone out in watching out for the origin of the email.

ac1dsp3ctrum
April 2nd, 2002, 03:36 AM
txwebman, is it possible for you to post the reply that Prodigy sent you on the boards (excluding headers and email addys of course) It would be interesting to see :)

Kindred69
April 2nd, 2002, 03:59 AM
Some info on the virus found, so anyone reading this post doesn't have to go off to find it. This was just copied and pasted from the source site.

Kindred69

source: http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html


W32.Magistr.39921@mm
Discovered on: September 3, 2001
Last Updated on: March 8, 2002 at 07:31:44 AM PST

Due to an increased number of submissions, Symantec has upgraded this virus to a Category 3 rating on September 6, 2001.

W32.Magistr.39921@mm is a variant of W32.Magistr.24876@mm.


Also Known As: I-Worm.Magistr.b, W32.Magistr.B@mm, W32/Magistr.b@MM, Magistr.32768@mm, PE_Magistr.B, W95/Magistr.28672@mm
Type: Virus, Worm
Infection Length: 39,921 bytes

Virus Definitions (Intelligent Updater): September 4, 2001
Virus Definitions (LiveUpdate(TM)): September 4, 2001



Wild:

Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Damage:

Payload:
Large scale e-mailing: Uses email addresses from the Windows and Eudora Address Book files, Outlook Express Sent Items folder, and Netscape Sent Items files.
Causes system instability: Overwrites hard drives, erases CMOS, flashes the BIOS.
Releases confidential info: It could send confidential Microsoft Word documents to others.
Distribution:

Subject of email: Randomly generated text that can be up to 60 characters long.
Name of attachment: One randomly named infected executable and several randomly selected text or document files
Target of infection: All Windows PE files that are not .dll files.

Technical description:

Here is a list of the additional features and behavioral differences between W32.Magistr.39921@mm and W32.Magistr.24876@mm:

Aware of Eudora address books (listed in Eudora.ini.)
Deletes *.ntz while searching for files.
Attempts to disable ZoneAlarm's user interface (this does not disable the ZoneAlarm firewall functionality).
Adds an entry to the Shell=explorer.exe line in the Boot section of System.ini, calling the W32.Magistr.Trojan. In some cases, it may add one or more registry entries.
Searches for more Windows folders (Winnt, Windows, Win95, Win98, Winme, Win2000, Win2k, Winxp.)
Emails an attachment that has a random extension (.exe, .bat, .pif, or .com.)
Occasionally attaches .gifs to emails.
The payload overwrites the files Ntldr (Windows NT/2000/XP) and Win.com (all Windows 32 OSs) on all drives with code that causes it to store garbage data in the first sector of the first IDE hard drive.



Removal instructions:


To remove W32.Magistr.39921@mm and the Trojan that it drops, run NAV and repair any infected files. Files that cannot be repaired should be deleted. Then remove the W32.Magistr.Trojan entry in the Shell= line of System.ini and any entries that it added to the registry.

To remove W32.Magistr.39921@mm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. If any files are detected as infected by W32.Magistr.39921@mm, write down the file names and then click Repair. Files that cannot be repaired should be deleted. If necessary, restore any deleted files from a clean backup.

CAUTION: Files detected as W32.Magistr.Trojan (note the Trojan extension) must be restored from backup copies or extracted from the original installation CD. (These are the system files Ntldr and Win.com. Ntldr is found on Windows NT/2000/XP computers. Win.com is found on all Windows 32 OSs). Your system will not function properly without them. For information on how to do this, refer to your Windows documentation, or to one of the following documents:
How to extract files in Windows 98 and Windows Me.
How to extract files using Windows 2000 or Windows NT 4.0.

To remove the W32.Magistr.Trojan entry from the System.ini:
1. During the scan with NAV, note the name of any files infected by W32.Magistr.Trojan.
2. Click Start, and click Run.
3. Type the following, and then click OK.

edit c:\windows\system.ini

The MS-DOS Editor opens.

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

4. In the [boot] section of the file, look for the following entry

shell=Explorer.exe

5. Position the cursor immediately to the right of Explorer.exe.
6. Press Shift+End to select all of the text to the right of Explorer.exe and then press Delete.
7. Click File, and Exit.
8. Click Yes when you are prompted whether to save the changes.

NOTE: If you still have problems after following these removal instructions, follow the instructions in the Removal section of W32.Magistr.24876@mm.

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, look for a value that has a random file name with the .exe extension, and that points to the \WinNT\System or \Windows\System folder. This may be the name of a file that was detected as W32.Magistr.39921@mm when you ran the full system scan.
5. Delete any such values that you find.
6. Do one of the following:
If you are running Windows 95/98/Me, click Registry, and then click Exit.
If you are running Windows NT/2000/XP, go on to step 7.

7. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon


8. In the right pane, double-click the following value:

Shell

9. Look in the value data box. It should contain only the text Explorer.exe, as shown.



10. If it contains any text to the right of Explorer.exe, for example, warm.exe,



remove that text so that only Explorer.exe remains, as shown in step 9.

11. Click Registry, and then click Exit.
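
As an added example (not from the thread or from the Symantec write-up), two offline checks that mirror the removal steps above: inspect the shell= line in the [boot] section of System.ini for anything after Explorer.exe, and flag Run-key values whose data is an .exe under the \Windows\System or \WinNT\System folder. The System.ini text and Run values are constructed samples, not data from a real machine.

```python
import re

# Constructed System.ini fragment in the state the write-up describes
# (extra text after Explorer.exe on the shell= line).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe warm.exe
[386Enh]
ebios=*ebios
"""

# Constructed Run-key values (name -> data) as regedit would list them.
SAMPLE_RUN_VALUES = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "qwjmr": r"C:\WINDOWS\SYSTEM\qwjmr.exe",
}


def shell_line_extra(system_ini_text):
    """Return whatever follows Explorer.exe on the [boot] shell= line.
    '' means the line is clean or absent; a value that does not start
    with Explorer.exe is returned whole so that it gets looked at."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and line.lower().startswith("shell="):
            value = line.partition("=")[2].strip()
            m = re.match(r"explorer\.exe\s*(.*)$", value, re.IGNORECASE)
            return m.group(1).strip() if m else value
    return ""


def suspicious_run_values(run_values):
    """Names of Run values whose data is an .exe under \\WinNT\\System or
    \\Windows\\System. Compare each against the names written down during
    the full scan before deleting anything; this only narrows the list."""
    pat = re.compile(r"\\(winnt|windows)\\system\\[^\\]+\.exe\s*$", re.IGNORECASE)
    return sorted(name for name, data in run_values.items() if pat.search(data))


if __name__ == "__main__":
    print("shell= extra text:", repr(shell_line_extra(SAMPLE_SYSTEM_INI)))
    print("Run values to review:", suspicious_run_values(SAMPLE_RUN_VALUES))
```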

zigar
April 2nd, 2002, 04:33 AM
sigh...all this and it was just magistr...hehe...nothing at all to be worried about provided your av defs are up to date...while magistr is nasty...and still very active...it's old news to av software....

got a magistr infected attachment today...from a lawyer...with private, probably confidential information...silly man...

btw...there is a 99% chance whoever "sent" you magistr had no idea....send them a note...let em and know....

souleman
April 2nd, 2002, 05:17 AM
Like Zigar said, most of the time you get a virus sent to you, the sender doesn't know it. You would be amazed at the number of times I have had to contact other companies to get them to clean up their systems (6 different companies because of SirCam). Normally they are very thankful, but sometimes they try to deny it came from them (until you contact their ISP and get a copy of their router logs ;))

Always be wary of any executable attachment, whether it is .exe, .scr, .lnk, etc. Many virii are changing their executable names, and also have many different options for the email message. Many are now coming from people you know, so just because your sister sends you a file, don't assume anything. Always verify it. Call her, or send her a message asking if she meant to send you the file. Finally, don't always trust your AV software. My company got BadTrans and Goner both sent to us at least 24 hours before I saw the first warning, and 36 hours before I was able to get an update. Fortunately, I have gotten my end users well trained.