From jwc at snf.stanford.edu  Wed Mar 16 10:35:27 2005
From: jwc at snf.stanford.edu (James Conway)
Date: Wed, 16 Mar 2005 10:35:27 -0800
Subject: [Fwd: MESSAGE COULD NOT BE DELIVERED]
Message-ID: <42387C6F.2020700@snf.stanford.edu>

Gentlemen and if watching Gentle ladies:

I am receiving many messages like this presumably from the host 
fotofab.com but they appear to be coming through our mail server.  For 
your protection I have deleted the attachment named document.zl6.
I have it quarantined on my computer if you wish to examine it or 
headers more fully. I plan to ditch it at the end of the day.

james conway


Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: W32.Mydoom.L at mm
File:  C:\DOCUME~1\JWC\LOCALS~1\TEMP\nsmail.tmp
Location:  Quarantine
Computer:  EL-WIZARD
User:  jwc
Action taken:  Clean failed : Quarantine succeeded : Access denied
Date found: Wed Mar 16 10:31:17 2005

-------- Original Message --------
Subject: 	MESSAGE COULD NOT BE DELIVERED
Date: 	Wed, 16 Mar 2005 08:59:17 -0600
From: 	Automatic Email Delivery Software <MAILER-DAEMON at snf.stanford.edu>
To: 	jwc at snf.stanford.edu



The original message was received at Wed, 16 Mar 2005 08:59:17 -0600
from snf.stanford.edu [15.15.166.93]

----- The following addresses had permanent fatal errors -----
<jwc at snf.stanford.edu>




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://snf.stanford.edu/pipermail/computer/attachments/20050316/4336140f/attachment.html>

From jwc at snf.stanford.edu  Thu Mar 17 12:53:09 2005
From: jwc at snf.stanford.edu (James Conway)
Date: Thu, 17 Mar 2005 12:53:09 -0800
Subject: [POSSIBLE VIRUS:###] Interview with Robert Dean
In-Reply-To: <20050317192453.29B6013DA8@cis.Stanford.EDU>
References: <20050317192453.29B6013DA8@cis.Stanford.EDU>
Message-ID: <4239EE35.3060507@snf.stanford.edu>

janine:

You likely have a virus in your email attachment resume2.doc.zm9 file 
and your system may have been compromised.
I have been seeing a lot of this problem with attachments on the network 
this week.

Please update your virus definitions and run spy sweeper.
I would recommend you go to the stanford essential system software and 
download and install all the appropriate spy ware and antivirus software 
they recommend.

Could you please printout the resume for me and drop it off to me when 
you can.

Thank you,

James Conway




Janine Hannibal wrote:

>Hello Everyone,
>As per Paul's message, I will be setting up an interview with Robert Dean.
>Will you let me know several available days/times so I can have him come in
>to see as many of you as possible in one visit?
>
>Thanks so much for your assistance.
>Janine
>
>____________________________________________________________________________
>___________________________________________________
>Janine Hannibal . Stanford University . 330 Serra Mall . Room CISX204 .
>Stanford, CA . 94305-4075 . ph:650-724-0068 . janineh at stanford.edu
>-----Original Message-----
>From: Paul Rissman [mailto:rissman at stanford.edu] 
>Sent: Thursday, March 17, 2005 11:20 AM
>To: Janine Hannibal
>Cc: Mary Tang; John Shott; jwc at stanford.edu; Mahnaz Mansourpour; Ed Myers;
>Robert Dean
>Subject: Fwd: [POSSIBLE VIRUS:###] process and ebeam guy
>
>Hi Janine,
>
>Can you setup an interview with (Mary/John/Mahnaz/James Conway/Ed) with 
>Robert Dean?
>
>Thanks,
>
>Paul
>
>  
>
>>X-Sieve: CMU Sieve 2.2
>>X-Ironport-AV: i="3.90,114,1107763200";
>>   d="scan'208,32,48"; a="106900170:sNHT48841956"
>>To: rissman at stanford.edu
>>Subject: [POSSIBLE VIRUS:###] process and ebeam guy
>>Sensitivity:
>>X-Mailer: Lotus Notes Release 6.5.2 June 01, 2004
>>From: Robert_Dean at Etec.com
>>Date: Thu, 24 Feb 2005 10:08:49 -0800
>>X-MIMETrack: Serialize by Router on EMAUSTGW02/APPLIED MATERIALS(Release 
>>6.5.2|June 01, 2004) at
>> 02/24/2005 12:08:53 PM
>>
>>
>>Hi Paul,
>>
>>I got an email from Bob Sills about a job possibilty in your group at 
>>Stanford. The job, as it is described, is to interface with vendors, do 
>>processing and exposures. This sounds like a good fit to me as I have been 
>>doing resist development, process development and e-beam evaluation on all 
>>MEBES tools for 20 years at Etec. As of the end of March I will not be at 
>>Applied/Etec and will be looking for a job. I've taken the liberty of 
>>attaching a resume.  I do need a couple of things. First, the job must be 
>>full time and second I have a minimum salary requirement that must be met. 
>>If you are interested or want to talk about it give me a call.
>>
>>Thanks,
>>
>>Robert Dean
>>(510) 552-0443
>>
>>
>>
>>
>>
>>The content of this message is Applied Materials Confidential.  If you are 
>>not the intended recipient and have received this message in error, any 
>>use or distribution is prohibited.  Please notify me immediately by reply 
>>e-mail and delete this message from your computer system.  Thank you.
>>    
>>


From jwc at snf.stanford.edu  Fri Mar 18 09:23:56 2005
From: jwc at snf.stanford.edu (James Conway)
Date: Fri, 18 Mar 2005 09:23:56 -0800
Subject: [POSSIBLE VIRUS:###] Interview with Robert Dean
In-Reply-To: <20050317221108.45DB613DA7@cis.Stanford.EDU>
References: <20050317221108.45DB613DA7@cis.Stanford.EDU>
Message-ID: <423B0EAC.6030409@snf.stanford.edu>

Hello Janine:



Just for your information:

The virus was contained in the Resume.doc and appears with a 
filename.***.zlo extension. (Resume.doc.zlo)  I identified it this 
morning as the W32.MYDOOML at mm virus and today's semantic antivirus 
definitions file has this new variant's definition in it's package. 
These are old yet persistent level two viruses that have been wandering 
around and creating backdoors on many systems.

I too run the same software including spysweeper on my system and it did 
not catch it as of yesterday until the noon sweep I ran on my system 
just after I received your message.   On launch of my PC today it 
flagged me again as evidently the attachment and your previous email was 
not deleted from the trash directory of my mailer app. despite me 
manually deleting it.

  The SNF network and SU has been swamped with these problems since 
about noon Thursday last week.

I have also seen several others on several other PC's I administrate 
this week at SNF:
 Alexa 
<http://securityresponse.symantec.com/avcenter/venc/data/spyware.alexa.html> 
-- W32.NETSKY at dd 
<http://www.sarc.com/avcenter/venc/data/w32.netsky.u at mm.html> --several 
morphs of W32.MYDOOML at mm 
<http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.l at mm.html>   
--> [Removal tool information 
<http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom at mm.removal.tool.html>] 
I attached the removal tool for this one.

I see other email from you in the queue. 

If you have a clean copy of the resume.doc go ahead and send it to me again.

Thank you,

James Conway


Janine Hannibal wrote:

>James,
>
>I appreciate your concern but I run a virus program (with updated
>definitions) and spysweeper every single day. I do not have a virus.
>
>Thank you.
>Janine
>
>____________________________________________________________________________
>___________________________________________________
>Janine Hannibal . Stanford University . 330 Serra Mall . Room CISX204 .
>Stanford, CA . 94305-4075 . ph:650-724-0068 . janineh at stanford.edu
>
>-----Original Message-----
>From: James Conway [mailto:jwc at snf.stanford.edu] 
>Sent: Thursday, March 17, 2005 12:53 PM
>To: janineh at stanford.edu
>Cc: computer at snf.stanford.edu
>Subject: Re: [POSSIBLE VIRUS:###] Interview with Robert Dean
>
>janine:
>
>You likely have a virus in your email attachment resume2.doc.zm9 file 
>and your system may have been compromised.
>I have been seeing a lot of this problem with attachments on the network 
>this week.
>
>Please update your virus definitions and run spy sweeper.
>I would recommend you go to the stanford essential system software and 
>download and install all the appropriate spy ware and antivirus software 
>they recommend.
>
>Could you please printout the resume for me and drop it off to me when 
>you can.
>
>Thank you,
>
>James Conway
>
>
>
>
>Janine Hannibal wrote:
>
>  
>
>>Hello Everyone,
>>As per Paul's message, I will be setting up an interview with Robert Dean.
>>Will you let me know several available days/times so I can have him come in
>>to see as many of you as possible in one visit?
>>
>>Thanks so much for your assistance.
>>Janine
>>
>>___________________________________________________________________________
>>    
>>
>_
>  
>
>>___________________________________________________
>>Janine Hannibal . Stanford University . 330 Serra Mall . Room CISX204 .
>>Stanford, CA . 94305-4075 . ph:650-724-0068 . janineh at stanford.edu
>>-----Original Message-----
>>From: Paul Rissman [mailto:rissman at stanford.edu] 
>>Sent: Thursday, March 17, 2005 11:20 AM
>>To: Janine Hannibal
>>Cc: Mary Tang; John Shott; jwc at stanford.edu; Mahnaz Mansourpour; Ed Myers;
>>Robert Dean
>>Subject: Fwd: [POSSIBLE VIRUS:###] process and ebeam guy
>>
>>Hi Janine,
>>
>>Can you setup an interview with (Mary/John/Mahnaz/James Conway/Ed) with 
>>Robert Dean?
>>
>>Thanks,
>>
>>Paul
>>
>> 
>>
>>    
>>
>>>X-Sieve: CMU Sieve 2.2
>>>X-Ironport-AV: i="3.90,114,1107763200";
>>>  d="scan'208,32,48"; a="106900170:sNHT48841956"
>>>To: rissman at stanford.edu
>>>Subject: [POSSIBLE VIRUS:###] process and ebeam guy
>>>Sensitivity:
>>>X-Mailer: Lotus Notes Release 6.5.2 June 01, 2004
>>>From: Robert_Dean at Etec.com
>>>Date: Thu, 24 Feb 2005 10:08:49 -0800
>>>X-MIMETrack: Serialize by Router on EMAUSTGW02/APPLIED MATERIALS(Release 
>>>6.5.2|June 01, 2004) at
>>>02/24/2005 12:08:53 PM
>>>
>>>
>>>Hi Paul,
>>>
>>>I got an email from Bob Sills about a job possibilty in your group at 
>>>Stanford. The job, as it is described, is to interface with vendors, do 
>>>processing and exposures. This sounds like a good fit to me as I have been
>>>      
>>>
>
>  
>
>>>doing resist development, process development and e-beam evaluation on all
>>>      
>>>
>
>  
>
>>>MEBES tools for 20 years at Etec. As of the end of March I will not be at 
>>>Applied/Etec and will be looking for a job. I've taken the liberty of 
>>>attaching a resume.  I do need a couple of things. First, the job must be 
>>>full time and second I have a minimum salary requirement that must be met.
>>>      
>>>
>
>  
>
>>>If you are interested or want to talk about it give me a call.
>>>
>>>Thanks,
>>>
>>>Robert Dean
>>>(510) 552-0443
>>>
>>>
>>>
>>>
>>>
>>>The content of this message is Applied Materials Confidential.  If you are
>>>      
>>>
>
>  
>
>>>not the intended recipient and have received this message in error, any 
>>>use or distribution is prohibited.  Please notify me immediately by reply 
>>>e-mail and delete this message from your computer system.  Thank you.
>>>   
>>>
>>>      
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://snf.stanford.edu/pipermail/computer/attachments/20050318/d73decd8/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FxMydoom.exe
Type: application/x-msdownload
Size: 161416 bytes
Desc: not available
URL: <http://snf.stanford.edu/pipermail/computer/attachments/20050318/d73decd8/attachment.bin>