BEWARE, YET ANOTHER NASTY VIRUS......

Old 20th Jul 2001, 13:04
#1
lame

Another nasty virus doing the rounds, normally received from someone you know, "SirCam".......
 
Old 20th Jul 2001, 21:44
#2

McAfee are posting 'NO new Alerts' for viruses. There is nothing listed remotely similar to the "SirCam" you quote. Probably a hoax - again...........
InFinRetirement

Old 21st Jul 2001, 00:35
#3

Norton AntiVirus Web Site
http://www.symantec.com/avcenter/[email protected]

W32.Sircam.Worm@mm
Discovered on: July 17, 2001
Last Updated on: July 19, 2001 at 06:56:06 PM PDT
SARC has upgraded the threat level of W32.Sircam.Worm@mm from 3 to 4, due to its increased rate of submissions.
W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.
Also Known As: W32/SirCam@mm, Backdoor.SirCam
TR4A

Old 21st Jul 2001, 06:50
#4

InFinRetirement:

Don't know where you are looking, but McAfee listed this one on the same date (17 July 2001) as Norton. (Actually, about an hour and a half earlier.)

See Virus Info


Snooze
Capt Snooze

Old 21st Jul 2001, 10:30
#5
lame

That is truly odd, as I only found out about it via an alert email from McAfee???????

I immediately updated my McAfee Activeshield with the patch that was available, just passing on the info to help others, ignore it at your peril, it is NOT a hoax........
 
Old 21st Jul 2001, 11:38
#6
lame

Virus Profile

W32/SirCam@MM is a Medium Risk Virus

Virus Name:
W32/SirCam@MM Date Added:
7/17/01 5:20:40 PM


VIRUS FAMILY STATISTICS
Over the Past 30 Days

Virus Name      Infected Files   Scanned Files   % Infected Computers
W32/SirCam@MM   4,929            16,641          0.31


Virus Characteristics:
This mass-mailing virus attempts to send itself and local documents to all users found in the Windows Address Book and email addresses found in temporary Internet cached files (web browser cache).
It may be received in an email message containing the following information:

Subject: [filename (random)]
Body: Hi! How are you?

I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for

See you later. Thanks

--- the same message may be received in Spanish ---

Hola como estas ?

Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste


Nos vemos pronto, gracias.

--- end message ---

Attached will be a document with a double extension (the filename varies). The first extension will be the file type which was prepended by the virus. When run, the document will be saved to the C:\RECYCLED folder and then opened, while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and creates the following registry key value to load itself whenever .EXE files are executed:

HKCR\exefile\shell\open\command
(Default)="C:\recycled\SirC32.exe" "%1" %*

As the RECYCLE BIN is often on the exclusion list, check your settings to ensure that this directory IS being scanned.

It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and creates the following registry key value to load itself automatically:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. Email addresses are gathered from the Windows Address Book and temporary Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd character of the name appears to be random) in the SYSTEM directory.

The worm prepends a copy of the files that are named in the SCD.DLL file and attaches this copy to the email messages that it sends via a built in SMTP server, using one of the following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names having double-extensions.

The program creates a registry key to store variables for itself (such as a run count, and SMTP information):
HKLM\Software\Sircam

--------------------------------------------------------------------------------
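
The message template and the attachment naming that the McAfee profile above describes are enough to build a mail-side heuristic. What follows is an added example written for this page, not McAfee's or PPRuNe's code: a Python filter that parses a message, checks the body against the quoted English and Spanish template lines, and checks for a double-extension attachment ending in .bat/.com/.exe/.lnk/.pif whose base name matches the subject (the subject/attachment relationship is spelled out in the VET entry later in the thread). The two sample messages are constructed here, and their attachment bytes are filler, not the worm.

```python
"""Mail-side heuristic for SirCam-style messages (added example, not vendor code)."""
import os
import email
from email import policy
from email.message import EmailMessage

# Template lines quoted in the McAfee profile (English and Spanish), lower-cased.
GREETINGS = {"hi! how are you?", "hola como estas ?"}
SIGNOFFS = {"see you later. thanks", "nos vemos pronto, gracias."}
MIDDLE_LINES = {
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la información que me pediste",
}
# Outer extensions the worm appends to the stolen document's name.
EXEC_EXTS = {".bat", ".com", ".exe", ".lnk", ".pif"}


def split_double_extension(filename):
    """'Resume2.doc.lnk' -> ('Resume2', '.doc', '.lnk'); missing parts are ''."""
    base, outer = os.path.splitext(filename)
    base, inner = os.path.splitext(base)
    return base, inner.lower(), outer.lower()


def body_lines(msg):
    """Non-empty, stripped, lower-cased lines of the text/plain body."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return []
    return [ln.strip().lower() for ln in body.get_content().splitlines() if ln.strip()]


def sircam_indicators(raw):
    """Return the list of SirCam indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    lines = body_lines(msg)
    if lines and lines[0] in GREETINGS:
        hits.append("template-greeting")
    if any(ln in MIDDLE_LINES for ln in lines):
        hits.append("template-middle")
    if lines and lines[-1] in SIGNOFFS:
        hits.append("template-signoff")
    subject = str(msg["subject"] or "").strip().lower()
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        base, inner, outer = split_double_extension(name)
        if outer in EXEC_EXTS and inner:          # e.g. .doc.lnk, .xls.pif
            hits.append("double-extension:" + name)
            if base.lower() == subject:           # subject == attachment base name
                hits.append("subject-matches-attachment")
    return hits


def is_sircam(raw):
    """Verdict: executable double extension plus at least two template lines."""
    hits = sircam_indicators(raw)
    return (any(h.startswith("double-extension:") for h in hits)
            and sum(h.startswith("template-") for h in hits) >= 2)


def build_message(subject, body, filename, content_type):
    """Constructed sample message; the attachment bytes are filler, not the worm."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    maintype, subtype = content_type.split("/")
    m.add_attachment(b"filler bytes", maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed samples: the first mimics the bounce quoted later in the thread.
SIRCAM_SAMPLE = build_message(
    "Resume2",
    "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later. Thanks\n",
    "Resume2.doc.lnk", "application/octet-stream")
BENIGN_SAMPLE = build_message(
    "Q3 report", "Attached is the report we discussed.\n", "report.pdf", "application/pdf")

if __name__ == "__main__":
    print(sircam_indicators(SIRCAM_SAMPLE), is_sircam(SIRCAM_SAMPLE))
    print(sircam_indicators(BENIGN_SAMPLE), is_sircam(BENIGN_SAMPLE))
```

The verdict deliberately needs both the attachment shape and the template text: the template lines alone would also match a human reply that quotes the worm's message, and a lone .doc.pif attachment is worth quarantining on its own but is not specifically SirCam.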
 
Old 21st Jul 2001, 11:40
#7

Thanks Snooze, I obviously didn't press the right buttons! Good! Because I was worried that McA had lost the drop on Norton.
InFinRetirement

Old 21st Jul 2001, 14:42
#8

Here at the Towers we've received that virus 27 times in the last 48 hours, originally in Spanish but latterly the English version.

Usual tag onto the address book dissemination by the look of it.

Also been receiving one which is just a note apparently regarding human physiology. It is a sentence describing the structure of the arm. We received about 6 of those.

Then again - we do get a lot of mail and perhaps someone just wanted to give us a break from our RSI inducing pounding of the keyboards here at the Towers............
PPRuNe Towers

Old 22nd Jul 2001, 05:50
#9

Guys! Guys!
SOS--ASAP--HELP PLEASE ASAP.
I have been struck with this crap since last night.
I used the Norton anti-virus, scanned all files, folders and the C drive, and also used VOPT to do it. All said no viruses found,
but each time my Outlook Express is opened about 50 to 60 emails of Mail Administrator / Mail System Error flood in.

This is a copy of one of the SuperUser that was sent in my email.


MAIL DELIVERY STOPPED FOR YOUR MAIL TO [email protected]

Our viruschecker stopped delivery of this message due to:

./Resume2.doc.lnk: Contains a virus

If you feel this is an error contact [email protected]
within seven days and reference message virus20450
This message has also been sent to the recipient.

What am I to do? Please advise ASAP.
Should I download Zone Alarm? How do I get rid of it? I am not very well versed in this, so step-by-step guidance will be VERY APPRECIATED.
info4u

Old 22nd Jul 2001, 09:40
#10

Yup, got it 3 times today and twice on Friday.
Thank you Norton for saving me a lot of grief .....

Look for the words;

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

BASTARDS!
blackadder

Old 22nd Jul 2001, 13:49
#11

I had it too, e.g. I got in from a flight at 1am this morning and it looks like the wife had earlier decided to read two new emails sent to me - one started with the ubiquitous "Hi there,.... " and the other with "I send you this file in order to have your advice", and both of which included an attachment.

Now what tipped me off was my ZoneAlarm firewall software asking me if it was ok to allow an application called Sirc32.exe to access the internet ( "Uhm, what the bloody'ell is that ?!" thought I ) - no doubt so that it could make use of its embedded SMTP connectivity to spread itself about to all the contacts in my email list.

Nb. That warning from ZoneAlarm occurred literally as I opened MS-Outlook, as apparently what triggers the virus to run is you running any .exe program.

I then spent the next 10 minutes getting rid of it, via the instructions from Symantec (see below).

Nb. It has not been mentioned above, but the Symantec anti-virus centre reports that there is a 1 in 20 chance that this virus can delete all the files on your C: drive !!!
I'd accordingly highly recommend a good read of: Symantec - Security Updates - W32.Sircam.Worm@mm

Of course, as many of us PPRuNers have each others email address, one can see just why we are all simultaneously experiencing this virus.

Ps. I normally instantly bin all emails with attachments from unknown sources - which is what I subsequently did in this instance - I've also since bollocked the wife about opening emails, and I've also (re)applied passwords to my computer - talk about Pandora's box !

PPs. When / if you get infected by this virus, have a look in the C:\Windows\Applog folder for a file with a name like Sirc32 and open it with Notepad / Wordpad and you might be able to see from whose computer the virus was spread to you, or to whom it was trying to send itself next....
CrashDive

Old 22nd Jul 2001, 14:57
#12

I am getting it too but at least I use a Mac and it won't infect my machine, but it does cause messages with long attachments to be sent to me.

For heaven's sake, why do people still insist on opening emails with attachments when they don't know who they are from or what they are?

If you ever receive email from someone or an address you don't know and it has an attachment then just delete it. Because of some people not bothering with anti-virus software or just being too naive and opening every attachment, we now have a serious problem with emails being sent and attached to them are the virus/worm and also some other documents off their computer.

Check your email software for viruses and DO NOT OPEN attachments from anyone if you don't know what it is or have not specifically requested it. Better still, get yourselves a Mac and stop getting attacked by these PC viruses.
Capt PPRuNe

Old 22nd Jul 2001, 15:18
#13

I got the Spanish version first. Unfortunately I opened the attachment as I have a Spanish friend who often sends me some cartoons in Spanish. Eventually cleared it with McAfee but today another two attacks, one in Spanish and one in English. Both of them I blocked sender, which deletes the entire message and the attachment without even opening the message.
HotDog

Old 22nd Jul 2001, 16:43
#14

From the VET Virus definition Encyclopedia
Win32.SirCam.137216
Win32.SirCam.137216 is an e-mail worm which sends itself as well as clean documents from an infected machine. The worm arrives in a message which may be either English or Spanish. The English messages appear like this:

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks

The middle is chosen from the following list. However, due to a bug in the worm's random number checking, the first line is always used:

I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

The Spanish message looks like:

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
Nos vemos pronto, gracias.

The middle line is from the following list, but once again only the first line is ever chosen:

Te mando este archivo para que me Des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es El archivo con la información que me pediste

The attachment name is variable, but will have a double extension, for example "SCRIPT.DOC.PIF". The actual extension may be "PIF", "LNK", "BAT", "EXE" or "COM". The subject of the message matches the attachment name, except without the extensions. In the above example the subject would be "SCRIPT".

When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well as "SCam32.exe" in the Windows System directory. It modifies two registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="<Windows System>\SCam32.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*"

The first key causes the worm to run when Windows starts. The second causes the worm to be run whenever any .EXE program is executed. The worm gets a list of .DOC, .XLS and .ZIP files in the "My Documents" folder. It appends one of these files to the end of itself and saves the result to the Recycled folder, adding the second extension to the filename as listed previously. This file is attached to the emails that the worm sends.

The worm may make several copies of itself with different DOC, XLS or ZIP files attached, depending upon what it finds in the "My Documents" folder. It continually sends these copies out to addresses it finds in the Windows address book and Internet cache files, and may send multiple copies to the same address.

The worm also spreads using Windows shared drives. If it finds a share with a "RECYCLED" directory it copies itself into that directory with the name "SirC32.exe". If it finds an "AUTOEXEC.BAT" file on the share it adds the following line to it:

@win \recycled\SirC32.exe

Finally, it looks for "\windows\rundll32.EXE" on the share and replaces it with the worm, renaming the original to "run32.exe". When the worm is executed from "rundll32.exe" it automatically executes the backup file "run32.exe".

The worm contains two payloads. One deletes all files and subdirectories on the hard drive which Windows is installed on (usually C:). The other writes a file called "SirCam.Sys" to the "Recycled" directory. Neither of these payloads are activated under normal circumstances due to the bug in the worm's random number checking. However, they may be activated if one of the worm's files is renamed or modified before being run.

Detection for this worm has been added to the following virus engine/virus signature combination. Install this update or later to ensure protection:

CA Anti-Virus Product           Engine/Signature
InoculateIT 4.x                 26.10
InoculateIT 6.0                 23.44.10
InoculateIT Personal Edition    5.2/1344
VET                             10.3/1344

Once again, looks like taking the trouble to get a good virus detector and installing Zone Alarm can help protect you from others.
Avtrician
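
For the host side, the two persistence keys, the HKLM\Software\Sircam key and the AUTOEXEC.BAT line listed in the VET entry above (the same keys the McAfee profile gives, and the exefile hijack behind the ZoneAlarm prompt CrashDive saw) can be checked from a registry export rather than by poking through regedit by hand. This is an added example, not CA/VET's or PPRuNe's code: it parses the text of a REGEDIT4-style export (the format that regedit's export on Windows 9x writes, assumed here) plus an AUTOEXEC.BAT, and reports the SirCam indicators. The sample export and AUTOEXEC.BAT below are constructed, not captured from an infected machine.

```python
"""Host triage for SirCam persistence indicators (added example, not vendor code)."""
import re

# What a clean exefile handler looks like once the .reg escaping is removed.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
SIRCAM_KEY = r"hkey_local_machine\software\sircam"


def _unquote(data):
    """Undo REGEDIT4 string escaping: outer quotes, and \\ and \" inside."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return re.sub(r'\\(["\\])', r'\1', data)


def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key (lower-cased): {name: data}}.
    '@' is the (Default) value; only string data is decoded, which is all the
    SirCam indicators need."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else _unquote(name)
            keys[current][name] = _unquote(data)
    return keys


def triage_registry(reg_text):
    """Report SirCam's registry indicators found in a REGEDIT4 export."""
    keys = parse_reg_export(reg_text)
    findings = []
    # Any exefile handler other than the stock "%1" %* runs something before every .EXE.
    command = keys.get(EXEFILE_KEY, {}).get("@")
    if command is not None and command != CLEAN_EXEFILE_COMMAND:
        findings.append("exefile handler hijacked: " + command)
    # RunServices entries pointing at the worm's two file names.
    for name, data in keys.get(RUNSERVICES_KEY, {}).items():
        if re.search(r"(?:scam32|sirc32)\.exe$", data, re.IGNORECASE):
            findings.append(f"RunServices autostart {name} -> {data}")
    if SIRCAM_KEY in keys:
        findings.append("HKLM\\Software\\Sircam present")
    return findings


def triage_autoexec(text):
    """Return AUTOEXEC.BAT lines that launch the worm from a share's RECYCLED dir."""
    pattern = re.compile(r"@?win\s+\\recycled\\sirc32\.exe", re.IGNORECASE)
    return [ln.strip() for ln in text.splitlines() if pattern.match(ln.strip())]


# Constructed samples (not captured from a real machine).
INFECTED_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_LOCAL_MACHINE\Software\Sircam]
"""

CLEAN_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"""

INFECTED_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n@win \\recycled\\SirC32.exe\r\n"

if __name__ == "__main__":
    for finding in triage_registry(INFECTED_REG) + triage_autoexec(INFECTED_AUTOEXEC):
        print(finding)
```

Note the order of operations if the exefile handler is hijacked: every .EXE launched, including the scanner, goes through SirC32.exe first, which is why removal instructions restore that key before anything else, and why the check compares the value against the stock handler rather than just looking for a known file name.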
Old 23rd Jul 2001, 02:06
#15

Earlier today I looked at R&N and followed Crash Dive's advice to check files; fortunately none found. I have just read all the above posts and realise that I was sent the virus but because I did not recognise the sender I did not open it but sent it back to the sender using the "Reply" facility and asking the sender to identify themselves before I would open their email. Needless to say I haven't had a reply. The email was sent by "newscafe5" and contained the phrases mentioned earlier in this thread. Thanks everyone, I might have been tempted to open it but your information stopped me. It has now been deleted without being opened and a search shows I am still clear.
DX Wombat

Old 23rd Jul 2001, 03:14
#16

Why do I never get any of these exciting new viruses? I want one, so I can be smug that I don't use Outlook and they never work on Netscape!
Send Clowns

Old 23rd Jul 2001, 03:41
#17
lame

Send Clowns,

I have not actually received this one yet, I had an alert email from McAfee about it, and immediately updated my McAfee Activeshield, as well as posting this thread.

I have only ever had three viruses come in, all caught by Activeshield BEFORE I opened them.

If you like, next time I get one I will forward it???



Best regards,

"lame"
 
Old 24th Jul 2001, 17:22
#18

Yep, its out there .....
We just received the following message from Air Vallee (Italy) .....

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Tuesday, July 24, 2001 12:00 AM
Subject: DO RES SAMPLE


Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

........

The attachment contained the virus.

With a previous client (and a message and file name - the same as title - that made logical sense) I nearly ignored the company rule to copy to external disc and scan - fortunately I decided on caution at the last moment. Current edition (updated 20JUL) of Norton Antivirus picked it up but was only able to quarantine (unable to fix).

Phew ... Nearly had to sack myself then !!!!
TimS

Old 24th Jul 2001, 18:05
#19

Bugger, it got me, it came disguised as a request for a student file. Thanks to the good advice on here, I think I've got rid of it by downloading that file thingy. First time around it said I had been unsuccessful in getting rid of the virus, second time around it worked (or said it did)
I dread to think how many of my confidential files have been disseminated. I only realised when one of them bounced back.

So thank you again to all of you clever computer people here on Pprune for showing the way to get rid of it and I promise I won't open strange attachments again!
Charlie Foxtrot India

Old 25th Jul 2001, 11:52
#20
lame

McAfee updated this virus on July 23 to the HIGHEST level that they give to a virus, be VERY careful........

They estimate that over 3% of ALL computers are now infected.........
 

