Thursday, 11 March 2004

Ooo! Is it a virus?

Today I got a virus in my email. It was great. I got an email that read 'open the attached document'. So I opened the attached 'your_document.pif'. *shrug* Don't know what the heck that was about. No program is associated with .pif in Gnome, so I just cat'd it. Wasn't terribly exciting, I'm afraid.

Speaking of catching viruses, I've ranted about this one a couple of times, hopefully not too loudly, but there's another email virus out again this week: W32/Netsky and variants.

This virus starts on an infected computer by scanning it for email addresses.

For each email address, it takes the domain portion (e.g. for 'isucklemons@hotmail.com' it takes 'hotmail.com') and then crafts a message that appears to come from that domain's own administrators. So the letter reads something like:

"From Hotmail Staff: We are going to be shutting down our mail servers blah blah blah to blah blah the hotmail.com mail servers blah blah. Thanks from hotmail.com."

Now the *brilliant* part, it's genius, is that it says there is an attached file with a password, '34523'. The attached file is a password-protected zip file, and the password protection conveniently keeps many anti-virus scanners from inspecting it: a scanner can list the archive's contents, but it cannot decrypt the member inside to look at the payload.

In this zip file is the payload. The first instance I ran into was a text file with a URL, and as far as I know the URL points to a page where the user fills in her email address and password. The current variant of the virus just puts an infecting program in the zip file instead and presumably harvests passwords on its own.

So that sounds fun. Let's review:

  1. User receives a good, official-looking email (yes, it is fairly slick),
  2. User then has to read a password from the email,
  3. User then has to open the attachment,
  4. *Then* has to use the password to unlock the attachment,
  5. In the later variants she is infected at this point; in the earlier variants, however:
  6. She has to copy a URL from a text document,
  7. Paste it in a browser,
  8. *Then* gets to a form that asks for her password information (presumably on some foreign domain as well).

Needless to say, this virus is spreading like wildfire.
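Every moving part of this lure, as described above and itemized in the list, is visible in the message itself: a sender posing as staff of the recipient's own domain, a password handed out in the body, and a ZIP whose members carry the encryption flag (readable from the archive's unencrypted central directory even when the contents are not). That makes it scorable at the mail gateway without a signature. The following is an added example, not part of the original post and not the worm's code: a small Python triage script that parses a message and reports those indicators, plus double-click-executable attachments like the .pif from the first paragraph. The sample messages, addresses, filenames, lure wording and the example.com URL are constructed for the demo. Because the standard library's zipfile module cannot write encrypted archives, the "encrypted" sample sets general-purpose flag bit 0 by hand and its member data stays plaintext; the flag is what the check keys on.

```python
import email
import email.policy
import email.utils
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# Extensions Windows runs on double-click (the .pif above among them); admin-style
# local parts the lure uses to pose as the recipient's provider; and a password
# pattern ("password '34523'", "password is: 34523") whose token must hold a digit.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
ADMIN_LOCALPARTS = {"staff", "support", "admin", "administrator", "management", "postmaster"}
PASSWORD_RE = re.compile(r"\bpassword\b(?:\s+is)?\W{0,6}([A-Za-z0-9]*\d[A-Za-z0-9]*)", re.I)

def zip_members_encrypted(data: bytes) -> bool:
    """True if any member has flag bit 0 (encryption) set in the central directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def password_in_body(text: str):
    """Return a password handed out in the message text, or None."""
    m = PASSWORD_RE.search(text)
    return m.group(1) if m else None

def addr_parts(header_value: str):
    _, addr = email.utils.parseaddr(header_value)
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()

def triage(msg: EmailMessage) -> list:
    """Return the lure indicators found in one parsed message (empty list = none)."""
    reasons = []
    from_local, from_domain = addr_parts(msg.get("From", ""))
    _, to_domain = addr_parts(msg.get("To", ""))
    if from_domain and from_domain == to_domain and from_local in ADMIN_LOCALPARTS:
        reasons.append("sender poses as admin of recipient's own domain")
    body = msg.get_body(preferencelist=("plain",))
    pw = password_in_body(body.get_content() if body is not None else "")
    if pw:
        reasons.append(f"password {pw!r} given in body")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = fname[fname.rfind("."):] if "." in fname else ""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment {fname}")
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == b"PK\x03\x04" and zip_members_encrypted(payload):
            reasons.append(f"encrypted zip attachment {fname}")
            if pw:
                reasons.append("zip password supplied in same message")
    return reasons

def triage_bytes(raw: bytes) -> list:
    return triage(email.message_from_bytes(raw, policy=email.policy.default))

def make_zip(name: str, content: bytes, mark_encrypted: bool) -> bytes:
    """One-member ZIP built in memory. With mark_encrypted, set flag bit 0 in the local
    header (offset 6) and central directory entry (offset 8). Constructed stand-in:
    zipfile cannot encrypt, so the data stays plaintext and only the flag is set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + off)
                struct.pack_into("<H", data, pos + off, flags | 0x1)
                pos = data.find(sig, pos + 4)
    return bytes(data)

def build_message(sender: str, rcpt: str, body: str, zip_name: str,
                  member: str, member_data: bytes, encrypted: bool) -> bytes:
    """Assemble a constructed sample message with a single ZIP attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "Notify about your e-mail account"
    msg.set_content(body)
    msg.add_attachment(make_zip(member, member_data, encrypted),
                       maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()

# Constructed samples: the lure described above, and an ordinary message for contrast.
LURE = build_message(
    "Hotmail Staff <staff@hotmail.com>", "isucklemons@hotmail.com",
    "Dear hotmail.com user,\n\nWe are going to shut down the hotmail.com mail servers "
    "for maintenance. Your account details are in the attached file. "
    "The password is '34523'.\n\nThanks from hotmail.com staff.\n",
    "document.zip", "your_document.txt", b"http://example.com/login", True)
BENIGN = build_message(
    "Alice <alice@example.com>", "bob@example.com", "Hi Bob, slides from today attached.\n",
    "slides.zip", "slides.txt", b"see you tomorrow", False)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(f"{label}: {triage_bytes(raw) or ['no indicators']}")
```

The domain check is deliberately weak: a colleague mailing you from the same domain is normal, so only the combination with an admin-style local part counts, and the password-plus-encrypted-ZIP pairing is the strong signal. Run against a real mailbox, each indicator is a hint to weigh, not a verdict.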
