October 8, 2004

Not very nice viruses

One of the beauties of having your own server, or virtual server, is that you can set it up to do just about anything, including scanning email for viruses and quarantining them — not delivering them but saving them on the server so that you can inspect them. I spent a bit of time reading through virus-laden email (how's that for "needs a life"!) and was dismayed by the tone I found running throughout.

The senders of these virus-laden emails make clever attempts to get the recipient to click on the attachment (thus launching the virus). Among the tricks are using a recognizable and "safe" file extension, followed by miles of spaces and then the real extension, which is what actually launches the virus; the point is that email program windows are only so wide, so the real file extension is pushed out of view. Here are some examples:

I have attached your file. Your password is jkl44563.
Attachment: your_doc.zip


I was surprised, too! :-(??
Who could suspect something like that? (profanity deleted)

» Attachment: oh_no_7256.doc.bat


Subject: Postcard
Best wishes,
your friend.

» Attachment:


Subject: Does it matter?
Your photo, uahhh…. , you are naked!
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus – www.mcafee.com

» Attachment: text01_info.zip


Please confirm!
Attachment: detail3.zip

» Attachment: Novarg/My Doom Virus


Your pictures are good!
your_picture01.pif


The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.
Sincerly,
Robert Ferrew

++++ Attachment: No Virus found
++++ Norman AntiVirus – www.norman.com
Attachment: datfiles_dough.zip

» Despite the claim that the "signature" is a "virus cleaner",
and the email specifies "Attachment: No Virus found",
the attachment itself IS the Novarg/My Doom Virus.


Subject: important message
Please read the attached file!

» Attachment: message.doc.pif


Subject: hello
Try this, or nothing!
» Attachment: game_xxo.txt[large space snipped].pif

» The attachment file name contains some 67 spaces, ensuring that it extends to the right beyond what email programs can normally display, making the .pif extension virtually disappear and allowing the file to appear to be a simple text file.


Anybody use your accounts and (or) passwords!
For further details see the attachment.

+-+-+ X- Mail_Scanner: No Virus found
+-+-+ BURLINGTON-NJ- AntiVirus Service

» Attachment: check_this.TXT.zip


Fwd: Warning again
Do not visit this illegal websites!

++++ Attachment: No Virus found
++++ F-Secure AntiVirus – www.f-secure.com

» Attachment: abuses.exe


Re: your bill
I have attached your document.

» Attachment: bill.doc (huge space snipped) .pif


Mail Delivery (failure)
If the message will not displayed automatically,
follow the link to read the delivered message.
Received message is available at:
(snipped link with tracking ID)

» Attachment: message.scr


Subject: Pictures
Your pictures are good!

» Attachment: your_picture01.pif


Subject: Hi
I hope the patch works.
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus – www.messagelabs.com

» Attachment: software.zip [Novarg/MyDoom Virus]


Subject: Shocking document
I am shocked about your document!

» Attachment: document_with_notice.zip


Re: Order
Thank you for your request, your details are attached!
+++ Attachment: No Virus found
+++ Panda AntiVirus – www.pandasoftware.com

» Attachment: all_in_all.exe
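The padded-extension and double-extension tricks seen in the attachments above can be caught at the quarantine stage by looking at the filename alone. The following is an added example (not code from the original post), which classifies an attachment name by its real extension, any "safe" decoy extension in front of it, and the amount of whitespace padding between them; the sample names are constructed to match the specimens listed above.

```python
from dataclasses import dataclass
from typing import Optional

# Types Windows runs on double-click; all of them appear in the specimens above.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "bat", "com", "cmd"}
# Document-like types the lures place in front of the real extension.
DECOY_EXTS = {"doc", "txt", "jpg", "gif", "pdf", "htm", "html"}

@dataclass
class Verdict:
    real_ext: str             # extension the OS will actually act on
    decoy_ext: Optional[str]  # the "safe" extension shown first, if any
    padding: int              # whitespace characters inserted before real_ext
    action: str               # "block", "inspect" or "allow"
    reason: str

def analyze_attachment_name(name: str) -> Verdict:
    """Classify an attachment filename the way a quarantine filter would."""
    stem, dot, real = name.rstrip().rpartition(".")
    if not dot:               # no extension at all
        stem, real = name, ""
    real = real.lower()
    # Whitespace between the decoy extension and the real one is the padding trick.
    padding = len(stem) - len(stem.rstrip())
    inner = stem.rstrip()
    decoy = inner.rpartition(".")[2].lower() if "." in inner else None

    if real in EXECUTABLE_EXTS:
        if padding:
            reason = f"executable .{real} hidden behind {padding} padding characters"
        elif decoy in DECOY_EXTS:
            reason = f"double extension: .{decoy} decoy in front of executable .{real}"
        else:
            reason = f"directly executable .{real} attachment"
        return Verdict(real, decoy, padding, "block", reason)
    if real == "zip":
        return Verdict(real, decoy, padding, "inspect", "archive may wrap an executable")
    return Verdict(real, decoy, padding, "allow", "no executable extension")

# Constructed samples modelled on the specimens in the post; the first one
# reproduces the 67-space trick described above.
SAMPLES = [
    "game_xxo.txt" + " " * 67 + ".pif",
    "oh_no_7256.doc.bat",
    "your_picture01.pif",
    "check_this.TXT.zip",
    "report.pdf",
]
```

Running `analyze_attachment_name` over `SAMPLES` blocks the three executable names (reporting 67 padding characters for the first), flags the .zip for inspection and allows the plain .pdf.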


One truly useful link is to virus.gr's comparative tests of antivirus programs. The folks at virus.gr apparently tested what appear to be the majority of anti-virus programs by throwing a large number of viruses at them (75,000+) … and give the results of their anti-virus testing, ranked best to worst. See their left menu for links to past anti-virus testing. You may be surprised. UNFORTUNATELY, virus.gr seems no longer to be providing this information.

I'd also suggest MailWasher Pro which enables one to check email while it's still on the server … that is, before downloading it in an email program.

3 Comments to "Not very nice viruses"

  1. Dan Renner says:

    Diane,

    I believe the term for the methodology these emails fall under is 'social engineering', as opposed to the virus writer (or 'script-kiddie' as in many of the above) attempting to fool the machine itself.

    In addition to your aforementioned virus.gr site, here are a couple of links to other anti-virus test sites:

    http://www.anti-virus-software-review.com
    http://www.virusbtn.com/vb100/archives/products.xml?table

    You'll find in these tests that the heavily marketed 'names' don't do that well. It is interesting that this also seems to be the case in the Operating System field… :-)

  2. Mark says:

    I have had tremendous success using Virus Hunter. I recommend it hands down.

  3. DianeV says:

    Thanks. I don't let virus-laden emails download to my computer; that's the reason I could compile a list like the above.

© 2004-2017 DianeV Web Design Studio. All Rights Reserved.