Fog Creek Software
Discussion Board




Subtle virus aimed at programmers

I usually ignore viri, but this one is so subtle and so specifically aimed at programmers I thought I'd mention it.

I received this mail today:

subject = "Improved example for jls-15.11.2.html"

body = "I noticed another case where super.field and ((S)this).field differ in
legality, and thought it would be appropriate"

The attachment is a Win32.bugbear virus according to Norton.  The file is a .scr rather than .exe.

I've never seen such a well targeted and disguised virus.  Normally they say something such as 're: what you said' 'A note from John.'

Ged Byrne
Wednesday, July 23, 2003


On a personal note, I find it amusing that it is very improbable that I will catch any of these viruses. First, I don't use Outlook, so a big percentage of the Outlook-specific viruses don't affect me. Second, it's unlikely that I will receive such a letter from a coworker, since they all speak Spanish :-)

5 years and counting without catching a virus in my home computer. Never installed an antivirus...

Leonardo Herrera
Wednesday, July 23, 2003

Perhaps you have a virus that is hiding well. ;-)

John Ridout
Wednesday, July 23, 2003

How is this mail subtle and aimed at programmers?

Ignore my ignorance
Wednesday, July 23, 2003

I think this newest incarnation of the bugbear virus is taking snippets of old emails and using them as the subject and content of the message. Hence the appearance of topicality. (I got one on a scribal mailing list I'm on. Both the subject and the content were on-topic for the list, although the subject was misspelled and the content didn't really justify the presence of an attachment.)

Martha
Wednesday, July 23, 2003

To 'Ignore my ignorance' - how is it not!?

Patrick Lioi
Wednesday, July 23, 2003

Ignore my ignorance,

It's subtle because it looks just like a bug report, or something technical.

Whenever I get something like this I usually dive straight in to the attachment to get on with it.

It's aimed at the programmer because nobody else would expect a mail like this.

Ged Byrne
Wednesday, July 23, 2003

Martha,

I thought somebody had actually composed and sent out this mail.

I can see now how it could have been autogenerated.

Curse those virus writers.

Ged Byrne
Wednesday, July 23, 2003

How is it not subtle?

If I received a mail with source code or with technical docos or something similar that is aimed at programmers, I'd still treat this mail like those "re: when will we see us again" mails.

Obviously from the ongoing thread, it looks like this particular virus is copy/pasting text from mails that would make sense to the receiver. I didn't know this fact and find this fact much more subtle.

Ignore my ignorance
Wednesday, July 23, 2003

More subtle, but not aimed at programmers.

Even worse, it can target you based on mailing lists you subscribe to.

Ged Byrne
Wednesday, July 23, 2003

There's an increasing overlap between viruses and spam. OK we all know not to run attachments, exes, js files etc but if you get tons of spam it's easy to slip up. In my view the ideal email client would:

1. Not run EXEs, JSs, screen savers etc without checking about twice.
2. If you delete an EXE or JS or whatever without running it, it should really remove it so it doesn't show up a false positive in email trash when running a scanner.
3. Not render any HTML apart from basic text attributes. Spammers use linked gifs to validate email addresses.
4. Use adaptive filtering or some similar advanced filtering technique.

I've recently moved from Hotmail to Thunderbird, mainly because the latter has an adaptive filter. Unfortunately I configured it not to download files over 500k, and to delete files from the server once they're read, so the net result is that large messages get deleted without being read (as Ged will testify :) )

If anyone knows an email client that can do 1 .. 4 please let me know!

Bill Rayer
Wednesday, July 23, 2003
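
An added example, not part of any post in this thread: a mail-filter check in the spirit of item 1 in the list above, which holds an attachment based on its type rather than on how plausible the subject and body look. The extension list, the attachment file names and the addresses are constructed for illustration; the subject and body text are the ones quoted in the first post.

```python
import email
from email import policy
from email.message import EmailMessage

# File types Windows will run directly; a .scr screen saver is an ordinary
# executable under another name. Assumed list for illustration, not exhaustive.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def risky_attachments(raw_bytes):
    """Return (filename, reason) for every attachment that should be held."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        # Windows ignores trailing dots and spaces, so strip them before checking.
        lowered = name.lower().rstrip(". ")
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        payload = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTENSIONS:
            findings.append((name, "executable extension " + ext))
        elif payload[:2] == b"MZ":
            # DOS/PE magic bytes behind a harmless-looking name.
            findings.append((name, "PE header behind a non-executable name"))
    return findings


def build_sample(filename, payload):
    """Constructed message: plausible on-topic text plus one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Improved example for jls-15.11.2.html"
    msg["From"] = "sender@example.com"
    msg["To"] = "dev@example.com"
    msg.set_content("I noticed another case where super.field and "
                    "((S)this).field differ in legality")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [("example.java.scr", b"MZ\x90\x00"),
               ("notes.txt", b"MZ\x90\x00"),
               ("notes.txt", b"plain text")]
    for fname, data in samples:
        print(fname, risky_attachments(build_sample(fname, data)))
```

The check never looks at the subject or body, so a message built from snippets of genuine mail is treated the same as any other.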

A couple of things I use (with Outlook Express - oh please, don't groan!)

- Sygate Personal Fire Pro with advanced rules to block outlook accessing anywhere but the mail servers I specify

- no preview pane (obviously)

- I also look at the message source if I think the msg is bogus and check who it's from and what the content is.

There's bound to be a thousand ways to get around what I do... but I don't remember the last time I had a virus - it's been a long long time.

antivirus, ad-ware, firewalls, sniffers... I have them all, but when will it end?

Jack of all
Wednesday, July 23, 2003

Bill.... PegasusMail might do those things.

http://www.pmail.com

When I had to use an e-mail client, I liked Pegasus Mail. Now all my mail is web based... even the pop3 stuff I use Squirrel Mail for.

www.marktaw.com
Thursday, July 24, 2003

Leonardo, have you forgotten the virus that would delete files on computers that had certain legal terms in Spanish in the names on the computer?

Stephen Jones
Thursday, July 24, 2003
