2007-07-26 | MSN viruses
In the last two days I've received viruses over MSN messenger on two different occasions. Both times, they seemed to come from friends of mine. The first one was in the form of the following message and came with a simple link:
Vote for me: http://22460.vasedrunjinsaterfuns.com/2215/67179/
At the time of this writing the link above still works and downloads a file called vote.zip. The file is not actually a ZIP archive; instead it's a simple Windows executable. Now, I don't know how people are supposed to be tricked into executing it, because simply double-clicking it obviously won't do any damage, but maybe something to do with MSN users' habits of renaming .exe to .zip before sending them?
A scan of the file with the pretty good multi-engine scanner over at Virus Total found a Stration worm, which originated as an e-mail worm and is now apparently broadening its infection horizon.
The second one was a little trickier; it actually managed to infect my boss and a co-worker of mine from whom I then received the following message, immediately followed by an incoming file request for images.zip:
Sup, seen the pictures from the other night?
A few things were obviously suspicious here:
- My friend just doesn't talk like that. As a matter of fact, few people use uppercase in IM nowadays and I think the last time somebody used "Sup" was last decade. (I may be wrong on the latter one though ...)
- The file was called images.zip yet contained only a single file. Nobody zips a single image because they can't be compressed anyway, and especially not one of some 40 kB.
- The "image" that was contained was called IMG34814.pif, with an extension that is more than suspicious, but might slip the eye of someone who hasn't been suspicious up until now.
I can hardly blame the average Joe for becoming infected with the second one, so the blame goes--*fanfare*--to Microsoft for two reasons:
- Apparently, the current version of Windows Messenger is scriptable to an extent that is so obviously dangerous that I can't believe the functionality is still in there.
- Despite Microsoft proclaiming Vista to be the most secure Windows ever, .pif files are still executed without warning.
The second point is especially grave for a number of reasons. Because of the nature of the PIF file format it does not contain any executable code but only meta information, so it could easily be checked for authenticity. What's worse is that extremely few people have used .pif files ("program information files") after Windows 3.1, so either displaying a very obvious warning message or dropping the registration of the .pif extension altogether would not disrupt anyone.
If you want to disable .pif files on your system, you can use the following registry change to do so (or download this .reg file and double click it):
HKEY_CLASSES_ROOT\.pif\(Default) = "piffile_disabled"
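The two giveaways described in the post (a file named .zip that is really a Windows executable, and an archive that wraps a single .pif) can be checked from the file's bytes without opening anything. The Python sketch below is an added example, not part of the original post; the function names, the extension list and the sample bytes are constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows launches directly; an illustrative list, not exhaustive.
RISKY_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}


def triage_transfer(filename, data):
    """Return the reasons an incoming file transfer looks suspicious."""
    if data[:2] == b"MZ":  # PE/DOS executables start with "MZ" whatever the name says
        return [f"{filename}: content is a Windows executable, not an archive"]
    if not filename.lower().endswith(".zip"):
        return []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{filename}: named .zip but not a valid ZIP archive"]
    findings = []
    with archive:
        members = [m for m in archive.infolist() if not m.is_dir()]
        for member in members:
            ext = os.path.splitext(member.filename)[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(f"{member.filename}: launchable extension {ext}")
            with archive.open(member) as fh:  # read 2 bytes only, never extract
                if fh.read(2) == b"MZ":
                    findings.append(f"{member.filename}: content is a Windows executable")
        if findings and len(members) == 1:
            findings.append(f"{filename}: archive wraps a single file")
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buffer.getvalue()


# Constructed stand-ins for the two transfers described in the post; no real malware.
FAKE_EXE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "vote.zip": FAKE_EXE,
    "images.zip": build_zip({"IMG34814.pif": FAKE_EXE}),
    "holiday.zip": build_zip({"a.jpg": b"\xff\xd8\xff", "b.jpg": b"\xff\xd8\xff"}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage_transfer(name, blob) or "no findings")
```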
2007-07-30 at 04:08
My husband and I just got the same "Sup, seen the pictures from the other night?" message. I'm on Trillian so I never got a file transfer request, but my husband got it on MSN and downloaded/opened the folder.
Was wondering if you know how the problem was solved for your co-workers. We have Norton and we're running multiple virus scans but nothing seems to be showing up.
2007-08-04 at 07:46
Charlene,
I don't know how they eventually solved the problem, but one guy sent around this link. The site currently seems down but you can find it in Google's cache. Don't know if the instructions are very helpful, but at least you should be able to get some info on how to delete the virus files.
On a side note: From my personal experience (and from reading test reports) Norton AntiVirus has a horrible success rate, especially with recent viruses. You might be better off with some other product. They all have quirks but BitDefender gave me the best impression so far.
2008-06-28 at 23:19
Hello there,
The other day a friend of mine signed on, gave me a link and signed off. I clicked the link and it came up with this magic millions website. I thought nothing of it and then closed the window. Then my friend told me that she had received the same link from me later that week! How can I get rid of this?
xxx :]
2008-08-29 at 04:21
Recently I have had a friend pop online... send a web link and pop offline... he wasn't even home... this a new virus?
2008-10-29 at 23:46
I am getting a virus sent through pictures. And it also makes me log off occasionally (which is WICKED annoying)
Does anyone know how to solve this problem? I am not sure if it is the same as Charlene's and I'm not gonna risk it.
Thankz