Misdirection: A New Avenue for Virus Infection

Virus and worm attacks have become a fact of life. Over the past 3 months, my antivirus vendor, Sophos, has sent me an average of one new virus alert per day. Many of these viruses never appear in the wild, but enough of them do to keep IT professionals on their toes. I know that staff members (both IT and non-IT) at my office have made an effort to get the necessary education to make sure they don't become a vector for a virus infection. Antivirus software runs on all our computers, our office automation applications have the latest patches, and, as much as possible, our users practice safe computing.

By educating every user, not just IT staff, about how to prevent these infections, we've avoided the last few rounds of widespread virus attacks. And I know my company isn’t the only one that has clamped down on potential avenues for virus and worm infections. With each attack, the industry ramps up its defenses, reducing the ways virus writers can exploit our computers.

Now virus writers are using misdirection techniques to try to spread their infections. The most recent of these attempts, and possibly the most insidious so far, is the W32/Myparty-mm worm. This worm sends the following email message from an infected system:

Hello!
My party ... It was absolutely amazing!
I have attached my web page with new photos!
If you can, please make color prints of my photos. Thanks!

The message includes an attachment called "www%myparty%yahoo%com," except that the percent-sign characters (%) are periods, making the filename appear to be a URL. Posting personal pictures at a Web site and distributing the site’s URL is a common activity, and this virus takes advantage of the fact that people often click URLS that they receive in email. But many people don't realize that executable files can have the .com extension. Some technically astute people have asked me whether the worm contains an .exe file, and I remind them that .com can be an executable extension.

When I received this worm, Outlook XP’s default configuration blocked access to the executable file; the .com extension in what appears to be a URL might confuse a person, but Outlook recognized the executable file that the pseudo-URL was trying to hide. So, for a change, users of Microsoft’s latest Outlook application are probably protected from a new worm.

Good antivirus practices and standards have prevented the W32/Myparty-mm worm from getting a toehold in my company. I hope your antivirus procedures are up to the test.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish