
Thread: Take nothing for granted - AV

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785

    Take nothing for granted - AV

    On the importance of not trusting messages.

    This is written for those fairly new to the internet and internet security and sites like AO. The reason I say this is because you could receive a message like the one below, apparently sent by a member of AO, and that would make it all the more believable.

    The Message below is from an MSN message but the same could apply to AIM, Yahoo, IRC, or even regular email:


    john says:

    Hey!! Could you please check out this
    program for me? :-) I made it myself and
    want people to test it. Its a readme with the
    program that explains what it does!
    http://<blocked>/downl0ad/BR2002.exe
    <-There you can download it! give me
    advices on what to upgrade please!!


    This is a message that would come from someone you know. Or at least appear to. The file your apparent friend is asking you to test is actually the Internet worm "WORM_RODOK.A", also known as the "Henpeck Worm", discovered Oct 8, 2002.

    The name John can be interchanged with the name of anyone infected with this worm and sent to everyone in his/her address list as that person.

    Many trusting people download and execute this and other programs like it, to help out a friend. All they get for their efforts is a backdoor and a keylogger installed on their system.

    This file was not picked up by any virus protection software at the time that it spread. Its signature (the description the AV Software uses to identify it) did not exist yet.

    Many worms and viruses are distributed this way, that is, sent to everyone whose address you have. This way it appears to be genuine.

    Never take for granted a message with a download address is really from someone you know. Confirm it. Even after you confirm it, do an AV scan. And then open it only if you must.

    Even if it's only a link to a web page without a download....confirm it, ask what it's about. There are many malicious scripts put on web pages by people with sick minds and the links are spread around by worms....take nothing for granted.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
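
An added example, not part of the original post and not written by any thread participant: a minimal Python check for the propagation pattern described above, where one sender pushes the same link to an executable to many contacts in a short time. The extension list, thresholds, function names and hostnames are assumptions made for illustration; the sample log is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Extensions that run code when opened on Windows (assumed list, not exhaustive).
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def risky_links(text):
    """Return URLs in a message whose path ends in an executable extension."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,!?)")  # drop trailing sentence punctuation
        if urlparse(url).path.lower().endswith(RISKY_EXT):
            hits.append(url)
    return hits

def fan_out(log, min_recipients=3, window=60):
    """Flag (sender, url) pairs sent to many distinct recipients within `window` seconds.

    log: iterable of (timestamp_seconds, sender, recipient, text).
    """
    seen = defaultdict(list)  # (sender, url) -> [(timestamp, recipient)]
    for ts, sender, rcpt, text in log:
        for url in risky_links(text):
            seen[(sender, url)].append((ts, rcpt))
    alerts = []
    for (sender, url), events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            rcpts = {r for t, r in events[i:] if t - start <= window}
            if len(rcpts) >= min_recipients:
                alerts.append((sender, url, sorted(rcpts)))
                break
    return alerts

# Constructed sample traffic; files.example and cafe.example are placeholder hosts.
LURE = "Hey!! Could you check out this program? http://files.example/downl0ad/BR2002.exe"
SAMPLE_LOG = [
    (0, "john", "alice", LURE),
    (2, "john", "bob", LURE),
    (5, "john", "carol", LURE),
    (9, "alice", "bob", "lunch? menu is at http://cafe.example/menu.html"),
]
```

A hit from `fan_out` says the sending account is probably infected, which is the cue to confirm with that person over another channel before anyone opens the link.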

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Great tutorial, something that should have been posted earlier (mighta been but I don't know) and it is also something that people really gotta understand because there are new trojans and virii coming out every day and you need to sort of adapt to the fact that you need to only accept files from people you know. Although, and it's sad, it can still be from someone you know that is a victim of the worm.
    Space For Rent.. =]

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    364
    Tedob1, thanks, this is the first I've heard of this particular technique. I have my firewall set to ask first before email is sent, and I keep track of my outgoing box. But any of us could probably get whacked at some time, and wouldn't it be red-faced embarrassing to have your email client send some worm or virus to our entire address book!

  4. #4
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    yes.. you've given somewhat of a good message to warn (newbie) folks.. but the comment you leave i.e. "apparently sent by a member of AO and that would make it all the more believable." almost suggests that there is such message that you could have personally received from an AO member.. whereas you might have mentioned that there could be some spoofing going on to achieve that.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I have not received such a message, nor do I know anyone who has. I used an AO member to stress the importance of not taking things for granted. I thought I made the spoofing clear, but apparently I didn't do a good job of it:

    "The name John can be interchanged with the name of anyone infected with this worm and sent to everyone in his/her address list as that person."


    Most of the common worms/viruses today propagate themselves by sending a copy of the infected file to everyone on the address list of the computer it has infected. They use the actual user name of the owner of the computer, handle of IRC account or mail account to make it seem more believable.

    This has not happened at AO to my knowledge but that by no means makes it any less of a threat. It can very easily happen if a member becomes infected. Through their own negligence or that of another who has access to a member's computer.

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    oops.. my bad.. Tedob1.. it WAS fairly clearly stated.. sorry about that
