Sunday, July 16, 2006

Believe me! I am not guilty!

Believe me, I did not send you that @#$ mail with a virus

A lot of Internet users, the writer of this article included, are facing a dilemma these days, courtesy of viruses like Netsky and its more than half a dozen variants. Every day, users receive mails carrying variants of the Netsky virus from senders they do not know or never expected to hear from. Likewise, users receive dozens of undelivered-mail notices for virus-laden messages they never sent to anybody. What actually happens is that the virus takes your e-mail ID, which it has extracted by various means, and puts it in the FROM field of the mails in which it sends a copy of itself to every other e-mail address it could harvest from an infected computer. If the destination address is real, the mail either gets delivered or is bounced back to you by the recipient's firewall with a tag saying that your mail contained a virus. If the address is not real (some viruses guess e-mail addresses at random, and a large number of those are obviously wrong), it is returned to you anyway, because the virus put your e-mail ID in the mail's From field. When someone uses another person's mail address without authorization, it is called e-mail spoofing. It is this e-mail spoofing by viruses and spammers that is causing those bloody #@%^& mails clogging your Inbox.

E-mail everywhere

If you use the Internet substantially, send and receive mails regularly, and have web pages that contain your e-mail IDs, then your e-mail address is stored in multiple locations in the caches and temporary Internet files of computers all across the globe. Earlier, viruses targeted the address books of e-mail clients to extract e-mail IDs, but now they have the capability to scan every part of your computer's hard disk for them. The virus thus extracts e-mail IDs and then sends a copy of itself with the help of its own tiny built-in SMTP engine. It does not need your e-mail client or any other support to send mail; the mere presence of an Internet connection is sufficient for it to work. The virus simply detects an available Internet connection and starts sending its own copies from the infected computer. The situation is getting worse as the days pass. Already, more than 80% of all mail is categorized as spam, and viruses like Netsky/Lovgate/Sasser are making things even worse.

Every possible trick to fool you

These days, viruses and worms are written so smartly that they need little interaction from users. For example, Blaster and Sasser type worms randomly scan IP addresses and infect vulnerable systems automatically. Some viruses come to you as HTML pages, wherein the virus is buried deep in a false link that looks tempting enough for users to click. For example, a variant of the Netsky virus is designed to propagate through HTML mail. The HTML page looks like a plain text page, like this:

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:

Now, if you are tricked into clicking the link, it runs the virus, which is embedded in the HTML page with ZERO dimensions so that it does not appear on the page (it is visible only in the HTML source). Viewing the source of the above HTML page reveals things clearly, like this:

<*<META content=3D"text/html; charset=3Diso-8859-1" =
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:

Content-Type: audio/x-wav;
Content-Transfer-Encoding: base64

AAAAAAAAYAAAAA4fug4AtAnNIbgBTM0hV (rest of the part that represents the virus is snipped)>

Apparently, as the code shows, the virus file named message.scr is hidden from the HTML page by changing the link property of the HTML link (see the highlighted text). When you click the link, the virus runs, installs itself and infects the computer. On some computers it runs automatically, since it has been declared with the content type audio/x-wav (as in the source above), which is played automatically while the HTML page loads. The infected mails randomly pick the most common subject lines, such as Hi, Hello, Request, Important, Re: etc. A few mails try to trick you by claiming that their attachments were scanned and found virus-free by antivirus firms like Panda Software or McAfee.
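As an added example (not part of the original article), the following Python script applies the checks this section describes to a raw MIME message: a part whose declared type is audio but whose decoded bytes carry an executable's MZ signature, attachment names with the extensions the article lists (.scr, .pif, .zip), and HTML that hides an element by giving it zero width or height. The sample message, its img tag, the `cid:hidden` reference and the dummy MZ blob are constructed for the demonstration, and the width/height heuristic is an assumption about how "zero dimensions" is expressed.

```python
import base64
import re
from email import message_from_bytes

# Attachment extensions the article lists, and the signature every Windows
# executable (.exe/.scr/.pif) starts with; a genuine .wav file starts with "RIFF".
RISKY_EXTENSIONS = (".scr", ".pif", ".zip")
PE_MAGIC = b"MZ"
# Heuristic (assumption): any tag given width=0 or height=0 hides its content.
ZERO_DIM = re.compile(r'<[^>]*\b(?:width|height)\s*=\s*["\']?0(?:px)?["\'\s>]', re.I)


def scan_message(raw: bytes) -> list:
    """Return human-readable findings for the tricks described in the article."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        # 1. a part declared as audio (or any non-binary type) that is really a PE file
        if payload.startswith(PE_MAGIC) and not ctype.startswith("application/"):
            findings.append(f"{ctype} part is a Windows executable (MZ header)")
        # 2. attachment names worms commonly use
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment with risky extension: {name}")
        # 3. HTML body with a zero-sized element
        if ctype == "text/html" and ZERO_DIM.search(payload.decode("latin-1", "replace")):
            findings.append("HTML body contains a zero-dimension element")
    return findings


# Constructed sample mirroring the structure quoted above. The "executable" is a
# dummy blob that only carries the MZ signature; it is not runnable code.
FAKE_EXE = b"MZ" + b"\x00" * 62
SAMPLE = (
    b"From: someone@example.com\r\nSubject: Re: Hello\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><body>Received message is available at:"
    b'<img src="cid:hidden" width="0" height="0"></body></html>\r\n'
    b"--b1\r\nContent-Type: audio/x-wav; name=message.scr\r\n"
    b"Content-Transfer-Encoding: base64\r\nContent-ID: <hidden>\r\n\r\n"
    + base64.encodebytes(FAKE_EXE) + b"--b1--\r\n"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print("ALERT:", finding)
```

Running it against SAMPLE reports all three findings; a plain-text mail with no attachments reports none.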

Tips to reduce such mails

Well, unless the entire e-mail system is revamped so that every e-mail user must be registered, like domain names and probably with a token fee, so that no e-mail ID can be spoofed, spam and e-mail carrying viruses are destined to fill most of your Inbox. Yahoo! and Microsoft are working separately to address these issues, and maybe a new mail protocol will be designed soon enough that we have the option of receiving mail either over the existing SMTP or over a better, more secure new version of it. Meanwhile, you can put a little control on the retrieval and use (spoofing) of your e-mail ID by these spammers and viruses. Follow these simple steps until a better solution, hopefully, comes soon enough.

  • Use different e-mail IDs for different purposes: for example, one for personal use by a close group and one for work. Do not give the personal / close-group e-mail ID out to the masses, and configure your e-mail client to reject unwanted mail outright.
  • For work and in business you cannot tell whether a mail is genuine unless you read it, so you often cannot put effective filters on mail. But you can configure your mail client never to download / open an attachment in any case.
  • You can configure your e-mail client to work in plain text mode only, so that an HTML page containing a virus cannot be rendered automatically.
  • If you post your e-mail IDs on Internet pages, post them as a small JPEG/PNG picture containing the e-mail ID, so that e-mail extractor programs can never pick it up. You can also put it as plain text instead of a mailto: link. For example, you can write “EDITOR AT LFY DOT COM” in the web page, which humans read easily but e-mail address hunting robots find a little harder to intercept.
  • You can fool e-mail extractor programs by writing your e-mail IDs on web pages in a different manner. For example, you can write “ (Remove NOSPAM if you are a human sending me mail)”. This makes life a little harder for users, but then only genuine mail will reach you.
  • Use the advanced services of e-mail providers. For example, Yahoo!, with its paid account, lets you define advanced spam rules and gives you full control over spam and mail containing viruses.
  • In any case, if you use the Internet, use a properly configured firewall. At least you can stop your computer from propagating a virus unknowingly. There is a good, simple-to-configure firewall, free for personal use, called ZoneAlarm that you can use.

Screenshot Descriptions:

Email01 The Inbox filled with mails carrying virus attachments. Note that they have different subject lines and bodies that look genuine enough, like the ones we use every day.

Email02 Virus attachments normally come with .zip, .pif or .scr file extensions, but may have other extensions as well to fool users.

Email03 A mail containing a virus claims that its attachment has no virus and, to back up the claim, gives the address of an antivirus firm.

Email04 Virus writers make every possible effort to trick innocent users. If you confirm their request, your computer gets infected immediately.

Email05 Some web mail services like Indiatimes scan every attachment for viruses and strip them before delivering the mail, thus somewhat curbing the further spread of the virus.

Email06 Use your mail client's advanced features that disable automatic display of HTML pages and prevent you from opening attachments.

Email07 The HTML-format mail that contains the virus file message.scr, hidden in the HTML page. The file type of the virus has also been changed to audio, so that it runs automatically as the page is rendered.

Email08 Source of the HTML mail containing the virus. The virus is linked to a fake web address and given zero dimensions, so that it does not display on the page unless you view the source.

