August 13, 2003

My first virus

Like probably thousands of other people, I have been hit by the MSBlaster virus. I hadn't really noticed anything until an advisory suggested that I take a closer look. And lo and behold, I had an msblast.exe process running and I also had that executable in \WINNT\SYSTEM32.

This is my first virus ever.  I am so excited.

Cleaning it was relatively easy. For future reference, you want to

Although I recognize viruses as a very real threat, I have never really been proactive at stopping them.  My work machine has an antivirus because it came with one, but none of my other machines do.  I use Outlook (well, used to) and other reputedly dangerous software, but I have always relied on my common sense to keep me out of trouble.

I am not saying this is a good idea.

One day, I expect to click on an unsafe attachment and infect myself.  We all have lapses in our attention and relying on our human senses to keep us safe from viruses is not just stupid, it's suicidal.  But well, habits die hard.

One word about Outlook:  there is this myth that it is the main enabler for virus propagation out there and that if you are using another client, such as Eudora or Mozilla Mail, you are safe.  This is incorrect.  Viruses typically travel through email attachments.  You can launch an attachment with any mail client and you will get infected just the same, so just be vigilant regardless of your mail client.  It is true that Outlook used to have unreasonable security defaults, but this is no longer the case.  Even Word and Excel now come with a high security default, not allowing you to run macros and other mechanisms that viruses use to propagate.

What's interesting is that I have always thought that I would be infected one day through email, but I ended up receiving a virus through other means (tftp and RPC). Fortunately for me, this virus is relatively harmless for the user: its main purpose seems to be to trigger a SYN attack on a Microsoft site on August 16th. I am curious to see how this is going to unfold. I am confident Microsoft has taken all the necessary precautions to foil the upcoming onslaught, but we will see.
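As an added example (not part of the original post), here is the host check the post describes, a running msblast.exe and that executable under \WINNT\SYSTEM32, together with a scan of perimeter firewall logs for the two vectors named here, RPC and tftp. The C: drive, 192.168.1.0/24 as the local network, the log line format and the log lines themselves are constructed assumptions; 135/tcp and 69/udp are the standard ports for the RPC endpoint mapper and tftp, not values taken from the post.

```python
"""Defender-side checks for the indicators named in the post (added example).

Host side: a process named msblast.exe and the file under \\WINNT\\SYSTEM32.
Network side: traffic crossing the perimeter on the standard RPC and tftp
ports, the two vectors the post says the worm arrived through.
"""
import ipaddress
import os
import re
import subprocess
from typing import Dict, Iterable, List

# Indicators from the post. The C: drive letter is an assumption.
SUSPECT_PROCESS = "msblast.exe"
SUSPECT_PATH = r"C:\WINNT\SYSTEM32\msblast.exe"

# Standard service ports for the two vectors named in the post.
WATCHED_PORTS = {("tcp", 135): "RPC/DCOM", ("udp", 69): "tftp"}


def check_host(process_names: Iterable[str], files_present: Iterable[str]) -> List[str]:
    """Compare a process list and a list of existing files against the indicators.

    Windows process and file names are case-insensitive, so compare lowercased.
    """
    findings = []
    if SUSPECT_PROCESS in {p.lower() for p in process_names}:
        findings.append(f"process running: {SUSPECT_PROCESS}")
    if SUSPECT_PATH.lower() in {f.lower() for f in files_present}:
        findings.append(f"file present: {SUSPECT_PATH}")
    return findings


def list_windows_processes() -> List[str]:
    """Image names from `tasklist` (Windows only; returns [] on other systems)."""
    if os.name != "nt":
        return []
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    # CSV rows look like "Image Name","PID","Session Name",...; take the first field.
    return [line.split('","')[0].strip('"') for line in out.splitlines() if line.startswith('"')]


# Constructed perimeter log format (assumption):
# <date> <time> <ALLOW|DROP> <TCP|UDP> <src> <dst> <sport> <dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2003-08-13 02:14:07 ALLOW TCP 203.0.113.9 192.168.1.10 3012 135
2003-08-13 02:14:09 ALLOW UDP 192.168.1.10 203.0.113.9 1041 69
2003-08-13 02:15:00 ALLOW TCP 192.168.1.10 198.51.100.4 1050 80
2003-08-13 02:16:33 DROP TCP 198.51.100.77 192.168.1.22 2050 135
2003-08-13 02:17:00 ALLOW TCP 192.168.1.5 192.168.1.10 1100 135
this line is not in the expected format
""".splitlines()


def scan_firewall_log(lines: Iterable[str], local_net: str = "192.168.1.0/24") -> List[Dict[str, str]]:
    """Report RPC/tftp flows that cross the perimeter, with direction and verdict.

    Internal-to-internal traffic on these ports is skipped: it is normal on a
    Windows LAN and the interesting question is what the Internet can reach.
    """
    net = ipaddress.ip_network(local_net)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than crash the scan
        key = (m["proto"].lower(), int(m["dport"]))
        if key not in WATCHED_PORTS:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src in net and dst in net:
            continue
        hits.append({
            "time": m["ts"],
            "service": WATCHED_PORTS[key],
            "direction": "inbound" if dst in net else "outbound",
            "src": str(src),
            "dst": str(dst),
            "action": m["action"],
        })
    return hits


if __name__ == "__main__":
    # Live host check (meaningful on Windows only), then the sample log scan.
    live = check_host(list_windows_processes(),
                      [SUSPECT_PATH] if os.path.exists(SUSPECT_PATH) else [])
    print("host findings:", live or "none")
    for hit in scan_firewall_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['action']:5} {hit['direction']:8} "
              f"{hit['service']:8} {hit['src']} -> {hit['dst']}")
```

An ALLOW on an inbound 135/tcp flow is the line worth acting on: it means the RPC port was reachable from outside, which is the condition the worm needs. An outbound tftp flow right after it is what a freshly infected host looks like fetching its payload.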

I remember when I saw my first virus. It was circa 1988 on the Amiga. Viruses were totally unheard of back then. This virus, called SCA, was probably not the first but definitely a very early one. It propagated by copying itself onto the boot sector of floppies, and all it did was wait for the third invocation and then display a message saying "Something wonderful has happened, your Amiga is alive, etc...". I remember finding this cool the very first time I saw it, probably because I had no idea it was based on a concept that would cause billions of dollars in losses in the coming years.

I disassembled the SCA virus back then and published an article about it in the French Amiga magazine I was working for.  As the assembly code was unfolding in front of my eyes, I remember feeling much more fascination than anger at the author.  It was such a neat idea (and also a pretty cool Copper list).

Those days are gone. Protect yourself, and if you don't like to use antivirus software because it slows down your I/O operations, at least make sure your machine is reasonably up to date with security patches.

Posted by cedric at August 13, 2003 08:06 AM

I tried to make sure my machines were patched last night, but I was unable to get through to WindowsUpdate.... Wonderful virus, it achieves its aim through social engineering and code.

Posted by: Lance at August 13, 2003 09:31 AM

Using Windows is very good sometimes. You can make lots of interesting stories out of it. This blog entry, for example. I won't have the chance of writing such a blog entry, simply because my desktop runs Linux. Hopefully sometime in the future, I will have to run Windows and will have such mysterious email-virus stories to blog about. How cool is it to be able to say "I have got a virus today". An even cooler thing is to get a sound-enabled notifier (like the AOL email one) saying something like "You have got a virus!"...super cool idea.

Posted by: Talip Ozturk at August 13, 2003 09:39 AM

How did you expose the RPC port to the public?

No firewall ?

Posted by: Ricky Datta at August 13, 2003 10:50 AM

At home, I use AVG antivirus. It's free for home use, effective, fast, and gentle on CPU cycles.

Posted by: Paul Watson at August 13, 2003 11:27 AM

You're still using Windows? Try OS X. ;) Actually, Outlook was less secure than other e-mail clients. The problem was a MIME type mapping mismatch between Outlook and the OS. You could trick Outlook, for example, into thinking that an exe attachment was of an image MIME type, in which case it would pass it off to the OS without question. The OS would recognize that it was actually an exe and run it. The problem here is that you didn't have to opt to open the attachment. Simply previewing the message would result in executing the exe. If you have an unpatched install of Windows, you probably have this problem.

Posted by: Bob Lee at August 13, 2003 03:29 PM

Funny to read one of your current Google ads: "Avoid the Blaster Worm"

Posted by: Pierre CARION at August 18, 2003 07:59 PM

