
MyDoom has Character

MyDoom is clogging up email servers around the world because of some clever social engineering: it is packaged in a way that entices unwary people to open it. Four characteristics make it dangerous.

First, unlike the authors of earlier worms, MyDoom's creator had the sense to write a plausible story to entice unwary people to open Pandora's box. In this case the worm arrives with a message that reads something like:

    Mail transaction failed. Partial message is available.

    The message contains Unicode characters and has been sent as a binary attachment.

    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

At first glance those messages seem reasonable enough to warrant looking at the attachment. The attachment won't fool anybody who has Windows set up to show file name extensions (it hides extensions of "known" types by default) and who already knows that double-clicking a .bat, .cmd, .exe, .pif, or .scr file is as dumb as it gets. And if you use Outlook 2002 or 2003 with the default security settings you won't see the file at all, because Outlook blocks attachments with those extensions.

In some cases, however, the infected file arrives inside a zip, and that is a completely different matter. Zips get through Outlook: a zip archive is innocuous in itself and cannot infect you. But the file(s) inside the zip can be the worm, and that is how MyDoom gets you. Burying the infected file in a zip so it gets past the attachment filter is MyDoom's second characteristic. No need to panic, though: nothing happens until you open the attached zip and run the file inside it.

The third characteristic is the name of the file inside the zip. MyDoom gives it a very long name, padded with so many spaces that when you open the zip Windows won't even show the .exe at the end. Other infected messages arrive with a zipped copy of readme.txt .exe, another with body.txt .scr, another with data.htm.exe, and so forth. It is astounding to see that when you open a zip, Windows Explorer truncates a long enough name and the real file extension simply falls off the end of the display.

The fourth characteristic? The antivirus vendors are reporting that the worm not only forges the sender address but also spoofs Windows icons. There are examples on-line of files called document.pif and document.scr that carry the icon normally associated with text files; Windows draws whatever icon the executable itself supplies, so a .pif or .scr can look exactly like a Notepad document. Folks who do not make Windows show file name extensions will be in for a very nasty surprise if they click on one of those alleged "document" icons.
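The second, third and fourth characteristics above are all about the name and contents of the file inside the zip, and they are all checkable before anyone double-clicks anything. The following is an added example, not code from the original post: a small Python scanner that opens a zip in memory and flags entries whose final extension is executable, whose extension is pushed out of view by a run of spaces (readme.txt ... .exe), or that use a double extension (data.htm.exe). It goes one step beyond the post by also reading the first two bytes of each entry and flagging a Windows executable (every .exe, .scr or .pif starts with "MZ") that hides under a text-looking name. The tag names, function names and the sample zip it builds are all constructed for this example.

```python
import io
import re
import zipfile

# Extensions Windows runs on a double-click. Outlook 2002/2003 strips these
# when they are the attachment itself, but not when they sit inside a .zip.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}

# Harmless-looking extensions the worm puts in front of the real one.
DECOY_EXTS = {".txt", ".htm", ".html", ".doc"}

PE_MAGIC = b"MZ"  # every Windows executable (.exe, .scr, .pif) starts with these bytes

# "<decoy name><run of whitespace>.<ext>": the padding trick from the post.
PADDED = re.compile(r"^(?P<decoy>.*?\S)(?P<pad>\s+)(?P<ext>\.[A-Za-z0-9]{1,4})$")


def extension(name):
    """Lower-cased final extension of a name, or '' if it has none."""
    parts = name.rsplit(".", 1)
    return "." + parts[1].lower() if len(parts) == 2 else ""


def classify_entry(name, head):
    """Return a set of tags saying why one zip entry looks like a disguised
    executable. `name` is the stored file name, `head` its first bytes."""
    tags = set()
    base = name.rsplit("/", 1)[-1].rstrip()   # drop any directory part
    real_ext = extension(base)
    if real_ext in EXECUTABLE_EXTS:
        tags.add("exec-ext")
        m = PADDED.match(base)
        if m:                                   # readme.txt<spaces>.exe
            tags.add("space-padded")
            decoy = m.group("decoy")
        else:
            decoy = base[: -len(real_ext)]       # data.htm.exe -> data.htm
        if extension(decoy) in DECOY_EXTS:
            tags.add("double-ext")
    if head.startswith(PE_MAGIC):
        tags.add("pe-body")
        if real_ext not in EXECUTABLE_EXTS:     # text-looking name, executable body
            tags.add("ext-mismatch")
    return tags


def scan_zip(zip_bytes):
    """Map each suspicious entry name in an in-memory zip to its tags."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)           # only the magic bytes are needed
            tags = classify_entry(info.filename, head)
            if tags:
                findings[info.filename] = tags
    return findings


# Constructed stand-in for a PE file: only the MZ magic matters here.
FAKE_PE = b"MZ" + b"\x90" * 30 + b"constructed sample, not a real program"


def build_sample_zip():
    """Build a zip (in memory, constructed for this example) whose entries use
    the name tricks described in the post, plus one clean file for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt" + " " * 60 + ".exe", FAKE_PE)  # padded extension
        zf.writestr("body.txt .scr", FAKE_PE)                  # one-space padding
        zf.writestr("data.htm.exe", FAKE_PE)                   # plain double extension
        zf.writestr("document.pif", FAKE_PE)                   # icon-spoofed .pif
        zf.writestr("invoice.txt", FAKE_PE)                    # PE body under a .txt name
        zf.writestr("notes.txt", b"Just a note.")              # genuinely harmless
    return buf.getvalue()


if __name__ == "__main__":
    for entry, tags in scan_zip(build_sample_zip()).items():
        print(repr(entry), "->", ", ".join(sorted(tags)))
```

Run it and every entry except notes.txt is reported; the padded readme and body.txt .scr pick up all three name tags plus the PE body, and invoice.txt is caught only because its content says "MZ" while its name says text. That last check is the one worth keeping on a mail gateway: the name tricks vary from one worm to the next, the executable header does not.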

Got a MyDoom story to tell? Let me know.

Written February 3rd, 2004 by | Filed under: Miscellaneous Blog Tips
