Virus distribution in action
August 25th, 2006
I received a typical spam email a few days ago. The type that has a subject of you've received a postcard from SomeOneYouDont Know.
For some reason I decided to have a look at the email. It has a link with a title suggesting that it went to Postcards.com. Of course the link went to another site and pointed to a file called postcard.exe (a file that will run on the computer). I downloaded the file and it is actually a zip file containing a bunch of files.
In the zip file there was a virus file (rundll.exe) that Norton AntiVirus detected as IRC.Backdoor.Trojan and deleted immediately. The zip also contained several files containing first names, last names, and IP addresses. I can only assume that the virus uses these other files to spread itself around and tries to send email using combinations of the bogus first and last names. Furthermore I would guess that it uses the IP addresses to relay the mail. These are all guesses but it would work something like that.
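The two tells described above (link text naming one domain while the href points somewhere else, and a file named .exe that is really a zip archive) are both mechanically checkable. The following is an added example, not code from the original post, that performs both checks and then inventories the archive by magic bytes rather than by file name. The email body, the archive and its contents (a 64-byte "MZ" stub standing in for rundll.exe, name lists, and 192.0.2.x documentation addresses) are all constructed inline for the example; the URL example.net is a placeholder, not the site from the post.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML mail body whose visible link text names one
# domain while the href goes to a different host and a .exe download.
SAMPLE_EMAIL_HTML = """<html><body>
<p>You've received a postcard from a friend!</p>
<p><a href="http://example.net/~user/postcard.exe">Postcards.com</a></p>
<p><a href="http://postcards.com/help">Help</a></p>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# Something that looks like a host name inside the clickable text.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)


def deceptive_links(html):
    """Return (text, href) pairs where the text names a domain that is
    neither the href's host nor a parent of it."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        for shown in DOMAIN_RE.findall(text):
            shown = shown.lower()
            if host != shown and not host.endswith("." + shown):
                flagged.append((text, href))
                break
    return flagged


def sniff_format(data):
    """Identify a payload by its leading bytes, ignoring its extension."""
    if data[:2] == b"MZ":
        return "pe"          # Windows executable / DLL
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"         # zip archive (normal or empty)
    return "unknown"


def extension_mismatch(filename, data):
    """True when the extension promises one format and the bytes are another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = {"exe": "pe", "dll": "pe", "zip": "zip"}.get(ext)
    return expected is not None and sniff_format(data) != expected


def build_sample_archive():
    """Constructed stand-in for postcard.exe: a zip, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("rundll.exe", b"MZ" + b"\x00" * 62)   # inert stub, not real code
        z.writestr("firstnames.txt", "alice\nbob\n")
        z.writestr("lastnames.txt", "smith\njones\n")
        z.writestr("relays.txt", "192.0.2.10\n192.0.2.11\n")
    return buf.getvalue()


SAMPLE_ARCHIVE = build_sample_archive()


def inventory(data):
    """List (name, sniffed format) for each member of a zip payload."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [(info.filename, sniff_format(z.read(info))) for info in z.infolist()]


if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"link text '{text}' does not match host of {href}")
    if extension_mismatch("postcard.exe", SAMPLE_ARCHIVE):
        print("postcard.exe is really a", sniff_format(SAMPLE_ARCHIVE))
        for name, kind in inventory(SAMPLE_ARCHIVE):
            print(f"  {name}: {kind}")
```

Checking the bytes rather than the name is the point: a mail gateway or download scanner that trusts the .exe extension would hand the file to the wrong parser, while a magic-byte check sees the zip, and a second pass over the members finds the MZ header on rundll.exe regardless of what it is called.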
I followed the link (http://www.esva.net/~sydney/) and found an ftp directory containing the file. Then I checked out www.esva.net which is a legitimate looking site based in Hungary. I emailed the owner of the site and told them that they were hosting viruses. I didn't receive any reply and I checked again today and now the site has 4 extra virus files. Perhaps I reminded them to upload them?
I posted the web site URL to a few blacklists including www.stopbadware.org but I couldn't find a central repository of bad sites. I guess there are a couple of problems here. Firstly, the spammers and virus writers can easily create a new web site in a matter of seconds. Thousands of hosts all over the world offer free hosting and there are potentially millions of sites that are not secured properly and allow uploading of malicious files. Secondly, any attempt at creating a central blacklist is prone to abuse as people can easily report valid sites to the blacklist.
The solution is probably to just make sure that you have good AntiVirus software and make sure that your subscription is up to date. This problem is going to continue for a long time.