|Comments on Wednesday 20 August 2003:|
|NAV detected a virus in a document you authored.|
InterScan has detected virus(es) in your e-mail attachment.
The virus in both these cases is stated to be Sobig.F. This description of Sobig.F says:
The Sobig worm spoofs email addresses. This means that the worm is able to retrieve addresses from the address book or from other files residing on an infected computer, and use these addresses to disguise who the real sender is when spreading further. Most anti-virus software alert mechanisms are not able to decide whether the address is spoofed or not, and will therefore alert the address which the worm seems to be sent from. Often this address is not the real sender.
So, the virus detection programs know what the virus is, the virus is known to spoof 'From' addresses, but the virus detection program sends an email out to the 'From' address anyway? Can there be any reason for this other than to advertise the antivirus program?
It certainly looks like unsolicited bulk mail without removal instructions, to me. Is the spammer the antivirus company, or the company running their software? [23:05]
|What is even more fun is when the virus is spoofing the address of a mailing list. Anti virus people get to spread their message to thousands after sending one "You may be infected" mail. This is especially effective when it's a Linux list.|
The most exciting one I've got so far said something like:
The attachment you sent "This is Mr Sobig worm" seems to be infected with a virus. If you didn't send this attachment it may be the result of the klez virus, which is known to spoof addresses. This means that the virus may not have come from you. You should run our virus protection software on your system.
I expect that technically the spammer is the company running the software, not the anti virus company. It's not spamming to write bulk mailing software, after all.
|Some barely-competent webmasters (such as myself) get their first clue as to the current crop of virii via such returns. My ISDN connection was so clogged on SoBigday that I could not get out to find out what was going on. An email reply let me target the beastie and I finally found one on my clueless boss's system. Once he quit broadcasting, a semblance of order was restored. Some value in that.|