Blog Post RSS ?

Blogs » PHP » Worms harassing PHP Developers?
« Simple Test 1.0 Beta 6 is out
More CSS techniques »
 

Worms harassing PHP Developers?

by Harry Fuecks

+++++++++++++++++++++++++++++++++++++++++++++

From: Ulf Wendel

To: Harry Fuecks

Subject: something for you

do you know the thief?

Attachments: posting.zip
+++++++++++++++++++++++++++++++++++++++++++++

…an impression of one of those NetSky worm mails (Ulf didn’t really send it).

Now Ulf is a pretty well known PHP developer who’s contributed to a number of Open Source projects and, no doubt has put his email address in the source code. So have I.

This isn’t the first virus message I’ve had, claiming to come from a known PHP developer - the first, that surprised me, was one from Adam Trachtenberg (PHP Cookbook) and I’ve lost count since.

Picking a random virus description for MyDOOM, for example;

The mail addresses will be first collected from the victim’s WAB file and from files from Internet Explorer cache folder if they have one of the extensions: “.txt”, “.htm”, “.sht”, “.php”, “.asp”, “.dbx”, “.tbb”, “.adb”, “.pl” and “.wab”. After this, in a separate thread, will continue to collect mail addresses from all the files from the victim’s machine if they have the above extensions.

An irritating but interesting side effect of scanning .php files is it gives the worm a much better chance of targetting a specific community, using email addresses the recepient might even fall for. Don’t know if that was planned or fluke side effect but interesting any way.

But hey - at least it treats PHP, ASP, Perl developers equally ;)

This entry was posted on Wednesday, June 9th, 2004 at 11:05 am, contains 220 words, and is filed under PHP. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed. The views and opinions in this blog post are those of its author.

This post has 7 responses so far

  1. sweatje Says:
    June 9th, 2004 at 12:05 pm

    At least they were not smart enought to scan for .phps. .php files in the IE cache should just be the output of the php page, not the source itself (which is where I thought you might be thinking the email addresses would be located).

     
  2. Adam Trachtenberg Says:
    June 9th, 2004 at 12:16 pm

    Glad to see I apparently send as many viruses to PHP developers as I receive from them. :) My e-mail address is all over the Internet, so I get spammed and spoofed thousands of times a day. I finally just redirected anything with caught by spam assassin to /dev/null.

     
  3. Toby Says:
    June 9th, 2004 at 12:59 pm

    It’s not said that they must have it from source. As a os developer we post day by day on mailinglists & webforums, there’s pretty much space where an email address may be noted.

     
  4. HarryF Says:
    June 9th, 2004 at 3:56 pm

    As if it reads minds (or Sterlings having fun), one just in;

    ++++++++++++++++++++++++++++++++++++++++++++++

    From: Sterling Hughes

    Subject: its me

    i have received this.

    Attachement: myaunt_information.zip
    ++++++++++++++++++++++++++++++++++++++++++++++

     
  5. Matt Mickiewicz Says:
    June 10th, 2004 at 5:50 pm

    We just plugged in clamav into qmail-scanner on our system and its worked like a charm. Not a single virus has gotten through today vs the usual 30-50+

     
  6. z0s0 Says:
    June 11th, 2004 at 12:16 am

    As an aside, I finally caved into Matt’s protestations and installed a virus scanner on our email server. In the last 24 hours it’s deleted > 600 infected emails.

     
  7. z0s0 Says:
    June 11th, 2004 at 12:17 am

    ahh.. Yep, what he said ;-)

     

Sponsored Links

Leave a response

You are not logged in, log in with your SitePoint Forum username and password.

-OR- Post Anonymously

* Make sure any code samples are escaped (i.e. ‘<b>’ becomes ‘&lt;b&gt;’).

If not logged in, your comments will be placed in a moderation queue. This means your comment may not appear until one of our moderators approves it.

Your Blogmaster is...

Harry Fuecks

Harry Fuecks

Harry has been working in corporate IT since 1994, with everything from start-ups to Fortune 100 companies. Outside of office hours he runs phpPatterns: a site dedicated to software design with PHP that aims to raise standards of PHP development. He also maintains Dynamically Typed: SitePoint's PHP blog.

Subscribe

SitePoint Newsletters

Get all the latest tips by signing up to all of SitePoint’s informative newsletters.

HTML   Plain

SitePoint Blogs

SitePoint Marketplace

Buy, Sell, Trade

Buy and sell Websites, templates, domain names, hosting, graphics and more.

New Release!

The Principles Of Successful Freelancing

Book Cover: The Principles of Successful Freelancing

Become a successful freelancer TODAY!

Find out how!

Posting Code Snippets

Feel free to enter code snippets into your comments in the following format.

Marking Up Your Code
<pre>
<code class='html'> 
code snippet 
</code>
</pre>

Be sure to escape any HTML snippets (i.e. '<' becomes '&lt;' ).

Supported language classes include:

  • XML, HTML, XSLT and any other XML style code
  • CSS
  • C#
  • VB & VB.NET
  • Delphi, Pascal
  • JavaScript
  • PHP
  • Python
  • SQL