Black Viper
Nov 17, 2003

This is another round of warnings that I feel compelled to pass on to people. My previous page instructed people on how to deal with the MSBlast worm. This one, however, deals with yet another mass-mailing worm whose purpose in life is to steal PayPal account information.

This discovery was prompted by one E-Mail that fits the Symantec description perfectly:

The subject line contains "YOUR PAYPAL.COM ACCOUNT EXPIRES" and comes from the address of "Do_Not_Reply@paypal.com." It arrived at my inbox at 11:41 AM today.

This information was posted November 14, 2003 by Symantec and the virus signatures were updated that day:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-111317-1701-99

However, just a few messages up (more recent), I received about the same message at 12:16 PM with a slightly different subject line. This one is "IMPORTANT <several spaces and then random characters>". It also comes from the address of "Do_Not_Reply@paypal.com."

This particular message, fitting the bill with another scam to steal PayPal account information, was posted on November 17, 2003. Yes, today:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-111710-5127-99

This one tipped me off because it has the exact type of subject line of a previous virus that I have been sent often (12 times yesterday, 3 today) for several months. That particular variant comes from the address of "admin@<whatever domain the email is sent to.com>" with the subject line of "your account <several spaces and then random characters>".

More information on that particular virus is here:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-080109-2046-99

What I am trying to get across is that people could find viruses in their E-Mail box before virus signatures can be updated. I fail to remember the "default" amount of time or "how often" the automatic update service runs for Norton Anti-Virus, but 24 hours is not a guess far from the truth, I am sure.

What this means is that I could have been infected 3 times (by the number of separate E-Mails) before the signatures could have been updated. Of course, by the time the automatic update is performed, it could be too late.

Knowledge is power. Period. I knew these E-Mails contained viruses without even thinking about it, from past experience with known subject lines. I looked them up because my curiosity sometimes overwhelms me and discovered that "I could have received it before they fixed it."

Being careful with the "automatic" actions you perform daily by checking E-Mail and knowing "what is good and what could be bad" is much more powerful than any virus scanner available. Knowing an E-Mail's intent before even opening it has much more power than "assuming" a person is safe just because an Anti-Virus program is running.

More tips are located in my E-Mail Filtering Guide.
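
The three sender and subject-line patterns described in this post can be checked against a message's headers before it is opened. The following is an added example, not taken from the author's filtering guide; the labels, the sample messages, the `example.org` domain and the "three or more spaces" threshold are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PAYPAL_SENDER = "do_not_reply@paypal.com"
# "<several spaces and then random characters>": the minimum of three
# spaces and a single trailing token are assumptions of this example.
PADDING = r"\s{3,}\S+\s*$"
RE_IMPORTANT = re.compile(r"^IMPORTANT" + PADDING, re.IGNORECASE)
RE_YOUR_ACCOUNT = re.compile(r"^your account" + PADDING, re.IGNORECASE)


def classify(raw_message):
    """Return a label if the headers match a pattern from the post, else None."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    subject = msg.get("Subject", "").strip()

    if sender == PAYPAL_SENDER:
        if "YOUR PAYPAL.COM ACCOUNT EXPIRES" in subject.upper():
            return "paypal-account-expires"
        if RE_IMPORTANT.match(subject):
            return "paypal-important-padded"

    # Third pattern: the sender claims to be admin@ the recipient's own domain.
    local, _, domain = sender.partition("@")
    rcpt_domain = recipient.partition("@")[2]
    if local == "admin" and domain and domain == rcpt_domain:
        if RE_YOUR_ACCOUNT.match(subject):
            return "admin-your-account-padded"
    return None


# Constructed sample messages (not real captures); example.org is a placeholder.
SAMPLES = [
    "From: Do_Not_Reply@paypal.com\nTo: me@example.org\n"
    "Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES\n\nbody\n",
    "From: Do_Not_Reply@paypal.com\nTo: me@example.org\n"
    "Subject: IMPORTANT          qzkvbxw\n\nbody\n",
    "From: admin@example.org\nTo: me@example.org\n"
    "Subject: your account          hjqpwz\n\nbody\n",
    "From: friend@example.net\nTo: me@example.org\n"
    "Subject: IMPORTANT meeting notes\n\nbody\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

The check reads only the From, To and Subject headers, so it gives an answer without waiting for a signature update.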