[Dshield] Taking the courtesy of warning about links to infected or malicious web pages

Ed Truitt ed.truitt at etee2k.net
Sat Mar 20 17:50:28 GMT 2004

Peter Stendahl-Juvonen wrote:

>Taking the courtesy of warning about links to infected or malicious web pages
>You may have noticed references in a few posts to this list (on March 9 and 10)
>containing a hyperlink to one of the web pages of Columbia University (in the
>City of New York).
>After clicking the hyperlink for this specific page, auto-protect features of
>anti-virus programs alarmed that a specific virus resides in the browser's
>cache. For instance, NAV2004 detected and identified the threat as
>W32.Sobig.F@mm.enc.
>Would someone with in-depth understanding on the incident kindly shed light on
>the following?
>1) Does this university's web page actually contain viral code?
>2) Or does the web page merely contain enough of the viral code to match the
>virus' signature, and hence cause the alert?
>3) Is the existence of the viral code in the browser's temporary cache file
>harmful or harmless?
>4) If the code is actually viral, is it also hostile?
>5) Could the viral code activate, if left unnoticed in the browser's cache?
>anti-virus programs?
>I assume that sender(s) of post(s) containing link(s) targeting to infected or
>malicious web pages take the courtesy of warning about the possible danger.
>For your convenience, I repeat the link of this sample case below.
>*** Please note that the following link targets to a web page that possibly
>contains viral code: ***
>(If memory serves well, the certificate for this web server has expired.)
>- Pete
>     "The cause is hidden. The effect is visible to all."
>                  Ovid (43BC-17AD); Roman poet.
1) and 2) I sucked down the page using "wget" on a Linux box.  It 
appears to be an email message, with a subject of "failure notice", and 
a rather large base64-encoded attachment named "application.pif".  Looks 
like the page actually does contain a virus.
3) If it is Sobig.F, it is most likely harmful, if you execute it.
4) The SoBig series of malware were pretty darn hostile, if I recall.
5) Only if someone executed it.  Pretty hard to do remotely, but I guess 
it is possible.
6) Yes.  In fact, I am cc'ing their "abuse" address on this email.
6a)  Unfortunately, the scanning engines of many A/V products will "hit" 
on things that look (to them) like viruses, but in reality aren't.  This 
is one of the problems with pattern-based scanning.  Therefore, while 
putting such a warning on the email/post is a nice 'Netiquette-y thing 
to do, the lack of such a warning should not be taken as an indication 
the web page is safe.  When in doubt, act paranoid (like I did above.)  
Better safe than sorry.

Note to abuse at columbia.edu:  It appears that a message posted on one of 
your Web-based bulletin boards contains a copy of the SoBig virus.  The 
URL is


Please investigate this, and take corrective action as needed.  Thanks.

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
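The triage Ed describes above (fetch the page with wget, notice that it is really a saved e-mail message, spot the large base64 attachment named application.pif) can be done programmatically and without ever executing the attachment. The following is an added example and not code from the original thread: it parses the raw page bytes as an RFC 822 message, decodes each attachment in memory, and reports its name, size, SHA-256 and whether it starts with the 'MZ' header of a Windows executable. The sample message it is run on is constructed here; the attachment is a placeholder with a fake 'MZ' prefix, not the real worm, and the list of risky extensions is an assumption.

```python
"""Offline triage of a page that turns out to be a saved e-mail message.

Added example, not part of the original thread. Given the raw bytes of a
page (what wget would have written to disk), parse it as an RFC 822
message, list its attachments, decode them in memory and report each
one's name, size, SHA-256 and whether it starts with the 'MZ' header of a
Windows executable. Nothing is executed and nothing is written to disk.
"""
import base64
import email
import hashlib
from email import policy

# Extensions Windows will execute that mass mailers of the era used;
# '.pif' is the one named in the thread. Assumed list, not from the post.
EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

# Constructed placeholder attachment (NOT real malware): a fake 'MZ'
# header followed by filler bytes, enough to exercise the checks below.
SAMPLE_ATTACHMENT = b"MZ" + b"\x00" * 62 + b"constructed placeholder " * 8


def triage_message(raw: bytes) -> dict:
    """Parse raw message bytes and describe every named attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:                      # inline body text, skip it
            continue
        payload = part.get_payload(decode=True) or b""   # base64 decoded here
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        findings.append({
            "filename": name,
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "is_mz": payload[:2] == b"MZ",            # DOS/PE executable header
            "risky_extension": ext in EXEC_EXTENSIONS,
        })
    return {"subject": str(msg["subject"]), "attachments": findings}


def build_sample() -> bytes:
    """Constructed 'failure notice' bounce carrying SAMPLE_ATTACHMENT as a
    base64-encoded application.pif, shaped like the page Ed fetched."""
    b64 = base64.encodebytes(SAMPLE_ATTACHMENT).decode("ascii")
    return (
        "From: postmaster@example.invalid\n"
        "To: someone@example.invalid\n"
        "Subject: failure notice\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\n'
        "\n"
        "--XYZ\n"
        "Content-Type: text/plain\n"
        "\n"
        "Your message could not be delivered.\n"
        "--XYZ\n"
        'Content-Type: application/octet-stream; name="application.pif"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="application.pif"\n'
        "\n"
        + b64 +
        "--XYZ--\n"
    ).encode("ascii")


if __name__ == "__main__":
    # Real use: triage_message(open("page.html", "rb").read())
    report = triage_message(build_sample())
    print(report["subject"])
    for a in report["attachments"]:
        print(a)
```

Because the attachment is decoded only in memory and never written out with its original name, nothing the script does can launch it. The SHA-256 it prints is the useful bit for the false-positive question in 6a: a hash of the decoded payload can be compared against a known-bad hash, which is a far stronger signal than a pattern scanner firing on a stretch of base64 text in the browser cache.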
