Stephanie's computer had a virus a couple weeks ago, before all this Blaster nonsense. It didn't
do any harm, and I was able to remove it relatively easily, but it annoyed me. I had to waste a
Saturday morning cleaning it up, and when I found out where it came from, I thought I
would try to do something as a Good Internet Citizen. As I wrote to the contact at one of the
involved sites, I'm no security expert, but I am in the IT field, and I have dealt with virus attacks
in the past at work. I realize that shutting down this exploit will probably not even make
a dent in the problem that industry has with this type of malicious activity, but if everyone did
what they could, we might stem the tide of these petty annoyances.

I had updated Stephanie's copy of Norton AntiVirus on Friday night before I went to bed, but I
didn't scan her drive before powering off. She was already up on Saturday morning when I got up,
and when I went into the office, I saw the big blue "You have a virus" message on her screen. She
turned her computer on and when she did, the anti-virus program scanned her files and found the
virus, so she left it for me to take care of.

Digging through her computer files, I found that she had been infected with the
Cleaning the machine was relatively easy, since it's not a real destructive virus, but I wanted to
know how she got it. I was under the impression that our firewall was supposed to protect us from
most of the riff-raff that seems to be giving the Internet a bad name, so my first thought was
that she had opened an infected e-mail attachment. I asked her if she had recently opened
any attachments that didn't seem to do anything when opened. She said the only one she got was
from one of her friends, but that it had contained what it was supposed to. I figured that wasn't the

So I looked at the information about the infected file. It was dated the previous Sunday, at about
11:45PM. She couldn't remember where she was on the Internet at that time, only that she was browsing
art-related sites. I used the Windows Find function to search for files dated Sunday from 11:30 to
midnight. I found HTML files (the files that make up a web site) in her browser's cache (temporary
storage) from exactly the time that the virus was installed, so I looked at the files using Notepad.
Luckily, I just took a Web design class, so I knew what I was looking at. After the last line in
one of the files, there were a couple lines of code opening a file from another web site. That
file, which I also found in the cache, called a Perl script (a little program) if the browser is IE6
without a service pack, which is exactly what Stephanie's computer has. I have no way of seeing what
the Perl script does, but if I try to run the code on her computer, BAM! Norton Antivirus jumps in
and says that a virus is trying to install itself on the computer. Since Norton stopped the virus,
I figured there was no harm in trying the web site, and I got the same result. This was where the
virus came from!
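
The search described above (cached HTML files from a time window, checked for code after the end of the page) can be written as a short script. This is an added example, not code from the original post; the iframe form of the appended code, the file names, the host and the timestamp are all constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime

# A page's own markup ends at </html>; anything after it was appended later.
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
# Attributes that make a browser fetch a remote resource.
REMOTE_REF = re.compile(r"""(?:src|href|data)\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)

def trailing_remote_refs(html):
    """Return remote URLs referenced after the last closing </html> tag."""
    closes = list(CLOSE_HTML.finditer(html))
    if not closes:
        return []
    return REMOTE_REF.findall(html[closes[-1].end():])

def scan_cache(cache_dir, start, end):
    """List (filename, urls) for HTML files modified in [start, end] with trailing remote refs."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(root, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if start <= mtime <= end:
                with open(path, encoding="latin-1") as fh:
                    urls = trailing_remote_refs(fh.read())
                if urls:
                    hits.append((name, urls))
    return sorted(hits)

def demo():
    """Build a constructed two-file cache and scan a half-hour window."""
    clean = "<html><body>thank you for visiting</body></html>\n"
    # Assumed form of the appended code: an iframe pointing at another site.
    tampered = clean + '<iframe src="http://other-site.example/loader.htm"></iframe>\n'
    stamp = datetime(2003, 7, 27, 23, 45).timestamp()  # constructed timestamp
    with tempfile.TemporaryDirectory() as cache:
        for name, body in (("clean.htm", clean), ("index[1].htm", tampered)):
            path = os.path.join(cache, name)
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(body)
            os.utime(path, (stamp, stamp))
        return scan_cache(cache, datetime(2003, 7, 27, 23, 30), datetime(2003, 7, 27, 23, 59, 59))

if __name__ == "__main__":
    print(demo())
```
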

I sent an e-mail to the contact name on the art website that the original HTML file came from,
and to the "webmaster" at the site, explaining what I found and telling them what happened to
Stephanie's computer. I probably made a mistake here,
since I wrote it as if I were Stephanie, saying that "my husband found the problem, and while I did
not fully understand what he's talking about, it sounds like there's a problem." The next day, we
received a somewhat snotty, (what I thought was a) very condescending e-mail from the web site:

Viruses come from opening attachments not visiting webpages or no one would visit the web and there
would be open panic on cable news. The line you refer to in my html does not exist. The last line is
"thank you for visiting" something else must have infected your system... sorry to hear you're having

I was ticked, to say the least! I checked his web site, and the offending code was indeed gone. I
tried to shrug it off, figuring that the problem was gone, which was the desired result of the
exercise in the first place, and that they were just trying to cover their own behind so that we
wouldn't accuse them of harming our computer, but the tone of the message bothered me. So, of
course, I had to reply on Monday:

Hi. I had my wife forward your reply to me at work so I could look into it a little deeper.
You are correct that the line I found does not now exist in your HTML, but you are not correct that
you cannot get a virus from visiting a web page. According to Microsoft (because the vulnerability
is in most versions of IE), their Knowledge Base article here
"A security vulnerability exists because, if an attacker altered the HTML header information in a
certain way, it could be possible to make Internet Explorer interpret that an executable (.exe) file
was actually a different type of file, one that it is appropriate to open without asking the user for
confirmation. This could enable the attacker to create a Web page or HTML e-mail message that, when
opened, would automatically run an .exe file on the user's computer."
And according to this message
(http://lists.boost.org/MailArchives/boost/msg49943.php) the Boost.org site had the same problem
last week that yours did, as it describes almost exactly what I found. The follow-up to that message
> I just got off the phone with Interland (the host). All their machines for
> shared hosting got infected this morning; they've had calls coming in from
> customers all day. They "have engineers working on it right now."
> They confirmed that the actual pages on the server's disk are OK, but that
> their server has been compromised to add the offending code.
Just thought you'd like to know.

I never did get a reply to this message.

I did, however, receive a reply to one of the other two messages I sent out about this problem.
Even though everyone at work that I told about this said that I should just drop it, I e-mailed the
contacts on the default pages of the other two sites that contained the bad code. The second one,
which actually contained the Perl code that loaded the file, never received the message, because it
was returned immediately as having a bad e-mail address. Bad e-mail address as the primary contact for
a web site. Yeah, there's nothing shady going on there!
The other one sent me a very nice reply a week later, that made me feel like I actually did the right thing:

Thank you for telling me about the virus. I called my Internet Service
Provider - Interland, and this is what was discovered:
1. xxx.xxx.xxx.xxx is my old URL which was never reassigned to anyone and looks very much
like my current one, which is xxx.xxx.xxx.xxx
2. Interland tech support will try to fix the problem by deleting all files associated with obsolete
URL - xxx.xxx.xxx.xxx
3. You can get in touch with Interland by calling 1-800-xxx-xxxx, ticket number xxxxxx.
I apologize that due to my absence I was unable to take care of the situation at the earlier time.

In the interim, I also realized that I had been feeling guilty for a couple reasons. I never
installed the IE service patch on Stephanie's computer, and her virus signatures were a couple
weeks old. I never paid much attention to the patch, because I
kept reading about how the patches Microsoft was putting out were frequently causing more problems
than they were resolving, and it was just sloth that prevented me from updating her anti-virus. I
didn't feel so bad about the anti-virus, though, because it turns out that she got the virus four
days before Norton released the code to check for it.

I guess the moral of the story is if you're on the Internet, you had better keep up with the security
patches and don't go too long between updates of your virus signatures. Although this bug got past
our firewall, I firmly believe a firewall, even a software-based one, is also a smart investment.
You can't be too careful nowadays.

(As a funny side note to this story, when all was said and done, I considered upgrading Stephie's computer
from Windows 98 to Windows 2000, figuring that it might be safer. Now that the Blaster worm is attacking
Windows 2000 PCs and not Windows 98, it's a good thing I put that little upgrade off!)

Here are some virus- or security-oriented web sites that I use regularly:
Symantec - update your Norton Anti-Virus
McAfee Security - update your McAfee Anti-Virus
CERT Coordination Center - more info about
DataFellows Hoax Site - check this site before forwarding any warning chain e-mails
GRC.com - use "Shields Up" to check how secure your computer is!
Microsoft - download the
SpamNet - Stop the Spam! (I don't use this myself, but I have friends that swear by it.)
Pop-Up Blocker - blocks most pop-ups, and is easy to use, too
Mozilla - an open-source alternative to Internet Explorer, without a lot of the problems that IE has