Zyra International NET //// Zyra's front page //// anti-virus measures //// INTERNET //// e-mails //// ROGUES GALLERY OF SUSPICIOUS E-MAILS //// Another "Microsoft" hoax //// site index


The following are examples of viruses which have arrived to various addresses. Don't worry; they've been neutralised! These are shown here stuffed and mounted to help you to recognise the kinds of disguises which viruses can adopt to try to fool you, and to get an idea of the level of deviousness involved. For example, a virus can say on it "+++ no virus found +++" - what a surprise - they tell lies! But fortunately, they are not very convincing. Here are a few examples to help to show how easy it is to get wise to these things and to avoid being fooled by them!

Attached file: Informations.zip

----- Original Message -----
From: conradi@ cs.utwente.nl
To: spam.dustbin@ zyra.org.uk
Sent: Thursday, June 10, 2004 3:54 PM
Subject: Information

Important informations!

In this first message, it's kept simple. You've received an IMPORTANT file, and you're expected to open the attachment just because it's "IMPORTANT". Obviously a virus, as no-one with any forethought would send a message which was of any importance with the only stuff in the message body as "Important informations!" Other points: The message has arrived to a spam dustbin test address, Zipped files are often used by viruses to try to get through antivirus filters. Also, minor point, pluralising of the word "information" is odd.


Attached old_photos_zyra.pif (29.6 KB)

----- Original Message -----
From: someone @squirrel.com.au
Sent: Sunday, June 27, 2004 8:30 AM
Subject: Re: Old times

Have a look at these.

+++ Attachment: No Virus found
+++ Kaspersky AntiVirus -

Now this has some clever tricks about it, but the dead-giveaway that it's a virus is the fact that the attached file is ".pif". PIF files are Microsoft Piffle files which are an obvious danger in e-mails. If you've followed the advice at the page of Anti-Virus Measures you'll not have allowed "hide file extension", so will clearly see the dreaded .PIF!

The virus message has several devious points about it which are notable. The first is the "+++ Attachment: No Virus found". This is simply a lie. It means nothing having that on a message, and even if it links to re reputable antivirus company, this is still not a sign that the message is honest. Anyone can link to an antivirus company!

Psychologically this message tries to give the impression that it might convincingly be from an old friend wanting to talk about "Old Times". This notion is also backed up by the villains cunningly placing the name of the recipient in the attached filename. Remember, this could have YOUR name in it, so watch out for it!

What makes this message foolishly obvious as a virus, in addition to the PIF problem, is the fact that an old friend would never write to you with so brief a message, and would instead write a lengthy letter saying how glad they were to see you again and how people were doing. There's be personal information in there that only you and your friend would know about, and if your friend had read this page they'd make sure they didn't just expect you to fall for the "open the attachment" trick!


Attached: naked2.zip

----- Original Message -----
From: hotmail.com address
To: testing.return.address at zyra.org.uk
Sent: Friday, June 11, 2004 12:53 AM
Subject: attachi#

I have your password!

In this message, fear is the key to try to get you to open the attachment. Various forms of this kind of thing are about. They try to convince you that they've got a photo of you naked, or that they've got your password. Some ask you to "confirm it", but expect you to open the attachment first. But think about this! If they really had got your password, they'd not say "I've got your password", they'd demonstrate this by telling you what some of it was, or at least give some evidence that they weren't just being a joke. Plus, regarding naked photos, they'd send you a specimen copy in the message. This also assumes that your security is so poor that someone has managed to get a photo of you in the nude. Unlikely, don't you think?!

Another point of note which is common with virus messages and with spam in general to a great extent, is that the subject line and the message content are mismatched. See spam senders make it easy for us. In the above case, "naked" and "password" are a clear mismatch. If they'd got your password AND a naked photo, this would be so unlikely that they'd boast about it considerably more than in the nonsensically short virus message.


Attached: msg.zip

----- Original Message -----
From: [random address] at surfree.com
To: [another random address] at zyra.org.uk
Sent: Friday, June 11, 2004 1:41 AM
Subject: Re: SMTP Server

Forwarded message is available.

+++ Attachment: No Virus found
+++ McAfee AntiVirus -

Here again, a blatant lie is put in about there being NO VIRUS FOUND. This is not to be believed. Suspicion has to be seen immediately at the subject "Re: SMTP Server" when you didn't sent a message like that. Plus, no-one ever says "Forwarded message is available" and includes it in an attachment. That's silly!


Attached file: details.zip

----- Original Message -----
From: barbara.stoll/@.rumpold.at
To: mlawww#.zyra.org.uk
Sent: Thursday, June 10, 2004 2:46 PM
Subject: Re: Extended Mail System

You have received an extended message. Please read the instructions.

Similar idea, again on the assumption that you're foolish enough to read an attachment. There is no such thing as "You have received an extended message" as far as I know. Don't be fooled by this kind of thing. They are relying on your lack of knowledge about e-mail.

Also note that the message was sent to a random address which someone just made up. Not a good sign, and possibly indicative that your chess playing was better than someone else.

Incidentally, the sender addresses in these things are almost always not real. They are faked-up, and if you reply you'll find either than the message bounces or that your reply goes to someone who has nothing to do with any of it.


Attached files: dinner.zip

----- Original Message -----
From: cappuccino[#]interpc.fr
To: a random address
Sent: Thursday, June 10, 2004 6:24 AM
Subject: something for you

is that your account?

Another example of muddled-thinking assumed. Subject "something for you", but then instead of receiving some kind of gift, we get "is that your account?". Is WHAT my account? Are people assumed to be so shallow that they have only one track of mind and can't notice the mismatch already between the subject and the message? Worse to come, as the only attachment, for from being anything to do with your account, is "dinner.zip". Don't open it!


Attached files: readme.doc         .pif

----- Original Message -----
From: abuse@gov.us
To: Anyone
Sent: Thursday, June 10, 2004 1:43 AM
Subject: Internet Provider Abuse

You have visited illegal websites.
I have a big list of the websites you surfed.

Before we get into taking this apart carefully, let's get something straight: What kind of a society do we live in? Is it a cruel despotic tyranny where reading is strictly controlled and information forbidden? Or is it a place where there's FREEDOM OF SPEECH? Having answered that question, you can now ask yourself whether there are such things as "illegal websites". Answer: No! In a free society like the Internet, there are no illegal websites. If some country wants to get heavy-handed and to clamp down on freedom of speech, then there would be "illegal websites", ie anything that the evil government doesn't want you to see.

So, have you visited any sites that the government doesn't like? Probably not, but even if you are a keen student of the philosophy of anarchy through the ages, you'd still not have anyone send you a very brief and somewhat informal message saying "I have a big list of the websites you surfed".

Incidentally there is no such address as abuse@gov.us , and even if there was, it would not appear like that. Plus, Internet Service Providers are proud enough to put their own tradename in their title and not just anonymously put "Internet Provider Abuse".

Besides that, the attachment has a double file-extension .doc.pif , so this makes it a virus anyway! See this mentioned at AntiVirus Measures


[ActiveX found is this message]

----- Original Message -----
From: k00002cb8@mc2-f29.hotmail.com
Sent: Thursday, June 10, 2004 1:45 AM
Subject: Mail Delivery (failure [address])

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:

ActiveX Controls found in an e-mail is a bad sign and generally means it's a virus. You can easily avoid this by having ActiveX set to prompt. Then such things become transparently obvious. Anyway, in this virus message they are hoping you'll believe the scam that it's a "mail returned" message from an e-mail which you sent. You are asked to read the message at a link which is then given. Don't click on it! It's not real, and will probably do something nasty. Incidentally, your ISP does not send you messages that look like this. They don't say "Received message is available at:" etc!


Attached files: image12.jpeg, Info.vbs

----- Original Message -----
From: jessie@org.uk
To: tran@
Sent: Friday, May 07, 2004 3:56 PM
Subject: I'm a sad girl...

Who is she?


I very much love productive leisure, to prepare for new exotic dishes, at leisure to leave with friends on the nature, to float, I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going.

Attached file tells everything.

Have a good day, Jessie

This looks initially like a personal message from someone who seems quite friendly. However, the sender address is fake, and even though it's tempting to believe the story, no-one should really be asking you to see the attached file to read the rest of the story. It's such an obvious virus trick that it's not something to do. The files which are supposed to "tell everything" are: A photo (also seen in the message), and a .vbs file. That's a "visual basic script", and is in effect an executable program. An executable attachment on an email can be generally assumed to be a virus.

Extra note: We don't know who she is, but she's probably not the virus writer! Virus writers don't usually include their own photo in virus messages!

Attached files: picture1983.zip

----- Original Message -----
From: balducci@mail.cz
To: circular subscribe address
Sent: Saturday, June 26, 2004 5:17 PM
Subject: Re: Payment approved (invoce # 897)

Dear customer! Thank you for shopping with us!

Sales department approved your payment, you will be billed
within 2 days. Shipping UPS ground insured.

See the attached file for details. (report # 1983)

# No viruses found
# Norton Antivirus (generic update 06/24/2004)

"Dear Customer, Thankyou for shopping with us!" ... Don't you suppose that if you'd actually shopped with these people they'd know your name? Also, wouldn't they know how to spell the word "invoice"? Of course you've no idea who this is from, so that should give you a clue it's not real. Shops like to advertise themselves and to show off their trade name. But the virus writers are hoping to tempt or frighten you into opening the attachment. The attachment is called "picture1983.zip" which is a bit unlikely as a shop invoice, isn't it? Besides that, it's a ".zip" file, so probably contains all sorts of stuff. In this case, a virus.

Yet again, note that virus messages don't tell the truth, and sometimes say, as this virus message does, "no viruses found".

Look, here's another one:

----- Original Message -----
From: David Joyce
To: [address faked up]
Sent: Sunday, January 17, 2010 1:56 PM
Subject: hi!


is it really your photo?!!


David Joyce

The sender is probably real, though unwitting to the scam. The thing that gives it away as a virus is that the LINK goes to...

http;//www,sendspace.com.iko999j7.com.pl/file/shares/upload.php?file_id=3Dland various gobbledegook and then &email=3Dand then some address that was faked up!

The point about this is that it does not go to www,sendspace.com and instead goes to a subdomain within iko999j7.com.pl , so beware! This shows the importance of being able to read a web address properly! Also, don't be fooled by people asking questions like "Is it really your photo?" and giving a LINK. Reply and ask for clarification. You don't need to see the picture (if indeed there was such a picture in the first place) to give the person an answer. If someone jumped out of a dark alley and asked you "Is this your wallet just along here down this dark alley?" you'd surely not be lured into the dark alley, would you? It must surely occur to you that the person could SHOW you the found wallet in the light?

If you receive such a message, please bear in mind that the sender is almost certainly not an evil malicious virus-sender themselves, but a victim whose computer has caught a virus because the person has been duped into opening up a similar message. You could show them the page www.zyra.org.uk/avirus.htm and help them to avoid catching viruses in future.

Other examples and relevant items: Microsoft Critical Patch (HOAX), Scams and other rogue messages at the Rogues Gallery, messages pretending to be from your bank etc Bank Hoax (phishing attacks) and loads of other stuff.

Also see Panicware where they try to fool you by scaring you into acting irrationally and opening up a stupid dangerous attachment.

These are just a few examples of viruses. There are many variations, and yet there are common themes. You can avoid most virus attacks just by knowing a few streetwise clues. Here's some useful advice at the page of Antivirus Measures. If you've already caught a virus by opening an attachment or clicking on a link or by having poor security settings and/or a Microsoft operating systems that leaks like a sieve, you may be able to mend it by Antivirus Software. Good luck!