How easy is it for people to shoot themselves in the foot with SOBIG-E?
#1
Guest
Posts: n/a

Don't they have to both unzip the file and then choose
to run the included executable? You'd think the two step
process would give their minds time to catch up with their
mouse finger.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe
#2
Guest
Posts: n/a

"Gary Flynn" <flynngn@jmu.edu> wrote in message news:3EFB14B0.9000104@jmu.edu...
> Don't they have to both unzip the file and then choose
> to run the included executable? You'd think the two step
> process would give their minds time to catch up with their
> mouse finger.
>
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University

Selfextracting zip file perhaps Mr. Security Engineer-Technical Services guy?
#3
Guest
Posts: n/a

"Gary Flynn" <flynngn@jmu.edu> wrote in message news:3EFB14B0.9000104@jmu.edu...
> Don't they have to both unzip the file and then choose
> to run the included executable? You'd think the two step
> process would give their minds time to catch up with their
> mouse finger.

I always thought that this was a fallacy. If someone is going to run an unknown executable, why would it matter if it took one extra step to do so? In some people's minds, it may appear all the more credible for its being "zipped", and as .zip files are usually of non-executable filetype, many filters will allow them to pass right through even though it may be set up to stop all of the "executable" filetypes. Then it is perhaps only a context menu click or two away from being activated.
#4
Guest
Posts: n/a

"Karel" <karel@nomail.com> wrote in message news:QEKa.13723$KF1.276691@amstwist00...
> "Gary Flynn" <flynngn@jmu.edu> wrote in message
> news:3EFB14B0.9000104@jmu.edu...
> > Don't they have to both unzip the file and then choose
> > to run the included executable? You'd think the two step
> > process would give their minds time to catch up with their
> > mouse finger.
> >
> > --
> > Gary Flynn
> > Security Engineer - Technical Services
> > James Madison University
>
> Selfextracting zip file perhaps Mr. Security Engineer-Technical Services
> guy?

That would be a .exe executable filetype, no?
#5
Guest
Posts: n/a

On Thu, 26 Jun 2003 10:42:20 -0500, Gary Flynn wrote
(in message <3EFB14B0.9000104@jmu.edu>):
> Don't they have to both unzip the file and then choose
> to run the included executable? You'd think the two step
> process would give their minds time to catch up with their
> mouse finger.

I get the impression from the IT group where I work just using Outlook in the Auto-preview mode is enough to get it running. Mine came from Tycocorp.com and was titled Re: your resume.

I get the impression from some of the other posts that it is set up to appear to come from many different major corporations.

Hud
#6
Guest
Posts: n/a

"Hud" <nospam@nospam.net> wrote in message news:0001HW.BB20EFFA00AFBD7BF0305600@news.texas.net...
> On Thu, 26 Jun 2003 10:42:20 -0500, Gary Flynn wrote
> (in message <3EFB14B0.9000104@jmu.edu>):
>
> > Don't they have to both unzip the file and then choose
> > to run the included executable? You'd think the two step
> > process would give their minds time to catch up with their
> > mouse finger.
>
> I get the impression from the IT group where I work just using Outlook in the
> Auto-preview mode is enough to get it running. Mine came form Tycocorp.com
> and was titled Re: your resume.
>
> I get the impression from some of the other posts that it is setup to appear
> to come from many different major corporations.
>
> Hud

My sole copy so far - I'm not popular it seems, I recall getting lots not so long ago - supposedly came from a university virus list. The file was "your_details.zi", so it kinda looks like the PIF problem has now extended to the new version and ZIP extension; however, the archive contained "details.PIF", so he might've fixed the PIF portion.

That's the trouble with VXers, you just don't get any quality control, D- at best.

Ian
#7
Guest
Posts: n/a

Karel wrote:
> "Gary Flynn" <flynngn@jmu.edu> wrote in message
> news:3EFB14B0.9000104@jmu.edu...
>
>>Don't they have to both unzip the file and then choose
>>to run the included executable? You'd think the two step
>>process would give their minds time to catch up with their
>>mouse finger.
>
> Selfextracting zip file perhaps Mr. Security Engineer-Technical Services
> guy?

no, as a matter of fact it's a plain *.zip file... of course windows explorer in xp pro (and perhaps xp home) has native support for zip archives... and even outside of xp, winzip and its cousins are pretty ubiquitous...

in spite of that, i think gary is still right, there are extra clicks involved in activating this thing than you would expect from something that hopes to be successful... on the other hand, i'm often surprised at how successful folks can be when plumbing the depths of human stupidity, so who knows...

--
"when surveys of all the world's countries are done, canada frequently rates number one. are we the best country? well we'll never know... there's nowhere else we can afford to go."
#8
Guest
Posts: n/a

FromTheRafters wrote:
> "Gary Flynn" <flynngn@jmu.edu> wrote in message news:3EFB14B0.9000104@jmu.edu...
>
>>Don't they have to both unzip the file and then choose
>>to run the included executable? You'd think the two step
>>process would give their minds time to catch up with their
>>mouse finger.
>
>
> I always thought that this was a fallacy. If someone
> is going to run an unknown executable, why would
> it matter if it took one extra step to do so.

true, but don't you have to be *more* click-happy in this case? it's not a simple double click here...

> In some peoples minds, it may appear all the more
> credible for its being "zipped", and as .zip files are
> usually of non-executable filetype, many filters will
> allow them to pass right through even though it may
> be set up to stop all of the "executable" filetypes.

that is probably the most reasonable explanation, right there... the zip file is to get it past content filters...

fewer folks, per capita, may click far enough in to do themselves any harm, but the trade off is to potentially reach a much larger audience...

--
"when surveys of all the world's countries are done, canada frequently rates number one. are we the best country? well we'll never know... there's nowhere else we can afford to go."
#9
Guest
Posts: n/a

"kurt wismer" <kurtw@sympatico.ca> wrote in message news:5iPKa.5211$iM4.798298@news20.bellglobal.com...
> FromTheRafters wrote:
> > "Gary Flynn" <flynngn@jmu.edu> wrote in message news:3EFB14B0.9000104@jmu.edu...
> >
> >>Don't they have to both unzip the file and then choose
> >>to run the included executable? You'd think the two step
> >>process would give their minds time to catch up with their
> >>mouse finger.
> >
> >
> > I always thought that this was a fallacy. If someone
> > is going to run an unknown executable, why would
> > it matter if it took one extra step to do so.
>
> true, but don't you have to be *more* click-happy in this case? it's not
> a simple double click here...

True enough, it is the difference between being incredibly stupid, and being *more* incredibly stupid. ;o)

> > In some peoples minds, it may appear all the more
> > credible for its being "zipped", and as .zip files are
> > usually of non-executable filetype, many filters will
> > allow them to pass right through even though it may
> > be set up to stop all of the "executable" filetypes.
>
> that is probably the most reasonable explanation, right there... the zip
> file is to get it past content filters...
>
> fewer folks, per capita, may click far enough in to do themselves any
> harm, but the trade off is to potentially reach a much larger audience...

I think that you might be overestimating the difficulty of the extra clicking vs. the benefit of not being as often filtered. Perhaps this Sobig family is time constrained in order to provide the coder with a statistical analysis of these different methods.

I still use pkunzip (from the pk204g package) to unzip files. The other user of this machine (my sister ~ pretty savvy, but is still learning how to be {overly} cautious), has been shown several times how to make use of this utility for her zipped receipts. She still asks me to extract the files (and scan them) for her.

If I install FreeZip (or another really easy to use context menu or double-click associated utility), she will do it herself and likely forget the "and scan them" part.
#10
Guest
Posts: n/a

"akhibby" <akhibby@hotmail.com> wrote in message news:vfnedogclp6l72@corp.supernews.com...
>
> "Hud" <nospam@nospam.net> wrote in message
> news:0001HW.BB20EFFA00AFBD7BF0305600@news.texas.net...
> > On Thu, 26 Jun 2003 10:42:20 -0500, Gary Flynn wrote
> > (in message <3EFB14B0.9000104@jmu.edu>):
> >
> > > Don't they have to both unzip the file and then choose
> > > to run the included executable? You'd think the two step
> > > process would give their minds time to catch up with their
> > > mouse finger.
> >
> > I get the impression from the IT group where I work just using Outlook in
> the
> > Auto-preview mode is enough to get it running. Mine came form Tycocorp.com
> > and was titled Re: your resume.
> >
> > I get the impression from some of the other posts that it is setup to
> appear
> > to come from many different major corporations.
> >
> > Hud
>
> My sole copy so far - I'm not popular it seems, I recall getting lots not so
> long ago - supposedly came from a university virus list, the file was
> "your_details.zi" so it kinda looks like the PIF problem has now extended to
> the new version and ZIP extension, however the archive contained
> "details.PIF" so he might've fixed the PIF portion.
>
> That's the trouble with VXers, you just don't get any quality control, D- at
> best.

The missing letter is evidently due to the interaction of the coder not sticking strictly to the protocol, and only some mail handlers taking exception to that fact. It may be that the coder now wants to leave that error in so as to not skew the statistical differences between the other (minor) changes being tested.
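An added example, written for this editing pass and not posted by anyone in the thread, showing the filter-side fix for the two observations above: post #3's point that a .zip wrapper slips past a filter that only blocks executable attachment names, and posts #6 and #10's attachment that arrived as "your_details.zi" with "details.PIF" inside. The inspector recognises an archive by its signature bytes rather than its name and looks at the member names; the blocked-extension list is an assumption, and the archive it checks is constructed in memory with a harmless text member.

```python
import io
import zipfile

# Extensions a mail filter of the period typically blocked outright (assumed list);
# a .zip wrapper hides them from a filter that only reads the outer attachment name.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}

# Signature of a ZIP local file header; checked instead of trusting the file name,
# so a truncated name like "your_details.zi" is still recognised as an archive.
ZIP_MAGIC = b"PK\x03\x04"


def has_executable_extension(name):
    """True if the name ends in one of the blocked extensions (case-insensitive)."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in EXECUTABLE_EXTENSIONS


def inspect_attachment(filename, data):
    """Classify one attachment by its content and what it contains, not by its name."""
    result = {
        "is_zip": data.startswith(ZIP_MAGIC),
        "blocked_outer": has_executable_extension(filename),
        "inner_executables": [],
    }
    if result["is_zip"]:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                result["inner_executables"] = [
                    info.filename for info in zf.infolist()
                    if has_executable_extension(info.filename)
                ]
        except zipfile.BadZipFile:
            # Signature present but archive unparseable: do not wave it through.
            result["inner_executables"] = ["<unparseable archive>"]
    blocked = result["blocked_outer"] or bool(result["inner_executables"])
    result["verdict"] = "block" if blocked else "allow"
    return result


def build_sample_attachment():
    """Constructed sample: a ZIP whose only member is named details.PIF.
    The member body is plain text; only the packaging from the thread is mimicked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.PIF", "constructed placeholder text, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("your_details.zi", build_sample_attachment()))  # verdict: block
```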