DavidCopperfield pps attachment

[Derek N]

Recently I read how the "Elf Bowl" programme was the first to include
inbuilt spyware. I have received an e-mail (from my son) with a pps
attachment (DavidCopperfield1_13.pps). I have scanned this file, run the
Power Point file and then scanned my computer with Microsoft AntiSpyware,
Ad-Aware SE, CounterSpy etc. and cannot find any apparent evidence of
Spyware/Adware, Trojans or viruses.
The e-mail has a long history of being forwarded on and originating from an
author located in MAHINDRA-BRITISH TELECOM LTD, India.
Has anyone experienced problems with this particular Power Point file?
Derek N

 

[Bill Sanderson]

If you are in doubt about a particular file, there are a couple of
multi-vendor antivirus sites you can submit the file to and get quick
results:

http://www.virustotal.com/flash/index_en.html (see the browse button at the
top right)
http://virusscan.jotti.org/ (similar)

 

[Derek N]

Thank you Bill, I got the impression that both those sites checked for a
virus whereas I suspect that a spyware may be lurking in my suspect file.
Derek N

 

[Bill Sanderson]

They submit to the current virus scanning engines. Some of these engines
have expanded to include spyware, so this is a reasonable thing to try in
either case--virus or spyware.

I'm not aware of spyware inhabiting .PPS files, but I wouldn't say my
knowledge is exhaustive--far from it!

 

[Derek N]

Probably I'm being paranoid but after reading that "Elf Bowl" (an early
favourite of many people) was the first vehicle to carry spyware & knowing
how cunning these spyware writers are becoming, I was suspicious. This file
has been forwarded on to many people like a chain letter, with the
instruction to forward it to friends (of course we haven't done so).
Derek N

 

[Bill Sanderson]

I found this critter on "the Internet" and downloaded it.

It is a card trick. If you want a hint, scroll down:

















Think forest, not trees.

 

[Derek N]

Thanks Bill, as I said I have already run it and sussed the tick.
Derek N

 

[Ron Chamberlin]

Hi Derek,
I thought I recognized this one and checked it out.
Your magic answer is found here:
http://www.snopes.com/humor/iftrue/takecard.htm

Ron Chamberlin
MS-MVP

 

[Derek N]

Hi Ron,
Solving the card trick was never my issue, we had solved it within minutes.
My problem is that if one can by-pass Anti-virus scanners by implanting a
virus in a zip file, was/is it possible to hide a spyware/virus in a *.pps
file? I an gradually reaching the conclusion that probably it is not
possible.
Derek N

 

[Bill Sanderson]

You're not wrong to think along these lines. A buffer overflow can exist in
any code--and code "facing" the Internet is especially vulnerable. When you
run a downloaded Powerpoint slideshow, Powerpoint qualifies as "facing the
Internet."

There have been such vulnerabilities found in the past:

http://www.microsoft.com/technet/security/bulletin/MS01-002.mspx

 

[Derek N]

Thank you Bill for the link to Microsoft Security Bulletin MS01-002.
Derek N

 

[Bill Sanderson]

It's old--I'm sure you are patched--but it's illustrative of your specific
issue, and the more general issue. You do need to worry about third-party
apps on your machine that deal with Internet content. An antivirus
application, for example, can easily have this kind of security issue.

 

[Derek N]

Bill, I am beginning to think that I have more Firewall, AntiVirus, Anti
Adware & Anti Spyware programmes on my computer than normal programmes. As
I said before I think I am being driven to paranoia extremes.
Derek N

 

[JohnF.]

I would like to know what that article is because it sounds like bogus
information to me. There is no spyware that I am aware of in Elf Bowl.
There was a hoax perpetrated against NStorm back in 2001 that claimed their
stuff was dangerous and spreading viruses but that all it was - a hoax.

JohnF.

 

[Derek N]

JohnF,

It is an extract from paragraph 4 of http://spyware.gadget-info.com/

Another item found on the bottom of the page http://securityresponse.symantec.com/avcenter/venc/data/y2kgame.hoax.html
"As part of the specifications, these games may report information over the Internet each time the game(s) is played. For more information, please contact the developers of these programs directly (referring to Elf Bowl.exe along with two others)."

Derek N

 

[JohnF.]

My kids play Elf Bowl all the time and their machine is not hooked up to the Internet - there is no networking of any kind installed and it works without any problems.


JohnF,

It is an extract from paragraph 4 of http://spyware.gadget-info.com/

Another item found on the bottom of the page http://securityresponse.symantec.com/avcenter/venc/data/y2kgame.hoax.html
"As part of the specifications, these games may report information over the Internet each time the game(s) is played. For more information, please contact the developers of these programs directly (referring to Elf Bowl.exe along with two others)."

Derek N

 

[Derek N]

That does not prove that this programme does not install spyware on a computer running this game.
Derek N
My kids play Elf Bowl all the time and their machine is not hooked up to the Internet - there is no networking of any kind installed and it works without any problems.


JohnF,

It is an extract from paragraph 4 of http://spyware.gadget-info.com/

Another item found on the bottom of the page http://securityresponse.symantec.com/avcenter/venc/data/y2kgame.hoax.html
"As part of the specifications, these games may report information over the Internet each time the game(s) is played. For more information, please contact the developers of these programs directly (referring to Elf Bowl.exe along with two others)."

Derek N

 

[JohnF.]

True - just don't see it behaving like others see it - maybe there is more than one version.
That does not prove that this programme does not install spyware on a computer running this game.
Derek N
My kids play Elf Bowl all the time and their machine is not hooked up to the Internet - there is no networking of any kind installed and it works without any problems.


JohnF,

It is an extract from paragraph 4 of http://spyware.gadget-info.com/

Another item found on the bottom of the page http://securityresponse.symantec.com/avcenter/venc/data/y2kgame.hoax.html
"As part of the specifications, these games may report information over the Internet each time the game(s) is played. For more information, please contact the developers of these programs directly (referring to Elf Bowl.exe along with two others)."

Derek N

 

[Steve Wechsler [MVP]]

http://www.virusbtn.com/resources/hoaxes/elf_bowl.xml
IF the executable is 1MB or less, it can be scanned at Kapersky:
http://www.kaspersky.com/remoteviruschk.html

Larger than 1MB : http://virusscan.jotti.dhs.org/

And as you've already read in the first article, there is the possibility

Should one of these be executed on an infected machine prior to being
redistributed via email, then it is perfectly feasible for the 'originally
harmless' games/jokes to become infected and viral.

I'd tend to believe this Sophos article ONLY after you're 100% certain
that the file is not infected. But note the date :
http://www.sophos.com/virusinfo/articles/elfbowl.html


Steve Wechsler (akaMowGreen)

MS-MVP 2004-2005


............... In memory of our dear friend, MVP Alex Nichol ...........
........................... 1935-2005 .................................