To: rita_aprahamian@ziffdavis.com
From: Fred Koschara
Subject: Magazine article query letter

Hello --

I would like to know who I should contact about writing an article regarding a way virus files can be hidden on Windows machines because the operating system does not reveal all filename extensions. I would also like to get a copy of your writer's guidelines, but don't know where to find them on your Web site.

My proposed article will discuss:

1. how virus files can masquerade on a Windows machine, and the filename extensions Windows never reveals in Explorer (I've found .pif, .lnk, .cnf, and .url, so far)
2. how to safely examine a suspected file using an ASCII file viewer (I use PC Magazine's DR.COM)
3. how and when to contact CERT if you find an infected file
4. details on the virus file that alerted me to this problem (this information is included below)

Please advise me who I should contact about writing such an article, and tell me where I can find your writer's guidelines.

Thank you for your time and cooperation.

-- Fred Koschara

---------------------- begin virus information report ----------------------

A friend forwarded email messages recently with attached files named "ANTI_CIH.EXE" and "INTERNET_SECURITY_FORUM.DOC.pif" with a request to see if I could determine if they contain a virus. Both files proved to be the same, and, indeed, are a virus carrier.

According to CERT, this is an occurrence of the "Windows32 Apology" virus, first spotted in October, 2000. It propagates itself by replacing some system files, then sending a copy of itself each time the infected system sends a mail message.

Within the file, I found this list of names the program will call itself. DO NOT LAUNCH, DOUBLE-CLICK OR OTHERWISE EXECUTE THESE FILES, OR YOU WILL INFECT YOUR COMPUTER WITH THIS VIRUS:

    ALANIS_Screen_Saver.SCR
    ANTI_CIH.EXE
    AVP_Updates.EXE
    BILL_GATES_PIECE.JPG.pif
    BLINK_182.MP3.pif
    FEITICEIRA_NUA.JPG.pif
    FREE_xxx_sites.TXT.pif
    FUCKING_WITH_DOGS.SCR
    Geocities_Free_sites.TXT.pif
    HANSON.SCR
    INTERNET_SECURITY_FORUM.DOC.pif
    IS_LINUX_GOOD_ENOUGH!.TXT.pif
    I_am_sorry.DOC.pif
    I_wanna_see_YOU.TXT.pif
    JIMI_HMNDRIX.MP3.pif
    LOVE_LETTER_FOR_YOU.TXT.pif
    MATRiX_2_is_OUT.SCR
    MATRiX_Screen_Saver.SCR
    METALLICA_SONG.MP3.pif
    Me_nude.AVI.pif
    NEW_NAPSTER_site.TXT.pif
    NEW_playboy_Screen_saver.SCR
    Protect_your_credit.HTML.pif
    QI_TEST.EXE
    READER_DIGEST_LETTER.TXT.pif
    README.TXT.pif
    SEICHO-NO-IE.EXE
    Sorry_about_yesterday.DOC.pif
    TIAZINHA.JPG.pif
    WIN_$100_NOW.DOC.pif
    YOU_are_FAT!.TXT.pif
    zipped_files.EXE

The virus file is 18483 bytes. The email messages forwarded to me had no subject and no message body, only the attached file.

Within the file were also found these text strings:

    Software provide by [MATRiX] VX team: Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
    Greetz: All VX guy on #virus channel and Vecna

I guess these clowns are sufficiently "proud" of their work they feel the need to sign their name to it.

Personally, I find this virus particularly insidious because of the file name extension it uses: Microsoft Windows HIDES the .pif extension, even if you have your system configured with "Hide file extensions for known file types" turned off. PIF (in this case) stands for "Program Information File" and is supposed to contain information Windows will use to launch a DOS application. (Microsoft has also chosen to hide the ".lnk" extension in all cases, because they use it for the "link" file of a shortcut.)

Because the .pif (or .lnk) extension is hidden, a quick glance at your directory listing would lead you to believe that "JIMI_HMNDRIX.MP3.pif" is a music file. When you double-click the directory entry, rather than hearing Jimi's tune, your system becomes infected with the virus! Your _only_ hope is to notice that the icon associated with the file is a miniature MS-DOS icon with the little "shortcut" arrow in the lower-left corner. If your system is like mine and forgets which icons it's supposed to use, there's a very real danger here.

Personally, I think we should all file a complaint at Microsoft and tell them when we want "Hide file extensions" turned off, we want it turned off for **ALL** files, including ones the system uses.

----------------------- end virus information report -----------------------
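
The check described in the report, as an added example that is not part of the original letter: it reads each attachment name by its last extension, reports the name as the letter says Explorer would display it, and flags a decoy data extension in front of an executable one. The `ALWAYS_HIDDEN` set comes from the letter; the `EXECUTABLE` and `DECOY` sets, the function names and the verdict labels are assumptions made for this example.

```python
# Added example: classify attachment names by their real (last) extension.

# Extensions the letter reports Explorer never showing.
ALWAYS_HIDDEN = {"pif", "lnk", "cnf", "url"}
# Assumption: extensions Windows runs directly when double-clicked.
EXECUTABLE = {"exe", "scr", "com", "bat", "pif"}
# Assumption: extensions a reader takes for harmless data files.
DECOY = {"txt", "doc", "jpg", "mp3", "avi", "html"}


def classify(filename):
    """Return (verdict, name_as_displayed) for one attachment name."""
    # Windows ignores trailing dots and spaces when it resolves a name.
    name = filename.rstrip(". ")
    stem, dot, real = name.rpartition(".")
    if not dot:
        return ("ok", name)  # no extension at all
    real = real.lower()
    # Per the letter, these extensions stay hidden whatever the setting.
    displayed = stem if real in ALWAYS_HIDDEN else name
    decoy = stem.rpartition(".")[2].lower() if "." in stem else ""
    if real in EXECUTABLE and decoy in DECOY:
        verdict = "masquerade"        # e.g. NAME.TXT.pif
    elif real in EXECUTABLE:
        verdict = "executable"
    elif real in ALWAYS_HIDDEN:
        verdict = "hidden-extension"  # the name shown is truncated
    else:
        verdict = "ok"
    return (verdict, displayed)


def flag(names):
    """Return (name, verdict, displayed) for every name that is not 'ok'."""
    return [(n, *classify(n)) for n in names if classify(n)[0] != "ok"]


# Constructed sample: the first three names appear in the letter,
# the last three are made up for this example.
SAMPLE = ["README.TXT.pif", "JIMI_HMNDRIX.MP3.pif", "ANTI_CIH.EXE",
          "minutes.doc", "holiday.jpg.scr ", "Home Page.url"]

if __name__ == "__main__":
    for name, verdict, shown in flag(SAMPLE):
        print(f"{verdict:17} shown as {shown!r:28} real name {name!r}")
```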