Second, here's what happened. Around 01:30 I logged in as hsuwh and got an offline IM from a former student in my computer graphics class who's an old friend of zengeneral's. The URL itself looked unsavory, so I figured that it was from some remailer that had IMs as a side effect, but instead of just IMing him back or looking up the URL in the online CERT advisories, what did I do? I thought, "meh, I have Norton Antivirus" and clicked on it.
The next morning, kaladhwen IMs me back with the URL and asks me what's up. I immediately reply "oh, no, that must be an IM virus" and copy that to fob-L @ yahoogroups.com and 6 other friends.
What's wrong with this picture:
1. Never click on strange URLs. The cardinal rule in this case. You'd think I'd know that, but apparently not. I wish I could say that I just hadn't looked, but I was actually thinking it'd be cool if I IMed the student back and explained how he probably had a virus amok... ironic, ne? Hoist by my own petard.
2. Remessenger viruses can propagate via IM if your IM account is compromised, or if your firewall or policy permits software to access your IM client. I'm not sure how it happened. Does anyone know how these things work, or can anyone tell if I give you the URL (and it hasn't been taken down)? This was the first IM or web-based Trojan horse virus I've ever had to my knowledge, and certainly the first one that sent out IMs. It is a link to a Yahoo! GeoCities redirector page that seems to bring you to a Yahoo! Photos login prompt. I logged in and later found that the portal links go to a Chinese Yahoo site. (I've since changed my PW and security code.)
3. Norton Antivirus (NAV) is not firewall software. Trust not to anti-viruses or spyware detectors, for they detect specific signatures, and cannot save the user from his or her own stupidity. Case in point.
4. Viral URLs should be mangled in public service advisories. gondhir, figgylicious, and sui_degeneris pointed this out, and on reflection, it's probably a good idea to munge URLs just in case they get accidentally clicked on (or people don't read the context). Originally gondhir just said that people might click on any embedded URL if it seems to be from a friend, which I disagreed with, on the grounds that my message header was "IM virus - thanks for the alert". Thinking about it, though, the trusted source assumption should mean that any resource in the body of a message from a trusted sender may be accessed.
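As an added example of the URL munging item 4 calls for (my own illustration, not code from the original post), here is a small Python helper that rewrites every URL in an advisory into the non-clickable "hxxp://host[.]tld" form and can reverse it. The advisory text and the GeoCities-style URL in it are constructed placeholders, not the actual link.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches http/https URLs in free text; trailing punctuation is handled below.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def defang_url(url: str) -> str:
    """Munge one URL so IM/mail clients won't auto-link it and a reader
    has to repair it deliberately: http -> hxxp, '.' in host -> '[.]'."""
    parts = urlsplit(url)
    scheme = re.sub(r"^http", "hxxp", parts.scheme, flags=re.IGNORECASE)
    netloc = parts.netloc.replace(".", "[.]")
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def refang_url(munged: str) -> str:
    """Reverse defang_url (for analysts who need the live URL back)."""
    url = re.sub(r"^hxxp", "http", munged, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def _munge_match(m: re.Match) -> str:
    # Keep sentence punctuation (e.g. a trailing period) outside the URL.
    raw = m.group(0)
    core = raw.rstrip(".,;:!?)")
    return defang_url(core) + raw[len(core):]


def munge_message(text: str) -> str:
    """Defang every URL in an advisory before it is sent to a list."""
    return URL_RE.sub(_munge_match, text)


# Constructed sample advisory; the URL is a placeholder, not the real link.
SAMPLE_ADVISORY = (
    "IM virus - thanks for the alert. Do NOT open "
    "http://www.geocities.com/example_redirector/photos.html?go=login."
)

if __name__ == "__main__":
    print(munge_message(SAMPLE_ADVISORY))
```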
Anyhow, my bad, and sorry again if you received it.