To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/malware/0,3800003100,39159684,00.htm

Yahoo! 'virus writer' claims he just wants a job
Mystery email says he's looking for work - but is he going about it the wrong way?

By Will Sturgeon

Published: Friday 16 June 2006

silicon.com has been contacted by an individual claiming to have written the Yamanner virus which targeted users of the Yahoo! webmail service earlier this week. The man claims to be from Iran and says he is just trying to find work by advertising his programming credentials.

While a number of antivirus experts who have seen the email claim it is quite likely the sender is indeed the culprit, there is no sure-fire way of confirming this. However, one added that whether or not the man in question wrote the Yamanner worm it is certainly "an unusual way to try to land a job".

The email, sent from a webmail address, stated: "I don't like to disturb no one. I am from Iran. I just looking for good job in good computer company and I wrote this worm only to prove that I have some abilities in web programming."

Mikko Hypponen, chief research officer at F-Secure, told silicon.com: "I think he might be the real deal," though he conceded it is almost impossible to be sure.

Carole Theriault, senior security consultant at Sophos, told silicon.com that the technical knowledge displayed in the email certainly suggests the man was very familiar with the virus: "It is possible that he authored this threat, however it is a script virus, so if he received it, it would be easy for him to see the source.

"Whether he is the author or not, claiming to have written it to find work outside Iran is certainly an unusual way to try to land a job. It's not an approach I'd recommend."

However, it is an approach which has proven successful in the past when Sven Jaschan, who wrote the Sasser virus, landed a job with German security company SecurePoint on the back of his notoriety.

Pete Simpson, ThreatLab manager at Clearswift, said: "It appears technically plausible. He may well be the author."

However, Simpson offered a word of caution, saying it is possible the email could have been "a false flag operation" trying to implicate Iran and warning of an "increasing drumbeat of anti-Iranian propaganda".

silicon.com has forwarded the email onto Yahoo!.