posted on Friday, November 19, 2004 9:35 AM by anoras

Iconfusion

Earlier this week one of my coworkers told me that he’d gotten some sort of virus or spyware that neither the virus scanner nor AdAware was able to detect.
He’d stumbled across the parasite by accident while using the task manager to monitor the memory and CPU usage of a service he was debugging. The parasite was an executable running as the SYSTEM account with a different name for the executable after every reboot.
To be on the safe side, I opened my task manager and found a process with a similar name and the exact same size running as the SYSTEM account.
The actual executable was located in the Windows\temp directory and had a cute little puppy as its icon. I made a copy of the file before I killed the process.
Viruses often have messages hidden within them, so I opened the file in a hex viewer to take a closer look at it. I was both relieved and surprised by what I found.
The file had a reference to a debug symbol database file named OfcDog.pdb (D:\OfficeScan\src\Client\OfcDog\Release\OfcDog.pdb). Trend Micro OfficeScan is the virus scanner we use, so this file was probably not hostile. Just to be sure, I located OfcDog.exe, and it was a verbatim copy of the shady executable I had running on my computer.

I reckon that the reason for renaming the process on every reboot is to make it harder for hostile code, such as a virus, to kill the process. However, an executable that does such a thing should still make it easy to understand what it is. If the developers at Trend Micro had used the same icon for this file as for the tray icon, I would have recognized it immediately. Having a cute puppy as an icon might seem like a fun idea since the file has “dog” in its name, but when used with applications that appear to be shady in the first place, it only makes users more suspicious.
The moral of the story is that one should always use icons that make sense to the user. An icon should be a picture or symbol that is universally recognized to be representative of something. Using something different only causes iconfusion.
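The two checks done by hand above, scanning the copied binary for its embedded CodeView (RSDS) debug record that names the .pdb file and then comparing the copy with the vendor's own file, as an added example that is not code from the original post or from Trend Micro. The sample bytes are constructed; the PDB path is the one quoted above.

```python
import hashlib
import re
import struct

# Added example; not code from the original post or from Trend Micro.
# Layout of a CodeView 7.0 (RSDS) debug record inside a PE file:
#   b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path
PDB_STRING = re.compile(rb"[\x20-\x7e]{1,260}?\.pdb", re.IGNORECASE)


def codeview_pdb_paths(data: bytes) -> list:
    """Return (pdb_path, age) for every RSDS record found by scanning the raw bytes."""
    found = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4                      # skip signature, GUID, age
        end = data.find(b"\x00", start)
        if end != -1 and data[start:end].lower().endswith(b".pdb"):
            age = struct.unpack_from("<I", data, pos + 20)[0]
            found.append((data[start:end].decode("latin-1"), age))
        pos = data.find(b"RSDS", pos + 4)
    return found


def string_pdb_paths(data: bytes) -> list:
    """Fallback: any printable run ending in .pdb, i.e. what a hex viewer shows."""
    return sorted({m.group(0).decode("ascii") for m in PDB_STRING.finditer(data)})


def is_verbatim_copy(suspect: bytes, reference: bytes) -> bool:
    """The post's final check: the renamed temp binary equals the vendor's own file."""
    return hashlib.sha256(suspect).digest() == hashlib.sha256(reference).digest()


# Constructed stand-in for a PE image (not a real OfcDog.exe); only the RSDS
# record matters here, so no PE headers are built.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 14
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + b"D:\\OfficeScan\\src\\Client\\OfcDog\\Release\\OfcDog.pdb\x00"
    + b"\x00" * 8
)
RENAMED_COPY = bytes(SAMPLE_BINARY)   # same bytes under a random temp-dir name


if __name__ == "__main__":
    import sys
    suspect = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    print("RSDS records:", codeview_pdb_paths(suspect))
    print("pdb strings :", string_pdb_paths(suspect))
    print("same as reference:", is_verbatim_copy(suspect, RENAMED_COPY))
```

Run it with the path of a copied executable as the first argument to see its embedded PDB reference; a matching PDB path is a hint about origin, and only the byte-for-byte comparison with the vendor's file settles it.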