New IM Worm On The Loose

Posted by CmdrTaco on Mon Oct 11, 2004 06:28 PM
from the head-for-the-hills dept.
elfarto writes "Techweb is reporting that a new worm that spreads via Microsoft's instant messaging client began badgering users Monday, several security firms said. Dubbed Funner, the worm propagates by sending itself to all the contacts listed in the user's copy of MSN Messenger, Microsoft's IM client. There is an analysis on the Symantec Security Response site; apparently the worm tries to download stuff from www.78p.com and adds entries to the hosts file pointing to more than 400 Chinese porn sites. The worm also sends itself to the whole contact list as funny.exe, so it requires user interaction to actually execute it."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by Anonymous Coward on Monday October 11 2004, @06:31PM (#10498436)
    How is this a bad thing?
  • by bob65 (590395) on Monday October 11 2004, @06:32PM (#10498438)
    Because we all know everyone executes a file called "funny.exe" without thinking.

    Geez, who cares. If a dumbass like me thinks that would be ridiculous, I'm sure everyone else in the world would think so too.

    • by mr_don't (311416) on Monday October 11 2004, @06:35PM (#10498482) Homepage
      I'm with you, but you know, my users at work will run ANYTHING...

      Users can be psychotic sometimes...!
    • by Zakabog (603757) <john@j[ ]g.com ['mau' in gap]> on Monday October 11 2004, @06:42PM (#10498562)
      Let's see, the average person's friend sends them a file called funny.exe. The average person, really enjoying the kind of crap that their friends send them online, executes funny.exe (which by the way will show up as just "Funny" on the average computer as extensions are hidden by default), gets infected by the worm, notices they get a ton of pop ups, porn sites, all kinds of junk and their computer runs really slow, blames the manufacturer of the PC (Gateway, Dell, IBM, whatever.) Never realizes it was an issue with MSN to begin with, continues on with their life promising to never buy another computer from Gateway, Dell, IBM, whatever. I've seen it happen so many times. My uncle even blames me for the crap that gets installed on his computer (usually while I'm not there, as I live 300 miles away) and doesn't really thank me when I install ad-aware and get rid of the junk (thinking whatever he just did on the computer made everything work right.)
    • by Ghostgate (800445) on Monday October 11 2004, @06:46PM (#10498605)
      You are seriously underestimating the general cluelessness of the average computer user. I think it could be named "worm.exe" and a lot of people would still run it.

      The knowledge (or lack thereof) of the average computer user is the real reason that security is such an issue today.
      • by PhoenixFlare (319467) on Monday October 11 2004, @07:32PM (#10499025) Journal
        Gotta love how insulting generalizations are "Insightful" around here when you're referring to a MS product. Just because some MSN users are ignorant, does not mean all of them are.

        That's like saying "All Linux users are elitist snobs", just because there's some jerks mixed in out there.
        • by bmo (77928) on Monday October 11 2004, @09:19PM (#10499712)
          "Gotta love how insulting generalizations are "Insightful" around here when you're referring to a MS product. Just because some MSN users are ignorant, does not mean all of them are."

          Not only are MSN users ignorant, most Joe and Josephine users are that ignorant *in general*.

          I just spent 3 hours today cleaning up a machine that had upwards of 60 trojans and other malware on it. One of which was a keylogger. It was amazing that this machine ran at all.

          Does the owner of said computer have any clue about how all this malware got there? Nope. He's got 3 kids, though, that all use the same computer. I

          He is ignorant, in the truest sense of the word. He is also *typical* of most home computer owners. People these days expect their machines to simply work, like toasters, because the interface hides the real complexity. I have been trying to educate him, and it's been a battle.

          But regardless of that, MSFT has never done any User Education itself. Bill prefers it that way, and that's a shame. Keeping the users ignorant allows MSFT to Blame The User when it comes to exploits (You Failed to Upgrade!), allows them to force DRM down their throats, and basically allows the company to run roughshod over its customer base, without complaints.

          So yes, MS users are ignorant. They simply do not know better, and their precious vendor, Microsoft, is aiding and abetting this ignorance.

          So what are *you* doing to educate your users?

          --
          BMO

  • by kgbspy (696931) on Monday October 11 2004, @06:32PM (#10498443)
    Just like everyone urged their friends and family to switch from IE to Firefox, now could be the time to recommend gaim [sourceforge.net] to them in place of their regular IM client. Except, maybe, those who like Chinese porn.
    • by tangent3 (449222) on Tuesday October 12 2004, @03:34AM (#10501298)
      Actually, you might just be on to something. The XUL framework seems to be perfect for development of a cross platform multi-protocol IM client. Gaim is nice and all, I use it and love it, but the gtk requirement (esp on Windows) is quite a put-off. The reason I'm still sticking to gaim and haven't gone back to miranda is the lack of unicode support in miranda. Now if someone develops a XUL based multi-IM client (maybe a plugin architecture to standalone chatzillas?) that would be perfect.
      • Although I don't see a 30% cpu usage, I do notice that Gaim is currently consuming 19MB of memory. I'm almost certain that's due to some memory leak because it increases over time. That's ludicrous for a program whose purpose is to send TEXT messages.

        I have almost considered helping them instead of complaining, but I have no idea where to get started on an open source project.

        I'll still continue to use Gaim until another GPL/LGPL multiple IM client comes along.
  • Woohoo! (Score:5, Funny)

    by Gogo Dodo (129808) on Monday October 11 2004, @06:32PM (#10498444)
    Time to cash in! [slashdot.org]
    • Re:Woohoo! (Score:5, Funny)

      by pHatidic (163975) on Monday October 11 2004, @06:43PM (#10498566) Homepage
      No way this is just a hoax. More likely what really happened is the sysadmin who removed the virus found 400 Chinese porn sites and when the user was confronted about this he just blamed the virus.
  • by Anonymous Coward on Monday October 11 2004, @06:33PM (#10498451)
    Is this why MSN messenger seems to have been down for about 12 of the last 24 hours?
  • Impact? (Score:5, Informative)

    by mind21_98 (18647) on Monday October 11 2004, @06:33PM (#10498452) Homepage Journal
    Forty-two million users worldwide [msn.co.in] versus far more for AIM. The impact shouldn't be too big, although one has to wonder why people blindly accept and run files in the first place. It boggles the mind.
    • Re:Impact? (Score:5, Interesting)

      by RAMMS+EIN (578166) on Monday October 11 2004, @07:14PM (#10498854) Homepage Journal
      You mean AIM is a bigger target than MSN Messenger?

      Well, here's another argument against "Microsoft software gets broken into more, because it is more widely deployed". (Besides Apache vs. It Isn't Secure.)
  • Dammit (Score:5, Funny)

    by badfrog (45310) on Monday October 11 2004, @06:33PM (#10498455)
    Guess my workday tomorrow has been planned out in advance. (I have dumb users.)
  • LUA (Score:4, Insightful)

    by dioscaido (541037) on Monday October 11 2004, @06:33PM (#10498462)
    I'm disappointed that MS hasn't done a big enough push to get people accustomed to running as a limited user, versus running as Administrator all the time. This is the main reason why linux/OSX are more 'secure' -- programs like these would execute as user, not as root, given the OS's both discourage people from running their every day tasks as root. If the users who get this funny.exe were not running as Administrator, their system wouldn't get infected. The app may be able to propagate itself, but a quick log off/log on would kill the virus.
    • Re:LUA (Score:5, Insightful)

      by BurritoWarrior (90481) on Monday October 11 2004, @07:01PM (#10498744)
      ...because a TON of windows software won't run or install if they do?

      Seriously, they would have 19 gazillion support calls the next day.
      • Re:LUA (Score:5, Funny)

        by myowntrueself (607117) on Monday October 11 2004, @07:09PM (#10498809)
        In my experience the main cause of applications failing to run as non-admin user is copy protection on games.

        Frequently, these start up a service when they run. It would be very hard to make these work as non-admin.

        Personally, the first thing I do when I find a game like this is download a no-cd patch/crack. Then I can run it unprivileged.

        There are exceptions; the last icq client I tried won't even run as 'power user' and must be run as administrator.

        The developers of this sort of rubbish need electric shocks applied to their genitalia every time someone gets infected through their crap application.

    • Re:LUA (Score:5, Insightful)

      by RAMMS+EIN (578166) on Monday October 11 2004, @07:11PM (#10498826) Homepage Journal
      You can still do a lot of harm using a regular user account. Deleting a user's files (often more valuable than the software, which can be reinstalled), propagating over the network, to name a few. You can also try to exploit local vulnerabilities to gain full privileges, or trick the user into giving them to you.

      And don't think logging out and back in would solve the problem; you just install in the user's logon scripts rather than the system boot scripts.

      Apart from protecting other users' files, non-privileged accounts don't add a whole lot of security. And on Windows, it hardly works anyway. There are many things that should work for regular accounts but don't, and other things that shouldn't but do.
  • Worms... (Score:5, Insightful)

    by TrancePhreak (576593) on Monday October 11 2004, @06:35PM (#10498484)
    Doesn't sound like a worm to me at all.
    A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself.
    Computer Worm [wikipedia.org]
  • d'oh (Score:5, Funny)

    by Anonymous Coward on Monday October 11 2004, @06:35PM (#10498493)
    "..and adds entries to the hosts file pointing to more than 400 Chinese porn sites"

    First good reason I hear to switch to Windows.
  • host www.78p.com
    www.78p.com has address 1.10.5.89
  • A step back (Score:5, Funny)

    by Sheepdot (211478) on Monday October 11 2004, @06:37PM (#10498512) Journal
    Wow. We've gone from viruses pretending to be porn in order to do funny things to your computer to viruses pretending to be something funny that give you porn.
  • Trolling... (Score:5, Funny)

    by Mori Chu (737710) on Monday October 11 2004, @06:40PM (#10498537)
    Well this shouldn't be any problem; it requires the user to actively click an attachment, and users are educated enough not to do that...

    And they don't run as Admin anyway, so the worm couldn't even infect them if they did click it...

    And Microsoft will surely release a prompt fix to address this issue...

    So I don't see what the problem is here. :-)

  • Clever! (Score:5, Funny)

    by ATomkins (564078) on Monday October 11 2004, @06:40PM (#10498543)

    Ohhhh... I see the plan... we slashdot 78p.com, thus limiting the 'worm's damage!

    Good thinking, guys!

    Just [78p.com] doing [78p.com] my [78p.com] part. [78p.com] ;) [78p.com]

  • by diagnosis (38691) on Monday October 11 2004, @06:42PM (#10498561) Homepage
    It should be 'more fun', not 'funner'.

    ------------------
    Rate free iPod offers: RateTheOffers.com [ratetheoffers.com]
    (Flat screens and Desktop PCs too)

  • Symantec Analysis (Score:3, Informative)

    by a7244270 (592043) on Monday October 11 2004, @06:44PM (#10498576) Homepage Journal
    The analysis at symantec is a little skimpy on the details of how an infection starts, but from what I gather, the recipient of the instant message still has to click on the executable (unless I'm mistaken). Seems like this is destined to propagate only among the stupid. (insert obligatory comment about MSN Messenger users here).

    Other than that, not much info there, except it points out the obvious, that OS X users are not affected, since this appears to be a Visual Basic bug.

    If nothing else, the listing of some 940-odd asian porn sites on the Symantec page will be useful to someone...

  • by ganhawk (703420) on Monday October 11 2004, @06:59PM (#10498720)
    Is the worm author the most benevolent guy or what?

    China rewards porn snitches [slashdot.org]
    1) run Windows 2) get infected 3) receive list and fwd to the Chinese authority 4) profit!!
  • MSN downtime (Score:3, Informative)

    by secolactico (519805) * on Monday October 11 2004, @07:11PM (#10498821) Journal
    Does any of you know if this worm might be the cause for the sporadic outage in MSN messenger service yesterday and today? At first I thought it was my Trillian (yay!) client being blocked, MSN's own client was unable to log in as well.

    Almost all of my contact list confirmed having the same problem.
  • by Ratcrow (181400) on Monday October 11 2004, @07:18PM (#10498883) Homepage
    "pointing to more than 400 Chinese porn sites"

    How do they know that all 400 are porn sites? Did someone actually sit down and visit every one?

    Also, are they hiring?
  • by Lurgen (563428) on Monday October 11 2004, @07:58PM (#10499198) Journal
    A worm that spreads via IM? Or a worm that spreads via stupid dumb-ass users who don't know better than to run a .exe they weren't expecting to receive?

    One day, with a bit of luck, people opening attachments/files/emails/whatever like this will be considered much the same as people eating strange pieces of food that they find in the street.

    For those in the support side of the field, remember that as long as there are stupid people (and there always will be) security vulnerabilities will always be a poor second cousin to humans. The bulk of your support calls won't come from clever little worms that capitalise on obscure security flaws in a product, they'll come as a result of idiots thinking that "nakedwoman.exe" is actually something they want to see.

    Yet another reason we should embed cattle-prods into keyboards... "wow, some stranger sent me some naughty pictures of herself! Pity they're archived, I'll just double-click and let them extract themsel *zaaaaaaaap!!!*"
  • Hell (Score:5, Insightful)

    by papasui (567265) on Monday October 11 2004, @09:25PM (#10499749)
    When I was still doing phone cable modem support (I'm the network engineer now) I spoke with more than one person that said they opened the attachment in their email because they wanted to see if it was a virus. This thing will spread like that goatse.cx guy's ass.
    • by dioscaido (541037) on Monday October 11 2004, @06:43PM (#10498565)
      Well, if you are running as root, well, the answer to your question is EVERY OS. Run your desktop as root, and it'd take me 5 minutes to write an executable that will hose your whole system.

      The fact is, Windows has a solid, well implemented, privilege system. The second fact is that they gave this up in favor of app compatibility (crappy programs that expect to write to the windows directory just to run, versus to user directories) and ease of use. This is biting them in the ass, and they are working on getting people away from running as Administrators. Just not as heavy a push as I'd like.
      • by san (6716) on Monday October 11 2004, @07:01PM (#10498737)
        The problem with Windows and these worms is that you do not explicitly have to give execute permission to the file in question. It's just recognized as an '.exe' file by Windows and treated as an executable.

        The kind of people who would execute this file, are the same kind of people who wouldn't know how to give some file execute permissions if they were running a Unix-based workstation (probably even OS X).
    • by Daniel Ellard (799842) on Monday October 11 2004, @06:44PM (#10498575)
      Imagine the time and persistence it took to find 400 Chinese porn sites, what with the Chinese government breathing down your neck and all that. This author is no simple script kiddie; this is a wormer who has corporate sponsorship and/or does all his browsing with one hand...

      • I'm watching the show too... "cache" is a bit of a misnomer, I mean, pretty much every chunk of data in Slash is cached, but basically we just post stories n minutes ahead of time. During that time (for n < 20) they are visible to subscribers -- and then they go live for the rest of the world whenever we've scheduled them to.
    • No, it's a trojan. The difference between a virus and a trojan being that a virus spreads itself as a side effect of normal user behavior (inserting a floppy into the disk drive, running an infected executable, ...), whereas a trojan spreads itself by seducing the user into running it.
    • With enough publicity the average Joe User will learn safe IMing habits...

      The average Joe won't learn safe computing habits until Dell, Gateway, HP, and Compaq start issuing keyboards and mice complete with 10,000 volt negative reinforcement "bad user, no treat" features. People with no computer knowledge are the last to admit their ignorance caused their problems.