Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Worms Security

New IM Worm On The Loose 407

elfarto writes "Techweb is reporting that a new worm that spreads via Microsoft's instant messaging client began badgering users Monday, several security firms said. Dubbed Funner, the worm propagates by sending itself to all the contacts listed in the user's copy of MSN Messenger, Microsoft's IM client. There is an analysis on Symantec Security Response Site; apparently the worm tries to download stuff from www.78p.com and adds entries to the hosts file pointing to more that 400 Chinese porn sites. The worm also sends itself to the whole contact list as funny.exe so it requires the user interaction to actually execute it. "
This discussion has been archived. No new comments can be posted.

New IM Worm On The Loose

Comments Filter:
  • Had to be the first - I enjoyed the Screen Savers segment!
  • by Anonymous Coward on Monday October 11, 2004 @06:31PM (#10498436)
    How is this a bad thing?
  • by bob65 ( 590395 ) on Monday October 11, 2004 @06:32PM (#10498438)
    Because we all know everyone executes a file called "funny.exe" without thinking.

    Geez, who cares. If a dumbass like me thinks that would be ridiculous, I'm sure everyone else in the world would think so too.

    • by mr_don't ( 311416 ) on Monday October 11, 2004 @06:35PM (#10498482)
      I'm with you, but you know, my users a t work will run ANYTHING...

      Users can be psychotic sometimes...!
      • When I heard about it, first thing I thought was "Hey, at last a practical use for those Turing test AI's"

        virus: hey its [nick gotten of settings] here, you gotta check this out.
        * virus sends file
        bob: did you check it for virus
        (match word virus) virus: yeah, I checked it out, its safe.

        Also could check for 'is it...you', various 'bye's, etc. Actually get around the 'don't run stuff you shouldn't trust thing'.

        Now mod me down before a worm author sees this comment and actually writes a messenger w

      • by GMFTatsujin ( 239569 ) on Monday October 11, 2004 @08:45PM (#10499498) Homepage
        Everything except a virus checker...

        *sigh*
    • by Zakabog ( 603757 ) <john@NoSPam.jmaug.com> on Monday October 11, 2004 @06:42PM (#10498562)
      Let's see, the average persons friend sends them a file called funny.exe. The average person really enjoying the kind of crap that their friend's send them online, executes funny.exe (which by the way will show up as just "Funny" on the average computer as extensions are hidden by default) gets infected by the worm, notices they get a ton of pop ups, porn sites, all kinds of junk and their computer runs really slow, blames the manufacturer of the PC (Gateway, Dell, IBM, whatever.) Never realizes it was an issue with MSN to begin with, continues on with their life promising to never buy another computer from Gateway, Dell, IBM, whatever. I've seen it happen so many times. My uncle even blames me for the crap that gets installed on his computer (usually while I'm not there, as I live 300 miles away) and doesn't really thank me when I install ad-aware and get rid of the junk (thinking whatever he just did on the computer made everything work right.)
    • by Ghostgate ( 800445 ) on Monday October 11, 2004 @06:46PM (#10498605)
      You are seriously underestimating the general cluelessness of the average computer user. I think it could be named "worm.exe" and a lot of people would still run it.

      The knowledge (or lack thereof) of the average computer user is the real reason that security is such an issue today.
  • by kgbspy ( 696931 ) on Monday October 11, 2004 @06:32PM (#10498443)
    Just like everyone urged their friends and family to switch from IE to Firefox, now could be the time to recommend gaim [sourceforge.net] to them in place of their regular IM client. Except, maybe, those who like chinese porn.
    • by tangent3 ( 449222 ) on Tuesday October 12, 2004 @03:34AM (#10501298)
      Actually, you might just be on to something. The XUL framework seems to be perfect for developement of a cross platform multi-protocol IM client. Gaim is nice and all, I use it and love it, but the gtk requirement (esp on Windows) is quite a put-off. The reason I'm still sticking to gaim and haven't gone back to miranda is the lack of unicode support in miranda. Now if someone developes a XUL based multi-IM client (maybe a plugin architecture to standalone chatzillas?) that would be perfect.
  • Woohoo! (Score:5, Funny)

    by Gogo Dodo ( 129808 ) on Monday October 11, 2004 @06:32PM (#10498444)
    Time to cash in! [slashdot.org]
  • by Anonymous Coward on Monday October 11, 2004 @06:33PM (#10498451)
    Is this why MSN messenger seems to have been down for about 12 of the last 24 hours?
  • Impact? (Score:5, Informative)

    by mind21_98 ( 18647 ) on Monday October 11, 2004 @06:33PM (#10498452) Homepage Journal
    Fourty-two million users worldwide [msn.co.in] verses far more for AIM. The impact shouldn't be too big, although one has to wonder why people blindly accept and run files in the first place. It boggles the mind.
  • Dammit (Score:5, Funny)

    by badfrog ( 45310 ) on Monday October 11, 2004 @06:33PM (#10498455)
    Guess my workday tomorrow has been planned out in advance. (I have dumb users.)
  • LUA (Score:4, Insightful)

    by dioscaido ( 541037 ) on Monday October 11, 2004 @06:33PM (#10498462)
    I'm dissapointed that MS hasn't done a big enough push to get people accustomed to running as a limited user, versus running as Administrator all the time. This is the main reason why linux/OSX are more 'secure' -- programs like these would execute as user, not as root, given the OS's both discourage people from runnin their every day tasks as root. If the users who get this funny.exe were not running as Administrator, their system wouldn't get infected. The app may be able to propagate itself, but a quick log off/log on would kill the virus.
    • Not exactly. Their system would still get infected, and if any of these virus/trojan/worm writers actually felt like using a malicious payload, totally fubar their data even if permissions protect the rest of the system.
    • Re:LUA (Score:5, Insightful)

      by BurritoWarrior ( 90481 ) on Monday October 11, 2004 @07:01PM (#10498744)
      ...because a TON of windows software won't run or install if they do?

      Seriously, they would have 19 gazillion support calls the next day.
      • Re:LUA (Score:5, Funny)

        by myowntrueself ( 607117 ) on Monday October 11, 2004 @07:09PM (#10498809)
        In my experience the main cause of applications failing to run as non-admin user is copy protection on games.

        Frequently, these start up a service when they run. It would be very hard to make these work as non-admin.

        Personally, the first thing I do when I find a game like this is download a no-cd patch/crack. Then I can run it unprivileged.

        There are exceptions; the last icq client I tried won't even run as 'power user' and must be run as administrator.

        The developers of this sort of rubbish need electric shocks applied to their genitalia every time someone gets infected through their crap application.

    • Re:LUA (Score:5, Insightful)

      by RAMMS+EIN ( 578166 ) on Monday October 11, 2004 @07:11PM (#10498826) Homepage Journal
      You can still do a lot of harm using a regular user account. Deleting a user's files (often more valuable than the software, which can be reinstalled), propagating over the network, to name a few. You can also try to exploit local vulnerabilities to gain full privileges, or trick the user into giving them to you.

      And don't think loggin out and back in would solve the problem; you just install in the user's logon scripts rather than the system boot scripts.

      Apart from protecting other users' files, non-privileged accounts don't add a whole lot of security. And on Windows, it hardly works anyway. There are many things that should work for regular accounts but don't, and other things that shouldn't but do.
    • Re:LUA (Score:3, Informative)

      by Phisbut ( 761268 )
      I'm dissapointed that MS hasn't done a big enough push to get people accustomed to running as a limited user, versus running as Administrator all the time

      There are 2 reasons why this doesn't work at the moment.
      1) non-power-user don't even know what I limited-user account is (or that it even exists).
      2) power-user usually use other OSes for day-to-day tasks, but keep Windows handy for gaming. However, 95% of the games won't work in limited-user mode... not because the game developpers are lousy and can't

  • by rackhamh ( 217889 )
    I'm not up to speed on the terminology (yes, I've been living under a rock, and it's very cozy under here). Is it really a "worm" if it requires the user to execute it?
  • Worms... (Score:5, Insightful)

    by TrancePhreak ( 576593 ) on Monday October 11, 2004 @06:35PM (#10498484)
    Doesn't sound like a worm to me at all.
    A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself.
    Computer Worm [wikipedia.org]
  • d'oh (Score:5, Funny)

    by Anonymous Coward on Monday October 11, 2004 @06:35PM (#10498493)
    "..and adds entries to the hosts file pointing to more that 400 Chinese porn sites"

    First good reason i hear to switch to Windows.
  • by Indy1 ( 99447 ) on Monday October 11, 2004 @06:36PM (#10498495)
    host www.78p.com
    www.78p.com has address 1.10.5.89
    • Traceroute to www.78p.com
      08:21:54 MDT (-0600) Tue Oct 12, 2004

      1. blah.blah.net (aaa.bbb.ccc.ddd) 0.8 ms
      2. blah2.blah.net (aaa.bbb.ccc.ddd) 5.1 ms
      3. blah3.blah.net (aaa.bbb.ccc.ddd) 6.7 ms
      4. *
      5. *
      6. *
      7. *
      8. *
      9. *
      10. *
      11. *
      12. *
      13. *
      14. border10.s6-4.pcisys-1.den.pnap.net (216.52.42.13) 7.4 ms !H

      Trace complete.
  • Am I the only one with no compulsive need to open each and every funny.exe files I receive, even from people I know? Send me jokes on my email with 40cc repeatetly might get you an ignore, even if you're a good friend. Same for 'funny' executables... Jokes as text or images I can understand... maybe I'm just too serious, sometimes. I can't believe people STILL don't pay attention to extensions?

    But 400 chinese porn sites? Add me to your MSN, quick!
    • I'm pretty sure that if you sent out a worm named fuckupyourcomputer.exe enough people would run it to keep it going.

      I've read the descriptions on this one and I see no social engineering at all other than the name "funny" - the bar on the human element is far too low.
    • Windows XP hides extensions by default. You have to find and uncheck the "Hide extensions for known file types" checkbox which renders "ILOVEYOU.TXT.vbs" as "ILOVEYOU.TXT".

      The sole purpose of hiding extensions is to avoid scaring imbeciles who freak out at the sight of a period and three letters.
  • "adds entries to the hosts file pointing to more that 400 Chinese porn sites."

    So...horrible virus...yes...only affects MS Messenger people..horrible..um......

    Ok look, anybody have a copy of it? Or at least the URLs?

  • A step back (Score:5, Funny)

    by Sheepdot ( 211478 ) on Monday October 11, 2004 @06:37PM (#10498512) Journal
    Wow. We've gone from viruses pretending to be porn in order to do funny things to your computer to viruses pretending to be something funny that give you porn.
  • Trolling... (Score:5, Funny)

    by Mori Chu ( 737710 ) on Monday October 11, 2004 @06:40PM (#10498537)
    Well this shouldn't be any problem; it requires the user to actively click an attachment, and users are educated enough not to do that...

    And they don't run as Admin anyway, so the worm couldn't even infect them if they did click it...

    And Microsoft will surely release a prompt fix to address this issue...

    So I don't see what the problem is here. :-)

    • ``And they don't run as Admin anyway, so the worm couldn't even infect them if they did click it...''

      I don't know about Windows, but on unices I can install software just fine as a regular user. I can even make it start automatically from my login script, or periodically from a cron job. It has full access to all my files and regular network access...you see where I'm going: malware can still do a lot of damage when run by a normal user.
    • Re:Trolling... (Score:3, Informative)

      by magefile ( 776388 )
      Informative? Funny, I can see. Insightful, maybe. Troll, at a stretch. But WhoTF modded this "Informative"?!
  • Clever! (Score:5, Funny)

    by ATomkins ( 564078 ) on Monday October 11, 2004 @06:40PM (#10498543)

    Ohhhh... I see the plan... we slashdot 78p.com, thus limiting the 'worm's damage!

    Good thinking, guys!

    Just [78p.com] doing [78p.com] my [78p.com] part. [78p.com] ;) [78p.com]

  • by diagnosis ( 38691 ) on Monday October 11, 2004 @06:42PM (#10498561) Homepage
    It should be 'more fun', not 'funner'.

    ------------------
    Rate free iPod offers: RateTheOffers.com [ratetheoffers.com]
    (Flat screens and Desktop PCs too)

  • Symantec Analysis (Score:3, Informative)

    by a7244270 ( 592043 ) on Monday October 11, 2004 @06:44PM (#10498576) Homepage Journal
    The analysis at symantec is a little skimpy on the details of how an infection starts, but from what I gather, the recipient of the instant message still has to click on the executable (unless I'm mistaken). Seems like this is destined to propagate only among the stupid. (insert obligatory comment about MSN Messenger users here).

    Other than that, not much info there, except it points out the obvious, that osX users are not affected, since this appears to be a Visual Basic bug.

    If nothing else, the listing of some 940-odd asian porn sites on the Symantec page will be useful to someone...

  • ...and adds entries to the hosts file pointing to more that 400 Chinese porn sites.


    In other news, Firefox and Linux usage dropped dramatically today and Apple has just declared bankruptcy.

  • "In other news, the virus actually only attempts to connect to 127.0.0.1 on port 80 or 8080 and use the host as a proxy server"
  • Technically it is a virus and not a worm. Virii (physical and electronic) cannot spread by themselves; they need someone else to help them spread. Worms, on the other hand, can spread and multiply without anyone else's help.

    Since this virus requires human interaction, it is a virus and not a worm.
    • No, it's a trojan. The difference between a virus and a trojan being that a virus spreads itself as a side effect of normal user behavior (inserting a floppy into the disk drive, running an infected executable, ...), whereas a trojan spreads itself by seducing the user into running it.
  • by mcrbids ( 148650 )
    apparently the worm tries to download stuff from www.78p.com [78p.com]

    Slashdotted already. (sigh)
  • by ganhawk ( 703420 ) on Monday October 11, 2004 @06:59PM (#10498720)
    Is the worm author most benovelant guy or what ?

    China rewards porn snitches [slashdot.org]
    1)run windows 2)get infected 3)receive list and fwd to the chineese authority 4)profit!!
  • MSN downtime (Score:3, Informative)

    by secolactico ( 519805 ) * on Monday October 11, 2004 @07:11PM (#10498821) Journal
    Does any of you know if this worm might be the cause for the sporadic outage in MSN messenger service yesterday and today? At first I thought it was my Trillian (yay!) client being blocked, MSN's own client was unable to log in as well.

    Almost all of my contact list confirmed having the same problem.
    • I was logged on MSN yesterday evening.

      First, I got messages opening in a window, from people that I don't know.

      Then, some messages from people I know, appearing in that same window, instead of their own window.

      And after that, a pop up message, from MS, stating the service was going down for maintenance.

      It lasted more than one hour.
  • by Ratcrow ( 181400 ) on Monday October 11, 2004 @07:18PM (#10498883) Homepage
    "pointing to more that 400 Chinese porn sites"

    How do they know that all 400 are porn sites? Did someone actually sit down and visit every one?

    Also, are they hiring?
  • Wasn't the Chinese government paying a reward for porn sites? Wo-ho! Maybe we can forward the list and collect! Cha-ching, baby.
  • What type of file is that anyway, exe file.

  • someone point me to a FAQ or help page that will tell me how to permanently remove MS instant messaging? If its typical MS crap, the devil is in the DLLs.
  • by Lurgen ( 563428 ) on Monday October 11, 2004 @07:58PM (#10499198) Journal
    A worm that spreads via IM? Or a worm that spreads via stupid dumb-ass users who don't know better than to run a .exe they weren't expecting to receive?

    One day, with a bit of luck, people opening attachments/files/emails/whatever like this will be considered much the same as people eating strange pieces of food that they find in the street.

    For those in the support side of the field, remember that as long as there are stupid people (and there always will be) security vulnerabilities will always be a poor second cousin to humans. The bulk of your support calls won't come from clever little worms that capitalise on obscure security flaws in a product, they'll come as a result of idiots thinking that "nakedwoman.exe" is actually something they want to see.

    Yet another reason we should embed cattle-prods into keyboards... "wow, some stranger sent me some naughty pictures of herself! Pity they're archived, I'll just double-click and let them extract themsel *zaaaaaaaap!!!*"
  • Suspicious... (Score:3, Insightful)

    by LavaDevil94 ( 712490 ) <junkm@riversdell.com> on Monday October 11, 2004 @09:07PM (#10499649) Homepage
    Methinks this might have something to do with the recent ban on porn in China...
  • Hell (Score:5, Insightful)

    by papasui ( 567265 ) on Monday October 11, 2004 @09:25PM (#10499749) Homepage
    When I was still doing phone cable modem support (I'm the network engineer now) I spoke with more than one person that said they opened the attachement in their email because they wanted to see if it a was a virus. This thing will spread like that goatse.cx guys ass.

An Ada exception is when a routine gets in trouble and says 'Beam me up, Scotty'.

Working...