Security

Latest WinWorm Spreads Via ICQ And Outlook 598

Posted by timothy
from the how-vastly-creative dept.
mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.
  • NOT! (Score:5, Informative)

    by aitala (111068) on Tuesday December 04, 2001 @05:34PM (#2655980) Homepage
    It is not non-destructive - it tries to delete anti-virus and firewall software.
  • Just got goner here (Score:3, Interesting)

    by monkeyfamily (161555) on Tuesday December 04, 2001 @05:35PM (#2655984) Homepage
    This is the first office I've seen grind to a halt because of an Outlook worm - but then, none of the other places I've temped have been so totally MS-centric. I think I'm the only one left with email access, as I'm using the mozilla client.
    • My office just got it as well. Our Exchange servers have at least 2000 contacts and groups in the global e-mail list, so it seems to go through most of that list and e-mail everyone. We seem to have some sort of virus "catcher" running that removes most of the viruses, but those that get through send out thousands, so the e-mail groups are almost getting a few thousand e-mails each. Even with the virus removed, that's a lot of e-mails going around just within an hour or so.

      Now that I think about it, it's spreading amazingly slowly in my office (we have approx. 20 international offices). This is sort of a good load test of our servers. Seems my company's setup of Exchange servers sucks when hit with that many e-mails in a short period of time. But then again, I don't really know how another comparative e-mail server setup would fare.
  • considering I've received 20 virus-laden emails through my @home account in a matter of days.
  • Got the first attachment at around 16:30 GMT - suspected by the wording of the email that it was a virus.

    Mailed tech support and didn't get a response. Great.

    It seems some people even ran the attachment more than once - probably trying to get the screensaver to work :-)

    It only seems to have copied to the first entry in our network wide address book, unfortunately it begins "#All" - ah well, my Macs are safe at least

  • Shit. I still have people getting Melissa and Nimda here at work. (Matter-of-fact, I spent half an hour just yesterday clearing a machine from its second infection.) A 159 byte virus? Using a sentimental pick-up line? I'm going to be busy...

    Yes, I know user education and antivirus software would help stop this, but I'm in no position to get those kinds of things done here.
    • Even _after_ education, users remain stupid. They are almost like computers, they do what you say, but not what you mean.

      *sigh*

    • Even worse. I live in a dorm, and regularly play around on the network. There are probably 900 computers with shared resources in a 90.xxx - 100.xxx block here on campus. About 600 of those have read-only unprotected resources, to share with the general public. You can't imagine how many Nimda emails I've seen in those directories. College students love screensavers. This one's going to be a booger.

      Anyone know if this one attacks Tiny Personal Firewall? That's my standard installation when I set people up in the dorms.

      I'm not even on the IT staff - just a student with a reputation for knowing how to fix computers. People knock on my door at 4:00 AM to fix their printer. Lord help me with this one.
      • Lord help me...

        Why, what's your beef? Don't have a cow -- you're in gravy, man! Just put up a little sign that says "GONER REPAIR: $10". It only takes five minutes to fix. Script it, put it on a floppy and carry it with you, and you can clean it up in two minutes flat.
        • Why, what's your beef? Don't have a cow -- you're in gravy, man! Just put up a little sign that says "GONER REPAIR: $10". It only takes five minutes to fix. Script it, put it on a floppy and carry it with you, and you can clean it up in two minutes flat.


          Well, and ironically exactly that might "educate" them enough to remember being cautious about attachments in the long run. If it burns a hole into their pockets they might start thinking before clicking sooner or later.
  • by v4sudeva (156187) <<moc.daragem> <ta> <avedusav>> on Tuesday December 04, 2001 @05:39PM (#2656021) Homepage
    has already sent every one of my fellow employees all over the globe 27 copies of this thing.

    It's been going on for over two hours now. I can't help but wonder if he's still over there trying to run that damn .scr.

    Thanks, boss.
    • My sympathies on the PHB.

      The PHBs running our school district's networks wiped Netscape off all school computers and is forcing Windows/Outlook/IE down everyone's throats. Last Friday, a similar worm hit the high school and took out **everything**. I've told my wife (a teacher) to bring nothing home or disk and to remove our home e-mail from her school PC.

      IDEA: Why don't UNIX/Linux sys admins start suing networks running IIS and IE for DoS when they send crap from Windows to Linux? Kill the use of Windows by punishing those stupid enough to use it for enterprise computing!
    • And that's the guy running your company.

      Time to find a new job.
    • CEO's are masters at running businesses. They are not masters at using computers or making them work better.

      As evidence, I'd like to direct your attention to this little company [microsoft.com]. Its former CEO is a proven master -- probably one of the best in the world -- at making a business successful. However, I don't believe that any code he has ever produced has ever been labeled as well-written. For that matter, I'm not sure he has ever written any code. Instead, the CEO in question bought the rights to an existing product and found a way to sell it to the masses. Later "innovations" and "improvements" to the product were not his, but the ideas of people he hired. Heck, he probably can't even set up user accounts in Windows XP (one of the most basic administrative tasks, in his company's flagship product no less). He doesn't need to, he can pay someone to do that!

      The point? To make a company a success, the leaders of it must be able to sell the product, regardless of its quality. Management is what makes a company successful, and that is the realm of the CEO. Not technical prowess.

      No matter the quality, no matter the technical merits, no matter the price of the product, if the company is poorly managed it will fail.
      --
      • True, nobody really expects a CEO to have a hand in day-to-day operations. They're the "big picture" people.

        BUT...they should have at least a marginal understanding of what goes on around them, and if you're in a tech-driven company, I'd hope that would include knowing how to print from IE or logging into an email client.

        I've worked for PHBs that couldn't. It's one thing to surround yourself with great minds. It's another entirely when they serve as a replacement, not an augmentation!

        GTRacer
        - This has "long day" written all over it

  • story is wrong (Score:5, Informative)

    by joshwa (24288) on Tuesday December 04, 2001 @05:39PM (#2656025) Homepage Journal

    The story had a few errors:

    1. The McAfee link is here. [mcafee.com]
    2. It's 159 KB, not 159 bytes.
    3. It isn't non-destructive -- it's designed to remove many popular anti-virus products. See the McAfee article.
    • Great -- someone's finally figured out that they can create a Trojan horse that not only digs a back door into your system, but silently kills off the guards at the front as well.

      Next thing we know they'll be rewriting Microsoft's system auto-updater to download even more viral code into your system. Won't that be nice?
      • Surely an attempt to delete [virusscanner].EXE is one of the first things any respectable virus scan program should monitor and attempt to prevent, or at least warn of?
    • Re:story is wrong (Score:2, Informative)

      by HMC CS Major (540987)
      And for those of you who prefer to play with these things yourself ("strings virus.xxx" always turns up something interesting...), I posted a copy (which happened to come from two people on the FreeBSD security mailing list), here [hmc.edu] (standard disclaimer: it's not my fault if you run it instead of saving it, blah blah blah). On a slightly related note, I especially like the popup message [nai.com] displayed when you run the virus ... obviously a virus, right? Then why have I gotten multiple copies from the same person, obviously someone who tried to run it two or three times?
  • nope, sorry. (Score:5, Interesting)

    by tswinzig (210999) on Tuesday December 04, 2001 @05:39PM (#2656026) Journal
    it has a packed form that is only 159 bytes.

    Actually the attachment is 38KB, and the virus itself is 159 KILObytes, not 159 bytes, UNPACKED.

    The unique thing about it is it disables some anti-virus software, and things like ZoneAlarm.

    As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.
    • As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.

      Yeah, the /. editors will get their asses kicked by script kiddies in the next 1337 hAx0r Spelling Bee. Then the kiddies will look at Slashcode, and discover that "where" is constantly misspelled as "were", the fixing of which will eliminate those annoying form_key errors.
  • by Anonymous Coward on Tuesday December 04, 2001 @05:40PM (#2656037)
    Didn't everyone get the memo that opening attachments is a really dumb idea? I'm attaching the original message:

    <Attachment: Don't_Open_Attachments.eml.vbs>
  • Pure Wisdom (Score:5, Funny)

    by Phartx2 (79490) on Tuesday December 04, 2001 @05:40PM (#2656040)
    I just got the warning message from my school's network goons. In a move of administrative wisdom at its finest, it mentioned:

    "The Bearcat Online email system is now blocking all messages with "Hi" as the subject."
    • Why do you insist on using only one subject line when having your virus replicate itself? That's the easiest form of detection! If you'd use something less static, say, a random subject out of 50 preset ones, then your virus would spread a LOT more before anyone got wise.

      In addition, it would similarly help to rename the attachment at every iteration too.
    • I got an email (as did everyone else) from someone in the company who gave detailed instructions on how to use the "Rule Wizard" (first clue) to delete these emails permanently upon receiving them.

      The problem? The steps outlined how to check the subject line for the word "hi" and permanently delete it and the message flag.

      I tested this out, and Outlook isn't case sensitive, nor does it recognize if the target word is embedded. So any email with the word 'hi' anywhere in the subject would get deleted. (e.g. this, Chicago, chickenpoop, etc) It was also suggested that the exception be if your name was in the To or CC, but we use so many distribution lists, that wouldn't matter too much.

      *sigh*

    • Re:Pure Wisdom (Score:3, Informative)

      by Computer! (412422)
      Instead of blocking subject lines, they could have just added the following code to the Application_ItemSend event in Outlook 2000:


      ' Event handler in ThisOutlookSession; Outlook passes the outgoing item and a
      ' ByRef Cancel flag that, when set to True, stops the send.
      Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
          Dim blsure As VbMsgBoxResult
          Dim i As Long
          If Item.Attachments.Count > 0 Then
              blsure = MsgBox("A message is being sent with attachments. Do you want to send this message?", vbOKCancel)
              If blsure = vbCancel Then
                  ' The Attachments collection is 1-based, and removing an entry shifts
                  ' the ones after it, so walk the collection from the end backwards.
                  For i = Item.Attachments.Count To 1 Step -1
                      Item.Attachments.Remove i
                  Next
                  Item.Delete
                  Cancel = True
                  MsgBox "The message has not been sent."
              End If
          End If
      End Sub


      What makes virus writing so easy for Windows is the ability to churn through the Outlook address book with a convenient object model. Of course, you could switch to another client, but then you wouldn't be able to write your own code to customize the behavior of the sending of attachments. Kind of a double-edged sword.

      Once you've gotten your Outlook installation "patched", read this article [microsoft.com] to learn how to deploy the fix to other users. Of course, if they get infected, they may have to click "Cancel" 1500 times, but that's what they get for double-clicking an untrusted .exe.
  • Social Engineering (Score:4, Interesting)

    by FatRatBastard (7583) on Tuesday December 04, 2001 @05:40PM (#2656047) Homepage
    This one's strength is actually its social engineering. The text of it sounds like something a friend would send. My sister got nailed and I got it via e-mail from her. Since I had just finished talking to her on AIM I found the text of it a little strange so my guard went up. Funny enough, McAfee didn't catch it on Yahoo (I scanned just to see what came up).
  • F-Secure have a page describing the W32.Goner.A@mm [f-secure.com] as well.

  • by JMZero (449047) on Tuesday December 04, 2001 @05:41PM (#2656058) Homepage
    Our office blocks .scr attachments at the server, because we're not completely incompetent. There's no reason to send a .scr or a .vbs or anything like unto it - whatever you have to say could be said in a text file.

    It strikes me as extremely sad that a virus like this can still work. How many times does it take?

    What can we do to save the unknowing?
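    The post above (dropping .scr attachments at the server) and the earlier "Rule Wizard" thread (a rule that fires on "hi" anywhere in the subject, so "Chicago" gets deleted) both describe mail-filter logic. The block below is an added example written for this page, not code from any poster, from Outlook or from any mail product. It uses Python's standard email module, a sample message constructed inline, and an assumed blocklist of executable extensions; it shows that an attachment-extension check catches the worm's .scr regardless of subject line, and it contrasts the substring subject rule with a whole-subject match to show where the false positives come from.

```python
import re
from email import policy
from email.message import EmailMessage

# Suffixes Windows will execute directly when double-clicked from a mail client.
# A screen saver (.scr) is an ordinary executable with a different suffix.
# This set is an assumption for the example, not a list quoted from any product.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".vbs", ".pif", ".bat", ".com", ".js"}


def blocked_attachments(msg):
    """Return filenames of attachments whose final extension is on the blocklist.

    Only the last suffix is examined, lower-cased, so 'Gone.SCR' and the
    double-extension trick 'photo.jpg.scr' are both caught while 'readme.txt' passes.
    """
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if "." + suffix in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def subject_contains_hi(subject):
    """The rule as the office memo described it: 'hi' anywhere, case-insensitive."""
    return "hi" in subject.lower()


def subject_is_hi(subject):
    """A tighter rule: the whole subject is the single word 'Hi' (any case)."""
    return re.fullmatch(r"\s*hi\s*", subject, re.IGNORECASE) is not None


def build_sample(subject, attachment_name):
    """Construct a sample message for the example (constructed, not a real capture)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "friend@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content("How are you ? When I saw this screen saver I immediately thought about you...")
    if attachment_name:
        # Placeholder bytes standing in for the attachment body; not a real binary.
        msg.add_attachment(b"MZ placeholder, constructed for this example",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg


if __name__ == "__main__":
    worm_like = build_sample("Hi", "gone.scr")
    print("blocked:", blocked_attachments(worm_like))
    for s in ["Hi", "this week", "Chicago trip", "chickenpoop"]:
        print(f"{s!r}: contains-rule={subject_contains_hi(s)} exact-rule={subject_is_hi(s)}")
```

    The extension check is the one that stops the attachment at the gateway whatever the subject says; the subject rules only show why the memo's "contains hi" rule also throws away ordinary mail.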
  • by Havokmon (89874) <rick@hav[ ]on.com ['okm' in gap]> on Tuesday December 04, 2001 @05:42PM (#2656060) Homepage Journal

    It says you have to remove the registry entry then reboot. Actually, if you remove the registry entry, the app reinstalls itself, then reboot doesn't do shit.

    Shutdown to DOS, then del windows\system\gone.scr
    (It's hidden attrib -s-r-h first), then reboot.
    You can't delete it before you shutdown, it's 'in-use'.

    If you're running NTFS, AND you've been hit, *sigh*..
    • If you're running NTFS, AND you've been hit, *sigh*..

      If you're in a German-speaking country you might want to fetch the most recent issue of c't. They got an article about Virus-Cleaning on NTFS-Platforms (from DOS and Win9x). Take a look at The download Links [heise.de] for the article. I don't think the article itself is available on the net. It's German but I'm sure even those of you, who don't speak this language will find a way through ("NTFS", "DOS" and "Download" are the same ;-)

    • If you're running NTFS, AND you've been hit, *sigh*..

      Correct me if I'm wrong, but I believe Windows allows you to rename an open file. If the worm isn't smart enough to check for this, you should be able to reboot and start cleaning up.

    • by DarkEdgeX (212110) on Tuesday December 04, 2001 @07:41PM (#2656907) Journal
      You'd use MoveFileEx to get rid of the file, like so--

      MoveFileEx("C:\\WINNT\\System32\\Gone.scr", NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

      The combination of MOVEFILE_DELAY_UNTIL_REBOOT and a NULL lpNewFileName creates a special condition where Windows deletes the file at startup. This is commonly used by installers, for example, when a file is in use and DeleteFile fails. For anyone going through the trouble of putting this into an executable, you might want to grab the Windows system directory from Windows itself.. this can be done using GetSystemDirectory (prototyped as--

      UINT GetSystemDirectory(
      LPTSTR lpBuffer, // buffer for system directory
      UINT uSize // size of directory buffer
      );

      ) or you could be clever and use ExpandEnvironmentStrings, prototyped as--

      DWORD ExpandEnvironmentStrings(
      LPCTSTR lpSrc, // string with environment variables
      LPTSTR lpDst, // string with expanded strings
      DWORD nSize // maximum characters in expanded string
      );

      Shrug. =) Just thought this might help, for those unable to figure out how to delete a file in NTFS (but that do have a C/C++ or other compatible compiler).
  • What about Badtrans? (Score:2, Interesting)

    by MS (18681)
    Did I miss a post or something?

    Badtrans is hitting my mailbox multiple times harder than Sircam, MTX and CodeRainbow combined. And it's only around since 24th November. Quite "every" Outlook user I know of got infected with it.

    But then maybe this virus is hitting only Europe, so US-citizens haven't noticed it, yet.

    Needless to say, I'm happy to read my e-mail on a *nix box. :-)

    ms

  • First from the CEO, then from about 15 other co-workers. Right now the IT team is running around trying to figure out how to filter it out.

    I peeked inside and found that it links to the VB runtime DLL. Unfortunately I can't tell any more than that at this point.

    -Jon
    • Right now the IT team is running around trying to figure out how to filter it out.

      Using a clawhammer, apply filter briskly to the foreheads of those who cannot understand simple commands, such as DO NOT OPEN.
  • I have already received 17 copies of the virus. But you know, following the rules that I teach in my Internet Basic class - don't open anything you aren't expecting, verify it first - worked charms in this case. The first person I got it from I called and they had no idea about it, which raised little red flags with me.

    Is Outlook to blame? Sure, partially. But is stupid users who open attachments at random without verifying it also to blame? Absolutely.

  • by rkent (73434) <rkent@noSPAM.post.harvard.edu> on Tuesday December 04, 2001 @05:43PM (#2656084)
    Well, since McAfee and Symantec are reporting it, I guess this is not a first draft of magic lantern... unless they issue another press release in 45 minutes saying "um... nevermind, there is no 'Goner' worm."
  • This one was very obvious. However, the bottom line is, never open any unknown executables and stay away from clients that have security issues.

    An interesting question arose out of all this... I have had more then a few emails from people here at work that I don't know. I have to wonder how my email address ends up in so many address books.

    Unfortunately most people won't have the benefit of strangers sending this message.

    Oh beautiful corporate america, may your mail servers be forever fruitful.
  • NEWS.COM has an interesting quote from David Perry of Trend Micro. He says, "Every time enough time goes by that people forget to be wary of these things, it pops up again. Apparently, we have to resign ourselves to the fact that education doesn't work."

    How sad...but true. It's almost like that quote on the (I believe) CDW commercial, where the woman tells the IT manager something to the effect of, "I opened that virus just like you told us not to."

    All it takes is a little diligence, and these things would be far less of a problem. Not even real diligence, just less stupidity on the part of users. I mean, a person would have to be living in a cave not to have heard about Melissa, I Love You, Code Red, SirCam, etc. When is it going to sink in that you shouldn't open unexpected e-mail attachments?

    Oh, BTW, the original post stated that this thing is mostly non-destructive. I'm not so sure I'd agree with that assessment. If this thing is stripping out virus scanners and firewalls, it's opening up a machine for other types of attacks. I'd be a little concerned about that.

    • One of the kickers here is it uses your (outlook) contact list - this way when my Mom gets hit with one of these things, she mails all of my siblings the virus. Its an email from an expected source - thus the "social hack" that makes this thing work as well as it does...

      To add insult to injury, she does not do anything but email. You think she knows about the mess that is out there or the little things called patches on the www thing? I use my Mom as a bar for the unwashed masses - these viri are never going to stop from user education...
  • To explain to others why Windows-based firewalls like ZoneAlarm and BlackIce are inherently less secure than dedicated firewall devices and dedicated Linux firewall solutions...the fact that they run on Windows means they can be knocked dead by a virus.

    And speaking of antivirus software...everyone at my company received a warning email about this virus today from the admin. I took the opportunity to reply back to his email with the following:

    *****
    On the topic of virii, Mcafee and Symantec's Norton AV may be leaving a "backdoor" open in its future product updates to accommodate the FBI's Magic Lantern virus for Outlook. I doubt the government really wants to spy on us, but think of this:

    As soon as someone figures out how to mimic Magic Lantern's signature/fingerprint/code/etc., crackers everywhere will have an easy way into any computer protected by Mcafee or Norton AV. Wave good-bye to confidentiality. This is rather alarming. Here's a link to an article from Wired:

    http://www.wired.com/news/conflict/0,2100,48648,00.html

    Here is a link to an article on the topic from the Forum on Risks to the Public in Computers and Related Systems

    http://catless.ncl.ac.uk/Risks/21.77.html

    This is just a junior analyst's opinion, but I would begin seeking virus protection alternatives.
    *****
  • by Proud Geek (260376) on Tuesday December 04, 2001 @05:48PM (#2656122) Homepage Journal
    According to the Symantec page it will install robot scripts if you have mIRC installed. Add that to the 'really-is-harmful' list.
  • It doesn't just delete files. As Symantec reports [symantec.com]:

    "If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DOS) attacks."

  • by ellem (147712) <ellem52NO@SPAMgmail.com> on Tuesday December 04, 2001 @05:52PM (#2656153) Homepage Journal
    This virus has two real goals:

    1 -- Propagate
    2 -- Disable Anti Virus

    This worm is a setup. So in a few days the 31337 h4x0rs will release the REAL virus that does the REAL damage to the people whose defenses have been compromised.

    I love being a Win Sys Admin

    Anyone need an OSX admin?
  • Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere.

    Per the Symantec virus warning, it will also use IRC bots to commit DoS attacks.
  • Poster says: Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere.

    According to Symantec: Deletes files: Attempts to delete several files, including NAV

    Poster says: Two is its small size -- it has a packed form that is only 159 bytes.

    According to Symantec: The size of the worm unpacked is approximately 159 KB and Size of attachment: 38,912 bytes.

    So, when are we going to do some checking first? Deleting files is pretty damn harsh for a "non destructive" virus, and a "packed form that is approximately 159 bytes" is NOT the same as an unpacked form of "159 KB", packed to 38,192 bytes.

  • We're running NT 4.0 and using Lotus Notes as our e-mail client. Despite regular and repeated admonishments we've had two users open these damn things. Well, this was predictable and that's one big reason we're using Notes instead of Outlook: at least we won't be spreading this crap.

    Funny, though: both computers were infected but only one had gotten around to adding itself to the registry, and neither one deleted McAfee. I wonder if these things are on a timer where they don't do their bad shit right away upon infection? Probably a bug... :)
  • pretty crafty (Score:2, Interesting)

    by afidel (530433)
    If you reboot without cleaning the system then the virus stops the 3 major Antivirus packages. It then deletes the entire directory where the stopped file was found.

    As one user put it here, these guys are pretty dumb, they need to learn to be more creative. When they come out with one that says free beer click here then I'll be scared.
  • by Matts (1628) on Tuesday December 04, 2001 @06:04PM (#2656251) Homepage
    I work for a managed security provider [messagelabs.com] and we stopped this using heuristics for all our customers. It's growth rate has been phenomenal, considering it doesn't even use any hacks - it's just a stupid social engineering virus! It was very funny listening to our anti-virus guy on the phone to reporters saying "We've stopped 4000 in the last two hours. No wait, 5000. ... oh, and now 6000".

    The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)

    I do worry for apps like this on Linux though, as email clients become able to execute attachments. But the benefit is that Linux doesn't assume things based on file suffix, but on their actual mime type. However, that still leaves a possible vulnerability to mime type spoofing, perhaps.

    • Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client

      That's not even a root cause, it just makes things a little easier for the virus to propagate. If they made it completely impossible to execute attachments in the client, users would simply do what they then learn they're "supposed" to do with attachments -- save them to a file, and then run/view them from the shell. Boom, same result.

      There is no sure-fire fix to prevent this sort of virus. It's not, at its core, a problem with either the basic functionality of the email software (well written software can only slow down the propagation, not stop it), nor the scope of the user's permissions (it's well within the user's scope to read his own mail, execute software, read his own address book, and send mail). It's a problem with the behaviour of the user.

      As long as it's possible to attach arbitrary files to emails, and run arbitrary code on a machine, they'll propagate. Making it technically impossible to do either of those things a) is difficult, and b) makes the system far less useful.

      • Well, as other posters have pointed out, you need to set the execute bits. That's always going to be a task my mother would shy away from. Of course that may also be something that prevents widespread adoption of Unix on the desktop :-)
    • by tswinzig (210999) on Tuesday December 04, 2001 @06:52PM (#2656605) Journal
      The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)

      Apparently your people need to do some research. Microsoft has had a patch out for about a year now that can be installed to prevent Outlook from giving access to any executable file, AND this is the default behavior in Outlook XP/2002.
  • I got several of these emails this morning, and obviously thought it was a virus, but my McAfee software didn't identify it as such. It passed, no problem.

    So, thinking I needed an update, this afternoon, I downloaded the most recent version of their .dat file (dated 11/28). Still, the virus passed, with no problems.

    I'm pretty disappointed with McAfee for this. An update should have been made immediately available as in, this morning. I imagine a lot of people were stung because the virus definitions weren't updated quickly enough.

    Thankfully, I never use Outlook, so no damage was done.
  • by Anonymous Coward
    Microsoft has had a patch available that disables .src and many of the other extensions that these virii use. The thing is, the patch has been there, ready to download, since JUNE of 2000!!! Holy shit people, why don't you all have this already taken care of already?

    My shop NEVER gets these things. When you IT geeks are bitching to your bosses about how much MS sucks and begging to be able to switch the whole shop over to *nix, do you tell him/her that there has been a patch available for well over a year that would have stopped this?

    I bet you guys all leave that part out, don't you?

    I have uses for both Windows and various *nix's, so I use them both. But I at least attempt to keep the windows environment in tip top shape.

    How many of you "IT professionals" are sacrificing your shops systems by not applying obvious security updates, like the one I mentioned, just because you resent having to use Windows?

    I just happened to bump into some upper management of one of my companies associates, he was complaining about his shop getting destroyed by this virus today. His ears really perked up when I told him about the MS security patch that had been around since June of 2000. I think he will be looking for a new "IT professional" to run his place of business soon. I hate to get a guy fired, but such is life.

    The blame for this mess is on 1. Lazy/Ignorant IT people or 2. Linux loving geeks who want to use *nix at work, so they want to see MS fail, so they don't bother taking care of windows security.

    I don't know which category the guy I probably got fired fell under. How about the rest of you guys who said your shops were hit? Which one are you?
  • by Goner (5704) <nutateNO@SPAMhotmail.com> on Tuesday December 04, 2001 @06:18PM (#2656361) Homepage

    I am ashamed that anyone would intentionally use my Slashdot account name to bolster the popularity and reputation of their sick virus. I'm sure the hackers [adequacy.org] who created this monstrosity were well versed in such hacker tools as Bonzi Buddy [bonzi.com] and Lunix [lunix.org]. If they think I would come out and support such a destructive screen saver they are very, very wrong. If God wanted toasters to fly [macworld.com], he would have given them wings.

    So, you hackers, where ever you are, Goner (of Slashdot lore) does not approve!

  • by cscx (541332) on Tuesday December 04, 2001 @06:19PM (#2656373) Homepage
    OK, I want all you Outlook-haters to read this: In outlook xp, you have to edit the registry if you want to be able to open .exe, .vbs, et cetera attachments. No ifs, ands or buts from Outlook. Which brings me to my next point... If people are generally so stupid they open attachments like this, they need to pack up their computer and put the box in their closet. I mean, shit, I could write a .vbs file, send it to someone running Pine under Win32 - what stops them from saving it and running the file. What also pisses me off is the people that say "oh I run Linux so I'm fine"... well buddy, I could send you


    #!/bin/sh
    rm -rf /*


    and say "Hey, run this!". Thing is, most Linux users are geekier than the average windows user, and will think twice before doing so! See, the problem here is not Outlook itself, but the incompetence of the people using it. Yay MS for disabling exes by default... just reminds me of all those Flash animations that make the e-mail rounds that could be virus laden.....

    • Mmmm, one important point you missed:

      What also pisses me off is the people that say "oh I run Linux so I'm fine"... well buddy, I could send you

      #!/bin/sh
      rm -rf /*
      Gee, I just tried that, and all it did was print a million "Permission denied" messages. Oh, and it messed up my test account, but I fixed that with "su, deluser test, rm -rf /home/test, adduser test", and everything's back to normal.

      Anyone else out there got some email viruses they want me to try out on my Linux box? They probably won't work either.

      Warning to Linux non-experts: if you want to try this yourself, note that running rm -rf /* will delete any file owned by the person who runs the command.

      Before you run anything off the network, you should switch your user (using the su command) to a "test" user that doesn't own any important files. You can set up a test user account by doing an "su root", "adduser test", and then "passwd test" to set the test user's password.

      Carry on mocking Windows at your leisure... Or maybe the Microsoft apologists could write a little explanation of how to set up a safe testing account on Windows? Oh, that's right you can't, too bad about that.

      (snicker)
      • Oh, and it messed up my test account, but I fixed that with "su, deluser test, rm -rf /home/test, adduser test", and everything's back to normal.
        Oh, and for all you 'Linux non-experts' if you do this to an actual user's directory, well, they're not going to be happy. Hope you've got those backups. The point he was trying to make is that it's not a matter of system security, it's a matter of user education. How many 'oh look I installed linux' users are running vulnerable versions of wu-ftpd, bind, lpr, and so on? Lots.
      • by cscx (541332) on Tuesday December 04, 2001 @08:06PM (#2657020) Homepage
        Or maybe the Microsoft apologists could write a little explanation of how to set up a safe testing account on Windows? Oh, that's right you can't, too bad about that

        Mmmkay, let's give this a try shall we?

        1. Set up NTFS ACLs properly - this includes giving SYSTEM rights to what needs to have it, along with the Administrators group, etc. Users should only have read access. (Most experienced NT end-users should already have done this a long time ago; if you're on a properly set-up network, it should have been done already!)

        2. Open up the MMC, go to users and groups, and add a user. Make it a member of the Users group, which you have already set up as to only have read access (heck, you can set it up to everything BUT delete access... NTFS ACLs are so specific and expansive it beats rwxrwxrwx hands down :-/) and also give it full access to its home directory under "Documents and Settings\user"

        3. Log in as that user.

        4. Open up a command prompt.

        C:\>del /F/Q *.*
        C:\New Text Document (2).txt
        Access is denied.
        C:\New Text Document.txt
        Access is denied.
        etc...

        Oh wait, I didn't ever have to log in! Ever seen 2000's oh-so-cool "Run as different user" option on the property sheets? Guess not.

        I think it's about time the zealots pull their heads out of their asses before they go and flame someone on a topic they know nothing about.

        • So, cscx says:

          Mmmkay, let's give this a try shall we?

          [...](sketchy explanation of how to set up a throwaway test account deleted)[...]

          I think it's about time the zealots pull their heads out of their asses before they go and flame someone on a topic they know nothing about.
          Sorry, you lose. Here's why:

          1. That doesn't work on Windows 95, 98, or ME. Those systems just don't have security. Period.

          2. It doesn't work if you aren't using NTFS. A LOT of NT, 2K, and XP systems don't.

          3. You don't have a short, simple description of how to "Set up NTFS ACLs properly". But I don't blame you - a short, simple explanation of that subject is impossible.

          Compare that to Linux. The instructions I gave for setting up a throwaway test account are very simple, can be executed in seconds, and will work on any Linux distribution from the last five years at least.

          That's impossible on Windows, and your post basically proved the point. Thanks!
  • by Sokie (60732)
    http://www.grisoft.com [grisoft.com], in my opinion, about the best virus program out there.

    1. It's free (with no ads or other annoyances)
    2. It scans both incoming *and* outgoing e-mails for virii if you so choose. (It will even tag them as certified virus free by Grisoft if you want.)
    3. Just because it's free (although they do sell commercial versions) doesn't mean you don't get updates or anything. They already have an updated database (out today) for Goner.

    Anyway, just something for the Windows people who don't have one of the commercial virus apps already, I've loved AVG since I put it on.

    Also, doesn't look like AVG was targeted for deletion by this virus, course that just means AVG isn't very well known, but nice to know for me anyway....
  • All Microsoft has to do is tell the outlook team to go over to their Macintosh Business Unit and steal this dialog [f2s.com]. This could at least stop the smartest 60% of users from spreading these things. And how about another warning about running script files? Last time I checked there weren't too many people using script attachments for legitimate purposes. Of course making the two most popular versions of your internet software automatically execute files doesn't help either. Yes, users should have patched their software, but just go to any site that tracks browser usage and you'll see that most people are running a vulnerable version of MS Outlook/Explorer; once you let that much vulnerable software out of the bag, it's hard to get it all back in.

    I would also like to know how the worm was labeled as non-destructive if it, "will try to delete files of common anti-virus and firewall products. If the files are in use and cannot be deleted, the worm will create the file %SYSTEM%\Wininit.ini, which causes the files to be deleted when the computer restarts." Granted it doesn't try to fry your BIOS chip, but last time I checked anything that deleted files was destructive.

  • I'm still surprised no one has made a really destructive worm that trashes someone's system. It shouldn't be too hard to modify one of these worms to do something like that. You'd think with all the worm/virus makers out there some of them would have different intents, unless all these worms are being written by the same group of people.
  • by Asic Eng (193332) on Tuesday December 04, 2001 @06:42PM (#2656553)
    I guess this shows that Windows is not ready for the desktop. Sure, playing games, maybe coordinating meetings and using a calendar, work - but email? Leave that to serious systems.

    I know, I know, other email clients, etc.

    However there is one thing I don't understand, why are flaws which convert your office network into a disaster area, somehow acceptable, whereas some esoteric calendar tool is so vitally necessary that people straight-faced claim that Linux isn't ready for the desktop?

    It's not just Outlook either - every damn document format that MS produces is an attack waiting to happen. Apart from being susceptible to bit rot and bloated.

    The average user simply does not have the competence to operate a Windows system safely in an office environment. It's not enough to consider training costs when switching to Linux, you also need to consider TCO. That means your downtime, additional maintenance to repair user machines and lost or corrupted data, when using Windows systems.

  • by sharkey (16670)
    The silhouette of Darth Vader in the icon is a nice touch, to my way of thinking.
  • by Spacelord (27899) on Tuesday December 04, 2001 @06:49PM (#2656588)
    What I don't get is ... why doesn't everyone just add a forwarding SMTP server between the internet and their exchange server and set it up to deny .vbs, .scr, ... style attachments.

    We use exchange at work too, and I just set up a linux box running postfix in front of it. With a simple one-line regular expression, every dangerous attachment gets blocked. (hint: use the body_checks parameter) We haven't been hit by a single worm or virus since then.
  • by defile (1059) on Tuesday December 04, 2001 @07:18PM (#2656756) Homepage Journal

    Thank god the people that write this kind of code are completely incapable of writing evil IDE command sequences that can fry hard drive firmware.

    Imagine the destruction you could cause if after every infection and replication to everyone in your address book, it wrecked your hard drive and required it to be sent back to the manufacturer for repair?

    Hmm, interesting sales pitch you could offer to Maxtor, Seagate, etc if you want to make a quick buck at the expense of the global economy. (unless the 90-day warranty covers "act of hacker").

  • by JoshuaDFranklin (147726) <joshuadfranklin.NOSPAMNO@SPAMyahoo.com> on Tuesday December 04, 2001 @08:01PM (#2657002) Homepage
    Honestly, how many people really send raw screensavers?? Make people at least zip them. If you're running a *NIX mail server, put this in your /etc/procmailrc NOW:
    VIRUSDUMP=/var/virusdump/virus

    # Remember the From: address so the notice can be sent back to it
    # (a worm may have forged this address, so the notice can reach a bystander).
    :0 # Use procmail match feature
    * ^From:\/.*
    {
    HFR="$MATCH"
    }

    :0
    * ^Content-type:.*
    {
    # Any header (H) or body (B) line naming an attachment with a risky extension
    :0 HB
    * name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe|bat|js)"
    {
    # c = send a copy of the header (h) through the notifier and keep the
    # message itself for the quarantine recipe below
    :0 hc
    | (formail -r; \
    echo -e "This is an auto-generated message\n\
    \n\
    The email referenced above, which was sent from your address, \n\
    had a virus-vulnerable attachment (such as .EXE, .VBS, .PIF, etc).\n\n\
    This mail server no longer accepts mail with virus-vulnerable \n\
    attachments and the email has been quarantined.\n\
    Please try resending your attachment in a safe format such as ZIP. \n\
    Contact support@your-name.com if you have any questions")\
    | mail -s "Possible virus deleted" "${HFR}"

    # Quarantine the message instead of delivering it
    :0
    ${VIRUSDUMP}
    }
    }
    We get about 50MB/day of these. Archive them for a week, then delete them. If anybody really sent something useful, someone at the address listed can get it back for them. Hasn't happened yet.
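
The postfix body_checks regex Spacelord mentions and the procmail recipe above both make the same decision: look at the attachment's file name and refuse the executable extensions. The following is an added example, not code from either poster, that performs that check two ways on a constructed message, once with a single-line regex in the spirit of body_checks (the actual pattern used is not in the thread, so this one is an assumption) and once with a real MIME parser. The second attachment in the sample spells its name with an RFC 2231 parameter continuation, which shows why a per-line regex is a weaker check than a parser that reassembles the name.

```python
"""Screen inbound mail for attachments with executable extensions.

Added example, not code from the thread: it performs the same check as the
postfix body_checks regex and the procmail recipe discussed above, but with a
real MIME parser beside the one-line regex, to show what each catches.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Tuple

# The extensions the procmail recipe above blocks.
BLOCKED_EXTENSIONS = frozenset({
    "vbs", "wsf", "vbe", "wsh", "hta", "scr", "pif", "com", "exe", "bat", "js",
})

# A single-line rule in the spirit of postfix body_checks. The thread does not
# show the actual pattern the poster used; this one is an assumption.
LINE_RULE = re.compile(
    r'name="?[^";]*\.(?:' + "|".join(sorted(BLOCKED_EXTENSIONS)) + r')"?\s*(?:;|$)',
    re.IGNORECASE,
)


def line_rule_hits(raw_message: str) -> List[str]:
    """Apply the regex one physical line at a time, as body_checks does."""
    return [ln.strip() for ln in raw_message.splitlines() if LINE_RULE.search(ln)]


def blocked_extension(filename: str) -> bool:
    """True if the final extension is blocked.

    Only the last extension counts, so 'photo.jpg.scr' is caught; the test is
    case-insensitive because Windows treats 'LOVE.SCR' like 'love.scr'.
    """
    _, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() in BLOCKED_EXTENSIONS


def attachment_names(msg: Message) -> List[str]:
    """Decoded filename of every leaf MIME part that carries one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # handles RFC 2231 continuations and charsets
        if name:
            names.append(name)
    return names


def screen_message(raw_message: str) -> Tuple[List[str], List[str]]:
    """Return (filenames the parser flags, raw lines the regex flags)."""
    msg = message_from_string(raw_message)
    flagged = [n for n in attachment_names(msg) if blocked_extension(n)]
    return flagged, line_rule_hits(raw_message)


# Constructed sample message (the payloads are base64 of "not a real file").
# The second attachment spells its name with an RFC 2231 parameter
# continuation, which a per-line regex never sees as one string.
SAMPLE_MESSAGE = """\
From: "A Friend" <friend@example.invalid>
To: you@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

When I saw this screen saver I immediately thought about you...
--BOUNDARY
Content-Type: application/octet-stream; name="gone.scr"
Content-Disposition: attachment; filename="gone.scr"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBmaWxl
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*0*=utf-8''photo.jpg;
 filename*1*=.SCR
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBmaWxl
--BOUNDARY
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

meeting at ten
--BOUNDARY--
"""

if __name__ == "__main__":
    parser_flags, regex_hits = screen_message(SAMPLE_MESSAGE)
    print("parser flagged:", parser_flags)      # ['gone.scr', 'photo.jpg.SCR']
    print("regex flagged lines:", regex_hits)   # only the two gone.scr lines
```

Run stand-alone, the parser flags both risky attachments while the per-line regex only sees the plainly written `gone.scr` name; the quarantine decision should therefore be made on the parsed filename, with the regex kept at most as a cheap first pass.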
