Security

Latest WinWorm Spreads Via ICQ And Outlook 598

mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.
  • Just got goner here (Score:3, Interesting)

    by monkeyfamily ( 161555 ) on Tuesday December 04, 2001 @05:35PM (#2655984) Homepage
    This is the first office I've seen grind to a halt because of an Outlook worm - but then, none of the other places I've temped have been so totally MS-centric. I think I'm the only one left with email access, as I'm using the mozilla client.
  • nope, sorry. (Score:5, Interesting)

    by tswinzig ( 210999 ) on Tuesday December 04, 2001 @05:39PM (#2656026) Journal
    it has a packed form that is only 159 bytes.

    Actually the attachment is 38KB, and the virus itself is 159 KILObytes, not 159 bytes, UNPACKED.

    The unique thing about it is it disables some anti-virus software, and things like ZoneAlarm.

    As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.
  • Social Engineering (Score:4, Interesting)

    by FatRatBastard ( 7583 ) on Tuesday December 04, 2001 @05:40PM (#2656047) Homepage
    This one's strength is actually its social engineering. The text of it sounds like something a friend would send. My sister got nailed and I got it via e-mail from her. Since I had just finished talking to her on AIM I found the text of it a little strange so my guard went up. Funny enough, McAfee didn't catch it on Yahoo (I scanned just to see what came up).
  • What about Badtrans? (Score:2, Interesting)

    by MS ( 18681 ) on Tuesday December 04, 2001 @05:42PM (#2656066)
    Did I miss a post or something?

    Badtrans is hitting my mailbox multiple times harder than Sircam, MTX and CodeRainbow combined. And it's only been around since the 24th of November. Practically every Outlook user I know of got infected with it.

    But then maybe this virus is hitting only Europe, so US-citizens haven't noticed it, yet.

    Needless to say, I'm happy to read my e-mail on a *nix box. :-)

    ms

  • We got it via ICQ. (Score:1, Interesting)

    by Anonymous Coward on Tuesday December 04, 2001 @05:44PM (#2656090)
    Someone at my office got the virus by ICQ, then it killed our Exchange server. We had over 10,000 copies of the virus in the out queue before we could pull the server off the network. All this because one of the 2000 admins forgot to add *.scr back into the filter rules when he upgraded the anti-virus app last week.
    Ain't life GRAND!
  • by Lemmy Caution ( 8378 ) on Tuesday December 04, 2001 @05:48PM (#2656124) Homepage
    Don't be misled. Maybe you are too young to remember, or weren't in the industry, but the VB-based viruses are far tamer than some of the older Bulgarian viruses that used to attack DOS and Novell systems - those viruses would actually destroy the *hardware*. Unix has plenty of exploitable aspects - there was a vulnerability in pine that allowed for the execution of arbitrary code, there have been sendmail holes, worms, and other vulnerabilities. The unix model has been criticized by none other than RMS (when defending the HURD model) for its promiscuous reliance on SUID.
  • pretty crafty (Score:2, Interesting)

    by afidel ( 530433 ) on Tuesday December 04, 2001 @06:04PM (#2656249)
    If you reboot without cleaning the system then the virus stops the 3 major Antivirus packages. It then deletes the entire directory where the stopped file was found.

    As one user put it here, these guys are pretty dumb, they need to learn to be more creative. When they come out with one that says free beer click here then I'll be scared.
  • by cscx ( 541332 ) on Tuesday December 04, 2001 @06:19PM (#2656373) Homepage
    OK, I want all you Outlook-haters to read this: In Outlook XP, you have to edit the registry if you want to be able to open .exe, .vbs, et cetera attachments. No ifs, ands or buts from Outlook. Which brings me to my next point... If people are generally so stupid they open attachments like this, they need to pack up their computer and put the box in their closet. I mean, shit, I could write a .vbs file, send it to someone running Pine under Win32 - what stops them from saving it and running the file? What also pisses me off is the people that say "oh I run Linux so I'm fine"... well buddy, I could send you


    #!/bin/sh
    rm -rf /*


    and say "Hey, run this!". Thing is, most Linux users are geekier than the average windows user, and will think twice before doing so! See, the problem here is not Outlook itself, but the incompetence of the people using it. Yay MS for disabling exes by default... just reminds me of all those Flash animations that make the e-mail rounds that could be virus laden.....

  • by Chris Johnson ( 580 ) on Tuesday December 04, 2001 @06:45PM (#2656568) Homepage Journal
    And pass up the possibility of "stopping a variety of antivirus and security applications and deleting all the files in the folders containing those applications. Kaspersky Lab's AVP, Zone Labs' ZoneAlarm, and Internet Security Systems' Black Ice are among the programs affected."? (CNet)

    Those ARE all Microsoft competitors, are they not?

    Microsoft DOES have an inferior product bundled with XP that they wish to prevail against this technically superior (and two-way: no spyware-friendliness like with MS's version) competition, do they not?

    Let me say that I don't know whether Microsoft has spread this worm themselves to take out their competitors, because I don't know where it came from in the first place and I won't have to deal with it except shoveling it out of my Mac/Eudora Light inbox. But you have to ask, 'who benefits?'. And you can't seriously expect Microsoft to get rid of their scripting, when they can use it in so many ways to damage their competitors- and their competitors are not only 'any other software company' but the fundamental technologies of the Internet itself, which they don't own. They _want_ this to happen.

  • by Zico ( 14255 ) on Tuesday December 04, 2001 @07:39PM (#2656893)

    Nope. With Outlook 2002 (XP), Outlook 2000 with SP2, or Outlook 98 or 2000 with the Email Security Update, you can't even save the attachment elsewhere, or open it or forward it to someone else. See http://www.slipstick.com/outlook/esecup.htm#attsec [slipstick.com] .

  • by DarkEdgeX ( 212110 ) on Tuesday December 04, 2001 @07:41PM (#2656907) Journal
    You'd use MoveFileEx to get rid of the file, like so--

    MoveFileEx("C:\\WINNT\\System32\\Gone.scr", NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

    The combination of MOVEFILE_DELAY_UNTIL_REBOOT and a NULL lpNewFileName creates a special condition where Windows deletes the file at startup. This is commonly used by installers, for example, when a file is in use and DeleteFile fails. For anyone going through the trouble of putting this into an executable, you might want to grab the Windows system directory from Windows itself.. this can be done using GetSystemDirectory (prototyped as--

    UINT GetSystemDirectory(
    LPTSTR lpBuffer, // buffer for system directory
    UINT uSize // size of directory buffer
    );

    ) or you could be clever and use ExpandEnvironmentStrings, prototyped as--

    DWORD ExpandEnvironmentStrings(
    LPCTSTR lpSrc, // string with environment variables
    LPTSTR lpDst, // string with expanded strings
    DWORD nSize // maximum characters in expanded string
    );

    Shrug. =) Just thought this might help, for those unable to figure out how to delete a file in NTFS (but that do have a C/C++ or other compatible compiler).
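    The same approach, written out as a complete program: this is an added example, not code from the comment above or from any vendor tool. It resolves the system directory with GetSystemDirectory, checks the return value for failure and truncation (the contract is: characters copied on success, required size including the NUL if the buffer is too small, 0 on failure), joins the path with bounds checking, and then calls MoveFileEx with a NULL new name and MOVEFILE_DELAY_UNTIL_REBOOT. The file name "Gone.scr" comes from the post; the value returned by the non-Windows stand-in for GetSystemDirectoryA is an assumption so the path logic can be run anywhere, and the real deletion request only happens when built on Windows.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows stand-in for GetSystemDirectoryA so the path logic runs anywhere.
   Same contract as the real call: returns the number of characters copied
   (without the NUL), the required size including the NUL if the buffer is too
   small, or 0 on failure. The directory value is an assumption for the demo. */
typedef unsigned int UINT;
#define MAX_PATH 260
static UINT GetSystemDirectoryA(char *buf, UINT size) {
    const char *fake = "C:\\WINNT\\System32";
    size_t need = strlen(fake);
    if (buf == NULL || size == 0 || need + 1 > (size_t)size) return (UINT)(need + 1);
    memcpy(buf, fake, need + 1);
    return (UINT)need;
}
#endif

/* Join sysdir and name into out with bounds checking. Returns 1 on success,
   0 if the result would not fit. Adds a backslash only when sysdir lacks one
   (GetSystemDirectory returns a trailing backslash for a drive root). */
int join_system_path(const char *sysdir, const char *name, char *out, size_t outsz) {
    size_t dlen = strlen(sysdir);
    int need_sep = (dlen > 0 && sysdir[dlen - 1] != '\\');
    size_t total = dlen + (need_sep ? 1u : 0u) + strlen(name);
    if (total + 1 > outsz) return 0;
    memcpy(out, sysdir, dlen);
    if (need_sep) out[dlen++] = '\\';
    memcpy(out + dlen, name, strlen(name) + 1);
    return 1;
}

/* Resolve <system directory>\name. Returns 1 on success, 0 on API failure or
   truncation; the truncation check is the part callers usually forget. */
int system_file_path(const char *name, char *out, size_t outsz) {
    char sysdir[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, (UINT)sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return 0;
    return join_system_path(sysdir, name, out, outsz);
}

/* Ask Windows to delete <system directory>\name during the next boot.
   Returns 1 if the request was registered, 0 otherwise. */
int schedule_delete_at_reboot(const char *name) {
    char path[MAX_PATH];
    if (!system_file_path(name, path, sizeof path)) return 0;
#ifdef _WIN32
    /* NULL new name + MOVEFILE_DELAY_UNTIL_REBOOT = delete at startup. The
       request is stored under PendingFileRenameOperations in HKLM, so the
       caller needs administrative rights or this fails with access denied. */
    if (!MoveFileExA(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)) {
        fprintf(stderr, "MoveFileEx failed: %lu\n", (unsigned long)GetLastError());
        return 0;
    }
    return 1;
#else
    printf("would schedule deletion of %s at next reboot\n", path);
    return 1;
#endif
}

int main(void) {
    /* "Gone.scr" is the file name given in the post above. */
    return schedule_delete_at_reboot("Gone.scr") ? 0 : 1;
}
```

    Two things worth noting for anyone who adapts this: the delayed-delete request goes into HKLM, so run it from an administrative account, and the worm's own copy in the system directory is only one of its persistence points, so check the Run keys the vendor write-ups list before trusting a reboot to clean the box.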
  • Re:Won't work (Score:2, Interesting)

    by mrseigen ( 518390 ) on Tuesday December 04, 2001 @07:42PM (#2656919) Homepage Journal
    People would still open and run it anyway.
  • by Robin Lionheart ( 14795 ) on Tuesday December 04, 2001 @09:45PM (#2657448) Homepage

    Has anybody heard of anyone who has tried to sue Microsoft for loss of profit (or whatever) due to faulty products? Do Microsoft have some kind of protection from this?

    The EULA distributed with Office 2000 specifically disclaims liability for "loss of profit":

    "To the maximum extent permitted by applicable law, in no event shall Microsoft or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use the SOFTWARE PRODUCT or the provision of or failure to provide Support Services, even if Microsoft has been advised of the possibility of such damages."

    Under the USA's Uniform Commercial Code, there is by default an implied warranty that any product sold is "merchantable", meaning fit for the customary use that the product is put to. Unless the terms of sale change that implied warranty, a buyer could sue over dysfunctional software.

    Software licenses generally disclaim those implied warranties, an innovation that began with VisiCalc's "as is" license. If you read the fine print of Microsoft EULAs, you will find a capitalized sentence like "TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, WITH REGARD TO THE SOFTWARE PRODUCT, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES."

    Whether the EULA has any legal weight is questionable. Software licenses are rarely presented at the time of sale. Installation programs try to impose them after the fact by demanding your agreement before installing the program on your computer.

    Like many click-wrap agreements, Microsoft's EULAs are very one-sided, offering you nothing in return for restricting you from installing the software on more than one computer, from making more than one backup copy, from lending the software to anyone else, from reverse-engineering the software, and sometimes even from reselling the software or from criticizing the product. Such "agreements" may not constitute valid contracts, and even if they were, may be invalid as "contracts of adhesion".

    So, Microsoft and other software corporations lobby for UCITA [4cite.org] (Uniform Computer Information Transactions Act) laws giving software the special ability to impose terms and restrictions after purchase. UCITA has already passed in Maryland and Virginia and has been introduced in the legislatures of many other states.

  • by mattACK ( 90482 ) on Wednesday December 05, 2001 @01:11AM (#2658242) Homepage
    Profiles directory - Creator Owner FC (or modify)

    In the shell, for me this is:

    cacls "Documents and Settings" /E /G "Creator Owner":C

    Geez that was tough. I don't think you'll find anyone defending Win9x, but you don't often see people attacking it anymore (unless they are desperate to make a point). Don't take offense to that, but NTFS does work if you ask it to.

    Anyway, there is no such thing as a short, simple explanation of security best practices, framework, etc. It is a mindset. Secure it until it doesn't work, open it until it does, standardize on it, and be fluid enough to rip it all out and start over if necessary. OS specifics are detailed out in the man pages/.hlp/.chm/whatever.
  • by Afrosheen ( 42464 ) on Wednesday December 05, 2001 @02:50AM (#2658515)
    In the latest Mandrake 8.1, there are many facilities that discourage this lame practice. One is that the root account in KDE has a bright red background and no icons on the desktop. When a user logs in normally, he/she gets all the normal stuff. This was a brilliant move because most newbies will think 'I don't have shit if I login as root and that red background pisses me off'. Another nice touch is that telnet server isn't installed unless you install it by hand. Props to mandrake for preventing newbies from aiming that double-barrel shotgun root account at their tender feet.
