America Online Security

New Worm Chats with Users on AIM

goldseries writes "CNet is reporting that a new IM worm chats with users to get them to download a file containing a virus. The virus replicates itself and sends itself out to users' buddy lists. The virus will reply 'lol no this is not a virus.' The virus hides users from seeing the messages sent out to members of their buddy list. Viruses are evolving; now they will even talk to you."

  • by thatguywhoiam ( 524290 ) on Wednesday December 07, 2005 @10:35AM (#14201776)
    Anyone remember "give me a cookie? [netlux.org]"
  • Not too intelligent (Score:5, Informative)

    by mcb ( 5109 ) on Wednesday December 07, 2005 @10:48AM (#14201925) Homepage
    I've gotten this from several people on my list in the past few days... it basically spams a message, usually the same one, every hour or so, with the same link. It just fakes the address, the real link is to: http://209.235.17.26/My_Christmas_Card.SCR [209.235.17.26]

    (06:41:27) xxxx: This AIM user has sent you a Christmas Card! To open it please visit: http://greetings.aol.com/index.pd?source=greetings card?my_christmas_card.scr [aol.com]
    This senders personal note: Merry Christmas!
    (06:41:27) yyyy : Sorry, I ran out for a bit!
    (08:42:59) xxxx: This AIM user has sent you a Christmas Card! To open it please visit: http://greetings.aol.com/index.pd?source=greetings card?my_christmas_card.scr [aol.com]
    This senders personal note: Merry Christmas!
  • by DickBreath ( 207180 ) on Wednesday December 07, 2005 @10:49AM (#14201934) Homepage
    ELIZA type programs of various flavors have been around for decades, and ran on computers that were very slow / small by today's standards. Heck, an Eliza-style program, and even its LISP interpreter could fit in 64K, or easily on half a megabyte. And that is the runtime requirement. The code itself could easily be a minor addon to a modern day malware.

    If you read some classic LISP texts, such as Norvig's book on AI using Common Lisp, or another book The Elements of Artificial Intelligence, and other classic texts, there are probably a lot of algorithms that could be used.

    Turn the spread of the malware into some kind of gameplay problem and use AI algorithms to optimize the "gameplay" of the spread?
  • by prionic6 ( 858109 ) on Wednesday December 07, 2005 @10:50AM (#14201943)
    This will come in to you from another AIM-user you KNOW and who is infected. Not some stranger.
  • by beanyk ( 230597 ) on Wednesday December 07, 2005 @11:03AM (#14202044)

    I have received less comprehendable IMs from people who would consider it a mortal sin to be anything other than professional in person or on paper.


    Umm ... I think you meant comprehensible [reference.com]. [Yes, I know I'm being petty.]
  • Integrated AI (Score:5, Informative)

    by Durzel ( 137902 ) on Wednesday December 07, 2005 @11:06AM (#14202077) Homepage
    I'm surprised these AIM worms haven't yet integrated with those award-winning AI bots used to fool other humans (e.g. Jabberwacky [jabberwacky.com] or ALICE [alicebot.org]).

    Having said that, when I asked Jabberwacky "Is this a virus?" it said "Well, I hope so." Not very reassuring..
  • by tpgp ( 48001 ) on Wednesday December 07, 2005 @11:23AM (#14202217) Homepage
    So people can send out executable jpegs? No thanks.

    I said execute bit in the filesystem.

    So - the virus would come in from the mail system with the execute bit set to 0, the user would have to download the file, get its properties, and tick the "execute" checkbox.
  • Note (Score:5, Informative)

    by Sheepdot ( 211478 ) on Wednesday December 07, 2005 @11:31AM (#14202298) Journal
    Note: The slashdot article says 'lol no this is not a virus.' The CNET article says "lol no its not its a virus".
  • by AnotherLostAtom ( 740628 ) on Wednesday December 07, 2005 @11:34AM (#14202326)
    Send the trillian crew an e-mail about it and/or upgrade to the latest bought version of trillian. The free version sux and the hacked versions concentrate on keeping the chat functionality, but tend to forget about extras. Trillian rules, I use it too :)
  • by _xeno_ ( 155264 ) on Wednesday December 07, 2005 @12:04PM (#14202589) Homepage Journal

    Windows NT/2000/XP already have this (sorta). You can set execute privileges on files, just like in UNIX.

    However, a default Windows XP install will be set up to inherit all permissions from the root of the drive, and will have the Users group set to Read, Execute, and Traverse Directories. So everything you download is by default executable, and no program I know of ever bothers to unset that. (Actually, the latest version of IE will store some metadata with executable files downloaded through it that marks the file as being "untrusted," but I think that only Windows Explorer (basically, IE itself) actually respects that metadata.)

    The other thing you need to understand is that, like UNIX, you can essentially exec (on Windows, ShellExecute [microsoft.com]) any file on the system. Unlike UNIX, though, the kernel won't actually try and interpret the file. Instead the Windows API (I think) will look up the file type and send the file off to the appropriate handler. So when you call ShellExecute, you're essentially acting like the user clicked on the file in Windows Explorer. To most programs like AIM, there's no difference between executing another program and opening a file in its viewer. As far as I know, there's really no way of asking Windows "are you going to just look at that, or actually run that?"

    The basic point here is that while Windows XP (and NTFS) do support an Executable flag, by default it's always on. Plus the "launch file" API will also run programs, and there's really no way to be certain that a file you're launching won't essentially be an executable.

  • Re:Does this mean? (Score:3, Informative)

    by kbahey ( 102895 ) on Wednesday December 07, 2005 @12:04PM (#14202590) Homepage
    Just to put some context, this is a reference to the September that never ended [wikipedia.org].
  • by NatasRevol ( 731260 ) on Wednesday December 07, 2005 @12:34PM (#14202866) Journal
    In at least Panther and Tiger:

    Finder>Preferences>Advanced

    Tick the Show all file extensions box.

    Enjoy .app all over the place.
  • by AKosygin ( 521640 ) on Wednesday December 07, 2005 @12:52PM (#14203047)
    On NTFS formatted filesystems, you can use the ACL to default set it so that all files saved will not have the "Execute File" permission. You just deselect "Allow" for the line that says "Traverse Folder / Execute File" for the "CREATOR OWNER" entry and "Apply onto" "Files Only" for the scope and allow propagation down.

    Or, you can go into your Group Policy Object (Local Computer or Domain) and by default in your Software Restrictions Policy disallow execution unless they were in areas of the file system you designate, I.E.: "Program Files" folder. And if I remember correctly, saved files from current versions of IM programs are saved in "My Documents" outside of the "Program Files" folder by default.
  • by ceoyoyo ( 59147 ) on Wednesday December 07, 2005 @03:14PM (#14204262)
    That's my point; hiding the file type in the meta-data makes it *very* easy to make a "jpeg" file that has the icon for a "jpeg" file but is actually an application. And since you need ResEdit, or an equivalent utility, to see the actual metadata that determines this, it's very hard to detect. Or you can hit apple-i (File|Get Info for the keyboard impaired) and look at the file type. OS X applications are actually folders, which you can't just download (they have to be tarred or zipped, then unpackaged on your end, THEN run). Command line executables cannot be run at all by clicking (unless you jump through some hoops) -- you have to open a terminal. I think the Mac has resisted major trojan attack because its users are less likely to click on anything in reach of their mouse. You're right though. The system keeps track of Apps and gives you a warning if, say, Safari.app has changed. This system should just be extended so the first time you run any app the system says "Hey, this is an app I've never seen before. Shall we really run it?"
  • by jayloden ( 806185 ) on Wednesday December 07, 2005 @03:20PM (#14204309)
    Dammit slashdot...that link was supposed to be http://jayloden.com/aimfix.htm [jayloden.com]

    If you want the binary only: http://jayloden.com/AIMFix.exe [jayloden.com]
  • by Xyde ( 415798 ) <slashdot.purrrr@net> on Wednesday December 07, 2005 @03:34PM (#14204420)
    "Show all file extensions" under Preferences in the Finder. OS X is pretty smart too, even if it's turned off, if you make a file like "pamela_nude.jpg.app" it will show the full extension cause it knows you're trying to be sneaky :)
  • by Jaruzel ( 804522 ) on Thursday December 08, 2005 @02:26AM (#14208397) Homepage Journal
    Well a little bit of playing around on my system (having never tried to conceal an EXE for malicious purposes before), and it seems that if you take MyProgram.exe and rename it to MyProgram.jpg.pif, Windows just runs it as if it was an EXE. The trouble is, like .LNK files, .PIF extensions are permanently hidden regardless of whether you have 'show extensions for known file types' ticked or not, consequently, MyProgram.jpg.pif appears as MyProgram.jpg, and there's nothing a user can do about it. By manipulating the icon inside MyProgram so it looks like the standard jpeg icon, you can totally fool the user.

    Trying to convert a non-pif PIF file into a LNK just would not work, and an error box would be thrown up ('Not a real shortcut file, do you want to delete it?')

    -Jar.
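
Added example (not part of the original comment): a file-name check that a transfer or attachment filter could apply to the renaming described in the comment above, comparing the name a user would see with the extension that decides what runs. The extension lists and function names are assumptions of this example, and it treats every extension as a registered ("known") file type.

```python
import ntpath

# Extensions hidden even with "show extensions" ticked; .pif and .lnk are
# the two named in the comment above.
ALWAYS_HIDDEN = {".pif", ".lnk"}
# Extensions that launch code when opened (assumed list for this example).
RUNS_CODE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk"}
# Extensions users read as harmless documents or media (assumed list).
LOOKS_SAFE = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".doc", ".pdf"}

def displayed_name(filename, hide_known_extensions=True):
    """Name as the file manager would show it under the behaviour described."""
    stem, ext = ntpath.splitext(ntpath.basename(filename))
    if ext.lower() in ALWAYS_HIDDEN or (hide_known_extensions and ext):
        return stem
    return stem + ext

def audit_attachment(filename):
    """Return findings for a received file name; an empty list means no flag."""
    stem, ext = ntpath.splitext(ntpath.basename(filename))
    ext = ext.lower()
    findings = []
    if ext in RUNS_CODE:
        # A document-looking inner extension in front of a runnable one.
        if ntpath.splitext(stem)[1].lower() in LOOKS_SAFE:
            findings.append("double-extension")
        # The user cannot reveal this extension by changing the view setting.
        if ext in ALWAYS_HIDDEN:
            findings.append("extension-never-shown")
    return findings

def report(names):
    """Map each name to (what the user sees with extensions shown, findings)."""
    return {n: (displayed_name(n, hide_known_extensions=False),
                audit_attachment(n)) for n in names}

# Constructed sample names; the first is the one from the comment.
SAMPLE_NAMES = ["MyProgram.jpg.pif", "MyProgram.jpg.exe", "holiday.jpg"]
```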
