Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug

New, More Destructive Love Bug Variant 404

Everyone and their brother wrote in to say that a new and more destructive version of the ILOVEYOU virus has hit the net. Instead of deleting on a few files, this one deletes every file not in use. And even more amusing, rather then using a hardcoded subject line, it uses the host's email archive to cause the subject to change while it propogates. Intelligent mail client users continue to be unaffected (although the ILOVEYOU sympathy virus has been annoying the heck out of us for days now... it works on the honor system: Please delete some files and mail to all your friends).
This discussion has been archived. No new comments can be posted.

New, More Destructive Love Bug Variant

Comments Filter:
  • E-mail administrators?! HAH!! The guy that admins our Exchange box was a Customer Service call guy up until 2 months ago, they just sort of dumped it on him and he had to learn how to use it in 2 days. He's still figuring stuff out, I help him when I can, but until this happened neither of us had worked with an Exchange Server before. Our company is too cheap to hire someone that knows what they are doing, so we end up scurrying around for days trying to solve problems that would take an experienced person 15 minutes....
    Ain't work grand?

    Kintanon
  • I just noticed that in the filters I posted that my tab character has been represented as a '>', so if you actually implement these rules, you will want to make that change as well.
  • So I received this virus at work, deleted some data files (no pr0n or mp3s at work, thank you), then sent it on to a bunch of friends - and Intel's server actually rejected it (503: "Potential Virus Detected")...

    Hey, that's some proactive sysadmin there!

  • by Anonymous Coward on Friday May 19, 2000 @05:13AM (#1061216)
    could someone please alter this virus so that its payload turns off the registry setting that allows it to propagate, and end this mess once and for all? a self-vaccinating virus, what a concept. then we can safely ignore this problem (for a while).
  • by 348 ( 124012 ) on Friday May 19, 2000 @04:26AM (#1061218) Homepage
    Oh, I disagree, and for the record, I didn't mean to imply that. I work with ISS frequently and view them to be a very professional and ethical firm.

    As for some of the up and coming AV firms, I wouldn't put it past them, however in this case I think it's just kiddies having fun with a mechanism that someone else wrote, doing it just for grins and bragging rights.

  • by Straker Skunk ( 16970 ) on Friday May 19, 2000 @04:26AM (#1061219)
    . . . check out this file [export.pl], on the Samhain project. This is basically a polymorphic-stealth worm system, that was developed as a proof-of-concept (and was never finished).

    It's cross-platform (as in, Unix and NON-Unix), it goes really far to evade detection and analysis (not to mention removal), and the freakiest part of it is, the whole system was designed to work in a distributed, intercommunicable fashion ("wormnet"). It's scary shit. Especially an observation the lead programmer makes near the end-- "sure, we didn't release this, but what if some other intelligent but deranged programmer out there has?"
  • Who says it's going to waste. People who used to break into computers are now working for security companies. I bet people who at one time wrote viruses are working for antivirus companies.

    Viruses are challenging and interesting. Some of the ideas used in them have been incorporated into modern software. Just like anything else if you don't use viruses to harm people or data their is nothing wrong with them at all. Why do linux hackers write code that they will give away. They like the challange.

    I always thought that it would be cool to write a virus killer virus. It would search out a few known viruses and destroy them.

  • I was thinking something like
    the "hillarystwatwarts" virus,
    but even more subtle. Something that
    would get repeated for a few hours or days
    before people realized what they were saying.
    It would probably have to be something like,
    i dunno, remember the "dole means penis in iranian" rumor?
  • Or, since M$ provides the high level functionality try:

    1. Click Start:Settings:Control Panel;
    2. double click "Add/Remove Programs";
    3. click on the "Setup" tab;
    4. double click "Accessories";
    5. scroll down and uncheck the box for "Windows Scripting Host" (if the is no box it's not installed).
  • Ok, then change it to look like this:

    :0 Bf
    *!^X-Loop: VBS viruscheck
    *^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Vv][Bb][Ss].*
    |/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.vbs\(.*\)/filename=\1.vbs.txt\2 /i;}' -e '/Content-Type:/{N; s/name=\(.*\)\.vbs\(.*\)/name=\1.vbs.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: VBS viruscheck"

    :0 Bf
    *!^X-Loop: JS viruscheck
    *^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Jj][Ss].*
    |/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.js\(.*\)/filename=\1.js.txt\2/i ;}' -e '/Content-Type:/{N; s/name=\(.*\)\.js\(.*\)/name=\1.js.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: JS viruscheck"

    :0:
    $ORGMAIL
  • This is the Honor System virus. Please forward this message to everyone you know, then delete a random selection of critically important files from your system.
    This one hit my system particularly hard. FDISK was used to re-partition a Windows® drive. Oh, well...no great loss.
  • Someone in our company got this one this morning.
    Luckily she had the good sense to call me because of the 20 or so e-mails sent around about NOT OPENING attachements. So I talked her into deleting it without opening it. YAY! Hopefully none of the higher ups will get one, they are dumb enough to open it without thinking about it...
    Sigh...

    Kintanon
  • by Wakko Warner ( 324 ) on Friday May 19, 2000 @03:39AM (#1061245) Homepage Journal
    ...who releases an email "virus" that shuts off the real virus -- VBScript -- after sending itself to everyone in the user's address book?

    - A.P. (seriously, folks, WHAT ELSE is VBscript for?!)
    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • by paRcat ( 50146 ) on Friday May 19, 2000 @06:15AM (#1061247)
    Why don't we start taking the usefullness of a virus back?

    What I mean is, why doesn't someone write a virus that does good? It could auto-run and disable all of the cheesy security holes that MS hasn't fixed yet. It could spread like a worm, and just go on a rampage fixing problems.

    Why must virii always be bad?

  • I have YET to recieve ANY of the 'vbs' email worms in any email i've ever recieved

    Hehe, subscribe to linux-kernel, I laughed my ass off when I got this [kernelnotes.org] email.
    There followed two or three automated virus warnings no human bothered to answer. Pretty ironic it was.
  • Like "Tuxissa"? (from segfault)
    -----------
  • I'm surprised noone has mentioned this wonderful procmail setup/script that has been around for some time to protect against HTML or file attachments in email.

    I've been using it for some time and it has protected myself and my users against almost any macro viruses I have heard about.

    http://www.wolfenet.com/~jhardin/procmail-securi ty.html
  • by Matts ( 1628 ) on Friday May 19, 2000 @06:21AM (#1061255) Homepage
    Funny yes, but people seem to be missing the fundamental reason why this happened.

    It has nothing to do with MS letting people run attachments without saving them first.

    This is all about mapping extensions to applications.

    This is a broken idea - totally. For starters it is quite simply dangerous, as the mappings happen everywhere. And installing an application might setup random mappings. But add onto that the fact that its used to associate scripts with their executor, much like the shebang line, only worse - the file needs no execute privileges. If you like, every mapped file extension automatically sets execute privileges. It is this functionality that is broken - not the mail client. And this has been in existance since DOS days, IIRC. So removing or fixing this "feature" is next to impossible.

    Good luck MS fans - it's a rocky road ahead.
  • The best solution would be for all "executable" attachments to be treated as untrusted code with a sandbox like a Java Virtual Machine - considering Microsoft's "expertise" in "enhancing" Java this should not be to difficult a solution to implement.
  • Port Outlook (and the brain-dead fondness for executing anything executable) to *nix and you'd still have as much of a problem.

    Sure, Win'9* security is broken, but it's not bad security that's the problem here. I want Outlook to do anything I personally have the rights to do. I want Outlook to have a scripting language, and to offer mail services to other scripting languages (this is useful). The only thing I don't want Outlook to keep doing is executing code from anywhere that I haven't told it absolutely explicitly to do so. I don't want signing - what am I going to do ? Sue them ? I can't even email my lawyers, as they've just eaten my address book.

    Win2K has brought its security concepts into the '80s, with Kerberpoodle the 2-headed mutt. We'll see how solid the implementation is, but at least they're making an effort.

  • That method does not work with W2K. It keeps a copy of all system files so if you delete those it puts them back immediately. You have to get rid of the dllcache folder also. Then you can delete the files and ignore the warnings windows gives.

    The so called "feature" is called windows file protection. It keeps a backup of every system file in the dllcache directory and if you delete the file or overwrite it with a differnt one than is in that cache windows will replace it for you without prompting. On one of the machines I had to clean the virus off of this directory was about 300 megs.

    This auto replace feature alone makes me feel real happy I use linux. Just have to support windows. :(

    As a side note that is why every windows 2000 machine I have seen still has solitaire and minesweaper on them. They are considered to be system files.
  • I'm proud to say I once almost got kicked out of Microsoft for sending something like this to a relatively large e-mail alias. (I know, I shoulda tried harder.) The one I sent was actually embellished slightly be a friend:

    And whatever you do, don't try to remove this virus from your system. If you do, it will immediately mail the IRS and tell them you had $2,500,000 in unreported income last year. From dealing drugs.
    --
  • Comment removed based on user account deletion
  • Please, a nice distinction needs to be kept in mind between those who are not focused on computer technology, and those who actually are "stupid". I would not deny that stupid folk exist, but it does one no good to call someone stupid just because their area of interest is not the same as ones own.

    E.g., I do not find accounting of interest, but this does not cause me to consider myself stupid, even though it sometimes causes me hardship. (Of course I could just quit that book club, but I don't like that choice either.)
  • You can get a freebie add-on from:
    Nemx [nemx.com] called Power Tools. It runs as a service under exchange and allows stripping of attachments via extensions.
  • Technically speaking, those weren't part of DOS. I don't recall off-hand who wrote those, but if you had a true-blue IBM system, and booted with any OS, it dumped you into the BASIC screen. It was part of ROM and definitely NOT part of DOS, or any other OS.

    Since this was a proprietary IBM ROM, if you had a non-IBM PC, this instead came as software, and you'd get the boot behavior we all know if there was no OS.
  • I am glad, I didn't see python there. :-)

  • It's harder to write a script that will run in Linux than it is to write a VB script. IT's like martial arts...the discipline teaches you not to do harmful things, maybe.
  • Nearly right,
    the next variant will contain a variant on the words "Trade Secret" for title, A html based Javascript click through licencse for a body (starting and ending with a load of legal mumbo jumbo and containing perhaps one sentence of warning as to what is about to happen), and a debian install starting with delete all partitions.
    BTW, the only target will be M$
  • Often times I've found that sending an attachment by e-mail was much easier than dealing with FTP and HTTP. For example, I was on-site at a client and needed to get some files from inside their firewall to my office. So, I just zipped them up and e-mailed them.

    Blocking attachments seems like a "throwing the baby out with the bathwater" kind of solution.

    ---

  • So let us start terming the bug as a Windows bug or Windows virus instead of a generic computer bug. This goes a long way in getting the mindset of people that if you want to be on the Internet use a secure OS - Mac, Beos or Linux pick your choice.

    I partially agree with you in that this is a Windows-specific virus. I disagree, however, with your comment indicating that the cause is lacking the security of Linux. The real issue is the availability of VBScript on the client, which in turn gives the attackers access to the local file system.

    Our company runs both Windows and Linux 7x24 (with a few reboots here and there on the Windows boxes every day, of course ::wink::). We've received the ILOVEYOU attachments and just laughed at them because our e-mail clients don't support unrestricted scripting, even on the Windows machines, where we run Netscape Messenger. Netscape Messenger, while it allows JavaScript, doesn't allow unrestricted access to the file system and other Communicator resources like VBScript does.

    We perceive unrestricted scripting access from the e-mail client as the real problem, not Windows itself. Any system that allows unrestricted scripting privileges (even *NIX systems) to its users is vulnerable to malice.

    As for Macintosh and BeOS being "secure", I just beg to disagree. Perhaps you know something about them that I don't about them. Would you care to expand on exactly what makes them inherently secure when compared to Windows?

    In conclusion: Our recommendation to our customers is very simple: Get off MS-Outlook/MS-Exchange for e-mail. IMAP and an appropriate e-mail client will do the same job without having to worry about VBScript viruses.

    Talk to you later,

    Eugene
  • by thrig ( 36791 ) on Friday May 19, 2000 @04:46AM (#1061295)
    You should be able to place a filter like this on a sendmail gateway host by using sendmail's mailertable feature in your .mc file, and then saying:

    host.com procmail:/etc/procmailrcs/host.com

    in the mailertable file, and set the host.com file to something like:

    (rules for checking spam, viruses, evil attatchments, etc.)

    :0
    ! -oi -f $forward_message_on_properly_to_internal_mailserve r

    Though I don't have any pressing need to throw the above together and document what I did. Ideally, you would want to combine the above method with one of the several anti-evil-stuff procmail filters on freshmeat.net...
  • Comment removed based on user account deletion
  • by HomerJ ( 11142 ) on Friday May 19, 2000 @04:47AM (#1061299)
    The real problem here with these kinds of things isn't just Outlook. Or just moronic users.

    The whole security system in Win9x is flawed. Windows9x was never intended to be on a network. Win98 is just a rehashed version of Win95, wich is just a rehashed Win 3.1. Single user OS's that had "root" access everywhere were fine in the early and mid '90s. That's not the case anymore. Now that everyone is hooked up to the itnernet, and other people have access to these single-user OS's such as Win9x. it's didn't matter that you had "root" back in the day, you were the only one using the system. Now many people can run code on you computer. Be it a vbs, java, etc.

    A *nix variant doesn't have this problem. Unix was deigned with networks and network security in mind for over 30+ years. I couldn't if I tried to screw up my system like these vbs files do to Windows computers.

    Even Win2k security is lax. For instance, how many times does a typical linux install(be it Redhat, Debian, or anything else) go "DON'T USE ROOT AS A USER!" and foces you to make a regular user account? Now look at Win2k's installation, that gives you your user name with admin. privs.

    If Microsoft really wants to stop stuff like this, they need update their entire network security model to the 21st century....or at least the 1970's. Windows9x was not designed to be on a network. That's the reason it has no security. "access zones" and what have you in programs like Outlook are just a cheap hack to hide the real problem of the Windows security model. The problem being, it wasn't designed to have one.
  • by Anonymous Coward on Friday May 19, 2000 @04:50AM (#1061304)
    I haven't tried this but it was posted on comp.mail.sendmail after the original Love Bug. I'd actually like to try it, but I know so little about sendmail that I'm unsure as to how to apply it - anyone enlighten me?

    # TURN ON CONTENT-TYPE MATCHES: uncomment lines as instructed.
    Kquotetoplus dequote -s+
    HContent-Type: $>CheckContent

    ## By Mike Schwager. http://www.enteract.com/~schwager
    ## http://www.schwager.com schwager@enteract.com
    ## INSTRUCTIONS:
    ## Uncomment 1 (or more) of the following ChkPat lines. Add new ChkPat
    ## lines if necessary, as given in the examples. Change the MIME-type
    ## (eg, from application / octet-stream to application / ms-word )
    ## if you need to, and change the name and/or file extension.
    ## For each pattern line, there should be a matching rule under SCheckContent.
    ## Do not include double quotes in the pattern line! They will be replaced
    ## with plus ("+") signs.
    ## Uncomment the SCheckContent line.
    ## Uncomment the appropriate rule(s).
    ## Change the rule(s) to use the message that you want.
    ## Change the message(s) as appropriate. Add new messages as appropriate.
    ## Watch your tabs!

    D{ChkPrfx}application / octet-stream ; name=

    # Here are your patterns
    D{ChkPat1}.vbs
    #D{ChkPat2}.exe
    #D{ChkPat3}wordvirus.doc

    # Here are your messages
    D{ChkMsg1}REJECT- This message may contain a virus in the attached script.
    D{ChkMsg2}REJECT- This message has a virus. -MS

    SCheckContent
    R$*name=$* $: $1 name= . $2
    R$* $: $(quotetoplus $1 $)
    R${ChkPrfx} $* $: $1

    # Using these lines as a guide, match patterns; include messages
    # only the character in front of "$#" should be a tab. Don't forget the tab!!
    R $* ${ChkPat1} $* $# error $@ 5.7.1 $: 553 ${ChkMsg1}
    #R $* ${ChkPat2} $* $# error $@ 5.7.1 $: 553 ${ChkMsg2}
    #R $* ${ChkPat3} $* $# error $@ 5.7.1 $: 553 ${ChkMsg1}

    ## END CONTENT-TYPE

  • by Pig Hogger ( 10379 ) <pig@hogger.gmail@com> on Friday May 19, 2000 @08:32AM (#1061305) Journal

    and since Macintosh uses a less visible means of specifying file types,

    Macintrash files have, in fact, two invisible 4-character extensions.

    The filetype -- it contains the file type which says what kind of data is in the file.

    The creator -- which identifies the application that created the file, and which should be used to work with the file.

    Applications have a file type of 'APPL' and the creator field identifies the application; that is, it is what ends up in the "creator" field of files generated by this application.

    Additionnal trivia: Beige toaster files are, in fact, divided in two. There is a data fork , and a ressource fork . The ressource fork contains information that can be easily edited by a resource editor program, allowing to change certain aspects of, say, an executable file, like the icons, fonts, sounds and strings it uses. The data fork contains, well... (drum roll) data... (In the case of an APPLication, it is the actual binary code. GUI details are in the ressource fork). Either (of both) of those data fork can be of zero length.

    It is not a bad system, except that it is totally shielded from lusers and, although it can prevent them from doing mayhem on their filesystems, it is a royal pain in the ass to change if you don't have the proper utilities.

    I suppose it could be desirable to have a filesystem that allows you to have as many forks on your files as you want (did I hear somewhere that Windoze NT has something like that? Or is it Novell?), but in my opinion, nothing beats the simplicity of a "flat file" filesystem such as we enjoy so much on Linux.

    However, I still don't dislike the concept of embedding file type information and whatnot within the directory entry/fdn.


    --
    Here's my mirror [respublica.fr]

  • by iCEBaLM ( 34905 ) on Friday May 19, 2000 @06:51AM (#1061308)
    You can't possibly consider a virus writer to be an artist? I'm sure that some of code they produce is elegant, or at least quite advanced and technical. But to call the result of that work 'art' is just fallacy.

    Unfortunately, destruction is creative.

    -- iCEBaLM
  • This is a quickie script to straighten out VBA, VBS, and JS attachments. Happy Hacking:

    #This goes in procmailrc:
    :0 Bf
    *!^X-Loop: viruscheck
    *^Content-Disposition:.+
    |/sbin/noiloveyou | /usr/bin/formail -i "X-Loop:viruscheck"
    :0:
    $ORGMAIL

    #!/usr/bin/perl
    #This is "/sbin/noiloveyou"

    while() {
    $temp=$_;
    if ($temp =~ /^content-disposition\:/i) {
    print $temp;
    $temp = ;
    $temp =~ s/\.vbs/_vbs\.txt/i;
    $temp =~ s/\.vba/_vba\.txt/i;
    $temp =~ s/\.js/_js\.txt/i;
    print $temp;
    next;
    }
    if ($temp =~ /^content-type\:/i) {
    $temp =~ s/application\/x-javascript/text\/plain; charset\=us-ascii/;
    print $temp;
    $temp = ;
    $temp =~ s/\.vbs/_vbs\.txt/i;
    $temp =~ s/\.vba/_vba\.txt/i;
    $temp =~ s/\.js/_js\.txt/i;
    print $temp;
    next;
    }
    print $temp;
    }

    #This should at least slow it down a little #bit....
    # Jacques Richer -- jricher@bankri.com
  • The icon is different, but most users wouldn't notice. The default icon for a VBS file is a document with a picture of a scroll on it (perhaps an ancient Greek "script"?), whereas the default icon for a text file is a document with some lines of text on them. The script doesn't look identical, but most users won't know the difference.
  • by dsfox ( 2694 ) on Friday May 19, 2000 @03:39AM (#1061313) Homepage
    Here. [nytimes.com]
  • i wish that the *name* of the virus could be
    something that would be *very* embarrassing
    to say on CNN or CSPAN...
    It would need to be subtle (so that the embarrassing thing would be said enough times
    to take hold :-)
  • I saw at least 15 slightly different variants of the last one, and they're just trickling off. And this one's a lot nastier than the last. If anyone gets a copy of the script, I'd love to see it... need to know if what I have in place to stop it will keep working with this one. (first post?)
  • by Psiren ( 6145 ) on Friday May 19, 2000 @03:41AM (#1061332)
    Do any virus writers read Slashdot? And if so, would any of you care to explain *why* you do it? Ignoring the simple macro viruses, some stuff, especially the polymorphic ones are incredilbly clever pieces of code. Why put that talent to waste?


    Now weary traveller, rest your head. For just like me, you're utterly dead.
  • I'm not a virus writer, but:

    Some people write viruses without any intention of releasing them to the wild. (Medical Research do the same)

    Writing a Virus is similar to creating life itself. It may well live beyond your own lifetime.

    Bringing down the entire world's email systems must give (the evil) a big sense of power.

    Wasted, destructive talent - maybe - but these viruses are formidable weapons. The UK network staff at the house of commons (Government) had to shut off their networks entirely for the first ILOVEYOU, what would be the effects of that in a state of war?
  • Someone will make another, more destructive, sneakier version of the trojan worm (hey, it's a trojan horse and a worm; the next version may be a virulent trojan worm...). They'll have VBSs that generate EXEs, and vice versa, they'll take the boot sector with a virus that can relaunch the worm, they'll display amusing animations (grabbed from who-cares-where) that make the infected user think he's received a typical funny/annoying attachment.

    Windows system admins: batten down the hatches! Trap all attachments and personally filter them. Get the managers to enact a strict "no unnecessary attachment" rule. Delete all "amusing" attachments and Word documents that should have been plain text (or could have been as HTML in the body), and send a nasty letter to whoever sent it.

    This is, to some degree, a stupid MS problem. There are things that could have made worms like this harder to spread. However, something similar to this could work in Linux, too, given a sufficiently large ignorant user base (though it might be harder to write). If the user is dumb enough to be tricked into running anything you send him, there's no technological fix for it.

    There are three possible solutions: supervise the users (as suggested above), educate the users, or tie the users' hands, so they can't do anything but use a small set of applications and move around certain types of documents. The first is a prohibitively expensive short-term fix, the latter two are long-term solutions: the second is better, but perhaps unrealistic; the third can't be done with current software, a change to some operating environment is needed (tweaking a shell for Linux should do it, though perhaps a change to the kernel would be better: create a sub-user login that has the same sort of access to a single user account as a user can have to the root account with "sudo"; sort of a weak capabilities system). I think both of the latter two are needed: you need to tie new or casual users' hands so they can't do too much damage, and at the same time you need to gradually educate them to the point where you don't have to watch them anymore.

    You can't just ignore user ignorance. You have to make them take the bus until they learn how to drive without causing a 30-car pileup, and give them a ride when the bus doesn't go where they are headed. Don't ignore that just because they whine that the bus is slower.

  • by x0 ( 32926 ) on Friday May 19, 2000 @04:53AM (#1061336) Homepage
    You can't possibly consider a virus writer to be an artist? I'm sure that some of code they produce is elegant, or at least quite advanced and technical. But to call the result of that work 'art' is just fallacy.

    Next thing: Murder as art, The art of the Heist, and the all time favorite, Keying Cars as an Expression of Angst - the Artists Perspective.

    A virus is just destructive code. To me that means it is no different than a molotov cocktail. Yes there are differing degrees of harm created, but whether that harm is physical or results in the loss of work product, there is harm involved.

  • Some people have too much time. To take a virus that caused internation panic among Outlook users, then upgrade it to do more damage while being more covert is just messed up. Although I have to admit, It's funny. Which is a stupid way for an outlook user to view it.
  • I think that Outlook has some good features outside of the sexy graphical interface. For one thing, it does what good programs should do- it automates simple, repetitious tasks without making you jump through hoops. Outlook collects email addresses that I reply to, so that if I need to write someone that I don't know the email address for off the top of my head, I have it without any work. Outlook also does a pretty good job of building several useful features into one program- the calander, contact manager, task list, and mail client. Sometimes it is good to keep things like that seperate, but in this case I have found it to be beneficial. It also connects with my Palm Pilot and syncs everything automatically, which is useful since I use both of them to keep track of things. And as for accessing email from anywhere, it's easy to just tell outlook to leave your messages on the server. So when I am at home, I can use outlook for whatever I want. When I'm elsewhere, I telnet into my unix account and read mail with pine. There's no need of only using one or the other. They both serve their purpose.
  • Jesus, man, just point him to a dictionary site like dictionary.msn.com/find/entry .asp?search=virus [msn.com] where he can see the proper plural form within three seconds, rather than wallowing through that mental masturbatory dreck that Mr. Christiansen wrote. I hope he's not reading this, 'cause I'm not looking to offend him, but after skimming that page, I can see why people don't exactly consider Mr. Christiansen to be "well-liked."

    Cheers,
    ZicoKnows@hotmail.com

  • by 348 ( 124012 ) on Friday May 19, 2000 @03:43AM (#1061349) Homepage
    Not to be a conspiracy theory promoter, but I'll bet companies like ISS and also the AV companies are just lovin' all this exposure.

    During the last couple of months, firms like ISS had a huge increase in sales. With the Love Bug and copycat viruses I'm sure the AV companies are also seeing increased profits. I wonder how much @stake consulting rates are for helping a firm defend against this sort of thing. I'm sure they're not cheap.

  • If this kind of thing interests you, id did these two cartoons surounding the original love-bug virus. 6th May [badtech.com], 8th May [badtech.com].
  • by Anonymous Coward on Friday May 19, 2000 @03:44AM (#1061357)
    The changing subject line helps its messages avoid being deleted by the Spam filters, but since the message does not change, the user is not likely to thinkt that it actually came from the person it says it does. What these viruses need to do is examine the context of all of the messages in the user's Inbox that come from the individual who it is being sent to and generate a context-sensitive reply to that individual.

    In addition, these viruses will ultimately not be limited to VBA. A program could easily open the default Netscape inbox text file and scan for the @ character--extracting all e-mail addresses in the entire Inbox file. The virus could also discriminate against which users it destructively effects--deleting only the files of people whose identity says they are in the aol.com domain, for instance.

    I think that we have only seen the tip of the iceberg as far as intelligent viruses that are distributed by e-mail.
  • You can go to http://pecompact.cjb.net [cjb.net] to get PECompact with a warning plugin.

    When run on wscript.exe and cscript.exe (the Windows scripting hosts responsible for VBScript execution) that will display a warning that the script could contain a virus.

    SlashMirror: Where to put files for fellow /.'ers

  • by anonymous cowerd ( 73221 ) on Friday May 19, 2000 @05:57AM (#1061362) Homepage

    So if you're so concerned with the bandwidth on the infected machine, have the virus code monitor CPU usage and network bandwidth and restrict its own usage to, say, ten percent of maximum or less. This makes it both less destructive - you wouldn't be shutting down anyone's machine, just redirecting otherwise unused CPU cycles - and more stealthy too.

    If one criterion for the "success" of a virus or worm is the scope of its circulation, then it seems to me the guy who wrote this latest thing is screwing up. (Or more likely, he just hacked a few changes onto some existing code, probably ILOVEYOU, sure wish someone would post this new one so I could have a look at it.) This is entirely aside from the incomprehensible malice that's displayed by such a nasty payload, what a jerk. You're sure going to notice when something wipes practically all the files on your PC. It seems to me that a really well-written virus would be more subtle.

    Yours WDK - WKiernan@concentric.net

  • ...and write a trojan horse that changes all the Windows error messages.
    For example, the GPF message: Another fine general protection fault, brought to you by the folks at M$! (little animated GIF of chibi Bill Gates dancing in a pile of money, throwing up handfuls of bills)
  • by Black Parrot ( 19622 ) on Friday May 19, 2000 @07:11AM (#1061369)
    > Pursuing the biological simile, observers pointed out another problem caused by Microsoft's monopoly: the lack of genetic diversity in the PC ecosystem.

    Perhaps. However, for better or worse, diversity is in direct competition with standards compliance.

    I'm all for diversity, at least in principle, but at some level it is always going to be desirable for me to be able to read files that you wrote, and for me to be able to run programs that you wrote (even if I have to recompile them first), and for me to be able to transport those files/programs from your system to mine. So long as these things are possible, viruses and worms will also be possible.

    The problem here is the unmanaged automation of those otherwise desirable manifestations of interoperability.

    What we really need as a first line of defense isn't diversity. It is for a certain vendor to realize that just because an idea can be implemented doesn't mean that it should be implemented. For a second line of defense, we need a public (or at least the tribe of sysadmins) to realize that just because a feature can be used/enabled doesn't mean that it should be used/enabled.

    I am sure that there will be worms and viruses as long as there are bugs in security features, but meanwhile there is no point in making life easy for the script kiddies.

    For better or worse, those who have been blaming the problem on stupidity - whether of the users or of their vendors - have it right.

    I happen to like the idea that Joe Cluebie can play with a computer, which is why I advocate eradicating vendor stupidity as the first line of defense. Alas, when the world's largest vendor is Clueless, Inc. [microsoft.com], and willfully unwilling to obtain a clue, we may have to fall back on the 2LoD and train Joe Cluebie for self defense instead.

    --

  • This is the Honor System virus. Please forward
    this message to everyone you know, then delete
    a random selection of critically important files
    from your system.

    ;-)

    -- Your Servant,
  • by eightball ( 88525 ) on Friday May 19, 2000 @03:45AM (#1061374) Journal
    I would suggest that this virus will be much less disruptive than the 'Love Bug' simply because after the initial infection, there are not any files left to infect.

    So, the stupid ones will stop sending mail to the rest of us!
  • C|Net [cnet.com] and ZDNet [zdnet.com] are reporting that the new variant not only chooses random subject lines for its email carriers, but also adds comments to its own script, in an attempt to thwart fingerprinting.

    My question: who actually needs email-attached scripts to have write access to the registry and filesystem? And who thought there were enough of these people to allow such access by default?

  • by qi3ber ( 144534 ) on Friday May 19, 2000 @03:47AM (#1061384)
    I posted this filter up on freshmeat as well, but now that there is a more destructive version of this floating about, it should be distributed more. All you admins who are using procmail can add these two rules to your global procmailrc to prevent the execution of .vbs attachments to email messages. The email isn't deleted, just that the files extention is changed so that it will not execute on the end users system.

    :0 Bf
    *!^X-Loop: viruscheck
    *^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Vv][Bb][Ss].*
    |/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.vbs\(.*\)/filename=\1.vbs.txt\2 /i;}' -e '/Content-Type:/{N; s/name=\(.*\)\.vbs\(.*\)/name=\1.vbs.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: viruscheck"

    :0:
    $ORGMAIL

    If you have any questions, please feel free to contact me about it.
  • .. everything looks like a nail.

    It's a good filter and all, but what if somoene actually wants to receive vb, js, com, bat, exe and God only knows what else?

    This filter will protect the ignorant from themselves, but then again, so does Microsoft's 'solution' to the problem.
  • by Abigail ( 70184 ) on Friday May 19, 2000 @12:35PM (#1061396) Homepage
    found it very amusing seeing as I use Pine and Netscape to read mail and neither one could give two hoots about VB script .

    That's only partially true. Many Unix mailreaders, including Netscape and mutt (and probably Pine) use a config file to figure out what to do with attachments - $HOME/.mailcap is a fairly standard file for that; but it can also be set up system wide. It's also being used by browsers in the same way. It's fairly trivial to configure it do something with a VB script, although on a Unix platform VB interpreters will not be very common. But Perl, python, tcl and shells are common. And it takes only one line in a single config file to have browsers and mailers of all users execute a Perl program on an application/perl mime type. (Or Python, or tcl, or whatever)

    Email virusses isn't a matter of that can only happen on Windows. It happens only on Windows because Windows is far more popular than Unix. But if more and more less computer literate people move from Windows to Unix, more and more tools out of the box configured with everything turned out will appear on Unix. Including mailers that will happely try to run a program in whatever language you send them. Just look for instance at all the services Joe Q. RedHatUser has running on his Linux box.

    Of course, you might argue that Unix has permissions, and users cannot delete system files. But that's details. The most important files on a computer are user files, not system files. A system can usually trivially be replaced; just re-install it from your orginal media, and run your install scripts. Companies often have an install server to make it even more easy. But user files have added value. They are the product of work. At best, they can be restored from backup, but even then there's a loss.

    To sum up, the reason virusses aren't a problem on Unix is the popularity of Windows.

    Let's keep it that way.

    -- Abigail

  • could someone please alter this virus so that its payload turns off the registry setting that allows it to propagate
    Would a virus that prevents users from running any programs really be an improvement?
  • And even then most linux viruses can do little more than delete your home directory,

    I don't know what you do with your computer, but on my systems, user files are far, far more important than system files. I can restore /usr/bin/sh from media, and /vmlinuz by downloading the source and recompiling it. All it takes is a little time, but I would almost be able to do it blindfolded.

    A thesis someone has been working on for four years, a program you've spend the previous month working on around the clock or a carefully worked picture from the GIMP have to be restored from the last successful backup - if any.

    Granted, system files are important on important 24x7 servers - but you wouldn't be using them to read mail on in the first place, would you?

    -- Abigail

  • by CAIMLAS ( 41445 ) on Friday May 19, 2000 @07:28AM (#1061402)
    Humorous how such things are called sympathy viruses in linux. I'd hash in the lot of stupid forwards as a type of sympathy virus - they 'delete', so to speak, bandwidth.

    I woke up this morning to my radio. (Which is unusual. It usually takes my alarm going off at full volume for about 10 minutes. The alarm goes off after 10 minutes of full-volume radio.) I heard the announcer state that there was a new strand of the ILOVEYOU virus released, much more deadly. I just rolled over and went to sleep. I pitty the fool who subjects himself to such things.

    What type of real-life virus might computer viruses be comparable to? STD's? You 'sleep around' without protection, you'll get em. What might that make Microsoft products, then? :)

    -------
    CAIMLAS

  • >>Viruses are challenging and interesting.

    >Yeah, like biological ones. But we don't go
    >around spreading them happily, do we?

    Happily enough; look at STD's.

    >> Some of the ideas used in them have been
    >> incorporated into modern software.

    > Like? I can only think of BSOD as an example
    > of payload.

    I've seen a production system that has a component which delivers itself to hosts around the network as a virus. It has brakes, but it's a virus. It does real work in the real world.

  • received in my mailbox recently:

    -- forwarded text begins --

    This is the Unix version of 'I Love You' which works on the honor system.

    If you receive this mail, you should delete a bunch of GIFs, MP3s and binaries from your home directory, then send a copy of this e-mail to everyone you know.

    -- forwarded text ends --





  • DEL C:\WINDOWS\SYSTEM\WSCRIPT.EXE
    DEL C:\WINDOWS\SYSTEM\CSCRIPT.EXE

    This will get rid of the VBScript interpreter on your system. Mail this to all your friends!
    ---

  • Sorry I already debunked this virus when the details were posted to Linux Today. You can read my post at <a href="http://linuxtoday.com/news_story.php3?ltsn=2 000-05-12-003-06-SC" >http://linuxtoday.com/news_story.php3?ltsn=2000-0 5-12-003-06-SC</a>.

    If you don't want to click the link, the summary is this virus is stopped by firewalls. It would be dead in the water in the modern internet.
  • Anyone that thinks Linux is immune from virii is a moron. These are just simple attachments that dumb people run on their machine. People can run attachments on any OS, folks. It's the USERS that are stupid, not the client or the OS.
  • It's always worth asking the question "who profits from viruses". Makers of anti-virus software, obviously. Look at McAfee, which became a billion dollar company selling a stupid virus scanner.

    One always wonders if there's some connection between the anti-virus companies and the virus writers.

  • Yeah, I thought of that when the original ILOVEYOU virus got out. I'm sure I wasn't the first, but I feel a little bit of vindication. :)

    Here's [zerius.com] where I put it up.
  • by Matts ( 1628 ) on Friday May 19, 2000 @06:11AM (#1061423) Homepage
    Damn slashdot - many moons ago Extrans worked for links...

    Sorry I already debunked this virus when the details were posted to Linux Today. You can read my post at http://linuxtoday.com/news_story.php3?ltsn=2000-05 -12-003-06-SC [linuxtoday.com].

    If you don't want to click the link, the summary is this virus is stopped by firewalls. It would be dead in the water in the modern internet.

  • Based on what I've heard, that doesn't really matter. I've heard that Outlook will automagically load the .vbs file, spreading the virus before the user ever sees it.
    You've heard wrong. Unfortunately, misinformation about this issue has been spreading far too quickly to be contained by the few level-headed folks who've tried.

    I won't rehash the arguments here, since I'm a little sick of typing them, but check my posting history if you're interested.
  • I'm not a virus writer, but if there are any out there, wouldn't similar functionality be possible through the use of Outlook/Macintosh and an AppleScript attachment?

    I just read a news report about the new virus, and the warning they're giving about it is for people to avoid messages with .VBS attachements, because the subject of the new variant changes dynamically. Since ".VBS" is how DOS signifies file types, and since Macintosh uses a less visible means of specifying file types, I began to think of ways, architecturally, this would work on a Mac. It seems like AppleScript would foot the bill. Most machines have it installed by default, it's executable content, a file, and isn't Outlook scriptable? I'm wondering if AppleScript could get Outlook to do the same sorts of things. . .

    I just remembered this old Metallica song. . .
  • by Wanker ( 17907 ) on Friday May 19, 2000 @01:48PM (#1061433)

    This topic comes up in virtually all intelligent virus discussions. In summary, it is not a good idea to use viral properties, even for something useful. I refer you to item F7 in the comp.virus [faqs.org] FAQ (circa 1995):

    A very hotly debated topic that has flared-up dramatically several times in Virus-L/comp.virus. The answer to this is not simple and largely hinges on your definition or interpretation of the term computer virus.

    By definition (see B1), viruses do not have to do something "bad" (although many people argue that the uninvited "resource wasting" that is almost inherent in viral activity is necessarily bad). From this point (and based on his somewhat esoteric definition of the term computer virus) Fred Cohen has argued that "good" or "useful" computer viruses are a serious possibility. In fact, Dr. Cohen offered a reward of $1000 for the first clearly "useful" virus--despite several potential claimants, however, he hasn't paid up.

    Although there has never been a position that was widely agreed upon as a result of any of these discussions, many contributors to this forum believe that there are serious problems with the idea of implementing useful computing functionality through self-replicating programs. Vesselin Bontchev's paper originally delivered at the 1994 EICAR conference, titled "Are `Good' Computer Viruses Still a Bad Idea?", is available by anonymous FTP from ftp.informatik.uni-hamburg.de (IP = 134.100.4.42), as pub/virus/texts/viruses/goodvir.zip. *Anyone* wishing to raise this discussion in Virus-L/comp.virus again should read and carefully consider this paper before posting. It contains many strong arguments against the idea of "good computer viruses", and some prescriptions of how good viruses would have to be implemented and distributed to deserve the label "good". To date no strong arguments countering the points in this paper or otherwise arguing in favor of the concept of good viruses have been posted to the group.

    The summary of points made in this paper are:

    1. Lack of Control
      Even features such as defined lifetimes, central verification, etc. can't control self-replicating code perfectly. It is very easy for viruses to "get away". A great number of the viruses in the wild started out as merely research projects and were never intended to be released.
    2. Recognition Difficulty
      Allowing one program which has viral properties through one's defenses makes it easy for other programs to exploit the same hole. It's hard to tell when a "good" virus is doing its work versus a "bad" virus.
    3. Resource Wasting
      The process of infection will use up system resources-- what happens when the program hits a host that has few resources to spare?
    4. Bug Containment
      What happens if you discover a bug in the viral code? How do you update all the installed copies?
    5. Compatibility Problems
      The software could break certain systems while it works fine on others. This could make for difficult-to-track problems.
    6. Effectiveness
      There are always increased risks with viral code, and they can't do anything that nonviral code couldn't do with lower risks.

    Vesselin even goes so far as to describe some mechanisms to help mitigate the above problems, but the crux of the story is that it's still simpler and safer to rely on non-replicating code.

    There are some examples of failed attempts at "good" viruses in Vesselin's brief. They include The "Anti-Virus" Virus, The "File Compressor" Virus, The "Disk Encryptor" Virus, and The "Maintenance" Virus. Some of these same ideas have been brought up in this very Slashdot discussion.

    Amazing what history can teach. Damn, I'm starting to feel old...

  • Grin... I remember getting that one. It's pretty old, originally being a parody of the "Good Times" virus hoax. Ironically, the Good Times virus was purported to be a virus that you could get just by reading an infected e-mail, which would have the subject line "Good Times." It would do horrible things to your computer and send it out to all of your friends. At the time, people who were "in the know" laughed off the idea that a virus could actually do that, and the "Bad Times" joke was based on that idea.

    And now, it turns out that Good Times was real after all, they just got the name wrong and called it early...

    I'm installing a subspace harmonics dampener as we speak. Don't want to take any chances.
  • by segmond ( 34052 ) on Friday May 19, 2000 @03:50AM (#1061436)
    You can not tell an artist that what he has produced is a waste just because you do not understand it or find it useful. There is some excitement in creating something that is sort of "alive". I have seen very smart virus writers, crackers and shit, and they are very clever, but don't think by putting them into a different environment, they will start cranking out really impressive code. Nah, they have the ability, but what drives them to write their viruses or crack a software is probably not what drives them to write "productive software". As a matter of fact, they probably feel that their viruses is an utilization of their talents.

  • A note about posting as extrans: it seems that that and the "plain text" posting options have been switched since posting as plain text will activate any HTML in your comments.

  • the third can't be done with current software...

    You've never heard of FortRes?? We use it on some of our WinBloze boxen, and, while it doesn't stop users from trying to install stuff, they get screwed when they try to reboot, because they don't know the box pword OR the FortRes pword. Ha! Plus of course we use (constantly updated) McAfee antiviral software AND we don't run any M$ email programs (on the public boxen).

    We run 50 win boxen (half and half public / staff) and the only place I saw the virus was on /. when someone posted the code. (My staff is educated enough not to open unsolicited attachments, even though some of them use Outlook. I took the time to explain the whole thing very carefully at a staff meeting after the Melissa fiasco.) So education *does* work, but only for motivated users.

    I certainly agree with your last point: you can't ignore user ignorance.

  • by Rico_Suave ( 147634 ) on Friday May 19, 2000 @03:51AM (#1061445)
    Uh, I run a MS Exchange server for over 100 users. I simply filter out anything with a vbs attatchment. Didn't have a problem two weeks ago, don't have a problem today.

    It has NOTHING to do with the OS used, and everything to do with the administrator.

    --

  • It's a complex balance between good and evil that must exist. If writers stopped creating virii, there would be no need for protection. Users would go on their blissful way until one person takes advantage of the peacefulness to collapse the system.
    Most times, it's just something that would be great to watch, seeing a creation of your own cause mass destruction. Or even, knowing that it is able to cause desctruction, then seeing a naive person steal the code from your machine and send it out.

    The first ILOVEYOU hit our company hard. We took the Exchange down, updated all the mail servers, and the network-wide virus scanning for all the users' computers. However, the problem was that idiot users were mapped to production web boxes, and caused the virus to spread to machines that we didn't think would ever have to be checked. It's because of this infection that now we spent hours installing AV clients on 120+ production servers.

    As a whole, ILOVEYOU wasn't too drastic. It deleted some web images that we just had to restore. But it was because we got hit that we're now prepared to defend against virii like this new ILOVEYOU, which does drastic damage.
  • I want to be able to execute attachments I receive easily. I want these attachments to be able to do what I can do. What I don't want is for these attachments to be able to do stuff without my explicit permission to do so.

    I don't like the idea of sandboxed execution or chmoding the user permissions because they make it a pain-in-the-ass to actually do stuff that I want them to be able to do.

    \begin{daydream>
    What I'd like to see is to see sandboxed execution or editing (instead of executing) being the default and it should be simple as a right-click "Execute" to allow an attachment to actually execute and do stuff. I'd also like to be able to easily tell it when I want to just view the thing and when I actually want to execute.
    \end{daydream}

    PS: Damnit, I'm trying to post using Plain Old Text. Why won't Slashdot let me use XML tags for my "daydream"??
  • by jonr ( 1130 ) on Friday May 19, 2000 @03:53AM (#1061455) Homepage Journal
    If I may quote [be.com] my favorite CEO [be.com]: "Pursuing the biological simile, observers pointed out another problem caused by Microsoft's monopoly: the lack of genetic diversity in the PC ecosystem. Because PCs and their software are too similar, one noxious automaton can do much more damage than would occur if we had several alternative life forms.
    This argument deserves closer examination. True, BeOS, MacOS, and Linux users were not infected by the Love virus. Had each system had 25% market share, a single virus could only infect 25% of the population."

    The ILOVEYOU virus is kindergarden [rhi.hi.is] stuff compared to what a real programmer [rhi.hi.is] could really do if he/she put their mind to it, but since experienced programmers are (most of the time) fairly matured individuals, but it would only take one fairly good hacker to release a plague [rhi.hi.is] on the world...
  • You are forgetting one major factor: Choice.

    I may choose to read or ignore a book about murder. I happen to like that genre actually, nearly as much as I like film noir. But still, the difference is that I *choose* to read that subject.

    On the other hand a virus is basically a hit and run _crime_. As one of the other respondents above remarked, modern art, by my standards would not be considered art. I disagree because I can ignore it. I may not call it art, but someone else may. I cannot ignore a virus, even if I am running a nearly immune system.

    To compound the issue, not only do viruses steal your ability ignore them, the nastier ones tend to cost money. Either the viruses destroy work product or they create work for the admin who then has to fix his network.

    If you want to call it art, fine, as long as the creator makes it performance art. Like boxing ...so I can add to the performance.

  • You mean it was a worm written by a cracker, not a virus written by a hacker?

    Anyhow, I never really cared much for language purism. Language evolves. That's not to say that these distinctions aren't important within certain technological circles. If I were writing a technical article for some journal on computer security, I would want to get it right. But for the mainstream, "virus written by a hacker" is plainly the accepted terminology.

    Another way to look at this is that "virus" is being used as a general term for all potentially destructive computer programs, and that "trojan", "worm" and "hostile applet" are just subclasses of "virus".

    Now you /. people can sit there and gripe all day about what people ought to say, but you're not going to win.

    Wouldn't it be more interesting to simply look at these things as linguistic trends rather than errors?

    In a sense, English and other languages are the first collaborative Open Source project ever. Yet so many /.ers fail to realize that, and refuse to participate, because they are hung up on language purism.

  • From the Good Times virus hoax FAQ [usit.net], the original message announcing the Good Times virus read:

    Thought you might like to know...

    Apparently , a new computer virus has been engineered by a user of America Online that is
    unparalleled in its destructive capability. Other, more well-known viruses such as Stoned,
    Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a
    warped mentality.

    What makes this virus so terrifying is the fact that no program needs to be exchanged for a new
    computer to be infected. It can be spread through the existing e-mail systems of the InterNet.

    Luckily, there is one sure means of detecting what is now known as the "Good Times" virus. It
    always travels to new computers the same way - in a text e-mail message with the subject line
    reading simply "Good Times". Avoiding infection is easy once the file has been received - not
    reading it. The act of loading the file into the mail server's ASCII buffer causes the "Good
    Times" mainline program to initialize and execute.

    The program is highly intelligent - it will send copies of itself to everyone whose e-mail
    address is contained in a received-mail file or a sent-mail file, if it can find one. It will
    then proceed to trash the computer it is running on.

    The bottom line here is - if you receive a file with the subject line "Good TImes", delete it
    immediately! Do not read it! Rest assured that whoever's name was on the "From:" line was
    surely struck by the virus. Warn your friends and local system users of this newest threat to
    the InterNet! It could save them a lot of time and money.


    The Good Times virus described by that message never existed. You can claim that the message itself is a virus, but then it wouldn't be the Good Times virus, it would be the "meta-Good Times virus." (And if I get you to repeat this description to your friends, you could call that the "meta-meta-Good-Times virus," and then they could spread the "meta-meta-meta-Good-Times virus" and so on... GEB, here we come! =])
  • I used to think that way about virus/worm and hacker/cracker. But..english terms change meaning weather you like it or not. This faq was written over 5 years ago. Since then the scope of people using these terms changed significantly. The public can't remember hundreds of jargon word so hacker and cracker become one "cracker"- and virus and worm become "virus". "Virus software" has to protect against what we knew as worms and well as viruses. You don't market "Norton anti-worm/virus" software or people are going to think it's a medicinal product. 99% of people have never heard the term worm, yet most know that a virus is something bad you can get. To make matters worse, the distinction on how it propagates is only understandable by technical people. There is no logically reason for most people to call one thing a virus and other thing a worm.

    I think this is partially a case of technical people feeling they are elite and need to correct people who could care less, much like an English teacher who corrects your speech that no one else sees a problem with. You have to speak the language of the people when you report in the media. It's not that the reporters don't know what a worm is (though I'm sure many don't), it's that you (and your other 1%) are not their target audience.
  • Here. [nytimes.com]
  • It helps to thin out the herd. What you want is a more or less constant nonzero low probability of catching and incurring damage from one worm/virus/trojan or another. This will serve to harden the resistance of the community and cull out the weaklings. Just like in the solid world the most destructive virulent phages do not have the best logevity because they kill too many of their hosts too quickly. Ergo the liklihood of some super Marburg or Ebola with 97%+ mortality spreading all over the world is rather low. Of course the garden variety with 70%+ mortaility is none to good either. OTOH a continual exposure less virulent forms of other types of phages actually hardens both the individual and the community leavingit better prepared to resist the next variant. Exhibit the indigenous peoples of the Americas in the 15th-16th C. exposed to Smallpox for the first time. Infected populations decreased by 90% in <10 years whereas the Europeans were already largely resistant and could survive even many epidemics with <25% mortality.

    So it is with a dynamic community of computers. Somebody who doesn't have a scanner will die. Somebody who rarely updates the sig files will die. Somebody who doesn't think it can happen to them will die. Someone who doesn't pay attention and goes on as normal will die. Somebody who is more thorough and less trusting or ignorant will survive. Remember not all of these screaming headlines are about viruses at all. They are simply a matter of benhavior and social engineering. Do you think as many people would have been infected if the ILY worm had a heading that said "opening this note will destroy or damage your machine and the machines of everyone in your addressbook." OF course not.

    Which leads me off in another tangent. How to get more people to open destructive messages since everyday we're more jaded and suspicious? Well if I was a badguy what I'd do is use the message header to refer to some online purchase. Sure, if you didn't buy anything then you'd be less likely to open the message but the people who did would probably open the message approaching 100%. So what is a poor website to do? It seems that one avenue that should be pursued for this and for eComm generally is a way to generate a CRC at the point of purchase and then send the confirmation/receipt with the CRC in the header so that before you do anything you manually cross check the numbers to insure they match. Or something like that. I guess I'll stop blathering now.
  • Check out the virus warning I recently came across:

    Pay close attention to this warning!

    If you receive an email entitled "Bad-times," delete it immediately. Do
    not open it. Apparently this one is pretty nasty. It will not only erase
    everything on your hard drive, but it will also delete anything on disks
    within 20 feet of your computer through the use of subspace field
    harmonics. It demagnetizes the stripes on ALL of your credit cards. It
    reprograms your ATM access code, screws up the tracking on your VCR and
    uses subspace field harmonics to scratch any CD's you attempt to play. It
    will program your phone auto dial to call only your mother-in-law's
    number. This virus will mix antifreeze into your fish tank. It will drink
    all your beer. (For God's sake man are you listening?) It will leave
    dirty socks on the coffee table when you are expecting company. It will
    replace your shampoo with Nair and your Nair with Rogaine, all the while
    dating your current boy/girlfriend behind your back and billing their
    hotel rendezvous to your Visa card. It will cause you to run with
    scissors and throw things in a way that is only fun until someone loses an
    eye. It will rewrite your backup files, changing all your active verbs to
    passive tense and incorporating undetectable misspellings, which grossly
    change the interpretations of key sentences. If the "Bad-times" message
    is opened in a Windows95/98 environment, it will leave the toilet seat up
    and leave your hair dryer plugged in dangerously close to a full bathtub.
    It will not only remove the forbidden tags from your mattresses and
    pillows; it will also refill your skim milk with whole milk.

    *********WARN AS MANY PEOPLE AS YOU CAN.*********

    Hope I don't get that one.
  • by jabber ( 13196 ) on Friday May 19, 2000 @08:12AM (#1061496) Homepage
    I LIKE IT!

    We're genetically engineering bacteria to eat oil spills, and designing cancer cells to secrete insulin. We're cloning sheep and making real viruses to attack malignant tumors.

    Somehow, the symmetry of a worm that scours the Internet exploiting M$ security holes in an effort to fix them is.. poetic. Sort of like autonomous garbage collection.

    Arguably, any virus/worm that deletes Windows system files is already trying to do this; but in a very heavy-handed way. A lighter touch is called for. Disabling the registry settings that allow auto-invokation of scripts attached to email is one good way to make the world a better place.

    And hey! How could anyone (besides Micros~1) get upset over a benevolent virus?

    Maybe it could even open a pop-up on the screen every 20 minutes, to remind the user to stretch their hands to prevent RSI? :)

    Maybe it could replace the talking paper-clip with a talking Penguin? "I see you're trying to write a letter. Wouldn't you rather write it on actual paper, and add some humanity to your interpersonal communicaton?" "I noticed your key-stroke rate drop over the last hour. You seem tired. Shall I have some pizza delivered?"
  • I agree that it is not an OS issue, (assuming the OS does not allow you to modify system or other users files, i.e. Not Win9x). But I think it is a client, rather than user issue.

    Code coming from an unverified source (i.e. not from a trusted installer) should not be allowed to run outside a sandbox. It works fine for Java on the web. The same treatment should apply to anything coming in an email.

    Furthermore, any file extracted from an email should be marked non-executable. (The user can chmod it - if they know enough to do that, they can probably understand the risk). Archives are a bit more tricky, but changing umask(2) to 666 before invoking an archive program (such as tar) should do the trick I guess.

    The Evolution folks are implementing a Visual Basic clone in their new gnome client. But they are doing it properly, using a Java-like security model.
  • by LocalYokel ( 85558 ) on Friday May 19, 2000 @04:07AM (#1061512) Homepage Journal
    VBScript may be causing billions of dollars in semicatastrophic losses -- people have the right to bitch about it and Microsoft.

    Has anyone considered blaming Netscape and Sun for the even greater, incremental loss of money from JavaScript? How many billions of dollars in coding, design, and bandwidth have gone into popup windows, status bar theft, and rollovers?

    Perl is such a spirit fouling venture that there is even a monastic commune [perlmonks.org] for people who grok it.

    bash scripting is by far the greatest sin, for it mimics C in an almost mocking way -- K&R would not be pleased...

    --

  • I hate to bitch, but I really wish people (namely the media) would get the terminology right when writing about these things. This isn't a virus, it's a worm.

    Viruses infect other executables, such that the original functionality is still there, but the viral code is executed when the program is first run, which gives it a chance to spread to other executables and/or become resident in memory.

    Worms, on the other paw, are self-contained programs which contain nothing but the worm itself.

    The definitions of these things are hardly new, they have been around for YEARS. I suggest reading section B2 of the comp.virus FAQ [claws-and-paws.com] for more information.

  • by Vanbo ( 75942 ) on Friday May 19, 2000 @04:09AM (#1061515) Homepage
    > DEL C:\WINDOWS\SYSTEM\WSCRIPT.EXE
    > DEL C:\WINDOWS\SYSTEM\CSCRIPT.EXE

    This is really the solution if people refuse to switch from lookout. (I had switched everyone I could when I arrived at the company, but some refuse to leave "what they know.")

    So here is my solution in a Novell Netware enviroment.

    -Using NAL (Novell Application Launcher), create a new application object in NWAdmin. Don't have it launch any program, Name it something like "Remove VBS."

    -Modify the "Files" tab by adding "wscript.exe" and "cscript.exe" to be deleted (In otherwords click file, in target select those programs, and put the check in "Target to be deleted.)

    -Associate with everyone group with force run status

    Now everyone is going to be better off. Some would complain that now people can't write scripts in VB on their machines, but guess what I never got any complaints. Maybe it has something to do with the fact that anyone writing scripts knows better then to open unknown attachements, or even to use outlook.

    Note- This process could be done with the login script but NAL gives you more control. For instance I have used NAL to remove registry entries (or add), reset Netscape preferences, and similar to above, have NAL delete "normal.dot" every login to help prevent the spread of Macros. At my previous job, I even went so far as to have NAL rename the vbe folder in office to turn off macros all together, and created a NAL application called "Word with Macros, Excel with Macros" that would rename the directory before launching, and rename it at close, but alas, they use the macros in Excel at the current place...
  • As has been thoroughly hashed out in the threads of the articles following the last virus/worm outbreak, Linux isn't 100% immune from viruses/worms, but it is much more resistant due to a few reasons:

    First, executability is determined by access bits, not by file extension. This means that normally downloaded files like attachments get saved un-executable, meaning that users have to intentionally try to change the access bits on the files to execute them, not just click on them.

    Secondly, unless the root user is the one reading the email and running attachments, the virus/worm is limited by security/permissions rights to what it can do. While it can do damage to a single user's files, it can't very easily blast other user's files or system files. On Windows 9x, there is basically no security, so viruses/worms like ILOVEYOU are free to twink with the registry, etc.
    Thirdly, the homogenous nature of the Windows world makes it a much easier and more attractive target for virus/worm authors. It is pretty safe to assume that virtually all Windows 9x clients will have Outlook and all the associated DLLs on their system. There is no single email client in the Linux world that is so ubiquitous. That makes it more difficult to write viruses/worms that will affect a large percentage of Linux users because the virus/worm creators can't make the kind of assumptions about how to read things like address books, etc. that they can under Windows. This is unlikely to change any time soon, because the Linux world is much more diverse than the Windows world.

    While you are right up to a point that in many ways it is the users that are stupid, Outlook and Windows make the problem worse by making it so much easier for the users to shoot themselves in the foot. And to a certain extent, Windows is plagued with a much higher percentage of stupid users because it intentionally caters to the least common denominator. To a certain extent, as Linux gets easier to use, it may start to see more of the semi-stupid users.

  • by ucblockhead ( 63650 ) on Friday May 19, 2000 @04:56AM (#1061587) Homepage Journal
    A less drastic action:

    (For those forced to do Windows/Outlook.)

    My Computer
    -Tools
    -Folder Options
    -File Types
    -VBScript Script File
    -Advanced
    -Click on "Edit" in the list box
    -Set Default

    After you do this, the default action for a VBS file is to edit it in notepad. (And you can still run it by right clicking and selecting "open" from the menu.)

    Repeat for any other dangerous filetypes.
  • by account_deleted ( 4530225 ) on Friday May 19, 2000 @04:19AM (#1061589)
    Comment removed based on user account deletion
  • by Bad Mojo ( 12210 ) on Friday May 19, 2000 @04:22AM (#1061599)
    Eventually mankind will create a board with a nail in it so big that he will destroy himself. Hahahahaha!


    Bad Mojo [rps.net]

Reality must take precedence over public relations, for Mother Nature cannot be fooled. -- R.P. Feynman

Working...