Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Bugbear Windows Virus Making the Rounds 516

lysurgon writes "CNN.com is reporting that the "BugBear" virus (Windows/Outlook only) is spreading quickly. Unlike ILovYou-type viri, instead of deleting files or just propagating itself, this animal disables firewall software and opens a port to receive remote commands. The article doesn't draw this conclusion, but this effectively sets up slave machines for DDoS uses. Also worth noting is the puzzlement of anti-virus guys as to why they haven't been able to make the virus spread in the lab. "One of the theories is that this requires an Internet connection in order to spread." Gee, you don't say?"
This discussion has been archived. No new comments can be posted.

Bugbear Windows Virus Making the Rounds

Comments Filter:
  • by airrage ( 514164 ) on Friday October 04, 2002 @03:39PM (#4389705) Homepage Journal
    Probably coded to sit idle if it's domain is symantec.com, etc.
  • Removal tool (Score:5, Informative)

    by Anonymous Coward on Friday October 04, 2002 @03:39PM (#4389709)
    Get it here [symantec.com]
  • by swissmonkey ( 535779 ) on Friday October 04, 2002 @03:41PM (#4389726) Homepage
    http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS01-020.asp

    Blame the admin
    • 404 -- file not found. Gee, that's a handy patch. I think you meant this [microsoft.com].
  • by bytesmythe ( 58644 ) <bytesmythe@@@gmail...com> on Friday October 04, 2002 @03:42PM (#4389731)
    this animal disables firewall software

    Whew! Good thing I don't use any firewall software!

  • by thelenm ( 213782 ) <mthelen@gmai l . com> on Friday October 04, 2002 @03:43PM (#4389734) Homepage Journal
    Unlike ILovYou-type viri,

    A bit off-topic, I know, but here's an interesting link about the word "viri", the alleged plural of "virus": What 's the Plural of 'Virus'? [perl.com]
    • At the very least it's virii, or viruses.
    • by iabervon ( 1971 ) on Friday October 04, 2002 @04:16PM (#4390065) Homepage Journal
      There are a number of bits of that page that make it clear that the author doesn't actually know Latin.

      And we certainly don't grab for genitive singulars for the plurals when we've started out with a nominative.

      Except that viri (from vir, mentioned just above) uses the same thing for the genitive singular and nominative plural, as do all regular 2nd declension masculine nouns that don't end in -ius. For that matter, spoken English doesn't normally distinguish the singular possessive from the nominative plural (written uses an apostrophe, which doesn't affect pronunciation).

      As far as how such a noun should work in the plural, there's a perfectly good example: cetus (whale) has a perfectly normal plural ceti, following the masculine pattern despite being neuter, just like virus.

      On the other hand, the plural of virus is not attested in any form. The logical conclusion of this fact is that virus is a word like "sheep" or "fish", which doesn't have a distinguished plural form. It makes more sense, anyway, because you're not generally dealing with individual copies; you're dealing with an infection as a whole.

      Of course, if you really want a plural that's obviously a plural and refers to multiple different entities, use "worms".
    • by heikkile ( 111814 ) on Friday October 04, 2002 @06:14PM (#4390838)
      It is a latin word, so it uses roman numerals:
      1 viri
      2 virii
      3 viriii
      4 viriv
      5 virv
      6 virvi
      7 virvii
      8 virviii
      9 virix
      10 virx
  • by jukal ( 523582 ) on Friday October 04, 2002 @03:44PM (#4389740) Journal
    IMHO Bugbear's spreading relies solely on social engineer. Labs have nothing to do with social-anything. That's why you can reproduce it in there :))
  • by reezle ( 239894 ) on Friday October 04, 2002 @03:44PM (#4389745) Homepage
    2 workstations at a client of mine caught this bug. The AV system kicked in shortly thereafter, and stopped the spread. (I had to manually clean the machines, though)
    Strange symptoms appeared just before we knew there was a virus: All of the printers in the network started printing garbage. I had to reload the print drivers from CD for all the server's printers to stop the effect.

    Anyone else seen the virus in a network? Anyone else seen similar print symptoms?
    • by b0r1s ( 170449 ) on Friday October 04, 2002 @03:49PM (#4389807) Homepage
      We've trapped a few in the email system (prior to infection), but I've been noticing a lot of port 137 activity that I believe is tied to the virus. The main difference between legitimate traffic and the viral traffic is the lack of a broadcast bit (real ms network traffic will be sent broadcast, the virus sends machine to machine), and a source port of 1024-1030 rather than 137.

      The junk from the printer is probably due to the random network traffic it sends out.

      Some stats for people who like numbers:

      1944 viruses ( 18 different strains ) found since Sat, 31 Aug 2002

      Virus: W32/Klez-H found 1603 times (82 %)
      Virus: W32/Yaha-E found 166 times (8 %)
      Virus: W32/Sircam-A found 93 times (4 %)
      Virus: W32/Bugbear-A found 23 times (1 %)
      Virus: W32/Magistr-B found 20 times (1 %)
      Virus: W32/Nimda-D found 7 times ( Virus: W95/CIH-10xx found 5 times ( Virus: W32/Yaha-D found 5 times ( Virus: W32/Klez-E found 5 times ( Virus: W32/Nimda-A found 4 times ( Virus: W32/Hybris-B found 4 times ( Virus: VBS/Redlof-A found 2 times ( Virus: W32/Cervivec-A found 1 times ( Virus: W32/Hybris-C found 1 times ( Virus: W32/Weird-10240 found 1 times ( Virus: W32/Klez-Fam found 1 times ( Virus: WM97/Marker-Fam found 1 times ( Virus: W32/Magistr-A found 1 times (
      • by ninthwave ( 150430 ) <slashdot@ninthwave.us> on Friday October 04, 2002 @04:12PM (#4390033) Homepage
        From what I have read on the virus it does more than the cnn article goes into quotes from the symantec faq on the virus. We have two machines isolated at work now that I have to check on Monday for this. Off network and turned off waiting for me to get through my weekend. It is a pretty interesting read on what it does. It seems to be a klez variant with some extra functionality. So like klez it trys to disable antivirus software and it has added more processes to kill read symantec read on it. Though I believe sometimes symantec overstates virus threats, this one seems to do a lot in a little package.

        The keyboard logging and the open port 80 makes it very interesting to see if it is waiting for a cracker to come along or if it is waiting for other payload from another infected machine or from a variant.

        http://securityresponse.symantec.com/avcenter/ve nc /data/w32.bugbear@mm.html

        "Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

        It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0.76.1-1.22."

        "The third thread that the worm creates is a backdoor routine. It opens port 36794 and listens for commands from the hacker. The commands permit the worm to perform the following actions:

        Delete files.
        Terminate processes.
        List processes and deliver the list to the hacker.
        Copy files.
        Start processes.
        List files and deliver the list to the hacker.
        Deliver intercepted keystrokes to the hacker (in an encrypted form). This may release confidential information that typed on a computer (passwords, login details, and so on).
        Deliver the system information to the hacker in the following form:

        User:
        Processor:
        Windows version:
        Memory information:
        Local drives, their types (e.g., fixed/removable/RAM disk/CD-ROM/remote), and their physical characteristics

        List network resourses and their types, and deliver the list to the hacker.

        If the operating system is Windows 95/98/Me, the worm attempts to obtain access to the password cache on the local computer. The cached passwords include modem and dial-up passwords, URL passwords, share passwords, and others. This is done using an officially undocumented function-- WNetEnumCachedPasswords--that exists only in Windows95/98/Me versions of the Mpr.dll file.

        One of the commands permits the Trojan component to deliver data using HTTP port 80. The results of the backdoor activity may be represented in the form of HTML pages. This gives a hacker a convienient way to browse the compromised computer resources.

        The fourth worm thread replicates across the network. To do this, the worm lists all of the resources in the network. If it locates open administrator shares, it attempts to copy itself to the Startup folder of the remote computer. This leads to the infection of the compromised network computers as soon as they are restarted.

        Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality."
    • by Theatetus ( 521747 ) on Friday October 04, 2002 @03:51PM (#4389838) Journal

      We had one get into our network. It didn't disable NAV on the machine and it was pretty easy to remove (just clear out the "Startup" folder in %root_drive%:\Documents and Settings\%username%\Start Menu\Programs, reboot and backup to a known-good registry. You keep a known-good registry backup, right?... If not, delete any keys in HKLM->Software->Microsoft->Windows->RunOnce)

      Also, run Task Manager and kill-9 (or whatever the Windows equivalent is) any random 3- or 4-letter processes after you've cleared the Run Once keys and Startup folder.

      I think the executable is printing its own binary when it tries to infect a printer.

      As always, patched machines should do OK; the one that got through only did because it was still running IE 5 without any updates. YMMV.

      • If not, delete any keys in HKLM->Software -> Microsoft -> Windows -> RunOnce

        Also, run Task Manager and kill-9 (or whatever the Windows equivalent is) any random 3- or 4-letter processes after you've cleared the Run Once keys and Startup folder.

        The reg key is ... -> Windows -> CurrentVersion -> RunOnce (sorry, had to nitpick).

        I disagree with your second recommendation. There are several services (smss.exe,for example) that run as part of a normal Windows installation. Killing them is ill-advised.

        • haha

          if you succeed in killing smss.exe, the machine goes away :)

          similarly, if csrss.exe exits, smss.exe bluescreens the machine.

          lsass is the local security agent subsystem server. (i always read this is "ls ass"

          SMSS is the session management subsystem. it spawns Csrss.exe (Client Server Run Time SubSystem - the Win32 layer on top of NT)

          If you have a suitably old smss.exe, it also spawns the OS/2 1.x layer or the POSIX layer. If you have Services for UNIX, there is a new posix.exe layer and psxrun.exe servers that you'll also see.

    • Accoring to the analysis by Sophos [sophos.co.uk]

      Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of W32/Bugbear-A's executable code. This usually results in many wasted pages.

      Judging from the questions I've had over the past two days (from users, about incoming emails which have been 'disinfected') its also worth noting...

      the worm can spoof the From and Reply To fields in the emails it sends. [Like Klez & YaHa do]

      We use MailScanner [mailscanner.info] along with a Sophos engine to filter our incoming mail - and we've caught dozens of this worm in the last two days. Remembering the trouble from Nimda last year I'd recommend MailScanner to everyone, its free & can be used with a variety of engines. [I'm not associated wuth the MailScanner project BTW]
    • I have, in my hand, 2 reams of garbage, starting with a few characters, then "This program cannot be run in DOS mode." 2 reams with 1-15 lines at the top of each page, some of it overprinted. At least my 10-year-old won't run out of drawing paper before college. (Don't know where it came from, it was just sitting by the printer this morning. It actually might not be BB, it's just my guess based on timing and what I've heard.)
    • by sharkey ( 16670 ) on Friday October 04, 2002 @04:25PM (#4390119)
      All of the printers in the network started printing garbage.

      Sure it was a virus? Maybe the Marketing department has a big project.
    • by sw155kn1f3 ( 600118 ) on Friday October 04, 2002 @04:27PM (#4390128)
      Did it print "Follow the white rabbit?" :)
  • by Christopher_G_Lewis ( 260977 ) on Friday October 04, 2002 @03:46PM (#4389765) Homepage
    It's pretty impressive that this virus disables anti-virus software, and covers quite a large list of AV/Firewall programs.

    tech details [symantec.com]

    Have any other virii in the past done this, or is this a first?

  • by Pedrito ( 94783 ) on Friday October 04, 2002 @03:47PM (#4389779)
    Man, I'm terrified. My mother got this and now a whole series of e-mails I sent to her about 3 years ago are suddenly being sent to almost everyone she has ever e-mailed or received e-mail from. People who were CC:ed on things I sent her are receiving personal e-mails I sent to her.

    I'm waiting for the one where I said really terrible things about someone to land in the wrong hands and start causing all sorts of disasters. After this, I'm going to be a lot more careful about what I say in e-mails.

    My machine is relatively safe, but I can't vouch for the person I'm sending e-mails to. I wouldn't be surprised if a lot of relationship get screwed up before this is all over.
    • by Pedrito ( 94783 ) on Friday October 04, 2002 @03:50PM (#4389818)
      I just noticed the "Windows/Outlook Only" part of the post. Maybe Windows, but not Outlook only. My mother uses Netscape mail (at least a 3 year old version), and it's obviously quite compatible with the virus.
    • Don't worry. As long as those other people don't have your mother's PGP key, everything will work out just fi-- what? You didn't encrypt? Well, sheesh, you were sharing your email with the whole world anyway.
    • I'm waiting for the one where I said really terrible things about someone

      You need to learn what my dad drilled into us as kids:
      "Never put anything in writing you wouldn't want to read aloud in open court."

  • by RailGunner ( 554645 ) on Friday October 04, 2002 @03:48PM (#4389789) Journal
    Unless your company forces you to connect to an Exchange Server, why would anyone purposely run Outlook or Outlook Express as their mail client? Especially when there's several free alternatives.

    Eudora - http://www.Eudora.com
    Opera Mail - http://www.opera.com
    Mozilla - http://www.mozilla.org
    Netscape - http://www.netscape.com

    I hate to sound callous, but if you're on a standard PPP or SLIP internet connection at home, and you're running Outlook or Outlook Express, then you get what you deserve. If your company is running Exchange Server, then your company is getting what it deserves.

    Fool me once, shame on you. Fool me twice, shame on me. Except between Melissa, ILoveYou, Sircam, Klez, and now this, it's what, fool me a dozen times? Do people just enjoy getting kicked in the teeth repeatedly?

    • by gblues ( 90260 ) on Friday October 04, 2002 @03:54PM (#4389859)
      Unfortunately, people who use MSN as their ISP are forced to use MS LookOut as their e-mail client because the SMTP servers require "Secure Password Authentication" support, and none of the clients you have listed support it.

      Score one for vendor lock-in!

      Nathan
    • by SirSlud ( 67381 ) on Friday October 04, 2002 @03:56PM (#4389881) Homepage
      I agree.

      People seem to dislike this attitude, but its true. Why should anyone deserve sympathy for driving a car thats already rolled over 3 times ...

      Eventually its up to the user to practice safe computing.
    • by Osty ( 16825 ) on Friday October 04, 2002 @03:58PM (#4389899)

      why would anyone purposely run Outlook or Outlook Express as their mail client?

      I can't personally speak for OE, as I've not used it in years, but I use Outlook XP because it's the best mail client I've found. I've never been infected by a virus in Outlook XP, because by default it strips malicious attachments (no, I'm not confusing that with an Exchange or mail server stripping those attachments -- we do that at work, sure, but I use Outlook at home with my postfix setup, and I know I'm not stripping attachments there, yet Outlook XP still strips the dangerous attachments). Out of the box, Outlook XP requires you to screw around to shoot yourself in the foot -- it warns you when you try to open an attachment, it'll tell you when there's possibly malicious script in a message and not let you view it in the preview pane, and so on. In short, you actually have to take action to get infected by a virus if you're using Outlook XP.


      Just to clear up any possible misconceptions, Outlook and Outlook Express are two completely different products, with completely different codebases, developed by two completely different teams. The only thing they share is the word "Outlook".

      • If Outlook and Outlook Express are so unrelated, why are you REQUIRED to have Outlook Express installed to run Outlook 2000?

        Been there, tried this. There is NO way around having to have OE installed to run Outlook2K.

        (The only reason I use any MS emailer is because my office uses it. I actually had to convince someone here that using OE to pop our one email account that is allowed to receive attachments was a Bad Idea, and finally got him to change to Eudora...)
    • The reason we use Outlook 2002 is because it does IMAP and Extended MAPI. There are NO OTHER email clients that run on Windows, do IMAP and support extended MAPI. We need extended MAPI for integration into Maximizer (crm type thing).
    • Granted: Some people are morons.

      That aside, Outlook is not the real problem. (OE...maybe...)

      Our office uses Outlook because it's a nice e-mail system overall. The group calendar thing is still not there in the solutions you mention.

      At any rate, we use Outlook...and nobody here has been infected by this virus, NOR WILL THEY BE.

      How is it I can say this? Because of this nifty patch Microsoft put out oh...about two years ago, called the "Outlook Security Patch" that lets my server automatically block these attachments. You can't open them if you want to.

      The fact of the matter is, I've personally received the BugBear virus attached to more than one e-mail...so somebody I know has been hit. But I won't get the virus...because when I open it, there's this nifty little text at the top of the window that says "Outlook blocked access to the following potentially unsafe attachments: whatever.jpg.pif"
    • The vulnerability that this exploits in Outlook and Outlook Express has been patched since March 29, 2001. [microsoft.com]

      If you run Apache and haven't patched since March 2001, you're vulnerable.

      If you run OpenSSL and haven't patched since March 2001, you're vulnerable.

      If you run WU-FTPd, Sendmail, or any other numerous programs with vulnerabilities and haven't patched since March 2001, you're vulnerable.

      At this point, there is no one left to blame but people who simply never update their computers. It's the same g&^damn hole that this exploits every single time, folks. Outlook 2000's patch has been out for well over a year. Outlook XP doesn't even HAVE this vulnerability!

      Stop whining about what programs other people choose to run, and encourage them to learn how to patch their systems. No matter what OS you run, patching it is going to be important. Windows XP, Mac OS X, Debian, and Red Hat all make it incredibly easy to patch your system. People spreading this crap around no longer have an excuse.
      • Unless you run SE Linux. SE Linux will prevent the Apache/OpenSSL/WU-FTPd/Sendmail exploits from working.
      • There are serious differences here.
        You can just act like every OS is as secure as then next.
        I'll take unpatched OpenBSD over unpatched Win2k any day.
        To make informed statements, you have to conside the severity of a security flaw. Ex: a buffer overflow, vs a string formatting error. One theoretically allows you access, if you are a skilled assembly programmer, the othermakes it trivially easy to get access.
        Patching your boxes is important, but so is security by design.
    • What about Ximian Evolution [ximian.com] as a secure Outlook replacement?

      It can even talks to Exchange servers.

      Oh-yeah, it runs on Linux, so I guess that rules it out as an Outlook replacement for you windows people.
    • We run Exchange as our mail server at work and we haven't gotten any. Did we get what we deserved? Are you saying we deserve nothing?

      It's a client side virus dumbass, not a server side virus.

      Why run a mail client at all? Why not use the web based client that most ISP's provide?
  • \Bug"bear`\, n. 1.

    Same as Bugaboo. -- a. Causing needless fright. --Locke.

    2. To alarm with idle phantoms.

  • I've always wondered what genius thought it was a good idea for an e-mail program to accept and execute whatever macros and executable files happen to be in the incomming mail. And at this late stage, why does Outlook continue to have this functionality? If somebody needs to send me an executable (a rare event, and I'm in the computer biz), he can simply zip it or tar it.
  • It would go a long way to change people's mindsets
    if every time CNN mentioned a new computer virus,
    the last sentence is always "This virus only infects Microsoft Windows operating systems." It would help people realize that there are other, safer OSs out there.
  • by wunderhorn1 ( 114559 ) on Friday October 04, 2002 @03:50PM (#4389821)
    Also worth noting is the puzzlement of anti-virus guys as to why they haven't been able to make the virus spread in the lab. "One of the theories is that this requires an Internet connection in order to spread." Gee, you don't say?
    Hey, man, haven't you heard? The black-hat community has followed the popular media they so enjoy in succumbing to the retro-80s fad. Boot-sector viruses are all the rage these days.

    So naturally the security researchers are walking back and forth, workstation to workstation with floppies in hand, trying to study the damn virus in action by giving it the ideal medium to spread over: 5 1/4" floppies.

    The next step will be to make a mock-up of a BBS and try uploading and downloading files via a 300 baud modem.

  • by Mysticalfruit ( 533341 ) on Friday October 04, 2002 @03:51PM (#4389833) Homepage Journal
    Considering I have hundreds of Code Red and Nimda requests bouncing off my webservers every single day, it's not surprising.

    What I'd really like to see is a virus that does something funny, like take your credit card number and order you pizza. You figure in the future once MS has all your personal information rolled into passport, we'll hear of viruses that manipulate your 401K, change your health insurance and sell your house and car (since all your loans will be through passport)

    Then we'll see people on the side of the road with signs like "Please Help Virus took my money house car God Bless" (Unless that person is me, in which case, the grammar won't be hobo and it won't be funny!...)
  • by Anonymous Coward on Friday October 04, 2002 @03:51PM (#4389834)
    Bugbear doesn't scare
    me because I use Linux
    Also, I am gay
  • In addition to the following list of subjects, the worm can create a new message as a reply to or forward of an existing message on the infected system.

    Get 8 FREE issues - no risk!
    Your Gift
    Get a FREE gift!
    150 FREE Bonus!
    25 merchants and rising
    New bonus in your cash account
    etc..

    If you have to write a mailing virus that relies on people opening it, why would you make it use spam-like subjects?

  • by croftj ( 2359 ) on Friday October 04, 2002 @03:52PM (#4389841) Homepage
    Is there a patch for KMail? I'd hate to be caught off guard on this one!
  • by Weasel Boy ( 13855 ) on Friday October 04, 2002 @03:57PM (#4389895) Journal
    I learned about this virus *from my mom* an hour before it was posted on Slashdot. If that isn't a sign that this site has jumped the shark, I don't know what is. ;-)
    • by Maledictus ( 52013 ) on Friday October 04, 2002 @05:05PM (#4390401)
      If I'd had kids when I was first married, my oldest child would be in college right now. I know women programmers who have grandchildren. So maybe it's getting so that it's not so unusual for mom to know best.

      "Son! Didn't I tell you to download the latest virus protection? Isn't that on your chore list? But you didn't, did you... Now your sister has to do it and furthermore, you're grounded!"

  • Crazy Printer (Score:2, Interesting)

    by imevil ( 260579 )
    The virus has a "bug": when it does its filthy things with window shares it also does something with shared printers, so if one morning you find a stack of paper on the printer with one line of gibberish per sheet (and something about a DOS program not being able to execute) it could be BearBug. Or someone who printed out and exe file from notepad.
  • by Pac ( 9516 ) <paulo...candido@@@gmail...com> on Friday October 04, 2002 @04:08PM (#4390003)
    My son received this beauty this afternoon, Norton got it whitout problems.

    But that is not the point. His machine resides in our home network, behind a Linux gateway/firewall. My Linux gateway/firewall, mind you. This lousy little Outlook inhabitant has zero chances of disabling our firewall or opening a arbitrary port somewhere. Anything going in or out has a name in rc.firewall. Anything not mentioned there is not going anywhere.

    Granted, I don't have much experience with "personal" firewalls and Windows firewall in general. Are they that easy to disable?
    • Any firewall is easy to disable if you have adequate permission and knowhow- you either kill the process or unload the library. These days the knowhow is transmitted by the script, so that leaves the permission issue.

      Aside from the issue that XP users normally un as root, if you can root the box, then you can disable a firewall - on Linux or Windows, all of which leaves us back at the same weakest link problem as always.
    • You have to realize, everything on Win9x effectively runs as root. (As well as a lot of things on NT, but that's a different story). Last time I checked, IP Tables and any personal firewall software out there does port filtering/blocking, it doesn't try to prevent itself from being killed. No matter if its windows or linux, if its running on the machine with the right privileges, it can kill the firewall.

      Now there are a lot of viruses out there that will try to disable anti-virus software, and more then a few will try to evade it by using obscure methods of accessing the system. From what I understand of win32 'real-time' virus scanners, for performance and complexity reasons, they can't monitor all system activities. They try to monitor the most common and the most exploitable. There is also a method of attack that tries to introduce enough delay in the realtime scanning so that the virus can disable the AV software before the AV software realizes something is wrong. Therefore, we see viruses that tend to be rather effective at disabling AV software. (Solution, btw, is to boot off a floppy and run antivirus software that way - F-Prot works well for that purpose).

      Anyways, like the *Nix world, the solutions are not to run unneeded services, and to PATCH PATCH PATCH. AV shouldn't be your only line of defense.

  • by JohnMunsch ( 137751 ) on Friday October 04, 2002 @04:24PM (#4390114) Homepage
    While everybody else speculates about how to get rid of the virus, why it won't spread in the lab, etc. I'd like to address the person who shipped this in the first place.

    Have you taken the time to carefully consider your DDOS targets? For example, is the RIAA on your list (http://www.riaa.org/)? What about the MPAA (http://www.mpaa.org/)? Fritz Hollings, Senator from Disney (http://hollings.senate.gov/)? Adobe, Blizzard, or anyone else abusing the DMCA? Microsoft?

    When you've got a dangerous weapon in your hands, use it wisely...
  • ...who is it that sends in these virus discoveries? I mean, I think we've all had weird things happen to us and most of my BSOD experiences I've chalked up to random occurences. Sure, if I found my hard drive wiped out tommorow I'd probably think a virus was afoot, but who is it that says "I think I have a virus" and is right?

    On the other side of the spectrum though have to be those who think everything that goes wrong is a virus. I can't find my document, it's a virus! (no it's not, you saved it somewhere else, doofus) I can't highlight this word in Excel - it's a virus! (no, you just need to RTFM) I'm getting spam, so I must have a virus! (sigh...)

    It's true - getting some people online is a Sisyphean ordeal [theonion.com]. My parents bought a Dell because of the kid in the commercials...

  • by Cervantes ( 612861 ) on Friday October 04, 2002 @04:29PM (#4390144) Journal
    It's been a bad day, so - ::begin true it-happened-to-me BOFH-style rant:: ::Sorry for the length, but I feel better now::

    Yanno, I've been telling my users for years now that the easiest way to stay safe is to keep updating. I even (choke cough sputter) turned on "Automatic Update" in Windows, just so it would keep them up-to-date. They disabled it, claiming "Every once in a while things would get slow for a bit, but now it's fine" or my favorite "I got funny messages". (PS: Also had to reimage 7 machines because somebody decided he was a geek and he could just copy his registry between machines).

    So I capitulated, and started sending everyone reminders by email when they had to update. I included the URL to windowsupdate and copious instructions. "It's too hard, I don't know what to do", they whined. I tried sending them the enterprise update exe's. They downloaded them, alright... put them right on their desktop, and forgot about them. I rewrote the reminder emails to include a script to do everything for them. It worked, for a bit... then I started noticing machines not being updated, and virii floating around that shouldn't. Turns out they'd started sending my emails right to the trash. "It didn't seem to do anything", they said, "it just popped up some box and then went away, so I figured I didn't need it." The box, of course, said "PERFORMING AN IMPORTANT UPDATE ON WINDOWS, PLEASE WAIT."

    Exasperated, I set up the NT login script to push the updates to the user (which I'd been avoiding, it involved actually getting the NT server working). It seemed to work fine, until one day I browsed the network by accident (hit the wrong button), and noticed that I had 65 computers in the group in an office of almost 200. Turns out some genius had found his way into Network properties and changed the setup to skip login to the NT server. "It was really annoying", they said, "I'd start up my computer in the morning, and then I'd have to wait for, like, a whole minute or two! Sometimes it wasn't even done when I got back from getting coffee! This is so much easier, we just hit 'escape' when the login screen comes up. Why didn't you do this in the first place?". It was at this point that I found out no-one was using the network drives either ("We have a network? Like an internetwork?"), thereby rendering pointless my copius virus scans and backups and RAID setup that I'd blown my monthly budget on. Fine, I say to myself, I'll show these buggers.

    So I set up a dummy machine, with which to do nothing but keep running perfectly and with all updates and latest drivers installed. I burned a bootable CD image from it, and whenever someone called in with a virus complaint, I'd go to their machine, pop in the CD, reboot, and go for an extended coffee break. The image had a boot virus scan to clean everything else up. Happy, was I, as I noticed the drop in virus calls. Soon, they dried up. I was actually starting to feel good, untill one day the VP called me in to find out why we were sending no less than 9 different virii to our clients every day. Their excuse? "When you did that thingy with the thingy, it made all our games disappear, and I've almost gotten to the second level!" Yes, indeed, they were just ignoring the virii now, even though they were getting messages from the antivirus program. Seems they believed clicking "Quarantine" would mean that I'd take their computers away and lock them in the server (clean) room for a while.

    So I tried locking down with PolEdit and SysEdit. They brought in their own windows CD's and reinstalled, because "something was broken and it wasn't letting me do what it used to". I pulled the CD drives (no use for them here anyways, except for games), and came out of the IT room late one night to find one of the file clerks studiously pulling hard drives from the cases to reimage at home and return the next morning. I drilled holes in the side panels and put a padlock on them. The users started bringing in laptops to do their work on from home, which even made the problem worse. I screamed bloody murder, demanded to know what the source of these problems were. Everyone played dumb. I felt my brains rotting and leaking out of my ears.

    Then, salvation. The VP mentions that he's seen alot of people emailing lately, and he wants to make sure that it's all company business. Would I monitor employee email usage, he asks? I try to suppress my snoopy-dance of joy as he gives me the escape clause from the moral dilema I'd been facing about finding out what the problems were. I monitor, I read, I find out who's sleeping with who (including a schedule for a tryst in the closet behind my server room. I consider installing a hidden camera), but most importantly, I find out the source of my headaches. An industrious middle manager has discovered the joys of wholesale computer warehouses, and has been joyously selling the employees games to play at work, and later, the laptops they brought in. I wonder how exactly he managed to charge people $25 to "upgrade their L4 cache so their games go faster". I admire his inginuity, but I know he must go. I feel good about this decision, mostly because I know he's screwing around with my computers, but also because I can justify it as "doing the best thing for the company". That, and productivity has gone in the tank, and everyone is blaming their computers, and at his direction, me. I'll make BOFH yet, I tell myself.

    That was a long time ago, at least in computer years. Once he left, things bounded back up to normal. People started doing what they should, not avoiding security so they could play games all day long. Why do I tell you this long story? Because that is my experience with users, and that is the pain that is caused when they don't do what they're told to. So, as someone who's told users for years to do their updates, I feel no sympathy for users hit by this particular (and moderately ingenious) virus. If they were good users, they would do their updates like their SysAdmin tells them to. They are bad users, users like the ones from above, and so I say "No PC for you!". I wouldn't feel like this, except the story specifically states that this virus takes advantage of known vulnerabilities. I don't see it as a bad thing, I see it as a chance to see who listens to me, and who'll get "upgraded" to a new 486 next month. I'm in a BOFH mood today, can you tell?

    In closing, I reflect on my outing of the middle manager. I printed out his more venemous emails regarding me, along with copies of invoices for illegally imported computer components and computer games charged to his expense account. I wrote a touching resignation letter for him to sign, explaining how he was leaving for "personal reasons". I left these on his desk as he was out to lunch, pointed his desklamp at them, turned it on, and turned off the room light. On top, I left a short note:

    It is dark.
    You are likely to be eatten by a grue.

    • ROFLMAO.

      If there is such a thing, I think you should be nominated for BOFH of the Month.

      And if you don't mind, I'm going to use a few of those tips...

    • Actually it's often a sign of bad management if something like this happens.

      Employees who repeatedly screw up company property should get verbal warnings, show cause letters, and if they still persist unfortunately they have to be sacked.

      It's a disciplinary and management issue. You should have backing from your management to enforce reasonable policies.

      If employees keep breaking the rules and getting away with it, it's bad management.

      If you don't get backing from management, then it's also bad management. It's bad to have responsibility without power. You get the blame, it's not your fault and you can't do anything about it.

      But if you did have management support, then it's probably your fault things things went that way.

      Link.
  • by EXTomar ( 78739 ) on Friday October 04, 2002 @04:30PM (#4390152)
    The big problem with MS's application is the idea that data can tell programs what do to. THIS IS A BAD BAD BAD IDEA.

    How foolish is this? How many people would open an email that said:

    Hey here is a perl script with my message in it. Go ahead and run it to see what I have to say.

    You'd be a fool on any system to execute what ever it really is but MS wants this behavior by default. The moment you let data run the program you get this bad stuff. Word document with macros that destroy files. A whole slew of Outlook nastiness. Heck nearly all buffer overruns in networked programs are based on the idea that sending bad data to gain control.

    Why does MS continue to cling to this idea that they can make data behave like programs?? It just isn't sound...I wish they would abandon it.
  • by Tsali ( 594389 ) on Friday October 04, 2002 @04:33PM (#4390168)
    haiku

    my baby's left me,
    from secret lover email...
    Thanks, unpatched Outlook.

    /haiku

  • by TrixX ( 187353 ) on Friday October 04, 2002 @04:52PM (#4390295) Journal

    The article doesn't draw this conclusion, but this effectively sets up slave machines for DDoS uses.

    This is only one possibility. Some warez communities use this kind of backdoors (specially code red) to install FTP servers in infected machines, and upload illegal software there. Then they distribute the IP addresses of this "stash" PCs.

    In that way, they have essentially a big farm of servers to provide content to their users. Obviously, the real owners of this servers don't know about that.

    Somebody showed me this some time ago. The guy was receiving warez access in exchange for doing some "work" for the warez admins. I talked to him and he didn't even know that this "IIS scanner" he was running for them was used for cracking into other PCs.

  • by dswensen ( 252552 ) on Friday October 04, 2002 @04:53PM (#4390303) Homepage
    So is the Bugbear's frequency Common, then?
  • well, I gues I need to dust off my +3 sword, call up my magic-user, and cleric friends, and go kick some ass.

    whew, I thought I'd be 8th level forever!
  • by zoombat ( 513570 ) on Friday October 04, 2002 @05:27PM (#4390546)
    I don't have anything to worry about, my computer is completely secure. I run linux with lynx. Who's going to write a virus for that?? That's too obscure, so I know I'm secure.
  • by Artifex ( 18308 ) on Friday October 04, 2002 @06:07PM (#4390796) Journal
    I first heard about this virus in the last few days in the form of spam that came to my box, proclaiming that Bugbear was a new virus on the loose.

    The fact that a spammer knows about this virus way before Slashdot indicates he's either very fast moving, or he may have some relationship with whoever created it. Unless, of course, Slashdot is just behind.
  • Why DDoS? (Score:3, Insightful)

    by Nishi-no-wan ( 146508 ) on Saturday October 05, 2002 @01:17AM (#4392294) Homepage Journal
    Why is it that whenever some new virus/worm sets up a backdoor to receive commands that everyone thinks they're for DDoS attacks? Judging by the huge number of formmail scans I get from computers that, according to DShild, appear to be infected, they're being used to scan for open formmail.[pl|cgi] relays and send spam.

    Viruses aren't just for script kiddies any more. The spam industry needs these infected machines to better cover their tracks in hopes of not getting sued into oblivion.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...