New Worm Spreads Via MSN Messenger 380
vxone writes "Anti-virus experts are watching a new worm that spreads through Microsoft Corp.'s MSN Messenger client. The worm is not harmful to infected machines and has infected only a few PCs at this point, according to an analysis by Trend Micro Inc. Known as Jitux, the worm is self-propagating and contains a link to a Web site that automatically downloads an executable file named 'jituxramon.exe' to the PC. Once the file runs, the worm begins sending out copies of itself to all of the names in the user's Messenger contact list."
ITS A VIRUS!!! (Score:4, Funny)
Re:ITS A VIRUS!!! (Score:3, Interesting)
Tom
Re:ITS A VIRUS!!! (Score:3, Funny)
I assume you are referring to the windows directory.
Re:ITS A VIRUS!!! (Score:3, Informative)
For those who don't know how, you can uninstall the thing by running:
RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove
Jituxramon... (Score:5, Funny)
Re:Jituxramon... (Score:5, Funny)
Sounds like something from Pokemon.
Ah, it must be a Bug-type then.
Re:Jituxramon... (Score:5, Funny)
It is... it evolved from Outlookramon.
Re:Jituxramon... (Score:3, Insightful)
Well, I can't speak for the mods, but I thought the spirit of the parent was to be funny. He accomplished that, although he was slightly inaccurate. You pointing out what you did was like someone dissecting a joke until it's no longer funny.
a la "well, technically, a chicken may not really have the mental sophistication to
Re:Sounds like a non-story (Score:3, Insightful)
Slashdot tends to report anything new and significant. Slashdot ignores most all of the same-old same-old Microsoft malware. It's Microsoft that waits until it's actually doing anything (unless the target is Microsoft's update servers;)
There is a genuine bias and propaganda going on against Microsoft
Right. I use Microsoft software. I am biased against it.
Any inkling of a worm, no matter how minor and
Re:Sounds like a non-story (Score:3, Insightful)
If you're reading security sites, then you're "doing it right", and that's what you need to focus on
So what does it actually do? (Score:5, Funny)
As it stands, it sounds a lot like a slashdot discussion
Re:So what does it actually do? (Score:5, Interesting)
I would guess that this is the trial run, to validate the theory behind a virus spreading in this manner. Once they know it works, the next one will have a payload.
Re:So what does it actually do? (Score:5, Insightful)
Re:So what does it actually do? (Score:5, Funny)
I've got one idea on what that payload could be. Disclaimer: I am not involved in and do not condone writing and distributing virii/worms, invading and abusing others' property, or any other illegal activities; it's just a thought that occurred to me while reading this thread.
Jitux, sounding a lot like "JIT (just-in-time) Linux" could carry a windows program that would accomplish following on each host:
0. Propagate;
1. Check whether host's hardware (modem, network card, etc.) and ISP connectivity are compatible and can be used in Linux;
2. Check for broadband connection;
3. If either (1) or (2) are false, propagate and do nothing else (exit);
4. Find an extra space on the hard drive and create one small and one or more larger new partitions; if no extra space is found (as is likely), quietly defragment and resize FAT32 or NTFS to free up space;
5. Place a small Linux bootable image on the small partition, and format other partitions;
6. Gradually, over the course of next few hours (or days) download and place common packages available for Linux on larger partition(s);
7. Once all required data has been downloaded, modify MBR to boot from the smaller Linux partition that was created.
On the following boot this should happen:
1. Display bootup screen similar to Windows; maybe display - "Windows is updating settings" while Linux is being set up on hardware and packages are being installed;
2. Copy settings from Windows partition - e.g., start menu items, background, O/OE settings, etc.; make sure to install comparable packages like OpenOffice.org, KMPlayer/Xine/etc., IMs with Linux; run whatever you can with WINE from Windows partition;
3. Boot into Linux with the WM/DE that looks as much like Windows as possible - adjusted KDE or GNOME - make sure the button says "Start" on it - that part is of utmost importance;
4. When they do "open -> my documents/pictures/music/etc." always display items from both Windows and Linux partitions; when they save, only save on Linux partitions; when duplicates occur only display files from Linux partition.
Voila! JIT Linux, or Jitux! Easier said than done (and I realize there could be problems), but if successful I am guessing 90% of home desktop users will not even notice any difference.
Disclaimer (again): I do not condone distributing virii/worms, etc. or illegally messing with others' property without permission. This was just an idea that occurred to me while reading this thread.
Re:So what does it actually do? (Score:2)
And what's keeping you from trying out one? Install SuSE 9 from FTP if you have broadband - it will do most things as described - minus moving your Windows settings over.
Re:So what does it actually do? (Score:2, Informative)
Re:So what does it actually do? (Score:5, Interesting)
Re:So what does it actually do? (Score:5, Funny)
Yeah, it's very similar to a Slashdot discussion - the only difference being that the Worm actually does something.
solution (Score:5, Insightful)
Re:solution (Score:5, Informative)
According to Network Associates [nai.com] "at the time of writing the worm was unavailable from this URL".
Welcome to Security 2004... (Score:3, Funny)
Here comes the New Worm...
It's just a New Year Worm - nothing much different
But a Linux worm was set loose yesterday - the first in 2004.
Yes, but that didn't hit as many sites...
Fine.. this new patch will fix the worm...
Hmmm.. but it also messes up Outlook 2003...
And so on and so on... Happy New Year!
Re:Welcome to Security 2004... (Score:2, Interesting)
Re:Welcome to Security 2004... (Score:3, Insightful)
Re:Welcome to Security 2004... (Score:4, Funny)
If you are able to read this, you have just been infected with the Honor System Virus. This virus is a cross platform virus.
If you are running a MS Windows Box, please insert a DOS disk, reboot, and type FORMAT C: /q press Enter, Y, and then Enter again.
If you are running a Linux or other Unix based OS, please open a Bash Shell as root and type in rm -rf / and press Enter.
Mac users need not do anything at this time, since your computer will likely crash on its own before you could successfully and intentionally format your own hard drive.
Thank you for your participation in the Honor System Virus. Have a nice day!
Helpful little program (Score:5, Informative)
After all, (simpsonism) "no one who speaks german could be evil (/simpsonism)
Re:Helpful little program (Score:5, Informative)
Re:Helpful little program (Score:5, Informative)
They simply make the executable a hidden file and remove the shortcut.
MSN will still work when you start the executable manually after "removing" it.
(Same goes for Outlook express btw).
Re:Helpful little program (Score:2)
(I don't remember why I launched OE, but there you go...)
Apart from that, though, I've not been bothered by Messneger *at all*. On first login to a new system, I merely tell it (in the preferences controls) to go away and never bother me again, and that's exactly what it does.
Re:Helpful little program (Score:2)
Re:Helpful little program (Score:3, Interesting)
and where is the reg entry or ini file located, so I can get rid of it when I set up a client pc? I don't want to install antispy on every desktop I set up...
Re:Helpful little program (Score:2)
Re:Helpful little program (Score:2)
All I know is that on the four XP machines (three Pro, one Home) that I have use of, Messenger did what it was told for all users (myself on all four machines, my gf and daughter on va
Re:Helpful little program (Score:3, Informative)
So, I nipped the problem by renaming msnmsgs.exe. Now whatever Windows *thinks* needs Messenger won't be able to start it. Don't get any errors about it either. Since I don't actually *use* Messenger for anything, this has pretty much solved my probl
Re:Helpful little program (Score:5, Informative)
Re:Helpful little program (Score:2)
Re:Helpful little program (Score:5, Informative)
Re:Helpful little program (Score:4, Informative)
Oh and just to give you an idea of how stupid the article was, you actually have to click on a URL that this message sends to you and unless you have been living under a rock, you can pretty much eliminate this problem by ignoring IMs from anyone that is not on your list. If most of your list does this, then there's no chance of infection. As most IM users have already discovered, there are enough SPAM IMs that are not harmful out there that you should probably set this up from the beginning. Hence the reason why there's only a handful of infections. This is NOT a hole in MSN Messenger....it's just users being the typical idiots that they are and that's only that handful of idiots that have been infected. Most MSN Messenger users would be unaffected by this.
Re:Helpful little program (Score:5, Funny)
Think of all the extra time you'll have when all your games stop working!
What about... (Score:2, Interesting)
Re:What about... (Score:2)
Serious question: What's to stop this type of exploit from affecting Linux or OSX?
Re:What about... (Score:5, Insightful)
Re:What about... (Score:4, Insightful)
Could you elaborate on this a little? From what little I understand of permissions in *nix, this might prevent data from being written in the wrong spot (i.e. overwriting of system files), but would it prevent a headless app from running and sending out messages to other machines?
Ah if only application firewalls were standard issue like virus scanners. At least Microsoft's forcing that evolution to happen.
Re:What about... (Score:4, Informative)
OS X comes with ipfw preinstalled, and it can be turned on with a couple of mouse-clicks:
Apple Menu->System Preferences
Select 'Sharing'
Select 'Firewall' tab
Click 'Start' button
There is also a tab with a list of service that one can check on or off, and it is easy to add new ones (click the 'New...)
Seems that I've read some debate of the merits of ipfw vs. other firewalls, but it seems to work fine for me. Also, there is the debate about whether or not it should be on or off by default. Personally, I think it should be on.
As far as headless apps, like daemons, I don't know. OS X asks for an admin password any time it needs 'root' access; if one makes sure they know what they're installing, and trusts the source, then I don't think anything too bad could happen.
Although, this just occurred to me. Could something like this launch an app in the background that captured keystrokes and saved them to a non-secure file/folder? That could be a problem.
(tig)
Re: firewalls (Score:3, Informative)
As far as disrupting some functionality, I hear you, but OS X seems to be mostly free from these issues, at least
Re:What about... (Score:4, Informative)
Programs execute with the same permissions as the user, though this happening is not very likely. For this to occur, two things have to happen;
Neither are impossible, though these are unlikely. (Some apps might skip the first step, though this is also rare.)
Keep in mind that unlike Windows, Unix-style systems don't use the name of the file or its extension (suffix) to determine if a file is an executable. If Windows followed the same model, you could click on worm.exe and Worm would not run automatically.
Re:What about... (Score:2)
Re:What about... (Score:4, Informative)
Re:What about... (Score:2, Interesting)
Re:What about... (Score:2)
Re:What about... (Score:2)
Unix isn't magic, it is a tool, though in comparison to Windows it's much less likely to be an issue [slashdot.org].
Process over product is and remains the rule.
Re:What about... (Score:4, Informative)
Re:What about... (Score:2)
Because no-one keeps valuable data in their home directory, right ?
And no-one has their unix boxes setup so that normal users can run shells, make outgoing network connections and send email, right ?
Right ?
Re:What about... (Score:2)
Not necessarily. You'd be prevented from binding to ports 0-1023, which is what mail servers use. You could use an ephemeral port, but expect to be rejected by most ISPs. So less of a problem here.
>delete your MP3s
You didn't have backups? You're a moron.
Nothing can protect you completely from user idiocy except pulling the plug. Unix based OSes still do a lot better than anything else on the market. This is a lot better than the complete format and reinstall you need to do t
Low risk (Score:5, Informative)
Now what responsible user would do that. NAI's web site claims that the worm code itself has been removed from the web server, thus rendering the worm harmless:
http://vil.nai.com/vil/content/v_100931.htm
-- Update 31st December 2003 --
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.web-user.co.uk/news/47502.html
This detection is for a worm intended to propagate via MSN Messenger instant messaging. The worm is written in Visual Basic.
It propagates by sending messages to the MSN messenger contact list. The messages contain a link to the worm itself:
http://www.home.no/( removed )/jituxramon.exe
When the link is clicked, the worm is downloaded to the target machine.
Note: at the time of writing the worm was unavailable from this URL.
Re:Low risk (Score:3, Interesting)
But if you are an IE user and you don't check carefully the URLs you click, you might be in trouble anyway (because these days the download of the trojan horse starts immediately, and it's silently executed).
On the other hand, I've been seeing such "worms" on IRCnet for months, and I'm sure they must have hit MSN messenger before.
Re:Low risk (Score:5, Insightful)
This is the kind of vulnerability that we'll basically never be able to get rid of, barring some kind of orwellian palladium thing. Dumb users will run shit they shouldn't, and infect their boxes. You can do things to reduce the probability, but you can't eliminate it.
I deal with this at work all the time. We have a user that just loves to run every damn attachment she gets her hands on. Despite a virus scanner and as restrictive privileges as we are allowed to give her, she STILL gets infected from time to time. There's just no stopping it. The only way would be to disallow her to run apps that admins don't install, which we aren't allowed to do (and doesn't apply to home users).
So we just have to accept this crap. Hopefully OS/app makers will do what they can to make it as hard as practical for this to happen, but you'll never eliminate it. You also have to be careful not to go too overboard. I mean I can think of many measures that would make these things much safer. However they generally involve things that would make them a bitch to use and piss people off.
Re:Low risk (Score:3, Interesting)
This is the kind of vulnerability that we'll basically never be able to get rid of, barring some kind of orwellian palladium thing. Dumb users will run shit they shouldn't, and infect their boxes. You can do things to reduce the probability, but you can't eliminate it.
Palladium is only bad because it's done in h
Human-activated (Score:5, Interesting)
It can't be harmful if it comes from a friend!
Just great.... (Score:3, Funny)
NOT A WORM (Score:5, Insightful)
Re:NOT A WORM (Score:2)
Re:NOT A WORM (Score:2)
I had something similar (Score:4, Funny)
The fix was to download the newest MSN, which upon reboot overwrote the pesky trojan.
Sorry I don't have more info than that.
Sharepoint compatibility (Score:2)
Not the first time (Score:5, Interesting)
The face of our attacker? (Score:4, Funny)
Seems to be a webcam up on the same site that hosts the worm. What worm maker would link to a site that hosts their webcam as well? I guess it shows that some people are really that stupid.
Re:The face of our attacker? (Score:2, Insightful)
Well it does say "Retard-CAM".....
Re:The face of our attacker? (Score:5, Interesting)
I think a lot of people who wind up unleashing worms are just playing around, seeing if it works. They aren't thinking about the consequences because they probably weren't intending to "release a worm" in the first place. Again operating under the assumption that the homepage you posted belongs to the Jitux author, it's quite possible that he wrote the code and sent it to a couple of friends to see if it would work. Before he knew what had happened, it was in the wild. The malicious file is apparently gone, so for all we know, he deleted it himself once he figured out that his creation was alive.
Naturally, all of this is speculation. It's equally possible, and perhaps even more likely, that the "jberg" user's FTP space has been compromised to host the malicious file.
If you must use MSN... (Score:4, Informative)
I've done it already, and my MSN account is redundant!
Re:If you must use MSN... (Score:2)
i.e. I'm on jabber.org and I can use the gateway on amessage.de
Also that means that your friends don't need to be on the same server.
(I've successfully been able to message between an account on jabber.org and jabber.com)
And this explains (Score:3, Funny)
Self propagating? (Score:4, Insightful)
why is MS always the target? (Score:3, Insightful)
i mean, for once the excuse can't be: "well, they attacked [insert MS software title here] because it's the most popular". AIM and YIM have been around a lot longer and no one ever wrote a "worm" (debatable label in this case) for those...
Re:why is MS always the target? (Score:5, Insightful)
Yes, [symantec.com] they [symantec.com] have [symantec.com].
Did you actually check before making that claim?
Re:why is MS always the target? (Score:2)
Of course not. That's almost forgivable, though - everyone says dumb stuff occasionally. Gotta wonder at the mods that sent it to +5, though:
a) the problem isn't that you can use VB to control it, it's that it exposes a programmable interface; the language used is irrelevant
b) as you've pointed out, the claims made about Messenger being the only IM client to have been hit by a worm are simply false.
But hey, let's not let the facts get in the way of a good
Re:why is MS always the target? (Score:5, Informative)
There are worms for ICQ, AIM and MSN. Yahoo IM is the only one that doesn't have a worm right now.
MSN worms have been around for a while now. This isn't news in any way. The worm relied on a website that is now shut, so the worm is effectively disabled.
If you want to know about IM spreading worms, read this [symantec.com] or this [securityfocus.com]
to remove msn messenger (Score:5, Informative)
@echo off
echo Removing Microsoft Messenger...
rundll32 advpack.dll,LaunchINFSection %WinDir%\inf\msmsgs.inf,BLC.Remove
echo Disabling it from running in the future...
rem Redirection is placed before each echo on purpose: with "...dword:00000001>>file"
rem cmd.exe reads the trailing digit as a handle number (1>>) and drops it from the output,
rem and "REGEDIT4>file" would likewise lose the 4.
>%temp%\nomsngr.reg echo REGEDIT4
>>%temp%\nomsngr.reg echo.
rem The key name was cut off in the original post; the Messenger policy key
rem HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client is assumed here.
>>%temp%\nomsngr.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client]
>>%temp%\nomsngr.reg echo "PreventRun"=dword:00000001
>>%temp%\nomsngr.reg echo "PreventAutoRun"=dword:00000001
>>%temp%\nomsngr.reg echo "PreventAutoUpdate"=dword:00000001
>>%temp%\nomsngr.reg echo "PreventBackgroundDownload"=dword:00000001
>>%temp%\nomsngr.reg echo "Disabled"=dword:00000001
rem /s imports the file silently, without the confirmation prompt
regedit /s %temp%\nomsngr.reg
run and bam! messenger is gone for good
Re:to remove msn messenger (Score:5, Funny)
c:
cd \
del
>:)
Re:to remove msn messenger (Score:2)
Don't run this blindly (Score:4, Insightful)
Re:Don't run this blindly (Score:2)
Re:to remove msn messenger (Score:3, Informative)
Also, remember to clean up afterwards...
del %temp%\nomsngr.reg
Orphaned temporary files will build up your temp directory to *scary music* BILLIONS of bytes if you don't watch it.
MSN Messenger is like a Swinging Sex Club (Score:5, Funny)
So basically, after reading the article and seeing that it only spreads to peeps on your contact list, I can now view my use of MSN messenger the same as swinging.
I smell a new MSN Msgr advertising campaign. "All the danger and excitement of swinging. Come on over, we're waiting to fuck you!"
progress (Score:4, Funny)
2005: MSN Virus Spreads Through Talking About Windows
2010: Virus Becomes Airborne
2012: Virus Overwrites C:\Brain\Personality
2015: Kalahari Bushmen last remaining humans on planet arguing about whether Linux or FreeBSD is better
New Worm: Bored_Friend (Score:5, Funny)
Infection rate: Global
This worm usually begins like this, but many variations have been seen in both the wild and in the lab.
John: Yo wazzup?
Me: No time to chat. I'm a little busy, gotta do some work.
John: Then why is your IM on?
Me: Because I need it for work.
Soon the worm spreads.
Jane: Hey, why are you giving John the cold shoulder?
Me: Shit, I just want to get something done here. I'm sending someone a file with IM then I'm gone.
Jane: You're full of it. John knows you're still pissed at him about blah blah.
The worm may even infect unaffiliated third parties.
Joe: Hey man, you don't know me, but I work with Jane at Curuthers and Magalby and the way you treat her and your so-called pal John is fucking bullshit. You should be ashamed of yourself.
Me: Seriously, I just want to get some work done here.
Joe: Yeah, like I'm going to trust a liar like you.
Fix: None.
Stopgap: Forever stop using IM with crazy paranoid social primates.
Don't just remove it, DENY its ability to run (Score:2, Informative)
Works for XP pro only I believe
Re:Don't just remove it, DENY its ability to run (Score:4, Informative)
that's Windows Messenger you are referring to, a completely different beast than MSN Messenger. Windows Messenger is an old component for sending explorer events to domain clients, for saying things like 'The Network is Going Down. Save Your Work Now." and such to your users. MSN Messenger is for "lol cyber u a/s/l/ here's a link to my plush toy auction on ebay" style messages to your social circle (and random people).
MSN Worm (Score:3, Insightful)
Well, people that accept these kind of file transfers without knowing what it is and then _opens_ the executable only have themselves to blame... (for not getting a Mac
Open-source to the rescue! (Score:2)
but we are (so far) worm free! Start to convert your friends for their own safety!
Just try to keep from discussing anything involving bytestreams... or play it up! "Hey, if you can't receive files, you can't receive worms!"
User intervention Part 2 (Score:5, Insightful)
Sure, I love the Microsoft bashing mosh pit just as much as the next Mac/FreeBSD user, however, in all honesty, when is the end user going to take responsibility for their actions? Doesn't this sound like the typical scenario in the "real world": something bad happens and the government is blamed for not stopping the idiot from hurting themselves.
The fact remains that the end user does VERY little to protect themselves. Sure, we'll have a chorus of ranters claiming that in their zyx operating system world, they would *NEVER* need that and through some miracle, somehow their operating system of choice is immune to all vulnerabilities.
The fact remains that no matter what operating system you run, you HAVE to take precautions. Run an anti-virus, make sure your software and virus definitions are updated, run a GOOD firewall and actually learn how to use the computer so that you can set up the firewall so that is it beneficial rather than a hindrance.
If you follow these VERY basic precautions, I would be VERY surprised if you get infected.
In a perfect world, one WOULDN'T need to take these precautions, software would be bug free, everyone would be honest Joe's and Jane's, however, that isn't the case, the fact is, the world is filled with losers, script kiddies and other parasites and unfortunately the only way to defeat these people is to make their conquests so meaningless that they'll go back to nicking car badges off cars and boasting to their friends about what level of "Rainbow Islands" they got up to on their SEGA.
Btw, does any one remember that game?
Re:User intervention Part 2 (Score:4, Interesting)
Because Microsoft's marketing blows sunshine up people's asses. People believe they are buying a simple system that will just run, never need maintenance, and protect them from messing it up. In reality Windows is a complex system that needs a fair bit of maintenance, or at least care on the part of the user to not do something that will cause problems (like open any old e-mail attachment in their inbox, no matter who the sender, or download any old file from Kazaa, or install Bonzi or other stupid shit like that).
When you try to explain to people that they need to run Software Update and virus scans and do other system maintenance once in a while, they don't want to hear it. "You mean I paid all this money (read: $399) for this computer and it doesn't do all that stuff for me? Forget it!"
~Philly
XP AntiSPy (Score:3)
XP AntiSPy [xpantispy.org]
Re:XP AntiSPy (Score:3, Funny)
Clients (Score:3, Insightful)
Almost like REALPHX for AIM (Score:3, Informative)
I kept getting IM bots sending me links to random porn sites since its 'peak' time when it appeared on almost all my friends' profiles. I found the fix here [rsaisp.com] and sent it to my friends. Since their fix, I've been getting less spam.
I would use gAIM but I found that AIM with the final free DeadAim saves more resources on my system.
Re:Ha! (Score:2, Funny)
Re:This is why we use linux (Score:5, Insightful)
Re:User Intervention Required? (Score:2, Informative)
Re:User Intervention Required? (Score:3, Insightful)
News submitters have been wrong before.
Argh... Now you reminded me of that recent stupid & incorrect double-posted "Oooh Earth Is Moving Slower Through Space" article.
Re:Some notify mechanism (Score:2, Insightful)