Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Bug Operating Systems Software Windows

Nasty New Virus Variants 1050

Lucidus writes "Numerous journals, such as Mac Daily News and The Motley Fool, are reporting that the latest versions of the Beagle/Bagle virus can infect users' computers whether or not they open an attachment. Apparently, the simple act of selecting the message activates the code. Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?"
This discussion has been archived. No new comments can be posted.

Nasty New Virus Variants

Comments Filter:
  • Simple... (Score:4, Insightful)

    by Anonymous Coward on Sunday March 21, 2004 @11:51PM (#8631069)
    Don't use Microsoft products... or use them and have an up-to-date modern Anti Virus scanner.
    • Re:Simple... (Score:5, Informative)

      by BigHungryJoe ( 737554 ) on Sunday March 21, 2004 @11:59PM (#8631153) Homepage
      AntiVir [free-av.com] might be a good, free choice.

      I has served me well. Catches a lot of the spyware that my favorite pr0n sites try to push me, too.

    • What to do (Score:5, Informative)

      by Alien54 ( 180860 ) on Monday March 22, 2004 @12:07AM (#8631220) Journal
      There are a number of decent free and unfree antivirus programs available, as seen in this list [freebyte.com]

      Also nice are programs that let you delete the email at the server before you download, such as mailwasher [mailwasher.net], and with free versions.

      Of course, there are a number of alternate email clients out there that will also help block this beastie

    • Re:Simple... (Score:5, Insightful)

      by Sarin ( 112173 ) on Monday March 22, 2004 @05:53AM (#8632580) Homepage Journal
      not a bad idea.

      After the latest infection on my parents' computer, though mcaffee was installed and auto-updating and eudora, I decided to choose for the first.
      I wiped microsoft from the computer and installed gentoo with kde, firefox and sylpheed-claws and I made it autologin into their kde account.

      My parents have never been happier with their computer: 'internet is so much faster now' and 'hey that solitaire game is much more fun' and 'that thing allows you to have multiple virtual screens', it even looks better now and I told them they could click on any email virus they wanted.
    • Re:Simple... (Score:5, Insightful)

      by Perseid ( 660451 ) on Monday March 22, 2004 @06:06AM (#8632600)
      People have a tendency to forget that the evil-nasty viruses come out BEFORE the virus-scan developers have a chance to add it to their software. It is very possible to have the newest AV updates and get hit by a virus.

      People who hide behind virus scanners as if they solve all of the world's problems are part of the problem themselves.
      • Re:Simple... (Score:5, Insightful)

        by dustmite ( 667870 ) on Monday March 22, 2004 @09:02AM (#8633083)

        Yes, it's actually impossible to be protected against the 'latest virus that just came out', because it's impossible that your AV vendor has protection against a brand new immediately (unless the AV vendor wrote it themselves). There always must be a "window" between time of discovery of a new virus and the time that your AV is updated to protect against it during which you are vulnerable, and this is typically anything from a few hours to a few days.

        But just try to explain this logic to the damn "if you run an AV and keep your definitions up to date you'll have no problems" crowd ..

    • Re:Simple... (Score:5, Informative)

      by mosschops ( 413617 ) on Monday March 22, 2004 @07:18AM (#8632781)
      Don't use Microsoft products... or use them and have an up-to-date modern Anti Virus scanner.

      Don't forget that the Witty is entirely memory resident so most (if not all) virus scanners will miss it...
  • by bendsley ( 217788 ) <brad[at]floabie[dot]com> on Sunday March 21, 2004 @11:51PM (#8631070) Homepage
    the ISPs need to have some server-side virus scan running. we do through our company's email server, and so far, it seems to work like a champ
    • by prat393 ( 757559 ) on Monday March 22, 2004 @12:01AM (#8631164)
      Many of them DO... but these variants have been coming out so often lately that they're hard to catch up with.
      • by afidel ( 530433 ) on Monday March 22, 2004 @12:27AM (#8631359)
        Just strip all executable attachments. We do this and haven't had a single virus hit our network since implementing this simple step. Of course some worms have been distributing themselves inside of zips but that still takes more steps and hence more chances for the user to think about what they are doing, plus MS email clients can't auto-execute them (most people run Groupwise client on the Citrix farm but some do run Outlook via POP).
        • by badriram ( 699489 ) on Monday March 22, 2004 @12:43AM (#8631467)
          Except these worms now are not in attachments, they are part of the email message itself. It uses an activex vulnerability amoung others to attack the computer.

          If people patched their computers, the virus would not have an effect on the computer. Atleast not this one.
        • by LostCluster ( 625375 ) * on Monday March 22, 2004 @12:48AM (#8631493)
          Just what is an executable attachment these days? It used to be possible to say that Word files could never carry a virus, but ever since the Word Macro engine grew up into a full power Visual Basic for Applications that's not so true anymore.

          It used to be possible to say an e-mail with no attachments was safe, but today's virus of the day is proving that wrong... just using an IE bug in an HTML e-mail is enough to cause trouble.

          So, really... nothing's safe. I'm sure somebody will find a buffer exploit for plaintext mail in Outlook someday...
    • by Dominic_Mazzoni ( 125164 ) * on Monday March 22, 2004 @12:15AM (#8631273) Homepage
      the ISPs need to have some server-side virus scan running. we do through our company's email server, and so far, it seems to work like a champ

      This is so true...unlike spam, it's quite possible to detect 100% of known viruses with no false positives. That's because every virus must contain essentially the same payload. Viruses simply can't vary their content as much as spam can, because it has to result in executable code, plus some MIME trick or IE/Outlook exploit, either of which have no legitimate use and could be detected easily.

      I started running ClamAV [clamav.net] on my mail server a couple of weeks ago (after seeing a recommendation for it on Slashdot) and since then I have seen my viruses go down from 500 a day to 1 a week. I manually looked through thousands of the held messages and found no false positives, so now anything that ClamAV scans goes directly to /dev/null.

      I have no idea why all ISPs don't use ClamAV! Obviously they don't need to throw messages away, just in case - advanced users might prefer that messages probably containing viruses just be quarantined instead - but that would eliminate the problem for most people.
      • by Ironica ( 124657 ) <{pixel} {at} {boondock.org}> on Monday March 22, 2004 @12:50AM (#8631507) Journal
        I have no idea why all ISPs don't use ClamAV! Obviously they don't need to throw messages away, just in case - advanced users might prefer that messages probably containing viruses just be quarantined instead - but that would eliminate the problem for most people.

        My school's mail server, after getting slammed very hard by er... one of them a couple months ago (I can no longer keep up with which virus is which), installed something that I think is called Vscan. What it does is sends you an email which informs you that you were sent a message with a virus attached, and gives you a link with a generated username (usually the "from" email address) and password to view the message... if you really want to.

        I like this system, because it's soooo much easier to filter those messages as Junk than all the random stuff that might be thrown together by a virus ;-) and, if for some reason you get a *real* email that happens to have a virus attached, you can still read it just fine. Remember, back in the old days, when viruses were first learning to use email, and they'd just attach themselves to whatever outgoing messages you'd send? I'll bet there's one or two of those still floating around...
      • by runderwo ( 609077 ) <runderwo@nOSPAm.mail.win.org> on Monday March 22, 2004 @02:37AM (#8631986)
        I manually looked through thousands of the held messages and found no false positives, so now anything that ClamAV scans goes directly to /dev/null.
        Be careful. You might lose some messages you actually want, if anything ClamAV scans goes directly to /dev/null.

        Joking aside, be careful that you check the exact exit code that you need to determine whether ClamAV found a virus or not. I was using a script called clamfilter.pl that someone else wrote. Since I was in a hurry, I went ahead and stuck it in my procmailrc without checking into it much. It seemed to work for quite a while. When one of the MS virus storms hit, I started sending all the viruses to /dev/null like you are. This turned out to be a mistake.

        At some later point, we had a hard drive disaster that left most of /usr unreadable. However, the mail server was still running, and still using clamav to filter mail. Due to one of clamav's files becoming unreadable, clamav started exiting with a nonzero exit code, but not because it was finding a virus in the mail. Hence ALL mail went to /dev/null for a few days while the system was being rebuilt, and we didn't discover it until afterwards. I filed a bug with the clamfilter forum, but up till now the author hasn't fixed his (IMO dangerous) code that he is offering for general use.

        The moral of the story is, if you are sending mail to /dev/null in ANY case, be damn sure that you are properly checking clamscan's exit code.

    • by FalconZero ( 607567 ) <[FalconZero] [at] [Gmail.com]> on Monday March 22, 2004 @12:22AM (#8631328)
      My company outsources email virus protection to a dedicated service (Star Internet [star.co.uk]) which checks and forwards.
      Its pretty cheap, and I've not had to worry about any email virii for years.
      I'd (personally) like to see more companies (or even ISPs) going this sort of route as not only does it take the hassle away from sysadmins
      (so you don't have to drive in at X in the morning to apply a patch), but it consequently helps reduce the rate of spread.
    • by cs ( 15509 ) <cs@cskk.id.au> on Monday March 22, 2004 @12:24AM (#8631346) Homepage
      And ISP filtering can readily be a PITA depending on the lists you read. Example: I'm on several Yahoo lists. Naturally the odd virus (or virus-looking) email gets onto one of the lists and (apparently) my ISP bounces it (even though I've got "no filtering please" chosen with them). Anyway, the bounce is an SMTP 553 bounce. Yahoo considers this a "hard" bounce (which it is) and TURNS OFF ALL MY YAHOO DELIVERY. Very very very annoying.

      Now, one side of this is that SMTP needs (and lacks) a "this particular message will always be refused" error code. That would work well for virus filters, since the delivering system (eg Yahoo) could them just discard that message and continue with everything else.

      The real fix is not to use these buggy mail clients. Like M$ LookOut!

      And, though it's not applicable to the outright-buffer-overflow viruses like this one, not to use systems with the vile design flaw of letting users click on attachments and execute stuff. For example, my mutt mail reader has a mailcap that drives its attachment handling. Every clause runs a viewer. If I get a .exe I get told its size or offered an opportunity to save it to disc. It does not offer or try to run it. This core distinction is the weakness in the windows mail world: no attachment should have executable power. An explicit user driven install ritual should be needed to get such a thing into a context where it can be run. i.e. it should be a safe action for a user to double click any attachment - that act should always invoke a viewer of some kind.

      • by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Monday March 22, 2004 @01:08AM (#8631603) Homepage Journal
        The newer viruses send an encrypted zip file and a password. The user has to save the zip file, unzip the file, type in the password (!!!), and then execute the extracted executable. And there are STILL millions of infected boxen!!!

        Obviously the mail client is not the problem. The user is :(

        (And if you're wondering why the virus is encrypted, it's so it passes through filters. Encrypting with a random password has the nice side effect of randomizing the data. So there are no known strings to filter on. Pretty clever.)
    • Yes and No (Score:5, Informative)

      by macdaddy ( 38372 ) on Monday March 22, 2004 @12:54AM (#8631529) Homepage Journal
      Yes mail admins should implement AV solutions at their borders and within the central mail system itself. All outbound/inbound, inbound/outbound, and inbound/inbound mail should be scanned. However, the providers should not bear the full burden of AV filtering by itself.

      AV solutions can and do break. Our's did at my provider. We still haven't got it back online. Our users have had to endure the full brunt of infected email for far too long.

      No single AV solution can be up-to-date at all times. For starters we can't update our virus definitions within minutes of a newly discovered virus. It just doesn't happen. AV companies couldn't afford the bandwidth without raising our costs beyond what's considered reasonable. Free solutions such as ClamAV [clamav.net] certainly couldn't afford it. Also, not all AV companies discover viruses at the same time. F-Prot might find the latest version of MyDoom before Symantec does. The fact that they found it means it's already in the wild as someone has had to analize it, create a patch for the defs to match this virus, get the patch through Q&A, and get it approved for the next release. There could be numerous hours between the virus getting into the wild, being discovered, being analyzed, and being caught in the latest virus defs.

      Finally no defense of any kind should ever be one layer thick. One layer thick means you have no backup plan. No backup plan means you have no contingency for failures. No contingency for failures means your DRP (disaster recovery plan) has either been written fraudulently or you don't have one. In today's business world that means you'd better start updating your resume. A provider's mail system should not be the only line of defense from email-based viruses. Every single end-user desktop should have an up-to-date AV tool scanning all mail ahead or as a companion to the MUA. This is the *only* acceptable means of defense. You have to have end to end protection.

      Many AV company's licensing scheme take both mail system users and desktops into account. Read the wording carefully because you may very well be able to use the end-user license to cover that user's part of the mail system....

  • Switch!!! (Score:4, Insightful)

    by Anonymous Coward on Sunday March 21, 2004 @11:51PM (#8631073)
    Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?

    Well, this one is gonna start a whole slew of flaming and trolling over the virtues of one platform over another as it is kinda a loaded question with a simple answer:


    So let's start right off with a big razz towards Windows users from both the Linux and Macintosh communities.........


    Seriously though, when are you guys gonna get the picture? Microsoft if chasing a moving target here and they will always be behind the curve, reacting to the latest virus outbreak until they fix what is fundamentally wrong with the Windows architecture. Hopefully this will happen with Longhorn in 2006......or 2007.........or whenever.

    • Re:Switch!!! (Score:4, Insightful)

      by NemesisEnforcer ( 654033 ) on Monday March 22, 2004 @12:14AM (#8631268)
      Your solution is to switch to an entirely new OS because their "default" email program is poop?

      How about all the windows users check out Mozilla Thunderbird. You can keep your nice, friendly OS, and still not have to worry about insanely sad security. http://www.mozilla.org

      However, if you're feeling a tad adventurous, then by all means check out the alternative OS choices. Need some names? Check out FreeBSD, Red Hat (Fedora Project), Mandrake, and there are plenty more on distrowatch.

    • Re:Switch!!! (Score:5, Insightful)

      by golgotha007 ( 62687 ) on Monday March 22, 2004 @12:22AM (#8631319)
      you don't really need to go so far as to switch operating systems. perhaps this is a wake up call for those to switch to different applications that have the same or similar functionality.

      i use both windows and linux machines day to day.
      on my windows machines, i've activated the built-in firewall and use Mozilla Thunderbird for mail and Mozilla Firefox for web browsing.

      i have zero problems with viruses or worms.

      The real culprits here are IE, MS Outlook (& Express).
      • by 0x0d0a ( 568518 ) on Monday March 22, 2004 @01:40AM (#8631757) Journal
        Even if you don't switch to a client that's more secure, switching to one that's *less used* will work equally well. How many viruses are going to target, say, Pegasus Mail, even if it's riddled with overflows? Not a hell of a lot. I can understand interoperability issues with Word, Excel, etc, but this is *email*. All the clients out there work fine together, and it's not as if it takes long to learn an email client. The main concern in such a switch would be moving old stored email, and I would guess that any major Windows-based email client would provide Outlook import.

        Email is also a good candidate for a piece of software to be written in eiffel or ocaml or some other safe language (Java might use too much memory, but there are safe languages that aren't as RAM-intensive). An email client does very little that's computationally expensive.
    • by Brightest Light ( 552357 ) on Monday March 22, 2004 @12:43AM (#8631470) Journal
      That's funny, I'm typing this on a Windows 2000 machine, and I've yet to get infected with the virus/worm/trojan of the week. Maybe its because i use a mail client that isn't riddled with security holes [mozilla.org] and an anti-virus program [symantec.com]. Might I also add that I encrypt/sign all of my email, and I don't open attachments unless I've confirmed the veracity of the email (either by decrypting it (if the sender is clueful) or by talking to the person that "sent" the email (if they aren't)).

      If a user does not know how to run a windows machine (keeping up to date on patches, running antivirus software, etc) then please explain to me how they'll be able to admin a linux machine. The truth of the matter is, they can't and they won't. The ranting of *nix fanbois aside, the problem exists between chair and keyboard. The email viruses that require you to open a password-protected .zip file prove that.

      I'm certainly not trying to hold up windows as the platform of choice, because it sure as hell isn't mine; but regardless of your operating system of choice, if you're clueless you're clueless; and unless you fix that first, you're not going to fix the overall problem.

    • Re:Switch!!! (Score:4, Informative)

      by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Monday March 22, 2004 @12:59AM (#8631567) Journal
      Even on Windows, a simple download of Mozilla Thunderbird will solve this, among other problems.

      It's ridiculous that more viruses (or worms) come through email than through any other means. I predict that someday soon, people will stop using Outlook [Express] and start getting their viruses through Internet Explorer, Samba shares, or straight through the wire (smashing the IP stack). Maybe then it really will be important to switch to Linux.

      I agree, people should switch, but if people used Windows with more intelligence... Well, maybe people wouldn't want to switch, which would be a Bad Thing, so maybe I should keep my mouth shut.
  • Two Words: (Score:5, Funny)

    by Limecron ( 206141 ) on Sunday March 21, 2004 @11:52PM (#8631086)


    One word, hyphenated.
  • 1 answer. (Score:4, Insightful)

    by numbski ( 515011 ) * <numbskiNO@SPAMhksilver.net> on Sunday March 21, 2004 @11:52PM (#8631090) Homepage Journal
    Use thunderbird, connect to exchange via IMAP4, use the web interface for calendaring.
  • by Anonymous Coward on Sunday March 21, 2004 @11:53PM (#8631093)
    I head straight to the Motley Fool. Likewise, when I want financial info, I'm on Slashdot.
  • Aside from... (Score:5, Insightful)

    by ZiZ ( 564727 ) * on Sunday March 21, 2004 @11:53PM (#8631099) Homepage
    ...applying the patch which the article says was out last October?

    I don't know. Webmail, one of the numerous non-vulnerable email clients for Windows, maybe give up email entirely [stanford.edu]?

  • Monoculture is bad (Score:5, Insightful)

    by lavalyn ( 649886 ) on Sunday March 21, 2004 @11:54PM (#8631103) Homepage Journal
    The viruses have mutated in the wake of developed resistance (slightly more educated users). It's an evolutionary battle being fought...

    But as there are way too many deployments of Outlook as it is, and because it is Outlook/IE that is being exploited, the first solution would be to increase diversity in that field. Other mail clients, such as Thunderbird, or Eudora, will thrive while Outlook continues to succumb to these new diseases.

    Oh who am I kidding, Outlook will continue to wreak its wrath upon the Net and cause us to all suffer as a result.
    • by Black Parrot ( 19622 ) on Monday March 22, 2004 @12:02AM (#8631175)

      > But as there are way too many deployments of Outlook as it is, and because it is Outlook/IE that is being exploited, the first solution would be to increase diversity in that field.

      IMO e-mail viruses don't result from monoculture; they result from bad software design. Namely, e-mail clients that execute attachments.

      We'd have Linux e-mail viruses in a minute if the popular e-mail clients added support for automatic execution of attachments. (Assuming anyone was foolish enough to use them.)

  • by Unordained ( 262962 ) <unordained_slashdotNOSPAM@csmaster.org> on Sunday March 21, 2004 @11:54PM (#8631108)
    As per the article (Motley, at least) ... the virus is executed by some malicious HTML in the message, which would be activated if the message is viewed in full or preview(pane) modes. Simply clicking on the message in the list (you -did- turn the preview pane off, didn't you?) won't infect the machine. However, this does mean that similar HTML, from a web browser, might also be dangerous. Anyone have info on that idea? (Malicious websites giving you the virus by visiting the site?)
  • how to fix (Score:5, Insightful)

    by AnonymousCowheart ( 646429 ) on Sunday March 21, 2004 @11:54PM (#8631109) Homepage
    How to fix this? Install mozilla!
    Anyway, according to this article here, [newsfactor.com]
    "Bagle exploits a flaw in Outlook, revealed in October of 2003, that allows a hacker to upload and execute a file on a user's PC without that user opening the file. Microsoft has issued a patch for the flaw in October, but users who have not updated their systems with this patch are at risk."
    If you run an MS machine, and don't know that you have to update regularly, you need your head checked. Besides, updating an MS machine really is easy.
  • by Boyceterous ( 596732 ) on Sunday March 21, 2004 @11:57PM (#8631138)
    One feature of MS Outlook that is missing from most other email clients is the ability to download just email headers. I use this feature to review sender/subject and I can identify all spam just from that.

    Actually, I use my own program to download headers, score them for likely spam, delete the garbage emails(without ever downloading the actual content), then start outlook to get the real ones.

    Obviously, if a legit sender transmits a virus, it's a problem, but I guess that's why I pay Symantec.
  • well... (Score:5, Funny)

    by LBArrettAnderson ( 655246 ) on Sunday March 21, 2004 @11:57PM (#8631140)
    Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?

    place 2 other junk emails around it, select the top 1, hold shift, select the bottom one.... DELETE.
  • How about... (Score:5, Insightful)

    by Spacejock ( 727523 ) on Monday March 22, 2004 @12:02AM (#8631174) Homepage
    ... using email software which doesn't render HTML [spacejock.com], and instead shows it as plain text without images?

    Yes, I wrote it. I wrote it because 99% of the messages I receive in HTML format are advertising. Most of those use dinky little images with referrer IDs to verify your email address is valid. The 1% I really need to see in HTML ... well the program has a link so you can view it in your default browser, if you really have to.

    I know it's going back to the dark ages, but maybe NOT running javascript, html, etc is actually GOOD when it comes to emails.

    I'm not advertising this thing, it's freeware anyway. I was a moderately happy Outlook Express user for years, but the lack of spam torturing implements drove me to write my own. Yes, I tried Mozilla, Eudora, etc etc. I think Thunderbird looks interesting too, and I recommend it. But personally I can't do without my POP3 preview window with colour tagging for spam, valid mail, blocked senders, ignored, etc. And deleting stuff before download. And bayesian filtering. And anything else I feel like adding, whenever I want to.

  • by GillBates0 ( 664202 ) on Monday March 22, 2004 @12:03AM (#8631179) Homepage Journal
    I pity you so :'( tsk tsk
    Proud user of Pine since 1994. Thank you, Univ. of Washington!

    ? HELP - Get help using Pine

    C COMPOSE MESSAGE - Compose and send a message

    I MESSAGE INDEX - View messages in current folder

    L FOLDER LIST - Select a folder to view

    A ADDRESS BOOK - Update address book

    S SETUP - Configure Pine Options

    Q QUIT - Leave the Pine program

    Copyright 1989-2003. PINE is a trademark of the University of Washington.
    ? Help P PrevCmd R RelNotes
    O OTHER CMDS > [ListFldrs] N NextCmd K KBLock

  • by gvc ( 167165 ) on Monday March 22, 2004 @12:04AM (#8631195)
    The mime-type bug has been known for a long time. Microsoft has corrected it (twice :-)). I know this because my parents' computer was infected between their first and second attempts to fix the problem.

    In a nutshell, Microsoft uses the filename extension, not the mime type, to decide how to open a particular file. On the other hand, Outlook uses the mime type to decide whether or not to automatically launch images, sound files, etc. So all you had to do was to send a mail with an embedded image with a filename ending in .exe, and it was executed.

    It has been more than a year since Microsoft crippled^H^H^H^H^H^H^H^Hfixed IE/OE sufficiently to remove this vulnerability.

    I must concur with previous posters that the best approach is to avoid these software products.
  • Generic Rant (Score:4, Insightful)

    by _Potter_PLNU_ ( 627430 ) on Monday March 22, 2004 @12:06AM (#8631211)

    <Insert Generic Windows Rant Here>
    <Insert Generic Praise about Linux/Mac Here>
    <Submit knowing that anyone that has the problem will never see it here>
  • by DroopyStonx ( 683090 ) on Monday March 22, 2004 @12:08AM (#8631228)
    I've said it before, and I'll say it again: people need to start being responsible for THEMSELVES. It's not Outlook's fault that the user didn't patch their system.

    I'm sure that if someone wanted to take the time and analyze the source for Thunderbird, they could easily write the same type of worm/virus. However, you won't get the same type of media coverage that the others written for mainstream products will get. And yes, MS does write some exploitable code.

    Most users who aid in the spread of these viruses/worms are ignorant. Time after time, news report after news report, they CONTINUE to fail to keep their systems up to date.

    What's funny is each and every mainstream worm has been written AFTER the patch has been released.. and it's not like the day/week after, it's 5-6 months after. That's sad.

    • by lone_marauder ( 642787 ) on Monday March 22, 2004 @12:49AM (#8631500)
      I'm sure that if someone wanted to take the time and analyze the source for Thunderbird, they could easily write the same type of worm/virus.

      The virus writers have the source code for Outlook? No wonder there are so many viruses for it!
    • by Ironica ( 124657 ) <{pixel} {at} {boondock.org}> on Monday March 22, 2004 @01:15AM (#8631641) Journal
      I'm sure that if someone wanted to take the time and analyze the source for Thunderbird, they could easily write the same type of worm/virus.

      I'm not, for several reasons:

      1. Thunderbird has never thought implementing auto-launch of executables embedded in email was a good idea.

      2. If you're using Thunderbird, you're probably using Firebird, and it's not as likely to try to do what the malformed HTML tells it to.

      3. Even if you *do* manage to get Firebird to do it, it's not part of the operating system, and isn't likely to be able to do really nasty stuff to your computer.
    • by kurt_cagle ( 410798 ) on Monday March 22, 2004 @02:11AM (#8631877) Homepage
      I have had received more than a few patches from Microsost which:
      a) Failed to solve the problem in the first place,
      b) Caused another problem to appear in a seemingly unrelated application, resulting in significant time spent debugging, uninstalling, and otherwise wasting time for something I had no control over,
      c) Ended up adding significantly to the amount of unusable space on my Windows XP system,
      d) Added considerably to the bloat of the System Registry.

      I moved our entire company off Windows to SuSE Linux after one of our primary public facing servers became infected with a worm which enterprising hackers used to store (and later serve) German porn movies. This despite our sysadmin religiously installing patches.

      That is a big part of the reason why I no longer find the argument that Windows is just simply the largest target even remotely accurate. My sysadmin also does some coding work, and every patch that needs to be uploaded reduces his profitable time; to have something that compromises the integrity of our system in such an egregious manner is not acceptable.

      I would rather have a good sysadmin that knows what he's doing maintaining a secure Linux system than having a less competent sysadmin maintaining a Windows system because the system tools are easier to use, even if it means paying more to the Linux admin.
  • by windside ( 112784 ) <pmjboyle@nOSpaM.gmail.com> on Monday March 22, 2004 @12:28AM (#8631368)

    It occurs to me that both of the articles in the post are extremely light on facts. Furthermore, one of them has the rather pithy headline "Five new Windows Bagle virus variants break nasty new ground; Macintosh unaffected". Frankly, I don't care enough about the story to go hunting for news from appropriate sources like Symantec or McAffee, but it would be nice to see /. posters and/or editors go the extra mile to get out there and find information that is slightly higher than tabloid-quality.

    Normally, I would bite my tongue on something like this, but it seems pretty obvious that in this case, the underlying theme of the article is "ha ha, isn't Microsoft terrible", which is pretty juvenile and meaningless. Here's a company that provided - in October - a working patch to prevent the flaw that is exploited by this virus. I'd say that's pretty reasonable, given the circumstances.

    [Cue flames.]

  • Nothing New (Score:5, Informative)

    by rixstep ( 611236 ) on Monday March 22, 2004 @01:57AM (#8631819) Homepage
    Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?

    This is nothing new. Leigh Stivers of DP Technology, researching in the wake of ILOVEYOU from May 2000, demonstrated in the fall of that same year [com.com] that anything goes with poor products like Microsoft Outlook.

    This revelation, like ILOVEYOU and all that followed, did nothing to move the masses away from their bad habits. AnnaK followed, and after that things only got worse, and still we find people trying to batten down the hatches and still use Outlook and Swiss cheese Microsoft technology.

    So how do you avoid threats like these new Bagles? Easy. You stop using Windows because you're supposed to be smarter than that at this point in time - after getting the shit kicked out of you for four years straight.

    Second, if you're simply too lame to abandon your beloved Windows, then you at least abandon Outlook and all IE-related email technologies such as Eudora. Any email client relying on Internet Explorer is a sitting duck, and you know it.

    I am not telling anyone anything they do not already know; even posing such a question - 'how in heavens will we protect ourselves now?' - is so lame it's beyond description.

    The Bagles are hardly the worst threat right now anyway. Phatbot is out there, harvesting machines like they're going out of style, and coming ever closer to the first million mark. This is outright organised crime. The machines are left as backdoored P2P bots and can harvest bank account details, credit card details, passwords all over the place, and the corrupted machines can be used in further spam attacks - where the unwitting, claiming ignorance and helplessness, go ahead and click on things and use Windows and Outlook and then ask 'how can we protect ourselves?'

    It's not interesting anymore. There's no point in trying to help those who categorically refuse to help themselves and take the necessary steps to be safe. The only concern, voiced for years now, is that these ignoramuses are ruining the Internet for the rest of us - and that is a very real and very justified concern.

  • Four Years Old (Score:5, Informative)

    by rixstep ( 611236 ) on Monday March 22, 2004 @02:07AM (#8631861) Homepage
    New Outlook Hole Found
    May 8, 2000 0:00 AM UTC
    This is getting ridiculous. An email appears in Outlook's inbox, and even before the user does anything, a message pops up on the screen. 'Had this been a real virus, you would not be happy', it reads. The relieved user clicks 'OK' and another box pops up.

    'Deleting hard drive now... Just kidding!'

    It was written by Leigh Stivers of DP Technology, who is trying to draw attention to a hole in Outlook that is far more dangerous than the ones ILOVEYOU found - this hole allows any email to be loaded invisibly with a destructive program that could go as far as deleting an entire hard drive.

    Unlike viruses like ILOVEYOU or Melissa, these programs have no attachment and give no indication that they are anything other than ordinary email.

    And with Outlook's factory defaults, this program - which might have been set to wipe your entire hard drive clean - can start running without you having to click a thing, before Outlook even tells you mail is there.

    'The script can do almost anything', said Stivers. ''We were amazed to see how open everything was in house here, and we take security pretty seriously.'

    You shouldn't have been amazed, Mr. Stivers. But thanks for the tip. We shall now visit the C|net link and read the article and within 30 minutes be running a better email client - for this writing on the wall is surely enough for even the lamest Outlook user?


  • by dtfinch ( 661405 ) * on Monday March 22, 2004 @02:42AM (#8632004) Journal
    If you refuse to use a mail client besides Outlook Express:
    1) Disable the preview pane. View messages by double clicking them. That way you're never forced to view a message you haven't made the decision to view, either by trying to delete it or by it being the top message in your inbox. This also helps to reduce spam, because spams with linked images can be used to verify that you read the email.
    2) Only view email you trust. For the rest, view the message source or ignore the message.
    3) The above will stop 99% or more of email viruses out there. To further reduce the risk, patching frequently and using a spam filter helps. Virus scanners like AVG also help but you can expect a noticeable slowdown in system response if you use one. I don't. No virus problems ever in 12 years.
  • Solution (Score:5, Informative)

    by Idaho ( 12907 ) on Monday March 22, 2004 @06:14AM (#8632616)
    Given that you have to select an E-mail to delete it, how are users supposed to protect themselves from this one?

    From best solution to workaround:

    1. Don't use a Microsoft E-mail client
    2. Use a virus-scanner that catches it before it is opened
    3. You do not *have* to view an e-mail in order te delete it, if you close the preview pane you can delete it without viewing (even in Outlook Express). This is not exactly what I'd call convenient, though.

(null cookie; hope that's ok)