Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Evaman Worm Attacks Email Servers 182

An anonymous reader writes "CoolTechZone is reporting that the mail servers of various popular email services such as Hotmail and Yahoo to be bogged down with a new worm, code-named Evaman. The headings are common to the ones users encounter everyday in their inbox - "Failed Transaction" or "Delivery Failure". This worm has the potential to take control over Windows 95, 98, ME, 2000, XP, NT, and Windows Server 2003."
This discussion has been archived. No new comments can be posted.

Evaman Worm Attacks Email Servers

Comments Filter:
  • Sweet Zombie Jesus (Score:5, Informative)

    by linzeal ( 197905 ) on Monday July 05, 2004 @07:39AM (#9612315) Journal
    This is not a Microsoft exploit, just a trojan that targets MS products. What is the world coming to when I can't get my machine rooted without the work of logging into a free email service to check my pr0n mail?
    • by sploo22 ( 748838 ) <`dwahler' `at' `gmail.com'> on Monday July 05, 2004 @07:41AM (#9612319)
      Not only that, but despite the headline, it doesn't attack the email servers in any way whatsoever, other than sending itself through them like every other email worm.
      • What's more, I'm pretty sure it's not a worn, but a worm. Sheesh, didn't the submitter get ANYTHING right?
      • ..well im not so sure about that since a DoS is a form of attack.
        Consider the following situation:
        1- one user logs into his mail server and naively executes britneynaked.gif.exe and starts spreading the worm to all of his contacts.
        2- now, if all users that receive the worm do the same thing, the serve will start to bog his way down.
        3- Some users will not be able to connect to the server since it is to busy processing millions of worms going back and forth.
        4- The server has ben attacked.

        All worms ar
    • "This is not a Microsoft exploit, just a trojan that targets MS products."

      That isn't the best logic I've ever read.

      The trojan worm (new term, I know; get over it) targets a Microsoft application, which encourages malware distribution through a well known entry vector caused by a well known defective Microsoft design, running on a Microsoft operating system. How exactly is this not a Microsoft exploit?
      • If it requires a user to run an executable they get in their email, then it's not a microsoft exploit. It's a dumb user exploit. Just because said dumb user is running microsoft software, doesn't make it their fault.
  • Better Version (Score:5, Informative)

    by BenBenBen ( 249969 ) on Monday July 05, 2004 @07:42AM (#9612322)
    If you want the Symantec release re-written by someone who knows what they're talking about, look here. [theinquirer.net]

    "Evaman occupies a false email address" doesn't fill me with respect for CoolTechZone's credentials.
    • Re:Better Version (Score:5, Insightful)

      by pedantic bore ( 740196 ) on Monday July 05, 2004 @08:01AM (#9612390)
      They lost me in the first paragraph, with "a new worn" In fact the English is uniformly stilted throughout.

      Upon more investigation -- noting that every article on the page is written by the same person, and that person is the person who registered the domain, and nearly every article contains the same info (and sometimes the same text) as available from other widely known sources -- I wonder whether this site exists only to generate ad revenues from people who trip over it. Well, thanks to SlashDot, it's payday for Mr. Hora.

    • The trojan horse uses a false email address to generate messages with the usual attachment that carries the code.
      If users are dumb enough to open the attachment, their PC will be turned into a zombie sending out dozens of new messages.
      Oh, the utter disdain for the end-user. The Inquirer *must* know what they are talking about!
    • Better Versions (Score:5, Informative)

      by TubeSteak ( 669689 ) on Monday July 05, 2004 @08:20AM (#9612463) Journal
      If you want the Symantec release re-written by someone who knows what they're talking about, look here.


      "Evaman occupies a false email address" doesn't fill me with respect for CoolTechZone's credentials.
      And in the spirit of good journalism, wouldn't you think CoolTechZone would want to link to Symantec or directly to the advisory [symantec.com]. And not just CoolTechZone, but CmdrTaco too. Was the news that CoolTechZone reported this, that Symantec reported this or that there's a new worm out? As the news spreads, so does the crummy reporting, this time from The Inquirer [theinquirer.net]. They don't link to Symantec either & have winning lines like " If users are dumb enough to open the attachment".

      Okay, fine, users are dumb. How how about we give them a slight break in this case? Failed deliveries are far enough out of most people's 'normal' e-mail experience that i can understand why they'd read the message. No it doesn't excuse opening anything with .scr, but txt.scr, html.scr, outlook.scrtxt.exe might dupe your avg users.

      Anyways, here's a better article [news.com.au] linked by McAfee and The Article That Started It All [smh.com.au] from the Sydney Morning Herald. Perusing the summaries off of Google News [google.com] makes it seem like this will either be "unlikely to have a major impact on Australian businesses." or (now this is really crazy because it's from the same website, but a different article [smh.com.au]) "clog mail servers, cause severe slowdown and wreak financial damage as it spreads rapidly around the world when businesses return to work today"

      I love that everyone can quote the Sydney Morning Herald to report that the sky is falling, or that things will mostly be okay. how do two journalists end up with such completely different viewpoints? They both quote Tim Hartman

      "Tim Hartman, senior technical director at the security firm Symantec, said Evaman had the potential to be "every bit as bad as MyDoom. It's really shaping up like that. Mr Hartman estimated the virus would spread at an uncontrollable rate as people returned to work"
      and/or
      "We don't think it's going to be a major outbreak... most businesses had been able to filter out the affected emails" Mr Hartman said.
      /Rant
  • by ofdm ( 748594 ) * on Monday July 05, 2004 @07:43AM (#9612325)
    Rather than reading a journalists munged interpretation of what Symantec said, you can look at Symatec's original statement [symantec.com]
  • Also been seeing lots of those "MS Security Update" mails too. Anyone know if the two are related?
  • Hype (Score:5, Informative)

    by Lumpish Scholar ( 17107 ) on Monday July 05, 2004 @07:45AM (#9612336) Homepage Journal
    The article says, "The security firm, Symantec, has given this worm a critical warning and states that this worm could be as as dangerous as the MyDoom virus." Funny, Symantec's description [sarc.com] isn't nearly so dire: "Threat containment: Easy; Removal: Moderate."
  • by pdaoust007 ( 258232 ) on Monday July 05, 2004 @07:46AM (#9612343)
    Some good additional available here [nai.com]
  • Microsoft will do anything to get in the news :oP
  • We should be OK. The virus requires people to open the attachement on the mail in order for it to work. So unless people are stupid enough to open attachements after we've been telling them for years and years and after countless virus plauges not to we should all be fine... .......

    Oh God!! We're all DOOOOOMED!!!!!
    • No kidding (Score:3, Insightful)

      by Sycraft-fu ( 314770 )
      Never ceases to amaze me how people will continually open attachments. We warn them at work verbally, we send out memos, we post cheezy posters, we alter default mail client behaviour to make it harder. STILL some users insist on opening executable attachments. I will never understand what compells them to do so. I understand the first time, you don't know, and it is a nasty supprise, no problem. However after the third time a computer support person has chewed you out, you've AGAIN gotten the memo, etc, pe
      • The really scary thing is we have a virus scanner running on our mail server to filter this. However it is only updated once a day max, and the company (Sophos, not what we want but it's a government contract) isn't always on the stick with the updates. So people will do this within the first 48 hours of a new worm comming out. I hate to think what it would be like without filtering.

        How about if your "virus scanner" just deleted ANY file with a name like "report.doc.pif?" There is NEVER a legit file th

        • Yea, good idea, but it screws people up. The heuristics filtering on the software we use at work does this. Anything with two extensions gets borked. We didn't notice until our UNIX developers started bitching that their messages were being blocked.

          Really the servers should be blocking pifs and scrs at all times. Unfortunately after that got common, they started zipping the viruses. The idiot users still got infected after they unzipped and ran the program.
          • --Easy fix:

            $LUSER receives memo and verbal chewing-out from $SYSADMIN not to do this EVER again.

            $LUSER deliberately opens an infected attachment for the SECOND TIME.

            $LUSER is IMMEDIATELY FIRED and escorted from the building for:

            1) Incompetence
            2) Ignoring established and reasonable safety precautions
            3) Causing damage/downtime to the company's daily operations.

            --Make a VERY PUBLIC example of this idiot, explain WHY they were fired and that it WILL happen again if somebody else is stupid enough to f
            • In this case $LUSER is a tenured professor. You can't fire them for ANYTHING short of sexual harassment or something like that.

              While it's nice to think that tech guys rule the world and can make policies like that, it's not true in many cases.

              Like management of systems. We mangage most, but not all, of the computers in the building. Manage meaning have root/admin, have them joined to the domain/NIS, and take care of patching/updates. Most users are happy with this, since the only inconvinenece is you have
              • Yea, short of your boss stepping up to the plate and working with your dean/vp to set up a policy that the faculty have to adhere to.

                Working at a University myself, I know that there's phat chance of that unless someone broke in and stole research or something public, embarasing and destructive. Even then you may only get a knee-jerk reaction, but no real change.

                With some groups and some organizations, you can't do much more than strongly suggest.
      • When's the last time you got a Windows executable by email that wasn't a worm/virus?

        Just have your mail server reject all email with executable attachments. It fixes the problem without having to worry about antivirus scanner updates.
        • I don't know why we don't do that (I'm not the one that runs the mail server). Either Sophos doesn't support it or, more likely, there is politics involved. I do support for a university department so we can't just do things, we have to get them cleared with the faculty first. Thus there are some security things we'd really like to do, but simple are not allowed to.

          Also, as others have noted, some of the new ones have taken to zipping the files. Hell, some even zip and encrypt the files, and provide the ke
  • by rozz ( 766975 ) on Monday July 05, 2004 @07:53AM (#9612363)
    This worm has the potential to take control over Windows 95, 98, ME, 2000, XP, NT, and Windows Server 2003.

    i'm using Windows 3.1, you insensitive clod.

    • I'm using Windows 1.4 you insensitive clod!! *Attempt to open Paint followed by crash and ear-piercing beeping* AAAAAH!!
    • Re:you forgot some (Score:2, Insightful)

      by Anonymous Coward

      This worm has the potential to take control over Windows 95, 98, ME, 2000, XP, NT, and Windows Server 2003.

      I prefer to be explicit when telling people which software it affects.

      This worm has the potential to take control over Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows NT, and Microsoft Windows Server 2003.

      You see my point?

      Can anybody tell me why executing programs people send you by email is a desirable featu

    • by account_deleted ( 4530225 ) on Monday July 05, 2004 @08:54AM (#9612639)
      Comment removed based on user account deletion
      • Nothing to see here, time to get back to editing autoexec.bat and config.sys to try and eek out another couple K of conventional memory...
        What, you're not using QEMM? Just tell me you're not doing MemMaker, for god's sake...

        ((very) ex-QDeck Tech Support)
    • Ah, I'm safe then, I'm using office 97
  • by foidulus ( 743482 ) * on Monday July 05, 2004 @07:56AM (#9612371)
    is that the mail(at least the variant that I receieved) has a fake little message about the attatchment being scanned for viruses. Are people that gullible and/or stupid? I would hope people would be smart enough to realize that it's really easy to type a message saying that something has been scanned for viruses.
    Ugh, it's not even like you have to be computer savvy to figure these things out. Do people open their houses to random drifters who say they work for the city and need to do some work without at least checking for ID?
    Actually, yeah, they do, oy.,,what a world...
    • by Halo1 ( 136547 ) on Monday July 05, 2004 @08:28AM (#9612499)
      Many people are like that. One day, my landlady thought I had missed a payment. She called me and when I told her I just checked using the online interface to my bank account that the payment was really made, she asked me to print a copy of the receipts as "proof". Simply the date of the transfer was not enough for some reason.

      It took me quite a while to explain to her that I could save the html ("But surely you can't edit the web pages of your bank, can you?"), type in anything I wanted to, print it and send it to her. After I went through all this trouble to explain how I could cheat her, she seemed to assume I was telling the truth and that I did pay it.
      • Well, there is always some way you can cheat. You could print phony receipts, you could forge a bank statement... but what matters is that every business transaction you make involves some level of trust. You trust that when you pump gas in your car that it isn't water, and the guy at the counter trusts that the credit card is yours and that is really your ID (if he checks it). I don't think it's necesssarily a bad thing, either. I think a healthy society needs to be able to trust each other.

    • by rasjani ( 97395 )
      Writing email saying its been virus checked is just a simple form of "Social [securityfocus.com] Engineering [kuro5hin.org]" ...
      • And man does SE work well. I remember one of the worms receantly that claimed to be from computer support, or something of the like. Man did we get a lot of people fall for that one. Each time we asked them if we EVER told them to run things through e-mail. Of course we never do, if we need something run on a system, we walk ourselves over there and run it. However they'd claim "well I though maybe you changed how you do things".

        I was amazed at how effective this bit of SE was, espically since we support a
    • That isn't a new twist. It's been done before by one of the Netsky or Bagle variants if I remember right.
  • by TheLoneCabbage ( 323135 ) on Monday July 05, 2004 @07:58AM (#9612377) Homepage

    This would be the windows catastrophie of the week huh?

    Can someone please, please, please write a decent Unix worm so we can get some interesting headlines?

    And don't tell me it's just because MS is a bigger target. Linux runs between 35%-40% of the worlds servers (and more than that if your only counting the DMZd webservers). It's the code stupid.

    • Please don't give them ideas...
    • by Black Parrot ( 19622 ) on Monday July 05, 2004 @08:52AM (#9612625)


      > This would be the windows catastrophie of the week huh?

      It's only Monday; let's wait a few days before deciding.

    • by Richard_at_work ( 517087 ) on Monday July 05, 2004 @09:03AM (#9612691)

      And don't tell me it's just because MS is a bigger target. Linux runs between 35%-40% of the worlds servers

      Yes SERVERS. Servers dont tend to have stupid users with email clients on them running whatever they are told to by the email message, which is exactly how this (and many before it) spread. Thats the difference here.

      (Yes I know Linux is more proactively secure, but its security still doesnt protect from user stupidity. And before anyone says that users wouldnt be stupid to chmod permissions or untar a tgz with permissions retained, think about the recent worm that required users to enter a freaking password to unzip and run it. That one got around fairly well.)

    • Comment removed based on user account deletion
      • "Perhaps you would like to tell me what single application is run on 95% of the world's UNIX/Linux boxes that becomes a similar point of attack for a UNIX worm?"

        Actually the worms are mainly exploiting human ignorance and stupidity not Windows or MS stuff.

        It's a _fact_ that MANY windows users were actually willing to _unzip_ a password encrypted worm and then run it, means that the corresponding apps for Linux could be: tar, gunzip and make. Anyway, most Linux and *BSD systems have sshd running, and opens
    • Can someone please, please, please write a decent Unix worm so we can get some interesting headlines?

      First we need a sufficient concentration of dumb/ignorant users on Unix - easily 5 years away.

      And don't tell me it's just because MS is a bigger target. Linux runs between 35%-40% of the worlds servers (and more than that if your only counting the DMZd webservers). It's the code stupid.

      35 - 40% of the world's servers (which sounds ridiculously high, but anyway) is still an insignificant proportion of all

  • by holgie ( 588031 ) on Monday July 05, 2004 @08:18AM (#9612456)
    Can anyone tell me why it uses an smtp server?
    I mean - modern vira all include a built in smtp server. Makes them much better distributed...

    I hate sloppy virus writers! :p
  • No! your not serious!! surely it cant attach Windows 2003, Bill PROMISED me it was more secure.

    now COULD he do such a thing.

    Thats it, i want a divorce.

    :-)
  • long term solution (Score:3, Interesting)

    by ajs318 ( 655362 ) <sd_resp2@earthsh ... minus herbivore> on Monday July 05, 2004 @08:35AM (#9612536)
    I see the real long term solution to the problem of unwanted software execution being a form of public-key cryptography at the hardware level -- effectively, for every processor to have its own unique instruction set, so that only code compiled for that particular processor can be run on it. (Maybe there would need to be a compatibility-mode switch, to install a kernel and a compiler just to get you going; but please let it be something like a jumper on the motherboard which you have to put on -- certainly there should be no way that software could subvert this security feature.) Also, the installation of new software should require a conscious action on the part of the user, and involve a hardware operation -- such as operating a normally-concealed switch. If you bought a new computer, you would have to recompile all your software from source, but that's a small price to pay. Alternatively, you could allow the user to flash the thing with a new key pair; so you could just give your new computer the same instruction set as the old one. Or a corporation with many desktops to administer need only give all their machines the same keys, and then compile application software once to run on any of them.

    The average user won't really notice much. They will simply see an extra step taking place after downloading and before installing, as an automatic configure and make are performed. And they will have to validate the install, but I can't see how anybody would think that unusual: if it can affect the way your computer works, you damn well should have to tell it you're sure you want to go ahead.

    Since every piece of downloaded software would have to include the source code, it would be much simpler to chase up infections if they occurred. And if every software installation required users to validate it, drive-by downloads -- arguably a form of virus infection -- would become a thing of the past.

    It would still be possible to sell closed-source software; but you would either have to insist that users programmed their machine to a key pair you specified {which is great for locking out your competitors, but rather defeats the entire point of personalised instruction sets} or supply you with the public key of their machine so you can compile software for it {a little more secure for the user, but very expensive to implement}.


    BTW, why is anti-virus software closed-source? What don't the likes of Symantec want us to know?
    • I see the real long term solution to the problem of unwanted software execution being a form of public-key cryptography at the hardware level -- effectively, for every processor to have its own unique instruction set, so that only code compiled for that particular processor can be run on it.

      I can't see Microsoft allowing their source code out, even if encrypted in source form. Even very complex keys can be extracted, given time and enough power. It is very likely that MS source would be considered high en

      • You, as the owner of the box, would obviously get to create the public and private keys required to run software on it. The source code would not be encrypted; it would be in the clear. It would be the compiled code that would be encrypted. Ordinarily you would do the encryption during compilation, because you would be the one in the best position to compile all the software your box ran. Otherwise you would have either to send your public key to Microsoft for them to encrypt against, or change your pri
        • IMHO, the greater part of the problem is that people are too willing to run software on their machine that was compiled by someone else and never checked.

          Windows, for instance.

          Sorry, but your idea simply isn't workable. First, get Joe Six pack, who can install a copy of Office now, do the same for a copy he has to compile. Oh, that's right, Windows doesn't come with a compiler. Well, add in the cost of a compiler to the OS. In fact, intergate it. Next, since a machine can't boot source code, somewhere yo

          • First, get Joe Six pack, who can install a copy of Office now, do the same for a copy he has to compile.

            I think you're assuming compilation would be a more or less interactive process; I'm assuming it would be completely non-interactive. After all, properly-managed packages search for and download any missing essentials, so they can just compile without you having to do anything. A less kind person than myself would say forget your bad experience with RPM and try something like FreeBSD Ports.

            Oh, that

    • Wow, you're asking a lot from the average user. Oh well, Slashdot has its avearage users too.
    • You are talking there as the only possible worm/virus are binary, mean to be run directly by the processor.

      But you are forgetting:

      • macro virus
      • scripting-language based worms (well, that is an extension of the above)
      • Not remember one of the latest "successful" worms for linux/unix, but what it did was to download the worm code into /tmp, compile it and run, exploiting a vulnerability not remember if in ftp server or something like that
      • The most important part of latest worms is the social engineering one.
  • Yahoo and Hotmail are being protected by these puppies from Ironport [ironport.com]. They use Brightmail to filter to the Bulk folder and Sophos for AV. Hopefully they turned on both features.
  • by WoodstockJeff ( 568111 ) on Monday July 05, 2004 @09:41AM (#9612911) Homepage
    Selects an SMTP server from the following hard-coded list:

    The security advisory then lists a dozen or so popular multi-stage relays, from some major ISPs. This explains why my system was being hit by Verizon servers over a thousand times this weekend, targeting a non-existant address.

    And here I thought it was just their normal "ignore the 550 response code, just retry endlessly" configuration! Turns out, it was just their "Relay anything for anyone" configuration!

  • this doesnt mean windows is any less secure or vulnerable than its evil insecure unix counterparts ;P

    http://slashdot.org/article.pl?sid=04/07/05/1530 25 3

    and just because those systems dont get as many virii as windows doesnt mean they're secure, just shows they're incompatible with the latest virus technology!
  • *yawn* not again. Caught more than two years before the fact. By Outlook itself (yes, as in Outlook 98, Outlook 2000, 2002, 2003, Outlook Express 6 SP1). No?

    Hands up all you sysadmins who aren't keeping your users' mail programs up to date. OK, Users: Avoid these people like the plague and hire yourselves some real consultants.

You can be replaced by this computer.

Working...