New, More Destructive Love Bug Variant
Everyone and their brother wrote in to say that a new and more destructive version of the ILOVEYOU virus has hit the net. Instead of deleting only a few files, this one deletes every file not in use. And even more amusing, rather than using a hardcoded subject line, it uses the host's email archive to cause the subject to change while it propagates. Intelligent mail client users continue to be unaffected (although the ILOVEYOU sympathy virus has been annoying the heck out of us for days now... it works on the honor system: Please delete some files and mail to all your friends).
E-mail administrators?! HAH!! The guy that admins our Exchange box was a Customer Service call guy up until 2 months ago, they just sort of dumped it on him and he had to learn how to use it in 2 days. He's still figuring stuff out, I help him when I can, but until this happened neither of us had worked with an Exchange Server before. Our company is too cheap to hire someone that knows what they are doing, so we end up scurrying around for days trying to solve problems that would take an experienced person 15 minutes....
Ain't work grand?
Kintanon
Check out JoshJitsu.info for Brazilian Ji
I just noticed that in the filters I posted, my tab character has been represented as a '>', so if you actually implement these rules, you will want to make that change as well.
Hey, that's some proactive sysadmin there!
"I will take the Ring," he said, "though I do not know the way."
could someone please alter this virus so that its payload turns off the registry setting that allows it to propagate, and end this mess once and for all? a self-vaccinating virus, what a concept. then we can safely ignore this problem (for a while).
As for some of the up and coming AV firms, I wouldn't put it past them, however in this case I think it's just kiddies having fun with a mechanism that someone else wrote, doing it just for grins and bragging rights.
More race stuff in one place,
than any one place on the net.
. . . check out this file, on the Samhain project. This is basically a polymorphic-stealth worm system, that was developed as a proof-of-concept (and was never finished).
It's cross-platform (as in, Unix and NON-Unix), it goes really far to evade detection and analysis (not to mention removal), and the freakiest part of it is, the whole system was designed to work in a distributed, intercommunicable fashion ("wormnet"). It's scary shit. Especially an observation the lead programmer makes near the end-- "sure, we didn't release this, but what if some other intelligent but deranged programmer out there has?"
iSKUNK!
Viruses are challenging and interesting. Some of the ideas used in them have been incorporated into modern software. Just like anything else, if you don't use viruses to harm people or data there is nothing wrong with them at all. Why do Linux hackers write code that they will give away? They like the challenge.
I always thought that it would be cool to write a virus killer virus. It would search out a few known viruses and destroy them.
Environmentalists are their own worst enemy. ~tricklenews.com
I was thinking something like
the "hillarystwatwarts" virus,
but even more subtle. Something that
would get repeated for a few hours or days
before people realized what they were saying.
It would probably have to be something like,
i dunno, remember the "dole means penis in iranian" rumor?
-fb Everything not expressly forbidden is now mandatory.
take a triptonica to subthunk
Ok, then change it to look like this:
# the '>' in the character classes stands for a literal tab (the original poster's follow-up notes the tab was rendered as '>')
# H added alongside B so the X-Loop condition is tested against the header, where formail puts it
:0 HBf
*!^X-Loop: VBS viruscheck
*^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Vv][Bb][Ss].*
|/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.vbs\(.*\)/filename=\1.vbs.txt\2/i;}' -e '/Content-Type:/{N; s/name=\(.*\)\.vbs\(.*\)/name=\1.vbs.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: VBS viruscheck"

:0 HBf
*!^X-Loop: JS viruscheck
*^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Jj][Ss].*
|/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.js\(.*\)/filename=\1.js.txt\2/i;}' -e '/Content-Type:/{N; s/name=\(.*\)\.js\(.*\)/name=\1.js.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: JS viruscheck"

:0:
$ORGMAIL
Someone in our company got this one this morning.
Luckily she had the good sense to call me because of the 20 or so e-mails sent around about NOT OPENING attachments. So I talked her into deleting it without opening it. YAY! Hopefully none of the higher ups will get one, they are dumb enough to open it without thinking about it...
Sigh...
Kintanon
Check out JoshJitsu.info for Brazilian Ji
- A.P. (seriously, folks, WHAT ELSE is VBscript for?!)
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Why don't we start taking the usefulness of a virus back?
What I mean is, why doesn't someone write a virus that does good? It could auto-run and disable all of the cheesy security holes that MS hasn't fixed yet. It could spread like a worm, and just go on a rampage fixing problems.
Why must virii always be bad?
I have YET to receive ANY of the 'vbs' email worms in any email I've ever received
Hehe, subscribe to linux-kernel, I laughed my ass off when I got this email.
There followed two or three automated virus warnings no human bothered to answer. Pretty ironic it was.
Like "Tuxissa"? (from segfault)
100% pure freak
I'm surprised no one has mentioned this wonderful procmail setup/script that has been around for some time to protect against HTML or file attachments in email.
I've been using it for some time and it has protected myself and my users against almost any macro viruses I have heard about.
http://www.wolfenet.com/~jhardin/procmail-security.html
Funny yes, but people seem to be missing the fundamental reason why this happened.
It has nothing to do with MS letting people run attachments without saving them first.
This is all about mapping extensions to applications.
This is a broken idea - totally. For starters it is quite simply dangerous, as the mappings happen everywhere. And installing an application might set up random mappings. But add onto that the fact that it's used to associate scripts with their executor, much like the shebang line, only worse - the file needs no execute privileges. If you like, every mapped file extension automatically sets execute privileges. It is this functionality that is broken - not the mail client. And this has been in existence since DOS days, IIRC. So removing or fixing this "feature" is next to impossible.
Good luck MS fans - it's a rocky road ahead.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
The best solution would be for all "executable" attachments to be treated as untrusted code with a sandbox like a Java Virtual Machine - considering Microsoft's "expertise" in "enhancing" Java this should not be too difficult a solution to implement.
Port Outlook (and the brain-dead fondness for executing anything executable) to *nix and you'd still have as much of a problem.
Sure, Win'9* security is broken, but it's not bad security that's the problem here. I want Outlook to do anything I personally have the rights to do. I want Outlook to have a scripting language, and to offer mail services to other scripting languages (this is useful). The only thing I don't want Outlook to keep doing is executing code from anywhere that I haven't told it absolutely explicitly to do so. I don't want signing - what am I going to do ? Sue them ? I can't even email my lawyers, as they've just eaten my address book.
Win2K has brought its security concepts into the '80s, with Kerberpoodle the 2-headed mutt. We'll see how solid the implementation is, but at least they're making an effort.
I'm proud to say I once almost got kicked out of Microsoft for sending something like this to a relatively large e-mail alias. (I know, I shoulda tried harder.) The one I sent was actually embellished slightly by a friend:
And whatever you do, don't try to remove this virus from your system. If you do, it will immediately mail the IRS and tell them you had $2,500,000 in unreported income last year. From dealing drugs.
--
Someone you trust is one of us.
Yes, I could write a bash script or perl script that deletes files. Guess what, not everyone uses bash and has perl on their unix system, and if they did, it would only delete their user files, and NO system files would be affected. Unix was built off of a concept of security. With Windows, security was an afterthought, and not a very complete one.
Besides, unix users (as a whole) tend to be a little more tech-savvy and know not to run things like that.
As CmdrTaco said, intelligent e-mail users continue to be unaffected.
Finkployd
Please, a nice distinction needs to be kept in mind between those who are not focused on computer technology, and those who actually are "stupid". I would not deny that stupid folk exist, but it does one no good to call someone stupid just because their area of interest is not the same as one's own.
E.g., I do not find accounting of interest, but this does not cause me to consider myself stupid, even though it sometimes causes me hardship. (Of course I could just quit that book club, but I don't like that choice either.)
I think we've pushed this "anyone can grow up to be president" thing too far.
You can get a freebie add-on from:
Nemx called Power Tools. It runs as a service under Exchange and allows stripping of attachments via extensions.
"shop smart:shop s-mart" ash
I am glad, I didn't see python there. :-)
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
It's harder to write a script that will run in Linux than it is to write a VB script. It's like martial arts...the discipline teaches you not to do harmful things, maybe.
Ceterum censeo Microsoftam esse delendam.
Nearly right,
the next variant will contain a variant on the words "Trade Secret" for title, an HTML-based JavaScript click-through license for a body (starting and ending with a load of legal mumbo jumbo and containing perhaps one sentence of warning as to what is about to happen), and a debian install starting with delete all partitions.
BTW, the only target will be M$
Never underestimate the dark side of the Source
Blocking attachments seems like a "throwing the baby out with the bathwater" kind of solution.
---
This sig has been temporarily disconnected or is no longer in service
So let us start terming the bug as a Windows bug or Windows virus instead of a generic computer bug. This goes a long way in getting the mindset of people that if you want to be on the Internet use a secure OS - Mac, BeOS or Linux, pick your choice.
I partially agree with you in that this is a Windows-specific virus. I disagree, however, with your comment indicating that the cause is lacking the security of Linux. The real issue is the availability of VBScript on the client, which in turn gives the attackers access to the local file system.
Our company runs both Windows and Linux 7x24 (with a few reboots here and there on the Windows boxes every day, of course ::wink::). We've received the ILOVEYOU attachments and just laughed at them because our e-mail clients don't support unrestricted scripting, even on the Windows machines, where we run Netscape Messenger. Netscape Messenger, while it allows JavaScript, doesn't allow unrestricted access to the file system and other Communicator resources like VBScript does.
We perceive unrestricted scripting access from the e-mail client as the real problem, not Windows itself. Any system that allows unrestricted scripting privileges (even *NIX systems) to its users is vulnerable to malice.
As for Macintosh and BeOS being "secure", I just beg to disagree. Perhaps you know something about them that I don't about them. Would you care to expand on exactly what makes them inherently secure when compared to Windows?
In conclusion: Our recommendation to our customers is very simple: Get off MS-Outlook/MS-Exchange for e-mail. IMAP and an appropriate e-mail client will do the same job without having to worry about VBScript viruses.
Talk to you later,
Eugene
http://eugeneciurana.com | http://ciurana.eu
You should be able to place a filter like this on a sendmail gateway host by using sendmail's mailertable feature in your .mc file, and then saying:
host.com procmail:/etc/procmailrcs/host.com
in the mailertable file, and set the host.com file to something like:
(rules for checking spam, viruses, evil attachments, etc.)
:0
! -oi -f $forward_message_on_properly_to_internal_mailserv
Though I don't have any pressing need to throw the above together and document what I did. Ideally, you would want to combine the above method with one of the several anti-evil-stuff procmail filters on freshmeat.net...
That's true, and that could happen on ANY OS I know of (well, OS/390 being an exception), so I guess it really boils down to the user and how well educated he/she is about such matters. Unfortunately (I believe) Windows attempts to dumb down users while Linux has the opposite effect. I also don't buy that Windows is more productive, it all comes down (again) to the user and what they learn. Windows IS however, less secure.
Finkployd
The real problem here with these kinds of things isn't just Outlook. Or just moronic users.
The whole security system in Win9x is flawed. Windows9x was never intended to be on a network. Win98 is just a rehashed version of Win95, which is just a rehashed Win 3.1. Single-user OS's that had "root" access everywhere were fine in the early and mid '90s. That's not the case anymore. Now that everyone is hooked up to the internet, other people have access to these single-user OS's such as Win9x. It didn't matter that you had "root" back in the day; you were the only one using the system. Now many people can run code on your computer, be it a VBS, Java, etc.
A *nix variant doesn't have this problem. Unix was designed with networks and network security in mind for 30+ years. I couldn't screw up my system like these VBS files do to Windows computers if I tried.
Even Win2k security is lax. For instance, how many times does a typical Linux install (be it Red Hat, Debian, or anything else) go "DON'T USE ROOT AS A USER!" and force you to make a regular user account? Now look at Win2k's installation, which gives you your user name with admin privs.
If Microsoft really wants to stop stuff like this, they need to update their entire network security model to the 21st century... or at least the 1970's. Windows9x was not designed to be on a network. That's the reason it has no security. "Access zones" and what have you in programs like Outlook are just a cheap hack to hide the real problem of the Windows security model. The problem being, it wasn't designed to have one.
I haven't tried this but it was posted on comp.mail.sendmail after the original Love Bug. I'd actually like to try it, but I know so little about sendmail that I'm unsure as to how to apply it - anyone enlighten me?
# TURN ON CONTENT-TYPE MATCHES: uncomment lines as instructed.
Kquotetoplus dequote -s+
HContent-Type: $>CheckContent
## By Mike Schwager. http://www.enteract.com/~schwager
## http://www.schwager.com schwager@enteract.com
## INSTRUCTIONS:
## Uncomment 1 (or more) of the following ChkPat lines. Add new ChkPat
## lines if necessary, as given in the examples. Change the MIME-type
## (eg, from application / octet-stream to application / ms-word )
## if you need to, and change the name and/or file extension.
## For each pattern line, there should be a matching rule under SCheckContent.
## Do not include double quotes in the pattern line! They will be replaced
## with plus ("+") signs.
## Uncomment the SCheckContent line.
## Uncomment the appropriate rule(s).
## Change the rule(s) to use the message that you want.
## Change the message(s) as appropriate. Add new messages as appropriate.
## Watch your tabs!
D{ChkPrfx}application / octet-stream ; name=
# Here are your patterns
D{ChkPat1}.vbs
#D{ChkPat2}.exe
#D{ChkPat3}wordvirus.doc
# Here are your messages
D{ChkMsg1}REJECT- This message may contain a virus in the attached script.
D{ChkMsg2}REJECT- This message has a virus. -MS
SCheckContent
R$*name=$* $: $1 name= . $2
R$* $: $(quotetoplus $1 $)
R${ChkPrfx} $* $: $1
# Using these lines as a guide, match patterns; include messages
# only the character in front of "$#" should be a tab. Don't forget the tab!!
R $* ${ChkPat1} $* $# error $@ 5.7.1 $: 553 ${ChkMsg1}
#R $* ${ChkPat2} $* $# error $@ 5.7.1 $: 553 ${ChkMsg2}
#R $* ${ChkPat3} $* $# error $@ 5.7.1 $: 553 ${ChkMsg1}
## END CONTENT-TYPE
Macintrash files have, in fact, two invisible 4-character extensions.
The filetype -- it contains the file type which says what kind of data is in the file.
The creator -- which identifies the application that created the file, and which should be used to work with the file.
Applications have a file type of 'APPL' and the creator field identifies the application; that is, it is what ends up in the "creator" field of files generated by this application.
Additional trivia: Beige toaster files are, in fact, divided in two. There is a data fork, and a resource fork. The resource fork contains information that can be easily edited by a resource editor program, allowing one to change certain aspects of, say, an executable file, like the icons, fonts, sounds and strings it uses. The data fork contains, well... (drum roll) data... (In the case of an APPLication, it is the actual binary code. GUI details are in the resource fork). Either (or both) of those forks can be of zero length.
It is not a bad system, except that it is totally shielded from lusers and, although it can prevent them from doing mayhem on their filesystems, it is a royal pain in the ass to change if you don't have the proper utilities.
I suppose it could be desirable to have a filesystem that allows you to have as many forks on your files as you want (did I hear somewhere that Windoze NT has something like that? Or is it Novell?), but in my opinion, nothing beats the simplicity of a "flat file" filesystem such as we enjoy so much on Linux.
However, I still don't dislike the concept of embedding file type information and whatnot within the directory entry/fdn.
--
Here's my mirror
You can't possibly consider a virus writer to be an artist? I'm sure that some of the code they produce is elegant, or at least quite advanced and technical. But to call the result of that work 'art' is just fallacy.
Unfortunately, destruction is creative.
-- iCEBaLM
This is a quickie script to straighten out VBA, VBS, and JS attachments. Happy Hacking:
#This goes in procmailrc:
# H added alongside B so the X-Loop condition is tested against the header, where formail puts it
:0 HBf
*!^X-Loop: viruscheck
*^Content-Disposition:.+
|/sbin/noiloveyou | /usr/bin/formail -i "X-Loop: viruscheck"

:0:
$ORGMAIL

#!/usr/bin/perl
#This is "/sbin/noiloveyou": a stdin-to-stdout filter that renames
#.vbs/.vba/.js attachments by rewriting the MIME part headers. It assumes
#the filename=/name= parameter sits on the folded line that follows the
#Content-Disposition:/Content-Type: line.
while (<STDIN>) {
    $temp = $_;
    if ($temp =~ /^content-disposition\:/i) {
        print $temp;
        $temp = <STDIN>;    # folded continuation line carrying filename=
        $temp =~ s/\.vbs/_vbs\.txt/i;
        $temp =~ s/\.vba/_vba\.txt/i;
        $temp =~ s/\.js/_js\.txt/i;
        print $temp;
        next;
    }
    if ($temp =~ /^content-type\:/i) {
        # hand JavaScript over as plain text rather than a script type
        $temp =~ s/application\/x-javascript/text\/plain; charset\=us-ascii/;
        print $temp;
        $temp = <STDIN>;    # folded continuation line carrying name=
        $temp =~ s/\.vbs/_vbs\.txt/i;
        $temp =~ s/\.vba/_vba\.txt/i;
        $temp =~ s/\.js/_js\.txt/i;
        print $temp;
        next;
    }
    print $temp;
}
#This should at least slow it down a little bit....
# Jacques Richer -- jricher@bankri.com
The icon is different, but most users wouldn't notice. The default icon for a VBS file is a document with a picture of a scroll on it (perhaps an ancient Greek "script"?), whereas the default icon for a text file is a document with some lines of text on them. The script doesn't look identical, but most users won't know the difference.
For more information, click here.
Here.
i wish that the *name* of the virus could be :-)
something that would be *very* embarrassing
to say on CNN or CSPAN...
It would need to be subtle (so that the embarrassing thing would be said enough times to take hold)
-fb Everything not expressly forbidden is now mandatory.
I saw at least 15 slightly different variants of the last one, and they're just trickling off. And this one's a lot nastier than the last. If anyone gets a copy of the script, I'd love to see it... need to know if what I have in place to stop it will keep working with this one. (first post?)
Do any virus writers read Slashdot? And if so, would any of you care to explain *why* you do it? Ignoring the simple macro viruses, some stuff, especially the polymorphic ones are incredibly clever pieces of code. Why put that talent to waste?
Now weary traveller, rest your head. For just like me, you're utterly dead.
Someone will make another, more destructive, sneakier version of the trojan worm (hey, it's a trojan horse and a worm; the next version may be a virulent trojan worm...). They'll have VBSs that generate EXEs, and vice versa, they'll take the boot sector with a virus that can relaunch the worm, they'll display amusing animations (grabbed from who-cares-where) that make the infected user think he's received a typical funny/annoying attachment.
Windows system admins: batten down the hatches! Trap all attachments and personally filter them. Get the managers to enact a strict "no unnecessary attachment" rule. Delete all "amusing" attachments and Word documents that should have been plain text (or could have been as HTML in the body), and send a nasty letter to whoever sent it.
This is, to some degree, a stupid MS problem. There are things that could have made worms like this harder to spread. However, something similar to this could work in Linux, too, given a sufficiently large ignorant user base (though it might be harder to write). If the user is dumb enough to be tricked into running anything you send him, there's no technological fix for it.
There are three possible solutions: supervise the users (as suggested above), educate the users, or tie the users' hands, so they can't do anything but use a small set of applications and move around certain types of documents. The first is a prohibitively expensive short-term fix, the latter two are long-term solutions: the second is better, but perhaps unrealistic; the third can't be done with current software, a change to some operating environment is needed (tweaking a shell for Linux should do it, though perhaps a change to the kernel would be better: create a sub-user login that has the same sort of access to a single user account as a user can have to the root account with "sudo"; sort of a weak capabilities system). I think both of the latter two are needed: you need to tie new or casual users' hands so they can't do too much damage, and at the same time you need to gradually educate them to the point where you don't have to watch them anymore.
You can't just ignore user ignorance. You have to make them take the bus until they learn how to drive without causing a 30-car pileup, and give them a ride when the bus doesn't go where they are headed. Don't ignore that just because they whine that the bus is slower.
Some people have too much time. To take a virus that caused international panic among Outlook users, then upgrade it to do more damage while being more covert is just messed up. Although I have to admit, it's funny. Which is a stupid way for an Outlook user to view it.
I think that Outlook has some good features outside of the sexy graphical interface. For one thing, it does what good programs should do- it automates simple, repetitious tasks without making you jump through hoops. Outlook collects email addresses that I reply to, so that if I need to write someone that I don't know the email address for off the top of my head, I have it without any work. Outlook also does a pretty good job of building several useful features into one program- the calendar, contact manager, task list, and mail client. Sometimes it is good to keep things like that separate, but in this case I have found it to be beneficial. It also connects with my Palm Pilot and syncs everything automatically, which is useful since I use both of them to keep track of things. And as for accessing email from anywhere, it's easy to just tell Outlook to leave your messages on the server. So when I am at home, I can use Outlook for whatever I want. When I'm elsewhere, I telnet into my unix account and read mail with pine. There's no need of only using one or the other. They both serve their purpose.
Jesus, man, just point him to a dictionary site like dictionary.msn.com/find/entry.asp?search=virus where he can see the proper plural form within three seconds, rather than wallowing through that mental masturbatory dreck that Mr. Christiansen wrote. I hope he's not reading this, 'cause I'm not looking to offend him, but after skimming that page, I can see why people don't exactly consider Mr. Christiansen to be "well-liked."
Cheers,
ZicoKnows@hotmail.com
During the last couple of months, firms like ISS had a huge increase in sales. With the Love Bug and copycat viruses I'm sure the AV companies are also seeing increased profits. I wonder how much @stake consulting rates are for helping a firm defend against this sort of thing. I'm sure they're not cheap.
More race stuff in one place,
than any one place on the net.
If this kind of thing interests you, I did these two cartoons surrounding the original love-bug virus. 6th May, 8th May.
The changing subject line helps its messages avoid being deleted by the Spam filters, but since the message does not change, the user is not likely to think that it actually came from the person it says it does. What these viruses need to do is examine the context of all of the messages in the user's Inbox that come from the individual who it is being sent to and generate a context-sensitive reply to that individual.
In addition, these viruses will ultimately not be limited to VBA. A program could easily open the default Netscape inbox text file and scan for the @ character--extracting all e-mail addresses in the entire Inbox file. The virus could also discriminate against which users it destructively affects--deleting only the files of people whose identity says they are in the aol.com domain, for instance.
I think that we have only seen the tip of the iceberg as far as intelligent viruses that are distributed by e-mail.
When run on wscript.exe and cscript.exe (the Windows scripting hosts responsible for VBScript execution) that will display a warning that the script could contain a virus.
SlashMirror: Where to put files for fellow /.'ers
So if you're so concerned with the bandwidth on the infected machine, have the virus code monitor CPU usage and network bandwidth and restrict its own usage to, say, ten percent of maximum or less. This makes it both less destructive - you wouldn't be shutting down anyone's machine, just redirecting otherwise unused CPU cycles - and more stealthy too.
If one criterion for the "success" of a virus or worm is the scope of its circulation, then it seems to me the guy who wrote this latest thing is screwing up. (Or more likely, he just hacked a few changes onto some existing code, probably ILOVEYOU, sure wish someone would post this new one so I could have a look at it.) This is entirely aside from the incomprehensible malice that's displayed by such a nasty payload, what a jerk. You're sure going to notice when something wipes practically all the files on your PC. It seems to me that a really well-written virus would be more subtle.
Yours WDK - WKiernan@concentric.net
...and write a trojan horse that changes all the Windows error messages.
For example, the GPF message: Another fine general protection fault, brought to you by the folks at M$! (little animated GIF of chibi Bill Gates dancing in a pile of money, throwing up handfuls of bills)
> Pursuing the biological simile, observers pointed out another problem caused by Microsoft's monopoly: the lack of genetic diversity in the PC ecosystem.
Perhaps. However, for better or worse, diversity is in direct competition with standards compliance.
I'm all for diversity, at least in principle, but at some level it is always going to be desirable for me to be able to read files that you wrote, and for me to be able to run programs that you wrote (even if I have to recompile them first), and for me to be able to transport those files/programs from your system to mine. So long as these things are possible, viruses and worms will also be possible.
The problem here is the unmanaged automation of those otherwise desirable manifestations of interoperability.
What we really need as a first line of defense isn't diversity. It is for a certain vendor to realize that just because an idea can be implemented doesn't mean that it should be implemented. For a second line of defense, we need a public (or at least the tribe of sysadmins) to realize that just because a feature can be used/enabled doesn't mean that it should be used/enabled.
I am sure that there will be worms and viruses as long as there are bugs in security features, but meanwhile there is no point in making life easy for the script kiddies.
For better or worse, those who have been blaming the problem on stupidity - whether of the users or of their vendors - have it right.
I happen to like the idea that Joe Cluebie can play with a computer, which is why I advocate eradicating vendor stupidity as the first line of defense. Alas, when the world's largest vendor is Clueless, Inc., and willfully unwilling to obtain a clue, we may have to fall back on the 2LoD and train Joe Cluebie for self defense instead.
--
Sheesh, evil *and* a jerk. -- Jade
;-)
-- Your Servant,
Your Servant, B. Baggins
I would suggest that this virus will be much less disruptive than the 'Love Bug' simply because after the initial infection, there are not any files left to infect.
So, the stupid ones will stop sending mail to the rest of us!
C|Net and ZDNet are reporting that the new variant not only chooses random subject lines for its email carriers, but also adds comments to its own script, in an attempt to thwart fingerprinting.
My question: who actually needs email-attached scripts to have write access to the registry and filesystem? And who thought there were enough of these people to allow such access by default?
I posted this filter up on freshmeat as well, but now that there is a more destructive version of this floating about, it should be distributed more. All you admins who are using procmail can add these two rules to your global procmailrc to prevent the execution of .vbs attachments to email messages. The email isn't deleted, just that the file's extension is changed so that it will not execute on the end user's system.
# the '>' in the character class stands for a literal tab (see the poster's follow-up: the tab was rendered as '>')
# H added alongside B so the X-Loop condition is tested against the header, where formail puts it
:0 HBf
*!^X-Loop: viruscheck
*^Content-Disposition:[> ]+.*[Aa]ttachment.*\.[Vv][Bb][Ss].*
|/usr/local/bin/sed -e '/Content-Disposition:/{N; s/filename=\(.*\)\.vbs\(.*\)/filename=\1.vbs.txt\2/i;}' -e '/Content-Type:/{N; s/name=\(.*\)\.vbs\(.*\)/name=\1.vbs.txt\2/i;}' | /usr/local/bin/formail -i "X-Loop: viruscheck"

:0:
$ORGMAIL
If you have any questions, please feel free to contact me about it.
.. everything looks like a nail.
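The same attachment defanging done with a real MIME parser, as an added example that is none of the posters' procmail/sed/Perl filters: because the message is parsed rather than regex-edited, folded headers, quoted or RFC 2231-encoded filenames, a name= that appears only in Content-Type, and nested multiparts are all handled, and an X-Loop marker keeps a re-fed message from being processed twice. The sample message and every address and filename in it are constructed for this example.

```python
"""Defang .vbs/.vba/.js attachments with a real MIME parser (added example,
not the posters' procmail/sed/Perl filters).  Parsing the message instead of
regex-editing raw headers handles folded headers, quoted or RFC 2231-encoded
filenames, a name= only in Content-Type, and nested multiparts.  The sample
message below is constructed for this example."""
import email
from email import policy

# Extensions the thread's filters target (compared case-insensitively).
SCRIPT_EXTENSIONS = {".vbs", ".vba", ".js"}
# Marker header so a message fed through the filter twice is not touched again.
LOOP_HEADER = "X-Loop"
LOOP_VALUE = "script-defang"

# Constructed sample: one text part, a double-extension VBScript attachment
# with folded headers, an RFC 2231-encoded filename, and a harmless image.
SAMPLE_MESSAGE = b"""\
From: alice@example.test
To: bob@example.test
Subject: Fwd: FW: something for you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

kindly check the attached file from me.
--b1
Content-Type: application/octet-stream;
 name="greetings.TXT.vbs"
Content-Disposition: attachment;
 filename="greetings.TXT.vbs"

placeholder body (constructed, not a real script)
--b1
Content-Type: application/x-javascript
Content-Disposition: attachment; filename*=utf-8''script%20one.js

placeholder body (constructed, not a real script)
--b1
Content-Type: image/png; name="photo.png"
Content-Disposition: attachment; filename="photo.png"

not-really-png-bytes
--b1--
"""


def defanged_name(filename):
    """Return the renamed filename, or None when the extension is not a script."""
    if not filename:
        return None
    _, dot, ext = filename.rpartition(".")
    if dot and ("." + ext.lower()) in SCRIPT_EXTENSIONS:
        return filename + ".txt"   # greetings.TXT.vbs -> greetings.TXT.vbs.txt
    return None


def defang_message(msg):
    """Rename script attachments in place; return the (old, new) name pairs.

    Both the Content-Disposition filename= and the Content-Type name= are
    rewritten, because different clients read different ones, and the part
    is retyped to text/plain so the MIME type cannot override the extension.
    """
    if msg.get(LOOP_HEADER) == LOOP_VALUE:
        return []                      # already processed
    changed = []
    for part in msg.walk():            # descends into nested multiparts
        if part.is_multipart():
            continue
        old = part.get_filename()      # decodes quoting, folding and RFC 2231
        new = defanged_name(old)
        if new is None:
            continue
        if part.get_param("filename", header="Content-Disposition") is not None:
            part.set_param("filename", new, header="Content-Disposition")
        part.set_type("text/plain")    # keeps the existing parameters
        if part.get_param("name") is not None:
            part.set_param("name", new)
        changed.append((old, new))
    msg[LOOP_HEADER] = LOOP_VALUE
    return changed


def defang_raw(raw_bytes):
    """Parse a raw message, defang it and return (message, changes)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return msg, defang_message(msg)


if __name__ == "__main__":
    message, changes = defang_raw(SAMPLE_MESSAGE)
    for old, new in changes:
        print(f"renamed {old!r} -> {new!r}")
    print(message.as_string())
```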
It's a good filter and all, but what if someone actually wants to receive vb, js, com, bat, exe and God only knows what else?
This filter will protect the ignorant from themselves, but then again, so does Microsoft's 'solution' to the problem.
-- What you do today will cost you a day of your life.
That's only partially true. Many Unix mail readers, including Netscape and mutt (and probably Pine) use a config file to figure out what to do with attachments - $HOME/.mailcap is a fairly standard file for that, but it can also be set up system-wide. It's also being used by browsers in the same way. It's fairly trivial to configure it to do something with a VB script, although on a Unix platform VB interpreters will not be very common. But Perl, Python, Tcl and shells are common. And it takes only one line in a single config file to have browsers and mailers of all users execute a Perl program on an application/perl MIME type. (Or Python, or Tcl, or whatever.)
Email viruses aren't something that can only happen on Windows. They happen only on Windows because Windows is far more popular than Unix. But if more and more less computer-literate people move from Windows to Unix, more and more tools configured out of the box with everything turned on will appear on Unix. Including mailers that will happily try to run a program in whatever language you send them. Just look for instance at all the services Joe Q. RedHatUser has running on his Linux box.
Of course, you might argue that Unix has permissions, and users cannot delete system files. But those are details. The most important files on a computer are user files, not system files. A system can usually trivially be replaced; just re-install it from your original media, and run your install scripts. Companies often have an install server to make it even easier. But user files have added value. They are the product of work. At best, they can be restored from backup, but even then there's a loss.
To sum up, the reason viruses aren't a problem on Unix is the popularity of Windows.
Let's keep it that way.
-- Abigail
MSK
I don't know what you do with your computer, but on my systems, user files are far, far more important than system files. I can restore /usr/bin/sh from media, and /vmlinuz by downloading the source and recompiling it. All it takes is a little time, but I would almost be able to do it blindfolded.
A thesis someone has been working on for four years, a program you've spent the previous month working on around the clock or a carefully worked picture from the GIMP have to be restored from the last successful backup - if any.
Granted, system files are important on important 24x7 servers - but you wouldn't be using them to read mail on in the first place, would you?
-- Abigail
I woke up this morning to my radio. (Which is unusual. It usually takes my alarm going off at full volume for about 10 minutes. The alarm goes off after 10 minutes of full-volume radio.) I heard the announcer state that there was a new strain of the ILOVEYOU virus released, much more deadly. I just rolled over and went to sleep. I pity the fool who subjects himself to such things.
What type of real-life virus might computer viruses be comparable to? STD's? You 'sleep around' without protection, you'll get em. What might that make Microsoft products, then? :)
-------
CAIMLAS
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
>>Viruses are challenging and interesting.
>Yeah, like biological ones. But we don't go
>around spreading them happily, do we?
Happily enough; look at STD's.
>> Some of the ideas used in them have been
>> incorporated into modern software.
> Like? I can only think of BSOD as an example
> of payload.
I've seen a production system that has a component which delivers itself to hosts around the network as a virus. It has brakes, but it's a virus. It does real work in the real world.
-fb Everything not expressly forbidden is now mandatory.
DO NOT LEAVE IT IS NOT REAL
Anyone that thinks Linux is immune from virii is a moron. These are just simple attachments that dumb people run on their machine. People can run attachments on any OS, folks. It's the USERS that are stupid, not the client or the OS.
I eat the flesh off the living, and I vote!
One always wonders if there's some connection between the anti-virus companies and the virus writers.
I'm not a virus writer, but if there are any out there, wouldn't similar functionality be possible through the use of Outlook/Macintosh and an AppleScript attachment?
I just read a news report about the new virus, and the warning they're giving about it is for people to avoid messages with .VBS attachments, because the subject of the new variant changes dynamically. Since ".VBS" is how DOS signifies file types, and since Macintosh uses a less visible means of specifying file types, I began to think of ways, architecturally, this would work on a Mac. It seems like AppleScript would foot the bill. Most machines have it installed by default, it's executable content, a file, and isn't Outlook scriptable? I'm wondering if AppleScript could get Outlook to do the same sorts of things. . .
I just remembered this old Metallica song. . .
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Grin... I remember getting that one. It's pretty old, originally being a parody of the "Good Times" virus hoax. Ironically, the Good Times virus was purported to be a virus that you could get just by reading an infected e-mail, which would have the subject line "Good Times." It would do horrible things to your computer and send it out to all of your friends. At the time, people who were "in the know" laughed off the idea that a virus could actually do that, and the "Bad Times" joke was based on that idea.
And now, it turns out that Good Times was real after all, they just got the name wrong and called it early...
I'm installing a subspace harmonics dampener as we speak. Don't want to take any chances.
-jacob
A note about posting as extrans: it seems that that and the "plain text" posting options have been switched since posting as plain text will activate any HTML in your comments.
Ideology is for ideots.
You've never heard of FortRes?? We use it on some of our WinBloze boxen, and, while it doesn't stop users from trying to install stuff, they get screwed when they try to reboot, because they don't know the box pword OR the FortRes pword. Ha! Plus of course we use (constantly updated) McAfee antiviral software AND we don't run any M$ email programs (on the public boxen).
We run 50 win boxen (half and half public / staff) and the only place I saw the virus was on /. when someone posted the code. (My staff is educated enough not to open unsolicited attachments, even though some of them use Outlook. I took the time to explain the whole thing very carefully at a staff meeting after the Melissa fiasco.) So education *does* work, but only for motivated users.
I certainly agree with your last point: you can't ignore user ignorance.
DNA is a Turing machine. You, however, being dynamic and emergent, are not.
It has NOTHING to do with the OS used, and everything to do with the administrator.
--
It's a complex balance between good and evil that must exist. If writers stopped creating virii, there would be no need for protection. Users would go on their blissful way until one person takes advantage of the peacefulness to collapse the system.
Most times, it's just something that would be great to watch, seeing a creation of your own cause mass destruction. Or even, knowing that it is able to cause destruction, then seeing a naive person steal the code from your machine and send it out.
The first ILOVEYOU hit our company hard. We took the Exchange down, updated all the mail servers, and the network-wide virus scanning for all the users' computers. However, the problem was that idiot users were mapped to production web boxes, and caused the virus to spread to machines that we didn't think would ever have to be checked. It's because of this infection that now we spent hours installing AV clients on 120+ production servers.
As a whole, ILOVEYOU wasn't too drastic. It deleted some web images that we just had to restore. But it was because we got hit that we're now prepared to defend against virii like this new ILOVEYOU, which does drastic damage.
I want to be able to execute attachments I receive easily. I want these attachments to be able to do what I can do. What I don't want is for these attachments to be able to do stuff without my explicit permission to do so.
I don't like the idea of sandboxed execution or chmoding the user permissions because they make it a pain-in-the-ass to actually do stuff that I want them to be able to do.
\begin{daydream}
What I'd like to see is to see sandboxed execution or editing (instead of executing) being the default and it should be simple as a right-click "Execute" to allow an attachment to actually execute and do stuff. I'd also like to be able to easily tell it when I want to just view the thing and when I actually want to execute.
\end{daydream}
PS: Damnit, I'm trying to post using Plain Old Text. Why won't Slashdot let me use XML tags for my "daydream"??
Mmmm.. Donuts
If I may quote my favorite CEO: "Pursuing the biological simile, observers pointed out another problem caused by Microsoft's monopoly: the lack of genetic diversity in the PC ecosystem. Because PCs and their software are too similar, one noxious automaton can do much more damage than would occur if we had several alternative life forms.
This argument deserves closer examination. True, BeOS, MacOS, and Linux users were not infected by the Love virus. Had each system had 25% market share, a single virus could only infect 25% of the population."
The ILOVEYOU virus is kindergarten stuff compared to what a real programmer could really do if he/she put their mind to it. Experienced programmers are (most of the time) fairly mature individuals, but it would only take one fairly good hacker to release a plague on the world...
You are forgetting one major factor: Choice.
...so I can add to the performance.
I may choose to read or ignore a book about murder. I happen to like that genre actually, nearly as much as I like film noir. But still, the difference is that I *choose* to read that subject.
On the other hand a virus is basically a hit and run _crime_. As one of the other respondents above remarked, modern art, by my standards would not be considered art. I disagree because I can ignore it. I may not call it art, but someone else may. I cannot ignore a virus, even if I am running a nearly immune system.
To compound the issue, not only do viruses steal your ability to ignore them, the nastier ones tend to cost money. Either the viruses destroy work product or they create work for the admin who then has to fix his network.
If you want to call it art, fine, as long as the creator makes it performance art. Like boxing
In the immortal words of Socrates, who said; 'I drank what?'
You mean it was a worm written by a cracker, not a virus written by a hacker?
Anyhow, I never really cared much for language purism. Language evolves. That's not to say that these distinctions aren't important within certain technological circles. If I were writing a technical article for some journal on computer security, I would want to get it right. But for the mainstream, "virus written by a hacker" is plainly the accepted terminology.
Another way to look at this is that "virus" is being used as a general term for all potentially destructive computer programs, and that "trojan", "worm" and "hostile applet" are just subclasses of "virus".
Now you /. people can sit there and gripe all day about what people ought to say, but you're not going to win.
Wouldn't it be more interesting to simply look at these things as linguistic trends rather than errors?
In a sense, English and other languages are the first collaborative Open Source project ever. Yet so many /.ers fail to realize that, and refuse to participate, because they are hung up on language purism.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
From the Good Times virus hoax FAQ, the original message announcing the Good Times virus read:
Thought you might like to know...

Apparently, a new computer virus has been engineered by a user of America Online that is unparalleled in its destructive capability. Other, more well-known viruses such as Stoned, Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a warped mentality.

What makes this virus so terrifying is the fact that no program needs to be exchanged for a new computer to be infected. It can be spread through the existing e-mail systems of the InterNet. Luckily, there is one sure means of detecting what is now known as the "Good Times" virus. It always travels to new computers the same way - in a text e-mail message with the subject line reading simply "Good Times". Avoiding infection is easy once the file has been received - not reading it. The act of loading the file into the mail server's ASCII buffer causes the "Good Times" mainline program to initialize and execute.

The program is highly intelligent - it will send copies of itself to everyone whose e-mail address is contained in a received-mail file or a sent-mail file, if it can find one. It will then proceed to trash the computer it is running on.

The bottom line here is - if you receive a file with the subject line "Good Times", delete it immediately! Do not read it! Rest assured that whoever's name was on the "From:" line was surely struck by the virus. Warn your friends and local system users of this newest threat to the InterNet! It could save them a lot of time and money.
The Good Times virus described by that message never existed. You can claim that the message itself is a virus, but then it wouldn't be the Good Times virus, it would be the "meta-Good Times virus." (And if I get you to repeat this description to your friends, you could call that the "meta-meta-Good-Times virus," and then they could spread the "meta-meta-meta-Good-Times virus" and so on... GEB, here we come! =])
-jacob
I used to think that way about virus/worm and hacker/cracker. But English terms change meaning whether you like it or not. This FAQ was written over 5 years ago. Since then the scope of people using these terms has changed significantly. The public can't remember hundreds of jargon words, so hacker and cracker become one "cracker" - and virus and worm become "virus". "Virus software" has to protect against what we knew as worms as well as viruses. You don't market "Norton anti-worm/virus" software or people are going to think it's a medicinal product. 99% of people have never heard the term worm, yet most know that a virus is something bad you can get. To make matters worse, the distinction in how it propagates is only understandable by technical people. There is no logical reason for most people to call one thing a virus and the other thing a worm.
I think this is partially a case of technical people feeling they are elite and need to correct people who could care less, much like an English teacher who corrects your speech that no one else sees a problem with. You have to speak the language of the people when you report in the media. It's not that the reporters don't know what a worm is (though I'm sure many don't), it's that you (and your other 1%) are not their target audience.
-- Virtual Windows Project
Here.
I'm really sick of people focusing on VBScript as some kind of token of Microsoft Evil(tm). The thing about this Trojan is it could have been done on any system, VBScript or not. Let's look at what it does.
1. Gets sent as an attachment.
2. User executes an attachment (big mistake).
3. Attachment does bad stuff.
Basically it's program that does bad stuff. Well shit, any program could do some pretty nasty things if it wanted to. You could write a little sh or perl script to mail all your friends with some little attachment, then wipe anything with a+rw perms, and hell a lot of the newer linux user's might even run it.
This program has got so well propagated due to the generally low computer literacy of Windows users. All my friends (who are geeks) were not so foolish as to run this attachment, nor did they run programs like "fun.com" from some kid's "3l33e3e" web site. It's just the law of the land.
-Jon
this is my sig.
A while back some rather paranoid chaotic individual who shall remain nameless suggested that perhaps the guys who make their living with the virus scanners and virus cleaning software are behind a good portion of the most destructive virusses out there. That theory is patently silly, of course. Isn't it?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It helps to thin out the herd. What you want is a more or less constant nonzero low probability of catching and incurring damage from one worm/virus/trojan or another. This will serve to harden the resistance of the community and cull out the weaklings. Just like in the solid world, the most destructive virulent phages do not have the best longevity because they kill too many of their hosts too quickly. Ergo the likelihood of some super Marburg or Ebola with 97%+ mortality spreading all over the world is rather low. Of course the garden variety with 70%+ mortality is none too good either. OTOH a continual exposure to less virulent forms of other types of phages actually hardens both the individual and the community, leaving it better prepared to resist the next variant. Exhibit the indigenous peoples of the Americas in the 15th-16th C. exposed to smallpox for the first time. Infected populations decreased by 90% in <10 years, whereas the Europeans were already largely resistant and could survive even many epidemics with <25% mortality.
So it is with a dynamic community of computers. Somebody who doesn't have a scanner will die. Somebody who rarely updates the sig files will die. Somebody who doesn't think it can happen to them will die. Someone who doesn't pay attention and goes on as normal will die. Somebody who is more thorough and less trusting or ignorant will survive. Remember, not all of these screaming headlines are about viruses at all. They are simply a matter of behavior and social engineering. Do you think as many people would have been infected if the ILY worm had a heading that said "opening this note will destroy or damage your machine and the machines of everyone in your address book"? Of course not.
Which leads me off in another tangent. How to get more people to open destructive messages since everyday we're more jaded and suspicious? Well if I was a badguy what I'd do is use the message header to refer to some online purchase. Sure, if you didn't buy anything then you'd be less likely to open the message but the people who did would probably open the message approaching 100%. So what is a poor website to do? It seems that one avenue that should be pursued for this and for eComm generally is a way to generate a CRC at the point of purchase and then send the confirmation/receipt with the CRC in the header so that before you do anything you manually cross check the numbers to insure they match. Or something like that. I guess I'll stop blathering now.
I've been using NT4 since it came out, and I didn't have the slightest idea that QBASIC was in there. I know QBASIC is not the world's greatest programming language but it sure beats nothing at all. And I can assume it is on every one of the NT machines at my office.
I gave up on BASIC about ten years ago when I realized that I had learned at least nine versions of it (including Timex-Sinclair BASIC and Wang BASIC-2), and none of them had anything in common; if you wanted to write something in BASIC #9, all that knowing BASICs #1 through #8 did for you was confuse the Hell out of you. But if there's a programming language already installed by default on every PC in the office, I guess I'm going to have to brush up my QBASIC skills again. Thanks a million, greenrd, for this unexpected piece of good news!
I'll bet MS took it out of Win2K, though.
Yours WDK - WKiernan@concentric.net
Check out the virus warning I recently came across:
Pay close attention to this warning!
If you receive an email entitled "Bad-times," delete it immediately. Do not open it. Apparently this one is pretty nasty. It will not only erase everything on your hard drive, but it will also delete anything on disks within 20 feet of your computer through the use of subspace field harmonics. It demagnetizes the stripes on ALL of your credit cards. It reprograms your ATM access code, screws up the tracking on your VCR and uses subspace field harmonics to scratch any CD's you attempt to play. It will program your phone auto dial to call only your mother-in-law's number. This virus will mix antifreeze into your fish tank. It will drink all your beer. (For God's sake man are you listening?) It will leave dirty socks on the coffee table when you are expecting company. It will replace your shampoo with Nair and your Nair with Rogaine, all the while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will cause you to run with scissors and throw things in a way that is only fun until someone loses an eye. It will rewrite your backup files, changing all your active verbs to passive tense and incorporating undetectable misspellings, which grossly change the interpretations of key sentences. If the "Bad-times" message is opened in a Windows95/98 environment, it will leave the toilet seat up and leave your hair dryer plugged in dangerously close to a full bathtub. It will not only remove the forbidden tags from your mattresses and pillows; it will also refill your skim milk with whole milk.

*********WARN AS MANY PEOPLE AS YOU CAN.*********
Hope I don't get that one.
http://crummysocks.com
Viruses do not have to have a destructive payload. One could create a virus that was self-replicating and beneficial. Also there is the challenge of creating one. Why climb a mountain? Because it's there. Why write virus code? Because one can.
The challenge of writing self-replicating code in any language from scratch is just too large for any self-respecting hacker to ignore. That is not to say that one should create a destructive virus and release it, but creating a nondestructive self-replicating program for proof of concept purposes is ok.
I've examined the source code to many viruses and most are crap. Only a few are true works of art. Most of these came from Bulgaria and they incorporate features that are truly interesting like stealth and the ability to hide changes in file size and memory used.
Environmentalists are their own worst enemy. ~tricklenews.com
...but only because I'm a coward.
If I was absolutely sure I wouldn't be caught, I'd be putting out viruses to beat the band. Why? Many reasons:
-to see if I can
-to point out security problem in a dramatic manner
-"tough love"
-how does a given virus spread and to whom?
-what can I make a virus do?
As an example of this last one, I was thinking of a hypothetical virus in the shower this morning. The virus is non-malicious. It just installs a daemon on your computer. But the daemon is like a distributed.net client. So once it got propagated pretty good, I could submit tasks to these daemons and get answers back. Pretty neat, huh? Now make the daemons talk to each other. Make them pass MP3s (and DeCSS) back and forth. Hey! I've re-implemented FreeNet! If you read Slashdot you have to admit this idea intrigues you.
BTW, I would do this all anonymously. I wouldn't be in it for the attention. Just the intellectual stimulation.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I LIKE IT!
:)
We're genetically engineering bacteria to eat oil spills, and designing cancer cells to secrete insulin. We're cloning sheep and making real viruses to attack malignant tumors.
Somehow, the symmetry of a worm that scours the Internet exploiting M$ security holes in an effort to fix them is.. poetic. Sort of like autonomous garbage collection.
Arguably, any virus/worm that deletes Windows system files is already trying to do this, but in a very heavy-handed way. A lighter touch is called for. Disabling the registry settings that allow auto-invocation of scripts attached to email is one good way to make the world a better place.
And hey! How could anyone (besides Micros~1) get upset over a benevolent virus?
Maybe it could even open a pop-up on the screen every 20 minutes, to remind the user to stretch their hands to prevent RSI?
Maybe it could replace the talking paper-clip with a talking Penguin? "I see you're trying to write a letter. Wouldn't you rather write it on actual paper, and add some humanity to your interpersonal communication?" "I noticed your key-stroke rate drop over the last hour. You seem tired. Shall I have some pizza delivered?"
-- What you do today will cost you a day of your life.
Next thing: Murder as art...
Raymond Chandler considered murder to be art, his art. This is a cool little book.
Yours WDK - WKiernan@concentric.net
(I hope somebody reads this, I'm posting it too late...)
Everyone from the clueless media to Slashdot's "experts" have been warning people about how bad Outlook's "security" is, and how anyone can send you an email that will make your computer explode. I've been one of the few people struggling to point out that ILOVEYOU was a trojan, not a virus; it cannot run when you read an email, it can only run if you launch the executable attachment.
But the media has been telling everyone to "delete any email with X/Y/Z in the subject line before even opening it!" Whenever I complain that that's not necessary, the response is, "Better safe than sorry."
Well, spreading false information in the name of "better safe than sorry" is almost never safe. That advice is useless against this new program. On the other hand, if folks had spent the past two weeks telling people that protecting against trojans is the user's responsibility, not Outlook's, then this new variant would be a non-issue.
Granted, the false information on Slashdot has probably had less of an impact on the public's misunderstanding of the issue than the false information being spread by CNN, NBC, etc. But considering that Slashdot is (by and large) a community of experts in the field, I think we should be providing some sane leadership, instead of helping the hysteria along.
MSK
And to those who are claiming that "virus" is just as correct: I agree that the meanings of "hacker" and "cracker" are blending. However, these two terms are technical, not social. Definitions of technical terms are specific, based on certain criteria, not on the vagaries of public usage, much like the common misunderstanding between codes and ciphers.
The fact that most people don't understand the difference doesn't mean that the difference doesn't exist.
"You can never have too many elephants on your team."
I agree that it is not an OS issue (assuming the OS does not allow you to modify system or other users' files, i.e. not Win9x). But I think it is a client, rather than user, issue.
Code coming from an unverified source (i.e. not from a trusted installer) should not be allowed to run outside a sandbox. It works fine for Java on the web. The same treatment should apply to anything coming in an email.
Furthermore, any file extracted from an email should be marked non-executable. (The user can chmod it - if they know enough to do that, they can probably understand the risk). Archives are a bit more tricky, but changing umask(2) to 666 before invoking an archive program (such as tar) should do the trick I guess.
The Evolution folks are implementing a Visual Basic clone in their new gnome client. But they are doing it properly, using a Java-like security model.
Has anyone considered blaming Netscape and Sun for the even greater, incremental loss of money from JavaScript? How many billions of dollars in coding, design, and bandwidth have gone into popup windows, status bar theft, and rollovers?
Perl is such a spirit fouling venture that there is even a monastic commune for people who grok it.
bash scripting is by far the greatest sin, for it mimics C in an almost mocking way -- K&R would not be pleased...
--
E2 IN2 IE?
Viruses infect other executables, such that the original functionality is still there, but the viral code is executed when the program is first run, which gives it a chance to spread to other executables and/or become resident in memory.
Worms, on the other paw, are self-contained programs which contain nothing but the worm itself.
The definitions of these things are hardly new, they have been around for YEARS. I suggest reading section B2 of the comp.virus FAQ for more information.
I've already got more than enough copies of the old one. =)
Many moons ago an if condition was messed up and extrans was the same as plain text.
:-)
When the slash code came out, the first thing that I did was went to make some fixes to bugs in plain text that had been bugging me for ages. While I was doing that I noticed the mistake in the if condition and made extrans be what it was advertised to be also. The patch was accepted.
Amusingly, any Python fans
who find that indenting works
have a Perl bigot to thank.
(Namely me.:-)
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
I'd like to add, however, that most computers are single-user devices now and there aren't typically "other users files" on your computer.
That is true of most office computers or home computers of single people, but far less often true of home computers that are used by a couple or a whole family. Some offices have some people sharing computers for various reasons (shift-splitting, receptionists, etc), so the statement isn't 100% true in the office world either.
I also read somewhere that with Win2K it's not possible to overwrite system files.
It's less likely under Windows 2000, supposedly even more so than NT, but most desktop users are using Windows 9x, and the upgrade path for most of those people for the immediate future will be to Windows ME, as Windows 2000 is not really targeted at that audience.
(although I suppose a virus could just as easily destroy non-system applications).
Very true. Unfortunately, security in the Windows world is normally set so that any user can write into program files.
You know the law that lets people sue you if their kids drown in your swimming pool, if you don't have a fence or anything?
It occurs to me that leaving a gigantic security hole in a system with millions of users is roughly similar. After Melissa, I think we knew about this, and I think Microsoft could have actually fixed the problem.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Not really. I don't believe that perl scripts need execute bits set for "perl " to run them. So if someone were to write a unix mail client that automatically ran "perl " on attachments where has a .pl extension, it would be rather dangerous.
That is true, although as far as I know there is no such mail program, and it is highly unlikely that one with such an obvious security flaw would ever become popular in the Linux world.
Of course, I'm increasingly an advocate of using CVS for *any* project that involves extended development time, which would save the user's ass if such a thing happened on unix. But AFAIK, VC tools aren't really ready for nonprogrammers, just yet.
You might want to check out gCVS and/or Cervisia, which are (Gnome and KDE respectively) GUI based front ends for CVS. They are both rather recent products, but they do give a more point-n-drool user interface to CVS.
So, here's my theory: Symantec and NAI, et al., are largely at fault for this one.
They put out a band-aid. Because there was a band-aid, millions of computers were not actually fixed. So, thanks to the anti-virus companies, people whose systems are still quite vulnerable *THOUGHT* they were safe.
If, instead of shoving out a band-aid, they had said "this isn't something virus software can stop, you need to turn off your scripting host", millions of people would not just have lost days or weeks of work.
Isn't that weird? Half-assed solutions don't really work.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
No, I'm a student =)
One of my workterms standardized onto Outlook though, and I could only imagine what happened when .vbs worms first hit.
Someone ought to do a statistical analysis of the worms distribution patterns, and come up with some real interesting numbers.
One question that begs to be answered is: how much email was being sent in your corporate network?
If all@blah.com contained HUNDREDS of addresses, and HUNDREDS of people were clicking on a message at around the same time, this could lead to a quite exponential flow of email traffic.
I would imagine if it ever went this high, the email server(s) would just not handle the load.. or, in a worst case, the network could not handle it? (that would be a hell of a lot of exponential growth)
Or, was it shut down to merely stop people from losing data (perhaps)/ stop all the phonecalls to the helpdesk, etc etc.
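The fan-out the poster above is asking about can be put in numbers. The following is an added example for this thread, not any poster's code: a toy model of an address-book worm inside one organisation, with a constructed five-user company and a constructed "all@blah.com" list, plus a generalised builder for an n-user company where everyone has the list in their address book. It assumes the worst case (every recipient opens the message once and sends to their whole book) and that the mail server expands a list entry into one delivery per member.

```python
"""Toy model of the mail volume an address-book worm generates inside one
organisation. Added example for this thread, not any poster's code.

Constructed organisation: five users and one distribution list,
all@blah.com, that most users have in their address book. Assumptions:
every recipient opens the message once (worst case), an infected user
sends one message per address-book entry, and the mail server expands a
list entry into one delivery per member.
"""
from collections import Counter

# Constructed address books: user -> entries (individual users or lists).
ADDRESS_BOOKS = {
    "alice": ["all@blah.com", "bob"],
    "bob": ["all@blah.com", "carol", "dave"],
    "carol": ["all@blah.com"],
    "dave": ["erin"],
    "erin": ["all@blah.com", "alice"],
}
LISTS = {"all@blah.com": ["alice", "bob", "carol", "dave", "erin"]}


def uniform_org(n, list_name="all@blah.com"):
    """Constructed worst case: n users whose only address-book entry is the list."""
    users = ["u%d" % i for i in range(n)]
    return {u: [list_name] for u in users}, {list_name: users}


def simulate(address_books, lists, patient_zero):
    """Propagate round by round until nobody new is infected.

    Round r consists of every user first infected in round r-1 mailing their
    whole address book. A user sends once, the first time a copy reaches
    them. Returns (rounds, infected, inbox): rounds[i] is the number of
    deliveries generated in round i, infected is the set of users who ran
    the worm, and inbox counts the copies that landed in each mailbox."""
    infected = {patient_zero}
    frontier = [patient_zero]
    rounds = []
    inbox = Counter()
    while frontier:
        deliveries = 0
        newly = []
        for sender in frontier:
            for entry in address_books.get(sender, []):
                # A list entry becomes one delivery per member.
                for rcpt in lists.get(entry, [entry]):
                    deliveries += 1
                    inbox[rcpt] += 1
                    if rcpt not in infected:
                        infected.add(rcpt)
                        newly.append(rcpt)
        rounds.append(deliveries)
        frontier = newly
    return rounds, infected, inbox


if __name__ == "__main__":
    rounds, infected, inbox = simulate(ADDRESS_BOOKS, LISTS, "alice")
    print("deliveries per round:", rounds)
    print("users who ran it:", sorted(infected))
    print("copies per inbox:", dict(inbox))
    big_rounds, _, big_inbox = simulate(*uniform_org(300), "u0")
    print("300-user company, everyone has all@:", big_rounds,
          "copies in each inbox:", big_inbox["u0"])
```

With the five-user company the whole thing is over in two rounds (6 deliveries, then 19) and every inbox ends up with five copies. With 300 users who all have the list in their book, one opened message produces 300 deliveries in the first round and 89,700 in the second: the total is n squared, which is the "exponential flow" the poster is worried about, and it is entirely the distribution list's fault, not the users' direct contacts.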
Far be it from me to make a fuss over /. moderation, but the parent message to this, though it is marked down to -1 (troll), really wasn't. Since it may have fallen out of sight, I quote it:
(a) Outlook doesn't modify any files -- Windows does. On NT, no system files can be modified.
But Outlook is so tightly integrated that the distinction is moot, synergy, innovation, blah blah blah... Anyway so I heard you have to make \WINNT\SYSTEM32 accessible to all MS Office 97 users. If it is in a FAT partition you're screwed anyway, security-wise (on the other hand you can come up in MS-DOS and fix things), but even if your system drive is an NTFS partition, so you can lock down the \WINNT\SYSTEM32 directory for users, for some ungodly reason Office 97 must write data there so you can't. That's what I read somewhere, and if I'm wrong, please correct me.
(b1) No version of the ILOVEYOU virus executes from the preview pane.
At the instant our AC posted this, it may or may not have been true, and it may or may not be true at the present moment. But if it's possible at all to write vbs code which self-executes in the Outlook preview window, some funloving so-and-so somewhere is busy tonight shoehorning it into the framework of ILOVEYOU - a world-girdling open-source virus in plaintext, proudly signed by the author no less! Gotta love those Filipinos, you know Lynda Barry's candid like that too.
To tell you the truth, to make it automatically self-actuating would take something away from the complexity, elegance and depth of this worm. As curious as the technical details, all generously laid out for our inspection, may be to a casual aesthete appreciating the art of virus composition, the social-engineering aspects of worms like Melissa and ILOVEYOU are even more interesting; it adds an additional depth to the process of propagation if the virus must somehow inveigle or seduce a human user to play a part in its reproductive cycle. At least I think so.
(b2) With a policy file, an admin can force all workstations in a domain to show file extensions.
I'd be interested in you telling me how that's done. It's always been a minor irritation to me, that, and I've got a whole office-full of NT desktop machines and users who jump from one machine to the next.
Yours WDK - WKiernan@concentric.net
I thought the mailbox format was quite standard across mail programs -- they all use a single text file with standard headers separating the messages.
No, many of the different email clients for Linux store the mailbox in different directories and/or file formats. Some put it in ~/mail, some in ~/Mail, some in ~/nsmail, etc. Several of the clients allow you to split mailboxes into separate 'folders'. At least one package I've seen stores the mailbox in a binary format. There is a lot of diversity in Linux email clients, and there are at least a dozen different clients available out there. Typical distributions typically ship with at least 4 or 5.
They all read the same inbox, anyway.
That is true, although normally the inbox isn't nearly so dangerous as the user's stored read messages (due to volume), their sent messages, or their address book (obviously). All of those are stored in different directories and sometimes different formats by different Linux mail clients.
Some of this has been said by others in this thread already, but I'll try and be short.
1) Not all people who get hit by this are actually stupid, they're just victims of bad windows design and made the mistake of trusting the people who designed their software... and have been trained to habitually click through a bunch of dialog boxes if they want to get their work done some time this millennium.
For example, the DEFAULT in windows is to "Hide extensions of known file types." I've always thought this is the most ridiculous option ever, since tiny icons are NOT intuitive, and even Windows friggin 2000 is still 100% trusting of file extensions for file types. What happens here? Well, they get a file attachment on email that is named ILOVEYOU.TXT with an icon that symbolizes a VBScript, which they don't recognize. They hear their geek friend saying, "You can never get a virus from a .txt file", so they just click through all the dialog boxes. (Correct me if I'm 100% wrong here. I haven't verified this, just writing from memory of the one time in my life I used Outlook on a new machine.)
2) Even though it's possible to be multi-user safe in W2K, it isn't the norm. Windows as a multi-user platform sucks! Even Windows 2000. There is no such thing as a root shell. This means, whenever a user needs to do something that requires Superuser privileges (like installing a font pack for IE), they must stop everything they are doing and log out, then log back in as Administrator. Sometimes this even involves bugging IT to do it for you (and even the worst MCSEs get bored installing font packs all day because someone sent a URL to a joke on a site in Israel to the whole company). A few psychological penalties like this, and people just end up giving their normal user full privileges.
3) Users are conditioned to just click-through everything. This isn't a Windows-only problem. I would say it's mostly Microsoft's fault, since they "innovated" the modern EULA as well as overuse modal dialog boxes. "To use this software you must agree to this 5-page EULA written in lawyerese and for some reason contained in a 20x20 scrollbox with tiny font. (Yes, I agree | No, I don't want to use this software I've already paid for)" "This page requires a plugin of type text/vbscript-hard-drive-eraser. Install now? (Yes | Yes | Yes | No)".
So, when the user gets "Attachments may contain executable code [insert sound of adults talking in Charlie Brown]", they habitually just click yes. This is reinforced when they were a new user and they were frightened by a threatening dialog box like "Unable to connect to host. Connection reset by peer", so they asked for help. The lab tech who came over says, "Oh for heaven's sake, just click OK and try again."
[#include apologies_for_wordiness.h]
When Melissa hit, the big "X" got slammed... HARD! One reason is because the first address in everyone's address book was "all@corpname.com", so there were literally hundreds of thousands of emails being sent. Completely shut down the mail system for the better part of the day.
When I checked my outlook queues later, I found a couple hundred copies of Melissa in the deleted folder. But, the funny part was, with the filters the Unix sysadmins put in place, not a single copy made it through to my Unix address!
Live and learn.... hopefully.
-- Your Servant, B. Baggins
I probably shouldn't post this, because I'll give virus writers some new ideas. But hell, this is /. and I'm going to do it anyway.
I'm also posting this so admins can watch out for it in case a virus writer gets the idea anyway.
Although we had problems with vbs. But thinking back about the Melissa virus coming from a word document. I fear that someone will write a virus that instead of reading your address book, reads your inbox, and then sends a reply back to all those that have sent you mail. This seems to be more likely something that people will open.
I'm basically forced to use Outlook at work (at home I use pine and netscape) but I deal with documents all day. I constantly mail, forward and reply word documents to my colleagues. But if I receive a reply from someone with a word document, I'm more likely to open it (although I do have macros turned off).
Just a fear of mine, and hopefully there's a solution before there's a virus.
Steven Rostedt
-- Nevermind
Someone on one of the mailing lists I'm on half-jokingly suggested that the next obvious step for ILOVEYOU would be dynamically generated content. Little did anyone suspect that it would actually happen. I say the next step is a -- ooh, I got it! -- a version that has its payload as a message warning about the dangers of Outlook viruses, in effect describing what it's doing to you while doing it.
It's all fun to joke about as an academic exercise, but this is really gonna mess people up. My boss tells me I'm free to set up an Outlook Express account here, but I'm happy to just forward my mail to my pine account. Ascii doesn't scare me, I see no reason to ditch it...
DO NOT LEAVE IT IS NOT REAL
As has been thoroughly hashed out in the threads of the articles following the last virus/worm outbreak, Linux isn't 100% immune from viruses/worms, but it is much more resistant due to a few reasons:
First, executability is determined by access bits, not by file extension. This means that normally downloaded files like attachments get saved un-executable, meaning that users have to intentionally try to change the access bits on the files to execute them, not just click on them.
Secondly, unless the root user is the one reading the email and running attachments, the virus/worm is limited by security/permissions rights to what it can do. While it can do damage to a single user's files, it can't very easily blast other users' files or system files. On Windows 9x, there is basically no security, so viruses/worms like ILOVEYOU are free to twink with the registry, etc.
Thirdly, the homogeneous nature of the Windows world makes it a much easier and more attractive target for virus/worm authors. It is pretty safe to assume that virtually all Windows 9x clients will have Outlook and all the associated DLLs on their system. There is no single email client in the Linux world that is so ubiquitous. That makes it more difficult to write viruses/worms that will affect a large percentage of Linux users because the virus/worm creators can't make the kind of assumptions about how to read things like address books, etc. that they can under Windows. This is unlikely to change any time soon, because the Linux world is much more diverse than the Windows world.
While you are right up to a point that in many ways it is the users that are stupid, Outlook and Windows make the problem worse by making it so much easier for the users to shoot themselves in the foot. And to a certain extent, Windows is plagued with a much higher percentage of stupid users because it intentionally caters to the least common denominator. To a certain extent, as Linux gets easier to use, it may start to see more of the semi-stupid users.
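Two of the points made in this thread, that Unix mail stores are usually plain text with "From " separator lines (the mailbox-format exchange above) and that on Linux a saved attachment runs only if its permission bits say so, regardless of extension, can be shown together in a small defensive script. The following is an added example, not any poster's code or any mail client's: it parses a constructed two-message mbox (the ILOVEYOU.TXT.vbs name is the double-extension pattern discussed in the thread, with a harmless placeholder body), flags attachments whose final extension is a Windows-runnable type, saves them with mode 0600, and reports that nothing saved is executable. The list of runnable extensions is this example's own assumption.

```python
"""Scan an mbox-format mailbox for risky attachments and save them safely.

Added example for this thread (not any poster's code). Mailbox content is
constructed inline; the .vbs "attachment" is a placeholder comment line.
"""
import email
import os
import stat
import tempfile
from email import policy
from email.message import EmailMessage

# Assumption of this example: extensions Windows launches directly (the
# thread's .vbs case plus the usual scripting-host and executable types).
RUNNABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr",
                 "bat", "cmd", "com", "pif"}


def build_sample_mbox():
    """Construct a two-message mbox: one clean mail, one with ILOVEYOU.TXT.vbs."""
    clean = EmailMessage()
    clean["From"] = "bob@blah.com"
    clean["To"] = "alice@blah.com"
    clean["Subject"] = "lunch?"
    clean.set_content("Noon at the usual place.")

    bait = EmailMessage()
    bait["From"] = "carol@blah.com"
    bait["To"] = "alice@blah.com"
    bait["Subject"] = "ILOVEYOU"
    bait.set_content("kindly check the attached LOVELETTER coming from me.")
    bait.add_attachment(b"' constructed placeholder, not a script body\r\n",
                        maintype="application", subtype="octet-stream",
                        filename="ILOVEYOU.TXT.vbs")

    # Classic mbox: each message is introduced by a "From <addr> <date>" line.
    return "".join(
        "From %s Sat May  6 10:00:00 2000\n%s\n" % (m["From"], m.as_string())
        for m in (clean, bait))


def split_mbox(text):
    """Split mbox text into per-message strings at 'From ' separator lines.

    mbox writers escape body lines that begin with 'From ' as '>From ', so
    a line starting with 'From ' always marks a new message here."""
    messages, current = [], []
    for line in text.splitlines(keepends=True):
        if line.startswith("From "):
            if current:
                messages.append("".join(current))
            current = []
        else:
            current.append(line)
    if current:
        messages.append("".join(current))
    return messages


def classify(filename):
    """Return (runnable_ext, double_extension) for an attachment file name."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    return ext in RUNNABLE_EXTS, len(parts) >= 3 and ext in RUNNABLE_EXTS


def save_attachment(part, outdir):
    """Write the attachment with mode 0600 (no execute bits); return its path."""
    name = os.path.basename(part.get_filename().replace("\\", "/"))
    path = os.path.join(outdir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(part.get_payload(decode=True))
    return path


def scan(mbox_text, outdir):
    """Report every named attachment: subject, name, risk flags, saved mode."""
    findings = []
    for raw in split_mbox(mbox_text):
        msg = email.message_from_string(raw, policy=policy.default)
        for part in msg.iter_attachments():
            if not part.get_filename():
                continue
            runnable, disguised = classify(part.get_filename())
            path = save_attachment(part, outdir)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append({
                "subject": msg["Subject"],
                "filename": part.get_filename(),
                "runnable_ext": runnable,
                "double_extension": disguised,
                "executable": bool(mode & 0o111),
            })
    return findings


def run_demo():
    """Scan the constructed mailbox in a scratch directory; return findings."""
    with tempfile.TemporaryDirectory() as outdir:
        return scan(build_sample_mbox(), outdir)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The one finding is the ILOVEYOU.TXT.vbs part: runnable extension, double extension, and `executable: False` even though the name ends in .vbs, because the saving code never set an execute bit. That is the contrast the thread draws with Windows, where the extension alone decides what a double-click does.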
Viruses are challenging and interesting.
Yeah, like biological ones. But we don't go around spreading them happily, do we?
Some of the ideas used in them have been incorporated into modern software.
Like? I can only think of BSOD as an example of payload.
Just like anything else, if you don't use viruses to harm people or data there is nothing wrong with them at all.
Yes, like anything else. But if you don't use them so, what do you use them for?
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
Hear me out. Linux is Microsoft's main competition right now. Because of this we are forcing them to "innovate", something they would usually avoid.
Now if MS Bob has taught us anything, Microsoft is not a company that should be innovating. When they do, they don't come up with things like "better security" or "stability", they come back with "talking paperclips", and "throw in every useless feature we can think of, memory footprint be damned".
Unfortunately, they also come up with the bright idea of executing email. Now MIME attachments aren't enough, they want you to be able to run/open attachments right when you get them (presumably to make sure you EXECUTE .exe files to make DAMN SURE you read any EULA contained within). This sounds like a good idea to people who believe renaming directories to folders made computing possible for the common man, but security wise it's like vigorously shaking a package from the Unabomber.
So my friends, we are to blame. We pushed them into frantically trying to invent "necessary" features to stay on top, and look where it got us. Many of us are watching our beloved mail servers go down under the strain and rebuilding our company's PCs because of our pointless competition with Microsoft.
I implore you all, please just drop this Linux thing before Microsoft innovates again.
Finkployd