Slashdot Mirror
Another Nasty Outlook Virus Strikes
Goldberg's Pants writes: "ZDNet and Wired are both reporting on a new virus that spreads via Outlook. Nothing particularly original there, except this virus is pretty unique both in how it operates, and what it does, such as emailing random documents from your harddrive to people in your address book, and hiding itself in the recycle bin which is rarely checked by virus scanners." I talked by phone with a user whose machine seemed determined to send me many megabytes of this virus 206k at a time; he was surprised to find that his machine was infected, as most people probably would be. The anti-virus makers have patches, if you are running an operating system which needs them.
I believe it was called the One-Half virus which was somewhat like this. It was even more insiduous because it installed itself in memory at boot time. Then it proceeded to slowly encrypt blocks of your hard drive over time. The memory resident portion decrypted them on the fly, keeping the user completely unaware.
If you remove the virus, you can't easily get the encrypted blocks back. The only "safe" method to get rid of it was to back everything up to another machine while the virus was in memory, disinfect the backed up stuff, then reformat, then copy your data back over. Nasty.
Of course luckily it's not an email virus so it doesn't have the ability to spread worldwide in a few hours...
I have a better idea (not mine, though). Write a virus/worm/whatever that resets the region code on your DVD-ROM repeatedly, leaving it on, say, region 4. Then let the hardware manufacturers try to figure out what to do with hundreds of thousands of computer illiterate customers who are pissed that their DVD drive is horked. They manufacturers would just about have to release a firmware patch to reset/unlock them (yes, I realize such things already exist unofficially). I would do it myself, but I would just as soon not get thrown in jail. And I would worry about it not reaching "critical mass" and leaving just a few hundred people SOL.
Woov. Nice.
I once made one that stopped the mouse a few milliseconds, randomly (but it stopped doing it for a few minutes when you stopped moving). You ended up cleaning your mouse several times a day.
I never put in the viral code, and only used it as a practical joke...
Cheers,
--fred
> The average luser will click on anything, regardless of whether its .vbs or .pl
Ever heard of something called the 'execute permission bit' ?
Cheers,
--fred
Ever heard about 'local root exploits' ?
This is what I do with untrusted executable atachment:
/bin/rm -f attachment.exe
Cheers,
--fred
You sir are a dolt.
You spout off how to do something but have no clue how to do it. You have to reboot win2k on exactly ONE occasion, adding the pc to a domain which can and in our environment is done when the machine is first imaged. Hell I believe that you can now combine multiple SP's and hotfixes and reboot only once. To run an executable with no permissions I simply unattach the file and right click on it and chose runas->guest. Simple No?
rightclick->runAs takes you quite a bit on the way already...
If microsoft cares so much about giving the users what they want, why don't they actually strive to create a situation where the users have what they want?
What i mean: Users want the ability to run email attachments indiscriminately. They do not currently have this ability, not safely.
Microsoft could make this safe. Microsoft could (at the LEAST, this could be done within the context of XP; create a user with no priviliges?) throw together something that would run executables attached to email in a sandbox that couldn't touch the hard drive or do anything "evil". Then the users would be happy.
Hm. A secure sandbox that programs in emails or webpages can run inside of. You know what would be a good way to give the users this? Give them the ability to double click and run java applets from their email, then encourage joe cartoon and everyone to distribute their attachments as if for the java vm. Oh, wait, i just remembered-- Microsoft just struck java vm access from outlook for "security" reasons, didn't they? silly me. Well, i guess it's good to know that microsoft is doing something to send a signal that security is more important to them than the things the users frivolously want.
Perhaps you have no friends TO send you mail.
Any mailer that displays even plain HTML as soon as you view the message can be attacked, and ones that do Javascript are INSANE.
Don't be rediculous here. How can you say that ANY MAILER that renders HTML is vulnerable to an attack? Does that apply to my browser accessing my webmail account?
Though Outlook may have some problems here, it is entirely acceptable to believe that a mailer can render HTML emails in a safe and protected way. And the same for Javascript - Javascript can be annoying, but the security holes it has introduced have not been severe. The security problems here are not inherent to HTML and Javascript, they are caused by poor mail clients. It is important to not confuse the problem.
setup your mailcap files and use almost every unix mail app. WHOOPS, they autoexecute code too! hell, EMACS was one of the first apps to make the 'execute untrusted code' screwup.
everything old is new again!
--
yeah, there are NO viruses for outlook express. oh wait, i was thinking of netscape on macintosh, my bad!
--
F-Secure (the F-Prot people) have more information on One Half.
Alex Bischoff
Alex Bischoff
HTML/CSS coder for hire
I did hear of one that used your browser to sign a couple of petitions or something, popped up a messagebox to appologize for using your resources and thanking you for understanding, and then mailed itself off to everyone. Some sort of political activist or something. Interesting, but probably still a big annoyance.
;)
Glad I don't run an OS where the mail and browser are integrated so closly into the OS as to allow that sort of thing though
I have received the first email sent by that thing three days ago and reported some brief analysis to bugtraq, got a "rejected, send to incidents" response, sent to incidents, and apparently there is still nothing in the archives -- I have no idea why, incidents list posts all kinds of "I have seen a big spider hanging over my keyboard, I think he tried to hack me" stuff.
.For everyone interested, messages with virus and extracted infected documents are here.
Contrary to the popular belief, there indeed is no God.
I got it too, as a supposed .doc file. But when I opened it in a hex editor there was indeed what looked like legitimate content. Don't be too sure it's not a privacy concern.
> Why can't these virus writers do something cool?
You don't want virus writers with imagination. You *really* don't. A truly imaginative virus writer would likely devote all sorts of creative energy toward thinking up nasty things to do to your computer.
I'm still waiting for the trojan that silently installs itself, then once every day looks for spreadsheets on your system and randomly changes three numbers in every fifth file. Or perhaps it finds your Word documents and randomly removes the words "do not" from a few places. Or maybe it flips a few bits in your swap file, or munges your C++ compiler so that your programs randomly destroy the user's partition table one time out of a thousand. Maybe it sends death threats in your name to president@whitehouse.gov, or anonymously tells Microsoft that your company is pirating Windows.
No, I'm quite happy with the current crop of dull, stolid, entirely *un*imaginative virus writers, thank you very much!
I'm on MacOS using _eudora_ and all these sorts of files are dead inanimate matter to me.
Almost a megabyte of dead inanimate matter over a 56K modem just since this afternoon alone...
I am _so_ _pissed_ _off_ at this crap. I've taken to spamcopping the victims, using this note to their postmasters (where applicible):
"Please suspend this user's account. They are propagating the SirCam worm, and that must stop directly.
-postmaster@airwindows.com"
I have it as a clipping ready to be dragged into the spamcop personalize box, which is what I do when I am so overloaded with spam that I can't get time to type, but not so overloaded that I just give up- which has been the case until recently and this is what brought me back into the fray. _I_ _hate_ _this_... can't we declare Outlook illegal or something? Classify it as a weapon for denial of service attacks.
(you do you oil computers, right?
Well I do, got a squeaky fan? Pull the sticker off the axle cover, and the rubber plug if it has one two, put a drop or two of sewing machine oil in theres and its nice and quiet again.
This is irrelevent. The implication here is that outlook is being used or required to spread the virus. This is nonsence and a potentialy dagerous assumption!
Well, then it wouldn't get very far unless it's attacking Unix boxes. How many Windows or Mac machines have you seen with a C compiler on them? (well, barring MacOS X which is Unix). Now... a Perl worm would be funny.
Windows NT has had user level security for something like 8 years. Windows 2000 added the "runas" command which is a lot like "su" and some other improvements. What they both lack is sufficiently restricted permissions by default and don't discourage putting user accounts in the Administrators. Since Win2k, having an account in only the Users group and applying the Basic security template, makes it reasonably restricted.
So why doesn't Outlook do this automatically? Seriously - Outlook could set up a dummy user account at installation time and whenever an attachment is to be executed it could use the previously created dummy user to execute it. To all the posters who wrote that setting up a dummy user to execute attachments is too hard for most users, too cumbersome, or too inconvenient, what's the problem if this is built into Outlook and transparent to the user?
-----
Free P2P Backup, Windows & Linux
hawk
> be stopped is by making it socially unacceptable (improper netiquette)
> for anyone to send executables through email.
For crying out loud, we can't even get people not to send messages in html . . .
absolutely not. One of the things I learned practicing law is that the reason we're not in serious danger from the criminal element is because *criminals are stupid*. They don't draw the connection between crime and punishment. THeir planning is lousy. I actually had one where five of them stole 70,000 (using my client's mother'ss car as a getaway vehicle), and each took their $5,000 share. It took the police ten minutes to get it through to them that the ringleader ripped them off.
Or the one that had to be rescued by the police after getting toasted, robbing a bar with a toy uzi, and then *going back in*, whereupon it was recognized and he was stabbed nearly to death . . .
If they had what we generally think of as "Average intelligence," we'd be in serious trouble (of course, this would in many cases keep them from criminal behgavior, too).
virus writers are just another kind of criminal . . .
hawk, esq., etc.
He's not saying you can't do this in Windows, but he is pointing out that you couldn't do this in Windows until RECENTLY.
P.S. How is it that you can STILL be infected by Word Macro viruses under WinNT/2K/XP even though they have user level security?!
Ok, I have to respond to some of the folks here who believe that "Don't run Outlook" is an option. Well, pray tell, what should I do if I'm on a corporate Exchange server? With no other option? It's all well and good to suggest things, but the fact is, if the Exchange Admin won't use LDAP, you're out of luck, and quite stuck.
That said, the SP2 release of Office/Outlook prevents anything from accessing your address book, and will pop up a confirmation. It doesn't prevent idiots from opening the attachments, but it does create some thought beforehand.
I can appreciate the idealism of using Linux for everything (I'm a Debian developer for god's sake) but for my job, I have to use Outlook, so I do, because I like my job, and I'm not going to quit because of that minor inconvenience.
I suppose this qualifies as a rant, and possibly will be modded to "Flamebait" or "Troll" but let's try and tolerate some dissent on this board for a change.
----------------- "I have a bone to pick, and a few to break." - Refused -------------------
a high level solutions:
be warned.
These suggestions could possibly be implemented using some plug-ins. If, instead, new linux distributions include similar solutions as a core feature, GNU/Linux can be very attractive to organizations.
-Vinod
I get to laugh at viruses/html/javascript mail dangers. Viruses are just another ignorable (except for the size) attachment, and obnoxious HTML mail is converted to text with 'lynx -dump'; which is fine by me. After all, who needs dancing baloney in their mail?
But a charatcter-mode mail reader like mutt, no matter how full-featured, is probably too much for Outlook lusers who are addicted to click-and-drool interfaces... *sigh*. People forget that email is first and formost a text application.
--
An esoteric scratched itch:
Homeworld Map Maker Tool
(Example not provided beacuse of the /. lameness filter mangled it.)
To operate on an attachment, move your cursor to the line in question, and perform the action you wish.
The essence of mutt is that it is totally mime-controlled. You could set it up to do dangerous things (like pop up HTML in Netscape, or worse). But you get to choose, and it won't do these things by default.
--
An esoteric scratched itch:
Homeworld Map Maker Tool
<>
- jon
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Seems this one is pretty popular. I never got any I LOVE YOU mail or anything of that ilk, but I've had a couple of copies already today, both with attachments named after somebody's Excel spreadsheets.
- jon
- jon
Ganymede, a GPL'ed metadirectory for UNIX
There was an Office macro worm a while back that altered Excel spreadsheets somewhat at random. There have also been versions that tweaked Word documents.
>This isn't a problem with Outlook, it's a problem with idiot users clicking on every damn thing they're emailed.
>>Furthermore, Outlook actually helps out the "idiot" users.
There is a principle in the Toyota Production System that goes something like this: "If a worker makes a mistake once, it may be the workers fault. If a worker makes a mistake twice, it is the supervisors fault. If a worker makes a mistake three times, it is management's fault".
Most human beings on the face of the earth are not technically minded and DO NOT WANT to understand the details of how the tools they use work. If every time Joe Homeowner flipped on a light switch there was a 1% chance of a nuclear power plant melting down, we wouldn't be using much electricity, now would we?
While Microsoft is to blame for creating insecure tools (keeping in mind that larger market share means more attaraction for attackers), responses along the line of "stupid users don't understand how to use e-mail" are not acceptable, either.
sPh
Bynari Insight client/server
Lotus Notes
GroupWise
These all provide the same general functionality as Exchange/Outlook does.
Of them, Bynari works both on Windows and on Linux.
And, I'd beg to differ about the "hard to beat" since most companies can get the same functionality and most of them don't really use the thing to it's fullest anyhow.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Please to note that many Linux distributions have done this for a long time, and not just a web server, either.
There've been distributed.net-installing trojans.
--j
I'm a nature photographer.
Cheer up, it's better than that. It just means that the folks who have you on their contact lists are smart enough to use something besides Outlook. :)
--j
I'm a nature photographer.
Yes. It's an interesting, and I think poor, design choice. Frustratingly, it is almost usable with other clients else, "new meeting" requests are just funneled into what appears as an IMAP4 "Calendar" folder, which is something that's trivial to manage with a filter. However, updates/cancellations to existing meetings, etc., require a little more "smarts" to do the right thing.
If your company puts up with apps that force you to use particular other apps to get generic functionality (like, say, MicroSquish Exchange), then it has a serious management problem.
Relax, dude, get a life. :)
This particular decision
was poor, but on the whole, it's a very high
quality organization, probably the most
talented managment team I've worked for in the
last twenty years. My personal
stuff is well-separated, my anti-virus protection
is updated quite often, and I have good
"attachment hygeine". I'll live.
--j
I'm a nature photographer.
You know that for a fact, do you?
--j
I'm a nature photographer.
For my own stuff, I'm a fan of Eudora.
--j
I'm a nature photographer.
Seems like folks using a "Trojan" should be safe from getting a "Virus". :-)
--j
I'm a nature photographer.
Not available in Windows 2000. Care to give more details? BTW, I hate it when moderators decide to give points without checking the facts first.
___
___
If you think big enough, you'll never have to do it.
the two I received had the extension .pif but digging around with a hex editor just about convinced me they were a standard executable. I'm not sure how windows handles .pif files though, there are definately some different things going on there.
Chris Cothrun
Curator of Chaos
Bleh!
Windows also brought up a different right click context menu with the file.
don't ask about accidently double clicking the thing...
Chris Cothrun
Curator of Chaos
Bleh!
However, this brings up an interesting point that Robert Cringely wrote - if we all standardize to any given system, a single exploit could wipe everything out.
Many people really want all computers to be the same. However, it appears that variety may save us from the "one true exploit". If we didn't all run the same freaking programs, problems like this would have a much milder effect.
Engineering and the Ultimate
Haha! :) Ain't that the truth. Remember that Good Times email virus that was all the rage?
You'd laugh at whoever "warned" you about it, because it was unthinkable that an email would transmit a virus to your terminal.
But now, thanks to Microsoft Innovation(TM) it really is possible for your email to wipe out your machine. :)
--
#include <malloc.h>
--
#include <malloc.h>
free(your.mind);
No, what's really dumb is forwarding executable attachments to yourself. WHY WOULD YOU DO THAT?
Suppose maybe you want to email yourself an executable (from home to work), or you want your friend to send you an executable file.
Or suppose you know the executable is good. (You specifically requested it from someone) You can't even mail it to an account which you don't access through outlook to retrieve it.
Of course you can rename the file, but this is an irritating in itself, especially if you forget. Round-trip time between home and work (or whatever) can be a day if it's not convenient to go home at lunch...
--
#include <malloc.h>
--
#include <malloc.h>
free(your.mind);
Agreed - it's not that bad. You'd have to deliberately run a binary executable to get infected. Which also means Netscape + all others on windoze can be afflicated.
But, technically, you can't *get* this virus on M$ Outlook, if you're reasonably up to date on patches. Outlook "protects" users from viruses by simply disallowing you to look at *.exe attachments. You can't even forward them to yourself through Outlook. Dumbest solution I've ever heard of.
--
#include <malloc.h>
--
#include <malloc.h>
free(your.mind);
What security is their with a single-user operating system? Clearly there is some, but not even close to that required on a multi-user system. I guarantee these type of viruses affect the Win9x line of OSs much more than the NT/2k line. Win NT/2k have (essentially) all of the same security safeguards in place as any UNIX that would prevent a virus like this from damaging the system, provided the system is being used safely and correctly (like any UNIX system must be).
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
I've been using Outlook for far too long and get far too much functionality out of it to switch to another app because macro viruses for it are spreading. I've got the ultimate in Outlook macro virus protection-- it's called a BRAIN.
.vbs, yet somehow others cannot? These viruses are the tamest you could ask for-- don't run the damned script file and you won't be infected! Oh wow! True genius, I know!
First off, the only way to make macro capabilities even worth a damned was to include functionality that could also possibly be used for - *gasp* - viruses! Oh no! Shit man, big deal. Why is it that I can look at the attachments on my emails and plainly see an attachment that ends with
I certainly understand that these viruses are capable of creating better disguised files (such as spreadsheets with autorun macros), but every Office app has an option to NOT autorun macros. IIRC, this is the default option (at least on Office 2000-- havent touched XP). And beyond that, that virus started off at some point as a script file. It took some jackass who wasn't paying attention to get it going.
As well, the only reason this is even an issue is because of the number of people that use Outlook. Say someone wrote a "macro virus" for some Linux GUI mail client which supported scripting of some kind (Python, for arguments sake). It could disguise itself into other files, send random files to random people and generally spread itself just like these Outlook ones do. The only reason we'd never see news about something like that is because there arent the numbers of people using such clients that are using Outlook clients and as such, I imagine there aren't very many virus kiddies out there looking to target the Linux geeks of the world.
Now, don't get me wrong. I'm no GO MICROSOFT! guy or anything, but at the same time I realize that when it comes to them, many people on this site don't even give a second thought before finding them guilty of murder...
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Cool, then I can participate!
:)
If we don't need Outlook, then I can run this virus/trojan/worm/stink-bomb under wine with no MS code installed. Everyone complaining about being left out can rejoice and join-in.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
Why can't these virus writers do something cool? Like install the SETI@home client on every infected machine? Or install something to DOS the RIAA/MPAA/Bad-guy-of-the-week (how about having the DOS daemon check Slashdot to determine who the current bad guy is)?
I'm sure that someone can come up with even more interesting things than this...
--
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Create them, maybe. But to run anything under such accounts is a lot more complicated than simply "su -c suspicious sandbox".
Microsoft does still have some issues with true multi user concepts. One point I run into frequently is that you can't connect to the same remote host using two different user IDs for different shares or that it's pretty hard to make Windows forget authentication info you once supplied (I used to have some external developers who stopped by once a week, and I could access their W2k shares for months after they had once typed their password in my Explorer (yeah, my NT workstation really had 68 days of uptime, then! :))) And though the NT kernel can run processes as different users fine, there's not way for the common user to access that functionality.
Unix on the other hand is so multi-user that it's sometimes remarkably difficult to do single user things.
--
Users want the ability to double-click on executable attachments in order to open them, and email software needs to honor that request to stay competitive.
And if that was all Microsoft did here to cause a problem, you'd probably be right.
But most users do not want the system to lie to them about a file's name, causing them to think it's NOT an executable file when it in fact is.
Most users do NOT want their email to be able to destroy their entire system, and thus would be perfectly happy if said executables ran in a "jail" that couldn't affect the rest of the filesystem without a prompt. "This program is attempting to delete c:\windows\SOMEFILE.EXE, should I allow it to do that? (OK/CANCEL)".
Most users do NOT want their email to be able to run scripts without them even having opened the message, much less clicked on something.
Microsoft themselves have admitted that a number of things have been included because exactly one large customer wanted it, that affect how everything else on the system is designed. This is more than likely one of those things.
-
The problem is people hate account security and won't use it. They don't like the bother of having to log out, closing everything they were doing, and log in as someone else just to install a new app. Heck, half the *linux* users I know log in as root all the time!
... even my mother doesn't mind logging into her GNU/Linux box), it is no excuse for building a system which even the most conscientious user cannot secure because the design (or lack thereof) simply makes it impossible.
... I've had numerous Windows users ask me how they can secure their system ("firewall" I tell them and, if they are serious, "switch to GNU/Linux or FreeBSD, because even a firewall can't effectively protect a system as ridden with exploits as Windows." You'd be surprised at how many of them fall over themselves to install and learn a new system.)
Be that as it may (and you certainly know a different breed of GNU/Linux users than I
It is one thing for foolish users to undermine or gut existing security features. It is another to make the features non-existent, then blame the users with "well, it's what they would have done on their own anyway." People aren't generally as stupid as we like to think
The Future of Human Evolution: Autonomy
I'm sure a lot of people here are going to go out and blame Microsoft for the Outlook-virus-of-the-week. But the fact is, Microsoft is just giving the user what they want.
Good Lord.
This reminds me, almost word for word, of statements typically made by rapists and child molesters. While the situation is vastly different (thankfully), the behavior of the guilty party, Microsoft, is appallingly similar: refuse responsibility for one's own actions and blame the victim.
The cause of these (now almost cliched) viruses is, quite simply, the appallingly lax security in the Microsoft Operating System and mail utilities, a lack of which is unequaled anywhere else in the computing world. Whether by design, negligence, or simple incompetence the fact remains: if you run any version of Windows, IIS, or Outlook, you are vulnerable to this sort of thing regardless of how savvy or cautious a user you are, and there is little or nothing you can do to protect yourself. Indeed, by the time you know of the exploit (assuming you are savvy enough to keep up on such things, which IMHO is asking far more of the user than simply learning a few basic commands a la GNU/Linux or DOS, much less a few GUI variations from with Windows paradigm a la Mac, KDE, or Gnome) chances are the malicious crackers have been exploiting it for weeks or even months.
Contrast this with the rest of the computing world, in which exploits are published and fixed as soon as they are found (and usually found by the product developers and/or testers before they are exploited), and in which the basic security paradigms allow one to secure the system in as paranoid a fashion as the situation requires, and the mind truly boggles at Microsoft's inability to at least match the quality of competing products such as Mac OS/X, the various *BSD flavors, and GNU/Linux.
It is bad enough that Microsoft appears incapable of building a secure system. It is even worse that they knowingly market an insecure and unstable system as though it were secure and stable (were there still any kind of "truth in advertising" requirements they would certainly be paying hefty fines for falsly marketing their products). It is unconscionable that they refuse to accept responsibility for their own engineering, choosing instead to blame the victims of its failure: their customers.
The Future of Human Evolution: Autonomy
Is that I've never recieved one.
:(
Nobody has me in their contact list
They can't do anything *too* malicious without calling enough attention to it that the spreading slows down.
There has to be a balance.
Sure, Melissa could have wreaked much much much more havoc than it did and got away with it, but that's hindsight for you.
Nowadays people are slightly more clueful and I don't think a HD reformatting worm would propegate very far.
Actually no, it's not.
you just set up your email server to automatically destroy any attachment that is not an accepted attachment.
and if your users whine, tell them to work at another place you arent going to allow it.
Simple, to the point. and Voila... No more problems...
In fact I have my servers set to reject all html email. bouncing the message back to sender stating the fact why it's not allowed.
Works great, and as a gigantor corperation, we can get away with it.
Do not look at laser with remaining good eye.
perhaps have the virus check a pre-determined URL every 12-36 hours. If it can't reach the site, or it detects you have modified the HTML to a pre-defined trigger, it drops the payload.
Use free web space, and update it through myriad web-anonymizer sites.
± 29 dB
You can't receive an email attachment when using mutt? Sounds like a real piece of shit. Yeah, I'm sure that feature combined with that oh-so-attractive console interface is just wayyyy too much for anyone to handle.
Cheers,
I was just being coy. I know that Mutt (or any email client with more than 5 users) can handle attachments. The point is that this virus has nothing to do with Outlook -- the user only gets infected if they actually run the executable. Forget all the extra stuff like the built-in SMTP server or different languages; it's just an executable that needs to be run by the user before it can do any damage, and any email client that can receive attachments can make it available to an unsuspecting user.
Cheers,
No, the problem is with the applications. NT is multiuser (even though everyone logs in as administrator anyway, since NT doesn't have a "su" command and logging out/in whenever you want to install something is too much trouble). Having the apps run scripts as a sandboxed user wouldn't be very hard to do. But Microsoft just doesn't care enough about the problem to actually bother doing it. (And since their apps are closed, no other party can add this feature, so what Microsoft cares about actually matters.)
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It is hard to get into the heads of virus writers, so this is mostly just speculation, but...
I suspect the reason we haven't seen any seriously malicious email viruses yet, is because the virus writers don't want the problem to get addressed. They are enjoying seeing their viruses spread. Right now, the industry tolerates the viruses and doesn't mind losing a few million dollars here, a few million dollars there, etc.
If a truly malicious virus appears on the scene, and the loss figures go into the billions of dollars area, then the industry will stop tolerating the viruses and the software that executes them. Outlook/Word/Excell/IE will get fixed or be replaced, and that will be the end of the virus writers' fun.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I'm no fan of Microsoft, but to be fair, Win2k Professional does not start IIS by default. Win2K server, advanced server, enterprise, (whatever other names they gave it so they can chrage more for the same product here) do. If you install *server*, you should really expect to start the services to run as a server. If he was using Win2K *server* as his desktop (which you never said he did), well, he deserves his bill. As always stupidity will eventually cost you.
For a good time call www.sawkie.com
I've been getting this for about a week or so I think.. 4 copies today.. I thought it was just more porn spam at first..
.. :)
Cheers to mutt
BilldaCat
$ su /home/fred123 /home/fred123/* /home/fred123/* ./suspicious.exe
/etc/shadow: permission denied
Password:
# useradd fred123
# passwd fred123
Changing password for user fred123
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
# cp suspicious.exe
# chown fred123.fred123
# chmod 700
# exit
$ su - fred123
Password:
fred123$
suspicious.exe:
Aha!
fred123$ exit
$ su
Password:
# userdel -r fred123
# exit
The problem here isn't even gullible users. It's the fact that under Win9x, you're running as god all the time, and can seriously hurt yourself. Under Linux, I can create a temporary user in about 30 seconds, go crap all over the resulting sandbox, and I *might* release a forkbomb or fill up /home... if I was being lazy. If I was really worried about it, I could ulimit the bejeezus out of the new userid, and whatever little surprises lay in that exe wouldn't get past first base.
And it's not just Linux, or other Unixes... VMS, NOS, NOS/VE, VM/CMS... IS there another OS out there that DOESN'T have proper ACL's and CPU/process limits? BeOS, MAYBE?
Yes, there are a lot of clueless Windows users. There is still no excuse for deliberate insecurity on the part of the OS. As for Microsoft "giving the users what they want"... As Norm Schwartzkopf would say, bovine scatology. See previous comment.
> > Simple solution - the virus should scan Wired for its name every hour. When it finds a match, the fun begins.
> Good idea... but who assigns virus names?
This one would surely be called The Slashdot Virus, since all the probes would leave everyone thinking that Wired had been slashdotted.
--
Sheesh, evil *and* a jerk. -- Jade
Simple solution - the virus should scan Wired for its name every hour. When it finds a match, the fun begins.
-sam
You could mount the home directory with the noexec option this will prevent users from
running programs from thier home dirctory.
Knud
I still don't use HTML mail... I saw the Exchange servers usage grow when the upper management wanted to use HTML enabled mail because it looked pretty.
I'm with you....I don't use HTML e-mail either. Mainly 'cause I'm just kind of old-school that way and think that e-mail should be text. But it's hard to make a case against HTML (to the PHBs) when you can get 45GB for $100 US. For that amount of money they'd rather have their pretty e-mail, with 7 differnt fonts in 4 colors.
Thankfully, I work at a new company and their policy is - NO MS OUTLOOK PERIOD.
Well, it's nice to see some enlightened people out there. It gives hope to the rest of us.
Admit nothing, deny everything and make counter-accusations.
You can add German to that list
realkiwi
stay away from the yellow kiwis please...
realkiwi
You missed the point,
To be infected in the first place, you've got to receive the file by email. Obvously the sircam code won't be running on your machine before you got infected.
I didn't see any definitive information on whether it requires user stupidity for them to double-click on the file or if it leverages an outlook vulnerability to cause the file to be run automatically.
The discussion on SMTP was to point out that it can send itself out using its own resources and not depend on any email client.
Tim Towers
-- Don't believe everything you read, hear or think
If your email client allows attachments and you download and run it you will get infected.
Even things like hushmail (encrypted).
Unfortunately people can't be protected from determined stupidity.
Tim
-- Don't believe everything you read, hear or think
You should not open anything remotely suspicious no matter what platform you are on!
I mean... it's not like other platforms are immune to stupid users...
Well, that's always true but in all honesty I've never really heard of a *NIX/MAC/QNX/BeOS virus or script that executes evil commands. I just wrote "Win32 platform" because it is by far the most susceptible OS to viruses.
But if other systems are known to have attempts of attacks, I'd be interested in read about it.
----------
----------
Check out my blackbox styles
For me I just use...
mozilla.exe -mail
It's basically the old school Netscape Communicator email client with a dash of red lizard hehe.
I don't believe it has the email attachment flaws Outlook is prone to, but anyone who decides to see the attachments included deserve what they get. It should be common sense to not open anything remotely suspicious if you're on a Win32 platform.
Anyways, I like using Mozilla's mail client. Reminds me of the days when Netscape was decent.
----------
----------
Check out my blackbox styles
Reformating really isn't the worst thing that could happen. It'll hurt anyone who doesn't keep backups, but they're likely to get hit by a random non-virus windows bug anyways. Something that is really nasty would SLOWLY corrupt documents, so they get backed up and it will be months before the damage is realized and simply restoring the previous night's backup won't work, because you never know what's dangerous and what isn't and how far back it goes and what other payload is sitting around waiting.
-Restil
Play with my webcams and lights here
150Mb? What the hell is in there? Does incoming mail get some kind of virtual reality tour of the Universe?
dave
:0:
* ^To: *
/dev/null
# this script ensures no further virus attacks.
dave "HTH, HAND."
That said, I popped in to work this weekend to upgrade my servers AV protections (liveupdate refuses to work on my email servers. grr.) and, sure enough, I've been averaging one infected document every two hours. So it's possible we'll see a whole host of fun come Monday, 9am, when all those folks who got infected emails over the weekend open them up...
-EvilMagnus
I run Outlook and Outlook Express and I've never had a problem with the "viruses". I attribute this to the fact that I do not open attachments and am generally wise in the way of the internet. As the virus issue is a non-issue for me and I really, really like the way OE works (and Outlook, to a smaller degree), I have no intention of switching to anything else.
Except maybe pine.
Joe emails a rogue application to Jane, Jane runs the code which then emails itself (and an arbitrary document) to people in Jane's address book. Sounds like something that could be implemented on any OS, doesn't it?
The last point is untrue. Since in order for this to work you need mail software which treats emails as executable code. Something which is rather specific to Windows apps (and Windows itself.)
Not strictly true, as it relies on two Outlook behaviours: 1) hiding the file extension and 2) automatic execution of attachment that you click on.
I had three copies of it yesterday, all with attachments called something like:
filename.doc.com
If I'd be using Windows & Outlook I would have seen:
filename.doc
This is correct. So far, Outlook viruses have been mostly just an irritation. Nothing of any substance will be done by Microsoft or users in general until the shit really hits the fan. If half the PCs on Earth were suddenly wiped out, Microsoft would actually take some heat. Virus writers need to grow some balls!
You're either incorrect or a lucky recipient. The largest infected e-mail I've received so far had an attachment of 17.5MB.
Oh, I forgot, that's the average size of a Windows-binary.
saferun doesn't quite solve all problems though.
The malicious code could do something even more clever, like not dropping or revealing its payload unless it can figure out that the current user has some realistic-looking number of files in its home directory. For example.
The saferun idea is useful but not totally foolproof.
Umm yea but if I got this virus in linux it would not effect me at all right?
War is necrophilia.
"If it were a Linux binary it would"
.VBS file with eudora The virus could not propagate.
No it would not really. I know of no linux email readers which let you execute an attachment by clicking on it. Also There is no such thing as a "standard address book" in linux so the virus would not be able to spread itself so easily. BTW the same applies for eudora. If doubleclicked on a
The point is that windows and outlook have a myraid of security holes which are very easy to exploit by any body who can hack out a few lines of VB. Other systems don't.
War is necrophilia.
This of course would make it so easy to find you, that my blind grandmother could do it while baking cookies.
Mad Software: Rantings on Developing So
But all that rebooting gives me time to leaf through my certifications.
This is relatively old news. There is a previous Wired article from Friday discussing this virus. I would say the only thing new is that all of the anti-virus house have come to an agreement about its name, what it does, and how it does it.
Errhm, you might as well make the magic word "the", or let the second phase start immediately. Indeed, considering how many viruses are out there, it would be hard to avoid triggering the new virus by talk about other virii...
I dunno about this virus, but the Magistr virus only mails out full documents with a certain (low) probability. I.e. most of this virus' mails will just use the title of the document, or small extracts as the mail subject, but every now and then, a full .doc attachment would be sent out. Probability of this happening is very low, but not zero.
The interesting thing about this is that it gives "cover" to disgruntled employees who wish to deliberately leak confidential stuff to suppliers or to competitors: as the virus exists, and its modus operandi is "well known", those people now have an easy excuse ready if they're caught. Quite a cunning move of the virus writer actually!
Actually, there is a simple cure to this, and it has even been used by Code Red: operate in two phases:
- A spreading phase, where you don't do anything malicious, except infect other machines. Best if done as low-key as possible: only attempt to infect those people that use Outlook (analize headers of recently received mails), attach yourself to documents that the user sends, rather than making up documents of your own, etc.
- An active phase, where the fun really starts: DOS the withehouse, mail out confidential
.doc files, thrash the BIOS and hard disk, etc.
The difficult part of course is timing. If the active phase starts too early, you may not have enough of an "installed base" to really wreak havoc. And if it starts too late, a cure may already exist by then.Good idea... but who assigns virus names? It was my understanding that the names under which a virus is known is usually not chosen by the author, but by the anti-virus community once it is "discovered". Thus, it would be rather hard to scan for its name, as it will not be known at the time of writing...
Wow!
That means I can pull the pencils out of my power supplies now.
Thanks!
Are Macintosh running Outlook also vulnerable to these shits ?
-- Pure FTP server - Upgrade your FTP server to something simple and secure.
{{.sig}}
Make the word "virus". Yeah, but once they discover he forbidden word, it will be really funny see they having to avoid mentioning it in the news :
This new v1rus is set to spread once the word "v1rus" is out.
( ... ) is a subshell. The gunzip does nothing. if the ".gz" file isn't actually gzipped, it will be executed by the "source" command.
------
Not using outlook isn't quite enough to solve this problem. The long-term solution, is not to use anything from a company that's so bloody incompetent that they'll not only put a Turing-complete interpreter into all kinds of apps that don't need one (like mail clients, word processor apps, etc,) but having done so, they give the interpreter access to EVERYTHING.
The long and short of it is, that microsquish still fails to understand even the rudiments of multi-user systems, let alone networked systems that require serious security. MicroSquish apps and OS's are unsecure and unsecureable, and it's about fucking time that people started to get fired for buying this kind of shit.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
>I have Outlook running for my work email, even though it is the viral target of choice, becuase having it run is required for the Exchange Calendar system to work
Let's see... A mail-based calendaring system requires a particular client to work?
Back in 1986, I wrote a mail-based calendaring system (using NeXTSTEP as the GUI), which worked just fine with generic text-based mail clients if you didn't have NeXTMail to show you the spiffy 'RSVP' envelope icons.
If your company puts up with apps that force you to use particular other apps to get generic functionality (like, say, MicroSquish Exchange), then it has a serious management problem.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Does anyone have any pointers toward a sendmail filter to keep the Sircam virus from spreading? I've installed a recipe in my .procmailrc for my own account, but it would be nice if I could screen the virus out for the other users on my system...
--
http://www.aikiweb.com - AikiWeb Aikido Information
Yeah, or you could put ANSI codes in zip file headers to bind 'e' to format c:. (if they had ansi.sys loaded)
It isn't like MS invented this type of security hole, you would just think that after this many years, things would have gotten better, not worse. It used to be that when a problem like this was discovered, the author would do something about it: strip ANSI codes, etc. Instead, MS, dealing with an audience about 100 times less computer literate on average than the people above, insits on using user education, rather than the "right" solution of making a language and sandbox that lets people have dancing babies but not damage their system.
I don't mean to knock user education: I am all for it. But in this case, even if possible, user education can't solve this problem. There is *no* way for a user to determine if a file is safe to open, without actually doing so.
All this thing requires is that you can run a windows executable. Receive it in mutt, save to harddrive and run from wine and you should get the same results.
Rod Taylor
It should be mentioned that Outlook XP will complete block .BAT and other 'dangerous' extensions, While this is annoying, it does protect the user. In other words, if people had Outlook XP the virus wouldn't be spreading (not that I'm plugging XP here).
------------------------------------
I really don't know how one company's "good" name can dissuade those with decision making power (read: IT departments) to not choose a more secure solution for their firms/comapnies/clients. I mean, it's kind of important.
Maybe this is the software equivalent of "it's not what you know, it's who you know."
(Btw, you really can't compare Communicator's mail program to Outlook in terms of features and functionality, unless you meant Outlook Express.)
---
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
Biggest step to preventing this --
... but at least Outlook will show you that a file is a .PIF -- too bad most users haven't got a clue what one is.
/Y C:\WHATEVER\*.* >C:\WHATEVER\OWN3D.TXT is all it takes... and after clicking the pretty little (cleverly named and disguised) icon and not getting any results they won't even know they've just wiped something off of their system. *sigh*
Don't execute the attachment!
Even with the preview pane turned on, a user still has to click an EXE attachment.
Most users with any sense turn off the preview pane to keep java and html type messages from automatically downloading images (more than likely web-bugs), but more importantly, to keep your system from always showing at least one e-mail if your Outlook window is opened.
The only thing worse than security threats from the outside is security threats from the inside.
Naturally - I don't even open e-mail with attachments from people I don't know. And attachements from people I do know are only looked into if they are data files of some kind. (Real common sense stuff here, people.)
And most importantly - I show all file extensions. I think hiding the file extension, EVEN on known file types is something Microsoft should never, ever, ever, EVER even allow, but the OS ships with this "feature" on by default.
It's bad enough that the OS relies on filename extensions, but to turn around and hide them and dummy users as to the true names of their files just makes things worse.
The damange one can do with shortcuts alone is scary
One link to DELTREE.EXE
"Everything you know is wrong. (And stupid.)"
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
Or, even better: every now and then, download the signature updates from McAffee, Norton, Symantec, Kaspersky, whatever, and as soon as its own signature appears, let the fun begin ;-)
Say no to software patents.
From reading the articles, it doesnt look like you can really blame outlook for this one..
.exe...NOT vbs, so naturaly it can do whatever it wants....it does the SMTP stuff itself, and just happens to look at the Outlook address book to get it's list of email addresses. (as well as going through the temporary internet files directory)
The file is a
There's no real reason why it couldn't have been written to look at the netscape address book too.....except that it probably wasn't worth the effort...
Advanced users are users too!
um i only get it for *.vbs *.exe and
so on..
never ahd it for *.rts *.txt and so on
Maybe I'm using an old version, but Windows Update hasn't offered a "critical update" to make the dialog come up less often.
The shareholder is always right.
This isn't a problem with Outlook, it's a problem with idiot users clicking on every damn thing they're emailed.
Outlook Express, at least, has a horrible user interface for attachments. First, *any* attachment with *any* extension will trigger the dialog, which means users will ignore the dialog after seeing it several times. Second, it conveys the possible threat from the file type only by displaying the extension, and many users haven't memorized what extensions are safe and which aren't. Third, it only asks that you "be certain that [the] file is from a trustworthy source", which doesn't help much if the "trustworthy source" is infected by the same attachment.
The shareholder is always right.
Find an executable file somewhere in the explorer interface of your Windows 2000 machine (e.g. on the desktop).
Shift-Right Click on the file and select "Run As..."
You can then type in the username and password of the account you want to use to run the executable.
It's handy for doing things like running something that needs to be an admin, without logging out and back in.
It could also be used for the purposes discussed here, but you would need still need to worry about locking the account down somewhat.
If it were a Linux binary it would. And what if it is a CLR binary? If you want a reason to fear Mono/.NET, there it is.
This sort of trojan can theoretically be ported to any platform that has an email client and an address book.
It is exactly the same as if the user downloaded the trojan from an FTP site or through Gnutella, it's strictly an application. It doesn't rely on being received via email, all it needs is for the user to choose to execute it. Now if that application (trojan) happens to be a Linux executable, it's going to run when the user tells it to run. It's going to go ahead and read whatever address book it can find and spam everyone with a copy of itself.
It's naive to think this problem only affects Windows users. It's only a matter of time before someone creates a Mac or Linux port.
Of course, then the headline would have to be "Idiot Users Still Exist, Nobody Surprised" -- doesn't really have the same aire of panic though, does it?
Joe emails a rogue application to Jane, Jane runs the code which then emails itself (and an arbitrary document) to people in Jane's address book. Sounds like something that could be implemented on any OS, doesn't it? You can't patch user stupidity.
Anyhoo, let the Microsoft bashing begin! Everyone get your pitchforks and flaming torches, but leave your dictionaries at home.
what about those of us who have the recycle bin disabled? aka we have the automattically delete files? does it still exist then?
Right. They only have to understand how to use them, and that includes understanding possible consequences of using them incorrectly.
Morale: "Messer, Schere, Gabel, Licht, ist für kleine Kinder nicht." Don't give someone who does not know how to use it, a tool that could become hazardous.
Just as an example: Today's internet is swamped by users who want to send e-mail "cuz its c00l" but probably don't know what an attachment is. They don't need to know - as long as their email client does not support attachments.. As soon as they get the possibility to send attachments, they must learn
You don't give a 15-year old a 200mph racing car just because "everyone has one". Similarly, you don't give someone without training a gun. (Yes, I know it's different in the US. Does that make me wrong?)
Use the tool that do the job. And make sure the user is educated. Simple tool: simple education. Powerful, complex tool - detailed education. Simple as that.
(Yes, I know I'm dreaming. Please reply to slashdot at jensbenecke dot de if you are interested in serious discussion. I might miss you here.)
Home Page
Yes, it's old news and yes it's been fixed but I think it illustrates quite well that you can never blindly trust your apps to be secure, not matter what platform you're on.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
[blockquote]I have to run Lotus Notes at work (pity me! :-)) [/blockquote[br][br]I, too, use Notes at work, and I'd prefer the virii...
Buckets,
pompomtom
Buckets,
pompomtom
"There's an exception to every rule. Except for some rules"
It should be common sense to not open anything remotely suspicious if you're on a Win32 platform.
You should not open anything remotely suspicious no matter what platform you are on!
I mean... it's not like other platforms are immune to stupid users...
--
Ner lbh sebz gur HFN? Gura lbh'ir whfg ivbyngrq gur QZPN!
You now need an IQ greater than that of a pebble to use email.
thank you
Buying a Dell computer is equivalent to dropping the soap in a prison shower.
Microsoft released a patch ages ago to turn off executable attachments et. al.
Nobody installed it. The kind of people who went looking for it already knew better than to run attached executables. The kind of people who are victims of these trojans hated the patch because, those people WANT to be able to click on attachments and have them run. Living without the latest animated christmas card is intolerable to them.
(Or rather, they are unable to perform any more complicated procedure, so it's single-click or nothing for that user base.)
-- veni vidi nuclei deceri --- I came, I saw, I dumped core.
Actually - Try Outlook XP if you must outlook and are stupid enough to become infected. If anything (sadly including palm syncs) trys to access Outlook - it gives you a delayed pop up asking if it is all good.
The ultimate network admin tool needs HELP!
Hell, i wouldn't even call it a virus. more like a worm. I don't belive it uses VBA or VBScript, from what i can tell it's just an executable.
.exe, .bat, .tif., .com, or .link. If it uses .link or .bat, the virus will essentially "neuter" itself, Trilling says, ceasing to operate.
.bat, .tif etc.. can all be executables, but in difference contexts. if you rename a .bat to .exe it won't run, so for this to work it would need to change the structure of the file each time; this would make it a polymorphic worm.
the interesting text from the ZDnet artical:
it will append the file name with either
.exe,
I would also like to note that the exact same type of worm could work on any operating system, the only reason it targets windows is because of the large user base of people who don't know better.
btw, i got this one in my yahoo account. it was marked at "bulk/junk" mail my yahoo's filters, and yahoo's virus scanner flagged it.
-Jon
this is my sig.
I don't think this worm uses any features of outlook, it's simply an executable attachment that does BadThings(tm).
you could probably use whatever email client you want, as long as it's under windows it'll probably work.
-Jon
this is my sig.
first thoughtfull post i've seen, thank you.
-Jon
this is my sig.
after all, procmail is the basic unix tool of the trade in mail-worm-stopping. so - whoever wants a quick +5 informative should just come up with a nice procmail filter for the rest of us to benefit from..
Stop the brainwash
i'll remember that one if i ever get to be BOFH anywhere..
Stop the brainwash
This marked as flamebait is an abuse of moderation! Parent is reasonable, non offensive and should be reviewed.
Friends don't help friends install M$ junk.
Too bad they are like that.
Friends don't help friends install M$ junk.
So what do you do with the Boss's Word attachments? How do you keep him and his secretary from running comet cursor or some other more malicious trojaned piece of fluff off the web? Have you disabled Java in Netscape and MSIE?
If you are so big, you might make a real difference and run a real OS! Good luck if you don't.
Friends don't help friends install M$ junk.
OK, so you've shown that if a friend emails you a suspicious .exe, you create a phony account with no permissions then run it from that account. This is also possible in Win2K and Windows XP. So what's your point?
.sig).
All you've shown is that you are an extremely paranoid person and not that your OS of choice is some fantastically secure manifestation of operating system design. Most Linux users I know would not go through all that trouble if mailed a perl script or executable (or heck, compiling some obsfucated source from someones
And it's not just Linux, or other Unixes... VMS, NOS, NOS/VE, VM/CMS... IS there another OS out there that DOESN'T have proper ACL's and CPU/process limits?
Windows' ACL support has been more mature than Linux's for a long time. Because you don't know about it doesn't mean it doesn't exist.
--
Better yet - scan /. for the phrase "Linux sux", then post some flamebait when you are ready to go to phase 2.
I dont believe that the virus spreads by getting addresses from the address book, I have recieved 3 emails with random attachments to far and they are all from addresses I have never seen before and can't think of any reason why I would be in their address book.
A friend of mine has also gotten one of these emails, and has no idea who the (apparent) sender is. Is this the same virus that I am thinking of? the one with the "Hi, I would like your opinion on this" kind of main text (I cant remember what it really is, but it's the same every time)
Oh, ok. It gets addresses from that Temporary internet files place too, which I guess has cached webpages in it. That would explain the random mails (even though I put .[AT]. instead of @ on any web-accessible stuff..) :)
I should have read the wired article too before posting
and email software needs to honor that request to stay competitive.
Umm... There are only a small number of companies that charge for an email client, and MicroSoft isn't one of them. Where does comepetition come into this picture? The email client is usually used *because* other programmes that many people like (as the afore mentioned Calendar) to use with it. The competition is in the suite of products, not the individual parts.
EveryDNS. Use it. It works.
AC's need not reply
Your imagination lags far behind reality. This is exactly how the first really widely spread virus, the Internet Worm spread in 1988.
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
I have noticed the same thing. The only time I get viruses at my home address is when I need to go update my grandmother's virus protection & clean her machine. But lately she's either learned how to do it herself (very possible) or learned not to blindly click on attachements (yah, right).
jred
www.cautioninc.com
jred
I'm not a mechanic but I play one in my garage...
makes me glad to have my .sig
good 'ol fashion virus, right here
user stupidity required to operate properly =)
~z
sig?
Perhaps we need to make a Tuberculosis colony on the net for the people stupid enough to use outlook, partition them away from the rest of us.
As for your mysterious .pif, it is a dos loader file, a kind of batch/link file, DOOM was the last game that I can remember making one on install. It basically calls command.com $CONTENTS_OF_PIF_FILE
Read my plan to save the Bengals
Instead of random files from an infected computer, why can't somebody write a virus that would send me a job offer!
Heck - all of these years forced to work with Outlook in corporate America ought to be worth something.
PS - anybody needing an out-of-work CTI Systems Engineer, please let me know!
(I also do sprinklers...)
One thing I've noticed is that it's always my work address that seems to get the viruses. In the 10+ years that I've had personal email addresses, I think I've only had maybe 2 even delivered to any account. (This includes free Outlook-enabled web accounts).
There's only a couple conclusions I could draw from this:
1) I am a supreme personal system administrator and do not let any common mundane virus issue affect the harmony of my smoothly oiled machine. (you do you oil computers, right?)
2a) All of my personal friends are apparently not as stupid as they look (this one is hard to believe).
2b) All of my work collegues are definately more stupid than they look (ok this one isn't so hard to believe). heh
3) There is some kind of shield made up of impervious virus-fighting smurfs that protect my personal computer 24 hours a day.
4) Karma (no not that kind)
or most probable:
5) Someone has been reading and deleting my personal email for years.
I use Outlook, every once in a while I hop on over to Windows Update and get the latest security patches. It's painless.
Guess what? I haven't been hit by SirCam or Code Red. I've gotten more than a few SirCam messages from people I don't even know (including one that was mailed to me by a stranger through my Slashdot sneakemail account).
An up-to-date and properly configured Outlook will not arbitrarily execute EXE/COM/BAT binaries. It won't even open HTML attachments without permission. Mine won't even let me see the attachment I was getting from SirCam victims. I had to ssh to my mail server, use Mutt to save the attachment and run "strings" on it to see what it was.
Not to mention, the really poor English in those SirCam messages is a dead giveaway.
--
"It relies on the user executing the attachment, it doesn't execute itself."
Unless, of course, it's something like Javascript code, or an unruly image tag. Exploits of this nature have been discussed on BUGTRAQ (more recently as an example of how poor PHP programming can cause security problems [duh!], so don't think I'm picking on Outlook here). Any mailer that displays even plain HTML as soon as you view the message can be attacked, and ones that do Javascript are INSANE.
Sotto la panca, la capra crepa
WMBC freeform/independent online radio.
Microsoft is a big ole' relational database. It will use all available RAM. When other programs request RAM, outlook will relinquish some. This is normal behaviour, it is by design, and my usual response is 'if you don't want your programs using that RAM, why is it in your box?'
Vintage computer games and RPG books available. Email me if you're interested.
However, our intrepid IT support person was also COMFORTABLE IN THE KNOWLEGE THAT THEY WERE RUNNING A FUCKING VIRUS SCANNER ON THE MAIL SERVER, thus removing any and all possibility of users receiving nastyness through their email, or accidently propegating it should it come in through another vector.
Vintage computer games and RPG books available. Email me if you're interested.
Holy CRAP I'm incoherent this morning. Microsoft EXCHANGE is a big ole' relational database (as opposed to being an OLE relational database) which will use all available RAM. When other programs want some, EXCHANGE will relinquish some.
Vintage computer games and RPG books available. Email me if you're interested.
The other thing to remember is that Exchange is NOT an email server. Exchange is a corporate groupware server. If you're not running a whack of people on an intranet who want to use Outlook for shared calanders, contacts, etc etc, you really don't want to use exchange.
Vintage computer games and RPG books available. Email me if you're interested.
I agree with you, users really want these features with their email client. They are generally not going to be happy with a plain ASCII world. Not to mention the fact I use Outlook on one of my installations and it has the ability to TURN OFF all the features that allow these exploits (minus that one which over flowed the buffer just by receiving the message.. that was impressive). The sad fact is the market departments get to dictate that all this stuff (cool flashy not so secure and always prone to a million attacks user requests) get defaulted to ON. Less then 1% of users probobly even change configurations on a regular basis or explore these options for that matter.
I'm not sure I want to get rid of the practice of exectuables in my email tho. With the progression of bandwidth into the multiGigabyte range I forsee the day when people will send the latest VCD copy of the Final Fantasy 8 sequel as an attachment. What I'd rather see is a VMWare container that can run these attachements in to ensure they are safe.
ne0
if a friend emails you a suspicious .exe, you create a phony account with no permissions then run it from that account. This is also possible in Win2K
Most home users would rather be 0wn3d than spend $200 to upgrade.
and Windows XP.
This virus is here now, and Windows XP isn't in stores yet. Besides, most home users would rather be 0wn3d than spend $1000 to upgrade to a new computer that counteracts the effects of Gates' Law[?] that makes each operating system release run twice as slow and take up twice as much disk space as the one 18 months before.
Will I retire or break 10K?
This file may be of use to all you network security guys wishing to investigate the stuff for yourselves. I do not recommend running it outside of a secured lan that has NO internet connectivity. You've been warned.
A valid URL to download this "worm"
that is going around right now in Outlook is:
http://206.106.0.240/~x-empt/FEDEX1.doc.com
x-empt
Ever need an online dictionary?
dd if=somefile.doc.pif of=somefile.doc bs=137216 skip=1
will recover the original document. A couple of these got sent to a mailing list I'm on, and one of them contained an Excel spreadsheet with all the guy's logins/passwords for various websites! (Seems like a bad idea to keep those around in a file in the first place... I'd at least encrypt 'em).
- The 'Melissa' virus named after the subject line (or was it sender?).
- The 'Stoned' virus, after the 'Your computer is stoned!' message displayed on boot time.
- The 'Concept' word macro virus, named simply after the macro itself. (Which was named 'concept' as it was a proof of concept virus)
And there are heaps more.The point is, though, that if one wanted to write a virus that could scan for its own name on news sites, all one would have to do would be put some unique, memorable name or catchphrase somewhere within their infection/payload scheme. From there it would be trivial to predict what it would be labeled by the media...
"It's either buy Outlook "
Outlook Express is free with IE.
I wrote an executable that would remap the CAPS LOCK key to function just like an ordinary Shift key
Ewww. Everyone knows that the CapsLock key should be remapped to the Ctrl key.
Slashdot is jumping the shark. I'm just driving the boat.
this virus has already been spreading actively since last thursday or something...
;)
anyway, one stupid thing is that all the reports call it "privacy" sensitive because it sends out personal documents from your drive... but from all the stuff I received over the weekend, I noticed it's just the name of the document it uses... the actual content is the virus itself; an executable disguised as a document...
of course, since lots of windows users use 50% of the document contents in the name of the file, it could be quite emberassing if it picks the right document
...How long is it before the Chinese hackers sue eEye under the terms of the DMCA?
I think you're right. After all, this is precisely the prescription for a really deadly real-world disease.
For example, Ebola has very high mortality, but the onset is so fast the epidemic potential is limited. On the other hand, AIDS is awful because of its long dormancy; someone can transmit it for years before they realize they have it. The real nightmare would be a highly contagious form of AIDS-- that would be pretty much end the human race. As you point out, there is no reason why one couldn't craft an analogous computer virus... and so someone probably will shortly.
Stolen from .sig of RSS:
Look, Ma, 4299 accidents waiting to happen:
find pine4.21 -type f | xargs egrep '(sprintf|strcpy|strcat)' | wc -l
4299
It seems just about every damn virus nowadays spreads via Outlook or Outlook Express which is too bad
But has anybody (specially Timothy) actually paid any attention to the damn stories?
Nowhere in these stories is it claimed that Sircam uses Outlook to spread! Maybe Timothy got the idea from reading this CNN article.
Geez, people, do you believe everything that CNN says? It's not like I really expect CNN to get this right, but /. readers are supposed to be better than that!
In fact, the Wired news clearly says that the virus serves as it's own SMTP client. A lot about this virus in fact resembles how the Judge Disemboweler virus operates.
The only thing that can be interpreted as using Outlook to spread itself is the fact that it takes its e-mail addresses from Windows Address Book files; however it will also try to get addresses from some files in the 'Temporary Internet Files' folder. This means it should be able to spread without any need for Outlook (just some e-mail client and a user naive enough to run the attachment) and without Windows Address Files.
All the usual sources of virus information seem to agree about this virus serving as its own SMTP client. Please check for yourselves:
http://www.symantec.com/avcenter/venc/data/w32.sir cam.worm@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99141&
http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A
http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A
http://www.sophos.com/virusinfo/analyses/w32sircam a.html
http://www.europe.f-secure.com/v-descs/sircam.shtm l
http://service.pandasoftware.es/servlet/panda.pand aInternet.EntradaDatosInternet?operacion=FichaViru s&idVirusFicha=1911&pestanaFicha=1
http://support.centralcommand.com/cgi-bin/command. cfg/php/enduser/std_adp.php?p_refno=010718-000010
I hate to be the one to say this (well, no, not really, but it's almost midnight and I haven't been fed yet), but this is fairly old news. It tried to attack my Win machine last Thursday, and again Friday...Eudora(TM) sort of chuckled and said "You're kidding, right?".
It's amazing how many Win users don't even realize there are (much better!) alternatives to Outlook and its minions.
Okay, that's the obligatory combination anti-Windows and "old news on /." post for the day. Mod down at will, if for nothing else than the alcohol-induced .sig line.
All the world's an analog stage, and digital circuits play only bit parts.
You know... maybe somebody should figure out how to send mail thru it. It could be used instead of MS Exchange... I bet this thing is smaller, qucker and uses much less resources than Exchange... ;>
---------------
I never wanted to go anywhere. I'm happy here...
The Sig, the sig
My Visor Deluxe can access the Contacts without question if Outlook XP is not running, but the question is raised when it is. Makes me wonder what starts the security model, although I do appreciate the added step when it is running. I also like the extension lockdown in Outlook XP. I can't wait for my company to deploy it, although we will have to open up a handful of extensions, like .exe for the self-executing zip files that are occasionally sent.
You can never go home again... but I guess you can shop there.
It affects Outlook Express also. I got a "please help me with my home PC" voice mail from one of our users on Friday. He's using OE and got hit with it. The virus associated .exe files with itself and he has no virus scanning software, leaving me with the unenviable task of either blowing him off or talking him through Regedit over the phone.
-Cybrex
Boundless Expansion, Self-Transformation, Dynamic Optimism, Intelligent Technology, Spontaneous Order- BEST DO IT SO!
Of course somewhere down the track, a .NET worm is way too feasible... And if some folx around here have there way it'd be OS agnostic. Lucky us. WIN-VIRUS for LINUX!
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
If I remember right.. You used to be able to DCC someone a file that overwrote there main mIRC.INI file and fill it with nutty little bad-ass scripts. and the user wouldn't know he's run it.
Of course ppl wouldn't do that anymore wouldn't they.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
FWIW my mail server kicks back any message with an executable attachment. Only a few clueful friends use it so I don't have a security issue, but it was the Right Thing to Do. I hate attachments of all kinds, especially executables.
Unix mail clients have always been my bag. So, thanks Pine for not making me susceptible to such an idiotic virus.
;-)
Don't you think it's about time that MS comes out with a freakin' security patch that stops scripts from broadcasting across your entire contact list? This virus isn't original.
My in-box has just been pounded with these e-mails with 200+K attachments (.xls.pif file extension on one or more of them). Well, one good thing comes from this -- you get to see everyone who has you on their contact list.
Oh wait, oh wait -- I have a patch for all of you Outlook users. Stop using it.
--- outlook Mon Jul 23 00:33:57 2001
+++ outlook Mon Jul 23 00:33:59 2001
@@ -1 +1 @@
-Microsoft Outlook
+# Microsoft Outlook
Oh yeah, one more thing. If you've not yet had the privilege of receiving it, just send me your .vcf file. ;-)
i recall reading that IBM has an email solution for companies who are running Exchange servers. you can keep the Exchange servers, and use (i'm guessing) Lotus email to access the Exchange servers.
will it have the same susceptability to virii? perhaps, perhaps not. is it a viable option? probalby for those companies who dont want to get stuck in the new Microsoft Client Access Licensing prices and want a migration plan instead of a revolution.
Greetings!!
Easiest way to handle this, as a site administrator, is what we do at work. Block all transmission of *.exe (among a few other known risky file types) on our mail server. It was a tough transition, lots of people complained, but the number viral incidents on our network has dropped to almost none. If they want to send or receive one of the blocked file types, all they need to do is zip it. Makes the sending/receiving of files a *conscious* process they have to think about. A painful and annoying activity for some, but they survive. Yes, that can still pass a virus, but the point is to catch the auto-mailed ones.
-Zzyzzx
-----
Just zip your patches and you and your customers will be fine. Legitimite software delivery is a very small percentage of executable e-mail, and you probably don't want people thoughtless executing your patches either. You can say it's 'unacceptable' all day long, but good or bad, Microsoft hath spoken, and it's also unacceptable to for you to expect your customers to change their configuration.
When I hear the word 'innovation', I reach for my pistol.
"Pretty much every consultant or author involved with Office seems to have slammed that one"
Note that Outlook XP ships with this functionality (or lack of), so the protests have not been effective.
(And I can understand why. Everyone can point fingers all day long, but the root issue is the culture of executables in mail, as someone pointed out above. Kill the kulture, kill the problem. Anything else MS did would just be papering over the root problem.)
When I hear the word 'innovation', I reach for my pistol.
also, the number of emails processed increases the probability of infection, spread, etc. for the above class of people, they spend much more time at work on a computer than they do at home.
----
Another Nasty Outlook Virus Strikes
Score: -1 (Redundant =)
-Kef
Windows XP has a new feature called Fast User Switching(FUS), which makes it easy for home users to have multiple accounts (with different permissions) and switch between them easily, leaving programs running.
Also, on windows 2000/XP it is not too painful to run day-in/day-out at a normal user, and then use runas.exe to elevate your priviledges to admin when you need to do something tricky. (its not advised to use runas.exe to reduce privedges (sandboxing), its not really designed for that).
Nothing particularly original there, except this virus is pretty unique both in how it operates, and what it does
Umm, excuse me? "Nothing particularly original there", except for the entirity of the trojan's being, which is "pretty unique." Riiight...
Stupid like a fox!
This isn't an Outlook problem as much as it is a Win32/PEBCAK problem.
Here at (unnamed major university, which fortunately is in its non-busy season), I've recieved about 6 different copies of the thing in the last two hours (two form the IT department!!!) from people (faculty, other students, random, outside) using outlook, netscape messenger, pine, and eudora. A major problem are people who aren't clued about stripping attachments when replying/forwarding, and who are indoctrinated at an early age (students) to forward every stupid gif/flash animation they get.
No offense to the local list maintainers and users, but if "subject: unsubscribe events-l" gets through the major domo...
There are 1.1... kinds of people.
For the record, I'd like to point out that not everyone did escape Code Red lightly. The contractor in the office next to ours came back from a holiday this morning to find a $US1500 ISP bill on his desk, which would usually have been about $US50 max for a month.
This bill might seem unusual to people in the states but in lots of non-US places, international traffic isn't cheap.
The irony is that he wasn't even running a web server. His Win2k install had put it on the system and set it up idle by default. Pretty silly if you ask me.
===
Of course, this isn't as bad as plain ol' human stupidity, like the folks who mail me M$ sex-sells spreadshits showing all their employees' personal info including SSNs...
And my cow-orkers wonder why I'm so cynical about humans.
--
Yeah, I know how you feel... I have to run Lotus Notes at work (pity me! :-)) and miss out on all the action...
____________________________
2*b || !(2*b) is a tautology
No, my grouse is about the Notes *client*. That sucks :-(. I run it on Win32 and Linux (with Wine), and I look at things like Groove or Evolution, and I wonder which school of interface design the Notes team attended. Basically, the UI is showing its age. And even the iNotes client is not what I would call the pinnacle of web design.
____________________________
2*b || !(2*b) is a tautology
All the "Outlook/Microsoft is so terrible" posts miss the point that this thing has its own mailer built in and doesn't need Outlook. :)
Won't someone PLEASE mod this up?
How does the ICQ exploit work, do you have a link?
I know it won't effect me with kXicq, but I'm curious.
I remember finding a Windows virus which was also a trojan horse.. it would infect all EXEs in the harddisk (it was an exe.. These new VBScripts aren't really viruses, yeah right, it's a wonder that those who wrote them still got arrested, when its the people who got the virus who are too dumb to listen to Microsoft's "Don't open any unknown attachment.").. a friend got the trojan horse, and it was persistent, killing it through "End Task" (like how it can work with other non-viral trojan horses) wouldn't work. I thought to myself, "Ah, taking care of this will be easy.", executed the exe, and blam, I saw it writing to my EXEs like crazy. Luckily I found the original virus on the net, and the virus-writer had included a program that would remove the virus from an infected computer.. otherwise, I probably would've had to reformat the disk.. :o It was a nice virus, it had a "Stop NATO bombings in Yugoslavia!" message...
What time is it/will be over there? Check with my iPhone app!
Web based e-mail is a pretty good solution for some. However, Netscape Communicator will not stop you from being infected by this virus. It comes as a .COM file that will run on any windows system when you tell the computer to run it. If you get infected, it may choose to wipe out or fill up your hard drive. The virus only relies on the Outlook address book to find e-mail addresses. It would have been just as easy to program it to look at your Netscape address book, once you have run the .COM attachment. If you get an attachment, look at it and figure out what type of file it is. Some people have their computers set to hide file extensions. If none of your other files show extensions, but a certain attachment has an .XLS extension (for example), get the file's real extension. If it's .COM or .EXE, you may be about to open a virus. This is not rocket science. However, since the average user is not this smart, Outlook XP by default keeps you from running program attachments.
Donate background CPU time to fight cancer.
I've Been using Netscape Communicator's E-mail program for years, without a problem.
As an added benefit, it stores all my e-mail as plain text (NOT like Outlook)
Ever heard of a Pine virus?
Nah. The closest I can think of is Dutch Elm Disease.
--
I would be a paid subscriber if Taco and Hemos weren't such cunts
I've used all the email clients, and irregardless of who makes it, Outlook has been the best to use overall. If you want to avoid viruses, just upgrade the client from office.microsoft.com to not allow any executable attachments. I deal with a ton of email every day, and it has not hampered anything. People that really need to receive an executable from someone can get it .zipped, or have the extension renamed to something benign.
"And like that
Users want the ability to double-click on executable attachments in order to open them, and email software needs to honor that request to stay competitive.
Gee, someone better tell Microsoft that, since Outlook 2002 (XP) is bolted down with the same patch that's been available for the other Outlook's for some time -- it disallows all executable attachments. That is most definitely the default (as it should be). I really don't know if there is a way to turn it off, either.
"And like that
It hooked the LPT printer interrupt and looked at the characters going by. Most of the time it didn't do anything. But if it noticed you were printing row after row of numbers (i.e. a spreadsheet), every now and then it would change one of them. Insidious.
Just a tad harsh. All windows is doing is hiding the ending of known filetypes (as set up in its configuration) because ... people asked for that option.
Microsoft have given the people what they want, its hardly their fault that after it has been enabled, the users promptly go and forget that they've enabled it.
Not forgetting that they don't seem to spot that the icon is completely wrong.
--
Avantslash - View Slashdot cleanly on your mobile phone.
But seriously, all these ideas depend on the mailreader program actually executing code received in email attachments. No Unix mail program would ever do such a thing because it's so obviously stupid; for some strange reason, it just seems natural to the folks at Microsoft to do just such a thing, claim it as a "feature", and then wonder why it causes so many problems.
I am a moron. I admit it - I caught this last wed. Even had Norton running. It didn't blink. The email came from a client during the day. The attachment was an excel spreadsheet that I had sent her earlier. Yes, I should have read the email and then I would have been suspicious, yes Norton should have caught it, but I open maybe 15 excel spreadsheets a day sometimes from this client. I don't read every email - or I didn't.
My personal firewall blocked their smtp program from sending - but then it attached itself to ie and ran through IE's security area in my firewall. It is set to send thru the smtp server you have setup in your mail program. It sent thru my local email. The only reason I noticed was paranoia and running netstat.
This virus can and does attack more than just outlook. I run Pegasus. If it infects an outlook machine it sends to emails in their address book, in my case it went thru the cache of IE. I had to send apologies to a bunch of tribes players. It doesn't parse emails very well as I got 10-20 obviously broken emails bounced back.
Norton would not remove it and at that time their was no mention on any site or newsgroup so I was forced to remove it myself. Hiding in the recycle bin took me a second time to catch.
If you read your email from a web client you can still get infected and it can still send out depending on your setup.
If you run an email server - you can block this virus very easily as the text comes in two flavors an English and Spanish version. Here is the text:
I send you this file in order to have your advice
Espero me puedas ayudar con el archivo que te mando
Pretty embarrassing, but don't just dismiss this as another love bug virus hitting outlook.
Chet
bm :)-~
US Democracy:The best person for the job (among These pre-selected choices...)
Please to note that many Linux distributions have done this for a long time, and not just a web server, either.
Well, that's a valid point except for the fact that the web server that many (most or all?) Linux distributions install is Apache. Apache has never exhibited the kind of unbelievable boneheaded security problems that IIS has.
Other people have pointed this out, I'm sure, but the sircam worm has NOTHING to do with Outlook. Any windows user who opens an infected file becomes infected, and then starts sending out the worm. It prowls cached web files to discover emails, not Outlook-related crap.
r cam.worm@mm.html is a good writup by Norton.
Contrary to the story, even web-based email isn't safe. I use Yahoo, and it'll scan it for you--and correctly identify--but it still has the option to download the infected file. http://www.symantec.com/avcenter/venc/data/w32.si
This may be redundant and a little late in coming but I personally did receive a copy of the virus from (surprise surprise)a Hotmail account which, if by your logic, the virus should not affect. Just some info.. My solution.. just be vigilant and don't execute files .. especially ones that look like *.doc.bat
"The answers are always inside the problem, not outside"- Marshall McLuhan
if you have to use windows, use outlook express
i am convinced that "/.ers" are homosexuals and imma make that my "sig"
i can hear the barrage of terms that the media will be using to describe it, "trash virus", "garbage trojan", the list goes on
i am convinced that "/.ers" are homosexuals and imma make that my "sig"
A lot of people have to use Outlook at work or whatever. The key is to not click on every email that you get. If it has a suspicious subject line or no subject line then delete it or save it as text and then read it with notepad or something else.
"sweet dreams are made of this..."
But it is also entirely acceptable to believe that a mailer can and will execute HTML-embedded code that is placed in it. It has happened before, it will happen again. I'm just really surprised that it doesn't happen more often. Of course, considering how many virii are spread by script kiddies, maybe it isn't that surprising.
Kierthos
Mr. Hu is not a ninja.
Well, yeah... if you wanted to use the same C code on different systems it would be impractical. But if you wanted the same effects on different systems, you could just as easily write X different virii: one for Windows, one for Mac, one for BeOS (wouldn't that be a waste!)...
Okay, maybe it's still impractical. But interesting, from a theoretical "my computer isn't infected" standpoint.
Kierthos
Mr. Hu is not a ninja.
Not just Outlook: I received a panicked call from a Eudora user who had been infected as well.
Karma: Chameleon (Mostly affected by the 1980s)
I believe that Exchange is setup by default to have POP enabled. At work I'm running KMail as my email client and I connect up just fine to the Exchange server.
Blame the users. Every time a new trojan gets passed around, it's on the news, and every time they have a security expert from Symantec or McAfee on TV warning everybody to please for the love of God stop opening attachments you're not expecting, especially if you get a generic message like "Hey, open this, it's really cool!" And every time without fail they open it anyway.
Blame the ISPs. They ought to be running a filter on their SMTP servers, with signatures updated daily. If you can't send the trojan to other people, it effectively dies. Same goes for POP3. Incidentally they have the greatest incentive out of everybody to kill this sort of thing, since they're the ones paying for the bandwidth and rebooting the flooded mail servers, but from my experience surprisingly few actually run any type of filter at all on mail servers, and fewer keep it up to date.
Blame Microsoft. What were they thinking when they released a mail program that lets external programs silently read your address book? (I'm told recent versions of Outlook/OE warn users now, but that sort of thing should have been in the original version.) And AFAIK no version of Outlook/OE will tell the user that running executables attached to messages is risky, especially if you're not expecting them, so maybe you would like to reconsider? Instead Microsoft releases a brain-dead patch that simply prohibits you from running .EXE attachments at all and declares the problem solved. Trouble is, people are afraid that sometimes there might be a legitmate reason to run .EXE attachments, so they don't install the patch.
Now Microsoft isn't the party at the biggest fault here (IMHO the ISPs who don't run mail server filters are really dropping the ball here) but they're not blameless either.
Curiously, the virus resides in the recycle bin... If you don't run Windows, no worries ;)
Windows is the biggest target because it has a larger percentage of users than other OS's. Of course information warfare specialists attack windows. More hosts for virus= more destruction. w007! 1337 h4>0rz and 5r1p7 k1dd13z!!!!
In the distance you hear an ominous moo.
Still would be laughable. You would have to upload a C compiler to use it effectively if it were to be cross platform... Actually you would have to upload several C compilers (one for each target hardware/OS combination).
"Hey John, why am I downloading 384 MB of material from your Mac?"
I said it as a joke. It is entirely impractical.
Sig: Tell all your friends NOT to download the Advanced Ebook Processor:
LedgerSMB: Open source Accounting/ERP
Actually, it is probably written in VBS, and I wouldn't mind taking a look at it if it comes my way. My employer naturally, probably already has screening up on our email ;) Though, when the Lovebug hit, most of the people in my building downloaded it and opened it in notepad in order to see how it worked... Funny, the people that got infected were mostly the management and a few non-technical people in my environment.
Sig: Tell all your friends NOT to download the Advanced Ebook Processor:
LedgerSMB: Open source Accounting/ERP
I don't know enough about it to determine the extent to which it can affect non-Outlook clients. I do know that, according to CNET, it does try other means of spreading as well.
Curiously, the virus resides in the recycle bin... If you don't run Windows, no worries ;)
A little off-topic but:
Now it would be harder to do, but imagine a worm written in C that would spread as source code and then recompile on various client computers, thereby appearing to be different viruses on different platforms...
Sig: Tell all your friends NOT to download the Advanced Ebook Processor:
LedgerSMB: Open source Accounting/ERP
For those unfamiliar with the Bliss Virus, it is/was a research virus written as a proof of concept (complete with all sorts of safety features, like an auto-removing feature) which eventually accidently was released on the net. ig the adminsitrator ran:
bliss --disinfect-files-please
the virus would remove itself from the system (good responsible code design-- it cleans up after itself).
My point is that writing viruses != computer vandalism. They usually coincide but not always. This virus we are following is pretty clearly one covered under computer valdalism (who writes Outlook viruses as proof of concept anymore anyway-- it is too easy and would not do any good). ANY virus with a payload is malicious and probably a criminal offense in most countries. This worm carries a payload, so its intents are clear.
Sig: Tell all your friends NOT to download the Advanced Ebook Processor:
LedgerSMB: Open source Accounting/ERP
"if you are running an operating system that needs them" (needs the patches)
This seems to be a fairly high and mighty comment so soon after we were informed via slashdot that linux and the ilk are just as able to support 'virus' (aka trojan in this case) as the other (win*) os's are.
The problem is the widespread use of Microsoft software in general, particularly the MS Office suite. Although this particular virus sends random files to addresses in the address book, a similar virus could be much more devastating to a company by searching for sensitive documents and posting those to Usenet.
Ask me about my vow of silence!
It relies on the user executing the attachment, it doesn't execute itself.
last time one of my user having his outlook infected with HELP.VBS virus and called me during my vacation.
I were having problem instructing him to fix it over the phone(e.g. after 15 mins in searching for the 'Start' menu I realized that the screensaver was in fact activated). I offered to fix his problem personally once i got back next week. He said he couldn't wait that long.
Since the virus would only delete files on dates when the day and month total 13. I told him not to power up his computer when the total of day and month is 13.
However, regardless of the fact that he's a CFO, he has problem with simple addition....
That's it! It does free me from any legal responsiblity by using this virus to spread my personal creating of p0rns and MP3! (Hey I'm a victim!)
It's even better than Napster....Cool that's very useful!
I did finally move email client last week, tho - from Netscape 4.7 to mozilla; the mail+news client finally seems fast & stable enough for daily use (to me, YMMV)
--
"I'm not downloaded, I'm just loaded and down"
How long before one of these reformats it's host after reproducing 500 times?
Rhetorical questions - I hope.
--
"I'm not downloaded, I'm just loaded and down"
Which just agree with my initial statement (the mutt+w3m comment was kind of a side note).
But this brings another problems that I think we forgot to mention. Almost no software safe of anything. Lets just consider a buffer overflow in glibc (as we had in the past). This would cause havoc on a great number of applications, even tho these applications are safe by themselves.
---
morcego
Any mailer that displays even plain HTML as soon as you view the message can be attacked /. reader). So, if someone create some kind of smart program that decides to do this or that on itself, you can be sure that someone will outwit the program and create a hell.
Errr, I'm still waiting to see any HTML attack agains my mutt+w3m reader.
Now, be serious. The problem is not HTML nor JavaScript, but the bad programing skills used to create some mail readers.
Or simply plain stupidity, like OutLook running lost of things by itself.
The is that it is impossible (thanks God) to create a computer program that is smarted then a human being (at least, smarter then us
---
morcego
I did. There was a buffer overflow in Pine a year or two ago.
---
morcego
Someone said: Another virus that doesn't affect web-based email (not to mention pine or MacOS or whatever). Seems pretty clear that Outlook will continue to be exploited in new ways for the forseeable future.
And then someone else replied: I don't know enough about it to determine the extent to which it can affect non-Outlook clients. I do know that, according to CNET, it does try other means of spreading as well.
Although many virii and worms do rely on Outlook's crappy design and implementation of security issues, this one does not. (There doesn't seem to be any agreement between virus experts (I'm not one) whether SirCam is a worm or a virus. To me, it looks like a hybrid.)
SirCam harvests e-mail addresses through two methods:
- It will search through temporary HTML files (from your Internet Explorer cache only) and use any e-mail addresses it finds.
- It will harvest addresses from *.WAB (Windows Address Book) files on your HD. (I'm not clear on what program uses *.WAB files. I use Eudora for my e-mail on my Windows computer, and although there is a *.WAB file on my system, it is empty.)
According to the Symantec web site, the virus "contains its own SMTP server which is used for the email routine." It's not dependent on Outlook at all.References:. worm@mm.html.
http://www.sarc.com/avcenter/venc/data/w32.sircam
What about that fetchmail exploit that went by the other day?
Are you "up to date" on your distributions security patches?
Have you read http://project.honeynet.org/
I think we linuxers are too complacent and will suffer one day...
- RustyTaco
I think comparing computer viruses with real life viruses reveals a lot similarities.
;o) And please don't come me with because nobody uses it. It's because all the programs run in an isolated sandbox by default, and have no possiblity to alter any sytem files.
For the real life viruses the human body as defender is the "operating system" it tries to keep itself clean from evil attackers. But it doesn't bother to spend energies on harmless intruders. There a dozends of harmless bacterias even one or two harmless viruses, some of these even help the human body. Especially I remember one virus that attacks and spreads only through "unwanted" bacterias. This virus is the human bodies friend, on we all have tousends if not millions of this one on our body.
If an intruder seems to be harmfull your body starts to attack it, it's a common trick for viruses/bacteria to trojan themselfs into the human body, in the beginning they are nice and cute and after some time if they are strong enough they suddendly start to mean, salmonella is such a bakteria, or AIDS that lives quitly and hidden over 10 years or more. BTW, there some brand new cures in evalation building on this knowledge, "telling" the human body early that this introdur is evil.
So each virus goes a small path between being tolerated, survive/spreading itself and how much attention it will receive. Also a virus doesn't gain anything if it's host dies, in history there were viruses which completly killed a whole population (I think there is some proof that it happened to some bird kinds), and at the end the virus dies himself.
Okay what has it to do with computer viruses? Take in example the "parityboot" virus in our capital city (Vienna) this virus was spread every some years ago, why? Because it didn't destroy any data, yes the paritity boot errors were nasty if you didn't know the virus and that it was the cuase, but once you knew it you just had to ignore that message and everything was fine. People knew it. However to completly clean it from a companies net required to scan all discs, that times the main medium, which of course would cost quite an amount and time, so many simply chosed to live with that virus, it was even funny in some kind. Same as the old 'gimma a cookie' virus everybody found it so cute you was even happy if you got it.
However the meaner a virus the harder it counter attacks. If in example I know I've a virus that bombs some IP address I'll think yes I'll clean it, as soon I've time, maybe tomorrow. If I know it might delete my data I want it removed from my harddisk NOW! If I know it sends confidential data to my competitors/costumers I would consider completly wiping all infected harddisks. A virus beeing that mean,ie by altering files it will have no spreading, people will put all afforts in killing it quickly.
BTW: how many viruses for linux exist?
--
Karma 50, and all I got was this lousy T-Shirt.
that is all.
Thanks to the wonders of Microsoft backward-compatibility, the darn things get treated as execuatables in the Win32 environment.
Even better, if you have a file with a double extension, such as .txt.pif, Outlook shows it as a .txt file, but the OS treats it as a .pif file. Microsoft makes things too easy for the virus creators, don't you think?
www.lucernesys.comHorizon: Calendar-based personal finance
Users want the ability to double-click on executable attachments in order to open them, and email software needs to honor that request to stay competitive
Opening documents via double-click from email is ONE THING. Getting your network infected from opening a WORD PROCESSOR DOCUMENT is ANOTHING THING. Opening and viewing an innocent, benign-looking MSWord document SHOULD NOT allow a user to become infected, and the problem with the "culture" you refer to is the culture that says that that is "normal" and "acceptable". It even happened to me with this Sircam virus - I had an up to date anti-virus guard program running, am clued up technically, and I thought "I'll be safe". I opened a Word document. Thats all I did. There were NO WARNINGS, NO MESSAGES, no indication whatsoever that a program had now installed itself on my PC and was spreading through the network. At the very least, MS Word should warn you before executing any content, but it doesn't. There is no excuse for that, and the fact that Microsoft continues to defend their actions is pathetic. That is the real problem here. I don't even use Outlook, I use Pegasus. I saved the Word document, opened it. Not even a warning that something had been EXECUTED. We're talking about a Word processor document, not an .EXE. If even clued up people make mistakes, I feel sorry for Joe User. What good is having a Word processor if you need to feel afraid to even open a document?
You are correct. However, you imply that thats the ONLY way a user can get this virus. However, if you happen to have your C drive shared (as many people have for some strange reason), and someone else on the LAN becomes infected, you too will become infected, unknowingly, without even doing anything, as the virus will copy itself to your C:\Recycled directory and add an entry to c:\autoexec.bat to run itself. Thus, you don't have to do ANYTHING to become infected. The SirCam is thus a virus, a worm, and a trojan. (It will also run in the background, it copies itself over rundll32.exe in Windows, making it harder to spot, and rundll is very commonly run on Windows).
.. however, all of the security mechanisms that Linux uses make it a helluva lot harder for such a virus to spread on Linux. If you have a basic knowledge of how Unix/Linux work, you will understand that. One often hears that argument though from people who know nothing about Linux security and protection mechanisms, you'll often hear them say "so what someone will sooner or later do the same thing on Linux" .. when you try explain the layers of protection that have been built in, they just look at you funny, or say "so some clever virus writer will figure out a way around them". Maybe it'll happen, yes. But it may happen once a month or once a year on Linux, because of the protections. With Windows, new viruses like this are released EVERY DAY, and a new one that becomes as widespread as Sircam seems to be an almost weekly occurrence lately. With Windows, its a daily part of the package - people have come to accept viruses on Windows in the same way we all just expect to get a cold every Winter. With Linux, it'll be regarded as something strange, unusual. Thats the difference.
Of course, its fine and well to say "only stupid people share their C: drives", but I have three other computers in my office which I've shared the C drives and mapped because I do network programming and it is very convenient that way. NOTE: The shares ARE password protected with a VERY cryptic password, yet this SirCam had no problem with that. Now use your imagination: picture the next version of this virus having Cain-style functionality integrated into it - not only would it be able to find open shares, but fetch passwords out your cache for other password-protected shares, and it might even do brute force cracks, sniff the network for password hashes, grab them off NT servers and crack the lame passwords of EVERYONE on your network, or set itself up to grab password hashes from password-protected shares that you have on your machine. It a matter of if, not when, that someone creates a virus that does this.
This problem MAY be ported to Linux
You are incorrect, the virus WILL infect .zip, .exe, .xls and .doc files that are on the users hard disk and forward THOSE documents to others in the address book. This virus has already emailed me a zip file of the source code to someones commercial project!
You can be infected by this virus from doing something as simple and benign as opening a word processor document or spreadsheet - without even so much as a warning that the Word document is executing a program. Do some research before posting, you say "from reading the articles" but it looks like you only glanced through the articles yourself. It extracts .exe files to your harddisk, but can infect and be spread by .xls, .doc, .zip and .exe.
Please mod his comment down it is false.
From http://www.norton.com/avcenter/venc/data/w32.sirc
10. The worm contains its own SMTP server which is used for the email routine. It obtains email addresses through two different methods:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders\Startup\Cache
for sho*., get*., hot*., *.htm files, and copies email addresses from there into the file %Windows%\sc??.dll (where ? is a random letter and number).
For whatever it's worth, the copy of the virus I got (I'm on a Mac so it did a whole lot of s**t-all), came as a 1.5MB .text file. Neither of the articles linked by this story list .text as one of the common extensions. Just one more thing to watch out for.
"Reality is merely an illusion, albeit a very persistent one " -Albert Einstein
...spread as source code and then recompile on various client computers, thereby appearing to be different viruses on different platforms...
Is this how java got so damn popular?
<-- You are here.
pr0n - keeping monitor glass spotless since 1981.
Here's some interesting info on how SirCam works.
---
I got nothin'.
I say to the exec, "Aha! This will surely fix your bug" and she said "Yes, please install it post haste, I can not live a second longer while my powerful fonts change so erraticly!". So I diligently installed the SP, which took over an hour of my life. [I even stayed late to do it, as she wanted to take her laptop overseas the next morning.]
The next morning she rings me up at 6am saying "I can't open my mail, when I double click on it, it only gives me the option to save it, not to run it.". I did a bit of investigation, and it turns out that it also installed the latest patches for outlook, including this one.
I explained it all to her, carefully pointing out that this was a benefit as it was more secure, and you also get the benefits of having your powerpoint fixed. [As many as many other bugs in O2K fixed.] She mulled it over for about 2 seconds and said "Remove it".
And so our intrepid IT Support person removed the service pack, and [mentally at least] clubbed the executive around the head.
Not Meta-modding due to apathy.
Yes, but the point was that the executive took CONVENIENCE over BUG FIXES to problems that she was having.
Not Meta-modding due to apathy.
Ever heard of a Pine virus? Exactly.
Toronto-area transit rider? Rate your ride.
This will not be the last time we see a Slashdot headline of this nature (and I seem to recall that it's not the first either...)
You're right.. what gets me are those that are *not* on an Exchange server, but they want to use Outlook "because it's familiar to them" rather than at least using Outlook Express or..gah, anything else but Outlook.
I've got a few lusers that I'm trying to wean away from their outlook dependancy, but it's not going so well so far *sigh*
I'll be good goddamned if I'll ever use Outlook again, simply because it is so easily picked and well susceptable to Vbasic script viruses etc.
Screw 3...
Actually, there is a patch for these sort of problems. Details are here, or just download it directly here. .vbs) etc. Other files (like .zip) _must_ be saved to disk before being opened. This would pretty much stop this virus/trojan in its tracks.
Basically, it will not allow the user to access (run, or save to disk) any executable file (.exe,
It's been out for over a year, but it seems admins aren't deploying it (for whatever reason).
1. Click Start, Settings, Control Panel.
2. Click Add/Remove Programs
3. Select Outlook Express
4. Click Remove or Uninstall (depending on OS version).
5. Go get a copy of Pine compiled for Win32 and install it ASAUC (As soon as you can).
{awaiting the flame-bait}
The M$ OL is ...
wait, i forgot what i was about to say. damnit, must be the guy from the "censorship" icon, he is looking
at me, with his mouth shut, just like my father,
when i was suffacting him to death.
take him away please, and have a picture of a yellow kiwi or something.
That might treat the symptom (sometimes) but it doesn't treat the problem. Contact lists are easily accessible through COM objects, from a trusted process. Untrusted code (like scripts on web pages) are not allowed to access address books.
The root problem is that people run attachments with the same privileges that their user account has. Therefore the attachment runs as a trusted process. As long as A) people still run executable attachments, and B) those attachments run with the same level of access that the user has, there is absolutely no way to prevent the attachments from impersonating the user and flooding the net with virus mail.
As a side note - Eudora and Netscape Mail both allow users to run executable attachments. The reason that their address books are not targeted is not that it's impossible (it is definitely possible to write a program to read them; I have seen it done) - it is because Outlook is the most popular program out there and it's easy to code a virus that accesses Outlook contact lists. If M$ had not driven Netscape into the bit bucket in the 90's and everyone used Netscape Mail today, these virusus would work just the same for that client. (That's not to say that Outlook doesn't have plenty of other faults - it does.)
-all dead homiez
The underlying problem here is that people have come to accept executable attachments as the norm. Years of silly Flash greeting cards, "snowball fight" games, and Joe Cartoon crap sent across offices since the mid-1990's have hooked Windows users on native-binary attachments. The only way that this sort of activity can be stopped is by making it socially unacceptable (improper netiquette) for anyone to send executables through email. Think about what would happen if one of your colleagues sent you a random Linux binary through email and claimed it was a greeting card - would you run it? Well, the drooling masses will run any .exe that a "known" source sends to them, and that is the crux of the problem.
Unfortunately, it is in content producers' best monetary interest not to change their distribution strategy to use a format that requires less trust (such as .swf or even .html). That would artificially limit the quality of their goods, and closes the door to including "value-added features" (like spyware) to their attachments. Therefore, the situation shows few signs of changing anytime soon, and users will simple work around any stopgap measures in their email software so that they can continue to play their "frog in the blender games" in perpetuity.
-all dead homiez
Nothing particularly original there, except this virus is pretty unique both in how it operates, and what it does
Hmm. It's unoriginal, yet totally new in how it operates and what it does.
Does this strike anyone else as contradictory?
-- Just your average guy, except with 2 heads and an eye stalk in my chest.
m00.
There's a major new M$ based virus every week. This hardly qualifies as news.
Repeal the DMCA!
Actually,
:)
I'm surprised no one has included a list of 100 to 500 hotmail accounts in the virus. That way they can mail one to your friend and one to a Microsoft Hotmail account.
The virus that keeps on giving!
For once it would be nice for Microsoft to feel the brunt of these attacks.
I don't know, why don't you try it, so you can get arrested and thrown in jail.
I've just realised it doesn't matter what mailer I use. The fact that this virus/worm/whatever even exists means I'm gonna suffer!
With all this media attention my Mom's gonna start sending every freaking bogus virus warning on the planet (She scares very easily; The poor dear!).
I'd rather get the virus.
:)
I wish I used Outlook...
I completely missed out on that whole "Anna Kournikova" thing and now I can't even run this one...
It's either buy Outlook or hope Lotus Notes releases a "Microsoft Virus Enabler" patch
*sigh*
I use Outlook on my Windows machines, and have received email virus quite often. I have never been affected by them though, because I just don't open anything suspicious.
Ridiculous.
I should know.
Ahem, Microsoft issued a warning today that their popular e-mail program Microsoft Outlook has once again been exploited by evil superhackers. At a press conference this morning Mr. Gates said this of Outlook Virus ##23948842^99: "I have never seen a virus as advanced as #23948842^99, those evil superhackers have struck again. The mind boggling intelligence it would take to exploit a product as secure as Microsoft Outlook has me believing that it is the work of advanced alien life-forms with a secret agenda. It is also believed that these aliens are also the cause of all other Microsoft security problems, the incredible size of the Windows OS, and the coming of the antiOS (Linux). Please help us stay strong against the aliens by supporting Microsoft in our hour of need, don't switch e-mail programs or your OS, thats what the aliens want." As always we will keep you informed of any further developments in the Outlook Virus #23948842^99 story. Really if your still using Outlook of your own free will you deserve a virus and a kick in the ass from anyone who receives the virus from you.
http://www.gamedev.net/reference/articles/article
It attaches itself to another file, reporduces iteself, and has a payload. That is therefore a virus ;)
AnthraX101