Slashdot Mirror


Another Nasty Outlook Virus Strikes

Goldberg's Pants writes: "ZDNet and Wired are both reporting on a new virus that spreads via Outlook. Nothing particularly original there, except this virus is pretty unique both in how it operates, and what it does, such as emailing random documents from your hard drive to people in your address book, and hiding itself in the recycle bin which is rarely checked by virus scanners." I talked by phone with a user whose machine seemed determined to send me many megabytes of this virus 206k at a time; he was surprised to find that his machine was infected, as most people probably would be. The anti-virus makers have patches, if you are running an operating system which needs them.

14 of 388 comments

  1. Re:These virus writers have no imagination... by jbuhler · · Score: 5

    > Why can't these virus writers do something cool?

    You don't want virus writers with imagination. You *really* don't. A truly imaginative virus writer would likely devote all sorts of creative energy toward thinking up nasty things to do to your computer.

    I'm still waiting for the trojan that silently installs itself, then once every day looks for spreadsheets on your system and randomly changes three numbers in every fifth file. Or perhaps it finds your Word documents and randomly removes the words "do not" from a few places. Or maybe it flips a few bits in your swap file, or munges your C++ compiler so that your programs randomly destroy the user's partition table one time out of a thousand. Maybe it sends death threats in your name to president@whitehouse.gov, or anonymously tells Microsoft that your company is pirating Windows.

    No, I'm quite happy with the current crop of dull, stolid, entirely *un*imaginative virus writers, thank you very much!

  2. Devil's Advocate by Outlyer · · Score: 5

    Ok, I have to respond to some of the folks here who believe that "Don't run Outlook" is an option. Well, pray tell, what should I do if I'm on a corporate Exchange server? With no other option? It's all well and good to suggest things, but the fact is, if the Exchange Admin won't use LDAP, you're out of luck, and quite stuck.

    That said, the SP2 release of Office/Outlook prevents anything from accessing your address book, and will pop up a confirmation. It doesn't prevent idiots from opening the attachments, but it does create some thought beforehand.

    I can appreciate the idealism of using Linux for everything (I'm a Debian developer for god's sake) but for my job, I have to use Outlook, so I do, because I like my job, and I'm not going to quit because of that minor inconvenience.

    I suppose this qualifies as a rant, and possibly will be modded to "Flamebait" or "Troll" but let's try and tolerate some dissent on this board for a change.

    --
    ----------------- "I have a bone to pick, and a few to break." - Refused -------------------
  3. Re:Why continue using Outlook? by sphealey · · Score: 5

    >This isn't a problem with Outlook, it's a problem with idiot users clicking on every damn thing they're emailed.
    >>Furthermore, Outlook actually helps out the "idiot" users.

    There is a principle in the Toyota Production System that goes something like this: "If a worker makes a mistake once, it may be the worker's fault. If a worker makes a mistake twice, it is the supervisor's fault. If a worker makes a mistake three times, it is management's fault".

    Most human beings on the face of the earth are not technically minded and DO NOT WANT to understand the details of how the tools they use work. If every time Joe Homeowner flipped on a light switch there was a 1% chance of a nuclear power plant melting down, we wouldn't be using much electricity, now would we?

    While Microsoft is to blame for creating insecure tools (keeping in mind that larger market share means more attraction for attackers), responses along the line of "stupid users don't understand how to use e-mail" are not acceptable, either.

    sPh

  4. Re:How long? by cyberdonny · · Score: 5
    > Simple solution - the virus should scan Wired for its name every hour. When it finds a match, the fun begins.

    Good idea... but who assigns virus names? It was my understanding that the name under which a virus is known is usually not chosen by the author, but by the anti-virus community once it is "discovered". Thus, it would be rather hard to scan for its name, as it will not be known at the time of writing...

  5. Sheesh... by szcx · · Score: 5
    You know, for all the bitching Slashdot does about the media confusing "Hacker" with "Cracker", it's somewhat ironic that the Slashdot editors don't know the difference between a "Virus" and a "Trojan".

    Of course, then the headline would have to be "Idiot Users Still Exist, Nobody Surprised" -- doesn't really have the same air of panic though, does it?

    Joe emails a rogue application to Jane, Jane runs the code which then emails itself (and an arbitrary document) to people in Jane's address book. Sounds like something that could be implemented on any OS, doesn't it? You can't patch user stupidity.

    Anyhoo, let the Microsoft bashing begin! Everyone get your pitchforks and flaming torches, but leave your dictionaries at home.

  6. An observation... by brianboru · · Score: 5


    One thing I've noticed is that it's always my work address that seems to get the viruses. In the 10+ years that I've had personal email addresses, I think I've only had maybe 2 even delivered to any account. (This includes free Outlook-enabled web accounts).

    There's only a couple conclusions I could draw from this:

    1) I am a supreme personal system administrator and do not let any common mundane virus issue affect the harmony of my smoothly oiled machine. (you do oil computers, right?)
    2a) All of my personal friends are apparently not as stupid as they look (this one is hard to believe).
    2b) All of my work colleagues are definitely more stupid than they look (ok this one isn't so hard to believe). heh
    3) There is some kind of shield made up of impervious virus-fighting smurfs that protect my personal computer 24 hours a day.
    4) Karma (no not that kind)

    or most probable:

    5) Someone has been reading and deleting my personal email for years.

  7. Re:solution: don't use outlook by autechre · · Score: 5

    "It relies on the user executing the attachment, it doesn't execute itself."

    Unless, of course, it's something like Javascript code, or an unruly image tag. Exploits of this nature have been discussed on BUGTRAQ (more recently as an example of how poor PHP programming can cause security problems [duh!], so don't think I'm picking on Outlook here). Any mailer that displays even plain HTML as soon as you view the message can be attacked, and ones that do Javascript are INSANE.


    Sotto la panca, la capra crepa

    --
    WMBC freeform/independent online radio.
  8. GET A DAMN CLUE PEOPLE!!! by cosmicaug · · Score: 5

    It seems just about every damn virus nowadays spreads via Outlook or Outlook Express which is too bad

    But has anybody (specially Timothy) actually paid any attention to the damn stories?

    Nowhere in these stories is it claimed that Sircam uses Outlook to spread! Maybe Timothy got the idea from reading this CNN article.

    Geez, people, do you believe everything that CNN says? It's not like I really expect CNN to get this right, but /. readers are supposed to be better than that!

    In fact, the Wired news clearly says that the virus serves as its own SMTP client. A lot about this virus in fact resembles how the Judge Disemboweler virus operates.

    The only thing that can be interpreted as using Outlook to spread itself is the fact that it takes its e-mail addresses from Windows Address Book files; however it will also try to get addresses from some files in the 'Temporary Internet Files' folder. This means it should be able to spread without any need for Outlook (just some e-mail client and a user naive enough to run the attachment) and without Windows Address Files.

    All the usual sources of virus information seem to agree about this virus serving as its own SMTP client. Please check for yourselves:

    http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

    http://vil.mcafee.com/dispVirus.asp?virus_k=99141&

    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A

    http://www.sophos.com/virusinfo/analyses/w32sircama.html

    http://www.europe.f-secure.com/v-descs/sircam.shtml

    http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=FichaVirus&idVirusFicha=1911&pestanaFicha=1

    http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010718-000010

  9. This thing has its own SMTP server... by BigWhale · · Score: 5

    You know... maybe somebody should figure out how to send mail thru it. It could be used instead of MS Exchange... I bet this thing is smaller, quicker and uses much less resources than Exchange... ;>


    ---------------
    I never wanted to go anywhere. I'm happy here...

    --
    The Sig, the sig
  10. Another Nasty Outlook Virus Strikes by Kefabi · · Score: 5

    Another Nasty Outlook Virus Strikes

    Score: -1 (Redundant =)

    -Kef

  11. Re:Why continue using Outlook? by Merkins · · Score: 5
    I've Been using Netscape Communicator's E-mail program for years, without a problem.

    Who would bother writing a virus that will affect 11 people ?

  12. How long? by imipak · · Score: 5
    How long can it be before one of these uber-worms carries a really malicious payload, or doesn't get reversed in time? We escaped Code Red (if you can call it 'escaping' when the security and network admins of half the world spend 12 hours on Friday working on it) largely because eEye reversed the worm, giving the Whitehouse.gov people enough time to blackhole the IP the worm author had hard-coded. If that hadn't happened - or if the IP was looked up in DNS - or the thing hadn't happened to be programmed to stop spreading itself on the 20th, the day after it exploded around the world (not that the author could have predicted that)... things could have got /really/ messy.

    How long before one of these reformats its host after reproducing 500 times?

    Rhetorical questions - I hope.
    --
    "I'm not downloaded, I'm just loaded and down"

  13. Unthinkable - Thinkable by flacco · · Score: 5
    To paraphrase an admin at our University during a mailing list discussion about Outlook:

    "Prior to MS Outlook, if you suggested to ANYONE that a mail client should be able to execute foreign code sent to you through e-mail, they'd have looked at you like you just grew an extra head."
    --
    pr0n - keeping monitor glass spotless since 1981.
  14. Once again I miss out on everything by Nathdot · · Score: 5

    I wish I used Outlook...

    I completely missed out on that whole "Anna Kournikova" thing and now I can't even run this one...

    It's either buy Outlook or hope Lotus Notes releases a "Microsoft Virus Enabler" patch

    *sigh*