Latest WinWorm Spreads Via ICQ And Outlook
mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.
It is not non-destructive - it tries to delete anti-virus and firewall software.
Eric Aitala
www.f1m.com
This is the first office I've seen grind to a halt because of an Outlook worm - but then, none of the other places I've temped have been so totally MS-centric. I think I'm the only one left with email access, as I'm using the mozilla client.
I would think that a virus that is intending to bog a system would want to be large...
considering I've received 20 virus-laden emails through my @home account in a matter of days.
blank fill for the stupid software. I said n/t, didn't I?
Didn't everyone get the memo that opening attachments is a really dumb idea? I'm attaching the original message:
Is this really 159 bytes or does this packet pull something else down? .NET language.
If this is 159 bytes of visual basic it is a good thing Forth is not a standard
my office was hit, since we saw the multiple emails with Hi we obviously knew that it was a virus. It's more of a dll than vbs, using the screensaver extension. It's a little harder to screen than a vbs script
Got the first attachment at around 16:30 GMT - suspected by the wording of the email that it was a virus.
Mailed tech support and didn't get a response. Great.
It seems some people even ran the attachment more than once - probably trying to get the screensaver to work :-)
It only seems to have copied to the first entry in our network wide address book, unfortunately it begins "#All" - ah well, my Macs are safe at least
Shit. I still have people getting Melissa and Nimda here at work. (Matter-of-fact, I spent half an hour just yesterday clearing a machine from its second infection.) A 159 byte virus? Using a sentimental pick-up line? I'm going to be busy...
Yes, I know user education and antivirus software would help stop this, but I'm in no position to get those kinds of things done here.
has already sent every one of my fellow employees all over the globe 27 copies of this thing. It's been going on for over two hours now. I can't help but wonder if he's still over there trying to run that damn .scr.
Thanks, boss.
It wouldn't be the first time that AV companies reported a virus as having a weak payload, only to be proven wrong later. Look at the nimda virus. It was first reported as a simple outlook virus
All I can say is, thank god for procmail....
The rest of my office ground to a halt. I sat here laughing and giggling all the way to the SMTP port.
The story had a few errors:
it has a packed form that is only 159 bytes.
Actually the attachment is 38KB, and the virus itself is 159 KILObytes, not 159 bytes, UNPACKED.
The unique thing about it is it disables some anti-virus software, and things like ZoneAlarm.
As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.
Wow! I'm really impressed. 159 bytes in this Windows age is REALLY NICE. Many years ago you had a destructive virus (called Define) of 30 bytes overwriting all .com files.
But 159 bytes and spreading by outlook and icq. My compliments! Err. For educational value of course.
Sheesh people. Someday, the business world will get tired of paying for the privilege of having MS set up their software to fail. Ya think?
During Iloveyou, our whole corporate mail system was down for nearly two days. On this last go-round, it didn't go down, it just got really really ugly as they began scrubbing. Can't wait to see what this one does.
Course.. moderate intelligence could prevent this.. remove the preview pane option from Outlook on the users desktop.. educate your users NOT TO OPEN CRAP LIKE THIS!. (what a concept).
Course, that would take away the jobs of many highly paid professionals who are on retainer just for this sort of outbreak.
*sigh*.. My wife is one of them.. guess I wont see her for a few days again.
Maeryk
OK, to stem the immediate misinformation to those who don't read the links.
The virus is 39K packed and 159 K unpacked. Not even close to just 159 bytes.
The second is that it DOES have some harmful effects. Primarily, it deletes components of Norton Antivirus which could open the infected PC up to much more deadly viruses.
Jeremy Devers
I can't wait for the Gartner Group to condemn use of Outlook like they did IIS :)
Might get a few Dozers to switch to *nix and use Kmail, Evolution, Mutt, Pine...or at least get them to try Eudora instead.
Of course the Exchange admins will cry that they can't support POP3/SMTP because they need their neato calendar and scheduling functions of groupware.
Non destructive ... except in time spent cleaning it up. And hassle. Just had a PC guy come check my laptop to determine if I had autopreview enabled in my Outlook. What a waste.
Gah, if my company just let me throw linux on my laptop I wouldn't have to deal with these problems.
=Blue(23)
Didn't everyone get the memo that opening attachments is a really dumb idea? I'm attaching the original message:
<Attachment: Don't_Open_Attachments.eml.vbs>
I just got the warning message from my school's network goons. In a move of administrative wisdom at its finest, it mentioned:
"The Bearcat Online email system is now blocking all messages with "Hi" as the subject."
Until Linux can spread worms as well as Outlook, Linux will never be accepted as a true desktop replacement!
First off, the McAfee link in the story is broken. The real link is http://vil.mcafee.com/dispVirus.asp?virus_k=99272& .
Second, I don't know what "non-destructive" means in this context, because when something terminates processes (ZONEALARM.EXE, SAFEWEB.EXE, and VSHWIN32.EXE to name a few) and tries to delete all files in the directory containing the executable of the process, I call that destructive.
The Symantec article says the bug is 159 KILO-bytes, not 159 bytes.
Please check the facts! It's _not_ 159! Not even the first self-replicating viruses were this small (AFAIK). It's approx. 159 kb if unpacked from its PE-compressed format! The file you have to download to enjoy the virus is approx. 38 kb.
This one's strength is actually its social engineering. The text of it sounds like something a friend would send. My sister got nailed and I got it via e-mail from her. Since I had just finished talking to her on AIM I found the text of it a little strange so my guard went up. Funny enough, McAfee didn't catch it on Yahoo (I scanned just to see what came up).
Non-destructive? It puts a hit out on its own opposition...
According to the Symantec page, the payload is 159kb, not 159b.
it's either been slashdotted out of existence or was never correct.
the other has info though.
Quoth McAfee:Under Windows 9x/ME, the worm looks for the following processes in memory:
--A list of processes including AVs and personal firewalls--
If present, the process is terminated and all files in the directory containing that executable are deleted, as well as all files in that subdirectory.
That has my attention. Can anyone confirm this?
F-Secure have a page describing the W32.Goner.A@mm as well.
No doubt this was constructed by a bearded GNU-loving linux zealot to show the weakness in closed software systems like ICQ and Outlook... I wish they would just let us (the computer users of the world) use our horribly insecure applications without fear of virii...
Our office blocks .scr attachments at the server, because we're not completely incompetent. There's no reason to send a .scr or a .vbs or anything like unto it - whatever you have to say could be said in a text file.
It strikes me as extremely sad that a virus like this can still work. How many times does it take?
What can we do to save the unknowing?
Let's not stir that bag of worms...
Windows is reliable. Every generation is more and more secure. Boy, next one's gonna be the winner. No problems here. Sheesh, I wish I could use Linux at work, but Windows is what we've settled on, so I guess that's good enough. I need to play games. Without the latest DirectX Flooznithummer, I'm not going to go to some inferior operating system. Windows is really secure if you're not a total luser! Gosh, at work we've settled on sitting on sharp, dirty spikes every day instead of regular chairs, and dammit, it's necessary for efficiency! Horses, too.
It says you have to remove the registry entry then reboot. Actually, if you remove the registry entry, the app reinstalls itself, then reboot doesn't do shit.
Shutdown to DOS, then del windows\system\gone.scr
(It's hidden attrib -s-r-h first), then reboot.
You can't delete it before you shutdown, it's 'in-use'.
If you're running NTFS, AND you've been hit, *sigh*..
I guess if you don't consider the deletion of files as "destructive."
The worm attempts to delete the following files:
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallICON.EXE
FRW.EXE
VSHWIN32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
At least that's what Symantec says.
Badtrans is hitting my mailbox multiple times harder than Sircam, MTX and CodeRainbow combined. And it's only around since 24th November. Quite "every" Outlook user I know of got infected with it.
But then maybe this virus is hitting only Europe, so US-citizens haven't noticed it, yet.
Needless to say, I'm happy to read my e-mail on a *nix box. :-)
ms
I got it but as I run linux it means nothing
you actually have to execute it as opposed to using built in scripts that outlook runs
so its the users that are spreading this !
people should not be able to receive attachments IMHO
what do they lose by outlawing attachments from outside the organisation ?
nothing
you want to send something to someone convert it to PDF/HTML and stick it on the web server
there are lots of publishing frameworks even OpenSource ones
deny all attachments coming through your gateway
regards
john jones
As these kinds of worms become more and more common, one has to wonder what more can Microsoft do? They've already released hotfixes that address the problems (Outlook XP strips attachments by default, older versions have fixes that do the same). Short of force-feeding the patches to users (which itself would garner a huge outcry), what more can be done?
First from the CEO, then from about 15 other co-workers. Right now the IT team is running around trying to figure out how to filter it out.
I peeked inside and found that it links to the VB runtime DLL. Unfortunately I can't tell any more than that at this point.
-Jon
to personally sign the messages that you send to your friends and NOT use the built-in outlook signature feature? It makes the mail much more personal, and can alert your friends that something might be wrong if they don't see your personal touch at the end of the message
--ac
WTF does "moderately unique" mean?
Either something is unique or it's not, by crikey! Soon we'll have things described as "marginally special" or "slightly dead."
Avoiding off-topic flames like this is just ONE reason to avoid sloppy English.
Is Outlook to blame? Sure, partially. But are stupid users who open attachments at random without verifying them also to blame? Absolutely.
Random Musings
Well, since McAfee and Symantec are reporting it, I guess this is not a first draft of magic lantern... unless they issue another press release in 45 minutes saying "um... nevermind, there is no 'Goner' worm."
Someone at my office got the virus by ICQ then it killed our exchange server. We had over 10,000 copies of the virus in the out queue before we could pull the server off the network. All this because one of the 2000 admins forgot to add *.scr back into the filter rules when he upgraded the anti-virus app last week.
Aint life GRAND!
(lost some karma with THAT subject.)
Is it so tough to punt all attachments that aren't .txt or .zip?
nimda aside (which got in here on developer's IIS boxes) Doing the above will prevent 99% of the stuff hitting outlook in an enterprise.
(And having a really good virus scanner on the exchange server helps, too)
159 KILO-bytes that is...
symantec : http://www.sarc.com/avcenter/venc/data/w32.goner.a@mm.html
The worm has been packed using a known Portable Executable (PE) packer. The size of the worm unpacked is approximately 159 KB.
Linux
Apache
Sendmail
This one was very obvious. However, the bottom line is, never open any unknown executables and stay away from clients that have security issues.
An interesting question arose out of all this... I have had more than a few emails from people here at work that I don't know. I have to wonder how my email address ends up in so many address books.
Unfortunately most people won't have the benefit of strangers sending this message.
Oh beautiful corporate america, may your mail servers be forever fruitful.
NEWS.COM has an interesting quote from David Perry of Trend Micro. He says, "Every time enough time goes by that people forget to be wary of these things, it pops up again. Apparently, we have to resign ourselves to the fact that education doesn't work."
How sad...but true. It's almost like that quote on the (I believe) CDW commercial, where the woman tells the IT manager something to the effect of, "I opened that virus just like you told us not to."
All it takes is a little diligence, and these things would be far less of a problem. Not even real diligence, just less stupidity on the part of users. I mean, a person would have to be living in a cave not to have heard about Melissa, I Love You, Code Red, SirCam, etc. When is it going to sink in that you shouldn't open unexpected e-mail attachments?
Oh, BTW, the original post stated that this thing is mostly non-destructive. I'm not so sure I'd agree with that assessment. If this thing is stripping out virus scanners and firewalls, it's opening up a machine for other types of attacks. I'd be a little concerned about that.
Has anybody else noticed:
1. These attachments usually get opened by the non-technical people in HR, or the supposedly technical people in remote offices, and the same people just keep opening them?
2. The actions of these few people limit the productivity of *everybody*.
I think companies should implement harsh policies against this. Open an attachment once, you get chastised by the IT department. Open another one and you get fined/fired. Natural selection... if they can't figure this stuff out, then they probably aren't smart enough for their job.
-FF
To explain to others why Windows-based firewalls like ZoneAlarm and BlackIce are inherently less secure than dedicated firewall devices and dedicated Linux firewall solutions...the fact that they run on Windows means they can be knocked dead by a virus.
And speaking of antivirus software...everyone at my company received a warning email about this virus today from the admin. I took the opportunity to reply back to his email with the following:
*****
On the topic of viruses, McAfee and Symantec's Norton AV may be leaving a "backdoor" open in its future product updates to accommodate the FBI's Magic Lantern virus for Outlook. I doubt the government really wants to spy on us, but think of this:
As soon as someone figures out how to mimic Magic Lantern's signature/fingerprint/code/etc., crackers everywhere will have an easy way into any computer protected by McAfee or Norton AV. Wave good-bye to confidentiality. This is rather alarming. Here's a link to an article from Wired:
http://www.wired.com/news/conflict/0,2100,48648,00.html
Here is a link to an article on the topic from the Forum on Risks to the Public in Computers and Related Systems
http://catless.ncl.ac.uk/Risks/21.77.html
This is just a junior analyst's opinion, but I would begin seeking virus protection alternatives.
*****
CEOs are funny. Usually so out of touch with the actual running of their business that they have time to play golf. My favorite CEO story is at a large mortgage company I was working for we had a change in the way we submit mortgage bid sheets and the change would allow us (the company, not me) to make an additional 150,000 in the first 3 days. However, since to make a change we had to get 30 VP signatures before implementing a change (the reason it took 3 days) we lost that money. Pathetic when companies get so big no one has the balls to make a decision. Such is corporate life.
According to the Symantec page it will install robot scripts if you have mIRC installed. Add that to the 'really-is-harmful' list.
We're getting hit every day by a virus, although our virus detection software picks it up, I can't help wondering why microsoft products have so many security flaws.
Wouldn't you think that they would pull their socks up by now? It's not enough to say that microsoft makes bad software because they're microsoft or some large conglomerate. There must be a reason why (besides saying use linux).
Finds those processes, kills them, and tries to clear those directories. I'd call that destructive.
The worm has been packed using a known Portable Executable (PE) packer. The size of the worm unpacked is approximately 159 KB.
That's KB, as in Kilo Bytes. Or KB, as in KayBee, the toystore you go to to amuse your childlike mind. God ya'll is some dumbasses. I admit though, had this bug compressed to 159, that truly would be remarkable. Sadly, that is not the case here at all, and the only remarkable fact is... well, you know.
corporate IT folks ought to be blocking .scr extensions by default, at either the email gateways or using any virus scanning products that scan email before the mail is delivered to the mail server. doing so would have ensured that your organization was not infected with this evil virus.
within the first 12 hours since being notified of this virus, our organization has seen almost 1000 reports of .scr attachments being stripped, and we're handling only around 2000 email boxes!
By this time in history, sysadmins of windows networks and email servers who have a majority of users running Outlook should already have setup their systems to be unaffected by this type of worm.
Things like this can simply be disabled at the root by disallowing suspect extensions, like .scr at the server level.
C'mon, why would you need to email screensavers around anyway... zip it and save some bandwidth.
True, many people need to send every other type of attachment, and it doesn't fix the basic problem M$ has with security in their products, but if the sysadmins don't do their job, it just helps guarantee the proliferation of these things.
that's my 2 cents; and I'd like a rebate.
This is the last straw. I have already talked to all of the relevant managers and we are slated to migrate all of our users e-mail action to Eudora starting in January.
We have always used Outlook/Outlook Express because it's "free" and requires a little less work setting up than Eudora (it's already installed for example).
But that convenience comes at a huge price, thanks to the freaks at Microsoft who decided that it was a good idea to create such promiscuous software.
"Hey guys, let's try to create an email client that runs untrusted code (Visual Basic of course) automatically! After that's done, we'll do the same thing with our word processing and spreadsheet software. And while we're at it, let's integrate it all really tightly with the OS -- for maximum destructive effect ^H^H^H^H^H^H usability. Excellent!"
The time for change has come. Just say NO to Outlook Express and Outlook!
"If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DOS) attacks."
I think I'll stop here.
Note that the most recent version of outlook says "This is a .scr, don't open this you moron." and prevents the user from opening it.
This virus has two real goals:
1 -- Propagate
2 -- Disable Anti Virus
This worm is a setup. So in a few days the 31337 h4x0rs will release the REAL virus that does the REAL damage to the people whose defenses have been compromised.
I love being a Win Sys Admin
Anyone need an OS X admin?
This: Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere.
Per the Symantec virus warning, it will also use IRC bots to commit DoS attacks.
I got one today and didn't get bit, I keep the Preview pane turned to OFF, Works well to keep those HTML email that register who is opening their mail so they can keep you on as an active victim. (err, client). Using simple precautions keeps away most virii.
Additionally You can look and see what attachments are in a message in outlook without reading the message.
In Outlook Right-Click and select view attachment. It will display something like "gone.scr"
BTW, The actual URL of Mcafee's site is http://www.mcafee.com/anti-virus/
Is it too much to expect the editors of Slashdot to even begin to do their jobs?
EOF
I'd still consider it non-destructive. It is only trying to keep itself alive, not destroy "unrelated" parts of your system.
Slashdot 's editors are dickheads
So what if the virus uses the outlook address book to spread? it wouldn't have the ~chance~ to if moronic users would stop fricken opening attachements they don't know anything about!
Great -- someone's finally figured out that they can create a Trojan horse that not only digs a back door into your system, but silently kills off the guards at the front as well.
Next thing we know they'll be rewriting Microsoft's system auto-updater to download even more viral code into your system. Won't that be nice?
This one is --deadly-- on the mail services. Unfortunately, only the virus defs. from TODAY (12/4, at least for Norton) can detect the bastard. On W2k you can kill the process, but on 9x you're screwed because it, of course, edits the registry and starts on bootup. It will actually keep the outlook.exe process running as well, pumping out the email, even if you exit the Outlook program.
Also deletes personal firewall software and anti-virus software. Full list here.
compared to the 'I Love You' virus. By now many people are wary of anything ending in .vbs that they are sent in their email. This virus ends in .scr. As we know, the dull masses have not been conditioned to fear a file ending in .scr. Plus they will never fear a screensaver. I mean, come on, how dangerous can a screensaver be? :rolleyes: I watched this virus devastate our network and talked to a few friends with the same problems.
Some of us really do need attachments. My clients and I frequently send spreadsheets back and forth for projects. Each of us makes additions and changes to the spreadsheets and sends it back. Therefore, it is not feasible to put a static document up on a web server.
There is a really easy step we take to make sure that our attachments don't fsck us...we email or phone one another to let the other know that a spreadsheet is coming along. We also use descriptive names for the files that relate to the task at hand, like "Company XYZ Projections."
Any attachment that arrives outside of this protocol is suspect.
Poster says: Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere.
According to Symantec: Deletes files: Attempts to delete several files, including NAV
Poster says: Two is its small size -- it has a packed form that is only 159 bytes.
According to Symantec: The size of the worm unpacked is approximately 159 KB and Size of attachment: 38,912 bytes.
So, when are we going to do some checking first? Deleting files is pretty damn harsh for a "non destructive" virus, and a "packed form that is approximately 159 bytes" is NOT the same as an unpacked form of "159 KB", packed to 38,912 bytes.
Got some great teen pic's or something! lol... gotta love porn. Now if my wife can just get a job I can afford 6 more websites a month instead of the 2 i've got now!~!
Hello all,
During my college days, I remember a friend telling me about somebody whose hobby was collecting computer viruses. They had them all on a separate disk, labeled and displayed.
I thought that would be something cool to do. Maybe burn each of them on a CD-R and make a cool plexiglass lighted display for them.
Now I'm wondering the best way to go about collecting viruses. Especially the classic ones like Michelangelo, as well as the latest infamous ones.
Anybody have ideas how to find them in a safe way? i.e. getting the source code, or a binary file which *won't* give me trouble when burning them on a cd? probably just raw text of the source would be fine...
Let me know!!
(bonus points if anybody can find resources on the man who had a similar collection)
See the attack came as predicted, just in a totally unexpected way. ;)
Okay, so Microsloth is too big to challenge, right? So, why don't UNIX/Linux sites sue the owners of Windows servers when IIE, IE, Outlook, etc. starts bombarding the UNIX boxes with crap. It's a DoS, right? And those Windows boobs are too stupid to manage their software correctly, right? Get those bastards to wise up or run a **real** OS! Maybe we can drive Microsoft out of the enterprise computing business by making the cost of running their software too high!
No comments from the peanut gallery.
On a local address book of 20k exchange users.
thank God it's so easy to turn on a filter in outlook. This is really something you just can't blame MS for any more. They fixed this problem more than a year ago (remember Iluvyou?) I hate moronic people. Why are they allowed computers?
We're running NT 4.0 and using Lotus Notes as our e-mail client. Despite regular and repeated admonishments we've had two users open these damn things. Well, this was predictable and that's one big reason we're using Notes instead of Outlook: at least we won't be spreading this crap.
:)
Funny, though: both computers were infected but only one had gotten around to adding itself to the registry, and neither one deleted McAfee. I wonder if these things are on a timer where they don't do their bad shit right away upon infection? Probably a bug...
We started getting copies of this about 2 hours ago and already our bandwidth is off the scale from normal ops. We don't run outlook and got lucky there, but it is nasty on our systems. It attempts to delete several files and most interestingly Norton AntiVirus itself. The one system I have attempted to clean reinfected as soon as I attempted to reinstall Norton.
Norton had updated their Virus Definition files for download, to catch this one you should be up to 12-4.
How do inexperienced people like you acquire such high karma? You can't spell, your grammar is flawed, and you have little sense of how things work in the real world. Not everyone has the infrastructure needed to implement your web server mechanism. This leaves you with ftp for transferring files, but ftp isn't available for everyone, either. So what they lose by outlawing attachments is an important file transfer mechanism.
If you reboot without cleaning the system then the virus stops the 3 major Antivirus packages. It then deletes the entire directory where the stopped file was found.
As one user put it here, these guys are pretty dumb, they need to learn to be more creative. When they come out with one that says free beer click here then I'll be scared.
The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)
I do worry for apps like this on Linux though, as email clients become able to execute attachments. But the benefit is that Linux doesn't assume things based on file suffix, but on their actual mime type. However, that still leaves a possible vulnerability to mime type spoofing, perhaps.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
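Several posters above argue for stripping .scr/.vbs attachments at the mail gateway rather than trusting users, and the post just above adds the caveat that judging by file suffix is not enough because the MIME type (and the name) can be spoofed. The following is an added example, not code from the original thread or from any vendor mentioned in it. It parses a message with Python's standard `email` library, flags attachments whose name carries a dangerous extension anywhere in it (so `photo.jpg.scr` and `Don't_Open_Attachments.eml.vbs` are both caught), and, independently of what the Content-Type claims, flags any part whose decoded bytes begin with the `MZ` PE header. The extension list, the `build_sample()` message (a "How are you ?" body with a fake `MZ` stub named gone.scr, plus the same stub disguised as image/jpeg) and all names are constructed for the example; the stub is not the worm.

```python
"""Gateway-side attachment filter for mass-mailers of the Goner type.

Added example (not from the original thread). Two independent checks:
  1. dangerous extension anywhere in the attachment name;
  2. PE executable header in the decoded payload, regardless of the
     declared Content-Type (defeats MIME-type / double-extension spoofing).
"""
import email
from email import policy
from email.message import EmailMessage

# Hypothetical policy list: extensions Windows executes on double-click.
DANGEROUS_EXTENSIONS = {".scr", ".vbs", ".vbe", ".exe", ".pif", ".com",
                        ".bat", ".cmd", ".js", ".wsf", ".lnk"}

PE_MAGIC = b"MZ"  # DOS/PE executable header


def risky_extensions(filename):
    """Return every dangerous extension found at any position after the
    first dot, so double extensions such as 'report.txt.scr' are caught."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if "." + p in DANGEROUS_EXTENSIONS]


def looks_like_pe(payload):
    """True if the bytes start with the PE/DOS 'MZ' header."""
    return payload[:2] == PE_MAGIC


def classify_attachment(part):
    """Return the list of reasons to strip this MIME part (empty means OK)."""
    reasons = []
    name = part.get_filename() or ""
    for ext in risky_extensions(name):
        reasons.append(f"extension {ext} in {name!r}")
    payload = part.get_payload(decode=True) or b""
    if looks_like_pe(payload):
        reasons.append(f"PE header despite Content-Type {part.get_content_type()}")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message; return [(filename, [reasons]), ...]
    for every attachment that should be stripped, in message order."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reasons = classify_attachment(part)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


def build_sample():
    """Constructed test message resembling the thread's description.
    The 'executable' is a fake MZ stub, not real malware."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Hi"
    msg.set_content("How are you ? When I saw this screen saver I "
                    "immediately thought about you...")
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    # 1. the obvious case: .scr attachment declared as octet-stream
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="gone.scr")
    # 2. spoofed: same PE bytes, benign name and image/jpeg Content-Type
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    # 3. benign text attachment that must pass
    msg.add_attachment("quarterly numbers", filename="Company XYZ Projections.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()):
        print(f"STRIP {name}: " + "; ".join(reasons))
```

Run against the constructed sample, the filter strips gone.scr for two reasons (extension and PE header) and holiday.jpg for the PE header alone, while the .txt passes. A real gateway would also scan inside .zip containers, since the posters' "allow only .txt or .zip" rule otherwise just moves the executable one layer down.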
I got several of these emails this morning, and obviously thought it was a virus, but my McAfee software didn't identify it as such. It passed, no problem.
So, thinking I needed an update, this afternoon, I downloaded the most recent version of their .dat file (dated 11/28). Still, the virus passed, with no problems.
I'm pretty disappointed with McAfee for this. An update should have been made immediately available as in, this morning. I imagine a lot of people were stung because the virus definitions weren't updated quickly enough.
Thankfully, I never use Outlook, so no damage was done.
I've disabled the preview pane, and automatic send and receive. I have also been using Mailwasher which sits between you and your email box. Its been a useful free Win32 tool in dealing with SPAM, and that is its primary benefit, but I have noticed that it acts as a nice quarantine for incoming mail before it gets to Outlook. I have had plenty of opportunities to squelch virii before they even get to Outlook. Of course it won't save you it you get infected, but it certainly helps reduce the chance of infection.
What's NTFS have to do with it? Or is that part of your sig?
On NT:
"gone.scr" is a task that's running. It's easily killed.
"pentagone" is shown as a running app. It's easily ended.
c:\winnt\system32\gone.scr is HSR, that doesn't stop you from deleting it.
Then make the registry changes and you're set.
Well, that's if you're not running outlook. If you are, then you need smack yourself around a while, do the above, uninstall outlook, then you're pretty much set.
Before I ran the virus, I ran Arkosoft's System Snapshot to see what the virus was doing. Did this at 10:30AM before I knew it was a virus so I could at least figure out how to undo the damage if it hit. Great little app.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
The virus writers target Windows for the simple reason that almost everyone is running Windows.
If almost everyone were to switch to Brand X then yes, that would stop Windows viruses, but only because all the virus writers would now be writing for Brand X.
It takes someone clicking on the .scr file to activate it, uh.. that's not a worm. if it looks like a trogan, smells like a trogan, acts like a trogan....
"Shut up brain or ill stab you with a Q-tip" Homer Simpson
micro29. search google for "micro29 source". ;-)
it's a pretty terrible virus... it infects the first file *.C* in the current directory by overwriting the first 29 bytes.
My server
Okay, before you mod me offtopic, someone was telling me their sys admins were telling the office staff that this worm pretty much destroyed your antivirus software and you'd have to reinstall it.
Now, wouldn't it be something if the antivirus software you had to reinstall came with all those FBI backdoors we've been hearing about?
Okay. NOW mod me offtopic.
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
The parent didn't mention that it deletes the entire directory and all subdirectories of that file as well. I wouldn't call that non-destructive.
the no
I was wondering when an e-mail worm was going to meet up with a software firewall killer. I hear 3Com is working on a firewall firmware image that runs on one of their network cards. Worms like this, while still being able to do some damage, might not be able to do as much...
Viruses, not virii, as is pointed out every time a story about a virus comes up on Slashdot ;-)
Chris
Hi I asked timothy about this and I thought I should pass it along.
I was wondering if this new virus would cause problems on my Linus beowulf cluster. He said he couldn't imagine why it would, since my beowulf cluster runs Lniux not Windows.
Phew.
Still, I think it's better to be safe than sorry so I'm going to reinstall all of the os's on all of my machines. Then I'm gonna reboot, just to be sure all of my RAM is cleared out.
he who laughs longest and hardest is he who uses pine.
those fools laugh at me for my archaic email client.. well, laugh it up lads.. i'm off to the pub while you try and teach your moronic users time and time again not to open attachments, and not to run them again and again when they haven't appeared to do anything..
lusers...
The reason girls and Windows users don't understand UNIX is because all the documentation is in Man files.
with the new Xinian Evolution Goner plugin. Of course, it is closed source and is not free
The war with islam is a war on the beast
The war on terror is a war for peace
First time I've ever had a virus faxed to me!!
Evidently, it tries anything listed as a form of data contact. It came to work from one of my vendors.
Why do you insist on using only one subject line when having your virus replicate itself? That's the easiest form of detection! If you'd use something less static, say, a random subject out of 50 preset ones, then your virus would spread a LOT more before anyone got wise.
In addition, it would similarly help to rename the attachment at every iteration too.
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
This isn't a security flaw (it was, about a year ago, but that flaw was patched). This is users who don't update their software. If linux was on all of these desktops, and a flaw showed up (they do) you can be sure that most users wouldn't ever fix this.
I know this because I have office XP, and Outlook won't even let me glance sideways at .js, .scr, .bat and other extensions of those types.
That's one nice thing about winXP. It defaults to the following update scheme "Hey stupid. I've done all the work, click this big flashy button and everything will be OK."
Microsoft makes some doozies, but there comes a point when there's nothing more a software vender can do to stem the idiocy of their users.
How would you (the slashdot community) suggest this could be stopped? Don't let script files do mass mailings? I happen to know that there are several beneficial applications of this. In fact, Outlook XP doesn't even let you do that... you have to confirm for every send, so they've basically taken that functionality away. How does linux solve this problem? Obviously it doesn't have attachments, but with GUIs and Ximian becoming more sophisticated, is it really that far off that you could run malicious code attached to an email?
My office just got it as well. Our Exchange servers have at least 2000 contacts and groups in the global e-mail list, so it seems to go through most of that list and e-mail everyone. We seem to have some sort of virus "catcher" running that removes most of the viruses, but those that get through send out thousands, so the e-mail groups are almost getting a few thousand e-mails each. Even with the virus removed, that's a lot of e-mails going around just within an hour or so.
Now that I think about it, it's spreading amazingly slow in my office (we have approx. 20 international offices). This is sort of a good load test of our servers. Seems my company's setup of Exchange servers sucks when hit with that many e-mails in a short period of time. But then again, I don't really know how another comparative e-mail server setup would fare.
Developers: We can use your help.
What boggles me is why they (the slashcode writers) don't have errors with their SQL syntax all the time if they do that consistently.
Just a thought... Yeah offtopic. There goes my karma...
Has anyone run any statistics on the frequency of these worms? Seems like it's a very regular basis.
Also, I suggest someone start a sourceforge project for a "email virus subject generator" to make it easier on these guys!
That's probably the only way these people will ever read the memo.
After reading articles like this every second week, I ask myself, when will people learn NOT to use any M$ toy "OS" beside using it for something like playing games, not attached to the internet of course.
Yes, NT got once C2 security, if it was in a locked room, all network devices ripped off and floppy/CD removed, guess why? It's a piece of crap....
Michael
Microsoft has had a patch available that disables .scr and many of the other extensions that these virii use. The thing is, the patch has been there, ready to download, since JUNE of 2000!!! Holy shit people, why don't you all have this already taken care of already?
My shop NEVER gets these things. When you IT geeks are bitching to your bosses about how much MS sucks and begging to be able to switch the whole shop over to *nix, do you tell him/her that there has been a patch available for well over a year that would have stopped this?
I bet you guys all leave that part out, don't you?
I have uses for both Windows and various *nix's, so I use them both. But I at least attempt to keep the windows environment in tip top shape.
How many of you "IT professionals" are sacrificing your shops systems by not applying obvious security updates, like the one I mentioned, just because you resent having to use Windows?
I just happened to bump into some upper management of one of my companies associates, he was complaining about his shop getting destroyed by this virus today. His ears really perked up when I told him about the MS security patch that had been around since June of 2000. I think he will be looking for a new "IT professional" to run his place of business soon. I hate to get a guy fired, but such is life.
The blame for this mess is on 1. Lazy/Ignorant IT people or 2. Linux loving geeks who want to use *nix at work, so they want to see MS fail, so they don't bother taking care of windows security.
I don't know which category the guy I probably got fired fell under. How about the rest of you guys who said your shops were hit? Which one are you?
At least on my current version of Outlook (XP), the mail reader won't let you open any exe, com, pif, hlp, vbs or scr sent with a file. It is even a pain in the butt since there's no possible way to open such an attachment even if you really want to (I have to remail it to myself and open with outlook express).
If "a lot of people were stung" it's because they deliberately chose to run executables that they unexpectedly received via email. After being told not to how many times?
Unlike being shackled with outlook as some of us are, no one has to use mirc. And no one should.
If anyone gets a hold of this bugger, I'd be curious in seeing what IP it targets for the DOS attacks.
-"Love thine enemies"...hehe...yeah right...
I am ashamed that anyone would intentionally use my Slashdot account name to bolster the popularity and reputation of their sick virus. I'm sure the hackers who created this monstrosity were well versed in such hacker tools as Bonzi Buddy and Lunix. If they think I would come out and support such a destructive screen saver they are very, very wrong. If God wanted toasters to fly, he would have given them wings.
So, you hackers, where ever you are, Goner (of Slashdot lore) does not approve!
#!/bin/sh
rm -rf
and say "Hey, run this!". Thing is, most Linux users are geekier than the average windows user, and will think twice before doing so! See, the problem here is not Outlook itself, but the incompetence of the people using it. Yay MS for disabling exes by default... just reminds me of all those Flash animations that make the e-mail rounds that could be virus laden.....
It has the update for this virus.
Mcafee virusupdate 4174 datfile in tar format.
Fatz.
http://www.freebsd.org
If not a setup then a window of opportunity. The virus writers are dying to try out all those virii that they've been saving for christmas.
An Education is the Font of All Liberty
how surprising! Another worm that infects the herds of sheeple that run ICQ and Outlook, two of the shittiest programs out there.
Glad I don't run either one.
> Do *you* want to try to fire the CEO?
Actually, that's quite easy. Leak the fact that the CEO did this, and that it cost a buttload of money to clean it up. The shareholders will take it from there.
Virg
And as many posters have pointed out, "destructive" is in the eye of the beholder.
Oh come on! In the eye of the beholder? IT FUCKING DELETES FILES.
Admit when you are wrong. It isn't too hard.
Feed the need: Digitaladdiction.net
Anyone know if Evolution will spread this virus? Since it's supposed to be compatible with Outlook? And if not, does that mean that the Ximian people will have to take the compatibility claim off of the website? ;)
GIR: I'm going to sing the Doom song now. Doom doom doom doom doom doom de-doom doom doom doom doom doom doom...
What I want to know is who uses scripting in Outlook, Word or any other MS Office applications. My suggestion to Microsoft is to take the damn thing out of their software and leave it in only where it would be extremely necessary, or at least make it optional in the install so no one will think of installing it unless they actually needed it.
I share an office with two other developers. One of the two is almost always silent. So I knew something was up when I hear: "Hmmm. Hmmmmm? Uh, guys." For him, this was a novel's worth of communication. I glanced over at his display, which showed an open Outlook *filled* with messages that read "Hi!" for the subject. (Very) shortly afterwards, company-wide email (an exchange server) was completely trashed.
More likely a 1337 script kiddie that wants to anonymously annoy someone without much effort. Putting together a vbs to email itself and delete certain programs when it's run is not hard at all, and similar things can be done on any platform.
Most GNU hippies would rather find a REAL security hole (manually downloading a file is not a hole, it's a stupid user) and use that to dirty MS's image. All a vbs would do is prove that Outlook users are morons and linux users can't cr/hack worth crap.
Is there a rule one could use with Sendmail to block/strip *.scr attachments? I have 0 experience with sendmail but have been told this is NOT possible.
If somebody could give me direction this would be great.
to all Anti-Virus companies for creat...er attempting to stop another virus. What a coincidence every month or so a new personal computer virus...
Me thinks there is a strong possibility that this latest worm/virus/trojan is an attempt to wipe out AV software to cripple their support for a backdoor servicing Magic Lantern. And yes...I am the real MrRabbit...whoever stole my handle and alias I've held since 1991 can rot in hell!!! =8-)
But a fundamental difference on Unix type systems is that files aren't inherently executable based simply on their extension, someone can't just save a file from their email and execute it, they need to know at least enough to "chmod u+x" the file which should at least make them think about it.
Of course, that doesn't mean it's impossible to make an email client or desktop environment that would launch an attachment with "/usr/bin/sh" but hopefully that is so blindingly stupid that no-one would do it.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
I put a Linux partition in each of the 2 most important computers in my office. One of them got the "goner" 10X, I guess you could say it had goner-rhea.
..
...
The anti-virus software got taken out, too. I found a posting giving the name of the files the virus writes
booted my trusty Corel Linux 1.1, did a file search of the Win 98 and Win 2000 file systems on the box, located all copies of the virus, and deleted the same. Then I went into the "wininit" file and remarked out all the bad lines with my text editor.
On reboot, the computer was clean. I deleted all the offending e-mail, including emptying the "deleted items" folder
reloaded Norton antivirus, got the latest updates and did a scan. It's been 30 minutes now, so far so good.
jon norstog
thursday@allidaho.com
When will corporate America wake up and tell Microsoft to go to hell?
When will the IT drones wake up and learn something other than right-clicking and double-clicking?
This is the classic case of the elephant in the living room that everyone sees but no one acknowledges it.
Techies preach to the choir about this and that but the rest of the country WORSHIPS Microsoft and their products. Do you understand?
The rest of the country WORSHIPS Bill Gates because they see the same tired mentality of HE HAS MONEY = HE MAKES BETTER PRODUCT. Do you understand?
Using Microsoft is embedded into the thick skulls of 99% of corporate America and 98% of IT drones.
This will not stop until people-in-the-know stop focusing on Linux vs BSD vs Mac.
Stop supporting Microsoft and their monopolistic practices.
Stop buying Windows to play games--buy a console.
Stop buying x86 hardware for once. Learn something new. True techies can and WANT to.
All Linux "users" that dual-boot. Yeah, right.
This is a joke. The revolution is NOT taking place and NEVER will.
We will continue to preach to ourselves until even we are sick of hearing about it.
No doubt this was constructed by a bearded GNU-loving linux zealot to show the weakness in closed software systems like ICQ and Outlook... I wish they would just let us (the computer users of the world) use our horribly insecure applications without fear of virii...
Nope more like a clean-shaven, square-jawed, business suit & tie wearing "software engineer" employed by a certain federal law enforcement agency testing deployment mechanisms for "Magic Lantern".
Ummm, an old POS box running windows98 and PWS (at worst case, granted) could do this. Have a passworded file share on it for heaven sakes, how hard now a days is a "web infrastructure" anyways? :P NT 4.0 comes with IIS and will run on P133 with low RAM.......
No I didnt spell check this post...
> if it looks like a trogan, smells like a trogan, acts like a trogan....
Then it's probably a trojan.
Virg
http://www.grisoft.com, in my opinion, about the best virus program out there.
1. It's free (with no ads or other annoyances)
2. It scans both incoming *and* outgoing e-mails for virii if you so choose. (It will even tag them as certified virus free by Grisoft if you want.)
3. Just because it's free (although they do sell commercial versions) doesn't mean you don't get updates or anything. They already have an updated database (out today) for Goner.
Anyway, just something for the Windows people who don't have one of the commercial virus apps already, I've loved AVG since I put it on.
Also, doesn't look like AVG was targeted for deletion by this virus, course that just means AVG isn't very well known, but nice to know for me anyway....
------
Where are the slash-groupies? I distinctly remember being promised slash-groupies!
I would also like to know how the worm was labeled as non-destructive if it, "will try to delete files of common anti-virus and firewall products. If the files are in use and cannot be deleted, the worm will create the file %SYSTEM%\Wininit.ini, which causes the files to be deleted when the computer restarts." Granted it doesn't try to fry your BIOS chip, but last time I checked anything that deleted files was destructive.
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
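The Wininit.ini mechanism quoted above, and the "remarked out all the bad lines" cleanup a few posts earlier, can be checked mechanically. The following is an added example, not code from any poster in this thread: it parses the [rename] section of a Win9x-style Wininit.ini, lists the NUL= entries (files Windows would delete at the next boot), flags the ones whose path mentions an anti-virus or firewall product, and comments the delete lines out with ';' so they are ignored at boot. The sample file contents, paths and the product-name watch-list are constructed for the example.

```python
# Added example: inspect a Win9x-style Wininit.ini for deferred deletes aimed at security tools.
SECURITY_TOOL_HINTS = ("antivirus", "firewall", "mcafee", "norton", "zonealarm")  # constructed watch-list

# Constructed sample (not a captured file). In [rename], "NUL=<path>" deletes <path> at the next
# boot and "<new>=<old>" renames; the [other] section is there to show that only [rename] counts.
SAMPLE_WININIT = (
    "[rename]\n"
    "NUL=C:\\PROGRA~1\\EXAMPLE-ANTIVIRUS\\SCANNER.EXE\n"
    "NUL=C:\\WINDOWS\\SYSTEM\\EXAMPLE-FIREWALL\\FWMON.EXE\n"
    "NUL=C:\\WINDOWS\\TEMP\\~SETUP01.TMP\n"
    "C:\\WINDOWS\\SYSTEM\\NEWLIB.DLL=C:\\WINDOWS\\TEMP\\NEWLIB.TMP\n"
    "[other]\n"
    "NUL=C:\\WINDOWS\\TEMP\\IGNORED.TXT\n"
)


def _is_section(line):
    return line.startswith("[") and line.endswith("]")


def parse_rename_section(text):
    """Return (target, source) pairs from [rename]; a target of NUL means 'delete source'."""
    entries, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or commented-out ("remarked out") line
            continue
        if _is_section(line):
            in_rename = line[1:-1].lower() == "rename"
        elif in_rename and "=" in line:
            target, source = line.split("=", 1)
            entries.append((target.strip(), source.strip()))
    return entries


def pending_deletes(text):
    """Paths that Windows would delete on the next boot."""
    return [src for tgt, src in parse_rename_section(text) if tgt.upper() == "NUL"]


def suspicious_deletes(text, hints=SECURITY_TOOL_HINTS):
    """Pending deletes whose path mentions an anti-virus or firewall product."""
    return [p for p in pending_deletes(text) if any(h in p.lower() for h in hints)]


def neutralise(text):
    """Comment out every NUL= line in [rename] with ';' so the deletes never run."""
    out, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if _is_section(line):
            in_rename = line[1:-1].lower() == "rename"
        elif in_rename and line.upper().startswith("NUL="):
            out.append(";" + raw)
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for path in suspicious_deletes(SAMPLE_WININIT):
        print("pending delete of security tool:", path)
```

On the NT family the same deferred deletes are recorded in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (that is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes), so the same watch-list check applies there; only the parsing of the [rename] text differs.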
I'm still surprised no one has made a really destructive worm that trashes someone's system. It shouldn't be too hard to modify one of these worms to do something like that. You'd think with all the worm/virus makers out there some of them would have different intents, unless all these worms are all being written by the same group of people.
Outdoor digital photography, mostly in New Engl
Would you prefer that MS made auto-forward impossible, because it could be used to forward a virus? Would you like them to make features more difficult to use? Would you like it to automatically switch off auto-forward if you don't read the mail for a month?
How would you improve on the way MS issues patches? What about Windows Update do you not like? What would you change, and why do you think it would help the average user? Does patching need to be made more difficult (like autoreply does)?
Let's not stir that bag of worms...
I know, I know, other email clients, etc.
However there is one thing I don't understand, why are flaws which convert your office network into a disaster area, somehow acceptable, whereas some esoteric calendar tool is so vitally necessary that people straight-faced claim that Linux isn't ready for the desktop?
It's not just Outlook either - every damn document format that MS produces is an attack waiting to happen. Apart from being susceptible to bit-rot and bloated.
The average user simply does not have the competence to operate a Windows system safely in an office environment. It's not enough to consider training costs when switching to Linux, you also need to consider TCO. That means your downtime, additional maintenance to repair user machines and lost or corrupted data, when using Windows systems.
I'm surprised it hasn't occurred to ISP's to make their SMTP server, then automatically stop sending when someone tries to send 120 copies of an email with an attachment. In addition to stopping attachment virii cold, it could stop the morons from thinking everyone they know should see that stupid dancing penis radio ad again. Seriously my ISP blocks port 80 in the name of security, but can block an outlook Virus bouncing around their network.
Maybe ISP's wouldn't need to cap our bandwidth if morons didn't run Outlook and open Vb attachments.
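The ISP-side brake suggested in the post above (stop relaying when one sender pushes out 120 copies of a message with an attachment) is a sliding-window rate limit. As an added example, not from the poster or from any ISP's software, here is that check run over a constructed outbound-relay log: it counts messages carrying an attachment per sender within a time window and records the moment a sender crosses the threshold. The log entries, addresses and thresholds are all constructed for the example.

```python
# Added example: per-sender burst detection for an outbound mail relay (constructed data).
from collections import defaultdict, deque

# Constructed relay log: (timestamp in seconds, sender, recipient, attachment filename or None).
# One infected desktop fires 150 copies of gone.scr in 150 seconds; a newsletter sends 40
# plain messages over 20 minutes; one person mails one document.
SAMPLE_LOG = (
    [(1000 + i, "worm-victim@example.test", f"contact{i}@example.test", "gone.scr") for i in range(150)]
    + [(1000 + 30 * i, "newsletter@example.test", f"subscriber{i}@example.test", None) for i in range(40)]
    + [(1100, "bob@example.test", "alice@example.test", "report.doc")]
)


def burst_offenders(log, limit=120, window=600, attachments_only=True):
    """Senders that relayed more than `limit` messages within any `window` seconds.

    Returns {sender: timestamp at which the threshold was first exceeded}. With
    attachments_only=True only messages carrying an attachment count, which is
    the case the post above is after (a legitimate mass mailing without an
    attachment is left alone).
    """
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    offenders = {}
    for ts, sender, _rcpt, attachment in sorted(log, key=lambda e: e[0]):
        if attachments_only and attachment is None:
            continue
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit and sender not in offenders:
            offenders[sender] = ts
    return offenders


if __name__ == "__main__":
    for sender, when in burst_offenders(SAMPLE_LOG).items():
        print(f"{sender} exceeded the attachment rate limit at t={when}s")
```

A relay applying this would stop accepting from the offending sender at the recorded timestamp and raise an alert; legitimate bulk senders can be exempted by address or given a higher limit rather than by turning the check off.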
The silhouette of Darth Vader in the icon is a nice touch, to my way of thinking.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
The problem? The steps outlined how to check the subject line for the word "hi" and permanently delete it and the message flag.
I tested this out, and Outlook isn't case sensitive, nor does it recognize if the target word is embedded. So any email with the word 'hi' anywhere in the subject would get deleted. (e.g. this, Chicago, chickenpoop, etc) It was also suggested that the exception be if your name was in the To or CC, but we use so many distribution lists, that wouldn't matter too much.
*sigh*
My beliefs do not require that you agree with them.
What I don't get is ... why doesn't everyone just add a forwarding SMTP server between the internet and their exchange server and set it up to deny .vbs,.scr ;... style attachments.
We use exchange at work too, and I just set up a linux box running postfix in front of it. With a simple oneline regular expression, every dangerous attachment gets blocked. (hint: use the body_checks parameter) We haven't been hit by a single worm or virus since then.
Finally, a virus that cares! I am happy to report that we were hit nice and hard after sending warnings to our users concerning this specific virus. It was a nice email too, it even pointed out the appropriate sections of our appropriate usage policy and everything. So 5 of our superusers opened the attachment anyway and away it went. I hate Exchange so I will not admin the box at all and the virus defs were not updated today anyway. It happily slung the virus far and wide like a good Exchange server should I am happy to report. While I would love to take credit for this thing of beauty, I can only say that we did our part. Due to our brilliance we knew from the outset that we should run Exchange and Outbreak 2000. For those or you wondering just how good it is, I am sure that MS still offers eval copies of Exchange and Outbreak. Get in the game foo!
I'm saved from all this, I never even installed Outlook or its evil cousin Express. Nothing like unchecking the box in the installer... The cure to human engineering based virii is a good spanking to those who open the attachments...
"Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
This consumed half my day, and half the day of my 20 co-workers. People lost the ability to work because their job relied on Outlook working properly. People are going to have to work long into the night to replace the time lost earlier today because of this 159 kb of malice. This, my friends, cost people time and money.
Non destructive my ass....I've got to agree with Ashcroft...this sort of crap is a crime and you ought to be locked up when you get caught. Time for these lusers to develop a sense of being a responsible world citizen and stop pulling this childish, malicious crap that benefits NO ONE!!!
I know it's supposed to be all that and a bag of something or other, but really. This isn't an anti ms thing, but anyone still running their software deserves everything they're getting.
Really, how fucking dense are you if you're opening this thing up?
No matter how much effort the virus authors expend to dissuade them, people are still acting like total morons.
Your engine's been smoking for two years and bursts into flames every few months. What's that, it's singed your eyebrows? Cry me a river.
there's more than one way to do me.
Procmail
Mail.app on OS X
there's more than one way to do me.
While watching my local news, i heard the following quote: "The goner virus can also strike through ICQ programs like MSN Messenger." I'm beginning to dread any newscasts on tech related issues.
My other sig is funny!
What's NTFS, but a second-class file system?
What's NTFS got to do with it.. got to do with it?
Who needs MS when MS can be broken?
(With apologies to Tina Turner.)
Pretend you're a small business and the only service you've signed up for from your ISP is email. Your server calls up the ISP, gets mail, and distributes it to the local users. This is a very common scenario; it's what the software company I used to work for had, it's what the company my mom works for has, and it's what many of the users of the product I currently work on have. It's not much, but it's all they need, and they can't justify the expense of anything more elaborate.
Here where I work there are unbelievably stupid people. They write a short email message. But they write it in a Word document that they attach to an empty email message.
"Always remember you're unique, just like everyone else." I wish I knew who said it.
Personally, now I think that it should be the system administrators of company networks that continue to use Outlook as well as the ISP's that continue to recommend OE to their customers to blame. These are not email viruses as they only affect poorly designed software and not the vast majority of decent email software out there. I don't run ICQ but that client has always struck me as a shoddy IM client, better to use something like Trillian instead. I like Jabber but it's having problems communicating with ICQ and AIM the last time I tried it.
Thank god the people that write this kind of code are completely incapable of writing evil IDE command sequences that can fry hard drive firmware.
Imagine the destruction you could cause if after every infection and replication to everyone in your address book, it wrecked your hard drive and required it to be sent back to the manufacturer for repair?
Hmm, interesting sales pitch you could offer to Maxtor, Seagate, etc if you want to make a quick buck at the expense of the global economy. (unless the 90-day warranty covers "act of hacker").
Probably they'll going to block the word "advice" too, since it's worth golden coins these days :x)
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Linux Sux0rs *BSD r0x0rs
What's this I hear about you having troubles with your TPS report?
"run" key in registry, and startup group(s). A smart virus writer would exploit these.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
I was looking at the post thinking "159 bytes? how come nothing I've ever done has compiled that small?"
Screw you all! I'm off to the pub
Are you using Outlook? They may be using Word as their editor (one of the basic options in Tools->Properties). For them, they don't even know they're using Word, it's all seamless.
Well, except for the email worms.
Not too long ago, for almost a month, you couldn't turn on the TV without seeing a car chase live on the news. Eventually, they started hauling out the "experts" who were wondering if maybe people were running from cops because 1) they wanted to be on the news and 2) other people did it on live TV.
I'm beginning to think that maybe people are writing these MS worms for that reason, rather than the traditional exploit-a-hole or look-how-clever-I-am reasons...
I tested this out, and Outlook isn't case sensitive, nor does it recognize if the target word is embedded.
That's odd. What then, is the purpose of the "with specific words in the subject line" box in the list of rule conditions?
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
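Three posts in this thread point the same way: the sendmail question about stripping *.scr attachments, the postfix body_checks one-liner in front of Exchange, and the Outlook rule that keyed on "hi" in the subject and deleted every message about Chicago. The following is an added example, not any poster's configuration: a small Python filter on the standard library's email module that (a) shows why a substring subject rule misfires and what a whole-word match does instead, and (b) quarantines on the attachment's extension, which is the check the postfix and sendmail posts are after. The sample messages, addresses and dummy attachment bytes are constructed for the example; the block list is the set of extensions named in the thread.

```python
# Added example: subject-rule pitfall versus attachment-extension quarantine (constructed messages).
import os
import re
from email import message_from_string
from email.message import EmailMessage

# Extensions the thread names as dangerous to receive by mail.
BLOCKED_EXTENSIONS = {".scr", ".vbs", ".exe", ".pif", ".bat", ".js", ".com"}


def build_sample(subject, attachment_name=None):
    """Construct a sample message (not a captured worm e-mail) for exercising the filters."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = subject
    msg.set_content("How are you? When I saw this screen saver I immediately thought about you.")
    if attachment_name is not None:
        # Dummy bytes standing in for an executable; only the filename matters to the filter.
        msg.add_attachment(b"\x00\x01\x02\x03", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


def naive_subject_filter(raw, word="hi"):
    """Case-insensitive substring test on the Subject: the behaviour reported for the Outlook rule."""
    subject = message_from_string(raw)["Subject"] or ""
    return word.lower() in subject.lower()


def word_subject_filter(raw, word="hi"):
    """Whole-word match on the Subject: 'Hi' and 'Hi!' still match, 'Chicago' no longer does."""
    subject = message_from_string(raw)["Subject"] or ""
    return re.search(r"\b" + re.escape(word) + r"\b", subject, re.IGNORECASE) is not None


def blocked_attachments(raw):
    """Filenames of MIME parts whose last extension is on the block list (case-insensitive)."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def should_quarantine(raw):
    """Decide on the attachment, not the subject: a subject is trivially varied, the payload is not."""
    return bool(blocked_attachments(raw))


if __name__ == "__main__":
    for subj, att in [("Hi", "gone.scr"), ("Chicago meeting", None), ("Hi", "budget.xls")]:
        raw = build_sample(subj, att)
        print(f"{subj!r:20} naive={naive_subject_filter(raw)!s:5} "
              f"word={word_subject_filter(raw)!s:5} quarantine={should_quarantine(raw)}")
```

The attachment check keys on the last extension so that "notes.txt.scr" is caught as well; a mail gateway that unpacks archives would apply the same test to each member of a .zip, which is the compromise one reply further down proposes (ship executables zipped so they cannot auto-run but can still be scanned).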
You'd use MoveFileEx to get rid of the file, like so--
#include <windows.h>
int main(void) {
    char  szSysDir[MAX_PATH];                           // buffer for system directory
    UINT  uSize = sizeof(szSysDir);                     // size of directory buffer
    char  szSrc[] = "%SystemRoot%\\System32\\Gone.scr"; // string with environment variables
    char  szDst[MAX_PATH];                              // string with expanded strings
    DWORD nSize = sizeof(szDst);                        // maximum characters in expanded string
    GetSystemDirectory(szSysDir, uSize);                // fills szSysDir, e.g. C:\WINNT\System32
    ExpandEnvironmentStrings(szSrc, szDst, nSize);      // fills szDst with the expanded path
    MoveFileEx("C:\\WINNT\\System32\\Gone.scr", NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
    return 0;
}
The combination of MOVEFILE_DELAY_UNTIL_REBOOT and a NULL lpNewFileName creates a special condition where Windows deletes the file at startup. This is commonly used by installers, for example, when a file is in use and DeleteFile fails. For anyone going through the trouble of putting this into an executable, you might want to grab the Windows system directory from Windows itself.. this can be done using GetSystemDirectory (prototyped as--
UINT GetSystemDirectory(
LPTSTR lpBuffer,
UINT uSize
);
) or you could be clever and use ExpandEnvironmentStrings, prototyped as--
DWORD ExpandEnvironmentStrings(
LPCTSTR lpSrc,
LPTSTR lpDst,
DWORD nSize
);
Shrug. =) Just thought this might help, for those unable to figure out how to delete a file in NTFS (but that do have a C/C++ or other compatible compiler).
All I know about Bush is I had a good job when Clinton was president.
You can setup safe testing accounts on Win2k, WinNT and WinXP. Win9x was never meant to be totally secure. So go read Windows for dummies and get a good start on your training. Educate yourself.
(I'm using the word "sue" here since most merkins seems to use it as a synonym for "blame").
Most Microsoft software is manager-ware, meaning it is expensive, it looks nice, it is user friendly, and Bob Mustermann can learn how to use its basic features from an out-of-town one week course. This in turn usually means that large corporations depend upon it.
Just a thought: Has somebody heard of anyone that has tried to sue Microsoft for loss of profit (or whatever) due to faulty products? Does Microsoft have some kind of protection from this?
Other software, licensed under free licenses, always has NO WARRANTY. This means [I believe] that you ought to think before depending on it, because if it breaks, or makes something else break, you can't blame the author or ask for compensation.
Hmmm... If we don't sue Microsoft for providing us with a faulty product, who should we sue? Is it the fault of the manager that advised us to install the crap, or is it the fault of the script kiddie that wrote the virus?
I would argue that it's not the fault of the script kiddie that wrote the virus. He (presumably a he, anyway) can't be blamed for the errors of Microsoft. Don't give me the knocking on doors parallel, because it's not the same thing. Well, partly. If Microsoft built the house. But then, why won't they fix that bloody door?
I would also argue that it's not the fault of the manager. She (this is a large corporation, they try to be PC as part of their PR) probably got a nice PowerPoint presentation and a lunch from a Microsoft sales person. Maybe even a dinner and some wine-and-cheese.
I don't know... I'm just feeling a bit random at the moment.
It's 11pm, do you know what your deamons are up to?
Buy the X-BOX it rulez and doesn't have Outlook preinstalled! You go dude. Down with Microsoft! Down with capitalism! Up with Linux! Up with Socialism!
I love being a Win Sys Admin
Yep, there's nothing as good as products intentionally manufactured to be defective so they'll need support. The people who work on the defective systems look at all the layoffs happening, then look at the shitty products again, and then realize that recommending Microsoft products is a good move. Sure, it harms the company and the country, but it's better to be captain of a sinking ship than to be thrown overboard from a watertight one. The ship owners never catch on (people are stupid) so there's a bright future in this.
Anyone need a an OSX admin?
'fraid not. Why would they?
At the behest of everyone who cares, please stop trolling. You have posted over 10 comments today and none say anything more important than "pirch sucks". If you don't have anything important to say...
> people should not be able to receive attachments IMHO what do they lose by outlawing attachments from outside the organisation ? nothing
How about a small change to your proposal - people can't receive executable attachments? Data files like spreadsheets are fine - you don't execute data. If folks want to exchange scripts or .exes, make them zip them first and mail the zip archive. Archive gets auto-virus-scanned, can't auto-execute, only takes one extra step to get the original file back, everyone's happy.
Mutt sends the message body as an attachment (which is what the standard specifies). Should you outlaw all valid email!?
My other car is first.
The reason that Microsoft should not be held responsible anymore, is that everyone who gets bitten by Microsoft products, knows they're using Microsoft products. When a Pinto driver in 1973 or a Windows user in 1992 suffers due to the defects of the product, Ford and Microsoft are responsible. If your Windows fouls up in 2001, or your Pinto explodes in 2001 when hit from behind, it's your fault, because you knew it was going to happen but you used the product anyway.
If someone loads a gun, points it at their head, pulls the trigger, and then sues the gun manufacturer because they didn't know what was going to happen, they deserve to be laughed at in the same way that this virus' victims deserve to be laughed at. There is no difference.
Moderators! Mod this down. Blatant karma whoring.
9ish this morning, a voice from the next office...
"hey [my name here]"
"yeah?"
"i got this weird attachment in my hotmail account. you think it's a virus?"
"maybe. do you know who it's from?"
"yeah"
"what's the file name?"
"gone dot ess see are."
".scr? a screensaver?"
"yeah. and the message is all weird. the grammar and spelling are really bad."
"screensavers are just executables anyway... and the grammar's bad? yeah. that's a worm"
"okay. i deleted it"
"i am so proud of you!"
finally, i'm getting through to the people in my office. they know almost as well as i do how to spot a new worm on the prowl. shortly after she got rid of the first instance in her hotmail account, my mailbox started sprouting them like.. um.. mushrooms on cow pies. yeah.
melissa and all her bitches, and now sircam and the like have taught joe user his lesson (over and over, the lesson), so the more this kind of stuff happens, the better prepared we are.
- Entertaining Bits from the Ancient Kernel Tree
How are you? When I saw this internet link, I immediately thought about you I am in a harry (sic), I promise you will love it!
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
"I opened that virus just like you told us not to."
It seems to me that this points up the ongoing problem with the way virus scanners work. By their very nature the scanners are always behind the script kiddies. What we need is a proactive approach to blocking destructive and/or unauthorized code from running on your machine. Even the GNU/Linux method of not allowing such code to run as root does not perfectly protect the user. I have nothing better to offer; is anyone working on such a thing?
is Jeff Bridges when you need him?
That was classic intercourse!
How do inexperienced people like you acquire such high karma? You can't spell, your grammar is flawed, and you have little sense of how things work in the real world.
You must be new here.
For more information, click here.
Has anybody heard of anyone who has tried to sue Microsoft for loss of profit (or whatever) due to faulty products? Does Microsoft have some kind of protection from this?
The EULA distributed with Office 2000 specifically disclaims liability for "loss of profit":
Under the USA's Uniform Commercial Code, there is by default an implied warranty that any product sold is "merchantable", meaning fit for the customary use that the product is put to. Unless the terms of sale change that implied warranty, a buyer could sue over dysfunctional software.
Software licenses generally disclaim those implied warranties, an innovation that began with VisiCalc's "as is" license. If you read the fine print of Microsoft EULAs, you will find a capitalized sentence like "TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, WITH REGARD TO THE SOFTWARE PRODUCT, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES."
Whether the EULA has any legal weight is questionable. Software licenses are rarely presented at the time of sale. Installation programs try to impose them after the fact by demanding your agreement before installing the program on your computer.
Like many click-wrap agreements, Microsoft's EULAs are very one-sided, offering you nothing in return for restricting you from installing the software on more than one computer, from making more than one backup copy, from lending the software to anyone else, from reverse-engineering the software, and sometimes even from reselling the software or from criticizing the product. Such "agreements" may not constitute valid contracts, and even if they were, may be invalid as "contracts of adhesion".
So, Microsoft and other software corporations lobby for UCITA (Uniform Computer Information Transactions Act) laws giving software the special ability to impose terms and restrictions after purchase. UCITA has already passed in Maryland and Virginia and has been introduced in the legislatures of many other states.
Of course the Exchange admins will cry that they can't support POP3/SMTP because they need their neato calendar and scheduling functions of groupware
:P
They could always switch to notes
How destructive can it be if it's removing virus protection software that failed to detect and prevent it in the first place?
Done. That's how the entire IT section operates at this site: they use ssh (PuTTY) to a Linux box and Pine to read their mail there. Being the black sheep of the family, I use KMail.
Got time? Spend some of it coding or testing
So, "hi", we're in a "harry" here, and MS Outlook has been turned into a really lame screensaver as the mail servers either crash under load or get shut down or put into heavy-duty filter mode. The payload is about 45KB of compressed data, expanding to the now-well-known 159KB, so multiply that by the 2000+ messages I succeeded in receiving today and you get about 90MB. The folks on dialup fortunately can't transmit that fast :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
From my limited review of the source code, Jabber is not inherently worm-proof, it's just not popular enough to attract much attention from worm authors.
Any security advantages that Jabber does have are unrelated to the open source code, but rather are almost entirely due to the communications protocol itself, which makes extensive use of XML and generally does not permit direct client-to-client communications.
I'm not so sure that Goner spreading via ICQ has anything to do with the 'shoddy' nature of the client software; there has been other similar malware that used AIM or Messenger to spread its payload.
I do not deploy Linux. Ever.
Everytime I read a story like this, which seems to be once a week, I glibly smile and am glad I run linux.
We use Lotus as well. Still had a few people open it. One of those bright individuals uses Outlook Express on the same machine to check his home email.
The virus hopped straight to it and went to work.
Then he has the balls to send me an email asking if this was a terrorist attack.
Yeah Sparky, The WTC, the Pentagon, and your effin' Outlook address book. That's the main targets, alright.
argent
This will reduce the problem but not fix it.
Migrate your clients to Linux on PPC (iMacs are nice for this, StarOffice on LinuxPPC is just about happy enough to use) and never fear an attachment again. Plan ahead to include some Alpha and MIPS boxes as well (you can do that on the server end now), so when some meathead eventually produces the first serious LinuxPPC virus it doesn't get everyone in your office.
Got time? Spend some of it coding or testing
Anyone? Bueller?
;-)
I'm looking for another entry in my "Stupid Windows Viruses" collection.
Someday I hope to have the entire set.
Or better, make it look like a reply to an actual message somebody sent you.
What a stupid comment... Why not, "maybe we can have people stop using computers." Or, maybe we can get people to buy firetrucks in case their house burns down.
Outlook is a given; however, I was jumping up and down and screaming about people at my work using ICQ (i.e. DAEMON!!!) for instant messaging, and spent about 2 1/2 hours dealing with customer data files that were being ravaged by this. I repeat what others have been saying: this one is not non-destructive!!! Boycott ICQ as well as Outlook!!! Sincerely, lordDarcy
You'd get 'em.
Your post was the most useful I've seen on Slashdot in quite a while.
Now my boss can't tell me not to read Slashdot at work anymore.
Thanks -
Jim in Tokyo
-- My Weblog.
This virus reminds me of AIDS.
To get it you have to do something stupid.
And once your computer is infected ,
it removes your protection from other viruses.
Please talk to me
Back when one of the other lovely vbs viruses was going around (not ILOVEYOU, but a later one...There have been so many I've lost track) our sysadmin ran around our office saying to not open the attachment if they got it. This was because one of my coworkers opened it. He told her not to open it.
Well, it got sent back to her, and what did she do...OPEN IT AGAIN.
So he got out of his office, and went to her, and asked her if she opened it again.
"Oh, I wasn't supposed to?"
So he goes back to his office, and what does she do? SHE OPENS IT AGAIN. "I wanted to see the picture!"
The sysadmin ran out of his office, YANKED the network cable out of her machine and said "GO TO LUNCH. NOW."
She didn't return for the rest of the day, and the incident allowed our sysadmin to receive the funding necessary to install virus scanners on all of our servers and workstations. Goner only hit one person, and she was smart enough to not open it.
Simple, don't have any friends. It works for me. Every time I open Outlook I never get any viruses... no friends, no contacts....
woohooo
This story prompted me to look in my access logs to see if nimda was still active. I found a lot of stuff like this instead:
212.90.205.174 - - [03/Dec/2001:14:29:10 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
What is all that about?
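The request in the log line above is the IIS directory-traversal probe used by the Nimda/Code Red family: "%252f" is a double-encoded slash, so a server that decodes the path twice ends up at winnt/system32/cmd.exe. The following is an added example, not code from the thread, that finds such probes in an Apache access log by decoding the path the way the probe expects. The first sample line is the one quoted in the post; the other two lines, the regular expression and the function names are constructed here.

```python
"""Find IIS directory-traversal probes (the Nimda/Code Red family) in an Apache log.

Added example, not code from the thread. Decoding the request path repeatedly
turns "%252f" into "%2f" and then into "/", which is what the probe counts on
the target server doing.
"""
import re
from urllib.parse import unquote

# Apache "combined"/"common" log prefix: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: line 1 is the probe quoted in the post, line 2 a normal
# request, line 3 the "%255c" (double-encoded backslash) variant of the probe.
SAMPLE_LOG = """\
212.90.205.174 - - [03/Dec/2001:14:29:10 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
10.0.0.7 - - [03/Dec/2001:14:30:01 +0200] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [03/Dec/2001:14:31:45 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
"""

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def normalize_path(path, rounds=3):
    """Drop the query string, percent-decode until stable, fold backslashes, lowercase."""
    p = path.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("\\", "/").lower()

def is_traversal_probe(path):
    """True when the decoded path climbs out of its directory or names cmd.exe."""
    norm = normalize_path(path)
    return "/../" in norm or "cmd.exe" in norm

def scan_log(text):
    """Return one record per matching line: source IP, HTTP status, decoded path."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal_probe(rec["path"]):
            hits.append({"ip": rec["ip"], "status": int(rec["status"]),
                         "decoded": normalize_path(rec["path"])})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], h["decoded"])
```

The 404 in the quoted line means Apache simply had no such path; the probe is harmless to it, but each source address is a host that is itself infected and scanning, which is worth a firewall entry or a note to its network's abuse contact.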
Howabout the countless claims made every year by (puts on asbestos suit) women who wear high heels and then slip on icy surfaces? Up here in Canada, I'm sorry, but you have to be a complete moron to try spike heels outdoors in January. The claimant usually wins these, by the way.
But just to keep this on topic, am I the only one who thinks that news organizations should be required by law to insert one simple sentence into their stories: "DO NOT OPEN EMAIL ATTACHMENTS". Oh wait, then they wouldn't have a story for next time this happened.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
They just closed down internet mail where I work now because of the virus. Ironically, the next message (after the announcement) I got came from an internal user, and had the virus in attachment.
(And if you think having no email is bad, just try to work on a web-based application when all the routers block traffic to port 80, and your test server is behind a firewall.)
WWTTD?
Malicious attachments are not news worthy of slashdot.
This is an old old dead story repeated in various incarnations across many platforms.
Please get a grip on what's news and what is simply the same old stupidity tax.
- Numen
For those of you that have Adelphia's Powerlink service, watch out for this worm, it's all over our servers. I've been spending my last two days at work (at Adelphia) cleaning out thousands of messages with this thing in them. Just an FYI.
If you rename foo.exe foo._xe before you mail the file, Outlook doesn't have a problem with it.
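The comments above propose a gateway policy (drop executable attachments, let people zip them and scan the archive) and note that renaming foo.exe to foo._xe gets it past Outlook. The following is an added example, not code from the thread, of a filter that checks all three points: extension, file header (so a renamed executable is still caught) and the contents of zip archives. The message, the attachment bytes and the extension list are constructed here; the "executables" are a bare MZ header, not real malware.

```python
"""Gateway-side attachment policy for an e-mail worm.

Added example, not code from the thread. Blocks attachments that are executable
by extension (.scr is a screensaver, i.e. an executable), looks at the file header
so a renamed executable such as foo._xe is still caught, and inspects zip archives
instead of trusting the .zip name.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list; extend to taste.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "wsf", "hta"}
MAX_MEMBER_BYTES = 1 << 20   # refuse to inflate anything bigger (zip-bomb guard)

def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def block_reason(name, data):
    """Reason to block a single file, or None if it looks like plain data."""
    ext = extension(name)
    if ext in EXEC_EXTENSIONS:
        return f"executable extension .{ext}"
    if data[:2] == b"MZ":          # DOS/PE header regardless of what it is called
        return "MZ executable header despite name"
    return None

def inspect_zip(data):
    """Block reasons for archive members; an empty list means the archive is clean."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    reasons.append(f"{info.filename}: too large to inspect")
                    continue
                reason = block_reason(info.filename, zf.read(info))
                if reason:
                    reasons.append(f"{info.filename}: {reason}")
    except zipfile.BadZipFile:
        reasons.append("not a valid zip archive")
    return reasons

def classify_message(raw):
    """Return [(filename, reason_or_None)] for every attachment in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        if extension(name) == "zip":
            reasons = inspect_zip(data)
            results.append((name, "; ".join(reasons) if reasons else None))
        else:
            results.append((name, block_reason(name, data)))
    return results

def build_sample():
    """Constructed message: a .scr, a renamed executable, a spreadsheet and a zip."""
    fake_exe = b"MZ" + b"\x00" * 62                 # constructed header, no code
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("tool.exe", fake_exe)
        zf.writestr("readme.txt", b"just text")
    msg = EmailMessage()
    msg["Subject"] = "Hi"
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg.set_content("constructed lure text")
    for fname, data in [("gone.scr", fake_exe), ("foo._xe", fake_exe),
                        ("report.xls", b"\xd0\xcf\x11\xe0" + b"\x00" * 28),
                        ("archive.zip", archive.getvalue())]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in classify_message(build_sample()):
        print(f"{name:12s} {'BLOCK: ' + reason if reason else 'allow'}")
```

The header check is what makes the _xe trick useless: the mail gateway does not care what Outlook will call the file, only what the bytes are. The zip branch is where an antivirus scan would normally be hooked in; the size cap is there because inflating an untrusted archive without one is its own denial of service.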
No, it's not non-destructive. It got a high risk rating from Trend Micro, and that is most unusual (the only one in the last ten or so advisories). Read the tech breakdown on the thing here.
-- Despair is an operating system that ANY human being can run, sort of a psychological JAVA --
For Outlook 98: http://office.microsoft.com/downloads/9798/Out98sec.aspx
If you have Outlook 2000, this is "extension of the original Outlook 2000 SR-1 Update: E-mail Security." (Available since Aug 16, 2001)
http://office.microsoft.com/downloads/2002/Out2ksec.aspx
Same for Outlook 2002:
http://office.microsoft.com/downloads/2002/OLK1003.aspx
It's wonderful if you have one machine just to patch cumulatively; it's another thing when you have tens, hundreds, or even thousands of machines to support, keeping all those up to the same level of protection (and that's not including machines built from the ground up).
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
People do that where I work as well. Subject line, blank email body, and Word attachment. They like the pretty clipart......
F-Secure's research manager, Mikko Hyppönen, advises people to "update virus scanners and change to Linux, if possible".
Quote taken and translated from a Finnish newspaper's article.
- blwrd
Maybe they pass it thru sed s/were/where/ first?
Dump it now for goodness sake.
Get yourself something that does not allow you to happily double click attachments to run them.
IANAL but write like a drunk one.
Your
#!/bin/sh
rm -rf /*
would do nothing to most people running Linux who know why there is a root account and normal user accounts.
Had you said something like:
rm -rf ~/*
then that would be more credible.
That user would be punished badly, but anybody with some UNIX dabbling is more aware of security and less likely to blindly run whatever is put down from the Internet.
We are glad that after more than 6 years in the Internet arena MS is realizing how crappy it is to allow things like this to happen.
Better late than never, I guess.
Your argument is thoughtless, by the way. Things considered harmful will come with obvious ways of securing them and all kinds of warnings. I don't see any of those in MS products, and that is not the fault of inexperienced users (who believe all the hype about how easy computing is using MS stuff).
You can't have it both ways: if you as a company pretend that computing is easy with your products, inexperienced users should not be able to shoot themselves in the foot.
IANAL but write like a drunk one.
End users have tools that are not suited for secure computing. Don't blame them if they get burned again and again.
The people to blame are firstly system administrators who, if they were worth their salary, would get rid of Exchange, Outlook and all the rest. Failing that, they would put in a draconian filter to drop all attachments (Have you got a file to send me? Mail it on a diskette/Zip disk/CD-R so I can scan it prior to allowing it onto the network. This is the stupid but responsible sysadmin alternative).
Second to blame is MS: if they say Windows (and by extension computing) is easy, well, then one would expect that untrained people will not bring down corporate networks? *Right*?
IANAL but write like a drunk one.
Y'know, maybe we shouldn't be calling these trojans attachments, but maybe "attackments"
:-)
Just a thought
I don't know which is sadder,
The fact that the only e-mail virus I get on my parents' computer is from "hahaha@sexyfun.net" (doesn't exist) who sends me "naked dwarfs having sex with sleeping beauty" if I open the attachment.
Or the fact that I am not on enough people's address book to get a virus from somebody.
Hmmm, I have 5 mod pts, its time to metamod, and on top of that I have to meta-metamod? When do I get to read slashdot?
Oh another e-mail virus, well it does not affect the 20 Macs in our office or the 50 Macs in our offices around the state, just delete it, ho hum, back to reading "Dune".
--Another day in IT.
When I write my Über Virus, it'll look something like this:
Then, of course, the "HOTFIX" pops up a notice saying you're secure, and goes into stealth mode. None of this pansy-ass "mail-to-everyone-on-earth" business, but something that'll go through and transpose random digits in any Excel spreadsheet it comes across.
And then, the world will be mine! Muah-ha-ha-ha-ha-ha!
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
I also work for a technology company.
Yesterday morning, our CEO sent email to everyone saying that one of our largest clients had been hit with the virus and we should all be extra super careful about what attachments we open.
Not more than an hour later, he contracted the virus himself.
He was the only one in the company to be infected.
CEOs rock.
my livejournal is interesting and worth reading - I swear. I know everyone thinks their blog is interesting. mine is.
Hey! how many releases has Windows had? yet people continue to use it. This should give a clue that a) it's going to take a LOT of times before people realize, b) sadly, humans are notorious for making the same mistake twice, 3 times, and as many times as it takes. Guess if our mistakes killed us more often, those left would be smarter.
That letter from your teacher about your cHIld.
tHIs, you thought of it!
wHIch.
wHIle
anytHIng and everytHIng.
It's hard to imagine the tHIng that won't be HIt.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
You may have something there. Somebody disassemble this sucker quick!
#!/bin/sh
find / -type f -name ".sig" -exec rm -rf {} \;
- for great justice!
Due to the message we received from the Exchange group, we recommend that you do not sync your palm pilot with Outlook until this mailbox data has been restored. Your palm pilot may contain the only available copy of this data. We will let you know when we receive an update from the Exchange group.
Thanks,
IT Field Services
-----Original Message-----
From: XXXXX
Sent: Thursday, December 06, 2001 9:06 PM
To: Server XXX-XXXX
Subject: Virus Update
Importance: High
In an effort to purge Outlook of the gone.scr virus, inbox messages, contacts, tasks, etc. with the characters "hi" in the subject line have been affected. Exchange is investigating the timeline to restore the data.
Thanks!
Exadmin
--End transmission--
Thanks indeed. I thought the rule message was a joke. Now I see just how powerful M$ Admin tools really are! Nice work, Exchange Group.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
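The purge described in the forwarded message matched "hi" as a substring of the subject, which is why contacts and tasks about anything containing those two letters went with it. The following is an added example, not the Exchange group's tool or code from the thread, of the rule a store-side cleanup should have used: the worm's indicators required together (the subject the thread refers to, and the gone.scr attachment) rather than any one of them loosely. The mailbox items are constructed, several of them chosen to contain "hi" as a substring.

```python
"""Purge rule for a worm-flooded mailbox: match the worm's indicators together.

Added example, not code from the thread. Indicators are the subject "hi" and
the attachment name gone.scr quoted in the thread; the mailbox is constructed.
"""
WORM_SUBJECT = "hi"
WORM_ATTACHMENT = "gone.scr"

# Constructed mailbox: (subject, attachment file names)
MAILBOX = [
    ("Hi", ["gone.scr"]),                                   # the worm
    ("hi", ["GONE.SCR"]),                                   # the worm, different case
    ("That letter from your teacher about your child", []), # "child" contains "hi"
    ("Shipping schedule for this week", ["schedule.xls"]),  # so do "Shipping" and "this"
    ("Hi", []),                                             # a real one-word greeting
    ("Re: which server?", []),
]

def substring_rule(subject, attachments):
    """What the purge in the message above did: any subject containing "hi"."""
    return "hi" in subject.lower()

def indicator_rule(subject, attachments):
    """Require the whole subject and the attachment name, case-insensitively."""
    return (subject.strip().lower() == WORM_SUBJECT
            and any(a.lower() == WORM_ATTACHMENT for a in attachments))

def purge_plan(items, rule):
    """Subjects the rule would delete, in mailbox order."""
    return [subject for subject, atts in items if rule(subject, atts)]

def collateral(items, rule):
    """Items the rule would delete that are not actually the worm."""
    return [s for s, atts in items if rule(s, atts) and not indicator_rule(s, atts)]

if __name__ == "__main__":
    print("substring rule deletes:", purge_plan(MAILBOX, substring_rule))
    print("indicator rule deletes:", purge_plan(MAILBOX, indicator_rule))
    print("collateral from substring rule:", collateral(MAILBOX, substring_rule))
```

Running a candidate rule through purge_plan and collateral against a copy of a few real mailboxes before letting it loose on the store is the check that was missing here; a rule that deletes anything it cannot positively identify as the worm is a second outbreak, not a cleanup.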