Latest WinWorm Spreads Via ICQ And Outlook
mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.
It is not non-destructive - it tries to delete anti-virus and firewall software.
Eric Aitala
www.f1m.com
My office was hit; since we saw the multiple emails with "Hi" we obviously knew that it was a virus. It's more of a DLL than a VBS, using the screensaver extension. It's a little harder to screen than a VBS script.
Got the first attachment at around 16:30 GMT - suspected by the wording of the email that it was a virus.
Mailed tech support and didn't get a response. Great.
It seems some people even ran the attachment more than once - probably trying to get the screensaver to work :-)
It only seems to have copied to the first entry in our network wide address book, unfortunately it begins "#All" - ah well, my Macs are safe at least
The story had a few errors:
OK, to stem the immediate misinformation for those who don't read the links.
The virus is 39K packed and 159 K unpacked. Not even close to just 139 bytes.
The second is that it DOES have some harmful effects. Primarily, it deletes components of Norton Antivirus which could open the infected PC up to much more deadly viruses.
Jeremy Devers
It says you have to remove the registry entry then reboot. Actually, if you remove the registry entry, the app reinstalls itself, then reboot doesn't do shit.
Shutdown to DOS, then del windows\system\gone.scr
(It's hidden; run attrib -s -r -h on it first), then reboot.
You can't delete it before you shutdown, it's 'in-use'.
If you're running NTFS, AND you've been hit, *sigh*..
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
According to the Symantec page it will install robot scripts if you have mIRC installed. Add that to the 'really-is-harmful' list.
Even Slashdot wants to hide some things
*sigh*
Poster says: Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere.
According to Symantec: Deletes files: Attempts to delete several files, including NAV
Poster says: Two is its small size -- it has a packed form that is only 159 bytes.
According to Symantec: The size of the worm unpacked is approximately 159 KB and Size of attachment: 38,912 bytes.
So, when are we going to do some checking first? Deleting files is pretty damn harsh for a "non destructive" virus, and a "packed form that is approximately 159 bytes" is NOT the same as an unpacked form of "159 KB", packed to 38,192 bytes.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
The parent didn't mention that it deletes the entire directory and all subdirectories of that file as well. I wouldn't call that non-destructive.
http://www.grisoft.com is, in my opinion, about the best virus program out there.
1. It's free (with no ads or other annoyances)
2. It scans both incoming *and* outgoing e-mails for virii if you so choose. (It will even tag them as certified virus free by Grisoft if you want.)
3. Just because it's free (although they do sell commercial versions) doesn't mean you don't get updates or anything. They already have an updated database (out today) for Goner.
Anyway, just something for the Windows people who don't have one of the commercial virus apps already, I've loved AVG since I put it on.
Also, it doesn't look like AVG was targeted for deletion by this virus; of course that just means AVG isn't very well known, but nice to know for me anyway....
------
Where are the slash-groupies? I distinctly remember being promised slash-groupies!
What I don't get is ... why doesn't everyone just add a forwarding SMTP server between the internet and their Exchange server and set it up to deny .vbs, .scr, ... style attachments.
We use exchange at work too, and I just set up a linux box running postfix in front of it. With a simple oneline regular expression, every dangerous attachment gets blocked. (hint: use the body_checks parameter) We haven't been hit by a single worm or virus since then.
The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)
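As an added example (not code from any poster in this thread), here is the attachment-extension filter that the Postfix body_checks approach above implements, written in Python and run over a constructed message shaped like the Goner lure quoted in the story; the blocklist, the sample headers and the Postfix rule in the comment are my assumptions, not something from the page.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click; .scr is the one Goner used (gone.scr).
BLOCKED_EXTENSIONS = {".scr", ".vbs", ".pif", ".exe", ".com", ".bat", ".cmd", ".js", ".vbe", ".wsf"}

# The same check as a single Postfix body_checks line (assumed form; in Postfix 2.0+
# MIME part headers are matched by mime_header_checks instead of body_checks):
#   /^\s*Content-(Disposition|Type).*name\s*=\s*"?.*\.(scr|vbs|pif|exe|com|bat)"?\s*$/ REJECT attachment type not allowed


def blocked_attachments(raw_message: bytes) -> list:
    """Return the filenames of MIME parts whose *final* extension is on the blocklist."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() covers both Content-Disposition filename= and Content-Type name=
        name = part.get_filename()
        if not name or "." not in name:
            continue
        # Only the last extension counts: Windows runs "photo.jpg.scr" as a screensaver.
        ext = "." + name.rsplit(".", 1)[-1].lower()
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed message imitating the Goner lure text quoted in the story (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "infected-user@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content("How are you ? When I saw this screen saver I immediately thought about you...")
    # Dummy payload bytes; only the filename matters to the filter.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="gone.scr")
    msg.add_attachment(b"not really an image", maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    return bytes(msg)


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))  # ['gone.scr']
```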
Apparently your people need to do some research. Microsoft has had a patch out for about a year now that can be installed to prevent Outlook from giving access to any executable file, AND this is the default behavior in Outlook XP/2002.
Under Win9x, how would a virus scanner stop a virus from killing its process? Programs in Win9x have full control of the system; there really isn't much a determined program can't do. Think kill -9 from a root program in Unix; there's nothing you can do to stop it. I guess a Robin Hood and Friar Tuck arrangement might be able to put up some sort of warning, but I suspect there's a way to work around even that.
Or maybe the Microsoft apologists could write a little explanation of how to set up a safe testing account on Windows? Oh, that's right you can't, too bad about that.
What the hell?
win2000: Save your executable, make it executable by everyone, then log out and log back in as "guest." The default guest account on win2000 doesn't have access to shite.
winxp: same thing, except you can log in as guest without logging out from your previous account (yeh I know, not that special).
The following sentence is true. The preceding sentence was false.
Instead of blocking subject lines, they could have just added the following code to the Application_ItemSend event in Outlook 2000:
    Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
        Dim blsure As VbMsgBoxResult
        Dim i As Long
        If Item.Attachments.Count > 0 Then
            blsure = MsgBox("A message is being sent with attachments. Do you want to send this message?", vbOKCancel)
            If blsure = vbCancel Then
                ' Attachments is a 1-based collection; walk it backwards so that
                ' removing one entry does not shift the indices of the rest
                For i = Item.Attachments.Count To 1 Step -1
                    Item.Attachments.Remove i
                Next i
                Item.Delete
                Cancel = True
                MsgBox "The message has not been sent."
            End If
        End If
    End Sub
What makes virus writing so easy for Windows is the ability to churn through the Outlook address book with a convenient object model. Of course, you could switch to another client, but then you wouldn't be able to write your own code to customize the behavior of the sending of attachments. Kind of a double-edged sword.
Once you've gotten your Outlook installation "patched", read this article to learn how to deploy the fix to other users. Of course, if they get infected, they may have to click "Cancel" 1500 times, but that's what they get for double-clicking an untrusted .exe.
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
Au contraire, mon frere! Just go to http://www.slipstick.com/outlook/esecup/getexe.htm#ol2002 and get the registry-editing instructions or downloadable tools to let you determine the Outlook 2000/2002 (XP) security settings on any type of file you want. I recommend the "Attachment Security Options" tool, myself.
Actually, if you're running Outlook Express 6.0 from Internet Explorer 5.5 SP2 and 6.0, you can set up in Options the ability for the program to NOT allow the execution of any file attachment. In that case, the virus is useless other than hogging local disk space as the virus file is downloaded.
If you have Outlook with Exchange Server, you can disable the warning about a virus when sending bulk mails (or programmatic mails), and you can gain access to those dangerous attachments (like MDBs or EXE), and you can get rid of the warning depending on the user. Just check the documentation for the patch. It is a bit of a pain (you can't specify groups/distribution lists, you have to specify the specific users), but it gets the job done (restricts most users, and allows you to give permissions to responsible users).
Also, if you have applications using CDO but wish to port them to an API that is less attacked, you might want to consider Outlook Redemption. It is code compatible with CDO, and even has additional MAPI functionality.
This will reduce the problem but not fix it.
Migrate your clients to Linux on PPC (iMacs are nice for this, StarOffice on LinuxPPC is just about happy enough to use) and never fear an attachment again. Plan ahead to include some Alpha and MIPS boxes as well (you can do that on the server end now), so when some meathead eventually produces the first serious LinuxPPC virus it doesn't get everyone in your office.
Got time? Spend some of it coding or testing