Latest WinWorm Spreads Via ICQ And Outlook
mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.
Our office blocks .scr attachments at the server, because we're not completely incompetent. There's no reason to send a .scr or a .vbs or anything like unto it - whatever you have to say could be said in a text file.
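Here is what that server-side block looks like in practice, as an added example written for this page (it is not the poster's filter and not a product). It uses only Python's standard library `email` package; the extension list and the sample message are constructed for the example, and the "executable" in it is just a two-byte DOS header stub. The point the comment makes is that the filename decides whether Outlook will run the thing, so the check has to look at the filename the way Windows does: last extension only, case-insensitive, trailing dots and spaces ignored.

```python
import email
import email.policy
from email.message import EmailMessage

# Attachment extensions Outlook would run straight from the message.
# Constructed policy list for this example; extend it to match local rules.
BLOCKED_EXTENSIONS = {"scr", "vbs", "vbe", "js", "jse", "exe", "com", "pif",
                      "bat", "cmd", "hta", "wsf"}


def normalized_extension(filename: str) -> str:
    """Return the lowercase final extension as Windows would see it."""
    # Keep only the last path component: "C:\x\evil.vbs" must not hide
    # its extension behind a path.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows silently drops trailing dots and spaces, so "evil.scr ."
    # opens as "evil.scr"; strip them before looking at the extension.
    name = name.strip().rstrip(". ")
    if "." not in name:
        return ""
    # Only the last extension counts: "holiday.jpg.scr" is a screensaver.
    return name.rsplit(".", 1)[1].lower()


def scan_message(raw: bytes) -> list[tuple[str, str, bool]]:
    """Return (filename, extension, blocked) for every named attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition first, then the
        # Content-Type name= parameter, and decodes RFC 2231 encodings.
        filename = part.get_filename()
        if not filename:
            continue
        ext = normalized_extension(filename)
        results.append((filename, ext, ext in BLOCKED_EXTENSIONS))
    return results


def should_reject(raw: bytes) -> bool:
    return any(blocked for _, _, blocked in scan_message(raw))


def build_sample() -> bytes:
    """Constructed message shaped like the thread's description; not a real worm."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Hi"
    msg.set_content("How are you ? When I saw this screen saver I immediately "
                    "thought about you...")
    fake_pe = b"MZ" + b"\x00" * 62  # DOS header stub only, not a program
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Screensaver.SCR")
    # Double extension: a mail client that hides known extensions shows "holiday.jpg".
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="holiday.jpg.scr")
    msg.add_attachment("meeting at 10", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ext, blocked in scan_message(build_sample()):
        print(f"{'BLOCK' if blocked else 'allow'}  {name!r} (.{ext})")
```

Hooking `should_reject` into a milter or a content filter at the MTA is the part that varies by mail server; the decision logic above is the same wherever it runs.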
It strikes me as extremely sad that a virus like this can still work. How many times does it take?
What can we do to save the unknowing?
Let's not stir that bag of worms...
This virus has two real goals:
1 -- Propagate
2 -- Disable anti-virus
This worm is a setup. So in a few days the 31337 h4x0rs will release the REAL virus that does the REAL damage to the people whose defenses have been compromised.
I love being a Win Sys Admin
Anyone need an OS X admin?
This
My sympathies on the PHB.
The PHBs running our school district's networks wiped Netscape off all school computers and are forcing Windows/Outlook/IE down everyone's throats. Last Friday, a similar worm hit the high school and took out **everything**. I've told my wife (a teacher) to bring nothing home on disk and to remove our home e-mail from her school PC.
IDEA: Why don't UNIX/Linux sys admins start suing networks running IIS and IE for DoS when they send crap from Windows to Linux? Kill the use of Windows by punishing those stupid enough to use it for enterprise computing!
"Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)
I do worry for apps like this on Linux though, as email clients become able to execute attachments. But the benefit is that Linux doesn't assume things based on file suffix, but on their actual mime type. However, that still leaves a possible vulnerability to mime type spoofing, perhaps.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
Microsoft has had a patch available that disables .scr and many of the other extensions that these virii use. The thing is, the patch has been there, ready to download, since JUNE of 2000!!! Holy shit people, why don't you all have this taken care of already?
My shop NEVER gets these things. When you IT geeks are bitching to your bosses about how much MS sucks and begging to be able to switch the whole shop over to *nix, do you tell him/her that there has been a patch available for well over a year that would have stopped this?
I bet you guys all leave that part out, don't you?
I have uses for both Windows and various *nix's, so I use them both. But I at least attempt to keep the windows environment in tip top shape.
How many of you "IT professionals" are sacrificing your shops systems by not applying obvious security updates, like the one I mentioned, just because you resent having to use Windows?
I just happened to bump into some upper management of one of my company's associates; he was complaining about his shop getting destroyed by this virus today. His ears really perked up when I told him about the MS security patch that had been around since June of 2000. I think he will be looking for a new "IT professional" to run his place of business soon. I hate to get a guy fired, but such is life.
The blame for this mess is on 1. Lazy/Ignorant IT people or 2. Linux loving geeks who want to use *nix at work, so they want to see MS fail, so they don't bother taking care of windows security.
I don't know which category the guy I probably got fired fell under. How about the rest of you guys who said your shops were hit? Which one are you?
And as many posters have pointed out, "destructive" is in the eye of the beholder.
Oh come on! In the eye of the beholder? IT FUCKING DELETES FILES.
Admit when you are wrong. It isn't too hard.
Feed the need: Digitaladdiction.net
But again, if a virus can just arbitrarily stop a virus scanner, without the scanner flagging up so much as a warning (think of the "warning" virus scanners throw up if you try to modify the boot record), what good is the scanner?
Maybe I've just answered my own question, but it seems to me as much practice as they've had at it in the Windows world, virus scanners ought to be a little more bullet-proof.
CEO's are masters at running businesses. They are not masters at using computers or making them work better.
As evidence, I'd like to direct your attention to this little company. Its former CEO is a proven master -- probably one of the best in the world -- at making a business successful. However, I don't believe that any code he has ever produced has ever been labeled as well-written. For that matter, I'm not sure he has ever written any code. Instead, the CEO in question bought the rights to an existing product and found a way to sell it to the masses. Later "innovations" and "improvements" to the product were not his, but the ideas of people he hired. Heck, he probably can't even set up user accounts in Windows XP (one of the most basic administrative tasks, in his company's flagship product no less). He doesn't need to; he can pay someone to do that!
The point? To make a company a success, the leaders of it must be able to sell the product, regardless of its quality. Management is what makes a company successful, and that is the realm of the CEO. Not technical prowess.
No matter the quality, no matter the technical merits, no matter the price of the product, if the company is poorly managed it will fail.
--
Give me my freedom, and I'll take care of my own security, thank you.
But a fundamental difference on Unix-type systems is that files aren't inherently executable based simply on their extension; someone can't just save a file from their email and execute it, they need to know at least enough to "chmod u+x" the file, which should at least make them think about it.
Of course, that doesn't mean it's impossible to make an email client or desktop environment that would launch an attachment with "/usr/bin/sh" but hopefully that is so blindingly stupid that no-one would do it.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
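The two comments above (Matt's point that Linux clients go by MIME type rather than suffix, and the worry about MIME type spoofing) come down to one check: does the declared Content-Type agree with what the bytes actually are? Below is an added example of that check, written for this page and not taken from any poster or product. The magic-number table is deliberately small and constructed for the example, as is the sample message; the "executables" in it are header stubs, not programs. Anything whose leading bytes mark it as a Windows PE image, an ELF binary or a "#!" script is reported as executable regardless of its label, which covers the "/usr/bin/sh" case as well as a .scr dressed up as a JPEG.

```python
import email
import email.policy
from email.message import EmailMessage
from typing import Optional

# Leading bytes -> real type. Constructed, deliberately small table for this example.
MAGIC = [
    (b"MZ", "application/x-msdownload"),       # DOS/Windows executable: .exe, .scr, .pif, .dll
    (b"\x7fELF", "application/x-executable"),  # Linux/Unix ELF binary
    (b"#!", "text/x-shellscript"),             # script with an interpreter line
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]
EXECUTABLE = {"application/x-msdownload", "application/x-executable", "text/x-shellscript"}
GENERIC = {"application/octet-stream"}  # claims nothing, so it cannot be contradicted


def sniff(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if not in the table."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def verdict(declared: str, data: bytes) -> str:
    """Compare the declared Content-Type with what the bytes actually are."""
    actual = sniff(data)
    if actual in EXECUTABLE:
        return "executable"   # the label is irrelevant for something that will run
    if actual is None:
        return "unknown"      # not in the table; local policy decides (e.g. quarantine)
    if declared.lower() in GENERIC or actual == declared.lower():
        return "ok"
    return "mismatch"         # e.g. declared image/jpeg, bytes say PDF


def audit_message(raw: bytes) -> list[tuple[str, str, Optional[str], str]]:
    """Return (filename, declared type, sniffed type, verdict) per attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # undo base64/QP transfer encoding
        declared = part.get_content_type()
        report.append((part.get_filename() or "", declared, sniff(data),
                       verdict(declared, data)))
    return report


def build_sample() -> bytes:
    """Constructed message; attachments are header stubs, not real files."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "pictures"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="beach.jpg")
    # Spoofed: labelled as a JPEG, but the bytes are a Windows executable header.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    # Spoofed the other way: text/plain that is really a shell script.
    msg.add_attachment(b"#!/bin/sh\necho hi\n", maintype="text", subtype="plain",
                       filename="readme.txt")
    # Generic label with harmless content: nothing to contradict.
    msg.add_attachment(b"%PDF-1.4\n%stub", maintype="application",
                       subtype="octet-stream", filename="doc.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, declared, actual, result in audit_message(build_sample()):
        print(f"{result:10} {name!r}: declared {declared}, bytes say {actual}")
```

A real deployment would use libmagic or an equivalent full signature database rather than this table; the decision structure (executable beats any label, generic labels are not contradictions, everything else must agree) is the part worth keeping.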
I'm surprised it hasn't occurred to ISPs to make their SMTP server automatically stop sending when someone tries to send 120 copies of an email with an attachment. In addition to stopping attachment virii cold, it could stop the morons from thinking everyone they know should see that stupid dancing penis radio ad again. Seriously, my ISP blocks port 80 in the name of security, but can't block an Outlook virus bouncing around their network.
Maybe ISPs wouldn't need to cap our bandwidth if morons didn't run Outlook and open VB attachments.
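The throttle the poster describes is a rate limit keyed on who is sending and what they are sending. Below is an added example of that logic, written for this page (it is not any ISP's code and not from the poster). The threshold, window and traffic are all constructed for the example; the "attachment" is a stub. Keying on the sender plus a digest of the attachment is the design choice that makes it work: an infected host sends one identical file to everyone in the address book, so that key spikes, while a person mailing five different documents never trips it.

```python
import hashlib
from collections import defaultdict, deque
from typing import Optional


class BurstDetector:
    """Flag a sender relaying the same attachment more than max_copies times
    within window_seconds. Keyed on (sender, attachment digest) so one person
    mailing several different files is not mistaken for a worm."""

    def __init__(self, max_copies: int, window_seconds: float):
        self.max_copies = max_copies
        self.window = window_seconds
        self._seen = defaultdict(deque)   # (sender, digest) -> timestamps in window
        self.flagged = set()              # senders that exceeded the limit

    def observe(self, ts: float, sender: str, attachment: Optional[bytes]) -> bool:
        """Record one outbound message; True = accept, False = defer/reject."""
        if attachment is None:
            return True   # plain text carries nothing the worm could ride in
        key = (sender, hashlib.sha256(attachment).hexdigest())
        q = self._seen[key]
        while q and ts - q[0] > self.window:   # expire timestamps outside the window
            q.popleft()
        q.append(ts)
        if len(q) > self.max_copies:
            self.flagged.add(sender)
            return False
        return True


def simulate() -> dict:
    """Constructed traffic: one infected host, one ordinary user. Not captured data."""
    det = BurstDetector(max_copies=20, window_seconds=60)
    worm_payload = b"MZ" + b"\x00" * 62    # stand-in for the 159 KB .scr
    accepted = rejected = 0
    # Infected host fires 150 copies of the same file at its address book in 30 s.
    for i in range(150):
        if det.observe(i * 0.2, "victim@example.net", worm_payload):
            accepted += 1
        else:
            rejected += 1
    # An ordinary user sends five different documents over 40 s.
    for i in range(5):
        doc = f"quarterly report draft {i}".encode()
        if det.observe(10.0 * i, "alice@example.net", doc):
            accepted += 1
        else:
            rejected += 1
    return {"accepted": accepted, "rejected": rejected, "flagged": set(det.flagged)}


if __name__ == "__main__":
    print(simulate())
```

In an MTA this would sit at the point where the relay decides whether to queue a message; returning False there maps naturally to a temporary 4xx rejection, so a legitimate bulk sender is delayed rather than lost while someone looks at the flagged host.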
BUT...they should have at least a marginal understanding of what goes on around them, and if you're in a tech-driven company, I'd hope that would include knowing how to print from IE or logging into an email client.
I've worked for PHBs that couldn't. It's one thing to surround yourself with great minds. It's another entirely when they serve as a replacement, not an augmentation!
GTRacer
- This has "long day" written all over it
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
Thank god the people that write this kind of code are completely incapable of writing evil IDE command sequences that can fry hard drive firmware.
Imagine the destruction you could cause if after every infection and replication to everyone in your address book, it wrecked your hard drive and required it to be sent back to the manufacturer for repair?
Hmm, interesting sales pitch you could offer to Maxtor, Seagate, etc if you want to make a quick buck at the expense of the global economy. (unless the 90-day warranty covers "act of hacker").
Vintage computer games and RPG books available. Email me if you're interested.
It was pretty obvious to me that it was a virus.
2. It had an attachment.
3. I simultaneously received it from a gazillion people.
Yeah, it's a virus. I set up a rule to auto-delete any future email messages with this virus' text.
I'm still flabbergasted at how many people willingly double click on anything that comes into their inbox. Please use some sense people!