Latest WinWorm Spreads Via ICQ And Outlook

mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and user's address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.

nope, sorry.

[tswinzig]

it has a packed form that is only 159 bytes.

Actually the attachment is 38KB, and the virus itself is 159 KILObytes, not 159 bytes, UNPACKED.

The unique thing about it is it disables some anti-virus software, and things like ZoneAlarm.

As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.

Social Engineering

[FatRatBastard]

This one's strength is actually its social engineering. The text of it sounds like something a friend would send. My sister got nailed and I got it via e-mail from her. Since I had just finished talking to her on AIM I found the text of it a little strange so my guard went up. Funny enough, McAfee didn't catch it on Yahoo (I scanned just to see what came up).

Re:*LOL*.. virus.. outlook.. *yawn*

[Lemmy+Caution]

Don't be misled. Maybe you are too young to remember, or weren't in the industry, but the VB-based viruses are far tamer than some of the older Bulgarian viruses that used to attack DOS and Novell systems - those viruses would actually destroy the *hardware*. Unix has plenty of exploitable aspects - there was a vulnerability in pine that allowed for the execution of arbitrary code, there have been sendmail holes, worms, and other vulnerabilities. The unix model has been criticized by none other than RMS (when defending the HURD model) for its promiscuous reliance on SUID.

NTFS (programmers perspective)

[DarkEdgeX]

You'd use MoveFileEx to get rid of the file, like so--

MoveFileEx("C:\\WINNT\\System32\\Gone.scr", NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

The combination of MOVEFILE_DELAY_UNTIL_REBOOT and a NULL lpNewFileName creates a special condition where Windows deletes the file at startup. This is commonly used by installers, for example, when a file is in use and DeleteFile fails. For anyone going through the trouble of putting this into an executable, you might want to grab the Windows system directory from Windows itself.. this can be done using GetSystemDirectory (prototyped as--

UINT GetSystemDirectory(
LPTSTR lpBuffer, // buffer for system directory
UINT uSize // size of directory buffer
);

) or you could be clever and use ExpandEnvironmentStrings, prototyped as--

DWORD ExpandEnvironmentStrings(
LPCTSTR lpSrc, // string with environment variables
LPTSTR lpDst, // string with expanded strings
DWORD nSize // maximum characters in expanded string
);

Shrug. =) Just thought this might help, for those unable to figure out how to delete a file in NTFS (but that do have a C/C++ or other compatible compiler).