Slashdot Mirror


Latest WinWorm Spreads Via ICQ And Outlook

mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.

6 of 598 comments

  1. some correct information... by H0NGK0NGPH00EY · Score: 1, Redundant

    First off, the McAfee link in the story is broken. The real link is http://vil.mcafee.com/dispVirus.asp?virus_k=99272& .

    Second, I don't know what "non-destructive" means in this context, because when something terminates processes (ZONEALARM.EXE, SAFEWEB.EXE, and VSHWIN32.EXE to name a few) and tries to delete all files in the directory containing the executable of the process, I call that destructive.

    --
    Do not read this sig.
  2. 159 Bytes? Not! by Rentar · Score: 0, Redundant

    Please check the facts! It's _not_ 159! Not even the first self-replicating Virii were this small (AFAIK). It's approx. 159 kb if unpacked from its PE-compressed format! The file you have to download to enjoy the virus is approx. 38 kb.

  3. non-destructive? by tswinzig · Score: 1, Redundant

    I guess if you don't consider the deletion of files as "destructive."

    The worm attempts to delete the following files:

    APLICA32.EXE
    ZONEALARM.EXE
    ESAFE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET32.EXE
    PCFWallICON.EXE
    FRW.EXE
    VSHWIN32.EXE
    NAVW32.EXE
    _AVP32.EXE
    _AVPCC.EXE
    _AVPM.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPM.EXE
    AVP.EXE
    LOCKDOWN2000.EXE
    ICLOAD95.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICLOADNT.EXE
    ICSUPPNT.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    SAFEWEB.EXE

    --

    "And like that ... he's gone."
  4. Re:NOT! by Bwana · Score: 1, Redundant

    Correctamundo. I think the article needs an update. This payload is not non-destructive:

    From Symantec:

    Once the registry key has been added, the worm will try to delete files of common anti-virus and firewall products. If the files are in use and cannot be deleted, the worm will create the file %SYSTEM%\Wininit.ini, which causes the files to be deleted when the computer restarts.

    --

    "Electric Relaxation" - ATCQ
    - Bwana
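The two comments above describe the same mechanism from both ends: the list of anti-virus and firewall executables the worm goes after, and the `%SYSTEM%\Wininit.ini` `[rename]` section it writes so that in-use files are deleted at the next boot. The following is an added defender-side example, not code from any poster or vendor: it parses a Wininit.ini `[rename]` section and flags `NUL=` (delete) entries that name one of the executables listed in comment 3. The sample file contents are constructed; the target-name set is taken from that comment.

```python
# Process names the worm is reported to target (list from comment 3 above).
TARGETED_EXES = {
    "APLICA32.EXE", "ZONEALARM.EXE", "ESAFE.EXE", "CFIADMIN.EXE", "CFIAUDIT.EXE",
    "CFINET32.EXE", "PCFWALLICON.EXE", "FRW.EXE", "VSHWIN32.EXE", "NAVW32.EXE",
    "_AVP32.EXE", "_AVPCC.EXE", "_AVPM.EXE", "AVP32.EXE", "AVPCC.EXE", "AVPM.EXE",
    "AVP.EXE", "LOCKDOWN2000.EXE", "ICLOAD95.EXE", "ICMON.EXE", "ICSUPP95.EXE",
    "ICLOADNT.EXE", "ICSUPPNT.EXE", "TDS2-98.EXE", "TDS2-NT.EXE", "SAFEWEB.EXE",
}

def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.

    Wininit.ini lines are destination=source; a destination of NUL means
    "delete source at boot". Keys repeat freely (several NUL= lines), so
    configparser, which rejects duplicate keys, is deliberately not used."""
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def suspicious_entries(text):
    """Return source paths scheduled for deletion (NUL= destination) whose
    file name is a known anti-virus or firewall executable."""
    hits = []
    for dest, src in parse_rename_section(text):
        name = src.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if dest.upper() == "NUL" and name in TARGETED_EXES:
            hits.append(src)
    return hits

# Constructed sample (not a real capture): one legitimate driver update rename
# followed by two scheduled deletions of protective software.
SAMPLE_WININIT = """[rename]
C:\\WINDOWS\\SYSTEM\\NEWDRV.VXD=C:\\WINDOWS\\TEMP\\NEWDRV.TMP
NUL=C:\\WINDOWS\\SYSTEM\\ZONEALARM.EXE
NUL=C:\\Program Files\\Norton AntiVirus\\NAVW32.EXE
"""

if __name__ == "__main__":
    for path in suspicious_entries(SAMPLE_WININIT):
        print("scheduled deletion of protective software:", path)
```

On a live system the same check would be run against the real `%SYSTEM%\Wininit.ini` before the machine is rebooted, since the deletions only take effect at the next boot.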
  5. Now I have some extra ammo... by Rude+Turnip · Score: 2, Redundant

    To explain to others why Windows-based firewalls like ZoneAlarm and BlackIce are inherently less secure than dedicated firewall devices and dedicated Linux firewall solutions...the fact that they run on Windows means they can be knocked dead by a virus.

    And speaking of antivirus software...everyone at my company received a warning email about this virus today from the admin. I took the opportunity to reply back to his email with the following:

    *****
    On the topic of virii, McAfee and Symantec's Norton AV may be leaving a "backdoor" open in its future product updates to accommodate the FBI's Magic Lantern virus for Outlook. I doubt the government really wants to spy on us, but think of this:

    As soon as someone figures out how to mimic Magic Lantern's signature/fingerprint/code/etc., crackers everywhere will have an easy way into any computer protected by McAfee or Norton AV. Wave good-bye to confidentiality. This is rather alarming. Here's a link to an article from Wired:

    http://www.wired.com/news/conflict/0,2100,48648,00.html

    Here is a link to an article on the topic from the Forum on Risks to the Public in Computers and Related Systems

    http://catless.ncl.ac.uk/Risks/21.77.html

    This is just a junior analyst's opinion, but I would begin seeking virus protection alternatives.
    *****

  6. 159 KB not 159 bytes by weezel · Score: 1, Redundant
    From the Symantec link:

    The worm has been packed using a known Portable Executable (PE) packer. The size of the worm unpacked is approximately 159 KB.


    Is it too much to expect the editors of Slashdot to even begin to do their jobs?
    --
    EOF