Slashdot Mirror


Latest WinWorm Spreads Via ICQ And Outlook

mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.

167 of 598 comments

  1. NOT! by aitala · · Score: 5, Informative

    It is not non-destructive - it tries to delete anti-virus and firewall software.

    --
    Eric Aitala
    www.f1m.com
  2. Just got goner here by monkeyfamily · · Score: 3, Interesting

    This is the first office I've seen grind to a halt because of an Outlook worm - but then, none of the other places I've temped have been so totally MS-centric. I think I'm the only one left with email access, as I'm using the mozilla client.

  3. Maybe @Home's demise is okay... by javaaddikt · · Score: 2, Funny

    considering I've received 20 virus-laden emails through my @home account in a matter of days.

  4. Started here at 16:30ish GMT by class_A · · Score: 2, Informative

    Got the first attachment at around 16:30 GMT - suspected by the wording of the email that it was a virus.

    Mailed tech support and didn't get a response. Great.

    It seems some people even ran the attachment more than once - probably trying to get the screensaver to work :-)

    It only seems to have copied to the first entry in our network wide address book, unfortunately it begins "#All" - ah well, my Macs are safe at least

    1. Re:Started here at 16:30ish GMT by Anonymous Coward · · Score: 2, Insightful
      Got the first attachment at around 16:30 GMT - suspected by the wording of the email that it was a virus.

      It was pretty obvious to me that it was a virus.

      1. It had an inane message.
      2. It had an attachment.
      3. I simultaneously received it from a gazillion people.

      Yeah it's a virus. I set up a rule to auto-delete any future email messages with this virus' text.

      I'm still flabbergasted at how many people willingly double click on anything that comes into their inbox. Please use some sense people!

  5. That's Why We Get Paid... by Electric+Angst · · Score: 2

    Shit. I still have people getting Melissa and Nimda here at work. (Matter-of-fact, I spent half an hour just yesterday clearing a machine from its second infection.) A 159 byte virus? Using a sentimental pick-up line? I'm going to be busy...

    Yes, I know user education and antivirus software would help stop this, but I'm in no position to get those kinds of things done here.

    --
    Feminism is the wild notion that women are human beings.
    1. Re:That's Why We Get Paid... by CoolVibe · · Score: 2, Informative
      Even _after_ education, users remain stupid. They are almost like computers, they do what you say, but not what you mean.

      *sigh*

    2. Re:That's Why We Get Paid... by Moonshadow · · Score: 2

      Even worse. I live in a dorm, and regularly play around on the network. There are probably 900 computers with shared resources in a 90.xxx - 100.xxx block here on campus. About 600 of those have read-only unprotected resources, to share with the general public. You can't imagine how many Nimda emails I've seen in those directories. College students love screensavers. This one's going to be a booger.

      Anyone know if this one attacks Tiny Personal Firewall? That's my standard installation when I set people up in the dorms.

      I'm not even on the IT staff - just a student with a reputation for knowing how to fix computers. People knock on my door at 4:00 AM to fix their printer. Lord help me with this one.

    3. Re:That's Why We Get Paid... by peccary · · Score: 2

      Lord help me...

      Why, what's your beef? Don't have a cow -- you're in gravy, man! Just put up a little sign that says "GONER REPAIR: $10". It only takes five minutes to fix. Script it, put it on a floppy and carry it with you, and you can clean it up in two minutes flat.

    4. Re:That's Why We Get Paid... by psych031337 · · Score: 3
      Why, what's your beef? Don't have a cow -- you're in gravy, man! Just put up a little sign that says "GONER REPAIR: $10". It only takes five minutes to fix. Script it, put it on a floppy and carry it with you, and you can clean it up in two minutes flat.


      Well, and ironically exactly that might "educate" them enough to remember being cautious about attachments in the long run. If it burns a hole into their pockets they might start thinking before clicking sooner or later.
      --
      +++ath0
    5. Re:That's Why We Get Paid... by Jeremi · · Score: 2
      Even _after_ education, users remain stupid.


      I disagree. Users aren't stupid, software is. Users are taught that when they see an icon on screen, they can click it and something useful will happen. This is as it should be. If something bad happens because they clicked the icon (e.g. they get or spread a virus), that is the fault of the software, not the user. With a properly secure operating system, viruses would not be possible, and no amount of blaming the user changes the fact that Windows (amongst other OS's) is insecure.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    6. Re:That's Why We Get Paid... by GlassUser · · Score: 2

      I just got through telling both of my primary users (I work closely with two out of about a hundred). Just this morning we'd talked about not running attachments we weren't expecting. Not six hours later, Luser X spews on my server, I send off emails, then get a flood of virii in my inbox, and I notice attachment-laden emails from my two main users just as my server teeters on the brink, then dies hard. This is in a matter of thirty seconds. Users are stupid. Plain and simple.

      Remember, computers do exactly what you tell them to. If a computer makes a mistake, it's because somewhere, a user told it to.

    7. Re:That's Why We Get Paid... by opkool · · Score: 2

      Man, I just wish you understood Spanish!

      There's what it's called Praingao HOWTO. It is a (mostly humoristic) view of what happens to friendly people who know about computers.

      It is here.

      In short, it will convince you that, instead of being nice, either you should be charging money (even to your family) or you should install Linux instead so the computer won't break.

      If you do not do it, you are in danger of spending many many hours fixing computers for free and letting the untrue legend grow that Windows is easy and can be used by anyone.

      Try using Babelfish. It is worth it.

    8. Re:That's Why We Get Paid... by Jeremi · · Score: 2
      You have got to be fucking kidding...


      No, I'm quite serious.


      Blaming the software because the user does something stupid is like blaming your car when you run it into a pole


      No, it's more like blaming the car because turning up the volume knob on the radio on Tuesdays causes the engine to explode. ("I've told the users again and again, don't turn up the volume on Tuesdays, but they always forget....")


      See the distinction? Clicking icons in your email program is reasonable behaviour 99% of the time, but 1% of the time it's catastrophic? That's a horrible design flaw in either the email program, or the OS, or both, and it's no big surprise that people get tripped up by it.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  6. The CEO of my technology company by v4sudeva · · Score: 5, Funny

    has already sent every one of my fellow employees all over the globe 27 copies of this thing.

    It's been going on for over two hours now. I can't help but wonder if he's still over there trying to run that damn .scr.

    Thanks, boss.

    --
    Personal me, collaborative you
    1. Re:The CEO of my technology company by JThaddeus · · Score: 2, Insightful

      My sympathies on the PHB.

      The PHBs running our school district's networks wiped Netscape off all school computers and are forcing Windows/Outlook/IE down everyone's throats. Last Friday, a similar worm hit the high school and took out **everything**. I've told my wife (a teacher) to bring nothing home or disk and to remove our home e-mail from her school PC.

      IDEA: Why don't UNIX/Linux sys admins start suing networks running IIS and IE for DoS when they send crap from Windows to Linux? Kill the use of Windows by punishing those stupid enough to use it for enterprise computing!

      --
      "Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
    2. Re:The CEO of my technology company by xmutex · · Score: 2

      And that's the guy running your company.

      Time to find a new job.

      --

      jack's bicycle is music to my ears
    3. Re:The CEO of my technology company by Webmoth · · Score: 2, Insightful

      CEOs are masters at running businesses. They are not masters at using computers or making them work better.

      As evidence, I'd like to direct your attention to this little company. Its former CEO is a proven master -- probably one of the best in the world -- at making a business successful. However, I don't believe that any code he has ever produced has ever been labeled as well-written. For that matter, I'm not sure he has ever written any code. Instead, the CEO in question bought the rights to an existing product and found a way to sell it to the masses. Later "innovations" and "improvements" to the product were not his, but the ideas of people he hired. Heck, he probably can't even set up user accounts in Windows XP (one of the most basic administrative tasks, in his company's flagship product no less). He doesn't need to, he can pay someone to do that!

      The point? To make a company a success, the leaders of it must be able to sell the product, regardless of its quality. Management is what makes a company successful, and that is the realm of the CEO. Not technical prowess.

      No matter the quality, no matter the technical merits, no matter the price of the product, if the company is poorly managed it will fail.
      --
      Give me my freedom, and I'll take care of my own security, thank you.
    4. Re:The CEO of my technology company by sharkey · · Score: 5, Funny

      I'll send you the bill...

      Shouldn't that be, "I send you this bill to ask your repair"?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    5. Re:The CEO of my technology company by GTRacer · · Score: 3, Insightful
      True, nobody really expects a CEO to have a hand in day-to-day operations. They're the "big picture" people.

      BUT...they should have at least a marginal understanding of what goes on around them, and if you're in a tech-driven company, I'd hope that would include knowing how to print from IE or logging into an email client.

      I've worked for PHBs that couldn't. It's one thing to surround yourself with great minds. It's another entirely when they serve as a replacement, not an augmentation!

      GTRacer
      - This has "long day" written all over it

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    6. Re:The CEO of my technology company by OsCarJ · · Score: 2

      I hear you. No more than two minutes after talking to my supervisor about this the VP walks in and asks if he should be concerned about this satanist thing he just opened on his computer.

      Moron!

      Of course the plus side of all of this is I get to try to reinforce my attempts to teach them halfway decent security habits. I usually try to put the fear of god in them by first asking if they have anything important saved on their computer.

    7. Re:The CEO of my technology company by PugMajere · · Score: 2, Funny

      I read that as "ruining".

  7. story is wrong by joshwa · · Score: 5, Informative

    The story had a few errors:

    1. The McAfeelink is here.
    2. It's 159 KB, not 159 bytes.
    3. It isn't non-destructive -- it's designed to remove many popular anti-virus products. See the McAfee article.
    1. Re:story is wrong by HMC+CS+Major · · Score: 2, Informative

      And for those of you who prefer to play with these things yourself ("strings virus.xxx" always turns up something interesting...), I posted a copy (which happened to come from two people on the FreeBSD security mailing list), here (standard disclaimer: it's not my fault if you run it instead of saving it, blah blah blah). On a slightly related note, I especially like the popup message displayed when you run the virus ... obviously a virus, right? Then why have I gotten multiple copies from the same person, obviously someone who tried to run it two or three times?

  8. nope, sorry. by tswinzig · · Score: 5, Interesting

    it has a packed form that is only 159 bytes.

    Actually the attachment is 38KB, and the virus itself is 159 KILObytes, not 159 bytes, UNPACKED.

    The unique thing about it is it disables some anti-virus software, and things like ZoneAlarm.

    As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.

    --

    "And like that ... he's gone."
    1. Re:nope, sorry. by sharkey · · Score: 2

      As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.

      Yeah, the /. editors will get their asses kicked by script kiddies in the next 1337 hAx0r Spelling Bee. Then the kiddies will look at Slashcode, and discover that "where" is constantly misspelled as "were", the fixing of which will eliminate those annoying form_key errors.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    2. Re:nope, sorry. by tswinzig · · Score: 2

      Even I can realize a clever attempt to give the Joe Sixpack user the true sense of the sender's "urgency" by misspelling one obvious word, while keeping the rest of the message grammatically correct.

      Clever attempt? Huh?

      The "error" message displayed by this virus is also grammatically incorrect:

      "Error While Analyze DirectX!"

      I seriously doubt the mis-spelling in the email was done on purpose. By the way, if you really think the rest of the message was "grammatically correct," then I'd suggest an investment in a book on grammar is in order.

      --

      "And like that ... he's gone."
  9. What? Still? by Anonymous Coward · · Score: 5, Funny

    Didn't everyone get the memo that opening attachments is a really dumb idea? I'm attaching the original message:

    <Attachment: Don't_Open_Attachments.eml.vbs>

  10. Pure Wisdom by Phartx2 · · Score: 5, Funny

    I just got the warning message from my school's network goons. In a move of administrative wisdom at its finest, it mentioned:

    "The Bearcat Online email system is now blocking all messages with "Hi" as the subject."

    1. Re:Pure Wisdom by Computer! · · Score: 3, Informative

      Instead of blocking subject lines, they could have just added the following code to the Application_ItemSend event in Outlook 2000:


      ' Outlook fires this for every outgoing item; setting Cancel = True stops the send.
      Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
          Dim blsure As VbMsgBoxResult
          Dim i As Long
          If Item.Attachments.Count > 0 Then
              blsure = MsgBox("A message is being sent with attachments. Do you want to send this message?", vbOKCancel)
              If blsure = vbCancel Then
                  ' Attachments is a 1-based collection; walk it backwards so
                  ' removing an entry does not shift the ones still to be visited.
                  For i = Item.Attachments.Count To 1 Step -1
                      Item.Attachments.Remove i
                  Next
                  Item.Delete
                  Cancel = True
                  MsgBox "The message has not been sent."
              End If
          End If
      End Sub


      What makes virus writing so easy for Windows is the ability to churn through the Outlook address book with a convenient object model. Of course, you could switch to another client, but then you wouldn't be able to write your own code to customize the behavior of the sending of attachments. Kind of a double-edged sword.

      Once you've gotten your Outlook installation "patched", read this article to learn how to deploy the fix to other users. Of course, if they get infected, they may have to click "Cancel" 1500 times, but that's what they get for double-clicking an untrusted .exe.

      --
      If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
    2. Re:Pure Wisdom by FFFish · · Score: 2

      Please provide dummy-compatible instructions for adding this to one's personal copy of Outlook Express, such that it's a permanent and automatically executed whenever one starts Outlook Express. Thanks!

      --
      Don't like it? Respond with words, not karma.
    3. Re:Pure Wisdom by joshwa · · Score: 2

      Unfortunately, OE doesn't have the same object model as Outlook; in fact, it has no publicly scriptable API at all. Score 1 for OE-- since it can't be scripted, it isn't vulnerable to these types of worms.

    4. Re:Pure Wisdom by Ratbert42 · · Score: 2, Funny

      "The Bearcat Online email system is now blocking all messages with "Hi" as the subject."

      Will someone please write a virus that uses the subject lines "Timesheets" or "Status"?

    5. Re:Pure Wisdom by Computer! · · Score: 2

      I got a few requests to give simple instructions on how to code to Outlook 2000 events. Although I'm sure there's an msdn article on this already, I am too lazy to find it. Here:

      Choose "Visual Basic Editor" From the Tools:Macro menu in Outlook 2000, or just hit ALT-F11. When the code window pops up, just choose Application from the left drop-down, and ItemSend from the right. When you're done, hit "Save". I'd like to see if anyone can post improvements, since the code is pretty sparse.

      --
      If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
  11. Social Engineering by FatRatBastard · · Score: 4, Interesting

    This one's strength is actually its social engineering. The text of it sounds like something a friend would send. My sister got nailed and I got it via e-mail from her. Since I had just finished talking to her on AIM I found the text of it a little strange so my guard went up. Funny enough, McAfee didn't catch it on Yahoo (I scanned just to see what came up).

  12. More information here by stylewagon · · Score: 2

    F-Secure have a page describing the W32.Goner.A@mm as well.

    --

    *** I am the real stylewagon

  13. This is a sad statement on security by JMZero · · Score: 5, Insightful

    Our office blocks .scr attachments at the server, because we're not completely incompetent. There's no reason to send a .scr or a .vbs or anything like unto it - whatever you have to say could be said in a text file.

    It strikes me as extremely sad that a virus like this can still work. How many times does it take?

    What can we do to save the unknowing?

    --
    Let's not stir that bag of worms...
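    As an added example that is not code from this thread: a minimal server-side attachment filter of the kind described in the post above, written in Python. It rejects messages carrying executable attachments (the thread names .scr, .vbs and .exe; .pif, .bat and .com are my addition) and also flags the Goner lure sentence quoted in the story summary. The sample message is constructed and its attachment bytes are a placeholder.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the thread discusses (.scr, .vbs, .exe); .pif, .bat and .com are
# added here as an assumption, since Windows runs them the same way.
BLOCKED_EXTENSIONS = {".scr", ".vbs", ".exe", ".pif", ".bat", ".com"}

# Lure sentence quoted in the story summary, normalised to lower case.
GONER_LURE = "when i saw this screen saver i immediately thought about you"


def attachment_extension(name):
    """Return the last extension of an attachment name, lower-cased.

    Trailing spaces and dots are stripped first, because Windows ignores them
    when deciding how to open a file, and only the last extension counts, so
    'Don't_Open_Attachments.eml.vbs' is treated as a .vbs file.
    """
    lowered = name.lower().rstrip(" .")
    if "." not in lowered:
        return ""
    return "." + lowered.rsplit(".", 1)[1]


def blocked_attachments(raw):
    """Names of attachments in a raw RFC 822 message whose extension is blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def matches_goner_lure(raw):
    """True if the plain-text body contains the lure sentence (whitespace-insensitive)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return False
    text = " ".join(body.get_content().lower().split())
    return GONER_LURE in text


def filter_message(raw):
    """Gateway verdict: ('reject', reasons) or ('accept', [])."""
    reasons = [f"executable attachment: {n}" for n in blocked_attachments(raw)]
    if matches_goner_lure(raw):
        reasons.append("body contains the Goner lure text")
    return ("reject" if reasons else "accept"), reasons


def build_sample(attachment_name, body):
    """Constructed test message; the attachment payload is a placeholder, not the worm."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content(body)
    msg.add_attachment(b"placeholder-bytes-not-real-code", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = ("How are you ? When I saw this screen saver I immediately "
            "thought about you...")
    for name, body in (("gone.scr", lure), ("minutes.txt", "Minutes attached.")):
        print(name, filter_message(build_sample(name, body)))
```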
  14. Symantec's writeup is wrong.. by Havokmon · · Score: 5, Informative


    It says you have to remove the registry entry then reboot. Actually, if you remove the registry entry, the app reinstalls itself, then reboot doesn't do shit.

    Shutdown to DOS, then del windows\system\gone.scr
    (It's hidden attrib -s-r-h first), then reboot.
    You can't delete it before you shutdown, it's 'in-use'.

    If you're running NTFS, AND you've been hit, *sigh*..

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    1. Re:Symantec's writeup is wrong.. by Rentar · · Score: 2
      If you're running NTFS, AND you've been hit, *sigh*..

      If you're in a German-speaking country you might want to fetch the most recent issue of c't. They got an article about Virus-Cleaning on NTFS-Platforms (from DOS and Win9x). Take a look at the download links for the article. I don't think the article itself is available on the net. It's German but I'm sure even those of you who don't speak this language will find a way through ("NTFS", "DOS" and "Download" are the same ;-)

    2. Re:Symantec's writeup is wrong.. by Snowfox · · Score: 2
      If you're running NTFS, AND you've been hit, *sigh*..

      Correct me if I'm wrong, but I believe Windows allows you to rename an open file. If the worm isn't smart enough to check for this, you should be able to reboot and start cleaning up.

    3. Re:Symantec's writeup is wrong.. by Hanno · · Score: 2

      Correct me if I'm wrong, but I believe Windows allows you to rename an open file.

      You are wrong.

      --
      You may like my a cappella music
  15. What about Badtrans? by MS · · Score: 2, Interesting
    Did I miss a post or something?

    Badtrans is hitting my mailbox multiple times harder than Sircam, MTX and CodeRainbow combined. And it's only around since 24th November. Quite "every" Outlook user I know of got infected with it.

    But then maybe this virus is hitting only Europe, so US-citizens haven't noticed it, yet.

    Needless to say, I'm happy to read my e-mail on a *nix box. :-)

    ms

  16. Our office just got em' by jon_c · · Score: 2

    First from the CEO, then from about 15 other co-workers. Right now the IT team is running around trying to figure out how to filter it out.

    I peeked inside and found that it links to the VB runtime DLL. Unfortunately I can't tell any more than that at this point.

    -Jon

    --
    this is my sig.
    1. Re:Our office just got em' by sharkey · · Score: 2

      Right now the IT team is running around trying to figure out how to filter it out.

      Using a clawhammer, apply filter briskly to the foreheads of those who cannot understand simple commands, such as DO NOT OPEN.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  17. Already received it by Anml4ixoye · · Score: 2
    I have already received 17 copies of the virus. But you know, following the rules that I teach in my Internet Basic class - don't open anything you aren't expecting, verify it first - worked like a charm in this case. The first person I got it from I called and they had no idea about it, which raised little red flags with me.

    Is Outlook to blame? Sure, partially. But are stupid users who open attachments at random without verifying them also to blame? Absolutely.

  18. Finding the culprit by rkent · · Score: 5, Funny

    Well, since McAfee and Symantec are reporting it, I guess this is not a first draft of magic lantern... unless they issue another press release in 45 minutes saying "um... nevermind, there is no 'Goner' worm."

  19. Re:159 Bytes? Not! by Rentar · · Score: 2
    It's _not_ 159!

    Of course I've seen the missing "Bytes" in the split second between pressing submit in the Preview-Page and the loading of the newly posted comment ... Sigh ...

  20. Quite Obvious by Cylix · · Score: 2

    This one was very obvious. However, the bottom line is, never open any unknown executables and stay away from clients that have security issues.

    An interesting question arose out of all this... I have had more than a few emails from people here at work that I don't know. I have to wonder how my email address ends up in so many address books.

    Unfortunately most people won't have the benefit of strangers sending this message.

    Oh beautiful corporate america, may your mail servers be forever fruitful.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  21. An interesting quote by SomeoneYouDontKnow · · Score: 2

    NEWS.COM has an interesting quote from David Perry of Trend Micro. He says, "Every time enough time goes by that people forget to be wary of these things, it pops up again. Apparently, we have to resign ourselves to the fact that education doesn't work."

    How sad...but true. It's almost like that quote on the (I believe) CDW commercial, where the woman tells the IT manager something to the effect of, "I opened that virus just like you told us not to."

    All it takes is a little diligence, and these things would be far less of a problem. Not even real diligence, just less stupidity on the part of users. I mean, a person would have to be living in a cave not to have heard about Melissa, I Love You, Code Red, SirCam, etc. When is it going to sink in that you shouldn't open unexpected e-mail attachments?

    Oh, BTW, the original post stated that this thing is mostly non-destructive. I'm not so sure I'd agree with that assessment. If this thing is stripping out virus scanners and firewalls, it's opening up a machine for other types of attacks. I'd be a little concerned about that.

    --
    That light you see at the end of the tunnel might be from an oncoming train.
    1. Re:An interesting quote by (H)elix1 · · Score: 2

      One of the kickers here is it uses your (outlook) contact list - this way when my Mom gets hit with one of these things, she mails all of my siblings the virus. It's an email from an expected source - thus the "social hack" that makes this thing work as well as it does...

      To add insult to injury, she does not do anything but email. You think she knows about the mess that is out there or the little things called patches on the www thing? I use my Mom as a bar for the unwashed masses - these viri are never going to stop from user education...

    2. Re:An interesting quote by SomeoneYouDontKnow · · Score: 2

      A friend of mine has said he thinks that many people aren't ready, in an evolutionary sense, for the complexities of the Internet and computers. I don't know if I agree with that, but I sure do know that many people have little idea what tools to use on the Net in order to accomplish a goal. At an ISP I worked for, I had a guy call up and ask why he couldn't receive an engineering drawing from someone by e-mail. I asked him how big it was, and he said about 20 MB. He also said that he'd want to be swapping files like this on a daily basis. I told him that our mail servers didn't allow messages that big to be stored, and I also said that it'd take forever to transfer them over the connection he had (dial-up). He then got a little bent out of shape, as if this was somehow something that I should be able to fix for him. I suggested that he could use FTP, but the transfer would still be slow as hell. No, FTP was no good because e-mail was easier, and he wanted to know why he couldn't do it with e-mail. When I explained that the Internet's e-mail system was designed around 30 years ago and was never intended for sending 20 MB files, I think he began to understand.

      I really think that many Internet users haven't a clue as to how the technology works. They seem to liken it in many ways to magic. When they do things within their narrow scope of semi-understanding, they can manage, but when something new and/or unexpected presents itself, they're lost. Worse, many of them seem to be content with that low level of understanding. When a problem happens, no matter how minor, they run to their service provider rather than try to educate themselves. I realize that ISPs should provide support, but you don't see the cable company telling people how to change channels on their TVs or program their VCRs. These are things you're expected to figure out for yourself. It should be the same with computers. If someone is going to spend a large sum of money on one, it would seem that they'd want to know how to use it. As for viruses, you'd think that they'd want to be at least a little clueful, if only to prevent them from losing all their data or from infecting their grandmother's machine. At least, you'd think they would...

      I'm just waiting for a truly destructive worm to come along, something that spreads as fast as the ones we've seen lately but that totally hoses a machine after it's moved along to other users. I'm not saying I want to see this happen--I don't, but we all know it will, sooner or later. Maybe after an attack like that, at least some of the clueless will educate themselves.

      --
      That light you see at the end of the tunnel might be from an oncoming train.
    3. Re:An interesting quote by Error27 · · Score: 2
      I guess I have to disagree with most people in this thread about the users needing education to, "not open attachments."

      The problem is a matter of user interface more than education. Microsoft products should not make it so easy to execute data.

      As far as evolution goes, I would say that developers as well as users are at the caveman stage. It should be much easier to do ordinary things with computers.

      Yesterday, a professor was me about setting up a web page. She wanted to do much of it herself because she wanted to do more advanced things than the school provided web pages did. She was talking about setting up a webserver and some kind of a "chat board" where students could discuss things. The thing that makes this interesting is that she has no idea about anything to do with computers.

      Somehow she got the idea that just because setting up a web server and a bbs should be easy to do that it actually was easy to do. Hah! In fact the average computer user has a better chance of getting struck by lightning than being able to set up a bbs on their own.

      You brought up transferring files between computers. This really should be as simple as sending an email. But frankly it's not. I once took hours to set up an ftp server. ICQ is my current favorite so far as ease of use goes but even then there are problems with fire walls etc.

      At school I often want to transfer files from my home computer. But unfortunately, I am behind a firewall at home so I can't do it directly. What I end up doing is, when I'm at home I ftp the files to a temporary ftp site. Then I ssh to the computer on campus where I want to put the files. (This computer doesn't have an ftp server). Then from that computer I ftp to the temporary ftp site and download my files.

      What a horrible horrible mess! Also the ftp protocol is utter crap itself... It's insecure. It continually seems to get binary and text files confused so your data gets screwed up. It doesn't let you continue a download if you started but got disconnected.

      I really can't blame the users if they don't want to deal with computers any more than they have to.

    4. Re:An interesting quote by (H)elix1 · · Score: 2

      A fair question.

      The box in question is a 486dx2/50 with 16 MB of RAM - which will still run Win95. At the time I gave it up as a doorstop, I set it up with Juno with the hope she would figure out that might be the best way to contact us. In 96-97, she was not ready for using a shutdown button, much less Pine...

      She did get an ISP through the U when she started taking classes again, and Juno dropped 28.8 modem support. They had docs, an install cd, and hand-held her setup. You can imagine my shock!

      You're right, however. Last week my Mom either got hit with CHX? or the CMOS battery is dead and she is really not hitting F1. I will be tossing them a 700 MHz Duron when we return home this Christmas - pre-loaded with Netscape 6.2 mail client (I blame my spelling on genetics and this is a must for her - I'm reading the pspell and ispell info, but I'm not to the point where I could contribute code yet for Moz)

    5. Re:An interesting quote by Error27 · · Score: 2

      >>But standard LAN fileshares (samba etc.) are fairly easy to use, which is something.

      SMB has a very insecure user interface. Most people who share stuff with SMB do it by mistake.

  22. Now I have some extra ammo... by Rude+Turnip · · Score: 2, Redundant

    To explain to others why Windows-based firewalls like ZoneAlarm and BlackIce are inherently less secure than dedicated firewall devices and dedicated Linux firewall solutions...the fact that they run on Windows means they can be knocked dead by a virus.

    And speaking of antivirus software...everyone at my company received a warning email about this virus today from the admin. I took the opportunity to reply back to his email with the following:

    *****
    On the topic of virii, McAfee and Symantec's Norton AV may be leaving a "backdoor" open in its future product updates to accommodate the FBI's Magic Lantern virus for Outlook. I doubt the government really wants to spy on us, but think of this:

    As soon as someone figures out how to mimic Magic Lantern's signature/fingerprint/code/etc., crackers everywhere will have an easy way into any computer protected by McAfee or Norton AV. Wave good-bye to confidentiality. This is rather alarming. Here's a link to an article from Wired:

    http://www.wired.com/news/conflict/0,2100,48648,00.html

    Here is a link to an article on the topic from the Forum on Risks to the Public in Computers and Related Systems

    http://catless.ncl.ac.uk/Risks/21.77.html

    This is just a junior analyst's opinion, but I would begin seeking virus protection alternatives.
    *****

  23. Sorry about the double-post... by tswinzig · · Score: 3, Funny

    ...I was in a harry.

    --

    "And like that ... he's gone."
  24. installs takeover script by Proud+Geek · · Score: 3, Informative

    According to the Symantec page it will install robot scripts if you have mIRC installed. Add that to the 'really-is-harmful' list.

    --

    Even Slashdot wants to hide some things

  25. Re:*LOL*.. virus.. outlook.. *yawn* by Lemmy+Caution · · Score: 4, Interesting

    Don't be misled. Maybe you are too young to remember, or weren't in the industry, but the VB-based viruses are far tamer than some of the older Bulgarian viruses that used to attack DOS and Novell systems - those viruses would actually destroy the *hardware*. Unix has plenty of exploitable aspects - there was a vulnerability in pine that allowed for the execution of arbitrary code, there have been sendmail holes, worms, and other vulnerabilities. The unix model has been criticized by none other than RMS (when defending the HURD model) for its promiscuous reliance on SUID.

  26. Re:OT: "moderately unique"?? by heliocentric · · Score: 3, Funny

    WTF does "moderately unique" mean?

    I consider myself moderately unique in that my shirt size is an extra medium. I don't know many other people who take an extra medium, but if the shirt companies make 'em then I can't be fully unique.

    Either something is unique or it's not, by crikey! Soon we'll have things described as "marginally special"

    Well, at the local food store the manager often has things that are getting old on special... oh, you were talking about marginally...

    or "slightly dead."

    Ever see the Princess Bride? Wesley was not all dead when they took him to Miracle Max's....

    --
    Wheeeee
  27. DDoS by Reckless+Visionary · · Score: 2
    It doesn't just delete files. As Symantec reports:

    "If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DOS) attacks."

    --
    I think I'll stop here.
  28. This is nothing. Wait a few days by ellem · · Score: 4, Insightful

    This virus has two real goals:

    1 -- Propagate
    2 -- Disable Anti Virus

    This worm is a setup. So in a few days the 31337 h4x0rs will release the REAL virus that does the REAL damage to the people whose defenses have been compromised.

    I love being a Win Sys Admin

    Anyone need an OS X admin?

    --
    This .sig is fake but accurate.
  29. Not just DoS from e-mail forwarding... by Cutriss · · Score: 2

    Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere.

    Per the Symantec virus warning, it will also use IRC bots to commit DoS attacks.

    --
    "Mod, mod, mod...and another troll bites the dust."
  30. Re:*LOL*.. virus.. outlook.. *yawn* by Maeryk · · Score: 2

    Don't be misled. Maybe you are too young to remember, or weren't in the industry, but the VB-based viruses are far tamer than some of the older Bulgarian viruses that used to attack DOS and Novell systems - those viruses would actually destroy the *hardware*. Unix has plenty of exploitable aspects - there was a vulnerability in pine that allowed for the execution of arbitrary code, there have been sendmail holes, worms, and other vulnerabilities. The unix model has been criticized by none other than RMS (when defending the HURD model) for its promiscuous reliance on SUID.

    No.. I remember them.. but it still seems that Microsoft's very design and failure to treat VB as something security-wise risky has contributed a lot to the spread of this stuff. Not to mention the ease of use of "autoreply" and "autoforward" and all manner of other things that just about any monkey can use now. (Thanks Bill!)

    Hell.. my wife got notified that she is "propagating" it because her work account (corporate) is trying to autoforward it to our home account (which is a setup that has been in effect for three years, at least).

    She hasn't even read the work account in a month.

    Unix has fewer exploitable aspects than it used to, and the main difference is when we find em, we find and publish fixes for em. Windows first says "ignore the man behind the curtain" and then says "here.. run this patchall, and life will be grand."

    Maeryk

    --
    Feminine Protection? What is that? A chartreuse flame thrower?
  31. Yes, non-destructive by Mdog · · Score: 2, Funny

    I'd still consider it non-destructive. It is only trying to keep itself alive, not destroy "unrelated" parts of your system.

  32. a real "Trojan horse" by mblase · · Score: 3, Funny

    Great -- someone's finally figured out that they can create a Trojan horse that not only digs a back door into your system, but silently kills off the guards at the front as well.

    Next thing we know they'll be rewriting Microsoft's system auto-updater to download even more viral code into your system. Won't that be nice?

    1. Re:a real "Trojan horse" by jayhawk88 · · Score: 2

      Surely an attempt to delete [virusscanner].EXE is one of the first things any respectable virus scan program should monitor and attempt to prevent, or at least warn of?

    2. Re:a real "Trojan horse" by jayhawk88 · · Score: 2, Insightful

      But again, if a virus can just arbitrarily stop a virus scanner, without the scanner flagging up so much as a warning (think the "warning" virus scanners throw up if you try to modify the boot record), what good is the scanner?

      Maybe I've just answered my own question, but it seems to me as much practice as they've had at it in the Windows world, virus scanners ought to be a little more bullet-proof.

    3. Re:a real "Trojan horse" by Dahan · · Score: 3, Informative

      Under Win9x, how would a virus scanner stop a virus from killing its process? Programs in Win9x have full control of the system; there really isn't much a determined program can't do. Think kill -9 from a root program in Unix; there's nothing you can do to stop it. I guess a Robin Hood and Friar Tuck arrangement might be able to put up some sort of warning, but I suspect there's a way to work around even that.

    4. Re:a real "Trojan horse" by Happy+Monkey · · Score: 2

      When the executable is copied to the computer, scan the file for strings that match the antivirus software files. Perhaps not foolproof, but an idea.

      --
      __
      Do ya feel happy-go-lucky, punk?
    5. Re:a real "Trojan horse" by Happy+Monkey · · Score: 2

      For example, Goner is compressed--the antivirus EXE names aren't visible. There are a million and one ways of hiding a string in the trojan.

      Of course. There are also a million and one ways to undo that obfuscation. And that's what antivirus companies do - they look at the latest viruses, and reverse engineer them.

      And if the antivirus software simply scanned for its own EXE name, you couldn't have text file, Word document, or whatever that had that EXE name.

      Well, I did say "when the executable is copied to the computer". There aren't many valid reasons to have another program's filename in an executable. Some, but not many.

      --
      __
      Do ya feel happy-go-lucky, punk?
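    The idea argued over in this sub-thread (grep a freshly dropped executable for the names of the AV and firewall files it might try to kill, and why a packed worm such as Goner defeats that) as a worked example. This is added here and is not code from any poster or from the Symantec write-up; the AV file names, the sample "binary" and the single-byte XOR stand-in for a real packer are all constructed for the demo.

```python
import re

# Constructed list of AV / personal-firewall executables to look for. The
# thread names the vendors (Norton AV, McAfee, ZoneAlarm); these file names
# are this example's assumption, not taken from any vendor write-up.
AV_NAMES = [b"NAVW32.EXE", b"SCAN32.EXE", b"ZONEALARM.EXE", b"VSMON.EXE"]

# Constructed stand-in for a dropped executable: DOS/PE magic, filler, and
# the kill-list strings a naive scanner hopes to find in the clear.
SAMPLE_BIN = (b"MZ\x90\x00" + b"\x00" * 16
              + b"kill NAVW32.EXE\x00"
              + b"deltree c:\\progra~1\\zonealarm.exe\x00"
              + b"\x00" * 16)

def find_av_names(blob):
    """Case-insensitive search of a byte blob for the names in AV_NAMES.
    Returns the matching names in AV_NAMES order."""
    hits = []
    for name in AV_NAMES:
        if re.search(re.escape(name), blob, re.IGNORECASE):
            hits.append(name.decode())
    return hits

def xor_pack(blob, key):
    """Toy single-byte XOR 'packer': enough to hide every plain string from
    find_av_names, which is all a real packer needs to do to beat it."""
    return bytes(b ^ key for b in blob)

def recover_strings_xor(blob):
    """Analyst-side counterpart: try all 255 single-byte keys and report the
    ones under which a known name reappears. Returns [(key, hits), ...]."""
    found = []
    for key in range(1, 256):
        hits = find_av_names(xor_pack(blob, key))
        if hits:
            found.append((key, hits))
    return found

if __name__ == "__main__":
    print("clear :", find_av_names(SAMPLE_BIN))
    packed = xor_pack(SAMPLE_BIN, 0x5A)
    print("packed:", find_av_names(packed))
    for key, hits in recover_strings_xor(packed):
        print("key 0x%02x recovers %s" % (key, hits))
```

    The scan catches the names in the clear, finds nothing once the blob is XORed, and the brute-force loop gets them back because a single-byte key leaves the whole string structure intact. A real packer (compression, or a polymorphic decryptor) needs the unpack-then-scan step the AV vendors actually do; the cheap string check is only a tripwire, and the thread is right that "scan for my own EXE name" cannot be the defence on its own.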
  33. Re:159 Bytes? Not! by Rentar · · Score: 2

    Wow! almost ...

    A quick search on vil.nai.com for "Tiny" turns up several small Virii. The smallest being Tiny Di with 94-110 Bytes.

    But I think that is only possible because .com (the only files those virii infect) are much simpler in design than .exe (not to speak of .exe-files running in win32) and those virii had no way of spreading over a network on themselves (they depended on some person to distribute the infected file in some way).

    Aliz has the ability to distribute via the network and is much smaller than Goner (just 4098 Bytes).

    All those Virii definitely don't come out of a Virus-Construction-Set (yet).

  34. Submitter did not read own references... by Kymermosst · · Score: 2, Informative

    Poster says: Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere.

    According to Symantec: Deletes files: Attempts to delete several files, including NAV

    Poster says: Two is its small size -- it has a packed form that is only 159 bytes.

    According to Symantec: The size of the worm unpacked is approximately 159 KB and Size of attachment: 38,912 bytes.

    So, when are we going to do some checking first? Deleting files is pretty damn harsh for a "non destructive" virus, and a "packed form that is approximately 159 bytes" is NOT the same as an unpacked form of "159 KB", packed to 38,192 bytes.

    --
    "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
    1. Re:Submitter did not read own references... by fobbman · · Score: 2

      Slashdot: Timeliness First, Acuracie Sekond

  35. You can lead a horse to water... by Rocketboy · · Score: 2

    We're running NT 4.0 and using Lotus Notes as our e-mail client. Despite regular and repeated admonishments we've had two users open these damn things. Well, this was predictable and that's one big reason we're using Notes instead of Outlook: at least we won't be spreading this crap.

    Funny, though: both computers were infected but only one had gotten around to adding itself to the registry, and neither one deleted McAfee. I wonder if these things are on a timer where they don't do their bad shit right away upon infection? Probably a bug... :)

  36. pretty crafty by afidel · · Score: 2, Interesting

    If you reboot without cleaning the system then the virus stops the 3 major Antivirus packages. It then deletes the entire directory where the stopped file was found.

    As one user put it here, these guys are pretty dumb, they need to learn to be more creative. When they come out with one that says free beer click here then I'll be scared.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  37. Watched this happen by Matts · · Score: 5, Insightful
    I work for a managed security provider and we stopped this using heuristics for all our customers. Its growth rate has been phenomenal, considering it doesn't even use any hacks - it's just a stupid social engineering virus! It was very funny listening to our anti-virus guy on the phone to reporters saying "We've stopped 4000 in the last two hours. No wait, 5000. ... oh, and now 6000".

    The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)

    I do worry for apps like this on Linux though, as email clients become able to execute attachments. But the benefit is that Linux doesn't assume things based on file suffix, but on their actual mime type. However, that still leaves a possible vulnerability to mime type spoofing, perhaps.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
    1. Re:Watched this happen by CaseyB · · Score: 2
      Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client

      That's not even a root cause, it just makes things a little easier for the virus to propagate. If they made it completely impossible to execute attachments in the client, users would simply do what they then learn they're "supposed" to do with attachments -- save them to a file, and then run/view them from the shell. Boom, same result.

      There is no sure-fire fix to prevent this sort of virus. It's not, at its core, a problem with either the basic functionality of the email software (well written software can only slow down the propagation, not stop it), nor the scope of the user's permissions (it's well within the user's scope to read his own mail, execute software, read his own address book, and send mail). It's a problem with the behaviour of the user.

      As long as it's possible to attach arbitrary files to emails, and run arbitrary code on a machine, they'll propagate. Making it technically impossible to do either of those things a) is difficult, and b) makes the system far less useful.

    2. Re:Watched this happen by Matts · · Score: 2

      Well, as other posters have pointed out, you need to set the execute bits. That's always going to be a task my mother would shy away from. Of course that may also be something that prevents widespread adoption of Unix on the desktop :-)

      --

      Matt. Want XML + Apache + Stylesheets? Get AxKit.
    3. Re:Watched this happen by tswinzig · · Score: 5, Informative

      The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)

      Apparently your people need to do some research. Microsoft has had a patch out for about a year now that can be installed to prevent Outlook from giving access to any executable file, AND this is the default behavior in Outlook XP/2002.

      --

      "And like that ... he's gone."
    4. Re:Watched this happen by rjamestaylor · · Score: 2
      I'm running Linux (2.4.7-10, yes, RedHat 7.2) Mozilla 0.9.6 and using the email client primarily. Last week I received an email from an Australian client and selected it for preview -- up popped the "Save As or Open" dialog box. This was BadTrans. I didn't open the email - just preview. It would have been easy for me to mistakenly press a key (I wasn't expecting a dialog box, after all). If this same email with the corrupted MIME header had a destructive ELF executable, everything accessible to my user id would have been threatened (assuming I choose to Open the self-initiating download file either purposefully or accidentally). Of course, since I'm not running as root on my Laptop (an aside: I love how SuSE shows skulls and stuff when a user runs X11 and Gnome/KDE as root), the impact would be minimized, but potentially disastrous nonetheless.

      I've not heard others complain about Mozilla getting tricked by the MIME header...and, yes, this behavior is reproducible.

      --
      -- @rjamestaylor on Ello
    5. Re:Watched this happen by FattMattP · · Score: 2
      But the benefit is that Linux doesn't assume things based on file suffix, but on their actual mime type.
      Yet mime types are based on file suffixes.
      --
      Prevent email address forgery. Publish SPF records for y
    6. Re:Watched this happen by Matts · · Score: 2

      I said "stop". That patch is an option that users can enable or disable. And lots of users will likely disable it so they can run the next silly game, or coke commercial, or screen saver.

      Do you really think we don't research these things? Do some research into the company before you lambast us.

      --

      Matt. Want XML + Apache + Stylesheets? Get AxKit.
    7. Re:Watched this happen by smaughster · · Score: 2

      So what you are proposing basically is virus-security through obscurity of exec bits? Where have I heard similar things....

      --
      I intend to live forever, so far so good.
  38. McAfee really dropped the ball by HEbGb · · Score: 2

    I got several of these emails this morning, and obviously thought it was a virus, but my McAfee software didn't identify it as such. It passed, no problem.

    So, thinking I needed an update, this afternoon, I downloaded the most recent version of their .dat file (dated 11/28). Still, the virus passed, with no problems.

    I'm pretty disappointed with McAfee for this. An update should have been made immediately available as in, this morning. I imagine a lot of people were stung because the virus definitions weren't updated quickly enough.

    Thankfully, I never use Outlook, so no damage was done.

  39. Re:non-destructive? by ocie · · Score: 2

    If it were really destructive, it would work like a screensaver. Wait until nobody is using the machine, then start switching between resolutions. This should fry quite a few monitors.

    --
    JET Program: see Japan, meet intere
  40. Yes, destructive by mj01nir · · Score: 2, Informative

    The parent didn't mention that it deletes the entire directory and all subdirectories of that file as well. I wouldn't call that non-destructive.

    --
    the no .sig .sig
  41. A note to virus writers: by dimator · · Score: 2

    Why do you insist on using only one subject line when having your virus replicate itself? That's the easiest form of detection! If you'd use something less static, say, a random subject out of 50 preset ones, then your virus would spread a LOT more before anyone got wise.

    In addition, it would similarly help to rename the attachment at every iteration too.

    --
    python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
    1. Re:A note to virus writers: by Saint+Nobody · · Score: 2

      i find that the best way to block these things is by matching attachments with the following regular expression (pcre syntax):

      .+\.(?i:exe|com|bat|dll|scr|ocx|vbx|pif|js|vbs|shs)

      i have a perl script which scans for lines that match /Content-(?:Disposition|Type):/ and checks for potentially viral attachments (i.e. windows executables) and redirects them into a separate mail folder. i have another one that appends a configurable extension to windows executables so that users would have to rename them to run them.

      honestly, though, i'm not sure what would happen on the windows side of things if you called a virus ".exe". windows doesn't like filenames that start with a period, and i've never seen it used, so i'll let it slide for now.

      admittedly, these would use a lot of cpu time if implemented for all users on a mail server, but i find it works beautifully for my account on my workstation.

      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
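    A worked version of the filter sketched in the comment above, added here as an example; it is not the poster's perl script and not code from the original page. It combines three points from this sub-thread: the suffix list from the regular expression above (anchored at the end of the name with no required stem, so the bare ".exe" case the poster wonders about is caught too), a content check on the DOS/PE "MZ" magic so that a renamed attachment or a spoofed Content-Type (the mime-type concern raised earlier in the thread) still trips the filter, and a fingerprint of the decoded attachment body instead of the static subject line that the grandparent comment calls the easiest form of detection. The sample messages are constructed inline; the lure text is the one quoted in the story, the addresses and file names are made up.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Suffixes from the regular expression in the post above. Anchored at the
# end of the name only, with no required stem, so a bare ".exe" and a
# "notes.txt .exe" are both caught.
EXEC_EXT = re.compile(r"\.(?:exe|com|bat|dll|scr|ocx|vbx|pif|js|vbs|shs)$", re.I)

def is_windows_executable(filename, payload):
    """Flag by name (suffix) or by content (DOS/PE 'MZ' magic), so a renamed
    executable or a spoofed Content-Type does not slip through."""
    name = (filename or "").strip().lower()
    by_name = bool(EXEC_EXT.search(name))
    by_content = payload[:2] == b"MZ"
    return by_name or by_content

def scan_message(raw):
    """Return the subject, the attachment names to quarantine, and a SHA-256
    of each decoded attachment body. get_filename() reads Content-Disposition
    filename= and falls back to Content-Type name=, i.e. both headers the
    perl script above greps for."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {"subject": str(msg["subject"]), "flagged": [], "fingerprints": []}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        fname = part.get_filename()
        if is_windows_executable(fname, payload):
            verdict["flagged"].append(fname)
        # Fingerprint the decoded body, not the subject: a worm can rotate
        # subjects and attachment names for free, but the payload only
        # changes when the author ships a new build.
        verdict["fingerprints"].append(hashlib.sha256(payload).hexdigest())
    return verdict

def build_sample(subject, filename, payload, maintype="application", subtype="octet-stream"):
    """Constructed test mail: the lure text quoted in the story plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content("How are you ? When I saw this screen saver I immediately thought about you...")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()

PE_STUB = b"MZ\x90\x00" + b"\x00" * 60    # constructed: only the magic matters here
SAMPLE_WORM = build_sample("Hi", "gone.scr", PE_STUB)
SAMPLE_WORM_B = build_sample("Check this out", "gone.scr", PE_STUB)     # rotated subject
SAMPLE_RENAMED = build_sample("Re: notes", "notes.txt", PE_STUB, "text", "plain")
SAMPLE_DOTEXE = build_sample("Hi", ".exe", PE_STUB)
SAMPLE_BENIGN = build_sample("minutes", "minutes.txt", b"Agenda: budget\n", "text", "plain")

if __name__ == "__main__":
    for raw in (SAMPLE_WORM, SAMPLE_WORM_B, SAMPLE_RENAMED, SAMPLE_DOTEXE, SAMPLE_BENIGN):
        v = scan_message(raw)
        print("%-15s -> %s  %s" % (v["subject"], v["flagged"] or "clean", v["fingerprints"][0][:12]))
```

    The two worm samples carry different subjects but the same fingerprint, which is what a mail-gateway rule should key on; the renamed copy is caught by the "MZ" check even though its Content-Type says text/plain. A string check on the subject line, as the grandparent comment notes, would have missed the second message outright.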
  42. Re:Gartner Group by moof1138 · · Score: 2, Funny

    I would like to see Gartner condemn the use of ICQ and ScreenSavers, recommending IRC and turning off displays instead.

    --

    Hyperbole is the worst thing ever.
  43. Same here by truthsearch · · Score: 2

    My office just got it as well. Our Exchange servers have at least 2000 contacts and groups in the global e-mail list, so it seems to go through most of that list and e-mail everyone. We seem to have some sort of virus "catcher" running that removes most of the viruses, but those that get through send out thousands, so the e-mail groups are almost getting a few thousand e-mails each. Even with the virus removed, that's a lot of e-mails going around just within an hour or so.

    Now that I think about it, it's spreading amazingly slow in my office (we have approx. 20 international offices). This is sort of a good load test of our servers. Seems my company's setup of Exchange servers suck when hit with that many e-mails in a short period of time. But then again, I don't really know how another comparative e-mail server setup would fare.

  44. bah, put the blame where it belongs by Anonymous Coward · · Score: 2, Insightful

    Microsoft has had a patch available that disables .scr and many of the other extensions that these virii use. The thing is, the patch has been there, ready to download, since JUNE of 2000!!! Holy shit people, why don't you all have this already taken care of already?

    My shop NEVER gets these things. When you IT geeks are bitching to your bosses about how much MS sucks and begging to be able to switch the whole shop over to *nix, do you tell him/her that there has been a patch available for well over a year that would have stopped this?

    I bet you guys all leave that part out, don't you?

    I have uses for both Windows and various *nix's, so I use them both. But I at least attempt to keep the windows environment in tip top shape.

    How many of you "IT professionals" are sacrificing your shops systems by not applying obvious security updates, like the one I mentioned, just because you resent having to use Windows?

    I just happened to bump into some upper management of one of my companies associates, he was complaining about his shop getting destroyed by this virus today. His ears really perked up when I told him about the MS security patch that had been around since June of 2000. I think he will be looking for a new "IT professional" to run his place of business soon. I hate to get a guy fired, but such is life.

    The blame for this mess is on 1. Lazy/Ignorant IT people or 2. Linux loving geeks who want to use *nix at work, so they want to see MS fail, so they don't bother taking care of windows security.

    I don't know which category the guy I probably got fired fell under. How about the rest of you guys who said your shops were hit? Which one are you?

    1. Re:bah, put the blame where it belongs by Chris+Johnson · · Score: 2
      OK- how many clicks does it take to get to this patch you speak of, assuming the person going on the web to get the patch KNOWS EXACTLY where to go?

      And- how many Microsoft operating systems have been released since the patch was made public- with the vulnerability intact?

      This is not an oversight. This is policy.

    2. Re:bah, put the blame where it belongs by SuiteSisterMary · · Score: 2

      Go to www.microsoft.com/office Click 'downloads' Click 'Outlook.' There's the list. Look for things like 'E-mail Security.' Or just run a damn virus scanner. You lock your doors for a reason.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  45. No support here! by Goner · · Score: 5, Funny

    I am ashamed that anyone would intentionally use my Slashdot account name to bolster the popularity and reputation of their sick virus. I'm sure the hackers who created this monstrosity were well versed in such hacker tools as Bonzi Buddy and Lunix. If they think I would come out and support such a destructive screen saver they are very, very wrong. If God wanted toasters to fly, he would have given them wings.

    So, you hackers, wherever you are, Goner (of Slashdot lore) does not approve!

    1. Re:No support here! by aozilla · · Score: 2

      Hahahahaha. Have fun when the FBI comes to your door and detains you as a material witness in a terrorist activity! You picked the wrong handle, man.

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  46. In defense of Microsoft...... by cscx · · Score: 3, Interesting
    OK, I want all you Outlook-haters to read this: In outlook xp, you have to edit the registry if you want to be able to open .exe, .vbs, et cetera attachments. No ifs, ands or buts from Outlook. Which brings me to my next point... If people are generally so stupid they open attachments like this, they need to pack up their computer and put the box in their closet. I mean, shit, I could write a .vbs file, send it to someone running Pine under Win32 - what stops them from saving it and running the file. What also pisses me off is the people that say "oh I run Linux so I'm fine"... well buddy, I could send you


    #!/bin/sh
    rm -rf /*


    and say "Hey, run this!". Thing is, most Linux users are geekier than the average windows user, and will think twice before doing so! See, the problem here is not Outlook itself, but the incompetence of the people using it. Yay MS for disabling exes by default... just reminds me of all those Flash animations that make the e-mail rounds that could be virus laden.....

    1. Re:In defense of Microsoft...... by Azog · · Score: 3, Flamebait
      Mmmm, one important point you missed:

      What also pisses me off is the people that say "oh I run Linux so I'm fine"... well buddy, I could send you

      #!/bin/sh
      rm -rf /*
      Gee, I just tried that, and all it did was print a million "Permission denied" messages. Oh, and it messed up my test account, but I fixed that with "su, deluser test, rm -rf /home/test, adduser test", and everything's back to normal.

      Anyone else out there got some email viruses they want me to try out on my Linux box? They probably won't work either.

      Warning to Linux non-experts: if you want to try this yourself, note that running rm -rf /* will delete any file owned by the person who runs the command.

      Before you run anything off the network, you should switch your user (using the su command) to a "test" user that doesn't own any important files. You can set up a test user account by doing an "su root", "adduser test", and then "passwd test" to set the test user's password.

      Carry on mocking Windows at your leisure... Or maybe the Microsoft apologists could write a little explanation of how to set up a safe testing account on Windows? Oh, that's right you can't, too bad about that.

      (snicker)
      --
      Torrey Hoffman (Azog)
      "HTML needs a rant tag" - Alan Cox
    2. Re:In defense of Microsoft...... by PenguiN42 · · Score: 2, Informative

      Or maybe the Microsoft apologists could write a little explanation of how to set up a safe testing account on Windows? Oh, that's right you can't, too bad about that.

      What the hell?

      win2000: Save your executable, make it executable by everyone, then log out and log back in as "guest." The default guest account on win2000 doesn't have access to shite.

      winxp: same thing, except you can log in as guest without logging out from your previous account (yeh i know, not that special).

      --
      The following sentence is true. The preceding sentence was false.
    3. Re:In defense of Microsoft...... by SuiteSisterMary · · Score: 3, Insightful
      Oh, and it messed up my test account, but I fixed that with "su, deluser test, rm -rf /home/test, adduser test", and everything's back to normal.
      Oh, and for all you 'Linux non-experts' if you do this to an actual user's directory, well, they're not going to be happy. Hope you've got those backups. The point he was trying to make is that it's not a matter of system security, it's a matter of user education. How many 'oh look I installed linux' users are running vulnerable versions of wu-ftpd, bind, lpr, and so on? Lots.
      --
      Vintage computer games and RPG books available. Email me if you're interested.
    4. Re:In defense of Microsoft...... by cscx · · Score: 4, Troll
      Or maybe the Microsoft apologists could write a little explanation of how to set up a safe testing account on Windows? Oh, that's right you can't, too bad about that

      Mmmkay, let's give this a try shall we?

      1. Set up NTFS ACLs properly - this includes giving SYSTEM rights to what needs to have it, along with the Administrators group, etc. Users should only have read access. (Most experienced NT end-users should already have done this a long time ago; if you're on a properly set-up network, it should have been done already!)

      2. Open up the MMC, go to users and groups, and add a user. Make it a member of the Users group, which you have already set up as to only have read access (heck, you can set it up to everything BUT delete access... NTFS ACLs are so specific and expansive it beats rwxrwxrwx hands down :-/) and also give it full access to its home directory under "Documents and Settings\user"

      3. Log in as that user.

      4. Open up a command prompt.

      C:\>del /F/Q *.*
      C:\New Text Document (2).txt
      Access is denied.
      C:\New Text Document.txt
      Access is denied.
      etc...

      Oh wait, I didn't ever have to log in! Ever seen 2000's oh-so-cool "Run as different user" option on the property sheets? Guess not.

      I think it's about time the zealots pull their heads out of their asses before they go and flame someone on a topic they know nothing about.

    5. Re:In defense of Microsoft...... by ColaMan · · Score: 2

      In outlook xp, you have to edit the registry if you want to be able to open

      That'd be great except that not everyone can afford Office XP.

      We're stuck with office 97 because to upgrade to Office(n+1) is equivalent to a *whole years wages* for one of our employees.

      I'd prefer to keep that employee, as they are the ones making the money :-)
      It's a non-issue if you can install an upstream filter to weed out all the executable attachments.

      I like this procmail scanner myself

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    6. Re:In defense of Microsoft...... by Azog · · Score: 3, Troll
      So, cscx says:

      Mmmkay, let's give this a try shall we?

      [...](sketchy explanation of how to set up a throwaway test account deleted)[...]

      I think it's about time the zealots pull their heads out of their asses before they go and flame someone on a topic they know nothing about.
      Sorry, you lose. Here's why:

      1. That doesn't work on Windows 95, 98, or ME. Those systems just don't have security. Period.

      2. It doesn't work if you aren't using NTFS. A LOT of NT, 2K, and XP systems don't.

      3. You don't have a short, simple description of how to "Set up NTFS ACLs properly". But I don't blame you - a short, simple explanation of that subject is impossible.

      Compare that to Linux. The instructions I gave for setting up a throwaway test account are very simple, can be executed in seconds, and will work on any Linux distribution from the last five years at least.

      That's impossible on Windows, and your post basically proved the point. Thanks!
      --
      Torrey Hoffman (Azog)
      "HTML needs a rant tag" - Alan Cox
    7. Re:In defense of Microsoft...... by Azog · · Score: 2

      You are correct, user education is critical, and that was the main point of the original "In defense of Microsoft..." message. And yes, Linux distributions tend to install too many services. Recently this has improved, though, and modern distributions are very easy to keep up to date with point-and-click tools.

      But the point I am trying to make is: Linux will never have the kinds of email worms and viruses that plague the Microsoft world. It just ain't gonna happen.

      Why? Several reasons. Basically, Linux has facilities for security that Windows doesn't, and this really limits the damage that a Linux "virus" can do.

      Imagine two average home users. One is running Windows 98, the other is some modern distro of Linux, Red Hat for example. They get an "email virus". First of all, it's a lot easier to get infected from Outlook than from any Linux email client, and most viruses are for Windows... but ignore all that, suppose they both get an email with a malicious attachment.

      The Windows 98 user double-clicks the file. They are infected. The mail to the Linux user arrives with instructions to save it to disk, chmod +x it, and run it. Suppose they are smart enough to do that, but ignorant enough to not wonder if it is a good idea. So, it's difficult, but they get infected too.

      What is the worst that can happen to these two users?

      The Windows 98 user can lose everything. Maybe even hardware damage - there are viruses that trash the CMOS. The Linux user can only lose their own document files. Yes, that's pretty bad. But the hardware and system software is safe.

      Assume both users have backups of their document files on a CDR, and they have paid for support contracts from Microsoft / Red Hat respectively. So they call for help and explain what happened. Who will be up and running first, with the least amount of pain?

      The Red Hat tech support can find out what happened, walk the user through logging in as root, cleaning up, and restoring documents from backup. This can really be as simple as typing in a half-dozen short commands. It might take half an hour, including the time to update a few RPMs for good measure.

      Microsoft tech support will say: "Reinstall Windows. Reinstall all your drivers. Reinstall all your applications. Set up your system settings all over again. Don't click on email attachments. "

      If the user is lucky (remember they have probably never installed Windows before, it is not really a simple process) they may be up and running after three or four stressful, painful hours.

      --
      Torrey Hoffman (Azog)
      "HTML needs a rant tag" - Alan Cox
    8. Re:In defense of Microsoft...... by SuiteSisterMary · · Score: 2

      You are correct to point out in every instance that you assume the person is using windows 98. With 2000 professional and XP, though, all of your arguments fall flat, as both operating systems provide for finer security models than the UNIX world generally has, until you hit trusted solaris level 'secure' distributions, or heavily modified versions of Linux/*BSD or what have you. ACLs, security tokens, and what not. Also, I'll point out that in your tech support example, it's the Microsoft rep that would be correct. It's a given in the world of disaster recovery that a compromised box is restored from system install, then the last KNOWN GOOD (emphasis mine) backups of data, but NEVER the apps. Here's an example. At my last job, there was a 2K server that was out of IT's purview; it was a dev box that they guarded jealously. Fine. After it got spectacularly hacked, it fell under our purview. But we weren't allowed to reformat and reinstall. Fine. A bit later, I was doing a routine check for any NIMDA that might have fallen through our three or four layers of defense; shit happens. I wrote an app that looks for 'root.exe' in various places; great for scanning a subnet remotely for the very backdoor that crackers would use to get in. Anywho, I find a root.exe on this box. Do some frantic checking, and realize that this root.exe was placed there by sadmind a very long time ago. Well sheee-it.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    9. Re:In defense of Microsoft...... by sharkey · · Score: 2

      How many 'oh look I installed linux' users are running vulnerable versions of wu-ftpd, bind, lpr, and so on?

      And how many of them do everything as root? Windows luser or Linux luser, deluser still won't de-luser them.

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    10. Re:In defense of Microsoft...... by SuiteSisterMary · · Score: 2
      And how many of them do everything as root? Windows luser or Linux luser, deluser still won't de-luser them.
      EXACTLY!
      --
      Vintage computer games and RPG books available. Email me if you're interested.
    11. Re:In defense of Microsoft...... by mattACK · · Score: 2, Interesting

      Profiles directory - Creator Owner FC (or modify)

      In the shell, for me this is:

      cacls "Documents and Settings" /E /G "Creator Owner":C

      Geez that was tough. I don't think you'll find anyone defending Win9x, but you don't often see people attacking it anymore (unless they are desperate to make a point). Don't take offense to that, but NTFS does work if you ask it to.

      Anyway, there is no such thing as a short, simple explanation of security best practices, framework, etc. It is a mindset. Secure it until it doesn't work, open it until it does, standardize on it, and be fluid enough to rip it all out and start over if necessary. OS specifics are detailed out in the man pages/.hlp/.chm/whatever.

      --


      "My God, this must be a truly remarkable corn chip, to be so widely and confidently touted."
    12. Re:In defense of Microsoft...... by Afrosheen · · Score: 2, Interesting

      In the latest Mandrake 8.1, there are many facilities that discourage this lame practice. One is that the root account in KDE has a bright red background and no icons on the desktop. When a user logs in normally, he/she gets all the normal stuff. This was a brilliant move because most newbies will think 'I don't have shit if I login as root and that red background pisses me off'. Another nice touch is that telnet server isn't installed unless you install it by hand. Props to mandrake for preventing newbies from aiming that double-barrel shotgun root account at their tender feet.

  47. Fired-fighting by virg_mattes · · Score: 2

    > Do *you* want to try to fire the CEO?

    Actually, that's quite easy. Leak the fact that the CEO did this, and that it cost a buttload of money to clean it up. The shareholders will take it from there.

    Virg

  48. Re:*LOL*.. virus.. outlook.. *yawn* by CoolVibe · · Score: 4, Funny
    I can vouch that we have tried at my office ... REPEATEDLY .... to do just that. Some users just don't learn. After many attempts and incidents, they continue to open and execute every darn thing they are sent. These are usually the same people who send out all the "cute little utilities" that will run supposedly humorous animations and whatever. Sure, the next step would be some sort of administrative control/intervention, but as expected .. management (non-IT dept) is more interested in keeping people happy than in properly run systems. Our hands are tied.

    That's why the LART was invented. If you can't get sense into 'em, beat it into 'em.

    Yes, I actually kicked a user off the network one time because he had already gotten _three_ warnings from me. And yet he still opened untrusted attachments.

    *clicketyclick* no more DHCP lease, blocked by MAC address. His e-mail was directed to a temporary mailbox (so he couldn't get it from someone else's machine)

    He never did it again. Good luser. After a few days I couldn't stand his whimpering and copied his mail back and reactivated his lease. Now he listened and behaved. Actually, it had a more positive effect: that story went around the office, and they now think twice before opening something they get from someone they don't know. Heck, some even switched from OutLook to something else (I've seen copies of Eudora and filled up Netscape Mail folders appearing on the workstations all of a sudden).

    Sometimes you have to make it smart a little before they listen.

  49. True to some extent by Chuck+Chunder · · Score: 3, Insightful

    But a fundamental difference on Unix type systems is that files aren't inherently executable based simply on their extension, someone can't just save a file from their email and execute it, they need to know at least enough to "chmod u+x" the file which should at least make them think about it.

    Of course, that doesn't mean it's impossible to make an email client or desktop environment that would launch an attachment with "/usr/bin/sh" but hopefully that is so blindingly stupid that no-one would do it.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:True to some extent by tshak · · Score: 2

      But a fundamental difference on Unix type systems is that files aren't inherently executable based simply on their extension,

      No, the fundamental difference is that the average consumer wants to send self-executing greeting cards, videos, and interactive multimedia nonsense. Although MS could tighten security, the bottom line is that the consumer does not want to learn, nor cares about, chmod.

      Of course, if everything was executing inside of a sandbox, it would be much more difficult for this to happen.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    2. Re:True to some extent by Nater · · Score: 2

      ...hopefully that is so blindingly stupid that no-one would do it.

      I think it's fairly well understood that virus writers will by and large target the most popular platforms. But so will the herds of developers of legitimate software. As has been pointed out, some developers of software for Windows have thought that such "blindingly stupid" techniques were a good idea. They'd be doing things just as stupid regardless of the platform they were doing it on.

      --

      I like to play children's songs in minor keys.
      "We're all sons of bitches now." --J. Robert Oppenheimer

    3. Re:True to some extent by Chuck+Chunder · · Score: 2
      No, the fundamental difference is that the average consumer wants to send self-executing greeting cards, videos, and interactive multimedia nonsense. Although MS could tighten security, the bottom line is that the consumer does not want to learn, nor cares about, chmod.
      Indeed, and perhaps this is an opportunity for Linux/Unix to be marketed as a "Corporate" rather than a "Consumer" OS. In a corporate setting such 'multimedia nonsense' is a headache, not a bonus.
      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
    4. Re:True to some extent by Glytch · · Score: 2

      This got me thinking. Has anyone tried to mate sshd with icq? With proper security (maybe an ssh client plugin?), it would be extremely useful for those of us with fascist ISPs that change user IPs with every connection (thus making dynamic IP services almost useless). Time to scour freshmeat and sourceforge...

    5. Re:True to some extent by SurfsUp · · Score: 2

      ...the fundamental difference is that the average consumer wants to send self-executing greeting cards, videos, and interactive multimedia nonsense.

      True enough, and this is a role that Java could and should have played, except for the startling inability of Sun to come up with a light, tight implementation and to an even greater extent, Microsoft's malicious plan to subvert and contain the deployment of Java on Windows boxes.

      Perhaps we could look at a sandboxed version of Python. Oh wait, hey - we've got a Linux sandbox, it's called UML.

      /me heads off to find jdike

      --
      Daniel

      --
      Life's a bitch but somebody's gotta do it.
  50. Worminess by virg_mattes · · Score: 2

    > if it looks like a trogan, smells like a trogan, acts like a trogan....

    Then it's probably a trojan.

    Virg

    1. Re:Worminess by RollingThunder · · Score: 2

      But I thought Trojans reduced the risk!

  51. If you run Windows, get AVG by Sokie · · Score: 2, Informative

    http://www.grisoft.com, in my opinion, about the best virus program out there.

    1. It's free (with no ads or other annoyances)
    2. It scans both incoming *and* outgoing e-mails for virii if you so choose. (It will even tag them as certified virus free by Grisoft if you want.)
    3. Just because it's free (although they do sell commercial versions) doesn't mean you don't get updates or anything. They already have an updated database (out today) for Goner.

    Anyway, just something for the Windows people who don't have one of the commercial virus apps already, I've loved AVG since I put it on.

    Also, doesn't look like AVG was targeted for deletion by this virus, course that just means AVG isn't very well known, but nice to know for me anyway....

    --
    ------
    Where are the slash-groupies? I distinctly remember being promised slash-groupies!
  52. Is this really so hard to fix? by 90XDoubleSide · · Score: 2
    All Microsoft has to do is tell the outlook team to go over to their Macintosh Business Unit and steal this dialog. This could at least stop the smartest 60% of users from spreading these things. And how about another warning about running script files? Last time I checked there weren't too many people using script attachments for legitimate purposes. Of course making the two most popular versions of your internet software automatically execute files doesn't help either. Yes, users should have patched their software, but just go to any site that tracks browser usage and you'll see that most people are running a vulnerable version of MS Outlook/Explorer; once you let that much vulnerable software out of the bag, it's hard to get it all back in.

    I would also like to know how the worm was labeled as non-destructive if it, "will try to delete files of common anti-virus and firewall products. If the files are in use and cannot be deleted, the worm will create the file %SYSTEM%\Wininit.ini, which causes the files to be deleted when the computer restarts." Granted it doesn't try to fry your BIOS chip, but last time I checked anything that deleted files was destructive.

    --
    "Reality is just a convenient measure of complexity" -Alvy Ray Smith
  53. Where are the *really* destructive viruses? by MongooseCN · · Score: 2

    I'm still surprised no one has made a really destructive worm that trashes someone's system. It shouldn't be too hard to modify one of these worms to do something like that. You'd think with all the worm/virus makers out there some of them would have different intents, unless all these worms are all being written by the same group of people.

    1. Re:Where are the *really* destructive viruses? by ColaMan · · Score: 2

      You can't make them really destructive, as it is difficult to find the balance between replication and damage ... too much damage (too soon) and the virus won't reproduce.

      I suppose a counter to wipe any attached drives after X replications would do the trick though.
      Do all attached drives and leave your windows directory until last.

      But you didn't hear me say that :-)

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  54. Re:*LOL*.. virus.. outlook.. *yawn* by Maeryk · · Score: 2

    Or, her company should have some kind of firewall up to keep these things from hitting their internal account in the first place!

    --
    Feminine Protection? What is that? A chartreuse flame thrower?
  55. Ready for the desktop? by Asic+Eng · · Score: 3, Troll
    I guess this shows that Windows is not ready for the desktop. Sure, playing games, maybe coordinating meetings and using a calendar, work - but email? Leave that to serious systems.

    I know, I know, other email clients, etc.

    However there is one thing I don't understand, why are flaws which convert your office network into a disaster area, somehow acceptable, whereas some esoteric calendar tool is so vitally necessary that people straight-faced claim that Linux isn't ready for the desktop?

    It's not just Outlook either - every damn document format that MS produces is an attack waiting to happen. Apart from being susceptible to bit-rot and bloated.

    The average user simply does not have the competence to operate a Windows system safely in an office environment. It's not enough to consider training costs when switching to Linux, you also need to consider TCO. That means your downtime, additional maintenance to repair user machines and lost or corrupted data, when using Windows systems.

  56. Re:who uses scripting in outlook? by Chris+Johnson · · Score: 3, Interesting
    And pass up the possibility of "stopping a variety of antivirus and security applications and deleting all the files in the folders containing those applications. Kaspersky Lab's AVP, Zone Labs' ZoneAlarm, and Internet Security Systems' Black Ice are among the programs affected."? (CNet)

    Those ARE all Microsoft competitors, are they not?

    Microsoft DOES have an inferior product bundled with XP that they wish to prevail against this technically superior (and two-way: no spyware-friendliness like with MS's version) competition, do they not?

    Let me say that I don't know whether Microsoft has spread this worm themselves to take out their competitors, because I don't know where it came from in the first place and I won't have to deal with it except shoveling it out of my Mac/Eudora Light inbox. But you have to ask, 'who benefits?'. And you can't seriously expect Microsoft to get rid of their scripting, when they can use it in so many ways to damage their competitors- and their competitors are not only 'any other software company' but the fundamental technologies of the Internet itself, which they don't own. They _want_ this to happen.

  57. Apropos Icon by sharkey · · Score: 2, Funny

    The silouhette of Darth Vader in the icon is a nice touch, to my way of thinking.

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  58. Re:Pure Wisdom (better) by gosand · · Score: 3, Funny
    I got an email (as did everyone else) from someone in the company who gave detailed instructions on how to use the "Rule Wizard" (first clue) to delete these emails permanently upon receiving them.

    The problem? The steps outlined how to check the subject line for the word "hi" and permanently delete it and the message flag.

    I tested this out, and Outlook isn't case sensitive, nor does it recognize if the target word is embedded. So any email with the word 'hi' anywhere in the subject would get deleted. (e.g. this, Chicago, chickenpoop, etc) It was also suggested that the exception be if your name was in the To or CC, but we use so many distribution lists, that wouldn't matter too much.

    *sigh*

    --

    My beliefs do not require that you agree with them.

  59. Re:who uses scripting in outlook? by 90XDoubleSide · · Score: 2
    The macro (VB script) is a very useful feature of any spreadsheet program

    But how many people need macros embedded in documents? And the real problem is that VBScript has way too much power. The macro language needs no access to the system beyond Office files.

    --
    "Reality is just a convenient measure of complexity" -Alvy Ray Smith
  60. Filtering SMTP forwarder? by Spacelord · · Score: 3, Informative

    What I don't get is ... why doesn't everyone just add a forwarding SMTP server between the internet and their exchange server and set it up to deny .vbs, .scr, ... style attachments.

    We use exchange at work too, and I just set up a linux box running postfix in front of it. With a simple oneline regular expression, every dangerous attachment gets blocked. (hint: use the body_checks parameter) We haven't been hit by a single worm or virus since then.

    1. Re:Filtering SMTP forwarder? by SuiteSisterMary · · Score: 2

      We just used a decent antivirus on the server (as well as a centrally managed one on the desktop, but that's a different story) that was told, outright, to strip attachments with such useless extensions as .scr, .vbs, .js, .bat, and so on, before it even bothered to check for virii. Gosh, nothing ever bothered us after that....

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  61. Re:exactly... by brunes69 · · Score: 2

    If you worked at a support desk for even one week, you'd soon realize that no one ever saves their email, or any attachments within. They leave it in their inbox, until it reaches their quota limit of 500 megs or so. By this time, 95% of the stuff is so old it's useless, and they delete it all. The rest of it, instead of saving the humongous attachments, what do they do??? They create outlook folders on their HD, and move the emails there! Then they wonder what happened when their files get corrupted, maybe has something to do with the fact you have this one .pst file that is 1.5 GB.

  62. Re:Smart SMTP by AnimeFreak · · Score: 2, Insightful

    Problem here.

    What happens if I have to send out a document to 50 people via e-mail?

  63. Ah, the brilliance of mainstream news... by Rob.Mathers · · Score: 2, Funny

    While watching my local news, I heard the following quote: "The goner virus can also strike through ICQ programs like MSN Messenger." I'm beginning to dread any newscasts on tech related issues.

    --

    My other sig is funny!
  64. unique by sheetsda · · Score: 3, Funny

    "Always remember you're unique, just like everyone else." I wish I knew who said it.

  65. Why do we put up with this... by linuxci · · Score: 2
    http://www.monkeyontoast.com/rant/microsoft_layz.htm is an interesting article about why Microsoft should be liable for the quality of their software.

    Personally, now I think that it should be the system administrators of company networks that continue to use Outlook as well as the ISP's that continue to recommend OE to their customers to blame. These are not email viruses as they only affect poorly designed software and not the vast majority of decent email software out there. I don't run ICQ but that client has always struck me as a shoddy IM client, better to use something like Trillian instead. I like Jabber but it's having problems communicating with ICQ and AIM the last time I tried it.

    1. Re:Why do we put up with this... by FFFish · · Score: 3, Funny

      You've made an interesting point. Other manufacturers are held liable for end-user incompetence: why isn't Microsoft?

      Ever wonder why your hair-dryer has a warning that you shouldn't use it in the shower? It's very likely because some evolutionary dead-end once actually did use it in the shower, and a lawsuit came of it.

      Hell, it even happens in Canada: some dumbshit teenager pulled a Coke machine onto himself, and his parents are trying to sue Coke for his abuse of the property!

      Obviously, it's quite acceptable to find companies liable for the carelessness, incompetence, stupidity, or maliciousness of their products' users.

      I fail to see why Microsoft isn't held accountable.

      --

      --
      Don't like it? Respond with words, not karma.
  66. We haven't even touched the surface.. by defile · · Score: 4, Insightful

    Thank god the people that write this kind of code are completely incapable of writing evil IDE command sequences that can fry hard drive firmware.

    Imagine the destruction you could cause if after every infection and replication to everyone in your address book, it wrecked your hard drive and required it to be sent back to the manufacturer for repair?

    Hmm, interesting sales pitch you could offer to Maxtor, Seagate, etc if you want to make a quick buck at the expense of the global economy. (unless the 90-day warranty covers "act of hacker").

    1. Re:We haven't even touched the surface.. by Malcontent · · Score: 2

      well don't just stand there post an example.

      --

      War is necrophilia.

  67. Re:Not an outlook worm, an outlook express worm by Zico · · Score: 2, Interesting

    Nope. With Outlook 2002 (XP), Outlook 2000 with SP2, or Outlook 98 or 2000 with the Email Security Update, you can't even save the attachment elsewhere, or open it or forward it to someone else. See http://www.slipstick.com/outlook/esecup.htm#attsec.

  68. NTFS (programmers perspective) by DarkEdgeX · · Score: 5, Interesting

    You'd use MoveFileEx to get rid of the file, like so--

    MoveFileEx("C:\\WINNT\\System32\\Gone.scr", NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

    The combination of MOVEFILE_DELAY_UNTIL_REBOOT and a NULL lpNewFileName creates a special condition where Windows deletes the file at startup. This is commonly used by installers, for example, when a file is in use and DeleteFile fails. For anyone going through the trouble of putting this into an executable, you might want to grab the Windows system directory from Windows itself.. this can be done using GetSystemDirectory (prototyped as--

    UINT GetSystemDirectory(
    LPTSTR lpBuffer, // buffer for system directory
    UINT uSize // size of directory buffer
    );

    ) or you could be clever and use ExpandEnvironmentStrings, prototyped as--

    DWORD ExpandEnvironmentStrings(
    LPCTSTR lpSrc, // string with environment variables
    LPTSTR lpDst, // string with expanded strings
    DWORD nSize // maximum characters in expanded string
    );

    Shrug. =) Just thought this might help, for those unable to figure out how to delete a file in NTFS (but that do have a C/C++ or other compatible compiler).

    --
    All I know about Bush is I had a good job when Clinton was president.
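    Both reboot-time deletion mechanisms mentioned in this thread can be audited from the defender's side. The following is an added example (not code from any poster): it parses the Wininit.ini [rename] section that the Symantec description quoted in post 52 refers to (Windows 9x), and the PendingFileRenameOperations registry value (a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) that MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends to on NT-based Windows, then flags pending deletions aimed at security-product directories. The watched directories and the sample inputs are constructed assumptions.

```python
"""Audit reboot-time file deletions scheduled on a Windows machine.

Added example; reads data taken from a disk image or exported registry hive,
so it runs anywhere. Sample inputs below are constructed.
"""
from typing import List, Optional, Tuple

# (source path, destination path); destination None means "delete source".
Op = Tuple[str, Optional[str]]


def parse_wininit_rename(ini_text: str) -> List[Op]:
    """Parse Wininit.ini (Windows 9x). Lines under [rename] read
    destination=source; a destination of NUL deletes the source at boot."""
    ops: List[Op] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        ops.append((src, None if dest.upper() == "NUL" else dest))
    return ops


def parse_pending_renames(multi_sz: List[str]) -> List[Op]:
    r"""Parse PendingFileRenameOperations (NT): the REG_MULTI_SZ holds
    pairs [src, dst, src, dst, ...]. Paths carry an NT \??\ prefix, an empty
    dst means delete, and a leading '!' on dst means replace an existing file."""
    def clean(path: str) -> str:
        path = path.lstrip("!")
        return path[4:] if path.startswith("\\??\\") else path

    ops: List[Op] = []
    for i in range(0, len(multi_sz) - 1, 2):
        src, dst = multi_sz[i], multi_sz[i + 1]
        ops.append((clean(src), clean(dst) if dst else None))
    return ops


# Constructed watch list: products named in the CNet quote in post 56;
# the install paths are assumptions, not taken from any vendor.
WATCHED_DIRS = [
    r"C:\Program Files\Zone Labs",
    r"C:\Program Files\Kaspersky Lab",
    r"C:\Program Files\BlackICE",
]


def flagged_deletions(ops: List[Op], watched_dirs: List[str] = WATCHED_DIRS) -> List[str]:
    """Return source paths scheduled for deletion inside a watched directory.
    Renames (dst set) are ignored; a pending delete of an AV/firewall binary is
    exactly the footprint the worm description above talks about."""
    prefixes = [d.lower().rstrip("\\") + "\\" for d in watched_dirs]
    return [src for src, dst in ops
            if dst is None and any(src.lower().startswith(p) for p in prefixes)]


# Constructed sample: a Wininit.ini as the Symantec text describes it.
SAMPLE_WININIT = r"""
; constructed sample, not a real capture
[rename]
NUL=C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
NUL=C:\Program Files\Zone Labs\ZoneAlarm\vsmon.exe
C:\WINDOWS\SYSTEM\newlib.dll=C:\WINDOWS\TEMP\newlib.tmp
"""

# Constructed sample: a PendingFileRenameOperations value. The last pair is the
# legitimate cleanup from post 68 (MoveFileEx on Gone.scr with a NULL target).
SAMPLE_PENDING = [
    r"\??\C:\Program Files\Kaspersky Lab\AVP\avp.exe", "",              # delete
    r"\??\C:\WINNT\Temp\drv.tmp", r"!\??\C:\WINNT\System32\drv.sys",   # replace
    r"\??\C:\WINNT\System32\Gone.scr", "",                              # delete
]

if __name__ == "__main__":
    ops = parse_wininit_rename(SAMPLE_WININIT) + parse_pending_renames(SAMPLE_PENDING)
    for src, dst in ops:
        print(("DELETE " if dst is None else "RENAME ") + src + ("" if dst is None else " -> " + dst))
    print("flagged:", flagged_deletions(ops))
```

Gone.scr is not flagged because it sits outside every watched directory; only the three security-product binaries are reported.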
    1. Re:NTFS (programmers perspective) by DarkEdgeX · · Score: 2

      I haven't been infected with the virus, so I have no clue-- the guy prior to me was making it sound like NTFS presented some sort of difficult challenge to delete files in, and I was merely pointing out that it's possible to just MoveFile() it and reboot and it's gone.

      Easier way, yeah-- open Task Manager | Processes and find it in there (if it is, even), right-click on it and End Process. Then deleting the file should be easy (should be able to do it with Explorer).

      But, then there's a reason I threw in 'programmers perspective' in the subject line...

      --
      All I know about Bush is I had a good job when Clinton was president.
    2. Re:NTFS (programmers perspective) by Malcontent · · Score: 3, Funny

      And they say linux is hard to use. You have to fire up a C compiler just to delete a file. Sheesh..

      --

      War is necrophilia.

  69. Re:Won't work by mrseigen · · Score: 2, Interesting

    People would still open and run it anyway.

  70. Re:Not an outlook worm, an outlook express worm by Zico · · Score: 4, Informative

    Au contraire, mon frere! Just go to http://www.slipstick.com/outlook/esecup/getexe.htm#ol2002 and get the registry-editing instructions or downloadable tools to let you determine the Outlook 2000/2002 (XP) security settings on any type of file you want. I recommend the "Attachment Security Options" tool, myself.

  71. Who to sue? by andkaha · · Score: 2

    (I'm using the word "sue" here since most merkins seem to use it as a synonym for "blame").

    Most Microsoft software is manager-ware, meaning it is expensive, it looks nice, it is user friendly, and Bob Mustermann can learn how to use its basic features from an out-of-town one week course. This in turn usually means that large corporations depend upon it.

    Just a thought: Has anybody heard of anyone that has tried to sue Microsoft for loss of profit (or whatever) due to faulty products? Do Microsoft have some kind of protection from this?

    Other software, licensed under free licenses, always has NO WARRANTY. This means [I believe] that you ought to think before depending on it, because if it breaks, or makes something else break, you can't blame the author or ask for compensation.

    Hmmm... If we don't sue Microsoft for providing us with a faulty product, who should we sue? Is it the fault of the manager that advised us to install the crap, or is it the fault of the script kiddie that wrote the virus?

    I would argue that it's not the fault of the script kiddie that wrote the virus. He (presumably a he, anyway) can't be blamed for the errors of Microsoft. Don't give me the knocking on doors parallel, because it's not the same thing. Well, partly. If Microsoft built the house. But then, why won't they fix that bloody door?

    I would also argue that it's not the fault of the manager. She (this is a large corporation, they try to be PC as part of their PR) probably got a nice PowerPoint presentation and a lunch from a Microsoft sales person. Maybe even a dinner and some wine-and-cheese.

    I don't know... I'm just feeling a bit random at the moment.

    --
    It's 11pm, do you know what your daemons are up to?
  72. Procmail can easily fix this by JoshuaDFranklin · · Score: 5, Informative
    Honestly, how many people really send raw screensavers?? Make people at least zip them. If you're running a *NIX mail server, put this in your /etc/procmailrc NOW:
    VIRUSDUMP=/var/virusdump/virus
    :0 # Use procmail match feature
    * ^From:\/.*
    {
    HFR = "$MATCH"
    }

    :0
    *^Content-type:.*
    {
    :0 HB
    *name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe|bat|js)"
    {
    :0 fhw
    | (formail -r; \
    echo -e "This is an auto-generated message\n\
    \n\
    The email referenced above, which was sent from your address, \n\
    had a virus-vulnerable attachment (such as .EXE, .VBS, .PIF, etc).\n\n\
    This mail server no longer accepts mail with virus-vulnerable \n\
    attachments and the email has been quarantined.\n\
    Please try resending your attachment in a safe format such as ZIP. \n\
    Contact support@your-name.com if you have any questions")\
    | mail -s "Possible virus deleted" "${HFR}"
    :0
    ${VIRUSDUMP}
    }
    }
    We get about 50MB/day of these. Archive them for a week, then delete them. If anybody really sent something useful, someone at the address listed can get it back for them. Hasn't happened yet.
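    As an added example (not any poster's configuration), here is the same attachment policy as the procmail recipe above written in Python with the standard email module, which reads the attachment name from Content-Disposition or Content-Type instead of grepping the raw text, plus the whole-word subject check that the "hi" rule in post 58 lacked. The addresses and messages are constructed.

```python
"""Mail-gateway attachment filter (added example, not from the thread).

Quarantines on the extension list the procmail recipe uses, and shows how to
match a subject word without the substring false positives ("Chicago") that
the Outlook "hi" rule produced. Sample messages are constructed in memory.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Same extensions the procmail recipe quarantines.
BLOCKED_EXTENSIONS = {"vbs", "wsf", "vbe", "wsh", "hta", "scr",
                      "pif", "com", "exe", "bat", "js"}


def blocked_attachments(raw: bytes) -> List[str]:
    """Return attachment file names whose final extension is on the block list."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    for part in msg.walk():
        # get_filename() checks Content-Disposition filename= first, then
        # Content-Type name=, and decodes RFC 2231/2047 encoded values, so
        # unquoted or encoded names that a raw regex misses are still seen.
        name = part.get_filename()
        if not name:
            continue
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:   # catches photo.jpg.SCR as well
            hits.append(name)
    return hits


def subject_has_word(subject: str, word: str) -> bool:
    """Whole-word, case-insensitive match: "Hi" and "hi there" match,
    "Chicago" and "chickenpoop" do not."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(word) + r"(?![A-Za-z0-9])"
    return re.search(pattern, subject, re.IGNORECASE) is not None


def filter_message(raw: bytes, subject_word: str = "hi") -> Dict[str, object]:
    """Decide quarantine vs deliver. Only a blocked attachment quarantines;
    the subject match is reported but never acts on its own, because a
    one-word subject is far too common to be a reliable signal."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    blocked = blocked_attachments(raw)
    return {
        "subject": subject,
        "subject_hit": subject_has_word(subject, subject_word),
        "blocked_attachments": blocked,
        "action": "quarantine" if blocked else "deliver",
    }


def build_message(subject: str, body: str, filename: Optional[str] = None,
                  data: bytes = b"") -> bytes:
    """Build a test message in memory (constructed sample input, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "you@example.com"           # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: a worm-style mail using the wording from the story,
# a harmless mail whose subject merely contains "hi", and a double extension.
WORM_STYLE = build_message(
    "Hi",
    "How are you ? When I saw this screen saver I immediately thought about you...",
    "gone.scr", b"placeholder bytes, not a real attachment")
BENIGN = build_message("Chicago trip", "Slides attached.", "slides.zip", b"placeholder")
DOUBLE_EXT = build_message("photos", "see attached", "photo.jpg.SCR", b"placeholder")

if __name__ == "__main__":
    for raw in (WORM_STYLE, BENIGN, DOUBLE_EXT):
        print(filter_message(raw))
```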
  73. Re:*LOL*.. virus.. outlook.. *yawn* by MtViewGuy · · Score: 3, Informative

    Actually, if you're running Outlook Express 6.0 from Internet Explorer 5.5 SP2 and 6.0, you can set up in Options the ability for the program to NOT allow the execution of any file attachment. In that case, the virus is useless other than hogging local disk space as the virus file is downloaded.

  74. Re:exactly... by zootie · · Score: 2, Informative
    Yep, the Outlook security patch has been out for a while. This virus (and most of the viruses out there) have more to do with user education than with Microsoft's competence. If you have the patch installed, this virus doesn't deserve much attention, it's interesting that it is starting to use other APIs (like ICQ and mIRC).

    If you have Outlook with Exchange Server, you can disable the warning about a virus when sending bulk mails (or programmatic mails), and you can gain access to those dangerous attachments (like MDBs or EXE), and you can get rid of the warning depending on the user. Just check the documentation for the patch. It is a bit of a pain (you can't specify groups/distribution lists, you have to specify the specific users), but it gets the job done (restricts most users, and allows you to give permissions to responsible users).

    Also, if you have applications using CDO, but wish to port them to an API that is less attacked, you might want to consider Outlook Redemption. It is code compatible with CDO, and even has additional MAPI functionality.

  75. Re:got two this morning you have to run it by generic-man · · Score: 2

    How do inexperienced people like you acquire such high karma? You can't spell, your grammar is flawed, and you have little sense of how things work in the real world.

    You must be new here.

    --
    For more information, click here.
  76. Disclaimer of liability for loss of profit by Robin+Lionheart · · Score: 3, Interesting

    Has anybody heard of anyone who has tried to sue Microsoft for loss of profit (or whatever) due to faulty products? Does Microsoft have some kind of protection from this?

    The EULA distributed with Office 2000 specifically disclaims liability for "loss of profit":

    "To the maximum extent permitted by applicable law, in no event shall Microsoft or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use the SOFTWARE PRODUCT or the provision of or failure to provide Support Services, even if Microsoft has been advised of the possibility of such damages."

    Under the USA's Uniform Commercial Code, there is by default an implied warranty that any product sold is "merchantable", meaning fit for the customary use that the product is put to. Unless the terms of sale change that implied warranty, a buyer could sue over dysfunctional software.

    Software licenses generally disclaim those implied warranties, an innovation that began with VisiCalc's "as is" license. If you read the fine print of Microsoft EULAs, you will find a capitalized sentence like "TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, WITH REGARD TO THE SOFTWARE PRODUCT, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES."

    Whether the EULA has any legal weight is questionable. Software licenses are rarely presented at the time of sale. Installation programs try to impose them after the fact by demanding your agreement before installing the program on your computer.

    Like many click-wrap agreements, Microsoft's EULAs are very one-sided, offering you nothing in return for restricting you from installing the software on more than one computer, from making more than one backup copy, from lending the software to anyone else, from reverse-engineering the software, and sometimes even from reselling the software or from criticizing the product. Such "agreements" may not constitute valid contracts, and even if they were, may be invalid as "contracts of adhesion".

    So, Microsoft and other software corporations lobby for UCITA (Uniform Computer Information Transactions Act) laws giving software the special ability to impose terms and restrictions after purchase. UCITA has already passed in Maryland and Virginia and has been introduced in the legislatures of many other states.

  77. How destructive can it be... by neema · · Score: 2

    How destructive can it be if it's removing virus protection software that failed to detect and prevent it in the first place?

  78. Kmail, Evolution, Mutt, Pine... by leonbrooks · · Score: 2
    or at least get them to try Eudora instead.

    Done. That's how the entire IT section operates at this site: they use ssh (PuTTY) to a Linux box and Pine to read their mail there. Being the black sheep of the family, I use KMail.
    --
    Got time? Spend some of it coding or testing
  79. Badtrans? That's so *Last*Week* !! by billstewart · · Score: 2
    You guys just haven't caught up with Today's Holiday Gift from Microsoft yet. My company's got tens of thousands of people using LookOut, and mailing lists that reach large parts of the company, so it only took one or two clueless people or people with machines that weren't updated after the previous few viruses to send it to everybody, at which point some fraction of either clueless or mis-configured mailers started blasting everybody.

    So, "hi", we're in a "harry" here, and MS Outlook has been turned into a really lame screensaver as the mail servers either crash under load or get shut down or put into heavy-duty-filter mode. The payload is about 45KB of compressed data, expanding to the now-well-known 159KB, so multiplying that by the 2000+ messages I succeeded in receiving today gives about 90MB. The folks on dialup fortunately can't transmit that fast :-)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  80. IM Viruses, and Jabber vs AIM/ICQ by Nonesuch · · Score: 2
    Jabber has difficulty communicating with AIM/ICQ because AOL intentionally takes action to block Jabber servers from proxying user communications with AIM/ICQ users from jabber clients.

    From my limited review of the source code, Jabber is not inherently worm-proof, it's just not popular enough to attract much attention from worm authors.

    Any security advantages that Jabber does have are unrelated to the open source code, but rather are almost entirely due to the communications protocol itself, which makes extensive use of XML and generally does not permit direct client-to-client communications.

    I'm not so sure that Goner spreading via ICQ has anything to do with the 'shoddy' nature of the client software; there has been other similar malware that used AIM or Messenger to spread its payload.

  81. About the fourth last straw? by leonbrooks · · Score: 3, Informative
    This is the last straw. I have already talked to all of the relevant managers and we are slated to migrate all of our users' e-mail action to Eudora starting in January.

    This will reduce the problem but not fix it.

    Migrate your clients to Linux on PPC (iMacs are nice for this, StarOffice on LinuxPPC is just about happy enough to use) and never fear an attachment again. Plan ahead to include some Alpha and MIPS boxes as well (you can do that on the server end now), so when some meathead eventually produces the first serious LinuxPPC virus it doesn't get everyone in your office.

    --
    Got time? Spend some of it coding or testing
  82. Re:Outlook _can_be_ secure by mach-5 · · Score: 2

    I rarely see any Outlook virii where I work. Although, we are such a large company that we have a crack IT team. I received a notice that they were pushing the extra.dat file for McAfee before I even saw the slashdot post. Also, I never received *anything* in my inbox, so yes, you are correct that good filtering on the exchange server helps...a lot!

  83. If I had Mod Points... by wirefarm · · Score: 2

    You'd get 'em.
    Your post was the most useful I've seen on Slashdot in quite a while.
    Now my boss can't tell me not to read Slashdot at work anymore.

    Thanks -
    Jim in Tokyo

    --
    -- My Weblog.
  84. Re:exactly... by Arlet · · Score: 2

    The real issue here is that the files shouldn't get corrupted, even if your .pst file is 1.5GB. I keep a lot of stuff in my outlook folders too, organized by topic, including any attachments people may have used. This makes it really easy to view the same thread a year later. There is no fundamental reason why putting 1.5G worth of documents straight on the disk should be any better or more efficient than leaving them in your mailboxes. People aren't supposed to know this, anyway. They're supposed to do their work, and not have to worry how big their mail database has gotten.

  85. We have a sysadmin be forceful like that... by Blackwulf · · Score: 2

    Back when one of the other lovely vbs viruses was going around (not ILOVEYOU, but a later one...There have been so many I've lost track) our sysadmin ran around our office saying to not open the attachment if they got it. This was because one of my coworkers opened it. He told her not to open it.

    Well, it got sent back to her, and what did she do...OPEN IT AGAIN.

    So he got out of his office, and went to her, and asked her if she opened it again.

    "Oh, I wasn't supposed to?"

    So he goes back to his office, and what does she do? SHE OPENS IT AGAIN. "I wanted to see the picture!"

    The sysadmin ran out of his office, YANKED the network cable out of her machine and said "GO TO LUNCH. NOW."

    She didn't return for the rest of the day, and the incident allowed our sysadmin to receive the funding necessary to install virus scanners on all of our servers and workstations. Goner only hit one person, and she was smart enough to not open it.

  86. Re:What do you suggest? by NumberSyx · · Score: 2

    How would you improve on the way MS issues patches?

    I would like them to start with accessibility. Patches are useless if no one knows about them and/or can't find them.

    What about Windows Update do you not like?

    It is usually several weeks, if not months out of date. The patch for these email viruses has been available a very long time, but has never made its way into Windows Update.

    What would you change,

    More frequent updates, say weekly, maybe even daily. A single point of information on the MS website, where users can go to find the latest patches and information. Maybe even a mailing list or a listserv. Fast and complete disclosure of problems, no "we will get back to you in two or three weeks" answers.

    and why do you think it would help the average user?

    I am not even going to answer this one; I think the benefits to the end user are obvious.

    --

    "Our products just aren't engineered for security,"
    -Brian Valentine, VP in charge of MS Windows Development

  87. Re:What do you suggest? by JMZero · · Score: 2

    I agree that MS's implementation is sometimes off. They're often slow/negligent.

    My defense was of the model. Windows Update is MEANT to be the single point of access for patches that you talk about. As to finding Windows Update, it's been on the first layer of the start menu for some time. They've certainly tried to make it visible.

    You're right, MS should have disabled opening executable attachments long ago, instead of waiting for XP. For a long time they've had the option of disabling opening - I don't know why it hasn't been default.

    --
    Let's not stir that bag of worms...
  88. Re:What? Still? by Chelloveck · · Score: 2

    When I write my Über Virus, it'll look something like this:

    To: {target}@{somedomain.com}
    From: Help Desk <helpdesk@{somedomain.com}>
    Subject: Virus Alert!

    Warning! An especially dangerous new computer virus has been discovered. Please run the attached program to secure your system.

    <Attachment: MSHOTFIX.EXE>

    Then, of course, the "HOTFIX" pops up a notice saying you're secure, and goes into stealth mode. None of this pansy-ass "mail-to-everyone-on-earth" business, but something that'll go through and transpose random digits in any Excel spreadsheet it comes across.

    And then, the world will be mine! Muah-ha-ha-ha-ha-ha!

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
  89. Re:*LOL*.. virus.. outlook.. *yawn* by Lemmy+Caution · · Score: 2

    Specifically, I'm thinking of the nasty Jerusalem B virus that would infect LOGIN.EXE and BTRIEVE.EXE files, and thus reinfect each machine on the network at login.

  90. Re:*LOL*.. virus.. outlook.. *yawn* by MikeBabcock · · Score: 2

    Or just use a filter on your Linux mail server if you run one ... like we do.

    Oh well, I guess you prefer needing 512MB of RAM to run an office mail system ...

    --
    - Michael T. Babcock (Yes, I blog)
  91. Some great mail that will be lost! by Erris · · Score: 2
    Anything mentioning your "sHIpment". Oh the boys in the warehouse are going to love that.

    That letter from your teacher about your cHIld.

    tHIs, you thought of it!

    wHIch.

    wHIle

    anytHIng and everytHIng.

    It's hard to imagine the tHIng that won't be HIt.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  92. Re:What do you suggest? by NumberSyx · · Score: 2

    Windows Update is visible enough, and certainly fits the bill for "Single Point Distribution". The problem is Microsoft neglects it. All of these email viruses have had a patch available for at least a year. Why haven't these patches made it into Windows Update? If someone wants to install these patches, they must dig around the MS website to find it. Also there has been little or no notification of these patches. Bottom line is the patches are useless if no one knows about them or can not find them.

    --

    "Our products just aren't engineered for security,"
    -Brian Valentine, VP in charge of MS Windows Development

  93. Re:Pure Wisdom (even freaking better) by Erris · · Score: 2
    I got this on 12/10/01:

    Due to the message we received from the Exchange group, we recommend that you do not sync your palm pilot with Outlook until this mailbox data has been restored. Your palm pilot may contain the only available copy of this data. We will let you know when we receive an update from the Exchange group.
    Thanks,
    IT Field Services
    -----Original Message-----
    From: XXXXX
    Sent: Thursday, December 06, 2001 9:06 PM
    To: Server XXX-XXXX
    Subject: Virus Update
    Importance: High

    In an effort to purge Outlook of the gone.scr virus, inbox messages, contacts, tasks, etc. with the characters "hi" in the subject line have been affected. Exchange is investigating the timeline to restore the data.

    Thanks!

    Exadmin

    --End transmission--

    Thanks indeed. I thought the rule message was a joke. Now I see just how powerful M$ Admin tools really are! Nice work, Exchange Group.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
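    The purge described in the two posts above is a substring rule: any subject containing "hi" matched, so "Shipment", "child" and "This" went with the worm. The script below, added here as an example and not anything from the thread or the Exchange group, runs four candidate rules over a constructed mailbox and reports each rule's collateral damage. It assumes the worm's subject is the single word "Hi" and its attachment is named gone.scr (the filename given in the quoted notice); the other subjects echo the "sHIpment"/"cHIld" examples above and are made up.

```python
"""Compare subject-line purge rules for collateral damage on constructed mail."""
import re
from typing import Callable, List, Tuple

# (subject, attachment filenames). Worm subject assumed to be exactly "Hi";
# everything here is constructed for this example.
MAILBOX: List[Tuple[str, List[str]]] = [
    ("Hi", ["gone.scr"]),
    ("hi", ["gone.scr"]),
    ("Shipment delayed", ["invoice.pdf"]),
    ("Re: your child's report", []),
    ("This week's numbers", ["numbers.xls"]),
    ("Hi there, minutes attached", ["minutes.doc"]),
]

Rule = Callable[[str, List[str]], bool]


def substring_rule(subject: str, attachments: List[str]) -> bool:
    """The rule the Exchange group evidently used: 'hi' anywhere in the subject."""
    return "hi" in subject.lower()


def word_rule(subject: str, attachments: List[str]) -> bool:
    """'hi' as a whole word; spares 'Shipment' and 'child' but not 'Hi there'."""
    return re.search(r"\bhi\b", subject, re.IGNORECASE) is not None


def exact_rule(subject: str, attachments: List[str]) -> bool:
    """The whole subject is the one word, ignoring case and surrounding space."""
    return subject.strip().lower() == "hi"


def worm_rule(subject: str, attachments: List[str]) -> bool:
    """Two independent signals: exact subject AND the known attachment name."""
    return exact_rule(subject, attachments) and any(
        name.lower() == "gone.scr" for name in attachments
    )


def flagged(rule: Rule, mailbox=MAILBOX) -> List[str]:
    """Subjects a rule would purge."""
    return [subject for subject, attachments in mailbox if rule(subject, attachments)]


def collateral(rule: Rule, mailbox=MAILBOX) -> List[str]:
    """Purged subjects that are not worm mail (worm_rule is the ground truth here)."""
    worm = set(flagged(worm_rule, mailbox))
    return [subject for subject in flagged(rule, mailbox) if subject not in worm]


if __name__ == "__main__":
    for rule in (substring_rule, word_rule, exact_rule, worm_rule):
        print(f"{rule.__name__:15} purges {len(flagged(rule))}, collateral: {collateral(rule)}")
```

    The point of `worm_rule` is that a purge which must touch every mailbox should require more than one indicator; a subject alone, however precisely matched, still wipes the legitimate "Hi" people send each other.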