Slashdot Mirror


Latest WinWorm Spreads Via ICQ And Outlook

mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.

46 of 598 comments

  1. NOT! by aitala · · Score: 5, Informative

    It is not non-destructive - it tries to delete anti-virus and firewall software.

    --
    Eric Aitala
    www.f1m.com
  2. Just got goner here by monkeyfamily · · Score: 3, Interesting

    This is the first office I've seen grind to a halt because of an Outlook worm - but then, none of the other places I've temped have been so totally MS-centric. I think I'm the only one left with email access, as I'm using the mozilla client.

  3. The CEO of my technology company by v4sudeva · · Score: 5, Funny

    has already sent every one of my fellow employees all over the globe 27 copies of this thing.

    It's been going on for over two hours now. I can't help but wonder if he's still over there trying to run that damn .scr.

    Thanks, boss.

    --
    Personal me, collaborative you
    1. Re:The CEO of my technology company by sharkey · · Score: 5, Funny

      I'll send you the bill...

      Shouldn't that be, "I send you this bill to ask your repair"?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    2. Re:The CEO of my technology company by GTRacer · · Score: 3, Insightful
      True, nobody really expects a CEO to have a hand in day-to-day operations. They're the "big picture" people.

      BUT...they should have at least a marginal understanding of what goes on around them, and if you're in a tech-driven company, I'd hope that would include knowing how to print from IE or logging into an email client.

      I've worked for PHB's that couldn't. It's one thing to surround yourself with great minds. It's another entirely when they serve as a replacement, not an augmentation!

      GTRacer
      - This has "long day" written all over it

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  4. story is wrong by joshwa · · Score: 5, Informative

    The story had a few errors:

    1. The McAfee link is here.
    2. It's 159 KB, not 159 bytes.
    3. It isn't non-destructive -- it's designed to remove many popular anti-virus products. See the McAfee article.
  5. nope, sorry. by tswinzig · · Score: 5, Interesting

    it has a packed form that is only 159 bytes.

    Actually the attachment is 38KB, and the virus itself is 159 KILObytes, not 159 bytes, UNPACKED.

    The unique thing about it is it disables some anti-virus software, and things like ZoneAlarm.

    As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.

    --

    "And like that ... he's gone."
  6. What? Still? by Anonymous Coward · · Score: 5, Funny

    Didn't everyone get the memo that opening attachments is a really dumb idea? I'm attaching the original message:

    <Attachment: Don't_Open_Attachments.eml.vbs>

  7. Pure Wisdom by Phartx2 · · Score: 5, Funny

    I just got the warning message from my school's network goons. In a move of administrative wisdom at its finest, it mentioned:

    "The Bearcat Online email system is now blocking all messages with "Hi" as the subject."

    1. Re:Pure Wisdom by Computer! · · Score: 3, Informative

      Instead of blocking subject lines, they could have just added the following code to the Application_ItemSend event in Outlook 2000:


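      ' Body of Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
      Dim blsure As VbMsgBoxResult
      Dim i As Long
      If Item.Attachments.Count > 0 Then
          blsure = MsgBox("A message is being sent with attachments. Do you want to send this message?", vbOKCancel)
          If blsure = vbCancel Then
              ' Attachments is 1-based; remove from the end so the indexes stay valid
              For i = Item.Attachments.Count To 1 Step -1
                  Item.Attachments.Remove i
              Next
              Item.Delete
              Cancel = True
              MsgBox "The message has not been sent."
          End If
      End If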


      What makes virus writing so easy for Windows is the ability to churn through the Outlook address book with a convenient object model. Of course, you could switch to another client, but then you wouldn't be able to write your own code to customize the behavior of the sending of attachments. Kind of a double-edged sword.

      Once you've gotten your Outlook installation "patched", read this article to learn how to deploy the fix to other users. Of course, if they get infected, they may have to click "Cancel" 1500 times, but that's what they get for double-clicking an untrusted .exe.

      --
      If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
  8. Social Engineering by FatRatBastard · · Score: 4, Interesting

    This one's strength is actually its social engineering. The text of it sounds like something a friend would send. My sister got nailed and I got it via e-mail from her. Since I had just finished talking to her on AIM I found the text of it a little strange so my guard went up. Funny enough, McAfee didn't catch it on Yahoo (I scanned just to see what came up).

  9. This is a sad statement on security by JMZero · · Score: 5, Insightful

    Our office blocks .scr attachments at the server, because we're not completely incompetent. There's no reason to send a .scr or a .vbs or anything like unto it - whatever you have to say could be said in a text file.

    It strikes me as extremely sad that a virus like this can still work. How many times does it take?

    What can we do to save the unknowing?

    --
    Let's not stir that bag of worms...
  10. Symantec's writeup is wrong.. by Havokmon · · Score: 5, Informative


    It says you have to remove the registry entry then reboot. Actually, if you remove the registry entry, the app reinstalls itself, then reboot doesn't do shit.

    Shutdown to DOS, then del windows\system\gone.scr
    (It's hidden attrib -s-r-h first), then reboot.
    You can't delete it before you shutdown, it's 'in-use'.

    If you're running NTFS, AND you've been hit, *sigh*..

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
  11. Finding the culprit by rkent · · Score: 5, Funny

    Well, since McAfee and Symantec are reporting it, I guess this is not a first draft of magic lantern... unless they issue another press release in 45 minutes saying "um... nevermind, there is no 'Goner' worm."

  12. Sorry about the double-post... by tswinzig · · Score: 3, Funny

    ...I was in a harry.

    --

    "And like that ... he's gone."
  13. installs takeover script by Proud+Geek · · Score: 3, Informative

    According to the Symantec page it will install robot scripts if you have mIRC installed. Add that to the 'really-is-harmful' list.

    --

    Even Slashdot wants to hide some things

  14. Re:*LOL*.. virus.. outlook.. *yawn* by Lemmy+Caution · · Score: 4, Interesting

    Don't be misled. Maybe you are too young to remember, or weren't in the industry, but the VB-based viruses are far tamer than some of the older Bulgarian viruses that used to attack DOS and Novell systems - those viruses would actually destroy the *hardware*. Unix has plenty of exploitable aspects - there was a vulnerability in pine that allowed for the execution of arbitrary code, there have been sendmail holes, worms, and other vulnerabilities. The unix model has been criticized by none other than RMS (when defending the HURD model) for its promiscuous reliance on SUID.

  15. Re:OT: "moderately unique"?? by heliocentric · · Score: 3, Funny

    WTF does "moderately unique" mean?

    I consider myself moderately unique in that my shirt size is an extra medium. I don't know many other people who take an extra medium, but if the shirt companies make 'em then I can't be fully unique.

    Either something is unique or it's not, by crikey! Soon we'll have things described as "marginally special"

    Well, at the local food store the manager often has things that are getting old on special... oh, you were talking about marginally...

    or "slightly dead."

    Ever see the Princess Bride? Wesley was not all dead when they took him to Miracle Max's....

    --
    Wheeeee
  16. This is nothing. Wait a few days by ellem · · Score: 4, Insightful

    This virus has two real goals:

    1 -- Propagate
    2 -- Disable Anti Virus

    This worm is a setup. So in a few days the 31337 h4x0rs will release the REAL virus that does the REAL damage to the people whose defenses have been compromised.

    I love being a Win Sys Admin

    Anyone need an OSX admin?

    --
    This .sig is fake but accurate.
  17. a real "Trojan horse" by mblase · · Score: 3, Funny

    Great -- someone's finally figured out that they can create a Trojan horse that not only digs a back door into your system, but silently kills off the guards at the front as well.

    Next thing we know they'll be rewriting Microsoft's system auto-updater to download even more viral code into your system. Won't that be nice?

    1. Re:a real "Trojan horse" by Dahan · · Score: 3, Informative

      Under Win9x, how would a virus scanner stop a virus from killing its process? Programs in Win9x have full control of the system; there really isn't much a determined program can't do. Think kill -9 from a root program in Unix; there's nothing you can do to stop it. I guess a Robin Hood and Friar Tuck arrangement might be able to put up some sort of warning, but I suspect there's a way to work around even that.

  18. Watched this happen by Matts · · Score: 5, Insightful
    I work for a managed security provider and we stopped this using heuristics for all our customers. Its growth rate has been phenomenal, considering it doesn't even use any hacks - it's just a stupid social engineering virus! It was very funny listening to our anti-virus guy on the phone to reporters saying "We've stopped 4000 in the last two hours. No wait, 5000. ... oh, and now 6000".

    The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)

    I do worry for apps like this on Linux though, as email clients become able to execute attachments. But the benefit is that Linux doesn't assume things based on file suffix, but on their actual mime type. However, that still leaves a possible vulnerability to mime type spoofing, perhaps.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
    1. Re:Watched this happen by tswinzig · · Score: 5, Informative

      The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)

      Apparently your people need to do some research. Microsoft has had a patch out for about a year now that can be installed to prevent Outlook from giving access to any executable file, AND this is the default behavior in Outlook XP/2002.

      --

      "And like that ... he's gone."
  19. No support here! by Goner · · Score: 5, Funny

    I am ashamed that anyone would intentionally use my Slashdot account name to bolster the popularity and reputation of their sick virus. I'm sure the hackers who created this monstrosity were well versed in such hacker tools as Bonzi Buddy and Lunix. If they think I would come out and support such a destructive screen saver they are very, very wrong. If God wanted toasters to fly, he would have given them wings.

    So, you hackers, where ever you are, Goner (of Slashdot lore) does not approve!

  20. In defense of Microsoft...... by cscx · · Score: 3, Interesting
    OK, I want all you Outlook-haters to read this: In outlook xp, you have to edit the registry if you want to be able to open .exe, .vbs, et cetera attachments. No ifs, ands or buts from Outlook. Which brings me to my next point... If people are generally so stupid they open attachments like this, they need to pack up their computer and put the box in their closet. I mean, shit, I could write a .vbs file, send it to someone running Pine under Win32 - what stops them from saving it and running the file. What also pisses me off is the people that say "oh I run Linux so I'm fine"... well buddy, I could send you


    #!/bin/sh
    rm -rf /*


    and say "Hey, run this!". Thing is, most Linux users are geekier than the average windows user, and will think twice before doing so! See, the problem here is not Outlook itself, but the incompetence of the people using it. Yay MS for disabling exes by default... just reminds me of all those Flash animations that make the e-mail rounds that could be virus laden.....

    1. Re:In defense of Microsoft...... by Azog · · Score: 3, Flamebait
      Mmmm, one important point you missed:

      What also pisses me off is the people that say "oh I run Linux so I'm fine"... well buddy, I could send you

      #!/bin/sh
      rm -rf /*
      Gee, I just tried that, and all it did was print a million "Permission denied" messages. Oh, and it messed up my test account, but I fixed that with "su, deluser test, rm -rf /home/test, adduser test", and everything's back to normal.

      Anyone else out there got some email viruses they want me to try out on my Linux box? They probably won't work either.

      Warning to Linux non-experts: if you want to try this yourself, note that running rm -rf /* will delete any file owned by the person who runs the command.

      Before you run anything off the network, you should switch your user (using the su command) to a "test" user that doesn't own any important files. You can set up a test user account by doing an "su root", "adduser test", and then "passwd test" to set the test user's password.

      Carry on mocking Windows at your leisure... Or maybe the Microsoft apologists could write a little explanation of how to set up a safe testing account on Windows? Oh, that's right you can't, too bad about that.

      (snicker)
      --
      Torrey Hoffman (Azog)
      "HTML needs a rant tag" - Alan Cox
    2. Re:In defense of Microsoft...... by SuiteSisterMary · · Score: 3, Insightful
      Oh, and it messed up my test account, but I fixed that with "su, deluser test, rm -rf /home/test, adduser test", and everything's back to normal.

      Oh, and for all you 'Linux non-experts' if you do this to an actual user's directory, well, they're not going to be happy. Hope you've got those backups. The point he was trying to make is that it's not a matter of system security, it's a matter of user education. How many 'oh look I installed linux' users are running vulnerable versions of wu-ftpd, bind, lpr, and so on? Lots.
      --
      Vintage computer games and RPG books available. Email me if you're interested.
    3. Re:In defense of Microsoft...... by cscx · · Score: 4, Troll
      Or maybe the Microsoft apologists could write a little explanation of how to set up a safe testing account on Windows? Oh, that's right you can't, too bad about that

      Mmmkay, let's give this a try shall we?

      1. Set up NTFS ACLs properly - this includes giving SYSTEM rights to what needs to have it, along with the Administrators group, etc. Users should only have read access. (Most experienced NT end-users should already have done this a long time ago; if you're on a properly set-up network, it should have been done already!)

      2. Open up the MMC, go to users and groups, and add a user. Make it a member of the Users group, which you have already set up as to only have read access (heck, you can set it up to everything BUT delete access... NTFS ACLs are so specific and expansive it beats rwxrwxrwx hands down :-/) and also give it full access to its home directory under "Documents and Settings\user"

      3. Log in as that user.

      4. Open up a command prompt.

      C:\>del /F/Q *.*
      C:\New Text Document (2).txt
      Access is denied.
      C:\New Text Document.txt
      Access is denied.
      etc...

      Oh wait, I didn't ever have to log in! Ever seen 2000's oh-so-cool "Run as different user" option on the property sheets? Guess not.

      I think it's about time the zealots pull their heads out of their asses before they go and flame someone on a topic they know nothing about.

    4. Re:In defense of Microsoft...... by Azog · · Score: 3, Troll
      So, cscx says:

      Mmmkay, let's give this a try shall we?

      [...](sketchy explanation of how to set up a throwaway test account deleted)[...]

      I think it's about time the zealots pull their heads out of their asses before they go and flame someone on a topic they know nothing about.
      Sorry, you lose. Here's why:

      1. That doesn't work on Windows 95, 98, or ME. Those systems just don't have security. Period.

      2. It doesn't work if you aren't using NTFS. A LOT of NT, 2K, and XP systems don't.

      3. You don't have a short, simple description of how to "Set up NTFS ACLs properly". But I don't blame you - a short, simple explanation of that subject is impossible.

      Compare that to Linux. The instructions I gave for setting up a throwaway test account are very simple, can be executed in seconds, and will work on any Linux distribution from the last five years at least.

      That's impossible on Windows, and your post basically proved the point. Thanks!
      --
      Torrey Hoffman (Azog)
      "HTML needs a rant tag" - Alan Cox
  21. Re:*LOL*.. virus.. outlook.. *yawn* by CoolVibe · · Score: 4, Funny
    I can vouch that we have tried at my office ... REPEATEDLY .... to do just that. Some users just don't learn. After many attempts and incidents, they continue to open and execute every darn thing they are sent. These are usually the same people who send out all the "cute little utilities" that will run supposedly humorous animations and whatever. Sure, the next step would be some sort of administrative control/intervention, but as expected .. management (non-IT dept) is more interested in keeping people happy than in properly run systems. Our hands are tied.

    That's why the LART was invented. If you can't get sense into 'em, beat it into 'em.

    Yes, I actually kicked a user off the network one time because he had already gotten _three_ warnings from me. And yet he still opened untrusted attachments.

    *clicketyclick* no more DHCP lease, blocked by MAC address. His e-mail was directed to a temporary mailbox (so he couldn't get it from someone else's machine)

    He never did it again. Good luser. After a few days I couldn't stand his whimpering and copied his mail back and reactivated his lease. Now he listened and behaved. Actually, it had a more positive effect: that story went around the office, and they now think twice before opening something they get from someone they don't know. Heck, some even switched from OutLook to something else (I've seen copies of Eudora and filled up Netscape Mail folders appearing on the workstations all of a sudden).

    Sometimes you have to make it smart a little before they listen.

  22. True to some extent by Chuck+Chunder · · Score: 3, Insightful

    But a fundamental difference on Unix type systems is that files aren't inherently executable based simply on their extension, someone can't just save a file from their email and execute it, they need to know at least enough to "chmod u+x" the file which should at least make them think about it.

    Of course, that doesn't mean it's impossible to make an email client or desktop environment that would launch an attachment with "/usr/bin/sh" but hopefully that is so blindingly stupid that no-one would do it.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  23. Ready for the desktop? by Asic+Eng · · Score: 3, Troll
    I guess this shows that Windows is not ready for the desktop. Sure, playing games, maybe coordinating meetings and using a calendar, work - but email? Leave that to serious systems.

    I know, I know, other email clients, etc.

    However there is one thing I don't understand, why are flaws which convert your office network into a disaster area, somehow acceptable, whereas some esoteric calendar tool is so vitally necessary that people straight-faced claim that Linux isn't ready for the desktop?

    It's not just Outlook either - every damn document format that MS produces is an attack waiting to happen. Apart from being susceptible to bit-rot and bloated.

    The average user does simply not have the competence to operate a Windows system safely in an office environment. It's not enough to consider training costs when switching to Linux, you also need to consider TCO. That means your downtime, additional maintenance to repair user machines and lost or corrupted data, when using Windows systems.

  24. Re:who uses scripting in outlook? by Chris+Johnson · · Score: 3, Interesting
    And pass up the possibility of "stopping a variety of antivirus and security applications and deleting all the files in the folders containing those applications. Kaspersky Lab's AVP, Zone Labs' ZoneAlarm, and Internet Security Systems' Black Ice are among the programs affected."? (CNet)

    Those ARE all Microsoft competitors, are they not?

    Microsoft DOES have an inferior product bundled with XP that they wish to prevail against this technically superior (and two-way: no spyware-friendliness like with MS's version) competition, do they not?

    Let me say that I don't know whether Microsoft has spread this worm themselves to take out their competitors, because I don't know where it came from in the first place and I won't have to deal with it except shoveling it out of my Mac/Eudora Light inbox. But you have to ask, 'who benefits?'. And you can't seriously expect Microsoft to get rid of their scripting, when they can use it in so many ways to damage their competitors- and their competitors are not only 'any other software company' but the fundamental technologies of the Internet itself, which they don't own. They _want_ this to happen.

  25. Re:Pure Wisdom (better) by gosand · · Score: 3, Funny
    I got an email (as did everyone else) from someone in the company who gave detailed instructions on how to use the "Rule Wizard" (first clue) to delete these emails permanently upon receiving them.

    The problem? The steps outlined how to check the subject line for the word "hi" and permanently delete it and the message flag.

    I tested this out, and Outlook isn't case sensitive, nor does it recognize if the target word is embedded. So any email with the word 'hi' anywhere in the subject would get deleted. (e.g. this, Chicago, chickenpoop, etc) It was also suggested that the exception be if your name was in the To or CC, but we use so many distribution lists, that wouldn't matter too much.

    *sigh*

    --

    My beliefs do not require that you agree with them.

  26. Filtering SMTP forwarder? by Spacelord · · Score: 3, Informative

    What I don't get is ... why doesn't everyone just add a forwarding SMTP server between the internet and their exchange server and set it up to deny .vbs, .scr, ... style attachments.

    We use exchange at work too, and I just set up a linux box running postfix in front of it. With a simple oneline regular expression, every dangerous attachment gets blocked. (hint: use the body_checks parameter) We haven't been hit by a single worm or virus since then.

  27. unique by sheetsda · · Score: 3, Funny

    "Always remember you're unique, just like everyone else." I wish I knew who said it.

  28. We haven't even touched the surface.. by defile · · Score: 4, Insightful

    Thank god the people that write this kind of code are completely incapable of writing evil IDE command sequences that can fry hard drive firmware.

    Imagine the destruction you could cause if after every infection and replication to everyone in your address book, it wrecked your hard drive and required it to be sent back to the manufacturer for repair?

    Hmm, interesting sales pitch you could offer to Maxtor, Seagate, etc if you want to make a quick buck at the expense of the global economy. (unless the 90-day warranty covers "act of hacker").

  29. NTFS (programmers perspective) by DarkEdgeX · · Score: 5, Interesting

    You'd use MoveFileEx to get rid of the file, like so--

    MoveFileEx("C:\\WINNT\\System32\\Gone.scr", NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

    The combination of MOVEFILE_DELAY_UNTIL_REBOOT and a NULL lpNewFileName creates a special condition where Windows deletes the file at startup. This is commonly used by installers, for example, when a file is in use and DeleteFile fails. For anyone going through the trouble of putting this into an executable, you might want to grab the Windows system directory from Windows itself.. this can be done using GetSystemDirectory (prototyped as--

    UINT GetSystemDirectory(
    LPTSTR lpBuffer, // buffer for system directory
    UINT uSize // size of directory buffer
    );

    ) or you could be clever and use ExpandEnvironmentStrings, prototyped as--

    DWORD ExpandEnvironmentStrings(
    LPCTSTR lpSrc, // string with environment variables
    LPTSTR lpDst, // string with expanded strings
    DWORD nSize // maximum characters in expanded string
    );

    Shrug. =) Just thought this might help, for those unable to figure out how to delete a file in NTFS (but that do have a C/C++ or other compatible compiler).

    --
    All I know about Bush is I had a good job when Clinton was president.
    1. Re:NTFS (programmers perspective) by Malcontent · · Score: 3, Funny

      And they say linux is hard to use. You have to fire up a C compiler just to delete a file. Sheesh..

      --

      War is necrophilia.

  30. Re:Not an outlook worm, an outlook express worm by Zico · · Score: 4, Informative

    Au contraire, mon frere! Just go to http://www.slipstick.com/outlook/esecup/getexe.htm#ol2002 and get the registry-editing instructions or downloadable tools to let you determine the Outlook 2000/2002 (XP) security settings on any type of file you want. I recommend the "Attachment Security Options" tool, myself.

  31. Procmail can easily fix this by JoshuaDFranklin · · Score: 5, Informative
    Honestly, how many people really send raw screensavers?? Make people at least zip them. If you're running a *NIX mail server, put this in your /etc/procmailrc NOW:
    VIRUSDUMP=/var/virusdump/virus

    :0 # Use procmail match feature
    * ^From:\/.*
    {
    HFR = "$MATCH"
    }

    :0
    * ^Content-type:.*
    {
    # Match an attachment name that ends in an executable extension
    :0 HB
    * name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe|bat|js)"
    {
    # Mail a notice to the sender, then file the message in the quarantine
    :0 fhw
    | (formail -r; \
    echo -e "This is an auto-generated message\n\
    \n\
    The email referenced above, which was sent from your address, \n\
    had a virus-vulnerable attachment (such as .EXE, .VBS, .PIF, etc).\n\n\
    This mail server no longer accepts mail with virus-vulnerable \n\
    attachments and the email has been quarantined.\n\
    Please try resending your attachment in a safe format such as ZIP. \n\
    Contact support@your-name.com if you have any questions")\
    | mail -s "Possible virus deleted" "${HFR}"
    :0
    ${VIRUSDUMP}
    }
    }
    We get about 50MB/day of these. Archive them for a week, then delete them. If anybody really sent something useful, someone at the address listed can get it back for them. Hasn't happened yet.
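An added example, not code from any poster in this thread: the gateway attachment check that the Postfix body_checks and procmail comments describe, written as a Python filter that walks the MIME structure instead of pattern-matching raw body text. The blocklist is the one in the procmail recipe; the function names and the three sample messages are constructed for illustration.

```python
"""Attachment-extension gateway check (added example, not from the thread)."""
import email
from email import policy

# Blocklist copied from the procmail recipe in the thread.
BLOCKED_EXTENSIONS = frozenset(
    "vbs wsf vbe wsh hta scr pif com exe bat js".split()
)

# Constructed sample: attachment named only by Content-Type name=, upper case.
SAMPLE_SCR = (
    b"From: alice@example.com\r\n"
    b"Subject: Hi\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"How are you ?\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="GONE.SCR"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"
    b"--b1--\r\n"
)

# Constructed sample: double extension, named by Content-Disposition filename=.
SAMPLE_DOUBLE_EXT = (
    b"From: bob@example.com\r\n"
    b"Subject: memo\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b2"\r\n'
    b"\r\n"
    b"--b2\r\n"
    b"Content-Type: text/plain\r\n"
    b'Content-Disposition: attachment; filename="Don\'t_Open_Attachments.eml.vbs"\r\n'
    b"\r\n"
    b"x\r\n"
    b"--b2--\r\n"
)

# Constructed sample: plain-text advisory that only quotes a MIME header.
# A regex run over the raw body would match it; the MIME walk must not.
SAMPLE_ADVISORY = (
    b"From: helpdesk@example.com\r\n"
    b"Subject: Chicago office: this week's worm\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Do not open mail carrying this part header:\r\n"
    b'Content-Type: application/octet-stream; name="gone.scr"\r\n'
)


def final_extension(filename):
    """Return the lower-cased last extension, the one Windows acts on.

    Windows ignores trailing dots and spaces in file names, so
    "gone.scr. " still runs as a screen saver; strip them first.
    """
    name = filename.strip().rstrip(". ").lower()
    _, dot, ext = name.rpartition(".")
    return ext if dot else ""


def blocked_attachments(raw_message):
    """Return the file names of MIME parts whose extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads the Content-Disposition filename parameter
        # and falls back to the Content-Type name parameter.
        filename = part.get_filename()
        if filename and final_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


if __name__ == "__main__":
    samples = {
        "scr": SAMPLE_SCR,
        "double-ext": SAMPLE_DOUBLE_EXT,
        "advisory": SAMPLE_ADVISORY,
    }
    for label, raw in samples.items():
        found = blocked_attachments(raw)
        print(label, "QUARANTINE" if found else "deliver", found)
```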
  32. Re:*LOL*.. virus.. outlook.. *yawn* by MtViewGuy · · Score: 3, Informative

    Actually, if you're running Outlook Express 6.0 from Internet Explorer 5.5 SP2 and 6.0, you can set up in Options the ability for the program to NOT allow the execution of any file attachment. In that case, the virus is useless other than hogging local disk space as the virus file is downloaded.

  33. Re:That's Why We Get Paid... by psych031337 · · Score: 3
    Why, what's your beef? Don't have a cow -- you're in gravy, man! Just put up a little sign that says "GONER REPAIR: $10". It only takes five minutes to fix. Script it, put it on a floppy and carry it with you, and you can clean it up in two minutes flat.


    Well, and ironically exactly that might "educate" them enough to remember being cautious about attachments in the long run. If it burns a hole into their pockets they might start thinking before clicking sooner or later.
    --
    +++ath0
  34. Re:Why do we put up with this... by FFFish · · Score: 3, Funny

    You've made an interesting point. Other manufacturers are held liable for end-user incompetence: why isn't Microsoft?

    Ever wonder why your hair-dryer has a warning that you shouldn't use it in the shower? It's very likely because some evolutionary dead-end once actually did use it in the shower, and a lawsuit came of it.

    Hell, it even happens in Canada: some dumbshit teenager pulled a Coke machine onto himself, and his parents are trying to sue Coke for his abuse of the property!

    Obviously, it's quite acceptable to find companies liable for the carelessness, incompetence, stupidity, or maliciousness of their products' users.

    I fail to see why Microsoft isn't held accountable.

    --
    Don't like it? Respond with words, not karma.
  35. Disclaimer of liability for loss of profit by Robin+Lionheart · · Score: 3, Interesting

    Has somebody heard of anyone that has tried to sue Microsoft for loss of profit (or whatever) due to faulty products? Does Microsoft have some kind of protection from this?

    The EULA distributed with Office 2000 specifically disclaims liability for "loss of profit":

    "To the maximum extent permitted by applicable law, in no event shall Microsoft or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use the SOFTWARE PRODUCT or the provision of or failure to provide Support Services, even if Microsoft has been advised of the possibility of such damages."

    Under the USA's Uniform Commercial Code, there is by default an implied warranty that any product sold is "merchantable", meaning fit for the customary use that the product is put to. Unless the terms of sale change that implied warranty, a buyer could sue over dysfunctional software.

    Software licenses generally disclaim those implied warranties, an innovation that began with VisiCalc's "as is" license. If you read the fine print of Microsoft EULAs, you will find a capitalized sentence like "TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, WITH REGARD TO THE SOFTWARE PRODUCT, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES."

    Whether the EULA has any legal weight is questionable. Software licenses are rarely presented at the time of sale. Installation programs try to impose them after the fact by demanding your agreement before installing the program on your computer.

    Like many click-wrap agreements, Microsoft's EULAs are very one-sided, offering you nothing in return for restricting you from installing the software on more than one computer, from making more than one backup copy, from lending the software to anyone else, from reverse-engineering the software, and sometimes even from reselling the software or from criticizing the product. Such "agreements" may not constitute valid contracts, and even if they were, may be invalid as "contracts of adhesion".

    So, Microsoft and other software corporations lobby for UCITA (Uniform Computer Information Transactions Act) laws giving software the special ability to impose terms and restrictions after purchase. UCITA has already passed in Maryland and Virginia and has been introduced in the legislatures of many other states.

  36. About the fourth last straw? by leonbrooks · · Score: 3, Informative
    This is the last straw. I have already talked to all of the relevant managers and we are slated to migrate all of our users e-mail action to Eudora starting in January.

    This will reduce the problem but not fix it.

    Migrate your clients to Linux on PPC (iMacs are nice for this, StarOffice on LinuxPPC is just about happy enough to use) and never fear an attachment again. Plan ahead to include some Alpha and MIPS boxes as well (you can do that on the server end now), so when some meathead eventually produces the first serious LinuxPPC virus it doesn't get everyone in your office.

    --
    Got time? Spend some of it coding or testing