Slashdot Mirror


Latest WinWorm Spreads Via ICQ And Outlook

mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.

15 of 598 comments

  1. NOT! by aitala · · Score: 5, Informative

    It is not non-destructive - it tries to delete anti-virus and firewall software.

    --
    Eric Aitala
    www.f1m.com
  2. The CEO of my technology company by v4sudeva · · Score: 5, Funny

    has already sent every one of my fellow employees all over the globe 27 copies of this thing.

    It's been going on for over two hours now. I can't help but wonder if he's still over there trying to run that damn .scr.

    Thanks, boss.

    --
    Personal me, collaborative you
    1. Re:The CEO of my technology company by sharkey · · Score: 5, Funny

      I'll send you the bill...

      Shouldn't that be, "I send you this bill to ask your repair"?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  3. story is wrong by joshwa · · Score: 5, Informative

    The story had a few errors:

    1. The McAfee link is here.
    2. It's 159 KB, not 159 bytes.
    3. It isn't non-destructive -- it's designed to remove many popular anti-virus products. See the McAfee article.
  4. nope, sorry. by tswinzig · · Score: 5, Interesting

    it has a packed form that is only 159 bytes.

    Actually the attachment is 38KB, and the virus itself is 159 KILObytes, not 159 bytes, UNPACKED.

    The unique thing about it is it disables some anti-virus software, and things like ZoneAlarm.

    As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.

    --

    "And like that ... he's gone."
  5. What? Still? by Anonymous Coward · · Score: 5, Funny

    Didn't everyone get the memo that opening attachments is a really dumb idea? I'm attaching the original message:

    <Attachment: Don't_Open_Attachments.eml.vbs>

  6. Pure Wisdom by Phartx2 · · Score: 5, Funny

    I just got the warning message from my school's network goons. In a move of administrative wisdom at its finest, it mentioned:

    "The Bearcat Online email system is now blocking all messages with "Hi" as the subject."

  7. This is a sad statement on security by JMZero · · Score: 5, Insightful

    Our office blocks .scr attachments at the server, because we're not completely incompetent. There's no reason to send a .scr or a .vbs or anything like unto it - whatever you have to say could be said in a text file.

    It strikes me as extremely sad that a virus like this can still work. How many times does it take?

    What can we do to save the unknowing?

    --
    Let's not stir that bag of worms...
  8. Symantec's writeup is wrong.. by Havokmon · · Score: 5, Informative

    It says you have to remove the registry entry then reboot. Actually, if you remove the registry entry, the app reinstalls itself, then reboot doesn't do shit.

    Shutdown to DOS, then del windows\system\gone.scr
    (It's hidden attrib -s-r-h first), then reboot.
    You can't delete it before you shutdown, it's 'in-use'.

    If you're running NTFS, AND you've been hit, *sigh*..

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  9. Finding the culprit by rkent · · Score: 5, Funny

    Well, since McAfee and Symantec are reporting it, I guess this is not a first draft of magic lantern... unless they issue another press release in 45 minutes saying "um... nevermind, there is no 'Goner' worm."

  10. Watched this happen by Matts · · Score: 5, Insightful

    I work for a managed security provider and we stopped this using heuristics for all our customers. Its growth rate has been phenomenal, considering it doesn't even use any hacks - it's just a stupid social engineering virus! It was very funny listening to our anti-virus guy on the phone to reporters saying "We've stopped 4000 in the last two hours. No wait, 5000. ... oh, and now 6000".

    The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)

    I do worry for apps like this on Linux though, as email clients become able to execute attachments. But the benefit is that Linux doesn't assume things based on file suffix, but on their actual mime type. However, that still leaves a possible vulnerability to mime type spoofing, perhaps.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
    1. Re:Watched this happen by tswinzig · · Score: 5, Informative

      The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)

      Apparently your people need to do some research. Microsoft has had a patch out for about a year now that can be installed to prevent Outlook from giving access to any executable file, AND this is the default behavior in Outlook XP/2002.

      --

      "And like that ... he's gone."
  11. No support here! by Goner · · Score: 5, Funny

    I am ashamed that anyone would intentionally use my Slashdot account name to bolster the popularity and reputation of their sick virus. I'm sure the hackers who created this monstrosity were well versed in such hacker tools as Bonzi Buddy and Lunix. If they think I would come out and support such a destructive screen saver they are very, very wrong. If God wanted toasters to fly, he would have given them wings.

    So, you hackers, wherever you are, Goner (of Slashdot lore) does not approve!

  12. NTFS (programmers perspective) by DarkEdgeX · · Score: 5, Interesting

    You'd use MoveFileEx to get rid of the file, like so--

    MoveFileEx("C:\\WINNT\\System32\\Gone.scr", NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

    The combination of MOVEFILE_DELAY_UNTIL_REBOOT and a NULL lpNewFileName creates a special condition where Windows deletes the file at startup. This is commonly used by installers, for example, when a file is in use and DeleteFile fails. For anyone going through the trouble of putting this into an executable, you might want to grab the Windows system directory from Windows itself.. this can be done using GetSystemDirectory (prototyped as--

    UINT GetSystemDirectory(
    LPTSTR lpBuffer, // buffer for system directory
    UINT uSize // size of directory buffer
    );

    ) or you could be clever and use ExpandEnvironmentStrings, prototyped as--

    DWORD ExpandEnvironmentStrings(
    LPCTSTR lpSrc, // string with environment variables
    LPTSTR lpDst, // string with expanded strings
    DWORD nSize // maximum characters in expanded string
    );

    Shrug. =) Just thought this might help, for those unable to figure out how to delete a file in NTFS (but that do have a C/C++ or other compatible compiler).

    --
    All I know about Bush is I had a good job when Clinton was president.
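    As an added example, not part of DarkEdgeX's comment: a complete C routine that takes the system directory from GetSystemDirectory instead of hardcoding C:\WINNT\System32, refuses a file name that could steer the path elsewhere, and then schedules the delayed delete with the error handling the one-liner above leaves out. The names build_system_path and schedule_delete_at_reboot are my own; the Win32 calls sit behind _WIN32 so the path helper also compiles and can be checked on other platforms.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Join the system directory and a bare file name into out.
 * Returns 0 on success, -1 if name is empty or carries a path separator or
 * drive colon (so the caller cannot be steered outside the system directory),
 * -2 if the result does not fit in out. */
int build_system_path(const char *sysdir, const char *name, char *out, size_t outlen)
{
    size_t dlen = strlen(sysdir), nlen = strlen(name);
    if (nlen == 0 || strpbrk(name, "\\/:") != NULL)
        return -1;
    if (dlen + 1 + nlen + 1 > outlen)
        return -2;
    memcpy(out, sysdir, dlen);
    /* GetSystemDirectory returns no trailing backslash; add one if needed. */
    if (dlen > 0 && sysdir[dlen - 1] != '\\')
        out[dlen++] = '\\';
    memcpy(out + dlen, name, nlen + 1);     /* nlen + 1 copies the terminator too */
    return 0;
}

/* Schedule <system dir>\name for deletion at the next boot, the MoveFileEx
 * idiom from the comment above. Returns 0 on success, a negative value for a
 * path problem, or the positive Win32 error code if MoveFileEx fails.
 * MOVEFILE_DELAY_UNTIL_REBOOT needs an administrator (or LocalSystem) context,
 * because the request is recorded under HKLM\...\Session Manager\PendingFileRenameOperations. */
int schedule_delete_at_reboot(const char *name)
{
#ifdef _WIN32
    char sysdir[MAX_PATH], path[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir)
        return -2;                          /* call failed or directory name too long */
    int rc = build_system_path(sysdir, name, path, sizeof path);
    if (rc != 0)
        return rc;
    if (!MoveFileExA(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT))
        return (int)GetLastError();         /* e.g. ERROR_ACCESS_DENIED without admin rights */
    return 0;
#else
    (void)name;
    return -3;                              /* not a Windows build: nothing to schedule */
#endif
}
```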
  13. Procmail can easily fix this by JoshuaDFranklin · · Score: 5, Informative

    Honestly, how many people really send raw screensavers?? Make people at least zip them. If you're running a *NIX mail server, put this in your /etc/procmailrc NOW:
    VIRUSDUMP=/var/virusdump/virus
    :0 # Use procmail match feature to capture the sender address
    * ^From:\/.*
    {
    HFR="$MATCH"
    }

    :0
    * ^Content-type:.*
    {
    :0 HB
    * name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe|bat|js)"
    {
    :0 fhw
    | (formail -r; \
    echo -e "This is an auto-generated message\n\
    \n\
    The email referenced above, which was sent from your address, \n\
    had a virus-vulnerable attachment (such as .EXE, .VBS, .PIF, etc).\n\n\
    This mail server no longer accepts mail with virus-vulnerable \n\
    attachments and the email has been quarantined.\n\
    Please try resending your attachment in a safe format such as ZIP. \n\
    Contact support@your-name.com if you have any questions")\
    | mail -s "Possible virus deleted" "${HFR}"
    :0
    ${VIRUSDUMP}
    }
    }
    We get about 50MB/day of these. Archive them for a week, then delete them. If anybody really sent something useful, someone at the address listed can get it back for them. Hasn't happened yet.
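    The attachment-name test that recipe applies, written out as a C function so the rule can be checked against sample header lines offline; this is an added example, not JoshuaDFranklin's code, and header_has_blocked_attachment and sample_line are names I chose. Like the recipe's regex it matches both name="..." and filename="..." case-insensitively and judges only the final extension, so photo.jpg.scr is caught while report.zip passes.

```c
#include <ctype.h>
#include <string.h>

/* Extensions the procmail recipe above quarantines (lower case). */
static const char *const blocked_ext[] = {
    "vbs", "wsf", "vbe", "wsh", "hta", "scr", "pif", "com", "exe", "bat", "js"
};

/* Constructed sample header line, modelled on the Goner mail from the story. */
static const char sample_line[] =
    "Content-Type: application/octet-stream; name=\"GONE.SCR\"";

/* Check one header line for a name="..." or filename="..." parameter.
 * Returns 1 if the quoted file name ends in a blocked extension, 0 if not,
 * and -1 if the line is too long to inspect (a filter should treat that as
 * blocked rather than let it through). */
int header_has_blocked_attachment(const char *line)
{
    char buf[1024];
    size_t len = strlen(line), i;
    const char *p = buf;

    if (len >= sizeof buf)
        return -1;
    /* Work on a lower-cased copy so matching is case-insensitive, as procmail's is. */
    for (i = 0; i <= len; i++)
        buf[i] = (char)tolower((unsigned char)line[i]);

    while ((p = strstr(p, "name=\"")) != NULL) {
        const char *start = p + 6, *end = strchr(start, '"'), *dot = NULL, *q;
        if (end == NULL)
            return 0;               /* unterminated quote: no usable file name */
        for (q = start; q < end; q++)
            if (*q == '.')
                dot = q;            /* last dot wins: photo.jpg.scr is judged by "scr" */
        if (dot != NULL) {
            size_t ext_len = (size_t)(end - dot - 1), k;
            for (k = 0; k < sizeof blocked_ext / sizeof blocked_ext[0]; k++)
                if (ext_len == strlen(blocked_ext[k]) &&
                    memcmp(dot + 1, blocked_ext[k], ext_len) == 0)
                    return 1;
        }
        p = end + 1;                /* keep scanning: a line may carry several parameters */
    }
    return 0;
}
```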