Clever New Windows Worm

freakboy303 sent in linkage to a new worm that will no doubt be cluttering our inboxes soon. Clever bits include running its own SMTP service to increase chance of success, as well as using a bunch of spaces to disguise the true extension of the executable. No doubt countless copycats will soon follow and our inboxes will be cluttered by countless copies of the thing. Not that there's a problem with windows security.

There's a few differences

[BadDoggie]

Differences:

• 1) "Legitimate"-looking Subject line.
• 2) Legitimate-looking warning message straight out of Outlook.
• 3) Good social engineering
• 4) Own SMTP engine, so an Outlook script to warn that there's mail w/ attachments going out is useless.
• 5) New "method" of hiding file extension which is harder to see even if extensions are displayed.

We were all talking about this a week or two ago, but I'm too busy trying to get this pinball machine on eBay, so no time to search through old articles.

woof.

Get a Mail FIlter Already!!!

[seigniory]

Mail worms/virii/sausage - whatever - can be unbelievably contained with a simple attachment checking process - after Melissa, I implemented Mail Essentials (www.gfi.com) at my company - one server - 200k+ messages a day capacity - extention filtering ON.

Since then, we got hit with evey major email worm, but got infected by none - 1,000's of messages per incident blocked at the server - none made it to the internal Exchange box... they all get blocked at the "mailman" (block EXE, VBS, PIF, whetever)

The sender gets a "kindly" message saying "Sorry, we don't accept this extention type - try again".

It'll even scan for uncertified macros in Office Docs, filter spam (i.e. GREP searches), autorespond, basically a nice .procmail GUI. Works with any SMTP server.

It's amazing how a small company like us can spend the $1,500 to protect our mail system, while larger ones (i.e. employers of my roommates) would rather lose 4 hours of mail to one of these buggers.

It makes no sense NOT to use a simple filter - when will people learn. Until then, I'll just laugh.

Re:Get a Mail FIlter Already!!!

[ethereal]

I'd rather filter for a couple weeks until I installed a mail client that wasn't susceptible to this kind of stuff, and then quit worrying about the filter. But I suppose you could also use the filter for other somewhat useful things, like limiting attachment size, scanning for dirty words, etc. And if the bounce message informs the worm-ridden sender that they have a problem, then that's all for the better I guess.

Re:Get a Mail FIlter Already!!!

[ralmeida]

Put this in your server's /etc/procmailrc:

#LOGFILE=/var/log/procmail
#VERBOSE
VIRUSDUMP='/var/spool/virus'
GOTCHA=`formail -xTo:`

:0
*^Content-type: (multipart/mixed|application/octet-stream)
{
:0 HB
*^Content-Disposition: attachment;
*filename=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|ex e|js)"
{
:0 fhwc
| (formail -r -I"Precedence: junk" ; echo -e "Our mail server refuses e-mail messages with suspect attachments, like: \n\n vbs, wsf, vbe, wsh, hta, scr, pif, com, exe ou js.\n\nYour e-mail was not delivered.\n\nPlease contact webmaster@host if you have any questions.") | $SENDMAIL -t
:0
${VIRUSDUMP}
}
}

Re:This isn't a windows problem..

[Steveftoth]

Actually this is not an outlook problem at all. It doesn't even depend on outlook as it has it's own smtp engine. If you have an exploitable version of IE, then IE can be made to execute the content. Or it tries to trick the user into executing the text file included ( which is really a .pif file )

This isn't a problem if you use netscape or other non-ie code to view your mail. Pine works great, just not point and click.

Re:Where is the useful information?

[Howie]

Based on previous posts in the last week, there's not much reason not to rely on extensions - after all, IE and Windows do.

The reason the thing is treated as an executable is because the the .pif extension... there's no really good reason for anyone to want to send you a PIF file these days - they are more or less a DOS/Win3.x hangover. Block *.pif.

[agreed that useful info about the worm would be good too]

Re:Wrong again!

[cperciva]

Actually, ELF executables running under a normal user account CANNOT do the most interesting part, namely run their own SMTP server. Root access is required to open a low-numbered port.

Root access is required to bind to a low-numbered port, but not to connect to a remote service, which is all you need in order to send email.

Geez, don't people know at least the rudiments here?

Re:This would be worse in Linux

[afidel]

4) Own SMTP engine, so an Outlook script to warn that there's mail w/ attachments going out is useless. Linux is the perfect environment for a rouge program to set up its own little SMTP server and start spamming out copies of itself. The system is much more open to this kind of infection than a Windows-based machine.

Umm no only root can bind to low numbered ports (of which port 25 is a member)

5) New "method" of hiding file extension which is harder to see even if extensions are displayed. Again, for example, the worm writer could just make the file with a . in front of it and it would be hidden on most people's displays.

And no, it would need to be chmod executable. Now this part could be automated by a stupid mail client writer but there is no currently popular unix/linux email client that does this!

Not sure why this would only have a LOW risk....

[Lawmeister]

warning from McAfee, as look at the file listing that is attempted to be deleted (according to McAfee):

Files being Deleted on an example (win9x) system:
- c:\WINDOWS\1STBOOT.BMP
- c:\WINDOWS\ASD.EXE
- c:\WINDOWS\CLEANMGR.EXE
- c:\WINDOWS\CLSPACK.EXE
- c:\WINDOWS\CONTROL.EXE
- c:\WINDOWS\CVTAPLOG.EXE
- c:\WINDOWS\DEFRAG.EXE
- c:\WINDOWS\DOSREP.EXE
- c:\WINDOWS\DRWATSON.EXE
- c:\WINDOWS\DRWATSON
- c:\WINDOWS\DRWATSON\FRAME.HTM
- c:\WINDOWS\EMM386.EXE
- c:\WINDOWS\HIMEM.SYS
- c:\WINDOWS\HWINFO.EXE
- c:\WINDOWS\JAUTOEXP.DAT
- c:\WINDOWS\Kacheln.bmp
- c:\WINDOWS\Kreise.bmp
- c:\WINDOWS\LICENSE.TXT
- c:\WINDOWS\LOGOS.SYS
- c:\WINDOWS\LOGOW.SYS
- c:\WINDOWS\MORICONS.DLL
- c:\WINDOWS\NDDEAPI.DLL
- c:\WINDOWS\NDDENB.DLL
- c:\WINDOWS\NETDET.INI
- c:\WINDOWS\RAMDRIVE.SYS
- c:\WINDOWS\RUNHELP.CAB
- c:\WINDOWS\SCRIPT.DOC
- c:\WINDOWS\Setup.bmp
- c:\WINDOWS\SMARTDRV.EXE
- c:\WINDOWS\Streifen.bmp
- c:\WINDOWS\SUBACK.BIN
- c:\WINDOWS\SUPPORT.TXT
- c:\WINDOWS\TELEPHON.INI
- c:\WINDOWS\W98SETUP.BIN
- c:\WINDOWS\Wellen.bmp
- c:\WINDOWS\WIN.COM
- c:\WINDOWS\WIN.INI
- c:\WINDOWS\WINSOCK.DLL

That would seem to be pretty destructive to me... Also strange that we can only get a beta DAT file and there is no mention on McAfee's virus alert pages that this thing is out there... tisk tisk how many people will think this is a hoax and run it fscking up their systems...

Re:This would be worse in Linux

[grammar+fascist]

Umm no only root can bind to low numbered ports (of which port 25 is a member)

Contrary to popular belief - and it's really, really prevalent on Slashdot nowadays, of all places - you don't need an SMTP server to send an email. You just need a client.

All you need to do is open a connection to port 25 on an existing SMTP server to send an email to an address it assumes is its own, and send off a bunch of commands: HELO, MAIL FROM, RCPT TO, DATA, and QUIT.

Try it sometime. Telnet to a mail server on port 25, and type the following commands, without using the backspace key:

HELO heaven.gov
MAIL FROM: god@heaven.gov
RCPT TO: <actual email address>
DATA
I've been watching you. Your fly is down.
.

QUIT

Make sure the email address domain is one that the mail server will answer for, otherwise you'll get an error saying it won't relay for you. (Usually.) And make sure the user is a valid user on that domain. If those two requirements are met, you've sent an email - without needing an SMTP server, I might add.

So if you don't need a server, you don't need to bind a port, and a worm like this could spread through Linux systems the way it spreads through Windows systems.

Re:This would be worse in Linux

[moyix]

I've seen quite a few comments along the lines of "you don't need a server running to send e-mail!" While this is technically true, the fact of the matter is that this worm does (if I'm reading what's here correctly), in fact, run its own SMTP server. Therefore, in this specific instance at least, the worm's impact would be minimized by denying non-admins access to low ports.

Re:Am I the only one...?

[mrjohnson]

No, it just takes an idiot administrative staff/person to bring down the whole company.

Look, this virus executes automatically if you haven't applied the security patches to all the desktops in your company. An administrator worth his salt stops the virus at the door, long before the blasted things ever reach a user.

My company's email is first taken off the wire by postfix on Linux, because we trust it's security. Next it's relayed to a special anti-virus smtp server, which scans all the email, blocks any attachment types that we've disallowed, and then relays the email (finally) to our exchange server.

The anti-virus relay updates it's dat files every hour, every day of the week. On top of that, all the desktops in the company have virus scanners installed. When they log in, my python script will take care of updating their dat files from an internal mirror -- and if it's unsuccessful, they're told to contact the helpdesk, and then they're promptly booted out of Windows.

Since I've been at the company, there has not been one exploit of our security. Nor has there been one virus infection. Sometimes we have been lucky, but it's mostly preparation.

Don't blame the users. For god's sake, they think the *monitor* is their computer. Blame the staff, and hire some Linux administrators.

The great Outlook patch that nobody uses

[Mr_Silver]

Since this submission was rejected by the editors, I think that here is going to be as good a place as any for it.

Have a read of this article at Wired entitled "The Great MS Patch Nobody Uses". (brief extract below).

A free, downloadable update that transforms Microsoft's Outlook into a significantly more secure e-mail application has languished virtually ignored on Microsoft's website for more than a year.

Although the majority of recent viral attacks have come compliments of worms that don't rely only on e-mail to spread, the Outlook E-mail Security Update (OESU) can stop or greatly lessen the impact of most malicious code, such as BadTrans and SirCam, if only people would download and install it.

OESU blocks the receipt and transmission of most of the e-mail attachments that typically can contain virus or worm code. The update also stops malicious code from spreading by blocking unauthorized access to Outlook and its address book. Many viruses and worms spread by surreptitiously e-mailing themselves to e-mail addresses culled from an infected computer's system files.

Funny how if the other 99% of people had this patch then virus spreading would drop drastically.