Virus Piggybacks Microsoft Mail Worm
metacell writes "A virus (a version of the Chernobyl virus) infects an email worm executable (the Klez worm), and is spread along with it. "
It's a damn good *delete* thing that Microsoft has been *delete* spending the last few weeks
doing a *delete* security audit *delete* of all of *delete* ah never mind. My wrist hurts
from deleting over a meg of mail worm viruses a day.
Chernobyl virus rides Klez's coattails
By David Becker
Staff Writer, CNET News.com
May 6, 2002, 12:30 PM PT
The Klez worm just keeps on giving.
The persistent pest, which made a strong comeback last month in the form of the Klez.h variant, is now helping revive the Chernobyl virus, according to a new report from antivirus company Symantec.
The report says that a virus known as W95.CIH.1049, a slight variation of the W95.CIH bug dubbed the Chernobyl virus when it began spreading four years ago, has been detected in recent infections of the Klez worm. The main difference with the new virus is that it's set to activate on Aug. 2 of every year, as opposed to the April 26 attack date of the original Chernobyl.
Vincent Weafer, senior director of Symantec's Security Response team, said the company began seeing Chernobyl-infected messages last week, but they continue to account for only a handful of the thousands of Klez infested messages the company sees daily. Weafer said the viral bonus wasn't intentional but rather a by-product of Chernobyl-infected PCs also propagating the Klez worm.
"As far as (Chernobyl) is concerned, the Klez worm is just another file to infect," Weafer said. "It's quite common to see piggybacking effects when you have worms that have been propagating for a long time in the world."
Even though Chernobyl is ancient by virus standards and easily detected by almost any antivirus software, Weafer said it's not unusual to have bugs still making the rounds years after their debut.
"When you look back at viruses, you see recurrences," Weafer said. "They can live for many years out in the wild."
The first version of the Klez worm surfaced early last year, with subsequent variations causing damage ranging from moderate to minor. Bug writers hit pay dirt with the Klez.h variant, however, which quickly became one of the most active worms ever after it surfaced last month.
Moscow-based security company Kaspersky Labs recently ranked Klez as by far the most active e-mail threat in April, responsible for 94.5 percent of all incidents reported during the month.
British e-mail screening firm MessageLabs ranks Klez.h as No. 3 on its list of all-time most active computer pests, with more than 391,000 infections intercepted. At current rates of infection, Klez.h should surpass the No. 2 bug, BadTrans.b, in a few days. It'll have a long way to go, however, to catch the all-time champ, the SirCam worm, still going strong with more than 748,000 interceptions to date.
Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
For anyone interested, this is all you need by way of procmail filter in order to never see any of this crap (kills executable attachments).

# Drop any message whose body carries an application/audio part with an executable-type file name
:0 B
*^Content-Type: (application|audio)
*^.*name=.*\.(vb[esx]|jse?|ws[hf]|c[ho]m|bat|cmd|shb|hta|exe|lnk|pif|scr|shs)
/dev/null
Forte Agent is what I use for email and newsreading. I'm pretty happy
with it so far and have gotten 0 virii/worms. It doesn't render HTML, but I
consider that a feature. I use it on an individual basis, so I can't intelligently talk about its use by a larger group. You can even download it for 30 days free
to check it out.
See Agent Product Page for more information.
(disclaimer: I don't work for Forte, I'm just a satisfied customer.)
Now I dislike MS as much as the next man, but let's not blame them for all virus emails.
Most (but not all) email virus/worms are Javascript, Visual Basic or .EXE files that are sent by email. Clueless users double click on these because they are...well...clueless, and think that they are games/pictures/nudey photos of Kournikova, whatever. This activates them, and allows the worm to read the address book and either use Outlook or its own SMTP routine to send itself to all the people in the address book.
MS put the "double click" functionality in to make people's lives easier, and on the whole, they have. Outlook is very easy to use and this is one of the reasons it's so widespread (another being that it's very powerful, but that's going off topic). Combine this ease of use with how common MS Outlook is, and you'll see why virus writers write viruses for it. If some new Mail client became as popular, don't think for a minute that it wouldn't have similar viruses.
All that it takes to stop viruses like Klez is for the mail administrator to block attachments with .exe, .js and .vbs extensions (plus some other little tricks) and this kills 99.9% of viruses stone dead. Either that, or get your user base educated enough to not blithely double click on everything they see.
I'm not talking here about some of the rather more ominous security holes in Outlook - those that allow code to run by previewing the message - because anyone who hasn't patched that yet is a moron. And there are a couple of holes which MS should be hauled over hot coals for, but they aren't exactly the only software firm to produce insecure software.
Never mind the Klez virus, those elaborate virus hoaxes are far more annoying because you need to educate the person that emailed you about it that it is in fact a hoax. One only has to look at the latest hoax that tricks users into thinking jdbgmgr.exe, the Microsoft Debugger Registrar for Java, is a virus.
aus.music.scrapbook
The Bat of course, seriously, check this mail client out, it has all the features you could want...Includes PGP encryption as standard too. I use The Bat all the time.
Laptop Reviews
Unfortunately, my sources tell me the Outlook and Office team at Microsoft insisted on putting it in--over the objections of the Visual Basic team who knew it was a bad idea from the start. The Office logic was "We make more revenue, we want it, you have to do it." Now if only MS would get stuck with some major suits over it they would clean up their act.
"Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
- Eudora (www.eudora.com)
- Netscape/Mozilla/Opera E-Mail Clients
- Pegasus Mail (www.pmail.com)
- PM Mail 2000 (www.pmmail2000.com)
My university uses Pegasus, my favorite is Balsa (Linux/X Windows), Pine ('nix/Cmd Line) or Eudora (Winblows).
How about you just educate yourself and your coworkers instead? Email viruses are not just about the program used - they are also about ignorance. Here is a hint to get you started:
1) Apply all security patches from Microsoft.
I was just interrupted as I was typing this by a coworker asking me about a virus (talk about synchronicity). We don't use Outlook and she wasn't infected but she printed out the email and showed it to me. Sure enough - whatever.scr. I told her to delete it immediately.
Why did she ask me first and not print it? Because we have a policy here - which brings me to point 2:
2) Don't open anything that isn't work related.
3) All computers show all extensions on files.
4) Only open files that you expected with .xls or .doc extensions only (no .doc.js, etc.).
5) If you get anything else - then ask me or somebody else informed about the latest viruses.
6) When in doubt, call the sender and ask if they intended to send the email.
With all of these in place, when a virus is sent to one of our employees it does not propagate.
I leave you with this thought. A few weeks ago somebody in another department received an email warning about a virus going around. The email said to email this warning to EVERYBODY IN YOUR ADDRESS BOOK. One of my coworkers received the email and asked me about it. Of course it was a hoax and I wrote an email back to the original sender telling her that she basically just sent out a manual email. If everybody sent out that email to everybody in their address book it would be a disaster. The moral of the story - ignorance is the worst virus.
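The two suggestions above (the procmail recipe that drops messages carrying executable-type attachment names, and the policy of opening only expected .xls/.doc files and refusing double extensions like .doc.js) amount to the same check: look at the final extension of every attachment name, not at what the mail claims the part is. The following Python is an added example written for this page, not code from any of the posters; it re-implements the procmail extension list over a parsed MIME message and adds an allow-list variant for the "expected files only" policy. It goes beyond the procmail rule in one way: it inspects every part regardless of the declared Content-Type, because that header is attacker-controlled and a worm can label an .scr as audio/x-wav. The sample message is constructed for the demonstration.

```python
"""Extension-based attachment filtering: a Python analogue of the thread's
procmail recipe plus the 'only expected .xls/.doc' allow-list policy.
Added example for this page; not code from the original posters."""
import email
from email import policy

# The extensions spelled out by the procmail regex in the thread:
# vb[esx], jse?, ws[hf], c[ho]m, bat, cmd, shb, hta, exe, lnk, pif, scr, shs
BLOCKED_EXTENSIONS = frozenset({
    "vbe", "vbs", "vbx", "js", "jse", "wsf", "wsh", "com", "chm",
    "bat", "cmd", "shb", "hta", "exe", "lnk", "pif", "scr", "shs",
})


def final_extension(filename):
    """Return the last extension of a file name, lowercased, or '' if none.

    'Report.doc.JS' -> 'js'.  The last extension is what the Windows shell
    uses to pick the handler, and it is the one Explorer hides by default,
    which is exactly how 'photo.jpg.exe' passes for a picture.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def attachment_names(msg):
    """Yield (content_type, filename) for every leaf part that names a file.

    get_filename() reads Content-Disposition filename= first and falls back to
    Content-Type name=, which is the parameter the procmail rule matches on.
    """
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield part.get_content_type(), name


def blocked_attachments(raw):
    """Deny-list check (the procmail policy): attachments with executable
    final extensions, as (filename, declared content type) pairs.
    Every part is checked, whatever type it claims to be."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(name, ctype) for ctype, name in attachment_names(msg)
            if final_extension(name) in BLOCKED_EXTENSIONS]


def unexpected_attachments(raw, allowed=("xls", "doc")):
    """Allow-list check (the office policy in the thread): attachment names
    whose final extension is not one of the expected document types.
    'budget.doc.js' fails because its final extension is 'js'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    allowed = {a.lower() for a in allowed}
    return [name for _, name in attachment_names(msg)
            if final_extension(name) not in allowed]


# Constructed sample: a worm-style message that declares its .scr as audio,
# alongside a legitimate spreadsheet.  Base64 bodies are placeholders.
SAMPLE = b"""From: someone@example.com
To: you@example.com
Subject: a funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

have a look
--BOUND
Content-Type: audio/x-wav; name="game.doc.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="game.doc.scr"

TVqQAAMAAAAEAAAA
--BOUND
Content-Type: application/vnd.ms-excel; name="budget.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="budget.xls"

AAAA
--BOUND--
"""

if __name__ == "__main__":
    print("blocked:", blocked_attachments(SAMPLE))
    print("not on allow-list:", unexpected_attachments(SAMPLE))
```

Run it and the .scr is caught by both checks while budget.xls passes; note that neither check inspects content, so a macro-bearing .doc or .xls still gets through, which is why the thread's policy pairs the extension rule with asking the sender and keeping patches current.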
The thing to be aware of is that the latest versions of Eudora, by default, use IE to read e-mail that contains HTML. It is the same control that Outlook uses to view mail. If you don't turn it off Eudora will also automatically execute attachments if they exploit a vulnerability in IE.
On the bright side, you can switch it off and use Eudora's built in viewer.
http://www.iss.net/security_center/static/8609.php
To Do: 1. Take over world 2. Pick up Milk and Bread on the way home
First of all... AmigaOS free of virii? Huh? I encountered a lot of boot sector viruses back in those days. Oh, and my favorite was the arguments about the virus that supposedly embedded itself in A500 memory expansion clock.
Now as far as what Microsoft can do, let's look at your list and what they have done.
10. Done. New versions of Outlook by default disable scripting.
9. Windows XP automatically downloads security patches. This functionality should be extended to universally cover Office and other products as well.
8. Done. New versions of Outlook by default will warn a user if an external app is trying to use it to send email, and further warn if it's being used rapidly.
7. Pretty much done with WinXP. There are a few settings relating to domain authentication that can be strengthened by default. I think they are not because it would cause connectivity issues with older NT domains.
6. That would be virus protection and step on third parties like Norton and McAfee.
5. That's not Microsoft's responsibility.
4. Again virus protection.
3. Again virus protection.
2. Done. This is part of the Active Directory integration.
1. Process auditing has been part of NT since the very beginning. What you want is reporting on that, and I don't think you fully appreciate just how big of a task this would be. This functionality is really only useful in more secure DoD installations because of the scope.
Hold microshit accountable for their irresponsible coding practices! Sue their asses!
This how-to guide gives step by step instructions (with pictures, yay!) on how to secure an Outlook client.
The World is Yours.