Slashdot Mirror


Virus Piggybacks Microsoft Mail Worm

metacell writes "A virus (a version of the Chernobyl virus) infects an email worm executable (the Klez worm), and is spread along with it." It's a damn good *delete* thing that Microsoft has been *delete* spending the last few weeks doing a *delete* security audit *delete* of all of *delete* ah never mind. My wrist hurts from deleting over a meg of mail worm viruses a day.

18 of 534 comments

  1. Solution by Chardish · · Score: 5, Interesting

    Hmm, maybe Microsoft could just disable scripts in their email software? That sounds like a good option.

    No one uses Outlook macros anyway, except worm writers. It's common sense that I don't want any software, not just viruses, automatically sending email without my consent or confirmation (or even knowledge!)

    1. Re:Solution by Hemi+Rodner · · Score: 3, Interesting

      You can do it yourself.
      Options > Security > click on "Restricted sites zone". After that, click on "internet options" in the control panel, select "security" > Restricted sites, click on "custom level" and disable everything.

      --
      hemi
  2. Antiviral? by Ioldanach · · Score: 4, Interesting

    Now that someone's thought of infecting a virus with another virus, when will a white hat think of infecting Klez with some sort of antivirus? Let Klez think it's doing its work, but don't actually delete the files it's trying to delete. Then, a few weeks later, have code that just shuts down the Klez virus altogether.

  3. Evolution for Windows by justanyone · · Score: 5, Interesting

    Why isn't there a version of Evolution for windows? It's great software - I'd pay for it if it wasn't free. And, NO VIRUSES!!!

  4. Options? by InnereNacht · · Score: 5, Interesting

    Alright. I've been in the field for some time but have never really pursued this: What other options for email clients do we HAVE besides Outlook/Outlook Express in a Windows environment?

    I'm pretty sure that Eudora is still around, but what is out there for Windows-based, user-friendly software? It'd almost be worth the switch just to avoid all these damn Outlook-friendly virii.

  5. Liability for virus transfer by Anonymous Coward · · Score: 2, Interesting

    While it seems a little draconian, holding individual users liable for viruses that spread via their machines makes sense to me. I'd liken it to automobile collisions--if your failure to properly control your car on the road leads to someone else's property being damaged, you get sued. After all, the owner/operator of a computer, even a home PC, does have the ability to prevent their machine from becoming a vector--if not by picking secure software, then simply by disconnecting the machine from the Internet.

    If the incentive existed, individual users would tend to take more responsibility for what moves through their computers.

    And sure, most people with PCs and email today don't have a clue about virus transmission, but why should that be an excuse to let their irresponsible behavior cause damage to everyone else? Either get a clue, or leave the net to people who have one.

  6. Our duty to our users. by AmiNTT · · Score: 3, Interesting

    I'm a half-owner of a small web development company in Ottawa, Ontario (Canada). When we discuss email with our clients (new and old) we *strongly* warn them about the dangers of using MS Outlook (well, MS anything, really). Many are dumbfounded to find out that all the viruses, worms and macros are targeted at MS software. We urge them to change to something else. We should all be doing this. The more users we can get away from MS Outlook, will directly translate into less trouble for ourselves because who do they call? Certainly not Ghostbusters. ;-) Even if it means setting up just a few systems that don't use Outlook, the next time around something clever and nasty is released, those systems won't get infected. Then we bring that to the attention of the PHB's (Pointy Headed Boss, for you non-Dilbert readers). Explain that because those systems weren't infected, it saved x hours. Just about everyone that we have influence with has stopped using Outlook (with the exception of uncle Bob, but hey, that's his problem). It's saved us time and energy. In a way, it's our duty, as people in the know, to move them away from MS software. Why use software that is going to cause problems? Is Outlook so amazing that it is worth the hours of problems caused by virus outbreaks? I would say no. I like the kind of software that you install, it works and doesn't cause any troubles. Besides, migrating users to something else (Opera, Mozilla.. anything!) takes licencing bucks away from MS. ;-) And that's always a good thing.

    1. Re:Our duty to our users. by error0x100 · · Score: 2, Interesting

      Some people here are defending MS by saying that people should just "install all Microsoft security patches". Well, sure, in an ideal world, we would all be able to keep up-to-the-minute up to date with MS patches and anti-virus updates, and we would all have 15 minutes to 1 hour a day available to personally dedicate to updating our MS and AV software.

      In the real world though it doesn't work that way. We often go through very busy patches at work, and getting the latest AV update or d/ling the latest MS patches fall a few notches on the priority list. It's very easy to go one or two weeks without updating. It is a *practical* impossibility for real people to always keep their stuff up to date; most of us actually have work to get done and don't have the luxury of sitting down every day to do it.

      Furthermore, even if everyone did somehow manage to keep their software up to date, miraculous as that would be, it still wouldn't be enough, and it CAN NEVER BE enough, for the simple reason that anyone who discovers yet another exploit in Outlook will always be ahead of the patch writers and anti-virus authors. And downloading the latest updates doesn't always help either: I got hit with an Outlook virus at work in spite of having the AV software 100% up to date with "live update" - the AV auto-updates were at least a few days behind, and sure I was stupid for opening a strange attachment, but I honestly thought that I was safe because my software was up-to-the-minute patched (I did an update right before opening the file, just to be on the safe side, so much for that) (I opened the email because it resembled the sort of email I do sometimes get from foreigners asking me for help ..)

      Anyway, even if you manage to educate users to never open strange attachments (which is an annoying enough notion in itself, simply because there is a legitimate reason for the existence of email attachments, now some servers/companies don't even allow them at all), it still wouldn't be enough, as history has already shown us that some Outlook exploits don't even require user intervention at all, the email simply needs to drop into the inbox and it will execute. Sure, these are rare, but they exist, and the possibility for more of them is fair to good.

      The point is, no matter WHAT you do, as long as you use Outlook, you are NOT safe. And I remember when I used to use Outlook, there was always this constant, nagging 'fear' in the back of my mind whenever I checked my mail, knowing that I might be about to become yet another victim of the next Outlook-flavour-of-the-week virus. Probably what I like most about having switched to Pegasus is the peace of mind that is now possible when checking mail. Somewhat comparable to having protected vs unprotected sex, in the latter case the risk is in the back of your mind the whole time.

  7. You know what I find hilarious? by Qwerpafw · · Score: 3, Interesting

    It's ridiculously funny how email apps (outlook in particular) spread virii.

    Think back on a bunch of the copyright issues. Basically, one of the problems is that you are in trouble if your work can be used in illegal ways with great ease. That's why Napster got busted--the courts found that their system was often used for illegally violating copyright laws, and that they didn't do enough about it (saying "Don't steal music" != enough).

    Well, I am seeing potential lawsuits against Microsoft here. Clearly their software is commonly used for spreading virii, and clearly they, too, aren't doing enough about it.

    Suuuuuure. They say that security is a "focus," but nothing has really changed. So they obviously are condoning, even promoting, virus writing! Microsoft must be sued to stop them from spreading email virii. It's for the good of the country that this evil corporation must be kept from promoting the internet terrorism which costs taxpayers millions every year.

    Just a thought to keep you smiling. :)

  8. Why I find Klez so interesting... by bmooney28 · · Score: 5, Interesting

    Frankly I've been fascinated with the Klez virus for two reasons...

    First of all, I did some calculations, and found that there are over 1600 different subject line possibilities alone with this virus! This takes into consideration the number of variable words within the subject lines, and doesn't even account for the number of different message bodies. All things considered, there are probably over 10,000 possibilities!

    The second thing about Klez that I find interesting is the payload... You often get totally random files from people's computers (if they survive virus removal)... For example, one of my coworkers got the 2001 operating budget of her church, and was able to see how much everyone was paid, how much they blew on projects, etc... Opening your inbox is like opening presents on Christmas morning... most of the stuff is pretty boring, but every once in awhile you open something interesting!

  9. The Klez Worm's Little Friend by muerte24 · · Score: 3, Interesting

    I have pseudo-responsibility for our tiny network of about 15 computers. So some jackass has to use Outlook to sync his email with his expensive handheld, and he gets nailed by Klez.

    So Klez works even by simply previewing the message and launches itself. It has its own mail sending engine, and forges the From: field to look like it's real. It also copies past Subject: fields to fool the recipient.

    But this time, our little friend Klez has brought his little friend Elkern32. This nasty little guy infects executables on the infected computer, and is also network aware and infects files across the network. So even people who didn't use Outlook were infected. Some people had hundreds of infected programs on their computer.

    And a cool thing about Elkern is that it can randomly overwrite a file's bytes with all zeroes, while maintaining the file length. It can be nasty.

    All this because no one updates their virus definitions.

    Muerte

  10. Require PKC! by eddy · · Score: 5, Interesting

    Just because YOU don't want it doesn't mean it's not useful.

    You don't have to remove the functionality; just make it REQUIRE the script to be CRYPTOGRAPHICALLY SIGNED by a known entity, like the sysadmin.

    Fucking simple solution, unless you wanna argue that clients should execute code from UNKNOWN and UNTRUSTED sources for some reason?

    --
    Belief is the currency of delusion.
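
The policy proposed in the comment above, sketched as an added example (not part of the original thread, and not how Outlook itself behaves): a client that runs a script only when a detached Ed25519 signature from a provisioned signer verifies. The signer name `sysadmin`, the `TrustStore` type and the sample script are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownSigner = errors.New("signer is not in the trusted list")
	ErrBadSignature  = errors.New("signature does not match script")
)

// TrustStore maps a signer name to the public key provisioned on the client.
type TrustStore map[string]ed25519.PublicKey

// Authorize returns nil only if sig is a valid signature over script
// made by a signer the client already trusts. Anything else is refused.
func (t TrustStore) Authorize(signer string, script, sig []byte) error {
	pub, ok := t[signer]
	if !ok {
		return ErrUnknownSigner
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, script, sig) {
		return ErrBadSignature
	}
	return nil
}

// demoDecisions runs four constructed cases and returns the verdict for each.
func demoDecisions() []error {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical "sysadmin" key
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)     // key the client never trusted
	trust := TrustStore{"sysadmin": adminPub}

	script := []byte(`MsgBox "quarterly report macro"`) // constructed sample script
	good := ed25519.Sign(adminPriv, script)
	tampered := append(append([]byte{}, script...), "\n' line added in transit"...)
	foreign := ed25519.Sign(strangerPriv, script)

	return []error{
		trust.Authorize("sysadmin", script, good),    // signed by the admin: allowed
		trust.Authorize("sysadmin", tampered, good),  // modified after signing: refused
		trust.Authorize("sysadmin", script, foreign), // signed with another key: refused
		trust.Authorize("stranger", script, foreign), // signer not provisioned: refused
	}
}

func main() {
	for i, err := range demoDecisions() {
		fmt.Printf("case %d: run=%v (%v)\n", i+1, err == nil, err)
	}
}
```

The check fails closed: a script with no signature, a signature over different bytes, or a signer absent from the trust store is never handed to the interpreter.
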
  11. Re:Braaaa-ziiiilllllll by pohl · · Score: 2, Interesting

    It was also illegal for you to conduct your own repairs, even if the works were right behind a panel in the wall of your own apartment. There was a scene where the official repairmen finally arrived (a short-fat/tall-skinny pair like Laurel & Hardy) almost catching the rogue repairman in the act, and they were very dubious about the plumbing just "fixing itself". (The source is closed; thou shalt not touch...) Add to that the constant restaurant bombs and the botulism toxins that people are injecting to look younger, and you have a movie that was a frighteningly accurate prediction of the future.

    --

    The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  12. Did someone think of it, or did it just happen. by mindstrm · · Score: 4, Interesting

    I say this because it isn't the first time 2 viruses have bonded together. I recall many moons ago when a couple other viruses got together.
    Viruses usually employ a mechanism to detect if a file is already infected, so they don't keep adding to the size of the file. One used a marker at the beginning of the file to decide if it was infected, one at the end. So the first virus infected the file, the second came along (modifying the beginning as per normal virus behavior, and adding its marker to the end), then the first came along again and saw the file was not infected so infected it again. Then things stayed the same.

    So it would show up as containing virus A, but you could not disinfect it properly, because it would just re-infect as soon as it was run. B wouldn't show up because B was actually a layer down.

    On a side note.. the #1 thing that has reduced the number of viruses coming out of my office has been to ban the use of Outlook/Outlook Express.

  13. Re: New Anti-Terrorism Laws put to good use? by Black+Parrot · · Score: 4, Interesting


    > but wouldn't you love to see SWAT teams breaking down doors to seize copies of Outlook?

    They already do that, except that it's federal marshals instead of SWAT teams, and it's done for aggregated petty theft instead of mass murder.

    Oh, well... our society almost has it right.

    --
    Sheesh, evil *and* a jerk. -- Jade
  14. Klez got infected by accident? by oldmacdonald · · Score: 3, Interesting

    This is really cool. From the article:

    "As far as (Chernobyl) is concerned, the Klez worm is just another file to infect," Weafer said. "It's quite common to see piggybacking effects when you have worms that have been propagating for a long time in the world."

    So it is likely not that someone was trying to make Klez worse, it just happened on its own.

  15. Use this for something good by pommaq · · Score: 2, Interesting

    Hey, why not put an update for Outlook as payload and spread it around?

  16. Re:New Anti-Terrorism Laws put to good use? by bleckywelcky · · Score: 3, Interesting


    Um, troll, no.

    When Boeing originally sells a plane, it works perfectly. When MS sells Outlook, it should work perfectly, but doesn't. As time goes on, the plane ages and stops working perfectly. As time goes on, Outlook does not age, and should continue to work perfectly (theoretically), but still continues to not work perfectly. As time goes on, if flaws are found in a Boeing plane that result in a plane crash (not due to aging), Boeing is responsible. As time goes on, if flaws are found in Outlook and cause electronic havoc, MS is responsible. If someone chooses to take a Boeing plane and intentionally crash it into a building, Boeing is not at fault. If someone takes Outlook and intentionally uses it to spread a virus, or commit other malicious behavior, MS is not at fault.

    Capiche? Or is that too complicated for you?

    Now, if Boeing designed the navigation systems of its planes with a bug that caused them to direct towards and crash into any nearby buildings by default, then Boeing is at fault.