Virus Piggybacks Microsoft Mail Worm
metacell writes "A virus (a version of the Chernobyl virus) infects an email worm executable (the Klez worm), and is spread along with it. "
It's a damn good *delete* thing that Microsoft has been *delete* spending the last few weeks
doing a *delete* security audit *delete* of all of *delete* ah never mind. My wrist hurts
from deleting over a meg of mail worm viruses a day.
Hmm, maybe Microsoft could just disable scripts in their email software? That sounds like a good option.
No one uses Outlook macros anyway, except worm writers. It's common sense that I don't want any software, not just viruses, automatically sending email without my consent or confirmation (or even knowledge!)
Now that someone's thought of infecting a virus with another virus, when will a white hat think of infecting Klez with some sort of antivirus? Let Klez think it's doing its work, but don't actually delete the files it's trying to delete. Then, a few weeks later, have code that just shuts down the Klez virus altogether.
Since Outlook is propagating virii, it is responsible for electronic havoc. According to the new legislation, that classifies Outlook as an electronic terrorism program. Ok, so I'm dreaming, but wouldn't you love to see SWAT teams breaking down doors to seize copies of Outlook?
I am !amused.
Just deleted this klez mail:
Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic, most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once, and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm, some AV monitor maybe cry when you run it.
If so, ignore the warning, and select 'continue'.
If you have any question, please mail to me.
Of course, an infected file was attached with the mail.
Why isn't there a version of Evolution for windows? It's great software - I'd pay for it if it wasn't free. And, NO VIRUSES!!!
Unitarian Church: Freethinkers Congregate!
Alright. I've been in the field for some time but have never really pursued this: What other options for email clients do we HAVE besides Outlook/Outlook express in a windows environment?
I'm pretty sure that Eudora is still around, but what is out there for windows-based, user friendly software? It'd almost be worth the switch just to avoid all these damn Outlook-friendly virii.
Because, there hasn't been an Outlook patch kicking around for some time now. And because no open-source software has bugs. Ever.
So, in short, there's two lines of Microsoft bashing there, accompanying a really dull story about a virus that no AV software has any trouble detecting?
Must be the slow season I guess.
No matter how good a patch is, some people will always remain unpatched/unupgraded. And some of those people also get viruses and everybody gets irritated by that. I mean, every time I check someone else's PC it ain't patched.
If at first you don't succeed, then sky diving definitely isn't for you.
Legislation containing the language "BWUHAHAHAHA", while not specifically prohibited by the Constitution, has historically been held in disdain by the Supreme Court.
Karma: Good (despite my invention of the Karma: sig)
Anyone else wonder why GnomeKing is using Outlook?
I'm a half-owner of a small web development company in Ottawa, Ontario (Canada). When we discuss email with our clients (new and old) we *strongly* warn them about the dangers of using MS Outlook (well, MS anything, really). Many are dumbfounded to find out that all the viruses, worms and macros are targeted at MS software. We urge them to change to something else. We should all be doing this. Every user we can get away from MS Outlook will directly translate into less trouble for ourselves, because who do they call? Certainly not Ghostbusters. ;-)
Even if it means setting up just a few systems that don't use Outlook, the next time around something clever and nasty is released, those systems won't get infected. Then we bring that to the attention of the PHBs (Pointy-Headed Boss, for you non-Dilbert readers). Explain that because those systems weren't infected, it saved x hours.
Just about everyone that we have influence with has stopped using Outlook (with the exception of uncle Bob, but hey, that's his problem). It's saved us time and energy.
In a way, it's our duty, as people in the know, to move them away from MS software. Why use software that is going to cause problems? Is Outlook so amazing that it is worth the hours of problems caused by virus outbreaks? I would say no.
I like the kind of software that you install, it works and doesn't cause any trouble.
Besides, migrating users to something else (Opera, Mozilla... anything!) takes licensing bucks away from MS. ;-) And that's always a good thing.
It's ridiculously funny how email apps (outlook in particular) spread virii.
:)
Think back on a bunch of the copyright issues. Basically, one of the problems is that you are in trouble if your work can be used in illegal ways with great ease. That's why Napster got busted: the courts found that their system was often used for illegally violating copyright laws, and that they didn't do enough about it (saying "Don't steal music" != enough).
Well, I am seeing potential lawsuits against Microsoft here. Clearly their software is commonly used for spreading virii, and clearly they, too, aren't doing enough about it.
Suuuuuure. They say that security is a "focus," but nothing has really changed. So they obviously are condoning, even promoting, virus writing! Microsoft must be sued to stop them from spreading email virii. It's for the good of the country that this evil corporation must be kept from promoting the internet terrorism which costs taxpayers millions every year.
Just a thought to keep you smiling.
First of all, I did some calculations, and found that there are over 1600 different subject line possibilities alone with this virus! This takes into consideration the number of variable words within the subject lines, and doesn't even account for the number of different message bodies. All things considered, there are probably over 10,000 possibilities!
The second thing about Klez that I find interesting is the payload... You often get totally random files from people's computers (if they survive virus removal)... For example, one of my coworkers got the 2001 operating budget of her church, and was able to see how much everyone was paid, how much they blew on projects, etc... Opening your inbox is like opening presents on Christmas morning... most of the stuff is pretty boring, but every once in a while you open something interesting!
Okay, as a long-time Mac user and a reader of Linux sites like this, I know that Windows carries a massively larger burden of virii than other operating systems out there. Time and time again, I have heard it said that this is due to their market share - hackers want to be seen and thus make their virii attackers of the software that most people have. But this really rings hollow for me - the MacOS has always been relatively free of virii, as has Linux, as has BSD, as has AmigaOS, as has BeOS etc. This seems to imply that maybe aside from market share, Microsoft engineers (or marketing staff) are doing something wrong.
Let's take a constructive approach to this topic. With so many SysAdmins out there, what are the TOP TEN things that Microsoft (or any OS maker) can do to prevent virii? I am just a humble Business Analyst, but here are a few ideas that come to mind for me (I hope the coders will forgive my ignorance on some of the finer points):
10. Disable scripting in certain programs (e-mail) by default.
9. Automatically download security patches to PCs if they are of a sufficient severity level (but put measures in place to make sure the same mechanism is not used to transmit virii/worms)
8. Auto-detect large numbers of e-mails being sent at once and alert users before sending
7. Make the default install for all systems the most secure install
6. Create a system to auto-report virus/worm infections to a central (independent) agency for monitoring (a user-selectable kill switch for this functionality should be available though)
5. Allow purchase of "health insurance" for PCs by Microsoft to reimburse for lost productivity/hardware due to infection - monetary incentive for MS to push quality and security
4. Create a module of the OS to track virus reports/alerts and display them in the taskbar - produces one trusted source for alerts and to decrease the effectiveness of e-mail hoaxes
3. Integrate virus alerts into the mail program for incoming e-mails - advise users when a known large-scale e-mail virus/worm is out there to decrease opening of infected mail.
2. Give sysadmins the ability to change e-mail setting for all users when a large-scale outbreak is going, to specifically turn off scripting, html reading, java, etc.
1. Provide a method for a daily audit of all processes running on a machine to identify all those not initiated by the user, and flag those taking part in suspicious activity.
Not sure if those are insightful or lame. But feel free to improve upon this list, ad infinitum.
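Item 8 in the list above (spot a burst of outgoing mail and stop it before it leaves) is the one that can be prototyped with a few lines of code. The following is an added example written for this page, not code from the poster or from any mail client: a per-sender sliding-window detector run over a constructed outbound-mail log. The log format, the account names and the thresholds (10 messages or 8 distinct recipients within 60 seconds) are all assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed outbound-mail log. Format assumed for this example:
#   "<ISO-8601 timestamp> <sending account/host> -> <recipient>"
# alice is an ordinary user; pc-17 is a machine mass-mailing the way a worm does.
SEND_LOG = "\n".join(
    [
        "2002-04-22T09:00:01 alice@corp.example -> bob@corp.example",
        "2002-04-22T09:20:10 alice@corp.example -> carol@corp.example",
        "2002-04-22T09:45:33 alice@corp.example -> dave@partner.example",
    ]
    + [f"2002-04-22T10:15:{i:02d} pc-17@corp.example -> user{i}@victim.example"
       for i in range(30)]
)


def parse_line(line: str) -> Tuple[datetime, str, str]:
    ts, sender, arrow, rcpt = line.split()
    assert arrow == "->", "unexpected log format"
    return datetime.fromisoformat(ts), sender, rcpt


class BurstDetector:
    """Sliding-window counter per sender: too many messages, or too many
    distinct recipients, inside `window_s` seconds raises an alert."""

    def __init__(self, window_s: int = 60, max_msgs: int = 10, max_rcpts: int = 8):
        self.window = timedelta(seconds=window_s)
        self.max_msgs = max_msgs
        self.max_rcpts = max_rcpts
        self.recent: Dict[str, Deque[Tuple[datetime, str]]] = {}

    def observe(self, ts: datetime, sender: str, rcpt: str) -> Optional[dict]:
        q = self.recent.setdefault(sender, deque())
        q.append((ts, rcpt))
        # Drop events that have aged out of the window (log assumed time-ordered per sender).
        while q and ts - q[0][0] > self.window:
            q.popleft()
        uniq = len({r for _, r in q})
        if len(q) > self.max_msgs or uniq > self.max_rcpts:
            return {"ts": ts.isoformat(), "sender": sender,
                    "msgs_in_window": len(q), "unique_rcpts": uniq}
        return None


def scan_log(text: str, **thresholds) -> List[dict]:
    """Replay a log through the detector and collect every alert it raises."""
    det = BurstDetector(**thresholds)
    alerts = []
    for line in text.strip().splitlines():
        hit = det.observe(*parse_line(line))
        if hit:
            alerts.append(hit)
    return alerts


def flagged_senders(text: str, **thresholds) -> set:
    return {a["sender"] for a in scan_log(text, **thresholds)}


if __name__ == "__main__":
    for a in scan_log(SEND_LOG)[:3]:
        print(a)
```

Two practical notes. Key the counter on the authenticated account or originating host, not the From: header: as a later post in this thread points out, Klez forges From:, so a header-based key would spread a single machine's burst across many innocent senders. And the alert should feed a "hold and ask the user" step, as the list item says, rather than a silent drop, since legitimate mailing-list posts and calendar blasts look the same to a counter.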
So Klez works even by simply previewing the message and launches itself. It has its own mail sending engine, and forges the From: field to look like it's real. It also copies past Subject: fields to fool the recipient.
But this time, our little friend Klez has brought his little friend Elkern32. This nasty little guy infects executables on the infected computer, and is also network aware and infects files across the network. So even people who didn't use Outlook were infected. Some people had hundreds of infected programs on their computer.
And a cool thing about Elkern is that it can randomly overwrite a file's bytes with all zeroes, while maintaining the file length. It can be nasty.
All this because no one updates their virus definitions.
Muerte
You don't have to remove the functionality; just make it REQUIRE the script to be CRYPTOGRAPHICALLY SIGNED by a known entity, like the sysadmin.
Fucking simple solution, unless you wanna argue that clients should execute code from UNKNOWN and UNTRUSTED sources for some reason?
Belief is the currency of delusion.
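The gate the post above describes (keep scripting, but refuse to run anything that is not signed by a known entity) is small enough to sketch. This is an added example written for this page, not code from the poster or from any mail client. It uses HMAC-SHA256 from the Python standard library as a stand-in for a real signature, so the "sysadmin" key is an assumed shared secret that both the signing workstation and the mail client hold; a production deployment would use an asymmetric scheme so that clients hold only a public key and cannot mint signatures themselves. The attachment names, the trust store and the script bodies are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed trust store: signer id -> verification key. The key material is
# an assumption for this example; a real deployment would hold public keys.
TRUSTED_SIGNERS: Dict[str, bytes] = {
    "sysadmin": b"assumed-sysadmin-signing-key",
}
# Domain separator so a MAC computed over unrelated data cannot be replayed
# as a script signature.
DOMAIN = b"mail-script-signature-v1\x00"


def sign_script(script: bytes, key: bytes) -> str:
    """Produce the hex MAC the signer attaches to a script (HMAC-SHA256 stand-in)."""
    return hmac.new(key, DOMAIN + script, hashlib.sha256).hexdigest()


@dataclass
class ScriptAttachment:
    filename: str
    body: bytes
    signer: Optional[str] = None
    signature: Optional[str] = None


def verify_attachment(att: ScriptAttachment,
                      trusted: Dict[str, bytes] = TRUSTED_SIGNERS) -> Tuple[bool, str]:
    """Gate: allow only a script carrying a valid MAC from a known signer."""
    if not att.signer or not att.signature:
        return False, "unsigned"
    key = trusted.get(att.signer)
    if key is None:
        return False, "unknown signer " + att.signer
    expected = sign_script(att.body, key)
    # Constant-time comparison so a forger cannot time-guess the MAC byte by byte.
    if not hmac.compare_digest(expected, att.signature):
        return False, "signature does not match body (tampered or wrong key)"
    return True, "signed by " + att.signer


def on_open(att: ScriptAttachment) -> str:
    """What the mail client does when the user (or the preview pane) opens the
    attachment. Execution is simulated by returning a string."""
    ok, reason = verify_attachment(att)
    return ("RAN " if ok else "BLOCKED ") + att.filename + ": " + reason


def demo() -> Dict[str, str]:
    """Four constructed attachments: one legitimate, three that must be refused."""
    admin_key = TRUSTED_SIGNERS["sysadmin"]
    cleanup = b"' constructed housekeeping script\nCall CleanInbox()"
    good = ScriptAttachment("cleanup.vbs", cleanup, "sysadmin",
                            sign_script(cleanup, admin_key))
    # Same signature, but the body was altered in transit.
    tampered = ScriptAttachment("cleanup.vbs", cleanup + b"\nCall MailAll()",
                                "sysadmin", good.signature)
    # A worm dropper: no signature at all.
    worm = ScriptAttachment("immunity.exe", b"MZ...constructed payload...")
    # Signed, but by a key the client has never been told to trust.
    rogue = ScriptAttachment("gift.vbs", b"Call MailAll()", "evil",
                             sign_script(b"Call MailAll()", b"attacker-key"))
    return {a.filename + "/" + tag: on_open(a)
            for tag, a in [("good", good), ("tampered", tampered),
                           ("worm", worm), ("rogue", rogue)]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The order of the checks matters: the signer is looked up before any MAC is computed, so an attachment naming an unknown signer is rejected without touching key material, and the body/signature comparison is the last step and is constant-time.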
Can't patch this! (stupid repetitive music) Can't patch this!
I say this because it isn't the first time two viruses have bonded together. I recall many moons ago when a couple of other viruses got together.
Viruses usually employ a mechanism to detect if a file is already infected, so they don't keep adding to the size of the file. One used a marker at the beginning of the file to decide if it was infected, one at the end. So the first virus infected the file, the second came along (modifying the beginning as per normal virus behavior, and adding its marker to the end), then the first came along again and saw the file was not infected so infected it again. Then things stayed the same.
So it would show up as containing virus A, but you could not disinfect it properly, because it would just re-infect as soon as it was run. B wouldn't show up because B was actually a layer down.
On a side note.. the #1 thing that has reduced the number of viruses coming out of my office has been to ban the use of outlook/outlook express.
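The marker mix-up described in the post above is easy to reproduce on bytes. What follows is an added toy model written for this page, not code from the poster and not a reconstruction of any real virus pair: two prepending "viruses", A keeping its already-infected marker at the start of the file and B keeping its marker at the end. The names A_MARK, B_MARK, A_BODY, B_BODY and the host program are all invented, and "running" the file is simulated by letting each virus whose code is present try to infect it.

```python
from typing import Dict, List

# Invented markers and bodies for the toy model.
A_MARK = b"<A-MARK>"      # virus A: marker lives at the BEGINNING of the file
B_MARK = b"<B-MARK>"      # virus B: marker lives at the END of the file
A_BODY = b"[A-code]"
B_BODY = b"[B-code]"
HOST = b"[original program]"


def a_infected(f: bytes) -> bool:
    return f.startswith(A_MARK)


def b_infected(f: bytes) -> bool:
    return f.endswith(B_MARK)


def infect_a(f: bytes) -> bytes:
    """Virus A prepends marker + body unless its marker is already first."""
    return f if a_infected(f) else A_MARK + A_BODY + f


def infect_b(f: bytes) -> bytes:
    """Virus B also prepends its body (normal prepender behaviour) but keeps its
    marker at the END; the prepend pushes A's marker away from the start."""
    return f if b_infected(f) else B_BODY + f + B_MARK


def disinfect_a(f: bytes) -> bytes:
    """Naive AV cleaner: strip the one outermost A layer it can see."""
    head = A_MARK + A_BODY
    return f[len(head):] if f.startswith(head) else f


def execute(f: bytes) -> bytes:
    """Running the file lets every virus whose code is present try to (re)infect it."""
    out = f
    if A_BODY in f:
        out = infect_a(out)
    if B_BODY in f:
        out = infect_b(out)
    return out


def entry_point_scan(f: bytes) -> str:
    """A scanner that only looks at the code sitting at the entry point."""
    if f.startswith(A_MARK + A_BODY):
        return "A"
    if f.startswith(B_BODY):
        return "B"
    return "clean"


def layers(f: bytes) -> List[str]:
    """Peel the file from the outside in and list which virus owns each layer."""
    found: List[str] = []
    while True:
        if f.startswith(A_MARK + A_BODY):
            found.append("A")
            f = f[len(A_MARK + A_BODY):]
        elif f.startswith(B_BODY) and f.endswith(B_MARK):
            found.append("B")
            f = f[len(B_BODY):-len(B_MARK)]
        else:
            return found


def demo() -> Dict[str, bytes]:
    f1 = infect_a(HOST)
    f2 = infect_b(f1)                 # B's prepend hides A's marker from A
    f3 = infect_a(f2)                 # A sees "not infected" and adds itself again
    stable = infect_a(infect_b(f3))   # now both markers are where each virus looks
    cleaned = disinfect_a(f3)         # AV strips the A layer it can see...
    rerun = execute(cleaned)          # ...and the file re-infects the moment it runs
    return {"f3": f3, "stable": stable, "cleaned": cleaned, "rerun": rerun}


if __name__ == "__main__":
    for name, blob in demo().items():
        print(f"{name:8s} layers={layers(blob)} entry={entry_point_scan(blob)}")
```

The `layers` helper is the part a cleaner actually needs: peeling from the outside in shows the A/B/A sandwich, whereas `entry_point_scan` sees only the outermost A and therefore never learns about B, which matches what the post describes.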
This is really cool. From the article:
"As far as (Chernobyl) is concerned, the Klez worm is just another file to infect," Weafer said. "It's quite common to see piggybacking effects when you have worms that have been propagating for a long time in the world."
So it is likely not that someone was trying to make Klez worse, it just happened on its own.
Maybe you should tell the people on your contact list to stop opening attachments (or at least get the latest patches). Microsoft is all but moron-proof.
Linux machines get hacked into every day. Is it a Linux flaw? No... it's a user flaw. So why should Microsoft be any different? Maybe because they're against open source?
I'm telling you, software makers NEED liability. It's the only way we will ever have responsible programs released. Right now, software makers can get away with selling products that have defects in them on the order of ones that if they were in cars, would send Ford or GM into receivership.
Before you go asking for something like this, think about how it will impact the open source and free software community. All software has bugs. Bugs for the most part are not intentional. Would a free software project have the resources to fight off litigation caused by an exploit? Punish the script kiddies if you want to punish someone, but don't go after the industry because of a few bad apples. This is very similar to copy-protecting CDs because a few people might pirate the contents.
'Same speed C but faster'
Then again, with the grammar and spelling skills on display around here, maybe most /.ers don't count as "native English speakers".
;)
First, Outlook != Outlook Express. Once again, I will say, I agree, it's a joke that scripting is on by default in Outlook. It doesn't take a brain surgeon to figure that one out. Furthermore, I will say that I don't see ANY reason for Outlook Express (the POP3 client) to have scripting AT ALL (or at the very least it should require a separate download to install).
Also, I don't write Outlook scripts for a living (although I do have several I've written myself to clean up my mailbox, etc). But, to say it is a feature no one uses (or should use) is wrong. There are businesses that do large portions of their business on Outlook Forms, just as there are lots of folks who have done custom Notes development, and just as there are firms that have done customized Oracle forms/applications/workflow development.
DO NOT DISTURB THE SE