Slashdot Mirror


New Worm Spreads Via MSN Messenger

vxone writes "Anti-virus experts are watching a new worm that spreads through Microsoft Corp.'s MSN Messenger client. The worm is not harmful to infected machines and has infected only a few PCs at this point, according to an analysis by Trend Micro Inc. Known as Jitux, the worm is self-propagating and contains a link to a Web site that automatically downloads an executable file named 'jituxramon.exe' to the PC. Once the file runs, the worm begins sending out copies of itself to all of the names in the user's Messenger contact list."

19 of 380 comments

  1. What about... by Dangerously_Swiss! · · Score: 2, Interesting

    Trillian? Would something like that, assuming it honestly exists, run through Trillian as well? *begins stockpiling canned goods and cleaning guns to prepare for the dark days ahead*

    1. Re:What about... by MechaStreisand · · Score: 2, Interesting

      Unix's privilege separation wouldn't prevent something like, say, trashing all the user's files - files that are usually more important than the easily restored operating system. Don't be fooled into thinking that even Unix does security right.

      --
      Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
  2. Re:So what does it actually do? by xkenny13 · · Score: 5, Interesting

    So let me get this straight, the virus infects a computer, and then infects other computers. Does the virus actually do anything?

    I would guess that this is the trial run, to validate the theory behind a virus spreading in this manner. Once they know it works, the next one will have a payload.

  3. Human-activated by ptaff · · Score: 4, Interesting

    Seems like the worm must be "human-activated": a user must manually click the link received through MSN to download the worm; that's what I understand from McAfee.

    It can't be harmful if it comes from a friend!

  4. Re:Welcome to Security 2004... by loyalsonofrutgers · · Score: 2, Interesting

    As long as the virus does nothing else but propagate itself, then this really isn't a security issue, it's an issue of people CHOOSING to run what they want on their computer. If they're dumb enough to click 'open' on anything that downloads without knowing what it does (and indeed if what it does isn't necessarily harmful) then it is not a security problem, it's a user problem. If people choose to run a program that messages itself to everyone on their MSN list, then who is Microsoft to stop them? At some point the user has to take responsibility for what he or she runs.

  5. Re:Low risk by Florian+Weimer · · Score: 2, Interesting

    It doesn't seem to be using any particular vulnerabilities in MSN. It depends on users to click on a URL they receive in a message.

    But if you are an IE user and you don't check carefully the URLs you click, you might be in trouble anyway (because these days the download of the trojan horse starts immediately, and it's silently executed).

    On the other hand, I've been seeing such "worms" on IRCnet for months, and I'm sure they must have hit MSN messenger before.

  6. Not the first time by jeremymh · · Score: 5, Interesting

    Around two years ago there was a similar virus for messenger. It was smarter, though, as whenever you opened a chat window it would say to the other person "here are some pics I took last week" then request a file transfer of the virus (the virus ended in .jpg.exe). It didn't need a website to download from. I had to talk many people through the process of removing the virus. (It simply took a ctrl-alt-del to kill the program, then delete it from the received files folder.) This virus didn't do anything either; the writer left a note in the virus (viewable through a hex editor) that it was just "to see if he could do it".
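    The two delivery tricks described in this thread, an executable sitting behind a chat link (jituxramon.exe) and a file-transfer offer whose name carries a decoy extension (.jpg.exe), are cheap to screen for at an IM gateway or over archived chat logs. The following is an added example written for this page, not code from the original story, from Trend Micro or McAfee, or from any commenter; the chat lines and the example.invalid host name are constructed, and the extension lists are an assumption, not a complete catalogue.

```python
import re
from urllib.parse import urlparse

# Extensions Windows will execute when double-clicked (assumed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Harmless-looking extensions placed in front of the real one ("pics.jpg.exe").
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# A bare file name such as "holiday.jpg.exe" mentioned in a transfer offer.
FILENAME_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")


def classify_filename(name: str):
    """Return why a file name is suspicious, or None if it is not."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension executable"
    return "executable"


def scan_message(sender: str, text: str):
    """Flag executable links and executable file names in one chat line."""
    findings = []
    for url in URL_RE.findall(text):
        verdict = classify_filename(urlparse(url).path)
        if verdict:
            findings.append((sender, url, verdict))
    # Strip URLs before looking for bare names so that host names such as
    # www.example.com are not read as ".com" executables.  A bare
    # "example.com" in prose is still flagged; that is a known false
    # positive to clear by hand.
    for name in FILENAME_RE.findall(URL_RE.sub(" ", text)):
        verdict = classify_filename(name)
        if verdict:
            findings.append((sender, name, verdict))
    return findings


def scan_messages(messages):
    """Run scan_message over (sender, text) pairs, preserving order."""
    return [f for sender, text in messages for f in scan_message(sender, text)]


# Constructed sample chat lines, not a real capture.
SAMPLE_CHAT = [
    ("alice", "check this out http://example.invalid/files/jituxramon.exe"),
    ("bob",   "here are some pics I took last week: holiday.jpg.exe"),
    ("carol", "lol http://example.invalid/pics/holiday.jpg"),
    ("dave",  "my site is http://www.example.invalid/"),
]

if __name__ == "__main__":
    for sender, target, verdict in scan_messages(SAMPLE_CHAT):
        print(f"{sender}: {verdict}: {target}")
```

    Only alice's link and bob's transfer offer are reported; carol's image link and dave's home page pass. The check is a triage filter, not a verdict: a link that ends in .jpg can still redirect to an executable, so anything that auto-downloads (the IE behaviour Florian Weimer describes below) needs the content type and the bytes checked, not just the name.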

  7. Re:So what does it actually do? by old_unicorn · · Score: 5, Interesting

    It downloads an executable from a website. Obviously the number of downloads increases as the virus spreads. If the virus is thought to be harmless people won't panic about clearing it out. Maybe when there are enough computers (PCs) transmitting the virus, the website owner will change the executable for the real payload, and wammee - fireworks. Or maybe not.

    --
    ***You learn something Every day. And then you die.***
  8. Re:Helpful little program by bobsalt · · Score: 3, Interesting

    It seems they are trying to get Outlook 2000 and up more integrated with MSN Messenger. Same as the poster above said, you can uninstall it, then when you open Outlook it appears. Doesn't that violate the terms they set out in the case about "uninstalling" MSN Messenger? Anyone here know?
    And where is the reg entry or ini file located, so I can get rid of it when I set up a client PC? I don't want to install antispy on every desktop I set up...


  9. Re:Low risk by Anonymous Coward · · Score: 1, Interesting

    > It depends on users to click on a URL they receive in a message.
    > Now what responsible user would do that

    For which browsers is this a problem? Shouldn't you be able to visit any website in the world without fear of virus (or other) damage?

    Does anyone know which browsers don't have this problem, or if they can be configured to be 100% safe? I don't mind missing out on a little fluff if I can be sure of safe browsing.

  10. Re:So what does it actually do? by Anonymous Coward · · Score: 1, Interesting

    This is merely an attempt to exploit a previously unknown hole for monetary gain.

    OK, it's probably pointless to reply to an AC, and ironic to reply to an AC as an AC while pointing out how pointless it is, but-

    Who's going to gain anything from this monetarily? I mean, other than anti-virus software makers, how does this generate cashflow for anyone?!

    SHOW ME THE MONEY!

  11. Re:The face of our attacker? by Motherfucking+Shit · · Score: 5, Interesting

    What worm maker would link to a site that hosts their webcam as well?
    Recall that the high school student who released a variant of MSBlaster - the variant which was purported to have affected no more than 7,000 or so computers - was caught because his modifications interacted with his own website. If "jberg" is actually the person who wrote Jitux, it wouldn't be the first time that a worm (if you'd call Jitux a worm) contains dead giveaways as to its author.

    I think a lot of people who wind up unleashing worms are just playing around, seeing if it works. They aren't thinking about the consequences because they probably weren't intending to "release a worm" in the first place. Again operating under the assumption that the homepage you posted belongs to the Jitux author, it's quite possible that he wrote the code and sent it to a couple of friends to see if it would work. Before he knew what had happened, it was in the wild. The malicious file is apparently gone, so for all we know, he deleted it himself once he figured out that his creation was alive.

    Naturally, all of this is speculation. It's equally possible, and perhaps even more likely, that the "jberg" user's FTP space has been compromised to host the malicious file.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  12. Re:Helpful little program by Anonymous Coward · · Score: 1, Interesting

    Why bother with format c:\ when fdisk is going to wipe the drive during repartitioning anyway? And no, BSD are not good choices for a first time switcher. They make sense if you are fairly familiar with Unix, but if your only experience is MS Windows or Mac OS, your best bet is to start by playing around with Knoppix (or a Gentoo Live CD maybe) and seeing if you even like Linux before you go erasing your hard drive. That way you can get a feel for the system before you plunge in head first.

  13. Re:Low risk by tal197 · · Score: 2, Interesting

    It's the classic n00b getter. Send them a message that warns of imminent doom, promises something wonderful or what have you and try to get them to run your app. That app then does as you please.

    This is the kind of vulnerability that we'll basically never be able to get rid of, barring some kind of orwellian palladium thing. Dumb users will run shit they shouldn't, and infect their boxes. You can do things to reduce the probability, but you can't eliminate it.

    Palladium is only bad because it's done in hardware. You can do all the same things in software, except prevent the owner of the machine from controlling it (which is the point for the companies pushing it, of course).

    For something like this, you just need to be able to run applications with restricted permissions (we already do this with Java applets, after all).

    If the program tries to access your GPG private key, delete your files or send an email, the sandbox can ask the user to confirm ("This program wants to read your email address book, which is not world-readable. OK?")

    This is much better than the current vague warnings users get ("This program might destroy your computer. Or it might be safe. Guess you'll just have to trust it. OK?").
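    The sandbox tal197 sketches above, one that mediates each sensitive operation and asks a concrete question instead of a vague "this might destroy your computer", can be prototyped in a few dozen lines. The following is an added example written for this page, not code from the original page or from any commenter: the policy table, the default rules and the stand-in "untrusted program" are all assumptions made to illustrate the mediation pattern, and the hypothetical confirm callback stands in for the user dialog.

```python
import fnmatch
from typing import Callable, List, Tuple


class Sandbox:
    """Mediates an untrusted program's access to resources.

    Each operation is matched against POLICY.  The first time a rule fires
    the user is asked a specific question; the answer is remembered for that
    rule so the same prompt does not repeat.  Operations no rule covers fall
    through to DEFAULTS.  Everything is written to an audit list.
    """

    # (operation, glob over the target, what the prompt tells the user).
    # Assumed policy for illustration; a real one would be per application.
    POLICY: List[Tuple[str, str, str]] = [
        ("read",  "~/.gnupg/*",     "read your GPG private keys"),
        ("read",  "~/.addressbook", "read your address book"),
        ("read",  "~/Documents/*",  "read your documents"),
        ("write", "~/*",            "modify or delete files in your home directory"),
        ("net",   "*",              "send data over the network"),
    ]
    # No rule matched: reading ordinary (world-readable) files is allowed;
    # anything that changes state or leaves the machine is refused outright.
    DEFAULTS = {"read": True, "write": False, "net": False}

    def __init__(self, confirm: Callable[[str], bool]):
        self.confirm = confirm      # hypothetical user dialog: question -> bool
        self.answers = {}           # (op, pattern) -> remembered answer
        self.prompts: List[str] = []
        self.audit: List[Tuple[str, str, bool]] = []

    def request(self, op: str, target: str) -> bool:
        """Return True if the program may perform op on target."""
        for rule_op, pattern, description in self.POLICY:
            if rule_op == op and fnmatch.fnmatch(target, pattern):
                key = (rule_op, pattern)
                if key not in self.answers:
                    question = f"This program wants to {description} ({target}). Allow?"
                    self.prompts.append(question)
                    self.answers[key] = bool(self.confirm(question))
                allowed = self.answers[key]
                break
        else:
            allowed = self.DEFAULTS.get(op, False)
        self.audit.append((op, target, allowed))
        return allowed


def untrusted_program(sb: Sandbox) -> List[Tuple[str, str, bool]]:
    """Stand-in for a downloaded executable: each entry is an access it attempts."""
    attempts = [
        ("read",  "~/.gnupg/secring.gpg"),
        ("write", "~/Documents/notes.txt"),
        ("net",   "mail.example.invalid:25"),
        ("read",  "/usr/share/dict/words"),
        ("write", "/etc/passwd"),
    ]
    return [(op, target, sb.request(op, target)) for op, target in attempts]


if __name__ == "__main__":
    # Simulated user who only says yes to the network question.
    sb = Sandbox(confirm=lambda question: "network" in question)
    for op, target, allowed in untrusted_program(sb):
        print(f"{op:5} {target:28} {'allowed' if allowed else 'denied'}")
    print("\n".join(sb.prompts))
```

    With that simulated user the GPG read and the home-directory write are denied, the SMTP connection is allowed, the dictionary read passes silently because it is covered by no rule, and the write to /etc/passwd is refused without a prompt at all. The point of the design is the last case as much as the first: a sandbox should not ask about things the user has no reason ever to permit, and it should phrase the rest in terms of the resource, not the risk.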

  14. Re:So what does it actually do? by LnxAddct · · Score: 2, Interesting

    This has always bothered me and is a serious question... If they know what website is being used why can't they shut it down and/or find the person who created it. I understand he could claim that his website was hacked or whatever, but at least they would stop it from spreading. The worm would be better if it used MSN to send the files to each other. The only thing that using a webpage accomplishes is that you can alter the executable to whatever you want whenever you want to.
    Regards,
    Steve

  15. Re:User intervention Part 2 by phillymjs · · Score: 3, Interesting

    for some reason they're immune to this barrage of RTFM and instead it is Microsoft who gets the blame.

    Because Microsoft's marketing blows sunshine up people's asses. People believe they are buying a simple system that will just run, never need maintenance, and protect them from messing it up. In reality Windows is a complex system that needs a fair bit of maintenance, or at least care on the part of the user to not do something that will cause problems (like open any old e-mail attachment in their inbox, no matter who the sender, or download any old file from Kazaa, or install Bonzi or other stupid shit like that).

    When you try to explain to people that they need to run Software Update and virus scans and do other system maintenance once in a while, they don't want to hear it. "You mean I paid all this money (read: $399) for this computer and it doesn't do all that stuff for me? Forget it!"

    ~Philly

  16. Sounds like a non-story by Overly+Critical+Guy · · Score: 0, Interesting

    The worm is not harmful to infected machines and has infected only a few PCs at this point, according to an analysis by Trend Micro Inc.

    So why is this worth an entire headline? Shouldn't we at least wait until it's actually doing anything, or did Slashdot just want to get a new Microsoft worm article with a byline of "new-year-new-problems," despite sites like LinuxSecurity that list new vulnerabilities WEEKLY that Slashdot never reports?

    And before anybody accuses me of being a Microsoft shill (you know who you are), I'm merely being the voice of opposition because I see so much groupthink here. I wish Slashdot was more rational and down the middle and objective, that's all. There is a genuine bias and propaganda going on against Microsoft, the RIAA, and so forth. Any inkling of a worm, no matter how minor and ineffective, gets breathlessly reported the minute it's submitted. Meanwhile, you never hear a thing about the faults of Linux security, except when they're forced to, like with the breaches of GNU/FSF, GNOME, Debian, and Gentoo, all within the span of six months or so.

    --
    "Sufferin' succotash."
  17. Re:ITS A VIRUS!!! by tomstdenis · · Score: 2, Interesting

    While meant as a joke it is a good idea. MSOE seems to want to load msn whenever it starts up [even if you have Gaim installed and running ;-)]. I just delete the f'ing directory and that cured my problems.

    Tom

    --
    Someday, I'll have a real sig.
  18. Re:solution by Anonymous Coward · · Score: 1, Interesting

    You don't need to prove anything except that the virus is coming from that website. The website owner may be unaware of the virus and innocent, but they, and/or their ISP/hosting service become guilty of negligence or become accessories if they don't do anything about it once they are notified.
    For example, if your brother-in-law is keeping a dead body in your basement without your knowledge then you are not guilty of anything. Once you find out about the dead body, however, you are obligated to act or you are an accessory (this is, of course, provided that your brother-in-law is not legally allowed to keep a dead body for some reason). Oddly enough, with the United States' bizarre civil forfeiture laws, if your brother-in-law is storing drugs instead of a dead body, you are still not guilty of anything, but they can confiscate your house and sell it in an auction anyway. Apparently the legal justification for this is that the house is guilty of a crime or something like that.