Slashdot Mirror
New Worm Spreads Via MSN Messenger
vxone writes "Anti-virus experts are watching a new worm that spreads through Microsoft Corp.'s MSN Messenger client. The worm is not harmful to infected machines and has infected only a few PCs at this point, according to an analysis by Trend Micro Inc. Known as Jitux, the worm is self-propagating and contains a link to a Web site that automatically downloads an executable file named 'jituxramon.exe' to the PC. Once the file runs, the worm begins sending out copies of itself to all of the names in the user's Messenger contact list."
MSN is a virus. Uninstall it as fast as you can!
The following statement is false.
The previous statement is true.
Welcome to my world.
Sounds like something from Pokemon.
So let me get this straight, the virus infects a computer, and then infects other computers. Does the virus actually do anything?
:p
As it stands, it sounds a lot like a slashdot discussion
Uhhh, shut down the website that the "worm" is sending a link to?
For anyone who has tried to uninstall MSN messanger, you know how much of a bitch it is. I recommend Windows XP antispy to get rid of it.
:)
After all, (simpsonism) "no one who speaks german could be evil (/simpsonism)
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
It doesn't seem to be using any particular vulnerabilities in MSN. It depends on users to click on a URL they receive in a message.
Now what responsible user would do that. NAI's web site claims that the worm code itself has been removed from the web server, thus rendering the worm harmless:
http://vil.nai.com/vil/content/v_100931.htm
-- Update 31st December 2003 --
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.web-user.co.uk/news/47502.html
This detection is for a worm intended to propagate via MSN Messenger instant messaging. The worm is written in Visual Basic.
It propagates by sending messages to the MSN messenger contact list. The messages contain a link to the worm itself:
http://www.home.no/( removed )/jituxramon.exe
When the link is clicked, the worm is downloaded to the target machine.
Note: at the time of writing the the worm was unavailable from this URL.
Seems like the worm must be "human-activated", a user must manually click the link received through MSN to download the worm; that's what I understand from McAfee
It can't be harmful if it comes from a friend!
Now I'll have to explain to my Dad why I had to shut down his Win98/cable modem box. Again. *sigh*
C|N>K
This thing is not a worm, no matter how much you want it to be one.
In Soviet America the banks rob you!
It was a trojan in the default messanger that comes with XP. Add/Remove did not remove it, nor did trying to delete the messanger.exe program file.
The fix was to download the newest MSM, which upon reboot overwrote the pesky trojan.
Sorry I don't have more info than that.
Around two years ago there was a similar virus for messenger. It was smarter, though, as whenever you open a chat window it would say to the other person "here are some pics I took last week" than request a file transfer of the virus (the virus ended in .jpg.exe). It didn't need a website to download from.
I had to talk many people through the process of removing the virus. (it simply took a ctrl-alt-del to kill the program, then delete it from the recieved files folder)
This virus didn't do anything either, the writer left a note in the virus (viewable through a hex editor) that it was just "to see if he could do it".
http://www.home.no/jberg/
Seems to be a webcam up on the same site that hosts the worm. What worm maker would link to a site that hosts their webcam as well? I guess it shows that some people are really that stupid.
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
If you must use MSN and don't need file transfers, I recommend you register a Jabber account at any Jabber server, and use a MSN gateway, and try to convince your friends to move to Jabber.
I've done it already, and my MSN account is redundant!
why 75% of Network Connections Not From Browsers.
Linux doesn't protect users from being idiots. Nothing can.
HOW'S MY POSTING? CALL 1-800-POSTING
Nothing. However privlidge separation on a Unix box would prevent a harmful payload in a worm of this sort, unless the user was running as root. In which case, he needs to be shot.
I still have more fans than freaks. WTF is wrong with you people?
I thought self propagating worms involved no direct user interaction (ie a tard clicking a link), doesn't that make this just a plain old (really simple) trojan if anything being as it pretends to be something else (i assume the link comes with a message like click here to see me holiday pics !)?
because everything is controlled via friggin VB.
i mean, for once the excuse can't be: "well, they attacked [insert MS software title here] because it's the most popular". AIM and YIM have been around a lot longer and no one ever wrote a "worm" (debatable label in this case) for those...
in this age of communication i'm just not getting through
" However privlidge separation on a Unix box would prevent a harmful payload in a worm of this sort, unless the user was running as root."
Could you elaborate on this a little? From what little I understand of permissions in *nix, this might prevent data from being written in the wrong spot (i.e. overwriting of system files), but would it prevent a headless app from running and sending out messages to other machines?
Ah if only application firewalls were standard issue like virus scanners. At least Microsoft's forcing that evolution to happen.
"Derp de derp."
copy and paste into a .bat file
C HINE\SOFTWARE\Policies\Microsoft\Me ssenger\Client]>>%temp%\noe gr .reg% \nomsngr.reg /s %temp%\nomsngr.reg
:)
@echo off
echo Removing Microsoft Messenger...
rundll32 advpack.dll,LaunchINFSection %WinDir%\inf\msmsgs.inf,BLC.Remove
echo Disabling it from running in the future...
echo REGEDIT4>%temp%\nomsngr.reg
echo
[HKEY_LOCAL_MA
msngr.reg
echo "PreventRun"=dword:00000001>>%temp%\nomsngr.reg
echo "PreventAutoRun"=dword:00000001>>%temp%\nomsngr.r
echo "PreventAutoUpdate"=dword:00000001>>%temp%\nomsng
echo "PreventBackgroundDownload"=dword:00000001>>%temp
echo "Disabled"=dword:00000001>>%temp%\nomsngr.re g
regedit
run and bam! messenger is gone for good
+++ David Watts 5495 0.0 0.5 1888 884
So basically, after reading the article and seeing that it only spreads to peeps on your contact list, I can now view my use of MSN messenger the same as swinging.
I smelll a new MSN Msgr advertising campaign. "All the danger and excitement of swinging. Come on over, we're waiting to fuck you!"
Many of the newer 'user friendly desktop' Linuces run as root, such as Lindows. While I think this is horribly stupid, it doesn't stop the fact that many neophytes to the Linux world will be running Gaim or equivalent as root.
.
"...Ah if only application firewalls were standard issue like virus scanners..."
OS X comes with ipfw preinstalled, and it can be turned on with a couple of mouse-clicks:
Apple Menu->System Preferences
Select 'Sharing'
Select 'Firewall' tab
Click 'Start' button
There is also a tab with a list of service that one can check on or off, and it is easy to add new ones (click the 'New...)
Seems that I've read some debate of the merits of ipfw vs. other firewalls, but it seems to work fine for me. Also, there is the debate about whether or not it should be on or off by default. Personally, I think it should be on.
As far as headless apps, like daemons, I don't know. OS X asks for an admin password any time it needs 'root' access; if one makes sure they know what they're installing, and trusts the source, then I don't think anything too bad could happen.
Although, this just occurred to me. Could something like this launch an app in the background that captured keystrokes and saved them to a non-secure file/folder? That could be a problem.
(tig)
Ignorance and prejudice and fear
Walk hand in hand
2004: New Worm Spreads Via MSN Messenger
2005: MSN Virus Spreads Through Talking About Windows
2010: Virus Becomes Airborne
2012: Virus Overwrites C:\Brain\Personality
2015: Kalahari Bushmen last remaining humans on planet arguing about whether Linux or FreeBSD is better
do you trust ./'ers to only write innocent, good willed code ?
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Status: Critical
Infection rate: Global
This worm usually begins like this, but many variations have been seen in both the wild and in the lab.
John: Yo wazzup?
Me: No time to chat. I'm a little busy, gotta do some work.
John: Then why is your IM on?
Me: Because I need it for work.
Soon the worm spreads.
Jane: Hey, why are you giving John the cold shoulder?
Me: Shit, I just want to get something done here. I'm sending someone a file with IM then I'm gone.
Jane: You're full of it. John knows you're still pissed at him about blah blah.
The worm may even infect unaffiliate third-parties.
Joe: Hey man, you don't know me, but I work with Jane at Curuthers and Magalby and the way you treat her and your so-called pal John is fucking bullshit. You shoud be ashamed of yourself.
Me: Seriously, I just want to get some work done here.
Joe: Yeah, like I'm going to trust a liar like you.
Fix: None.
Stopgap: Forever stop using IM with crazy paranoid social primates.
About a year ago, I think something like this was on the loose. Almost everyone on my contact list tried to send me something called "blaargh.exe". When I asked them what it was they had no clue.
;)
Well, people that accept these kind of file transfers without knowing what it is and then _opens_ the executable only have themselves to blame... (for not getting a Mac
Sig Nature
If you are able to read this, you have just been infected with the Honor System Virus. This virus is a cross platform virus.
If you are running a MS Windows Box, please insert a DOS disk, reboot, and type FORMAT C: /q press Enter, Y, and then Enter again.
If you are running a Linux or other Unix based OS, please open a Bash Shell as root and type in rm -rf / and press Enter.
Mac User's need not do anything at this time, since your computer will likely crash on its own before you could successfully and intentionally format your own hard drive.
Thank you for your participation in the Honor System Virus. Have a nice day!
Programs execute with the same permissions as the user, though this happening is not very likely. For this to occur, two things have to happen;
Neither are impossible, though these are unlikely. (Some apps might skip the first step, though this is also rare.)
Keep in mind that unlike Windows, Unix-style systems don't use the name of the file or it's extention (suffix) to determine if a file is an executible. If Windows followed the same model, you could click on worm.exe and Worm would not run automatically.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Well, files by default are not executable, so it wouldn't execute unless you ran chmod on it. Furthermore, ports 0-1023 are privlidged by most unixes, and can't be bound to unless you run as root, stopping things like spam mail servers.
I still have more fans than freaks. WTF is wrong with you people?
Why is it when some one does something stupid on UNIX and screws their HDD, its the user that is blamed but when the user CHOOSES to run Windows and CHOOSES to run MSN and CHOOSES to have their default browser to be Internet Explorer, for some reason they're immune to this barrage of RTFM and instead it is Microsoft who gets the blame.
Sure, I love the Microsoft bashing mosh pit just as much as the next Mac/FreeBSD user, however, in all honesty, when is the end user going to take responsibility for their actions? doesn't this sound like the a-typical senario in the "real world", something bad happens and the government is blamed for not stopping the idiot from hurting themself.
The fact remains that the end user does VERY little to protect themselves. Sure, we'll have a chorus of ranters claiming that in their zyx operating system world, they would *NEVER* need that and through some miracle, some how their operating system of choice is immune to all vunerabilities.
The fact remains that no matter what operating system you run, you HAVE to take precautions. Run an anti-virus, make sure your software and virus definitions are updated, run a GOOD firewall and actually learn how to use the computer so that you can set up the firewall so that is it beneficial rather than a hindrance.
If you follow these VERY basic precautions, I would be VERY surprised if you get infected.
In a perfect world, one WOULDN'T need to take these precautions, software would be bug free, everyone would be honest Joe's and Jane's, however, that isn't the case, the fact is, the world is filled with losers, script kiddies and other parasites and unfortunately the only way to defeat these people is to make their conquests so meaningless that they'll go back to nicking car badges off cars and boasting to their friends about what level of "Rainbow Islands" they got up to on their SEGA.
Btw, does any one remember that game?
Erotic uses a feather; Pornography uses the whole chicken
Hold on... so, would the worm spread through Trillian, Miranda and such?
I kept getting IM bots sending me links to random porn sites since its 'peak' time when it appeared on almost all my friends' profiles. I found the fix here and sent it to my friends. Since their fix, I've been getting less spam.
I would use gAIM but I found that AIM with the final free DeadAim saves more resources on my system.
hey, foolio:
that's Windows Messenger you are referring to, a completely different beast than MSN Messenger. Windows Messenger is an old component for sending explorer events to domain clients, for saying things like 'The Network is Going Down. Save Your Work Now." and such to your users. MSN Messenger is for "lol cyber u a/s/l/ here's a link to my plush toy auction on ebay" style messages to your social circle (and random people).