More MyDoom Gloom

StarWreck points out this article in The Atlanta Journal Constitution citing "experts who believe the worm was put out for criminal profit motives by spammers and not by Linux Advocates." Further on that, deadmonk writes "MessageLabs is reporting that the recent Mydoom virus seems to have originated in Russia. A place where nobody gives a wet slap about a court case in the U.S. Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say. Read on for some more MyDoom updates, including a new variant (with a new payload), ramifications for Australians, and a forensic analysis of the worm.

fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

Off Track

[andyrut]

It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...to throw off the law enforcement officials who might look for the culprit in the Linux community.

While I despise these worms, you've got to admit that some of these more recent ones are pretty ingenious:

Blaster - The only way to fix it is to grab stuff from Microsoft? Have it DDOS Windows Update.
MyDoom - Hate SCO, Love Linux? Target Microsoft systems and leave Linux machines alone. Have it DDOS SCO.

Re:Off Track

[B'Trey]

It is entirely possible the SCO connection is a red herring. However, it's also possible it's an attempt to kill two birds with one stone. I certainly hope the author wasn't a Linux zealot trying to harm SCO. However, the argument that a Russian Linux user wouldn't care about the SCO trial doesn't hold water. Linux has come a long way in recent years and a large part of it's progress is directly attributable to commercial companies who have either invested in Linux, contributed code to Linux, or supported Linux developers. SCO's case appears extremely weak, and the chances of them having any sort of success seem very remote. However, if SCO were to win their case, it could heavily damage the Linux movement. Particularly if SCO were to be found to have ownership rights in certain technologies, it isn't all certain that a rewrite of the relevant portions of the kernel would be sufficient to remove the taint. Linux users worldwide could be affected.

This is, of course, a worse case scenario and it doesn't provide any evidence that Linux fans were connected in any way. However, one can't dismiss the possibility simply because it came from Russia.

Re:Off Track

[FortKnox]

Target Microsoft systems and leave Linux machines alone.

I'm no hacker, but I do have a technology background, here. Most worms and virii are windows based. Most exploits that are found are windows based. Making a linux worm is tough and hard, because not many people have the desire to go into the inner workings of the kernel and find exploits, not to mention that most linux users are smart enough to figure out when they have an attachment by a random person not to open it. Windows users could be a software engineer FBI agent... but it could also be grandma melba. Seeing as most virus writers don't use a multiplatform language like java to write their virii, I'm thinking windows is the best option for destruction if you get your kicks off by that.

To say its because he's trying to frame linux users, or is a linux user just cause of it being a windows worm is pretty absurd.

Re:Off Track

[southpolesammy]

As I said a couple of days ago, the primary goal of this worm is not to DDoS SCO, it's to cause a big amount of traffic and noise in order to quietly install keystroke loggers in hopes of obtaining bank account numbers and passwords and be able to send that data back to some collector site without being seen due to the massive network jam.

It's a classic misdirection tactic that criminals use all the time to slip past unnoticed. Get people to look somewhere else while you do your dirty work sight unseen.

Re:Off Track

[Junks+Jerzey]

It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...

Sadly, though, it shows the reputation that Linux zealots have made for themselves, not that it is any justification for this.

Re:Off Track

[MarkusQ]

Sadly, though, it shows the reputation that Linux zealots have made for themselves, not that it is any justification for this.

Made for themselves?

This is a classic case of blame-the-victim. Someone gets maligned in the press, slandered by corporate greed machines, and somehow this is because of "the reputation [they] made for themselves?"

I supose your next line will be that they were "just asking for it" because of the way they were dressed.

-- MarkusQ

Re:Off Track

[insensitive+claude]

Malware author != script kiddie

Re:Off Track

[vanyel]

I certainly hope the author wasn't a Linux zealot trying to harm SCO.

Indeed. Personally, I think the Open Source community should set up a fund to add to the reward SCO is offering because of the black eye it gives the community if he was.

Re:Off Track

[rgriff59]

I'm not a Doctor, and I don't play one on TV, however, my wife is an RN and is working on a FNP. As such, she has lots of wonderfully definitive medical reference books. According to both Taber's Cyclopedic Medical Dictionary, 19th edition and The Merck Manual, 17th edition, it is absolutely and without doubt "viruses." If the medical community says so, that trumps Webster's and /.'ers.

As far as being off track (not unlike this virus plural rot in a story about a worm) wouldn't it be funny to have someone claim SCO's $250,000 bounty for a worm that never would have caused them harm?

Re:Off Track

[magores]

I propose the theory that a Linux virus would actually succeed quite well.

My reasons for thinking this are:

1) For every 100 linux users, I suspect that ~40% of them are people that are currently "dabbling" in linux. These users are as new to linux as "Grandma Gertrude" is to Windows.

2) Of the 100 linux users mentioned, I would guess that ~75% have never done more than glanced at the source code for any given program, much less the kernal. Give these users two pieces of code to run. They are just as likely to run the "bad code" as they are the "good code".

3) I think most would agree that the linux kernal is "safer" than a Windows system. But what about all the programs that get installed on top of (over?) the linux kernal? Many reports are released daily about buffer overflows, etc that effect these programs. Taking the hypothetical 100 linux users I mention above, I would venture that at most 25% of these people apply the patches in a reasonably short time frame.

4) Windows is targeted because it is common. The structure/implementation of Windows "probably" lends itself to the ease of compromising it. However, I venture the guess that a sufficiently motivated malware author (notice I didn't say hacker) could construct an exploit that would cripple many of the linux boxes owned by the people that I mention in 1, 2, and 3.

All I'm really saying is: The Linux Community should make sure it doesn't say, "Bring it on!" Because, the bad guys WILL.

McBride interview

[BWJones]

I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

Of note: Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.

Re:McBride interview

[vladkrupin]

I think - No, dude, SCO is not the dark side of the open source movement. Aside from old Caldera, it has no relation to any side of the open source movement.

doesnt matter.

[eyeareque]

we will neever see an apology from SCO.. they will be gone and bankrupt before too long.

I wish all mail admins..

[grub]

.. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

Please Remember!

[Bruce+Perens]

Excerpted from perens.com/SCO/DOS/, this bears repeating.

It is likely that this virus has been assembled for the purpose of defaming the Linux developers by spammers, SCO, or others. Your behavior will influence whether or not it succeeds in this mission.

Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:

• Do not cheer on attacks on the SCO site. By doing so, you falsely implicate our community in the attacks, in the eyes of outsiders who read your words. Our community believes in freedom of speech, not silencing our opponent's speech through net attacks. We will defeat SCO using the truth, not by gagging them.
• Publicly deplore the attacks as an attempt to defame us, and not an effort of our community. Show others this notice.
• Continue to fight SCO, using all legal means at your disposal. Show others the analysis of SCO's ongoing fraud at Groklaw.net and elsewhere, and explain to them your own experience as a participant in the Free Software community.
• Continue the visible presence of Free Software as a force for good in the world by producing excellent original software for everyone's free use and deploying it wherever possible. Promote these projects to the press and public as you carry them out. Do what you can for other public-good projects such as schools and non-profit organizations. FreeGeek.org is an excellent example of how to carry this out.
• Show others by example that our side always takes the high road. When they see a low-road sort of action like denial-of-service, spam, or stock fraud, they'll know who to blame.

Remember that your actions count. You are ambassadors of our community.

Re:Please Remember!

[rokzy]

I like Linux and OSS.
I'm glad that SCO got DDOS'd, they're bastards and deserve it.
There's nothing wrong with this imo.

What I think IS a problem, is you trying to make it seem like OSS is one big community where everyone has the same opinions and they all move in the same direction.

I should be able to say "fuck SCO" all day long and it have nothing to do with the fact I use OSS. but then you start making it seem that liking OSS is some kind of religion that governs all my actions.

I use Linux cos it has the tools I need. I use Firebird because it's a fantastic browser. I say "fuck SCO" cos they're full of BS. Get over it.

Re: Please Remember!

[Flower]

I probably rank right up their with all the other SCO haters. I'm on GrokLaw everyday and chip in when I can by transcribing documents but I'd never cheer on MyDoom. The stupid thing, because of the damage it's doing (and it is damage), brings an emotional reaction to the SCO debate which undermines all the good arguments the community has developed. Even if it was developed in Russia, cheering it on because it will DDoS SCO just provides SCO and industry analysts more junk to bring up rather than focusing on the real issues.

I totally agree with Bruce on this one and just wish more "advocates" had the maturity and insight to realize this isn't a joke.

Huh?!

[pclminion]

Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

What the hell would it matter anyway? Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?

The fallacious logic here astounds me. Wait, no it doesn't.

Linux users

[gid13]

From the post: "Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

I don't know what it is with people trying to represent such large groups. Every group has nasty people in it! Since Linux is generally more efficient once set up (IMHO, anyway), then OF COURSE people will use it to do nasty things like serve spam and make DOS attacks and so on. I don't get why people are so patriotic all the time... "He's American! No AMERICAN could be evil!" Sigh...

Of course it wasn't some malicous Linux user

[bogie]

This was some criminal capitalizing on the Hot topic of the Linux vs SCO debate. If this worm has targeted the whiteshouse.gov site you've have the same idiots saying terrorists did it. These criminals just used Linux as a scapegoat. I try to avoid reading articles about this worm because I just can't stomach reading all these posts about how the OSS community should "tread lightly" etc. Get a clue people.

Re:Not to condone writing worms....

[allism]

Don't give them ideas...although it WOULD be interesting to see what kind of load /. can handle...on Sept 11, it seemed like it was the only site up, so it can handle quite a bit, but I guess the question is - which is greater - /.'s load handling or the number of stupid Windows users?

(Not trolling by saying stupid Windows users - it could just as easily be written as stupid computer users who happen to be using Windows - but....anyway, I'm rambling, I will shut up now.)

Re:Am I the only one?

[Conspiracy_Of_Doves]

Umm.. Dude. I'm as big a Douglass Adams fan as the next guy, but he didn't invent every figure of speech in the english language. Some expressions (such as wet slap) did, in fact, exist before he first used them.

Isn't It Ironic - Don't You Think?

[BigBlockMopar]

Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion, diversifying is the necessary to combat worms.

How ironic is that? Someone who allegedly knows something about network security, who insists on providing presentations in a format which:

• promotes the very monoculture about which he speaks (noting that Microsoft doesn't offer a PowerPoint reader for Linux)
• allows the embedding of executable content which could be (and has been) used to carry malicious code

Fine, use PowerPoint for the presentation. But damn well save the slides as HTML, Acrobat, plain text, etc. for public downloading and consumption.

At my university, the only department which saved all lecture notes, etc in proprietary format (and continues to do so!) was the very one which should know better: Systems and Computer Engineering. It's really pathetic.

what makes you think that people in Russia

[meshko]

do not follow the SCO lawsuite?
Fuck, I'm pissed of more than usualy about Slashdot editors.
If you were to read www.linux.org.ru you would notice that the site follows the suite pretty closely, sometimes more so than Slashdot.

Apology?

[Rostin]

Give me a freaking break. I see politicians and the like smeared from here to the moon on a routine basis because of what amount to conspiracy theories, and then someone should apologize because they have the gall to suggest the possibility that disgruntled linux users may be responsible for a DOS attack on SCO? I mean, how could they? Everyone here on /. sure seems to love SCO. There's no motive at all.

I want to preserve this one and bring it out the next time some moron starts carrying on about how the US is involved in Iraq because of some vague connection that the Bush administration has with oil companies.

Re:The ultimate call for group think.

[Krow10]

I personally like to see SCO denial of serviced to kingdom come.

The problem with that is it doesn't hurt SCOX at all. Look at their business; look at the SEC filings with their financial numbers -- SCOX is not getting any revenue from their website, but they do get some sympathy every time some jackhole pulls a DoS on their pathetic site (of course, in the lab tests show that MyDoom.a doesn't actually execute the DoS code.) Yeah, SCOX can kiss my arse as well, but so can the spammers who coded this and anyone else who puts SCOX in the news for something other than their impending bankruptcy and fraud investigation.

Cheers,
Craig

Re:Security could be easily enhanced

[Flower]

*sigh*

No patching would have prevented this worm. Look, when MyDoom comes in as a zip file the user has to open it once to access the actual payload. When you open the thing in WinZip it shows up as [random].[doc or whatever] but has the wrong icon. WinZip then identifies it as a pif file and in the screen says DOS executable. After all that, the user has to execute it again to deliver the actual payload.

MyDoom has nothing to do with bad sysadmins. Nada! At work we have the desktops locked down and Outlook is setup to not permit autoexecute. Most executable attachments are dropped at the mailserver. The reason I say most is because we do allow Word documents and the like because surprise, surprise we have to actually run a business. Our signature files are updated daily and if a new virus comes out I do my job to make sure we're at the proper rev and run a manual update if we're not. The one thing I can't do is play Big Brother to a 1000+ employees scattered over the state 365/7 and smack them everytime they try to open some random shiny thing.

And more importantly, how can a sysadmin stop some random Joe User on a home cable connection from executing the stupid worm or patching his damn system?

That soundbite of yours starts getting a little hollow now doesn't it?

Social engineering for Sysadmins

[ericspinder]

Throwing the authorities off-track might have been the idea, but I think that it JUST MIGHT have been an attempt at social engineering aimed at the sysAdmins and virus hunters.

Just think, you are one of the first hunter to see the virus. You examine the code, and "Damn, their going after SCO, COOOOOOOOLL, I hate those bastards, I'm not reporting it". Or a sys admin at an email gateway. Most guys are real pros but maybe, just maybe a few took a little extra time...

They say that it's one of the fastest spreading Virus to date, perhaps targeting SCO was the bump it needed.

Ingenious my arse

[Chuck+Chunder]

Didn't blaster target the wrong address for Windows Update?

DDOS a website that probably gets about 10 interested visitors a day anyway?

Personally I'm surprised at the lack of damage these things do. Our systems and people are apparently wide open to these things. Blaster and MyDoom should be viewed as warning shots. It's only going to be a matter of time before someone writes something that infects, spends 2-8 hours propagating itself and then nukes the system it's living on, causing real widespread damage rather than minor annoyances.

Re:Ingenious my arse

[zcat_NZ]

and then nukes the system it's living on..

Why does everyone seem to think this is the -worst- thing that could happen? Restore from backups, business as usual the next day. Sure, a lot of businesses would be fucked over, but anything really important is backed up.

Now imagine a worm that spreads fast (flood-scan the local /16 plus a few random IP's outside that with tcp syn packets, infect anyone that syns) and then immediately goes dormant. Over the next month or so it quietly makes alterations to all the files it can access. Changes numbers in databses and spreadsheets, swaps words around in documents. By the time anyone starts to notice this thing has rendered all of the current data and at least a month of backups unusable.

That's the worst virus I can think of.

I'm tired of this...

[verbatim]

I'm getting hundreds of these cute "you've got a virus" warning from mail servers around the world. They're all the same - We've found an infection in an email from you... except when you look at the headers of the original e-mail, it is plain as day that the e-mail never went through my mail server and just forged the e-mail address.

A header from the most recent example:

Received: from [200.223.39.59] (helo=writeopen.com)
by mailforward.freeparking.co.uk with esmtp (Exim 4.24)
id 1AlqLU-0007Hx-48
for brian@dwrees.co.uk; Wed, 28 Jan 2004 09:07:08 -0500

RAWR. I mean, seriously. RAWR. (writeopen.com is 69.0.209.130, btw).

I'm being flooded by this crap. I've managed to get a filter going that catches them, but it's still traffic that I have to endure. And I'm getting them from ISPs all over the planet. RAWR.

Re:A million zombied machines for anyones use

[mabu]

As soon as this information was known, the FBI should send agents to Worldcom, Sprint and all the other backbone providers with instructions to log all port 3127 traffic immediately.

Unfortunately, I have a feeling somewhere, some authority is typing "virus writer's home address" into Google.

Who Said It'll Attack SCO? & A FUDworm?

[DynaSoar]

Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

If it turns out that the DDOS payload is inert:

Who was it that FIRST said it WOULD attack SCO, and how did they determine this? And who else quoted them without checking? (Not including normal media outlets, who'll quote anyone that can form a coherent sentence, if it'll fill white space.)

If this thing doesn't perform as advertised, what we are seeing is the first (purposeful or not) FUDworm. It definitely is spreading virus-like and causing traffic problems, but also it's spreading FUD, and using all of us as vectors. We will all have been infected with a socially engineered disease. If this is the case, it's a master stroke of psyops. If not, considering its success so far, its example will be repeated for this purpose.

Most resource-efficient way to deal with this

[mabu]

I recommend that other ISPs do what we're doing to deal with this. The problem with using content-based filtering is that it constantly needs updating and still costs you bandwidth and system resources.

The propagation of this worm is not unlike the propagation of spam. The ISPs are doing a piss-poor job of regulating the smtp traffic of their non-business customers.

My solution to this is very simple, and all I ask is that the large ISPs separate their DUL IP space from any legitimate mail relays they operate.

For example, we're seeing a ton of spam originate from Videotron in Canada. An IPWHOIS shows that this is one of their major blocks:

Le Groupe Videotron Ltee VL-2BL
24.200.0.0 - 24.203.255.255

The easy thing to do is put 4 lines in my /etc/mail/access file to block those 4 class Bs, and bingo... I've shut out more than 250,000 IPs from sending me spam or worms. I modify the error message to redirect inquiries to a web page with a form that legitimate users can use to whitelist their IP/relay.

Using this method, I take the burden off my network. If you are selective about the IP blocks you ban, you can really whittle this down to almost no bouncing of legitimate mail.

Many ISPs are using DUL RBLs to accomplish the same thing, but the problem is that this requires more resources and huge databases of every possible IP. If you know that an ISP has allocated a large number of IP space to customers who shouldn't be operating their own SMTP relay, you can bypass this and just cut them off.

Generally speaking, I employ this method primarily with Asian and Middle-Eastern IP blocks where I don't normally expect any mail traffic in the first place, so the collateral is minimal if any.

Now if you have DSL or Cable and you've hung your own SMTP relay on your home network, yes, you might have some problems with this method, but it only takes a few seconds to request whitelist authorization and then it's done. Spammers aren't going through this trouble and if they do, I can track them when they try to make these requests.

If more ISPs employed this technique, it would be very effective. I am convinced that many large ISPs, including AOL are already doing this in one form or another: being very picky about accepting certain types of traffic from certain IP blocks.

The next evolution of RBLs will probably involve something like what I'm doing... which is the ultimate movement to a whitelist system where you deny the most-henous sources and make them request acceptance. It's a lot easier to maintain a small list of authorized SMTP relays among a very large blacklisted DUL IP space.

Common sense lacking in virus writers?

[hazzey]

I have thought this same thing about all of the DDoS viruses that have been around lately. Why is the date that the DDoS is supposed to start always a week+ after the news media proclaims it a "massive infection." It is almost like the writers just want publicity and not to actually do harm. It's not like wish that they would get their acts together, but it just strikes me as odd.

Port 25 blocking

[Awptimus+Prime]

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

That's not even worth mentioning. There is no good reason for the average user to need access to SMTP servers besides the one at their ISP.

Years back, when I did technical support, the ISP I worked for had just implemented such a filter. The number of spammers who used our services immediately found new ISPs. The only fallout were a few customers who needed email clients reconfigured for non-local mailboxes, as they were using the other ISPs smtp server.

I do recall a few knuckle-heads (NT4/Linux wannabe super geeks) whine excessively over the issue, as they felt some right of theirs had been infringed. Ignorance is bliss, I suppose.

For anyone who is considering Technical Support for a living, just hang up the phone as soon as you find out someone is from Boca Raton, Florida. I swear, everybody I've talked to from that place thought thought they were some guru, but usually had no clue. My point, if you are such a damn brilliant administrator, then you shouldn't be calling technical support whining about your messe d up copy of enduroo. ;-)

Back to the topic at hand, there is no excuse for any ISP who houses an smtp server to allow it's customers access to just anywhere on port 25. I know it's a subject that will cause some flames, but someone has to compensate for the insecure, broken nature of SMTP.

I welcome anything AOL or Microsoft can bring to the table concerning this matter. I definitely don't see the community doing anything about it except for yelling at people to add more filters. This does little in regards to the bandwidth costs and server time (not to mention my client's cpu time wasted filtering) associated with massive amounts of spam.

Re:Port 25 blocking

[phillymjs]

Most of the spam I get these days comes from SMTP-trojaned Windows boxes sitting on consumer broadband networks.

As I receive spam from these machines, I forward it to the appropriate abuse@ and add the enclosing netblock to my SMTP blacklist. I am slowly but surely shitcanning the customer IP ranges of every consumer broadband network in North America. Considering how uppity the broadband ISPs get when people "abuse" their allegedly-unlimited bandwidth, I'm astounded that they allow unpatched, zombied Windows boxes to just pump out thousands of spam messages.

Probably 98% of people with broadband have zero need or desire to access an SMTP server other than what is provided by their ISP. To that end, I wholeheartedly agree with you that port 25 on these networks should be restricted. The 2% who require less-restricted SMTP capability could be accomodated for a few bucks more per month, and the ISPs could probably add a "one strike and you're out" policy-- account termination upon the first proven complaint about spam originating from the machine of one of those less-restricted SMTP users.

~Philly

Re:Port 25 blocking

[kirkjobsluder]

And for those that need Sendmail/qmail/Postfix/whatever, how hard is it, really, to configure the MTA to send mail through the ISP server?

Re:Way OT

[SlightOverdose]

/me double checks what language he speaks

"English"

oh. Wow. English != Latin.

Just because a word is wrong in latin doesn't make in wrong in english. New words are made up every day and accepted into normal speech. Most of these words don't have latin roots.

More specifically, a word is only a phonetic way of transfering information. if a significant number of people use a word and know what it means, that word has correctly transfered this information, and therefore is correct regardless of whether some anal language nazi thinks so.

I always have and always will say Virii. Most people I know say Virii. Therefore, Virii IS a valid word, even if it is only slang, like Boxen or scr1pt k1dd33.

Thank you and goodnight.