Slashdot Mirror


Microsoft Mail Worms Gang War?

cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) is the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."

11 of 609 comments

  1. I would like to point out... by chrisopherpace · · Score: 5, Informative

    MyDoom.F does destroy word, excel, access, jpg, and other files.
    SARC
    This was a major headache for me the past few weeks. Backup tapes suck. Worms suck harder.

  2. Warnings... by ackthpt · · Score: 5, Informative

    I'm getting some forged emails lately, badly forged at that, which look like they're coming from my ISP, "warning viruses being sent from your account", "warning imminent suspension", etc. They have a pif file attached (which I never open) and have been coming from .lt or .gr servers (my ISP would not likely be using these.) Looks to me like another brand of worm on the rounds and there's a morbid sense of humor behind it.

    --

    A feeling of having made the same mistake before: Deja Foobar

    1. Re:Warnings... by Hayzeus · · Score: 5, Informative

      I doubt humor is involved -- the point is to get people to open the zip and run the archived file -- which you have to go to some trouble to do, given that the zip is password protected (to get by email scanners). I've had a couple of users here contact me about these, but nobody has run them yet. Of course I only have a few users, most reasonably clueful. This would probably suck for larger outfits.

    2. Re:Warnings... by spydir31 · · Score: 3, Informative

      That's Beagle.K (or Beagle.J, it's linked from the story, though), I've only received one, but it's annoying as all hell to block.
      I'm now blocking all encrypted zip attachments via my trusty MailScanner
      (there's a beta version which adds this, I couldn't trust the filename rules, and wouldn't block all zip attachments)

  3. Re:Turf? by glen604 · · Score: 5, Informative

    since some of these viruses involve opening back doors, it's a turf war in the sense of who owns more zombie computers, I guess.

  4. latest breed by A+moron · · Score: 4, Informative

    What's interesting/annoying is that the latest variants of the Bagle/Beagle virus use password protected encrypted zip attachments which has caught quite a few mail gateways and virus companies off guard. Our mail gateway (mailscanner/f-prot/spamassassin) was unable to deal with the encrypted zip attachments and passed them on through.

    The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)

    1. Re:latest breed by RobertB-DC · · Score: 3, Informative
      Foo: ...the latest variants of the Bagle/Beagle virus use password protected encrypted zip attachments [...] The virus companies better hurry the heck up and come up with a solution.

      Bar: Seems a bit odd to me that a worm can propagate when you have to enter a key to run it, for god's sake that's like getting a grenade in the mail with a note saying 'Pull this pin and hold'.

      What's odd is the grandparent's suggestion that the "virus companies" (I'm not touching that one!) should find a solution.

      Solution to what? Clueless users who blindly follow any official-sounding directions they receive in email?

      In defense of the clueless users, though, the latest email had halfway decent human engineering. I didn't get it, but our IT Security folks sent a warning about it. Here's the message -- note that site is our corporate web site. If you overlook the obviously broken English ("Pay attention on attached file."), you could almost convince yourself:
      From: staff@ site.com [staff@site.com]
      To: yournamehere [yournamehere@site.com]
      Sent: Tue Mar 02 17:27:52 2004
      Subject: Important notify about your e-mail account.

      ***********************
      Warning: Your file, Document.zip/jhlvbpgfu.exe, is password-protected. It was not scanned by InterScan MSS.
      ***********************

      Hello user of site.com e-mail server,

      Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

      Pay attention on attached file.

      Attached file protected with the password for security reasons. Password is 50655.

      Have a good day,

      The site.com team
      http://www.site.com
      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
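A concrete form of the check spydir31 and A+moron describe above (a mail gateway blocking password-protected ZIP attachments, plus flagging an executable inside a plain ZIP such as the Document.zip/jhlvbpgfu.exe lure quoted in this thread), added here as an example and not code from the thread or from MailScanner: it reads bit 0 of the general-purpose flag in the ZIP central directory instead of relying on filename rules. The archive and message are constructed samples.

```python
import io, struct, zipfile
from email.message import EmailMessage

ENCRYPTED = 0x0001                                  # bit 0 of the general-purpose flag
RISKY_EXT = (".exe", ".pif", ".scr", ".com", ".bat")

def zip_entries(data):
    """Walk the central directory and yield (name, is_encrypted) for each entry."""
    eocd = data.rfind(b"PK\x05\x06")                # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _, pos = struct.unpack_from("<HLL", data, eocd + 10)
    for _ in range(count):                          # each entry starts with PK\x01\x02
        flags, = struct.unpack_from("<H", data, pos + 8)
        fn_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        yield data[pos + 46:pos + 46 + fn_len].decode("cp437"), bool(flags & ENCRYPTED)
        pos += 46 + fn_len + extra_len + comment_len

def classify_attachment(data):
    if not data.startswith(b"PK\x03\x04"):
        return "not-zip"
    for name, encrypted in zip_entries(data):
        if encrypted:                               # scanner cannot look inside: block it
            return "encrypted-zip"
        if name.lower().endswith(RISKY_EXT):        # executable hidden in a plain ZIP
            return "zip-with-executable"
    return "zip-ok"

def scan_message(msg):
    return {p.get_filename(): classify_attachment(p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def make_zip(name, payload, encrypted=False):
    """Constructed sample archive; zipfile cannot write encrypted entries, so the bit is patched in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED                                # local file header flag field
        data[data.find(b"PK\x01\x02") + 8] |= ENCRYPTED     # central directory flag field
    return bytes(data)

def sample_message(zip_bytes):
    """Constructed lure shaped like the one quoted in the thread (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = "Important notify about your e-mail account."
    msg.set_content("Pay attention on attached file.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="Document.zip")
    return msg
```

Running scan_message over the constructed lure returns "encrypted-zip" for Document.zip, which is the verdict a gateway should act on without ever needing the password from the message body.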

  5. Pretty good social engineering this time by GillBates0 · · Score: 4, Informative

    Date: Wed, 03 Mar 2004 10:03:48 -0800
    From: support@xxx.edu
    To: me@cc.xxx.edu
    Subject: Warning about your e-mail account.
    Parts/Attachments:
    1 Shown 10 lines Text
    2 12 KB Application

    Dear user of "xxx.edu" mailing system,

    We warn you about some attacks on your e-mail account. Your computer may
    contain viruses, in order to keep your computer and e-mail account safe,
    please, follow the instructions.

    For more information see the attached file.

    Cheers,
    The xxx.edu team http://www.xxx.edu

    [ Part 2, Application/OCTET-STREAM (Name: "Information.pif") 16KB. ]
    [ Cannot display this part. Press "V" then "S" to save in a file. ]

    ------
    Pretty *good* social engineering, if you ask me. The other earlier worms did not send customized messages according to the domain. I had to stop a couple of family/friends from giving in and opening the attachment.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam

  6. Re:Is the problem really hard to fix? by liquidsin · · Score: 3, Informative

    How many people do you know that actually read EULAs, or javascript popups? Everyone that I know seems to look for the escape (clicking "I Agree" on EULAs or "OK" on anything their browser pops up). Hell, these attachments need to actually be executed. The user is already going to the trouble of right-clicking the attachment and either saving it, finding it, and running it, or just running it right from OE. One more popup would only slow them down by half a second.

    --
    do not read this line twice.

  7. ...little damage... by blunte · · Score: 4, Informative

    Typically these viruses (or more correctly, worms) do little damage to the infected computer

    Yeah most are not too damaging, but here's my story.

    Symantec's corporate antivirus software only allows for once daily automatic downloading of new virus signatures.

    - Last week our AV server downloaded updates at 8am as usual.
    - At 11am Symantec released new signature for MyDoom.F.
    - At 1pm stupid_corporate_user_04 opens and unleashes MyDoom.F on the network. MyDoom.F blows away all MS Office and image files on stupid_corporate_user_04's machine, then begins the same task on all network shares this person had access to.
    - At 8pm automatic backups kick off
    - At 11pm backups complete, having successfully backed up ruined shares.
    - At 8am the next morning, AV server picks up signature for MyDoom.F. At same time, users begin to notice their files are gone. Alarms go off everywhere.
    - At 11pm that second day, all corrupted/trashed files have been removed, all viruses eradicated, all data restored from 2 day old backups.

    Summary: 1.5 to 2 days of work time lost by 60 employees, plus 12 hours at $110/hr for a support consultant to help clean up the mess.

    Needless to say, I wouldn't categorize the virii as doing little damage, whether they actually delete local files or not. Even had we not lost files, we still would have had a big cleanup job, and it still would have impacted our users.

    Here's a big Fuck You to the person who wrote that variant, and to all the other virus writers out there.
    --
    .sigs are for post^Hers.

  8. Re:MS Address Book lock down? by YrWrstNtmr · · Score: 3, Informative

    err...Outlook2003 and Exchange2000 do exactly that. If a program tries to access the Address Book, it pops up an approval dialog box. You can't click yes for 5 seconds.

    But since these worms also search a wide range of other file types (.txt, .doc, .html, etc etc) for valid email addresses to send to, it makes little difference.