Slashdot Mirror
Microsoft Mail Worms Gang War?
cuzality writes "The media is now beginning to suggest that this recent onslaught of new viruses (with new versions of major-impact viruses being found daily) the result of a virus gang turf war, kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club. The gangs are shooting fast and loose: variations of the big ones are being discovered daily (as of March 4, we are up to MyDoom.H, Netsky.F, and Beagle.K), and in the space of three hours on Wednesday morning, five variants of these three were first discovered. Typically these viruses (or more correctly, worms) do little damage to the infected computer, intent mostly on spreading far and wide, and sometimes inflicting DoS on some poor evil empire."
Since Microsoft is in Seattle, this could be a real West Side Story.
Where's the question?
Make even shorter URLs - 8LN.org
MyDoom.F does destroy word, excel, access, jpg, and other files.
SARC
This was a major headache for me the past few weeks. Backup tapes suck. Worms suck harder.
Bored? Why not join a decent mess
"Plenty of letters left in the alphabet" - J. L. Picard
"Draco dormiens nunquam titillandus."
It was bound to happen, given that more and more worms are written for criminal spammers. And since spammers AND criminals are stupid, they will fight each others.
I mean, seriously, how hard is it to write malicious code if you can get the person to run any program. Heck, here's my virus:
This is NOT hacking... it's taking advantage of stupid people...
Jay | http://oldos.org
Actually, the evil empire isn't all that poor; it's got several billion dollard in cash. And the poor wannabe empire isn't poor either; apparently it got a $86 million cash injection, thanks to the evil empire.
I'm getting some forged emails lately, badly forged at that, which look like they're coming from my ISP, "warning viruses being sent from your account", "warning immenent suspension", etc. They have a pif file atteched (which I never open) and have been coming from .lt or .gr servers (my ISP would not likely be using these.) Looks to me like another brand of worm on the rounds and there's a morbid sense of humor behind it.
A feeling of having made the same mistake before: Deja Foobar
From the article:
...
Most of the comments tucked inside the latest bugs are brief, unprintable and poorly spelled. "Bagle -- you are a looser!!!" opined the author of the sixth version of Netsky.
Hmmm, where have I seen that misspelling before? Let me think
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
since some of these viruses involve opening back doors, it's a turf war in the sense of who owns more zombie computers, I guess.
What's interesting/annoying is that the latest variants of the Bagle/Beagle virus use password protected encrtypted zip attachments which has caught quite a few mail gateways and virus companies off guard. Our mail gateway (mailscanner/f-prot/spamassassin) was unable to deal with the encrypted zip attachments and passed them on through.
The virus companies better hurry the heck up and come up with a solution. (Looks like ClamAV and Sophos have already done so.)
I always wondered what motivated these people. Is it as simple as recognition? Its not like they can tell anybody it was they who did it. Really it isn't even "neat" on a technical scale. So they don't do it for a challege. They don't do for noteriety. They just do it to cause trouble.
Seems like the internet version of the street vandalizer has come to pass. Sad really.
It's all Politics
In the late 1800's in the American west there was a boom in illegal activities (Billy the Kid, Butch and Sundance, etc.). The citizenry had enough and banded together (i.e., paid taxes) to fight back (i.e., hired police). Cyberspace is in the equivalent of the late 1800's in terms of working out who controls what. Now we, the citizenry, must decide if we want to hire the Pinkertons or establish a proper police force. Just remember, the Pinkertons were often as dirty-dealing as the crooks they were after, and the Sheriff was usually a former badguy with a badge.
If all this should have a reason, we would be the last to know.
The only reason anyone writes a virus these days is to do it. Even when there's an added payload (like a DDOS to www.sco.com), the virus is out there solely to be out there. The fact that it's due to rivaling gangs makes perfect sense.
If someone were to write a truly destructive virus (you open it, it sends itself to everyone in your inbox, then promptly writes random data over your hard drive) then we'd really see people start to take viruses seriously.
Even the most "destructive" viruses in recent history have wimped out in some way -- just consider Michelangelo, which was hard-coded to become destructive at a much later date, long after it would be discovered and patches written.
Cretin - a powerful and flexible CD reencoder
...kinda like the India/Pakistan virus conflict, in which official Pakistani sites were savaged by such infamous groups as Indian Snakes and Indian Hackers Club...
Seems like virus writers also got oursourced to India!!
With that in mind, those programmer comments being reported now, although they do seem to show a gang war, may just be more misdirection and once again the media fell for it. If it really is the spammers behind it all, and criminal elements doing it (yeah, I know, "spammers" and "criminal elements" are redundant), this gang war idea may just be more cover.
Meanwhile there are millions of zombie Windows boxes around the world with clueless owners not realizing they are 0wn3d. That's the real story the media should be following up on.
Typically these viruses (or more correctly, worms) do little damage to the infected computer,
maybe little damage to the computer itself, but they definitely cost a company in terms of IT support calls, and loss productivity. Even though this cost is not easy to measure, but is certainly not a small amount.
Consensus is good, but informed dictatorship is better
Of Neal Stephenson's thing about how in the future when you go outside you'll have to breathe through a hankerchief, a la 19th-century london, because the air will be filled with millions of malicious nanobots, and millions of helpful nanobots neatly neutralizing the malicious ones, and millions of meta-malicious nanobots that only exist to disable the neutralizers... just one big no-net-effect hacker arms race.
I wonder how long it will be and how much futher adoption of windows server operating systems we'll have to see before internet traffic starts to look like that.
If being the victim of a Microsoft worm is like being caught in the crossfire of a gang war, there's a simple solution: stay out of the line of fire. If you had a choice between one house in a safe neighborhood, and another house of roughly the same price in a neighborhood where bullets from the local crack dealers were coming through your walls at three in the morning, where would you choose to live?
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Yeah, but they've been secretly building their own Deathstar, which is hidden behind the Moon, for years now. I'm not so worried about the Evil Empire using it as when it gets 0wn3d.
A feeling of having made the same mistake before: Deja Foobar
This commercial IT market is becoming too patch-dependent.
Can anyone make products out-of-the-box any more? Viruses need daily patch updates. The OS need daily patch updates. This is ridiculous.
Are these really viruses? Only two are actually mass-mailing worms that don't rely on Outlook's address book to send themselves. All of them rely on the user to open and run the malware program. Some of the MyDoom variants I'm seeing don't even make a feeble attempt at social engeering. Apparently most users are just downloading and executing attachments without even thinking. This despite all the warnings and hype surrounding e-mail containing "viruses".
Imagine if e-mail was just plain old ASCII text with no attachment support. *sigh*
Fred
"A fool and his freedom are soon parted"
-RMS
Wouldn't this much virus activity raise the chances of being caught? Pride has been the downfall of a great many "1337 d00dz" who can't seem to avoid bragging about their 5|i77z. Then again, if you did stage such acts, it does nothing for your ego unless people know you did so.
These are not your stealth haxorz, these are the works of script kiddies. But of course everyone here already knew that.
all your computers are belong to us, no US, NO US, NONO US!!!
How is my computer their turf?
:)
If you have to ask a question like that, a better one might be "How ISN'T my computer their turf?" Here's a tip: If you suddenly find all of your ports open, you may want to consider running a virus scanner.
Well, what are you sposed to do, when you've got thousands of users doing menial stuff all day long, and the people who have to deal with this crap arent the people who can implement change? I fix virus infected machines at the state all day, but that doesnt mean i can just call someone up and ask them to block .bat files at the server, or kill msn messenger ports. They just don't care, because they have 'bigger' concerns.
The Pakistany/Indian conflict is well determined as clubs have names.
Besides the "sorry but i had to" message in one of the MyDoom variants, no one has claimed authory on this "gang" attacks to evil empires. As far as we know it could be a single programmer with lots of free time and a bad temper.
Maybe is many ppl, but they are merely common intrested in a visible evil empire rather than a gang.
"The quality of life is inversely proportional to the number of keys on your keyring."
Can anyone recommend a good server-side tool to block viruses and worms? I'm using procmail now with a bunch of handwritten rules, and they work well on a bunch of older viruses, but there are so many new variations now that I can't keep up! On the client side, Bayesian filters (in Mozilla Mail and Apple Mail.app, for example) work reasonably well with spam, but they have a harder time with viruses and worms. It's also more annoying because viruses and worms are so large (30k or 100k, typically) and my local mail client has to download the entire message before filtering it out.
Note that I don't want to just block all messages containing attachments with certain extensions. There are many legitimate reasons for someone to send me a zip file as an attachment.
Except that the subject isn't a grammatically correct question. Hell, it's not even a grammatically correct statement.
Dinivin
That's where I think this is all ultimately headed. The spammers are in bed with the virus writers, who have taken the penis enlargement pills as commission. :P
Why don't these "hackers" use their skills to do something productive. With the time and effort they're putting into this programming, they probably could have written some utility software that would have earned them bags of money. But where's the fun in that.
TechTV's The Screen Savers last night suggested that one of the motivations of competitive virus writers is because the anti-virus companies put out rank-order lists such as the one shown on SARC's homepage. Maybe those lists should be discontinued to at least knock down some of the motivation?
The coverage by the media on these viruses is just outright terrible. There's always the assumption that all users are affected, when in reality a number of users are completely unaffacted by these viruses (reduced internet bandwidth aside). The growing number of Linux, MacOS X, BSD, and various other unix-based flavors are largely unaffected by these attacks. Furthermore, those Windows users who keep up with patches & fixes and use firewalls are also largely unaffacted.
This piece by MSNBC is a prime example that never once clarifies that some people may not even be affected by these viruses.
For the "cyber" reporters out there: get a clue and portray more than one perspective.
Did Microsoft create them? No.
Do they exploit any vulnerability that Microsoft is responsible for creating? No. (They spread by tricking users into running the attached executables.)
I know it's fun to pretend that everything bad is Microsoft's fault (and I'm no fan of Microsoft myself), but come on... how does it make any sense to prefix something with "Microsoft" when Microsoft had absolutely nothing to do with it? What's next? "Microsoft OpenSSL vulnerability discovered"? "Microsoft recording industry sues 12-year-old kid"? "Microsoft PATRIOT act renewed"? "Hacker charged with violating the Microsoft DMCA"?
If evil didn't exist, humans would have to invent it. Face it, computers are boring, but "Rival Hacker Gangs Virus Turf War" is the lifeblood of pop media newstertainment.
Here are some more down to earth email worms.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
It's surpring no consortium (like an ISP group) has come together and filed a lawsuit against MS for having to mop up their work. It's definitely costing to pass the traffic, having to explain 12! times a day to customers that we didn't send them a moronically written "Your account is suspend for virus activity" (yes I know it's a typo). MS should definitely be dishing out some money for this. After the first 100 or so viruses from the years 2000-2002 you would figure they would get their act together, but it's the same old story. And for the users (non geek users) of MS, the grandmothers, housewives, and non techies, you would figure they would wise up to the same shit different day. Instead they still open attachments, and rather altogether, still use the same chopperating system they often have to reinstall after having been infected 12! per year.
Seriously mind boggling. As for the virus creators they too need to be punished for their actions, and severely at that. I'm skeptical about the entire 'cybercrime' terrorist approach the DOJ and others have taken on this, but this is definitely something that's getting out of hand. And if you too also work in an ISP, you would know the guys of headaches one deals with on these virus issues. Hopefully our 3rd party antispam/virus filter mail provider gets their act together. Think about the costs for a mid sized ISP on something like technical support alone. 1000 calls a day to explain why someone should not open those emails multiplied by the salaries. Wasted money.
MoFscker
MyDoom installs a back door on every machine it is run in. If that constitutes "little damage" then I guess we should all set our root password to "root" .
Allow PDF, GIF, and JPEG at the firewall and in the mail client. That's it.
Microsoft needs to turn off the "feature" that clicking on a mail attachment runs it. It should just be "viewed", with a dumb viewer. It should be impossible to launch programs from mail attachments. Users should have to explictly save to a file and run to do that.
"...and sometimes inflicting DoS on some poor evil empire." Or in the case of sco.com, an evil feifdom.
Let us not become the evil that we deplore.
here in my office (government), we had very little trouble with mydoom or any of its variants - but netsky.d, for whatever reason, was slipping through. this was on march 2, so for a few hours, we had a lot of people calling the helpdesk and complaining about the "weird beepy noises" coming from their computers.
the exchange server is configured to catch most of this crap, delete the attachments, etc. - but if ANY of it gets through to a user, the attachment WILL get opened.
the hell of it is, our security advisor sends out DAILY network alerts, telling people EXPLICITLY what to look for, what NOT to do under any circumstances, right down to the various subject lines and attachment names that these worms will manifest with. she couldn't be any clearer in her instructions if she walked into their individual offices and handed them a stone tablet, engraved by the hand of God himself and saying "Thou shalt not clicketh upon this thing."
the typical excuses we hear are something along the lines of "b-but . . . it came from a guy i know? he wouldn't send me a virus?"
sigh.
** Chigusaaa!!! You're the coolest girl in the WORLD!!! **
Put in a mail filter. Dop all .PIF, .EXE, .COM, etc., etc., including (nad this is the clever bit) all .ZIPs.
.ZIPs we receive is so low that telling the sender to rename the attachment is feasible. They are also getting hammered by Bagle et al. so they understand.
Either route to holding folder or just drop as we do. The number of legitimate
Other than users who still forward us the defanged emails even after being repeatedly told not to do so, we have had no impact to the firm whatsoever.
If you don't want to repeat the past, stop living in it.
Date: Wed, 03 Mar 2004 10:03:48 -0800
From: support@xxx.edu
To: me@cc.xxx.edu
Subject: Warning about your e-mail account.
Parts/Attachments:
1 Shown 10 lines Text
2 12 KB Application
Dear user of "xxx.edu" mailing system,
We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.
For more information see the attached file.
Cheers,
The xxx.edu team http://www.xxx.edu
[ Part 2, Application/OCTET-STREAM (Name: "Information.pif") 16KB. ]
[ Cannot display this part. Press "V" then "S" to save in a file. ]
------
Pretty *good* social engineering, if you ask me. The other earlier worms did not send customized messages according to the domain. I had to stop a couple of family/friends from giving in and opening the attachment.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
The first part of the question is understood, at least by those who understand such things: "[Is this a] Microsoft mailworms gang war?"
Hic iacet Arthurus, rex quondam rexque futurus.
wow, so you've just made it so noone can ever send any kind of executable attachment ever again, legitimate or not. yea, that'll make EVERYONE real happy.
Personally, I send myself zip files with executables in them all the time, on purpose, for work-related stuff. Why should I not be able to do that?
Users click "OK/Yes" on messages just like they click "I Agree" on license agreements. Either that, or the from address is spoofed and they think it's safe to open it.
SmashTech - No smashing of tech involved
I think I'd crap on M$ for putting that in as a default.
Here's a better solution: 99% of the population knows you have to change your oil, because they are (somewhat) educated in that regard. Why not just educate people?? There's nothing GM can do to make you change your oil c'ept show you what happens if you don't!
Your solution sounds like the default Outlook XP fix: Block any executable attachments. What kind of garbage solution is that? It's called a "Let's break it so they can't use it" fix.
Mod +5 Drunk
Aren't many people having trouble finding IT jobs? There was the dot-com crash and then outsourcing...
How many people do you know that actually read EULAs, or javascript popups? Everyone that I know seems to look for the escape (clicking "I Agree" on EULAs or "OK" on anything their browser pops up). Hell, these attachments need to actually be executed. The user is already going to the trouble of right-clicking the attachment and either saving it, finding it, and running it, or just running it right from OE. One more popup would only slow them down by half a second.
do not read this line twice.
This is only a Microsoft worm/virus/trojan in the sense that it runs a Windows exe. This is NOT a failing with Outlook or Outlook Express. This code can be run from ANY client that allows attachments
[paraphrased email text below]
"Hi, I'm the admin from [YourEmailServer]. We've been getting complaints about your account, and we think you have a virus. Please open the attachment, and run the file. Password is 12345
Cheers, [YourEmailServer]
Haven't we been asking the ISP's to get on top of the virus problem? Well...here comes an email, supposedly doing just that!
"We think you have a problem, and here's how to fix it"
This exact same thing could have been targeted to the OSX environment, or a *nix script.
"Hi, due to the traffic we've noticed, we think your Mac/Linux box has been compromised. Please run this script to identify and fix the problem."
Now...most *nix users are a bit more clueful and suspicious. But, more than a few would be caught out.
(and if you, the writer(s) of these things are out there reading this...this is NOT a compliment. You are not cute, nor are you inventive. You are merely a fool. And one that will be caught. Hopefully for you, by the authorities. They will be much easier on you than we will be...we won't be using vaseline)
Although this sentence is not a question, it ends in a question mark?
A question, what is it?
It's an interrogative statement used to test knowledge, but that's not important right now.
Maybe this virus war will tie up all the developers in India and Pakistan who would otherwise take our jobs.
Table-ized A.I.
A better interpretation might be: "[Are the] Microsoft mailworms [part of a] gang war?". At which point the title goes way beyond the shortening that is generally acceptable for titles.
Yeah most are not too damaging, but here's my story.
Symantec's corporate antivirus software only allows for once daily automatic downloading of new virus signatures.
- Last week our AV server downloaded updates at 8am as usual.
- At 11am Symantec released new signature for MyDoom.F.
- At 1pm stupid_corporate_user_04 opens and unleashes MyDoom.F on the network. MyDoom.F blows away all MS Office and image files on stupid_corporate_user_04's machine, then begins the same task on all network shares this person had access to.
- At 8pm automatic backups kick off
- At 11pm backups complete, having successfully backed up ruined shares.
- At 8am the next morning, AV server picks up signature for MyDoom.F. At same time, users begin to notice their files are gone. Alarms go off everywhere.
- At 11pm that second day, all corrupted/trashed files have been removed, all viruses eradicated, all data restored from 2 day old backups.
Summary: 1.5 to 2 days of work time lost by 60 employees, plus 12 hours @110$/hr for support consultant to help clean up the mess.
Needless to say, I wouldn't categorize the virii as doing little damage, whether they actually delete local files or not. Even had we not lost files, we still would have had a big cleanup job, and it still would have impacted our users.
Here's a big Fuck You to the person who wrote that variant, and to all the other virus writers out there.
.sigs are for post^Hers.
Considering the number of people I've encountered who don't even know what a "program" is (all they know are that there are a set of different boxes on their screen, each of which does something different), how can you expect them to understand what executable code is, or how it gets run, or why it shouldn't be run?
You've seen polarized power plugs, right? The ones with one blade slightly wider than the other. This is to prevent people with no knowledge of electricity from inserting the plug into the receptacle in a way that will blow up their equipment.
Microsoft software is like having unpolarized plugs. To someone who knows what they are doing, this is not a problem, but for the average user, the useless ability to plug it in backwards has no beneficial properties whatsoever.
There should be no way to run an executable from a mail client. Not even a dialog that asks "Are you sure you want to run this?" People avoid thinking by simply clicking "Yes" to any question they are asked. It needs to be forbidden to execute an attachment. If you really, really must, then you can save it to a folder somewhere, then run it from there.
Microsoft's practices of allowing users to perform any bone-headed, ill-advised actions they wish, should rank right up there with the irresponsibility of not supplying polarized plugs for electrical equipment. In fact, this situation is even more serious, since an incorrectly inserted power plug only has the potential to destroy the machine and/or the user, whereas a virus infection in a corporate network can potentially impact thousands of people.
Apparently, they didn't find Microsoft enough of a challenge.
Obligatory Futurama quotation:
Fry: I'm good at video games and bad at everything else. That's why I wish life were more like a video game.
Farnsworth: Can you put that in the form of a question?
Fry: Uh, what if that thing I said?
-- Ed Avis ed@membled.com
"A new company policy is hereby enacted: It is forbidden for any user on the corporate network to execute any binary email attachment of any kind, including any attachment from anyone within the network. We will occassionally enforce this measure by sending dummy attachments to all corporate users which will report your workstation to network operations should you click on the attachment. Doing so will be grounds for immediate dismissal. We reserve the right to be sneaky, so your best policy for keeping your job secure is to simply never click on an attachment. Thanks, and have a nice week."
Enabling terrorists...
Who do you want to DOS today?
When will Microsoft be held responsible for aiding terrorists?
It's not Linux that is the tool of terrorists, it's Windows.
I don't know the meaning of the word 'don't' - J
Is there such a beast as a "clueless end user test" type executable that I can email to my coworkers, and if they execute it an email is sent back to me as "evidence"?
I think this would be a fairly blunt social engineering test for a company to put it's employees through. Especially since we have to send out quarterly training about it. I want to know if it sinks in at all.
Nuke Gay Whales for Jesus.
I go to Ohio State University, and for the past week I and most people I have know have been receiving these message from
staff@osu.edu.
That's over 30,000 users, right there, on broadband. Multiply that by every campus in the world... I was honestly even curious about it, until I saw the attachment file. Their biggest weakness in it, actually, was that it sent several copies, each with a different user@osu.edu. That made it more suspicious.
No. He meant redundant. A redundant question is one that doesn't need to be asked, a rhetorical question is one that doesn't need to be answered. Big difference.
why executables still allowed in e-mail after all YEARS of worm history? There are only a few legitimate reasons for them and everything could be done in other way. And it's obviously that education users and even presenting them a warning doesn't work.
.exe and .scr, but all a.out, elf and company too.
Why nobody ever came up with default mail server configuration which prohibits any executable content? And not only
So far nobody. You have to patch qmail and add qmail-scanner if you want to do this. Is there a checkbox in microsoft exchange? An option in sendmail.cf?
Fuck.
err...Outlook2003 and Exchange2000 do exactly that. If a program tries to access the Address Book, it pops up an approval dialogbox. You can't click yes for 5 seconds.
But since these worms also searches in a wide range of other filetypes (.txt,.doc,.html,etc etc) for valid email addresses to send to, it makes little difference.
Simple three point plan for eliminating e-mail viruses:
1. Microsoft should immediately patch exchange and outlook so that no attachments that include executable files can be transmitted. You get word files, pdfs, plain text, jpegs and similar "passive" file formats. any scripting gets filtered out of html or spreadsheets. An archive (tar, zip, etc) doesn't get transmitted if it contains bad stuff or is not readable. And you can't override this by just clicking "yes" or "okay" upon receipt of a message.
2. viruses propagate similar to spam. ms exchange or other MTAs should make note of 50000+ very similar messages being tossed about and immediately blacklist compromised machines, then go into mail accounts and yank out virus messages that haven't been downloaded yet. Messages with attachments should be subject to a short extra wait time (5 min) to slow propagation and give the system time to react.
3. email attachments, even non-executable ones, should be opened in a restricted environment, e.g. chroot jail, java sandbox, or a refreshable vmware image. if the virus goes nuts, just delete the environment and kill its processes. don't allow outbound connections from the sandbox. In the long run, web pages and downloaded files should be treated similarly.
Yes, virus writers will find workarounds and attack new security holes. But microsoft has an obligation to fix existing security holes and at least make the virus writers look for new ones.
Yes, some people will be annoyed that their excel macros get lost. But it is time to start setting up a social environment where email is about sending a message that you type in yourself to communicate, not just a file sharing system for forwarding zip files.
Now this may sound a little over aggressive , but I am a poor sys admin who is getting bombarded with blocked messages every 20 secs or so. Personaly if i ever meet a virus writter, if its this shit or some other virus they have written their head is going to end up in a glass jar in my fridge Be Warned
There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
The most powerful way to bypass security has always been "social engineering" - so why would you think it'll be different for virii?
If people actually do wisen up and stop opening email attachments they're unsure about, the virus writers will just come up with more creative ways to convince you to run the code. Write a small applet that lets them play a contest game to win money - only, nobody is really going to win anything, and it drops a trojan horse on the PC. Send mail that looks like a legitimate attached form from the ISP, requesting some sort of info your ISP might actually need. (Heck, one popular method seems to currently be bundling "malware" with legitimate freeware apps people want to download and use - like p2p music sharing packages, pop-up blockers, and time synchronizing clients.) Who knows? This problem isn't going to go away just by trying to "educate it away", telling people not to read the stuff they get in their email.
Personally, I think virus scanners are generally a bit "behind the times" in this war. EG. How many scanners have you seen that allow starting up without having to boot the actual OS that's being used, so they can remove a virus without it getting a chance to execute in RAM first? Of these, how many can scan an NTFS file system when started up in that manner? (To my knowledge, only the expensive "Avast BART" product currently offers all of this.) Modern trojan horses and virii are often shutting down the virus scanner processes so scanners can't remove them. They even do such things as prevent "regedit" from running, so you can't just prune them from the registry and reboot. (Of course, so far, many are coded poorly enough so you can just rename regedit to something else and then run it -- but that's bound to change.)
One of the problems with the destruction of files is that it implies this virus author isn't interested in commercial games (as such people want their virus well hidden). Thats worry because they are then not trying to hide within a system (like a well evolved natural virus) but can be quite happy to kill the host.. and all it takes is a bios erase or randomly setting the IDE disk password on all modern IDE hard disks and its factory return time.
The problem is that most AVs do not check password protected zipped attachments, because they can't look inside them they are let through. This is supposed to let people send encrypted stuff through your mail gateway and it will not be deleted. Needless to say this default didn't work for us and we had to change it so that it qurantines suspicous attachemnts.
You always point your finger at the bad guy, but what if the bad guy points his finger at you?