Slashdot Mirror


New Worm Starts Munching MSN Users

Kosmik writes "It appears that MSN has been struck by a vindictive new worm, according to security company Panda Software. The worm, acting in the vein of movies like the Ring and FearDotCom, delivers a fateful terror message and then proceeds to disable most of your protection software like anti-virus, firewalls and even your Windows control apps (TaskManager, Regedit). It distributes itself to all your MSN contacts by sending a video called 'Fantasma.'"

37 of 168 comments

  1. GAIM by eldavojohn · · Score: 3, Insightful

    So I connect to the MSN network but through a nice free little app called GAIM.

    My friends often try to send me files or pictures or videos through the MSN network and it doesn't work. They get annoyed and tell me to "just use MSN." I'm told that GAIM is stupid & crappy for not supporting these features.

    Really makes you wonder if the people who developed gaim couldn't figure out how to make the videos/pictures stream through the chat box ... or if it was a design decision by choice to avoid hidden viruses that the codecs unpack in the media files. Probably the latter.

    GAIM also works on a number of other chat networks--as chat clients should. Another thing about chat clients is that they should stick to limited functionality. There are way more secure ways to transfer files. I don't want a profile, I don't want it integrated with my operating system (married to the kernel), I don't want media streaming, I just want to chat.

    Don't bloat your software.

    --
    My work here is dung.
    1. Re:GAIM by CSZeus · · Score: 5, Informative

      Seeing as Gaim is in the process of working on what they call their vv module (the v's standing for voice and video), I don't think it was as much of a security-driven choice as it was a time-driven choice. That or they've had a change of heart, whichever you deem more likely ;)

    2. Re:GAIM by Krojack · · Score: 2, Insightful

      BTW the file sending does work.. It's just slow as crap because GAIM somehow can't do a client-to-client direct connect and must send the files through the MSN servers. This causes all file transfers to run = 5k/sec. From what I read it will never support the direct connect. I don't get it and I'm no C programmer but I think it's annoying. However the other features in GAIM outweigh all other reasons for using MSN Messenger.

    3. Re:GAIM by foamrotreturns · · Score: 2, Informative

      You make good points, but you missed a few things.
      First of all, GAIM should try to support the features that the native client supports. It's designed to be a total replacement solution, so intentionally leaving features out is a no-no. However, GAIM is a plugin-based program, so if the dev team wants to keep the focus of the development on the core functionality and leave it up to the community to develop a file transfer plugin, that would be OK too.
      Next, the idea of a native client supporting more than one network goes completely against the business model that they developed the program to follow:
      1) Make free IM product
      2) Make it easy to use
      3) Put ad support in
      4) Charge for ad space
      5) Profit!
      If they allowed their client to connect to other networks, they destroy their switching costs. Can you imagine what would happen if a complimentary copy of Jasc Paint Shop Pro came with your Adobe Photoshop? Sure, most people would stick with Photoshop, but some people might switch, which would steal Adobe's business. To conclude, interoperability is not in the best interests of the companies who operate the networks, unless they merge.
      To solve your problem, you and your friends should set up an SFTP server and use that for file transfers. If your friends get all whiny about you not being able to receive files, just tell them that you'll be the one shaking your head when they get a virus.

    4. Re:GAIM by CSZeus · · Score: 5, Informative

      "Gaim 2.0.0 beta 2 does not include voice or video ("vv") support for any protocols. We've done some work toward vv compatibility for Google Talk, but it isn't ready for the general public yet. It is unlikely this will change for the final release of Gaim 2.0.0, but vv will be a primary focus for the next major release of Gaim after that." (emphasis mine) As per their news page circa January, 2006 (link)

    5. Re:GAIM by FireFury03 · · Score: 2, Informative

      From what I read it will never support the direct connect. I don't get it and I'm no C programmer but I think it's annoying.

      Direct client-to-client connections are fraught with firewall/NAT traversal problems. That said, Jingle and SIP support both require client-to-client RTP connections (NAT discovery is done through STUN), so it's possible direct file transfer will be implemented then.

    6. Re:GAIM by cag_ii · · Score: 5, Insightful

      I just want to make sure I'm clear on what your point is. You are suggesting that not being able to transfer files via GAIM is a feature and not a bug?

    7. Re:GAIM by Mister+Whirly · · Score: 2, Funny

      "How many bad viruses would it take to get rid of this trend?"

      Not even an infinite amount of the worst viruses could stamp out basic human stupidity. Like death and taxes, it is just inevitable...

      --
      "But this one goes to 11!"
    8. Re:GAIM by compro01 · · Score: 2, Insightful

      Educating the public is cheaper than patching the problem.

      you obviously under-estimate the difficulty of educating the average computer user.

      here's a little proverb in reply "Ignorance can be cured, but stupid is forever."

      --
      upon the advice of my lawyer, i have no sig at this time
    9. Re:GAIM by FireFury03 · · Score: 2, Interesting

      Or, just get IPv6 to work. It's a panaceum for all NAT-related problems -- it fixes them by just removing the damn thing and restoring IP to work the way it was designed.

      I already have an IPv6 network - have done for years. But you don't actually expect a clueless MSN user who wants to send you a file to have IPv6 do you? Also, if you want to do SIP you have the problem that one of the more major VoIP projects, Asterisk, has no support for IPv6 at all.

      Hell, every transitioned user is a step towards getting rid of IPv4, and that's a noble deed.

      I agree, however, IPv6 has one major roadblock which will stop its adoption in the near future: There are no consumer grade DSL routers in existence that do IPv6. This basically means it's impossible to do native IPv6 or 6-to-4 in most setups (the router is the only thing with a global scope IPv4 address)*.

      (* You can of course get one of the Linksys routers, flash it with WhiteRussian and set that up to do IPv6 either natively or 6-to-4, but that's beyond most users. I'm quite disappointed that despite Cisco's stance on IPv6, none of their Linksys DSL routers seem to support it with the official firmware.)

      That said, there is apparently some interesting IPv6 stuff in Vista, so maybe that'll push things in the right direction.

    10. Re:GAIM by Solosoft · · Score: 2, Informative

      I wrote up a little thing on setting up IPv6 using Hurricane Electric's Tunnel broker. It uses RADVD and a little script I assembled, works like a charm.

      Here is the page on using a WRT and DD-WRT for IPv6

      Of course if I wasn't so lazy I would have a completed guide on setting that up without Samba ... you can of course simply take the script and put it in the nvram (minus the comments of course) and it works just the same. I've been using it on a tunnel now for a few months and have had 0 problems. All operating systems on my network just automatically work with the 6bone. In Windows XP just type "ipv6 install" and it installs the v6 stuff (ping6, tracert6 etc etc) and in linux "modprobe ipv6" should do the trick. If you have a wrt and dd-wrt or one of the linux versions you should look into it. Once it's set up on the router it's easy as one command to set up on your clients. He.net lets you set the reverse DNS too which is kinda cool for IRC (EFnet and freenode support IPv6 and tons more) even my own IRC network and website now support IPv6. Is it useful? Hell no ... but knowing that I'm one step ahead of most of the world is kinda nice.

      btw if you're interested IRC to solosoft.org port 6667 and it should connect using IPv6 (#Solosoft if you want to chat I guess I'm guk :)) or visit http://solosoft.org to see IPv6ness in use (the website WILL not work if you don't have IPv6 working). It's more or less something fun to do and something a little neat to set up. The thing that gets me the most is that it's a simple residential router doing what a very expensive router does.

  2. Payload by gEvil+(beta) · · Score: 5, Funny

    "on the 1st day you get scared, on the 2nd you get desperate, on the 3rd you look for help and on the 4th you die"

    Panda did not provide information about the payload of the BlackAngel.B worm.


    I think it's pretty clear what the payload is. Somebody better get a fix out for this quick...Like in the next 2 or 3 days!

    --
    This guy's the limit!
  3. Miranda by golemwashere · · Score: 2, Informative

    Or on windows, you could try Miranda
    http://www.miranda-im.org/

    1. Re:Miranda by CastrTroy · · Score: 3, Informative

      Or you could just use GAIM for windows.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  4. Fantasma Vs Fantasma by eldavojohn · · Score: 4, Funny
    It distributes itself to all your MSN contacts by sending a video called 'Fantasma.'
    Not to be confused with the Spanish release of the film "Ghost" starring Whoopi Goldberg, Patrick Swayze, Demi Moore and a rotating lump of clay (possibly the only bearable thing in the movie).

    A CNN poll taken recently showed that 98.1% of US citizens would rather have the MSN virus on their computer instead of the 1990 film in Spanish.

    It's so unfortunate that we haven't invented the technology to "unwatch" films yet.
    --
    My work here is dung.
  5. So what is new already? by nietsch · · Score: 2, Insightful

    The only certainties in life are taxes and death, but it seems that it should be amended for windows users with virus/worm infections.

    So, did you pay taxes lately?

    --
    This space is intentionally staring blankly at you
  6. Trillian, and regedit... by ursabear · · Score: 3, Insightful

    A trojan/virus/etc. that disables regedit and the task manager - and monkeys with files. This is not A Good Thing.

    Many corporations support MSN Messenger only. Given a choice, however, I'm very fond of Trillian Pro 3. I found the license price for Trillian to be quite reasonable, considering its flexibility, stability, and the fact that (so far, fingers crossed) it has not been subject to attacks such as this.

  7. so going to happen by Kenshin · · Score: 5, Funny

    This is so going to happen to my sister, and I am so not going to fix her computer this time.

    Remember kids, don't constantly insult the person who fixes your computers.

    --

    Does it make you happy you're so strange?

  8. Bonus points for character by Rob+T+Firefly · · Score: 3, Interesting

    I don't much approve of destructive viri, but if they're going to be out there, they might as well have a little character to them. Who needs yet another boring old "spams your address book and erases your HD" routine when you can be 0wned by something just a bit more interesting?

    Reminds me of the good old days of "gimme a cookie."

    1. Re:Bonus points for character by Anonymous Coward · · Score: 2, Insightful
      'Virii' isn't a word.

      neither is 'pedantoknob,' you pedantoknob.

  9. Here's a hint... by WalterGR · · Score: 4, Funny

    From the article:

    To be impacted with the worm, users have to actively download the code. Messenger conversations initiated by the worm carry texts like "jaja look a that" or "mira este video" as well as a web address from where it is downloaded.

    Ummmm... here's a hint: if somebody sends you a random URL to an executable, don't run it!

    The More You Know

    1. Re:Here's a hint... by DigitalGodBoy · · Score: 2, Funny

      But there might be candy on the other side! And everyone loves candy!

      --
      "liberty and justice for all those who can afford it"
  10. Fururama? by awhelan · · Score: 4, Funny

    a video called 'Fantasma.'

    Anyone read this quickly as 'Futurama'?
    Normally I will question the brain of anyone who clicks a link without confirming with the person who sent it that it's not a virus, but all my friends know I love futurama clips.
    Good news everyone, I can be socially engineered.

  11. How does it reproduce? by Spy+der+Mann · · Score: 2, Interesting

    Through a vulnerability in MSN messenger, or is it just the usual "click here to get infected" method?

  12. What are you talking about? by SmallFurryCreature · · Score: 5, Insightful
    As far as I read it this doesn't have anything to do with "bad security" just "bad users". You have to download the code and execute it.

    Lots of people complain that P2P is unsafe because it carries viruses and what not. So how come I have never been infected?

    Obviously it is because of my enormous intellect that makes Einstein look stupid and think that a 15mb .exe file claiming to be a movie is suspicious.

    Yes granted the recent WMF crap showed us that if you use MS software any file extension is under suspicion and the design choice by MS to hide the extension by default must rank as one of their most stupid ones (then again this is ms, they make so many it is hard to determine which one was their worst).

    But GAIM does not protect you from being stupid. Nothing does. Just that if you went through the trouble of installing GAIM on a Non-MS machine, or if you are on a MS-machine deliberately disabled MSN and installed GAIM, then you are probably not that stupid.

    It ain't GAIM that is keeping you safe, it is your brain. Trust me on this, I've been around long enough to know people will do anything to get infected. Just promise them a juicy picture. We have about the same chance of stopping computer infection as we have of stopping Sexually Transmitted Diseases. When Miss Jpeg flirts with you, you don't think of using a condom. (Oh and using a condom isn't enough, deep kissing can do it too. How many of you practising safe sex make sure no fluids whatever are swapped?)

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:What are you talking about? by Mister+Whirly · · Score: 4, Funny

      "How many of you practising safe sex make sure no fluids whatever are swapped?"

      This is Slashdot, where safe sex means you have a firewall between you and the porn site...

      --
      "But this one goes to 11!"
    2. Re:What are you talking about? by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      As far as I read it this doesn't have anything to do with "bad security" just "bad users". You have to download the code and execute it.

      I strongly disagree. Windows fails to make it clear to most users that this is a program, not a movie. That is a security failing of Windows. By default Windows lets any program, even if it has never run before, do anything it wants to. This is a security failing. By default programs should be limited and users should have to explicitly grant the right to do things like connect to the internet, and especially to do suspicious things like read your MSN buddy list.

      The problem is not that users are stupid, it is that software is poorly designed. By default why should the OS let random programs read my MSN buddy list? How many that aren't worms need to do that? It is a stupid choice, given the current state of Windows malware.

      First, fix the OS. Make sure users know what is software and what is data, then restrict all of it by default. Fix the UI so users aren't conditioned to constantly click "OK" for vague or useless reasons. Give them real, informed choices and the power to do whatever they want, but only if they are expecting it and only the exact functions they want. Once that is solved and the automated exploits are locked out, you can complain about stupid users. Until then, stop denying the problem because you have been trained to work around it.

    3. Re:What are you talking about? by mpe · · Score: 3, Interesting

      First, fix the OS. Make sure users know what is software and what is data, then restrict all of it by default.

      Also so that the OS knows what is software and what is data. e.g. if an executable has been disguised as an AVI then the best thing to do is try (and probably fail) to play it as an AVI. As opposed to displaying a file with an icon indicating it is one type of file then when it is selected to be opened looking at whatever is actually in the file to decide how to open it.
      Effectively Windows likes to play "bait and switch" with file types.
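
The name-versus-content check that the comments above ask of the OS (and the hidden-extension default criticised further up the thread), sketched as an added example; it is not code from the thread or from any Windows component. The extension lists, verdict labels and sample file names are assumptions chosen for illustration.

```python
import struct
from pathlib import PureWindowsPath

# Extension -> content kind the extension promises (a small constructed subset).
MEDIA_KIND = {".avi": "avi", ".wmv": "asf", ".mpg": "mpeg", ".mpeg": "mpeg", ".mp4": "mp4"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")


def sniff(data: bytes) -> str:
    """Classify content from its leading bytes only; the file name is ignored."""
    if data[:2] == b"MZ":
        # A PE image stores the offset of its "PE\0\0" signature at 0x3C.
        if len(data) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe-executable"
        return "dos-executable"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:16] == ASF_GUID:
        return "asf"
    if data[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return "mpeg"
    if data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def verdict(filename: str, data: bytes) -> str:
    """Compare what the name promises with what the bytes are."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    if kind.endswith("executable") and last not in EXEC_EXTS:
        return "exec-as-data"          # program behind a data-file name
    if last in EXEC_EXTS:
        # With "hide extensions for known file types" on, a.avi.exe shows as a.avi.
        if len(suffixes) > 1 and suffixes[-2] in MEDIA_KIND:
            return "double-extension"
        return "executable"            # honest name: tell the user it is a program
    if last in MEDIA_KIND and kind != MEDIA_KIND[last]:
        return "type-mismatch"         # not a program, but not what the name claims
    return "ok"


def make_pe_stub() -> bytes:
    """Constructed sample: the minimum bytes sniff() needs to see a PE image."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"


def make_avi_stub() -> bytes:
    """Constructed sample: RIFF container header with the AVI form type."""
    return b"RIFF" + struct.pack("<I", 4) + b"AVI "


if __name__ == "__main__":
    samples = [("Fantasma.avi", make_pe_stub()), ("Fantasma.avi.exe", make_pe_stub()),
               ("setup.exe", make_pe_stub()), ("clip.avi", make_avi_stub()),
               ("clip.avi", b"plain text")]
    for name, blob in samples:   # file names are constructed for illustration
        print(f"{name:18} {sniff(blob):14} {verdict(name, blob)}")
```

A mail gateway or download handler would run the same comparison before the file reaches the user and refuse or relabel anything that does not come back "ok".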

  13. this is news ? by Anonymous Coward · · Score: 3, Insightful


    from Panda's webpage

    Countries affected
    España 2.42
    México 2.15
    Perú 0.71
    Chile 0.33

    there are NO English speaking countries affected and the original site which hosted the file is dead (file removed, I looked)
    if today is AV fud promotion day you could at least try and scare us with a virus that affects English speaking countries

  14. Viruses, Taxes (oblig) by mfh · · Score: 3, Funny

    At least death doesn't get WORSE every year!!!

    --
    The dangers of knowledge trigger emotional distress in human beings.
  15. Shock horror, virus writers target MSN by 99luftballon · · Score: 2, Funny

    News up next - Ursine defecation in arboreal context and spiritual leader found in Rome.

  16. GAIM is not inherently more secure... by RingDev · · Score: 3, Informative

    In this case the user is clicking on a hyper link in the IM Conversation which uses a web browser to download an external application. If someone on your buddy list sent you this message, it would come through with no problems. You could click the link and download the file with no problems. It could even execute its payload while you are wrapped in your GAIM blanket of security. The only thing that it MIGHT not be able to do is to propagate itself to all of the members of your friends list.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  17. Doesn't make worms less annoying by SanityInAnarchy · · Score: 3, Interesting

    Someone I met online recently sent me this message:

    "I got my MSN names from http://www.im-names.com/ they're free!"

    After getting this person to clarify that it was sent automatically, I said "OK, that's spyware." They said "I don't care." They are now blocked.

    Gaim and some common sense means I'll never actually get the spyware, but it doesn't mean I won't get annoyed by it. After all, remember chain mail? I used to get chain IMs all the time -- "Send this to 25 friends by midnight and something good will happen!".

    Really, the only solution, no matter what your IM client, is to start blocking morons.

    --
    Don't thank God, thank a doctor!
  18. The title is misleading. by cciRRus · · Score: 4, Insightful

    Should be changed to "New Worm Starts Munching MSN Messenger Users". The MSN Messaging network and MSN are two different things.

    --
    w00t
  19. MSN Users... by writermike · · Score: 2, Funny

    *crunch* *crunch* *swallow*

    Hmmm... tastes like chicken.

    --
    If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
  20. Re:Argh those damn kids and their newfangled tech by FireFury03 · · Score: 2, Informative

    Do you also rail against email attachments?

    Having supported a lot of moron users I can say that yes, email attachments are often a very Bad Thing. But mainly in the "when you have a hammer everything looks like a nail" sense. In some cases attachments are a good way of sending someone a file, but the clueless get too used to doing it that way and don't think of the consequences.

    An example I saw a few years ago (which is a whole catalogue of cockups):

    An estate agent did email-shots to prospective house buyers on a weekly basis. This mail shot consisted of an attached Word document containing descriptions and photos of properties. The photos were taken with something like a 2MP camera and they let Word "scale" them (read: the photos were imported in full resolution and then resized so they were still stored in the document at 2MP!). They would then mail-shot this (very large) document to around 500 email addresses. To make things worse, each week they took the last week's document and modified it, and Word in its infinite wisdom keeps metadata about changes so the document got bigger each week.

    By the time I got called in to fix their mail server (which had fallen over under the strain) I discovered several tens of gigabytes of mails queued for sending, many of them weeks old because it was now taking over a week to send the weekly mailings over their ADSL. And of course, almost all the mails were eventually getting bounced by the recipients' mail servers anyway because they were so big.

    What they should've done is paid someone to set up a web site for them with a proper SQL backend to present the data they were mailing out. Clearly the users here were terminally clueless, but the point is that the software they were using made it far too easy to make each and every one of these mistakes.

    So in summary, yes in some cases email attachments are useful, but I worry that they are frequently over-used because people get too comfortable using that feature for everything. Oh, and I don't believe most people have much legitimate need for sending executables over email so they should probably be automagically rejected.

  21. Re:Cornelius Album by kbox · · Score: 2, Funny

    A dial up modem sounds good too... if you are into odd electronic music.