New Email Worm Squirming Through Windows Users' Inboxes

Trailrunner7 writes "There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending emails containing malicious executables to all of the names in a user's email address book. The worm arrives via emails with the subject line 'Here You Have' or something similar, and the messages contain a link to a site that will download a malicious file to the victim's PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file. From there, it's 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim's Outlook address book."

So that's why the UW mail system went down

[WillAffleckUW]

The entire UW mail system died yesterday morning.

Maybe this is why ...

Re:So that's why the UW mail system went down

...the users still haven't learned from the last 9 years of experience...

You mean they haven't learned to stop using Outlook?

Re:So that's why the UW mail system went down

[93+Escort+Wagon]

You'd think by now UW would have written their own mail client or something.....

Problem is - those both suck (yes I'm at UW).

Of course like many universities, UW now offers hosted Gmail - a much better web option than pine or alpine IMHO. I reailze there are security implications using hosted Gmail, but when the other main option is UW servers accessed via Outlook then it's a bit harder to argue about Gmail's security.

Unfortunately, my department's default mail client is still Outlook. That decision was made by someone who's never used anything BUT Outlook, and so doesn't realize just how behind it is... several of us have argued for Thunderbird (which UW does officially support) but PHB always gives a rambling, incoherent statement against and it doesn't happen.

Re:So that's why the UW mail system went down

[SideshowBob]

Devils advocate here: is there any reason why a normal non-technical windows user should be able to run an executable in a directory they are able to write to? Maybe the ipod/ipad approach is better for most people.

Back on topic, what you mention is a very good idea. It's also not new to Apple products at all. That's the approach Unix has used for a long, long time now. Installed programs on a Unix system are generally root-owned and sit in directories that are also root-owned. For a normal user, both the executable and the directory in which it is located is read-only.

It's certainly possible for a Linux user to download an executable to his/her home directory and run it. That was GP's point.

Re:So that's why the UW mail system went down

[Dr_Barnowl]

Yes, it is. But you have to, download it, save it, set the executable bit, and then run it.

The core problems in Windows that enable this ;

• The shell decides which file types are executables based on the file name extension
• The shell, by default, is configured to hide the file name extension from the user
• The shell trusts executable files to be able to choose their own icon
• There is no executable bit in the filesystem

This means files like MyHappyDocumentAndNotAnEvilWorm_pdf.scr can pass themselves off as a PDF file by having a PDF icon, but will be executed as soon as a user double clicks them (because they have the obscure but "executable" extension for screen savers, which are just normal executables).

On Unix...

• The shell makes it's own mind up about what a file is, it doesn't trust the extension
• The shell presents a single icon for binary executables, and a single icon for scripts
• The user has to explicitly set the executable bit on anything they download

All of which means that they are not so easy to take in with this particular variant of user-exploit.

Re:So that's why the UW mail system went down

[tendays]

That's the approach Unix has used for a long, long time now. Installed programs on a Unix system are generally root-owned and sit in directories that are also root-owned. For a normal user, both the executable and the directory in which it is located is read-only.

System-wide programs are stored in directories not writable by normal users, but that doesn't prevent a user from downloading a trojan into his own directory and running it, which is what the parent was talking about.

Unix systems do offer the option to mount /home (and other mount points like /tmp where the user has write access) with -o noexec which would close that issue, but I've never seen a linux distribution that would do that by default, because users expect to be able to run programs they've downloaded without having to jump through hoops.

What do you mean 2001?

[Superdarion]

What do you mean it's 2001 all over again? I never stopped receiving those. Every once in a while I receive a mail "from a friend", from the friend's address or not, telling me stuff like "Hey, here are the pictures of that party!" or "Have you seen this? I can't believe there are pictures of it!". They all contain links to weird-looking pages which, of course, I never open.

Sometimes I even receive those mails with URLs that actually contain my email address, like www.thisisnovirus.com/picturesfromlastnight/superdarion.

From what I can tell, they usually come from my friend's MSN/hotmail's address books.

Re:What do you mean 2001?

[afabbro]

Along similar lines, people still use Outlook? What if you need to log in from somebody else's box? I'm not a big fan of "web apps for everything", but email is one of those things where a web app makes much more sense than a desktop app.

Not to defend Outlook, but MS Exchange does come with Outlook Web Access. It provides a web-based interface that provides a web 2.0 interface to Outlook. Probably 90% of what you want to do in Outlook (read/writeyour mail, setup meetings, contacts, etc.) can be done in OWA. It even degrades nicely for older browsers. It's actually quite a sophisticated webapp...though of course, you're still using Outlook.

Re:The hell?

[al0ha]

Yes and actually Macs are one of them Mr. Snarky.

In the original account set up on your Mac perform the following

cd /
touch testfile
ls -l testfile

Whe-e-e-e-e-e-e!!!!!

Re:The hell?

Are there really people crazy enough to use operating systems released in 2001 in 2010? The answer is the same.

Windows is super!

[CrAlt]

My MS Exchange email box at work filled up with these right before the server died..

Subject: Here you are
--------------
Hello:

This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

Domain Name: SHAREDOCUMENTS.COM

Registrant:
        Worldwide Media, Inc
        Domain Administrator (info@mostwanteddomains.com)
        Po Box 129
        Highlands
        North Carolina,28741
        US
        Tel. +001.8132675600
        Fax. +001.9543370351

Creation Date: 09-Oct-2003
Expiration Date: 09-Oct-2011

Domain servers in listed order:
        ns17.this-domain-is-4-sale.com
        ns17.mostwanteddomains.com

-----------------

Re:Windows is super!

The actual underlying link is from http://members.multimania.co.uk/yahoophoto/... sharedocuments.com is a decoy

Re:Got mimedefang?

[gmuslera]

The actual file don't go in the mail, just the link to download it. mimedefang or antivirus at the mail server don't have anything to do with it.

Re:The hell?

[tepples]

Are there really people crazy enough to use operating systems released in 2001 in 2010?

Are there really people crazy enough to play video games released in 1980s in 2010? If a 2001 OS is the only thing that will run your application properly, you run the 2001 OS.

Re:The hell?

[Skuld-Chan]

You can't write files to \windows\system under vista/windows 7 without elevation to administrator. Under XP/2000 as a regular user - ditto.

That said - there's probably an alarming amount of people who would enter credentials upon getting the elevation prompt on Mac/Windows/Linux after clicking on an attachment or link in their email client.

Re:Adobe PDF zero day saved me

[archmcd]

I haven't thought of PDF's as safe in a couple years now.
http://www.computerworld.com/s/article/9176117/PDF_exploits_explode_continue_climb_in_2010

Not a worm...

[TrancePhreak]

This is a merely a trojan. A real worm would infect other machines without intervention.
http://en.wikipedia.org/wiki/Computer_worm

Re:Umm.. nope.

[BenoitRen]

The grandparent was talking about Macs, smartass.

Re:Adobe PDF zero day saved me

[bloodhawk]

You normally think of PDF's as safe.

What planet are you from? have you not seen or heard of the literally dozens of exploits and vulnerabilities constantly flowing from Adobe's readers and file format? they make microsoft look like fort knox.

Re:Three things

[joeyblades]

Unlike Apple, other companies don't force you to stop using an OS after a couple years.

Huh? Ummm... I have a G3 Gossamer, purchased in 1997, running OS 9 since 1999, that is still going strong... still running Mac OS 9. Apparently I escaped under Apple's merciless radar because they have not forced me to stop using it. It's still a rock solid machine and I sometimes still use it to run some old PowerPC software and (get this) I can still run some 68000 software in emulation mode.

And for the record, I know you were really trying to make a statement about OS support, but I couldn't let you get away with rewriting history:

• Windows 95 was supported for less than 3 years.
• Windows NT was only supported for 4 years.
• Windows 2000 was only supported for 5 years.
• Windows XP has only been supported for this long because Microsoft screwed the pooch. If Vista would have come out sooner and if Vista wouldn't have been such a bomb and if Microsoft could make their new OSes support the tons of enterprise software that currently depends on XP, XP would be long dead.

Re:Dealing with this mess...

[don_carnage]

The main point of physically visiting each machine was to leave a note stating, "Do not turn on this machine until further notice." It's all fine and dandy that you shut them down remotely, but how do you prevent the user from coming in the next day and turning the machine back on?

Re:It's not

[MrSenile]

It seems? So you're basing these comments off of something, rather than blowing hot air? I would love to see some examples of these mysterious and unexpected UAC prompts. SInce you've never used Windows 7, I'm sure this will be a hard request.

I find a lot of games and some applications (mostly window tool applications like spybot search & destroy) always brings up the UAC. It'd be nice to be able to tag it saying 'yes, I know this application will bring up this prompt, now ignore this one application' without having to raise or lower the security operating system wide, but that's my personal beef with Win 7.

What's the difference? So they have to click instead of entering "123" and you've slowed them down a 10th of a second. And seriously, this is the Linux user's solution to a user problem? Modify the behavior by making the UI a pain in the ass and pissing the user off? No wonder no one uses your OS.

And I'm assuming you've used this OS to compare what he's saying or are you taking someone else's word for something without first hand experience? You know, like you've accused the other guy of doing? Just curious.

I'm sorry, root can do absolutely ANYTHING to a Linux machine. If a user is convinced (through way of enticing screensaver) to give a malicious piece of code root access, what exactly is stopping it from destroying the system? Also for most users destroying home is equivalent to destroying the system.

You've obviously not used Linux. LIDS, ACL's, SELinux, and many other tools, including, but not limited to chroot jails, allows you to lock down a system, even from root, from specific areas. While I'm sure Windows has similiar 'tools', especially in a networked environment where you can set up security policies, the fact that you said Linux can be configured to allow 'root to do absolutely ANYTHING to a Linux machine' is a fallacy and you need to retract that statement. Your opinion is flawed. Perhaps because like you accused someone else, you've not used Linux enough to draw conclusions?

Because we all know Linux is bug free

This was a stupid statement. Nothing is bug free. You're obviously trolling, but at least Linux seems to address bugs, generally (but not always) faster than the Windows counterpart. And yes, there's several links to confirm that, and no, I'm not going to bother repeating other slashdot topics to feed you.

If you had even bothered to use Windows 7, you wold know it's stable, fast, secure, and a pleasure to use. At least that's the general consensus. Of course you should actually, I don't now, USE the software before you critique it. I still can't believe you're basing these assertions from your experience with pre-SP1 XP

Oh agreed, it's more stable than XP, but as I've had it bluescreen a few times, sometimes with similiar screens as XP (like the NOT_LT_OR_EQ bs), or have explorer crash on me asking me kindly if I want to send the bug report to Microsoft (I do of course), the fact your global comment of 'stable' is flawed. More stable than XP, yes. Stable globally? No.

Fast, yes, it's faster. But on the same hardware that XP ran 'fast' on it's actually a touch slower. It needs better video and better CPU to actually run 'faster'. Does this obviously by better threading, better memory management, and streamlined I/O. Only took them 20 years to do it right (or at least 'better'). So while overall, yes, it IS faster, this is also bias based on the hardware you run it on.

Secure? The security is about equal to Win 2008 server for security, which while a great improvement over other windows, is still, frankly broken at the object layer allowing viruses (like flash viruses, email viruses, etc) to propigate quite nicely. The fact that other operating systems have less (or no) real viruses, while enjoyable, is moot. The fact is Windows still does, thus, shoots th