Slashdot Mirror


New Email Worm Squirming Through Windows Users' Inboxes

Trailrunner7 writes "There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending emails containing malicious executables to all of the names in a user's email address book. The worm arrives via emails with the subject line 'Here You Have' or something similar, and the messages contain a link to a site that will download a malicious file to the victim's PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file. From there, it's 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim's Outlook address book."

10 of 473 comments

  1. What do you mean 2001? by Superdarion · · Score: 5, Informative

    What do you mean it's 2001 all over again? I never stopped receiving those. Every once in a while I receive a mail "from a friend", from the friend's address or not, telling me stuff like "Hey, here are the pictures of that party!" or "Have you seen this? I can't believe there are pictures of it!". They all contain links to weird-looking pages which, of course, I never open.

    Sometimes I even receive those mails with URLs that actually contain my email address, like www.thisisnovirus.com/picturesfromlastnight/superdarion.

    From what I can tell, they usually come from my friend's MSN/hotmail's address books.

    1. Re:What do you mean 2001? by afabbro · · Score: 4, Informative

      Along similar lines, people still use Outlook? What if you need to log in from somebody else's box? I'm not a big fan of "web apps for everything", but email is one of those things where a web app makes much more sense than a desktop app.

      Not to defend Outlook, but MS Exchange does come with Outlook Web Access. It provides a web-based interface that provides a web 2.0 interface to Outlook. Probably 90% of what you want to do in Outlook (read/write your mail, set up meetings, contacts, etc.) can be done in OWA. It even degrades nicely for older browsers. It's actually quite a sophisticated webapp...though of course, you're still using Outlook.

      --
      Advice: on VPS providers

  2. Re:Got mimedefang? by gmuslera · · Score: 4, Informative

    The actual file doesn't go in the mail, just the link to download it. mimedefang or antivirus at the mail server doesn't have anything to do with it.

  3. Re:Windows is super! by Anonymous Coward · · Score: 3, Informative

    The actual underlying link is from http://members.multimania.co.uk/yahoophoto/...; sharedocuments.com is a decoy.

  4. Re:The hell? by Skuld-Chan · · Score: 3, Informative

    You can't write files to \windows\system under vista/windows 7 without elevation to administrator. Under XP/2000 as a regular user - ditto.

    That said - there's probably an alarming amount of people who would enter credentials upon getting the elevation prompt on Mac/Windows/Linux after clicking on an attachment or link in their email client.

  5. Re:So that's why the UW mail system went down by 93+Escort+Wagon · · Score: 3, Informative

    You'd think by now UW would have written their own mail client or something.....

    Problem is - those both suck (yes I'm at UW).

    Of course, like many universities, UW now offers hosted Gmail - a much better web option than pine or alpine IMHO. I realize there are security implications using hosted Gmail, but when the other main option is UW servers accessed via Outlook then it's a bit harder to argue about Gmail's security.

    Unfortunately, my department's default mail client is still Outlook. That decision was made by someone who's never used anything BUT Outlook, and so doesn't realize just how behind it is... several of us have argued for Thunderbird (which UW does officially support) but PHB always gives a rambling, incoherent statement against and it doesn't happen.

    --
    #DeleteChrome

  6. Not a worm... by TrancePhreak · · Score: 3, Informative

    This is merely a trojan. A real worm would infect other machines without intervention.
    http://en.wikipedia.org/wiki/Computer_worm

    --
    -]Phreak Out[-

  7. Re:Adobe PDF zero day saved me by bloodhawk · · Score: 3, Informative

    You normally think of PDFs as safe.

    What planet are you from? Have you not seen or heard of the literally dozens of exploits and vulnerabilities constantly flowing from Adobe's readers and file format? They make Microsoft look like Fort Knox.

  8. Re:So that's why the UW mail system went down by Dr_Barnowl · · Score: 3, Informative

    Yes, it is. But you have to download it, save it, set the executable bit, and then run it.

    The core problems in Windows that enable this:

    • The shell decides which file types are executables based on the file name extension
    • The shell, by default, is configured to hide the file name extension from the user
    • The shell trusts executable files to be able to choose their own icon
    • There is no executable bit in the filesystem

    This means files like MyHappyDocumentAndNotAnEvilWorm_pdf.scr can pass themselves off as a PDF file by having a PDF icon, but will be executed as soon as a user double clicks them (because they have the obscure but "executable" extension for screen savers, which are just normal executables).

    On Unix...

    • The shell makes its own mind up about what a file is; it doesn't trust the extension
    • The shell presents a single icon for binary executables, and a single icon for scripts
    • The user has to explicitly set the executable bit on anything they download

    All of which means that they are not so easy to take in with this particular variant of user-exploit.
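The two masquerading tricks this thread describes (the summary's CSRSS.EXE dropped into the Windows directory, and this comment's `_pdf.scr` file wearing a PDF icon) both show up as filename anomalies that a mail gateway or endpoint scan can flag. The following is an added example, not code from Slashdot or any commenter; the sample paths are constructed, and the choice of System32 as the only legitimate home for csrss.exe is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Extensions the Windows shell executes on double-click. .scr (screen savers) is
# included because, as the comment notes, screen savers are ordinary executables.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Tokens that make a name "look like" a harmless document to a user with hidden extensions.
DOCUMENT_HINTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
# Assumption: the only legitimate location of csrss.exe on a normal install.
CSRSS_LEGIT_DIR = PureWindowsPath(r"C:\Windows\System32")


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the name is dressed up as a
    document, e.g. 'party.jpg.exe' or 'MyHappyDocument_pdf.scr'."""
    name = PureWindowsPath(filename).name.lower()
    if "." not in name:
        return False
    stem, ext = name.rsplit(".", 1)
    if "." + ext not in EXECUTABLE_EXTS:
        return False
    # Look at the last token before the real extension: 'report.pdf' -> 'pdf',
    # 'worm_pdf' -> 'pdf'. A plain 'setup.exe' yields 'setup' and is not flagged.
    tokens = [t for t in re.split(r"[._\- ]+", stem) if t]
    return bool(tokens) and tokens[-1] in DOCUMENT_HINTS


def csrss_out_of_place(path: str) -> bool:
    """True when a file named csrss.exe sits anywhere other than System32."""
    p = PureWindowsPath(path)
    if p.name.lower() != "csrss.exe":
        return False
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    return p.parent != CSRSS_LEGIT_DIR


def scan(paths):
    """Return (path, reason) for every path that trips either heuristic."""
    findings = []
    for p in paths:
        if csrss_out_of_place(p):
            findings.append((p, "csrss.exe outside System32"))
        elif is_disguised_executable(p):
            findings.append((p, "executable disguised as a document"))
    return findings


# Constructed sample inventory: one legitimate csrss.exe, one dropped copy, two lures, one real PDF.
SAMPLE_PATHS = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\csrss.exe",
    r"C:\Users\alice\Downloads\MyHappyDocumentAndNotAnEvilWorm_pdf.scr",
    r"C:\Users\alice\Downloads\party_photos.jpg.exe",
    r"C:\Users\alice\Downloads\quarterly_report.pdf",
]
```

Running `scan(SAMPLE_PATHS)` flags the dropped csrss.exe and the two lures and leaves the genuine system binary and the real PDF alone.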

  9. Re:Dealing with this mess... by don_carnage · · Score: 3, Informative

    The main point of physically visiting each machine was to leave a note stating, "Do not turn on this machine until further notice." It's all fine and dandy that you shut them down remotely, but how do you prevent the user from coming in the next day and turning the machine back on?