Umm, you can't do that - I think I first saw the relevant paradox in Ralf Burger's book on viruses and it goes something like this:
Say you've got some blackbox routine called is_a_virus() that does just what these guys claim; all you do is build it into a virus like so:
*ROTFLMAO* I'm sorry, but there is so much in this document to laugh at. As laughter is good therapy, here's the entire thing potted into a syringe-sized dose:
"THIS BETA...SHOULD BE DEPLOYED ONLY ON MACHINES THAT CAN BE REFORMATTED AFTER TESTING WITHOUT SERIOUS CONCERNS."
A nice starter - you know you're in Microsoft's hands now!
"This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook."
Absolutely! Keep telling us there's nothing wrong with Outlook and maybe we'll believe you someday.
"Certain functionality in Office may be impacted by this update."
What does that mean? Let's follow the link
"Palm, Windows CE devices (PDAs) have synchronization issues. These include: Syncing with the Inbox displays a prompt and then fails. This is under investigation."
Ah, that's not a bug, it's 'impacted functionality'. Let me add that to my excuses list.
"Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files..."
Such as elm/pine/Eudora/Netscape Messenger...
"Level 2 security contains only one file type by default: .ZIP files. If a message contains a .ZIP attachment, you are prompted to save the file to disk if you try to open it."
Ignoring the fact that in Microsoft's world there is only one type of archive - have you noticed how MS deem it okay for you to open it elsewhere, just not near Outlook? What are they trying to hide?
"This update...was not created to address a security vulnerability within Outlook."
Ah, yes - so you said. And you know what, I almost believe you...
Something that provided file access to the machine was my hunch - particularly given the worm goes to great lengths not to delete MP3 files (it sets them as hidden) even though it's happy to trash all the other files it goes after.
Obviously Napster just isn't good enough for some script kiddie out there. ;)
Okay, given a lot of the notices I've seen on this worm so far seem to be inaccurate, here's the rundown:
Files created/edited:
MSKernel32.vbs [created in System folder, copy of worm]
Win32DLL.vbs [created in Windows folder, copy of worm]
LOVE-LETTER-FOR-YOU.TXT.vbs [created in System folder, copy of worm]
LOVE-LETTER-FOR-YOU.HTM [created in System folder, web page with worm embedded in it]
WIN-BUGSFIX.exe [downloaded into default IE download folder]
WinFAT32.exe [created in System folder by WIN-BUGSFIX32.exe, unknown purpose]
*.vbs, *.vbe [overwritten with copy of worm]
*.js, *.jse, *.css, *.wsh, *.sct, *.hta [deleted, replaced with copy of worm with name <filename>.vbs]
*.jpg, *.jpeg [deleted, replaced with copy of worm with name <filename>.<ext>.vbs]
*.mp3, *.mp2 [hidden attribute set, copy of worm with name <filename>.<ext>.vbs created]
script.ini [if found in a directory with mIRC, overwritten with a script to output the HTML version of the worm to other users]
Registry keys created/edited:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 [created to run MSKernel32.vbs]
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL [created to run Win32DLL.vbs]
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page [altered to attempt to download WIN-BUGSFIX.exe on browser startup]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX [created to run WIN-BUGSFIX.exe once downloaded]
HKCU\Software\Microsoft\WAB\... [one entry per address book entry plus a running total used during email propagation]
From all this you can work out the basic intention of the worm. It spreads via email propagation to everyone in your address book and by being sent via mIRC to other users. It maintains its hold on a machine by putting copies of itself in the Run and RunServices registry folders and by copying itself to files that look like existing files on the machine (presumably hoping the user has Hide Known File Extensions enabled).
I'm not sure about the .exe it attempts to download (other than its marker) because all the traffic has taken the target server the file is held on (www.skyinet.net) down.
Other info: the file originates in Manila, Philippines according to comments in the worm, the email title it uses is 'ILOVEYOU' and the email text reads 'kindly check the attached LOVELETTER coming from me.'
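An added example, not part of the original comment: a Python triage pass that matches the file names, the <filename>.<ext>.vbs naming pattern and the Run/RunServices value names from the rundown above against a file listing and a registry export. The sample paths and registry entries are constructed, and the function names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# File names and Run value names from the rundown above (lower-cased).
DROPPED_FILES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe",
}
RUN_VALUES = {("run", "mskernel32"), ("runservices", "win32dll"),
              ("run", "win-bugsfix")}
# <filename>.<ext>.vbs copies left beside or in place of media files.
MASQUERADE = re.compile(r"^(?P<orig>.+\.(?:jpe?g|mp[23]))\.vbs$", re.IGNORECASE)

def triage_files(paths):
    """Return sorted (path, reason) findings for a list of Windows paths."""
    present = {p.lower() for p in paths}
    findings = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        m = MASQUERADE.match(p)
        if name in DROPPED_FILES:
            findings.append((p, "dropped file named in rundown"))
        elif m:
            # .mp3/.mp2 originals are hidden, not deleted, so they may still
            # be in the listing; .jpg/.jpeg originals are gone.
            kept = m.group("orig").lower() in present
            findings.append((p, "copy beside original" if kept
                             else "copy replacing original"))
    return sorted(findings)

def triage_run_keys(entries):
    """entries: (registry key path, value name) pairs from a registry export."""
    return [(k, v) for k, v in entries
            if (k.rstrip("\\").rsplit("\\", 1)[-1].lower(), v.lower()) in RUN_VALUES]

# Constructed sample data, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"C:\My Documents\holiday.jpg.vbs",
    r"C:\Music\track01.mp3",
    r"C:\Music\track01.mp3.vbs",
]
SAMPLE_RUN = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "MSKernel32"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SystemTray"),
]
if __name__ == "__main__":
    print(triage_files(SAMPLE_PATHS), triage_run_keys(SAMPLE_RUN))
```

Name matching alone cannot flag the <filename>.vbs copies that replace .js, .css and similar files, since those look like ordinary scripts; those need a content comparison against a known copy of the worm.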
I've always been a fan of Perl because it maps to the way I think - when I concoct solutions in my head, I think in the same kind of atomic units that Perl (and Tcl, for that matter) uses.
The problem here is that writing a Perl book designed specifically to shoehorn a C-thinking (or worse yet a VB-thinking) mind into a Perl-mindset is never going to hit the mark. Ultimately, to make that transition, you have to be willing to ditch a lot of the coding intuition that you've built up.
The Camel Book understands this and starts by teaching the lesson of TMTOWTDI and by belting you with regexps as soon as it possibly can. A book that tries to mollycoddle and tell you you don't need to rethink your coding strategy is probably never going to tap the full potential of Perl.
Oh, and I'd hope no Perl hacker worth their salt has ever used ++@_[0]; - but then, I suppose
s/([\000-\037"&<>\177-\377])/'&#'.ord($1).';'/ge;
is confusing enough for non-Perl-thinkers. ;)