
New Email Worm Squirming Through Windows Users' Inboxes

timothy posted more than 3 years ago | from the vermicide-delicious dept.


Trailrunner7 writes "There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending emails containing malicious executables to all of the names in a user's email address book. The worm arrives via emails with the subject line 'Here You Have' or something similar, and the messages contain a link to a site that will download a malicious file to the victim's PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file. From there, it's 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim's Outlook address book."


473 comments

Apples (4, Funny)

sexconker (1179573) | more than 3 years ago | (#33528096)

I thought worms were found in apples.

So that's why the UW mail system went down (2, Informative)

WillAffleckUW (858324) | more than 3 years ago | (#33528114)

The entire UW mail system died yesterday morning.

Maybe this is why ...

Re:So that's why the UW mail system went down (4, Insightful)

causality (777677) | more than 3 years ago | (#33528166)

The entire UW mail system died yesterday morning.

Maybe this is why ...

It's an instance of the reason why. The actual reason is that the users still haven't learned from the last 9 years of experience. The only bad thing is that their stupidity is not self-contained and can affect the networks and computers of others. I say that because this time, it isn't really a technical flaw in Windows since I don't see any reports of the e-mail attachments being automatically executed. This is more like a social engineering attack. It's one that is not remotely new and has provided numerous examples that the even slightly clueful have already learned from.

Re:So that's why the UW mail system went down (5, Insightful)

MichaelSmith (789609) | more than 3 years ago | (#33528256)

Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to? Maybe the iPod/iPad approach is better for most people.

Re:So that's why the UW mail system went down (5, Insightful)

causality (777677) | more than 3 years ago | (#33528486)

Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to? Maybe the iPod/iPad approach is better for most people.

I have no idea why you were modded "Troll" except that some people have an irrational oversensitivity to any mention of the iPod or iPad. They should get the fuck over it, to be direct about it.

Back on topic, what you mention is a very good idea. It's also not new to Apple products at all. That's the approach Unix has used for a long, long time now. Installed programs on a Unix system are generally root-owned and sit in directories that are also root-owned. For a normal user, both the executable and the directory in which it is located is read-only.

The problem with Windows is the vast amount of software that is poorly designed and wants Admin privileges even though it could be designed to carry out its task without them. This has trained the more point-and-drool type of user (the majority who gravitate to this platform) to just click away any dialogs without seriously questioning why a program is requesting extra access. That is, of course, assuming they are running as a non-privileged user in the first place.

The iPhone (I assume you don't intentionally refer to an mp3 player) approach is more like "you don't need root for anything, let us manage that". The Unix approach is more like "programs don't expect to have root privileges without a very good reason, like your package manager for example". In both cases an e-mail client would be run as a normal user. I'm not so familiar with the inner workings of an iPhone but at least on Unix and Unix-like OSs, the binary executable file would also reside in a root-owned directory not writable to any normal user. Combine that with the generally more clueful user base and it's easy to understand why Unix/Unix-like users just don't have these problems.

Re:So that's why the UW mail system went down (1)

DragonWriter (970822) | more than 3 years ago | (#33528556)

Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to?

Normal, non-technical Windows users often own their own machines; consequently, yes, they should be able to run an executable in a directory they are able to write to.

Re:So that's why the UW mail system went down (3, Insightful)

causality (777677) | more than 3 years ago | (#33528702)

Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to?

Normal, non-technical Windows users often own their own machines; consequently, yes, they should be able to run an executable in a directory they are able to write to.

It's not so much about whether you should be allowed to do with your own property what you wish. Of course you should. It's more like the security model of capabilities. If there is no good reason to allow something to happen then it is better security not to allow it.

This breaks down in Windows because Windows does not have a centralized package manager that handles both the installation and the uninstallation of all new software. The proprietary nature of most Windows software would preclude such a thing. A Linux user can have the full use of their system without ever having to directly download a binary executable and then run that executable just to install or use a piece of software. Instead, they have package managers and repositories which have all but eliminated the issues of third-party malware.

By contrast, on Windows it is far more common to directly download an "Installer.exe" file and then run that installer in the directory into which it was downloaded and with the elevated privileges needed to install software. That introduces problems when such executables come from untrustworthy sources. Introducing undetected malware into a Linux repository is much more difficult and thus has occurred far less frequently than the much easier task of conducting a social engineering attack against a user of an e-mail client.

The way things are done on Windows makes it far more prone to these attacks. The fact that the average Windows user is much less knowledgeable than the average *nix user compounds the problem. That's why you have attacks that are about nine years old that are still successful, which is really quite pathetic.

Re:So that's why the UW mail system went down (-1, Troll)

Sir_Lewk (967686) | more than 3 years ago | (#33528574)

Devil's advocate here: is there any reason why normal non-technical people should be using computers?

There, fixed that for you. If people can't be bothered to learn how to use computers, then they should stay the fuck away from computers.

Re:So that's why the UW mail system went down (2, Insightful)

binarylarry (1338699) | more than 3 years ago | (#33528708)

I think a better route would be make that the default method/policy and make it hard for the average user to it.

That would sit better with me than the Apple "We fucking own you" approach that requires you to physically hack the product you just "bought."

Sandboxie: 29 EUR (1)

tepples (727027) | more than 3 years ago | (#33528262)

The actual reason is that the users still haven't learned from the last 9 years of experience.

The other reason is that Windows still doesn't include an easy point-and-click tool to make a jail in which to run an untrusted app. If Windows had this, people wouldn't have to spend 29 EUR on Sandboxie.

Re:So that's why the UW mail system went down (1, Informative)

Anonymous Coward | more than 3 years ago | (#33528452)

...the users still haven't learned from the last 9 years of experience...

You mean they haven't learned to stop using Outlook?

Re:So that's why the UW mail system went down (5, Interesting)

Annorax (242484) | more than 3 years ago | (#33528616)

No, it's more of the fact that "a sucker is born every minute" or more along the lines of every millisecond.

The college freshmen of today never experienced the "2001 all over again", so they are ripe for the pickings of email bombs that look "old hat" to old farts like us.

Re:So that's why the UW mail system went down (1)

morgan_greywolf (835522) | more than 3 years ago | (#33528392)

You'd think by now UW would have written their own [washington.edu] mail client [washington.edu] or something.....

Re:So that's why the UW mail system went down (3, Informative)

93 Escort Wagon (326346) | more than 3 years ago | (#33528502)

You'd think by now UW would have written their own [washington.edu] mail client [washington.edu] or something.....

Problem is - those both suck (yes I'm at UW).

Of course like many universities, UW now offers hosted Gmail - a much better web option than pine or alpine IMHO. I realize there are security implications using hosted Gmail, but when the other main option is UW servers accessed via Outlook then it's a bit harder to argue about Gmail's security.

Unfortunately, my department's default mail client is still Outlook. That decision was made by someone who's never used anything BUT Outlook, and so doesn't realize just how behind it is... several of us have argued for Thunderbird (which UW does officially support) but PHB always gives a rambling, incoherent statement against and it doesn't happen.

Re:So that's why the UW mail system went down (1)

WillAffleckUW (858324) | more than 3 years ago | (#33528654)

We only have about six computers in our labs that run Windows, mostly for submission reasons, and unfortunately some of those are required to use Outlook. Most of the rest are Linux.

Re:So that's why the UW mail system went down (0)

Anonymous Coward | more than 3 years ago | (#33528660)

Actually, it's due to the decisions of incompetent, computer-illiterate, corrupt 'decision-makers', who have been coerced into signing 'MS junk only' support contracts, licensing deals, etc.

Go ahead, see if you can find out ANYTHING about your school's/employer's MS contracts. Good luck with that.
The secrecy keeps the corruption under wraps, sending billions to MS, while billions more are eaten up in 'support issues', etc. Dunce-head 'administrators' think infected computers are just the way the world works, and sign some contracts and send loads of money to look after all of these 'problems'. Great for business, not so good for anyone else who wants to actually use a computer to accomplish something.

Got mimedefang? (3, Interesting)

Shoeler (180797) | more than 3 years ago | (#33528134)

People still allow .exe files through filters? Helllloooooo mimedefang...

Re:Got mimedefang? (2, Interesting)

Technoodle (1384623) | more than 3 years ago | (#33528176)

I had a client that got a link to a .scr file. They thought it was suspicious but clicked it and ran it anyway. When will users ever learn?

Re:Got mimedefang? (4, Interesting)

Jaktar (975138) | more than 3 years ago | (#33528368)

I was called to a co-worker's office today. He told me that he received an email from someone in our company. He didn't remember the name of someone he had spoken with yesterday and assumed it was the person that he had talked to. He clicked the link and then witnessed the awesomeness that is this exact worm. I got to see the email. It had all the usual signs of being junk/scam/phishing/younameit. I then further continued to giggle as the company posted a warning on our main site page having already shut down the mail server. By the time he had caught the worm in action it had operated for about 30 seconds and managed to get around 800 messages (and counting) in his outbox before he killed the process.

Re:Got mimedefang? (4, Informative)

gmuslera (3436) | more than 3 years ago | (#33528332)

The actual file doesn't go in the mail, just the link to download it. mimedefang or antivirus at the mail server doesn't have anything to do with it.

The hell? (3, Insightful)

goodmanj (234846) | more than 3 years ago | (#33528152)

Stupid question from a Linux / Mac user:

Are there really operating systems in use in 2010 that let you write files to a system directory without entering an administrator password?

Re:The hell? (1, Informative)

al0ha (1262684) | more than 3 years ago | (#33528246)

Yes and actually Macs are one of them Mr. Snarky.

In the original account set up on your Mac perform the following

cd /
touch testfile
ls -l testfile

Whe-e-e-e-e-e-e!!!!!

Umm.. nope. (4, Insightful)

CrAlt (3208) | more than 3 years ago | (#33528390)

That would only work if you were logged in as the admin account..
Or do you do everything as root?

Last login: Thu Sep 9 18:35:16 on console
focker:~ cralt$ cd /
focker:/ cralt$ touch testfile
touch: testfile: Permission denied
focker:/ cralt$ uname -a
Darwin focker.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386

Thank you come again.

Re:Umm.. nope. (-1, Troll)

tepples (727027) | more than 3 years ago | (#33528470)

That would only work if you were logged in as the admin account..

And guess what: Millions of PCs running Windows XP Home Edition have admin privileges on all user accounts. Part of this comes from Windows 98 applications that wouldn't work without admin privileges.

Re:The hell? (1)

goodmanj (234846) | more than 3 years ago | (#33528394)

Point taken, but unless I'm mistaken you can't do any shenanigans by creating new files in /.

If you could *edit* existing files in / or create files in a path directory, you'd be in business, but you can't: they're all owned by root.

Re:The hell? (0)

Anonymous Coward | more than 3 years ago | (#33528418)

Unless, like a good security-concerned netizen, you follow directions and reserve that original account for actual Administrative purposes, creating normal, non-privileged user accounts for all your users to surf, check email, and download worms with.

This works very well, especially when accounts for significant others and children are concerned.

Re:The hell? (1)

93 Escort Wagon (326346) | more than 3 years ago | (#33528532)

I still don't get why more Mac users don't do this - running as a non-admin is trivially easy on the Mac. You don't even have to think about it - the OS will prompt you for an admin username/password when necessary (unlike Windows, where you still have to manually select "run as admin" I believe).

Better security with absolutely no pain. What's the problem?

Re:The hell? (1)

TrancePhreak (576593) | more than 3 years ago | (#33528722)

Applications can be built admin-rights aware for windows (where it asks to elevate as necessary). Problem is, not everyone knows how. Fortunately, most installers often have this built into their mechanisms.

Re:The hell? (1, Informative)

Anonymous Coward | more than 3 years ago | (#33528270)

Are there really people crazy enough to use operating systems released in 2001 in 2010? The answer is the same.

Re:The hell? (2, Informative)

tepples (727027) | more than 3 years ago | (#33528480)

Are there really people crazy enough to use operating systems released in 2001 in 2010?

Are there really people crazy enough to play video games released in the 1980s in 2010? If a 2001 OS is the only thing that will run your application properly, you run the 2001 OS.

Re:The hell? (1)

Sir_Lewk (967686) | more than 3 years ago | (#33528648)

OS is the only thing that will run your application properly, you run the 2001 OS.

Not for checking your email it isn't. Unless of course you are a fucking moron.

Re:The hell? (1)

bertoelcon (1557907) | more than 3 years ago | (#33528734)

OS is the only thing that will run your application properly, you run the 2001 OS.

Not for checking your email it isn't. Unless of course you are a fucking moron.

Checking email isn't the only thing people do on computers these days.

Re:The hell? (1)

Haeleth (414428) | more than 3 years ago | (#33528684)

Yeah, but if you've got any sense, you run it in a sandboxed virtual machine, or as a dual-boot option that you only fire up for that one application, or on a separate heavily-firewalled computer that does not have direct access to the internet and is never used for anything else.

It remains that using a 2001 OS as your primary desktop environment in 2010 is at best naive, and at worst foolhardy.

In any case, the number of games that don't work in DosBox OR VirtualBox OR Windows 7 is vanishingly small.

Re:The hell? (5, Insightful)

drcheap (1897540) | more than 3 years ago | (#33528278)

Stupid question from a Linux / Mac user:

Are there really operating systems in use in 2010 that let you write files to a system directory without entering an administrator password?

Yes, because people will give a computer anything it asks for, especially if it asks in an ambiguous manner.

What's this? A UAC prompt asking for permission to "perform the action I requested"? Wait, what was I just doing? Oh yeah, reading email. Yes I want to do that. ]click[

Same thing would happen if you gave them a Linux/OSX box that asked for admin password. Granted M$ made it easier by not requiring one to actually type in any actual password to elevate privileges.

Re:The hell? (4, Insightful)

goodmanj (234846) | more than 3 years ago | (#33528472)

I know this has been said before, but if your operating system is asking for an admin password often enough that replacing it with a mouseclick significantly improves the user experience, you're solving the wrong problem.

Re:The hell? (2, Insightful)

Missing.Matter (1845576) | more than 3 years ago | (#33528678)

The default UAC behavior in Windows 7 is to notify when installing programs and when programs try to change protected Windows settings on their own. The ONLY time I see a UAC prompt is when I install software. How is this unreasonable?

Re:The hell? (1)

grasshoppa (657393) | more than 3 years ago | (#33528382)

Vista/7, by default, prompt.

Thanks to UAC in Vista, folks have been well trained to just click "Yes" when prompted. So yes, this will be a threat.

Re:The hell? (2, Interesting)

archmcd (1789532) | more than 3 years ago | (#33528460)

Well, in the case of Windows XP and common corporate practices, it's not unusual for an individual that would require administrative rights to log in with an account in the Administrators group on a regular basis, whether administrative tasks will be performed or not. I've worked for companies where 1 in 3 users have administrative rights on their workstation due to a "business need" which may have been a one-time task, but the escalated privileges remain indefinitely. 1 in 3 is an awful lot of people in a company with over 100,000 employees.

Re:The hell? (3, Informative)

Skuld-Chan (302449) | more than 3 years ago | (#33528484)

You can't write files to \windows\system under vista/windows 7 without elevation to administrator. Under XP/2000 as a regular user - ditto.

That said - there's probably an alarming amount of people who would enter credentials upon getting the elevation prompt on Mac/Windows/Linux after clicking on an attachment or link in their email client.

Three things (4, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#33528488)

1) Yes, older ones. Unlike Apple, other companies don't force you to stop using an OS after a couple years. MS supports their OSes for a minimum of 10 years, and XP is scheduled to be supported until 2014. On XP most users run as an administrator, and thus need no privilege escalation to do anything. This is not required, they could run as a normal user, however they don't.

2) Who says you need system access? Most spyware we encounter these days doesn't bother, it just infects the user directory. No admin needed. Also, some detection tools have trouble noticing it when you log in as an admin and run them, since it is inactive at that point.

3) We are talking about people who will run executables from e-mail, something they've been told not to do about 1,000,000 times. You REALLY think an admin prompt will stop them? Hell no, they'll just grant permission.

If you think having to escalate privilege protects an OS, you are deluding yourself. Don't get me wrong, I like the feature and in the hands of a technical user it is a useful defense. However it does shit for the clueless users. You cannot protect someone against themselves and still give them control over their own system.

Re:The hell? (1)

Blakey Rat (99501) | more than 3 years ago | (#33528500)

They all do, if you configure them to. Using the default configuration? None of them do.

Note that this virus is mostly affecting people running a 2001 OS (Windows XP), not a 2010 OS (Windows 7). Vista and Windows 7 users are pretty well-protected from this virus, using the default configuration.

(Of course you weaseled around that one by saying "in use in 2010", but I felt it was only fair to point it out anyway. Hell, Windows 3.11 is "in use in 2010".)

Re:The hell? (0)

Anonymous Coward | more than 3 years ago | (#33528582)

No question is stupid!

Of course all modern operating systems require administrator privileges to modify such files, however, most viruses circumvent this through some kind of exploit in the operating system or in an admin-privilege-granting application (e.g., sudo). There are many examples of such attacks on all modern platforms (even cell phones!) So do not believe that just because your operating systems only represent a small fraction of the computer systems in production today (and thus are less of a target for attackers) that you are somehow immune to such problems.

some stuff does not need admin to take over the sy (1)

Joe The Dragon (967727) | more than 3 years ago | (#33528624)

some stuff does not need admin to take over the system even more so when it uses old windows 3.1 or 9x holes that are still in XP, vista and 7.

The old code is not holes but old printing or other sub systems that are not in use any more but the code base that that old system used is still in the windows code base.

What do you mean 2001? (5, Informative)

Superdarion (1286310) | more than 3 years ago | (#33528172)

What do you mean it's 2001 all over again? I never stopped receiving those. Every once in a while I receive a mail "from a friend", from the friend's address or not, telling me stuff like "Hey, here are the pictures of that party!" or "Have you seen this? I can't believe there are pictures of it!". They all contain links to weird-looking pages which, of course, I never open.

Sometimes I even receive those mails with URLs that actually contain my email address, like www.thisisnovirus.com/picturesfromlastnight/superdarion.

From what I can tell, they usually come from my friend's MSN/hotmail's address books.

Re:What do you mean 2001? (1)

istartedi (132515) | more than 3 years ago | (#33528276)

It's even more interesting to look at packets with a sniffer on Comcast. Something out there is still broadcasting UDP on this subnet. IIRC, there was a Windows service that used to be enabled by default, that allowed you to send simple UDP messages and have them pop up at people. AFAIK it's long since been disabled; but you still see that kind of traffic on the network. Guess what, it's all spammy messages too. How many unpatchable '98 or even '95 boxes are on the network?

Also, I defy any Linux user to come back and say that a 12 year old distro wouldn't be an absolute cesspool if it were that popular.

Along similar lines, people still use Outlook? What if you need to log in from somebody else's box? I'm not a big fan of "web apps for everything", but email is one of those things where a web app makes much more sense than a desktop app.

Re:What do you mean 2001? (4, Informative)

afabbro (33948) | more than 3 years ago | (#33528342)

Along similar lines, people still use Outlook? What if you need to log in from somebody else's box? I'm not a big fan of "web apps for everything", but email is one of those things where a web app makes much more sense than a desktop app.

Not to defend Outlook, but MS Exchange does come with Outlook Web Access. It provides a web-based interface that provides a web 2.0 interface to Outlook. Probably 90% of what you want to do in Outlook (read/write your mail, set up meetings, contacts, etc.) can be done in OWA. It even degrades nicely for older browsers. It's actually quite a sophisticated webapp...though of course, you're still using Outlook.

Re:What do you mean 2001? (2, Insightful)

scdeimos (632778) | more than 3 years ago | (#33528508)

[on OWA] It even degrades nicely for older browsers.

I wish it downgraded nicely for newer browsers, too.

Re:What do you mean 2001? (0)

Anonymous Coward | more than 3 years ago | (#33528564)

Being the origins of the XMLHttpRequest feature that has since brought us wonders such as Gmail and Maps, one might say that Outlook Web Access was the first true webapp. It's not surprising that they've got a head start on things.

it's comcast they can't even get cable right at ti (1)

Joe The Dragon (967727) | more than 3 years ago | (#33528578)

it's comcast they can't even get cable right at times and they still have a hard time with people in the call center getting info to the cable guys. Try asking for a cable card or if you want some fun tru2way.

Re:What do you mean 2001? (1)

Dalzhim (1588707) | more than 3 years ago | (#33528312)

They all contain links to pages (probably weird-looking) which, of course, I never open.

Here, fixed that for you.

Re:What do you mean 2001? (1)

DrSkwid (118965) | more than 3 years ago | (#33528492)

Do you have any pictures of my wife you could send me in a zip file, or perhaps a failed UPS delivery summary ?

U R teh winnar! (2, Insightful)

drcheap (1897540) | more than 3 years ago | (#33528174)

Sigh. We need licenses to operate computers, that way we can revoke them when people click on the shiny red buttons.

--
Click to read more great comments: ILoveSlashdot.exe [slashdot.org]

Re:U R teh winnar! (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33528230)

That's much too kind. They could still breed then. The only reasonable option is summary execution for Windows use.

Re:U R teh winnar! (3, Insightful)

Pentium100 (1240090) | more than 3 years ago | (#33528384)

Because there is no way for a virus to spread on a Linux machine.

Even assuming that Linux does not have security bugs and the user runs as user and not root, the virus can still:
1. Access all of the user's files.
2. delete them (rm -rf /home/username )
3. Send itself to every email address it could find in the user's files.

For a single user machine, rm -rf / and rm -rf /home/username is about the same in the damage.

Yes, most Linux users now are the ones that know what they are doing and would be able to stay clean even using Windows. If, say, everyone goes to Linux, the "oh, look, my friend sent me a screensaver " users and virus creators will go too and Linux will have the same problem as Windows does now.

For now, the number of Linux users, not to mention the number of stupid Linux users is too low for the virus writers to care (why spend time to create a virus that works for 5% of people, 90% of whom know how to protect themselves, when he can create a virus that works for 90% of people a lot of whom will run it).

I use both Linux and Windows, my opinion is that both operating systems have their own advantages and disadvantages, but both are good at what they do, especially Linux for servers or work computers that need a browser and OpenOffice.

Re:U R teh winnar! (1)

DrSkwid (118965) | more than 3 years ago | (#33528522)

How did this virus write itself with execution privileges ?

Re:U R teh winnar! (1)

EvanED (569694) | more than 3 years ago | (#33528670)

Among several possibilities, "unzip this and look!"

~/delete : cat > hello.sh
#!/bin/sh
echo Hello!
~/delete : chmod +x hello.sh
~/delete : tar cvf hello.tar hello.sh
hello.sh
~/delete : gzip hello.tar
~/delete : zip hello.zip hello.sh
  adding: hello.sh (stored 0%)
~/delete : cp hello.tar.gz hello.zip ~/public/html
~/delete : rm *
~/delete : wget [...]/hello.tar.gz
--2010-09-09 18:05:50-- http://.../hello.tar.gz
Resolving pages.cs.wisc.edu... 128.105.7.26
Connecting to pages.cs.wisc.edu|128.105.7.26|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 158 [application/x-gzip]
Saving to: `hello.tar.gz'
[...]
2010-09-09 18:05:50 (25.1 MB/s) - `hello.tar.gz' saved [158/158]
~/delete : tar xvf hello.tar.gz
hello.sh
~/delete : ./hello.sh
Hello!
~/delete : rm *
~/delete : wget [...]/hello.zip
--2010-09-09 18:06:16-- http://.../hello.zip
Resolving pages.cs.wisc.edu... 128.105.7.26
Connecting to pages.cs.wisc.edu|128.105.7.26|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 170 [application/zip]
Saving to: `hello.zip'
[...]
2010-09-09 18:06:16 (27.0 MB/s) - `hello.zip' saved [170/170]
~/delete : unzip hello.zip
Archive: hello.zip
  extracting: hello.sh
~/delete : ./hello.sh
Hello!

(And no, using something like file-roller won't help you here.)
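A pre-extraction check for the behaviour EvanED's session shows (tar and Info-ZIP both carry the Unix execute bit, so "unzip this and look" hands the user a runnable script). This is an added example, not code from the thread: it builds both archive types in memory around a constructed stand-in for hello.sh and reports members that would come out executable or that start with a shebang.

```python
import io
import stat
import tarfile
import zipfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

# Constructed stand-in for the hello.sh in the comment above.
SCRIPT = b"#!/bin/sh\necho Hello!\n"


def build_tar_gz(name, data, mode):
    """Pack one file into an in-memory tar.gz, keeping the given permission bits."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        info.mode = mode
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_zip(name, data, mode):
    """Pack one file into an in-memory zip the way Info-ZIP does on Unix:
    the st_mode word lives in the high 16 bits of external_attr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(name)
        info.external_attr = (stat.S_IFREG | mode) << 16
        zf.writestr(info, data)
    return buf.getvalue()


def _flag(name, mode, head):
    """Return (name, permission bits, has_shebang) if the member looks runnable."""
    shebang = head.startswith(b"#!")
    if mode & EXEC_BITS or shebang:
        return (name, stat.S_IMODE(mode), shebang)
    return None


def suspicious_members(blob):
    """List members of a zip or tar(.gz) blob that would extract with an execute
    bit set, or whose content starts with a shebang even without one."""
    found = []
    stream = io.BytesIO(blob)
    if zipfile.is_zipfile(stream):
        with zipfile.ZipFile(stream) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                mode = (info.external_attr >> 16) & 0xFFFF
                with zf.open(info) as fh:
                    head = fh.read(2)
                hit = _flag(info.filename, mode, head)
                if hit:
                    found.append(hit)
    else:
        stream.seek(0)
        with tarfile.open(fileobj=stream, mode="r:*") as tar:
            for info in tar.getmembers():
                if not info.isfile():
                    continue
                with tar.extractfile(info) as fh:
                    head = fh.read(2)
                hit = _flag(info.name, info.mode, head)
                if hit:
                    found.append(hit)
    return found


if __name__ == "__main__":
    for label, blob in (("tar.gz", build_tar_gz("hello.sh", SCRIPT, 0o755)),
                        ("zip", build_zip("hello.sh", SCRIPT, 0o755))):
        for name, mode, shebang in suspicious_members(blob):
            print(f"{label}: {name} mode={mode:o} shebang={shebang}")
```

Running the scan on a mail gateway or download proxy gives a signal that attachment-type filters miss, since the archive itself is a harmless-looking .zip or .tar.gz.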

Re:U R teh winnar! (1)

Pentium100 (1240090) | more than 3 years ago | (#33528696)

Well, there has to be a way for a user to execute an email attachment or a downloaded file. If the user wants the screensaver (or whatever) that he found on some site or got from his "friend", he will check the checkbox that says "allow execution" (or similar).

Kind of the same happens with Windows. The user has to download the executable file and run it ignoring two warnings (one from Firefox and another one from Windows).

Re:U R teh winnar! (1)

EvanED (569694) | more than 3 years ago | (#33528602)

Not just that, but it could set itself to run each time the user logs in. This is less damaging than putting it into a system folder, and it would save quite a few people. That said... what percentage of desktop computers are or essentially are single-account machines? I'd guess easily 3/4 of them, and probably more like 85 or 90%. Between people who actually have their own computer (e.g. they live alone), share accounts between everyone in a family (I would guess most "normal" people, though I'm not sure), machines where there is a de-facto single user (e.g. almost all "personal" workstations in company settings), and the general increased prevalence of computers (especially laptops), I'd say that a very substantial majority of the time, compromising one account is basically the same as compromising the system.

Re:U R teh winnar! (4, Funny)

_Sprocket_ (42527) | more than 3 years ago | (#33528440)

Now Timmy... can you tell me which of the shiny... candy-like... red buttons has an electric current on its surface? Ooooh. Sorry. It WAS a trick question. They all do. We're going to need another Timmy.

This is not a worm (1)

chispito (1870390) | more than 3 years ago | (#33528182)

It is a file that is linked in the spam message itself, with an .SCR extension (.SCR is a screen saver extension in win32, if I am not mistaken), though the text of the file reads as though it were a PDF. In Outlook, at least, downloading and executing the file immediately causes the user's outbox to fill with emails to all of his or her closest coworker friends. The emails have the subject "Here you have."

LOL - My inbox was full this morning (0)

Anonymous Coward | more than 3 years ago | (#33528190)

LOL - My inbox was full this morning with this email. Go multinational corporations - maximum effect for this crud.

*sigh* now my day will be full of work cause I'm the IT Admin *cry*

Hit NASA today (2, Interesting)

Anonymous Coward | more than 3 years ago | (#33528232)

It started working its way through NASA and contractor mail servers today. Lots of folks send mail to distribution lists and so those were getting lots of backwash from people replying to them, saying they didn't think the message was for them...

Re:Hit NASA today (0)

Anonymous Coward | more than 3 years ago | (#33528410)

At least Jeanie isn't around to yank the Center off the 'Net because of a stupid Windows worm anymore.

Probing (1, Insightful)

religious freak (1005821) | more than 3 years ago | (#33528240)

So... *if* you were a government or some other organization - wouldn't this be a cool method of probing for vulnerabilities???
*removes tinfoil hat*

People still fall for this? (2, Funny)

kheldan (1460303) | more than 3 years ago | (#33528260)

For that matter, people are still using Outlook?

They're still using Outlook for email

laughingwomen.jpg

Windows is super! (2, Informative)

CrAlt (3208) | more than 3 years ago | (#33528284)

My MS Exchange email box at work filled up with these right before the server died..

Subject: Here you are
--------------
Hello:

This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

Domain Name: SHAREDOCUMENTS.COM

Registrant:
        Worldwide Media, Inc
        Domain Administrator (info@mostwanteddomains.com)
        Po Box 129
        Highlands
        North Carolina,28741
        US
        Tel. +001.8132675600
        Fax. +001.9543370351

Creation Date: 09-Oct-2003
Expiration Date: 09-Oct-2011

Domain servers in listed order:
        ns17.this-domain-is-4-sale.com
        ns17.mostwanteddomains.com

-----------------

Re:Windows is super! (3, Informative)

Anonymous Coward | more than 3 years ago | (#33528352)

The actual underlying link is from http://members.multimania.co.uk/yahoophoto/... sharedocuments.com is a decoy

Re:Windows is super! (4, Insightful)

Anonymous Coward | more than 3 years ago | (#33528420)

Turn in your low slashdot ID immediately.

Re:Windows is super! (4, Interesting)

Marauder2 (82448) | more than 3 years ago | (#33528424)

Before the collective wrath of Slashdot falls upon an innocent* cyber squatter, bear in mind that the URL listed in the text of the email wasn't actually the URL that the href linked to (text claimed to point to one spot, actual href tag pointed some place completely different). It didn't link to a PDF either but an executable with the .scr (Windows Screensaver) extension.

*Presumed innocent in the context of this malware, not in the grander scheme of effing up the domain registry system for the rest of us...

Re:Windows is super! (1)

benraldo (799565) | more than 3 years ago | (#33528758)

the link in the email actually points to.. added some spaces to break the url. Browse to this only if you want to get the worm, or feel comfortable that you are protected.

http : // members.multimania.co.uk / yahoophoto / PDF_Document21_025542010_pdf . scr

Hello:

This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,
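
The display-text/href mismatch and the document-named .scr that Marauder2 and benraldo describe can be checked mechanically. What follows is an added example, not code from this thread: a stdlib-only Python scanner that parses the anchors in an HTML mail body and flags (1) visible text that is itself a URL but names a different host than the href, (2) hrefs whose file name ends in a Windows executable extension, and (3) file names that wrap a document token such as "pdf" around that extension. The sample body is constructed from the email quoted above; the unsubscribe link is made up for contrast, the extension and token lists are my own choices, and nothing is fetched.

```python
"""Flag deceptive links in an HTML e-mail body (added example, stdlib only).

Three checks per <a> element:
  1. the visible text is a URL, but its host differs from the href's host
  2. the href's file name ends in a Windows executable extension
  3. that file name also carries a document token (pdf, doc, ...) as bait
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists; extend to taste.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "msi", "lnk"}
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}

# Constructed sample body, modelled on the message quoted in the thread.
# The first link is the worm's (display text vs. real target); the second
# is a harmless link with matching text and target, added for contrast.
SAMPLE_EMAIL = """<html><body>
<p>Hello:</p>
<p>This is The Document I told you about,you can find it Here.
<a href="http://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr">http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf</a></p>
<p>Please check it and reply as soon as possible.</p>
<p>Cheers,</p>
<p><a href="https://lists.example.com/unsub">https://lists.example.com/unsub</a></p>
</body></html>"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible_text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def _host(url):
    # Display text like "www.example.com/x" has no scheme; treat it as http.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def assess_anchor(href, text):
    """Return the list of findings for one link; [] means nothing odd."""
    findings = []
    if _looks_like_url(text) and _host(text) != _host(href):
        findings.append("display-host-mismatch")
    filename = urlparse(href).path.rsplit("/", 1)[-1].lower()
    stem, dot, ext = filename.rpartition(".")
    if dot and ext in EXECUTABLE_EXTS:
        findings.append("executable-target")
        # "PDF_Document21_025542010_pdf.scr" -> tokens contain "pdf"
        if DOCUMENT_TOKENS & set(re.split(r"[._\-]+", stem)):
            findings.append("document-disguise")
    return findings


def scan_email(html):
    """Assess every link; returns [(href, visible_text, findings), ...]."""
    return [(href, text, assess_anchor(href, text))
            for href, text in extract_anchors(html)]


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL):
        print(f"{href}\n  shown as: {text or '(no text)'}\n  findings: {findings or 'none'}")
```

The host comparison is deliberately exact: a display text of www.sharedocuments.com against an href on members.multimania.co.uk is the whole trick here, and a mail gateway that strips or rewrites such links (or at least warns on them) removes the social-engineering step the thread keeps coming back to.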

Adobe PDF zero day saved me (2, Interesting)

Maxo-Texas (864189) | more than 3 years ago | (#33528294)

I was suspicious of any PDF today.

Might not have clicked on it but I might have. You normally think of PDF's as safe.

Re:Adobe PDF zero day saved me (0)

Anonymous Coward | more than 3 years ago | (#33528430)

but they really aren't http://www.technewsworld.com/story/70791.html

It's already hit NASA (4, Interesting)

ToSeek (529348) | more than 3 years ago | (#33528344)

Got sent to a maillist that covers just about everyone who works at a NASA center east of the Mississippi. Once you add up the virus-generated emails, the emails warning everyone it's a worm, and the emails complaining "for God's sake don't reply to everybody" (which replied to everybody), there were several score messages sent to thousands of users.

Re:It's already hit NASA (-1, Troll)

eyenot (102141) | more than 3 years ago | (#33528504)

YES! NASA ROCKS!!!

Top minds for rizzle!

EVERYBODY in America so SMART!

i JUST got this virus! (4, Funny)

nimbius (983462) | more than 3 years ago | (#33528346)

thank goodness I saw this article...i was seconds away from clicking on the attachment in Pine.

Re:i JUST got this virus! (-1)

Anonymous Coward | more than 3 years ago | (#33528438)

I run Xenix (aka Windows OT).

Did MS ever backport virus compatibility to it before getting rid of it?

Dumb Question.... (0)

ozzy85 (1427363) | more than 3 years ago | (#33528388)

Who has the time to write these worms? And why the hell do they write them? I honestly cannot see one incentive to do so.

Re:Dumb Question.... (1)

CrazyJim1 (809850) | more than 3 years ago | (#33528468)

People in countries with no cyber laws do it because they're typically congratulated if found out instead of imprisoned. Also if you write for a botnet, you can then leverage your botnet to do interesting stuff mimicking a super computer, or just have an extensive proxy network where you can game social systems. The main reason is a lot of people will do scummy things to make money.

Re:Dumb Question.... (0)

Anonymous Coward | more than 3 years ago | (#33528510)

stealing personal information like wow account cc numbers and social security number

Re:Dumb Question.... (1)

jack2000 (1178961) | more than 3 years ago | (#33528512)

Malice? Script kiddies grinding their teeth? People hate people?

Working with people has made me jaded and callous but not enough to start writing viruses.

Re:Dumb Question.... (1)

melikamp (631205) | more than 3 years ago | (#33528554)

I've known people in my high school (the Russian equivalent of it) who wrote DOS viruses in assembly back in 94-96. Great times. One virus, at least, made a splash in Ukraine, or so I've been told. So there you have it: bored high school students. If no one else did it, it would be more than enough, but nowadays one can actually make money doing that.

Lulz @work today (5, Interesting)

mrsam (12205) | more than 3 years ago | (#33528426)

Initially, got a few batches of these at $work$ today -- one of the remaining 800lb Wall Street gorillas. The mails originated from some senders @NYSE, and were sent to some internal mailing lists.

It didn't take long before a bunch of our own drooling baboons clicked the link, causing more mails to go out to the internal lists. That went on for a few hours. Then came the inevitable "why are you sending this", "i must've gotten this by mistake", "take me off the list" replies from more internal senders, resent to the same internal lists. Then came the inevitable "this is a virus, do not reply to all" replies to all.

I told my management that what they have in their inbox, basically, is a list of people to get the axe when the next round of layoffs comes around. Can't create a more accurate list of people who are truly the bottom of the barrel, and do not belong in an organization that's supposedly charged with billions of investors' and depositors' money.

P.S. -- I also thought that this was the exploit for the 0-day PDF flaw too, given the .pdf extension. But if this was just an ordinary executable, that you actually had to click through an extra time to execute, then there's even less excuse for anyone with a brain to get infected with this.
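
chispito's and mrsam's accounts (one infected mailbox bursting the same subject to every contact, then reply-alls to the internal lists) are the two signals a mail admin can hunt for in tracking logs. The following is an added example, not from the thread, over a constructed, generic "timestamp sender recipient subject" log; a real Exchange or Postfix log needs its own parser, and the thresholds are my own guesses. find_fanout flags a sender that reaches at least N distinct recipients with one subject inside a sliding window, keeping "re:" prefixes so the reply storm is not mistaken for fan-out; reply_storm_targets then counts the reply-all traffic per recipient.

```python
"""Spot worm-style fan-out and the reply storm that follows in an outbound
mail log (added example; the log format is constructed, not any real MTA's).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice mails six contacts (one a distribution list) in
# two seconds, three recipients reply-all to the list, and erin sends an
# unrelated two-recipient note to show ordinary mail stays under threshold.
SAMPLE_LOG = """\
2010-09-09T09:00:01 alice@corp.example bob@corp.example Here you have
2010-09-09T09:00:01 alice@corp.example carol@corp.example Here you have
2010-09-09T09:00:02 alice@corp.example dave@corp.example Here you have
2010-09-09T09:00:02 alice@corp.example erin@corp.example Here you have
2010-09-09T09:00:02 alice@corp.example staff-all@corp.example Here you have
2010-09-09T09:00:03 alice@corp.example frank@corp.example Here you have
2010-09-09T09:04:10 bob@corp.example staff-all@corp.example RE: Here you have
2010-09-09T09:05:30 carol@corp.example staff-all@corp.example RE: Here you have
2010-09-09T09:06:00 dave@corp.example staff-all@corp.example RE: RE: Here you have
2010-09-09T10:15:00 erin@corp.example bob@corp.example Lunch?
2010-09-09T10:16:00 erin@corp.example carol@corp.example Lunch?
"""

_REPLY_PREFIX = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+")


def parse_log(text):
    """Return (timestamp, sender, recipient, normalised subject) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, subject = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower(),
                       " ".join(subject.split()).lower()))
    return events


def find_fanout(log_text, min_recipients=5, window_seconds=60):
    """Senders that reach >= min_recipients distinct recipients with one
    subject inside a sliding time window. Subjects keep their "re:" prefix,
    so reply-all traffic is grouped separately from the original burst."""
    groups = defaultdict(list)
    for ts, sender, rcpt, subject in parse_log(log_text):
        groups[(sender, subject)].append((ts, rcpt))
    window = timedelta(seconds=window_seconds)
    hits = []
    for (sender, subject), sends in groups.items():
        sends.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, rcpt in sends:
            in_window[rcpt] += 1
            while ts - sends[left][0] > window:      # drop sends that aged out
                old = sends[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_recipients:
            hits.append({"sender": sender, "subject": subject,
                         "distinct_recipients": peak,
                         "first_seen": sends[0][0].isoformat()})
    return sorted(hits, key=lambda h: -h["distinct_recipients"])


def reply_storm_targets(log_text, worm_subject):
    """Count reply-all messages per recipient whose subject, once the
    re:/fw: prefixes are stripped, equals the worm's subject line."""
    target = " ".join(worm_subject.split()).lower()
    counts = Counter()
    for _, _, rcpt, subject in parse_log(log_text):
        stripped = _REPLY_PREFIX.sub("", subject)
        if stripped == target and stripped != subject:
            counts[rcpt] += 1
    return counts


if __name__ == "__main__":
    for hit in find_fanout(SAMPLE_LOG):
        print("fan-out:", hit)
    print("reply storm:", dict(reply_storm_targets(SAMPLE_LOG, "Here you have")))
```

The first function gives you the infected mailboxes to disable; the second gives you the lists to moderate or temporarily close so the "please remove me" replies stop amplifying the original burst.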

Social engineering (1)

Acetylane_Rain (1894120) | more than 3 years ago | (#33528544)

There's a confusing reference to "containing malicious executables" in the first sentence of the summary, which appears to be a nearly direct quote of the first few paragraphs of the article itself. However, the emails only contain a "link" to the malware, which, of course, is less exciting news, since that's what some s(p/c)ammers already do. (To be sure, this is corrected in the second sentence which mentions the "messages contain a link" to the file.) This is a two-stage browser-based attack, which uses social engineering via email as its point of entry.

Incidentally, the link to the article is to a site hosted by an anti-virus vendor, rather than an independent security company. So take it all with a grain of salt or puff of powder.

they wouldn't care anyway (0)

Anonymous Coward | more than 3 years ago | (#33528608)

I'm in a position where I am here to help people with their workstations. Basically it is a, "put out fires" situation. I could tell people about this latest issue with Microsoft products, but the reality is, they wouldn't listen anyway. Of course, if they listened, they wouldn't have Outlook on their PC's in the first place.

Worm? No (1)

nurb432 (527695) | more than 3 years ago | (#33528642)

Trojan, yes.

Worms don't need human intervention to spread. ( technically, neither do viruses )
