
Latest WinWorm Spreads Via ICQ And Outlook

timothy posted more than 12 years ago | from the how-vastly-creative dept.


mgooderum was among the many to write in about yet another snippet of malice making the Windows desktop rounds: "The latest email virus -- 'Goner' -- is apparently running around this morning (AP news story on Iwon here - no login needed). The virus is a typical worm that spreads via attachments and users' address books. It appears as a message with an attachment that starts: 'How are you ? When I saw this screen saver I immediately thought about you...' Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere. What's moderately unique are two features. One is its ability to replicate via ICQ as well as the usual Outlook and Outlook Express. Two is its small size -- it has a packed form that is only 159 bytes. Symantec has details here; McAfee has details here." Update: 12/04 21:57 GMT by T : That should read 159 kilobytes. And as many posters have pointed out, "destructive" is in the eye of the beholder.


598 comments


fp! (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2655976)

biatches 'n ho's

NOT! (5, Informative)

aitala (111068) | more than 12 years ago | (#2655980)

It is not non-destructive - it tries to delete anti-virus and firewall software.

Re:NOT! (0)

Anonymous Coward | more than 12 years ago | (#2656039)

This virus apparently seeks out the location your AV executable resides in, and deletes everything in that folder. So... if your NAV.EXE runs from \system32, it can be messy.

Re:NOT! (1, Redundant)

Bwana (2384) | more than 12 years ago | (#2656064)

Correctamundo. I think the article needs an update. This payload is not non-destructive:

From Symantec [symantec.com]:

Once the registry key has been added, the worm will try to delete files of common anti-virus and firewall products. If the files are in use and cannot be deleted, the worm will create the file %SYSTEM%\Wininit.ini, which causes the files to be deleted when the computer restarts.

OT: "moderately unique"?? (0, Offtopic)

gilgongo (57446) | more than 12 years ago | (#2656082)

WTF does "moderately unique" mean?

Either something is unique or it's not, by crikey! Soon we'll have things described as "marginally special" or "slightly dead."

Avoiding off-topic flames like this is just ONE reason to avoid sloppy English.

Re:OT: "moderately unique"?? (3, Funny)

heliocentric (74613) | more than 12 years ago | (#2656130)

WTF does "moderately unique" mean?

I consider myself moderately unique in that my shirt size is an extra medium. I don't know many other people who take an extra medium, but if the shirt companies make 'em then I can't be fully unique.

Either something is unique or it's not, by crikey! Soon we'll have things described as "marginally special"

Well, at the local food store the manager often has things that are getting old on special... oh, you were talking about marginally...

or "slightly dead."

Ever see the Princess Bride? Wesley was not all dead when they took him to Miracle Max's....

Re:OT: "moderately unique"?? (0)

Anonymous Coward | more than 12 years ago | (#2656146)

WTF does "moderately unique" mean?

No meaning; just the average non-command of English encountered here.

Grammah heah be as buggy as Windoze, an' shi'.

Just got goner here (3, Interesting)

monkeyfamily (161555) | more than 12 years ago | (#2655984)

This is the first office I've seen grind to a halt because of an Outlook worm - but then, none of the other places I've temped have been so totally MS-centric. I think I'm the only one left with email access, as I'm using the mozilla client.

Small (-1)

uninerd (79304) | more than 12 years ago | (#2655986)

That is so small!

I got it (-1)

l33t j03 (222209) | more than 12 years ago | (#2655994)

I got root.

Small size a bonus? (1)

oliana (181649) | more than 12 years ago | (#2655998)

I would think that a virus that is intending to bog a system would want to be large...

Re:Small size a bonus? (1)

rediguana (104664) | more than 12 years ago | (#2656116)

... unless the initial infector is small, and then the main payload is transferred after infection. Would allow it to more quickly spread, and then when it becomes fully operational it could have an even more dramatic effect bogging down systems.

Maybe @Home's demise is okay... (2, Funny)

javaaddikt (385701) | more than 12 years ago | (#2656001)

considering I've received 20 virus-laden emails through my @home account in a matter of days.

that should be kbytes. Less impressive. n/t (1)

Unknown Poltroon (31628) | more than 12 years ago | (#2656003)

Blank fill for the stupid software. I said n/t, didn't I?

What? Still? (0)

Anonymous Coward | more than 12 years ago | (#2656009)

Didn't everyone get the memo that opening attachments is a really dumb idea? I'm attaching the original message:

Pretty impressive for 159 bytes (1)

RichMan (8097) | more than 12 years ago | (#2656010)

Is this really 159 bytes or does this packet pull something else down?
If this is 159 bytes of visual basic it is a good thing Forth is not a standard .NET language.

Re:Pretty impressive for 159 bytes (0)

Anonymous Coward | more than 12 years ago | (#2656147)

That's 159 Kilobytes.

Re:Pretty impressive for 159 bytes (1)

choprboy (155926) | more than 12 years ago | (#2656175)

Nope. As usual, the submitters scribble stuff down and Timothy doesn't bother to check the facts. The packed form (the attachment) is roughly 38K in size; unpacked it is 159KB in size.

I LIEK TEH BARLOG!!!@@1 (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2656014)

nt

hit off the left bow (1, Informative)

Anonymous Coward | more than 12 years ago | (#2656016)

My office was hit; since we saw the multiple emails with "Hi" we obviously knew that it was a virus. It's more of a DLL than VBS, using the screensaver extension. It's a little harder to screen than a VBS script.

Started here at 16:30ish GMT (2, Informative)

class_A (324713) | more than 12 years ago | (#2656018)

Got the first attachment at around 16:30 GMT - suspected by the wording of the email that it was a virus.

Mailed tech support and didn't get a response. Great.

It seems some people even ran the attachment more than once - probably trying to get the screensaver to work :-)

It only seems to have copied to the first entry in our network wide address book, unfortunately it begins "#All" - ah well, my Macs are safe at least

Re:Started here at 16:30ish GMT (1)

bark76 (410275) | more than 12 years ago | (#2656156)

I've received the email 2 dozen times at least now. I didn't open the attachment because the wording of the email looks like a rewrite of the SirCam message.

That's Why We Get Paid... (2)

Electric Angst (138229) | more than 12 years ago | (#2656020)

Shit. I still have people getting Melissa and Nimda here at work. (Matter of fact, I spent half an hour just yesterday clearing a machine from its second infection.) A 159 byte virus? Using a sentimental pick-up line? I'm going to be busy...

Yes, I know user education and antivirus software would help stop this, but I'm in no position to get those kinds of things done here.

Re:That's Why We Get Paid... (2, Informative)

CoolVibe (11466) | more than 12 years ago | (#2656138)

Even _after_ education, users remain stupid. They are almost like computers, they do what you say, but not what you mean.

*sigh*

The CEO of my technology company (5, Funny)

v4sudeva (156187) | more than 12 years ago | (#2656021)

has already sent every one of my fellow employees all over the globe 27 copies of this thing.

It's been going on for over two hours now. I can't help but wonder if he's still over there trying to run that damn .scr.

Thanks, boss.

Lol. (0)

Anonymous Coward | more than 12 years ago | (#2656115)

CEOs are funny. Usually so out of touch with the actual running of their business that they have time to play golf. My favorite CEO story is at a large mortgage company I was working for: we had a change in the way we submit mortgage bid sheets, and the change would allow us (the company, not me) to make an additional 150,000 in the first 3 days. However, since to make a change we had to get 30 VP signatures before implementing a change (the reason it took 3 days), we lost that money. Pathetic when companies get so big no one has the balls to make a decision. Such is corporate life.

Re:The CEO of my technology company (1)

CoolVibe (11466) | more than 12 years ago | (#2656160)

Thanks for letting me spew coffee all over my laptop. I'll send you the bill...

:-)

(IOW mod that up...)

Non-destructive? so far maybe (1)

Fillos (226259) | more than 12 years ago | (#2656022)

It wouldn't be the first time that AV companies reported a virus as having a weak payload, only to be proven wrong later. Look at the Nimda virus. It was first reported as a simple Outlook virus.

More fun virus stuff (0)

LinuxHeadMN (457423) | more than 12 years ago | (#2656024)

All I can say is, thank god for procmail....

The rest of my office ground to a halt. I sat here laughing and giggling all the way to the SMTP port.

story is wrong (5, Informative)

joshwa (24288) | more than 12 years ago | (#2656025)

The story had a few errors:

  1. The McAfee link is here. [mcafee.com]
  2. It's 159 KB, not 159 bytes.
  3. It isn't non-destructive -- it's designed to remove many popular anti-virus products. See the McAfee article.

nope, sorry. (5, Interesting)

tswinzig (210999) | more than 12 years ago | (#2656026)

it has a packed form that is only 159 bytes.

Actually the attachment is 38KB, and the virus itself is 159 KILObytes, not 159 bytes, UNPACKED.

The unique thing about it is it disables some anti-virus software, and things like ZoneAlarm.

As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.

Re:nope, sorry. (1)

stylewagon (197083) | more than 12 years ago | (#2656100)

I agree.

Why do all virii contain stupid spelling & grammatical errors?

How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

The writer must have been in some hurry...

Re:nope, sorry. (1)

CoolVibe (11466) | more than 12 years ago | (#2656178)

Makes me wonder though...

Who's "harry"?

Re:nope, sorry. (2)

sharkey (16670) | more than 12 years ago | (#2656177)

As soon as virus writers learn how to spell correctly and learn proper grammar, I think we're going to be in some serious trouble.

Yeah, the /. editors will get their asses kicked by script kiddies in the next 1337 hAx0r Spelling Bee. Then the kiddies will look at Slashcode, and discover that "where" is constantly misspelled as "were", the fixing of which will eliminate those annoying form_key errors.

30 bytes (1)

Fuzzums (250400) | more than 12 years ago | (#2656028)

Wow! I'm really impressed: 159 bytes in this Windows age is REALLY NICE. Many years ago you had a destructive virus (called Define) of 30 bytes overwriting all .com files.

But 159 bytes and spreading by outlook and icq. My compliments! Err. For educational value of course.

Re:30 bytes (1)

Tower (37395) | more than 12 years ago | (#2656172)

It's 159Kbytes... not 159 bytes. Not nearly as interesting.

*LOL*.. virus.. outlook.. *yawn* (1, Troll)

Maeryk (87865) | more than 12 years ago | (#2656029)

Sheesh people. Someday, the business world will get tired of paying for the privilege of having MS set up their software to fail. Ya think?

During Iloveyou, our whole corporate mail system was down for nearly two days. On this last go-round, it didn't go down, it just got really really ugly as they began scrubbing. Can't wait to see what this one does.

Course.. moderate intelligence could prevent this.. remove the preview pane option from Outlook on the users desktop.. educate your users NOT TO OPEN CRAP LIKE THIS!. (what a concept).

Course, that would take away the jobs of many highly paid professionals who are on retainer just for this sort of outbreak.

*sigh*.. My wife is one of them.. guess I won't see her for a few days again.

Maeryk

Re:*LOL*.. virus.. outlook.. *yawn* (-1)

l33t j03 (222209) | more than 12 years ago | (#2656086)

Someday, the business world will get tired of paying for the privilege of having MS set up their software to fail. Ya think?

No.

During Iloveyou, our whole corporate mail system was down for nearly two days

You should upgrade all of your servers to Windows XP. Soon, Exchange XP will be available and I suggest you upgrade as quickly as possible to that platform.

Re:*LOL*.. virus.. outlook.. *yawn* (4, Interesting)

Lemmy Caution (8378) | more than 12 years ago | (#2656124)

Don't be misled. Maybe you are too young to remember, or weren't in the industry, but the VB-based viruses are far tamer than some of the older Bulgarian viruses that used to attack DOS and Novell systems - those viruses would actually destroy the *hardware*. Unix has plenty of exploitable aspects - there was a vulnerability in pine that allowed for the execution of arbitrary code, there have been sendmail holes, worms, and other vulnerabilities. The unix model has been criticized by none other than RMS (when defending the HURD model) for its promiscuous reliance on SUID.

Re:*LOL*.. virus.. outlook.. *yawn* (2)

Maeryk (87865) | more than 12 years ago | (#2656166)

Don't be misled. Maybe you are too young to remember, or weren't in the industry, but the VB-based viruses are far tamer than some of the older Bulgarian viruses that used to attack DOS and Novell systems - those viruses would actually destroy the *hardware*. Unix has plenty of exploitable aspects - there was a vulnerability in pine that allowed for the execution of arbitrary code, there have been sendmail holes, worms, and other vulnerabilities. The unix model has been criticized by none other than RMS (when defending the HURD model) for its promiscuous reliance on SUID.

No.. I remember them.. but it still seems that Microsoft's very design and failure to treat VB as something security-wise risky has contributed a lot to the spread of this stuff. Not to mention the ease of use of "autoreply" and "autoforward" and all manner of other things that just about any monkey can use now. (Thanks Bill!)

Hell.. my wife got notified that she is "propagating" it because her work account (corporate) is trying to autoforward it to our home account (which is a setup that has been in effect for three years, at least).

She hasn't even read the work account in a month.

Unix has fewer exploitable aspects than it used to, and the main difference is when we find 'em, we find and publish fixes for 'em. Windows first says "ignore the man behind the curtain" and then says "here.. run this patchall, and life will be grand."

Maeryk

Misinformation (1, Informative)

Anonymous Coward | more than 12 years ago | (#2656030)

OK, to stem the immediate misinformation to those who don't read the links.

The virus is 39K packed and 159 K unpacked. Not even close to just 139 bytes.

The second is that it DOES have some harmful effects. Primarily, it deletes components of Norton Antivirus which could open the infected PC up to much more deadly viruses.

Jeremy Devers

Gartner Group (0, Troll)

Noxxus (259942) | more than 12 years ago | (#2656032)

I can't wait for the Gartner Group to condemn use of Outlook like they did IIS :)

Might get a few Dozers to switch to *nix and use Kmail, Evolution, Mutt, Pine...or at least get them to try Eudora instead.

Of course the Exchange admins will cry that they can't support POP3/SMTP because they need their neato calendar and scheduling functions of groupware.

Corporate hyjinx (1)

Blue23 (197186) | more than 12 years ago | (#2656034)

Non destructive ... except in time spent cleaning it up. And hassle. Just had a PC guy come check my laptop to determine if I had autopreview enabled in my Outlook. What a waste.

Gah, if my company just let me throw linux on my laptop I wouldn't have to deal with these problems.

=Blue(23)

What? Still? (5, Funny)

Anonymous Coward | more than 12 years ago | (#2656037)

Didn't everyone get the memo that opening attachments is a really dumb idea? I'm attaching the original message:

<Attachment: Don't_Open_Attachments.eml.vbs>

Obligatory Dolphin post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2656038)

Humans Rule! Dolphins can suck it.

Pure Wisdom (5, Funny)

Phartx2 (79490) | more than 12 years ago | (#2656040)

I just got the warning message from my school's network goons. In a move of administrative wisdom at its finest, it mentioned:

"The Bearcat Online email system is now blocking all messages with "Hi" as the subject."

Linux isn't ready for the desktop... (1, Funny)

sterno (16320) | more than 12 years ago | (#2656041)

Until Linux can spread worms as well as Outlook, Linux will never be accepted as a true desktop replacement!

some correct information... (1, Redundant)

H0NGK0NGPH00EY (210370) | more than 12 years ago | (#2656042)

First off, the McAfee link in the story is broken. The real link is http://vil.mcafee.com/dispVirus.asp?virus_k=99272& [mcafee.com] .

Second, I don't know what "non-destructive" means in this context, because when something terminates processes (ZONEALARM.EXE, SAFEWEB.EXE, and VSHWIN32.EXE to name a few) and tries to delete all files in the directory containing the executable of the process, I call that destructive.

Once again, please employ basic reading skills (0)

Anonymous Coward | more than 12 years ago | (#2656043)

The Symantec article says the bug is 159 KILO-bytes, not 159 bytes.

159 Bytes? Not! (0, Redundant)

Rentar (168939) | more than 12 years ago | (#2656044)

Please check the facts! It's _not_ 159! Not even the first self-replicating virii were this small (AFAIK). It's approx. 159 kb if unpacked from its PE-compressed format! The file you have to download to enjoy the virus is approx. 38 kb.

Re:159 Bytes? Not! (2)

Rentar (168939) | more than 12 years ago | (#2656087)

It's _not_ 159!

Of course I've seen the missing "Bytes" in the split second between pressing submit in the Preview-Page and the loading of the newly posted comment ... Sigh ...

Re:159 Bytes? Not! (1)

CTho9305 (264265) | more than 12 years ago | (#2656094)

minimal virus (.com infecting) is about 29 bytes, IIRC. it is over-writing, so it is readily noticeable. I believe it is called TINY-A (not sure about the last letter).

Social Engineering (4, Interesting)

FatRatBastard (7583) | more than 12 years ago | (#2656047)

This one's strength is actually its social engineering. The text of it sounds like something a friend would send. My sister got nailed and I got it via e-mail from her. Since I had just finished talking to her on AIM I found the text of it a little strange so my guard went up. Funny enough, McAfee didn't catch it on Yahoo (I scanned just to see what came up).

Somewhat destructive: eats firewalls, antivirus (1)

Lee Bottemiller (305781) | more than 12 years ago | (#2656050)



Non-destructive? It puts a hit out on its own opposition...

From http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html [symantec.com] ...

...the worm will try to delete files of common anti-virus and firewall products. If the files are in use and cannot be deleted, the worm will create the file %SYSTEM%\Wininit.ini, which causes the files to be deleted when the computer restarts.
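The Symantec text quoted in this post (and in Bwana's earlier post) describes the restart-deletion trick: a file that is locked while Windows is running gets queued in Wininit.ini and removed on the next boot. The script below is an added example, not code from the thread or from Symantec, of how a defender can inspect that queue before rebooting a suspect Windows 9x/ME box. It assumes the documented Wininit.ini format, where a `[rename]` section line of the form `NUL=C:\path\file.exe` deletes the named file; the sample file contents and the watched basenames (taken from the file list posted elsewhere in this thread) are constructed for the example.

```python
"""Report files that a Wininit.ini [rename] section will delete at next boot.

Added example; not from the Slashdot thread or from any AV vendor.
Assumed format (Windows 9x/ME, %SYSTEM%\Wininit.ini):
    [rename]
    destination=source      -> move source over destination at boot
    NUL=source              -> delete source at boot (what the worm uses)
"""
import re

# Constructed sample: one harmless installer rename plus two NUL entries
SAMPLE_WININIT = """[rename]
C:\\WINDOWS\\SYSTEM\\newfile.dll=C:\\WINDOWS\\TEMP\\newfile.tmp
NUL=C:\\PROGRAM FILES\\ZONE LABS\\ZONEALARM\\ZONEALARM.EXE
nul=C:\\Program Files\\Norton AntiVirus\\NAVW32.EXE

[other]
ignored=1
"""

# Basenames of AV / firewall binaries named in the thread (uppercased for comparison)
WATCHED = {"ZONEALARM.EXE", "NAVW32.EXE", "VSHWIN32.EXE", "AVP32.EXE",
           "SAFEWEB.EXE", "ESAFE.EXE", "FRW.EXE", "LOCKDOWN2000.EXE"}


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section only."""
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def pending_deletions(text):
    """Source paths whose destination is NUL, i.e. scheduled for deletion."""
    return [src for dest, src in parse_rename_section(text) if dest.upper() == "NUL"]


def suspicious_deletions(text, watched=WATCHED):
    """Pending deletions whose basename is a known security product binary."""
    hits = []
    for path in pending_deletions(text):
        base = re.split(r"[\\/]", path)[-1].upper()   # last path component
        if base in watched:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for path in suspicious_deletions(SAMPLE_WININIT):
        print("security binary scheduled for deletion at reboot:", path)
```

Run against the real file, the useful response is to clear the offending `NUL=` lines (or the whole `[rename]` section) before restarting, so the AV or firewall binaries survive the reboot that the worm is counting on.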

File size (0)

Anonymous Coward | more than 12 years ago | (#2656051)

According to the Symantec page, the payload is 159kb, not 159b.

Check McAAfffeeeeee link (0)

Anonymous Coward | more than 12 years ago | (#2656054)

It's either been slashdotted out of existence or was never correct.

the other has info tho.

McAfee says that it *can* do damage (1)

mj01nir (153067) | more than 12 years ago | (#2656055)

Quoth McAfee:Under Windows 9x/ME, the worm looks for the following processes in memory:

--A list of processes including AVs and personal firewalls--

If present, the process is terminated and all files in the directory containing that executable are deleted, as well as all files in that subdirectory.

That has my attention. Can anyone confirm this?

More information here (2)

stylewagon (197083) | more than 12 years ago | (#2656056)

F-Secure have a page describing the W32.Goner.A@mm [f-secure.com] as well.

Well... (1)

Arcanix (140337) | more than 12 years ago | (#2656057)

No doubt this was constructed by a bearded GNU-loving linux zealot to show the weakness in closed software systems like ICQ and Outlook... I wish they would just let us (the computer users of the world) use our horribly insecure applications without fear of virii...

This is a sad statement on security (5, Insightful)

JMZero (449047) | more than 12 years ago | (#2656058)

Our office blocks .scr attachments at the server, because we're not completely incompetent. There's no reason to send a .scr or a .vbs or anything like unto it - whatever you have to say could be said in a text file.

It strikes me as extremely sad that a virus like this can still work. How many times does it take?

What can we do to save the unknowing?

hit me again but harder (0, Troll)

timothy (36799) | more than 12 years ago | (#2656059)

Windows is reliable. Every generation is more and more secure. Boy, next one's gonna be the winner. No problems here. Sheesh, I wish I could use Linux at work, but Windows is what we've settled on, so I guess that's good enough. I need to play games. Without the latest DirectX Flooznithummer, I'm not going to go to some inferior operating system. Windows is really secure if you're not a total luser! Gosh, at work we've settled on sitting on sharp, dirty spikes every day instead of regular chairs, and dammit, it's necessary for efficiency! Horses, too.

Symantec's writeup is wrong.. (5, Informative)

Havokmon (89874) | more than 12 years ago | (#2656060)


It says you have to remove the registry entry then reboot. Actually, if you remove the registry entry, the app reinstalls itself, then reboot doesn't do shit.

Shutdown to DOS, then del windows\system\gone.scr
(It's hidden attrib -s-r-h first), then reboot.
You can't delete it before you shutdown, it's 'in-use'.

If you're running NTFS, AND you've been hit, *sigh*..

non-destructive? (1, Redundant)

tswinzig (210999) | more than 12 years ago | (#2656061)

I guess if you don't consider the deletion of files as "destructive."

The worm attempts to delete the following files:

APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallICON.EXE
FRW.EXE
VSHWIN32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE

Sorry about the double-post... (3, Funny)

tswinzig (210999) | more than 12 years ago | (#2656121)

...I was in a harry.

Yes, non-destructive (2, Funny)

Mdog (25508) | more than 12 years ago | (#2656176)

I'd still consider it non-destructive. It is only trying to keep itself alive, not destroy "unrelated" parts of your system.

159k, not 159 bytes (0)

Anonymous Coward | more than 12 years ago | (#2656063)

At least that's what Symantec says.

What about Badtrans? (2, Interesting)

MS (18681) | more than 12 years ago | (#2656066)

Did I miss a post or something?

Badtrans is hitting my mailbox multiple times harder than Sircam, MTX and CodeRainbow combined. And it's only been around since 24th November. Quite "every" Outlook user I know of got infected with it.

But then maybe this virus is hitting only Europe, so US-citizens haven't noticed it, yet.

Needless to say, I'm happy to read my e-mail on a *nix box. :-)

ms

got two this morning you have to run it (1, Troll)

johnjones (14274) | more than 12 years ago | (#2656070)

I got it but as I run linux it means nothing

you actually have to execute it, as opposed to using built-in scripts that outlook runs

so its the users that are spreading this !

people should not be able to receive attachments IMHO

what do they lose by outlawing attachments from outside the organisation ?

nothing

you want to send something to someone convert it to PDF/HTML and stick it on the web server

there are lots of publishing frameworks even OpenSource ones

deny all attachments coming through your gateway

regards

john jones

What more can Microsoft do? (1)

Osty (16825) | more than 12 years ago | (#2656076)

As these kinds of worms become more and more common, one has to wonder what more can Microsoft do? They've already released hotfixes that address the problems (Outlook XP strips attachments by default, older versions have fixes that do the same). Short of force-feeding the patches to users (which itself would garner a huge outcry), what more can be done?

Our office just got em' (2)

jon_c (100593) | more than 12 years ago | (#2656078)

First from the CEO, then from about 15 other co-workers. Right now the IT team is running around trying to figure out how to filter it out.

I peeked inside and found that it links to the VB runtime DLL. Unfortunately I can't tell any more than that at this point.

-Jon

Is it really so hard... (0)

Anonymous Coward | more than 12 years ago | (#2656080)

to personally sign the messages that you send to your friends and NOT use the built-in Outlook signature feature? It makes the mail much more personal, and can alert your friends that something might be wrong if they don't see your personal touch at the end of the message.

--ac

Already received it (2)

Anml4ixoye (264762) | more than 12 years ago | (#2656083)

I have already received 17 copies of the virus. But you know, following the rules that I teach in my Internet Basic class - don't open anything you aren't expecting, verify it first - worked charms in this case. The first person I got it from I called and they had no idea about it, which raised little red flags with me.

Is Outlook to blame? Sure, partially. But is stupid users who open attachments at random without verifying it also to blame? Absolutely.

Re:Already received it (0)

Anonymous Coward | more than 12 years ago | (#2656164)

And people wonder why I use Eudora? Every time this s*ht starts I have the fun of scooping the dead attempts to contaminate me out of the attachment directory ...

I haven't started getting it yet .... but I'm sure I will

Dr F.

Finding the culprit (5, Funny)

rkent (73434) | more than 12 years ago | (#2656084)

Well, since McAfee and Symantec are reporting it, I guess this is not a first draft of magic lantern... unless they issue another press release in 45 minutes saying "um... nevermind, there is no 'Goner' worm."

We got it via ICQ. (1, Interesting)

Anonymous Coward | more than 12 years ago | (#2656090)

Someone at my office got the virus by ICQ, then it killed our Exchange server. We had over 10,000 copies of the virus in the out queue before we could pull the server off the network. All this because one of the 2000 admins forgot to add *.scr back into the filter rules when he upgraded the anti-virus app last week.
Ain't life GRAND!

Outlook _can_be_ secure (1)

Matey-O (518004) | more than 12 years ago | (#2656092)

(lost some karma with THAT subject.)

Is it so tough to punt all attachments that aren't .txt or .zip?

Nimda aside (which gets in here on developers' IIS boxes), doing the above will prevent 99% of the stuff hitting Outlook in an enterprise.

(And having a really good virus scanner on the exchange server helps, too)
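Two posts in this thread (JMZero's "block .scr attachments at the server" and Matey-O's "punt all attachments that aren't .txt or .zip") describe the same gateway policy. The script below is an added example, not code from the thread, from Exchange or from any AV product, of that policy in Python's standard `email` module: it parses a constructed sample message, allow-lists only `.txt` and `.zip`, and judges each attachment by its final extension so that a double-extension name like the joke `Don't_Open_Attachments.eml.vbs` posted earlier is still blocked. The extension sets, the sample message and its attachment names are constructed assumptions for the example.

```python
"""Attachment allow-list filter for an inbound mail gateway.

Added example, not code from the thread or from any mail product. Policy
applied: deliver only attachments whose final extension is on a short
allow-list, block known executable types outright, and block anything
without a recognisable extension. Windows picks the handler by the final
extension, so that is the one that matters for 'report.txt.scr' style names.
"""
import email
from email import policy
from email.message import EmailMessage

ALLOWED = {".txt", ".zip"}                                          # assumed allow-list
EXECUTABLE = {".scr", ".vbs", ".pif", ".exe", ".com", ".bat", ".js"}  # always blocked


def extensions(filename):
    """All extensions of a filename in order: 'a.eml.vbs' -> ['.eml', '.vbs']."""
    parts = filename.strip().lower().split(".")
    return ["." + p.strip() for p in parts[1:]]


def classify(filename):
    """Return 'allow' or 'block' for one attachment filename."""
    exts = extensions(filename)
    if not exts:
        return "block"                      # no extension: unknown binary
    final = exts[-1]
    if final in EXECUTABLE:
        return "block"                      # catches double extensions too
    return "allow" if final in ALLOWED else "block"


def attachment_names(msg):
    """Filenames of every non-container part that carries a name."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_maintype() != "multipart" and p.get_filename()]


def filter_message(raw_bytes):
    """Parse a raw RFC 822 message and decide whether to deliver it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked, allowed = [], []
    for name in attachment_names(msg):
        (blocked if classify(name) == "block" else allowed).append(name)
    return {"blocked": blocked, "allowed": allowed,
            "verdict": "quarantine" if blocked else "deliver"}


def build_sample():
    """Constructed test message: the lure text from the thread plus three attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Hi"
    msg.set_content("How are you ?\nWhen I saw this screen saver, I immediately "
                    "thought about you\n")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="gone.scr")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="Dont_Open_Attachments.eml.vbs")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(filter_message(build_sample()))
```

Note the difference from the school's "block every message with subject Hi" rule mocked earlier in the thread: the decision here depends on what the attachment is, not on lure text that the next worm will simply change. A `.zip` on the allow-list still wants a scanner behind it, as the parent post says, since an archive can carry the same `.scr` inside.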

159 bytes? (1)

Fuzzums (250400) | more than 12 years ago | (#2656095)

159 KILO-bytes that is...

Symantec: http://www.sarc.com/avcenter/venc/data/w32.goner.a@mm.html
The worm has been packed using a known Portable Executable (PE) packer. The size of the worm unpacked is approximately 159 KB.

Re:159 bytes? (-1)

l33t j03 (222209) | more than 12 years ago | (#2656144)

Oh, so this thing is actually 159 kilobytes, not 159 bytes. Thanks a lot, I didn't believe the other 47 posts prior to yours that pointed this out, but yours put me over the top. You are one hell of a guy.

3 words (0)

Anonymous Coward | more than 12 years ago | (#2656103)

Linux
Apache
Sendmail

Quite Obvious (2)

Cylix (55374) | more than 12 years ago | (#2656104)

This one was very obvious. However, the bottom line is, never open any unknown executables and stay away from clients that have security issues.

An interesting question arose out of all this... I have had more than a few emails from people here at work that I don't know. I have to wonder how my email address ends up in so many address books.

Unfortunately most people won't have the benefit of strangers sending this message.

Oh beautiful corporate america, may your mail servers be forever fruitful.

An interesting quote (2)

SomeoneYouDontKnow (267893) | more than 12 years ago | (#2656106)

NEWS.COM has an interesting quote from David Perry of Trend Micro. He says, "Every time enough time goes by that people forget to be wary of these things, it pops up again. Apparently, we have to resign ourselves to the fact that education doesn't work."

How sad...but true. It's almost like that quote on the (I believe) CDW commercial, where the woman tells the IT manager something to the effect of, "I opened that virus just like you told us not to."

All it takes is a little diligence, and these things would be far less of a problem. Not even real diligence, just less stupidity on the part of users. I mean, a person would have to be living in a cave not to have heard about Melissa, I Love You, Code Red, SirCam, etc. When is it going to sink in that you shouldn't open unexpected e-mail attachments?

Oh, BTW, the original post stated that this thing is mostly non-destructive. I'm not so sure I'd agree with that assessment. If this thing is stripping out virus scanners and firewalls, it's opening up a machine for other types of attacks. I'd be a little concerned about that.

Why, oh why, do they keep opening these things? (1)

FireballFreddy (472710) | more than 12 years ago | (#2656107)

Has anybody else noticed:

1. These attachments usually get opened by the non-technical people in HR, or the supposedly technical people in remote offices, and the same people just keep opening them?

2. The actions of these few people limit the productivity of *everybody*.

I think companies should implement harsh policies against this. Open an attachment once, you get chastised by the IT department. Open another one and you get fined/fired. Natural selection... if they can't figure this stuff out, then they probably aren't smart enough for their job.

-FF

Re:Why, oh why, do they keep opening these things? (0)

Anonymous Coward | more than 12 years ago | (#2656117)

Have you tried to (re)boot the (l)users?

Now I have some extra ammo... (2, Redundant)

Rude Turnip (49495) | more than 12 years ago | (#2656112)

To explain to others why Windows-based firewalls like ZoneAlarm and BlackIce are inherently less secure than dedicated firewall devices and dedicated Linux firewall solutions...the fact that they run on Windows means they can be knocked dead by a virus.

And speaking of antivirus software...everyone at my company received a warning email about this virus today from the admin. I took the opportunity to reply back to his email with the following:

*****
On the topic of virii, McAfee and Symantec's Norton AV may be leaving a "backdoor" open in their future product updates to accommodate the FBI's Magic Lantern virus for Outlook. I doubt the government really wants to spy on us, but think of this:

As soon as someone figures out how to mimic Magic Lantern's signature/fingerprint/code/etc., crackers everywhere will have an easy way into any computer protected by McAfee or Norton AV. Wave good-bye to confidentiality. This is rather alarming. Here's a link to an article from Wired:

http://www.wired.com/news/conflict/0,2100,48648,00.html

Here is a link to an article on the topic from the Forum on Risks to the Public in Computers and Related Systems

http://catless.ncl.ac.uk/Risks/21.77.html

This is just a junior analyst's opinion, but I would begin seeking virus protection alternatives.
*****

installs takeover script (3, Informative)

Proud Geek (260376) | more than 12 years ago | (#2656122)

According to the Symantec page it will install robot scripts if you have mIRC installed. Add that to the 'really-is-harmful' list.

Microsoft and their security principles (0, Troll)

flipper28 (473369) | more than 12 years ago | (#2656126)

We're getting hit every day by a virus. Although our virus detection software picks it up, I can't help wondering why Microsoft products have so many security flaws.

Wouldn't you think that they would have pulled their socks up by now? It's not enough to say that Microsoft makes bad software because they're Microsoft or some large conglomerate. There must be a reason why (besides saying "use Linux").

Re:Microsoft and their security principles (1)

WildBeast (189336) | more than 12 years ago | (#2656158)

heuh? It's a virus, it should not be executed in the first place.

Non-destructive.... Read Again (1)

erpbridge (64037) | more than 12 years ago | (#2656128)

I think you need to read your descriptions again. Linked right off Network Associates' (McAfee's parent company) front page, this notification [nai.com] says that under Win9x/ME, this virus searches the running processes (processee?) for known names, such as ZoneAlarm, Norton AntiVirus, Norton Firewall (those are the only names I recognize in the list).

It finds those processes, kills them, and tries to clear out their directories. I'd call that destructive.

159 BYTES??? WRONG. (0)

Anonymous Coward | more than 12 years ago | (#2656131)

Nicely done, Tim! Read the Symantec write-up:

The worm has been packed using a known Portable Executable (PE) packer. The size of the worm unpacked is approximately 159 KB.

That's KB, as in kilobytes. Or KB, as in KayBee, the toy store you go to to amuse your childlike mind. God, y'all is some dumbasses. I admit though, had this bug compressed to 159, that truly would be remarkable. Sadly, that is not the case here at all, and the only remarkable fact is... well, you know.

block .scr extensions (1)

jark (115136) | more than 12 years ago | (#2656132)

Corporate IT folks ought to be blocking .scr extensions by default, either at the email gateways or using any virus scanning product that scans email before the mail is delivered to the mail server. Doing so would have ensured that your organization was not infected with this evil virus.

Within the first 12 hours since being notified of this virus, our organization has seen almost 1000 reports of .scr attachments being stripped, and we're handling only around 2000 email boxes!

This shouldn't need to be news anymore (1)

llamalicious (448215) | more than 12 years ago | (#2656137)

By this time in history, sysadmins of Windows networks and email servers who have a majority of users running Outlook should already have set up their systems to be unaffected by this type of worm.

Things like this can simply be disabled at the root by disallowing suspect extensions, like .scr, at the server level.

C'mon, why would you need to email screensavers around anyway... zip it and save some bandwidth.

True, many people need to send every other type of attachment, and it doesn't fix the basic problem M$ has with security in their products, but if the sysadmins don't do their job, it just helps guarantee the proliferation of these things.

that's my 2 cents; and I'd like a rebate.
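The gateway-side .scr stripping that jark and llamalicious describe, written out as an added example (not code from either poster or from any product). It assumes a Python mail gateway hook that receives the raw RFC 822 text; the blocklist beyond .scr and the sample message are constructed for the example, and the check keys on the attachment's last extension so a double-extension name like photo.JPG.SCR is caught too.

```python
import email
from email import policy
from email.message import EmailMessage, MIMEPart

# Extensions stripped at the gateway. .scr is the one this worm travelled as;
# the rest of the list is an assumption for this example, not a product default.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".vbs", ".exe", ".bat", ".com"}

def is_blocked(filename):
    """True if the attachment's *last* extension is blocklisted.
    Normalises case and trailing whitespace, so 'GONE.SCR ' and 'photo.JPG.SCR'
    are caught where a filter matching the literal string 'gone.scr' would miss."""
    if not filename:
        return False
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS

def _strip(part, removed):
    """Recurse through multipart containers, dropping blocked leaf parts."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        if not sub.is_multipart() and is_blocked(sub.get_filename()):
            removed.append(sub.get_filename())
            continue
        _strip(sub, removed)
        kept.append(sub)
    part.set_payload(kept)

def strip_blocked_attachments(raw_message):
    """Gateway step: parse raw message text, remove blocked attachments, append a
    plain-text notice for the recipient, and return (cleaned_text, removed_names)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    removed = []
    _strip(msg, removed)
    if removed:
        notice = MIMEPart()
        notice.set_content("Removed by gateway policy: " + ", ".join(removed))
        msg.attach(notice)
    return msg.as_string(), removed

def attachment_names(raw_message):
    """Filenames of every MIME part that carries one (used to verify the result)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample_message():
    """Constructed message shaped like the Goner mail: lure text plus .scr
    attachments. The attachment bytes are harmless placeholders, not the worm."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Hi"
    m.set_content("How are you ? When I saw this screen saver I immediately "
                  "thought about you...")
    for name in ("gone.scr", "photo.JPG.SCR"):
        m.add_attachment(b"PLACEHOLDER", maintype="application",
                         subtype="octet-stream", filename=name)
    m.add_attachment("meeting notes", filename="notes.txt")  # legitimate, kept
    return m.as_string()
```

The returned list of removed names is what the gateway would log, which is how a count like jark's "almost 1000 reports of .scr attachments being stripped" gets produced.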

Last Straw, the (0)

Anonymous Coward | more than 12 years ago | (#2656139)

This is the last straw. I have already talked to all of the relevant managers and we are slated to migrate all of our users' e-mail activity to Eudora starting in January.

We have always used Outlook/Outlook Express because it's "free" and requires a little less work setting up than Eudora (it's already installed for example).

But that convenience comes at a huge price, thanks to the freaks at Microsoft who decided that it was a good idea to create such promiscuous software.

"Hey guys, let's try to create an email client that runs untrusted code (Visual Basic of course) automatically! After that's done, we'll do the same thing with our word processing and spreadsheet software. And while we're at it, let's integrate it all really tightly with the OS -- for maximum destructive effect ^H^H^H^H^H^H usability. Excellent!"

The time for change has come. Just say NO to Outlook Express and Outlook!

DDoS (2)

Reckless Visionary (323969) | more than 12 years ago | (#2656143)

It doesn't just delete files. As Symantec reports [symantec.com]:

"If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DOS) attacks."

MS handling the bug (1)

Telastyn (206146) | more than 12 years ago | (#2656149)

Note that the most recent version of outlook says "This is a .scr, don't open this you moron." and prevents the user from opening it.

This is nothing. Wait a few days (4, Insightful)

ellem (147712) | more than 12 years ago | (#2656153)

This virus has two real goals:

1 -- Propagate
2 -- Disable Anti Virus

This worm is a setup. So in a few days the 31337 h4x0rs will release the REAL virus that does the REAL damage to the people whose defenses have been compromised.

I love being a Win Sys Admin

Anyone need an OS X admin?

Gartner group against ICQ (-1)

robvasquez (411139) | more than 12 years ago | (#2656155)

It had to happen

I'm waiting for a giant AOL Virus to sweep the nation!

Not just DoS from e-mail forwarding... (2)

Cutriss (262920) | more than 12 years ago | (#2656163)

Goner is apparently non-destructive other than the normal DoS issues with the load from it forwarding itself everywhere.

Per the Symantec virus warning, it will also use IRC bots to commit DoS attacks.

URL is wrong for antivirus info (1)

Electronic_castaway (531006) | more than 12 years ago | (#2656165)

I got one today and didn't get bit; I keep the Preview pane turned OFF. It works well to keep away those HTML emails that register who is opening their mail so they can keep you on as an active victim (err, client). Using simple precautions keeps away most virii.

Additionally, you can look and see what attachments are in a message in Outlook without reading the message.

In Outlook, right-click and select View Attachment. It will display something like "gone.scr".

BTW, the actual URL of McAfee's site is http://www.mcafee.com/anti-virus/ [mcafee.com]

159 KB not 159 bytes (1, Redundant)

weezel (6011) | more than 12 years ago | (#2656171)

From the Symantec link:

The worm has been packed using a known Portable Executable (PE) packer. The size of the worm unpacked is approximately 159 KB.
Is it too much to expect the editors of Slashdot to even begin to do their jobs?