New Virus Can Strike Via HTML E-Mail

cmeans and lots and lots of others have pointed us to this MSNBC article article about yet another e-mail virus. Quote from the story: "The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT." ZDNet also has a story about this "Bubbleboy" virus. Update: McAfee weighs in too. (Thanks, Jade.) Consider yourself warned.

Which is worse? Virii or their names?

You know, whenever I read some really good piece of science fiction, the terror is never caused by something called BubbleBoy...or Melissa, or Good Times, or any of these other stupid names.

At this rate, when some genetic mutagen is released that destroys all of mankind, it'll probably be called the Pokemon virus.

[/tongue in cheek]

- JoeShmoe

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

A security flaw in Microsoft software?????

"In fact, it's unclear exactly how users of HTML-enabled e-mail readers can protect themselves from such viruses."

Um, how about ASKING the user if they REALLY want to send all of those emails??? Web pages can't do any real damage by themselves (except by replicating), unless of course they use java to do something nasty.

Of course this begs the question, who _needs_ html email? I mean, do you actually spend hours designing a page to send to someone? HTML emails are big downloads and irritating. Email readers should only look at basic tags (a la slashdot), and not "embed" tags.

Oh, I'm sorry, the users _requested_ that feature bloat for IE 5.0! How silly of me!

Active content in emails.

I'm increasingly worried about the ability to send active content in emails... above and beyond people who blindly execute attached files (user stupidity), it's getting to the point where just
READING email can actually spread a virus. Remember the big scare when people realized that Eudora would open up Java applets without asking permission ? I always wondered how netscape mail or Eudora would handle Meta refresh tags...

Anyway, I avoid the whole thing by sticking to good old-fashioned ASCII-mail. Now if only all my co-workers could do the same... *sigh*

Official Virus Information and Security Patch

It appears that Symantec has already analyzed this virus. This article [excite.com] mentions that the the virus may be protected by an August Microsoft IE5 ActiveX security patch.

Symantec posted this advisory of the VBS.BubbleBoy here
http://www.symantec.c om/avcenter/venc/data/vbs.bubbleboy.html [symantec.com].
It contains details of what the virus does, where it goes into the registry and how to protect yourself.

If you already do not have that security patch from Windows Update [windowsupdate.com], you can download the patch from
http://www.microsoft.com/s ecurity/Bulletins/ms99-032.asp [microsoft.com].

This is kinda scary... as we have always taught people that you cannot get a virus by reading mail, only opening attachments. I hope this doesn't become a growing trend.

This is *not* just another email virus

Read the article, folks. This is the email virus.

That is, it runs on its own, without the recipient having to open any attachments. All they have to do is open the email itself (or, in Outlook Express, just point at the email so that it shows up in the preview pane), and they're infected.

This is a big deal.

Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attechments."

Now, this particular virus (well, technically it's more of a worm) isn't too malicious (except that, like Melissa, it could clog the hell out of mail servers), and mails itself under a goofy subject line so that you can be on the lookout for it. (Of course, I'm not sure what being on the lookout for it would accompish if you're running Outlook Express, since there's really no way to delete it from your inbox without first selecting it...which is enough to run the virus.)

But it's a proof-of-concept, and a scary one at that. It just changes the name and organization your computer is registered to and forwards itself to your address book, but the point is that it was screwing around with your registry, and it could have done whatever the hell it wanted to.

Now...there is some good news here.

Namely, this is perhaps the first time in history when Microsoft actually had a patch for a new exploit *before it was released to the public*!! Yes, that's right, this email virus works in exactly the same manner as one of those web-page exploits a couple months back, for which MS has had a critical update patch on Windows Update for several weeks now. Essentially what it does is take advantage of some very very stupidly permissioned ActiveX commands that lets an untrusted source save a certain type of file (.HTA) to your Startup directory...thus allowing them to run arbitrary code upon reboot (shouldn't have to wait too long...ok, so that was a cheap shot).

So, the good news is that my Win98 partition was already immune from this exploit, and hopefully so are many other people's. Of course, I can understand people not wanting to be on the bleeding edge of MS's security patches, because running everything MS throws at you can get you burned as well.

As for what I'm sure the mainstream /. response to this will be--i.e., this sort of thing is inevitable with HTML email, why can't everyone just use Pine for email and ftp instead of attachments, and while we're at it let's replace all our PC's with teletypes hooked up to a PDP-11--I'm not so sure. IMO, it's a Good Thing that feature-rich email is here to stay, and in the long run there's not so much reason for email to be any more secure than browsing; if a computer can be compromised through its browser, then that's unacceptable right there.

On the other hand, I have very little doubt that, as we expand into XML and all these other new technologies, short-sided security permissions are going to bite us (especially those of us that use MS products) in the ass again and again and again, probably with no end in sight until we stop coming up with new features. It's a rather scary trade-off to have to make, and even scarier that 95% of the world has Microsoft making all the decisions for them...

Re:Which is worse? Virii or their names?

Already been done.

Pokemon is a memetic contagion from Japan. Since virii are not necessarily biological or cybernetic, this perspective works.

We can even classify it. It's a derivative of the 'pet rock'meme-virus of the mid-70's, but in a much more aggressive form. This virus resembles the Beanie-baby and Furby virii except that it infects only young meme environments which have not yet been able to develop immunity to Fad-class virii..

This immunity requires that the marketing-service ports be shut down unless absolutely needed. The procedure for establishing such immunity is typically referred to as 'jading'. Once a potential host is adequately jaded, it is much less likely to be infected by this, and further mutations of the fad-class virii...

Disillusionment is good.