Clueless users hit by another worm
by Arie Slob
Hello Windows users,
Here we go again.....
After the recent spate of Badtrans.B infections, a new worm made its presence felt this week. Known by the name "Gone" or "Goner", it is a simple Visual Basic program. And it uses what still seems to be the best way to get people to spread the virus and infect themselves: social engineering.
The only way the virus can be activated is if the attachment from an infected e-mail is run. The e-mail will typically be from a person you know, but both the subject and the body of the message are dead giveaways. The subject simply reads "Hi", and the body reads: "How are you? When I saw this screensaver, I immediately thought about you. I am in a harry[sic], I promise you will love it." Attached is a file called Gone.scr, which is a copy of the virus. The .scr extension (normally used for screen savers) tricks the curious into running the file.
When run, the worm attempts to shut down several known Anti Virus software systems and Firewall software such as AtGuard's Personal Firewall, ConSeal's PC Firewall, Kaspersky Lab's AVP, Network Associates' McAfee VirusScan, Symantec's Norton Antivirus, Zone Labs' ZoneAlarm and others by deleting the executable file and all files contained within the same directory and subdirectories where the given file resides. If the files are in use and cannot be deleted, the file %SYSTEM%\Wininit.ini is created, and is used to delete the files when the computer restarts.
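The Wininit.ini step described above leaves a trace that can be checked before the next restart. On Windows 9x, a `NUL=<path>` line in the `[rename]` section of Wininit.ini queues that file for deletion at boot. The following is an added example, not code from the article: the sample file contents and the protected directory names are constructed for illustration.

```python
import ntpath

# Constructed sample of a Win9x Wininit.ini; the paths are made up for this example.
SAMPLE_INI = r"""[rename]
NUL=C:\PROGRA~1\AVSCAN\AVSCAN.EXE
NUL=C:\PROGRA~1\AVSCAN\DEFS\SIGS.DAT
C:\WINDOWS\SYSTEM\NEW.DLL=C:\WINDOWS\TEMP\NEW.TMP
NUL=C:\PROGRA~1\FWALL\FWALL.EXE
"""

# Hypothetical install directories of the security products on this machine.
PROTECTED_DIRS = [r"C:\PROGRA~1\AVSCAN", r"C:\PROGRA~1\FWALL"]


def pending_deletes(ini_text):
    """Return the paths queued for deletion (NUL=<path>) in the [rename] section.

    configparser is not used: [rename] repeats the NUL key once per file,
    and a strict INI parser rejects duplicate keys.
    """
    section, queued = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "rename" and "=" in line:
            dest, src = line.split("=", 1)
            if dest.strip().upper() == "NUL":
                queued.append(src.strip())
    return queued


def security_files_at_risk(ini_text, protected_dirs=PROTECTED_DIRS):
    """Return queued deletions that fall inside a protected directory."""
    roots = [ntpath.normcase(ntpath.normpath(d)) for d in protected_dirs]
    hits = []
    for path in pending_deletes(ini_text):
        norm = ntpath.normcase(ntpath.normpath(path))
        # Compare on a directory boundary so AVSCAN does not match AVSCAN2.
        if any(norm == r or norm.startswith(r + "\\") for r in roots):
            hits.append(path)
    return hits
```

Any hit means a security product's files are scheduled for removal at the next restart, so the entries should be reviewed and the file cleaned before rebooting.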
It will spread by mailing itself to the contacts listed in the infected user's Outlook Address Book. The worm also attempts to send itself through ICQ if it is installed on an infected computer. The worm sends a file transfer request to a contact of an infected user who appears to be on-line (in any mode), and if that person approves the file transfer, the worm sends its file to that person. This way all ICQ contacts of an infected user will get the worm.
If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DoS) attacks. The IRC channel used for controlling the worm is currently blocked by IRC Operators, preventing this functionality.
The rate and speed of the infection show that users are still opening any file sent to them without a second thought. Do I think this is ever going to change? No, I do not.... My "diatribe" last week was mainly due to the fact that the automatic running of this virus could have been prevented if the correct system update had been installed. This latest worm just shows that I shouldn't have bothered about it.....
And yes, I do agree, Microsoft is largely to blame for their lack of security in Outlook & Outlook Express. They are slowly changing this, but it is going to take years before the majority of users will run the latest (and more secure) software. And as you can see in the article below, Microsoft still doesn't get it right.....
Microsoft's Outlook Express 6 "E-mail attachment security" Flawed
Microsoft added a security setting to Outlook Express 6: "Do not allow attachments to be saved or opened that could potentially be a virus". This setting is not enabled by default, but Microsoft suggests it in a document entitled "Using Virus Protection Features in Outlook Express 6".
I had even suggested myself that this should have been set as default, to reduce the number of worms spreading, due to the fact that most people just seem to open any and all attachments they receive, without giving it a second thought.
But this week I was contacted by David McSpadden, a Network Administrator from the Indiana Members Credit Union, who asked me for some advice on a problem he seemed to be having: when he tried to forward an e-mail with a "blocked" attachment, the attachment became available to be run or saved!
I did a little test myself, and must admit that he is right. That renders this "security" option useless.
When contacted, a person from Microsoft's Security Response Center wrote in an e-mail: "The capability to forward an email with an attachment is a feature in Outlook Express that is by-design. As you mention, Outlook Express does allow the blocking of unsafe attachments.
It looks like Outlook Express successfully blocked the attachment in the Inbox for David McSpadden.
It is important for users to recognize that greyed-out attachments are not safe to be opened and, users should be deleting, not forwarding an email with a greyed-out attachment."
Do I need to say more??? (It's a "feature" not a bug!)
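Because the client-side block does not survive a forward, a check applied to the message itself, for example at a mail gateway, has to look at attachments wherever they sit, including inside a forwarded message. The following is an added example, not code from the article or from Microsoft: the addresses and attachment bytes are constructed, and every extension in the block list other than .scr is an assumption.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# .scr comes from the article; the other extensions are an assumed block list.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}


def risky_attachments(msg, depth=0):
    """Return (forward_depth, filename) for each risky attachment, following
    message/rfc822 parts so a forwarded copy is checked like the original."""
    hits = []
    if msg.is_multipart():
        # A message/rfc822 part wraps a whole forwarded message: one level deeper.
        step = 1 if msg.get_content_type() == "message/rfc822" else 0
        for part in msg.get_payload():
            hits += risky_attachments(part, depth + step)
    else:
        # Trailing dots and spaces are stripped so "Gone.scr." is still caught.
        name = (msg.get_filename() or "").strip().rstrip(". ")
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            hits.append((depth, name))
    return hits


def build_sample():
    """Constructed sample: the mail the article describes, then a forward of it."""
    original = EmailMessage()
    original["From"] = "friend@example.com"
    original["To"] = "user@example.com"
    original["Subject"] = "Hi"
    original.set_content("How are you? When I saw this screensaver, ...")
    original.add_attachment(b"constructed placeholder bytes",
                            maintype="application", subtype="octet-stream",
                            filename="Gone.scr")
    forward = EmailMessage()
    forward["From"] = "user@example.com"
    forward["To"] = "colleague@example.com"
    forward["Subject"] = "Fw: Hi"
    forward.set_content("Forwarding this.")
    forward.add_attachment(original)  # attached as message/rfc822
    # Round-trip through bytes so the scan sees what a mail gateway would.
    parse = lambda m: message_from_bytes(m.as_bytes(), policy=policy.default)
    return parse(original), parse(forward)
```

The scan reports the same file at depth 0 in the original and at depth 1 in the forward, so the decision to strip or quarantine does not depend on how the message reached the recipient.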
Web Site Updates
These pages were added/updated in the past week. Information on previously updated/added pages is available on the What's New? page for 1 month.
Added: Palm.net Users to Lose Personal Information Management Features
Added: Faster Systems = Increasingly Power-Hungry Super Processors
Added: Gator's Pop-Up Advertising Under Fire
Added: Office XP for $150?
Added: Microsoft's Outlook Express 6 "E-mail attachment security" Flawed
Added: Save Windows Update Downloads
Added: Disable Search Assistant
Updated: Frequently Asked Questions (FAQ)