In this case, it is the IDIOIT users. You tell them time and time again DONT CLICK ON ATTACHMENTS UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE SENDING IT. The problem is dumb users who DONT LISTEN. This is mostly the office crowd. The real imbeciles are people operating a broadband connection without a license. Letting a computer illeterate, typical beer guzzling, porno hunting hick have a computer with a DSL/cable connection should be a capital offense. Those are where most of the zombies are located. When you use words like "attachment" and '.exe' with them, their eyes just sort of glaze over. "Hey, all I do is point and click and it just works". We need to cleanse the gene pool of these kinds, or at least take away their dsl connections. ----- Original Message ----- From: "Sam Stickland" <sam_ml@spacething.org> To: "Curtis Maurand" <curtis@maurand.com>; "Todd Vierling" <tv@duh.org> Cc: <nanog@merit.edu> Sent: Monday, March 01, 2004 10:06 Subject: Re: Possibly yet another MS mail worm
Curtis Maurand wrote:
On Mon, 1 Mar 2004, Todd Vierling wrote:
On Mon, 1 Mar 2004, Curtis Maurand wrote:
Sure they do....its called COM/DCOM/OLE/ActiveX or whatever they want to call it this week. Its on every windows system.
No, my point was that the majority of newer trojan mail viruses don't depend on ActiveX exploits -- they simply wait, dormant, for a n00b to click on this mysterious-looking Zip Folder, and the mysterious-looking EXE inside.
It's as if the modern e-mail viruses are closer to human infections. Only the clueful are immune. 8-)
The latter is very true.
My point is that the COM/DCOM/OLE/ActiveX is what allows for a script in an email message that gets executed to have access to the rest of the system, rather than executing within a protected sandbox. Of course scripts within email messages shouldn't execute at all. Once they do execute, they have access to the OLE objects on the machine. Its a security hole big enough to drive a tank through.
I don't think that defines the problem very well. The current Bagle.C virus does the following:
"W32/Bagle-C opens up a backdoor on port 2745 and listens for connections. If it receives the appropriate command it attempts to download and execute a file. W32/Bagle-C also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.
Adds the value:
gouday.exe = <SYSTEM>\readme.exe
to the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/Bagle-C runs every time you logon to your computer"
It also uses it's own SMTP engine to replicate itself. So effectively it's opening a connection to port 80 (from an unprivileged port), listening on port 2745 (an unprivileged port), and opening connections to port 25 (from an unprivileged port).
Maybe I'm missing something here, but where does access to OLE objects come into play? Also this virus would appear to function just as well even if a non-adminstrator user opened it.
Sam