Just another example of why Outlook sucks. And makes every person that has been using e-mail from pre-outlook days wonder why Microsoft had to force this vile program onto the masses.

If you haven't heard of it yet, you soon will. I'm sure The Media will have a field day with this. It will probably be all we hear about for the next 48 hours. Oh Boy, I can hardly wait.

More info: it apparently has a nasty payload too. It messes with MIRC to replicate itself further. It traverses your drives and copies itself over any JPEGs, MP3s, javascript files, and more.

Even more: It copies itself to your system directory and to your windows (or winNT) directory. It then adds entries into the registry to start these up when you reboot. It then attempts to download the file WIN-BUGSFIX.exe from one of 4 random places if you have the file WinFAT32.exe. It copies itself over any vbs, vbe, js, jse, css, wsh, sct, or hta files changes the extenstion to vbs if it wasn't already. It also overwrites any jpg or jpeg files and renames them to the same thing appending the extenstion vbs. If it finds any mp3 files it creates a new file by the same name with a vbs extenstion, this new file is a copy of itself. If you have MIRC it modifies the script.ini file to send itself to people. It appears that when you join a channel it will send itself to anybody in that channel. It also does some other things with the registary that I'm not to sure about. Kurt "The Pope" has a writeup on it, but his website was /.ed before I could read it. Also the source code is now widely available since the programmer didn't do anything to try to hide it. Acording to the first 2 lines of it this virus came from Manila, Philippines by somebody going by the nick spyder.

I know this is an incomplete description I do not know VBScript nor MIRC very well.

DoN'T rEAD +H15 N0d3!!!

Then dem bones dialed #91 and spoke to me through the dial of my phone. "Please," he begged me (ever notice how small the noding vocabulary really is?), "add a writeup to that node; then people will be able to save themselves from certain immediate irrefutable irreversible indelible extinction by voting it up and cooling it."

I have but complied with the wishes of the Everything Gods.

"I have no idea how it got through the firewall," Ms Ghesquiere said. "It's supposed to be protected."

I don't see how a firewall can protect from something it's not been told about. Are there any firewalls or virus detectors around that would guess that this payload was a virus by its activity?

This worm sounds very pernicious (from what I've read). However, any scripting language could have been used on any platform to much the same effect. (Convince the user to launch you, find out what platform you're running on, find a nearby LDAP server, send out copies, install in startup (user login under *nix - no need to mess with inaccessible system files). I can certainly visualise how I'd do it on Linux...) M$' dominant position has, again, cost a large number of companies a large amount of money.

• User sees attached wibble.doc and opens it in StarOffice/WordPerfect/??
• Virus is lucky and has a compatible payload - DocOpen event is triggered and the script runs.
• Virus is lucky and the script environment actually supports the ability to run other programs.
• Virus checks out the platform it's running on (OS, desktop environment, wordprocessor, network access, etc) and decides on best way of replicating.
• Virus constructs new virus based on this information.
• Virus searches for regexs that look like mail addresses in files under $HOME and mails the new virus out.
• Virus dumps some nice, quiet start up scripts in the user's rc files. These start very quiet background processes that poll for access to the internet and open an IRC connection if possible. Ideally the virus can use PERL for this...
• Virus forks and does whatever else it fancies to the user's files...

This thing here, it just walks through the totally open front door, and fucks the system every which way.
This tells you two things:

1. Users are fucking stupid creatures
2. Microsoft's design is even more fucking stupid

1. The first mistake in design is that a mail client allows you to execute a random piece of code that you got from the net.
   The designers should have asked themselves: Is this really a typical user activity ? or Is this a security hole that someone will exploit ? which basically means "Should this be made convenient like renaming a file or inconvenient like formatting a hard disk ?" - my take would obviously be "inconvenient as hell, and maybe more".
2. The second mistake is in user interface design: the interface should make forcefully clear that what you are going to do is FUCKING DANGEROUS. The mild mannered Windows warning dialog, with its lengthy chat, just does not cut it.
3. The third mistake lies in user training. It is assumed that users will understand what they do, but in reality they do not. I see it all the time: the project I work in has some fairly large mailing lists, used by absolute beginners.
   They get a Word document from someone who has just graduated from chalk+blackboard to a keyboard, and cheerfully open and run the macros. And then forward the infected documents to the rest of the list.

Consider a virus that is a Linux x86 executable: I could uuencode it, and mail it to my buddies. And it would never survive, because my buddies have the training not to run an executable coming from an unknown source (point 3), and because many tipical Unix mail clients (pine, mutt, ...) do not give you any facility for one-touch uudecoding and running of random crap of unknown origin (point 1).

I'm sure if you read your email with a text-only reader this would not be a problem. If you used a rock instead of a computer it would also not be a problem!

Why is it Microsoft's fault? Becuase they innovate and have advanced scripting integrated between most of their products?

No, don't worry about logicaly debating your case, just vote this down and further prove my point that you have no point!

EE: The user sees (typically) hundreds of messages with the same subject, and no body, and an attachment... they willingly execute this attachment (no, it is not automatically executed on preview), as they would any executable they have downloaded from the internet... and then their data is destroyed (not 'stolen'). After the user willingly double-clicked this app I'm sure they will have the sense to go through your 8,000 step procedure and defeat your security system in order to see ther important love letter. What you're saying is that everyone should wear a helmet because someone might throw a rock! How about retards that go around executing blatant 'vruses', maybe they should get educated! Linux isn't the most user friendly OS...it is no nonsense and the few who know every last command for vi benefit from it. I dont see any userfriendly features of Linux... the first time I used vi I couldn't work out how to exit it... I'm not saying this is a bad thing... just pointing out that Linux users learn the system, and maybe internet users should learn how to be responsible instead of making everyone else pay for their stupidity and ignorance! Do you want linux to migrate to a MacOS style to accomodate the influx of Linux newbies thats coming (yeah, anytime now)... "No I'm sorry, you cannot know what you are doing as this may lead to wanting to get power out of the system, which is forbidden. Please resume pointing and clicking." I have the opportunity to try a dd to /dev/mem ...it may not be useful, but dammit I like my right!

Making this happen by default in order to support an operation that should be uncommon (executing non-authenticated code recieved through e-mail, the equivalent of lending your machine to a stranger for a day, without supervision) is in my opinion bad user interface design.

Guns are commonly designed with safety catches; if we were selecting a gun to give to everybody, I assume we would pick one with a safety catch, even though the catches aren't strictly necessary if the user is careful. We should go to at least the same level of protection for MUAs; though the consequences usually are less severe with a mailer mishap, guns are, after all, designed to kill, while this is (hopefully) not a common design goal for MUAs. Thus, we can expect people to be somewhat more careful around guns than they would be around MUAs.

If I was to support executing content directly from the MUA at all, I would have done the following things to restrict damage:

• Default to not running executable content on double-click, instead displaying a requester telling about the dangers of executing code on your machine, about the ease of forging e-mail, that firewalls will not protect you against this, and of where the user can change the preferences to allow execution.
• Allow execution with or without a warning each time execution is attempted (after the above option has been changed to allow it at all.) I'd probably do this by allowing execution of the executable that triggered the last warning before enabling of execution, but coming up with a warning (with a disable button) each time afterwards (until the user disable the requester.)
• Allow execution in a sandbox, where the executing program does not get write access or access to create outbound network connections, and the output from the program is displayed in a controlled fashion, avoiding spoofing for passwords and similar.
• (If possible) Allow execution with other types of lowered access, e.g. popping up a requester before allowing writes to proceed.

This isn't enough to give perfect security, but it creates a much safer environment, and one where users are automatically taught about the dangers of their actions. The cost is at two levels - the user that actually know what she is doing lose 30 seconds disabling the protection, and the implementor of the program lose time implementing the security features.

I think this is a reasonable cost, and that not taking it is irresponsible.

Date: Wed, 10 May 2000 19:07:34 -0400 (EDT)
From: XXXX XXXXXX XXXXX 
To: XXXXXX X XXXXX 
Cc: geekhumor@umich.edu
Subject: Re: ILOVEYOU

Sorry, the user of this machine is infected by the IMNOTREADYFORACOMMITMENT
virus, and is therefore incapable of responding appropriately to your
thoughtful message. Unlike software viruses, IMNOTREADYFORACOMMITMENT is a
wetware virus, transmitted by the Y chromosome. Those stricken by the dreaded
IMNOTREADYFORACOMMITMENT virus cannot be helped by standard interventions such
as anti-virus software. Completely reformatting these hapless individuals
might work, but unfortunately there are no safe, reliable methods for doing so
at this time. There is some evidence that the IMNOTREADYFORACOMMINTMENT virus
might go into remission after 10 to 60 years of torturing its host. Good bye,
good luck disinfecting your computer, and be thankful that you do not carry
the dreadful Y chromosome!

On Wed, 10 May 2000, XXXXXX X XXXXXX wrote:

>
> kindly check the attached LOVELETTER coming from me.

:0
* ^Subject: ILOVEYOU$
EXITCODE=67

this will bounce anything sent through that mail server, both incoming and outgoing messages.
hasta la vista, stupid macro virus!

any reason why this was voted down? is it technically incorrect? does it already cover something discussed above? if so please let me know and i will have it modified or removed. i do not want to spread stupidity.