I bring a
quote from the BBC website:
"I have no idea how it got through the firewall," Ms Ghesquiere said. "It's supposed to be protected."
I don't see how a firewall can protect from something it's not been told about. Are there any firewalls or virus detectors around that would guess that this payload was a virus by its activity?
This worm sounds very pernicious (from what I've read). However, any scripting language could have been used on any platform to much the same effect. (Convince the user to launch you, find out what platform you're running on, find a nearby LDAP server, send out copies, install in startup (user login under *nix - no need to mess with inaccessible system files). I can certainly visualise how I'd do it on Linux...) M$' dominant position has, again, cost a large number of companies a large amount of money.
- User sees attached wibble.doc and opens it in StarOffice/WordPerfect/??
- Virus is lucky and has a compatible payload - DocOpen event is triggered and the script runs.
- Virus is lucky and the script environment actually supports the ability to run other programs.
- Virus checks out the platform it's running on (OS, desktop environment, wordprocessor, network access, etc) and decides on best way of replicating.
- Virus constructs new virus based on this information.
- Virus searches for regexs that look like mail addresses in files under $HOME and mails the new virus out.
- Virus dumps some nice, quiet start up scripts in the user's rc files. These start very quiet background processes that poll for access to the internet and open an IRC connection if possible. Ideally the virus can use PERL for this...
- Virus forks and does whatever else it fancies to the user's files...
Evidence exists that the virus actually started on
Everything..!