
LovSan Clone Let Loose

JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."
This discussion has been archived. No new comments can be posted.

  • Cloning.. (Score:5, Funny)

    by Stalus ( 646102 ) on Thursday August 14, 2003 @08:19PM (#6701701)
    Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.
  • by cesman ( 74566 ) on Thursday August 14, 2003 @08:20PM (#6701724) Homepage
    I'm starting to feel left out.. Maybe I'll install Windows on a box and join the fun.
  • by Black Parrot ( 19622 ) on Thursday August 14, 2003 @08:21PM (#6701727)


    > Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.

    The scary part is that if they mutate and interbreed we could end up with a virus with four asses.

  • Phew (Score:4, Funny)

    by tarquin_fim_bim ( 649994 ) on Thursday August 14, 2003 @08:22PM (#6701742)
    "All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update."

    Guess they were just damned lucky there.
  • by Anonymous Coward on Thursday August 14, 2003 @08:22PM (#6701745)
    Woot, new way to make money:
    1. Capture virus
    2. Rerelease it so it's harder to stop, harder to detect and more harmful
    3. PROFIT!!!
  • by Black Parrot ( 19622 ) on Thursday August 14, 2003 @08:23PM (#6701750)


    If we're lucky the power will be out and the worms won't be able to carry out their attack.

  • by 3seas ( 184403 ) on Thursday August 14, 2003 @08:25PM (#6701770) Homepage Journal
    Those in the US north east and south east Canada.....

  • News Flash (Score:5, Funny)

    by ReyTFox ( 676839 ) on Thursday August 14, 2003 @08:27PM (#6701778)
    SCO declares that it holds the copyrights to LoveSan and demands that all clones pay a $1500 licensing fee.
  • by Anonymous Coward on Thursday August 14, 2003 @08:28PM (#6701792)
    I am feeling left out. That worm is striking everything. Please, worm writers, try it out under WINE (http://www.winehq.org) before you release that worm. Better yet, write your worms in something cross-platform like Java. Oh wait, Java doesn't have buffer so you can't do buffer overflows so most worms won't work. Never mind.
  • by thanjee ( 263266 ) on Thursday August 14, 2003 @08:37PM (#6701863) Journal
    Lovsan is a proprietary product of SCO. All users who are running Lovsan on their computers without a license will face charges of $5,000.
    Licensing fees start at $699 for home users.
  • by alonsoac ( 180192 ) * on Thursday August 14, 2003 @08:42PM (#6701899) Homepage Journal
    No seriously, I once was regarded by friends and family as the guy who could fix their computers. Now they call like crazy saying their PC is rebooting and I don't know what the hell they are talking about. Then I read about the virus and tell them what to do but of course I wouldn't know if it will work (or why it didn't work) since I don't have an infected machine to try it. This has made me look like an idiot plus I'm here working all day while my friends enjoy a couple days of forced vacations while someone has time to fix their machines. Grrrr..

  • by ihummel ( 154369 ) <ihummel.gmail@com> on Thursday August 14, 2003 @08:49PM (#6701953)
    We at CodeWeavers are proud to announce our new product: Crossover Blaster. This new piece of software for the Linux operating system will provide the same quality that you've come to expect from Crossover Office, but this time with the very popular Blaster worm (known to some as LovSan). It will even work with clones of the worm.

    Finally, all the Linux users who have felt left out can participate in the reboot fun. It is a bargain for $50. See www.crossoverblaster.devnull for more details.


    Disclaimer: I do not work for CodeWeavers. My views are purely my own.
  • by Un pobre guey ( 593801 ) on Thursday August 14, 2003 @08:56PM (#6701995) Homepage
    I'm sure many people here have done voluntary tech support for friends and family. What do you find to be the most frequent problems?

    Most common "problem" I have seen is that people do the following:

    1) Get a computer, with OS and some software installed

    2) Use the computer

    3) If buy commercial software, install it, hitting OK every time it appears

    4) If download arbitrary software from the net, install it, hitting OK every time it appears

    5) If computer seems sluggish or something seems wrong, do one or more of the following:

      • Go to the Program Files directory (of course it's Windows) and delete one or more directories containing programs you recall having installed recently
      • Hunt around the hard disk and delete things that don't look right
      • Buy software that supposedly fixes your system, and run it several times consecutively, choosing different options each time
      • Reboot
      • Re-install the operating system

    6) Go to 2)

    This algorithm is run continuously for several years.

  • by couch_potato ( 623264 ) on Thursday August 14, 2003 @08:57PM (#6702006)
    I think we all agree that outside of a research environment, virus/worm writing is the lowest form of geekery.

    Wrong. It's still a step above Star Trek conventions.
  • by jprupp ( 697660 ) on Thursday August 14, 2003 @09:01PM (#6702037)
    Hey AV experts, just wait till the 17th to post a fix, please?, in the meantime, have fun, enjoy the beach, watch windowsupdate.com as it goes DoSed, what a wonderful life!. At last a virus that goes to the source of the problem. hehehe I think I'll get some Karma for saying this, well, some Karma is not too bad!.
  • by Anonymous Coward on Thursday August 14, 2003 @09:15PM (#6702133)
    Agreed, my moose couldn't read it either.
  • by Anonymous Coward on Thursday August 14, 2003 @09:19PM (#6702158)
    Perhaps luck had nothing to do with it...it'll probably turn out that the entire east coast power grid is controlled by a single unpatched WindowsME box.
  • by NanoGator ( 522640 ) on Thursday August 14, 2003 @09:26PM (#6702199) Homepage Journal
    "Wrong. It's still a step above Star Trek conventions."

    Off-topic? By Grabthar's Hammer, I shall avenge you.
  • by codepunk ( 167897 ) on Thursday August 14, 2003 @09:27PM (#6702205)
    Damn if you are going to write a worm make it do some damage. You black hats are really starting to bore the shit out of me.

    For instance take this worm and add the ability for it to seek the network for every single excel spread sheet it can find and randomly mix up a couple of cell values. Then have it set the access time back to the original.

    Hell just write a few bytes to a random location in any file you can access.

    Come on black hats, quit boring me!
  • by Nucleon500 ( 628631 ) <tcfelker@example.com> on Thursday August 14, 2003 @09:42PM (#6702287) Homepage
    I'm told it works in Wine.
  • by LordLucless ( 582312 ) on Thursday August 14, 2003 @09:45PM (#6702305)
    That's right, Microsoft nuked the power station to offset the bad worm publicity.

    Damn, Slashdot needs a "+1 Paranoid" mod
  • by Anonymous Coward on Thursday August 14, 2003 @09:55PM (#6702380)
    My parents' Windows 2k and Windows XP boxes are safe from this bug, thanks to a single, very basic security fix: rename the Administrator account, make sure it has a password, and then make sure no other user has Administrator rights on the computer.
  • by dark-br ( 473115 ) on Thursday August 14, 2003 @10:28PM (#6702604) Homepage
    All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

    To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and need root permission to be listened to)

    Now you can actually *see* when the worm tries its futile attack on your superior OS.
    // begin mblaster_l.c

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #define PORT 135

    int main(void)
    {
        int sock_f;
        struct sockaddr_in sockaddr_l;
        socklen_t len_s;
        struct sockaddr_in remote_a;
        char buffer[4096];
        int remote_p;
        ssize_t n;

        /* TCP socket for the listener */
        sock_f=socket(AF_INET,SOCK_STREAM,0);
        if(sock_f==-1) { printf("Error: %s \n","Could not create socket"); return 1; }

        /* listen on every local address, port 135 (needs root: port < 1024) */
        sockaddr_l.sin_family=AF_INET;
        sockaddr_l.sin_port=htons(PORT);
        sockaddr_l.sin_addr.s_addr=INADDR_ANY;
        memset(&sockaddr_l.sin_zero,0,8);
        if(bind(sock_f,(struct sockaddr*)&sockaddr_l,sizeof(struct sockaddr))==-1)
        { printf("Error: %s \n", "Could not bind socket"); return 1; }

        if(listen(sock_f,30)==-1) { printf("Error: %s \n", "Could not listen to socket"); return 1; }
        while(1)
        {
            /* accept() overwrites len_s, so reset it for every connection */
            len_s=sizeof(remote_a);
            if((remote_p=accept(sock_f,(struct sockaddr*)&remote_a,&len_s))==-1) continue;
            /* recv() does not terminate the data: keep one byte for the NUL */
            n=recv(remote_p,buffer,sizeof(buffer)-1,0);
            if(n==-1) { close(remote_p); continue; }
            buffer[n]='\0';
            printf("Received data from %s \n",inet_ntoa(remote_a.sin_addr));
            /* the payload is binary, so %s stops at its first NUL byte */
            printf("%s",buffer);
            close(remote_p);
        }
    } // end mblaster_l.c
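
A companion to the listener in the comment above, added here as an example and not part of the original post: what arrives on port 135 is untrusted binary data, so a logger should render it as escaped ASCII instead of writing raw bytes (NULs, terminal escape sequences) to the console. The helper name `escape_payload` and the sample bytes are assumptions made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Render untrusted bytes as one printable ASCII line.
 * Printable characters pass through, backslash is doubled, and everything
 * else (NUL, ESC, newlines, high bytes) becomes \xNN.
 * Returns the number of input bytes rendered; a value below in_len means
 * the output was truncated on an escape boundary because out was too
 * small. out is always NUL-terminated when out_cap > 0. */
size_t escape_payload(const unsigned char *in, size_t in_len,
                      char *out, size_t out_cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t i, o = 0;

    if (out_cap == 0)
        return 0;
    for (i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        if (c == '\\') {
            if (out_cap - o < 3) break;      /* 2 chars + terminator */
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (c >= 0x20 && c <= 0x7e) {
            if (out_cap - o < 2) break;      /* 1 char + terminator */
            out[o++] = (char)c;
        } else {
            if (out_cap - o < 5) break;      /* \xNN + terminator */
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return i;
}

int main(void)
{
    /* Constructed sample, not captured traffic: binary header bytes,
     * an embedded NUL and a terminal escape sequence. */
    static const unsigned char sample[] =
        { 0x05, 0x00, 0x0b, 'A', 'B', 0x1b, '[', '2', 'J', '\\', 0xff };
    char line[4 * sizeof(sample) + 1];   /* worst case: 4 chars per byte */

    escape_payload(sample, sizeof(sample), line, sizeof(line));
    printf("payload: %s\n", line);
    return 0;
}
```

In the listener, the call would take the byte count returned by `recv()` as `in_len`, so data after an embedded NUL is logged as well.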
  • by Anonymous Coward on Thursday August 14, 2003 @10:41PM (#6702671)
    Or for the simpler solution

    nc -l -p 135 > worm.out

  • by Steve G Swine ( 49788 ) on Thursday August 14, 2003 @10:41PM (#6702672) Journal
    People who store pornography on their computers deserve to get their data wiped.
    And in some cases, their keyboards.
  • by toddestan ( 632714 ) on Thursday August 14, 2003 @11:42PM (#6702960)
    The next step is to remake the Administrator account, except make it a basic user and give it no privileges at all. Then give it a really long random password. If someone ever tries to h4x0r the box, this one is guaranteed to keep the script kiddies busy for days!
  • by steveoc ( 2661 ) on Thursday August 14, 2003 @11:55PM (#6703016)
    There are massive legal ramifications to this.

    Firstly, the second strain of the virus is clearly derived from
    the first strain. This is blatant piracy, and a violation of the
    cherished IP of the original authors.

    The original author of the virus is now in a position to reap a windfall, by :
    - Suing the second author to the tune of $3Bn for having blatantly stolen their code.
    - Suing the thousands of owners of infected machines because they may be running pirated code in violation of the DMCA.
    - Offering infected users a $699 licence fee for running the derived virus, which will protect them from any further legal action.

    What the authors of the second, derived virus have done is abominable, and shows a callous disregard for the IP rights of the original authors. They are nothing but pirates, and a threat to the wholesome values of benign free-trade capitalism.

  • by chrispycreeme ( 550607 ) on Friday August 15, 2003 @12:07AM (#6703065)
    I could take down 500,000 machines in a weekend. Just line em up and give me a strong electromagnet. Oh and a Jeep, I don't want to walk that far. I think what the previous poster was saying is that the worm is the code equivalent of a sledge hammer- not very elegant but gets the job done. Just like 90% of the crap I whip out when my boss wants it "yesterday".
  • by Skuld-Chan ( 302449 ) on Friday August 15, 2003 @01:13AM (#6703384)
    Me too - none of my 3 Windows machines (including the one at work) were affected at all :(.
  • by Drakonian ( 518722 ) on Friday August 15, 2003 @02:07AM (#6703568) Homepage
    What about script kiddies?

  • by Lectrik ( 180902 ) on Friday August 15, 2003 @05:03AM (#6704052)
    Addendum: If you wanted to get really fancy, you could make the virus check the web, newsgroups, and IRC for cryptographically signed updates that could include new instructions and new vulnerabilities to take advantage of.


    <Obligatory MS Bashing>
    I think that's called Windows
    </Bash>
  • Perhaps to not be redundant, most appear to view this as a comedy issue. Maybe all future Microsoft security issues, worms and trojans should be filed under the comic section?

    It is certainly redundant to state the simple solution is to abandon all Microsoft products. There must be hundreds of exploits 'widely known among hackers' but not known to Microsoft and/or published. Any 'hacker' worth his salt can get into any NT type server with a minimal effort and can certainly get to clients and install servers. The truth of the matter is us old hacks are really bored with Microsoft.
  • by pmz ( 462998 ) on Friday August 15, 2003 @04:16PM (#6707696) Homepage
    That's right, Microsoft nuked the power station to offset the bad worm publicity.

    Well, Bill Gates is already more powerful than any government leader in the world, so perhaps we shouldn't be surprised if he has also mastered lightning and other natural phenomena to do his bidding.
