Bonus chatter about that virus that is responsible for the top six Explorer crashes


Last year, I wrote about a virus that is responsible for the top six Explorer crashes, by a wide margin.

I learned later how the authors of this XYZ Virus operate, and it happens to answer a question posted by commenter SteveL as to why these virus writers are so incompetent that they crash so much.

First, the virus authors infect your computer and crash your system every so often on purpose. Meanwhile, they also set up a legitimate-looking Web site which sells anti-virus software that claims to remove this virus. You send them your money, they send you the software.

The kicker is that the removal software doesn't work. Your computer is still infected with the XYZ virus. But they don't care. They already got your money.

Comments (29)
  1. Nathan_works says:

    Too bad there’s not an entry for "poorly written shell extensions" in the original list..

    (Hah. As I type, I check and see I made the same comment in your original article.. )

    Might not "crash" explorer, but can cripple context menu usage.. That and those 5000 ms ping time network drives I have to use.. Boy, the folks in CA never seem to mind and don’t understand why I hate using it to share files.

  2. Adam V says:

    I wonder if the XYZ Antivirus company could be sued for a non-performing product by the people who bought it, as well as by the people who caught the XYZ virus and lost time/data due to Explorer crashes.

    Then it occurs to me that Microsoft data on Explorer crashes could be used in court to show how prevalent a virus is, and a company could be forced to give up their profits to the government (since the MS data would be stripped of identifying information, the money can’t go back to the users).

    But then I realize how stupid that is – they’d just set up shop in another country where virus-writing isn’t illegal.

    Ah, well… here’s hoping Peter Wiggin shows up soon and creates a worldwide Hegemony.

  3. Someone You Know says:

    @Adam V

    Selling a product that you know doesn’t do what you say it does is a crime in the United States, but it seems like you can get away with a lot using fine-print disclaimers. See, for instance, all the homeopathic remedies and the like that have something like "This product is not intended to diagnose or treat any condition" printed on the packaging.

  4. Alexandre Grigoriev says:

    That all began with the "all users in XP are created as Administrators" decision back in 2001.

  5. John says:

    Alexandre: A non-Administrator account can still install a shell extension for itself.

  6. ulric says:

    How can these companies still be in business, given that they perform acts that are illegal, have a web site you can identify, and there is a paper trail for the money?

  7. Anonymous says:

    Would it be worth it to consider a separate process for extensions like in ie8, that way a crash in an extension doesn’t take explorer down?

  8. MadQ says:

    @Anonymous: Explorer is way ahead of IE8. You can tell explorer to "Launch folder windows in a separate process" in the folder options. It kinda slows things down, though. All that cross-process marshalling COM has to do all of a sudden takes its toll.

  9. KJK::Hyperion says:

    Adam V: virus cases HAVE been successfully taken to court by Microsoft. I recall most were in the "rogue security software" category.

  10. KJK::Hyperion says:

    Internet Explorer 8 runs every single tab in a separate process (running virtualized, at Low integrity level), and installs a "safe mode" icon that runs with all add-ons disabled

  11. Daniel says:

    A Wikipedia revision from May 16th, 2008, huh? It seems Raymond wrote this follow-up before the first article was even published. His huge queue never ceases to amaze me.

  12. Jonathan Wilson says:

    I would hope that a virus like this would be the sort of thing removed by the Windows Malicious Software Removal Tool.

  13. Jules says:

    Personally, I think malware writers are simply mostly incompetent.  Really.

    Once, I had a Linux machine online that got compromised via a BIND exploit.  The code the worm in question executed appended something like "5136 stream tcp nowait root /bin/sh" to inetd.conf and sent inetd a HUP signal.  This failed to achieve the desired effect because there wasn’t an LF at the end of the last line in my inetd.conf.

  14. Jules says:

    Alexandre Grigoriev: "That all began with "all users in XP are created as Administrators" decision back in 2001."

    Except all users in XP are not created as administrators.  Whenever I set up XP, it only makes the first user admin, the rest I have to set up as administrators manually if I want them to be.

  15. Aaargh! says:

    > Except all users in XP are _not_ created as administrators. (…)  it only makes the first user admin

    And how many home users have multiple accounts on their system?

    The problem is not even that the user is an admin, the problem is that an admin user *always* has full admin rights.

    On most other OSes an admin user means a user who is able to get full access when needed, by typing his password. Windows tries to ‘fix’ this with UAC which IMHO is a completely insane idea. It’s security backwards.

    [I thought “root” had full admin privileges all the time. -Raymond]

  16. Fuenby says:

    @Aaargh! – If a malicious user has physical access to your desktop, he can do pretty much anything he wants to it. It’s not users we have to worry about, it’s applications—and UAC handles this adequately.

    Also, looking at http://en.wikipedia.org/wiki/User_Account_Control#Tasks_that_trigger_a_UAC_prompt , I don’t really see unnecessary privilege requirements there. (Except maybe Task Scheduler, but an average user  wouldn’t run it that often.)

  17. Aaargh! says:

    > I thought "root" had full admin privileges all the time. -Raymond

    That is correct.

    However, usually (taking OS X as an example here) an ‘administrator’ user is *not* root. It’s a user with ‘sudo’ rights, which means the user can run things as root after entering his/her password. In fact, the root account is disabled by default; you have to specifically enable it (and there is no need to do that, at all).

    In practice this means that even an administrator user runs his day-to-day stuff as a mere mortal.  Only when doing something that requires more privileges (like e.g. changing a system-wide setting) the user needs to enter his password once. This occurs so rarely that it’s not annoying at all, unlike UAC. And it’s actually proper security (e.g. a malicious user that walks up to an unlocked desktop still can’t do any system-wide damage).

  18. Alexandre Grigoriev says:

    @Jules:

    "Except all users in XP are not created as administrators."

    Sure. Never mind that 99% of XP Home users don’t have any idea that they’re supposed to explicitly change their user account type to Limited User. Vista, Windows 7 (and XP Home?) even encourages that by the fact the Administrator account is DISABLED. You HAVE to have one of the user’s accounts with administrative privileges.

  19. Falcon says:

    @Jules:

    "This failed to achieve the desired effect because there wasn’t an LF at the end of the last line in my inetd.conf."

    The crazy thing here is that they wouldn’t need to be particularly clever at all – I’m assuming that inetd allows blank lines in the conf file (a reasonable assumption), so all it would take is adding an LF to the beginning of the string!

    Of course, in this case, the failure is desirable from an "end user’s" point, but it’s a WTF nonetheless…

  20. Stefan Kanthak says:

    @John:

    A non-Administrator account can still install a shell extension for itself.

    But Explorer won’t use it unless it has been approved by an Administrator.

    See MSKB 216384 which is turned on per default since XP SP2.
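
    The "approved by an Administrator" mechanism above is worth checking on a machine that crashes in Explorer. The following audit script is an added example, not code from the post or from any commenter: it lists the context-menu shell extensions registered on the machine, flags the ones that are not on the Approved list, and reports whether the MSKB 216384 policy that makes Explorer honour that list is in force. The registry paths and the EnforceShellExtensionSecurity value name are the documented ones; the set of handler roots walked is my choice and is not exhaustive.

```powershell
# Added example (not from the post or its comments): audit context-menu shell
# extensions against the administrator-approved list and report whether the
# MSKB 216384 policy is switched on. Read-only; run in PowerShell on Windows.

$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. Is Explorer restricted to approved extensions? (value name from MSKB 216384)
$policy   = Get-ItemProperty -Path $policyKey -Name EnforceShellExtensionSecurity -ErrorAction SilentlyContinue
$enforced = ($null -ne $policy) -and ($policy.EnforceShellExtensionSecurity -eq 1)
if ($enforced) { 'EnforceShellExtensionSecurity: ON (only approved CLSIDs load)' }
else           { 'EnforceShellExtensionSecurity: OFF (any registered extension loads)' }

# 2. CLSIDs an administrator has approved: each one is a value name under the key.
$approved = @{}
foreach ($name in (Get-Item -Path $approvedKey).Property) { $approved[$name.ToUpperInvariant()] = $true }

# 3. Walk the usual context-menu registration points. HKEY_CLASSES_ROOT merges
#    HKLM and HKCU classes, so an extension a non-admin registered for itself
#    (as comment 5 describes) shows up here too. Root list is my own selection.
$roots = @('*', 'AllFilesystemObjects', 'Directory', 'Directory\Background', 'Folder', 'Drive')
$found = foreach ($root in $roots) {
    $handlers = "Registry::HKEY_CLASSES_ROOT\$root\shellex\ContextMenuHandlers"
    if (-not (Test-Path -Path $handlers)) { continue }
    foreach ($sub in Get-ChildItem -Path $handlers) {
        # The CLSID is the subkey's default value, or the subkey name if no value is set.
        $clsid = (Get-ItemProperty -Path $sub.PSPath).'(default)'
        if (-not $clsid) { $clsid = $sub.PSChildName }
        $clsid = $clsid.Trim().ToUpperInvariant()
        # Resolve the DLL Explorer would load into its own process for this handler.
        $server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                   -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Root     = $root
            Handler  = $sub.PSChildName
            CLSID    = $clsid
            Approved = $approved.ContainsKey($clsid)
            DLL      = $server
        }
    }
}
$found | Sort-Object -Property Approved, Root | Format-Table -AutoSize

# 4. To make Explorer honour the Approved list (the MSKB 216384 policy), an
#    administrator sets this value and restarts Explorer:
# Set-ItemProperty -Path $policyKey -Name EnforceShellExtensionSecurity -Value 1 -Type DWord
```

    Rows with Approved = False and a DLL outside the Windows directory are the ones to look at first; they are exactly the handlers that load into every Explorer window regardless of who installed them, and with the policy ON they would stop loading until an administrator adds the CLSID to the Approved key. On 64-bit Windows the 32-bit view of the registry has its own Approved list, which this script does not walk.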

  21. someone else says:

    @Aaargh!

    Quite a lot of these prompts have been fixed in Windows 7.

    And the problem of needing to be admin for installing apps is often created by the installer, not Windows. I especially like installers that need to run as admin, but install only for the current user.

  22. Aaargh! says:

    >  It’s not users we have to worry about, it’s applications.

    You’re making a distinction that does not exist. Users do not interact with the Win32 API directly, they only do so through applications. An application running as a certain user doing something should be considered as that user doing it. You don’t need to ask if the user wants to allow the app to do something, the user has already made his/her intent clear by running the app in the first place.

    The question is not if the user wants the app to do X, it’s if the user is *allowed* to do it by the administrator of the system. The user can then prove he is indeed allowed to do so by authenticating him/herself as a legit user with the correct permissions to the system.

  23. Aaargh! says:

    > I don’t really see unnecessary privilege requirements there.

    I can see at least one:

    * Installing and uninstalling applications

    Why should installing an app be considered a privileged operation?

    As for the rest, those are things only administrators should be able to do, and they therefore do not require additional security prompts for several reasons:

    * You’re admin, you’re supposed to know what you’re doing

    * You specifically logged in as an administrator to do these (potentially dangerous) tasks, you do not need to be reminded again

    UAC is a hack to prevent malicious apps that stupid users download from wrecking the system. Instead of fixing the problem (normal users always running with full admin rights) they are fixing the symptom.

    On a properly set up system a malicious app wouldn’t be able to do those things either, because the user running them simply won’t have the privileges to do so. The malicious app would have to trigger a ‘sudo’ prompt, at which time the user would have to type in his/her password. A password screen is not something where you can just click on ‘ok’ (as most users will do without thinking with UAC) and it should be such a rare occurrence that the user will immediately become suspicious.

    UAC might prevent some malicious apps from doing too much damage, but it’s a very ugly and unnecessary hack, there are proper ways to fix this.

  24. Miral says:

    @Aaargh!:

    Whether to install for a single user or for the entire machine is a choice of the application vendor.  Most vendors will usually choose to install for the whole machine; partly because that reduces file duplication and partly because there is no standard location where per-user applications are supposed to be installed.

    And installation and admin behaviour on Vista is now nearly identical to the equivalent on Linux.  On Windows, you have to elevate to run installers.  On Linux, you have to elevate to run the package manager.  On Windows, you have to elevate to run certain admin-only tasks.  On Linux it’s the same.

    Essentially UAC is the same thing as Linux with sudo — user accounts in the Administrators group on Windows are the equivalent of users in the sudoers file in Linux; programs run from the shell run with low privilege by default in both; in order to run admin tasks you have to take some special action (UAC prompt for consent/credentials, run sudo) first.  What’s the difference?

    The only real reason why UAC has caught more flak on Windows vs. Linux is because there’s a lot more Windows software that simply assumes that it’s running as an administrator, causing more prompts than should be required.  That has been gradually improving as vendors update software to be better behaved.

  25. Drak says:

    @Miral

    >> Essentially UAC is the same thing as Linux with sudo — user accounts in the Administrators group on Windows are the equivalent of users in the sudoers file in Linux; programs run from the shell run with low privilege by default in both; in order to run admin tasks you have to take some special action (UAC prompt for consent/credentials, run sudo) first.  What’s the difference?

    The difference is that you need to know the user’s password for sudo, and you don’t for UAC. So if a user leaves his PC unattended UAC isn’t going to stop an allegedly abusive other user from doing something bad, while sudo will require a password (unless you have one of those systems where sudo only requires a password every so often, which imho isn’t a very good choice).

    Of course, you should always lock your PC when leaving it unattended… But that’s something even Microsoft can’t automate ;)

    [I’m amused by the implied argument that unix is superior to UAC because UAC isn’t annoying enough. -Raymond]

  26. Cheong says:

    Actually, I’d wish to have something more like SELinux where even if I grant administrator right to certain process, I can still cage it to modify places that I allow it to modify.

    For advanced level users it’ll be more effective than UAC for protecting us from attacks.

    Just let it be disabled by default as even lots of Linux administrators seem unable to get how to make it work… and usually leave it disabled or in permissive mode. :P

  27. Phil says:

    > The difference is that you need to know the user’s password for sudo, and you don’t for UAC. So if a user leaves his PC unattended UAC isn’t going to stop an allegedly abusive other user from doing something bad, while sudo will require a password (unless you have one of those systems where sudo only requires a password every so often, which imho isn’t a very good choice).

    Isn’t it the case where a user who isn’t in the administrators group has to enter credentials for a user who is in the administrator’s group when a UAC prompt appears?

    Assuming my memory is correct the way to emulate sudo is to have one admin user with all other users not in the administrators group.  Then when people need to do admin task they use the credentials for the admin user.

  28. Gareth says:

    >The difference is that you need to know the users password for sudo, and you don’t for UAC.

    This is a setting. It defaults to not annoying people, but can be set the same as Un*x if required (and often is in corporate environments).

    I believe the genesis of this setting is the desire not to annoy people into turning UAC off – but to ask them to approve actions.  Where in a corporate setting you can annoy them as much as you like :-)
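
    The setting the three comments above are circling (Drak, Phil and Gareth) is the UAC prompt behaviour policy. The script below is an added example, not code from the post or any commenter: it reads the current values, decodes them with the documented meanings, and shows the configuration that makes an administrator re-enter a password on the secure desktop, which is the closest Windows gets to the sudo behaviour Drak describes. The registry path and value names are the documented UAC policy settings; the helper function name is my own.

```powershell
# Added example (not from the post or its comments): decode the UAC prompt
# behaviour settings and show the sudo-like configuration. Reading needs no
# privilege; the Set-ItemProperty lines at the end need an elevated prompt and
# are left commented out. Run in PowerShell on Windows.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented values of ConsentPromptBehaviorAdmin (what a member of the
# Administrators group sees when a program asks to elevate).
$adminBehaviour = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# Documented values of ConsentPromptBehaviorUser (what a standard user sees).
$userBehaviour = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

# Helper (my own name): turn a raw registry value into readable text,
# treating a missing value as the OS default.
function Get-SettingText([object]$Value, [hashtable]$Meanings, [int]$Default) {
    if ($null -eq $Value) { return "not set (default $Default = $($Meanings[$Default]))" }
    $n = [int]$Value
    $m = if ($Meanings.ContainsKey($n)) { $Meanings[$n] } else { 'unknown value' }
    return "$n = $m"
}

$p = Get-ItemProperty -Path $uacKey

"EnableLUA                 : $($p.EnableLUA)  (0 = UAC switched off entirely)"
"PromptOnSecureDesktop     : $($p.PromptOnSecureDesktop)  (1 = prompt isolated from other processes)"
"ConsentPromptBehaviorAdmin: $(Get-SettingText $p.ConsentPromptBehaviorAdmin $adminBehaviour 5)"
"ConsentPromptBehaviorUser : $(Get-SettingText $p.ConsentPromptBehaviorUser  $userBehaviour  3)"

# Sudo-like configuration: administrators re-enter their password on the secure
# desktop, so an unattended session cannot be elevated with a single click.
# Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
# Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
```

    On a domain-joined machine these values are usually written by Group Policy ("User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"), so a local change is overwritten at the next policy refresh; check the value first so you know which regime the machine is in. Value 1 plus the secure desktop is what corresponds to the corporate setting Gareth mentions.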

  29. mbghtri says:

    Chen’s Law: On any blog post about Vista, Windows 7, or IE, the comments will eventually degenerate into an off-topic UAC rant.

    Corollary: At least one comment will include the obligatory "M$" abbreviation.
