[Techtalk] Question about a virus risk

Mandi mandi at linuxchick.org
Mon Jun 24 13:13:01 EST 2002


*nutshell*
Klez will not affect Kmail, or Evolution, or pine, mutt, elm, mozilla,
sylpheed, etc, etc, etc.

Klez is an Outlook virus that runs in the context of a fully installed
Windows system.  It does not run on Windows when other email agents are
used, either, such as Netscape or Eudora.

Some people reported being able to run the Sir Cam virus using WINE, but
that required downloading an infected attachment and purposely running it
in WINE.  Even then, the virus is extremely hampered because of the
absence of a registry in the WINE environment.  google for "Sir
Cam"/wine/linux for more info.

If you are having weird behavior with Kmail, try getting information from
the nice people at KDE.  kmail is at http://kmail.kde.org.

There are several updates available.

*/nutshell*

Now the long version.

There are other issues related to this, and other subjects to look at
briefly.

The matter of cross platform code is one.  There are few known viruses
that are capable of infecting both Linux and win32 platforms.  Such a
creature is particularly difficult to develop because win32 and Linux have
different executable configurations.

Windows uses an executable header known as PE (portable executable format)
while x86 Linux uses ELF (executable and linking format).  The operating
system determines which executable format a system is capable of working
with.

Typically, an OS will only natively understand one or two executable
formats, and will only be able to execute files of that format, ignoring
all others.

More information here on executable headers:
http://www.nondot.org/sabre/os/articles/ExecutableFileFormats/

The virus itself has to be cross-platform in such a way that it can be
understood by multiple OSs.  This kind of multi-entry executable is
extremely difficult to write.  Check for Linux.simile for more
information.  It is reportedly cross-platform capable, though extremely
rare in the wild.


Secondly, were you to find a virus capable of infecting Linux (there are
a few), in order to damage the system you would need to run the virus
infected file as root.  Now.  If you're running your email client as root,
shame on you.  If you're logged into your system as root, a curse on your
house.  Don't do it.  Log in as a regular user.  If you're really
paranoid, use a separate user for email and su in a terminal window before
launching your kmail (check man xhost as well).

Your normal user won't have access to write over files not owned by that
user.  So "joe" won't be able to overwrite/infect the kmail binary, unless
it is owned and writable by "joe".  On my system, kmail is owned by root.
If my regular user tries to alter this file, I will see a "Permission
Denied" message.

The way Klez infects files on Windows is that it moves the original file
to a new filename, puts itself in the original filename as a wrapper, and
executes whenever the user wants that program to run.  It then executes
the moved file, so the user doesn't know the file has been tampered with.

Klez in and of itself knows nothing about Kmail or Evolution, or any mail
agent other than Outlook.  It won't go looking for those programs, or any
other mail clients.

The reason klez and sir cam are still around at all is the social
engineering involved in their messages.  You are aware that these programs
exist, so you're doing better than a large number of Windows/Outlook
users.  Pay attention to stuff, and only save attachments you were
expecting.  Get confirmation from the sender before doing anything.


Third, email clients other than Outlook have learned more from Outlook's
follies than Outlook has.  Kmail has a number of built in features to
secure the Kmail environment.  Evolution is similar.  They don't execute
attachments, they don't execute javascript.  If a behavior changed, it is
probably a bug or a setting that may not have manifested previously.

Evolution has been known to crash when presented with virus-infected mail
messages to download, due to improper SMTP headings in those messages.  I
haven't seen any similar reports for Kmail.


Finally, think about how you run a program using WINE.  To run a windows
program under wine, you have to type "wine programname" (with options in
there for wine and the program, if needed).  Kmail doesn't even have the
capability to directly run programs, let alone bounce an attachment out to
wine.

Kmail may pop up if you're running a KDE-based app that thinks it wants to
send an email.  This should include Konqueror, though I haven't run either
of those programs in quite some time.


So if you read this far, the point is that you have to go way out of your
way to get the Klez virus on Linux, and even then it won't behave as its
author intended, if it runs at all.


Good luck.  Hope that all made sense.

--mandi
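
[Editor's added example, not part of mandi's post.]  The PE-versus-ELF
point above is exactly the decision an OS loader makes from the first few
bytes of a file: Linux looks for 0x7f 'E' 'L' 'F' at offset 0, Windows
looks for 'MZ' at offset 0 and a 'PE\0\0' signature at the offset stored
in e_lfanew (0x3C).  The script below classifies a file image by those
headers and reports format, bitness and target machine.  The magic values
and offsets are the standard ones from the ELF and PE/COFF specifications;
the sample headers at the bottom are constructed by hand for the demo and
are not real programs.

```python
"""Identify an executable's container format (ELF vs PE) from its header.

Added example for this thread, not code from the original post.  Header
offsets and magic values follow the ELF and PE/COFF specifications; the
sample images below are hand-constructed, not real binaries.
"""
import struct

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

# A few standard e_machine / IMAGE_FILE_MACHINE values; anything else is
# reported as its raw hex value.
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "AArch64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def identify_executable(data: bytes) -> dict:
    """Describe the header at the start of `data`.

    Offset 0 can hold either the ELF magic or the MZ magic, never both,
    which is the structural reason one file image cannot simply be a
    native executable for Linux and Windows at the same time.
    """
    if data[:4] == ELF_MAGIC:
        if len(data) < 20:
            return {"format": "ELF", "error": "truncated header"}
        ei_class, ei_data = data[4], data[5]        # class: 1=32-bit 2=64-bit; data: 1=LE 2=BE
        endian = "<" if ei_data == 1 else ">"
        e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
        return {
            "format": "ELF",
            "native_on": "Linux (and other ELF systems)",
            "bits": 32 if ei_class == 1 else 64,
            "type": ELF_TYPES.get(e_type, hex(e_type)),
            "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
        }

    if data[:2] == MZ_MAGIC:
        if len(data) < 0x40:
            return {"format": "MZ", "error": "truncated DOS header"}
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        # Signature (4) + COFF header (20) + optional-header magic (2) must fit.
        if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
            return {"format": "MZ (DOS)", "native_on": "DOS", "bits": 16}
        machine, nsections, _ts, _symtab, _nsyms, _optsize, characteristics = \
            struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
        (opt_magic,) = struct.unpack_from("<H", data, e_lfanew + 24)   # 0x10B PE32, 0x20B PE32+
        return {
            "format": "PE",
            "native_on": "Windows",
            "bits": 64 if opt_magic == 0x20B else 32,
            "type": "DLL" if characteristics & 0x2000 else "EXE",
            "machine": PE_MACHINES.get(machine, hex(machine)),
            "sections": nsections,
        }

    return {"format": "unknown", "native_on": None}


def identify_file(path: str) -> dict:
    """Read just enough of a file on disk to classify it."""
    with open(path, "rb") as fh:
        return identify_executable(fh.read(4096))


# --- constructed sample headers (not real binaries) --------------------------

def sample_elf64() -> bytes:
    """Minimal ELF64 little-endian x86-64 EXEC header (first 20 bytes)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # class=64, data=LE, version=1
    return e_ident + struct.pack("<HH", 2, 0x3E)             # e_type=EXEC, e_machine=x86-64


def sample_pe32() -> bytes:
    """Minimal MZ stub plus a PE32 x86 COFF header, PE signature at 0x40."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff + struct.pack("<H", 0x10B)


def sample_dos_only() -> bytes:
    """An MZ file whose e_lfanew points at no PE signature: plain DOS."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    return bytes(dos)


if __name__ == "__main__":
    for name, blob in [("elf64", sample_elf64()), ("pe32", sample_pe32()),
                       ("dos", sample_dos_only()), ("script", b"#!/bin/sh\necho hi\n")]:
        print(f"{name:7} {identify_executable(blob)}")
```

Run it against a real file with identify_file("/usr/bin/ls") or a
downloaded attachment; an attachment that comes back as "PE" is a Windows
program regardless of what its filename extension claims, and nothing on
a Linux box will run it unless you hand it to wine yourself.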
