Security advisory

Several new versions of the Stupidity worm have recently been observed in the wild; it is suspected that Stupidity variants are now in active development. Stupidity is a highly polymorphic, prolific infector that can be carried in PE and ELF binaries. Stupidity causes the infected machine to occasionally flood other machines on the Internet with large quantities of undesired traffic (the exact frequency varies depending on the version), and slowly corrupts files on infected machines, occasionally deleting them entirely.

Stupidity uses several vectors to spread. Primarily, it replicates over email and instant messaging networks. When the message containing Stupidity is read in a vulnerable browser, it will execute automatically and then proceed to use your computer to infect other systems.

Stupidity.V and Stupidity.W were first released inside chain letters: the first offered a Special Polynesian Fidelity Charm, and the second was a traditional Ponzi scheme promising $48,190 in three months if you sent money to all the addresses on the list and followed the instructions. It is likely that future Stupidity variants will be released in chain letters; users are advised to be highly suspicious of any mail they receive that instructs the recipient to forward it to large numbers of people. Remember, the person who sent you the letter did not write it themselves; it could contain any type of malicious content the original author wished.

When running, Stupidity will automatically insert itself into mail sent from the infected machine; it can also be carried in AIM and Yahoo messages. This is particularly dangerous, as it means that the worm will arrive inside actual mail; in addition, many systems that are not themselves vulnerable to Stupidity will pass it through unmodified. (See Inset 1 for an explanation of how this works.)

Inset 1:

Angel033 is infected with Stupidity. One in every ten mails she sends out will be infected. She receives a good-luck chain letter and mails it to twenty of her friends.

Most of her friends receive the chain letter unmodified, and remain unaware that she is infected.

Barry and Bob receive infected mails. Bob is using an unpatched version of Microsoft Outlook; Stupidity executes automatically when he reads the mail, and he becomes infected. Barry's Outlook has been patched; he is not infected, but he forwards the letter to several of his friends.

Candi opens Barry's letter. In addition to a note from Barry saying 'lol, love this thing', the whole chain letter is displayed in her email program exactly as Barry received it. Since it came with a copy of the Stupidity worm, and Candi is using an unpatched email program, she becomes infected.

DETECTION:

An up-to-date antivirus program will detect Stupidity and disable it; however, if your definitions are not up to date, or if it's a new variant of Stupidity, it will need to be removed by hand.

Stupidity.D, Stupidity.F, and most of the G and P variants inhabit a file whose name matches win{sock|suck}{|2|32}.dll. (See Inset 2 for an explanation of what 'name matches' means.) The infected machine will be configured to route all network connections through that file, and (on G and P) to protect the file against modification. To verify, boot your computer into safe mode and rename it to something else; then reboot normally. If your machine was infected, it will be unable to access the Internet until you repair the TCP/IP stack.
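As an added example (not part of the original advisory or Inset 2), the following Python code shows how a name pattern such as win{sock|suck}{|2|32}.dll is expanded into the concrete filenames it denotes and how a directory listing is checked against it. The brace syntax is interpreted as an assumption: '|' separates alternatives and an empty alternative means nothing is inserted at that position. Note that a name match on its own is a weak indicator, since the legitimate Winsock library on Windows also carries a name in this family; a filename hit is a reason to check the file's hash or signature, not proof of infection.

```python
import itertools
import re

# One brace group: everything between '{' and '}' that contains no nested braces.
_BRACE = re.compile(r"\{([^{}]*)\}")


def expand_pattern(pattern):
    """Expand a pattern like 'win{sock|suck}{|2|32}.dll' into every filename
    it can denote. Inside braces, '|' separates alternatives; an empty
    alternative (as in '{|2|32}') means 'insert nothing here'."""
    parts = []  # each entry is the list of alternatives for one position
    pos = 0
    for m in _BRACE.finditer(pattern):
        parts.append([pattern[pos:m.start()]])  # literal text before the group
        parts.append(m.group(1).split("|"))     # alternatives inside the group
        pos = m.end()
    parts.append([pattern[pos:]])               # trailing literal text
    return sorted({"".join(combo) for combo in itertools.product(*parts)})


def name_matches(filename, pattern):
    """Case-insensitive match, because Windows filenames are case-insensitive."""
    return filename.lower() in {n.lower() for n in expand_pattern(pattern)}


def find_suspect_names(filenames, pattern):
    """Return the entries of a directory listing whose names match the pattern."""
    return [f for f in filenames if name_matches(f, pattern)]


if __name__ == "__main__":
    # Constructed directory listing, not a real system's contents.
    listing = ["kernel32.dll", "WINSOCK.DLL", "winsuck32.dll", "wsock32.dll", "notepad.exe"]
    print(expand_pattern("win{sock|suck}{|2|32}.dll"))
    print(find_suspect_names(listing, "win{sock|suck}{|2|32}.dll"))
```

The expansion is exhaustive, so it also works for longer alternative lists; `wsock32.dll` in the constructed listing is deliberately not matched, because the pattern's literal prefix is `win`.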

Stupidity.H, Stupidity.IA, and Stupidity.K will use the filename "OpenTransport". Stupidity.L uses "RECYCLER" or "OpenTransport" at random.

Stupidity.M, Stupidity.N, and Stupidity.PD use a fake Microsoft Outlook program. Instead of locking the file to prevent deletion, a background process on the infected machine checks every eight seconds to see if the file is still there; if not, it automatically restores it from a backup. To detect it, take the following steps:
1: Locate the Microsoft Outlook application. It will be an .EXE file.
2: Make a backup copy of it. If it is uninfected, this will be harmless; if it's infected, it will be harmless as long as you don't run the backup.
3: Delete the original.
4: Wait a few seconds (up to a minute, on slow machines).
5: Look at the folder Microsoft Outlook was in and see if it's still gone.
6: If it's actually gone, you're not infected; you can restore the old backup copy. If it rematerializes, your machine has Stupidity.
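The six steps above amount to a single check: delete a file and watch whether a background process restores it. The Python below is an added example, not code from the advisory, that performs that check in a scratch directory. The file name `OUTLOOK.EXE` and the `FakeRestorer` thread are constructed stand-ins for a real install and for the restoring process the text describes; the restorer exists only so the detector can be exercised both with and without a restoring process present.

```python
import os
import shutil
import tempfile
import threading
import time


def rematerializes(path, timeout=60.0, poll=0.5):
    """Steps 3-6: delete `path`, then poll for up to `timeout` seconds.
    Returns True if something recreates the file, False if it stays gone."""
    os.remove(path)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.exists(path):
            return True
        time.sleep(poll)
    return False


class FakeRestorer:
    """Constructed stand-in for the background process described in the text:
    every `interval` seconds it checks `target` and copies `backup` back if missing."""

    def __init__(self, target, backup, interval=0.2):
        self.target, self.backup, self.interval = target, backup, interval
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def _run(self):
        while not self._stop.is_set():
            if not os.path.exists(self.target):
                shutil.copyfile(self.backup, self.target)
            self._stop.wait(self.interval)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()


def demo(with_restorer):
    """Run the whole procedure on a constructed file. Returns True if the
    file came back after deletion (the 'infected' outcome), else False."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "OUTLOOK.EXE")  # constructed name, not a real install
        backup = os.path.join(scratch, "outlook.bak")
        with open(target, "wb") as fh:
            fh.write(b"MZ constructed dummy binary")   # step 1: the "application"
        shutil.copyfile(target, backup)                # step 2: backup copy
        restorer = FakeRestorer(target, backup).start() if with_restorer else None
        try:
            return rematerializes(target, timeout=3.0, poll=0.1)
        finally:
            if restorer:
                restorer.stop()


if __name__ == "__main__":
    print("restoring process present:", demo(True))
    print("no restoring process:     ", demo(False))
```

The timeout is the only tuning knob: the text says the restore happens within about eight seconds, so a real check would wait longer than the three seconds used here for the constructed case, but the logic is the same. Polling `os.path.exists` is deliberately simple; a file-system notification API would react faster but is not needed to answer a yes/no question.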

Stupidity.X will manifest itself as a file called 'libc.so', with a random number appended. Due to a bug, it's usually possible to delete libc.so while Stupidity is running; your machine will then be unable to spread Stupidity once you reboot.

Copyright 2005 Computer User's Network Test Laboratories, Incorporated. Permission is granted to freely reproduce this advisory and send it to anyone who you believe may have Stupidity, as long as this copyright notice is left intact.