
MyDoom.C Making Its Way Across The Net

Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.
  • Part of the story? (Score:2, Interesting)

    by Anonymous Coward on Tuesday February 10, 2004 @12:33AM (#8234311)
    instead scans for machines with an open TCP port 3127

    Uh, ok.. so what is on port 3127?

    We are not all so nerdly that we memorize port tables... (emphasis on ALL)

  • MSN messenger? (Score:5, Interesting)

    by Quixotic ( 505 ) on Tuesday February 10, 2004 @12:35AM (#8234323) Homepage
    Does anyone know if it is slamming the msn messenger service as well? I haven't been able to connect to it recently, and it seems to be a network wide outage, since other people are having problems as well [trillian.cc]....
  • by GeckoFood ( 585211 ) <geckofood@nosPAM.gmail.com> on Tuesday February 10, 2004 @12:36AM (#8234331) Journal
    About the time the first version of this virus set sail, I noticed a huge spike in the number of Backdoor/Subseven probes against my firewall (still ongoing). Is this little bastard responsible for that, or is this caused by another issue altogether?
  • by IllogicalStudent ( 561279 ) <jsmythe79.hotmail@com> on Tuesday February 10, 2004 @12:36AM (#8234334)

    MyDoom.C's effects seem to already be felt. My girlfriend's been complaining that she can't get onto MSN all night, and sure enough messenger.msn.com is completely unresponsive, as was Hotmail a few hours ago (though, it seems to be up now). I wish I could just convince her to use Jabber.

  • Re:MyDoom (Score:5, Interesting)

    by LostCluster ( 625375 ) * on Tuesday February 10, 2004 @12:36AM (#8234337)
    Virus-writers don't get to name their viruses, the anti-virus companies do that.
  • No shutoff date? (Score:5, Interesting)

    by ArsonPanda ( 647069 ) on Tuesday February 10, 2004 @12:37AM (#8234341)
    I never understood why viruses/worms/whatever bother to include shutoff dates. "hum, I really hate SCO, so I'm going to DDoS them, but only for a few days" Why?
  • Re:Dumbass alert (Score:4, Interesting)

    by ergo98 ( 9391 ) on Tuesday February 10, 2004 @12:37AM (#8234345) Homepage Journal
    Did you happen to notice the part where it said "This new variant relies upon a backdoor left in place by the original email-spread virus."

    I'm not sure what to think about this: How many times can you tell people never to open attachments until you just give up and accept that a certain casualty rate is to be expected? (As a sidenote -- I partly blame Netscape and other email proggies that send forwards or replies as attachments rather than as inline quoted text. This makes users accustomed to opening attachments).
  • Re:MyDoom (Score:5, Interesting)

    by Paleomacus ( 666999 ) on Tuesday February 10, 2004 @12:38AM (#8234351)
    Really? Kinda like hurricanes and tropical storms then eh? That's kind of a funky analogy.
  • by LostCluster ( 625375 ) * on Tuesday February 10, 2004 @12:39AM (#8234358)
    Are there any real applications that use port 3127, or can we safely block that port at our firewalls?
  • by ePINOY ( 614266 ) on Tuesday February 10, 2004 @12:40AM (#8234372)
    Not to mention users foolish enough to try downloading spoofs from KaZaA [grisoft.cz]
  • by Kris_J ( 10111 ) * on Tuesday February 10, 2004 @12:41AM (#8234377) Homepage Journal
    To put it lightly... these 50,000 to 75,000 zombies need to be pulled from the Internet stat.
    Fortunately this portscanning behaviour will show up on firewall logs much better than this email crap. Within no time, dshield.org and other similar log aggregation services should have a nice accurate list of infected machines that they use to contact sysadmins of appropriate networks.
  • Somebody please... (Score:2, Interesting)

    by zeux ( 129034 ) * on Tuesday February 10, 2004 @12:43AM (#8234385)
    Write a virus that scans for open 3127 TCP Ports, get into the machine and remove MyDoom from it.

    This virus counter-virus wouldn't cause the same problem as the SoBig counter-virus (can't remember the name, sorry) because this time it would spot only actual infected computers instead of every computer with an open RPC port.
  • by billstewart ( 78916 ) on Tuesday February 10, 2004 @12:45AM (#8234399) Journal
    Unlike MyDoom, which is exploiting Microsoft weaknesses, the interesting thing about Doomjuice and Deadhat (aka Vesser [f-secure.com]) is that they're scanning for the back doors left by MyDoom.A and MyDoom.B and using them to take over. The good news is that they're only attacking infected machines (and in a way that's easy to block), but the bad news is that parasites like these can add nasty payloads to viruses that were fast but not particularly nasty themselves. (That doesn't mean that these parasites have done that, but they can.) According to the article on F-Secure, Vesser / Deadhat turns off many kinds of anti-virus and firewall software, leaving the machine more vulnerable, and adding a backdoor of its own (but protecting it with crypto, which is the proper thing for an evil virus to do :-)
  • by centralizati0n ( 714381 ) <tommy.yorkNO@SPAMgmail.com> on Tuesday February 10, 2004 @12:45AM (#8234401) Homepage Journal
    Since port 3127 isn't used that much, except for the 50,000+ trojaned computers, does anyone else agree that it would be viable to have mega-ops at all those switching stations block port 3127 for say... 5 days, until patches get out and what not? That way, we wouldn't have those huge spreads from seed machines in Russia or what not spreading to the small suburban streets of... say... Washington, Oklahoma? I'm sure MS and SCO would agree, and they have the funding to back any damages from applications using port 3127 that are actually legit. ;)
  • by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Tuesday February 10, 2004 @12:49AM (#8234426)
    Anyone know if MyDoom's protocol for port 3127 is documented anywhere? If the virus writer can send it patches, then surely we can too :) We could have this mess cleaned up in a few days if we made the patch clean the machines. Not sure if cleaning people's machines without their permission is illegal, but it'd sure make a lot of people grateful. If anyone does do it make sure to sign it as a gift from the open source community so we look really good instead of the evil people that we've been made to be.
    Regards,
    Steve
  • Re:No shutoff date? (Score:5, Interesting)

    by VertigoAce ( 257771 ) on Tuesday February 10, 2004 @12:52AM (#8234449)
    I've seen speculation that some authors do it so their previous work won't clobber whatever their new project is. It might also be useful to get around certain automated anti-virus tactics. On a university network it isn't uncommon to disconnect a computer that seems to be infected with a particular virus (ie all addresses resolve to a page telling you that your computer is infected and pointing you in the right direction). So after a few days all of the infected computers suddenly act like normal ones, ready to be infected with the next variant.
  • by YOU LIKEWISE FAIL IT ( 651184 ) on Tuesday February 10, 2004 @12:55AM (#8234462) Homepage Journal

    I'm amazed that someone else hasn't already jumped on this hole. From the analysis I read, you just plonk two bytes down, and then pipe in the executable, and the victim machine runs it. I mean, nmap tied together with netcat would be enough to build an exploiter.

    I am more amazed that neither SCO nor Microsoft started tailing their http logs, and firing a disinfector back at hits that match the fingerprint of the ddos thread spool. I know, I know... hackback is bad, but in this case...

    YLFI
  • by MalleusEBHC ( 597600 ) on Tuesday February 10, 2004 @12:55AM (#8234466)
    A similar situation occurred with Blaster and Welchia. As a network tech who had to deal with the mess, I must say that Welchia made matters much worse. It added to network traffic even more, thus slowing down an already congested network. Additionally, it makes diagnosing the virus harder. Instead of being able to see someone spamming port 135 and knowing it's Blaster, now you have to look for Blaster and Welchia.

    While it's a somewhat noble idea, in the real world it is just another pain in the ass.
  • by SuperBanana ( 662181 ) on Tuesday February 10, 2004 @12:57AM (#8234480)
    And also proved how many users aren't running any anti-virus at all.

    Actually, we have the antivirus companies mostly to blame for this one; they discovered it wasn't enough to sell people the software (and that coming up with new features to get upgrades was difficult), but they had to lock them into updates too; pure corporate greed. Instead, people either don't realize they're no longer getting updates, or they think the older definitions will work just fine. I tell people either to update their subscription, or to use a mailer other than Outlook if possible and run any of the various free virus scanning tools (McAfee and Trend for example both have free web-based scanners) on a regular basis or whenever the system starts doing weird stuff.

    Lastly- some vendors dragged their feet. McAfee took almost 2-3 days to release "regular" definitions which could either be downloaded to your proxy server and then deployed to all your clients...or downloaded by clients automatically. Until they did it, you had to download special "extra" definition files, put them in certain folders, etc. I.e., impossible for the end-user, and a pain in the ass for small businesses without the tools to deploy stuff like that easily automatically.

    Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio.

    Except for all the systems behind firewalls that got infected because they got the virus via email...

    Right now, this patch seems to not have much of a payload.

    Who said anything about it being a patch? Ok, so maybe it is- but "not much of a payload" doesn't mean much, since a compressed diff can be very small...

    By the way- off-topic rant, McAfee's corporate software sucks. You can run a mirror of their definitions, but you need Windows Server to do it (2k or 2003). You can deploy sitewide policies, but you need to build it into the installer and any further changes require an overblown management system that needs Windows Server AND MS SQL Server. It gets better- unlike NAV and others, you can't do email scanning on anything except Outlook (NAV has supported POP/IMAP scanning via proxy for years). And the best part? If you get a virus alert from the on-access scan, the user can't click any of the action buttons, because get this- and I swear, this was straight from the mouth of a McAfee rep- "they'll always click ignore to make it go away". "So why did you also disable the delete and quarantine buttons as well?!?" NAV and others let you restrict what option set the user gets (so they can delete, but not ignore...or do whatever). Last but not least, their support is mostly based out of India.

  • by Anonymous Coward on Tuesday February 10, 2004 @12:58AM (#8234483)
    I don't think he'll get caught anytime soon. One of the writers, if there is more than one, was attacking SCO. I don't think there are many people out there who are all these things:

    1) smart enough to write a windows virus
    2) BIG linux advocate
    and most importantly...
    3) stupid enough to get caught.

    Not that it takes a rocket scientist to write a windows virus, but this particular one does take some knowledge of how to use sockets (or whatever C# or .NET calls their own stupid abstraction).

    In any event, most people who know how to do this have at least heard of ways to cover your tracks. Like hopping from rooted box to rooted box 20 times and writing self-destruct code that formats the disks of all those machines. If they didn't do something along those lines, then they deserve to get caught because they're a threat to our community! Just kidding.
  • by Qzukk ( 229616 ) on Tuesday February 10, 2004 @12:59AM (#8234498) Journal
    Err Huh?

    The only way to find the computers with open ports is to scan them. And this is what is the big problem with the counterworms. They infect a host and go on the offensive, spewing as much traffic as the original infected host did, making us scratch our heads and wonder why.

    I wish people would take the high road and let the losers who can't admin their way out of a paper bag wallow around in their own ignorance, but if you feel like you must absolutely write a counterworm, please, please, PLEASE make it only counterattack against boxes that are connecting to the host!

    For example, instead of scanning for machines, simply lie in wait on a computer, and when something connects to you on 3127, then attack and clean that computer, and only that computer.
  • by billstewart ( 78916 ) on Tuesday February 10, 2004 @01:02AM (#8234511) Journal
    This isn't the kind of job you want to do virally - you can do it just as effectively with a standalone scanner and a separate payload that blocks the ports but doesn't go doing its own scanning. That way, sysadmins and ISPs who want to run it can run it, but it won't clog up their networks with exponentially exploding quantities of probes, and people can block 3127 at their firewalls and run the scanner inside, which is a much safer network load. Depending on how heavily infected your network is, scanning and blocking a few thousand machines doesn't take very long.

    This scales particularly well for this application, because the big source of infections was Outlook, which is used in corporate email environments, so corporate firewalls are the right boundary. There's probably some amount of Outlook Express infection, which is a problem for consumer-oriented ISPs, but it's mostly a corporate problem.
    Also, running the thing as a sysadmin-controlled port scanner means that you can tailor the payload to pop up a dialog box saying "Hey, Stupid, You clicked on the MyDoom Virus and got yourself infected, call the Help Desk at 1-555-555-31337 to get your machine cleaned up"

  • by billstewart ( 78916 ) on Tuesday February 10, 2004 @01:13AM (#8234565) Journal
    For a company/university/personal firewall, yes, it should usually be blocking any inbound traffic that's not understood. ISPs have a much different type of user base - they should be allowing the end-to-end Internet to work, staying open to any protocols that they don't have a very good reason to block. Temporarily blocking 3127 or 1434 or whatever is often necessary if there's a big outbreak, and there are some ISPs that restrict Port 25 because they're trying to prevent their users from spamming - but as a home Linux user, I find that rude and wouldn't use such an ISP for normal activities.
  • by Undefined Parameter ( 726857 ) <.moc.oohay. .ta. .modeerf4leuf.> on Tuesday February 10, 2004 @01:13AM (#8234570)
    I own two Macs, so don't take this as a troll, please.

    Right now, Macs are feeling the effects of this virus, too; it's slowing down internet connections for ALL platforms thanks to the fact that it's indiscriminately flooding networks with "noise" in trying to find other machines with the MyDoom-opened port. To my knowledge, it doesn't stop searching, either.

    And a "counter-virus" would only make things worse. Sure, you eventually stop the original worm(s), but you also do more damage and risk opening up a can of worms in doing so. Not only is YOUR "counter-virus" going to add to the network congestion, but it may well become a problem itself if it's not written just right. In other words, the cure might be worse than the disease.

    For the short term, we need an education campaign. Teach the standard (and sub-standard) users of the world how to identify a virus, how to prevent getting infected, and why they should care. As the old saying goes, "you can give a man a fish, and feed him for a day, or you can teach a man to fish and feed him for a lifetime."

    ~UP
  • eternal return (Score:5, Interesting)

    by veg_all ( 22581 ) on Tuesday February 10, 2004 @01:18AM (#8234598)
    I was fascinated by the zombifying worms, spreading across the internet making unsuspecting hosts into proxy spam servers, but now I'm beginning to wonder if worm harvesters will have to be written and (by mutual agreement) released onto the net. I still get code red dropping by all the time (it can have my default.ida, for all I care; I'm through with it), and new kiddies write them at such an increasing pace that one New York Times article about worms recently needed two slashdot articles by the time it was posted. Might they start (at some point in the future) to actually start to "clog" the internet? Hell, they already do; the network where I work was brought to a crawl more than once over the last year because of them (and the idiots who administer the network, but that's another rant). Anyway, when worms constitute more than 50% of the traffic more than 50% of the time, some regulatory body is going to propose spidering worm-eaters. It'll be like "core wars" all over again (everything comes full circle sooner or later).
  • by stratjakt ( 596332 ) on Tuesday February 10, 2004 @01:28AM (#8234646) Journal
    I always thought a clever counter-worm would use a swarming/distributed technique, to cut down on the scanning..

    Using bittorrent as an example, they all connect to a central tracker, and each is assigned a subnet to scan and clean, they scan that range, pass on to the first infected machine found, and shut down, and that machine takes on the rest of the assigned range..

    Lather, rinse, repeat. Every machine gets scanned once, in a nifty distributed fashion.

    Just random thoughts in my head, frankly I don't care what a worm's purpose is, I don't want it on my network.
  • Re:Nimda (Score:5, Interesting)

    by nuckfuts ( 690967 ) on Tuesday February 10, 2004 @01:50AM (#8234756)
    He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway.

    Maybe that's because the name Concept Virus was already taken.

    The original Concept Virus was a significant milestone - the first virus written to infect MS-Word documents (using Word's own macro language - thanks Microsoft, we really need all that capability in a word processor). It was the start of an era where macro viruses became the most prevalent method of virus transmission on the planet, surpassing boot sector viruses (remember floppy diskettes?) and other formerly common methods.
  • by Tuxedo Jack ( 648130 ) on Tuesday February 10, 2004 @01:50AM (#8234757) Homepage
    So this could possibly be another tool for opening ports for spammers. Joy.

    Also, Roadrunner will clog your inbox with bounce messages or "sent from a RoadRunner IP" messages. I told my clients about this, and they've instituted a mail-block policy on any and all RR servers until they turn it off.
  • by PacoTaco ( 577292 ) on Tuesday February 10, 2004 @01:58AM (#8234789)
    For example, instead of scanning for machines, simply lie in wait on a computer, and when something connects to you on 3127, then attack and clean that computer, and only that computer.

    A cool enhancement would be to leave a friendly worm on the recently cleaned computer for a while (say a couple days) that cleans any other machine that attacks it. This would have a much greater impact without any scanning.

  • Re:mydoom source (Score:2, Interesting)

    by Eberlin ( 570874 ) on Tuesday February 10, 2004 @02:07AM (#8234825) Homepage
    First they did them as .exe files. Then came VBA (those word document worms). You could read the source on those if you really wanted to.

    Well, we're past that step -- them ol' VBScript virii were interesting reads. I used to have a tagline that went "support shared source -- virii in VBScript!"

    I suppose between the source/compile and the Amish virus, it'll be interesting. :)
  • by Mipmap ( 569611 ) on Tuesday February 10, 2004 @02:08AM (#8234827)
    I think the next "duh" security step for non-techies is to close up ports on their router, or if they don't have one (god forbid) on their ZoneAlarm installations.

    What's needed for most folks beyond e-mail (25 and 110), web (80 and 443), and dns (53)?

    Here's my router's log tonight. Look at all the 3127 hits. There's also a 3128 hit in there, surely a variant trying to sidestep someone closing a single port.

    Monday, February 09, 2004 12:50:06 PM Unrecognized access from 68.94.18.241:3677 to TCP port 3127
    Monday, February 09, 2004 12:50:09 PM Unrecognized access from 68.94.18.241:3677 to TCP port 3127
    Monday, February 09, 2004 12:50:15 PM Unrecognized access from 68.94.18.241:3677 to TCP port 3127
    Monday, February 09, 2004 12:55:13 PM Unrecognized access from 4.47.238.39:2458 to TCP port 445
    Monday, February 09, 2004 12:55:16 PM Unrecognized access from 4.47.238.39:2458 to TCP port 445
    Monday, February 09, 2004 12:55:24 PM Unrecognized access from 4.47.238.39:2458 to TCP port 445
    Monday, February 09, 2004 12:57:56 PM Unrecognized access from 212.0.203.24:1031 to UDP port 137
    Monday, February 09, 2004 12:58:12 PM Unrecognized access from 67.3.162.172:1945 to TCP port 3127
    Monday, February 09, 2004 12:58:15 PM Unrecognized access from 67.3.162.172:1945 to TCP port 3127
    Monday, February 09, 2004 12:58:21 PM Unrecognized access from 67.3.162.172:1945 to TCP port 3127
    Monday, February 09, 2004 1:13:40 PM Unrecognized access from 151.199.43.246:1314 to UDP port 137
    Monday, February 09, 2004 1:16:44 PM Unrecognized access from 200.174.67.136:4059 to TCP port 3127
    Monday, February 09, 2004 1:16:47 PM Unrecognized access from 200.174.67.136:4059 to TCP port 3127
    Monday, February 09, 2004 1:18:18 PM Unrecognized access from 81.7.107.247:3070 to TCP port 3127
    Monday, February 09, 2004 1:18:21 PM Unrecognized access from 81.7.107.247:3070 to TCP port 3127
    Monday, February 09, 2004 1:18:26 PM Unrecognized access from 81.7.107.247:3374 to TCP port 3128
    Monday, February 09, 2004 1:18:34 PM Unrecognized access from 81.7.107.247:3691 to TCP port 1080
    Monday, February 09, 2004 1:18:37 PM Unrecognized access from 81.7.107.247:3691 to TCP port 1080
    Monday, February 09, 2004 1:21:41 PM Unrecognized access from 61.223.128.16:3169 to TCP port 445
    Monday, February 09, 2004 1:21:44 PM Unrecognized access from 61.223.128.16:3169 to TCP port 445
    Monday, February 09, 2004 1:21:50 PM Unrecognized access from 61.223.128.16:3169 to TCP port 445
    Monday, February 09, 2004 1:24:28 PM Unrecognized access from 81.219.64.138:46674 to TCP port 1214
    Monday, February 09, 2004 1:24:31 PM Unrecognized access from 81.219.64.138:46674 to TCP port 1214
    Monday, February 09, 2004 1:24:37 PM Unrecognized access from 81.219.64.138:46674 to TCP port 1214
    Monday, February 09, 2004 1:27:37 PM Unrecognized access from 151.199.40.13:1634 to TCP port 445
    Monday, February 09, 2004 1:27:40 PM Unrecognized access from 151.199.40.13:1634 to TCP port 445
    Monday, February 09, 2004 1:27:46 PM Unrecognized access from 151.199.40.13:1634 to TCP port 445
    Monday, February 09, 2004 1:28:16 PM Unrecognized access from 80.2.66.105:3994 to TCP port 3127
    Monday, February 09, 2004 1:28:19 PM Unrecognized access from 80.2.66.105:3994 to TCP port 3127
    Monday, February 09, 2004 1:28:25 PM Unrecognized access from 80.2.66.105:3994 to TCP port 3127
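    An added example, not part of the comment above or of any tool the thread mentions: a small Python parser for this router's "Unrecognized access" line format that tallies distinct sources per port, lists which ports each source walked, and counts sources first seen on TCP 3127 per 10-minute window (the growth measure the ISC/DShield comment further down uses). The sample input is a subset of the log quoted above plus one constructed junk line to show that unparseable lines are skipped.

```python
"""Summarise 'Unrecognized access' router log lines to spot MyDoom backdoor (TCP 3127) scanners."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# TCP backdoor left by MyDoom.A/B; MyDoom.C/Doomjuice scans for it (per the thread).
MYDOOM_BACKDOOR_PORT = 3127

# Subset of the log quoted in the comment above, plus one constructed junk line.
SAMPLE_LOG = """\
Monday, February 09, 2004 12:50:06 PM Unrecognized access from 68.94.18.241:3677 to TCP port 3127
Monday, February 09, 2004 12:50:09 PM Unrecognized access from 68.94.18.241:3677 to TCP port 3127
Monday, February 09, 2004 12:55:13 PM Unrecognized access from 4.47.238.39:2458 to TCP port 445
Monday, February 09, 2004 12:57:56 PM Unrecognized access from 212.0.203.24:1031 to UDP port 137
Monday, February 09, 2004 12:58:12 PM Unrecognized access from 67.3.162.172:1945 to TCP port 3127
Monday, February 09, 2004 1:18:18 PM Unrecognized access from 81.7.107.247:3070 to TCP port 3127
Monday, February 09, 2004 1:18:26 PM Unrecognized access from 81.7.107.247:3374 to TCP port 3128
Monday, February 09, 2004 1:18:34 PM Unrecognized access from 81.7.107.247:3691 to TCP port 1080
Monday, February 09, 2004 1:28:16 PM Unrecognized access from 80.2.66.105:3994 to TCP port 3127
this line is constructed junk and must be skipped by the parser
"""


class Event(NamedTuple):
    ts: datetime
    src: str
    sport: int
    proto: str
    dport: int


# Matches exactly the router's line format as quoted in the comment.
LINE_RE = re.compile(
    r"^\w+, (?P<date>\w+ \d{1,2}, \d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Unrecognized access from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)


def parse_log(text: str) -> List[Event]:
    """Return one Event per well-formed line; lines in any other format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%B %d, %Y %I:%M:%S %p")
        events.append(Event(ts, m["src"], int(m["sport"]), m["proto"], int(m["dport"])))
    return events


def sources_per_port(events: List[Event]) -> Dict[Tuple[str, int], Set[str]]:
    """Map (proto, dport) -> distinct source IPs, to see which ports draw scanners."""
    out: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for e in events:
        out[(e.proto, e.dport)].add(e.src)
    return dict(out)


def ports_per_source(events: List[Event]) -> Dict[str, List[Tuple[str, int]]]:
    """Map src -> sorted distinct (proto, dport) probed; several ports from one source is a sweep, not a retry."""
    out: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for e in events:
        out[e.src].add((e.proto, e.dport))
    return {src: sorted(ports) for src, ports in out.items()}


def backdoor_scanners(events: List[Event], port: int = MYDOOM_BACKDOOR_PORT) -> List[str]:
    """Sorted IPs that probed TCP <port>: the 'probably infected' list to pass to their networks' admins."""
    return sorted({e.src for e in events if e.proto == "TCP" and e.dport == port})


def new_sources_per_window(events: List[Event], port: int = MYDOOM_BACKDOOR_PORT,
                           window_minutes: int = 10) -> Dict[datetime, int]:
    """Count sources first seen probing TCP <port> in each window starting at the earliest hit."""
    first_seen: Dict[str, datetime] = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.proto == "TCP" and e.dport == port and e.src not in first_seen:
            first_seen[e.src] = e.ts
    if not first_seen:
        return {}
    start = min(first_seen.values())
    width = timedelta(minutes=window_minutes)
    counts: Dict[datetime, int] = defaultdict(int)
    for ts in first_seen.values():
        counts[start + ((ts - start) // width) * width] += 1
    return dict(counts)


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for key, srcs in sorted(sources_per_port(EVENTS).items()):
        print(f"{key[0]}/{key[1]}: {len(srcs)} distinct source(s)")
    print("probed TCP 3127:", backdoor_scanners(EVENTS))
    for win, n in sorted(new_sources_per_window(EVENTS).items()):
        print(f"{win:%H:%M:%S}: {n} new 3127 scanner(s)")
```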
  • by gad_zuki! ( 70830 ) on Tuesday February 10, 2004 @02:36AM (#8234952)
    Exactly. Lots of computers running mydoom have a working anti-virus, it's just that the owners won't pay for updates or they have no clue what an update is or why it would expire.

    Granted it costs money to update virus scanners, but that should be part of the one time purchasing fee. I guess you get what you pay for, the last few Dells I've played with on the residential front came with McAfee that expired in TWO months.

    You can only blame the user for so much. They were sold lemons and they have to deal with lemons. If Dell et al cared about security they would cut a deal with the people from AVG or someone who can actually provide updates for free. Not to mention start ghosting their drives with service pack one and the patches for blaster. It would cost next to nothing to toss in a disk or CDROM with 'critical updates - install before putting computer on net' if moving up to a more current ghost image is too expensive.

    Personally, I don't see why ISPs can't get in on this. Every time I switch broadband providers they send a guy out to install crap on my PC. I usually stop them, but their install packages are simple ad-ware or PPPoE drivers. Why not toss in an anti-virus for a huge discount, if not free, if the computer doesn't have a working one? It's good for the network and it's good for the customer. Yes, it shouldn't be mandatory but for the average person it would be a great opportunity to get an up to date scanner. Heck, toss in a firewall while you're at it and make sure their windows update settings are correct. They could automate this when they put their ad-ware and change the name of IE to IE provided by Comcast crap.
  • by JPriest ( 547211 ) on Tuesday February 10, 2004 @02:49AM (#8234999) Homepage
    You do know that this is what Nachi did and it turned out to be worse than Blaster that it was sent out to get rid of. Why don't you just let the virus propagate for 48 hours then clean the disk while you are at it.
  • Re:MyQuake (Score:1, Interesting)

    by Anonymous Coward on Tuesday February 10, 2004 @02:51AM (#8235008)
    Then there is a virus called MyDukeNukemForever... it never actually gets around to mounting an attack, though...
  • by JPriest ( 547211 ) on Tuesday February 10, 2004 @02:58AM (#8235026) Homepage
    But the post you link in Google groups does prevent worms from using their OWN SMTP engines, forcing them instead to pass through a mail server run by a paid administrator that has the ability to add spam and virus filters. I think blocking dynamic IP addresses from mail servers is a great idea.
  • by CrystalFalcon ( 233559 ) on Tuesday February 10, 2004 @03:02AM (#8235044) Homepage
    From Internet Storm Center [sans.org] (emphasis mine):

    A new worm, named Doomjuice and MyDoom.C by various AV vendors, was identified. It spreads by exploiting the backdoor left by MyDoom.A and MyDoom.B. After infecting a system, it leaves a copy of the Mydoom.A source in a file named 'sync-src-1.00.tbz'. Doomjuice is also set to perform a DDOS against www.microsoft.com.
  • by Lars T. ( 470328 ) <Lars,Traeger&googlemail,com> on Tuesday February 10, 2004 @03:12AM (#8235078) Journal
    You make it sound like a bad thing - it can't get much worse. Instead of corporations, the best hackers would decide who runs America.
  • by JPriest ( 547211 ) on Tuesday February 10, 2004 @03:35AM (#8235184) Homepage
    Re AC: My suggestion is that the email client and attachments be sandboxed so the worm can't gain administrator access outright. It would be hard to write a worm to bypass all the firewalls people are using but there is no need. The same people that open these attachments are the same people that just click "yes" every time the firewall pops up a message.
  • by csk_1975 ( 721546 ) on Tuesday February 10, 2004 @04:17AM (#8235371)
    I questioned the 50,000 to 75,000 number as it seemed totally bogus and unrelated to the number of source IPs I'm seeing scanning my two class Cs. How can I see 10-15 different source IPs every 5-10 minutes if only 50,000 computers are infected worldwide?

    ISC [incidents.org] and dshield [dshield.org] are showing the number of sources scanning port 3127 building up at an alarming rate. The number of sources seems to be increasing by about 2000 every 10 minutes, which is much more in line with the number of sources I'm seeing scanning my backwater.
  • backscatter (Score:4, Interesting)

    by Tom ( 822 ) on Tuesday February 10, 2004 @05:13AM (#8235542) Homepage Journal
    Anyone got a good SpamAssassin or procmail rule to filter out the backscatter?

    I couldn't care less if it weren't for the flood of "you sent us an infected mail" spam that has been flooding my inbox for days because some stupid morons don't know that auto-notifications on virus scanners should be smashed, crucified, cooked in hot oil and quartered before being shot through the head with a shotgun because all the recent viruses fake the damn sender address.
  • by Anonymous Coward on Tuesday February 10, 2004 @05:35AM (#8235605)
    And a "counter-virus" would only make things worse. Sure, you eventually stop the original worm(s), but you also do more damage and risk opening up a can of worms in doing so.

    You don't need a counter 'virus'. You need a program which passively listens, and then patches the user's system on their behalf. The only systems you will patch are the infected ones which are actively attacking you.

    Patching them (via backdoor/exploit) won't increase traffic. It will decrease it. The small amount of traffic you send to their system shuts off their large flow of traffic. When systems stop attacking you, you're not generating traffic.
  • Re:MyDoom (Score:5, Interesting)

    by funwithstuff ( 555638 ) on Tuesday February 10, 2004 @07:17AM (#8235955) Homepage
    MyDoom got its name from a typo. The BBC says [bbc.co.uk]:
    The Mydoom virus gets its name from a spelling mistake in the code inside the virus. Instead of writing "my domain" the creator wrote "my doomain".
    But yeah, the anti-virus companies named it.
  • Re:Port 25 (Score:3, Interesting)

    by weave ( 48069 ) on Tuesday February 10, 2004 @08:16AM (#8236148) Journal
    If port 25 is blocked, we'd just get SMTP-over-HTTP within 6 months.

    Great timing on this post (for me). I just got done reading how Microsoft has implemented RPC over HTTP in Exchange Server 2003. What next? Redirect ports 137-139 and 445 over HTTP to allow file sharing through corporate firewalls? :(

  • by gnu-generation-one ( 717590 ) on Tuesday February 10, 2004 @09:20AM (#8236457) Homepage
    "Doomjuice is also set to perform a DDOS against www.microsoft.com."

    So by the reasoning of the popular media, this one must have been written by the US Justice Department, because it attacks microsoft?

  • Re:MyDoom (Score:2, Interesting)

    by MutantEnemy ( 545783 ) on Tuesday February 10, 2004 @09:49AM (#8236634) Homepage
    Not what MSNBC [msn.com] says...

    [The antivirus guy] named it MyDoom after spotting a line of text that included "mydom" (short for "my domain") in the virus code. "It was evident early on that this would be very big," he says. "I thought having 'doom' in the name would be appropriate."

  • Re:mydoom source (Score:4, Interesting)

    by glsunder ( 241984 ) on Tuesday February 10, 2004 @11:35AM (#8237709)
    Yes, that's true that it could include instructions on how to install the virus on linux, however, that requires that the victim can follow instructions. That wipes out the lower end of users who would have just clicked on it in windows. Plus, by making people pay more attention to what they're doing, there's a better chance that they'll think "hmm, this is fishy".

    Where you'll get into trouble, is you'll have assholes who write popular programs that require you to run as root, so every dumbass will be root. And users won't care at all. One example of software for windows like this is the sims -- it requires you run it as administrator. The sims is at the same time the most popular and most crappily written game of all time. That is scary.
