
January 24, 2004

Browned Off By Bagel?
Don't despair, learn about the latest Internet Worm, plus lots of new software previews

This week sees a further upsurge in free, updated software releases. But first, an alert about the Bagel (I-Worm.Bagle, W32/Bagle@MM, W32.Beagle.A@mm, W32/Bagle-A, Bagle) Worm, which is neither a cross-breed Beagle (dog) nor a piece of pastry! This Internet Worm affects all versions of Windows including XP and 2003, and spreads through an email attachment. The infected mail's body text always contains the text strings: Hi, body, Test =), with Test and yep in the sender's signature. The infected executable includes its own SMTP mail server that it uses to self-propagate.

The virus installs itself into your computer as BBEAGLE.EXE, very often as a stealth file pretending to be a sub-process belonging to the Windows Calculator (CALC.EXE). So if Calc is self-initializing once too often, it's likely you've been Bageled! Killing Calc doesn't terminate Bagel.

The worm is a product of post-anti-spam times, and includes several tricks to avoid becoming part of the Internet's spam deluge. But I'm getting ahead of myself. The Bagel worm searches for, and extracts email addresses from, files with WAB, TXT, HTM and HTML extensions. However, the gathered IDs are filtered to exclude any containing the strings .r1, @hotmail.com, @msn.com, @microsoft or @avp. The worm then sends email to the filtered address list. This is not an actual message but an independent probe to verify that the address exists and to query the name of the mail domain server from the latter's MX Record. It then uses these authenticated addresses and mail domain details to construct a spoofed header with a verifiable From address and mail server IP details, so that a cursory scan of the mail header won't ring alarm bells. And over the past week I have received several Bagelized emails, presumably from one, or many, infected users!

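A mail-triage check built from the traits described above (an executable attachment together with the Test =) body string and the Test/yep signature), as an added example that is not part of the original column. Both sample messages are constructed, and treating everything after the body string as the signature is an assumption.

```python
import email
from email import policy

BODY_MARKER = "Test =)"        # body string named in the column
SIG_MARKERS = ("Test", "yep")  # signature strings named in the column

def triage(raw):
    """Return the reasons a raw message matches the description (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, text = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/plain" and not name:
            text += part.get_content()
        elif name.endswith(".exe") or payload[:2] == b"MZ":
            # "MZ" is the DOS/PE header magic, so a renamed executable still matches.
            reasons.append("executable attachment: " + (name or "<unnamed>"))
    _, found, tail = text.partition(BODY_MARKER)
    if found:
        reasons.append("body marker")
        # Assumption: the signature is whatever follows the body marker.
        if all(m in tail for m in SIG_MARKERS):
            reasons.append("signature markers")
    return reasons

def is_suspect(raw):
    """Quarantine only when an executable and the body string occur together."""
    r = triage(raw)
    return "body marker" in r and any(x.startswith("executable") for x in r)

# Constructed sample: the attachment is 12 bytes of an MZ header, named .scr.
SAMPLE = (b"From: someone@example.test\nSubject: Hi\nMIME-Version: 1.0\n"
          b'Content-Type: multipart/mixed; boundary="b1"\n\n'
          b"--b1\nContent-Type: text/plain\n\nTest =)\nxkq\n--\nTest, yep.\n"
          b"--b1\nContent-Type: application/octet-stream\n"
          b'Content-Disposition: attachment; filename="xkq.scr"\n'
          b"Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA\n--b1--\n")

# Constructed benign mail that merely contains the body string.
BENIGN = (b"From: colleague@example.test\nSubject: printer\n"
          b"Content-Type: text/plain\n\nTest =) of the new printer went fine.\n")

if __name__ == "__main__":
    print(triage(SAMPLE), is_suspect(SAMPLE), is_suspect(BENIGN))
```

Requiring the attachment and the text together keeps an ordinary mail that happens to say "Test =)" out of quarantine.
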
The worm listens on Port 6777 for remote commands and allows a malicious user to take control of an infected system. The worm also polls 36 web sites for a .PHP update file. However, the actual file doesn't exist on the target sites, and all you get is lots of error traffic between your connection provider and the target site that consumes vast amounts of bandwidth! Most diabolical, and far more effective at crashing a web server than a Ping Flood, since this attack takes place using a seemingly legitimate request for a file!

The worm's current version self-deactivates on January 28, 2004 or later, restricting the infection span. Of course, it's highly probable that someone will adapt the virus and extend the timeout date for a new range of infections. Refer to your antivirus software's web site for detailed advice on removing the virus.

If you still lack a personal antivirus, check out AVG Antivirus. Version 6 has recently been updated (again) with some of its more irritating bugs excised. However, don't plan on installing it just before sending out an important email. You have to work with the product to properly set up the sending mail server's scanning, or mails will actually never leave!

If you also lack a firewall, or trust a bit too much in the efficacies and security consciousness of your Internet-over-cable provider or the ISP, Stop! The Personal Firewall Day site has been developed for folks like you. Launched on January 15, 2004, henceforth known as Personal Firewall Day, the site is endorsed by a consortium of software companies and security vendors including McAfee, Microsoft, Sygate, TruSecure, Zone Labs, the ITAA (Information Technology Association of America) and the SANS Institute. It offers information about security issues and the tools available, as well as software downloads and updates.

If you are looking for a no-cost tool to automate intra-office or network messaging, but don't want to struggle with bigger issues, look no further than the Jabber Project. This open-source initiative has developed separate chat servers and clients for the Win32, Linux and Unix/Unix-clone platforms. However, for the Win32 platform, of all the messenger clients, the best and most stable is Exodus. Most Jabber clients can also connect to MSN, Yahoo, AOL and ICQ, but often the Jabber Server needs to have these transports installed and running.

And while on the topic of instant messengers, Cerulean Studios' Trillian Professional is now available in v2.01. This build includes several Yahoo-induced patches as well as improved stability. I haven't actually downloaded and used a version, and Trillian Professional is no longer available in Try and Buy downloads. You pay first, then get your copy. I also found an online Trillian Community site that featured various improvements, updated files, discussions, tips 'n tweaks, feature articles and the inevitable links to cracked copies and more. If you IM a lot, do visit it. Do avoid using Trillian Pro 2.x to connect to a Jabber server unless you install the updated v1.1 available from the Trillian Community site. The JABBER.DLL plug-in offered by Cerulean Studios is very buggy. Only Trillian Pro versions support plug-in messengers.

WinZip too has been updated to version 9 Beta 3 Build 6007. The updates include changes to the AES-encryption format so that WinZip can read AES-encrypted files created in PKZIP for Windows. The file menu too has been upgraded to bring the most frequently used items to the fore and reduce the size of each menu. Also updated is the Zip add-in for Outlook (Beta 5 Build 6012). Make sure to download both files if you use Outlook.

Also announced is a new anti-spam add-in Beta software for Outlook 97/2000/XP. Trend Micro's Anti-Spam 1.0 offers an easy-to-configure interface to trap spam mail received in your Inbox. You can define the spam catching threshold (alert level) using heuristic rules, manage a separate quarantine folder, and set up personalized approved (white-) and blocked sender (black-) lists. The program also updates the developers about new spam patterns and senders, so that all users benefit.

Finally, lots of developments on the Fontifier service's free personal font development offer. Reader Anand actually bit and went through the hassle of downloading the template, penning his samples, scanning it all back into an image file and uploading the latter to the service. I haven't been able to view an example of the results (which he is quite happy with) because to view the personalized font you need to first install it into Windows! While a Windows 9x/ME user supposedly has an upper limit of 1000 fonts installed, Windows 2000/XP/2003 don't have any defined ceiling. Fonts are stored under a single registry key that's limited to 64 KB. Of course, from experience I know that regardless of the Windows version, 384 is the upper limit if you want to avoid system slowdowns and lockups. Readers who managed to break this number barrier, do write in giving your system configuration details.

So because I didn't have Anand's personal font installed, I couldn't view his emails except in 24 point Arial! Which, when you look at it objectively, is perhaps a solution to spam. Instead of white lists, suppose you could only view content using a specific personal font. The number of Windows fonts should be reduced to 3: system serif font, system sans serif font and symbols font. With the 384 limit, that allows me a personal font, plus 380 fonts belonging to correspondents. This truly neat solution will bring a standardization to how we view typefaces, resolve spam and generally reduce web-induced problems. I'm kicking myself for not having thought about it before!

And on that note we part. Let's meet next week.