March 14, 2004
Dreaming Different Ways to Get You
Sober.D worm pretends to come from Microsoft, Office XP SP-3, slipstreaming Office security updates, Firefox 0.8+, Thunderbird optimization, free image editor, and advanced free zip/unzip software
In this week's virus and worm alerts little has changed. Bagle has a twist: Bagle.M uses .RAR instead of .ZIP for infected attachments. And if you are part of a European or North American business network, do stay alert for a spoofed Microsoft patch (again). The Sober.D (I-Worm.Sober.D, W32/Sober.d@MM, W32.Sober.D@mm, W32/Roca-A, Sober.D) worm pretends to be a Microsoft-engineered solution against the MyDoom virus!
The infected mail is titled "Microsoft Alert: Please Read!" (English) or "Microsoft Alarm: Bitte Lesen!" (German), and the sender's address ends with a Microsoft-managed domain in Germany, Israel, Switzerland or Austria. The message body reads:
English:

New MyDoom Virus Variant Detected! A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Please download this digitally signed attachment. Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468. Protection: This Update includes the functionality of previously released patches. +++ 2004 Microsoft Corporation. All rights reserved. +++ One Microsoft Way, Redmond, Washington 98052 +++ Restricted Rights at 48 CFR 52.227-19

Or German (translated here from the original German):

New W32.Mydoom virus variant spreading fast. A new Mydoom variant is currently spreading extremely fast across the Internet. Like its predecessors, the worm sends itself by e-mail from infected Windows machines to further addresses. It also installs a dangerous Trojan on infected systems! Leading virus specialists are already reporting an increased incidence of W32.Mydoom, alias W32.Novarg. Please update your system with the patch to protect yourself against this pest! +++ 2004 Microsoft Corporation. All rights reserved. +++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1 +++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

The file attachment is either a .ZIP or .EXE file titled Patch, MS-Security, MS-UD, UpDate, sys-patch or MS-Q. This virus does nothing constructive except scan your hard drive for email addresses to send copies of itself to using its built-in SMTP engine!

Do remain alert for socially-engineered mail that's clearly intended to spoof (fool) recipients into believing the message is genuine. The first such message supposedly originates from Citibank NA and wants you to confirm your ATM card and PIN numbers via a web-based form. I immediately identified it as a fake. How so? Ask yourself why Citibank, with its own extensive corporate network worldwide, would be using a Yahoo.com mailing address. The language used too was very stilted, and although I don't remember (now) the exact phraseology, it seemed to have been built using an AI (artificial intelligence) algorithm that strung together seemingly-alike phrases, but not as someone writing good English grammar would compose! This specific spoof only works with Internet Explorer, which includes a vulnerability that allows a JavaScript redirect, so that the address displayed in the Address Bar is not the real address of the web page viewed! The full details, with patches for your IE version, are available in Microsoft Security Bulletin MS04-004.

The second spoof was generated by a Bagle-infected computer. In last week's column I mentioned how users of my company's mail system received warnings from the system administrator that their accounts would be suspended. Except I, the sysadmin, didn't remember sending anything of the sort. And my computer wasn't infected either. Back-tracing the mail found a spoofed URL whose Net block ID was assigned to China! Read more on zombie/hijacked Net blocks.

The third spoofed mail was delivered to a Yahoo account and wanted me to confirm my Yahoo ID and password. In light of recent security-related developments it was quite tame, and I deleted it without so much as a second glance. But the problem appears widespread enough for Yahoo to include an alert for email users, complete with a special ID -- spoof@yahoo-inc.com.

Actually the best defense against viruses is mental alertness. Also, if your email client can display message size and whether an attachment is included (most do), enable these features. Stay alert for email with attachments that is 24-32 kB in size and whose subject includes "RE:", as it is most probably (99.99%) an infected email, even if the sender's address (seems to) belong to a friend or colleague.

If you use Microsoft Office XP, Service Pack-3 was released last week. In the grand Microsoft tradition this release contains all files included in SP-1, SP-2 and incremental patches up to SP-3. SP-3 Lite, for others who keep their computers fully updated, is a 17 MB download, but I recommend the 75 MB full kablooey. If you have a (legal) copy of Office XP and would like to build a fully-patched version, you need to copy the Office XP CD contents to a folder on your hard drive, then download the administrative version, and finally slipstream the update into Office XP. End by burning the newly-updated copy to a CD. And finally reinstall the newly updated copy to your computer so that you get the benefit of the latest patches. Outlook XP users should also download a program-specific update to resolve a flaw discovered a day after Office XP SP-3 was released. The vulnerability allows a malicious developer to configure a spoofed Outlook Today page that in turn executes scripts on the redirected page in the Local (very-low) security zone instead of the default Internet (High) security zone.

On the free-software side, Mozilla has released yet another Firefox (née Firebird, and previously Phoenix) browser. Version 0.8+ is very stable, unlike previous x.8 versions. However, it is a resource hog. Ten tabs used 52 MB of RAM. And although the browser seemingly reduces memory use on minimize to 1.3 MB of RAM, every minute the memory usage would increase by 1.5 MB, even though no pages were being reloaded!

In NetMeter I have found an excellent free bandwidth monitor that offers a visible meter bar with a transparency option (Windows 2000 or later) and a unique "click-thru" feature that allows the bar to be displayed without blocking access to the application menu controls it overlays. Also included is a tabbed report of data uploaded and downloaded on a daily, weekly and monthly basis, with an export to .CSV option. Great for users on fixed usage plans, who can define a maximum transfer figure and then receive an alert when it is exceeded.

I also found Photofiltre, a free image editor with some very advanced features. The program has an English interface, but the developer's site, tutorials and add-in packs are in French! I recommend using MyIE2's built-in WorldLingo translator to understand how to use this advanced image editor, which also includes a JPEG2000 import/export feature, the first I've found in free software.

If you use Thunderbird, then you definitely need Thundertray, a free utility with command-line tweaks to speed up launching Thunderbird. Installing is really easy: just unzip the files to your Thunderbird folder. And if you still don't have an unzip utility and depend on Windows XP's rather feature-limited offering, look no further than JustZIPit, which offers extremely fast compression using both the default .ZIP and the new Zip64 super-archive formats. It can also extract files from .CAB, .GZ and .TAR archives. It comes at the ideal price: free.

That's it for this week. Stay Safe!
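As an added example (not code from the column or from any vendor), here is a small Python triage routine that applies the column's own warning signs to incoming mail: the Sober.D subject lines and attachment names, a sender under microsoft.de/.il/.ch/.at (my assumption for the "Microsoft-managed domain" the column mentions), the 24-32 kB "RE:" rule of thumb, and the brand/sender mismatch of the Citibank mail. The sample messages are constructed inline, not real captures.

```python
"""Mail-triage heuristics drawn from this column (added example, not the column's code)."""
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Lure traits the column describes for Sober.D.
SOBER_SUBJECTS = {"microsoft alert: please read!", "microsoft alarm: bitte lesen!"}
SOBER_ATTACH_NAMES = {"patch", "ms-security", "ms-ud", "update", "sys-patch", "ms-q"}
SOBER_EXTS = {"zip", "exe"}
# Assumption: the "Microsoft-managed domains" are the country TLDs named in the column.
SOBER_SENDER = re.compile(r"@microsoft\.(de|il|ch|at)>?$")

def attachments(msg: Message):
    """Yield (filename, decoded size in bytes) for every attachment part."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name, len(part.get_payload(decode=True) or b"")

def flags(raw: str) -> list[str]:
    """Return the heuristic hits for one RFC 822 message given as text."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    sender = (msg.get("From") or "").strip().lower()
    hits = []
    if subject.lower() in SOBER_SUBJECTS:
        hits.append("sober-subject")
    if SOBER_SENDER.search(sender):
        hits.append("sober-sender")
    for name, size in attachments(msg):
        stem, _, ext = name.lower().rpartition(".")
        if stem in SOBER_ATTACH_NAMES and ext in SOBER_EXTS:
            hits.append("sober-attachment")
        # Columnist's rule of thumb: "RE:" subject plus a 24-32 kB attachment.
        if subject.upper().startswith("RE:") and 24 * 1024 <= size <= 32 * 1024:
            hits.append("re-small-attachment")
    # Brand/sender mismatch, as in the Citibank mail sent from a Yahoo address.
    if "citibank" in subject.lower() and sender.endswith(("@yahoo.com", "@yahoo.com>")):
        hits.append("brand-domain-mismatch")
    return hits

def build_sample(subject: str, sender: str, attach_name: str, size: int) -> str:
    """Construct a test message (not a real capture) with one binary attachment."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, "user@example.com"
    m.set_content("Please download this digitally signed attachment.")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_string()

if __name__ == "__main__":
    print(flags(build_sample("Microsoft Alert: Please Read!", "alert@microsoft.de", "Patch.zip", 30000)))
```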