March 07, 2004
It Just Happened One Night
How Freeloader was nearly Bagelized, then learned to detect and remove this insidious worm. Webmonkey's going to die on March 15, so you'd better visit it now, and a couple of free Web search tools.
Something very interesting happened the other night. I was on-line (as usual) in the wee small hours, checking mail and surfing the web, when I chanced across, in my company account's mail, a message purportedly from the server administrator warning that I'd committed a grievous sin! If I didn't respond within 48 hours my account would be terminated. The mail appeared almost normal but was composed with rather unnatural, machine-like language constructs, with lots of space between words, as if the writer was unfamiliar with the English language.
The subject also ended with a period, as if it had been plucked from a sentence. But the real giveaway was the signature, which claimed to come from my company's Mail Domain Administrator. Most suspicious, as I didn't remember sending such a message to anyone, least of all myself!
The suspect mail, titled "E-mail account disabling warning.", read:

Dear user, the management of www.mycompany.com mailing system wants to let you know that,
Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.
Please, read the attach for further details.
For security purposes the attached file is password protected. Password is "33107".
Sincerely,
The mycompany.com team

with an attached file titled INFORMATION.ZIP. Now why would I want to "resign" my account? Terminate, yes, but resign? And then the penny dropped: I'd been Bagelized! It seems that several colleagues received identical messages. Luckily, a bad (and recurring) Klez infection in mid-2003 had alerted even the most narcoleptic among them that viruses were a real danger and that you needed to be careful about which email attachments you opened. Most have their email client's security set to its highest level, which blocks all mail attachments regardless of sender or file type! The Bagle problem is so severe (shades of Nimda and Code Red?) that web-based mail services like Novell's MyRealBox (http://www.myrealbox.com) have posted an alert asking users to watch for any message with one of the following subjects:
- Notify about using the e-mail account.
- Warning about your e-mail account.
- Important notify about your e-mail account.
- Email account utilization warning.
- Notify about your e-mail account utilization.
- E-mail account disabling warning.
- E-mail account security warning.
and to immediately delete and purge it without opening the attachment.
But what makes the Win32.Bagle.mm virus so dangerous is that its payload is contained in a password-protected Zip file. The worm may take advantage of a newly revealed vulnerability in the Zip/Unzip protocol where the very password used to view the file contents is the bomb trigger! Unfortunately most anti-virus software is (still) unable to scan inside .ZIP files for viruses, a weakness Bagle's developer has exploited so well, even though this isn't the first virus to be compressed in a ZIP archive. I've seen viruses that were double-archived, so that can't be the root of the problem. It's more likely that while we commonly scan file downloads, the unzip tools we use don't link to an installed virus scanner to check archives before opening them.
The worm also targets most commercial and freeware anti-virus software. On infected systems it runs every 10 seconds, scanning for and terminating any security software processes. It also opens port 2745 to receive commands from a remote attacker and in some instances queries a remote machine at 151.201.0.39 for DNS services. Although the current version (Bagle.K) self-destructs on March 14, the next incremental version will raise the bar again, increasing proliferation. Bagle also targets P2P file-sharing networks: it searches for folders with "shar" in their name, then copies itself there under names such as Microsoft Office 2003 Crack, Microsoft Office XP working Crack, WinXP Crack, Serials.txt.exe, Windown Longhorn Beta Leak.exe, Opera 8 New!.exe, Matrix 3 Revolution English Subtitles.exe, Adobe Photoshop 9 full.exe, etc. Instead of attempting to remove the worm by editing the Registry, it's better to use a system cleaner from BitDefender, Trend Micro System Cleaner, the McAfee AVERT Stinger Anti-Bagle utility or F-Secure's Bagle Remover, or try out a free spyware scan.
And while on the topic of spyware and adware, Patrick Kolla, of SpyBot Search & Destroy (a reliable, frequently updated spyware removal tool) fame, has compiled a list of such software.
If you are looking for a great place to learn about web development, I'd direct you to Webmonkey. But only until March 14, 2004, when the site is scheduled to be taken offline forever. The full story is here, courtesy of Wired columnist Paul Boutin. If you don't get an opportunity, or lack the bandwidth, to download a personal copy, the Wayback Machine may be able to help you with pages from 1998 through 2003.
There's an interesting free utility, the Intel Active Monitor for Intel Desktop Boards. It only works with the real thing, not with clones like Krypton or Tomato. It tracks system and processor temperatures, power supply voltage and fan speeds using sensors embedded within the board, and alerts the user in the event of a component failure. For aficionados, Total Commander 6.02 is available, as is a free Net search utility, RAX Search. However, I haven't downloaded it, as I prefer to trust the open-source Dave's Quick Search Deskbar, which lets anyone with some HTML development experience customize it further.
That's enough for now. Until next week, Stay Safe! Click Here to Email Me
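As an added example (not part of the original column), here is a small Python check that flags the three traits of the lure described above without opening the archive: a subject from the MyRealBox list, a .zip attachment whose encryption flag is set, and the archive password quoted in the body. The sample message and archive are constructed inline; the INFORMATION.ZIP name comes from the post, everything else in the sample is an assumption.

```python
import email
import io
import zipfile
from email.message import EmailMessage
BAGLE_SUBJECTS = {  # the subject lines quoted in the MyRealBox alert above
    "Notify about using the e-mail account.", "Warning about your e-mail account.",
    "Important notify about your e-mail account.", "Email account utilization warning.",
    "Notify about your e-mail account utilization.", "E-mail account disabling warning.",
    "E-mail account security warning.",
}
def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry has the ZIP 'encrypted' general-purpose flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:  # not a parseable archive: leave it to other checks
        return False

def bagle_indicators(raw_message: bytes) -> list:
    """Return the Bagle lure traits found in one RFC 822 message (empty list if none)."""
    msg = email.message_from_bytes(raw_message)
    hits = ["known Bagle subject"] if (msg["Subject"] or "").strip() in BAGLE_SUBJECTS else []
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name, payload = part.get_filename() or "", part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and zip_is_encrypted(payload):
            hits.append("password-protected zip attachment")
        elif part.get_content_type() == "text/plain":
            body += payload.decode(errors="replace")
    if "password is" in body.lower():  # the lure quotes the archive password in the body
        hits.append("password quoted in body")
    return hits
def make_flagged_zip() -> bytes:
    # Constructed sample: a harmless stored archive; zipfile cannot write encrypted entries,
    # so bit 0 of the flag word is patched in the local header (+6) and central entry (+8).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INFORMATION.TXT", b"placeholder text, not a payload")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 1
    data[data.find(b"PK\x01\x02") + 8] |= 1
    return bytes(data)

def constructed_lure() -> bytes:
    msg = EmailMessage()  # constructed message mimicking the lure quoted above
    msg["Subject"] = "E-mail account disabling warning."
    msg.set_content('Dear user, ... the attached file is password protected. Password is "33107".')
    msg.add_attachment(make_flagged_zip(), maintype="application", subtype="zip", filename="INFORMATION.ZIP")
    return msg.as_bytes()
```

Checking the encryption bit is something a mail gateway can do even when it cannot look inside the archive, which is exactly the gap the post describes.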