OT - Severe Virus Warning

Started by Brent, Mar 19, 2004, 05:45:49 AM

Brent

Thanks to Microsoft, you don't even have to open an attachment to get infected now- just looking at your email will do it.



Net virus can strike unseen
 
Jeff Lee
CanWest News Service
Friday, March 19, 2004
 
 
Just looking at your e-mail can now deliver you the nastiest of new viruses.

Five new variants of a malicious e-mail virus released overnight Thursday on the Internet break new ground in that recipients are no longer required to open attachments to infect their computers.

The new variants of the Bagle virus -- which was first discovered in January -- exploit known flaws in Microsoft's Internet Explorer, Outlook and Media Player programs to run a small hyper text language message that downloads the virus directly into the target computer.

Although Microsoft issued a patch last October to fix the flaw, it may still not be enough to prevent new variants of the Bagle virus from infecting users' computers, according to a Korean antivirus company.

Eric Kwon, chief executive officer of Global Hauri, which identified three of the variants shortly after they were released, said his staff discovered the virus is still triggered if users try to save the message on computers that have already been patched with the Microsoft fix.

"We found that even a patched computer is still vulnerable if someone tries to save the message," Kwon said.

"This means people are going to have to change the way they send messages to one another."

In the past, viruses could be spread only by users opening e-mail attachments which would then trigger self-propagating "worm" programs embedded in the attachments.

But the new variants carry a web-based URL or hyper text message in the body of the e-mail that triggers the computer to secretly download a copy of the worm from already infected computers.

It also turns off some security and anti-virus programs, and even disables firewalls, according to Chris Belthoff, senior security analyst with Sophos, an antivirus and anti-spam company with offices in Vancouver.

"This is a pretty serious new twist, in that most people have learned not to open e-mails that have attachments they aren't expecting," Belthoff said from Sophos's lab in Boston, Mass.

http://www.canada.com/calgary/calgaryherald/news/story.html?id=27999f63-6e3a-4a86-b9b4-61df3d47f8db



New, more dangerous Net viruses unleashed
Latest variants no longer rely on telltale attachment to suspicious e-mail
 
Jeff Lee
Vancouver Sun
Friday, March 19, 2004
 
Nasty new viruses that can make computer users' financial and personal information available to hackers and are activated simply by looking at e-mail are working their way around the world, Internet security experts said Thursday.

The new and more dangerous variations of the Bagle virus -- first discovered in January -- have been unleashed with a new twist: users no longer have to open an accompanying attachment to get the virus.

Anti-virus experts say five new variants of the Bagle can defeat and disable security programs and anti-virus programs, rendering the machine vulnerable to cyberspace piracy.

"This is a pretty serious new twist, in that most people have learned not to open e-mails that have attachments they aren't expecting," said Chris Belthoff, a senior security analyst with Sophos, an anti-virus and anti-spam company with offices in Vancouver.

"That information is now useless in light of this new method being propagated by Bagle. Now, even looking at the message in a preview window is enough to kick it off."

Belthoff said the virus makes the computer available to hackers who can turn it into a platform from which to launch other attacks. It also allows hackers to install programs, such as keystroke-monitoring software that can harvest sensitive information.

"It can put all that into a file that someone can come back and take at their leisure," he said. "They can look and see a 16-digit number followed by what looks like an expiry date and conclude they have credit card information. It is pretty serious what this virus will allow people to do."

The new variants of the Bagle virus, known as Bagle-P, Q, R,- and T, exploit known flaws in Microsoft's Internet Explorer, Outlook and Media Player programs to run a small hypertext language message that downloads the virus directly into the target computer.

Although Microsoft issued a patch last October to fix the flaw, it may still not be enough to prevent new variants of the Bagle virus from infecting users' computers, according to a Korean anti-virus company.

Eric Kwon, chief executive officer of Global Hauri, which identified three of the variants shortly after they were released, said his staff discovered the virus is still triggered if users try to save the message on computers that have already been patched with the Microsoft fix.

"We found that even a patched computer is still vulnerable if someone tries to save the message," Kwon said. "This means people are going to have to change the way they send messages to one another."

Anti-virus companies around the world began reporting the new variants overnight as users began to open messages that did not contain attachments. Computers in Korea and Australia were first hit early Thursday, with thousands of machines being infected as people went to work. Computer users in Britain later began to experience problems.

Kwon, whose company has an office in San Jose, California, said the e-mail containing the viruses uses authentic subject lines to fool people into opening the message.

"In today's cyber post office, it is increasingly more difficult to tell friend from foe. One now must go the extra step of identifying and never opening e-mails with the titles of known Bagle virus subject lines (see sidebar) even though there is no attachment visible," he said.

Global Hauri's staff also found taunts written by the viruses' author warning people to "not even try" to build a defence. Belthoff said Sophos identified Bagle-S and T as variants of Bagle-R.

Belthoff said he can't verify Global Hauri's claim that the virus is still activated in patched computers.

He said the solution is to make sure computers have the latest Microsoft patches and also use anti-virus programs with up-to-date virus definitions.

Microsoft's patch can be found at http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx

- - -

BAGLE VIRUS HAS NEW VARIANTS

The new variants of the Bagle virus discovered Thursday are transmitted through an e-mail message without an attachment. The variants are known as Bagle-P, Bagle-Q, Bagle-R, Bagle-S and Bagle-T.

One anti-virus company, Sophos Inc., has found that Bagle-R avoids sending itself to addresses that include the following words: @hotmail, @msn, @microsoft, rating@, f-secur, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, root@, postmaster@

Here are some of the randomly-chosen subject lines the virus selects when mailing itself to other computers:

- E-mail account security warning.

- Notify about using the e-mail account.

- Warning about your e-mail account.

- Important notify about your e-mail account.

- Email account utilization warning.

- E-mail technical support warning.

- Email report.

- Important notify.

- Account notify.

- E-mail warning.

- Re: Msg reply.

- Re: Hello.

- Re: Yahoo!

- Re: Thank you!

- Re: Thanks :).

- Re: Document.

- RE: Text message.

- Incoming message.

- Encrypted document.

The viruses exploit a known flaw in Microsoft's Internet Explorer and Outlook programs.

Microsoft's patch can be found at: http://www.microsoft.com

Source: Sophos Inc., Global Hauri Inc., Microsoft Inc.


Kitty C.

Thanks, Brent.  I passed this on to our IS people.  This sounds vicious.
Handle every stressful situation like a dog........if you can't play with it or eat it, pee on it and walk away.......