Chronology Current Month Current Thread Current Date
[Year List] [Month List (current year)] [Date Index] [Thread Index] [Thread Prev] [Thread Next] [Date Prev] [Date Next]

Re: email virus/worm



Dear Rick,

Thanks for the message. This latest virus/worm has been the subject of
a number of stories in the news media.

The bottom like is that Microsoft does NOT send out email of this sort
to its customers.

If you get something that purports to be a Microsoft update, DELETE IT!

Mark

Dr. Mark H. Shapiro
Professor of Physics, Emeritus
California State University, Fullerton
Phone: 714 278-3884
FAX: 714 278-5810
email: mshapiro@fullerton.edu
web: http://chaos.fullerton.edu/Shapiro.html
travel and family pictures: http://community.webshots.com/user/mhshapiro




-----Original Message-----
From: Rick Tarara [mailto:rtarara@SAINTMARYS.EDU]
Sent: Thursday, September 25, 2003 10:55 AM
To: PHYS-L@lists.nau.edu
Subject: email virus/worm

For all of those on these lists being inundated by Microsoft Update
emails
and 'failure to deliver' notices (and I know there are many), check out
the
message below from the M$ newsgroup on viruses. At very least, it will
prove you are not alone. Unfortunately, I must suspect that some
members of
these lists have been infected because of the volume I keep getting--so
please, open NO attachments with executable files.

Rick Tarara

********************************************************

Copied message concerning multiple receipts of Microsoft Update and
'reciept failure' messages.
********************************************************


This worm has two main effects, and some secondary effects


I. Main effects

A. It infects venerable systems and networks.

B. It generates a FLOOD of infected e-mail that is sent to e-mail
addresses it harvests from infected machine and networks. These infected
e-mails are of two types

1. An HTML message that looks like a legitimate Microsoft
Security
Bulletin; the hotlinks in this message are valid Microsoft links, and
will
even lead you to a description that will allow you to identify this
e-mail
as bogus. The message has an attached 104 KByte file that contains the
worm. If you don't have all appropriate Microsoft security patches and
Service Packs installed, it may be possible for your system to be
infected
EVEN IF YOU DON'T OPEN THE MESSAGE. So far, the body of this message is
always the same, though the Subject and From lines differ widely. This
message, so far can be easily be blocked by detecting the string 'Run
attached file' in the body ( in fact, it would be a good practice to
consider ANY e-mail that contains this string AND has an attachment to
very,
very likely to carry an infection.

2. A plain text message that purports to be a notification of
an
'Undeliverable e-mail', with an attachment that purports to be a copy of
the
undeliverable e-mail; this attached file is 104 KBytes long and contains
the
worm. The Subject line, From line, and body present in thousands of
combinations, and probably will continue to mutate. Even worse, real
e-mail
addresses harvested from infected systems and networks are tagged onto
this
type of message, causing one of the secondary effects.

II. Secondary effects
A. Spam effect
1. Mailboxes with an e-mail address that has been harvested
from
infected systems and networks begin to be flood with infected e-mail.
[Personal example: my machines are not infected, but this worm began to
flood my mailbox 17SEP03. I now receive more than 1500 infected e-mail
messages per day. I must empty my mailbox every 5 minutes, 24/7 to
avoid
the possibility of having legitimate e-mail bounced. I had to install
an
application just to segregate the cleaned, previously infected e-mail
from legitimate e-mail (standard spam blockers can't do this.)
B. Notifications from mail services that DO scan for infected
messages, but unfortunately do not realize that the e-mail addresses
given
for the sender are either bogus or e-mail addresses harvested by the
worm.
Thus, completely innocent mailboxes have insult added to injury.

****

What can you do locally as an individual (i.e. in as
SmallOfficeHomeOffice
environment, and /or as a recreational user)?
#1. You can use a remote virus scan from one of the antivirus program
publishers
THEN
#2. You can remove any infections discovered
THEN
#3. You install a good antivirus program, keep it active, keep the
virus
definitions up-to-date (at the moment you should update these
definitions
EVERY day), and set to scan all incoming e-mails and downloads.
THEN
#4. You can install all appropriate Microsoft security patches and
Service
Packs.
THEN
#5. You can consider additional security (DCHP server, firewall, boric
acid
[for roaches], .....

If you begin to be flooded with these infected messages, COMPLAIN to
your
ISP; sent them this URL
http://xtra.co.nz/products/0,,8969,00.html of an ISP that scans incoming
e-mail before passing it to a mailbox. Ask for an increased in mailbox
size
(if you are getting 1500 of these infected e-mails per day, you will
need a
mailbox size over 150 MBytes just to avoid the necessity of completely
emptying it EVERY DAY. Ask about the implicit duty of the ISP to
provide
reliable e-mail service, and if they have received notification of any
pending class actions you might join. Ask if they will unbundle their
services so you can opt out of e-mail service save that cost. That's
about
all you can do about the e-mail flood; only your ISP or other e-mail
provider can come close to solving this problem.

When the e-mail flood becomes too painful, find an ISP or other e-mail
provider that DOES scan and discard infected e-mail before passing it to
your mailbox, and then change to that ISP and/or e-mail provider.
Changing
your e-mail address is no solution; as soon as your new e-mail address
is
harvested from an infected system or network, the problem starts again.

When a mailserver is scanning and not just deleting infected e-mail, but
is
also sending an e-mail to notify the sender, write the administrator a
nasty
note asking them to stop sending these notices.

****
That's about it; you can proof your system against infection, but only
changes at the mailserver level can stop reception of flood of infected
e-mails and increasing numbers of inappropriate notices that you've sent
infected e-mail.

Phil Weldon, pweldon@mindspring