
Protect Your Computer from Viruses

During the week of 3/1 - 3/5/04, thousands of people received email messages
whose attachments were infected with one of several currently active viruses.

These virus messages fake the "FROM:" address so that the mail appears to come from a legitimate business, from someone you know, or even from yourself! The message text is written to trick you into opening the attachment. Once opened, the attachment infects your system, steals addresses from your email address book, and scans your hard drive
and any mapped network drives for additional email addresses to send itself to.

Some of these emails pretended to come from the PowerTurn mail server,
using almost any possible address at powerturn.com. We DID NOT send out these messages. The FROM address was forged by the attacker.

We want you to know that there are several things you can do to protect yourself from these malicious emails.

First of all, be sure that you are updating your virus definitions daily. If your antivirus software has an automatic update feature, turn it on, AND on active attack days (like this past week) go to the software vendor's web site and check for an additional update, because vendors often release more than one per day during an outbreak.

If your email program scans for viruses and alerts you that one was found in a message, rejoice: the program is doing its job! Delete the message --- don't open it. If your program doesn't tell you which message carried the virus, there are several ways you can tell:

If your inbox has a message with the From field set to your own address, delete it.

If a message is not from you and has an attachment, it is generally safer to delete it, unless you were expecting both the message and the attachment from that sender. Be extremely careful if the attachment has an .exe or .zip extension.

There are web sites where you can check whether a message matches a known virus attack. In the discussion below, we refer to several pages on the Symantec Norton AntiVirus web site, but other vendors offer similar information.

The Symantec Security Response page at
http://www.symantec.com/avcenter/index.html
contains links to details about the most active current viruses and links to download the daily virus definitions update. It also links to an on-line virus scan for the case where you think your system is infected and your local anti-virus program no longer runs (itself a typical symptom of an infected machine).

When you review the details of the various viruses, you'll see that some of the particularly malicious virus messages pretend to be warnings meant to frighten you into running the attached program, which then infects your system.

One such virus is the W32.Beagle.J@mm worm, which:

-Is a mass-mailing worm that opens a backdoor into your computer (on TCP port 2745) and uses its own email (SMTP) engine to spread, so it does not need your email program to send itself.
-Sends the attacker the IP address of the infected machine and the port on which the backdoor listens.
-Attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping copies of itself into folders that contain "shar" in their names.

The attachment is usually a .zip file, which you should not open. Note that this worm can ship the .zip password-protected, with the password given in the message text: a virus scanner on the mail server cannot look inside a password-protected archive, so the absence of a warning from your mail server is no proof that the attachment is clean.
The wording used in the message is listed on the details page for this worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html

A variant of this is the W32.Beagle.K@mm worm:
http://www.symantec.com/avcenter/venc/data/w32.beagle.k@mm.html

It sends out messages containing any of the following text (the misspellings are the attacker's --- a sure sign):

-Your e-mail account has been temporary disabled because of unauthorized access.

-Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.

-Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.

-We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.

-Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.

-Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions.

This worm fakes the "FROM:" field, usually setting it to one of the following:
management@<recipient domain>
administration@<recipient domain>
staff@<recipient domain>
noreply@<recipient domain>
support@<recipient domain>

Every virus goes by several names, depending on the anti-virus software
vendor. The W32.Beagle.K@mm worm is also known as:
Win32.Bagle.K [Computer Associates], Bagle.K [F-Secure], W32/Bagle.k@MM [McAfee],
W32/Bagle.K.worm [Panda], W32/Bagle-K [Sophos], WORM_BAGLE.K [Trend Micro]

If you are ever in doubt about a message, delete it! Don't even open it to look at the text. If your email program displays messages in web page (HTML) format, be very careful! Spammers and virus attackers can embed invisible elements in the text, such as a tiny image fetched from their web server, that report back to them that your address is live and that you opened the message. If your email program has an option to block the download of remote images in HTML mail, turn it on.

It's also a good idea to turn off the preview pane, because it opens each message automatically, and by then it is too late to prevent the invisible element from reporting back to the sender that you opened the message.

This is less of a problem if you read your messages off-line. With cable, DSL or any other "always on" connection, the message can report back without you knowing about it; with dial-up, cancel any attempt to connect to the Internet that pops up after you open a message.
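The warning signs described above (a FROM address equal to your own, a forged management@, administration@, staff@, noreply@ or support@ sender at your own domain, an .exe or .zip attachment, the worm's characteristic wording, and a hidden remote image in an HTML message) can be checked mechanically before you open a message. The following Python script is an added example for this page, not code from PowerTurn or Symantec; the four sample messages it checks are constructed for illustration, and the example.com and tracker.example addresses in them are placeholders.

```python
"""Flag the warning signs described in the text in raw e-mail messages.
Added example; the sample messages below are constructed, not real worm mail."""
import email
import re
from email import policy
from email.utils import parseaddr

# Local parts the W32.Beagle.K@mm worm forges at the recipient's own domain.
FORGED_LOCAL_PARTS = {"management", "administration", "staff", "noreply", "support"}

# Fragments of the worm's message text (the misspellings are the attacker's).
WORM_PHRASES = [
    "has been temporary disabled because of unauthorized access",
    "temporary unavaible for next two days",
    "because of improper using in next three days",
    "we warn you about some attacks on your e-mail account",
    "large ammount of viruses outgoing",
    "infected by a proxy-relay trojan server",
]

# Attachment types the article singles out.
RISKY_EXTENSIONS = (".exe", ".zip")

# A remote <img src="http://..."> in HTML mail is the invisible "report back"
# element: fetching it tells the sender the address is live and the mail was opened.
REMOTE_IMG = re.compile(r'<img[^>]+src\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def triage(raw: str) -> list[str]:
    """Return the warning flags found in one raw RFC 822 message (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    s_local, _, s_domain = sender.rpartition("@")
    r_domain = recipient.rpartition("@")[2]

    if sender and sender == recipient:            # claims to come from you
        flags.append("from-equals-to")
    if s_local in FORGED_LOCAL_PARTS and s_domain and s_domain == r_domain:
        flags.append(f"forged-from:{sender}")     # "official" sender at your own domain
    for part in msg.iter_attachments():           # .exe / .zip attachment
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky-attachment:{name}")

    # Worm wording; whitespace is normalised so line wrapping does not matter.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = " ".join(body.get_content().split()).lower() if body else ""
    for phrase in WORM_PHRASES:
        if phrase in text:
            flags.append(f"worm-phrase:{phrase}")

    html = msg.get_body(preferencelist=("html",))  # remote image in HTML mail
    if html is not None:
        for url in REMOTE_IMG.findall(html.get_content()):
            flags.append(f"remote-image:{url}")
    return flags


# Constructed samples (not real captures).
WORM_SAMPLE = """\
From: support@example.com
To: user@example.com
Subject: constructed sample: account notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.

--b1
Content-Type: application/zip; name="Info.zip"
Content-Disposition: attachment; filename="Info.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""
SELF_SAMPLE = "From: me@example.com\nTo: me@example.com\nSubject: constructed\n\nSee attached.\n"
WEBBUG_SAMPLE = """\
From: newsletter@tracker.example
To: user@example.com
Subject: constructed sample: HTML mail with a web bug
MIME-Version: 1.0
Content-Type: text/html

<html><body><p>Great deals this week!</p>
<img src="http://tracker.example/pixel.gif?id=abc123" width="1" height="1">
</body></html>
"""
CLEAN_SAMPLE = "From: colleague@example.com\nTo: user@example.com\nSubject: lunch\n\nNoon works for me.\n"

if __name__ == "__main__":
    for name, sample in [("worm", WORM_SAMPLE), ("self", SELF_SAMPLE),
                         ("webbug", WEBBUG_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{name:>7}: {triage(sample) or 'no warning signs'}")
```

The script only reads the message headers and text; it never opens an attachment or fetches an image, which is exactly the point: every check here can be done without giving the message a chance to run anything. A message with no flags is not proven safe, and one forged FROM address or risky attachment is reason enough to delete it.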

We hope this information is helpful to you. Remember, the time it takes to keep your system protected is measured in minutes. The time it takes to remove a virus infection from your system is measured in hours (and perhaps hundreds of dollars).