Poor Outlook for email attachments

Just when I was getting back to my original stride, I tripped. Again. Will this plague of viruses never end? Digressing for a moment: first there were DOS-based strains like Cascade and Pakistani Brain. That's no good today, since Windows 2k, ME and XP don't even do DOS properly. As for Outlook-based strains like Melissa and ILoveYou, they too have been blocked by Microsoft. The latest viral manifestation is Linux-based.

That said, it's heads-up time in respect of the Magistr virus. This has gone from a proof-of-concept with a few outbreaks to a full-blown infection. Over the weekend, Europe started reporting multiple outbreaks, and it's a matter of time before the rest of the world too is infected. Because Magistr's payload is date-sensitive, dormant or already-infected systems will self-destruct in mid-month (13-15 April onwards). The virus will attack and destroy the contents of your storage media 30 days from the date the payload first executes on your PC. It also flushes the CMOS settings and even overwrites the BIOS information.

Incidentally, I think Microsoft has gone a wee bit overboard in its relentless, possibly ruthless approach to preventing any viral infectors from destroying the sanctity of your (often Microsoft-fueled) email. Unfortunately, you can't have an omelette without breaking a few eggs. And the latest Microsoft approach seems to follow this dictum.

The Office 2000 SR-2 update inadvertently ensured that my Outlook 2000 no longer permitted me access to executable attachments. The workaround was to import the Outlook .PST file into Outlook Express. No longer, because OE 6 too has now outlawed 30 different file types including .EXE, .BAT, .HLP, .JS, .VBS files, photo CD images, .SCR and even HTML application files. OE also warns you when you attach a file belonging to one of these outlawed formats. The downside is that there is no way (yet?) to disable the attachment restriction setting.

So if you, too, regularly receive .EXE attachments, including self-extracting compressed files, I recommend you get an account with an online storage space provider like Mydocsonline.com.

And as an end-piece, let me acquaint you with Adore. This Linux worm is a variant of the Ramen infector and essentially permits back-door entry into Linux systems. Ramen exploited 3 well-known 'holes' in Linux distributions. Patches were available for all three, yet many administrators had not bothered to update their installations. Adore takes advantage of a fourth flaw existing in versions with DNS enabled.

Adore replaces ps, the program administrators use to list currently running processes, with a copy that lists all programs except the worm. It then sends a copy of several key system files to four e-mail addresses: two in the United States and two in China. The worm is so named because each of these e-mail addresses uses the user name adore9nnn.

The worm also replaces ICMP (Internet Control Message Protocol), a basic Internet service, with an almost identical version. This opens the back door whenever it receives the proper command sequence from the Internet. ICMP is typically used to send error information from machine to machine. Then, after infecting the system and sending information through e-mail, the worm waits until 04:02 before deleting all its files, except the back door. Download the SANS Adorefind tool (http://www.sans.org/y2k/adore.htm) to check if your Linux system is compromised.
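A defender-side cross-check in the spirit of Adorefind, added here as an example (it is neither the SANS tool nor code from this column): it reads process IDs straight from the kernel's /proc and diffs them against what ps reports, so a ps binary that has been swapped for one that hides particular processes gives itself away. It assumes a Linux /proc filesystem and a ps that accepts `-e -o pid=`.

```shell
# Added example: compare the kernel's own process list (/proc) with what
# ps(1) reports. A ps patched to omit certain processes, as the column says
# Adore's replacement does, still leaves their PIDs visible under /proc.
# Assumes Linux /proc and a ps that accepts "-e -o pid=".

# PIDs straight from the kernel: numeric directory names under /proc.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# PIDs as reported by the (possibly tampered) ps binary.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# $1: kernel view, $2: ps view, both newline-separated lists of PIDs.
# Prints the PIDs present in the kernel view but absent from the ps view.
hidden_pids() {
    printf '%s\n' "$2" | awk -v kernel="$1" '
        { seen[$1] = 1 }
        END {
            n = split(kernel, k, "\n")
            for (i = 1; i <= n; i++)
                if (k[i] != "" && !(k[i] in seen)) print k[i]
        }'
}

# Take two snapshots a second apart and report only PIDs hidden in both,
# which filters out processes that merely exited between the /proc and ps
# reads. Returns 1 if anything is hidden from ps, 0 if the two views agree.
# Complement this with the package manager's file check (e.g. rpm -V procps).
check_ps_integrity() {
    first=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    sleep 1
    second=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    rc=0
    for pid in $first; do
        if printf '%s\n' "$second" | grep -qx "$pid"; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf 'hidden from ps: pid %s %s\n' "$pid" "$cmd"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    check_ps_integrity
fi
```

Run it as `sh check_ps.sh --check`; a clean system prints nothing and exits 0, while any PID the kernel knows about but ps does not is printed with its command line.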

Govind Menon