Re: bagle alert

  • Al Mierau
    Message 1 of 2 , Mar 19, 2004
      Hi Judii:
       
      Yes, that is true, but you would of course have to recognize that certain email, and if you have dozens of emails sitting for preview it is certainly easy to miss one of those.  And that is exactly what happened to a computer in the north end of Saskatoon late yesterday.  In regard to the new virus issue, the one with the attached hyperlink, it was my feeling that you would have to click on this hyperlink to be taken to an infected URL site, but I have now been informed that Outlook and Outlook Express will sometimes go to that hyperlink without you even having to ask for it, thus the serious nature of that type of e-mail.   And this information comes from another computer security expert I know; here is her reply.
       
      Apparently, Al, from what I understand...you do not have to click.
       Merely previewing it in the preview pane activates the virus...it
       works through a hole in security of IE and Outlook or OE (big shocker
       that). My guess is that the URL could be where it originates from

       Sara
       
      I just received several emails from one of the teachers on our LVS group in this regard.  Many of them have switched to Mozilla Thunderbird or Eudora.  I am in fact going to download the Tbird today, on my test computer, and see how it performs.   I will insert part of Beckie's emails after my signature here.   The Tbird can be found here.
      Beckie is a computer consultant in the States and has many clients and is disabling Outlook Express and Outlook on her clients' machines, and installing the software mentioned below.
       
      Al Mierau
      security consultant, Saskatoon.
       
      Hi Al,

      Yep it is.  I tried a lot of other programs and never found one I liked
      as much as NN Communicator 4.x so stayed with that old workhorse.  What
      I really wanted was a stand alone email program that would play with all
      browsers and easily import my email groups - most would only import the
      addresses not the myriad groups I have set up for client organizations. 
      The browser issue was important - I use Opera as my primary.  TBird has
      no problem with Opera, IE, Firefox (their standalone browser), Netscape,
      etc.  With the last version of TBird I found I really liked it!  So now
      I've switched over totally.

      One of the nice things about it is that I can make it look like OE for
      my clients in many ways, which is comforting if they are willing to
      switch.  There are some differences in operations, of course, but not
      too bad.  Oh, and you can have multiple identities (which was a pain
      under the old NN).  For those who have used NN email in the past,
      however, it is very similar so it feels comfortable to them too.

      Butzi and debbieT have both recently changed over and they were OE users
      I think, so they may have some good input on the subject.  There are a
      lot of plugins that can be added to expand the capability of the program.

      Yes, in TBird you can have all kinds of identities... multiple POPs or
      sub identities under 1 POP.  Let's see if I can pretend I understand it
      (wink):

      1.  I use bpetersinc address as my main POP3 email; all of my other
      email addresses simply forward to it.  [As an aside the reason I do that
      is because my ISP has subscribed to Postini for spam control and I LOVE
      that service!]  So what I can do with TBird is set up identities one of
      two ways:

      a.  I can set up my LVS address as if it was a totally separate POP even
      tho it's not - this gives me a totally separate set of folders for LVS
      email.  Different inbox, etc.  When I check my main email, I have
      filters in place that send LVS email to the LVS folder system.  When I
      use the LVS address to reply, however, my settings say "use my default
      identity's SMTP settings to send".

      b.  Or I can set up my LVS address as a sub identity of my bpetersinc
      identity and keep the LVS folders all in that inbox.

      If you have multiple POP3s, you can set up an identity for each of them
      and either use their outgoing server or stick with the default
      identity's SMTP server.  Each POP3 identity has its own set of folders,
      beginning with an Inbox.

      You can collect email for each identity by clicking on that identity in
      your Folder Pane and then on Get Mail; or you can add a plugin that
      automatically collects all of them.  In other words, connects to one
      then disconnects and moves on to the next.  You can of course also set
      any/all identities to auto collect email every so often.

      You can use any identity to answer email in any inbox/folder... it's
      accessible via a pulldown list in the email form.  It will default to
      the address for that identity but you then change it with a click.

      There is a plugin that lets you hold all written email and then send it
      all at once... some OE users really like this aspect.  The default is
      for it to send each email as you complete it and press Send.

      To uninstall and/or upgrade TBird in XP you simply delete the TBird
      folder in the Program directory of your computer.  All settings are
      stored in the User's default area in XP... I don't know where they
      install on Win9x but they have instructions on it.  Oh, and the email is
      kept in a Flat File so it's easy to search outside of the program for
      someone like me who needs archives of client email.  I simply copied out
      the old email files I wanted for archival purposes and removed them from
      my normal installation to keep it clean.  Same thing with the address
      books, if you have multiples.  You can add them back in as needed - I
      pulled out a huge client address book for a client I'm not working with
      right now and already tested adding it back.  Easy Peasy!  "-)

      Probably more than you asked.  hehehe.  I am having my morning coffee
      and got carried away.

      I think there is a lot of good about it.  It might not be for everyone
      yet, but they are really moving ahead with making it a really feature
      rich package.

      On the Bagle topic, the problem is that beginning with Variant Q (I
      think it said) you don't have to click on anything if you have the
      Preview Pane open.  That's the vulnerability... the coding in the
      embedded HTML in the email triggers just by viewing the email.  You
      know, it is really irritating that these people have nothing better to
      do than spend their time writing this stuff, isn't it?  Sheesh.  I can
      only imagine they have low self esteem and need to feel powerful. 
      shaking head.  Good luck with your friends' machines!

      Oh, back to the TBird issue:   They have a great help site, run by a
      volunteer.  The link to it is on the Mozilla site where you download it.

      Now I'm on a roll.  "-)

      I wanted to tell you one more thing, Al, that I really like in TBird... 
      the Filters.  Each identity (maybe not sub identities) has its own set
      of filters which you can configure and they of course auto run when
      email is coming in.  However, you can run any filter on any folder under
      that Identity.  What I use this for is I set up filters for email TO
      each of my current/ongoing clients... then I run the filter on my Sent
      folder and voila!  My replies get sorted and filed into the correct
      Client Archive folder!  That saves me a huge amount of time.  Once I've
      done that I can basically just delete the rest since I don't keep
      anything else.

      I forgot to specify in my earlier email that I set up the Local Folder
      system as my permanent archive and that those are the email files I will
      be searching and copying in/out as needed.

      And finally... there is a Junk Mail system in TBird.  You can turn on a
      "learning" feature as part of it.  So if something is not tagged as junk
      mail I highlight it and click a button, from then on anything like that
      is "learned" as junk mail and automatically goes to the Junk folder. 
      You can then look at the Junk Mail folder every now and then and empty
      it or mark something as Not Junk, which again the program "learns". 
      It's really nifty!

      Ok, I better get back to work now.   "-)

      Becky
       
       
      ----- Original Message -----
      Sent: Friday, March 19, 2004 9:49 AM
      Subject: FW: bagle alert

      This will be of interest/concern to many. 
       
      I'm willing to be corrected, but I believe that using a webmail or mailwasher tool that allows one to review/delete e-mail BEFORE it is migrated to one's computer is a way to dodge this particular virus threat.  If correction is needed, please reply to ALL.
       
      Al is a search engine-positioning consultant as well as a Mennonite family historian living in Saskatoon.
       
      In Kinship,
      Judith Rempel
      judith@...

      -----Original Message-----
      From: Al Mierau [mailto:almierau@...]
      Sent: Friday, March 19, 2004 6:48 AM
      To: almierau@...
      Subject: bagle alert

      From Al Mierau's desk.
      March 19, 2004
       
       
      Hackers unleash virus with a ‘twist’
       
       
       
      BY JEFF LEE
      CanWest News Service (The Vancouver Sun)
       
      VANCOUVER
      • Five new variants of an e-mail virus break new ground in that recipients are no longer required to open attachments to infect their computers. The new variants of the Bagle virus — which was discovered in January — exploit flaws in Microsoft’s Internet Explorer, Outlook and Media Player programs to run a small hyper text language message that downloads the virus directly into the target computer. Although Microsoft issued a patch last October to fix the flaws, it may not be enough to prevent new variants of the Bagle virus from infecting users’ computers, according to a Korean antivirus company.
      Eric Kwon, chief executive officer of Global Hauri, which identified three of the variants shortly after they were released overnight yesterday, said the virus is still triggered if users try to save the message on computers that have been patched with the Microsoft fix.
      “We found that even a patched computer is still vulnerable if someone tries to save the message,” Mr. Kwon said.
      Antivirus companies around the world began reporting the new variants, called Bagle-P, Q, R, S and T, overnight as users began to open messages that did not contain attachments. Computers in Korea and Australia were first hit early yesterday, with thousands of machines being infected as people went to work. Users in Britain later began to experience computer problems. The impact was expected to widen across time zones.
      In the past, viruses could be spread only by users opening email attachments, which would then trigger self-propagating “worm” programs embedded in the attachments. But the new variants carry a web-based URL or hyper text message in the body of the e-mail that triggers the computer to download a copy of the worm from infected computers.
      It turns off some security and antivirus programs and disables firewalls, according to Chris Belthoff, senior security analyst with Sophos, an antivirus company with offices in Vancouver.
      “This is a pretty serious new twist,” he said from Sophos’s antivirus lab in Boston.
    • H. Phil Duby
      Message 2 of 2 , Mar 20, 2004
        I have not seen a sample of the latest bagle incarnation yet, but the
        HTMLmodify plugin for SpamPal has blocked several virus emails before the
        virus checker got updated. SpamPal is another spam filtering tool like
        mailwasher. HTMLModify is an addon that looks for dangerous HTML usage /
        exploits, and 'breaks' them, so that the email program will not execute
        them. SpamPal and the plugins are free. See http://www.spampal.org/ for
        details.

        --
        Phil
        ----- Original Message -----
        From: Judith Rempel
        To: AFHS Dist-Gen ; MHSA List
        Cc: Al Mierau
        Sent: Friday, March 19, 2004 8:49 AM
        Subject: FW: bagle alert


        This will be of interest/concern to many.

        I'm willing to be corrected, but I believe that using a webmail or
        mailwasher tool that allows one to review/delete e-mail BEFORE it is
        migrated to one's computer is a way to dodge this particular virus threat.
        If correction is needed, please reply to ALL.

        Al is a search engine-positioning consultant as well as a Mennonite family
        historian living in Saskatoon.

        In Kinship,
        Judith Rempel
        judith@...

        -----Original Message-----
        From: Al Mierau [mailto:almierau@...]
        Sent: Friday, March 19, 2004 6:48 AM
        To: almierau@...
        Subject: bagle alert


        From Al Mierau's desk.
        March 19, 2004


        Hackers unleash virus with a 'twist'



        BY JEFF LEE
        CanWest News Service (The Vancouver Sun)

        VANCOUVER
        . Five new variants of an e-mail virus break new ground in that recipients
        are no longer required to open attachments to infect their computers. The
        new variants of the Bagle virus - which was discovered in January - exploit
        flaws in Microsoft's Internet Explorer, Outlook and Media Player programs to
        run a small hyper text language message that downloads the virus directly
        into the target computer. Although Microsoft issued a patch last October to
        fix the flaws, it may not be enough to prevent new variants of the Bagle
        virus from infecting users' computers, according to a Korean antivirus
        company.
        Eric Kwon, chief executive officer of Global Hauri, which identified three
        of the variants shortly after they were released overnight yesterday, said
        the virus is still triggered if users try to save the message on computers
        that have been patched with the Microsoft fix.
        "We found that even a patched computer is still vulnerable if someone tries
        to save the message," Mr. Kwon said.
        Antivirus companies around the world began reporting the new variants,
        called Bagle-P, Q, R, S and T, overnight as users began to open messages
        that did not contain attachments. Computers in Korea and Australia were
        first hit early yesterday, with thousands of machines being infected as
        people went to work. Users in Britain later began to experience computer
        problems. The impact was expected to widen across time zones.
        In the past, viruses could be spread only by users opening email
        attachments, which would then trigger self-propagating "worm" programs
        embedded in the attachments. But the new variants carry a web-based URL or
        hyper text message in the body of the e-mail that triggers the computer to
        download a copy of the worm from infected computers.
        It turns off some security and antivirus programs and disables firewalls,
        according to Chris Belthoff, senior security analyst with Sophos, an
        antivirus company with offices in Vancouver.
        "This is a pretty serious new twist," he said from Sophos's antivirus lab in
        Boston.


        http://www.afhs.ab.ca
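
The thread describes two defences: reviewing mail before it reaches the mail client, and a filter that finds dangerous HTML and "breaks" it so the client will not execute it. The sketch below is an added example of that general idea, not code from SpamPal, HTMLModify or anyone in this thread; the tag list, function names and sample message are assumptions made for the illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Illustrative set (chosen for this example) of elements that load or run
# something as soon as a mail client renders the message.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame", "meta", "base"}

class ActiveContentFinder(HTMLParser):
    """Collects active elements and on* event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.hits.append(tag)
        self.hits += [f"{tag}[{name}]" for name, _ in attrs if name.startswith("on")]

def scan_html(html_text):
    finder = ActiveContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits

def find_active_html(raw):
    """Return the active constructs found in every text/html part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [hit for part in msg.walk() if part.get_content_type() == "text/html"
            for hit in scan_html(part.get_content())]

def defang(raw):
    """Replace each flagged HTML part with a plain-text notice so nothing renders."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits = scan_html(part.get_content())
            if hits:
                part.set_content("[HTML part withheld, active content: %s]\n" % ", ".join(hits))
    return msg

# Constructed sample message (benign placeholder content, not a real specimen).
SAMPLE = (b"From: sender@example.invalid\r\nSubject: constructed sample\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
          b'<html><body onload="x()"><p>hello</p>'
          b'<object data="http://example.invalid/placeholder"></object></body></html>\r\n')

if __name__ == "__main__":
    print(find_active_html(SAMPLE))
    print(defang(SAMPLE).as_string())
```

Run before delivery to the mail client, a filter of this shape means the preview pane only ever sees the plain-text notice for a flagged message.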