Virus - Spyware - Spam - Scam - VACM Alerts from Automated PC Solutions
  Automated PC Solutions
      VACM - Virus Alerts for the Common Man


Greetings from The VACM Team,

In this issue:
------------------------------------
1. How to deal fearlessly with file attachments
     (learn and stick to just 2 simple steps- the safe way
     to open attachments)
2. New MAGISTR variant now making the rounds- VERY destructive!
3. New Law allows anyone to get your credit info.  Here's
       the simple way to keep your credit info private.
4. Protect yourself from script viruses that run just by
     looking at an email

*************************************************************
* 1. How to deal fearlessly with file attachments
*************************************************************
August has been a banner month for email viruses with 90% of our subscribers emailing us about SirCam and Magistr incidents.  We at APCS have recovered numerous networks/workstations from the SirCam virus for our clients this past month.  Having fixed all these systems, we feel it is our duty to spread the word about how to safely open and deal with file attachments.  Knowing just two simple things would have prevented all the SirCam infections we fixed.

And, as we mentioned in the table of contents, there is a new and more cunning version of Magistr going around that most antivirus software cannot detect because it uses ever changing subject and file attachment names.  This one also arrives as an attachment, and the steps we will teach you will keep  you safe from that one as well.

Most of us get attachments frequently.  How do you know which ones are safe and which ones are not?

Wouldn't it be great to know how to deal with file attachments without fear?
This VACM alert is going to help you do just that.

Even though everyone uses antivirus software, we have to wonder about the ever increasing numbers of virus infections and the ultimate cost of virus damages- low-ball estimate of $17 billion for last year.

Remember that new virus threats traveling via email simply spread faster than an antivirus update can. Worse yet, some antivirus software works better than others.  While SirCam spread rapidly before antivirus vendors made detection available, you might be surprised to know that some antivirus products STILL DO NOT protect you from SirCam.  

McAfee VirusScan, for example, has two settings that can subvert detection of SirCam- the fact that McAfee excludes the Recycle Bin from its scans and the fact that it does not scan .PIF and .LNK files.  

So, unless users fully understand the SirCam threat and the capabilities of their antivirus protection, even constant antivirus updates won't protect them from infection.  SirCam was a prime example of an email virus that arrived as an innocent looking attachment.  The first thing to do is learn how to make attachments not look innocent.  Armed with this knowledge and a couple of other tricks, you can deal fearlessly with file attachments.  So, on with the show...

What you should do...
-------------------------------------
Learn these two simple steps well, always follow them, and you won't have to be afraid of attachments.

1. Don't allow Windows to hide file extensions
(those three letters after the "." in the filename)

Why Microsoft ships Windows with its default settings being the most dangerous they can be is a mystery to all of us.  Well, I suppose it helps to keep the antivirus companies in business  :-O

By default, Windows is set to hide file extensions of known file types.  What this means to you is that you are easy prey to the most common type of email virus tactic, which is to mail an attachment with a filename that looks like something it is not.  The trick is that the virus hackers will simply name the file in such a way as to appear to be a JPG or something harmless because they know that most people's systems will not show the actual file extension.  For example, if your system is hiding file extensions, a file attachment of "MyDog.JPG.VBS" will appear in your email program as "MyDog.JPG", which leads you to believe that it is simply a picture, when in fact it is a VB script (a program that can do whatever the virus writer wants if you decide to double-click on it).  So, let's change the system setting that determines if file extensions are displayed or not...

To keep Windows from hiding file extensions, do this:
-Open Windows Explorer, then use the Explorer menu and choose View/Folder Options (or Tools/Folder Options, depending on what version of Windows you have).
-A window will appear.
-Click on the "View" tab.
-In the list of checkboxes on that screen, make sure you UNcheck "Hide file extensions for known file types".
-Then click on Apply.
-Then click on "Like Current Folder" to apply this setting to all folders.
-Then click OK on all windows to get back to your Windows Explorer window.

Depending on which folder you had selected when you started Windows Explorer, you might immediately notice that you can now see the file extensions for all your files (that you couldn't see before).  Actually, there are still some file types that Windows insists on hiding from you, but for our purposes today, this new setting will suffice.  We'll cover the more advanced UNhiding of extensions in a future VACM.

2. Next- NEVER just double click file attachments in
emails directly!!  There's a safe way...

Whenever I get file attachments, here's what I do:

-First, I do a LiveUpdate to get the latest virus definitions installed
(LiveUpdate is Norton, yours may differ.  Just get the latest
virus updates for your antivirus software installed.)

-Make VERY sure that your auto-protect is enabled (usually this means that the antivirus icon down in the system tray area does not have a red circle and line through it).

-Then go back to the email message with the attachment, right-click on the attachment and do a "Save As" (this may be done differently in email programs other than Outlook.  Just make sure you save the attachment to your hard drive, rather than opening it directly from within the email message by double-clicking on it).  I usually do the "Save As" and send the attachment right to my desktop where it's easy to get to later (for deleting or filing somewhere else).

So, what good did all that do?  

Well, first you got the most up-to-date virus protection.  Then, by doing the "Save As" you actually gave your AntiVirus software a chance to scan the file as it was being written to your disk (desktop, or folder you chose).  That's right- you made sure that your antivirus had a chance to look at the attachment.  

Plus, you got to see exactly what the filename was when you did the SaveAs.  If the filename ended in .VBS or .VBE or .PIF or .LNK or .SCR or .EXE or .CMD or .BAT, these are highly suspect.  Go ahead and do the SaveAs to let the virus scan happen, but you might still want to just delete the email since nobody has any business sending you a file of this type, unless they are trying to get  you to execute a virus program, that is.  BTW, if you get a .EXE or one of the other suspect file types, and it came from someone you know, you might just email them back and ask if they sent it to you and what it is.  Then wait for their reply before opening it.  They may not know they sent it to you if their system has a virus quietly sending infected emails to everyone that person knows.

Now, if the SaveAs completes without generating a warning from your antivirus, and it is really a valid file (such as a .DOC or .TXT or .XLS), only then should you consider opening the attachment.  You can double click on it from the email message, or you can double click the copy you saved to your desktop.  Either way, when you are done with the file, you have a copy on your desktop that you can either delete or move to a folder of your choice if it is something you wish to keep.
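
The two steps above can also be applied mechanically to a message. This added example (not part of the original alert) parses a constructed sample email, shows the name a hide-extensions view would display, and flags the suspect extensions listed above. The function names and the sample message are assumptions made for illustration.

```python
import email
from email import policy

# Extensions the alert above calls "highly suspect" at the end of a filename.
SUSPECT = {".vbs", ".vbe", ".pif", ".lnk", ".scr", ".exe", ".cmd", ".bat"}

# Constructed sample message (not a real email); attachment bodies are placeholders.
SAMPLE = """\
From: friend@example.com
To: you@example.com
Subject: pictures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

See attached.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="MyDog.JPG.VBS"

placeholder
--XX
Content-Type: application/msword
Content-Disposition: attachment; filename="Report.DOC"

placeholder
--XX--
"""

def split_ext(name):
    """Return (stem, final extension lower-cased); extension is '' if none."""
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext.lower()) if dot and stem else (name, "")

def review_attachment(name):
    """Report the real extension and what a hide-extensions view would show."""
    name = name.rstrip(" .")          # Windows ignores trailing spaces and dots
    stem, ext = split_ext(name)
    return {"name": name,
            "shown_when_hidden": stem if ext else name,  # assumes a registered type
            "suspect": ext in SUSPECT,
            "disguised": ext in SUSPECT and split_ext(stem)[1] != ""}

def review_message(raw):
    """Review every part of a raw message that carries a filename."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [review_attachment(p.get_filename()) for p in msg.walk() if p.get_filename()]
```

Calling review_message(SAMPLE) reports "MyDog.JPG.VBS" as suspect and disguised (shown as "MyDog.JPG" when extensions are hidden) and leaves "Report.DOC" unflagged.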

Follow these two simple tips always and never fear a file attachment again!



*************************************************************
* 2. New MAGISTR variant now making the
*       rounds- very destructive!
*************************************************************
Armed with your new knowledge in how to deal safely with file attachments, you won't have to worry too much about this one- as long as you adhere to those two simple steps.  

-as reported by About Virus...
First discovered infecting computers in mid-March 2001, the Magistr virus is considered a high risk threat. Cunningly, the virus sits on the infected user's system for a pre-determined period of time before unleashing its wrath which ranges from corrupting data to erasing critical information found in the system BIOS and overwriting sectors on the hard drive. Compounding the risk, on September 3, 2001 a new variant was discovered that was impervious to signature-based scanners. Reportedly, the new variant is an "improved" version of the original Magistr, making the rendering of its malicious payload far more likely.

New variants of Magistr are particularly threatening. Because Magistr sends itself with random filenames, random subject lines, and random message bodies, traditional filtering mechanisms (i.e. lexical analysis or filtering on keywords) will not work. In such a case filtering of all executables remains the most viable defense against this type of email-borne threat.

Specifically, Magistr is a mass-mailing email worm arriving as an .EXE attachment. The filename itself varies, and it may include one or more files that are not part of the infection but rather were lifted from the infected user's machine. If the .EXE file is run, the virus will copy itself to the Windows\System directory, infect Windows 32-bit portable executable files on the system, and will also register itself to run each time the system is rebooted. To do so, Magistr modifies the registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\filename

The filename designated will be whatever the virus was received as with the last digit decreased by a factor of 1. Thus, if the infected executable is received as ABCDEFG.EXE the name saved in the Windows\System directory and targeted in the registry becomes ABCDEFF.EXE.

The worm could also install itself via the WIN.INI file's LOAD= line, in which case the pointer would again be to the copy of itself in the Windows\System directory.

In any event, five minutes after the virus was initially run, it begins a mass-mailing routine based on addresses found in Outlook, Outlook Express, and even Netscape Mail. The body and subject line of the email appear to be derived from files or emails on the infected user's system. This could either cause the email message carrying the virus to appear filled with gibberish, or conversely, the chosen text could lend an air of legitimacy.

Describing it as an "anti-emulation, polymorphic with advanced infection algorithms," Patrick Nolan, virus researcher for McAfee AVERT, says this newest threat "sets up tricks to make it harder for virus researchers to debug it." Not being able to predict, with 100% accuracy, what Magistr will do next makes detecting it all the harder.
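
A check for the autostart entries described in this report, as an added example that is not part of the original alert or the quoted report: given the attachment name as received, it derives the installed-copy name (reading the rule as stepping the last character of the name back by one, as in the report's ABCDEFG.EXE example) and looks for it among Run values and on the WIN.INI LOAD= line. The Run values and WIN.INI text are constructed sample data, and the function names are hypothetical.

```python
import configparser
import ntpath

# Constructed sample data: Run values as {value name: command} and WIN.INI text.
RUN_VALUES = {"ABCDEFF": r"C:\WINDOWS\SYSTEM\ABCDEFF.EXE", "SystemTray": "SysTray.Exe"}
WININI = "[windows]\nload=C:\\WINDOWS\\SYSTEM\\ABCDEFF.EXE\nrun=\n"

def dropped_name(received):
    """Installed-copy name per the report: last character of the base name
    stepped back by one (ABCDEFG.EXE -> ABCDEFF.EXE)."""
    stem, ext = ntpath.splitext(ntpath.basename(received))
    if not stem:
        return None
    return (stem[:-1] + chr(ord(stem[-1]) - 1) + ext).upper()

def load_targets(winini_text):
    """Programs listed on the LOAD= line of the [windows] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(winini_text)
    if not cp.has_section("windows"):
        return []
    return (cp.get("windows", "load", fallback="") or "").split()

def find_autostarts(received, run_values, winini_text):
    """Autostart entries that point at the expected installed copy."""
    want = dropped_name(received)
    hits = []
    # Assumes each command is a bare path with no arguments.
    for value_name, command in run_values.items():
        if ntpath.basename(command.strip('" ')).upper() == want:
            hits.append(("Run", value_name, command))
    for target in load_targets(winini_text):
        if ntpath.basename(target).upper() == want:
            hits.append(("WIN.INI LOAD=", "load", target))
    return hits
```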



*******************************************************
* 3. New Law allows anyone to get your credit info
*******************************************************
Thanks to our subscriber, Richard, for this valuable bit of info.
We haven't checked it out yet, but definitely will be doing so
in the near future !!

> Just wanted to let everyone know who hasn't
> already heard, the four major
> credit bureaus in the US are allowed,
> starting July 1, to release your
> credit info, mailing addresses, phone numbers,
> etc. to anyone who requests it. If you would
> like to 'opt out' of this release of info, you can
> call 1-888-567-8688. It only takes a couple of
> minutes to do, and you can take
> care of anyone else in the household while making
> only one call. You'll just need to know their
> social security number. Be sure to listen closely,
> the first opt out is only for two years, make
> sure you wait until they prompt you to press '3'
> on your phone keypad to opt out for good.
>
> *******PASS THIS MESSAGE ON TO ALL*******


*******************************************************
* 4. Protect yourself from script viruses that run just by
*       looking at an email
*******************************************************
We made this technique available to our subscribers months ago.  Again,
this is a simple case of setting Windows settings properly.
To protect yourself from script viruses that run all by themselves just by viewing an email, visit the VACM archives and click on the "Do This First..." link.

The VACM archives are here.


*******************************************************
* In Closing...
*******************************************************
Well, that's all we have time for in this edition.  It was lengthy, I know, but very important information that can save you lots of aggravation!




Best Regards,
Marc Deschenes, VACM Editor
The VACM Project at
Automated PC Solutions

 

*** Be sure to check out the appendix at the end of this alert
if you are having trouble booting your computer into "Safe Mode".
The process is all spelled out for you there.

 


******** APPENDIX - Handy How-To Tips **********


  * How To Boot into Safe Mode

Shut the computer down so that the power is off.

Turn the computer on, wait 1 second and begin pressing the F8 key
on the keyboard, once every second repeatedly. Do this until
the Windows Startup Menu appears. If you get a keyboard
error, press F1 to resume and then continue pressing the
F8 key once every second, or your PC may tell you to press another key for BIOS setup.

Select Safe Mode from the Windows Startup Menu, then press
the Enter key on the keyboard.

Windows will then boot into Safe Mode.
NOTE: This may take longer than a normal boot.

At the end of the boot process a dialog box will appear
informing you that Windows is in Safe Mode. Click OK on this dialog box.

Windows is now in Safe Mode.

If you miss hitting the F8 at the right time, Windows will boot
normally and you will not see the "Safe Mode" message.  In this
case, start from the top of these instructions until you get the
boot menu screen where you can choose "Safe Mode".  This can be
a little tricky the first time you do it.

 

 

 

 
