Guest guest
Posted March 24, 2004

Hackers are using new tactics to spread their viruses.

~~~~~~~Example One~~~~~

If you receive an email that says:

If the message will not displayed automatically, follow the link to read the delivered message.

Do Not Open the Link !!!! These links are a new way of trying to get you to download a virus. The link is *NOT VALID*.

~~~~~~Example Two~~~~~~~

Also, you may have received some email from "support@..." with the subject line: "Re: Sumbit a Virus Sample", and a body message that states something along the lines of:

------------------
The sample file you sent contains a new virus version of mydoom.j. Please clean your system with the attached signature.

Sincerly,
Ferrew
------------------

THIS IS A VIRUS. DO NOT use the included "signature.zip" (or any other attachment) that comes with that email.

~~~~~~~~Example Three~~~~~~~~~

The way the links are "spoofed" and make you think you're going to a normal "good" website is in the way the link is formatted.

---

This is how it works: the actual URL syntax in the link -- which appears in the IE address bar, when the link is clicked, and also at the bottom of the IE window, when someone rolls over the link with the cursor -- looks like this: http(s)://username:password@server/resource.ext.

The browser uses whatever is to the right of the @ symbol to locate the Web page. Everything to the left of the @ is used to authenticate the user. If there is no authentication mechanism available on the targeted page, the beginning part of the URL is ignored.

Attackers, then, can use the area to the left of the @ symbol to create a fake Web address and fool victims into going to a different page or site. For instance, the URL http://www.cnet.com@... looks like it will go to the Web site http://www.cnet.com, but it actually goes to http://mysimon.com.

The problem has been made worse by a recently discovered bug in the URL display of Internet Explorer browsers. By adding a few special characters in front of the @, an attacker can prevent the browser from displaying the true destination address of the URL. So, for instance, in the above example, the URL in the IE address bar and at the bottom of the IE window would appear as simply http://www.cnet.com.

~~~~~~~~~Example Four~~~~~~~~~

This week the Bagle worm raised the bar with an attachment-less version. Last week we reported Bagle.M/N was using polymorphic virus techniques to infect executables on a victim's hard drive. The latest versions, Bagle.O, Bagle.P, Bagle.Q now use the Internet Explorer Object Tag vulnerability to infect users' systems running un-patched versions of Internet Explorer. Using an exploit described in Microsoft's security update MS03-040, the worm can automatically run and install itself when a user opens an e-mail.

Source: http://www.pcmag.com/article2/0,1759,1552856,00.asp
Bagle.Q info: http://www.pcmag.com/article2/0,1759,1552319,00.asp

SO .. if you are using Outlook as your email .. and have NOT updated the patch in Windows Updates .. then you probably have this rampant virus.
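A mail-filter style check for the username@server link format described in Example Three, as an added example that is not part of the original post: it reports the host a link really resolves to and flags a left-hand part that imitates a site name. The function names, the finding labels and the sample hosts are hypothetical, and the non-printable-character check is an assumption, since the post does not say which special characters are involved.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample message; every host below is a placeholder.
SAMPLE = (
    "Your statement is ready: http://www.example.com@login.example.net/view.htm\n"
    "Alternate link: http://www.example.com%7F@other.example.org/\n"
    "Our site: https://www.example.com/help.\n"
)

# Deliberately simple pattern for pulling http(s) links out of message text.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Matches text that is shaped like a host name, e.g. "www.example.com".
HOSTLIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_url(url):
    """Report the real destination host and any userinfo-based warning signs."""
    parts = urlsplit(url)
    findings, userinfo = [], None
    # Only an '@' inside the authority counts; one in the path is harmless.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
        findings.append("userinfo-present")
        decoded = unquote(userinfo)
        # Compare the visible part of the "username" against a host-name shape.
        name = decoded.split(":", 1)[0]
        visible = "".join(c for c in name if c.isprintable()).strip()
        if HOSTLIKE_RE.match(visible):
            findings.append("userinfo-looks-like-host")
        # Assumption: hidden characters before the '@' would be non-printable.
        if any(not c.isprintable() for c in decoded):
            findings.append("non-printable-in-userinfo")
    return {"url": url, "real_host": parts.hostname,
            "decoy": userinfo, "findings": findings}


def scan_text(text):
    """Return one report per link in the text that has at least one finding."""
    urls = (u.rstrip(".,;)") for u in URL_RE.findall(text))
    return [r for r in map(inspect_url, urls) if r["findings"]]


if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit["real_host"], hit["findings"], hit["url"])
```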