DCOMbobulate

    Skeptical as I am about unknown e-mail attachments, even I was puzzled by the latest file sent to me from “support@microsoft.com”. The e-mail [My Life as a Fischer has an example of it] looked official enough and, stranger still, Norton AntiVirus did not flag the file as infected. I nevertheless did not run the attachment, of course, and I wasn’t surprised, afterward, to find out the attachment was indeed yet another variant of the MS Blast worm.
    Evidently all these worms in the MS Blast family want to exploit vulnerabilities in DCOM, a component that allows networked computers to communicate. Since DCOM would hardly ever be used in a home environment, there’s no reason for it to be running at all. But Microsoft, instead of deactivating it, has concentrated on distributing patches that simply rewrite the code. DCOMbobulate, another great free utility from GRC.com, is a small program that will deactivate DCOM for you, eliminating the vulnerability that MS Blast-type worms try to exploit. It’s quick, painless, and highly recommended. Why leave something running that you will never use?

3 Responses to DCOMbobulate

  1. Greg says:

    I told bogie that being the Linux geek that I am, I opened the attachment in a binary viewer.
    It was interesting…the body of the email itself (down to the graphics) is encoded into the “patch”.

    Greg
    San Diego

  2. Mickey says:

    I guess that would explain why, as I’ve heard, simply previewing the e-mail will load the worm.

  3. Greg says:

    As my understanding of that ‘preview’ thing goes, there’s an option – or was an option – to automagically open attachments (which included .exe files) in OE and Outlook.
    One of the fixes MS released awhile back was supposed to permanently turn that option off.
    Viewing attachments inline vs. as separate attachments will cause problems too.
    But virus/worm/trojan writers know that your average newbie will open them anyway, especially if it looks like the message is official.

    Greg
    San Diego
