Just the Other Day by Lee Besing

Unsolicited Offers of Help?
September 2003
Just the other day I was called by a customer who asked about an e-mail he had received from “admin@xxxxx” (his mail server’s domain name). The message claimed that his e-mail account was about to expire and that he needed to read the attached file to prevent this from happening. I’ve received it myself a few dozen times already. The message almost always says it is from the “admin” account at your own mail server, with a subject line of “your account” followed by some random garbage letters (or at least they didn’t mean anything to me). I opened the Zip file attachment to examine it (very carefully) and found an HTML Web page. Seems harmless, no? Actually the Web page contains malicious JavaScript that runs a worm file as soon as you simply view the page in your browser. I used my Web editing software to open the source file and read the code rather than viewing it. The message body itself is harmless text, and thus would not be detected and deleted by your anti-virus software; it is the attachment that carries the payload. Norton will detect and block the attachment if you are running the latest updates.

If you view the properties of the message, you will see that it comes from a bare IP address with no domain name rather than from a valid host name. In the headers of the copies I received, the X-Mailer is always “TheBat!” and the priority is always set to “2 (High)”. Note that the sending host identifies itself as “localhost” with the IP of [66.196.204.1]. A sender calling itself “localhost” is always a good sign that a message is spam or otherwise unwanted mail. Here is the header text from one of these messages:
There have been other messages allegedly from Microsoft, McAfee, or Symantec warning about viruses and carrying an attached “patch” file which they encourage you to install. These companies never send you a patch as an attachment; if there is truly a danger, they refer you back to their Web site. One such message from “dispatch@mcafee.com” carried the W32.Hawawi.Worm virus in one of its two attachments. The other attachment was a harmless JPG file that the worm had picked up from the infected computer and sent along.
I’ve noticed my spam filter software, MailWasher, has been catching messages that are allegedly from me to me, but the name in front of the sending address is never my name, nor does the message originate from my computer or mail server. Most of these messages contain offers to sell Viagra or similar items at so-called reduced pricing. Since the message mentions Viagra and my spam filter is set to delete messages containing such phrases, they get trashed and deleted despite my own address being shown as the sender. I’m running the paid “Pro” version of MailWasher. They offer a free version which is restricted to checking only one mail account, but the Pro version ($19.99) allows almost unlimited mail accounts. I’m checking nearly a dozen accounts each time it looks for mail.

One of the latest threats to our computers is a new virus (W32.Blaster.Worm) targeting a weakness in Windows 2000, XP, Server 2003 and NT 4.0 Server. I was made aware of a SERIOUS vulnerability within all of Microsoft’s NT-based operating systems (Windows NT 4.0, Windows 2000, and Windows XP). This vulnerability allows a remote user on the Internet to execute arbitrary code on your system; in practice it most often shows up as your computer restarting while you are using it. One way to tell that your unpatched system has been hit is if you saw this message and your system then rebooted: "System Shutdown is initiated by NT AUTHORITY\SYSTEM ... Remote Procedure Call (RPC) service terminated." There have been widespread reports of this problem becoming increasingly common, so Microsoft has issued a patch to fix the aforementioned vulnerability. Please see Microsoft TechNet for more information and the files needed to fix this SERIOUS bug in the operating system:

If you have a firewall (you do have one, right?), block access to TCP port 4444 at the firewall level, and then block the following ports if you do not use the applications listed:
The worm also attempts a DoS (Denial of Service) attack on Windows Update, in an effort to prevent you from downloading the patch for the DCOM RPC vulnerability. If you need a firewall, I recommend the free version of ZoneAlarm, although serious users might consider buying the “Pro” version for around $39.99 (watch for sales from this company or special offers to save $$). The “Pro” version allows more control over individual ports, inbound and outbound, and over individual programs, and I highly recommend it. This firewall stops intrusions inbound and unauthorized programs trying to go outbound, and it is easily configured for your system.

At the risk of repeating myself, remember that if you haven’t updated your anti-virus program since last month’s article, you are at risk of catching some of the newer viruses that have been released this month. If you get a message that sounds strange, even from a trusted address, or one that contains an unexpected attachment, you had better check it with your updated virus program before opening it, or you might need to call me to come fix your computer afterward.
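As an added example, not from Lee’s column or from any product he mentions, here is a small Python script that checks a saved raw e-mail for the header tells described above: a sender claiming to be admin@ your own domain, a “your account” subject, a sending host that calls itself “localhost” or shows only a bare IP with no host name, X-Mailer “TheBat!”, priority “2 (High)”, a Zip attachment holding an HTML page, and the spoofed from-me-to-me case. Both sample messages in the script are constructed to look like what the column describes; they are not real captured mail, and the indicator names and the example.com addresses are my own choices.

```python
"""Apply the header 'tells' from the column to a saved raw e-mail.

Added example; not part of Lee Besing's column. Both sample messages below are
constructed to mimic what the column describes and are not real captured mail.
Standard library only (Python 3.7+).
"""
from __future__ import annotations

import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# File types that run or render code when merely "viewed"; the column's Zip held an HTML page.
RISKY_EXTENSIONS = (".html", ".htm", ".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js")


def build_admin_sample() -> str:
    """Constructed look-alike of the 'your account' message from admin@<your domain>."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("message.html", "<html><body>placeholder, no script here</body></html>")
    msg = EmailMessage()
    msg["Received"] = ("from localhost ([66.196.204.1]) by mail.example.com with SMTP; "
                       "Tue, 2 Sep 2003 10:00:00 -0500")
    msg["From"] = "admin@example.com"
    msg["To"] = "lee@example.com"
    msg["Subject"] = "your account dkfjhg"
    msg["X-Mailer"] = "TheBat! (v1.61)"
    msg["X-Priority"] = "2 (High)"
    msg.set_content("Your e-mail account is about to expire. Read the attached file.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_string()


# Constructed spoof: the From: address is your own, but the display name is somebody else's.
SELF_SPOOF_SAMPLE = """\
Received: from [198.51.100.23] by mail.example.com with SMTP; Tue, 2 Sep 2003 11:00:00 -0500
From: "Bob Roberts" <lee@example.com>
To: lee@example.com
Subject: cheap V1agra
Content-Type: text/plain

special pricing today
"""


def received_hop(msg) -> tuple[str, str]:
    """(HELO name, bracketed IP) from the topmost Received: line, the hop your own server logged."""
    received = msg.get_all("Received") or []
    if not received:
        return "", ""
    top = " ".join(str(received[0]).split())
    helo = re.search(r"\bfrom\s+(\S+)", top, re.I)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    return (helo.group(1) if helo else ""), (ip.group(1) if ip else "")


def indicators(raw: str, my_domain: str) -> list[str]:
    """Return the suspicious tells found in a raw RFC 822 message, in check order."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    found = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    from_addr, to_addr = from_addr.lower(), to_addr.lower()
    # 1. Sender claims to be the admin of your own mail server.
    if from_addr == f"admin@{my_domain}".lower():
        found.append("from-claims-local-admin")
    # 2. Your own address used as the sender (the from-me-to-me spam).
    if from_addr and from_addr == to_addr:
        found.append("from-equals-to")
    # 3. The "your account <garbage>" subject line.
    if str(msg.get("Subject", "")).strip().lower().startswith("your account"):
        found.append("subject-your-account")
    # 4. Sending host called itself "localhost", or gave only a bare IP with no host name.
    helo, ip = received_hop(msg)
    if helo.lower().rstrip(".") == "localhost":
        found.append(f"helo-localhost ({ip})")
    elif helo.startswith("[") or (ip and not helo):
        found.append(f"bare-ip-no-hostname ({ip})")
    # 5. Mailer and priority the column saw on every copy (spacing and case ignored).
    if "thebat!" in str(msg.get("X-Mailer", "")).replace(" ", "").lower():
        found.append("x-mailer-thebat")
    if str(msg.get("X-Priority", "")).strip().startswith("2"):
        found.append("priority-high")
    # 6. Attachments: Zip members are only listed, never extracted or rendered.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            try:
                members = zipfile.ZipFile(io.BytesIO(part.get_content())).namelist()
            except zipfile.BadZipFile:
                members = []
            for member in members:
                if member.lower().endswith(RISKY_EXTENSIONS):
                    found.append(f"zip-contains-{member.rsplit('.', 1)[-1].lower()}")
        elif name.endswith(RISKY_EXTENSIONS):
            found.append(f"risky-attachment-{name.rsplit('.', 1)[-1]}")
    return found


if __name__ == "__main__":
    for label, raw in (("admin sample", build_admin_sample()), ("self spoof", SELF_SPOOF_SAMPLE)):
        print(label, "->", indicators(raw, "example.com"))
```

To use it on real mail, save the message with its full headers (“view source” or the message properties in most mail clients) and pass the text to indicators() with your own domain. The script reads the Zip’s directory to list file names only; nothing inside it is extracted or opened, which mirrors the column’s advice to read the source rather than view the page.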
Lee Besing is the owner of Computer Solution Experts, a consulting firm that provides on-site service and support for PC computers and networks.