On June 8th, 2001, Mike Richter posted the following message to the list. It deals with virus infections and gives information on the threats and on protection against them.
It will be obvious to any true security expert that I am not one; I have some knowledge – enough to help. I will not attempt to be comprehensive and will not recommend specific products, but I will try to share an understanding of the beasts that are roaming the Internet and a minimum effort you can take to protect yourself.
There are three major categories of nasty out there: virus, worm and Trojan (horse). While they are different and impose different requirements, they are all activated without your desire and take resources of your computer for their own functions. Let’s call them all “viruses” as most people do and worry about the distinctions another day. Since the PC is by far the most popular platform and is the way those enemies of the hackers, the corporations, run their businesses, the PC running Windows is the target of almost all viruses. For simplicity (and to cover my ignorance), I’ll be concerned only with Windows infections.
Usually, a virus enters your system attached to something innocent. While it can come in through a WWW site, I will ignore that for this note – it’s a complicated subject and e-mail is the key issue. A virus which arrives attached to e-mail does no damage until it is activated. It is activated by being executed; like any other program, it does nothing until it runs.
There are several ways for a virus to be activated.
The usual one is that the recipient clicks on it – tells it to run. That method is blocked by you not clicking on it. When you get an attachment you do not expect or which is not fully explained by the associated e-mail message, don’t run it. If it claims to be a text file or a picture or anything of the sort, you can safely look at it with a viewer. For example, you can find the file with Explorer, right-click it and view it with a graphics program or a sound program or a text editor. If it is not what it claims to be, it will not open in that program – and you can dump it.
There are two other ways that attachments can be activated that need to be mentioned.
In programs such as MS Word and Excel, there are macros which are programs in themselves. Word and Excel offer you an option to run macros when you open a document. Don’t do it. Most of us have little or no need for macros and even less for macros in attachments to e-mail. If you need the macro and trust the document, you can run it later, after the document has come up in the program.
There’s another “convenience” provided if you use Outlook or Outlook Express to read your mail. You can set it to run attachments when they come up or even when they are previewed. Don’t do it; make the program ask you for permission and deny that permission unless you are certain that all’s well. Since most companies use Outlook or Outlook Express, if you can use another e-mail client such as Pegasus or Eudora, do so. It may not be as convenient, but it is much safer.
There are many things which can happen to your computer which will make you glad you have a backup. In addition to being infected with a virus, you can have a hard-disc crash or a failure on your motherboard. How much you back up is up to you – just because you have a batch of WAV files and movies to enjoy some time does not mean that you have to back them up. How often you back up depends on your paranoia and your tolerance for losing information. The rule of thumb is that if your last backup is old enough to leave a lot of extra work after a restore, make a new backup. For your information, I back up my boot disc and my applications at least once a week. I do an extra backup if I’m about to install tricky or complex software or any large program I may decide to pull out later. (Uninstall doesn’t always do what it should and seldom does it completely.)
There are two aspects to a good anti-virus program: scanning and monitoring. Scanning means examining a part (or all) of your system for current viruses. Monitoring means watching everything that goes on for suspicious activity. For various reasons, I do not monitor my system, but you are welcome to do so if you wish. Monitoring takes some computer resources and can interfere with other programs. Since I write a lot of CDs (oh, you guessed?) and since monitoring can cause problems in that operation, I use scanning only.
I scan my system in several ways. Whenever I get an attachment, my mail client (Eudora) puts it into a specific directory. Before I even read my e-mail, if there’s an attachment in the batch I run a scan of that directory. Before I run a backup, I scan the whole drive. In that way, I have confidence that I can restore from that backup to a clean system even if something gets through my protection.
Viruses are being created in great numbers. Fortunately, few are serious when they first appear and the companies making anti-virus programs are quite vigilant in finding them before they become worrisome. Unfortunately, most such companies update their “signatures” – their detection packages – less often than they should. If a virus spreads faster than expected, it may get to you before their update does. Most AV programs provide automatic updates. The first time I run the AV program each day, I have it check for an update and install it if one shows up.
I have recommended a free program from Computer Associates in the past; they no longer offer it, but I use their inexpensive EZ Antivirus which performs in the same way. Other people use programs from McAfee, Symantec (Norton) and other publishers; the choice is yours and various organizations and magazines rank them in different ways. But whatever tool you use, it must be up to date to be of value.
How viruses spread
E-mail viruses are spread by the pre-empted machine sending e-mails to various addressees with their programs attached. Three mechanisms are commonly used:
- send to those in the address book;
- send to those who have sent e-mail currently not read;
- send to addresses captured as they are passing between the computer and the Internet.
The most popular mode uses the address book and once again Outlook and Outlook Express are the ones usually chosen. There are too many ways to disguise the virus program to detail here. Fortunately, all can be beaten with good procedures.
Two points I made in earlier posts need to be repeated:
- no virus can be conveyed in an opera-l post and
- a virus is almost always sent by a ‘stolen’ computer, not by the person whose name appears on the accompanying e-mail.
The CUNY listserv will not distribute attachments (not even HTML) and no virus can be put into the e-mail text itself.
The machine which has been pre-empted will do what the virus commands without direction from its owner – in fact, without the owner’s knowledge. The only thing the owner did wrong was activate the virus. You may trust the owner completely, but you have no reason to trust a pre-empted computer. Remember that when you think that the attachment must be okay because you trust the person who sent it. I know one person who was infected in mail from her office computer and a business owner who succumbed when another business owner sent him a routine e-mail.
First, do not let your e-mail client do anything “for” you except give you the chance to read your mail. How you stop that depends on your client. It does mean an extra click to read an attachment, but that gives you the chance to look at it safely. Second, whenever you receive an attachment, either scan it or allow your AV program to monitor it (or both). Third, if the attachment is not clearly something you want or need and if it is not well explained in the covering e-mail, throw it away. Finally, try to view the attachment rather than clicking to activate it.
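The post's advice to look at an attachment with a viewer rather than running it, and to scan the attachment directory before reading mail, can be turned into a mechanical check: compare what an attachment's name claims it is against what its first bytes say it is. The script below is an added example, not code from the original post or from any product the post mentions. It builds a constructed sample message with three attachments (a real JPEG header, an executable wearing a picture's name, and a file with a double extension), then reports which ones a reader should refuse to open. The magic-byte table, the list of executable extensions and the message contents are all assumptions of the example; it goes slightly beyond the post by also flagging double extensions and legacy Office files that may carry macros.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Leading bytes of common attachment types. This table is an assumption of
# the example and is deliberately small; it is not a full file-type database.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"MZ": "exe",                                  # Windows/DOS executable
    b"PK\x03\x04": "zip",                          # also Office 2007+ documents
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy Word/Excel, may carry macros
}

# What a claimed extension should look like inside (assumed mapping).
EXPECTED = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".doc": "ole2", ".xls": "ole2",
}

# Extensions Windows runs when double-clicked: view, never "open", these.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}


def sniff(data: bytes) -> str:
    """Return the type label whose magic bytes the data starts with, or 'unknown'."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def assess(filename, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed content and list warnings."""
    name = filename or ""
    root, ext = os.path.splitext(name.lower())
    detected = sniff(data)
    warnings = []
    if ext in EXECUTABLE_EXT:
        warnings.append(f"executable extension {ext}")
    if os.path.splitext(root)[1]:
        warnings.append("double extension (name hides its real type)")
    expected = EXPECTED.get(ext)
    if expected and detected != expected:
        warnings.append(f"content is {detected}, not {expected}")
    if detected == "exe" and ext not in EXECUTABLE_EXT:
        warnings.append(f"executable content disguised as {ext or 'no extension'}")
    if detected == "ole2":
        warnings.append("legacy Office file: open only with macros disabled")
    return {"filename": name, "extension": ext, "detected": detected,
            "warnings": warnings, "suspicious": bool(warnings)}


def check_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 822 message and assess every attachment in order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        results.append(assess(part.get_filename(), data))
    return results


def scan_directory(path: str) -> list:
    """Assess every file already saved in an attachment directory (the post's
    'scan before reading' habit); only the first bytes of each file are read."""
    results = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results.append(assess(entry, fh.read(16)))
    return results


def build_sample_message() -> bytes:
    """Constructed sample mail with one honest and two dishonest attachments."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "pictures from the show"
    msg.set_content("Here are the pictures I promised.")
    # Honest: a (truncated) JPEG header under a .jpg name.
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="stage.jpg")
    # Dishonest: an 'MZ' executable header under a .jpg name.
    msg.add_attachment(b"MZ" + b"\x90" * 30,
                       maintype="image", subtype="jpeg", filename="backstage.jpg")
    # Dishonest: double extension ending in a script type (placeholder bytes).
    msg.add_attachment(b"' constructed placeholder, not a script\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="programme.txt.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in check_attachments(build_sample_message()):
        verdict = "REFUSE" if r["suspicious"] else "view with a viewer"
        print(f"{r['filename']:22s} {r['detected']:8s} {verdict}  {'; '.join(r['warnings'])}")
```

Running the script prints one line per attachment: `stage.jpg` is reported as a JPEG with no warnings, `backstage.jpg` is flagged because its content is an executable rather than the picture its name claims, and `programme.txt.vbs` is flagged for both the script extension and the double extension. The same `assess` function drives `scan_directory`, so the check can be run over the folder a mail client saves attachments into before any of them is opened.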
If all that fails and you are infected, don’t panic. Go to the WWW site of your AV program’s publisher – and one or two more if you wish – to learn what that particular virus does and how to clean it out. You may need to do some detective work to find the name. If you were infected because you forgot to scan the attachment, it’s probably still there and scanning it now will give you the name – late, but at least that’s useful. Otherwise, you may have to search based on the name of the attachment or on the properties of the infection. But knowing the name is very important, so please take the effort.
If you must restore from a clean backup, do it. As soon as you know you are clean, contact those who were likely to be infected from your machine. Give them the name of the virus and at least links to the sites where they can get information. Apologize for what your computer did to them (and assure them that it has been taken to the woodshed already). If you know what machine infected you, tell its owner – in fact, you should do that even if you caught the virus before it damaged you. That’s the way most people discover that they have been infected.
AV programs, monitors and updates are valuable tools in protecting your system, but sound procedures are essential.