
(erielack) Virus suggestions

I received the following message from a friend who is also in computer
security. I am passing it along as food for thought.

Another point - remember, the bad guys are also trying to get into your
computer to get personal information. Even though you use a dialup, your
system can still be and probably is being probed. One of the people in our
office runs a personal firewall and receives 3-5 probe alerts DAILY from
sources in Asia (China, Korea, Singapore). If the bad guys get access to
your computer, they will be looking for SSNs and other personal data.

--- Bill's message ---

DON'T GET KLEZED
-------------------------------------------------------------------

I don't know about you, but I'm getting Klezed on an hourly basis. In
fact, after a huge drop-off of email worms and viruses for several
months, I'm suddenly being inundated by email messages containing
malicious W32.Klez attachments again. So much so that I'm beginning to
feel like it's only a matter of time before one of them gets me.

Perhaps the worst offender is a message I've received repeatedly whose
subject line reads: "W32.Klez.E removal tools." That subject couldn't
be further from the truth; if you open this attachment, you're
unleashing the W32.Klez.gen_@_mm virus on your PC. The subjects of
similar messages say "Worm Klez.E immunity" and "W32.Elkern removal
tools." Other notable message subjects containing virtual bombs include
"Look my pretty girlfriend" (sic), "A special powful tool" (sic), "A
WinXP patch," and "IE 6.0 Patch." It seems clear that you don't need to
be great with the English language to send out Klez. And also that you
think you have a sense of humor. I even got one that read: "Hello,
scot,eager to see you." Yeah, right.

By and large, my antivirus program (I'm currently using Norton
AntiVirus 2002 -- because of something I'm testing -- even though I
recommended against it) is keeping up with the Klez barrage. But I have
found some messages that Norton missed with suspicious attachments
(like Setup.exe) from people I didn't know. That's why I say it's only
a matter of time.

There are things you can do to prevent disaster on your PC in these
strange times. The most important ones are at the top:

1. Buy, install, and regularly update (at least weekly) a top-notch
antivirus program. I like the products from Trend Micro, Norton, and
Panda. Be sure to renew your annual subscription to the antivirus
updates. That's money well spent.

2. Outlook and Outlook Express users, you must install all the security
patches for your version of Windows, Office, and Internet Explorer.
Windows Update handles Windows and Internet Explorer. Outlook users in
particular need to visit the Office Product Updates site as well.

Windows Update:
http://windowsupdate.microsoft.com/

Office Product Updates:
http://office.microsoft.com/productupdates

While you're at it, stay up to date on all things Office-related with
Jim Powell's The Office Letter newsletter:
http://www.officeletter.com/

3. Never, ever open an attachment in an email message from someone you
don't know. All sorts of file types can run automatically when you
click them -- not just .EXE and .SCR files. Start out by assuming any
file attachment is a program, not a file. And it's sad to say, but
you're also better off assuming it's a malicious file.

4. Never open an attachment from someone you do know if anything about
the message or the attachment is surprising or out of context. If you
have even the slightest doubt, don't open the attachment. Contact the
sender, and ask him or her to verify that the attachment was sent
intentionally.

5. Avoid opening messages whose topics sound too good to be true, like
someone posing as someone you know or like Spam. Most malicious code
borne by email requires you to click it. But there are some variants
that begin to work on your PC as soon as you open the message. The most
likely type of email to do that would be HTML or other graphical or
animated mail, but there are no guarantees. And using a mail preview
window is no protection either. In fact, with some email programs, a
preview window may unleash the bad stuff without notice.

6. If you use Outlook or Outlook Express, your address book is
frequently targeted by email worm and virus creators who use your
address book to proliferate their destructive seeds. Even if you have
one of these programs installed but don't use it, it can still be
harnessed to send out viruses without your knowledge, so long as you
have email addresses in the address book. Your first line of defense is
to add your own email address as a contact in your Microsoft address
book. If the virus triggered a virus message from your PC, you would in
all likelihood receive a copy of the message sent to others. Hopefully,
that would alert you to the problem.

7. A variation on the same idea is a tip supplied by SFNL readers Rasa
Petrovic and also Charlie and Jan Knutsen. I've tested it, and the tip
works, though it makes assumptions about how email worms or viruses
send email to replicate themselves. It's not going to work with all
malicious code; it's not a panacea; but for Outlook and Outlook Express
users, it's worth doing.

Open your email address book and add a New Contact. In the first name
field type *000 (that's an asterisk followed by 3 zeros). Two zeros,
four zeros, !000, or others -- so long as the new entry appears at the
very top of your address book. (Varying this name is preferable because
if everyone uses the same contact name, virus writers may wise up and
delete a specific entry.)

In the box where you would enter the email address, type XXX_WormAlert,
replacing XXX with your own first name. Click Add, and click OK when
the address book wonders whether you really want to add an invalid
email address. Close your address book, and you're done.

How it's supposed to work: When a virus attempts to send out one
message to all the recipients on your contact list, your email program
will halt the sending of the message because the first (lowest
alphabetical) address is invalid. No messages will go out at all, and a
dialog box will open showing you that XXX_WormAlert is the address with
the problem. If you ever see that error message, you know that either
you've accidentally sent an email to your invalid email address
Contact, or a virus is at work on your system, attempting to replicate
itself to all recipients in your address book.

The offending message will probably remain in your Outbox, ready for
another attempt. Go in there and delete it, update your antivirus
program, and run a full scan of your system.

Real-world analysis: I tested this tip with Outlook Express 6.0. What I
found was that it didn't matter what I named the XXX_WormAlert New
Contact entry. I tried naming it ZZZ and that still halted the
transmission to all the recipients. I decided not to change the tip
because I'm not sure whether that's the case with all versions of
Outlook Express and Outlook. But I want to stress that you shouldn't
rely solely on this tip. It's just one of many measures you should
take. There's a reason why it's toward the bottom of the list here.

8. Several programs provide added protection that prevents you from
running executables and scripts that arrive on your computer. ZoneAlarm
has a built-in routine that renames executable attachments to prevent
them running. The latest version of the program provides support for a
lot more file types.


          Bill

Bill Telzerow
Sr Security Consultant

---- End of Bill's message ----


George Elwood
http://www.dnaco.net/~gelwood
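As an added illustration of tips 3 and 8 above (the point that many more
file types than .EXE and .SCR run when clicked, and that renaming a runnable
attachment neutralises it), the script below is not from Bill's message or
from any product it names. It parses a constructed sample message in the
style of the worm mail described above, flags attachments whose real
extension Windows treats as runnable (including names that hide it behind a
second, innocent-looking extension such as .jpg.scr), and shows a simple
quarantine rename. The extension list, the sample message, and the
`.quarantined` suffix are this example's own choices.

```python
"""Flag e-mail attachments that would execute when clicked (added example)."""
import email
from email import policy

# Extensions Windows treats as directly runnable (programs, scripts,
# shortcuts).  Constructed for this example; not exhaustive.
RUNNABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "lnk", "msi", "reg",
}

# Constructed sample message modelled on the subjects quoted above.  The
# attachment bodies are base64 placeholders, not real binaries.
SAMPLE_MESSAGE = b"""From: someone@example.invalid
To: you@example.invalid
Subject: W32.Klez.E removal tools
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Run the attached tool to clean your PC.
--b1
Content-Type: application/octet-stream; name="Setup.exe"
Content-Disposition: attachment; filename="Setup.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1
Content-Type: image/jpeg; name="girlfriend.jpg.scr"
Content-Disposition: attachment; filename="girlfriend.jpg.scr"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just text
--b1--
"""


def classify_attachment(filename):
    """Describe one attachment name: its real (last) extension, whether that
    extension is runnable, and whether a second extension precedes it."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    runnable = ext in RUNNABLE_EXTENSIONS
    return {
        "filename": filename,
        "extension": ext,
        "runnable": runnable,
        # "girlfriend.jpg.scr": the .jpg is decoration, .scr is what runs.
        "double_extension": runnable and len(parts) > 2,
    }


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [classify_attachment(part.get_filename() or "")
            for part in msg.iter_attachments()]


def quarantine_name(filename, suffix="quarantined"):
    """Rename a runnable attachment so a click no longer launches it.
    The suffix is this example's choice, not any product's convention."""
    return f"{filename}.{suffix}"


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        verdict = "RUNNABLE" if finding["runnable"] else "ok"
        hidden = " (double extension)" if finding["double_extension"] else ""
        print(f"{finding['filename']}: {verdict}{hidden}")
        if finding["runnable"]:
            print("  would be stored as", quarantine_name(finding["filename"]))
```

Run stand-alone it reports Setup.exe and girlfriend.jpg.scr as runnable (the
latter as a double extension) and notes.txt as harmless; the rename step is
the same idea as the attachment renaming Bill describes for ZoneAlarm,
applied on the mail server or in a fetch script instead of on the desktop.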
