A Personal Guide to Detecting and Avoiding Viruses, Hoaxes & Urban Legends

by Rick Barry

September 2002


You use this guide at your own risk. In good faith, I have done my best to read and listen to others, listen to my own experiences catching bugs and put together what I believe to be good and sound information. But I cannot and do not accept ANY legal, operational or other responsibility for any untoward results that anyone suffers from these guidelines. Read this and take what you want from it and leave the rest.

In recent months I have observed a rise in messages with apparently infected file attachments that got through Internet Service Providers’ (ISP) firewalls. These precipitated questions, and in many cases the wrong responses, on lists I belong to. The message below, or some form of it, has been posted to such lists when questions were raised about potential viruses or hoaxes. After replying to such messages on unrelated professional lists for the 3rd or 4th time in as many weeks, I decided to write something up and make it available on the Web, so that in future I can simply refer people to it.

As with my Net Etiquette (Netiquette) Guidelines, I have put these virus/worm/Trojan horse and hoax guidelines together over time, using information received from others as well as observations and mistakes that I have made over about 20 years of using email. [To learn about the differences among viruses, worms and Trojan horses, check out the excellent glossaries of terms at Symantec’s Glossary and McAfee’s Virus Glossary of Terms.]

Below is one message that was posted on one list to which I belong. It typifies how people react to virus threats when they aren’t sure what to do.

<<

Perhaps someone could tell the computer illiterati like myself what alerted you
to the fact that this message contained a virus and how to work out where
things like this come from.

>>

My reply has typically been to provide as much of the information below as I think pertains to the specific request. The reply to the above began:

<<

The question is short and important, but also not simple.  The short answer is: learn from your past mistakes, examine the incoming message carefully for clues and have good anti-virus protection. Stop here if you don't want the long answer.
>>

The remainder of this guide is an attempt to cover most of the situations I have observed.

First…

The best thing to do is to avoid getting into trouble in the first place. Before you get into a situation involving possible viruses, read this and other sources for tips on keeping out of trouble. A good source is McAfee’s Virus Detection and Prevention Tips.

No one who uses the Internet can any longer afford not to have an up-to-date version of a good anti-virus system and continuous virus definition updates from the supplier. Don’t go out without it! You may get more protection with an outdated version of the software and completely updated definitions than with the most current software version without the most current definitions, because outdated definitions leave you open to the new and increasingly insidious virus strains. But the surest way is to have both. The variants and even types of viruses, worms, Trojan horses, etc., are changing so rapidly that without a recent version of your antivirus system and automatic updates whenever you are on line, you are at serious risk.

To illustrate, one of the more recent kinds of files being used by disseminators to circulate viruses is the .zip file, commonly used to compress large multimedia files or multiple files for faster transfer over the Internet. They chose .zip files to get their viruses through because mainstream antivirus programs were not designed to search inside those kinds of files. They now typically do, because of the rash that this crack in the wall created. Thus, even if your antivirus system version is only one or two numbers old, it may not be current enough to have that feature. Check your vendor’s website to see if you need an upgrade; some are free. Symantec offers a free “Scan for Viruses” on its website, but treat this only as a temporary measure until you can get full protection.

Even if you have the latest version, if you do not have all of the current virus definitions and fixes on your computer you are still very much at risk. Definitions come initially with the application program, and new ones are added as viruses are discovered and fixes are created, in automatic definition updates, often in the background without your even noticing while you are doing other things on the Internet. But this happens only if you have an up-to-date annual subscription with your vendor. These cost only around $10 per year at time of this writing. It used to be a worthwhile expense. Now it is a necessary expense.

Note: At time of this writing, the free scan does not scan compressed files at all. This is very important as most of the more sophisticated viruses/worms now are being circulated in compressed files, typically zip files. Thus a clean bill of health from Symantec's free scan, as nice as that is, will miss these. Similarly, it is my understanding that even installed versions of the software will catch most infected compressed files coming into your system, but will not discover infected compressed files already in your system. To be sure, contact your antivirus system developer. Finally, depending on the provider, the free scan may inform you of infected files but not fix them.

Then…

There are two main issues to be concerned about: 1) How do I know that a virus warning is legitimate, and 2) how do I decide if a message/attachment I have received may be infected or not.

Checking Virus Warnings for Authenticity

First, do no harm. Do not immediately forward copies of virus warnings to everyone you know until you have verified that they are authentic. Otherwise, you (and thousands of others reacting the same way) just tie up enormous Internet resources, and in some cases you and thousands of others will delete necessary files from your computer that you should not delete, because the warning message is “nice” enough to tell you how to determine if you already have the virus and how to fix it. Both are exactly what the perpetrators of such warnings take glee in having happen. Unless you have received a warning from your own antivirus system (automatically) or a notice from your software vendor, don’t immediately conclude that you have received a true virus or worm, or an authentic warning about one. The usual pattern is a list message suggesting the existence of a virus, warning of its imminent danger and urging you to resend the message to everyone in your address book (the vast majority of messages with those instructions are hoaxes). First check out the purported virus on one of the reliable antivirus websites. Three principal ones are:

· HOAXBUSTERS, which is supported by the US Government

· Symantec’s (developer of Norton Antivirus System) Security Response center

· McAfee’s (developer of VirusScan Online) Security Center

Upon receiving a virus or worm warning message, ALWAYS check one or more of the above sources BEFORE you do anything to your computer or tell anyone else to. When you send on a hoax, or worse an infected file that purports to be a fix for a nasty virus, you are taking responsibility for misleading not only the people to whom you send the files or information, but also those they send it on to. So don't just willy-nilly resend a warning message. At least take some of the precautions noted in this paper and on the websites of the producers of antivirus systems such as those noted above. To check out a possible hoax or urban legend, go to the above sites and search on some identifying term(s) from the subject line or the opening text of the message you received, and see what you find out first. Whenever there is a recommendation to send the message to everyone you know, it is highly probable that the message is a hoax. If you don’t find it in the HOAXBUSTERS database, then check the others to see if it is listed among the real viruses/worms/Trojan horses, etc.

Clues I use to filter suspicious email/attachments:

Is it from someone I do not know?
Is the address suspicious looking?
Is this email/attachment something I did not request?
Is there no identifiable message - just an envelope and an attachment?
Is it a strange or suspicious looking file extension?
Is it from a discussion list?

If the answer to any of the above questions is Yes, I don't open it and delete the whole thing. I then also empty my wastebasket. Some email systems, e.g., AOL, show the attachment in the envelope of the incoming message but do not download it until you request it. With other systems, the attachment may be downloaded automatically before you even look at the message. Find out how your system works.

Is it from someone I do not know?

Is it from someone I’ve known, but who hadn't told me in advance that they were going to send it? Absent that, there has to be a compelling reason for me to receive or open an attachment from a stranger. More often than not it is just SPAM, but I don’t want that either. If I do know the person, I will at a minimum look to them to vouch for the fact that the file is okay, and preferably to tell me something about it and why it is likely to be something that I would want. Even the best of family and friends can get infected and send out infected attachments without their knowledge.

Is this email/attachment something I did not request?

In cases where I am familiar with the sender but the attachment is not expected or is in ANY way suspicious, I will not open the file. If it is someone I know well, I'll send them an email with a copy of their email showing the name of the attached file (naming but not actually re-sending the attachment itself) and ask them if they really sent it to me; and, if not, warn them that they may have been infected with a worm that sent the same message to everyone in their address book. It may be difficult to determine whether the infected message came from their computer or whether their address was harvested from someone else’s infected computer. This may possibly be determined by carefully inspecting the message trailer (the full message headers) to see whether the originating address is theirs or some unknown address, or at least to see in what time zone the message originated. A recent one that purportedly was from this author actually originated in Europe and was relayed through an Internet server located in the Atlantic Time zone. To do this, look at the end of the message trailer, just above the envelope information and message ID, and then work backwards to the delivery at your Internet Service Provider.
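The header tracing just described, as an added example that is not code from the original guide: the constructed message below mimics the case of a message purporting to come from the author but entering the mail system in Europe and passing through an Atlantic-zone relay; all hosts, addresses, IDs and dates are made up, and author.example stands in for the author's real domain.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers: hosts, addresses, IDs and dates are made up.
# They mimic the case in the guide: a message claiming to be from the author
# that entered the mail system in Europe (+0200) and was relayed through a
# server in the Atlantic time zone (-0300) before reaching the recipient's ISP.
SAMPLE_MESSAGE = """\
Return-Path: <unknown-relay@relay.example.net>
Received: from relay.example-isp.example ([192.0.2.20])
    by mail.my-isp.example with ESMTP id ABC123;
    Mon, 16 Sep 2002 09:05:11 -0400
Received: from smtp.atlantic-relay.example ([198.51.100.7])
    by relay.example-isp.example with SMTP;
    Mon, 16 Sep 2002 10:04:58 -0300
Received: from [203.0.113.44] (helo=author.example)
    by smtp.atlantic-relay.example with SMTP;
    Mon, 16 Sep 2002 15:04:30 +0200
From: "Rick Barry" <rick@author.example>
Subject: I hope you will like this game

(body omitted)
"""


def received_hops(raw):
    """Received: hops oldest first (origin to delivery). Servers prepend their
    Received: line, so reversing the header order is the 'work backwards' step."""
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())          # unfold continuation lines
        route, _, when = text.rpartition(";")    # timestamp follows the last ';'
        stamp = parsedate_to_datetime(when.strip())
        sent_from = re.search(r"\bfrom\s+(\S+)", route, re.I)
        received_by = re.search(r"\bby\s+(\S+)", route, re.I)
        hops.append({
            "from": sent_from.group(1) if sent_from else "?",
            "by": received_by.group(1) if received_by else "?",
            "utc_offset_hours": stamp.utcoffset().total_seconds() / 3600,
        })
    return hops


def origin_summary(raw):
    """Where the message really entered the mail system vs. what From: claims."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return {
        "origin_host": hops[0]["from"],
        "origin_utc_offset_hours": hops[0]["utc_offset_hours"],
        "delivery_utc_offset_hours": hops[-1]["utc_offset_hours"],
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "envelope_matches_from": from_domain == envelope_domain,
    }
```

Keep in mind that only the Received: line added by your own ISP is trustworthy; earlier lines can be forged, which is why the guide treats them as clues rather than proof.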

 

Another way is to contact a half dozen others in their email address book and ask if they received the same message. If some did not, it may very well mean that the infected message originated on someone else’s computer where their name was in the address book. Normally, if the virus were sent from someone’s own computer, everyone in his or her email address book would have received it. Finally, of course, one can have an on-line scan done of one's computer to see if it is infected. This can be done by contacting an antivirus vendor; some have free on-line scans, but without the fix. If one is relatively certain that the virus originated from one's own computer, one should gracefully inform everyone in one's email address book to that effect and warn them not to open the file. Don’t feel too bad. Increasingly, you will find it has happened to many more people than you think, and people truly appreciate your informing them as soon as you learn about it.

Note: Such viruses/worms, including the H strain of Klez, will discover email addresses not only in the infected system's email address book, but from other sources, e.g., the distribution list of an email message that was sent to/from the infected system. The Symantec website states:

"In addition, the worm searches the Windows address book, the ICQ database, and local files (such as .html and text files) for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random. The from address is randomly chosen from email addresses that the worm finds on the infected computer."

 

Thus, you cannot conclude that your system is not infected simply from the fact that the email address of someone who received an infected message is not in your email address book.

Is the address suspicious?

A suspicious address is one that looks weird, with what appear to be random numbers and letters, or one that looks like a legitimate address, especially of someone I know, except that it has an underscore in front of it, e.g., _rickbarry@rbarry.com (dead giveaway), rather than the legitimate Unix-based convention of an underscore or period separating first and last name, e.g., rick_barry@torpedoed.com or rick.barry@rbarry.com.


Is there no identifiable text with the message?


If you plan to send someone an attachment, it should be because they have requested it, or you have been discussing it, or at least you have forewarned them and told them why you think they will be interested in seeing it, preferably in a separate and prior email. An attachment to an envelope without a plausible explanation should be regarded as highly suspect.

Even if there is a message, does it make sense? A currently common one carries the message, “I hope you will like this game.” Come on! In still other cases, the word usage, spelling or sentence structure is totally out of character for the author. One infected attachment came to a list purportedly from the editor of a professional journal. It had a stupid message in it that gave it away immediately as something that did not originate with the editor.

If I am only mildly suspicious, I will simply let it sit for a few days to see if there is any backlash from other recipients. Sometimes, in such cases, numerous computer-generated messages will come from the firewall servers of organizations noting that an infected message came from that source. Or another recipient will reply warning that his or her anti-virus program detected that the attachment contained a virus or worm.

Is it a strange or suspicious looking file extension?


You can also tell something by looking at the file extension. It may be possible, but I've never heard of a JPG file containing a virus. But double file extensions such as .doc.doc and .exe files (typically used for executing computer programs) are a no-no right away. Certain other extensions are also high candidates for contamination. In one case, where I just played the waiting game, I received no less than a dozen messages from various organizations (I believe using the same network anti-virus system, because their messages were very similar) informing me that I was on the distribution list for an email, received by that organization, that likely contained a virus. Most of them were from US state governments and universities, but there were a couple of private sector responses like that too. Several said that their email system was configured to block file attachments with any of the extensions listed below. I have placed spaces between the letters where ordinarily there would not be, of course, because some organizations will reject anything coming into their firewalls that even has some of these file names in the text. In other words, they reject not only attachments with such extensions but messages that even talk about them:

*.E X E, *.C O M, *.P I F, *.S C R, *.B A T, *.B A S, *.C H M, *.C M D, *.C P L, *.H T A, *.J S, *.J S E, *.S C T, *.S H B, *.V B, *.V B E, *.W S C, *.W S F, *.W S H, *.R E G, and *.L N K
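The extension and address clues above, together with the checklist earlier in the guide, turned into a small screening routine. This is an added example, not code from the guide: the block list is the guide's (typed normally rather than spaced out), the random-address heuristic and the sample names and addresses are my own assumptions, and author.example is a placeholder domain.

```python
import re
from email.utils import parseaddr

# Extensions the guide reports mail gateways blocking (written normally here;
# the guide spaces out the letters to keep such filters from rejecting it).
BLOCKED_EXTENSIONS = {
    "exe", "com", "pif", "scr", "bat", "bas", "chm", "cmd", "cpl", "hta", "js",
    "jse", "sct", "shb", "vb", "vbe", "wsc", "wsf", "wsh", "reg", "lnk",
}


def attachment_clues(filename):
    """Reasons an attachment name looks suspicious; [] means none found."""
    clues = []
    exts = filename.rsplit("/", 1)[-1].lower().split(".")[1:]
    if not exts:
        return clues
    if exts[-1] in BLOCKED_EXTENSIONS:
        clues.append("extension ." + exts[-1] + " is on the block list")
    if len(exts) >= 2:                      # e.g. report.doc.doc or photo.jpg.exe
        clues.append("double extension ." + ".".join(exts))
    return clues


def address_clues(address):
    """Heuristics from the guide: a leading underscore, or a random-looking local part."""
    local = parseaddr(address)[1].lower().partition("@")[0]
    clues = []
    if local.startswith("_"):
        clues.append("address begins with an underscore")
    # Assumed heuristic: 8+ bare alphanumerics with several digits reads as random.
    if re.fullmatch(r"[a-z0-9]{8,}", local) and sum(c.isdigit() for c in local) >= 3:
        clues.append("address looks like random letters and numbers")
    return clues


def screen_message(sender, body, attachment, known_senders, expected=False):
    """Apply the checklist; the guide's rule is that any clue means do not open."""
    address = parseaddr(sender)[1].lower()
    clues = []
    if address not in {a.lower() for a in known_senders}:
        clues.append("sender is not someone I know")
    clues += address_clues(address)
    if attachment:
        if not expected:
            clues.append("attachment was not requested or announced")
        if not body.strip():
            clues.append("no message text, just an envelope and an attachment")
        clues += attachment_clues(attachment)
    return clues
```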

 

Note: Be careful about referring to file extension names in email exchanges about a virus warning, especially in the subject line of a message. Some server firewalls will reject a message that even refers to these extensions.


Is it from a discussion list?

Sending attachments to discussion lists is a separate but related subject. It is poor netiquette in any case, unless it is a very small list and someone has been charged to send the list a report or other document. Otherwise:

· It is poor manners to assume that everyone on the list wants what you have to offer.

· It creates a security risk for the whole list if you accidentally send an infected attachment to the list, or if someone deliberately commandeers your email address and does so.

· There is the bandwidth issue, on the Net and on everyone’s computer lines.

· Many people – especially busy people who belong to multiple lists – use the list Digest instead of receiving each posting individually. List postings are grouped and sent to the individual at the end of the day in a single file. When attachments are received by a list system and automatically dropped into a digest, the recipient gets page after page after page of gobbledy-gook – most annoying to say the least.

At least three lists to which I belong recently became the hosts for infected files because they allowed their members to post attachments to the list. That was okay five years ago, but it isn’t good practice any more. Proper list netiquette calls for posting the existence of a document to the list, describing it and inviting anyone interested in it to contact the sender (or whomever) directly to obtain an off-list copy. Alternatively, if your list makes use of software such as the web-based Yahoo Groups, provisions are made whereby files can be uploaded to a group File page and announced to the group; but individuals must take the step of choosing to visit the File page and downloading the file.

Even so…

Despite using these fairly strict guidelines, I was caught once a few years ago. It can happen even when you really try hard to avoid it. But you can substantially reduce the likelihood of it happening by using decision criteria such as the above and by having an up-to-date anti-virus system.  As noted earlier, it is no longer enough to just buy such systems and install them and not pay the annual fee for the regular virus definition updates. Things are happening so fast now, that by the time you install the AV system, there are new viruses/worms/Trojan horses out that your system won't recognize or fix. Or possibly even whole new classes of them. The system I use works in the background whenever I'm on the Internet and continuously updates my virus definitions and fixes. It is more than worth the annual subscription fee.


Years ago when I was a naval aviator during the Vietnam years, we had a saying that there were two kinds of pilots: those who had gotten lost and those who were going to.  I think the same is probably true about Internet users and viruses. I did get lost once – badly.  And I did get a virus once – luckily, not so badly.