A Personal Guide to Detecting and Avoiding Viruses, Hoaxes
& Urban Legends
by Rick Barry
September 2002
You use this guide at your own risk. In good
faith, I have done my best to read and listen to others, listen to my own experiences
catching bugs and put together what I believe to be good and sound information.
But I cannot and do not accept ANY legal, operational or other responsibility
for any untoward results that anyone suffers from these guidelines. Read this
and take what you want from it and leave the rest.
In recent months I have observed a rise in messages that appear to carry infected
file attachments and that get through Internet Service Providers’ (ISP) firewalls.
These have prompted questions, and often the wrong responses, on lists I belong to.
The message below, or some form of it, has been posted to such lists when questions
were raised about potential viruses or hoaxes. After replying to such messages on
unrelated professional lists for the third or fourth time in as many weeks, I
decided to write something up and make it available on the Web, so that in
future I can simply refer people to it.
Like my Net Etiquette (Netiquette)
Guidelines, I have put these virus/worm/Trojan horse and hoax guidelines
together over time using information received from others as well as from
observations and mistakes that I have made over about 20 years of using email.
[To learn about the differences among viruses, worms and Trojan horses, check
out the excellent glossaries of terms at Symantec’s Glossary
and McAfee’s Virus
Glossary of Terms.]
Below is one message that was posted on
one list to which I belong. It typifies how people react to virus threats when
they aren’t sure what to do.
<<
Perhaps someone could tell the
computer illiterati like myself what alerted you
to the fact that this message contained a virus and how to work out where
things like this come from.
>>
My reply has typically been to provide as much of the
information below as I think pertains to the specific request. The reply to the above began:
<<
The question is short
and important, but also not simple. The short answer is: learn from your
past mistakes, examine the incoming message carefully for clues and have good
anti-virus protection. Stop here if you don't want the long answer.
>>
The remainder of this guide is an attempt to cover most of the situations I have observed.
The best thing to do is to avoid getting
into trouble in the first place. Before you get into a situation involving
possible viruses, read this and other sources for tips on keeping out of
trouble. A good source is McAfee’s Virus Detection
and Prevention Tips.
No one who uses the Internet can any longer afford not to have an up-to-date
version of a good anti-virus system and continuous virus definition updates from
the supplier. Don’t go out without it! You may get more protection with an
outdated version of the software but completely updated definitions than with
the most current software version without the most current definitions, which
leaves you open to the new and increasingly insidious virus strains. But the
surest way is to have both. The variants and even types of viruses, worms, Trojan
horses, etc., are changing so rapidly that without a recent version of an
antivirus system and automatic updates whenever you are online, you are at
serious risk. To illustrate, one of the more recent kinds of files being used by
disseminators to circulate viruses is the .zip file, commonly used to condense
large multimedia files or multiple files for faster transfer over the Internet.
They chose .zip files to get their viruses through because mainstream antivirus
programs were not designed to search inside those kinds of files. They now
typically do, because of the rash of infections that this crack in the wall
created. Thus, even if your antivirus system is only one or two version numbers
old, it may not be current enough to have that feature. Check your developer’s
website to see whether you need an upgrade. Some are free; Symantec offers a free
“Scan for Viruses” on its website. But treat this only as a temporary measure
until you can get full protection. Even if you have the latest version, if you do
not have all of the current virus definitions and fixes on your computer you are
still very much at risk. These come initially with the application program, and
new ones are added as they are discovered and fixes are created, in automatic
definition updates, often in the background without your even noticing while you
are doing other things on the Internet. But this happens only if you have an
up-to-date annual subscription with your developer. These cost only around $10
per year at the time of this writing. It used to be a worthwhile expense. Now it
is a necessary expense.
Note: At time of this writing, the free scan does not scan compressed files at all. This is very important as most of the more sophisticated viruses/worms now are being circulated in compressed files, typically zip files. Thus a clean bill of health from Symantec's free scan, as nice as that is, will miss these. Similarly, it is my understanding that even installed versions of the software will catch most infected compressed files coming into your system, but will not discover infected compressed files already in your system. To be sure, contact your antivirus system developer. Finally, depending on the provider, the free scan may inform you of infected files but not fix them.
There are two main issues to be concerned about: 1) How do
I know that a virus warning is legitimate, and 2) how do I decide if a
message/attachment I have received may be infected or not.
Checking Virus Warnings for Authenticity
First, do no harm. Do not immediately
forward copies of virus warnings to everyone you know until you verify that
they are authentic. Otherwise, you (and thousands of others reacting the same
way) just tie up enormous Internet resources, and in some cases you and
thousands of others will delete necessary files from your computer that you
should not delete because the warning message is “nice” enough to tell you how
to determine if you have the virus already and how to fix it – both exactly
what the perpetrators of such warnings take glee in having happen. Unless you
have received a warning from your own antivirus system (automatically) or a
notice from your software developer, don’t immediately conclude that you have
received a true virus or worm or authentic warning about one. This usually
happens by receipt of a list message suggesting the existence of a virus and
warning of its imminent danger and urging you to resend the message to everyone
in your address book (the vast majority of messages with those instructions are
hoaxes). First check out the purported virus on one of the reliable antivirus
websites. Three principal ones are:
· HOAXBUSTERS, supported by the US Government
· Symantec’s (developer of Norton Antivirus System) Security Response center
· McAfee’s (developer of VirusScan Online) Security Center
Upon receiving a virus or worm warning message, ALWAYS check one or more of the above sources BEFORE you do anything to your computer or tell anyone else to. When you send a hoax, or worse an infected file that purports to be a fix to a nasty virus, you are taking responsibility for misleading not only the people to whom you send the files or information, but also those that they on-send it to. So don't just willy-nilly resend a warning message. At least take some of the precautions noted in this paper and on the websites of the producers of antivirus systems such as those noted above. To check out a possible hoax or urban legend, go to the above sites and, using their search engines, search on some identifying term(s) from the subject line or from an opening string of text of the message you have received, and see what you find out first. Whenever there is a recommendation to send the message to everyone you know, it is highly probable that the message is a hoax. If you don’t find it in the HOAXBUSTERS database, then check the others to see if it is listed among the real viruses/worms/Trojan horses, etc.
Clues I use to filter suspicious email/attachments:
· Is it from someone I do not know?
· Is the address suspicious looking?
· Is this email/attachment something I did not request?
· Is there no identifiable message - just an envelope and an attachment?
· Is it a strange or suspicious looking file extension?
· Is it from a discussion list?
If the answer to any of the above questions is Yes, I don't open it and will
delete the whole thing. I will then also empty my wastebasket. Some email systems,
e.g., AOL, show the attachment in the envelope of the incoming message but do not
download it until you request it. With other systems, the attachment may be
downloaded automatically before you even look at the message. Find out how your
system works.
Is it from someone I do not know?
Or is it from someone I know who had not told me in advance that they were going
to send it? If I do not know the sender, there has to be a compelling reason for
me to receive or open an attachment from a stranger. More often than not, it may
just be SPAM, but I don’t want that either. If I do know the person, I will at a
minimum look to them to vouch for the fact that the file is okay, and preferably
to tell me something about it and why it is likely to be something that I would
want. Even the best of family and friends can get infected and send out infected
attachments without their knowledge.
Is this email/attachment something I did not request?
In cases where I am familiar with the sender and the attachment is not expected
or is in ANY way suspicious, I will not open the file. If it is someone I know
well, I'll send them an email with a copy of their email showing the name of the
attached file (naming but not actually re-sending the attachment itself) and
ask them if they really sent it to me; and, if not, warn them that they may
have gotten infected with a worm and sent the same message to everyone in their address book.
It may be difficult to determine whether the infected message came from their
computer or their address was stolen from someone else’s infected
computer. You may be able to determine this by carefully inspecting the message
trailer (the routing headers) to see if the original address is theirs or some
unknown address, or at least to see in what time zone the message originated. A
recent one that purportedly was from this author actually originated in Europe
and was relayed through an Internet server located in the Atlantic Time zone. To
do this, look at the end of the message trailer, just above the envelope
information and message ID. Then work backwards to the delivery at your Internet
Service Provider.
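Reading the trailer from the bottom up can be automated. The following is an added example, not the author's own code or method: it walks the Received headers of a constructed message (placeholder hosts and addresses, built to mirror the European origin relayed through an Atlantic Time zone server described above) from origin to final delivery, reports each hop's time zone, and, as an assumed heuristic, checks whether the originating host matches the From domain.

```python
"""Walk a message's Received headers oldest-first and show each hop's time zone.
Added example, not from the original guide. RAW_MESSAGE is constructed;
every host name and address in it is a placeholder."""
import re
from email import message_from_string, utils

RAW_MESSAGE = """Received: from mx.isp.invalid (mx.isp.invalid [192.0.2.10])
\tby mail.recipient.invalid with ESMTP id ABC123
\tfor <reader@recipient.invalid>; Mon, 16 Sep 2002 09:15:02 -0400
Received: from relay.atlantic.invalid ([198.51.100.7])
\tby mx.isp.invalid with SMTP id XYZ789;
\tMon, 16 Sep 2002 08:55:40 -0300
Received: from unknown (HELO home-pc) ([203.0.113.5])
\tby relay.atlantic.invalid with SMTP;
\tMon, 16 Sep 2002 13:40:11 +0200
From: rick.barry@rbarry.com
To: reader@recipient.invalid
Subject: I hope you will like this game
Message-ID: <constructed-id@relay.atlantic.invalid>

(body omitted)
"""

def parse_received(value):
    """One Received header -> the relay it came from, the relay that accepted
    it, and the UTC offset (hours) of the timestamp that relay stamped on it."""
    flat = " ".join(value.split())            # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    stamp = utils.parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
    return {
        "from": m_from.group(1) if m_from else "?",
        "by": m_by.group(1) if m_by else "?",
        "utc_offset_hours": stamp.utcoffset().total_seconds() / 3600,
        "time": stamp,
    }

def trace_origin(raw):
    """Hops oldest-first: hops[0] is the relay closest to where the mail left."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops

def origin_matches_sender(raw):
    """Assumed heuristic: does the first relay's name end with the From domain?
    A mismatch proves nothing by itself, but it is the clue the guide describes."""
    msg = message_from_string(raw)
    _, sender = utils.parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower()
    hops = trace_origin(raw)
    return bool(hops) and domain != "" and hops[0]["from"].lower().endswith(domain)

if __name__ == "__main__":
    for hop in trace_origin(RAW_MESSAGE):
        print(f"{hop['from']:24} -> {hop['by']:24} UTC{hop['utc_offset_hours']:+.0f}")
```

Relays can forge or omit Received lines, so treat the oldest line as a lead to follow up with the apparent sender, not as proof.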
Another way is to contact a half dozen others in their email address book and ask if they received the same message. If some did not, it may very well mean that the infected message originated on someone else’s computer where their name was in the address book. Normally, if the virus were sent from someone’s own computer, everyone in his or her email address book would have received it. Finally, of course, one can have an on-line scan done of their computer to see if they are infected. This can be done by contacting an antivirus vendor. Some have free on-line scans but without the fix. If one is relatively certain that the virus originated from his or her own computer, they should gracefully inform everyone in their email address book to that effect and warn them not to open the file. Don’t feel too badly. Increasingly, you will find it has happened to many more people than you think, and people truly appreciate your informing them as soon as you learn about it.
Note: Such viruses/worms, including the H strain of Klez, will discover email addresses not only in the infected system's email address book, but from other sources, e.g., the distribution list on an email message that was sent to/from the infected system. The Symantec website states:
"In addition, the worm searches
the Windows address book, the ICQ database, and local files (such as .html and
text files) for email addresses. The worm sends an email message to these
addresses with itself as an attachment. The worm contains its own SMTP engine
and attempts to guess at available SMTP servers.
The subject line, message bodies, and attachment file names are random. The from
address is randomly chosen from email addresses that the worm finds on the
infected computer."
Thus, you cannot conclude that your system is not infected simply from the fact that the email address of someone who received an infected message is not in your email address book.
Is the address suspicious?
Weird, with what appear to be random numbers and letters, or what looks like a
legitimate address, especially of someone I know, except that it has an
underline in front of it, e.g.:
_rickbarry@rbarry.com (a dead giveaway), rather than the legitimate
Unix-based convention of an underline or period separating first and last
name, e.g., rick_barry@torpedoed.com or rick.barry@rbarry.com
If you plan to send someone an attachment, it should be because they have
requested it, or you have been discussing it, or at least that you have
forewarned them and told them why you think they will be interested in seeing
it, preferably in a separate and prior email. An attachment to an envelope without
a plausible explanation should be regarded as highly suspect.
Even if there is a message, does it make sense?
A currently common one has a message, “I hope you will like this
game.” Come on! In still other cases,
the word usage/spelling/structure is totally out of character with the author.
One infected attachment came to a list purportedly from the editor of a
professional journal. It had a stupid message in it that gave it away
immediately as something that did not originate with the editor.
If I am only mildly suspicious, I will simply let it sit for a few days to see if
there is any backlash from other recipients. Sometimes, in such cases, numerous
computer-generated messages will come from the firewall servers of
organizations noting that an infected message came from that source. Or another
recipient will reply warning that his or her anti-virus program detected that
the attachment contained a virus or worm.
Is it a strange or suspicious looking file extension?
You can also tell something by looking at the file extension. It may be
possible, but I've never heard of a JPG file containing a virus. But
double file extensions such as <.doc.doc> and .exe files (typically used
for executing computer programs) are a no-no right away. Certain other
extensions are also high candidates for contamination. In one case, where
I just played the waiting game, I received no less than a dozen messages from
various organizations (I believe using the same network anti-virus system
because their messages were very similar) informing me that I was on a
distribution list for an email that had been received by that organization that
likely contained a virus. Most of them were from US state governments and
universities, but there were a couple of private sector responses like that
too. Several said that their email system was configured to block file
attachments with any of the extensions listed below. I have placed spaces
between the letters where ordinarily there would not be, of course, because
some organizations will reject anything coming into their firewalls that even
has some of these file names in the text. In other words, they not only reject
attachments with such extensions but those that even talk about them:
*.E X E, *.C O M, *.P I F, *.S C R, *.B A T, *.B A S, *.C H M, *.C M D, *.C P L, *.H T A, *.J S, *.J S E, *.S C T, *.S H B, *.V B, *.V B E, *.W S C, *.W S F, *.W S H, *.R E G, and *.L N K
Note: Be careful about referring to file extension names in email exchanges about a virus warning, especially in the subject line of a message. Some server firewalls will reject a message that even refers to these extensions.
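The clue checklist earlier in this guide (unknown sender, underscore-prefixed look-alike address, an envelope with no message text) and the extension list just above can be turned into a mechanical first pass. This is an added example, not the author's code: the address book and the sample message are constructed placeholders, and the extension set is the one the guide reports organisations' gateways reject.

```python
"""Triage an incoming message against the guide's clues. Added example, not
from the original guide; KNOWN_SENDERS and sample_message() are constructed."""
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions the guide reports organisations' mail gateways block outright.
BLOCKED_EXTENSIONS = {
    "exe", "com", "pif", "scr", "bat", "bas", "chm", "cmd", "cpl", "hta", "js",
    "jse", "sct", "shb", "vb", "vbe", "wsc", "wsf", "wsh", "reg", "lnk",
}
KNOWN_SENDERS = {"rick.barry@rbarry.com", "rick_barry@torpedoed.com"}  # constructed

def attachment_clues(filename):
    """Clues from the file name alone: blocked extension, double extension."""
    # Lower-case and strip each piece so "game.doc   .exe" is not waved through.
    exts = [p.strip().lower() for p in filename.split(".")][1:]
    clues = []
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        clues.append(f"blocked extension .{exts[-1]} ({filename})")
    if len(exts) > 1:
        clues.append(f"double extension .{'.'.join(exts)} ({filename})")
    return clues

def triage(msg, known=KNOWN_SENDERS):
    """Return the guide's warning signs found in an EmailMessage (empty = none)."""
    clues = []
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    if sender not in known:
        clues.append(f"sender not in address book: {sender}")
    if sender.split("@")[0].startswith("_"):
        clues.append(f"underscore-prefixed look-alike address: {sender}")
    attachments = list(msg.iter_attachments())
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    if attachments and not text:
        clues.append("no message text, just an envelope and an attachment")
    for part in attachments:
        clues.extend(attachment_clues(part.get_filename() or ""))
    return clues

def sample_message():
    """Constructed message showing the pattern the guide warns about."""
    msg = EmailMessage()
    msg["From"] = "_rickbarry@rbarry.com"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "game"
    # No body text at all, only a binary attachment with a doubled extension.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="game.doc.exe")
    return msg

if __name__ == "__main__":
    for clue in triage(sample_message()):
        print("-", clue)
```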
Is it from a discussion list?
Sending
attachments to discussion lists is a separate but related subject. It is poor netiquette in any case, unless it
is a very small list and someone has been charged to send the list a report or
other document. Otherwise:
· It is poor manners to assume that everyone on the list wants what you have to offer.
· It creates a security risk for the whole list if you accidentally send an infected attachment to the list or someone deliberately commandeers your email address and does that.
· There is the bandwidth issue, on the Net and everyone’s computer lines.
· Many people – especially busy people who belong to multiple lists – use the list Digest instead of receiving each posting individually. List postings are grouped and sent to the individual at the end of the day in a single file. When attachments are received by a list system and automatically dropped into a digest, the recipient gets page, after page, after page of gobbledy-gook – most annoying to say the least.
At least three lists to which I belong recently became the hosts for infected
files because they allowed their members to post attachments to the list. That
was okay five years ago, but it isn’t good practice any more. Proper list
netiquette calls for posting the existence of a document to the list,
describing it and inviting anyone interested in it to contact the sender (or
whomever) directly to obtain an off-list copy. Alternatively, if your list
makes use of software such as the web-based Yahoo Groups, provisions are made
whereby files can be uploaded to a group File page and for announcements of the
file to the group; but the individuals must take the step of choosing to visit
the File page and downloading the file.
Even so…
Despite using these fairly strict guidelines, I was caught once a few years ago. It can
happen even when you really try hard to avoid it. But you can substantially
reduce the likelihood of it happening by using decision criteria such as the
above and by having an up-to-date anti-virus system. As noted earlier, it
is no longer enough to just buy such systems and install them and not pay the
annual fee for the regular virus definition updates. Things are happening so
fast now, that by the time you install the AV system, there are new viruses/worms/Trojan
horses out that your system won't recognize or fix. Or possibly even whole new
classes of them. The system I use works in the background whenever I'm on the
Internet and continuously updates my virus definitions and fixes. It is more than
worth the annual subscription fee.
Years ago when I was a naval aviator during the Vietnam years, we had a saying
that there were two kinds of pilots: those who had gotten lost and those who
were going to. I think the same is probably true about Internet users and
viruses. I did get lost once – badly.
And I did get a virus once – luckily, not so badly.