I was bombarded with e-mails from people who were infected by the MyDoom virus, which MessageLabs called the fastest-spreading computer virus of all time.
Did you have an effective anti-virus strategy in place when MyDoom struck? I'm sure many of you did, but preventing e-mail viruses from spreading within any organization is not easy. No one strategy is sufficient when trying to prevent e-mail viruses, and the only way to really conquer them is to use a combination of techniques.
One of your first priorities is educating your users. Seems obvious, but you need to explain to them what constitutes a suspicious attachment. Even though this is critical, don't expect your users to keep viruses out of your organization once you do educate them. I have received way too many phone calls over the years that start off with, "I know that you told us not to open attachments from people that we don't know, but..."
Fortunately, Outlook lends a helping hand by blocking malicious attachments. Outlook 2000 (Service pack 2 and later), XP, and 2003 block about 60 different file extensions that Microsoft considers dangerous. For example, many E-mail viruses use the .PIF file extension. Should someone running Outlook 2003 receive an E-mail message with a .PIF file attached, Outlook will prevent the user from opening the file, and prevent the virus from executing.
Blocking potentially harmful E-mail attachments directly through Outlook is a huge step in slowing
By default, Windows is configured to hide file extensions for known file types. Many viruses, including MyDoom, exploit this by using multiple file extensions. For example, a file might be named FILE.DOC.EXE. While the .EXE extension indicates that this is an executable file, Windows hides the .EXE extension and would simply display the filename as FILE.DOC. A user might then see this file and assume that it is a harmless Microsoft Word document. To prevent this from happening, I often recommend configuring all of your user's computers to show all file extensions. However, in some cases revealing the true file extension would not do anything to stop the spread of MyDoom.
ZIP seemed harmless, but wasn't
The MyDoom virus managed to circumvent Outlook's file blocking for a lot of people because one of the extensions that it used was ZIP. ZIP files themselves are harmless, so if users viewed the file extension, they might assume the file was harmless. The actual virus is compressed within the ZIP archive. Outlook does nothing to block the .ZIP file because ZIP is considered a safe file type. Furthermore, Outlook does not block the contents of a ZIP file regardless of file type.
Imagine for a moment that one of your users has a friend whose computer became infected with MyDoom and the virus on that computer gets sent to someone in your organization in the form of a ZIP attachment. Even a well-trained user might try to open the attachment. After all, it's a harmless ZIP file from a friend. In this case, the user opens the attached file and activates the virus. Sure, your anti-virus software should kick in and stop the virus in its tracks, but what if the virus definition files haven't been updated to recognize the new virus yet?
The MyDoom virus uses one of the following subject lines when it gets sent out: test, hi, hello, Mail Delivery System, Mail Transaction Failed, Server Report, Status, or Error. You could tell your SPAM filter to block any message using one of these subject lines. More sophisticated SPAM filters will even allow you to block messages with certain attachment types. If you have such an application, you could for example block any inbound message that has a subject line of Hello and contains a ZIP file.
While I am a big believer in anti-virus software, I am an even bigger believer in prevention. My philosophy is that you should make every effort to block a virus from entering your organization in the first place. If a virus does get in, then your anti virus software should be your last line of defense, not your first.
This was first published in February 2004