How to combat e-mail viruses

I was bombarded with e-mails from people who were infected by the MyDoom virus, which MessageLabs called the fastest-spreading computer virus of all time.

Did you have an effective anti-virus strategy in place when MyDoom struck? I'm sure many of you did, but preventing e-mail viruses from spreading within any organization is not easy. No one strategy is sufficient when trying to prevent e-mail viruses, and the only way to really conquer them is to use a combination of techniques.

One of your first priorities is educating your users. Seems obvious, but you need to explain to them what constitutes a suspicious attachment. Even though this is critical, don't expect your users to keep viruses out of your organization once you do educate them. I have received way too many phone calls over the years that start off with, "I know that you told us not to open attachments from people that we don't know, but..."

Fortunately, Outlook lends a helping hand by blocking malicious attachments. Outlook 2000 (Service Pack 2 and later), XP, and 2003 block about 60 different file extensions that Microsoft considers dangerous. For example, many e-mail viruses use the .PIF file extension. Should someone running Outlook 2003 receive an e-mail message with a .PIF file attached, Outlook will prevent the user from opening the file, and so prevent the virus from executing.

Blocking potentially harmful e-mail attachments directly through Outlook is a huge step in slowing the spread of e-mail viruses, but it isn't enough, for several reasons. For starters, there are still people in the world with older versions of Outlook that don't support attachment blocking. There are also people running e-mail clients other than Outlook. And even if a user is running a current version of Outlook, it is possible for the user to disable file extension blocking by editing the Registry.

By default, Windows is configured to hide file extensions for known file types. Many viruses, including MyDoom, exploit this by using multiple file extensions. For example, a file might be named FILE.DOC.EXE. While the .EXE extension indicates that this is an executable file, Windows hides the .EXE extension and simply displays the filename as FILE.DOC. A user might then see this file and assume that it is a harmless Microsoft Word document. To prevent this from happening, I often recommend configuring all of your users' computers to show all file extensions. However, in some cases revealing the true file extension would not do anything to stop the spread of MyDoom.
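To make the hidden-extension problem concrete, here is an added example in Python (not code from the original tip) that simulates what a user sees with "Hide extensions for known file types" switched on and then classifies the same attachment name the way an administrator should: by its real, last extension. The sets of "known" and "blocked" extensions are illustrative subsets I constructed for the example, not Microsoft's actual lists.

```python
import os

# Illustrative subset of "known file types" whose extensions Explorer and Outlook
# hide when the default "Hide extensions for known file types" option is on.
# Constructed for this example; the real set comes from the local registry.
KNOWN_TYPES = {".doc", ".xls", ".txt", ".exe", ".pif", ".scr", ".zip", ".jpg"}

# Illustrative subset of the roughly 60 extensions Outlook's attachment blocking
# refuses; again constructed, not the complete Microsoft list.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".cmd", ".com", ".vbs", ".js", ".lnk"}

# Extensions a user would read as "a harmless document or picture".
DOCUMENT_LIKE = {".doc", ".xls", ".txt", ".pdf", ".jpg", ".gif", ".htm", ".html"}


def displayed_name(filename, hide_known=True):
    """Return the name a user sees in the attachment list or in Explorer."""
    stem, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN_TYPES:
        return stem
    return filename


def classify_attachment(filename):
    """Describe an attachment name by its real extension, not the one the UI shows."""
    stem, real_ext = os.path.splitext(filename)
    real_ext = real_ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()   # ".doc" in FILE.DOC.EXE, "" otherwise
    executable = real_ext in BLOCKED_EXTENSIONS
    return {
        "filename": filename,
        "displayed_as": displayed_name(filename),
        "true_extension": real_ext,
        "executable": executable,
        # Executable dressed up with a document-looking inner extension.
        "disguised": executable and inner_ext in DOCUMENT_LIKE,
        # Does the default UI strip the only clue that this file runs code?
        "hidden_by_ui": executable and displayed_name(filename) != filename,
    }


if __name__ == "__main__":
    # Constructed sample names, including the FILE.DOC.EXE pattern from the tip.
    for name in ["FILE.DOC.EXE", "report.doc", "readme.txt.pif", "backup.tar.gz"]:
        info = classify_attachment(name)
        flag = "BLOCK" if info["executable"] else "allow"
        print(f'{flag:5} {name:16} shown as {info["displayed_as"]:14} disguised={info["disguised"]}')
```

The "disguised" flag only fires when an executable extension follows a document-looking one, so a legitimate stacked name such as backup.tar.gz is not reported; the "hidden_by_ui" flag is what the "show all file extensions" recommendation in the tip turns off.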

ZIP seemed harmless, but wasn't

The MyDoom virus managed to circumvent Outlook's file blocking for a lot of people because one of the extensions that it used was ZIP. ZIP files themselves are harmless, so if users viewed the file extension, they might assume the file was harmless. The actual virus is compressed within the ZIP archive. Outlook does nothing to block the .ZIP file because ZIP is considered a safe file type. Furthermore, Outlook does not block the contents of a ZIP file regardless of file type.

Imagine for a moment that one of your users has a friend whose computer became infected with MyDoom and the virus on that computer gets sent to someone in your organization in the form of a ZIP attachment. Even a well-trained user might try to open the attachment. After all, it's a harmless ZIP file from a friend. In this case, the user opens the attached file and activates the virus. Sure, your anti-virus software should kick in and stop the virus in its tracks, but what if the virus definition files haven't been updated to recognize the new virus yet?

The MyDoom virus uses one of the following subject lines when it gets sent out: test, hi, hello, Mail Delivery System, Mail Transaction Failed, Server Report, Status, or Error. You could tell your SPAM filter to block any message using one of these subject lines. More sophisticated SPAM filters will even allow you to block messages with certain attachment types. If you have such an application, you could for example block any inbound message that has a subject line of Hello and contains a ZIP file.
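As an added example that is not part of the original tip, the following Python code implements the gateway rule described above: quarantine a message whose subject is one of the MyDoom subject lines and that carries a ZIP attachment. It goes one step beyond the article's suggestion by also opening each ZIP attachment in memory and looking for executable members, which is exactly the check Outlook's own attachment blocking does not perform. The messages and archives are constructed inline with harmless placeholder bytes; the subject list is the one given in the tip, compared case-insensitively, and the executable extension set is an illustrative subset.

```python
import io
import os
import zipfile
from email.message import EmailMessage

# Subject lines the tip attributes to MyDoom, compared case-insensitively.
MYDOOM_SUBJECTS = {"test", "hi", "hello", "mail delivery system",
                   "mail transaction failed", "server report", "status", "error"}

# Illustrative subset of executable extensions (constructed for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}


def _ext(name):
    return os.path.splitext(name)[1].lower()


def executables_in_zip(data):
    """Names of executable members inside a ZIP archive; [] if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def filter_message(msg):
    """Return a quarantine reason, or None if the message may be delivered."""
    subject = str(msg.get("Subject", "")).strip().lower()
    parts = [(p.get_filename() or "", p.get_payload(decode=True) or b"")
             for p in msg.iter_attachments()]
    # Rule 1 (the tip's suggestion): known MyDoom subject plus a ZIP attachment.
    if subject in MYDOOM_SUBJECTS and any(_ext(n) == ".zip" for n, _ in parts):
        return f"subject {subject!r} with ZIP attachment"
    for name, data in parts:
        # Rule 2: a bare executable, the case Outlook's own blocking already covers.
        if _ext(name) in EXECUTABLE_EXTENSIONS:
            return f"executable attachment {name}"
        # Rule 3: look inside archives, which Outlook does not do.
        hits = executables_in_zip(data)
        if hits:
            return f"ZIP {name} contains executable member(s): {', '.join(hits)}"
    return None


# --- constructed test fixtures (placeholder addresses and payloads) -----------

def make_zip(members):
    """Build a ZIP archive in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_message(subject, attachment_name, attachment_bytes):
    """Build a MIME message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    samples = [
        make_message("Hello", "document.zip", make_zip({"document.doc.pif": b"PLACEHOLDER"})),
        make_message("Quarterly numbers", "numbers.zip", make_zip({"numbers.exe": b"PLACEHOLDER"})),
        make_message("Quarterly numbers", "numbers.zip", make_zip({"numbers.txt": b"1,2,3"})),
    ]
    for m in samples:
        print(f'{str(m["Subject"])!r:22} -> {filter_message(m) or "deliver"}')
```

Rule 1 alone will also catch a colleague's genuine "hi" with a ZIP of photos, which is why the tip pairs the subject with the attachment type rather than blocking on subject alone; rule 3 does not depend on the subject at all and keeps working after the worm changes its subject lines, at the cost of having to unpack every archive at the gateway.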

While I am a big believer in anti-virus software, I am an even bigger believer in prevention. My philosophy is that you should make every effort to block a virus from entering your organization in the first place. If a virus does get in, then your anti-virus software should be your last line of defense, not your first.


This was first published in February 2004
