The topic of email-borne viruses and worms comes up regularly on the Forum, whenever a new one is released. Whilst the concern of Forumites is understandable, this is not really a suitable place to discuss the technical details -- especially not every time the topic comes round! There are loads of other places with more experienced anti-virus folks around on the Net.
This page is an attempt to summarise the main points. I'll keep it updated as new generations of worms are released. Please contact me (not the list) if you have any comments or suggestions to make that page more useful as a starting point for worried Forumites!
Strictly, viruses, trojans and worms are all different:
Most malicious programs have elements of all three: they might arrive attached like a virus to a legitimate email, pretending to be something the user wants (a new screen saver, or a document, for example), and once installed send themselves out as new emails to new victims automatically. Some are pure worms, jumping directly from computer to computer without using email at all.
In practice, of course, the distinction is a moot point: they all need to be avoided!
"Blaster" is a worm which spreads directly from one Microsoft Windows system to another, exploiting faults in the Windows mechanisms intended for filesharing and printer sharing. It only directly affects Windows machines, although the additional network traffic on the Internet at large can cause knock-on effects, as everything runs more slowly.
"Bugbear" is a hybrid worm/virus, which spreads both directly and via email. It only affects Windows machines in any way at all. Even then, it only spreads easily between people using Microsoft email products (Outlook or Outlook Express). Some other email programs (notably Eudora) use various components from Microsoft to display messages, and may therefore also provide the means for the worm to spread, although not so easily.
This group of worms all make use of Windows' "feature" of hiding the extension of known file types, so that an attachment such as "report.txt.exe" is displayed as "report.txt" and you are led to think it is plain text, or a Word document, or something else innocuous. The icon is usually (but not always) a give-away if you look at it carefully. You are recommended to turn off this feature (on the Folder Options screen in Explorer).
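To show how the hidden-extension trick works and how a mail gateway or a careful user can spot it, here is a small Python checker. It is an added example written for this page, not code from the original; the lists of "dangerous" and "innocuous" extensions are an assumption for illustration and are not exhaustive.

```python
from typing import Optional, Tuple

# Executable and script types that email worms of this generation arrived as.
# Assumed list for illustration; real filters should be broader.
DANGEROUS_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}

# Types a user would reasonably expect to be harmless documents or images.
INNOCUOUS_EXTENSIONS = {"txt", "doc", "jpg", "gif", "htm", "html", "pdf", "zip", "mp3"}

# Types Windows regards as "known" and therefore hides when the Explorer
# option is on.  Assumed to be the union of the two sets above.
KNOWN_EXTENSIONS = DANGEROUS_EXTENSIONS | INNOCUOUS_EXTENSIONS


def apparent_and_real_extension(filename: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (extension the user would see with hiding on, real final extension).

    For "report.txt.exe" this is ("txt", "exe"); for "setup.exe" it is (None, "exe");
    for a name with no dot it is (None, None).  Both are lower-cased.
    """
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2:
        return None, None
    real = parts[-1]
    apparent = parts[-2] if len(parts) >= 3 else None
    return apparent, real


def displayed_name(filename: str) -> str:
    """What Explorer shows when 'hide extensions for known file types' is on:
    the final extension is dropped if Windows knows the type."""
    _, real = apparent_and_real_extension(filename)
    if real in KNOWN_EXTENSIONS:
        return filename[: filename.rfind(".")]
    return filename


def is_deceptive_attachment(filename: str) -> bool:
    """True when the real type is executable but the displayed name would look
    like an innocuous document or image, i.e. the double-extension trick."""
    apparent, real = apparent_and_real_extension(filename)
    return real in DANGEROUS_EXTENSIONS and apparent in INNOCUOUS_EXTENSIONS


def classify_attachments(names):
    """Map each attachment name to 'deceptive', 'executable' or 'ok'."""
    verdicts = {}
    for name in names:
        _, real = apparent_and_real_extension(name)
        if is_deceptive_attachment(name):
            verdicts[name] = "deceptive"
        elif real in DANGEROUS_EXTENSIONS:
            verdicts[name] = "executable"
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = ["report.txt.exe", "photo.jpg.pif", "setup.exe", "notes.txt"]
    for name, verdict in classify_attachments(sample).items():
        print(f"{name:16} shown as {displayed_name(name):12} -> {verdict}")
```

The point the checker makes is that the decision must be taken on the real final extension, never on what the file manager displays; a gateway that strips or quarantines anything classified "deceptive" or "executable" removes the bulk of this family regardless of which worm it is.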
As always, the best way to avoid being infected, if you really cannot avoid using vulnerable products, is to configure them not to view attachments or HTML email without an explicit action by you (yet another reason why HTML is banned on the Forum), to disable all active scripting (JavaScript, ActiveX, etc), and to delete messages unread if you are the slightest bit suspicious. If the sender is genuine, and the matter is urgent, they will contact you again. Do NOT attempt just to reply to the suspicious email unless you have an option to reply without including the original message.
Tracing the origin of an email
Discovering who is actually "infected" (so as to warn them, or to take extra care about messages from them) has become increasingly difficult since email worms first came out. The first generation (Melissa and friends) were comparatively simple: the emails had genuine sender addresses (although hitting "reply" would introduce an extra "_" to make sure you were awake), so it was easy to identify the victim.
The next generation started using random email addresses from the host's Outlook address book and message store. This meant that reports of finding the worm, whether automated or manual, would tend to go to an innocent third party: whilst this could still be of some forensic value, it also carries the danger that the worm would propagate, via the bounce message itself, to a new victim.
More recently this obfuscation has gone one stage further, with random addresses being created from parts of other addresses in the Outlook address book. There is no reason to believe that the sender email address bears any relation at all to the real source, or even exists, so the only appropriate action, unless you feel able to investigate IP addresses and detailed SMTP routing, is to delete the email.
Even viewing the full headers of the emails doesn't always reveal much. Early generations used Outlook's SMTP engine to do the sending, which would insert quite a lot of tell-tale information; the later ones are more sophisticated, and although you can usually tell which ISP the originator uses, even that may not be of much help with so many "virtual" ISPs sharing server equipment nowadays.
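For those who do feel able to look at the SMTP routing, the following Python script illustrates the one useful thing the full headers give you: the chain of Received: lines, read from the bottom up, which names the machine that first handed the message to a mail server and the ISP relay that accepted it, quite independently of whatever the From: line claims. This is an added example, not part of the original page; the message, hosts and addresses are all constructed for illustration.

```python
import email
import re

# Constructed sample message with three Received: hops, modelled on the sort of
# trail a worm mailing through an ISP relay leaves.  All names and addresses are
# invented (documentation ranges), and the From: line is deliberately unrelated.
SAMPLE_MESSAGE = """\
Received: from mx2.example-forum.net (mx2.example-forum.net [192.0.2.20])
\tby lists.example-forum.net with ESMTP id abc123; Tue, 19 Aug 2003 10:02:11 +0100
Received: from smtp3.example-isp.net (smtp3.example-isp.net [198.51.100.7])
\tby mx2.example-forum.net with ESMTP; Tue, 19 Aug 2003 10:02:09 +0100
Received: from pc-home (dhcp-203-0-113-45.example-isp.net [203.0.113.45])
\tby smtp3.example-isp.net with SMTP; Tue, 19 Aug 2003 10:02:05 +0100
From: "Alice" <alice@example.org>
To: forum@example-forum.net
Subject: Re: Your details

See the attached file for details.
"""

# Matches the common "from HELO (reverse-dns [ip]) by relay" form of a Received: line.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([\d.]+)\]\)\s+by\s+(\S+)"
)


def parse_received_chain(raw_message):
    """Return the Received: hops in header order (top of message first).

    Each hop is a dict with the HELO name the client gave, the reverse DNS
    the relay recorded, the client IP, and the relay ('by' host) that wrote
    the line.  Lines that don't match the common form are skipped.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2),
                         "ip": m.group(3), "by": m.group(4)})
    return hops


def likely_origin(raw_message):
    """Summarise where the message actually came from.

    Relays prepend their Received: line, so the last one in the header block is
    the earliest hop: its IP is the sending machine and its 'by' host is the ISP
    relay that first accepted the mail.  Only lines written by relays you trust
    are reliable; anything below those can have been forged by the sender.
    """
    hops = parse_received_chain(raw_message)
    if not hops:
        return None
    msg = email.message_from_string(raw_message)
    first = hops[-1]
    return {
        "ip": first["ip"],
        "claimed_host": first["helo"],
        "reverse_dns": first["rdns"],
        "isp_relay": first["by"],
        "from_header": msg.get("From", ""),
    }


if __name__ == "__main__":
    origin = likely_origin(SAMPLE_MESSAGE)
    print("From: header claims :", origin["from_header"])
    print("Sending machine     :", origin["ip"], "(" + origin["reverse_dns"] + ")")
    print("ISP relay           :", origin["isp_relay"])
```

Note the contrast in the output: the From: line points at a harmless third party, while the bottom Received: line shows a dial-up or DHCP host at a particular ISP. That host name is about as far as you can get, and, as the text says, with shared "virtual" ISP equipment even that may not identify a single customer.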
Protection from viruses and worms
Most of this is common sense. You need to take all of these precautions, as different attacks will use different methods. In particular, anti-virus tools are the least effective of all the precautions, although they can be a useful backstop, so if you have not patched your systems and have no firewall, there is little point paying money for an anti-virus tool alone.
Please send comments on this page, or suggested updates, to me (not the list).