Forum FAQ - Viruses and Worms

The topic of email-borne viruses and worms comes up regularly on the Forum, whenever a new one is released. Whilst the concern of Forumites is understandable, this is not really a suitable place to discuss the technical details -- especially not every time the topic comes round! There are loads of other places with more experienced anti-virus folks around on the Net.

This page is an attempt to summarise the main points. I'll keep it updated as new generations of worms are released. Please contact me (not the list) if you have any comments or suggestions to make this page more useful as a starting point for worried Forumites!

Intro

Strictly, viruses, trojans and worms are all different:

Most malicious programs have elements of all three: they might arrive attached like a virus to a legitimate email, pretending to be something the user wants (a new screen saver, or a document, for example), and once installed send themselves out as new emails to new victims automatically. Some are pure worms, jumping directly from computer to computer without using email at all.

In practice, of course, the distinction is a moot point: they all need to be avoided!

Pure worms (e.g. Blaster)

"Blaster" is a worm which spreads directly from one Microsoft Windows system to another, exploiting faults in the Windows mechanisms intended for filesharing and printer sharing. It only directly affects Windows machines, although the additional network traffic on the Internet at large can cause knock-on effects, as everything runs more slowly.

Email-borne worms (e.g. Bugbear)

"Bugbear" is a hybrid worm/virus, which spreads both directly and via email. It only affects Windows machines in any way at all. Even then, it only spreads easily between people using Microsoft email products (Outlook or Outlook Express). Some other email programs (notably Eudora) use various components from Microsoft to display messages, and may therefore also provide the means for the worm to spread, although not so easily.

This group of worms all make use of Windows' "feature" of hiding the file extension of known file types, so that an attachment such as a program file appears to be plain text, or a Word document, or something else innocuous. The icon is usually (but not always) a give-away if you look at it carefully. You are recommended to turn off this feature (on the Folder Options screen in Explorer).
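To make the hidden-extension trick concrete, here is an added example (not part of the original FAQ) of the check a defender's mail filter or a curious user could run over attachment names. It models what Explorer would display with extension hiding switched on, and flags names whose real extension is executable while the visible part looks like a harmless document. The extension lists are constructed for the example and are not exhaustive.

```python
import os
from dataclasses import dataclass
from typing import List

# Extensions Windows will run directly when double-clicked (constructed list, not exhaustive)
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Innocuous-looking extensions that worms like to imitate (constructed list)
INNOCUOUS_EXTENSIONS = {".txt", ".doc", ".jpg", ".gif", ".htm", ".pdf", ".zip"}


@dataclass
class AttachmentCheck:
    filename: str       # name as it appears in the attachment header
    displayed_as: str   # what Explorer shows with "Hide extensions for known file types" on
    real_extension: str # the extension Windows actually acts on (last one, lower-cased)
    executable: bool    # real extension is one Windows will execute
    disguised: bool     # executable, but the visible part ends in an innocuous extension


def displayed_name(filename: str) -> str:
    """Model Explorer's hiding: the final extension of a known type is not shown.
    Only the LAST extension is hidden, so 'report.doc.exe' is shown as 'report.doc'."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTENSIONS | INNOCUOUS_EXTENSIONS:
        return stem
    return filename


def check_attachment(filename: str) -> AttachmentCheck:
    """Classify one attachment name; 'disguised' is the double-extension trick the FAQ describes."""
    _, ext = os.path.splitext(filename)
    ext = ext.lower()
    shown = displayed_name(filename)
    _, shown_ext = os.path.splitext(shown)
    executable = ext in EXECUTABLE_EXTENSIONS
    disguised = executable and shown_ext.lower() in INNOCUOUS_EXTENSIONS
    return AttachmentCheck(filename, shown, ext, executable, disguised)


def disguised_attachments(filenames: List[str]) -> List[str]:
    """Return just the names that would be displayed as something other than a program."""
    return [name for name in filenames if check_attachment(name).disguised]


if __name__ == "__main__":
    # Constructed sample attachment names, typical of what the FAQ's worms send
    sample = ["report.doc.exe", "photo.jpg", "notes.txt.pif", "setup.exe", "README"]
    for name in sample:
        result = check_attachment(name)
        print(f"{name:16} shown as {result.displayed_as:12} "
              f"executable={result.executable} disguised={result.disguised}")
```

The check deliberately looks only at the last extension, because that is the only one Windows acts on; everything before it is just part of the stem, however reassuring it looks.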

As always, the best way to avoid being infected, if you really cannot avoid using vulnerable products, is to configure them not to view attachments or HTML email without an explicit action by you (yet another reason why HTML is banned on the Forum), to disable all active scripting (JavaScript, ActiveX, etc), and to delete messages unread if you are the slightest bit suspicious. If the sender is genuine, and the matter is urgent, they will contact you again. Do NOT attempt just to reply to the suspicious email unless you have an option to reply without including the original message.

Tracing the origin of an email

Discovering who is actually "infected" (so as to warn them, or to take extra care about messages from them) has become increasingly difficult since email worms first came out. The first generation (Melissa and friends) were comparatively simple: the emails had genuine sender addresses (although hitting "reply" would introduce an extra "_" to make sure you were awake), so it was easy to identify the victim.

The next generation started using random email addresses from the host's Outlook address book and message store. This meant that reports of finding the worm, either automated or manual, would tend to go to an innocent third party: whilst this could still be of some forensic value, it also has the danger that the worm would propagate, using the bounce message itself, to a new victim.

More recently this obfuscation has gone one stage further, with random addresses being created from parts of other addresses in the Outlook address book. There is no reason to believe that the sender email address bears any relation at all to the real source, or even exists, so the only appropriate action, unless you feel able to investigate IP addresses and detailed SMTP routing, is to delete the email.

Even viewing the full headers of the emails doesn't always reveal much. Early generations used Outlook's SMTP engine to do the sending, which would insert quite a lot of tell-tale information; the later ones are more sophisticated, and although you can usually tell which ISP the originator uses, even that may not be of much help with so many "virtual" ISPs sharing server equipment nowadays.
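For readers who do feel able to investigate the SMTP routing, here is an added example (not from the original FAQ) of how a defender reads the Received headers. Each mail server prepends its own Received line, so the top line is the most recent hop and the bottom one the earliest; only the lines written by servers you trust are reliable, because anything older could have been written (or forged) by the sending machine. The message, host names, IDs and addresses below are constructed for the example, using documentation address ranges.

```python
import email
import email.utils
import ipaddress
import re
from email.message import Message
from typing import Dict, List, Optional, Set

# Constructed sample message: two hops, then a claimed sender that bears no relation to them
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
    by mail.forum.example (Postfix) with ESMTP id ABC123
    for <member@forum.example>; Tue, 12 Aug 2003 10:04:55 +0100
Received: from dialup-42.isp.example ([198.51.100.42])
    by mx.example.net with SMTP; Tue, 12 Aug 2003 10:04:51 +0100
From: "A Friend" <someone@example.org>
To: member@forum.example
Subject: Re: your document
Content-Type: text/plain

see attached
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def _valid_ip(text: Optional[str]) -> Optional[str]:
    """Return the address if it parses as an IP, else None (guards against junk in brackets)."""
    if text is None:
        return None
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return None
    return text


def _unfold(value: str) -> str:
    """Collapse a folded (multi-line) header value into one line."""
    return " ".join(value.split())


def received_hops(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Received lines in chronological order (earliest relay first), with the
    host each relay claimed to be and the IP the recording server saw."""
    msg: Message = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # header order is newest first
        value = _unfold(value)
        host = FROM_HOST.match(value)
        ip = IP_IN_BRACKETS.search(value)
        hops.append({
            "claimed_host": host.group(1) if host else None,
            "ip": _valid_ip(ip.group(1) if ip else None),
        })
    return hops


def last_trusted_hop(raw_message: str, trusted_hosts: Set[str]) -> Optional[Dict[str, Optional[str]]]:
    """Walk from the newest line backwards while the server that wrote it is one we trust.
    The earliest trusted line names the IP that actually handed the mail to our servers;
    everything older was written by machines outside our control and may be forged."""
    msg = email.message_from_string(raw_message)
    result = None
    for value in msg.get_all("Received", []):  # newest first
        value = _unfold(value)
        by = BY_HOST.search(value)
        if not by or by.group(1).lower() not in trusted_hosts:
            break
        ip = IP_IN_BRACKETS.search(value)
        result = {"recorded_by": by.group(1), "from_ip": _valid_ip(ip.group(1) if ip else None)}
    return result


def sender_address(raw_message: str) -> str:
    """The From: address, which the FAQ explains may be random and unrelated to the real source."""
    msg = email.message_from_string(raw_message)
    return email.utils.parseaddr(msg.get("From", ""))[1]


if __name__ == "__main__":
    print("Claimed sender:", sender_address(SAMPLE_MESSAGE))
    for hop in received_hops(SAMPLE_MESSAGE):
        print("hop:", hop)
    print("Last verifiable hop:", last_trusted_hop(SAMPLE_MESSAGE, {"mail.forum.example"}))
```

In the constructed message the From: address is at example.org, while the earliest hop claims to be a dial-up host at a quite different ISP; that mismatch, not the sender address, is the useful clue. If your own server is the only one in the trusted set, the furthest you can verify is the ISP's relay at 203.0.113.7, which is exactly the "you can usually tell which ISP" limit the FAQ describes.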

Protection from viruses and worms

Most of this is common sense. You need to take all of these precautions, as different attacks will use different methods. In particular, anti-virus tools are the least effective of all the precautions, although they can be a useful backstop, so if you have not patched your systems and have no firewall, there is little point paying money for an anti-virus tool alone.

Do not use vulnerable software

Most attacks only affect Microsoft products. Whilst this is partly due to their huge market share (they are therefore a big target), it is also indisputably true that Microsoft software has more faults in general, and more critical faults, than most other software. If you must use Microsoft products, you must also ensure that they are kept right up to date with all available patches. Check with "Windows Update" at least once a week (preferably daily), enable "Auto-update", and install all critical patches as soon as they are released. Many of these are large downloads, but that is the price for using Microsoft.

Use a firewall

Worms often use faults (or even sometimes documented features) in parts of your system such as file-sharing which should simply not be made available to the outside world. A firewall will prevent unauthorised access to your computer. The best firewalls are those in separate boxes, or built into an ADSL (broadband) router, but if you are on a tight budget software firewalls such as ZoneAlarm are an adequate substitute.

Note that the use of a broadband "always on" connection makes a direct attack more likely, but even dial-up users are vulnerable.

Use email responsibly

Don't open any attachments or emails from people you don't know, but delete them unread. The faking of the sender of modern viruses means even this cannot be foolproof, though. You should always turn off the display of HTML email if your software allows you to (get different software if it doesn't!), and disable all "active content" such as JavaScript or ActiveX.

Use anti-virus tools

If you haven't taken all the other precautions above, don't bother buying an anti-virus package, since by the time the tool detects an attack (if it does) it's too late. If you want to be sure you have covered all bases, by all means add one to your arsenal, but choose carefully: the most highly marketed tools are not necessarily the best. Look for a tool which can be updated daily, and ensure that that happens.

However, be cautious about using an email-scanning tool on your own computer, either as a separate product or as part of an anti-virus package. They do not add any protection beyond what an "on-demand" file-scanning tool affords, and frequently cause new problems such as duplication of normal emails. There is never any point in using an outgoing scanner: most worms will bypass it anyway, and all it achieves is the addition of a meaningless comment appended to all your email, which will irritate everybody else. If your email provider scans mail on their servers (most do), then scanning your incoming mail adds nothing except the increased risk of delayed, lost or duplicated email.

Please send comments on this page, or suggested updates, to me (not the list).
