Protecting Your Windows XP PC from Viruses While You Sleep

Technique

Save Time By
Knowing when you’re probably infected (and when you aren’t)
Protecting your system quickly and thoroughly
Not contributing to the problem
You can lose a lot of time — not to mention a lot of sleep — over viruses. Some of the worries are justified. Many are not. I’ve been working with viruses and antivirus software manufacturers since the first Word macro virus appeared on the scene a decade ago. I was the first person to find a Word 97 macro virus, which was posted on Microsoft’s Web site, by a Microsoft employee, attached to a marketing document. And I’ve been intimately involved in fighting viruses, Trojans, worms, and other nasties up to and including the current “cyberterrorism” phase. Don’t tell anybody, but I’ve even helped Microsoft at times.

You know what I’ve discovered?

Viruses aren’t anywhere near as bad as most people think. Of course, you need to protect yourself by running a good antivirus program, setting up a firewall (you get a decent, but not great, firewall in Windows XP Service Pack 2), and following a few simple rules, which I list in this technique. Network administrators need to stay on their toes to block fast-spreading Internet worms. But for the most part, in spite of what you’ve read in the papers, well-meaning people trying to fight viruses have done more harm than the viruses themselves have ever caused.
If you want to save time, set up an antivirus program following the rules I give in this technique, get Windows Firewall cranked up (Technique 50) or, better yet, replace it (Technique 51), and then get on with your life.


Understanding Viruses

So much bad information about viruses is floating around the Internet that it’s a wonder anybody gets any work done. Before I look at what a virus is, it may be worthwhile to take a look at what a virus isn’t. Have you ever received an e-mail message that looks like this?
The objective of this e-mail is to warn all Hotmail users about a new virus that is spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the Messenger and by the address book too.
The virus is not detected by McAfee or Norton and it stays quiet for 14 days before damaging the system. . . .
IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO ALL OF YOUR CONTACTS LOCATED IN YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.
That message has circulated for years in more than a dozen languages. jdbgmgr has been blamed for everything from crashing Microsoft Office programs to scrambled hard drives to slow Internet connections to psoriasis. I’ve heard PC salesmen claim that they couldn’t accept a faulty returned PC because it was “infected” with jdbgmgr.
jdbgmgr.exe isn’t a virus. It’s a normal part of Windows: You probably have it on your system. The message is a hoax, passed on by (usually) well-intentioned people who simply haven’t got a clue.
The point? You can waste a lot of time (and money!) fretting over viruses that don’t exist. Spend a few minutes now learning the telltale signs of a virus, and you can laugh at messages like the jdbgmgr hoax.

Dissecting a virus

A computer virus is a program that replicates. That’s all. Viruses generally replicate by attaching themselves to files — programs, documents, spreadsheets — or replacing “genuine” operating system files with bogus ones. They usually make copies of themselves whenever they’re run. Even relatively benign viruses can sap your time by bloating your files and making your computer do strange things. Most embarrassingly, viruses can take up enormous amounts of time if you send an infected file to someone else and have to warn the person (or, worse, the organization) after the fact.
You probably think that viruses delete files or make programs go belly-up or wreak havoc in other nefarious ways. Some of them do. Many of them don’t. Viruses sound scary, but they really aren’t. Most viruses have such ridiculous bugs in them that they don’t get very far “in the wild.”
Trojans (occasionally called Trojan horses) may or may not be able to reproduce, but they always require that the user do something to get them started. The most common Trojans these days appear as e-mail attachments: You double-click an attachment, expecting to open a picture or a document, and you get bit when some program comes in and clobbers your computer, frequently sending out a gazillion messages, all with infected attachments, without your knowledge or consent.
Worms move from one computer to another over a network. The worst ones replicate very quickly by shooting copies of themselves over the Internet, taking advantage of holes in the operating systems (all too frequently Windows).
Collectively, viruses, Trojans, and worms are known as malware. While some malware can carry bad payloads — programs that wreak destruction on your system — many of the worst offenders cause the most harm by clogging networks (nearly bringing down the Internet itself, at times), and by turning PCs into zombies, which can be operated by remote control.
If your PC is turned into a zombie, the cretin who infected you may be able to retrieve data from (or destroy data on) your computer. Surprisingly, though, most zombie puppet-masters aren’t interested in personal data. Some of them make money by mining e-mail addresses from subverted machines, selling the addresses to spammers. Many of them, though, wait until they can get a bunch of subverted machines to work in unison, bombarding a Web site with so many “hits” that the site shuts down. That’s the genesis of the so-called Distributed Denial of Service attack, a technique that has brought down more than a few controversial sites. Most recently, zombies have been used to send out tons of spam, with the spammers lining the pockets of the puppet masters. ‘Tis a brave new world, eh?
All these definitions are becoming more academic and less relevant, as the trend shifts to blended-threat malware. Blended threats incorporate elements of all three traditional kinds of malware — and more. Most of the most successful “viruses” you read about in the press these days are, in fact, blended-threat malware. They’ve come a long way from old-fashioned viruses.

The first really big virus

The world changed when John McAfee appeared on the Today Show in March, 1992, and told Bryant Gumbel that the Michelangelo virus infected more than a million PCs. One week later, the PC world was supposed to end. All the major wire services ran alarming predictions — millions of dollars were forecast to be lost in the wake of the largest computer virus of all time.
The Big Day arrived and . . . nothing. A few thousand systems got clobbered, here and there, but Michelangelo turned into a dud of astonishing proportions. McAfee made millions. The wire services fell silent. We all got huckstered. Does history repeat itself in Internet time?
By and large, malware works in rather predictable ways:
By infecting legitimate program files or floppies: These old-fashioned methods of replicating have all but disappeared because people rarely pass around program files or floppies anymore.

By infecting documents: This type of transmittal works when a user opens an infected document. Other documents on the user’s PC become infected. When the user sends copies of those documents to others, the recipients’ machines can become infected, too. It’s a slow and haphazard approach that’s on the wane because antivirus programs have improved enormously and because Microsoft has built antivirus hooks into the Office programs. Whenever you open a file in a recent version of Office, your antivirus program scans the file before the program (Word, Excel, whatever) even touches it.
By automatically sending copies of infected documents to others: That’s how Melissa (1999) works. If you open a Melissa-infected document in Word, Melissa automatically sends infected documents attached to e-mail messages destined to the first 50 people in your address book. Melissa was so successful that network administrators at hundreds of large installations — including Microsoft and Intel — pulled their networks offline (in some cases, for days). Melissa doesn’t have a destructive payload, but it completely brought down e-mail communication in many companies.
By sending copies of itself attached to e-mail messages: ILOVEYOU (2000) arrives attached to an innocuous-looking message that says kindly check the attached LOVELETTER coming from me. Anyone using Outlook or Outlook Express who double-clicks the attached file, LOVE-LETTER-FOR-YOU.TXT.vbs, unleashes the worm, which immediately sends copies of itself to everyone in the infected user’s address book. It also overwrites files. Ford, the Jet Propulsion Lab, the Space Center in Houston, and even the British Parliament were knocked out by ILOVEYOU. Bill Gates once joked that he received infected messages from people who should know better.
The Anna Kournikova virus (early 2001) works much like ILOVEYOU. It arrives as an e-mail attachment called AnnaKournikova.jpg.vbs. If you double-click the attachment, copies of the worm are sent to everyone in your address book. One big difference with Anna: It was written with a virus construction kit, readily available on the Web.
By sending copies of itself via e-mail and directly infecting other computers on the local network: Klez (Spring 2002) is a multi-attack opportunist of this ilk. It sends copies of itself attached to e-mail messages addressed to everyone in your address book. For good measure, sometimes Klez retrieves a legitimate file from the infected computer and sends it along with the program itself. (Highly embarrassing!) Klez also spoofs the From: address (puts a completely bogus return address on the message) by scanning the address book and sticking randomly selected e-mail addresses in the From: line. At the same time, Klez infects other PCs on the local network by dropping copies of itself in network-accessible folders. The copies have random names, so people using other computers on the network might run Klez accidentally, thinking that they’re running some different program. MyDoom (2004) also spreads as an e-mail attachment.
Your best defense is to buy a good antivirus package. Downloading one from the Web takes less than 30 minutes. Setting it up takes another 30 minutes, tops. For an hour’s investment, you can save days and days of clean-up.
By attacking computers connected directly to the Internet: The brave new world of attacks involves worms, such as Code Red (Summer 2001) and Slammer (early 2003), that aggressively look for vulnerable PCs that are directly connected to the Internet. Humans are no longer part of the infecting vector — these worms are completely self-propelled, scanning randomly generated IP addresses. (Code Red 2 goes one step further by focusing most of its attacks on nearby networks, presumably inside a corporate firewall.) Microsoft’s own Hotmail servers were brought down by Code Red, which exploited a known, fixed problem with Microsoft’s Internet Information Server. (Yes, Microsoft forgot to patch its Hotmail servers.) Slammer took out SQL Server installations. Many PC users have a SQL Server on their machines, disguised as a product called MSDE. Sobig, Blaster, and Sasser (2003-4) also ran across wide swathes of unpatched Windows systems.
Code Red took about 12 hours to infect most of its intended victims. During the first minute of its existence, Slammer doubled the number of infected systems every 8.5 seconds. Slammer took about 10 minutes from the moment it was unleashed to infect most of its victims. In fact, the single greatest barrier to Slammer’s propagation was the Internet’s near-meltdown due to Slammer’s fast propagation.
Fast-propagating worms on the Internet are nothing new — the Computer Emergency Response Team (CERT) was initially formed largely in response to Robert Morris’ worm, which essentially brought down the Internet in late 1988.
I think it’s pretty obvious that the future of viruses, worms, and Trojans lies in these automated direct attacks. Enough do-it-yourself virus-authoring kits are available that the script kiddies will keep churning out classic viruses — so it’s more important than ever that you use a good antivirus program. But the real killer problems for Windows users will come from previously unidentified or poorly patched security holes in Windows, Windows servers, Internet Information Services, Exchange Server, SQL Server, and the like. Other than setting up a firewall, you can’t do much about those. Your network administrator gets stuck holding the ball.

Discerning whether your PC’s infected

So how do you know if you’re infected?

The short answer is this: Many times, you don’t. If you think that your PC is infected, chances are very good that it isn’t. Why? Because malware these days doesn’t usually cause the kinds of problems people normally associate with infections.

That said, here are a few telltale signs that might mean that your PC is infected:

Someone tells you that you sent him an e-mail message with an attachment — and you didn’t send it. In fact, most e-mail malware these days is smart enough to spoof the From: address, so any infected message that appears to come from you probably didn’t. Still, some dumb old viruses that aren’t capable of hiding your e-mail address are still around. And if you get an infected attachment from a friend, chances are good that both your e-mail address and his e-mail address are on an infected computer somewhere. Six degrees of separation and all that . . .
If you receive an infected message, look at the header to see whether you can tell where it came from. In Outlook, open the message and then choose View, then Options. A box at the bottom may (or may not!) tell you who really sent the message (as shown in Figure 49-1).
• Figure 49-1: I blurred the identity of this sender who may have been a victim himself.
If you suddenly see files with two filename extensions scattered around on your computer, beware. Filenames, such as kournikova.jpg.vbs (a VBScript file masquerading as a JPG image file) or somedoc.txt.exe (a Windows program that wants to appear to be a text file), should send you running for your antivirus software.
Always, always, always have Windows show you filename extensions. See Technique 20.
Your antivirus software suddenly stops working. If the icon for your antivirus product disappears from the notification area (near the clock), something killed it — and chances are very good that the culprit was a virus.
Your Internet connection slows to a crawl. Even worse than usual.
What to do next
If you think that you’re infected, follow these steps in order:
1. Don’t panic.
Chances are very good that you’re not infected.
2. Update your antivirus software with the latest signature file from the manufacturer’s Web site; then run a full scan of your system.
If you don’t have an antivirus package installed, run — don’t walk — to your nearest computer store and beg for mercy from the PC protection gods.
3. If your antivirus software doesn’t identify the problem, go to the manufacturer’s main page and see if it has a warning.
Table 49-1 gives the Web addresses for the major antivirus software manufacturers. Note that some sites may have news posted hours before other sites — but it’s impossible to tell in advance which will get the story first.
4. Check securityresponse.symantec.com/avcenter/hoax.html or us.mcafee.com/virusInfo/default.asp?id=hoaxes to see if you’re the victim of a hoax.
Many of the hoaxes floating around these days sound mighty convincing. Save yourself a lot of embarrassment by ensuring that you’re not being pulled by the leg.
5. If you still can’t find the source of the problem, follow the instructions on your antivirus software manufacturer’s home page to submit a new virus.
If you’re the first to report a new virus, you’re so cutting edge.
6. Do not — repeat — do not send messages to all of your friends advising them of the new virus.
Messages about a new virus can outnumber infected messages generated by the virus itself — in some cases, causing more havoc than the virus itself. Try not to become part of the problem. Besides, you may be wrong.
Table 49-1: Major Antivirus Software Vendors

Product | Company | Breaking News Web Site
AVG Anti-Virus | GRISoft | www.grisoft.com
F-Secure Antivirus | F-Secure | www.f-secure.com/virus-info
Kaspersky Antivirus | Kaspersky Lab | www.kaspersky.com
McAfee VirusScan | Network Associates | us.mcafee.com/virusInfo/default.asp
Norton AntiVirus | Symantec | securityresponse.symantec.com
Panda Antivirus | Panda | www.pandasecurity.com
Trend PC-cillin | Trend Micro | www.antivirus.com/vinfo

In recent years, I’ve come to view the mainstream press accounts of virus and malware outbreaks with increasing, uh, skepticism. The antivirus companies are usually slower to post news than the mainstream press, but the information they post tends to be much more reliable. Not infallible, mind you, but better. We also cover security problems at Ask.com.

Protecting Yourself — Quickly

Every Windows XP user needs to follow five simple things to guard against viruses, worms, Trojans, and the like:
Buy, install, update, and religiously use one of the major antivirus packages listed in Table 49-1 (earlier in this chapter).
It doesn’t matter which package you use, but you need one.
I recommend AVG Anti-Virus to my penny-pinching friends (of which I seem to have many). It’s a solid, frequently updated, easy-to-use program that also happens to be free for private, non-commercial, single home computer use. Go to www.grisoft.com, and look for the AVG Free Edition. Bet you’ll be pleasantly surprised.

Force Windows to show you filename extensions.

Microsoft’s decision to have Windows hide filename extensions — the letters at the end of a filename, such as .doc or .vbs — reeks of trying to put the toothpaste back in the tube. It’s a dangerous design mistake that you can fix by following the steps in Technique 20.
The important letters in a filename’s extension are the ones following the last period. abc.gif.bat is a batch file that runs if you double-click it. Similarly, def.doc.vbs is a VBScript program — not a Word document — that also runs immediately.
After you can see filename extensions, watch out for the ones in Table 49-2.
If you double-click a file with one of those extensions, it runs immediately, with potentially disastrous results.
Yes, it’s true: JPEG files (that is, files with the filename extension .JPG) can include potentially harmful programs. How can picture files turn into malicious programs? Because Microsoft screwed up. Again. Dozens of Microsoft programs mishandle JPG files, and the result can be devastating. You need to patch them all. See www.microsoft.com/security/bulletins/200409_jpeg.mspx for details.
Never open or run a file attached to an e-mail message until you (a) contact the person who sent you the message and verify that he or she specifically sent you the file and (b) save the file on your hard drive, update your antivirus software’s signature file, and run your antivirus software on the file.
Infected e-mail attachments are the single most common source of infection at the moment. And it’s 100 percent preventable.
Don’t rely on the Windows Security Center (shown in Figure 49-2) to tell you if your anti-virus software is up to date. Sometimes the Security Center doesn’t get the right message from the antivirus software, and sometimes the antivirus software doesn’t toss out a warning in time. If you have a file to scan — specifically, a file that is attached to an e-mail message — take the time to update your antivirus software’s signature file before you scan the file.
• Figure 49-2: The Windows Security Center doesn’t always get the straight story on when an antivirus program is up to date.
If you get an e-mail message warning you about a virus, don’t forward it.
You’re only contributing to the problem even if the warning is valid (and it rarely is; see the next section). If the problem sounds dire, find a reference on one of the sites mentioned in Table 49-1 (earlier in this chapter) and then call your friends and tell them to look at the site. That way, they not only get the real story (plus or minus an editorial quirk or three), they also stay informed about new tools to solve the problem.
Follow those five things and you not only help yourself, you help all your coworkers, friends, and colleagues as well.
Table 49-2: Filename Extensions for (Potentially Unsafe) Program Files

.ade .adp .asx .bas .bat
.chm .cmd .com .cpl .crt
.exe .hlp .hta .inf .ins
.isp .jpg .js .jse .lnk
.mda .mdb .mde .mdt .mdw
.mdz .msc .msi .msp .mst
.ops .pcd .pif .prf .reg
.scf .scr .sct .shb .shs
.url .vb .vbe .vbs .wsc
.wsf .wsh
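The rule in this section (only the letters after the last period matter) and the extension list in Table 49-2 are easy to check mechanically. The following is an added example, not code from the book: it classifies filenames the way the chapter tells you to do by eye, flagging anything whose final extension is a program type and calling out the double-extension trick (kournikova.jpg.vbs) separately. The sample filenames at the bottom are constructed from the chapter’s own examples.

```python
import os

# Extensions from Table 49-2, lower-cased and without the leading dot.
UNSAFE_EXTENSIONS = {
    "ade", "adp", "asx", "bas", "bat", "chm", "cmd", "com", "cpl", "crt",
    "exe", "hlp", "hta", "inf", "ins", "isp", "jpg", "js", "jse", "lnk",
    "mda", "mdb", "mde", "mdt", "mdw", "mdz", "msc", "msi", "msp", "mst",
    "ops", "pcd", "pif", "prf", "reg", "scf", "scr", "sct", "shb", "shs",
    "url", "vb", "vbe", "vbs", "wsc", "wsf", "wsh",
}

# Extensions people expect to be harmless data; a program extension hiding
# behind one of these is the masquerade the chapter warns about.
DATA_LOOKALIKES = {"txt", "doc", "jpg", "gif", "pdf", "xls", "htm", "html"}


def split_extensions(filename):
    """Lower-cased extension parts, e.g. 'AnnaKournikova.jpg.vbs' -> ['jpg', 'vbs'].
    A bare name (or a leading-dot name such as '.hidden') yields an empty list."""
    base = os.path.basename(filename).lower().lstrip(".")
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def assess(filename):
    """Return (verdict, reason).

    verdict is one of:
      'safe'        final extension is not a program type
      'program'     final extension runs on double-click (Table 49-2)
      'masquerade'  a program extension hiding behind a data-looking one
    Only the part after the LAST period decides what Windows will run.
    """
    exts = split_extensions(filename)
    if not exts:
        return "safe", "no extension"
    final = exts[-1]
    if final not in UNSAFE_EXTENSIONS:
        return "safe", "." + final + " is not a program type"
    if len(exts) >= 2 and exts[-2] in DATA_LOOKALIKES:
        return "masquerade", "." + final + " program pretending to be a ." + exts[-2] + " file"
    if final == "jpg":
        # .jpg is in Table 49-2 only because of the September 2004 JPEG
        # handling bug the chapter links to; the fix is to patch the viewers.
        return "program", ".jpg needs the JPEG patch before opening"
    return "program", "." + final + " runs immediately when double-clicked"


def scan_names(filenames):
    """Return only the names that deserve a second look, with verdict and reason."""
    findings = []
    for name in filenames:
        verdict, reason = assess(name)
        if verdict != "safe":
            findings.append((name, verdict, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample: the chapter's own examples plus a few benign names.
    sample = ["AnnaKournikova.jpg.vbs", "somedoc.txt.exe", "LOVE-LETTER-FOR-YOU.TXT.vbs",
              "abc.gif.bat", "budget.xls", "readme.txt", "holiday.jpg", "setup.exe"]
    for name, verdict, reason in scan_names(sample):
        print(f"{verdict:10} {name:30} {reason}")
```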

Avoiding Hoaxes

Tell me if you’ve heard this one:
NEW VIRUS — THIS IS SERIOUS Please take note . . . If you receive an e-mail titled “PLEASE HELP POOR DOG. Win A Holiday” DO NOT OPEN IT ! ! ! It will erase everything on your hard drive. Forward this letter to as many people as you can. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from Microsoft; please share it with everyone who might access the Internet.
WARNING If you receive an e-mail titled “It Takes Guts to Say ‘Jesus,’ DO NOT OPEN IT. It will erase everything on your hard drive. This information was announced on 21 April by IBM stating that this is a very dangerous virus, much worse than Melissa, and that there is NO remedy for it at this time.
PLEASE READ THE MESSAGE BELOW !!!!!!!!!!!!! Some miscreant is sending e-mail under the title “Good Times” nationwide; if you get anything like this, DON’T DOWNLOAD THE FILE! It has a virus that rewrites your hard drive, obliterating anything on it. Please be careful and forward this mail to anyone you care about.
URGENT! VIRUS! This information arrived this morning, from Microsoft and Norton. Please send it to everybody you know who accesses the Internet. You may receive an apparently harmless e-mail with a PowerPoint presentation called Life is beautiful.pps. If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES, and delete it immediately. If you open this file, a message will appear on your screen saying: “It is too late now, your life is no longer beautiful,” and subsequently you will LOSE EVERYTHING IN YOUR PC. The person who sent it to you will gain access to your name, e-mail, and password.
It continues to amaze me how many people forward messages like that. But every day, hundreds of millions of copies of hoax virus warnings and chain letters clog the Internet.
No, Bill Gates can’t keep track of who you send e-mail to — and he certainly won’t give you $10 each time you click the Forward button. No, the postal service isn’t about to impose a fee for using e-mail. No, you won’t have your hard drive erased if you view a message entitled WTC Survivor.

Here’s how to spot a hoax:

Unless the message is an official release from a recognized source — say, a Microsoft Security Bulletin, a Symantec Virus Alert, a CERT Advisory, or a news story from AP or Reuters — there’s at least a 90 percent chance that you are looking at a hoax.
If one single exclamation point is in the entire message, or more than one word is in ALL CAPS, or it has more than one or two misspellings, or if it warns in breathless terms about all the data on your disk being destroyed, it’s a hoax. Bet on it.
If the message refers to a legitimate source — say, the Bugtraq news list or Microsoft or Norton — but doesn’t quote directly from the source, it’s either a hoax or so hopelessly garbled that you don’t stand a chance of understanding the real problem.
Microsoft doesn’t distribute files by e-mail. If you get a file attached to a message that purports to be from Microsoft, it isn’t. Chances are good you have a hoax message, with a real virus attached.
If it’s too good to be true . . . well, you know the rest of the saying.
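The spotting rules above (exclamation points, ALL CAPS, breathless data-loss warnings, a named source that isn’t actually quoted) can be turned into a simple scorer. This is an added example, not from the book: it applies those rules, plus the “forward this to everyone” plea that every sample hoax on this page contains, to two constructed messages. The misspelling rule is omitted (it needs a dictionary), and treating “names a source but gives no link” as “cites without quoting” is my approximation, not the chapter’s wording.

```python
import re

# Constructed samples: one hoax paraphrased from the chapter, one sober note.
HOAX_DOG = (
    "NEW VIRUS - THIS IS SERIOUS Please take note . . . If you receive an "
    "e-mail titled \"PLEASE HELP POOR DOG. Win A Holiday\" DO NOT OPEN IT ! ! ! "
    "It will erase everything on your hard drive. Forward this letter to as many "
    "people as you can. This information was announced yesterday morning from "
    "Microsoft; please share it with everyone who might access the Internet."
)
LEGIT_NOTE = (
    "Symantec has posted an advisory about a new worm at "
    "securityresponse.symantec.com. Please update your signature file and run "
    "a full scan before opening any attachments."
)

DOOM_PHRASES = ("erase everything", "rewrites your hard drive", "obliterating",
                "lose everything", "no remedy", "destroy")
CHAIN_PHRASES = ("forward this", "send it to everybody", "send this message",
                 "share it with everyone", "anyone you care about")
NAMED_SOURCES = ("microsoft", "ibm", "norton", "symantec", "mcafee", "cert", "bugtraq")
# Capitalised names that are not shouting.
ACRONYMS = {"IBM", "CERT", "MSN", "AOL", "PC", "WTC", "CIAC", "AP"}
LINK_RE = re.compile(r"https?://|www\.|\.(?:com|org|net|gov)\b", re.I)


def shouted_words(text):
    """Words of two or more letters written entirely in capitals, minus acronyms."""
    return [w for w in re.findall(r"\b[A-Z]{2,}\b", text) if w not in ACRONYMS]


def hoax_signals(text):
    """Return the list of hoax indicators found in a virus-warning message."""
    low = text.lower()
    signals = []
    bangs = text.count("!")
    if bangs:
        signals.append(f"{bangs} exclamation point(s)")
    caps = shouted_words(text)
    if len(caps) > 1:
        signals.append(f"{len(caps)} words in ALL CAPS")
    if any(p in low for p in DOOM_PHRASES):
        signals.append("breathless warning that your data will be destroyed")
    cited = [s for s in NAMED_SOURCES if re.search(r"\b" + s + r"\b", low)]
    # Approximation: a real bulletin links to itself, so a name-drop with no
    # link at all is treated as "refers to a source but doesn't quote it".
    if cited and not LINK_RE.search(text):
        signals.append("cites " + ", ".join(cited) + " without linking to the source")
    if any(p in low for p in CHAIN_PHRASES):
        signals.append("asks you to forward it to everyone")
    return signals


def is_likely_hoax(text):
    """The chapter's rule is strict: any single signal means hoax, bet on it."""
    return bool(hoax_signals(text))


if __name__ == "__main__":
    for label, msg in (("poor dog", HOAX_DOG), ("vendor note", LEGIT_NOTE)):
        print(label, "->", "HOAX" if is_likely_hoax(msg) else "looks genuine")
        for s in hoax_signals(msg):
            print("   ", s)
```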

Do yourself a favor. If you get junk like this:

Don’t forward it. Forwarding hoaxes does not endear you to most folks. Forwarded hoaxes are indistinguishable from spam. Spam’s bad enough without turning it into a cottage industry.
Check out a site such as Rob Rosenberger’s Virus Myths page, www.vmyths.com, or CIAC’s Hoax-busters, hoaxbusters.ciac.org, and see if you’re looking at a known hoax. If you are, write to the person who sent the hoax to you and tell him about it.
Even if you get a real message warning about a real virus, don’t forward it. You only add to the damage caused by the virus — and the information you send may be out of date. As I explained in the preceding section, the best way to handle a real warning about a real virus is to find a reliable Web site that’s reporting on the infection. Then pick up the phone, call your friends, and tell them about the site. That way you don’t add to the volume of e-mail that the virus generates, and you make sure that your friends get the latest, best information from an authoritative source.
That saves your time. It saves their time. And you don’t contribute to the volume of e-mail.
