The magazine of the Melbourne PC User Group

Defensive Computing
How To Protect Yourself From Virus Infection
Michael Mullerworth

Internet Explorer Updates

Some e-mail programs are particularly targeted by virus writers, eg. Outlook and Outlook Express. These are vulnerable because of their close association with Internet Explorer (IE). When you look at an HTML message in the preview pane or open message window you're actually looking at a browser window. So any vulnerability of Internet Explorer is inherited by the e-mail program. Internet Explorer can be "patched", but if you don't install the patches, simply changing to Netscape, Opera, Eudora, or The Bat as your e-mail client will not protect you if you retain the vulnerable copies of Internet Explorer on your computer.

Accessing mail on the Web, as with Hotmail and Yahoo Mail, exposes the same loophole. Most users do not try to uninstall Internet Explorer (though it is possible), so the recommended updates and patches should be installed; otherwise the susceptibility remains. The current recommendation is to upgrade to Internet Explorer 6.x on later versions of the Windows operating system (it cannot be installed with Windows 95). Once IE 6 is installed, you don't necessarily have to use it.
See: http://www.microsoft.com/windows/ie/downloads/ie6/default.asp

The IE 6 installation should be Typical or Full, not Minimal or Custom.

All versions of Internet Explorer require updates or patches. This can be done by clicking Tools and then Windows Update with Internet Explorer open, and installing the critical and recommended updates. Do this regularly, unless you are already being advised about new updates. To search for yourself, see the following sites. Many members will be using IE 5.0, 5.01 or 5.5 with Windows 95.
 
All IE updates can be found at http://www.microsoft.com/windows/ie/downloads/critical/ or http://www.microsoft.com/windows/ie/default.asp.
 
All versions of IE prior to and including 5.01SP1 can be upgraded with IE5.01SP2 at: http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp

The latest 15 May 2002 Cumulative Patch for Internet Explorer (Q321232) can be found at: http://www.microsoft.com/windows/ie/downloads/critical/Q321232/default.asp and details can be read at: http://www.microsoft.com/technet/security/bulletin/ms02-023.asp

Good Habits

Never open e-mail attachments, or at least never open them without first scanning them with an up-to-date antivirus program (AVP). You may choose to open only those attachments which you have requested from someone (and you should scan those too). Regard all unsolicited mail and forwarded messages as suspicious (even if forwarded from someone you know). Beware of persuasive messages with strange headings, or invitations that promise rewards or excitement. When you receive an image file, don't double-click on the attachment. Open the image viewing application first (eg. Irfanview) and then open the image from within the viewing program. Don't trust the icons or file extensions on attachments; they may be deliberately falsified to mislead you into opening a file which seems harmless. Try to get all document files sent to you in Rich Text Format (*.rtf), or disable macros in Word.
 
Show All File Extensions

Configure Windows to always show file extensions. From the Windows Explorer menu Tools|Folder Options, uncheck "Hide File Extensions For Known File Types". Then it will not be possible for an EXE or VBS file to masquerade as a TXT or JPG file. And never open attachments with extensions VBS, SHS, or PIF, which are almost never used in normal attachments. Also, do not open attachments with double file extensions, like NUDE.JPG.EXE or NAME.DOC.PIF.
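The two filename rules above can also be applied automatically to a message's attachments. The following Python sketch is an added example, not part of the original article; the function names are illustrative, and the extension lists contain only the types named in this article, so treat them as a starting assumption to extend.

```python
from email.message import EmailMessage

# Extensions the article says never to open, plus EXE from its examples.
BLOCKED = {"vbs", "shs", "pif", "exe"}
# Harmless-looking extensions the article names as disguises (an assumption
# to extend for your own mail).
DECOYS = {"txt", "jpg", "doc"}


def check_filename(name):
    """Return a list of reasons the attachment name is suspicious."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    parts = name.strip().rstrip(". ").lower().split(".")
    exts = [p.strip() for p in parts[1:] if p.strip()]
    reasons = []
    if not exts:
        return reasons
    if exts[-1] in BLOCKED:
        reasons.append("blocked extension ." + exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOYS:
        reasons.append("double extension ." + exts[-2] + "." + exts[-1])
    return reasons


def scan_message(msg):
    """Map each attachment filename in an EmailMessage to its findings."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings[name] = check_filename(name)
    return findings


def build_sample():
    """Constructed sample message; attachment contents are placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("NUDE.JPG.EXE", "NAME.DOC.PIF", "notes.rtf", "holiday.jpg"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons) or "no findings")
```

A name with no findings is not proof that the file is safe; the attachment should still be scanned before it is opened.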

Disabling the Preview Pane
 
In Outlook and Outlook Express, both "Auto preview" and "Preview" can enable activation of a virus in a message being viewed in the pane (see the explanation under IE updates above). In other words, if the message is highlighted (and one message in the list always is), it will open in the Preview Pane without being clicked. This is a useful feature that many do not wish to disable. It need not be disabled if your antivirus software is kept up to date and the appropriate updates have been installed.

To disable the preview pane:
In Outlook Express 97, from View|Layout uncheck (remove the tick from) "Show preview pane".
In Outlook 97, from View|Define Views tick "messages" and not "messages with auto preview".

Preview Your Mail On The Mail Server
 
You can avoid having to download your mail before you read it. Programs that preview mail on the mail server let you delete any unwanted mail and any suspicious messages, but they usually do not display attachments. There are free programs such as Scanmail, available from http://www.kempston.demon.co.uk/smb/. For a description of Scanmail see: http://www.melbpc.org.au/pcupdate/2009/2009article9.htm.
 
A similar program is Mailcall, see: http://www.simtel.net/pub/pd/47308.html or http://downloads-zdnet.com.com/3000-2369-10059050.html.

Another is MailWasher, which also enables you to set bounce back criteria for lists where unsubscribe proves difficult. MailWasher works with all e-mail programs except those that are Web based such as Hotmail, Yahoo and AOL. It can be found at http://www.tudogs.com/surftools3.php3.
 
Or you can go to the Melb PC Message Of The Day (MOTD) page http://hww.melbpc.org.au/motd/ and from there click the "Check Your Mail" link on the right side. Then enter your username and password and login. Here (in Webmail) you can see the size of your mailbox, read, send, and delete messages (a few at a time), but you cannot download them.

Review Security Settings

In Internet Explorer, go to Tools|Internet Options|Security, select "Internet", and check that Custom Level is set to "Medium".
 
In Outlook Express, from Tools|Options|Security set the level to "Restricted Sites Zone" and tick "Warn Me If Other Applications Try To Send Mail As Me".

Other Sources of Infection

Be aware that other viruses can reach you via infected files on floppy disks or CD-ROMs, in files downloaded from the Internet (including newsgroups), or exchanged via IRC, ICQ, etc. (for example, see: http://www.irchelp.org/irchelp/security/trojan.html), and by simply browsing some Web pages. This includes reading messages in Hotmail, Yahoo Mail, and AOL. So an up-to-date AVP with "Resident" protection is essential.


Figure 1. Security Settings for Internet Explorer.

Resident Protection Must Be Enabled To Be Effective

This is antivirus protection which is activated when the computer is started, and then remains "on watch" in the background. Most resident programs will watch for executable file types, detecting them when they are downloaded or copied, or when a file is opened. Some, but not all, will scan e-mail for viruses (usually incoming mail). But some viruses are programmed to disable the resident component of some AVPs. Any AVP installed on your computer is useless if it is deactivated.

Sometimes you might deliberately disable the AVP to prevent it interfering with another program, eg. while running Windows DEFRAG, or it may be turned off while installing a new software program, and you may forget to turn it on again. Always check to see that resident protection is enabled, usually by right-clicking the AVP icon (in the System Tray at the lower right hand corner of your computer screen), and selecting "Status" or a similar option, or by opening the program and checking Options, or a similar button or menu item. Figure 2 shows the status screen for Vet.


Figure 2. Example of Resident Virus Scan Settings (Vet)

Firewalls

Another line of defence is a firewall such as ZoneAlarm (http://www.zonelabs.com), which will give added protection; but it is important to understand its actions and behaviour. For more information, see www.melbpc.org.au/pcupdate/2205/2205article5.htm.

For either resident protection or a firewall to be effective and trouble-free, each must be properly configured. Read the instructions carefully.

Subscribe to a (Free) Antivirus Newsletter 

Stay informed! This will get you virus alerts, details of new viruses and hoaxes, tips, and much useful information. This includes descriptions of how to recognise suspicious mail headers and message wording. Newsletters are available from any of the major antivirus program vendors, eg. http://www.sophos.com/virusinfo/notifications, or http://www.antivirus.com/subscriptions/default.asp

Visits to their Web sites will also yield much useful information, eg. http://www.vet.com.au/ or http://www.symantec.com/avcenter/ or http://www.europe.f-secure.com/v-descs/.

Update Your Antivirus Today!

Reprinted from the June 2002 issue of PC Update, the magazine of Melbourne PC User Group, Australia
