Virus making the rounds

Jamie geophyte@sbcglobal.net
Tue, 27 Jan 2004 22:22:26 PST
At 09:49 AM 1/27/2004 -0800, you wrote:
>Please everyone get virus protection and never open attachments that you 
>have any questions about. Beware of any emails you receive that have 
>attachments with these extensions:
>.bat, .cmd, .pif, .exe, .scr, .zip

Dear all,

My resident better half and technical expert has provided a few comments 
regarding attachments.

Due to recent 'improvements' in the Windows operating systems, it is now 
possible for filenames to have 256 characters. Also, many previously 
'illegal' filename characters are now allowed, and Windows operating 
systems default to a setting which makes file extensions invisible to the 
user. Because of these factors, it is no longer safe to classify email 
attachments by filename, because there are many ways to 'spoof' a harmless 
looking file extension.

For example, we received an attachment today consisting of a normal Zip 
file archive, containing a file named:

readme.txt 
.scr

This malicious screensaver file (identified by the true extension '.scr' 
seen far to the right) will show up simply as readme.txt in the Windows 
Explorer and most other dialog boxes in the Windows system, unless the user 
is extremely observant. This is an example of a very simple, low-level name 
spoof -- there are schemes in circulation which are much more sophisticated.

>Unless you have requested something and the email is in response to that 
>or you have downloaded something you wanted from the Internet it seems 
>wise never to open any attachment with these extensions just as a 
>precaution. And remove the message and the attachment from your computer 
>without opening it. We have also written code so files with these 
>attachments cannot be uploaded to the wiki.

Since most new viruses and worms will harvest email addresses from the 
victim's email address book, or the victim's stored email, it is likely 
that you will receive harmful attachments from (apparent) 'friendlies'.

Anti-virus programs are not an effective panacea, since, on the average, it 
takes at least two weeks for anti-virus software writers to incorporate 
filters for a new virus into their software. The screensaver I received 
today checks out as 'safe' with all of our current anti-virus programs; 
however, there is no doubt in my mind that it is some sort of malicious 
software, and it will be correctly identified as such in the next software 
update.

If you absolutely must test a suspicious attachment, there is one safe way 
to open and check it. Right-click on the attachment link and save the 
file to the hard drive. Open the Windows Explorer, navigate to the folder 
with the attachment, and right-click on the filename. A menu will appear. 
If one of the menu choices is 'Open with', select that option, and you will 
be presented with a short list of applications that your system normally 
uses to open that type of file. Choose the application which is appropriate 
for the type of file it appears to be. For instance, if the file is 
masquerading as an image file (.gif or .jpg), select your image viewer or 
editor to open the file. Using this technique, the questionable file will 
always be treated as data, and opened WITHIN an application, but not 
executed on your system. If the file is bogus, the chosen application will 
generate some sort of error, but the file will not be able to run, or 
damage your system.

If, after right-clicking on the filename, you do NOT see "Open with", but 
only see choices like 'Open', 'Run', 'Test', 'Configure' or 'Install', it 
is some sort of executable file and you should probably delete it.

Best regards,
Jamie
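
An added example, not part of the original message: a small Python check that opens a Zip attachment and flags member names whose true (last) extension is executable but which are disguised by whitespace padding or a decoy extension, as in the readme.txt / .scr case described above. The decoy list, the three-space padding threshold and the sample names are assumptions made for this example.

```python
import io
import re
import zipfile

EXECUTABLE_EXTS = {".bat", ".cmd", ".pif", ".exe", ".scr"}  # from the quoted warning
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}  # assumed list for this example
# Constructed member names; the first mimics the padded name from the message.
SAMPLE_NAMES = ["readme.txt" + " " * 40 + ".scr", "notes.txt", "photo.jpg.exe"]


def split_name(name):
    """Return (stem, true extension) for the last path component of name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    dot = base.rfind(".")
    return (base, "") if dot < 0 else (base[:dot], base[dot:].lower())


def spoof_reasons(name):
    """List the reasons a member name looks like a disguised executable."""
    stem, ext = split_name(name)
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension " + ext]
    if re.search(r"\s{3,}", stem):
        reasons.append("whitespace padding before the extension")
    inner = split_name(stem)[1]
    if inner in DECOY_EXTS:
        reasons.append("decoy extension " + inner)
    return reasons


def scan_zip(data):
    """Map each suspicious member of a zip (given as bytes) to its reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: r for n in zf.namelist() if (r := spoof_reasons(n))}


def build_sample():
    """Build the constructed sample archive with harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in SAMPLE_NAMES:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample()).items():
        print(repr(member), "->", "; ".join(reasons))
```

The check looks only at names inside the archive, so it works regardless of whether the file manager is set to hide extensions.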

