"Novarg" Virus making the rounds

Antennaria@aol.com Antennaria@aol.com
Wed, 28 Jan 2004 10:31:21 PST
Being in the position as an IT manager currently, for a 300-person firm, our group has been very aware of the new virus woes these last couple days.  The latest virus making the headlines is the Novarg or MyDoom virus.  Since some advice was offered on computer viruses on this forum, I thought I would offer some clarifying points.

>...Windows operating systems default 
>to a setting which makes file extensions
>invisible to the user. Because of these 
>factors, it is no longer safe to classify
>email attachments by filename, because 
>there are many ways to 'spoof' a harmless 
>looking file extension.

It is true, the "default" Windows setting is to not show file extensions.  I recommend turning on display of file extensions, a very important step.  I disagree with the statement that "it is no longer safe to classify email attachments by filename".  The file names can't be "spoofed" in the true sense of what "spoofing" means. For example, the To: and From: fields in your email message are just text fields... these can be "spoofed" with a completely different name put into the field... the true sender's name is contained within the routing properties.  But you're right in saying that the spammers and virus writers try to make the file extension unobvious by adding a messload of blank spaces with the real file extension way out to the right, among several lame-ish tricks.  The point is, it is indeed always possible to learn what the true file extension is, and to be smart about them.

By the way, this particular virus is mostly being sent as a ZIP file (.zip).  It is safe to open a zip file, however, inside the zip file is the actual virus file. In most of the current virus attachments I looked at, it's a PIF file, a Windows System file that is not safe to open, and no one would have business to open one anyway.

>Anti-virus programs are not an
>effective panacea, since, on 
>the average, it takes at least 
>two weeks for anti-virus software 
>writers to incorporate filters 
>for a new virus into their software.

Our experience is different.  We use an enterprise-wide Norton Anti Virus solution, with "live updates" (live-time updates).  We find it very effective, with the updated virus detection filters updated by Symantec within hours of any major virus outbreak.

It should also be remembered that it is possible to screen (block) all files with certain attachment types.  Therefore, even if it's a new virus, it's not so critical because the method of virus delivery is usually the same... via one of the banned file extension types.  I understand that a file extension can be changed and masquerade as something else, and be a danger... so you really need both... the active virus detection, and the automatic blocking of certain file types by file extension.  This latest Novarg virus mostly comes as a ZIP file, a common and acceptable file type, but with the bad virus file inside, of an unacceptable file type.  The Novarg virus hit yesterday morning... but by the lunch hour, the Symantec Norton Anti Virus filters were updated and effective at detecting and quarantining the new virus attachments.

>If you absolutely must test a 
>suspicious attachment, there 
>is one safe way to open and 
>check them. Right-click on 
>the attachment...  'Open with'
>... Choose the application which
>is appropriate for the type of 
>file it appears to be.

These are dangerous instructions, because there are conditions that are not described here, and a novice or less-than-savvy computer user could get into trouble.  The example of opening a JPG or GIF file is benign enough, but advising people to use whatever appropriate application to open the file is too vague a suggestion.  There are things like WORD macro viruses and other methods of virus delivery, that the best advice is to buy something like Symantec Norton Anti-Virus, and subscribe to Live Update (currently $19.95 for 1 year), to have the virus detection.

Then of course, you can go a long ways to avoid viruses, by being smart and observant.  Most bogus virus messages are easy to detect, and most times, the message title is the dead giveaway, along with those file attachments with the now familiar BAD type of file extension.

Mark McDonough        
Pepperell, Massachusetts, United States  
"New England", near New Hampshire  
USDA Zone 5
website: http://www.plantbuzz.com/
alliums, bulbs, penstemons, hardy hibiscus, 
western american alpines, iris, plants of all 
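
An added example, not part of the original post: a Python sketch of the two checks the message describes, finding the true extension behind a run of blank spaces and blocking banned types even when they sit inside a ZIP attachment. The block list beyond `.pif`, the padding threshold and all function names are assumptions made for illustration.

```python
import io
import zipfile

# Assumed block list for illustration; the post names only .pif explicitly.
BANNED_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".cmd", ".com", ".vbs"}
PADDING_RUN = " " * 5  # constructed threshold for a suspicious run of blanks

def true_extension(filename):
    """Return the real (last) extension, lower-cased, ignoring trailing blanks/dots."""
    name = filename.rstrip(" .")
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""

def check_name(filename):
    """List the reasons a single file name should be blocked."""
    reasons = []
    ext = true_extension(filename)
    if ext in BANNED_EXTENSIONS:
        reasons.append(f"banned extension {ext}")
    if PADDING_RUN in filename:
        reasons.append("whitespace padding before the real extension")
    return reasons

def check_attachment(filename, data):
    """Check the attachment name and, for ZIP files, every member name inside."""
    findings = [(filename, r) for r in check_name(filename)]
    if true_extension(filename) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    findings += [(member, r) for r in check_name(member)]
        except zipfile.BadZipFile:
            # An archive the filter cannot read cannot be cleared either.
            findings.append((filename, "unreadable ZIP archive"))
    return findings

def build_sample_zip(member_name):
    """Build a constructed in-memory ZIP holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"constructed placeholder content")
    return buf.getvalue()

if __name__ == "__main__":
    padded = "document.txt" + " " * 40 + ".pif"  # constructed sample name
    samples = [("photo.jpg", b""), (padded, b""),
               ("message.zip", build_sample_zip(padded))]
    for name, data in samples:
        print(repr(name), check_attachment(name, data) or "allowed")
```
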
