The New Breed of Viruses

by Robert English

© 2002-2007 by Robert English; obtain permission before using elsewhere.

 
This article is for those who are:
  1. wondering why they may have received a copy of a virus with my e-mail address on it;
  2. interested in viruses in general; or
  3. curious as to what all the fuss is about.
 

"Why are you sending me these huge e-mails with viruses in them?"

First of all, for those of you who may have received a copy of the "Mydoom", "Bugbear", "Sobig", "Klez", or other virus in an e-mail, with my e-mail address in the "from" field, be advised: I did not send it.

Those viruses, and others like them, use what is called a "spoofed" (forged) address. That is, the virus deliberately fills the "from" field with a false address, one that has nothing to do with the machine that is actually infected and sending out the viruses.

The first thing these viruses do when they infect a computer is to collect every e-mail address stored on the newly-infected machine (first from the MS Outlook address book, then from the web pages held in the browser cache) and send a copy of themselves to each one. To confuse anyone receiving the message, the address it is supposed to be "from" is pulled from those same sources. All someone has to do is surf to my web page - they don't even have to send me an e-mail - and my address is stored on their machine and becomes fair game for the virus. Brilliant, actually - and it makes it nearly impossible to track the real source of the infection.
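The "from" field versus the Received trail, as an added example that is not part of the original article: a small Python script run over a constructed worm e-mail (the hostnames and addresses are made up) that pulls out the address the message claims to be from and the IP address recorded by the first mail server the infected machine connected to. The virus can write anything it likes in "From", but it cannot rewrite the Received headers that relaying servers add, so the bottom-most Received header is the one clue to the infected machine that survives.

```python
import email
import re
from email import policy

# Constructed worm e-mail (not a real capture). The "From" address is whatever
# the virus chose to write; the bracketed IP in the bottom-most Received header
# was recorded by the first mail server the infected machine connected to.
SAMPLE_WORM_MAIL = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
    by mail.recipient.example with ESMTP id 4F2C1; Tue, 27 Jan 2004 10:02:11 -0500
Received: from dsl-pool-77.isp.example (dsl-pool-77.isp.example [198.51.100.77])
    by mx.isp.example with SMTP; Tue, 27 Jan 2004 10:02:09 -0500
From: "Some Innocent Person" <innocent@spoofed.example>
To: victim@recipient.example
Subject: test
Content-Type: text/plain

test
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Received headers in transit order, origin first.

    Each relaying server prepends its own Received header, so the one that
    appears last in the message was written first, by the server closest to
    the machine that really sent the mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def claimed_sender(raw):
    """The address the message *claims* to be from; the virus fills this in freely."""
    msg = email.message_from_string(raw, policy=policy.default)
    return msg["From"].addresses[0].addr_spec


def originating_ip(raw):
    """IP that handed the message to the first mail server, or None if the
    message has no Received header carrying a bracketed address."""
    hops = received_hops(raw)
    match = BRACKETED_IP.search(hops[0]) if hops else None
    return match.group(1) if match else None
```

A worm with its own SMTP engine usually delivers straight to the recipient's mail server, so the chain is often a single hop; the logic is the same.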

I have never, repeat NEVER, had any of these viruses on my system. I practice the following preventative measures:

  1. I use a server that has Norton Anti-Virus installed on it, and it alerts me to any email which carries an infection - these get deleted immediately.
  2. I pre-scan the contents of incoming e-mail as it is being downloaded, and make a regular habit of deleting anything that I don't want to read. This was initially started to remove "spam", but has come in handy for virus-laden e-mails as well.
  3. I use anti-viral software on my Windows systems, and keep them updated with the latest definitions. Moreover, because these newer viruses will deactivate any anti-virus software on the system, if my system were infected then the anti-virus software would not be able to run at all. And it does.

So, to answer your query, whatever virus you received did not come from me. We are dealing with a very well-crafted piece of computer code that is capable of hiding its source. Gotta give the authors credit, whoever they are.

 

"What is so different about these viruses?"

Besides the previously stated ability to find e-mail addresses in various places on a PC, these things carry their own SMTP (Simple Mail Transfer Protocol) engine. That means they can send e-mails out literally behind your back while you're browsing online. They have no need to commandeer your e-mail program, as some earlier viruses had to do.

If the infected computer is connected to the Internet with a high-speed connection, such as a DSL line or cable modem, the virus can send out many e-mails in a few seconds instead of the few minutes it would take over an ordinary dialup connection. Since most people don't watch the modem activity while they're online, they don't know that a virus is sending its payload out from their computer.

These viruses basically work as behind-the-scenes replicating machines, which makes it easy for other viruses to hitch a ride along with them, so there is more than likely more than one virus on an infected system. I have been called to clean other people's systems of such infections, and have found as many as 15 different viruses on the system simultaneously. Open ports can also exist on these systems, which can let new viruses in at any time or allow the virus author to control your machine remotely.

Because this approach works so well, in favor of the virus writers (and whoever might be paying them money to write this code), we may have seen only the beginning of what might prove to be a viral epidemic.

 

"What can I do to keep my PC safe from this thing?"

Several things. You can do any combination of these steps that suits you and your situation:
  1. Get and use anti-virus software;
  2. Delete large e-mails from strangers;
  3. Install a firewall on your system that can monitor outbound traffic;
  4. If you have ordinary e-mail, don't use Outlook Express version 5.0;
  5. Acquire, and use, an "e-mail preview" program;
  6. Switch to an Apple or Linux system;
  7. At the very least, write one "bogus" e-mail address at the beginning of your address book.

Let's look into each one of these a little further:

1) There are two heavy players in the anti-virus software market right now - Norton and McAfee. Both have good reputations, though McAfee has edged Norton out lately: Norton has steadily become "bloat-ware", meaning it takes up more memory and hard drive space than it really needs to. I have worked with Norton for nearly two decades, and have been happy with previous versions, but I am beginning to recommend McAfee for new users.

2) AOL users seem to be easy prey for viruses in general - as the neighborhood computer guy, I have had more virus calls from AOL users than from anyone else. If you're using this service for your online surfing, you're going to get a lot of garbage in your inbox. But, since your e-mail listing is displayed in the browser without automatic previews, you have a first line of defense at your disposal: look for any e-mails that are over 50K in size and delete them outright. Don't open them. You'll be much safer.

3) Some "security suites", such as the ones in McAfee's and Norton's product lines, include a decent firewall which not only blocks incoming traffic but also checks outbound data to make sure that your computer isn't sending anything out behind your back. There are also some free ones which will do the job - see this page at GRC.com, which does a great deal to explain the merits of the different products available. To put it simply, if your computer is infected, a firewall that monitors outbound traffic means the virus cannot send its e-mails out in secret.

4) If you use ordinary e-mail services (from POP servers), and you are using Outlook Express version 5 to look at your mail, here's one word of advice: UPGRADE!
There is a security hole in this particular version of Outlook Express that you can drive a truck through. Version 5.5 (for Windows95 machines) and version 6 (for Windows98 on up) are safer, since they give you the added option of not automatically opening attachments. Version 6 also gives you the option of not opening any attachments at all, which is best for most people. So, if you're still using the old version of Outlook Express, either upgrade or use another email program such as Eudora.

5) E-mail preview programs are terrific for those of us with ordinary POP-server e-mail. Using programs like this, we can view whatever e-mails might be waiting on the server, selectively delete the ones we don't want to see, and then use our ordinary e-mail program to download and read the rest.
I have written, and am now offering as "freeware", a program written in C-Sharp (runnable on Windows systems that have the .NET Runtime Environment installed) called "E-Checker". It will allow you to look at the contents of your e-mail server and delete any suspicious e-mail before you download it. Read about it by clicking here.
There is an alternate program for those who cannot use the .NET Runtime (this includes the venerable Windows95, sadly) - a program out of New Zealand called Mailwasher. This program has the added benefit of being able to "bounce" spam, which sadly doesn't work as well as it did when the program first came out (spammers are increasingly using bogus reply-to addresses, so your "bounce" never reaches the right target). It's still a great program for deleting unwanted e-mail off your server, however, and the price (free) is hard to beat.

6) Switching operating systems is the most extreme way to avoid infection, but it is thorough.
None of the viruses that commonly latch onto a Windows system will infect the Apple OS, Linux, or any other spin-off of UNIX, for that matter. Using a non-Microsoft operating system reduces the number of possible infections and, in the case of Apple, avoids them.

7) The cheapest way to detect the presence of a virus on your system is to write a deliberately bogus e-mail address into your address book; "aaardvark@bogus.site" is a good example. You yourself will never use it. The virus won't know the difference, however, and will send a virus-laden e-mail to that address. When you get a message stating "Undeliverable mail" for this bogus address, that is your cue that your system must be infected. You must then take whatever steps are necessary to clean your system up, or you will be part of the problem instead of part of the solution (to start with, Symantec's web site has posted an excellent step-by-step removal method for the Klez virus and many others).
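The bounce check from step 7, as an added example that is not part of the original article: Python that recognises a delivery-failure report and tells whether it was the bogus "aaardvark@bogus.site" entry that bounced. The bounce message is constructed for illustration; real bounces vary in wording, which is why the code reads the delivery-status part first and only falls back to scanning the text.

```python
import email
from email import policy

CANARY = "aaardvark@bogus.site"  # the deliberately bogus address from the article

# Constructed bounce, not a real capture: what a mail server returns when a worm
# on the infected machine mails the canary. Standard bounces are multipart/report
# messages whose message/delivery-status part names each recipient that failed.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mail.isp.example>
To: me@recipient.example
Subject: Undeliverable mail
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This message was not delivered to one or more recipients.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.isp.example

Final-Recipient: rfc822; aaardvark@bogus.site
Action: failed
--b1--
"""

# An ordinary message that merely mentions the canary must not trip the alarm.
SAMPLE_NORMAL = "From: friend@example.net\nSubject: hi\n\nIs aaardvark@bogus.site real?\n"

def failed_recipients(msg):
    """Addresses a delivery-status report says could not be delivered to."""
    found = set()
    for part in msg.walk():  # walk() descends into the per-recipient blocks too
        for value in part.get_all("Final-Recipient", []):
            found.add(str(value).split(";", 1)[-1].strip().lower())
    return found

def canary_tripped(raw, canary=CANARY):
    """True when a bounce reports the canary as an undeliverable recipient."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").lower()
    if msg.get_content_type() != "multipart/report" and "undeliverable" not in subject:
        return False  # not a bounce at all
    failed = failed_recipients(msg)
    if failed:
        return canary.lower() in failed
    # Older servers send free-text bounces with no delivery-status part; fall back to the text.
    return canary.lower() in raw.lower()
```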

 

A Final Word

There isn't anything I can do about the fact that these viruses use my e-mail address to fool people into thinking it's from me. However, I can use it as an opportunity to educate people about what a dangerous place the Internet is becoming because of these malicious pieces of software. I've gotten to a point where I will not recommend a Windows PC to a novice - I will point them toward an Apple instead, which is (so far) impervious to these threats besides being just plain easier to operate.

You've no doubt heard the expression, "It's far better to prepare for something that might never happen than to have it happen to you and not be prepared." This warning needs to be taken to heart and applied. As with any enjoyable activity, if you protect yourself while doing it, everyone benefits. Like the guy used to say on "Hill Street Blues", let's all be careful out there.

 

rev 1.5.07, RAE Productions