Briefing on Viruses and Hoaxes

Last update 17 July 2002

Audience

The audience for this note is all users of email in the Department. Unix-based users, even though they may feel themselves secure against MS-Windows-based viruses, are by no means immune to passing on copies of infected attachments, with consequences for their reputation and the good name of the Department. This is no mere theory: I know of at least two cases here. Consequently, I urge even Unix-based users to take a serious interest in these warnings, and not just dismiss them as irrelevant to them. Thanks.

Laptop warning: Laptops which are taken out of the Department and connected to random Internet Service providers are at additional risk of virus infection, which can then find its way back into the Department when the laptop returns. Please be extra vigilant in this kind of situation.

This page begins with news items and some recent incidents. The FAQomatic also contains some items about viruses.


News

As of Feb 2002, Computing Service are recommending Sophos Anti-Virus for all supported platforms, instead of the two products previously recommended. Note that the licence with Sophos permits staff and students to install the product on their home machine, and this is strongly recommended. Please consult your usual I.T. support person for any assistance in migrating to the new software. Under the terms of the outgoing licence, all copies of the previously-recommended product must be de-installed by mid-August: but don't wait till then to take advantage of the new software.

Current alerts

15 July 2002: W32.Frethem.K@mm, also known as W32/Frethem-Fam, has been rejected in significant numbers by our mailer, around 15-17 July. At least one system in Fermilab is known to have been infected from somewhere, since the Fermilab mailer has sent out a number of mails accompanied by an alert to say that it found the original mail to be infected and it has filtered it before passing it on. DESY-ZEUS also put out a warning in terms which suggest they have had contact with infected systems.

In mid-May 2002 we were seeing increasing numbers of attempts to send us executable attachments which fraudulently claim to be Sophos-supplied fixes for a previous virus. In fact these are reported to be yet another variant of a previously-known virus. Need it be said that installing software which you got as an email attachment from some random sender, possibly counterfeited, is an extremely bad idea? Always go to the official web site or other appropriate vendor resources.

In the second week of May 2002, there have been a couple of instances of the "jdbgmgr.exe" hoax. As the Sophos page rightly remarks, this Windows component could conceivably fall prey to a virus infection just like any other Windows component, but the usual telltales, e.g. "please send this message to everyone in your address book", are indicative of a hoax rather than a genuine alert. Never trust instructions given in some arbitrary email: always check the indications against a reliable web site, e.g. Sophos, and if still in doubt, disconnect your machine from the network, shut it down if thought appropriate, and consult with an IT support person before taking any further action, particularly as regards removing or interfering with components of the operating system.

Please note:

In summing-up observations from incidents, the primary problem is that we have too many end-users who are managing their own PC systems, and too few systems being managed in a co-ordinated fashion. This situation seems unlikely to improve unless/until enough influential users realise that there really is a problem, and start pressing for the job to be done in a more scaleable fashion. However, as long as we are in the situation that we are in, it's important for users to keep an eye on the upgrade situation, make sure that the versions which they are running are at the software level currently recommended by Computing Service, and that the anti-virus data is as up-to-date as feasible. If automatic updating is enabled for your system, then check it to see that it's really working.

Above all, DO NOT open emails which seem suspicious, REGARDLESS of who they come from. This advice applies no matter how up-to-date you think your virus protection may be. Treat that protection as a back-stop: if the virus protection ever triggers, then it probably means you were doing something risky, that you really ought not to have attempted.

"Nimda" worm: a grumbling problem became a disaster (Sept 2001)

The weaknesses exhibited by Code Red were finally turned into a major exploit, with several accompanying nasties. Many sites were totally taken out by this attack. (Glasgow Univ appears to have got off relatively lightly, but this should be no excuse for dropping our guard - quite the contrary, it could serve as a demonstration of the benefit of maintaining defences, in spite of the fragmented support situation in the Department.)

For quite some time now, large numbers of Microsoft IIS web servers that had been compromised by the Code Red worm have been broadcasting to the Internet the fact that they are vulnerable. System administrators noted with some distress that the frequency of probes from such compromised servers was not abating, suggesting that their owners were not taking the problem sufficiently seriously and that their service providers were not taking sufficiently strong action against these compromised systems. We predicted it was inevitable that this open invitation to make use of the compromised systems for some nefarious purpose would eventually be taken up by network crackers, but we hadn't expected anything so perverse as Nimda turned out to be.

Nimda is a complex bag of nasties which propagates by several different mechanisms. Some of these (like Code Red) are a matter of concern primarily for system administrators - particularly those who are running web servers from Microsoft; but the worm also propagates via email attachments, via compromised web pages which users may visit, and via writeable fileshares.

Ideally, none of these ought to be of concern to the user of well-behaved and sensibly-configured client software: they rely on design weaknesses specifically in Microsoft software.

Be warned: this beast can spread like wildfire if it once gets a foothold, especially if individual users are behaving in an unsafe fashion (using unpatched Microsoft products for reading mail or web browsing).

Recommendations to users of all kinds of MS Windows systems:


Intro

This briefing has been prepared by A.Flavell, prompted by a number of suggestions from users. It represents a personal view, but appears to be consistent with the campus policy as expressed in documents from the computing service etc.

Viruses (including "worms" and similar nasties) have become a frequent occurrence on the Internet. But also, much time has been wasted by hoax warnings, spread in good faith by users. This briefing attempts to assist users in protecting themselves and each other from both kinds of abuse.

Highlights

Viruses are nowadays commonly spread by means of email attachments which contain some sort of active content, also to some extent, as formerly, by exchange of infected diskettes. No harm can arise from mere data, such as plain text treated as such: the risk is specifically associated with active content, such as executable macros etc. that can be embedded into various kinds of content.

The risk is therefore dependent on the user being misled into executing this kind of malicious attachment. The consequences can be massive, including deleting various kinds of file (maybe components of some operating systems, or even destruction of the BIOS in some kinds of PC, making them unusable), as well as the virus sending itself to your email correspondents, with the inevitable consequences for your good name and the reputation of the Department, and, as some others have experienced, a distinct risk of adverse comment in the press.

Precautions

Supported by Guidance on use of E-mail issued by the Computing Service, the following points are made:

Virus protection software

Certainly you should use virus protection software, and keep it up to date. But you should not rely on virus protection software as your first line of defence, because it will always lag behind the actual threat. Rather, you should adopt ways of working that are inherently resistant to virus attack, and look upon the virus protection as a backstop, albeit an important and valuable one.

Setting a good example

Many email exchanges appear to be carried out with potentially risk-bearing formats (Word documents, self-expanding archives, Excel spreadsheets) when the message could, much more safely and conveniently, be exchanged with a simple plain-text mail "body". While there are certainly situations where attachments containing these more complex formats are both necessary and appropriate, please try to resist creating these formats unless they are really appropriate, and you know that your recipients are prepared and willing to accept them.

For distribution of a document to a reasonably wide audience, it makes far more sense to distribute the URL of a master copy of the document on a web server. In this way it will not be subjected to the risk of accreting viruses from those through whose hands it passes!

It is particularly worrying that vendors seem to be encouraging users to create email in quasi-HTML formats, with what seem to be inadequate precautions for protecting users from various kinds of active content which these formats might be concealing. Although it is understandable that users might want to produce a more attractive format than the traditional plain-text email, there is significant concern about the number of incidents that have occurred with more elaborate mail formats, pointing to insecure designs in the vendor's software.

Note on self-expanding ZIP archives

ZIP archivers offer the option to package an archive, together with MS Windows software for unpacking it, into a single executable file. This is felt to be more convenient for the recipient, who might not have a ZIP-archive unpacking program at their disposal. However, on receipt of such an executable file from a potentially compromised source, the recipient has no idea whether this Windows executable file is in reality a ZIP archive, or perhaps is a camouflaged virus/worm/trojan.

Note that a ZIP archive package (such as WinZip) will have the capability of unpacking a self-expanding ZIP archive, without taking the risk of actually executing the would-be archive itself. It is therefore strongly recommended that you run your own, installed and trusted, version of a ZIP archive program, and use that to unpack ZIP archives - even the self-expanding archives.
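As an added example (not part of the briefing, and not the code of Sophos, WinZip or any other product named here), the following Python script shows the safe route just described in practice: it treats a received "self-expanding" archive purely as data, checks for the Windows executable stub at the front and the ZIP directory at the back, and lists and unpacks the contents with the standard `zipfile` module instead of running the file. The sample attachment, the list of risky extensions and the function names are all constructed for illustration.

```python
"""Inspect a 'self-expanding' ZIP attachment without executing it.

Added example, not the briefing's own code. Uses only the Python 3
standard library. The sample attachment is constructed below: a fake
MZ stub (standing in for the bundled Windows unpacker) followed by a
genuine ZIP archive, which is how self-extracting archives are laid out.
"""
import io
import zipfile

# Active-content extensions to flag inside an archive (illustrative list).
RISKY_SUFFIXES = (".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js", ".doc", ".xls")


def inspect_attachment(data: bytes) -> dict:
    """Classify an attachment body and list what it would unpack to, without running it."""
    is_pe = data[:2] == b"MZ"                       # Windows executable header
    is_zip = zipfile.is_zipfile(io.BytesIO(data))   # looks for the trailing ZIP directory
    members = []
    if is_zip:
        # zipfile handles a stub in front of the archive, so no execution is needed
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    risky = [m for m in members if m.lower().endswith(RISKY_SUFFIXES)]
    if is_pe and is_zip:
        verdict = "self-extracting archive: unpack it with your own ZIP tool, do not run it"
    elif is_pe:
        verdict = "bare executable with no archive inside: treat as hostile"
    elif is_zip:
        verdict = "plain ZIP archive"
    else:
        verdict = "not an archive"
    return {"is_pe": is_pe, "is_zip": is_zip, "members": members,
            "risky_members": risky, "verdict": verdict}


def extract_safely(data: bytes) -> dict:
    """Return the archive contents as {name: bytes}; the stub is never executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info)
                for info in zf.infolist() if not info.is_dir()}


def build_sample_sfx() -> bytes:
    """Constructed sample: fake MZ stub + genuine ZIP holding two files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("joke.exe", "not really a program")
    stub = b"MZ" + b"\x00" * 62 + b"[fake unpacker stub, not a real program]"
    return stub + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_sfx()
    report = inspect_attachment(sample)
    print(report["verdict"])
    print("contents:", report["members"], "risky:", report["risky_members"])
    print("readme.txt ->", extract_safely(sample)["readme.txt"].decode())
```

The point of the `risky_members` list is the one the briefing makes later about compressed archives: what matters is not the wrapper but what is inside it, and reading the member names out of the directory is enough to decide whether the contents deserve the same suspicion as a bare executable.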

Writeable network shares

Quite a proportion of viruses involve, as one of their propagation mechanisms, attempts to write to writeable network shares. If you are accustomed to using network shares, it would be wise to consider how you are using them: maybe read-only access is adequate to fulfil your usage requirements, with updating limited to a single user.

Hoaxes

Virus hoaxes usually take the form of an urgent email describing some "new", fancifully-named and supposedly seriously hostile "virus", and pleading with you to immediately inform all your friends, on account of the risk. Some of these mails also cite the names of well known companies, for example IBM, as the source of the warning, in order to lend an air of respectability to the report.

In this kind of situation, the first priority is to contact your I.T. representative to find out what is already known. Some of these hoaxes have indeed been known for months or even years, yet still, individuals are suckered into continuing to propagate the warnings. Although not as damaging as a real virus, this kind of fake alert is so prevalent as to cause much wasting of everyone's time if it is not handled correctly. Interested users may of course refer to a reliable web site to check for previous "form". (Not, of course, to any URL cited in the mail itself, which could well be a bogus web page created by the hoaxers.)

Here are some of the warning signs that are usually present in these hoaxes.

As long as you are already "practising safe systems of email" (to coin a phrase), there should be no risk in awaiting the findings of your I.T. representative, even if the alert should prove genuine. Some of these hoaxes indeed describe a modus operandi that appears convincingly dangerous to the non-specialist, even though to the specialist it is obvious that a properly-behaved mail client could not be harmed by them. Short of a serious program loophole (of which, however, several have been found in Microsoft software recently), the only kind of virus that really works that way is the "brain virus", i.e. the hoax!
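The telltales this section and the "jdbgmgr.exe" item describe (the plea to mail everyone in your address book, name-dropping of well-known companies, breathless urgency, a "new" virus nobody can detect, instructions to delete a system file) can be checked mechanically before anyone is tempted to forward a warning. The script below is an added example, not the briefing's own code: the regular expressions, the scoring thresholds and both sample messages are constructed for illustration and are not a complete or authoritative list of hoax signs.

```python
"""Score a 'virus warning' mail for the hoax telltales the briefing describes.

Added example, not the briefing's own code. Pattern list, thresholds and
the two sample messages are constructed assumptions for illustration.
"""
import re

# (label, pattern) pairs drawn from the briefing's description of hoaxes.
TELLTALES = [
    ("chain-letter plea",
     re.compile(r"\b(send|forward|pass)\s+(this|it)\s+(on\s+)?to\s+(everyone|everybody|all)", re.I)),
    ("address-book harvesting", re.compile(r"address\s*book", re.I)),
    ("urgency", re.compile(r"\b(urgent|immediately|right\s+away|as\s+soon\s+as\s+possible)\b", re.I)),
    ("vendor name-dropping",   # a big name cited as the source of the 'alert'
     re.compile(r"\b(IBM|Microsoft|Sophos|McAfee|Symantec)\b.{0,80}\b(warn|confirm|announc|discover)", re.I | re.S)),
    ("claims new or undetectable", re.compile(r"\b(new|undetectable|no\s+(cure|fix|known\s+fix))\b", re.I)),
    ("tells you to delete a named file",
     re.compile(r"\b(delete|remove)\b[^.]*\b\w+\.(exe|dll|sys)\b|\b\w+\.(exe|dll|sys)\b[^.]*\b(delete|remove)\b", re.I)),
]


def hoax_indicators(text: str) -> list:
    """Return the labels of every telltale found in the message, in list order."""
    return [label for label, pattern in TELLTALES if pattern.search(text)]


def classify(text: str) -> str:
    """Turn the indicator count into advice; thresholds are an assumption."""
    hits = len(hoax_indicators(text))
    if hits >= 3:
        return "likely hoax: do not forward; check with your I.T. representative or a vendor site"
    if hits >= 1:
        return "unclear: check before acting on it"
    return "no hoax telltales found"


# Constructed samples; the first mimics the style of the 'jdbgmgr.exe' chain letter.
HOAX = ("URGENT!! IBM and Microsoft have confirmed a new virus that no anti-virus "
        "program can detect. Search your hard disk for jdbgmgr.exe and delete it "
        "immediately. Please send this to everyone in your address book!")
GENUINE = ("Computing Service recommends Sophos Anti-Virus for supported platforms. "
           "Install it from the official web site and keep the data files current.")

if __name__ == "__main__":
    for name, msg in (("HOAX", HOAX), ("GENUINE", GENUINE)):
        print(name, hoax_indicators(msg), "->", classify(msg))
```

A high score is a reason to stop and ask, not a verdict: as the text says, the safe response to any alert, genuine or not, is the same, so the scorer only needs to be good enough to interrupt the reflex of forwarding.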

"Copier Humour"

There's a worrying proportion of incidents where people appear to be distributing copies of what, in earlier times, we used to call "copier humour", but which are now passed on as executable programs: this should set the warning bells ringing! While it may well be that a proportion of these are harmless fun, it only takes one Trojan program or other virus to do the harm, which may only become apparent quite some time after you enjoyed the joke and passed a copy on to friends. The departmental mailer does its best to block potentially dangerous formats when sent as active attachments; but when packed into compressed archives (zipfiles) etc. the content can easily get past the checks, and then it's up to you to protect yourself.

Do not put your computer installation at risk for the sake of a bit of fun. Install an anti-virus package, and keep its profiles up to date, but do not rely on it as your sole protection - "practice safe email" procedures.

Internet Explorer

Internet Explorer has a potentially serious loophole in its handling of the HTTP content-type text/plain, such that if the content of the plain-text appears to be HTML, then IE will overrule the text/plain content-type, and treat it as HTML instead. This HTML could in turn contain active content, thus leading to the possible scenario where the opening of a plain-text web page can result in the execution of active content. This is unlikely to happen by chance, but a malicious web site could set up some content that had been deliberately designed to exploit this.

This misbehaviour, i.e. silently overruling the mandatory HTTP Content-type header, is even presented on IE's own pages as intentional and beneficial. If you use IE as your web browser, I strongly recommend opening up the security dialogue (e.g. in Win IE5 this would be Tools -> Internet Options -> Security) and, at least for "the Internet", disabling as many kinds of active content as you can. Trusted sites that genuinely need these active-content techniques can be treated specially. But don't forget that even a normally trustworthy colleague could be fooled into passing on dangerous content, so don't enable this unless it's a genuine functional requirement.
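From the server side, the same loophole can be audited: a response labelled text/plain whose first bytes look like HTML is exactly the case a sniffing browser will reinterpret. The script below is an added example, not the briefing's own code and not IE's algorithm: the tag list and the 256-byte window are simplifying assumptions modelled on browser behaviour, the sample responses are constructed, and the `X-Content-Type-Options: nosniff` response header it checks for is a real mitigation that later browsers (MSIE 8 onward) honour but which did not exist when this page was written.

```python
"""Flag HTTP responses exposed to the text/plain -> HTML override described above.

Added example, not the briefing's own code. The marker list and window
size are assumptions, not IE's documented algorithm; the nosniff header
is a later, real mitigation that post-dates the briefing.
"""
import re

# HTML-looking constructs near the start of a body that a sniffing browser
# is assumed to act on (illustrative list).
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|head|body|script|iframe|object|embed|title|a|img|div|p|table|pre)\b",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256  # bytes examined; an assumption, not a documented constant


def looks_like_html(body: bytes) -> bool:
    """True if the leading bytes contain tags a sniffing browser would act on."""
    return HTML_MARKERS.search(body[:SNIFF_WINDOW]) is not None


def sniff_exposure(headers: dict, body: bytes) -> dict:
    """Decide whether a response served as text/plain could be treated as HTML."""
    lowered = {k.lower(): v for k, v in headers.items()}
    media_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    nosniff = lowered.get("x-content-type-options", "").strip().lower() == "nosniff"
    html_like = looks_like_html(body)
    exposed = media_type == "text/plain" and html_like and not nosniff
    advice = []
    if exposed:
        advice.append("add X-Content-Type-Options: nosniff")
        advice.append("or serve the file as application/octet-stream if it is not meant to be a page")
    return {"media_type": media_type, "html_like": html_like,
            "nosniff": nosniff, "exposed": exposed, "advice": advice}


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "plain-text": ({"Content-Type": "text/plain; charset=us-ascii"},
                   b"Meeting at 10. Bring the minutes.\n"),
    "html-in-plain": ({"Content-Type": "text/plain"},
                      b"<html><body><script>alert('active content')</script></body></html>"),
    "html-in-plain-nosniff": ({"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
                              b"<script>alert('active content')</script>"),
}


def audit_samples() -> dict:
    """Run the check over every constructed sample; returns {name: exposed}."""
    return {name: sniff_exposure(h, b)["exposed"] for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, exposed in audit_samples().items():
        print(f"{name}: {'EXPOSED' if exposed else 'ok'}")
```

Run over a site's own text/plain resources (source listings, READMEs, log excerpts), this finds the cases where a browser that ignores the declared type would execute whatever the file happens to contain; the fix is on the server, which is the one place the user's browser settings cannot reach.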

Further details