First Line of Defense against Viruses and Worms (Including MyDoom).

Feb 2, 2004 3:39AM PST

Something that I and others have been preaching since the big Love Bug virus struck 4 years ago:

From the makers of AVG, Lavasoft News, February 1, 2004:

"...after this last worm spread (MyDoom), and I looked around various online forums, I noticed something was missing. A very big piece of the puzzle. The one piece that has the largest influence on preventing things like viruses and worms from entering the computer and doing anything in the first place.

So what was your answer to the question? If you didn't say the first line of defense was you, the user of the computer, it's time to rethink your security strategy.

Users hold the largest chance of keeping malicious code like viruses and worms off their systems by one extremely easy method, and many fail to exercise it. Instead, they rely on their antivirus program to catch anything suspicious. The method only takes a few seconds to do, and it can prove wonders in preventing system infection and preventing the spread of such items. If you receive something in your email, whether it's from someone you know or someone you don't, and it contains an attachment, and it looks suspicious in any way, your very next step should be to click Delete.

How do you tell the difference between a suspicious and non-suspicious email? The days of judging this by the sender and the sender only are long gone. Most worms will use your friends' email addresses for sending, in an effort to get you to open it. Your first step should be to see if it just looks strange. You know your friends better than anyone else. Look at the writing style of the email. Does it look like something they'd write? If not, then proceed with caution.

A method that some use when sending attachments is to send an email beforehand, letting the other person know they're about to send an attachment, along with what type of file it is and what it contains. This can help greatly in figuring out if something's safe or not, but of course, don't go on this alone.
Perhaps in an Instant Message or a telephone call one could let the other know of the pending email containing the attachment.

One of the best things you can do is trust your instinct. If it looks suspicious, delete it. You can always ask the sender what they sent and have them resend if necessary. But if you do believe it's safe to open, and it turns out not to be, then make sure your next layer of security, such as your antivirus software, is updated and monitoring, and be prepared with backups of your important files in case that layer of security fails."

http://www.lavasoftnews.com/theeye/i17/print/

From SOPHOS:

"...The MyDoom worm (also known as Novarg or Mimail-R) spreads via email, using a variety of technical-sounding subject lines and attachment names. If the attached file is launched, and the worm activated, the infected computer's hard disk is harvested by the worm for more email addresses to send itself to. The worm opens a backdoor onto infected computers which allows hackers to gain access.

The worm also spreads via the KaZaA file sharing network, and launches a denial of service (DoS) attack from infected computers (known as "zombies") against SCO's website between 1 and 12 February.

"MyDoom is unlike many other mass-mailing worms we have seen in the past, because it does not try to seduce users into opening the attachment by offering sexy pictures of celebrities or private messages," said Graham Cluley, senior technology consultant for Sophos. "MyDoom can pose as a technical-sounding message, claiming that the email body has been put in an attached file. Of course, if you launch that file you are potentially putting your data and computer straight into the hands of hackers."

"When the MyDoom worm forwards itself via email, it can create its attachment in either Windows executable or Zip file format. It is possible the worm's author did this in an attempt to bypass company filters which try and block EXE files from reaching their users from the outside world," continued Cluley."

http://www.sophos.com/virusinfo/articles/mydoom.html
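The Sophos quote above notes that MyDoom can send itself as either a Windows executable or a Zip file, possibly to get past filters that block EXE files. The following Python example is added here as an illustration and is not part of the original post or of any vendor's product: it shows a gateway-style check that also looks inside Zip attachments. The blocked-extension list, the function names and the sample messages are assumptions constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions this example refuses (an assumed list, not from the thread).
BLOCKED_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def is_blocked_name(name):
    """True if the name ends in a blocked extension, ignoring case."""
    return name.lower().rstrip(". ").endswith(BLOCKED_EXTS)

def scan_message(raw_bytes):
    """Return (attachment name, reason) findings for one raw message."""
    findings = []
    for part in message_from_bytes(raw_bytes).walk():
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        if is_blocked_name(filename):
            findings.append((filename, "executable attachment"))
        elif zipfile.is_zipfile(io.BytesIO(payload)):
            # Look inside the archive instead of trusting the .zip name.
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    members = archive.namelist()
            except zipfile.BadZipFile:
                findings.append((filename, "unreadable archive"))
                continue
            for member in members:
                if is_blocked_name(member):
                    findings.append((filename, "archive contains " + member))
    return findings

def make_zip(member_name, content):
    """Build an in-memory Zip with one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, content)
    return buf.getvalue()

def build_sample(attachment_name, data):
    """Constructed message with one attachment (not a real capture)."""
    msg = EmailMessage()
    msg.set_content("Placeholder body.")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
```

A filter that checks only the outer file name would pass the Zip sample; the archive has to be opened to see the executable inside it.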

Re:First Line of Defense against Viruses and Worms (Including MyDoom).
Feb 3, 2004 12:45AM PST

Also, from Microsoft:

http://www.microsoft.com/security/antivirus/mydoom.asp#howtotell

"How to Help Protect Against These Worms


If you ever receive a questionable e-mail message that contains an attachment -- especially if it has a .zip file name extension -- do not open the attachment. If you cannot confirm with the sender that the message is legitimate and that the attachment is safe, delete the message immediately. Also note that Microsoft never distributes unsolicited software through e-mail messages.

To block harmful attachments in e-mail messages, get the latest updates for Outlook and Outlook Express by doing the following:

If you use Outlook 2003: Learn which attachment types are blocked in Outlook 2003:
http://support.microsoft.com/?id=829982

If you use Outlook 2002: Get the latest Office service packs and learn which attachment types are blocked in Outlook 2002:
http://office.microsoft.com/officeupdate/default.aspx

http://support.microsoft.com/?kbid=290497

If you use Outlook 2000: Get the latest Office service packs:
http://office.microsoft.com/officeupdate/default.aspx

If you use Outlook Express 6: Learn about virus protection features:
http://support.microsoft.com/?kbid=291387

If you use earlier versions of Outlook Express: Download the latest version of Internet Explorer, which includes the latest version of Outlook Express:
http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp

How to Tell If a Computer Is Infected with Mydoom.A or Mydoom.B
Go To:

http://www.microsoft.com/security/antivirus/mydoom.asp#howtotell

Re:Re:First Line of Defense against Viruses and Worms (Including MyDoom).
Feb 3, 2004 1:22AM PST

Donna (Mod) just made reference to this article:

"The clueless users who refuse to upgrade" by Tim Mullen, SecurityFocus.

"Was the vector some l337 0-day 'sploit? Nope. Was it a complex multi-layer program leveraging several unpatched vulnerabilities? Nope. It was -- wait for it -- an executable attachment in an email. What genius! The author of Novarg (or MyDoom, or whatever you want to call it) really put his noodle to the test when he cooked this one up, huh?

I would like to think that in this day and age people would know better than to open executables in an e-mail.........."

http://www.theregister.co.uk/content/56/35300.html

Also...
Feb 3, 2004 1:54AM PST

Donna (Mod) also posted about the "Finnish researcher says he cracked MyDoom in two hours".

Ero Carrera and a dozen colleagues work for the Finnish internet security firm F-Secure.
http://www.smh.com.au/articles/2004/02/02/1075570331680.html

"Last Monday night, Carrera first ran MyDoom on an isolated computer to see how it worked. Then he decrypted and decoded the bug, breaking it up to learn what the individual parts did, thereby learning its characteristics.

Once that was done, it was easy to write detection software for it, he said, claiming he had completed the task in less than two hours at his Helsinki apartment.

But technology can only do that much, Mikko Hyppoenen, Carrera's boss, pointed out. The real reason why viruses cause havoc to computer systems around the world is human behaviour, he said.
"The virus outbreaks are not a technological problem, but a social problem. People never learn. Even when they are repeatedly told to not open any suspicious emails or attachments, they still continue to do it," he noted....."

Re:First Line of Defense against Viruses and Worms (Including MyDoom).
Feb 3, 2004 12:59AM PST

Sophos link was very valuable and helpful.
thank you.
david williams.

JR, Thanks, And Here Are Some More Good Practices...
Feb 3, 2004 3:06AM PST

Absolutely correct. The best line of defense is the user. Be smart and vigilant. We could post these types of things all day, but here are some links to advice from the McAfee forums.

Virus Protection - Best Practices
http://forums.mcafeehelp.com/viewtopic.php?t=30

Best Scripting & Active X practices for Outlook & OE
http://forums.mcafeehelp.com/viewtopic.php?t=8018

Outlook Express Email and VirusScan
http://forums.mcafeehelp.com/viewtopic.php?t=9082

Best Practices - 10 methods to reduce SPAM
http://forums.mcafeehelp.com/viewtopic.php?t=10304

Hope this helps, too.

Grif

Bump. 'Dumb' users spread viruses - official
Feb 6, 2004 6:46AM PST

is the title of an article that Donna found:

Steve Brown, UK MD of network and security outfit Novell - which sponsored the report - said: "Viruses only work if there are people dumb enough to open them and pass them on." http://www.silicon.com/0,39024729,39118228,00.htm

In another article that Marianna found concerning clueless office workers, ".....a third of those polled in the Novell-sponsored study said they are too busy to check their emails before opening them."
http://www.theregister.co.uk/content/55/35393.html