
Not Again!

Our editor gets hot under the collar about the latest wave of email-borne nasties, and wonders why it is that people are still getting caught out.

Over the last year or so we must have seen at least five major alerts about fast-spreading email-borne nasties. Every time, the advice from the experts has been much the same, and the guidance on how to spot them has been explicit. There is always a pattern, and, for the most part, emails carrying malicious code are fairly easy to spot.

So why is it that my AOL mailbox has been absolutely stuffed with the very latest worm, W32.Badtrans.B@mm? Let's look at it and see how to identify it without even reading the body of the email:

Subject

The subject is simply 'Re:' with nothing after it, which, if you were totally naive, might suggest that someone had replied to a message you sent them that had no subject. Given that just about every email client you have ever seen prompts you for a subject if you have left it blank, it is unlikely that you would send a message that badly formed.

On that basis, then, a subject of 'Re:' is suspect to start with.

Who is it from?

The 'From:' portion of the email will show something of the form ' _user@isp.com '. That is unusual because of the underscore added to the beginning of the address. It is there to stop a recipient casually clicking 'Reply' to warn the sender that s/he has a virus infection: the reply goes to a non-existent address and bounces. This, again, is suspect. No email client that I'm aware of malforms From: or Reply-To: addresses in this way without the intervention of malware.

On that basis, then, there's a second level of suspicion about this email.

Attachment

If those two bits of information weren't enough to arouse suspicion, the third ought to settle the matter. Here, we AOL users are perhaps luckier than most, in that we get to see the attachment's filename before we get anywhere near downloading it. In this case, the attachment has what I call a double-dot extension. The filename itself can be more or less anything with this worm, but it will always have the form 'name.ext.scr' or 'name.ext.pif', where 'name' can be anything at all and 'ext' will be one of three recognised file extensions: 'doc', 'mp3' or 'zip'.

This is a common way for worm writers to disguise the nature of their wares, and it relies on users of Outlook and Outlook Express having Windows Explorer's 'Hide file extensions for known file types' option switched on, as it is by default. If it is, the final extension, '.pif' or '.scr', is hidden, and the attachment looks like an mp3, zip or doc file.

Even so, many of us have advised that you should never open an attachment unless you're absolutely certain what it is and where it came from. That is an absolute, and it should be an immutable rule that every email user lives by.

If you take all of these pointers to heart, then this worm is easy to spot, and therefore easy to avoid.
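As an added illustration of the three tells just described (this is example code written for this page, not anything from the original column or from AOL), here is a small Python filter that scores a raw RFC 822 message against them: a bare 'Re:' subject, a sender address beginning with an underscore, and a 'name.ext.scr' or 'name.ext.pif' attachment name. It goes a little beyond the column by also flagging any other double extension that ends in something Windows will execute; that broader extension list, and the two sample messages, are constructed assumptions of this example, not something the column states.

```python
import email
import email.utils
import re
from email import policy
from typing import List, Optional

# Final extensions that Windows runs when double-clicked.  The worm used only
# .scr and .pif; the rest of this list is an assumption added for generality.
EXECUTABLE_EXTS = {"scr", "pif", "exe", "com", "bat", "cmd", "vbs", "js"}
# Inner "decoy" extensions the column lists for this worm.
DECOY_EXTS = {"doc", "mp3", "zip"}

# name.inner.outer: the "double-dot" shape the column describes.
DOUBLE_EXT_RE = re.compile(
    r"^(?P<name>.+)\.(?P<inner>[A-Za-z0-9]{1,4})\.(?P<outer>[A-Za-z0-9]{1,4})$"
)


def suspicious_filename(filename: Optional[str]) -> Optional[str]:
    """Return a reason if the name hides an executable behind a decoy extension, else None."""
    m = DOUBLE_EXT_RE.match(filename or "")
    if not m:
        return None
    inner, outer = m.group("inner").lower(), m.group("outer").lower()
    if outer not in EXECUTABLE_EXTS:
        return None  # e.g. archive.tar.gz: two dots, but nothing executable
    if inner in DECOY_EXTS and outer in {"scr", "pif"}:
        return f"attachment {filename!r} matches the Badtrans.B shape name.{inner}.{outer}"
    return f"attachment {filename!r} hides a .{outer} executable behind a .{inner} extension"


def badtrans_indicators(raw: bytes) -> List[str]:
    """Check one raw message for the three header-level tells: a bare 'Re:' subject,
    an underscore-prefixed sender address, and a double-extension attachment name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []

    subject = str(msg["Subject"] or "").strip()
    if subject.lower() == "re:":
        reasons.append("subject is a bare 'Re:'")

    # parseaddr copes with both 'Name <addr>' and a bare address.
    addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    if addr.startswith("_"):
        reasons.append(f"sender address {addr!r} begins with an underscore")

    # iter_attachments() skips the body parts and yields only the attachments.
    for part in msg.iter_attachments():
        reason = suspicious_filename(part.get_filename())
        if reason:
            reasons.append(reason)
    return reasons


# Constructed sample messages for this example, not real captures.
SAMPLE_WORM = b"""\
From: _user@isp.com
To: victim@aol.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/octet-stream; name="report.doc.pif"
Content-Disposition: attachment; filename="report.doc.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

SAMPLE_CLEAN = b"""\
From: Alice <alice@example.com>
To: victim@aol.com
Subject: Re: minutes from Tuesday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached as promised.
--b2
Content-Type: application/msword; name="minutes.doc"
Content-Disposition: attachment; filename="minutes.doc"
Content-Transfer-Encoding: base64

0M8R4A==
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(label, badtrans_indicators(raw) or ["no indicators"])
```

Any one of the three tells is enough to quarantine a message for a human to look at; all three together, as in the constructed worm sample, leave no real doubt. The filename check is the one worth keeping after this particular worm is forgotten, since hiding an executable behind a familiar extension does not depend on any one piece of malware.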

So I'll ask the question again! How on earth does it happen that I've had nearly one hundred infected emails coming at my AOL mailbox?

Habit

The answer is simple. People still don't appreciate the severity of the email-borne virus threat. This particular worm is a nasty one as far as its payload is concerned: it logs the keystrokes you type when you log on to all sorts of services, including online banking, and relays them to a long list of email addresses. One assumes they are being collected there to be used maliciously.

Now, if the email carrying the worm had a subject of 'Click here if you want somebody you don't know to completely empty your bank account for you', you can bet that it wouldn't spread. Or maybe it would.

You see, lots of email users have just fallen into the habit of opening every email that drops into their inbox without thinking, and then, in an act of almost suicidal stupidity, double clicking every attachment they find!

I'll give you an example. I got called out to a firm this week, to give the MD a hand with, as it was put on the phone, 'an email problem'. It turned out that he'd received an email from someone he knew, and it had an attachment. However, this user, sensibly, uses digital certification on his email system, and the certificate on the email was reported as being bad.

The MD had been double clicking the email's subject line (we turn off the email preview pane as a matter of course on every installation we do) trying to get to read it, even though he was being warned that something was amiss every time he tried.

My solution was simple. I had him ring the sender, and ask whether the email had, indeed, been sent by him, and then tell him that his digital certificate was bad. Once I'd got the information that the email was genuinely sent, then I opened it for the MD. The attachment was a Word file, which I opened into the Word Viewer in the first place, in order to be sure.

This particular MD has had a fair few close calls in terms of email-borne nasties. Had I not configured his email systems very tightly, his company could have been very badly compromised. He tells me he gets loads of viruses on his home system, which, frankly, doesn't surprise me.

Anyway, you are better informed than to blithely open emails out of habit, and you do also have the added protection of AOL's email system insulating you from a lot of the nasties.

But if you keep getting infected emails, why not have a word with the unwitting senders and put them right, eh?


David Dorn
