VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

From: Mary Blanton <[log in to unmask]>
Date: Sun, 18 Aug 2002 02:37:15 -0400

Your wish is my command.  As I explain how the most common viri work, you may
come to the conclusion that I am NOT particularly fond of Microsoft and some
(a lot) of their tactics.  That assessment would be correct.

First a quick tour of Microsoft's Office suite.  This includes Access, Excel,
FrontPage, Word Viewer, Word, Outlook Express and Outlook.  As some of you know,
all of these apps are tied together to make it "easier" for you to "work".  The
"glue" that binds all these apps together is Visual Basic Script (VB Script or
VBS).

One of the cute little "features" of Windows is its ability to draw a
"thumbnail" of the ACTUAL attached document in Outlook, Outlook Express and
Exchange (Which the Outlook products are based on).  THIS is what the viri
authors exploit.

To draw that cute little thumbnail of the ACTUAL document and not just a generic
picture of a spreadsheet or whatever, the Microsoft email clients (See above)
launch the application that is registered for that file type in the background,
draw the picture and shut the app down.  Now this is where the VBS comes in.  As
a document is loading, the AutoLoad macro is called.  This is where the trouble
starts.

This happens if you don't have the right Security Patches and you have not
turned some obscure setting off.  As I do NOT use Outlook, Outlook Express, or
Exchange, unfortunately I cannot advise on what setting to change.

The AutoLoad macro rewrites another macro such as the Save or SaveAs or AutoSave
macro so EVERY time you are actively USING the application triggered by the
attachment and save a file until the virus is exterminated, the "payload" is
released.  This "payload" does several things.  The first thing it does is
trigger the email client to run in the background.  This is when all your
friends, family, co-workers, whatever are nailed.  It does a Send All and sends
a copy of itself to EVERYONE in your MICROSOFT-format Address Book.  (ONLY
Microsoft-format Address Books are vulnerable!!!)  The second thing it does is
do its nasty deed on YOUR computer, whatever that might be, from deleting a
couple of files to hosing your entire system.

IF you do NOT have Outlook, Outlook Express or Exchange loaded on your machine
and you use a different email client, you will NOT get stung by every virus that
comes your way.  Personally I recommend Netscape Mail.  Not only does it NOT
draw a picture AT ALL (It displays the filename as a clickable event.), but if
you DO click on the file, it warns you and asks you if you want to open the file
or save it to disk.

Also, since there ARE other ways of distributing viri, I HIGHLY recommend
getting a VERY good anti-virus program and KEEPING ITS DEFINITION FILES
UP-TO-DATE!!!  The best two out there (In order of MY preference) are Network
Associates / McAfee's Virus Scan and Symantec / Norton's Anti-Virus.  I KNOW
VirusScan allows for AutoUpdate of the virus definition files and an AutoScan
of whatever part of your computer you tell it to.  I am sure Anti-Virus allows
for the same thing.

Now, I am NOT associated with any of the companies I have mentioned.  I use
Netscape, Netscape Mail and Virus Scan and I know a lot of people that use
Anti-Virus, so...  VBS is so simple a trained chimp could just about write a
virus.  (It was made that way so "non-technical" people could "customize" their
Office apps.)  In other words, it does NOT take a Rocket Scientist to write one
of these things anymore.  (And the former Rocket Scientist in MY family has FAR
too high morals, values and ethics to EVER consider doing so.)

I hope this was clear enough for everyone to understand.  I also hope I have not
offended any Microsoft lovers out there.  Them's be the cold hard facts of VBS
viri.

MaryB.

Mark Senk wrote:

> I think an explanation of these e-mail viruses is in order. Please post.
>
> ----- Original Message -----
> From: "Mary Blanton" <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Friday, August 16, 2002 9:08 PM
> Subject: Re: [VICUG-L] About viruses
>
> > If someone would like a slightly technical, yet not all geek terms on how
> > most of the viri of today operate, just send me an email.  Or, if the
> > Moderator thinks it is appropriate, I would be happy to post the description
> > to the entire list.
> >
> > MaryB.  (A currently unemployed Geek)
> >
> > Mariela Riva wrote:
> >
> > > Hello people. I am not used to sending emails to the group, but now I just
> > > want to say that it is a known thing, that most of the known viruses send
> > > themselves to as many persons as they can, and without any order or even
> > > without any intention from the person whose computer is infected. Nobody
> > > sends this sort of thing deliberately! Maybe we should get more informed
> > > before blaming others. So, Mick, just don't worry and be just in peace with
> > > yourself. You did nothing wrong and it is a real pity that others felt bad
> > > about things which have not happened in fact. Anyway, I have not been
> > > infected and I ask everyone to let me know if some day somebody receives
> > > anything strange from me!
> > > Warm regards,
> > >              Mariela
> > >
> > > ----- Original Message -----
> > > From: Camper Mick <[log in to unmask]>
> > > To: <[log in to unmask]>
> > > Sent: Friday, August 16, 2002 4:14 PM
> > > Subject: Virus
> > >
> > > > I have received inquiries about Anita's post regarding me possibly sending
> > > > viruses. Please let me assure everyone that I am not infected nor am I
> > > > deliberately sending out viruses to the group. Morey is not sending out
> > > > any viruses either so please do not be worried. Unfortunately Anita
> > > > jumped to conclusions rather than try sorting things out. I understand
> > > > that she has dropped out of the group as a result of her suspicions and
> > > > regret this very much. You can trust my posts but should you be leery
> > > > about them then block me instead of dropping out of this worthwhile
> > > > group. I wrote to Anita but she either has me blocked or is ignoring me.
> > > > I have done all I can in this matter and apologize for any concerns that
> > > > my email may have caused.
> > > >
> > > > mick
> > > >
> > > > --
> > > > [log in to unmask]
> > > > http://www.campermick.com
> > > >
> > > >
> > > > VICUG-L is the Visually Impaired Computer User Group List.
> > > > To join or leave the list, send a message to
> > > > [log in to unmask]  In the body of the message, simply type
> > > > "subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
> > > >  VICUG-L is archived on the World Wide Web at
> > > > http://maelstrom.stjohns.edu/archives/vicug-l.html
> > > >
> > > >
> > >


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html
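
The message above describes attachments that are handed to a scripting or Office application on the recipient's machine. As an added example (not part of the original post), the Python code below triages attachments before any mail client touches them, by extension and by the OLE2 signature of legacy Office files; the verdict names, extension lists and sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows hands to a script host or to an Office application.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".mdb"}
# Signature of the OLE2 container used by the legacy Office file formats.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def triage(raw):
    """Return {filename: (verdict, reason)} for each attachment in raw mail bytes."""
    findings = {}
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers carry no filename
        data = part.get_payload(decode=True) or b""
        stem, ext = os.path.splitext(name.lower())
        inner = os.path.splitext(stem)[1]
        if ext in SCRIPT_EXTS:
            reason = "script file" + (f" posing as {inner}" if inner else "")
            findings[name] = ("block", reason)
        elif data.startswith(OLE2_MAGIC):
            # Judge by content: the sender controls the name, not the format.
            reason = "OLE2 document, may carry macros"
            if ext not in OFFICE_EXTS:
                reason += f", mislabelled as {ext or 'no extension'}"
            findings[name] = ("quarantine", reason)
        else:
            findings[name] = ("allow", "no script or macro-capable content")
    return findings

def sample_message():
    """Constructed sample mail; attachment bytes are harmless placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, data in [
        ("notes.txt", b"meeting at noon"),
        ("invoice.txt.vbs", b"' placeholder, not a real script"),
        ("report.doc", OLE2_MAGIC + b"\x00" * 16),
        ("photo.jpg", OLE2_MAGIC + b"\x00" * 16),
    ]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, (verdict, reason) in triage(sample_message()).items():
        print(f"{verdict:10} {name:16} {reason}")
```

The signature check only recognises the legacy OLE2 formats; it says a file can carry macros, not that it does.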