PDQ Library:  Famous Computer Viruses

Avoiding MS-WORD macro viruses in Email

When you receive a MS-WORD file attachment in your Netscape mail, it is presented in a box at that looks something like this:

Name: sample.doc
Part 1.2 Type: zz-application/zz-winassoc-doc
Encoding: base64

When you click on the link "Part 1.2", a window pops up that says:

Netscape will launch the application WINWORD.EXE in order to view a document.

Although it doesn't indicate this, if you click on the CONTINUE button, MS-WORD may automatically start and display the file as soon as it is downloaded -- displaying an infected word file can infect your hard drive with macro viruses!

In recent versions of MS Word, there is an option that allows you to block macros from running automatically on startup. SET THIS OPTION.

Always click on the CANCEL button instead. This will download the file only. Then run any good virus checking software that tests for macro viruses. Keep the data file updated (you can usually download updates for free from their web sites).


Melissa Virus

The MELISSA virus, took down corporate networks everywhere in the world in 1999. Although it sounded like a hoax, it wasn't. The Melissa virus proved once again that outgoing Email is now the fastest way to spread a virus. If you open the MS WORD attachment containing Melissa, you unleashed a computer virus which sends copies of the Email message and attachment to the top 50 addresses in your Outlook (mail software) address book. To protect yourself from Melissa, don't open any WORD attachments unless you are certain of the sender and have scanned the file with anti-virus software.

E-MAIL WILL COME FROM SOMEONE YOU KNOW -- who has you in their address book, so it will look legitimate.
The subject line reads: Important message from {someone you know}
The message reads: Here is the document you asked for... (which you didn't).

The email attachment contains a virus. Delete the message immediately. It appears to be a list of porn sites. If you open the MS WORD attachment, you unleash Melissa.

The WORD attachment changes the registry in Windows 95 and 98. If it finds the registry unchanged (indicting it hasn't infected the computer before), it infects the computer, and sends copies of the Email message and attachment to the top 50 addresses in your Outlook address book.

Here are some ways to protect yourself:

  1. Don't open any WORD attachments without checking with the person who sent it first AND first scanning it for viruses before opening it. Newer versions of MS Word allow you to block macros on loading a file. You can also download a MS Word File Viewer from Microsoft to simply view the document with no danger of infecting your computer. Some webmail services can display Word documents and other attachments without danger to your computer.
  2. Don't use Outlook mail software unless it's the latest most secure version - check for updates regularly.
  3. Ask people to send you mail messages normally rather than sending word processor files (which many people cannot or won't read anyway). Using Word to send Email explains how to type your messages in MS Word then send as a normal plain email so everyone can read it (AND downloads much faster than Word or HTML formats).

Happy99 Virus

This might be of help to anyone suffering from Happy 99.exe virus. This very annoying virus sends out Email with a copy of itself as an Email attachment! Your first indication that your computer is infected is angry mail from your friends that you have sent them this file.

Download Happy99Cleaner by Craig Schumgar from www.freewarefiles.com.

For manual removal:

  1. Delete the windows\system\ska.exe file
  2. Delete the windows\system\ska.dll file
  3. Delete windows\system\wsock32.dll then rename windows\system\wsock32.ska to windows\system\wsock32.dll
  4. DELETE the downloaded file HAPPY99.exe

Love Bug Virus


The Internet TourBus 4 May 2000
CERTŪ Advisory CA-2000-04 Love Letter Worm

I LOVE YOU ... I HONESTLY L#$@_^($@ ... **NO CARRIER**

Update your antivirus definitions, kiddies. There's a new bug in town:
the ILoveYou worm ("VBS.LoveLetter.A").

[Xince many ISPs automatically filter ANY message that contains the "kindly check ..." body text below, I took the liberty of changing the "e"s in that sentence to "3"s. After all, we wouldn't want your ISP to inaccurately think that today's TOURBUS post is actually the dreaded ILoveYou letter.]

Who is affected? Anyone who is running Windows, especially if you also have Windows Scripting Host enabled. Should you panic? NO! (There are some SIMPLE ways to protect yourself from both the ILoveYou worm and the countless copycat worms that are already starting to pop up).

Here's what's going on. Someone sends you an E-mail with the subject ILoveYou and a body that reads "kindly ch3ck th3 attach3d LOV3L3TT3R coming from m3." Attached to the E-mail is a file named "LOVE-LETTER-FOR-YOU.TXT.VBS." If you are foolish enough to double-click on the attached file, that's when the fun begins.

Anyway, according to our friends at CERT, the organization formerly known as the computer emergency response team, "when the worm executes, it attempts to send copies of itself using Microsoft Outlook to *ALL* the entries in *ALL* the address books." [Emphasis mine] In other words, if you have Outlook and you foolishly double-click on LOVE-LETTER-FOR-YOU.TXT.VBS, the worm will automatically e-mail itself to EVERYONE you know.

Oh, but wait. It gets worse.

Even if you don't use Microsoft Outlook, the ILoveYou worm can still do an unimaginable amount of damage to your PC. According to CERT, if executed, the worm will locate certain files on your computer (.vbs, .vbe, .js, .jse, .css, .wsh, .sct, and .hta files) and replace them with copies of the ILoveYou worm. The worm will also take *ALL* of the JPEG picture files stored on your computer and replace them with worm-infected files. (For example, a file named x.jpg will be replaced by a file called x.jpg.vbs containing a copy of the worm). And, for you music lovers who have MP3 and MP2 files on your PCs, ILoveYou will create a copy of itself for every one of those files as well. (Fortunately, your original mp3 or mp2 files will still be there, but they will be hidden).

Frightening, isn't it? But wait ... there is even MORE! CERT warns that since the modified files are overwritten by the worm code rather than being deleted, file recovery is difficult and may be impossible.

Users executing files that have been modified in this step will cause the worm to begin executing again. If these files are on a filesystem shared over a new users may be affected!

I may be wrong here, but I think the folks at CERT are trying to tell us that if our PCs become infected with this little bugger, the only way to fix it will be to format our hard drives and start from scratch. EEEK!

You can read *ALL* of CERT's comments on the ILoveYou worm at www.cert.org/advisories/CA-2000-04.html

With all of the nasty stuff that the ILoveYou worm does to your computer, and with the squillion different copycat viruses that are waiting in the wings, why on earth did I, a few paragraphs ago, tell you NOT to panic? Simple! While the ILoveYou worm is frightening, protecting yourself from it (and its ilk) isn't all that difficult ...

Crispen's *Six* Antivirus Rules - 4 May 2000

In light of the recent ILoveYou worm outbreak, I decided to re- rewrite my rules on how to protect yourself from computer viruses, Trojan horses, or worms. Regardless of your operating system, these six rules should protect you from most of the over FORTY-SIX THOUSAND viruses that are currently floating around the Net (including the ILoveYou worm).

1. Purchase a good, commercial antivirus program like Norton Antivirus or Mcafee Virusscan.

Most commercial antivirus programs usually cost between US$40 and US$50 and can be purchased at almost any computer store in the world. [You can usually save about US$10 if you purchase the software online -- visit www.shopper.com for more information].

Antivirus program manufacturers also release minor upgrades every two to three months and major upgrades every twelve to eighteen months. YOU NEED THESE UPGRADES. Minor upgrades are usually free, and major upgrades usually cost anywhere between US$20 and US$40, depending on the manufacturer [think of this as an expected expense -- just as you have to change your car's oil every 3,000 miles, you have to upgrade your antivirus software every year to year-and-a-half].

To see if any minor or major upgrades are available for your antivirus program, visit your antivirus program manufacturer's homepage. A list of antivirus manufacturers' homepages can be found at www.yahoo.com or at AOL keyword "virus."

2. Update your virus definitions frequently (at least once a week).

With over 250 new viruses being discovered each week, if you don't update your definitions frequently you won't be protected from ANY of the new viruses floating around the Net.

How do you update your virus definitions? That depends on the antivirus program you use. Norton Antivirus has a "Live Update" button built into the program; click on it, and Norton automatically downloads and installs the latest virus definitions from Net. McAfee VirusScan has a similar update function (go to File --> Update VirusScan).

If you are unsure of how to update your virus definitions, visit the homepage of your antivirus software manufacturer and look for their "download," "update," or "technical support" section.

3. Never double-click (or launch) *any* file, especially an e-e-mail attachment, regardless of who the file is from, until you first scan that file with your antivirus program.

This is probably the most important rule of them all. There are currently over forty-six thousand viruses out there, there are over 2.8 trillion possible files names out there, and any one of those viruses could be hiding in any one of those file names. A lot of people think that you can protect yourself from a virus by being on the lookout for one particular virus or one particular file name (hence all of the virus warnings you have received in your E-mail inbox lately). That's not only silly, that's dangerous. If you want to protect your computer from viruses, you need to ignore ALL of the virus warnings you receive and instead beware of EVERY file you see, especially every file that is attached to an E-mail message.

It is important to note that, despite all of the warnings to the contrary, there is no such thing as an E-mail virus. If you are running the most up-to-date version of Windows (see rule #5 below) or if you have a Mac, you can open your E-mails, regardless of their subject lines, without fear of infecting your computer, provided your E-mail program doesn't automatically open attachments (most don't). It is the files that are ATTACHED to E-mails that you have to fear.

Think of a computer virus as a well-packaged letter bomb. You can move a letter bomb from room to room in your house without any danger. Open the letter bomb, however, and you die. The same is true with computer viruses. You could download a billion virus-infected files from the Internet and receive another billion virus-infected files attached to E-mail messages and your computer still wouldn't be infected with a virus. Open, or double-click on, just ONE of those files, though, and your computer is dead.

Remember, to infect your computer with a virus, you have to open (or double-click on) a file that contains a virus. As long as you don't open that file, you really have nothing to fear.

How can you scan a file for viruses? That depends on the antivirus program you use. The best bet is to read your antivirus program's instructions or read its online help section. If you use Norton Antivirus or McAfee VirusScan, right-click (or, if you have a Mac, click and hold) on the file in question. A pop-up menu should appear, and one of the choices should be "Scan with ..." and the name of your antivirus program. If that doesn't work, just open your antivirus program and try to scan the file from there.

Do you have to scan EVERY file, even if that file is from your friends or coworkers? Yes! The Melissa, WormExplore.Zip, and ILoveYou viruses distributed themselves by opening your E-mail program, looking at either your 'friends' list or the list of E-mail addresses in your inbox, and then distributing virus-infected files to everyone on that list.

In the world of computer viruses, you can't trust ANYONE (even if they say they love you). :P

4. Turn on macro virus protection in Microsoft Word, and beware of all word macros, especially if you don't know what macros are.

Word Macros are saved sequences of commands or keyboard strokes that can be stored and then recalled with a single command or keyboard stroke. They enable advanced Word users to easily accomplish what would otherwise be difficult tasks. They also allow virus writers to do serious damage to your computer. For example, the Melissa virus was actually a Word Macro virus.

If you use Word 97, go to Tools --> Options. Click on the "General" tab. Make sure that "Macro virus protection" (at the bottom of the list) is checked.

If you use Word 2000, Double-click on the Tools menu, point to "Macro," and then choose "Security." Select the level of security you want. High security will allow only macros that have been signed to open. Unsigned macros will be automatically disabled. Medium security always brings up the macro dialog protection box that allows you to disable macros if you are unsure of the macros.

With Macro virus protection turned on, Microsoft Word will warn you every time you try to open a Word document that contains a macro. The warning gives you three choices: the option to open the file but disable its macros ("disable macros"), open the file with macros enabled ("enable macros"), or the option to not open the file ("do no open"). Chose the first (default) option: "disable macros."

For more information, visit "About helping protect files from macro viruses" at office.microsoft.com

5. Run Windows update at least once a month.

Windows is aptly named - it is full of holes! There are several, inadvertent open doors (security holes) in the Windows operating system that could conceivably make your computer vulnerable to outside attack. A hacker could 'walk through' one of these open doors on your Windows PC and read any file on your computer, delete files or programs, or even completely erase your hard drive.

When the folks at Microsoft discover a security hole, they immediately release a software patch to fix it. Without the patch - and there are MANY - your computer is wide open to outside attack. When a large number of patches have accumulated, a Service Pack is made available, which includes all the patches since the last Service Pack or software distribution. These are very large downloads and you can order a CD by postal mail.

*In 2008, Windows 98 is no longer maintained (patched) by Microsoft. Windows XP has been patched to SP3 (service pack number 3) and Windows Vista has been patched to SP1.

Fortunately, downloading these patches couldn't be simpler. Built into every 98 PC (and into every version of Microsoft's Internet Explorer since version 4.0)is something called "Windows Update." Windows Update is an easy-to-use tool that helps you ensure that your PC is running the absolute latest Microsoft software patches and drivers.

Here is how to use Windows Update to download all of the security patches Microsoft has released since your PC was made:

  1. Connect to the Internet.
  2. If you have Windows 98, launch Windows Update by going to Start --> Settings --> Windows Update on your PC. You can also launch Windows Update by going to Tools --> Windows Update in either Internet Explorer 4 or 5. Either way will connect you to Microsoft's Windows Update page at windowsupdate.microsoft.com.

    If you have an old version of Internet Explorer, Microsoft's Windows Update page will automatically talk you through the process of downloading and installing the latest version of Internet Explorer.
  3. On the top left-hand side of the Windows Update page, click on the "Product Updates" link.
  4. A pop-up window will appear, telling you to wait while your computer doesn't send any information to Microsoft (that's what it says!)
  5. Eventually, you'll see a page that says "Select Software." When Microsoft releases an essential update or patch to close a security hole in Windows, they put it in this page's Critical Updates section. Select (click on) EVERYTHING in the "Critical Updates" section - you need ALL of the critical updates. Then click on the Download arrow in the top right hand corner of the page.
  6. Follow the on-screen prompts. That's it!

New security holes are found in Windows every week or two, so it is a good idea to run Windows Update at least once a month. The first time you run it, expect to see a MESS of critical updates. After that, though, there should only be one or two critical updates you'll have to download every month.

6. If someone unexpectedly sends you an executable file or Visual Basic script file (file that ends in .exe or .vbs), throw it out.

Most of the forty-six thousand viruses that are floating around the Net right now are hiding in executable files. Some of the most vicious, new viruses are hiding in Visual Basic script files. If someone, even a close personal friend, unexpectedly sends you a file that ends in .exe or .vbs -- or if they unexpectedly send you a zipped file that contains a file or files that end in .exe or .vbs -- your safest bet is to delete the file without opening it.

The key word here is "unexpectedly." If you are expecting a friend to send you an executable file, you certainly don't need to delete that file -- just virus scan it first before you open it.

However, if you are in an environment (like a home) where you don't often receive ANY files attached to your incoming E-mail messages, a better rule would be: "When in doubt, throw it out ... and doubt EVERYTHING."

How well will these six rules protect your computer from becoming infected with a virus, Trojan horse, or worm? Take a look at the following questions, and decide for yourself. How many people whose computers were infected with the ILoveYou virus ignored at least one of these rules? ALL OF THEM! How many people who followed these six rules had their computers infected by "ILoveYou?" NONE OF THEM! How many people whose computers were infected with the WormExplore.Zip virus ignored at least one of these rules? ALL OF THEM! How many people who followed these six rules had their computers infected by the WormExplore.Zip virus? NONE OF THEM!

These six rules will not protect you from every computer virus, Trojan horse, or worm, but they will so significantly decrease your computer's chances of becoming infected that you can all but forget about the next virus scare and all the ones that will follow.

The Internet Tourbus - U.S. Library of Congress ISSN #1094-2238 Copyright 1995, Rankin & Crispen - All rights reserved

Tourbus Home: Archives, Free Stuff and More - www.InternetTourbus.com

Original article by Patrick Douglas Crispen www.netsquirrel.com

More Help

Remember, never execute or open any file that is forwarded to you unless it's been checked for a virus or trojan.

It is Windows95/98/NT Freeware that both cleans up the Happy99.exe and produces a list of Email recipients that may have been affected for you. (March/99)

TOP back