
SECURING YOUR SYSTEM AGAINST EMAIL VIRUSES

The danger from email viruses is increased when some Microsoft email programs are used in their default configurations, which provide for emails with scripting capabilities. These configurations, coupled with the tight integration between the email programs and the Windows operating system, can place your system at risk.

Scripting capabilities allow emails to include program code within the email which can execute on your system and provide the script writers with as much capability as if they were seated at your keyboard.

Most people do not need scripting support in email, the majority of users do not need Microsoft's Windows Scripting Host enabled, and very few people need the ability to run VBScripts by double-clicking.

Listed below are steps that you can take to reduce your computer's vulnerability to email viruses. The few minutes taken to perform these steps will be time well spent. Some people who have been hit with email viruses have spent over a week trying to get their computers restored, and even then ended up losing personal files that could not be replaced. And, without taking the precautions listed here, they could end up doing it all over when the next email virus arrives!

Disable E-mail scripting in Outlook/Outlook Express.

Vulnerabilities in the default configuration of Outlook 98, Outlook Express 5, and Outlook 2000 make systems susceptible to serious compromise simply by viewing email (without opening any attachments).

Protect yourself by reconfiguring your Outlook 98, Outlook Express 5, and Outlook 2000 as described in these subsections:

Note: Outlook 97 does not appear to support scripting in e-mail, and is therefore not vulnerable.

Disable Windows Scripting Host.

Windows Scripting Host (WSH) can be used legitimately to automate tasks when using the Windows operating system, but it can also be exploited by worms such as ILOVEYOU and Bubbleboy. Though some users with legitimate scripting needs may choose not to disable WSH, disabling Windows Scripting Host will virtually eliminate the possibility of accidentally executing a malicious .VBS file.

  1. From the Windows Start Menu, select Settings > Control Panel.
  2. Open Add/Remove Programs.
  3. Select the Windows Setup tab.
  4. Double-click on Accessories and make sure Windows Scripting Host is deselected (no checkmark).

If Windows Scripting Host does not appear in the list, your system doesn't have it installed, so this section doesn't apply.

You can also disable Windows Scripting Host by deleting WSCRIPT.EXE and CSCRIPT.EXE from your computer.

Remove the VBS (Visual Basic Script) and VBE (VBScript Encoded) file extensions from the Registered File Types list.

The ILOVEYOU variety of worm requires that your system have the VBS extension "registered" in order to spread. If this association is removed, users cannot execute VBScripts by double-clicking the script. Remove the VBS and VBE extensions from "Registered file types" by following these steps:

  1. From your desktop, double-click the My Computer icon.
  2. From the Top-Line Menu, select View > Folder Options.
  3. Select the File Types tab.
  4. Select VBScript Script File from the file types list.
  5. Click Remove.
  6. If you get a confirmation dialog, select Yes.
  7. Select VBScript Encoded File from the file types list.
  8. Click Remove.
  9. If you get a confirmation dialog, select Yes.
  10. Click OK to finish.

If VBScript Script File and VBScript Encoded File do not appear in the file types list, then this section doesn't apply.

If necessary, users can still run legitimate VBScripts using the Wscript.exe program. Note: Other file types (such as .REG files) can also be dangerous, and can be removed from the Registered File Types list for a more secure system.
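
To confirm that the VBS and VBE associations described above are really gone, the following added example (not part of the original page) audits association listings. It assumes a Windows version whose command prompt provides the assoc and ftype commands, and the sample output, names and status labels are constructed for illustration.

```python
WATCHED = (".vbs", ".vbe")                    # the two script types this page removes
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # Windows Scripting Host programs

# Constructed sample output of `assoc` and `ftype`, not taken from a real machine.
ASSOC_OUT = ".txt=txtfile\n.vbs=VBSFile\n.VBE=VBEFile\n"
FTYPE_OUT = (
    "txtfile=%SystemRoot%\\system32\\NOTEPAD.EXE %1\n"
    'VBSFile="%SystemRoot%\\System32\\WScript.exe" "%1" %*\n'
)

def parse_pairs(text):
    """Parse KEY=VALUE lines; keys are lower-cased because Windows ignores their case."""
    pairs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            pairs[key.lower()] = value.strip()
    return pairs

def audit(assoc_out, ftype_out):
    """Map each watched extension to a status describing what a double-click would do."""
    assoc, ftype = parse_pairs(assoc_out), parse_pairs(ftype_out)
    report = {}
    for ext in WATCHED:
        file_type = assoc.get(ext)
        if not file_type:
            report[ext] = "unregistered"      # the state this page aims for
            continue
        command = ftype.get(file_type.lower())
        if command is None:
            report[ext] = "no-command"        # type name remains, nothing to run
        elif any(host in command.lower() for host in SCRIPT_HOSTS):
            report[ext] = "script-host"       # double-click still runs the script
        else:
            report[ext] = "other-handler"     # opens in some other program
    return report

if __name__ == "__main__":
    for ext, status in audit(ASSOC_OUT, FTYPE_OUT).items():
        print(ext, status)
```

Any extension reported as "script-host" still executes when double-clicked and needs the removal steps above.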

Set Windows to display all file extensions.

By default, Windows hides the extensions of known file types. In this default condition, it is easy for virus writers to disguise attached virus files that need to be opened in order to launch the virus. In the default condition, for example, an executable file named "OurNewBaby.jpg.exe" would appear as simply "OurNewBaby.jpg", leading the recipient to believe that it was a simple graphics file. The default setting can be changed to display all extensions by following these steps:

  1. From your desktop, double-click the My Computer icon.
  2. From the Top-Line Menu, select View > Folder Options.
  3. Select the View tab.
  4. In the Advanced settings list, under Files and Folders, remove the checkmark from the box labeled "Hide file extensions for known file types".
  5. Click OK to finish.
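
The disguise described above can also be caught before a message reaches the user. The following added example (not part of the original page) parses a constructed sample message and flags attachments whose real extension is hidden behind a harmless-looking one; the extension lists beyond those named on this page, and the function names, are assumptions.

```python
import email
from email import policy
from pathlib import PureWindowsPath

# .exe, .vbs, .vbe and .reg come from this page; the rest is an assumed starting list.
RISKY = {".exe", ".vbs", ".vbe", ".reg", ".com", ".scr", ".pif", ".bat"}
# Harmless-looking types that may be placed before the real extension (assumed list).
DECOY = {".jpg", ".gif", ".bmp", ".txt", ".doc", ".htm"}

# Constructed sample message, not a real capture.
SAMPLE = b"""\
From: friend@example.com
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="OurNewBaby.jpg.exe"

placeholder
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpg"

placeholder
--b1--
"""

def classify(filename):
    """Return (name as shown with the last extension hidden, verdict)."""
    # Windows drops trailing dots and spaces from file names, so judge without them.
    path = PureWindowsPath(PureWindowsPath((filename or "").rstrip(". ")).name)
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in RISKY:
        return path.stem, "ok"
    if len(suffixes) >= 2 and suffixes[-2] in DECOY:
        return path.stem, "disguised"   # looks like a picture or document
    return path.stem, "risky"

def scan(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(p.get_filename(), *classify(p.get_filename()))
            for p in msg.iter_attachments()]
```

Calling scan(SAMPLE) reports the first attachment as "disguised" with the displayed name "OurNewBaby.jpg", which is what the recipient would see with extensions hidden.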

Install Microsoft fixes.

Install the Microsoft update that fixes the scriptlet.typelib / Eyedog vulnerabilities (these vulnerabilities allow Bubbleboy and other worms to work).

It is also recommended that you install two additional E-mail related fixes:

Check the Microsoft Security Advisor regularly for Bulletins and fixes to other vulnerabilities that are published weekly.

Additionally, two other Microsoft Security webpages are:

Continue to exercise extreme caution with file attachments.

Don't open unexpected attachments from even trusted sources until you confirm that they actually sent them. Many email viruses spread by attaching the virus code to or embedding it within outgoing emails, or by generating their own outgoing emails based upon the infected computer's address book, without the infected computer owner's knowledge.

Lastly, never open attachments from suspicious or unknown sources.
