Volume 18, Number 4
June 2001

Virus Watch

By Wells H. Anderson

Today, thousands of computer viruses lurk in computers around the world. While the Internet has fostered an explosion of business activity, it has also fueled the spread of viruses. Learning about the different kinds of threats will help you to defend yourself against them. Simply installing anti-virus software on your computer is not enough.

You do not need to become a computer expert to protect your practice, but you do need to know the basics. This article covers virus threats, precautions, and resources. Solo and small firms are the focus, though much of the advice also applies to large firms and home-computer users.

Range of Computer Threats

Viruses and worms. These two forms of computer wildlife are similar and can have similar disruptive effects. Technically, a virus operates by attaching itself to normal computer programs and spreading when an infected program is used. A worm does not need to latch onto a program; it can make copies of itself and spread across connected computers, often via e-mail.

Trojan horses. Masquerading as a normal program, a Trojan horse may perform its avowed purpose but is designed to do some unknown undisclosed mischief at the same time. A recent variation of the Trojan horse does not harm its host computer but "phones home," reporting information about the contents and use of the computer in which it resides.

E-mail attachments. Viruses and worms are now most often spread as attachments to e-mail messages. Opening an attachment by double clicking on it or by using the File/Open command in a software program activates the worm or virus in the attachment.

E-mail message headers. At the beginning of each e-mail message is a header containing information such as the sender, recipient, and subject. Hackers can take advantage of weaknesses in e-mail programs by packing malicious computer code into these headers.

E-mail messages. Most modern e-mail programs allow the user to create and view formatted text and graphics. Called "HTML e-mail" or "rich text" e-mail, these messages can contain the same harmful code included in malicious web pages.

Malicious web pages. Web pages can be created that do harm and mischief, using features of Java or Microsoft products, to the computers of people who visit the site. The harmful code exploits security holes but will not delete files on the user’s hard disk.

Virus hoaxes. These reports of fictitious viruses and exaggerated reports of real viruses waste time and clog e-mail inboxes. Appealing to do-good instincts, these messages scare people into alerting friends and acquaintances by e-mail.

Hacker attacks. These attacks can be launched against any computer connected to the Internet. Software such as anti-virus programs and hardware firewalls defend against these attacks. How to protect a computer from hacker attacks requires a separate article and does deserve your attention.

Virus Precautions

Basic computer precautions include using anti-virus software and proceeding cautiously with e-mail attachments. Since more and more legal clients are comfortable with e-mail and prefer to receive documents quickly in electronic form, it is important for lawyers to master the safe use of e-mail and attachments. The first line of defense is installing and regularly updating effective anti-virus software.

Anti-virus software settings. The better anti-virus software products can be set to scan for viruses in various ways and places. Set your software to do all of the following automatically:

• Turn on the software when the computer starts up.

• Scan every file opened or copied from a floppy disk.

• Scan every e-mail message and attachment when received.

• Check the vendor website for updated virus files weekly.

Caution: Some of these advanced features may interfere with attempts to install other software. You may have to turn off anti-virus software in order to install a particular new program. Of course, doing so leaves you unprotected. If you really want to try a new program from a potentially risky source, try it on a non-vital computer and scan for viruses immediately after installation.

Virus updates. In order to be effective, anti-virus software must be updated regularly. Most products use technology that can identify sinister content within unknown viruses. But anti-virus programs rely primarily on virus "signatures" to identify and stop viruses. The signature files must be updated each time a significant new virus threat is identified. The only practical way to obtain these files is via the Internet, where they are offered periodically by their manufacturers.

The leading anti-virus software products can be set to connect automatically to the Internet and to check the vendor website for new virus signature files. Because new viruses can spread extremely rapidly, use an automatic updating service set for at least weekly checks.

E-mail attachment handling. General rule: Never open an unexpected e-mail attachment, even if it is from someone you know. Of course, there must be exceptions to this rule. Say you are running up-to-date anti-virus software that checks e-mail attachments and you receive an e-mail message with a specific explanation about its attachment. There is little risk in opening such an attachment.

A malicious attachment spread by a computer worm is usually accompanied by a terse e-mail message. Often, the subject line of the message is designed to promote curiosity, such as the infamous ILOVEYOU virus.

Before opening an unexpected e-mail attachment, either e-mail or call the sender and ask whether the person did send the attachment. It is possible that a worm sent it, using the sender’s name. Most computer worms spread by reading addresses in an e-mail address book and sending e-mails with the worm in an attached file.

Certain kinds of attached files are especially dangerous. These files are "executable" or have macro capabilities. Watch for the following three-letter extensions at the end of filenames: .bat, .cmd, .com, .dll, .doc, .dot, .exe, .ppt, .ocx, .vbs, .xls, and .xlt.

Caution: An e-mail attachment that appears to end in some "safe" extension may actually be hiding one of the dangerous extensions. One recent virus disguised its attachment by using spaces after the filename to push its real three-letter ending out of view: prettypicture.jpg .vbs

E-mail messages. When the BubbleBoy worm struck in November 1999, it changed the rules. This malicious e-mail message could infect a computer without using an attachment. What was worse, users of Microsoft Outlook did not even have to open in the message. The message preview pane alone could activate the worm.

• Obsolete rule: An e-mail message can’t infect your computer. You have to open an attachment to be infected.

• New rule: An e-mail message probably cannot infect a computer as long as all Microsoft Windows and Outlook security patches have been installed.

The latest worms have been written to take advantage of security weaknesses in Microsoft Windows and Microsoft Outlook. Anti-virus software catches older worms and can even identify some brand-new worms and viruses using heuristics. But unreported new variants can slip past even the best anti-virus software.

Recently, a new e-mail threat emerged that exploits the special vCard signature block used by new e-mail programs. A virus buried in the vCard can be activated by adding names to the Microsoft Outlook 2000 address book. Microsoft offers a fix at www.microsoft.com/technet/security/bulletin/ms01-012.asp. Once again: Make sure your e-mail software and Web browser are up to date.

Windows updates. Keeping Microsoft Windows updated is essential to protecting a computer. Microsoft recognized this and designed Windows 98 and later releases to update themselves over the Internet. Check to see whether your start menu contains a choice named Windows Update. If not, go to http://windowsupdate.microsoft.com, which will help you identify the update files you need, download them, and update your software.

Program security settings. Viruses can exploit the powerful automation features of Microsoft Windows, Word, PowerPoint, Excel, and Internet Explorer. All have settings for security. Higher security settings offer more protection but can interfere with the use of some of the macros and scripting sometimes used to automate these programs.

In Microsoft Word you can set Security to high, medium, or low. To choose a setting, click on Tools/Macros/Security. Microsoft’s Web browser, Internet Explorer, has security settings under Tools/Internet Options/Security. Users who are not using the powerful features anyway should use high security settings. Power users should use medium or low settings but continue to be careful about using other anti-virus defenses.

Netscape and Opera offer Web browsers that have not been targeted by hackers as often as Microsoft Internet Explorer. The downside is that some Web pages designed for Explorer may not display as well in these browsers, but you may prefer their features and aesthetics, as well as their greater security. (Netscape version 6: www.netscape.com/browsers; Opera version 5: www.opera.com.)

Checking hoaxes. An alarmed associate or friend may call or send an e-mail warning you about some frightening new virus. Before you spread the word further, you may want to check one of the websites that monitor hoaxes.

A reliable source of information about virus hoaxes is the Computer Incident Advisory Capability, U.S. Department of Energy (http://hoaxbusters.ciac.org). If you prefer not to trust the government and want a private source of information not connected to anti-virus vendors, visit www. vmyths.com.

Firewalls. Firewalls are essential to prevent hackers from accessing your computers. If you have inadequate protection, hackers can intrude to steal information or plant "zombies" that attack other computer systems.

For individual computers, BlackICE Defender is a good product ($39.95, from www.networkice.com). Zone Labs offers a free version of ZoneAlarm for personal and nonprofit use, www.zonealarm.com. In addition to protecting your computer and alerting you to attacks, ZoneAlarm alerts and gives you control when something on your system attempts to connect to the Internet.

Backups. A complete, recent backup provides the last-ditch defense against a computer disaster, virus-related or otherwise. Make sure that your office has a backup system that runs every night. At least once a month, check the files in your backup to make sure they are really there. If the unimaginable happens—a virus erases all files on your hard drives—you will breathe a big sigh of relief when your backup system resurrects them.

 

Wells H. Anderson is president of Wells Anderson Legal Tech Services in Minneapolis. His firm works with lawyers who want to implement better computer systems. An active contributor to the ABA’s Lawtech and other e-mail discussion groups, he won the Legal Technology Consultant of the Year Award for 2000 from TechnoLawyer .

Back to Top

< /