Virus from opening email? 4

[Accessdabbler]

I've heard that you can get a virus just by opening an email message (without running the attachment). I assume the email would have to be HTML-based?

I've always used Eudora and I've never seen this type of virus. Is this only a problem with Outlook?

Can someone point me to a virus website that explains how this works and how to defend your system against it?

Also, a good site that shows how to protect IE from invoking a virus from a webpage would be appreciated too.

 

[KimberTech]

YES....there are virus that will execute without user intervention..

There are a couple of things you can do...
The preview pane in Outlook can be turned OFF.
Disable scripting in your email package.

There are activex controls that run on websites just by viewing the pages..
The list is endless....

The most important thing to do is keep an updated antivirus running with an email plug in if available, and keep your operating system patched. Enable heuristic scanning options so the system checks for suspicious patterns and not just known virus types....
AND BACK UP DATA.....because the scanners are only as good as the updates and sometimes they come too late...
Firewalls can help as well, by blocking incoming access to trusted sources.
Another thing you can do is SAVE all attachments to the hard disk and scan them before you open them.

There are hundreds of products to accomplish what you are asking, but nothing is 100%.
It also depends a lot on what programs you are using:

http://support.microsoft.com/?kbid=255994

http://www.flmenterprises.net/classroom/documents/Nine Steps to Protect Against Virus Attacks.pdf

Lots of other links on the web if you check out the antivirus websites they usually have good info.

If you need any more links, post back and I will put some more up for you.

Hope this helps
Kimber

The more I learn,I realize how much more there is to know!

 

[Grunt2002]

Hello,

Using a commercial antivirus is the best way : they scan mail before letting the mail client to handle the files.

Provided you have up-to-date virus definitions, you won't have any problem !

Cheers

Grunt

 

[drdebit]

What about accessdabbler's question in regard to outlook vs eudora and others?
Do email viruses attack everything equally or do they have to be written for specfic email software?

 

[2ffat]

Most Email virii use Outlook because 1) it is very popular, and 2) it allows the email to run scripts like active-x. There are some technical differences, too, that won't allow some virii to run in some browsers when they will in another.

It is best to set your email browsers to ask before running ANY scripts.
James P. Cottingham

When a man sits with a pretty girl for an hour, it seems like a minute. But let him sit on a hot stove for a minute and it's longer than any hour. That's relativity.
[tab][tab]Albert Einstein explaining his Theory of Relativity to a group of journalists.

 

[wgcs]

You forgot the #3 reason most AV packages target Outlook: It's the most susceptible to Virii!

(sorry, I had to.....)

 

[manarth]

wgcs (Programmer) Apr 4, 2003
"You forgot the #3 reason most AV packages target Outlook: It's the most susceptible to Virii!"

It's not so much vulnerable, as feature-full. The prime reason is popularity - it's he most common email client around.


If you're using outlook, you can specify the security level in which you view email (if you set custom control; do not run any Active-X - you've protected yourself against more than 3/4 of outlook's vulnerabilities).

If preview-pane is switched on, you are effectively opening the email. If the email is HTML format, then any active-x controls / embedded links will be activateed (as per the security settings in your email client). This is why setting security levels is so important.



Accessdabbler: to answer your question(s) - Yes, the email HAS to be HTML based. "Is it only a problem with Outlook?"No. Whilst I do not know the specific vulnerability of Eudora, any client that displays HTML email may be at risk. To secure IE (to a certain degree) go to your security options - disable java, scripting, and execution of active-x controls. This will reduce your IE functionality, but increase your security. Your call!

<marc> i wonder what will happen if i press this...[ul][li]please give feedback on what works / what doesn't[/li][li]need some help? how to get a better answer: faq581-3339[/li][/ul]

 

[muddyjohn]

I think all IT people should read the following book:
Email virus protection handbook
by: Syngress

Read page 341

&quot;The most common misconception is that these viruses are somehow capable of activating themselves automatically with no user intervention. That is not the case.&quot;

John Burks
CIO
Muddycomputers.com

 

[KimberTech]

Unfortunately, I would have to disagree with you.

There are many instances where the opposite is true, and that user NON intervention is the cause of virus infection.

-Leaving installed programs as is without installing updates and security patches, including antivirus.

-Leaving web browser software as is, and allowing scripting and autopreview in Outlook.

I would like to hear some of the other forum members opinion on this. I hope that quote was taken out of context.
While it is true that a lot of virus infections are the result of a users actions, I do not feel that the quote is a completely accurate reflection of the facts.

This one comes to mind:

http://www.microsoft.com/technet/tr...TechNet/prodtechnol/ie/downloads/scrpteye.asp

Not all malicious code is attachment-based. Active content, such as HTML scripts, can hide malicious code embedded within an e-mail.

I would not like to see anyone with a false sense of security when it comes to virus protection.

Kimber

Members of Tek-Tips provide answers to questions based on the information given. For the best answers, post detailed descriptions of the issue. Use the search features of the site to see if your issue was already addressed in another thread.

 

[greyted]

KimberTech,
You are absolutely correct to disagree.
Having suffered from the very same thing I know it is possible. Bruno2000 asked the question regarding Preview on July 27th 2002. Fortunately I and others were of some assistance to him having gone through my virus experience because I did not use Preview.
Some people would not believe that infection can occur without opening an email, that is why it is essential to use the Preview function if you are vulnerable.
As you quite correctly point out it is vital to protect yourself and others from these malicious attacks.
My AV is updated daily and all emails are scanned, incoming and outgoing.
Like most of us I learned my lesson the hard way and what a lot of grief it caused me and others on my email list.
Having advised a lot of my customers to protect their systems with a good AV package, Firewall and the use of Preview I have loads of positive feedback where they have seen virus attacks against their system thwarted. Most of my customers are home based PC users but these good habits are passed to their children so hopefully the younger generations are better informed and more aware than we have been in the past.

A star for you Kimber, good post.


Ted

 

[manarth]

&quot;Some people would not believe that infection can occur without opening an email, that is why it is essential to use the Preview function if you are vulnerable.&quot;

Just to make people aware, previewing the email (using the preview frame in outlook express) is tantamount to opening the email.

Previewing the email is not a security measure.

<marc> i wonder what will happen if i press this...[ul][li]please give feedback on what works / what doesn't[/li][li]need some help? how to get a better answer: faq581-3339[/li][/ul]

 

[greyted]

manarth,
Better to be aware of the Preview issue, thanks for pointing that out. One star.
To make my position clear, most computer users that I deal with in their home environment are not aware that Preview is ON by default and subsequently leaves them at risk. In fact most computer users are not even aware that Preview exists so I then show them how to put it on their tool bar and turn Preview OFF.
From all that I have read and been taught over the last three or four years it does help to turn Preview off.
Hope this clarifies my position. Having re-read my previous post I guess that paragraph you quoted was not thought out too good, my apologies to all.

Should have taken more care and used the Preview Post facility here.

As I stated in my previous post I got infected via an email and a lot of grief it caused me and all those in Address Book and their address books.


Ted

 

[manarth]

Ted - and yet I've found even the &quot;preview post&quot; is not always sufficient to protect me from my occassional (!) misstatement. especially at 7 in the morning


To turn the preview pane off (in outlook express)
-run outlook express
-go to your inbox
-select View --> Layout
-uncheck the box marked &quot;Show preview pane&quot;
-select OK

You will still see the subject line of the email, and the sender's details... if you see anything suspicious, simply hit that delete key. Scripts, etc are not run until the mail is previewed / opened. Read your email at your peril!

As a second security step, you can change outlook's default security level:
-run outlook express
-select Tools --> Options
-select the Security tab
-select the option &quot;Restricted Sites Zone&quot; (under Internet Zones)

<marc> i wonder what will happen if i press this...[ul][li]please give feedback on what works / what doesn't[/li][li]need some help? how to get a better answer: faq581-3339[/li][/ul]

 

[greyted]

manarth,
Exactly how I have mine set-up in Outlook Express and how I set-up my customers. It is to this day quite a shock to me that quite a few techs I come into contact with do not know about this problem. In fact some will argue that it is impossible to get a virus via emails being Previewed, hate to think what happens with some of the email virii we have now.

My excuse is I had to go shopping and I hurried the post. A poor excuse I know!


Ted

 

[muddyjohn]

KimberTech,

Thanks for the information. I have contacted the company that wrote the book for a response. I wrote word for word what the book teaches. After reading all the postings and some research, I have to take your side and now learn more about scripts.

Thanks guys/gals,
John Burks
CIO
Muddycomputers.com

 

[2ffat]

One other option is something like MailWasher (it's free from places like Tucows and CNet). It pulls in the list of emails on the server but not the emails themselves. You can then allow them through, create a filter, add the address to a &quot;friend's&quot; list, blacklist it, delete it, or sent it back to the originator saying your address is invalid. If you do want to look at the email, it pulls it in as ascii, no scripts can be run, no links are triggered.

The only drawback is this adds another program that you must run to see your email.


James P. Cottingham

When a man sits with a pretty girl for an hour, it seems like a minute. But let him sit on a hot stove for a minute and it's longer than any hour. That's relativity.
[tab][tab]Albert Einstein explaining his Theory of Relativity to a group of journalists.

 

[KimberTech]

John,

Thanks for posting back.
I was worried you would take offense....and I am happy that you took the information and checked it out yourself instead.

Misinformation is a dangerous thing...I am curious to know what the response is from the author.

Ted,Marc and James.....thanks for coming in to back me up.

Leaves me wondering how old that book is??

Kimber

Members of Tek-Tips provide answers to questions based on the information given. For the best answers, post detailed descriptions of the issue. Use the search features of the site to see if your issue was already addressed in another thread.

 

[vesselescape]

my humble $00.02

It seems as the entire discussion above is re: Outlook.

As it is open to (severe) exploit in its default configuration, why is it being used so much ?

1. Like Everest, because it's there?
2. Lack of knowledge of other email clients?
3. Because it is well written and works well?

As for my own observation, it is a combination of one and 2 above. &quot;2ffat&quot; and &quot;wgcs&quot; observations about it being a chosen platform for exploits are both valid. MS's choice to include active-x routines as a default is a prime example.
&quot;Muddyjohn&quot; was also correct with his quote, as long as one does not open html encoded email while allowing java, javascript, active-x or other script base applications to run by default. Oh yeah, lets not forget MS Word macros and misc and etc other MS embeded problems.

The point of the above rant, explanation, etc, is just the observation that in 15 years of network and web administration, we have observed that anyone who persists in using the latest cutting edge technology usually ends up bleeding. If one is truely concerned about maintaining a reasonable amount of system security, one should install an email client with a minimum amount of bells and whistles, that does an excellent job of transmitting plain text (read ascii) messages in a timely manner. Grandmas jpg files as an attachment are ok, but if you use a product that by default opens html files with embeded scripts active by default, your gonna end up with the flu sooner than later.

Practice &quot;Safe Software&quot; and you won't have to recover from a disease spread by some script-kiddie

Regards

 

[FatesWebb]

There seems to be misunderstandings.

Viruses that can execute on preview or view of an email message use the iframe exploit or exploit mime. This is an outlook outlook express internet explorer exploit.

Systems that are vunerable are only ones running
Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2),

If you are running this, then you should load this patch here....

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

Thanks


FatesWebb

if you do what I suggested it is not my fault...