In association with heise online

File attachments

A large number of current viruses travel as email attachments. The contaminents use all kinds of tricks to get past virus scanners. For instance, various variants of Bagle travel as encrypted archives. The password is in the body of the email or in an attached image.

The most important principle for the safe handling of emails is therefore never to open a file attachment that you did not request. Just knowing the sender is not sufficient. Viruses and worms search infected PCs for email addresses to which they then send themselves using a false sender address. That is how emails that appear to come from colleagues and relatives actually originate from viruses or worms and contain malicious code. Ideally, the email sender should notify the receiver before sending any attachments.

If you receive an unanticipated email with an attachment, you should make certain that the message actually came from the sender, for example, by writing another email to confirm the first email, or confirming by telephone. That takes away some of the efficiency and directness of the medium; still, a short call is still better than having to debug your PC.

In the past, virus authors have tried to mask the character of their attachment with doubled file endings. The email worm ILOVEYOU is the classic example of this tactic. It spread itself in the form of a VB script program with the name LOVE-LETTER-FOR-YOU.TXT.vbs. Some mail clients did not show the .vbs ending, but still started the script depending on the the system configuration.

In order to prevent this kind of trick, you should configure Windows to show all file endings. To configure Windows in this way, first open the menu item "Tools/Folder Options..." in the Windows File Explorer and click on the "View" tab at the top. Uncheck the setting "Hide extensions for known file types", as shown in the image below.

Tools/Folder Options...

Antivirus programs and additional protection

Antivirus programs prevent the user from saving or executing an infected attachment. Some virus monitors check emails as they are received, that is, before they land in the user's inbox. The effectiveness of anitvirus tools depends on the freshness of their virus signature. Because new variants of viruses have begun to appear on an hourly basis, it is suggested that the refresh interval for the antivirus software's virus signature be set as short as possible. Further information concerning virus protection as well as links to antivirus software companies can be found on Antivirus pages.

Furthermore, antivirus software cannot stop all malicious code. Especially at risk are those who, for example, must deal with dangerous data types for work purposes. This category includes Office documents, which have in the past proven to be carriers of macroviruses.

For this reason, it is suggested that you do not open Office documents with Microsoft Office, but rather with a special viewer like Microsoft's or Quick View Plus, which cannot execute macros. Word documents (.doc) can also be associated with Wordpad, an editor which is not macro-capable. There are also complete office software alternatives, like OpenOffice, which do not execute Visual Basic programs, so that macro viruses have no starting point from which to execute malicious code.

One effective method of protecting against unintended double clicks is to associate those dangerous file types with another application. Visual Basic Script files, for example, can be associated with a text editor (Notepad.exe, for instance), so that the Windows Script Host does not automatically execute the file when it is clicked on. The same recommendation applies to typical file types known to carry worms such as .scr (Windows screensaver) as well as various script file endings (.js, .wcs, .wbs, .wsh, .wsf, .vbe).

These changes can be made in the "Folder Options" dialogue box of Windows File Explorer; this can be found under the "Tools" menu in Windows XP. Under the "File Types" tab, Windows shows all file endings recognized by the operating system. You need only to change the standard action from "open" to "edit". First click on the file type you want (in this example, VBS), then on "Advanced", then highlight "edit" and then click on "Set Default". A double click on the file now opens the safe editor Notepad; to execute the file, you must first open the context menu and choose "open". Not all file types have the same associations, and for some the "edit" option will need to be added and associated with a safe application - one such as Notepad that will not execute scripts.


  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit