III. Solution
Update Your Anti-Virus Product
It is important for users to update their anti-virus software.
Some anti-virus software vendors have released updated information,
tools, or virus databases to help combat this malicious code. A
list of vendor-specific anti-virus information can be found in Appendix A.
Apply the Microsoft Outlook E-mail Security Update
To protect against this malicious code, and others like it, users of Outlook 98 and 2000 may want to
install the Outlook E-mail Security update included in Outlook SR-1.
More information about this update is available at
http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm
You may also find the following document on Outlook security useful:
http://www.microsoft.com/office/outlook/downloads/security.htm
The Outlook E-mail security update provides features that can prevent
attachments containing executable content from being displayed to
users. Other types of attachments can be configured so that they
must be saved to disk before they can be opened (or executed). These
features may greatly reduce the chances that a user will incorrectly
execute a malicious attachment.
Filter the Virus in Email
Sites can use email filtering techniques to delete messages
whose subject lines are known to accompany the malicious code, or can filter
attachments outright.
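The following sketch shows one way a site filter could apply both checks described above. It is an added example, not part of the original advisory; the blocked subject is a constructed placeholder, and the extension list, function names and sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed site policy for illustration; a real site maintains its own lists.
BLOCKED_SUBJECTS = {"example blocked subject"}  # constructed placeholder
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs", ".js"}

def filter_message(raw_bytes):
    """Return (verdict, reasons); verdict is 'block' or 'deliver'."""
    # policy.default decodes RFC 2047 subjects and RFC 2231 filenames.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in BLOCKED_SUBJECTS:
        reasons.append("subject on blocklist")
    for part in msg.walk():  # visits nested MIME parts as well
        name = part.get_filename()
        if not name:
            continue
        # Only the final extension decides how the file is opened, so
        # "photo.jpg.vbs" is treated as a script. Trailing dots and
        # spaces are dropped first because Windows ignores them.
        lowered = name.lower().rstrip(". ")
        ext = lowered[lowered.rfind("."):] if "." in lowered else ""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment: {name}")
    return ("block" if reasons else "deliver", reasons)

def build_sample(subject, filename=None):
    """Build a constructed test message (not captured mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"constructed sample bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Hello", "report.pdf"),
                        ("Hello", "holiday-photo.jpg.vbs"),
                        ("Example Blocked Subject", None)]:
        print(subj, fname, filter_message(build_sample(subj, fname)))
```

A filter of this kind looks only at declared file names; it does not inspect the contents of archives or renamed files.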
Exercise Caution When Opening Attachments
Exercise caution when receiving email with attachments. Users should disable
auto-opening or previewing of email attachments in their mail
programs. Users should never open attachments from an untrusted
origin, or that appear suspicious in any way. Finally,
cryptographic checksums should also be used to validate the
integrity of the file.
IV. General protection from email Trojan horses and viruses
Some previous examples of malicious files known to have propagated
through electronic mail include:
Melissa macro virus - discussed in CA-99-04
http://www.cert.org/advisories/CA-1999-04.html
False upgrade to Internet Explorer - discussed in CA-99-02
http://www.cert.org/advisories/CA-1999-02.html
Happy99.exe Trojan Horse - discussed in IN-99-02
http://www.cert.org/incident_notes/IN-99-02.html
CIH/Chernobyl virus - discussed in IN-99-03
http://www.cert.org/incident_notes/IN-99-03.htm
In each of the above cases, the effects of the malicious file are
activated only when the file in question is executed. Social
engineering is typically employed to trick a recipient into executing
the malicious file. Some of the social engineering techniques we have
seen used include:
- Making false claims that a file attachment contains a software
patch or update
- Implying or using entertaining content to entice a user into
executing a malicious file
- Using email delivery techniques that cause the message to appear
to have come from a familiar or trusted source
- Packaging malicious files in deceptively familiar ways (e.g., use
of familiar but deceptive program icons or file names)
The best advice with regard to malicious files is to avoid executing them in
the first place. CERT advisory CA-1999-02 and the following CERT tech tip
discuss malicious code and offer suggestions for avoiding it.
http://www.cert.org/advisories/CA-1999-02.html
Tech tip: Protecting yourself from Email-borne Viruses and Other Malicious Code During Y2K and Beyond