Suddenly found you can't run *.exe files
Many viruses have the habit of modifying the Windows file association for *.exe files; the upshot
is you find you can't run any files of the type *.exe. Check the following registry entries that define how to run
an executable file; they should be as follows:-
HKEY_CLASSES_ROOT\exefile\shell\open\command\
‹No Name›: REG_SZ: "%1" %*
HKEY_CLASSES_ROOT\.exe
‹No Name›: REG_SZ: exefile
Of course if these entries have been corrupted you won't be able to run regedit.exe or regedt32.exe. You can
either temporarily copy regedit.exe to regedit.com and run that, or create a *.reg file to carry out the edit for
you as follows and simply click on it:-
REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
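To check a machine against the two expected values listed above, the relevant keys can be exported to a REGEDIT4 text file and audited offline. The following is an added example, not part of the original page; the sample export and its placeholder.exe path are constructed, and the export is assumed to be already decoded to text.

```python
import re

# Expected default values, as listed in the text above.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
}

# Constructed sample export: the command value has a placeholder program prepended.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\placeholder.exe \"%1\" %*"
'''

# Matches string values only: @="data" or "name"="data"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse REGEDIT4 text into {key: {name: string_data}}; "" is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive, so normalise them.
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def audit(text):
    """Return (key, found, expected) for each association that differs or is missing."""
    parsed = parse_reg(text)
    findings = []
    for key, want in EXPECTED.items():
        got = parsed.get(key.lower(), {}).get("")
        if got != want:
            findings.append((key, got, want))
    return findings
```

An empty list from audit() means both entries match the values given above; a missing key is reported with a found value of None.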
How was Microsoft Cracked
Friday 27th October 2000, MS reported that system crackers broke into their corporate network. How was
this achieved? It's been reported the most likely scenario was the use of a common cracker's tool called
the QAZ trojan. This was sent by email (spam) to a family computer of a Microsoft employee. This employee
used that computer to check their email and work on the Microsoft corporate network. The QAZ trojan (or a
companion tool) stole some passwords from that PC and emailed them back to the cracker. This allowed them
to later log onto the MS network posing as the authorized employee. This scenario of how Microsoft was
compromised has not been 100% confirmed, but points to a real security risk for many companies.
The QAZ trojan worm is sent as an Email attachment, which if inadvertently installed sends a remote signal
back to the cracker of the location of the infected PC and opens a backdoor that allows the remote attacker
to gain control of the local machine. As of September 14th 2000, there are at least four variants of the
original virus.
Protect Yourself from BubbleBoy
Outlook 98/2000 and Outlook Express are vulnerable to attack by a "worm" called BubbleBoy that propagates
via VBScript in HTML-format messages. This worm is the first that can infect a system just from the mail item
being opened. (Other viruses only propagate if you open an attached file.) Outlook Express and Outlook 98 are
particularly vulnerable, since BubbleBoy operates in those programs even when a message is just viewed in the
preview pane.
A patch to Internet Explorer 5.0 to prevent such attacks has been available for several months.
What's new is that someone has demonstrated exactly how such a worm might work. So, it's more
important than ever that you install this patch (fortunately, it's not in the "wild" yet as far as we know):
Microsoft Security Bulletin (MS99-032)
Common Methods of Infection
- Email Attachments. The use of attachments has become very popular especially in business environments,
as a method of exchanging preformatted documents rather than the default plain text of the standard Email.
Unfortunately this also allows the easy exchange of viruses. Apart from the "BubbleBoy" exploit above, for which
you should apply the appropriate patch, the only other possibility of being affected
by a virus supplied by Email is by opening the Email "attachment", NOT by reading the actual Email.
When you receive an Email with an attachment, always save the attachment to a temporary folder on disk.
The reason for this is to ensure that the Anti-Virus software running on your workstation gets a chance to scan it
for a virus before you attempt to open it. Some Email clients like Eudora save attachments separately to an
attachments folder anyway, Outlook doesn't.
Now we have the attachment on disk as a separate file. Before opening it ask yourself where has it come from, do
you know/trust the source? What type of file is it?
Attachments or downloaded files with the following file types are particularly dangerous:-
Direct executable *.exe, on a PC a rogue program could do just about anything.
Visual Basic scripts *.vbs, i.e. "I_Love_You.vbs" attachments in recent Emails.
Screen Saver *.scr, an example of a portable executable (PE) file that could contain a virus and is executable on all Windows platforms.
Microsoft Scrap Object file *.shs, These types of files are executable and can contain
a wide variety of objects. The scrap object (SHS) extension does not appear in Windows Explorer even if all file extensions are
displayed, but the extension does show in the Email.
If it's an application document see below:
- Floppies, ZIP, SyQuest's, CD-ROM's. Where have they come from? Do you trust the source? Ensure any workstation used to
access these disks has up to date Anti-Virus software set to scan all inserted disks. Again what sort of files do
the disks contain? Be wary of direct executables - they could contain a virus, for application documents see below:
I recommend the BIOS of all workstations and especially servers are set to boot their hard disks in preference to
the floppy drive. This is to prevent the accidental execution of files and hence infection by a possible virus on the floppies
when the workstation or server is rebooted without checking the floppy drive first. This is particularly important
on Windows NT as this is the only way an NT workstation or server can be infected with a boot sector virus.
- Application Macros. Applications which support macros and embed them in the saved files could have the
capability to invoke malicious actions on the operating system and hence should be considered as a virus.
This particularly applies to Microsoft Office applications WORD and EXCEL which have been recently hit by the
Melissa macro virus and its derivatives. These Microsoft Office applications contain by default macro detection and
warning when opening a file. If you see this message ask yourself "Why does this document contain a macro?" Check with
the author of the document the reason for the macro before opening the document with macros enabled. As a
general rule, if you see the warning about a document containing a macro and "Do you want to continue with
Macros enabled or disabled?" always choose DISABLE.
Far too many people have got used to selecting the default action to any warning message they see and this is unfortunately
to enable macros, so some user training may be required for your employees.
To check that your Microsoft WORD or Excel are still set to warn about documents containing macros look under:
[Tools][Options][General Tab] and check the "Macro Virus Protection" option is still ticked.
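The attachment check described under Email Attachments above can be applied to a saved message before anything is opened. The following is an added example, not part of the original page: it lists each attachment and flags the four file types the page names. The double-extension check, the DOCUMENT_LIKE list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from pathlib import PureWindowsPath

# File types this page singles out as particularly dangerous.
DANGEROUS = {".exe": "direct executable", ".vbs": "Visual Basic script",
             ".scr": "screen saver (PE executable)", ".shs": "scrap object"}
# Assumption: harmless-looking inner extensions worth flagging; not from the page.
DOCUMENT_LIKE = {".txt", ".doc", ".xls", ".jpg", ".gif"}

def classify(filename):
    """Return a list of warnings for one attachment filename."""
    # Windows ignores trailing dots and spaces when resolving a name.
    name = filename.strip().rstrip(". ")
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    warnings = []
    if suffixes and suffixes[-1] in DANGEROUS:
        warnings.append(DANGEROUS[suffixes[-1]])
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_LIKE:
            warnings.append("double extension: looks like " + suffixes[-2])
        if suffixes[-1] == ".shs":
            warnings.append("extension hidden by Windows Explorer")
    return warnings

def triage(raw_message):
    """Map each attachment filename in an RFC 822 message to its warnings."""
    report = {}
    for part in message_from_string(raw_message).walk():
        fname = part.get_filename()
        if fname:
            report[fname] = classify(fname)
    return report

def sample_message():
    """Build a constructed message with three placeholder attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("notes.txt.vbs", "minutes.doc", "photo.SHS"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    for fname, warnings in triage(sample_message()).items():
        print(fname, "->", warnings or "no warning")
```

An attachment with no warning, such as an application document, still needs the macro check described above.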
Protection
- Install up to date Anti-Virus software and make sure it's kept up to date. Most have live update features via the Internet.
Ensure Antivirus software is installed on all computers, servers and gateways including email servers. Setup Anti-virus
checking at points of entry to the organization, to check all incoming forms of media. A key source of viruses could be employees
exchanging files with their PC's at home. Although you can try and outlaw this, it may be better to setup an Anti-virus checking station at
the employee's point of entry so it's easy for them to comply with checking procedures. Make sure any laptops connecting to your
network from visiting people or owned by employees have up to date Antivirus software properly configured before allowing them
to connect.
- The latest virus scares in the news are those affecting Microsoft Office macros, see above.
Because Anti-Virus checkers are one step behind virus writers, train staff of the possibility that documents can contain
macro viruses however they were received. If an application issues a warning about a document containing a macro, it should
be considered very seriously. The source of documents containing macros should be checked before opening with macros
enabled, see above.
Last modified: 04 June 2005
www.linnetsol.co.uk
2010 Linnet Solutions Ltd
All Rights Reserved