
How to Stop Email-borne Viruses

Keep SirCam and other viruses out of email

The SirCam virus continues to flow into users' inboxes, disrupting normal email use and increasing the likelihood of infection. One frustrated couple in Australia reported that SirCam attachments were coming in at such a high rate they were quickly exceeding the 15Mb limit imposed by their ISP. To reduce the bandwidth consumption and keep their mailbox below capacity, the enterprising couple had resorted to logging into their account hourly via the web mail interface, deleting any SirCam emails before accessing their account through their regular mail client. (Attempts to persuade their ISP to block the sender had failed, as had attempts to email the sender).

With such widespread use of antivirus software, one has to question the ever-increasing numbers of infections and the associated damage costs - last year conservatively estimated at $17 billion. In most cases, it is simply a matter of speed. New threats arriving via email travel much faster than a signature update can. However quickly vendors move to make these updates available, containment is difficult. To make matters worse, not all antivirus software is created equal. While SirCam got a bit of a foothold in the hours and days before detection was made available, some antivirus products are still stymied by it, worsening the problem. McAfee VirusScan has two settings that can thwart detection of the virus - their habit of excluding the Recycle Bin from scans and the lack of .PIF and .LNK extensions in their scan list. Thus, unless users fully understand the SirCam threat and the capabilities of their antivirus protection, even constant updating won't be enough to protect them from infection.

Fortunately, there are steps you can take to prevent SirCam, and other email-borne threats, from ever winding up in your inbox. By keeping threats out of email, signature updating becomes a much more effective strategy. The simplest, most effective method to protect against email-borne threats involves the use of filtering software. Though historically focused at the gateway level, a new product, MailDefense, provides desktop users with a means to easily remove harmful executable-type attachments and other active content from email. Highly effective against both known and unknown threats, such filtering packages alleviate the need to become an overnight security expert just to enjoy safely sending and receiving email. MailDefense quarantines executable file types, removes macros from Microsoft® Office files, and strips scripts and ActiveX controls from email messages.

You can bypass the protection offered by filtering and elect to manually configure your mail client to stop specific threats. However, protection offered by the email client varies. For example, Eudora® and AOL® simply display a message when certain attachment types are received, still giving the user full access to the attachment. AOL provides a "Don't show this message again" option, which makes it likely to be disabled and never again seen by users. Microsoft® Outlook and Outlook Express email clients provide message rules that can be configured to block individual viruses. However, the rules must be set up exactly right or the virus will be allowed through. Configuring message rules also requires specific knowledge of the virus' characteristics, so the rules are effective against known threats only.

Outlook Express

To block SirCam in Microsoft® Outlook Express:

1. Select the Tools menu
2. Select Message Rules
3. Select Mail
4. Click New
5. Under heading 1, "Select Conditions for your rule" select the following two options:
* Where the message body contains specific words; and
* Where the message has an attachment
6. Under the heading 2, "Select the Actions for your rule" select the following option:
* Delete it
7. Under heading 3, "Rule Description" click the underlined text "contains specific text"
8. Type (without the quotes) "Hi! How are you?" and click Add
9. Type (without the quotes) "See you later. Thanks" and click Add
10. Click Options and in item 2 select "Message matches all of the words below"
11. Click OK
12. Click OK
13. Click OK
14. You will now be back at the original "New Mail Rule" dialog box
15. Type in a name for the rule (under Item 4) if desired and click OK
16. You will now be back at the "Message Rules" dialog box. Repeat steps 4 through 7.
17. Type (without the quotes) "Hola como estas ?" and click Add
18. Type (without the quotes) "Nos vemos pronto, gracias." and click Add
19. Repeat steps 10 through 15.
20. Click OK

Congratulations! You've now successfully created the two rules necessary to block the SirCam attachment from Outlook Express, causing it to be immediately deleted upon receipt in email. For blocking other viral attachments, please find the appropriate description for that virus and set up the applicable rules accordingly.

Microsoft® Outlook

To block SirCam in Microsoft® Outlook:

1. Select the Tools menu
2. Select Rules Wizard
3. Click New
4. Under "Which type of rule do you want to create?" select "Check messages when they arrive"
5. Click Next
6. Under "Which condition(s) do you want to check" select "With specific words in the body" and also select "Which has an attachment"
7. Under "Rule Description" click the underlined text "contains specific text"
8. Type (without the quotes) "Hi! How are you?" and click Add
9. Type (without the quotes) "See you later. Thanks" and click Add
10. Click OK
11. Click Next
12. Under "What do you want to do with the message" select "Permanently delete it"
13. Click Next
14. Click Next
15. Type in a name for the rule and click Finish
16. You will now be back at the "Message Rules" dialog box. Repeat steps 3 through 7.
17. Type (without the quotes) "Hola como estas ?" and click Add
18. Type (without the quotes) "Nos vemos pronto, gracias." and click Add
19. Repeat steps 10 through 15.
20. Click OK

Congratulations! You've now successfully created the two rules necessary to block the SirCam attachment from Outlook, causing it to be immediately deleted upon receipt in email. For blocking other viral attachments, please find the appropriate description for that virus and set up the applicable rules accordingly.

ZoneAlarm Pro, the professional version of the popular ZoneAlarm Personal firewall, provides a MailSafe option which renames certain executables to a registered ZoneAlarm extension. Thus, if certain types of executables are received in email, the user will not be able to open them without first answering a series of prompts provided by the firewall.

Unfortunately, keeping email safe from viral attack is not as simple as blocking specific extensions. Script worms such as Kak can only be stopped by applying specific patches and configuring the mail client appropriately, or by using a filtering product to automatically remove all scripts for you. The Email Help Center provides specific details on securing Microsoft® mail clients against scripted threats for those who choose not to use filtering products. A third email-borne threat, macro viruses, constitutes a large percentage of all active viruses. Email clients and firewall products have no built-in defense against the threat of macros, leaving filtering software as the most viable means of protection. Whether via filtering software or manually configured rules, keeping viruses out of the inbox is the most important defense strategy against email-borne threats.

Of course, properly configured and updated antivirus software is also a necessity. Make sure you are familiar with the antivirus product you use and are aware of any areas of your system which might be automatically excluded from scanning protection. Also ensure that the extension list is actually representative of threats that are likely to be encountered.

At a minimum, the extension list should include: acm, acv, bat, chm, cla, cmd, com, cpl, crt, dll, doc, dot, eml, exe, hlp, hta, htm, html, inf, ins, isp, js, jse, lnk, msc, msg, msi, msp, ocx, pif, ppt, reg, scr, sct, shb, shs, sys, vbe, vbs, wsc, wsf, wsh, xls, xlt. http://filext.com/ is a great resource for looking up file extension descriptions and the programs to which they are registered.
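The two message rules and the extension list above can be expressed as one mail-filter check. The following Python sketch is an added example, not code from this article or from any product it names; the function names are hypothetical, and reusing the scan extension list as an attachment quarantine list is an assumption of the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Phrase pairs from the two message rules above; a rule fires only if
# BOTH phrases are in the body AND the message has an attachment.
RULES = [("Hi! How are you?", "See you later. Thanks"),
         ("Hola como estas ?", "Nos vemos pronto, gracias.")]

# The article's minimum extension list.
RISKY = set("""acm acv bat chm cla cmd com cpl crt dll doc dot eml exe hlp hta
htm html inf ins isp js jse lnk msc msg msi msp ocx pif ppt reg scr sct shb
shs sys vbe vbs wsc wsf wsh xls xlt""".split())

def norm(text):
    # Collapse whitespace and case so line wrapping cannot defeat a rule
    # (a choice made for this example).
    return " ".join(text.split()).casefold()

def classify(raw):
    """Return 'delete', 'quarantine' or 'deliver' for raw message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    part = msg.get_body(preferencelist=("plain", "html"))
    body = norm(part.get_content()) if part else ""
    if names and any(all(norm(p) in body for p in rule) for rule in RULES):
        return "delete"
    # Windows picks the handler from the final extension: a.doc.pif is a .pif
    if any(n.rsplit(".", 1)[-1].lower() in RISKY for n in names if "." in n):
        return "quarantine"
    return "deliver"

def sample(body, filename=None):
    # Constructed test message; the attachment payload is a harmless placeholder.
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    full = "Hi! How are you?\n(constructed filler)\nSee you later. Thanks"
    for body, name in [(full, "notes.doc.pif"), (full, None),
                       ("Hi! How are you?", "photo.jpg"), ("FYI", "setup.exe")]:
        print(name, "->", classify(sample(body, name)))
```

The phrase rules catch only the known SirCam text, while the extension check also holds back executable-type attachments the rules have never seen.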

If you are not familiar with the workings of your antivirus product and don't know how to check the exclude or extension list, contact your antivirus vendor or post a message in the antivirus help forum for assistance.

In summary, email is a widely available tool that has equally wide consequences if used inappropriately. It is this inappropriate use the virus writers are counting on to spread their wrath. If filtering software is not your cup of tea, familiarize yourself completely with the advice laid forth in Protecting Your Organization From Electronic Message Viruses by Robert Grupe, a Senior Product Manager at McAfee. These are the critical steps you will need to take if you choose to email without proper protection, along with the tips outlined in this article and in the Email Help Center.


Copyright © 2005 Genuine Infotech Private Limited - Software Development and Software Outsourcing Company in India