MACRO VIRUSES
Documents created by many productivity applications can contain programs called macros that start when a document is opened, when they are selected from a menu, or when a combination of keys is pressed. A macro virus is a file infector that hides inside such documents. Microsoft Word files are the most frequent carriers, but Excel spreadsheets and other document types are also targets. Microsoft has taken a few measures, in recent versions of its Office suite, to make such viruses harder to write. But millions of people still use older, unprotected versions, and virus writers have taken on the challenge of bypassing newer safeguards with gusto.

To avoid macro viruses, set whatever security features the application has to High, or disable macros altogether. Be wary of opening documents that arrive unexpectedly – even if they appear to come from someone you know. (Many macro viruses, including Melissa, spread like Trojan horses or worms, mailing themselves to everyone in a victim’s address book without that person’s knowledge.) Again, use and regularly update antivirus software. Finally, ask your ISP or company network administrator whether incoming email messages can be scanned for potentially dangerous attachments before hitting your mailbox.

Like the wooden horse that figured so prominently in Homer’s Iliad, a Trojan horse program masquerades as something it is not, to persuade a user to let it into the system. In the BBS era, such programs often impersonated new versions of commonly used programs, such as the PKZIP file compression utility. A more recent example: the Anna Kournikova Trojan horse/worm program, which arrived in users’ electronic mailboxes appearing to be a picture of the attractive Russian tennis star.

Although some malware can propagate without user intervention, most of the malware to which Internet and email users are likely to be exposed takes the form of a Trojan horse in at least one phase of its life cycle. Note that Trojan horses can’t do their dirty work unless activated by the user. It is therefore vitally important that you know exactly what you are running, launching or opening – especially when it comes as an attachment to email.

In many cases, a Trojan horse will attempt to conceal its true nature by arriving as a file with multiple extensions – for example, AnnaKournikova.jpg.vbs. This type of filename exploits the fact that Windows, like many Windows email programs, uses the last extension at the end of the filename to choose an icon to represent the file. The name is then displayed, minus the final extension and the period that precedes it, next to the icon.

Such a multiple-extension exploit is a dead giveaway that an attachment is malicious. Recipients of the Anna Kournikova program who use Outlook or Outlook Express see the attached file containing the worm as an icon with a scroll in it. Next to the icon is the name AnnaKournikova.jpg. The script icon, which contains an image of a scroll, looks at first glance as if it might represent some type of photographic film, and the displayed name makes the file appear to be a jpeg image. So, many users clicked on the icon expecting to see a picture.

To avoid Trojan horses, users must take great care to avoid running a program that can work its will on their machines. This means scrutinising all email attachments and downloading programs from trusted sources only. Antivirus software can identify well known or widespread Trojan horses, but versions of malware that are modified in only minor ways can often slip through. What’s more, antivirus vendors can be slow to provide patterns for the latest Trojan horses, sometimes taking up to ten days to make new pattern files available for download. So it is extremely useful to install heuristic filters (that is, filters that identify and quarantine suspicious email according to a set of rules) on one’s mail server. (If you rely on your ISP’s mail server, encourage your provider to do this.) Such filters require some technical expertise to set up and should be installed by a network administrator.
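
One rule such a heuristic filter could apply to the multiple-extension filenames described above, shown as an added example that is not part of the original article: it parses a message, works out the name a recipient would see once the final extension is hidden, and flags attachments whose hidden extension is runnable. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, illustrative lists; a real mail filter would maintain its own.
RUNNABLE = {"vbs", "vbe", "js", "jse", "wsf", "exe", "com", "scr", "pif", "bat", "cmd", "hta"}
DECOY = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "xls", "pdf", "mp3", "zip"}

def displayed_name(filename):
    """Name as shown once the final extension and its period are hidden."""
    stem, dot, _ = filename.rpartition(".")
    return stem if dot and stem else filename

def is_double_extension(filename):
    """True if a runnable final extension hides behind a harmless-looking one."""
    parts = filename.strip().lower().split(".")
    return len(parts) >= 3 and parts[-1] in RUNNABLE and parts[-2] in DECOY

def scan_message(raw):
    """Return (real name, displayed name) for each suspicious attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and is_double_extension(name):
            hits.append((name, displayed_name(name)))
    return hits

def build_sample():
    """Constructed test message with placeholder attachment bodies."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in ("AnnaKournikova.jpg.vbs", "holiday.jpg", "report.final.doc"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for real, shown in scan_message(build_sample()):
        print(f"quarantine: shown as {shown!r}, real name {real!r}")
```

Only the first attachment is flagged: holiday.jpg has a single extension, and report.final.doc ends in an extension that is not on the runnable list.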

A worm is malware that propagates from machine to machine without human intervention. The most famous program of this ilk was unleashed by Robert Tappan Morris, Jr., the son of a noted computer security expert, in 1988. Taking advantage of known security holes in commonly used software, it used the computing power of each infected machine to break into others, spreading like wildfire between systems made by Digital Equipment and Sun. While the “Morris worm” didn’t intentionally pack a harmful payload, it had a bug in the part of code that was supposed to limit its reproductive zeal. As a result, its overeager attempts to spread itself consumed most of an infected machine’s resources, crippling a substantial fraction of the computers on the Internet. (Surpris-
types of virus
know what you’re up against
Tutor.JUNE.NEW 14/05/01 8:21 PM Page 3