[Zsd-news] Recent Virus Activity
Ian Forbes
iforbes@zsd.co.za
Wed, 4 Feb 2004 15:57:33 +0200
Hi All
By now I think that all of our readers have heard of the "MyDoom" virus. Besides all the hype in the press, the truth is that it is having a direct effect on our users.
This is by far the biggest virus outbreak experienced on the internet, ever. It has put a significant load on the internet, and there have been delays in e-mail.
Likewise, our support staff have been inundated with calls. I have tried to put together answers to some of the questions that we are getting asked very frequently.
WHAT PROTECTION DOES ZSD PROVIDE AGAINST VIRUSES?
ZSD scans all email messages passing through our main e-mail server. We use a different technique from that commonly used by antivirus software. Instead of comparing attached files against a database of known virus signatures, ZSD's software examines the structure of the e-mail headers and the type of the attached files.
First it rejects messages with certain fraudulent constructs used by many viruses. Many virus messages are rejected at this stage.
Then, if a message has an executable file attachment, the attachment is renamed. This could be a bona fide message (not common but possible) or a virus. By renaming the attached file we reduce the chance of inadvertent execution of a virus. If the user trusts the source of the message, the executable can be saved, renamed and executed.
The system provides complementary protection to the antivirus scanning software commonly used on desktop computers.
HOW EFFECTIVE WAS ZSD's SYSTEM AGAINST 'MYDOOM'?
As our system does not rely on pattern files, there was no 'window period' during which we had no protection. Our users enjoyed protection even during the first hours of the outbreak, when the virus spread very rapidly through other systems which did not have up-to-date pattern files. There was a 'mutation' of this virus. We provided protection during the window period of the mutated virus too.
WHY AM I STILL RECEIVING VIRUSES?
ZSD's system does not block all variants of this virus. In some instances we rename the executable attachments and deliver the message. These messages are 'benign' - you won't easily get infected by accident. However, they may well trigger antivirus software on your PCs.
WHAT ABOUT ZIP FILES?
ZIP files are not executable - so they do not present a danger as such. But if you unzip a ZIP attachment, you might well get infected by the contents. Thus you should treat ZIP files with caution. One of the variants of MyDoom was in a ZIP file format.
We have recently adjusted our antivirus scanner to rename ZIP files. This is an attempt to prevent users from inadvertently opening them and executing the contents. This is a short-term measure and we will re-assess it going forward.
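The attachment-renaming approach described in the protection and ZIP sections above, as an added Python example written for this page (it is not ZSD's software); the extension list, the rename suffix and the warning header name are assumptions, and the sample message is constructed:

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Assumed list of risky extensions (not ZSD's configuration); ZIP is included
# because the post says ZIP attachments are now renamed as well.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip"}
RENAME_SUFFIX = ".renamed.txt"           # assumed: a .txt is not launched by a mail client
WARNING_HEADER = "X-Attachment-Renamed"  # assumed header recording what was renamed


def neutralise_attachments(raw_message: str) -> tuple[EmailMessage, list[str]]:
    """Parse a MIME message, rename risky attachments in place and return the
    modified message together with the original names that were changed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    renamed = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no attachment themselves
        filename = part.get_filename()
        if not filename:
            continue                      # inline body text, nothing to rename
        if os.path.splitext(filename)[1].lower() not in RISKY_EXTENSIONS:
            continue                      # e.g. a PDF is delivered untouched
        new_name = filename + RENAME_SUFFIX
        # Rewrite the filename so the recipient must consciously rename it first.
        del part["Content-Disposition"]
        part["Content-Disposition"] = f'attachment; filename="{new_name}"'
        if part.get_param("name") is not None:
            part.set_param("name", new_name)
        renamed.append(filename)
    if renamed:
        msg[WARNING_HEADER] = ", ".join(renamed)
    return msg, renamed


def attachment_names(msg: EmailMessage) -> list[str]:
    """List the attachment filenames a recipient's mail client would see."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message(filename: str) -> str:
    """Constructed sample message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Your document"
    msg.set_content("The document is attached.")
    msg.add_attachment(b"MZ-placeholder-bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()
```

The renamed file is still delivered intact; only its name (and hence the default action a mail client takes on it) changes.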
WHY AM I GETTING ANTI-VIRUS WARNING MESSAGES?
When our system renames a file, it sends a warning message. This is a courteous thing to do for the recipient of a bona fide message, but we realize that during a virus attack the warning messages become annoying.
WHY AM I RECEIVING BOUNCE MESSAGES?
Somebody else, who has your e-mail address in their address book, has an infected computer. That computer is sending out virus mail. The virus forges the "from" address with one chosen at random from the address book. If your address is chosen, all the bounce messages and antivirus messages resulting from that virus mail will be delivered to you.
WHY DO I RECEIVE VIRUS MAIL AT AN ADDRESS I NEVER USE?
It appears this virus is sending mail to addresses made up from random local parts tagged onto domain names found on the infected computer. By chance it could come up with a valid address that is not in normal use.
WHY CAN'T ZSD STOP ALL THESE MESSAGES?
There are many different types of virus-related messages. Many contain forged information, and there are multiple variants of each virus. Thus, it is virtually impossible to block all the virus-related messages. If we attempted this, there would be too high a risk of blocking valid messages as well. The best thing is to delete them and forget them.
WHAT DO I DO IF MY PC IS INFECTED?
Most antivirus vendors have "removal tool" programs which can be downloaded from their websites. If your PC is infected, you may not be able to reach these websites, as the virus blocks access to known antivirus sites. If that is the case, use 'Google' (http://www.google.com) to search for a tool from a site that is not blocked by the virus.
Remember that viruses modify and delete data on your hard drive. Thus, even after the virus has been removed, there may be operating system files that cannot be restored. As a result your PC might need further work after a virus infection. You may need to seek assistance from a qualified PC support technician.
WHAT ABOUT THE FUTURE?
I am happy with the effectiveness of our antivirus system, but not entirely happy with its user interface. We have made changes to the system and we are constantly looking for ways to improve things. We have recently upgraded our e-mail servers specifically to provide for additional anti-spam and anti-virus services. There are further improvements in the pipeline.
Unfortunately the volumes of virus and spam e-mail are growing at a tremendous rate. Every new measure we put in place blocks many more messages, but it seems the number of those that get through keeps on growing.
Ian
--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388  Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa