[Zsd-news] Recent Virus Activity

Ian Forbes iforbes@zsd.co.za
Wed, 4 Feb 2004 15:57:33 +0200


Hi All

By now I think that all of our readers have heard of the "MyDoom" virus.
Besides all the hype in the press, the truth is that it is having a direct
effect on our users.

This is by far the biggest virus outbreak experienced on the internet,
ever. It has put a significant load on the internet, and there have
been delays in e-mail.

Likewise, our support staff have been inundated with calls. I have tried
to put together answers to some of the questions that we are getting
asked very frequently.


WHAT PROTECTION DOES ZSD PROVIDE AGAINST VIRUSES?

ZSD scans all email messages passing through our main e-mail server. We
use a different technique from that commonly used by antivirus software.
Instead of comparing attached files against a database of known virus
signatures, ZSD's software examines the structure of the e-mail
headers and the types of the attached files.

First it rejects messages with certain fraudulent constructs used by
many viruses. Many virus messages are rejected at this stage.

Then, if a message has an executable file attachment, the attachment is
renamed. This could be a bona fide message (not common but possible) or
a virus. By renaming the attached file we reduce the chance of
inadvertent execution of a virus. If the user trusts the source of the
message, the executable can be saved, renamed and executed.

The system provides complementary protection to the antivirus scanning
software commonly used on desktop computers.


HOW EFFECTIVE WAS ZSD's SYSTEM AGAINST 'MYDOOM'?

As our system does not rely on pattern files, there was no 'window
period' during which we had no protection. Our users enjoyed protection
even during the first hours of the outbreak, when the virus spread very
rapidly through other systems which did not have up-to-date pattern
files. There was a 'mutation' of this virus. We provided protection
during the window period of the mutated virus too.


WHY AM I STILL RECEIVING VIRUSES?

ZSD's system does not block all variants of this virus. In some instances
we rename the executable attachments and deliver the message. These
messages are 'benign' - you won't easily get infected by accident.
However, they may well trigger the antivirus software on your PC.


WHAT ABOUT ZIP FILES?

ZIP files are not executable - so they do not present a danger as such.
But if you unzip a ZIP attachment, you might well get infected by the
contents. Thus you should treat ZIP files with caution.

One of the variants of MyDoom was in a ZIP file format.

We have recently adjusted our antivirus scanner to rename ZIP files.
This is an attempt to prevent users from inadvertently opening them and
executing the contents. This is a short term measure and we will
re-assess it going forward.
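The two renaming stages described above (executable attachments, and more recently ZIP files) can be illustrated with a small filter. The following is an added example written for this page, not ZSD's software: the list of extensions, the ".renamed" suffix and the X-Attachment-Renamed header are assumptions (the post does not say which names are treated as executable or how the files are renamed), and the sample message is constructed. The part keeps its content, so a recipient who trusts the sender can still save it, rename it back and open it deliberately, which is the behaviour the post describes.

```python
"""Rename executable and ZIP attachments in an e-mail message.

Added example of the attachment-renaming stage described in the post; it is
not ZSD's software. The extension list, the ".renamed" suffix and the
X-Attachment-Renamed header are assumptions, and the sample message below is
constructed for the example.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed set of extensions a Windows desktop would run directly, plus .zip,
# which the post says was added to the renaming policy as a short-term measure.
RENAMED_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".zip")
SUFFIX = ".renamed"  # assumed marker appended to the original filename


def needs_rename(filename):
    """Return True when the attachment name ends in a renamed extension (any case)."""
    if not filename:
        return False
    return filename.lower().endswith(RENAMED_EXTENSIONS)


def rename_risky_attachments(raw_bytes):
    """Parse a raw message and rename risky attachments in place.

    Returns (message, renamed), where renamed lists (old_name, new_name) pairs.
    Only the declared type and the filename change; the bytes are untouched.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    renamed = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no attachment of their own
        old_name = part.get_filename()
        if not needs_rename(old_name):
            continue
        new_name = old_name + SUFFIX
        # Declare the part as opaque bytes and give it the new name, so mail
        # clients no longer hand it to an executable or archive handler.
        part.replace_header("Content-Type", "application/octet-stream")
        disposition = f'attachment; filename="{new_name}"'
        if "Content-Disposition" in part:
            part.replace_header("Content-Disposition", disposition)
        else:
            part["Content-Disposition"] = disposition
        renamed.append((old_name, new_name))
    if renamed:
        # Record the action on the message itself. The post describes a
        # separate warning message; this header is an assumed lighter variant.
        msg["X-Attachment-Renamed"] = ", ".join(
            f"{old} -> {new}" for old, new in renamed)
    return msg, renamed


def attachment_names(msg):
    """List the filenames of all non-multipart parts that carry one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message():
    """Constructed sample: a short body plus three attachments (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample for the renaming example"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename="Document.EXE")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="archive.zip")
    msg.add_attachment(b"%PDF-1.4 not a real document", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    filtered, changed = rename_risky_attachments(build_sample_message())
    for old, new in changed:
        print(f"renamed {old} -> {new}")
    print("attachments now:", attachment_names(filtered))
```

Running the script renames Document.EXE and archive.zip, leaves report.pdf alone, and leaves a message that has already been filtered unchanged on a second pass, since ".renamed" is not in the list.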


WHY AM I GETTING ANTI-VIRUS WARNING MESSAGES?

When our system renames a file, it sends a warning message. This is a
courteous thing to do for the recipient of a bona fide message, but we
realize that during a virus attack the warning messages become
annoying.


WHY AM I RECEIVING BOUNCE MESSAGES?

Somebody else, who has your e-mail address in their address book, has an
infected computer. That computer is sending out virus mail. The virus
forges the "from" address with one chosen at random from the address
book. If your address is chosen, all the bounce messages and antivirus
messages resulting from that virus mail will be delivered to you.


WHY DO I RECEIVE VIRUS MAIL AT AN ADDRESS I NEVER USE?

It appears this virus is sending mail to addresses made up from random
local parts tagged onto domain names found on the infected computer. By
chance it could come up with a valid address that is not in normal use.


WHY CAN'T ZSD STOP ALL THESE MESSAGES?

There are many different types of virus related messages. Many contain
forged information and there are multiple variants of each virus. Thus,
it is virtually impossible to block all the virus related messages. If
we attempted this, the risk of blocking valid messages would be too
high. The best thing is to delete them and forget them.


WHAT DO I DO IF MY PC IS INFECTED?

Most antivirus vendors have "removal tool" programs which can be
downloaded from their websites. If your PC is infected, you may not be
able to reach these websites as the virus blocks access to known
antivirus sites. If that is the case use 'Google' (http://www.google.com)
to search for a tool from a site that is not blocked by the virus.

Remember that viruses modify and delete data on your hard drive. Thus
even after the virus has been removed there may be operating system
files that cannot be restored, so your PC might need further work
after a virus infection. You may need to seek assistance from a
qualified PC support technician.


WHAT ABOUT THE FUTURE?

I am happy with the effectiveness of our antivirus system, but not
entirely happy with its user interface. We have made changes to the
system and we are constantly looking for ways to improve things. We
have recently upgraded our e-mail servers specifically to provide for
additional anti-spam and anti-virus services. There are further
improvements in the pipeline.

Unfortunately the volumes of virus and spam e-mail are growing at a
tremendous rate. Every new measure we put in place blocks many more
messages, but it seems the number of those that get through keeps on
growing.


Ian

-- 
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388  Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa