Detecting if an e-mail attachment has an infection.

By David Curtis - Brooksville Computer

 

PART ONE

 

The safest way to avoid possible virus threats:

 

This happened to me today. It is unusual for me to receive an infected email, but it happens to everyone.

 

The best protection against viruses is to have a current, updated antivirus program installed on your computer. Virus updates are known as definitions. Definitions tell the antivirus exactly what a virus looks like, how to stop it and sometimes how to repair any damage it has done. The antivirus cannot simply ignore files that are not viruses, however: it has to check almost every file to see whether it is infected.

 

Let's say that there is a brand-new virus that nobody at McAfee or Norton has ever seen before, that someone sends you an email that looks suspicious for one reason or another, and that the email is indeed infected with the virus. How well would you do?

 

Here's the email I received today. In the “From” field of the second marked email it says “administrator@earthlink.net”, and there is also an attachment. I have received other emails from EarthLink, but they don't quite look the same (as you can see from the first marked email), which is clue number one that something may be wrong.


Notice that the “From” address is not the same in the bottom example as in the top example; one says "EarthLink" and the other says "administrator@earthlink.net". The most obvious reason to become suspicious, though, is that the e-mail carries an attachment: any unexpected attachment is a reason for concern.

 

To continue, here is the ACTUAL message which I received:


Dear Earthlink Member,

We have temporarily suspended your email account brooksvillecomputer@earthlink.net.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your Earthlink account.

Sincerely,The Earthlink Support Team

 

+++ Attachment: No Virus (Clean)
+++ Earthlink Antivirus - www.earthlink.net

 

Note that the message itself says that it's “Clean” and has “No Virus”. Also note that there are multiple spelling errors in the email (“submiting”, “innability”) and the typographical spacing error in “Sincerely,The”.

 

The attachment symbol in most email programs is the paper clip (look over on the right, between the letter M and the number 5, to see the paper clip). If you are not expecting an email with an attachment, and if you don't have an updated antivirus program (remember, though, that a virus can be too new for it to be caught), then I advise you to just go ahead and delete the attachment along with the email. That is the safest way to avoid a virus infection on your computer and on your network.

 

PART TWO

 

How the Virus payload is activated:

 

(For demonstration purposes only)

 

What I did was NOT delete the e-mail. I kept it and opened it up so that I could show you what we are dealing with when it comes to certain viruses. To do what I'm doing in part two of this article, I make sure my antivirus is temporarily turned off. In most cases a virus must be activated by a user clicking on it before it can infect a computer; once activated, it can spread and reproduce itself automatically. What I am showing you should NOT be done at home or at work. I have my computer set up in special ways, with backup images of the disks and isolated backups of my files, so even if a virus were to get loose on my PC there would be no permanent damage. Thanks to this carefulness I haven't had a virus outbreak on any of my Windows computers in five years, and I have safely downloaded, contained and studied several dozen viruses over the years. Never has one of them gotten loose on any of my machines. So you should NOT attempt any of the following:

 

Now for the attachment… why an attachment for details? First, it looks odd: I'm already reading the email, so why say that the message is somewhere else? Second, why is it zipped? Third, a lot of computer users still don't know how to open a zipped file, and EarthLink would not send a file with details unless it were sure the user knew how to open and read it. Zips CAN be used to hide viruses. So I'll check this one out. (Note that I forwarded this message to EarthLink so they could deal with contacting the sender of the Trojan and tell him that his computer is infected and is infecting other EarthLink customers.)


Next I saved the attachment to the desktop, and cautiously viewed the contents of the zip file:

 

This is NOT a "text" file icon! (circled in red)

 

… a harmless text file? That's pretty big for a text file. One full page of text is about 5k (Size 5,000), so this file is more than ten whole pages of text... and the icon for a text file doesn't look like a blank white square. Hmmm… and look at those three dots after the name… there's more? And look at the “Type” (category) of the file… it's an “application”. Text files aren't applications.

 

For comparison I created a zipped-up text file so you can see the difference:

 

A real text file icon looks like a note-pad. (Compare this icon to the one above)

Do you see the difference? 


The above zipped text file is real. The small white icon looks like an open notepad with some writing on it, not like a blank box. Also notice that the "Type" says "Text Document" and not "Application".

 

So, to show you that it's not a text file, I slide the column divider separating the "Name" and "Size" columns a little to the right, and now we see something else:

 

This is the REAL name of the file. "...-details.txt.exe"

 

Way to the right of “important-details.txt” we see a period and the letters “.exe”. This is known as a “double extension”, a popular ruse for the past few years, because by default Windows hides the extensions of known file types and users must rely on the icon to figure out what is what. The best way to remedy this is to open any folder, go to "Tools" and then "Folder Options", click on "View", then go down and uncheck the box that says "Hide file extensions for known file types". From a hacker's or virus writer's perspective, because the file extensions are hidden it's easy to make an executable look like anything else simply by giving the virus a different icon.
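The two tells described above (a document-looking name that really ends in an executable extension, and "text" whose contents begin with a Windows executable header) can be checked without opening anything. The following script is an added example, not part of the original article or of any EarthLink tool; the zip it inspects is constructed in memory as a stand-in for the attachment described here, not the real file.

```python
import io
import zipfile

# Extensions Windows will run on double-click (a common subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user would expect to open as a harmless document.
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".htm", ".html"}


def classify_name(name: str) -> list[str]:
    """Return reasons a file name inside an attachment looks deceptive."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) >= 3:
        real_ext = "." + parts[-1]
        shown_ext = "." + parts[-2]  # what Explorer shows when extensions are hidden
        if real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
            reasons.append(f"double extension: looks like {shown_ext}, really {real_ext}")
    elif len(parts) == 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment: .{parts[-1]}")
    return reasons


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Scan every entry of a zip archive held in memory; return {name: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            # A Windows PE executable always starts with the 'MZ' signature;
            # a genuine text document never does, whatever its icon shows.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("content starts with MZ header (Windows executable)")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for the attachment in the article (fake PE stub, not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("important-details.txt.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("notes.txt", b"Dear member, nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```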

 

So now... I know in my mind that this is a virus, but it's time to check by scanning the file with one of my antivirus scanners to see whether it's a known virus or a custom job made just for me. I checked the update status of my antivirus as soon as I received this email, before doing anything else. Now I scan the attachment and...

 

It's a virus all right. So I do NOT click on that. Instead I forward it to the real administrator at EarthLink and show you the results:


The best way to deal with viruses is to have a good antivirus installed and updated, and to stay aware of anything that can still get through.

 

This particular infection would spread from computer to computer on a network, going from share to share and re-infecting the whole network over and over again. Stopping it would require shutting the network down so that no computers were in contact with one another, disconnecting the internet from the outside world, and scrubbing each computer that was on the network individually with a specific virus removal tool from Symantec.

 

LATE NOTE:

 

A second e-mail had been sent as well, but it went to my SPAM filter. It said:

 

Dear Earthlink Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The Earthlink Support Team

+++ Attachment: No Virus found
+++ Earthlink Antivirus - www.earthlink.net


END