This document provides information for end-users and administrators about protecting computers from threats that are delivered through email.

 

Email has quickly become one of the methods of choice for spreading viruses and other threats. Unfortunately, the old adage of "only open email from people you know" no longer applies because some viruses, such as some variants of Mydoom and Netsky, will send email using the user's name to foster a sense of trust by the recipient.

For details, read the document Email indicates that you have sent out a virus, but scanning all files with current virus definitions does not detect anything.

The following are some of the more common methods used by a virus to send itself through email.

Attacks by attachments
The use of multiple extensions is common. A file named Budget.xls.pif is a program, not an Excel document.

Unless you are positive that the file can be trusted, do not run files with the following extensions:
Common:
.bat - Batch File
.com - Executable (Program)
.doc - Word Document (Macro Viruses)
.dot - Word Template (Macro Viruses)
.eml - Email archive, auto-executing (Likely not visible)
.exe - Executable (Program)
.hta - HTML (May not be visible)
.js - Java Script
.pif - Windows Program Information File
.pot - PowerPoint Template (Macro Viruses)
.ppt - PowerPoint Document (Macro Viruses)
.scr - Windows Screen Saver
.shs - MS Scrap File (May not be visible)
.vbs - Visual Basic Script
.vbe - Visual Basic Script
.wsh - Windows Script
.xl? - Excel Document (Macro Viruses)
.zip - Compressed File

Uncommon (but no less dangerous):
.386, .acm, .acv, .adt, .ax, .bin, .btm, .cla, .cpl, .csc, .csh, .dll, .drv, .hlp, .htm, .htt, .inf, .ini, .jse, .jtd, .mdb, .mp?, .mso, .obd, .obt, .ocx, .ov?, .pl, .pm, .pps, .prc, .rar, .rtf, .sh, .shb, .smm, .sys, .vsd, .vss, .vst, .vxd, .wsf.

Embedded code attacks
Embedded code attacks are "invisible," since there is no attachment to run. The malicious code is built into the email itself or inserted as a signature. You can protect against such attacks by doing the following:

• Use the latest version of your Symantec AntiVirus product and keep the virus definitions up-to-date.
• Consider disabling preview windows, as these types of malicious code may execute if previewed. If preview is on, simply clicking on a suspicious message could infect the computer before you can delete it.
• Do not click links in unsolicited email messages.

Visit the Symantec Security Response Web site for information on the latest virus threats.

Phishing attacks
Often arriving in email, phishing scams appear to come from a legitimate organization and entice users to enter credit card or other confidential information into forms on a Web site designed to look like the legitimate organization. Consider who is sending the information and determine if it is a reliable source. The best course of action is to simply delete these types of emails.

Steps for administrators

• Educate users about the different types of email attacks and what to do with unsolicited or suspicious messages.
• Consider limiting access to personal email accounts on your network.
• Consider having your email servers strip attachment types listed under the "Attacks by attachments" section of this document. Read your email server's documentation for information.
• Use an antispam program to reduce the number of phishing scams and similar threats that reach your users.
• Consider disabling or uninstalling the Windows Scripting Host.
  Read the document How to disable or remove the Windows Scripting Host for details.
• Make sure that all patches and security updates have been applied.
• Define a procedure for reacting to a suspected infection. It is recommended that you include disconnecting infected systems from the network in this procedure.