Copyright 2002, Rick Macmurchie - February 6, 2002

E-Mail Attachment Safety - How to avoid getting infected by E-Mail Worms, Viruses and Trojans

These days most dangerous programs (Viruses, Trojans and Worms) are spread through email message attachments.

How do Viruses, Trojans and Worms spread through email?

An email arrives with an attached file that has a misleading file name or a message subject/body that entices people to open the attachment. Regardless of what the attachment appears to be at first glance, the attachment is a program and opening the attachment runs the program and infects the system. Once the system is infected the Worm often searches the system for email addresses and forwards itself to any found addresses.

Many of these dangerous programs may modify or delete files on the system, or even erase the entire hard drive.

How to identify executable file types.

Computers running Microsoft's Windows operating systems use a three-letter identifier, added to the file name after a period (.), to identify a file's type. When a file or message attachment is opened, this file extension is used to decide what program should open the file, or whether the file is itself a program that should be run.

The following file name extensions are the types of files identified by Microsoft as potentially containing dangerous programs.

Dangerous File Extensions

File Extension  Description
ADE             Microsoft Access Project Extension
ADP             Microsoft Access Project
BAS             Visual Basic® Class Module
BAT             Batch File
CHM             Compiled HTML Help File
CMD             Windows NT® Command Script
COM             MS-DOS® Application
CPL             Control Panel Extension
CRT             Security Certificate
EXE             Application
HLP             Windows® Help File
HTA             HTML Applications
INF             Setup Information File
INS             Internet Communication Settings
ISP             Internet Communication Settings
JS              JScript® File
JSE             JScript Encoded Script File
LNK             Shortcut
MDB             Microsoft Access Application
MDE             Microsoft Access MDE Database
MSC             Microsoft Common Console Document
MSI             Windows Installer Package
MSP             Windows Installer Patch
MST             Visual Test Source File
PCD             Photo CD Image
PIF             Shortcut to MS-DOS Program
REG             Registration Entries
SCR             Screen Saver
SCT             Windows Script Component
SHS             Shell Scrap Object
URL             Internet Shortcut (Uniform Resource Locator)
VB              VBScript File
VBE             VBScript Encoded Script File
VBS             VBScript Script File
WSC             Windows Script Component
WSF             Windows Script File
WSH             Windows Scripting Host Settings File

Any file received as an email attachment with any of the above extensions should NEVER be opened even if you know the person that sent the file.

Unfortunately some email programs don't display file extensions in their default configurations, in particular, Outlook Express.

The display of file extensions can be turned on. The method varies slightly depending on the version of Windows, but generally is similar to the following:

  1. Open 'My Computer'
  2. Find 'Folder Options' (Usually on the Tools menu but possibly on the View menu.)
  3. On the View tab, remove the check mark beside 'Hide file extensions for known file types'
  4. Click the OK button.

Now you will be able to see all file extensions, but the list of dangerous file types is quite long. How do you remember them all?

It may be easier to remember the common safe file types:

Safe File Extensions

File Extension  Description
GIF             Picture - Graphics Interchange Format (CompuServe)
JPG or JPEG     Picture - Joint Photographic Expert Group
TIF or TIFF     Picture - Tagged Image File Format (Adobe)
MPG or MPEG     Movie - Motion Picture Expert Group
MP3             Sound - MPEG compressed Audio
WAV             Sound - Audio (Microsoft)

If an attachment does not have one of these safe extensions, it's best not to open the attachment. Be especially suspicious of any file that has a doubled extension (e.g. coolpic.gif.exe). Normally files have only one three or four letter extension, so a file with more than one extension is probably an attempt to trick you into opening the attachment.

Also note that a file could have a name like www.yahoo.com. It looks like a URL to a web site, but if you check the dangerous extensions list above you will notice that .com is the extension used by MS-DOS applications. This was the trick used by the recent 'My Party' worm.

Legitimate URLs should be listed in the body of the message like www.yahoo.com (usually blue and underlined) and preferably preceded by http:// as in http://www.yahoo.com/. If in doubt, copy the text of the URL and paste it into the address bar of your web browser instead of clicking on the link.
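
The checks described above (the dangerous and safe extension lists, doubled extensions, and attachment names that imitate a web address) can be applied to every attachment name in a message. The following Python code is an added example, not part of the original article; the function names, verdict labels and sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Extensions copied from the article's "Dangerous File Extensions" list.
DANGEROUS = set(("ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk "
                 "mdb mde msc msi msp mst pcd pif reg scr sct shs url vb vbe vbs wsc wsf wsh").split())
# Extensions copied from the article's "Safe File Extensions" list.
SAFE = set("gif jpg jpeg tif tiff mpg mpeg mp3 wav".split())

def classify(filename):
    """Return (verdict, reasons) for one attachment file name."""
    # Windows drops trailing dots and spaces, so ignore them when splitting.
    parts = filename.rstrip(". ").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in DANGEROUS:
        reasons.append("dangerous extension ." + ext)
    elif ext not in SAFE:
        reasons.append("extension is not on the safe list")
    # Doubled extension: a known extension sitting in front of the real one.
    if len(parts) > 2 and parts[-2] in SAFE | DANGEROUS:
        reasons.append("doubled extension ." + parts[-2] + "." + ext)
    # URL lookalike such as www.yahoo.com: .com is an MS-DOS application.
    if parts[0] == "www" and ext == "com":
        reasons.append("name imitates a web address")
    verdict = "block" if ext in DANGEROUS else "suspicious" if reasons else "allow"
    return verdict, reasons

def scan_message(raw):
    """Classify every named attachment in a raw message (headers plus body)."""
    found = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name:
            found[name] = classify(name)
    return found

def constructed_sample():
    """Build a made-up message; the names and contents are constructed test data."""
    msg = EmailMessage()
    msg.set_content("Have a look at these.")
    for name in ("coolpic.gif.exe", "www.yahoo.com", "beach.jpg", "notes.doc"):
        msg.add_attachment(b"x", maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    for name, (verdict, reasons) in scan_message(constructed_sample()).items():
        print(f"{name:18} {verdict:10} {'; '.join(reasons)}")
```

The verdict depends only on the file name, never on the content type the sender declared, because the extension is what Windows uses to decide how the file is opened.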

Making E-Mail Safer

To reduce your risk, at a minimum:

For best protection:

Microsoft Outlook 2002 / XP blocks all attachments with the dangerous file extensions listed above right out of the box.

Microsoft Outlook 2000 needs to be patched to Service Release 1a (Available from the Office Update Site) and the Outlook 2000 SR-1- Extended E-mail Security Update should be installed.

With a patched version of Outlook 2000 or Outlook 2002/XP it is impossible to open or send an attachment with any of the listed dangerous file extensions. This attachment blocking removes the need to know the list of dangerous attachments.

(See Also Update 1 - Changes in how Outlook Express 6 handles attachments after installing Service Pack 1 (SP1) and Update 2 - What are ZIP files and are they safe attachments to open?)
