Copyright 2002, Rick Macmurchie - February 6, 2002
E-Mail Attachment Safety - How to avoid getting infected by E-Mail Worms, Viruses and Trojans
These days most dangerous programs (Viruses, Trojans and Worms) are spread through email message attachments.
How do Viruses, Trojans and Worms spread through email?
An email arrives with an attached file that has a misleading file name or a message subject/body that entices people to open the attachment. Regardless of what the attachment appears to be at first glance, the attachment is a program and opening the attachment runs the program and infects the system. Once the system is infected the Worm often searches the system for email addresses and forwards itself to any found addresses.
Many of these dangerous programs may modify or delete files on the system, or even erase the entire hard drive.
How to identify executable file types.
Computers running Microsoft's Windows operating systems use a three letter identifier added to file names after a period (.) to identify a file's type. When a file or message attachment is opened the file extension is used to decide what program should be used to open the file, or if the file is a program that should be run.
The following file name extensions are types of files identified by Microsoft as potentially containing dangerous programs.
Dangerous File Extensions
File Extension | Description | File Extension | Description |
---|---|---|---|
ADE | Microsoft Access Project Extension | MDB | Microsoft Access Application |
ADP | Microsoft Access Project | MDE | Microsoft Access MDE Database |
BAS | Visual Basic® Class Module | MSC | Microsoft Common Console Document |
BAT | Batch File | MSI | Windows Installer Package |
CHM | Compiled HTML Help File | MSP | Windows Installer Patch |
CMD | Windows NT® Command Script | MST | Visual Test Source File |
COM | MS-DOS® Application | PCD | Photo CD Image |
CPL | Control Panel Extension | PIF | Shortcut to MS-DOS Program |
CRT | Security Certificate | REG | Registration Entries |
EXE | Application | SCR | Screen Saver |
HLP | Windows® Help File | SCT | Windows Script Component |
HTA | HTML Applications | SHS | Shell Scrap Object |
INF | Setup Information File | URL | Internet Shortcut (Uniform Resource Locator) |
INS | Internet Communication Settings | VB | VBScript File |
ISP | Internet Communication Settings | VBE | VBScript Encoded Script File |
JS | JScript® File | VBS | VBScript Script File |
JSE | JScript Encoded Script File | WSC | Windows Script Component |
LNK | Shortcut | WSF | Windows Script File |
 | | WSH | Windows Scripting Host Settings File |
Any file received as an email attachment with any of the above extensions should NEVER be opened even if you know the person that sent the file.
Unfortunately some email programs don't display file extensions in their default configurations, in particular, Outlook Express.
The display of file extensions can be turned on; the method varies slightly depending on the version of Windows, but is generally similar to the following:
Now you will be able to see all file extensions, but the list of dangerous file types is quite long. How do you remember them all?
It may be easier to remember the common safe file types:
Safe File Extensions
File Extension | Description |
---|---|
GIF | Picture - Graphics Interchange Format (CompuServe) |
JPG or JPEG | Picture - Joint Photographic Expert Group |
TIF or TIFF | Picture - Tagged Image File Format (Adobe) |
MPG or MPEG | Movie - Motion Picture Expert Group |
MP3 | Sound - MPEG compressed Audio |
WAV | Sound - Audio (Microsoft) |
If an attachment does not have one of these safe extensions, it's best not to open the attachment. Be especially suspicious of any file that has a doubled extension (e.g. coolpic.gif.exe). Normally files have only one three or four letter extension, so a file with more than one extension is probably an attempt to trick you into opening the attachment.
Also note that a file could have a name like www.yahoo.com. It looks like a URL to a web site, but if you check the dangerous extensions list above you will notice that .com is the extension used by MS-DOS applications. This was the trick used by the recent 'My Party' worm.
Legitimate URLs should be listed in the body of the message like www.yahoo.com (usually blue and underlined) and preferably preceded by http:// as in http://www.yahoo.com/. If in doubt, copy the text of the URL and paste it into the address bar of your web browser instead of clicking on the link.
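The attachment checks described above (dangerous list, safe list, doubled extension, and a file name that looks like a web address) can be applied automatically to a received message. The following is an added example, not part of the original article; the function names, the verdict labels and the sample message are constructed for illustration, and the extension lists are transcribed from the two tables on this page.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension lists transcribed from the two tables on this page.
DANGEROUS = set(
    "ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk mdb "
    "mde msc msi msp mst pcd pif reg scr sct shs url vb vbe vbs wsc wsf wsh".split())
SAFE = set("gif jpg jpeg tif tiff mpg mpeg mp3 wav".split())

def classify(filename):
    """Apply the page's rules to one attachment name; return (verdict, reasons)."""
    # Windows drops trailing dots and spaces, so "a.exe. " still runs as .exe.
    parts = filename.lower().rstrip(". ").split(".")
    ext = parts[-1].strip() if len(parts) > 1 else ""
    reasons = []
    if ext in DANGEROUS:
        reasons.append("dangerous extension ." + ext)
    elif ext not in SAFE:
        reasons.append("extension not on the safe list")
    if len(parts) > 2:
        reasons.append("more than one extension")
    if parts[0] == "www" and ext in DANGEROUS:
        reasons.append("looks like a web address")
    if ext in DANGEROUS:
        return "block", reasons
    return ("suspicious" if reasons else "ok"), reasons

def scan(raw_message):
    """Parse raw RFC 822 bytes and classify every attachment by file name."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {part.get_filename(): classify(part.get_filename() or "")
            for part in msg.iter_attachments()}

def build_sample():
    """Constructed test message; the attachment bodies are harmless placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "new photos"
    msg.set_content("see attached")
    for name in ("holiday.jpg", "coolpic.gif.exe", "www.yahoo.com", "notes.doc"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, (verdict, reasons) in scan(build_sample()).items():
        print(f"{name:18} {verdict:10} {'; '.join(reasons)}")
```

The check looks only at the file name, exactly as the rules above do, so it is a first filter and not a substitute for patched mail software or a virus scanner.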
Making E-Mail Safer
To reduce your risk, at a minimum:
Apply all the security patches available from the Windows Update Site on a regular basis and/or
Install Internet Explorer 6
If using an email program other than Outlook / Outlook Express, check the manufacturer's web site regularly for security updates.
If using the full version of Outlook from MS Office, apply all the security patches available from the Office Update Site on a regular basis.
For best protection:
Use Microsoft Outlook 2000 or Microsoft Outlook 2002 / XP for email.
Microsoft Outlook 2002 / XP blocks all attachments with the dangerous file extensions listed above right out of the box.
Microsoft Outlook 2000 needs to be patched to Service Release 1a (Available from the Office Update Site) and the Outlook 2000 SR-1- Extended E-mail Security Update should be installed.
With a patched version of Outlook 2000 or Outlook 2002/XP it is impossible to open or send an attachment with any of the listed dangerous file extensions. This attachment blocking removes the need to know the list of dangerous attachments.
(See Also Update 1 - Changes in how Outlook Express 6 handles attachments after installing Service Pack 1 (SP1) and Update 2 - What are ZIP files and are they safe attachments to open?)
Rick Macmurchie
Phone: (250) 658-6319
E-Mail: rmac@novatone.net