I have no doubt you are,
too, but what to do about it? We can't just sit here and let the bad
guys win. You can run your virus checker religiously, update the virus
data files as often as they are released to you, but the enemy is always
one step ahead of the virus software because, almost by definition,
that's how the software people stay in business. If you didn't need
fresh information on a continuing basis, they could only sell to you
once, right?

So am I recommending tossing Norton and
McAfee and F-Secure and their ilk into the trash? Of course not. Buy it,
update it, and use it. But use your head, too. There is a lot you can
do to protect yourself. In fact, your best defense is a good offense, so
let's set up our offense first in the form of understanding some of the
major things that can hurt you. The main thing to remember is NEVER to
open anything unless you are absolutely positive it is harmless, and for
all sorts of reasons, it's often difficult to determine that.

We all know that executable files can carry
destruction into your computer. But not all executables have the
extension of .EXE, not by a long shot. Runnable programs come in all
sorts of shapes and configurations entirely aside from .COMs and .BATs
and .EXEs. You already know better than to touch those. But what about
an .REG? Unless this is something you particularly asked for, it could
have the ability to eat your registry by merging itself into it or even
destroying it completely. If you are one of the few people (in my social
circle) who are running NT or Win 2000, then a .CMD is the same thing
as a .BAT file and so would also be considered executable.

A .PIF is a program information file. It
provides information about a DOS program, such as how much memory it
needs, how it accesses the screen, etc. Open or run a PIF file, and its
associated .EXE, .COM or .BAT file is executed. Did you know that? Aside
from those, consider JavaScript, which employs the extensions of either
.JS or .JSE. The first is a program written in the JavaScript language.
The second is the same thing except that it's been encoded to prevent
us from seeing its true content. JavaScript is, of course, used on the
Internet and thus should be treated with all due respect.

Files with names ending in .INF contain
information describing how a program or driver should be installed. They
include lists of files to be copied, and even Windows Registry entries
to be added, changed or deleted. Opening or double clicking this type of
file can have undesirable consequences, to put it mildly. A .WSH is a
text file that contains settings used when running a particular script.
Open or run one of these files and its associated script file (.VBS,
.VBE, .JS or .JSE) will be executed. A .WSF is a file containing scripts,
data and other information, written in XML, the eXtensible Markup Language.
(This is the language Mr. Gates plans to use to conquer the world, Part
II.)

A major problem now is VBScript, Microsoft's
scripting language which is an extension of their Visual Basic language.
It can be used with MS Office applications, among others. It can also
be embedded in web pages and be understood by browsers. This is where a
big problem comes in. A file with a .VBS extension is a text file
containing a program written in the VBScript language. These are 32-bit
Windows programs, and they can do anything an .EXE can do. A .VBE is a
VBScript file that also has been encoded to prevent us from seeing its
true nature. The .VBE is recognized only by Win 2000 or any older
version of Windows that has been upgraded to Windows Scripting Host ver.
2.0. Perhaps you remember my mentioning a risky procedure at the last
meeting involving this particular update, which I DO NOT recommend.

Set up your Explorer or
My Computer to always show filenames, ALL FILENAMES, and also all
extensions. Under View, be sure to set up LIST and DETAILS. Then click
Folder Options, the View tab, UNCHECK "hide file extensions for known
file types". Under Hidden Files, click "show all files." Once you can
see what a file's extension is, you are in a better position to avoid
poisoning your own well. Make a list of all those extensions we mentioned
and keep it handy so you can check it again for something that could be
trying to come into your computer by way of an e-mail attachment. Stay
on your toes. Open text files in Notepad, not by just clicking the file.
Open something that purports to be a graphic in a graphics viewer.
Graphics do not carry viruses but it's very simple to change the name of
a file and its extension to make it look like a graphic. Use your
noodle. If you don't know what it is, and can't find out, then just
forget it. It ain't worth it.

I use McAfee VirusShield so that's the only
one I can describe reliably but they pretty much all work the same way.
In most of these programs, you can generally name the extensions of
files that you want to always scan before they are accepted. If using
McAfee, go to its "Properties, System Scan, Detection, What to Scan,
Extensions". There, check the list of usual suspects against the list
you just made. You can add any extensions that are missing. Under
"E-Mail Scan, Attachments", check ALL ATTACHMENTS. Under "DownLoad Scan,
What to Scan, Extensions", again, add anything that you think should be
there. Under "Internet Filter", tell your program to thoroughly
check out ActiveX Controls and Java Classes for potentially harmful
items.

There is one more thing, and it's important.
The latest virus, or worm, or whatever, that had the potential to
totally ruin your day had TWO extensions. It read "filename.txt.shs".
Two periods in a filename! That's all you need to know! If you see such
an animal you know something strange has happened to its DNA. Sometimes a
filename's extension is invisible for one reason or another, and this
is one of those times. The extension .SHS is NEVER shown in Windows if
you use the defaults. SHS files are Shell Scrap files and they can be
set to hide all sorts of unpleasant things. Even if a system is
configured to "show all files" and "show extensions of known file
types", and even though your virus checker can search for them, (if you
take it upon yourself to tell it to do so), it WILL NOT SHOW THIS
EXTENSION.
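The list of extensions and the two-extension warning above can be turned into a quick check of attachment names. This is an added example, not part of the original article; the DECOYS list and the sample filenames are assumptions made for illustration.

```python
import ntpath

# Extensions the article lists as runnable or able to alter the system.
RISKY = {".exe", ".com", ".bat", ".cmd", ".reg", ".pif", ".js", ".jse",
         ".inf", ".wsh", ".wsf", ".vbs", ".vbe", ".shs"}
# Harmless-looking extensions used as a disguise (assumed list for this example).
DECOYS = {".txt", ".jpg", ".gif", ".bmp", ".doc"}


def check_attachment(name):
    """Classify one attachment filename; returns (verdict, real_extension)."""
    # Windows ignores trailing dots and spaces, so "x.vbs. " still runs as .vbs.
    base = ntpath.basename(name).rstrip(". ").lower()
    exts = ["." + part for part in base.split(".")[1:]]
    if not exts:
        return ("no-extension", "")
    last = exts[-1]
    if last in RISKY:
        # Only the final extension decides how Windows opens the file.
        if len(exts) > 1 and exts[-2] in DECOYS:
            return ("double-extension", last)
        return ("risky", last)
    return ("not-listed", last)


def flag_attachments(names):
    """Return only the names that should not be opened, with the reason."""
    results = {}
    for name in names:
        verdict, ext = check_attachment(name)
        if verdict in ("risky", "double-extension"):
            results[name] = f"{verdict} ({ext})"
    return results


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["filename.txt.shs", "holiday.jpg", "SETUP.VBS. ", "notes.doc.PIF"]
    for name, why in flag_attachments(sample).items():
        print(f"{name!r}: {why}")
```

A "not-listed" verdict only means the extension is not on the list; it says nothing about whether the file is what its name claims.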

Here's how to make it show by changing an
entry in the Registry, and I'll tell you step by step how to do it.
Click Start, Run, type "regedit", click OK. Click Registry, then Export
Registry File. Give it a name and tell it where to go. The Desktop is
fine, or My Documents. Click the little plus sign beside
HKEY_CLASSES_ROOT to open it up. Go way down the list, quite near the
end, until you find a folder called "ShellScrap". This time, click the
folder itself; don't open it. In the window pane on the right side of
your screen you will see "NeverShowExt"="0". That sounds great, but it's
not enough. Highlight this text by clicking it once. On the Menu item
at the top of the Regedit screen, click on EDIT, then on MODIFY. A box
will open up with two areas, the first of which contains your
highlighted text. The second one is empty. Into this empty box, type
(exactly, but no quotes) "AlwaysShowExt". Click OK after you've done
this, then close the registry editor. Nothing will go wrong but perhaps
you'll sleep better if you know that if you screw it up somehow, all you
have to do is go back to the beginning and choose the selection,
"Import the registry", and tell it where you put the exported copy in
the beginning. Now get a good night's sleep, because you have done just
about everything you could to protect yourself against mischief.
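The exported registry file from the first step can also be searched for every file class that carries a NeverShowExt entry, not only ShellScrap. This is an added example, not part of the original article; it assumes the export is in the REGEDIT4 text format and has been read into a string, and the excerpt below is constructed.

```python
import re

# Constructed excerpt in the text format written by Registry > Export Registry File.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\.pif]
@="piffile"

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\piffile]
@="Shortcut to MS-DOS Program"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
'''


def hidden_extensions(reg_text):
    """Map each extension whose class carries NeverShowExt to that class name."""
    ext_to_class, hiding = {}, set()
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]", line, re.I)
        if line.startswith("["):
            key = m.group(1) if m else None  # skip subkeys and other hives
        elif key and key.startswith(".") and line.startswith('@="'):
            ext_to_class[key.lower()] = line[3:].rstrip('"')  # extension -> class
        elif key and line.lower().startswith('"nevershowext"='):
            hiding.add(key.lower())  # this class hides its extension
    return {e: c for e, c in ext_to_class.items() if c.lower() in hiding}


if __name__ == "__main__":
    for ext, cls in hidden_extensions(SAMPLE_EXPORT).items():
        print(f"{ext} is hidden by a NeverShowExt entry on {cls}")
```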