computerwriter.com

I Love You (Not)

Toronto Star Fast Forward column for May 18, 2000

Copyright ©, Myles White, 2000

I Love You. That's about as nasty a heading as I can think of for a destructive computer virus. By now, unless of course you've been back-packing in the Himalayas, you've heard of this pernicious "worm" virus and the destruction it has caused world-wide. No doubt you'll also be following news bytes from the Philippines where the alleged culprits are under arrest (or at least were when I wrote this on May 10).

If the original virus wasn't bad enough, it has led other brain-damaged idiots to write up their own variations. According to Symantec's Anti-Virus Center ( www.sarc.com ), there were 29 new versions as of May 9. Network Associates (MacAfee Anti-Virus at www.macafee.com) had counted 23 different versions by the same date.

Fixes

If you've got either the original I Love You (aka Love Letter) virus or one of the versions with equally appalling names such as Very Funny, Mother's Day Confirmation, BugFix, and a host of others (see the two Web sites above), and you're running either Norton Anti-Virus (Symantec), MacAfee Anti-Virus, or Dr. Solomon (also a Network Associates product at the same address as MacAfee), you can download updates to your existing anti-virus software.

If you're not running any of these programs (why not, for goodness sake?), then Symantec has also produced a free tool to fix the problem (at www.symantec.com/avcenter/download.html).

Prevention

I was sent the original Love Letter virus four times the day it broke out, but in my case, it never got beyond my e-mail trash basket. That's because I'm paranoid about programs or formatted documents sent as attachments to e-mail messages. As a standard, inflexible policy that drives public relations companies mad, neither I nor anyone connected with me will open one. We immediately dump and kill 'em. It doesn't matter who they come from or what the reason was that they had for sending them.

I especially won't click on anything with an executable extension (.exe, .com, .bat, .vbs, or .vbx). The last two are the extensions for Microsoft's VisualBasic scripts and, if you've been following the news, you'll know that the program that came in the "Love Letter" had a .vbs extension on it. This policy also saved me from the Pretty Park worm a couple of months ago and more than a few of what I suspect were deliberate attempts to sabotage my systems sent in by "fans" with a grudge over the past couple of years.

There are a few program types that cannot carry viruses and that I will accept, such as Adobe Acrobat Portable Document Format (PDF) files or pictures with .JPG or JPEG, GIF, and or .PNG extensions (but I discourage public relations agencies and readers from sending these simply because of the extra time it takes to download them). Pure text files (with a .TXT extension) are also safe. But if I get anything that has one of those extensions followed by .VBS, there's no way I'd open it.

Yes, I could run an anti-virus checker against each piece of mail I get with an attachment as part of it; however, with upwards of 50 messages each day (not a huge amount, but enough to keep me hopping reading each one) I haven't the time or the inclination to take the time to go to this level.

More Prevention

I don't understand it myself, but I am aware that many people trade jokes, pictures, and other bits of fun and nonsense among themselves over the Internet as attachments to e-mail. It has become a new form of social interaction among family members and groups of friends. And, heck, it's mostly just good, clean fun and a nice way to use your computer and Internet connection to strengthen the bonds of affection in such collectives.

But it can also lead to problems if we're not careful. Depending on the version, some of the main e-mail programs that PC users utilize such as Microsoft Outlook and Outlook Express, Netscape Communicator Message Manager, and both Eudora Pro and Eudora Lite, have settings left over from a less contentious era that allow the programs to execute or open binary attachments automatically. What you want to do is to turn these options off so that you have manual control over whether an attachment is opened or not. Again, depending on the version, some of the programs noted above have special attachment-handling settings that allow you to deal with them automatically in other ways.

Let's take them in the order above.

Outlook and Outlook Express: These instructions are for Outlook 2000 and Outlook Express 5.x. If you have earlier versions, click on Help, then search for "attachments" to find the section where you turn this feature off.

Outlook 2000 is one of the programs with a dangerous option. 

1. Under the main menu item, Tools, choose Rules Wizard.
2. In the first screen, select "Check messages when they arrive."
3. From the voluminous list of options on the next screen, select "Which has an attachment."
4. On the next screen, you get more choices, including the dangerous ones such as "start an application," or "perform a custom action."
   1. You probably want to make sure these are unchecked. 
   2. Other options include deleting the message and sending a template message to the sender (for example: "I do not open unsolicited binary attachments. Your message has been deleted unopened. Please resend your message in plain text, or call me to discuss it.").
5. On the next screen is a list of exception rules (example: delete the attachment and send the message unless it's from Uncle Fred). You can also use this screen to modify other rules (save messages from Aunt Myra unless they have attachments).
6. On the last screen, you give the rule a name, then click Finish.

Outlook Express 5 

1. On the main menu strip, click on Tools, choose Message Rules, then Mail.
2. When the New Mail Rule dialogue box comes up, search for "Where the message has an attachment" in the top list of conditions. Place a checkmark in the box beside the line.
3. Then, in the bottom half of the box, select one or more actions. You can have messages with an attachment moved or copied to a specified folder, deleted, flagged, not downloaded from the server, and/or deleted from the server. There are other choices such as forwarding it to other people that you will most likely not select.

Netscape Communicator: This applies only to version 4 or earlier. If you have a later version of Netscape Message Manager, search Help for "attachments."

1. Message Manager does have a mail filter (under Edit, Mail Filter), but has no way I could find to detect attachments or to specifically handle them.

Eudora is now up to version 4.03 and is free to both registered users of Eudora Pro and to those who previously used Eudora Lite. It has the same functionality in both versions, but the "free" rendition carries advertising.

1. To set up mail filters, click Tools on the main menu, then select Filters. However, this is not where you deal with attachments, at least not just yet.
2. To control attachments and other little goodies such as executable programs arriving in HTML-formatted messages, click Tools, then select Options.
   1. When the Options dialogue opens, scroll down the list of icons on the left until you find "Incoming Mail." One of the options here allows you to set a size limit on incoming messages (Skip messages over:___ in size). Because binary attachments are often large, setting this figure to 25 KB, for example, will hold the message on the server until you decide to download it manually (if at all). You'll get a partial download including the header so you can check who is sending it, the message will be truncated, and there will be a text message saying: "Warning, this message was not downloaded from the server...." 
   2. You can use this message to set up a mail filter (see above) that can set the message to a different colour, add a label, automatically move the message to Trash, then generate a return message (Your message exceeded the permissible length and this usually means a binary attachment accompanied the message. Please note that I do not...).
3. Now scroll down a bit more until you find an icon labelled "Attachments." 
   1. In the dialogue box to the right you get several more options, such as nominating a folder in which to store the attachments. The important box to check off here is the one labelled "Delete attachments when emptying Trash."
4. Next, scroll down a bit more to the icon labelled, "Viewing Mail." 
   1. In this section, look to the bottom of the dialogue box for the line that says "Allow executables in HTML content." 
      1. Leave this box unchecked.
5. There's still more. Find the "MAPI" icon a little farther down the list. Check "Delete MAPI attachments when emptying Trash."
6. And finally, the last item, Miscellaneous, contains the option to "Empty Trash when exiting." I leave that one checked, too.

Bottom Line

It's unfortunate that we have to take these security precautions and that for many people, it will pretty much either eliminate sending and receiving file attachments, or mean that extra time will have to be spent checking them for viruses, but that's the sad world in which we live.

However, there's one last point worth noting. The only way the Love Letter virus could have spread was because people either clicked on it to open the attachment, or had their system set to automatically run or open either executables in HTML documents or other attachments. At the very least, these are unsafe practices.

Back to top