Malicious Software

Viruses and Worms and Trojans and Spyware, Oh My!

More than 2000 virus- and worm-carrying email messages arrive at the JMU email server each and every day, and we are seeing increasing numbers of virus-carrying instant messages. Infected computers spew out thousands of packets per minute attempting to infect neighboring computers with worms. Web visitors using Internet Explorer have spyware and trojans installed on their computers by hostile web pages. Regardless of what you call these malicious programs (virus, worm, trojan, bot, or spyware), all are undesirable additions to our computers. We'll refer to them all collectively as "malware", short for malicious software.

Unless a particular piece of malware is extraordinarily virulent, unique, or common, special announcements will not be made. With tens of thousands of unique malware samples already in existence, and new ones coming out daily, it is impractical to keep in mind all the possible symptoms they may present. Posting alerts to the entire population on every new virus would just result in needless clutter, alarm, and probably eventual numbness. The same piece of malware is often referred to by different names by anti-virus companies and the press, leading to further confusion. The general StartSafe and R.U.N.S.A.F.E. guidelines will protect against almost all malicious software regardless of form or name - virus, worm, trojan, spyware, adware:

An ounce of prevention is worth a pound of cure. Once malware runs on a computer, its actions are limited mostly by the whims of the author. Malware that opens the computer to control by third parties is often seen. Damage is sometimes irreversible and often causes large amounts of frustration and lost time because of complicated clean-up and recovery procedures. The relative benevolence of past malware should not be expected of future malware.

There are many malicious software packages in circulation that are not detected by anti-virus software, and new ones are released daily. Conventional security measures such as anti-virus software, firewalls, and security updates will often not prevent an infection caused by a program the operator chooses to run. Many malicious programs allow the criminal to download additional software or change the computer's configuration. Many of them disable anti-virus software, firewalls, and updates. All of this means that once a computer is infected, chances are good that it will remain infected, exposing the computer's accounts, data, and services.

The first line of defense is to refuse to run unknown programs. The second, which is presently effective at limiting or entirely preventing a compromise due to an operating mistake or previously unknown malware, is to operate the computer from a regular (non-administrator) user account. This measure may be more effective than anti-virus/anti-spyware software because it does not depend upon constant signature updates as new threats are released: a program that runs without administrative rights cannot install system-wide software, alter system files, or disable the protections already in place. Most computer operators will have little or no problem using this type of account once it is set up. Windows XP instructions are here. Macintosh instructions are here. Generic information is here. This practice is effective for preventing the majority of viruses, worms, trojans, spyware, and other malicious programs from getting a toehold in a computer and limits the ability of others to do damage or hide themselves.

Malware Related Links of interest:

  • Detailed virus threat information from Symantec, Microsoft, and McAfee, the antivirus product vendors
  • Microsoft releases a Malicious Software Removal Tool with each monthly set of automated security updates that targets specific, widespread malware. If your computer is set up for automatic updates as recommended by StartSafe, you need do nothing more. The reported results from this tool are illuminating (1, 2, 3, 4).

Scams, Hoaxes and Fables

If you run across a suspicious file, you can submit it through a web browser to http://www.virustotal.com/flash/index_en.html and/or virusscan.jotti.org. These sites will run several anti-virus products against the submission. Do not assume, however, that a clean bill of health means the file is harmless; new or targeted malware routinely passes every scanner for days. Also bear in mind that submitted files are shared with the participating anti-virus vendors, so do not submit documents containing confidential information.

Email messages containing attachments with certain names and extensions have their attachments stripped off by the JMU email server because of their common use by malicious software. Thousands of virus carrying messages are prevented from reaching our computers each day. The types of messages that are blocked are described here.
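As an added illustration of how such a server-side filter works (this is example code, not JMU's filter, and the page does not give JMU's actual list of blocked names), the following Python strips attachments whose file name ends in a blocked extension. The blocklist, the sample message and the X-Stripped-Attachments header are constructed for the example; the check deliberately looks at the last extension so that "Invoice.PDF.EXE" is caught, and it ignores case and trailing dots.

```python
"""Added example: strip mail attachments whose names end in a blocked
extension, as a mail server filter would. The blocklist, the sample
message and the X-Stripped-Attachments header are constructed here and
are not JMU's actual configuration."""
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from typing import List, Tuple

# Constructed blocklist: extensions mail-borne malware has commonly used
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}


def is_blocked_name(filename: str) -> bool:
    """Judge the last extension, case-insensitively, after dropping trailing
    dots and spaces. "Invoice.PDF.EXE" and "report.exe. " are blocked;
    "notes.txt" and "setup.exe.txt" are not."""
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def _prune(part) -> List[str]:
    """Remove blocked attachments from a (possibly nested) multipart part."""
    removed: List[str] = []
    if not part.is_multipart():
        return removed
    kept = []
    for sub in part.get_payload():          # list of sub-parts for multipart
        name = sub.get_filename()
        if name and is_blocked_name(name):
            removed.append(name)
        else:
            removed.extend(_prune(sub))     # descend into nested multiparts
            kept.append(sub)
    part.set_payload(kept)
    return removed


def strip_blocked_attachments(raw: str) -> Tuple[str, List[str]]:
    """Return the sanitized message text and the attachment names removed."""
    msg = Parser(policy=policy.default).parsestr(raw)
    removed = _prune(msg)
    if removed:
        # Hypothetical header so the recipient can see what was stripped
        msg["X-Stripped-Attachments"] = ", ".join(removed)
    return msg.as_string(), removed


def attachment_names(raw: str) -> List[str]:
    """Names of the attachments still present in a message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def build_sample_message() -> str:
    """Constructed test message: one harmless PDF plus two blocked names."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@jmu.edu"
    msg["Subject"] = "here you go"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.EXE")
    msg.add_attachment(b"@echo off", maintype="application",
                       subtype="x-msdos-program", filename="setup.bat")
    return msg.as_string()


if __name__ == "__main__":
    cleaned, gone = strip_blocked_attachments(build_sample_message())
    print("stripped:", gone)
    print("kept:", attachment_names(cleaned))
```

A filter like this is only a first cut: it says nothing about the contents of a .zip or a macro-bearing document, which is why the page goes on to say that refusing to run unknown programs remains the first line of defense.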

Some undesirable programs are installed alongside other, seemingly legitimate programs or when you're offered downloads from some web sites. Read all program documentation thoroughly before installing software, particularly if it is downloaded from the Internet, and only install programs written by and obtained from trusted sources. Often the distributors of programs that include spyware or adware tell you so in the fine print of the licensing or installation documentation. Two tools, Adaware and SpyBot, target these programs in particular and are available on the JMU Computing Downloads site.

Help! I'm getting e-mail messages returned from people I didn't send anything to. Some of them are telling me I have a virus.

These types of messages are almost never an indication that you, your computer, or your e-mail account has a problem.

The messages are almost always caused when criminals or infected computers forge your e-mail address in the FROM field of messages they are sending to other people. This is done to decrease the risk of detection, cause confusion, or increase the chances of fooling recipients by using a name the recipient may trust. It can be done from any computer anywhere in the world.

The messages are a reflection of the trusting design of the Internet and the abuse of that trust. Internet e-mail standards allow anyone to pretend to be anyone else.

This activity ebbs and flows. During periods of high virus, scam, or SPAM activity, you may see quite a lot of such messages. If the messages are sent to a public e-mail distribution list, a lot of people may see them, respond, and cause a flood of confusing messages.

Here is an example of what is happening:

  1. A computer somewhere in the world owned by "Bill" becomes compromised. It may be compromised by a virus that picks e-mail addresses at random or harvests them from files on the computer, or it may be compromised in a way that allows criminals to use his computer to send SPAM and messages with malicious intent.
  2. The computer, under the control of the virus program or remote criminal, composes an e-mail message. It can put anything it wants in the TO and FROM fields. Neither field determines where the message actually gets delivered or from what account or computer it is sent. It should be particularly noted that the FROM field is as meaningless and easily forged as the return address on the outside of an envelope: anyone can write anything they want there.
  3. The compromised computer sends a message. For example:

    From: DukeDog@jmu.edu (Note that it does not say Bill, though it could. It might list your address, helpdesk@jmu.edu, santaclause@northpole.net, President@bank.com, or anything else the virus or criminal wants to put there.)

    To: HokieBird@vt.edu (The message may be received by HokieBird or someone else entirely. Actual mail routing does not depend on this field. You may receive messages not appearing to be addressed to you.)

  4. HokieBird's e-mail server receives the message.

    If the server delivers the message to HokieBird's mailbox, HokieBird sees a message that appears to have been sent by DukeDog@jmu.edu but that was actually sent by Bill's computer under the control of a virus or criminal. If HokieBird replies to the message, the reply will usually get sent to DukeDog@jmu.edu, the apparent sender. Other fields under the control of the virus or criminal, such as Reply-To, can change this behavior and send replies to a completely different third party, for example tuitionpayment@criminal.net.

    DukeDog may also receive a message if HokieBird's e-mail server refuses to deliver the message to HokieBird's mailbox. The server may do so for a number of reasons, but whatever the reason, it will send any error or status messages to the apparent sender, DukeDog@jmu.edu, because that is the address the forged message names as its sender. (Strictly, such bounces go to the envelope sender given in the SMTP MAIL FROM command, which normally matches the FROM field and is just as easily forged.)

    Reasons DukeDog@jmu.edu may get a response from HokieBird's server:

    1. The VT server can't find a user named HokieBird@vt.edu (example message subject: Returned mail: User unknown)
    2. HokieBird's mailbox is full
    3. The server detects a virus
    4. The message has an illegal attachment
    5. The message looks like SPAM

There is nothing that can be done about the problem on this end. We cannot stop a computer outside JMU from sending e-mail messages, even forged ones, to other computers. In cases of gross abuse, we can complain to their internet provider but this is rarely effective. Hundreds of thousands of computers outside JMU are infected and compromised, some say millions, and are often used by criminals to send SPAM, scams, and viruses. We have no control over them.

For those interested, the true source of an infected message can usually be determined by examining the full mail headers. Note that the headers from the original, infected message must be examined, not the headers of a complaint or bounced message. Also note that some viruses add false Received lines of their own to make this more difficult; only the Received lines written by mail servers you trust, which sit above any lines the sender supplied, can be believed.
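The exchange in the numbered list above and the header examination described in this paragraph, as an added Python example that is not part of the original page: it builds the forged message as HokieBird's server would hold it, then shows where a reply and a bounce would go and how a receiving site finds the real source. Hosts, IP addresses, timestamps and the planted Received line are constructed; only the e-mail addresses are the page's own. The trusted-relay walk in trace_origin is the standard technique: read Received lines newest-first and stop at the first hop one of your own servers recorded from the outside, ignoring everything the sender wrote below it.

```python
"""Added example: a message with a forged From and Reply-To plus a planted
Received line, and the header checks a receiving site can apply. All hosts,
IPs and dates are constructed; the addresses are the page's examples."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from typing import Optional, Set

# "from <helo> (<reverse-dns> [<ip>]) by <host>" as most mail servers write it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def build_forged_message() -> str:
    """What HokieBird's server ends up holding. Bill's compromised PC chose
    every header except Return-Path and the two vt.edu Received lines, which
    vt.edu's own servers added as the message arrived."""
    msg = EmailMessage(policy=policy.default)
    msg["Return-Path"] = "<DukeDog@jmu.edu>"   # envelope sender, forged too
    msg["Received"] = ("from mx1.vt.edu (mx1.vt.edu [198.51.100.10]) "
                       "by mail.vt.edu with ESMTP; Mon, 1 Jan 2007 10:00:05 -0500")
    msg["Received"] = ("from bills-pc (dsl-203-0-113-45.example.net [203.0.113.45]) "
                       "by mx1.vt.edu with SMTP; Mon, 1 Jan 2007 10:00:01 -0500")
    # Planted by the malware so the mail looks as if it came through JMU
    msg["Received"] = ("from mail.jmu.edu (mail.jmu.edu [192.0.2.25]) "
                       "by bills-pc with SMTP; Mon, 1 Jan 2007 09:59:00 -0500")
    msg["From"] = "DukeDog@jmu.edu"                  # free text, never verified
    msg["To"] = "HokieBird@vt.edu"                   # not what routes the mail
    msg["Reply-To"] = "tuitionpayment@criminal.net"  # diverts the Reply button
    msg["Subject"] = "here you go"
    msg.set_content("It's ready now.")
    return msg.as_string()


def _parse(raw: str):
    return Parser(policy=policy.default).parsestr(raw)


def apparent_sender(raw: str) -> str:
    """What the recipient's mail client displays as the sender."""
    return parseaddr(str(_parse(raw)["From"]))[1]


def reply_destination(raw: str) -> str:
    """Reply-To, when present, overrides From for a reply."""
    msg = _parse(raw)
    return parseaddr(str(msg.get("Reply-To") or msg["From"]))[1]


def bounce_destination(raw: str) -> str:
    """Bounces go to the envelope sender (Return-Path), else From."""
    msg = _parse(raw)
    return parseaddr(str(msg.get("Return-Path") or msg["From"]))[1]


def naive_origin(raw: str) -> Optional[str]:
    """Reading the bottom-most Received line is exactly what the planted
    line is designed to fool: it reports the fake jmu.edu hop."""
    lines = _parse(raw).get_all("Received", [])
    m = RECEIVED_RE.search(" ".join(str(lines[-1]).split())) if lines else None
    return m["ip"] if m else None


def trace_origin(raw: str, trusted_hosts: Set[str]) -> Optional[str]:
    """Walk Received lines newest-first and stop at the first hop that one
    of our own relays recorded from an outside host. Everything below that
    line was supplied by the sender and is ignored."""
    for line in _parse(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(line).split()))
        if m and m["by"].lower() in trusted_hosts and m["rdns"].lower() not in trusted_hosts:
            return m["ip"]
    return None


if __name__ == "__main__":
    raw = build_forged_message()
    print("appears from:", apparent_sender(raw))
    print("replies go to:", reply_destination(raw))
    print("bounces go to:", bounce_destination(raw))
    print("bottom Received line claims:", naive_origin(raw))
    print("real source per trusted relays:", trace_origin(raw, {"mail.vt.edu", "mx1.vt.edu"}))
```

The set of trusted hosts has to be the receiving site's own servers; run with an empty set, trace_origin refuses to name a source rather than guess, which is the right failure mode when you cannot tell which lines are genuine.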

We are limited in what we can filter in our central e-mail system. However, individuals may create custom filters suited to their tolerance, desires, and abilities. These capabilities are more fully described here. Such filters won't stop the forgery or the response messages but may allow you to discard messages resulting from them if they get too numerous or bothersome.

The only generic statement that can be made about the issue is that e-mail and instant messages are not reliable communications methods on which to base any decision concerning sensitive information or the identity of the apparent sender. Note that the same statement applies to telephone numbers and addresses included in such messages. If sensitive information, finances, or computer programs are involved, always verify the information through a trusted source - web site, previously known or published phone number, etc. - independent of the information provided in the message. While these statements are true of all such messages, messages you expect will understandably be trusted more. However, be wary of generic messages such as 'here you go' and 'it's ready now' that can be interpreted as responses to almost anything. Authors of business messages can help combat this problem by crafting complete messages and/or including the original request in their responses.