 July 1, 1999

Geek gets bit by virus; how can you avoid it?

After years of dodging the bullet, I’ve finally been hit.

On June 10 my system was attacked by the Worm.ExploreZip virus. You’ve probably heard plenty about this virus already. What you may not have heard, though — if you weren’t hit by the virus yourself — is the clever way in which the virus programmer used “social engineering” to encourage people to run the file.

Social engineering is an old term used by phone phreaks (phone phreaks are people who hack into telephone systems so that, for instance, they can make free phone calls). Social engineering refers to the way in which a phreak can use cunning and deception — rather than computing skills — to obtain information that would allow him access to a system.

A phreak might impersonate a system administrator when calling a technician, and try to elicit private information such as account IDs and passwords. (If you’d like to read a description of the sorts of social-engineering tricks used by phone phreaks, visit http://natasha.warezbbs.com/contributors/gothic9/napvol2.html.)

How did the Worm.ExploreZip virus use social engineering? Well, it was ultimately the programming that damaged my computer’s data files. But I know better than to run an executable file someone sends me over the Internet. In order to get me to run the file I had to be softened up with social engineering first.

Here’s what happened. First, I received an e-mail from someone I’d never heard of. You may have read that the virus goes into the Microsoft Outlook inbox and sends responses to messages that have been received, attaching itself to the outgoing messages, so that the person getting the virus recognizes the person apparently sending the message. In my case that didn’t quite happen. I have a newsletter that goes out to 25,000 people, and in this case the virus was responding to a message that had gone to one of my subscribers; I didn’t recognize his name.

But I did recognize the Subject line, because it referred to my newsletter — this message was clearly a response to something I had sent. And the message text seemed to make sense, too. Well, as much sense as many of the messages I receive.

“Hi Top !,” it began. No, Top isn’t my name, but Top Floor Publishing is my company name, and I often get people misunderstanding my name (calling me Richard, for instance, instead of Peter, because my newsletter is called Poor Richard’s Web Site News) or just trying to be cute. In any case, I’m not sure I really noticed the salutation. I get scores of e-mail messages each day, so tend to scan them very quickly.

“I received your e-mail, and I shall send you a reply ASAP,” the message continued. “Till then, take a look at the attached zipped docs.” This made sense to me, in combination with the Subject line.

I had recently sent out sample chapters from a book I’m publishing (“Poor Richard’s E-mail Publishing,” by Chris Pirillo — see http://TopFloor.com/), and had received dozens of responses, in many cases files that the readers had returned with comments inserted into the text. My immediate reaction was that this was one of the responses related to that book.

Now, you already may have heard what I’ve just described. That the virus e-mails responses to messages, trying to masquerade as a message from someone you know. But there’s yet another trick the virus programmer used, one I haven’t seen described in the press.

If the virus had only done what I’ve described so far, I would have been OK. I wouldn’t have run the program that was attached to the message. I never run programs that I don’t recognize, and even if I do recognize them I virus check them first. But in this case I didn’t realize it was a program.

The attachment was called zipped_files.exe. But the programmer had attached the WinZip icon to the program. You’ve probably seen this icon, a picture of a vise squeezing a filing cabinet (if not, go to http://www.winzip.com/, where you can see the icon right above the large word, WinZip). I glanced down at the attachment in the message, saw the zip icon, and without paying attention double-clicked on it to open it, so I could see what was inside.

The fact that there was .exe at the end of the filename didn’t really register with me. It had been a long day, I hadn’t slept much the night before, I saw the zip icon …

You should understand that opening .zip files does not, in itself, pose a danger from viruses. Although a zip file might contain a virus inside it, merely opening the file and viewing its contents in the WinZip viewer will not run anything, so listing what is in a zip is safe; the danger comes only when you extract and run what is inside. (The only types of files that can carry viruses are files that “do” something: program files, and files containing advanced document formats that can contain macros, such as Word for Windows and Microsoft Excel files. Files that are essentially inert until another program does something with them, such as image files that must be opened in a program that will display them, cannot carry viruses, at least so long as the program displaying them has no bug that a malformed file could trigger.)

Of course, this wasn’t a zip. The first thing I saw was a message saying “Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again.” My immediate thought was that the person sending the file had screwed up the manner in which he had created the file.

So, at this point the virus was free on my system, blowing away files here and there. It focused on .doc (Word for Windows), .ppt (PowerPoint), and .xls (Excel Spreadsheet) files. If I’d been a programmer it also would have started blowing away various C and C++ files: .h, .c, .cpp, and .asm files. (It was not removing the files completely, just removing all the data from the files.)
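If you were hit, the first practical question is which files were emptied and therefore need restoring from backup. The following is an added example, not code from the column: it walks a directory tree and reports zero-byte files carrying the extensions the column says the worm targeted, while keeping zero-length files of other types (which can be legitimate) in a separate list so they are not mistaken for damage. The sample tree it builds is constructed for illustration.

```python
"""Triage after an ExploreZip-style hit: list the zero-byte files it left behind.

Added example, not code from the column. The target extensions are the ones
the column reports; the directory tree is constructed here for illustration.
"""
import tempfile
from pathlib import Path

# Extensions the column says the worm emptied: Office documents and C/C++/asm sources.
TARGETED_EXTENSIONS = {".doc", ".ppt", ".xls", ".h", ".c", ".cpp", ".asm"}


def triage(root, targeted=TARGETED_EXTENSIONS) -> dict:
    """Classify every file under `root`.

    The worm kept the files but stripped their contents, so a zero-byte .doc or
    .c is the signature to look for. Zero-length files with other extensions are
    reported separately rather than flagged, because an empty .txt or lock file
    can be perfectly normal.
    """
    root = Path(root)
    emptied, other_empty, intact = [], [], 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        is_target = path.suffix.lower() in targeted
        if path.stat().st_size == 0:
            (emptied if is_target else other_empty).append(rel)
        elif is_target:
            intact += 1
    # "emptied" doubles as the restore list for the backups mentioned in step 1.
    return {"emptied": sorted(emptied), "other_empty": sorted(other_empty), "intact": intact}


def build_sample_tree() -> Path:
    """Constructed sample tree: a few intact files and a few emptied ones."""
    root = Path(tempfile.mkdtemp(prefix="explorezip-triage-"))
    (root / "book").mkdir()
    (root / "src").mkdir()
    (root / "book" / "chapter1.doc").write_bytes(b"")                # emptied
    (root / "book" / "budget.xls").write_bytes(b"")                  # emptied
    (root / "book" / "notes.txt").write_bytes(b"")                   # empty but not a target
    (root / "book" / "intact.doc").write_bytes(b"\xd0\xcf\x11\xe0 sample")  # OLE header, intact
    (root / "src" / "main.c").write_bytes(b"")                       # emptied
    (root / "src" / "util.h").write_bytes(b"#pragma once\n")         # intact
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print("Restore from backup:")
    for rel in result["emptied"]:
        print("   ", rel)
    print("Zero-length, not targeted (check by hand):", result["other_empty"])
    print("Targeted files still intact:", result["intact"])
```

Run it against the real root of your documents and source trees; the "emptied" list is exactly what you hand to your backup software.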

Just how can you protect yourself from viruses such as these? Here’s a quick list of things to do.

1. Always have recent backups. If you do get hit, at least you can recover.

2. Get a good anti-virus program, and run it in the background so it will detect viruses that are downloaded to your computer.

3. Always have the latest virus definitions. Update every few days if you get a lot of files sent to you across the Internet or install many programs. (My anti-virus definitions were little more than a week old, yet still too old to detect this virus.)

4. And here’s another step that I wouldn’t have thought of mentioning until my experiences last week. Before you run a program, carefully look at the file extension. Don’t rely on just the file icon to tell you what the file really is!
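As an added illustration of step 4 (example code written for this page, not from the original column or from WinZip), the check below judges an attachment in two independent ways that the icon cannot fake: the last extension in its name, which is what Windows acts on when you double-click, and the first few bytes of its content. It goes a little beyond the column by also listing a genuine zip’s members without extracting or running anything, which is the safe operation the column describes. The executable-extension list and the format signatures are assumptions drawn from general knowledge of Windows and the ZIP and PE formats, and the sample attachments are constructed; none is real malware.

```python
"""Judge an e-mail attachment by its real extension and its content, never its icon.

Added example for this column, not code from the column or from WinZip.
The executable-extension list and the file signatures below are assumptions
drawn from general knowledge of Windows and the ZIP/PE formats.
"""
import io
import zipfile

# Extensions Windows will execute on double-click (assumption: short, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Leading bytes of the two formats the column contrasts; the first match wins.
MAGIC = {
    "pe-executable": (b"MZ",),  # DOS/PE header
    "zip-archive": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),  # local header / empty / spanned
}


def real_extension(filename: str) -> str:
    """Return the LAST extension, lower-cased, because that is the one Windows acts on.

    'zipped_files.exe' -> '.exe'   'report.zip.exe' -> '.exe'   'notes' -> ''
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].lower()


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes; the name and icon play no part."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return "unknown"


def list_zip_safely(data: bytes):
    """List archive members without extracting or running anything.

    Returns None if the bytes carry a ZIP signature but do not parse as an archive.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def assess_attachment(filename: str, data: bytes) -> dict:
    """Flag anything executable by name or by content, or whose name lies about its content."""
    ext = real_extension(filename)
    kind = sniff_type(data)
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {ext} is executable on Windows")
    if kind == "pe-executable":
        reasons.append("content begins with a DOS/PE executable header")
    if ext == ".zip" and kind != "zip-archive":
        reasons.append("named .zip but content is not a ZIP archive")
    members = None
    if kind == "zip-archive":
        members = list_zip_safely(data)
        if members is None:
            reasons.append("ZIP signature present but archive does not parse")
    return {
        "filename": filename,
        "extension": ext,
        "content_type": kind,
        "members": members,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_samples() -> dict:
    """Constructed sample attachments for demonstration; none is real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chapter1.doc", "sample chapter with reader comments")
    real_zip = buf.getvalue()
    # A stub carrying only the DOS header magic, standing in for a program like zipped_files.exe.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
    return {
        "zipped_files.exe": fake_pe,  # the pattern from the column: a program wearing a zip icon
        "chapters.zip": real_zip,
        "comments.txt": b"Looks good; two typos on page 3.\n",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        verdict = assess_attachment(name, data)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:20} {verdict['content_type']:14} {flag}  {'; '.join(verdict['reasons'])}")
        if verdict["members"]:
            print("    contains:", ", ".join(verdict["members"]))
```

The two views are deliberately independent: zipped_files.exe is flagged twice (by name and by content), and a file called docs.zip whose bytes begin with an executable header is flagged for the mismatch even though nothing in its name looks executable.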

“Poor Richard’s Internet Marketing and Promotions,” the “sequel” to “Poor Richard’s Web Site,” is now in print. Visit http://PoorRichard.com/promo/ for sample chapters, Table of Contents, and more. The same sort of commonsense advice that made Poor Richard’s Web Site so popular … applied to online marketing and promotions.
