
Viruses - or is it viri? - computer viruses

Business Economics, Oct, 1999 by John H. Qualls

We survived the Melissa and the CIH/Chernobyl virus scares in good shape over here in the Kingdom. I personally don't know of anyone who even received an e-mail with one of these viruses attached. Melissa is a Word macro virus, so all you have to do with this one is make sure that your macro checker in Word 97 is turned on. This alerts you to the presence of macros in any Word document that you load and allows you to strip the macro off before loading the file. Because most people don't attach Word macros to their documents, they can be stripped without affecting the contents. That way you can safely look at the text of the Word message. In the case of Melissa, the text evidently contained a listing of some "hot" web sites, which of course would not be of interest to any of us, right?

As for Chernobyl, it was an ".exe" virus, which would infect your machine if you clicked on the attachment to an e-mail. The only way to detect a virus like this is to have a virus shield program, like that contained in Norton's AntiVirus program, running in the background. It should alert you to the presence of a virus in the e-mail attachment. However, if your virus signature file is not up to date, it might not alert you in time to avoid disaster. So, the best policy is not to click on any ".exe" executable file in an e-mail attachment unless you are absolutely sure that it is OK.

Although we escaped the two most widely publicized viruses, several of my coworkers received e-mails with the "Happy 99" virus attached as an ".exe" file. Norton intercepted these attachments and warned the recipients of the virus' presence. However, even with the Norton shield program running in the background, I still run a separate scan on every ".exe" attachment that I get before running it, just to be sure. Norton is updating its virus signatures at least twice a month now on their website, and we download these at work as soon as a new one appears. I advise you to do the same.

By the way, there is a special warning on the Norton website about Word macro viruses that are contained in files with an ".rtf" extension. The ".rtf" extension usually means "rich text format," which is supposed to be a text-only file that is not capable of carrying a Word macro virus. Thus the ".rtf" extension is not one that the antivirus programs bother to check, unless you specifically tell them to.

Of course, some clever hacker noted this and also figured out that you can rename a Word ".doc" file with an ".rtf" extension, and Word will open it up as if it were a standard Word document. Thus, a hacker can put a macro virus into a Word ".doc" file and rename it with an ".rtf" extension, thus escaping detection by antivirus programs that are set to examine only files with certain extensions.

What is the solution to this conundrum?

Tell your antivirus program to scan all files, not just those that end with certain extensions such as ".exe" or ".doc." This is usually quite simple to do, but it does require that you take action to do it. For some reason, Norton's AntiVirus program defaults to just checking certain extensions, and the ".rtf" extension is not one of them. Just make sure that you set the "scan all files" option in both the scanning module and the autoprotect background checking module. In Norton's AntiVirus program, these are on two separate tabs in the "Options" section.
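Why the extension tells a scanner so little can be seen in a short Python sketch, added here as an illustration and not part of the original column or of any Norton product: it classifies each file by its leading bytes and reports files whose content can carry a macro or run as a program while the name claims something else. The function names and the sample file names are assumptions made for this example.

```python
import os
import tempfile
# Leading bytes of the file formats the article mentions.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # Word 97 .doc/.dot container
    (b"{\\rtf", "rtf"),                              # genuine Rich Text Format
    (b"MZ", "exe"),                                  # DOS/Windows executable
]
# Content each extension is expected to hold; anything else is "unknown".
EXPECTED = {".doc": "ole2", ".dot": "ole2", ".rtf": "rtf", ".exe": "exe"}
RISKY = {"ole2", "exe"}  # content that can carry a macro or run as a program

def sniff(path):
    """Classify a file by its first bytes instead of its name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"

def find_mismatches(directory):
    """Return (name, claimed, actual) for risky content under another extension."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        claimed = EXPECTED.get(os.path.splitext(name)[1].lower(), "unknown")
        actual = sniff(path) if os.path.isfile(path) else "unknown"
        if actual in RISKY and actual != claimed:
            findings.append((name, claimed, actual))
    return findings

def make_samples(directory):
    """Write constructed sample files: headers only, no real documents."""
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    samples = {
        "letter.doc": ole2,                   # honest Word document
        "memo.rtf": b"{\\rtf1\\ansi Hello}",  # honest RTF
        "report.rtf": ole2,                   # Word file renamed to .rtf
        "notes.txt": b"MZ" + b"\x00" * 30,    # executable renamed to .txt
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_samples(tmp)
        print(find_mismatches(tmp))
```

A scanner that picks files by extension never opens report.rtf or notes.txt; one that reads every file sees the Word and executable headers regardless of the name.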

If you insist on only checking certain files, make sure that the ".rtf" extension is one of them. In fact, Norton recommends that the following file extensions be checked: 386, adt, bin, cbt, cla, com, cpl, csc, dll, doc, dot, drv, exe, htm, htt, js, mdb, mso, ov?, pot, ppt, rtf, scr, shs, sys, vbs, xl?.

Out of curiosity, I just checked my Norton AntiVirus, and only fifteen out of the twenty-seven extensions above would be checked if I chose to scan only certain files. I could add the others, but why should I bother? I simply selected the "scan all files" option. You should do the same, because I can guarantee that some hacker out there is even now figuring on how to use another extension other than the ones shown above.

Make certain that you have the Macro virus protection turned on in your copy of Word 97. (Click Tools, click Options, select the General tab, turn the Macro virus protection option on.) If you have an older version of Word, make sure that you have added the Microsoft macro that protects against macro viruses. More importantly, make sure that you know what to do when you get a warning message from Word, saying that a document you are loading has a macro in it. You should always instruct the program to open the document without the macro attached, unless you are absolutely certain that the macro is necessary. When in doubt, load the document without the macro, and see what it is. You can always reload it with the macro, if it is necessary.

It is important to realize that the Macro virus protection feature cannot actually detect a virus - only the presence of a macro in the document. However, I have never encountered a Word document that uses a macro embedded with the document. All of the macros I have ever needed in Word are stored in my normal.dot template. I have never attached one of these macros to a document, and I have never received a document from anyone with a legitimate macro attached.

COPYRIGHT 1999 The National Association of Business Economists
COPYRIGHT 2000 Gale Group
 
