Visual Basic Email Viruses

For general information about computer viruses, also see our Computer Virus Information page.

The current emailed viruses/worms can spread via email as an attachment, via IRC as a DCC download, and via infected files in mapped network drives, so they can spread across the network via file shares. While only infecting Windows 95, NT, 98, or 2000 machines, the viruses can also be propagated by non-Windows systems via email, or via file-sharing mechanisms such as Samba.

If your computer has been infected by a virus, please ask your system administrator to submit a summary report to security@caltech.edu. Please don't just forward an entire copy of the infected message to IMSS -- this contributes to the heavy load large virus outbreaks place on our mail server.

The latest versions of Visual Basic Script (vbs) viruses take advantage of a bug in the Microsoft Windows family of operating systems that causes certain file extensions to be hidden from the user, even if Windows has been configured in My Computer/View/Options/View to show all file extensions. An executable script file with the extension ".txt.shs", for example, will display in Windows as being a ".txt" file. This can fool users into thinking the file is safe to open. There is a workaround for this bug.

Outlook users: Install Microsoft's Outlook security patch if you have not already done so. Check the Windows Update and Office Update pages for current patches.

Consider turning off Visual Basic Scripting: Unless you must use Visual Basic scripting as part of your work, consider simply disabling Visual Basic Scripting by causing Windows to "forget" how to open .vbs files.

Do not open attachments received in email from anyone unless you know what they are and are expecting them. Do not accept DCCs on IRC from anyone unless you know exactly what you are receiving. Consider creating a filtering rule in your email program that filters all messages with .vbs attachments into a special folder. Such messages probably include an infected file and should be handled with care.
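The attachment filter suggested above can also be run as a script over raw messages. The following is an added example, not part of the original IMSS page: it flags .vbs attachments and the ".txt.shs" style of double extension described earlier. The function names, the addresses and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment types this page names as dangerous; extend per local policy.
BLOCKED_EXTS = {".vbs", ".shs"}

def displayed_name(filename):
    """Name the user sees when the final extension is hidden."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename

def check_attachment(filename):
    """Return a reason to quarantine the attachment, or None if it passes."""
    stem, dot, ext = filename.strip().lower().rpartition(".")
    if not dot or "." + ext not in BLOCKED_EXTS:
        return None
    if "." in stem:
        return (f"double extension: displays as "
                f"'{displayed_name(filename)}', really .{ext}")
    return f"script attachment (.{ext})"

def scan_message(raw_bytes):
    """Parse a raw mail message; return {filename: reason} for flagged parts."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        reason = check_attachment(part.get_filename() or "")
        if reason:
            flagged[part.get_filename()] = reason
    return flagged

def build_sample():
    """Constructed test message with placeholder attachments (not real malware)."""
    m = EmailMessage()
    m["From"] = "colleague@example.edu"
    m["To"] = "user@example.edu"
    m["Subject"] = "hello"
    m.set_content("see attached")
    for fname in ("harmless.txt.shs", "Report.VBS", "notes.txt"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for fname, reason in scan_message(build_sample()).items():
        print(f"QUARANTINE {fname}: {reason}")
```

The check keys on the attachment's real final extension rather than the subject line, so it still fires when the subject is blank or random.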

IMSS recommends using antivirus software and updating the virus definitions regularly. During outbreak conditions, we recommend daily updates.

Be advised that emailed Visual Basic script viruses have now been spotted with a variety of subject lines, including blank or randomly-generated ones. Simply checking for "suspicious" subject lines is not sufficient, particularly since the virus may come from someone you know, who had your name in his or her email address book.

Making sure that no file extensions are hidden in Windows:

The problem: Many of the current crop of Windows-based email viruses rely on two "features" of Windows. By default, Windows does not show certain file extensions. In addition, even if you set Windows to display all file extensions, there are certain types of files whose extensions still will not be displayed. This allows a malicious person to create and forward a file named, for example, "harmless.txt.shs". If the recipient examines this file under Windows, what will display for the file name is simply "harmless.txt" -- something that looks like a perfectly harmless text file. Instead, it is really a "shell scrap," which can be used as a type of executable program in Windows.

The fix: First, be sure you have already set Windows to display all file extensions. Do this by opening My Computer, choosing View, then Options, and then View. Uncheck the "hide file extensions for known file types" checkbox, and choose the "show all files" radio button.

Second, fix the problem in Windows that causes some files to remain hidden, by removing all occurrences of the value "NeverShowExt" from the registry. Note that the registry is a sensitive file that the Windows operating system relies upon for correct functioning. Be very careful when editing this file. If possible, get your system manager to help you.

  • Close all open programs
  • Open the Windows Start menu
  • Select "Run" and enter "regedit" to open the registry editor
  • From the "Edit" menu, select "Find"
  • Uncheck the "Keys" and "Data" entries under "Look at"
  • Enter "NeverShowExt" in the "Find What" box and click "Find Next"
  • When a value is found, right click on the value name and select "Delete"
  • Press F3 to find the next occurrence of "NeverShowExt".
  • Repeat the previous two steps until all occurrences of "NeverShowExt" have been deleted from the registry
  • The computer will need to be rebooted for changes to take effect
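
To confirm that no occurrence was missed, the registry can be exported to a text (.reg) file from the registry editor and scanned. The following is an added example, not part of the original IMSS page: it lists every key in such an export that still carries a value named "NeverShowExt". The function names and the sample export are assumptions constructed for illustration.

```python
# Constructed sample in regedit export format; keys and data are illustrative.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"nevershowext"=""

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
"Comment"="NeverShowExt"
"""

def decode_export(raw):
    """Decode export bytes: UTF-16 if a byte-order mark is present, else ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def keys_with_value(reg_text, wanted="NeverShowExt"):
    """Return keys that still carry a value NAMED `wanted`.

    Only value names are compared, matching the regedit search with
    "Keys" and "Data" unchecked. Registry value names are not case-sensitive.
    """
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # section header = key path
        elif line.startswith('"') and current_key:
            name = line[1:].split('"=', 1)[0]  # quoted name before the '='
            if name.lower() == wanted.lower():
                hits.append(current_key)
    return hits

if __name__ == "__main__":
    for key in keys_with_value(SAMPLE_EXPORT):
        print("extension still hidden for:", key)
```

An empty result after the reboot means every occurrence has been removed; the "txtfile" entry in the sample is not reported because "NeverShowExt" appears there only as data.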

Preventing Sendmail Mail Servers from Spreading the Virus

Unix Sendmail

Based on rulesets used for the Melissa virus as well as more recent updates for the Love Bug virus, Unix admins can add the following sort of filtering to sendmail.cf and restart the inittab-spawned sendmail processes.

Be aware that checking the subject line of every message will cause a performance hit, so use filters as sparingly as possible.

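# Pass every Subject: header to the Check_Subject ruleset
HSubject: $>Check_Subject
# Pattern to reject, and the text returned with the 553 error
D{MPat}ILOVEYOU
D{MMsg}This message may contain the ILOVEYOU virus.

SCheck_Subject
# In each R line the pattern and the action must be separated by tab characters, not spaces
R${MPat} $*	$#error $: 553 ${MMsg}
RRe: ${MPat} $*	$#error $: 553 ${MMsg}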

Procmail

Exchange

Install and run a server-based antivirus solution such as Symantec (see below). We've heard of a commercial product called Mail Essentials for Exchange/SMTP which might be helpful for preventing viruses as well, but please note that IMSS has not tested it nor do we have a copy.

Using the Caltech Site-Licensed Norton Antivirus to Protect Windows Servers, Macs and PCs

IMSS recommends that computers using antivirus software have their virus definitions regularly updated. During outbreak conditions, we recommend daily updates!

If you don't have it already, obtain a copy of our site-licensed antivirus software. Be sure to update its virus definition list regularly, either using NAV's "LiveUpdate" feature, or by downloading updates manually.

If you discover a virus on your server(s), send a summary report to security@caltech.edu; we compile impact estimates of affected campus systems.

If you have other antivirus software installed, be sure to check the website for your particular antivirus program regularly to get updated virus definition lists. Some commonly-used antivirus program vendors include:

If your computer has been hit by a virus, please ask your system administrator to submit a summary report to security@caltech.edu to help us track how many systems on campus have been affected.