Dan's Mail Format Site | Attachments | Viruses

Dan's Mail Format Site:

Attachments: Viruses


A major worry of anybody who receives e-mail messages with attachments is whether they've been hit with a virus... and, if so, is it likely to do some damage to their computer? This article discusses the issue of viruses, worms, and Trojan horses, the things that go "bump" in your e-mail box. Are they something you need to worry about?

NOTE: Viruses is the proper plural of virus... some "pedant wannabes" like to use forms like viri or virii, but there's no support for them in classical Latin. It seems that in ancient Rome, "virus" was a collective noun for a mass of pestilence, and had no plural. If it did, it probably wouldn't have ended in -i, since the word was not in the part of the complex structure of Latin word classes that took such a suffix, even though many other -us nouns were. Anyway, viri is Latin for "men", so it would have been very confusing to use it also as the plural of "virus"!

What is a virus?

The concept of a computer virus was envisioned by computer science researchers long ago, who wrote various academic papers exploring the theoretical possibility of such a program. While a few actual viruses may have surfaced on the old mainframe-based networks, it took the widespread use of personal computers in the '80s to provide the fertile ground from which the first major viruses sprang, spreading via floppy disk or bulletin board system download. The widespread use of e-mail attachments in the late '90s created the means for a vast profusion of new malicious programs to spread widely.

To be precise, most of the harmful programs spreading via e-mail aren't technically viruses. Those who study such programs have created three distinct categories of them:

Viruses

Programs that attach themselves to other programs, running when the host program is executed, and which proceed to self-replicate by attaching copies of themselves to other programs. They spread when infected programs (including the boot sectors of disks) are brought to other computers and run.

Worms

Self-contained programs which, unlike viruses, don't attach themselves to other programs; when run (perhaps as an e-mail attachment that a recipient launched), they make copies of themselves and send those copies to others.

Trojan horses

Malicious programs that pretend to be something else in order to entice people to run them, and then do nasty things to the computer they're running on, but without self-replicating or attaching themselves to other programs. These don't spread unless they're sent on purpose.

By these standards, most of the so-called "e-mail viruses" are actually worms; however, "virus" has entered the vernacular as the common term for all sorts of "malware". This is partly due to the same sort of sloppiness that has muddied lots of other precise terminology in the area of computers and the Internet since it became popular in the mid-'90s, but partly because the above-noted distinction is becoming more difficult even for experts to make; newer generations of "malware" can sometimes take on aspects of all of these types, changing based on the situation the program finds itself in, or based on random factors such as the system clock value; it might propagate itself sometimes by attaching to other programs, sometimes on its own, and sometimes masquerading as something else to get people to run it.

E-Mail Viruses

E-mail viruses (or "worms", if you prefer) were the subject of users' panic and worry long before they existed in reality. Several notable virus hoaxes went around in the mid '90s, such as the one that claimed that if you got a message with the subject "Good Times", then merely opening it in your mail reader would cause disastrous consequences to your computer. Actually, at that time, mail readers displayed nothing but plain text, so it was completely impossible for a virus, worm, or Trojan horse to cause malicious effects merely by opening a message in a mail reader. (File attachments were possible even back then, but you had to save them to disk and then run them; there was no way to launch them directly from a mail reader.) People still believed the warnings, and after several false scares of that sort, the first real e-mail viruses probably ran into a "Boy Who Cried Wolf" effect where people didn't believe warnings now that they were true.

But as mail programs got more advanced, the possibilities for virus/worm/trojan writers expanded. With some programs automatically rendering HTML messages with inline images, embedded sounds, and, most dangerous of all, scripting languages, malicious programmers found security holes to exploit so that a message could indeed do nasty things just by being opened. Even files most people regarded as "safe", like MS-Word documents, could have macro viruses embedded. And one of the things such a program could do, once run, was to find the user's address book and e-mail itself to all the user's friends... who might well open the message and its attachments without fear because it came from somebody they know. Thus, e-mail viruses have been a big danger.

Nevertheless, virus hoaxes continue to circulate alongside the real viruses, so don't believe every warning you hear. In particular, if a message tells you to look for some particular filename on your system and delete the file because it's a virus, it's probably a hoax; several versions of this are going around, and if you follow their instructions you'll actually be deleting a perfectly innocent file that's part of the operating system.

What to Watch Out For

Here are a few telltale signs that an e-mail message you just received is probably a virus.

  • It has an attached file with a name that has a "double extension", like somefile.gif.exe. Usually the first extension will indicate something fairly innocuous, like an image or sound file, while the last extension (which is the actual file extension) is one that indicates an executable file of some sort, which can easily carry a virus. The reason for the use of double extensions is that Windows, in its default configuration, hides the extensions of known file types; thus, the above-referenced file gets shown in a folder listing as somefile.gif, with the .exe hidden. (This is a configuration setting I immediately change on every copy of Windows I set up; I can't stand to have technical details hidden from me.) Since the user sees only the .gif, the file appears to be a graphic instead of a program, and the user doesn't think twice about double-clicking it, which in fact launches a dangerous program. A related trick pads the name with a long run of spaces before the real extension, so that even with extensions shown, the .exe is pushed off the edge of the display. Watch out!

  • It has a "dangerous" file extension (doubled or not). Anything executable is dangerous as an e-mail attachment unless you're absolutely certain it's a legitimate thing (for instance, if you have the sender on the phone right now, and it's somebody you trust, and they tell you what the program they just sent is). Among the executable extensions in Windows or MS-DOS are .exe, .com, .scr (screensavers), .bat (batch files), and .pif (Program Information Files; a rather archaic scheme used for running MS-DOS programs under Windows, but often used to sneak in viruses because Windows will let you try to run them). The list is not exhaustive; script files such as .vbs, .js and .cmd are run just as readily when double-clicked.

  • It's an HTML-format message that includes IFRAME, OBJECT, APPLET, or SCRIPT elements. These are rarely used in legitimate HTML e-mail, but sometimes used to sneak in viruses.

  • A message has text that doesn't really make sense, accompanied by an attachment. Perhaps it's from somebody you don't know and says "Here are directions to the thing Friday night!"... What thing??? Or maybe it seems to have fragmentary parts of business correspondence; some viruses will patch together body text from pieces of other e-mail messages stored on the computer it's taken control of. If the message body is too cryptic to make sense of, don't open any attachments that came with it.
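The first three signs above can be checked mechanically before anyone double-clicks anything. The following Python script is an added example, not code from the original page: it builds a constructed sample message in the style of a worm mailing, then flags executable extensions, double extensions (including the space-padding variant) and active HTML elements. The extension sets extend the page's list with a few other Windows-executable types and are an assumption of the example; the attachment payload is just an "MZ" header followed by zeros and does nothing.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly. The page names .exe .com .scr .bat .pif;
# the rest are added here by assumption (script hosts and shortcuts behave the same way).
EXECUTABLE_EXTS = {"exe", "com", "scr", "bat", "pif", "cmd", "vbs", "js", "wsf", "hta", "lnk"}
# Harmless-looking extensions commonly used as the visible half of a double extension.
BENIGN_LOOKING_EXTS = {"gif", "jpg", "jpeg", "png", "bmp", "txt", "doc", "pdf", "mp3", "wav"}
# HTML elements the page singles out as rarely legitimate in mail.
ACTIVE_HTML = re.compile(r"<\s*(iframe|object|applet|script)\b", re.IGNORECASE)


def classify_filename(name):
    """Return the reasons an attachment filename looks dangerous (empty list if none)."""
    reasons = []
    pieces = name.lower().strip().split(".")
    if len(pieces) < 2:
        return reasons                       # no extension at all
    last = pieces[-1]
    if last not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable extension ." + last)
    if len(pieces) >= 3:
        visible = pieces[-2]
        if visible.strip() in BENIGN_LOOKING_EXTS:
            reasons.append("double extension disguises it as ." + visible.strip())
        if visible != visible.strip():
            # e.g. "photo.jpg                .exe": padding pushes the real extension off-screen
            reasons.append("whitespace padding hides the real extension")
    return reasons


def triage_message(raw_bytes):
    """Walk every MIME part and collect (where, reason) findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            for reason in classify_filename(fname):
                findings.append((fname, reason))
        elif part.get_content_type() == "text/html":
            for match in ACTIVE_HTML.finditer(part.get_content()):
                findings.append(("html body", "active content element <%s>" % match.group(1).lower()))
    return findings


def build_sample():
    """Constructed sample: a worm-style message with a disguised executable (not a real worm)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.net"
    msg["Subject"] = "Here are directions to the thing Friday night!"
    msg.set_content("See attached.")
    msg.add_alternative('<html><body>See attached.<iframe src="cid:part1"></iframe></body></html>',
                        subtype="html")
    # Payload is just an "MZ" header followed by zeros; nothing here executes.
    msg.add_attachment(b"MZ\x90\x00" + bytes(32), maintype="application",
                       subtype="octet-stream", filename="somefile.gif.exe")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="photo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for where, reason in triage_message(build_sample()):
        print("%-20s %s" % (where, reason))
```

Run against the sample, the script reports the IFRAME in the HTML body and two findings for somefile.gif.exe (an executable extension and a disguising double extension), while photo.png passes. The fourth sign, body text that makes no sense, is a judgment call for the reader rather than something a script can decide.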

What to Ignore

If you get something that appears to be a virus, one thing to ignore is the name and address in the "From" line. That is not necessarily who actually sent you the virus. Currently, the most common viruses forge their "From" lines, so they probably came from somebody completely different. Thus, it does no good to get angry at the person who appears to have sent you a virus, or to warn him/her that he/she is infected; it's likely an innocent person who neither sent nor received the virus in question, but whose address was picked out of an address book or Web page by a virus finding fake return addresses to use.
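Where to look instead of the From line is the Received trail, which each relay prepends as the message passes through. The following Python script is an added example, not code from the original page; the message it inspects is constructed for the demonstration (the hostnames and addresses are placeholders), with a From line claiming a friend's address and Received lines showing the message entered the mail system from an unrelated host.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real captured message). The forged From: names a
# friend's address, but the Received: trail shows the message entered the
# mail system from an unrelated dial-up host.
SAMPLE_MESSAGE = b"""Return-Path: <bounce@unrelated.example>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id ABC123; Thu, 19 Jun 2003 10:00:00 -0400
Received: from dsl-12-34.isp.example (dsl-12-34.isp.example [198.51.100.77])
\tby mail.example.net with SMTP id XYZ789; Thu, 19 Jun 2003 09:59:30 -0400
From: "Alice" <alice@example.com>
To: you@example.org
Subject: Re: your document

See attachment.
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def sender_evidence(raw_bytes):
    """Compare the free-text From: with what the relays actually recorded."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    # Each relay prepends its own Received: line, so the last one is the earliest hop.
    # Only the lines written by servers you trust are reliable; earlier ones can be forged too.
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_FROM.search(str(value))
        if match:
            hops.append(match.group(1).lower())
    origin = hops[-1] if hops else None
    matches = bool(origin) and (origin == from_domain or origin.endswith("." + from_domain))
    return {
        "from": from_addr,
        "return_path": return_path,
        "origin_host": origin,
        "origin_matches_from_domain": matches,
    }


if __name__ == "__main__":
    print(sender_evidence(SAMPLE_MESSAGE))
```

For the sample, the From line says alice@example.com, the envelope sender is bounce@unrelated.example, and the earliest hop is dsl-12-34.isp.example, which has nothing to do with example.com. That mismatch is what tells you the friend's address was merely harvested. The check only holds for Received lines added by servers you trust; a worm can write fake ones below those just as easily as it writes a fake From.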

Protecting Against Viruses

Installing an anti-virus program, such as Norton AntiVirus or the McAfee security programs, will give you some help in avoiding virus infection. But they're not perfect; they can only guard against viruses they know about, and new ones surface all the time. Keep your virus definitions up to date, but don't let your guard down totally just because you think your system is protected.

Also pay attention to announcements of security holes and patches to fix them in your operating system, e-mail program, and Web browser. Some of the worst flaws, where messages could launch viruses even from the preview pane, have been fixed now if you have the latest update of your mail program. We can hope that, nowadays, viruses can only launch themselves if you actually open an attachment, not just view a message body... cross your fingers...

Why Avoiding Microsoft Programs May be the Best Way to Avoid Viruses

I know you're saying, "There he goes again, with another anti-Microsoft rant." And it's true that I have a strong dislike for big corporations that undermine Internet standards (like Microsoft, and also AOL). But there are actually several good reasons why using some other brand of e-mail program will give you very good protection against viruses, worms, and related hazards. They fall in two basic categories:

1. Viruses Target Microsoft because It's Popular

Even if Microsoft's e-mail programs aren't inherently more unsafe than any others, and the others have security holes just as bad, you're still at greater risk with Microsoft programs, for the simple reason that the virus authors are specifically targeting them. Like the bank robber who, when asked why he robbed banks, said "Because that's where the money is," virus creators target MS Outlook because that's what most of the users are using; they get more "bang" from an Outlook virus than, say, a Pegasus Mail virus. Thus, they're always on the lookout for security holes in Microsoft products that they can exploit, and once a virus takes control, it typically looks for an Outlook-format address book to find new victims. If you use something else (even something with its own security holes), you'll be largely safe from these viruses because they're not targeting you.

This, of course, is self-limiting; if enough people took my advice and switched from Microsoft products to something else, that something else would then become a leading target for virus authors. At that point, all of you would need to move on yet again, and keep seeking out more obscure mail programs to use. If people seek out different mail programs from one another, however, they would be creating a multiculture, instead of a Microsoft-dominated monoculture, which would be a less fertile environment for viruses in general.

2. Microsoft Programs Really Are More Insecure

I don't, however, think that their higher popularity is the only reason why Microsoft e-mail programs are so susceptible to viruses. There are some design decisions that Microsoft has tended to make with its software over the years that create security vulnerabilities. The Microsoft philosophy is to try to make it easy to use their software without actually having to think about it... to this end, the software tends to do things behind the user's back, and hide the technical details from the user. The emphasis is on trying to do what the software guesses the user really wants, without actually letting the user know what it's doing until it's already done. They also like to have their software do "gee-whiz" special effects, even if they provide more methods of sneaking in "malware", which more pedestrian stuff like plain text does not. And Microsoft programs tend to ignore Internet standards, even when the standards are there for a reason; for instance, both their Web and e-mail programs second-guess MIME types, figuring out what they think a file really is, even if that's different from what it's announced as being... this can let dangerous stuff get past a filtering proxy (because it's announced as something safe), but still get executed by the user. There's a reason that one of the "affectionate" names users have given to MS Outlook (along with "Outhouse") is "Lookout", as in "Look out... here comes another virus!"
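The MIME-type point is worth seeing concretely: a filter that trusts the announced Content-Type and a client that sniffs the bytes will disagree, and the attacker only needs the filter to be the trusting one. The following Python script is an added example, not code from the original page. It builds a constructed message carrying an attachment announced as image/gif whose bytes begin with the "MZ" signature of a Windows executable, and compares a naive filter against one that checks the bytes. The magic-number table is a small hand-picked set, an assumption of the example; the attachment payload is inert padding.

```python
from email.message import EmailMessage

# Magic numbers for a handful of types. A small hand-picked table, an assumption of
# this example; real filters use a much larger one.
MAGIC = [
    (b"MZ", "application/x-msdownload"),          # DOS/Windows executable (.exe, .scr, .pif, ...)
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/msword"),  # OLE2 container (old Office files)
]
SAFE_DECLARED = {"image/gif", "image/png", "text/plain"}


def sniff(data):
    """Guess the real type from leading bytes, roughly as a sniffing mail client does."""
    for magic, mime_type in MAGIC:
        if data.startswith(magic):
            return mime_type
    return "application/octet-stream"


def naive_filter_allows(part):
    """Trusts the announced Content-Type only (the filtering proxy the page describes)."""
    return part.get_content_type() in SAFE_DECLARED


def hardened_filter_allows(part):
    """Allows the part only if the bytes agree with the announced type."""
    declared = part.get_content_type()
    actual = sniff(part.get_payload(decode=True) or b"")
    return declared in SAFE_DECLARED and actual == declared


def evaluate(msg):
    """(filename, naive verdict, hardened verdict) for every attachment."""
    return [(p.get_filename(), naive_filter_allows(p), hardened_filter_allows(p))
            for p in msg.walk() if p.get_filename()]


def build_disguised_sample():
    """Constructed sample: one executable mislabelled as a GIF, one genuine GIF header."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.net"
    msg["Subject"] = "photos"
    msg.set_content("Two pictures attached.")
    # "MZ" signature plus padding; nothing here executes.
    msg.add_attachment(b"MZ\x90\x00" + bytes(60), maintype="image", subtype="gif", filename="photo.gif")
    msg.add_attachment(b"GIF89a" + bytes(20), maintype="image", subtype="gif", filename="real.gif")
    return msg


if __name__ == "__main__":
    for name, naive, hardened in evaluate(build_disguised_sample()):
        print("%-10s announced-type filter: %-5s byte-check filter: %s" % (name, naive, hardened))
```

The naive filter passes both attachments because both announce image/gif; the byte-checking filter passes only real.gif. A mail client that sniffs content would treat photo.gif as a program regardless of what the proxy decided, which is exactly the gap the paragraph describes. The lesson for anyone writing such a filter is to judge the bytes, not the label.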

If you use a mail program like Pine or Pegasus, which doesn't do as much in the way of "snazzy" multimedia, you've got little chance of picking up a virus, since your program wouldn't launch it even if you received one.

Links

Next: The section on how to configure specific mail programs, to make your output as standards-compliant and non-problematic as can be managed, begins with The Bat.


This page was first created 15 Jun 2003, and was last modified 19 Jun 2003.
Copyright © 2003-2011 by Daniel R. Tobias. All rights reserved.

webmaster@mailformat.dan.info