Safe Hex - Safe Computing Tips

Courtesy of the alt.comp.virus newsgroup participants.
(These "anti-malware" pages are the result of a continuing cooperative effort.)

Safe Hex translations available: Français and Deutsch

Main Menu

Safe Hex - A collection of suggestions intended to help you defend against viruses, worms, trojans (oh my!), malware and other questionable code.

Install, use and update anti-virus software

Keep your operating system and programs patched

Consider using alternative web browser and email software

Be cautious when reading email with attachments and downloading files

File formats

Configure your operating system properly

Preserving your privacy

Miscellaneous tips

If you still get hit by a virus...

1. Install, use and update anti-virus software
Anti-virus software will prove to be very helpful in defending your computer against malicious code - provided it's used correctly. These are recommendations for you to get the most out of your anti-virus program:

Choose a good anti-virus program.
A list of anti-virus programs and their reviews is available here. This page also explains what to focus on when selecting an anti-virus solution and how to interpret test results. Also take a look at this page, which explains why you shouldn't blindly follow the recommendations of your favorite PC magazine: Computer Magazines and Virus Testing.

Keep it up-to-date.
Anti-virus programs can only protect you from what they know about. Since new viruses surface every day, it's very important for you to update your anti-virus program regularly.

Use it!
An unused anti-virus program is obviously useless. Use your anti-virus program to scan new files you just downloaded or to do routine scans. If you are not very knowledgeable about computers and viruses you may benefit from using the memory resident scanner. If, however, you know what you are doing, then you probably can live without it.

Don't rely on it.
Modern anti-virus programs detect malicious code quite reliably but it is very important to remember that NO anti-virus program is perfect. No anti-virus program on Earth can compensate for imprudence or unsafe software. No anti-virus program will ever detect all viruses all the time.

Use it intelligently.
Some anti-virus programs offer some questionable features and gadgets. You shouldn't use a feature just "because it's there". For example, AV scanner certification messages are essentially useless and only serve to advertise AV software.

2. Keep your operating system and programs patched
You are strongly advised to apply all security-related patches for your software as they become available. Here is a list of some of the most "essential" patches. It is only a partial list:

http://www.microsoft.com/technet/security/bulletin/ms99-032.mspx
for Internet Explorer 4.0 and 5.0 as well as Outlook Express
Take a look at the description of the Kak worm.

http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx
for Internet Explorer 5.0, 5.01 and 5.5 as well as Outlook Express
This is a security hole used by a large number of viruses, such as Klez

http://www.microsoft.com/technet/security/bulletin/MS00-072.mspx
for Windows 95, 98, 98 Second Edition and ME
This security hole is exploited by Opaserv

http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
*Replaced by: http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
for Windows NT, 2000, XP and 2003 - Cumulative Update for Microsoft RPC/DCOM
This security hole is exploited by Blaster

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
for Windows NT, 2000, XP and 2003
This security hole is exploited by Sasser

You can use the Windows Update and Office Update sites to keep your system up-to-date. Note that they work with Internet Explorer only. You may have to lower your Internet security settings in order for them to function correctly. Don't forget to set your security preferences to a higher level again when you are done.

3. Consider using alternative web browser and email software
Microsoft's popular Internet Explorer and Outlook Express programs have been known to be somewhat "buggy" and are often targeted by malicious "programmers". You may benefit from using alternative software. Here is a list of alternatives:

Browsers:

Mozilla/Firefox: http://www.mozilla.com

K-Meleon (based on Mozilla): http://kmeleon.sourceforge.net

Opera: http://www.opera.com

Email programs:

Mozilla/Thunderbird and Opera (see above)

The Bat!: http://www.ritlabs.com

Pegasus Mail: http://www.pmail.com

Note that security holes may be discovered in these programs as well (though probably less frequently), so it's a good idea to check for updates regularly.

You'll be able to import your IE Favorites to most of these browser alternatives. Be very careful to set IE security settings for all zones to maximum:
http://www.microsoft.com/security/incident/settings.mspx#XSLTsection125121120120
including the My Computer zone: http://support.microsoft.com/default.aspx?kbid=182569
(And consider using IE only for downloading Windows updates and critical security patches for your particular version of Windows. When finished, make sure your security settings for all zones are back to maximum.)

4. Be cautious when reading email with attachments and downloading files
You should never, ever (and we really mean it!) do the following:

Never open email attachments from someone you don't know

Never open email attachments forwarded to you even if they're from someone you know

Never open unsolicited or unexpected e-mail attachments until you've confirmed the sender actually meant to send them. If you know the sender and you are absolutely sure they intentionally sent the attachment, then scan it with an up-to-date virus scanner before opening it.

Never pay attention to virus warnings or even forward them unless you subscribe to a serious virus newsletter.

Never obtain software from "warez" sites or peer-to-peer programs like Kazaa. Get it from known, trusted sources only.

Note: Some files can best be tested by first invoking their associated application and then using the "Open" function of that application. For example, picture image files such as JPG and GIF can be tested by invoking the picture viewer of your choice. When such files are received as email attachments or downloaded, they should first be saved to some test or download folder (you can create one for this purpose). Then you can use your picture viewer application to safely open the file. If there is something amiss with the tested file your viewer will complain and you can just delete the file.

Similarly, sound files such as MP3 and WAV can also be tested by first invoking your player of choice. Alleged Text (TXT) files should also be opened by first invoking Notepad. Never double click on these files while in Explorer or in your email client until they have been tested in this way. There may be a hidden file extension or CLSID (class ID extension).

While we're at it, let's briefly address the way some newsreaders may view images and other file types. For example, Free Agent (a free newsreader from Forté) has a dangerous item under the File menu called "Launch binary attachment". It will allow the execution of those jpegs and gifs with hidden exe (executable) extensions. (That's a bad thing.) Instead, the user should click on "Decode binary attachment" and the uuencoded file will be decoded into the Agent folder for viewing after invoking your viewer of choice and opening the file.

5. File formats
Stop using DOCs (if at all possible). Instead, use pure Rich Text Format for your documents, because that doesn't support the macro language. There's a caveat to this unfortunately. Some macro viruses intercept File SaveAs RTF and save a file with a .RTF extension which actually contains a DOC format file! So it needs to be real RTF. Tell the people that you deal with that you would rather they sent you RTF or CSV (Comma-Separated Variable) files rather than DOC or XLS.

Warning - Microsoft RTF Security Bulletin - May 22, 2001

6. Configure your operating system properly

Configure Windows so that it displays all file extensions, including those of known file types. The procedure to achieve this is described at www.irchelp.org.
Note that even with this option set, Windows will still hide the extensions of a few select file types, such as .shs and .pif. To circumvent this, you can delete all occurrences of the string "NeverShowExt" (without the quotes) in the registry using regedit.exe.

Be very cautious when you edit the registry! Do it only if you know what you are doing!

Most Windows versions come with the Windows Scripting Host (WSH), which allows for execution of VBS (Visual Basic Script) and JS (JScript) files. These files can contain malicious code.

You can prevent the accidental execution of script based malware by setting the default action for VBS/VBE and JS/JSE to "Edit", so that such files will be opened in Notepad. If case you really want to run such a file, then you will still be able to right-click on it and select "Open".

If you are not on a LAN (local area network), disable file and printer sharing in the Network options of the Control Panel. If you need to have file and printer sharing enabled, make sure that you are sharing only the items that really need to be shared. Never share entire drives or important folders like the Windows folder, and do not allow write access unless you have to. It's also of paramount importance to set strong passwords for the shares. Passwords should be as long as possible and consist of a mix of letters, numbers, punctuation signs, etc.
If you are running Windows 95, 98, 98 Second Edition or ME, install the following patch:
http://www.microsoft.com/technet/security/bulletin/MS00-072.mspx

For detailed information on safe network configuration, take a look at the following sites:

http://grc.com/su-rebinding9x.htm

http://www.pcflank.com

Network configuration is a particularly important point. Many unsuspecting users are not aware of the dangers of open shares, and some viruses use file sharing as a means of spreading (quite successfully). Two such beasts are:

Opaserv: http://vil.nai.com/vil/content/v_99729.htm
Bugbear: http://vil.nai.com/vil/content/v_99728.htm

7. Preserving your privacy
You should never, ever (and again, we really do mean it!) do the following:

Never use the "Unsubscribe" feature of spam emails or reply to spam mails because by doing so, you confirm the validity of your email address and the spammer can keep on sending you unsolicited commercial email, which you probably don't want.
The proper way to deal with spam is to delete it and, if you wish to do so, complain about it to the sender's Internet Service Provider (you need to analyze the message headers to determine the ISP, do not rely on the sender's alleged email address which is probably forged or fake in most cases).

Never select the option on web browsers for storing or retaining user name and password.

Never disclose personal, financial, or credit card information to little-known or suspect web sites.

Never use a computer or a device that cannot be fully trusted.

Never use public or Internet café computers to access online financial services accounts or perform financial transactions.

8. Miscellaneous tips

Pay attention to files with multiple extensions. Generally, the last extension is the relevant one. For example, a file named

hello.mp3.exe

is an executable program (.exe) and not an MP3 file!

Note, however, that if you are using Outlook Express and see a file with three extensions, Outlook Express may consider the second extension to be relevant, so that a file named

hello.mp3.exe.jpg

is an executable program (.exe) and neither an MP3 file nor a JPG file!
(Ed. note: not a typo or mistake -- it's an Outlook Express exploit used by "Sadhound".)

That's why it's important to follow the procedure outlined in section 4 for opening unknown files. You can't go wrong by simply ignoring any file with more than one extension.

Set the boot sequence to C: first in the BIOS. This can be "C only", "C,A" or whatever you want as long as C: comes first.

Regularly back-up your data.

Install a good firewall. Check out "Firewalls/Filters" here.

9. If you still get hit by a virus...
... then the most important rule is: DON'T PANIC

Very often users will do more damage with panicked recovery attempts than a virus or Trojan horse would have.

If your computer does become infected with a virus, the alt.comp.virus newsgroup is a good place to go for help and/or information. You can ask for, or find advice from a number of professionals and other experienced users.

Please note the following tips when using the alt.comp.virus newsgroup:

Do not post binaries or virus samples.

Be specific and include details when asking for help.

Disable your news reader's ability to execute scripts embedded within HTML.

Delete all messages that contain attachments.

Don't be intimidated by all the noise there.

Read some postings first and search for subjects that might indicate a problem similar to yours.

Do not give advice if you aren't certain it's good advice, even if you just want to be helpful.

alt.comp.virus on Google
alt.comp.anti-virus on Google

Administrator Tip

You might benefit from a hoax policy deployed amongst your staff. Perhaps something like this: "Thou shalt not forward any virus warnings of any kind to anyone other than <insert name of person in your company who looks after anti-virus issues>. It doesn't matter if the virus warnings have come from an anti-virus vendor, or been confirmed by any large computer company or your Aunty Margaret. All virus warnings should be sent to <insert name>, and <insert name> alone. It is <insert name>'s job to send round all virus warnings, and any virus warning which comes from any other source should be ignored".

Before you go...

Tell all of your friends and family to practice safe hex.

Remember, if someday you do encounter a virus, do not panic!

Have an extended look at the A.C.V Reference Desk.

Some additional computer security related links.

Updated: May 3, 2004