October 2000 update: Be sure to see the page this file belongs to: http://www.firstpr.com.au/security/ for important information on how Outlook Express will cause your computer to be infected *immediately* (that is, without you taking any action, or being able to prevent it) on receipt of an email containing certain kinds of computer virus or worm.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

This is my standard text I developed to send to people who send me an executable program via email. If anyone wants to use this themselves, or suggest refinements, I would be very happy.

- Robin  rw@firstpr.com.au  27 February 1999

Dear _ _ _ _,

This is my standard text I send to friends who send executable programs by email, expecting the recipient to run the program. An executable program has complete control of the computer it runs on and so can cause immense damage and unlimited security breaches.

Short version
-------------

NEVER run an executable program which you receive by email (or from a Usenet newsgroup)! (Clicking on the program's name, or "Opening" it by some other means, will run it.)

NEVER send someone an executable program via email or Usenet!

These practices are the computer equivalent of accepting or making an offer such as:

"Here's something you have never seen before. I hadn't seen it until recently either. I have no idea where it really came from - someone just gave it to me. Stick the needle into your arm and press the plunger. It's GREAT!!!!"

This warning is aimed at Windows users, where executable programs are files with names ending ".exe", ".com" or ".bat" - but the same principles apply to all other operating systems.

This text was up-to-date on 27 Feb 1999.
An up-to-date version of this text, with links to relevant security web-sites, can be found at: http://www.firstpr.com.au/security/

You may wish to forward this email immediately to any other people to whom you have sent an executable program - or email them a message not to run or "Open" the program, and to consult the above URL for a fuller explanation.

Long version
------------

I am sure you didn't mean any harm, and it is highly likely that the program you sent is benign. I am certainly not going to run it and I don't have time to research it or analyse it. However, it could have caused problems if I ran it.

Unless the program is very short, and its operation is thoroughly analysed, it is impractical or impossible to determine the dangers posed by an executable program simply by analysing it or running it under a debugger. The only way to be reasonably sure that the program is benign is if it came from programmers who are in full control of their software, and who ensure that there are no security problems with the programs they publish.

By sending executable programs to friends, and suggesting they run them, you make it more likely that they will accept when someone they may or may not know sends them an executable program. It is easy for an attacker to send out such programs by email or to attach them to a Usenet posting. A few people will run it, and then the attacker either has control over their machine via the net, or has successfully spread their program, which has some other malicious intent.

As is explained below, some programs install themselves in the victim's computer and send a copy of the program to everyone the victim emails, as if the victim intended to send it. Other programs enable the attacker to read, write or delete all files in your computer via the Internet.
It is a really bad idea to encourage people to run executable programs received in an email, unless perhaps they get the program directly from a trusted person who knows for a fact that it contains no virus, worm or Trojan horse. If you know of a program you want a friend to run, make sure it comes from a site which takes responsibility for it not containing a malicious program. The only people who can fully attest to this are the programmers who wrote it. There are all sorts of things getting around, and you don't know until it is too late.

An executable program can do anything to a Windows machine. There is no security. It can install a virus, or it could surreptitiously give control to anyone in the world via the Net. The effects of this may be disastrous - for a personal computer at home, or even more so for a computer at a workplace. Files could be deleted, altered or sent to someone anywhere in the world. An executable program could install something which deletes everything off the hard drive a few months later. The fact that one person runs a program and notices no problems is no proof at all that the program is in fact benign.

Most people have no idea about computer security at all. So they have no idea how dangerous it is to run executable programs which they cannot be certain are benign.

During 1997, many people were sending various benign programs around - which made sounds, pretty patterns or images which were revolting and/or amusing. This caused many people to be extremely promiscuous with what they would run on their computer, so when a malicious program called "Happy99.exe" was first released in January 1999, it spread like wildfire. If run on a Windows machine, it produces a fireworks display. Secretly, it modifies the computer's Internet software so that every email or Usenet newsgroup posting made from that computer is accompanied by a second, similarly addressed email or Usenet posting with the program attached.
If you receive an email containing a file called "Happy99.exe", DELETE IT! There have been false email virus warnings in the past, such as the "Good Times" hoax, but "Happy99.exe" is a real Trojan horse program, and arguably an Internet worm too.

http://www.datafellows.com/v-descs/ska.htm
http://beta.nai.com/public/datafiles/valerts/vinfo/w32ska.asp

One way to protect against the way Happy99.exe modifies your Windows networking software is to find the file c:\windows\system\WSOCK32.DLL (if your Windows Explorer is configured not to display DLL files, use Start > Find > Files and look for WSOCK32.DLL in drive C:). Then click on its name, and use File > Properties to set it to read-only.

Two far more dangerous Trojan horse programs are known as "NetBus" and "Back Orifice". These install themselves into Windows machines and give the attacker full read-write-delete control over all your files via the Internet. Thus the attacker, who could be anywhere in the world, and probably using someone else's machine which they have gained control of, can read any of your files, alter them, delete them, upload new files, including executable programs, and run them - all without you knowing. They can also send your keystrokes and screen images to the attacker, open and close the CD-ROM drive's tray, reboot the computer, etc.

http://www.Europe.Datafellows.com/v-descs/netbus.htm
http://www.Europe.Datafellows.com/v-descs/backori.htm

The typical approach is for the victim to be asked to run some program with a nice-sounding name, but which is in fact one of these Trojans. One report on 26 Feb 1999, from the BUGTRAQ mailing list: http://www.netspace.org/lsv-archive/bugtraq.html says that an email purportedly from yahoo.com urged the intended victim to load and run a program called Yahoo.exe - which is in fact NetBus.

Remember that email sending is insecure.
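As an added example (not part of Robin's original email): a small Python script that records a baseline of a file such as WSOCK32.DLL and later reports whether the read-only setting recommended above has been undone or the file's contents have changed, which is how a patch of the kind Happy99.exe makes would show up. The path is a parameter; the sample run below uses a temporary file standing in for the real DLL, not the DLL itself.

```python
"""Baseline and re-check a critical file such as WSOCK32.DLL.

Added example, not from the original email. It records the file's size,
SHA-256 hash and read-only flag once, then reports anything that later
differs. The demo works on a constructed temporary file, not the real DLL.
"""
import hashlib
import os
import stat
import tempfile


def baseline(path: str) -> dict:
    """Record what a trusted copy of the file looks like."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "sha256": digest,
            "read_only": not (st.st_mode & stat.S_IWUSR)}


def check(path: str, expected: dict) -> list:
    """Compare the file against its baseline; return a list of findings."""
    current = baseline(path)
    findings = []
    if not current["read_only"]:
        findings.append("file is writable: the read-only protection is off")
    if current["size"] != expected["size"]:
        findings.append(f"size changed {expected['size']} -> {current['size']}")
    if current["sha256"] != expected["sha256"]:
        findings.append("contents changed: sha256 differs from baseline")
    return findings


def demo() -> tuple:
    """Constructed run: a temporary file stands in for WSOCK32.DLL."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "WSOCK32.DLL")
        with open(path, "wb") as f:
            f.write(b"original library bytes")
        os.chmod(path, stat.S_IRUSR)          # the read-only setting the email recommends
        base = baseline(path)
        clean = check(path, base)             # nothing should be reported yet
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        with open(path, "ab") as f:           # stand-in for a modification of the library
            f.write(b"!")
        tampered = check(path, base)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```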
It is easy to send an email which appears to be from any email address desired, including from well-known companies, from me, or from you. Digital signatures are the only way to reliably solve this, but that is another story. (http://www.ozemail.com.au/~firstpr/crypto/ and http://www.cs.auckland.ac.nz/~pgut001/links.html)

If you want to download and use an .exe file which is supposedly a self-extracting Zip archive, but which you are concerned may be a malicious program, you may wish to use WinZip to open it to safely view and extract its contents, rather than run the .exe program itself. WinZip and other archive programs can be found in the "Compression Utilities" section of one of the Tucows sites listed at: http://www.tucows.com/

Another problem is macro viruses in Microsoft Word files. I believe Microsoft was culpably negligent in designing Word so that macros could install themselves without permission. Search for "macro" at: http://www.datafellows.com/

Since November 1994, the Good Times "email-virus" hoax and its offspring have been spread by people who pass it on without sufficient critical thinking or checking. http://www.public.usit.net/lesjones/goodtimes.html

Please do not spread warnings to other people simply because of the urgency with which someone urges you to do so. You should evaluate the warning and be sure you understand the nature of the problem first - otherwise all sorts of misleading warnings spread like wildfire.

This warning you are reading is against the general practice of running attached executable programs in email (or Usenet news for that matter). It is backed up by real web-based expert reports on malicious programs which spread this way - Happy99.exe and NetBus. By all means pass this on to your friends, but don't urge them to pass it on without proper consideration!
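Returning to the self-extracting archive point above, as an added example (not part of the original email): Python's zipfile module finds an archive by its end-of-central-directory record near the end of the file, so it can list what a supposed self-extracting .exe would unpack, and flag entries with the executable extensions this email names, without the stub ever being run. The sample file is constructed in the script; a real self-extractor would be read from disk with open(path, "rb").

```python
"""List the payload of a supposed self-extracting .exe without running it.

Added example, not from the original email. A self-extracting archive is
an executable stub with a ZIP archive appended; zipfile locates the
archive from its end-of-central-directory record and adjusts for the
prepended stub, so the contents can be inspected with nothing executed.
"""
import io
import zipfile

# Extensions the email names as executable on Windows.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat")


def inspect_sfx(data: bytes) -> dict:
    """Report what an SFX file would extract, without running its stub."""
    report = {"has_exe_stub": data[:2] == b"MZ", "is_zip": False,
              "entries": [], "executables": []}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return report        # no ZIP inside: it is simply a program, treat it as such
    report["is_zip"] = True
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            report["entries"].append((info.filename, info.file_size))
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                report["executables"].append(info.filename)
    return report


def build_sample_sfx() -> bytes:
    """Constructed sample: a fake 64-byte 'MZ' stub followed by a real ZIP."""
    stub = b"MZ" + b"\x00" * 62          # stand-in for the self-extractor code
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "just text\n")
        zf.writestr("fireworks.exe", b"\x00" * 16)   # constructed, not a real program
    return stub + payload.getvalue()


if __name__ == "__main__":
    for key, value in inspect_sfx(build_sample_sfx()).items():
        print(f"{key}: {value}")
```

An archive entry ending in .exe is the thing to notice: extracting it is harmless, running it is not.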
If you think that the spread of this message is worth the trouble of saving some people from spreading Happy99.exe or having their computer security completely eliminated by Back Orifice or NetBus, and possibly much more malicious programs, then yes, pass this warning on.

I am not a virus or security expert. I believe this warning reflects common sense and so you don't need to trust me as an expert. Everything about this warning should be readily understandable to anyone, and verifiable by checking with expert sites with more information. A good place to start is Yahoo's computer security section: http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/

Regards

- Robin

===============================================================
Robin Whittle  rw@firstpr.com.au  http://www.firstpr.com.au
Heidelberg Heights, Melbourne, Australia

First Principles
Research and expression: Consulting and technical writing. Music. Internet music marketing. Telecommunications. Consumer advocacy in telecommunications, especially privacy. M-F relationships. Kinetic sculpture.

Real World
Electronics and software for music including: Interfaces, Devil Fish mods for the TB-303, Akai sampler memory and Csound synthesis software.
===============================================================