Read An Email, Get Infected
You can't get a virus simply by reading an email, right? Wrong. Today we greet VBS/Forgotten (a.k.a. VBS/Pica), the newest entrant to the "read an email, get infected" group.
The year 2000 was ushered in by the first of these email worms, BubbleBoy. Taking advantage of a security vulnerability in Microsoft Outlook and Outlook Express, BubbleBoy barely made a blip on the radar screens of antivirus vendors. Microsoft quickly released a patch and all was well. Or so it seemed.
A few months later, another worm, Kak, appeared on the scene. Kak took advantage of the same security vulnerability as had BubbleBoy. Initial impressions were that users would have applied the previous patch released for BubbleBoy and all would be well. Wrong again. Kak has gone on to become the most prevalent infector of 2000. The Kak Help Center provides instructions for cleaning a Kak infection and preventing future infections from occurring.
In mid-November, BleBla, also known as Verona or Romeo and Juliet, debuted at number 28 on the MessageLabs ThreatList. Barely a month later, BleBla is listed at number 8. One saving grace of BleBla might be its reliance on email attachments: even though the attachments are executed automatically with no help from the user, the mere presence of attachments may stop some users from ever opening the email at all. In any event, this time Microsoft released two patches, MS00-037 and MS00-046, to close the holes BleBla exploits.
This morning, Dec. 15th, we greet a new contender in the "read an email, get infected" group. VBS/Forgotten is a mass-mailing email worm contained entirely within the HTML body of the message. Users won't be presented with the tell-tale paperclip icon signifying attached files, nor will the security patches provided by Microsoft prevent Forgotten from running. In fact, a bit of clever social engineering is used to trick even those whose security settings are configured to prevent ActiveX controls from running: in that case, the worm displays a dialog box instructing the user to accept the ActiveX control. With a subject line of "Financing", many may be compelled to do just that.
How can we prevent threats such as Kak, BleBla, and Forgotten from ruining our email experience? Start with the Microsoft patches for the holes Kak and BleBla exploit (keeping in mind that Forgotten needs no unpatched hole, only a user who clicks through the ActiveX prompt):
http://www.microsoft.com/technet/security/bulletin/ms99-032.asp (MS99-032, the Scriptlet.Typelib patch used by BubbleBoy and Kak)
http://www.microsoft.com/technet/security/bulletin/ms00-037.asp (MS00-037, BleBla)
http://www.microsoft.com/technet/security/bulletin/ms00-046.asp (MS00-046, BleBla)
Outlook and Outlook Express render HTML mail using the settings of one of Internet Explorer's security zones, so first make sure the mail client is set to use the Restricted sites zone (Outlook Express: Tools | Options | Security; Outlook 2000: Tools | Options | Security). Then, from within Internet Explorer, select the following menu items:
Tools | Internet Options | Security | Restricted Sites | Custom Level
In the Custom Level dialog box, disable all settings related to ActiveX, scripting, and Java (in fact, I would disable everything), set Software channel permissions to High safety, and under User Authentication set Logon to "Prompt for user name and password".
Note: Just setting the restrictions to High will not work. You must choose Custom Level and scroll through the list making the necessary changes. If you are unable to follow this step, it may be a good idea to ask an experienced friend for assistance.

