Computer Counselor - June 1999
Preventions and Cures for the Common Virus
E-mail and the Internet have made catching a virus easier, so maintain diligence
By Daryl Teshima
Daryl Teshima is the editor-in-chief of Law Office Computing. He can be reached at firstname.lastname@example.org.
Months before the Melissa virus invaded e-mail systems and national headlines, the Happy99 virus infected a legal e-mail discussion group, thus awarding the legal community an honor it can seldom claim: being ahead of the technology curve. Members of the discussion list who executed the Happy99.exe attachment were treated to a window with a fireworks display. Behind the fireworks, however, the virus altered critical files needed to connect to the Internet. After a computer was infected, any e-mail message that the user sent triggered Happy99 to create (unknown to the sender) a follow-up message to the recipient that contained the Happy99.exe attachment.
The damage caused by the Happy99 worm virus-so-called because it replicates itself-was not as significant as its delivery method. As is true with the Melissa virus, the messenger of the Happy99.exe attachment is usually someone known to the recipient. With each user's suspicions thus lowered, replication is made easy, and the virus can spread quickly.
Happy99 certainly caused havoc on that particular e-mail discussion group. Within hours, the worm spread to the desktops of many of the lawyers and legal technology professionals who frequent the list. Worse, many users' antivirus programs failed to detect the newly released virus. The virus did not destroy data or hardware (although many users reported problems with sending e-mail), but it did create much embarrassment for those who became unwitting carriers.
The Happy99 incident, along with the recent Melissa outbreak, illustrates the two major developments that have greatly increased the odds of becoming infected by a computer virus. First, the continuing growth of Internet use has increased the opportunities for viruses to infect computer systems. In the past, viruses came from two sources: modems or diskettes. Today, technologies such as ActiveX controls and Java applets, which are activated when viewing certain Web sites, also have the potential to cause damage. In addition, the Internet (and e-mail) is an incredibly efficient way to spread computer viruses worldwide, in part because, as the Melissa and Happy99 viruses clearly showed, it is quite possible that someone you know and trust will be the carrier.
Another sinister development for many lawyers is the proliferation of macro viruses, which are mini-applications that reside within Microsoft Word or Excel documents. With the release of Word 6, Microsoft introduced macros that could be triggered by opening a word processing document. This new breed of macros are powerful time-saving tools, but unfortunately, Microsoft ignored the possibility that embedded macros could be used for malicious purposes. Instead of building in protection, Microsoft chose to downplay the problem and insisted on calling Word viruses "prank macros."
Whatever the name, the problem became worse with the release of Microsoft Office 97, which introduced new document formats for Word and Excel. These formats were not made available to antivirus software makers prior to the suite's release, which made proper detection and removal of new strains of viruses difficult. At least Microsoft acknowledged the problem by placing a Macro Virus Protection option in Word and Excel. The protection, however, simply tells users about the existence of macros in the document and fails to identify or evaluate the effect of the macro. Thus, upon opening a document with an embedded macro, a user is simply warned of the macro's existence, not its potential for harm. This all-or-nothing approach means that a user had the choice of either opening a document and hoping for the best or disabling all macros (good and bad) in the document. Microsoft's protection is also easily disabled; the Melissa virus turned off all virus protection in Microsoft Word. Microsoft Office 2000, which is scheduled for imminent release, attempts to combat this problem by introducing what are called digital signatures to macros, but early reports indicate that there are several holes with this approach as well.
Word macro viruses typically work by attaching themselves to Microsoft Word's default template (Normal.Dot), which is the basis for all word documents created and edited in Word. Once the default template is infected, any Word documents opened subsequently become infected.
Due to WordPerfect's architecture, its users have largely been immune from macro viruses. However, in the forthcoming release of WordPerfect 2000, Corel has licensed the use of Visual Basic for Applications (VBA), the macro language used in Microsoft Office. It is unclear at this time how Corel will implement VBA into WordPerfect, but it is theoretically possible that WordPerfect 2000 documents could likewise be subject to infection.
For legal professionals, macro viruses significantly increase the likelihood of infection. The primary products that law firms produce are word processing documents, which can now trigger harmful computer activity. Perhaps even more frightening is the ability of macros to pull data from a user's computer. The Melissa virus, for instance, replicated itself by reading and sending e-mail to the first 50 addresses in the user's Microsoft Outlook address book. If a macro virus can do this, it is possible that it can send similar confidential information to an adverse party.
With new delivery methods and new viruses, how do you practice safe computing? The first rule is to always verify the source of every file that you open or run on your computer. If you receive a virus in an e-mail attachment, you will not get infected unless you open that attachment. If you are not certain that a file is clean, do not open or run the file. If a friend sends you an unexpected message, such as "I know you'll like this, it's really funny" along with an attachment, be suspicious. Both the Melissa and Happy99 viruses would have been stopped dead in their tracks if recipients had simply deleted their innocent-looking e-mail messages without opening the attachments.
Second, make sure that the macro protection in Word is enabled. In Word 97, go to the menu option Tools, Options, General, Macro virus protection, and check the on box. In Word 2000, go to the menu option Tools, Macro, Security, and make sure that the security level is set to medium or high.
Third, always run an up-to-date antivirus program. The program should scan drives, folders, and files to identify viruses. If it detects a virus, it should be able to remove the virus without altering the data in the file. This feature is critical with macro viruses, as users will often want to retain the information in an infected word processing file. Besides the ability to scan files, many antivirus programs can sit in the background monitoring for any suspicious activity. For example, if a virus attempts to delete or alter system files, the program issues the user a warning about the action, giving the user a chance to halt the damage before it becomes permanent.
Antivirus programs do not provide complete protection. They only compare files on your system with a virus definition library of signature files. This means that an antivirus program is only as good as its last update. What self-respecting hacker would not make sure that a new virus escapes detection by most antivirus programs? The best new viruses escape detection. Using an antivirus program with an outdated library can sometimes be even more dangerous than using nothing, because the old program may give a false sense of security.
Comparing antivirus programs is like comparing brands of toothpaste. All perform adequately. Market leaders McAfee VirusScan 4.0 (www.mcafee.com, $49, free updates) and Norton AntiVirus 5.0 (www.symantec.com, $50, $3.95 first-year subscription for signature updates, free after one year) are two packages that can wipe out most pesky invaders. Both applications provide constant signature file updates that can be downloaded from the Internet. They can also run in the background and warn you if any program attempts to alter key system files, although in a recent lab test by PC magazine, Norton appears to require more system resources (6 percent) than McAfee (4 percent). McAfee also was better at detecting Java- and ActiveX-based viruses than Norton.
Where Norton shines, however, is in ease of use. Most of Norton's critical functions are a single button-push away. For example, Norton's Live Update feature automates the tedious task of downloading new virus definitions, retrieving the file via either the Internet or a direct modem link to Symantec. McAfee, on the other hand, requires navigation of several dialog boxes to accomplish basic tasks. Norton also has a handy quarantine folder where users can store files that they suspect might be infected. Users can also push a single button and e-mail the suspect file to Symantec for further analysis. Best of all, Norton offers a 30-day trial copy of Norton AntiVirus software, which users can download from http://www.symantec.com/nav/index_downloads.html.
Whichever program you choose, the important factor is to regularly update and use it, and above all, exercise common sense. Be suspicious of all files, especially those arriving via e-mail. Understanding that a virus can lurk behind even the most innocent file can go a long way toward keeping your computer system healthy and yourself sane.