steverose.com
Ideas and Information from a Maui Perspective

Viruses, and Email Safety

By Steve Rose
Wednesday, October 23, 2002

This is an email response I recently sent to affected friends and coworkers who had received a virus hoax, a warning about a system file called jdbgmgr.exe.  I took the opportunity to talk about email safety at a time when a preview can launch a trojan / virus / worm, without the need to open an attachment.   In any program, there are vulnerabilities that go beyond what I’ve mentioned, but at least it is a start and has worked for me so far.


Dear Bill and Friends,

The virus warning about jdbgmgr.exe is not accurate. You will be deleting a
file that is a normal part of your OS. Please see the Symantec site,

<http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html>

If you would rather not follow a link in an email from a stranger (good
practice!), then go to Google.com and enter jdbgmgr.exe in the search line.
One of the first responses will lead to the above site, where you can also
find instructions on how to restore the program if you have already deleted
it. (It is a Java debugger file).

Always be suspicious of emails that talk about a virus that is "immune" to
Norton and other antivirus programs. As long as your virus definitions are
up to date (as of today!), you are fairly well protected. Ironically, as
the Symantec site mentions,

"CAUTION: Jdbgmgr.exe, like any file, can become infected by a virus. One
virus in particular, W32.Efortune.31384@mm, targets this file. Norton
AntiVirus has provided protection against W32.Efortune.31384@mm since May
11, 2001."

Other virus checkers are also able to find a true virus attack on this file.

Since some viruses can be activated by previewing an HTML email message
(e.g. Klez), here is my recommendation:

First, use Outlook Express in Windows instead of Outlook (more on this
later), and turn off the preview pane (go to Tools, Layout, and uncheck
Preview Pane). The preview pane renders the message as HTML, and that
rendering alone is enough to execute the virus code.

Expand your message list columns to show From, To, Subject, Received,
Account, and Size. This will give you the best clues on where a message has
originated, and its legitimacy.

Delete obvious spam and potential virus attacks without opening. Be
careful, as some friends may have changed email addresses to something
unfamiliar, and used a spam-like subject line (sigh). Part of this process
is to go to the Symantec or McAfee web site, and see commonly used virus
message subject lines. Also, remember that deleting a message only moves it
to the deleted message file, where it lives on. When you delete it from the
deleted message file, it is "actually" deleted. (Also, remember that it is
frequently possible to "undelete" a file even after this step, but it takes
an intentional act.)

For any remaining unfamiliar messages that may be of value, right click on
the message, then choose Properties, then the Details tab, then the Message
Source button. Double click on the title bar of the Message Source window.
(lots of humbug, but worth it not to get infected). This will let you see
the message and its address path in plain text, and does not give any virus
code the opportunity to execute. A virus can only infect if it gets
execution control of the processor.

If the message just consists of a MIME attachment (nothing but a rectangular
block of "nonsense" letters), I delete it. A MIME attachment is an encoded
file, and an executable one will run if it is opened.
Sometimes, the message will be in HTML without a plaintext version, in which
case you have to wade through the tags to see the text of the message, but
it is there. In any case there will be enough information to make a
decision as to whether the message is worth opening.
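What the Message Source view gives you, in code, as an added example that is not part of the original email: this Python script reads a raw message the same way the steps above describe, without rendering the HTML or opening the attachment, and reports the From, To and Subject columns, the Received path back to the originating host, the readable text with the tags stripped out, and any attachment whose extension Windows would execute. The sample message, the function names and the list of executable extensions are constructed for the example and are not from the page.

```python
import re
from email import message_from_bytes
from email.policy import default
from html import unescape

# Constructed sample (not a real capture): an HTML-only body, an IFRAME that
# points at the attachment, and an attachment with a doubled extension. Hosts
# and addresses use reserved documentation ranges.
SAMPLE = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.com with SMTP; Wed, 23 Oct 2002 09:12:00 -1000
Received: from [198.51.100.7] by mail.example.net with SMTP; Wed, 23 Oct 2002 09:11:30 -1000
From: "A Friend" <friend@example.net>
To: bill@example.com
Subject: a funny game
Date: Wed, 23 Oct 2002 09:11:00 -1000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hi Bill,<br>try the <b>attached</b> game.</p>
<iframe src="cid:game"></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="game.txt.pif"
Content-Disposition: attachment; filename="game.txt.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--b1--
"""

# Extensions Windows runs on double-click (assumed list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs", ".js"}
# Tags that make an HTML body "active" once a preview pane renders it.
ACTIVE_TAGS = re.compile(r"<(iframe|script|object|embed)\b", re.I)


def html_to_text(html):
    """Return the readable text of an HTML body without rendering it."""
    text = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<br\s*/?>|</p\s*>", "\n", text, flags=re.I)
    text = re.sub(r"<[^>]+>", "", text)
    return re.sub(r"[ \t]+", " ", unescape(text)).strip()


def summarize(raw):
    """Parse a raw message and report what the Message Source view shows."""
    msg = message_from_bytes(raw, policy=default)
    # Each hop prepends its own Received header, so the last one is the hop
    # nearest the originating machine.
    received = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    origin = re.match(r"from\s+(\S+)", received[-1]) if received else None
    report = {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "received_path": received,
        "origin": origin.group(1) if origin else None,
        "text": "",
        "attachments": [],
        "active_html": False,
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            name = filename or "(unnamed)"
            # Only the last extension counts; "game.txt.pif" is a .pif file.
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            report["attachments"].append({
                "filename": name,
                "content_type": ctype,
                "size": len(part.get_payload(decode=True) or b""),
                "executable": ext in EXECUTABLE_EXTS,
            })
        elif ctype == "text/plain":
            report["text"] += part.get_content()
        elif ctype == "text/html":
            html = part.get_content()
            report["active_html"] = report["active_html"] or bool(ACTIVE_TAGS.search(html))
            report["text"] += html_to_text(html)
    report["suspicious"] = report["active_html"] or any(
        a["executable"] for a in report["attachments"])
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE)
    print("From:", r["from"], "| Subject:", r["subject"])
    print("Origin host:", r["origin"])
    for hop in r["received_path"]:
        print("  Received:", hop)
    print("Text:", r["text"])
    for a in r["attachments"]:
        print("Attachment:", a)
    print("Suspicious:", r["suspicious"])
```

The script never hands the HTML to a renderer and never writes the attachment to disk, so nothing in the message gets execution control; it only inspects bytes. Point it at a saved .eml file (read in binary mode) in place of SAMPLE to check real mail the same way.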

I'm clearly paranoid, as Norton checks my incoming and outgoing email, but
my experience is that you can't be too careful. As they say, just because
you're paranoid doesn't mean that there isn't someone out to get you.

I've always used Outlook Express as an email client, and Outlook to maintain
my address list (and for PDA sync), leaving Outlook without any mail
accounts so that an attack on Outlook will have no way to propagate.
However, some new viruses mine the Inbox for email addresses (including OE),
so that strategy has become less useful.

If you know of a more convenient way to safely preview messages without
disabling the browser, I'd appreciate knowing. I've seen one utility that
turns off HTML viewing of email, but there were drawbacks. There may be
other email clients that are better protected or less susceptible to attack.

Aloha,
Steve Rose
