Defending Against Outlook Viruses

FRAMINGHAM (07/03/2000) - Melissa and the Worm.ExploreZip virus were slaps in the face to Microsoft Outlook users. But the ILoveYou virus, which struck during the spring, appears to have been the real wake-up call. And not only for companies using the technology on corporate networks. Microsoft Corp. and other vendors have also sprung into action by rushing out security patches to help fend off new worm viruses whose target is Outlook and whose signature is rapid propagation.

E-mail administrators who have had trouble convincing their bosses to spend the time and money on e-mail security software and policies are now finding sympathetic ears in the corner offices.

"Our orders are coming right from the top," says Jeff Marden, network architect for Fairchild Semiconductor in Portland, Maine, who now can pay more than lip service to messaging security. "We took quite a beating with the ILoveYou virus."

Marden is not alone, as businesses around the world were stung by the virus that infiltrated e-mail systems with a tantalizing love letter, then played Cupid's evil twin behind the scenes. The virus, which used a Visual Basic script, quickly spread by hijacking the Microsoft Outlook address book and sending e-mails to those listed within.

And there was plenty to hijack. More than 45 million Microsoft Exchange seats have been sold, and most buyers use Outlook as their client. Countless others use Outlook as the front end for Post Office Protocol 3 e-mail servers, ISP accounts and on home PCs.

Some e-mail administrators report that their systems were crippled by thousands of ILoveYou messages. Fortunately, the virus only ate up .jpg and .gif graphic files, although the damage could have been much worse.

With that thought fresh in many minds, e-mail administrators have gone on the defensive.

"We are creating more formal procedures that we are lining up tongue-and-groove with our overall security plan," Marden says. Fairchild is dropping the use of attachments, and no executable code can be passed through e-mail at the company. Each message is now scanned for viruses at the network's perimeter.

Others seem to be taking the same tack. Security experts say ILoveYou spinoffs, which masqueraded as jokes and resumes, didn't spread widely because there was heightened awareness among administrators and end users.

"All of our mail now passes through a virus scanning server that sits on the outer border of the network," says an e-mail administrator for a Fortune 500 petroleum company. "We block all executables. We added .vbs [to the list of banned attachments] after the ILoveYou outbreak. Worm viruses move so fast that we have to go on a staunch defensive."

The company also has an antivirus response team on-call 24 hours per day that can update virus software on 30,000 desktops in less than five hours. The company policy dictates that e-mail servers be shut down for inward- and outward-bound mail at the first sign of trouble.

"This all works because we have buy-in from the bosses, but they had to feel the pain first," says the administrator, who requested anonymity.

And there was substantial pain with ILoveYou and other viruses. So much so that Microsoft was goaded by beleaguered users and security experts to develop a patch to safeguard Outlook.

Microsoft responded last month with its Outlook E-mail Security Update, a patch that blocks 37 attachments from reaching a user's in-box. The patch also adjusts security zone settings in Outlook to prevent scripts from running by default and prevents other applications from using the address book to send e-mail.

E-mail administrators have given the patch favorable reviews. Most say it's a good idea to install it.

The patch, however, only works with Outlook 98 and 2000. Part of the code runs on the Outlook client, and a second piece runs on mail servers so administrators can fine-tune security settings. Those servers naturally include Exchange, but Lotus Development Corp. and Hewlett-Packard Co. are adapting the patch to run on their servers as well.

"Virus writers are getting quite intelligent so we can't prevent all viruses, but if you install this update it will prevent the most popular viruses," says Lisa Gurry, product manager for Microsoft Office. "This patch is significant for enterprises to have."

Third-party vendors also are stepping up to the plate. In June, Computer Associates released Mail Watcher, and Reliable Software Technologies released JustBeFriends. Both patches, which are free, monitor applications or code that makes calls to Outlook seeking to use the client for mass mailings. In essence, the patches lock the Outlook address book so viruses can't automatically spread.

The CA patch works with all versions of Outlook, including Outlook Express, and runs on Windows 2000, NT, 95 and 98. The Reliable patch also works with all Outlook clients but only runs on Windows NT and 2000. Both patches can be used with the Microsoft patch.

E-mail administrators also can take other measures, according to consultants.

Jim Froio, a technology specialist with Alpine Computer Systems in Holliston, Massachusetts, tells clients to turn off the preview window in Outlook 2000.

"When you preview an e-mail, the script executes," he says.

He also tells companies to disable the Windows Scripting Host on their desktop operating systems, which prevents scripts from running.

"I haven't found anybody that has a reason to run [Visual Basic script]," Froio says. The only problem with disabling the Scripting Host in Win 2000 is that the operating system's self-healing features will reinstall it automatically.

And Microsoft doesn't recommend such a step. Company officials say removing the scripting host "guts" the operating system and disables certain tasks, such as loading antivirus software when a machine starts.

Froio says the decision to take any preventative action will always be a trade-off between levels of vulnerability and functionality. He says the best defense is user education.

And with so many corporate and IT executives getting that education today, can other end users be far behind?

Join the newsletter!

Error: Please check your email address.

More about CA TechnologiesExploreZipHewlett-Packard AustraliaMicrosoftReliable Software Technologies

Show Comments

Market Place