Tech Update
Cure for Outlook worms is a sham
By Steven Vaughan-Nichols
November 1, 2001

If you're like most network administrators, the last thing you want is yet another worm wriggling its way into your LAN from e-mail. You've probably seen a few "fixes" floating around the Web that promise to curtail viruses. For example, have you received a message like this one recently?

"I solved the spreading of viruses via e-mail by creating a special entry in my address book. The name of the contact is !000 (three zeros with an exclamation point in front) and the e-mail address is worm.alert. If any virus worm attempts to spread itself, it will try to send to !000 first. I get a warning message that the mail could not be sent, which tells me I have a worm."

Too bad it doesn't work. An earlier variation of this bogus Outlook security fix lists the contact name as !0000 with an e-mail address of !0000@novirus.com. No matter which version you try, though, this "fix" fails.

The problem with this fix is that it presumes that simply adding the bogus address "!000" to your Windows Address Book will stop modern Outlook transmitted diseases (OTD) in their tracks, or at least warn you that you're infected. At best, that's only half true.

When you put in your own address or a bogus one, the worm will still happily send its poisonous load to everyone on the list. The one change is that if you use your address, you'll know about it sooner. Even if you have Outlook check for mail constantly (if you don't check often, the worm will do its work and you'll never have a chance to catch it), the worm will still be happily sending itself to everyone in your address book in milliseconds while you're playing catch-up in seconds. Some fix, huh?

In addition, this fix presumes that the worm will try to send copies of itself out to everyone in your Outlook or Outlook Express address book, starting with the first entry. But it might not.

While Melissa and other older and cruder OTDs still send to everyone on the address list, the more up-to-date worms don't do this. Some of today's OTDs, like VBS.Stable-A, randomly pick addresses from your Outlook address book to launch their attacks. Others such as SirCam will raid your address book for addresses, but these worms run their own Simple Mail Transport Protocol (SMTP) server so that keeping an eye on what Outlook is up to may not show the problem at all. Indeed, SirCam doesn't have to use your address list; it can pull e-mail addresses from Web pages in your Web browser cache.
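To make the argument above concrete, here is an added model (my own, not from the article) of the two worm behaviours it describes: a sequential sender whose bounce from the canary entry arrives only after the real contacts have already been mailed, and a random picker that usually never touches the canary at all. The address book contents, contact names and timings are constructed for illustration.

```python
import random
from typing import List

# The hoax's canary contact. '!' sorts before letters and digits, so it is the
# first entry in an alphabetically ordered address book.
CANARY = "!000"

def build_address_book(n_real: int) -> List[str]:
    """Constructed sample address book: n_real real contacts plus the canary."""
    book = [f"user{i:03d}@example.com" for i in range(n_real)]
    return sorted(book + [CANARY])

def sequential_targets(book: List[str]) -> List[str]:
    """Melissa-style model: every entry, in address-book order."""
    return list(book)

def random_targets(book: List[str], k: int, rng: random.Random) -> List[str]:
    """Random-picking model (the VBS.Stable-A case): k entries chosen at random."""
    return rng.sample(book, k)

def canary_hit_probability(n_real: int, k: int) -> float:
    """Exact chance that the canary is among k picks from n_real + 1 entries."""
    return k / (n_real + 1)

def simulated_hit_rate(n_real: int, k: int, trials: int, seed: int = 7) -> float:
    """Monte Carlo estimate of canary_hit_probability over many worm runs."""
    rng = random.Random(seed)
    book = build_address_book(n_real)
    hits = sum(CANARY in random_targets(book, k, rng) for _ in range(trials))
    return hits / trials

def real_recipients_before_warning(n_real: int, send_ms: float, bounce_ms: float) -> int:
    """Sequential worm: the canary goes first and bounces, but the worm keeps
    sending one copy every send_ms while the bounce takes bounce_ms to reach
    the user. Returns how many real contacts were mailed before the warning."""
    book = build_address_book(n_real)
    sent = 0
    for i, target in enumerate(sequential_targets(book)):
        if target == CANARY:
            continue
        if i * send_ms >= bounce_ms:  # the warning has finally arrived
            break
        sent += 1
    return sent

if __name__ == "__main__":
    print(f"random worm, 10 picks of 200: P(canary seen) = {canary_hit_probability(200, 10):.3f}")
    print(f"simulated over 10000 runs: {simulated_hit_rate(200, 10, 10000):.3f}")
    print(f"sequential worm, 1 ms/send, 2 s bounce: "
          f"{real_recipients_before_warning(200, 1, 2000)} of 200 contacts already mailed")
```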

The newest OTD, VBS.Masteal.Trojan, was discovered on October 18th. It's a Trojan horse that copies all e-mail Outlook addresses to the file C: Shell.dll.txt and then sends the addresses to a pre-programmed list of e-mail addresses within the Trojan. The !0000 can do nothing about this.

The only thing this protection trick does is make you think you're safe when you're not. The best ways to protect yourself from spreading OTDs are the old standbys: constantly updating anti-virus detectors; using maximum-security measures in Outlook (such as turning off all scripting); or simply switching to another e-mail client or client/server combination such as Lotus Notes/Domino or Novell GroupWise. Even with the best of protection, you may still get an OTD. But you're far less likely to spread them with these solutions.
