TECHNOLOGY TIPS
Typical End-user Virus FAQs
The following FAQs were developed to address
viruses and related issues and how they impact ABC
Association's environment specifically. Many of these are
pertinent to any computer (at home or in a work network
environment), while others are specifically noted as being
ABC Association related.
There are many generalizations in these
FAQs that are directed toward a non-technical staff person
– detailed specifics have been excluded for the sake of
comprehension and brevity. The focus is on the reader
understanding the cause-and-effect, and not the specific
technical details.
Feel free to share this with others
outside the organization – however note that some items
are unique to the ABC Association network, and protections
provided in our network are not necessarily in use at
other organizations (some of these items have been flagged
with a footnote for easier reference).
Note: You can jump to any question and
answer by clicking on the question in the list below.
- Do I really have to read this entire document?
- What if I don't understand something in this document, or understand it but still have doubts?
- Why are we hearing so much about viruses lately?
- What is a virus? A Trojan Horse? A worm?
- How do viruses spread?
- I've heard about "good" viruses – do these exist and what are they?
- What do we do to protect our system from viruses at ABC Association?
- How do I know if the anti-virus software is running on my computer?
- How does anti-virus software work?
- Are anti-virus applications fool-proof?
- How else do we protect our network?
- What will we be doing in the future to further protect our network?
- How do you know if my computer has become infected?
- What does IT do if they suspect that a computer is infected?
- I was traveling with a laptop and got a message that I have a virus. What should I do?
- I got a message on my work computer that I got a virus. What should I do?
- I suspect that my home computer has a virus. What should I do?
- Are viruses the only malicious e-mails that we get?
- How are viruses transferred via e-mail?
- What are executable files? Are there legitimate reasons why I would receive one via e-mail?
- What is an extension? Why is it important?
- I don't see file extensions - how do I change that?
- What are the extensions that we block at ABC Association?
- What if I really do need to get a file of this type sent to me?
- Does that mean that any file that comes in via e-mail can not be an executable?
- If an e-mail is blocked because of the extension, or a virus is detected, do you notify the sender, and why?
- If I double-click a Word or Excel file, it opens automatically - why isn't that considered an executable file or unsafe?
- A file has the Word or Excel icon - that means it's safe, right?
- If I get a Word or Excel document, but am wary of opening it, what should I do to be safe?
- I got an e-mail saying that I had account information in the attached ZIP file. What should I do?
- I got a new mail notification message, but don't see any new e-mail. Why is this?
- I got an auto-reply e-mail saying I sent someone a virus. Did I really send them a virus?
- How can I be sure I didn't send one?
- What if I get a call or a personalized e-mail saying I sent a virus?
- I got an e-mail saying my message bounced from someone, but I didn't send them any e-mail. Could this be related to a virus? What should I do?
- I get a lot of these NDRs, can't you stop them?
- Can you tell where a virus or Spam message really came from?
- I have a question that wasn’t answered in this FAQ – what should I do?
Do I really have to read this
entire document?
No, or at least not all at once - but at
least browse the questions and read items that you aren't
familiar with. If you get a virus warning or otherwise are
concerned about viruses, come back to this document and
see if your question is answered here.
What if I don't
understand something in this document, or understand it
but still have doubts?
Always feel free to check with IT. We're
more than happy to explain any of these issues or terms,
or to explore your concerns.
Why are we
hearing so much about viruses lately?
As you have probably heard on the news,
there is an all-time high volume of viruses on the
Internet. Some experts estimate that one out of every
seven or eight e-mails right now has a virus attached.
This situation will only get worse. You're hearing from
me on this topic because our best line of protection from
viruses is an educated staff, and I wanted to compile a
lot of the information that I send out to individuals
daily into one manageable document you can look at when
you have the time or inclination.
What is a virus?
A Trojan Horse? A worm?
For the purposes of this document, we are
including as a "virus" any program that installs itself
without your knowledge or consent and, in most cases,
copies itself to other files or computers. Strictly
speaking, a virus attaches itself to other files or
programs and spreads when those are opened; a worm spreads
across a network on its own, with no file to carry it; and
a Trojan Horse is a program that pretends to be something
useful but carries a hidden malicious function and does
not copy itself at all. Any of these could be intended to
harm the system it infects, or simply use that machine as
a host to attack others, or provide a back door for
hackers. There are many different categories of these
types of programs, but they are all bad, and generally can
be discussed as one category for the purposes of this
document. Also for the purposes of this document I
consider a hacked computer and an infected computer as the
same thing.
There are literally hundreds of thousands
of different viruses, many of which are simply
modifications or variants of others. Some are extremely
harmful and will replicate and then destroy the system
they are on or delete files randomly from your computer.
Many are little more than pranks and cause little harm.
Still others are "proof of concept" viruses – as soon as
someone declares that a system is immune to viruses,
people will write one simply to show that they are wrong.
Many are used to launch attacks against
certain vendors' web sites, and more commonly viruses are
used to search for personal or financial information on
your home computer for marketing or fraudulent purposes.
Many viruses are broken or not fully effective, and infect
a system, but do nothing else. Some do more than one of
the above. Again, regardless of the actual result, they
are all bad and should not be treated lightly.
How do viruses
spread?
Viruses are spread many ways, and
currently the most common method is via e-mail. An e-mail
based virus will e-mail itself to some or all of the
people in the infected person's address book. It will
also hide its true source by replacing the "sent from"
address with someone else in the address book or a random
address. This makes it harder for people to be alerted to
the fact that they have a virus, as the notifications or
complaints go to the wrong person. By doing this the
virus often appears to come from a trusted or known
source, and as a result people are more likely to open the
infected attachment.
Also, a virus may scan the network the
machine is on or try to connect to other unprotected
machines accessible via the internet, or search network
drives for files to infect. E-mail is just one way that
computers can communicate with each other and there's a
virus for just about every protocol for inter-computer
communications.
Another very common way of spreading
viruses is within shareware, freeware or pirated
software. Hackers and virus writers will often take
software and infect it knowing that people will download
them, or masquerade a virus as a provocative video or
sound file. File sharing or swapping services are
notorious for spreading viruses.
Finally, a newer way people get viruses is
via instant messaging applications like AOL Instant
Messenger, ICQ, Yahoo Messenger and other similar
services. You should not use these applications (or any
type of file-sharing application) within our network.
I've heard about
"good" viruses – do these exist and what are they?
There are people who have written viruses
that seek out systems that are unsecured, and then apply
patches against those vulnerabilities. There are others
that purport to do this, but may actually be creating a
back door for hackers. The bottom line is we don't want
anyone other than the IT department installing
applications on your computer, so anything else is bad,
regardless of the actual result.
What do we do to
protect our system from viruses at ABC Association?[1]
We have two types of virus protection - on
each user's workstation, and on each file, application or
e-mail server. They are all updated constantly and we
check them routinely for currency.
The antivirus applications constantly scan
any file or e-mail that enters our network or is saved to
it, and any file as it is being opened and then again when
they are re-saved. E-mails are also scanned as they are
being composed and then when they are leaving our
network.
Also, our firewall protects us in ways
explained below.
How do I know if
the anti-virus software is running on my computer?[2]
You should see a yellow shield icon in the
system tray (to the left of your system clock). For
Windows XP users, you may have to click the "less than"
symbol (<) to see all of the icons. If you don't see
this, let me know immediately.
How does
anti-virus software work?
There are three basic things that
anti-virus software does - first, it looks at a file and
searches for known patterns that are associated with
specific viruses. You can think of this as looking for a
digital fingerprint. This is a very effective way of
detecting viruses. The antivirus software uses a file
called a signature file, and these are updated with new
fingerprints every couple of days. However, virus writers
are well aware of this, so they do things to try to change
or hide the fingerprint. Antivirus software also looks
for similar patterns or code that could be harmful – this
is called "heuristics." Finally, some anti-virus software
checks for suspicious activity, such as an application
trying to write to certain areas of the computer,
modifying specific files or performing other dangerous
actions. They also commonly check to make sure you don't
have a floppy in your drive when shutting down, as
computers will generally boot from floppy first, which
will skip any anti-virus application when your computer
starts up.
Are anti-virus
applications fool-proof?
No. The biggest problem with the
signature approach is that the antivirus manufacturers can
only create a new signature once a new virus has been
detected - and that usually means that someone was
infected. These companies actively seek out and monitor
for new viruses, but it's possible, if not likely, that a
new virus can spread more quickly than the signatures can
be updated and shared. While they are quick to develop
them, a virus can spread around the world and to hundreds
of thousands of computers within hours. Because of this,
it's important that we don't rely on only the scanning
software, but be careful of what we open or download.
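As an added illustration (not part of the original FAQ, and not code from Symantec or any other vendor), the Python below does on a constructed file what the two answers above describe: it looks for an exact "fingerprint" the way a signature file does, applies one simple heuristic, and then shows that changing a single byte of the file silences the signature but not the heuristic. The EICAR string is the harmless industry-standard anti-virus test pattern; the file names, the "signature file" and the sample bytes are constructed for the example.

```python
# Added example, not part of the original FAQ or of any vendor's
# product. Shows the difference between signature matching and a
# heuristic on constructed data.

# The EICAR string is the harmless, industry-standard pattern that
# anti-virus products are built to detect; it stands in here for the
# "digital fingerprint" of a real virus.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed "signature file": virus name -> byte pattern to look for.
SIGNATURES = {"EICAR-Test-File": EICAR}

# Extensions that should hold documents, never programs.
DOCUMENT_EXTENSIONS = (".doc", ".xls", ".txt", ".pdf")


def signature_scan(data):
    """Exact pattern lookup, the way a signature file works.
    Returns the names of every known pattern found in the bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(filename, data):
    """Flags traits that are suspicious even with no matching signature."""
    findings = []
    # Windows programs (.exe, .scr, .com ...) begin with the two bytes 'MZ'.
    # A file that claims to be a document but starts that way is lying.
    if data.startswith(b"MZ") and filename.lower().endswith(DOCUMENT_EXTENSIONS):
        findings.append("document extension but program contents")
    return findings


def scan(filename, data):
    """Both checks combined into one verdict: list of reasons, empty = clean."""
    return signature_scan(data) + heuristic_scan(filename, data)


def make_variant(data):
    """Mimic a virus writer's 'variant': change one byte so the old
    fingerprint no longer matches while the file otherwise stays the same."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


if __name__ == "__main__":
    # Constructed sample: a "document" that is really a program carrying
    # the known pattern.
    sample = b"MZ" + b"\x00" * 16 + EICAR
    print("original:", scan("invoice.doc", sample))
    # After a one-byte change the signature is silent; only the heuristic
    # still speaks up. This is why signatures alone are not fool-proof.
    print("variant: ", scan("invoice.doc", make_variant(sample)))
```

Run it as a script to see the two verdicts; the point is the second line, where the "variant" slips past the fingerprint and only the mismatch between the .doc name and the program contents remains.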
How else do we
protect our network?[3]
Other than anti-virus scanning, our
primary defense against viruses and hackers is our
firewall. The firewall is designed to only allow certain
types of information into the network, and only to the
appropriate places. This is primarily a protection
against hackers and viruses that spread via means other
than e-mails.
We also update all of our workstations and
servers with the latest Microsoft security patches as they
are released. Our workstations are set to check for
critical updates every day, and we push down updates to
the workstations periodically when a significant issue
needs to be addressed. Finally, we spot check all of the
computers periodically to make sure the updates are
happening correctly.
Our absolute best protection against
viruses however is having educated users that are careful
about what they do and ask for help when they see
something suspicious.
What will we be
doing in the future to further protect our network?[4]
There are three major things we are
planning to implement in the next couple of weeks to
extend our protection.
-
We will be subscribing to a service that
scans our e-mails for viruses and spam before it gets to
the ABC Association network. This system is even more
effective at catching viruses than the one we use
currently and provides redundant protection. It will
also offload some of the processing that's slowing our
current e-mail server down significantly.
-
We will be putting our conference room
network ports on their own "network" so visitors that
connect to the internet during meetings don't infect our
network by being inside our firewall. They will also be
behind a firewall, but won't have direct access to our
primary network.
-
We will be working to help those of you
who connect to the Internet at home implement either
personal antivirus or firewalls to help prevent you
getting viruses at any location that could end up in the
office. This is particularly important for those of you
who take laptops home and connect to the internet via
high speed cable or DSL connections or bring files into
the office on floppies, CDs or USB hard drives.
How do you know
if my computer has become infected?
There are a couple of indications – the most
common sign is the computer will start having inexplicable
problems or exhibit erratic behavior. As an example, some
viruses will disable your dial-up connection, to make sure
you can't download a fix. Other times you will see a
pop-up message on the computer from the antivirus software
saying a virus was discovered and whether it was
successfully removed or not. As a general rule of thumb,
if you get the message when you go to access a specific
file, the virus was probably caught before it caused
problems. If the message appears randomly while you are
doing other things, the computer is idle, or as part of
the start up or shut down process, it may mean the virus
was on the computer, and a new virus signature file
allowed the software to detect it.
Regardless of the message, in all cases,
we treat the computer as if it's infected until we can
definitely ascertain that it is not.
What does IT do
if they suspect that a computer is infected?[5]
When we suspect that a computer is
actively infected, we remove it from the network so it
can't cause further damage or infect other machines. Then
we scan the computer using the latest version of our
antivirus software. We also note the virus signature date
and the critical Microsoft patches to determine the
likelihood that the computer was open to infection or
hacking. If the machine is up to date and no viruses are
found, we can start troubleshooting other possible problem
areas.
Once a computer or server has been
confirmed as being infected, we research the virus and
determine how serious it is. Many viruses are very easy
to deal with or there are tools available to automatically
remove the virus and repair any damage. If that's the
case, we do so and make sure that if there is a patch for
the vulnerability, that it's patched. Otherwise, we
completely reformat the computer and reinstall all of the
applications from scratch. In most cases you can never be
sure what damage was done or if the virus also left any
back doors for hackers or other problems.
Fortunately it's very rare that our
desktop computers get infected – in fact it has been over
a year since the last case I know of. However, our
laptops get infected more often, as a result of being
plugged into insecure networks, so they get reconfigured
periodically.
I was traveling
with a laptop and got a message that I have a virus. What
should I do?[6]
This is critical – DO NOT connect the
laptop to our network or even turn it on if you can help
it. Let me know as soon as possible and make sure that no
one else uses the laptop. Do not try to fix anything, and
don't delete any files or messages.
I got a message
on my work computer that I got a virus. What should I do?
If the message is in an e-mail, see the
information below about e-mail warnings. Assuming the
message is a pop-up message from Symantec you should
contact me immediately – do not reboot or turn your
computer off. If you cannot wait for whatever reason,
capture a print screen by pressing the Print Screen button
and then open Word and choose the Paste (Ctrl-V) option –
this will put a copy of the screen image in the document.
Print out or save the document for me. However it's
usually best to do nothing until we investigate. Most of
the messages are telling you that something was prevented
before it became a problem, but it is always best to check
with me so I can make sure that it didn't come from within
our network.
If the message is an internet browser
pop-up message (the same kind of window that a pop-up ad
appears in) it is possible it is simply a scare-tactic
advertisement. Regardless, if there is any question save
or print the message and check with me.
I suspect that
my home computer has a virus. What should I do?
If you don't have one already, you need to
get a good antivirus software package. There are many
available, but Symantec/Norton antivirus is a good
product. Contact me for more information.
If you don't have
a program and need to test your machine immediately, you
can do so via the web at:
http://housecall.trendmicro.com/
If you have a virus on your home computer,
it is usually best to reconfigure your computer as we do
in the office. It's a big hassle, but in the long run
best. I can help you determine if that's really
necessary. As with our computers in the office, you
should make sure that you periodically back up critical
documents or data files and ensure you have up-to-date
antivirus protection.
Are viruses the
only malicious e-mails that we get?
No, there are also lots of hoaxes, scams
and fraudulent activities circulating routinely. The most
recent trend is an e-mail telling you that an account of
yours has been disabled, compromised or otherwise called
into question, and giving you a web address where you are
prompted for personal or account information. This is
called "Phishing." The link text and site address look
legitimate (e.g.,
www.bankofamerica.com) but the real destination is
somewhere else - commonly overseas. The e-mail will look
very convincing, include logos and the proper formatting
and the web site will have many links that work. In fact
some, like the ones directing you to Microsoft to "update"
your system (with a tool that lets hackers access your
system) even have articles about the dangers of these
e-mails. Never click on a link and then enter personal or
account information - it is typically an attempt to steal
your information. If you get a message like this, and
believe it may be legitimate, call your bank or whomever,
on the phone, or type the web address in yourself. Again,
do not rely on clicking the link – you will probably not
end up where you think you are going. Most legitimate
businesses do not conduct business in this manner anyway.
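As an added example (not from the FAQ's author), the Python below takes the check described above and does it mechanically for every link in an HTML e-mail: it compares the address the link shows with the host the browser would really contact, and flags two other old tricks, a user name before an "@" that hides the real host, and a bare IP address in place of a name. The sample e-mail, the look-alike host names and the addresses in it are constructed for the example.

```python
# Added example, not from the FAQ's author: pull every link out of an
# HTML e-mail and report the ones whose visible text points one place
# while the real destination is somewhere else. The sample e-mail and
# the hosts in it are constructed (203.0.113.0/24 is reserved for
# documentation).
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> tag in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host name the browser will really contact for this URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def looks_like_address(text):
    """Visible text that reads as a web address (e.g. www.bankofamerica.com)."""
    return "." in text and " " not in text


def link_findings(html):
    """One (reason, visible text, real host) per suspicious link."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        if "@" in urlsplit(href).netloc:
            # http://www.bank.example@evil.example/ : everything before the @
            # is a "user name" the browser ignores; evil.example is the host.
            findings.append(("user-name trick hides real host", text, real))
        elif real.replace(".", "").isdigit():
            findings.append(("raw IP address instead of a name", text, real))
        elif looks_like_address(text):
            shown = host_of(text)
            # Allow www.bank.example when the text shows bank.example.
            if shown != real and not real.endswith("." + shown):
                findings.append(("text and destination differ", text, real))
    return findings


# Constructed phishing-style e-mail body.
SAMPLE = """<p>Your account has been suspended. Please verify it now.</p>
<a href="http://www.bankofamerica.com.verify-login.example/">www.bankofamerica.com</a><br>
<a href="http://www.bankofamerica.com@203.0.113.9/">https://www.bankofamerica.com/</a><br>
<a href="http://203.0.113.9/update.exe">Update your system</a><br>
<a href="https://www.bankofamerica.com/">Bank of America</a>"""


if __name__ == "__main__":
    for reason, text, real in link_findings(SAMPLE):
        print(reason + ": shows '" + text + "', really goes to " + real)
```

The last link in the sample is the only one that passes: its visible text is a plain name rather than an address, and its destination is the host it appears to be. Typing the address yourself, as the answer above advises, sidesteps all three tricks at once.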
How are viruses
transferred via e-mail?[7]
There are four basic ways you can get a
virus.
1) An executable file is included in
the e-mail, and when you double-click or try to open it,
the virus is run. Our system simply deletes these types
of files - whether they are a virus or not, as they aren't
generally used for business purposes. This alone blocks
95% of all viruses or more. Additionally, if for some
reason a file comes in that we do allow that has a virus,
both of our anti-virus measures should detect and either
fix or delete this file.
2) Some viruses arrive inside a ZIP file,
with a message claiming the file had to be zipped because
it couldn't be sent as is (because of 1 above) or because
of a mail client incompatibility. You would open the zip
file and then run the executable. Right now we allow ZIP
files into our e-mail system, but may have to stop this if
the risk outweighs the benefits of allowing it. Our
antivirus measures should detect these viruses but as
always, a virus that is never run does no harm.
3) You are directed to a web site
where a script or executable is run. Our workstation
anti-virus scanning should detect these viruses. However,
it does not detect other types of malicious programs like
Spyware.
4) Some e-mails, particularly HTML
formatted mail, can contain scripts that run automatically
when the page is loaded. Our system should protect you
from this, however it's always safest to simply close and
delete suspect e-mails.
What are
executable files? Are there legitimate reasons why I
would receive one via e-mail?[8]
An executable file is any file that if you
double-click on it, will automatically run either a
program contained in the file, or run a program that
executes commands stored in the file. It is very rare for
there to be ANY reason for someone to send you a file of
this nature via e-mail. If we find any of these in an
e-mail, we delete the entire e-mail.
What is an
extension? Why is it important?
An extension is the short text (usually two to four
characters) at the end of a file name following a period.
Most applications like Word and Excel add an extension
automatically (doc or xls). Windows uses the extension to
determine what program to open the file with. For
example, a ".doc" extension does not guarantee that it's a
Word document, but Windows will launch Word when you
double-click on that file.
I don't see file
extensions - how do I change that?
In Windows Explorer, go to Tools/Folder
Options and click on the View Tab. Uncheck the box
labeled "Hide extensions for known file types."
What are the
extensions that we block at ABC Association?[9]
You cannot send or receive via e-mail any file that has
one of the following extensions, regardless of what is
actually in it:
ad, ade, adp, asd, asf, asp, asx, bas,
bat, bin, cab, ceo, chm, cmd, com, cpl, dll, enc, exe, hlp,
hta, hto, inf, ins, isp, js, jse, lnk, mda, mdt, mdw, mdz,
msc, msi, msp, mst, nws, ocx, ops, pif, prf, reg, scf, scr,
sct, shb, shm, shs, vb, vbe, vbs, vbx, vsd, vss, vst, vsw,
vxd, ws, wsc, wsf, wsh
What if I really
do need to get a file of this type sent to me?
If you need someone to send you a utility
for example, that includes an exe file, you can have them
zip the file. Executables in a zip file are permitted,
and our antivirus program will scan them so you are still
protected. Otherwise, contact me and I'll arrange to get
you the files you need.
Does that mean
that any file that comes in via e-mail can not be an
executable?
We think that's the case, but hackers and
virus writers are constantly coming up with new clever
ways to do damage. We monitor various sources of
information on this, and update these lists accordingly.
Regardless, never open a file that you are not expecting
or don't know why you got. It is common for viruses and
hackers to send a cryptic message which encourages you to
open the attachment to try to determine why you got the
message.
If an e-mail is
blocked because of the extension, or a virus is detected,
do you notify the sender, and why?[10]
We don't notify them because in most cases
the message did not come from a legitimate address, so
the notice would not reach the right person anyway. These
notifications are generally useless and just add more
overhead to our system.
If I
double-click a Word or Excel file, it opens automatically
- why isn't that considered an executable file or unsafe?[11]
Files of this nature aren't really
executable - although they can contain macros which are
basically programs that can be run when you open a
document. Our antivirus system and Office XP detect Macro
Viruses and will warn you before allowing them to run, so
these are usually safe to open this way. Technically it's
not safe to double-click on any file unless you see that
the extension is what it should be – i.e., doc or xls. If
you don't know what the extension means or aren’t
anticipating the file, you shouldn't double-click on it.
A file has the
Word or Excel icon - that means it's safe, right?
Not necessarily - the only way to be sure
is to look at the file extension. It's possible to change
the displayed icon for a given file, and it's very common
that a virus will use a "trusted" file extension (like
doc) but then have the executable extension afterward
(like exe or scr). (e.g. account.doc.exe)
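As an added example (not ABC Association's mail filter and not from the FAQ's author), here is the attachment policy from the last several answers written out in Python: the extension block list is applied to the last extension only, so "account.doc.exe" is treated as the .exe it really is and is also called out as a disguise; ZIP files are allowed but every file inside is handed to the scanner, as the FAQ says. The scanner, its marker string and the sample attachments are constructed stand-ins.

```python
# Added example, not ABC Association's mail filter. Applies the FAQ's
# extension block list to an attachment the way the text describes:
# blocked extensions are dropped outright, "account.doc.exe"-style
# double extensions are called out, and the members of a ZIP file are
# each handed to the virus scanner. The scanner and its marker string
# are stand-ins constructed for the example.
import io
import zipfile

# The block list from the FAQ (extensions without the leading dot).
BLOCKED = set("""ad ade adp asd asf asp asx bas bat bin cab ceo chm cmd com
cpl dll enc exe hlp hta hto inf ins isp js jse lnk mda mdt mdw mdz msc msi
msp mst nws ocx ops pif prf reg scf scr sct shb shm shs vb vbe vbs vbx vsd
vss vst vsw vxd ws wsc wsf wsh""".split())

# Extensions a virus likes to show off just before the real one.
TRUSTED_LOOKING = {"doc", "xls", "ppt", "txt", "pdf", "jpg", "gif",
                   "htm", "html", "mp3", "avi"}

# Constructed stand-in for a virus signature; a real scanner goes here.
MARKER = b"CONSTRUCTED-VIRUS-MARKER"


def toy_scan(data):
    """Stand-in anti-virus scan: names of patterns found (empty = clean)."""
    return ["Constructed.Test"] if MARKER in data else []


def real_extension(filename):
    """Windows acts on the LAST extension, so 'account.doc.exe' is an .exe
    no matter which icon it shows or what comes before it."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_disguised(filename):
    """True for names like 'account.doc.exe': a trusted-looking extension
    sitting just before the real, blocked one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in BLOCKED and parts[-2] in TRUSTED_LOOKING


def check_attachment(filename, data, scan=toy_scan):
    """Reasons to delete the e-mail carrying this attachment; empty = allow."""
    reasons = []
    ext = real_extension(filename)
    if ext in BLOCKED:
        reasons.append("blocked extension ." + ext + ": " + filename)
        if is_disguised(filename):
            reasons.append("double extension, probably disguised: " + filename)
    elif ext == "zip":
        # Policy: executables inside a ZIP are allowed, but every member
        # is scanned. A "ZIP" that will not open is treated as suspect.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    for hit in scan(archive.read(member)):
                        reasons.append("virus " + hit + " in " + filename + ":" + member)
        except zipfile.BadZipFile:
            reasons.append("corrupt or fake ZIP: " + filename)
    else:
        for hit in scan(data):
            reasons.append("virus " + hit + " in " + filename)
    return reasons


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [
        ("report.doc", b"plain document"),
        ("account.doc.exe", b"MZ program"),
        ("tool.zip", make_zip({"tool.exe": b"MZ clean utility"})),
        ("tool.zip", make_zip({"tool.exe": b"MZ" + MARKER})),
        ("notes.zip", b"this is not a zip file"),
    ]:
        print(name, "->", check_attachment(name, data) or "allowed")
```

Note that the decision rests on the file name and the bytes, never on the icon, which is the point of the answer above: the icon is whatever the sender chose to show.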
If I get a Word
or Excel document, but am wary of opening it, what should
I do to be safe?
First, you can always check with IT and
we'll help you verify that it's safe. Also, if you save
the document to your computer, then open Word or Excel
first and use the File/Open method, the file is opened by
Word or Excel rather than by whatever program its real
extension points to, so a disguised executable cannot run
(any macros are still subject to the macro warning
described above).
I got an e-mail
saying that I had account information in the attached ZIP
file. What should I do?
Unless you specifically requested and were
expecting this file, you should probably delete the entire
e-mail as it is most likely a virus or scam.
I got a new mail
notification message, but don't see any new e-mail. Why
is this?[12]
The most common reason is that an e-mail
came in that had a virus, but the system deleted it which
does not clear the notification. This is an annoyance for
those of you getting lots of these messages. When we
implement the new virus scanning service defined above,
this problem will be resolved. I'm also looking for
another way to stop this behavior in the meantime. I get
notifications of all of the viruses that are caught so if
this happens note the time it happened and check with me,
and I can see if we have a corresponding virus warning.
Otherwise, it may mean that you have a
rule set to move certain e-mails to a different folder
based on the content, sender or subject.
I got an
auto-reply e-mail saying I sent someone a virus. Did I
really send them a virus?
If the notification came to your ABC
Association e-mail address, and looks like it was
automatically generated by a firewall or scanning
system, then you probably did not. The current viruses
are very clever and when they are sent, mask the true
identity of where they came from. Chances are that
someone who has you in their address book is actually the
person that was infected, and the virus randomly picked
your address to display as the "sent from" address. The
message will usually say what the file was that was
infected - and if it has an executable extension (exe,
com, pif, scr, vbs and many others) you can be sure that
it didn't come from our network - our mail system deletes
any e-mail with these types of files whether they are
coming in or going out.
If you are using a laptop and have
connected to an unsecured network (home high speed without
firewall or hotel network as an example) recently prior to
getting the message, there's a slight chance that it could
be legitimate, so you should check with me.
How can I be
sure I didn't send one?[13]
You can't, so please feel free to send
them to me to look at with you. HOWEVER it would be very
helpful if you would look at the message first and see if
you can figure this out on your own, or at least learn to
recognize the common extensions I listed above. We get
hundreds of these notifications every day, so I need your
help to screen them out. Most of the notifications say
the same thing, or have the same subject line - if you
keep sending me the same message over and over again, I'll
get pretty grumpy.
What if I get a
call or a personalized e-mail saying I sent a virus?
In these cases let me know right away.
I'll contact that person's IT department (if they have
one) and work with them to determine where the virus
really came from and address the issue accordingly.
I got an e-mail
saying my message bounced from someone, but I didn't send
them any e-mail. Could this be related to a virus? What
should I do?
These are called Non Delivery Reports (NDRs),
and yes, this is possibly the result of someone sending a
virus out (spoofing your address as described previously)
to an address that doesn't exist any more, resulting in a
bounce message coming to you. Misdirected bounces of this
kind are sometimes called "backscatter." If you did not
send this person an e-mail recently, you can just delete
these messages.
I get a lot of
these NDRs, can't you stop them?
We can block NDR messages, however they
have a legitimate purpose - if you sent someone an e-mail
but mistyped their address, or their mail server was down,
it's good to get the "bounce" messages. Unfortunately our
mail system can only block or allow them all - it has no
way to tell the different causes of NDRs apart.
Can you tell
where a virus or Spam message really came from?
Yes, an experienced IT person can look at
the message headers (the "Received:" lines that each mail
server adds as it passes the message along) and usually
discover the true source, since the "From:" line is easy
to forge but the entry point recorded by our own server
is not. With hundreds or thousands of viruses and spam
messages coming to organizations every day, though, few
people try. When we do contact organizations to tell them
that they really did send us a virus, IT people routinely
deny it (and then go quietly fix the problem before their
bosses find out). When our system detects a virus, we
simply delete the entire message now.
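As an added example (not ABC Association's tooling, and not from the FAQ's author), the Python below does what the answer above describes: it reads the "Received:" lines, walks down from the top while the receiving server is one of ours, stops at the first outside address, and compares that with the "From:" line. This also explains the earlier answer about auto-replies saying you sent a virus. The message, the server names and the addresses are constructed; which servers count as "ours" is an assumption set at the top.

```python
# Added example, not ABC Association's tooling: read the Received: lines
# of a message to find where it really entered our mail system, instead
# of trusting the easily forged From: line. The message, host names and
# addresses are constructed for the example (10.0.0.0/8 is a private
# range, 203.0.113.0/24 is reserved for documentation).
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: our own mail servers. Lines they wrote can be trusted; lines
# below the last one they wrote may have been forged by the sender.
OUR_HOSTS = {"exchange.abc-association.example", "mail.abc-association.example"}
OUR_IPS = {"10.0.0.5", "10.0.0.6"}
OUR_DOMAIN = "abc-association.example"

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

# Constructed message. From: claims a colleague, but our own server
# recorded the message arriving from an outside address. The bottom
# Received: line was planted by the sender to look like an inside origin.
RAW = """\
Received: from mail.abc-association.example (mail.abc-association.example [10.0.0.5])
\tby exchange.abc-association.example with ESMTP; Mon, 1 Mar 2004 09:02:11 -0500
Received: from yahoo.com (unknown [203.0.113.77])
\tby mail.abc-association.example with SMTP; Mon, 1 Mar 2004 09:02:09 -0500
Received: from jane-pc (jane-pc [10.0.0.99])
\tby yahoo.com with SMTP; Mon, 1 Mar 2004 09:01:58 -0500
From: "Jane Doe" <jane@abc-association.example>
To: staff@abc-association.example
Subject: Re: your document

See the attached file.
"""


def hops(raw):
    """(from_ip, by_host) for each Received: line, most recent first.
    Each server prepends its own line, so the top line is our last server."""
    msg = message_from_string(raw)
    out = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        ip = IP_RE.search(flat)
        by = BY_RE.search(flat)
        out.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return out


def entry_point(raw):
    """IP the message came from when it first reached one of our servers.
    Walk down from the top while the receiving server is ours; the first
    'from' address that is not ours is the real source. Anything below
    that was written by outsiders and cannot be trusted. None means the
    message never left our own servers (or no line can be trusted)."""
    for from_ip, by_host in hops(raw):
        if by_host not in OUR_HOSTS:
            return None                         # ran out of trustworthy lines
        if from_ip not in OUR_IPS:
            return from_ip
    return None


def claimed_sender(raw):
    """The address on the From: line, which anyone can write."""
    return parseaddr(message_from_string(raw)["From"])[1].lower()


def looks_spoofed(raw):
    """True when From: names one of our users but the message entered
    from outside: the classic 'you sent me a virus' false alarm."""
    entry = entry_point(raw)
    return entry is not None and claimed_sender(raw).endswith("@" + OUR_DOMAIN)


if __name__ == "__main__":
    print("claimed sender:", claimed_sender(RAW))
    print("really entered from:", entry_point(RAW))
    print("spoofed:", looks_spoofed(RAW))
```

A legitimate message from a staff laptop on a hotel or home network would also show an outside entry point, which is exactly the case the earlier answer says to check with IT about.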
I have a
question that wasn’t answered in this FAQ – what should I
do?
Send me the question and I’ll answer it
and add it to the list.
[1] Systems in
place at other organizations will vary.
[2] This is for
the Symantec Antivirus Corporate Edition used at ABC
Association. Other networks may or may not display
this icon, or the icon could be different for other
anti-virus applications.
[3] Not all
organizations have firewalls, and those that do may not
have the same level of protection that we have. Our external access
is very limited, therefore we can have a very
restrictive access policy. Also, not all
organizations apply the Microsoft patches as
aggressively as we do.
[4] These plans
are unique to ABC Association but reflect common
security practices that should be considered at other
organizations.
[5] Not all IT
people subscribe to this approach. We feel this is
the safest approach. Also, we have the ability to
quickly replace the operating system on an infected
computer via disk imaging, so this is not a time
consuming approach.
[6] Not all
organizations require this, although they should.
[7] Not all
organizations block e-mails based on file extensions.
Also, some organizations take precautions to the other
extreme and do not permit ZIP files. Not all
antivirus applications detect malicious web scripts,
and some organizations do not allow any web scripts.
[8] Not all
organizations block e-mails based on extensions.
Those that do may warn the recipient or sender. In
our experience these are rarely legitimate attempts to
send information and just create additional e-mail
that bounces.
[9] This list
is not an authoritative list, but is commonly used by
many organizations. Some organizations do not block
files based on extensions.
[10] Some
organizations notify the sender. Again, we believe
most of these are not legitimate e-mails, and sending
warnings simply creates large numbers of bounce
messages.
[11] Not all
organizations are protected from Macro viruses.
Organizations with Office 95 or 97 are particularly
vulnerable to these viruses.
[12] Not all
antivirus solutions cause this problem and it is
unique to Outlook.
[13] If you
don’t work at ABC Association, please don’t ask me to
look at these for you (unless you suspect someone at
ABC Association sent you the e-mail). Please check
with your own IT department.
Source: George
Breeden, Techno
Prophet - This site is a
non-commercial forum for free-exchange of technology
information for people who work for or directly support
non-profits. Adapted with permission. For restrictions on
the use of this document, see the Techno Prophets website.
Information in these
FAQs is current as of March 2004.