For the past four months, W32/Sircam@mm has topped MessageLabs' list of most active viruses, but W32/Badtrans.B@mm finally toppled it over the weekend.
W32/Badtrans.B@mm first appeared on 23 November and spread rapidly among home users in the UK on Saturday and Sunday. On Monday morning the pattern of victims changed to business users as people started work; users who opened their mail before their anti-virus software had been updated to detect Badtrans.B probably helped it along. When executed, the worm emails itself as an attachment to many addresses. The attachment name varies, but it always has a double extension: a harmless-looking document extension followed by an executable one. The worm also drops a password-stealing Trojan (a keylogger), so if your site has been infected, force users to change their passwords as a precaution, and have them do so from a machine known to be clean. If the recipient is using a vulnerable version of Microsoft Outlook or Outlook Express, the attachment executes automatically when the message is viewed or previewed; this is the MIME-header bug in Internet Explorer's rendering engine, which Outlook uses to display HTML mail. A security patch from Microsoft released on 29 March 2001 (bulletin MS01-020) fixes it.
The rapid spread of Badtrans.B was avoidable:
- Attachments with double extensions should be blocked at the mail gateway; such files are automatically suspicious. Some Unix users will want to send and receive .tar.gz files, but that can be accommodated with a slightly more complex rule that allows a short list of known compound extensions.
- Software should be kept up to date with security patches. Make sure the patches are re-applied after re-installations, e.g. when a hard disk fails, by keeping a "standard installation checklist".
- Automate your anti-virus updates, and consider the relationship between the update schedule and user activity: for example, schedule an update before users open their mailboxes on Monday morning. Systems that run all the time, such as mail servers and gateways, should of course have updates scheduled without regard for weekends and holidays.
- Instruct users to follow Safe Hex: do not open unexpected attachments, even from known senders, since a mass-mailer sends itself from the mailboxes of people you correspond with.
Any one of these would have slowed the spread of W32/Badtrans.B@mm, and of many other viruses; all of them together would be very effective. Why are people not doing the simple things to protect themselves?
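The gateway rule in the first recommendation, written out as an added example (this is not code from the original article or from any product). It blocks double-extension attachment names while allowing compound extensions such as .tar.gz, and goes slightly beyond the article in two ways that a gateway operator would want: it collapses whitespace padding, which worms of the period used to push the real extension out of view in the mail client, and it treats a dotted name component as an extension only if it looks like one, so "annual.report.doc" is not blocked. The allowlist and the sample attachment names are constructed for the example.

```python
import re

# Compound extensions that legitimately contain a dot (the .tar.gz case
# from the article). Assumed allowlist for this example; extend it per site.
ALLOWED_COMPOUND = {"tar.gz", "tar.bz2", "tar.z"}

# A name component counts as an extension only if it looks like one:
# one to four alphanumerics ("doc", "mp3", "pif"). This keeps a file
# called "annual.report.doc" from being flagged as a double extension.
EXT_RE = re.compile(r"^[a-z0-9]{1,4}$")


def split_extensions(filename):
    """Normalise an attachment name and return (stem, [extensions]).

    Extensions are returned in order and lowercased, e.g.
    "Card.DOC.pif" -> ("card", ["doc", "pif"]).
    """
    name = filename.lower()
    # Padding the name with spaces ("pictures.zip      .exe") makes a mail
    # client truncate the display before the real extension; drop all
    # whitespace before looking at the dots.
    name = re.sub(r"\s+", "", name).strip(".")
    parts = name.split(".")
    exts = []
    # Peel extension-looking components off the end, leaving at least a stem.
    while len(parts) > 1 and EXT_RE.match(parts[-1]):
        exts.insert(0, parts.pop())
    return ".".join(parts), exts


def attachment_verdict(filename):
    """Return (blocked, reason) for one attachment filename."""
    stem, exts = split_extensions(filename)
    joined = ".".join(exts)
    if len(exts) < 2:
        return False, "single or no extension"
    if joined in ALLOWED_COMPOUND:
        return False, "allowed compound extension ." + joined
    return True, "double extension ." + joined


def blocked_attachments(filenames):
    """Apply the rule to a whole message's attachment list; return the
    names the gateway should strip or quarantine."""
    return [name for name in filenames if attachment_verdict(name)[0]]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    samples = [
        "Card.DOC.pif",            # worm-style document-then-executable
        "HUMOR.MP3.scr",
        "pictures.zip      .exe",  # whitespace padding hides the .exe
        "sources.tar.gz",          # legitimate Unix tarball, allowed
        "sources.tar.gz.exe",      # executable hiding behind a tarball name
        "annual.report.doc",       # dotted stem, single extension
        "minutes.doc",
        "README",
    ]
    for name in samples:
        blocked, reason = attachment_verdict(name)
        print(f"{'BLOCK' if blocked else 'pass '}  {name!r}: {reason}")
    print("blocked:", blocked_attachments(samples))
```

The rule is deliberately name-based, because at the gateway the filename is all you have before the content scanner has a signature; pair it with a content check (the MIME Content-Type of the part, or the PE header of the decoded attachment) so that an executable renamed to a single innocent extension is also caught.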