May 22, 2000
By Karen Kenworthy
Sorry you couldn't make it to my nephew Daniel's graduation ceremony. It was very moving. His Mom and Dad went onstage with him, and his Dad presented Daniel's diploma. Daniel gave his Mom a hug, and a rose. All the while we heard a recording made by his Mom and Dad. In it they told Daniel how much they love him, and how proud they are of him. There wasn't a dry eye in the house. Well, not in our family's section of the auditorium anyway. :)
Tale of Two Outlooks
When I got back to work I discovered the "Love Bug" is still a hot topic. Most likely a kid's malicious prank, this virus erases certain types of files on every computer where it finds a home. It spreads itself to other computers via e-mail.
The bits were scarcely dry on last week's newsletter when I received a note from reader Doug Knox. He cited a sentence I'd written, "It also e-mails copies of itself to everyone in your Outlook or Outlook Express address book," then added:
"This information is wrong. Outlook Express does not support the MAPI commands that the worm uses to send e-mail. Their system can still be infected, but it will not propagate from a computer running OE as its mail client. Of course, if Outlook is installed on the same machine, the virus can spread from there, but it will not on a machine that only has Outlook Express."
Oops! Doug's exactly right. MAPI stands for Mail Application Program Interface. It provides a standard way for programs to control e-mail clients such as Microsoft's Outlook. The Love Bug took advantage of this feature and ordered Outlook to e-mail copies of the virus to everyone in the victim's e-mail address book. But Outlook's free little brother, Outlook Express, doesn't support MAPI and can't spread the Love Bug virus.
We also talked a bit last week about "executable" files, files that contain programs. Double-click or open one of these files and something will happen. And it might not be something nice.
I mentioned 11 types of files, including the common .EXE file (used to store most Windows applications), and .VBS (a Visual Basic Script file, like the one used to store and spread the Love Bug virus). I also pointed out a few types of files that don't contain programs, but which still might do harm. These included .REG (REGistry files) which, when double-clicked, are immediately copied to the Windows Registry.
Not to be outdone, last week Microsoft published its own list of files which "can execute malicious code." Bill Gates is so competitive <grin>. Naturally, the list includes all the types of files I mentioned, plus a few more (see http://officeupdate.microsoft.com/2000/articles/out2ksecFileTypes.htm).
Most of the added files aren't dangerous in and of themselves. To do harm, they need the help of other files or Web sites. Microsoft placed, for example, .URL files (shortcuts to Internet locations) on its list. Double-click such a file, and your Web browser is automatically launched, and directed to a particular Web or FTP site. Whether this causes harm, or is simply convenient, depends on the site being visited.
Other files on Microsoft's list are used to store program fragments -- portions of computer programs. These fragments can't run by themselves. Double-click one and you'll simply see an error message. But the instructions stored in these files are sometimes executed by other programs, making the fragments potentially dangerous. In this category Microsoft includes .WSC and .SCT files, both used to store Windows Scripting Components.
But Microsoft's list does not include several much more common types of executable files. Among the missing are .DLL (Dynamic Link Library), .OCX (ActiveX Control), and .DRV (Windows Driver). Like the Windows Scripting Component files, these files contain only fragments of programs. But many are widely used. Some are even parts of Windows itself.
But whether you think Microsoft's list of dangerous files is too long, or too short, there's no doubt it'll soon be important. That's because new versions of Outlook and Outlook Express will be released a few days from now. These versions won't allow us to open any file attached to an e-mail message, if the type of the file appears on Microsoft's list.
As a result, users of Microsoft's e-mail programs will no longer be able to easily receive those types of files via e-mail. Temporarily changing a file's extension before sending, or storing it within some other type of file (such as a .ZIP archive file) will probably fool the e-mail inspector. But these tricks are a nuisance at best, and have their own potential problems at worst. And there's no guarantee the e-mail programs will forever be fooled this easily.
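The extension check described above, and the reason a renamed or zipped file gets past a check of the outer name alone, as an added Python example (not code from this newsletter or from Outlook). The extension set holds only the types named in this issue, and `inspect_attachment`, `make_zip` and the sample attachments are constructed for illustration.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Only the extensions named in this issue; Microsoft's full list is longer.
RISKY = {".exe", ".vbs", ".reg", ".url", ".wsc", ".sct", ".dll", ".ocx", ".drv"}

def risky_name(name):
    """True if the final extension is on the list, ignoring case."""
    # Windows drops trailing dots and spaces, so "card.vbs. " opens as .vbs.
    return PureWindowsPath(name.rstrip(". ")).suffix.lower() in RISKY

def inspect_attachment(name, data):
    """Return the reasons to block an attachment; an empty list means none."""
    reasons = []
    if risky_name(name):
        reasons.append(f"extension of {name}")
    elif data[:2] == b"MZ":
        # Renamed .EXE/.DLL/.OCX files keep their "MZ" header. Scripts such as
        # .VBS are plain text and have no signature, so a rename hides them.
        reasons.append(f"{name} has an executable header")
    if zipfile.is_zipfile(io.BytesIO(data)):
        # Look at member names too; nested archives are not opened here.
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                if risky_name(member):
                    reasons.append(f"archive member {member}")
    return reasons

def make_zip(members):
    """Build a small in-memory ZIP for the constructed samples below."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for member, body in members.items():
            archive.writestr(member, body)
    return buffer.getvalue()

if __name__ == "__main__":
    samples = {  # constructed attachments, not real mail
        "notes.txt": b"hello",
        "Greeting.VBS": b"MsgBox 1",
        "card.txt": b"MZ\x90\x00",
        "cards.zip": make_zip({"readme.txt": "hi", "docs/card.exe": "MZ"}),
    }
    for name, data in samples.items():
        print(name, inspect_attachment(name, data) or "allowed")
```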
Will other e-mail programs follow suit? They will if this new security feature proves popular. This change, plus a few others Microsoft has planned, will make it much harder for a virus like the Love Bug to thrive. My guess is that for most people, this will prove a good trade-off of security for convenience.
But a lot of folks have gotten used to the freedom to send and receive any type of file via e-mail. Usually, they've taken appropriate precautions when receiving unknown or suspicious files. For them, the trade-off may be a poor one. For companies that produce e-mail greeting cards, or distribute other types of software via e-mail, it could be an impoverishing trade-off too. :(
All this talk about executable files got me to thinking about our Directory Printer program. As you may remember, this little utility can print a list of files found in a directory or on a drive. Along with each file's name, it can print other useful information such as the file's size, and when the file was last modified.
It can even print the file's attributes, shown as a string of four characters. If the letter R appears in the file's attribute string, the file is Read-only. An H indicates the file is Hidden, while the letter S signals a System file. If the letter A, for Archive-able, appears in the string, the file needs to be backed up. Attributes that don't apply to a particular file are replaced by a hyphen ("-"). So, for example, an attribute string of "RH--" indicates a file is Read-only and Hidden, but not a System or Archive-able file.
Unix, and some other operating systems, maintain another file attribute, indicating whether a file is executable. Windows uses the filename extension for this purpose, but as we've seen this makes it hard to tell exactly what a file can do.
To clear up some of the confusion, I've taught the Directory Printer a new trick. It now recognizes all the types of files on Microsoft's list, plus .DLL, .OCX, and a few others Microsoft forgot. When it spots such a file, it adds the letter "X" to the file's attribute string. So, for example, if a file is a Read-only Hidden file, and executable, the attribute string will be RH-X.
The Directory Printer also sports a new checkbox on its main window. Check this box, labeled "Highlight Executable Files," and the names of all executable files will be printed in a special way. In most cases, their names will appear in bold plus italic. But if you've selected either font attribute for the entire report (via the program's Select Font button), then that attribute will be disabled when printing an executable file's name.
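A directory listing that flags executable file types in the attribute string, as an added Python example (not the Directory Printer's Visual Basic source). It assumes the X is appended after the R, H, S and A positions, uses only the extensions named in this issue, and reads attributes as unset on systems other than Windows; `attribute_string` and `list_directory` are names chosen here.

```python
import os
import stat

# Only the extensions named in this issue; the program's own list is longer.
EXECUTABLE_EXTS = {".exe", ".vbs", ".reg", ".url", ".wsc", ".sct",
                   ".dll", ".ocx", ".drv"}

# Letter for each attribute bit, in the order the newsletter describes.
FLAGS = [
    ("R", stat.FILE_ATTRIBUTE_READONLY),
    ("H", stat.FILE_ATTRIBUTE_HIDDEN),
    ("S", stat.FILE_ATTRIBUTE_SYSTEM),
    ("A", stat.FILE_ATTRIBUTE_ARCHIVE),
]

def attribute_string(file_attrs, name):
    """Build the R/H/S/A string and append X for an executable file type."""
    text = "".join(letter if file_attrs & bit else "-" for letter, bit in FLAGS)
    # Compare the final extension only, without case or trailing dots/spaces.
    extension = os.path.splitext(name.rstrip(". "))[1].lower()
    return text + ("X" if extension in EXECUTABLE_EXTS else "")

def list_directory(path):
    """Return (name, size, attributes) for each regular file, sorted by name."""
    rows = []
    with os.scandir(path) as entries:
        for entry in sorted(entries, key=lambda e: e.name.lower()):
            if not entry.is_file(follow_symlinks=False):
                continue
            info = entry.stat(follow_symlinks=False)
            # st_file_attributes exists only on Windows; elsewhere use 0.
            attrs = getattr(info, "st_file_attributes", 0)
            rows.append((entry.name, info.st_size,
                         attribute_string(attrs, entry.name)))
    return rows

if __name__ == "__main__":
    for name, size, attrs in list_directory("."):
        print(f"{attrs:<6}{size:>12}  {name}")
```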
You can download the latest Directory Printer, version 2.6, from my Web site at https://www.karenware.com/powertools/ptdirprn. While there, you can also download the program's Visual Basic source code. As always, both are free.
And if you get a chance, come by and see lovely Monica's High School graduation ceremony this weekend. It's sure to be as special as Daniel's. If you can make it, look me up afterwards and we'll talk. If you can't get by, keep looking for me on the Internet. If you see me there, be sure to wave and say "Hi!"