
GIVING OUTLOOK EXPRESS 'SOMETHING FOR THE WEEKEND'

by Brian Grainger: brian@grainger1.freeserve.co.uk


 

This article started life when I began editing Ken's contribution to this E-Journal, in particular his comments against Internet Explorer (IE) and Outlook Express (OE) with regard to the 'I Love You' virus (ILY). I kept wanting to make editorial comments - so many that I thought it would be better to write a separate article, especially as OE users will need to know how to protect themselves against viruses.

I agree with Ken when he says that cultural diversity will stop the spread of viruses. However, I take issue with a lot of his thoughts, and with those of other commentators in the press, regarding viruses and the part played by Microsoft software. Cultural diversity is a nice thing but there are advantages in a mono-culture as well. A standard platform has fuelled the explosive growth in the usage of personal computers and the services provided by them. Developing for one rather than, say, 3 platforms reduces development time by at least 50%, I would suggest. Interconnectivity is greatly enhanced by standardisation. Why do we accept the IP standard, which has helped fuel the Internet revolution, without comment but get upset about the standard Wintel platform?

Apart from preaching diversity, Ken and others have suggested that Microsoft is to blame because OE is full of security holes. There are some holes BUT the ILY virus does not exploit them! There are far more serious viruses than ILY and yet not much attention has been paid to them. More of that later. The problems caused by ILY could have been prevented with the version of OE supplied now. If commentators would actually refrain from blaming Microsoft and spend the time understanding the basics of the software they could benefit the community a lot. Such commentators are like the newbies in the 'focus group'. They do not know how to set OE up so it DOES warn you about some of the nasty things in life. I dislike software that thinks it knows what I want to do, which is where all MS stuff is going, but I have not noticed this approach so much in OE. Word 97 is another story.

Ken suggests IE and OE are foisted upon the punter. They are not. The choice to obtain Netscape, or Opera or other browsers exists. One way or another the punter chooses to go with Uncle Bill. Admittedly, most ISP CD-ROMs are based on IE and OE but I would suggest there is good reason for this. Whatever is wrong with MS software, it cannot be denied that it is very easy to set up automatically. MS also allowed customers to brand IE, something that Netscape did not do as far as I am aware. Software that is difficult to install for newbies, like OS/2 or even Netscape, is only going to have a niche market. For these reasons the ISPs are bound to go for IE and OE. The market has to cater for the newbies to get sufficient size. What would bother me would be if we were all forced to use newbie software. Ken can be grateful he has Netscape and Eudora so he can do his own thing but you cannot expect newbies to use them. They would simply give up trying to set them up.

I have to correct a specific error that Ken made. His assertion that a machine needs Visual Basic to propagate the ILY virus is wrong. The virus is held in a .vbs file. My machine does not have VB and yet .vbs files are executed with wscript.exe, which is a file that comes with Windows 98 (or maybe IE/OE which is all integrated with Windows 98).

Some commentators have suggested that scripting is the reason for viruses so scripting should not be allowed in Windows! That is as daft as saying that networks enable the propagation of viruses so we should ban networking! Although end users may not use scripting it is a quite powerful tool that can be used by the professional to provide ease of use to end users. Once again, the commentators do not understand what they are talking about.

Others have suggested that viruses are caused by attachments so we should not allow attachments. I have a feeling that this course will be followed by a lot of corporate business. I will be interested in seeing how this policy fares when the MD of Big Corps wants to receive the latest sales figures from the regional offices and they are all in Excel spreadsheets! The attachment capability is one of the benefits of e-mail over snail mail.

Nobody has blamed the end user for virus propagation. They do play a part. Some IT departments have reported that even when users have been told not to open the ILY attachment they still do it!

Many, including Ken, have said that OE is the cause so it should be altered. After 'I Love You', MS have succumbed to this view and have now decided to release an OE update. I just read some news about this at the time of writing. The patch reported is for Outlook 2000. Does that mean other Outlook users will not get it? Apparently the patch prevents users from accessing certain file attachments. In addition it stops some e-mails being sent without consent and finally it increases security settings. Gartner Group research thinks the patch has been rushed and that the implications have not been thought through. One problem appears to be that you can add to the list of attachment types that can be accessed, but you cannot remove items from the list. Curiously, MS Office attachments, which were the source of Melissa, are not on the list. I must stress I have only just seen this report at the time of writing so I do not fully understand the mechanism of the patch. However, OE users can already protect themselves against ILY type viruses and I will describe how after a quick discussion of the virus itself.

THE 'I LOVE YOU' VIRUS

Last year there was a virus called Melissa which was included as a macro in a Microsoft Word attachment. It was the macro programming language that was the tool for replication. ILY is similar except it uses the Visual BASIC scripting (VBS) language instead of the macro language. This enables it to replicate much better than Melissa. Melissa would only replicate on machines which could execute the macro language, namely those with Microsoft Word. ILY will replicate on machines which can execute the VBS language. This means any machine with Windows 98 or later since the file WSCRIPT.EXE on these machines will execute .vbs files. On my Windows 95 Release 950 with IE4 .vbs files cannot be executed.

ILY uses VBS to replicate itself to all addresses in the OE Address Book. Within a corporation it will also copy to organisational subgroups set up within the e-mail system. This copying process and the consequent increased traffic was the cause of the breakdown of business e-mail systems by ILY.

There are, at the time of writing, 26 variants of ILY according to F-Secure (http://www.fsecure.com/v-descs/love.htm). The payloads vary between variants, but some of the things they do are:

  • Replace certain file types (e.g. MP3, JPG and many others, dependent on variant) with new files containing the virus. Sometimes the filename is changed by adding .vbs to the existing filename and extension.
  • Modify win32.dll so the virus takes effect on boot up.
  • Alter the registry to run files at startup which will initialise the virus.
  • Create an HTML file which will propagate via Internet Relay Chat.
  • Modify the IE Home page to point to a program which purports to fix the problem. It doesn't. A variant points to an Adult site.

HOW TO PROTECT AGAINST VBS VIRUSES

Infection with ILY depends on opening the .vbs attachment that comes with the original e-mail. If you do not open it you will not get infected. As mentioned above, telling someone not to open a .vbs attachment can be a pointless exercise. When you do open it you will, on my Windows 98 IE4 SP2 machine anyway, be given a warning:

Some files can contain viruses or otherwise be harmful to your computer. It is important to be certain that this file is from a trustworthy source. What do you want to do with the file?

Options given are Open or Save to disk. If you simply click Cancel to close the dialog box and delete the message then again you will not get infected. Again, human nature is to ignore the warnings!

The only sure way is to ensure .vbs files CANNOT be downloaded, and this can be done as follows. (I am assuming IE4 here. IE5 has the capability but the menus and options chosen may vary from those given below.)

  • Open Outlook Express
  • Select Options from the Tools menu
  • Select the Security tab
  • In the Zone box select Internet Zone and click the Settings button
  • Click OK to the warning message
  • Set the Security level for this zone to High
  • Click OK
  • Click OK

Note: When I tested the above procedure I found that .vbs files already downloaded to the PC will execute from within OE. I can only assume that the fix will only stop the .vbs files being downloaded from the internet or mail server. I cannot test this as my mail server has blocked the sending of .vbs files!

Another alternative which stops .vbs script files from executing by double clicking them is to remove the association with wscript.exe. This can be done as follows:

  • Open Windows Explorer
  • Select Folder options from the View Menu
  • Select the File Types tab
  • From the list of Registered File Types select VBScript Script File
  • Click the Remove Button
  • When the Are you Sure? Dialog appears click OK

This is probably the best way to solve the problem as it will still allow script files to be executed in legitimate circumstances. However it only deals with viruses using VBS script to propagate.

The most drastic option is to remove wscript.exe and then there will be nothing to execute script files. To do this use Add/Remove Programs in Control Panel to alter the Windows setup. Look for the Windows Scripting Host component under Accessories and remove it.
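
The note above mentions a mail server that refuses to pass .vbs files. The following Python code is an added illustration of that kind of name-based attachment screening; it is not part of the original article or any particular mail server's code, and the extension list beyond .vbs, the function names and the sample message are assumptions constructed for the example.

```python
# Added example (not from the article): name-based screening of mail attachments.
from email import message_from_string, policy
from email.message import EmailMessage

# Assumption: extensions Windows Script Host will run; the article names only .vbs.
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def classify_attachment(filename):
    """Return 'block-double-ext', 'block' or 'allow' for one attachment name."""
    # Windows ignores trailing dots and spaces in file names, so drop them first.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or "." + parts[-1] not in WSH_EXTENSIONS:
        return "allow"
    # name.ext.vbs is the renaming pattern the article lists among the payloads.
    return "block-double-ext" if len(parts) > 2 else "block"


def scan_message(raw):
    """Return [(filename, verdict)] for every named part of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():  # walk() also reaches inline and nested parts
        filename = part.get_filename()
        if filename:
            results.append((filename, classify_attachment(filename)))
    return results


def build_sample():
    """Constructed test message: one script attachment, one spreadsheet."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"' placeholder, not a real script\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="notes.txt.vbs")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="vnd.ms-excel", filename="figures.xls")
    return msg.as_string()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:18} {name}")
```

Because the decision rests on the file name alone, Office documents carrying macros, the route Melissa used, pass through unchanged.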

BUBBLE BOY AND KAK

ILY has been getting all of the publicity recently but there is a strain of viruses that replicate in a much more lethal way. Melissa and ILY rely on an attachment being opened. The viruses Bubble Boy and KAK will replicate simply by opening an e-mail, or previewing it, in OE. In other words receive the e-mail and you are infected! Bubble Boy was mentioned some time ago in the press but was rumoured to be generated in the laboratory and never appeared in the wild. KAK, however, does appear in the wild and if we are to use e-mail we must protect against such viruses. They work by exploiting a known security issue of OE. Microsoft patched the problem in IE5 version 5.01 but if you are using an earlier version, including 5.00, then you must install a patch provided by Microsoft. Rather than explain the workings of the virus here I will simply point you to two pages on the Microsoft Web site.

www.microsoft.com/technet/security/bulletin/ms99-032.asp is a security bulletin relating to the problem

www.microsoft.com/technet/security/bulletin/fq99-032.asp is a FAQ list to be read in conjunction with the bulletin.

The patch, q240308.exe, can be downloaded from various places on the Microsoft site, identified in the two papers above.

