Discussion on:

Virus alert! You can now get infected by opening an e-mail

its a good idea not to set the email program to automatically do a preview of the message when you click on the header on the list in the inbox.

also, what has worked for me is to have multiple email accounts, each tied to a particular service, ie bank accounts, credit cards, utilities, etc... now a days, there is no limit as to how many email accounts people can have. so why not take advantage of it and set up a system.

in my system, if i see an email header in my hotmail inbox that looks like it pertains to the bank, but i had actually set up my bank account with an email address via my isp email account, then its easy to see that the message in the hotmail can be unquestionably deleted.

Hi Tuan, I really enjoy your posts. I'm on a Mac, and imagine they're immune to this exploit, which I imagine takes advantage of Windows XP...but was wondering if you would provide more details so that I can properly protect my data. Thanks, Zachary

@zcochran88

HTML e-mails function like mini web pages, so turning them on is akin to visiting a malicious web site. The javascript is exploited to download the virus to your computer. I found some instructions from SecurityNewsDaily on how Apple users can prevent getting infected:

"Apple Mail users can block loading of images hosted on remote Web servers by going to Preferences > Viewing > uncheck Display remote images in HTML messages, which would theoretically block a remote JavaScript-directed download. (The malicious message that Eleven found affects Windows PCs only.)"

Great. Thanks!

But seriously, this is old news. If your system is regularly patched, you use filtering, and do not open anything that comes from sources unknown or is otherwise suspicious, you're odds of infection are relatively low.

Seriously, it's this possibility that resulted in me disabling the preview pane in Outlook Express back in my Windows 98 days. A security reminder is nice and appropriate, making it sound like you found some new thing is NOT.

I distinctly remember removing the prieview pane from Outlook 98 and disabling VBA to prevent this sort of nonsense.

Does it hit with webmail or only mail clients?

That said, I need to check that JavaScript is disabled in my e-mail client. . .

Ok, now that PayPal has made email statements MANDATORY or they suspend your account as of this month, how do we know it's really from PayPal without opening it first?

Their new policy says that when they send email, it constitutes a legally binding contract. They recommend you log in to PayPal directly, not by email link, if you're nervous. But if merely OPENING an email exposes you, then what?

Stop using PayPal, I guess? Hard, since they have monopolized eBay.

If you use POP E-mail, just open the item in the "Message source" view, available in one way or another in nearly all POP E-mail programs. The item is then opened in Notepad, which displays text only and cannot execute any embedded malware. You can also read the full header, this way.

If you use Webmail, check with your service provider to see if they filter such stuff or provide a "view source" mode.

This is old, but sound advice, stuff every techie ought to know.

This is overwhelmingly scarey for some of us who are self taught the computer. Maybe I should monitor a middleschool class or something.
I haven't used Pay Pal for awhile, I always got phised. I'd call my son the geek and ask him what to do. Is this worse than whst it was?
Thanks for writing this post. Atad over my my head to digest in one sitting. Malika Bourne

The problem comes from automatic program execution (autoexecute). This has always been a Microsoft Feature. That's what makes viruses work, it's also what makes Microsoft Update work. Without Automatic Execution (which has been in Microsoft OS versions since at least DOS 2) much of the Microsoft ecosystem would not work. Computer viruses simply use the existing Microsoft ecosystem.

For defense, First, abandon Outlook.

Second, turn off HTML preview in email. Text only is the only safe way. ASP, C#, Java, JavaScript are all used, as is Visual Basic. Even Adobe pictures can have scripts buried in them. This is part of Flash. And YES, Flash autoexecutes the scripts. None of the above systems should be considered safe. Nor can most macro's be trusted. There are thousands of Word and Excel malware macros around. If you open up an infected document, then your computer is also infected. This problem is not unique to Microsoft. All programs with Macro languages that will autoexecute are vulnerable. In your programs, if there is a feature to enable macros to execute automatically when the document opens, TURN IT OFF!

Third, Learn to look in the text files for these languages. All viruses have a program text file, usually with a block of what look like random charactors. The random looking charactors are the machine code for the Virus, but it is loaded and started by the MSBasic/.Net/JavaScript/etc.

Look also for any .exe file in the attachments. having the .exe extension marks it as a program to Windows.

Of course a better solution is to go to the Unix world, where marking a program as executable is done by the OS separately from the naming conventions. OSX is a better choice than Windows for this. Linux is better than OSX. Fanboys will disagree with both statements, but they are true and have been shown so by serious research. There are also special versions of Unix and Linux that are even harder to compromise. But remember that the more secure a system is, the harder it is to use it. Microsoft is vulnerable because they try to make the computer make your life easier. The OS doesn't know if the request comes from you, from a trusted vendor you are using (such as MS Office, or Adobe Photoshop) or from a criminal gang (Malware).

Antivirus software can provide limited protection, but Malware often targets the Antivirus software as a way of spreading. But Antivirus is often also a source of 'bugs'. All software has 'bugs'.

Malware writers look for the bugs to exploit. Historically, Windows has both the most bugs, and the most users. Especially, the most untrained users. Thus, to the Malware people (Press calls them 'hackers', People who write software that is not intended to be commercial. they are really 'Crackers', people who want to crack your computers protection, like a breaking the shell of a nut, and steal from you.) Windows offers both the easiest pickings and the most targets on the market.

If you can survive a transition to OSX (Apple) or even better to Linux, then you will be more protected. But if you HAVE to use something exclusive to Windows, then at least adopt the latest version of Windows. Windows 7 and the preview versions of Windows 8 have adopted about half of the common Unix criteria which Linux uses for system protection. Apple is a little further along than Windows in this regard.

No system can be totally safe, but there are things that you can do to help protect yourself. Look at first and Second above as more important than the Antivirus, but if you are using windows, then you need the Antivirus too. Antivirus is less important for OSX and Linux, but many Linux systems have Antivirus installed, just to remove the Windows virii that are so prevalent.

even with all that, if you have good habits, you can protect yourself.

I hope this helps you. It is really a very complex subject.

I use Yahoo mail, which does filter HTML. I also do my browsing in Firefox with NoScript, which blocks JavaScript from executing unless I authorize it. I don't think I have anything to worry about.