Tools and Rules of Internet Security

Scott Spanbauer

Having been bitten by the I Love You virus, I know never to open an e-mail attachment with the file extension.vbs. I also know about the dangers of opening e-mail attachments with the extensions.exe (executable files) and.doc (Microsoft Word files with macros). But what other potentially nasty files should I never open? And are there files that are safe to open no matter what?

Frank Clark, Everett, Washington

Your letter raises many fundamental questions about the ways we use our computers and about the safety of our information.

If you were stung by the I Love You virus, you experienced one of the worst effects a virus can have: inconvenience. Whether the virus is pernicious or benign, cleaning it off your system takes time. Many viruses are capable of destroying data on your computer or stealing it from your PC, but most do neither and are written merely to prove the existence of flaws in the operating system or e-mail software they infect.

Of course, much of the flawed software comes from Microsoft, which has triggered more than one Gates basher to call for a boycott of Windows, Internet Explorer, and Outlook as a way to ensure security. Whatever the merits of this approach, the issue is not that simple, and just switching to Linux, Eudora, or Opera won't protect you from every Internet security threat that's lurking out there.

Viruses can use various means to insinuate themselves into your computer--through a floppy disk, a program copied from a different PC, or software downloaded from AOL or the Internet. Alternatively, they may be introduced via a macro or other script file that runs within a standard application such as Microsoft Word, Outlook, Netscape Navigator, or Eudora. Ordinarily, you have to take some action to start a program, macro, or script running on your computer, but many viruses trigger the application automatically. Recently e-mail viruses have turned up that launch as soon as you view the message they are embedded in--no other action is required on your part.

Although the situation may sound hopeless, it is not. You can still use the software of your choice, and you can still open e-mail attachments. Here are several basic rules that can help you protect yourself from viruses.

Use antivirus software. I generally dislike installing utilities on my computer because they conflict with other programs and the operating system itself, and they make troubleshooting much more difficult. Antivirus programs are among the worst offenders, but just the same, most people should install one and keep that program updated. Doing so will protect you from the vast majority of viruses. Skip this step at your peril. (Look for a feature on viruses and antivirus programs in next month's PC World.)

Update your software. In the last couple of years, software makers have become increasingly responsive to reports of security flaws in their software. The whole issue has moved out of the realm of obscure discussions buried in Usenet newsgroups and onto the pages of the New York Times, the Wall Street Journal, and of course, PC World's Bugs and Fixes column. These days, software vendors often post security fixes to their Web sites before a real-world threat has even materialized.

To update Netscape Navigator, select Help, Software Updates.To update Internet Explorer or Windows 98, 2000, or the new Millennium Edition (Me), choose Start, Windows Update, or cruise directly to windowsupdate.microsoft.com. This Microsoft site will determine what software versions you are currently running and will assist you in downloading and installing required updates.

Understand and use security settings. Most applications that host macro code or scripting languages have security settings that let you control when and how the scripts run. Know what those settings are and make sure they meet your security needs. In Internet Explorer, choose Tools, Internet Options, click the Security tab, and then select the Internet zone. Click the Custom Level button to browse security options, or click the Default Level button to make sure security is set to Medium. To find Netscape Navigator's security settings, choose Edit, Preferences, and then select Advanced in the Category window. Don't forget your application's macro security settings. In Word, Excel, or Outlook 2000, choose Tools, Macro, Security, and make sure your setting is at least Medium. If your Word files don't rely much on macros, choose High.

Another important security setting in Windows Explorer relates to file extensions that have been hidden on such file types as.vbs (Visual Basic script). Several Outlook e-mail attacks have tricked users into launching.vbs attachments by giving them names such as filename.jpg.vbs. Since the.vbs extension disappears, the file looks like a nonexecutable, nonscriptable.jpg image file that is safe to open. To protect yourself from this trick, open an Explorer window, choose Tools, Folder Options or View, Folder Options (depending on your version of Windows), select the View tab, remove the check from "Hide file extensions for known file types," and then click OK.

Don't launch executable or scriptable files. Executable or scriptable file types include those with.exe,.com,.bat,.xls,.doc, and.vbs extensions. Your best bet is to scan all downloaded files for viruses before running them. If an arriving e-mail contains a Word (.doc) document, assume the document will infect your system. Don't open it until your antivirus software has scanned it and declared it virus-free. Just because the document comes from your boss or your mother doesn't mean it's safe. If you want to view the contents of a file without triggering any macros it may include, open it in Notepad or Quick View. Regrettably, the Quick View utility is not included in Windows 2000 or in Windows Me, but you can buy a third-party copy of Quick View Plus 6 from Jasc Software for $49 downloaded or $59 boxed.

The major shareware sites--including PCWorld.com's Downloads--scan programs for viruses before posting them for download, and of course legitimate software vendors ensure that the applications they post to their Web sites are free of viruses. Software posted to pirate (so-called "warez") sites or newsgroups may be infected, however, and the pirated applications floating through such file-sharing systems as Napster and Gnutella must also be considered virus hazards.

Buying Information

Quick View Plus 6 $49 for download, $59 for boxed version Jasc Software 800/622-2793 http://www.jasc.com/product

Another AOL Mail Alternative

If you shouted, "Hallelujah!" when you read in the September Internet Tips column about the Netscape 6 preview release's ability to access America Online Mail accounts, you may need to curb your enthusiasm a bit. Netscape has unleashed a second preview release that's as buggy as the first and likewise remains suitable only for testing.

But rather than moping about poor commercial software development, you should rejoice. ENetBot's $20 ENetBot Mail lets you check your AOL mail from within any POP3-capable e-mail program (including Eudora, Outlook, Outlook Express, and Messenger). Once you have calmed down from all the excitement, you can download the 1.75MB, 30-day trial version of the utility from the company's Web site.

Blue Book Online

When you buy or sell a used car or motorcycle, there's only one place to find a realistic price: the Kelley Blue Book. If you can't make it to your library's reference section, zoom over to KBB.com to look up the price of new and used vehicles in your area. Also provided are reviews and tips for buyers and sellers, plus links to Web-based car dealers, financing sources, and insurance providers. A "lemon check" reports a vehicle's odometer, salvage, and major accident history based on the vehicle ID number.

Download of the Month: 1st Page 2000 2.0

Evrsoft's free 1st Page 2000 HTML editing software breaks all the molds: It supports frames, scripting, and style sheets (unlike some of its commercial counterparts), and the HTML it creates is free of the bogus tags and extra code common in most WYSIWYG editors. 1st Page 2000 (the name will be changed when it's next updated) generates standard, bug-free HTML code, and it may be the simplest way to take your Web authoring skills to the next level.

The freeware works with existing HTML files, or you can use it to start new ones that support Cascading Style Sheets and Java applets. The editor highlights tags in color and lets you insert tags from lists. Reference guides and tutorials are included for HTML 4.0, Cascading Style Sheets, and other Web technologies. Also provided are hundreds of prefabricated JavaScript, CGI, and Perl scripts to pop into your Web pages. If that's too geeky for you, an Easy mode hides advanced tools and options until you're ready for the Expert or Hardcore modes. Find the 5MB file at PCWorld.com's download library.

Send your questions and tips to nettips@spanbauer.com. We pay $50 for published items. Scott Spanbauer is a PC World contributing editor.