First of all, this is only a problem for you if your computer runs the Windows operating system. If you have a Mac or run Linux, clicking the link will not cause any problems. It also didn't appear to affect computers running Windows XP with Service Pack 2 installed. Having a default browser other than Internet Explorer (such as Mozilla, Firefox, or Opera) would also likely have lessened the impact.
That being said, even if you do have XP with SP2 installed or use a different browser, it's probably wise to go through the worm removal procedure anyway.
The worm that was likely installed when you clicked the link in the PayPal message doesn't do any damage to your files, but it does install a web service and begins sending out emails (just like the one you got) that point people to your machine, which then installs the worm on their computers, and so on. The damage it does is to Internet Explorer.
If you are affiliated with the university (faculty, staff, student), you are covered by the campus site license for Sophos AntiVirus. This means you can install Sophos on your personal computer at no cost to you. It can be downloaded here: https://sitelicense.arizona.edu/sophos/.
Information and the removal procedure for the worm you likely got can be found here:
- http://www.sophos.com/virusinfo/analyses/w32bofraa.html
- http://www.sophos.com/virusinfo/analyses/w32bofrab.html
- http://www.sophos.com/virusinfo/analyses/w32bofrac.html
Following the Recovery procedures listed on any of those pages will take care of all three variants of the worm. The basic summary is: burn a CD with the Sophos CLI (Command Line Interface) and the latest IDEs installed, start your computer in Safe Mode with Command Prompt, insert the CD, navigate to your CD drive in the command prompt, and run the command-line disinfectant utility. After that procedure, you'll have to edit the registry to remove any other remnants of the worm. The links above provide further detail on how to do all of this.
It's also a good idea to install Sophos on your computer and make sure you keep it up to date with virus definitions (IDEs) in order to prevent this from happening in the future. Turning on the firewall option in Windows is another good practice for preventing these kinds of attacks. Alternatively, you can download and install Kerio Personal Firewall here: https://sitelicense.arizona.edu/kerio/kerio.shtml.
And the final bit of advice: I know it's easier said than done when you've had many successful transactions through the eBay/PayPal system (I have, myself), but it's wisest to never click direct links in email messages, particularly when the message has something to do with money. eBay is set up to let you contact sellers/buyers directly from its webpages, and it's generally best to handle any communications through that system.
If you need to check the status of a PayPal transaction, simply go straight to your browser and enter the PayPal site "by hand" rather than clicking a link. If the link is too tempting, take a moment to view the "raw source" of the email, which is usually a menu command of some sort in mail clients such as Eudora. If the code surrounding the link contains numbers (such as http://123.45.234.56/), chances are high that it's not PayPal or a bank. Those links would always include a fully-qualified domain name (https://www.paypal.com/) and absolutely should use https instead of http (that means the link is "secure" and that your information is encrypted on the resulting page). Socially engineered emails like the one that attacked us yesterday can be spotted through that kind of diligence, which doesn't take terribly long once you get the hang of it. A little paranoia goes a long way in the world of computer safety and security.
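As an added illustration (not part of Cynthia's message), here is a small Python script that applies the two tells above to the raw source of an email: a numeric host instead of a domain name, and http instead of https. It also checks a related sign the message doesn't list, visible link text that names one site while the href points somewhere else. The sample email, its IP address and its paths are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed raw HTML of a lure like the PayPal message; the IP address and paths are made up.
SAMPLE_EMAIL = """
<p>Your PayPal account needs verification. Click below to continue.</p>
<a href="http://123.45.234.56/paypal/verify.htm">https://www.paypal.com/cgi-bin/webscr</a>
<p>Or visit <a href="https://www.paypal.com/">www.paypal.com</a> directly.</p>
"""

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags in the raw source."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    # Dotted-quad host, like the http://123.45.234.56/ example in the message
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None

def check_link(href, text):
    """Return the warning signs for one link, following the heuristics in the message."""
    url, warnings = urlparse(href), []
    host = url.hostname or ""
    if is_ip_literal(host):
        warnings.append("host is a bare IP address, not a fully-qualified domain name")
    if url.scheme != "https":
        warnings.append("link uses http, not https")
    # Generalisation of the same idea: the visible text names one site, the href goes elsewhere.
    if re.fullmatch(r"(https?://)?[\w.-]+\.\w+(/\S*)?", text):
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if shown != host:
            warnings.append(f"visible text says {shown!r} but link goes to {host!r}")
    return warnings

def audit_email(raw_html):
    parser = LinkExtractor()
    parser.feed(raw_html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Running `audit_email(SAMPLE_EMAIL)` flags the first link on all three counts and passes the genuine https://www.paypal.com/ link with no warnings.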
There is also a UA site devoted to understanding computer security and best practices for keeping your computer safe that might be worth a few moments' perusal: http://security.arizona.edu/.
-Safe computing,
-Cynthia
November 10, 2004