What are computer viruses?

Before you begin, you should get a few facts straight about viruses. They are not living creatures. A virus is a program like any other, except that it copies itself into other programs: it 'infects' them. A virus cannot run by itself; to 'activate' it, you have to run a program that is already infected. To be classified as a virus, a program must be able to copy itself into another program ('replicate') by executing its own code.

This is the best definition that we have found: A computer virus is a self-replicating program containing code that explicitly copies itself and that can "infect" other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus. This comes from the comp.virus FAQ, an excellent (but lengthy) piece of information about viruses.

From all of this you might conclude that you cannot get infected simply by reading E-Mail or opening a Word document. Unfortunately, that is not entirely true. Microsoft Word has a built-in programming language, WordBasic, which is used to write macros, and some people use it to write viruses. Such a macro virus starts running as soon as an infected document is opened, so a document is no safer than a program. The same goes for E-Mail: a message that carries an executable attachment, or (as with the BubbleBoy worm described later on this page) script that your mail program runs when the message is displayed, can infect you as soon as you open it.

I think I have a virus, what do I do?

So, you think you have a virus? Maybe you don't. Many people assume they have a virus because something is wrong: the computer is slower, floppy disks can no longer be read, and so on. These are not sure signs of infection. The cause could be a hardware problem (an ageing floppy drive, for instance), a newly installed piece of software, or a change in a configuration file.

The first step in checking for a virus infection is to use a reliable virus scanner. No matter how good any one vendor claims to be, I recommend using at least two of them, because each scanner has blind spots that the other may not share. The better-known ones are (in ALPHABETICAL ORDER, not order of performance):


F-Prot
Mcafee
Norton Anti-Virus
Thunderbyte

After installing them, run them to see whether they find a virus on your computer. Turning "heuristics" off, if the scanner allows it, greatly reduces the number of false alarms, but remember that it also stops the scanner from spotting viruses it has no signature for, so a clean signature-only scan is not the end of the story. If only one file is reported infected, it may well be a false alarm, i.e. the scanner thinks you have a virus when in fact you don't.

If the scanner says it can clean the files, proceed as follows:

1) Make a backup copy of every infected file before cleaning anything.
2) Let the anti-virus clean the originals only (not the backups).
3) Run the cleaned programs to see whether they still work. If they do, all is fine and you can delete the backups. If they don't, delete the cleaned copies and restore your backups.
4) Try the other scanners on the restored copies: scanners can often remove some viruses that others can't.
5) If nothing will remove the virus and you have an uninfected backup or the original installation media, reinstall the program from there.
6) If you have no clean copy, you will have to wait for an update of your anti-virus scanner that can remove it. Until then, do not run the infected program under any conditions. If the program is not important you can simply delete it, but if you do not know what a file is used for, do not delete it!

When the scan is finished, do another scan with a different scanner, to pick up any viruses that the first one might have missed.

How do I prevent a virus infection?

Well, the simplest solution is to leave your computer turned off, but that is not very useful (and then there is no point in owning a computer). Otherwise, be careful with anything new you bring onto your computer, which means any floppy and anything from the 'net. A note on floppies: if you only need to read a floppy, slide the write-protect tab so that nothing can be written to it, and always scan somebody else's floppy before you use files from it. Keep an eye on anybody who uses your computer; they could bring a virus in even without meaning to. Since that is not always possible, consider using a scanner that stays resident in memory. It checks each file before you open it and also scans memory when it loads.
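A resident scanner looks for the signatures of known viruses. A complementary check that needs no signature database is to fingerprint every program file while the machine is known to be clean and compare again later, since a virus has to modify a program to infect it. The script below is an added example, not code from the original page; the extension list, the directory layout and the sample files it creates for its demonstration are assumptions.

```python
"""Integrity baseline for program files.

Added example, not from the original page. A virus has to modify a program
to infect it, so a fingerprint taken while the machine is known to be clean
lets you spot modified or newly appeared programs later, with no signature
database. The extension list and the demo's sample files are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# Assumption: the file types worth fingerprinting on a DOS/Windows machine.
PROGRAM_EXTENSIONS = {".exe", ".com", ".sys", ".dll", ".ovl", ".bat", ".doc", ".dot"}

Fingerprint = Tuple[str, int]  # (sha256 hex digest, size in bytes)


def fingerprint(path: str) -> Fingerprint:
    """SHA-256 and size of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def take_baseline(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every program file below root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTENSIONS:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def save_baseline(baseline: Dict[str, Fingerprint], path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f)


def load_baseline(path: str) -> Dict[str, Fingerprint]:
    with open(path) as f:
        return {k: (v[0], v[1]) for k, v in json.load(f).items()}


def compare(old: Dict[str, Fingerprint], new: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Report modified, added and removed program files between two baselines."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for path, fp in new.items():
        if path not in old:
            report["added"].append(path)
        elif old[path] != fp:
            report["modified"].append(path)
    report["removed"] = [p for p in old if p not in new]
    for names in report.values():
        names.sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a directory, then 'infect' one program and drop a new file."""
    root = tempfile.mkdtemp()
    try:
        samples = {"COMMAND.COM": bytes(100), "GAME.EXE": b"MZ" + b"\x90" * 500,
                   "README.TXT": b"not a program"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        save_baseline(take_baseline(root), os.path.join(root, "baseline.json"))
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:  # grown, as by an appending virus
            f.write(b"XX")
        with open(os.path.join(root, "PICS4YOU.EXE"), "wb") as f:  # a newly dropped program
            f.write(b"MZ" + bytes(30))
        before = load_baseline(os.path.join(root, "baseline.json"))
        return compare(before, take_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the saved baseline somewhere the machine being checked cannot write to (a write-protected floppy fits the advice above), otherwise an infection can simply rewrite the baseline along with the programs.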

Know your enemy!

To fight a virus infection properly, you need to know how viruses work, i.e. how they infect other files.

Roughly speaking, there are three ways a file virus can attach itself to a program. The first is to overwrite the beginning of the file with its own code. This method is crude: in nearly every case the infected file no longer runs properly, because the code that used to be at the start has been destroyed. When the virus code reaches its end it either exits back to the system or falls through into whatever is left of the original program, which then produces errors or crashes the machine because its beginning is missing. You will usually realize very quickly that something is wrong, unless the virus exits with a plausible-looking error message, in which case you might not realize how wrong things are. A tell-tale sign of this type is that the file size does not change.

The second type appends its code to the end of the program and patches the start of the program with a jump to that code. When the virus has finished its work (typically installing itself in memory) it restores the bytes it overwrote and jumps back to the original beginning, so if it is well written the program runs as before and nothing appears wrong (except of course that the virus is now in memory). The only things you can usually notice are a drop in free memory and the fact that the program file has grown.

The third type prepends itself: it inserts its code at the beginning of the file and moves the original program after it, without changing the original bytes. The original is run once the virus code is done. Whether the program still works as it used to depends on how carefully the virus hands control back to it.
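To make the three strategies concrete, here is an added example (not code from the original page) that, given a trusted copy of a program and a suspect copy, works out which transformation relates them: the head overwritten at unchanged size, a short patched entry plus code appended, or the whole original pushed back behind prepended code. The sample bytes are constructed stand-ins, and the 16-byte limit on how much an appending virus is assumed to patch at the entry is an assumption.

```python
"""Recognise which infection strategy was applied to a program file.

Added example, not from the original page. Given a trusted copy of a program
and a suspect copy, it works out which of the three transformations described
above (overwrite the head, append with a patched entry, prepend) relates them.
All sample bytes are constructed stand-ins, not real virus or program code.
"""
from typing import Dict, Tuple

# Assumption: an appending virus only patches a short jump stub at the entry.
MAX_ENTRY_PATCH = 16

# Constructed stand-ins. HOST has a fake 'MZ' header; VIRUS is filler bytes.
HOST = b"MZ\x90\x00" + bytes(range(256)) * 2
VIRUS = b"\xeb\xfe" + b"V" * 40


def _common_suffix_len(a: bytes, b: bytes) -> int:
    """Number of trailing bytes that a and b have in common."""
    n = 0
    while n < len(a) and n < len(b) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


def classify_infection(clean: bytes, suspect: bytes) -> Tuple[str, int]:
    """Return (strategy, number of original bytes no longer in place).

    identical   - nothing changed
    prepended   - original intact, shifted towards the end of the file
    appended    - original at offset 0 with a short patched entry, extra code after it
    overwritten - same size, head replaced, tail of the original intact
    replaced    - same size but nothing of the original remains
    unknown     - none of the above (e.g. truncated, or heavily patched)
    """
    if suspect == clean:
        return "identical", 0
    n, m = len(clean), len(suspect)
    if m > n and suspect.endswith(clean):
        return "prepended", 0
    if m == n:
        damaged = n - _common_suffix_len(clean, suspect)
        return ("overwritten", damaged) if damaged < n else ("replaced", n)
    if m > n:
        patched = n - _common_suffix_len(clean, suspect[:n])
        if patched <= MAX_ENTRY_PATCH:
            return "appended", patched
    return "unknown", -1


def demo() -> Dict[str, Tuple[str, int]]:
    """Model the three transformations on the constructed HOST and classify each."""
    overwritten = VIRUS + HOST[len(VIRUS):]         # head destroyed, size unchanged
    appended = b"\xe9\x00\x02" + HOST[3:] + VIRUS   # 3-byte jump stub, code at the end
    prepended = VIRUS + HOST                        # original shifted, untouched
    return {
        "clean": classify_infection(HOST, HOST),
        "overwriting": classify_infection(HOST, overwritten),
        "appending": classify_infection(HOST, appended),
        "prepending": classify_infection(HOST, prepended),
    }


if __name__ == "__main__":
    for name, (kind, count) in demo().items():
        print(f"{name:12s} -> {kind} ({count} original bytes displaced)")
```

The check needs a trusted copy to compare against, which is exactly what the integrity baseline above gives you; with only the suspect file, the size and date changes a scanner looks for are the starting point.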

Which is the best anti-virus software?

Well, that's not an easy question, because there is no simple way of classifying anti-virus products. You may say that's easy, just count the number of viruses each one can find, but that is not all there is to it: how do you weight the results, and how do you compare one test against another? What follows are notes on a few products.

Trend Micro, Inc. / PC-Cillin
There are versions available for Windows 3.x, Windows 95, Windows NT, and DOS. Due to a poorly designed web site, I was unable to download an evaluation version. The price of PC-Cillin is $49.95, but it cannot be ordered directly from their web site. You will have to rely on others for this.

Dr Solomon / Anti Virus
This anti-virus is available for Windows 3.x, Windows 95, DOS, OS/2, Windows NT, NetWare, SCO Unix, Macintosh.

The installation program of the Windows 95 version of Dr Solomon's Anti-Virus does not let you choose where to install the product; in fact it does not even tell you where it is installing it, although it does create shortcuts in the Start menu. FindVirus is run each time Windows starts, but it does not automatically scan files and programs as they are run. FindVirus displays the percentage of files scanned so far, and will optionally scan inside the following archive and compressed-executable formats: PKZip, ARJ, LZH, ARC, PKLite, LZExe, Diet, Cryptcom, Microsoft Expand and ICE. It can also scan heuristically. Although Dr Solomon's installs itself in the startup directory, it does not ask you to reboot after installation.

Frisk / F-PROT

F-Prot is available for Windows 3.x, Windows 95, Windows NT, and DOS.

The DOS version of F-Prot allows you to choose which files to scan (executable, all files, or user-defined). You can also choose which sort of virus to scan for, and what to do if a virus is encountered. There are two modes of scanning: heuristics and secure. F-Prot comes with a list and explanation of various viruses, and also includes information on whether the damage caused by the virus is repairable or not. This version of F-Prot is free for use on privately-owned computers which are not used in commercial activities.

Virus Hoaxes

History of Virus Hoaxes

Since 1988, computer virus hoaxes have been circulating on the Internet. In October of that year, according to Ferbrache ("A Pathology of Computer Viruses", Springer, London, 1992), one of the first virus hoaxes was the 2400 baud modem virus:
SUBJ: Really Nasty Virus
AREA: GENERAL (1)

I've just discovered probably the world's worst computer virus yet. I had just finished a late night session of BBS'ing and file treading when I exited Telix 3 and attempted to run pkxarc to unarc the software I had downloaded. Next thing I knew my hard disk was seeking all over and it was apparently writing random sectors. Thank god for strong coffee and a recent backup.

Everything was back to normal, so I called the BBS again and downloaded a file. When I went to use ddir to list the directory, my hard disk was getting trashed again. I tried Procomm Plus TD and also PC Talk 3. Same results every time. Something was up so I hooked up to my test equipment and different modems (I do research and development for a local computer telecommunications company and have an in-house lab at my disposal). After another hour of corrupted hard drives I found what I think is the world's worst computer virus yet. The virus distributes itself on the modem sub-carrier present in all 2400 baud and up modems. The sub-carrier is used for ROM and register debugging purposes only, and otherwise serves no other purpose. The virus sets a bit pattern in one of the internal modem registers, but it seemed to screw up the other registers on my USR. A modem that has been "infected" with this virus will then transmit the virus to other modems that use a subcarrier (I suppose those who use 300 and 1200 baud modems should be immune). The virus then attaches itself to all binary incoming data and infects the host computer's hard disk. The only way to get rid of this virus is to completely reset all the modem registers by hand, but I haven't found a way to vaccinate a modem against the virus, but there is the possibility of building a subcarrier filter. I am calling on a 1200 baud modem to enter this message, and have advised the sysops of the two other boards (names withheld). I don't know how this virus originated, but I'm sure it is the work of someone in the computer telecommunications field such as myself. Probably the best thing to do now is to stick to 1200 baud until we figure this thing out.

Mike RoChenle

This bogus virus description spawned a humorous parody alert signed "Robert Morris III":
Date: 11-31-88 (24:60) Number: 32769

To: ALL Refer#: NONE
From: ROBERT MORRIS III Read: (N/A)
Subj: VIRUS ALERT Status: PUBLIC MESSAGE

Warning: There's a new virus on the loose that's worse than anything I've seen before! It gets in through the power line, riding on the powerline 60 Hz subcarrier. It works by changing the serial port pinouts, and by reversing the direction one's disks spin. Over 300,000 systems have been hit by it here in Murphy, West Dakota alone! And that's just in the last 12 minutes. It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac, RSX-11, ITS, TRS-80, and VHS systems.

To prevent the spread of the worm:

1) Don't use the powerline.
2) Don't use batteries either, since there are rumors that this virus has invaded most major battery plants and is infecting the positive poles of the batteries. (You might try hooking up just the negative pole.)
3) Don't upload or download files.
4) Don't store files on floppy disks or hard disks.
5) Don't read messages. Not even this one!
6) Don't use serial ports, modems, or phone lines.
7) Don't use keyboards, screens, or printers.
8) Don't use switches, CPUs, memories, microprocessors, or mainframes.
9) Don't use electric lights, electric or gas heat or airconditioning, running water, writing, fire, clothing or the wheel.

I'm sure if we are all careful to follow these 9 easy steps, this virus can be eradicated, and the precious electronic fluids of our computers can be kept pure.

---RTM III

Since then, virus hoaxes have flooded the Internet. With thousands of viruses worldwide, virus paranoia has risen to an extremely high level, and it is this paranoia that fuels the hoaxes. A good example is the "Good Times" hoax, which started in 1994 and is still circulating on the Internet today. Instead of spreading from one computer to another by itself, Good Times relies on people to pass it along: the warning itself is the thing that replicates.

How to Identify a Hoax Virus

There are several ways to identify a virus hoax, but first consider what makes a hoax successful on the Internet. Two factors are known to do it:

(1) technical-sounding language, and (2) credibility by association.

If the warning uses the right technical jargon, most people, technologically savvy ones included, tend to believe it is real. For example, the Good Times hoax says that "...if the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop which can severely damage the processor...". The first time you read this it sounds as if it might be real. A little research shows that there is no such thing as an nth-complexity infinite binary loop, and that processors are designed to run loops for weeks at a time without damage.

When we say credibility by association we are referring to who sent the warning. If the janitor at a large technological organization sends a warning to someone outside of that organization, people on the outside tend to believe the warning because the company should know about those things. Even though the person sending the warning may not have a clue what he is talking about, the prestige of the company backs the warning, making it appear real. If a manager at the company sends the warning, the message is doubly backed by the company's and the manager's reputations.

You should also be especially alert if the warning urges you to pass it on to your friends. That should raise a red flag that the warning may be a hoax. Another flag to watch for is a warning that claims to come from the Federal Communications Commission (FCC). According to the FCC, it has not issued and never will issue warnings about viruses; that is not part of its job.

Validate a Warning

CIAC recommends that you DO NOT circulate virus warnings without first checking with an authoritative source. Authoritative sources are your computer system security administrator or your computer incident advisory team. Real warnings about viruses and other network problems are issued by the various response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending team using PGP. If you download a warning from a team's own web site, or validate its PGP signature against a key you obtained from that site, you can usually be assured that the warning is real. Warnings without the name of the person who sent the original notice, or warnings with names, addresses and phone numbers that do not actually exist, are probably hoaxes.

Another area of concern is Internet chain letters, which may or may not be true. For more information on Internet chain letters, see the CIAC page on Internet chain letters.

What to do when you receive a warning?

When you receive a warning, first check its PGP signature to see that it really comes from a response team or anti-virus organization. For that you need a copy of the PGP software and the public key of the team that sent the message; fetch the key from the team's own web site (the CIAC key is on the CIAC home page, and the FIRST web page lists the addresses of other response teams), never from the warning itself, since a forger can attach any key they like. If there is no PGP signature, see whether the warning names the person who submitted the original report. Contact that person to find out whether they really wrote it and whether they actually handled the virus. If they are passing on a rumour, if their address does not exist, or if there is any doubt about the authenticity of the warning, do not circulate it. Instead, send it to your computer security manager or your incident response team and let them validate it. When in doubt, do not send it out to the world.

Most anti-virus companies also keep a web page describing the known viruses and hoaxes, and you can call or check the web site of the company whose product is supposed to carry the virus. Checking the PKWARE site for the current releases of PKZip, for instance, would have stopped the warning about PKZ300, since there is no released version 3 of PKZip. Another useful site is the "Computer Virus Myths home page", which describes several known hoaxes. In most cases, common sense alone will eliminate an Internet hoax.
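The checks described above can be partly automated before anyone spends time on a warning. The following is an added example, not part of the original page or of CIAC's material: it parses a raw message and scores the signals listed (no PGP-signed block, a request to pass it on, a claimed FCC origin, pseudo-technical jargon, no identifiable sender). The phrase lists, the weights and the two sample messages are constructed for illustration, and the presence of a PGP block is only a hint: actually verifying the signature, and contacting the named sender, still has to be done by hand.

```python
"""Score an E-Mail virus warning for the hoax signals described above.

Added example, not from the original page or from CIAC. Phrase lists,
weights and the sample messages are constructed; a PGP block counts as a
hint only, since this code does not verify signatures.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Tuple

FORWARD_PHRASES = [r"forward (this|it) to", r"pass (this|it) (on|along)",
                   r"send (this|it) to (everyone|all|your friends)"]
FCC_CLAIM = r"\b(FCC|Federal Communications? Commission)\b"
PSEUDO_JARGON = [r"nth[- ]complexity", r"infinite binary loop",
                 r"damage (the|your) (processor|cpu)"]
PGP_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
HOAX_THRESHOLD = 4  # assumption: tune against the warnings you actually see


def _text_of(msg: Message) -> str:
    """Subject plus every text/plain body, so multipart mail is handled too."""
    parts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(str(part.get_payload(decode=False)))
    return "\n".join(parts)


def hoax_signals(raw: str) -> Tuple[int, List[str]]:
    """Score a raw RFC 822 message; higher means more hoax-like."""
    msg = message_from_string(raw)
    text = _text_of(msg)
    score, reasons = 0, []
    if PGP_SIGNED not in text:
        score += 2
        reasons.append("not PGP-signed (real team warnings are)")
    if any(re.search(p, text, re.I) for p in FORWARD_PHRASES):
        score += 2
        reasons.append("urges you to pass it on")
    if re.search(FCC_CLAIM, text, re.I):
        score += 3
        reasons.append("claims to be an FCC warning (the FCC issues none)")
    if any(re.search(p, text, re.I) for p in PSEUDO_JARGON):
        score += 2
        reasons.append("technical-sounding nonsense")
    if "@" not in str(msg.get("From", "")):
        score += 1
        reasons.append("no identifiable original sender")
    return score, reasons


def is_probable_hoax(raw: str) -> bool:
    return hoax_signals(raw)[0] >= HOAX_THRESHOLD


# Constructed samples: a Good Times style chain warning and a signed bulletin.
HOAX = """\
From: someone@example.org
Subject: FW: VIRUS WARNING!!! (FCC approved)

FCC WARNING: if you receive mail titled "Good Times", DELETE it. If the
program is not stopped, the computer's processor will be placed in an
nth-complexity infinite binary loop which can severely damage the processor.
Please forward this to everyone you know!
"""

ADVISORY = """\
From: ciac@example.gov
Subject: CIAC Bulletin: Melissa macro virus

-----BEGIN PGP SIGNED MESSAGE-----

Melissa is a Word 97/2000 macro virus that mails itself to the first 50
entries of each Outlook address book. Do not open unexpected .doc attachments.
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for label, raw in (("hoax", HOAX), ("advisory", ADVISORY)):
        print(label, hoax_signals(raw), "->", "probable hoax" if is_probable_hoax(raw) else "looks genuine")
```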

POPULAR VIRUSES

W32.Mypics.Worm
W32.Mypics.Worm was discovered on the evening of Dec 2, 1999. The worm propagates automatically on Windows 9x and Windows NT through E-Mail and carries a destructive payload that triggers in the year 2000. It sends itself to as many as 50 people in the Outlook address book. The subject line is empty and the body of the E-Mail reads: Here's some pictures for you!

The message carries the worm as an attachment named pics4you.exe (34,304 bytes), trying to fool the recipient into believing that the attachment contains images. When pics4you.exe is run, it displays no images and simply seems to terminate, but the worm is now resident in memory and will E-Mail itself to as many as 50 people. It also changes the Microsoft Internet Explorer 'Home Page' setting to an adult web site.

The worm also modifies the Windows registry so that it is loaded into memory every time the computer is rebooted; as a result it is always resident. It has two payloads that simulate a Y2K problem. First, it monitors the system clock, and when it detects that the year is 2000 it corrupts the CMOS checksum that the BIOS keeps in battery-backed memory. On the next cold boot the computer displays a message such as "CMOS Checksum Invalid" and refuses to boot. This is easily corrected by entering the BIOS setup and saving the settings again. Once the machine boots, however, the second payload runs: the worm has already replaced autoexec.bat, so the hard drives are formatted.

Technical Details of Payload
Norton AntiVirus detects this worm as W32.Mypics.Worm. After pics4you.exe is executed, the worm stays resident in memory and monitors the system clock. When it sees the year 2000 (i.e. on or after Jan 1, 2000), it drops and executes a file named CBIOS.COM and overwrites the autoexec.bat file. CBIOS.COM is a 15-byte program written in assembly that overwrites the high byte of the two-byte CMOS checksum maintained by the system BIOS. At the next cold boot the BIOS therefore reports an error such as "CMOS Checksum Invalid". This is corrected by entering the BIOS setup utility and saving the settings again, which rewrites and recalculates the checksum. Norton AntiVirus detects this file as W32.Mypics.Worm (com).

The worm will overwrite the autoexec.bat with the following data:

ctty nul

format d: /autotest /q /u

format c: /autotest /q /u

The new autoexec.bat file size will be 64 bytes.

As a result, the data on both the C and D drives is formatted. Norton AntiVirus detects this file as W32.Mypics.Worm (bat).

Additional Notes

It is important to note that the worm was written in Microsoft Visual Basic. To run, it depends on the Visual Basic run-time library MSVBVM50.DLL, which must already be installed on the computer; the DLL does not travel with the worm.
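The two payloads described above can be modelled on plain data to see why the first one is recoverable and the second is not. The block below is an added example, not from the original page or from Symantec: it computes and validates the CMOS checksum over a constructed CMOS image, shows that corrupting only its high byte makes the image invalid and that recomputing (what "save" in BIOS setup does) repairs it, and recognises the quoted autoexec.bat payload. The CMOS layout used (checksum over bytes 0x10 to 0x2D, stored big-endian at 0x2E and 0x2F) is the conventional AT-compatible one and is an assumption; a given BIOS may differ. Nothing here touches real hardware or real files.

```python
"""Model of the W32.Mypics.Worm payloads described above.

Added example, not from the original page or from Symantec. Assumption: the
conventional AT-compatible CMOS layout (checksum over 0x10-0x2D, stored
big-endian at 0x2E-0x2F). All data is constructed; no hardware is touched.
"""
from typing import Tuple

CHECKSUM_RANGE = range(0x10, 0x2E)      # bytes summed by the BIOS
CHECKSUM_HI, CHECKSUM_LO = 0x2E, 0x2F   # where the 16-bit sum is stored


def cmos_checksum(cmos: bytes) -> int:
    """16-bit sum of the checksummed region."""
    return sum(cmos[i] for i in CHECKSUM_RANGE) & 0xFFFF


def checksum_valid(cmos: bytes) -> bool:
    stored = (cmos[CHECKSUM_HI] << 8) | cmos[CHECKSUM_LO]
    return stored == cmos_checksum(cmos)


def write_checksum(cmos: bytes) -> bytes:
    """What 'save' in BIOS setup does: recompute and store the checksum."""
    buf = bytearray(cmos)
    total = cmos_checksum(cmos)
    buf[CHECKSUM_HI], buf[CHECKSUM_LO] = total >> 8, total & 0xFF
    return bytes(buf)


def corrupt_checksum_high_byte(cmos: bytes) -> bytes:
    """Model of CBIOS.COM's effect: only the high checksum byte is clobbered."""
    buf = bytearray(cmos)
    buf[CHECKSUM_HI] ^= 0xFF
    return bytes(buf)


# The exact AUTOEXEC.BAT the text quotes, with CR LF line endings: 64 bytes.
MYPICS_AUTOEXEC = b"ctty nul\r\nformat d: /autotest /q /u\r\nformat c: /autotest /q /u\r\n"


def looks_like_mypics_autoexec(data: bytes) -> bool:
    """Match the quoted payload: console silenced, then unattended formats."""
    lines = [line.strip().lower() for line in data.splitlines() if line.strip()]
    silenced = lines[:1] == [b"ctty nul"]
    formats = [line for line in lines if line.startswith(b"format ") and b"/autotest" in line]
    return silenced and len(formats) >= 1


def demo() -> Tuple[bool, bool, bool, bool]:
    """(clean valid, after CBIOS.COM valid, after BIOS save valid, autoexec recognised)."""
    cmos = write_checksum(bytes(range(64)))   # constructed 64-byte CMOS image
    damaged = corrupt_checksum_high_byte(cmos)
    repaired = write_checksum(damaged)
    return (checksum_valid(cmos), checksum_valid(damaged),
            checksum_valid(repaired), looks_like_mypics_autoexec(MYPICS_AUTOEXEC))


if __name__ == "__main__":
    print(demo(), "autoexec payload size:", len(MYPICS_AUTOEXEC))
```

The asymmetry is the point: the checksum payload damages two bytes that the BIOS can regenerate, while the autoexec.bat payload runs unattended formats with the console silenced by "ctty nul", so nothing warns the user before the data is gone.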

Symantec Norton Anti-Virus Research Center

Related Software:

Norton Anti-Virus

Network Associates Virus Alerts

Related Software:

Dr. Solomon's Anti-Virus
McAfee VirusScan

PrettyPark.Worm
The PrettyPark worm arrives as an attachment called PrettyPark.EXE on a message from someone who has you in their address book. If you run the attachment, the worm creates a file called FILES32.VXD in your Windows system directory and arranges for it to be started whenever you use your system. Once installed, the worm both mails copies of itself to the people in your address book and connects to a particular "channel" on IRC (Internet Relay Chat). Over that channel it announces that your machine is infected and opens a "hole" through which an attacker can obtain information about your machine and send it further programs to execute. PrettyPark was first seen in a message "spammed" from an address in France, and is now (June, 1999) relatively widespread in some areas.

PrettyPark is dangerous because it potentially opens your system to active attacks from outside: it is an insidious combination of self-spreading worm and Trojan horse "back door" program.

Further reading: Symantec Norton Anti-Virus Research Center; Network Associates Virus Alerts.

The Dangers of Happy99.exe

A particular virus is making the rounds lately, and it's called Happy99. It is distributed via E-Mail by those infected, as an attached file named Happy99.exe, which is sent with every outgoing E-Mail message from the infected machine. Unsuspecting recipients that run the attached file under Windows95/98 become infected, and become unknowing accomplices in the spread of Happy99.

Rather than a file-infecting virus that roams your hard drive corrupting data, Happy99 is a "worm": it spreads from machine to machine (here by E-Mail) instead of infecting programs, and its only purpose is to replicate to as many places as possible. When the program is executed, a fireworks display appears on the screen with the text "Happy New Year 1999 !!". In the background, the program modifies system files so that it will be sent along with future outgoing E-Mail messages.

If you have run this program, or another program exhibiting similar displays, you may be infected with Happy99. Without your knowledge, everyone receiving E-Mail from you has received a copy of Happy99.exe attached to your message. To our knowledge, Happy99 does not destroy any data on your computer, but you should take steps to identify if you have been infected and take the necessary steps to rid yourself of this worm/virus.

Listed below are a few sites which have information concerning Happy99, including how to detect and remove it from your system. We cannot warrant the information located on those sites, so please read all instructions and precautionary details thoroughly before taking action. As always, if you are unsure about undertaking such actions, please consult a professional computer consultant for assistance.

Further reading: Symantec Norton Anti-Virus Research Center; Network Associates Virus Alerts.

E-Mail Virus - Melissa

The "Melissa" virus infects in the same way as any other Microsoft Word macro virus: it arrives as a Word file attached to an E-Mail, and nothing happens unless you open that document in Word. Once opened, it E-Mails itself to the first 50 people in every address book it can find on your computer. This can easily be avoided if you follow the rule "Do not open any E-Mail attachment from anyone unless you know what it is." If you get it by E-Mail, the subject will generally say:

Subject: Important Message From

The body of the message will say something like:

Here is that document you asked for
... don't show anyone else ;-)

If you delete the attachment without opening it in Microsoft Word, you will not be infected. Once it runs, this macro virus disables Word's macro security precautions. It affects Word 97 and Word 2000. More information on this virus, and how to remove it from your system if you are infected, can be found at the following page:
CERT Advisory CA-99-04 Melissa Macro Virus

Listed below are a few additional sites which have information concerning "Melissa", including how to detect and remove it from your system. We cannot warrant the information located on those sites, so please read all instructions and precautionary details thoroughly before taking action. As always, if you are unsure about undertaking such actions, please consult a professional computer consultant for assistance.

Further reading: Symantec Norton Anti-Virus Research Center; Network Associates Virus Alerts.

E-Mail Virus - Worm.ExploreZip

The "Worm.ExploreZip" virus is the latest in a series of mail "worms" that attach themselves to messages sent from infected machines. Particularly at risk are users of Microsoft Outlook, Outlook Express and Microsoft Exchange, because the worm makes those programs reply to incoming messages with the following text:

Hi Recipient Name!

I received your email and I shall send you a reply ASAP.

Till then, take a look at the attached zipped docs.

bye or sincerely Recipient Name

Attached to the message is a file called "zipped_files.exe" which contains the worm. Do not run this attachment!

The payload of the worm will destroy any file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or .xls on your hard drive(s), as well as any mapped drives, each time it is executed. The worm will also search the mapped drives for Windows installations and copy itself to the Windows directory, and then modify the WIN.INI file.

If you delete the message from your Inbox and from your "Deleted" folder without opening the attachment, you will not be infected. This problem can be avoided, however, if you follow the rule of, "Do not open any E-Mail attachments from anyone, unless you know what they are." More information on this virus, and how to remove it from your system if you are infected, can be found at the following page:

CERT Advisory CA-99-06 ExploreZip

Listed below are a few additional sites which have information concerning "Worm.ExploreZip", including how to detect and remove it from your system. We cannot warrant the information located on those sites, so please read all instructions and precautionary details thoroughly before taking action. As always, if you are unsure about undertaking such actions, please consult a professional computer consultant for assistance.

Further reading: Symantec Norton Anti-Virus Research Center; Network Associates Virus Alerts.

Internet Worm - BubbleBoy

The "BubbleBoy" worm is the latest in this series of mail worms, but unlike the others it needs no attachment: the worm is carried in the message itself. Particularly at risk are users of Microsoft Outlook and Outlook Express, because the worm makes those programs send it to everyone in every Outlook address book on your system.

Bubbleboy is transmitted through an E-Mail message with the subject heading "Bubbleboy is back!"

Do not open this message! Opening and viewing the message will infect your system! If you delete the message from your Inbox and from your "Deleted" folder without opening it, you will not be infected.

Listed below are a few additional sites which have information concerning "BubbleBoy", including how to detect and remove it from your system. We cannot warrant the information located on those sites, so please read all instructions and precautionary details thoroughly before taking action. As always, if you are unsure about undertaking such actions, please consult a professional computer consultant for assistance.
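Every worm in this section arrives by mail, and the rule the page keeps repeating ("do not open attachments you do not know") can be checked mechanically before a message is opened. Below is an added example, not from the original page or from any vendor named on it, that parses a message and flags: the attachment names the text associates with Mypics, PrettyPark, Happy99 and ExploreZip; any executable or macro-capable attachment; the subjects quoted for Melissa and BubbleBoy; and an HTML body containing script, which (as with BubbleBoy) runs simply by viewing the message. The sample messages, the extension lists and the addresses in them are constructed.

```python
"""Triage an incoming message for the signs of the mail worms above.

Added example, not from the original page or from any vendor it names.
Extension lists and the sample messages are constructed for illustration.
"""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Sequence, Tuple

EXECUTABLE_EXT = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs", ".js", ".shs"}
MACRO_EXT = {".doc", ".dot", ".xls", ".ppt"}  # documents that can carry macros
# Attachment names and subjects the text above quotes for each worm.
KNOWN_NAMES = {"pics4you.exe": "W32.Mypics.Worm", "prettypark.exe": "PrettyPark.Worm",
               "happy99.exe": "Happy99", "zipped_files.exe": "Worm.ExploreZip"}
KNOWN_SUBJECTS = {"important message from": "Melissa", "bubbleboy is back!": "BubbleBoy"}


def triage(raw: bytes) -> List[str]:
    """Return the reasons this message should not be opened (empty = nothing found)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    subject = str(msg.get("Subject", "")).lower()
    for key, worm in KNOWN_SUBJECTS.items():
        if key in subject:
            findings.append(f"subject matches {worm}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            lower = filename.lower()
            ext = os.path.splitext(lower)[1]
            if lower in KNOWN_NAMES:
                findings.append(f"attachment {filename} is the {KNOWN_NAMES[lower]} dropper")
            elif ext in EXECUTABLE_EXT:
                findings.append(f"executable attachment {filename}")
            elif ext in MACRO_EXT:
                findings.append(f"macro-capable document {filename}")
            if ext in EXECUTABLE_EXT and lower.count(".") > 1:
                findings.append(f"double extension hides an executable: {filename}")
        elif part.get_content_type() == "text/html" and "<script" in part.get_content().lower():
            findings.append("script in HTML body (runs when the message is viewed, like BubbleBoy)")
    return findings


def build(subject: str, body: str, attachments: Sequence[Tuple[str, bytes]] = (),
          html: Optional[str] = None) -> bytes:
    """Construct a sample message (helper for the demo, not part of the check)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if html:
        msg.add_alternative(html, subtype="html")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples modelled on the descriptions above.
MYPICS_LIKE = build("", "Here's some pictures for you!", [("pics4you.exe", b"MZ" + bytes(40))])
MELISSA_LIKE = build("Important Message From Alice",
                     "Here is that document you asked for ... don't show anyone else ;-)",
                     [("list.doc", b"\xd0\xcf\x11\xe0" + bytes(40))])
BUBBLEBOY_LIKE = build("Bubbleboy is back!", "", html="<html><script>x=1</script></html>")
CLEAN = build("lunch?", "Noon works for me.", [("menu.txt", b"soup of the day")])

if __name__ == "__main__":
    for name, raw in (("mypics", MYPICS_LIKE), ("melissa", MELISSA_LIKE),
                      ("bubbleboy", BUBBLEBOY_LIKE), ("clean", CLEAN)):
        print(name, "->", triage(raw) or "nothing suspicious")
```

The check looks only at what the message claims about itself (names, types, subjects), which is enough for the worms described here because each one relies on the user opening something; it is not a substitute for scanning the attachment with an up-to-date scanner.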

Further reading: Symantec Norton Anti-Virus Research Center; Network Associates Virus Alerts.

Anti-Virus Software

Symantec Norton Anti-Virus
Dr. Solomon's Anti-Virus
McAfee VirusScan
