Viruses

WHAT'S THE BEST ANTIVIRUS SOFTWARE PACKAGE?
In a previous tip on the subject above, I supplied some suggestions, but declined to specify a particular antivirus product by name. One reader understood why, and replied "A great response and skillfully worded. You have made a truthful reply to the inquiry, as each user's needs are best determined by that particular user." However, others wanted me to name names, and one wrote: "A real 'no guts' answer! Have you no strength in your convictions?"
I feel I should explain the reasons for my answer. Since 1991, I've never recommended a particular product; no one antivirus solution could possibly be in the best interest of all users, and doing so would also constitute an endorsement. Even if I wanted to, I'm not in a position to supply free advertising here.
In addition, people from time to time have accused me (wrongly) of favoring a product other than the one they use. I'm certainly not going to name one program, thus angering the fans of the others. And most important to me, I prefer to maintain my independence, so I can give objective advice, instead of the biased opinions one often reads in "reviews," which are sometimes paid for, one way or another.
Henri Delger
henri_delger@prodigy.net
http://pages.prodigy.net/henri_delger/
Stealth detection strategies
A strategy that isn't reported much, but is among the most effective defenses, is to write-protect all .com and .exe files. This is easily accomplished in Windows. It produces an error message if a virus tries to write to a .com or .exe file. Normal viruses will be caught immediately with this technique, and strange behavior of a program that previously loaded smoothly will alert you to possible stealth activity.
All viruses are routines that attach themselves to files to perform their tasks. A virus will either append itself to a file or overwrite part of it. Stealth viruses seek to conceal these actions by hooking themselves to system interrupts to return false data whenever an antivirus program or a computer user attempts to examine the suspected file. One little-known technique to detect
stealth viruses is to copy the suspect file to a floppy disk. Let's say the infected file was originally 500K in size. The virus added 1000 bytes to the file, but has concealed this by telling DOS the file size is still the same. So DOS copies only the original size of the file to the floppy, leaving 1000 bytes behind. If the copied file doesn't work, but the original seems fine, this indicates that the file is infected with a stealth virus.
Edinburgh University PC Virus Technical Support Library http://mft.ucs.ed.ac.uk/pcvirus/pcvirus.htm This site at the University of Edinburgh contains reports on virus infections and an in-depth report on PC viruses and Windows 95.
Anti-EXE
This boot sector virus continues to be reported, with 50 confirmed infections last year. This memory-resident stealth virus attacks hard and floppy drives. Anti-EXE is a full stealth virus, which not only conceals itself successfully from antiviral agents, but also has the capacity to guard itself from being erased from a system. Consult the documentation of your antiviral packages to determine if your program can deal with the Anti-EXE and other boot-sector Stealth viruses.
FORM-Virus and variants
This common virus and its variants infect boot sectors on hard drives and floppies. FORM and its variants are sometimes discovered through a clicking noise from the system speaker. The original version of this virus (and possibly its variants) gets its cue on the 24th day of any month to send these noises to the speaker. Any regular antiviral agent that deals with boot sector viruses can detect and remove these strains.
Highlander
This virus infects .COM files, but not COMMAND.COM. It is known to activate on the 29th day of any month, when it displays a message a number of times and then hangs the system. This virus may be removed with any regular antiviral agent that detects parasitic memory-resident viruses.
Junkie
This virus infects .COM and .EXE files, and alters master boot records and boot sectors. Infected files should be deleted. A disk restorer is needed to restore the MBR.
Ripper
This is a memory-resident stealth virus that is destructive to floppy and hard disk drives. The only way to detect and remove Ripper is to boot the system with a clean, uninfected boot disk and immediately run scanner agents.
WM.Wazzu
Wazzu is one of the largest families of Word macro viruses, having more than 100 known variants. These viruses usually consist of a single macro, called AutoOpen, in infected documents and templates. Generally, infections are characterized by three randomly selected words getting rearranged when a document is opened; the word "Wazzu" may also be inserted. Any document opened in an infected Word program also becomes infected.
WM.Cap.A
CAP is the largest family of stealth macro viruses, with more than 50 known variants. CAP avoids detection by hiding the Macro selection from the Tools menu, or, when NORMAL.DOT is infected, hiding the Templates selection from the Files menu, or both. Generally, CAP includes ten macros, two of which are used for the stealth routines, with the rest being encrypted inside infected documents.
Virus Authors
Most viruses are written by males between the ages of 14 and 24. To date, there has not been a documented case of a female virus author.
Q & A
Q: Many of the viruses that you post in the Virus Alert of the Day have letters or names appended to them with periods. For example, Clock.B, .C, .D, .E, .F, .G. What does that mean? -John Wood
A: That's a good question. If we look at the example you gave, each letter appended to the word "Clock" indicates a variant, or a modified version, of the original Clock virus. Virus authors produce variants in order to foul up antivirus programs and to extend the life of their work. Variants may be very similar to their parent virus, or they may be vastly different. For example, the only differences between a variant and the parent virus may be in the text that they display on the screen. On the other hand, a variant may combine the propagation mechanism of one virus with the damage mechanism of another virus.
April
The April virus is a boot sector virus that is more of an annoyance than a serious threat to your system. When activated, this virus hooks into the boot sector of a hard disk and will spread by writing
itself into the boot sector of every disk you insert into the floppy disk drive.
This virus can infect your system at any time of the year but won't make itself known until the month of April, when it begins altering all documents you print. It replaces periods with exclamation points and subtracts 1 from every number in your document. For example, "April 1, 1998" would become "April 0, 0887."
Activating Word's built-in macro-virus protection feature: If you use Microsoft Word 97 and are concerned about macro viruses, you can activate Word's built-in macro-virus protection feature. To
do so, select Tools, Options; click the General tab; and select the Macro Virus Protection checkbox. From now on, every time you attempt to open a document that contains attached macros, Word will display a
dialog box warning you of the macros.
This approach is not foolproof--not all documents that contain macros are infected, and certain macro viruses can propagate without triggering the message--but it does let you avoid all but the most
insidious macro-virus infections.
Macro viruses
As you may know, macros are a series of instructions used in applications such as Microsoft Word and Excel to automate repetitive or complex tasks. In addition, macros are capable of performing some
system functions, such as deleting, renaming, or setting file attributes.
Virus authors have used this capability to create a number of macro viruses that perform many mischievous operations, some innocuous and some disastrous. For example, many macro viruses do nothing more than spread from one document to another and merely take up space, while others modify the contents of documents or overwrite data.
Some sophisticated macro viruses have been discovered that are designed to attach documents to e-mail without the user ever knowing it. To complicate matters, certain viruses can even mutate or change
form.
By the beginning of this year, the number of known macro viruses had soared to more than 2000, and they now cause most of the infections in the world today. Macro viruses such as Concept, Wazzu, Npad, and CAP have spread internationally.
Q: I've heard several different terms used as plurals of the word "virus," including "viruses," "viri," "virii," and "vira." What is the correct term to use when referring to more than one virus?
A: The correct plural form is "viruses." The terms "viri," "virii," and "vira" all sound Latin and are used often enough that many people believe they are correct; however, Latin has no plural form for the word "virus," which means poison.
Form
The Form virus, which is scheduled to trigger on the eighteenth of every month (tomorrow, for instance), doesn't contain any intentionally damaging code; but because of a programming bug in the actual code, it can cause problems. The intent of the virus is to produce a clicking sound whenever a key is pressed. The virus displays the following message: "The Form Virus sends greetings to everyone who's reading this text. Form doesn't destroy data! Don't panic!"
In order to deliver its payload on the eighteenth, Form replaces the disk's boot sector with part of its code and moves the original boot sector and the rest of its code to another location on the disk. Each
time you boot from an infected disk, Form checks the date and then redirects the boot process to the relocated boot sector. On a floppy disk, Form moves the boot sector to any unused cluster and then, in
the FAT, marks that cluster as "bad" to protect it from damage. However, on a hard disk, Form moves the boot sector to the last sector on the disk but doesn't protect it. As such, the boot sector can be accidentally overwritten or moved. When this happens, the system will hang during boot-up. Fortunately, the drive and data are still accessible by booting from a floppy disk.
Trojan Horse
Contrary to popular belief, a Trojan Horse isn't really a virus--it does not replicate and spread itself. Rather, it's a cleverly disguised virus-delivery vehicle that promises to do something useful
while it launches its deadly payload. For example, FormatC is a Trojan Horse that masquerades as a Word document containing valuable information; the document also contains a single macro that calls up the DOS Format command while you're reading the document. Because this Trojan Horse is disguised as a Word document, many people incorrectly conclude that FormatC is a macro virus.
Casino
The Casino virus, which can rear its ugly head April 15, is a memory-resident file virus that infects COM files on execution. When a program that is infected by the Casino virus is run for the first time, the Casino virus attacks the first COM file it finds in the directory and creates a hidden file called COMMAND(ff).COM, where (ff) is the invisible character 0FFh. The Casino virus uses this file to become memory resident and then deletes the fake COMMAND.COM file.
On April 15, Casino reads the first 80 sectors of the current drive into memory, including the entire first copy of the FAT and normally part or all of the second copy. Then the virus writes garbage to
those 80 sectors and displays a screen intended to look like a slot machine with the following message: "Disk Destroyer - A Souvenir of Malta I have just destroyed the FAT on your Disk! However, I have a copy in RAM and I'm giving you a last chance to restore your precious data. WARNING IF YOU RESET NOW, ALL YOUR DATA WILL BE LOST - FOREVER! Your DATA depends on a game of Jackpot"
"ANY KEY TO PLAY"
When you press a key, there are three possible results: "Ha Ha! You [EXPLETIVE], you've lost! Say bye to your [EXPLETIVE] ..." and the machine hangs. Or "No [EXPLETIVE] Chance, and I'm punishing you for trying to trace me down!" and the machine hangs. Or "[EXPLETIVE]! You're lucky this time--but for your own sake, now switch off your computer and don't turn it on till tomorrow!" and the FAT is copied back onto the disk.
According to the 1997 National Computer Security Association Virus Prevalence Survey, 99 percent of all medium and large organizations in North America have experienced at least one computer virus infection.
According to the Symantec AntiVirus Research Center (SARC) three to six new viruses are discovered every day of the week. Furthermore, the majority of new viruses are macro viruses.
Worms
When programmers were working on the first early computers that could run more than one program at a time, they had to make sure that each program and its associated data were contained within certain areas of memory. If a rogue program broke out of its area, it could perform operations on the data or programs belonging to different procedures. When this type of problem occurred, programmers had to trace the path of damage through the computer's memory in order to discover where the problem originated. To do so, they plotted the path on a printout map. Often, these printout maps would look like worm-eaten wood with irregular curving traces that began and ended suddenly. Thus, the model became known as a "wormhole" pattern, and the rogue programs became known as "worms."
In an early computer network at Xerox PARC, a rogue program, later dubbed the Xerox Worm, not only broke out of its assigned memory area within its own computer, but also spread from one computer to another. This eventually led to the use of the term "worm" to indicate a virus that spreads over networks.
mIRC Script.ini
As you may know, mIRC, the popular Windows client for the Internet Relay Chat (IRC) system, has a security flaw that allows a malicious user to write a script that can cause serious problems. Because a
devious script has traits of both a virus and a Trojan horse, there is some debate over what exactly to call it. However, one thing is for certain: Devious scripts can be a big problem.
The most prevalent of these scripts, called script.ini, causes an infected mIRC client to post embarrassing comments to the chat relay on the user's behalf. It can also echo all chat activity from one
channel to another. To propagate, a script uses the mIRC client to forward a copy of itself to other users in the chat relay. If you're a mIRC user, you should investigate the mIRC FAQ for advice on how to configure your mIRC client to prevent this and similar security attacks: http://www.irchelp.org/irchelp/mirc/si.html
Armored Viruses
In order to determine how a virus works, a researcher must be able to disassemble a virus program and track its code. Virus authors can use a number of tricks to make such an operation difficult. A virus that employs these tricks is said to be armored.
Join the Crew Hoax
One of the more popular hoaxes recently is Join the Crew. This hoax, actually a variant of the Good Times hoax, began as a message posted to several Usenet newsgroups in February 1997. The original message read: "Hey, just to let you guys know, one of my friends received an e-mail message titled Join the Crew, and it erased her entire hard drive. This is that new virus that is going around. Just be careful of what
e-mail you read. Just trying to be helpful...."
There is also a variant of essentially the same message, except that it refers to an e-mail message called "Join the Club." If you receive this message or one like it, simply ignore it--don't pass it on to your friends.
Keep in mind that viruses cannot be spread simply by reading an e-mail message. However, an e-mail message CAN deliver a virus as an attachment. To be on the safe side, be wary of attachments sent to
you by someone you don't know.
Flip
The Flip virus, which can attack a system on the second of any month (such as tomorrow, May 2), is a file-infecting virus that targets .ovl, .exe, and .com files, including command.com. In addition, it can alter the Master Boot Record and boot sector of a hard disk. It spreads by traveling exclusively in infected .exe files--it can't spread via infected .com files, nor by infected floppy disk boot sectors.
The first time an infected .exe file is run on a hard disk, Flip becomes resident in high memory. Once in memory, Flip proceeds to infect the command.com file in the root directory. Then Flip slightly
modifies the system's hard disk MBR and boot sector. From this point on, Flip infects all .com and .exe files that you run. If one of the infected files calls an .ovl file, the .ovl file also becomes infected.
Systems infected with Flip may experience odd file allocation errors, and some of the data files may become corrupt. Infected files will increase in size by 2343 bytes. In addition, the logical partitioning
of the hard disk can be altered, so that the size of the hard disk shrinks.
On the second day of any month, Flip announces its presence by flipping your screen horizontally for one hour.
Pathogen
The Pathogen virus is a tunneling, polymorphic, encrypting, memory-resident, file-infecting virus. It can infect both .exe and .com files. Furthermore, it only infects files whose date is less than 100 years from the current system date.
When Pathogen has infected a system, it becomes memory resident and maintains a counter that increases by one each time an additional .exe and .com file is infected. Once Pathogen infects 32 files, it waits until an infected file is executed between 5 p.m. and 6 p.m. on a Monday and then attacks. It begins by displaying the message:
"Your hard-disk is being corrupted, courtesy of PATHOGEN!
Programmed in the U.K. (Yes, NOT Bulgaria!)
[C] The Black Baron 1993-4.
Featuring SMEG v0.1: Simulated Metamorphic Encryption Generator!
'Smoke me a kipper, I'll be back for breakfast.....'
Unfortunately some of your data won't!!!!!"
Then, Pathogen disables the keyboard and floppy drives, and it corrupts the first 256 cylinders of the hard drive.
According to the 1997 NCSA (National Computer Security Association) Virus Prevalence Survey, the computer virus problem could be virtually eliminated if just 30 percent of the world's PC users used a current, full-time antivirus protection program.
Q: I scan my hard disk for viruses before my weekly backup. After making a recent backup, I discovered that the virus definition file for my antivirus program was out of date and downloaded the update. I then discovered a boot sector virus on my hard disk. This means that the virus is now on my backup tape. If the virus had crashed my hard disk, would the presence of a virus make my backup tape worthless?
A: No, the presence of a virus wouldn't have made your backup tape worthless. If you had needed to, you could still restore important documents, databases, or spreadsheets--basically all of your valuable data--without restoring any infected programs. You could then reinstall your applications from the master disks. It's tedious work, but not as difficult as some people claim. In this instance, however, you should erase the tape with the virus on it and perform a new, full backup.
Reverting Norton Antivirus to the Previous Month's Virus Definition Set
If you've installed a new set of virus definitions in Norton AntiVirus and then decide that you need to revert back to last month's virus definitions, you can do so easily. To begin, locate the definfo.dat file in the \Program Files\Common Files\Symantec Shared\VirusDefs folder and load it into NotePad. Then locate the [DefDates] section and change the CurDefs setting so that it is the same as the LastDefs setting. For example, if the [DefDates] section looks like this:
[DefDates]
CurDefs=19970902.003
LastDefs=19970902.002
You would alter it to look like this:
[DefDates]
CurDefs=19970902.002
LastDefs=19970902.002
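The same edit, scripted, as an added example (not a Symantec tool): it reproduces the manual step above by reading the [DefDates] section, checking that both keys are present, and rewriting CurDefs to the LastDefs value while leaving every other line of the file untouched. Only the section and key names from the tip are assumed; the sample file content is constructed.

```python
"""Revert Norton AntiVirus definfo.dat to the previous definition set.

Added example, not Symantec's code. Reproduces the manual edit from the
tip: in the [DefDates] section, set CurDefs to the value of LastDefs.
Unrelated sections and lines are copied through unchanged.
"""
import re

SECTION = "[DefDates]"
# Definition-set stamps in the tip look like 19970902.003 (date.revision).
DEF_RE = re.compile(r"^(CurDefs|LastDefs)=(\d{8}\.\d{3})$")


def read_defdates(text):
    """Return {"CurDefs": ..., "LastDefs": ...} found inside [DefDates]."""
    values = {}
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == SECTION
            continue
        m = DEF_RE.match(stripped) if in_section else None
        if m:
            values[m.group(1)] = m.group(2)
    return values


def revert_defs(text):
    """Rewrite CurDefs=<LastDefs> inside [DefDates] and return the new text.

    Raises ValueError instead of guessing when either key is missing, so
    a damaged or unexpected file is never silently rewritten.
    """
    values = read_defdates(text)
    if "CurDefs" not in values or "LastDefs" not in values:
        raise ValueError("no CurDefs/LastDefs pair in [DefDates]")
    out = []
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == SECTION
        elif in_section and stripped.startswith("CurDefs="):
            line = "CurDefs=" + values["LastDefs"]
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample modelled on the tip; a real definfo.dat has more lines.
SAMPLE = """[DefDates]
CurDefs=19970902.003
LastDefs=19970902.002
"""

if __name__ == "__main__":
    print(revert_defs(SAMPLE), end="")
```

To apply it to a real installation, read the definfo.dat path from the tip, pass its contents to revert_defs, and write the result back only after keeping a copy of the original.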
An Immune System for Cyberspace
IBM Research is working on a new technology dubbed an "immune system for cyberspace." This involves an automated agent that extends across local area networks and the Internet to find and fix viruses before they do any harm. When a previously unknown virus is detected on a computer, the antivirus software will send the virus safely over the Internet to IBM. Once the virus arrives, it will be automatically
analyzed and eliminated. That fix will then be sent back to eliminate the original infection and will be able to immunize computers all over the world.
For more information on this new technology, visit IBM's Antivirus Online Web site at http://www.av.ibm.com
16-bit Viruses
The majority of the boot sector and file infector viruses were designed to live and breed in the 16-bit DOS environment; so you won't encounter as many of these types of viruses today as you would have a few years ago. This might also explain why macro viruses are on the rise.
FindVirus Demo
Are you in the market for a new antivirus utility? As you know, there are many different programs to choose from, making the decision a tough one. Fortunately, several vendors have made available free demos that you can download and try for a limited period of time. One of these is Dr Solomon's Anti-Virus Toolkit. You can download a demo of one of the Toolkit's modules, called FindVirus, and use it for 60 days. The FindVirus demo allows you to easily detect and remove viruses, as well as configure automatic daily virus scans.
What is the CIAC?
Q: I've heard the acronym CIAC and viruses mentioned in the same sentence, and I'm curious. What exactly does CIAC stand for and what does this organization do? --Valerie Brown
A: CIAC stands for Computer Incident Advisory Capability. The CIAC is the computer security incident response branch of the United States Department of Energy and the emergency backup response team for the National Institutes of Health. The CIAC was established in 1989 to provide computer security services to employees and contractors of the Department of Energy. As a part of its job, the CIAC occasionally reports on viruses. CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. You can learn more about the CIAC by visiting its Web site at http://ciac.llnl.gov/
If you have any questions regarding viruses, or the newsletter, send them to the editor at virus-alert@optimator.win.net
As you may know, DOS, and subsequently Windows 95, follow specific rules when launching executable files. When you type a command name at a DOS prompt, the operating system first looks for a COM file, then an EXE file, and finally a BAT file. For example, if you have three files named TEST.COM, TEST.EXE, and TEST.BAT, the operating system only loads TEST.COM. Companion viruses take advantage of this fact to infect your system by creating COM files with the same name as legitimate EXE files. In this way, these viruses ensure they get executed. Once the virus is loaded into memory, it passes control over to the original EXE file.
Companion viruses run in a Windows 95 DOS session, and some may even be effective under Windows 95.
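A simple check that follows from the COM-before-EXE rule described above, as an added example (not from the newsletter): it lists every directory in which a .COM file sits beside a same-named .EXE or .BAT, which is exactly the layout a companion virus needs. The listing is a constructed sample; a hit is a candidate to inspect, since legitimate programs can ship such pairs too.

```python
"""Companion-virus candidate finder (added example, not newsletter code).

DOS and Windows 95 resolve a bare command name as COM, then EXE, then
BAT, so a companion virus drops TEST.COM next to a legitimate TEST.EXE
and is run first. This script reports every basename that has a .COM
alongside a .EXE or .BAT in the same directory. Matching is
case-insensitive, like DOS file names.
"""
import os
from collections import defaultdict

SHADOWED = (".exe", ".bat")   # extensions a same-named .COM would pre-empt


def find_companions(paths):
    """Return [(directory, basename, shadowed_extensions)] for every
    basename where a .COM coexists with a .EXE and/or .BAT."""
    groups = defaultdict(set)         # (dir, basename) -> {extensions}
    for path in paths:
        directory, filename = os.path.split(path)
        base, ext = os.path.splitext(filename)
        groups[(directory, base.lower())].add(ext.lower())

    hits = []
    for (directory, base), exts in sorted(groups.items()):
        if ".com" in exts:
            shadowed = [e for e in SHADOWED if e in exts]
            if shadowed:
                hits.append((directory, base, shadowed))
    return hits


def scan_tree(root):
    """Walk a real directory tree and apply find_companions to it."""
    paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in filenames)
    return find_companions(paths)


# Constructed sample listing: TEST.COM shadows TEST.EXE in /dos/tools,
# EDIT.COM in /dos is harmless on its own (no EDIT.EXE or EDIT.BAT there),
# and the mixed-case pair in /dos/games exercises the case-insensitive match.
SAMPLE_LISTING = [
    "/dos/tools/TEST.COM",
    "/dos/tools/TEST.EXE",
    "/dos/tools/README.TXT",
    "/dos/EDIT.COM",
    "/dos/games/Pinball.com",
    "/dos/games/PINBALL.BAT",
]

if __name__ == "__main__":
    for directory, base, shadowed in find_companions(SAMPLE_LISTING):
        print(f"{directory}: {base}.com shadows {', '.join(shadowed)}")
```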
Microsoft virus blooper
In October 1996, Microsoft shipped 14,000 Solution Provider CDs
infected with the Wazzu Word macro virus to software developers and
trainers worldwide. The Wazzu virus was found residing in one of the
122 Word documents on the CD.
Reinfection Potential
If a virus has attacked your system, your risk of reinfection is very
high. Here's why: Viruses are capable of hiding anywhere and
everywhere. Any floppy disk you inserted into your drive while the
virus was present is suspect. Therefore, simply scanning and cleaning
your hard disk is not adequate insurance against reinfection; you also
need to scan and clean all the floppy disks you use on a regular
basis. If you don't know how many floppies you inserted into the
drive, scan them all. Furthermore, if you use floppy disks to transfer
data from work to home or share data with friends, be sure that you
run antivirus software on all systems that could have potentially come
in contact with an infected floppy disk.
BootProtect
As you may know, boot sector viruses infect your system when you boot
from a floppy disk in drive A. If you're like most computer users, you
rarely do this on purpose. Usually, you've accidentally left a disk in
the drive. If you're worried about encountering a boot sector virus in
this manner, then you'll want to investigate BootProtect from
Erimarsoft. This tool prevents boot sector viruses from invading your
system by checking your floppy disk drive each time you shut down or
reboot, and warning you if a disk is in the drive. You can also
customize BootProtect to monitor the CD-ROM drive as well and, if it
finds a disk in the drive, automatically open the CD-ROM drive's door.
To try out the software, go to
http://www.pcworld.com/software_lib/data/articles/anti-virus/5118.html
Question of the Week: How many virus types are there?
Q: I've heard about so many viruses since I've subscribed to your
service, and have read about boot sector and macro viruses. Recently,
a friend told me that there are other types of viruses out there in
the wild. How many different types are there?
--Beth Watkins
A: The majority of viruses fall into four main categories: boot
sector, file-infecting, multipartite, and macro viruses.
A boot sector virus infects the boot sector on a floppy disk and can
eventually spread to the master boot record on a hard disk if an
infected floppy disk is used to boot the system. Once the master boot
record is infected, the virus attempts to infect the boot sector of
every floppy disk that is inserted into the floppy disk drive and
accessed.
File-infecting viruses operate in memory, and target executable files
that have the following extensions: COM, EXE, DRV, DLL, BIN, OVL, and
SYS. Each time an infected file is run, the virus spreads to another
executable file.
Multipartite viruses have characteristics of both boot sector viruses
and file-infecting viruses.
Macro viruses are application specific and infect documents created
with applications that use macro utilities, such as Microsoft Word and
Excel. Unlike other types of viruses, macro viruses aren't specific to
an operating system and can spread with ease via e-mail attachments,
floppy disks, Web downloads, file transfers, and cooperative
applications.
ARE PICTURE FILES A VIRUS HAZARD OR NOT?
A reader asks: "Can I get a virus from downloading a JPG, GIF, or TIF
file from a newsgroup or anyone else? You've mentioned EXE files and
MS Word macros as potential virus threats, but I worry that something
that seems innocuous, like a picture file, might contain a virus as
well."
GIF, JPG, and similar image files contain data to indicate intensity
and color of images. Image files don't execute, but a viewer program
(often part of a Web browser application) reads their data and
converts them to what you see. If someone planted a virus program in
such an image file, the viewer might halt or display a garbled
picture, but the virus itself would not be able to do anything. If
viruses could spread via image files, virus writers would have done
so, and looking at the images on Web pages would no longer be safe.
ARE WINDOWS HELP FILES SAFE? NOT ANYMORE
A couple of years ago, I received a Trojanized HLP file and didn't
think much of it. But in December, the Babylonia virus (also in some
respects a worm) was posted to an Internet newsgroup as a Windows HLP
file (named serialz.hlp then, but it could have any HLP file name by
now). When opened, it alters EXE and HLP files, sometimes corrupting
them. That ordinarily would limit its spread, but it also creates a
file (kernel32.exe) that attempts to connect to a virus writers' Web
site in Japan in order to download the rest of its code.
Besides spreading via the sharing of infected EXE and HLP files,
Babylonia can spread to other users through mIRC chat by sending its
EXE and INI files to all those connected to the channel, or it can
spread as a file attached to outgoing e-mail messages.
CAN A SCANNER KEEP UP WITH NEW VIRUSES?
In a previous tip on the subject above, I wrote that depending on an
up-to-date scanner is becoming less important, and keeping current
backups is becoming more important.
A reader replied: "I was expecting you to finish that last paragraph
with a recommendation to update virus definitions every week or even
more frequently. Why do you feel it's more important to back up than
to step up infection prevention measures?"
I've been recommending that people use antivirus protection since
1991, but the events of 1999 have made me rethink things. A backup
will protect data from ALL hazards--including a virus written
yesterday, which you can't necessarily expect a scanner to recognize.
Nevertheless, I still recommend use of antivirus software--but I also
recommend that users rely more on backups than on scanners.
Some people buy antivirus software, install it, then update it
infrequently, if at all. I'm trying to get those readers to change
their way of thinking, because virus writers in 1999 finally learned
how to combine the Internet, e-mail, and malware into a serious
threat.
DEFENDING AGAINST WORD MACRO VIRUSES
A reader suggests: "Is it worth mentioning that if you hold down the
shift key while you open the Word document, it will open without using
macros, thus making it safe to open e-mail messages with Word
attachments?"
I'm sure many people do that, but I'm never sure when to use a term
like "safe," because virus writers keep coming up with new tricks, and
can easily do things like turn Word's macro virus protection option
off, disable menus that let users view macros, and the like. One
suggestion I'd make is that concerned readers visit Microsoft's very
own Anti-Virus Resources for Microsoft Office page at http://officeupdate.microsoft.com/Focus/Articles/virusres.htm
ELFBOWL AND FROGAPULT.EXE--ANOTHER HOAX
Last month, two downloadable games became very popular, and the virus
hoax authors got busy, spreading false stories that the programs were
infected with a "Christmas Day" virus. This version was the common
one:
To all
If you have received any of these games frogapult.exe (frog game) &
elfbowl.exe (elfbowling game) please can you delete them completely
out of your system as they both have a delayed virus attached to them
that will be activated on christmas day and will wipe out your system.
Let everyone know of this.
Like other virus hoax messages, this one has certain characteristics
common to such hoaxes, regardless of what they are named: First, it's
written in a frantic style, claiming that some new virus will "destroy
everything" (some viruses can, but most cannot). Second, it urgently
requests that you pass the warning on to everybody else on the planet
(which is how you got it).
Though it's not true of this hoax, most others also include a third
element: a claim that IBM, AOL, Microsoft, Compaq, the government, or
some other agency has announced the virus (they do not make such
announcements). For more information on virus-related hoaxes, go to http://www.kumite.com/myths
FEATURE-RICH APPLICATIONS AND VIRUSES
In a previous tip on the subject above, a reader asked: "Adobe
Illustrator 8 now has the ability to automate tasks. As of yet I have
not found any holes in its system, but I am only one person. What do
you think the possibility is that we will see viruses attached to
Illustrator files in the near or distant future?"
Other readers have asked this, and one offers some reassuring words:
"The automation in Adobe Illustrator 8 does not autoexecute nor does
it contain any actual scripts. 'Actions,' as they are called, are not
attached to Illustrator files; they have to be loaded manually. The
only 'danger' I could foresee is downloading an Action List from a
dubious source on the Internet, but I doubt it could contain anything
damaging to the operating system or even Illustrator, for that matter.
The Actions only execute operations available within Adobe Illustrator
itself."
FILES FROM FRIENDS, FAMILY, AND COWORKERS
In a previous tip on the subject above, I wrote: "Deleting every
executable file attachment will protect your data, and doing anything
else will expose your data to an unnecessary risk."
Many readers expressed opposing views; here's one: "So in other words,
let's all just throw our computers out the door because we shouldn't
use them in case we might get a virus."
My comments should not be interpreted as indicating the end of the
world is around the corner: All I tried to point out is that opening
or running certain files carries a risk. That's a factual statement,
thanks to those who are out to cause other people trouble. I'm not
telling anyone what to do--just reminding users, especially new ones,
to consider the risk involved. I do that because many people don't
consider the risk at all and click everything. I hear from them on
occasion, and the first word they write is HELP!
HEURISTIC SCANNERS AND FALSE POSITIVES
A reader asks: "Could you say something sometime about false
positives? The heuristic scanning of my antivirus software was
interpreting some macros from a Microsoft Office add-on as infected.
Subsequent checking of the macros proved that this was not the case."
Heuristics involves disassembling the instructions in a file, looking
for those a virus might use and nonvirus programs don't ordinarily
use. It's a complex process, and an imperfect one, because the scanner
has to weigh the evidence before sounding an alarm. A single instruction
that writes to executable files may look like a clear danger on its own,
or the scanner may see only one or two mildly suspicious things, and it
must decide how much weight each deserves. Macros from a legitimate
add-on can do the same things a macro virus does, such as copying
themselves into a template, so the scanner sees the same evidence. When
the alarm goes off, the user must decide whether he needs to worry. If it
turns out to be a false positive, send a copy of the file to the company
involved so it
can improve the scanner.
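To make the weighing concrete, here is a toy heuristic scanner. It is an added illustration, not code from any antivirus product: real scanners disassemble the file, whereas this one simply pattern-matches the byte encodings of the DOS service calls a file infector needs (find first file, open for writing, write, hook INT 21h) plus an executable wildcard string, gives each a weight, and alarms only above a threshold. The weights, the threshold, and the three sample "programs" are constructed for the example; the "patcher" shows how a legitimate utility that does virus-like things ends up as a false positive.

```python
"""Toy heuristic scanner for 16-bit DOS programs (added illustration, not a product's code)."""
import re

# Each pattern is the byte encoding of MOV AH,nn (B4 nn) or MOV AX,nnnn (B8 lo hi),
# followed within 64 bytes by INT 21h (CD 21): a call to that DOS function.
# Weights are assumptions chosen for this example.
SIGNS = [
    ("find first matching file (AH=4Eh)",   rb"\xb4\x4e.{0,64}?\xcd\x21", 2),
    ("open file read/write (AX=3D02h)",      rb"\xb8\x02\x3d.{0,64}?\xcd\x21", 2),
    ("write to file handle (AH=40h)",        rb"\xb4\x40.{0,64}?\xcd\x21", 1),
    ("set file attributes (AX=4301h)",       rb"\xb8\x01\x43.{0,64}?\xcd\x21", 1),
    ("hook INT 21h vector (AX=2521h)",       rb"\xb8\x21\x25.{0,64}?\xcd\x21", 3),
    ("wildcard string *.EXE or *.COM",       rb"\*\.(?:EXE|COM)", 2),
]
SIGNS = [(name, re.compile(pat, re.DOTALL), weight) for name, pat, weight in SIGNS]
ALARM_THRESHOLD = 6   # assumed: below this the evidence is not worth an alarm


def score(code: bytes):
    """Return (total weight, list of matched sign names) for one file image."""
    hits = [(name, weight) for name, pat, weight in SIGNS if pat.search(code)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def verdict(code: bytes) -> str:
    total, _ = score(code)
    return "ALARM" if total >= ALARM_THRESHOLD else "no alarm"


# Constructed samples: a handful of instruction encodings and strings, not real programs.
INFECTOR = (
    b"\xb8\x21\x25\xcd\x21"   # MOV AX,2521h / INT 21h  hook DOS services (stay resident)
    b"\xba\x00\x01"           # MOV DX,0100h            point at the filespec
    b"\xb4\x4e\xcd\x21"       # MOV AH,4Eh   / INT 21h  find first *.COM
    b"\xb8\x02\x3d\xcd\x21"   # MOV AX,3D02h / INT 21h  open it for writing
    b"\xb4\x40\xcd\x21"       # MOV AH,40h   / INT 21h  append the virus body
    b"*.COM\x00"
)
INSTALLER = (                 # a setup program: writes files it carries, never hunts for victims
    b"\xb8\x02\x3d\xcd\x21"
    b"\xb4\x40\xcd\x21"
    b"SETUP.EXE\x00*.EXE\x00"
)
PATCHER = (                   # a legitimate patch utility that edits every EXE in a directory
    b"\xb4\x4e\xcd\x21"
    b"\xb8\x02\x3d\xcd\x21"
    b"\xb4\x40\xcd\x21"
    b"*.EXE\x00"
)

if __name__ == "__main__":
    for label, sample in (("infector", INFECTOR), ("installer", INSTALLER), ("patcher", PATCHER)):
        total, hits = score(sample)
        print(f"{label:9s} score={total:2d} -> {verdict(sample):8s} {hits}")
```

The installer scores 5 and stays quiet; the infector scores 10; the patcher scores 7 and trips the alarm even though it is harmless, which is exactly the trade-off the scanner vendor has to make when it sets the threshold.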
NEWAPT: YET ANOTHER WORM SPREAD BY E-MAIL
Despite the news reports of a virus "deluge," 1999 fortunately did not
bring a wave of viruses and other malware becoming widespread and
causing enormous damage. Only a relative handful of such creations
actually caused problems by the end of the year. Sloppy programming on
the part of virus writers is one reason for that.
NewApt, a recently discovered Windows 95/98 worm, illustrates another
reason some viruses don't get very far. It can send itself via Outlook
Express mail as a message from users who have the worm active on their
system. Along with that capability, it can select any one of two dozen
names for its file attachment, and that might trap the unwary.
However, in one form, its HTML-style message looks like an ad for a
Web site--complete with a legitimate URL, but with the attached file
offered as an animation from the "funny programs and animations" on
the site. Although that might tempt some to click on the EXE file, the
names are mostly silly, like farting.exe. For those like myself who do
not receive e-mail in HTML form, it delivers an insulting message
instead.
SAVING TO A: DRIVE FIRST--A GOOD SUGGESTION
A reader writes: "Your comments on running two antivirus programs are
well thought out. As a programmer, I agree with your logic, and I keep
secure copies of the actual programs on CD or disk, and save all my
user-related and user-made data files on scanned disks. It is just a
little preventive maintenance; when saving files I have it set up to
go to my A: drive first, then I resave the same file on the hard
drive. That doesn't consume much time, and it saves me a lot of
headaches later."
I like your idea of saving to the A: drive first, because that will
make it impossible to forget, and that's important. It used to take
weeks for a virus to spread far enough to pose a threat, allowing for
scanner updates and warnings that provided a measure of safety. But
1999 changed all that: Now it's possible for a virus writer to get a
virus, Trojan, or worm from his computer to yours the same
day--received not from a stranger, but from people you know and trust.
TROJAN HORSE PROGRAMS VERSUS SCANNERS
A system engineer for a major antivirus software producer writes: "I
somewhat disagree with your comment, 'The most effective defense
against destructive Trojans is consistent and frequent backup--not a
virus scanner.'"
He continues, "To most AV companies, Trojans receive the same
attention as viruses. Backups are good, but that is being reactive.
It's like waiting for heart disease thinking, no worries, I have a
backup on ice. Trojans can be scanned for in much the same way viruses
are scanned. We can also scan using heuristics. Protection against ALL
Trojans? No. But those known to exist in the wild? YES. Protect
yourself, get a virus scanner. You can also limit the destructiveness
of Trojans in terms of the initial damage and tracking the source by
making creative changes to your security policy."
Since my original comment might mislead some, in fairness to those in
the industry who work hard to protect the rest of us, I should have
stated that a good scanner can detect many Trojans, with a backup
adding protection against any the scanner might miss.
UPDATING ANTIVIRUS SCANNERS SHOULD BE EASY
A reader comments, "It would be great if you could get your updates in
a timely fashion and not corrupt anything, as has been my experience
with one company. I'm not a system administrator of a large company
with several certificates, but I'm not a computer novice, either. I
don't need to do things manually in DOS. I have enough to do already
and I don't need the hassle. I don't want to worry that my system has
up-to-date antivirus protection. That is what they get paid for."
My experience has been that all the major companies have engineered
their products to protect their customers adequately, and perhaps some
need to pay more attention to your concern. In any event, there's only
so much one can expect from a scanner. Besides keeping the software
updated, it's still up to the user to employ common sense, to be very
selective about running new programs or opening files sent to them,
and above all, to keep backup copies of at least the important files
they create.
UPGRADING SOFTWARE AND FALSE POSITIVES
An antivirus program left running can interfere with the process of
installing or upgrading other software. For this reason, one reader
suggests that you "scan all files on new software disks before
installing, then disable the antivirus software during the
installation, and reenable it before rebooting for completion of the
installation. Finally, scan all files after installation."
One point I'd add is that some users would then get a warning message
from the scanner when it recognized changed executable files. That
warning comes from the scanner's change-detection (checksum) feature, not
from a match against a known virus, and after an upgrade it is expected:
the installer replaced those files. Unfortunately, some users panic when
told the file MIGHT be infected--even though in reality the file is not
infected, but merely changed by a software upgrade. Once you're satisfied
the installation went cleanly, let the scanner record the new checksums.
WHAT ABOUT VIRUS ALERT AND THE NEWEST VIRUSES?
A reader wrote: "There have been at least five other worms reported
since the one you wrote about today. This particular one was found in
early December. Can't you be more prompt with your findings? That's
not to say you don't do a good job. I enjoy Virus Alert, and I respect
your mission and intent. But truthfully, in this progressive world,
one needs to be ahead of the game when it comes to viruses. And there
hasn't been one single virus I have seen mentioned in your Tips that I
didn't know about already."
I replied to this reader that the worm in January's Tip was reported
in December, but I wrote the Tip soon after the initial reports.
There's a built-in delay in the information here, because I submit
Tips in advance of publication. Those who need immediate information
can get that from antivirus vendors' Web sites. These companies earn
many millions of dollars, and employ hundreds of researchers. I can't
compete with that, but I do the best I can with my limited resources.
The writer is not the only person who expects more than I can provide,
and I understand those feelings. However, my objective here is not to
compete with information provided by others, but to keep readers
informed enough to take precautions.
It's also important to note that many alerts and frantic press
releases about the latest viruses are written by marketing people, not
researchers, and can be read with amusement a year later, because the
viruses that initially inspired such fear never got very far.
WHAT IS AN EXECUTABLE FILE?
A reader asks: "I've been under the impression that any attachment
represents a potential danger. In one of your recent items, however,
you implied that only 'executable' attachments are problems. This is a
new term to me. What's an 'executable' attachment, and how do you
identify it?"
My definition of an executable file is one the operating system will
recognize as carrying instructions to perform, and then proceed to
carry out those instructions without further intervention. DOS, which
preceded (and today is incorporated into) Windows, reserves certain file
types for that purpose--BAT, COM, and EXE--and these files are of the
most concern. Simply clicking such a file will cause it to run. Windows
adds types of its own: a PIF file runs the program it points to, an SCR
file is an ordinary program under another name, and on a system with the
Windows Scripting Host installed, VBS and JS files run as well. Other
types of files can host a virus program, most notably DOC and DOT files,
which Microsoft Word uses, because Word runs the macros they contain.
Still other types, such as graphics files (JPG and GIF), as well as pure
text files, carry no instructions for the system to run and are safe from
viruses; the only risk left with those is a flaw in the program that
displays them, which is a different problem from a virus.
WINDOWS 95/98 VIRUSES AND DOS ANTIVIRUS PROGRAMS
In a previous tip on this subject, I wrote: "While it's possible to
scan and remove Windows 95/98 viruses with a DOS antivirus program, it
is important to remember that one should not do so by running the DOS
program in a DOS box or shell (which you start by clicking MS-DOS from
the Windows Start menu)."
One reader pointed out, "To be really secure, if you're booting to DOS
to do a virus scan, you should really be booting from a floppy."
Although I was addressing one specific issue--that of booting to DOS
versus running DOS in a Windows session--I should have also mentioned
that the preferred procedure when a virus is suspected is to power
down the system and reboot from a write-protected floppy disk you know
is uninfected.
DO ANTIVIRUS PROGRAMS REMOVE VIRUSES COMPLETELY?
A reader wrote: "If a virus slips by and gets on your computer, can it
be completely removed with your virus software? Someone told me that
the virus software can detect and remove the infected files, but the
virus is still in your BIOS. Is this true?"
Recovery from a virus often depends on what a virus did. If a virus
overwrites (corrupts) files, the only remedy is to delete them, then
restore them from original installation disks or backups. Another
factor involved in file restoration is how good the antivirus software
is. While most software can reverse changes made by the virus, if the
scanner misidentifies one variant of a virus as another, it can
destroy a file by restoring it incorrectly. Finally, some software
removes only enough of a virus to disable it, and virus code left
behind can be detected by a different scanner, which will sound a
false alarm, as if the virus was still intact and functional. One last
point: Viruses may be found in memory or on a disk, but they do not spread
from or hide in a computer's BIOS, CMOS, or anywhere else. A virus such as
CIH can overwrite the program code in a flash BIOS chip, but that leaves
the PC unable to start; it does not leave a working virus in the chip for
a scanner to find, and the cure is reprogramming or replacing the chip,
not virus removal.
THE LATEST VIRUS VANDAL TARGET: VISIO
Visio is a well-established graphic drawing application, useful for
making diagrams, particularly organizational charts and flowcharts.
It's been around for close to ten years, and has grown more popular
and powerful. Like many applications that offer enhanced features
(Word and Excel come to mind), its new version 5.0 also offered virus
writers a challenge. Indeed, someone has succeeded in creating a virus
that can spread among users of Visio, but despite alarmist press
releases from some sources, the threat isn't real--yet. (The virus
writer sent a copy of the virus to some antivirus firms, but the virus
has not been reported "in the wild.")
It's too early to tell what will follow, but it doesn't seem likely
that such viruses for Visio will get very far, because the user base
for Visio is much smaller than Word (for example), and Visio users are
less likely to share diagram files with others.
CAN SOMEONE STEAL YOUR PASSWORD WITH A TROJAN?
A reader wrote: "I came home and tried logging onto the computer. I
couldn't. After trying several times and continuously receiving the
message 'Incorrect password,' I decided to call my ISP. They told me I
had been kicked off the system as that day I had sent 500 pieces of
pornographic e-mail in a 15-minute period to people all over. I tried
telling them I didn't do it but they wouldn't even listen to me. They
told me my account had been terminated and I could reapply in 6 months
(something I will never do). No one lives with me or has access to my
account, ID, or password, yet mail was sent using it. I think
something should be done to computer hackers instead of the innocent
person having to pay."
Yes, there is a way to stop this kind of attack: Don't run or open file
attachments sent to you. From what you have written, it appears that
at some point you did so, and that file attachment was a
password-stealing Trojan, which sent your password out. Using your
password and your ISP's software, the hacker was able to log in as
you and do whatever he or she wished with your account. Two things
follow: Remove the Trojan before you change any password, because a new
password typed on a still-infected PC goes straight out the same way, and
change the other passwords you've typed on that PC as well, since the
same Trojan may have captured them.
OLD PC/DOS VIRUSES AND NEW WINDOWS SYSTEMS--PART 1 OF 3
Can older PC/DOS viruses function in a Windows 95/98 environment? It's
unusual to hear of such cases, but it does happen. That's because, in
order to run older DOS and Windows programs, Windows 95/98 functions
in some ways like Windows 3.1 does under DOS. This makes Windows 95/98
backward-compatible for those who use older programs, but also allows
viruses written for older (DOS) systems to run.
At the beginning of the start-up process, Windows runs in what's
called "real mode," exactly as DOS does, so that the programs and drivers
named in config.sys and autoexec.bat can load. The same real-mode code
runs on every boot, and if a DOS file-infecting virus has infected one of
those programs (or command.com itself), the virus runs too and can stay
resident in memory when Windows comes up.
Once the Windows 95/98 graphic interface loads and the start-up
process is completed, Windows manages the file system through its own
32-bit device drivers and programs, which maintain the integrity of the
file system. This control would block DOS programs--and DOS
file-infecting viruses--from writing to the hard disk (but not from
writing to floppy disks).
OLD PC/DOS VIRUSES AND NEW WINDOWS SYSTEMS--PART 2 OF 3
Although Windows 95/98 protects (controls access to) the integrity of
the file system, it suspends this protection when a Windows user opens
a DOS window (also called a "DOS box") in order to run older DOS
programs. That's a necessary evil, because Windows protection would
interfere with an older DOS program. Since there is no Windows file
protection in a DOS session, a DOS virus can not only run, but spread
to other files.
In addition, if more than one DOS box is in use, all of them will have
the same programs (and viruses, if any) loaded. Also, a virus can
spread to multiple DOS sessions. Finally, a DOS box retains all
programs in memory that ran during the Windows start-up, and that
could include a DOS virus.
Even the long file names Windows uses do not provide immunity to older
viruses. That's because Windows 95/98 stores two copies of file names:
one that only Windows 95/98 can read, and one that DOS can read. DOS
programs (and DOS viruses) won't recognize the Windows-readable file
name (DOS sees it as a label entry and ignores it), but they will
recognize the DOS-readable file name.
OLD PC/DOS VIRUSES AND NEW WINDOWS SYSTEMS--PART 3 OF 3
Old DOS boot or MBR (master boot record) viruses can also affect new
systems. If the user boots with a floppy disk that a boot or MBR
sector virus has infected, the virus program will run before Windows
95/98 loads, and that virus can infect the hard disk. Once a boot/MBR
virus has infected the hard disk, the virus loads each time the PC
boots, before Windows 95/98 loads. Because the MBR is read and run before
any operating system, these viruses can also infect the hard disk of a PC
running other systems, such as OS/2 and Windows NT.
One final note: If your CD drive stops working, a boot/MBR virus is one
possible cause. Windows 95/98 checks at start-up whether something has
hooked the real-mode disk interrupt (INT 13h); if it finds a hook it
doesn't recognize, it stops trusting its 32-bit disk drivers and falls
back to what it calls MS-DOS Compatibility Mode (the Performance tab of
System Properties reports which drives are affected). A resident 16-bit
boot/MBR virus is exactly such a hook, and the fallback stops 32-bit
drivers, such as CD drivers, from working. Important: This does not mean
you should immediately conclude
your PC is infected with a virus when your CD drive isn't working.
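A boot/MBR virus replaces the 446 bytes of boot code that the BIOS runs and usually leaves the partition table alone, so the check that matters is comparing the boot code against a copy taken while the PC was known clean. The following parser, an added illustration and not code from the column, reads a 512-byte MBR image, verifies the 55AA boot signature, decodes the four partition entries, and reports whether the boot code differs from a recorded hash. The MBR images are constructed: the boot code is a few bytes of the usual loader prologue, not a real loader.

```python
"""Parse a 512-byte master boot record and check whether its boot code has changed.
Added illustration; the images below are constructed, not taken from a real disk."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446                 # bytes 0..445: the code the BIOS jumps to
PART_TABLE_OFF = 446                # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"             # bytes 510..511


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts; raise if the image is malformed."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 55AA boot signature; the BIOS would not boot this")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:              # unused slot
            continue
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only, so a partition-table edit does not count as infection."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def boot_code_changed(mbr: bytes, known_good: str) -> bool:
    return boot_code_hash(mbr) != known_good


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble an MBR image from boot code and (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\x00\x00\x00", ty, b"\x00\x00\x00", lba, n)
                     for st, ty, lba, n in entries).ljust(64, b"\x00")
    return code + table + SIGNATURE


# Constructed images. The "clean" stub is only the usual first instructions of a loader.
CLEAN_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"          # cli; xor ax,ax; mov ss,ax; mov sp,7C00h
VIRUS_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xeb\x40"  # same prologue, then a jump elsewhere
PARTITIONS = [(0x80, 0x0B, 63, 2_097_152)]                # one bootable FAT32 partition from LBA 63

CLEAN_MBR = build_mbr(CLEAN_STUB, PARTITIONS)
INFECTED_MBR = build_mbr(VIRUS_STUB, PARTITIONS)          # table untouched, code replaced
KNOWN_GOOD = boot_code_hash(CLEAN_MBR)                    # record this while the PC is known clean


def check(mbr: bytes, known_good: str = KNOWN_GOOD) -> dict:
    return {"partitions": parse_partitions(mbr),
            "boot_code_changed": boot_code_changed(mbr, known_good)}


if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, check(image))
```

Feed it the 512 bytes you read from sector 0 of the hard disk, but read them only after booting from a clean, write-protected floppy: a resident stealth boot virus that has hooked INT 13h will hand back the saved original sector, and the check will say everything is fine.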
WHEN A HOAX CAN BECOME THE REAL THING
A reader wrote: "In a previous tip, you wrote about Elfbowl and
Frogpult, describing the fact that these programs were victimized by
erroneous virus reports. Late last month I was watching a computer
segment on the television news that described how the host received a
copy of Elfbowl from a friend that the friend had added a virus to.
That got me to thinking, isn't there a danger that once a virus is
reported as a hoax, a virus could be added? The perfect opportunity
for someone to do damage would be once everyone had let their guard
down."
It appears that you are correct--someone can play copycat, even with
what started out as a hoax. As a matter of fact, I recently heard from
an IS manager in a very large corporation that a Trojan related to the
hoax was actually circulated in Australia, late in December. Here's
what he wrote: "The second-wave December version of frogapult did play
the game if started through My Computer in Windows, so I can only
assume it was a wrapper around the original. It also installed itself
into the start-up menu (when started through the start-up menu, it
didn't play the game!). On December 24, the boot sector was erased,
plus, as we found out, it was using TCP/IP for some unknown purpose."
FILES FROM FRIENDS, FAMILY, AND COWORKERS
Several other readers wrote in response to the previous tip of this
title--with some interesting solutions for e-mailing files to people
or for taking action when you receive e-mailed files from others. Here
are some interesting excerpts from their messages:
"If you want to e-mail attached files to friends and work colleagues,
use a predetermined code word or phrase in the subject to alert the
recipient that it's from you."
"When I teach e-mail classes, I always advise people to send one
e-mail advising that a second message is coming with an attachment,
and also list the size of the attachment. That way, the recipient
knows an attachment is on the way and knows exactly what the
attachment is."
"I propose that the next time they get an executable attachment from a
friend or relative, they ask where the SENDER got the file from. I'm
appalled at how many people will forward a file BEFORE they even open
it up to see what it does or scan it for problems. Just because it
comes from a person you trust doesn't mean it initiated with a person
you trust."
"It has gotten to the point lately that if I receive an
attachment--even from somebody I know--I e-mail that person back
asking them if he or she sent me that file. I do not open it or even
scan it until I get a response back from the person who sent it."
HAPPY99.EXE IS STILL IN CIRCULATION
I wrote about Happy99.exe months ago, and I'm surprised that I (and
other people) still receive e-mails with it attached, as did this
reader, who wrote: "I had a personal experience with the Happy99.exe
virus (worm), which attaches itself to your outgoing e-mail once you
have opened it. I received it from a company I had sent an inquiry to
for some information on saws. They did not know they had it; I did not
know what it was when I got it. Oh, a fireworks display, how nice to
see! Then it started going out with all my e-mails to everyone else. I
had to call for technical help on how to rename files it had altered.
Since the first time, I have received it three more times, all from
different sources, but never again did I open it."
If Happy99.exe has modified your system, an up-to-date antivirus
program can get rid of it. Those who like to tinker can even do it
manually. First confirm that wsock32.ska is present in the Windows\System
folder: it is the backup copy of your original wsock32.dll that the worm
makes when it installs itself, and without it step 1 below would remove
your only copy of the Winsock library. Then go to Start, Shut Down, and
select Restart In MS-DOS Mode. This lets you take the following steps
safely, because Windows is not using wsock32.dll at that point:
1. Delete the files ska.exe, ska.dll, liste.ska, and wsock32.dll from
the Windows\System folder/directory.
2. Rename the file wsock32.ska to wsock32.dll and reboot (wsock32.ska
is a backup copy of your original wsock32.dll).
3. Be sure to delete the source of the problem, Happy99.exe.
HOW DO ANTIVIRUS COMPANIES GET VIRUS SAMPLES?
A reader wrote: "An antivirus company recently reported it had
discovered a Windows 2000 virus. How do antivirus companies find
viruses? They can get them from users. But where do they download
these things? If company A discovers a new virus while it is not
available in the wild, how can other antivirus companies get this
virus? Company A probably doesn't send the new virus to B, C, and so
on, so where do these companies find these new viruses?"
Others have asked before how a firm can obtain hundreds of new viruses
every month that are not available in the wild (before users first get
infected). I can't say whether some antivirus company researchers
visit virus writers' Web sites to obtain samples of new viruses, but
that's a possibility, I suppose.
There are other possibilities. One is that someone outside a company
will obtain new viruses from underground sites and send them to
antivirus vendors. I know that's true, because I did that some years
back, and know others who have done so as well. And I can say that
some virus writers, out of boastfulness, make their viruses available
to some antivirus companies, as did the creep who sent his Visio
virus.
One point to remember is that the antivirus business is very
competitive. One company boasts that its scanner can detect 50,000
viruses, and this pressures other companies into reporting similar
totals, however meaningless such numbers are. Nevertheless, despite
their marketing competitiveness, there is cooperation among some
researchers, and trusted individuals exchange new viruses even though
they work for rival firms.
IS IT SAFER TO OPEN E-MAIL FILE ATTACHMENTS OFFLINE?
A reader writes: "When I get an attachment from a friend, do you mean
that the safest thing is to save it to the desktop, then go offline to
open it--thus I will not get a virus? Or do you mean I should save it,
scan it with my virus program, and then open it?"
This reader (and others) misunderstood a previous writer's note
that "I found out that they had opened it up offline, so nothing was
sent out." In fact, this meant that they DID infect their systems with
PrettyPark, but since they were offline, the virus or worm did not
instantly e-mail itself to infect other people. So (as you wrote
above) saving "it to the desktop and then going offline to open it"
does NOT mean that you will not get a virus. Whether you are online or
offline is irrelevant; if you open and/or run an infected file, you
WILL infect your system. Here's a summary of three safety levels for
dealing with text e-mail messages:
- Read the message, do not open and/or run the attachment. That's 100
percent safe.
- Read the message, then open and/or run the attachment. That's not
safe at all.
- Read the message, scan it, then open and/or run the attachment. This
procedure offers questionable safety, depending on how good the
scanner is and how recently you've updated it (but remember, no
scanner can detect everything).
IS THE RISK OF TROJANS LESS THAN THAT OF VIRUSES?
A reader wrote: "The risk of being bitten by a Trojan horse is
extremely low if you are running an up-to-date scanner. The only real
risk of Trojans (and viruses and worms) is if you are on the leading
edge of the spread, before the antivirus companies develop the patch.
This is a serious problem for worms, but I've yet to see this become
an issue for Trojans. Finally, your last comment implies that there
are Trojans in the wild that antivirus scanners cannot detect. You
need to convince me this is true."
The risk is low because of scanners, but also because Trojans do not
self-replicate. On the contrary, they often do the opposite by
self-destructing. Often, destructive Trojans are set to wipe all files
from a disk (including themselves) immediately. This would preclude
them from spreading further, at least from that victim. As for whether
there are Trojans in the wild that scanners cannot detect--that's a
fact. After all, antivirus firms get some of their samples from
victims in the wild, who get them first and submit them--only after
that does the scanner get updated.
IT ISN'T NECESSARY TO SCAN A HARD DISK OVER AND OVER
By default, scanners ordinarily check the files that viruses most
commonly infect. Thus they scan some files, according to their
extensions, and skip others. Other scanners allow the user to make
changes to the default to scan some file extensions but not others, or
even all files, regardless of extension.
I'd recommend using a current, up-to-date scanner to scan all files on
the hard disk, once only. Then you should make a complete backup of
all files on the hard disk. After that, you don't need to scan the
hard disk's files again (assuming there were no viruses on the hard
disk unknown to the scanner at that time). To keep the system clean,
scan all incoming files, regardless of their extension and their
source, before first use.
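One way to put "scan everything once, then watch what comes in" into practice is an integrity baseline: hash every file right after that one full scan, keep the list somewhere the system can't rewrite it, and later compare. Anything new is an incoming file that still needs scanning; anything changed is an executable that a program (an upgrade, or a virus) has rewritten, which is the same event behind a scanner's "changed executable" warning. The code below is an added illustration, not a scanner and not code from the column; it builds a small tree of constructed files in a temporary directory and stores the baseline in a second temporary directory standing in for the column's write-protected floppy.

```python
"""Integrity baseline: hash every file once, later report what is new, changed or gone.
Added illustration; the files it hashes are constructed in a temporary directory."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root, whatever its extension."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, path: Path) -> None:
    # Keep this outside the tree it describes (a write-protected floppy is ideal), or a
    # file infector can quietly rewrite the baseline along with the files.
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; 'changed' is what a scanner's change-detection warning is about."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a tree, baseline it, then simulate an upgrade, a new download and a deletion."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as floppy:
        root = Path(tree)
        (root / "WINDOWS").mkdir()
        (root / "WINDOWS" / "CALC.EXE").write_bytes(b"MZ" + b"\x90" * 64)   # constructed stub
        (root / "AUTOEXEC.BAT").write_text("@ECHO OFF\r\nPATH C:\\WINDOWS\r\n")
        save_baseline(build_baseline(root), Path(floppy) / "baseline.json")

        (root / "WINDOWS" / "CALC.EXE").write_bytes(b"MZ" + b"\x90" * 64 + b"\xcc")  # rewritten
        (root / "DOWNLOAD.EXE").write_bytes(b"MZ" + b"\x00" * 32)               # new incoming file
        (root / "AUTOEXEC.BAT").unlink()                                         # deleted

        return compare(load_baseline(Path(floppy) / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline hashes every file regardless of extension, which is the same rule the tip gives for incoming files; a list that only covers COM and EXE would miss a DOC with a macro virus in it.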
NOT-SO-HARMLESS E-MAIL FILE ATTACHMENTS
A reader writes: "Someone in our department forwarded me an executable
with an excited note about how 'cool' it was. I ran it and watched as
the program did a VERY convincing simulation of wiping out my hard
disk--during which exercise I found that the keyboard had been
disabled. I had just bought a backup drive the week before and used it
to back up everything important, so while I waited for it to finish I
went over in my mind what I would have to do to recover. When it was
over, it turned out that the thing had been an advertisement. It was a
sharp but ultimately painless lesson. I learned it well. My standard
practice now is to delete immediately any e-mail attachment I didn't
specifically ask for."
As I replied to the reader, I've seen joke programs like that, and
I've also seen real Trojans that do wipe out files on a hard disk.
Obviously, the coworker who thought this prank was "cool" didn't take
into account the fact that someone might think it was the real thing.
If the recipient panicked and hit the OFF switch, real file damage
could occur because of the way Windows operates: it holds disk writes in
a cache and flushes them during a normal shutdown, so cutting the power
can lose whatever was still in the cache and leave files, or the FAT
itself, inconsistent.
WHAT IS AN SHS FILE, AND IS IT DANGEROUS?
A reader writes: "I was just wondering if your readers were aware that
an .shs file can contain any type of executable code. When opened, it
will execute any code contained therein. I believe a lot of Windows
users are not familiar with this file type and might open it thinking
it can't harm their system."
I replied that I'm not aware of any SHS viruses; however, an SHS
(scrap object) file with an .shs extension can be used as a Trojan in
Windows 95 and above, since opening the scrap runs whatever object was
embedded in it. What makes scraps worse than an ordinary EXE is that
Windows never displays the .shs extension, even when you have told it to
show file extensions, so a file named readme.txt.shs appears simply as
readme.txt. My advice: If you receive a file with an .shs extension,
either as a download from a Web site or as an e-mail attachment, do not
run it--delete it.
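The two tips above (what counts as an executable, and why SHS files deserve special suspicion) come together in the following classifier, an added illustration rather than code from the column. Given an attachment's real name, it reports what Windows 95/98 would do on a double-click, what Explorer would actually show the user, and whether a harmless-looking name has been put in front of the real extension. The extension lists are the column's BAT/COM/EXE and DOC/DOT plus other standard Windows types I have added; that Explorer hides .shs, .lnk and .pif even with "hide extensions" switched off is documented Windows behaviour (the NeverShowExt registry flag), not a claim the column makes. The file names in the demo are constructed.

```python
"""Classify an e-mail attachment by what Windows 95/98 does when it is double-clicked.
Added illustration; extension lists extend the column's, file names are constructed."""
from dataclasses import dataclass

# Run as a program when clicked: the DOS trio plus Windows additions (PIF runs its
# target, SCR is an EXE under another name, VBS/JS run under the Windows Scripting Host).
RUNS_DIRECTLY = {"bat", "com", "exe", "pif", "scr", "vbs", "vbe", "js", "jse"}
# Opened by an application that will run the macros they carry.
MACRO_HOSTS = {"doc", "dot", "xls", "xlt"}
# Shell scraps and shortcuts: opening one runs the embedded object or the target.
SCRAP_OR_LINK = {"shs", "shb", "lnk"}
# Data the system has no instructions to execute; the residual risk is a flawed viewer.
PASSIVE = {"txt", "jpg", "jpeg", "gif", "bmp"}
# Extensions Explorer hides even when "hide file extensions" is switched off.
NEVER_SHOWN = {"shs", "shb", "lnk", "pif", "url"}


@dataclass
class Verdict:
    name: str          # the real file name
    shown_as: str      # what Explorer displays with default settings
    kind: str
    disguised: bool    # a harmless-looking name sits in front of the real extension
    advice: str


def split_ext(name: str):
    base, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (base, ext.lower())


def shown_name(name: str, hide_known_extensions: bool = True) -> str:
    base, ext = split_ext(name)
    if ext in NEVER_SHOWN:
        return base
    if hide_known_extensions and ext in RUNS_DIRECTLY | MACRO_HOSTS | PASSIVE | SCRAP_OR_LINK:
        return base
    return name


def classify(name: str) -> Verdict:
    base, ext = split_ext(name)
    if ext in RUNS_DIRECTLY:
        kind, advice = "program: runs as soon as it is clicked", "delete unless you asked for it"
    elif ext in SCRAP_OR_LINK:
        kind, advice = "scrap/shortcut: runs whatever is inside or pointed to", "delete"
    elif ext in MACRO_HOSTS:
        kind, advice = "document that can carry macros", "scan it; open with macros disabled"
    elif ext in PASSIVE:
        kind, advice = "data file with no code for the system to run", "low risk; scan anyway"
    else:
        kind, advice = "unknown type", "do not open until you know what handles it"
    inner_ext = split_ext(base)[1]
    disguised = ext not in PASSIVE and inner_ext in PASSIVE | MACRO_HOSTS
    return Verdict(name, shown_name(name), kind, disguised, advice)


if __name__ == "__main__":
    for n in ("farting.exe", "readme.txt.shs", "photo.jpg.exe", "budget.xls", "picture.gif"):
        v = classify(n)
        print(f"{n:16s} shown as {v.shown_as!r:18s} disguised={v.disguised!s:5s} {v.kind}")
```

Note the difference between the two disguises: photo.jpg.exe is exposed the moment you turn off "hide file extensions of known file types", while readme.txt.shs still shows as readme.txt no matter what you set, which is why the advice for SHS files is simply to delete them.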
WHAT'S THE BEST ANTIVIRUS SOFTWARE PACKAGE?
A reader writes: "I understand your not wanting to commit yourself to
any product, and as you say, what's good for one person might not suit
another. On the other hand, what I would like to see is some sort of
comparison--a few of the major names, with the strong and weak points
of each."
I replied that unfortunately, including only "a few of the major
names" as he suggested would provoke criticism from those whose
favorite software I would be excluding. I can't do that, even if I had
the time. However, you can turn to some sources of objective
evaluations.
The ICSA, which publishes Information Security Magazine, certifies
antivirus software:
http://www.pcworld.com/r/tw/1%2C2061%2Ctw-v2-24%2C00.html
Then there's the Virus Bulletin test results:
http://www.virusbtn.com/Comparatives
And the Virus Research Unit, at: http://www.uta.fi/laitokset/virus
CAN SNOOPERS GAIN ACCESS TO FILES ON YOUR COMPUTER?
A reader writes: "I think some people are confused about what an
antivirus scanner is for and what it can do. People on cable or a DSL
modem might need some form of Internet protection software to calm
their nerves."
I assume he was referring to firewall software. Although this is not
directly related to viruses, I want to make the point that a computer
directly connected to the Internet is very much at risk for intrusion
from anyone anywhere on the Internet. A firewall and a scanner do
different jobs: the firewall decides which connections reach your PC
(and, in ZoneAlarm's case, which of your programs may connect out),
while the scanner examines the contents of files; you want both. Even
though I still use a dial-up connection to an ISP, I have a firewall
program installed. On one recent occasion, I let my computer just sit
there while outside sources made 42 attempts to access it. I traced some
of them back to the source, and found that some came from commercial Web
sites (even sites I had never visited), while others came back as
unknown.
Go to http://grc.com/default.htm, click Shields Up, and test your PC's
security; you'll see what I mean. Then go to http://www.zonelabs.com,
where you can download the free firewall I'm using at the moment,
ZoneAlarm.
CREATING AN EMERGENCY SYSTEM BOOT DISK
Do you have a floppy disk that will let you boot your PC in case of an
emergency? Once you've checked for viruses, create a system boot disk
and write-protect it for future emergencies, virus-related or
otherwise.
Here's how in Windows 95/98:
1. Place a disk in the A: drive.
2. Open My Computer.
3. Click the right mouse button to select the A: drive.
4. Under File, click to select Format.
5. Click to select Full Format.
6. Under Other Options, check Copy System Files.
7. Press Enter or click the Start button.
8. When the format is complete, lock (open) the write-protect window
on the disk.
9. Label the floppy and put it in a safe place.
From an MS-DOS prompt, the equivalent is FORMAT A: /S, which formats the
disk and copies the system files in one step. If there's room left on
the disk, copy your scanner's DOS version onto it as well; a boot disk
that can't scan anything does only half the job.
A SAFE WAY TO INSTALL ANTIVIRUS SOFTWARE
From a reader: "In the old days, you had to cold-boot and install
antivirus software from a write-protected floppy, which cleared out
any virus that could be hiding in memory. Now that you install from a
CD, how can you make sure a memory-resident virus doesn't bypass
detection and continue to spread?"
I replied that the user has to hope the program is as good as it
undoubtedly claims to be. In ye olden days of DOS, viruses could
control memory and fool the simpler scanners we used then, so a boot
from a floppy disk was standard procedure. The situation is different
today, because a good scanner can control the situation, detect
viruses in memory, and remove them. Under Windows 95 and later
versions, you may run into some issues when you remove viruses
attached to files Windows is using. But you can overcome such problems
by booting to DOS and then running the scanner, because then Windows
won't be using its files.
BE CAREFUL WHERE YOU BUY YOUR SOFTWARE
From a reader: "A friend gave me a floppy disk with a game on it that
he bought at a computer expo. Although a virus scan said there was no
virus, within seconds it issued a warning that something was trying to
write to the hard drive--guess what, it contained a Trojan. People
should not buy anything like this. If it doesn't come from a
manufacturer and isn't sealed, do not put into your computer. Very
sadly, my friend did not scan this game and destroyed his hard drive
files! That's a very hard way to learn a lesson, isn't it?"
I agree that buying software at a flea market, yard sale, or anywhere
but an authorized retailer can be risky. At the same time, it doesn't
matter to a virus what disk it's on, and in some cases disks have been
mass-produced with a virus on them--not to mention software returned
by a customer, which the store then shrink-wraps for resale. Scan all
incoming disks, regardless of source. |
CHODE--COMING SOON TO A PC NEAR YOU |
|
A reader writes: "After your recent tip about outsiders getting access
to my computer, I went to grc.com and found a wide-open port. When
checking some other things on that site, I found that I had that new
worm, Chode."
Chode (also called Firkin) is the first worm or virus I've heard of
that can travel by itself--no e-mail required--directly from one
Windows PC to another via the Internet, by searching for and
exploiting Windows sharing. Given virus vandals' lack of imagination,
copycat variations will no doubt soon be making computing less fun for
people. Chode is also called the 911 Worm; you can find details
regarding it in an FBI advisory at
http://www.nipc.gov/nipc/advis00-038.htm
For PCs connected to a LAN, file and printer sharing may make sense.
Consult your administrator before you take any action. If you're not
on a LAN, leaving sharing enabled on a PC connected to the Internet is
dangerous.
Write the instructions in this tip down, then exit all programs and go
to My Computer, Control Panel. Select Network and click the File And
Print Sharing button. If nothing is checked, click Cancel twice. If
either option is checked, remove the checkmark(s), then click OK
twice--your PC will reboot. |
CIH CAN RUIN YOUR DAY |
|
CIH or Chernobyl is the first virus known that can completely disable
many newer (486, Pentium, or Pentium II) computers by overwriting BIOS
(basic input-output system) program code, if the code is stored on the
special flash (write-enabled) BIOS chip. Once CIH triggers, some users
have a serious problem: The PC simply won't start up.
That's because the BIOS program directly accesses the PC's hardware to
test system memory and disk drives at bootup, then accesses the disk
to load the operating system. Without a working BIOS program, a PC
will not even boot up from a floppy disk. While it may be possible to
use a disk image of the BIOS code made in advance or obtained from the
manufacturer, a user would have to know how to restore it and have the
hardware necessary to write to the flash RAM chip.
Ironically, this hardware would be the PC itself, booted to DOS and
running flash RAM upgrading software. And that's where most CIH
victims end up helpless, needing at least a technician's help (they
may even have to replace the motherboard if the BIOS chip is soldered
to it).
CIH--known variously as PE_CIH, W95.CIH, Win32/CIH, and Chernobyl--is
a very destructive virus. Variants of it are "in the wild" (meaning
they are spreading from PC to PC and site to site), originally
"assisted" by deliberate distribution, via downloads from the
Internet, in June 1998.
Although the risk is not great, even users who don't download anything
from the Internet could encounter CIH (or any other virus so
deliberately spread) by merely obtaining and running an infected file
from someone at work, school, or elsewhere.
CIH triggers (depending on the variant) on the 26th of any month, or
on April 26. When it triggers, it is programmed to overwrite the first
(absolute) megabyte of the hard disk, thus destroying the vital data
contained in the MBR (master boot record), FAT (file allocation
table), and root directory, causing loss of access to (though not
destroying) files. But that's not the worst part, as we'll see
tomorrow. |
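To make "loss of access, though not destroying" concrete, here is an added example (not code from the tip) that parses a 512-byte master boot record using the standard layout (four 16-byte partition entries at byte 446, boot signature 55 AA at bytes 510-511) and compares a freshly read first sector against a copy saved earlier. The sample sector is constructed for the demo, and zeros stand in for whatever the overwrite leaves behind.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446             # the four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of every valid MBR

def parse_mbr(sector: bytes):
    """Return the non-empty partition entries, or None when the sector is
    not a valid MBR (wrong length or boot signature missing)."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return None
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        start_lba, num_sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:   # partition type 0 marks an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "start_lba": start_lba, "sectors": num_sectors})
    return entries

def classify_mbr(current: bytes, backup: bytes) -> str:
    """Compare the first sector as read now against a copy made in advance."""
    if current == backup:
        return "intact"
    if parse_mbr(current) is None:
        return "damaged"   # signature gone: the partition table is unreadable
    return "changed"       # still parseable, but not what was backed up

def build_sample_mbr() -> bytes:
    """Constructed MBR for the demo: dummy boot code plus one FAT32 partition."""
    boot_code = b"\xeb\xfe" + b"\x90" * 444      # jmp $ followed by NOP padding
    entry = struct.pack("<B3xB3xII", 0x80, 0x0B, 63, 1_000_000)
    table = entry + b"\x00" * 48                 # three unused slots
    return boot_code + table + BOOT_SIGNATURE

def demo():
    good = build_sample_mbr()
    wiped = b"\x00" * SECTOR_SIZE   # the first sector after an overwrite
    return parse_mbr(good), classify_mbr(good, good), classify_mbr(wiped, good)

if __name__ == "__main__":
    print(demo())
```

The file data beyond the first megabyte is untouched by such an overwrite; what is lost is the map (partition table, FAT, root directory) the operating system needs to find it.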
DETECTION OF VIRUSES HIDDEN IN COMPRESSED FILES |
|
From a reader: "In the last year, on two occasions I have installed
software on my wife's PC, and later that evening my antivirus software
has found a virus in it. Given that most of the software you would
install today comes compressed and has different extensions than the
final production versions, I am not confident that a scan of the CD or
disk will pick up the virus."
Keeping a system virus free by scanning all incoming files--regardless
of their extension and their source--before first use should work,
because a good scanner can decompress files as it checks their
contents. However, if you're not confident that a scan of an
installation CD or a floppy disk will work, scan the folder or
directory to which the new program installed its decompressed files
before running the new program. |
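As an added example (not code from the tip), the content-based, recursive check a scanner performs on an archive: each member is identified by a digest of its bytes, nested ZIPs are recognised by their magic bytes and unpacked in memory whatever their extension, and oversized members are skipped rather than inflated. The signature table and the sample archive are constructed for the demo.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 4                    # nested archives deeper than this are not opened
MAX_MEMBER = 64 * 1024 * 1024    # skip members that would inflate past 64 MiB

# Constructed signature table (hypothetical): SHA-256 of file contents -> name.
SIGNATURES = {}

def register_sample(data: bytes, name: str) -> None:
    SIGNATURES[hashlib.sha256(data).hexdigest()] = name

def scan_bytes(data: bytes, path: str, depth: int = 0) -> list:
    """Return (path, signature name) for every hit in data, recursing into ZIPs."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES:
        hits.append((path, SIGNATURES[digest]))
    # Identify archives by their magic bytes, never by the file extension.
    if depth < MAX_DEPTH and data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER:
                        continue
                    member_path = f"{path}/{info.filename}"
                    hits.extend(scan_bytes(zf.read(info), member_path, depth + 1))
        except zipfile.BadZipFile:
            pass   # looked like a ZIP but was not one; its own digest was checked above
    return hits

def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (demo helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed stand-in for a known-bad file; it is only a text string.
SAMPLE = b"constructed test sample, not real malware"
register_sample(SAMPLE, "Test.Sample.Constructed")

def demo() -> list:
    # game.ex_ hides the sample under a non-executable extension, two archives deep.
    inner = build_zip({"game.ex_": SAMPLE, "readme.txt": b"just a readme"})
    outer = build_zip({"setup.dat": inner, "install.exe": b"MZ" + b"\x00" * 64})
    return scan_bytes(outer, "outer.zip")

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```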
EXTINCT VIRUSES VERSUS THOSE IN THE WILD |
|
A reader writes: "How can you be so sure the Casper virus exists ONLY
in collections like yours? The mere fact that it exists is enough to
breed caution."
I happen to know a lot about the Casper virus. About ten years ago,
someone named Mark Washburn was dissatisfied with the simple scanners
then in use. These detected viruses mainly by matching strings of code
in programs to strings of code found in known viruses. Washburn
theorized that vandals would soon write more-complicated
(self-encrypting) viruses that would be impossible to detect by
matching strings, since no two infected files would look alike. To
prove his point, he wrote and distributed (supposedly only to
responsible antivirus researchers) a series of such viruses, named
V1P1, V1P2, V2P1, and so forth.
But his viruses got redistributed somehow, and some virus writer took
one, added some naughty words, and called it Casper. Like the Washburn
original, Casper does not use memory to spread, and infects only
executable COM files, one at a time. Viruses that spread poorly like
Casper eventually die out, if they circulate at all. In reality, of
the huge number of viruses written (counting minor variants like
Casper), you'll find less than 1 percent "in the wild" (circulating
from user to user). You can even look up a list of the viruses you
really need to worry about, called the "WildList." You can learn more
about that at http://www.wildlist.org |
MEMORY USE OF ANTIVIRUS PROGRAMS |
|
From a reader: "I have tried to update my virus scan program and it
tells me that my system is out of memory. I have plenty of space on my
hard drive, so what does this mean?"
I replied to her that this means the program doesn't have enough RAM
(random access memory) for it to run. Think of RAM as temporary
storage for instructions and data used by programs actively in use.
RAM is not connected with the long-term storage space available on
your hard disk, which stores files not in use. She either needs to
have a technician add memory (if her computer can be upgraded), or
switch to an antivirus program that requires less RAM. Another
possible fix might be to configure the computer, or the program, to
use RAM more efficiently. |
RUNNING MULTIPLE ANTIVIRUS PROGRAMS |
|
A reader writes: "If you have two antivirus software programs, would
it create any conflict? I am at present using one and have uninstalled
the other, as someone advised against having two such programs."
Since no antivirus scanner can detect everything, some people think
the best way to enhance their safety is to use two or more scanners.
However, the incremental increase in safety you gain by doing that is
much smaller than what you can achieve by making a backup of essential
files on the hard disk, so that's what I advise people to do first.
After making a backup, if you choose to run two antivirus programs,
remember that running them simultaneously in memory could cause
conflicts and will impede system performance. Running their manual
scanning components sequentially should not present any problem,
however. |
SCANNERS X, Y, AND Z--HOW MANY ARE ENOUGH |
|
From a reader: "I have two questions. First, I can't help wondering
why you only identify scan programs generically (scanner X, scanner Y,
and so on). Second, do I have to go as far as installing a second (or
third, or fourth) scanner program just to be on the safe side? Seems a
little ridiculous, doesn't it?"
As I replied to this person, while I have no reason to doubt what
readers tell me, when someone tells me of an incident, I did not
witness the events myself. If the information is negative, that could
damage a company's reputation, and the information may be inaccurate
or false. On the other hand, positive information provides free
advertising. So I won't name names.
As for the question of using multiple scanners, I've covered that
subject here previously. The bottom line is that no scanner detects
everything, and even a combination of scanners won't detect
everything. That's why I keep suggesting that you keep backups of
essential files, whether you run one scanner or ten. |
SHOULD YOU TEST AN EMAIL SCANNER WITH A REAL VIRUS? |
|
A reader writes: "We are currently evaluating a server-based e-mail
scanning software, and we have one little problem: How can we be sure
the scanner detects viruses in e-mails if we never have and hopefully
never will receive a virus via e-mail? Is there such thing as a
harmless test virus we can download somewhere and e-mail to ourselves
to test the scanning engine?"
When a buyer evaluates antivirus software, the test is no different
from evaluating any other type of software you're going to deploy in
an enterprise. What you have to judge first is how well the software
performs for you in your environment. Second, you should be satisfied
that those using the software will find it comfortable enough to use.
There are other issues--among them cost, upgrades, and extra
features--but I'd trade them for quality, customer-friendly technical
support.
You'll notice that I don't include testing viruses on my list. Does
one light a fire to test a fire extinguisher before buying it? For
similar reasons, you're best off leaving the testing of viruses to
those in that business. I suggest that one should rely on the vendor,
but if it's important to you, ask for a demonstration (at the vendor's
site, not yours). |
SNOOPERS AND YOUR PC: EVIL OR NO |
|
If you're using a firewall, you may have noticed that some days it
warns you many times of would-be intruders, and other days you receive
no such warnings. One reader explains, "I do not think commercial
sites have anything evil lying in wait when they probe you (at least
nothing more evil than the dreaded cookie). More likely, they were
trying to update details from users who previously had your newly
assigned dynamic IP (very few ISPs assign static IPs to dial-up
customers). Other contacts may come from a variety of sources, like a
user running a server who had your previous address; instant messaging
programs looking for the wrong IP; and yes, even people scanning a
range of IP addresses for malicious purposes."
He also pointed out, "ZoneAlarm is unique in that it keeps
unauthorized outbound traffic from leaving your machine. A program
available at grc.com called OptOut, though very tiny, quickly finds
the word spyware on your system and removes it. Most people do not
know they even have such Internet usage tracking tools installed on
their machine. I suggest you run it. You may be surprised at what you
find. If you do not use much freeware or shareware, it may find
nothing; but you're always better safe than sorry in future." |
SNOOPERS AND YOUR PC: TARGETING YOU |
|
A reader writes: "I am temporarily using an older computer with an
external modem. All day long I noticed that at times when I was not
downloading or doing anything whatsoever on the Net, I saw the RD & SD
status lights (Receive & Send Data) flashing like crazy. In fact, as I
write this--and I'm not doing any Web, e-mail, or other
Internet-related tasks--those lights are still flashing like mad. I
feel like some unknown person or organization is taking over my
computer. This is positively eerie."
As I wrote last month, a computer connected to the Internet
(especially directly, such as with a cable modem) runs the risk of
intrusion from anyone anywhere on the Internet. So many people have
written back to me on the subject that I'll repeat my advice: Install
a firewall to protect your computer from others. Go to
http://grc.com/default.htm
and click the Shields Up link. Test your PC's security and you'll see
what I mean. From there, you'll find a list of firewalls, one of which
is free for noncommercial use--ZoneAlarm from Zone Labs. You can check
the company's Web site for more information on the product: http://www.zonelabs.com |
SNOOPERS AND YOUR PC: WHO IS AT THE OTHER END? |
|
In yesterday's tip, I repeated my suggestion to protect your PC from
intruders with firewall software. The most common question I receive
on this subject is this: "ZoneAlarm's manual talks about using whois
and traceroute to track down who is attempting to gain access to my
computer. Where do I find such programs? The manual didn't say.
Tonight alone I am up to 33 alerts and still counting. Many seem to
come from certain IP addresses--there are about 14 different addresses
in those 33 alerts. This is an eye-opening experience; I'm sure it has
been going on for quite a while and only now is manifesting itself due
to the firewall. This reinforces my belief that one should keep
important information strictly in offline computers."
If he wishes, he can go to
http://grc.com/cb-faq.htm
where one can read about and learn where to find utilities, like Sam
Spade, that make tracing intruders easier. As for myself, I'm too busy
to do that, and agree with something else in that FAQ: "Remember that
you came to ShieldsUp because you were concerned about the security of
your machine. You wanted to turn it into Ft. Knox to foil these script
kiddies. Well, now imagine you're living in Ft. Knox. Are you really
going to be concerned about people shooting paper straw wrappers at
the walls?" |
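An added example (not code from the tip) of how to triage a night of alerts before reaching for whois or traceroute: group them by source address, then separate a source that keeps knocking on one port (the stale-address noise described in the previous tip) from one sweeping many ports. The log layout (timestamp, direction, source ip:port, destination ip:port, protocol) is constructed for the demo and is not any particular firewall's real format.

```python
import csv
import io
from collections import defaultdict

# Constructed inbound/outbound alert log; addresses are documentation ranges.
SAMPLE_LOG = """\
2000/05/10 21:03:12,FWIN,198.51.100.23:1034,192.0.2.10:139,TCP
2000/05/10 21:03:40,FWIN,198.51.100.23:1035,192.0.2.10:139,TCP
2000/05/10 21:04:02,FWIN,203.0.113.7:3122,192.0.2.10:21,TCP
2000/05/10 21:04:02,FWIN,203.0.113.7:3123,192.0.2.10:23,TCP
2000/05/10 21:04:03,FWIN,203.0.113.7:3124,192.0.2.10:80,TCP
2000/05/10 21:04:03,FWIN,203.0.113.7:3125,192.0.2.10:139,TCP
2000/05/10 21:05:11,FWOUT,192.0.2.10:1040,198.51.100.50:80,TCP
2000/05/10 21:06:30,FWIN,203.0.113.200:4000,192.0.2.10:5190,UDP
2000/05/10 21:07:45,FWIN,198.51.100.23:1036,192.0.2.10:139,TCP
2000/05/10 21:08:01,FWIN,198.51.100.9:2200,192.0.2.10:113,TCP
"""

def parse_alerts(text: str) -> list:
    """Return inbound alerts as dicts; outbound and malformed rows are skipped."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5 or row[1] != "FWIN":
            continue
        ts, _, src, dst, proto = row
        src_ip, _ = src.rsplit(":", 1)
        _, dst_port = dst.rsplit(":", 1)
        alerts.append({"ts": ts, "src": src_ip, "dport": int(dst_port), "proto": proto})
    return alerts

def summarize(alerts: list, sweep_ports: int = 3, repeat_hits: int = 3) -> dict:
    """Group by source. Many distinct ports from one source reads as a sweep;
    the same single port hit repeatedly reads more like a client that still
    expects the previous holder of this dynamic address."""
    by_src = defaultdict(lambda: {"count": 0, "ports": set()})
    for a in alerts:
        by_src[a["src"]]["count"] += 1
        by_src[a["src"]]["ports"].add(a["dport"])
    return {
        "total": len(alerts),
        "sources": len(by_src),
        "sweeps": sorted(ip for ip, v in by_src.items()
                         if len(v["ports"]) >= sweep_ports),
        "repeat_single_port": sorted(ip for ip, v in by_src.items()
                                     if v["count"] >= repeat_hits and len(v["ports"]) == 1),
    }

def demo() -> dict:
    return summarize(parse_alerts(SAMPLE_LOG))

if __name__ == "__main__":
    print(demo())
```

Only the handful of addresses in the "sweeps" list are worth a whois lookup; the rest is the background noise the FAQ quoted above is talking about.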
VIRII, VIRI, VIRRI, VIRUI--OR VIRUSES |
|
In a previous tip, I quoted a reader's question that included this
comment: "Occasionally I receive an e-mail with this statement in the
header: 'This mail has been scanned for known virii.'" In part of my
reply, I said this is obviously not a message from your antivirus
software program, because no company would ever use the word "virii."
It's virus writers' slang for viruses, and not really a word.
That brought several comments like this one: "For many years, the
proper plural of 'virus' was considered to be 'virii'--that is the
proper Latin plural (alumnus and alumni is another example).
Contemporary use has allowed the improper 'viruses' to become the
norm. Those of us who were once Latin majors find it amusing to think
that 'virii' as the plural form is now considered 'slang.'"
Sorry, but we're not speaking Latin. Even if we were, -I is the Latin
plural ending for -US, so virI would be the Latin plural for virUS. In
order to get virII, you'd have to start with virUSUS. (Do we have
"alumnii?") So far as I know, no professional in the antivirus
business, nor any commercial antivirus Web site, uses any plural of
the word virus except viruses. However, you will see viri, virii, even
virri and virui on underground virus vandal sites. That's why I never
use such terms, and why I attempt to educate others not to use them. |
VIRUS COLLECTION HAZARDS |
|
A reader writes: "You once said you have a collection of viruses. If
such a collection fell into the wrong hands, could a vandal
successfully swarm the Internet in one overwhelming foray? For
example, if you created a downloadable program and hid a swarm of
viruses within that program, could the effect overwhelm a virus
scanner to the point that some part of the virus would get through?
Although you can very easily stop one virus, could many disrupt a
computer?"
I replied that there's no danger of either event occurring. Internet
transmissions consist of packets that get bounced from one computer
network to the next in haphazard fashion, then assembled at the
destination. During the trip, a virus is an inert piece of data, so it
wouldn't pose a risk to the Internet. As far as hiding viruses in a
program goes, I've never seen a program infected with more than one
virus that functioned properly, so the chances of a system crash are
greater than the chances of one virus in a group spreading unobserved.
In other words, don't worry about virus collections (some of which do
land in the wrong hands, of course). |