Viruses
WHAT'S THE BEST ANTIVIRUS SOFTWARE PACKAGE?
In a previous tip on the subject above, I supplied some suggestions, but declined to specify a particular antivirus product by name. One reader understood why, and replied "A great response and skillfully worded. You have made a truthful reply to the inquiry, as each user's needs are best determined by that particular user." However, others wanted me to name names, and one wrote: "A real 'no guts' answer! Have you no strength in your convictions?"
I feel I should explain the reasons for my answer. Since 1991, I've never recommended a particular product; no one antivirus solution could possibly be in the best interest of all users, and doing so would also constitute an endorsement. Even if I wanted to, I'm not in a position to supply free advertising here.
In addition, people from time to time have accused me (wrongly) of favoring a product other than the one they use. I'm certainly not going to name one program, thus angering the fans of the others. And most important to me, I prefer to maintain my independence, so I can give objective advice, instead of the biased opinions one often reads in "reviews," which are sometimes paid for, one way or another.

Henri Delger henri_delger@prodigy.net http://pages.prodigy.net/henri_delger/
Stealth detection strategies
A strategy that isn't reported much, but is among the most effective defenses, is to write-protect all .com and .exe files. This is easily accomplished in Windows. It produces an error message if a virus tries to write to a .com or .exe file. Normal viruses will be caught immediately with this technique, and strange behavior of a program that previously loaded smoothly will alert you to possible stealth activity.

All viruses are routines that attach themselves to files to perform their tasks. A virus will either append itself to a file or overwrite part of it. Stealth viruses seek to conceal these actions by hooking themselves to system interrupts to return false data whenever an antivirus program or a computer user attempts to examine the suspected file.

One little-known technique to detect stealth viruses is to copy the suspect file to a floppy disk. Let's say the infected file was originally 500K in size. The virus added 1000 bytes to the file, but has concealed this by telling DOS the file size is still the same. So DOS copies only the original size of the file to the floppy, leaving 1000 bytes behind. If the copied file doesn't work, but the original seems fine, this indicates that the file is infected with a stealth virus.

Edinburgh University PC Virus Technical Support Library
http://mft.ucs.ed.ac.uk/pcvirus/pcvirus.htm
This site at the University of Edinburgh contains reports on virus infections and an in-depth report on PC viruses and Windows 95.

Anti-EXE
This boot sector virus continues to be reported, with 50 confirmed infections last year. This memory-resident stealth virus attacks hard and floppy drives. Anti-EXE is a full stealth virus, which not only conceals itself successfully from antiviral agents, but also has the capacity to guard itself from being erased from a system. Consult the documentation of your antiviral packages to determine if your program can deal with the Anti-EXE and other boot-sector Stealth viruses.
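As an added illustration of the write-protect and size-comparison strategy described under "Stealth detection strategies" above (this is editor-supplied example code, not part of the original newsletter), the following Python script records the size and SHA-256 of every .com and .exe file under a directory, clears their write bit, and later reports files whose size or contents changed, or whose reported size disagrees with the bytes actually readable. The directory, the file names and the 1000-byte growth in the demo are constructed for the example; on a modern operating system the two size figures normally agree, and that comparison is the analogue of copying a suspect file to a floppy under DOS.

```python
"""Integrity baseline for executables: size, SHA-256 and write-protection.
Added example for the newsletter tip above, not code from the newsletter."""
from __future__ import annotations

import hashlib
import stat
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".com", ".exe"}


def _digest(path: Path) -> tuple[int, str]:
    """Read the whole file; return (bytes actually read, SHA-256 hex)."""
    h = hashlib.sha256()
    read = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
            read += len(chunk)
    return read, h.hexdigest()


def build_baseline(root, write_protect: bool = True) -> dict:
    """Record every .com/.exe under root and (optionally) clear its write bits."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not (path.is_file() and path.suffix.lower() in EXEC_SUFFIXES):
            continue
        read, digest = _digest(path)
        baseline[str(path.relative_to(root))] = {
            "stat_size": path.stat().st_size,   # size the filesystem reports
            "read_size": read,                  # bytes a plain copy would get
            "sha256": digest,
        }
        if write_protect:
            mode = stat.S_IMODE(path.stat().st_mode)
            path.chmod(mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return baseline


def verify(root, baseline: dict) -> list[tuple[str, str]]:
    """Compare the directory against the baseline; return (file, finding) pairs."""
    findings = []
    for rel, rec in baseline.items():
        path = Path(root) / rel
        if not path.exists():
            findings.append((rel, "missing"))
            continue
        stat_size = path.stat().st_size
        read, digest = _digest(path)
        if stat_size != read:   # the discrepancy the floppy-copy trick exposes
            findings.append((rel, f"reported size {stat_size} but {read} bytes readable"))
        if stat_size != rec["stat_size"]:
            findings.append((rel, f"size changed {rec['stat_size']} -> {stat_size}"))
        elif digest != rec["sha256"]:
            findings.append((rel, "content changed, size unchanged"))
    return findings


def demo() -> dict:
    """Constructed scenario: two stub executables; one grows by 1000 bytes after
    the baseline was taken. Returns the findings before and after the change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "game.exe").write_bytes(b"MZ" + bytes(510))   # constructed 512-byte stub
        (root / "util.com").write_bytes(bytes(range(256)))    # constructed 256-byte stub
        baseline = build_baseline(root)
        before = verify(root, baseline)
        target = root / "game.exe"
        target.chmod(stat.S_IMODE(target.stat().st_mode) | stat.S_IWUSR)  # stage the change
        with open(target, "ab") as fh:
            fh.write(b"\x90" * 1000)
        after = verify(root, baseline)
        for p in root.iterdir():   # restore write access so cleanup succeeds everywhere
            p.chmod(stat.S_IMODE(p.stat().st_mode) | stat.S_IWUSR)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the checked files cannot reach (a write-protected floppy, in the newsletter's era; read-only media or another host today), otherwise a program that can alter executables can alter the baseline too.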
FORM-Virus and variants
This common virus and its variants infect boot sectors on hard drives and floppies. FORM and its variants are sometimes discovered through a clicking noise from the system speaker. The original (and possibly variants) of this virus gets its cue on the 24th day of any month to send these noises to the speaker. Any regular antiviral agent that deals with boot sector viruses can detect and remove these strains.

Highlander
This virus infects .COM files, but not COMMAND.COM. It is known to activate on the 29th day of any month, when it will display a message a number of times and then hang the system. This virus may be removed with any regular antiviral agent that detects parasitic memory-resident viruses.

Junkie
This virus infects .COM and .EXE files, and alters master boot records and boot sectors. Infected files should be deleted. A disk restorer is needed to restore the MBR.

Ripper
This is a memory-resident stealth virus that is destructive to floppy and hard disk drives. The only way to detect and remove Ripper is to boot the system with a clean, uninfected boot disk and immediately run scanner agents.

WM.Wazzu
The Wazzu is one of the largest families of Word macro viruses, having more than 100 known variants. These viruses usually consist of a single macro, called AutoOpen, in infected documents and templates. Generally, infections are characterized by three words, randomly selected, getting rearranged when a document is opened; the word "Wazzu" may also be inserted. Any document opened in an infected Word program also becomes infected.

WM.Cap.A
CAP macros are the largest of the family of Stealth Macro viruses, with more than 50 known variants. CAP avoids detection by hiding the Macro selection from the Tools menu, or, when NORMAL.DOT is infected, hiding the Templates selection from the Files menu, or both.
Generally, CAP includes ten macros, two of which are used for the Stealth routines, with the rest being encrypted inside infected documents.

Virus Authors
Most viruses are written by males between the ages of 14 and 24. To date, there has not been a documented case of a female virus author.

Q & A
Q: Many of the viruses that you post in the Virus Alert of the Day have letters or names appended to them with periods. For example, Clock.B, .C, .D, .E, .F, .G. What does that mean? --John Wood
A: That's a good question. If we look at the example you gave, each letter appended to the word "Clock" indicates a variant, or a modified version, of the original Clock virus. Virus authors produce variants in order to foul up antivirus programs and to extend the life of their work. Variants may be very similar to their parent virus, or they may be vastly different. For example, the only differences between a variant and the parent virus may be in the text that they display on the screen. On the other hand, a variant may combine the propagation mechanism of one virus with the damage mechanism of another virus.

April
The April virus is a boot sector virus that is more of an annoyance than a serious threat to your system. When activated, this virus hooks into the boot sector of a hard disk and will spread by writing itself into the boot sector of every disk you insert into the floppy disk drive. This virus can infect your system at any time of the year but won't make itself known until the month of April, when it begins altering all documents you print. It replaces periods with exclamation points and subtracts 1 from every number in your document. For example, "April 1, 1998" would become "April 0, 0887."

Activating Word's built-in macro-virus protection feature
If you use Microsoft Word 97 and are concerned about macro viruses, you can activate Word's built-in macro-virus protection feature. To do so, select Tools, Options; click the General tab; and select the Macro Virus Protection checkbox. From now on, every time you attempt to open a document that contains attached macros, Word will display a dialog box warning you of the macros. This approach is not foolproof--not all documents that contain macros are infected, and certain macro viruses can propagate without triggering the message--but it does let you avoid all but the most insidious macro-virus infections.

Macro viruses
As you may know, macros are a series of instructions used in applications such as Microsoft Word and Excel to automate repetitive or complex tasks. In addition, macros are capable of performing some system functions, such as deleting, renaming, or setting file attributes. Virus authors have used this capability to create a number of macro viruses that perform many mischievous operations, some innocuous and some disastrous. For example, many macro viruses do nothing more than spread from one document to another and merely take up space, while others modify the contents of documents or overwrite data. Some sophisticated macro viruses have been discovered that are designed to attach documents to e-mail without the user ever knowing it. To complicate matters, certain viruses can even mutate or change form. By the beginning of this year, the number of known macro viruses had soared to more than 2000, and they now cause most of the infections in the world today. Macro viruses such as Concept, Wazzu, Npad, and CAP have spread internationally.

Q: I've heard several different terms used as plurals of the word "virus," including "viruses," "viri," "virii," and "vira." What is the correct term to use when referring to more than one virus?
A: The correct plural form is "viruses." The terms "viri," "virii," and "vira" all sound Latin and are used often enough that many people believe they are correct; however, Latin has no plural form for the word "virus," which means poison.
Form
The Form virus, which is scheduled to trigger on the eighteenth of every month (tomorrow, for instance), doesn't contain any intentionally damaging code; but because of a programming bug in the actual code, it can cause problems. The intent of the virus is to produce a clicking sound whenever a key is pressed. The virus displays the following message: "The Form Virus sends greetings to everyone who's reading this text. Form doesn't destroy data! Don't panic!" In order to deliver its payload on the eighteenth, Form replaces the disk's boot sector with part of its code and moves the original boot sector and the rest of its code to another location on the disk. Each time you boot from an infected disk, Form checks the date and then redirects the boot process to the relocated boot sector. On a floppy disk, Form moves the boot sector to any unused cluster and then, in the FAT, marks that cluster as "bad" to protect it from damage. However, on a hard disk, Form moves the boot sector to the last sector on the disk but doesn't protect it. As such, the boot sector can be accidentally overwritten or moved. When this happens, the system will hang during boot-up. Fortunately, the drive and data are still accessible by booting from a floppy disk.

Trojan Horse
Contrary to popular belief, a Trojan Horse isn't really a virus--it does not replicate and spread itself. Rather, it's a cleverly disguised virus-delivery vehicle that promises to do something useful while it launches its deadly payload. For example, FormatC is a Trojan Horse that masquerades as a Word document containing valuable information; the document also contains a single macro that calls up the DOS Format command while you're reading the document. Because this Trojan Horse is disguised as a Word document, many people incorrectly conclude that FormatC is a macro virus.

Casino
The Casino virus, which can rear its ugly head April 15, is a memory-resident file virus that infects COM files on execution. When a program that is infected by the Casino virus is run for the first time, the Casino virus attacks the first COM file it finds in the directory and creates a hidden file called COMMAND(ff).COM, where (ff) is the invisible character 0FFh. The Casino virus uses this file to become memory resident and then deletes the fake COMMAND.COM file. On April 15, Casino reads the first 80 sectors of the current drive into memory, including the entire first copy of the FAT and normally part or all of the second copy. Then the virus writes garbage to those 80 sectors and displays a screen intended to look like a slot machine with the following message: "Disk Destroyer - A Souvenir of Malta I have just destroyed the FAT on your Disk! However, I have a copy in RAM and I'm giving you a last chance to restore your precious data. WARNING IF YOU RESET NOW, ALL YOUR DATA WILL BE LOST - FOREVER! Your DATA depends on a game of Jackpot" "ANY KEY TO PLAY" When you press a key, there are three possible results: "Ha Ha! You [EXPLETIVE], you've lost! Say bye to your [EXPLETIVE] ..." and the machine hangs. Or "No [EXPLETIVE] Chance, and I'm punishing you for trying to trace me down!" and the machine hangs. Or "[EXPLETIVE]! You're lucky this time--but for your own sake, now switch off your computer and don't turn it on till tomorrow!" and the FAT is copied back onto the disk.

According to the 1997 National Computer Security Association Virus Prevalence Survey, 99 percent of all medium and large organizations in North America have experienced at least one computer virus infection.

According to the Symantec AntiVirus Research Center (SARC), three to six new viruses are discovered every day of the week. Furthermore, the majority of new viruses are macro viruses.

Worms
When programmers were working on the first early computers that could run more than one program at a time, they had to make sure that each program and its associated data were contained within certain areas of memory.
If a rogue program broke out of its area, it could perform operations on the data or programs belonging to different procedures. When this type of problem occurred, programmers had to trace the path of damage through the computer's memory in order to discover where the problem originated. To do so, they plotted the path on a printout map. Often, these printout maps would look like worm-eaten wood with irregular curving traces that began and ended suddenly. Thus, the model became known as a "wormhole" pattern, and the rogue programs became known as "worms." In an early computer network at Xerox PARC, a rogue program, later dubbed the Xerox Worm, not only broke out of its assigned memory area within its own computer, but also spread from one computer to another. This eventually led to the use of the term "worm" to indicate a virus that spreads over networks.

mIRC Script.ini
As you may know, mIRC, the popular Windows client for the Internet Relay Chat (IRC) system, has a security flaw that allows a malicious user to write a script that can cause serious problems. Because a devious script has traits of both a virus and a Trojan horse, there is some debate over what exactly to call it. However, one thing is for certain: Devious scripts can be a big problem. The most prevalent of these scripts, called script.ini, causes an infected mIRC client to post embarrassing comments to the chat relay on the user's behalf. It can also echo all chat activity from one channel to another. To propagate, a script uses the mIRC client to forward a copy of itself to other users in the chat relay. If you're a mIRC user, you should investigate the mIRC FAQ for advice on how to configure your mIRC client to prevent this and similar security attacks: http://www.irchelp.org/irchelp/mirc/si.html

Armored Viruses
In order to determine how a virus works, a researcher must be able to disassemble a virus program and track its code. Virus authors can use a number of tricks to make such an operation difficult. A virus that employs these tricks is said to be armored.

Join the Crew Hoax
One of the more popular hoaxes recently is Join the Crew. This hoax, actually a variant of the Good Times hoax, began as a message posted to several Usenet newsgroups in February 1997. The original message read: "Hey, just to let you guys know, one of my friends received an e-mail message titled Join the Crew, and it erased her entire hard drive. This is that new virus that is going around. Just be careful of what e-mail you read. Just trying to be helpful...." There is also a variant of essentially the same message, except that it refers to an e-mail message called "Join the Club." If you receive this message or one like it, simply ignore it--don't pass it on to your friends. Keep in mind that viruses cannot be spread simply by reading an e-mail message. However, an e-mail message CAN deliver a virus as an attachment. To be on the safe side, be wary of attachments sent to you by someone you don't know.

Flip
The Flip virus, which can attack a system on the second of any month (such as tomorrow, May 2), is a file-infecting virus that targets .ovl, .exe, and .com files, including command.com. In addition, it can alter the Master Boot Record and boot sector of a hard disk. It spreads by traveling exclusively in infected .exe files--it can't spread via infected .com files, nor by infected floppy disk boot sectors. The first time an infected .exe file is run on a hard disk, Flip becomes resident in high memory. Once in memory, Flip proceeds to infect the command.com file in the root directory. Then Flip slightly modifies the system's hard disk MBR and boot sector. From this point on, Flip infects all .com and .exe files that you run. If one of the infected files calls an .ovl file, the .ovl file also becomes infected.
Systems infected with Flip may experience odd file allocation errors, and some of the data files may become corrupt. Infected files will increase in size by 2343 bytes. In addition, the logical partitioning of the hard disk can be altered, so that the size of the hard disk shrinks. On the second day of any month, Flip announces its presence by flipping your screen horizontally for one hour.

Pathogen
The Pathogen virus is a tunneling, polymorphic, encrypting, memory-resident, file-infecting virus. It can infect both .exe and .com files. Furthermore, it only infects files whose date is less than 100 years from the current system date. When Pathogen has infected a system, it becomes memory resident and maintains a counter that increases by one each time an additional .exe or .com file is infected. Once Pathogen infects 32 files, it waits until an infected file is executed between 5 p.m. and 6 p.m. on a Monday and then attacks. It begins by displaying the message: "Your hard-disk is being corrupted, courtesy of PATHOGEN! Programmed in the U.K. (Yes, NOT Bulgaria!) [C] The Black Baron 1993-4. Featuring SMEG v0.1: Simulated Metamorphic Encryption Generator! 'Smoke me a kipper, I'll be back for breakfast.....' Unfortunately some of your data won't!!!!!" Then, Pathogen disables the keyboard and floppy drives, and it corrupts the first 256 cylinders of the hard drive.

According to the 1997 NCSA (National Computer Security Association) Virus Prevalence Survey, the computer virus problem could be virtually eliminated if just 30 percent of the world's PC users used a current, full-time antivirus protection program.

Q: I scan my hard disk for viruses before my weekly backup. After making a recent backup, I discovered that the virus definition file for my antivirus program was out of date and downloaded the update. I then discovered a boot sector virus on my hard disk. This means that the virus is now on my backup tape. If the virus had crashed my hard disk, would the presence of a virus make my backup tape worthless?
A: No, the presence of a virus wouldn't have made your backup tape worthless. If you had needed to, you could still restore important documents, databases, or spreadsheets--basically all of your valuable data--without restoring any infected programs. You could then reinstall your applications from the master disks. It's tedious work, but not as difficult as some people claim. In this instance, however, you should erase the tape with the virus on it and perform a new, full backup.

Reverting Norton AntiVirus to the Previous Month's Virus Definition Set
If you've installed a new set of virus definitions in Norton AntiVirus and then decide that you need to revert back to last month's virus definitions, you can do so easily. To begin, locate the definfo.dat file in the \Program Files\Common Files\Symantec Shared\VirusDefs folder and load it into NotePad. Then locate the [DefDates] section and change the CurDefs setting so that it is the same as the LastDefs setting. For example, if the [DefDates] section looks like this:

[DefDates]
CurDefs=19970902.003
LastDefs=19970902.002

You would alter it to look like this:

[DefDates]
CurDefs=19970902.002
LastDefs=19970902.002

An Immune System for Cyberspace
IBM Research is working on a new technology dubbed an "immune system for cyberspace." This involves an automated agent that extends across local area networks and the Internet to find and fix viruses before they do any harm. When a previously unknown virus is detected on a computer, the antivirus software will send the virus safely over the Internet to IBM. Once the virus arrives, it will be automatically analyzed and eliminated. That fix will then be sent back to eliminate the original infection and will be able to immunize computers all over the world.
For more information on this new technology, visit IBM's Antivirus Online Web site at http://www.av.ibm.com

16-bit Viruses
The majority of the boot sector and file infector viruses were designed to live and breed in the 16-bit DOS environment; so you won't encounter as many of these types of viruses today as you would have a few years ago. This might also explain why macro viruses are on the rise.

FindVirus Demo
Are you in the market for a new antivirus utility? As you know, there are many different programs to choose from, making the decision a tough one. Fortunately, several vendors have made available free demos that you can download and try for a limited period of time. One of these is Dr Solomon's Anti-Virus Toolkit. You can download a demo of one of the Toolkit's modules, called FindVirus, and use it for 60 days. The FindVirus demo allows you to easily detect and remove viruses, as well as configure automatic daily virus scans.

What is the CIAC?
Q: I've heard the acronym CIAC and viruses mentioned in the same sentence, and I'm curious. What exactly does CIAC stand for and what does this organization do? --Valerie Brown
A: CIAC stands for Computer Incident Advisory Capability. The CIAC is the computer security incident response branch of the United States Department of Energy and the emergency backup response team for the National Institutes of Health. The CIAC was established in 1989 to provide computer security services to employees and contractors of the Department of Energy. As a part of its job, the CIAC occasionally reports on viruses. CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. You can learn more about the CIAC by visiting its Web site at http://ciac.llnl.gov/

If you have any questions regarding viruses, or the newsletter, send them to the editor at virus-alert@optimator.win.net

As you may know, DOS, and subsequently Windows 95, follow specific rules when launching executable files. When you type a command name at a DOS prompt, the operating system first looks for a COM file, then an EXE file, and finally a BAT file. For example, if you have three files named TEST.COM, TEST.EXE, and TEST.BAT, the operating system only loads TEST.COM. Companion viruses take advantage of this fact to infect your system by creating COM files with the same name as legitimate EXE files. In this way, these viruses ensure they get executed. Once the virus is loaded into memory, it passes control over to the original EXE file. Companion viruses run in a Windows 95 DOS session, and some may even be effective under Windows 95.
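The COM, EXE, BAT search order just described can be checked mechanically. The Python below is an added example (editor-supplied, not from the newsletter) that models that resolution order for one directory and lists every .COM file that shadows a same-named .EXE; such pairs are not always malicious, but each one deserves a look. The directory listing used in the demo is constructed.

```python
"""Models DOS/Windows 95 command resolution (COM, then EXE, then BAT) and
flags .COM files that shadow a same-named .EXE, the arrangement a companion
virus relies on. Added example, not code from the newsletter."""
import os

# Order DOS tries when a command is typed without an extension.
SEARCH_ORDER = (".COM", ".EXE", ".BAT")


def resolve_command(command, entries):
    """Return the directory entry DOS would run for `command`, or None.

    `entries` is a list of file names as found in one directory; DOS names are
    case-insensitive, so everything is compared in upper case."""
    present = {name.upper() for name in entries}
    for ext in SEARCH_ORDER:
        candidate = command.upper() + ext
        if candidate in present:
            return candidate
    return None


def companion_candidates(entries):
    """Return sorted (com, exe) pairs where the .COM would run instead of the .EXE."""
    exts_by_stem = {}
    for name in entries:
        stem, ext = os.path.splitext(name.upper())
        exts_by_stem.setdefault(stem, set()).add(ext)
    return sorted(
        (stem + ".COM", stem + ".EXE")
        for stem, exts in exts_by_stem.items()
        if {".COM", ".EXE"} <= exts
    )


def scan_directory(path):
    """Run the companion check against a real directory on disk."""
    return companion_candidates(os.listdir(path))


# Constructed listing for the demo; TEST.* mirrors the newsletter's example.
SAMPLE_LISTING = ["TEST.COM", "TEST.EXE", "TEST.BAT", "EDIT.EXE", "run.bat", "readme.txt"]

if __name__ == "__main__":
    for cmd in ("test", "edit", "run", "readme"):
        print(cmd, "->", resolve_command(cmd, SAMPLE_LISTING))
    print("companion candidates:", companion_candidates(SAMPLE_LISTING))
```

The model covers a single directory; DOS actually searches the current directory and then each PATH entry in turn, applying the same extension order at each step, so a full check would walk every directory on the PATH.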
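The definfo.dat edit described under "Reverting Norton AntiVirus to the Previous Month's Virus Definition Set" earlier in this section can be scripted so that the only value that changes is CurDefs. The Python below is an added example, not Symantec's code; it assumes the [DefDates] layout shown in that tip, rewrites CurDefs to match LastDefs while leaving every other line and the file's line endings untouched, and keeps a .bak copy when run against a real file. The sample text is the one from the tip.

```python
"""Revert Norton AntiVirus to the previous definition set by setting
CurDefs equal to LastDefs in the [DefDates] section of definfo.dat.
Added example for the newsletter tip above, not Symantec's code."""
import tempfile
from pathlib import Path

# Sample taken from the newsletter tip.
SAMPLE_DEFINFO = "[DefDates]\nCurDefs=19970902.003\nLastDefs=19970902.002\n"


def revert_defdates(text: str) -> str:
    """Return `text` with [DefDates] CurDefs rewritten to the LastDefs value.

    Works line by line so every other byte, including CRLF endings, survives."""
    lines = text.splitlines(keepends=True)
    section = None
    cur_idx = None
    last_value = None
    for i, line in enumerate(lines):
        body = line.strip()
        if body.startswith("[") and body.endswith("]"):
            section = body[1:-1]
            continue
        if section != "DefDates" or "=" not in body:
            continue
        key, _, value = body.partition("=")
        key = key.strip()
        if key == "CurDefs":
            cur_idx = i
        elif key == "LastDefs":
            last_value = value.strip()
    if cur_idx is None or last_value is None:
        raise ValueError("no [DefDates] section with both CurDefs and LastDefs")
    old = lines[cur_idx]
    eol = "\r\n" if old.endswith("\r\n") else ("\n" if old.endswith("\n") else "")
    lines[cur_idx] = f"CurDefs={last_value}{eol}"
    return "".join(lines)


def revert_file(path, backup: bool = True) -> str:
    """Rewrite definfo.dat in place, keeping a .bak copy first; return new text.
    Assumes the file is single-byte text, which latin-1 round-trips losslessly."""
    p = Path(path)
    original = p.read_text(encoding="latin-1")
    updated = revert_defdates(original)
    if backup:
        p.with_suffix(".bak").write_text(original, encoding="latin-1")
    p.write_text(updated, encoding="latin-1")
    return updated


def demo_file() -> dict:
    """Constructed run against a temporary copy of the sample file."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "definfo.dat"
        target.write_text(SAMPLE_DEFINFO, encoding="latin-1")
        updated = revert_file(target)
        backup = (Path(tmp) / "definfo.bak").read_text(encoding="latin-1")
        return {"updated": updated, "backup": backup}


if __name__ == "__main__":
    print(revert_defdates(SAMPLE_DEFINFO))
```

Close Norton AntiVirus before running this against the live file, and confirm that the LastDefs set is still present in the VirusDefs folder; the script only changes which set the product points at, it does not restore missing definition files.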

Microsoft virus blooper
In October 1996, Microsoft shipped 14,000 Solution Provider CDs infected with the Wazzu Word macro virus to software developers and trainers worldwide. The Wazzu virus was found residing in one of the 122 Word documents on the CD.

Reinfection Potential
If a virus has attacked your system, your risk of reinfection is very high. Here's why: Viruses are capable of hiding anywhere and everywhere. Any floppy disk you inserted into your drive while the virus was present is suspect. Therefore, simply scanning and cleaning your hard disk is not adequate insurance against reinfection; you also need to scan and clean all the floppy disks you use on a regular basis. If you don't know how many floppies you inserted into the drive, scan them all. Furthermore, if you use floppy disks to transfer data from work to home or share data with friends, be sure that you run antivirus software on all systems that could have potentially come in contact with an infected floppy disk.

BootProtect
As you may know, boot sector viruses infect your system when you boot from a floppy disk in drive A. If you're like most computer users, you rarely do this on purpose. Usually, you've accidentally left a disk in the drive. If you're worried about encountering a boot sector virus in this manner, then you'll want to investigate BootProtect from Erimarsoft. This tool prevents boot sector viruses from invading your system by checking your floppy disk drive each time you shut down or reboot, and warning you if a disk is in the drive. You can also customize BootProtect to monitor the CD-ROM drive as well and, if it finds a disk in the drive, automatically open the CD-ROM drive's door. To try out the software, go to http://www.pcworld.com/software_lib/data/articles/anti-virus/5118.html

Question of the Week: How many virus types are there?
Q: I've heard about so many viruses since I've subscribed to your service, and have read about boot sector and macro viruses. Recently, a friend told me that there are other types of viruses out there in the wild. How many different types are there? --Beth Watkins
A: The majority of viruses fall into four main categories: boot sector, file-infecting, multipartite, and macro viruses. A boot sector virus infects the boot sector on a floppy disk and can eventually spread to the master boot record on a hard disk if an infected floppy disk is used to boot the system. Once the master boot record is infected, the virus attempts to infect the boot sector of every floppy disk that is inserted into the floppy disk drive and accessed. File-infecting viruses operate in memory, and target executable files that have the following extensions: COM, EXE, DRV, DLL, BIN, OVL, and SYS. Each time an infected file is run, the virus spreads to another executable file. Multipartite viruses have characteristics of both boot sector viruses and file-infecting viruses. Macro viruses are application specific and infect documents created with applications that use macro utilities, such as Microsoft Word and Excel. Unlike other types of viruses, macro viruses aren't specific to an operating system and can spread with ease via e-mail attachments, floppy disks, Web downloads, file transfers, and cooperative applications.

If you have any questions regarding viruses or the newsletter, send them to the editor at virus-alert@optimator.win.net

ARE PICTURE FILES A VIRUS HAZARD OR NOT?
A reader asks: "Can I get a virus from downloading a JPG, GIF, or TIF file from a newsgroup or anyone else? You've mentioned EXE files and MS Word macros as potential virus threats, but I worry that something that seems innocuous, like a picture file, might contain a virus as well." GIF, JPG, and similar image files contain data to indicate intensity and color of images. Image files don't execute, but a viewer program (often part of a Web browser application) reads their data and converts them to what you see. If someone planted a virus program in such an image file, the viewer might halt or display a garbled picture, but the virus itself would not be able to do anything. If viruses could spread via image files, virus writers would have done so, and looking at the images on Web pages would no longer be safe.

ARE WINDOWS HELP FILES SAFE? NOT ANYMORE
A couple of years ago, I received a Trojanized HLP file and didn't think much of it. But in December, the Babylonia virus (also in some respects a worm) was posted to an Internet newsgroup as a Windows HLP file (named serialz.hlp then, but it could have any HLP file name by now). When opened, it alters EXE and HLP files, sometimes corrupting them. That ordinarily would limit its spread, but it also creates a file (kernel32.exe) that attempts to connect to a virus writers' Web site in Japan in order to download the rest of its code. Besides spreading via the sharing of infected EXE and HLP files, Babylonia can spread to other users through mIRC chat by sending its EXE and INI files to all those connected to the channel, or it can spread as a file attached to outgoing e-mail messages.

CAN A SCANNER KEEP UP WITH NEW VIRUSES?
In a previous tip on the subject above, I wrote that depending on an up-to-date scanner is becoming less important, and keeping current backups is becoming more important.
A reader replied: "I was expecting you to finish that last paragraph with a recommendation to update virus definitions every week or even more frequently. Why do you feel it's more important to back up than to step up infection prevention measures?" I've been recommending that people use antivirus protection since 1991, but the events of 1999 have made me rethink things. A backup will protect data from ALL hazards--including a virus written yesterday, which you can't necessarily expect a scanner to recognize. Nevertheless, I still recommend use of antivirus software--but I also recommend that users rely more on backups than on scanners. Some people buy antivirus software, install it, then update it infrequently, if at all. I'm trying to get those readers to change their way of thinking, because virus writers in 1999 finally learned how to combine the Internet, e-mail, and malware into a serious threat.

DEFENDING AGAINST WORD MACRO VIRUSES
A reader suggests: "Is it worth mentioning that if you hold down the shift key while you open the Word document, it will open without using macros, thus making it safe to open e-mail messages with Word attachments?" I'm sure many people do that, but I'm never sure when to use a term like "safe," because virus writers keep coming up with new tricks, and can easily do things like turn Word's macro virus protection option off, disable menus that let users view macros, and the like. One suggestion I'd make is that concerned readers visit Microsoft's very own Anti-Virus Resources for Microsoft Office page at http://officeupdate.microsoft.com/Focus/Articles/virusres.htm

ELFBOWL AND FROGAPULT.EXE--ANOTHER HOAX
Last month, two downloadable games became very popular, and the virus hoax authors got busy, spreading false stories that the programs were infected with a "Christmas Day" virus.
This version was the common one:

To all If you have received any of these games frogapult.exe (frog game) & elfbowl.exe (elfbowling game) please can you delete them completely out of your system as they both have a delayed virus attached to them that will be activated on christmas day and will wipe out your system. Let everyone know of this.

Like other virus hoax messages, this one has certain characteristics common to such hoaxes, regardless of what they are named: First, it's written in a frantic style, claiming that some new virus will "destroy everything" (some viruses can, but most cannot). Second, it urgently requests that you pass the warning on to everybody else on the planet (which is how you got it). Though it's not true of this hoax, most others also include a third element: a claim that IBM, AOL, Microsoft, Compaq, the government, or some other agency has announced the virus (they do not make such announcements). For more information on virus-related hoaxes, go to http://www.kumite.com/myths

FEATURE-RICH APPLICATIONS AND VIRUSES
In a previous tip on the subject above, a reader asked: "Adobe Illustrator 8 now has the ability to automate tasks. As of yet I have not found any holes in its system, but I am only one person. What do you think the possibility is that we will see viruses attached to Illustrator files in the near or distant future?" Other readers have asked this, and one offers some reassuring words: "The automation in Adobe Illustrator 8 does not autoexecute nor does it contain any actual scripts. 'Actions,' as they are called, are not attached to Illustrator files; they have to be loaded manually. The only 'danger' I could foresee is downloading an Action List from a dubious source on the Internet, but I doubt it could contain anything damaging to the operating system or even Illustrator, for that matter. The Actions only execute operations available within Adobe Illustrator itself."
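The three hoax characteristics listed under "ELFBOWL AND FROGAPULT.EXE--ANOTHER HOAX" above can be turned into a simple screening check for forwarded warnings. The Python below is an added example (editor-supplied, not from the newsletter) that scores a message for a frantic destruction claim, a demand to pass it on, and an appeal to a named authority; the phrase lists and the two-trait threshold are assumptions, the hoax text is the one quoted in that tip, and the other two messages are constructed.

```python
"""Screens a forwarded 'virus warning' for the three hoax traits the newsletter
describes. Added example; phrase lists and threshold are assumptions."""
import re

# One pattern per hoax trait. The authority names are the ones the tip lists.
TRAIT_PATTERNS = {
    "frantic destruction claim": re.compile(
        r"\b(wipe out|destroy(s|ed)?( everything)?|erase[sd]? (your|the|her) (entire )?hard ?(drive|disk))\b",
        re.IGNORECASE),
    "urges you to pass it on": re.compile(
        r"\b(let everyone know|pass (this|it) (on|along)|forward (this|it)( to)?|send (this|it) to (everyone|everybody|all))\b",
        re.IGNORECASE),
    "appeals to a named authority": re.compile(
        r"\b(IBM|AOL|Microsoft|Compaq|the government)\b[^.]*\b(announc\w*|warn\w*|confirm\w*|report\w*)\b",
        re.IGNORECASE),
}


def score_warning(text: str) -> dict:
    """Return which traits matched and whether the message reads like a hoax.

    Two or more traits is taken as 'likely hoax'; the threshold is an assumption."""
    traits = [name for name, pattern in TRAIT_PATTERNS.items() if pattern.search(text)]
    return {"traits": traits, "likely_hoax": len(traits) >= 2}


# The hoax text quoted in the tip above.
HOAX_SAMPLE = (
    "To all If you have received any of these games frogapult.exe (frog game) & "
    "elfbowl.exe (elfbowling game) please can you delete them completely out of your "
    "system as they both have a delayed virus attached to them that will be activated "
    "on christmas day and will wipe out your system. Let everyone know of this."
)
# Constructed messages: a benign vendor-style notice and a hoax with all three traits.
BENIGN_SAMPLE = (
    "Our scanner found no virus in elfbowl.exe. Update your definitions through the "
    "usual channel; no action is needed on other systems."
)
FULL_HOAX_SAMPLE = (
    "Microsoft announced today that a new virus destroys everything on your PC; "
    "forward this to all your friends right now!"
)

if __name__ == "__main__":
    for label, msg in (("hoax", HOAX_SAMPLE), ("benign", BENIGN_SAMPLE), ("full", FULL_HOAX_SAMPLE)):
        print(label, score_warning(msg))
```

A match is a prompt to check a reputable hoax list before forwarding, not a verdict; genuine advisories occasionally use strong language too, which is why the check reports the traits it found rather than only a yes or no.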
FILES FROM FRIENDS, FAMILY, AND COWORKERS
In a previous tip on the subject above, I wrote: "Deleting every executable file attachment will protect your data, and doing anything else will expose your data to an unnecessary risk." Many readers expressed opposing views; here's one: "So in other words, let's all just throw our computers out the door because we shouldn't use them in case we might get a virus." My comments should not be interpreted as indicating the end of the world is around the corner: All I tried to point out is that opening or running certain files carries a risk. That's a factual statement, thanks to those who are out to cause other people trouble. I'm not telling anyone what to do--just reminding users, especially new ones, to consider the risk involved. I do that because many people don't consider the risk at all and click everything. I hear from them on occasion, and the first word they write is HELP!
HEURISTIC SCANNERS AND FALSE POSITIVES
A reader asks: "Could you say something sometime about false positives? The heuristic scanning of my antivirus software was interpreting some macros from a Microsoft Office add-on as infected. Subsequent checking of the macros proved that this was not the case." Heuristic scanning disassembles the instructions in a file and looks for operations a virus would need but ordinary programs rarely use, such as code that opens other executable files and writes to them. It's a complex and imperfect process, because the scanner has to weigh what it finds before sounding an alarm: one finding may look like a clear danger, or there may be only one or two mildly suspicious things, and the macros of a legitimate add-on can easily land on the wrong side of that line. When the alarm goes off, the user must decide whether there is anything to worry about. If it turns out to be a false positive, send a copy of the file to the company involved so it can tune its heuristics or add the file to its known-clean list.
NEWAPT: YET ANOTHER WORM SPREAD BY E-MAIL
Despite the news reports of a virus "deluge," 1999 fortunately did not bring a wave of viruses and other malware becoming widespread and causing enormous damage. Only a relative handful of such creations actually caused problems by the end of the year. Sloppy programming on the part of virus writers is one reason for that. NewApt, a recently discovered Windows 95/98 worm, illustrates another reason some viruses don't get very far. It can send itself via Outlook Express mail as a message from users who have the worm active on their system. Along with that capability, it can select any one of two dozen names for its file attachment, and that might trap the unwary. However, in one form, its HTML-style message looks like an ad for a Web site--complete with a legitimate URL, but with the attached file offered as an animation from the "funny programs and animations" on the site. Although that might tempt some to click on the EXE file, the names are mostly silly, like farting.exe. For those like myself who do not receive e-mail in HTML form, it delivers an insulting message instead.
SAVING TO A: DRIVE FIRST--A GOOD SUGGESTION
A reader writes: "Your comments on running two antivirus programs are well thought out. As a programmer, I agree with your logic, and I keep secure copies of the actual programs on CD or disk, and save all my user-related and user-made data files on scanned disks. It is just a little preventive maintenance; when saving files I have it set up to go to my A: drive first, then I resave the same file on the hard drive. That doesn't consume much time, and it saves me a lot of headaches later." I like your idea of saving to the A: drive first, because that will make it impossible to forget, and that's important. One caveat: a file saved from a system that is already infected carries the infection to the floppy too, so the habit protects you against losing data, not against spreading a virus, which is why the reader's scanning of those disks matters. It used to take weeks for a virus to spread far enough to pose a threat, allowing for scanner updates and warnings that provided a measure of safety.
But 1999 changed all that: Now it's possible for a virus writer to get a virus, Trojan, or worm from his computer to yours the same day--received not from a stranger, but from people you know and trust.
TROJAN HORSE PROGRAMS VERSUS SCANNERS
A system engineer for a major antivirus software producer writes: "I somewhat disagree with your comment, 'The most effective defense against destructive Trojans is consistent and frequent backup--not a virus scanner.'" He continues, "To most AV companies, Trojans receive the same attention as viruses. Backups are good, but that is being reactive. It's like waiting for heart disease thinking, no worries, I have a backup on ice. Trojans can be scanned for in much the same way viruses are scanned. We can also scan using heuristics. Protection against ALL Trojans? No. But those known to exist in the wild? YES. Protect yourself, get a virus scanner. You can also limit the destructiveness of Trojans in terms of the initial damage and tracking the source by making creative changes to your security policy." Since my original comment might mislead some, in fairness to those in the industry who work hard to protect the rest of us, I should have stated that a good scanner can detect many Trojans, with a backup adding protection against any the scanner might miss.
UPDATING ANTIVIRUS SCANNERS SHOULD BE EASY
A reader comments, "It would be great if you could get your updates in a timely fashion and not corrupt anything, as has been my experience with one company. I'm not a system administrator of a large company with several certificates, but I'm not a computer novice, either. I don't need to do things manually in DOS. I have enough to do already and I don't need the hassle. I don't want to worry that my system has up-to-date antivirus protection. That is what they get paid for."
My experience has been that all the major companies have engineered their products to protect their customers adequately, and perhaps some need to pay more attention to your concern. In any event, there's only so much one can expect from a scanner. Besides keeping the software updated, it's still up to the user to employ common sense, to be very selective about running new programs or opening files sent to them, and above all, to keep backup copies of at least the important files they create.
UPGRADING SOFTWARE AND FALSE POSITIVES
An antivirus program left running can interfere with the process of installing or upgrading other software. For this reason, one reader suggests that you "scan all files on new software disks before installing, then disable the antivirus software during the installation, and reenable it before rebooting for completion of the installation. Finally, scan all files after installation." One point I'd add is that some users would then get a warning from the scanner when it notices changed executable files: a scanner that keeps a checksum of each program (integrity checking) will flag every file the upgrade replaced. Unfortunately, some users panic when told a file MIGHT be infected, even though in reality the file is not infected, merely changed by the upgrade. That is one more reason the reader's final step matters: a clean scan of the new files is what lets you accept the new checksums with confidence.
WHAT ABOUT VIRUS ALERT AND THE NEWEST VIRUSES?
A reader wrote: "There have been at least five other worms reported since the one you wrote about today. This particular one was found in early December. Can't you be more prompt with your findings? That's not to say you don't do a good job. I enjoy Virus Alert, and I respect your mission and intent. But truthfully, in this progressive world, one needs to be ahead of the game when it comes to viruses. And there hasn't been one single virus I have seen mentioned in your Tips that I didn't know about already." I replied to this reader that the worm in January's Tip was reported in December, but I wrote the Tip soon after the initial reports.
There's a built-in delay in the information here, because I submit Tips in advance of publication. Those who need immediate information can get that from antivirus vendors' Web sites. These companies earn many millions of dollars, and employ hundreds of researchers. I can't compete with that, but I do the best I can with my limited resources. The writer is not the only person who expects more than I can provide, and I understand those feelings. However, my objective here is not to compete with information provided by others, but to keep readers informed enough to take precautions. It's also important to note that many alerts and frantic press releases about the latest viruses are written by marketing people, not researchers, and can be read with amusement a year later, because the viruses that initially inspired such fear never got very far.
WHAT IS AN EXECUTABLE FILE?
A reader asks: "I've been under the impression that any attachment represents a potential danger. In one of your recent items, however, you implied that only 'executable' attachments are problems. This is a new term to me. What's an 'executable' attachment, and how do you identify it?" My definition of an executable file is one the operating system will recognize as carrying instructions to perform, and then proceed to carry out those instructions without further intervention. DOS, which preceded (and today is incorporated into) Windows, reserves certain file types for that purpose--BAT, COM, and EXE--and those are of the most concern: simply clicking such a file will cause it to run. Other types of files can host a virus because the program that opens them runs code they carry, most notably DOC and DOT files, whose Word macros run when the document is opened. Still other types, such as graphics files (JPG and GIF) and pure text files, carry no instructions that anything will execute, so they cannot carry a working virus; the only risk with those is a flaw in the program that displays them, which is a different problem from the one this tip is about.
WINDOWS 95/98 VIRUSES AND DOS ANTIVIRUS PROGRAMS
In a previous tip on this subject, I wrote: "While it's possible to scan and remove Windows 95/98 viruses with a DOS antivirus program, it is important to remember that one should not do so by running the DOS program in a DOS box or shell (which you start by clicking MS-DOS from the Windows Start menu)." One reader pointed out, "To be really secure, if you're booting to DOS to do a virus scan, you should really be booting from a floppy." Although I was addressing one specific issue--that of booting to DOS versus running DOS in a Windows session--I should have also mentioned that the preferred procedure when a virus is suspected is to power down the system and reboot from a write-protected floppy disk you know is uninfected.
DO ANTIVIRUS PROGRAMS REMOVE VIRUSES COMPLETELY?
A reader wrote: "If a virus slips by and gets on your computer, can it be completely removed with your virus software? Someone told me that the virus software can detect and remove the infected files, but the virus is still in your BIOS. Is this true?" Recovery from a virus often depends on what a virus did. If a virus overwrites (corrupts) files, the only remedy is to delete them, then restore them from original installation disks or backups. Another factor involved in file restoration is how good the antivirus software is. While most software can reverse changes made by the virus, if the scanner misidentifies one variant of a virus as another, it can destroy a file by restoring it incorrectly. Finally, some software removes only enough of a virus to disable it, and virus code left behind can be detected by a different scanner, which will sound a false alarm, as if the virus was still intact and functional. One last point: Viruses live in memory and on disk. They do not hide in, or spread from, a computer's BIOS or CMOS. A virus such as CIH can overwrite the flash BIOS, but that is damage, not a hiding place, and no scanner has to "clean" the BIOS afterward.
THE LATEST VIRUS VANDAL TARGET: VISIO
Visio is a well-established graphic drawing application, useful for making diagrams, particularly organizational charts and flowcharts. It's been around for close to ten years, and has grown more popular and powerful. Like many applications that offer enhanced features (Word and Excel come to mind), its new version 5.0 includes a macro language, and that offered virus writers a challenge. Indeed, someone has succeeded in creating a virus that can spread among users of Visio, but despite alarmist press releases from some sources, the threat isn't real--yet. (The virus writer sent a copy of the virus to some antivirus firms, but the virus has not been reported "in the wild.") It's too early to tell what will follow, but it doesn't seem likely that such viruses for Visio will get very far, because the user base for Visio is much smaller than Word's (for example), and Visio users are less likely to share diagram files with others.
CAN SOMEONE STEAL YOUR PASSWORD WITH A TROJAN?
A reader wrote: "I came home and tried logging onto the computer. I couldn't. After trying several times and continuously receiving the message 'Incorrect password,' I decided to call my ISP. They told me I had been kicked off the system as that day I had sent 500 pieces of pornographic e-mail in a 15-minute period to people all over. I tried telling them I didn't do it but they wouldn't even listen to me. They told me my account had been terminated and I could reapply in 6 months (something I will never do). No one lives with me or has access to my account, ID, or password, yet mail was sent using it. I think something should be done to computer hackers instead of the innocent person having to pay." Yes, there is a way to stop hackers. Don't run or open file attachments sent to you. From what you have written, it appears that at some point you did so, and that file attachment was a password-stealing Trojan, which sent your password out.
Using your password and your ISP's software, the hacker was able to log in as you and do whatever he or she wished with your account. One more point: a stolen password stays stolen after the Trojan is gone, so once the PC has been cleaned, change the password, and change it on any other account where you used the same one.
OLD PC/DOS VIRUSES AND NEW WINDOWS SYSTEMS--PART 1 OF 3
Can older PC/DOS viruses function in a Windows 95/98 environment? It's unusual to hear of such cases, but it does happen. That's because, in order to run older DOS and Windows programs, Windows 95/98 functions in some ways like Windows 3.1 does under DOS. This makes Windows 95/98 backward-compatible for those who use older programs, but also allows viruses written for older (DOS) systems to run. At the beginning of the start-up process, Windows starts in what's called "real mode," to allow programs and drivers from config.sys and autoexec.bat to load. During this period the machine is effectively running DOS, and if a DOS file-infecting virus has attached itself to one of those programs or drivers, the virus loads too and stays resident. Once the Windows 95/98 graphic interface loads and the start-up process is completed, Windows manages the file system with its own device drivers and 32-bit programs to protect the integrity of the file system. This control blocks DOS programs--and DOS viruses--from writing directly to the hard disk behind the file system's back, which is how a boot-sector infector works (it does not block writes to floppy disks). Ordinary file writes still go through, which is why file infectors are a separate question, taken up in Part 2.
OLD PC/DOS VIRUSES AND NEW WINDOWS SYSTEMS--PART 2 OF 3
Although Windows 95/98 protects (controls access to) the integrity of the file system, it offers no such protection for the files a DOS program opens when a Windows user runs it in a DOS window (also called a "DOS box"). That's a necessary evil, because such protection would interfere with an older DOS program. Since there is no Windows file protection in a DOS session, a DOS virus can not only run, but spread to other files. In addition, if more than one DOS box is in use, all of them start with the same programs (and viruses, if any) loaded, so a virus can be active in multiple DOS sessions at once.
Finally, a DOS box retains all programs in memory that ran during the Windows start-up, and that could include a DOS virus. Even the long file names Windows uses do not provide immunity to older viruses. That's because Windows 95/98 stores two copies of file names: one that only Windows 95/98 can read, and one that DOS can read. DOS programs (and DOS viruses) won't recognize the Windows-readable file name (DOS sees it as a volume-label entry and ignores it), but they will recognize the DOS-readable (8.3) file name.
OLD PC/DOS VIRUSES AND NEW WINDOWS SYSTEMS--PART 3 OF 3
Old DOS boot or MBR (master boot record) viruses can also affect new systems. If the user boots with a floppy disk that a boot or MBR virus has infected, the virus runs before Windows 95/98 loads, and it can infect the hard disk. Once a boot/MBR virus has infected the hard disk, it loads each time the PC boots, again before Windows 95/98 loads. Because these viruses run before any operating system, they can infect the MBR of a PC running OS/2 or Windows NT just as easily, even though they cannot stay active once those systems' own disk drivers take over. One final note: If your CD drive fails to work, a boot/MBR virus is one possible cause. An older (16-bit) boot/MBR virus changes the MBR and stays resident in the disk I/O path; when Windows 95/98 finds that at start-up, it drops the disk into MS-DOS compatibility (16-bit) mode, which stops 32-bit drivers, such as CD drivers, from working. Important: This does not mean you should immediately conclude your PC is infected with a virus when your CD drive isn't working.
WHEN A HOAX CAN BECOME THE REAL THING
A reader wrote: "In a previous tip, you wrote about Elfbowl and Frogapult, describing the fact that these programs were victimized by erroneous virus reports. Late last month I was watching a computer segment on the television news that described how the host received a copy of Elfbowl from a friend that the friend had added a virus to. That got me to thinking, isn't there a danger that once a virus is reported as a hoax, a virus could be added?
The perfect opportunity for someone to do damage would be once everyone had let their guard down." It appears that you are correct--someone can play copycat, even with what started out as a hoax. As a matter of fact, I recently heard from an IS manager in a very large corporation that a Trojan related to the hoax was actually circulated in Australia, late in December. Here's what he wrote: "The second-wave December version of frogapult did play the game if started through My Computer in Windows, so I can only assume it was a wrapper around the original. It also installed itself into the start-up menu (when started through the start-up menu, it didn't play the game!). On December 24, the boot sector was erased, plus, as we found out, it was using TCP/IP for some unknown purpose."
FILES FROM FRIENDS, FAMILY, AND COWORKERS
Several other readers wrote in response to the previous tip of this title--with some interesting solutions for e-mailing files to people or for taking action when you receive e-mailed files from others. Here are some interesting excerpts from their messages:
"If you want to e-mail attached files to friends and work colleagues, use a predetermined code word or phrase in the subject to alert the recipient that it's from you."
"When I teach e-mail classes, I always advise people to send one e-mail advising that a second message is coming with an attachment, and also list the size of the attachment. That way, the recipient knows an attachment is on the way and knows exactly what the attachment is."
"I propose that the next time they get an executable attachment from a friend or relative, they ask where the SENDER got the file from. I'm appalled at how many people will forward a file BEFORE they even open it up to see what it does or scan it for problems. Just because it comes from a person you trust doesn't mean it initiated with a person you trust."
"It has gotten to the point lately that if I receive an attachment--even from somebody I know--I e-mail that person back asking them if he or she sent me that file. I do not open it or even scan it until I get a response back from the person who sent it."
HAPPY99.EXE IS STILL IN CIRCULATION
I wrote about Happy99.exe months ago, and I'm surprised that I (and other people) still receive e-mails with it attached, as did this reader, who wrote: "I had a personal experience with the Happy99.exe virus (worm), which attaches itself to your outgoing e-mail once you have opened it. I received it from a company I had sent an inquiry to for some information on saws. They did not know they had it; I did not know what it was when I got it. Oh, a fireworks display, how nice to see! Then it started going out with all my e-mails to everyone else. I had to call for technical help on how to rename files it had altered. Since the first time, I have received it three more times, all from different sources, but never again did I open it." If Happy99.exe has modified your system, an up-to-date antivirus program can get rid of it. Those who like to tinker can even do it manually. Here's how. Go to Start, Shut Down. Select Restart In MS-DOS Mode; Windows then isn't holding wsock32.dll open, so the following steps can be taken safely:
1. Confirm that wsock32.ska is present in the Windows\System folder/directory. It is the worm's backup copy of your original wsock32.dll, and without it the next step would leave you with no working Winsock at all; in that case, let your antivirus program do the cleanup, or reinstall Winsock from a known-clean source.
2. Delete the files ska.exe, ska.dll, liste.ska, and wsock32.dll from the Windows\System folder/directory.
3. Rename the file wsock32.ska to wsock32.dll and reboot.
4. Be sure to delete the source of the problem, Happy99.exe.
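The manual cleanup above, written out as a script (an added illustration, not the column's own procedure or anything from the worm). It runs the same steps in a safe order and adds the one check the tip leaves implicit: wsock32.dll is only removed when wsock32.ska, the worm's backup of the original, is actually there to take its place. On a real Windows 98 box the steps are done by hand in MS-DOS mode because Windows holds wsock32.dll open; this script is for seeing the logic, and the infected directory it works on is constructed by make_sample_system_dir():

```python
import os
import tempfile

WORM_FILES = ("ska.exe", "ska.dll", "liste.ska")  # names from the tip
BACKUP = "wsock32.ska"   # the worm's copy of the original wsock32.dll
WINSOCK = "wsock32.dll"  # after infection, this is the worm's replacement


def happy99_indicators(system_dir):
    """Names of worm-related files present in system_dir (empty if clean)."""
    return [n for n in WORM_FILES + (BACKUP,)
            if os.path.exists(os.path.join(system_dir, n))]


def winsock_present(system_dir):
    return os.path.exists(os.path.join(system_dir, WINSOCK))


def clean_happy99(system_dir, dry_run=True):
    """Apply the tip's removal steps in a safe order.

    Returns {'infected': bool, 'backup_present': bool, 'actions': [str]}.
    With dry_run=True nothing is touched; the action list says what would
    happen.  wsock32.dll is only deleted when wsock32.ska is there to take
    its place, so the machine is never left without a Winsock library.
    """
    found = happy99_indicators(system_dir)
    backup = os.path.join(system_dir, BACKUP)
    winsock = os.path.join(system_dir, WINSOCK)
    result = {"infected": bool(found),
              "backup_present": os.path.exists(backup),
              "actions": []}
    if not found:
        result["actions"].append("no Happy99 indicators found")
        return result

    # Remove the worm's own files.
    for name in WORM_FILES:
        path = os.path.join(system_dir, name)
        if os.path.exists(path):
            result["actions"].append("delete " + name)
            if not dry_run:
                os.remove(path)

    # Put the original Winsock back, but only if the backup exists.
    if result["backup_present"]:
        result["actions"].append("replace %s with %s" % (WINSOCK, BACKUP))
        if not dry_run:
            if os.path.exists(winsock):
                os.remove(winsock)
            os.rename(backup, winsock)
    else:
        result["actions"].append(
            "%s missing: leave %s alone and reinstall Winsock from a "
            "known-clean source" % (BACKUP, WINSOCK))
    return result


def make_sample_system_dir(with_backup=True):
    """Constructed stand-in for an infected Windows\\System directory."""
    d = tempfile.mkdtemp(prefix="happy99_")
    for name in WORM_FILES:
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"worm file: " + name.encode())
    with open(os.path.join(d, WINSOCK), "wb") as f:
        f.write(b"worm's replacement wsock32.dll")
    if with_backup:
        with open(os.path.join(d, BACKUP), "wb") as f:
            f.write(b"original wsock32.dll")
    return d


if __name__ == "__main__":
    sample = make_sample_system_dir()
    print("dry run:", clean_happy99(sample, dry_run=True))
    print("cleanup:", clean_happy99(sample, dry_run=False))
    print("indicators left:", happy99_indicators(sample))
```

The dry run is the part worth keeping even when the rest is done by hand: it lists what the cleanup would touch before anything is deleted, and it refuses the Winsock swap when the backup is not there.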
HOW DO ANTIVIRUS COMPANIES GET VIRUS SAMPLES?
A reader wrote: "An antivirus company recently reported it had discovered a Windows 2000 virus. How do antivirus companies find viruses? They can get them from users. But where do they download these things? If company A discovers a new virus while it is not available in the wild, how can other antivirus companies get this virus? Company A probably doesn't send the new virus to B, C, and so on, so where do these companies find these new viruses?" Others have asked before how a firm can obtain hundreds of new viruses every month that are not available in the wild (before users first get infected). I can't say whether some antivirus company researchers visit virus writers' Web sites to obtain samples of new viruses, but that's a possibility, I suppose. There are other possibilities. One is that someone outside a company will obtain new viruses from underground sites and send them to antivirus vendors. I know that's true, because I did that some years back, and know others who have done so as well. And I can say that some virus writers, out of boastfulness, make their viruses available to some antivirus companies, as did the creep who sent his Visio virus. One point to remember is that the antivirus business is very competitive. One company boasts that its scanner can detect 50,000 viruses, and this pressures other companies into reporting similar totals, however meaningless such numbers are. Nevertheless, despite their marketing competitiveness, there is cooperation among some researchers, and trusted individuals exchange new viruses even though they work for rival firms.
IS IT SAFER TO OPEN E-MAIL FILE ATTACHMENTS OFFLINE?
A reader writes: "When I get an attachment from a friend, do you mean that the safest thing is to save it to the desktop, then go offline to open it--thus I will not get a virus? Or do you mean I should save it, scan it with my virus program, and then open it?" This reader and others have misunderstood a previous writer's note that "I found out that they had opened it up offline, so nothing was sent out." In fact, this meant that they DID infect their systems with PrettyPark, but since they were offline, the virus or worm did not instantly e-mail itself to infect other people. So (as you wrote above) saving "it to the desktop and then going offline to open it" does NOT mean that you will not get a virus. Whether you are online or offline is irrelevant; if you open and/or run an infected file, you WILL infect your system. Here's a summary of three safety levels for dealing with plain-text e-mail messages that carry an attachment:
- Read the message, do not open and/or run the attachment. That's 100 percent safe.
- Read the message, then open and/or run the attachment. That's not safe at all.
- Read the message, scan the attachment, then open and/or run it. This procedure offers questionable safety, depending on how good the scanner is and how recently you've updated it (but remember, no scanner can detect everything).
The "plain-text" qualifier matters: an HTML message can carry script, and some mail programs run that as soon as the message is displayed, which is a separate problem from attachments.
IS THE RISK OF TROJANS LESS THAN THAT OF VIRUSES?
A reader wrote: "The risk of being bitten by a Trojan horse is extremely low if you are running an up-to-date scanner. The only real risk of Trojans (and viruses and worms) is if you are on the leading edge of the spread, before the antivirus companies develop the patch. This is a serious problem for worms, but I've yet to see this become an issue for Trojans. Finally, your last comment implies that there are Trojans in the wild that antivirus scanners cannot detect. You need to convince me this is true." The risk is low because of scanners, but also because Trojans do not self-replicate. On the contrary, they often do the opposite by self-destructing. Often, destructive Trojans are set to wipe all files from a disk (including themselves) immediately. This would preclude them from spreading further, at least from that victim. As for whether there are Trojans in the wild that scanners cannot detect--that's a fact. After all, antivirus firms get some of their samples from victims in the wild, who get them first and submit them--only after that does the scanner get updated.
IT ISN'T NECESSARY TO SCAN A HARD DISK OVER AND OVER
By default, scanners ordinarily check the files that viruses most commonly infect. Thus they scan some files, according to their extensions, and skip others. Most scanners also allow the user to change the default, to scan some file extensions but not others, or even all files, regardless of extension. I'd recommend using a current, up-to-date scanner to scan all files on the hard disk, once only. Then make a complete backup of all files on the hard disk. After that, you don't need to scan the hard disk's files again, as long as two assumptions hold: there was no virus on the disk unknown to the scanner at the time, and nothing reaches the disk without being scanned first. The first assumption is the one a later definition update can overturn, so a full rescan after a major update is the one exception worth making. To keep the system clean, scan all incoming files, regardless of their extension and their source, before first use.
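A way to make the scan-once policy checkable (an added example, not the column's own code): hash every executable at the moment you declared the disk clean, then compare later, so that incoming files and files an upgrade changed (the false-positive case from the upgrading tip) show up as named lists instead of surprises. SHA-256 stands in for whatever checksum a 1999 integrity checker used; the watched-extension set goes past the tip's BAT/COM/EXE to the other file types Windows loads as code, which is my list, not the tip's; the sample directory tree is constructed:

```python
import hashlib
import os
import tempfile

# The tip's BAT/COM/EXE plus other types Windows loads as code
# (my addition, not the tip's list).
WATCHED = {".exe", ".com", ".bat", ".dll", ".sys", ".vxd",
           ".scr", ".pif", ".vbs", ".js", ".shs"}


def is_watched(name):
    return os.path.splitext(name)[1].lower() in WATCHED


def file_hash(path):
    """SHA-256 of a file, read in chunks so large files need little RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """{relative path: sha256} for every watched file under root."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_watched(name):
                full = os.path.join(dirpath, name)
                table[os.path.relpath(full, root)] = file_hash(full)
    return table


def compare(old, new):
    """Return (added, changed, removed), each a sorted list of paths.

    'added' is the bucket for incoming files; 'changed' is what an upgrade
    produces legitimately and a file infector produces illegitimately, so
    every entry in it needs a reason you can name.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, changed, removed


# Constructed sample tree, used by the demo and the test.

def make_sample_tree():
    root = tempfile.mkdtemp(prefix="baseline_")
    os.mkdir(os.path.join(root, "tools"))
    files = {"word.exe": b"MZ original word",
             "readme.txt": b"text, not watched",
             os.path.join("tools", "zip.com"): b"original zip"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


def simulate_changes(root):
    """An upgrade rewrites word.exe, a new program appears, zip.com goes."""
    with open(os.path.join(root, "word.exe"), "wb") as f:
        f.write(b"MZ upgraded word")
    with open(os.path.join(root, "farting.exe"), "wb") as f:
        f.write(b"MZ unexpected new file")
    os.remove(os.path.join(root, "tools", "zip.com"))


if __name__ == "__main__":
    root = make_sample_tree()
    before = baseline(root)
    simulate_changes(root)
    added, changed, removed = compare(before, baseline(root))
    print("added:", added)
    print("changed:", changed)
    print("removed:", removed)
```

Keep the baseline table somewhere the machine cannot quietly rewrite it (the write-protected emergency floppy is the obvious place); a baseline that lives on the disk it describes can be edited by whatever changed the files.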
NOT-SO-HARMLESS E-MAIL FILE ATTACHMENTS
A reader writes: "Someone in our department forwarded me an executable with an excited note about how 'cool' it was. I ran it and watched as the program did a VERY convincing simulation of wiping out my hard disk--during which exercise I found that the keyboard had been disabled. I had just bought a backup drive the week before and used it to back up everything important, so while I waited for it to finish I went over in my mind what I would have to do to recover. When it was over, it turned out that the thing had been an advertisement. It was a sharp but ultimately painless lesson. I learned it well. My standard practice now is to delete immediately any e-mail attachment I didn't specifically ask for." As I replied to the reader, I've seen joke programs like that, and I've also seen real Trojans that do wipe out files on a hard disk. Obviously, the coworker who thought this prank was "cool" didn't take into account the fact that someone might think it was the real thing. If the recipient panicked and hit the OFF switch, real file damage could occur, because Windows 95/98 holds disk writes in a cache and flushes them later; cutting the power with data still in that cache can corrupt the file allocation table, which is why Windows asks to be shut down rather than switched off.
WHAT IS AN SHS FILE, AND IS IT DANGEROUS?
A reader writes: "I was just wondering if your readers were aware that an .shs file can contain any type of executable code. When opened, it will execute any code contained therein. I believe a lot of Windows users are not familiar with this file type and might open it thinking it can't harm their system." I replied that I'm not aware of any SHS viruses; however, an SHS (scrap object) file with an .shs extension can be used as a Trojan in Windows 95 and above: a scrap object can wrap an executable, and opening the scrap runs it. Worse, Windows hides the .shs extension even when the folder option to hide extensions is turned off, so a file named readme.txt.shs shows up as readme.txt. My advice: If you receive a file with an .shs extension, either as a download from a Web site or as an e-mail attachment, do not run it--delete it. If you suspect an attachment's real extension is hidden, look at its Properties before doing anything else; Windows reports the type there, and "Scrap object" is the giveaway.
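Applying the executable-file definition from the earlier tip and the SHS point above to attachment names (an added example, not the column's code): it reports what Windows will run on a click and what Explorer will actually display, since the hide-extensions default and the always-hidden types (.shs, .pif and .lnk carry the NeverShowExt mark in the registry) are what let readme.txt.shs pass for readme.txt. The extension sets are mine, drawn from Windows 95/98 file associations and extended past the tip's BAT/COM/EXE to the script and shortcut types that behave the same way; the file names in the test are constructed:

```python
# Types Windows 95/98 runs on a double-click: the tip's BAT/COM/EXE plus
# the script and shortcut types that behave the same way (my list).
RUNS_ON_CLICK = {".exe", ".com", ".bat", ".pif", ".scr", ".lnk",
                 ".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf",
                 ".hta", ".shs"}
# Document types whose application runs macros they carry.
MACRO_HOSTS = {".doc", ".dot", ".xls", ".xlt", ".vsd", ".vst"}
# Data with no instructions anything executes.
PASSIVE = {".txt", ".jpg", ".jpeg", ".gif", ".bmp"}
# Explorer hides these extensions unconditionally (NeverShowExt in the
# registry), regardless of the "hide extensions" folder option.
ALWAYS_HIDDEN = {".shs", ".pif", ".lnk"}
KNOWN = RUNS_ON_CLICK | MACRO_HOSTS | PASSIVE


def true_extension(filename):
    """The last extension, lower-cased; '' if there is none."""
    name = filename.lower()
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def displayed_name(filename, hide_known_extensions=True):
    """What Explorer shows for this file name."""
    ext = true_extension(filename)
    if ext and (ext in ALWAYS_HIDDEN
                or (hide_known_extensions and ext in KNOWN)):
        return filename[:-len(ext)]
    return filename


def triage(filename, hide_known_extensions=True):
    """Classify an attachment by what Windows would do with it."""
    ext = true_extension(filename)
    shown = displayed_name(filename, hide_known_extensions)
    if ext in RUNS_ON_CLICK:
        verdict = "executable"
    elif ext in MACRO_HOSTS:
        verdict = "macro host"
    elif ext in PASSIVE:
        verdict = "data"
    else:
        verdict = "unknown"
    # The dangerous combination: an executable whose displayed name
    # ends in a harmless-looking extension.
    shown_ext = true_extension(shown)
    disguised = (verdict == "executable"
                 and shown_ext in (PASSIVE | MACRO_HOSTS))
    return {"name": filename, "shown_as": shown, "extension": ext,
            "verdict": verdict, "disguised": disguised}


if __name__ == "__main__":
    # Constructed sample names.
    for name in ("readme.txt.shs", "farting.exe", "report.doc",
                 "photo.jpg", "setup.txt.exe"):
        print(triage(name))
```

Run it against the names in an attachment list and the "disguised" column is the one to read first; a name that triages as "unknown" is not a clean bill of health, only a type the table doesn't know.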
WHAT'S THE BEST ANTIVIRUS SOFTWARE PACKAGE?
A reader writes: "I understand your not wanting to commit yourself to any product, and as you say, what's good for one person might not suit another. On the other hand, what I would like to see is some sort of comparison--a few of the major names, with the strong and weak points of each." I replied that unfortunately, including only "a few of the major names" as he suggested would provoke criticism from those whose favorite software I would be excluding. I can't do that, even if I had the time. However, you can turn to some sources of objective evaluations. The ICSA, which publishes Information Security Magazine, certifies antivirus software: http://www.pcworld.com/r/tw/1%2C2061%2Ctw-v2-24%2C00.html Then there's the Virus Bulletin test results: http://www.virusbtn.com/Comparatives And the Virus Research Unit, at: http://www.uta.fi/laitokset/virus
CAN SNOOPERS GAIN ACCESS TO FILES ON YOUR COMPUTER?
A reader writes: "I think some people are confused about what an antivirus scanner is for and what it can do. People on cable or a DSL modem might need some form of Internet protection software to calm their nerves." I assume he was referring to firewall software. Although this is not directly related to viruses, I want to make the point that a computer directly connected to the Internet is very much at risk for intrusion from anyone anywhere on the Internet. Even though I still use a dial-up connection to an ISP, I have a firewall program installed. On one recent occasion, I let my computer just sit there while outside sources made 42 attempts to access it. I traced some of them back to the source, and found that some came from commercial Web sites (even sites I had never visited), while others came back as unknown. Go to http://grc.com/default.htm Click Shields Up and test your PC's security, and you'll see what I mean. Then go from there to http://www.zonelabs.com and you can download the free firewall I'm using at the moment, ZoneAlarm.
CREATING AN EMERGENCY SYSTEM BOOT DISK
Do you have a floppy disk that will let you boot your PC in case of an emergency? Once you've checked for viruses, create a system boot disk and write-protect it for future emergencies, virus-related or otherwise. Make it only on a system you know is clean, because a boot-sector virus in memory would infect the new disk as it's written. Here's how in Windows 95/98:
1. Place a disk in the A: drive.
2. Open My Computer.
3. Click the right mouse button to select the A: drive.
4. Under File, click to select Format.
5. Click to select Full Format.
6. Under Other Options, check Copy System Files.
7. Press Enter or click the Start button.
8. When the format is complete, lock (open) the write-protect window on the disk.
9. Label the floppy and put it in a safe place.
Then test it once: reboot with the disk in the drive and make sure you get an A:\> prompt, because the time to find out it doesn't boot is now, not during the emergency. If your antivirus program's DOS scanner fits on the disk, copy it there before you write-protect it.
A SAFE WAY TO INSTALL ANTIVIRUS SOFTWARE
From a reader: "In the old days, you had to cold-boot and install antivirus software from a write-protected floppy, which cleared out any virus that could be hiding in memory. Now that you install from a CD, how can you make sure a memory-resident virus doesn't bypass detection and continue to spread?" I replied that the user has to hope the program is as good as it undoubtedly claims to be. In ye olden days of DOS, viruses could control memory and fool the simpler scanners we used then, so a boot from a floppy disk was standard procedure. The situation is different today, because a good scanner can control the situation, detect viruses in memory, and remove them. Under Windows 95 and later versions, you may run into some issues when you remove viruses attached to files Windows is using. But you can get around that with Windows viruses by booting to DOS and then running the scanner's DOS version, because then Windows won't be using its files. Booting from the write-protected floppy described in the emergency boot disk tip still covers the case the reader raises, a virus already resident in memory when you start.
BE CAREFUL WHERE YOU BUY YOUR SOFTWARE
From a reader: "A friend gave me a floppy disk with a game on it that he bought at a computer expo. Although a virus scan said there was no virus, within seconds it issued a warning that something was trying to write to the hard drive--guess what, it contained a Trojan. People should not buy anything like this. If it doesn't come from a manufacturer and isn't sealed, do not put it into your computer. Very sadly, my friend did not scan this game and destroyed his hard drive files! That's a very hard way to learn a lesson, isn't it?" I agree that buying software at a flea market, yard sale, or anywhere but an authorized retailer can be risky. At the same time, it doesn't matter to a virus what disk it's on, and in some cases disks have been mass-produced with a virus on them--not to mention software returned by a customer, which the store then shrink-wraps for resale. Scan all incoming disks, regardless of source.
CHODE--COMING SOON TO A PC NEAR YOU
A reader writes: "After your recent tip about outsiders getting access to my computer, I went to grc.com and found a wide-open port. When checking some other things on that site, I found that I had that new worm, Chode." Chode (also called Firkin) is the first worm or virus I've heard of that can travel by itself--no e-mail required--directly from one Windows PC to another via the Internet, by searching for and exploiting Windows sharing. Given virus vandals' lack of imagination, copycat variations will no doubt soon be making computing less fun for people. Chode is also called the 911 Worm; you can find details regarding it in an FBI advisory at http://www.nipc.gov/nipc/advis00-038.htm
For PCs connected to a LAN, file and printer sharing may make sense. Consult your administrator before you take any action. If you're not on a LAN, leaving sharing enabled on a PC connected to the Internet is dangerous, because an open share is exactly what Chode looks for. Write these instructions down first, since the PC may reboot partway through:
1. Exit all programs.
2. Go to My Computer, Control Panel, and open Network.
3. Click the File And Print Sharing button.
4. If nothing is checked, click Cancel twice. If either option is checked, remove the checkmark(s), then click OK twice; your PC will reboot.
Afterward, rerun the test at grc.com to confirm the port no longer answers.
CIH CAN RUIN YOUR DAY
CIH, or Chernobyl, is the first virus known that can completely disable many newer (486, Pentium, or Pentium II) computers by overwriting the BIOS (basic input-output system) program code, if that code is stored on a flash (write-enabled) BIOS chip. Once CIH triggers, some users have a serious problem: the PC simply won't start. The BIOS program directly accesses the PC's hardware to test system memory and disk drives at bootup, then reads the disk to load the operating system. Without a working BIOS program, a PC will not even boot from a floppy disk. It may be possible to restore an image of the BIOS code made in advance or obtained from the manufacturer, but the user would have to know how to do so and have hardware able to write to the flash chip. Ironically, that hardware would normally be the PC itself, booted to DOS and running the manufacturer's flash-upgrade utility, and that is exactly what no longer works. That's where most CIH victims end up helpless, needing at least a technician's help (they may even have to replace the motherboard if the BIOS chip is soldered to it).

CIH--known variously as PE_CIH, W95.CIH, Win32/CIH, and Chernobyl--is a very destructive virus. Variants of it are "in the wild" (meaning they are spreading from PC to PC and site to site), originally "assisted" by deliberate distribution, via downloads from the Internet, in June 1998. Although the risk is not great, even users who never download anything from the Internet could encounter CIH (or any other virus so deliberately spread) merely by obtaining and running an infected file from someone at work, school, or elsewhere. Depending on the variant, CIH triggers on April 26, on June 26, or on the 26th of every month. When it triggers, it overwrites the first (absolute) megabyte of the hard disk, destroying the vital data in the MBR (master boot record), FAT (file allocation table), and root directory. The files themselves are not erased, but access to them is lost.
But that's not the worst part, as we'll see tomorrow.
DETECTION OF VIRUSES HIDDEN IN COMPRESSED FILES
From a reader: "In the last year, on two occasions I have installed software on my wife's PC, and later that evening my antivirus software has found a virus in it. Given that most of the software you would install today comes compressed and has different extensions than the final production versions, I am not confident that a scan of the CD or disk will pick up the virus." Keeping a system virus free by scanning all incoming files--regardless of their extension and their source--before first use should work, because a good scanner identifies files by their contents rather than their names and can decompress common archive formats as it checks them. The caveat is that a scanner can only unpack formats it understands, and an installer's own compression scheme may not be one of them. So if you're not confident that a scan of an installation CD or a floppy disk will work, install the program, then scan the folder or directory into which it placed its decompressed files before running the new program for the first time.
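What "decompress files as it checks their contents" amounts to, shown as an added example that is not the tip's code or any vendor's: files are typed by their leading bytes and not by extension, every ZIP member is unpacked in memory and matched against a signature table, nested archives are followed (here a ZIP hidden inside the download under the name data.bin), and nesting depth and member size are capped so a hostile archive cannot exhaust the scanner. The signature bytes, the sample archives and all names are constructed for the demo and stand for no real virus.

```python
"""Scan incoming files by content and recurse into ZIP archives.

Added example, not code from the original tip.  A file is typed by its
leading bytes rather than its extension, every ZIP member (including a
ZIP hidden inside another ZIP under an unrelated extension) is
decompressed in memory and matched against a signature table, and
nesting depth and member size are capped so a hostile archive cannot
exhaust the scanner.  Signatures and sample archives are constructed.
"""
import io
import zipfile

# Constructed signature table; a real scanner holds many thousands.
SIGNATURES = {"Demo.Marker": b"DEMO-MARKER-NOT-A-REAL-VIRUS"}
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 4                    # archives nested deeper are reported, not opened
MAX_MEMBER = 8 * 1024 * 1024     # declared size cap; headers can lie, so a real
                                 # scanner also caps the bytes actually read


def sniff_type(data):
    """Crude content typing; the file name is deliberately ignored."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(b"MZ"):
        return "exe"
    return "other"


def scan_blob(name, data, depth=0):
    """Return (path, verdict) pairs for this blob and anything it contains."""
    hits = [(name, sig) for sig, pattern in SIGNATURES.items() if pattern in data]
    if sniff_type(data) != "zip":
        return hits
    if depth >= MAX_DEPTH:
        return hits + [(name, "Skipped.TooDeep")]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                member_name = "%s/%s" % (name, info.filename)
                if info.file_size > MAX_MEMBER:
                    hits.append((member_name, "Skipped.TooLarge"))
                    continue
                hits.extend(scan_blob(member_name, archive.read(info), depth + 1))
    except zipfile.BadZipFile:
        hits.append((name, "Unreadable.Archive"))
    return hits


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for fname, content in members.items():
            archive.writestr(fname, content)
    return buf.getvalue()


# Constructed sample: an "installer" whose payload carries the marker,
# zipped, then placed inside the outer download under the name data.bin.
INNER_ZIP = make_zip({"setup.ex_": b"MZ" + b"\x90" * 64
                      + SIGNATURES["Demo.Marker"] + bytes(16)})
DOWNLOAD = make_zip({"readme.txt": b"Enjoy the game!", "data.bin": INNER_ZIP})


def scan_download():
    """Scan the constructed download the way an incoming file should be scanned."""
    return scan_blob("game.zip", DOWNLOAD)


if __name__ == "__main__":
    for path, verdict in scan_download():
        print(path, verdict)
```

Because the marker sits inside a DEFLATE stream, a scan of the raw download bytes finds nothing; only the recursion reaches it, which is the reader's worry in concrete form. The "Skipped" verdicts matter as much as the hits: a scanner that silently gives up on a member it cannot open is the case where scanning the installed folder afterwards is the only check left.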
EXTINCT VIRUSES VERSUS THOSE IN THE WILD
A reader writes: "How can you be so sure the Casper virus exists ONLY in collections like yours? The mere fact that it exists is enough to breed caution." I happen to know a lot about the Casper virus. About ten years ago, someone named Mark Washburn was dissatisfied with the simple scanners then in use. These detected viruses mainly by matching strings of code in programs to strings of code found in known viruses. Washburn theorized that vandals would soon write more-complicated (self-encrypting, now called polymorphic) viruses that would be impossible to detect by matching strings, since no two infected files would look alike. To prove his point, he wrote and distributed (supposedly only to responsible antivirus researchers) a series of such viruses, named V1P1, V1P2, V2P1, and so forth. But his viruses got redistributed somehow, and some virus writer took one, added some naughty words, and called it Casper. Like the Washburn original, Casper does not stay resident in memory, and infects only executable COM files, one at a time. Viruses that spread as poorly as Casper eventually die out, if they circulate at all. In reality, of the huge number of viruses written (counting minor variants like Casper), fewer than 1 percent are "in the wild" (circulating from user to user). You can even look up a list of the viruses you really need to worry about, called the "WildList." You can learn more about that at http://www.wildlist.org
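Washburn's argument in runnable form, as an added example that is neither his code nor Casper's: a toy whose three-byte header (key byte, little-endian body length) stands in for a decryptor loop and is not machine code. Each "infection" XORs the same body with a fresh key, so no signature taken from the body survives and no 8-byte run is shared by all copies, while a scanner that knows how the decryptor works (the approach later called emulation) still finds every copy. Body, signature and function names are the example's own.

```python
"""Why string matching fails against a self-encrypting virus.

Added example, not Washburn's code or Casper's.  The three-byte header
(key, little-endian body length) is a toy stand-in for a decryptor loop,
not machine code.  BODY and SIGNATURE are constructed ASCII text; BODY is
kept under 128 bytes of 7-bit ASCII so the shared_ngram result is easy to
reason about (keys >= 0x80 set the high bit of every body byte).
"""

BODY = b"Harmless stand-in for a program body. DEMO-SIGNATURE-BYTES trailing text"
SIGNATURE = b"DEMO-SIGNATURE-BYTES"


def infect(body, key):
    """One encrypted copy: header (key, length) followed by body XOR key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    header = bytes([key]) + len(body).to_bytes(2, "little")
    return header + bytes(b ^ key for b in body)


def string_scan(sample, signature=SIGNATURE):
    """Naive scanner of the early 1990s: does the signature appear verbatim?"""
    return signature in sample


def emulating_scan(sample, signature=SIGNATURE):
    """Scanner that models the decryptor: undo the XOR, then match."""
    if len(sample) < 3:
        return False
    key = sample[0]
    length = int.from_bytes(sample[1:3], "little")
    if key == 0 or len(sample) < 3 + length:
        return False
    decrypted = bytes(b ^ key for b in sample[3:3 + length])
    return signature in decrypted


def shared_ngram(samples, n):
    """An n-byte run present in every sample (what a string scanner would
    need as its signature), or None if the copies share no such run."""
    first = samples[0]
    candidates = {first[i:i + n] for i in range(len(first) - n + 1)}
    if not candidates:
        return None
    for sample in samples[1:]:
        candidates = {c for c in candidates if c in sample}
        if not candidates:
            return None
    return sorted(candidates)[0]


def demo(keys=range(1, 256)):
    """Infect with every key and compare the two scanners."""
    samples = [infect(BODY, k) for k in keys]
    return {
        "copies": len(samples),
        "string_scan_hits": sum(string_scan(s) for s in samples),
        "emulating_scan_hits": sum(emulating_scan(s) for s in samples),
        "shared_8_byte_run": shared_ngram(samples, 8),
    }


if __name__ == "__main__":
    print(demo())
```

The real viruses also varied the decryptor itself (junk instructions, reordered loops), which is why a production scanner cannot simply match the stub either; what it can do is run the decryptor, in an emulator or a sandboxed interpreter, until the body is in the clear, exactly what emulating_scan does by hand here.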
MEMORY USE OF ANTIVIRUS PROGRAMS
From a reader: "I have tried to update my virus scan program and it tells me that my system is out of memory. I have plenty of space on my hard drive, so what does this mean?" I replied to her that this means the program doesn't have enough RAM (random access memory) to run. Think of RAM as temporary storage for the instructions and data of programs actively in use. RAM is not connected with the long-term storage space available on your hard disk, which holds files not in use. She either needs to have a technician add memory (if her computer can be upgraded), or switch to an antivirus program that requires less RAM. Another possible fix might be to configure the computer, or the program, to use RAM more efficiently.
RUNNING MULTIPLE ANTIVIRUS PROGRAMS
A reader writes: "If you have two antivirus software programs, would it create any conflict? I am at present using one and have uninstalled the other, as someone advised against having two such programs." Since no antivirus scanner can detect everything, some people think the best way to enhance their safety is to use two or more scanners. However, the incremental increase in safety you gain by doing that is much smaller than what you can achieve by making a backup of essential files on the hard disk, so that's what I advise people to do first. After making a backup, if you choose to run two antivirus programs, remember that running both resident (real-time) components at once can cause conflicts, since each intercepts the file accesses the other makes, and it will slow the system. Running their manual scanning components one after the other should not present any problem, however.
SCANNERS X, Y, AND Z--HOW MANY ARE ENOUGH
From a reader: "I have two questions. First, I can't help wondering why you only identify scan programs generically (scanner X, scanner Y, and so on). Second, do I have to go as far as installing a second (or third, or fourth) scanner program just to be on the safe side? Seems a little ridiculous, doesn't it?" As I replied to this person, while I have no reason to doubt what readers tell me, when someone tells me of an incident, I did not witness the events myself. If the information is negative, that could damage a company's reputation, and the information may be inaccurate or false. On the other hand, positive information provides free advertising. So I won't name names. As for the question of using multiple scanners, I've covered that subject here previously. The bottom line is that no scanner detects everything, and even a combination of scanners won't detect everything. That's why I keep suggesting that you keep backups of essential files, whether you run one scanner or ten.
SHOULD YOU TEST AN EMAIL SCANNER WITH A REAL VIRUS?
A reader writes: "We are currently evaluating a server-based e-mail scanning software, and we have one little problem: How can we be sure the scanner detects viruses in e-mails if we never have and hopefully never will receive a virus via e-mail? Is there such thing as a harmless test virus we can download somewhere and e-mail to ourselves to test the scanning engine?" When a buyer evaluates antivirus software, the test is no different from evaluating any other type of software you're going to deploy in an enterprise. What you have to judge first is how well the software performs for you in your environment. Second, you should be satisfied that those using the software will find it comfortable enough to use. There are other issues--among them cost, upgrades, and extra features--but I'd trade them for quality, customer-friendly technical support. You'll notice that I don't include testing viruses on my list. Does one light a fire to test a fire extinguisher before buying it? For similar reasons, you're best off leaving the testing of viruses to those in that business. I suggest that one should rely on the vendor, but if it's important to you, ask for a demonstration (at the vendor's site, not yours).
SNOOPERS AND YOUR PC: EVIL OR NO
If you're using a firewall, you may have noticed that some days it warns you many times of would-be intruders, and other days you receive no such warnings. One reader explains, "I do not think commercial sites have anything evil lying in wait when they probe you (at least nothing more evil than the dreaded cookie). More likely, they were trying to update details from users who previously had your newly assigned dynamic IP (very few ISPs assign static IPs to dial-up customers). Other contacts may come from a variety of sources, like a user running a server who had your previous address; instant messaging programs looking for the wrong IP; and yes, even people scanning a range of IP addresses for malicious purposes." He also pointed out, "ZoneAlarm is unique in that it keeps unauthorized outbound traffic from leaving your machine. A program available at grc.com called OptOut, though very tiny, quickly finds the word spyware on your system and removes it. Most people do not know they even have such Internet usage tracking tools installed on their machine. I suggest you run it. You may be surprised at what you find. If you do not use much freeware or shareware, it may find nothing; but you're always better safe than sorry in future."
SNOOPERS AND YOUR PC: TARGETING YOU
A reader writes: "I am temporarily using an older computer with an external modem. All day long I noticed that at times when I was not downloading or doing anything whatsoever on the Net, I saw the RD & SD status lights (Receive & Send Data) flashing like crazy. In fact, as I write this--and I'm not doing any Web, e-mail, or other Internet-related tasks--those lights are still flashing like mad. I feel like some unknown person or organization is taking over my computer. This is positively eerie." As I wrote last month, a computer connected to the Internet (especially directly, such as with a cable modem) runs the risk of intrusion from anyone anywhere on the Internet. So many people have written back to me on the subject that I'll repeat my advice: Install a firewall to protect your computer from others. Go to http://grc.com/default.htm and click the Shields Up link. Test your PC's security and you'll see what I mean. From there, you'll find a list of firewalls, one of which is free for noncommercial use--ZoneAlarm from Zone Labs. You can check the company's Web site for more information on the product: http://www.zonelabs.com
SNOOPERS AND YOUR PC: WHO IS AT THE OTHER END?
In yesterday's tip, I repeated my suggestion to protect your PC from intruders with firewall software. The most common question I receive on this subject is this: "ZoneAlarm's manual talks about using whois and traceroute to track down who is attempting to gain access to my computer. Where do I find such programs? The manual didn't say. Tonight alone I am up to 33 alerts and still counting. Many seem to come from certain IP addresses--there are about 14 different addresses in those 33 alerts. This is an eye-opening experience; I'm sure it has been going on for quite a while and only now is manifesting itself due to the firewall. This reinforces my belief that one should keep important information strictly in offline computers." If he wishes, he can go to http://grc.com/cb-faq.htm where one can read about and learn where to find utilities, like Sam Spade, that make tracing intruders easier. As for myself, I'm too busy to do that, and agree with something else in that FAQ: "Remember that you came to ShieldsUp because you were concerned about the security of your machine. You wanted to turn it into Ft. Knox to foil these script kiddies. Well, now imagine you're living in Ft. Knox. Are you really going to be concerned about people shooting paper straw wrappers at the walls?"
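Before anyone reaches for whois or traceroute, the alerts are worth sorting, and the reader above already did the first step by hand (33 alerts, 14 addresses). The script below does that sorting and is an added example, not code from the tip, from ZoneAlarm or from grc.com: the log format is constructed for the demo (ZoneAlarm's own format is not reproduced), the source addresses come from the RFC 5737 documentation ranges and stand in for public Internet hosts, and the port names and thresholds are the example's own. It counts alerts per source, names the ports being probed, and classifies each address so that tracing effort goes only to addresses that could actually be out on the Internet.

```python
"""Summarise firewall alerts by source address before chasing anyone.

Added example, not code from the original tip or from ZoneAlarm.  The
log format is constructed for the demo; the source addresses are from
the RFC 5737 documentation ranges and stand in for public hosts.
"""
import ipaddress
import re
from collections import Counter

# Constructed alert lines: timestamp, action, protocol, source, destination.
SAMPLE_LOG = """\
2000-05-12 21:03:17 BLOCK TCP 203.0.113.45:2345 -> 192.0.2.7:139
2000-05-12 21:03:19 BLOCK TCP 203.0.113.45:2346 -> 192.0.2.7:139
2000-05-12 21:03:21 BLOCK TCP 203.0.113.45:2347 -> 192.0.2.7:445
2000-05-12 21:05:02 BLOCK UDP 198.51.100.9:137 -> 192.0.2.7:137
2000-05-12 21:07:44 BLOCK TCP 198.51.100.200:4011 -> 192.0.2.7:27374
2000-05-12 21:09:10 BLOCK UDP 10.0.0.9:1900 -> 192.0.2.7:1900
2000-05-12 21:11:58 BLOCK TCP 203.0.113.45:2350 -> 192.0.2.7:139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Ports that turn up in home-PC firewall logs; the labels are the example's own.
PORT_NAMES = {137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session",
              445: "SMB", 1900: "SSDP", 27374: "SubSeven trojan default"}

# Ranges that are never routed across the Internet; an alert "from" one of
# these is a neighbour on your own segment or a spoofed packet, and whois
# will not tell you anything about it.
ADDRESS_CLASSES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("rfc1918-private", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918-private", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918-private", ipaddress.ip_network("192.168.0.0/16")),
]


def parse_alert(line):
    """One log line to a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(ip):
    """'public' unless the address falls in a non-routable range above."""
    addr = ipaddress.ip_address(ip)
    for label, net in ADDRESS_CLASSES:
        if addr in net:
            return label
    return "public"


def summarize(log_text):
    """Per-source alert count, ports probed and address class, plus unparsed-line count."""
    per_source = {}
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1
            continue
        entry = per_source.setdefault(
            rec["src"], {"hits": 0, "ports": Counter(), "class": classify(rec["src"])})
        entry["hits"] += 1
        entry["ports"][(rec["proto"], rec["dport"])] += 1
    return per_source, unparsed


def worth_tracing(per_source, min_hits=2):
    """Public sources that came back repeatedly: the only ones worth whois/traceroute."""
    return sorted(src for src, e in per_source.items()
                  if e["class"] == "public" and e["hits"] >= min_hits)


if __name__ == "__main__":
    sources, bad = summarize(SAMPLE_LOG)
    for src, e in sorted(sources.items(), key=lambda kv: -kv[1]["hits"]):
        ports = ", ".join("%s/%d (%s)" % (proto, port, PORT_NAMES.get(port, "?"))
                          for proto, port in sorted(e["ports"]))
        print("%-16s %2d alerts  %-16s %s" % (src, e["hits"], e["class"], ports))
    print("worth a whois/traceroute:", worth_tracing(sources), "| unparsed lines:", bad)
```

On the constructed log only one address earns a lookup: the one that came back four times for the Windows sharing ports. A single stray probe from an address that never returns is the "paper straw wrapper" of the FAQ quoted above, and the 10.0.0.9 entry is not reachable from the Internet at all, so no amount of tracing would lead anywhere.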
VIRII, VIRI, VIRRI, VIRUI--OR VIRUSES
In a previous tip, I quoted a reader's question that included this comment: "Occasionally I receive an e-mail with this statement in the header: 'This mail has been scanned for known virii.'" In my reply I said, "This is obviously not a message from your antivirus software program, because no company would ever use the word 'virii.' It's virus writers' slang for viruses, and not really a word." That brought several comments like this one: "For many years, the proper plural of 'virus' was considered to be 'virii'--that is the proper Latin plural (alumnus and alumni is another example). Contemporary use has allowed the improper 'viruses' to become the norm. Those of us who were once Latin majors find it amusing to think that 'virii' as the plural form is now considered 'slang.'" Sorry, but we're not speaking Latin. Even if we were, -I is the Latin plural ending that replaces -US, so virI would be the Latin plural of virUS. In order to get virII, you'd have to start with virUSUS. (Do we have "alumnii"?) So far as I know, no professional in the antivirus business, nor any commercial antivirus Web site, uses any plural of the word virus except viruses. However, you will see viri, virii, even virri and virui on underground virus vandal sites. That's why I never use such terms, and why I try to educate others not to use them.
VIRUS COLLECTION HAZARDS
A reader writes: "You once said you have a collection of viruses. If such a collection fell into the wrong hands, could a vandal successfully swarm the Internet in one overwhelming foray? For example, if you created a downloadable program and hid a swarm of viruses within that program, could the effect overwhelm a virus scanner to the point that some part of the virus would get through? Although you can very easily stop one virus, could many disrupt a computer?" I replied that there's no danger of either event occurring. Internet transmissions consist of packets that routers forward from one network to the next, to be reassembled only at the destination. In transit a virus is an inert piece of data, so it poses no risk to the Internet itself; it can do anything only once a computer at the far end runs it. As far as hiding viruses in a program goes, I've never seen a program infected with more than one virus that functioned properly, so the chances of a system crash are greater than the chances of one virus in a group spreading unobserved. In other words, don't worry about virus collections (some of which do land in the wrong hands, of course).
Most tips are from TipWorld (http://www.tipworld.com): The Internet's #1 Source for Computer Tips, News, and Gossip
Henri Delger henri_delger@prodigy.net http://pages.prodigy.net/henri_delger/