Welcome to Blaisdell's Little Corner of the Web


Freeware | Security | Virus Information Archives | Web3000 | Microsoft Security Tools | The List | Virus Removal Tools | Updated on 09/02/06

Latest Virus Warnings & Alerts

See the page index or the Archives to see what's here.
See McAfee's Steps to Protect Your PC

Interested in free antivirus software? Then check out this page of freeware antivirus programs. Check them out, the price is right!!
Click on the image to the right.
Looking for an anti-virus scanner that won't break the bank (It's free and is our personal favorite):
AntiVir Personal Edition - Our Favorite. Go to Bo's Featured Freeware for more or [Download Now]
This easy-to-use freeware antivirus utility detects over 80,000 viruses and includes a resident monitor and desktop program. Scans for DOS, Windows, macros and Java viruses. Available in German and English. (For Windows).

AVG Free Edition 
(Note: this site is occasionally unavailable). Here's an excellent, freeware anti-virus utility that also offers you free monthly updates. An easy-to-use program, AVG features resident protection, an E-mail scanner and automatic healing of infected files. Note that the freeware version of this program is only valid for users in the U.S., Canada and Britain. (For Windows).

Yeah but Bo, is it really a virus or a hoax? Check out this selection of some of my favorite Hoax Busting Sites. Never be taken by a hoax again! Is there anywhere else that I can go to get real-time virus info, Bo? Sure is, click here for some of my favorites.
Bo's Mission statement

Should I Worry About Code Red?

Bohunky0 got a worm. KAKWorm to be exact. Read more about this pesky little bugger by clicking here.

Step by Step
Five Remedies for Virus Relief
Learn proactive and reactive actions that will make your computer virus-free. full article


When is a Virus not a Virus?
Check out Virus Hoax and Myths @ VMyths.com
Note: The VMyths.com site is temporarily down. If you get a message that the site cannot be found, try the Urban Legends and Folklore site instead. Thanks Denise for the broken link report, very much appreciated....Bo

Index

| Virus Encyclopedia | Virus Calendar | Hoaxes | Glossary |

Simple Steps to Protect Your PC
Performing a few simple steps can protect your PC from security threats. McAfee.com has tips and techniques for keeping hackers at bay and keeping your personal information secure. Increase your computer security today.

 

  • Question: The NYB virus keeps re-appearing. Hint: think boot sector virus.
  • Bergin buddy spyware is back and it is a bear to remove. Spyware eradicators won't touch it, but you can get rid of it manually or use some other devices.
    • Check out SaferSite.com for more info and instructions on how to remove it manually.

Removal Tools:

Removal Tools Ordered Chronologically
Removal Tools Ordered Alphabetically

Want more? Go to Bo's Virus Info & Archives Page

Microsoft Security Tools


Symantec: Hahaha Worm Is No Laughing Matter
Alias Hahaha and Snow White, this complex worm updates itself via the Internet. Reports of infection are increasing worldwide.
Hybris (W95.Hybris.gen) is a complex supervirus whose e-mail delivery system is similar to Happy99 and whose programming and payload are similar to MTX.

What have we learned?
Here are just a few things you can do to minimize your chances of getting infected.
The most obvious trend this year was the ongoing outbreak of e-mail-borne viruses. How do you stay safe? Don't open attachments! One of the best ways to prevent virus infections is not to open attachments, especially when dangerous viruses are being actively circulated. Even if the e-mail is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with their destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.

Read An Email, Get Infected

You can’t get a virus simply by reading an email, right? Wrong. Today we greet VBS/Forgotten (a.k.a. VBS/Pica), the newest entrant to the “read an email, get infected” group.

The year 2000 was ushered in by the first of these email worms, BubbleBoy. Taking advantage of a security vulnerability in Microsoft Outlook and Outlook Express, BubbleBoy barely made a blip on the radar screens of antivirus vendors. Microsoft quickly released a patch and all was well. Or so it seemed.

For more virus information and the latest nastiest bugs, check out Bo's Latest Virus List


How can we prevent threats such as Kak, BleBla, and Forgotten from ruining our email experience?

  1. Install the security patches provided by Microsoft:

    http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
    http://www.microsoft.com/technet/security/bulletin/ms00-037.asp
    http://www.microsoft.com/technet/security/bulletin/ms00-046.asp
     
  2. Tighten security settings in Outlook and Outlook Express:

    From within Internet Explorer, select the following menu items:
     
    Tools | Internet Options | Security | Restricted Sites | Custom Level
    In the Custom Level dialog box, disable all settings related to ActiveX and Java (in fact, I would disable everything, set Software Channel Permissions to High Safety, and under User Authentication set it to prompt for username and password).

    Note: Just setting the restrictions to High will not work. You must choose Custom Level and scroll through the list making the necessary changes. If you are unable to follow this step, it may be a good idea to ask an experienced friend for assistance.
     
  3. After making the above modifications to Internet Explorer, open Outlook Express (if not already open) and add it to the Restricted Zone. Do this by choosing Tools | Options | Security and selecting Restricted Zone.
     
  4. Finally, regardless of the message received – do not allow scripts to run from within email. If you believe there is a legitimate purpose for the scripts (there’s not), reply to the sender and explain that you do not accept scripting in email and ask that they resend the message in plain text only. If they have something legitimate to say, they will be happy to oblige your request.

VIRUS ALERT - W32/ProLin@

W32/ProLin@ is an Internet worm that spreads via email. AVERT has given it a risk assessment of MEDIUM TO HIGH-RISK. The email comes with an attachment named CREATIVE.EXE, which carries the icon of a Shockwave Media Player application.
You may receive the email in this format:

Subject = A great Shockwave flash movie
Body = Check out this new flash movie that I downloaded just now ... It's Great
Bye
Attachment = creative.exe

If you run CREATIVE.EXE, it finds and alters all .JPG and .ZIP files on your system and forwards a copy of itself to everyone in your email address book.
Please do not run the attachment.

Click here for more information from McAfee.com


W32/Navidad@ worm

The email can come from addresses that you will recognize. Attached is a file named NAVIDAD.EXE and when it is run, it displays a dialog box entitled, "Error" which reads "UI". A blue eye icon then appears in the system tray next to the clock in the lower right corner of the screen, and a copy of the worm is saved to the file "winsvrc.vxd" in the WINDOWS SYSTEM directory.

If your PC becomes infected with the W32/Navidad@ worm, all subsequent emails addressed to you will be responded to automatically with an email from your address with the W32/Navidad@ worm as an attachment. Click here for detection and removal instructions from McAfee.


If you are connected to the Internet with either cable or a dedicated T-1 line you need a firewall. If you do not have a firewall to block someone getting at your data via that connection, try ZoneAlarm. If you are connected via modem, it is also wise to put up a first line of defense. ZoneAlarm is good for you as well.

PROBLEM: Your friend's version of ZoneAlarm logs alerts to a file, but your own version does not.

SOLUTION: Earlier ZoneAlarm versions don't write intruder alerts to a log file, whereas later versions do (2.1.7 and beyond). Since ZoneAlarm doesn't turn on intruder logging by default, though, you should click on the main dialog box's Alerts button, then check the "Log alerts to a text file" check box.
Index


Microsoft's Security Patches and where you can get your copy.
These updates are located at:
 
Office 2000 Service Release 1- <http://officeupdate.microsoft.com/2000/downloadDetails/O2kSR1DDL.htm>

Outlook 2000 E-mail Attachment Security Update- <http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm>

Outlook 98 E-mail Attachment Security Update- <http://officeupdate.microsoft.com/downloadDetails/O98attch.htm>

Outlook 97 E-mail Attachment Security Update- <http://officeupdate.microsoft.com/downloadDetails/O97attch.htm>
 
If you use Outlook 2000, use the option to set your attachment security setting to High. When security is set to High, users will receive a warning before opening an attachment. To make sure your setting is set to High:
1) On the Tools menu select Options
2) Select the Security tab
3) Click on the Attachment Security button
4) Select High (if not already selected)
Index


BoHunky0 Hit with "DA.SlowDown Virus"

No matter how careful you are, or think you are, viruses can affect anyone, even the Bo Master.

On August 3, 2000 I was hit with the DA.SlowDown virus, which attached itself to my C:\PROGRA~1\INTERN~1\CONNEC~1\ICWCONN1.EXE (C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe); as you can see, it attached itself to Internet Explorer's Connection Wizard. Symptoms include, but are not exclusive to: an immediate slowdown in your Internet connection (I connect at a humble 33.6 KBS which my ISP sees as 28.8 KBS), an obvious memory drain (the SlowDown virus is a TSR, Terminate and Stay Resident, virus) and subsequent lockups and crashes. The virus is an old one, molded in 1990, but obviously is floating around the web somewhere. It could only have come from a few programs which I routinely allow ebb and flow net access through ZoneAlarm, my personal firewall.

Norton Anti-Virus discovered this behavior and repaired the damage. A freeware program, InoculateIT Personal Edition, that I have used for a long time did not detect the virus. I am in the process of determining where the bug came from. I have my suspicions but I am not sure at this point in time.

Simply because I use the Internet for a varied amount of projects, I routinely run 3 separate anti-virus programs and at times am testing others for different people. I was not testing any at this time however. Even with all my precautions I allowed access to my computer for malicious intent. It is time to rethink my security options and start to tighten up a bit. First stop, rethink my firewall settings; this is how I contracted the virus, of this I am certain.

Symantec's Virus Research Center says this about the virus:

Detected as: DA.SlowDown
Aliases: Dark Avenger
Area of Infection: .COM Files, .EXE Files, COMMAND.COM
Characteristics: Memory Resident, Triggered

A variant of the original Dark Avenger.1800 based on the author's source code,
which he released in January of 1990.

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:

http://www.symantec.com/avcenter/download.html

Index


Bohunky0 has gone digging for worms and found a KAK of em!

Just letting you know that I had received a worm virus that attached itself to my email signature file. Norton discovered it and I have located all of the pointers, as far as I know, it continually reloads itself after Norton has cleaned it.

Here is what to look for in your Autoexec.bat (the first line truncates kak.hta to an empty file, the second deletes it):

@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

In your Registry it sets up the following:

REGEDIT4

[HKEY_CURRENT_USER\Identities\{03FA7420-3FCC-11D3-A1EB-AF89CC02843C}\Software\Microsoft\Outlook Express\5.0\signatures]
"Default Signature"="00000000"

[HKEY_CURRENT_USER\Identities\{03FA7420-3FCC-11D3-A1EB-AF89CC02843C}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000002
"text"=""
"file"="C:\\WINDOWS\\kak.htm"

[HKEY_CURRENT_USER\Identities\{03FA7420-3FCC-11D3-A1EB-AF89CC02843C}\Software\Microsoft\Outlook Express\5.0]
"Signature Flags"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAg0u"="C:\\WINDOWS\\SYSTEM\\03FA7420.hta"

This last entry sets up a warning when Windows starts ("Driver Memory Error"); it is nothing more than an HTML document. It is a file named 03FA7420.hta and will be found in your Windows\System directory. You may need to delete this one through DOS, I did.

It also delivers the file AE.KAK to your root directory (C:\) and kak.reg to your Windows directory (C:\Windows).

Because it is an Internet Explorer worm, it attaches itself to your signature file in Outlook Express and mails itself along with your email to others.

You may wish to warn the folks that you regularly email to.

VBS.KakWorm spreads using Microsoft Outlook Express. It attaches itself to all outgoing messages via the Signature feature of Outlook Express and Internet Explorer newsgroup reader.

The worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system.

Microsoft has patched this security hole. The patch is available from Microsoft's website. If you have a patched version of Outlook Express, this worm will not work automatically.

Symantec has a cure for the worm:
Click here to download tool to repair Wscript.Kakworm damage

Also known as: VBS.Kak.Worm, Kagou-Anti-Krosoft
Category: WORM
Infection length: 4116 Bytes
Virus definitions: December 30, 1999
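The KAK registry entries listed above and the Restricted Sites zone changes from the Outlook Express steps earlier on this page can both be checked against a registry export (regedit /e). The following is an added example, not code from this page, Symantec or Microsoft: the zone action ids and their values are assumed from Internet Explorer's documented zone registry layout, and the sample export is constructed from the entries this page lists.

```python
# Added example, not code from the page: parse a REGEDIT4 export and check it for
# the KAK footprint and the Restricted Sites hardening described above. Zone action
# ids and values (0 enable, 1 prompt, 3 disable; 1A00 logon 0x10000 = prompt) are
# assumed from IE's documented zone layout. Constructed sample: page's KAK entries
# plus a weakly set zone 4 key.
SAMPLE_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000000
"1400"=dword:00000003
"1A00"=dword:00000000
[HKEY_CURRENT_USER\Identities\{03FA7420-3FCC-11D3-A1EB-AF89CC02843C}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"name"="Signature #1"
"type"=dword:00000002
"file"="C:\\WINDOWS\\kak.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAg0u"="C:\\WINDOWS\\SYSTEM\\03FA7420.hta"
"""

def parse_reg(text):
    """Return {key_path: {value_name: value}}; strings unescaped, dword: -> int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                keys[current][name] = raw   # hex: and other types kept as raw text
    return keys

def find_kak_indicators(keys):
    """Entries the page attributes to KakWorm: a Run value launching an .hta
    and an Outlook Express signature backed by the worm's .htm file."""
    hits = []
    for path, values in keys.items():
        low = path.lower()
        for name, val in values.items():
            sval = str(val).lower()          # dword ints never match below
            if low.endswith(r"\currentversion\run") and sval.endswith(".hta"):
                hits.append(f"Run entry {name!r} launches HTA {val}")
            if (r"\outlook express\5.0\signatures" in low and name == "file"
                    and sval.endswith((".htm", ".hta"))):
                hits.append(f"Outlook Express signature is the file {val}")
    return hits

# Restricted Sites is zone 4; the page says to disable ActiveX and Java there.
ZONE4_MUST_DISABLE = {"1200": "Run ActiveX controls and plug-ins",
                      "1400": "Active scripting", "1402": "Scripting of Java applets"}

def audit_restricted_zone(keys):
    """Return zone 4 settings that are weaker than the page's advice."""
    zone = next((v for k, v in keys.items()
                 if k.lower().endswith(r"\internet settings\zones\4")), {})
    problems = [f"{desc} ({action}) is not disabled"
                for action, desc in ZONE4_MUST_DISABLE.items() if zone.get(action) != 3]
    if zone.get("1A00") != 0x10000:
        problems.append("Logon (1A00) is not set to prompt for user name and password")
    return problems
```

Run it over a real export with parse_reg(open("out.reg").read()); a clean, hardened machine returns empty lists from both checks.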


Question: "Recently, I keep getting the following message: "zbSFV.exe has generated errors and will be closed by Windows. You will need to restart the program." When I click OK nothing happens. I get this message for any program I have open, and sometimes when I have NO program open. A search reveals this file is in my WINNT\system32 folder, but I don't know what it does. I have Win2K Professional with plenty of memory. Does anyone know what this error message is about? Thanks for assistance."  ~ Jim

Answer: It is a Trojan horse. Run a complete virus scan on your system with the latest virus signatures. You may have to boot in Safe Mode for it to work. Download Ad-aware 6 and its latest update and run it. Download SpyBot Search&Destroy, its updates, and run it (in that order). Download HijackThis and run it. These three programs are all freeware. HiJackThis checks to see what browser extensions are installed. Be careful that you do not delete any extensions that you DO want. These four things should fix you up.

"Whenever I run across a client with Trojans/viruses, I kill the process tree, edit the "Run" sections of the registry and Start Menu to remove the calling program (probably started with RUNDLL32.EXE), boot in Safe Mode, and run my antivirus stuff before doing the rest."


MELISSA UNLEASHED AGAIN
She's baaaaaack. A variation of the celebrated Word virus Melissa popped up after a Macintosh Office 2001 user saved an infected document. The document was emailed to a Windows 97 user who opened it and started the latest round of infection. The virus -- this one's called Melissa-X or Melissa 2001 -- works by sending itself to 50 Outlook addresses, eventually clogging email servers and shutting them down. Suspect Melissa if an email arrives with "Important Message From (name)" in the subject line, and the statement "Here is that document you asked for ... don't show anyone else;-)" in the body. Click for more.

W97M/Melissa@ is a macro virus for Word97 that spreads via the email program MS Outlook. This virus creates an Outlook object that sends an infected document to the first 50 addresses in the address book.

The email comes with the subject line "Important Message From" Application.UserName, with a body text of "Here is that document you asked for ... don't show anyone else ;-)" and a document attached. The content of the document is a list of pornographic Web sites.

First discovered on March 26, 1999, this virus is now in a new file format for Word9X / Office2001 for Mac. It is specific to Mac Office2001 and can infect a host system running Office98 (also for Mac) or Office2000. This virus will infect Office97 systems that have been updated to SR1 update and above.

PC Users: This variant can infect users of Windows Office 97 or 2000 if they receive the email message from a Mac user.

Another variant of this worm is W97M.Melissa.W

Also see:

Virus won’t let victims get help
A computer virus that’s smart enough to block its victims from getting help is steadily spreading around the Internet.            

Also be warned. I received a virus the other day myself. It is called the Hahaha virus and carries an attachment. Of course it has the usual Melissa-like protocol; that is, it sends itself to the first 50 people in your Outlook address book. Never open any attachments that you are not expecting, and even then there is no guarantee. For those of you who regularly email me, not to worry, I knew of the virus and deleted it the minute that I saw it. No infection has taken place and to be sure I ran a virus scan of my entire system and network. No problems were reported. Learn more about the Hahaha worm and others at Bohunky0's Virus Archives page


About Blaster
W32.Blaster.Worm

Blaster is a worm, a program that runs on one computer and then looks for other computers across the network or Internet it can infect.  In this case it uses a technique called 'buffer overrun' to trick a computer into running a program.

You don't have to do anything to infect your computer, even if your computer is sitting idle it could be infected if the right connections (ports) are open to your computer.  Just being careful with your email and what web pages you visit isn't going to help.

Blaster takes advantage of a known problem in Windows NT, NT Terminal Services Edition, 2000 (all flavors), XP (all flavors) and Windows Server 2003 (all flavors). This worm takes advantage of the security flaw that was highlighted by the US Dept. of Homeland Security a few weeks ago.

The Good News? This is a known problem and there is a fix. To prevent this exposure go to Windows Update to grab any critical updates or patches. If you have already updated your system, then you'll already have the fix that prevents Blaster from infecting your computer. To make sure you have the right fix, go to Settings | Control Panel | Add/Remove Software then scroll down to the long list of fixes. Look for one labeled with the number 823980 - that's the fix you need. If that patch (823980) is installed already you can rest easy.

More info and patch availability below:

What can you do?
It goes without saying, that's why I am saying it, update your virus definitions and run a full system scan of your computer.
Think you are already infected? Here is how to find out:

  1. Press Ctrl + Alt + Del
  2. Choose Task Manager
  3. Choose the Processes tab
  4. Click on the 'Show processes for all users' option
  5. Click on the heading 'Images' to sort the list alphabetically.
  6. Look down the list for  msblast.exe
  7. If you find it, click on that entry then 'End Process'

That will stop the worm from running for this instance, but you still have to remove it from your computer.

Symantec has released a free removal tool in case you need it. As usual Symantec has done the job that Microsoft won't do. Their security response page has lots of details on detection and removal; granted, most of the details you won't need, but it's nice to know it's there. There are some suggestions for blocking ports using a firewall to prevent future attacks, and that's tempting to do in the heat of the moment. However, those ports can be necessary for you to do your work, so make sure you know what you're doing.

The Microsoft Instructions Newsletter
Microsoft has just released a document which describes how users of various Microsoft Systems Software can protect themselves. It also describes who is at risk and how to minimize that risk. Click here for the details of this newsletter.

Thanks for stopping by

Attention Telemarketers:

I do not allow organizations to use my name or to contact me to make solicitations other than as permitted in my Junkbusters Declaration.

Version Dec 7 Copyright 2001 Larry Blaisdell

Found a broken link? Want to contact me about a problem or a solution? Click here

| Try Bohunky0's Tech Support Help Web | Bo Explains Internet Security Needs |