Welcome to Blaisdell's Little Corner of the Web
Are Web-based e-mail accounts less virus-prone than Outlook?
What you need to do to prevent getting computer viruses in the first place!
Removal Tools from Symantec Here
The Anatomy of a Hoax
Should I Worry About Code Red?
Worm poses as plea for peace
Latest updates and Service from C|Net & Bohunky0
The NYB virus keeps re-appearing
It seems a reader has had his Windows XP computer infected with the NYB virus. He has Norton Antivirus installed and updated, and although it detects and removes the virus, it keeps coming back. He has tried two other virus detectors and they all have the same problem. The reason they all have the same problem is that NYB is a boot sector virus, which makes it nasty to get rid of. If you find yourself in this same situation, you could be re-infecting yourself from infected floppy disks, so you may want to scan and clean all your floppy disks. Another possibility is that you could be re-infecting yourself from your own master boot record. You may need to go to another Windows XP computer and create a bootable floppy for use in your infected computer. Boot off the clean boot disk, type "fdisk /mbr" (sans quotes) at the command line, and press Enter. This should fix your recurring virus problem. For more information on the NYB virus, follow this link to the Symantec Antivirus Research Center's article on the NYB virus.
Q. Are Web-based e-mail accounts less virus-prone than Outlook?
Is it true that if I use a Web-based e-mail service such as Yahoo I'll be safe from Outlook-related viruses?
A. No. Many new viruses do not require a PC-based e-mail client such as Outlook in order to spread. These new viruses, including Klez, have their own e-mail client (SMTP) and can find e-mail addresses within cached Web pages on an infected machine, bypassing the need to use Outlook's Address Book. Larger Web-based e-mail services, such as Hotmail and Yahoo Mail, screen mail hosted on their sites for viruses, but there's no beating having a good antivirus product on your desktop just in case.
Worms: Despite patching, infection continues. Why?
Several fast-spreading worms have been attacking through Internet Explorer in the past few weeks. They're getting in thanks to a known vulnerability that Microsoft patched last March. So why are people's systems still being infected? Rob investigates.
Worm poses as plea for peace
Humankind's capacity for inhumanity should no longer surprise us--certainly not after Sept. 11. So why should anyone be the least bit taken aback by the fact that some miscreant would use this horrific tragedy as a way to spread a computer virus? Still, that some miscreant did leaves me shaking my head. Watch out for the "Vote Virus." It's spreading via e-mail to users of Microsoft's Outlook e-mail program under the subject line, "Peace between America and Islam!" The body reads: "Hi. Is it a war against America or Islam!? Let's vote to live in peace!" However, when the accompanying attachment--WTC.exe--is opened, the virus deletes all the files on the computer's hard drive and sends itself to everyone in your address book.
Go to the full story by Robert Lemos.
Should I Worry About Code Red?
Q: I keep hearing about the Code Red worm, but so far I haven't come across it myself. Should I worry? What should I do about it? I'm using Windows 98 Second Edition.
A: Win 98 Second Edition? No worries! CodeRed (aka W32/Bady, I-Worm Bady, W32/Bady.worm, etc.) and its offspring, CodeRed II (aka CodeRed.v3, CodeRed.C, W32.Bady.C and CodeRed III) target systems running Windows NT or Windows 2000 with the Internet Information Services Web server (IIS). Running Windows 98, you're safe from this particular nasty.
The reason you hear so much about CodeRed is that variants continue to appear, making it newsworthy. It also attacks the sort of machines used by larger companies, giving it another newsworthy twist. Other, more prevalent viruses sink into obscurity once their news value declines. After all, who wants to hear that the ancient (it first appeared in 1999), unmodified Kak worm is still out there causing a lot more grief to most users than CodeRed.
If you want to know the types of viruses to watch for, avoid the news headlines and check out Trend Micro's real-time virus watch (http://wtc.trendmicro.com/wtc/). Or, go to my favourite anti-virus resource, Symantec's AntiVirus Research Center (aka SARC, at http://www.symantec.com/avcenter) and check out the Distribution and Damage graphs for each virus. You'll find that familiar names such as Kak, Sircam, Melissa and Loveletter crop up far more frequently than CodeRed.
For those readers who are running IIS on Win NT or 2000 and who haven't yet done anything about protecting their systems from CodeRed, say a mea culpa or two and then rush right over to SARC or Microsoft's Code Red pages.
The Anatomy of a Hoax
Hoaxes are as bad as a real virus. They plug up servers, frighten people into doing things which should not be done and are a general nuisance. The worst part of the problem is they are almost always propagated by well meaning people who are alarmed at what they read in an email.
In that light, let's take a look at a recent hoax widely broadcast over the web.
Hoax has victims trashing harmless file
A hoax e-mail warning people that their PCs may contain a virus called sulfnbk.exe is propagating in the United Kingdom and tricking its victims into trashing a harmless, and potentially helpful, Windows utility. The e-mail is circulating in the United States as well. Bo has received one and I am willing to bet it won't be long before you receive one as well. Don't be fooled. Antivirus experts were quick to point out that the e-mail does not contain a worm and is being passed around by well-meaning people alarmed at its contents.
May 30, 2001, 11:15 a.m. PT. This is a report from C|Net.com.
Just what is SULFNBK.EXE Bo?
It's a utility shipped as part of the Windows 98 operating system that allows users to restore long file names. Thus, anyone using the Windows 98 operating system would find this file on their system. If the hoax were received by these users, and believed, many might delete the file thinking their antivirus software had somehow failed to detect the virus. In fact, it wouldn't be the first time signature-based scanners failed to detect a new virus, making the entire hoax even easier to believe.
Bo's Findings: Microsoft's computer security team, on 29 May 2001, intercepted numerous emails with SULFNBK.EXE attachments -- all infected with the well-known Magistr virus. Microsoft's claim contradicts details found on McAfee's website and agrees with details found on Symantec's website, which in part states:
Note from Bo:
Although the email about Sulfnbk.exe is a hoax, never accept an email from someone that has an EXE, COM, VBS, or BAT file attached. There is a very real chance that someone, knowing of the hoax, could send you an email with an infected Sulfnbk.exe attached, saying that they know you deleted it from your machine and that you can use the file they sent you to replace it. That could be a real virus. There is no need. If you have inadvertently deleted the file you will find it on your installation CD, and you can replace it yourself by using the Extract command. Go to Bohunky0's Windows 98 Tips, Tricks, And Tweaks page II to learn how to use the Extract command.
Update: Several readers have written saying that they can't find the Sulfnbk.exe file using the System File Checker or using the Extract command starting with the Base4.cab file. There is a good reason for that, actually. It isn't part of the regular cab string. You will find Sulfnbk.exe in the Precopy1.cab file. If you have WinZip or other archiving software you can extract it that way. If not, you can use the single file extract command as explained on Bohunky0's Windows 98 Tips, Tricks, And Tweaks page II. Just be sure to extract it to your C:\Windows\Command folder if you installed Windows using its default locations. If not, substitute your own path for the one I have listed. Good luck......Bo
Also, if this hoax were spread widely enough it could conceivably clog email servers in much the same way a "Denial of Service" virus does. So, in a real sense, a hoax can be as bad as the real thing. Let's not forget either that some unscrupulous person could attach a more destructive payload aimed at the gullible.
Bo's advice? As a rule of thumb, most of this type of email is nothing more than a hoax. It is also advisable to check with Virus Hoaxes and Myths at VMyths.com before you innocently add to the confusion.
Five tip-offs that you might be looking at a hoax:
Q. What can I do to reduce my chances of getting a computer virus, Bo?
A. I have said it before so it is time to place it here so I need not repeat myself quite so much.
You must buy, install, update, and religiously use one of the major anti-virus packages. Any one will do. They all work fine.
Make Windows show you file name extensions. Many of my friends disagree but, dammit, the only way you can tell if you're about to run a program is to look at the file name extension - EXE, COM, BAT, VBS, VBE, and so on. I know it's retro. I know that, in this enlightened day and age, knowledge of file name extensions is considered (yech!) DOS arcana. But it'll bite you in the butt one day. (Showing file name extensions also helps you keep from accidentally naming a file, oh, resume.txt.doc. Don't laugh. Happens every day.) See below for an explanation:
In particular, watch for files with .VBS or .VBE at the end of the file name. These are VB Script files (the language used by the 'I Love You' virus). Unlike normal programs (.EXE files), it's very unlikely that you'd get a VBScript file sent to you for a legitimate purpose.
To view file extensions on Win 9.x machines:
Don't open or run files attached to messages, unless you know for a fact that the file is clean. Some common sense helps. If you get a message from your Uncle Harry and it says, "Hey, take a look at these pictures of your cousins," you're probably fine. But if you get a message from the guy down the hall that says "A real friend sent this message to you," I mean, good grief! Whaddya want, a big neon push button that says KICK ME?
There's no such thing as a 'trusted source'. Even if your sainted maiden aunt who only uses her computer on Sundays sends you an email attachment - check it. Even Microsoft can't be trusted to supply clean files - on too many occasions we've seen virus infected documents supplied on Microsoft CD or their web site. Trust no-one.
According to Microsoft's list of lame virus excuses, users should be wary of email from people they don't know. But the more recent viruses are sent via addresses from the Outlook Contacts list - so an infected attachment is very likely to come from someone you DO know.
To make sure you save, and do not directly open, an attachment, Microsoft has an add-on called the E-mail Attachment Security Update. Sounds impressive, doesn't it? It's a typical Microsoft effort to make their security efforts appear better than they are. All the 'Security Update' does is force you to save to disk certain types of files that are more likely to carry viruses. It's a good move and worth getting, but it's not worth the considerable weight that Microsoft gives it in their defense. You can get the update for Outlook 97, 98 or 2000.
Outlook 2000 E-mail Attachment Security Update http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm
Outlook 98 E-mail Attachment Security Update
Outlook 97 E-mail Attachment Security Update http://officeupdate.microsoft.com/downloadDetails/O97attch.htm
Internet Explorer (or better yet, upgrade to the newest version) so Outlook and Outlook Express don't automatically run programs when you preview messages. Details are
Users of IE 5.5 need to download a patch from Microsoft; see http://www.microsoft.com/technet/security/bulletin/ms01-020.asp for the latest details.
Looking at a message in Outlook 2000's preview pane cannot infect you (although it may be possible with Outlook 97, 98, or Outlook Express). You cannot be infected by opening a document or spreadsheet with one of the viewers that ship with Windows.
Picture attachments (mostly those ending with .jpg or .gif) are safe - malicious code can't be attached to them.
However Word, Excel or Powerpoint documents can have programs included in them and should always be virus checked.
If in doubt - do a virus scan. It only takes a few moments and won't hurt the attachment.
While it's possible to get infected by viewing random Web sites, it's extremely rare. It's also possible to get infected when you install software from a shrink-wrapped package that you bought on a store shelf, but that's quite unusual, too.
It's possible to get infected when you use the "normal" security settings in Word and Excel (Tools | Macro | Security | Security Level set to "Medium"), but in almost every case you have to give explicit permission for the infecting macro to run.
On the other hand, it's quite easy to get infected by running a program attached to an email message - even a message from someone you know and trust. It's also very easy to get infected if you set Word or Excel's security levels to "Low" - anyone who does should be checked for suicidal tendencies.
Don't ever open (or run) a file attached to an email message until you contact the person who sent you the message and make sure it's OK. Once you get the go-ahead, manually run the attachment through your anti-virus software before you open it, just for good measure.
INCREASE YOUR SECURITY LEVEL
Of course, now there are viruses that use a vulnerability in OE which allows scripts to run from a plain text email. Come on MS, who needs a VBS script to run on an email, text or otherwise? Just admit it Microsoft, you screwed up...so let's fix it! Here are some of the things Microsoft should've built into Windows/Outlook in the first place. I quote:
Have your network administrator filter out all mail attachments with VBS, VBE, EXE, COM, or BAT extensions.
Change the secure content zone to Restricted Sites: In Outlook, select Tools | Options | Security. On that tab there is a drop down in the center panel labeled Zone:. In the drop down, select Restricted Sites. In Outlook Express, you also go to the Tools | Options | Security tab, but here it is the top panel and it is a radio button called Restricted Sites.
Adjust the Restricted Sites setting to disable Active Scripts: With Outlook, you can access the detailed security settings by clicking the button marked Zone Settings on Outlook's Tools | Options | Security tab. Or with either program, you can open IE, pick Tools | Options | Security (in IE, not Outlook or OE). In this dialog, select Restricted Zones in the top window and click on Custom Level. Scroll down to the fourth item from the end which is Scripting | Active Scripting. Microsoft's crazy default is Enable. Change that to Disable. DO IT NOW.
It's really that simple.
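The attachment filter the page tells network administrators to apply (block VBS, VBE, EXE, COM and BAT attachments, always scan Office documents), written here as an added example that is not code from the original page. It also shows why "show file name extensions" matters: with extensions hidden, cousins.jpg.vbs is displayed as cousins.jpg. The sample message is constructed for the demo and modelled on the page's "Vote Virus" description; the SHOW_EXTS list is an assumption about which types Windows hides.

```python
"""Added example: an e-mail attachment filter built on Python's standard email
library. Not the page's own code; the sample message below is constructed."""
import email
from email import policy
from email.message import EmailMessage

BLOCK_EXTS = {"exe", "com", "bat", "vbs", "vbe"}         # the page's "never accept" list
SCAN_EXTS = {"doc", "dot", "xls", "xla", "ppt", "pps"}   # Office files can carry macros
SHOW_EXTS = {"txt", "jpg", "gif", "html"}                # assumption: hidden by Windows' default

def classify_filename(name):
    """Verdict for one file name: 'block', 'scan' or 'allow'. Only the LAST
    extension counts, because that is the one Windows uses to pick a handler;
    'cousins.jpg.vbs' is a script whatever the middle part says."""
    name = name.strip().lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCK_EXTS:
        return "block"
    if ext in SCAN_EXTS:
        return "scan"
    return "allow"

def displayed_name(name):
    """What a user sees with 'Hide extensions for known file types' switched
    on: the final extension is dropped, so 'cousins.jpg.vbs' shows as 'cousins.jpg'."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in BLOCK_EXTS | SCAN_EXTS | SHOW_EXTS:
        return stem
    return name

def check_message(raw):
    """Parse an RFC 822 message; return (real_name, shown_as, verdict) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, displayed_name(name), classify_filename(name)))
    return results

def build_sample():
    """Constructed message modelled on the 'Vote Virus' the page describes."""
    msg = EmailMessage()
    msg["From"] = "uncle.harry@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Peace between America and Islam!"
    msg.set_content("Hi. Is it a war against America or Islam!? Let's vote to live in peace!")
    for fname, mt, st in [("WTC.exe", "application", "octet-stream"),
                          ("cousins.jpg.vbs", "application", "octet-stream"),
                          ("resume.txt.doc", "application", "msword"),
                          ("holiday.jpg", "image", "jpeg")]:
        msg.add_attachment(b"\x00constructed sample bytes\x00", maintype=mt, subtype=st, filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for real, shown, verdict in check_message(build_sample()):
        print(f"{verdict:5}  shown as {shown!r:20}  really {real!r}")
```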
Most important? Don't Panic!
"Panicky users may overwhelm antivirus websites as they try to update their software. Antivirus vendors will do everything in their power to support customers, but they still can't provide updates all at once to the entire planet." See
for other things you should remember when virus hysteria strikes.
In short: Put on your B.S. sniffer, wouldja? If somebody you don't know sends you a message out of the blue that says they love you, well, jeeeez. Get a life, OK? Crimony. I wonder how many straight men got infected by ILOVEYOU messages from other straight men?
Worse still, how many genuine emails of undying love and devotion have been deleted in the virus hysteria? Some budding romances may have been deleted along with files.
Removal Tools from Symantec:
Viruses have become increasingly complex and virus infections involve more system elements than ever before. The Symantec AntiVirus Research Center has developed tools to automatically conduct what would often amount to extensive and tedious manual removal tasks. If your system has become infected, the tools listed below should aid you in repairing the damage.
Removal Tools From TuCows - Thanks Dennis
Other Quick Fixes from around the web
AOL.Trojan.32512 (BuddyList): Removal Tool
Adware and Updates
Do you have adware on your PC? Do you know what it is? Do you know what it's doing? Is it benign? Should you care? So many questions--and often too few answers. To help you understand the risks, CNET has put together an Adware Scorecard that will tell you if you are hosting a notorious adware "evildoer" or a passive software supporter. Run the CatchUp Adware Detect service to rate your risk on the Adware Scorecard.
CNET CatchUp services:
Scan your PC for any out-of-date software.
Check your software for vulnerabilities.
Detect adware and other third-party components.