Welcome to Blaisdell's Little Corner of the Web
Index
Are Web-based e-mail accounts less virus-prone than Outlook?
What you need to do to prevent getting computer viruses in the first place!
Removal Tools from Symantec
The Anatomy of a Hoax
Should I Worry About Code Red?
Worm poses as plea for peace
Latest updates and Service from C|Net & Bohunky0
The NYB virus keeps re-appearing
The NYB virus keeps re-appearing
A reader's Windows XP computer is infected with the NYB virus. He has Norton AntiVirus installed and updated, and although it detects and removes the virus, it keeps coming back; two other scanners behave the same way. The reason they all have the same problem is that NYB is a boot-sector virus: it lives in the master boot record (MBR), not in a file, so cleaning files changes nothing and the infected boot code is loaded again every time the machine starts. That is what makes it nasty to get rid of. If you find yourself in this situation, you could be re-infecting yourself from infected floppy disks, so scan and clean every floppy you own and make sure none is left in the drive when the machine boots. Another possibility is that you are re-infecting yourself from your own master boot record. Go to a clean Windows XP computer and create a bootable floppy for use in the infected computer (the floppy must carry fdisk.exe, which a Windows 98 startup disk has). Boot the infected machine from the clean disk, type "fdisk /mbr" (without the quotes) at the command line and press Enter. This rewrites the MBR boot code and leaves the partition table alone, and should fix your recurring virus problem. Two caveats: run it only from a disk you know is clean, and do not use it on a drive that relies on a third-party boot manager or drive-overlay software, since those keep their own code in the same place and will be overwritten. On Windows XP itself the equivalent is the fixmbr command in the Recovery Console, reached by booting from the XP CD. For more information on the NYB virus, follow this link to the Symantec AntiVirus Research Center's article on the NYB virus.
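A reinfection like the one above can be checked for directly rather than guessed at. The following is an added example, not code from the original page: it takes a raw 512-byte MBR image (the first 512 bytes of the disk, which an imaging tool or an administrator reading \\.\PhysicalDrive0 on Windows can copy out), verifies the boot signature, decodes the partition table and hashes the boot code separately from the table. Compare an image taken after cleaning with one taken before: an MBR infector rewrites the boot code but keeps the partition table so the machine still boots, so "boot code changed" with the table unchanged is the fingerprint of exactly this kind of virus. The two MBR images in the block are constructed for the example, and the few code bytes stand in for real boot code.

```python
"""Compare two raw master boot record images to spot boot-code tampering.

Added example, not code from the original page. The sample images
(CLEAN and INFECTED) are constructed here; real ones would be the first
512 bytes of the disk, read with an imaging tool or from a raw device.
"""
import hashlib
import struct

MBR_SIZE = 512
CODE_END = 446     # bytes 0..445: boot code
TABLE_END = 510    # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr):
    """Decode the four primary partition entries; empty slots are skipped."""
    parts = []
    for i in range(4):
        entry = mbr[CODE_END + 16 * i:CODE_END + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return parts


def mbr_report(mbr):
    """Signature check plus separate hashes of the code and table regions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    return {
        "valid_signature": mbr[TABLE_END:] == SIGNATURE,
        "code_sha256": hashlib.sha256(mbr[:CODE_END]).hexdigest(),
        "table_sha256": hashlib.sha256(mbr[CODE_END:TABLE_END]).hexdigest(),
        "partitions": parse_partitions(mbr),
    }


def compare_mbrs(baseline, current):
    """Return findings describing how `current` differs from `baseline`."""
    before, after = mbr_report(baseline), mbr_report(current)
    findings = []
    if not after["valid_signature"]:
        findings.append("signature missing")
    if before["code_sha256"] != after["code_sha256"]:
        findings.append("boot code changed")
    if before["table_sha256"] != after["table_sha256"]:
        findings.append("partition table changed")
    return findings


def build_mbr(code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    body = code.ljust(CODE_END, b"\x00")[:CODE_END]
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    return body + table.ljust(64, b"\x00") + SIGNATURE


# Constructed sample data: one bootable NTFS-type partition starting at sector 63.
PARTITIONS = [(0x80, 0x07, 63, 2_097_152)]
CLEAN = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTITIONS)
# A boot-sector infector replaces the code but leaves the partition table alone.
INFECTED = build_mbr(b"\xeb\x3c\x90NYB-style stub", PARTITIONS)

if __name__ == "__main__":
    print(compare_mbrs(CLEAN, INFECTED))   # ['boot code changed']
```

Keep the "before" image from a known-clean state (right after a fresh install is ideal); without a baseline the code hash alone tells you nothing, since every BIOS and vendor ships different boot code. A changed partition table is a different finding altogether and usually means something other than a virus.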
Q. Are Web-based e-mail accounts less virus-prone than Outlook?
Is it true that if I use a Web-based e-mail service such as Yahoo I'll be safe from Outlook-related viruses?
A. No. Many new viruses do not require a PC-based e-mail client such as Outlook in order to spread. These new viruses, including Klez, have their own e-mail client (SMTP) and can find e-mail addresses within cached Web pages on an infected machine, bypassing the need to use Outlook's Address Book. Larger Web-based e-mail services, such as Hotmail and Yahoo Mail, screen mail hosted on their sites for viruses, but there's no beating having a good antivirus product on your desktop just in case.
ROBERT VAMOSI
Several fast-spreading worms have been attacking via Internet Explorer in the past few weeks. They're getting in thanks to a known vulnerability that Microsoft patched last March. So why are people's systems still being infected? Rob investigates.

Worm poses as plea for peace
Humankind's capacity for inhumanity should no longer surprise us--certainly not after Sept. 11. So why should anyone be the least bit taken aback by the fact that some miscreant would use this horrific tragedy as a way to spread a computer virus? Still, that some miscreant did leaves me shaking my head. Watch out for the "Vote Virus."
It's spreading via e-mail to users of Microsoft's Outlook e-mail program under the subject line, "Peace between America and Islam!" The body reads: "Hi. Is it a war against America or Islam!? Let's vote to live in peace!" However, when the accompanying attachment--WTC.exe--is opened, the virus deletes all the files on the computer's hard drive and sends itself to everyone in your address book.
Go to the full story by Robert Lemos.
Should I Worry About Code Red?
Q: I keep hearing about the Code Red worm, but so far I haven't come across it myself. Should I worry? What should I do about it? I'm using Windows 98 Second Edition.
A: Win 98 Second Edition? No worries! CodeRed (aka W32/Bady, I-Worm Bady, W32/Bady.worm, etc.) and its offspring, CodeRed II (aka CodeRed.v3, CodeRed.C, W32.Bady.C and CodeRed III), target systems running Windows NT or Windows 2000 with the Internet Information Services Web server (IIS). Running Windows 98, you're safe from this particular nasty.
The reason you hear so much about CodeRed is that variants continue to appear, making it newsworthy. It also attacks the sort of machines used by larger companies, giving it another newsworthy twist. Other, more prevalent viruses sink into obscurity once their news value declines. After all, who wants to hear that the ancient (it first appeared in 1999), unmodified Kak worm is still out there causing a lot more grief to most users than CodeRed?
If you want to know the types of viruses to watch for, avoid the news headlines and check out Trend Micro's real-time virus watch (http://wtc.trendmicro.com/wtc/). Or go to my favourite anti-virus resource, Symantec's AntiVirus Research Center (aka SARC, at http://www.symantec.com/avcenter), and check out the Distribution and Damage graphs for each virus. You'll find that familiar names such as Kak, Sircam, Melissa and Loveletter crop up far more frequently than CodeRed.
For those readers who are running IIS on Win NT or 2000 and who haven't yet done anything about protecting their systems from CodeRed, say a mea culpa or two and then rush right over to SARC or Microsoft's Code Red pages (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp).
Hoaxes can be as bad as a real virus. They plug up mail servers, frighten people into doing things that should not be done and are a general nuisance. The worst part of the problem is that they are almost always propagated by well-meaning people who are alarmed at what they read in an e-mail.
In that light, let's take a look at a recent hoax widely broadcast over the Web.
Hoax has victims trashing harmless file
A hoax e-mail warning people that their PCs may contain a virus called sulfnbk.exe is propagating in the United Kingdom and tricking its victims into trashing a harmless, and potentially helpful, Windows utility. The e-mail is circulating in the United States as well. Bo has received one and I am willing to bet it won't be long before you receive one as well. Don't be fooled. Antivirus experts were quick to point out that the e-mail does not contain a worm and is being passed around by well-meaning people alarmed at its contents.
May 30, 2001, 11:15 a.m. PT | Read Full Story
This is a report from C|Net.com
Just what is SULFNBK.EXE, Bo?
It's a utility shipped as part of the Windows 98 operating system that backs up and restores long file names. Thus, anyone using the Windows 98 operating system would find this file on their system, and that is what makes the hoax convincing: the "virus" you are told to look for is always there. If the hoax were received by these users, and believed, many might delete the file thinking their antivirus software had somehow failed to detect the virus. In fact, it wouldn't be the first time signature-based scanners failed to detect a new virus, making the entire hoax even easier to believe.
Bo's Findings: Microsoft's computer security team, on 29 May 2001, intercepted numerous e-mails with SULFNBK.EXE attachments -- all infected with the well-known Magistr virus. Microsoft's claim contradicts details found on McAfee's website and agrees with details found on Symantec's website, which states in part:
Note from Bo:
Although the e-mail about Sulfnbk.exe is a hoax, never accept an e-mail from someone that has an EXE, COM, VBS, or BAT file attached. There is a very real chance that someone, knowing of the hoax, could send you an e-mail with an infected Sulfnbk.exe attached, saying that they know you deleted it from your machine and that you can use the file they sent you to replace it. That could be a real virus. There is no need. If you have inadvertently deleted the file you will find it on your installation CD and you can replace it yourself by using the Extract command. Go to Bohunky0's Windows 98 Tips, Tricks, And Tweaks page II to learn how to use the Extract command.
Update: Several readers have written saying that they can't find the Sulfnbk.exe file using the System File Checker or using the Extract command starting with the Base4.cab file. There is good reason for that, actually. It isn't part of the regular cab string. You will find Sulfnbk.exe in the Precopy1.cab file. If you have WinZip or another archiving program you can extract it that way. If not, you can use the single-file Extract command as explained on Bohunky0's Windows 98 Tips, Tricks, And Tweaks page II. Just be sure to extract it to your C:\Windows\Command folder if you installed Windows using its default locations. If not, substitute your own path for the one I have listed. Good luck......Bo
Also, if this hoax were spread widely enough it could conceivably clog e-mail servers in much the same way a mass-mailing worm does, a denial of service by sheer volume. So, in a real sense, a hoax can be as bad as the real thing. Let's not forget, either, that some unscrupulous person could attach a more destructive payload aimed at the gullible.
Bo's advice? As a rule of thumb, most e-mail of this type is nothing more than a hoax. It is also advisable to check with Virus Hoaxes and Myths at VMyths.com before you innocently add to the confusion.
Five tip-offs that you might be looking at a hoax:
Q. What can I do to reduce my chances of getting a computer virus, Bo?
A. I have said it before, so it is time to place it here so I need not repeat myself quite so much.
You must buy, install, update, and religiously use one of the major anti-virus packages. Any one will do. They all work fine.
Make Windows show you file name extensions. Many of my friends disagree but, dammit, the only way you can tell if you're about to run a program is to look at the file name extension - EXE, COM, BAT, VBS, VBE, and so on. I know it's retro. I know that, in this enlightened day and age, knowledge of file name extensions is considered (yech!) DOS arcana. But it'll bite you in the butt one day. (Showing file name extensions also helps you keep from accidentally naming a file, oh, resume.txt.doc. Don't laugh. Happens every day.) See below for an explanation.
In particular, watch for files with .VBS or .VBE at the end of the file name. These are VBScript files (the language used by the 'I Love You' virus). Unlike normal programs (.EXE files), it's very unlikely that you'd get a VBScript file sent to you for a legitimate purpose. Remember that Windows decides what to run by the last extension, so with extensions hidden a file named LOVE-LETTER-FOR-YOU.TXT.vbs shows up as an innocent-looking LOVE-LETTER-FOR-YOU.TXT.
To view file extensions on Win 9.x machines: open My Computer or Windows Explorer, choose View | Folder Options (View | Options on an original Windows 95), click the View tab, clear the box labelled "Hide file extensions for known file types" and click OK.
Don't open or run files attached to messages unless you know for a fact that the file is clean. Some common sense helps. If you get a message from your Uncle Harry and it says, "Hey, take a look at these pictures of your cousins," you're probably fine. But if you get a message from the guy down the hall that says "A real friend sent this message to you," I mean, good grief! Whaddya want, a big neon push button that says KICK ME?
There's no such thing as a 'trusted source'. Even if your sainted maiden aunt who only uses her computer on Sundays sends you an e-mail attachment - check it. Even Microsoft can't be trusted to supply clean files - on too many occasions we've seen virus-infected documents supplied on Microsoft CDs or their web site. Trust no one.
According to Microsoft's list of lame virus excuses, users should be wary of e-mail from people they don't know. But the more recent viruses are sent via addresses from the Outlook Contacts list - so an infected attachment is very likely to come from someone you DO know.
To make sure you save, and do not directly open, an attachment, Microsoft has an add-on called the E-mail Attachment Security Update. Sounds impressive, doesn't it? It's a typical Microsoft effort to make their security efforts appear better than they are. All the 'Security Update' does is force you to save to disk certain types of files that are more likely to carry viruses. It's a good move and worth getting, but it's not worth the considerable weight that Microsoft gives it in their defense. You can get the update for Outlook 97, 98 or 2000:
Outlook 2000 E-mail Attachment Security Update
http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm
Outlook 98 E-mail Attachment Security Update
http://officeupdate.microsoft.com/downloadDetails/O98attch.htm
Outlook 97 E-mail Attachment Security Update
http://officeupdate.microsoft.com/downloadDetails/O97attch.htm
Patch Internet Explorer (or better yet, upgrade to the newest version) so Outlook and Outlook Express don't automatically run programs when you preview messages. Users of IE 5.5 need to download a patch from Microsoft; see http://www.microsoft.com/technet/security/bulletin/ms01-020.asp for the latest details.
Looking at a message in Outlook 2000's preview pane cannot infect you once that patch is in place (although it may still be possible with Outlook 97, 98, or Outlook Express). You cannot be infected by opening a document or spreadsheet with one of the viewers that ship with Windows.
Picture attachments (mostly those ending with .jpg or .gif) are safe in the sense that an image file is data, not a program: nothing in it runs when you look at it. Check, though, that the name really ends in .jpg or .gif and not in something like .jpg.exe, and that extensions are showing so you can tell. Word, Excel or PowerPoint documents, however, can have programs (macros) included in them and should always be virus checked.
If in doubt, do a virus scan. It only takes a few moments and won't hurt the attachment.
While it's possible to get infected by viewing random Web sites, it's extremely rare. It's also possible to get infected when you install software from a shrink-wrapped package that you bought on a store shelf, but that's quite unusual, too.
It's possible to get infected when you use the "normal" security settings in Word and Excel (Tools | Macro | Security | Security Level set to "Medium"), but in almost every case you have to give explicit permission for the infecting macro to run.
On the other hand, it's quite easy to get infected by running a program attached to an e-mail message - even a message from someone you know and trust. It's also very easy to get infected if you set Word or Excel's security levels to "Low" - anyone who does should be checked for suicidal tendencies.
Don't ever open (or run) a file attached to an e-mail message until you contact the person who sent you the message and make sure it's OK. Once you get the go-ahead, manually run the attachment through your anti-virus software before you open it, just for good measure.
INCREASE YOUR SECURITY LEVEL
Of course, now there are viruses that use a vulnerability in Outlook Express which lets a script run from what appears to be a plain-text e-mail. Come on, MS: who needs a VBS script to run from an e-mail, text or otherwise? Just admit it, Microsoft, you screwed up... so let's fix it. Here are some of the things Microsoft should have built into Windows/Outlook in the first place. I quote:
Have your network administrator filter out all mail attachments with VBS, VBE, EXE, COM, or BAT extensions.
Change the secure content zone to Restricted Sites: In Outlook, select Tools | Options | Security. On that tab there is a drop-down in the center panel labeled Zone:. In the drop-down, select Restricted Sites. In Outlook Express, you also go to the Tools | Options | Security tab, but here it is the top panel and it is a radio button called Restricted Sites.
Adjust the Restricted Sites setting to disable Active Scripting: With Outlook, you can access the detailed security settings by clicking the button marked Zone Settings on Outlook's Tools | Options | Security tab. Or, with either program, you can open IE and pick Tools | Options | Security (in IE, not Outlook or OE). In this dialog, select Restricted Zones in the top window and click on Custom Level. Scroll down to the fourth item from the end, which is Scripting | Active Scripting. Microsoft's crazy default is Enable. Change that to Disable. DO IT NOW.
It's really that simple.
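The extension advice earlier on this page and the administrator-side filter quoted just above come down to the same check, and it is worth seeing why the naive version fails. The following is an added example, not code from the original page or from Microsoft: it parses a MIME message with Python's email package and flags attachments whose last extension is an executable type. Using the last extension, case-insensitively and with stray whitespace stripped, is what catches the double-extension trick (LOVE-LETTER-FOR-YOU.TXT.vbs), and the helper beside it shows what such a name looks like on a machine that hides extensions. The message is constructed for the example, and the extension list goes a little beyond the page's five (EXE, COM, BAT, VBS, VBE) by adding other Windows types that run the same way on a double-click.

```python
"""Flag executable e-mail attachments by their real (last) extension.

Added example, not code from the original page. The sample message is
constructed below; RISKY_EXTENSIONS starts from the five types named on
the page and adds a few more Windows types that execute the same way.
"""
import email
import os
from email import policy
from email.message import EmailMessage

RISKY_EXTENSIONS = {
    ".exe", ".com", ".bat", ".vbs", ".vbe",          # the five named on this page
    ".scr", ".pif", ".js", ".jse", ".wsf", ".wsh",   # added: also run on a double-click
}


def real_extension(filename):
    """The extension Windows uses to decide what runs: the last one, lower-cased."""
    return os.path.splitext(filename.strip())[1].lower()


def shown_with_extensions_hidden(filename):
    """What Explorer displays for a registered type when extensions are hidden."""
    return os.path.splitext(filename.strip())[0]


def risky_attachments(raw_message):
    """Names of attachments in a raw RFC 822 message that a filter should block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if real_extension(name) in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample_message():
    """Constructed message: one harmless picture and two executable attachments."""
    msg = EmailMessage()
    msg["From"] = "uncle.harry@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Pictures of your cousins"
    msg.set_content("Hi, take a look at these.")
    msg.add_attachment(b"\xff\xd8\xff\xe0 fake jpeg data", maintype="image",
                       subtype="jpeg", filename="cousins.jpg")
    msg.add_attachment(b'MsgBox "gotcha"', maintype="application",
                       subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"MZ fake executable", maintype="application",
                       subtype="octet-stream", filename="Sulfnbk.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in risky_attachments(build_sample_message()):
        shown = shown_with_extensions_hidden(name)
        print(f"block {name!r} (appears as {shown!r} with extensions hidden)")
```

Note what the filter does not do: it trusts the declared filename and never looks at the bytes, so an .exe renamed to .jpg slips through. That is acceptable here because Windows will not run a .jpg as a program either; the check is aimed at what the user can be tricked into double-clicking, not at everything that is malicious.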
Most important? Don't Panic!
"Panicky users may overwhelm antivirus websites as they try to update their software. Antivirus vendors will do everything in their power to support customers, but they still can't provide updates all at once to the entire planet." See http://Vmyths.com/resource.cfm?id=31&page=1 for other things you should remember when virus hysteria strikes.
In short: put on your B.S. sniffer, wouldja? If somebody you don't know sends you a message out of the blue that says they love you, well, jeeeez. Get a life, OK? Crimony. I wonder how many straight men got infected by ILOVEYOU messages from other straight men? Worse still, how many genuine e-mails of undying love and devotion have been deleted in the virus hysteria? Some budding romances may have been deleted along with the files.
Viruses have become increasingly complex and virus infections involve more system elements than ever before. The Symantec AntiVirus Research Center has developed tools to automatically conduct what would often amount to extensive and tedious manual removal tasks. If your system has become infected, the tools listed below should aid you in repairing the damage.
Removal Tools From TuCows - Thanks Dennis
Other Quick Fixes from around the web
| Threat | Tool |
| VBS.Potok@ | Removal Tool |
| W32.Sircam.Worm@ | Removal Tool |
| VBS.Haptime | Removal Tool |
| W95.HybrisF | Removal Tool |
| W32.Kriz | Removal Tool |
| W32.Navidad | Removal Tool |
| W32.HLLW.QAZ.A | Removal Tool |
| W95.MTX | Removal Tool |
| W32.FunLove.4099 | Removal Tool |
| Wscript.Kakworm | Removal Tool |
| Wscript.Kakworm.B | Removal Tool |
| Happy99.Worm | Removal Tool |
| VBS.Loveletter | Removal Tool |
| PrettyPark.Worm | Removal Tool |
| VBS.Stages.A | Removal Tool |
| W2K.Stream | Removal Tool |
| AOL.Trojan.32512 (BuddyList) | Removal Tool |
| W95.CIH | Removal Tool |
| Worm.ExploreZip | Removal Tool |