Note: updates since the 31-May-2002 version of this document are in red.

I. COMPREHENSIVE VIRUS INFORMATION ON THE WEB:

More information about almost all computer viruses is available on the following excellent web sites, which are run by eight companies that make anti-virus tools:

http://www.symantec.com/avcenter/vinfodb.html (Symantec/Norton)
http://vil.mcafee.com/ (McAfee/NAI)
http://www.f-secure.com/v-descs/ (F-Secure)
http://www.antivirus.com/vinfo/ (Trend Micro)
http://www.sophos.com/virusinfo/analyses/ (Sophos)
http://www.virusdb.com/ (Kaspersky)
http://www.quickheal.com/alerts.htm (Cat Computer Services)
http://www3.ca.com/virus/ (Computer Associates)

Sophos also has an excellent "virus prevention primer," here:
http://www.sophos.com/virusinfo/whitepapers/prevention.html

These three sites have a lot of excellent information about viruses, virus hoaxes, anti-virus tools, etc.:
http://www.virusall.com/ <-- this site is really good!
http://www.ciac.org/ciac/
http://www.virusbtn.com/

The FBI, Stiller Research, nsclean.com, and Georgi Guninski sites also have information about computer security issues:
http://www.nipc.gov/ (FBI)
http://www.stiller.com/
http://www.nsclean.com/
http://www.guninski.com/

Note: Determining the source of a virus- or worm-laden email can be tricky. You can usually figure it out by examining the full email headers. For some viruses, it is just the "From:" address. Magistr slightly mangles the "Return-Path:" address, and leaves the "From:" address pointing to the user of the infected machine. However, Klez.h usually forges the "From:" address to point to an innocent third party, and the "Return-Path:" (or the UUCP-style "From " envelope line) address usually points to the user of the infected machine. Examine the bottom (oldest) of the "Received:" headers for consistency with the "Return-Path:" address, to confirm that the "Return-Path:" is probably correct.
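The header check just described, written out as a small Python script. This is an added example, not part of the original page: it applies the rule above (prefer "Return-Path:" over "From:" only when the oldest "Received:" line is consistent with it, and prefer an "X-Apparently-From:" header when a relay such as AOL's has rewritten "Return-Path:" to match the forged "From:"). The two messages it parses are constructed for illustration; every host, address, IP and queue ID in them is invented (.example domains and 192.0.2.x documentation addresses), and the verdict wording is mine.

```python
"""Pick the probable source of a worm-laden email from its full headers.

Added example, not from the original page.  Sample messages are
constructed; all names, addresses and IPs in them are invented.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: Klez-style message.  From: names an innocent third
# party; Return-Path: and the oldest Received: line both point at the
# infected user's ISP.
SAMPLE_KLEZ = """\
Return-Path: <infected.user@example.net>
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTP id 4A1B2C
    for <victim@recipient.example>; Tue, 11 Jun 2002 10:15:02 -0400
Received: from [192.0.2.55] (dsl-55.example.net [192.0.2.55])
    by mail.example.org (8.11.6/8.11.6) with SMTP id g5BEExx12345
    for <victim@recipient.example>; Tue, 11 Jun 2002 10:14:58 -0400
From: "Innocent Bystander" <bystander@example.com>
To: victim@recipient.example
Subject: a special humour game

(body omitted)
"""

# Constructed sample: the AOL-relay case.  Return-Path: has been rewritten
# to match the forged From:, but X-Apparently-From: carries the real sender.
SAMPLE_AOL = """\
Return-Path: <bystander@example.com>
X-Apparently-From: aoluser@aol.example
Received: from imo-r01.aol.example (imo-r01.aol.example [192.0.2.77])
    by mx.recipient.example (Postfix) with ESMTP id 7D8E9F
    for <victim@recipient.example>; Wed, 12 Jun 2002 08:03:11 -0400
From: "Innocent Bystander" <bystander@example.com>
To: victim@recipient.example
Subject: look,my beautiful girl friend

(body omitted)
"""

_CLAIMED = re.compile(r'^from\s+(\S+)', re.IGNORECASE)   # name the sender claimed (HELO)
_RDNS = re.compile(r'\(([A-Za-z0-9.-]+)\s*\[')           # reverse DNS recorded by receiving MTA
_IP = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')       # first bracketed IPv4 address


def parse_received(value):
    """Return (claimed_host, reverse_dns, ip) from one Received: header."""
    value = ' '.join(value.split())          # unfold continuation lines
    claimed = _CLAIMED.search(value)
    rdns = _RDNS.search(value)
    ip = _IP.search(value)
    return (claimed.group(1) if claimed else None,
            rdns.group(1) if rdns else None,
            ip.group(1) if ip else None)


def domain_of(address):
    return address.rsplit('@', 1)[-1].lower() if '@' in address else ''


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = (host or '').lower().strip('[]')
    return bool(domain) and (host == domain or host.endswith('.' + domain))


def probable_source(raw_message):
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get('From', ''))[1]
    return_path = parseaddr(msg.get('Return-Path', ''))[1]
    apparently = parseaddr(msg.get('X-Apparently-From', ''))[1]
    received = msg.get_all('Received') or []
    # Each hop prepends its Received: line, so the last one in the list is
    # the oldest: the hop that first accepted the message from the sender.
    claimed, rdns, ip = parse_received(received[-1]) if received else (None, None, None)
    origin_host = rdns or claimed
    result = {'from': from_addr, 'return_path': return_path,
              'origin_host': origin_host, 'origin_ip': ip}
    if apparently:
        result['source'] = apparently
        result['verdict'] = 'X-Apparently-From: present; relay rewrote Return-Path: to match forged From:'
    elif host_in_domain(origin_host, domain_of(return_path)):
        result['source'] = return_path
        result['verdict'] = 'Return-Path: agrees with oldest Received:; From: is probably forged'
    elif host_in_domain(origin_host, domain_of(from_addr)):
        result['source'] = from_addr
        result['verdict'] = 'From: agrees with oldest Received:'
    else:
        result['source'] = None
        result['verdict'] = 'oldest Received: corroborates neither address; inspect by hand'
    return result


if __name__ == '__main__':
    for sample in (SAMPLE_KLEZ, SAMPLE_AOL):
        r = probable_source(sample)
        print(f"From: {r['from']}  Return-Path: {r['return_path']}  "
              f"origin: {r['origin_host']} [{r['origin_ip']}]")
        print(f"  -> probable source: {r['source']}  ({r['verdict']})")
```

The domain comparison is only a consistency heuristic: a dial-up or DSL user's reverse DNS is the ISP's name, which matches the mail domain only when the ISP also provides the mailbox. When the script reports that neither address is corroborated, that is a prompt to read the headers by hand, not a verdict that the mail is clean.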
However, if the virus came from an AOL user, the AOL mailservers will have changed the "Return-Path:" address to match the (forged) "From:" address, and will have added an "X-Apparently-From:" header with the actual (AOL) source of the virus. For more about Klez, see section VII (below).

II. THE EASIEST DEFENSE:

Most common computer viruses these days travel by email. The easiest defense against email-borne viruses (assuming that your computer is not already infected!) is simply to use a Yahoo or Hotmail account for your email, instead of using Microsoft's email clients. Yahoo, Hotmail and some other free web-based email services have integrated commercial virus-scanners into their email systems. If you let suspicious incoming emails "age" for a day or so before scanning the attachments on Yahoo or Hotmail (so that the scanner's virus definitions have had time to catch up with a brand-new virus), you will be safe from the great majority of virus-laden emails. This is a very good solution for Internet novices.

III. PRECAUTIONS FOR WINDOWS USERS:

a) Remember the most basic rule: Don't open file attachments unless you have some way of knowing that they are legitimate. (If you're saying to yourself, "duh, of course!" then skip ahead to III.b.)

What does that mean, exactly? Here are some examples:

o If it is a program, and the sender didn't write it himself, don't run it, period. If someone sends you a "fun" program or screensaver that they "found" somewhere, do not open it. It doesn't matter whether they tried it or not -- these things can contain "time bombs," so that they appear to work as advertised for a while before doing their damage; testing it cannot prove that it is safe.

o If the file attachment comes from a stranger, you cannot know that it is legitimate, so don't open it.

o If it appears to be from someone you know, but there's nothing to prove that it is really from him, then you can't know that it is legitimate, so don't open it. Worms/viruses routinely forge email headers, so most computer worms & viruses that you receive will appear to be from someone you know.
o On the other hand, if your colleague told you on the phone, "I'll send you the JPEG picture this afternoon," and, as promised, it shows up, it is pretty safe. (But avoid Word .doc files and Excel .xls files if possible, since they occasionally contain macro viruses.)

o Or if the email contains identifying information that could not have been written by a stranger (e.g., if it is signed, "your little brother, Frank"), it is probably safe.

b) Some common viruses, such as Badtrans, Klez & Yaha, exploit a flaw in Internet Explorer's MIME handling, on which the Outlook Express "preview pane" relies, to run automatically, without being explicitly opened. A good remedy is to use a non-Microsoft email client, such as Eudora, Pegasus Mail, or the Mozilla mail client, instead of Outlook Express or Outlook. Pegasus and Mozilla are free, and Eudora is free for personal use.

Users of Outlook Express (or Outlook) should make the following setting change to prevent viruses like Badtrans from running automatically when email is viewed in the Outlook Express or Outlook preview pane. First you need to start Outlook Express or Outlook (not Internet Explorer). Then set:

    Tools -> Options -> Security -> Restricted Sites Zone

(Note: some newer computers with pre-installed software might come with this set by default, which is good.)

(This applies to Outlook Express 5.0-6.0, and to Outlook 98. There are probably similar settings that need to be adjusted in other versions of Outlook, but I don't know whether they are identical.)

Also, with some versions of Outlook Express and Internet Explorer 5.xx, it might be necessary to make an additional setting change, in Internet Explorer:

    Internet Explorer 5.xx: Tools -> Internet Options -> Security -> Restricted Sites -> Custom Level -> Downloads / File Download -> Disable

(Note: if it was already disabled, that is good.)

These settings limit what HTML email is allowed to do; you should also apply Microsoft's security updates for Outlook Express and Internet Explorer, which fix the underlying bug (see section VII). And none of this will protect you if you "open" an infected executable email attachment yourself. So don't!
Most people should never need to open any attachments except .jpg or .jpeg files (photos), and perhaps .rtf or .txt files (documents). Also, the same rules apply when someone sends you a file via IRC. Some viruses spread that way, too.

However, Windows' default file viewing options can hide the true file extension, so that you can be fooled into opening a .com, .exe, .doc, .xls, .xlw, .vbs, .bat, .pif, .scr, or other infected file if it is named "file.jpg.exe" or similar. Until you change the option, Windows hides the last dot and extension, supposedly as a "user-friendly" feature, so "file.jpg.exe" is listed as "file.jpg". To reduce your likelihood of being fooled, change the option:

First, start Windows Explorer or Windows NT Explorer, then find the Options menu item under either View or Tools. Then select the "View" pane. Then uncheck the checkbox labeled "Hide file extensions for known file types" (or, on older versions, "Hide MS-DOS file extensions for file types that are registered"). While you are there, also select the radio button for "Show hidden files and folders." (Microsoft seems to rearrange and reword the menus in every new version of Windows):

    Windows Explorer or Windows NT Explorer:
    Tools -> Folder Options -> View ->   (or: View -> Options -> View -> )
      then uncheck "Hide file extensions for known file types"
      or uncheck "Hide MS-DOS file extensions for file types that are registered"
      and select "Show hidden files and folders"

Unfortunately, changing the option does not work for .pif files: Windows never shows the .pif extension, even with that option turned off. You can see for yourself, by performing a little experiment:

1) Copy an innocuous program file, like calc.exe, to c:\ (or some other suitable location), and rename it to README.TXT.pif
2) Run Windows Explorer or Windows NT Explorer and view the files in c:\
3) Note that README.TXT.pif is shown as README.TXT
4) Double-click on it, and see that the program (calc.exe) runs

If that program had been a malicious file attachment, it could have wiped out your hard disk drive! (Thank you, Microsoft.) But there is a subtle visible clue, which can tip you off about the threat.
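Before looking at that clue, here is the same experiment as a small Python model of what Explorer displays, so you can try other attachment names without renaming files. This is an added example, not part of the original page. RISKY and HARMLESS are the extension lists given above. ALWAYS_HIDDEN is an assumption: the file types whose registry class carries the NeverShowExt flag (.pif, .lnk, .shs, .shb, .url, .scf), which Explorer hides even after "Hide file extensions for known file types" is turned off. Real Explorer treats every registered extension as "known"; this model only knows the two lists it is given.

```python
"""Model what Windows Explorer shows for an attachment name, and whether
the name hides a runnable file.

Added example, not from the original page.  ALWAYS_HIDDEN is an
assumption (registry NeverShowExt types); RISKY/HARMLESS are the lists
from the text above.
"""
import os

RISKY = {'.com', '.exe', '.doc', '.xls', '.xlw', '.vbs', '.bat', '.pif', '.scr'}
HARMLESS = {'.jpg', '.jpeg', '.rtf', '.txt'}
ALWAYS_HIDDEN = {'.pif', '.lnk', '.shs', '.shb', '.url', '.scf'}   # assumption, see lead-in


def real_extension(name):
    """The extension Windows actually acts on: everything after the last dot."""
    return os.path.splitext(name)[1].lower()


def explorer_displays(name, hide_known_ext=True):
    """Name as Explorer lists it.  With the default option on, the last
    extension of any known type is dropped; NeverShowExt types are dropped
    regardless of the option."""
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in ALWAYS_HIDDEN:
        return base
    if hide_known_ext and ext in RISKY | HARMLESS:
        return base
    return name


def assess(name, hide_known_ext=True):
    """Classify an attachment name: what is shown, what it really is, and
    whether the shown name misleads about a runnable file."""
    shown = explorer_displays(name, hide_known_ext)
    ext = real_extension(name)
    shown_ext = real_extension(shown)
    return {
        'shown': shown,
        'real_ext': ext,
        'risky': ext in RISKY,                       # can run code or carry macros
        # displayed name ends in a harmless-looking extension while the real
        # one is runnable: the "file.jpg.exe" / "README.TXT.pif" trick
        'deceptive': ext in RISKY and shown_ext in HARMLESS,
    }


if __name__ == '__main__':
    for name in ('README.TXT.pif', 'photo.jpg.exe', 'vacation.jpg', 'report.doc'):
        for hide in (True, False):
            a = assess(name, hide)
            print(f"{name:16} hide_ext={hide!s:5} shown as {a['shown']:16} "
                  f"risky={a['risky']} deceptive={a['deceptive']}")
```

Running it shows the point of the experiment: with the option turned off, "photo.jpg.exe" stops being deceptive because the .exe becomes visible, but "README.TXT.pif" is still listed as README.TXT.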
Look again at "README.TXT" (really README.TXT.pif) in Windows Explorer. Note the "MS-DOS" program shortcut icon: a genuine .txt file would have the text-document icon instead.

IV. FREE VIRUS REMOVAL AND PROTECTION TOOLS:

The most common viruses/worms going around right now seem to be Klez/ElKern/Foroux, Bugbear, Magistr, Yaha/Lentin, Sircam, Goner, Badtrans, Qaz, and Hybris. There are free removal tools available for all nine of these, and for many other viruses.

This site has a quite comprehensive list of virus removal tools:
http://virusall.com/downrem.html

Symantec/Norton has many free virus removal tools, including tools for removing Bugbear, Sircam, Goner, Badtrans, Hybris, Nimda, Qaz, Kriz, the most common Klez/ElKern variants, Yaha (Lentin), and several others (but not Magistr or CIH/Chernobyl), here:
http://www.symantec.com/avcenter/tools.list.html

McAfee/NAI also has a few, here:
http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp

Sophos also has some, including free Magistr, CIH/Chernobyl, and Yaha/Lentin removal tools:
http://www.sophos.com/support/disinfection/

Gibson Research has a CIH/Chernobyl recovery tool, here:
http://grc.com/cih.htm

Kaspersky has a free tool to remove Klez, Sircam and Goner, here:
ftp://ftp1.avp.ch/utils/clrav.com

Cat Computer Services has free removal tools for Klez.h, CIH/Chernobyl, and some others, here:
http://www.quickheal.com/othdown.htm

Note: Klez.h (and some other Klez variants) are sometimes identified as Klez.gen.

SRN Micro (Solo AntiVirus) and Prognet (Fire AntiVirus) are closely related companies, with similar web sites but somewhat different selections of free virus removal tools.
They offer free tools to remove Klez, Badtrans, Sircam, Kriz, CIH/Chernobyl, Goner, and some others, here:
http://www.srnmicro.com/downloads/
or http://fireav.com/downloads/
or http://www.antivirus-download.com/downloads/

BitDefender has free removal tools for Klez, Kriz, Magistr, Sircam, Qaz, Badtrans, and others, here:
http://www.bitdefender.com/html/free_tools.php

Trend Micro has free removal tools for Klez, Goner (tool & instructions), and Sircam (tool & instructions); enter the virus name in the search box on their web site:
http://www.trendmicro.com

eScan/Microworld and F-Secure also have free Klez removal tools, here:
http://www.mwti.net/form.asp?url=free.asp
ftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zip

Note: there are many variants of Klez; the free removal tools might not remove all of them.

"The Cleaner" is a product which claims to be able to remove many kinds of worms & viruses, including Magistr. It has a 30-day free trial period:
http://www.moosoft.com/

Also, one or more of the free general-purpose anti-virus packages can probably remove your virus infection. Yes, you read that correctly! Some of the less well-known general-purpose anti-virus packages can be had for free, for home use. They appear to be very credible alternatives to the expensive big two (Norton & McAfee):
http://www.grisoft.com/
http://www.frisk.is/f-prot/download/ (DOS version is free)
http://www.free-av.com/

Plus these, which require a web connection when you use them:
http://www.pandasoftware.com/activescan/com/
http://housecall.antivirus.com/
http://security.norton.com/us/intro.asp?venid=sym&langid=us
and some others listed at http://virusall.com/downscan.html

Plus, many of the non-free anti-virus utilities have free 25-day or 30-day demo versions or shareware versions available.
Some are available at the manufacturers' web sites, such as NOD32 from Eset, and Solo AntiVirus from SRN Micro:
http://www.nod32.com/scriptless/download/trial.htm
http://www.srnmicro.com/downloads/evaluate/TrySolo.exe

Others are at the usual shareware web sites. E.g., Tucows has demos for F-Secure, Norton, Kaspersky, eScan, Panda, and others:
http://www.tucows.com/system/virus95.html

But don't get "Admiral VirusScanner" or "In Vircible Anti virus" because they are "spyware" -- see the usual spyware list sites:
http://www.spychecker.com/ & http://www.tom-cat.com/spybase/spylist.html
(Note: "spyware" is similar to "scumware" -- you don't want it.)

Note: Real anti-virus tools do not show up in your email mailbox as unsolicited file attachments. So don't be fooled! One of the Klez variants tries to induce you to run it by claiming to be an antidote to, of all things, the Klez.E worm/virus. It says:

    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'.

That is a lie. The email attachment is the virus/worm. Don't run it.

V. FIREWALLS:

Firewall programs are not really anti-virus tools, though they can help to prevent some kinds of virus infection. But they are useful for preventing other kinds of security problems, like having your computer's hard disk drive accidentally appear in the Microsoft Network Neighborhood of your neighbor down the road, who happens to have a cablemodem like yours. Especially if you have an "always on" high speed DSL or cablemodem internet connection, you should use some sort of firewall.
Two very good, free (for personal use) firewalls for MS Windows are "ZoneAlarm" and "Tiny Personal FireWall," available here:
http://www.zonelabs.com/products/za/
http://download.cnet.com/downloads/0-10105-108-71881.html?tag=st.dl.10105.upd.10105-108-71881

Both ZoneAlarm and TPFW are much better than some of the non-free firewalls, such as "BlackICE Defender" and the Symantec/Norton product. ZoneAlarm is probably easier to install than TPFW, but TPFW might be a bit more flexible, and is preferred by some technically savvy users.

The best source of information for MS Windows users about firewalls and related security issues is Steve Gibson's site:
http://www.grc.com/

Steve's "Shields Up" test can tell you whether your computer and Internet connection have the most common internet security "leaks." Testing your system is free, very easy, and well worth your time. Steve rates Windows firewalls here:
http://grc.com/lt/scoreboard.htm

VI. HOAXES:

"Virus warning" emails which ask you to forward them on to lots of other people are almost always hoaxes. Don't forward them. (This includes the sulfnbk.exe and jdbgmgr.exe virus hoaxes, which talk people into deleting legitimate Windows files.) In fact, almost all emails which ask you to forward them on to lots of other people are untrue. Most are pure hoaxes, a few are partially true, and almost none are entirely true. If you receive any message that asks you to forward it on to lots of other people, you can be almost certain that it is a hoax or a scam. I've seen 'em all: the virus warnings, the Procter & Gamble smears, the lost or dying child heartstring-tuggers, the MLM scams, the Madalyn Murray O'Hair / FCC story, the internet tax hoaxes, etc., etc. They are all false. (Note: the email claiming to be a Klez antidote program is false, too. Running it will infect, rather than protect, your computer; see above.)
Only if such an email chain-letter references a verifiable, recognizable, on-line source for more information (such as www.microsoft.com/something) should you even consider the possibility that it might be true. Even then it probably is not. Of the hundreds of chain emails I've received over the last few years, only three were verifiably or probably true. (One of the true ones was a plug for the National Day of Prayer in 1999 or 2000; the 2nd was a note from a Mrs. Lindsey Yeskoo about President Bush's personal prayer request which he shared with her when she met him briefly in Shanghai in October, 2001; the 3rd was from an Amnesty International affiliate about the stoning sentence of a Nigerian woman named Amina Lawal.)

Usually, the easiest way to verify that email chain-letters are untrue is to look for them on one of the "hoax buster" web sites. Also, virus warning chain-letters can be checked on the usual virus information web sites (Section I, above).

Here are some "hoax buster" web sites for checking suspected email hoaxes. I suggest bookmarking at least the first two of these links (if using Internet Explorer, add them to your "favorites"):
http://www.truthorfiction.com/
http://www.snopes.com/info/search/
http://UrbanLegends.MiningCo.com/
http://www.breakthechain.org/
http://hoaxbusters.ciac.org/
http://www.truthminers.com/truth/
http://www.hoax-slayer.com/

One caution about snopes.com: They have a very comprehensive and useful hoax database, but they also have a political slant that, IMO, makes them a less reliable source of information about emails with political topics.

VII. REMOVING THE KLEZ.H VIRUS:

This section is for people whose computers are already infected with a Klez virus (probably Klez.H, which is also sometimes identified as Klez.gen, Klez.G, or Klez.I). If, instead, you need to find out the source of a Klez-infected email, see section I, above.
This is the Symantec/Norton info about this virus:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

This is the Sophos info about this virus:
http://www.sophos.com/virusinfo/analyses/w32klezh.html

This is the F-Secure info about this virus:
http://www.f-secure.com/v-descs/klez_h.shtml

Note: Most people who get the Klez.H virus get it because they are using an unpatched (buggy) version of Microsoft Outlook Express to read email. So after you remove the Klez.H virus, be sure to follow the instructions in section III (above) to install the latest Microsoft fixes and setting changes for Outlook Express and Internet Explorer. Or delete Outlook Express from your computer and just use a Yahoo account for email! (For details about how the Outlook Express/IE bug works, see microsoft_mime_bug.txt.)

If you have an anti-virus tool like Norton Anti Virus ("NAV") but can't get it to install, the reason is probably that Klez is already running, and it blocks many anti-virus tools from starting. You might be able to get your AV tool to work if you shut down the computer, turn the power off, wait 30 seconds (to clear RAM memory), and then start up the computer in "safe mode" (usually by pressing F8 while Windows starts) before trying to run the AV tool. In safe mode, the programs that Klez registered to start automatically are not run, so it cannot block the AV tool.

Note: If you are running Windows Me or Windows XP, then you should also disable its "System Restore" feature before shutting down; otherwise an infected copy of the virus can survive in a restore point and be put back later.
For how to do so under Win-Me, see:
http://service2.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
For how to disable System Restore under Win-XP, see:
http://service4.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

But the easiest way to remove the virus is probably to run one of the tools that is specifically designed to remove this particular virus. There are at least six different free Klez removal tools available from various AV software vendors. Most are quite small, so you could download several of them onto a single diskette, and still have room to spare.
I don't know for certain which Klez removal tool is best, but www.techtips4u.com says that it is Symantec's:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

Cat Computer Services has one which I'm told sometimes works even when the Symantec and Kaspersky tools fail:
http://www.quickheal.com/killklez.htm

Kaspersky also has a simple one (also available from F-Secure):
ftp://ftp1.avp.ch/utils/clrav.com
or ftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zip

I recommend that you download the Symantec/Norton tool, the CAT Computer Services tool, and the Kaspersky tool onto a diskette, then write-protect the diskette and take it to the infected computer. (Write-protecting it keeps the infected machine from writing the virus onto the diskette.) Then follow the instructions and run the Symantec tool first. If it fails, then run the CAT tool. Then reboot and run the Kaspersky tool to verify that the Symantec or CAT tool successfully removed the virus. (For links to some other free Klez removal tools, see section IV, above.)

Note #1: if you have several computers networked together, then you need to first disconnect the network (or power off the hub). Then run the virus removal tool on every Windows computer on your network before reconnecting the network. Otherwise, Klez is likely to immediately reinfect your freshly-disinfected computers, via your network (it spreads through open file shares as well as by email). Then go back and read the rest of this document, so you can learn how to avoid future virus infections!

Note #2: I recommend that you back up your critical document and data files before disinfecting your computer. I recently helped someone remove Klez.H from her Windows-Me computer using the Kaspersky tool, and when she was done the computer would no longer boot, not even in "safe mode." I think this is unusual, but to recover we had to boot Windows-Me from the Installation CD, delete several files from the Windows system directory, and reinstall Windows-Me. (Her computer dealer had wanted to reformat the hard disk drive!)
She didn't end up losing any important files, but recovering it cost us a lot of time and aggravation. BTW, to enable Win-Me to reinstall, the files we deleted from the c:\windows directory were user.dat, system.dat, classes.dat and wininit.ini, per
http://www.techtips4u.com/ostt/installsafe.htm
and http://www.servenet.com/ipiboard/archive010601/3927.html

-Dave Burton <dburton@burtonsys.com>
Burton Systems Software: http://www.burtonsys.com/
Tel: 1-919-481-0149
Copyright © 2001-2002, Burton Systems Software.