Monday, 4 January 2010

Computer viruses: a cautionary tale by Graham Davies


Updated 22 October 2009

This page is an introduction to the essential security measures you need to take in order to protect your computer against viruses and other intrusions. If you work in a business or an educational institution, computer security is normally taken care of by specialists in an ICT services unit, but if you use your own computer system then you need to undertake essential security measures yourself. The information on this page is based on my personal experiences.

* Anti-virus software
* Hoax viruses
* Attachments
* Holes in Windows
* Firewall software
* Spam, adware and spyware
* Useful links
* Dodgy links
* Reference: useful article on Internet security
* Known viruses and recent virus threats

Anti-virus software

It is all too easy to get blasé about computer viruses and other nasties, e.g. trojans and worms, that seek to invade your computer. Many computer users think that stories of viruses devastating computer systems worldwide are no more than publicity stunts created by companies that produce anti-virus programs. But we have seen computer viruses wreak havoc on a massive scale, causing millions of pounds worth of damage to businesses, bringing airlines' booking systems to a halt, and locking up hospitals' record systems. Anti-virus software is therefore an essential component of your computer system. I use Grisoft's AVG anti-virus software on my home network.

I receive dozens of viruses every day. Most of them used to arrive on floppy disks sent to my business by schools and universities. Now the majority arrive in email attachments from people who can't be bothered to keep their anti-virus software up to date.

Two pieces of important advice:

* First, check for updates to your anti-virus software as soon as you connect to the Internet. My virus definition files were less than seven days old when my computer was contaminated by the Funlove virus in October 2000 - the only serious contamination that I have ever experienced. Now I always run my anti-virus software in auto-protect/auto-update mode, and I manually check for updates to my anti-virus software every day as soon as I connect to the Internet.
* Second, make regular backups of everything important that you create so that you can retrieve valuable files if you have the misfortune to be hit by a virus.

Hoax viruses

I receive frequent warnings by email about non-existent viruses, known as hoax viruses, which - it is claimed - can be sent to you in messages headed by an exhortation such as "Join the Crew!", "Win a Holiday!" or "Let's watch TV". The following advice is given by CIAC (Computer Incident Advisory Capability) if you receive a virus warning that you suspect is a hoax:

See if the warning includes the name of the person submitting the original warning. Contact that person to see if he/she really wrote the warning and if he/she really touched the virus.

Websites maintained by commercial virus protection companies contain lists of genuine and hoax viruses: see Useful links.

Hoaxers have two main motives:

1. to create unnecessary anxiety about viruses,
2. to get you to delete important files from your system - in effect a do-it-yourself virus!

Attachments

Attachments to email messages can be deadly. I once received a copy of a virus via an email attachment sent to me by an old friend. I knew the email was suspect, as it referred to an attachment containing a sample of rock music in an MP3 file - definitely not my friend's style - so I zapped it before downloading it.

I reject all attachments that arrive without a clear indication of their origin and contents. Whenever I send an attachment to someone I prefix it with a separate plain text message, e.g.

Hi, Joe

I am sending you an attachment called REPORT 01. It’s an RTF file containing a report on our meeting last week. Let me know if the attachment arrives safely.

Regards
Graham

I expect other people to do the same.

I am completely ruthless when I see an unidentified attachment to an email in my mailbox. I read all my mail offline and zap all suspicious-looking emails - even those from friends and colleagues.

Holes in Windows

Some years ago a new strain of virus appeared: the Web virus. Web viruses can initiate an attack while you are just browsing the Web. Web viruses can bypass anti-virus software by slipping in through “holes” in the Microsoft Windows operating system.

Over a period of two weeks in October 2000 I contracted four viruses just by browsing the Web, but only one did serious damage: Funlove. Several computer specialists I spoke to said it was impossible to contract a virus by browsing the Web, but I was adamant that this is how the viruses got into my system. Finally, a colleague drew my attention to a message displayed at the SANS computer security website.

Email viruses are now spreading without the user opening any attachment. Personal computers running Internet Explorer (IE) version 5.0 and/or Microsoft Office 2000 are vulnerable to virus attacks using most HTML-enabled email systems, even if the email recipient opens no attachments. You don't even have to use IE; just have it installed with the default security settings. If you have not closed the hole, you can receive viruses (and spread them) by viewing or previewing malicious email without opening any attachment, or by visiting a malicious website.

It is therefore important to patch all holes in the Microsoft Windows operating system:

* Check the Microsoft website for regular updates of Windows that include patches for holes: http://www.windowsupdate.com
* Check the Microsoft website for information about security threats: http://www.microsoft.com/security/

Whatever you do, don't install a patch that comes from an unknown source. I have been sent so-called patches in email attachments that actually contained viruses!

Firewall software

You are always vulnerable to hackers connecting to your computer while you are online, and some websites contain invisible scripts that can do untold damage to your computer. I am connected to the Internet most of the day via my ADSL phone line. I have therefore installed the ZoneAlarm firewall on my computer to keep out potential hackers and other unwanted intrusions. The basic version of ZoneAlarm is free, but the professional version, ZoneAlarm Pro, gives you greater security at a reasonable price. ZoneAlarm Pro warns you if it sees information going out of your computer by any route other than those that you have designated as "legal", e.g. your email system or your browser. It also warns you if someone is trying to hack in. At least half a dozen attempts are made every half hour to hack into my computer while I am connected to the Internet. Most of these attempts are harmless, e.g. Microsoft checking to see if I require updates to Windows, music sites trying to find out my tastes in music, etc., but I have noticed several malicious attempts to hack into my computer.

Everyone is vulnerable while they are online. If you think your system is secure from intruders then you can run a series of tests at the Gibson Research Corporation (GRC) site in the ShieldsUP! section. GRC will try to hack into your computer and report if they succeed: http://www.grc.com. My system passed with flying colours! There is a wealth of useful information on network security at the GRC site.

Spam, adware and spyware

Spam, adware and spyware are a growing nuisance.

Spam

Spam is the term for unsolicited email advertisements, the Internet equivalent of junk mail. A spammer can email an advertisement to millions of email addresses, newsgroups, and discussion lists at very little cost in terms of money or time. The term spam comes from a sketch in the Monty Python's Flying Circus TV series. A useful email filter that pre-processes emails for you and enables you to bounce back and delete spams from your mailbox before they hit your computer is MailWasher. The basic version of MailWasher is free, but I prefer the MailWasher Pro version, which is available at a modest cost and has additional security features. MailWasher Pro spots incoming viruses as well as spam.

Rule No. 1: Don't display your email address at your website and don't display anyone else's email address at your website. This is because there are programs (often referred to as robots or simply bots) that search the Web and harvest email addresses that can be used by spammers. Such robots may hunt for email addresses beginning with a common name, e.g. "robert", "ann" or "sue", or for a business address ending in ".co.uk" or ".com". These are then stored in mass mailing lists and sold to spammers who bombard the recipients with endless junk emails. See the WillMaster article Spam-proofing your website on different ways of hiding or disguising your email address to avoid it being harvested by spammers:
http://www.willmaster.com/library/web-development/spam-proofing_your_web_site.php

Some sites require you to enter your email address in order to buy goods or services or to "register" for their services. You can, however, fool the spammers by entering a death-dated or tracker address that is not your real address: see http://www.sneakemail.com

If you find that an email that you send out for a legitimate reason is blocked or if you suddenly begin receiving lots of strange bounced emails, then it may be due to the fact that you have been identified as a sender of spam emails as a result of the actions of spammers who use your ISP or even your personal email address as the sender's address. Millions of spam emails are sent out by spammers who use popular ISPs such as AOL, CompuServe, Hotmail and Yahoo, and then legitimate users suffer for their inconsiderate actions. For further comprehensive information on this topic, see the Spamhaus and SpamCop websites. Both sites maintain a database of known spammers and offer spam blocking services.

Hijack risks

In July 2004 my business, Camsoft, had to take the unprecedented step of shutting down all our email addresses. This is because the addresses had been hijacked by purveyors of spam. We had been suffering from the effects of viruses and spam for several years but, thanks to the efficient mail filtering system that we use, these intrusions were no more than an annoyance. On 15 July 2004, however, we suddenly began to receive hundreds of bounced "undeliverable mail" messages per day and lots of irate emails of the "how dare you send me spam" variety. It was evident that our email addresses had been spoofed as senders' addresses by a number of different spam companies and we were perceived as the guilty party. We therefore no longer display our email address at our website. We use a contact form for people who wish to email us: see our Homepage. Let us hope that the politicians who have put in place completely ineffective legislation to combat spammers and hijackers will eventually realise that their soft-touch approach is wrecking e-commerce. It is small comfort to know that we are not alone: see "The Death of Email" by John Dvorak (24 May 2004) at:
http://www.pcmag.com/article2/0,1759,1599324,00.asp

Adware

Adware is software that has secretly been installed on your computer by a remote site. Many free programs (freeware and shareware) and plug-ins that you download from the Web install hidden software that sends details of the websites you visit and other information from your computer (which can include your email address) to advertisers so they can target you with pop-up ads and spam. See Ad-Aware, a useful program that keeps adware out of your computer.

Spyware

Spyware is similar to adware - it may be used synonymously - but it implies more sinister motives on the part of the person who has dumped it onto your computer, e.g. stealing private information such as bank account numbers, credit card numbers, passwords, etc.

Cookies

Cookies may be dumped onto your computer when you visit a website. A cookie is a piece of information that may be stored on a user's computer by a Web browser when the user visits a website for the first time. Websites use cookies to recognise users who have previously visited them. The next time that the user visits that site, the information in the cookie is sent back to the site so that the site can tailor what it presents to the user. Cookies may be used for innocent purposes, e.g. recording your preferences at an online shopping site, but they can also be used in more insidious ways.

Cleaning up your computer

Adware, spyware and cookies are also known as tracking software. You should clean up your computer to remove tracking software stored on your computer, especially after downloading and installing freeware, shareware or plug-ins from the Web. SpyBot Search and Destroy or Spy Sweeper will do a good clean-up job. When I first used SpyBot S&D it found no less than 14 tracking programs on my hard disk, dating back around three years! Spy Sweeper found one tracking program that SpyBot S&D missed. Most of these packages were probably ineffective, however, because I had set my firewall to a high level of security to block intrusions, and I am alerted each time a new program attempts to send information out from my computer.

Removing Web clutter

Finally, it is a good idea to get rid of Web clutter at regular intervals. Not only does it take up space on your hard disk, but it may contain harmful code. A useful piece of software is Window Washer, which enables you to remove caches, cookies and other clutter at regular intervals.

Useful links

* Ad-Aware: http://www.lavasoft.com - Keeps adware and spyware out of your computer. I use this on my own computer.
* avast! http://www.avast.com - anti-virus software and info. There is a basic free version and an enhanced version for which you have to pay. I use this on my own computer.
* AVG: http://www.avg.com - anti-virus software by Grisoft. There is a basic free version and an enhanced version for which you have to pay. I use this on my own computer.
* Benign: A product that neutralizes or strips out the code in your email that makes viruses, worms, scripts and other potentially harmful things run: http://www.firetrust.com/products/benign
* CKNow: Lots of information about computers in general, including viruses, spam etc: http://www.cknow.com
* The Cleaner: http://www.moosoft.com - a handy package that hunts for trojans lurking in your system.
* Firewall Guide: http://www.firewallguide.com
* F-Secure: http://www.f-secure.com - anti-virus software and info.
* MailWasher: http://www.mailwasher.net and http://www.firetrust.com - an efficient email filtering system for removing spam and viruses.
* McAfee VirusScan: http://mcafee.com - anti-virus software and info.
* Norton Antivirus by Symantec: http://www.symantec.com - anti-virus software and info.
* SANS computer security website: http://www.sans.org
* SpamCop: http://www.spamcop.net - info on spam.
* SpamFreeze: A free tool that lets users post a URL to blogs and websites instead of their actual email address. This helps keep their email address out of the hands of spammers and scammers: http://www.spambutcher.com/spamfreeze/
* Spamhaus: http://www.spamhaus.org - info on spam.
* Spy Sweeper by Webroot: http://www.webroot.com - software for spotting and removing adware and spyware.
* Sophos: http://www.sophos.com - anti-virus software and info.
* SpyBot Search and Destroy: http://www.safer-networking.org - software for spotting and removing adware and spyware.
* Trend Micro: http://uk.trendmicro.com - anti-virus software and info.
* Window Washer by Webroot: http://www.webroot.com - a package for removing caches, cookies and other Web clutter from your computer. I use this on my own computer.
* ZoneAlarm: http://www.zonelabs.com - a reliable firewall package. I use this on my own computer.

Dodgy links

Websites are constantly being reorganised and Web addresses are constantly being changed. This can be an annoyance, especially if you maintain lists of useful websites, e.g. like the list immediately above and my substantial list of Favourite Websites. But there is now a more sinister aspect to this phenomenon: dodgy links, i.e. those that have been transmogrified into something other than what you expected. Click here for further information: http://www.camsoftpartners.co.uk/DodgyLinks.htm

Reference: useful article on Internet security

A very useful article concerning the question of Internet security has recently appeared as a chapter in Lewis P. (2002) The changing face of CALL: a Japanese perspective, Lisse: Swets & Zeitlinger (LLLT Series Vol. 2). The chapter is titled "Security on the Internet: resources for teachers" and has been written by James Duggan.

Known viruses and recent virus threats

These are real virus threats. My computer has been sent all the following viruses. This is my personal virus diary in reverse chronological order. There are hundreds more viruses floating around on the Internet. Most anti-virus sites contain a database of known viruses and information on how to get rid of them. See Useful links. For some reason or other, my system has been blissfully free from virus attacks for over three years.

W32.Mytob.LO@mm
After a long period of no viruses or worms attempting to enter my system, this one appeared on 2 November 2005. It's a mass-mailing worm that opens a back door and lowers security settings on the compromised computer. You can recognise it by the following subject headings in your emails:

* Your password has been updated
* Your password has been successfully updated
* You have successfully updated your password
* Your new account password is approved
* Your Account is Suspended
* *DETECTED* Online User Violation
* Your Account is Suspended For Security Reasons
* Warning Message: Your services near to be closed.
* Important Notification
* Members Support Security measures
* Email Account Suspension
* Notice of account limitation

Netsky and Bagle/Beagle tried to create havoc in July 2004, bombarding my mailboxes around 40 times per day, but all attempts to break into my system were blocked by my anti-virus software. There are several variants of Netsky, two of which go under the names of Moodown and SomeFool.

W32.Mydoom@mm (aka W32.Novarg.A@mm)
This one began to threaten my system in January 2004, constantly bombarding all three of my mailboxes and succeeding in locking up one of my ISPs for several hours per day. So far it has been filtered out by the three different lines of defence that protect my system. MyDoom appears to be set to break all records for creating havoc. Don't bother to reply to the senders' addresses warning them that they have sent you a virus, because they are unlikely to be the real source and it will just confuse them.

W32.Sobig.F@mm
This mutation of the original Sobig virus reared its head on 19 August 2003, bombarding two of my mailboxes with around 20 copies per day every day over a sustained period. Universities and schools were the principal sources of the virus, but the personal details of the senders' addresses were spoofed. The main symptom of the virus is body text containing the message: "See the attached file for details" or "Please see the attached file for details". Don't bother to reply to the senders' addresses warning them that they have sent you a virus, because they are unlikely to be the real source and it will just confuse them.

W32.Sobig.E@mm
In July 2003 I received three copies of Sobig.E, a mutation of the original Sobig. It was immediately recognisable by the message contained in the body text, namely: "See the attached zip file for details". Beware of unidentified attachments! It spoofs the sender's address, so don't bother replying to them.

W32.Yaha.F@mm
In March 2003 I received 30-40 copies of variations of this mass-mailing worm every day. The worm sends itself to all email addresses that exist in the Microsoft Windows Address Book, the MSN Messenger List, the Yahoo Pager list, the ICQ list, and files that have extensions that contain the letters "ht". The worm randomly chooses the subject and body of the email message. It also attempts to terminate anti-virus and firewall processes. I don't know who sent this worm as the sender's name was usually disguised as "tracy senger".

W32.Bugbear@mm
This worm was discovered on 30 September 2002, and it appears to have spread very rapidly. My computer was hit around 30 times by Bugbear during the first five days of its appearance via mass-mailed emails, and after that it appeared so often in my mail that I lost count. Bugbear slipped into my computer on one occasion via my Internet Explorer browser, but it was picked up by Norton AntiVirus in the Windows/Temp folder as soon as it appeared and it didn't do any damage. Bugbear has keystroke-logging and backdoor capabilities, and also attempts to terminate the processes of anti-virus and firewall programs. In other words, it tries to open up your computer to potential hackers. I have now set my firewall to display its pop-up window alert to an intrusion so that I can verify that it is still working. You can often spot Bugbear coming in via an email as it uses a range of recognisable subject lines, e.g. "Lost and found", "Membership confirmation", "hmm...", "Payment reminder", etc - others are listed at the Symantec site, but - and this is clever - it can also generate subject lines based on documents stored on the infected user's computer, including email subject lines that sound completely plausible to the recipient. Don't bother replying to anyone who sends you the virus to warn them that they are infected, as the sender's name and email subject line are quite likely to be aliases that have been plucked at random out of the infected user's address book and filing cabinet. I have received two copies of Bugbear that purported to have come from myself, each bearing a subject line that I had used in a message sent to a discussion list!

W32.Klez.E@mm
This worm has been sent to me countless times. It hasn't done any damage, however, as I now read all emails offline and delete any suspicious attachments. The symptoms of Klez are obvious. Klez is clever: it chooses the subject line, message body, and attachment file name(s) at random, and the message appears to be coming from a source other than the infected person's email address - the from address is randomly chosen from email addresses that the worm finds on the infected computer.

W32.Magistr.24876@mm
This one was blocked by a discussion list server before it reached me. It had obviously distributed itself via the personal mailing list of one of the discussion list subscribers. It appears to have been embedded in a humorous EXE file.

W32.Badtrans.B@mm
This one went on the rampage for a short while. By 9 February 2002 I had received 37 copies of Badtrans following the first warning from my anti-virus software provider that it had been detected - i.e. on 24 November 2001. This version of Badtrans is a mass-mailing worm. The virus is sent via Microsoft Outlook by replying to unread email messages in the mailbox of the infected computer. The main victims are subscribers to discussion lists (e.g. JiscMail or Mailtalk lists) who (a) can't be bothered to update their anti-virus software, and (b) fail to read messages sent from the listserver or delete unwanted messages from their mailbox. It is easy to identify the virus by the presence of "Re:" at the beginning of the subject line, followed by the text of a subject line that you have used in messages sent to discussion lists or individuals some weeks or months earlier. The "Re:" may also appear on its own - a tell-tale symptom. Badtrans itself is contained in an attachment, which you should not attempt to open. When you try to reply to the sender to let them know that they have contracted a virus you will find that their email address has been prefixed by an underscore - another tell-tale symptom - which results in your warning message bouncing back: e.g. if I were infected my email address might appear as "_graham@mail.co.uk". So remove the underscore when you reply! Fortunately, my anti-virus software has kept this virus at bay - which is a relief, as this is a nasty beast that is able to keep track of your keystrokes and send private information, e.g. passwords, to the originators of the virus - another good reason for maintaining a firewall on your computer.

W32.Sircam.Worm@mm
The Sircam worm hit quite a few personal computer owners and institutions. I received it by email over 35 times from personal friends and professional contacts, including people working in universities and government organisations - which I find truly surprising as they should be well-protected against such infections. It was reported that this virus would wreak havoc on 16 October 2001 by wiping clean any hard disk that had been contaminated, but I am not aware of this happening. Sircam is another one of those viruses that is sent automatically, so the sender is not aware of the trouble it causes. If your computer is infected it grabs a document file at random from the hard disk and sends it to everyone in your address book. Some of the documents I have been sent by Sircam appear to be confidential information that the innocent victim would probably not want to be made public. The subject line may change, but watch out for emails headed "Hi! How are you?" and/or containing the message "I send you this file in order to have your advice", or the equivalent in Spanish, and don't open them! According to one virus expert, "the removal process can be nerve-racking and hair-splitting". Prevention is therefore better than cure, so make sure your virus definitions are up to date as this is a nasty little beast.

ICQPass
Received twice from an unknown source while browsing the Web on 9 May 2001 and again on 11 June 2001. I'm not sure how this one works, as the information provided at anti-virus sites is sketchy. It appears to have been set up in order to steal passwords, e.g. in order to allow a hacker access to your bank accounts if you use an online banking system, or to make use of your ISP password in order to use your ISP account illegally. My ISP password has been stolen and abused three times, which I suspect may be due to traces of ICQPass having been left on my hard disk - which have now been removed. Fortunately, my ISP spotted the invasion each time and blocked access immediately - thanks CompuServe! ICQPass should not be confused with the harmless ICQPass, which is designed to retrieve any of your own passwords that you have forgotten. ICQPass was trapped by my anti-virus software each time it arrived in an EXE file that was in the process of being created by the virus, but I still had to intervene manually. A file AUTORUN.INF addressing the EXE file (which may appear under various names, e.g. COMAND.EXE - sic, with one "M") was created in the root directory of my hard disk. This had the effect of stopping the Windows My Computer program from working, but all was OK when I deleted the AUTORUN.INF file. A consequence of the first invasion of ICQPass was that all my stored passwords were destroyed - not a problem as I keep a record of them all elsewhere - a salutary warning.

W95.Hybris.Worm
Received seven times between 7 March 2001 and 5 December 2001. The early copies I received appear to have been triggered by code embedded in a Web page, but recent copies have been attached to emails. Watch out for attachments to email messages containing "Snow White and the Seven Dwarves" in the subject line.
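The subject lines, body text and sender symptoms recorded above (the Mytob.LO subject list, the Sobig.E/F body text, the bare "Re:" and underscore-prefixed sender of Badtrans, the Bugbear, Sircam and Hybris subject lines) can be turned into a simple pre-download triage filter of the kind MailWasher performs, together with the page's own rule of rejecting unannounced attachments. This is an added example written for this page, not Camsoft's or any vendor's code; the sample messages and the placeholder attachment bytes are constructed, and the extensions beyond EXE, COM, VBS and ZIP are an assumption.

```python
"""Triage rules built from the email indicators in the virus diary above.
Added illustration for this page; sample messages below are constructed."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the diary (Mytob.LO list, then Bugbear, Sircam, Hybris).
KNOWN_SUBJECTS = {s.lower() for s in (
    "Your password has been updated",
    "Your password has been successfully updated",
    "You have successfully updated your password",
    "Your new account password is approved",
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
    "Lost and found", "Membership confirmation", "hmm...", "Payment reminder",
    "Hi! How are you?",
    "Snow White and the Seven Dwarves",
)}

# Body text quoted for Sobig.E, Sobig.F and Sircam.
BODY_PHRASES = (
    "see the attached file for details",
    "see the attached zip file for details",
    "i send you this file in order to have your advice",
)

# EXE, COM, VBS and ZIP are named on the page; the rest are an assumption about
# other executable attachment types a filter would also stop.
RISKY_EXTENSIONS = (".exe", ".com", ".vbs", ".zip", ".scr", ".pif", ".bat")


def triage(raw_message: str) -> list:
    """Return one reason per diary indicator the message matches.
    An empty list means no rule fired; anything else means delete it unread."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    sender_addr = email.utils.parseaddr(str(msg["From"] or ""))[1]

    if subject.lower() in KNOWN_SUBJECTS:
        reasons.append(f"known worm subject line: {subject!r}")
    if subject.lower() == "re:":
        reasons.append("bare 'Re:' subject (Badtrans symptom)")
    if sender_addr.startswith("_"):
        reasons.append(f"underscore-prefixed sender {sender_addr!r} (Badtrans symptom)")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    for phrase in BODY_PHRASES:
        if phrase in body:
            reasons.append(f"Sobig/Sircam body text: {phrase!r}")

    # The page's attachment rule: nothing executable, nothing unannounced.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable or archive attachment: {name!r}")
    return reasons


def build_sample(subject: str, sender: str, body: str, attachment: str = "") -> str:
    """Construct a raw message for demonstration; the attachment content is a
    harmless placeholder, not a real worm."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "joe@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    sobig_like = build_sample("Re: Details", "someone@university.example",
                              "Please see the attached file for details", "details.pif")
    announced = build_sample("Minutes of last week's meeting", "joe@example.invalid",
                             "Hi Graham, the RTF report we discussed is attached.",
                             "REPORT 01.rtf")
    for raw in (sobig_like, announced):
        print(triage(raw) or "no indicator matched")
```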

W97M.Ethan.A
Received on floppy, 27 January 2001. A fairly old Word 97 macro virus. Easy to remove from infected files.

W32.Blebla.B.Worm (aka Romeo and Juliet)
I received a warning about this one on 4 January 2001 from a friend whose computer had been infected because he hadn't patched a Windows hole. It's a worm virus, discovered 30 November 2000. It can only be trapped if you have patched the relevant hole and installed recent virus definitions. Apparently, this one originated in Poland.

W32.HLLW.Bymer
I received this one four times between 23 November 2000 and 7 April 2001 while browsing the Web. This is one of those viruses that can slip in through a Windows hole. Another copy tried to sneak in by email on 22 June 2001. The main symptom is much the same as that described for W32.Funlove.4099, i.e. the creation of a fake WININIT.EXE in the Windows/System folder - not the WININIT.EXE in the main Windows folder, which is the real one. In addition a new line may be inserted in the WIN.INI file, which tries to run the fake WININIT.EXE file when the computer is booted up. This line has to be removed manually with SYSEDIT. A variation of Bymer tries to create a file called MS212INIT.EXE in the Windows/System folder, and a new line is inserted in the WIN.INI file, which attempts to run this MS212INIT.EXE file. Check your Windows/System folder for the presence of either of these EXE files, as this indicates that Bymer has invaded your system.

WScriptKAK Worm
This appeared in several variations. They were all detected and suppressed by my anti-virus software.

VBS.NETWORK
The main symptom of VBS is that you find multiple copies of the Windows NETWORK.VBS program on your hard disk. One copy is supplied with Windows and is genuine. It appears in the Windows/Samples/WSH directory. If you find any other copies on your hard disk then they may harbour viruses.

W32.HLLW.Qaz.A
The main symptom of W32.HLLW.Qaz.A is that it replaces the Windows NOTEPAD.EXE program in the main Windows directory with one containing the virus, renaming the genuine NOTEPAD.EXE program as NOTE.COM. If you find NOTE.COM on your hard disk, have a look at anti-virus sites for information on how to remove it.

W32.Funlove.4099
This is the only virus that has ever managed to sneak into my computer. It hit me hard in 2000. It appears to have found a "hole" in Windows while I was browsing the Web. The results were dramatic. It degraded my computer's performance by re-allocating memory, creating files that consumed disk space and caused programs to load or execute more slowly – especially Windows Scandisk, Format, Defrag and Norton AntiVirus. Windows Shut Down would often hang too, and my modem would dial my Internet service provider randomly. Norton AntiVirus quarantined the program containing the virus, i.e. a fake WININIT.EXE program which the virus had created in the Windows/System folder, and the Win98 WIN.INI file had been modified so that it called up this fake program on startup. So first I had to stop Win98 calling the fake WININIT.EXE program. The original, genuine WININIT.EXE program had been untouched by the virus and was still in its original location in the main Windows directory. Getting rid of this virus was hard work.
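The WIN.INI modification that both the Bymer and Funlove entries describe (a run= or load= line in [windows] that starts a fake WININIT.EXE or MS212INIT.EXE from the Windows/System folder) can be checked for mechanically before resorting to SYSEDIT. This is an added example written for this page, not the author's or any anti-virus vendor's tool; the WIN.INI text below is constructed, and the parser is deliberately tolerant because real WIN.INI files contain duplicate keys and values that configparser rejects.

```python
"""Inspect a Windows 9x WIN.INI for the Bymer/Funlove startup symptom.
Added illustration for this page; the sample file is constructed."""
from pathlib import PureWindowsPath

# Executable names the diary reports being planted in Windows\System.
FAKE_STARTUP_NAMES = {"wininit.exe", "ms212init.exe"}
# [windows] keys that start programs at boot; each holds a comma- or
# space-separated list.
STARTUP_KEYS = {"run", "load"}

SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\WININIT.EXE
NullPort=None
device=HP LaserJet,HPPCL5MS,LPT1:

[Desktop]
Wallpaper=(None)
"""


def parse_ini(text: str) -> dict:
    """Tolerant WIN.INI parser: keeps key order and duplicate keys per section,
    lower-cases section and key names, ignores blank lines and ';' comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def startup_programs(sections: dict) -> list:
    """Return (key, program) for every program named on run= or load= in [windows]."""
    found = []
    for key, value in sections.get("windows", []):
        if key in STARTUP_KEYS:
            for item in value.replace(",", " ").split():
                found.append((key, item))
    return found


def suspicious_entries(win_ini_text: str) -> list:
    """One finding per startup entry whose file name matches the diary symptom.
    The finding says whether the path points into a System folder, where the
    page reports the fake copy lives (the genuine WININIT.EXE sits in the main
    Windows folder)."""
    findings = []
    for key, program in startup_programs(parse_ini(win_ini_text)):
        path = PureWindowsPath(program)
        name = path.name.lower()
        if name in FAKE_STARTUP_NAMES:
            in_system = any(p.lower() == "system" for p in path.parts[:-1])
            where = "inside a System folder" if in_system else "not in a System folder"
            findings.append(f"{key}= starts {program} ({name} {where}); "
                            "remove the line and check the folder for that file")
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_WIN_INI) or ["WIN.INI startup lines look clean"]:
        print(finding)
```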

© Graham Davies 2009 under a Creative Commons Attribution-Noncommercial-No Derivative Works, UK, England & Wales Licence.
