Cure me! Virus Center

Antivirus Solutions

Viruses can infect your applications, operating system and data files. Many are relatively harmless and will not noticeably impair the performance of your system. More destructive varieties can overwrite your mainboard's BIOS (as CIH does), delete files the operating system needs to boot, or destroy data files. Some proliferate by e-mail, using your e-mail client's address book to find new hosts: if you receive the same message several times over from a single sender (often a frequent correspondent), chances are a virus on that sender's machine is generating it. If your machine behaves strangely at boot or when an application is launched, shuts down unexpectedly, or data files disappear or their names change inexplicably, this may be the handiwork of a virus.

The basic rule of thumb is to assess your virus risk and implement appropriate protection. Macro viruses, for example, which infect Microsoft Office documents, give little outward sign of their presence. Some viruses lie dormant on your PC and release their payload only after a specific sequence of keystrokes or when a set date is reached. If you suspect your system has been infected, don't take chances. Update your virus engine and definitions at least once a month to protect against the newest viruses, and more often if you are a frequent internet user. Viruses are most frequently delivered as e-mail attachments and are executed when the attachment is opened; if you receive a suspect message, deleting it is the safest recourse, and remember to purge it from the "Deleted Items" or "Trash" folder as well. If your machine is part of a network, copying and sharing files also puts you at risk, so antivirus protection may need to be deployed on every workstation and on the participating servers. In a large office you may have to enforce a policy on the use of diskettes and on downloading files from untrusted sources. A virus outbreak can cause data loss and downtime; the best approach is preventive rather than curative.

Another kind of risk is the remote-access trojan, such as Back Orifice and SubSeven, which lets a remote user read your files, harvest passwords, shut down Windows and more while you are online. For this attack to succeed the attacker must learn your IP address and get the trojan's "server" component installed on your machine. Instant-messaging programs such as Mirabilis ICQ make your IP address easy to obtain, and the server component usually arrives disguised as a "gift" from an unknown source, so beware of such gifts and take appropriate precautions to protect your information and privacy. We have listed a number of monitoring tools below that detect and block this type of attack. You should also apply Windows updates to reduce your exposure to "spoofing" and "nuking", attacks perpetrated to purge sensitive files from your machine, impair its internet performance or force the operating system to crash.

On this page

Download Antivirus Protection
Update your virus engine
Links
How to install and update your Antivirus Software
Hotfiles: What should I be scanning for viruses?
How to protect your privacy

W32.Klez.H
Updated 22 April, 2002.

This is an e-mail-aware worm that propagates by harvesting addresses from the Windows address book, the ICQ database and documents on the disk. Subject lines, message bodies and attachment names are randomised but may include phrases such as "lets be friends", "congratulations" or "eager to see you". Once executed, the worm attempts to disable your antivirus program and can infect Windows executable files, including those of Microsoft Word, Excel and Adobe Acrobat. There is no automatic removal for this worm. You must update your virus definitions to at least April 18, 2002 before your antivirus product can prevent infection. Microsoft recommends that users of Outlook Express upgrade to version 6 or 5.5 Service Pack 2 to stop malicious code in an e-mail from executing when an infected message is merely read or previewed.

Who is vulnerable ?
- All Windows
- Microsoft Outlook Express (all versions)
- All Email Databases
- Network shares and mapped drives

Payload
- Large-scale e-mailing: searches the Windows address book, the ICQ database and local files for e-mail addresses and mails itself to the contacts found.
- Copies itself to local, mapped and network drives as a randomly named file of the form wink<random>.exe.
- Infects executable files by overwriting the original file with itself.

Required Action

- Update your antivirus product to definitions dated at least April 18, 2002. Both Network Associates and Symantec have published updates that identify and remove infected files. You may need to re-install your antivirus product if the worm has disabled it.
- Delete the dropped files, W32.Elkern.4926 and wink<random>.exe, which are placed in the Windows and Program Files folders. Your antivirus product should quarantine infected files when the drive is scanned. THERE IS NO REPAIR PROCEDURE for infected files: they may include application or system files that cannot be repaired, so you must clear the quarantine folder to remove them from Windows and then replace the deleted system or application files with clean copies. (Note: if your computer is infected with W32.Klez.H@mm, the safest course is to contact your hardware vendor. The worm infects ".exe" files, and once detected these are placed in quarantine; if you delete them from quarantine, the programs associated with those ".exe" files will no longer run until they are reinstalled.) We do not recommend the current removal tool as an effective treatment for W32.Klez.
- The worm registers itself to run automatically when Windows starts. Remove the registry entries associated with it to prevent automatic re-infection. Delete the following values or keys if they exist:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - wink<random>.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services - wink<random>.exe

Your antivirus product will not remove these entries automatically; failing to remove them allows the worm to regenerate.
- Install all required Microsoft patches for Windows. Note that these patches will not stop the worm from arriving, but they prevent the attachment from running silently and alert you before the infected file is executed. Alternatively, update your browser and mail client to Microsoft Internet Explorer 6 and Microsoft Outlook Express 6, both available from Microsoft.

W32.Badtrans-B
Updated 27 November, 2001.

W32.Badtrans-B is an e-mail-aware worm that sends itself, as a multipart message with no body text, to addresses found on the infected computer. Addresses are gathered from the address book, from unread messages in the default mail folders such as "Inbox" and "Unsent Messages", and from web pages saved under "My Documents". The worm replies to unread messages, so its e-mail appears to come from a familiar address and carries a subject line built from the original mail:
Re: <subject of a message found on the infected machine>, or just "Re:" with no further text when the address was harvested from a web page. The attachment name is assembled at random from three parts. The first part is taken from the list:

FUN
HUMOR
DOCS
S3MSONG
Sorry_about_yesterday
ME_NUDE
CARD
SETUP
SEARCHURL
YOU_ARE_FAT!
HAMSTER
NEWS_DOC
New_Napster_Site
README
IMAGES
PICS

The second from the list:
.DOC.
.MP3.

and the last from:
pif
scr

For this reason the attached file can be called a large number of different names, including:
YOU_ARE_FAT!.DOC.pif
Sorry_about_yesterday.MP3.scr
IMAGES.DOC.pif
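As an added example (not code from the original page), the following Python enumerates every attachment name the three-part scheme can produce and shows the kind of check a mail gateway would apply with it: besides the exact Badtrans names, it flags the general "decoy extension" trick the scheme relies on, where a document-looking inner extension hides an executable outer one, and any directly executable attachment. The extension sets and the sample names are choices made for this example.

```python
"""Badtrans-B attachment names and a gateway-style attachment check.

Added example, not code from the original page. badtrans_names() enumerates
every name the three-part scheme can produce; classify_attachment() flags an
exact Badtrans name, the decoy-extension trick it relies on (report.DOC.pif
looks like a document but runs as a program), or any executable attachment.
The extension sets below are choices made for this example.
"""
import re
from itertools import product

FIRST_PARTS = ["FUN", "HUMOR", "DOCS", "S3MSONG", "Sorry_about_yesterday",
               "ME_NUDE", "CARD", "SETUP", "SEARCHURL", "YOU_ARE_FAT!",
               "HAMSTER", "NEWS_DOC", "New_Napster_Site", "README",
               "IMAGES", "PICS"]
MIDDLE_PARTS = [".DOC.", ".MP3."]
LAST_PARTS = ["pif", "scr"]

# Extensions Windows executes directly (the shell hides several of them by default).
EXECUTABLE_EXT = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Harmless-looking inner extensions used to disguise an executable.
DECOY_EXT = {"doc", "xls", "ppt", "mp3", "txt", "jpg", "gif", "zip", "htm", "html"}


def badtrans_names():
    """Every name the worm can generate: 16 x 2 x 2 = 64 combinations."""
    return {a + b + c for a, b, c in product(FIRST_PARTS, MIDDLE_PARTS, LAST_PARTS)}


_BADTRANS_LOWER = {n.lower() for n in badtrans_names()}
# <anything>.<inner>.<outer>: the last two dotted segments are the extensions.
_DOUBLE_EXT = re.compile(r"^.+\.(?P<inner>[A-Za-z0-9]+)\.(?P<outer>[A-Za-z0-9]+)$")


def classify_attachment(filename):
    """Return 'badtrans', 'double-extension', 'executable' or 'ok'.

    Comparison is case-insensitive, as Windows filenames are.
    """
    lowered = filename.lower()
    if lowered in _BADTRANS_LOWER:
        return "badtrans"
    m = _DOUBLE_EXT.match(lowered)
    if m and m.group("inner") in DECOY_EXT and m.group("outer") in EXECUTABLE_EXT:
        return "double-extension"
    if "." in lowered and lowered.rsplit(".", 1)[1] in EXECUTABLE_EXT:
        return "executable"
    return "ok"


if __name__ == "__main__":
    # Constructed sample attachment names for the example.
    for name in ["YOU_ARE_FAT!.DOC.pif", "invoice.doc.exe", "WTC.exe", "report.doc"]:
        print(f"{name:24} -> {classify_attachment(name)}")
```

Matching the exact name list only catches this one worm; the double-extension rule is what keeps working when the next worm changes its word list, which is why a gateway should check both.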


Who is vulnerable?
- Windows 95/98/Me and Windows NT/2000
- Microsoft Outlook Express and Microsoft Outlook
- Microsoft Exchange

Threat level: High
- on an unpatched system, merely reading (previewing) the e-mail in a Microsoft mail client infects the machine
- the message appears to be a legitimate reply to an earlier correspondence, so the recipient is inclined to trust it

Payload
- Large-scale e-mailing: mails itself to everyone in the Microsoft Outlook or Outlook Express address book, and to the other addresses harvested as described above
- Compromises security: installs a trojan component (kdll.dll, a keystroke logger); if it was successfully installed, anyone could gain access to vital information such as passwords and credit card details typed on the computer

Required Action
- Update your antivirus product with the current definition files. Both Network Associates and Symantec have published updates that identify and remove infected files. The updated definitions are listed under "Update your virus engine" below.
- Delete the dropped files, kdll.dll and kernel32.exe, which are placed in the Windows\System folder. Your antivirus product may quarantine these files when the drive is scanned; clear the quarantine folder to remove them from Windows.
- Remove the worm's registry entry, the kernel32exe value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. Your antivirus product may not remove it automatically, and it restarts the worm the next time Windows is restarted.
- Install all required Microsoft patches for Windows. Note that these patches will not stop the worm from arriving, but they prevent it from running silently and alert you before the infected file is executed. The patches are listed under the Windows Update Center. Alternatively, update your browser and mail client to Microsoft Internet Explorer 6 and Microsoft Outlook Express 6.
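The registry entries that Klez.H (wink<random>.exe under Run and Services, in the section above) and Badtrans-B (kernel32.exe under RunOnce) plant can be audited from a registry export without touching the suspect machine's live registry. The following Python is an added example, not code from the page or from any antivirus vendor: SAMPLE_REG is a constructed export, and the value name "kernel32" used for the Badtrans-B entry is an assumption, so the check matches on the executable named in the data rather than on the value name.

```python
"""Audit a Windows registry export (.reg text) for the autorun entries that
W32.Klez.H and W32.Badtrans-B leave behind.

Added example, not code from the original page. Export the keys on the
suspect machine (e.g. with regedit's File > Export) and run this on a clean
workstation. SAMPLE_REG is constructed; the Badtrans-B value name "kernel32"
in it is an assumption, so matching keys on the executable name in the data.
"""
import re

# Autorun locations named in the two write-ups (compared case-insensitively).
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\system\currentcontrolset\services",
)

# Executable-name indicators: Klez.H drops wink<random>.exe; Badtrans-B drops
# kernel32.exe (the genuine kernel32 is a .dll and is never an autorun .exe).
INDICATORS = {
    "W32.Klez.H": re.compile(r"(^|\\)wink[a-z0-9]*\.exe$"),
    "W32.Badtrans-B": re.compile(r"(^|\\)kernel32\.exe$"),
}

# "name"=data  or  @=data  (default value)
_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE.match(line)
        if m is None or key is None:
            continue
        data = m.group("data")
        if not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: values carry no program path
        data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        yield key, (m.group("name") if m.group("name") is not None else "@"), data


def _program(data):
    """Path of the program in an autorun value, with any arguments dropped."""
    m = re.match(r'"?(.*?\.exe)"?(\s|$)', data, re.IGNORECASE)
    return m.group(1) if m else data.strip()


def audit_autoruns(text):
    """Return [(worm, key, value_name, data)] for entries matching an indicator."""
    hits = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if not any(k == r or k.startswith(r + "\\") for r in RUN_KEYS):
            continue
        program = _program(data).lower()
        for worm, pattern in INDICATORS.items():
            if pattern.search(program):
                hits.append((worm, key, name, data))
    return hits


# Constructed sample export showing an infected machine (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Wink9f3a"="C:\\WINDOWS\\SYSTEM\\Wink9f3a.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"kernel32"="kernel32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wink9f3a]
"ImagePath"="C:\\WINNT\\system32\\Wink9f3a.exe"
"Start"=dword:00000002
'''

if __name__ == "__main__":
    for worm, key, name, data in audit_autoruns(SAMPLE_REG):
        print(f"{worm}: [{key}] {name} = {data}")
```

The Services entry matters on NT/2000, where Klez registers itself as a service rather than relying on the Run key alone; an audit that only looks at Run would miss it and the worm would return after the next reboot, which is exactly the re-infection the removal steps warn about.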


W32.Vote.A
Updated 26 September, 2001.

W32.Vote.A arrives as an e-mail attachment called "WTC.exe". It may come from a familiar address and plays on the World Trade Center disaster. When executed it uses your Microsoft Outlook / Outlook Express address book to propagate itself, drops a backdoor trojan that makes your files accessible from the internet, and attempts to disable your antivirus program by deleting specific files and folders on reboot. Finally, it attempts to delete the files in your C:\Windows directory, which disables Windows. We strongly recommend you take immediate action to protect yourself by updating to the latest antivirus definitions.

How do you get infected ?
- via e-mail : The virus will send itself as an e-mail, subject of the email "Fwd:Peace BeTweeN AmeriCa and IsLaM!".
- message :
Hi
iS iT A waR Against AmeriCa Or IsLaM ! ?
Let's Vote To Live in Peace !
- name of the attachment : WTC.exe
- Size of the attachment : 55808 Bytes

Who is vulnerable ?
- Microsoft Outlook Express / Microsoft Outlook

Payload
- Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
- Deletes files : After reboot, the worm attempts to delete all files in the Windows folder
- Compromises security settings : If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full remote access to the computer.

Required Action
- Update your antivirus product with the current definition files. Both Network Associates and Symantec have published updates that identify and repair infected files. The updated definitions are listed under "Update your virus engine" below.
- Start your antivirus program and make sure it is configured to scan all files.
- Run a full system scan.
- Delete all files detected as W32.Vote.A@mm. If the worm has run and your antivirus program is installed in C:\Program Files\****** AntiVirus, you should reinstall the antivirus program, since the worm targets that folder. A full brief on this virus is available on VirusEd.


W32.Nimda
Updated 23 September, 2001.

W32.Nimda.A@mm is a mass-mailing worm that uses several methods to spread: it mails itself out, searches for open network shares, and copies itself to unpatched or already compromised Microsoft IIS web servers. Its payload can degrade Windows performance and damage document files, so it is rated a high-risk virus. We strongly recommend you take immediate action to protect yourself from infection.

Who is vulnerable ?
- All versions of windows
- Microsoft Outlook Express and Microsoft Outlook
- Servers running Internet Information Server (IIS)

Payload
- all ".exe" files are subject to infection; programs may become unusable
- document files created with Microsoft Office or WordPad are infected
- the system may become unstable or noticeably slower
- remote access to files and programs on the infected machine

Required Action
- Update your antivirus product with the current definition files. Both Network Associates and Symantec have published updates that identify and repair infected files. The updated definitions are listed under "Update your virus engine" below.
- Install all required Microsoft patches for Windows. Note that these patches will not stop the worm from arriving, but they stop the attachment from running silently and alert you before the infected file is executed. The patches are listed under the Windows Update Center:

a. Internet Explorer 6, from this site or from Windows Update at Microsoft (approx 17 MB).
b. If you want to avoid a full upgrade, apply Internet Explorer 5 Service Pack 2, also available here or from the Microsoft update centre.
c. The Windows patches on the Windows Update page.

- Adjust your Internet Explorer security options to stop automatic file downloads: Start -> Settings -> Control Panel, open "Internet Options", select the "Security" tab, choose the "Internet" zone and click "Custom Level"; set "File download" to "Disable" or "Prompt", then click OK to save the change and close the Control Panel.
- Disable the Windows Script Host. Go to Start -> Find -> Files or Folders and search the whole C: drive for "*script.exe". Rename the files found, wscript.exe and cscript.exe, with a ".bin" extension; this stops scripts from being executed.

If you are already infected
- Apply the removal tool (available here, with a readme that explains how to use it).
- Check the Windows registry for the affected keys.
- Edit system.ini: in the [boot] section, remove the line
  Shell=explorer.exe load.exe -dontrunold
  and replace it with
  Shell=explorer.exe
- Update and scan your system with a current antivirus definition from your vendor.
- Replace infected files that could not be repaired, including riched20.dll (a clean copy can be downloaded from this site). A full brief on this virus is available on VirusEd.
- In some cases the only way to be certain the worm has been removed is to rebuild Windows. If you need to do this, first secure any work files you will need to restore when the rebuild is complete.

W97m.Melissa
Updated 21 January, 2000.

There are reported incidents of the Melissa worm. This is an e-mail worm that uses your address book to find other targets and infects Microsoft Word macros. Updating your antivirus product will reduce the risk, but we have found instances where this virus was overlooked by Trend Micro's PC-cillin 98. Both Network Associates' McAfee VirusScan and Symantec's Norton AntiVirus have proven reliable at detecting and removing this threat. A full brief is available on VirusEd.


W32.NewApt.Worm
Updated 21 January, 2000.

Description: W32.NewApt.Worm is a worm which, like Melissa, propagates by e-mail, but it carries its own SMTP (mail) engine. It searches various files on the hard drive for e-mail addresses and sends itself to them. In HTML-capable mail clients such as Outlook Express and Netscape Communicator the message looks something like this:

http://stuart.messagemates.com/index.html
Hypercool Happy New Year 2000 funny
programs and animations…
We attached our recent animation from
this site in our mail! Check it out!

In mail clients that cannot display HTML, the message may appear like this:

he, your lame client cant read HTML, haha.
click attachment to see some stunningly
HOT stuff

If you receive this message and open the attachment, the worm registers itself in the Windows registry. The next time you go online it tries to propagate using addresses found on your machine. If you have seen this message, warn your regular correspondents that they may be at risk of infection.

Status: a nuisance rather than destructive.

Tell-tale signs: no obvious signs. Under certain conditions this worm can start a dial-up connection and point your browser at a specific web site.

Incidence: common. Reported cases in Guyana.

Solution: an updated virus list for Norton AntiVirus will remove this worm. See VirusEd for complete details.


Worm.ExploreZip

File name: zipped_files.exe

Description: This worm copies a file called "explore.exe" to the C:\Windows\System directory and adds a "run=" line to the [windows] section of win.ini that reads run=c:\windows\system\explore.exe, so the worm is executed the next time the machine is rebooted. Once loaded into memory it hunts for files with the extensions .c, .cpp, .h, .asm, .doc, .ppt and .xls and truncates them to zero length. This list includes Word, Excel and PowerPoint files, which become unreadable (and unrecoverable without a backup) once the infection takes place.

Status: Deadly. Destroys data files.

How would I recognise the virus?

Worm.ExploreZip arrives as an e-mail that reads "Hi (recipient's name), I received your e-mail and I shall send you a reply ASAP. Till then, take a look at the attached zipped DOCS. Bye". The sender will almost always be someone familiar, because the worm replies to mail found on the infected machine. If you open the attachment, the message "cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please hit F1 for help" is displayed while the worm installs itself in the background.

How can I remove this virus if I have it?

Download the most recent virus definitions for Symantec's Norton AntiVirus (see "Update your virus engine" below). If you are not already using Norton AntiVirus, it can be downloaded from the list below.
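Both the Nimda repair step above (the Shell= line in system.ini) and ExploreZip's win.ini hook come down to two plain-text files, so they can be checked and repaired together, and from a clean machine if the files are copied off. The Python below is an added example, not code from the page; the two SAMPLE_* strings are constructed to show an infected state.

```python
"""Check system.ini and win.ini for the start-up hooks Nimda and ExploreZip add.

Added example, not code from the original page. Nimda chains load.exe onto
the [boot] Shell= line of system.ini; ExploreZip starts explore.exe from the
[windows] run= line of win.ini. SAMPLE_SYSTEM_INI and SAMPLE_WIN_INI are
constructed for the example.
"""
import re


def _ini_entries(text):
    """Minimal .ini reader: yields (section, key, value) with section and key lower-cased."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            yield section, key.strip().lower(), value.strip()


def shell_extras(system_ini):
    """Programs chained onto [boot] Shell= besides explorer.exe.

    Nimda adds 'load.exe -dontrunold'; a clean machine returns []. If the shell
    has been replaced outright, the whole command is returned so it is not missed.
    """
    for section, key, value in _ini_entries(system_ini):
        if section == "boot" and key == "shell":
            tokens = value.split()
            if tokens and tokens[0].lower() == "explorer.exe":
                return tokens[1:]
            return tokens
    return []


def win_ini_autoruns(win_ini):
    """Programs launched from win.ini [windows] run= and load= (ExploreZip's hook)."""
    programs = []
    for section, key, value in _ini_entries(win_ini):
        if section == "windows" and key in ("run", "load"):
            programs.extend(p for p in re.split(r"[ ,]+", value) if p)
    return programs


def restore_shell(system_ini):
    """Return system.ini with the [boot] Shell= line reset to explorer.exe and
    every other line left untouched (the repair step given for Nimda)."""
    fixed, in_boot = [], False
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line[1:-1].lower() == "boot"
        elif in_boot and re.match(r"shell\s*=", line, re.IGNORECASE):
            raw = "shell=Explorer.exe"
        fixed.append(raw)
    return "\n".join(fixed) + "\n"


# Constructed samples showing an infected machine.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe load.exe -dontrunold
mouse.drv=mouse.drv

[386Enh]
device=*vmm32
"""

SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\system\\explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print("system.ini Shell= extras:", shell_extras(SAMPLE_SYSTEM_INI))
    print("win.ini run=/load= programs:", win_ini_autoruns(SAMPLE_WIN_INI))
    print(restore_shell(SAMPLE_SYSTEM_INI))
```

Anything reported by shell_extras or win_ini_autoruns deserves a look, not just the two names above: on Windows 9x these two lines are a general persistence point, and a clean machine normally has nothing chained onto Shell= and an empty run= and load=.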


Virus Education

Happy99 Worm
CIH Virus
Melissa Worm
Newapt.worm
Papa.worm
W32.Nimda
W32.Vote.A
W32.Badtrans-B

Download Antivirus Protection

Get Norton Antivirus for Windows v4.01 (approx 15 MB)
Get Norton Antivirus for Windows v5 (approx 15 MB)
Get Norton Antivirus for Windows, scanner (approx 5.3 MB)
Get Norton Antivirus for NT Server 4.0 (approx 10.6 MB)
Get PC-cillin 98 for Windows 98 v4.02 (approx 3.9 MB)
Get PC-cillin for Windows 95 v3.0 (approx 4.4 MB)
Get McAfee VirusScan for Windows v3.1.2 (approx 4.7 MB)
Get McAfee engine update to 4.x (approx 9.6 MB)
Get Nuke Nabber v2.9a Build 1224, nuke attack monitor (approx 750 KB)
Get Happy99 Virus Remover (approx 717 KB)
Get The Cleaner v2, identifies and removes trojans (approx 468 KB)
Get Lockdown 2000, an anti-hacking monitoring tool (approx 2.1 MB)

Update your virus engine

Get 04/23/02 virus definitions for Symantec's Norton Antivirus v5/2001/2002
Get 04/07 virus update for Trend Micro's PC-cillin
Get 01/03 engine update for PC-cillin (upgrades to engine 5.x)
Get McAfee VirusScan update for v3.x (upgrades to engine 4.x)
Get 11/23/01 DAT file (virus list) for VirusScan 4.x and 5.x
Get 12/15 SuperDAT update for engine 3.x

Links

Go Symantec's Resource Center
Go Kumite's Home page
Go McAfee's Home Page
Go Trend Micro
