Ami Isseroff
Presented by the PEACE Mid-East Dialog Group MideastWeb and PeaceWatch
Additions and Corrections are Welcome
Contents
What is a Virus?
How Viruses are Propagated
How to Prevent Virus Infection
Viruses versus Hoaxes
Recent common e-mail 'Worms': Sircam Virus, zipped_files.exe, W95.MTX, happy99.exe
Spy Software, SPAM & Cookies
Links: Virus News, More About Hoaxes, Anti Virus Software and Information
A virus (or worm, or Trojan horse; people argue about the names of the different variants, but roughly a virus attaches itself to other programs or documents, a worm spreads by itself over the network or by mail, and a Trojan horse is a program that pretends to be something you want) is a piece of unwanted software that loads itself into memory and/or writes itself to a file on your disk. It may attach itself to other software, damaging it in some way, or it may take over some system function such as e-mail and cause it to work improperly. Some viruses will wreck your system immediately and obviously. Others cause changes that might not be detectable at first: slower performance, odd problems booting the computer, or crashes in e-mail programs. Word macro viruses attack Word templates and destroy macros, styles, heading numbering and other features. E-mail and Web 'worms' propagate themselves by attaching to outgoing mail.
If the virus trashes your system, you will probably realize that a virus is at work. The subtler viruses are harder to detect. If your computer or e-mail software is behaving strangely, it may be infected. If people tell you they got attachments from you that you never sent, a worm is at work, though with worms that forge the sender address it may be someone else's machine that is infected, not yours. If some styles in an MS Word document cause the program to crash or do strange things, the template of that document probably had a macro virus at some time in the past, even if it doesn't have one now. If your disk suddenly has less free space or gives read errors, the disk or its boot sector may be infected. These are only a few symptoms of infection.
Viruses can be transmitted in these ways (among others):
By copying software from a disk.
By booting from a disk with an infected boot sector.
By running software downloaded from the Web.
By opening an e-mail attachment.
Across an Intranet
By "attack" from outside: network worms scan for reachable, unpatched services and need no action from you, which matters most if your connection to the Internet stays open for long periods (for example, an ADSL connection).
Other methods are less probable, but e-mail programs (and viruses) are getting more sophisticated. It is unwise to say that a particular infection route is 'impossible'.
How to Prevent Virus Infection
Following the Rules is OK, but not enough – There are a few rules to follow in order to avoid virus infection:
Get a good anti-virus program and keep it updated. It will need updating at least weekly, and preferably whenever the vendor publishes new definitions.
Do not open e-mail attachments or files from unknown sources.
Do not copy software from untrusted sources.
Good rules, but not enough. Every infection that I got came from trusted sources - seems you cannot trust anyone anymore! Worms or Trojan horses like happy99 and zipped_files propagate themselves by sending mail to people who know each other, using fake sender addresses.
Every infection that I got came while an anti-virus program was running. It is impossible for the anti-virus companies to find detection methods and cures for viruses before they know about them. Be sure to update virus definitions frequently.
Anti-virus protection is offered free of charge by several firms, including AVG and Trend Micro at present. A firewall comes free with your operating system, and better firewalls can be downloaded for free. Do not run your computer without anti-virus software and a working firewall.
Anti-virus programs are often less effective at cleaning up an infection than simply deleting the infected file and replacing it with a clean copy. 'Disinfected' files sometimes do not run correctly. If you have a Word template that has been infected by a virus, it is best to delete the template and get a fresh copy from someone; the template is probably defective. Likewise, it is a good idea to reinstall any affected software from its original media.
Some other things that can help:
Don't play games or run doubtful copies of software on computers connected to a corporate intranet or to the Internet.
Close all other MS Office files before opening an attachment.
If you get a virus, remove it and tell everyone you know immediately, including the person who sent it to you. Point them to the anti-virus vendor's removal instructions rather than mailing them a program; a 'cure' that arrives as an attachment is exactly how these worms spread. Do not send e-mail or copy files to another computer while you suspect you have a virus.
If someone sends you mail about a virus, check if it is or could be a hoax. Search the Web for information. If the anti-virus software companies don’t know about it, tell them. If they do, then it is time to update your antivirus program. In either case, if it is a real virus, warn everyone in your mailing list after you get rid of the virus and are sure it is gone.
People who have the same kind of mentality as virus writers, but not the ingenuity, engage in the less harmful pastime of inventing fake virus warnings and other Internet hoaxes. Charity and get-rich chain letters and virus warnings are popular hoaxes. There are also shady get-rich-quick pyramid schemes that are simply fraud. Suha Arafat is NOT going to share her wealth with you, and neither is Miriam Abacha.
Charity and Get Rich – Charity letter schemes say something like “There is a little girl dying of cancer. For every letter you send to a friend, Microsoft (or Disney or another large corporation) will donate 3 cents to save poor Marsha-Anne.” The variation of this is that each person sending out the letter will get the money because Microsoft is testing out an e-mail program. You can check in any search engine that such letters are hoaxes by just writing some quoted text and the word hoax as a query. For example:
"Susan Barnes need your help" Hoax
Delete these and explain to the person who sent them that nothing in the mail delivery path counts copies of a letter. Each forwarded copy takes its own route through whatever relays happen to lie between sender and recipient, and no company, Microsoft included, sits on all of those routes, so there is no way anyone or anything could know how many copies of a letter were sent.
Virus Hoaxes – Some of these warnings say: “Microsoft recently announced “ or “IBM announced” etc. Some may look just like descriptions of actual viruses. Before passing on the message, check if it is a hoax in a search engine. For example, submit this query to a search engine:
"'Bloat' spreads in a manner similar to the recent Word-Macro virus" Hoax
If it is more than a few days old and it is a hoax it will be listed at several different sites and the hoax will be explained. If .
Check at the Web site of the corporation or group they mention. It won’t be surprising if you find nothing. If the warning says there is an e-mail letter (no attachment) and that it can wreck your system before you open it, it is almost certainly untrue. If you have checked and are certain that the report is untrue, it is a good idea to tell the person who sent the message and others. But please, make sure you know it is untrue and cite your reasons.
Important - If the message says "Please send this to all your friends", it is almost certainly a hoax. Be careful with the opposite rule of thumb, though. Destructive viruses do exist (Chernobyl, mentioned below, overwrote hard disks and even BIOS flash memory), but they spread quietly for days or weeks before the payload fires, because a virus that wrecked every machine the moment it arrived would never reach another one. A warning that describes a virus which instantly disables the computer, erases the boot sector, etc., and yet somehow keeps spreading, is therefore almost certainly a hoax.
IMPORTANT - Do NOT delete any files in your computer on the advice of an email about viruses. Usually those files are legitimate. You can damage your operating system by deleting files that are required.
Real Virus (or Worm or Trojan Horse) warnings will usually come from a friend, or from someone who got mail from an acquaintance who really had the virus. If you hear about a virus from popular media, you can assume that the report is at least partly true, though the effects might be exaggerated.
A good deal of unwarranted panic has been caused by the press and others exaggerating the potential effects of viruses such as Melissa, Chernobyl and Michelangelo. More recently, worms carrying denial-of-service payloads have done real damage.
BEFORE you send out any virus warning to any friends (or soon to be ex-friends) please take the time to use a search engine. Type the name of the supposed virus in the search form or some text from the letter. In a few seconds, you can find out if it is real or a hoax, and save yourself a great deal of embarrassment.
Curing Viruses - The best cure is prevention. Make sure that you have an updated anti-virus program and get online updates from a popular anti-virus site. Virus definitions may need updating several times a week. Don't open e-mail attachments unless you know who sent them and the e-mail,
Be careful. Virus removal tools and anti-virus tools that "fix" files sometimes "fix" things in such a way that your computer stops working, or the files are worthless and cause crashes. I saw it happen. Fix bad system files by replacing them with good ones. Fix bad MS Word or other application files by copying the information to a new file.
How to check if you have an e-mail worm or virus - send yourself mail. If you have it, you will probably get a letter with the virus attachment by return mail.
The information on this page regarding specific viruses rapidly becomes obsolete as new viruses are introduced. That doesn't mean the old ones are not still around. If you think your computer may have a virus, consult Symantec, McAfee, Trend Micro or another directory maintained by a virus protection vendor.
Sircam Virus achieved notoriety in the summer of 2001. It sent out various documents that you have stored in your personal documents folder as infected attachments.
It arrives as an e-mail message with the following content:
Subject: the same as the file name of the attachment, that is, the stolen document's own name.
Attachment: a file taken from the sender's computer, with the extension .bat, .com, .lnk or .pif added to its real name (so a document called Budget.xls goes out as Budget.xls.pif, for example).
Message: the body is semi-random, but always contains one of the following two lines (either English or Spanish) as the first and last sentences of the message.
Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.
English Version:
First line: Hi! How are you?
Last line: See you later. Thanks
Between these two sentences, some of the following text may appear:
Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informacion que me pediste
English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for
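The message format above is regular enough to match mechanically. The following Python is an added example, not code from the original page or from any anti-virus vendor: it parses a raw RFC 822 message and reports the Sircam indicators listed above (the fixed first and last body lines, an attachment carrying a second .bat/.com/.lnk/.pif extension, and a subject equal to the attachment's original name). The sample messages are constructed here, not captures, and reading "subject equals the file name" as matching the attachment name with one or both extensions stripped is this example's interpretation of the description.

```python
"""Indicator check for the Sircam mail format described above (added example,
not from the original page). The message samples are constructed, not captures."""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Fixed first/last body lines listed on the page (English and Spanish).
SIRCAM_FIRST_LINES = {"Hi! How are you?", "Hola como estas ?"}
SIRCAM_LAST_LINES = {"See you later. Thanks", "Nos vemos pronto, gracias."}
# Extensions the worm appends to the stolen document's real name.
SIRCAM_EXTENSIONS = (".bat", ".com", ".lnk", ".pif")


def sircam_indicators(raw_message):
    """Return the Sircam indicators found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message, policy=default)
    hits = []

    body = msg.get_body(preferencelist=("plain",))
    lines = []
    if body is not None:
        lines = [ln.strip() for ln in body.get_content().splitlines() if ln.strip()]
    if lines and lines[0] in SIRCAM_FIRST_LINES:
        hits.append("first line: " + lines[0])
    if lines and lines[-1] in SIRCAM_LAST_LINES:
        hits.append("last line: " + lines[-1])

    subject = str(msg["Subject"] or "").strip()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        low = name.lower()
        if low.endswith(SIRCAM_EXTENSIONS) and low.count(".") >= 2:
            hits.append("double-extension attachment: " + name)
            # The worm names the mail after the stolen file: "Budget.xls.pif" -> "Budget".
            # Assumption: the subject matches the name with one or both extensions removed.
            stem_one = name.rsplit(".", 1)[0]
            stem_two = stem_one.rsplit(".", 1)[0]
            if subject and subject in (stem_one, stem_two):
                hits.append("subject matches attachment name: " + subject)
    return hits


def is_sircam(raw_message):
    """Verdict: the double-extension attachment plus at least one of the fixed body lines.
    The greeting alone is not enough; a real colleague may open with 'Hi! How are you?'."""
    hits = sircam_indicators(raw_message)
    has_attachment = any(h.startswith("double-extension") for h in hits)
    has_greeting = any(h.startswith(("first line", "last line")) for h in hits)
    return has_attachment and has_greeting


def build_sample(subject, body_text, attachment_name):
    """Build a constructed test message; the attachment bytes are a placeholder, not a binary."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.net"
    m["Subject"] = subject
    m.set_content(body_text)
    m.add_attachment(b"placeholder, not an executable", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples following the page's description of the worm's mail.
SAMPLE_SIRCAM_EN = build_sample(
    "Budget",
    "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later. Thanks\n",
    "Budget.xls.pif",
)
SAMPLE_SIRCAM_ES = build_sample(
    "informe",
    "Hola como estas ?\n\nEspero te guste este archivo que te mando\n\nNos vemos pronto, gracias.\n",
    "informe.doc.lnk",
)
# Legitimate mail that happens to share the greeting: must not be flagged.
SAMPLE_BENIGN = build_sample(
    "Budget",
    "Hi! How are you?\n\nAttached is the spreadsheet we discussed.\n\nRegards, Dana\n",
    "Budget.xls",
)

if __name__ == "__main__":
    for label, sample in (("EN", SAMPLE_SIRCAM_EN), ("ES", SAMPLE_SIRCAM_ES), ("benign", SAMPLE_BENIGN)):
        print(label, is_sircam(sample), sircam_indicators(sample))
```

A mail gateway would run is_sircam over each incoming message and quarantine the matches. Requiring the attachment indicator as well as the greeting keeps ordinary mail that opens with the same phrase from being thrown away.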
Among other incidents, it infected an FBI computer and sent out confidential documents. It is especially popular in the Middle East. We have received dozens of infected mails, sometimes from e-mail addresses that do not exist, even though the From line shows the mail as sent from that address. The From header is whatever the sending program chooses to write, so it proves nothing; the Received lines added by each relay are the only headers that show where a mail really came from.
Sircam can fill up your hard drive with rubbish. It makes changes to the autoexec.bat file, the registry and the Recycled folder, and it can also distribute itself across shared network drives.
A tool for undoing the damage caused by the virus is available free of charge here.
Don't use it unless:
you have installation media for your version of Windows, and
manual removal has failed.
Automatic removal programs can make your computer stop working. Only a technician will be able to restore Windows in that case.
Manual Removal
See the sections that follow for detailed instructions.
NOTE: If you are on a network, or have a full-time connection to the Internet, disconnect the computer from the network and the Internet. Follow the removal procedure on all computers, including the server. Disable or password-protect file sharing before reconnecting computers to the network or to the Internet.
To edit the registry:
The worm modifies the registry so that an infected file is executed every time you run a .exe file. Follow these instructions to fix this.
Copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that. The trick works because .com files are launched through a different registry association, which the worm leaves alone.
1. Open an MS-DOS prompt without going through the .exe association: click Start, click Run, click Browse, browse to your Windows folder (\Winnt in this example; the folder name depends on your version of Windows) and double-click the Command.com file, then click OK.
2. Type the following and then press Enter:
copy regedit.exe regedit.com
3. Type the following and then press Enter:
start regedit.com
4. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.
NOTE: This will open the Registry Editor in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, close the DOS window.
To edit the registry and remove keys and changes made by the worm:
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read "How to back up the Windows registry" before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.
1. Navigate to and select the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
CAUTION: The HKEY_CLASSES_ROOT key contains many subkeys that refer to file extensions; one of these is .exe. Changing the wrong entry can prevent any file ending in .exe from running. Make sure you browse all the way along this path until you reach the \command subkey.
Do not modify the HKEY_CLASSES_ROOT\.exe key.
Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey.
2. Double-click the (Default) value in the right pane.
3. Delete the current value data, and then type: "%1" %* (that is, type the following characters: quote, percent, one, quote, space, percent, asterisk).
NOTE: On Win9x and WinNT systems, the Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*" On Win2k systems, the additional quotation marks will not appear, and the (Default) value should look exactly like this: "%1" %*
4. Make sure you completely delete all value data in the command key before typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>."
5. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\SirCam
CAUTION: Make sure that you go all the way down to the SirCam key, and that it is selected.
6. With the SirCam key selected, press Delete and then click Yes to confirm. This will delete the key and all of its subkeys. Since this key was created by the worm, it can be safely deleted.
7. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
8. In the right pane, look for and select the value Driver32.
9. Press Delete, and then click Yes to confirm.
To remove the worm:
You will need a recent copy of an anti-virus program such as Norton or McAfee to scan all files and detect the virus.
1. Click Start, and click Run.
2. Type the following, and then click OK.
edit c:\autoexec.bat
The MS-DOS Editor opens.
3. Remove the line "@win \recycled\sirc32.exe" if it is present.
4. Click File and then click Save.
5. Exit the MS-DOS Editor
To rename the Run32.exe file:
If this file exists, it should be renamed back to its original name. If a computer is infected more than once over a shared directory on a network, the run32.exe file will be overwritten with an infected copy of rundll32.exe. If you see more than one entry in the Autoexec.bat, you will need to delete the run32.exe and rundll32.exe files and extract a new copy of rundll32.exe from a clean backup or the Windows install CD.
NOTE: As an alternative, you can extract the file from the Windows installation files.
1. Click Start, point to Find or Search, and then click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that Include subfolders is checked.
3. In the "Named" or "Search for..." box, type (or copy and paste) the following file name:
run32.exe
4. Click Find Now or Search Now.
5. Right-click the Run32.exe file and then click Rename.
6. Rename it to:
RUNDLL32.exe
7. Press Enter.
What it does - W95.MTX and its relatives all do the same sort of thing: they send a copy of the file that carries the virus to anyone who gets e-mail from you. If your Internet Explorer browser crashes when you try to go to certain anti-virus sites, you probably have this virus. If your e-mail client crashes while sending mail, you probably have the virus. You may not be able to view this page if you have the virus. If you have a file called Wsock32.MTX in your windows\system directory, then you have W95.MTX. To check whether you have the virus, send yourself e-mail.
How to get rid of it - Do not use the Fixmtx.exe automatic removal program unless you are ready to reinstall MS Windows. To clean the system by hand you need to make sure that you either have a Windows setup disk of the same version as the one you have and that you have the registration key, or that you at least have clean copies of these files: rundll32.exe, win32.exe, wsock32.dll.
Delete these files:
\windows\wininit.ini
\windows\wininit.bak
Fix the system registry:
1 Click Start, and then click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to and select the following subkey:
HKey_Local_Machine\Software\[Matrix]
4. Press Delete, and then click Yes to confirm.
5. Navigate to and select the following subkey:
HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
6. Delete the following value in the right pane: SystemBackup (its data is C:\WINDOWS\MTX_.EXE).
7. Click Yes to confirm.
8. In the left pane, click the My Computer key.
9. Click the Edit menu, and then click Find.
10. In the Find what box, type mtx and then click Find Next.
11. If any entries are found that refer to Mtx_.exe, delete them. Because this is a string search, it could find entries for legitimate programs that happen to contain this string. Make sure that the reference is to Mtx_.exe before you delete it. To continue the search after an entry is found, press F3. Keep doing this until no more entries are found.
12. Perform another Find operation, but this time search for [MATRIX]. Delete any entries that are found.
13. Click the Registry menu, and then click Exit to save the changes and close the Registry Editor.
14. Restart the computer.
If all goes well, you should no longer have wininit.ini or wininit.bak files in the Windows directory.
1. Use DOS to delete these files from the Windows directory (called "Windows", "Win95", "Win98" or "WinNT", usually):
ie_pack.exe
win32.dll
mtx_.exe
Make sure they are deleted. If any of the files are not deleted, you may have to restart the computer in "safe" mode to delete them.
Delete wsock32.dll from windows\system. This will probably have to be done in safe mode.
Extract new copies of the essential files either from the Windows cabinet files on the hard disk or from the CD, or copy them from a friend's clean machine or from a backup.
Note: if you have updated Internet Explorer, try re-running the Explorer setup program rather than extracting its files.
To check if you have cured the virus - send yourself e-mail.
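After working through either removal procedure above (Sircam's registry and autoexec.bat edits, or the W95.MTX registry edits), it is worth confirming that nothing was missed or mistyped before trusting the machine again. The Python below is an added example, not from the original page or from any vendor's tool. It parses a registry export as produced by Regedit's "Export Registry File" command (the REGEDIT4 text format), reports the leftovers the page tells you to remove, flags the leading-space mistake in the exefile command value that the page warns about, and scans autoexec.bat for the Sircam start-up line. The exports below are constructed for illustration; the hijacked command string shown is not taken from a real Sircam sample.

```python
"""Post-cleanup check for the Sircam and W95.MTX registry and autoexec.bat changes
described above (added example, not from the original page). Run it over the text
of a Regedit export and over autoexec.bat; the samples below are constructed."""

EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'
WORM_KEYS = (r"HKEY_LOCAL_MACHINE\Software\SirCam",
             r"HKEY_LOCAL_MACHINE\Software\[Matrix]")
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key (lower-cased): {value name: string data}}.
    Only string values are decoded; the .reg escapes for backslash and quote are undone."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def check_reg_export(text):
    """Return human-readable findings; an empty list means the export looks clean."""
    keys = parse_reg_export(text)
    findings = []

    command = keys.get(EXEFILE_COMMAND_KEY.lower(), {}).get("(Default)")
    if command is None:
        findings.append("exefile open command is missing; .exe files will not launch")
    elif command != CLEAN_EXEFILE_COMMAND:
        if command.strip() == CLEAN_EXEFILE_COMMAND:
            # The accidental leading space the page warns about: breaks every .exe.
            findings.append("exefile open command has stray whitespace: %r" % command)
        else:
            findings.append("exefile open command hijacked: %r" % command)

    for key in WORM_KEYS:
        if key.lower() in keys:
            findings.append("worm key still present: " + key)

    for name, data in keys.get(RUNSERVICES_KEY.lower(), {}).items():
        if name.lower() == "driver32":
            findings.append("Sircam RunServices value %s -> %s" % (name, data))

    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if "mtx_.exe" in data.lower():
            findings.append("W95.MTX Run value %s -> %s" % (name, data))
    return findings


def check_autoexec(text):
    """Return autoexec.bat lines that start the Sircam copy from the Recycled folder."""
    return [ln.strip() for ln in text.splitlines() if "sirc32.exe" in ln.lower()]


# Constructed export of an infected machine. The hijacked command string is
# illustrative only, built from the page's description, not from a real sample.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\SirC32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\SirCam]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\recycled\\SirC32.exe"

[HKEY_LOCAL_MACHINE\Software\[Matrix]]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBackup"="C:\\WINDOWS\\MTX_.EXE"
'''

CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# The mistake the page warns about: a space left before the value data.
STRAY_SPACE_EXPORT = CLEAN_EXPORT.replace('@="\\"', '@=" \\"')
INFECTED_AUTOEXEC = "@echo off\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n@win \\recycled\\sirc32.exe\r\n"

if __name__ == "__main__":
    for label, text in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT), ("space", STRAY_SPACE_EXPORT)):
        print(label, check_reg_export(text))
    print("autoexec", check_autoexec(INFECTED_AUTOEXEC))
```

Export the whole registry after editing, run the check, and only reconnect the machine when both checks come back empty. A non-empty result for the exefile command after a manual fix almost always means the value was typed with a stray character rather than that the worm is back.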
Zipped_files.exe (a.k.a. Worm.ExploreZip) - If you get e-mail that reads:
Hi [your name]!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Sincerely
[someone you know]
<<zipped_files.exe>>
do not open the attached file! It will try to send mail to every name in your inbox, replicating itself, and then will go ahead and delete Word documents and C and assembler source files on your hard drive, as well as other things.
For instructions on how to 'cure' the virus if you've got it, click here. From what I heard, after the virus hits, there isn't much left worth saving. You can keep it in an e-mail folder as a souvenir - or delete it. It may not be necessary to tell the sender that they have this “worm” - they already know...
More information at: http://www.news.com/News/Item/Textonly/0,25,37658,00.html?pfv
and at other web sites.
Happy99.exe - This "worm" or "Trojan" is quite old, but still turns up occasionally. If you get e-mail with a happy99.exe attachment and any text, from anyone, delete the file and reply to the sender giving them information about how to get rid of happy99.exe (see below) and how to get anti-virus protection. Happy99.exe is similar to zipped_files.exe, but less harmful and more subtle. When you run the program it shows a harmless-looking fireworks display. However, the program will attach itself to your outgoing mail instead of any attachments you want to send. You will be sending it out without knowing it. It may also cause your e-mail program to crash when trying to send mail. This little delight cost me about a week trying to figure out what was wrong with my system.
Instructions for eliminating the Happy99.exe virus are at: http://www.cetest.nl/happy99.htm
Spy Software, SPAM and Cookies
SPAM is unwanted junk mail that you get from e-merchants. E-racketeers sell lists of addresses of unsuspecting people who have signed up for various free services or posted their e-mail address at a web site. Separately, 'spy' programs (spyware) sometimes install themselves and report which sites you visit on the Internet. Cookies are not programs: a cookie is a small text record that a web site asks your browser to store, either in the Windows cookie directory or in the temporary Internet files directory used for caching pages. Cookies can be legitimately used to track whether or not you visited a site and to record personal preferences you entered, but advertising networks also use them to follow you from site to site, and cookies with names like "SuperTracker" are certainly up to no good from your point of view. There are freeware programs available for checking for 'spy' software and eliminating it. You should check your cookie and temporary Internet directories regularly and delete suspicious-looking cookie files.
There is no way at present to eliminate SPAM. You can help fight it:
Send every SPAM letter you get from an ISP domain (for example naturalviagra@aol.com, getrichquick@hotmail.com) as an attachment (so the header information stays intact) to the abuse and support addresses of that provider (e.g. abuse@aol.com, support@hotmail.com). The subject of the letter should be SPAM. The mail is usually read by automatic sorters first. Bear in mind that the From address is frequently forged; the Received headers show which server actually handed the mail to your provider, and that is the provider to complain to.
If you can, take the time to report the domain to one of the several spam-blocking lists.
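To forward a spam message with its headers intact, attach it as a message/rfc822 part rather than pasting its text into a new mail. The Python below is an added example, not from the original page: it derives the abuse@ and support@ addresses from the sender's domain and builds the report message the way the page describes. The spam message is constructed; example.com and example.net are reserved documentation domains. The From address is chosen by the spammer and is often forged, so in practice read the Received headers first and address the report to the relay that actually delivered the mail.

```python
"""Forward a spam message as a message/rfc822 attachment so the original headers
survive, addressed to abuse@ and support@ of the sender's domain as the page advises
(added example, not from the original page; the spam sample is constructed)."""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Constructed spam sample; example.com and example.net are reserved test domains.
SPAM_SAMPLE = (
    "Received: from mail.example.com (mail.example.com [192.0.2.10])"
    " by mx.example.net with SMTP; Mon, 16 Jul 2001 10:00:00 +0000\n"
    "From: Natural Viagra <naturalviagra@example.com>\n"
    "To: you@example.net\n"
    "Subject: Get Rich Quick!!!\n"
    "\n"
    "Buy now.\n"
)


def report_addresses(spam_raw):
    """abuse@ and support@ of the From domain. Caveat: From is written by the sender and is
    often forged; the Received lines, not From, show which relay actually delivered it."""
    spam = message_from_string(spam_raw, policy=default)
    _, addr = parseaddr(str(spam["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return []
    return ["abuse@" + domain, "support@" + domain]


def build_spam_report(spam_raw, reporter):
    """Wrap the untouched original in a new message as message/rfc822, Subject: SPAM."""
    original = message_from_string(spam_raw, policy=default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = ", ".join(report_addresses(spam_raw))
    report["Subject"] = "SPAM"
    report.set_content("Unsolicited mail received; the original follows as an attachment "
                       "with its headers intact.\n")
    report.add_attachment(original)  # serialized as message/rfc822, headers preserved
    return report


def round_trip(report):
    """Serialize and re-parse, as the receiving abuse desk's software will."""
    return message_from_string(report.as_string(), policy=default)


def attached_original(report):
    """Pull the forwarded message back out of the report."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


if __name__ == "__main__":
    rep = build_spam_report(SPAM_SAMPLE, "you@example.net")
    print(rep.as_string())
    inner = attached_original(round_trip(rep))
    print("Received header survived:", inner["Received"])
```

Pasting the spam into the body of a new mail loses the Received chain, which is the only evidence the abuse desk can act on; the rfc822 attachment keeps it verbatim.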
http://www.virusbtn.com/ - Explains about viruses and gives news of the latest viruses.
http://www.av.ibm.com/ - The IBM virus bulletin.
http://web1.nai.com/services/support/hoax/hoax.asp and http://www.ntwrkinc.com/services/support/hoax/hoax.asp (hoax lists)
http://kumite.com/myths/ (myths about viruses)
Antivirus Software and Information
[this is not an endorsement of any product or merchant!]
Sites of popular anti-virus program vendors usually have information about viruses. These links are not shown here because some viruses cause your browser to crash if certain names appear on a web page.