Attention, Netgear router owners!

IMPORTANT! If you have one or more Netgear routers with a model number RP614, RP614v2, DG814, MR814 or HR314 then it is very important that you update the firmware in your router. You could be one of the more than half-million Netgear router users who, because of the default firmware in the router, are causing problems for the University of Wisconsin. Links to details and upgrade sources are available on my page, netgear-error.html.

How not to deal with computer security:

A Must-Read file:

Claymania:
English: Safe Hex - Safe Computing Tips
Français: Conseils "Safe Hex"
Deutsch: Safe Hex - Sicher am Computer.

W32/Klez.E@mm, W32/Klez.H@mm, etc. ...

... or "Virus-of-the-Month Club".

Bookmark this spot: Klez information.

I have received more than a dozen copies of this one and a bogus report that a message that I allegedly sent couldn't be delivered because it was infected (but I never sent the message). This worm has some really nasty features:

1. On unpatched systems it can use the IE MIME-type vulnerability to get itself to run automatically.
2. It can disable your antivirus program.
3. It sometimes forges the sender address to some other email address found on the infected user's machine so it can appear to have been sent by an innocent third party. (That's what happened to me.) The envelope sender ("MAIL FROM:") in the SMTP transaction is also forged to some other address found on the infected machine. Addresses for the recipient and the two forged senders ("From:" and "MAIL FROM") are harvested from the infected user's addressbook or from his/her browser or newsreader cache.
   A request: If you are in charge of a server that filters for infected messages and attempts to notify the senders that they have infected machines, PLEASE do not send notices to the alleged senders when Klez is detected! Use appropriate lookup tools to find out who owns the connecting IP address and notify the person in charge there. The envelope sender and the alleged sender in the "From:" header are innocent third parties who probably have no connection whatsoever with the sending machine. Why should I get a notification (sometimes with the original virus attached) because some infected user in New Zealand or India was looking at my web site when the worm went scrounging through his machine looking for addresses to forge?
4. The "H" variant will sometimes pretend it's a disinfection tool to wipe out the "E" version of itself and trick people into running it that way.

Links to more information:

1. F-Secure Computer Virus Information Pages: Klez.H
   • Klez removal tool (read the page above and the KLEZTOOL.TXT file in the zip archive before using the tool).
2. McAfee - AVERT -- W32/Klez.e@mm
3. McAfee - AVERT -- W32/Klez.h@MM
4. McAfee.com - Virus Information Library -- W32/Klez.h@MM
5. Symantec Security Response - W32.Klez.A@mm
6. Symantec Security Response - W32.Klez.D@mm
7. Symantec Security Response - W32.Klez.E@mm
8. Symantec Security Response - W32.Klez.gen@mm
9. Symantec Security Response - W32.Klez.H@mm
   • SARC Reference - W32.Klez Removal Tool
10. Sophos virus analysis: W32/Klez-A
11. Sophos virus analysis: W32/Klez-B
12. Sophos virus analysis: W32/Klez-C
13. Sophos virus analysis: W32/Klez-D
14. Sophos virus analysis: W32/Klez-E
15. Sophos virus analysis: W32/Klez-F
16. Sophos virus analysis: W32/Klez-G
17. Sophos virus analysis: W32/Klez-H
    • Instructions for removing W32/ElKern-C and W32/Klez-H
18. AVG Anti-Virus - Virus Alert -- Klez
    • I-Worm/Klez.H removal instructions.
    • Win32/Elkern.C removal instructions.
19. Metropolitan Network BBS Inc., AVP in Switzerland -- Win32.Elkern.c
20. Metropolitan Network BBS Inc., AVP in Switzerland -- I-Worm.Klez
    • AVP special removal utility for Klez: clrav.com
21. Klez.J
    • NOD32 cleaner for Klez -- Windows 95/98/ME
    • NOD32 cleaner for Klez -- Windows NT/2000/XP
    • NOD32 updater in case you use NOD32 and the worm destroyed some NOD32 files
22. Download - Antivirus - Security - Norman -- Klez.G
    • Klez tool to repair Norman Antivirus if it has disabled NVC5
23. RAV AntiVirus - Virus Description -- Win32/Klez.H@mm
    • RAV AntiVirus - Free Cleaning Tools
      • Download Win32/Elkern.C Removal tool
24. Vet: Wib32.Klez.E
25. Vet: Win32.Klez.F
26. Vet: Win32.Klez.H
27. (About the MIME-header vulnerability and how to get the patch to fix it.) http://www.microsoft.com/technet/security/bulletin/ms01-020.asp
28. Klez Virus: Xtra Help
29. Visit Norman De Forest's Anti-Spam Page and read up on viewing and interpreting full email headers because the worm can forge an innocent third party in the "From:" address.

W32/Gibe.A@mm.

Bookmark this spot: Gibe information.

A new worm going around starts off faking the source:

From:	"Microsoft Corporation Security Center" <rdquest12@microsoft.com>
To:	"Microsoft Customer" <'customer@yourdomain.com'>
Subject: Internet Security Update

with an attachment named q216309.exe. The body of the message (described in the pages linked below) may fail to display. The worm has a bug that inserts some ASCII NULLs in the message and at least one mailreader, pine, halts its display of body text when an ASCII NULL is encountered. Since the first two NULLS are at the start of the body text, nothing is displayed.

Since I have received three copies in the last five days (March 7, 2002 to March 11, 2002), this worm rates inclusion here. Here's what I could find about it:

1. F-Secure Computer Virus Information Pages: Gibe.
2. McAfee - AVERT.
3. Symantec Security Response - W32.Gibe@mm.
4. Sophos virus analysis: W32/Gibe-A.
5. WORM_GIBE.A - Description and solution.
6. Gibe.A Information (including the fact that some copies of the worm may be corrupted).

W32.Magistr.39921@mm.

(a.k.a. W32/Magistr.b@mm and W32/Magistr.32768@mm)

Bookmark this spot: Magistr information.

This one has landed in my inbox a few times recently and a few users at my ISP have been infected with it. Be aware that there is more than one version of this worm out and the removal tools are version specific. If you get infected with W32/Magistr.A@mm you will have to look for the tool for that variant yourself. (If I tried to cover everything this page would take an hour to load and I would need 57 hours per day to keep the site relatively up-to-date -- besides the time needed to deal with spam.) Check several antivirus databases for aliases to see if your infection has more than one name.

This one is nasty. Besides making your icons run away from the mouse cursor, the worm can also trash your entire hard drive's contents or (on vulnerable systems) trash your flash BIOS so you need a new motherboard.

1. McAfee.com - Virus Information Library.
2. Viren News Forum bbs0104.html.
3. Symantec Security Response - W32.Magistr.39921@mm.
4. Sophos virus analysis: W32/Magistr-B.
   1. Instructions for disinfecting W32/Magistr-B.
   2. magibsfx.exe -- SWMAGISB disinfection utility (download to an uninfected machine) -- 53884 bytes.
   3. SWMAGISB notes -- for instructions on how to use the SWMAGISB utility to disinfect the W32/Magistr-B virus.
5. PE_MAGISTR.B - Description and solution.
   1. PE_MAGISTR.B - Technical details.
   2. fix_magistr_b.com -- disinfection tool from Trend Micro.
   3. readme_magistr_b.txt -- instructions for fix_magistr_b.com ***READ FIRST***.
6. A.C.V Reference Desk [other virus information sites]

It is important to follow disinfection instructions very carefully. The file at http://www.antivirus.com/vinfo/security/readme_magistr_b.txt warns people twice about the trojan portion of the worm:

*************************************
I   Important Note:

  If during the scanning the Trojan was detected in WIN.COM or NTLDR,
  DO NOT RESTART WINDOWS. This Trojan portion of the virus will trash
  your hard drive after you restart.

  Please make backup copies of your WIN.INI and SYSTEM.INI before running
  this tool.
[snip]

  If during the scanning the Trojan was detected in WIN.COM or NTLDR,
  DO NOT RESTART WINDOWS. This Trojan portion of the virus will trash
  your hard drive.

  For 9x/ME users, obtain a clean copy of WIN.COM and overwrite the one
  that was detected.

  For NT/2K, restore NTLDR from backup.

W32.Badtrans.b@mm.

Bookmark this spot: Badtrans information.

November 24, 2001: I get a suspicious message with an attachment that has an extension doesn't match it's declared "Content-Type:" header. F-Prot for DOS with the latest definitions at that time (November 20, 2001) fails to find anything.
November 25, 2001: I get a similar message addressed to the user-support mailing list.
November 27, 2001: Another two arrive and now F-Prot does detect a worm in all four copies once I grab the newly updated virus definitions. It's the W32.Badtrans.b@mm worm. Then a fifth copy arrives from a user here.

Watch out for this one. Like a number of other worms, it exploits a vulnerability in Microsoft Internet Explorer that allows it to run automatically the moment you view the worm. It also contains a backdoor trojan and a password-stealing keyboard logging trojan. Check out the links below and fetch (and install, of course) the patch from Microsoft that plugs the Internet Explorer hole.

1. Incorrect MIME Header Can Cause Internet Explorer to Run E-mail Attachment (Q290108)
2. AXENT : SWAT : Disable Embedded Scripting
3. Anti Virus Information
4. Sensible Security Solutions - Worm_Badtrans.b Virus Information
5. AntiVirus Alert, Nov 25, 2001
6. How to NOT hide extensions in Windows
7. OL2000: Information About the Outlook E-mail Security Update (Q262631)
8. F-Secure Computer Virus Information Pages: BadTrans.B
9. F-Secure Computer Virus Information Pages: BadTrans.B Disinfection Instructions
10. McAfee - AVERT W32.Badtrans.b@mm
11. Microsoft Security Bulletin (MS01-020)
12. Symantec Security Response - W32.Badtrans.B@mm
13. Sophos virus analysis: W32/Badtrans-B
14. Instructions for removing W32/Badtrans-B
15. WORM_BADTRANS.B - Trend Micro Virus Encyclopedia
16. I-Worm.BadtransII, virus description [VirusList.com®]
17. BadtransII Is Out There [ VirusList.com® ]
18. Windows95 viruses information
19. Win32.Badtrans.29020
20. Metropolitan Network BBS Inc., AVP in Switzerland I-Worm.BadtransII
21. Novinky [NOD32 Antivirus]
22. Norman - the data security company
23. RAV AntiVirus Website W32/Badtrans.b@mm
24. Microsoft Security Update, March 29, 2001
25. Vet: Win32.Badtrans.29020

Nimda.

Bookmark this spot: Nimda information.

Sep 20, 2001 (Nimda).
URLs in above:
   Removal Tools
   =============
   Central Command (AVP):
      http://www.centralcommand.com/toolsregister.html
   Network Associates:
      http://download.nai.com/products/mcafee-avert/NimdaScn.zip
   Trend Micro:
      http://www.antivirus.com/vinfo/security/fix_nimda1.zip
   Further Info
   ============
   CERT:
      http://www.cert.org/advisories/CA-2001-26.html
   F-Secure Corp:
      http://www.datafellows.com/v-descs/nimda.shtml
   Microsoft:
      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
   Network Associates:
      http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
   SANS Emergency Incident Handler:
      http://www.incidents.org/react/nimda.php
   Sophos:
      http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
   Symantec:
      http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
   Trend Micro:
      http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
   Patches for vulnerabilities:
   ============================
      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
      http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
      http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The Code Red Worm.

Bookmark this spot: Code Red information.

Code Red had been pounding relatively ineffectively against my ISP's servers lately. View a tech report entry (with other data snipped). WARNING: May be dangerous to view with Internet Explorer. Although it is just plain text showing the URL that Code Red attempts to submit to an IIS server, and was previously on this page as plain <PRE>formatted text (and *not* as a hyperlink), I have had one report from an IE user that his browser locked up just viewing this part of my page.

While the attacks have died down -- due mainly to the fact that Code Red-infected systems have mostly been closed or infected with Nimda -- there are still some infected servers out there and the holes it exploited could be used by other worms so the appropriate patches to prevent it are still recommended.

Some links to information about the Code Red worm (and more to add later when I can find them again):

1. Sensible Security Solutions - Code Red Virus Information.
2. SARC and Symantec:
   1. Write-up - CodeRed Worm.
   2. Write-up - CodeRed II .
   3. Write-up - Trojan.VirtualRoot (dropped by CodeRed II).
   4. Reference - CodeRed Removal Tool (instructions and download link).
   5. How to back up the Windows registry (a good idea when making any changes to the registry in case an error is made -- not just when getting rid of references to worms or viruses).
3. eEye Digital Security:
   1. CodeRed Scanner.
   2. (advisory about Code Red).
   3. News (currently mostly about Code Red).
4. BugTraq Archive: Full analysis of the .ida "Code Red" worm.
5. TROJ_BADY.A - Trend Micro Virus Encyclopedia
   (TROJ_BADY.A is another name for Code Red).
6. McAfee - AVERT (W32/CodeRed.a.worm).
7. PGP Security - Research - COVERT (Code Red alert).
8. CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
9. CERT Incident Note IN-2001-08: "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
10. National Infrastructure Protection Center (NIPC) - Warnings - 2001 Advisories - 01-013.
11. National Infrastructure Protection Center (NIPC) - Warnings - 2001 Advisories - 01-015.
12. Microsoft:
    1. Microsoft Security Bulletin MS01-033.
    2. Microsoft Security Bulletin MS01-044.
    3. Microsoft Security Bulletin (MS00-052).
    4. Microsoft Security Bulletin (MS00-052):
       Frequently Asked Questions.
    5. Microsoft Personal Security Advisor.
    6. Information on 'Code Red' IIS worm.
    7. Windows 2000 Service Pack 1.
    8. Windows 2000 Service Pack 2.

W32/Sircam-A.

Bookmark this spot: Sircam information.

I received 11 copies, one 754KB in size, before my ISP started blocking it. Not only is it larger than most worms but it also tacks on a random file from the infected user's computer to the end of itself and then opens that after running on a newly-infected computer to hide its real purpose. It can therefore cause a major privacy breach. The copies I have received have included Microsoft Word documents with an article about the works of Leonard Cohen a purchase confirmation from an Australian company with the customer's name and address (but fortunately not her credit card number), and a psychiatric paper probably intended for publication in some medical journal. A couple of Excel worksheets included one that appears to be a doctor's records about a (luckily unidentifiable) patient. And a ZIP file from Mexico that contained six extractable, boring snapshots of three young men.

Information I could find so far:

• TROJ_SIRCAM.A - Trend Micro Virus Encyclopedia:
  • Profile of the worm.
  • Technical description.
• Virus Encyclopedia.
• F-Secure Computer Virus Information Pages: Sircam.
• I-Worm.Sircam, virus description [VirusList.com®].
• Sophos virus analysis: W32/Sircam-A.
• SARC Write-up - W32.Sircam.Worm@mm.
• Frisk Software International / Virus Info / Sircam.
  They warn infected users:

<quote>

If your system is infected with the worm first please download this REG file and install it (by double-clicking on it):

ftp://ftp.europe.f-secure.com/anti-virus/tools/sirc_dis.reg

This will remove the worm's reference from the EXE file startup key in the Registry.

Warning! This is really important! The system might become unusable if the worm's file is deleted without modifying the EXE startup key first.

After that the system can be safely disinfected with an anti-virus program. If for some reason the worm's file can't be deleted from Windows (locked file), then you have to exit to pure DOS and delete the worm's file manually or use a DOS-based scanner.

</quote>

Hybris Worm.

I have received more than 180 copies of this worm (I lost exact count around 165) at the time of this writing and will probably get even more. Be aware that the worm does not really come from the alleged hahaha@sexyfun.net address in the "From:" header. That was a fictitious address and domain used by the worm's author. As a public service, someone else later registered the sexyfun.net domain to set up a web site on how to combat the worm. Following are links to some information on it:

Anti-Virus Info:

• Hybris: The Story Continues -- Kaspersky™ Anti-Virus.
• I-Worm.Hybris, virus description [VirusList.com®].
• Metropolitan Network BBS Inc., AVP in Switzerland -- I-Worm.Hybris.
• F-Secure Computer Virus Information Pages: Hybris.
• McAfee - AVERT -- W32/Hybris.gen@M.
  • Removal Instructions
    [includes *.CAB file names to find WSOCK32.DLL].
• Removal Instructions from Claymania site:
  • English: Hybris Removal Instructions
  • en Français: Instructions pour la désinfection de Hybris
  • in het Nederlands: Hybris Verwijder Instructies
  • Deutsch: Anweisungen zur Entfernung von Hybris
• Sensible Security Solutions - W32/Hybris.gen@M Virus Information.
• Sophos virus analysis: W32/Hybris-B.
• www.symantec.com -- W95.Hybris.gen
• Do You Have The W95.Hybris.gen Virus?
  • How to read your email headers.
  • I got rid of the virus, but now I'm missing WSOCK32.DLL. Help!
• Claymania site on restoring wsock32.dll:
  • English: Wsock32.dll Extraction Instructions
  • en Français: Instructions pour le rétablissement de wsock32.dll
  • in het Nederlands: Wsock32.dll Herstel Instructies
  • Deutsch: Anweisungen zur Extrahierung von wsock32.dll

Hybris in the News:

• Vandals behind spread of Hybris worm named.
• Hybris virus: Sleeper hit of 2001.

The latest Alerts:

Links to the latest virus alerts from various anti-virus companies.

TROJAN ALERT,

reported in the news.admin.net-abuse.email newsgroup:

A new tactic encountered by one regular to that newsgroup is to use JavaScript and ActiveX on a web site to attempt to install a bogus hosts file on your computer so the abuser can intercept your accesses to a number of web sites, act as a proxy to pass your password and cookie data back and forth between you and those sites, and also log your passwords and cookies so he has access to any accounts you may have on those sites. The postings include a list of the sites that can be intercepted: hotmail.com, yahoo.com, msn.com, altavista.com, google.com, paypal.com, ebay.com, buy.com, microsoft.com, icq.com, usa.net, usa.com, netscape.net, netscape.com, aol.com, web.de, excite.com, qwest.net, dell.com, hp.com, sony.com, gateway.com, ibm.com, bestbuy.com, prodigy.net, att.com, att.net, earthlink.net, earthlink.com, mail.com, lycos.com, av.com, mp3.com, hollywood.com, cnn.com, nba.com, nhl.com, nfl.com, usatoday.com, weather.com, money.com, geocities.com, amazon.com, bankamerica.com, wu.com, westernunion.com, c2it.com, visa.com, internet.com, ivillage.com, real.com, x10.com, about.com, www.hotmail.com, www.yahoo.com, www.msn.com, www.altavista.com, www.google.com, www.paypal.com, www.ebay.com, www.buy.com, www.microsoft.com, www.icq.com, www.usa.net, www.usa.com, www.netscape.net, www.netscape.com, www.aol.com, www.web.de, www.excite.com, www.qwest.net, www.dell.com, www.hp.com, www.sony.com, www.gateway.com, www.ibm.com, www.bestbuy.com, www.prodigy.net, www.att.com, www.att.net, www.earthlink.net, www.earthlink.com, www.mail.com, www.lycos.com, www.av.com, www.mp3.com, www.hollywood.com, www.cnn.com, www.nba.com, www.nhl.com, www.nfl.com, www.usatoday.com, www.weather.com, www.money.com, www.geocities.com, www.amazon.com, www.bankamerica.com, www.wu.com, www.westernunion.com, www.c2it.com, www.visa.com, www.internet.com, www.ivillage.com, www.real.com, www.x10.com, and www.about.com. Oh, and the malicious code installs a porn-dialler, too.

The ILOVEYOU Worm/Trojan and Variations.

First, see the Virus Alerts mentioned above. Then check out:

• Microsoft's information on security patches:
  1. Microsoft Security.
  2. Microsoft TechNet Security.
  3. Information on the VBS/Loveletter Virus.
  4. Protect Against Viruses with the Outlook E-mail Security Update.
• ... or check out Forté for
  1. their no-cost Free Agent Newsreader
  2. or their US $29 Agent News and Mail Reader which does not support HTML and, therefore, can't launch malicious HTML, JavaScript, or ActiveX and which can be made less likely to execute attachments.

  CIH Alert!

  A new virus has recently been discovered in the wild that can actually damage some computers. Potentially affected are those with motherboards with Flash BIOS. On some motherboards there is no hardware disable for altering the BIOS and this virus takes advantage of that on its triggering date to reprogramme the BIOS on such machines with garbage. The result is a machine that can't boot at all and a motherboard that has to be replaced or be sent back to the factory for reprogramming.

  More than a million computers affected in one day!

  Norman Antivirus has an article available describing the extent of the damage experienced by users on April 26, 1999 because of this one virus. The number of accesses to their web server reached record heights in April, 1999 due to two viruses, the CIH virus and the "Melissa" Word Macro virus/worm.

  I have gathered some CIH-related links on a separate page for your convenience.

  Some antivirus sites with fixes are:

  • F-Prot version 3.14b.
  • Version 3.14e in Garbo archives.
  • Garbo directory -- in case there's an update sice I checked last.
    
  • www.avp.ch.
  • www.avp.tm.
  • Norman Antivirus (no relation to me) [NEW address], Information in English, and their page of
    • Fixes for specific file and system viruses [NEW address].

  For more, read some of what has been said about this virus in the alt.comp.virus newsgroup.

  Is Your Computer Playing Music?

  Has your computer suddenly started playing music? If so, check the CPU fan and the power supply in your computer. A lot of people have asked in the alt.comp.virus newsgroup what virus can cause their computers to suddenly play music. The reply given over and over and ... is that it is unlikely to be a virus. Some modern computers have a detection circuit to warn you of failure of the fan that sits on top of your CPU (not to be confused with your power supply fan which is completely different) and will play a musical passage to alert you when the fan fails or if the power supply voltages drift out of tolerance. Most reports mention "Fur Elise" by Beethoven. One mentioned the song "It's a Small, Small World" but that may have been derived from "Fur Elise" and may be the same song. For more on this, see Microsoft's note,
  Q261186 - Computer Randomly Plays Classical Music.

  If, however, the music you hear is "Happy Birthday" instead of "Fur Elise" then you may have another problem. Some AMI BIOS chips were shipped a few years ago that had been sabotaged by an ex-employee to freeze up on his birthday in November and just play "Happy Birthday". The only cure is to replace the BIOS.

  Attention, Toshiba Laptop Owners!

  Your Toshiba notebook computer may be infected.

  Do you have one of these Toshiba notebook computers?

  • Tecra 730XCDT;
  • Tecra 510CDT;
  • Portege 300CT;
  • Portege 660CDT;
  • Satellite Pro 460CDT;
  • Satellite Pro 440CDX;
  • Satellite Pro 430CDT;
  • Satellite Pro 430CDS; and
  • Satellite 220CDS.
  If so, you may have received one of the computers that was accidentally infected by the AntiEXE virus before shipping.

  Read the news story, "Toshiba ships notebooks with virus"
  and then visit Toshiba's site to read the
  "Procedure to Correct Notebook Computer Software Problem".

  Anti-Virus Sources:

  Français?

  • Montjoie - Ressources anti-virus francophones (Francois Pirsch).

  How about Spanish?

  "http://www.netup.cl/~ahumadaz"

  The newsgroup: "chile.comp.virus"

  (You can view it with DejaNews if it isn't available on your ISP's newsserver.)

  The Concept Macro Virus.

  As it is now over a year since I first reported on the Concept virus on my home page, I feel that it is not the unknown that it once was. It is still dangerous and (except for one month) has maintained its spot as Number One on the infection Hit Parade since January, 1996. When I first reported on it, it was unique -- the only macro virus "in the wild". However, this is no longer the case. Giving such specific information so prominently on one macro virus when there are now hundreds of them (close to two thousand variations) may give readers the mistaken impression that the Concept virus is the only macro virus to worry about. I have now moved it off my main home page and have a new page on the Concept Macro Virus and, to come later, other macro viruses.

  Anti-Virus Frequently Asked Questions.

  The alt.comp.virus FAQ is now available as DOS hypertext

  • from David Harley's web site http://webworlds.co.uk/dharley/ and
  • from ftp://ftp.gate.net/pub/users/ris1/acvfaqht.zip courtesy of Ed Fenton, who [Harley says] has done a brilliant job of organising it, using the Orpheus hypertext compiler.

  This consists of all four parts of the FAQ plus the supplementary guide to virus-related FAQs in a single hypertext document, with a rather nifty search engine.

  The straight text versions remain available at both these sites, among others.

  At the J and A Virus Info site, I have found a web-browsable hypertext version of the alt.comp.virus FAQ. (They used to list my antivirus page <Brag, brag!> but some links had to be sacrificed in the latest versions to make room for other information <sob>.)

  A Not-So-Frequently Asked Question and the "Junkie" virus:

  I have run across a set of symptoms that I have never seen adequately described in any anti-virus software documentation or on any of the other anti-virus web sites that might make people mistakenly think that some of their software is unrecoverable when it isn't. The scenario is:
  (1) the user has just upgraded from an earlier version of MS-DOS.
  (2) his (or her) *.COM utilities now crash (TREE.COM is an example).
  (3) an anti-virus utility reports an infection by the "Junkie" virus.
  (4) the anti-virus utility is used to clean the system and reports success.
  (5) the *.COM utilities still crash.

  The user may be under the impression that the *.COM utilities have been damaged beyond repair. This is not necessarily the case. What has happened is due to the stupidity of the Junkie virus. It seems that the author's intent was to infect *.COM files but an omission in the virus of any check on the last letter of the extension of the file to be infected makes the virus infect any file with an extension that starts with "CO". The result is that, if an upgrade is attempted on a Junkie-infected system, the virus infects the compressed *.CO_ files before EXPAND has a chance to look at them. By the time EXPAND sees the files they are infected and no longer have the compressed-file signature at the beginning of the file that indicate a valid compressed file. The virus has over-written that part of the file. EXPAND then assumes that the file was not compressed after all and just copies it without expansion to its destination, renaming it to have a ".COM" extension. No error message is issued by EXPAND. The resulting *.COM files now consist of an executable virus and an unusable compressed file that crashes as soon as the virus does its thing and transfers control to the rest of the file.

  When an anti-virus utility is used to clean the files, the files are restored (except for some possible one to fifteen bytes of extra padding at the end to a paragraph boundary) to their original state. In the case of the *.COM files, they are restored to uninfected COMPRESSED files. They are still not usable *.COM files until EXPAND has a chance, again, to de-compress them to their usable state.

  The solution is:
  (1) run your antivirus programme on your original installation disks and specify ALL FILES and not just executable files to clean the virus out of your *.CO_ files.
  (2) delete and re-install the *.COM files from the cleaned *.CO_ files.
  or, if you don't have the installation disks, (you got your computer with pre-installed software, no disks, and the dealer infected the system):
  (1) rename all of your (now disinfected) *.COM files to *.CO_ and then...
  (2) run EXPAND on them again to expand them to usable *.COM files.

  This tip may just get your programmes working again when you thought they were damaged beyond repair.

  Note: I have been informed by one antivirus vendor that COMMAND.COM is the only file that can get infected by the Junkie virus on a Windows 95 machine (which probably also applies to Windows 98, Windows 2000, and Windows ME). One possible reason for that is that COMMAND.COM would be the first target of the virus and (since COMMAND.COM on those systems is really a *.EXE file with a *.COM extension) infecting that file renders the system incapable of booting so the infection can't spread any further on subsequent boots.

  Virus Myths

  The Computer Virus Myths home page [note the new address] is a good place to start to find out what is NOT a virus. There are a lot of false rumours floating around about phoney viruses. The Science Fiction and Fantasy Writers of America also have a section of their site devoted to those Urban Myths concerning viruses. You might also want to follow one of the links there for more information.

  Other pages related to hoaxes are:

  1. WARNING, CAUTION, DANGER, AND BEWARE! Gullibility Virus Spreading over the Internet!
  2. Hoaxes & Myths - Antivirus Net Links.
  3. IT Services - Virus Hoaxes.
  4. Yahoo! Society and Culture : Mythology and Folklore : Urban Legends : Computer Viruses.
  5. Computer Virus Myths treatise -- a to z.
  6. Yahoo! Search Results -- "virus hoaxes".
  7. Gullibility Virus.
  8. Current Internet Hoaxes, Urban Legends, and other digital lies... - Urban Legends and Folklore.
  9. The Hoax That Cried Virus.
  10. Hoax Encyclopedia.
  11. HOAXBUSTERS Home Page.
  12. CIAC Internet Hoax Information including
      • The Risk and Cost of Hoaxes and
      • Recognizing Hoaxes.
  13. Internet Hoaxes Email Rumors and Urban Legends - Current Netlore Debunked.
  14. Hoax: the Deeyenda virus.
  15. Internet Mailing Lists -- includes links to virus hoax sites.
  16. FAQ - Good Times Virus Hoax.
  17. Well-Known Urban Legends page 6.
  18. Good Times Spoof.

  Macintosh Viruses.

  I have been too busy with other things to keep track of the Macintosh avti-virus scene (especially since I don't use a Mac) and it has recently (July 9, 2000) been brought to my attention that my Mac links were broken and providing me with substitutes ("Thanks, Werner!"). I also did some looking around the net and came up with a couple more links. So here is my new, up-to-date (as of March, 2004) skimpy collection of Macintosh anti-virus links:

  • Viruses and the Mac FAQ [Google Groups archive]
  • Viruses and the Mac FAQ [at http://www.faqs.org]
  • A directory full of a lot of *.hqx antivirus files I can't decompress so I don't know what they are can be found at:
    ftp://mirror.apple.com/mirrors/info-mac/_Anti-Virus
    

  Atari Viruses.

  There is not much out there for the Atari but I did find

  • one ftp site with some Atari antivirus utilities included.
    • Read their index to find out what is available there.
  • Hallvard Tangeraas in Norway has a lot of information about
    • Atari ST computers including an
      • Atari ST virus list.

  Amiga Virus.

  I hesitate to add the plural "es" to the word "virus" above as I have run across only one reference so far on an Amiga virus, on the CIAC web site.

  Viruses and Unix Security.

  CyberSoft has

  • some interesting things to say about the vulnerability of Unix systems and
  • some products which address the issues they discuss.
  Unix users might want to check this out.

  A McAfee press release reported in February 5, 1997 that they had discovered the first Linux virus. The page that used to contain this press release appears to have been changed but there is now more information on Linux viruses available.

  • Linux.Bliss.
  • BLISS VIRUS.
  • F-Secure Computer Virus Information Pages: Linux/Bliss.
  • F-Secure Computer Virus Information Pages: Linux/Staog.

  Other anti-virus sites.

  News on the Security Front,

  The latest news and gossip on the computer security and anti-virus front can be found in The Crypt Newsletter -- very interesting reading.

  Independent Information.

  • There is a good evaluation of many different virus scanners available for viewing or downloading at the University of Tampere, Virus Research Unit, Department of Computer Science, P.O.BOX 607, 33101 TAMPERE, FINLAND.
  • Hitchhikers Internet Services has one of the two most complete collection of AntiVirus Resources and information I have found on the Internet. Their site is well worth a look.
  • The Eddy Willems Free Anti-Virus Consultancy [NEW ADDRESS] is the other most complete and comprehensive site I have found on fighting viruses. Another site worth visiting.
  • National Institute of Standards and Technology, Security Research Clearinghouse.
  • Virus Bulletin.
  • Telstra Corporation Computer and Network Security Reference Index.
  • At the VSUM Web Site you will find a regularly updated chart of the effectiveness of various antivirus utilities for detecting viruses. Note that they do not rate any of the programmes for disinfecting ability, just detection. But this is still useful information to have.
  • For relatively up-to-date versions of several antivirus programmes, you might try one of the software repositories:
    • http://www.simtel.net/simtel.net/msdos/virus-pre.html -- simtel archives. [NEW address] The Oakland mirror at http://oak.oakland.edu/pub/simtelnet/msdos/virus/ appears to have been discontinued.
    • ftp://garbo.uwasa.fi/pc/virus/ -- garbo archives.
    • http://www.chips.navy.mil/oasys/virus/.
  • The U.S. Department of Energy hosts the CIAC Security Web Site (Computer Incident Advisory Capability), where they have notes on several computer security issues. You might want to pay a visit to their CIAC Virus Database and read up on your favourite virus.
  • The CERT Coordination Center may be a worthwhile place to visit to get the latest security advisories.

  Unzipping utilities.

  If you download any of the antivirus programs from the sites below, you are probably going to need to unzip them. If you don't have an unzipping utility, a free unzipping program from Info-Zip to uncompress the downloaded antivirus files can be downloaded from the Garbo Archives at:

  • unz532x.exe -- InfoZip's UnZip, 16-bit version:
        "ftp://garbo.uwasa.fi/pc/arcers/unz532x.exe"
  • unz532x3.exe -- InfoZip's UnZip, 16 and 32-bit versions:
        "ftp://garbo.uwasa.fi/pc/arcers/unz532x3.exe"
  The shareware version of PKZIP and PKUNZIP is also available at:
  pkz204g.exe -- pkunzip and pkzip version 2.04g
      "ftp://garbo.uwasa.fi/pc/arcers/pkz204g.exe"
  InfoZip's UnZip's advantage is that it's free. PKWare's PKZIP and PKUNZIP have tha advantage of supporting a couple of older and rare compression methods that are not supported by InfoZip's UnZip. I have run across a few older *.zip files that couldn't have the complete contents extracted by UnZip but none of the antivirus software that I know of has this problem.

  Antivirus Distributers.

  • Symantec -- spammers!
  • Dr Solomon's Software (formerly S&S Software), now owned by NAI. (Warning! See note below about their [lack of] "Privacy Statement".) Their official site is no longer at http://www.ibmpcug.co.uk/~drsolly/ although Dr. Solomon's personal home page still appears to be there.
    • Their Canadian representative, Sensible Security Solutions, has a web site at http://www.canada-av.com.
  • Data Fellows -- providers of F-Secure which combines two antivirus engines including the F-Prot (see below) engine. You may be interested in subscribing to the DataFellows mailing lists through their subscription form and get the latest news on anti-virus or security related matters.
  • Check out F-PROT by Frisk [NEW URL, Nov 11, 2004]. Their DOS version (see below for download addresses) is free for personal use. You might also want to check out their Fpwin [NEW URL] (formerly "Fp-Win") (for Windows 95 or higher). Unlike their DOS version, it's not freeware for personal use but may suit you better and a trial version is available. Now available in beta-test form is Fplin, a Linux version of F-Prot! You can download the latest version of F-Prot for DOS and definitions from:
    • http://files.f-prot.com/files/dos/f-prot.zip (Latest version on May 23, 2005 was version 3.16b; April 7, 2005; 2799127 bytes).
    • F-Prot, Latest Virus Signature Files (Latest version on December 7, 2005 was released on December 5, 2005; 3146334 bytes).
    • Frisk has a page listing, for the various operating systems they support, the current version numbers and dates for F-Prot.
      • If you prefer to stick with the DOS version of F-Prot but want to be able to check single files instead of entire directories or drives, you might want to try the procedure that I used to enable the scanning of a single file by right-clicking on it. (Note that I have had some reports that this doesn't work with Windows ME because Windows ME will neither close the DOS window nor allow you to do so when you are finished the check and conflicting reports from others that it does work with Windows ME.)
    • ftp://garbo.uwasa.fi/pc/virus/ -- directory.
    • ftp://garbo.uwasa.fi/pc/virus/fp-314e.zip
    • For some strange reason, F-Prot can't be found in the Simtel Archives at this time (March 30, 2002, 02:58 a.m., Atlantic Standard Time).
    • Creating emergency boot disks can also be a challenging task for a computer beginner. AVDisk have available some free programs that can create emergency boot disks and emergency antivirus floppies for a variety of antivirus software including F-Prot.
    • The Claymania antivirus site has more information and tips related to using F-PROT for DOS including how to use F-Prot from a boot floppy set and how to replace the macro.def file with the smaller nomacro.def file (you don't need to be in DOS to check for macro viruses as they won't run unless you open an infected file with Microsoft Word) to get the files to fit on floppies and a list of all of the F-Prot command line switches. Note that the definition files need not be on floppy in the order they specify. The new file sizes may require arranging them differently. F-Prot will prompt you to switch floppies when it needs a particular definition file if you use the /LOADDEF switch.
  Those using their F-MACROW.EXE for disinfecting Word macro viruses will probably want to get the latest version. The copy of F-MACROW.EXE that comes with F-PROT 2.28b is version 1.07. The latest MACRO.DEF files require version 1.08a which can be downloaded from
  • ftp://ftp.f-prot.com/pub/fm-108a.zip
  before downloading the the latest macro definition file from
  • ftp://ftp.f-prot.com/pub/macrdef2.zip.
  The definition file is updated on almost an hourly basis as new macro viruses or variants are discovered.
  
• Stiller Research also has a good write-up on macro viruses as well as promoting their anti-virus tools.
• IBM is taking the virus threat seriously. Check out their new web site dedicated to anti-virus issues, "antivirus online". WARNING: Their site is very lynx-hostile with graphical links and imagemaps for almost all navigation.
• Safetynet Inc. Computer Security and Antivirus Software -- NEW address! Their legacy address at http://www.safe.net/ still works but they prefer you use the new address.
• McAfee is now part of NAI. Warning! Before you download anything or view anything from their site you should read their [ lack of ] "Privacy Statement" with a browser that you know does not give out personal information about you. Their alleged "Privacy Statement" says in part:
  

   

  <QUOTE:>

  For each visitor to our Web page, our Web server automatically recognizes the consumer's domain name and e-mail address (where possible).

   

  We collect the domain name and e-mail address (where possible) of visitors to our Web page, the e-mail addresses of those who post messages to our bulletin board, the e-mail addresses of those who communicate with us via e-mail and information volunteered by the consumer, such as survey information and/or site registrations.

   

  The information we collect is used to improve the content of our Web page, used to notify consumers about updates to our Web site, shared with other reputable organizations to help them contact consumers for marketing purposes and used by us to contact consumers for marketing purposes.

   

  <END QUOTE:>

   

  To paraphrase what they say, "If we can get your address we will spam you and we'll sell your address to other spammers." They do go on to say that they will put on a do-not-mail list if you ask -- in other words, opt-out.

  NAI's McAfee Online -- download the latest version of VirusScan, version 3.03: [NOTE: on the comp.virus newsgroup, a couple of people have reported a trashed hard disk after upgrading to VirusScan 3.00 on a Windows 95 machine. Until I can find out whether it was (a) a bug in the upgrade, (b) a coincidence, (c) a bug in Windows 95, or (d) a false alarm, you might consider performing a complete backup of your hard disk and make sure that you have the boot floppy disks necessary to restore your drive in case of a complete trashing of your partition before installing the 3.00 upgrade on a Windows 95 system.]
  • McAfee Download Sites for VirusScan [new address!] -- all systems.
  • Other sites:
  • Full installation:
    • scni312e.zip -- ftp.vse.cz SAC.
    • scni312e.zip -- lewsun.md.ucl.ac.be.
    • scni312e.zip -- www.vhc.se.
    • scni255e.zip -- lewsun.md.ucl.ac.be.
    • scni255e.zip -- www.vhc.se.
  • Upgrade:
    • scn-312e.zip -- ftp.vse.cz SAC.
    • scn-312e.zip -- lewsun.md.ucl.ac.be.
    • scn-312e.zip -- www.vhc.se
    • scn-304e.zip -- garbo.uwasa.fi -- garbo archives.
    • SCN-303E.ZIP -- www.chips.navy.mil
    • scn-255e.zip -- www.vhc.se
    • http://osuno.fciencias.unam.mx/ftp/AntiVirus/ -- A Mexican site with several of the McAfee versions for different platforms.
    • Version 2.52 -- French version
      • scn22cfe.zip -- lewsun.md.ucl.ac.be French. Note that I don't know if this is just a version with French commands and messages or whether this requires a French version of DOS. You're taking your chances here. Read the documentation. It will probably tell you.
• Safe@Home.
• Sophos antivirus.
• The SBABR Homepage [NEW ADDRESS] -- backup-and-restore for MBR, CMOS, and other critical system areas as well as generic replacement of suspicious floppy boot sectors. A new (to me) company in Italy. So far I haven't found out any more about them than what is on their web site.

Alien Invaders might want to check out this CERT advisory.

Is it "viruses" or "virii" when speaking about more than one virus? One poster to the alt.comp.virus newgroup has an answer:

"i thought we settled this a long time ago, the term varies depending on the number... viri for one, virii for two, viriii for three, viriv for four, virv for five, and so on..."

Has your favourite newsgroup been invaded by the porn spammers? One such spammer, advertising a CD with "10000 Celebrity Nude Photos", inspired this hilarious response in the alt.comp.virus newsgroup -- an imaginary review of erotic scanners. (My sincere thanks to the poster -- who granted me permission to include it here.)

From the "Are you sure it's satire?" department:

SatireWire:
Foot-and-Mouth First Virus Unable To Spread Through Microsoft Outlook.

Fun and Games!

Core Wars:

Do you want to write your own programs designed to clobber others and run them with no fear of getting caught? Will your little sister's program trash yours first or will your grandfather's program beat both of yours? Write your own combatitive programs designed for a machine that doesn't exist and run them on the REDCODE simulator and may the best code win.

Other Security Issues.

Java Security

There is some concern over security leaks in the Java language. The following sites have some excellent information on that subject:

Princeton University Safe Internet Programming Group

News last updated 30-April-1997.

Sun Microsystems/JavaSoft "Applet Security" FAQ.

Sun Microsystems/JavaSoft "Denial of Service" White Paper

Last updated 10-May-1996.

Also, here is the Netscape Navigator 2.02 Security FAQ

Last updated 16-May-1996.

Links above last checked between
August 15, 2001 and August 17, 2001.

Back to Norman's Home Page.

Webmaster: Norman De Forest.
If you have any comments about this page,
please send me an email message.