Virus Avoidance Advice from Burton Systems Software        Note: updates since the 31-May-2002 version of this document are in red.I. COMPREHENSIVE VIRUS INFORMATION ON THE WEB:More information about almost all computer viruses is availableon the following excellent web sites, which are run by eightcompanies that make anti-virus tools:http://www.symantec.com/avcenter/vinfodb.html (Symantec/Norton)http://vil.mcafee.com/ (McAfee/NAI)http://www.f-secure.com/v-descs/ (F-Secure)http://www.antivirus.com/vinfo/ (Trend Micro)http://www.sophos.com/virusinfo/analyses/ (Sophos)http://www.virusdb.com/ (Kaspersky)http://www.quickheal.com/alerts.htm (Cat Computer Services)http://www3.ca.com/virus/ (Computer Associates)Sophos also has an excellent "virus prevention primer," here:http://www.sophos.com/virusinfo/whitepapers/prevention.htmlThese three sites have a lot of excellent information about viruses,virus hoaxes, anti-virus tools, etc.:http://www.virusall.com/ About, and look at the "Update Versions"line. If you see "SP1", "SP2" or "SP3" then you already have ServicePack 1, 2 or 3, respectively, installed in your copy of InternetExplorer.If you are running IE 5.01, you must first apply Service Pack 2 (SP2),unless it is already installed, before you can apply the CumulativePatch update. If you are running IE 5.5, you should first apply SP2unless either SP1 or SP2 is already installed.For IE 5.5, if you don't already have either SP1 or SP2 installed, thenget SP2 here:http://www.microsoft.com/Windows/ie/downloads/recommended/ie55sp2/default.aspor here: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q276369For IE 5.01, if SP2 is not already installed, then get it here:http://support.microsoft.com/default.aspx?scid=kb;en-us;Q267954, or here:http://www.microsoft.com/Windows/ie/downloads/recommended/ie501sp2/default.aspFor IE 6.0, there are no Service Packs (yet).Then for IE 5.5 or IE 6, or for IE 5.01 under Windows 2000, applyMS02-047 (a/k/a Q323759), about 2-2.5 MB (~8-15 minutes to downloadwith a typical dial-up modem):http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.aspOr for IE 5.01 under Win-9x/Me or NT 4, apply MS02-009 (a/k/a q318089),about 300 KB (~2 minutes to download with a typical dial-up modem):http://www.microsoft.com/technet/security/bulletin/MS02-009.asp,then apply MS02-015 (a/k/a Q319182), about 2-2.4 MB (~8-15 minutesto download with a typical dial-up modem):http://www.microsoft.com/technet/security/bulletin/MS02-015.aspNote #1: Microsoft fixes should generally be applied in chronologicalorder, according to the dates on which they were released.Note #2: Unless you are running Windows XP, when applying two or moreMicrosoft fixes which prompt you to reboot the computer, you reallyshould let it reboot the computer after each one. Or, with NT 4 orWindows 2000, you may apply them all and then run Microsoft'sQChain.exe utility before rebooting the computer. Get QChain here:http://support.microsoft.com/default.aspx?scid=kb;EN-US;q296861d) All Windows 9x/ME/NT/2K/XP users should apply these MicrosoftJava/VM updates:http://www.microsoft.com/technet/security/bulletin/ms02-013.asphttp://www.microsoft.com/technet/security/bulletin/ms02-052.asp (Q329077)MS02-013 is 4.3 MB. Fortunately, MS02-052 is only 168 KB, so itis a quick download. Unfortunately, even though Microsoft says thatthese fixes are "critical" for users of all versions of Windows9x/Me/NT/2K/XP, they now seem to be only available through Microsoft'scumbersome "Windows Update" facility (search for "Q329077"), whichonly supports Windows 2000 & XP. There probably is some way forWin 9x/Me users to get the fixes from Microsoft's web site, but Ihaven't figured out how. Perhaps you can just lie about what versionof Windows you are using?MS02-052 is apparently the same for all versions of Windows, and itcan also be downloaded as vm-sfix3.exe (Q329077) - 167,168 bytes fromhttp://ftp.uni-stuttgart.de/pub/systems/winxp/fixes/security-bulletins/usa/vm-sfix3.exeOr delete Microsoft's Java VM and use Sun's, instead:http://java.sun.com/j2se/1.4/download.html.Sun's is said to be slower, but safer.Or perhaps IBM's, which has a good reputation for high performance:http://www7b.boulder.ibm.com/wsdd/wspvtdownload.html (newest)http://www.ibm.com/developerworks/java/jdk/118/jre-info.html (stable)e.1) If you run Windows XP, you should first disable its dangerous"SSDP Discovery Service" (UnPnP) as described here:http://grc.com/UnPnP/UnPnP.htmThen install Windows XP Service Pack 1:http://www.microsoft.com/windowsxp/pro/downloads/servicepacks/sp1/(Note: despite what it says on that page, this service pack is forboth the "Home Edition" and the "Professional Edition" of Windows XP.)Unfortunately, SP1 is huge, so downloading and installing it istedious if you only have a slow modem connection. But if you arein a hurry, you can use this quick, stop-gap fix from Steve Gibsonfor the worst of the bugs repaired by SP1:http://grc.com/xpdite/xpdite.htmHowever, you still should install SP1 as soon as you can.e.2) If you run Windows 95/98/Me, and you "share out" your disk overa network using passwords to limit access, you need to apply this fix,for a bug that is exploited by the Opaserv virus:http://www.microsoft.com/technet/security/bulletin/MS00-072.aspf) If you are running Microsoft Outlook (as opposed to OutlookExpress) as your email client, then be sure to apply the latestOutlook email security updates.For Outlook 98, get:http://office.microsoft.com/downloads/9798/Out98sec.aspxFor Outlook 2000, get:http://office.microsoft.com/Downloads/2000/Out2ksec.aspx and thenhttp://www.microsoft.com/technet/security/bulletin/MS02-021.aspFor Outlook 2002, get:http://www.microsoft.com/technet/security/bulletin/MS02-021.aspg) Macro virus avoidance, Part 1: If you use Microsoft Office XP(Word 2002, Excel 2002, etc.) then you should apply Office XPService Pack 2 (SP2), from:http://office.microsoft.com/downloads/2002/oxpsp2.aspxUnfortunately, this is a 15.5 MB download, about 1.5 hours by modem.But it is the only MS Office update you need, so you can skip thenext paragraph's instructions for applying MS01-034 and MS02-031.If you use Microsoft Word 97, Word 2002, or any version in between,or Microsoft Excel 2002, then you should apply the latest availableSecurity Update and/or Cumulative Patch. It is not clear fromMicrosoft's web site whether or not MS01-034 is included in MS02-031,so I recommend applying both. First, everyone should apply MS01-034:http://www.microsoft.com/technet/security/bulletin/MS01-034.aspThen, if you have MS Office 2000 SR-1a or SP2, Office XP SP1, Word2000, Word 2002, or Excel 2002, you should also apply MS02-031:http://www.microsoft.com/technet/security/bulletin/MS02-031.asph) Macro virus avoidance, Part 2: The "97" and later versions ofMicrosoft Word, Excel, PowerPoint and Access, and Microsoft Project4.1 and later, include a feature to help protect against infectionby macro viruses. (Earlier versions don't support macros, so theyare naturally immune to this threat.) If you have the vulnerableversions of any of these programs, you should make sure that theprotection feature is enabled. To enable the feature, start eachof the programs and then:For "97" versions: Tools -> Options -> General check the Macro virus protection check box then click OKFor more recent versions: Tools -> Macro -> Security select either Medium or High then click OKFor more information about the "Macro Virus Protection" feature, see:http://office.microsoft.com/assistance/9798/o97mcrod.aspxHowever, that document contains one piece of bad advice. Discussinghow you should answer when prompted about how to handle a documentcontaining macros, it says: Disable Macros You should choose this command if you are unsure of the source of the document, but you still want to open it. Enable Macros You should choose this command if you know who created the document.That advice is wrong, wrong, WRONG! Macro viruses infect documentsafter they are created, without regard for who created them. So thesource of the document does not matter. You should ALWAYS answer"Disable Macros," except for those rare files that you know requiremacros to display properly (which is almost never the case for Worddocuments).i) Macro virus avoidance, Part 3: Do not send Microsoft Word .docfiles in email. Instead, save your file in "Rich Text Format" andsend the .rtf file. If you send .rtf files instead of .doc files,the recipients need not worry as much about receiving macro virusesfrom you, and .rtf files are usually more compact, too. (However,a .doc file that has been renamed to have a .rtf extension can stillhave macro viruses in it.)j) Apply the latest Cumulative Patch for Windows Media Player:http://www.microsoft.com/technet/security/bulletin/MS02-032.aspk) "Share out" disk drives only sparingly over your network. Grantonly "read-only" access unless write access is really necessary,and don't share out your system drive (probably C:) unless reallynecessary. Viruses like Qaz, Klez, and others spread via networkshares, simply by opening and modifying program files on othercomputers over the network.l) To safely view a suspicious message in Outlook Express, withoutopening it, right-click on the message summary line, then: Properties -> Details -> Message Source...To safely view a suspicious message in Outlook (not Outlook Express),highlight the message summary line, then from the main program menubar at the top of the window: File -> Save As... change the Save as type... to Text Files (*.txt) adjust the file name and location as desired click Savethen open the saved .txt file in Notepad.Or you can drag the message over to Outlook's "Tasks" folder andexamine it there, though that won't show the message body for HTMLformatted messages.m) If you are a "techie" person doing "techie things," likerunning a web server or using a VPN connection, you should alsoread the advice of our friend, Mike McKee, here:http://www.burtonsys.com/mike_advice.txtIV. FREE VIRUS REMOVAL AND PROTECTION TOOLS:The most common viruses/worms going around right now seem to beKlez/ElKern/Foroux, Bugbear, Magistr, Yaha/Lentin, Sircam, Goner,Badtrans, Qaz, and Hybris. There are free removal tools availablefor all nine of these, and for many other viruses.This site has a quite comprehensive list of virus removal tools:http://virusall.com/downrem.htmlSymantec/Norton has many free virus removal tools, including toolsfor removing Bugbear, Sircam, Goner, Badtrans, Hybris, Nimda, Qaz,Kriz, the most common Klez/ElKern variants, Yaha (Lentin), andseveral others (but not Magistr or CIH/Chernobyl), here:http://www.symantec.com/avcenter/tools.list.htmlMcAfee/NAI also has a few, here:http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.aspSophos also has some, including free Magistr, CIH/Chernobyl, andYaha/Lentin removal tools:http://www.sophos.com/support/disinfection/Gibson Research has a CIH/Chernobyl recovery tool, here:http://grc.com/cih.htmKaspersky has a free tool to remove Klez, Sircam and Goner, here:ftp://ftp1.avp.ch/utils/clrav.comCat Computer Services has free removal tools for Klez.h, CIH/Chernobyl,and some others, here:http://www.quickheal.com/othdown.htmNote: Klez.h (and some other Klez variants) are sometimes identifiedas Klez.gen.SRN Micro (Solo AntiVirus) and Prognet (Fire AntiVirus) are closelyrelated companies, with similer web sites but somewhat differentselections of free virus removal tools. They offer free tools toremove Klez, Badtrans, Sircam, Kriz, CIH/CHernobyl, Goner, and someothers, here:http://www.srnmicro.com/downloads/ orhttp://fireav.com/downloads/ orhttp://www.antivirus-download.com/downloads/BitDefender has free removal tools for Klez, Kriz, Magistr, Sircam,Qaz, Badtrans, and others, here:http://www.bitdefender.com/html/free_tools.phpTrend Micro has free removal tools for Klez, Goner (tool & instructions),and Sircam (tool & instructions); enter the virus name in the searchbox on their web site: http://www.trendmicro.comeScan/Microworld and F-Secure also have free Klez removal tools, here:http://www.mwti.net/form.asp?url=free.aspftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zipNote: there are many variants of Klez; the free removal tools mightnot remove all of them."The Cleaner" is a product which claims to be able to remove manykinds of worms & viruses, including Magistr. It has a 30 day freetrial period: http://www.moosoft.com/Also, one or more of the free general-purpose anti-virus packagescan probably remove your virus infection.Yes, you read that correctly! Some of the less well-knowngeneral-purpose anti-virus packages can be had for free, for homeuse. They appear to be very credible alternatives to the expensivebig two (Norton & McAfee):http://www.grisoft.com/http://www.frisk.is/f-prot/download/ (DOS version is free)http://www.free-av.com/Plus these, which require a web connection when you use them:http://www.pandasoftware.com/activescan/com/http://housecall.antivirus.com/http://security.norton.com/us/intro.asp?venid=sym&langid=usand some others listed at http://virusall.com/downscan.htmlPlus, many of the non-free anti-virus utilities have free 25-dayor 30-day demo versions or shareware versions available. Some areavailable at the manufacturers' web sites, such as NOD32 from Eset,and Solo AntiVirus from SRN Micro:http://www.nod32.com/scriptless/download/trial.htmhttp://www.srnmicro.com/downloads/evaluate/TrySolo.exeOthers are at the usual shareware web sites. E.g., Tucows hasdemos for F-Secure, Norton, Kaspersky, eScan, Panda, and others:http://www.tucows.com/system/virus95.htmlBut don't get "Admiral VirusScanner" or "In Vircible Anti virus"because they are "spyware" -- see the usual spyware list sites:http://www.spychecker.com/ & http://www.tom-cat.com/spybase/spylist.html(Note: "spyware" is similar to "scumware" -- you don't want it.)Note: Real anti-virus tools do not show up in your email mailboxas unsolicited file attachments. So don't be fooled! One of theKlez variants tries to induce you to run it by claiming to be anantidote to, of all things, the Klez.E worm/virus. It says: NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'.That is a lie. The email attachment is the virus/worm. Don't run it.V. FIREWALLS:Firewall programs are not really anti-virus tools, though they canhelp to prevent some kinds of virus infection. But they are usefulfor preventing other kinds of security problems, like having yourcomputer's hard disk drive accidentally appear in the MicrosoftNetwork Neighborhood of your neighbor down the road, who happens tohave a cablemodem like yours.Especially if you have an "always on" high speed DSL or cablemodeminternet connection, you should use some sort of firewall.Two very good, free (for personal use) firewalls for MS Windows are"ZoneAlarm" and "Tiny Personal FireWall," available here:http://www.zonelabs.com/products/za/http://download.cnet.com/downloads/0-10105-108-71881.html?tag=st.dl.10105.upd.10105-108-71881Both ZoneAlarm and TPFW are much better than some of the non-freefirewalls, such as "BlackICE Defender" and the Symantec/Nortonproduct. ZoneAlarm is probably easier to install than TPFW, butTPFW might be a bit more flexible, and is preferred by sometechnically savvy users.The best source of information for MS Windows users about Firewallsand related security issues is Steve Gibson's site:http://www.grc.com/Steve's "Shields Up" test can tell you whether your computer andInternet connection have the most common internet security "leaks."Testing your system is free, very easy, and well worth your time.Steve rates Windows firewalls here: http://grc.com/lt/scoreboard.htmVI. HOAXES:"Virus warning" emails which ask you to forward them on to lotsof other people are almost always hoaxes. Don't forward them.(This includes the sulfnbk.exe and jdbgmgr.exe virus hoaxes.)In fact, almost all emails which ask you to forward them on tolots of other people are untrue. Most are pure hoaxes, a few arepartially true, and almost none are entirely true.If you receive any message that asks you to forward it on tolots of other people, you can be almost certain that it is ahoax or a scam. I've seem 'em all: the virus warnings, theProctor and Gamble smears, the lost or dying child heartstring-tuggers, the MLM scams, the Madaline Murray O'Hair / FCCstory, the internet tax hoaxes, etc., etc.. They are all false.(Note: the email claiming to be a Klez antidote program isfalse, too. Running it will infect, rather than protect, yourcomputer; see above.)Only if such an email chain-letter references a verifiable,recognizable, on-line source for more information (such aswww.microsoft.com/something) should you even consider thepossibility that it might be true. Even then it probably is not.Of the hundreds of chain emails I've received over the last fewyears, only three were verifiably or probably true. (One of thetrue ones was a plug for the National Day of Prayer in 1999 or2000; the 2nd was a note from a Mrs. Lindsey Yeskoo aboutPresident Bush's personal prayer request which he shared with herwhen she met him briefly in Shanghai in October, 2001; the 3rdwas from an Amnesty International affiliate about the stoningsentence of a Nigerian woman named Amina Lawal.)Usually, the easiest way to verify that email chain-letters areuntrue is to look for them on one of the "hoax buster" web sites.Also, virus warning chain-letters can be checked on the usualvirus information web sites (Section I, above).Here are some "hoax buster" web sites for checking suspected emailhoaxes. I suggest bookmarking at least the first two of theselinks (if using Internet Explorer, add them to your "favorites"):http://www.truthorfiction.com/http://www.snopes.com/info/search/http://UrbanLegends.MiningCo.com/ http://www.breakthechain.org/http://hoaxbusters.ciac.org/http://www.truthminers.com/truth/http://www.hoax-slayer.com/One caution about snopes.com: They have a very comprehensiveand useful hoax database, but they also have a political slantthat, IMO, makes them a less reliable source of information aboutemails with political topics.VII. REMOVING THE KLEZ.H VIRUS:This section is for people whose computers are already infectedwith a Klez virus (probably Klez.H, which is also sometimesidentified as Klez.gen, Klez.G, or Klez.I). If, instead, youneed to find out the source of a Klez-infected email, see above.This is the Symantec/Norton info about this virus:http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.htmlThis is the Sophos info about this virus:http://www.sophos.com/virusinfo/analyses/w32klezh.htmlThis is the F-Secure info about this virus:http://www.f-secure.com/v-descs/klez_h.shtmlNote: Most people who get the Klez.H virus get it because theyare using an unpatched (buggy) version of Microsoft OutlookExpress to read email. So after you remove the Klez.H virus,be sure to follow the instructions above to install the latestMicrosoft fixes and setting changes for Outlook Express andInternet Explorer. Or delete Outlook Express from your computerand just use a Yahoo account for email! (For details about howthe Outlook Express/IE bug works, see microsoft_mime_bug.txt.)If you have an anti-virus tool like Norton Anti Virus ("NAV")but can't get it to install, the reason is probably that Klezis already running, and it blocks many anti-virus tools fromstarting. You might be able to get your AV tool to work if youshut down the computer, turn the power off, wait 30 seconds (toclear RAM memory), and then start up the computer in "safe mode"before trying to run the AV tool.Note: If you are running Windows Me or Windows XP, then youshould also disable its "System Restore" feature beforeshutting down. For how to do so under Win-Me, see:http://service2.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239For how to disable System Restore under Win-XP, see:http://service4.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039But the easiest way to remove the virus is probably to runone of the tools that is specifically designed to removethis particular virus. There are at least six differentfree Klez free removal available from various AV softwarevendors. Most are quite small, so you could downloadseveral of them onto a single diskette, and still have roomto spare.I don't know for certain which Klez removal tool is best,but www.techtips4u.com says that it is Symantec's:http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.htmlCat Computer Services has one which I'm told sometimes workseven when the Symantec and Kaspersky tools fail:http://www.quickheal.com/killklez.htmKaspersky also has a simple one (also available from F-Secure):ftp://ftp1.avp.ch/utils/clrav.com orftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zipI recommend that you download the Symantec/Norton tool, the CATComputer Services tool, and the Kaspersky tool onto a diskette,then write-protect the diskette and take it to the infectedcomputer. Then follow the instructions and run the Symantec toolfirst. If it fails then run the CAT tool. Then reboot and runthe Kaspersky tool to verify that the Symantec or CAT toolsuccessfully removed the virus.(For links to some other free Klez removal tools, seesection IV, above.)Note #1: if you have several computers networked together, thenyou need to first disconnect the network (or power-off thehub). Then run the virus removal tool on every Windowscomputer on your network before reconnecting the network.Otherwise, Klez is likely to immediately reinfect your freshly-disinfected computers, via your network.Then go back and read the rest of this document, so you canlearn how to avoid future virus infections!Note #2: I recommend that you back up your critical documentand data files before disinfecting your computer. I recentlyhelped someone remove Klez.H from her Windows-Me computer usingthe Kaspersky tool, and when she was done the computer would nolonger boot, not even in "safe mode." I think this is unusual,but to recover we had to boot Windows-Me from the InstallationCD, delete several files from the Windows system directory, andreinstall Windows-Me. (Her computer dealer had wanted to reformatthe hard disk drive!) She didn't end up losing any importantfiles, but recovering it cost us a lot of time and aggravation.BTW, to enable Win-Me to reinstall, the files we deleted from thec:\windows directory were user.dat, system.dat, classes.dat andwininit.ini, per http://www.techtips4u.com/ostt/installsafe.htmand http://www.servenet.com/ipiboard/archive010601/3927.html-Dave Burton <dburton@burtonsys.com>Burton Systems Software: http://www.burtonsys.com/Tel: 1-919-481-0149 Last modified: 04-Aug-2003 (version 73.1) Copyright © 2001-2002, Burton Systems Software. |
|
