
Virus of the Month Club
Ken Hopkins Sacramento PC Users Group
Contact Information:
Ken Hopkins
For me to ask for someone to take over my column after writing the very first few articles is very odd. But I am. I have been trying to find someone to write a column such as this for quite a while and I thought that it might be easier if this column's next author knew what content and format Sacra Blue wants. Well, this is it. If you think you can continue this column, please let me know.
Virus of the Month Club
It seems that every month, there is some new deadly computer virus launched upon the world. The best protection is knowledge. If you know what is happening you can adapt accordingly. This column will highlight the new viruses and tell you how to avoid being infected.
Not a lot of new stuff this month but there were lots of reports of activity. People are not taking precautions to keep these pests out of their computers.
Klez is King
The Klez.h has continued to spread through the Internet. It was reported to account for 96 percent of all viruses for May. I have seen fewer instances in my own mail so maybe it is slowing down. This one is a real pain to clean up—you do not want it to take root in your system. If you take the precautions I recommend each month, it will not get you.
Shakira Fans Beware
A new attempt to trick people into launching a virus uses the name of the Grammy-winning Colombian rock star, Shakira. This one is not destructive and just sends e-mail. The Shakira worm arrives as e-mail with the subject line "Sharkira pics." The body text is "Hi :i have sent the photos via attachment have funn..." The attached file is shakirapics.jpg.vbs. If you open the attached file, the worm copies itself into the Windows folder as shakirapics.jpg.vbs, then makes a few changes to the Registry so that it loads and keeps itself from spreading twice.
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached VBS file in Shakira. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated anti-virus software. You may also disable the Windows Scripting Host on your computer to further thwart Shakira.
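The trick in shakirapics.jpg.vbs is the double extension: with file extensions hidden, Windows shows the name as a picture while the final .vbs decides how it runs. The following is an added example, not part of the original column, showing how a mail filter could flag such attachment names; the extension lists, function names and sample messages are assumptions constructed for illustration, and the check goes beyond .vbs to other executable types.

```python
import email
import email.policy
import os
from email.message import EmailMessage

# Extensions Windows runs or hands to a script host (assumed, non-exhaustive).
RISKY_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
              ".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}
# Harmless-looking extensions often used as the decoy middle extension.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    cleaned = name.strip().rstrip(". ").lower()
    stem, last = os.path.splitext(cleaned)
    if last not in RISKY_EXTS:
        return "ok"
    _, middle = os.path.splitext(stem)
    return "double-extension" if middle in DECOY_EXTS else "executable"

def scan_message(raw_bytes):
    """Parse a raw e-mail and list (filename, verdict) for risky attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_filename(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings

def build_sample(filename):
    """Build a constructed test message; the attachment body is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("Constructed sample body.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fname in ("shakirapics.jpg.vbs", "holiday.jpg"):
        print(fname, "->", scan_message(build_sample(fname)) or "ok")
```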
Scams
The government has published a report about Internet scams. The highest per incident loss was $5,575 for victims of the Nigerian e-mail fraud. I found it interesting that 59 people admitted losing money to that particular scam.
Breakthroughs in Viruses
These are not good breakthroughs. The virus writers have learned new tricks. I guess the anti-virus software was getting too good with the standard stuff so they had to make something new.
A new virus, Simile.D, has the capability to infect both Windows and Linux systems. As an added twist, it randomizes the size of the virus that is sent out. This one is not particularly harmful but when this technique is applied to a dangerous virus, it will be a mess.
A report came through of a proof-of-concept virus that infects through image files like sounds and pictures. I was concerned until I saw that it required a special reader to do its job. I feel that the reader is the infection and is something that the virus detector can find. If image files could really be infected, virus scans would take a lot longer (especially on my MP3 computer).
Worms for Profit?
The Frethem worm, in circulation in the U.S. and Europe, is spreading via e-mail and a flaw in Internet Explorer. This worm does not do any real damage. It just tries to connect you to some Web sites. This is an attempt to drive up their page counts (presumably to get paid advertising revenue). The worm has many variants and arrives with a subject line: "Re: Your password!" The attachment is Decrypt-password.exe.
Lame Copy Protection
The copy protection being put onto music CDs by the music companies has been broken by non-technical means. The copy protection puts a special data track as the first track on the CD. Music players ignore this track; computers see it as data. The reports I see say that simply taking a felt tip marker and drawing on the CD in some special way will cause the computer to skip the data track and go right to the music. I do not like the protection but I like the cure less. I am sure there will be a software solution soon.
Protecting Your System
As viruses become even more powerful, you must make your defenses even more powerful.
- The first level of protection depends upon you. NEVER open an attachment that you get in your e-mail unless you know what it is. Often these attachments will insert a virus onto your system. It may not be apparent that it is doing harm at this point; it may do its harm much later (when you least expect it). The attachment may even be useful.
- Be aware that viruses will probably come from someone you know who let their system become infected. Many of these viruses spread themselves by sending new messages to everyone in your address book. The new viruses have started using some of these addresses as the from address.
- If you are planning to send files to someone, I recommend that you agree on a phrase that you include in the message to prove that it came from you. Ideally, this should be different for each person you are sending to, although that may be difficult to maintain. The phrase should not be one that would normally appear, like "here is the file I promised".
- If you get an unexpected file that you are tempted to open, verify it with the sender first.
- Update your Windows system. There have been lots of security holes found in the various versions of Windows that are possible entry points into your system. Keep your system up-to-date by running Windows Update. If you deleted the icon, you can just go to Windows Update and click the link to get you the product update. It will check your system and tell you which updates are available. Be sure to get at least the security updates.
- Turn off the preview pane in Outlook Express. Most of the viruses require you to do something, but at least one virus has been launched automatically when the message was viewed. Just pointing to the message and previewing the message also launched the virus.
- Delete strange messages. If you suspect a message, delete it before reading it. Spam is pretty easy to detect from the subject and the from: and to: addresses. I do not know how many viruses come in on spam, but why take chances?
- Some ISPs offer spam filtering services (such as EarthLink’s Spaminator) that filter out the spam so it never makes it to your inbox. They keep the mail in a special Web page for a couple of weeks in case there was something that you want to retrieve. I was amazed at the amount of spam being sent to my EarthLink address, considering I never provide that address to anyone.
- Increase your security settings for e-mail. If you are using Outlook Express, go to Tools/Options and select the security tab. Set the Internet Explorer security zone to "Restricted sites zone." This will protect you from ActiveX functions running from e-mail. You will get a warning each time a bad e-mail tries to get through. There is no good reason to allow ActiveX in e-mail. If you use a different e-mail client, search for an equivalent setting.
- Run a firewall. A firewall can hide your system from many intruders. This is even more important if you have a high-speed link, but it is valuable for any system. I recommend the free ZoneAlarm program, although there are lots to choose from. You have to hunt a little to find the free version on their web site but it is still there. Keep this program up-to-date for better protection; a flaw was recently found in a different firewall and you need to download the patch to complete your protection.
- Use an anti-virus program and keep the definitions up-to-date. An anti-virus can protect you when you do something stupid (like opening an attachment). I do not like all of the stuff some of the virus programs do and recommend turning off some of the options. I will detail that information in a future column.
I am not as hard core about anti-virus programs as others because I take the precautions I have just given. I do not run all the automatic checks that these programs wish to enable. I do a periodic manual check of my systems and always come up clean. I often run a check after something strange happens, just to eliminate a virus as a possible cause.
- Use AdAware (found at Lavasoft USA) to identify and remove spyware from your system. These are typically programs that are free or advertising-based and may be reporting your Internet activities back to the owners. This program is free although they offer an enhanced version for a small fee ($15). I also like PestPatrol. The free personal evaluation version will detect many more items but you have to register to have it remove anything. This program is available bundled with the Pro version of ZoneAlarm and that may be the best way to get it.
- If you are told to delete a file or something similar, do a search on the Internet for that filename to see if it is a hoax. Be especially wary when they say that the anti-virus people cannot detect it.
- In case you missed it the first time, DO NOT OPEN ATTACHMENTS. Opening attachments is how most of these viruses get into systems.
Virus writers are very busy these days. The best protection is knowledge. If you know what is happening you can adapt accordingly. This column highlights the new viruses and tells you how to avoid being infected.
Ken Hopkins is a software developer who writes mission critical applications, including security products. If you have comments or suggestions please send them to him at virus@hopkinscomputing.com. If you would like to write this column, let him know and he will help you learn enough to take over.