eBlue, Sacra Blue Online Magazine
Jul 2002 — Issue 240
Virus of the Month Club

Ken Hopkins
Sacramento PC Users Group


Contact Information:
Ken Hopkins

I'm asking for someone to take over my column. It is a very odd thing for me to do, but I am. I have been trying to find someone to write a column such as this for quite a while and I thought that it might be easier if this column's next author knew what content and format Sacra Blue wants. Well, this is it. If you think you can continue this column, please let me know.

Virus of the Month Club

It seems that every month, there is some new deadly computer virus launched upon the world. The best protection is knowledge. If you know what is happening you can adapt accordingly. This column will highlight the new viruses and tell you how to avoid being infected.
E-Mail Viruses Top List
A report by anti-virus vendor Sophos put mass-mailing e-mail worms targeting 32-bit Windows (Win32) systems in all ten of its top 10 positions. Follow my "Protecting Your System" tips below to avoid getting infected by one of these.

Sophos also voices concern about some of the features appearing in new viruses. It expects some really nasty viruses in the near future, and it expects to have to change how its scanner looks for them.

Yaha – The Friendly Screensaver
Yaha arrives via e-mail with a forged return address: the address mentions the words share, friend, love, or screensaver, followed by a .com or .org domain. The subject may say "friendly screensaver" or mention the words friendship or love. The body text varies. The attached file may start with one of the following words: loveletter, resume, love, weeklyreport, goldfish, report, mountan, biodata, dailyreport, lovegreetings, or shakingfriendship.

The attachment uses a double extension: a decoy extension that suggests a harmless file type (WAV, DOC, MP3, BMP, JPG, GIF, TXT, XLS, HTM, MPG, ZIP, or DAT), followed by the real extension, which is one of .pif, .bat, or .scr. All three are run as programs when you open them, whatever the decoy in front of them says.
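The double-extension trick above is easy to screen for mechanically. The following is an added example, not code from the column or from Sophos: it classifies attachment names by their real (final) extension, flags the decoy-plus-executable pattern, and notes names that start with the Yaha stems listed in the column. The extension lists, the sample names and the verdict labels are this example's own assumptions; Windows Explorer hides known extensions by default, so a name like "loveletter.jpg.scr" is shown to the user as "loveletter.jpg", which is why the check must look at the last extension rather than the visible one.

```python
import re

# Extensions Windows runs as code when the attachment is double-clicked
# (assumed list; .pif, .bat and .scr are the ones the column names for Yaha).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta", "lnk"}

# Decoy extensions Yaha places in front of the real one (from the column).
DECOY_EXTS = {"wav", "doc", "mp3", "bmp", "jpg", "gif", "txt", "xls", "htm", "mpg", "zip", "dat"}

# Words Yaha's attachment names start with (from the column).
YAHA_STEMS = ("loveletter", "resume", "love", "weeklyreport", "goldfish", "report",
              "mountan", "biodata", "dailyreport", "lovegreetings", "shakingfriendship")


def classify_attachment(filename):
    """Describe why an attachment name is or is not dangerous.

    The real extension is the LAST one; everything before it is just part of the name.
    Segments are stripped because padding with spaces ("report.doc      .scr") is a
    common way to push the real extension out of a client's narrow attachment column.
    """
    parts = [p.strip().lower() for p in filename.split(".")]
    stem, exts = parts[0], [e for e in parts[1:] if e]
    final = exts[-1] if exts else ""
    executable = final in EXECUTABLE_EXTS
    double = executable and len(exts) >= 2 and exts[-2] in DECOY_EXTS
    yaha_name = stem.startswith(YAHA_STEMS)
    if executable:
        verdict = "block"          # directly runnable: never open it
    elif yaha_name:
        verdict = "check"          # matches the worm's naming, verify with the sender
    else:
        verdict = "allow"
    return {
        "name": filename,
        "final_extension": final,
        "executable": executable,
        "double_extension": double,
        "yaha_name": yaha_name,
        "verdict": verdict,
    }


def screen_attachments(filenames):
    """Return the names that must not be opened (verdict 'block')."""
    return [r["name"] for r in map(classify_attachment, filenames) if r["verdict"] == "block"]


# Constructed sample attachment names (not from a real message).
SAMPLE_NAMES = [
    "loveletter.jpg.scr",      # Yaha-style decoy + executable
    "budget.doc      .pif",    # spaces hide the .pif in a narrow column
    "weeklyreport.xls",        # Yaha stem, but a document rather than a program
    "holiday.jpg",
    "README",
]

if __name__ == "__main__":
    for r in screen_attachments(SAMPLE_NAMES):
        print("BLOCK:", r)
```

The classification is deliberately conservative: a name matching one of the Yaha stems but ending in a document extension is reported as "check" rather than "block", because documents can still carry macro viruses and the column's own advice is to verify any unexpected file with its sender.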

When it is executed, Yaha copies itself to the Recycle Bin and to the Windows directory under a random name with an .exe extension. The worm then modifies the registry so that it is run every time the computer is rebooted.

The worm tries to delete any anti-virus software it finds as well as any other processes that may be able to stop the worm. It then runs a screensaver that shakes the desktop screen and displays the following text messages: True Love never Ends, U r My Best Friend, or U r so cute today #!#!

Liac – Video Clip?
The W32.Liac.A@mm worm arrives as an attachment that looks like a video clip, in an e-mail that promises government secrets. After infecting a system, the worm mails copies of itself to all names in the Windows address book. It also displays the following message: "Error54: Media Player not installed correctly."

McAfee Attacked
McAfee is under attack by Network Associates, but it is not a virus attack. Network Associates is trying to take over McAfee.com by buying up all of the remaining stock. Network Associates already owns 75% of the company but wishes to acquire the remainder. The board of McAfee.com is asking shareholders to reject the offer.

Another Kazaa Worm
If you are using the Kazaa file-swapping network to get music or video files, you need to be aware of the KWBot worm (also known as the KowBot worm). KWBot is similar to the Benjamin worm that hit a couple of months ago.

When first executed, the worm copies itself to the Windows system folder as xplorer32.exe (a name chosen to look like the legitimate explorer.exe) and alters registry keys so that the copy is run each time Windows is started. It then offers itself on the Kazaa network disguised as a movie file or an application. The worm also opens a connection to an Internet Relay Chat (IRC) server that may give an attacker control of your computer. An up-to-date anti-virus program should detect and eliminate this worm.
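Both Yaha and KWBot persist by adding a registry entry that runs their copy at startup, and both hide in a plausible place (the Recycle Bin, or the system folder under a look-alike name). A quick way to review such entries is to export the Run keys with regedit and scan the export. The following is an added example, not code from the column or from any anti-virus vendor: it parses a constructed .reg export and flags values whose program runs from the Recycle Bin, imitates a Windows binary name (xplorer32.exe against explorer.exe), or has a random-looking name. The Run key paths are assumed as the persistence point (the column only says "modifies the registry"), and the list of imitated binaries and the naming heuristics are this example's own.

```python
import re

# Autostart keys to inspect. The Run keys are the usual persistence point;
# the column does not say which key Yaha or KWBot uses, so this is an assumption.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Windows binaries a dropper likes to imitate (assumed list).
WINDOWS_BINARIES = ("explorer", "svchost", "lsass", "services", "winlogon", "csrss")


def levenshtein(a, b):
    """Edit distance, used to catch near-miss names such as xplorer vs explorer."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_run_entries(reg_text):
    """Yield (key, value_name, exe_path) for each string value under a Run key."""
    key = None
    wanted = {k.lower() for k in RUN_KEYS}
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.lower() not in wanted:
            continue
        m = re.match(r'^(?:"([^"]*)"|@)="(.*)"$', line)
        if not m:
            continue                          # hex:/dword: values carry no command line
        value = re.sub(r"\\(.)", r"\1", m.group(2))   # undo .reg escaping of \\ and \"
        exe = re.match(r'^"?(.*?\.exe)', value, re.I)  # program path, without arguments
        if exe:
            yield key, m.group(1) or "(Default)", exe.group(1)


def triage_entry(exe_path):
    """Return the list of reasons an autostart program looks suspicious (empty if clean)."""
    reasons = []
    base = exe_path.rsplit("\\", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".exe") else base
    folder = exe_path.lower()
    if "\\recycler\\" in folder or "\\recycled\\" in folder:
        reasons.append("runs from the Recycle Bin")
    core = re.sub(r"\d+$", "", stem)          # drop a trailing "32" before comparing
    for known in WINDOWS_BINARIES:
        if core != known and levenshtein(core, known) <= 1:
            reasons.append(f"name imitates {known}.exe")
    if len(stem) >= 6 and not re.search(r"[aeiouy]", stem):
        reasons.append("random-looking name")  # heuristic: no vowels at all
    return reasons


def triage_reg_export(reg_text):
    """Scan a .reg export of the Run keys and return the suspicious entries."""
    findings = []
    for key, name, exe in parse_run_entries(reg_text):
        reasons = triage_entry(exe)
        if reasons:
            findings.append({"key": key, "name": name, "path": exe, "reasons": reasons})
    return findings


# Constructed .reg export (not from a real machine) in regedit's own format.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Windows Explorer"="C:\\WINDOWS\\System32\\xplorer32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qxzkwp"="C:\\RECYCLER\\S-1-5-21-1\\qxzkwp.exe"
"ZoneAlarm"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zonealarm.exe\""

"""

if __name__ == "__main__":
    for f in triage_reg_export(SAMPLE_REG):
        print(f"{f['path']}  ({f['name']} in {f['key']}): {', '.join(f['reasons'])}")
```

The name heuristics are meant for a manual review, not for automatic deletion: a legitimate program whose name happens to be one edit away from a Windows binary will be listed too, and the right follow-up for anything flagged is the column's own advice, an up-to-date scan with your anti-virus program.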

Protecting Your System
As viruses become more powerful, your defenses have to become more powerful too.

  • The first level of protection depends upon you. NEVER open an attachment that you get in your e-mail unless you know what it is. Often these attachments will install a virus on your system. It may not be apparent that it is doing harm at this point; it may do its harm much later (when you least expect it). The attachment may even do something useful while it infects you.
  • Be aware that a virus will probably come from someone you know who let their system become infected. Many of these viruses spread themselves by sending new messages to everyone in the victim's address book. The newer viruses have started using some of those addresses as the forged From: address, so the apparent sender may not be the infected person at all.
  • If you are planning to send files to someone, I recommend that you agree on a phrase that you include in the message to prove that it came from you. Ideally, this should be different for each person you are sending to, although that may be difficult to maintain. The phrase should not be one that would normally appear, like "here is the file I promised".
  • If you get an unexpected file that you are tempted to open, verify it with the sender first.
  • Update your Windows system. Lots of security holes have been found in the various versions of Windows, and each is a possible entry point into your system. Keep your system up-to-date by running Windows Update. If you deleted the icon, you can go to the Windows Update web site and click the link for the product updates. It will check your system and tell you which updates are available. Be sure to get at least the security updates.
  • Turn off the preview pane in Outlook Express. Most viruses require you to do something, but at least one virus has launched automatically when the message was merely viewed: just selecting the message so that it appeared in the preview pane also launched the virus.
  • Delete strange messages. If you suspect a message, delete it before reading it. Spam is pretty easy to detect from the subject and the From: and To: addresses. I do not know how many viruses come in on spam, but why take chances?
  • Some ISPs offer spam filtering services (such as EarthLink’s Spaminator) that filter out the spam so it never makes it to your inbox. They keep the mail in a special Web page for a couple of weeks in case there was something that you want to retrieve. I was amazed at the amount of spam being sent to my EarthLink address, considering I never provide that address to anyone.
  • Increase your security settings for e-mail. If you are using Outlook Express, go to Tools/Options and select the Security tab. Set the Internet Explorer security zone to "Restricted sites zone." This stops ActiveX controls and scripts from running out of e-mail messages, and you will get a warning each time a message tries to do so. There is no good reason to allow ActiveX in e-mail. If you use a different e-mail client, search for an equivalent setting.
  • Run a firewall. A firewall can hide your system from many intruders. This is even more important if you have a high-speed link, but it is valuable for any system. I recommend the free ZoneAlarm program, although there are lots to choose from. You have to hunt a little to find the free version on their web site, but it is still there. Keep this program up-to-date for better protection; a flaw was recently found in a different firewall, and you need to download the patch to complete your protection.
  • Use an anti-virus program and keep the definitions up-to-date. An anti-virus program can protect you when you do something stupid (like opening an attachment). I do not like all of the stuff some of the virus programs do and recommend turning off some of the options. I will detail that information in a future column.
I am not as hard core about anti-virus programs as others because I take the precautions I have just given. I do not run all the automatic checks that these programs wish to enable. I do a periodic manual check of my systems and always come up clean. I often run a check after something strange happens, just to eliminate a virus as a possible cause.

  • Use AdAware (found at Lavasoft USA) to identify and remove spyware from your system. Spyware typically arrives with free or advertising-supported programs and may be reporting your Internet activities back to its owners. AdAware is free, although they offer an enhanced version for a small fee ($15). I also like PestPatrol. The free personal evaluation version will detect many more items, but you have to register to have it remove anything. This program is available bundled with the Pro version of ZoneAlarm, and that may be the best way to get it.
  • If you are told to delete a file or something similar, do a search on the Internet for that filename to see if it is a hoax. Be especially wary when the message says that the anti-virus people cannot detect it.
  • In case you missed it the first time, DO NOT OPEN ATTACHMENTS. Opening attachments is how most of these viruses get into systems.

Virus writers are very busy these days. The best protection is knowledge. If you know what is happening you can adapt accordingly. This column highlights the new viruses and tells you how to avoid being infected.

Ken Hopkins is a software developer who writes mission critical applications, including security products. If you have comments or suggestions please send them to him at virus@hopkinscomputing.com. If you would like to write this column, let him know and he will help you learn enough to take over.

This page prepared by:

Brian Smither

Copyright © 2002 Sacramento PC Users Group, Inc. All rights reserved.