Thousand Oaks Personal Computer Club

This was a topic during the Q&A session of our May 23, 2002 meeting. After each virus, you'll see a link to "details". This is a link to the detailed description on the Norton/Symantec web site.

1) Easy to Recognize Viruses

The subject is always the same, the body of the message is always the same, and the attachment is always the same, or from a small list of filenames.

W95.Hybris.Gen - "Snowhite and the Seven Dwarfs" (details)

From: Hahaha@sexyfun.net
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Message: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: varies, but usually one of these: sexy virgin.scr, dwarf4you.exe, joke.exe, midgets.scr (and about 5 more)

Notice all the misspellings and the bad grammar? A lot of viruses will have misspelled words and bad grammar.

VBS.SST@mm - "AnnaKournikova" (details)

From: the person whose computer is infected
Subject: Here you have, ;o)
Message: Hi: Check This!
Attachment: AnnaKournikova.jpg.vbs

Notice how the attachment name ends in jpg.vbs? If your computer is set up to "Hide file extensions for known file types", then you may not see the "vbs" part. You may only see the "jpg" extension and think it's a picture file.

To make sure you see all extensions, open up Windows Explorer or My Computer, click on the "View" menu, and select "Folder Options". Click on the "View" tab and take the check mark out of the box that says "Hide file extensions for know file types".

2) Harder to Recognize Viruses

These viruses have a random subject and attachment. When someone's computer gets infected, the virus randomly picks files on the person's hard drive, infects the file, and attaches it to the e-mail. It may pull some text from the file and insert it into the subject line. However, the body of the message may be the same all the time.

Many viruses try and send themselves to everyone listed in your e-mail address book. A few will scan files on your hard drive looking for e-mail addresses to send to.

W32.Sircam.Worm (details)

From: the person whose computer is infected
Subject: random - the filename of the attachment
Message: Hi! How are you? I send you this file in order to have your advice. See you later. Thanks
Attachment: random - a file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to it.

The Sircam worm can spread itself either by e-mail, or by shared drives on a network. It will search for shared folders and copy itself to them. To protect yourself at work (or at home if you have a home network), password-protect shared folders. Or, make them read-only if you can.

W32.Badtrans.B@mm (details)

This virus is hard to recognize because the body of the message may be blank. If a computer gets infected, the virus will try and find all unread mail and reply to it. This means that it may get sent to people that are NOT in your address book.

From: the person whose computer was infected, or the virus will pick from a list of about 15 e-mail addresses including "Support", "Admin", or "Administrator"
Subject: Often, it's just "Re:"
Message: blank.
Attachment: A filename from a list of about 16. Some of the filenames are CARD, ME_NUDE, YOU_ARE_FAT!, DOCS, HUMOR, FUN, and New_Napster_Site. After the filename will be two extensions. The first will either be .doc, mp3, or .zip and the second will be .pif or .scr.

3) Even Harder to Recognize Viruses

These viruses pick a random subject, random message, and random attachment. They may come from someone you know and you might think they are legitimate e-mails.

W32.Magistr (details)

There are several varieties of this virus. The virus may pick a document file from the infected computer and insert some of the text into the e-mail message. It may send confidential information this way. This virus will use Netscape, Outlook, or Outlook Express address books.

From: the person whose computer was infected.
Subject: Randomly generated
Message: Taken from a document on the infected computer.
Attachment: One randomly named infected executable, and one or more randomly selected text or document files.

4) Really Bad Viruses!

The most recent really bad virus is Klez. When a computer gets infected, it searches not only the address book, but other files on the hard drive that may contain e-mail addresses. Then, it e-mails itself off, but substitutes someone else's name in the "From:" field.

For example, Sam Smith's computer gets infected. The virus finds e-mail addresses for "Mary May" and "Jenny Jones" on Sam's computer. The virus sends an infected e-mail to Jenny Jones, but puts Mary May's e-mail address in the "From" field. Jenny gets the infected e-mail and calls Mary up on the phone saying that she got a virus-infected e-mail from her. But, it didn't come from Mary. It really came from Sam. This is known as e-mail address spoofing.

There are many variations of the Klez virus. It can also be transmitted via shared folders.

W32.Klez (details)

From: not the person it really came from!
Subject: Random, but could be from the list on the next page.
Message: often blank, but may not be. See the next page for possible messages
Attachment: a randomly named infected file, and one other file from the hard drive. It could be a picture, web page, Word document, or other file. It might be a confidential file.

This virus may also spread to shared network folders. If you see a lot of strange files in your shared folder ending in ".rar", it's probably the virus. Password-protect your shared directory and delete the files.

Klez - List of possible subjects:

Klez - List of possible messages (if not blank):

5) Don't believe everything you get!

Here's an article I found on ExtremeTech (www.extremetech.com) about a very bad variation of the Klez virus. This would be especially dangerous if a computer in a company's IT department got infected, and everyone started receiving e-mails from the network administrator telling you to run this Klez immunity program!

Worm Writers Get Wormier

April 24, 2002
By: Mary E. BehrPC Magazine

Most viruses and worms, although wantonly destructive, are technologically clever. Today many are all that and more: They are a marvel of social engineering.

Consider an e-mail a PC Magazine staffer recently received at his personal account. The subject was "Worm Klez.E immunity." Klez.E was a very malicious worm that was first detected in January. The body of the message was the following:

Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic, most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once, and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm, some AV monitor maybe cry when you run it. If so, Ignore the warning, and select 'continue'. If you have any question, please mail to me.

The attached "tool" was none other than Klez.H, the latest variant Worm_Klez.A, which was initially encountered in October 2001. According to MessageLab's VirusEye (www.messagelabs.com/VirusEye/), at 9:21 A.M. Wednesday, April 24, the online e-mail security provider had encountered nearly 24,000 Klez.H infections in the past 24 hours. By comparison, Klez.E, the last version, was down to 1,065 infections.

As with most worms and viruses these days, Klez.H exposes another social foible--that people are lax about staying up to date on security patches. It's important to note that updated versions of Microsoft Outlook and Outlook Express are immune to the worm. See Microsoft's Windows Update (www.windowsupdate.com) and Office Update (http://office.microsoft.com) for the latest patches for your e-mail software.

Perverse propagating is not the only thing Klez.H is about. The worm modifies the system Registry to ensure that it loads at startup and goes about infecting EXE files, deleting antivirus files, and overwriting files. It also has the ability to infect a network through shared folders or drives.

The good news is that all major antivirus packages seem to catch Worm_Klez.H-- despite any e-mail message to the contrary.

6) Virus Hoaxes

Virus hoaxes are not real viruses. A hoax will generate a lot of network traffic because everyone is forwarding the warning to everyone else. The traffic it generates may be just as bad as a real virus. How to spot a hoax virus alert:

• Has the virus alert you received been forwarded a zillion times?
• Does it urge you to send it to EVERYONE you know, as fast as possible?
• Does it say that it will erase everything on your hard drive?
• Does it say that Microsoft, AOL, Intel, CNN, etc. just announced it yesterday?
• Is it on the list of virus hoaxes at Symantec, McAfee, or another web site that lists hoaxes?

If you answered "yes" to more than one of the above (especially the last one!), it's probably a hoax. Do not forward it until you check a hoax list.

Caution: There is one virus hoax that may cause you to mess up your own computer! It's called the SULFNBK.EXE Warning. It warns you that if you find this file on your computer, you should delete it immediately. Don't delete it! It's a necessary Windows file for displaying long file names. If you follow the instructions and delete this file, you may have problems with your computer!

Just Reported 4/12/2002: The Jdbgmgr.exe file hoax. It tells you to delete a file called Jdbgmgr.exe. Don't do it!

7) Practicing Safe E-Mail

• Don't open e-mail attachments unless you are absolutely sure what it is and you are expecting the file. If in doubt, call or e-mail the person back and ask them if they meant to send it to you.
  
• If you send a file to someone else, be courteous and let them know what it is and the filename. Don't just say "Check this out!", especially around the holidays when everyone is sending animated Christmas cards etc.
• Don't assume that your virus checker will catch every virus. When a brand new virus is discovered, it may be several hours before virus definitions are available. Then, you'll need to download them to be protected. If you only update your virus definitions once a week, you won't be protected against new viruses.
• Keep your virus definitions up-to-date. When you purchase anti-virus software, you have a subscription, usually 1 year. At the end of the year, you have to renew the subscription so that you can continue getting updated definition files.
• Use real-time protection. If you don't, you may not catch viruses before they do damage.

Tips on Protecting Yourself from Computer Viruses

• If you send a file to someone else, be courteous and let them know what it is and the filename. Don
• Keep your virus definitions up-to-date. When you purchase anti-virus software, you have a subscription, usually 1 year. At the end of the year, you have to renew the subscription so that you can continue getting updated definition files.
• Use real-time protection.

For examples of some common e-mail viruses, see our article on Virus Information.

Just for Fun - Is Windows a Virus?

No, Windows is not a virus. Here's what viruses do:

1. They replicate quickly -- okay, Windows does that.
2. Viruses use up valuable system resources, slowing down the system as they do so -- okay, Windows does that.
3. Viruses will, from time to time, trash your hard disk -- okay, Windows does that, too.
4. Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too.
5. Viruses will occasionally make the user suspect their system is too slow (see 2) and the user will buy new hardware. Yup, that's with Windows, too.

Until now it seems Windows is a virus but there are fundamental differences: Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient and they tend to become more sophisticated as they mature.

So, Windows is not a virus.

Articles - Table of Contents