VIRUS ADVICE

This is some basic advice that I hope visitors with little knowledge of viruses might find useful. Although this is off topic for this website, I regularly receive infected emails from fans. Rather than continually putting advice in the visitor book, I have decided to maintain this page. This page contains all the advice that I can give. As I find useful resources elsewhere on the web, I will mention them here.

Related Topics: *NEW 3rd August 2002*

I occasionally get queries about related issues such as parasites and computer security. I am not going to provide much advice other than the very basics about these matters because I have little experience of these problems. I will however mention useful resources that I have come across. This subject is dealt with on the Parasites Advice page.

What does a virus do:

Different viruses do different things. Some will delete or corrupt files, some simply email other people in your address book or anyone whose email address was on a webpage you recently visited. Some are triggered on a particular date rather than straight away. Others aim to clog up the internet. Some aim to embarrass you (notably the sircam virus which chooses random files from your disk drive and emails them to other people).

Tips to avoid getting infected:

Get a virus checker and make sure that you regularly request updated virus definitions. This doesn't guarantee that you won't get a virus but significantly reduces the chances of it happening.

Most viruses arrive by email. The mail tools 'Outlook' and 'Outlook Express' are particularly prone. Viruses turn up as attachments to the emails. Usually, if you don't open the attachment then you won't get the virus. For this reason, turn off the preview option in your mail tool. Don't open any executable attachment, i.e. any file with .exe, .bat, .vbs, .scr or .pif on the end of the filename (note this may not be an exhaustive list).

Word and Excel attachments can also be infected. If you are not expecting these attachments then don't open them. Don't assume that the attachment is OK simply because it has been sent by a friend. A lot of viruses actually work by sending emails to those in your address book. If you are unsure, contact the sender but don't open it.

If the email is strange in terms of what it is saying then delete it. The Sircam virus, for instance, asks you for advice about the attachment as part of its message. Some viruses evolve, so over time the wording that gets passed on may change. So if you've heard a warning about a virus which uses a particular wording and you receive something that is different but similar, then chances are that it is the same virus.

Virus emails aren't just in English. I have for instance received the Snowwhite virus in French and the Sircam virus in Spanish. So if you receive an email in a language that you don't yourself use, delete it.

When deleting an email, make sure that it is also deleted from your 'Deleted Items'/trash can folder.

Another common way that a virus turns up is on CDs that come with computer magazines. Don't use these CDs unless you have a virus checker.

A very rare method of getting a virus is through visiting websites. I'm mentioning this because the latest big virus to hit the scene is the Nimda virus and this is one method by which you may be infected. Those with particular versions of Microsoft's Internet Explorer browser (5 and 6) are susceptible to this virus. You are strongly advised to visit the Microsoft website and make sure that you install the latest patches.

If you get a virus:

If you have virus protection software then get advice from the company that supplies it. There will be advice on their website.

If you don't have virus protection software then these companies often still provide, free of charge, tools for removing the virus, downloadable from their website.

The service provider that you use to get onto the web may also be willing to help you with advice.

The process of removing a virus often isn't simple and may involve the deletion of some files.

Virus protection software companies:

Norton

McAfee

Grisoft - Note Grisoft provides a free version for personal use for users from the UK and non-European users. The updates are usually monthly, which isn't ideal given how quickly viruses can spread, but it is certainly better than nothing.


UPDATE: 27/11/2001

Received a couple of emails infected with W32.Badtrans.B@mm in the last 24 hours - this virus involves emails with .doc, .mp3 or .zip attachments followed by .pif or .scr. In both cases opening the email (not the attachment) resulted in my email software crashing. This crashing is probably down to the particular combination of software that I am using. However, for those users with early versions of IE5, what is actually happening at this stage is that the virus is taking advantage of a weakness which means that it is executed automatically when the email is opened. To avoid this weakness, you need to install the latest patches available on the Microsoft website.

On the second occurrence, I had a quick look at the mail properties for clues to the identity of the virus. The filename of the attachment was 'ME_NUDE.MP3.SCR'. Other typical filenames and more detailed info that can aid identification can be found on http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html. Given the unusual symptoms of this virus I deleted the emails as quickly as possible without trying to find out the source email addresses.

A particular feature of this virus is that it installs a monitor that logs your keystrokes in an attempt to find security info such as passwords. If it detects such info, it emails the passwords etc to a variety of email addresses. So if you've been infected, as well as getting your infection removed, it is also wise to change any passwords etc. Again look at the above page for more detailed info.
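The filename pattern described above (a harmless-looking .doc, .mp3 or .zip followed by .pif or .scr) and the executable extensions listed in the tips section can be checked automatically before an attachment is ever opened. The following is an added example, not part of the original page; the function names and the sample message are constructed for illustration, and the extension lists are only the ones this page mentions.

```python
from email.message import EmailMessage

# Extensions the page lists as executable (it notes the list may not be exhaustive).
EXECUTABLE_EXTS = {".exe", ".bat", ".vbs", ".scr", ".pif"}
# Harmless-looking extensions the page says Badtrans.B places before .pif/.scr.
DECOY_EXTS = {".doc", ".mp3", ".zip"}


def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(msg):
    """List (filename, verdict) for every attachment that should not be opened."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and classify_filename(name) != "ok":
            findings.append((name, classify_filename(name)))
    return findings


def build_sample():
    """Constructed sample message; the attachment bodies are dummy bytes."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "me@example.com"
    msg["Subject"] = "Re:"
    msg.set_content("Take a look at the attachment.")
    for name in ("ME_NUDE.MP3.SCR", "holiday.jpg", "setup.exe", "notes.doc"):
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

A clean result only means the filename is not one of these patterns; Word and Excel attachments that pass this check can still be infected, as noted in the tips above.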


UPDATE: 26/05/2002

A quick warning to everyone about the W32.klez.gen@mm - I've been getting quite a few infected emails the last couple of days. Again it involves emails with attachments. Fans are reminded that you need to make sure that you keep up to date with the latest patches available on the Microsoft website. More info on this virus is available at http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html


UPDATE: 02/06/2002

The virus that is most frequently hitting my inbox at the moment is variations on the virus mentioned above. W32.klez.h@mm turns up in many forms -an email with the subject line of 'the Garden of Eden' is one. Another one which I'll mention because it is bound to catch more people out, has 'Worm Klez.E immunity' as the subject line and a message of :

Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

Don't open this email. More info at http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

In fact, in general I would recommend that you delete any email that claims to provide a patch or a tool for immunity to a virus - there is an increasing trend for viruses to use this form of email. Again, these emails in most cases are going to come from an infected friend's or contact's computer.

Also be very careful about emails that would seem to come from a software provider. There has for instance been an email that looks like it comes from Microsoft claiming to have a general purpose security patch as an attachment. Firstly Microsoft would never send out such emails -they generally expect you to find out such things from their website (or in the case of XP, through the 'Help and Support Centre' Windows Update which depending on which options you set, could be done automatically for you). Even if a software provider did take to emailing you to inform you of these things, they would never provide it as an attachment to the email.

On a similar theme, there is a false virus email which basically advises the reader to remove the file jdbgmgr.exe from their PC. This is a hoax - this file should not be deleted. This is such a large problem that Microsoft mention it on their homepage. If you have deleted the file, then go to http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322993& for further info and advice about recovery of the file.


UPDATE: 08/07/2002

I've had several emails today infected with the W32.Yaha.F@mm virus. It's the same sort of thing that I've mentioned lots above, i.e. it comes as an attachment and can be avoided by keeping your patches up to date. However at least one looked like it might have been a legitimate business enquiry, so take care...


UPDATE: 08/09/2003

I've received lots of emails lately infected with the sobig F virus. It's the same sort of thing that I've mentioned lots above, i.e. it comes as an attachment and can be avoided by keeping your patches up to date. However, whereas in most cases it's a courtesy to send an email back to let the person know that they've got a problem, in this case the virus spoofs the 'from' email address so it's probably the email address of an innocent person.