Virus Information
Some people have absolutely nothing better to do!!!
But actually, most viruses (the older ones at least) start out as jokes to play on people. Then they get modified to do something else and they end up being bad jokes.
Today though, I think most of these email viruses are made by the spammers in order to collect addresses.
I don't care how careful you think you are, if your PC connects to the internet, has a floppy drive, or has a CD drive...then you must have an anti-virus package. Now just because you have an anti-virus package, do not think you are protected...update it daily or every time you get on the computer...whichever comes first.
Links
Is your Anti-virus software acting up?
Can't uninstall and reinstall?
Norton Removal Tool -
I need help removing one NOW!
- If you got a really "good" virus (by that I mean some viruses have a lot of different countermeasures in them to make sure they survive, and can actually shut down or prevent the install of an anti-virus package), then you need to download Stinger from http://vil.nai.com/vil/averttools.aspx.
- Then find an "online" scanner, one that doesn't require you to actually install something.
- Then get an anti-virus package that has "real-time" protection (monitors all files being opened on your PC) and keep it UPDATED.
- Tools
- Online Scanners
- Free AV
Virus Specific fixes
Zlob-media codec infections
- System tray time has “VIRUS ALERT!” next to the time.
- System Properties general tab has “VIRUS ALERT!” where the Product key should be.
[HKEY_CURRENT_USER\Control Panel\International]
"sTimeFormat"="h:mm: VIRUS ALERT!"
Then go into “Regional Date/Time settings…” in Control Panel.
The ProductID that was modified here is under:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"="XXXX-XXX-XXXXXXX-XXXXX"
***Note, this is not your Product Key used to install Windows!
To retrieve your Product ID and restore it for the above key/value, you can find it under the next value in the registry as well:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductId"="XXXX-XXX-XXXXXXX-XXXXX"
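A quick way to check a machine for the two registry changes described above. This is an added example, not part of the original page: it assumes the three keys were exported to text with regedit, and the sample export, function names and ProductId strings are constructed placeholders.

```python
import re

# Constructed .reg export showing the tampered values; IDs are placeholders.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Control Panel\International]
"sTimeFormat"="h:mm: VIRUS ALERT!"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"="VIRUS ALERT!"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductId"="XXXX-XXX-XXXXXXX-XXXXX"
'''

INTL_KEY = r"HKEY_CURRENT_USER\Control Panel\International"
NT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
WIN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"

def parse_reg(text):
    """Map (key, value name) -> string data from .reg export text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1)
            continue
        entry = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if entry and key:
            # Registry key and value names are case-insensitive.
            values[(key.upper(), entry.group(1).upper())] = entry.group(2)
    return values

def zlob_symptoms(text):
    """Return findings for the two changes the page describes."""
    values, found = parse_reg(text), []
    fmt = values.get((INTL_KEY.upper(), "STIMEFORMAT"))
    if fmt is not None:
        # A time picture holds only h, H, m, s, t, separators and 'quoted' text.
        extra = re.sub(r"'[^']*'|[hHmst:. ]", "", fmt)
        if extra:
            found.append("sTimeFormat contains extra text: %r" % fmt)
    nt_id = values.get((NT_KEY.upper(), "PRODUCTID"))
    win_id = values.get((WIN_KEY.upper(), "PRODUCTID"))
    if nt_id is not None and win_id is not None and nt_id != win_id:
        found.append("ProductId differs: %r vs %r" % (nt_id, win_id))
    return found
```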
Rootkits
What? What the heck is that?
According to Wikipedia - http://en.wikipedia.org/wiki/Rootkit
A rootkit is a set of software tools frequently used by a
third party (usually an intruder) after gaining access to a computer system.
These tools are intended to conceal running processes, files or system data,
which helps an intruder maintain access to a system without the user's
knowledge. Rootkits are known to exist for a variety of operating systems
such as Linux, Solaris and versions of Microsoft Windows. A computer with a
rootkit on it is called a rooted computer.
The word "rootkit" came to public awareness in the 2005 Sony
CD copy protection controversy, in which Sony BMG music CDs placed a rootkit
on Microsoft Windows PCs.
But the biggest thing about them is:
The rootkit (which can intercept anything) can actually "hide" files from the OS (or at least from you seeing them). This is not by just setting the attributes; they do some low-level stuff and just don't show them...even at the DOS prompt...
Rootkit Revealer (but it only shows you the files are there)
Blacklight (it's beta and only works till March)
I need to track where an email virus came from
How to figure out where it came from
You need to look at the "headers" of the email, the information that is hidden and tells you everything about the email, like what machine it came from, what server it came through...and a bunch of other trackable information.
- Outlook Express - open the message, go to "File", "Properties", "Details" tab.
- Outlook - open the message, go to "View", "Options", "Internet Headers" (at bottom of window).
Look for the "Received: from" line; there will probably be multiple of these lines, 1 for every mail server hop it made. Look for the very last one before the Date, From, Subject.
This line might contain something that looks like a machine name (like OWNER) and a server domain name (like ATL.SOMECOMPANY.COM) and an IP address in brackets (like [22.123.222.99]). So, in this case the message came from a PC called OWNER from the Atlanta office (just a guess at the ATL of SomeCompany).
Example:
Received: from ownerxp(rrcs-22-123-222-99.central.biz.rr.com[22.123.222.99]) by youremailserver.com
This example shows a machine named "ownerxp" on the Business RoadRunner network (good guess at the biz.rr) sent this email. Trace routing this address will give you more of a clue where this business might be located geographically.
Sometimes the server domain name won't point you to the direct company, so take the IP address (the one in brackets) and use the tools below to trace route where it actually came from. Trace routing an IP might not get you all the way to a noticeable company name (usually stopping at a firewall), but with some abbreviation resolution and watching where the hops go you can get pretty close.
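The header walk described above, as an added example that is not part of the original page: it pulls every "Received: from" line out of a message, splits out the machine name, server name and bracketed IP, and returns the bottom-most hop. The sample message and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: one relay hop above the originating hop from the page.
SAMPLE = """\
Received: from mx2.youremailserver.com (mx2.youremailserver.com [192.0.2.10])
\tby mail.youremailserver.com; Mon, 3 Jan 2005 10:15:02 -0500
Received: from ownerxp (rrcs-22-123-222-99.central.biz.rr.com [22.123.222.99])
\tby youremailserver.com; Mon, 3 Jan 2005 10:15:00 -0500
Date: Mon, 3 Jan 2005 10:14:58 -0500
From: someone@example.com
Subject: Your document

body
"""

# "from <claimed name> (<reverse-DNS name> [<IP>])"; the spaces are optional.
HOP = re.compile(
    r"from\s+(?P<helo>[^\s(]+)\s*\(\s*(?P<rdns>[^\s\[\])]*)\s*\[(?P<ip>[^\]]+)\]"
)

def parse_hops(raw):
    """Return one dict per parsable Received header, top to bottom."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        text = m["ip"]
        if text.lower().startswith("ipv6:"):     # "[IPv6:2001:db8::1]" form
            text = text[5:]
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue                             # not an address, skip the hop
        hops.append({"helo": m["helo"], "rdns": m["rdns"] or None,
                     "ip": str(ip), "public": ip.is_global})
    return hops

def origin_hop(raw):
    """Bottom-most Received line: the first hop the message made."""
    hops = parse_hops(raw)
    return hops[-1] if hops else None

if __name__ == "__main__":
    print(origin_hop(SAMPLE))
```

The machine name is whatever the sending PC claimed, and any Received line not written by your own mail server can be forged, so the bracketed IP recorded by your own server is the part to trace. If "public" is False the address is a private or reserved one and trace routing it will not lead anywhere.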
Tools
- Trace Route and other cool tools - www.dnsstuff.com (awesome tool that looks up an IP on every different kind of black list out there)
- www.tracert.com - some of the servers don't work
- tracert stops at a big-ole-named firewall, look here for abbreviations - http://www.sarangworld.com/TRACEROUTE/showdb.php
- look up a domain name - http://www.networksolutions.com/en_US/whois/ or use the above dnsstuff, but Network Solutions is like the originator of controlling domain names.
My Internet start page always goes to some site I didn't set
If every time you open Internet Explorer (browser) the start page goes to some page you never even heard of, and you set it to something useful and it changes back...this is called a Hi-Jacking or Start Page Virus. In its original creation, I think it was designed as an advertising thing, kinda like popups...but the stupid thing is so annoying that they are really being considered a virus of sorts. Some of the anti-virus packages have protection against "Start Page Viruses".
Email Viruses
Q. Who really has the virus?
A. Usually it is someone that the person it came from and the person it went to have in common. Now that could be a colleague, friend, family member, or someone you responded to.
The majority of email viruses run a little program on your system that goes through the files on your computer looking for email addresses. Once it makes its list, it starts sending itself from someone in that list to someone in that list...not necessarily from the person whose machine the virus is running on.
Q. Will I see them in my "outbox"?
A. Not necessarily.
Some of the viruses use their own "send mail" (SMTP) functions; in other words, they really don't use your Outlook or Outlook Express to send themselves.
The older email viruses used your email client (software, i.e. Outlook Express) and you could actually see all the people it sent itself to.
Q. How do I protect my email from viruses?
A. Have a virus protection package that actually checks incoming and outgoing mail.
Most of the newer anti-virus packages have built-in mail client plug-ins, so that when you send/receive it scans messages.
Outlook also has a feature built in that will warn you when another application is trying to use it to send messages.
Tips
- update your virus defs on your home PCs, especially if you are corresponding with other internal people at your work via email or sending things to your home account.
- tell your friends to keep their virus definitions updated
- make it a habit that every time you turn on your home PC, you either update your virus defs immediately or check to see if they have been updated within the last 2 days.
- be very leery of email attachments; some attachments look really legitimate. Some even have a really long filename so you don't see the type of file it is, like so:
"YourDocument.doc                                        .scr" , notice the scr is way over to the right.
- tell your friends to BCC you in emails, that way your address is not somewhere on those 50 people's computers. (read previous section on email viruses)
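A filter for the padded-filename trick from the attachment tip above, as an added example that is not part of the original page. The extension lists and the function name are illustrative assumptions, not a complete blocklist.

```python
import re

# Extensions Windows runs directly; an illustrative list, not exhaustive.
EXECUTABLE = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Extensions the visible part of the name commonly imitates.
DECOY = {"doc", "xls", "pdf", "txt", "jpg", "zip", "mp3"}

def inspect_attachment(filename):
    """Return a list of reasons the attachment name looks disguised."""
    reasons = []
    name = filename.strip().rstrip(".")   # Windows drops trailing dots/spaces
    stem, dot, real_ext = name.rpartition(".")
    real_ext = real_ext.lower()
    if not dot:
        return reasons                     # no extension at all
    if real_ext in EXECUTABLE:
        reasons.append("executable extension ." + real_ext)
    # A run of whitespace before the real extension pushes it out of view.
    pad = re.search(r"\s{3,}$", stem)
    if pad:
        reasons.append("%d whitespace characters hide the extension"
                       % len(pad.group()))
    # What is left after removing the padding is what the user reads.
    shown = stem.rstrip()
    shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
    if shown_ext in DECOY and real_ext in EXECUTABLE:
        reasons.append("shown as .%s but runs as .%s" % (shown_ext, real_ext))
    return reasons

if __name__ == "__main__":
    # Constructed name modelled on the page's example.
    print(inspect_attachment("YourDocument.doc" + " " * 40 + ".scr"))
```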
Myths
- just because you have virus protection doesn't mean you're protected - it has to be UPDATED frequently (almost twice a day)
- just because you have a "firewall" or Cable/DSL Router doesn't mean you are protected - a firewall just stops people from seeing your PC easily from the outside
DO NOT be naive
DO NOT be naive about viruses, thinking that you never open anything that looks suspicious, because with some of them all you have to do is highlight them and it activates some code.
Anti-Virus Software
Free
Cost (but usually it is cheaper than losing all your stuff)
Still can't find anything? Go here: http://www.thefreecountry.com/security/antivirus.shtml
Viruses around the world
Here is a map of virus statistics around the world.