MINDPRIDE Computer Services

 

VIRUS PROTECTION AND REMOVAL IV

 


 

Safe Computing Practices (Safe Hex)

There are some relatively simple, common-sense things you can do to help protect yourself from viruses and worms. Consider those listed on this page.

  • Update AV Software. Obviously, the first and foremost safe computing practice is to make certain you keep your anti-virus software up to date. Do this at least weekly; more often if there are news reports of a new fast-spreading virus or worm.
  • Safe Boot Disk. Most anti-virus software has an option for creating a safe boot disk which can be used to clean-boot the computer and, perhaps, also scan for viruses. This safe boot disk should be recreated now and again if it allows for virus scanning. It's important that it contains the latest virus database.
  • Hard Disk Boot. Change your boot sequence so that the hard disk is the first boot disk instead of the floppy disk. It's really easy to leave a floppy disk in the drive and if that disk happens to be infected with a boot sector virus then the next time you start the computer the hard disk will become infected. If the floppy is not accessed, that infection won't take place. The boot sequence is changed in your BIOS setup information and can be switched back when you need to boot from a floppy disk.
  • Use RTF Not DOC. Don't accept any Word .DOC or Excel .XLS files from anyone. If you absolutely need formatted text to edit, tell people to send you a Rich Text Format (.RTF) file. But be careful nonetheless. There are macro viruses that intercept the request to save to RTF and save the file in DOC format with an RTF extension. Word will unfortunately ignore the RTF extension and open the file as a DOC file. To be certain, you can open the RTF file in a plain text editor to make certain it's plain text, as an RTF file should be. It is also possible to embed objects into RTF files. These also could be malicious. RTF is not as safe as many make it out to be. If the file has to be formatted but does not need to be edited, consider asking for it in PDF format instead.
  • Consider Alternate Software. In the politest sense this would be a recommendation to switch to software that is not as likely to be affected by viruses/worms. For many offices a switch away from Word, Excel, and Outlook/Outlook Express would be difficult as these programs came as standard software on many systems. But, it's worth consideration.
  • Don't Open Attachments. Be picky and stubborn: do not accept, run, or open any unsolicited attachments to E-mail. This may seem a bit extreme but in today's world where worms send themselves out via personal address books you can't really trust anything coming from anyone; even if you know them.
  • Turn off Preview. No matter what E-mail software you use, turn off the preview function. Most that preview formatted messages use IE components that have proven themselves less than secure.
  • Disable Scripting. Turn off the Windows Scripting Host if you don't need it. Scripts are just fancy macros that can apply across programs and are a major vehicle for worms. Instructions are in the Disable Scripting section below.
  • Show Extensions. Set all programs to show you the full file name, particularly E-mail programs. If your program drops the extension you don't really know if the attachment is executable or not.
  • Protect Floppies. Write-protect any floppy disk you place into another person's computer. If their computer is infected with a boot sector virus at least yours won't be.
  • Keep Up. Keep up with the latest security patches for all the programs you use.
  • Get Info. Consider subscribing to the virus alert E-mail notices your anti-virus software maker probably puts out. This is a two-edged sword, however. Many people will find they are getting many notices about viruses that they'll never see. You have to judge the inconvenience versus the information.
  • Backup. Finally, but most importantly: backup, backup, backup!
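As an added example (not from the original page), the following Python script automates the check described in the "Use RTF Not DOC" item: it verifies that a file received with an .rtf extension is really plain RTF text rather than a renamed binary Word document, and flags embedded objects. The OLE header constant and the sample inputs are constructed here for the demonstration.

```python
import re

# OLE2 compound-document header used by binary Word .DOC / Excel .XLS files
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def classify_rtf(data: bytes) -> dict:
    """Decide whether bytes received as an .rtf attachment are really plain RTF."""
    verdict = {"is_rtf": False, "is_ole_doc": False, "has_object": False, "reason": ""}
    if data.startswith(OLE_MAGIC):
        # Word saved a DOC under an .rtf name (the macro-virus trick described above)
        verdict["is_ole_doc"] = True
        verdict["reason"] = "binary Word/Excel document carrying an .rtf extension"
        return verdict
    if not data.startswith(b"{\\rtf"):
        verdict["reason"] = "does not begin with the {\\rtf group"
        return verdict
    # Well-formed RTF is 7-bit text (high bytes are written as \'xx escapes);
    # NULs or bytes >= 0x80 mean binary content (\bin runs) or a mislabelled file
    if any(b == 0 or b >= 0x80 for b in data):
        verdict["reason"] = "starts like RTF but contains binary bytes"
        return verdict
    verdict["is_rtf"] = True
    if re.search(rb"\\object\b", data):
        # Embedded OLE objects inside RTF can themselves be malicious
        verdict["has_object"] = True
        verdict["reason"] = "plain RTF, but it embeds an object; treat with caution"
    else:
        verdict["reason"] = "plain RTF text"
    return verdict


def check_rtf_file(path: str) -> dict:
    """Read a file from disk and classify it."""
    with open(path, "rb") as f:
        return classify_rtf(f.read())


# Constructed sample inputs (not real files from the page)
SAMPLE_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times;}}\\f0 Hello, world.\\par}"
SAMPLE_RTF_OBJ = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}\\par}"
SAMPLE_FAKE_DOC = OLE_MAGIC + b"\x00" * 24 + b"renamed Word document"

if __name__ == "__main__":
    for name, blob in [("real.rtf", SAMPLE_RTF), ("embedded.rtf", SAMPLE_RTF_OBJ),
                       ("renamed.rtf", SAMPLE_FAKE_DOC)]:
        print(name, "->", classify_rtf(blob)["reason"])
```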

 

Outlook and Outlook Express

This page will hopefully clarify some of the noted confusion about the ability of Outlook and Outlook Express to interact with worms and viruses. In many ways it's a shame that Microsoft had to give the programs such similar names. With different names, the confusion that currently exists would not.

Despite the similar names, Outlook and Outlook Express are two different programs with two different development histories.

The Outlook E-mail client was designed as a replacement for the mail clients MS Exchange and MS Mail. Basically, it's a shoehorn of an Internet mail client into the proprietary MS Mail/Exchange clients.

Outlook Express was a rewrite and expansion of the Internet Email and News client that came with early Internet Explorer browsers (version 3 at least, not certain about version 2).

While Outlook 97 is a full OLE (MS Automation) client and server, it did not make methods for accessing the address book and sending mail available to external users (the external user was assumed to already know the address it wanted to send mail to). Apparently finding this too restrictive, Microsoft, in Outlook 98, made these interfaces available to external users (i.e., the external user no longer needed to know an E-mail address; they could use addresses stored by Outlook). It's this change that makes it possible for Outlook 98 (and later) to be used by virus/worm authors to do their E-mail tasks for them.

There presently does not appear to be a way to use the Visual Basic for Applications language tools built into Outlook for macro virus purposes (as you can with Word and Excel), but future changes may allow this.

Outlook Express, unlike Outlook, does not presently make any of its mail routines available to MS Automation (at least in all present shipping versions--who knows what the future may bring).

So, in general, when you see a worm/virus description talk about "Outlook" you can generally assume it means the Outlook program and not the Outlook Express program.

But, as with everything, there is at least one (and in the future more?) caveat. The KAK worm specifically targets Outlook Express by changing the default signature to one containing JavaScript code that acts as a worm. (This is a special case where it appears the worm author was trying to "infect" a program that was not supposed to be able to be infected.)

 

Disable Scripting

The Windows Scripting Host is used by few but makes many avenues of mischief available to malicious software. Consider removing or deactivating it.

In order to run Visual Basic Scripts (VBS files) on your computer you must have the Windows Scripting Host (WSH) installed and working. While scripting allows you to closely integrate some application software, it also allows worms such as LoveLetter (as one example) to use your copy of Outlook to send itself to all the people in your address book (and other malicious things!).

In order to avoid these sorts of attacks it's often best to just disable the Windows Scripting Host. Most people don't need or use it. Following are instructions for removing WSH.

Windows98

Typically, WSH is installed if you choose a standard install of the OS, if you install the IE5 browser, or if you directly install WSH from Microsoft. To turn it off...

  • Open the Add/Remove Control Panel application. Either "Start | Settings | Control Panel" or double click "My Computer" and "Control Panel" then double click "Add/Remove Programs."
  • Click on the "Windows Setup" tab.
  • Scroll to "Accessories" and double click that entry. An Accessories window that looks like the following should open...

[Figure: Remove Script Host dialog]

  • Scroll down the accessories list until you find "Windows Scripting Host" and then click on the checkbox next to the entry to deselect it (i.e., remove the check mark in the box).
  • Click OK to close the window(s) and OK again to close the "Add/Remove Programs" window.

(Windows 98 is the only OS Computer Knowledge has tried this process on. Following are brief instructions believed to work for other operating systems.)

Windows95

Basically, you have WSH installed if you've installed the IE5 browser or WSH itself. In order to stop it from running you have to disassociate the VBS extension from the WSH. Right click "My Computer" on the Desktop or in Windows Explorer. Select "Open." Click on the "View" menu and select "Options..." Now click on the "File Types" tab. Scroll down to "VBScript Script File" (if not found, stop here and cancel out; you don't have scripting active). Click on "VBScript Script File" and select "Remove." Confirm and then quit the File Types application.

WindowsNT 4.0

Basically, you have WSH installed if you've installed the IE5 browser or WSH itself. In order to stop it from running you have to disassociate the VBS extension from the WSH. Log on as an administrator. Right click "My Computer" on the Desktop or in Windows Explorer. Select "Open." Click on the "View" menu and select "Options..." Now click on the "File Types" tab. Scroll down to "VBScript Script File" (if not found, stop here and cancel out; you don't have scripting active). Click on "VBScript Script File" and select "Remove." Confirm and then quit the File Types application.

Windows 2000

WSH is normally installed. In order to stop it from running you have to disassociate the VBS extension from the WSH. Log on as an administrator. Right click "My Computer" on the Desktop or in Windows Explorer. Select "Open." Click on the "View" menu and select "Options..." Now click on the "File Types" tab. Scroll down to "VBScript Script File" (if not found, stop here and cancel out; you don't have scripting active). Click on "VBScript Script File" and select "Remove." Confirm and then quit the File Types application.

 

Backup Strategy

Once damage is done to files on your computer (no matter what the cause) it's often too late. A comprehensive backup strategy is a vital component in your computer security arsenal (and don't forget to test the restore routines!).

 

Too many people wait for a problem to happen or a virus to attack their PC before they take any action. Once a virus reveals its presence on your PC, it may be too late to recover damaged files. There are many viruses that cannot be successfully removed due to the way the virus infects the program. It's absolutely vital to have protection before the virus strikes. If you wait until you notice that your hard disk is losing data, you may already have hundreds of damaged files.

And, don't forget problems caused by hardware or software glitches. A good backup is excellent protection against those unscheduled events as well.

It's essential to carefully protect all your software and regularly back up the data on all your disks. Is there a single disk you can afford not to back up regularly? It's rare to find any PC that does not have some type of important data stored on it (why would you store it if you didn't feel it was important at the time?).

Suggested Policy

  • All original software (program) diskettes should immediately be write-protected, copied and stored in two secure, separate locations after installation. If you are using an integrity check program, immediately record (initialize) the integrity data for the new programs after installing. (Store CD-ROMs in a fire-secure location since you only have one copy of them.)
  • Determine a schedule for full backups by considering how frequently your data changes. It is an excellent idea to have three full sets of backup tapes or data cartridges and to store one set at another location to protect against fire, theft, or some other disaster. If your data is critical, you may wish to have a separate cycle of backups (e.g., quarterly or yearly) that can be used to recover when someone damages (or deletes) a vital file, but the deletion isn't discovered until months later.
  • The full backups should be coordinated with periodic incremental backups. The incremental backup, which copies just the files that have changed, normally runs very quickly and takes just a minute or so. Many people find that an incremental backup run at the end of each day works quite well. This way their data is protected should anything happen overnight. One rule of thumb for incremental backups is to do them when it would become difficult or not cost effective to re-enter the data.
  • Make sure you use reliable backup hardware and software. Periodically test by restoring from a backup. Too many people have discovered that their backup program couldn't recover their files when it was too late. If you use an integrity check program you can verify that the restored files are correct. If you cannot afford to play with your operational system, test your restore on a different system. This will also tell you if you will be able to restore to a new system should the current one have to be replaced.
  • Be certain you store the recovery program for your backups with your backups. Some people have regularly backed up their data only to find the only version of the recovery program was on their backups and not available to actually run.
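As an added example (not from the original page or any particular backup product), the following Python script plays the "integrity check program" role described in the policy above: it records a digest for every file right after installation and later verifies the restored files against that record, reporting altered, missing and unexpected files. The directory layout and file contents in demo() are constructed for the demonstration.

```python
import hashlib, json, os, shutil, tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large program files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Record (initialize) integrity data: relative path -> digest of every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full)
    return manifest

def verify_restore(root, manifest):
    """Compare a restored tree against the saved manifest; three empty lists means OK."""
    current = build_manifest(root)
    return {"changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
            "missing": sorted(p for p in manifest if p not in current),
            "extra": sorted(p for p in current if p not in manifest)}

def _write(path, data, mode="wb"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario: record a fresh install, then check a restore that went wrong."""
    work = tempfile.mkdtemp()
    try:
        src, restored = os.path.join(work, "install"), os.path.join(work, "restore")
        _write(os.path.join(src, "bin", "app.exe"), b"MZ program bytes")
        _write(os.path.join(src, "readme.txt"), b"read me")
        manifest_path = os.path.join(work, "manifest.json")   # keep a copy with the backups
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(src), f)
        shutil.copytree(src, restored)
        _write(os.path.join(restored, "bin", "app.exe"), b" tampered", "ab")  # altered file
        os.remove(os.path.join(restored, "readme.txt"))                        # lost file
        _write(os.path.join(restored, "extra.log"), b"x")                      # unrecorded file
        with open(manifest_path) as f:
            return verify_restore(restored, json.load(f))
    finally:
        shutil.rmtree(work)
```

Run demo() to see the three categories reported; a clean restore returns empty lists for all of them.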

When you store your backup, use great caution in choosing where you store it. Pick a place that is physically safe. Plan ahead for flood, for example: don't store your backups in the basement if your business is next to a river! Plan ahead for fire: if the location is protected by sprinklers, what will the water do to the backups? What about physical access? And so on.

Summary

  • Plan for problems before they happen by having a good (and current) backup.
  • Develop a backup strategy based on how much work you are willing to do to reenter information.
  • Keep at least one backup copy off-site.
  • Test your ability to restore from your backup before you have to, and be certain to store the recovery program with the backup.

That is basically the end of the tutorial. Thank you for reading to this point. But that's only the start of virus information...

 

On-going Virus Information

There are many sources for virus information; some are even accurate.

The first place to check often is the web site of your anti-virus provider. There you should find alerts for the latest viruses, information about using their product in the most efficient manner, and, of course, the latest updates. Often you will also find you can join a mailing list and receive upgrade and alert notices automatically via E-mail.

You can also check other anti-virus software vendor sites for their latest alerts and, if you have time and bandwidth to spare, join their mailing lists as well.

Also, don't forget to check the Computer Knowledge site. Our monthly newsletter often has notes about new viruses and other security items you should be aware of.

http://www.cknow.com/cknewsletter/

There are several usenet newsgroups dedicated to computer viruses. Of these, comp.virus is the best largely because it is moderated by virus experts so the trash postings are suppressed. Unfortunately, the moderator(s) have not been able to process messages very often and so the newsgroup has been quiet for a long time now. The alt.comp.virus newsgroup is quite active as an alternative but there are a considerable number of posts in the group that offer either no benefit or are just plain wrong. Use caution if you read alt.comp.virus or any of the other related alt groups.

There are many more sources of information listed in the alt.comp.virus FAQ. It's posted regularly to alt.comp.virus and comp.virus and is available on the web at:

http://www.sherpasoft.com/acvFAQ/

Specific Virus Descriptions

Some anti-virus vendor sites have databases describing specific viruses in varying detail. Check the FAQ link just above for some links, or check the AVP, Data Fellows, Symantec, and McAfee vendor sites.

Different vendors sometimes have different names for the same virus. If you can't find a particular virus on one site, check another. You can also check the Virus GREP database which attempts to cross reference all the different virus names. See:

http://www.virusbtn.com/VGrep/

Books

Books which may be of use (a few of these are somewhat dated but still of some value for learning the basics):

 


Web Page Designed By ADAM
Copyright 1981 - 2008
MINDPRIDE CONSULTING All rights reserved.
Revised: November 21, 2007