Viruses
This page provides an overview of some specific virus cases, what they are and how to stop them.

Dissecting a Virus Attack
I have collected over 3100 virus emails since a large outbreak of the Sober virus started on November 21st to study the messages, see where they are coming from and how different Internet Service Providers respond to the problem. To start with, here is a breakdown of the sources of the virus emails. The exact IP addresses are not presented here since the owner is probably an unwitting victim of a virus or hacker:
adelphia.net
alltel.net
blueyonder.co.uk
btbroadband.com
charter.net
pacbell.net
PaeTec
rr.com
sifycorp.com
tds.net
This is not so much about the virus itself, but a discussion of how service providers or hosting companies address the issue. The quality of handling a virus attack and company policy varies greatly. For information about the virus and how to get rid of it, see Removal Instructions/More information below.

About Sober
Typical Virus Email Subjects
Registration Confirmation
Protected message is attached!
hi, ive a new mail address
hey its me, my old address dont work at time...
Paris Hilton & Nicole Richie
The Simple Life: View Paris Hilton...
Your Password
Account and Password Information are attached!
smtp mail failed
Mail delivery failed

Removal Instructions/More information
ca.com
symantec.com
mcafee.com

Surviving a Virus Attack
By now you have probably received many emails like the following:
[Screenshots of two virus emails]
These are junk messages, but they are not exactly spam emails because they are not selling anything. The sender addresses are spoofed just like other junk mail. Downloading the attached file will infect your PC with a virus. One mailbox I use for this project has received over 2500 messages like this in 24 hours. 2500 messages seems like an overwhelming pile of junk that should just be deleted, but that is exactly what the spammers want. By deleting the messages you are allowing someone else the opportunity to be infected. Infected computers send more virus emails. You have the power to stop the buck at your mailbox. System administrators will only shut down virus sources if they are reported. But how do you research and report 2500 messages? What if I told you that these 2500 messages were only coming from 10 locations? Even if you just report one, you are helping stop the spread. Here is what you can do: look at the headers of the email. The headers will tell you where the email really originated from.
Each email program has a different way to access the headers; you may have to do a little research to find out how to view them. When you do, find the field value "Originating-IP." The value will be a series of four numbers separated by periods, for example 24.167.6.223. This is an IP address. Next, open a command-line DOS window (Start, Run, CMD). At the prompt enter tracert -h 1 followed by the IP address and hit Enter. Example:
[Screenshot of tracert output]
Look at the line starting with "Tracing route..." and find the end of the string: the "rr.com" is what we are interested in, as this is the host of the IP address. In this case it is the Road Runner ISP. Important: just because this is where the viruses are originating, it does not mean they are doing it on purpose. It is more than likely that the ISP is a victim of hacking and viruses. Go to the ISP's homepage and find the contact email for abuse. Copy the entire header from your virus email and forward it to the administrators. Just forward a small sample; a little reporting goes a long way.
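Here is the header-tracing procedure from Surviving a Virus Attack above as a small Python script, an added example that is not part of the original page. It assumes your own mail servers are the ones named in OWN_RELAYS (example.org here), uses a constructed message and a constructed reverse-DNS table (fake_resolver) so it runs offline, and adds one check the text does not mention: the "Originating-IP" field is written by whoever sent the mail and can be forged, so the Received line your own server added is preferred when both exist.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed Sober-style headers (not a real capture); example.org stands in for our relays.
SAMPLE_MAIL = """\
Received: from mx2.example.org (mx2.example.org [192.0.2.10])
 by mail.example.org with ESMTP id 1a2b3c; Tue, 22 Nov 2005 09:12:01 -0500
Received: from [24.167.6.223] (helo=localhost)
 by mx2.example.org with SMTP; Tue, 22 Nov 2005 09:11:58 -0500
X-Originating-IP: [24.167.6.223]
Subject: Registration Confirmation
"""
OWN_RELAYS = ("mail.example.org", "mx2.example.org")  # assumed names of our own mail servers
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def public_ips(text):
    """Routable IPv4 addresses in a header value, in order of appearance."""
    return [m for m in IP_RE.findall(text)
            if all(int(o) < 256 for o in m.split(".")) and ipaddress.ip_address(m).is_global]

def origin_ip(raw, own_relays=OWN_RELAYS):
    """IP that handed the mail to our relays. X-Originating-IP is whatever the sender
    chose to write, so the Received hop that *our* server recorded is preferred."""
    msg = message_from_string(raw)
    for hop in msg.get_all("Received", []):
        sender = re.split(r"\s+by\s+", hop, maxsplit=1)[0]  # the "from ..." half of the hop
        if not any(r in sender for r in own_relays) and public_ips(sender):
            return public_ips(sender)[0]
    claimed = public_ips(msg.get("X-Originating-IP", ""))
    return claimed[0] if claimed else None

def isp_domain(ip, resolver=socket.gethostbyaddr):
    """Reverse-resolve ip and keep the registrable suffix (the 'rr.com' of the tracert
    step); co.uk-style suffixes stay whole. A Public Suffix List is the robust version."""
    try:
        labels = resolver(ip)[0].lower().rstrip(".").split(".")
    except OSError:
        return None
    keep = 3 if len(labels[-1]) == 2 and labels[-2] in {"co", "com", "net", "org", "ac"} else 2
    return ".".join(labels[-keep:])

def fake_resolver(ip):
    """Constructed PTR answers (made-up hostnames) so the example runs offline."""
    table = {"24.167.6.223": "host-24-167-6-223.rr.com", "203.0.113.7": "cust-7.blueyonder.co.uk"}
    if ip not in table:
        raise socket.herror("no PTR record")
    return table[ip], [], [ip]
```

Running isp_domain(origin_ip(SAMPLE_MAIL)) with the real socket.gethostbyaddr replaces the tracert step; the domain it returns is the one whose abuse contact you look up, and the headers you forward are the untouched originals.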

NewDot Saga
Not only is NewDot difficult to remove, but they will sue you if you talk about it. NewDot installs very easily by simply opening an email or web page. NewDot's registry entry will try to launch this DLL on start-up: C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL. If you delete the DLL and registry entry it will reinstall. It may only be removed completely in safe mode. HijackThis can help.
But NewDot is not done with you yet! They insist that their hidden-install-forced-download-impossible-to-remove-browser-hijack is not "spyware" but simply a new type of marketing, and they will sue you if you say that it is "spyware" (some call it "Foistware"). They have even filed a lawsuit against the Internet Corporation for Assigned Names and Numbers for discussing NewDot's business practices.

Blaster and SVCHOST.EXE
If you are running Windows 2000 and get an SVCHOST.EXE Application Error when you use a dial-up connection, you probably have the Blaster virus. When you get this error, open Task Manager and you should see msblast.exe in the program list. Download the McAfee/Network Associates Stinger program, which will clean out Blaster and other viruses, and run it.

W32/Mydoom@mm
Avoid opening unscanned attachments. Delete emails with attachments from persons you don't know. If you've got it, then get stinger.exe to remove it. Stinger 1.9.7 and the 4319 DATs will both require that infected systems be rebooted to achieve complete removal of W32/Mydoom@mm. The shimgapi.dll file is injected into the EXPLORER.EXE process if the system has been rebooted after the infection has occurred. In this situation, a reboot and rescan is required to remove this DLL from the system. McAfee information.

Gone.scr Virus: Case example of removing a virus manually
A new virus hit Outlook email on 12.04.01. It's called "gone.scr" and infects the Outlook address book through an email attachment masked as a screen saver program. Double-clicking the attachment infects the PC. The virus then uses email addresses in the Outlook address book to forward the virus and message to more people in your name. The program sits in C:\WINDOWS\SYSTEM and is hidden. The program is constantly running and accessing Outlook. Under these conditions it cannot be deleted. Also, the virus creates a registry key which launches the program on boot. The program also recreates the registry key if it's deleted or renamed. In order to disinfect, the program and registry key must be deleted, and this cannot be done while Windows is running. Follow these steps:
Lovsan
An infected
machine (running msblast.exe or teekids.exe) will send out malformed packets
across the local subnet to the RPC service running on port 135. When these
packets are received by any unpatched system, it will create a buffer
overflow and crash the RPC service on that system. All this can occur
without the worm actually being on the machine. This means that the remote
shell will still get created on TCP port 4444, and the system may
unexpectedly crash upon receiving malformed exploit code.
Other symptoms may include:
By applying the MS03-026 patch to the machine, it will prevent the RPC
service from failing, in turn solving these symptoms. **It is very important
that the machine is rebooted after the patch has been installed.** The
machine can then be updated to the latest dats/engine/config and an
on-demand scan run to pick up msblast.exe or teekids.exe, IF it exists. I
must reiterate, all these symptoms are related to the RPC vulnerability and
not necessarily due to W32/Lovsan running locally. Msblast.exe/teekids.exe
may not be present at all.

Protection and Detection
Both Norton (Symantec) and McAfee have free/trial downloads of anti-virus packages that will eliminate most viruses.
Norton Virus Removal Tools
McAfee Free Scan
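The Lovsan section above makes a distinction that matters during cleanup: an RPC crash can be caused by a neighbour's packets alone, a shell listener on TCP 4444 can exist without the worm file, and msblast.exe or teekids.exe may or may not be running. The following triage helper, an added example rather than anything from the original page or from McAfee, separates those cases from constructed excerpts of tasklist and netstat -ano output (the image names, port and patch number are the ones the text gives).

```python
# Constructed excerpts of "tasklist" and "netstat -ano" output (not real captures);
# the image names and TCP port 4444 are the ones the Lovsan section describes.
TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                  812 Console                 0      4,120 K
msblast.exe                 1432 Console                 0      1,336 K
"""
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1432
"""
WORM_IMAGES = {"msblast.exe", "teekids.exe"}

def worm_processes(tasklist_text):
    """(image, pid) pairs whose image name is one of the worm files named above."""
    hits = []
    for line in tasklist_text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0].lower() in WORM_IMAGES and parts[1].isdigit():
            hits.append((parts[0].lower(), int(parts[1])))
    return hits

def shell_listeners(netstat_text, port=4444):
    """PIDs holding a TCP listener on the shell port the exploit opens."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if (len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING"
                and parts[1].endswith(f":{port}")):
            pids.append(int(parts[4]))
    return pids

def triage(tasklist_text, netstat_text):
    """Tell apart the three situations the text distinguishes. The fix is the same
    in every case: apply MS03-026, reboot, then update DATs and run an on-demand scan."""
    procs = worm_processes(tasklist_text)
    listeners = shell_listeners(netstat_text)
    if procs:
        return "worm running locally"
    if listeners:
        return "exploited: shell listener present but no worm file"
    return "no local trace: RPC crash probably caused by a neighbour's packets"
```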