Questions about Viruses?
Viruses, worms, trojans and such are on the rise on the internet as it becomes home to more and more computers and people. This really isn't the crisis you might imagine; there are simple measures that can be taken to prevent and clean infections. Pennswoods is now filtering email for common viruses and worms to prevent their spread.
If, however, you were to receive an infected email, listed below are some profiles of common viruses and some links to information on them.
A note on viruses:

Viruses propagate mostly due to carelessness. If you receive a suspicious email attachment: don't open it! Just delete the email and attachment and you'll be fine. Other viruses spread through holes in software. There is little you can do about this except either to avoid running susceptible software on your computer (Outlook Express is notoriously susceptible to attacks and is also frequently attacked) or to keep your software up to date with software patches.
Software patches and updates for Windows:
Klez
04-30-02
Klez is the newest virus to hit the Internet. Actually, it's kinda old, but it's spreading recently. It is spreading extremely rapidly - in over two weeks the estimated infection is 7% of computers worldwide and rising. Klez is a worm that distributes itself from Outlook Express. The two tricks that let it spread so rapidly are:
  • It can spoof email addresses. It picks a random email address from OE's address book and sends itself as being from that address.
  • It has a random subject, so there is no easy way to ID it.
The Postini Message Center is filtering Klez - we caught over 800 emails with it in one day alone. Users may get emails saying they are getting viruses from mailer-daemon, postmaster, support, etc., but in fact that is just Klez spoofing addresses. Additional information:
Badtrans
10-18-01
Badtrans has been around for a while, but I've seen a marked increase in its distribution lately. This virus distributes itself via email in the form of an attached executable file with the extension PIF or SCR with a size of 13KB. Opening the attachment will cause the program to execute and display this message: "File data corrupt: probably due to a bad data transmission or bad disk access." (Which yielded the name badtrans.) The virus then opens a back door to allow remote access to the computer and starts a keylogging program. When the computer reboots the virus sends out infected emails. Once again, never open a suspicious-looking email attachment. Additional information:
Nimda
09-19-01
This virus cleverly incorporates many of the propagation and infection methods used by other viruses this summer and before. All unpatched versions of Windows using Internet Explorer/Outlook Express 5.5 SP1 and earlier, or IIS, are vulnerable to this virus. Once established on the victim system, the virus attempts to propagate through email that, when viewed, auto-executes an attached executable file because of incorrectly set MIME types. Nimda also spreads using exploits in IIS, like CodeRed does. Visiting a webpage containing the Nimda virus will cause your computer - if susceptible - to become infected. Additional information:
CodeRed
08-01-01
I'm only posting this worm because of the fear the media has been spewing to the general public: many people believe they may be affected by this virus when actually they will not.
This virus only affects computers running IIS (the Microsoft web server software) with the Indexing Service installed or Microsoft Index Server. In short, if you're not running IIS or Microsoft Index Server you have nothing to worry about. Do you have this software installed? Probably not. IIS is a part of Windows NT (this includes Windows 2000, which is actually a version of NT, but not ME, 98, 95 or any other) and Microsoft Index Server is a part of Windows 2000. If you are running Windows NT or 2000, I encourage you to download the patch from Microsoft. Additional information:
W32.Magistr
07-24-01
This virus has become increasingly prevalent lately. It will probably appear as an email containing some sort of marked-up text with an executable attachment of 35 - 45 Kbytes in length. (Never open an executable attachment, folks.) The title and body of the email are generated from the contents of some file on the infected computer. Here is part of an infected email I received today:
\fs28 \f0 \pard \s14 \qc \sl-0 \tx720 FREE PARKING~CONCE.SSiON SEC URID\up6 T \plain \i \fs28 EASY LOAD-C JNLOAD\par
\pard \s14 \qc \sl-0 \tx720 ANTI QUE/MODERK FIREA RAtS-HA NDG CINS-KNJJTS-AMMO-ROOKS\par
\pard \s14 \qc \sl-0 \tx720 A COESSORIES-POCKE T WA WHES-AJIUTAR y ITEMS-MUCH MORE\par
\fs18 \f0 \pard \s15 \li3168 \fi-1728 \sl-220 \tx1500 \tx3220 R & P ~ SPORT\tab SHOW~ >HC 35 BOY 30 B \up6
If you receive an email resembling this, please delete it without opening the attached file. If you do not open the attached file, your computer will not be infected. Additional information:
W32.SirCam
07-24-01
I have seen a few infections of this; it appears as a large file (the ones I have seen are over 100K) attached to an email message. The attached file actually has the extension .PIF, but that is preceded by another false extension such as XLS or ZIP. The body of the email will begin with the statement "Hi! How are you?" and end with "See you later. Thanks". If you receive an email resembling this, please delete it without opening the attached file. If you do not open the attached file, your computer will not be infected. Additional information:
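The attachment traits given in the Badtrans, W32.Magistr and W32.SirCam profiles above can be checked mechanically. The following is an added example, not part of the original page or of any filtering product: the function names, the trait labels, the inclusion of EXE and the width of the size windows are assumptions, and the sample message is constructed and harmless.

```python
import email
from email.message import EmailMessage

# The page names PIF and SCR as executable attachments; EXE is an added assumption.
EXECUTABLE_EXTS = {"pif", "scr", "exe"}

def triage(raw_message: str) -> list[str]:
    """Return the traits from the profiles above that this message shows."""
    msg = email.message_from_string(raw_message)
    traits, body = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename()
        if name is None:
            if part.get_content_type() == "text/plain":
                body += data.decode("latin-1")
            continue
        pieces = name.lower().split(".")
        if len(pieces) < 2 or pieces[-1] not in EXECUTABLE_EXTS:
            continue
        traits.append("executable-attachment")
        if len(pieces) > 2:
            # e.g. budget.xls.pif: a mail client may display only "budget.xls"
            traits.append("false-extension:" + pieces[-2])
        kb = len(data) / 1024  # size windows below are assumptions around the page's figures
        if 12 <= kb <= 14:
            traits.append("size-like-badtrans")   # page: 13KB
        elif 35 <= kb <= 45:
            traits.append("size-like-magistr")    # page: 35 - 45 Kbytes
        elif kb > 100:
            traits.append("size-like-sircam")     # page: over 100K
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    if lines and lines[0].startswith("Hi! How are you?") \
            and "See you later. Thanks" in lines[-1]:
        traits.append("sircam-body")
    return traits

def constructed_sample() -> str:
    """Build a harmless constructed message shaped like the SirCam description."""
    m = EmailMessage()
    m["Subject"] = "budget"
    m.set_content("Hi! How are you?\n(constructed middle line)\nSee you later. Thanks\n")
    m.add_attachment(b"\0" * 120_000, maintype="application",
                     subtype="octet-stream", filename="budget.xls.pif")
    return m.as_string()

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

The decoded attachment size is used rather than the size of the message, because base64 encoding inflates the transmitted size by about a third.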
Hybris
This particular virus infects a computer in such a way that every time an email is sent from that computer, the virus sends itself to that email address. For instance, your friend sends you an email. The virus watches this email being sent, gets the email address, and then waits a few moments before sending an infected email to the same address. In short, you're receiving this virus from people who send you email. When you receive an email infected with Hybris, you may open it with no harmful effects - and there's nothing interesting in the body of the email - but do not open the attached file.

Here's what to do to find out who's unwittingly sending you infected email: When you receive an email that shows the subject as Snowhite and the Seven Dwarfs - The REAL story, look at the timestamp on the mail. Then, look to see if you have any other email that has a timestamp within a couple of minutes before the time shown on the "hahaha" email. If there is such an email with a similar time, check to see who you received that email from. This is likely the person who is infected with the virus. Please contact this person to let him or her know that the computer is infected and should be disinfected.

There are now many variants of the Hybris virus, but you may easily recognise them. Most have sexual references - like the original - and may appear to be sent by the following: leather, xena, anna, etc. Among the new variants, the body of the email is short and is almost completely composed of sexual references. Like the original, attached is an executable file with any number of extensions.

You may block incoming email infected with the original Hybris:
    In Outlook Express,
  1. Click on Tools at the top of the screen
  2. Click on Message Rules
  3. Click on Mail
  4. A new screen will open up. In the first box, 1. Select the Conditions for your rule: check the box next to Where the subject line contains specific words
  5. Under 2. Select the Actions for your rule check the box next to Delete it from server
  6. Under 3. Rule Description (click on the underlined value to edit it): click on the highlighted words, "contains specific words"
  7. A new window will appear, titled Type Specific Words. In the first white box, type Snowhite and the Seven Dwarfs - The REAL story
  8. Click the Add button
  9. Click OK
  10. Click OK
  11. Click OK
Now, whenever you receive the original Hybris virus, it will be instantly deleted. Other info: this virus infects C:\WINDOWS\SYSTEM\WSOCK32.DLL, and other files, depending on the variant. Variants of Hybris may display a moving swirl on the screen of the infected computer and/or may have a different email. To temporarily remove the infection, download and run this program: Win98 WinME
For a permanent fix, download an antivirus package. Additional Information:
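The timestamp check described above for finding who is unwittingly sending you Hybris can be run over a mailbox listing. This is an added example, not part of the original page: the function name, the two-minute window and every address in the inbox are constructed assumptions. It also converts Date headers from different time zones to the same instant before comparing them, which is easy to get wrong by eye.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

HYBRIS_SUBJECT = "Snowhite and the Seven Dwarfs - The REAL story"
# "A couple of minutes" in the text; the exact width is an assumption.
WINDOW = timedelta(minutes=2)

# Constructed inbox listing: (From, Subject, Date header).
# bob's Date header is in UTC, the others are in -0400.
INBOX = [
    ("alice@example.org", "lunch friday?", "Tue, 24 Jul 2001 09:14:02 -0400"),
    ("bob@example.net", "meeting notes", "Tue, 24 Jul 2001 17:40:10 +0000"),
    ("hahaha@example.invalid", HYBRIS_SUBJECT, "Tue, 24 Jul 2001 13:41:25 -0400"),
    ("carol@example.com", "re: invoice", "Tue, 24 Jul 2001 16:05:00 -0400"),
]

def likely_infected_senders(inbox, window=WINDOW):
    """For each mail with the Hybris subject, return the senders of ordinary
    mail dated within `window` before it, as in the manual check above."""
    # parsedate_to_datetime yields timezone-aware datetimes, so subtraction
    # compares real instants rather than the wall-clock text in the header.
    parsed = [(frm, subj, parsedate_to_datetime(date)) for frm, subj, date in inbox]
    suspects = []
    for _, subj, worm_time in parsed:
        if subj != HYBRIS_SUBJECT:
            continue
        for frm, other_subj, sent in parsed:
            if other_subj == HYBRIS_SUBJECT:
                continue
            # Only mail that arrived shortly BEFORE the worm mail counts.
            if timedelta(0) <= worm_time - sent <= window and frm not in suspects:
                suspects.append(frm)
    return suspects

if __name__ == "__main__":
    print(likely_infected_senders(INBOX))
```

The Date header is written by the sending computer, so if its clock is wrong the match can be missed; the time your own mail server stamped on the message is the more reliable value to compare.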
Kak.Wscript
All this worm really does is spread. It is transmitted using the Microsoft Outlook [Express] email client and takes the form of a script hidden in the email message from the infected system. When the infected email is read, the script activates and infects the victim system.

To remove the infection, download and run this program: Kakcleaner

For more information:
W95.MTX
Mtx spreads in the same way as Hybris, by hooking email addresses and sending itself to them. You'll have no problem reading your email; just be careful not to open the attached file. Mtx infects other files on the infected system, eventually decreasing the performance of the system considerably.

To remove the infection, download and run this program: fix_w95.mtx.exe

For more information:
http://ca.com/virusinfo/encyclopedia/descriptions/m/mtx.htm
http://vil.mcafee.com/dispVirus.asp?virus_k=98797&
Keypanic
This trojan will display an offensive message every time you type something: "You are...!" To remove this trojan:
  1. Click on the Start button
  2. Click Find
  3. Click Files or Folders
  4. In the Named box, type datcheck
  5. In the Look In box, make sure the C: drive is listed
  6. Click the Find Now button
  7. This search should find a file in the C:\Windows\System folder with the name datcheck.exe
  8. Delete this file by right-clicking on it and choosing Delete
  9. Empty your Recycle bin, then reboot your computer. The virus should be gone.

For more information:
http://www.symantec.com/avcenter/venc/data/keypanic.trojan.html