Sarasota PC Monitor


Tech Talk (10/00)

Viruses, Viruses, Viruses

by Brian K. Lewis, Ph.D.*
Member of the Sarasota Personal Computer Users Group, Inc.

This was not the topic I originally had in mind for this month's article. However, the events of the last two weeks have conspired against me and twisted my arm to write on this topic. I have had more trouble with viruses in this two-week period than I had in the preceding twelve months. In addition, they were all of different types. None of these viruses were on my computers. They were affecting systems that I happened to be working on when I stumbled across the problem.

I found the first virus when I was trying to teach a client how to e-mail pictures in Outlook Express. Every time I sent an attachment, we received an error indicating that the file could not be sent (MSIMN caused an invalid page fault in module KERNEL32.dll). After spending some time with no success, I quit trying. Then, back in my office, searching for the problem in my TechNet files, I found the answer. It seems that the Happy99 virus is responsible for this error because it is trying to attach itself to all outgoing mail. That is its method of spreading around the world. Using a clean boot floppy and a DOS anti-virus program with updated definitions, we were able to remove all the Happy99 files. After that, we had no problem sending attachments. In this case, the anti-virus software had not been updated since it had been purchased. Luckily, he had no serious virus problems. However, my client and his children had unwittingly exchanged the virus between themselves several times. I hope that with this anti-virus update he, and they, can break the chain.

The next virus was a "worm" type that used the Windows Scripting Host. In this case, every time the system was booted, the screen had an open window entitled "C:\Windows\Start Menu\Programs\Startup\Kak.hta". This was something I had never seen before. My client insisted it had something to do with the ComCast Cable system he had installed months before. The window started appearing shortly after that installation. Again, I didn't really do anything at that time about this window. It was only as a result of a comment by our astute editor (Thanks, Gary), that I started checking on the origin of "Kak.hta". Again, in the TechNet files, I found references to the Wscript/Kak.worm virus. I was able to remove this "worm" by using the floppy anti-virus software I mentioned earlier.

In this case, the virus spreads via e-mail using a "hole" in Outlook Express. Microsoft has published a patch for Outlook Express that now prevents this from happening <www.microsoft.com/technet/security/bulletin/ms99-032.asp>. Symantec has also published a small program, noscript <www.symantec.com/avcenter>, which keeps Windows Scripting from running. Using this program, you can turn scripting either on or off. The "KAK" worm attaches itself to outgoing e-mail as a signature, not as an attachment. When the recipient is using Outlook Express, the worm is automatically activated, even if you don't read the message. So you end up with it on your computer. If you haven't updated Outlook Express with the recent patches, I strongly urge you to do so. Running noscript is also a useful preventative measure.

The third virus was really far more destructive than either of the previous viruses. In this case, I was dealing with a three-computer home network. There had been some slow-down of the computers, and the server had just started recording an error message related to the anti-virus software. We removed and reinstalled the AV software, and the message immediately recurred after rebooting the computer. The next step was to download the latest updates to the AV software. We installed it and again re-booted the server. During the process of loading Windows, the AV software came up with a virus warning. At the same time, an error message stated that Explorer was corrupt and we needed to reinstall Windows. The AV software message indicated that the virus was "W32.funlove.4099". We started to remove the virus after doing a clean boot with a floppy and using the same anti-virus software that worked in the previous cases.

I also downloaded more information about this particular virus. It seems the W32.funlove.4099 virus infects EXE, OCX and SCR files. That is, all executable programs, ActiveX files, and screensaver files. It is active in RAM and can infect files that have NOT been run. It will also spread itself across any available network without any action on the part of the user. So where did it come from? The server was networked to two other machines, but it was also part of the ComCast network. The two local machines were probably infected from the server because it was the first one to exhibit the error message. So all we can speculate is that somehow the virus was transmitted over the external network. Since the server in this case did not have updated AV software, the virus was not caught immediately. In addition, the firewall software had not been installed. If it had been, that might have blocked the entrance of the virus.

The problem was, we now had three computers on which every EXE, OCX and SCR file was infected. That meant there were literally hundreds of files that had to be repaired (492 on the server) and one file, flcss.exe, which had to be deleted. The software had to scan every file on the hard disk, not just applications. That all added up to thousands of files (28,992 on the server). After several hours of swapping floppy disks, I set up a Zip drive with the AV program and the updated definitions. Even with that system it took an additional two hours just to clean the server. You have to be certain that every infected file is repaired, as it only takes one to re-infect all the files.
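The FunLove cleanup above hinges on finding every infected EXE, OCX and SCR file, since one missed file re-infects the rest. As an added example (not from the article), here is a small Python integrity check that records a baseline hash of every file with those extensions and reports which were modified, added or removed afterwards; the directory, file contents and the dropped file name are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the article says W32.funlove.4099 infects.
INFECTABLE = {".exe", ".ocx", ".scr"}


def baseline(root):
    """Return {relative_path: sha256} for every infectable file under root."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in INFECTABLE:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[str(path.relative_to(root))] = digest
    return snap


def compare(before, after):
    """Return sorted lists of modified, added and removed files between two baselines."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return modified, added, removed


def demo():
    """Constructed scenario: take a baseline, then mimic what a file infector leaves behind."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "app").mkdir()
        (r / "app" / "tool.exe").write_bytes(b"MZ-constructed-sample-1")
        (r / "app" / "ctl.ocx").write_bytes(b"MZ-constructed-sample-2")
        (r / "readme.txt").write_bytes(b"not an infectable extension, never hashed")
        before = baseline(root)
        # Mimic the infection: one executable grows, and a new one is dropped
        # (placeholder name; the article's own dropped file was flcss.exe).
        with open(r / "app" / "tool.exe", "ab") as f:
            f.write(b"\x00appended-code")
        (r / "dropped.exe").write_bytes(b"MZ-constructed-dropped")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

A baseline taken while the disk is known clean, then re-run after cleanup, answers the "did we get every one" question the article raises without rescanning by hand.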

The alternative to repairing the files was to boot each computer with a clean floppy, partition all the drives and reformat the system. Then all the software and data files would have to be re-installed. That is a rather labor-intensive process. Once the Zip drive was set up, the repair process did not require any further intervention until it was completed.

So what do we learn from all this? First, that it is absolutely essential to keep your anti-virus software updated frequently. That is the only way you can prevent most problems. However, also remember that the virus writers are always a step ahead of the anti-virus writers. You can still become infected even if you do update your virus definitions weekly or bi-weekly. Since many viruses are similar in structure and action, the software MAY catch them before the complete definition is available in an update. Second, I can't overemphasize the importance of having a clean bootable floppy and an anti-virus setup on clean floppies. Remember, in this case the anti-virus software on the hard disk had been corrupted and could not prevent further contamination. Safe computing requires that constant attention be paid to your computer and its software. You must be prepared for disaster.

*Dr. Lewis, a former university & medical school professor, is a computer consultant doing instruction, hardware/software services and system upgrades.

He is available to help you with your home or business computer problems. He does make house calls and can be reached via e-mail at klewis@hotmail.com or voice mail at 941/925-3047.


Copyright 2000. This article is from the October 2000 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL 34277-1889. Permission to reprint is granted only to other non-profit computer user groups, provided proper credit is given to the author and our publication. We would appreciate receiving a copy of the publication the reprint appears in; please send it to the above address, Attn: Editor. For further information about our group, e-mail: admin@spcug.org / Web: http://www.spcug.org/

The Sarasota Personal Computer Users Group, Inc. has 1,600+ members and was established in 1982. We are members of the Assoc. of PC User Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are members of the America Online Ambassador Program.

See http://www.spcug.org for all reviews from the Sarasota PC Monitor; go to the Newsletter Section.