Sarasota PC Monitor


Tech Talk (01/02)

Is your computer really safe?

by Brian K. Lewis, Ph.D.*
Member of the Sarasota Personal Computer Users Group, Inc.

Protecting your computer from Internet and email intruders is getting more difficult all the time. The latest case in point is the Goner.A worm and the BadTrans worm. These two virus/worms are rapidly making their way around the Internet and can create havoc without your reading or opening your email. In addition, if you are using WinMe, WinXP, or GoBack, removal of these worms, or other viruses, can require that you turn off these processes. That, of course, causes you to lose all of the restore points that have been set up. More on this later.

I spent some time this past week cleaning the BadTrans worm off a client's computer. He uses AOL as his Internet provider. Now AOL keeps your email on their computer and supposedly doesn't have the "security holes" that are found in Outlook and Outlook Express. However, this didn't stop the BadTrans worm from transferring itself to my client's computer. It arrived as an attachment named "images.doc.pif". Indeed, it appeared to be a reply to an email that my client had just recently sent. Naturally he highlighted the text of the message, which turned out to be blank. That was enough to automatically activate the worm and it transferred rapidly to his hard disk. Since he doesn't use Outlook Express, the question becomes, how was this worm activated? The answer turns out to be Internet Explorer. All versions of IE 5.XX have a weakness which permits an HTML email to run automatically when the message is displayed. There are patches available from Microsoft to fix this problem, but how many users download security patches or are even aware of them?

Once this BadTrans worm is downloaded it copies itself to a file called "kernel.exe" and then deletes the original file. So if you search for "images.doc.pif" you won't be able to find it. It then modifies the Registry so that "kernel.exe" will run whenever the computer starts. And, this is a hidden command that does not show up in the MsConfig list of startup files. Now comes the really bad part. This worm creates a file called "Kdll.dll" and places it in the Windows\System folder. This file is a keystroke logger, and the logged information is stored in a file called "Cp_25389". It copies any keystrokes associated with words starting with "LOG", "PAS", "REM", etc. that show in the active window. This means that any LOGon names, PASswords, or other security keystrokes are recorded by this logger program. The program also has a timer function that checks the active window once per second and is then activated for 60 seconds if any of the key phrases are found. Finally, every 30 seconds the log file and cached passwords are sent to a list of Internet mail addresses. Do you get the picture? Any keystrokes related to your Internet activities that involve user names and passwords can be captured and sent off to unknown parties. If you do Internet banking or have on-line investment accounts, they can be opened by anyone getting this information in this manner.

The BadTrans worm also emails itself to anyone in your Outlook or Outlook Express address book. It will also email itself as a reply to any unread email. As email comes in, it will rapidly send out copies of itself to the sender as if it were a reply that you generated. Just like Goner.A it sends silently and erases all traces of the sent messages. It uses 16 different attachment names and several different extensions. However, every attachment also has two extensions, not just one. Any attachment with two suffixes should be considered dangerous and should be deleted.
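The "two suffixes" rule above is easy to turn into an attachment-name check. The following is an added example, not code from the column, showing how a mail filter or desktop script could triage attachment names; the extension lists and the sample names are constructed for illustration.

```python
# Final extensions that Windows executes directly when double-clicked.
# .pif (BadTrans) and .scr (Goner.A) are the ones the column discusses;
# the rest are other common executable types (constructed list).
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js", "lnk"}

# Compound extensions that are legitimately two suffixes long and should not
# be flagged by the double-suffix rule alone (constructed allow-list).
BENIGN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}


def split_suffixes(name):
    """Return the lower-cased suffix chain: 'images.doc.pif' -> ['doc', 'pif']."""
    parts = name.strip().split(".")
    if len(parts) < 2:
        return []
    # Strip padding around each piece; whitespace is sometimes used to push
    # the real final suffix out of view in a mail client's attachment list.
    return [p.strip().lower() for p in parts[1:]]


def classify_attachment(name):
    """Classify an attachment name as 'block', 'suspicious' or 'allow'.

    block      - two or more suffixes AND an executable final suffix
    suspicious - any other double suffix, or a bare executable suffix
    allow      - single non-executable suffix, no suffix, or known compound
    """
    suffixes = split_suffixes(name)
    if not suffixes:
        return "allow"
    final = suffixes[-1]
    if len(suffixes) >= 2:
        if final in EXECUTABLE_EXTS:
            return "block"
        if tuple(suffixes[-2:]) in BENIGN_COMPOUND:
            return "allow"
        return "suspicious"
    return "suspicious" if final in EXECUTABLE_EXTS else "allow"


def triage(names):
    """Map each attachment name to its verdict."""
    return {n: classify_attachment(n) for n in names}


# Constructed sample names; the first is the one quoted in the column.
SAMPLE_ATTACHMENTS = ["images.doc.pif", "gone.scr", "report.pdf",
                      "backup.tar.gz", "invoice.txt      .exe", "README"]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:10s} {name!r}")
```

A real filter would apply this to the decoded attachment filename from the MIME headers, not to the display name the mail client shows.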

The Goner.A worm is not quite as dangerous as BadTrans. But it is a very widespread infection and is spread by email. It appears to be a screen-saver that is being sent to you by someone you know. At least they had your address in their address book.

One of the first things this worm does on your computer is to delete any executable files related to your anti-virus software. It also deletes the primary ZoneAlarm file. Once it has found the primary file for your A-V software and/or ZoneAlarm, it also deletes all other files in the same directory. This effectively destroys your firewall and anti-virus software. It also terminates these processes in memory so they are no longer running. That means you lose your protection immediately.

The next thing the worm does is to install a back door that can be used for denial of service attacks. Copies of the worm can also be sent via the IRC channel or through the ICQ channel.

So how do you protect yourself from viruses like these? First and foremost, keep your virus definitions (pattern files) up to date. Too many computers still have the original files from when the computer or the software was purchased. The virus definition files have never been updated. The computer I referred to in the beginning of this article had McAfee software with definition files dated from September 1999. That was why the BadTrans virus slipped through without being caught. Yes, I did insist on updating the software. Actually it turned out to be simpler to download the latest version of PC-Cillin instead of the McAfee. With PC-Cillin, the pattern file updates are automatically checked every 24 hours or when the computer is on-line. To maintain the maximum A-V protection you MUST get updates at least weekly from your anti-virus publisher. They all provide updates over the Internet.

The second line of defense, if you use Outlook, Outlook Express or Internet Explorer, is to install the latest security updates. You should periodically check the Microsoft Website for security bulletins. Go to: www.microsoft.com/technet/default.asp and then click on the Security site for the current listing of patches and updates. The update for Microsoft Explorer has been available since March. Another method is to sign up to receive security bulletins from Microsoft or from your anti-virus company. They all send out notices on new viruses/worms and the fixes that are available.

Now to another problem. If you are running Windows Me you have a "System Restore" built into the program. Your anti-virus program may tell you that one or more files in the Restore\Temp or _Restore\Archive folders are infected with a virus. The files saved by the System Restore application are protected so they can't be changed or deleted. If a virus-infected file is included in a restore point, there are several ways to remove it. Microsoft recommends the "FIFO" (first in, first out) approach. Since the Restore data store is limited in size, it automatically purges the oldest data. When the files reach 90% of the capacity of the data store, the oldest files are deleted to make room for new files. If your data store is more than 200 MB in size, you can reduce it to this value. Then the oldest files will be removed to reduce the total size of the data. However, this may not remove the infected files, as they may be among the newer files. The second option is just to wait until the infected files are automatically purged.

In my opinion, the third option is the more desirable choice. This option is to disable the System Restore feature and reboot the system. This should delete all the data files in the Restore folders. However, I would next do a complete A-V scan to ensure no viral remnants remain. Only after that would I re-enable the System Restore feature. Disabling and re-enabling System Restore is done in the Control Panel by double-clicking the System icon. Then click Performance, File System and Troubleshooting. For more information on System Restore and virus removal see the following web sites:

http://service4.symantec.com/SUPPORT/nav.nsf/pfdocs/2000092513515106

or the Microsoft KnowledgeBase article Q263455 at:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263455

Although Microsoft doesn't have any explicit information on the Windows XP System Restore, I suspect it functions similarly to WinMe. The other questionable application is GoBack. If you receive any virus warnings related to files saved by GoBack, you may have to follow the disable option to remove the infected files. I would suggest that anyone using GoBack should check this out before a problem occurs. I was not able to find any relevant information on Roxio's Website. Remember, if the back-up files are infected, a restore to an earlier time won't solve your problem.

With the ability of viruses and worms to auto-run when they show up in your email, it becomes even more important to stay up to date. You should also ensure that you have a set of floppy disks, sometimes called rescue disks. These allow you to clean-boot your system from a floppy and to run your A-V software from the floppy disks. Remember, the virus makers are always one step ahead of the anti-virus producers and Microsoft. Even after you take all the possible precautions, you can still get caught. So try to keep all your tools up to date.

*Dr. Lewis is a former University and Medical School professor. He has more than 20 years of experience working with personal computer hardware and software. He can be reached via e-mail at brian_klewis@hotmail.com or voice mail at 941-925-3047.


Copyright 2002. This article is from the January 2002 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL 34277-1889. Permission to reprint is granted only to other non-profit computer user groups, provided proper credit is given to the author and our publication. We would appreciate receiving a copy of the publication the reprint appears in, please send to above address, Attn: Editor. For further information about our group, email: admin@spcug.org/ Web: http://www.spcug.org/

The Sarasota Personal Computer Users Group, Inc. has 1,300+ members and was established in 1982. We are members of the Assoc. of PC User Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are members of the America Online Ambassador Program.