A computer virus is an executable file that can harm the contents of your hard drive and prevent you from performing common tasks on your computer.
HOW ARE COMPUTER VIRUSES TRANSMITTED?
Most computer viruses are sent through e-mail. This is how most viruses are spread to thousands of users in just a few days. Once you have the virus, every e-mail that you send will be carrying the virus... All of your friends catch it from you, then their friends catch it from them, and so on.
Here's some information on a few of the most common viruses going around:
W32.erkez
There is a virus circulating the Internet right now called W32.erkez. If you notice that you are getting lots of returned messages and are not intentionally sending these messages out, you might have the W32.erkez virus. If your anti-virus software (e.g. Norton or McAfee) is not running properly and is giving you errors, you might have the virus.
If you only suspect that your computer is infected with this virus, you may run the removal tool. It will not harm your computer in any way.
Download this removal tool here. Save it to your desktop and run it. Let it scan your system and it should clear up any infections.
--------------------------------------------------------------------------------
W32.Gaobot.AFW
W32.Gaobot.AFW is a worm that spreads through open network shares and several Windows vulnerabilities. The worm also spreads through backdoors installed by the Beagle and Mydoom worms, and the Optix family of backdoors. The worm also has the ability to act as a backdoor server program and attack other systems. Additionally, the worm attempts to kill the processes of many anti-virus and security applications.
Click here for more info and removal instructions
--------------------------------------------------------------------------------
W32.Blaster.Worm
W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp) using TCP port 135. This worm will attempt to download and run the Msblast.exe file.
Removal Tool link:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
--------------------------------------------------------------------------------
KLEZ
http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
This powerful virus targets and disables virus scanning software, among other things. Click the link below for more information, including ways to protect yourself from KLEZ, or uninstall it if you have already been infected.
--------------------------------------------------------------------------------
'Vote' worm
TROJ_VOTE.A is currently spreading in-the-wild. This destructive, mass-mailing Trojan was created using Visual Basic 5. It propagates via Microsoft Outlook by sending emails to all addresses listed in an infected user’s address book. It arrives in an email with the following:
Subject: Fwd:Peace BeTween AmeriCa And IsLam !
Message Body: Hi!
iS iT A waR Against AmeriCa Or IsLam!
Let’s Vote To Live in Peace!
Attachment: WTC.EXE
TROJ_VOTE.A deletes certain antivirus products installed in a system and drops the files WTC.exe, MixDaLaL.vbs, and Zacker.vbs. It also modifies the infected user’s Internet Explorer startup page, and formats the infected user’s drive c:\.
It parses drives and directories in search of HTM and HTML files and overwrites them with the following string:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You.
This program requires that the Visual Basic Runtime Library MSVBVM50.DLL is installed in order to execute.
--------------------------------------------------------------------------------
W32.Sircam.Worm@mm
This worm arrives as an email message with the following content:
Subject: The subject of the email will be random, and will be the same as the file name of the email attachment.
Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
Message: The message body will be semi-random, but will always contain one of the following two lines as the first and last sentences of the message.
First line: Hi! How are you?
Last line: See you later. Thanks
Between these two sentences, some of the following text may appear:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
Name of attachment: A file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to it.
W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.
Due to what appears to be a bug, this worm does not replicate under Windows NT or 2000.
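The message traits listed above can be checked mechanically at a mail gateway or during mailbox triage. The following Python sketch is an added example, not part of the original page or a Symantec tool; the function names and indicator labels are hypothetical, and it assumes the subject matches the attachment name with or without its extensions.

```python
import email
import os
from email import policy
from email.message import EmailMessage

ADDED_EXTS = {".bat", ".com", ".lnk", ".pif"}   # extensions the page lists
FIRST_LINE = "Hi! How are you?"
LAST_LINE = "See you later. Thanks"

def sircam_indicators(raw: bytes) -> list:
    """Return the Sircam traits (as described on this page) found in one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Trait 1: fixed first and last sentences around a semi-random middle.
    if len(lines) >= 2 and lines[0] == FIRST_LINE and lines[-1] == LAST_LINE:
        hits.append("body-framing")
    subject = str(msg.get("Subject", "")).strip().lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        original, added_ext = os.path.splitext(name)
        if added_ext not in ADDED_EXTS:
            continue
        # Trait 2: a document name with an executable extension appended.
        if os.path.splitext(original)[1]:
            hits.append("added-executable-extension")
        # Trait 3: subject equals the attachment's file name (assumed forms).
        if subject and subject in {name, original, os.path.splitext(original)[0]}:
            hits.append("subject-matches-attachment")
    return hits

def build_message(subject: str, body: str, filename: str) -> bytes:
    """Construct a sample message; all values passed in are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)

if __name__ == "__main__":
    sample = build_message(
        "Budget",
        "Hi! How are you?\nI send you this file in order to have your advice\n"
        "See you later. Thanks\n",
        "Budget.xls.pif")
    print(sircam_indicators(sample))
```

A message that shows all three traits is a strong candidate for quarantine; a single trait on its own, such as a .com attachment, is weak evidence.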
Removal instructions:
SARC has created a tool to remove this worm.
CAUTION:
In some cases, if you have had NAV quarantine or delete infected files, you will not be able to run .exe files; however, you will still be able to run the removal tool.
If you are using Windows Me, and a copy of the worm is detected in the _Restore folder when running the tool, the tool cannot remove it from that folder, as it is protected by Windows. See the document Cannot repair, quarantine, or delete a virus found in the _RESTORE folder, and then run the tool again.
If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before reconnecting computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.
CAUTION:
Do not skip this step. You must disconnect from the network before attempting to remove this worm.
To obtain the W32.Sircam.Worm@mm removal tool, please click here.
--------------------------------------------------------------------------------
W97M.Melissa.W
W97M.Melissa.W is a Word 97 macro virus. The subject of the email message is: Important Message From <your name>. This worm is functionally identical to the original W97M.Melissa.A worm that was discovered in 1999. W97M.Melissa.W is a typical macro virus, which has an unusual payload. When you open an infected document, the virus attempts to email a copy of the document to up to 50 other people using Microsoft Outlook. The macro disables the Macro item on the Tools menu in Microsoft Word. It infects Microsoft Word 97 and Microsoft Word 2000 documents by adding a new VBA5 (macro) module named Melissa. Although there is nothing unique in the infection routine of this macro virus, it has a payload that uses Microsoft Outlook to send an attachment, which is the infected document that is being opened. For more information on this virus go to http://service1.symantec.com/sarc/sarc.nsf/html/W97M.Melissa.W.html
--------------------------------------------------------------------------------
W32.Navidad
W32.Navidad is a mass-mailing worm program. The worm replies to all Microsoft Outlook Inbox messages that contain a single attachment. The worm utilizes the existing email subject line and body, and attaches itself as Navidad.exe. Due to bugs in the code, after being executed, the worm causes your system to stop functioning correctly.
http://www.symantec.com/avcenter/venc/data/w32.navidad.fix.html
--------------------------------------------------------------------------------
"Snow White"
Believe it or not, there are certain steps that you can take to prevent yourself from getting the Hahaha/Snow White/Hybris virus from an email source. Because the virus always comes from the same email address (Hahaha@sexyfun.net), creating a simple mail filter in your email program will keep you from ever getting the Hahaha virus through email. Here's how:
Netscape 4.7 users:
1. Bring up the Netscape Messenger (mail program)
2. In the top menu, click on EDIT, and then MESSAGE FILTERS
3. When the "Message Filters" window appears, click on the "NEW" button to the right
4. Using the picture below, fill in the blanks accordingly
5. When you are done typing, press the "OK" button, and then the "OK" button again. The mail filter will be activated and any Hahaha virus emails will be automatically deleted the next time you receive one.
Outlook Express users:
1. Bring up the Outlook Express mail program
2. In the top menu, click on TOOLS, then MESSAGE RULES, and then MAIL
3. When the "Message Rules" window comes up, look to the right and click on the "NEW" button.
4. Using the pictures below, fill in the blanks accordingly, checking the boxes in the diagram:
5. After checking the boxes as listed above, click the "contains people" phrase in blue
6. When the "Select People" window comes up, (1.) type "Hahaha@sexyfun.net" in the first box, (2.) then click "ADD", and (3.) then click "OK" as the picture below dictates
7. When you get back to the "New Mail Rule" window, type "Hahaha virus filter" in the "4. Name of the rule:" box, as below:
8. When you get back to the "Message Rules" window, press the "OK" button. The mail filter will be activated and any Hahaha virus emails will be automatically deleted the next time you receive one.
One of the more current and advanced viruses is sent through email with the return address listed as Hahaha@sexyfun.net. The "Snow White" virus, also known as the "W95.Hybris.gen" virus, may not initially be noticeable on your system, but in time it can cause some serious damage. Once the dwarf4you.exe program is launched, it attaches itself to numerous important system files. The attachment may also have one of several different names, including, but not limited to:
anpo porn(.scr
atchim.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr
The safest way, so far, to rid yourself of this virus is to use a virus removal tool from Symantec.
Click here to download this tool : fixhybf.zip
After downloading fixhybf.zip, double-click on the icon. You will be presented with a dialogue box asking you to specify where you wish to unzip the tool. Choose a location. It is best to save directly to your drive C:/
After unzipping the file, reboot into DOS mode by clicking on START, then SHUTDOWN, and then choosing to RESTART IN MS_DOS MODE. Change to the directory where you unzipped fixhybf.zip and type the following at the command line prompt. For example, if you saved it to your C:/ drive:
at the "C:/Windows" prompt, type in cd..
then at the "C:/ " prompt type in fixhybf /a
then at the "C:/ " prompt, type in fixhybf c:
NOTE: typing "fixhybf /a" will search all disk drives except the floppy disk or A:/ drive, finding and fixing the corrupted files. Typing "fixhybf c:" will only search the C: drive, finding and fixing the corrupted files.
If you have any further questions about the Hybris virus, visit this page : Hybris virus
The virus-removal tool and Hybris information are provided by www.symantec.com
--------------------------------------------------------------------------------
KakWorm, WScript
WScript.KakWorm.B spreads using Microsoft Outlook Express. It attaches itself to all outgoing messages via the Signature feature of Outlook Express. Once this virus is placed on the system it will spread itself to others and will shut Windows down on the 1st of every month at 5:00 p.m. For more information on this virus go to: http://www.symantec.com/avcenter/venc/data/wscript.kakworm.b.html
--------------------------------------------------------------------------------
Happy 99 Worm
HAPPY99.EXE is a worm program, not a virus. The file is usually named HAPPY99.EXE and appears as an attachment to an email or article. When executed, the program opens a window entitled "Happy New Year 1999 !!" and shows a fireworks display to disguise its other actions. For more information or how to remove Happy 99 go to http://www.symantec.com/avcenter/venc/data/happy99.worm.html
More in-depth information on virus protection can be found in our FAQ. Click here to check it out
--------------------------------------------------------------------------------
Other Warnings
Porn sites are taking unwitting Internet surfers on an expensive ride — to the African nation of Chad. Subscribers have been complaining about “free” porn Web sites that make their money by disconnecting Net users’ phones and reconnecting them to an Internet provider in Africa at up to $7.31 a minute. The scam is apparently legal, because the sites have small-type disclaimers warning that porn-hungry viewers may be rerouted for a fee. But few people bother to read the disclaimers. The users are tricked into downloading a “dialer” program that, when launched, redirects their Internet connection in exchange for viewing the ‘free’ porn.
Here's some information on a common email hoax that is going around:
--------------------------------------------------------------------------------
SULFNBK.EXE Warning
This particular email message is a hoax. The file that is mentioned in the hoax, however, Sulfnbk.exe, is a Microsoft Windows utility that is used to restore long file names, and like any .exe file, it can be infected by a virus that targets .exe files. The virus/worm W32.Magistr.24876@mm can arrive as an attachment named Sulfnbk.exe. The Sulfnbk.exe file used by Windows is located in the C:\Windows\Command folder. If the file is located in any other folder, or arrives as an attachment to an email message, then it is possible that the file is infected. In this case, if a scan with the latest virus definitions and with NAV set to scan all files does not detect the file as being infected, quarantine and submit the file to SARC for analysis by following the instructions in the document How to submit a file to SARC using Scan and Deliver.
If you have deleted the Sulfnbk.exe file from the C:\Windows\Command folder and want to know how to restore the file, you should contact your computer manufacturer or Microsoft for assistance. As an alternative, if you are running Windows 98 or Windows Me, see the document How to extract files in Safe Mode under Windows 98 or Windows Millennium. NOTE: The instructions in this document are provided for your convenience. The extraction of Windows files uses Microsoft programs and commands. Symantec does not provide warranty support for or assistance with Microsoft products.