A computer virus is an executable file that can harm the contents of your hard drive and prevent you from performing common tasks on your computer.

HOW ARE COMPUTER VIRUSES TRANSMITTED?

Most computer viruses are sent through e-mail. This is how most viruses are spread to thousands of users in just a few days. Once you have the virus, every e-mail that you send will be carrying the virus... All of your friends catch it from you, then their friends catch it from them, and so on.


Information on a common email hoax that is going around:

SULFNBK.EXE Warning

This particular email message is a hoax. The file that is mentioned in the hoax, however, Sulfnbk.exe, is a Microsoft Windows utility that is used to restore long file names, and like any .exe file, it can be infected by a virus that targets .exe files. The virus/worm W32.Magistr.24876@mm can arrive as an attachment named Sulfnbk.exe. The Sulfnbk.exe file used by Windows is located in the C:\Windows\Command folder. If the file is located in any other folder, or arrives as an attachment to a email message, then it is possible that the file is infected. In this case, if a scan with the latest virus definitions and with NAV set to scan all files does not detect the file as being infected, quarantine and submit the file to SARC for analysis by following the instructions in the document How to submit a file to SARC using Scan and Deliver.

If you have deleted the Sulfnbk.exe file from the C:\Windows\Command folder and want to know how to restore the file, you should contact your computer manufacturer or Microsoft for assistance. As an alternative, If you are running Windows 98 or Windows Me, see the document How to extract files in Safe Mode under Windows 98 or Windows Millennium. NOTE: The instructions in this document are provided for your convenience. The extraction of Windows files uses Microsoft programs and commands. Symantec does not provide warranty support for or assistance with Microsoft products


Information on a few of the most common viruses going around:

W32/Nimda@MM

W32/Nimda@MM is a HIGH RISK virus that can infect all unprotected home users and business users of Win9x/NT/2000/ME. W32/Nimda@MM spreads via email, via shared drivers, folders or files, and via infected HTM/L (Web) pages. In addition, it will look for IIS servers to infect via the Microsoft Web Folder Transversal vulnerability vulnerability (also used by W32/CodeBlue).

It is possible to activate the virus by viewing an infected email message within the Microsoft Outlook preview pane.

The email attachment varies and may use the icon for an Internet Explorer HTML document.

Its main goal is simply to spread over the Internet and Intranet, infecting as many users as possible and creating so much traffic that networks are virtually unusable. It may also take up a large amount of space on your hard drive.

It will attempt to spread itself as follows:

  • The email messages created by the worm contain an attachment that can be executed even if the user does not open it and without the user's knowledge.

  • It infects HTML documents. When the infected documents are accessed (locally or remotely), the machine viewing the page is infected.

  • When the virus finds an open share, it copies itself to each folder on the drive in .EML format. This can include the START UP folder.

  • The worm scans IP addresses looking for IIS servers to infect via the Web Folder Transversal vulnerability.

  • It tries to use the backdoor created by W32/CodeRed.c to infect.

  • It adds worm code to .EXE files.

  • Email addresses are gathered by extracting the email addresses from MAPI messages in Microsoft Outlook and Microsoft Outlook Express, as well as from HTM and HMTL documents.
Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.

TROJ_Sircam.A

TORJ_Sircam.A is a HIGH RISK virus that attempts to send itself and local documents to all users found in the Windows Address Book and email addresses found in temporary Internet cached files (web browser cache).
It may be received in an email message containing the following information:

Subject: [filename (random)]
Body: Hi! How are you?

I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for

See you later. Thanks

--- the same message may be received in Spanish ---

Hola como estas ?

Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste

Nos vemos pronto, gracias.

--- end message ---

Although other message body possibilities are present in the virus, these aren't actually being generated frequently.

Attached will be a document with a double extension (the filename varies). The first extension will be the file type which was prepended by the virus. When run, the document will be saved to the C:\RECYCLED folder and then opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder to conceal its presence and create the following registry key value to load itself whenever .EXE files are executed:

HKEY_CLASSES_ROOT\exefile\shell\open\command \Default="C:\recycled\SirC32.exe" "%1" %*

As the RECYCLE BIN is often on the exclusion list, check your settings to insure that this directory IS being scanned.

It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and creates the following registry key value to load itself automatically:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. Email addresses are gathered from the Windows Address Book and temporary Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd character of the name appears to be random) in the SYSTEM directory.

The worm prepends a copy of the files that are named in the SCD.DLL file and attaches this copy to the email messages that it sends via a built in for communicating directly with a SMTP server, using one of the following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names having double-extensions.

The program creates a registry key to store variables for itself (such as a run count, and SMTP information): HKEY_LOCAL_MACHINE\Software\Sircam

The virus may also infect other systems by using open network shares. On remote systems the file \windows\rundll32.exe may get replaced with a viral copy, while the valid RUNDLL32.EXE file is renamed to RUN32.EXE. On those systems, the AUTOEXEC.BAT file may be appended with the line: @win \recycled\sirc32.exe. Aside from e-mail overloading, it may delete files and/or fill up harddisk space by adding text entries over & over again to a sircam recycle bin file.

Indications Of Infection:

- Presence of SCam32.exe in the WINDOWS SYSTEM directory
- Presence of Run32.exe in the WINDOWS directory

Method Of Infection:

This virus sends itself, as an executable, to email recipients found in the Windows Address Book and addresses found in cached files. This executable is appended with a document, if one is found, in the MY DOCUMENTS folder. The mailing routine talks SMTP to a server and will use the server address found in infected executables. This address is presumably captured from the victim's machine which sent the virus to you. If that server is not in operation, or if relaying is not permitted, the virus attempts to use each of these three servers in succession, stopping when the first successful send occurs.

doubleclick.com.mx

enlace.net

goeke.net


W97M.Melissa.W

W97M.Melissa.W is a Word 97 macro virus. The subject of the email message is: Important Message From <your name>. This worm is functionally identical to the original W97M.Melissa.A worm that was discovered in 1999. 97M.Melissa.W is a typical macro virus, which has an unusual payload. When you open an infected document, the virus attempts to email a copy of the document to up to 50 other people using Microsoft Outlook. The macro disables the Macro item on the Tools menu in Microsoft Word. It infects Microsoft Word 97 and Microsoft Word 2000 documents by adding a new VBA5 (macro) module named Melissa. Although there is nothing unique in the infection routine of this macro virus, it has a payload that uses Microsoft Outlook to send an attachment, which is the infected document that is being opened. For more information on this virus goto http://service1.symantec.com/sarc/sarc.nsf/html/W97M.Melissa.W.html




W32.Navidad

W32.Navidad is a mass-mailing worm program. The worm replies to all Microsoft Outlook Inbox messages that contain a single attachment. The worm utilizes the existing email subject line and body, and attaches itself as Navidad.exe. Due to bugs in the code, after being executed, the worm causes your system to stop functioning correctly.
http://www.symantec.com/avcenter/venc/data/w32.navidad.fix.html

 


"Snow White"

Snow White Virus is a HIGH RISK virus that can infect all unprotected home users and business users of Win9x/NT/2000/ME. Believe it or not, there are certain steps that you can take to prevent yourself from getting the Hahaha/Snow White/Hybris virus from an email source. Because the virus always comes from the same email address (Hahaha@sexyfun.net), creating a simple mail filter in your email program will rid yourself from ever getting the Hahaha virus through email. Here's how:

Netscape 4.7 uses:

1. Bring up the Netscape Messenger (mail program)
2. In the top menu, click on EDIT, and then MESSAGE FILTERS
3. When the "Message Filters" window appears, click on the "NEW" button to the right
4. Using the picture below, fill in the blanks accordingly

5. When you are done typing, press the "OK" button, and then the "OK" button again. The mail filter will be activated and any Hahaha virus emails will be automatically deleted the next time you receive one.

Outlook Express users:
1. Bring up the Outlook Express mail program
2. In the top menu, click on TOOLS, then MESSAGE RULES, and then MAIL
3. When the "Message Rules" window comes up, look to the right and click on the "NEW" button.
4. Using the pictures below, fill in the blanks accordingly, checking the boxes in the diagram:

5. After checking the boxes as listed above, click the "contains people" phrase in blue
6. When the "Select People" window comes up, (1.) type " Hahaha@sexyfun.net " in the first box, (2.) then click "ADD", and (3.) then click "OK" as the picture below dictates


7. When you get back to the "New Mail Rule" window, type "Hahaha virus filter" in the "4. Name of the rule:" box, as below:



8. When you get back to the "Message Rules" window, press the "OK" button. The mail filter will be activated and any Hahaha virus emails will be automatically deleted the next time you receive one.


One of the more current and advanced viruses is sent through email with the return address listed as Hahaha@sexyfun.net. The "Snow White" virus, also known as the "W95.Hybris.gen" virus, may not initially be noticable on your system, but in time it can cause some serious damage. Once the dwarf4you.exe program is launched, it attaches itself to numerous important system files. The attachment may also have one of several different names, including, but not limited to:


anpo porn(.scr
atchim.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr.


The safest way to rid yourself, so far, from this virus is to use a virus removal tool from Symantec

Click here to download this tool : fixhybf.zip

After downloading fixhybf.zip, double-click on the icon. You will be presented with a dialogue box asking you to specify where you wish to unzip the tool. Choose a location. It is best to save directly to your drive C:/ . After unzipping the file, reboot into DOS mode by clicking on START, then SHUTDOWN, and then choosing to RESTART IN MS_DOS MODE, change to the directory where you unzipped fixhybf.zip and type the following at the command line prompt. For example, if you saved it to your C:/ drive:

at the "C:/Windows" prompt, type in cd..
then at the "C:/ " prompt type in fixhybf /a
then at the "C:/ " prompt, type in fixhybf c:

NOTE: typing the "fixhybf /a" will search all disk drives except the floppy disk or A:/ drive, finding and fixing the corrupted files. Typing "fixhybf c:" will only search the C: drive, finding and fixing the corrupted files.


If you have any further questions about the Hybris virus, visit this page : Hybris virus

The virus-removal tool and hybris information is provided by www.symantec.com

 

KakWorm, WScript
WScript.KakWorm.B spreads using Microsoft Outlook Express. It attaches itself to all outgoing messages via the Signature feature of Outlook Express. Once this virus is placed on the system it will spread itself to others and will shut windows down on the 1st of every month at 5:00 p.m. For more information on this Virus go to: http://www.symantec.com/avcenter/venc/data/wscript.kakworm.b.html

Happy 99 Worm
HAPPY99.EXE is a worm program, not a virus. The file is usually named HAPPY99.EXE and appears as an attachment to an email or article. When executed, the program opens a window entitled "Happy New Year 1999 !!" and shows a fireworks display to disguise its other actions. For more information or how to remove Happy 99 go to http://www.symantec.com/avcenter/venc/data/happy99.worm.html

More in-depth information on virus protection can be found in our FAQ. Click here to check it out


Other Warnings

Virus Alert
W32/Nimda@MM
is a High Risk virus
Home Users: Get Protection Now
Business Users: Get Protection Now
VirusScan Online Users: Scan Now
Retail VirusScan Users: DAT File
Virus Alert
W32/SirCam@MM
is a High Risk virus
New Users: Get Protection Now
VirusScan Online Users: Scan Now
Retail VirusScan Users: DAT File

Security Notice
"Code Red"
is an Internet Worm.
Click here for more info.


Porn sites are taking unwitting Internet surfers on an expensive ride — to the African nation of Chad. Subscribers have been complaining about “free” porn Web sites that make their money by disconnecting Net users’ phones and reconnecting them to an Internet provider in Africa at up to $7.31 a minute. The scam is apparently legal, because the sites have small-type disclaimers warning that porn-hungry viewers may be rerouted for a fee. But few people bother to read the disclaimers. The users are tricked into download a “dialer” program that, when launched, redirects their Internet connection in exchange for viewing the ‘free’ porn.

Copyright © 1996 - 2004 WEBBWORKS, INC.  All rights reserved. 
WEBBWORKS.COM™ and the WEBBWORKS.COM™ Logo
are Trademarks of WEBBWORKS, INC. Company
(509) 545-9706 - 4006 Desert Drive, Pasco, WA.  99301-9405

Copyright 1996 - 2004 Webbworks, Inc. All Rights Reserved.