TicklingDuo
3rd Level Yellow Feather
- Joined
- Oct 23, 2001
- Messages
- 3,733
- Points
- 0
As I posted last evening, we have again been infected by the virus that's going around. I'm about to wipe my system again. But, before I did, I went through and did some exploring, both of security sites and my own system. I thought I'd share what I discovered so that others may benefit from it and help prevent infection of other systems.
What we've learned about the virus....
1) It morphs (changes itself) to avoid detection by antivirus software. Our scan comes up clean. Yet, we can see that it's there doing damage, updating itself and sending itself out.
2) It mails itself out to people in your addres book. This can either show up as being from you or from someone else in your address book.
3) It can change your firewall settings. We had everything blocked and it no longer is. Access was reopened to those programs that it morphed into.
4) It creates duplicates of exe programs and uses them to update and spread itself...(IE, RealPlayer, Microsoft Word, etc.).
5) It attaches itself at random to files being sent via e-mail and FTP (including forwarded mail).
6) It reopens or creates new ports to use as a backdoor for internet access.
I'm sure there is much more we'll find out about this damned thing. But, that's what we've learned so far...after having been infected 4 times now!
Here are some safeguards that are recommended to help stem the spread of the virus...
1) Eliminate your active addres book. Save your necessary addresses to a text file from which you can get them when you need them. It's an inconvenience, but keeps it from spreading through you to your online contacts.
2) Do not upload or e-mail files to others unless you absolutely have to. If you really have to send a file out, note the exact size of the file in the description or within the test of the e-mail and instruct the recipient to not open it unless the size matches what's shown.
3) Even if an e-mail appears to be from someone you know, don't open any files unless you know they sent it to you. Set the e-mail aside and check first if you aren't sure.
4) Come up with a "code" that can be put in the subject line of all e-mails you send out. For example...put "!" in front of the subject. Then, let everyone you send mail to know to delete (without opening) any mail from you that does not have that code in it. The simple act of opening the e-mail can release this virus into your system with no outward appearance of anything being wrong.
5) Eliminate the remote access option on your system. This can be used by the virus to access your computer from outside OR access other computers from your own system.
6) For site owners - Check your sites on a regular basis to be sure that a file hasn't been changed since you put it up.
7) For those with firewalls (hopefully everyone) re-check your settings daily to be sure they haven't been changed to lower your defenses. Disable all unused ports and keep watch for new ones showing up. (maiking a note of which programs use which ports by default will aid in this.)
BTW....the only way to get this damned thing off your system is to wipe and reformat your harddrive. The security systems haven't come up with anything to fix it yet because of the fact that it morphs. So, if you think you're infected, wipe and reformat.
(As Venray has now posted below, symantec fiinally came up with a possible fix for this thing. So, wiping may now prove unnecessary. See his link for more info.)
OK, that's it for now. I hope this information helps. If we all pay attention and use the safeguards, maybe we'll finally beat this stupid thing!
Ann
What we've learned about the virus....
1) It morphs (changes itself) to avoid detection by antivirus software. Our scan comes up clean. Yet, we can see that it's there doing damage, updating itself and sending itself out.
2) It mails itself out to people in your addres book. This can either show up as being from you or from someone else in your address book.
3) It can change your firewall settings. We had everything blocked and it no longer is. Access was reopened to those programs that it morphed into.
4) It creates duplicates of exe programs and uses them to update and spread itself...(IE, RealPlayer, Microsoft Word, etc.).
5) It attaches itself at random to files being sent via e-mail and FTP (including forwarded mail).
6) It reopens or creates new ports to use as a backdoor for internet access.
I'm sure there is much more we'll find out about this damned thing. But, that's what we've learned so far...after having been infected 4 times now!
Here are some safeguards that are recommended to help stem the spread of the virus...
1) Eliminate your active addres book. Save your necessary addresses to a text file from which you can get them when you need them. It's an inconvenience, but keeps it from spreading through you to your online contacts.
2) Do not upload or e-mail files to others unless you absolutely have to. If you really have to send a file out, note the exact size of the file in the description or within the test of the e-mail and instruct the recipient to not open it unless the size matches what's shown.
3) Even if an e-mail appears to be from someone you know, don't open any files unless you know they sent it to you. Set the e-mail aside and check first if you aren't sure.
4) Come up with a "code" that can be put in the subject line of all e-mails you send out. For example...put "!" in front of the subject. Then, let everyone you send mail to know to delete (without opening) any mail from you that does not have that code in it. The simple act of opening the e-mail can release this virus into your system with no outward appearance of anything being wrong.
5) Eliminate the remote access option on your system. This can be used by the virus to access your computer from outside OR access other computers from your own system.
6) For site owners - Check your sites on a regular basis to be sure that a file hasn't been changed since you put it up.
7) For those with firewalls (hopefully everyone) re-check your settings daily to be sure they haven't been changed to lower your defenses. Disable all unused ports and keep watch for new ones showing up. (maiking a note of which programs use which ports by default will aid in this.)
BTW....the only way to get this damned thing off your system is to wipe and reformat your harddrive. The security systems haven't come up with anything to fix it yet because of the fact that it morphs. So, if you think you're infected, wipe and reformat.
(As Venray has now posted below, symantec fiinally came up with a possible fix for this thing. So, wiping may now prove unnecessary. See his link for more info.)
OK, that's it for now. I hope this information helps. If we all pay attention and use the safeguards, maybe we'll finally beat this stupid thing!
Ann
Last edited:
