IMPORTANT! If you have one or more Netgear routers with a model number RP614, RP614v2, DG814, MR814 or HR314 then it is very important that you update the firmware in your router. You could be one of the more than half-million Netgear router users who, because of the default firmware in the router, are causing problems for the University of Wisconsin. Links to details and upgrade sources are available on my page, netgear-error.html.
English: Safe Hex - Safe Computing Tips
Français: Conseils "Safe Hex"
Deutsch: Safe Hex - Sicher am Computer.
Bookmark this spot: Klez information.
I have received more than a dozen copies of this one and a bogus report that a message that I allegedly sent couldn't be delivered because it was infected (but I never sent the message). This worm has some really nasty features:
Links to more information:
Bookmark this spot: Gibe information.
A new worm going around starts off faking the source:
From: "Microsoft Corporation Security Center" <firstname.lastname@example.org>
To: "Microsoft Customer" <'email@example.com'>
Subject: Internet Security Update
with an attachment named q216309.exe. The body of the message (described in the pages linked below) may fail to display. The worm has a bug that inserts some ASCII NULLs in the message and at least one mailreader, pine, halts its display of body text when an ASCII NULL is encountered. Since the first two NULLs are at the start of the body text, nothing is displayed. The page "Microsoft Policies on Software Distribution" on Microsoft's web site clearly states that Microsoft never sends updates by email.
Since I have received three copies in the last five days (March 7, 2002 to March 11, 2002), this worm rates inclusion here. Here's what I could find about it:
Bookmark this spot: Magistr information.
This one has landed in my inbox a few times recently and a few users at my ISP have been infected with it. Be aware that there is more than one version of this worm out and the removal tools are version specific. If you get infected with W32/Magistr.A@mm you will have to look for the tool for that variant yourself. (If I tried to cover everything this page would take an hour to load and I would need 57 hours per day to keep the site relatively up-to-date -- besides the time needed to deal with spam.) Check several antivirus databases for aliases to see if your infection has more than one name.
This one is nasty. Besides making your icons run away from the mouse cursor, the worm can also trash your entire hard drive's contents or (on vulnerable systems) trash your flash BIOS so you need a new motherboard.
It is important to follow disinfection instructions very carefully. The file at http://www.antivirus.com/vinfo/security/readme_magistr_b.txt warns people twice about the trojan portion of the worm:
*************************************
I Important Note: If during the scanning the Trojan was detected in WIN.COM or NTLDR, DO NOT RESTART WINDOWS. This Trojan portion of the virus will trash your hard drive after you restart. Please make backup copies of your WIN.INI and SYSTEM.INI before running this tool.
[snip]
If during the scanning the Trojan was detected in WIN.COM or NTLDR, DO NOT RESTART WINDOWS. This Trojan portion of the virus will trash your hard drive. For 9x/ME users, obtain a clean copy of WIN.COM and overwrite the one that was detected. For NT/2K, restore NTLDR from backup.
Bookmark this spot: Badtrans information.
November 24, 2001: I get a suspicious message with an attachment that
has an extension that doesn't match its declared "Content-Type:" header.
F-Prot for DOS with the latest definitions at that time (November 20,
2001) fails to find anything.
November 25, 2001: I get a similar message addressed to the user-support mailing list.
November 27, 2001: Another two arrive and now F-Prot does detect a worm in all four copies once I grab the newly updated virus definitions. It's the W32.Badtrans.b@mm worm. Then a fifth copy arrives from a user here.
Watch out for this one. Like a number of other worms, it exploits a vulnerability in Microsoft Internet Explorer that allows it to run automatically the moment you view the worm. It also contains a backdoor trojan and a password-stealing keyboard logging trojan. Check out the links below and fetch (and install, of course) the patch from Microsoft that plugs the Internet Explorer hole.
Bookmark this spot: Nimda information.
Sep 20, 2001 (Nimda).
URLs in above:
Central Command (AVP):
SANS Emergency Incident Handler:
Patches for vulnerabilities:
Bookmark this spot: Code Red information.
Code Red had been pounding relatively ineffectively against my ISP's servers lately. View a tech report entry (with other data snipped). WARNING: May be dangerous to view with Internet Explorer. Although it is just plain text showing the URL that Code Red attempts to submit to an IIS server, and was previously on this page as plain <PRE>formatted text (and *not* as a hyperlink), I have had one report from an IE user that his browser locked up just viewing this part of my page.
While the attacks have died down -- due mainly to the fact that Code Red-infected systems have mostly been closed or infected with Nimda -- there are still some infected servers out there and the holes it exploited could be used by other worms so the appropriate patches to prevent it are still recommended.
Some links to information about the Code Red worm (and more to add later when I can find them again):
Bookmark this spot: Sircam information.
I received 11 copies, one 754KB in size, before my ISP started blocking it. Not only is it larger than most worms but it also tacks on a random file from the infected user's computer to the end of itself and then opens that after running on a newly-infected computer to hide its real purpose. It can therefore cause a major privacy breach. The copies I have received have included Microsoft Word documents with an article about the works of Leonard Cohen, a purchase confirmation from an Australian company with the customer's name and address (but fortunately not her credit card number), and a psychiatric paper probably intended for publication in some medical journal. A couple of Excel worksheets included one that appears to be a doctor's records about a (luckily unidentifiable) patient. And a ZIP file from Mexico that contained six extractable, boring snapshots of three young men.
Information I could find so far:
If your system is infected with the worm, first please download this REG file and install it (by double-clicking on it):
This will remove the worm's reference from the EXE file startup key in the Registry.
Warning! This is really important! The system might become unusable if the worm's file is deleted without modifying the EXE startup key first.
After that the system can be safely disinfected with an anti-virus program. If for some reason the worm's file can't be deleted from Windows (locked file), then you have to exit to pure DOS and delete the worm's file manually or use a DOS-based scanner.
I have received more than 180 copies of this worm (I lost exact count around 165) at the time of this writing and will probably get even more. Be aware that the worm does not really come from the alleged firstname.lastname@example.org address in the "From:" header. That was a fictitious address and domain used by the worm's author. As a public service, someone else later registered the sexyfun.net domain to set up a web site on how to combat the worm. Following are links to some information on it:
Links to the latest virus alerts from various anti-virus companies.
First, see the Virus Alerts mentioned above. Then check out:
A new virus has recently been discovered in the wild that can actually damage some computers. Potentially affected are those with motherboards with Flash BIOS. On some motherboards there is no hardware disable for altering the BIOS and this virus takes advantage of that on its triggering date to reprogramme the BIOS on such machines with garbage. The result is a machine that can't boot at all and a motherboard that has to be replaced or be sent back to the factory for reprogramming.
Norman Antivirus has an article available describing the extent of the damage experienced by users on April 26, 1999 because of this one virus. The number of accesses to their web server reached record heights in April, 1999 due to two viruses, the CIH virus and the "Melissa" Word Macro virus/worm.
I have gathered some CIH-related links on a separate page for your convenience.
Some antivirus sites with fixes are:
Has your computer suddenly started playing music? If so, check
the CPU fan and the power supply in your computer. A lot of people have
asked in the alt.comp.virus newsgroup
what virus can cause their computers to suddenly play music. The reply
given over and over and ... is that it is unlikely to be a virus. Some
modern computers have a detection circuit to warn you of failure of the
fan that sits on top of your CPU (not to be confused with your power
supply fan which is completely different) and will play a musical passage
to alert you when the fan fails or if the power supply voltages drift out
of tolerance. Most reports mention "Fur Elise" by Beethoven.
One mentioned the song "It's a Small, Small World" but that may
have been derived from "Fur Elise" and may be the same song.
For more on this, see Microsoft's note,
Q261186 - Computer Randomly Plays Classical Music.
If, however, the music you hear is "Happy Birthday" instead of "Fur Elise" then you may have another problem. Some AMI BIOS chips were shipped a few years ago that had been sabotaged by an ex-employee to freeze up on his birthday in November and just play "Happy Birthday". The only cure is to replace the BIOS.
Your Toshiba notebook computer may be infected.
Do you have one of these Toshiba notebook computers?
Read the news story,
"Toshiba ships notebooks with virus"
and then visit Toshiba's site to read the
"Procedure to Correct Notebook Computer Software Problem".
As it is now over a year since I first reported on the Concept virus on my home page, I feel that it is not the unknown that it once was. It is still dangerous and (except for one month) has maintained its spot as Number One on the infection Hit Parade since January, 1996. When I first reported on it, it was unique -- the only macro virus "in the wild". However, this is no longer the case. Giving such specific information so prominently on one macro virus when there are now hundreds of them (close to two thousand variations) may give readers the mistaken impression that the Concept virus is the only macro virus to worry about. I have now moved it off my main home page and have a new page on the Concept Macro Virus and, to come later, other macro viruses.
The alt.comp.virus FAQ is now available as DOS hypertext
This consists of all four parts of the FAQ plus the supplementary guide to virus-related FAQs in a single hypertext document, with a rather nifty search engine.
The straight text versions remain available at both these sites, among others.
At the J and A Virus Info site, I have found a web-browsable hypertext version of the alt.comp.virus FAQ. (They used to list my antivirus page <Brag, brag!> but some links had to be sacrificed in the latest versions to make room for other information <sob>.)
I have run across a set of symptoms that I have never seen adequately
described in any anti-virus software documentation or on any of the other
anti-virus web sites that might make people mistakenly think that some of
their software is unrecoverable when it isn't. The scenario is:
(1) the user has just upgraded from an earlier version of MS-DOS.
(2) his (or her) *.COM utilities now crash (TREE.COM is an example).
(3) an anti-virus utility reports an infection by the "Junkie" virus.
(4) the anti-virus utility is used to clean the system and reports success.
(5) the *.COM utilities still crash.
The user may be under the impression that the *.COM utilities have been damaged beyond repair. This is not necessarily the case. What has happened is due to the stupidity of the Junkie virus. It seems that the author's intent was to infect *.COM files but an omission in the virus of any check on the last letter of the extension of the file to be infected makes the virus infect any file with an extension that starts with "CO". The result is that, if an upgrade is attempted on a Junkie-infected system, the virus infects the compressed *.CO_ files before EXPAND has a chance to look at them. By the time EXPAND sees the files they are infected and no longer have the compressed-file signature at the beginning of the file that indicates a valid compressed file. The virus has over-written that part of the file. EXPAND then assumes that the file was not compressed after all and just copies it without expansion to its destination, renaming it to have a ".COM" extension. No error message is issued by EXPAND. The resulting *.COM files now consist of an executable virus and an unusable compressed file that crashes as soon as the virus does its thing and transfers control to the rest of the file.
When an anti-virus utility is used to clean the files, the files are restored (except for some possible one to fifteen bytes of extra padding at the end to a paragraph boundary) to their original state. In the case of the *.COM files, they are restored to uninfected COMPRESSED files. They are still not usable *.COM files until EXPAND has a chance, again, to de-compress them to their usable state.
The solution is:
(1) run your antivirus programme on your original installation disks and specify ALL FILES and not just executable files to clean the virus out of your *.CO_ files.
(2) delete and re-install the *.COM files from the cleaned *.CO_ files.
or, if you don't have the installation disks, (you got your computer with pre-installed software, no disks, and the dealer infected the system):
(1) rename all of your (now disinfected) *.COM files to *.CO_ and then...
(2) run EXPAND on them again to expand them to usable *.COM files.
This tip may just get your programmes working again when you thought they were damaged beyond repair.
Note: I have been informed by one antivirus vendor that COMMAND.COM is the only file that can get infected by the Junkie virus on a Windows 95 machine (which probably also applies to Windows 98, Windows 2000, and Windows ME). One possible reason for that is that COMMAND.COM would be the first target of the virus and (since COMMAND.COM on those systems is really a *.EXE file with a *.COM extension) infecting that file renders the system incapable of booting so the infection can't spread any further on subsequent boots.
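The state described above (a disinfected *.COM file that is really a compressed file waiting for EXPAND) can be recognised from the first bytes of the file. The following is an added example, not part of the original page: it assumes the SZDD and KWAJ signatures of Microsoft's COMPRESS utility, which the page does not spell out, and it runs on constructed sample files.

```python
import struct
import tempfile
from pathlib import Path

# Signatures written by Microsoft's COMPRESS utility (format knowledge, not from the page).
SZDD_MAGIC = b"SZDD\x88\xf0\x27\x33"
KWAJ_MAGIC = b"KWAJ\x88\xf0\x27\xd1"


def classify(path):
    """Inspect the first bytes of a file and say whether EXPAND still has to run on it."""
    head = Path(path).read_bytes()[:14]
    if head.startswith(SZDD_MAGIC):
        info = {"format": "SZDD", "last_char": None, "expanded_size": None}
        if len(head) == 14:
            # Byte 8: compression mode, byte 9: the character that "_" replaced,
            # bytes 10-13: size of the expanded file (little-endian).
            _mode, last, size = struct.unpack("<ccI", head[8:])
            info["last_char"] = last.decode("latin-1") if last != b"\x00" else None
            info["expanded_size"] = size
        return info
    if head.startswith(KWAJ_MAGIC):
        return {"format": "KWAJ", "last_char": None, "expanded_size": None}
    return None  # ordinary program, or a file that is still infected


def find_unexpanded(directory):
    """Return [(current name, name to give it before running EXPAND, info)]."""
    hits = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.upper() == ".COM":
            info = classify(path)
            if info:
                hits.append((path.name, path.stem + ".CO_", info))
    return hits


def demo():
    """Build three constructed sample files and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed: disinfected but never expanded, with paragraph padding at the end.
        (tmp / "TREE.COM").write_bytes(
            SZDD_MAGIC + b"AM" + struct.pack("<I", 6901) + b"\xff" * 40 + b"\x00" * 7)
        # Constructed: a genuine .COM program (starts with a JMP opcode).
        (tmp / "MORE.COM").write_bytes(b"\xe9\x10\x00" + b"\x90" * 32)
        # Constructed: KWAJ-compressed file.
        (tmp / "FIND.COM").write_bytes(KWAJ_MAGIC + b"\x00" * 16)
        return find_unexpanded(tmp)


if __name__ == "__main__":
    for name, rename_to, info in demo():
        print(f"{name}: {info['format']} compressed, rename to {rename_to} and run EXPAND")
```

Run the check only after the antivirus clean-up: while a file is still infected the virus has overwritten the signature, so it is indistinguishable from an ordinary program by this test.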
The Computer Virus Myths home page [note the new address] is a good place to start to find out what is NOT a virus. There are a lot of false rumours floating around about phoney viruses. The Science Fiction and Fantasy Writers of America also have a section of their site devoted to those Urban Myths concerning viruses. You might also want to follow one of the links there for more information.
Other pages related to hoaxes are:
I have been too busy with other things to keep track of the Macintosh anti-virus scene (especially since I don't use a Mac) and it has recently (July 9, 2000) been brought to my attention that my Mac links were broken and providing me with substitutes ("Thanks, Werner!"). I also did some looking around the net and came up with a couple more links. So here is my new, up-to-date (as of March, 2004) skimpy collection of Macintosh anti-virus links:
There is not much out there for the Atari but I did find
I hesitate to add the plural "es" to the word "virus" above as I have run across only one reference so far on an Amiga virus, on the CIAC web site.
A McAfee press release reported on February 5, 1997 that they had discovered the first Linux virus. The page that used to contain this press release appears to have been changed but there is now more information on Linux viruses available.
The latest news and gossip on the computer security and anti-virus front can be found in The Crypt Newsletter -- very interesting reading.
If you download any of the antivirus programs from the sites below, you are probably going to need to unzip them. If you don't have an unzipping utility, a free unzipping program from Info-Zip to uncompress the downloaded antivirus files can be downloaded from the Garbo Archives at:
For each visitor to our Web page, our Web server automatically recognizes the consumer's domain name and e-mail address (where possible).
We collect the domain name and e-mail address (where possible) of visitors to our Web page, the e-mail addresses of those who post messages to our bulletin board, the e-mail addresses of those who communicate with us via e-mail and information volunteered by the consumer, such as survey information and/or site registrations.
The information we collect is used to improve the content of our Web page, used to notify consumers about updates to our Web site, shared with other reputable organizations to help them contact consumers for marketing purposes and used by us to contact consumers for marketing purposes.
To paraphrase what they say, "If we can get your address we will spam you and we'll sell your address to other spammers." They do go on to say that they will put you on a do-not-mail list if you ask -- in other words, opt-out.
NAI's McAfee Online -- download the latest version of VirusScan, version 3.03: [NOTE: on the comp.virus newsgroup, a couple of people have reported a trashed hard disk after upgrading to VirusScan 3.00 on a Windows 95 machine. Until I can find out whether it was (a) a bug in the upgrade, (b) a coincidence, (c) a bug in Windows 95, or (d) a false alarm, you might consider performing a complete backup of your hard disk and make sure that you have the boot floppy disks necessary to restore your drive in case of a complete trashing of your partition before installing the 3.00 upgrade on a Windows 95 system.]
Alien Invaders might want to check out this CERT advisory.
Is it "viruses" or "virii" when speaking about more than one virus? One poster to the alt.comp.virus newsgroup has an answer:
"i thought we settled this a long time ago, the term varies depending on the number... viri for one, virii for two, viriii for three, viriv for four, virv for five, and so on..."
Has your favourite newsgroup been invaded by the porn spammers? One such spammer, advertising a CD with "10000 Celebrity Nude Photos", inspired this hilarious response in the alt.comp.virus newsgroup -- an imaginary review of erotic scanners. (My sincere thanks to the poster -- who granted me permission to include it here.)
Foot-and-Mouth First Virus Unable To Spread Through Microsoft Outlook.
Do you want to write your own programs designed to clobber others and run them with no fear of getting caught? Will your little sister's program trash yours first or will your grandfather's program beat both of yours? Write your own combative programs designed for a machine that doesn't exist and run them on the REDCODE simulator and may the best code win.
There is some concern over security leaks in the Java language. The following sites have some excellent information on that subject:
Links above last checked between
August 15, 2001 and August 17, 2001.
Webmaster: Norman De Forest.
If you have any comments about this page,
please send me an email message.