Index:
X97M/Divi
W32.Magistr
W32.Klev


Nov 2002 - Feb 2003, Featured Virus: X97M/Divi.ad

This virus is being featured this month because we had just recently discovered and removed some infections. Even though this virus was first discovered in Jan. 2001, it is still propagating and therefore still a cause for concern.

This is not a malicious virus; it is a macro virus affecting Microsoft Excel 97 and higher (i.e. Excel 2000). It is contained in the macro module "ThisWorkbook". When an infected document is opened and the macro is allowed to execute, the virus disables Excel's macro virus warning message. While an infected document is open, all other documents that are created or opened also become infected. This virus has an interesting mode of operation: if an attempt is made to print an infected document on the 30th day of the month at noon, the print job is automatically canceled.

This virus is also known by the aliases X97M.Activated.A (NAV), X97M/Divi.AD (F-PROT) and X97M/Osource. It can be considered a variant of the Divi macro virus strain, alongside X97M/Divi.A, X97M/Divi.B, X97M/Divi.C, X97M/Divi.D, X97M/Divi.M, X97M/Divi.O and X97M/Divi.gen.


Norton Symantec Antivirus or McAfee VirusScan will reliably detect and clean this virus. There are no obvious signs of infection with this virus, so regular scans by installed virus protection software are your best strategy to detect it early and prevent any widespread infection.

Visit either McAfee or Symantec for greater detail and more specifics should you need them.


Oct 2002, Featured Virus: W32.Magistr.39921@mm

        This virus is a variant of an interesting lot. 

W32.Magistr.39921@mm is a variant of W32.Magistr.24876@mm. It is also known as I-Worm.Magistr.b, W32.Magistr.B@mm, W32/Magistr.b@MM, Magistr.32768@mm, PE_Magistr.B and W95/Magistr.28672@mm. The virus W32.Magistr.24876@mm is also known as I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm, W32.Magistr.24876.int, W32/Disemboweler, W32.Magistr.corrupt and W32/Magistr-A.

Confusing and really fascinating?.. You bet!..

W32.Magistr.39921@mm is a mass-mailing worm. It sends email messages to names in your email address book; these names are taken from the Eudora address book, Outlook sent items or Netscape mail sent items. The subject line is randomly generated and can be up to 60 characters long. The virus itself is a program about 30Kb long written in Assembler. This is very large for a virus written in pure Assembler language. The large size, however, is caused by the virus's Win32 EXE file infection algorithm, email and network spreading routines, polymorphic engines, payload routines and the many anti-debugging and other tricks used by the virus writer(s) to make its detection and disinfection difficult. This virus is one of the most complex viruses known as of this date.

W32.Magistr will attach a random infected executable and several selected text or document files to its email messages. The infection targets are all Windows PE files that are not .dll files, plus .SCR files.

This virus and its variants cause significant damage: they erase and corrupt files on the hard drive. They can erase the CMOS and even flash the system BIOS. As a part of its infection procedure this worm also drops a Trojan.

To remove a W32.Magistr infection and the Trojan that it drops, specific procedures must be followed. Follow the instructions listed at the McAfee or Norton Symantec web sites. Here we will only indicate the different items which must be addressed.

1:   First, be sure that you have the latest virus definitions file. Check the McAfee or Norton Symantec web site, whichever is appropriate for your currently installed virus scanner.

2:   Scan your system with the “All files” setting on the virus scanner.

3:   Clean and repair any infected files. Files that cannot be repaired or cleaned must be deleted and then restored from your Windows disk. See the appropriate link below if unsure how to restore files: Restore Windows 9x/Me or Windows 2000/XP.

4:   Edit system.ini: in the [boot] section, find the Shell = Explorer.exe line and remove the W32.Magistr.Trojan entry from it.

5:   Edit the registry to remove the values inserted by the virus. Ensure that you back up the registry (call it infected_bkup) before any editing. If unsure how to back up the registry, see the link Backup the Registry.
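Step 4 can be checked rather than eyeballed. The following Python script is an added example, not part of the original page or of the McAfee or Symantec procedures: it reads the text of a system.ini, reports any entry on the [boot] Shell= line other than Explorer.exe, and returns a copy of the file with that line reset. The sample file and the trojan file name in it are constructed placeholders, since the page does not give the actual name.

```python
import re
from typing import List, Tuple

# Constructed sample system.ini standing in for the real file. The trojan
# file name is a placeholder (the page does not give it); it is shown
# appended to the [boot] Shell= line, which is where step 4 says to look.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe TROJAN_PLACEHOLDER.exe
mouse.drv=mouse.drv

[386Enh]
device=*vmm32
"""

EXPECTED_SHELL = "explorer.exe"
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
SHELL_RE = re.compile(r"^\s*shell\s*=(?P<value>.*)$", re.IGNORECASE)


def audit_boot_shell(ini_text: str) -> Tuple[List[str], str]:
    """Inspect the [boot] Shell= line; return (suspect entries, cleaned text).

    The file is walked line by line while tracking the current [section],
    so a Shell= key in any other section is ignored. Every whitespace
    separated entry on the [boot] Shell= line other than Explorer.exe is
    reported as suspect, and in the returned text that line is reset to
    'Shell=Explorer.exe'. All other lines are passed through unchanged, so
    the result can be written back in place of the original file.
    """
    suspects: List[str] = []
    cleaned: List[str] = []
    section = ""
    for line in ini_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").strip().lower()
        elif section == "boot":
            shell = SHELL_RE.match(line)
            if shell:
                entries = shell.group("value").split()
                extra = [e for e in entries if e.lower() != EXPECTED_SHELL]
                if extra:  # also covers a line with Explorer.exe replaced
                    suspects.extend(extra)
                    line = "Shell=Explorer.exe"
        cleaned.append(line)
    trailing = "\n" if ini_text.endswith("\n") else ""
    return suspects, "\n".join(cleaned) + trailing


if __name__ == "__main__":
    found, fixed = audit_boot_shell(SAMPLE_SYSTEM_INI)
    print("suspect Shell= entries:", found)
    print(fixed)
```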


Sept 2002, Featured Virus: W32.Klez

These are nasty little buggers, "Excuse my English".. This virus has many variants: W32/Klez.e@MM, W32/Klez.h@MM, W32/Klez.gen@MM, Worm_KLEZ.E, Worm_KLEZ.G, I-Worm.Klez.e, I-Worm.Klez.h, W32/Klez-E, W32/Klez-G and W32/Klez-H. Because of the number of variants, the information provided here is of a general rather than specific nature; it is provided to say, change your alert level from Green to Yellow.. Visit either McAfee or Symantec for greater detail and more specifics.

This virus is a Win32 worm; it spreads by copying itself from one disk drive to another, or by copying itself using email or some other transport mechanism. It may arrive in the form of a joke program or software of some sort.. It can cause damage to your program files, particularly *.exe's, and can also compromise the security of the computer.. It affects Windows computers: Windows 9x/Me, Windows NT and Win 2K systems.. As a bit of trivia, this worm/virus combo apparently originated from Asia, possibly China or Hong Kong.

What does the worm do?.. Glad that you asked!.. The "@mm" variants are mass-mailers that search the Windows address book for email addresses and send messages to all recipients they find. The worm uses its own SMTP engine to send the messages. The subject and attachment name of the incoming emails are randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr. Some variants that are generated as a result of the initial infection will also try to infect all executable files in the \Windows\System folder.. The variants will terminate a long list of running programs, particularly your anti-virus programs. Additionally, the system registry can be modified by this virus such that the virus protection does not run properly at the next system startup..

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express; see the Microsoft web site for patches/fixes for this vulnerability. Go to the Microsoft support page and do a search on "ms01-020"...

All in all, these are nasty little buggers. Yeah, I know I repeated myself.. Well, it could be for emphasis.. So if you ever get one of these guys, let's talk about removal.. The infected machine will be out of commission for a little while.. If you have critical data on the machine, do not send it away to be fixed and/or let a tech format your hard drive.. Both McAfee and Symantec have identified procedures for removing these viruses without massive loss of data.. As usual the issue is Time and/or Money..

First, how would you know (or suspect) if you had one of these viruses.. 1) Your virus scanner could have detected it. [Keep auto-protect on and perform regular scans]. 2) Your friend/customer/client/vendor could have called to inform you that they received an email from you with a virus.. [Keep email scanning enabled]. 3) Your machine behaves as though it's sick.. [You need a virus scanner, or must keep your virus DAT files up to date.].. Any one of these scenarios could lead you into a situation where you need to go through a W32.Klez variant removal process.. Don't be too quick to blame your friends though; the emails sent by the Klez.E variant often have a faked sender address. The worm randomly picks a sender address from web pages or Windows Address Books. So if you get the Klez.E worm in your email, it's very possible that the sender is not the person listed in the "From" field of the email header...

The procedures outlined by McAfee and Symantec both require reasonable computer knowledge and both require manual scanning.. McAfee suggests scanning from DOS, while Symantec has a tool, "Fixklez.com", which you can download and run from Windows.. The tool focuses on the detection and repair of files infected by W32.Klez variants.. They both suggest that you run the machine in Safe Mode and back up the Registry before starting the virus repair process. We tried to repair one system by using the Norton Rescue disk to boot, loaded NAV and started scanning and cleaning.. After the 24th swap of virus definition disk 4 and disk 5, we decided that there had to be a better way.. That was when we researched and discovered the "Fixklez.com" tool.. And we are glad that we did, because we had only cleaned six of 52 infected files when we became frustrated with the floppy swapping..

Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that if one of those selected files becomes infected, then that file could be stored there as a backup file, and VirusScan would be unable to delete it. We suggest that you disable the System Restore utility in order to remove the infected files from the C:\_Restore folder. Be sure to re-enable System Restore after completing virus removal..



© 2002, 2003 H4, Inc. All rights reserved. By Mr. T.