Goner virus

Bob Howie

Last night at 18:18, I received an executable e-mail from an unknown server that destroyed the partition files in my hard drive, effectively wiping my hard drive out. The virus fragged my RAM and my CD-ROM as well. It got past my anti-virus software -- one of the Big 3 which I will refrain from naming -- and locked my system tight. I lost all data, programs and stuff on my drive. I have about 80 percent...all the really important stuff...backed up on Iomega Zip Disks, so I really only lost some junk and $329 to replace the hardware components and upgrade to Windows XP, which is an NT variant and, so far, pretty damn cool. I have installed both Norton's Anti-Virus 2002 and Zonelab's ZoneAlarm Pro firewall software at the recommendation of one of my MCSE tech buddies. Folks, in 12 years of piddling around with computers -- from which part of my living is made -- this is the worst virus I've ever seen and you cannot react fast enough to stop it if it hits your email. Because of the backups, I have only lost about a day's PR work here at Casa de Bob and a little time -- hell, I needed a day off anyway! But, I did lose my email program -- Eudora -- and my Day-Timers files, but I have hard copies of those and some of it like the addresses and stuff are in my Palm. With Eudora went all my email address books. So, I'm just putting this out there to let y'all know those two little creeps in France that started this came up with a dilly and y'all need to be on the lookout and back up all your files if you haven't. Regards to all.
 

Phil Herring

Alien
Mar 25, 1997
4,924
- - Bainbridge Island
Two rules to follow

1. Never, NEVER, N-E-V-E-R, open an email attachment unless you are told, in person or by phone, to expect it. A virus will almost certainly come from someone you know and the name of the attachment will come from a document on their hard drive, making it seem real.
2. If your computer 'previews' email in a pane just below your inbox, DISABLE IT! Your preview pane alone can activate some viruses (viri?).
3. Call your ISP _today_ and tell them to block all email attachments containing the extensions .exe, .scr, and .pif.

Do this and you're reasonably safe. Or ignore all that and switch to a Mac. :)
 
Bob Howie

Executable files

Thanks, Phil, but let me reiterate; this came in a self-executing file...in other words, when the computer received it, it opened itself and then hit the box. I don't ever open spam or mail that is sent from unidentified sources. Your advice is well taken, but let's not all forget that there's not a lock that can't be picked!
 

Phil Herring

Alien
Mar 25, 1997
4,924
- - Bainbridge Island
Oops... meant that differently

Bob, Sorry, I didn't mean that as a scolding for you! My intent was to put up a stern warning to those who aren't so careful with email and attachments. My apologies - in re-reading I can see my intent did not come across. Anyway, back to this virus. It executed without opening or previewing the email?? I hadn't heard about that aspect of it yet.
 
Bob Howie

No offense, Phil

No offense taken...took it as just observation. Believe me, got skin plenty thick and you're gonna have to get up earlier in the day if that's the best you got to insult me with!!! A self-extracting or self-executing file is pretty common. Bugs are code; just like software code running in your box that can give commands. Lot of code is written in syntaxes like, "If this happens...do this." It's not all that sophisticated. So, some little creep writes some code that goes out there and looks for a trigger and once it gets tripped, then it unleashes commands. Computers, altho they seem intuitive, are pretty "dumb" terminals, just doing what they are told to do by the code even if it includes killing itself! You don't necessarily have to open an email for a piece of code to attack.
 
Dec 2, 1999
15,184
Hunter Vision-36 Rio Vista, CA.
Tell me more, tell us more!

Mr Bob: Your holding back on the manufacturer is not a good idea. The computing public needs to know who screwed who. None of these products are perfect. I was using McAfee and Norton on the same machine for several months. I was under the assumption that McAfee was doing a good job. I scanned with McAfee and then went behind it with Norton and found a virus on the machine. I sort of lost faith in McAfee at that point. I am sure that with any given mix of circumstances this scenario could have been reversed. So let's have it, which product do you think let you down. Do you have that virus software setup to check automatically for updates? Inquiring Minds (no matter howie<g> small) want to know!
 
Bob Howie

Steve, you geek!!!

Let me qualify this by saying that no lock on earth is secure against anyone who is dead set toward picking it, ok? And, in somewhat fairness because one never knows, of the two products you mentioned, it wasn't Norton...okay! Got it now?? I don't know how it happened, but it blasted right through every protection protocol I had in place and, yes, they were all being updated. I didn't have a firewall in place...do now. As it turns out, I only lost about 10-15% of the stuff I had on the old box and most of that was just old junk anyway that won't be missed, so I was pretty lucky. I had done the last full data backup in late Sept., so I only lost a smidge. I'm still up at this hour Central because I had to get the box back on line 'cuz need to do a little work tomorrow...now to pay for the damn fixes!!! God! I hate that!!! I'm telling you, pal, it went through my system faster than grease through a goose at Christmas and I didn't stand a chance. Buddy got fragged same way, but haven't had a chance to really talk to him. So far, so good. Been on line a few hours and ZoneAlarm seems to be doing the job and Anti-Virus 2002 is checking everything in and out to make sure nothing is piggybacking. It happened at 6:18p last night and my ISP said nothing came back out my box after that, so that indicates to me my box died before the thing could attach to my email address book and then send itself out again. There was no ISP activity from my box after 6:18p last night and I got that in a confirming email from my ISP after I got back up tonight. I gave the ISP as much as we could figure out so they would be alerted to it and they've found some indication other clients got hit too. If you got someone who can do a forensic postmortem on the hard drive, I will send it to you. The partitions are out of it, so I'm sure the data is there, but it just can't read it. I yanked the old hard drive and put in a new one. Maybe some of those wizards you got working out there with you can postmortem this thing and come up with something. By the way, I need your email address again. Thanks. Howie
 
Bob Howie

Oh, yeah....

What hacks me REALLY off about all this, of course, was that I was planning on leaving for my boat this morning! NOT rebuilding a computer and restoring files!! I have to leave Sunday for Wichita and this is cutting into my sailing time!! Aarrggh!!!!
 
Dec 2, 1999
15,184
Hunter Vision-36 Rio Vista, CA.
Steve the Geek, does not have a good ring!

I am not going to send you my email address. If you get the Goner again, you try to give it to me. Besides I have not gotten my cold beer yet!
 
Peggie Hall/Head Mistress

Question:

First, some background: Since changing ISPs, I have yet to post to any site where my e-mail address is exposed, which means that--so far!--I've yet to receive any spam at my new address. Although I've changed it in all the directories here, I've only given it to about a dozen people...but I know if one of them becomes infected, I'm vulnerable. However, I've kept my previous ISP active and check for e-mail to the old address via webmail, so I don't have to pay roaming charges to log onto it directly. I use Netscape, because everything I've read about viruses seems to indicate that 99% of 'em are written to attack Outlook. No matter who any e-mail seems to be from, I NEVER open ANY attachment unless it's specifically referenced in the body of the e-mail and is in context with the conversation. Now the question--2 questions, actually: Is my computer vulnerable to a self-executing virus in an e-mail that's never downloaded to my computer...that I only access via webmail? Providing I don't touch it, but only read the header and then delete, that is? Is Netscape REALLY any safer than IE?
 
Doug T.

Vulnerabilities

If you don't download the attachment it can't hurt you. If you don't run the attachment after it's downloaded it can't hurt you. The trouble is, some e-mail programs automatically do both. Outlook in particular is troublesome in this respect. Netscape mail is generally pretty safe. My company got clobbered because we use MS Exchange and Outlook. My client's company uses Netscape mail and was not affected at all. (By the way, I don't understand how a virus can cause hardware failure. Software can't "break" your hardware. It might overwrite or corrupt your firmware or BIOS, but that can be pretty easily corrected.)
 
Peggie Hall/Head Mistress

Thanks, Doug...but--

That covers attachments, but apparently "Goner" is self-executing...no attachment, the virus is in the e-mail itself. Can it attack a computer if the e-mail has been downloaded to the inbox, but is never opened?
 
Doug T.

Peggie: e-mail doesn't self-execute

I received about three dozen copies of that particular e-mail virus over the last couple days from various and sundry people. I read the message in the first one, but didn't download/open/execute the attachment. (I got four identical messages from the same person -- I was on four different distribution lists -- and that looked mighty suspicious.) I simply deleted them -- no harm done. A plain e-mail message CANNOT "self-execute" -- it is simply text (or HTML/Java). The attachment CAN execute without you doing anything IF your e-mail software is configured to do so. Outlook "previews" can cause this to happen, and the virus writers count on the Outlook users to have their software configured that way. Also, some systems are configured to open/execute an attachment automatically when you download it. For example, if someone sends you a Word or Excel document as an e-mail attachment, and you click on the icon or link in your e-mail message, what happens? If MS Word or MS Excel automatically start up and let you view the document YOU ARE VULNERABLE!!! If instead, the system prompts you to either open it or save it to disk, then if you simply save it to disk, you're safe.
 
Bob Howie

Viruses

A bit of clarification -- look, y'all, if someone wanted to frag a computer from outside, all that person has to do is gain access...a new-fangled thing called "hacking." Also, a virus is not simple text; Doug is right, simple text cannot do any harm to anyone. Viruses, worms and their ilk are all code; same stuff from which is written the kinds of software that allows us to use these forums. Malicious code can be sent that runs around out there looking for a trigger to execute. Viruses are time bombs simply running around in the system looking for that trigger. All they have to do is gain access either by e-mail portals, DSLs or ISDNs. After having been in charge of some IT departments, I can tell you that if viruses had to have an action by an operator, anti-virus programs and firewalls would not be necessary. The whole point of this missive is simply to let everyone know that precautions should be taken because this thing is a very mean bug and there are those out there that would take the virus and "improve" it to do any number of things. Just so you know..
 
Peggie Hall/Head Mistress

But, but. but ...doug...

You're saying there is no such thing as a "self executing" e-mail. My name for it may be wrong, but I have received e-mails in the past--fortunately only spam, nothing malicious--that had "triggers" embedded in the headers...no attachment. Just clicking on the subject line to delete it, launched me to the sender's website. In fact, I couldn't delete the e-mail without either including it in a "select all" batch selected from another message, or going to my ISP's webmail site. If triggers that launch a website can be embedded in the subject line of an e-mail, what is to prevent virus code from being embedded in the subject line...making that e-mail effectively "self-executing," whether that's the right name for it or not? In fact, from what I've heard about "goner," I thought that's the way it works.
 
Jon Bastien

Bob's MOSTLY right...

Bob states that 'it's not necessary for the user to trigger a virus' (or words to that effect). He's MOSTLY right about that. In today's computing world, software makers are trying to produce applications to make our computing tasks easier to accomplish, and incorporate 'features' into their software to help us along- Things like 'auto-executing' e-mail attachments or running (my favorite peeve) Visual Basic scripting (.vbs). When you receive your computer or software, the 'out-of-the-box' setting for these convenience functions is usually 'enabled' by default. If you don't go back and change these settings (disable .vbs scripting, turn off preview panes, turn off auto-execution, etc) then Doug is right- YOU ARE VULNERABLE, and there's little or nothing you can do to protect yourself until you change these settings. In the case of autoexecution (.vbs or otherwise), the user's trigger action was to open the e-mail (and let the software do the rest for you). Bob may not have hit a button that said 'Run this virus', but he probably (unknowingly) had his Eudora software set (by default) to do it for him. Moral: The e-mail itself is harmless if left alone or deleted. It's the software that opened the e-mail and ran the attachment that did the damage. Any e-mail client that runs .vbs scripting is vulnerable until .vbs is disabled. NOW, for a few suggestions on how to protect yourself from e-mail viruses. My biggest recommendation is to use a web-based mail service such as Yahoo or Hotmail. Yahoo is very feature packed, I get VERY little spam from them, and most of it's caught by their spam filter. By using their web interface, I have virtually NO chance of an e-mail virus infecting my machine just by opening a suspect e-mail. If I want to run a suspect attachment, I have to download it first, which brings me to my... Second recommendation- NEVER open ANY attachment until it has been scanned by TWO major anti-viruses. I use Norton and McAfee- They're both good programs. Sometimes Norton finds them first, other times McAfee is first- it's about a 50/50 shot on who's fastest. It mostly depends on whose developers can get a good definition for the virus incorporated into their software first. Finally, do your best to keep e-mail simple. All the bells and whistles that go with making e-mail cool (backgrounds, fonts, sounds, borders, etc) also open the door for security holes like viruses or hackers. If plain text will do what you want it to, use it. If simple HTML works, go for it. If you need to code backgrounds or scripts into e-mail, perhaps a better solution is to build a web page with the info, and send a link to the web page via e-mail. To address Peggie's question about auto-execution... What I suspect happened was that she received an E-mail in HTML format, and there was a Java pop-up script embedded into the page somewhere (just like the annoying pop-up ads on the web). I've been to some sites that are so obnoxious that I've had to disconnect my web connection to get the pop-ups to stop. Can this be prevented? Maybe- depends on your e-mail client and web browser. Compute carefully, folks. It's a wild web, and not everyone on it's nice. --Jon Bastien ...A network administrator and computer security technician in my day job.
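
As an added example that is not part of any post in this thread: a sketch of the attachment block list suggested above (.exe, .scr and .pif from Phil's post, .vbs from Jon's), written with Python's standard `email` package. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the thread: .exe, .scr, .pif (Phil) and .vbs (Jon).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs"}


def final_extension(filename):
    """Return the lower-cased last extension, the one Windows acts on."""
    # Windows drops trailing dots and spaces, so "a.exe. " still runs as .exe.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(raw_message):
    """Return filenames of MIME parts whose extension is on the block list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type "name",
        # and decodes encoded parameter values.
        filename = part.get_filename()
        if filename and final_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample(attachment_names):
    """Constructed test message; the attachment bytes are harmless filler."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body.")
    for name in attachment_names:
        msg.add_attachment(b"filler", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample(["trip-photos.jpg", "screensaver.scr",
                           "invoice.doc.pif", "setup.EXE", "macro.vbs"])
    for name in blocked_attachments(sample):
        print("would block:", name)
```

The check keys on the last extension only, so a double-extension name such as `invoice.doc.pif` is caught even though it looks like a document.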
 
Bob Howie

Thanks, Jon

Thanks, Jon. I think you've given the absolutely best explanation so far. Now a bit more about what happened to me. First, my machine here at home is maintained by a MCSE tech who works for me and all the "auto" features are disabled on the box. I have used McAfee and a couple others in the past, but only McAfee was running when this happened. I did not use a firewall. I am now. I am also no longer using Eudora. Having overseen the tech dept. of a city for 6 years and been instrumental in installing all the infrastructure computerizing said city, the techs and I agreed that all "auto" features would be disabled and inaccessible to change by anyone because of the problem you outlined. As it has been explained to me by the techs, there are some weaknesses or faults (maybe not the totally correct words) in Win98 that can be exploited and it's likely that whatever banged me took advantage of that. I don't know. I don't believe anyone actually ever fully knows totally what happened and how, so I think even the best brains in the business would have to rely at some point on just educated conjecture. Could something have been floating around in my box that was not disabled and permitted an "auto" function? Perhaps. I personally think that was unlikely, but one never truly knows, I guess. Anyway, today's a new day and really all I'm out is $329 which I consider a fairly small amount. WinXP is running just fine; so is Anti-Virus 2002 and ZoneAlarm Pro firewall. I'm using Outlook Express -- giving it a try, actually, at the recommendation of my ISP. And, everything is scanned coming in or going out to make sure I'm not sending poison pills. Folks, believe it when those in the know tell you that backups are worth their weight in gold!!! They truly are. And, like Jon recommends, compute carefully and take reasonable precautions.
 
Ken Shubert

My 2 bytes worth

I too lost a system to a virus so I switched to Norton's Antivirus and it updates weekly automatically. Frequent updates are absolutely necessary! Many of these "worms" exploit some of Microsoft's problems in Outlook or Express. If the Justice Department had its way, Microsoft would be sharing much more code with potential hackers too. It's possible to download programs to a "quarantine" file and sterilize it with some software.... but it'd have to be pretty important e-mail. I've received infected files from people I know sending e-mail that I'm expecting and they're oblivious to the problem or the cure. Word and Excel attachments are notorious "Trojan Horses". Ken S/V WouffHong
 
Jon Bastien

Thanks for reminding me, Bob...

I forgot to include a blurb about backups. I spent 5 years as a Help Desk technician, and have witnessed more people lose time, resources, and pay (in the form of unpaid overtime...) simply because they didn't take a relatively small amount of time once a week to back up data. The expression that comes across one's face when I ask them where the backups are can usually be described as a blend of anger, fear, and helplessness- because that's when they figure out that the data's pretty much gone forever. In 5 years, only 2 people smiled and produced recent backup disks. They are ESSENTIAL, if you value your data. Worth their weight in gold? TWICE that, at least! Don't count on your system admins to back it up, either- On many networks, the backup feature doesn't work very well, or the administrators have placed the responsibility on the user. </Rant mode> :eek:) Glad to hear you escaped from a potentially catastrophic system failure with only a small bump, Bob- Sounds like you're taking all the right steps to protect yourself against another incident. ...Say, aren't we supposed to be talking about sailing? --Jon Bastien H25 'Adagio' P.S.- Oh, your terminology about 'weaknesses' and 'faults' is a little off- Microsoft prefers to call them 'Features' or 'Enhancements'. ;oD
 