Log in ....Tribune

Dot.ComLatest in ITFree DownloadsOn hardware

Monday, April 22, 2002

Deadly 10 you should be aware of
Vipul Verma

THE virus threat on the Internet is unlimited and during the recent past some deadly viruses devastated millions of computers the world over. Most of these viruses entered the computer through e-mail attachments and have caused losses ranging from data deletion to even bringing down the computer systems and servers. Some of the recent viruses, which have created havoc among the computer users, are described below:Illustration by Rajiv Kaul


This is a recent version of the notorious Nimda worm, which is fast spreading and has been rated as low risk by the experts. But nevertheless it is destructive in nature and can cause damage to your data and system. It is also known as NIMDA.A-O. Like its previous version, this virus also arrives through the e-mail attachment with a file called README.EXE, with no text in the message body and also without any subject. However, the worst feature of this virus is that unlike other e-mail attachment viruses, it gets activated without being opened by the user as it uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. Thus, if you have received this virus and even if you have not opened it, you are running a potential threat of attack by this devil. The first clue that you have got this virus is that your favourite Media Player will usually open Winamp or Windows Media Player. Moreover, since you cannot see the embedded .Exe file in Microsoft Outlook, thus the problems could be even more severe. It can get spread by 4 ways, which includes e-mail, network shared drives, unpatched IIS servers and file infection. The solution to this virus is available with all major anti virus companies like Norton from Symantec Corporation, McAfee, Sophos, Trend Micro.



Another worm from the Nimda den. This is also known as W32/Nimda.E@mm, PE_NIMDA.E-O, NIMDA.E. This worm is quite similar to the one mentioned earlier as it is also being rated as a low risk virus but is destructive in nature. This is also basically an Internet virus and spreads via e-mail but can also enter your system by visiting a Website hosted on an infected system, via open network shares; via unpatched IIS systems (both 4.0 and 5.0). However, it arrives with an attachment called SAMPLE.EXE. This virus is equally deadly as the PE_NIMDA.A-O and by exploiting the known vulnerability in Internet Explorer and IIS systems, it exposes your system to a great risk as it makes irreversible changes by changing user-specified values in such a way as to open the system to further attack. Thus over a period of time all original values are lost. This virus also works as a file virus infecting Win32 Portable Executable programs as well as files with extensions: html, htm, asp. In case of infection by this virus, the first possible solution is disabling the shared drives on your system. If disabling the shared drives is not possible, then allow only read access and then by using the modern antivirus tools, hunt down the virus and restore your data.



Another deadly virus on the prowl is FUNLOVE.4099. This is again a Win32 category virus, rated by experts as low risk virus, but is a fast-infecting, memory-resident Windows ’95, ’98 and NT virus that also spreads to network shares and, under NT, can interfere with security. Though this is not a new virus yet has been affecting computer users since late 1999. This virus attacks all Win32 type files such as .EXE, .SCR, and .OCX in all Windows-based systems including Windows 9X, NT, 2000. This virus also propagates through the shared network folders with write access and then attacks the files prone to the risk. Now when the infected file is being run, this virus swings into action and created the file FLCSS.EXE in the system directory. It then extracts its code from the end of the infected host, writing this code into FLCSS.EXE, which is then executed. However, this virus is not destructive in nature but it exposes the security loopholes of the system.



This is one of the recent viruses on the prowl and is rated as medium-risk worm. Though this virus is rated as non-destructive in nature yet since its pervasiveness is of high nature, thus it is deadly virus to combat. Some of the aliases of this virus are WORM_MYPARTY.A, MYPARTY.A, MYPARTY, W32.Myparty@mm. MYPARTY, which came into light on January 27, 2002, arrives as an attachment with your e-mail with the subject: line - 'new photos from my party!' with the message in the message body


My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks! This real catch of this e-mail lies in its attachment, which is www.myparty.yahoo.com. This is actually an .exe file, which is being renamed to .com, in order to befool the person who gets this email. On double clicking the attachment file, the virus swings into action, and it checks the local operating system, date and the file name, from where it has been executed. Basically, this virus multiplies itself with the addresses available in your address book and sends itself to all your contacts. This virus also sends an address at gala.net, which is presumably monitored by the creator of the virus as it only contains the count of the number of messages distributed from the infected machine. The unique thing about this virus is that it affects the Windows 98 and Windows NT machines differently.



This is a new version of the Win32.Magistr.24876 virus, recognised as a destructive virus. Like its predecessor, this new variant is also a highly destructive and pervasive virus, and gets spread by the e-mail. The working of this virus is though like other viruses as it affects the Windows ’98, NT, 2000 system and attack on Windows executables files infecting Windows executable files, and then mails out the infected files over the Internet, and spreading itself over a local network. This virus actually uses its own SMTP engine to deliver the files containing the virus and attacks the address books available on your system, which includes not only the Outlook address book, but also Windows address book, Eudora address book etc. Thus, it attaches the infected file with the e-mail with the subject, body, attachment name constructed at random from .txt or .doc files found on the infected machine to all entries listed on your address book. This is a deadly virus and can erase hard drive data and CMOS/ Flash memory on Win9x systems, within a shorter time span. This is a deadly virus and is rated highly destructive and is also known as Win32.Magistr.29188, W32/Magistr.B, I-Worm.Magistr.b, , PE_MAGISTR.B etc. This virus carries its payload through the attachment to the email, which could also contain some non-common attachment formats like .DOC, .GIF, and .TXT etc.



This is now relatively old but is still the chart topper. It is rated as high-risk virus and is also known as Win32.SirCam.137216, Win32.SirCam.137216, W32/SirCam.A, SCAM.A, TROJ_SCAM.A, . This is also an Internet virus, which spreads through the e-mail. This worm comes with the message, which could be either in English or Spanish language and has the message as follows

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks.

Though there is one more line in the message, but it may vary. The infected attchment, which comes with the e-mail, has though a variable name, but has two extensions against the common one extension. These extension may be "PIF", "LNK", "BAT", "EXE" or "COM". On running these files, the virus attacks the system and comes into action, when the Windows restarts. It gets further active, when any .exe program is being run. This worm then gets a list of .DOC, .XLS and .ZIP files in the "My Documents" folder. It then adds one of these files to the end of itself and stores itself in the Recycled folder. Now, it adds the second extension after the first extension and it attached to the email, which is being sent by the infected machine. As mentioned earlier, it is a deadly virus and can delete all files, directories and sub-directories, on the partition, where the Windows is loaded.



This is also an Internet worm, which spreads through the e-mail. However, the risk associated with this virus is relatively low as it has been rated as low risk worm. This virus is essentially a variant of the virus BADTRANS.A and is also known by the other names like W32/Badtrans-B, BADTRANS.B, W32/ Badtrans@MM, W32.Badtrans.B@mm, W32/ BadTrans.B-mm. This virus propagates via MAPI32 client by replying to all contacts in your address book by replying to all unread and read messages and attaches itself with the reply and normally has randomly chosen double extension file name. When the receiver of the infected mail opens the infected attachment then the worm copies it self to the Windows system directory as Kernel32.exe, it modifies the registry to deliver the payload next time the system is rebooted. That’s not the end to the mischief of this virus as it may also spy on your system, by placing a keylogging Trojan with a file named as KDLL.DLL. This Trojan spies on the critical information of your system like the username and password and send them via e-mail to a particular e-mail address, which could sometimes be risky for your overall security in the cyber world. Like other recent viruses, this virus also detects the security holes in the Internet Explorer and thus when the user views an HTML e-mail with which the worm is attached then the Internet Explorer launches the attached program automatically even without actually opening by the receiver of the e-mail.



Another deadly virus on the prowl and has been rated as a medium risk destructive virus. This virus is also known by the nicknames like GONE.A, WORM_GONER.A, I- Worm.Goner, Gone, W32/Goner@MM, Win32.Goner.A@mm, W32/Goner.ini, W32/Goner-A, Pentagone and it spreads via e-mail and attacks the Microsoft Outlook. This was basically masquerades as a screen saver and can also attack the ICQ and MIRC users. It is a memory resident worm and has been complied in Visual Basic. Since this virus is destructive in nature so it also deletes some of your critical flies in the memory that are crucial for running the application. Thus in this way, it brings on your system to halt. This virus arrives with an e-mail message with the subject line "Hi" and with the attachment "gone.scr". The message, which is normally accompanied by this e-mail read something like

How are you ?

When I saw this screen saver, I immediately thought about you

I am in a hurry, I promise you will love it!

Therefore, this is a destructive virus and can cause serious damage to your system.



This is a Java script Trojan , which has been rated as low risk and non-destructive in nature. However this virus changes the start-up page of the Internet Explorer in the infected machine. This is also an e-mail virus and propagates by mass mailing from the infected machine. It is also known by the names like HTML.VMExploit, EXCEPTION, EXCEPTION.GEN, Coolsite, Coolsite.A etc. This virus attacked the security hole in the Microsoft virtual machine to deliver its payload. However this payload is non-destructive in nature in most of the cases and normally it changes the button caption, redirects the link to a particular Web site and also the changes the appearance of Internet Explorer. But it is not been reported for any destructive payload like deletion of files and critical information etc.



With this virus, it is adequately proved that the Internet and cyber world are the biggest threat for the virus attack. All of the top-10 viruses of this month are found to be propagating through e-mail and the Internet. Maldal.E virus is also an e-mail virus, which is reported to be of high risk and destructive in nature. This virus attacks Microsoft Outlook to propagate itself and send it to all contacts in the address book. The virus attaches itself with the e-mail with the subject line of the computer name of the infected PC that sent the message. It also carries a message in the message box, which could be any one of the long list of the messages, which includes Test this game, I wish u like it, I have got this file for you, Surprise !!!, download this game and have fun, desktop maker ,you may need it , have you ever got a gift, What women wants, Don't waste any time ,Subscribe now , Make your pc funny !, new program from my fun groups, Map of the world, Create your Ecard, looooooooooooooooool, Send it to everybody you love , Its made by me, Our symbol, If you have an elegant taste, Test your mind, 1 + 1 = 3 !!!, Singer , search for any song and sing, For everybody wants to marry a woman that he doesn't love! nowadays, there is no womanhood !!, Just Try to fix it, Keep these advertisements run and earn and earn 0.25 $ per 10 minute, See this file etc. The e-mail may arrive with any of these messages. But this virus has destructive payload, which actually deletes some of your critical files. This virus is reported to be carrying the payload to delete the filenames with extension .com, bat, mdb, xls, doc, lnk, ppt, jpg, mpeg, ini, dat, zip, txt.