Posts Tagged ‘virus detection’

McAfee maintain a list and profile of nearly all the viruses out in the computer world, and also grade their current risk status. Computer users who want to keep themselves abreast of each new virus threat, would do well to consult this list occasionally.

It’s an illuminating line-up, bringing home to computer users the high levels of risk and danger that they face in their everyday dealings with computers.

Let’s take one day in particular, when McAfee drew our attention to three new Trojan viruses. On the 26th October, 2006, McAfee added to their list of viruses to look out for the following three names:

• Generic Dropper!bei!1938a8cf8776;
• Generic.dx!gcq!4894f6dd2862;
• Generic PWS.y!bce!eac18f0df91a.

All are trojans and before we take a quick look at the first one in the list, the Generic Dropper!bei!1938a8cf8776, lets remind ourselves what a trojan is.

Named for very apt reasons after the Trojan Horse in Greek mythology, a trojan is malware which appears to have a desirable, or necessary function, but in reality allows unauthorised access to a user’s computer. In other words, just like the Trojan Horse which was presented as a gift, only to conceal soldiers that gained unwanted access.

What distinguishes them from viruses and worms, is that they are not self-replicating. What’s more, to fulfil their evil deeds, they require a degree of interaction from the hacker, or cybercriminal. And trojans need not be faithful to their creators; hackers can, by using a port scanner to scan network computers, be on the hunt for an available trojan which will give them access to a vulnerable machine.

Because they don’t self-replicate, they have to be spread manually by unwitting computer users, or hackers. They are most commonly activated executing programmes distributed by e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Infection symptoms of the detection are the files, registry and network communication detailed in the McAfee virus characterisation section. Here McAfee provides bares the Generic Dropper!bei!1938a8cf8776 to the public, including file name (in this case virus.exe), its length (81,920 bytes) and its CRC (2581E782).

It’s known by other computer security companies as:

• Avast – Win32:Malware-gen;
• Avira – TR/Drop.Agent.AP;
• Dr.Web – BackDoor.IRC.Sdbot.4889;
• Eset – a variant of Win32/Injector.AEH;
• FortiNet – W32/VB.AD!tr;
• Kaspersky – Trojan-Dropper.Win32.VB.mwb;
• Sophos – Mal/VB-AD;
• Symantec – W32.SillyFDC.

Guest Article by Neil Camp

The world is plagued with a number of recurring viruses and if you are unfortunate enough to get one of the monsters below, then you can use a free tool from McAfee to not only remove it from your computer, but also help repair any damage that might have been done in the attack.

Take a look at the list below and if your PC is infected with one of these, then McAfee can help:

• Sasser (virus name) – McAfee Avert Stinger (removal tool);
• Bagle – McAfee Avert Stinger;
• Zafi – McAfee Avert Stinger;
• Mydoom – McAfee Avert Stinger;
• Lovsan/Blaster – McAfee Avert Stinger;
• Klez – Klez Removal Tool;
• Bugbear – Bugbear Removal Tool.

Let’s take a look at one of the best known of the suspects above: Sasser. This can be removed using the McAfee Avert Stinger tool. With the Sasser, the indication that you have been infected comes with the prescence of the file avserve3.exe and registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve3.exe" = C:\WINDOWS\avserve3.exe.

The Sasser, which is known in the trade as a worm, spreads by exploiting a Microsoft software vulnerability and it spreads from machine to machine with no user intervention needed.

It employs a propagation mechanism which has been used many times before. Basically, Sasser spends its time scanning random IP addresses in the hope that it will spot an exploitable system. When it comes across such a system, the worm exploits it by overflowing a buffer in LSASS.EXE. And it creates a remote shell on TCP, port 9996.

Once that’s been achieved, it creates an FTP script which is named cmd.ftp on the remote host and executes it. Then the FTP.EXE application, via the FTP script, is used to retrieve the worm back to the remote host, from the infected machine. After that particular process, the worm is then executed. What happens then is that the FTP script instructs the victim computer to download and execute the worm from the infected host.

Sasser come sunder many guises, including Sasser.G, W32. Sasser and Worm.Win32Sasser.g. (this often depends on which anti-virus programme has labelled a particular virus).

The McAfee Avert Stinger is a stand-alone tool which is used when a particular virus needs to be detected and then removed. McAfee make it clear that it is not to be used instead of anti-virus protection software, but as a specific tool when dealing with a particular type of virus attack.

Guest Article by Neil Camp

McAfee, like all computer security companies, see spam as one of the main enemies in the computer age.

Spam is a waste of everyone’s time, clogs up the ether with its pointlessness and is it a major carrier of computer viruses. It serves no purpose whatsoever and if the world were rid of it, then 80% of the email traffic would drop overnight.

So what can you do to avoid spam? Here’s some top tips.

Top tip is do not spread your email around. Never post your e-mail address in an unobfuscated form on the Internet. But if you have to post your internet address, make sure you obfuscate it in such a way that it cannot be harvested. Better still, create a small graphic image that contains your email address, as the harvesters cannot read this. Bear in mind that spammers play the numbers game. They trawl for millions of addresses out there and guess others with specially created computer programmes. Don’t make their life easy.

Another top tip is checking to see how visible your email address is. Type it into a search engine and see if it has been posted into in any newsgroups, or discussions forum, and see if you can remove it, as this might be a good way to cut spam down.

Also consider using a number of email addresses, say one for friends and family, and one for business. This way you can greatly reduce your chances of spam. You could easily create an address that you only use for newsgroups and such places, and then, if it become burdened with spam, drop it altogether. Don’t be afraid of changing your email address as a way of avoiding spam.

Another good way of foxing the spammers is having a complicated email address made up of numbers, as well as letters, and a part of it made up of random sequences. This works against dictionary attackers.

When it come to completing web forms, always have a look at the website’s privacy policy, as avoid giving your email address, or indeed, any other personal details, to a site which admits that they sell them on to third parties. If you can, check the box which opts you out of third party mailings.

A very important rule this – never respond to spam, ever. Because a spammer lives for a reply and even if you innocently send a request saying you’d like to be removed from the list, this confirms to them that the address is valid, you have seen the email and indeed, you have replied. This means that your email address is basically in-play. Your name could then be added to a list of working email addresses which could be very valuable to the spammer and sold between them.

Along the same lines as the last point, never, ever buy anything from a spammer, or goods which have been brought to your attention via spams. Once sending spam become unprofitable, then it will die.

Get into the habit of as soon as you see the spam message, delete it. Do not open it. By using graphics within the spam email, spammers are able to track who received it and who opened. This is why many email providers give you the option of opening the graphic image within the email – resist that temptation. Simply bin it.

Do not use links within emails (always go to a site via your web browser, or your own bookmarks), and never reply to emails, purporting to be from a site you know, asking for financial information, or personal details. Guard such data vigorously.

Above all else, ensure that your anti-virus software is up to date and that your firewall (designed to stop people not only breaking in, but taking goods out), is also doing its job.

Guest Article by Neil Camp

When it comes to detecting viruses and preventing attacks, the McAfee has some good advice for computer users.

Top of the tip list is beware of what you open. In other words, do not open any files that are attached to email, instant messages, or offered as downloads, unless you are completely confident about their origin.

Even if a file is from a friend, or from someone you know, still be careful as people can have their mailbox hijacked and emails sent from their computer without their knowledge. This means that an email might find yourself in your inbox from what you think is a trustworthy source, only for you to find out that it is far from trusty. Best thing to do is just check that your contact has indeed sent you an email with a file.

Keep an eye open for suspicious subject lines in emails. This is usually a dead giveaway that something is wrong. If it looks odd, it usually foretells trouble and its best to delete it without opening it at all.

Chain emails might seem charming to some, but they effectively are spam and go towards clogging up the ether whilst serving no real purpose. Delete and avoid expanding the chain. Bear in mind that over 80% of emails sent around the world are spam.

When it comes to downloading files off the internet, be very careful indeed. There are many free things on the internet and not all of these are good. Many screensavers, games, or seemingly useful bits of code can harbour nasty viruses that end up attacking your computer. So ensure you know where that file is coming from. Also watch out for innocent looking media playing devices which a site might say is necessary when downloading and watching film clips. These are often bits of code which do a lot more than let you watch some film. They often contain viruses that open up your computer for the cybercriminals to march around unhindered.

Okay, and this might seem obvious, but to many it’s not: get anti-virus software on your computer. Do not send, or receive emails, and do not surf the internet without very good protection from a credible anti-virus software programme. And be wary of any box that suddenly flashes up and warns you that it has detected a virus and you must download a programme to remove it immediately. These are usually tricks to get you to download malware – code that sits on your computer and opens you up to attack from cybercriminals.

McAfee anti-virus programmes, like all such good applications, continuously updates from the internet, meaning that you are protected from new viruses and sudden attacks.

Back-up your files on at least a weekly basis, if not a daily basis. Regular and proper back-up means that should you be unfortunate to catch a major virus, then you won’t lose all your files and work, as well as have an effectively useless computer.

Also, check with the developer of your operating system for any updates, or patches as they are commonly known. These are sent out to close holes – known as bugs – in software code which cybercriminals use to find a way into a system. Most updates or patches are automatic, but do ensure your system is completely up-to-date.

Above all, if you think it doesn’t smell right, then always err on the side of caution. Be suspicious and it might just save you a lot of time and money.

Guest Article by Neil Camp