The magazine of the Melbourne PC User Group

Viruses
The DOS Doctor

When the computer starts up we get strange error messages about programs we don't have... The computer seems to be running very slowly and freezes up lately... Do you think we might have a virus? We've got a virus program - we don't understand what is happening.
 
This type of conversation is repeated all too frequently these days. Currently a sizeable portion of my work is repairing computers after they have been infected with a virus. This is certainly far more costly to clients than if they had purchased and used a reputable virus scanning product. If all their data has been lost, as it can be, I cannot help them. Many of the people who fail to use an antivirus program also fail to have any useful backup of their data.

Many times the user is unaware the computer is infected and may carry on using it for days or weeks with the possibility of all sorts of compromises to the security of their data and their software. Many viruses operate in the background sending information over the Internet about user habits, or personal details including passwords and credit card numbers. The worst types of viruses may simply delete your data files or the entire hard drive contents. Without backup you are back to square one with a computer that is useless to you, and all your irreplaceable, personal data, gone forever.

Backing up of data should be done regularly but many users would rather someone else did it for them. It's all too difficult for many people. They justify to themselves that nothing will ever happen to their data. It is not very important so why bother? It's all too hard. They will never get a virus as they are so careful with e-mail and only open attachments from people they know. They will never have a theft from their premises and besides, hard drives are so reliable these days. They paid extra to get an extended warranty that will cover them against any failures.

Nothing could be further from the truth. Any one of those scenarios could and does happen day after day to hundreds of computer users here in Australia. Hard drives still fail, even when they are sometimes only days or weeks old. No warranty ever covers you for loss of your data. Everyone will get at least one virus infection on their computer at some time and some users who never learn will possibly get a lot more. Incidentally, most viruses these days come by attachment from friends or other people with whom you have corresponded via e-mail. Fire and theft are easily understood so it makes sense to relocate whatever backups you have to a different location, away from the computer, to cover those situations.

There are many virus scanning products available. The most popular in Australia are Norton, McAfee, and VET. Some special products are available for large networks and there are also some Freeware products. I consider it worth the relatively small expense to purchase a commercial product, to ensure you have the best possible protection, not to mention the services available from the product's representative in the case of a serious virus infection.

The need to keep the virus scanner's database (sometimes called signatures or data files or virus definitions) up to date is paramount, as all virus scanner products perform the same basic function. They use their database to compare known virus code with the binary code in the files on your computer's hard drive.

In excess of 55,000 viruses are now known to exist, with many more being written and released every day. If your data files are two to three months out of date, then you have no protection against the latest viruses, and those are the ones that are usually circulating the most throughout the world at any given time.

I had a call from a regular client late one Friday. Her computer had a virus infection. Once she had run her Norton Antivirus program to remove the virus she could no longer use any of her applications. Yes, I would come over next morning and see what I could do.
 
When I arrived on Saturday it was obvious that the computer was infected with the W32.SirCam.137216 Virus/Worm. The trouble was that my client had been a little late in using the update features of her Norton AV. The first she knew about this virus was via warning e-mails from friends informing her that recent e-mails she had sent out were infected. Of course my client immediately used the update feature to retrieve the latest virus definitions and then ran the Norton AV program. Norton AV correctly identified the SirCam Virus and deleted it. The trouble was, because the computer had already been infected (the virus had already done its nasty work), the subsequent effect of the virus file deletion was that no executable files would operate on her computer (i.e. most programs).
 
An effect of the SirCam virus and its predecessors like the Navidad virus is that they alter the Windows Registry to change the default settings for executable files. From the user's point of view the computer appears to function normally once infected and all programs run as normal. Please realise that things are definitely not normal; it is only due to a bug (software error) in this virus program that the intended payload (deletion of all files on the C: Drive) is not activated. In addition, this virus is sending itself to everyone in your e-mail address book!
When some antivirus programs (in my client's case Norton AV version 4) are run on an infected computer, automatic deletion by the program of the actual virus file (SirC32.exe) is the natural action to take. Because of this deletion, the actual virus file is no longer present as required by the amended registry settings for executable files, therefore no programs (including the registry editor, REGEDIT.EXE) are able to be executed. One exception is My Computer; a few other simple things are also unaffected.

The amended entry in the registry is shown below, with SirC32.exe needing to be present in order for you to be able to execute a program (run an executable file).
HKEY_CLASSES_ROOT\exefile\shell\open\command="C:\recycled\SirC32.exe" "%1" %*

The registry needs to be corrected to the default setting as shown below. If I had been able to use REGEDIT.EXE, correcting this would have been simple and easy.
HKEY_CLASSES_ROOT\exefile\shell\open\command="%1" %*

This is the state my client's computer was in when I arrived. No programs were able to be run. The client was using Windows 95. What options were available?
 
With the virus itself removed from the computer I could have simply started from a boot diskette and while in DOS, reloaded Windows 95 from the client's CD-ROM. This would reset the registry entry to the correct value, without the reference to SirCam.
 
Had my client been using Windows 98 I could have used a prior registry backup. This is a major advantage of Windows 98 and subsequent Microsoft operating systems because there is an automatic backup of five days worth of critical files. These files are the registry (SYSTEM.DAT and USER.DAT) plus WIN.INI and SYSTEM.INI. The files are contained in cabinet (.CAB) files normally located in the C:\WINDOWS\SYSBCKUP folder and named RB000.CAB, RB001.CAB etc.

If this option was available I could have used the F8 key at startup and selected from the menu to halt at "command prompt only". Typing SCANREG.EXE from the Windows folder would show a list of previous backups and maybe allow me to use one from a time before the infection, when the registry entry had been correct.

The simplest option, and the one I took, was to use a special .INF file I had on diskette for such occasions. INF files are typically used to install driver software for items such as modems, video cards, sound cards and the like. From the VET Web site I had downloaded a copy of an .INF file that would reset the registry to the correct settings for executable files and allow all programs to operate. Using "My Computer" I explored the diskette drive and located the SirCam.INF file. Using the right mouse button whilst pointing to this file I selected "install" from the menu and within one second the registry settings were corrected. The Symantec (Norton AV) Web site also offers a special file to correct this setting.
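As an added illustration of the repair described above (this is not the VET or Symantec file the author used), here is what such a registry-fixing .INF looks like; the section names are my own choice, and it restores only the exefile association shown earlier:

```ini
; Added example modelled on the repair described in the article; it is not the
; VET or Symantec file. Right-click the .INF in Explorer and choose "Install".
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
AddReg=RestoreExeFile

; AddReg line format: root, subkey, value-name, flags, value
; An empty value-name targets the key's (Default) value; empty flags = string.
; Inside an INF string a literal " is written as "", so """%1"" %*" is stored
; in the registry as "%1" %*  (the Windows default quoted in the article).
[RestoreExeFile]
; Infected value left by SirCam, for comparison only (do not install this):
;   HKCR,"exefile\shell\open\command",,,"""C:\recycled\SirC32.exe"" ""%1"" %*"
; Correct Windows default:
HKCR,"exefile\shell\open\command",,,"""%1"" %*"
```

Because Explorer's "Install" action runs the setup engine rather than the exefile association, this works even when no .EXE can be launched.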

Incidentally had my client been using VET instead of Norton AV the clean up procedure invoked with VET would have deleted the virus files and reset the Windows Registry automatically. I like the VET product very much for its intuitive virus removal techniques. Even though these days VET is owned by an overseas company I believe the product is still written and supported from here in Melbourne. This is not to say other products don't do a good job. However, older versions of products whilst recognising viruses, do not provide complete cleanups and may create the situation faced in this instance.

In another recent virus episode I was called to a home computer that was running very slowly. Internet use had become erratic and new error messages at startup complained there were not enough stacks available. This message worried me as stacks was a variable setting harking back to the old DOS days before Windows 95/98. The default setting controlled by the IO.SYS file in Windows 95/98 was the normal maximum. I was warned before I arrived that others had gone over the computer and failed to rectify its performance or correct the error message. Therefore, I approached the job with trepidation.

Noticing that the user had a modem and an Internet connection, I set about checking to see what virus scanner, if any, the user had been operating on his computer. He had VET, but unfortunately the virus data files were more than 12 months out of date, leaving him exposed to the thousands of new viruses released during that period. He did have a current licence from VET but had been unsure how to update the data files.
 
Quickly I set about downloading the latest update file and installed it. When I rebooted, instead of the error messages, VET identified and deleted two different viruses. Within 20 seconds the problems were identified, the offending virus files removed and configuration settings automatically corrected. I followed up with a complete scan of his whole hard drive. The complete scan identified a macro virus in many Word documents and some remnants of the two major viruses. Upon a subsequent reboot the computer started without error messages and a check of Internet performance proved it to be back to its normal response, without the lag he had been experiencing.

Incidentally, of the three different viruses removed, two were of a type that send data back to a server somewhere in China. One was specifically looking for any password files or data on the computer and capturing keystrokes when the user was typing passwords.

I hope readers either have an up-to-date virus scanner product or, if not, purchase one immediately. I know, however, that an ever increasing amount of my future computer repair work will be removing and repairing virus damage.

The doctor may be contacted for comments and suggestions at dosdoctor@wordpainters.com. We do not guarantee that all correspondence will be answered.

Reprinted from the November 2001 issue of PC Update, the magazine of Melbourne PC User Group, Australia
