Kenn's Tech Notes

20010502: That Virus is No Joke!

May/2001
Tech Note #2

A few weeks ago, I had occasion to look at a workstation which had an odd problem. Most of the desktop was covered by a hypnotic, whirling, spiral vortex of black and white which could not be stopped or sent to the background. By booting into DOS mode, I was able to determine that the application in question was being launched by the run= line in WIN.INI. The line looked something like this:

run=KAIKUKOE.EXE

I removed the reference from WIN.INI, rebooted the machine, and everything appeared to be back to normal. I thought someone had perhaps played a trick on this user. I e-mailed myself the executable, so that I could check the Internet for further information about this prank. When I got back to my workstation, I was welcomed by a message from my anti-virus software informing me that I had been e-mailed a file called KAIKUKOE.EXE which contained the virus W32/Hybris.gen@MM.
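The run= and load= lines in the [windows] section of WIN.INI are a classic Windows 9x autostart location, which is exactly why the worm planted itself there. The following script is an added example (not part of the original tech note) that parses a WIN.INI file, lists every program started from those two keys, and flags entries whose file name is a bare eight-letter stem, the pattern the random-named executable in this note follows. The sample WIN.INI text is constructed; apart from the run=KAIKUKOE.EXE line quoted above, its contents are placeholders, and the allowlist parameter is a hypothetical convenience for names a tech has already verified.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample WIN.INI, modelled on the run= line quoted in the note.
# Everything except "run=KAIKUKOE.EXE" is placeholder content.
SAMPLE_WIN_INI = """\
[windows]
load=
run=KAIKUKOE.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# run= and load= in the [windows] section start programs at every login.
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>run|load)\s*=\s*(?P<value>.*?)\s*$", re.IGNORECASE)
# The worm in this note used a random eight-letter file name; flag bare
# eight-letter stems as a heuristic (a tech still reviews every entry).
RANDOM_STEM_RE = re.compile(r"^[A-Z]{8}$", re.IGNORECASE)


def autostart_entries(ini_text):
    """Return (key, program) pairs from run=/load= in the [windows] section."""
    entries = []
    section = None
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        if section != "windows":
            continue
        m = KEY_RE.match(line)
        if not m or not m.group("value"):
            continue
        # WIN.INI separates multiple programs on one line with spaces or
        # commas; 8.3 names on Windows 9x do not contain spaces themselves.
        for program in re.split(r"[,\s]+", m.group("value")):
            if program:
                entries.append((m.group("key").lower(), program))
    return entries


def looks_like_random_name(program):
    """True when the file name (without extension) is exactly eight letters."""
    stem = PureWindowsPath(program).stem
    return bool(RANDOM_STEM_RE.match(stem))


def audit_win_ini(ini_text, allowlist=()):
    """Report every autostart entry; 'suspicious' marks random-looking names.

    allowlist (hypothetical helper parameter) holds file names a tech has
    already verified, so they are reported but never flagged.
    """
    allowed = {a.upper() for a in allowlist}
    report = []
    for key, program in autostart_entries(ini_text):
        name = PureWindowsPath(program).name.upper()
        report.append({
            "key": key,
            "program": program,
            "suspicious": name not in allowed and looks_like_random_name(program),
        })
    return report


if __name__ == "__main__":
    for entry in audit_win_ini(SAMPLE_WIN_INI):
        flag = "SUSPICIOUS" if entry["suspicious"] else "review"
        print(f'{flag:10} {entry["key"]}={entry["program"]}')
```

Run against a copy of a workstation's WIN.INI (for example one pulled while booted to DOS, as in the note), the script reports "SUSPICIOUS run=KAIKUKOE.EXE" for the sample. The heuristic is deliberately narrow: any non-empty run= or load= entry on a Division workstation deserves a look, and the flag only draws the eye to the naming pattern this particular worm uses.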

I looked up this virus, and discovered that this executable and the reference to it in WIN.INI are only the tip of the iceberg. This virus originated in South America in October 2000. McAfee Anti-Virus DAT files have detected and cleaned it since October 25, 2000. The virus contains multiple components: it infects WSOCK32.DLL using a battery of different methods, e-mails itself to other computers, downloads plugins from the Internet, posts plugins to a newsgroup every full moon, and the executable which runs via WIN.INI is given a random eight-character name. It is never the same twice. The plugins are signed using public-key cryptography, and only the virus author has the private key to approve which plugins will be accepted by the virus. The spiral graphic is only one of numerous plugins which may be run on the infected machine.

In order to fully clean this virus from a system using McAfee's software, you must boot into single-mode DOS, or from a floppy, and use the command-line scanner with the latest DAT files to run SCANPM.EXE C: /CLEAN /ALL. And after that, you still have to restore the original WSOCK32.DLL file.

However, the point of this tech note is not to alert techs to this particular virus. If you are interested in more information about W32/Hybris.gen@MM please see this web site.

The message I would like to get out to all Division techs is that the viruses of today are vastly more sophisticated than the viruses of old. W32/Hybris.gen@MM is just one of literally thousands of viruses we may encounter. Every virus has its unique characteristics and poses a different threat. Although workstations should have their DAT files updated weekly, even this precaution is not sufficient protection. A computer which has been infected prior to updating the DAT files has no guarantee that the DAT update after the fact will fully clean, or in some cases even detect the existing virus! Depending on the virus and how the anti-virus software is configured, the tech may have to take comprehensive individual action, such as in the example above.

Because our standard anti-virus configuration no longer uses ScreenScan (see September/1999 Tech Note #2 and the WSD1 Windows 9x Anti-Virus FAQ), there is no regular virus scan of all files on the workstations. Only "incoming" files are checked.

The viruses of today can not only infect boot sectors and executables, and format hard drives, they can infiltrate the system, flash the BIOS, propagate and update themselves, and if there's some other sort of damage that you can imagine they might do, there's either a virus out there that will do it, or someone's writing that virus right now.



DISCLAIMER: This document is intended for the reference of computer support personnel within Winnipeg School Division No. 1. There is no warranty or liability if procedures recommended here have an adverse effect on any systems. Use them at your own risk. Any trademarks mentioned are the property of their owners, none of whom have certified any information provided here. Opinions expressed here are personal only and do not represent the policy of Winnipeg School Division No. 1 or any other organization anywhere.


This page was updated 2001 June 9.

