Community Articles

Dealing with Computer Viruses

Bill Alderson, Technology Consulting Officer, NetQoS, Inc.

Recently, several nasty viruses emerged, including the now famous ILOVEYOU virus. Unfortunately, many systems had first-hand contact with that particular virus.

Since May 26, 2000, the anti-virus community has been tracking a new worm known as VBS_STAGES. According to the National Infrastructure Protection Center (NIPC), VBS_STAGES can spread through PIRCH, ICQ, mIRC, and Outlook. When someone receives an e-mail carrying the worm, the e-mail might have a shell scrap file attached, named LIFE_STAGES.TXT.SHS. After depositing this file, the worm deletes the registry entry and then creates 10 random files throughout the system. The worm does not damage existing files, but it can overload e-mail systems. To positively identify the rogue e-mail, watch for an attachment size of 39,936 bytes. The subject field of infected messages contains the text Life Stages, Funny, or Jokes; the subject might be prefixed with Fw: and might be followed by additional text, but not always.

The infected e-mail relies on how Windows handles shell scrap (SHS) files. Even if you configure the operating system to show all file extensions, the SHS extension remains hidden, so the file appears as LIFE_STAGES.TXT and some users take it for a plain text file. When you open the file, a joke about life's stages appears while the worm is silently installed in the background. If you save the file to disk, Windows Explorer shows it with a file type of Scrap Object. Only at a system (DOS) prompt in Windows 9X or NT is the full SHS file extension visible.
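The indicators above (subject keywords, the LIFE_STAGES.TXT.SHS attachment, the 39,936-byte size, and the hidden .shs extension) can be checked mechanically at a mail gateway or in a mailbox export. The following Python script is an added example written for this page; it is not code from the original article or from NetQoS. It uses only the standard library, and the sample message it builds is constructed (filler bytes in the attachment, example.invalid addresses), not a captured copy of the worm.

```python
"""Added example, not code from the original article: flag an incoming
e-mail that shows the VBS_STAGES indicators the article lists (subject
keywords, a LIFE_STAGES.TXT.SHS attachment, a 39,936-byte attachment) and
show the name a Windows user would actually see. Standard library only;
the sample message is constructed here, not a real capture."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the article.
SUBJECT_WORDS = ("life stages", "funny", "jokes")
ATTACHMENT_NAME = "life_stages.txt.shs"
ATTACHMENT_SIZE = 39936            # bytes
HIDDEN_EXTENSION = ".shs"          # Windows hides .shs even with "show extensions" on


def subject_matches(subject):
    """True if the subject carries a known keyword; an optional Fw:/Re: prefix
    and any trailing text are allowed, as the article describes."""
    stripped = re.sub(r"^\s*(?:fw|fwd|re):\s*", "", subject or "", flags=re.IGNORECASE)
    lowered = stripped.lower()
    return any(word in lowered for word in SUBJECT_WORDS)


def displayed_name(filename):
    """The name Explorer shows: the trailing .shs is suppressed."""
    if filename.lower().endswith(HIDDEN_EXTENSION):
        return filename[:-len(HIDDEN_EXTENSION)]
    return filename


def check_message(raw_bytes):
    """Parse one RFC 822 message and return the list of indicators found."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    if subject_matches(msg.get("Subject", "")):
        findings.append("subject keyword")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(HIDDEN_EXTENSION):
            findings.append(
                f"shell scrap attachment {name!r} (shown to the user as {displayed_name(name)!r})"
            )
        if name.lower() == ATTACHMENT_NAME:
            findings.append("known attachment name")
        if len(payload) == ATTACHMENT_SIZE:
            findings.append("attachment size 39,936 bytes")
    return findings


def build_sample():
    """Constructed sample mirroring the article's description; the
    attachment body is filler bytes, not the worm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Fw: Jokes"
    msg.set_content("Check out this joke about the stages of life.")
    msg.add_attachment(b"\x00" * ATTACHMENT_SIZE, maintype="application",
                       subtype="octet-stream", filename="LIFE_STAGES.TXT.SHS")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample()):
        print("indicator:", finding)
```

The size check is deliberately applied to the decoded attachment, since the base64 text on the wire is about a third larger than the 39,936 bytes the article quotes. A message that trips only the subject keyword is a weak signal on its own; the attachment name and the hidden extension are the ones worth alerting on.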

How do you protect yourself against this virus and other existing and future threats of this type?

The good news is that major anti-virus tools have been updated to recognize and eliminate this particular virus. Unfortunately, because new viruses are born almost daily, it is critical that you adhere to the following guidelines to reduce your risk of infection:

1. Keep your virus detection software up to date. Check the vendor's web site frequently to obtain virus signature updates. Also always install the current version and patches for your e-mail client and related software.

2. Stay informed. Check virus and other security alerts regularly using one of the major security alert sites such as http://www.cert.org or http://www.sans.org. You can also obtain virus warnings from your anti-virus vendor’s web site.

3. Stay safe. Do not open unsolicited or unknown e-mail attachments. Because you can activate some viruses simply by previewing infected e-mail messages, disable the preview feature in your e-mail client software.

These common sense tips might help you prevent infection by VBS_STAGES or similar viruses. Because many of us will be unfortunate enough to have this virus invade our organizations, it is important to know how to recognize it. More importantly, be prepared to gather forensic data about this or other virus infections to help you determine who sent the rogue file. Examine the following analyzer decode of a POP3 (Post Office Protocol 3) frame. This is an example of what you might see if the VBS_STAGES virus was sent to your organization:

[Figure: analyzer decode of the POP3 frame carrying the infected e-mail (image not reproduced; line numbers referenced below refer to this decode)]

Line 7 shows the e-mail sender and Line 8 gives the recipient’s address. Line 9 shows the Jokes signature subject. Line 10 contains the message date and time. Line 26 provides the attachment name, which confirms that this e-mail contains the interesting file. Lines 32 and 33 further verify the attachment. The decode does not reveal the attachment’s size.

To locate this frame in a trace file you already collected, search for text strings such as life_stages or shs in your analyzer's detail or hex windows. If you suspect that you are the target of malicious e-mails, try to capture the traffic as it enters your network by setting up a capture filter or a trigger to look for a known data pattern such as the file name. In the example above, you could capture the frame or set off a trigger event if you set the pattern match filter to locate the hex equivalent of life_stages (6C 69 66 65 5F 73 74 61 67 65 73) at offset 044A.
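Converting the file name into a hex pattern and working out its offset in a frame you already captured is a short, repeatable task. The script below is an added example for this page, not code from the article or from NetQoS. The frame it works on is constructed: 54 zero bytes stand in for the Ethernet, IPv4 and TCP headers, followed by the start of a POP3 RETR response, so the offset it reports is for that sample, not the 044A of the article's capture.

```python
"""Added example, not from the original article: convert the file-name
string into the hex pattern an analyzer's pattern-match filter expects,
locate that pattern in a captured frame to learn its offset, and emulate
the fixed-offset trigger the article describes. The frame below is
constructed (zero-filled stand-in headers plus a POP3 RETR response);
it is not a real capture, so its offset differs from the article's 044A."""

# Constructed frame: 54 zero bytes stand in for Ethernet (14) + IPv4 (20) +
# TCP (20) headers, followed by the start of a POP3 RETR response.
HEADER_STAND_IN = bytes(54)
POP3_RESPONSE = (
    b"+OK 1234 octets\r\n"
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Fw: Jokes\r\n"
    b'Content-Type: application/octet-stream; name="LIFE_STAGES.TXT.SHS"\r\n'
    b'Content-Disposition: attachment; filename="LIFE_STAGES.TXT.SHS"\r\n'
)
SAMPLE_FRAME = HEADER_STAND_IN + POP3_RESPONSE


def hex_pattern(text):
    """ASCII text as the space-separated upper-case hex an analyzer filter takes."""
    return " ".join(f"{b:02X}" for b in text.encode("ascii"))


def find_pattern(frame, text, ignore_case=True):
    """All offsets at which text occurs in the frame bytes. Case-insensitive
    by default because the name may appear in either case on the wire."""
    needle = text.encode("ascii")
    haystack = frame
    if ignore_case:
        needle, haystack = needle.lower(), frame.lower()
    offsets, start = [], 0
    while (i := haystack.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def matches_at(frame, text, offset):
    """Emulate a fixed-offset pattern-match trigger: a byte-exact compare
    at one offset, which is how the hex filter in the article behaves."""
    needle = text.encode("ascii")
    return frame[offset:offset + len(needle)] == needle


def filter_spec(frame, text):
    """Pattern and offset to type into the analyzer, derived from a frame
    you already have, e.g. {'pattern': '4C 49 46 ...', 'offset': '00C3'}."""
    offsets = find_pattern(frame, text)
    if not offsets:
        return None
    first = offsets[0]
    # Take the bytes as they actually appear at that offset so the
    # hex pattern matches the case seen on the wire.
    on_wire = frame[first:first + len(text)].decode("ascii")
    return {"pattern": hex_pattern(on_wire), "offset": f"{first:04X}"}


if __name__ == "__main__":
    print("hex for life_stages:", hex_pattern("life_stages"))
    print("offsets in sample frame:", find_pattern(SAMPLE_FRAME, "life_stages"))
    print("filter spec:", filter_spec(SAMPLE_FRAME, "life_stages"))
```

Two practical points the sample brings out. A hex pattern filter is byte-exact, so the pattern must use the case the name actually has on the wire (the MIME headers carry LIFE_STAGES in upper case here, while the article's pattern is lower case); take the bytes from the frame rather than typing them from memory. And a fixed offset is only valid for frames with the same header layout; a VLAN tag, IP options or TCP options shift everything after them, so where the analyzer supports a content search without an offset, prefer that over the offset-anchored trigger.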

No flawless safeguards exist, but by following these recommendations you greatly improve your chances of fending off new viruses. If you do become a victim, take steps to locate the virus source and report the forensic evidence according to your organization's security policies.

NetQoS - Network Performance Management Products and Services for the world's largest networks. © 2001-2008 NetQoS, Inc. All rights reserved.