Viruses

We get strange error messages about programs we do not have when the computer starts up... The computer seems to be running very slowly and freezes up lately... Do you think we might have a virus? We've got a virus program so we do not understand what has happened.

This type of conversation is repeated all too frequently these days. Currently a sizeable portion of my work is repairing the computer after the machine has been infected with a virus. This is certainly far more costly to the client than purchasing and using a reputable virus scanning product. If all their data has been lost, as it can be, I cannot help them. So many of the people who fail to use a virus program also fail to have any backup of their data.

Many times the user is unaware that their computer is infected and may carry on using it for days or weeks, with the possibility of all sorts of compromises to the security of their data and their software. Many viruses operate in the background, sending information over the Internet about the user's habits or personal details, including passwords and credit card numbers. The worst types of viruses may simply delete your data files or the whole hard drive's contents. Without a backup you are back to square one, with a computer that is useless to you and all the personal data gone forever.

Backing up data should be done regularly, but many users would rather someone else did it for them. It is all too difficult for many people. They justify to themselves that nothing will ever happen to their data. It is not very important, so why bother? It's all too hard. They will never get a virus, as they are so careful with e-mail and only open attachments from people they know. They will never have a theft from their premises and, besides, hard drives are so reliable these days. They paid extra to get an extended warranty which will cover them for any failures.

Nothing could be further from the truth. Any one of those scenarios could and does happen day after day to hundreds of computer users here in Australia. Hard drives still fail, sometimes when they are only weeks old. No warranty ever covers you for loss of your data. Everyone will get at least one virus infection on their computer at some time, and some users who never learn will possibly get a good deal more. Incidentally, most viruses these days arrive as attachments from friends or other people you have corresponded with via e-mail. Fire and theft are easily understood, so it makes sense to keep whatever backups you have in a different location from the computer to cover fire and theft situations.

There are many virus scanning products available. The most popular in Australia are Norton, McAfee, and VET. Some special products are available for large networks, and there are also some freeware products. I personally consider it worth the expense to purchase a commercial product, to ensure you have the best possible protection and service available from the product's representative in the case of a serious virus infection.

Keeping the virus scanner's database (sometimes called signatures or data files) up to date is paramount, because all virus scanner products perform the same basic function: they use their database of known virus code to compare against the binary code in the actual files on the hard drive. Over 51,000 viruses are now known to exist, and many more are being written and released every day. If your data files are two to three months out of date then you have no protection against the latest viruses, which are usually the ones circulating most widely throughout the world at the time.
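To make the point about data files concrete, here is a toy signature scanner added to this article (it is not code from the article or from any of the products named). It does the same basic job as a real scanner, comparing a database of known byte patterns against file contents, and runs the same "hard drive" once with an old database and once with an updated one. All signatures and sample files are constructed for the demonstration and are not real virus patterns.

```python
# Added example (not from the article): a toy signature scanner that shows why
# scanner data files must be current. Every signature and sample file here is
# constructed for the demonstration; they are not real virus patterns.
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str        # detection name shown to the user
    pattern: bytes   # byte sequence that identifies the threat


def scan_file(data: bytes, database) -> list:
    """Names of every signature whose pattern occurs in the file's bytes."""
    return sorted({sig.name for sig in database if sig.pattern in data})


def scan_files(files: dict, database) -> dict:
    """Scan a {path: bytes} mapping; only infected paths appear in the result."""
    report = {}
    for path, content in files.items():
        hits = scan_file(content, database)
        if hits:
            report[path] = hits
    return report


# Signature database as originally shipped (old) and after an update (new).
# Constructed markers stand in for real detection patterns.
OLD_DATABASE = [Signature("Example.Macro.A", b"<<CONSTRUCTED-MACRO-MARKER-A>>")]
NEW_DATABASE = OLD_DATABASE + [
    Signature("Example.Worm.B", b"<<CONSTRUCTED-WORM-MARKER-B>>"),
]

# Constructed "hard drive" contents: a clean document, a document carrying the
# older macro infection, and an executable carrying the newer worm.
SAMPLE_FILES = {
    "C:/My Documents/letter.doc": b"Dear Sir, please find attached...",
    "C:/My Documents/report.doc": b"Quarterly figures <<CONSTRUCTED-MACRO-MARKER-A>> end",
    "C:/Recycled/worm.exe": b"MZ\x90\x00" + b"<<CONSTRUCTED-WORM-MARKER-B>>" + bytes(16),
}

if __name__ == "__main__":
    # With stale data files the worm is simply invisible to the scanner.
    print("old data files:    ", scan_files(SAMPLE_FILES, OLD_DATABASE))
    print("updated data files:", scan_files(SAMPLE_FILES, NEW_DATABASE))
```

With the old database only the macro-infected document is reported; the worm in the Recycled folder is missed entirely, which is exactly the situation a user with months-old data files is in. To test a real scanner safely, vendors support the standard EICAR test file rather than any live sample.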

I had a call from a regular client late one Friday. Her computer had a virus infection. Once she had run her Norton Anti Virus program to remove the virus she could no longer use any of her applications. Yes, I would come over Saturday morning and see what I could do.

When I arrived on Saturday it was obvious that the computer was infected with the W32.SirCam.137216 virus/worm. The trouble was that my client had been a little late in using the update features of her Norton AV. The first she knew about this virus was via warning e-mails from friends informing her that a recent e-mail she had sent them was infected. Of course my client then immediately used the update feature to retrieve the latest data files and then ran the Norton AV program. Norton AV correctly identified the SirCam virus and deleted it. The trouble was that because the computer had already been infected (the virus had done its nasty work), the subsequent deletion of the virus file meant that no executable files (most programs etc.) would operate on the computer.

An effect of the SirCam virus and its predecessors, such as the Navidad virus, is that they alter the computer's registry to change the default settings for executable files. From the user's point of view the computer functions normally once infected and all programs run as normal. Please realise that things are not normal: it is only due to a bug (software error) in this virus program that the payload (deletion of all files on the C drive) is not activated. In addition, the virus is sending itself to everyone in your address book!

When some anti-virus programs (in my client's case Norton AV version 4) are run on an infected computer, automatic deletion of the actual virus file (SirC32.exe) is the natural action for the program to take. Because of this deletion, the virus file is no longer present as required by the amended registry settings for executable files, and therefore no programs (including the registry editor, REGEDIT.EXE) can be executed. An exception is My Computer and a few other simple things.

The amended registry entry is shown below. With this setting SirC32.exe must be present in order to run any executable file:

HKEY_CLASSES_ROOT\exefile\shell\open\command="C:\recycled\SirC32.exe" "%1" %*

The registry needs to be corrected to the default setting shown below. If I had been able to use REGEDIT.EXE it would have been simple to correct this setting.

HKEY_CLASSES_ROOT\exefile\shell\open\command="%1" %*
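The two registry values above are the whole story of this repair, so here is a small added example (not code from the article, VET or Symantec) that examines that command string, tells a healthy value from one with an interposed program, distinguishes the "hijacked" state from the "broken" state the client was left in after the scanner deleted SirC32.exe, and writes out a Setup .inf of the kind the article installs by right-clicking. The registry value is passed in as a string so the logic runs on any platform; reading it live with the winreg module on Windows is not shown. The .inf layout follows the general AddReg syntax and is an assumption about how the vendor fix files are built, not a copy of them.

```python
# Added example (not from the article): inspect the command Windows uses to
# launch .exe files, detect an interposed program of the kind SirCam installs,
# and emit a Setup .inf that resets the value. Platform independent: the
# registry value is supplied as a string.
import re
from typing import Callable, Optional

KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_COMMAND = '"%1" %*'   # stock value: run the requested file with its arguments


def tokenize(command: str) -> list:
    """Split a command line on whitespace while keeping quoted paths intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command)]


def interposed_program(command: str) -> Optional[str]:
    """Program that runs ahead of the real .exe, or None for the stock value.

    Whatever token comes first is what Windows actually executes; in a
    hijacked value "%1" (the file the user asked for) has been demoted to an
    argument of the interposer.
    """
    tokens = tokenize(command)
    if tokens == ["%1", "%*"]:
        return None
    return tokens[0] if tokens else ""


def classify(command: str, file_exists: Callable[[str], bool]) -> str:
    """'ok', 'hijacked' (interposer still on disk) or 'broken' (interposer gone).

    'broken' is the state the article describes: the scanner deleted the
    virus file but the registry still insists on it, so nothing will launch.
    """
    prog = interposed_program(command)
    if prog is None:
        return "ok"
    return "hijacked" if file_exists(prog) else "broken"


def restore_inf() -> str:
    """Text of a Setup .inf that resets the exefile command (right-click > Install).

    AddReg line fields: root, subkey, value name (empty = default value),
    flags, data. Inner quotation marks are doubled inside the quoted data.
    Layout is an assumption modelled on vendor fix files, not a copy of one.
    """
    return (
        "[Version]\n"
        'Signature="$Chicago$"\n'
        "\n"
        "[DefaultInstall]\n"
        "AddReg=FixExe\n"
        "\n"
        "[FixExe]\n"
        'HKCR,exefile\\shell\\open\\command,,,"""%1"" %*"\n'
    )


if __name__ == "__main__":
    # Constructed scenario from the article: first SirCam is present, then the
    # scanner removes it while the registry still points at it.
    infected = r'"C:\recycled\SirC32.exe" "%1" %*'
    on_disk = {r"C:\recycled\SirC32.exe"}
    print(KEY, "->", classify(infected, lambda p: p in on_disk))   # hijacked
    on_disk.clear()
    print(KEY, "->", classify(infected, lambda p: p in on_disk))   # broken
    print(KEY, "->", classify(DEFAULT_COMMAND, lambda p: False))   # ok
    print(restore_inf())
```

The .inf route matters because it is installed through the inffile association, not the exefile one, so it still works when REGEDIT.EXE and every other program refuse to start; a .reg file would be no use at that point since it needs the registry editor to run. The same check applies to the batfile, comfile, piffile and scrfile command keys, which these worms alter in the same way.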

This is the state my client's computer was in when I arrived. No programs were able to be run. The client was using Windows 95. What were the options available to me?

With the actual virus off the computer I could simply have started from a boot diskette and, in DOS, reloaded Windows 95 from the client's CD-ROM. This would reset the registry entry to the correct value without reference to SirCam.

Had my client been using Windows 98 I could have used a prior registry backup. This is a major advantage of Windows 98 and subsequent Microsoft operating systems, because there is an automatic backup of five days' worth of critical files. These files are the registry (System.dat and User.dat) plus Win.ini and System.ini. The files are contained in cabinet files normally located in the C:\windows\sysbckup folder and labelled rb000.cab, rb001.cab, etc.

If this option had been available to me I could have used the F8 key at start-up and selected "Command prompt only" from the menu. Typing SCANREG.EXE from the Windows folder would show me a list of previous backups and maybe allow me to use one from a time before the infection, without the incorrect registry entry for executable files.

The simplest option, and the one I took, was to use a special .inf file I had on diskette for such occasions. .inf files are typically used to install driver software for items such as modems, video cards, sound cards and the like. From the VET web site I had downloaded a copy of a .inf file which would immediately reset the registry to the correct settings for executable files and allow all the programs to operate. Using "My Computer" I explored the diskette drive and located the SirCam.inf file. Right-clicking this file, I selected "Install" from the menu, and within a second the registry settings were corrected. The Symantec (Norton AV) web site also offers a special file to correct this setting.

Incidentally, had my client been using VET instead of Norton AV, the clean-up procedure invoked by VET, in addition to deleting the virus files, would have reset the registry automatically. I do like the VET product very much for its intuitive virus removal techniques. Although these days VET is owned by an overseas company, I believe the product is still written and supported from here in Melbourne. This is not to say other products do not do a good job; however, older versions of products, whilst recognising viruses, do not provide complete clean-ups and may create the situation I was faced with.

In another recent virus episode I was called to a home computer which was running very slowly. Internet use had become erratic, and new error messages at start-up complained there were not enough stacks available. This message worried me, as stacks was a variable setting harking back to the old DOS days before Windows 95/98. The default setting, controlled by the MSDOS.SYS file in Windows 95/98, was the normal maximum. I was warned before I arrived that others had gone over the computer and failed to rectify its performance or correct the error message. With trepidation, therefore, I approached the job.

Noticing that the user had a modem and an Internet connection, I set about checking to see what, if any, virus scanner the user had been running on his computer. He had VET, but unfortunately the virus data files were over 12 months out of date, leaving him exposed to the thousands of new viruses written and released during that period. He did have a current licence from VET; however, he had been unsure what to do to update the data files.

I quickly set about downloading the latest update file and installing it. When I re-booted, instead of the error messages VET identified and deleted two different viruses. Within 20 seconds the problems were identified, the offending virus files removed and the configuration settings automatically corrected. I followed up with a complete scan of his whole hard drive. The complete scan identified a Word macro virus in many Word documents and some remnants of the two major viruses. Upon a subsequent re-boot the computer started without error messages, and a check of Internet performance proved it to be back to its normal response, without the lag he had been experiencing.

Incidentally, of the three different viruses removed, two were of a type that sends data back to a server somewhere in China. One specifically looked for any password files or data on the computer and also captured keystrokes when passwords were being typed.

I hope the readers either have an up-to-date virus scanner product or, if not, purchase one immediately. I know, however, that an ever-increasing amount of my future computer repair work will be removing and repairing virus damage.