
June 20, 2004

Becoming A Virus Statistic

Lovgate virus destroys data and forces disk re-partitioning and format

It's quite ironic that a security expert like me should be taken down by one of the many viruses he blathers about! But after losing over 4 years of carefully collected data, including irreplaceable system updates, drivers and other software patches, many from now long-defunct web sites, I've learned my lesson well. Even though I didn't actually download the Lovegate Trojan, I still failed to protect my computer against evil like it.

My sad saga began with my (now) ancient Pentium III suffering a display hardware failure. This i810-type board features embedded graphics and no AGP slot. When I switched to an old office Celeron 400 with a VIA chipset and an AGP 2X slot, I broke the rules of basic security: no firewall or antivirus software installed, leaving my new computer quite vulnerable! Things got worse: there were no individual user profiles, giving all users a common, full Administrator access profile! Why was I so careless? I guess because the Celeron loaner was just a stop-gap arrangement for a week before I got my new Prescott-powered PC, something I've still to acquire.

My hard disk was infected by the Lovegate Trojan, which replaced just about every .EXE file with a modified version containing the worm! The worm also inserted a hidden .INF file in the root of each partition, so that no matter how many times I attempted to clean the drives the worm would return. And if this wasn't enough, any PC in which my infected drive was mounted would in turn be infected!
Luckily for me Lovegate (W32.HLLW.Lovgate@mm, W32.HLLW.Lovegate.B@mm, W32.HLLW.Lovegate.C@mm, W32.HLLW.Lovegate.D@mm, W32.HLLW.Lovegate.E@mm, W32.HLLW.Lovegate.F@mm, W32.HLLW.Lovegate.G@mm, W32.HLLW.Lovegate.H@mm, W32.HLLW.Lovegate.I@mm, W32.HLLW.Lovegate.J@mm, W32.HLLW.Lovegate.K@mm, W32.HLLW.Lovegate.L@mm, W32.Lovegate.R@mm, W32.Lovegate.W@mm, WORM_LOVGATE.C, Win32/Lovegate.C@mm, W32/Lovegate.c@M, I-Worm.Supnot.c, W32/Lovegate-B, Win32.Lovegate.C) is a mass mailer that uses MAPI, with separate back door capabilities (on port 10168). This worm also targets installed security software to lower the chances of its detection. It affects all Windows versions, but the attack is particularly virulent and vicious on Windows 2000, XP and 2003.

What really alerted me to the possible presence of a virus was a message that would appear every time a connection to the Internet was made, seeking user permission for messages being sent via MAPI by any Windows application. Lovegate's mail engine attempts to reply (with an infected copy of itself) to the sender of any incoming message. However, thanks to Outlook Express 6, I was able to download and send virus-free messages, while Lovegate's attempts to send messages using MAPI's auto-reply function would fail, proving that the various Windows security updates applied were effective. To confirm my suspicions I carefully looked at the running processes in Windows 2000 Task Manager and noted strange entries: Ravmond.exe, NetMeeting.Exe and multiple instances of IEXPLORE.exe (case-specific). CPU utilization would also hit 100%. It was when I searched Google for "Ravmond" that I found myself a virus statistic! Luckily my ISP has rather extreme security measures, with almost all ports bar 80 (Web), 21 (FTP), 25 (SMTP), 110 (POP3) and 143 (IMAP) blocked by default, nullifying any attempts by the backdoor to connect. Worm removal was painful, with all EXE and COM files infected, including downloads.
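As an added example (not the post's own code), here is a small Python triage script built around the indicators the post names: the process names seen in Task Manager, the .INF file dropped in each partition root, the back door port 10168 and the overwritten .EXE/.COM files. It goes one step beyond the post by hashing executables, so that a baseline taken on a clean install can be compared after a suspected re-infection instead of reinstalling blind. The file name autorun.inf, the three-instance IEXPLORE.exe threshold and the sample process list are assumptions constructed for the demo; the hidden-attribute check only means something on Windows.

```python
"""Lovgate-style triage checks: added example, not the post's own code."""
import hashlib
import os
import socket
import stat
import tempfile
from collections import Counter

# Indicators taken from the post.
SUSPECT_PROCESSES = {"ravmond.exe", "netmeeting.exe"}   # seen in Task Manager
BACKDOOR_PORT = 10168                                    # Lovgate back door port
EXECUTABLE_EXTENSIONS = {".exe", ".com"}                 # what the worm overwrote
# Assumption: this many IEXPLORE.exe copies is worth a look.
IEXPLORE_THRESHOLD = 3


def flag_processes(process_names):
    """Return findings for an iterable of running process names (compared case-insensitively)."""
    counts = Counter(name.lower() for name in process_names)
    findings = [f"suspect process {name} ({counts[name]} instance(s))"
                for name in sorted(SUSPECT_PROCESSES & set(counts))]
    ie = counts.get("iexplore.exe", 0)
    if ie >= IEXPLORE_THRESHOLD:
        findings.append(f"{ie} IEXPLORE.exe instances running")
    return findings


def _is_hidden(path):
    """True if the file carries the Windows hidden attribute; always False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_root_inf_files(roots):
    """Return (path, hidden) for every .INF sitting directly in a partition root."""
    hits = []
    for root in roots:
        for entry in os.listdir(root):
            path = os.path.join(root, entry)
            if os.path.isfile(path) and entry.lower().endswith(".inf"):
                hits.append((path, _is_hidden(path)))
    return hits


def hash_executables(root):
    """Map each .EXE/.COM under root (by relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def changed_executables(baseline, current):
    """Relative paths whose digest differs from the baseline, or that are new since it was taken."""
    return sorted(path for path, digest in current.items() if baseline.get(path) != digest)


def is_backdoor_port_listening(host="127.0.0.1", port=BACKDOOR_PORT, timeout=1.0):
    """Best-effort check for the back door: True only if a TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo():
    """Run the checks on a constructed sample (not real data) and return the findings."""
    sample_processes = ["explorer.exe", "Ravmond.exe", "NetMeeting.Exe",
                        "IEXPLORE.exe", "IEXPLORE.exe", "IEXPLORE.exe"]
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        exe = os.path.join(root, "bin", "tool.exe")
        with open(exe, "wb") as fh:
            fh.write(b"MZ clean program")
        baseline = hash_executables(root)          # taken on the "clean" system
        # Simulate the worm: overwrite the executable and drop a root .INF
        # (the name autorun.inf is assumed; the post only says "a hidden .INF file").
        with open(exe, "wb") as fh:
            fh.write(b"MZ worm payload")
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\n")
        return {
            "processes": flag_processes(sample_processes),
            "root_inf": [os.path.basename(path) for path, _hidden in find_root_inf_files([root])],
            "changed": changed_executables(baseline, hash_executables(root)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(f"port {BACKDOOR_PORT} listening locally: {is_backdoor_port_listening()}")
```

On a real machine you would feed `flag_processes` the names from a process listing, pass the drive roots (for example `["C:\\", "D:\\"]`) to `find_root_inf_files`, and keep the dictionary from `hash_executables` somewhere the worm cannot reach, such as one of those non-Windows archive backups, so it survives to be compared.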
The only files that escaped were document files as well as my .TGZ and .BZ2 archived data backups (being supposedly non-Windows formats). Despite re-installing Windows 2000 twice, the infection returned. I finally had to delete all disk partitions, then re-partition the disk and set up Windows 2000 afresh. This took me the better part of a week. I'm not really sure how I received the virus: possibly by email, but more likely as an unwanted inclusion in a downloaded file. As a result of this attack, I'm extremely skeptical about downloads from the web, regardless of their source, and have now configured a RAM disk (a volatile drive carved out of system memory) into which I download files and scan them before installing them. I've also upgraded my antivirus and firewall solution to the highly-rated PC-Cillin 2004 Internet Security. This suite includes a firewall and anti-virus as well as mail scanning, anti-spyware and Trojan blocking features. I liked it as a beta and I'm thrilled with it now. ZoneAlarm 5 in comparison is buggy, more expensive and tends towards process overkill, besides actually throttling TCP/IP bandwidth to half of what's available!

Although Google's GMail offering is still in limited beta, it seems to have shaken other web mail providers. A relatively unknown site, Spymac, is offering a 1 GB mail account, but my efforts to register a new account failed with errors varying from "user name in use" to, bizarrely, "The User you're registering doesn't exist anymore. It seems that you took more than 1 hour to register. Your username is being reserved just for one hour" when I'd been connected to the site for less than 10 minutes! Yahoo has enhanced its web-based mail offering to 100 MB of space with support for 10 MB attachments, and for $19.95 annually a Yahoo Mail Plus account also gives no ads, mail forwarding, and POP3 and SMTP access from the desktop. Even Hotmail plans to unveil an enhanced version in July 2004.
But to keep a free account and still get around the restriction on POP3 and SMTP access, you can always turn to ePrompter. This connects to just about every major web mail provider, including RediffMail. The software is in beta, and recent versions attempt to "phone home", supposedly for updates, but you can configure your firewall to block such behavior. You could also try an earlier version, lacking such tracking features, from the Tucows Network. For those lucky enough to acquire a GMail account, you no longer have to contend with ActiveX controls, or with keeping all your mail on the site: use POP Goes the GMail (PGtGM), a free GMail bridge utility that installs as a local mail server to download GMail messages so you can view them in Outlook Express or Thunderbird.

Thunderbird 0.7 uses the (equally new) Firefox 0.9 Extension Manager, which has an uninstall feature. Older extensions won't work, but they are disabled to prevent crashes. New features include multiple identities for a single user account, improved junk mail detection, a new interface for viewing vCards, color quoting and support for raw mailto URLs containing spaces in the subject. Firefox 0.9 also sports a new theme, and the browser options interface has been revamped, as has the file download manager. What I really like is the browser migration feature, which on first startup imports existing IE and Opera Favorites and browsing history. For a more detailed explanation of what's new in Firefox, click here. For both programs I recommend the MOOX-enhanced builds, which are more stable than the Mozilla offerings and are available in processor-specific versions.

And finally, if you would like to send a personalized snapshot of a US soldier with 2 Iraqi teens, visit God Bless the Children of Iraq, or review random images that other visitors have left behind. Stay Safe and Alert. More next week.