

Just the Other Day
by Lee Besing
Are You Paranoid Enough?
June, 2004

Just the other day the phone started ringing off the wall with customers complaining about their computer running sluggish, error messages talking about LSASS errors, and automatic system rebooting. The day was Saturday, May 1st. It was also the day I was out at Kennedy HS preparing for a day of competition with the Special Olympics, where I was to coordinate the radio communications and special event Amateur Radio station. Unfortunately, around 7am severe thunderstorms with lightning caused the cancellation of this event. The fields were flooded and it was not safe to operate electrical equipment. The good news was that I was up early enough to start answering calls from customers who thought the storm had affected their computers. Most computers were not affected by the storm, but some were affected by the new virus that was making the rounds.

The morning of May 1st saw a new worm spreading across the Internet named "Sasser". A few days later, other variants appeared. Sasser attacks primarily Windows XP, Windows 2000 and Windows 2000 Server, though there were some reports of Windows 98 systems being affected. Removal tools were not released until May 3rd, which made the worm harder to clean up at first. Sasser starts 128 separate threads that scan IP ranges in search of vulnerable systems. When it finds one, it triggers a buffer overflow in that system's LSASS service (the hole Microsoft patched in April 2004 as security bulletin MS04-011, reached over TCP port 445), and uses the access that gives it to drop an FTP script (cmd.ftp) onto the victim and execute it. The script then downloads the worm from the infected host that did the scanning and runs it, and the cycle repeats from the new victim.

Signs that your computer has the Sasser worm:
  • Sluggish system and reduced available bandwidth (the scanning threads eat CPU time and network capacity).
  • LSASS.EXE crashes, which causes the infected system to reboot.
  • WIN.LOG created in the root of C:\ (contains the IP address of the local host).
  • Presence of avserve.exe (the worm itself).
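The scanning behavior described above is what a firewall or router log actually records when a Sasser-infected machine is on the network: one source address hammering TCP port 445 on host after host. The following Python script is an added example, not code from this column or from any product it names. It parses a constructed, simplified log format (invented for this example; the regular expression is the only thing you would need to adapt to a real firewall's log) and flags any source that touches many distinct hosts on port 445 within a short window, while leaving ordinary Windows file-sharing traffic to port 445 alone. The threshold and window values are assumptions chosen for the sample data.

```python
"""Flag hosts that sweep a network on TCP/445 the way Sasser does.

Added example: a small scan detector over a simplified firewall log.
The log line format below is constructed for this example; adjust
LINE_RE to match the real log you want to analyze.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 192.168.1.77 sweeps port 445 across thirty
# neighbors in a few seconds (the Sasser pattern), while 192.168.1.20
# makes two normal file-sharing connections and 192.168.1.21 browses.
SAMPLE_LOG = "\n".join(
    [f"2004-05-01 07:12:{3 + i // 4:02d} DROP TCP "
     f"192.168.1.77:{1040 + i} -> 192.168.1.{10 + i}:445"
     for i in range(30)]
    + [
        "2004-05-01 07:12:05 ALLOW TCP 192.168.1.20:1233 -> 192.168.1.5:445",
        "2004-05-01 07:13:40 ALLOW TCP 192.168.1.20:1234 -> 192.168.1.6:445",
        "2004-05-01 07:12:09 ALLOW TCP 192.168.1.21:1500 -> 64.233.1.1:80",
    ]
)

# Hypothetical log format: "<date> <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the expected format
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_445_sweepers(events, window=timedelta(seconds=60), threshold=20):
    """Return {source_ip: peak_distinct_targets} for every source that
    connected to at least `threshold` distinct hosts on TCP/445 inside
    any `window`-long span. A single host talking to one or two file
    servers never reaches the threshold, so it is not reported."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 445:
            by_src[e["src"]].append((e["ts"], e["dst"]))

    suspects = {}
    for src, hits in by_src.items():
        peak = 0
        # Sliding window: from each hit, count distinct targets reached
        # before the window closes (hits are already time-ordered).
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for src, count in find_445_sweepers(parse_log(SAMPLE_LOG)).items():
        print(f"possible Sasser scanner: {src} hit {count} hosts on TCP/445")
```

On the constructed log this reports 192.168.1.77 as having reached 30 distinct hosts on port 445 and stays silent about the two legitimate file-sharing connections. In practice the source you flag is the machine to pull off the network and clean, and the scan volume itself is why infected systems feel sluggish.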

Then, to make things even more interesting, you need to watch out for another bogus e-mail message that purports to provide the free removal tool for the Sasser worm. The Netsky.AC worm was discovered on May 2, 2004. Netsky.AC pretends to be a removal tool for the Sasser.B, Bagle.AB, Mydoom.F, MSBlast.B and NetSky.AB worms. In a similar fashion to some of the earlier Bagle variants, Netsky.AC masquerades as a message from or composed by a security vendor or domain administrator. Netsky.AC drops files named "comp.cpl" and "wserver.exe" into the Windows folder and activates the next time you restart your computer. The Netsky virus has also been impacting lots of computers around the San Antonio area in recent weeks, and it always arrives as a strange e-mail message with a short or cryptic subject and body, plus an attachment that is usually a PIF, SCR, or EXE file.

Let me give you three hints or tips on how to protect your computer from these threats, and then I’ll cover the topic of Spyware a bit more later on.

  1. Immediately, right now, you need to update your anti-virus program. If your program's virus definitions are more than a few days old, and especially if they are more than a week old, you are seriously at risk.

  2. Next, if you have not updated your computer with all of the recommended Windows Critical Updates as of today, please do yourself a favor and run that program now after connecting to the Internet. If you cannot find "Windows Update" listed on your "Program Files" menu, simply point your browser to Microsoft's Windows Update site and it will automatically redirect you to the correct server for running that program remotely.

  3. What type of firewall are you running? If you don’t know, or don’t have one running, you need to remedy that situation right now. Windows XP has one built into its network connection software (used for DSL/Cable connections) but I don’t recommend it for most users.

A firewall is a program that blocks uninvited connections from the Internet into your computer, and really good firewalls also block programs on your computer from reaching out to the Internet unless you have given permission first. Sasser is a good illustration of why the inbound side matters: it reaches new victims by connecting to them on TCP port 445, so a firewall that drops unsolicited inbound connections stops it even on a machine that has not yet been patched. There are many good firewall programs out there, some free, some cheap, and some not so cheap. I prefer ZoneAlarm, which falls into the "free" or "cheap" category. The free version is fine for most home users; the "pro" version costs around $40 to register after the first 30 days. This program will block the outside world from accessing your computer unless and until you tell it to allow a particular program. The "pro" version lets you tailor each port for inbound or outbound traffic if you have special applications (like PC Anywhere) that use ports other than the standard web (80), secure web (443), or mail (25 for sending and 110 for receiving) ports. I did not have any of my customers who already ran ZoneAlarm call me with reports of being infected by the Sasser worm. You can download ZoneAlarm free.

Spyware / Adware Detection & Removal:
Next, as promised earlier, I want to educate you more about Spyware and Adware. I've already discussed that issue in previous columns, but it continues to dominate my service calls from customers with computers that have started running slower, are experiencing more popup ads than usual, or show other strange behavior. I've been using a combination of three removal tools to combat the problem, with Spybot being one of my favorites, followed closely by SpywareBlaster and Ad-Aware.

Watch out for bogus software claims.
Don't be fooled by false advertising from look-alikes called SpyHunter or SpyKiller. SpyHunter claims in its advertising to be free, and it is, unless it finds a problem, and then they want you to pay up to $79.95 to activate it. I had one customer already caught by this program, but fortunately they balked at paying for what they thought should have been free software. Another false lead for help is the website www.noadware.net, which claims to be the free version of SpywareBlaster. Don't be deceived into paying for these programs.

SpyBot – Search & Destroy version 1.2
The release of the latest version of Spybot - Search & Destroy adds some truly useful features to an already excellent app. Not only does Spybot check your system against a comprehensive and timely database of adware and other undesirable system invaders, the new Immunize feature provides a front-line defense against a plethora of uninvited Web-borne flotsam, blocking it before it reaches your computer. The functionality of Spybot makes it a must-have for all Internet users, and this version is a worthwhile upgrade if you have a previous install. SpyBot version 1.2, after you update it from their website, will detect over 12,500 possible variations of Spyware on your computer.

SpywareBlaster version 3.1
You really need to update to the new version if you were running an earlier version of this software. It detects and patches about 1,500 possible openings in your computer, preventing web sites from auto-installing plug-ins without your knowledge. SpywareBlaster will:

  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially dangerous sites in Internet Explorer.

Ad-Aware from LavaSoft version 6.0
If you are not running the latest version, you need to click that update button inside this program, or visit their website to download this free program. LavaSoft claims that it has the ability to comprehensively scan your memory, registry, hard, removable and optical drives for known datamining, aggressive advertising, and tracking components.

Ad-Aware and Spybot will sometimes flag each other, with one reporting components of the other as adware or spyware. These are false positives; simply ignore such messages, run each of the programs in its "easy" or "automatic" mode, and you should be safe.

ISPs (Internet Service Providers) have started trying to help protect you by screening your e-mail for potential spam or virus-carrying messages. Locally owned World-Net.net has some fairly sophisticated mail filters that you can control through a web browser interface, and their plans start as low as $6.95 a month for single-user accounts. STIC.net is also offering mail filtering with similar controls, and their rates start as low as $9.95 a month. Some national ISPs such as EV1.net offer anti-spam controls, as do Earthlink.net and AOL.com. Ask your ISP's tech support what they can do to help you protect yourself from unwanted e-mail, viruses, spyware and adware.

The question for you this month is not "are you paranoid?" but instead "are you paranoid enough?" Scrutinize your inbound e-mail for suspicious messages, even from sources you think you know and trust (worms like Netsky forge the sender address, so a familiar "From" line proves nothing). Keep your anti-virus program updated manually at least once a week, or more frequently. Watch your computer for changes in behavior. Be very suspicious if a web site asks you to install a strangely named plug-in, or to accept a secure certificate issued by the same site you are logged into at the time; that is a self-signed certificate that no independent authority has vouched for, and accepting it means taking the site's word for its own identity. If the certificate is not from Thawte, Verisign or XRampSSL, I'd think twice about accepting it. There are other valid sources for secure certificates (used with https:// web sites for credit card or confidential information input), but these are some of the primary certificate authorities trusted by everyone.


Lee Besing is the owner of Computer Solution Experts, a consulting firm that provides on-site service and support for PC computers and networks.