Phil's Blog

Active Virus Shield

AOL is widely regarded as an evil empire, second only to Microsoft, but this week they redeemed themselves somewhat by releasing a free Windows antivirus program, Active Virus Shield, based on Kapersky Labs' Personal Antivirus.

I've given it a whirl here and so far I'm impressed. Kapersky's Virus scanning engine is one of the best, and they are renowned for the speed of their responses to new malware. So far I'm seeing several pattern updates a day, which is what I'd expect from any proper antivirus vendor.

It's staying on my PC for a while. It may yet replace Alwil's Avast! here, but I have a certain irrational fondness for products whose support forums give the users direct contact with the developers.

Postscript, September 5th

Independent research confirms Active Virus Shield as being one of the best antivirus products. There's commentary and discussion over at cybernetnews.com.

Patch Tuesday (April)

There is another round of security updates over at Windows Update, as well as some for Word - office users should check here for updates. There's an update for MSN Messenger 6.2 hidden here too. Or go to the MSN Messenger site and download MSN Messenger 7. It's ugly, annoying, and deceptive (you tell me whether an extra you're selecting costs money or not - it's not obvious at all until some way into the process, and to me that's downright dishonest, Microsoft).

sms.ac con

Just what I feared when I started getting all those sms.ac invites. Ali Ebrahim's blog has the lowdown.

Sasser Worm

On April 30th, a new worm, Sasser, was released into the wild. This exploits a buffer overflow vulnerability in LSASS and works by scanning the internet for vulnerable PCs and infecting them directly. You don't have to open an email or visit a web site to get infected. Microsoft released a critical update to patch this vulnerability on April 23th, which can be got from Security Bulletin MS04-011 or Windows Update.

After applying the patch, reboot and disinfect your PC with McAfee's Stinger.

The Internet Storm Centre says this about Sasser.

Earlier in this weblog I gave details about patching to prevent the MS-Blaster Worm infecting your PC. There's an updated RPC patch available at MS04-012 (or from Windows Update).

The time to patch is now, not tomorrow, or next week, so get patching.

Microsoft releases its security updates on the second Tuesday of the month, in the early evening GMT. So the second Wednesday of the month is a good time to do your patching.

Another day, another worm

The last few weeks have seen a spate of email-borne computer worms. What's been unusual this time is that with MyDoom and its successors, we're seeing the virus in the wild well before the antivirus vendors have updates available. This is a trend which should wake up the antivirus companies and users. Some vendors have a weekly update cycle, with extra antivirus patterns only being released when a virus has been seen in large numbers in the wild. Too little, too late. What's needed is defence in depth. All ISPs should scan all emails going via their mail gateways for both spam and viruses. Home users should make sure that their antivirus software is always up to date. Nobody in their right mind would use Internet Explorer or Outlook Express when we have better alternatives which do not try to execute viruses for us. I use the Mozilla Firefox web browser and Mozilla Thunderbird email and news programs. I suggest you give them a try. And turn off file extension hiding in Windows while you're at it.

Blaster / Lovsan / Poza Worm

This one's a bit of a bastard. By forcing shutdown it makes it difficult to download the fixes and disinfector.

Running shutdown /a (on XP Pro only) will prevent the automatic shutdown.

You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

The easiest way is to set your system clock back a month when you get the shutdown message.

CERT has detailed disinfection / recovery instructions as part of their Blaster advisory. Visualante.org has good instructions too.

The updated (April 2004) Microsoft patch for your Operating System can be found on Microsoft's Technet.

Updated Windows XP patch is here.

Details of the worm are here.

Get the patch on, disinfect with something like Mcafee's Stinger.

Then force update your antivirus program's patterns. If you don't have an antivirus program, then try Avast! Personal Edition. It's free for personal use. Trend Micro offer a free online virus scanning tool too.

Then go to Windows Update and get all the critical updates.

Using a personal firewall like ZoneAlarm would have prevented infection in the first place (if properly configured).

Yaha.K worm spreading rapidly

The Yaha.K worm, released on Dec 21st, is spreading rapidly. Three of my friends, all of whom had Norton Antivirus running on their PCs suffered infection. The worm disables Norton Antivirus making disinfection difficult. The solution is to download and run McAfee's Stinger. This will detect and remove the Yaha, Klez, Bugbear, and Elkern worms. I advise everyone to download and run it NOW.

Yaha.K Worm

The Yaha.K worm is starting to spread rapidly. There are some helpful details here.