Number 253 - June 2004

Confession Of A Wanna Be Geek

by Mike Hutchison, Tampa PC Users Group
Confession may be good for the soul; this one does the ego of this wannabe geek boy none. I tried to open a .pif which was attached to an email which I received on March 2nd. There were some minor extenuating circumstances, but we shall not dwell on them now. A .pif file is, as even I knew prior to this misadventure, a Program Information File. They hail from the Windows 3.1 days. They were used to store settings and options which told Windows how to operate the DOS program that a specific PIF was associated with. Nowadays, in XP time, the PIF has faded from the spotlight.
There is, however, one use for them that has been demonstrated recently. Namely, as a vehicle for the Netsky worm. There are at least 4 varieties of this worm. According to the Norton Support site, the other types are descendants of the W32.Netsky.C@mm. I managed to get the D flavor. When I tried to open the PIF, my computer began trying to send email messages. Lots of email messages. Norton was scanning as many as 15 at one point. I had to do a Ctrl-Alt-Del to get out of Outlook Express.

The W32.Netsky.D@mm is a recent variation to arrive on the scene (again, according to the Norton site it was discovered on March 1st). I had just updated my virus definitions two days previous to the day my problem occurred; in other words, the day before Norton discovered the thing. Nevertheless, this was acting like a virus, so I ran a full system scan of the affected computer. It came up clean. I deleted the email and attachment and got Outlook Express calmed down. I thought that perhaps I had lucked out.

When I ran Outlook Express the next morning, it was soon clear that I had not lucked out. Soon I had Norton scanning 30 outgoing messages. This was before I had even received my messages, let alone sent any. I have well below 30 contacts in the address book. Anyhow, next I called up tech support at my ISP to see if they were hearing anything about PIFs. They were, and had been deleting them at a rapid pace. Next I described the situation to William LaMartin. Sounds like a virus, said he, and I had best get myself hither to the Norton Live Update site, which I did. The Virus Definitions part of the update was small, but Netsky must have been in there. When I did another full system scan of the computer after the Live Update download, it found 41 files infected with W32.Netsky.D@mm. These files were all PIFs but were created by the worm after the payload trigger. Then I went back to the Norton Support site and downloaded a Netsky removal tool.
The Norton instructions said, among other things, to run the removal tool twice after disabling the System Restore check box, which is found in the System Restore tab when you right click My Computer and then click Properties. Norton's instructions for running the removal tool say not to skip this step. They then recommend running Live Update for the latest definitions. The removal tool can be downloaded at http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.u@mm.html.
Some background information on the Netsky D worm (once again courtesy of Norton Support): It is a mass mailing worm that scans drives C through Z on the computer, and it then uses its own SMTP engine to email itself to the email addresses that it finds. The size of the attachment is 17,424 bytes. Systems which are affected by the worm: Win 2000, Win 95, Win 98, Win ME, and Windows XP. Systems not affected by the worm: Linux, Mac, Unix and Win 3.x. One of the messages in the body of the email which brings this worm to your machine that is listed by Norton matched the one I got. To wit: "See the attached file for details." I have a customer who has people whom I have no prior knowledge of sending me email with ads for a publication attached to the email. I have no other excuse. I won't even try to claim that I thought it was a .pdf instead of a .pif. Like they say: just don't do it. If you don't know who it is, delete it.

Addendum: March 9th, 2004. I was still having trouble sending email normally, so I went back into Outlook Express under Tools / Options, then clicked the Connections tab and removed the check mark from the Hang Up after Sending and Receiving check box. I think I had this checked while I was trying to get Outlook Express to stop sending all the spurious messages. Then, sort of as a whim, I ran a full system scan of the machine with Norton AntiVirus. It showed 39 files infected with Netsky. Back to Norton Live Update for the latest virus definitions. This time I had Norton AntiVirus quarantine and then delete all infected files. Then back to the Symantec support site for some reading about the Netsky K variation and a download of the latest Netsky Removal tool. This was Version 1.0.4 as of the morning of the 9th. It was Version 1.0.3 the first go around. I then ran the removal tool twice with System Restore disabled as before. So far all seems right in my email world. A full system scan reports no infected files.
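The traits Norton lists for this worm (a .pif attachment, an attachment of exactly 17,424 bytes, and the "See the attached file for details." lure line) are exactly the sort of thing a mail filter can check before a reader ever sees the Preview pane. The script below is an added example, not code from the newsletter or from Symantec: it parses a message with Python's standard `email` library and reports which of those indicators it finds. The two sample messages, the sender and recipient addresses, and the attachment bytes (plain filler, not worm code) are all constructed for the example.

```python
"""Flag mail that shows the Netsky.D traits described in the article.

Added example: walks the attachments of an RFC 822 message and reports
the indicators the article lists. Sample messages are constructed here.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly; .pif is the one the worm rode in on.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
NETSKY_D_ATTACHMENT_SIZE = 17424          # byte count quoted from Norton's write-up
LURE_TEXT = "see the attached file for details"


def attachment_findings(msg: EmailMessage) -> list[str]:
    """Return human-readable indicator strings for one parsed message."""
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if LURE_TEXT in text:
        findings.append("body matches Netsky lure text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lowered = name.lower()
        # Windows acts on the last extension, so "report.pdf.pif" is a .pif.
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        if lowered.count(".") > 1:
            findings.append(f"double extension: {name}")
        payload = part.get_payload(decode=True) or b""
        if len(payload) == NETSKY_D_ATTACHMENT_SIZE:
            findings.append(f"attachment size matches Netsky.D: {name}")
    return findings


def triage(raw: bytes) -> list[str]:
    """Parse raw message bytes and return the findings for it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return attachment_findings(msg)


def build_sample(filename: str, size: int, body: str) -> bytes:
    """Build a constructed test message with one attachment of `size` bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.test"      # constructed address
    m["To"] = "me@example.test"            # constructed address
    m["Subject"] = "Re: Document"
    m.set_content(body)
    # Filler bytes only; the size is what the check looks at.
    m.add_attachment(b"A" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one that looks like the article's message, one benign.
SUSPECT = build_sample("document.pif", NETSKY_D_ATTACHMENT_SIZE,
                       "See the attached file for details.")
BENIGN = build_sample("newsletter.pdf", 2048, "Here is this month's issue.")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(raw))
```

Run it and the suspect message reports all three indicators while the benign one reports none; a message named "invoice.pdf.pif" would be caught on the extension even though its size differs, which is the same point the author makes about not mistaking a .pif for a .pdf.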
Tech support at my ISP mentioned in response to a question from me that one does have to do something to something in a received email message to get into trouble. Still, they say it is a good idea to keep the right side of your Outlook Express workspace as one pane, and stay away from the Preview pane on the bottom.