NOTE: Sign up for our *low bandwidth* virus alert list here: http://www.computerexpertsgroup.com/maillist
9/28/2006:
There is another exploit targetting Windows users using Internet Explorer. It comes in through specially crafted web pages or email viewed in Microsoft Outlook or Outlook Express.
The attack is on a vulnerability in Microsoft's WebViewFolderIcon ActiveX control, and can do things like install spyware, viruses, remote access software, etc. on affected machines.
There is currently no fix available from Microsoft.
Your antivirus may or may not currently protect against this vulnerability, but a very easy way to protect your machine is to do the following. (NOTE: if you are at a business with IT staff, please forward this to an IT person, and they will make the determination on whether it must be done for you.)
To set the ''kill bit'' for the WebViewFolderIcon ActiveX control Internet Explorer:
1) Click on the following link, tell Internet Explorer to open the file, and answer 'Yes' when asked if you want to add the information to the registry: http://www.computerexpertsgroup.com/virus/cxgl-USCERT-TA06-270A.reg
The original US-CERT alert can be read here.
Please contact Computer Experts Group, Ltd. at 914-644-6471 with any questions you may have.
9/21/2006:
There is a zero-day exploit targetting Windows users using Internet Explorer. It comes in through specially crafted web pages or email viewed in Microsoft Outlook or Outlook Express.
The attack is on a vulnerability in Microsoft's Vector Markup Language (VML), and can do things like install spyware, viruses, remote access software, etc. on affected machines.
There is currently no fix available from Microsoft.
Your antivirus may or may not currently protect against this vulnerability, but a very easy way to protect your machine is to do the following. (NOTE: if you are at a business with IT staff, please forward this to an IT person, and they will make the determination on whether it must be done for you.)
To DISABLE VML in Internet Explorer:
1) Click on the ''Start menu''
2) Click on ''Run''
3) Copy and paste the following text into the ''run'' box:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
4) Click ''OK''. A box should come up that says ''DLLUnregisterServer in ... succeeded.''
5) Click ''OK'' on that box, and continue to work normally.
You shouldn't see any negative affect on browsing or work.
Should you *need* to re-enable the VML support, you may do the same as above, except in step 3, put in the following command:
regsvr32 "%ProgramFiles%\\Common Files\\Microsoft Shared\\VGX\\vgx.dll"
Please contact Computer Experts Group, Ltd. at 914-644-6471 with any questions you may have.
1/24/2006:
There is a worm targetting Windows users. It comes in through email, but relies on ''social engineering'' to get you to open it.
Our customers are advised to make sure they have UP-TO-DATE antivirus protection on their computers. If you are unsure, or don't have it, home users are urged to go to http://www.avast.com to download and register the FREE home version of Avast antivirus. There is a ''pro'' version for corporate users with inexpensive licensing available, especially for multi-year licenses.
See http://www.us-cert.gov/current/current_activity.html#nyxemworm for more information.
8/9/2005:
There is another worm targetting the Windows operating system. You may obtain this patch by running Windows Update (http://windowsupdate.microsoft.com), or directly by downloading the patch from Microsoft here: http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
1/26/2004:
There is an extremely fast-moving mass-mailing worm going around the internet right now.
It may come from a domain (or e-mail address) that you recognize, but may have no message body. There is an attachment that has one of the following extensions: .bat, .cmd, .exe, .pif, .scr, and .zip.
DO NOT OPEN THIS FILE. It will infect your system, then it seems to find any e-mail addresses on your system (from the Windows Address Book, html files, etc. -- not sure).
If you notice odd behavior (maybe your virus scanner is constantly checking outgoing mail), check the following:
1) See if there is a file called "shimgapi.dll" in c:\windows\system32 (or wherever your system folder is). If it's there, you're infected.
2) check the file "taskmon.exe" in c:\windows\system32 -- if it has today's date (or something similar), you're infected.
3) (FOR ADVANCED USERS ONLY) Check to see if there is a registry key HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \Run - TaskMon=c:\windows\system32\taskmon.exe
To disable the virus, do the following (partly taken from Norton Antivirus's site, but modified: original page)
a) If you are running Windows XP or Windows ME, you must turn off 'System Restore' (see the section titled 'Disabling System Restore (Windows Me/XP)' in the Norton Antivirus page above)
b) SHUT DOWN YOUR SYSTEM
c) Restart in Safe Mode (press F8 repeatedly as soon as you start your computer -- it will give you an advanced menu -- choose 'Safe Mode' and press enter)
d) BE CAREFUL from here on out. If you delete the wrong file, you could do more damage than good. Please call us for assistance if you are unsure.
e) Once in Safe Mode, open 'My Computer', go to the C: drive, go into the Windows folder, go into the System32 folder, find 'shimgapi.dll', right-click on it, and delete it.
f) While still in the System32 folder, find 'taskmon.exe'. If it has today's date (or something close), right-click on it, and delete it.
g) Restart your system, update your virus definitions, and be careful not to open any more attachments you're unsure of!
9/10/2003:
Microsoft has announced yet another set of vulnerabilities in all NT-based versions of Microsoft Windows. It is a continuation of the same problem that allowed "Blaster" (see 8/13/2003 below) to run rampant. PLEASE NOTE that these patches supercede the Blaster patch, so even if you are patched for Blaster, you should run this patch, too.
This vulnerability affects Windows NT, 2000, XP and 2003 Server. Since Microsoft's site is innundated with download requests, we have mirrored (without permission) the appropriate patches on the Computer Experts Group site.
Click on the appropriate file for your operating system, save it and run the file. If you're unsure, click on the "Start" menu, click on "Run", and type "winver". Click "OK". It will tell you what operating system you have.
The administrative scanning tool can be found here.
8/13/2003:
There is currently a fast-moving worm spreading around the internet that affects Windows NT, 2000, XP and 2003 Server. Since Microsoft's site is innundated with download requests, we have mirrored (without permission) the appropriate patches on the Computer Experts Group site.
Click on the appropriate file for your operating system, save it and run the file. If you're unsure, click on the "Start" menu, click on "Run", and type "winver". Click "OK". It will tell you what operating system you have.
If your system is already infected, you can run the FixBlast.exe file first, then immediately run the operating system patch after.
Locally mirrored w32.blaster operating system patches for:
Removal Tools:
Here are local copies (without permission) of some of Symantec's virus removal tools:
