VIRUS ADVICE        http://www.burtonsys.com/virus_advice.txt
                    http://www.burtonsys.com/virus_advice.html

By Dave Burton (with a bit of plagiarism from various other sources)
Last updated 3-Oct-2002

CONTENTS:
I.   COMPREHENSIVE VIRUS INFORMATION ON THE WEB
II.  THE EASIEST DEFENSE
III. PRECAUTIONS FOR WINDOWS USERS
IV.  FREE VIRUS REMOVAL AND PROTECTION TOOLS
V.   FIREWALLS
VI.  HOAXES
VII. HOW TO REMOVE THE KLEZ.H VIRUS


I. COMPREHENSIVE VIRUS INFORMATION ON THE WEB:

More information about almost all computer viruses is available
on the following excellent web sites, which are run by eight
companies that make anti-virus tools:

http://www.symantec.com/avcenter/vinfodb.html  (Symantec/Norton)
http://vil.mcafee.com/                         (McAfee/NAI)
http://www.f-secure.com/v-descs/               (F-Secure)
http://www.antivirus.com/vinfo/                (Trend Micro)
http://www.sophos.com/virusinfo/analyses/      (Sophos)
http://www.virusdb.com/                        (Kaspersky)
http://www.quickheal.com/alerts.htm            (Cat Computer Services)
http://www3.ca.com/virus/                      (Computer Associates)

Sophos also has an excellent "virus prevention primer," here:
http://www.sophos.com/virusinfo/whitepapers/prevention.html

These three sites have a lot of excellent information about viruses,
virus hoaxes, anti-virus tools, etc.:

http://www.virusall.com/    <-- this site is really good!
http://www.ciac.org/ciac/
http://www.virusbtn.com/

The FBI, Stiller Research, nsclean.com, and Georgi Guninski sites also
have information about computer security issues:

http://www.nipc.gov/ (FBI)
http://www.stiller.com/
http://www.nsclean.com/
http://www.guninski.com/


Note: Determining the source of a virus or worm-laden email can
be tricky.  You can usually figure it out by examining the full
email headers.  For some viruses, it is just the "From:" address.
Magistr slightly mangles the "Return-Path" address, and leaves
the "From:" address pointing to the user of the infected machine.

However, Klez.h usually forges the "From:" address to point to an
innocent third party, and the "Return-Path:" (or UUCP From) address
usually points to the user of the infected machine.  Examine the
bottom (oldest) of the "Received:" headers for consistency with
the "Return-Path:" address, to confirm that the "Return-Path:" is
probably correct.  However, if the virus came from an AOL user,
the AOL mailservers will have changed the Return-Path address
to match the (forged) From address, and will have added an
"X-Apparently-From:" header with the actual (AOL) source of the
virus.  For more about Klez, see section VII (below).


II. THE EASIEST DEFENSE:

Most common computer viruses these days travel by email.

The easiest defense against email-borne viruses (assuming that
your computer is not already infected!) is simply to use a Yahoo
or Hotmail account for your email, instead of using Microsoft's
email clients.  Yahoo, Hotmail and some other free web-based email
services have integrated commercial virus-scanners into their email
systems.

If you let suspicious incoming emails "age" for a day or so before
scanning the attachments on Yahoo or Hotmail, you will be 99% safe
from virus-laden emails.

This is a very good solution for Internet novices.


III. PRECAUTIONS FOR WINDOWS USERS

a)  Remember the most basic rule:  Don't open file attachments
unless you have some way of knowing that they are legitimate.

(If you're saying to yourself, "duh, of course!" then skip ahead
to II.b, below.)

What does that mean, exactly?  Here are some examples:

 o  If it is a program, and the sender didn't write it himself,
    don't run it, period.  If someone sends you a "fun" program
    or screensaver that they "found" somewhere, DO NOT OPEN IT.
    It doesn't matter whether they tried it or not -- these things
    can contain "time bombs" so that they appear to work as
    advertised for a while before doing their damage.  So testing
    it CANNOT prove that it is safe.

 o  If the file attachment comes from a stranger, you cannot know
    that it is legitimate, so DON'T OPEN IT.

 o  If it appears to be from someone you know, but there's nothing
    to PROVE that it is really from him, then you can't know that it
    is legitimate, so DON'T OPEN IT.  Worms/viruses routinely forge
    email headers, so most computer worms & viruses that you will
    receive will appear to be from someone you know.

 o  On the other hand, if your colleague told you on the phone,
    "I'll send you the JPEG picture this afternoon," and, as promised,
    it shows up, it is pretty safe.  (But avoid Word .doc files and
    Excel .xls files if possible, since they occasionally contain
    "macro viruses.")

 o  Or if the email contains identifying information that could
    not have been written by a stranger (e.g., if it is signed,
    "your little brother, Frank"), it is probably safe.

b)  Some common viruses, such as Badtrans, Klez & Yaha, exploit flaws
in the Outlook Express "preview pane" feature to run automatically,
without being explicitly opened.

A good remedy is to use a non-Microsoft email client, such as
Pegasus Mail, Eudora, or the Mozilla mail client, instead of
Outlook Express or Outlook.  Pegasus and Mozilla are free, and
Eudora is free for personal use; see http://www.pmail.com/,
http://www.mozilla.org/ and http://www.eudora.com/, respectively.

Users of Outlook Express (or Outlook) should make the following
setting change to prevent viruses like Badtrans from running
automatically when email is viewed in the Outlook Express or
Outlook preview pane.

First you need to start Outlook Express or Outlook (not Internet
Explorer).  Then set:

     Tools -> Options -> Security -> Restricted Sites Zone
     (Note: some newer computers with pre-installed software
     might come with this set by default, which is good.)

(This applies to Outlook Express 5.0-6.0, and to Outlook 98.  There
are probably similar settings that need to be adjusted in other
versions of Outlook, but I don't know whether they are identical.)

Also, with some versions of Outlook Express and Internet Explorer
5.xx, it might be necessary to make an additional setting change,
in Internet Explorer:

   Internet Explorer 5.xx:
     Tools -> Internet Options -> Security ->
       Restricted Sites -> Custom Level ->
         Downloads / File Download -> Disable
   (Note: if it was already disabled, that is good.)

This won't protect you if you "open" an infected executable email
attachment.  So don't!  Most people should never need to open any
attachments except .jpg or .jpeg files (photos), and perhaps .rtf
or .txt files (documents).

Also, the same rules apply when someone sends you a file via IRC.
Some viruses spread that way, too.

However, Windows' default file viewing options can hide the true
file extension, so that you can be fooled into opening a .com, .exe,
.doc, .xls, .xlw, .vbs, .bat, .pif, .scr, or other infected file
if it is named "file.jpg.exe" or similar.  Until you change the
option, Windows hides the last dot and extension, supposedly as a
"user-friendly" feature.  To reduce your likelihood of being fooled,
change the option:

First, start Windows Explorer or Windows NT Explorer, then find
the Options menu item under either View or Tools.  Then select the
"View" pane.  Then uncheck the checkbox option labeled "Hide file
extensions for known file types" or similar, or click the radio
button for "Show hidden files and folders."  (Microsoft seems to
rearrange and reword the menus in every new version of Windows):

  Windows Explorer or Windows NT Explorer:
    Tools -> Folder Options -> View ->
    (or: View -> Options -> View -> )
      then select "Show hidden files and folders"
      or uncheck "Hide file extensions for known file types"
      or uncheck "Hide MS-DOS file extensions for file types that are registered"

Unfortunately, changing the option does NOT work for .pif files.
You can see for yourself, by performing a little experiment:
1) Copy an innocuous program file, like calc.exe, to c:\ (or some
   other suitable location), and rename it to README.TXT.pif
2) Run Windows Explorer or Windows NT Explorer and view the files in c:\
3) Note that README.TXT.pif is shown as README.TXT
4) Double-click on it, and see that the program (calc.exe) runs

If that program had been a malicious file attachment, it could
have wiped out your hard disk drive!  (Thank you, Microsoft.)

But there IS a subtle visible clue, which can tip you off about
the threat.  Look again at "README.TXT" (really README.TXT.pif)
in Windows Explorer.  Note the "MS DOS" shortcut icon beside it
(or, under Win95, a plain "shortcut" icon).  That's the clue,
indicating that it is an executable program.  If it had really been
a text file, it would have had a Notepad icon beside it.

So: BEWARE of files with MS DOS icons -- they are EXECUTABLE
programs, regardless of the apparent file extension.  Do not
open them!

c)  There are some truly hideous bugs in Microsoft's email and
browser products, some of which let attached viruses run automatically
when the email is viewed either manually or in the "preview pane,"
even if Outlook Express is configured for the "Restricted Sites Zone."

Fortunately, Microsoft has fixes available, but that won't help you if
you don't have them.  So, if you use Microsoft Internet Explorer 5.xx
or 6.0, and especially if you use Outlook or Outlook Express, it is
very important that you apply the latest security and "cumulative
patch" (formerly "security rollup") fixes.

The most important fix included in the latest "Cumulative Patch"
is MS01-020, which fixes a critical bug exploited by Klez.  For
details of how that bug works, see
http://www.burtonsys.com/microsoft_mime_bug.txt

Note: for a nice table of older Microsoft security fixes, see:
http://www.zianet.com/bwd/securitybulletins.asp
Unfortunately, it is not very up-to-date.

If you use Internet Explorer 6.0, then you need to install the MS02-047
"Cumulative Patch."  (See details below.)

If you use Internet Explorer 5.5, then you need to first make sure
that you have either SP1 or SP2 installed, then install the MS02-047
"Cumulative Patch."  (See details below.)

If you use Internet Explorer 5.01 under Windows 2000, then you need to
first make sure that you have IE 5.01 SP2 installed, or Windows 2000 SP3
installed (which also installs IE 5.01 SP3).  Then install the MS02-047
"Cumulative Patch."  (See details below.)

If you use Internet Explorer 5.01 under any operating system other than
Windows 2000, you cannot use MS02-047, so you must instead use the
earlier MS02-015 "Cumulative Patch," (see details below).  Or, better
yet, upgrade to Internet Explorer 5.5 or 6.0.  But if you insist on
sticking with IE 5.01 under Win-9x/Me, first make sure that you have
IE 5.01 SP2 installed, then apply MS02-009 and MS02-015 (details below).

Note: Internet Explorer 5.00 and earlier are no longer supported by
Microsoft, and Internet Explorer 5.01 is only supported on Windows 2000.

However, if you are running IE 5.01 or IE 5.5, then you might need to
apply a "Service Pack" before you can apply the "Cumulative Patch."

Note: to check which service packs are already installed, start Internet
Explorer and click on  Help -> About,  and look at the "Update Versions"
line.  If you see "SP1", "SP2" or "SP3" then you already have Service
Pack 1, 2 or 3, respectively, installed in your copy of Internet
Explorer.

If you are running IE 5.01, you must first apply Service Pack 2 (SP2),
unless it is already installed, before you can apply the Cumulative
Patch update.  If you are running IE 5.5, you should first apply SP2
unless either SP1 or SP2 is already installed.

For IE 5.5, if you don't already have either SP1 or SP2 installed, then
get SP2 here:
http://www.microsoft.com/Windows/ie/downloads/recommended/ie55sp2/default.asp
or here: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q276369

For IE 5.01, if SP2 is not already installed, then get it here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q267954  or here:
http://www.microsoft.com/Windows/ie/downloads/recommended/ie501sp2/default.asp

For IE 6.0, there are no Service Packs (yet).

Then for IE 5.5 or IE 6, or for IE 5.01 under Windows 2000, apply
MS02-047 (a/k/a Q323759), about 2-2.5 MB (~8-15 minutes to download
with a typical dial-up modem):
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Or for IE 5.01 under Win-9x/Me or NT 4, apply MS02-009 (a/k/a q318089),
about 300 KB (~2 minutes to download with a typical dial-up modem):
http://www.microsoft.com/technet/security/bulletin/MS02-009.asp
then apply MS02-015 (a/k/a Q319182), about 2-2.4 MB (~8-15 minutes
to download with a typical dial-up modem):
http://www.microsoft.com/technet/security/bulletin/MS02-015.asp

Note #1: Microsoft fixes should generally be applied in chronological
order, according to the dates on which they were released.

Note #2: Unless you are running Windows XP, when applying two or more
Microsoft fixes which prompt you to reboot the computer, you really
should let it reboot the computer after each one.  Or, with NT 4 or
Windows 2000, you may apply them all and then run Microsoft's
QChain.exe utility before rebooting the computer.  Get QChain here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q296861

d)  All Windows 9x/ME/NT/2K/XP users should apply these Microsoft
Java/VM updates:
http://www.microsoft.com/technet/security/bulletin/ms02-013.asp
http://www.microsoft.com/technet/security/bulletin/MS02-052.asp (Q329077)
MS02-013 is 4.3 MB.  Fortunately, MS02-052 is only 168 KB, so it
is a quick download.  Unfortunately, even though Microsoft says that
these fixes are "critical" for users of all versions of Windows
9x/Me/NT/2K/XP, they now seem to be only available through Microsoft's
cumbersome "Windows Update" facility (search for "Q329077"), which
only supports Windows 2000 & XP.  There probably is some way for
Win 9x/Me users to get the fixes from Microsoft's web site, but I
haven't figured out how.  Perhaps you can just lie about what version
of Windows you are using?

MS02-052 is apparently the same for all versions of Windows, and it
can also be downloaded as vm-sfix3.exe (Q329077) - 167,168 bytes from
http://ftp.uni-stuttgart.de/pub/systems/winxp/fixes/security-bulletins/usa/vm-sfix3.exe

Or delete Microsoft's Java VM and use Sun's, instead:
http://java.sun.com/j2se/1.4/download.html
Sun's is said to be slower, but safer.

Or perhaps IBM's, which has a good reputation for high performance:
http://www7b.boulder.ibm.com/wsdd/wspvtdownload.html  (newest)
http://www.ibm.com/developerworks/java/jdk/118/jre-info.html  (stable)

e.1)  If you run Windows XP, you should first disable its dangerous
"SSDP Discovery Service" (UnPnP) as described here:
http://grc.com/UnPnP/UnPnP.htm

Then install Windows XP Service Pack 1:
http://www.microsoft.com/windowsxp/pro/downloads/servicepacks/sp1/
(Note: despite what it says on that page, this service pack is for
both the "Home Edition" and the "Professional Edition" of Windows XP.)

Unfortunately, SP1 is huge, so downloading and installing it is
tedious if you only have a slow modem connection.  But if you are
in a hurry, you can use this quick, stop-gap fix from Steve Gibson
for the worst of the bugs repaired by SP1:
http://grc.com/xpdite/xpdite.htm
However, you still should install SP1 as soon as you can.

e.2) If you run Windows 95/98/Me, and you "share out" your disk over
a network using passwords to limit access, you need to apply this fix,
for a bug that is exploited by the Opaserv virus:
http://www.microsoft.com/technet/security/bulletin/MS00-072.asp

f)  If you are running Microsoft Outlook (as opposed to Outlook
Express) as your email client, then be sure to apply the latest
Outlook email security updates.
For Outlook 98, get:
http://office.microsoft.com/downloads/9798/Out98sec.aspx
For Outlook 2000, get:
http://office.microsoft.com/Downloads/2000/Out2ksec.aspx and then
http://www.microsoft.com/technet/security/bulletin/MS02-021.asp
For Outlook 2002, get:
http://www.microsoft.com/technet/security/bulletin/MS02-021.asp

g)  Macro virus avoidance, Part 1:  If you use Microsoft Office XP
(Word 2002, Excel 2002, etc.) then you should apply Office XP
Service Pack 2 (SP2), from:
http://office.microsoft.com/downloads/2002/oxpsp2.aspx
Unfortunately, this is a 15.5 MB download, about 1.5 hours by modem.
But it is the only MS Office update you need, so you can skip the
next paragraph's instructions for applying MS01-034 and MS02-031.

If you use Microsoft Word 97, Word 2002, or any version in between,
or Microsoft Excel 2002, then you should apply the latest available
Security Update and/or Cumulative Patch.  It is not clear from
Microsoft's web site whether or not MS01-034 is included in MS02-031,
so I recommend applying both.  First, everyone should apply MS01-034:
http://www.microsoft.com/technet/security/bulletin/MS01-034.asp
Then, if you have MS Office 2000 SR-1a or SP2, Office XP SP1, Word
2000, Word 2002, or Excel 2002, you should also apply MS02-031:
http://www.microsoft.com/technet/security/bulletin/MS02-031.asp

h)  Macro virus avoidance, Part 2:  The "97" and later versions of
Microsoft Word, Excel, PowerPoint and Access, and Microsoft Project
4.1 and later, include a feature to help protect against infection
by macro viruses.  (Earlier versions don't support macros, so they
are naturally immune to this threat.)  If you have the vulnerable
versions of any of these programs, you should make sure that the
protection feature is enabled.  To enable the feature, start each
of the programs and then:

For "97" versions:
  "Tools" -> "Options" -> "General"
    check the "Macro virus protection" check box
      then click "OK"

For more recent versions:
  "Tools" -> "Macro" -> "Security"
    select either "Medium" or "High"
      then click "OK"

For more information about the "Macro Virus Protection" feature, see:
http://office.microsoft.com/assistance/9798/o97mcrod.aspx

However, that document contains one piece of bad advice.  Discussing
how you should answer when prompted about how to handle a document
containing macros, it says:

   Disable Macros -  You should choose this command if you are unsure
   of the source of the document, but you still want to open it.
   Enable Macros - You should choose this command if you know who
   created the document.

That advice is WRONG, WRONG, WRONG!  Macro viruses infect documents
AFTER they are created, without regard for who created them.  So the
source of the document DOES NOT MATTER.  You should ALWAYS answer
"Disable Macros," except for those rare files that you know require
macros to display properly (which is almost never the case for Word
documents).

i)  Macro virus avoidance, Part 3:   Do not send Microsoft Word .doc
files in email.  Instead, save your file in "Rich Text Format" and
send the .rtf file.  If you send .rtf files instead of .doc files,
the recipients need not worry as much about receiving macro viruses
from you, and .rtf files are usually more compact, too.  (However,
a .doc file that has been renamed to have a .rtf extension can still
have macro viruses in it.)

j)  Apply the latest Cumulative Patch for Windows Media Player:
http://www.microsoft.com/technet/security/bulletin/MS02-032.asp

k)  "Share out" disk drives only sparingly over your network.  Grant
only "read-only" access unless write access is really necessary,
and don't share out your system drive (probably C:) unless really
necessary.  Viruses like Qaz, Klez, and others spread via network
shares, simply by opening and modifying program files on other
computers over the network.

l)  To safely view a suspicious message in Outlook Express, without
opening it, right-click on the message summary line, then:

   "Properties" -> "Details" -> "Message Source..."

To safely view a suspicious message in Outlook (not Outlook Express),
highlight the message summary line, then from the main program menu
bar at the top of the window:

   "File" -> "Save As..."
     change the "Save as type..." to "Text Files (*.txt)"
       adjust the file name and location as desired
         click "Save"

then open the saved .txt file in Notepad.

Or you can drag the message over to Outlook's "Tasks" folder and
examine it there, though that won't show the message body for HTML
formatted messages.

m)  If you are a "techie" person doing "techie things," like
running a web server or using a VPN connection, you should also
read the advice of our friend, Mike McKee, here:
http://www.burtonsys.com/mike_advice.txt


IV. FREE VIRUS REMOVAL AND PROTECTION TOOLS:

The most common viruses/worms going around right now seem to be
Klez/ElKern/Foroux, Bugbear, Magistr, Yaha/Lentin, Sircam, Goner,
Badtrans, Qaz, and Hybris.  There are free removal tools available
for all nine of these, and for many other viruses.

This site has a quite comprehensive list of virus removal tools:
http://virusall.com/downrem.html

Symantec/Norton has many free virus removal tools, including tools
for removing Bugbear, Sircam, Goner, Badtrans, Hybris, Nimda, Qaz,
Kriz, the most common Klez/ElKern variants, Yaha (Lentin), and
several others (but not Magistr or CIH/Chernobyl), here:
http://www.symantec.com/avcenter/tools.list.html

McAfee/NAI also has a few, here:
http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp

Sophos also has some, including free Magistr, CIH/Chernobyl, and
Yaha/Lentin removal tools:
http://www.sophos.com/support/disinfection/

Gibson Research has a CIH/Chernobyl recovery tool, here:
http://grc.com/cih.htm

Kaspersky has a free tool to remove Klez, Sircam and Goner, here:
ftp://ftp1.avp.ch/utils/clrav.com

Cat Computer Services has free removal tools for Klez.h, CIH/Chernobyl,
and some others, here:
http://www.quickheal.com/othdown.htm
Note: Klez.h (and some other Klez variants) are sometimes identified
as Klez.gen.

SRN Micro (Solo AntiVirus) and Prognet (Fire AntiVirus) are closely
related companies, with similer web sites but somewhat different
selections of free virus removal tools.  They offer free tools to
remove Klez, Badtrans, Sircam, Kriz, CIH/CHernobyl, Goner, and some
others, here:
http://www.srnmicro.com/downloads/  or
http://fireav.com/downloads/  or
http://www.antivirus-download.com/downloads/

BitDefender has free removal tools for Klez, Kriz, Magistr, Sircam,
Qaz, Badtrans, and others, here:
http://www.bitdefender.com/html/free_tools.php

Trend Micro has free removal tools for Klez, Goner, and Sircam;
enter the virus name in the search box on their web site:
http://www.trendmicro.com/

eScan/Microworld and F-Secure also have free Klez removal tools,
here:
http://www.mwti.net/form.asp?url=free.asp
ftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zip
Note: there are many variants of Klez; the free removal tools might
not remove all of them.

"The Cleaner" is a product which claims to be able to remove many
kinds of worms & viruses, including Magistr.  It has a 30 day free
trial period:  http://www.moosoft.com/

Also, one or more of the free general-purpose anti-virus packages
can probably remove your virus infection.

Yes, you read that correctly!  Some of the less well-known
general-purpose anti-virus packages can be had for free, for home
use.  They appear to be very credible alternatives to the expensive
big two (Norton & McAfee):

http://www.grisoft.com/
http://www.frisk.is/f-prot/download/ (DOS version is free)
http://www.free-av.com/

Plus these, which require a web connection when you use them:

http://www.pandasoftware.com/activescan/com/
http://housecall.antivirus.com/
http://security.norton.com/us/intro.asp?venid=sym&langid=us
and some others listed at http://virusall.com/downscan.html

Plus, many of the non-free anti-virus utilities have free 25-day
or 30-day demo versions or shareware versions available.  Some are
available at the manufacturers' web sites, such as NOD32 from Eset,
and Solo AntiVirus from SRN Micro:

http://www.nod32.com/scriptless/download/trial.htm
http://www.srnmicro.com/downloads/evaluate/TrySolo.exe

Others are at the usual shareware web sites.  E.g., Tucows has
demos for F-Secure, Norton, Kaspersky, eScan, Panda, and others:

http://www.tucows.com/system/virus95.html

But don't get "Admiral VirusScanner" or "In Vircible Anti virus"
because they are "spyware" -- see the usual spyware list sites:
http://www.spychecker.com/ & http://www.tom-cat.com/spybase/spylist.html
(Note: "spyware" is similar to "scumware" (see http://scumware.com/ )
-- you don't want it.)

Note:  Real anti-virus tools do not show up in your email mailbox
as unsolicited file attachments.  So don't be fooled!  One of the
Klez variants tries to induce you to run it by claiming to be an
antidote to, of all things, the Klez.E worm/virus.  It says:

   NOTE: Because this tool acts as a fake Klez to fool the
   real worm,some AV monitor maybe cry when you run it.
   If so,Ignore the warning,and select 'continue'.

That is a lie.  The email attachment IS the virus/worm.  Don't run it.


V. FIREWALLS:

Firewall programs are not really anti-virus tools, though they can
help to prevent some kinds of virus infection.  But they are useful
for preventing other kinds of security problems, like having your
computer's hard disk drive accidentally appear in the Microsoft
Network Neighborhood of your neighbor down the road, who happens to
have a cablemodem like yours.

Especially if you have an "always on" high speed DSL or cablemodem
internet connection, you should use some sort of firewall.

Two very good, free (for personal use) firewalls for MS Windows are
"ZoneAlarm" and "Tiny Personal FireWall," available here:
http://www.zonelabs.com/products/za/
http://download.cnet.com/downloads/0-10105-108-71881.html?tag=st.dl.10105.upd.10105-108-71881

Both ZoneAlarm and TPFW are much better than some of the non-free
firewalls, such as "BlackICE Defender" and the Symantec/Norton
product.  ZoneAlarm is probably easier to install than TPFW, but
TPFW might be a bit more flexible, and is preferred by some
technically savvy users.

The best source of information for MS Windows users about Firewalls
and related security issues is Steve Gibson's site:

http://www.grc.com/

Steve's "Shields Up" test can tell you whether your computer and
Internet connection have the most common internet security "leaks."
Testing your system is free, very easy, and well worth your time.

Steve rates Windows firewalls here: http://grc.com/lt/scoreboard.htm


VI. HOAXES:

"Virus warning" emails which ask you to forward them on to lots
of other people are almost always hoaxes.  Don't forward them.
(This includes the sulfnbk.exe and jdbgmgr.exe virus hoaxes.)

In fact, ALMOST ALL emails which ask you to forward them on to
lots of other people are untrue.  Most are pure hoaxes, a few are
partially true, and almost none are entirely true.

If you receive any message that asks you to forward it on to
lots of other people, you can be almost certain that it is a
hoax or a scam.  I've seem 'em all: the virus warnings, the
Proctor and Gamble smears, the lost or dying child heartstring-
tuggers, the MLM scams, the Madaline Murray O'Hair / FCC
story, the internet tax hoaxes, etc., etc..  They are all false.

(Note: the email claiming to be a Klez antidote program is
false, too.  Running it will infect, rather than protect, your
computer; see above.)

Only if such an email chain-letter references a verifiable,
recognizable, on-line source for more information (such as
www.microsoft.com/something) should you even consider the
possibility that it might be true.  Even then it probably is not.
Of the hundreds of chain emails I've received over the last few
years, only three were verifiably or probably true.  (One of the
true ones was a plug for the National Day of Prayer in 1999 or
2000; the 2nd was a note from a Mrs. Lindsey Yeskoo about
President Bush's personal prayer request which he shared with her
when she met him briefly in Shanghai in October, 2001; the 3rd
was from an Amnesty International affiliate about the stoning
sentence of a Nigerian woman named Amina Lawal.)

Usually, the easiest way to verify that email chain-letters are
untrue is to look for them on one of the "hoax buster" web sites.
Also, virus warning chain-letters can be checked on the usual
virus information web sites (Section I, above).

Here are some "hoax buster" web sites for checking suspected email
hoaxes.  I suggest bookmarking at least the first two of these
links (if using Internet Explorer, add them to your "favorites"):

http://www.truthorfiction.com/
http://www.snopes.com/info/search/search.htm
http://UrbanLegends.MiningCo.com/
http://www.hoaxinfo.com/
http://www.breakthechain.org/
http://hoaxbusters.ciac.org/

One caution about snopes.com:  They have a very comprehensive
and useful hoax database, but they also have a political slant
that, IMO, makes them a less reliable source of information about
emails with political topics.


VII. REMOVING THE KLEX.H VIRUS:

This section is for people whose computers are ALREADY infected
with a Klez virus (probably Klez.H, which is also sometimes
identified as Klez.gen, Klez.G, or Klez.I).  If, instead, you
need to find out the source of a Klez-infected email, see the
end of section I (above).

This is the Symantec/Norton info about this virus:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
This is the Sophos info about this virus:
http://www.sophos.com/virusinfo/analyses/w32klezh.html
This is the F-Secure info about this virus:
http://www.f-secure.com/v-descs/klez_h.shtml

Note: Most people who get the Klez.H virus get it because they
are using an unpatched (buggy) version of Microsoft Outlook
Express to read email.  So after you remove the Klez.H virus,
be sure to follow the instructions above to install the latest
Microsoft fixes and setting changes for Outlook Express and
Internet Explorer.  Or delete Outlook Express from your computer
and just use a Yahoo account for email!
(For details about how the Outlook Express/IE bug works, see
http:\\www.burtonsys.com\microsoft_mime_bug.txt )

If you have an anti-virus tool like Norton Anti Virus ("NAV")
but can't get it to install, the reason is probably that Klez
is already running, and it blocks many anti-virus tools from
starting.  You might be able to get your AV tool to work
if you shut down the computer, turn the power off, wait
30 seconds (to clear RAM memory), and then start up the
computer in "safe mode" before trying to run the AV tool.

Note: If you are running Windows Me or Windows XP, then
you should also disable its "System Restore" feature
before shutting down.  For how to do so under Win-Me, see:
http://service2.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
For how to disable System Restore under Win-XP, see:
http://service4.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

But the easiest way to remove the virus is probably to run
one of the tools that is specifically designed to remove
this particular virus.  There are at least six different
free Klez free removal available from various AV software
vendors.  Most are quite small, so you could download
several of them onto a single diskette, and still have room
to spare.

I don't know for certain which Klez removal tool is best,
but http://www.techtips4u.com/ says that it is Symantec's:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

Cat Computer Services has one which I'm told sometimes works
even when the Symantec and Kaspersky tools fail:
http://www.quickheal.com/killklez.htm

Kaspersky also has a simple one (also available from F-Secure):
ftp://ftp1.avp.ch/utils/clrav.com or
ftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zip

I recommend that you download the Symantec/Norton tool, the CAT
Computer Services tool, and the Kaspersky tool onto a diskette,
then write-protect the diskette and take it to the infected
computer.  Then follow the instructions and run the Symantec tool
first.  If it fails then run the CAT tool.  Then reboot and run
the Kaspersky tool to verify that the Symantec or CAT tool
successfully removed the virus.

(For links to some other free Klez removal tools, see
section IV, above.)

Note #1: if you have several computers networked together, then
you need to first disconnect the network (or power-off the
hub).  Then run the virus removal tool on every Windows
computer on your network before reconnecting the network.
Otherwise, Klez is likely to immediately reinfect your freshly-
disinfected computers, via your network.

Then go back and read the rest of this document, so you can
learn how to avoid future virus infections!

Note #2: I recommend that you back up your critical document
and data files before disinfecting your computer.  I recently
helped someone remove Klez.H from her Windows-Me computer using
the Kaspersky tool, and when she was done the computer would no
longer boot, not even in "safe mode."  I think this is unusual,
but to recover we had to boot Windows-Me from the Installation
CD, delete several files from the Windows system directory, and
reinstall Windows-Me.  (Her computer dealer had wanted to reformat
the hard disk drive!)  She didn't end up losing any important
files, but recovering it cost us a lot of time and aggravation.
BTW, to enable Win-Me to reinstall, the files we deleted from the
c:\windows directory were user.dat, system.dat, classes.dat and
wininit.ini, per http://www.techtips4u.com/ostt/installsafe.htm
and http://www.servenet.com/ipiboard/archive010601/3927.html


-Dave Burton   <dburton@burtonsys.com>
Burton Systems Software: http://www.burtonsys.com/
Tel: 1-919-481-0149