CompuSchmooze April 2009: Surfing Safely on a Virus Laden Net

By Steven L. Lubetkin
steve@compuschmooze.com
Copyright © 2009 Steven L. Lubetkin. All rights reserved.

WORD COUNT: 975

This is an extended version of the column that appears in the Voice this month.

I spent the better part of a recent Sunday eradicating a particularly nasty computer virus from my daughter Shelly’s late-model laptop computer.

I was surprised to find that the computer had a virus infection, since we have a firewall and antivirus product on all of our machines.

I was even more surprised at the sophistication and extent of the infection when I opened up the patient.

When Shelly noticed the computer operating strangely and asked for my help, the first clue I had that something was wrong was in the log files of the firewall software.

For some reason, her computer was making repeated efforts to “ping” or contact a computer with a domain name somewhere in the Ukraine. The firewall was dutifully blocking these pings, but I realized that the computer had clearly become infected with a spybot or “botnet” infection.

These viruses are often called Trojan Horse infections because, like the mythical gift in Greek literature (http://tinyurl.com/2jjlkd), they get into your computer by masquerading as something more innocuous.

In my daughter’s case, she downloaded a program for viewing videos, and it told her she needed a special “codec,” or separate program for viewing high definition (HD) videos. I learned from a Google search on the name of the new video program that it was indeed the so-called HD codec that introduced the Trojan Horse into her computer.

I realized I was up against an especially devious infection when I tried to install my standard solution for spyware programs, Spybot Search & Destroy, a free program to delete programs that spy on your computer and protect it from further infestations (www.safer-networking.org).

The laptop’s web browser reported that the program’s website was not available. Then, it told me the copy of the installation program transferred over my network from another computer was corrupted and could not continue. When I successfully installed Spybot S&D from a flash drive, the virus blocked it from starting and simply rebooted the machine every time I tried to activate it.

The virus had more surprises for me, though.

Internet-connected computers, as well as websites, are identified by a string of numbers referred to as an IP address, like the string 161.111.2.105.

Most Internet service providers like Verizon, Comcast, and others, maintain a network of computers called Domain Name Servers to translate between those strings of numbers and familiar names like www.google.com or www.jewishvoicesnj.org.

This virus, known as a Trojan DNSChanger, gets into the deep inner workings of a PC and changes the settings that tell your computer which DNS server to use to find websites.

Alone among the computers in the house, this one had its DNS server settings pointing to a suspicious IP address somewhere in Europe, instead of the correct Verizon settings.

Because of that nearly invisible change in the way the computer accessed the Internet, the Trojan took control of the computer’s ability to reach any website, and blocked access to sites or software that would threaten its existence.
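The check a technician would want at this point is a simple one: compare the DNS servers the machine is actually configured to use against the ones it should be using. The following script is an added example, not something from the column; it parses the output of the Windows `ipconfig /all` command (a constructed sample is embedded, with documentation-range addresses standing in for both the ISP’s resolvers and a rogue one) and reports any resolver that is not on an allowlist. The allowlist itself is a placeholder you would replace with your router’s address and your provider’s published DNS servers.

```python
"""Report DNS resolvers that differ from the ones you expect (added example).

Parses `ipconfig /all` text and flags any resolver not on an allowlist, which is
the setting a DNSChanger-style Trojan silently rewrites.
"""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output. 203.0.113.77 is a
# documentation-range placeholder for a rogue resolver; 192.0.2.x addresses are
# placeholders for the ISP's legitimate resolvers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.77
                                       192.0.2.10

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.42
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Placeholder allowlist (assumption): the home router plus the ISP's resolvers.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.0.2.10", "192.0.2.11"}

_ADAPTER_LINE = re.compile(r"^\S.*adapter (.+):\s*$")
_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*: (\S+)\s*$")
_CONT_LINE = re.compile(r"^\s{20,}(\S+)\s*$")  # extra resolvers are indented


def parse_resolvers(ipconfig_text):
    """Return {adapter_name: [resolver, ...]} from `ipconfig /all` text."""
    resolvers = {}
    adapter = None
    in_dns = False  # True while reading continuation lines of a DNS Servers entry
    for line in ipconfig_text.splitlines():
        m = _ADAPTER_LINE.match(line)
        if m:
            adapter = m.group(1)
            resolvers[adapter] = []
            in_dns = False
            continue
        m = _DNS_LINE.match(line)
        if m and adapter is not None:
            resolvers[adapter].append(m.group(1))
            in_dns = True
            continue
        m = _CONT_LINE.match(line) if in_dns else None
        if m:
            resolvers[adapter].append(m.group(1))
            continue
        in_dns = False
    return resolvers


def unexpected_resolvers(ipconfig_text, expected=EXPECTED_RESOLVERS):
    """Return sorted (adapter, resolver) pairs that are not on the allowlist.

    Entries that do not even parse as IP addresses are reported as well.
    """
    findings = []
    for adapter, servers in parse_resolvers(ipconfig_text).items():
        for server in servers:
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append((adapter, server))
                continue
            if server not in expected:
                findings.append((adapter, server))
    return sorted(findings)


if __name__ == "__main__":
    for adapter, server in unexpected_resolvers(SAMPLE_IPCONFIG):
        print(f"{adapter}: unexpected DNS server {server}")
```

On a real machine you would pipe the live output of `ipconfig /all` into `unexpected_resolvers` instead of the sample; any hit on an adapter that is supposed to get its settings from the router is the kind of change the column describes.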

By rerouting the computer’s Internet access to the rogue DNS server, it seemed to anticipate my efforts to install every major antivirus program, like McAfee (mcafee.com) or Symantec’s Norton Antivirus (Symantec.com).

The existing installation of ZoneAlarm Internet Security was blocked from updating its virus and spyware data files. A new installation of Kaspersky Antivirus was also blocked.

The only program that it failed to block – and which ultimately helped me defeat it – was an obscure program called ComboFix. ComboFix found and eradicated the well-hidden changes the Trojan had made deep in the computer’s software. Once ComboFix had completed its scan, I was able to get the computer pointed to the right DNS servers again, and updated and ran my other antivirus and security software several times to make sure the virus was gone.

By the way, this story is a cautionary tale. Trying to remove a Trojan DNSChanger virus is not recommended for inexperienced computer users. Contact a professional for assistance unless you are really familiar with the innards of your computers.

And so, with news stories warning of a new virus threat called “Conficker” possibly striking computers worldwide in April, what can you do to protect your computers?

First and foremost, make sure you are running the latest version of your antivirus and firewall software on all your computers. Update the virus “signature” files from the antivirus manufacturer. New updates are transmitted several times a week, so pay special attention if you try to update them and the update fails. And yes, you need to install it on every computer in your home network, not just the one that provides Internet access to the rest of the network.

If you have a wireless network, be sure to activate the network’s security features and limit access to computers you know.

Also, periodically check the log files created by your antivirus software or firewall for suspicious activity. There are few legitimate reasons for your computer to be trying to make unattended contact with Internet sites in Russia, the Ukraine, or China, unless you are visiting such sites to do family research or research for homework assignments.
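Reading a firewall log by eye for that pattern is tedious, so here is an added example (not from the column) that does it for you. It reads log lines in the W3C style used by the Windows Firewall log, using the `#Fields:` header to find the columns, and reports destinations that this machine tried to reach and was blocked from repeatedly, which is exactly what gave the infection away above. The sample log, the home network range, and the threshold are constructed placeholders.

```python
"""Find hosts a computer keeps trying to contact unattended (added example).

Counts outbound connection attempts the firewall dropped, grouped by
destination, and reports the ones that repeat. Repeated blocked attempts to the
same outside host are the column's first clue of a bot infection.
"""
import ipaddress
from collections import Counter

# Constructed sample log. 192.168.1.23 stands in for the infected laptop and
# 203.0.113.77 (documentation range) for the host it keeps trying to reach.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2009-03-15 14:02:11 DROP TCP 192.168.1.23 203.0.113.77 49152 80
2009-03-15 14:02:41 DROP TCP 192.168.1.23 203.0.113.77 49153 80
2009-03-15 14:03:11 DROP TCP 192.168.1.23 203.0.113.77 49154 80
2009-03-15 14:03:12 ALLOW TCP 192.168.1.23 192.0.2.10 49155 53
2009-03-15 14:03:41 DROP TCP 192.168.1.23 203.0.113.77 49156 80
2009-03-15 14:05:00 DROP UDP 198.51.100.9 192.168.1.23 3000 137
2009-03-15 14:05:30 DROP TCP 192.168.1.23 192.0.2.50 49157 443
"""

# Placeholder (assumption): the address range of the home network.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_log(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other header/comment lines
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        if len(values) < len(fields):
            continue  # truncated record: skip rather than misalign columns
        yield dict(zip(fields, values))


def repeated_blocked_outbound(text, threshold=3):
    """Return {(src, dst): count} for dropped outbound attempts seen >= threshold times.

    Only records whose source is inside LOCAL_NET count as outbound, so inbound
    noise (port scans, broadcasts) does not show up here.
    """
    counts = Counter()
    for rec in parse_log(text):
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except (KeyError, ValueError):
            continue
        if rec.get("action") != "DROP" or src not in LOCAL_NET:
            continue
        counts[(rec["src-ip"], rec["dst-ip"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (src, dst), n in sorted(repeated_blocked_outbound(SAMPLE_LOG).items()):
        print(f"{src} was blocked {n} times trying to reach {dst}")
```

Run it against your own firewall’s log instead of the sample and look at who the repeat offenders are; a home computer that is blocked four times in two minutes trying to reach the same unfamiliar address deserves a closer look, whatever country the address resolves to.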

Scan your computers with Spybot S&D. It’s a free program, and it finds a lot of the marketing-type spyware that websites add to your system without your needing it.

Most importantly, before you download and install that new cool program that the computer says you really, really need for the live online chat with Rob Pattinson or Kristen Stewart, the stars of “Twilight,” do a Google search on the program’s name.

If it’s a legitimate program, you’ll find lots of search results describing the program’s features and how people are using it.

If it’s a rogue program or a virus of some sort, you’ll almost certainly find warnings from other people, and may save yourself a wasted weekend trying to remove a virus.

# # # #
