dacs.doc electric

Random Access
February 2004

Bruce Preston, Moderator


Members who are unable to attend the General Meeting may submit questions to "askdacs@dacs.org" by the day prior to the meeting. We will attempt to get an answer for you. Please provide enough detail, as we will not be able to ask for additional information.

Q. I am getting periodic messages from an ISP’s postmaster, saying that it is unable to deliver mail to a specific email address at that ISP. I have never heard of the addressee. Do I have a virus on my machine that is doing this? Is it true that I can only get a virus by opening an attachment on an email?

A. No, you are seeing the side effect of one of several internet worms that attach themselves to a machine’s TCP/IP protocol stack, and then use the compromised machine to propagate to other machines. Current worms using this exploit are MyDoom and Novarg. They do so by reading the inbox, address book, and cache (temporary internet files) of the compromised machine to get email addresses. The worm randomly selects one of the addresses in the list and uses that address to forge the ‘From:’ of the email that is then sent to all of the addresses in the compromised machine. This adds to the confusion caused by the worm, as it will hinder identifying the compromised machine. For the second part of your question, you want to maintain your antivirus signature file—when Novarg hit, it took about 8 hours for the antivirus vendors to figure out how it works and create a signature file entry. However, a lot of client computers got compromised during the next few days because they didn’t have up-to-date antivirus signatures. In addition, you have to set your Internet Explorer, and Outlook or Outlook Express to not open active content. Set them to “High Security.” In Eudora, you want to not use the Microsoft viewer. Lastly, keep your system up-to-date by running Windows Update frequently.

Q. I’ve heard about Spybot Search & Destroy. (www.safer-networking.org) In searching the web, I’ve seen accolades, as well as horror stories. Does anyone have any comments?

A. It and Ad-aware 6 from Lavasoft (www.lavasoft.de) are both excellent freeware utilities that identify programs that you probably don’t want on your machine. However, you still need to know what is going on, as some components that are flagged as spyware may in fact be things that you need. For example, there is a program called “BackWeb” which has legitimate uses, but is often flagged as spyware. BackWeb is used by some applications (such as F-Secure) to do periodic and frequent tests for updated antivirus signature files and, if one is found, to download it from the web and install it on your computer. It works in the background, and is sensitive to your use of the internet connection, so that it has little impact upon the responsiveness of your machine. You wouldn’t want to disable/uninstall BackWeb if you are using it for A/V updates. However, checking for updates can be abused—for example, a well-known mouse vendor sets things up to do a daily test for driver updates for the mouse. How critical is that?

Q. A comment - I understand that the most recent security patch for Internet Explorer contains a fix for a security hole in Windows that could be exploited even if you are not using IE as your browser.

A. Thank you for the notification—another reason to go to the Windows Update site frequently.

Q. I signed up for SBC/Yahoo! which included an email account. I have never used the email account, yet within a few days I started getting spam addressed to the new account. How is this possible?

A. (a) SBC/Yahoo! sells email addresses. When you sign up, there is a check box to prevent this, but most don’t see it, and once the address is out—it’s out. (b) Spammers generate email addresses using common names and send to them blindly at domains. So if your email address at SBC/Yahoo! is not particularly unique, it could have been generated.

Q. I have a laptop with XP Home edition on it. Now, when I boot I get a Windows Explorer with the heading C:\WINNT\SYSTEM32 and in the right window of Windows Explorer I get a pane that says “the files in this folder are hidden” etc. What has happened?

A. Somehow, either in your Start/Programs/Start Up folder or in your Registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, you have the entry C:\Windows\System32. An entry like that in either place will do this. How it got there is another story—however, I have observed this on machines that were hit by the Novarg internet worm (see the first question). Update your antivirus, run a scan, and then delete the entry.
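The following is an added example, not part of the column, that checks the two auto-start locations named above (the Run key, plus its per-user twin under HKEY_CURRENT_USER, and the Startup folders) and flags any entry that launches a bare folder such as C:\Windows\System32 instead of a program. It assumes a Windows machine with PowerShell available; the column’s own advice was to inspect and remove the entry by hand.

```powershell
# Added example (not from the column): list auto-start entries whose target is a
# folder rather than an executable. Such an entry makes Explorer open that folder
# at every logon, which is the symptom described in the question.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }    # skip PSPath/PSParentPath bookkeeping properties
        $cmd = [string]$props.$name
        # Take the program path: the quoted part if the command is quoted, else the first token
        if ($cmd -match '^"([^"]+)"') { $target = $Matches[1] } else { $target = ($cmd -split '\s+')[0] }
        if ($target -and (Test-Path -LiteralPath $target -PathType Container)) {
            $findings += [pscustomobject]@{
                Location = $key; Name = $name; Command = $cmd; Reason = 'Points to a folder, not a program'
            }
        }
    }
}

# The per-user and all-users Startup folders hold shortcuts; resolve each one the same way
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not ($dir -and (Test-Path $dir))) { continue }
    foreach ($item in Get-ChildItem -Path $dir -Force -File) {
        if ($item.Extension -ne '.lnk') { continue }
        $target = $shell.CreateShortcut($item.FullName).TargetPath
        if ($target -and (Test-Path -LiteralPath $target -PathType Container)) {
            $findings += [pscustomobject]@{
                Location = $dir; Name = $item.Name; Command = $target; Reason = 'Shortcut opens a folder'
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No folder-only auto-start entries found.' }
```

The script only reports; removing a flagged entry (with Remove-ItemProperty or by deleting the shortcut) is left to the person reviewing the output, after the antivirus scan the answer recommends.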

Q. Is there an equivalent to MSConfig in Windows XP?

A. Yes. Here is a Microsoft Knowledgebase article that tells how to use it: http://support.microsoft.com/default.aspx?scid=kb;en-us;310560 . You also might look at Xteq Systems’ X-Setup (www.xteq.com/products/xset/) or go to www.microsoft.com/downloads/search.aspx?displaylang=en and do a search on TweakUI.

Q. I have Windows 98 with a dial-up connection. A short while after I connect, the machine slows down drastically. I do a Control-Alt-Delete and I don’t see anything unusual. Any suggestions?

A. Again, it could be spyware which, because it runs as a ‘process’ rather than an application, won’t show in the Task Manager you get when you do a Control-Alt-Delete. Another possibility is that your connection quality is deteriorating over time and the modem is continuously downgrading to compensate for detected errors until it just drops out. If you must use a dial-up connection, you can stack the deck in your favor by (a) using an external modem, or (b) using a ‘hardware-based’ internal modem. External and ‘hardware-based’ modems do the processing of data within the modem, as opposed to ‘win-modems’ which require the computer’s CPU to do the processing of compression and error correction etc. Today, 56K win-modems are available for under $20, and hardware-based modems are more likely to be $50 or more.

Q. I have an old-reliable 386-based computer that I use for miscellaneous tasks. The clock battery went dead. I replaced the battery, but I can’t boot the machine. It doesn’t recognize the hard disk. What can I do?

A. In addition to keeping the real-time clock in the PC running, the battery is also responsible for keeping the CMOS BIOS settings alive. They disappeared as well—and that’s where your hard drive parameters are kept. In newer machines, the BIOS can query the hard drives which will report back what the drive parameters are — heads, tracks and cylinders. In older machines, you have to enter these yourself. The numbers should be printed on the hard disk, or if you get the model number you can do a search on Google and come up with the values. You then get into the BIOS setting screen (typically by pressing the DEL key during the power-on self-test) and enter the values for the hard drive(s). You will probably also have to identify the floppy drive(s) as to whether they are 1.44MB 3.5" floppy or 1.2MB 5.25" floppy, etc. Once you do that, save the settings (usually Esc followed by F10 followed by a “Y”) and boot the machine. None of this will erase data on the hard disk, but having the wrong value for the drive parameters could cause a problem if you try writing. Fortunately, you can’t write without an operating system, and you won’t boot the operating system until you have the parameters correct.


Bruce Preston is president of West Mountain Systems, a consultancy in Ridgefield, CT specializing in database applications. A DACS director, Bruce also leads the Access SIG. Members may send tech queries to Bruce at askdacs@dacs.org.


© Copyright Danbury Area Computer Society, Inc. 1998-2003 All Rights Reserved