Bugger All

I may be waxing poetic, but before you beatify me, check out the latest virus. This too is designed to take advantage of all those lonely-hearts that use the Web. Matcher disguises itself as a romance-related utility, just like Naked Wife, Anna and ILoveYou did before. The worm takes advantage of oft-mentioned but rarely plugged 'holes' in the Microsoft Outlook family of products. I specifically use "rarely" because the entire process of downloading and then applying the Office service packs is remarkably tedious. In any case, specific patches for Outlook Express are rare; it's often simpler to upgrade your Internet Explorer.

Matcher.A or the Lonely Hearts virus is a self-propagating virus that takes advantage of Windows scripting vulnerabilities. It arrives by email with the subject as "Matcher," the body as "Want to find your love mates!!! Try this its cool... Looks and Attitude Maching to opposite sex" and MATCHER.EXE as the attachment. Clicking the attachment will infect your system. Incidentally, if you don't have the Windows Scripting Host, or have disabled it, you may be lucky enough to avoid being bugged (more on this later).

Once your system is infected, Matcher mails a copy of itself to every contact in your Address Book. uniquely displays a Windows Search icon. After the second email has been sent from your PC, up pops an error dialog titled ExplorerExe which contains the message "Run-Time error '-2147667259 (80004005)': There must be at least one name or distribution list in the To, Cc, or Bcc box."

To add further insult to injury, the worm also modifies your AUTOEXEC.BAT file. Now you really know you're infected, as you get "from: Bugger" every time you boot your PC, before Windows loads. This worm seems to have more annoyance value than a destructive payload.

So focus and you shall remove. As this step requires Registry editing, for safety BEFORE YOU BEGIN do back up your Windows Registry. That way if you "bugger up" (pardon the pun), you can always restore the database. From Start|Run type c:\Windows\Regedit.exe. Next, using Edit|Find, locate the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" with the entry @="C:\%winsys%\matcher.exe", where %winsys% refers to your Windows system directory. And delete it. Next use C:\Windows\System\Sysedit.exe to delete "echo From: Bugger" from the AUTOEXEC.BAT file. Finally, from Windows Explorer delete the C:\%winsys%\matcher.exe file. Restart your PC for a clean feeling.
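As an added illustration (not part of the original column), the registry and AUTOEXEC.BAT traces named above can be checked offline against a text export of the Registry and a copy of AUTOEXEC.BAT. The sample export, the C:\WINDOWS\SYSTEM path and the function names are constructed for this example.

```python
import re

# Indicators named in the article: a Run value pointing at matcher.exe and
# the "echo From: Bugger" line added to AUTOEXEC.BAT.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_EXE = re.compile(r"(?:^|[\\/])matcher\.exe(?![\w.])", re.I)
AUTOEXEC_LINE = re.compile(r"^@?echo\s+from:\s*bugger", re.I)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"$')

def run_entries(reg_text):
    """Yield (name, data) for string values under the Run key of a regedit export."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY  # exact key only, not RunOnce
            continue
        m = VALUE.match(line) if in_run else None
        if m:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            # Undo the \\ and \" escaping used in exported string data.
            yield name, re.sub(r"\\(.)", r"\1", m.group(2))

def find_matcher_traces(reg_text, autoexec_text):
    """Return (location, detail) findings; an empty list means no traces."""
    findings = [("registry Run value", f"{name} -> {data}")
                for name, data in run_entries(reg_text) if WORM_EXE.search(data)]
    for n, line in enumerate(autoexec_text.splitlines(), 1):
        if AUTOEXEC_LINE.match(line.strip()):
            findings.append((f"AUTOEXEC.BAT line {n}", line.strip()))
    return findings

# Constructed sample inputs (not captured from a real system).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
@="C:\\WINDOWS\\SYSTEM\\matcher.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\cleanup.exe"
'''
SAMPLE_AUTOEXEC = "@ECHO OFF\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\necho From: Bugger\n"

if __name__ == "__main__":
    for where, detail in find_matcher_traces(SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(f"{where}: {detail}")
```

An empty result only means these two traces are absent; the matcher.exe file itself still has to be looked for in the Windows system directory.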

If you subscribe to the better safe than sorry way, dial in to the Internet and go to the free Trend HouseCall service (www.antivirus.com) to check your system in real time. All major antivirus vendors have updated their virus signature files. So update your version immediately.

If you use Outlook (97/2000/2002 or Express) and consider prevention always better than the cure, take the extra trouble to download and install the recommended security updates. You can also hunt around as both have been included on magazine CDs sold in India. You may lose some functionality. But I'm sure you, like I did, can update trusted contacts about the best way to send email attachments (as .ZIP or .RAR files; never .EXE).

You should also disable the Windows Scripting Host (WSH) (see Tips in this issue). Most Indian ISPs no longer need a login script to access their networks. So why leave this back door open? Recent virus outbreaks exploit known Windows scripting vulnerabilities.

Also avoid opening, or clicking on, any and all file attachments, even when the email is from a known source. Instead use a free service like MyDocsOnline (www.mydocsonline.com) to exchange files. You can also share files from your account. First upload the file into your account. Then select the check box next to it and click on the Give button. You can send a single file, with comments, to up to 3 users at a time. The recipient receives an email containing a link to the shared file. This link is valid for 7 days.

And never, ever open attachments, even if the e-mail is from a known source, because that's the first thing such viruses take advantage of. Always scan any attached files first. And if it's not something you solicited, delete it. Better safe than sorry. And finally, set up a regular system scan policy, even for home use.

Govind Menon