Topic Subject: *.doc.nif file
posted 06-10-03 05:08 ET (US)   
I have received a file with extension "doc.nif" as an attachment from the Director of our institute. I have a feeling that this file could contain a virus as it has a double extension. The file is an attachment in a forwarded message whose author is a professor from Stanford, CA USA and since I am going to join that institution this fall, I was a little hesitant to delete it.

The curious fact is that when I tried saving the attachment, the name that appears in the "save as" menu is devoid of the nif extension.

So, what do you suggest I should do?

posted 06-10-03 05:39 ET (US)     1 / 6  
You could mail the director of your institute and ask if he/she has sent the mail to you, telling them you suspect it contains a virus.

You could also check the file with an antivirus program.

BTW, are you sure it is called doc.nif and not doc.pif?

There exists a file format that is called NetImmersion File format which uses the extension nif; what it is used for I do not know.

posted 06-10-03 10:37 ET (US)     2 / 6  
Yeah, I made a mistake. The extension of the file is .doc.pif and evidently it contains a virus. Here is what has happened:

I use Netscape Messenger for reading mail (popped from our department mail server, Unix based).

I tried to find out the extension of the attachment by using the "save as" command, but did not save it.

However, after some time Norton Antivirus popped a message saying a file called has been infected with a virus called W32.HLLW.Lovgate.G@mm and another file by W32.ElKern.4926.

I shut down the computer and after restarting in Safe Mode, started a scan with the "all files" setting.
However, no virus was detected. By now I was panicking a little. I had also committed a big crime by logging in as Administrator and that too with no password (as this is my home PC, I didn't put any password).

The next few proceedings were done on my Linux OS. I backed up some of my important files by mounting the DOS file systems in my Linux space.

I checked the exact specifications of the two viruses and got the respective virus removal tools from their site. I followed their instructions, running everything in safe mode etc. However, no infected files were detected for either of the viruses.

Then, I thought I had better log in as some other account holder. There again I did something very foolish. I was asked if I wished to change the password of that account as it was about to expire. I did so only to realise a moment later that I had given away the password to the virus. I am not a hundred percent sure of this but I feel that that is exactly what happened. I logged in and started the scan again. This time, the scan reported that there was no boot record on any of the drives!

Now I am back to Linux and have totally given up. Is everything lost?
The virus evidently gets loaded each time I start Windows (btw, I have Win 2000). Is there any way out? I also don't happen to have a floppy with a boot record (as the floppy has gone bad). Is there any way out of this? PLEASE HELP!

I also have an additional hard disk with Win 2k installed on it as well, and with Norton Antivirus (or perhaps McAfee). This is my old hard disk which I put in as a secondary hard disk. Can I log in from this hard disk (by making it primary) and then try to remove the virus-infected files?
Please reply asap.

posted 06-10-03 10:59 ET (US)     3 / 6  
I might also add that the attachment that I received didn't have one of the standard names.

Further, the reason for my initial mistake in identifying the extension is that in Netscape Messenger, the attachment name appears in a small window in the bottom left corner of the header info of the email. The name was written in a manner such that a part of it was hidden. Therefore, the "p" appeared as "n".
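A defender-side check for the lure discussed in this thread (a document-looking name ending in an executable extension such as .doc.pif, which a mail client can visually truncate), added here as an example and not code from the thread: it parses a constructed sample message with Python's standard email module and classifies each attachment by its filename.

```python
import email
from email import policy

# Final extensions Windows runs as programs even when the name looks like a
# document; the lure in this thread was "<name>.doc.pif".
EXECUTABLE_EXTENSIONS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js", "lnk"}
DOCUMENT_EXTENSIONS = {"doc", "xls", "ppt", "pdf", "txt", "rtf", "jpg", "gif"}


def classify_filename(name):
    """Return (verdict, final_ext): "disguised-executable" for a document-looking
    name with an executable final extension, "executable" for a plain one, else "ok"."""
    parts = name.lower().strip().split(".")
    if len(parts) < 2:
        return ("ok", "")
    final_ext = parts[-1]
    inner_exts = set(parts[1:-1])  # extensions sitting between base name and final one
    if final_ext in EXECUTABLE_EXTENSIONS:
        if inner_exts & DOCUMENT_EXTENSIONS:
            return ("disguised-executable", final_ext)
        return ("executable", final_ext)
    return ("ok", final_ext)


def flag_attachments(raw_message):
    """Parse a raw RFC 822 message and classify each attachment by filename."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify_filename(name)[0]))
    return results


# Constructed sample message (not from the thread) carrying a lure attachment.
SAMPLE_MESSAGE = """From: director@example.invalid
To: student@example.invalid
Subject: Fwd: document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="report.doc.pif"
Content-Disposition: attachment; filename="report.doc.pif"

not a real payload
--b1--
"""
```

Checking the full filename from the parsed headers, rather than from a narrow display widget, is what avoids the "p" read as "n" mistake described above.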

posted 06-10-03 17:57 ET (US)     4 / 6  
First sorry for not responding faster. I had an important meeting this afternoon and most of the evening.
If your antivirus software found W32.ElKern.4926 on your computer, you also have W32.Klez.H@mm as ElKern is spread with Klez.H. This means you have 3 virus/worms on your computer.

If the infected computer is connected to a local network or uses Cable or DSL, remove the network cable until you have made a fresh installation. This is because at least one of the above virus/worms can actively spread via a network without you having to do anything else than installing the virus/worm and after that going online.

I would not count on your second hard disk being free of any of the above virus/worms, as they search the infected computer for the windows/system folder and install themselves there. The only OS's that seem to go free are Mac, Unix and Linux.

All of the above have each their own aggressive way of trying to protect themselves and of trying to spread as fast as possible via the network or the internet; this includes trying to make antivirus software useless.

I hope your computer is able to boot from a CD, as your cocktail of virus/worms is too much to cope with. The very best and only really good solution will be a total fresh installation of your computer.

Make sure to put a password on your operating system using at least 8 characters and try to use a mix of letters and numbers. This is because Lovgate tries logging onto the computer using the Administrator account, trying the most commonly used passwords including no password at all.

When getting online again it might be a good idea to change all passwords you use on the internet, starting with bank accounts and other places where the password is not sent to you via email, then change your email passwords, and last the passwords on accounts where the password is sent to you by email.

Sorry for the bad tidings

posted 06-11-03 08:37 ET (US)     5 / 6  
Oh, at last I managed to remove the virus. The actual virus was in fact W32.Bugbear@mm. My previous Norton 2001 did keep the virus out but the diagnosis was incorrect (even though I had the latest virus definitions...those of 4 June).

One of the symptoms was not matching either of the two viruses, which was the fact that in normal running mode, my antivirus software was not being run. This is a special feature of W32.Bugbear@mm not common to the ones I had mentioned earlier.

I have scanned my system over and over again now and there is indeed no sign of any viruses. I will remain offline in the Windows OS for a few days just to be careful.

At least now I can get back to playing Emperor!

posted 06-11-03 11:41 ET (US)     6 / 6  
Hoping you did find the correct virus and got it removed.

Happy gaming