FAQ on Computer Viruses

What is a Virus?
What are the Types of Viruses?
How Do Viruses Contaminate and Spread?
What are Virus Characteristics ?
Troubleshooting and Virus Infections
Where can I get more information on viruses, etc.?
What are computer viruses (and why should I worry about them)?
What is a Trojan Horse?
What is a stealth virus?
What is a polymorphic virus?
What are fast and slow infectors?
What is a sparse infector?
What is an armored virus?
Virus Detection
What are the symptoms and indications of a virus infection?
What steps should be taken in diagnosing and identifying viruses?
What is the best way to remove a virus?
What are "false positives" and "false negatives"?
Could an anti-virus program itself be infected?
Where can I get a virus scanner for my UNIX system?
Why does my anti-virus scanner report an infection only sometimes?
I think I have detected a new virus. What do I do?
I have an infinite loop of sub-directories on my hard drive. Am I infected?
Is it possible to protect a computer system with only software?
Is it possible to write-protect the hard disk with only software?
Will setting DOS file attributes to READ ONLY protect them from viruses?
Will the protection systems in DR DOS work against viruses?
Will a write-protect tab on a floppy disk stop viruses?
Do local area networks (LANs) help to stop viruses or do they facilitate their spread?
What is the proper way to make backups?
Can boot sector viruses infect non-bootable floppy disks?
Can a virus hide in a PC's CMOS memory?
Can a virus hide in Extended or in Expanded RAM?
Can a virus infect data files?
Can viruses spread from one type of computer to another?
Can DOS viruses run on non-DOS machines (e.g. Mac, Amiga)?
Some people say that disinfecting files is a bad idea. Is that true?
Can I avoid viruses by avoiding shareware/free software/games?
Can I contract a virus on my PC by performing a "DIR" of an infected floppy disk?
Can a DOS virus survive and spread on an OS/2 system using the HPFS file system?
Can normal DOS viruses work under MS Windows?
Miscellaneous Questions
How many viruses are there?
How often should we upgrade our anti-virus tools to minimize software and labor costs and maximize our protection?
I was told that the Stoned virus displays the text "Your PC is now Stoned" at boot time. I have been infected by this virus several times, but have never seen the message. Why?
I was infected by both Stoned and Michelangelo. Why has my computer become unbootable? And why, each time I run my favorite scanner, does it find one of the viruses and say that it is removed, but when I run it again, it says that the virus is still there?
How Viruses Work
How Viruses Spread
Sources
Who has shipped viruses with their shrink-wrapped product?
What kind of files can spread viruses?
How do viruses spread?
What do viruses do to computers?
What is a Trojan horse program?
What's the story on viruses and E-mail?
What can I do to reduce the chance of getting viruses from E-mail?
What is the AnnaKournikova virus?
What are the known viruses, their names, major symptoms and possible cures?
Where can I get free or shareware antivirus programs?
What can I do to avoid contracting a computer virus?
How can I tell if I have a virus?
I have a virus, what should I do?
How can I tell if I have a Trojan Horse program running on my computer?
How can I protect myself from getting a virus?
What types of files do you recommend that I scan and set for auto-protection?
What are some good indications that my computer has a virus?
What are the most common ways to get a virus?
How can I test my anti-virus software to make sure it works?
What should I do if I get a virus?
How can I avoid infection?
How does antivirus software work?


What is a Virus?
A parasitic program written intentionally to enter a computer without the user's permission or knowledge. The word parasitic is used because a virus attaches to files or boot sectors and replicates itself thus continuing to spread. Though some viruses do little but replicate, others can cause serious damage or affect program and system performance. A virus should never be assumed harmless and left on a system.

What are the Types of Viruses?
Viruses are classified by the part of the system they infect:

Program: executable program files such as .COM, .EXE, .OVL, .DRV, .SYS and .BIN files.

Boot: the DOS boot sector of a diskette or hard disk, or the Master Boot Record (which holds the partition table) of a hard disk.

Multipartite: both a program and a boot infector.

How Do Viruses Contaminate and Spread?
A virus is inactive until the infected program is run or the infected boot record is read. Once activated it loads into the computer's memory, where it can carry out a triggered event or spread itself. Disks used in an infected system can then carry the virus to another machine, and programs downloaded from bulletin boards can spread a virus in the same way. Ordinary data files are never executed, so in this classification they cannot carry a virus, although a virus can damage them. (See the note under "What are computer viruses" on what may count as a "program".)

Boot Infectors: Every disk contains a boot sector, whether or not it is a bootable disk. When the computer powers up, looks for boot information and reads an infected disk in the A: drive, the virus is transferred to the computer's hard drive. Once the boot code on the drive is infected the virus is loaded into memory on every startup. From memory the boot virus can copy itself to every disk the machine accesses, and the infection spreads. Most boot viruses can sit on a system for a long time without causing problems, but some will destroy the boot information or force a complete format of the hard drive.
Program Infectors: When an infected application is run the virus activates and is loaded into memory. While the virus is in memory, any program file subsequently run becomes infected. Multiple infections of the same file are very common and will eventually cause system problems: program files may work for some time, but sooner or later programs misbehave or the repeated infections bring the system down. The output a program produces may be the first sign of infection, for example files saved without proper DOS names.

What are Virus Characteristics?
Viruses normally combine several of the following characteristics:

Memory Resident: Loads much like a TSR and stays in memory, where it can easily replicate itself into programs or boot sectors. The most common kind.
Non-Resident: Does not stay in memory after the host program exits, so it can only infect while the host program is running. Less common.
Stealth: The ability to hide from detection and repair. It takes two forms:
Full - The virus intercepts disk reads and returns the uninfected contents to avoid detection.
Size - Directory data is altered to hide the extra bytes the virus added to a file.
Encrypting: Hiding by transformation. The virus stores its body in encrypted form; however, in order to run and spread it must decrypt itself, and the decryption routine can be detected.
Polymorphic: The ability to mutate by changing its code from one infection to the next so that copies look different. This type of virus is a challenge for anti-virus detection methods.
Triggered Event: An action built into a virus that is set off by a date, a particular keystroke or a DOS function. It can be as harmless as a message printed on the screen or as serious as reformatting the hard drive or deleting files.
In the Wild: A virus is "in the wild" if groups that track virus infections have verified that it has caused an infection outside a laboratory. A virus that has never been seen in a real-world situation is not in the wild and is sometimes said to be "in the zoo".
Note: Different anti-virus programs may use different names for the same virus.

Troubleshooting and Virus Infections
Anti-virus programs are the best protection against infection, but not everyone has one and new viruses appear continually. When troubleshooting program or system problems, watch for the telltale signs of a virus. Note that when a program reports that it has removed a virus from memory, that does not mean any files have been disinfected.

Symptoms commonly reported:

"My program takes longer to load suddenly."
"The program size keeps changing."
"My disk keeps running out of free space."
"When I run CHKDSK it doesn't show 655360 bytes available."
"I keep getting 32 bit errors in Windows."
"The drive light keeps flashing when I'm not doing anything."
"I can't access the hard drive when booting from the A: drive."
"I don't know where these files came from."
"My files have strange names I don't recognize."
"Clicking noises keep coming from my keyboard."
"Letters look like they are falling to the bottom of the screen."
"My computer doesn't remember CMOS settings, the battery is new."

Where can I get more information on viruses, etc.?
There are four excellent books on computer viruses available that should cover most of the introductory and technical questions you might have:

"Computers Under Attack: Intruders, Worms and Viruses," edited by Peter J. Denning, ACM Press/Addison-Wesley, 1990. This is a book of collected readings that discuss computer viruses, computer worms, break-ins, legal and social aspects, and many other items related to computer security and malicious software. A very solid, readable collection that doesn't require a highly-technical background. Price: $20.50.
"Rogue Programs: Viruses, Worms and Trojan Horses," edited by Lance J. Hoffman, Van Nostrand Reinhold, 1990. This is a book of collected readings describing in detail how viruses work, where they come from, what they do, etc. It also has material on worms, trojan horse programs, and other malicious software programs. This book focuses more on mechanism and relatively less on social aspects than does the Denning book; however, there is an excellent piece by Anne Branscomb that covers the legal aspects. Price: $32.95.
"A Pathology of Computer Viruses," by David Ferbrache, Springer-Verlag, 1992. This is a recent, in-depth book on the history, operation, and effects of computer viruses. It is one of the most complete books on the subject, with an extensive history section, a section on Macintosh viruses, network worms, and UNIX viruses (if they were to exist).
"A Short Course on Computer Viruses", by Dr. Fred B. Cohen, ASP Press, 1990. This book is by a well-known pioneer in virus research, who has also written dozens of technical papers on the subject. The book can be obtained by writing to ASP Press, P.O. Box 81270, Pittsburgh, PA 15217. Price: $24.00.
A somewhat dated, but still useful, high-level description of viruses, suitable for a complete novice without extensive computer background is in "Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats," by Eugene H. Spafford, Kathleen A. Heaphy, and David J. Ferbrache, ADAPSO (Arlington VA), 1989. ADAPSO is a computer industry service organization and not a publisher, so the book cannot be found in bookstores; copies can be obtained directly from ADAPSO (+1 703-522-5055). There is a discount for ADAPSO members, educators, and law enforcement personnel. Many people have indicated they find this a very understandable reference; portions of it have been reprinted in many other places, including Denning's and Hoffman's books (above).

It is also worth consulting various publications such as Computers & Security (which, while not restricted to viruses, contains many of Cohen's papers) and the Virus Bulletin.

What are computer viruses (and why should I worry about them)?
According to Fred Cohen's well-known definition, a computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be called a "virus". However, Cohen uses the terms within his definition (e.g. "program" and "modify") a bit differently from the way most anti-virus researchers use them, and classifies as viruses some things which most of us would not consider viruses.

Many people use the term loosely to cover any sort of program that tries to hide its (malicious) function and tries to spread onto as many computers as possible. (See the definition of "Trojan".) Be aware that what constitutes a "program" for a virus to infect may include a lot more than is at first obvious - don't assume too much about what a virus can or can't do!

Viruses are very serious; they are spreading faster than they are being stopped, and even the least harmful of viruses could be fatal. For example, a virus that stops your computer and displays a message, in the context of a hospital life-support computer, could be fatal. Even those who created the viruses could not stop them if they wanted to; it requires a concerted effort from computer users to be "virus-aware", rather than the ignorance and ambivalence that have allowed them to grow to such a problem.

What is a Trojan Horse?
A trojan horse is a program that does something undocumented which the programmer intended, but that the user would not approve of if he knew about it. According to some people, a virus is a particular case of a Trojan Horse, namely one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a non-replicating malicious program, so that the set of Trojans and the set of viruses are disjoint.

What are the main types of PC viruses?
Generally, there are two main classes of viruses. The first class consists of the file infectors which attach themselves to ordinary program files. These usually infect arbitrary .COM and/or .EXE programs, though some can infect any program for which execution is requested, such as .SYS, .OVL, .PRG, & .MNU files.

File infectors can be either direct action or resident. A direct-action virus selects one or more other programs to infect each time the program which contains it is executed. A resident virus hides itself somewhere in memory the first time an infected program is executed, and thereafter infects other programs when they are executed (as in the case of the Jerusalem) or when certain other conditions are fulfilled. The Vienna is an example of a direct-action virus. Most other viruses are resident.

The second category is system or boot-record infectors: those viruses which infect executable code found in certain system areas on a disk which are not ordinary files. On DOS systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses.

Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called multi-partite viruses, though there has been criticism of this name; another name is "boot-and-file" virus.

File system or cluster viruses (e.g. Dir-II) are those which modify directory table entries so that the virus is loaded and executed before the desired program is. Note that the program itself is not physically altered, only the directory entry is. Some consider these infectors to be a third category of viruses, while others consider them to be a sub-category of the file infectors.

What is a stealth virus?
A stealth virus is one which hides the modifications it has made in the file or boot record, usually by monitoring the system functions used by programs to read files or physical blocks from storage media, and forging the results of such system functions so that programs which try to read these areas see the original uninfected form of the file instead of the actual infected form. Thus the virus modifications go undetected by anti-virus programs. However, in order to do this, the virus must be resident in memory when the anti-virus program is executed.

Example: The very first virus that infected PCs and compatibles, Brain, a boot-sector infector, monitors physical disk I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo.

Countermeasures: A "clean" system is needed so that no virus is present to distort the results. Thus the system should be built from a trusted, clean master copy before any virus-checking is attempted; this is "The Golden Rule of the Trade." With DOS, (1) boot from original DOS diskettes (i.e. DOS Startup/Program diskettes from a major vendor that have been write-protected since their creation); (2) use only tools from original diskettes until virus-checking has completed.
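
To make the stealth mechanism and the "Golden Rule" concrete, here is an added simulation written for this page (not code from the FAQ, and not any real virus's code): a toy disk whose boot sector is overwritten by a constructed marker, and a hook that stands in for the resident virus's replacement disk-read handler. The same scanner gets a different answer depending on whether its reads go through the hook, which is exactly the situation a scan on a live infected system is in.

```python
"""Simulation of a 'full stealth' boot-sector infector and of why scanning from a
clean boot matters.  The disk, the marker bytes and the hook are all constructed
for this example; nothing here is real virus code."""

VIRUS_MARK = b"VIRUS!"   # constructed stand-in for the infector's code
# constructed clean boot sector: short jump + NOP, then an OEM name, padded
CLEAN_BOOT = b"\xEB\x3C\x90MSDOS5.0".ljust(16, b"\x00")


class Disk:
    """A tiny disk: a list of 16-byte sectors read without any hooks in place
    (what a scanner sees after booting from a clean, write-protected diskette)."""

    def __init__(self, sectors):
        self.sectors = list(sectors)

    def raw_read(self, n):
        return self.sectors[n]


def infect(disk, spare):
    """Boot-sector infector: stash the real boot sector in a spare sector and
    overwrite sector 0 with the marker plus a pointer to the stash."""
    disk.sectors[spare] = disk.sectors[0]
    disk.sectors[0] = (VIRUS_MARK + bytes([spare])).ljust(16, b"\x00")


class StealthHook:
    """Stands in for the resident virus's replacement disk-read handler: any read
    of the infected sector 0 is redirected to the stashed original, so callers
    see the uninfected contents."""

    def __init__(self, disk):
        self.disk = disk

    def read(self, n):
        sector = self.disk.raw_read(n)
        if n == 0 and sector.startswith(VIRUS_MARK):
            return self.disk.raw_read(sector[len(VIRUS_MARK)])
        return sector


def scan_boot_sector(read):
    """Scanner: 'read' is whatever disk-read service the scanner gets to use."""
    return read(0).startswith(VIRUS_MARK)


def demo():
    disk = Disk([CLEAN_BOOT] + [bytes(16)] * 7)
    infect(disk, spare=5)
    hooked = StealthHook(disk)
    # 1. scanner run on the live, infected system: every read goes through the hook
    live_result = scan_boot_sector(hooked.read)
    # 2. scanner run after a clean boot: no hook is resident
    clean_result = scan_boot_sector(disk.raw_read)
    # 3. cross-check: a read that bypasses the hook disagrees with the hooked
    #    read, which by itself tells you something is forging results
    tampered = hooked.read(0) != disk.raw_read(0)
    return live_result, clean_result, tampered
```

The third result is the basis of the "compare two views of the same sector" checks some tools perform; the simulation cannot show how a real virus hooks the interrupt table, only that once it has, every scanner that goes through the hooked service is lied to.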

What is a polymorphic virus?
A polymorphic virus is one which produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus.

One method to evade signature-driven virus scanners is self-encryption with a variable key; however these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest, signature-driven virus scanners (unless another virus or program uses the identical decryption routine).

One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.

A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.

One of the most sophisticated forms of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger". It comes in the form of an object module. Any virus can be made polymorphic by adding certain calls to the assembler source code and linking to the mutation-engine and random-number-generator modules.

The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
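
The difference between a fixed decryptor and a polymorphic one is easy to see in code. The following is an added example written for this page, not code from the FAQ or from any real virus: the "body", the decryptor skeleton and both scanners are constructed, and nothing in it is executed as machine code. It uses the three equivalent AX-zeroing encodings (xor ax,ax / sub ax,ax / mov ax,0) and the NOP padding described above, and shows a fixed scan string catching every Cascade-style copy but almost none of the polymorphic ones, while a generic check that simply tries all 256 single-byte XOR keys (the "x-ray" approach) catches them all.

```python
"""Toy polymorphic decryptor versus a fixed-string scanner, and a generic
'x-ray' detector that survives the variation.  The 'body' and decryptor bytes
are constructed for this example and nothing is executed; only the detection
logic is real."""
import random

BODY = bytes.fromhex("DEADBEEFCAFEF00D")   # constructed plaintext virus body

# Three x86 encodings with the same net effect (AX = 0): exactly the kind of
# substitution the text describes.
ZERO_AX = [b"\x31\xC0",        # xor ax,ax
           b"\x29\xC0",        # sub ax,ax
           b"\xB8\x00\x00"]    # mov ax,0
# Constructed decryption-loop skeleton: lodsb / xor al,ah / stosb / loop
LOOP_STUB = [b"\xAC", b"\x32\xC4", b"\xAA", b"\xE2\xFB"]
NOP = b"\x90"


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def cascade_like(key):
    """Self-encrypting but NOT polymorphic: the decryptor is byte-identical in
    every copy, so the decryptor itself is a usable scan string."""
    return b"".join([ZERO_AX[0]] + LOOP_STUB) + bytes([key]) + xor_bytes(BODY, key)


def polymorphic(rng):
    """Each copy picks an equivalent AX-zeroing instruction and sprinkles NOPs
    between instructions, then encrypts the body under a fresh key."""
    out = bytearray()
    for ins in [rng.choice(ZERO_AX)] + LOOP_STUB:
        out += ins + NOP * rng.randint(0, 2)
    key = rng.randrange(1, 256)
    out += bytes([key]) + xor_bytes(BODY, key)
    return bytes(out)


FIXED_SIG = b"".join([ZERO_AX[0]] + LOOP_STUB)   # the Cascade-style decryptor


def signature_scan(sample, sig=FIXED_SIG):
    """Simple-minded scanner: one fixed byte string."""
    return sig in sample


def xray_scan(sample, plain_sig=BODY):
    """Generic decryption: a single-byte XOR has only 256 keys, so try each
    one and look for the known plaintext body underneath."""
    return any(plain_sig in xor_bytes(sample, key) for key in range(256))


def detection_rates(n=200, seed=1):
    """Run both scanners over n polymorphic copies; returns (sig hits, x-ray hits, n)."""
    rng = random.Random(seed)
    samples = [polymorphic(rng) for _ in range(n)]
    return (sum(signature_scan(s) for s in samples),
            sum(xray_scan(s) for s in samples), n)
```

The fixed string still matches the rare copy that happens to pick the first AX-zeroing form with no padding at all, which is the "adding more and more search strings" dead end: the number of strings needed grows with the number of variants, while the generic approach costs a few hundred XOR passes per file regardless.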

What are fast and slow infectors?
A typical file infector (such as the Jerusalem) copies itself to memory when a program infected by it is executed, and then infects other programs when they are executed.

A fast infector is a virus which, when it is active in memory, infects not only programs which are executed, but even those which are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all (or at least many) programs becoming infected all at once. Examples are the Dark Avenger and the Frodo viruses.

The term slow infector is sometimes used for a virus which, if it is active in memory, infects only files as they are modified (or created). The purpose is to fool people who use integrity checkers into thinking that the modification reported by the integrity checker is due solely to legitimate reasons. An example is the Darth Vader virus.

What is a sparse infector?
The term sparse infector is sometimes given to a virus which infects only occasionally, e.g. every 10th executed file, or only files whose lengths fall within a narrow range, etc. By infecting less often, such viruses try to minimize the probability of being discovered by the user.

What is a companion virus?
A companion virus is one which, instead of modifying an existing file, creates a new program which (unknown to the user) gets executed by the command-line interpreter instead of the intended program. (On exit, the new program executes the original program so that things will appear normal.) The only way this has been done so far is by creating an infected .COM file with the same name as an existing .EXE file. Note that those integrity checkers which look only for modifications in existing files will fail to detect such viruses.

(Note that not all researchers consider this type of malicious code to be a virus, since it does not modify existing files.)
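
A minimal integrity checker, added here as an example (not a tool the FAQ describes), shows the two gaps raised in the fast/slow infector and companion answers above: it must report new files as well as changed ones to have any chance against a companion virus, and it must be run from a clean boot, because a resident stealth virus would feed it forged sizes and contents. The file names and contents in demo() are constructed; the "infection" is a few bytes appended to one file and a .COM file created beside an .EXE.

```python
"""Constructed integrity checker: a baseline of sizes and SHA-256 digests, a
comparison that reports changed AND new files, and a check for .COM/.EXE name
pairs.  The sample files and the simulated infection are created in a temp
directory by demo()."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root to (size, sha256).  Run it from a clean boot:
    a resident stealth virus would hand back the original size and contents."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def compare(baseline, current):
    """Changed files are what a file infector produces (a fast infector can
    produce many at once while a scanner opens them); added files are what a
    companion virus produces, so a checker that ignores new files misses it."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def companion_pairs(paths):
    """Directory/stem combinations where both .COM and .EXE exist.  DOS runs
    the .COM first when the user types the bare name: the companion trick."""
    exts_by_stem = {}
    for p in paths:
        folder, _, fname = p.rpartition("/")
        stem, ext = os.path.splitext(fname)
        exts_by_stem.setdefault((folder, stem.upper()), set()).add(ext.upper())
    return sorted((f"{folder}/{stem}" if folder else stem)
                  for (folder, stem), exts in exts_by_stem.items()
                  if {".COM", ".EXE"} <= exts)


def demo():
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        # constructed 'programs'; the bytes are arbitrary, not real executables
        put("PROG.EXE", b"MZ" + bytes(30))
        put("EDIT.EXE", b"MZ" + bytes(40))
        baseline = snapshot(root)
        # simulated file infector: appends itself to PROG.EXE
        put("PROG.EXE", b"MZ" + bytes(30) + b"VIRUS")
        # simulated companion virus: EDIT.COM appears beside EDIT.EXE
        put("EDIT.COM", b"VIRUS")
        current = snapshot(root)
        return compare(baseline, current), companion_pairs(current)
```

Keep the baseline itself somewhere the machine cannot write to (a write-protected diskette, in the FAQ's setting); a slow infector that only touches files as they are legitimately modified will still show up as "changed", and it is then the user's job to ask whether that change was expected.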

What is an armored virus?
An armored virus is one which uses special tricks to make the tracing, disassembling and understanding of its code more difficult. A good example is the Whale virus.

Miscellaneous Jargon and Abbreviations
BSI = Boot Sector Infector: a virus which takes control when the computer attempts to boot (as opposed to a file infector).

CMOS = Complementary Metal Oxide Semiconductor: A memory area that is used in AT and higher class PCs for storage of system information. CMOS is battery backed RAM (see below), originally used to maintain date and time information while the PC was turned off. CMOS memory is not in the normal CPU address space and cannot be executed. While a virus may place data in the CMOS or may corrupt it, a virus cannot hide there.

DOS = Disk Operating System. We use the term "DOS" to mean any of the MS-DOS, PC-DOS, or DR DOS systems for PCs and compatibles, even though there are operating systems called "DOS" on other (unrelated) machines.

MBR = Master Boot Record: the first Absolute sector (track 0, head 0, sector 1) on a PC hard disk, that usually contains the partition table (but on some PCs may simply contain a boot sector). This is not the same as the first DOS sector (Logical sector 0).

RAM = Random Access Memory: the place programs are loaded into in order to execute; the significance for viruses is that, to be active, they must grab some of this for themselves. However, some virus scanners may declare that a virus is active simply when it is found in RAM, even though it might be simply left over in a buffer area of RAM rather than truly being active.

TOM = Top Of Memory: the end of conventional memory, an architectural design limit at the 640K mark on most PCs. Some early PCs may not be fully populated, but the amount of memory is always a multiple of 64K. A boot-record virus on a PC typically resides just below this mark and changes the value which will be reported for the TOM to the location of the beginning of the virus so that it won't get overwritten. Checking this value for changes can help detect a virus, but there are also legitimate reasons why it may change (see C11). A very few PCs with unusual memory managers/settings may report in excess of 640K.

TSR = Terminate and Stay Resident: these are PC programs that stay in memory while you continue to use the computer for other purposes; they include pop-up utilities, network software, and the great majority of viruses. These can often be seen using utilities such as MEM, MAPMEM, PMAP, F-MMAP and INFOPLUS.

Virus Detection

What are the symptoms and indications of a virus infection?
Viruses try to spread as much as possible before they deliver their "payload", but there can be symptoms of virus infection before this, and it is important to use this opportunity to spot and eradicate the virus before any destruction.

There are various kinds of symptoms which some virus authors have written into their programs, such as messages, music and graphical displays. However, the main indications are changes in file sizes and contents, changing of interrupt vectors or the reassignment of other system resources. The unaccounted use of RAM or a reduction in the amount known to be in the machine are important indicators. The examination of the code is valuable to the trained eye, but even the novice can often spot the gross differences between a valid boot sector and an infected one. However, these symptoms, along with longer disk activity and strange behavior from the hardware, can also be caused by genuine software, by harmless "prank" programs, or by hardware faults.

The only foolproof way to determine that a virus is present is for an expert to analyze the assembly code contained in all programs and system areas, but this is usually impracticable. Virus scanners go some way towards that by looking in that code for known viruses; some will even try to use heuristic means to spot virus code, but this is not always reliable. It is wise to arm yourself with the latest anti-virus software, but also to pay close attention to your system; look particularly for any change in the memory map or configuration as soon as you start the computer. For users of DOS 5.0, the MEM program with the /C switch is very handy for this. If you have DRDOS, use MEM with the /A switch; if you have an earlier version, use CHKDSK or the commonly-available PMAP or MAPMEM utilities. You don't have to know what all the numbers mean, only that they change. Mac users have "info" options that give some indication of memory use, but may need ResEdit for more detail.

What steps should be taken in diagnosing and identifying viruses?
Most of the time, a virus scanner program will take care of that for you. (Remember, though, that scanning programs must be kept up to date. Also remember that different scanner authors may call the same virus by different names. If you want to identify a virus in order to ask for help, it is best to run at least two scanners on it and, when asking, say which scanners, and what versions, gave the names.) To help identify problems early, run the scanner on new programs and diskettes; when an integrity checker reports a mismatch; when a generic monitoring program sounds an alarm; or when you receive an updated version of a scanner (or a different scanner than the one you have been using). However, because of the time required, it is not generally advisable to put a command in your AUTOEXEC.BAT file that scans the entire hard disk on every boot.

If you run into an alarm that the scanner doesn't identify, or doesn't properly clean up for you, first verify that the version that you are using is the most recent, and then get in touch with one of the reputable antivirus researchers, who may ask you to send a copy of the infected file to her.

What is the best way to remove a virus?
In order that downtime be short and losses low, do the minimum that you must to restore the system to a normal state, starting with booting the system from a clean diskette. It is very unlikely that you need to low-level reformat the hard disk!

If backups of the infected files are available and appropriate care was taken when making the backups, this is the safest solution, even though it requires a lot of work if many files are involved.

More commonly, a disinfecting program is used. If the virus is a boot sector infector, you can continue using the computer with relative safety if you boot it from a clean system diskette, but it is wise to go through all your diskettes removing infection, since sooner or later you may be careless and leave a diskette in the machine when it reboots. Boot sector infections on PCs can be cured by a two-step approach: replace the MBR (on the hard disk), either from a backup or with the FDISK /MBR command (DOS 5 and up), then use the SYS command to replace the DOS boot sector. Do not use FDISK /MBR if you have Monkey or any other virus that encrypts the MBR: FDISK /MBR rewrites only the boot code and keeps the existing partition table, so an encrypted table is left in place with nothing to decrypt it.

What are "false positives" and "false negatives"?
A false positive (or Type-I) error is one in which the anti-virus software claims that a given file is infected by a virus when in reality the file is clean. A false negative (or Type-II) error is one in which the software fails to indicate that an infected file is infected. Clearly false negatives are more serious than false positives, although both are undesirable.

It has been proven by Dr. Fred Cohen that every virus detector must have either false positives or false negatives or both. This is expressed by saying that detection of viruses is undecidable. However his theorem does not preclude a program which has no false negatives and very few false positives (e.g. if the only false positives are those due to the file containing virus code which is never actually executed, so that technically we do not have a virus).

In the case of virus scanners, false positives are rare, but they can arise if the scan string chosen for a given virus is also present in some benign programs because the string was not well chosen. False negatives are more common with virus scanners because scanners will miss a completely new or a heavily modified virus.

One other serious problem could occur: A positive that is misdiagnosed (e.g., a scanner that detects the Stoned.Empire virus in a boot record but reports it as the Stoned.Standard). In the case of a boot sector infector, use of a Stoned specific "cure" to recover from the Empire could result in an unreadable disk or loss of extended partitions. Similarly, sometimes "generic" recovery can result in unusable files, unless a check is made (e.g. by comparing checksums) that the recovered file is identical to the original file. Some more recent products store information about the original programs to allow verification of recovery processes.
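
The Type-I / Type-II trade-off and the point about verifying a "generic" cure can be shown with a handful of constructed byte strings. This is an added example, not the FAQ's: the "virus" is a made-up string, and the only thing it shares with the benign programs is the ordinary DOS exit idiom mov ah,4Ch / int 21h (B4 4C CD 21), which is precisely why that idiom makes a bad scan string.

```python
"""Scan-string quality and verified recovery, on constructed samples.  The
'virus' here is a made-up byte string; it and the benign programs only share
the standard DOS program-exit idiom (mov ah,4Ch / int 21h = B4 4C CD 21)."""
import hashlib

VIRUS = b"\xE8\x00\x00\x5E\x81\xEE\x03\x01\xB4\x4C\xCD\x21"   # constructed body (appends to host)
HELLO = b"\xB4\x09\xBA\x0E\x01\xCD\x21\xB4\x4C\xCD\x21"       # benign: print a string, exit
CALC = b"\xB8\x34\x12\x03\xC3\xB4\x4C\xCD\x21"                # benign: a little arithmetic, exit

BAD_SIG = b"\xB4\x4C\xCD\x21"   # short and common: almost every DOS program ends this way
GOOD_SIG = VIRUS[:8]            # longer, and taken from the virus's own code

VARIANT = VIRUS[:3] + b"\xFF" + VIRUS[4:]   # one byte patched inside GOOD_SIG

# name -> (bytes, truly infected?)
CORPUS = {
    "HELLO.COM": (HELLO, False),
    "CALC.COM": (CALC, False),
    "PROG.COM": (CALC + VIRUS, True),
    "VARIANT.COM": (CALC + VARIANT, True),
}


def scan(sample, sig):
    return sig in sample


def evaluate(corpus, sig):
    """Returns (Type-I false positives, Type-II false negatives) by file name."""
    false_pos = sorted(n for n, (data, infected) in corpus.items()
                       if scan(data, sig) and not infected)
    false_neg = sorted(n for n, (data, infected) in corpus.items()
                       if not scan(data, sig) and infected)
    return false_pos, false_neg


def generic_disinfect(infected, virus_len):
    """'Generic' cure for an appending virus: chop the tail off."""
    return infected[:-virus_len]


def verified_disinfect(infected, virus_len, known_good_sha256):
    """Same cure, but only call it done if the result matches the checksum
    recorded for the original program (the check the text recommends)."""
    cleaned = generic_disinfect(infected, virus_len)
    return cleaned, hashlib.sha256(cleaned).hexdigest() == known_good_sha256


def demo():
    results = {"bad": evaluate(CORPUS, BAD_SIG), "good": evaluate(CORPUS, GOOD_SIG)}
    known_good = hashlib.sha256(CALC).hexdigest()
    # the right cure applied to the virus it was written for
    _, ok = verified_disinfect(CALC + VIRUS, len(VIRUS), known_good)
    # misdiagnosed: a variant that appends one byte more, cured with the wrong length
    _, ok_wrong = verified_disinfect(CALC + VIRUS + b"\x00", len(VIRUS), known_good)
    results["recovery"] = (ok, ok_wrong)
    return results
```

The bad string flags both clean programs; the good string misses the one-byte variant, which is the ordinary way scanners acquire false negatives. Without the stored checksum, the second recovery would have been reported as a success while leaving a program one byte longer than it should be.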

Could an anti-virus program itself be infected?
Yes, so it is important to obtain this software from good sources, and to trust results only after running scanners from a "clean" system. But there are situations where a scanner appears to be infected when it isn't.

Most antivirus programs try very hard to identify only virus infections, but sometimes they give false alarms. If two different antivirus programs are both of the "scanner" type, each contains "signature strings" used to identify virus infections. If those strings are not stored in "encrypted" form, one scanner's program file may be identified as a virus by the other. Also, if a scanner does not remove its strings from memory after it runs, another scanner may then detect the virus string "in memory".

Some "change detection" type antivirus programs add a bit of code or data to a program when "protecting" it. This might be detected by another "change detector" as a change to a program, and therefore suspicious.

It is good practice to use more than one antivirus program. Do be aware, however, that antivirus programs, by their nature, may confuse each other.

Where can I get a virus scanner for my UNIX system?
Basically, you shouldn't bother scanning for UNIX viruses at this point in time. Although it is possible to write UNIX-based viruses, we have yet to see any instance of a non-experimental virus in that environment. Someone with sufficient knowledge and access to write an effective virus would be more likely to conduct other activities than virus-writing. Furthermore, the typical form of software sharing in a UNIX environment would not support virus spread.

This answer is not meant to imply that viruses are impossible, or that there aren't security problems in a typical UNIX environment -- there are. However, true viruses are highly unlikely and would corrupt file and/or memory integrity. For more information on UNIX security, see the book "Practical UNIX Security" by Garfinkel and Spafford, O'Reilly & Associates, 1991.

However, there are special cases for which scanning UNIX systems for non-UNIX viruses does make sense. For example, a UNIX system which is acting as a file server (e.g., PC-NFS) for PC systems is quite capable of containing PC file infecting viruses that are a danger to PC clients. Note that, in this example, the UNIX system would be scanned for PC viruses, not UNIX viruses.

Another example is in the case of a 386/486 PC system running UNIX, since this system is still vulnerable to infection by MBR infectors such as Stoned and Michelangelo, which are operating system independent. (Note that an infection on such a UNIX PC system would probably result in disabling the UNIX disk partition(s) from booting.)

In addition, a file integrity checker (to detect unauthorized changes in executable files) on UNIX systems is a very good idea. (One free program which can do this test, as well as other tests, is the COPS package, available by anonymous FTP on cert.org.) Unauthorized file changes on UNIX systems are very common, although they usually are not due to virus activity.

Why does my anti-virus scanner report an infection only sometimes?
There are circumstances where part of a virus exists in RAM without being active: If your scanner reports a virus in memory only occasionally, it could be due to the operating system buffering disk reads, keeping disk contents that include a virus in memory (harmlessly), in which case it should also find it on disk. Or after running another scanner, there may be scan strings left (again harmlessly) in memory. This is sometimes called a ghost positive alert.

Is my disk infected with the Stoned virus?
Of course the answer to this, and many similar questions, is to obtain a good virus detector. There are many to choose from, including ones that will scan diskettes automatically as you use them. Remember to check all diskettes, even non-system ("data") diskettes.

It is possible, if you have an urgent need to check a system when you don't have any anti-virus tools, to boot from a clean system diskette, and use the CHKDSK method to see if it is in memory, then look at the boot sector with a disk editor. Usually the first few bytes will indicate the characteristic far jump of the Stoned virus; however, you could be looking at a perfectly good disk that has been "inoculated" against the virus, or at a diskette that seems safe but contains a totally different type of virus.
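The manual disk-editor check above can be expressed as code. The following Python example is added here and is not from the FAQ; it builds a constructed 1.44M FAT12 boot sector (the standard layout, with the short JMP over the BIOS Parameter Block that every DOS-formatted diskette carries, bootable or not), and a second constructed sector whose entry has been replaced by a far JMP (opcode 0xEA) to a dummy address, standing in for the indicator the answer describes. The bytes are not those of any real virus. The analysis checks the 0x55AA signature, classifies the entry instruction and sanity-checks the BPB.

```python
import struct

SECTOR_SIZE = 512


def build_dos_boot_sector() -> bytes:
    """Constructed sample: a properly formatted, non-bootable 1.44M FAT12 diskette
    boot sector. It still begins with executable code (a short JMP over the BPB)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"            # JMP short +0x3C ; NOP  (standard DOS entry)
    sector[3:11] = b"MSDOS5.0"               # OEM name
    # BIOS Parameter Block: bytes/sector, sectors/cluster, reserved sectors, FAT copies,
    # root entries, total sectors, media byte, sectors/FAT, sectors/track, heads,
    # hidden sectors, large total sectors
    struct.pack_into("<HBHBHHBHHHII", sector, 11,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    sector[510:512] = b"\x55\xaa"            # boot signature
    return bytes(sector)


def build_far_jump_sector() -> bytes:
    """Constructed sample: the same sector with its entry replaced by a far JMP (0xEA)
    to a dummy 0000:0000. These are not any real virus's bytes; only the entry differs."""
    sector = bytearray(build_dos_boot_sector())
    sector[0:5] = b"\xea" + struct.pack("<HH", 0x0000, 0x0000)
    return bytes(sector)


def analyze_boot_sector(sector: bytes) -> dict:
    """Classify one 512-byte boot sector the way a manual disk-editor inspection would."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    opcode = sector[0]
    entry = {
        0xEB: "short jump (normal DOS boot sector)",
        0xE9: "near jump (normal DOS boot sector)",
        0xEA: "far jump (not a normal DOS entry; the indicator the FAQ gives for Stoned)",
    }.get(opcode, "no jump at offset 0 (not a DOS-formatted boot sector)")
    bps, spc, reserved, fats, root, total, media, spf = struct.unpack_from("<HBHBHHBH", sector, 11)
    large_total = struct.unpack_from("<I", sector, 32)[0]
    bpb_plausible = (bps in (512, 1024, 2048, 4096)
                     and spc != 0 and spc & (spc - 1) == 0      # power of two
                     and fats in (1, 2)
                     and (total != 0 or large_total != 0))
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "entry": entry,
        "far_jump": opcode == 0xEA,
        "oem_name": sector[3:11].decode("ascii", "replace").strip(),
        "bpb_plausible": bpb_plausible,
        "media_byte": media,
    }


if __name__ == "__main__":
    for label, sec in (("clean", build_dos_boot_sector()), ("far-jump", build_far_jump_sector())):
        print(label, analyze_boot_sector(sec))
```

Note that the far-jump sample keeps an intact BPB and a valid signature, so a plausible BPB proves nothing about the code in front of it; and, as the answer says, a far jump is only an indicator, since an inoculated disk or an unrelated boot virus can look the same at offset 0. A real scanner, not this check, decides.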

I think I have detected a new virus. What do I do?
Whenever there is doubt over a virus, you should obtain the latest versions of several (not just one) major virus scanners. Some scanning programs now use "heuristic" methods, and "activity monitoring" programs can report a disk or file as being possibly infected when it is in fact perfectly safe (odd, perhaps, but not infected). If no string-matching scan finds a virus, but a heuristic program does (or there are other reasons to suspect the file, e.g., change in size of files) then it is possible that you have found a new virus, although the chances are probably greater that it is an odd-but-okay disk or file. Contact the author of the anti-virus software that reports it as virus-like; the documentation for the software may have a section explaining what to do if you think you have found a new virus.

CHKDSK reports 639K (or less) total memory on my system. Am I infected?
If CHKDSK displays 639K for the total bytes available memory instead of 640K (655,360 bytes) - so that you are missing only 1K - then it is probably due to reasons other than a virus since there are very few viruses which take only 1K from total memory. Legitimate reasons for a deficiency of 1K include:

A PS/2 computer. IBM PS/2 computers reserve 1K of conventional RAM for an Extended BIOS Data Area, i.e. for additional data storage required by its BIOS.
A computer with American Megatrends Inc. (AMI) BIOS, which is set up (with the built-in CMOS setup program) in such a way that the BIOS uses the upper 1K of memory for its internal variables. (It can be instructed to use lower memory instead.)
A SCSI controller.
The DiskSecure program.
Mouse buffers for older Compaqs.
If, on the other hand, you are missing 2K or more from the 640K, 512K, or whatever the conventional memory normally is for your PC, the chances are greater that you have a boot-record virus (e.g. Stoned, Michelangelo), although even in this case there may be legitimate reasons for the missing memory:

Many access control programs for preventing booting from a floppy.
H/P Vectra computers.
Some special BIOSes which use memory (e.g.) for a built-in calendar and/or calculator.
However, these are only rough guides. In order to be more certain whether the missing memory is due to a virus, you should: (1) run several virus detectors; (2) look for a change in total memory every now and then; (3) compare the total memory size with that obtained when cold booting from a "clean" system diskette. The latter should show the normal amount of total memory for your configuration.

Note: in all cases, CHKDSK should be run without software such as MS-Windows or DESQview loaded, since GUIs seem to be able to open DOS boxes only on whole K boundaries (some seem to be even coarser); thus CHKDSK run from a DOS box may report unrepresentative values.

Note also that some machines have only 512K or 256K instead of 640K of conventional memory.

I have an infinite loop of sub-directories on my hard drive. Am I infected?
Probably not. This happens now and then, when something sets the "cluster number" field of some subdirectory the same cluster as an upper-level (usually the root) directory. The /F parameter of CHKDSK, and any of various popular utility programs, should be able to fix this, usually by removing the offending directory. Don't erase any of the "replicated" files in the odd directory, since that will erase the "copy" in the root as well (it's really not a copy at all; just a second pointer to the same file).

Protection plans
What is the best protection policy for my computer?
There is no "best" anti-virus policy. In particular, there is no program that can magically protect you against all viruses. But you can design an anti-virus protection strategy based on multiple layers of defense. There are three main kinds of anti-virus software, plus several other means of protection (such as hardware write-protect methods).

1) Generic monitoring programs. These try to prevent virus activity before it happens, such as attempts to write to another executable, reformat the disk, etc.

2) Scanners. Most look for known virus strings (byte sequences which occur in known viruses, but hopefully not in legitimate software) or patterns, but a few use heuristic techniques to recognize virus code. A scanner may be designed to examine specified disks or files on demand, or it may be resident, examining each program which is about to be executed. Most scanners also include virus removers.

3) Integrity checkers or modification detectors. These compute a small "checksum" or "hash value" (usually CRC or cryptographic) for files when they are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified. This catches unknown viruses as well as known ones and thus provides generic detection. On the other hand, modifications can also be due to reasons other than viruses. Usually, it is up to the user to decide which modifications are intentional and which might be due to viruses, although a few products give the user help in making this decision. As in the case of scanners, integrity checkers may be called to checksum entire disks or specified files on demand, or they may be resident, checking each program which is about to be executed (the latter is sometimes called an integrity shell). A third implementation is as a self-test, i.e. the checksumming code is attached to each executable file so that it checks itself just before execution.

3a) A few modification detectors come with generic disinfection. Sufficient information is saved for each file that it can be restored to its original state in the case of the great majority of virus infections, even if the virus is unknown.
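The integrity checker of item 3 and the generic disinfection of item 3a can be shown together. The following Python example is added here and is not the FAQ's or any product's code. It assumes a keyed SHA-256 (HMAC) as the "cryptographic" checksum, a 64-byte saved file head, and that the modification to be undone has the common shape of a patched head plus appended tail; the program file, the key and the modifications are all constructed in a temporary directory, with no virus code involved. It also shows the caveat given later under "disinfecting files": a restore that cannot be verified byte-for-byte against the baseline is refused rather than guessed.

```python
import hashlib
import hmac
import os
import tempfile

HEADER_BYTES = 64   # assumption: enough of the file head to undo an entry-point patch
BASELINE_KEY = b"constructed-key-keep-it-off-the-protected-disk"  # constructed example key


def file_digest(data: bytes, key: bytes = BASELINE_KEY) -> str:
    """Keyed SHA-256 over the whole file. A keyed hash means a modifier that does not
    hold the key cannot recompute a matching record after changing the file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def baseline(path: str) -> dict:
    """Record the presumably clean state: size, modification time, head bytes, digest."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "mtime_ns": os.stat(path).st_mtime_ns,
            "header": data[:HEADER_BYTES], "digest": file_digest(data)}


def check(path: str, record: dict) -> dict:
    """Compare the file's current state with its baseline record."""
    with open(path, "rb") as f:
        data = f.read()
    return {"content_ok": hmac.compare_digest(file_digest(data), record["digest"]),
            "size_ok": len(data) == record["size"],
            "mtime_ok": os.stat(path).st_mtime_ns == record["mtime_ns"]}


def generic_restore(path: str, record: dict) -> bool:
    """Generic disinfection for the common shape of a file infection: the original head
    bytes patched and foreign bytes appended. Rebuild a candidate from the saved head
    plus the untouched middle and write it only if the digest proves it is byte-for-byte
    the original; otherwise refuse, because this record cannot undo the damage."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < record["size"]:
        return False                     # original bytes are gone; nothing to cut back to
    candidate = record["header"] + data[HEADER_BYTES:record["size"]]
    if not hmac.compare_digest(file_digest(candidate), record["digest"]):
        return False                     # the middle changed too; use a clean backup instead
    with open(path, "wb") as f:
        f.write(candidate)
    os.utime(path, ns=(record["mtime_ns"], record["mtime_ns"]))   # restore the timestamp too
    return True


def demo() -> dict:
    """Baseline, modify, check, restore, then a modification that cannot be undone."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "PROGRAM.EXE")
        original = b"MZ" + bytes(range(256)) * 4      # constructed stand-in for a clean program
        with open(path, "wb") as f:
            f.write(original)
        record = baseline(path)
        # Constructed change with the shape generic_restore handles: patch the first
        # three bytes and append 300 bytes.
        with open(path, "r+b") as f:
            f.write(b"\xe9\x00\x04")
            f.seek(0, os.SEEK_END)
            f.write(b"\x90" * 300)
        after_change = check(path, record)
        restored = generic_restore(path, record)
        after_restore = check(path, record)
        # Constructed change in the middle of the file: the record cannot rebuild it.
        with open(path, "r+b") as f:
            f.seek(500)
            f.write(bytes(8))
        unrecoverable = generic_restore(path, record)
        after_refusal = check(path, record)
    return {"after_change": after_change, "restored": restored, "after_restore": after_restore,
            "unrecoverable": unrecoverable, "after_refusal": after_refusal}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline records (and the key) must live somewhere the protected programs cannot alter, such as a write-protected diskette; a record stored next to the file it describes is only as trustworthy as that file. The size and timestamp checks are kept separate from the digest because, as the answer notes, a user has to decide which changes are intentional, and a legitimate update normally changes all three.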

Of course, only a few examples of each type have been given. All of them can find their place in the protection against computer viruses, but you should appreciate the limitations of each method, along with system-supplied security measures that may or may not be helpful in defeating viruses. Ideally, you would arrange a combination of methods that cover the loopholes between them.

A typical PC installation might include a protection system on the hard disk's MBR to protect against viruses at load time (ideally this would be hardware or in BIOS, but software methods such as DiskSecure and PanSoft's Immunise are pretty good). This would be followed by resident virus detectors loaded as part of the machine's startup (CONFIG.SYS or AUTOEXEC.BAT). Most importantly, new files should be scanned as they arrive on the system. If your system has DR DOS installed, you should use the PASSWORD command to write-protect all system executables and utilities. If you have Stacker or SuperStore, you can get some improved security from these compressed drives, but also a risk that those viruses stupid enough to directly write to the disk could do much more damage than normal; using a software write-protect system (such as provided with Disk Manager or Norton Utilities) may help, but the best solution (if possible) is to put all executables on a disk of their own, protected by a hardware read-only system that sounds an alarm if a write is attempted.

If you do use a resident boot virus detector or a scan-while-you-copy detector, it is important to trace back any infected diskette to its source; the reason why viruses survive so well is that usually you cannot do this, because the infection is found long after the infecting diskette has been forgotten with most people's lax scanning policies.

Organizations should devise and implement a careful policy that may include a system of vetting new software brought into the building and free virus detectors for home machines of employees/students/etc. who take work home with them.

Other anti-virus techniques include: (a) Creation of a special MBR to make the hard disk inaccessible when booting from a diskette (the latter is useful since booting from a diskette will normally bypass the protection in the CONFIG.SYS and AUTOEXEC.BAT files of the hard disk). (b) Use of Artificial Intelligence to learn about new viruses and extract scan patterns for them. (c) Encryption of files (with decryption before execution).

Is it possible to protect a computer system with only software?
Not perfectly; however, software defenses can significantly reduce your risk of being affected by viruses when applied appropriately. All virus defense systems are tools - each with their own capabilities and limitations. Learn how your system works and be sure to work within its limitations.

A very high level of protection/detection can be achieved with software alone, using a layered approach:

ROM BIOS - password (access control) and selection of boot disk. (Some may consider this hardware.)
Boot sectors - integrity management and change detection.
OS programs - integrity management of existing programs, scanning of unknown programs. Requirement of authentication values for any new or transmitted software.
Locks that prevent writing to a fixed or floppy disk.
As each layer is added, invasion without detection becomes more difficult. However, complete protection against any possible attack cannot be provided without dedicating the computer to pre-existing or unique tasks. The international standardization of the world on the IBM PC architecture is both its greatest asset and its greatest vulnerability.

Is it possible to write-protect the hard disk with only software?
The answer is no. There are several programs which claim to do that, but all of them can be bypassed using only the currently known techniques that are used by some viruses. Therefore you should never rely on such programs *alone*, although they can be useful in combination with other anti-virus measures.

What can be done with hardware protection?
Hardware protection can accomplish various things, including: write protection for hard disk drives, memory protection, monitoring and trapping unauthorized system calls, etc. Again, no tool is foolproof.

The popular idea of write-protection may stop viruses spreading to the disk that is protected, but doesn't, in itself, prevent a virus from running.

Also, some of the existing hardware protections can be easily bypassed, fooled, or disconnected, if the virus writer knows them well and designs a virus which is aware of the particular defense.

Will setting DOS file attributes to READ ONLY protect them from viruses?
No. While the Read Only attribute will protect your files from a few viruses, most simply override it, and infect normally. So, while setting executable files to Read Only is not a bad idea, it is certainly not a thorough protection against viruses!

Will password/access control systems protect my files from viruses?
All password and other access control systems are designed to protect the user's data from other users and/or their programs. Remember, however, that when you execute an infected program the virus in it will gain your current rights/privileges. Therefore, if the access control system provides you the right to modify some files, it will provide it to the virus too. Note that this does not depend on the operating system used - DOS, UNIX, or whatever. Therefore, an access control system will protect your files from viruses no better than it protects them from you.

Under DOS, there is no memory protection, so a virus could disable the access control system in memory, or even patch the operating system itself. On the more advanced operating systems (such as NT or UNIX) this is not possible, so at least the protection cannot be disabled by a virus. However it will still spread, due to the reasons noted above. In general, the access control systems (if implemented correctly) are able only to slow down the virus spread, not to eliminate viruses entirely.

Of course, it's better to have access control than not to have it at all. Just be sure not to develop a false sense of security and to rely entirely on the access control system to protect you.

Will the protection systems in DR DOS work against viruses?
Partially. Neither the password file/directory protection available from DR DOS version 5 onwards, nor the secure disk partitions introduced in DR DOS 6 are intended to combat viruses, but they do to some extent. If you have DR DOS, it is very wise to password-protect your files (to stop accidental damage too), but don't depend on it as the only means of defense.

The use of the password command:

PASSWORD/W:MINE *.EXE *.COM

will stop more viruses than the plain DOS attribute facility, but that isn't saying much! The combination of the password system plus a disk compression system may be more secure (because to bypass the password system they must access the disk directly, but under SuperStore or Stacker the physical disk is meaningless to the virus). There may be some viruses which, rather than invisibly infecting files on compressed disks, in fact very visibly corrupt the disk.

The "secure disk partitions" system introduced with DR DOS 6 may be of some help against a few viruses that look for DOS partitions on a disk. The main use is in stopping people fiddling with (and infecting) your hard disk while you are away.

Furthermore, DR DOS is not very compatible with MS/PC-DOS, especially down to the low-level tricks that some viruses are using. For instance, some internal memory structures are "read-only" in the sense that they are constantly updated (for DOS compatibility) but not really used by DR DOS, so that even if a sophisticated virus modifies them, this does not have any effect.

In general, using a less compatible system diminishes the number of viruses that can infect it. For instance, the introduction of hard disks made the Brain virus almost disappear; the introduction of 80286 and DOS 4.x+ made the Yale and Ping Pong viruses extinct, and so on.

Will a write-protect tab on a floppy disk stop viruses?
In general, yes. The write-protection on IBM PC (and compatible) and Macintosh floppy disk drives is implemented in hardware, not software, so viruses cannot infect a diskette when the write-protection mechanism is functioning properly.

But remember:

A computer may have a faulty write-protect system (this happens!) - you can test it by trying to copy a file to the diskette when it is presumably write-protected.
Someone may have removed the tab for a while, allowing a virus on.
The files may have been infected before the disk was protected. Even some diskettes "straight from the factory" have been known to be infected in the production processes.
So it is worthwhile scanning even write-protected disks for viruses.

Do local area networks (LANs) help to stop viruses or do they facilitate their spread?
Both. A set of computers connected in a well managed LAN, with carefully established security settings, with minimal privileges for each user, and without a transitive path of information flow between the users (i.e., the objects writable by any of the users are not readable by any of the others) is more virus-resistant than the same set of computers if they are not interconnected. The reason is that when all computers have (read-only) access to a common pool of executable programs, there is usually less need for diskette swapping and software exchange between them, and therefore fewer ways through which a virus could spread.

However, if the LAN is not well managed, with lax security, it could help a virus to spread like wildfire. It might even be impossible to remove the infection without shutting down the entire LAN.

A network that supports login scripting is inherently more resistant to viruses than one that does not, if this is used to validate the client before allowing access to the network.

What is the proper way to make backups?
Data and text files, and programs in source form, should be backed up each time they are modified. However, the only backups you should keep of COM, EXE and other executable files are the original versions, since if you back up an executable file on your hard disk over and over, it may have become infected meanwhile, so that you may no longer have an uninfected backup of that file. Therefore:

If you've downloaded shareware, copy it (preferably as a ZIP or other original archive file) onto your backup medium and do not re-back it up later.

If you have purchased commercial software, it's best to create a ZIP (or other) archive from the original diskettes (assuming they're not copy protected) and transfer the archive onto that medium. Again, do not re-back up.

If you write your own programs, back up only the latest version of the *source* programs. Depend on recompilation to reproduce the executables.

If an executable has been replaced by a new version, then of course you will want to keep a backup of the new version. However, if it has been modified as a result of your having changed configuration information, it seems safer *not* to back up the modified file; you can always re-configure the backup copy later if you have to.

Theoretically, source programs could be infected, but until such a virus is discovered, it seems preferable to treat such files as non-executables and back them up whenever you modify them. The same advice is probably appropriate for batch files as well, despite the fact that a few batch file infectors have been discovered.

Facts and Fibs about computer viruses
Can boot sector viruses infect non-bootable floppy disks?
Any diskette that has been properly formatted contains an executable program in the boot sector. If the diskette is not "bootable," all that boot sector does is print a message like "Non-system disk or disk error; replace and strike any key when ready", but it's still executable and still vulnerable to infection. If you accidentally turn your machine on with a "non-bootable" diskette in the drive, and see that message, it means that any boot virus that may have been on that diskette has run, and has had the chance to infect your hard drive, or whatever. So when thinking about viruses, the word "bootable" (or "non-bootable") is really misleading. All formatted diskettes are capable of carrying a virus.

Can a virus hide in a PC's CMOS memory?
No. The CMOS RAM in which system information is stored and backed up by batteries is ported, not addressable. That is, in order to get anything out, you use I/O instructions. So anything stored there is not directly sitting in memory. Nothing in a normal machine loads the data from there and executes it, so a virus that "hid" in the CMOS RAM would still have to infect an executable object of some kind in order to load and execute whatever it had written to CMOS. A malicious virus can of course alter values in the CMOS as part of its payload, but it can't spread through, or hide itself in, the CMOS.

A virus could also use the CMOS RAM to hide a small part of its body (e.g., the payload, counters, etc.). However, any executable code stored there must be first extracted to ordinary memory in order to be executed.

Can a virus hide in Extended or in Expanded RAM?
Theoretically yes, although no such viruses are known yet. However, even if they are created, they will have to have a small part resident in conventional RAM; they cannot reside entirely in Extended or in Expanded RAM.

Can a virus hide in Upper Memory or in High Memory?
Yes, it is possible to construct a virus which will locate itself in Upper Memory (640K to 1024K) or in High Memory (1024K to 1088K), and a few currently known viruses (e.g. EDV) do hide in Upper Memory.

It might be thought that there is no point in scanning in these areas for any viruses other than those which are specifically known to inhabit them. However, there are cases when even ordinary viruses can be found in Upper Memory. Suppose that a conventional memory-resident virus infects a TSR program and this program is loaded high by the user (for instance, from AUTOEXEC.BAT). Then the virus code will also reside in Upper Memory. Therefore, an effective scanner must be able to scan this part of memory for viruses too.

Can a virus infect data files?
Some viruses (e.g., Frodo, Cinderella) modify non-executable files. However, in order to spread, the virus must be executed. Therefore the "infected" non-executable files cannot be sources of further infection.

However, note that it is not always possible to make a sharp distinction between executable and non-executable files. One man's code is another man's data and vice versa. Some files that are not directly executable contain code or data which can under some conditions be executed or interpreted.

Some examples from the IBM PC world are .OBJ files, libraries, device drivers, source files for any compiler or interpreter, macro files for some packages like MS Word and Lotus 1-2-3, and many others. Currently there are viruses that infect boot sectors, master boot records, COM files, EXE files, BAT files, MS Word documents, and device drivers, although any of the objects mentioned above can theoretically be used as an infection carrier. PostScript files can also be used to carry a virus, although no currently known virus does that.

Can viruses spread from one type of computer to another?
The answer is yes and no! No "low-level virus" -- one written in assembly language and designed to directly address the CPU -- can spread between machines having incompatible CPUs. Although the disk formats may be the same (e.g. Atari ST and DOS), the different machines interpret the code differently. For example, the Stoned virus cannot infect an Atari ST as the ST cannot execute the virus code in the boot sector. The Stoned virus contains instructions for the 80x86 family of CPUs that the 680x0-family CPU (Atari ST) can't understand or execute.

However, a "high-level virus" -- one written in a macro language, for instance, could run on any machine for which there was software that could correctly interpret that macro language. Thus macro viruses that can infect a document for Word for Windows (Windows) will operate correctly on any machine that runs MS Word, including the Macintosh, DOS, Windows, OS/2, NT, etc.

Can DOS viruses run on non-DOS machines (e.g. Mac, Amiga)?
In general, no. However, on machines running DOS emulators (either hardware or software based), DOS viruses - just like any DOS program - may function. These viruses would be subject to the file access controls of the host operating system. For example, under a DOS emulator such as VP/ix on a 386 UNIX system, DOS programs are not permitted access to any file which the host UNIX system does not allow them to access. Thus, it is important to administer these systems carefully.

Are mainframe computers susceptible to computer viruses?
Yes. Numerous experiments have shown that computer viruses spread very quickly and effectively on mainframe systems. However, to our knowledge, no non-research computer virus has been seen on mainframe systems. (The Internet worm of November 1988 was not a computer virus by most definitions, although it had some virus-like characteristics.)

Computer viruses are actually a special case of something else called "malicious logic", and other forms of malicious logic -- notably Trojan horses -- are far quicker, more effective, and harder to detect than computer viruses. Nevertheless, on personal computers many more viruses are written than Trojans. There are two reasons for this:

Since a virus propagates, the number of users to which damage can be caused is much greater than in the case of a Trojan;

It's almost impossible to trace the source of a virus since viruses are not attached to any particular program.

For further information on malicious programs on multi-user systems, see Matt Bishop's paper, "An Overview of Malicious Logic in a Research Environment", available by anonymous FTP on Dartmouth.edu (129.170.16.4) as "pub/security/mallogic.ps".

Some people say that disinfecting files is a bad idea. Is that true?
Disinfecting a file is completely "safe" only if the disinfecting process restores the non-infected state of the object completely. That is, not only must the virus be removed from the file, but the original length of the file must be restored exactly, as well as its time and date of last modification, all fields in the header, etc. Sometimes it is necessary to be sure that the file is placed on the same clusters of the disk that it occupied prior to infection. If this is not done, then a program which uses some kind of self-checking or copy protection may stop functioning properly, if at all.

None of the currently available disinfecting programs do all this. For instance, because of the bugs that exist in many viruses, some of the information of the original file is destroyed and cannot be recovered. Other times, it is even impossible to detect that this information has been destroyed and to warn the user. Furthermore, some viruses corrupt information very slightly and in a random way (Nomenklatura, Phoenix), so that it is not even possible to tell which files have been corrupted.

Therefore, it is usually better to replace the infected objects with clean backups, provided that you have backups and are certain that your backups are uninfected. You should try to disinfect files only if they contain some valuable data that cannot be restored from backups or compiled from their original source.

Can I avoid viruses by avoiding shareware/free software/games?
No. There are many documented instances in which even commercial "shrink wrap" software was inadvertently distributed containing viruses. Avoiding shareware, freeware, games, etc. only isolates you from a vast collection of software (some of it very good, some of it very bad, most of it somewhere in between...).

The important thing is not to avoid a certain type of software, but to be cautious of all newly acquired software. Simply scanning all new software media for known viruses would be rather effective at preventing virus infections, especially when combined with some other prevention/detection strategy such as integrity management of programs.

Can I contract a virus on my PC by performing a "DIR" of an infected floppy disk?
If you assume that the PC you are using is virus-free before you perform the DIR command, then the answer is no. However, when you perform a DIR, the contents of the boot sector of the diskette are loaded into a buffer for use when determining disk layout etc., and certain anti-virus products will scan these buffers. If a boot sector virus has infected your diskette, the virus code will be contained in the buffer, which may cause some anti-virus packages to give the message "xyz virus found in memory, shut down computer immediately". In fact, the virus is not a threat at this point since control of the CPU is never passed to the virus code residing in the buffer. But, even though the virus is really not a threat at this point, this message should not be ignored. If you get a message like this, and then reboot from a clean DOS diskette and scan your hard-drive and find no virus, then you know that the false positive was caused by the fact that the infected boot-sector was loaded into a buffer, and the diskette should be appropriately disinfected before use. The use of DIR will not infect a clean system, even if the diskette it is being performed on does contain a virus.

Is there any risk in copying data files from an infected floppy disk to a clean PC's hard disk?
Assuming that you did not boot or run any executable programs from the infected disk, the answer is generally no. There are some caveats:

you should be somewhat concerned about checking the integrity of these data files as they may have been destroyed or altered by the virus.

if any of the "data" files are interpretable as executable by some other program (such as a Lotus macro) then these files should be treated as potentially malicious until the symptoms of the infection are known.

A file that doesn't end in .COM or .EXE is not necessarily a datafile. An overlay file contains executable code and can end in any extension. Some viruses, such as Satan Bug, infect overlay files. Be sure your scanner has checked all files -- not just executables -- before being confident that your "data files" are uninfected.

The copying process itself is safe (given the above scenario). However, you should be concerned with what type of files are being copied to avoid introducing other problems.

Can a DOS virus survive and spread on an OS/2 system using the HPFS file system?
Yes, both file-infecting and boot sector viruses can infect HPFS partitions. File-infecting viruses function normally and can activate and do their dirty deeds, and boot sector viruses can prevent OS/2 from booting if the primary bootable partition is infected. Viruses that try to directly address disk sectors cannot function because OS/2 prevents this activity.

Under OS/2 2.0, could a virus-infected DOS session infect another DOS session?
Each DOS program is run in a separate Virtual DOS Machine (their memory spaces are kept separated by OS/2). However, any DOS program has almost complete access to the files and disks, so infection can occur if the virus infects files; any other DOS session that executes a program infected by a virus that makes itself memory resident would itself become infected.

However, bear in mind that all DOS sessions share the same copy of the command interpreter. Hence if it becomes infected, the virus will be active in all DOS sessions.

Can normal DOS viruses work under MS Windows?
Most of them cannot. A system that runs exclusively MS Windows is, in general, more virus-resistant than a plain DOS system. The reason is that most resident viruses are not compatible with the memory management in Windows. Furthermore, most of the existing viruses will damage the Windows applications if they try to infect them as normal EXE files. The damaged applications will stop working and this will alert the user that something is wrong.

However, virus-resistant is by no means virus-proof. For instance, most of the well-behaved resident viruses that infect only COM files (Cascade is an excellent example) will work perfectly in a DOS window. All non-resident COM infectors will be able to run and infect too. And there are several Windows-specific viruses which are able to properly infect Windows applications (they are compatible with the NewEXE file format).

Any low level trapping of Interrupt 13, as by resident boot sector and MBR viruses, can also affect Windows operation, particularly if protected disk access (32BitDiskAccess=ON in SYSTEM.INI) is used.

Miscellaneous Questions

How many viruses are there?
It is not possible to give an exact number because new viruses are being created literally every day. Furthermore, different anti-virus researchers use different criteria to decide whether two viruses are different or one and the same. Some count viruses as different if they differ by at least one bit in their non-variable code. Others group the viruses in families and do not count the closely related variants in one family as different viruses.

How do viruses spread so quickly?
This is a very complex issue. Most viruses don't spread very quickly. Those that do spread widely are able to do so for a variety of reasons. A large target population (i.e., millions of compatible computers) helps... A large virus population helps... Vendors whose quality assurance mechanisms rely on, for example, outdated scanners help... Users who gratuitously insert new software into their systems without making any attempt to test for viruses help... All of these things are factors.

What is the plural of "virus"? "Viruses" or "viri" or "virii" or...
The correct English plural of "virus" is "viruses." The Latin word is a mass noun (like "air"), and there is no correct Latin plural. Please use "viruses."

When reporting a virus infection (and looking for assistance), what information should be included?
Try to provide the following information in your requests for assistance:
- The name of the virus (if known);
- The name of the program that detected it;
- The version of the program that detected it;
- Any other anti-virus software that you are running and whether it has been able to detect the virus or not, and if yes, by what name it called it;
- Your software and hardware configuration (computer type, kinds of disk(ette) drives, amount of memory and configuration (extended/expanded/conventional), TSR programs and device drivers used, OS version, etc.)

It is helpful if you can use more than one scanning program to identify a virus, and to say which scanner gave which identification. However, some scanning programs leave "signatures" in memory which will confuse others, so it is best to do a "cold reboot" between runs of successive scanners if you are getting confusing results.

How often should we upgrade our anti-virus tools to minimize software and labor costs and maximize our protection?
This is a difficult question to answer. Antivirus software is a kind of insurance, and this type of calculation is difficult.

There are two things to watch out for here: the general "style" of the software, and the signatures which scanners use to identify viruses. Scanners should be updated more frequently than other software, and it is probably a good idea to update your set of signatures at least once every two months.

Some antivirus software looks for changes to programs or specific types of virus "activity," and these programs generally claim to be good for "all current and future virus programs." However, even these programs cannot guarantee to protect against all future viruses, and should probably be upgraded several times per year.

Of course, not every anti-virus product is effective against all viruses, even if upgraded regularly. Thus, do not depend on the fact that you have upgraded your product recently as a guarantee that your system is free of viruses!

I was told that the Stoned virus displays the text "Your PC is now Stoned" at boot time. I have been infected by this virus several times, but have never seen the message. Why?
The "original" Stoned message was ".Your PC is now Stoned!", where the "." represents the "bell" character (ASCII 7 or "PC speaker beep"). The message is displayed with a probability of 1 in 8 only when a PC is booted from an infected diskette. When booting from an infected hard disk, Stoned never displays this message.

Recently, versions of Stoned with no message whatsoever or only the leading bell character have become very common. These versions of Stoned are likely to go unnoticed by all but the most observant, even when regularly booting from infected diskettes.

Contrary to some reports, the Stoned virus -does NOT- display the message "LEGALISE MARIJUANA", although such a string is quite clearly visible in the boot sectors of diskettes infected with the "original" version of Stoned in "standard" PC's.

I was infected by both Stoned and Michelangelo. Why has my computer become unbootable? And why, each time I run my favorite scanner, does it find one of the viruses and say that it is removed, but when I run it again, it says that the virus is still there?
These two viruses store the original Master Boot Record at one and the same place on the hard disk. They do not recognize each other, and therefore a computer can become infected with both of them at the same time.

The first of these viruses that infects the computer will overwrite the Master Boot Record with its body and store the original MBR at a certain place on the disk. So far, this is normal for a boot-record virus. But if now the other virus infects the computer too, it will replace the MBR (which now contains the virus that has come first) with its own body, and store what it believes is the original MBR (but in fact is the body of the first virus) at the same place on the hard disk, thus overwriting the original MBR. When this happens, the contents of the original MBR are lost. Therefore the disk becomes non-bootable.

When a virus removal program inspects such a hard disk, it will see the second virus in the MBR and will try to remove it by overwriting it with the contents of the sector where this virus normally stores the original MBR. However, now this sector contains the body of the FIRST virus. Therefore, the virus removal program will install the first virus in trying to remove the second. In all probability it will not wipe out the sector where the (infected) MBR has been stored.

When the program is run again, it will find the first virus in the MBR. By trying to remove it, the program will get the contents of the sector where this virus normally stores the original MBR, and will move it over the current (infected) MBR. Unfortunately, this sector still contains the body of the first virus. Therefore, the body of this virus will be re-installed over the MBR ad infinitum.

There is no easy solution to this problem, since the contents of the original MBR are lost. The only solution for the anti-virus program is to detect that there is a problem, and to overwrite the contents of the MBR with a valid MBR program, which the anti-virus program will have to carry with itself. If your favorite anti-virus program is not that smart, consider replacing it with a better one, or just boot from a write-protected uninfected DOS 5.0+ diskette, and execute the program FDISK with the option /MBR. This will re-create the executable code in the MBR without modifying the partition table data. (Note that if you have Monkey or a similar virus, your partition table is encrypted, and this approach will simply make things worse!)

In general, infection by multiple viruses of the same file or area is possible and vital areas of the original may be lost. This can make it difficult or impossible for virus disinfection tools to be effective, and replacement of the lost file/area will be necessary.
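To make the double-infection loop above concrete, here is an added simulation (not code from the FAQ): a toy disk with an MBR sector and one parking sector, two modelled viruses that both park the previous MBR there, a disinfector that trusts the parked copy, and one that validates it and otherwise rewrites only the boot code, as FDISK /MBR does. The sector tags, the parking sector number and the partition-table bytes are constructed for illustration.

```python
"""Constructed model of the Stoned + Michelangelo double-infection loop.
Both modelled viruses park the previous MBR in the same sector, so a
disinfector that trusts the parked copy re-installs the first virus forever.
Sector layout and tags are invented for illustration, not real virus code."""

SECTOR_SIZE = 512
CODE_LEN = 446          # boot code; then a 64-byte partition table and 2-byte signature
PARK_SECTOR = 7         # constructed: where *both* modelled viruses park the old MBR
SIGNATURE = b"\x55\xaa"


def make_sector(code_tag_text: str, ptable: bytes) -> bytes:
    """Build a 512-byte MBR-shaped sector: tagged code + partition table + signature."""
    code = code_tag_text.encode().ljust(CODE_LEN, b"\0")
    return code + ptable.ljust(64, b"\0") + SIGNATURE


def code_tag(sec: bytes) -> str:
    """The text tag standing in for the boot code of a sector."""
    return sec[:CODE_LEN].rstrip(b"\0").decode()


def ptable_of(sec: bytes) -> bytes:
    return sec[CODE_LEN:CODE_LEN + 64]


class Disk:
    """A handful of addressable sectors; sector 0 is the MBR."""

    def __init__(self, ptable: bytes = b"PT:real-partitions"):
        self.sectors = {0: make_sector("MBR:original-code", ptable),
                        PARK_SECTOR: bytes(SECTOR_SIZE)}

    def read(self, n: int) -> bytes:
        return self.sectors[n]

    def write(self, n: int, data: bytes) -> None:
        self.sectors[n] = data


def infect(disk: Disk, virus_tag: str) -> None:
    """What the FAQ describes: copy whatever is in the MBR to the parking
    sector (the virus believes it is the original), then take over the MBR,
    keeping the current partition table so the disk still looks normal."""
    current = disk.read(0)
    disk.write(PARK_SECTOR, current)
    disk.write(0, make_sector(virus_tag, ptable_of(current)))


def is_virus_code(sec: bytes) -> bool:
    """Stand-in for a scanner signature match on the boot code."""
    return code_tag(sec).startswith("VIRUS:")


def naive_disinfect(disk: Disk) -> str:
    """Trusts the parked sector blindly: exactly the behaviour the FAQ warns about."""
    if not is_virus_code(disk.read(0)):
        return "clean"
    disk.write(0, disk.read(PARK_SECTOR))
    return "restored"


def careful_disinfect(disk: Disk) -> str:
    """Verifies the parked copy first; if it is not a plausible MBR, rewrites
    only the boot code (the FDISK /MBR idea) and keeps the partition table.
    The FAQ's caveat applies: if the partition table itself was encrypted by
    a virus such as Monkey, rewriting the code alone makes things worse."""
    mbr = disk.read(0)
    if not is_virus_code(mbr):
        return "clean"
    parked = disk.read(PARK_SECTOR)
    plausible = (parked[-2:] == SIGNATURE and not is_virus_code(parked)
                 and code_tag(parked).startswith("MBR:"))
    if plausible:
        disk.write(0, parked)
        return "restored"
    disk.write(0, make_sector("MBR:generic-code", ptable_of(mbr)))
    return "rebuilt"


def double_infected_disk() -> Disk:
    disk = Disk()
    infect(disk, "VIRUS:first")    # e.g. Stoned arrives first
    infect(disk, "VIRUS:second")   # then Michelangelo; the original MBR is now gone
    return disk


def run_naive(runs: int = 3) -> list:
    """MBR code tag after each naive pass; the first virus never goes away."""
    disk = double_infected_disk()
    history = []
    for _ in range(runs):
        naive_disinfect(disk)
        history.append(code_tag(disk.read(0)))
    return history


def run_careful() -> tuple:
    """Careful pass on the double-infected disk: (verdict, MBR code tag, partition table)."""
    disk = double_infected_disk()
    result = careful_disinfect(disk)
    return result, code_tag(disk.read(0)), ptable_of(disk.read(0))


def run_single(careful: bool) -> tuple:
    """Single infection: both disinfectors recover the original MBR correctly."""
    disk = Disk()
    infect(disk, "VIRUS:first")
    result = (careful_disinfect if careful else naive_disinfect)(disk)
    return result, code_tag(disk.read(0))


if __name__ == "__main__":
    print("naive passes:", run_naive())        # ['VIRUS:first', 'VIRUS:first', 'VIRUS:first']
    print("careful pass:", run_careful()[:2])  # ('rebuilt', 'MBR:generic-code')
```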

How Viruses Work
Use of Memory
Can a virus hide in the memory regions on peripheral devices such as video DRAM/VRAM or printer buffers? Can a virus access/hide in a printer buffer as long as it is powered on, & can it then infect other PC's connected to the same printer in a sharing arrangement? A computer maintenance instructor that I know claims that viruses can remain active in a system even after "power off" due to either the battery back-up for CMOS or even power remaining in capacitors in the power supply etc.

What RAM can viruses use? I mean, can they use video RAM, printer RAM, or keyboard RAM? If so, what anti-virus products will scan these areas of RAM for them?

No Susan, viruses cannot use printer RAM, keyboard RAM, CMOS, etc. Never heard of keyboard RAM anyway. They can use conventional RAM, upper memory (UMB), high memory (HMA). Not yet for EMS/XMS.

How Viruses Spread
Sources

Shrink-Wrap Software
We've noticed at least one other message on this list which mentions a virus in mouse drivers, and wonder if anybody has a) confirmed such "sightings", or b) contacted the manufacturers about the alleged problems.

Usually these reports come about because someone discovers they have a virus after they have themselves infected many diskettes. They tend to blame the last thing they bought. It is impossible to establish where the infection came from when this happens.

There is nothing very unusual about shrink-wrapped software coming directly from the producer with a virus already on it; it is just that the other thing happens much more often. If the commercial disk concerned was supplied permanently write-protected, it might be worth investigating, but it will still be difficult to establish anything for certain. You will have to look for other, unconnected, fresh copies to examine under controlled conditions.

When a virus is distributed by a publisher, two things can happen. Some companies own up, issue warnings, and generally do the right thing. Others deny.

Who has shipped viruses with their shrink-wrapped product?
Courtesy of IBM, my computer's master boot record has become infected with what Virus Alert calls "Neuville" and what Scan calls "2KB". The virus came on IBM's new Disk Manager 6.0.3, shipped directly from IBM Canada. (Although I normally scan everything, I didn't scan the boot sector of this disk, thinking naively that it was safe because of the source.) I caught the infection with a routine scan shortly after the virus installed itself on my MBR. No other files or floppies are reported affected, and I can boot from a (clean) floppy.

What kind of files can spread viruses?

Viruses have the potential to infect any type of executable code, not just
the files that are commonly called 'program files'. For example, some
viruses infect executable code in the boot sector of floppy disks or in
system areas of hard drives. Another type of virus, known as a 'macro'
virus, can infect word processing and spreadsheet documents that use
macros. And it's possible for HTML documents containing JavaScript or other
types of executable code to spread viruses or other malicious code.

Since virus code must be executed to have any effect, files that the
computer treats as pure data are safe. This includes graphics and sound
files such as .gif, .jpg, .mp3, .wav, etc., as well as plain text in .txt
files. For example, just viewing picture files won't infect your computer
with a virus. The virus code has to be in a form, such as an .exe program
file or a Word .doc file, that the computer will actually try to execute.

How do viruses spread?

When you execute program code that's infected by a virus, the virus code
will also run and try to infect other programs, either on the same computer
or on other computers connected to it over a network. And the newly
infected programs will try to infect yet more programs.

When you share a copy of an infected file with other computer users,
running the file may also infect their computers; and files from those
computers may spread the infection to yet more computers.

If your computer is infected with a boot sector virus, the virus tries to
write copies of itself to the system areas of floppy disks and hard disks.
Then the infected floppy disks may infect other computers that boot from
them, and the virus copy on the hard disk will try to infect still more
floppies.

Some viruses, known as 'multipartite' viruses, can spread both by infecting
files and by infecting the boot areas of floppy disks.

What do viruses do to computers?

Viruses are software programs, and they can do the same things as any other
programs running on a computer. The actual effect of any particular virus
depends on how it was programmed by the person who wrote the virus.

Some viruses are deliberately designed to damage files or otherwise
interfere with your computer's operation, while others don't do anything but
try to spread themselves around. But even the ones that just spread
themselves are harmful, since they damage files and may cause other problems
in the process of spreading.

Note that viruses can't do any damage to hardware: they won't melt down your
CPU, burn out your hard drive, cause your monitor to explode, etc. Warnings
about viruses that will physically destroy your computer are usually hoaxes,
not legitimate virus warnings.

What is a Trojan horse program?

A type of program that is often confused with viruses is a 'Trojan horse'
program. This is not a virus, but simply a program (often harmful) that
pretends to be something else.

For example, you might download what you think is a new game; but when you
run it, it deletes files on your hard drive. Or the third time you start
the game, the program E-mails your saved passwords to another person.

Note: simply downloading a file to your computer won't activate a virus or
Trojan horse; you have to execute the code in the file to trigger it. This
could mean running a program file, or opening a Word/Excel document in a
program (such as Word or Excel) that can execute any macros in the document.

What's the story on viruses and E-mail?

You can't get a virus just by reading a plain-text E-mail message or Usenet
post. What you have to watch out for are encoded messages containing
embedded executable code (e.g., JavaScript in an HTML message) or messages
that include an executable file attachment (e.g., an encoded program file or
a Word document containing macros).

In order to activate a virus or Trojan horse program, your computer has to
execute some type of code. This could be a program attached to an E-mail, a
Word document you downloaded from the Internet, or something received on a
floppy disk. There's no special hazard in files attached to Usenet posts or
E-mail messages: they're no more dangerous than any other file.

What can I do to reduce the chance of getting viruses from E-mail?

Treat any file attachments that might contain executable code as carefully
as you would any other new files: save the attachment to disk and then check
it with an up-to-date virus scanner before opening the file.

If your E-mail or news software has the ability to automatically execute
JavaScript, Word macros, or other executable code contained in or attached
to a message, I strongly recommend that you disable this feature.

My personal feeling is that if an executable file shows up unexpectedly
attached to an E-mail, you should delete it unless you can positively
verify what it is, who it came from, and why it was sent to you.

The recent outbreak of the Melissa virus was a vivid demonstration of the
need to be extremely careful when you receive E-mail with attached files or
documents. Just because an E-mail appears to come from someone you trust,
this does NOT mean the file is safe or that the supposed sender had anything

What is the AnnaKournikova virus?

This is a high risk virus. The script arrives as an email attachment. Opening this attachment infects your machine. This script was created by a worm generating tool. Once infected, the script attempts to mail itself to all recipients found in the Windows Address Book. As such, the particulars of its actions may vary. The most common variant functions as follows. When run, the encrypted script copies itself to the WINDOWS directory as "AnnaKournikova.jpg.vbs". It attempts to mail a separate email message, using MAPI messaging, to all recipients in the Windows Address Book using the following information

What are the known viruses, their names, major symptoms and possible cures?

The reader should be aware that there is no universally accepted naming convention for viruses, nor is there any standard means of testing. As a consequence nearly *all* virus information is highly subjective and open to interpretation and dispute.

There are several major sources of information on specific viruses. Probably the largest one is Patricia Hoffman's hypertext VSUM. While VSUM is quite complete, it only covers PC viruses and it is regarded by many in the antivirus field as being inaccurate, so we advise you not to rely solely on it. It can be downloaded from most major archive sites. A more precise source of information is the Computer Virus Catalog, published by the Virus Test Center in Hamburg. It contains highly technical descriptions of computer viruses for several platforms: DOS, Mac, Amiga, Atari ST and Unix. Unfortunately, the DOS section is quite incomplete. The CVC is available by anonymous FTP from ftp.informatik.uni-hamburg.de (IP = 134.100.4.42), directory pub/virus/texts/catalog. (A copy of the CVC is also available by anonymous FTP on corsa.ucr.edu in the directory pub/virus-l/docs/vtc.) Another small collection of good technical descriptions of PC viruses, called CARObase, is also available from ftp.informatik.uni-hamburg.de, in the directory /pub/virus/texts/carobase.

A fourth source of information is the monthly Virus Bulletin, published in the UK. Among other things, it gives detailed technical information on viruses (see A8); a one year subscription, however, costs $395. US subscriptions can be ordered by calling (203) 431 8720 (GMT-5/-4) or writing to 590 Danbury Road, Ridgefield, CT 06877; for European subscriptions, the number is +44 1235 555139 (GMT+0/-1) and the address is: 21 The Quadrant, Abingdon, OXON, OX14 3YS, ENGLAND.

Another source of information is the book "Virus Encyclopedia" which is part of the printed documentation of Dr. Solomon's AntiVirus ToolKit (a commercial DOS antivirus program). It is more complete than the CVC list and just as accurate; however it lists only DOS viruses. This book may be available separately

The on-line help system of the shareware antivirus product Anti-Virus Pro contains a large and relatively exact collection of virus descriptions and even includes demonstrations of several of the audio and visual effects produced by some viruses. However the text can be difficult to read because English is not the author's native tongue.

Where can I get free or shareware antivirus programs?

The Virus-L/comp.virus archive sites carry publicly distributable antivirus software products. Up-to-date listings of these antivirus archive sites are posted monthly to Virus-L/comp.virus (see A5 for details). Many freeware/shareware DOS antivirus programs are available from the SimTel Software Repository. This collection of software is available via anonymous FTP from ftp.coast.net (IP = 141.210.10.117), with antivirus software in the directory /SimTel/msdos/virus. Note that the SimTel archive is "mirrored" at many anonymous FTP sites, including wuarchive.wustl.edu (IP = 128.252.135.4, /systems/ibmpc/simtel/virus), and nic.funet.fi (IP = 128.214.248.6, /pub/msdos/SimTel/virus). Most of this software can also be obtained via e-mail in uuencoded form from various TRICKLE sites, especially in Europe.

Likewise, Macintosh antivirus programs can be found in /pub/tools/mac at coast.cs.purdue.edu.

A list of many antivirus programs, including commercial products and one person's rating of them, can be obtained by anonymous ftp from corsa.ucr.edu (IP = 138.23.166.33) in pub/virus-l/docs/reviews in the file slade.quickref.rvw. This directory also contains detailed product reviews of many products.

What can I do to avoid contracting a computer virus?

The best way to protect your PC from becoming infected is to understand how viruses are transmitted and to develop and employ safe surfing habits.
Computer viruses are transmitted through a variety of means.

They can be transmitted through e-mail as an attachment.
They can be attached to legitimate programs such as a screen saver or even an AV utility.
They can be disguised as a computer software program.
They can be hidden in floppy disks or CDs. (It has been confirmed that a boot sector virus has been transmitted in factory-direct, shrink-wrapped CDs.)
It has been theorized, though not confirmed, that viruses can be transmitted through hostile Java applets and ActiveX programs.

How can I tell if I have a virus?

If your PC has contracted a virus and your AV utility hasn't picked it up, there are a few symptoms you, the user, will notice that may strike you as strange.

You keep running out of disk space. (On your hard drive or on a floppy or CD.)
Strange file names suddenly appear.
Your disk drive opens and closes on its own.
The drive light keeps flashing when no operation has been started. (Such as happens while loading a program or defragmenting the hard drive.)
You keep getting error messages that contain the text '32bit'.
Strange messages appear on your screen.

I have a virus, what should I do?

1. Stop all data transmissions. Do not send any e-mail or access any sites that require a sign-in procedure.
2. If you merely suspect it, run your AV utility and confirm it. If your AV software is out of date, update it. If the update period has expired, re-subscribe. It is preferable that you have at least two up-to-date AV scanners.
3. If your AV utility found it, the utility will likely have the capability of either isolating or deleting the virus. If it cannot, take a note of the virus name and the AV utility name and version number and contact your software vendor. They will assist you in ridding your PC of the virus.
4. As a last recourse, you can reformat your hard drive using write-protected disks that have already been scanned and then reapply your backed-up files.

How can I tell if I have a Trojan Horse program running on my computer?

The tell-tale signs are the same as those described for computer viruses. They can be avoided by practicing safe surfing habits and regularly running a good, up-to-date AV scanner.

Aureate and Radiate spyware is another thing altogether.
These programs come as part of a legitimate shareware or trialware program you download. These programs allow the software manufacturer to track your surfing habits 'in order to better serve the consumer', according to what I have read at most software sites. (Does this sound familiar?)
It should be noted that full, registered versions of software do not come with Aureate or Radiate spyware. Also, you can delete the spyware programs from trial and shareware, but there is the risk that the programs will be rendered useless.
It is, in my opinion, best to avoid these programs altogether by using only full registered versions of any software programs you intend to use.

How can I protect myself from getting a virus?

You should buy a good anti-virus program like Fix-It Utilities or SystemSuite. In today's world having anti-virus software is not optional. A good anti-virus program will perform real-time and on-demand virus checks on your system, and warn you if it detects a virus. The program should also provide a way for you to update its virus definitions, or signatures, so that your virus protection will be current (new viruses are discovered all the time). It is important that you keep your virus definitions as current as possible.

Once you have purchased an anti-virus program, use it to scan new programs before you execute or install them, and new diskettes (even if you think they are blank) before you use them.

You can also take the following precautions to protect your computer from getting a virus:

Always be very careful about opening attachments you receive in an email -- particularly if the mail comes from someone you do not know. Avoid accepting programs (EXE or COM files) from USENET news group postings. Be careful about running programs that come from unfamiliar sources or have come to you unrequested. Be careful about using Microsoft Word or Excel files that originate from an unknown or insecure source.
Avoid booting off a diskette by never leaving a floppy disk in your system when you turn it off.
Write protect all your system and software diskettes when you obtain them. This will stop a computer virus spreading to them if your system becomes infected.
Make sure that you have a clean, write-protected, system rescue (or boot) disk that contains anti-virus scanning/cleaning software. If you have Fix-It Utilities or SystemSuite you can use the generic system rescue disk included in the box. However, the virus definitions may be out of date on the generic disk, so it is much better to make the 2-Disk Rescue Set using Fix-It Utilities or SystemSuite. This 2-Disk Rescue Set will allow you to start up your system without any viruses in memory, and run your anti-virus software without infecting more files.
Change your system's CMOS Setup configuration to prevent it from booting from the diskette drive. If you do this a boot sector virus will be unable to infect your computer during an accidental or deliberate reboot while an infected floppy is in the drive. If you ever need to boot off your Rescue Disk, remember to change the CMOS back to allow you to boot from diskette!
Configure Microsoft Word and Excel to warn you whenever you open a document or spreadsheet that contains a macro (in Microsoft Word check the appropriate box in the Tools | Options | General tab).
Write-protect your system's NORMAL.DOT file. By making this file read-only, you will hopefully notice if a macro virus attempts to write to it.
When you need to distribute a Microsoft Word file to someone, send the RTF (Rich Text Format) file instead. RTF files do not support macros, so by doing this you can ensure that you won't be inadvertently sending an infected file.
Rename your C:\AUTOEXEC.BAT file to C:\AUTO.BAT. Then create a new C:\AUTOEXEC.BAT file containing only the following single line:

auto

By doing this you can easily notice any viruses or trojans that try to add to, or replace, your AUTOEXEC.BAT file. Additionally, if a virus attempts to add code to the bottom of the file, it will not be executed.
Finally, always make regular backups of your computer files. That way, if your computer becomes infected, you can be confident of having a clean backup to help you recover from the attack.

What types of files do you recommend that I scan and set for auto-protection?

Here's a list of file extensions that you should make sure your anti-virus software scans and autoprotects:

386, ADT, BIN, CBT, CLA, COM, CPL, CSC, DLL, DOC, DOT, DRV, EXE, HTM, HTT, JS, MDB, MSO, OV?, POT, PPT, RTF, SCR, SHS, SYS, VBS, XL?


What are some good indications that my computer has a virus?

A very good indicator is having anti-virus software tell you that it found several files on a disk infected with the same virus (sometimes if the software reports just one file is infected, or if the file is not a program file -- an EXE or COM file -- it is a false report).

Another good indicator is if the reported virus was found in an EXE or COM file or in a boot sector on the disk.

If Windows can not start in 32-bit disk or file access mode your computer may have a virus.

If several executable files (EXE and COM) on your system are suddenly and mysteriously larger than they were previously, you may have a virus.

If you get a warning that a Microsoft Word document or Excel spreadsheet contains a macro but you know that it should not have a macro, you may have a virus (you must first have the auto-warn feature activated in Word/Excel).

What are the most common ways to get a virus?

One of the most common ways to get a computer virus is by booting from an infected diskette. Another way is to receive an infected file (such as an EXE or COM file, or a Microsoft Word document or Excel spreadsheet) through file sharing, by downloading it off the Internet, or as an attachment in an email message.

How can I test my anti-virus software to make sure it works?

This is a good question and it is wise to familiarize yourself with how your anti-virus software behaves when it detects a virus, before it really happens. To find out what it does, you can download the "EICAR" Anti-Virus Test File. This is a test file that will cause no damage to your system and will allow you to test your anti-virus software. After downloading and extracting the compressed file, use a text editor to verify the file contents against that listed in the table below, then rename the file from "EICAR.ASC" to "EICAR.COM". If your anti-virus software is working properly, it will warn you that a virus has been detected when you attempt to run the .COM file.
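The verification and rename step above, as an added script that is not part of the FAQ: the 68-byte string and the rule that only whitespace may follow it, up to 128 bytes in total, are the published EICAR definition; the file names follow the FAQ's EICAR.ASC to EICAR.COM procedure.

```python
"""Added check for the EICAR test-file procedure (not the FAQ's own code).
A file whose contents were mangled by line wrapping, transcoding or a stray
byte is no longer the test file, and a scanner will rightly ignore it."""
import os

# Published EICAR test string: 68 printable ASCII bytes.
EICAR_SIGNATURE = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Whitespace the EICAR definition allows after the string: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILING = b" \t\r\n\x1a"
MAX_LEN = 128


def check_eicar(data: bytes) -> str:
    """Return 'ok' if `data` is a valid EICAR test file, otherwise the reason it is not."""
    n = len(EICAR_SIGNATURE)
    if len(data) < n:
        return "too short"
    if data[:n] != EICAR_SIGNATURE:
        return "signature mismatch"
    if len(data) > MAX_LEN:
        return "too long"
    if any(b not in ALLOWED_TRAILING for b in data[n:]):
        return "non-whitespace trailing data"
    return "ok"


def prepare_test_file(src: str = "EICAR.ASC", dst: str = "EICAR.COM") -> str:
    """Verify the extracted file, then rename it as the FAQ instructs.
    Returns the check verdict; the rename only happens when it is 'ok'."""
    with open(src, "rb") as f:
        data = f.read()
    verdict = check_eicar(data)
    if verdict == "ok":
        os.replace(src, dst)
    return verdict


if __name__ == "__main__":
    # Writes the test file to the current directory and renames it to EICAR.COM.
    with open("EICAR.ASC", "wb") as f:
        f.write(EICAR_SIGNATURE + b"\r\n")
    print(prepare_test_file())   # ok
```

An on-access scanner may react as soon as the file is written or renamed rather than when it is run; either reaction shows the scanner is working.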

What should I do if I get a virus?

First, don't panic! Resist the urge to reformat or erase everything in sight. Write down everything you do in the order that you do it. This will help you to be thorough and not duplicate your efforts. Your main actions will be to contain the virus, so it does not spread elsewhere, and then to eradicate it.

If you work in a networked environment, where you share information and resources with others, do not be silent. If you have a system administrator, tell her what has happened. It is possible that the virus has infected more than one machine in your workgroup or organization. If you are on a local area network, remove yourself physically from it immediately.

Once you have contained the virus, you will need to disinfect your system, and then work carefully outwards to deal with any problems beyond your system itself (for example, you should meticulously and methodically look at your system backups, and any removable media that you use). If you are on a network, any networked computers and servers will also need to be checked.

If you have a good virus protection program like Fix-It Utilities or SystemSuite, you can remove the virus and get your computer back into a safe state. Any good anti-virus software will help you to identify the virus and then remove it from your system. Viruses are designed to spread, so don't stop at the first one you find, continue looking until you are sure you've checked every possible source. It is entirely possible that you could find several hundred copies of the virus throughout your system and media!

To disinfect your system, shut down all applications and shut down your computer right away. Then, if you have Fix-It Utilities 99, boot off your System Rescue Disk. Use the virus scanner on this rescue disk to scan your system for viruses. Because the virus definitions on your Rescue Disk may be out of date and are not as comprehensive as the full Virus Scanner in Fix-It, once you have used it and it has cleared your system of known viruses, boot into Windows and use the full Virus Scanner to do an "On Demand" scan set to scan all files. If you haven't run Easy Update recently to get the most current virus definition files, do so now.

If the virus scanner can remove the virus from an infected file, go ahead and clean the file. If the cleaning operation fails, or the virus software cannot remove it, either delete the file or isolate it. The best way to isolate such a file is to put it on a clearly marked floppy disk and then delete it from your system.

Once you have dealt with your system, you will need to look beyond it at things like floppy disks, backups and removable media. This way you can make sure that you won't accidentally re-infect your computer. Check all of the diskettes, zip disks, and CD-ROMs that may have been used on the system.

Finally, ask yourself who has used the computer in the last few weeks. If there are others, they may have inadvertently carried the infection to their computer, and be in need of help. Viruses can also infect other computers through files you may have shared with other people. Ask yourself if you have sent any files as email attachments, or copied any files from your machine to a server, web site or FTP site recently. If so, scan them to see if they are infected, and if they are, inform other people who may now have a copy of the infected file on their machine.

How can I avoid infection?

There is no way to guarantee that you will avoid infection. However,
the potential damage can be minimized by taking the following
precautions:

* make sure you have a clean boot disk - test with whatever (up-to-date!)
antivirus software you can get hold of and make sure it is (and stays)
write-protected. Boot from it and make a couple of copies.
* use reputable, up-to-date and properly-installed anti-virus
software regularly (see below). If you use a shareware package
for which payment and/or registration is required, do it. Not only
does it encourage the writer and make you feel virtuous, it means
you can legitimately ask for technical support in a crisis.
* do some reading (see below). If you're a home user, you may well
get an infection sooner or later. If you're a business user, it'll
be sooner. Either way you'll benefit from a little background.
If you're a business user you (or your enterprise) need a policy.
* don't rely *solely* on newsgroups to get you out of trouble:
it may be a while before you get a response (especially
from a moderated group like comp.virus), and the first response
you act upon may not offer the most appropriate advice for your
particular problem.
* if you use a shareware/freeware package, make sure you have hard
copy of the documentation *before* your system falls apart!
* always run a memory-resident scanner to monitor disk access and
executable files before they're run.
* if you run Windows, a reputable anti-virus package which includes
DOS *and* Windows components is likely to offer better protection
than a DOS only package. If you run Windows 95, you need a proper
Win95 32-bit package for full protection.
* make sure your home system is protected, as well as your work PC.
* check all new systems and all floppy disks when they're brought
in (from *any* source) with a good virus-scanning program.
* acquire software from reputable sources: 2nd-hand software is
frequently unchecked and sometimes infected. Bear in mind that
shrinkwrapped software isn't necessarily unused. In any case,
reputable firms have shipped viruses unknowingly.
* once formatted, keep floppies write-disabled except when you need
to write a file to them: then write-disable them again.
* make sure your data is backed up regularly and that the procedures
for restoring archived data *work* properly.
* scan pre-formatted diskettes before use.
* get to know all the components of the package you're using and
consider which bits to use and how best to use them. Different
packages have different strengths: diversifying and mixing and
matching can, if carefully and properly done, be a good antivirus
strategy, especially in a corporate environment.
* if a CMOS setting can prevent your PC from booting from a disk
left in drive A, use it (and re-enable floppy booting temporarily
when you need to clean-boot).

CMOS settings

Some CMOSes come with special anti-virus settings. These are normally
vague about what they do but typically they write-protect your hard
disk's boot sector and partition sector (MBR). This can be some use
against boot sector viruses but may false alarm when you upgrade your
operating system.

One sensible setting to make (if your CMOS allows) is to adjust the
boot sequence of your PC. Changing the default boot-up drive order
from A: C: to C: will mean that the PC will attempt to boot from drive
C: even if a floppy disk has been left in drive A:. This way boot
sector virus infection can often be avoided. Remember, however, to set
your CMOS back temporarily if you ever *do* want to boot clean from
floppy (for example, when running a cryptographical checksummer
after a cold boot).

How does antivirus software work?

* Scanner (conventional scanner, command-line scanner, on-demand
scanner) - a program that looks for known viruses by checking for
recognisable patterns ('scan strings', 'search strings',
'signatures').
* TSR scanner - a TSR (memory-resident program) that checks for
viruses while other programs are running. It may have some of
the characteristics of a monitor and/or behaviour blocker.
* VxD scanner - a scanner that works under Windows (or perhaps under
Win 95, or both), which checks for viruses continuously while
you work.
* Heuristic scanners - scanners that inspect executable files for
code using operations that might denote an unknown virus.
* Monitor/Behaviour Blocker - a TSR that monitors programs while
they are running for behaviour which might denote a virus.
* Change Detectors/Checksummers/Integrity Checkers - programs that
keep a database of the characteristics of all executable files on
a system and check for changes which might signify an attack by
an unknown virus.
* Cryptographic Checksummers - checksummers that use an encryption
algorithm to lessen the risk of being fooled by a virus which
targets that particular checksummer.
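As an added illustration of the last two entries (it is not code from the FAQ or from any product it names), the following constructed example is a minimal change detector whose database holds keyed HMAC-SHA256 checksums of executables: a virus that alters a file cannot recompute a matching entry without the key, which is the advantage the FAQ attributes to a cryptographic checksummer over a plain one. The file names, contents, key handling and the simulated infection are all constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Executable types a DOS/Windows checksummer would track (assumption for the demo).
EXEC_SUFFIXES = (".exe", ".com", ".sys", ".dll")


def keyed_checksum(data: bytes, key: bytes) -> str:
    """Cryptographic checksum: HMAC-SHA256 under a secret key.

    A virus aimed at a particular checksummer can recompute a plain CRC or
    unkeyed hash of the file it just infected and patch the database to match;
    without the key it cannot produce a valid HMAC for the altered file.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(root: str, key: bytes) -> dict:
    """Record the keyed checksum of every executable under root (the 'database')."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    baseline[os.path.relpath(path, root)] = keyed_checksum(f.read(), key)
    return baseline


def check_integrity(root: str, key: bytes, baseline: dict) -> dict:
    """Compare the current files with the baseline; report changed, new and missing executables."""
    current = build_baseline(root, key)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: clean baseline, then one executable grows (as a file
    infector would make it) and one unexpected executable appears."""
    key = os.urandom(32)  # in practice kept off the machine, e.g. on the write-protected boot floppy
    root = tempfile.mkdtemp()
    for name, body in {"COMMAND.COM": b"clean command interpreter",
                       "EDIT.EXE": b"MZ clean editor", "README.TXT": b"data file, not tracked"}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    baseline = build_baseline(root, key)
    with open(os.path.join(root, "EDIT.EXE"), "ab") as f:
        f.write(b"<appended bytes standing in for viral code>")  # simulated infection
    with open(os.path.join(root, "DROPPED.COM"), "wb") as f:
        f.write(b"unexpected new executable")
    return check_integrity(root, key, baseline)


if __name__ == "__main__":
    print(demo())  # {'changed': ['EDIT.EXE'], 'new': ['DROPPED.COM'], 'missing': []}
```

A real checksummer must be run from a clean boot, as the FAQ's CMOS advice notes, since a stealth virus already resident in memory can feed the checker the original file contents.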
