Definition
A virus is a computer
program that copies itself when an infected program is run. This means that along with
executable files, the code that controls your hard disk can be infected. The term computer
virus is analogous to a biological virus. A computer virus is a program that will copy its
code into one or more larger host programs when it is activated; when the infected
programs are run, the viral code is executed and the virus replicates.
The vast majority of computer viruses also carry a payload. This is the damage that they will do to your
system after some period of time, and can range from a message on your screen to wiping
your hard disk.
Effects
The damage caused by a
virus depends on what kind of virus it is. Viruses can damage other programs immediately,
or they may be triggered into action.
There are three distinct
stages of a virus' life: activation, replication & manipulation.
Activation - this is when
the computer catches the virus, usually from an infected floppy disk, and sometimes from
infected software from other sources.
Replication - the virus
tries to infect as many sources as it can during this stage. If it infects your hard disk,
it may well remain undetected for many months, infecting every floppy disk that you use.
Manipulation - this is when
the payload of the virus starts to take effect. The payload is often triggered by a
certain date (for example Friday 13th or April 1st) or a seemingly random event (for
example the 400th reboot, or 99% of Hard Disk full). The payload can alter individual
figures in files, or delete files.
Types of Virus
The thousands of computer viruses that can infect your workstations fall into several major categories: Executable
viruses; Boot-sector viruses; Partition-table viruses; Memory-resident viruses; and Macro
viruses.
Executable viruses
An executable virus infects
your files by attaching itself to your EXE and COM files when you launch them. The virus
finds information in the executable file's header, which indicates the length of the file
and other vital information. (The file header is located at the end of an EXE file and at
the beginning of a COM file.) Once attached, executable viruses corrupt the header, either
preventing the file from working or redirecting it to run another command.
Because these viruses
destroy the executable code of the infected program, you can easily identify them, delete
the infected code, and reinstall the necessary program files. Some executable viruses seek
out only EXE files, while others seek out only COM files.
For example: Vacsina; Troi; Yankee Doodle; White; Black Monday; Leprosy
Boot-sector viruses
Boot-sector viruses corrupt
the boot sector by overwriting the sector with bad information, thus preventing your
workstation from booting. These viruses usually activate when you read or write to an
infected disk. Some boot-sector viruses copy the boot-sector information to another part
of your hard disk and then overwrite the boot sector with their own bad code. When you
reboot your workstation, the system BIOS executes the virus code from the boot sector,
which in turn executes the boot-sector information it copied elsewhere on your drive. This
means that you may not even notice you have a boot-sector virus until it's too late.
For example: Liberty; AirCop; New Zealand; Spanish Trojan
Partition-table viruses
A partition-table virus
takes aim at your hard disk's partition table. These viruses can either move or destroy (or
delete altogether) your hard disk's partition-table information. They copy the
partition-table information to another location on your hard disk and then copy their bad
code into the area normally containing the partition table. After the workstation's BIOS
loads and executes the virus during the boot sequence, the virus executes the partition
information it saved elsewhere. A virus that infects only the partition table probably
won't spread from one computer to another. It spreads by infecting your boot sector and/or
the executable files on your hard disk.
For example: Hong Kong;
LastDirSect; NOINT; Michelangelo; Asuza; Stoned III
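An added example (not code from the original article) of how an integrity checker catches the overwrite that boot-sector and partition-table viruses perform: it parses a 512-byte master boot record, records a fingerprint of the sector while the machine is known clean, and reports a copy whose boot code has been replaced while the partition table is left intact. The sector bytes are constructed for the example and do not come from a real disk.

```python
"""Parse a master boot record and detect changes to it.

Added example for this page, not code from the original article. A
boot-sector or partition-table virus overwrites the first sector of the
disk; an integrity checker that fingerprinted that sector while the
machine was clean reports the change. The MBR bytes below are
constructed for the example and do not come from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries live here
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR


def build_sample_mbr() -> bytes:
    """Construct a minimal clean MBR: stub boot code plus one FAT16 partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # cli / xor ax,ax / mov ss,ax / mov sp,7c00h
    boot_code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x7f", 63, 1_000_000)
    empty_entries = b"\x00" * 16 * 3
    return boot_code + entry + empty_entries + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition list and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[start:start + 16])
        if ptype:                     # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:PARTITION_TABLE_OFFSET],
            "partitions": partitions,
            "signature_ok": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE}


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the sector, recorded once while the machine is known clean."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline: str) -> list:
    """Compare a freshly read sector with the recorded baseline; an empty list means no change."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if fingerprint(sector) != baseline:
        findings.append("MBR differs from recorded baseline")
    return findings


def tamper_boot_code(sector: bytes) -> bytes:
    """Constructed tampered copy for exercising the checker: the boot code is
    replaced by a harmless jump-to-self stub while the partition table and
    signature stay intact, which is the kind of overwrite the text describes."""
    stub = b"\xeb\xfe".ljust(PARTITION_TABLE_OFFSET, b"\x90")   # jmp $ then nop padding
    return stub + sector[PARTITION_TABLE_OFFSET:]


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = fingerprint(clean)
    print("clean sector:", check_mbr(clean, baseline) or "no findings")
    print("tampered sector:", check_mbr(tamper_boot_code(clean), baseline))
```

On a real machine the baseline would be stored off the disk being checked, since a virus that relocates the original sector could otherwise also overwrite the stored fingerprint.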
Memory-resident viruses
Memory-resident viruses
avoid detection by loading into different areas of your workstation's memory. The virus
waits there until you launch an application; then, it infects your workstation. A few
viruses place their memory-resident code in memory normally allocated for the command
processor, either in its stack space or in the command data region of your workstation's
memory. Because these viruses tamper with the command processor, they frequently cause
your workstation to crash.
Many such viruses simply
allocate memory through a DOS call and assume you won't notice the loss of a few kilobytes
of RAM. This keeps the viruses from being overwritten while in memory. A few viruses place
their code into unallocated memory. This approach doesn't decrease the amount of available
memory on your workstation, thereby making detection less likely. However, these viruses
are more vulnerable since another application can overwrite their code.
Some viruses intercept any
memory allocation calls to the 21h interrupt, thus preventing the operating system from
allocating the memory block in which the viruses store their information. Other viruses
do nothing about this problem, and your workstation crashes whenever it attempts to
overwrite these areas.
A large number of viruses
place themselves in the top portion of resident memory, just below the 640KB boundary.
Then, they redirect BIOS interrupt 21h, which reports the total amount of conventional
memory available in your workstation. This approach reduces the apparent amount of total
memory, preventing function calls from overwriting the virus.
Viruses may also
incorporate their code into the video-card buffers between 640KB and 768KB (A0000h and
C0000h). The amount of total memory won't change, but your workstation may crash.
Macro viruses
While most viruses infect
program files, a new breed of viruses, called macro viruses, can infect data files. Macro
viruses infect Microsoft Word documents in particular, but newer versions of macro viruses
can also infect Microsoft Excel spreadsheets. Because Microsoft controls most of the
application market, their programs have become favorite targets of virus makers.
For example (virus name and application): Alliance (Microsoft Word); Boom (Microsoft Word); Concept (Microsoft Word);
Goldfish (Microsoft Word); KillDLL (Microsoft Word); Laroux (Microsoft Excel); Sofa (Microsoft Excel)
Macro viruses take
advantage of an application's built-in programming language. Application vendors now
include powerful programming languages in their programs so users can perform complex
tasks, and the people who create macro viruses turn this feature against software owners.
Virus makers can hide a complex macro virus in any document or spreadsheet. When you load
the infected file, your application will then spread it to any other file you open.
Initially, macro viruses
wouldn't destroy data on your hard disk. However, newer strains are more deadly.
Can I Get A Virus From Surfing the Internet?
So you think the Internet
is cool...but you're worried about getting a computer virus while online! Well don't worry
too much, it's more rare than you think. You probably won't get a virus by just surfing
the Internet.
If you're reading this column you're probably using a World Wide Web (Internet) browser like Netscape, Explorer,
or Mosaic. The browsing mode of all World Wide Web browsers works the same way: you click
on interactive text links, called hypertext links, to go from computer to computer as
you surf for information that interests you.
What you may not have known
is that all the pictures and text you see on your screen have been downloaded, copied, to
your computer before you see them! They are usually stored in a folder called cache, with
numbers or names that World Wide Web browsers use to display requested information. Since
you are only downloading pictures, movies, sound, or text, it is highly unlikely that you
would actually download a virus program while surfing the Internet.
A virus program is a set of
unwanted instructions that may cause harm or just install itself into your computer
without warning. Most viruses, over 90%, are actually transferred by floppy disk, not by a
network like the Internet. In order for the script (instructions) of a virus to be
activated you'd have to run the program on your computer. Since you're just downloading
items to be displayed in a World Wide Web browser you're not actually running a program,
just opening a file. It is possible that opening a file can result in a viral infection,
as it is with macro viruses, but there aren't any viruses that work that way for World
Wide Web browsers, to date anyway.
However, web browsers do have
the ability to open other programs. For example, I use Netscape to view rough drafts of my
web pages to make sure they are formatted correctly. Microsoft Internet Explorer 3.0 was
recently found to have a serious security flaw. "The flaw could let malicious
Internet publishers delete files, copy passwords and software and send orders to transfer
money by manipulating files stored on another person's personal computer," said Paul
Greene, Brian Morin and Geoffrey Elliott, students at the Worcester Polytechnic Institute
in Massachusetts who discovered the bug.
That means that files can
be executed with the program. Even a plain text file, normally inactive, can be run as a
program. If the text of the file includes active viral instructions, a viral action will
result. However, this is unlikely and much more difficult than other types of virus
program authoring.
Can I Get A Virus From Email?
Electronic mail, commonly
called e-mail or email, is a way of sending text (letters) from one computer to another.
However, advancements in email have led to the sending and receiving of email attachments.
An attachment is also nothing more than text, but when decoded it can be a virus-infected
file or program. Let's take a look at some case examples to explain how you can get a
virus from email.
Case #1 - My email buddy
John sent me some email
telling me about his holiday weekend with his family. I sent email back to him. All of our
email letters are just text, our thoughts written while online.
Is there a chance that one
of the letters has a virus? NO!
Even if John sends you
the script for a virus the virus won't be run as a program unless the file is saved to the
hard drive and opened inside of a program, run in a shell program, or run under the flawed
Microsoft Internet Explorer 3.0 program. Bottom line, just sending text back and forth
will not give you a virus 99.99999999999% of the time (extremely unlikely if even
practically possible).
Case #2 - Dating Teenagers
You've probably all seen
the ad on TV where the teenage couple ends their date while Dad waits up at home. Then
they go home and send email back and forth to one another. The girl takes a picture of
herself and sends it as an email attachment to the boyfriend. The boyfriend finds a
picture of an Angel, modifies the picture sent to him to make her head appear on the body
of an Angel, and sends it back to her.
Is it likely that a virus
was transferred with the picture? NO!
A picture sent across the
Internet is usually in .gif or .jpg format. These are special compressed picture formats
that make colored images smaller for faster Internet transfers. Since the Internet browser
is displaying a picture inside of the browsing window the picture file is being opened.
However, the instructions are only for displaying dots on a screen within a browsing
window...nothing viral of the sort. More importantly, a picture doesn't have any command
associated with it as does a macro or wizard based PC file.
Case #3 - Spreadsheet Mania
A business executive is
running late for an important meeting. He decides to send email to his associate to have
him cover for him at the meeting until he can arrive. He attaches a spreadsheet to his
email to be used in the presentation. Is it possible that the spreadsheet file contains a
virus? YES!
In this case the associate
is actually downloading and opening a file sent to him, the spreadsheet. A spreadsheet is
designed to do things that pictures and sounds don't, like auto-calculate values, make use
of macro commands, etc. In this case the spreadsheet file should be checked with an
antivirus scanning software program prior to being opened. To lower the risk of infection
both partners should regularly scan their computers for viruses and should avoid sharing
floppies from other computers. *Macro viruses are a huge portion of the growing viral
community.
Case #4 - Software Downloads
Elizabeth really likes her
new shareware game so she decides to zip the file and send it to her friend Stacy. Stacy
reads her email message and clicks on the attachment link to decompress and save the new
game to her hard drive. She then opens the game and has fun playing it.
Is it possible that Stacy
will get a virus by playing the downloaded game? YES! In this case it's more likely than
you think. If Elizabeth really likes shareware games and shares software all the time it's
likely that she has been swapping disks with others too. Over 90% of all viruses are
passed by a floppy disk. If Elizabeth has an infected game file and sends it to Stacy,
Stacy may infect her hard drive when she runs the program. Stacy can avoid this problem by
scanning her new software and disks with antivirus software prior to running any program
or opening any new file.
You may run across email in
a newsgroup, or even personal mail sent to you, warning you of the dangerous Deeyenda, Pen
Pal, Good Times, or other "viruses." They are actually hoaxes. Most hoaxes are
official sounding, usually reference official sources, and are spread like wildfire
through the email community.
Since this was originally written, creators of email viruses have become a lot more sophisticated, and some viruses can be
transmitted by email, especially if you use the preview pane in older versions of Outlook
Express. The best solution is to update your version of Outlook Express. Or you can close
the preview pane. Then you can delete mail without opening it and you will only get a
virus from email if you fully open the message and/or its attachment. To close the preview
pane follow the instructions in the box below.
If you need antivirus
software to scan your email attachments and downloads check out my download recommendations page.
Can I Get A Virus By Downloading Software?
You're surfing the Internet
without fear of viruses until you click on a link and a little box comes up telling you
that you're downloading software. Can you get a virus from the software you're
downloading? What do you need to do to make sure you don't get a virus? These are
questions you've probably asked yourself if you've ever downloaded software.
The fact is that if you
download and run software on your machine you do run the risk of getting a virus. Any
program that you run on your computer has the potential to contain viral instructions. So,
should you download software and take the risk? Yes, but follow a few guidelines first.
When you're online only
download software from well established sites like http://oak.oakland.edu/. Sites like
these, universities, don't want viruses any more than you do. They scan all of their
software for viruses before making it available to you. Thus, any large, well established
site will have antivirus scanning in place for your protection.
After downloading software, scan it with a virus scanner
before actually running the program or opening the file. As long as
you don't run the program or open the file the viral instructions can't be executed. Most
antivirus software packages can detect viruses in a newly downloaded program, even if it
is zipped!
It's also a good idea to
have antivirus scanners running all the time. DOS 6.X has some great antivirus tools built
in for your protection. F-Prot also has a bundled scanner called VSHIELD that can help
protect against viruses as you work on your computer.
Also make sure you make
regular backups of any important work.
Remember that you are in
control. As long as you don't download from obscure sites and you have some antivirus
protection in place you don't have much to worry about. Besides, most viruses aren't
destructive and are easily detected by an updated antivirus program.
Can I Get A Virus From a JAVA Applet?
Modern web sites may
include JAVA applets. JAVA is a programming language used by web page developers to create
cool animations and little programs that run on your machine, called Applets. For example,
a stock broker might program a JAVA based applet to help you manage a stock portfolio.
On March 29, 1996, an
Online Business Consultant published an article titled "Deadly Black Widow on the
Web: Her Name is JAVA." This report identified a potential security issue in the new
JAVA language but somehow resulted in a rumor about a JAVA applet virus called "Black
Widow." There is NO SUCH VIRUS.
Sun Systems, creator of the
JAVA language, responded to this rumor by creating a page illustrating hostile applets
that are rude or malicious in design. The hostile attacks are referred to as "denial
of service attacks." They are designed to take up your computer processing or memory
resources, tricking you into thinking that a dangerous viral attack has been launched on
your computer. In other words, they prey upon your fear!
According to John Zukowski,
a JAVA expert who maintains the Mining Co. JAVA site, "... assuming a perfect
(bug-free) virtual machine, it's rather difficult (fairly impossible) to do anything
destructive. A few bugs have been found but were corrected rather quickly."
As you can see it's not
always clear what to believe. There's so much hype out there to prey off your fears that
things can get out of hand on the Internet from time to time. Symantec, a leader in
antivirus protection, even published a news release in 1996 indicating that
"...AntiVirus Research Center (SARC) has developed the first native-Java virus
scanner for Java applets sent over the Internet." I'd like to know how this is done
since there hasn't even been a true JAVA virus ever invented or proven possible!
A recent virus hoax warning
about the Deeyenda virus (no such virus) exacerbates the situation by stating that it is
"most likely to attack those users viewing Java enhanced Web Pages (Netscape 2.0+ and
Microsoft Internet Explorer 3.0+ which are running under Windows 95)." Unfortunately
new users of the Internet take the email hoax as true and forward it on to thousands of
other Internet users.
Bottom line - there are no
JAVA viruses. Is it possible that a JAVA based virus will be created in the future? Yes,
anything is possible. However, it is unlikely based on how the JAVA language is created
and how it works on networked computers. If an antivirus program does claim to protect you
against JAVA viruses don't believe them. The only thing they might be able to look for are
the "denial of service attacks," just a harmless annoying joke on the user
anyway.
Can I Get A Virus From a Cookie?
Cookies are a new feature
of the Internet that many users may have been using without even knowing it! A cookie is a
way of setting preferences on a client machine (yours) for use with a host machine at a
later time. Another name for cookies is "magic cookies."
For example, you may use
cookies to keep track of a stock portfolio with a page online. When you access the stock
broker page it accesses the cookie from your computer and displays the appropriate
information on your screen for the settings contained inside of the cookie.
To see if you're getting
cookies you can change your preferences--the settings--of your World Wide Web browser to
alert you if a cookie is requested. In Netscape 3.0 Gold select "Network
Preferences..." from the Options menu, click on the "Protocols" tab and
click on the checkbox for alerting you when you accept a cookie. Then surf the Internet -
You'll be amazed at how many sites are using cookies!
The cookie is a text file
saved in your browser's directory or folder and stored in RAM while your browser is
running. Most of the information in a cookie is pretty mundane stuff, but some Web sites
use cookies to store personal preferences. (MSN, and Netscape all have Personalization
processes that use cookies to store information). If you want to see what information is
stored in your cookie file, use a text editor or a word processor to open a file called
cookies.txt or magiccookie in your browser's folder or directory.
Cookies and Viruses
A normal text based cookie
cannot be of any danger to your computer or spread any viruses. Whether or not cookies can
be dangerous or spread viruses has to do with whether or not a file is
"executable," meaning if it's a program rather than data. UNIX files, for
instance, have some combination of the properties "readable,"
"writable" and "executable." The executable property is necessary to
enable a program in a file to do something. If a cookie is not stored in an executable
format for that platform, it cannot do something hostile.
Most cookies are not
executable. In general Cookies are stored as text files and cannot be dangerous or pass on
viruses. Even if a cookie is executable it cannot automatically spread on a virus unless
you execute it. But of course with the bugs in Internet Explorer 3.0, it will let a site
run an application.
In theory, if an executable
cookie was set with malicious contents, then IE3.0 could execute it, and it could affect
your computer with a virus, but the maximum contents of a cookie is only 4Kb so the
virus could not do a great deal. Please note this is only a theory and I have never seen a
cookie that was able to spread a virus. This would take a great deal of work, and this
theory is trivial compared to other loopholes in the net.
The general controversy is
not what cookies can do to your computer, but what information they can store, and what
they can pass on to servers.
In other words, cookies are
just simple ASCII text files that store personal information about you, your computer, or
your preferences for a given web page. There are NO known cookie viruses in the wild.
Where do viruses come from?
Global Access Networks and Email
Today one of the primary sources of viral infection is the Internet. Most cases of infection take
place while exchanging documents in Word/Office97 formats. An unsuspecting user whose editor software is
infected by a macro virus sends infected letters to addressees, who in
turn send new infected letters, and so on.
Email Conferences, File Servers, FTP and BBS
General access file servers and email conferences are also among the main sources of virus spreading. Virtually every
week there are reports that some user has infected his computer with a virus which had
been downloaded from a BBS system or FTP server, or emailed to some Usenet group.
Often enough, authors of viruses upload infected files to several BBS/FTP sites, or send them to several groups
simultaneously; often these files are camouflaged as new versions of some software
(sometimes as new versions of anti-virus software).
In the case of a mass virus outflow to BBS/FTP file servers, thousands of computers may become infected virtually
simultaneously, but in most cases the uploaded files carry DOS or Windows viruses, which in most
cases spread much more slowly than macro viruses do. For this reason
incidents like this virtually never lead to mass epidemics, which is not so for macro
viruses.
Local Access Networks
The third way of "fast infection" is via local access networks. If the necessary safety measures are not taken,
an infected workstation, after logging on to a network, infects one or several system
utility files on a network server (LOGIN.COM in the case of Novell NetWare).
The next day, when users log on to the network, they run the infected files from the server, and therefore the virus is granted
access to the users' workstations.
Instead of LOGIN.COM
utility there may be other software, residing on the server, such as standard document
templates or Excel spreadsheets used by company employees, etc.
Pirated Software
Illegal copies of software, as has always been the case, are one of the main "danger zones". Often pirated software
on diskettes and even on CDs contains files infected with all kinds of viruses.
General Access Personal Computers
Computer systems installed in educational institutions also present a danger. If one of the students
infects such an installation with a virus brought in on a diskette, then all the other
students using this computer will also get the parasite on their diskettes.
The same goes for home computers too, if more than one person uses them. Situations often arise where a son
or a daughter, being a student and working on a multi-user computer in college or school,
acquires a virus there and takes it to the home computer, from which it gets into the
computer network of Dad's or Mom's company.
Repair Services
Cases like this are rare but still possible: a computer can be infected while being repaired. Repair personnel are
also human and are prone to neglecting the basic rules of computer security. Having once
forgotten to write-protect one of his floppies, such a person will pretty soon spread
viruses to his clients' computers, and will most likely lose those clients.
How to protect your computer against viruses
To adequately protect your computer against viruses it's essential that you follow the five guidelines below.
- Use updated antivirus software on your computer at all times.
- Back up all important work often! Be sure to back up work to a floppy or external disk (e.g. ZIP or MO) - any disk on
the computer may be corrupted by a virus if it strikes on your computer.
- Stay informed about computer viruses and antivirus software.
- Make up an emergency startup (boot) disk. For many Windows users it's as easy as going to the Add/Remove control
panel and clicking on the "Startup Disk" tab to make a startup disk. Lock the
disk when you're done and see if you can boot your computer up from your new startup disk.
Put the disk in a safe place in case of emergency.
- Use a second package for a second opinion. Sometimes one package detects a virus that another does not. A second
opinion from time to time is just good common sense - especially since it's free if you
use a demonstration or trialware package.
Detecting &amp; Removing Viruses
So, how do you KNOW if you
really have a virus? A lot of times your computer may bomb because of a low memory
environment (time to get more RAM), conflicts with other software programs, or just
because. It's sometimes difficult to figure out what causes malfunction, but experts can
help you configure your computer to run more stably. As far as viruses go, the best bet is
to use professional software to detect viruses. If you use two or more programs and they
don't detect a virus it's probably not a virus.
What happens if it's a new
virus, will it still be detected? Well actually, most packages include heuristic methods
to detect changes in the size of a file, common 'virus like' signatures, and other cool
stuff. So, new and previously unknown viruses can be detected in many cases.
Because an average of 5-8
new PC viruses come out every day it's important that you use updated software. Most
software packages update their software every 6 months or so, and update signature
file/databases every week or so. If you're connected to the Internet you can often
download updated signature files and databases, used to store information about known
viruses, for free or almost free. Symantec, makers of Norton's Antivirus, provides free
signature file upgrades.
Also, make sure you use
software that can detect both system and macro viruses. Most leaders in the field have
combined both in their software, but other packages may only scan for regular system
viruses OR just macro viruses. You need protection from both types of viruses, so check
your documentation.
Antivirus Software
Which software package to
use is a common question. The answer is - use at least one, preferably two! There are some
differences between them, like file size, ability to scan zipped files and email, the
update process, cost, etc. But for the most part, they all do a great job if installed
correctly and updated often.
Testing Software To Make Sure It Works
Whatever you do, don't find
a site with actual viruses and download them to see if your software detects them! A group
out of Europe has developed an EICAR Test File. After installing this test file on your
drive, run your software to see if it detects it. If it doesn't, it's time to reinstall the
software or get updates/new software.
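As an added example (not part of the original article and not EICAR's own code), the following Python builds the EICAR test string in memory and checks data for it under EICAR's published matching rule: the 68-byte string must be at the very start of the file, followed by at most 60 bytes of whitespace. The sample inputs are constructed in memory and nothing is written to disk.

```python
"""Build the EICAR test string and check data for it the way a scanner does.

Added example for this page; not code from the original article or from
EICAR. The string is the published EICAR test string; the match rule
follows EICAR's requirement that the 68-byte string is the first thing in
the file and is followed by at most 60 bytes of whitespace. Nothing here
is written to disk; the samples are constructed in memory.
"""
import hashlib

# The 68-byte test string, split across two literals so this source file
# does not itself begin with the string.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
MAX_TRAILING_WHITESPACE = 60
WHITESPACE = b" \t\r\n"

# Published digests of the 68-byte file; a signature database stores
# exactly this kind of value for a known sample.
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def is_eicar_test_file(data: bytes) -> bool:
    """True if data is a valid EICAR test file under the published rule."""
    if not data.startswith(EICAR):
        return False
    trailing = data[len(EICAR):]
    return (len(trailing) <= MAX_TRAILING_WHITESPACE
            and all(b in WHITESPACE for b in trailing))


def matches_signature(data: bytes) -> bool:
    """Hash-based match: compare the SHA-256 of the first 68 bytes with the signature."""
    return hashlib.sha256(data[:len(EICAR)]).hexdigest() == EICAR_SHA256


def scan(samples: dict) -> dict:
    """Classify each named sample the way a scanner would report it."""
    return {name: ("EICAR test file" if is_eicar_test_file(data) else "clean")
            for name, data in samples.items()}


def constructed_samples() -> dict:
    """In-memory test inputs constructed for this example."""
    return {
        "exact": EICAR,
        "with_newline": EICAR + b"\r\n",
        "embedded": b"hello " + EICAR,          # not at file start: no match
        "corrupted": EICAR[:-1] + b"#",         # one byte changed: no match
        "padded_too_much": EICAR + b" " * 61,   # over 60 bytes of whitespace
    }


def reference_hashes_ok() -> bool:
    """Confirm the local string against the published digests."""
    return (hashlib.md5(EICAR).hexdigest() == EICAR_MD5
            and hashlib.sha256(EICAR).hexdigest() == EICAR_SHA256)


if __name__ == "__main__":
    print("reference hashes match:", reference_hashes_ok())
    for name, verdict in scan(constructed_samples()).items():
        print(f"{name:16} {verdict}")
```

If a scanner reports the "embedded" or "corrupted" sample, it is matching loosely rather than following the EICAR rule; if it misses "exact", its signatures or installation need attention.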
Preventative Measures
There are some important
preventative measures that you should take to protect yourself from any sort of data
failure, infection, or problem. The first is called "choke-hold," and the
second is Boot Camp. If you ever get a virus, you'll be glad you participated in virus
choke-hold and Boot Camp. *Note, Windows 95/98 users can make a startup disk using the
Add/Remove control panel.
Updating virus definitions/signatures
According to IBM
researchers, computer hackers create new viruses at the rate of about three per day--over
a thousand new viruses per year. So, a virus scanner that's two or three years old won't
detect and eradicate the newer computer viruses cropping up every day. That's why it's
extremely important that you regularly update your antivirus package's virus definition
file or virus signature file.
Remember:
- A virus can not appear on
your computer all by itself. You have to get it by sharing infected files or diskettes, or
by downloading infected files from the Internet.
- A write-protected diskette
can not become infected with a virus.
- You can not get a virus by
reading the body of an email message, although one could be carried in an attachment (e.g.,
a Word or Excel file). These attachments should be scanned before you read them.
How Do I Get Anti-Virus Software?
You should install
anti-virus software on your desktop computer to protect it from viruses. McAfee's
VirusScan (4.03) and Norton Antivirus are recommended for the Windows environment
and the latest version of Virex (5.9.1) for the Macintosh. You can buy them from the
distributors in your area.
You also can download
anti-virus software directly from the Web.
Anti-virus programs are the
most effective means of fighting viruses. But I would like to point out at once that there
are no anti-viruses guaranteeing 100 percent protection from viruses. Any declarations
about their existence may be considered to be either an advertising trick or a sign of
incompetence.
It is also necessary to pay attention to some terms used when discussing anti-virus programs:
False Positive - when an
uninfected object (file, sector or system memory) triggers the anti-virus program. The
opposite term - False Negative - means that an infected object came undetected.
On-demand Scanning - virus
scan starts on user request. In this mode the anti-virus program remains inactive until the
user invokes it from the command line, a batch file or the system scheduler.
On-the-fly Scanning - all
the objects which are processed in any way (opened, closed, created, read from or written
to etc.) are being constantly checked for viruses. In this mode the anti-virus program is
always active, it is memory resident and checks objects without user request.
Which Anti-Virus Program is Better?
Which anti-virus program is the best? The answer is - any program, if no viruses live in your computer and you use
only reliable, virus-free software sources and no others. However, if you like using new
software or games, are an active email user, or use Word or exchange Excel spreadsheets,
then you still should use some kind of anti-virus. Which one exactly - you
should decide that for yourself, but there are several points on which different
anti-viruses can be compared with each other.
The quality of anti-virus programs is determined, to my mind, by the following points, from more to less important:
- Reliability and convenience of work: absence of anti-virus "hangs" and other technical problems that require special technical knowledge from the user.
- Quality of detection of all major kinds of viruses, including scanning inside document files and spreadsheets (Microsoft Word, Excel, Office97) and inside packed and archived files; absence of false positives; ability to cure infected objects. For scanners (see below) this also means the availability of timely updates, that is, how quickly the scanner is tuned to new viruses.
- Availability of versions of the anti-virus for all the popular platforms (DOS, Windows 3.xx, Windows95, WindowsNT, Novell NetWare, OS/2, Alpha, Linux etc.), with not only on-demand but also on-the-fly scanning, and availability of server versions with network administration facilities.
- Speed of work and other useful features, functions, bells and whistles.
Reliability of anti-virus programs is the most important criterion, because even the "absolute anti-virus" becomes useless if it cannot finish the scanning process and hangs, leaving part of the disks and files unchecked and thereby leaving the virus in the system undetected. The anti-virus may also be useless if it demands special knowledge from the user: most users are likely to simply ignore the anti-virus messages and press [OK] or [Cancel] at random, depending on which button is closer to the mouse cursor at the time. And if the anti-virus asks an ordinary user complicated questions too often, the user will most likely stop running it and may even delete it from the disk.
Virus detection quality is the next item, for quite an obvious reason: anti-virus programs are called anti-virus because their main purpose is to detect and remove viruses. Any highly sophisticated anti-virus is useless if it is unable to catch viruses, or catches them poorly. For example, if an anti-virus cannot detect a certain polymorphic virus with 100% success, then after the system has been infected with this particular virus the anti-virus detects only part (say 99%) of all the infected files in the system. As little as 1% of infected files will remain undetected; but when this virus has spread through the system again, the anti-virus misses 1% for the second time, and this time it is 1% of the 99% left from the last time, i.e. 1.99%. And so on, until all the files become infected with the anti-virus perfectly happy about it.
Therefore detection quality is the second most important criterion of anti-virus quality, more important than multi-platform availability, various convenient features and so on. However, if an anti-virus with high detection quality causes lots of false positives, its usefulness drops significantly, because the user has to either delete uninfected files or analyze suspicious files all by himself, or gets used to these frequent false alarms and in the end misses the real virus warning.
Multi-platform availability is the next item on the list, because for each OS only a program native to that OS can make extensive use of that OS's features. Non-native anti-viruses are often less useful and sometimes even destructive. For example, suppose the "OneHalf" virus has infected a Windows95 or WindowsNT system. If you use a DOS anti-virus to decrypt the disk (this virus encrypts disk sectors), the results may be disappointing: the information on the disk will be damaged beyond repair, because Windows95/NT will not allow the anti-virus to use direct sector reads/writes while decrypting sectors, whereas a native Windows95 or NT anti-virus fulfills this task flawlessly.
On-the-fly checking capability is also a rather important feature of an anti-virus. An immediate forced virus check of all incoming files and diskettes gives a virtually 100% guarantee of a virus-free system, if, of course, the anti-virus is able to detect the viruses in question. Anti-viruses capable of continuously guarding the health of a file server (for Novell NetWare and Windows NT, and, since the massive invasion of macro viruses, also for email servers, that is, scanning all incoming mail) are very useful. If a file server version of an anti-virus contains network administration features, its value increases even more.
The next important criterion is speed. If a full system check takes several hours to complete, most users are unlikely to run it frequently. Nor does the slowness of an anti-virus imply that it catches more viruses, or catches them better, than its faster counterpart. Different anti-viruses use different virus scanning algorithms, some faster and of higher quality, others slower and of lower quality. Everything here depends on the abilities and competence of the developers of a particular anti-virus.
Various additional options come last in the list of anti-virus quality criteria, because very often these options have no effect on overall usefulness. However, such additional options make the user's life much easier and may encourage him to run the anti-virus more often.
Types of anti-viruses
The most popular and effective anti-virus programs are anti-virus scanners. They are followed in effectiveness and popularity by CRC scanners (also known as checksummers or integrity checkers). Often both of these methods are united in one versatile anti-virus program, making it much more powerful. Various behavior blockers and immunizers are also used in some cases.
Scanners
Anti-virus scanners operate by checking files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. To search for known viruses, so-called "masks" are used. A virus mask is a constant sequence of code specific to that virus. If a virus contains no constant mask, or the mask is too short, other methods are used. One example is an algorithmic language describing all possible code sequences that may be met in files infected with that virus. Some anti-viruses use this approach to detect polymorphic viruses.
"Heuristic scanning" - that is, analysis of the sequence of instructions in the code being checked, accumulation of some statistics, and a decision ("possibly infected" or "not infected") for each object checked - is also used in many scanners. Because heuristic scanning is in many respects a probabilistic method of virus search, it obeys many laws of probability theory. For example, the higher the percentage of detected viruses, the larger the number of false positives.
Scanners may also be divided into two categories, "general" and "specialized". General scanners are designed to find and disarm all kinds of viruses, irrespective of the type of OS for which the scanner was designed. Specialized scanners are designed to disarm a limited number of viruses or only one class of viruses, for example macro viruses. Specialized scanners designed only for macro viruses are often the most convenient and reliable solution for protecting the document flow in office systems based on MS Word and MS Excel.
Scanners are also divided into resident scanners, which work on-the-fly, and non-resident scanners, which check the system only on request. As a rule, resident scanners provide better system protection because of their immediate reaction to the appearance of a virus, whereas non-resident scanners can only detect viruses when they are run.
Scanners of all types share common advantages, such as versatility, and common disadvantages, such as the need for huge virus databases and the relative slowness of the virus search.
CRC scanners
CRC scanners operate by calculating CRC sums (checksums) for the files and system sectors actually on disk. These CRC sums are then saved to the anti-virus's database together with some other data, such as file sizes and dates of last modification. On subsequent runs, CRC scanners compare the database information with the currently calculated values. If the database entry for a file differs from the file's current characteristics, the CRC scanner reports a file modification or possible virus infection.
CRC scanners using anti-Stealth algorithms are a rather powerful weapon against viruses: virtually 100% of viruses are detected soon after their infiltration into the computer. But this kind of anti-virus has one innate drawback that significantly lowers its effectiveness. CRC scanners cannot catch a virus at the moment of its infiltration, but only after some time, when the virus has already spread over the computer. CRC scanners cannot detect viruses in newly arrived files (in email, on diskettes, in restored backup files or in uncompressed archives), because their database has no entries for these files. Moreover, viruses periodically emerge that take advantage of exactly this "weakness" of CRC scanners, infecting only newly created files and therefore remaining invisible to them.
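The following Python script is an added example, not code from this page or from any anti-virus product, showing how a CRC scanner works and where its blind spot lies. It baselines a directory of executables (using SHA-256 rather than a CRC, since a plain CRC can be recomputed to match; the comparison logic is otherwise the same), re-checks the directory later, and reports modified, missing and, separately, new files, which the database cannot verify at all. The tracked extensions, file names and directory contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# One baseline record per file: (size, mtime, SHA-256 hex digest).
Record = Tuple[int, int, str]
EXEC_EXTS = (".com", ".exe", ".sys", ".ovl")   # what a DOS-era checker would track


def fingerprint(path: str) -> Record:
    """Size, modification time and a SHA-256 digest of the file contents."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return st.st_size, int(st.st_mtime), h.hexdigest()


def build_baseline(root: str, exts=EXEC_EXTS) -> Dict[str, Record]:
    """Record every tracked file under root, keyed by its path relative to root."""
    db: Dict[str, Record] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def check(root: str, baseline: Dict[str, Record], exts=EXEC_EXTS) -> Dict[str, List[str]]:
    """Compare the live tree with the baseline. 'new' files cannot be verified at all:
    the database has no record for them, which is the blind spot described above."""
    current = build_baseline(root, exts)
    report: Dict[str, List[str]] = {"modified": [], "new": [], "missing": [], "unchanged": []}
    for rel, rec in current.items():
        if rel not in baseline:
            report["new"].append(rel)
        elif rec != baseline[rel]:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp directory: baseline three files, then grow one
    executable (as an appending file virus would), delete one, and add a brand-new one."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "GAME.EXE": b"MZ" + bytes(100),
            "EDIT.COM": b"\xb8\x00\x4c\xcd\x21",
            "README.TXT": b"notes",                 # not an executable: never tracked
        }
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:
            f.write(b"\x90" * 64)                   # 64 bytes appended: size and digest change
        os.remove(os.path.join(root, "EDIT.COM"))
        with open(os.path.join(root, "NEW.COM"), "wb") as f:
            f.write(b"\xc3")                        # arrived after the baseline: unverifiable
        return check(root, baseline)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:10s} {names}")
```

The "new" list is the point of the example: a checker can only say that it has never seen these files, so they must go through a scanner (or be baselined after a scan) before the database is extended to cover them.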
Behavior Blockers
Anti-virus behavior blockers are memory-resident programs that intercept potentially virus-related activity and warn the user about it. Such activity may be detected during write calls to executable files, boot sector or MBR writes, attempts by programs to go TSR, etc., that is, during operations characteristic of viruses in their attempts to spread.
Blockers have the advantage of being able to spot and block a virus at the earliest stage of infection, which is often useful in situations where a well-known virus repeatedly emerges out of nowhere. Known ways of overriding a blocker's protection and lots of false alarms are the disadvantages of blockers, which apparently explain their complete failure among users.
Hardware anti-virus blockers are also a notable line of anti-virus means. The most common of them is the protection against MBR writes built into the BIOS. However, as with software blockers, such protection is easily overridden by direct writes to the controller ports, whereas a single run of the DOS utility FDISK immediately causes a false positive reaction from the protection.
There are some more versatile types of blockers, but in addition to the disadvantages mentioned above they also have compatibility problems with the standard hardware configuration of computers, and are difficult to set up and configure. All this makes hardware blockers extremely unpopular compared to other means of anti-virus protection.
Immunizers
Immunizers are divided into two types: those that warn about an infection, and those that block certain viruses' attempts to infiltrate the system. Immunizers of the first kind usually append themselves to the end of files (as file viruses do) and at each launch of the file check it for changes. They have only one, but lethal, drawback: their complete inability to spot a Stealth virus infection. For this reason such immunizers, like blockers, are now virtually unused.
The second type of immunization protects the system from being infected with a virus of a certain kind. Disk files are modified in such a way that the virus considers them already infected (for example, the notorious "MsDos" string protects from the ancient "Jerusalem" virus). For protection against resident viruses a small TSR program is placed in the computer's memory; the virus stumbles onto it and considers the system already infected.
Immunization of this kind cannot be versatile, because it is impossible to immunize files against all known viruses: some viruses consider a file infected if its modification time contains "62" in the "seconds" field, others if it contains "60". Despite that, such immunizers may quite reliably protect a computer from a new, unknown virus until the moment it becomes detectable by anti-virus scanners.
Tips on Usage of Anti-Virus Programs
Always make sure you have the latest version of the antiviral software available. If software updates are available, check them for "freshness". New versions of anti-viruses are usually announced, so it is sufficient to visit the corresponding WWW/ftp/BBS sites.
An anti-virus's "nationality" in most cases does not matter, because at present the emigration of viruses to other countries and the immigration of antiviral software are limited only by the speed of the Internet, so both viruses and anti-viruses know no borders.
If a virus has been found on your computer, it is imperative not to panic (to those who "meet" viruses daily a remark like this may seem funny). Panicking never does any good; thoughtless actions may have bitter consequences.
If the virus is found in some newly arrived file(s) and has not infiltrated the system yet, there is no reason to worry: just delete the file (or remove the virus with your favorite antiviral program) and carry on working. If you have found the virus in several files at once or in the boot sector, the problem becomes more serious, but it can still be resolved: anti-virus developers are not idle.
Once more you should pay attention to the term "false positive". If some SINGLE file that has been "living" in your computer system for a long time is reported as infected by a single anti-virus, this is most likely a false positive. If this file has run several times but the virus still has not crawled into other files, then this is extremely strange. Try checking this file with some other anti-viruses. If they all stay silent, send the file to the research lab of the company that developed the anti-virus that was triggered by it.
However, if a virus really has been found in your computer, you should do the following:
In case of detection of a file virus, if the computer is connected to a network, you should disconnect it from the network and inform the system administrator. If the virus has not yet infiltrated the network, this will protect the server and other workstations from virus attack. If the virus has already infected the server, your disconnection from the network will not stop it from infiltrating your computer again after its treatment. Reconnection to the network must be done only after all the servers and workstations have been cured.
If a boot virus has been found, you need not disconnect your computer from the network: viruses of this kind do not spread over it (except file-boot viruses, of course).
If the computer is infected with a macro virus, then instead of disconnecting from the network it is enough to make sure that the corresponding editor (Word/Excel) is inactive on every computer.
If a file or boot virus has been detected, you should make sure that either the virus is non-resident or its resident part has been disarmed: when started, some (but not all) anti-viruses automatically disable resident viruses in memory. Removal of the virus from memory is necessary to stop its spreading. When scanning files, anti-viruses open them; many resident viruses intercept this event and infect the files being opened. As a result, most of the files may become infected because the virus has not been removed from memory. The same thing may happen in the case of boot viruses: all the diskettes being checked may become infected.
If the anti-virus you use does not remove viruses from memory, you should reboot the computer from a known uninfected and write-protected system diskette. You should do a "cold" boot (by pressing Reset or powering off and on), because several viruses "survive" a "warm" boot. Some viruses employ techniques that allow them to survive even a "cold" boot (see the "Ugly" virus for example), so you should also check the "boot sequence A:, C:" item in the machine's BIOS to ensure DOS boots from the system diskette and not from the infected hard drive.
Besides resident/non-resident capabilities, it is useful to acquaint yourself with other features of the virus: the types of files it infects, its effects, etc. The only known source of such information, containing data of this kind on virtually all known viruses, is "The AVP Virus Encyclopedia".
With the help of the antiviral program you should restore the infected files and then check them for functionality. Before treating them, or at the same time, you should back up the infected files and print/save the anti-virus log somewhere. This is necessary for restoring the files in case the treatment proves unsuccessful, due to an error in the treating module of the anti-virus or to the inability of this anti-virus to cure this kind of virus. In that case you will have to resort to the services of some other anti-virus.
It is much more reliable, of course, simply to restore the backed-up files (if available), but you will still need to resort to an anti-virus: what if not all copies of the virus have been destroyed, or some backed-up files are infected too?
It is worth mentioning that the quality of file restoration by many antiviral programs leaves much to be desired. Many popular anti-viruses often irreversibly damage files instead of curing them. Therefore, if loss of files is undesirable, you should carry out all the previous recommendations completely.
In case of a boot virus it is necessary to check all diskettes, whether they are bootable (i.e. contain DOS files) or not. Even a completely blank diskette may become a source of viral infection: it is enough to forget it in the drive and reboot (if, of course, diskette boot is enabled in the BIOS).
Besides the items mentioned above, you should pay special attention to the cleanness of modules compressed with utilities like LZEXE, PKLITE or DIET, of files inside archives (ZIP, ARC, ICE, ARJ, etc.) and of self-extracting files (created by the likes of ZIP2EXE). If you accidentally pack a virus-infected file, it will be virtually impossible to detect and remove the virus from it without unpacking. In this case a typical situation arises in which all the antiviral programs, unable to scan inside archives, report that all disks are virus-free, but after some time the virus re-emerges.
Colonies of a virus may infiltrate backup copies of software, too. Moreover, archives and backup copies are the main source of long-known viruses. A virus may "sit" in a distribution copy of some software for ages and then suddenly appear after the software is installed on a new computer.
Nobody can guarantee the removal of all copies of a computer virus, because a file virus may attack not only executables but also overlay modules that do not have COM or EXE extensions. A boot virus may remain on some diskette and appear suddenly after an attempt to boot from it. Therefore it is sensible to use some resident anti-virus scanner continuously for some time after virus removal (not to mention that it is better to use a scanner at all times).
What If My Computer Gets a Virus?
Not all damage to your
programs and files is caused by viruses: worn out floppies, failing hard drives, user
error, and poorly written programs can all cause you to lose data. If your computer is
behaving strangely, or if you think your computer has a virus, use an anti-virus program
to find out.
If your computer is
infected with a virus, DON'T PANIC! Use an anti-virus program to remove the virus
yourself, or turn your computer off and find someone who knows how to remove the virus.
If a virus is active in
memory, it may prevent anti-virus programs from working correctly. To be sure no virus is
active, turn off your computer and reboot from a known-clean system diskette before you
begin the disinfection process.
Eliminate all copies of the
virus as quickly as possible. Check all your diskettes, and warn anyone else who may have
infected files or disks.
Remember, most viruses can
be removed without permanent damage to your system, and most virus infections can be
prevented. With proper care, your computer can remain virus-free.
Detection of an Unknown Virus
In this chapter we discuss the situations a user faces when he suspects that his computer is infected, but none of the anti-viruses known to him tests positive. How and where to look for the virus? What tools are needed, what methods should be used and what rules should be followed?
The very first rule is: don't panic. Panic never does any good. You are neither the first nor the last person on Earth whose computer became infected. Besides, not every computer malfunction is attributable to a virus. You should remind yourself of the three C's more often: "cool, calm and collected". And a viral infection is not the worst thing that could happen to a computer.
If you are not sure of yourself, ask a system programmer for help; he will locate the virus and help to remove it (if it really is a virus), or he might help to find the reason for the "strange" behavior of the computer.
You should not call anti-virus companies and ask, "I think I have a virus in my computer. What should I do?" They will not be able to help you, because to remove a virus they need somewhat more information. For an anti-virus company to be of real help, you should send them a sample of the virus: an infected file in the case of a file virus, or an infected diskette (or its image) in the case of a boot virus. How to detect infected files and disks is described below.
Don't forget to boot the computer from a backup copy of DOS on a virus-free, write-protected diskette before running any kind of antiviral software, and run subsequent programs only from diskettes. This is necessary to protect the system from a resident virus, because it may block program execution or use their execution to infect the files/disks being checked. Moreover, there are many viruses that destroy data on disks if they "suspect" that their code has been uncovered. This condition, of course, does not apply to macro viruses and to disks partitioned in one of the new formats (NTFS, HPFS): after DOS boots up, such a disk becomes inaccessible to DOS programs.
Detection of a Boot Virus
As a rule, the boot sectors of disks carry small programs whose purpose is to determine the borders and sizes of logical disks (for the MBR of hard drives) or to boot the operating system (for the boot sector).
To begin with, you should read the contents of the sector suspected of harboring a virus. DISKEDIT from Norton Utilities or AVPUTIL from AVP Pro are best suited for that.
Some boot viruses may be detected virtually immediately by the presence of various text strings (for example, the "Stoned" virus contains the strings "Your PC is now Stoned!" and "LEGALISE MARIJUANA!"). Some boot viruses infecting hard disks may be found in the opposite way, by the absence of strings that must be in the boot sector. Such strings are system file names (for example, "IO SYSMSDOS SYS") and error message strings. Absence of or change in the header string of the boot sector (the string containing the DOS version number or software vendor name, e.g. "MSDOS5.0" or "MSWIN4.0") may also be a signal of viral infection, but only if the computer has no Windows95/NT installed: these systems, for reasons unknown to me, record a random text string in the diskette's boot sector header.
The standard MS-DOS loader located in the MBR occupies less than half a sector, and many viruses infecting the MBR of a hard drive are easily spotted by the increase in the size of the code in the MBR sector.
But there are also viruses that infiltrate the loader without changing its text strings and with minimal changes to the loader code. To detect such a virus, in most cases it is sufficient to format a diskette on a 100% uninfected computer, save its boot sector as a file, use this diskette for some time on the infected computer (read/write several files) and afterwards compare its current boot sector with the original one on an uninfected computer. If the boot code has undergone changes, the virus is caught.
There are also viruses using a more complicated infection technique, for example changing as few as 3 bytes of the disk partition table, those corresponding to the address of the active boot sector. To identify such a virus it is necessary to explore the boot sector code in greater detail, up to a complete analysis of its algorithm.
These arguments are based on the fact that standard loaders (programs saved by the operating system in boot sectors) employ standard algorithms for loading the operating system and are implemented in accordance with that system's standards. However, if disks have been formatted with utilities other than the standard DOS ones (for example, Disk Manager), then to detect a virus in them one should analyze the operating algorithm and implementation of the loaders created by that utility.
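As an added example (written for this page, not a tool from AVP or Norton Utilities), the Python below performs the boot sector checks just described on 512-byte sector images: it verifies the 55AA signature and the OEM header string, reports the absence of the system-file names, checks that MBR loader code stays under half a sector, decodes the partition table, and byte-compares a saved sector with the current one, labelling each changed byte by the region it falls in, so that a 3-byte change in the active entry's address stands out. The sample sectors are constructed in code, not real dumps; the system-file string is embedded in the space-padded 8.3 layout DOS uses for it (`IO      SYSMSDOS   SYS`), which is an assumption about the on-disk form of the string quoted in the text.

```python
import struct
from typing import Dict, List, Tuple

SECTOR = 512
PT_OFFSET = 0x1BE    # partition table: four 16-byte entries
SIG_OFFSET = 0x1FE   # boot signature 55 AA

# The system-file names a DOS floppy boot sector carries, in padded 8.3 form (assumed).
EXPECTED_STRINGS = [b"IO      SYSMSDOS   SYS"]


def parse_partition_table(mbr: bytes) -> List[Dict[str, object]]:
    """Decode the four partition entries; CHS fields use the packed BIOS layout."""
    entries = []
    for i in range(4):
        (status, h1, s1, c1, ptype, h2, s2, c2,
         lba, count) = struct.unpack_from("<BBBBBBBBII", mbr, PT_OFFSET + 16 * i)
        entries.append({
            "active": status == 0x80,
            "type": ptype,
            # cylinder = low byte | top two bits of the sector byte; tuple is (cyl, head, sector)
            "chs_start": (c1 | ((s1 & 0xC0) << 2), h1, s1 & 0x3F),
            "chs_end": (c2 | ((s2 & 0xC0) << 2), h2, s2 & 0x3F),
            "lba_start": lba,
            "sectors": count,
        })
    return entries


def region(offset: int) -> str:
    """Name the part of the sector an offset falls in."""
    if offset >= SIG_OFFSET:
        return "signature"
    if offset >= PT_OFFSET:
        return "partition table"
    return "loader code/data"


def diff_sectors(baseline: bytes, current: bytes) -> List[Tuple[int, int, int, str]]:
    """Byte-by-byte comparison of a saved sector with the live one: (offset, old, new, region)."""
    return [(i, a, b, region(i)) for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


def inspect_boot_sector(sector: bytes) -> Dict[str, object]:
    """Signature, OEM header string and presence of the expected system-file names."""
    return {
        "signature_ok": sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa",
        "oem": sector[3:11].decode("ascii", "replace"),
        "missing_strings": [s.decode() for s in EXPECTED_STRINGS if s not in sector],
    }


def mbr_code_oversized(mbr: bytes) -> bool:
    """The standard MS-DOS MBR loader is under half a sector; more code is suspicious."""
    return len(mbr[:PT_OFFSET].rstrip(b"\x00")) > SECTOR // 2


# --- constructed sample sectors for the demo (not real dumps) ---------------------

def make_floppy_sector(oem: bytes, with_strings: bool) -> bytes:
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x3c\x90"                        # JMP over the BPB
    s[3:11] = oem.ljust(8)[:8]                      # OEM header string
    s[0x3E:0x3E + 64] = bytes(range(0x40, 0x80))    # stand-in loader code
    if with_strings:
        s[0x180:0x180 + 22] = EXPECTED_STRINGS[0]
    s[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(s)


def make_mbr(chs_start=(1, 1, 0)) -> bytes:
    """One active FAT16 entry; chs_start is the packed (head, sector, cyl_low) bytes."""
    m = bytearray(SECTOR)
    m[0:218] = bytes(range(218))                    # stand-in loader, under half a sector
    h, sct, cyl = chs_start
    struct.pack_into("<BBBBBBBBII", m, PT_OFFSET,
                     0x80, h, sct, cyl, 0x06, 15, 63, 0x3F, 63, 100000)
    m[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(m)


def demo() -> Dict[str, object]:
    clean_mbr = make_mbr()
    tampered_mbr = make_mbr(chs_start=(5, 7, 9))    # the "3 bytes" now point elsewhere
    return {
        "clean_floppy": inspect_boot_sector(make_floppy_sector(b"MSDOS5.0", True)),
        "odd_floppy": inspect_boot_sector(make_floppy_sector(b"+FU$D*1N", False)),
        "mbr_code_oversized": mbr_code_oversized(clean_mbr),
        "mbr_diff": diff_sectors(clean_mbr, tampered_mbr),
        "active_before": parse_partition_table(clean_mbr)[0]["chs_start"],
        "active_after": parse_partition_table(tampered_mbr)[0]["chs_start"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine the two inputs to diff_sectors would be the sector file saved on the clean computer and a fresh read of the same sector, exactly the procedure the text describes; the region label tells you at a glance whether the loader code, the partition table or the signature moved.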
Detection of a File Virus
As already mentioned, viruses are divided into resident and non-resident. The resident viruses found so far stand out for their much greater craftiness and sophistication compared with non-resident ones. Therefore we shall discuss the simplest case for starters: an attack by an unknown non-resident virus. Such a virus activates itself on the start of any infected program, does all it has to do, passes control to the host program and afterwards (unlike resident viruses) does not interfere with its work. To detect such a virus it is necessary to compare file sizes on disks and in backup copies (the reminder about the importance of keeping such copies has already become commonplace). If this does not help, you should do a byte-by-byte comparison of the distribution copies with the working copies you use. At present there are many such programs; the simplest of them (the COMP utility) can be found in DOS.
One may also examine a hex dump of the executables. In some cases it is possible to detect viral presence immediately by some text strings residing in its code. For example, many viruses contain the strings ".COM", "*.COM", ".EXE", "*.EXE", "*.*", "MZ", "COMMAND" etc. These strings may often be found at the top or end of infected files.
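This added Python example (not code from the page or from any scanner product) serves both the mask search of the Scanners section and the hex-dump strings above: masks are written as hex with `??` wildcards, compiled to byte regexes, and every hit is reported with its offset and whether it lies at the head, tail or middle of the file, since the text notes that such strings cluster at the top or end of infected files. The two masks and the sample images are constructed for the demo and are not signatures of any real virus.

```python
import re
from typing import List, Tuple

# Byte masks in "hex with ?? wildcards" form. Both are constructed for this demo
# and are NOT signatures of any real virus.
MASKS = {
    "demo-mask-A": "E8 ?? ?? 5D 81 ED",   # call / pop bp / sub bp,imm16 (constructed)
    "demo-mask-B": "B4 4E CD 21 72 ??",   # mov ah,4Eh / int 21h / jc (constructed)
}

# Strings from the text above; "MZ" is only a symptom when it is not the EXE header.
SUSPECT_PATTERNS = [rb"\*?\.COM", rb"\*?\.EXE", rb"\*\.\*", rb"COMMAND", rb"MZ"]

Hit = Tuple[str, int, str]   # (what, offset, region)


def mask_to_regex(mask: str) -> re.Pattern:
    """Turn 'E8 ?? ?? 5D' into a bytes regex where ?? matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in mask.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def region_of(offset: int, size: int, edge: int = 256) -> str:
    """Head and tail are the first and last `edge` bytes of the object."""
    if offset < edge:
        return "head"
    if offset >= max(size - edge, edge):
        return "tail"
    return "middle"


def scan(data: bytes) -> List[Hit]:
    """Report every mask and suspect-string hit, sorted by offset."""
    hits: List[Hit] = []
    for name, mask in MASKS.items():
        for m in mask_to_regex(mask).finditer(data):
            hits.append(("mask:" + name, m.start(), region_of(m.start(), len(data))))
    for pat in SUSPECT_PATTERNS:
        for m in re.finditer(pat, data):
            if pat == rb"MZ" and m.start() == 0:
                continue   # the EXE header itself, not a symptom
            hits.append(("string:" + m.group().decode(), m.start(),
                         region_of(m.start(), len(data))))
    return sorted(hits, key=lambda h: h[1])


def demo_clean_image() -> bytes:
    """Constructed EXE-like body: header followed by filler that contains no pattern."""
    return b"MZ" + bytes(range(256)) * 3


def demo_infected_image() -> bytes:
    """Constructed sample: the clean body with an appended tail carrying the kind of
    code and strings the text describes. Not a real file."""
    tail = (b"\xe8\x00\x00\x5d\x81\xed\x03\x01"      # matches demo-mask-A
            + b"*.COM\x00*.EXE\x00COMMAND\x00")
    return demo_clean_image() + tail


if __name__ == "__main__":
    for what, offset, where in scan(demo_infected_image()):
        print(f"{offset:6d}  {where:6s}  {what}")
```

A production scanner keeps the mask table outside the code and adds the unpacking and archive handling the text discusses later; the matching core, wildcard masks over raw bytes plus a location report, is what this block shows.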
There is yet one more method of visual detection of a virus in a DOS file. It is based on the fact that executables whose source code was in a high-level programming language have a quite definite internal structure. In the case of Borland or Microsoft C/C++ programs, the code segment is at the very beginning of the file, immediately followed by the data segment, which begins with a copyright notice containing the name of the compiler vendor. If the data segment in the dump is followed by one more code segment, then it may very well be that the file is infected with a virus.
The same is true for most viruses whose target is Windows and OS/2 files. In these OSes executables have the following standard order of segments: code segment(s) followed by data segments. If a data segment is followed by one more code segment, it may be a signal of the presence of a virus.
If a user is familiar with assembly language, he may try to figure out the code of suspicious programs. For a quick look the following utilities are most suitable: HIEW (Hacker's View) or AVPUTIL. For more detailed analysis one will require disassembly software such as Sourcer or IDA.
It is recommended to run one of the resident antiviral behavior blockers and follow its messages about "suspicious" actions of programs (writes to COM or EXE files, writes to absolute disk addresses etc.). There are blockers that not only intercept such actions but also display messages about the originating addresses of such calls (AVPTSR is one such blocker). Having discovered such a message, one should find out what program caused it and analyze its code with the help of a resident disassembler (for example, AVPUTIL.COM). Tracing the interrupts INT 13h and 21h is often a great help in the analysis of TSR programs.
One must note that resident DOS blockers are often powerless when working in a DOS window under Windows95/NT, because Windows95/NT allows viruses to work bypassing the blocker (and all the other TSR programs with it). DOS blockers are also unable to stop the spreading of Windows viruses.
The above methods of detecting file and boot viruses are suitable for most resident and non-resident viruses. But these methods fail if a virus is Stealth by design, which renders useless the majority of modern resident blockers, file comparison and sector read utilities.
Detection of a Macro Virus
Characteristic signs of macro viruses are:
- Word: inability to convert an infected Word document to another format.
- Word: infected files have the Template format, because when infecting, Word viruses convert files from Word Document format to Template format.
- Word 6 only: inability to save a document to another directory or disk with the Save As command.
- Excel/Word: "alien" files are present in the STARTUP directory.
- Excel versions 5 and 7: workbooks contain redundant and hidden Sheets.
To check the system for viral presence you may use the Tools/Macro menu item. If "alien" macros have been found, they may belong to a virus. But this method fails in the case of Stealth viruses, which disable this menu item; that in itself is sufficient to consider the system infected.
Many viruses contain errors or work incorrectly in various versions of Word/Excel, resulting in Word/Excel error messages, for example:
WordBasic Err = Error number
If such a message appears while editing a new document or table, and you definitely do not run any user macros, then this may also serve as a sign of system infection.
Changes in the Word, Excel and Windows system configuration files are also a signal of possible infection. Many viruses change menu items under Tools/Options one way or another, enabling or disabling the following functions: "Prompt To Save Normal Template", "Allow Fast Save", "Virus Protection". Some viruses set file passwords after infecting them. A lot of viruses create new sections and/or options in the Windows configuration file (WIN.INI).
Of course, such obvious facts as messages or dialogs appearing with strange contents, or in a language different from the default for this installation, are also signs of a virus.
Detection of a TSR Virus
If traces of virus activity have been found in the computer but no visible changes in files or system sectors of disks can be found, then it is quite possible that the computer is infected by one of the Stealth viruses. In this case it is necessary to boot DOS from a verified virus-free diskette with a backup copy of DOS, and do the same as in the case of a non-resident viral infection. But sometimes this is undesirable, and in a few cases impossible (for example, there are known cases of purchase of new computers that have already been virus-infected). Then you will have to detect and neutralize the resident part of the virus, implemented with the use of Stealth technology. One might ask: where in memory, and how, to look for the virus or its resident part? There are several ways of infecting memory:
DOS viruses
A virus may infiltrate the interrupt vector table
The best way to detect such a virus is to look through the memory distribution map, which reflects the list of resident programs (for an example of such a map see table 3.1). A detailed memory map contains information about all the blocks into which memory is divided: the Memory Control Block (MCB) address, the name of the block's owner program, the address of the owner's Program Segment Prefix (PSP) and the list of interrupt vectors intercepted by this block.
If a virus is present in the interrupt vector table, memory map display utilities (for example, AVPTSR.COM, AVPUTIL.COM) show some "noise".
Another method, more reliable but requiring a more qualified user, is to scan the interrupt vector table with the help of a disassembler. If the code of some program is found there, consider the virus code (or a code fragment) discovered.
Viruses may build
themselves into DOS in several ways: infiltrate a random system driver, system buffer,
other working areas of DOS (for example, system stack area or free space in DOS or BIOS
tables).
The most "popular" method of infecting a system driver is attaching the virus body to the driver file and modifying the driver's header. If in addition the virus forms a separate driver for itself, it may be discovered by looking at the memory map that lists the system drivers: if there is a driver in this list that is absent from CONFIG.SYS, that particular driver may be a virus. But if the virus "sticks itself" to a driver in front of it, without forming a separate driver from its own code, it has to be detected with the methods described below.
A virus that builds itself into a system buffer must lower the overall number of buffers; otherwise it will be overwritten by subsequent disk reads. It is not hard to write a program that calculates the actual number of buffers in the system and compares it with the value of the BUFFERS command in the CONFIG.SYS file (if CONFIG.SYS contains no BUFFERS command, the comparison is made with the default DOS value for BUFFERS).
There are quite a few ways of incorporating a virus into the system tables or the DOS stack area. However, implementing them requires extensive knowledge of various DOS versions on the part of the virus author. Besides that, there is not much free space in DOS, so a full-fledged Stealth virus of this kind is unlikely. If such a virus nevertheless appears, its code may be discovered by disassembling the "suspicious" DOS code fragments.
A virus may infiltrate the program area as:
- a separate resident program or a separate Memory Control Block (MCB);
- an internal part of some resident program, or by "sticking itself" to one.
If a virus incorporates itself into the application memory area as a new block, creating its own MCB, or as a separate resident program, it may be discovered by looking at a detailed memory distribution map showing the addresses of all MCBs. Usually such a virus looks like a separate memory block (table 3.3) with no name that intercepts one or several interrupt vectors (for example, INT 8h, 13h, 1Ch, 21h). Note that the virus can reserve a block for itself in both conventional and upper memory (UMB).
A virus may reach outside of memory reserved for DOS
Virtually all boot viruses and some file viruses reside outside the memory area reserved for DOS, reducing the value of the WORD at 0040:0013.
Such viruses are very easy to detect: finding out the RAM size and comparing it with the actual size will do. If instead of 640 KB (on some old PCs, 512 KB) the system reports a lower value, you should examine the "cut off" memory with the help of a disassembler. If program code is found in this memory, then most probably the virus has been found.
Warning: the RAM size may also shrink by 1 KB or so as a result of extended memory usage or because of the operation of some types of controllers. A typical picture in this case is that the "cut off" memory area is mostly filled with zeros.
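As an added example (not part of the original text, and not code from the AVP utilities it mentions), the following Python script does on a constructed DOS low-memory image what a memory map utility does on a live machine: it walks the MCB chain, flags nameless allocated blocks that one of the watched interrupt vectors points into, and reads the BIOS memory-size word at 0040:0013 discussed above. The memory image, segment addresses and vector values are constructed for the demonstration, not taken from a real computer.

```python
import struct

WATCHED_VECTORS = (0x08, 0x13, 0x1C, 0x21)     # vectors the text says viruses commonly hook
MEMORY_SIZE_ADDR = 0x0040 * 16 + 0x0013        # linear address of the WORD at 0040:0013

def parse_mcb(mem, seg):
    """Decode the 16-byte Memory Control Block at segment `seg`."""
    off = seg * 16
    kind, owner, size = struct.unpack_from("<BHH", mem, off)   # 'M'/'Z', owner PSP, paragraphs
    name = mem[off + 8:off + 16].split(b"\0", 1)[0].rstrip(b" ")  # DOS 4+ owner name
    return {"seg": seg, "type": chr(kind), "owner": owner, "size": size,
            "name": name.decode("ascii", "replace")}

def walk_mcb_chain(mem, first_seg):
    """Follow the MCB chain from the first block to the final 'Z' block."""
    chain, seg = [], first_seg
    while True:
        mcb = parse_mcb(mem, seg)
        if mcb["type"] not in ("M", "Z"):
            raise ValueError("corrupt MCB chain at segment %04X" % seg)
        chain.append(mcb)
        if mcb["type"] == "Z":
            return chain
        seg += 1 + mcb["size"]          # next MCB follows this block's data area

def read_vectors(mem, numbers):
    """{int_no: (offset, segment)} for the requested interrupt vectors."""
    return {n: struct.unpack_from("<HH", mem, n * 4) for n in numbers}

def suspicious_blocks(chain, vectors):
    """Allocated, nameless blocks that a watched interrupt vector points into."""
    found = []
    for mcb in chain:
        lo, hi = mcb["seg"] + 1, mcb["seg"] + 1 + mcb["size"]
        hooked = [n for n, (_, seg) in vectors.items() if lo <= seg < hi]
        if mcb["owner"] not in (0, 8) and not mcb["name"] and hooked:   # 0 = free, 8 = DOS
            found.append((mcb["seg"], hooked))
    return found

def reported_memory_kb(mem):
    """Conventional memory size in KB as recorded by the BIOS at 0040:0013."""
    return struct.unpack_from("<H", mem, MEMORY_SIZE_ADDR)[0]

def build_sample_memory():
    """Constructed low-memory image (not a real dump): DOS data block, COMMAND.COM,
    a nameless self-owned resident block hooking INT 21h, then free memory."""
    mem = bytearray(0x10000)
    struct.pack_into("<H", mem, MEMORY_SIZE_ADDR, 638)        # 2 KB "cut off" at the top
    for seg, kind, owner, size, name in [                      # seg, type, owner PSP, paragraphs
            (0x0253, b"M", 0x0008, 0x0100, b"SD"), (0x0354, b"M", 0x0355, 0x0080, b"COMMAND"),
            (0x03D5, b"M", 0x03D6, 0x0040, b""), (0x0416, b"Z", 0x0000, 0x0200, b"")]:
        struct.pack_into("<cHH", mem, seg * 16, kind, owner, size)
        mem[seg * 16 + 8:seg * 16 + 16] = name.ljust(8, b"\0")
    for n, off, seg in [(0x08, 0xFEA5, 0xF000), (0x13, 0xEC59, 0xF000),   # BIOS-owned vectors
                        (0x1C, 0xFF53, 0xF000), (0x21, 0x0010, 0x03D6)]:  # INT 21h hooked
        struct.pack_into("<HH", mem, n * 4, off, seg)
    return bytes(mem)
```

On the constructed image the walk reports the unnamed block at segment 03D5h as the owner of the INT 21h handler and a memory size of 638 KB instead of 640; on a real machine the final step is still to disassemble what sits in that block or in the cut-off area.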
A virus may build itself into separate known TSR programs or "stick itself" to already existing memory blocks
A virus may infect resident DOS files (for example, IO.SYS, MSDOS.SYS, COMMAND.COM), installable drivers (ANSI.SYS, COUNTRY.SYS, RAMDRIVE.SYS), etc. Such a virus is more difficult to detect because of its low speed of spreading; however, the probability of an attack by such a virus is also much lower. Lately there has been an influx of "wicked" viruses that correct MCB headers or "cheat" DOS in such a way that the virus code block appears as one with the preceding memory block.
In this case it is much more difficult to detect the virus: it is necessary to know the real size of the programs placed in memory and the list of interrupt vectors they intercept. But this method is not very convenient and does not always work properly. Therefore it is recommended to use another method, which may make virus detection easier in such a situation. It is based on the following property: the vast majority of viruses intercept interrupts 13h or 21h, incorporating themselves into the interrupt handler in order to look for uninfected files or disk sectors. In this case, to detect the virus it is enough to look through the text (assembly language code) of these interrupt handler routines (for example, with the help of AVPUTIL.COM). However, to tell a virus from a conventional program one should have enough experience of working with viruses and some idea of the structure of an uninfected interrupt handler. One should also be careful: there are several viruses which "hang" the system when an attempt is made to trace their code.
There are known viruses that do not use interrupts to infect files or disks but work with DOS resources directly instead. When looking for such a virus it is necessary to thoroughly examine changes in the internal structure of the infected DOS: the driver list, file allocation tables, DOS stacks, etc. This is a very painstaking job, and keeping in mind the great number of existing DOS versions, it requires the highest qualification from the user.
There are, of course, other, more exotic ways of infecting memory, such as infiltration into video memory, the High Memory Area (HMA) or extended/expanded memory (XMS, EMS), but viruses using these ways are rare enough and so far have always had at least one of the features listed above. There are also monsters using i386 and higher protected mode. Luckily such viruses either do not coexist with modern OS and are therefore too visible, or do not use Stealth technology. But it is quite possible that a full-fledged DOS Stealth virus working in protected mode will appear some time. Such a virus will be invisible to DOS applications, and it will be possible to detect it only by moving the infected files to an uninfected computer, or after rebooting DOS from a clean diskette.
Windows Viruses
Detection of a resident Windows virus is an extremely difficult task. A virus present in the Windows environment as an application or as a VxD driver is virtually invisible among the several dozen other active applications and VxDs, which do not differ from the virus in their external appearance. To detect the virus program in the list of active applications or VxDs, it is imperative to have extensive knowledge of the "internals" of Windows and complete information about the applications and drivers installed on this particular computer.
Therefore the only suitable way of catching a resident Windows virus is to boot up DOS and check the Windows executable files with the help of the methods described above.
Recovery of Affected Objects
In most cases of viral infection, the recovery of infected files and disks means running a suitable anti-virus capable of disinfecting the system. However, if the virus is not known to any anti-virus, it is enough to send the infected file to the anti-virus developer companies and in some time (usually several days or weeks) receive the updates that cure this virus. But if time presses, you will have to disinfect the virus yourself.
Recovery of Word documents and Excel spreadsheets
To disinfect Word and Excel it is enough to save all the necessary information in a non-document and non-spreadsheet format. The RTF text format is most suitable for this purpose: it contains virtually all the information from the original documents but does not contain macros. Then you should exit Word/Excel, delete all the infected Word documents and Excel spreadsheets, Word's NORMAL.DOT file and all the documents/spreadsheets in the start-up directories of Word/Excel. After that you should run Word/Excel and recover the documents/spreadsheets from the RTF files.
As a result of this procedure the virus will be deleted from the system, and all the information will remain virtually unchanged. But this method has several disadvantages. The main one is that converting documents and spreadsheets to RTF format and back might be very time-consuming for a large number of files. Besides that, in the case of Excel it is necessary to convert each sheet in each Excel file separately. Another drawback is the loss of all non-virus macros used in work. Therefore, before beginning the described procedure one should save their source text, and after disarming the virus restore the necessary macros in their original form.
Boot Sector Recovery
Boot sector recovery is in most cases rather simple and can be done with the help of the DOS SYS command (for boot sectors of diskettes and logical disks of hard drives) or with the help of the FDISK /MBR command (for the Master Boot Record of hard drives). Of course one might use the FORMAT command, but in virtually all cases SYS will do.
One should keep in mind that sector recovery must be done only when the virus is absent from RAM. If the RAM copy of the virus has not been disarmed, then it is quite possible that the virus will re-infect the diskette or hard drive after the removal of the viral code (even if you use the FORMAT utility).
You should also be very careful when using FDISK /MBR. This command completely rewrites the code of the system loader routine and does not change the Disk Partition Table. FDISK /MBR is a 100 percent successful cure for most boot viruses; however, if the virus encrypts the Disk Partition Table or uses nonstandard methods of infection, FDISK /MBR may result in the complete loss of information on the disk. Therefore, before running FDISK /MBR make sure that the Disk Partition Table is intact. To do so, boot DOS from an uninfected diskette and check the validity of this Table (the most suitable program for this purpose is Norton Disk Editor).
But if sector recovery with the help of SYS/FDISK is impossible, you usually have to figure out the operating algorithm of the virus, find the original boot/MBR sector on the disk and move it back to its proper place (Norton Disk Editor or AVPUTIL suit this best). While doing that you should constantly keep in mind that rewriting system loaders requires extra care, because an incorrect adjustment of the MBR or boot sector may result in the total loss of all the information on the disk(s).
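As an added example (not code from the original page, nor from Norton Disk Editor or AVPUTIL), this Python check performs the kind of partition table validation recommended above before FDISK /MBR is run: signature present, sane boot indicators, non-empty extents, at most one active entry and no overlapping partitions. The sample MBR, its partition layout and the garbling routine that imitates an encrypted table are constructed for the demonstration.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55          # bytes 55 AA at offset 510, read little-endian
PART_TABLE_OFFSET = 446         # four 16-byte entries end at offset 510

def parse_partition_table(mbr):
    """Return the four partition entries as dicts (CHS fields are not validated here)."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        boot, _chs1, ptype, _chs2, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"boot": boot, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries

def check_partition_table(mbr):
    """Sanity-check a Disk Partition Table before the loader code around it is rewritten.
    Returns a list of problems; an empty list means the table looks intact."""
    problems = []
    if struct.unpack_from("<H", mbr, 510)[0] != MBR_SIGNATURE:
        problems.append("missing 55AA signature")
    entries = parse_partition_table(mbr)
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    for i, e in enumerate(entries):
        if e["boot"] not in (0x00, 0x80):
            problems.append("entry %d: bad boot indicator %02X" % (i, e["boot"]))
        if e["type"] == 0 and (e["lba_start"] or e["sectors"]):
            problems.append("entry %d: empty type but non-zero extent" % i)
        if e["type"] != 0 and (e["lba_start"] == 0 or e["sectors"] == 0):
            problems.append("entry %d: zero start or length" % i)
    if sum(1 for e in entries if e["boot"] == 0x80) > 1:
        problems.append("more than one active partition")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (_s1, end1), (start2, _e2) in zip(spans, spans[1:]):
        if start2 < end1:
            problems.append("overlapping partitions at LBA %d" % start2)
    return problems

def build_sample_mbr(garble_table=False):
    """Constructed MBR: placeholder loader bytes, two FAT16 partitions (first one active),
    and the signature. With garble_table=True the table is overwritten with pseudo-random
    bytes, imitating a boot virus that encrypts the Disk Partition Table."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\xEB\xFE"            # stand-in for loader code (jmp $), not real boot code
    parts = [(0x80, 0x06, 63, 204737), (0x00, 0x06, 204800, 204800)]
    for i, (boot, ptype, start, count) in enumerate(parts):
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFFSET + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    if garble_table:
        mbr[PART_TABLE_OFFSET:510] = bytes((i * 37 + 11) & 0xFF for i in range(64))
    return bytes(mbr)
```

A non-empty problem list is the signal to stop and locate the original sector rather than let FDISK /MBR write a fresh loader around a table it cannot repair.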
File Recovery
In the vast majority of cases the recovery of infected files is quite complicated. This procedure cannot be carried out by hand without the necessary knowledge: executable file formats, assembly language, etc. Besides that, usually several dozen or hundreds of files become infected at once, and to disarm them it is necessary to create an anti-virus program of your own (or you may also use the features of the anti-virus database editor from the AVP package versions 2.x).
When curing files you should observe the following rules:
- it is necessary to test and cure all the executable files (COM, EXE, SYS, overlays) in all the directories of all disks irrespective of file attributes (that is, read-only, system and hidden);
- it is desirable to keep the file attributes and the date of last modification unchanged;
- the possibility of multiple infections of one file must be taken into account (a virus "sandwich").
The treatment of the file itself is in most cases carried out by one of several standard methods, depending on the virus' replication algorithm. In most cases file header recovery and size adjustment do the job.
RAM deactivation
The RAM deactivation procedure, like the treatment of infected files, requires some knowledge of the OS and expertise in assembly language.
When treating RAM it is necessary to detect where the virus resides and change it in such a way that the virus cannot prevent the anti-virus program from working further, that is, to "disable" the infection and Stealth routines. To do this a complete analysis of the virus code is required, because the infection and Stealth routines may be situated in different areas of the virus, duplicate each other and take control under different circumstances.
In most cases, to deactivate memory it is enough to "cut off" those interrupts that are intercepted by the virus: INT 21h in the case of file viruses and INT 13h in the case of boot viruses (of course there are viruses intercepting other interrupts or several interrupts at once).
The Main Rules for protecting your system(s)
Rule No. 1
Be very careful with programs and documents in Word/Excel formats received through global access networks. Before executing files or opening a document/spreadsheet/database be sure to check them for viruses.
Use customized anti-virus programs to check all files coming in via E-mail and the Internet on the fly.
Rule No. 2 - local access network protection
To lower the risk of infecting files on the server, network administrators have to make extensive use of standard network security features: user access restrictions, setting "read-only" or even "execute only" attributes for all executables (unfortunately this may not always be possible), etc.
Use customized anti-virus programs that check the files in use on the fly. If for some reason this is impossible, run conventional anti-virus programs on the server disks regularly.
The risk of infecting a computer network becomes considerably lower if diskless workstations are used.
It is a good idea to test new software thoroughly on a stand-alone trial computer (preferably not connected to the network) before deployment in the networked infrastructure.
Rule No. 3
It is better to buy software distribution packages from official vendors than to copy them for free or almost for free from other sources or to buy pirated copies (not to mention that software piracy is illegal). This way the risk of infection is considerably lower, although there are known cases of shrink-wrapped commercial software packages which were virus-infected.
As a consequence of this rule follows the necessity of keeping distribution copies of software (including copies of the operating system), preferably on write-protected media.
Also use only well-established sources (official sites of the manufacturers) for obtaining software over public access networks such as the Internet. Although this is not always helpful (for example, for a long time the Microsoft WWW server carried a document infected with the "Wazzu" macro virus).
Rule No. 4
Try not to run unchecked files, including those received via a computer network. Use only programs received from reliable sources. Before running the programs be sure to check them with one or several anti-virus programs.
Even if none of the anti-virus programs were triggered by a suspicious file downloaded from a BBS or newsgroup, don't rush to run it. Wait for a week: it is possible that this file is infected with some new unknown virus, in which case somebody else might "step into it" before you and report it.
It is also desirable to have some kind of resident anti-virus monitor when working with new software. If the executed program is infected by a virus, such a monitor will be able to detect the virus and prevent it from spreading.
All this leads to the necessity of limiting the number of persons using a particular computer. Multi-user personal computers are generally more prone to infection.
Rule No. 5
Use validation and data integrity checking utilities. Such utilities keep special databases of the disks' system areas (or keep the entire system areas in databases) and of file information (check sums, sizes, attributes, last modification dates, etc.). You should periodically compare such database information with the actual hard drive contents, because any inconsistency might be a signal of the presence of a Trojan horse or a virus.
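An added example of such an integrity database, written in Python here and not part of the original page: it records size, permission bits, modification date and a SHA-256 checksum for every executable-type file under a directory, saves the database as JSON, and reports each inconsistency by field. The directory layout, file names and extension list in demo() are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile

def fingerprint(path):
    """Record for one file: size, mode bits, mtime and a SHA-256 of the contents."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime), "sha256": h.hexdigest()}

def build_baseline(root, extensions=(".com", ".exe", ".sys", ".ovl")):
    """Walk `root` and fingerprint every executable-type file, whatever its attributes."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, root):
    """{relpath: [changed fields]} plus ['added'] / ['removed'] for new or missing files."""
    current = build_baseline(root)
    report = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            report[rel] = ["removed"]
        elif rel not in baseline:
            report[rel] = ["added"]
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                report[rel] = changed
    return report

def demo():
    """Constructed scenario: baseline a directory, then overwrite one file in place while
    keeping its size and restoring its modification time, and compare again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "DOS"))
        for rel, body in [("COMMAND.COM", b"A" * 1024), (os.path.join("DOS", "ANSI.SYS"), b"B" * 512)]:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        db = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), db)
        target = os.path.join(root, "COMMAND.COM")
        st = os.stat(target)
        with open(target, "r+b") as f:
            f.write(b"XX")                              # same length, different content
        os.utime(target, (st.st_atime, st.st_mtime))   # put the old timestamp back
        return compare(load_baseline(db), root)
```

Because the demo keeps the size and date of the modified file intact, only the checksum field reports the change, which is why a database that stores check sums catches what a size-and-date comparison alone would miss.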
Rule No. 6
Back up your working files periodically. The expense of backing up all your source code files, database files, document files, etc. is much lower than the expense of restoring these files in case of a virus attack or a computer malfunction.
If you have a streamer or other mass storage device, then it makes sense to back up the entire contents of the hard drive.
Other rules
- If there is no need to boot the system from a floppy drive every day, set the boot order in the BIOS Setup to "C:,A:". This will protect your computer from catching boot viruses from infected diskettes forgotten in the floppy drive.
- Do not rely on the built-in BIOS virus protection; many viruses bypass it with the help of various techniques.
- The same goes for the anti-virus protection built into Word and Office97. This protection can also be disabled by viruses or by the user (because it may be a nuisance).
The Problem of Macro Virus Protection
Since the macro virus problem nowadays exceeds all other virus-related problems, it is worth a more detailed explanation.
There are several techniques and a number of built-in Word and Office97 functions aimed at preventing the execution of a virus. The most efficient of them is the virus protection built into Word and Excel (starting from version 7.0a). When a file containing any macro is opened, this protection reports its presence and offers to disable the macro. As a result the macro is not only disabled but also cannot be seen by means of Word/Excel.
Such protection is rather reliable, but absolutely useless if the user works with macros of any kind: it does not distinguish between virus macros and non-virus macros and displays the warning message before opening virtually any file. For this reason the protection gets disabled in most cases, which gives viruses the opportunity to infiltrate the system. Besides that, activating the virus protection in an already infected system does not always help: some viruses, once in control, disable the virus protection feature on each execution and therefore block it completely.
There are other virus countermeasures, for example the DisableAutoMacros function; however, it does not prohibit the execution of other macros and blocks only those viruses which use one of the auto macros for their propagation.
Executing Word with the /M option (or with the Shift key pressed) disables only the AutoExec macro and therefore cannot be a reliable virus protection feature.
Tips From the Real World
- To avoid viruses completely, use a typewriter.
- The critical step: Keep virus signatures up to date.
- Be aware of hoaxes.
- Don't underestimate "old-fashioned" viruses that have been around for years. They are common and destructive.
- Don't download live viruses from the Internet to experiment with them.
- Be conscious of new viruses, and understand their methods of spreading.
- Don't accept disks from friends. Even well-meaning people can pass along contaminated files.
- Don't download Internet files, especially from newsgroups. If you must do so, take your chances with large commercial sites, which are more likely to check files for viruses before posting them.
- Don't open executable files attached to e-mail. Just delete the messages.
- Be wary of e-mail attachments. If you're unfamiliar with the sender, don't execute them at all.
- If you download executable files from the Internet, Usenet newsgroups, or FTP sites, scan them in a safe area before executing.
- Keep your corporate policies up-to-date. Educate employees about virus dangers.
- Update your antivirus utility's signatures frequently--at least once a month.
- Use common sense. You don't have to be careless because other people are.
- If you don't know the sender of an e-mail attachment, don't open it. Delete it right away.
- Immediately after you perform a full-system virus scan, make a full backup.
- Always scan a floppy disk as soon as you put it in the drive. If you find a virus, tell the person who gave you the disk.
- Be especially cautious about downloading files from newsgroups.