
 

Virus Facts, Hoaxes And Myths

by Happy Puter

 



This virus stuff is so confusing!   Just what is a computer virus anyway?


A computer virus is a program....a block of executable code....which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user.  Most puter viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files, sometimes insidiously, over a long period of time.....or attempt to destroy files and hard disks.  Others cause unintended damage.  Even benign viruses....apparently non-destructive viruses....cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.

Trojan Horse  -  a program intended to perform some covert and usually malicious act which the victim did not expect or want.  A Trojan Horse differs from a destructive virus in that it doesn't reproduce, though this distinction is by no means universally accepted.

Dropper  -  a program which installs a virus or Trojan, often covertly.

Worm  -  a program which usually spreads over network connections.  Unlike a virus, it does not attach itself to a host program.  In practice, worms are not normally associated with personal computer systems.

 

How does a computer virus work?

A file virus attaches itself to a file, usually an executable application such as a word processing program or a DOS program....but see the section below on the subject of companion viruses.   In general, file viruses don't infect data files.   However, data files can contain embedded executable code such as macros, which may be used by virus or trojan writers.  Text files such as batch files, postscript files, and source code which contain commands that can be compiled or interpreted by another program are potential targets for malware....malicious software....though such extreme malware is not presently that common.
Boot sector viruses alter the program that is in the first sector....boot sector....of every DOS-formatted disk.  Generally, a boot sector infector executes its own code....which usually infects the boot sector or partition sector of the hard disk....then continues the PC bootup -start-up- process.  In most cases, all write-enabled floppies used on that PC from then on will become infected.   Multipartite viruses have some of the features of both the above types of virus. Typically, when an infected file is executed, it infects the hard disk boot sector or partition sector, and thus infects subsequent floppies used or formatted on the target system.

 

Types of viruses

Stealth Viruses  -   viruses that go to some length to conceal their presence from programs which might notice.

Polymorphic Viruses  -   viruses that cannot be detected by searching for a simple, single sequence of bytes in a possibly-infected file, since they change with every replication.

Companion Viruses  -   viruses that spread via a file which runs instead of the file the user intended to run, and then runs the original file.  For instance, the file MYAPP.EXE might be 'infected' by creating a file called MYAPP.COM.  Because of the way DOS works, when the user types MYAPP at the C> prompt, MYAPP.COM is run instead of MYAPP.EXE. MYAPP.COM runs its infective routine, then quietly executes MYAPP.EXE. N.B. this is not the ONLY type of companion....or 'spawning'....virus.

Armored Viruses  -   viruses that are specifically written to make it difficult for an antivirus researcher to find out how they work and what they do.
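The DOS search-order trick behind companion viruses leaves a simple footprint: two executables with the same base name in one directory. This added example (mine, not code from the original page) lists such pairs and says which file DOS would actually run; the directory contents are constructed for the demo.

```python
"""Added example (not from the original page): flag DOS companion-virus
candidates, i.e. executables sharing a base name, where the one DOS runs
first would shadow the one the user meant.  Directory contents below are
constructed for the demo."""
import os
import tempfile
from collections import defaultdict

# DOS search order for a bare command name typed at the prompt.
DOS_PRECEDENCE = [".COM", ".EXE", ".BAT"]


def find_companion_pairs(directory):
    """Return (base, shadowing_file, shadowed_file, shadowing_size) tuples for
    every base name with more than one executable extension in directory."""
    groups = defaultdict(dict)
    for name in os.listdir(directory):
        base, ext = os.path.splitext(name)
        ext = ext.upper()            # DOS 8.3 names are case-insensitive
        if ext in DOS_PRECEDENCE:
            groups[base.upper()][ext] = name
    findings = []
    for base, files in sorted(groups.items()):
        if len(files) < 2:
            continue
        ordered = sorted(files, key=DOS_PRECEDENCE.index)   # first entry wins
        winner = files[ordered[0]]
        # Companions are typically tiny next to the program they shadow,
        # so the size of the winning file is worth reporting too.
        size = os.path.getsize(os.path.join(directory, winner))
        for ext in ordered[1:]:
            findings.append((base, winner, files[ext], size))
    return findings


def demo():
    """Constructed directory: MYAPP.EXE plus a tiny MYAPP.COM beside it."""
    with tempfile.TemporaryDirectory() as d:
        sizes = {"MYAPP.EXE": 4096, "MYAPP.COM": 40, "EDIT.EXE": 2048, "README.TXT": 10}
        for name, size in sizes.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x00" * size)
        return find_companion_pairs(d)


if __name__ == "__main__":
    for base, runs, shadowed, size in demo():
        print(f"{base}: DOS runs {runs} ({size} bytes) instead of {shadowed}")
```

A genuine pair is not proof of infection (some legitimate packages ship both a .COM loader and an .EXE), so treat a hit as something to scan, not something to delete.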

 

How do viruses spread?

A PC is infected with a boot sector virus....or partition sector virus....if it is rebooted, usually by accident, from an infected floppy disk in the A drive.  Boot Sector/MBR infectors are the most commonly found viruses, and cannot normally spread across a network.  These normally spread by accident via floppy disks which may come from virtually any source.  This includes unsolicited demonstration disks, brand-new software....even from reputable sources....disks used on your PC by salesmen or engineers, new hardware, or repaired hardware.  A file virus infects other files when the program to which it is attached is run, and so CAN spread across a network....often very quickly.  They may be spread from the same sources as boot sector viruses, but also from sources such as files sent as AOL mail attachments, Internet FTP sites and bulletin boards.  This applies also to Trojan Horses.  A multipartite virus infects both boot sectors and files.  Often, an infected file is used to infect the boot sector: thus, this is one case where a boot sector infector could spread across an entire network.

 


 

Twiki, twiki....hey, keep me happy!

  Go out and get me some of that good
  anti-virus software!

 


 

Hey......what was that?   Oh, no!    Does my computer have a virus?

Almost anything odd a computer may do can....and has been....blamed on some computer "virus", especially if no other explanation can readily be found.   In most cases, when an anti-virus program is then run, no virus is found.  A computer virus can cause unusual screen displays, or messages, but most don't do that.   A virus may slow the operation of the computer, but many times that doesn't happen.   Longer disk activity, or strange hardware behaviour, can be caused by legitimate software, harmless "prank" programs, or by hardware faults.  A virus may cause a drive to be accessed unexpectedly......and the drive light to go on......but legitimate programs can do that also.  One usually reliable indicator of a virus infection is a change in the length of executable .com and .exe files, a change in their content, or a change in their file date/time in the Directory listing.  But some viruses don't infect files, and some of those which do can avoid showing changes they've made to files, especially if they're active in RAM.  Another common indication of a virus infection is a change to interrupt vectors or the reassignment of system resources.  Unaccounted use of memory or a reduction in the amount normally shown for the system may be significant.  In short, observing "something funny" and blaming it on a computer virus is less productive than scanning regularly for potential viruses, and not scanning because "everything is running OK" is equally inadvisable.

 

How do I protect against viruses?

There is really no way to guarantee that you will avoid infection.    However, the potential damage can be minimized simply by taking the following precautions.

Make sure you have a clean boot disk - test with whatever....up-to-date....antivirus software you can get hold of and make sure it is....and stays....write-protected.   Boot from it and make a couple of copies.

Use reputable, up-to-date and properly-installed anti-virus software regularly.   If you use a shareware package for which payment and/or registration is required, do it.   Not only does it encourage the writer and make you feel virtuous, it means you can legitimately ask for technical support in a crisis.

Do some reading.    If you're a home user, you may well get an infection sooner or later.    If you're a business user, it will be sooner.   Either way you'll benefit from a little background.   If you're a business user you....or your enterprise....need a policy concerning viruses.

If you use a shareware/freeware package, make sure that you have hard copy of the documentation BEFORE your system falls apart!

Always run a memory-resident scanner to monitor disk access and executable files before they're run.

If you run Windows, a reputable anti-virus package which includes DOS AND Windows components is likely to offer better protection than a DOS only package. If you run Windows 95, you need a proper Win95 32-bit package for full protection.

Make sure your home system is protected, as well as your work PC.

Check all new systems and all floppy disks when they're brought in....from any source whatsoever....with a good virus scanning program.

Acquire software from reputable sources......2nd-hand software is frequently unchecked and sometimes infected.  Bear in mind that shrinkwrapped software isn't necessarily unused.  In any case, numerous reputable firms have shipped viruses unknowingly in the past.

Once formatted, keep all of your floppies write-disabled except when you need to write a file to them, then write-disable them again.

Make sure your data is backed up regularly and that the procedures for restoring archived data work properly.

Scan pre-formatted diskettes before use.

Get to know all of the components of the package that you're using and consider which features to use and how best to use them.  Different packages have different strengths: diversifying and mixing and matching can, if carefully and properly done, be a good antivirus strategy, especially in a corporate environment.

If your PC can be prevented with a CMOS setting from booting with a disk in drive A.....do it.   Then re-enable floppy booting temporarily when you need to clean-boot.

 



Asked ya for anti-virus software.  I did!  But did ya listen?  Noooo,

ya didn't!  Nobody ever thinks they'll be the one who gets blasted!



Now some pesky lil' kid hacker's virus has made me an
InSaNe DeMoN 'PuTeR
and you're gonna have to pay a computer tech type big
money just to get rid of it!  Bwaaahaaahaahaaaahaaaa!


It's All About The Pentiums



 

How does anti-virus software work?

Scanner   --   conventional scanner, command-line scanner, on-demand scanner....a program that looks for known viruses by checking for recognisable patterns such as 'scan strings', 'search strings' and 'signatures'.

TSR scanner   --   a TSR or memory-resident program that checks for viruses while other programs are running.  It may have some of the characteristics of a monitor and/or behaviour blocker.

VxD scanner   --   a scanner that works under Windows, Win 95, or both, which checks for viruses continuously while you work.

Heuristic scanners   --   scanners that inspect executable files for code using operations that might denote an unknown virus.

Monitor/Behaviour Blocker   --   a TSR that monitors programs while they are running for behaviour which might denote a virus.

Change Detectors/Checksummers/Integrity Checkers   --   programs that keep a database of the characteristics of all executable files on a system and check for changes which might signify an attack by an unknown virus.

Cryptographic Checksummers  --   use an encryption algorithm to lessen the risk of being fooled by a virus which targets that particular checksummer.
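The change detector and cryptographic checksummer just described, together with the indicators listed earlier (a change in an executable's length, content or date/time), come together in this added example of mine; it is not code from the page or from any anti-virus product. The key, file names and directory are constructed for the demonstration, and the scenario patches a file in place and restores its timestamp to show why the keyed digest is the check that matters.

```python
"""Added example (not the page's or any vendor's code): a minimal change
detector of the 'cryptographic checksummer' kind.  It records size, timestamp
and a keyed HMAC-SHA256 digest per executable, then reports what changed.
The key is constructed here; in practice it would live on write-protected
media, so a virus on the machine cannot recompute matching checksums."""
import hashlib, hmac, os, tempfile

EXECUTABLE_EXTS = (".com", ".exe", ".sys", ".ovl")


def keyed_digest(path, key):
    """HMAC-SHA256 over the whole file; a plain CRC could be forged by a
    virus that knows the algorithm, a keyed digest cannot without the key."""
    with open(path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).hexdigest()


def build_baseline(directory, key):
    """Map each executable name to (size, mtime, keyed digest)."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(EXECUTABLE_EXTS):
            path = os.path.join(directory, name)
            st = os.stat(path)
            baseline[name] = (st.st_size, int(st.st_mtime), keyed_digest(path, key))
    return baseline


def check_against_baseline(directory, key, baseline):
    """Return {filename: reason} for every executable that differs."""
    current = build_baseline(directory, key)
    report = {}
    for name, (size, mtime, digest) in baseline.items():
        if name not in current:
            report[name] = "missing"
        elif current[name][2] != digest:
            report[name] = "content changed"     # caught even if size/date restored
        elif current[name][:2] != (size, mtime):
            report[name] = "size/timestamp changed"
    for name in current:
        if name not in baseline:
            report[name] = "new executable"
    return report


def demo():
    """Constructed scenario: patch two bytes inside HELLO.EXE in place and
    put its original timestamp back, as a stealthy file infector would."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as d:
        for name in ("HELLO.EXE", "EDIT.COM", "NOTES.TXT"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"MZ" + b"\x90" * 100)
        baseline = build_baseline(d, key)
        target = os.path.join(d, "HELLO.EXE")
        st = os.stat(target)
        with open(target, "r+b") as f:
            f.seek(10)
            f.write(b"\xeb\xfe")                  # same size, different bytes
        os.utime(target, (st.st_atime, st.st_mtime))
        return check_against_baseline(d, key, baseline)
```

The one thing a checksummer of this kind cannot see is a stealth virus active in memory that hands back the original bytes when the file is read, which is why the page's advice to clean-boot before checking still applies.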

 

I think I have a virus problem.   What should I do now?

If you think you may have a virus infection, STAY CALM.  Once detected, a virus will rarely cause further damage, but a panic action might.  Bear in mind that not everyone who thinks she/he has a virus actually does......and a well documented, treatable virus might be preferable to some machine problems!  Reformatting your hard disk is almost certainly unnecessary and very probably won't kill the virus.  If you've been told that you have something exotic, consider the possibility of a false alarm and check again with a different anti-virus package.  If you have a good antivirus package, use it.  Better still, use more than one.  If there's a problem with the package, use the publisher's tech support and/or try an alternative package.   If you don't have an anti-virus package, get one.  If you're using Microsoft's package (MSAV) get something more up-to-date!   And you should try to get expert help BEFORE you do anything else.  If the problem is in your office rather than at home there may be someone whose job includes responsibility for dealing with virus incidents.

 

Common Computer Virus Hoaxes And Facts



The Windows ME hoax   -   Windows ME is not a specially designed virus distributed by Microsoft as part of a not so covert attempt by Bill Gates to take over the world.  Although Bill Gates is in fact trying to take over the world, Windows ME is not a virus.....it just acts a lot like one on your computer.

The 'It Takes Guts To Say Jesus' virus hoax   --    There is NO Jesus virus that erases everything on your hard drive just by opening an email with 'It Takes Guts To Say Jesus' in the Subject field.

The 'Returned Or Unable To Deliver' virus hoax   --    There is NO virus that can physically attach itself to your computer components or hardware and render them useless.  If there was such a virus I'd love to get a look at the code for something that could do that.

The AOL password stealer hoax   --   The AOL password stealer virus was not created by America Online's programmers to steal your password so dozens of extremely bored AOL employees can use your America Online account to access XXX porno sites on the Internet.  The AOL password stealer virus was, however, created by two bored 15 year old nerds in Columbus, Ohio........so THEY can use your America Online account to access XXX porno sites on the Internet.

The Good Times virus hoax   --    There is NO Good Times virus that trashes your hard disk and puts your CPU into an nth-complexity binary loop when you read mail with "Good Times" in the Subject field.  There IS at least one file virus christened Good Times by the individual who posted it in an attempt to cause confusion.  It is more commonly referred to as GT-spoof.

The Modem Virus hoax   --   There is NO modem virus that spreads via an undocumented subcarrier.   Whatever that means.........

Fact   --   Any file virus CAN be transmitted as an E-mail attachment.  However, the virus code has to be executed before it actually infects.  Sensibly configured mailers don't usually allow this by default and without prompting, but certainly some mailers can support this: for instance, cc:mail can, it seems, launch attachments straight into AmiPro.    There's definitely room for a lot of discussion here.  The jury is still out on web browsers: Netscape can certainly be set up to do things I don't approve of, such as opening a Word document in Word without asking.

Fact   -    There is NO known way in which a virus could sensibly be spread by a graphics file such as a JPG , a GIF or a BMP file, which do not contain executable code.  Macro viruses work because the files to which they are attached are not 'pure' data files.   In general, software cannot physically damage hardware.....and this includes viruses.  There is a possibility that specific hardware may be damaged by specific code: however, a virus which drops a particular payload on the off chance that it's running on a system with a particular type of obsolete video card seems more than usually futile.

Fact   -    Microsoft has made available a Word viewer which reads Word files, but doesn't run attached macros.  If possible, use this instead.

Fact   -   The term mail bomb refers to the intentional bombardment of an e-mail address with multiple copies of a single message......especially on America Online.

 

Common Computer Virus Myths

DOS file attributes protect executable files from infection

File attributes are set by software, and can therefore be changed by software, including viruses.  Many viruses reset a ReadOnly/System/Hidden file to Read/Write, infect it, and often reset it to the original attributes afterwards.  This also applies to other software mechanisms such as simulating hardware write-protection on a hard disk.  Basically, a file virus has the same rights of access as the user who happens to inadvertently activate it.

 

I'm safe from viruses because I don't use Bulletin
Boards, shareware or public domain software

Many of the most widely-spread viruses are Boot Sector Infectors, which can't normally infect over a serial or network connection.  Writers of shareware, freeware etc. are no more prone to accidental infection than commercial publishers, and possibly less.  The only 'safe' PC is still in its original wrapping....which doesn't mean that it isn't already infected....and don't forget that shrink wrapped software may have been rewrapped.

 

FDISK/MBR fixes boot sector viruses

This is a myth for most people.  In brief, don't use FDISK /MBR unless you're very sure of what you're doing because you may lose data.  Note also that if you set up the drive with a disk manager such as EZDrive, you won't be able to access the drive until and unless you can reinstall it.

 

Write protecting suspect floppies stops infection.

This one sounds so silly I hesitate to even include it.  I've never seen it said by any serious computer users, but I've seen it so often in other contexts online, I've included it anyway.   Write-protecting a suspect floppy will only protect that diskette from "re-infection" if it's already infected.  It won't stop an infected floppy from infecting other write-enabled drives.  If you boot with a disk in drive A which is infected with a boot-sector virus, the fact that the diskette is write-protected will make no difference at all.  Write-protecting a CLEAN floppy will indeed prevent it from being infected......but see below!

 

The write protect tab always stops a disk write.

Yeah, right.  Write protection is built into the hardware of the PC and the Mac, of course, and can't be circumvented in software.....but there's no way to cover everything.  It is possible for the hardware to fail.  It's not common, but it happens.  Thus when I do a cleanup, I try to create a file on a sacrificial floppy before risking my R/O boot disk.  Sometimes, I even remember.  And don't forget that a disk which you receive write-protected could have been de-protected, infected, and re-protected.  Even a 3.5" disk with the write-enable tab removed can be written to simply by covering the hole with plain old masking tape.  And, of course, shrink wrapped software could have been infected before the duplication process.

 

I can infect my system by running DIR on an infected disk

This is a myth.  If you have a clean PC system, you can't contract a boot sector virus or a file virus just by listing the files on an infected floppy.   Of course, if your PC is infected, then you may very well infect a "clean" floppy by using the DIR A: command.  It is, of course, possible to have a scanner report a virus in memory after a DIR of a floppy with an infected boot sector.  The distinction here is that the virus is not actually loaded into memory, so the PC has not been infected.

 


 

Remember to cover your computer's backside.  Purchase a good anti-virus program and install it.  You can really save yourself a lot of serious aggravation by installing Norton Anti-Virus 4 and Dr. Solomon together.  These are both excellent anti-viral programs and having dual anti-virus software means you're very well protected!
Happy Puter
Athlon 3.4G