Viruses

You can't go near a computer without someone talking about a virus. And the Internet is a great source of them (both the talk and the virus). While it is true that many new viruses appear every day, relatively few of them actually spread far enough to become a problem. Certainly fewer than 1000 viruses account for over 99% of the infections worldwide, and many of those viruses are several years old. If you get a virus (and sooner or later everyone does), and don't get rid of it, there is a strong likelihood that eventually you'll pass it on to someone else (possibly a friend or a coworker) who may get upset.

When you are talking about a virus, you are really talking about a computer infestation. A computer infestation is any unwanted program that is unknowingly transmitted to a computer. It is designed to do varying degrees of damage to data and software. Computer infestations do not do damage to the PC hardware. However, when boot sector information is destroyed on a hard drive, it can appear as though the hard drive is physically damaged. Over 99% of viruses that actually spread 'in the wild' are memory resident, so there is the possibility of incompatibilities between the virus and some other program you are running (for example, Jerusalem tries to use one of the resources that Novell NetWare uses, so you can't run both Novell NetWare and Jerusalem on the same system). Remember, not all computer problems are the result of viruses. Sometimes problems on a PC are caused by an error or bug in software, and can look and act very much like a virus. What most people refer to as viruses really fall into three categories of computer infestations. They are viruses, worms, and Trojan horses.

Viruses: A virus is a program that can replicate itself by attaching itself to other programs. The infected program must be executed in order for a virus to execute. When a virus executes, it may simply replicate itself, or it may also do damage by immediately performing some negative action. Also, a virus may be triggered to perform a negative action at some future point in time, such as on a particular date or at the time some logic within the host program is activated.

Worms: A worm is a program that spreads copies of itself throughout a network without needing a host program. A worm is seldom seen except on a network where it becomes a problem because of overloading the network as it replicates itself. The worm does damage by its presence rather than by performing a negative action as a virus does. The worm overloads memory or hard drive space by replicating itself over and over again. The recent Melissa "virus" was closer to a worm than a virus.

Trojan horse: A Trojan horse also does not need a host program to work. It is substituted for a legitimate program and cannot replicate itself. Because a Trojan horse requires human intervention to move from one location to another, it is not as common as a virus.

How do I tell if I have a virus: Some warnings that might suggest a virus is at work include: a program takes longer than normal to load, unusual error messages occur regularly, less memory than usual is available, files mysteriously disappear, strange graphics display on your computer monitor, the computer makes strange noises, the system is unable to recognize the CD-ROM, executable files have changed size, files constantly get corrupted, file extensions or file attributes change without reason, a message displays from the virus scanner software, or the number of bad sectors on the hard drive continues to increase. Around 95% of viruses do no more than make a copy of themselves and do some minor extras like beeping the keyboard or displaying a message.

Acquiring a virus: Viruses, worms, and Trojan horses have not been known to physically damage a hard drive or other hardware device. The damage they do ranges from the very minor (such as displaying bugs crawling around on a screen) to the major (such as totally erasing everything written on a hard drive). The damage done by an infestation is called the payload, and can be accomplished in a variety of ways. A virus may be programmed to drop its payload only in response to a triggering event such as a date, opening a certain file, or pressing a certain key. Infestations can be spread by trading floppy disks containing program files, connecting the computer to an unprotected network, buying software from an unreliable source, downloading programs from the Internet, using floppy disks from unknown sources, using shared network programs, using preformatted floppy disks that have been used, not write-protecting original program disks, and using e-mail that automatically executes a word processor to read attached files. Sometimes, when you receive an e-mail it will have an attachment. An attachment can contain a virus. However, simply receiving e-mail that contains an attachment poses no threat -- as long as the attachment is not executed. Macro viruses can be sent as e-mail attachments.

Once a program containing a virus is copied to your PC, the virus can spread itself only when the infected program is executed. A memory-resident virus stays in memory, still working, even after the host program is terminated; a non-memory-resident virus is terminated when the host program is closed. After a virus is loaded into memory, it looks for other programs that are loaded into memory. When it finds one, it copies itself into the other program in memory and then into that same program file on the disk. A virus becomes more dangerous the longer it stays loaded into memory and the more programs that are opened while it is there. For this reason, if you use a computer that has been used by other people (such as in a computer lab), always reboot the computer before you begin work, and shut the machine off to ensure that all memory-resident programs are erased from memory.

How a virus hides: A program is called a virus because it has an incubation period (does not do damage immediately), it is contagious (can replicate itself), and it is destructive. In order to avoid detection by antivirus software, a virus sometimes hides itself. There are four ways that a virus can hide itself. Sometimes a virus can use more than one method at the same time.

A boot sector virus can hide in the program code that is part of the Master Boot Record on a hard drive or part of the boot record program that loads the OS on the active partition of the hard drive. On a floppy disk, a boot sector virus hides in the boot program of the boot sector. One of the most common ways a virus is spread is on a floppy disk that is used to boot a PC. During the boot, when the boot program is loaded into memory, so is the virus. It can then spread to other programs.

However, a floppy disk does not have to be bootable to spread a virus. All floppy disks have a Master Boot Record. If a PC is configured to first boot from drive A before drive C, and if a floppy disk is in the drive when the PC is booted, BIOS reads the Master Boot Record on the disk. If the disk is not bootable, an error message displays, such as "Nonsystem disk or disk error." If the disk is then removed and the user presses any key, the PC will then boot from the hard drive. However, if the Master Boot Record of the floppy disk contains a boot sector virus, the virus might already have been loaded into memory. When the system boots from the hard drive, the virus is then spread to the boot sector of the hard drive.

A file virus hides in an executable (.exe or .com) program or word processing document that contains a macro. A macro is a small program that is contained within a document and can be automatically executed when the document is first loaded, or can be executed later by pressing a predetermined keystroke. Viruses that hide in macros of document files are called macro viruses.

One variation of a file virus is a virus that searches a hard drive for files with .exe file extensions and then creates another file with the same filename, but using the .com file extension. When the operating system executes a program, it first looks for the program name with the .com file extension. It then finds the virus, which it executes. The virus is loaded into memory and then loads the program with the .exe extension. This virus is then free to do damage or spread itself to other programs.
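The companion technique above works only because of the order in which DOS searches for a bare command name. The following added example (not from the original article) models that search order and gives a defender's check that lists every .exe that has a same-named .com beside it; the directory listing is constructed, and a flagged pair still needs manual verification because some legitimate packages ship both files.

```python
import os
from typing import Iterable, List, Optional

# Order in which COMMAND.COM resolves a command typed without an extension.
DOS_EXEC_ORDER = (".com", ".exe", ".bat")


def resolve_command(name: str, listing: Iterable[str]) -> Optional[str]:
    """Return the file DOS would run for `name`: .com first, then .exe, then .bat."""
    present = {f.lower() for f in listing}
    for ext in DOS_EXEC_ORDER:
        candidate = name.lower() + ext
        if candidate in present:
            return candidate
    return None  # no executable of that name at all


def find_companions(listing: Iterable[str]) -> List[str]:
    """List each .com that shadows a same-named .exe (a possible companion virus).

    A legitimate program can also ship both files, so treat a hit as something
    to inspect (compare dates and sizes against the install media), not proof.
    """
    names = {f.lower() for f in listing}
    exe_stems = {os.path.splitext(f)[0] for f in names if f.endswith(".exe")}
    return sorted(stem + ".com" for stem in exe_stems if stem + ".com" in names)


# Constructed sample listing (hypothetical files, not taken from a real system).
SAMPLE_DIR = ["EDIT.EXE", "WP.EXE", "WP.COM", "GAME.EXE", "AUTOEXEC.BAT", "README.TXT"]

if __name__ == "__main__":
    for cmd in ("edit", "wp", "autoexec", "readme"):
        print(f"{cmd:>9} -> {resolve_command(cmd, SAMPLE_DIR)}")
    print("possible companions:", find_companions(SAMPLE_DIR))
```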

A virus cannot work if it is contained in a data file with no embedded macros. Sometimes a virus will copy itself to a data file by mistake. Once the virus is there, it can no longer do any damage, since the data is not a program and, therefore, cannot be executed from memory. The only possible damage from the virus in a data file is the corrupted data caused by the virus overwriting what was already in the file.

Prevention: Some things you can do to protect against viruses are to buy an anti-virus program (and keep it updated), set a virus scan to check all word-processor documents, do backups on a regular basis, only buy software from reputable vendors, don't trade program files on floppy disks, download software from the Internet sparingly (and be sure to scan it), reboot the computer before you use it, and set your CMOS settings to boot from drive C before drive A.

To prevent spread of a boot sector virus, don't press a key to cause the PC to move on to the hard drive after it has already attempted to boot from the floppy disk. Rebooting your PC by pressing [CTRL] [ALT] [DEL] may not be enough to prevent the problem, as the loaded virus can still hide in memory. Turn the PC off, remove the floppy disk, and then turn the PC back on. This kind of virus infection is a good reason to configure your computer to always boot from the hard drive first, and then, if the hard drive is not bootable, to boot from the floppy drive. This boot order will normally prevent BIOS from reading a Master Boot Record of a floppy disk that is inserted during boot. The order of booting from the A and C drives is determined in CMOS setup.

Incidentally, many CMOS setups have an option that prevents writing to the boot sector of the hard drive. This does not always work against viruses, but must be turned off before trying to install Windows 95 or Windows NT, which both must write to the MBR during installation. Windows 95 does not tell you that you must turn the feature off and start the installation over until about halfway through the installation.

Anti-Virus software: One thing a virus attempts to do is hide from anti-virus software. AV software detects a virus because it has previously been programmed to search out and recognize a particular virus. It detects a virus that it knows exists by looking for distinguishing characteristics of the virus called the virus signature. AV software cannot detect a virus it does not know to look for. Therefore, update your AV software frequently.

There are two methods by which a virus attempts to hide from AV software: by changing its distinguishing characteristics (its signature) and by attempting to mask the fact that it is present. Polymorphic viruses change their distinguishing characteristics as they replicate themselves. Mutating in this way makes it more difficult for AV software to recognize the presence of the virus. An encrypting virus can transform itself into a nonreplicating program in order to avoid detection. However, it must transform itself back into a replicating program in order to spread or replicate itself, and it can then be detected by AV software. A stealth virus actively conceals itself in one of the following ways. Since AV software may detect a virus by noting the difference between a program's file size before the virus has infected it and after the virus is present, the virus alters operating system information so as to mask the size of the file it is hiding in. Alternatively, the virus monitors when files are opened or closed. When it sees that the file it is hiding in is about to be opened, it temporarily removes itself from the file or substitutes a copy of the file that does not have the virus included. The virus keeps a copy of this uninfected file on the hard drive just for this purpose.
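To make the two detection ideas from the last two paragraphs concrete (signature matching, and noticing that a program file has changed), here is an added example that is not part of the original article. The signature table and the sample files are constructed for the demonstration; a real AV database holds many thousands of patterns. It also shows why a size-only comparison is weak, which is exactly what a stealth virus exploits.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed signature table (made-up byte patterns, not real virus signatures).
SIGNATURES: Dict[str, bytes] = {
    "Example.A": b"\x90\x90\xeb\x05CAFE",
    "Example.B": b"DEMO-PAYLOAD-MARK",
}


def scan_for_signatures(data: bytes) -> List[str]:
    """Return the names of all known signatures found anywhere in `data`.

    Exact matching is why a polymorphic variant that changes even one byte of
    the pattern slips past until the database is updated with the new pattern.
    """
    return [name for name, sig in SIGNATURES.items() if sig in data]


def baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record (size, sha256) per program file; take this once on a known-clean system."""
    return {p: (len(b), hashlib.sha256(b).hexdigest()) for p, b in files.items()}


def integrity_changes(base: Dict[str, Tuple[int, str]], files: Dict[str, bytes]) -> Dict[str, str]:
    """Compare current files with the baseline and classify each change.

    The hash catches a modified file even when its size was preserved or masked;
    it only helps if the bytes read are the real ones, i.e. the check runs from a
    clean boot, not on a system where a stealth virus is already resident.
    """
    report: Dict[str, str] = {}
    for path, (size, digest) in base.items():
        if path not in files:
            report[path] = "missing"
            continue
        blob = files[path]
        if hashlib.sha256(blob).hexdigest() != digest:
            report[path] = "modified (size same)" if len(blob) == size else "modified (size changed)"
    for path in files:
        if path not in base:
            report[path] = "new file"
    return report


# Constructed sample program files (hypothetical paths and contents).
CLEAN = {"C:/DOS/EDIT.EXE": b"MZ" + b"\x00" * 30, "C:/WP/WP.EXE": b"MZ" + b"\x01" * 40}
INFECTED = dict(CLEAN)
INFECTED["C:/WP/WP.EXE"] = CLEAN["C:/WP/WP.EXE"] + SIGNATURES["Example.A"]      # appended, size grows
INFECTED["C:/DOS/EDIT.EXE"] = b"MZ" + b"\x00" * 13 + SIGNATURES["Example.B"]     # overwritten, same size
```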

Before you go out to the Internet (and certainly before you start downloading files or sending e-mail), you should get a quality anti-virus program. You should then install it, and update it on a regular basis. Be sure you get one that has a strong on-access scanner (checks all files whenever they are accessed by a program or the operating system). Other features to look for include: the ability to download new software upgrades from the Internet, the ability to automatically execute at startup, the ability to detect macros in word-processing documents as the document is being loaded, and the ability to automatically monitor files being downloaded from the Internet.

For more information about viruses, anti-virus software, and rumors in e-mail, check out the following Web sites:

http://urbanlegends.miningco.com

www.umich.edu/~virus-busters

www.ciac.org/ciac

www.drsolomon.com

www.symantec.com/avcenter

© Copyright 2001, P/K Solutions, Inc. All Rights Reserved