1992-05-06
Introduction To Computer Viruses
Distributed by:
DOLFIN DEVELOPMENTS
Written by:
Michael B. Cameron
INTRODUCTION
Computer viruses were originally thought of as nothing more than harmless "pranks",
designed by mainframe programmers who were experimenting with artificial intelligence. These
programmers altered existing programs, designed originally to "digest" data, so that they would
seek out and "destroy" data instead. This led to the development of what became known as
"Core Wars", in which a number of programmers would release these altered programs into the
core memory of a computer simultaneously, where they would seek out and destroy each other. The
last program left alive won. This was the beginning; nothing more than intellectual curiosity.
Today the sophisticated descendants of these programs are responsible for millions of
dollars worth of damage to the computing industry each year in lost computer time, service
charges and actual damage to the systems or their contents.
However, all is not lost. With proper protection procedures, good anti-virus software and
an educated user base, viruses will become the equivalent of a hard drive crash: once understood
and prepared for, just another part of "doing business" in the computer world.
That is the purpose of this brief document: to introduce you, the user, to the concept of
viruses, how to protect your system from them, and how to remove them should you discover
a computer virus.
How a virus works
A virus infects a computer system by attacking one of the following areas: the
partition table (master boot record); the DOS boot sector of a hard disk or floppy disk; or
executable files, including operating system files. "Executable" here means anything that is
loaded into memory and run: .COM files, .EXE files, overlay files and the DOS system files
themselves. The virus enters a system by a number of avenues: by downloading a file from an
electronic bulletin board and then executing it; by copying programs (pirating software) that
have been in contact with an infected system or that contain a trojan program (a useful program
that actually hides the virus inside); or by booting a system from a disk other than the original
operating system diskette. Note that this last avenue does not require a bootable diskette. If
any diskette is left in drive A: when the machine is switched on, the BIOS loads and runs that
diskette's boot sector; the familiar "Non-System disk or disk error" message is printed by that
boot sector code, which has already executed by then. A data diskette with an infected boot
sector therefore infects the hard disk just as surely as a system diskette would.
Once a virus is activated by one of the methods mentioned previously, it goes through
a number of logical steps to attempt to gain control of your system, depending on the type of
virus it is.
A boot sector virus will move the system's original boot sector elsewhere on the disk (or
simply overwrite it) and install itself as the new boot sector. Because it now runs before DOS
does, it gains control of the system, can monitor all system events and can infect any disk it
comes into contact with. An .EXE or .COM infector will attempt to infect other files whenever an
infected file is run.
Another form of infection involves infecting the control files of the system:
COMMAND.COM and its two hidden counterparts (IO.SYS and MSDOS.SYS under MS-DOS, IBMBIO.COM
and IBMDOS.COM under PC-DOS), thus allowing the virus to install itself every time the system
is booted.
Once a virus has installed itself by its mode of choice it will begin the replicating phase.
During this phase the virus will attempt to infect other files or disks at every opportunity or
according to its own internal logic. For example some viruses will infect an .EXE or .COM
file every time a DOS command is executed.
During this phase the system may experience or exhibit a number of symptoms: a
noticeable slowdown in system speed, which may eventually lead to a hang or shutdown;
unauthorized disk access (floppy or hard drive activity) when what you are doing does not
require it; time and/or date stamps of files being altered; volume labels on the disk being
changed (the Pakistani Brain virus does this); errors running files; DOS errors occurring,
e.g. "Sector not found", etc.
The difficult part of virus detection is distinguishing a legitimate hardware or software
problem from a virus infection. The best rule of thumb is "WHEN IN DOUBT, SCAN!". This
way if it is a virus problem you will know immediately before you run up a large service charge
and if it is not a virus you can begin to look elsewhere for the cause of system problems.
PROTECTING YOUR SYSTEM
Here are a few simple rules to follow to protect your system and minimize the chances
of getting infected.
1. NEVER BOOT YOUR SYSTEM WITH ANY DISK OTHER THAN THE
ORIGINAL SYSTEM DISKETTES
(and never leave any diskette in drive A: when switching the machine on; a
non-bootable data diskette still has its boot sector run)
2. ALWAYS USE ORIGINAL DISKETTES WHENEVER POSSIBLE WHEN
INSTALLING OR OPERATING PROGRAMS ON YOUR SYSTEM
3. MAKE BACKUPS OF ALL YOUR ORIGINAL DISKETTES AND WORK
FROM THESE.
4. WRITE PROTECT ALL PROGRAM DISKETTES AND STORE THEM
IN A SECURE AREA.
5. NEVER SAVE FILES TO ORIGINAL DISKETTES. USE A DESIGNATED
DISKETTE FOR YOUR WORK.
6. BACK UP YOUR SYSTEM REGULARLY ESPECIALLY DATA FILES.
TAPE BACKUPS ARE PREFERRED.
7. LIMIT ACCESS TO YOUR SYSTEM BY USING PASSWORDS AND
PHYSICAL BARRIERS LIKE KEY LOCKS.
8. TREAT ANY NEW DISKETTE OR PROGRAM AS SUSPECT UNTIL
IT HAS BEEN SCANNED AND VERIFIED VIRUS FREE.
(this includes diskettes handed back and forth at work)
9. IF POSSIBLE, INSTALL A TSR ANTI-VIRUS UTILITY TO MONITOR
YOUR SYSTEM AND ALERT YOU OF POSSIBLE PROBLEMS.
10. SCAN YOUR SYSTEM FOR VIRUSES ON A REGULAR BASIS. DAILY
IF POSSIBLE.
VIRUS DETECTION AND REMOVAL
If you believe you might have a virus, or you know for sure, here are the steps you
should follow to ensure proper detection and removal of the virus from your system.
1. Make sure you have a valid copy of Scan and Clean on a write protected diskette, together
with a write protected, known-clean DOS system diskette to boot from.
2. Insert the diskette in your system and type the following: "Scan C: /m", where C:
represents the drive in question and the /m option examines your memory for
"stealth" type viruses.
3. If you have a virus the program will inform you and give you the alias of the virus,
which is the name Clean uses to identify it, e.g. [stoned].
4. If you have a virus, at this point POWER DOWN YOUR SYSTEM! Initiate a
cold boot, as many viruses can survive a warm boot (Ctrl+Alt+Del) and remain in
memory, thereby thwarting disinfection. Cold boot from the write protected DOS system
diskette, not from the hard disk: if the hard disk's master boot record or system files are
infected, booting from C: simply loads the virus into memory again.
5. With the system running from the clean diskette, use your write protected copy of Clean
and type the following:
"Clean [virus] C:", where [virus] is the alias, e.g. [stoned], and C: is the infected
drive (A:, B:, C:, D: ...).
6. Clean will then attempt to remove the virus and repair infected areas. Clean will also
inform you of the number of infections and disinfections as it progresses.
7. Once the virus has been removed, scan your system again to ensure it is clean. Then
you must scan all of your diskettes and logical drives to determine whether they are infected.
8. If you find you have infected diskettes, follow these steps again for each one.
9. Inform others in your area or department so they may check their systems as well.
Do not keep an infection secret! It is better that others be informed so that
supervisors can act upon your information to ensure a secure working environment.
10. If at any time you experience problems SCANning or CLEANing your
system, contact a technician or supervisor who is familiar with disinfecting
procedures or contact your McAfee Agent for support.
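As an added illustration of steps 2 through 7 above (not the original guide's text, and not the code of McAfee's Scan or Clean), the Python below builds a small constructed "drive" of .COM files, scans every executable on it against a signature database, reports the alias of anything found, disinfects the reported files, and scans again to confirm the drive is clean. The detection strings, the aliases [demo-a] and [demo-b], and the infected-file layout (an appending .COM infector that overwrites the host's first three bytes with a jump to its body and saves those bytes there) are all invented for this demonstration; a real scanner uses detection strings published by its vendor, and it also searches memory, which a file scanner like this cannot do.

```python
"""Signature scanning and disinfection over a constructed set of .COM files.

Added example, not McAfee's Scan or Clean: the detection strings, the alias names and the
infected-file layout are all invented for this demonstration. A real scanner holds strings
published by its vendor and also searches memory, which this example cannot do.
"""
import struct
import tempfile
from pathlib import Path

# Hypothetical scanner database: detection string -> alias used to name the infection.
SIGNATURES = {
    b"\xB4\x4E\xCD\x21\x72\x0DDEMO-A": "[demo-a]",
    b"\xB8\x00\x3DDEMO-B\xCD\x21": "[demo-b]",
}
# Anything DOS loads and runs counts as executable; plain data files are skipped.
EXECUTABLE_SUFFIXES = {".com", ".exe", ".ovl", ".sys"}


def scan_bytes(data: bytes):
    """Return the alias of the first known signature found in data, or None."""
    for sig, alias in SIGNATURES.items():
        if sig in data:
            return alias
    return None


def scan_tree(root: Path) -> dict:
    """Scan every executable under root, like 'Scan d:' over a whole logical drive."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            alias = scan_bytes(path.read_bytes())
            if alias:
                hits[path.relative_to(root).as_posix()] = alias
    return hits


def infect_com(host: bytes, body: bytes) -> bytes:
    """Constructed model of an appending .COM infector, used only to build the sample files.

    The first three bytes of the host are replaced by JMP rel16 to the appended body; the body
    keeps a copy of those three bytes so the host can be resumed after the virus has run.
    """
    jump = b"\xE9" + struct.pack("<H", len(host) - 3)   # target = 3 + rel = end of original host
    return jump + host[3:] + host[:3] + body


def clean_com(data: bytes):
    """Undo the appending infection: restore the saved head bytes and cut the body off.

    Returns the repaired file, or None if the layout is not one this routine understands.
    """
    if len(data) < 3 or data[0] != 0xE9:
        return None
    target = 3 + struct.unpack("<H", data[1:3])[0]
    body = data[target:]
    if target > len(data) or scan_bytes(body) is None:
        return None
    return body[:3] + data[3:target]


def clean_tree(root: Path, hits: dict) -> dict:
    """Disinfect each reported file in place; returns alias -> number of files cleaned."""
    cleaned = {}
    for rel, alias in hits.items():
        path = root / rel
        repaired = clean_com(path.read_bytes())
        if repaired is not None:
            path.write_bytes(repaired)
            cleaned[alias] = cleaned.get(alias, 0) + 1
    return cleaned


def demo() -> dict:
    """Build a constructed drive, scan, clean, rescan: the sequence the guide lists."""
    hosts = {  # constructed file contents; the .COM bodies are just filler bytes
        "DOS/FORMAT.COM": b"\xB4\x09\xBA\x10\x01\xCD\x21\xC3" + b"\x00" * 40,
        "GAMES/ZORK.COM": b"\xBA\x00\x02\xB4\x3C\xCD\x21\xC3" + b"\x00" * 24,
        "DATA/NOTES.TXT": b"Boot sector virus meeting notes\r\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in hosts.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        zork = root / "GAMES/ZORK.COM"
        zork.write_bytes(infect_com(hosts["GAMES/ZORK.COM"], list(SIGNATURES)[0]))
        first = scan_tree(root)
        cleaned = clean_tree(root, first)
        second = scan_tree(root)
        restored = zork.read_bytes() == hosts["GAMES/ZORK.COM"]
    return {"first_scan": first, "cleaned": cleaned, "second_scan": second, "restored": restored}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage}: {result}")
```

Two details carry over to the real procedure. The rescan after cleaning is not a formality: a disinfector only repairs layouts it recognises, and `clean_com` deliberately refuses and leaves the file alone when the jump does not land on a body it can identify, so the second scan is what tells you the job is finished. And the scan covers every executable on the drive, not only the file you noticed a problem with, which is why step 7 sends you on to every diskette and logical drive as well.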
CONCLUSION
Chances are that at some point in your future you will come in contact with a virus or be
aware of an infection. If you are prepared and informed you can quickly and effectively protect
and/or disinfect your system. By following the guidelines set out in this brief you can minimize
your chances of an infection. However, no system can ever be "guaranteed" secure, so back up
your data and Scan your system regularly. Always get your anti-virus utility from a secure
source: your McAfee Agent, your supervisor or a McAfee authorised BBS.
Your best protection is to be prepared. Don't think "It won't happen to me". If you are
lucky it won't, but if it does you should be ready. Someday systems may be totally immune to
viruses; however, for the time being they are prevalent and replicating. With proper procedures
and education viruses will become just another "part of doing business".
If you have any questions please consult the documentation that is included with your
programs or feel free to contact us at DOLFIN Developments Ltd. for assistance of any kind.
You are free to distribute this document for personal use. Any business, agency
or government office must acquire a Corporate Licence to use this document internally.
Michael B. Cameron
Data Security Specialist
DOLFIN Developments Ltd.
(416) 829-4344
© Copyright DD 1991