Text file | 1992-05-12 | 35KB | 953 lines
What You Need To Know About Computer Viruses
Written by Eugene Accardo
Copyright (c) 1992 by Eugene Accardo
--- All Rights Reserved ---
Direct any inquiries about this document to:
Eugene Accardo
1204 Ave U, Suite 1123
Brooklyn, NY 11229
Compuserve I.D. 70413,3127
Foreword
This document gives a general description of the computer
virus problem and how to deal with it. It is intended for the
average PC user.
Although viruses have been found in several different
operating systems, the only viruses discussed in this document
are ones that can infect DOS-based computers. This includes IBM
PCs and compatibles.
The information given in this document is not an all
inclusive reference on the subject of computer viruses.
The author of this document can in no way be held
responsible for any data or monetary loss caused by a computer
virus or any actions taken to remove one from a computer.
IBM is a trademark of IBM Corporation.
WHAT YOU NEED TO KNOW ABOUT COMPUTER VIRUSES
1. What is a Computer Virus?
Despite many misconceptions, a computer virus is nothing
more than a unique type of program. It is a program that has the
ability to self-replicate and store a copy of itself in another
part of a computer system (usually on a hard drive or floppy
disk). A virus will try to replicate itself without letting the
person using the computer even know that a virus is present. A
computer that has such a virus program on it is said to be
infected. A virus program can spread to other computers either
by the transfer of an infected floppy disk or by direct access
to other computers. Computers can directly access one another
either through a LAN (Local Area Network) or by connecting
remotely through modems.
A virus program's ability to replicate and spread to other
computers is similar to the behavior of biological viruses in
animals. This is why such programs are called computer viruses.
There are two main types of computer viruses: boot infectors
and file infectors.
A. Boot infector viruses infect the boot sector of a floppy
disk or hard drive. This is the area of a disk that
contains the beginning of DOS (the operating system) and is
looked at first when a computer is powered on. Once a
computer is booted up (turned on) from an infected disk, a
boot sector virus will load itself into memory. Some
viruses will also infect the boot sector of the hard drive
at this time, if it is not already infected. Once a boot
sector virus is in memory, it will attach a copy of itself
to the boot sector of any other disk that is accessed. Some
boot sector viruses only infect floppy disks while others
infect hard drives as well.
B. A file infector virus infects files on a floppy disk or
hard drive by attaching a copy of itself to a file that is
already on the disk. These files can be part of any program
you use such as a word processing or spreadsheet program. A
virus will usually infect only executable files. These
files have the extensions ".EXE" or ".COM". Some viruses
will also infect overlay files and data files.
Most file infector viruses add themselves to the end or
beginning of the file they are infecting which makes the
file larger. There are other viruses that overwrite part of
the file they are infecting to avoid changing the file's
size.
File infector viruses can only be activated from an
executable file. When an infected EXE or COM file is run,
the virus will either load itself into memory, infect other
files or a combination of both. Once a file infector virus
is in memory it will infect other files as they are run.
Some viruses known as "Quick Infectors" will even infect
other files if they are opened. Files are considered opened
while copying them or just looking at them with the DOS
"DIR" command.
2. What does a virus do to a computer?
Different viruses do a variety of different things to your
computer depending on what the person who wrote the virus wanted
it to do (discussed further in the next section).
Some viruses do nothing but replicate. Although this may
seem harmless, every time a virus replicates, it takes up more
space on your hard drive or floppy disks. It also takes time for
a virus to replicate. Because of this, many viruses will slow
down the operation of your computer.
Some viruses whose main purpose is to replicate have the
unfortunate side effect of damaging files on your PC. These
viruses will attach themselves to a file in a way that damages
part of the file.
Besides replicating, many viruses perform some type of
action after a certain condition is met. This condition is
written into the virus to give it time to replicate while it
remains hidden from the user. Once a virus performs its action,
it is usually easier to detect. The two most common conditions
used for activation are either a certain number of infections or
a particular date.
An example of a virus that waits for a certain number of
infections before activating is the Dark Avenger. After infecting 16 files
the Dark Avenger virus will randomly write over a sector on a
hard drive. The Michelangelo virus uses a date as the condition
to make it activate. On March 6th of any year the Michelangelo
virus will overwrite the entire hard drive of a PC it is on.
Some viruses will perform an action that is annoying but not
harmful to your PC. These viruses will display text messages on
your screen or display some kind of graphics such as a bouncing
ball or car driving across your screen. Other annoying viruses
may cause your PC's speaker to make a noise or cause your
keyboard to lock up.
The most destructive types of viruses are ones designed to
perform some kind of malevolent action (such as the Dark Avenger
and Michelangelo mentioned above). This action can include
deleting files or even reformatting your entire hard drive.
3. Where do computer viruses come from?
Like any other computer program, computer viruses are
written by a programmer. Although it is unknown who wrote many
of the computer viruses, some of the authors have been
identified. Others have anonymously explained why they wrote a
virus.
Some authors only meant their virus to be a prank. These
are usually the viruses that do something annoying rather than
destructive. Unfortunately, many of these seemingly harmless
viruses have been modified into viruses that are much more
destructive.
Other virus authors only wrote a virus to prove to
themselves they could write one or as an experiment to study the
behavior of a virus. These viruses are known as research viruses
because they were never intended to be spread to the public.
However, some of these viruses were accidentally spread to other
PCs which created a snowball effect. Once a research virus
leaves the lab and starts spreading, it goes from being an
isolated experiment to becoming a big problem.
Many authors write viruses as a way of showing off their
programming ability. This is especially true in countries that
are not leaders in the development of commercial software such as
Bulgaria and Russia. People trained in programming in these
countries have little outlet for their talent so they turn their
efforts to writing viruses.
Because there are destructive viruses, there must also be
virus authors who want their viruses to be malevolent. These
people receive genuine pleasure from knowing something they
created will cause someone else harm.
Except for some research viruses, the one common factor for
writing a virus is attention. There are probably many viruses
that were only written to draw attention. When attention is
drawn to the virus, the author may feel that people are paying
attention to him. The same probably holds true for people who
write graffiti on walls. Both people are using non-productive
ways to draw attention to themselves.
The reasons stated here as to why people write viruses are
based only on statements made by a few virus authors or
speculation. It will never be fully understood why every known
virus was ever written since most virus authors don't want to
admit they have written one.
4. How do viruses spread?
As stated earlier, viruses can be spread from one PC to the
next either by infected floppy disks or by computers that are
directly connected. Once a virus is released to the public there
are many ways that a virus can become widespread. Below is a
list of the more common ways viruses are spread.
A. Commercial Software - This can include application
software as well as setup software that comes with PCs,
video boards, modems etc. Most major software companies use
strict procedures to check for and prevent the spread of
viruses. Unfortunately, there have been a few cases where
companies have shipped software with viruses in them. Part
of the reason viruses can go undetected is because there are
so many new viruses appearing every day. The anti-viral
programs that a company uses to find viruses may not be able
to detect a new one. The biggest danger of viruses being
spread through commercial software is the number of disks
that can be infected. Because of the mass production of
software disks by these companies, even one virus infecting
one software product can cause thousands of infections.
B. Bulletin Boards (BBS) - Bulletin Boards are computers
set up as a means for people to exchange ideas, send
electronic mail and try out shareware programs. They are
accessed by many people over phone lines through the use of
a modem. Responsible System Operators of BBSs will screen
any file that is uploaded to them and make sure it is not
infected with a virus. With so many files being uploaded,
there is still a chance that a file with a virus attached to
it will be overlooked. As with commercial software, it may
also be possible for a BBS to be infected by an unknown
virus which cannot be detected.
C. Service Companies - It is quite common for viruses to be
spread unintentionally by service companies. A technician
from a service company may use a diagnostic program to find
out what is wrong with a PC at your office. How many other
PCs at other companies did he use this software on?
It is possible that the floppy disk with the diagnostic
program on it picked up a virus from one of the many other
PCs he used it on. The same holds true for a PC that is
taken away for repairs. Many PCs and floppy disks pass
through the doors of a computer service center.
D. Colleges - College computer labs are one of the biggest
spreaders of computer viruses. In fact, there are some
viruses that even originated at colleges. College computer
labs are used by students to either help them learn how to
use computers or to help them do research and complete their
assignments. During the day many students use the computers
and store the work they are doing on their own floppy disks.
With all of these disks coming in and out, the chance of
infection is greatly increased.
E. LANs (Local Area Networks) - In a large corporation over
a hundred PCs may be linked together by a LAN. Someone
might bring in a floppy disk that they used at home or just
purchased that has a virus on it. If the programs on the
disk are run on a PC connected to the LAN, the entire
network may be infected with the virus. File infecting
viruses can be spread through LANs this way.
As you can see, the more often a PC comes in contact with new
software or is connected to another PC, the more likely it will
be infected with a virus.
5. Anti-Viral Software
Over 20 software companies have developed programs designed
specifically to combat the computer virus problem. They use a
wide variety of techniques to help prevent the spread of viruses.
The four main techniques are listed below.
A. Scanners - This is the most common technique used to
combat viruses. When a scanner program is run, it will
search the memory of a computer and any specified files for
the presence of all known viruses. Each virus has a string
of program code that is unique to it. A scanner will search
for these strings and notify the user when one is found.
The disadvantage of scanners is that new viruses that come
along might not yet be identified by the maker of the
scanner program. If a scanner is not looking for a virus
string it will not be able to identify it as a virus. To
deal with every new virus that comes along you must
constantly update a scanner program. Another disadvantage
of scanners is that you have to remember to use them. To
compensate for this, you can place a virus scanner program
in your autoexec.bat file so it will run every time you boot
up your computer.
B. Memory Resident Virus Detectors - This type of program is
usually placed in the autoexec.bat file so it can be loaded
into memory when a PC is booted up. Unlike a regular
scanner, a memory resident detector stays in memory all the
time and works in the background. Instead of scanning all
of the files on a PC, it will only look for viruses in
programs as they are executed. The advantage of this is you
can immediately be informed when there is any virus activity
on your PC. With a regular scanner program you would not
know you had a virus on your PC until you actually scanned
for one. The disadvantage of a memory resident virus
scanner is that it slows down the time it takes to load a
program since it will first check it for viruses. Another
disadvantage is that it uses up memory (RAM). Just like a
regular virus scanner program, most memory resident virus
scanners need to be updated in order to find new viruses.
C. Change Detecting Program - Instead of looking for a
particular virus some anti-virus programs detect changes
caused by viruses. There are many variations of this
technique. The most common method is to first look at every
file on a hard drive and use some kind of algorithm to come
up with values to represent each file. At a later date all
the files can be looked at again and a new value for each
file is calculated. If the new value does not match the old
value the file has been altered. This alteration may have
been caused by a virus. The advantage of a change detecting
program is that it does not have to be updated for every new
virus that is created. One disadvantage is its inability
to tell you exactly what virus your PC is infected with.
Another disadvantage is its inability to tell the
difference between a file changed by a virus and a change
caused by the normal operation of a program. Finally, a
very advanced virus may be able to infect a file without
changing the value created by the change detecting program.
D. Virus Removal Programs - This type of program only
removes viruses once they are discovered and identified by
either a scanner or memory resident program. Some of them
are designed only to remove a particular virus while others
can remove all known viruses. A few such programs only give
you the option to delete an infected file. Most removal
programs will do the best they can to restore the infected
file back to the way it was before being infected.
Some viruses will infect files in a manner that makes
deleting the entire file the only way to get rid of the
virus. The disadvantage of most virus removal programs is
that they also have to be updated for each new virus that
appears.
Because of the disadvantages of each of the above anti-viral
techniques, using a combination of all of them is much more
effective. A complete virus protection program will include all
of the techniques given above. At the end of this document is a
list of anti-viral programs that include all of these techniques.
6. How to prevent virus infections
The best way to prevent a virus from infecting a PC is to
keep it as isolated as possible. This means not installing any
new software. It also means you cannot connect the PC to any
modem or a LAN. Although this will prevent your computer from
getting a virus, it is not very practical. It would be unfair to
deprive a PC user of the latest and greatest software he or she
might want. You would also be limiting a PC's capability by not
connecting it to a LAN or modem for fear of being infected by a
virus.
The most practical way to prevent a PC from getting infected
with viruses is to follow a set of specific procedures.
Following is a list of procedures that should be taken to help
keep your PC virus free. The more of them that you use, the less
likely your PC will be infected.
A. Periodically use a scanner and change detecting program
to check for virus activity. The frequency of using these
programs should be determined by the number of new files you
receive and how often your PC communicates with other
computers in a day. If you are constantly using new files
and connecting to other computers it would be a good idea to
use scanners and change detector programs every day. For
most users, running these programs once a week should be
sufficient.
B. Have a memory resident virus detector loaded into memory
every time you turn on your PC. This may not be practical
if the speed of the programs you are using is critical.
Loading a memory resident detector may also use up too much
memory or interfere with other memory resident programs.
The only way to see how a memory resident detector affects
your PC is to try it.
C. When you want to use any new software follow these steps:
1. Make sure the hard drive of the PC you are going to
install the new software on has recently been backed
up.
2. Load a memory resident virus detector program into
the PC's memory.
3. Use a change detecting program prior to installing
the software.
4. Use a scanning virus detector to check the floppy
disks that the new software is on for known viruses.
5. If your PC is connected to a LAN, make sure all
network communication is stopped before installing the
software.
6. If the new software includes a program to install it
on your PC, run a scanner and change detector program
after the installation process is complete.
7. Run the new software on your PC.
8. Once again, run the scanner and change detecting
program.
With all these precautions being taken it is highly unlikely
that a virus goes undetected when installing new software.
If all of the anti-virus programs used above are not
available, use whichever ones you have in the order listed.
D. Keep all of the write protection tabs on your floppy
disks in the read only position. On 5 1/4" disks this is
done by placing tape (which usually comes with the disks)
over the square notch on the outer edge of the disk.
E. Make sure any disks that salesmen or service technicians
use in your PC have been scanned for viruses.
F. Never boot up (turn on) your PC with a floppy disk in
the A: drive. If a floppy disk infected with a boot sector
virus is in the A: drive when booting up, the hard drive may
become infected. If you must boot up from the A: drive,
make sure the floppy disk has been checked for viruses.
G. Update your anti-virus software as often as possible.
The older your software is, the less likely it can detect
new viruses that appear.
H. Backup your software on a regular basis. Although
backups can't prevent viruses from infecting your PC, the
importance of frequent backups cannot be stressed enough.
If a virus damages your files, restoring them from a backup
might be the only way to get them back. Even without the
threat of viruses, there are many reasons to back up your
hard drive.
I. Educating everyone who uses a computer where you work or
at home about viruses is an important step. An unsuspecting
user can infect an entire office before a person
knowledgeable about viruses finds out. All of the
procedures listed above will be ineffective if they are not
followed by everyone.
7. How to tell if your PC is infected with a virus
If you have a memory resident virus detector loaded, it will
notify you immediately when a program being executed has a known
virus in it. A scanner program will notify you of a known virus
if it encounters one while scanning files or memory.
A change detecting program will notify you when a change has
been made to a file. If a file is changed that shouldn't be (COM
and EXE files) there is a possibility that the change was caused
by a virus. Before jumping to conclusions check the
documentation that came with the program of the file that was
changed. See if there is a normal circumstance where the file
will be changed. If so, try to find out if that condition has
been met. You can also contact the software company that made
the program for further help. If you still believe a virus is
involved, obtain a virus scanner to check for known viruses. If
the scanner proves negative contact a professional or someone
very knowledgeable in the area of computer viruses.
Following is a list of some of the symptoms a known or
unknown virus may show on your PC:
A. Your PC starts running slower for no apparent reason.
B. It takes longer than usual to load (start) a program.
C. Using the DOS CHKDSK or DIR commands will show much
less disk space available than you expected.
D. Using the DOS CHKDSK or MEM commands will show less
memory (RAM) available than you expected.
E. When you use the DOS DIR command, you notice a change in
a file's size or date. You should not be too concerned
about data files such as word processor documents or
spreadsheets. These files will have their size and date
changed every time you modify them.
F. Your PC hangs (freezes up) for no apparent reason.
G. When using the DIR command, you find a lot of files that
have the same name but different extensions (example:
program.com and program.exe). Some viruses create files
with duplicate names but different extensions.
H. The light that comes on when accessing a hard drive or
floppy disk stays on longer than usual.
I. DOS displays erroneous error messages. You may see a
"Write Protect Error" message even though you aren't trying
to write to a hard drive or floppy disk. Another erroneous
message may be "Not Ready Reading Drive A:" appearing
when you aren't trying to do anything with the A: drive.
J. Unusual messages or characters are displayed on your
monitor.
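Section 5C describes a change detecting program only in outline, and symptom G above describes duplicate .COM/.EXE names. The Python below is an added example of both, not code from the original document or from any of the packages it lists: it fingerprints the executables in a directory, reports what changed, appeared or disappeared, and flags base names that exist as both .COM and .EXE. The file names and contents are constructed, and SHA-256 stands in for the "algorithm" the text leaves unspecified.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Extensions a classic DOS file infector attaches to (section 1B also
# names overlay files, so .OVL is included here).
EXECUTABLE_EXTS = (".COM", ".EXE", ".OVL")

Fingerprint = Tuple[int, str]


def fingerprint(data: bytes) -> Fingerprint:
    """Return (size, digest). A virus that appends itself changes both;
    one that overwrites part of the file to keep the size the same still
    changes the digest. SHA-256 is this example's choice; 1992-era tools
    used simpler checksums, which is the weakness noted in section 5C."""
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Fingerprint]:
    """Fingerprint every executable in a name -> contents mapping.
    Data files are skipped on purpose: they change in normal use."""
    return {name: fingerprint(data) for name, data in files.items()
            if name.upper().endswith(EXECUTABLE_EXTS)}


def compare(baseline: Dict[str, Fingerprint],
            files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Re-fingerprint the executables and report what differs from the
    baseline. A 'changed' entry is only a possibility of infection: a
    legitimate update or a self-modifying program looks the same, so the
    program's documentation should be checked as section 7 advises."""
    current = build_baseline(files)
    report: Dict[str, List[str]] = {
        "changed": [], "new": [], "missing": [], "duplicate_names": []}
    for name, fp in sorted(current.items()):
        if name not in baseline:
            report["new"].append(name)
        elif baseline[name] != fp:
            report["changed"].append(name)
    report["missing"] = sorted(n for n in baseline if n not in current)
    # Symptom G from section 7: the same base name present as both
    # .COM and .EXE, which some viruses create deliberately.
    exts_by_stem: Dict[str, set] = {}
    for name in current:
        stem, ext = os.path.splitext(name.upper())
        exts_by_stem.setdefault(stem, set()).add(ext)
    report["duplicate_names"] = sorted(
        stem for stem, exts in exts_by_stem.items()
        if {".COM", ".EXE"} <= exts)
    return report


def read_directory(path: str) -> Dict[str, bytes]:
    """Load the files of one directory so the functions above can be run
    on a real disk. Run it after booting from a clean floppy (section 8):
    a resident quick infector could otherwise infect files as they are read."""
    result = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                result[name] = fh.read()
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a baseline, then a later snapshot in which
    WP.EXE has grown (something appended itself), a companion WP.COM has
    appeared, and only the data file README.TXT changed legitimately."""
    before = {
        "WP.EXE": b"MZ" + b"\x90" * 64,        # constructed, not a real program
        "FORMAT.COM": b"\xe9\x10\x00" + b"\x00" * 32,
        "README.TXT": b"version 1",
    }
    baseline = build_baseline(before)
    after = dict(before)
    after["WP.EXE"] = before["WP.EXE"] + b"\xcd\x21" * 8   # appended code
    after["WP.COM"] = b"\xeb\xfe"                            # new companion
    after["README.TXT"] = b"version 2"                       # ignored data file
    return compare(baseline, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:16s} {', '.join(names) or '-'}")
```

The baseline would in practice be written to a write-protected floppy (procedure D in section 6) so that the values themselves cannot be altered by whatever later changes the files.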
8. What to do once your computer is infected with a virus.
Obviously, you will want to get rid of a virus as soon as
you find it on your PC. Some scanner and memory resident
detectors give you the option of removing a virus as soon as
they find one. At first this might seem like a good idea, but some
advanced viruses (quick infectors) can infect files while you are
scanning them. If such a virus is in memory, your scanner
program may not find the virus in most of the files but will
actually infect all of them as they are being scanned.
If your scanner discovers a known virus on your PC follow
these procedures:
A. Shut your PC off immediately.
B. Turn on your PC with a bootable floppy disk that you know
is clean of viruses in drive A: .
C. Place a clean disk with virus removal software on it in
drive A: .
D. Run the virus removal program and remove the virus
infections as they appear. Because you booted the PC with a
clean disk, there will be no viruses active in memory.
This will prevent any files from getting infected while
running the virus removal software.
E. It may not be possible to remove a virus from some files
without damaging the file or deleting it altogether. If
some files cannot be used after removing a virus, you will
have to restore them from a backup. Once the restore is
completed, use a scanner program again. This is done to
make sure the files were not infected before they were
backed up. If the restored files turn out to be infected
you will need to keep looking for older backups that are not
infected. Hopefully you will find a clean backup during
this process.
F. Once a virus is removed from your PC you should check
every other PC in your office or home for the virus. If the
virus is found on other PCs, follow the above procedures to
remove it.
G. Now that you have removed the virus from your PC(s) you
are only half way out of the woods. Before running any
programs on your PC(s) you should first check every floppy
disk in your office or home for the virus. Even if you
haven't touched some of these disks in years it pays to play
it safe. Use a PC that you know is clean to scan for and
delete any viruses found on floppy disks.
H. Now that your office or home is virus free you should
take the responsible actions to prevent the same virus from
damaging data on someone else's PC. You should contact any
other person or company that you recently exchanged floppy
disks with or directly accessed their PC(s). Let them know
that you had a virus on your PC(s) and that they should
check their own PC(s) for the same virus.
In the case of someone who gave you a floppy disk, it is
important not to give the impression you are blaming them.
You should make it clear to them that you only want to make
sure the same virus doesn't cause damage on their PC(s).
Even if you suspect that they intentionally gave you a
virus, proving it is another matter.
Many people/companies are reluctant to admit that they may
have passed along a virus to someone else. They fear that
people will not want to do business with them and that their
integrity may be questioned.
On the other hand, think of the results of not letting
someone know you may have passed a virus to them.
If they do have the virus and it is detected, they may think
you gave it to them intentionally. If the virus causes
severe data loss they may even hold you responsible. In any
case, the effects of not telling someone you may have given
them a virus are far worse than if you let them know.
If you are sure your PC is infected with an unknown virus
contact the makers of the anti-virus software you are using for
help in getting rid of it. You should also consider contacting a
consultant who is experienced with computer viruses. While you
are waiting for further help, only use your PC if it is
absolutely necessary. If you haven't backed up your hard drive
lately, this would be a good time to do so. If you do have a
virus, it may eventually destroy all the data on your hard drive.
It is better to have infected backup data than no data at all.
9. Detective Work
Although it may be impossible to prove that someone gave you
a virus, it is a good idea to find out where it came from. This
will reduce the chance of being infected by the same virus again,
from the same source. It will also give you an idea of what
additions or improvements need to be made to your procedures for
preventing viruses. Below is a list of some of the questions you
should ask.
A. What was the last new software package installed on my
PC(s)?
B. Were any of the infected PCs recently serviced?
C. Did anyone have access to my PC(s) while I wasn't
around?
D. Is there someone who has a motive as well as the
knowledge to infect my PC(s) with a virus?
E. For file infecting viruses - Were any of the infected
files recently added to my PC(s)?
For boot sector viruses - Were any of the infected floppy
disks recently obtained? Were any of them borrowed by
someone else to be used in their PC(s)?
10. Computer viruses and the law.
The computer virus phenomenon is relatively new (1986 for
PCs). Laws regarding computer viruses are also new. Every state
has its own set of laws defining computer crimes. Some states
have well defined laws concerning computer viruses. Others have
laws that are vague in defining the intentional spreading of a
virus as a crime. Over the next few years there will probably be
many changes in State and Federal laws regarding computer
viruses.
In general, if it can be proven that someone intentionally
infected a computer with a malicious program, there is a good
chance they can be convicted of a crime.
11. How real is the threat?
Software companies that produce anti-viral programs
advertise about the hundreds of viruses that can infect your PC.
The media broadcasts news of impending peril whenever the
activation date of a destructive virus grows near (Michelangelo
virus). Is the threat of computer viruses really so
overwhelming? The answer is probably no. Although there are
hundreds of known computer viruses, only about thirty of them
have been found widespread throughout the world. There is a
greater chance of your data being destroyed by physical damage to
your hard drive than being affected by a virus. This does not
mean you should overlook the threat of viruses altogether.
There is, and always will be, the possibility of your PC being
infected. Through preventive procedures and education you can
greatly reduce the threat of viruses.
Computer viruses are not something to be in constant fear
of, but they should not be ignored either.
ANTI-VIRAL PROGRAMS
All of the software listed below, except for the McAfee
Associates programs, are complete anti-viral packages that
include a virus scanner, a memory resident detector, a change
detector and a virus remover. The McAfee Associates programs
work with one another to provide the same techniques as the
others to prevent virus infection.
The Norton AntiVirus
Symantec Corp.
10201 Torre Ave
Cupertino, CA 95014
800-441-7234
Dr. Solomon's Anti-Virus Toolkit
Ontrack Computer Systems Inc.
6321 Bury Dr.
Eden Prairie, MN 55346
800-752-1333
Central Point Anti-Virus
Central Point Software
15220 NW Greenbrier Pkwy, #200
Beaverton, OR 97006
800-445-4208
Viruscan, VShield and Clean Up
McAfee Associates
3350 Scott Boulevard, Building 14
Santa Clara, CA 95054-3107
408-988-3832