What You Need To Know About Computer Viruses

Written by Eugene Accardo
Copyright (c) 1992 by Eugene Accardo
--- All Rights Reserved ---

Direct any inquiries about this document to:

Eugene Accardo
1204 Ave U, Suite 1123
Brooklyn, NY 11229
Compuserve I.D. 70413,3127

Foreword

This document gives a general description of the computer virus problem and how to deal with it. It is intended for the average PC user. Although viruses have been found in several different operating systems, the only viruses discussed in this document are ones that can infect DOS based computers. This includes IBM PC's and compatibles. The information given in this document is not an all inclusive reference on the subject of computer viruses.

The author of this document can in no way be held responsible for any data or monetary loss caused by a computer virus or any actions taken to remove one from a computer.

IBM is a trademark of IBM Corporation.

WHAT YOU NEED TO KNOW ABOUT COMPUTER VIRUSES

1. What is a Computer Virus?

Despite many misconceptions, a computer virus is nothing more than a unique type of program. It is a program that has the ability to self-replicate and store the copy of itself in another part of a computer system (usually on a hard drive or floppy disk). A virus will try to replicate itself without letting the person using the computer even know that a virus is present. A computer that has such a virus program on it is said to be infected.

A virus program can spread to other computers either by the transfer of an infected floppy disk or by direct access to other computers. Computers can directly access one another either through a LAN (Local Area Network) or by connecting remotely through modems. A virus program's ability to replicate and spread to other computers is similar to the behavior of biological viruses in animals. This is why such programs are called computer viruses.

There are two main types of computer viruses: boot infectors and file infectors.

A. Boot infector viruses infect the boot sector of a floppy disk or hard drive. This is the area of a disk that contains the beginning of DOS (the operating system) and is looked at first when a computer is powered on. Once a computer is booted up (turned on) from an infected disk, a boot sector virus will load itself into memory. Some viruses will also infect the boot sector of the hard drive at this time, if it is not already infected. Once a boot sector virus is in memory, it will attach a copy of itself to the boot sector of any other disk that is accessed. Some boot sector viruses only infect floppy disks while others infect hard drives as well.

B. A file infector virus infects files on a floppy disk or hard drive by attaching a copy of itself to a file that is already on the disk. These files can be part of any program you use such as a word processing or spreadsheet program. A virus will usually infect only executable files. These files have the extensions ".EXE" or ".COM". Some viruses will also infect overlay files and data files.

Most file infector viruses add themselves to the end or beginning of the file they are infecting, which makes the file larger. There are other viruses that overwrite part of the file they are infecting to avoid changing the file's size.

File infector viruses can only be activated from an executable file. When an infected EXE or COM file is run, the virus will either load itself into memory, infect other files, or a combination of both. Once a file infector virus is in memory it will infect other files as they are run. Some viruses known as "Quick Infectors" will even infect other files if they are opened. Files are considered opened while copying them or just looking at them with the DOS "DIR" command.

2. What does a virus do to a computer?

Different viruses do a variety of different things to your computer depending on what the person who wrote the virus wanted it to do (discussed further in the next section).
Some viruses do nothing but replicate. Although this may seem harmless, every time a virus replicates, it takes up more space on your hard drive or floppy disks. It also takes time for a virus to replicate. Because of this, many viruses will slow down the operation of your computer. Some viruses whose main purpose is to replicate have the unfortunate side effect of damaging files on your PC. These viruses will attach themselves to a file in a way that damages part of the file.

Besides replicating, many viruses perform some type of action after a certain condition is met. This condition is written into the virus to give it time to replicate while it remains hidden from the user. Once a virus performs its action, it is usually easier to detect. The two most common conditions used for activation are either a certain number of infections or a particular date. An example of a virus that waits for a certain number of infections before activating is the Dark Avenger. After infecting 16 files the Dark Avenger virus will randomly write over a sector on a hard drive. The Michelangelo virus uses a date as the condition to make it activate. On March 6th of any year the Michelangelo virus will overwrite the entire hard drive of a PC it is on.

Some viruses will perform an action that is annoying but not harmful to your PC. These viruses will display text messages on your screen or display some kind of graphics such as a bouncing ball or a car driving across your screen. Other annoying viruses may cause your PC's speaker to make a noise or cause your keyboard to lock up.

The most destructive types of viruses are ones designed to perform some kind of malevolent action (such as the Dark Avenger and Michelangelo mentioned above). This action can include deleting files or even reformatting your entire hard drive.

3. Where do computer viruses come from?

Like any other computer program, computer viruses are written by a programmer.
Although it is unknown who wrote many of the computer viruses, some of the authors have been identified. Others have anonymously explained why they wrote a virus.

Some authors only meant their virus to be a prank. These are usually the viruses that do something annoying rather than destructive. Unfortunately, many of these seemingly harmless viruses have been modified into viruses that are much more destructive.

Other virus authors only wrote a virus to prove to themselves they could write one or as an experiment to study the behavior of a virus. These viruses are known as research viruses because they were never intended to be spread to the public. However, some of these viruses were accidentally spread to other PC's, which created a snowball effect. Once a research virus leaves the lab and starts spreading, it goes from being an isolated experiment to being a big problem.

Many authors write viruses as a way of showing off their programming ability. This is especially true in countries that are not leaders in the development of commercial software, such as Bulgaria and Russia. People trained in programming in these countries have little outlet for their talent, so they turn their efforts to writing viruses.

Because there are destructive viruses, there must also be virus authors who want their viruses to be malevolent. These people receive genuine pleasure from knowing something they created will cause someone else harm.

Except for some research viruses, the one common factor for writing a virus is attention. There are probably many viruses that were only written to draw attention. By attention being drawn to the virus, the author may feel that people are drawing attention to him. The same probably holds true for people who write graffiti on walls. Both are using non-productive ways to draw attention to themselves.

The reasons stated here as to why people write viruses are based only on statements made by a few virus authors or on speculation. It will never be fully understood why every known virus was written, since most virus authors don't want to admit they have written one.

4. How do viruses spread?

As stated earlier, viruses can be spread from one PC to the next either by an infected floppy disk or by computers that are directly connected. Once a virus is released to the public there are many ways that it can become widespread. Below is a list of the more common ways viruses are spread.

A. Commercial Software - This can include application software as well as setup software that comes with PC's, video boards, modems, etc. Most major software companies use strict procedures to check for and prevent the spread of viruses. Unfortunately, there have been a few cases where companies have shipped software with viruses in it. Part of the reason viruses can go undetected is that there are so many new viruses appearing every day. The anti-viral programs that a company uses to find viruses may not be able to detect a new one. The biggest danger of viruses being spread through commercial software is the number of disks that can be infected. Because of the mass production of software disks by these companies, even one virus infecting one software product can cause thousands of infections.

B. Bulletin Boards (BBS) - Bulletin Boards are computers set up as a means for people to exchange ideas, send electronic mail and try out shareware programs. They are accessed by many people over phone lines through the use of a modem. Responsible System Operators of BBS's will screen any file that is uploaded to them and make sure it is not infected with a virus. With so many files being uploaded, there is still a chance that a file with a virus attached to it will be overlooked. As with commercial software, it may also be possible for a BBS to be infected by an unknown virus which cannot be detected.

C. Service Companies - It is quite common for viruses to be spread unintentionally by service companies.
A technician from a service company may use a diagnostic program to find out what is wrong with a PC at your office. How many other PC's at other companies did he use this software on? It is possible that the floppy disk with the diagnostic program on it picked up a virus from one of the many other PC's he used it on. The same holds true for a PC that is taken away for repairs. Many PC's and floppy disks pass through the doors of a computer service center.

D. Colleges - College computer labs are one of the biggest spreaders of computer viruses. In fact, there are some viruses that even originated at colleges. College computer labs are used by students either to help them learn how to use computers or to help them do research and complete their assignments. During the day many students use the computers and store the work they are doing on their own floppy disks. With all of these disks coming in and out, the chance of infection is greatly increased.

E. LANs (Local Area Networks) - In a large corporation over a hundred PC's may be linked together by a LAN. Someone might bring in a floppy disk that they used at home or just purchased that has a virus on it. If the programs on the disk are run on a PC connected to the LAN, the entire network may be infected with the virus. File infecting viruses can be spread through LANs this way.

As you can see, the more often a PC comes in contact with new software or is connected to another PC, the more likely it will be infected with a virus.

5. Anti-Viral Software

Over 20 software companies have developed programs designed specifically to combat the computer virus problem. They use a wide variety of techniques to help prevent the spread of viruses. The four main techniques are listed below.

A. Scanners - This is the most common technique used to combat viruses. When a scanner program is run, it will search the memory of a computer and any specified files for the presence of all known viruses. Each virus has a string of program code that is unique to it. A scanner will search for these strings and notify the user when one is found.

The disadvantage of scanners is that new viruses that come along might not yet be identified by the maker of the scanner program. If a scanner is not looking for a virus's string it will not be able to identify it as a virus. To deal with every new virus that comes along you must constantly update a scanner program. Another disadvantage of scanners is that you have to remember to use them. To compensate for this, you can place a virus scanner program in your autoexec.bat file so it will run every time you boot up your computer.

B. Memory Resident Virus Detectors - This type of program is usually placed in the autoexec.bat file so it can be loaded into memory when a PC is booted up. Unlike a regular scanner, a memory resident detector stays in memory all the time and works in the background. Instead of scanning all of the files on a PC, it will only look for viruses in programs as they are executed. The advantage of this is that you can immediately be informed when there is any virus activity on your PC. With a regular scanner program you would not know you had a virus on your PC until you actually scanned for one.

The disadvantage of a memory resident virus scanner is that it slows down the time it takes to load a program, since it will first check it for viruses. Another disadvantage is that it uses up memory (RAM). Just like a regular virus scanner program, most memory resident virus scanners need to be updated in order to find new viruses.

C. Change Detecting Programs - Instead of looking for a particular virus, some anti-virus programs detect changes caused by viruses. There are many variations of this technique. The most common method is to first look at every file on a hard drive and use some kind of algorithm to come up with a value to represent each file. At a later date all the files can be looked at again and a new value for each file is calculated. If the new value does not match the old value, the file has been altered. This alteration may have been caused by a virus.

The advantage of a change detecting program is that it does not have to be updated for every new virus that is created. One disadvantage is its inability to tell you exactly what virus your PC is infected with. Another disadvantage is its inability to tell the difference between a file changed by a virus and a change caused by the normal operation of a program. Finally, a very advanced virus may be able to infect a file without changing the value created by the change detecting program.

D. Virus Removal Programs - This type of program only removes viruses once they are discovered and identified by either a scanner or a memory resident program. Some of them are designed only to remove a particular virus while others can remove all known viruses. A few such programs only give you the option to delete an infected file. Most removal programs will do the best they can to restore the infected file back to the way it was before being infected. Some viruses will infect files in a manner that makes deleting the entire file the only way to get rid of the virus. The disadvantage of most virus removal programs is that they also have to be updated for each new virus that appears.

Because of the disadvantages of each of the above anti-viral techniques, using a combination of all of them is much more effective. A complete virus protection program will include all of the techniques given above. At the end of this document is a list of anti-viral programs that include all of these techniques.

6. How to prevent virus infections

The best way to prevent a virus from infecting a PC is to keep it as isolated as possible. This means not installing any new software. It also means you cannot connect the PC to any modem or a LAN.
Although this will prevent your computer from getting a virus, it is not very practical. It would be unfair to deprive a PC user of the latest and greatest software he or she might want. You would also be limiting a PC's capability by not connecting it to a LAN or modem for fear of being infected by a virus.

The most practical way to prevent a PC from getting infected with viruses is to follow a set of specific procedures. Following is a list of procedures that should be taken to help keep your PC virus free. The more of them that you use, the less likely your PC will be infected.

A. Periodically use a scanner and change detecting program to check for virus activity. The frequency of using these programs should be determined by the number of new files you receive and how often your PC communicates with other computers in a day. If you are constantly using new files and connecting to other computers it would be a good idea to use scanners and change detector programs every day. For most users, running these programs once a week should be sufficient.

B. Have a memory resident virus detector loaded into memory every time you turn on your PC. This may not be practical if the speed of the programs you are using is critical. Loading a memory resident detector may also use up too much memory or interfere with other memory resident programs. The only way to see how a memory resident detector affects your PC is to try it.

C. When you want to use any new software follow these steps:

   1. Make sure the hard drive of the PC you are going to install the new software on has recently been backed up.
   2. Load a memory resident virus detector program into the PC's memory.
   3. Use a change detecting program prior to installing the software.
   4. Use a scanning virus detector to check the floppy disks that the new software is on for known viruses.
   5. If your PC is connected to a LAN, make sure all network communication is stopped before installing the software.
   6. If the new software includes a program to install it on your PC, run a scanner and change detector program after the installation process is complete.
   7. Run the new software on your PC.
   8. Once again, run the scanner and change detecting program.

With all these precautions being taken it is highly unlikely that a virus will go undetected when installing new software. If all of the anti-virus programs used above are not available, use whichever ones you have in the order listed.

D. Keep all of the write protection tabs on your floppy disks in the read only position. On 5 1/4" disks this is done by placing tape (which usually comes with the disks) over the square notch on the outer edge of the disk.

E. Make sure any disks that salesmen or service technicians use in your PC have been scanned for viruses.

F. Never boot up (turn on) your PC with a floppy disk in the A: drive. If a floppy disk infected with a boot sector virus is in the A: drive when booting up, the hard drive may become infected. If you must boot up from the A: drive, make sure the floppy disk has been checked for viruses.

G. Update your anti-virus software as often as possible. The older your software is, the less likely it can detect new viruses that appear.

H. Back up your software on a regular basis. Although backups can't prevent viruses from infecting your PC, the importance of frequent backups cannot be stressed enough. If a virus damages your files, restoring them from a backup might be the only way to get them back. Even without the threat of viruses, there are many reasons to back up your hard drive.

I. Educating everyone that uses a computer where you work or at home about viruses is an important step. An unsuspecting user can infect an entire office before a person knowledgeable about viruses finds out. All of the procedures listed above will be ineffective if they are not followed by everyone.

7. How to tell if your PC is infected with a virus

If you have a memory resident virus detector loaded, it will notify you immediately when a program being executed has a known virus in it. A scanner program will notify you of a known virus if it encounters one while scanning files or memory.

A change detecting program will notify you when a change has been made to a file. If a file is changed that shouldn't be (COM and EXE files), there is a possibility that the change was caused by a virus. Before jumping to conclusions, check the documentation that came with the program the changed file belongs to. See if there is a normal circumstance where the file will be changed. If so, try to find out if that condition has been met. You can also contact the software company that made the program for further help. If you still believe a virus is involved, obtain a virus scanner to check for known viruses. If the scanner proves negative, contact a professional or someone very knowledgeable in the area of computer viruses.

Following is a list of some of the symptoms a known or unknown virus may show on your PC:

A. Your PC starts running slower for no apparent reason.

B. It takes longer than usual to load (start) a program.

C. Using the DOS CHKDSK or DIR commands will show much less disk space available than you expected.

D. Using the DOS CHKDSK or MEM commands will show less memory (RAM) available than you expected.

E. When you use the DOS DIR command, you notice a change in a file's size or date. You should not be too concerned about data files such as word processor documents or spreadsheets. These files will have their size and date changed every time you modify them.

F. Your PC hangs (freezes up) for no apparent reason.

G. When using the DIR command, you find a lot of files that have the same name but different extensions (example: program.com and program.exe). Some viruses create files with duplicate names but different extensions.

H. The lights that come on when accessing a hard drive or floppy disk stay on longer than usual.

I. DOS displays erroneous error messages. You may see a "Write Protect Error" message even though you aren't trying to write to a hard drive or floppy disk. Another erroneous message may be "Not Ready Reading Drive A:" appearing when you aren't trying to do anything with the A: drive.

J. Unusual messages or characters are displayed on your monitor.

8. What to do once your computer is infected with a virus

Obviously, you will want to get rid of a virus as soon as you find it on your PC. Some scanner and memory resident detectors give you the option of removing a virus as soon as they find one. At first this might seem like a good idea, but some advanced viruses (quick infectors) can infect files while you are scanning them. If such a virus is in memory, your scanner program may not find the virus in most of the files but will actually infect all of them as they are being scanned.

If your scanner discovers a known virus on your PC follow these procedures:

A. Shut your PC off immediately.

B. Turn on your PC with a bootable floppy disk that you know is clean of viruses in drive A:.

C. Place a clean disk with virus removal software on it in drive A:.

D. Run the virus removal program and remove the virus infections as they appear. Because you booted the PC with a clean disk, there will be no viruses active in memory. This will prevent any files from getting infected while running the virus removal software.

E. It may not be possible to remove a virus from some files without damaging the file or deleting it altogether. If some files cannot be used after removing a virus, you will have to restore them from a backup. Once the restore is completed, use a scanner program again. This is done to make sure the files were not infected before they were backed up.
If the restored files turn out to be infected you will need to keep looking for older backups that are not infected. Hopefully you will find a clean backup during this process.

F. Once a virus is removed from your PC you should check every other PC in your office or home for the virus. If the virus is found on other PC's, follow the above procedures to remove it.

G. Now that you have removed the virus from your PC(s) you are only half way out of the woods. Before running any programs on your PC(s) you should first check every floppy disk in your office or home for the virus. Even if you haven't touched some of these disks in years it pays to play it safe. Use a PC that you know is clean to scan for and delete any viruses found on floppy disks.

H. Now that your office or home is virus free you should take the responsible action of preventing the same virus from damaging data on someone else's PC. You should contact any other person or company that you recently exchanged floppy disks with or whose PC(s) you directly accessed. Let them know that you had a virus on your PC(s) and that they should check their own PC(s) for the same virus. In the case of someone who gave you a floppy disk, it is important not to give the impression you are blaming them. You should make it clear to them that you only want to make sure the same virus doesn't cause damage on their PC(s). Even if you suspect that they intentionally gave you a virus, proving it is another matter.

Many people and companies are reluctant to admit that they may have passed along a virus to someone else. They fear that people will not want to do business with them and that their integrity may be questioned. On the other hand, think of the results of not letting someone know you may have passed a virus to them. If they do have the virus and it is detected, they may think you gave it to them intentionally. If the virus causes severe data loss they may even hold you responsible. In any case, the effects of not telling someone you may have given them a virus are far worse than if you let them know.

If you are sure your PC is infected with an unknown virus, contact the makers of the anti-virus software you are using for help in getting rid of it. You should also consider contacting a consultant who is experienced with computer viruses. While you are waiting for further help, only use your PC if it is absolutely necessary. If you haven't backed up your hard drive lately, this would be a good time to do so. If you do have a virus, it may eventually destroy all the data on your hard drive. It is better to have infected backup data than no data at all.

9. Detective Work

Although it may be impossible to prove that someone gave you a virus, it is a good idea to find out where it came from. This will reduce the chance of being infected by the same virus again from the same source. It will also give you an idea what additions or improvements need to be made to your procedures for preventing viruses. Below is a list of some of the questions you should ask.

A. What was the last new software package installed on my PC(s)?

B. Were any of the infected PC's recently serviced?

C. Did anyone have access to my PC(s) while I wasn't around?

D. Is there someone who has a motive as well as the knowledge to infect my PC(s) with a virus?

E. For file infecting viruses - Were any of the infected files recently added to my PC(s)? For boot sector viruses - Were any of the infected floppy disks recently obtained? Were any of them borrowed by someone else to be used in their PC(s)?

10. Computer viruses and the law

The computer virus phenomenon is relatively new (1986 for PCs). Laws regarding computer viruses are also new. Every state has its own set of laws defining computer crimes. Some states have well defined laws concerning computer viruses. Others have laws that are vague in defining the intentional spreading of a virus as a crime.
Over the next few years there will probably be many changes in State and Federal laws regarding computer viruses. In general, if it can be proven that someone intentionally infected a computer with a malicious program, there is a good chance they can be convicted of a crime.

11. How real is the threat?

Software companies that produce anti-viral programs advertise about the hundreds of viruses that can infect your PC. The media broadcasts news of impending peril whenever the activation date of a destructive virus grows near (the Michelangelo virus, for example). Is the threat of computer viruses really so overwhelming? The answer is probably no. Although there are hundreds of known computer viruses, only about thirty of them have been found widespread throughout the world. There is a greater chance of your data being destroyed by physical damage to your hard drive than being affected by a virus.

This does not mean you should overlook the threat of viruses altogether. There is, and always will be, the possibility of your PC being infected. Through preventive procedures and education you can greatly reduce the threat of viruses. Computer viruses are not something to be in constant fear of, but they should not be ignored either.

References

Patricia M. Hoffman, Virus Information Summary List (VSUM).

Richard B. Levin, "The Computer Virus Handbook", Osborne McGraw-Hill, pp. 254-263.

Vesselin Bontchev, "The Bulgarian and Soviet Virus Factories" (report), Director of the Laboratory of Computer Virology, Bulgarian Academy of Sciences, Sofia, Bulgaria.

ANTI-VIRAL PROGRAMS

All of the software packages, except for those from McAfee Associates, are complete anti-viral packages that include a virus scanner, a memory resident detector, a change detector and a virus remover. The McAfee Associates programs work with one another to provide the same techniques as the others to prevent virus infection.

The Norton AntiVirus
Symantec Corp.
10201 Torre Ave
Cupertino, CA 95014
800-441-7234

Dr. Solomon's Anti-Virus Toolkit
Ontrack Computer Systems Inc.
6321 Bury Dr.
Eden Prairie, MN 55346
800-752-1333

Central Point Anti-Virus
Central Point Software
15220 NW Greenbrier Pkwy, #200
Beaverton, OR 97006
800-445-4208

Viruscan, VShield and Clean Up
McAfee Associates
3350 Scott Boulevard, Building 14
Santa Clara, CA 95054-3107
408-988-3832
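The two detection techniques described in section 5, a scanner that looks for a known virus string (5.A) and a change detector that compares a per-file value against one recorded earlier (5.C), written out as an added Python example. This code is not part of the original document and is not taken from any product listed above; the signature strings, the sample files and the executable extension list are constructed for the demonstration, and SHA-256 stands in for whatever algorithm a 1992 change detector used.

```python
"""Toy signature scanner and change detector.  Added example, not from the
original document.  Works on an in-memory {path: bytes} map so it runs
offline; read_tree() builds such a map from a real directory."""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed, made-up "virus strings".  A real scanner would use the
# vendor-supplied byte sequence unique to each known virus (section 5.A).
SIGNATURES: Dict[str, bytes] = {
    "EXAMPLE-A": b"\xeb\x1f\x90DEMO-SIG-A",  # constructed placeholder
    "EXAMPLE-B": b"DEMO-SIG-B\xcd\x21",      # constructed placeholder
}

# File types whose change the document treats as suspicious (1.B, 7.E).
EXECUTABLE_EXTS = (".com", ".exe", ".ovl")


def read_tree(root: str) -> Dict[str, bytes]:
    """Load every file under root into a {relative path: contents} map."""
    files: Dict[str, bytes] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def scan_for_signatures(files: Dict[str, bytes],
                        signatures: Dict[str, bytes] = SIGNATURES
                        ) -> List[Tuple[str, str]]:
    """Scanner (5.A): return (path, virus name) for every known string found.
    A string missing from the table is simply not seen, which is why the
    document insists the table be kept up to date."""
    hits: List[Tuple[str, str]] = []
    for path in sorted(files):
        for name, sig in signatures.items():
            if sig in files[path]:
                hits.append((path, name))
    return hits


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Change detector (5.C), first pass: one value per file.  Size alone
    would miss an overwriting infector that keeps the size constant (1.B),
    so the value also carries a SHA-256 digest of the contents."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in files.items()}


def compare_baseline(baseline: Dict[str, Tuple[int, str]],
                     files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Change detector, later pass: recompute the values and diff them.
    A changed executable is 'suspicious'; a changed data file is reported
    separately because documents change in normal use (7.E).  Files that
    appeared or vanished since the baseline are listed as well."""
    report: Dict[str, List[str]] = {"suspicious": [], "changed_data": [],
                                    "new": [], "missing": []}
    current = build_baseline(files)
    for path, value in current.items():
        if path not in baseline:
            report["new"].append(path)
        elif baseline[path] != value:
            is_exe = path.lower().endswith(EXECUTABLE_EXTS)
            report["suspicious" if is_exe else "changed_data"].append(path)
    report["missing"] = [p for p in baseline if p not in current]
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    # Constructed sample tree.  CALC.COM is then altered by appending a
    # signature, the way an appending file infector grows a file (1.B);
    # LETTER.DOC changes the way a document normally does.
    before = {"WP.EXE": b"MZ clean word processor",
              "LETTER.DOC": b"Dear Sir,",
              "CALC.COM": b"\xe9\x00\x00 calc program"}
    baseline = build_baseline(before)
    after = dict(before)
    after["CALC.COM"] += SIGNATURES["EXAMPLE-A"] + b" padding"
    after["LETTER.DOC"] = b"Dear Sir, thank you for your letter."
    print("scanner hits:", scan_for_signatures(after))
    print("change report:", compare_baseline(baseline, after))
```

Running the script shows both techniques disagreeing in the useful way the document describes: the scanner names the known string in CALC.COM but says nothing about an unknown one, while the change detector flags CALC.COM without naming a virus and lists LETTER.DOC separately as a routine data-file change.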