...Anti-Viruses...
A parasitic program written intentionally to enter a computer
without the user's permission or knowledge. The word parasitic is used because a virus
attaches to files or boot sectors and replicates itself, thus continuing to spread. Though
some viruses do little but replicate, others can cause serious damage or affect program
and system performance. A virus should never be assumed harmless and left on a system.
A virus is a piece of software designed and written to adversely
affect your computer by altering the way it works without your knowledge or permission. In
more technical terms, a virus is a segment of program code that implants itself in one of
your executable files and spreads systematically from one file to another. Computer
viruses do not spontaneously generate: They must be written and have a specific purpose.
Usually a virus has two distinct functions:
- Spreads itself from one file to another without your input or
knowledge. Technically, this is known as self-replication and propagation.
- Implements the symptom or damage planned by the perpetrator. This
could include erasing a disk, corrupting your programs or just creating havoc on your
computer. Technically, this is known as the virus payload which can be benign or malignant
at the whim of the virus creator.
A benign virus is one that is designed to do no real damage to
your computer. For example, a virus that conceals itself until some predetermined date or
time and then does nothing more than display some sort of message is considered benign.
A malignant virus is one that attempts to inflict malicious
damage to your computer, although the damage may not be intentional. There are a
significant number of viruses that cause damage due to poor programming and outright bugs
in the viral code. A malicious virus might alter one or more of your programs so that it
does not work as it should. The infected program might terminate abnormally or write
incorrect information into your documents. Or the virus might alter the directory
information in one of your system areas. This might prevent the partition from mounting, or
you might not be able to launch one or more programs, or programs might not be able to
locate the documents you want to open.
Some of the viruses identified are benign; however, a high
percentage of them are very malignant. Some of the more malignant viruses will erase your
entire hard disk, or delete files.
A computer virus is a program designed to replicate and spread on
its own, preferably without you knowing it exists. Computer viruses spread by attaching
themselves to another program (such as your word processing or spreadsheet programs) or to
the boot sector of a diskette. When an infected file is executed, or the computer is
started from an infected disk, the virus itself is executed. Often, it lurks in memory,
waiting to infect the next program that is run, or the next disk that is accessed. In
addition, many viruses also perform a trigger event, such as displaying a message on a
certain date, or deleting files after the infected program is run a certain number of
times. While some of these trigger events are benign (such as those that display
messages), others can be detrimental. The majority of viruses are harmless, displaying
messages or pictures, or doing nothing at all. Other viruses are annoying, slowing down
system performance, or causing minor changes to the screen display of your computer. Some
viruses, however, are truly menacing, causing system crashes, damaged files and lost data.
- File Infectors: These are viruses that attach themselves to
(or replace) .COM and .EXE files, although in some cases they can infect files with
extensions .SYS, .DRV, .BIN, .OVL and .OVY. With this type of virus, uninfected programs
usually become infected when they are executed with the virus in memory. In other cases
they are infected when they are opened (such as using the DOS DIR command) or the virus
simply infects all of the files in the directory it was run from (a direct infector).
- Boot Sector Infectors: Every logical drive, both hard disk
and floppy, contains a boot sector. This is true even of disks that are not bootable. This
boot sector contains specific information relating to the formatting of the disk, the data
stored there and also contains a small program called the boot program (which loads the
DOS system files). The boot program displays the familiar "Non-system Disk or Disk
Error" message if the DOS system files are not present. It is also the program that
gets infected by viruses. You get a boot sector virus by leaving an infected diskette in a
drive and rebooting the machine. When the boot sector program is read and executed, the
virus goes into memory and infects your hard drive. Remember, because every disk has a
boot sector, it is possible (and common) to infect a machine from a data disk. NOTE: Both
floppy diskettes and hard drives contain boot sectors.
- Master Boot Record Infectors: The first physical sector of
every hard disk (Side Ø, Track Ø, Sector 1) contains the disk's Master Boot Record and
Partition Table. The Master Boot Record has a small program within it called the Master
Boot Program which looks up the values in the partition table for the starting location of
the bootable partition, and then tells the system to go there and execute any code it
finds. Assuming your disk is set up properly, what it finds in that location (Side 1,
Track Ø, Sector 1) is a valid boot sector. On floppy disks, these same viruses infect the
boot sectors. You get a Master Boot Record virus in exactly the same manner you get a boot
sector virus--by leaving an infected diskette in a drive and rebooting the machine. When
the boot sector program is read and executed, the virus goes into memory and infects the
MBR of your hard drive. Again, because every disk has a boot sector, it is possible (and
common) to infect a machine from a data disk.
- Multi-partite Viruses: Multi-partite viruses are a
combination of the viruses listed above. They will infect both files and MBRs or both
files and boot sectors. These types of viruses are currently rare, but the number of cases
is growing steadily.
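The Master Boot Record layout described above can be checked from the defender's side. The following is an added example, not part of the original page: it parses one 512-byte sector using the classic PC MBR layout (446 bytes of boot program, four 16-byte partition entries, a 55 AA signature) and compares the boot program against a known-good hash. The function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446   # Master Boot Program area in the classic PC MBR layout
ENTRY_LEN = 16        # four 16-byte partition table entries follow the code


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the used partition entries of one MBR."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector ending in the 55 AA signature")
    partitions = []
    for slot in range(4):
        entry = sector[BOOT_CODE_LEN + slot * ENTRY_LEN:][:ENTRY_LEN]
        status, ptype = entry[0], entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": slot, "active": status == 0x80,
                               "type": ptype, "start_lba": start_lba,
                               "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}


def audit_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a sector with a known-good boot-code hash; list findings."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected 1 active partition, found {len(active)}")
    return findings


def build_sample(boot_code: bytes) -> bytes:
    """Constructed test sector: one active FAT16 partition starting at LBA 63."""
    entry = bytes([0x80, 1, 1, 0, 0x06, 15, 63, 100]) + struct.pack("<II", 63, 102753)
    table = entry + bytes(ENTRY_LEN * 3)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + b"\x55\xaa"


if __name__ == "__main__":
    known_good = build_sample(b"constructed boot program")
    baseline = parse_mbr(known_good)["boot_code_sha256"]
    changed = build_sample(b"constructed boot program, modified")
    print(audit_mbr(known_good, baseline), audit_mbr(changed, baseline))
```
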
A virus is inactive until the infected program is run or the boot
record is read. As the virus is activated it loads into the computer's memory where it can
perform a triggered event or spread itself. Disks used in an infected system can then
carry the virus to another machine. Programs downloaded from bulletin boards can also
spread a virus. Data files, however, cannot transfer a virus but they can become damaged.
- Boot Infectors: Every disk contains a boot sector whether
it is a bootable disk or not. When the computer is powering up, looking for the boot
information, and reads an infected disk in the A: drive, the virus is transferred to the
computer's hard drive. Once the boot code on the drive is infected the virus will be loaded
into memory on every startup. From memory the boot virus can travel to every disk that is
read and the infection spreads. Most boot viruses could be on a system for a long time
without causing problems. However, there are some nasty ones that will destroy the boot
information or force a complete format of the hard drive.
- Program Infectors: When an infected application is run the
virus activates and is loaded into memory. While the virus is in memory any program file
subsequently run becomes infected. Multiple infections are very common and will certainly
cause system problems. Program files may function without any problems for some time but
eventually programs have problems or multiple infection brings the system down. The data the
program produces may be a first sign of infection such as saving files without proper DOS
names.
Viruses normally have multiple characteristics. Their
characteristics are:
- Memory Resident: Loads much like a TSR, staying in memory
where it can easily replicate itself into programs or boot sectors. Most common.
- Non-Resident: Does not stay in memory after the host
program is closed, thus can only infect while the program is open. Not as common.
- Stealth: The ability to hide from detection and repair
manifests in two ways.
- Full - Virus redirects disk reads to avoid detection.
- Size - Disk directory data is altered to hide the additional bytes
of the virus.
- Encrypting: Technique of hiding by transformation. Virus
code converts itself into cryptic symbols. However, in order to launch (execute) and
spread the virus must decrypt and can then be detected.
- Polymorphic: Ability to mutate by changing code segments to
look different from one infection to another. This type of virus is a challenge for
anti-virus detection methods.
- Triggered Event: An action built into a virus that is set
off by the date, a particular keyboard action or DOS function. It could be as simple as a
message printed to the screen or as serious as reformatting the hard drive or deleting
files.
- In the Wild: A virus is referred to as "in the
wild" if it has been verified by groups that track virus infections to have caused an
infection outside a laboratory situation. A virus that has never been seen in a real world
situation is not in the wild, and is sometimes referred to as "in the zoo".
Note: Viruses are sometimes referred to differently
depending on the AntiVirus programs being used.
Anti-Virus programs are the best way to protect against virus
infection, but not everyone has one and new viruses are continually developing. When
troubleshooting program or system problems, watch for telltale signs of a virus's presence.
When a program says it has removed a virus from memory it does not mean any files have
been disinfected. Symptoms commonly reported:
- "My program takes longer to load suddenly."
- "The program size keeps changing."
- "My disk keeps running out of free space."
- "When I run CHKDSK it doesn't show 655360 bytes
available."
- "I keep getting 32 bit errors in Windows."
- "The drive light keeps flashing when I'm not doing
anything."
- "I can't access the hard drive when booting from the A:
drive."
- "I don't know where these files came from."
- "My files have strange names I don't recognize."
- "Clicking noises keep coming from my keyboard."
- "Letters look like they are falling to the bottom of the
screen."
- "My computer doesn't remember CMOS settings, the battery is
new."
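Two of the symptoms above, a program size that keeps changing and files of unknown origin, can be checked against a recorded baseline. The following is an added example, not part of the original page: it records the size and SHA-256 of every file carrying one of the file-infector extensions listed earlier and reports what changed between two snapshots. The function names are constructed for illustration.

```python
import hashlib
import os

# Extensions the page lists as targets of file infectors.
PROGRAM_EXTS = {".com", ".exe", ".sys", ".drv", ".bin", ".ovl", ".ovy"}


def snapshot(root: str) -> dict:
    """Map each program file under root to (size, SHA-256 of its content)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PROGRAM_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                data = handle.read()
            # Size is measured from the bytes read, not from directory data.
            digest = hashlib.sha256(data).hexdigest()
            result[os.path.relpath(path, root)] = (len(data), digest)
    return result


def compare(baseline: dict, current: dict) -> list:
    """Return sorted (path, finding) pairs for every difference."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "new program file"))
        elif new is None:
            findings.append((path, "program file missing"))
        elif old[0] != new[0]:
            findings.append((path, f"size changed by {new[0] - old[0]:+d} bytes"))
        elif old[1] != new[1]:
            findings.append((path, "content changed, size unchanged"))
    return findings
```

Take both snapshots after starting the machine from a known-clean, write-protected boot disk, because a memory-resident stealth virus can redirect the disk reads this code depends on.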
- What Viruses Do
- Some viruses are programmed specifically to damage the data on
your computer by corrupting programs, deleting files, or erasing your entire hard disk.
Many of the currently known Macintosh viruses are not designed to do any damage. However,
because of bugs (programming errors) within the virus, an infected system may behave
erratically.
- What Viruses Don't Do
- Computer viruses don't infect files on write-protected disks and
don't infect documents, except in the case of Word macro viruses, which infect only
documents and templates written in Word 6.0 or higher. They don't infect compressed files
either. However, applications within a compressed file could have been infected before
they were compressed. Viruses also don't infect computer hardware, such as monitors or
computer chips; they only infect software. In addition, Macintosh viruses don't infect
DOS-based computer software and vice versa. For example, the infamous Michelangelo virus
does not infect Macintosh applications. Again, the exceptions to this rule are the Word and
Excel macro viruses, which infect spreadsheets, documents and templates which can be
opened by either Windows or Macintosh computers. Finally, viruses don't necessarily let
you know that they are there - even after they do something destructive.
- How Viruses Spread
- Viruses spread when you launch an infected application or start up
your computer from a disk that has infected system files. For example, if a word
processing program contains a virus, the virus activates when you run the program. Once a
virus is in memory, it usually infects any application you run, including network
applications (if you have write access to network folders or disks). Viruses behave in
different ways. Some viruses stay active in memory until you turn off your computer. Other
viruses stay active only as long as the infected application is running. Turning off your
computer or exiting the application removes the virus from memory, but does not remove the
virus from the infected file or disk. That is, if the virus resides in a system file, the
virus will activate the next time you start your computer from the infected disk. If the
virus resides in an application, the virus will activate again the next time you run the
application.