While most of the software products in the marketplace today are useful, constructive, and beneficial, there is also other software which serves a darker purpose - the computer "virus". Such rogue software is designed to load and run without the user’s knowledge, often hiding in normal programs. Viruses also execute their functions without prompting users for permission, they do not warn of potential dangers to the system, and they do not produce error messages when problems are encountered. Essentially, a computer "virus" is a fragment of executable code which runs secretly, and is capable of cloning itself in other programs.

Technically, there is nothing in this definition to indicate that a virus is necessarily destructive - that’s a twist added by the virus programmers themselves. But legitimate software does not need to run secretly, hide itself in other programs, or duplicate itself without a user’s knowledge or permission. So the very nature of a computer virus makes it an ideal vehicle for spreading computer chaos. This chapter is intended to explain the nature and operations of computer viruses, show you how they spread and manifest themselves, and explain some procedures you can take to protect yourself and your customer from their effects.

We use the term "virus" to describe virtually any type of destructive software. Although this is a good, general term, it is also a misnomer - a virus is actually only one of many destructive software types. There are at least nine types of recognized rogue software, and most are considered every bit as deadly as a virus. Each type of software has a different mode of operation. As a technician, you should understand how these software types operate.

Simply speaking, a software bug is an error in program coding or logic that results in faulty or unexpected operation. Bugs are rarely intentional, but the vast majority of serious system-crippling bugs are caught during the developer’s alpha and beta testing processes. In order for serious bugs to get through into a finished product (the kind of bugs that can cause serious memory errors of damage hard drive files), the developer would have to do little (if any) testing on various PC platforms. Serious bugs are typically not intended as malicious, but they suggest a dangerous lack of concern on the part of the software developer. There are two clues that suggest the presence of software bugs; first, it is only a single program (usually the one you just installed or started using) that causes the problem, and the problem will not be detected by any anti-virus tool (the application will be reported as clean). Software containing serious or persistent bugs is often referred to as "bug ware".

The Trojan horse is largely considered to be the grandparent of today’s virulent software. Basically, the Trojan horse is a destructive computer program concealed in the guise of a useful, run-of-the-mill program such as word processor or graphics program. Well-developed user shells or seemingly normal operations trick the user into believing that the program is harmless - until the virulent code is triggered - then the program’s true nature is revealed. The Trojan horse tactic is the most popular means of introducing viruses by distributing seemingly harmless software which actually contains virulent code. Fortunately, most virulent code can be detected by scanning new software before it is executed for the first time. To prevent the spread of Trojan horses, be suspicious of unwanted or unsolicited software arriving through the mail, or as e-mail attachments. Also beware of software that sounds too good to be true (i.e. a TSR that will increase Windows performance by 100X, get SVGA graphics on an EGA video adapter, use AOL for free, etc.)

Just as a chameleon hides itself by mimicking its background, software chameleons mask virulent code with an image of a legitimate application. Of course, the mask is just a facade - like a demonstration program or a simulation. What makes a chameleon different from a Trojan horse is that it almost never causes system damage. Instead, it generally makes a modification to a program. In one classic case, a chameleon was introduced to a large multi-user platform. When the user typed in their name and password, it was recorded to a secret file. The chameleon’s author later accessed the system, entered their own code, and downloaded the accumulated list of passwords. Thus, the author now had access to various user data for their own illegal purposes. In another case, a chameleon was planted into a banking program which automatically diverted a few tenths of a cent (round-offs) off of every transaction into a secret account. Ultimately, the chameleon’s author had amassed hundreds of thousands of dollars in the secret account.

The software bomb is just what the name implies - when the infected program is launched, the virulent "bomb" code executes almost immediately and does its damage. Software bombs typically contain no bells or whistles - they also make little effort to cloak themselves, and almost no effort to replicate. As a consequence, the software bomb is quick and easy to develop. Its somewhat clumsy nature also make them fairly easy to spot with anti-virus tools.

Where the software bomb is used for immediate and indiscriminate destruction, a logic bomb is set to go off when a particular logical condition is met. For example, the logic bomb may "detonate" (erase files, calculate subsequent payroll records incorrectly, reformat the disk, or so on) if payroll records indicate that the bomb’s author is fired or laid off, or their payroll statements do not appear for over four weeks. A logic bomb can be triggered by virtually any system condition. However, the "bomb" approach is fairly easy to spot with anti-virus techniques.

Instead of triggering a bomb immediately or through system status conditions, a time bomb uses time or repetition conditionals. For example, a time bomb can be set to "detonate" after some number of program runs, on a particular day (i.e. April 1st or Friday 13th), or at a certain time (i.e. midnight). Time bombs are often used as a means of "making a statement" about a particular date and time. This kind of bomb architecture is relatively easy to spot with anti-virus tools. Table 51-1 lists the activation dates of many known computer viruses.

The purpose of a replicator (also called a rabbit) is to drain system resources. It accomplishes this function by cloning copies of itself. Each clone copy is launched by the parent that created it. Before long, the multitude of copies on disk and in memory soak up so many resources that the system can no longer function In effect, the system is crippled until the copies are removed and the replicating virus is eliminated. This type of behavior is particularly effective at shutting down large, multi-user systems or networks. Since the virulent code is self-replicating, it is easy to spot with anti-virus tools.

Unlike most other types of virulent code, the worm travels through a network computer system. The worm travels from computer to computer - usually without doing any real damage. Worms rarely replicate except in cases where it is absolutely necessary to continue traveling through the system, and delete all traces of their presence. A worm is another typical network presence used to seek out and selectively alter or destroy a limited number of files or programs. For example, a worm can be used to enter a network and alter or erase passwords. Since worms can be tailored for specific jobs, they are often difficult to spot unless the worm is known.

The most recognized and dynamic of the rogue software is the virus. A virus modifies other programs to include executable virulent code - in some cases, the virulent code mutates and changes as it is copied. Expertly engineered viruses do not change the infected file date, time stamps, file size, its attributes, or its checksums. As a result, viruses can be extremely difficult to detect and even harder to erase - and the task becomes even more difficult as viruses become increasingly powerful and sophisticated. With today’s "high overhead" operating systems such as Windows 95 or Windows NT, viruses can usually hide and replicate quite easily in any of the numerous .DLL files, .VXD files, or other modules normally in operation. Given their predilection toward stealth and replication, viruses tend to linger in systems to spread themselves between hard drives and floppy disks, and network connections where they disrupt data, cause system errors, and generally degrade system performance. Eventually, most viruses will self-destruct, typically taking the hard drive files with it.

As you might have suspected, all virulent code is not created equal. Viruses are as varied as legitimate application software - each technique provides the virus author with an array of advantages and disadvantages. Some viral techniques are preferred because they are more difficult to detect and remove, but require extra resources to develop. Other viral techniques are easier to develop, but lack the stealth and sophistication that more powerful viruses demand. Still other viral techniques stand a better chance of infecting multiple systems. This part of the chapter explains the major infection modes used by modern viruses.

DOS relies on a series of hidden files (i.e. IO.SYS and MSDOS.SYS). The files are hidden, they can not be directly executed, and they are not easily deleted, renamed, or copied. Thus, it is necessary to have a command processor which allows the user to interact with the operating system. For DOS, the command processor is COMMAND.COM. When you see the command line prompt (i.e. A:\> or C:\>), you know that COMMAND.COM is loaded and active. When you enter a command line, the processor parses (interprets) the command and attempts to determine a proper response.

By placing a virus in the command processor (infecting the COMMAND.COM), the virus has access to a large number of DOS facilities - especially user interface and disk access. Consider the DIR command used to produce a disk directory. An infected COMMAND.COM can allow its virus to search for and infect other files before running the actual directory function (thus the virus is concealed). The function may take a bit longer to execute, but most users barely notice. If you insert a floppy disk in drive A: and take a directory, you risk infecting files on the floppy disk. By making a bootable floppy disk, that disk will likely contain an infected COMMAND.COM file as well. Since viruses are active once a program is started, and COMMAND.COM is started every time DOS is loaded, command processor infections are serious and spread viruses very quickly.

Every PC ever made requires a "bootable" disk which has access to DOS. When the PC boots (starts up), the computer automatically attempts to load the operating system files from the boot disk. Startup files are typically kept in the disk boot sector (sometimes referred to as the master boot record). If a virus is able to infiltrate the boot sector and interfere with the loading process, it can very effectively cripple the entire computer. Viruses that infect the boot sector but does not shut the boot disk down are often capable of remaining resident in memory - even during a warm boot. When bootable floppy disks are used during the warm boot, boot sector viruses can easily infect the bootable floppy. Top boot sector infecting viruses include:

• NYB (Alias B1)
• AntiEXE (Alias Newbug) - can cause file damage.
• AntiCMOS (Alias LENART) - can blank CMOS/BIOS values.
• Monkey A or B - encrypts the partition table upon infection, and causes "Invalid drive specification" errors when booting the computer from a clean floppy.
• Form_A - infects boot sectors only, but doesn’t infect the MBR.
• Da’Boys - like Form_A, but works with GoldBug virus to cause damage.
• WelcomB (Alias BUPT.9146) - mostly found in Southeast Asia.
• Stoned - most MBR/BS viruses are based on the original Stoned.
• Michelangelo - reformats the hard drive on March 6.

Since boot sector viruses are loaded along with the DOS kernel and command processor, they are typically active before a user ever has a chance to launch an anti-virus application. With access to all of DOS’s resources, the boot sector virus can alter directory listings to show an expected file date, size, and attributes when in fact such files have been infected - a tactic that can render some anti-virus packages useless.

Unlike command processor or boot sector infections which target a limited number of low-level operating system files, many viral strains today simply focus on the infection of any executable file (.EXE or .COM files). Since COMMAND.COM is executable, it can also be infected by these "general-purpose" viruses, but not as deeply or cleverly as viruses specially designed for that purpose. Often, general file infections are loaded into memory once an infected application is started. Afterward, the virus can easily spread to other executable files anytime other executable files are listed (i.e. open file, save file, and so on). This type of infection tends to proliferate very quickly within the infected PC. Since disks are often shared between various computers, general infections also stand a good chance of infecting multiple machines - creating an "epidemic". The problem with such proliferation is that you must locate and disinfect EVERY copy of the virus (on common floppies as well) to remove it. If you miss a copy and run that infected application later, the whole cycle can start all over again. Under Windows 95, viruses can also infect other executable code such as .DLL and .VXD files. Top file infecting viruses include:

• Jerusalem - many variants, many names, multiple infections of the same file.
• Die Hard 2 (Alias DH2) - very stealthy.
• BUA.2263 - displays an obscene graphic. Original distribution via Internet. Mildly polymorphic.
• Green Caterpillar - displays a caterpillar like the Centipede arcade game.
• Screaming Fist - several variants, some polymorphic.
• Little Red - polymorphic.
• DAME, PS-MPC, MTE, VCL, TRIDENT - these are all mutation/polymorphism engines, that enable a novice virus writer to create a nasty virus.
• Natas - origin in mexico. A polymorphic multipartite virus widespread in the US southwest.
• Digress - drops MusicBug.MBR on boot record.
• OneHalf - extremely polymorphic multipartite virus. Requires special handling.

Multi-purpose infections are a more potent form of general-purpose virus which combines two or more virus techniques. For example, a multi-purpose virus can infiltrate a system's boot sector, then move on to the command processor, then spawn parasitic viruses that infect ordinary executable files. Since the virus finds its way into so many areas of the PC, it is very difficult to remove completely. If the virus changes or morphs as it works, it may be virtually impossible to spot with anti-virus tools. As a consequence, multi-purpose infections are particularly pernicious.

The file-specific infection is generally a type of worm specifically designed to seek out and corrupt specific files or types of files. Often, the file-specific infection is created and introduced by someone with a score to settle - perhaps an ex-employee or competitor. Since an outright search for the desired file(s) would take some time (and almost certainly be noticed), the file-specific infection latches onto a variety of files throughout the system, spreading its search capability without attracting attention. When the desired files are located, the virus either erases them outright, or corrupts them over time resulting in application or data corruption. Another advantage of infecting multiple files is that the damaged file(s) will invariably be reloaded, so the virus is able to "hang around" in the system to continue harassing the target file(s).

Where many viruses are loaded and active only while the infected file is running, the memory-resident infection remains active in memory throughout the entire computing session. The advantage to memory-resident viruses is that - like ordinary TSRs - the virus can continue infecting other files and corrupting data throughout the system regardless of which application is running.

In an effort to spread infection even faster, multipartite viruses target both file and boot sectors. Multipartite infections usually enter the system through either an infected executable file and wind up copying themselves to the boot sector and load each time the system starts - subsequently infecting files in the system.

A "macro" is little more than a simple programming language which is embedded into documents and spreadsheets. When used properly, a macro can automate many of the time-consuming and redundant tasks related to document/spreadsheet processing or formatting. The problem is that macros are so powerful, they can be written to actually cause havoc on the PC. Since macros are typically started automatically when a document or spreadsheet is opened, damage usually takes place immediately. In other cases, the template is altered - infecting subsequent documents or spreadsheets. New anti-virus tools are being designed to check for macro viruses.

Computer viruses are a real threat, and one that should always be taken seriously, But in most cases, computer viruses are rarely the harbingers of doom and gloom that many novices (and much of the PC media) perceive them to be. Now that you have an idea of the nature of viruses and other rogue software, it’s time dispel some persistent myths surrounding viruses:

• No anti-virus software is 100% effective - Although anti-virus products are constantly being updated to protect against the latest virus threats, there is no such thing as a "foolproof" virus protection program - new viruses are constantly being designed to bypass them. The best protection is to scan for viruses regularly using a current anti-virus tool, and always keep your vital files backed up.
• A virus cannot hide inside a data file - Data files (such as images) cannot spread a virus on your computer. Only executable program files (and files containing executable macros) can spread viruses. A computer virus COULD infect a data file, but it would be a useless effort - since a data file is not executed, only loaded, the virus would not be able run or to replicate itself.

NOTE: Text and spreadsheet files supporting macros CAN be "infected" with destructive macros. Scan text and spreadsheet files for macro viruses before loading them.

• Viruses cannot spread to all types of computers - Viruses are limited to a given family of computers. For example, a virus designed to spread on IBM PCs cannot infect an IBM 4300 series mainframe, or infect a Commodore C64, or infect an Apple Macintosh. However, cross-platform software can spread on any system capable of opening and reading the infected file(s). Word macro viruses can spread on any platform that reads Word files.
• A computer cannot be infected by calling an infected BBS, FTP, or web site - BBS and FTP sites containing infected files cannot write information onto your computer under its own direction. Your communications software (or web browser) performs this task. You can only transfer an infected file to your computer if you let your software do it. If an infected file is transferred to your computer it cannot spread until you execute the downloaded file. If a file is scanned after being downloaded - and found to be infected - it can be safely deleted before infecting other components of the computer.
• Compressed file archives can be infected - Although an "archive" file (i.e. a .ZIP file) cannot be infected itself, the executable files contained in the archive CAN be infected. You can decompress the archive without executing any of the files in the archive, then scan the files with an anti-virus tool BEFORE installing the software or running any of the executable files in the archive.
• A boot sector virus cannot travel in downloaded software - BBS and Internet download sites deal only in program files, and do not pass along copies of disk boot sectors. Since boot sector viruses can only spread by "booting" (or attempting to boot the computer from an infected diskette), downloading is generally immune to boot-sector viruses. However, you should still scan all downloaded files before executing them for the first time.
• Damaged files do not always indicate a virus attack - This is a very common misconception about viruses. Damaged files can be caused by many things (including the result of a power surge, power drop-off, static electricity, magnetic forces, failing hardware components, a bug in another software package, dust, fingerprints, spilled coffee, and so on). Power failures and spilled cups of coffee have destroyed more data than any viruses. Still, you should run your virus checker just to be sure.
• Backups are still valuable - even with a virus - Suppose a virus is backed up with your files. It could not be a boot infecting virus because the back-up software will not back up the boot sector. If you had a file infecting virus, you could restore important documents, databases, and your data, without restoring an infected program - or delete the infected program(s) and restore them specifically from the original installation disks.
• Read-Only files are NOT immune to infection - Some computer users believe you can protect yourself by using the DOS ATTRIB command to set the read-only attribute on program files. However, ATTRIB is software, and what it can do, a virus can easily undo. While this tactic may be marginally successful at halting very old or simple viruses, the ATTRIB command very rarely halts the spread of viruses.
• Viruses cannot infect write-protected disks - Since viruses can modify read-only files, people tend to believe they can also modify write-protected floppy diskettes. The disk drive senses a protected diskette and refuses to write on it. This is controlled by the hardware - not software. You can physically disable an floppy drive’s write-protect sensor, but you cannot override it with a software command. Write-protecting your diskettes are a free and easy means of halting the spread of viruses - especially boot sector viruses.

Even with the most comprehensive, accurate, aggressive, up-to-the-minute anti-virus package available, anti-virus tools alone will not always protect a PC from the ravages of a virus or other rogue software. Trying a suspicious piece of software without testing it first, forgetting to virus scan the system regularly, and even intentional sabotage can render an anti-virus tool useless. Before trouble strikes, you can take some pro-active steps to prevent the spread of viruses, and ease your recovery should a virus actually strike:

• Check for viruses regularly - you would be surprised how many people buy anti-virus products - only to use them sporadically, or leave them sitting unused until it is too late. Remember that anti-virus tools are always behind viruses - you need to use your anti virus tools consistently and aggressively in order to catch viruses before they do their damage. If you are regularly trying new shareware or commercial products, you should be sure to check for viruses religiously. Also check for viruses if you routinely swap disks between home and work PCs or a variety of different computers.
• Backup your data - this may sound a bit cliché, but frequent, complete backups are one of the most foolproof and reliable means of protecting your vital data. No virus can destroy the backup. Even though the backup may contain a virus, it is better to restore an infected backup (then clean it immediately) then forego the backup entirely. The problem with backups is frequency - how often should it be done? That really depends on how often you use your system. Businesses with active, rapidly-changing databases should backup their data at least daily. Casual home users who use only a few utilities infrequently would probably receive little benefit from frequent backups. Most small offices and home offices would be well-served to backup every month or so. If new applications or data files are changed dramatically in the mean time, the backup can be updated as needed. The yardstick is simple enough - "if my hard drive were erased now, would I be able to restore it and move on?" When the answer to that question is "no", it’s time to back up the system. If the contents of your system changes frequently, it may make sense to keep several generations of backup. That way, if Thursday’s backup doesn’t have the files you need, maybe Monday's will.
• Keep your original disks write-protected - while write protection is not foolproof, it can prevent an infected system from spreading its infection to the diskettes - and thereby proliferating to other systems. This can be doubly important for original program distribution disks.
• Keep an eye out for mysterious or hidden files - while most modern drive utilities have no trouble revealing hidden files, some virulent code may indeed be saved with hidden file attributes. Also check batch files before running them to be sure that there are no destructive commands (such as FORMAT C:).
• Beware of famous dates - time bombs often trigger on holidays such as Christmas, New Year, July 4th, or other famous holidays or dates. The day before a special day, set the system clock to the day AFTER. For example, on July 3rd, set the system calendar to July 5th. After the holiday has passed, you can easily reset the clock to the correct date.
• Keep a bootable diskette on-hand - before trouble strikes, invest about 5 minutes and make yourself a clean bootable floppy disk. The disk should also have a copy of FORMAT, FDISK, DEBUG, PKUNZIP (or your favorite decompression utility), and any other DOS utilities that you need during startup. Be sure to write protect the floppy disk and keep it in a safe place.

As any doctor will tell you, the first step toward recovery is diagnosis - recognizing the subtle (and not so subtle) signs of viral activity can give you an edge in stopping the activities of a virus, and save you a substantial amount of time in needless hardware troubleshooting. The following part of this chapter illustrates some of the more important signs of virus activity:

• You see a warning generated by a virus scanner - your anti-virus package has detected a virus either in memory, or in one or more executable files. Once the anti-virus package has completed its infection report, go ahead and attempt to disinfect as many files as possible. Many of today’s viruses cannot be removed without damaging the executable file, so be prepared to restore the infected files from a backup or original installation disks. After the system is cleaned (and damaged files restored), go ahead and check for viruses again. Repeat this procedure until the entire system is clear.
• You see some sort of bizarre message (i.e. "legalize marijuana" or "your computer is stoned") - unfortunately, when a virus reveals itself in this way, it has probably already done its damage to your system. Launch your anti-virus software as soon as possible and remove any occurrences of the virus. Be prepared to restore damaged executable files and corrupted data files.
• You notice that your machine is acting strangely for no apparent reason - this may happen especially on holidays and other important days of the year. Applications may freeze, crash, or produce unusual error messages without warning. You may notice excessive or random disk access where there was none before. The system may behave unusually slowly - files and programs may take a long time to load. Familiar applications may not respond to the keyboard or mouse properly. Leave the application as soon as possible and run your anti-virus tools.
• The computer starts to boot, but freezes before displaying a DOS prompt - chances are that you’ve got a command processor infection. Boot the system from a clean, write-protected floppy disk, then try switching to the infected hard drive. If you cannot access the hard drive, it may be defective, or the virus may have affected the drive’s partition table. Run an anti-virus package to check the system and eliminate any virulent code. When the system is clean, try a drive maintenance package such as DrivePro from MicroHouse to check and rebuild any corrupted boot sector/partition table data.
• Programs and data files become erased or corrupted without warning - this is a classic sign of a virus at work. It is highly unlikely that the random loss of a single file is due to a hardware defect. DOS drive access works in terms of clusters, and most files require several clusters. If a cluster - or a sector within that cluster - were to fail, the file would still appear in the directory. Run your anti-virus package and check for viruses in memory as well as on disk.
• You see an error message indicating a problem with the file allocation table or the partition table - while this may indeed be the result of a hard drive fault, you should make it a point to boot the system from a write-protected floppy disk and check for viruses. If the system checks clear, go ahead and try a package like Drive Pro by MicroHouse to check and reconstruct the damaged boot areas.
• Programs access more than one disk drive where they did not before - it is exceptionally rare for a program to try accessing more than one drive unless it is explicitly instructed to do so by you. For example, if you save your new word processing document to drive C:, there will be no reason for the program to access drive A:. This kind of behavior suggests that a virus is attempting to slip its operations into normal disk access activities. Leave your application and run a virus checker.
• The number of bad disk sectors increases steadily - it is not uncommon for viruses to create bad disk sectors and hide within them to escape detection. Since DOS is designed to step over bad sectors, some anti-virus programs will not detect viruses using that tactic - leaving you to back up as much of the drive as possible and perform a new low-level format of the drive. Before resorting to that tactic, however, try an anti-virus package.
• The amount of available system RAM suddenly or steadily decreases - DOS provides the MEM function which allows you to peek at conventional, upper, extended, and expanded memory. If you find that certain programs no longer have enough memory to run, consider the possibility of a memory-resident virus or replicator or some sort. Try your anti-virus package. If you have a memory-resident anti-virus product available, try loading that on the system for a while.
• Memory maps (such as the DOS MEM function) reveal strange TSRs not loaded by CONFIG.SYS or AUTOEXEC.BAT - you can use the MEM function to reveal any drivers or TSRs loaded in the system. If you see a strange or unexpected TSR, you may be faced with a memory-resident virus. Run your anti-virus package. If you have a memory-resident anti-virus product available, try loading that on the system for a while.
• File names, extensions, attributes, or date codes are changed unexpectedly - this is another classic sign of viral activity which is usually attributable to older virulent code which lacked the sophistication to hide its own actions. A reliable anti-virus program should be able to deal with any viruses effectively.
• Unknown files mysteriously appear - this is a tough call for technicians new to a system, but as a computer user, you are generally pretty aware when a new data file is created on your own system (i.e. a new word processor document or a new spreadsheet). However, when unknown executable files are created, a virus may be at work. Newly created files may be hidden, so use a directory tool which displays hidden files (such as Windows Explorer). Try your anti-virus software to locate and eliminate potential viruses.

Even with the best anti-virus tools, regular testing, and consistent backups, systems can still be susceptible to the ravages of computer viruses. When dealing with viruses, you must understand what can and cannot be infected. Programs can be infected - that's all. Programs are any file which has an extension of: .EXE, .COM, .BAT, .SYS, .BIN, .DRV, .OVL, .DLL, .VXD, and of course the two hidden system files that compose the DOS kernel. With the rise of macro viruses, data files such as Microsoft Word and Excel files can also be infected - spreading their havoc with the file’s macro is run. Other data files such as images certainly can be corrupted, damaged, or completely destroyed, but they cannot be infected. For example, if you download an Internet image (i.e. a .JPG file), it cannot contain a virus. It is not impossible to infect programs inside an archive (such as .ZIP, .ARC, .ARJ, .LZH, or .ZOO), but it is EXTREMELY unlikely since a virus does not want you to know it’s there - but the programs may have been contaminated before being placed in the archive. When a you suspect the presence of a virus in the system, the following procedures can help you optimize the "damage control":

1. Boot from a clean, write-protected floppy disk - One of the most fundamental rules of virus defense is that a virus is harmless until it is launched by the boot sector, command processor, or application. If you can prevent the virus from loading in the first place, you stand a good chance of running an anti-virus tool successfully. Make sure that the boot disk is prepared on a virus-free PC. The disk should also contain a copy of your anti-virus package (most are designed to run from a floppy disk). Do not attempt to launch applications from the questionable hard drive until it has been checked and cleaned.
1. Use your anti-virus tools - If the system booted properly from your write-protected floppy disk, the virus(es) in your system should now be neutralized. Start the anti-virus tool contained on your floppy disk and run a comprehensive test of all system files. Also make it a point to check the boot sector and command processor. If your current tool does not support boot sector or command processor testing, you should consider using a second tool that does. When viruses are detected (chances are that more than one file will be infected), attempt to remove as many instances as possible. With luck, you can remove viruses without damaging the infected file, but this is often not possible with today’s viruses. When a file can not be "cleaned", it should be erased. Be sure to log each erased file and directory path so that you can replace only those files rather than restore entire sub-directories.
1. Start a quarantine on your computer - Since many viruses propagate by infecting floppy disks, any disks that have been in your computer should be ASSUMED to have the virus on them. By assuming the worst case situation, you are possibly saving many others from getting and spreading the virus even further. Gather up as many disks as you can find and check each for viruses. Also, do not share disks between other systems until your system has run for a while and proven itself to be virus-free.
1. Restore the backups - It is very likely that you had to destroy one or more executable files. Systematically re-load any files that were erased during the cleaning process. In most cases, you can restore the damaged files from their original, write-protected installation disks. A tape backup is another popular backup source. Try to avoid re-installing the entire application unless there is no other alternative.
1. Recheck the backup - After the deleted files have been destroyed, it is vitally important to restart your anti-virus tool and check the suspect disk again. It is not uncommon for recent backups to be contaminated as well. Verify that the drive is still virus-free. If you locate new viruses introduced in the restored files, remove the viruses again and restore the files from original, write-protected floppy disks.
1. Minimize the collateral damage - Immediately notify anybody who you have given any software, bootable disks, or even read their disks on your computer. If you have uploaded any programs to a BBS or the Internet, notify the Sysop or Webmaster of that system immediately.

There are thousands of computer viruses in the field today - each with its own aliases, modes of infection, and techniques for removal. It would be impractical to index all of that information here. Fortunately, most major anti-virus makers provide extensive virus "encyclopedias" over their Internet web sites. If you can get on-line, you can easily find detailed information on just about any virus or strain.

As the awareness of computer viruses grew through the last decade, so did the proliferation of anti-virus tools designed to combat the threat. However, you should understand that every anti-virus tool is created as a response to viruses that have already penetrated the PC environment. As a result, anti-virus products are forever playing "catch-up" with ever-more sophisticated virus programmers. No anti-virus product is 100% effective in all forms of detection. The one rule to remember with ALL anti-virus tools is that they become outdated very quickly. As a technician, you must make it a point to keep your anti-virus tools current. In the perpetual virus "arms race", you should seriously consider updating any product over 6 months old. This part of the chapter examines the major anti-virus tactics, and explains the limitations of each approach.

These are the earliest form of virus protection which appended small programs and checksums to various executable files. When the modified program is run, the anti-virus vaccine calculates the program’s checksum and compares it to the appended checksum. If the two checksums match, control is returned to the executable file and it runs normally. When the comparison fails due to file damage or the presence of a virus, a warning is generated and corrective action can be taken. There are a number of serious drawbacks to the vaccine technique which you should be familiar with:

• The vaccine (or antigen as it was called) is little more than a virus itself. Although it does not reproduce without permission or harm files, many users felt uncomfortable "inoculating" their files intentionally.
• When there are a large number of executable files, the increased disk space needed for each appended vaccine can become significant.
• Device drivers, overlay files, packed .EXE files, and executable data files can not be vaccinated.
• False alarms are typical - especially for self-modifying programs like Borland's SideKick - which force users to remove vaccine protection.
• In some cases, the modifications to an executable file in order to vaccinate it can cause unpredictable program operation - some programs simply do not work with vaccine-based viral defense.
• The virus-type behavior of vaccines often cause false alarms with other non-vaccine anti-virus programs.
• Since vaccine techniques are the same for every files, it is a simple matter for a virus to bypass the vaccine’s loading checksum test, so vaccines provided limited viral protection.

This is a plain and simple technique which utilized byte-by-byte comparisons between known-good files and potentially infected files. Any variation between the two signaled the possibility of a virus. File comparison techniques were initially embraced because they were easy to develop and quick to document, so they were an inexpensive option for anti-virus developers. However, file comparison presents some serious disadvantages in the marketplace:

• The most critical problem is the need for known-good files to be added to the disk (in addition to the normal operating files). Even for large drives, this is a hideous waste of valuable disk space.
• File comparison anti-virus tools often lack the typical resources that are considered to be standard equipment for virus management (i.e. activity logs, data encryption, comprehensive warnings indicating which virus is at work, system lockouts, and wildcard file searches).
• It is a simple matter for viruses to search a disk looking for multiple copies of a file, and infect both copies - rendering the file comparison technique useless.

Software antidotes (sometimes called disinfectors or eradicators) are a close cousin to vaccines, where the antidote "surgically removes" the virus. But antidotes are designed specifically to deal with a limited set of viral strains within a small group of program types. Often, an antidote is designed to check and remove a particular virus. For example, the media scare surrounding the Michaelangelo virus some years back resulted in a number of related "antidote" products developed specifically to check for and eradicate the virus. Such limited operation presents several serious limitations:

• The limited nature of antidotes makes them unsuited for general, system-wide use. Viruses not specifically addressed by the antidote remain totally untouched.
• Since viruses are constantly changing, antidotes must continuously be updated and expanded - otherwise, the antidotes quickly become useless. The constant expense of regular updates is often too much for the average computer user.
• Antidotes often destroy program files while trying to remove virulent code, and are reputed to suffer frequent false alarms which cause the antidote to alter good files in an attempt to remove a virus that is not there. Effectively, this destroys good files as well.
• Each executable file has its own particular characteristics and internal structure. As a result, it is virtually impossible for any one infection antidote to remove a virus from every possible file type.
• Generally, it is safer and more reliable to recover an infected file by overwriting it with an uninfected copy rather than trust an antidote to surgically remove the virus.

Currently, the virus scanner is the most widely accepted type of anti-virus tool. Scanning basically checks each executable file against a fixed set of virus "signatures" - tell-tale fragments of code that indicate the presence of particular viruses. When the virulent code is identified, it can be removed fairly accurately, but many executable files are still destroyed. The technique is fast and flexible, viruses can be identified very accurately, and there are few instances of false alarms or incompatibilities that older techniques suffer from. However, there are still limitations to virus scanning:

• Scanners rely on a fixed set of signatures - if a signature is not in the database, it is not checked. Signature databases are easy to update, but the updates can often be costly (though updates can now be downloaded easily from the Internet). Since viruses are constantly changing, signature databases become outdated quickly.
• Virus scanners cannot detect signatures that change or mutate as the infection propagates through the system. As a result, scanners are largely ineffective against stealth or polymorphic viruses.

One breed of anti-virus tool can be loaded into memory where it will remain resident (TSR) and provide "last-minute" protection against viral infiltration of disk commands and viral activity. Unfortunately, this class of anti-virus tool suffers from a set of very serious problems:

• As a TSR, the program must remain in memory. This consumes valuable memory (often significant amounts of memory) which are needed by other applications. It is not uncommon to eventually disable TSRs to free extra memory for large applications.
• False alarms are commonplace with anti-virus TSRs which mistake disk caching or normal system activity with virus activity. Even communication functions such as e-mail downloads are often interrupted as virus attacks.
• Many systems respond poorly to TSRs. When you consider that TSR technology is intended to coerce DOS to perform multitasking - a feature it was not intended to do - it is no wonder that TSR development is non-standardized. As a consequence, TSRs are often quite troublesome. When used with combinations of other device drivers and TSRs, anti-viral TSRs can present a serious problem.
• Viruses can circumvent anti-virus TSRs by accessing PC hardware directly (such as direct access of disk controllers).

The disk mapping technique is similar to the file comparison process. A mapper maintains a single data file which contains a coded "snapshot" of the protected disk. Each time a mapper is run, it notifies you about any variations between the protected disk files and the "key map". Ideally, these variations will alert you to the possibility of a virus. Many later disk mapping schemes allow users to specify exactly which files (or file types) must be monitored. However, this is not enough to overcome some inherent problems:

• Creating a "key map" of the disk can require a substantial amount of space. The space demand increases along with the number of files which must be "mapped".
• For most professional users, the state of a PC is changing constantly as files are created, modified, and deleted. This demands regular maintenance of the "key map". Such maintenance is often cumbersome and time consuming since disk mappers are typically complex systems to use.
• Disk mappers are typically tied into the boot process to ensure regular "key map" checks and updates. This results in longer (sometimes much longer) boot times.
• Disk mappers are not immune to infiltration and damage by viruses. Some viruses seek out and destroy "key map" files.

The key to dealing with computer viruses is the proper use of anti-virus tools. A quick walk through almost any software store will show you just how many anti-virus products are available. Being able to use those products properly and successfully is not always a simple task. This part of the chapter offers some guidelines to help you handle problems with the tools themselves.

NOTE: Although there are no anti-virus tools on the accompanying CD, you can easily download current, fully functional demo or shareware anti-virus tools from the resources listed at the end of this chapter.

Macro viruses can be detected by most of the current anti-virus tools now available (and you should regularly scan documents for macro viruses), but you may be able to reduce the risk of macro virus effects with the following tips:

• Mark the NORMAL.DOT template file as "read-only". This generally protects the NORMAL.DOT file from infection.
• Use Word 7.0a or Word97 from Microsoft. These versions present an Alert box when the file you are going to open contains macros or customization information. You also have the opportunity to disable unknown macros.

Symptom 51-1. You can not run more than one anti-virus product at a time. This is not an uncommon problem, and occurs most frequently when memory-resident virus protectors conflict with file-based anti-virus tools. When you run more than one anti-virus program, there is always the risk of strange results and false alarms. For example, some anti-virus programs store their "virus signature strings" unprotected in memory. Running incompatible or conflicting anti-virus tools may detect other signature strings or memory-resident activity as a virus. Run only one anti-virus program at a time.

Symptom 51-2. Your anti-virus tool does not function, or causes other drivers to malfunction. Some "terminate-and-stay-resident" (TSR) software may conflict with some anti-virus programs, especially memory-resident anti-virus programs. When problems occur, try booting the system from a clean bootable disk so that there are no other drivers or TSRs in the system aside from the anti-virus tool.

Symptom 51-3. You notice that your anti-virus tool is slowing disk access dramatically, or it locks up under Windows. Normally, many anti-virus tools (especially memory-resident tools) will slow disk access a bit. When there is a tremendous reduction in disk performance, or the tool freezes during operation, it may be that the disk cache being used conflicts with the anti-virus product. Try increasing the number of buffers in the CONFIG.SYS file. If problems continue, try disabling the disk caching software while running the anti-virus product.

Symptom 51-4. The anti-virus tool is reporting false alarms. It is not uncommon for anti-virus products to report false alarms. This happens most often due to conflicts with other memory-resident software running in the system. Try running the software from a clean boot disk. The nature of anti-viral detection techniques also plays a role in reporting false errors. For example, file comparison is a typical technique, but files can be changed for many reasons other than a virus, so false alarms are a strong possibility. Other techniques also have flaws which may result in false alarms.

Symptom 51-5. You are unable to remove the memory-resident anti-virus tool. There is probably another TSR running in the system which is conflicting with the anti-virus tool. You may have to reboot the system in order to clear the anti-virus tool. In the future, try loading the anti-virus tool last - after all other drivers and TSRs are loaded.

Symptom 51-6. The virus scanner is only scanning files very slowly. This is usually an issue with certain older virus scanning software. Ideally, you should be able to correct this problem by upgrading to the latest patch or version of the virus scanner. If you cannot patch or update the program, try scanning only the "Program files" and not "All files" or "Compressed files".

Symptom 51-7. The virus scanner seems to conflict with the boot sector when it scans. If the virus scanner is conflicting with your boot sector (either upon installation or after installing) try choosing the "Custom" setup feature and disable the initial system scan during installation. Then edit the scanner’s configuration to skip the boot scan. As an example for McAfee’s VirusScan product, edit your DEFAULT.VSC file and under the [Scan Options] section, change bSkipBootScan=0 to bSkipBootScan=1. This will skip the boot sector scan when you run VirusScan. This will mean that the boot sector will not be scanned for viruses.

Symptom 51-8. You receive a; "Cannot Load Device Drivers Error" from the virus scanner. This error typically occurs on platforms that have been upgraded from Windows 3.1 to Windows 95, but have not completely uninstalled the 3.1 version of virus scanner (or a previous installation of a Windows 95 virus scanner was not completely removed from the system). You’ll need to remove all traces of the virus scanner manually from SYSTEM.INI and WIN.INI. Let’s use McAfee’s VirusScan as an example. Open the SYSTEM.INI file and remove:

device=MCSCAN32.386

device=MCUTIL.386

device=mCKRNL.386

device=MCFSHOOK.386

device=vshield.386

Open the WIN.INI file and remove:

load = C:\MCAFEE\VIRUSCAN\VSHWIN.EXE

And remove the section:

[VIRUSCAN]

WSCAN=C:\McAfee\VIRUSCAN\WSCAN.EXE

Of course, you should be sure to remove the correct entries for your particular virus scanner.

Symptom 51-9. You receive an "Insufficient memory" message when the virus scanner is loading under Windows95. This error is usually caused when Windows 95 uses a DOS version of a virus scanner to scan the root directory of C: at startup, and there is not enough conventional memory to run the DOS virus scanner. Try updating the virus scanner program or patching it to a later version if possible, or disable virus scanning on Windows 95 startup.

Symptom 51-10. You receive a "Cannot create events" error when the virus scanner is loading. This is usually due to an improperly located KERNEL32.DLL file. Search your computer for the file KERNEL32.DLL on the root of your hard drive (C:). If you move this file to C:\Windows\System where it belongs, this should resolve this issue. Some new systems are shipped with the KERNEL32.DLL file improperly located in the root directory.

That’s all for Chapter 51. Be sure to review the glossary and chapter questions on the accompanying CD. If you have access to the Internet, take some time to review the anti-virus resources listed below:

Command Software Systems: http://www.commandcom.com/

IBM: http://www.av.ibm.com/

McAfee: http://www.mcafee.com or http://www.networkassociate.com/

NCSA: http://www.ncsa.com/

S&S Software International: http://www.drsolomon.com/

Symantec: http://www.symantec.com/avcenter

VSUM: http://www.vsum.com