An Overview of Computer Viruses and Antivirus Software
by Bob Kanish, kanish@concentric.net

Contents

- Preface
- What is a Virus?
- What is a Macro Virus?
- Developing An Effective Antivirus Strategy
- Lines of Defense
- Myths & Pointers
- Getting the Software
- More Information About Viruses
- Glossary
- Disclaimer
- Special Alert: The Hare Virus
- How Current Is This Document?

Preface

If there's one word that can strike fear in the heart of any computer user, especially one who accesses the internet or exchanges diskettes, that word is: virus. Viruses can generate so much fear in the cyber world that news of a new virus often spreads faster than the virus itself. As the Information Manager of a company that produces software for the computer industry, I receive hundreds of diskettes per month and almost as many internet uploads from our customers. Consequently, I have come in contact with many viruses and I have learned quite a bit about them. Through my experiences I have learned that just as important as knowing what viruses can do is knowing what they cannot do.

What is a Virus?

First, what is a virus? A virus is simply a computer program that is intentionally written to attach itself to other programs or disk boot sectors and replicate whenever those programs are executed or those infected disks are accessed. Viruses, as purely replicating entities, will not harm your system as long as they are coded properly. Any system damage resulting from a purely replicating virus happens because of bugs in the code that conflict with the system's configuration. In other words, a well-written virus that only contains code to infect programs will not damage your system. Your programs will contain the virus, but no other harm is done. The real damage--the erasing of files, the formatting of hard drives, the scrambling of partition tables, etc.--is caused by intentional destructive code contained within the virus.

Generally, the destructive part of a virus is programmed to execute when certain conditions are met, usually a certain date, day, time, or number of infections. An example is the now infamous Michelangelo virus. This virus can run rampant on your computer for months and you won't notice that anything is wrong. That is because even though your hard disk's master boot record is infected with the virus, the destructive code has not yet been executed. The virus is programmed to trigger its destructive code on March 6, Michelangelo's birthday. Therefore, if Michelangelo contained no destructive code, nothing bad would happen to your computer even though it was infected with a virus.

An important thing to remember is that not all virus attacks produce catastrophic results. For example, one of the most common viruses in the world is called Form. I got Form from a floppy disk given to me by a friend who didn't know he had the virus. In fact, I didn't know I had it either until I received a call from a company to whom I mailed my resume using that floppy disk. They called me, not to tell me that I got the job, of course, but rather that my computer had the Form virus. How embarrassing! Apparently, Form had been on my computer for a long time, but its effects were so slight that I never noticed it. The only peculiarity I encountered was a clicking sound emitted from my PC speaker every time I pressed a key, but this only happened for one day. Later, I learned that Form is programmed to trigger this action on the 18th of every month. Other than that, it doesn't contain any destructive code.

The only other time my system actually became infected was considerably more serious. It happened only a few months ago on the job. I was scanning a large stack of diskettes for viruses when I was distracted by a phone call. After completing the lengthy call I turned my computer off and took a short break. When I returned I booted my computer, forgetting that I had left a diskette in the A drive. I discovered my error when the floppy drive began to spin. At that point I also noticed that the disk was being accessed far too much for a non-system disk. Upon rebooting from the hard drive, I quickly realized my mistake. A virus called Junkie was all over my hard drive. It had infected command.com, as well as my screen reading software and all associated drivers. The Junkie virus was alive in the boot sector of the diskette that I inadvertently left in the drive, and it ran wild when I accidentally tried to boot from it.

Junkie is a perfect example of a virus that, if written properly, would not have damaged my system. It contains no destructive code. It simply replicates by infecting .com files. However, not all .com files are structurally accurate. Without getting too technical, .com files are raw binary data read by your computer, and .exe files need to be interpreted first. There are some files, particularly ones used by memory management software, that have .com extensions but that are actually written more like .exe files. When Junkie infects one of these types of files, the file becomes corrupted because it is essentially an .exe file, but Junkie has appended .com-like instructions to it; similar to repairing a can opener with parts from a toaster.

After the near heart attack I had during my battle with the Junkie virus, I began to study the phenomenon very seriously, and since then, though I have run into many viruses on the job, none of them has infected my computer. This is because I now have an effective antivirus strategy in place.

What Is A Macro Virus?

The most common viruses that infect computers today--viruses such as Concept, Nuclear, Showoff, Adam, Wazzu, and Laroux--are macro viruses. They replicate by a completely different method than conventional viruses. We said earlier that a virus is a small computer program that needs to be executed by either running it or having it load from the boot sector of a disk. These types of viruses can spread through any program that they attach themselves to. Macro viruses cannot attach themselves to just any program. Rather, each one can only spread through one specific program. The two most common types of macro viruses are Microsoft Word and Microsoft Excel viruses. These two programs are equipped with sophisticated macro languages so that many tasks can be automated with little or no input from the user. Virus writers quickly realized that it would be possible to construct self-replicating macros using these languages. This is possible because Word documents and Excel spreadsheets can contain auto open macros. This means that when you open a Word document in Word or an Excel spreadsheet in Excel, any auto open macros contained within the document will execute automatically and you won't even know it's happening. In addition to auto open macros, both of these programs make use of a global macro template, which means that any macros stored in this global file will automatically execute whenever something is opened in that program. Macro viruses exploit these two aspects to enable themselves to replicate.

Here's how it works... You open an infected document in Microsoft Word. (Remember, Word documents can contain auto open macros.) These macros, which in this example contain a virus, execute when the document is opened and copy themselves into the global template that Word uses to store global macros. Since the infected macros are now part of your global template file, they will automatically execute and copy themselves into other Word documents whenever you open any document in Microsoft Word. Excel macro viruses work in relatively the same way. Because Word documents and Excel spreadsheets contain auto open macros, it is important to think of them as computer programs in a sense. In other words, when you open Word documents in Word, or Excel spreadsheets in Excel, you could be executing harmful code that is built right into the objects you're opening. They should be checked thoroughly for viruses before you open them in their respective programs. It is important to have an effective anti-virus strategy in place to prevent infection by these and all other kinds of viruses.

Developing an Effective Antivirus Strategy

Anyone who does a lot of downloading, or accesses diskettes from the outside world on a regular basis, should develop an antivirus strategy. The most important weapon in your antivirus arsenal is a clean, write-protected bootable system diskette. Booting from a clean write-protected diskette is the only way to start up your system without any viruses in memory. No virus scanner/cleaner of any quality will run if there is a virus in memory, because more programs can be infected by the virus as the scanner opens the files to check them. This diskette should also contain a record of your hard disk's master boot record, partition table, and your computer's CMOS data. Most antivirus packages contain utilities that can store this information for you. Lastly, this diskette should contain your favorite scanning/cleaning software, because a virus may have infected this program on your hard drive. Running it from a clean diskette will ensure that you're not spreading the virus further.

A second effective defense against viruses is a clean backup of your hard drive. Many antivirus packages will attempt to disinfect infected programs for you so that the virus is no longer in your system. However, there are times when removing the harmful code from programs or from the master boot record does not solve the problem completely. Some programs may not run properly because their code has been altered, or your system may not boot properly because of the alterations made to the master boot record. In addition, there are some viruses, Midnight for example, that encrypt or scramble the data files associated with a program, which are then descrambled by the virus when the program is executed. If you remove the virus from the program, the data is still scrambled and the virus is not there anymore to descramble it. A good reliable backup ensures that all of these problems are solved and everything is back to normal.

The third part of your antivirus strategy should be antivirus software, preferably more than one package since no one product can do everything. There are many products out there to help you guard against viruses. Since other people have gone to great lengths to review these products I am not going to go into detail about them. I will briefly talk about which programs I use to give you an example of how antivirus software can be used, but please remember that these are only my opinions and should not be considered advertisements for these products. At the end of this article I will tell you where to find more reviews than you can imagine. Again, these are only my opinions.

Lines of Defense

I personally use three antivirus packages concurrently. The first is Viruscan from McAfee Associates. I use it mainly because when my company started to become virus-conscious we wanted to get a comprehensive package to guard against them. Everybody we knew seemed to use McAfee so that's what we bought. I must tell you that after seeing what some other products can do I am not that impressed with McAfee anymore. One reason is that McAfee tends to mis-diagnose some viruses. This is a problem because if your computer is infected with virus A, but McAfee thinks it's virus B, it will attempt to disinfect a virus that's not there, which can badly mess things up on your system. I will say that if you are a casual computer user, McAfee is probably all you'll ever need, because it is easy to use and it does a good job disinfecting most common viruses.
I still use McAfee just because it's there, but I never take its word as gospel.

The second program I use is called f-prot from Frisk Software. I like f-prot quite a bit because it uses two different methods to scan for viruses. It uses signature-based scanning like all other programs, but it also uses heuristics. What the hell does that mean? All antivirus scanners check for viruses by checking your files for certain search strings called signatures. Each virus that is recognizable by the program has a signature associated with it, along with data to disinfect the virus if possible. F-prot goes a step further. In addition to detecting known viruses through the use of search strings, it also analyzes your files to see if they contain virus-like code. It checks for things such as time-triggered events, routines to search for .com and .exe files, software load trapping so that the virus can execute first and then start the program, disk writes that bypass DOS, etc. Heuristics is a relatively new but effective way to find viruses that do not yet have a search string defined for them. From tests that I have run, f-prot seems to make the most accurate diagnoses of viruses.

The third program I use, and my main line of defense, is called Thunderbyte from Thunderbyte B.B. Thunderbyte is a complete set of utilities that, when used together, protect your computer against virtually any kind of attack. Thunderbyte's scanner also uses signatures and heuristics. It is also able to decrypt encrypted viruses to determine what they are. As I stated earlier, f-prot makes more accurate assessments, but Thunderbyte does not have to rely on its assessments to be able to clean a virus off of your system.
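The two scanning methods the article attributes to f-prot and Thunderbyte, as an added example that is not code from the article or from either product: a signature pass over search strings, then a heuristic pass that scores the DOS-era behaviours listed above (date checks, .com/.exe searches, interrupt hooking, direct disk writes). The signatures, samples, weights and threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed signatures for this example (not real virus signatures): the
# search string a signature scanner looks for, keyed by detection name.
SIGNATURES = {
    "Example.Demo-A": b"DEMO-SIG-A",
    "Example.Demo-B": b"\xe9\x00\x01DEMO-B",
}

# Heuristic rules modelled on the behaviours the article lists, expressed as
# 16-bit DOS code idioms: (weight, what it suggests, byte pattern).
HEURISTICS = [
    (2, "reads the system date (INT 21h AH=2Ah): possible time trigger", b"\xb4\x2a\xcd\x21"),
    (2, "searches for .COM files", b"*.COM"),
    (2, "searches for .EXE files", b"*.EXE"),
    (3, "hooks INT 21h (AH=25h set vector): load trapping", b"\xb8\x21\x25\xcd\x21"),
    (3, "writes sectors via INT 13h (AH=03h): bypasses DOS", b"\xb4\x03\xcd\x13"),
]
SUSPICION_THRESHOLD = 5  # chosen for the example; a real scanner tunes this

@dataclass
class ScanResult:
    signature: Optional[str]          # known virus name, or None
    heuristic_score: int
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.signature is not None or self.heuristic_score >= SUSPICION_THRESHOLD

def scan_bytes(data: bytes) -> ScanResult:
    """Signature pass first, then a heuristic pass so an unknown variant still scores."""
    signature = next((name for name, sig in SIGNATURES.items() if sig in data), None)
    score, findings = 0, []
    for weight, meaning, pattern in HEURISTICS:
        if pattern in data:
            score += weight
            findings.append(meaning)
    return ScanResult(signature, score, findings)

# Constructed samples: a harmless DOS tool, a file carrying a known signature,
# and an unknown file that only the heuristic pass can flag.
CLEAN = b"\xb4\x09\xba\x00\x01\xcd\x21Hello from a harmless tool$\xcd\x20"
KNOWN = b"\xe9\x10\x00DEMO-SIG-A\xcd\x20"
UNKNOWN = b"\xb4\x2a\xcd\x21*.COM\x00\xb8\x21\x25\xcd\x21\xcd\x20"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("known", KNOWN), ("unknown", UNKNOWN)):
        r = scan_bytes(sample)
        print(label, r.signature, r.heuristic_score, r.suspicious, r.findings)
```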
Thunderbyte can do this because it generates a file in each of your directories that contains a detailed record of each executable file (the vehicle by which viruses are spread), so that if your programs are hit by a virus, no matter which one it is, it can rebuild them back to their original, uninfected state. Of course, this doesn't fix the problem I discussed earlier about viruses that encrypt data, but the program also has a defense against this. Thunderbyte comes with a set of memory-resident utilities that monitor the activity of your
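An added example, not Thunderbyte's own code, of the per-directory record described in the last paragraph: it fingerprints each executable while the directory is known to be clean, reports which ones have since changed, and rebuilds a file whose infection appended code and patched the header. The record file name, the header length and the walk-through in demo() are assumptions constructed for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

RECORD_NAME = "anti-vir.rec"  # hypothetical name for the per-directory record
HEAD_LEN = 32                 # header bytes kept so a patched entry point can be put back
EXEC_SUFFIXES = {".com", ".exe"}

def fingerprint(path: Path) -> dict:
    data = path.read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "head": data[:HEAD_LEN].hex()}

def write_record(directory: Path) -> dict:
    """Record every executable in one directory while it is known to be clean."""
    rec = {p.name: fingerprint(p) for p in sorted(directory.iterdir())
           if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}
    (directory / RECORD_NAME).write_text(json.dumps(rec))
    return rec

def check_directory(directory: Path) -> dict:
    """Compare each recorded executable with its record: 'ok', 'modified' or 'missing'."""
    rec = json.loads((directory / RECORD_NAME).read_text())
    return {name: ("missing" if not (directory / name).exists()
                   else "ok" if fingerprint(directory / name) == saved else "modified")
            for name, saved in rec.items()}

def rebuild(directory: Path, name: str) -> bool:
    """Put the recorded header back and cut the file to its recorded length (undoing an
    appended infection); rewrite only if the result matches the recorded hash, else leave it."""
    saved = json.loads((directory / RECORD_NAME).read_text())[name]
    data = (directory / name).read_bytes()
    candidate = bytes.fromhex(saved["head"]) + data[HEAD_LEN:saved["size"]]
    if hashlib.sha256(candidate).hexdigest() != saved["sha256"]:
        return False  # not a simple append; restore from backup instead
    (directory / name).write_bytes(candidate)
    return True

def demo() -> dict:
    """Constructed walk-through in a temporary directory: record, damage, check, rebuild."""
    d = Path(tempfile.mkdtemp())
    prog, original = d / "TOOL.COM", b"\xb4\x09\xba\x09\x01\xcd\x21\xcd\x20Hello$" + b"\x00" * 40
    prog.write_bytes(original)
    write_record(d)
    # Constructed damage in the shape the article describes for .com infectors:
    # a jump patched over the first bytes and extra code appended at the end.
    prog.write_bytes(b"\xe9\x34\x00" + original[3:] + b"APPENDED-CODE")
    before = check_directory(d)["TOOL.COM"]
    restored = rebuild(d, "TOOL.COM")
    return {"before": before, "restored": restored, "after": check_directory(d)["TOOL.COM"]}
```

A file that was overwritten rather than appended to fails the hash check and is left untouched, which is exactly the case the article's clean backup covers.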