You are working away on your computer, engrossed in your spreadsheet when a message pops up, "You’re now Stoned." What was that?
While trying to open a database of business contacts, your friend gets a message that the file cannot be read. She doesn’t have a backup of the file—now all the information that she collected over years is lost.
You are copying files from a floppy disk to the hard drive, and you find that all the files are only 1kB in size after being copied.
How did these happen? What could be wrong? Could these be the work of... viruses?
If things seem slow on your PC, files mysteriously disappear, or the computer crashes for no apparent reason, your PC may well be under a virus attack. A computer virus attack can cause a whole lot of damage to your program and data files. You may not even notice them for a long time while they quietly go about deleting and damaging your important files. If viruses are not found and removed in time, you may find one day that your hard disk has been formatted, and that is not a pleasant thing at all.
So what are these viruses? How do they spread? Here we answer some of your questions on computer viruses.
What’s a virus?
A computer virus is a program that spreads across computers by attaching a copy of itself to the files on your computer. When you run the infected file the virus goes into action. A virus is usually harmful and can corrupt data, overwrite files, or use up system resources and slow it down in the process. Some may be merely annoying like asking you to type in a certain message to continue or popping up messages on the screen.
Where do viruses come from?
Viruses are usually written by mischievous programmers to cause trouble. Some people say that it is an example of creativity gone astray. It all started in 1986 when two Pakistani programmers Amjad and Basit created a virus called Brain. They were upset over the fact that they couldn’t land a good job. The Brain virus was rather tame and didn’t cause any real damage. When it infected a disk, it would simply change the volume label to "(c) Brain". It only worked on 360 kB disks (you can find these in museums today).
When word about Brain got around, other programmers got into the act. The first few viruses were not very dangerous. A virus called Pong showed a bouncing ball on the screen and another called Joshi would ask you to type in "Happy birthday Joshi" for the system to continue working. Though these menaces were around, programs to detect and remove them (called anti-virus programs) were rare. Most programs were shareware or freeware. But by 1990, malicious viruses started appearing. These included Dark Avenger, Jerusalem, and 1260. These viruses would deliberately delete or damage files from hard disks and floppies. Only after these viruses appeared on the scene did companies sit up and take notice. Commercial virus scanners were developed—the foremost was the McAfee VirusScan. By 1993, smarter viruses such as stealth and polymorphic viruses that evaded virus scanners appeared.
Are there many types of viruses?
Yes, there are. Let’s look at the main types depending on the area they infect.
Boot sector viruses: These viruses infect the boot sector of disks. A boot sector stores the programs that have to be executed when you start your PC. By infecting this area of a disk, the virus loads itself whenever you boot with that disk. It then remains in your PC’s memory and infects any other disk you use on your system.
There’s a more dangerous virus type you’ve to watch out for—the Partition Sector virus. It stays in an area called the Master Boot Record (MBR) which stores the information about the partitions on your hard drive. The partition sector also has a program that is run every time you power up your PC. So when you start your PC the virus is loaded into memory straight away. Some viruses also encrypt the contents of the Master Boot Record. This makes removal of the virus dangerous—removing it might mean that the contents of your hard disk cannot be accessed any more (since only the virus can decrypt the MBR contents).
File viruses: These are by far the most infectious kind. File viruses attach a copy of themselves onto the beginning of an executable file (files with a .COM or .EXE extension). When you run the infected file, the virus code gets executed. The more intelligent viruses then execute the actual file—so everything appears normal. But the virus is now in your PC’s memory. When another "clean" executable file is run, the virus attaches itself to that file. It soon infects most of the programs on your hard disk. So all your precious data is at great risk.
Cluster viruses: Cluster viruses store a single virus copy in a certain area on the disk. Then they change the DOS directory information so that the location of each program in the File Allocation Table (FAT) points to the area where the virus sits. When you run a program, the virus gets to work, and then it runs the original program. And this increases the chances of your data getting corrupted.
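The boot sector and partition sector paragraphs above describe a 512-byte sector that holds both a start-up program and the partition information. The following is an added example, not part of the original article, of how a defender can record a known-good copy of that sector and later check it for changes; the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0-445: the program run at power-up
ENTRY_LEN = 16                # bytes 446-509: four partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        offset = BOOT_CODE_LEN + index * ENTRY_LEN
        # status, (CHS start skipped), type, (CHS end skipped), first LBA, count
        status, ptype, first_lba, count = struct.unpack_from(
            "<B3xB3xII", sector, offset)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append((index, status == 0x80, ptype, first_lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(baseline: dict, current: dict) -> list[str]:
    """List what differs between a known-good record and the sector read now."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes, first_lba: int = 63) -> bytes:
    """Constructed test sector: one bootable FAT16 (type 0x06) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, first_lba, 1_024_000)
    table = entry + bytes(ENTRY_LEN * 3)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


if __name__ == "__main__":
    known_good = parse_mbr(build_sample_mbr(b"constructed boot code v1"))
    now = parse_mbr(build_sample_mbr(b"constructed boot code v2"))
    print(compare_to_baseline(known_good, now))
```

The comparison is only as trustworthy as the read it is based on, so the sector should be read after starting the PC from a clean, write-protected boot disk rather than from a system that may already have a resident virus.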
You can also classify viruses in the many ways they infect your computer. Here are the main ones.
Stealth viruses: These viruses try to conceal their presence by hiding the modifications they make. When any application asks for some disk information—file sizes, free disk space, and so on—the virus intercepts it and gives back the original information instead of the actual information. For instance, you ask your PC for a directory listing. If there is a stealth virus at work, it intercepts your query. Instead of reporting a larger file size for an infected file (say, 44 kB), the virus reports the original size of the file (say, 42 kB). So everything looks normal, and you don’t smell a virus.
Polymorphic viruses: Most virus scanners look for "search strings" within a program to detect viruses. For example, the code for the "Stoned" virus contains the string (set of characters or phrase) "Your PC is now Stoned!" Polymorphic viruses encrypt their code on each infection so that the virus codes of two infected files don’t look the same. So detecting these viruses is much harder.
Multipartite viruses: These are particularly nasty. They can infect both the boot sector as well as files. So they spread much more quickly than other viruses. Fortunately, their occurrence is rare.
Fast, slow, and sparse infecting viruses: A fast infecting virus infects files whenever they are accessed. So whenever you read a file, or write or modify it, or just do a directory listing, the file gets infected. This makes them easier to detect but they can be dangerous too. When you run a virus scan all files are read. If your virus scanner is outdated and can’t catch the virus, your entire hard disk will be infected.
Slow infecting viruses infect files only when you modify or create files. Sparse infectors get into action only under certain conditions. For example, such a virus might infect a file only on a certain date or it might infect files above a certain size.
Macro viruses: Some time back it was an accepted fact that viruses couldn’t be executed by viewing pure data such as graphic files, documents, spreadsheets, and so on. That is still largely true. But a new breed of viruses called macro viruses has made the viewing of word processor documents potentially more dangerous. Here’s how they work.
Office suites like Microsoft Office have grown in features over the years. Today, Microsoft Office packs within it a full programming language—Visual Basic for Applications (VBA). This lets users write their own programs to automate repetitive tasks. For example, if you want to replace the occurrence of "Madras" in multiple documents with "Chennai", you can write a macro in VBA to do this instead of doing it manually. Macros are stored in document templates as well as documents. VBA also has a feature that lets you automatically run a macro when a document is opened. To do this, all you have to do is create a macro called AutoOpen. This macro will run automatically. Some nasty people caught onto the fact that this feature could be used to spread harmful code, and macro viruses were born. A macro virus creates a macro called AutoOpen and writes some code into it that enables it to spread to other documents—usually by infecting the default Normal.DOT template. This problem has now reached very serious proportions because of the frequent exchange of documents and spreadsheets among people. Microsoft Office 97 now includes a feature that will let you disable macros when files are opened.
Worms, Trojan horses, and logic bombs: While these are not strictly viruses, they deserve a mention. Worms are usually found on networks and do not infect files the way viruses do. Instead, they replicate and keep creating copies of themselves in memory, which in turn create more copies. Fortunately, with proper resource monitoring, they are easy to detect.
Trojan horses are programs that pretend to do something useful but actually harm your system in some way. Trojans don’t spread easily as you must distribute the actual program to other people for it to work. A logic bomb is a program that activates some malicious code once a certain event occurs. This could be a certain date, the hard disk capacity reaching a certain size or even a file with a certain name (such as john.doc) existing on your hard disk. A logic bomb is very difficult to detect because it doesn’t infect files and only gets triggered after a certain event.
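The "search string" scanning described under polymorphic viruses above can be shown in a few lines. This added example, which is not part of the original article, runs a plain search-string scan over constructed samples, shows why it misses a copy whose bytes were encoded differently, and goes one step beyond the article with a scan that tries every single-byte XOR key. Single-byte XOR is an assumption used here as the simplest stand-in for per-infection encryption, and all function names are hypothetical.

```python
# Signature table: name -> search string. The Stoned string is the one quoted
# in the article; a real scanner matches code bytes, not only message text.
SIGNATURES = {"Stoned": b"Your PC is now Stoned!"}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for per-infection encryption (assumption)."""
    return bytes(b ^ key for b in data)


def scan_plain(data: bytes) -> list[str]:
    """Classic search-string scan: report each signature found verbatim."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_all_keys(data: bytes) -> list[tuple[str, int]]:
    """Search for each signature under all 256 single-byte XOR keys.

    Returns (name, key) pairs; key 0 is the unencoded case.
    """
    hits = []
    for name, sig in SIGNATURES.items():
        for key in range(256):
            if xor_bytes(sig, key) in data:
                hits.append((name, key))
    return hits


def make_sample(key: int) -> bytes:
    """Constructed sample: filler text around the string, encoded with key."""
    body = b"PROGRAM-HEADER--" + SIGNATURES["Stoned"] + b"--PROGRAM-END"
    return xor_bytes(body, key) if key else body


if __name__ == "__main__":
    for key in (0x00, 0x5A, 0x3C):
        sample = make_sample(key)
        print(hex(key), scan_plain(sample), scan_all_keys(sample))
```

The key-trying scan only works because the stand-in encoding is so simple; it illustrates why scanners needed more than fixed strings once two infected files no longer looked alike.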
How do viruses spread?
Viruses almost always depend upon exchange of data to spread. Here are the major ways they spread.
Pirated software: Commercial software is usually scanned very thoroughly for viruses (though viruses have been known to be on software from some reputed software vendors also). The average software pirate collects lots of software on his hard disk and then burns them onto a CD with a CD writer. If the pirate’s system is infected, the executable files on the newly created CD could be infected as well. These would then infect your system when you install the software. Vendors of assembled PCs sometimes install software on the system you buy from them. A virus scanner is not usually among them. In the bargain, you could be getting a free virus pre-installed for you.
Exchange of programs among friends and relatives: Here’s what usually happens. Anil has a virus on his system. His friend Kartik asks him to give him a copy of a great utility that Anil has. Anil gives it to him on a disk, which gets infected. Kartik takes it home and installs it on his father’s computer. Now his computer is also infected.
Programs used by service engineers: This is quite common. Let’s say that your PC has a problem. You call a service engineer to fix it. The engineer brings a floppy which has some utilities. The disk is infected with a virus. The service engineer boots your PC with his floppy so that no additional drivers or programs are loaded into memory. He does this with good intentions as he wants to identify the precise cause of the problem. Unfortunately, he has just given the virus on his disk a free run since any memory-resident virus scanning program is also disabled.
Internet downloads: It’s true that an executable file that you download could have a virus, but the problem is not as serious as it is hyped up to be. If you download some shareware from popular download sites such as DOWNLOAD.COM, it would have been well scanned for viruses before being put up on the site. What you do have to watch out for though, are any .exe attachments your friends or associates send you. These could be infected.
Next month, we tell you a little more about viruses—how to detect and remove them. We will also answer some of the frequently asked questions about viruses.
With a good anti-virus program and precaution, you can keep computer viruses at bay
Once we shake off the initial fear of computers, many of us go about working, happily typing away without any worries. Everything may look fine, but may not be—especially if your PC has a few viruses. And if you think viruses won’t attack your PC, think again. If you don’t take action now, you could end up with damaged programs, lost data, or maybe a crashed hard disk.
Last month we talked about viruses—what they are, what are the different types, and what harm they can do. Here we’ll look at ways to tackle the virus menace. Does my PC have a virus? How do I know? What should I do? What about my data? We also answer some of your questions about keeping your PC virus-free.
Viruses are written by programmers to cause trouble. Most are meant to cause harm and they usually try to hide all traces of their presence. If your PC has suddenly started acting funny, it could mean you have a virus. Here are some of the common things that could mean your PC is infected:
Windows or your other applications don’t load properly, or give strange error messages
You find that files that were there on your hard disk earlier have now disappeared
Strange characters or messages appear on your screen from time to time
Programs seem to run very slowly or run out of memory
Your computer "freezes" without any apparent reason
But these symptoms don’t necessarily mean that your PC is infected. It could mean that there’s some problem with your hardware or your software. For instance, if you have deleted some program from your PC without properly uninstalling it, you could get some error messages.
Or someone could have deleted some files without your knowledge—that could explain missing files. Your PC could have some faulty memory chips or a software bug in an application, making it hang frequently. Whatever the reasons, it’s still a good idea to check your system for viruses. Now how do we do that?
Use anti-virus software or a virus scanner. Some of the popular ones are McAfee VirusScan, Norton Anti-Virus, F-Prot, Nashot, and Red Alert. Good anti-virus software should have two main applications. One is memory resident—this lies low in the background and checks all the applications you run for any signs of a virus or virus-like activity. This will alert you if any virus tries to infect the system. The other application is a full-scale scanning program that scans all your floppy disks and hard disks for viruses. A good anti-virus program should also be able to find macro viruses and hostile Java and ActiveX applets.
But before you run a virus scan you have to be sure that the scanning program itself isn’t infected. Many anti-virus programs check themselves before loading so that you can be warned. But it’s still a good idea to start off "clean". This means that you load only your operating system on your PC—this is done from a floppy disk, and no other programs on the hard disk are loaded. This brings down the chances of a virus getting activated.
Make sure you have a "clean" bootable disk. You should ideally create this when you have installed only your operating system, say Windows 95. To create a boot disk in Windows 95 go to Start-Settings-Control Panel-Add/Remove Programs. Click on the Startup Disk tab and select "Create Disk". This will wipe out everything on your floppy, so make sure the floppy doesn’t have something you don’t want to lose. Write-protect this floppy (push the little notch in the corner back till a little square hole is visible). This will prevent any programs from writing anything onto the disk. Most good anti-virus programs also let you create "rescue disks". These disks are bootable and contain a virus-free copy of the anti-virus program which you can run in case there is a virus infection.
Reboot your computer with your clean boot disk or anti-virus "rescue disk" in the floppy drive. This ensures that no boot sector virus will load itself into the PC’s memory.
Run your anti-virus software from the floppy drive to find the infected files and fix them. When the virus has been removed, the program will tell you so.
After all viruses have been removed, run the virus scan again to re-check your system.
Check all your floppy disks for viruses, even ones that you haven’t used recently. An old floppy could have sneaked a virus into your PC long ago and you wouldn’t have even known it.
Now we get to the most important part. Try to guess where you could have got the virus from. Think back—when was the virus first found and what data did you exchange at the time. This is important because if you got the virus from a friend’s disk, there is a good chance that your friend’s other disks may be infected too. So you have to take extra care to avoid another infection.
Remember that while good virus scanners can find most viruses and remove them from executable files, they usually cannot repair any damage that a virus has done to your data files. You have no choice but to restore them from backup copies.
Can I get a virus from a floppy disk even if I only have data files on it?
Yes. Even if you don’t have any applications on the floppy, it could still be infected by a boot sector virus. It is a common misconception that only executable files can have viruses. And there are macro viruses too which are part of Word or Excel files.
If my PC is acting funny, is it definitely because of a virus?
Not necessarily. It’s more likely to be a software problem. It could have a bug in it. Or it could be a faulty driver, or maybe your hardware has a problem.
Can I get a virus through e-mail messages?
No. E-mail messages are only text and cannot be executed, so you’re perfectly safe. Many e-mail hoaxes have floated on the Internet—the "Good Times" and the "Join the crew!" virus hoaxes, for instance. These messages carry a warning message that if you open any e-mail with Good Times, or some similar phrase in the subject line, your hard disk would get wiped out (or some other damage would happen). Some people panic and send copies of these messages to all their friends and colleagues. Don’t believe any of these. But any binary attachments that you get from other people could be infected. Scan these before you run them.
If I am connected to the Internet, will I catch a virus?
You won’t get a virus just by connecting to the Internet. But if you download some application that is infected with a virus, your PC will get infected when you run the application.
I’ve heard that some Websites put "cookies" on your computer. Can these have a virus?
A cookie is a small text file that some Websites store on your hard disk every time you visit them. Cookies store some information about you so that the Web page can be customized to suit your interests. A cookie can only be read by the Web server that created it. Since a cookie is merely a text data file and contains no executable code, there is no harm from them.
Is my data completely safe if I use an anti-virus software?
No. No anti-virus program is completely fool-proof. Some viruses are clever enough to escape the notice of a virus scanner. If you don’t keep your virus scanner updated with the latest virus definitions, a new virus unknown to the scanner could infect your system.
Some people also turn off the background virus monitoring in their scanners because they think it slows things down. This just makes it easier for viruses to get in. And if your PC already has a virus infection, it is possible that the virus may have already damaged some program or data files. A virus scanner may be able to remove the virus, but it cannot recover your files.
Okay. If I get an update to the anti-virus, is my data safe?
An up-to-date scanner will protect your system to a large extent, but it is not completely foolproof. The reason is that when a new virus is detected, it usually will have infected a system. Then someone has to give a copy of the infected file to the anti-virus company so that they can analyze the virus code. The company has to find a reliable way of removing the virus from your system. This takes time and it can be a few months before a cure for that particular virus is released. So there’s a tiny chance that you could be infected with an (as yet) unknown virus.