What are the symptoms and indications of a virus infection?

Viruses try to spread as much as possible before they deliver their "payload", but there can be symptoms of virus infection before this, and it is important to use this opportunity to spot and eradicate the virus before any destruction.

There are various kinds of symptoms which some virus authors have written into their programs, such as messages, music and graphical displays. However, the main indications are changes in file sizes and contents, changes to interrupt vectors, or the reassignment of other system resources. Unaccounted-for use of RAM, or a reduction in the amount of RAM known to be in the machine, are important indicators. Examination of the code is valuable to the trained eye, but even a novice can often spot the gross differences between a valid boot sector and an infected one. However, these symptoms, along with longer disk activity and strange behaviour from the hardware, can also be caused by genuine software, by harmless "prank" programs, or by hardware faults.

The only foolproof way to determine that a virus is present is for an expert to analyze the assembly code contained in all programs and system areas, but this is usually impracticable. Virus scanners go some way towards that by looking in that code for known viruses; some will even try to use heuristic means to spot viral code, but this is not always reliable. It is wise to arm yourself with the latest anti-viral software, but also to pay close attention to your system; look particularly for any change in the memory map or configuration as soon as you start the computer. For users of DOS 5.0, the MEM program with the /C switch is very handy for this. If you have DRDOS, use MEM with the /A switch; if you have an earlier version, use CHKDSK or the commonly-available PMAP or MAPMEM utilities. You don't have to know what all the numbers mean, only that they change. Mac users have "info" options that give some indication of memory use, but may need ResEdit for more detail.

What steps should be taken in diagnosing and identifying viruses?

Most of the time, a virus scanner program will take care of that for you. (Remember, though, that scanning programs must be kept up to date. Also remember that different scanner authors may call the same virus by different names. If you want to identify a virus in order to ask for help, it is best to run at least two scanners on it and, when asking, say which scanners, and what versions, gave the names.) To help identify problems early, run the scanner on new programs and diskettes; when an integrity checker reports a mismatch; when a generic monitoring program sounds an alarm; or when you receive an updated version of a scanner (or a different scanner than the one you have been using). However, because of the time required, it is not generally advisable to insert into your AUTOEXEC.BAT file a command to run a scanner on an entire hard disk on every boot.

If you run into an alarm that the scanner doesn't identify, or doesn't properly clean up for you, first verify that the version you are using is the most recent, and then get in touch with one of the reputable anti-virus researchers, who may ask you to send them a copy of the infected file. See also question C10.

What is the best way to remove a virus?

In order that downtime be short and losses low, do the minimum that you must to restore the system to a normal state, starting with booting the system from a clean diskette. It is very unlikely that you need to low-level reformat the hard disk!

If backups of the infected files are available and appropriate care was taken when making the backups (see D10), this is the safest solution, even though it requires a lot of work if many files are involved.

More commonly, a disinfecting program is used. If the virus is a boot sector infector, you can continue using the computer with relative safety if you boot it from a clean system diskette, but it is wise to go through all your diskettes removing infection, since sooner or later you may be careless and leave a diskette in the machine when it reboots. Boot sector infections on PCs can be cured by a two-step approach of replacing the MBR (on the hard disk), either by using a backup or by the FDISK /MBR command (from DOS 5 and up), then using the SYS command to replace the DOS boot sector. Note that FDISK /MBR rewrites only the boot code and leaves the partition table as it finds it: if the virus has moved or encrypted the partition table (some MBR infectors do), rewriting the code first can leave the disk unbootable or its partitions inaccessible, so check what the scanner says about the particular virus, or restore from a backup of the MBR, before using it.

What does the (insert name here) virus do?

If an anti-virus program has detected a virus on your computer, don't rush to post a question to this list asking what it does. First, it might be a false positive alert (especially if the virus is found only in one file), and second, some viruses are extremely common, so the question "What does the Stoned virus do?" or "What does the Jerusalem virus do?" is asked here repeatedly. While this list is monitored by several anti-virus experts, they get tired of perpetually answering the same questions over and over again. In any case, if you really need to know what a particular virus does (as opposed to knowing enough to get rid of it), you will need a longer treatise than could be given to you here.

For example, the Stoned virus replaces the disk's boot record with its own, relocating the original to a sector on the disk that may or may not lie in an unused portion of the root directory of a DOS diskette; when active, it sits in an area a few kilobytes below the top of memory. All of this description could apply to a number of common viruses; but the important points of where the original boot sector goes, and what effect that has on networking software, non-DOS partitions, and so on, are all major questions in themselves.

Therefore, it is better if you first try to answer your question yourself. There are several sources of information about the known computer viruses, so please consult one of them before requesting information publicly. Chances are that your virus is rather well known and that it is already described in detail in at least one of these sources. (See the answer to question A7, for instance.)

What are "false positives" and "false negatives"?

A FALSE POSITIVE (or Type-I) error is one in which the anti-viral software claims that a given file is infected by a virus when in reality the file is clean. A FALSE NEGATIVE (or Type-II) error is one in which the software fails to indicate that an infected file is infected. Clearly false negatives are more serious than false positives, although both are undesirable.

It has been proven by Dr. Fred Cohen that every virus detector must have either false positives or false negatives or both. This is expressed by saying that detection of viruses is UNDECIDABLE. However, his theorem does not preclude a program which has no false negatives and *very few* false positives (e.g. if the only false positives are those due to the file containing viral code which is never actually executed, so that technically we do not have a virus).

In the case of virus scanners, false positives are rare, but they can arise if the scan string chosen for a given virus is also present in some benign programs because the string was not well chosen. False negatives are more common with virus scanners because scanners will miss a completely new or a heavily modified virus.

One other serious problem could occur: A positive that is misdiagnosed (e.g., a scanner that detects the Empire virus in a boot record but reports it as the Stoned). In the case of a boot sector infector, use of a Stoned specific "cure" to recover from the Empire could result in an unreadable disk or loss of extended partitions. Similarly, sometimes "generic" recovery can result in unusable files, unless a check is made (e.g. by comparing checksums) that the recovered file is identical to the original file. Some more recent products store information about the original programs to allow verification of recovery processes.

Could an anti-viral program itself be infected?

Yes, so it is important to obtain this software from good sources, and to trust results only after running scanners from a "clean" system. But there are situations where a scanner appears to be infected when it isn't.

Most antiviral programs try very hard to identify only viral infections, but sometimes they give false alarms. If two different antiviral programs are both of the "scanner" type, they will each contain "signature strings" to identify viral infections. If those strings are not "encrypted" (stored in some disguised form), then one scanner's signature file will be identified as infected by the other scanner. Also, if a scanner does not remove its strings from memory after it is run, then another scanner may detect the virus string "in memory".

Some "change detection" type antiviral programs add a bit of code or data to a program when "protecting" it. This might be detected by another "change detector" as a change to a program, and therefore suspicious.

It is good practice to use more than one antiviral program. Do be aware, however, that antiviral programs, by their nature, may confuse each other.
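The following is an added example, not code from the FAQ or from any of the products it names, showing in a toy string scanner the three effects described above and under "false positives/false negatives": a false positive caused by a badly chosen scan string, a false negative on a variant that differs by one byte, and a scanner whose plain signature database is itself "detected" by another scanner, together with the usual fix of keeping the strings XOR-ed and decoding each one only while it is searched for. All byte strings and sample "programs" here are constructed for the illustration; they are not real virus signatures.

```python
"""Toy string scanner: a false positive from a badly chosen scan string,
a false negative on a patched variant, and why a signature database kept
in the clear looks 'infected' to another scanner.  Every byte string below
is constructed for this example; none is a real virus signature."""
from typing import Dict, List

# "Toy-A" is deliberately a BAD scan string: B8 00 4C CD 21 is
# MOV AX,4C00h / INT 21h, the standard DOS program-exit sequence that
# nearly every clean .COM/.EXE contains.  "Toy-B" is an arbitrary made-up
# sequence standing in for a distinctive, well-chosen string.
SIGNATURES: Dict[str, bytes] = {
    "Toy-A": bytes.fromhex("b8004ccd21"),
    "Toy-B": bytes.fromhex("2ea11304482ea31304"),
}

XOR_KEY = 0x5A  # arbitrary key used to keep scan strings out of the clear


def scan(data: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Return, sorted, the names of all scan strings found in data."""
    return sorted(name for name, sig in sigs.items() if sig in data)


def obfuscate(sig: bytes, key: int = XOR_KEY) -> bytes:
    """XOR each byte with key; applying it twice restores the original."""
    return bytes(b ^ key for b in sig)


def scan_obfuscated(data: bytes, obf_sigs: Dict[str, bytes],
                    key: int = XOR_KEY) -> List[str]:
    """Like scan(), but the database holds XOR-ed strings and each one is
    decoded only transiently while it is searched for, so neither the
    scanner's file on disk nor its database in memory holds a plain string."""
    hits = []
    for name, obf in obf_sigs.items():
        if obfuscate(obf, key) in data:
            hits.append(name)
    return sorted(hits)


# Constructed sample "files" (not real programs)
CLEAN_PROGRAM = b"\x90" * 16 + SIGNATURES["Toy-A"] + b"\x00" * 8
INFECTED_PROGRAM = b"\xe9\x10\x00" + b"\x00" * 13 + SIGNATURES["Toy-B"] + b"\xc3"
VARIANT = INFECTED_PROGRAM.replace(b"\x13\x04", b"\x15\x04")  # one byte patched

# What a plain signature database looks like on disk, versus the same
# database with every string XOR-ed.
PLAIN_DATABASE = b"".join(SIGNATURES.values())
OBF_SIGNATURES = {n: obfuscate(s) for n, s in SIGNATURES.items()}
OBF_DATABASE = b"".join(OBF_SIGNATURES.values())


if __name__ == "__main__":
    print("clean program   :", scan(CLEAN_PROGRAM, SIGNATURES), "<- false positive")
    print("infected program:", scan(INFECTED_PROGRAM, SIGNATURES))
    print("patched variant :", scan(VARIANT, SIGNATURES), "<- false negative")
    print("plain database  :", scan(PLAIN_DATABASE, SIGNATURES), "<- scanner looks infected")
    print("XOR-ed database :", scan(OBF_DATABASE, SIGNATURES))
    print("XOR-aware scan  :", scan_obfuscated(INFECTED_PROGRAM, OBF_SIGNATURES))
```

The XOR step is not meant as cryptographic protection of the database; it only keeps the literal string out of the file and out of the buffer another scanner might read, which is all the "ghost positive" problem needs.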

Where can I get a virus scanner for my Unix system?

Basically, you shouldn't bother scanning for Unix viruses at this point in time. Although it is possible to write Unix-based viruses, we have yet to see any instance of a non-experimental virus in that environment. Someone with sufficient knowledge and access to write an effective virus would be more likely to conduct other activities than virus-writing. Furthermore, the typical form of software sharing in a Unix environment would not support virus spread.

This answer is not meant to imply that viruses are impossible, or that there aren't security problems in a typical Unix environment -- there are. However, true viruses are highly unlikely and would corrupt file and/or memory integrity. For more information on Unix security, see the book "Practical Unix Security" by Garfinkel and Spafford, O'Reilly & Associates, 1991 (it can be ordered via e-mail from nuts@ora.com).

However, there are special cases for which scanning Unix systems for non-Unix viruses does make sense. For example, a Unix system which is acting as a file server (e.g., PC-NFS) for PC systems is quite capable of containing PC file infecting viruses that are a danger to PC clients. Note that, in this example, the UNIX system would be scanned for PC viruses, not UNIX viruses.

Another example is in the case of a 386/486 PC system running Unix, since this system is still vulnerable to infection by MBR infectors such as Stoned and Michelangelo, which are operating system independent. (Note that an infection on such a Unix PC system would probably result in disabling the Unix disk partition(s) from booting.)

In addition, a file integrity checker (to detect unauthorized changes in executable files) on Unix systems is a very good idea. (One free program which can do this test, as well as other tests, is the COPS package, available by anonymous FTP on cert.org.) Unauthorized file changes on Unix systems are very common, although they usually are not due to virus activity.
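As an added example (not COPS, and not code from this FAQ), here is a minimal file integrity checker of the kind recommended above: it records the size and SHA-256 hash of every file under a directory while the system is known to be clean, reports added, removed and modified files later, and, for the point made under "false positives" about misdiagnosed cures, verifies that a "recovered" file is byte-for-byte the original rather than merely the right size. The directory, file names and file contents in `demo()` are constructed for the example.

```python
"""Minimal file integrity checker: baseline of executables taken on a clean
system, report of later changes, and verification that a 'recovered' file
really is the original.  Example code, not any product's; the files used
in demo() are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Map each regular file under root (relative path) to its size and hash."""
    base: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            base[p.relative_to(root).as_posix()] = {"size": p.stat().st_size,
                                                    "sha256": hash_file(p)}
    return base


def save_baseline(baseline: Dict[str, dict], path: Path) -> None:
    # Keep the baseline separate from the protected programs (ideally off the
    # machine, e.g. on a write-protected diskette); never patch it into them,
    # or another change detector will flag the patch as a modification.
    path.write_text(json.dumps(baseline, indent=1))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def check(root: Path, baseline: Dict[str, dict]) -> Dict[str, list]:
    """Compare the current tree against the baseline."""
    now = build_baseline(root)
    return {
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
        "modified": sorted(f for f in set(now) & set(baseline)
                           if now[f] != baseline[f]),
    }


def verify_recovered(root: Path, rel: str, baseline: Dict[str, dict]) -> bool:
    """After disinfection: is the file identical to the baseline copy?
    Size alone is not enough; the hash must match too."""
    p = root / rel
    return (p.is_file() and p.stat().st_size == baseline[rel]["size"]
            and hash_file(p) == baseline[rel]["sha256"])


def demo() -> dict:
    """Baseline -> infection -> detection -> two attempted recoveries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "disk"
        root.mkdir()
        store = Path(tmp) / "baseline.json"        # kept outside the tree
        prog = root / "prog.com"
        original = b"\xb8\x00\x4c\xcd\x21"          # constructed tiny .COM
        prog.write_bytes(original)
        (root / "util.exe").write_bytes(b"MZ" + b"\x00" * 30)
        save_baseline(build_baseline(root), store)
        # later: an appending infector grows prog.com and drops a new file
        prog.write_bytes(original + b"VIRUS-BODY")
        (root / "dropper.com").write_bytes(b"\xcd\x20")
        baseline = load_baseline(store)
        report = check(root, baseline)
        # a 'generic' cure that restores the size but gets one byte wrong
        prog.write_bytes(b"\xb8\x00\x4c\xcd\x20")
        bad_cure_ok = verify_recovered(root, "prog.com", baseline)
        # restore from a good backup instead
        prog.write_bytes(original)
        good_cure_ok = verify_recovered(root, "prog.com", baseline)
        return {"report": report, "bad_cure_ok": bad_cure_ok,
                "good_cure_ok": good_cure_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the check after a cold boot from a clean system diskette: a resident stealth virus can feed the checker the original file contents on an infected live system, and the checker itself must be read from trusted media.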

Why does my anti-viral scanner report an infection only sometimes?

There are circumstances where part of a virus exists in RAM without being active: If your scanner reports a virus in memory only occasionally, it could be due to the operating system buffering disk reads, keeping disk contents that include a virus in memory (harmlessly), in which case it should also find it on disk. Or after running another scanner, there may be scan strings left (again harmlessly) in memory. This is sometimes called a "ghost positive" alert.

Is my disk infected with the Stoned virus?

Of course the answer to this, and many similar questions, is to obtain a good virus detector. There are many to choose from, including ones that will scan diskettes automatically as you use them. Remember to check all diskettes, even non-system ("data") diskettes.

It is possible, if you have an urgent need to check a system when you don't have any anti-viral tools, to boot from a clean system diskette, and use the CHKDSK method (mentioned in C1) to see if it is in memory, then look at the boot sector with a disk editor. Usually the first few bytes will indicate the characteristic far jump of the Stoned virus; however, you could be looking at a perfectly good disk that has been "inoculated" against the virus, or at a diskette that seems safe but contains a totally different type of virus.

I think I have detected a new virus; what do I do?

Whenever there is doubt over a virus, you should obtain the latest versions of several (not just one) major virus scanners. Some scanning programs now use "heuristic" methods (F-PROT, CHECKOUT and SCANBOOT are examples), and "activity monitoring" programs can report a disk or file as being possibly infected when it is in fact perfectly safe (odd, perhaps, but not infected). If no string-matching scan finds a virus, but a heuristic program does (or there are other reasons to suspect the file, e.g., change in size of files) then it is possible that you have found a new virus, although the chances are probably greater that it is an odd-but-okay disk or file. Start by looking in recent VIRUS-L postings about "known" false positives, then contact the author of the anti-virus software that reports it as virus-like; the documentation for the software may have a section explaining what to do if you think you have found a new virus. Consider using the BootID or Checkout programs to calculate the "hashcode" of a diskette in the case of boot sector infectors, rather than send a complete diskette or "live" virus until requested.

CHKDSK reports 639K (or less) total memory on my system; am I infected?

If CHKDSK displays 639K for the total memory instead of 640K (655,360 bytes) - so that you are missing only 1K - then it is probably due to reasons other than a virus since there are very few viruses which take only 1K from total memory. Legitimate reasons for a deficiency of 1K include:

  1. A PS/2 computer. IBM PS/2 computers reserve 1K of conventional RAM for an Extended BIOS Data Area, i.e. for additional data storage required by its BIOS.
  2. A computer with American Megatrends Inc. (AMI) BIOS, which is set up (with the built-in CMOS setup program) in such a way that the BIOS uses the upper 1K of memory for its internal variables. (It can be instructed to use lower memory instead.)
  3. A SCSI controller.
  4. The DiskSecure program.
  5. Mouse buffers for older Compaqs.
If, on the other hand, you are missing 2K or more from the 640K, 512K, or whatever the conventional memory normally is for your PC, the chances are greater that you have a boot-record virus (e.g. Stoned, Michelangelo), although even in this case there may be legitimate reasons for the missing memory:

  1. Many access control programs for preventing booting from a floppy.
  2. H/P Vectra computers.
  3. Some special BIOSes which use memory (e.g.) for a built-in calendar and/or calculator.
However, these are only rough guides. In order to be more certain whether the missing memory is due to a virus, you should:

  1. run several virus detectors;
  2. look for a change in total memory every now and then;
  3. compare the total memory size with that obtained when cold booting from a "clean" system diskette. The latter should show the normal amount of total memory for your configuration.
Note: in all cases, CHKDSK should be run without software such as MS-Windows or DesqView loaded, since GUIs seem to be able to open DOS boxes only on whole K boundaries (some seem to be even coarser); thus CHKDSK run from a DOS box may report unrepresentative values.

Note also that some machines have only 512K or 256K instead of 640K of conventional memory.
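Since the advice in C1 is to watch the memory map for changes without needing to understand every number, and the rules of thumb above turn a CHKDSK shortfall into a rough verdict, here is an added example (not from the FAQ) that does both: it parses a MEM /C style listing into named resident blocks, diffs a current listing against a baseline taken after a clean cold boot, extracts the "total memory" figure from CHKDSK output, and classifies a shortfall as the text does (1K: usually legitimate; 2K or more: suspicious). The MEM and CHKDSK excerpts are constructed, slightly simplified renderings of that output, and the regular expressions are written for them, so adjust them to the exact layout of your DOS version.

```python
"""Diff a conventional-memory map against a clean baseline and classify a
shortfall in CHKDSK's total-memory figure per this FAQ's rules of thumb.
Example code added for the FAQ; the MEM /C and CHKDSK text below is
constructed and simplified, and the regexes target that layout."""
import re
from typing import Dict, Tuple

# Constructed baseline taken right after a clean cold boot ...
BASELINE_MEM = """\
Conventional Memory :

  Name                Size in Decimal        Size in Hex
-------------------   ---------------------  -------------
  MSDOS                 12688   (  12.4K)       3190
  HIMEM                  1184   (   1.2K)        4A0
  COMMAND                2624   (   2.6K)        A40
  FREE                 638864   ( 623.9K)      9BF90

Total  FREE :        638864   ( 623.9K)
"""

# ... and the map seen some days later (constructed): a new resident block.
LATER_MEM = """\
Conventional Memory :

  Name                Size in Decimal        Size in Hex
-------------------   ---------------------  -------------
  MSDOS                 12688   (  12.4K)       3190
  HIMEM                  1184   (   1.2K)        4A0
  COMMAND                2624   (   2.6K)        A40
  TSRX                   1456   (   1.4K)        5B0
  FREE                 637408   ( 622.5K)      9B9E0

Total  FREE :        637408   ( 622.5K)
"""

CHKDSK_CLEAN = "   655360 bytes total memory\n   597936 bytes free\n"
CHKDSK_LATER = "   653312 bytes total memory\n   595888 bytes free\n"

MEM_LINE = re.compile(r"^\s*([A-Za-z0-9_$.?-]+)\s+(\d+)\s+\(")
CHKDSK_TOTAL = re.compile(r"(\d[\d,]*)\s+(?:bytes total memory|total bytes memory)")


def parse_mem_map(text: str) -> Dict[str, int]:
    """Name -> bytes for every resident block listed (FREE blocks skipped)."""
    blocks: Dict[str, int] = {}
    for line in text.splitlines():
        m = MEM_LINE.match(line)
        if m and m.group(1).upper() != "FREE":
            blocks[m.group(1)] = blocks.get(m.group(1), 0) + int(m.group(2))
    return blocks


def diff_mem_maps(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, dict]:
    """What appeared, what vanished, and what changed size."""
    return {
        "added": {n: s for n, s in after.items() if n not in before},
        "removed": {n: s for n, s in before.items() if n not in after},
        "resized": {n: (before[n], after[n]) for n in before
                    if n in after and before[n] != after[n]},
    }


def parse_chkdsk_total(text: str) -> int:
    m = CHKDSK_TOTAL.search(text)
    if not m:
        raise ValueError("no total-memory line found")
    return int(m.group(1).replace(",", ""))


def classify_missing(expected: int, reported: int) -> Tuple[int, str]:
    """Apply the FAQ's rule of thumb to a shortfall in total memory."""
    missing_k = (expected - reported) // 1024
    if missing_k <= 0:
        return 0, "no memory missing"
    if missing_k == 1:
        return 1, ("1K missing: very few viruses take only 1K; look at the "
                   "EBDA, BIOS setup, SCSI controller or DiskSecure first")
    return missing_k, ("%dK missing: consistent with a boot-record virus; "
                       "confirm with scanners and a cold boot from a clean "
                       "diskette" % missing_k)


if __name__ == "__main__":
    print(diff_mem_maps(parse_mem_map(BASELINE_MEM), parse_mem_map(LATER_MEM)))
    expected = parse_chkdsk_total(CHKDSK_CLEAN)     # figure from the clean boot
    print(classify_missing(expected, parse_chkdsk_total(CHKDSK_LATER)))
```

The "expected" figure should come from the same machine cold-booted from a clean diskette (step 3 above), not from the nominal 640K, so that a PS/2's EBDA or a BIOS's reserved kilobyte is already part of the baseline. A boot-sector virus that hides by lowering the BIOS top-of-memory figure will not appear as a named block in MEM /C at all; it shows up only as the missing kilobytes, which is why both checks are kept.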

I have an infinite loop of sub-directories on my hard drive; am I infected?

Probably not. This happens now and then, when something sets the "cluster number" field of some subdirectory the same cluster as an upper-level (usually the root) directory. The /F parameter of CHKDSK, and any of various popular utility programs, should be able to fix this, usually by removing the offending directory. *Don't* erase any of the "replicated" files in the odd directory, since that will erase the "copy" in the root as well (it's really not a copy at all; just a second pointer to the same file).
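To make the mechanism concrete, here is an added example (not part of the FAQ) that models a FAT-style directory tree in memory as cluster -> directory entries, finds any subdirectory entry whose first-cluster field points back at an ancestor (the condition that produces the endless chain), and shows why the files in the looped directory are not copies: resolving a path through the loop lands on the same first cluster as the root entry. The tree, names and cluster numbers are constructed; the walker only reports and never deletes.

```python
"""Detect a directory loop in a FAT-style tree without deleting anything:
a subdirectory entry whose first-cluster field points at an ancestor
(usually the root).  Example code added for this FAQ; the tree below is a
constructed in-memory model, not a real disk image."""
from typing import Dict, List, Tuple

# cluster -> directory entries (name, is_directory, first_cluster).
# Cluster 0 stands for the root directory here.  \WORK\OLD is corrupt:
# its first-cluster field points at the root instead of its own cluster.
Entry = Tuple[str, bool, int]
DIRS: Dict[int, List[Entry]] = {
    0:  [("AUTOEXEC.BAT", False, 5), ("CONFIG.SYS", False, 6), ("WORK", True, 10)],
    10: [(".", True, 10), ("..", True, 0), ("NOTES.TXT", False, 11), ("OLD", True, 0)],
}


def find_directory_loops(dirs: Dict[int, List[Entry]], root: int = 0) -> List[dict]:
    """Walk the tree; report every directory entry pointing at a cluster
    already on the current path, and do not descend into it."""
    loops: List[dict] = []

    def walk(cluster: int, path: List[Tuple[int, str]]) -> None:
        # path: (cluster, name) pairs from the root; the root's name is "".
        names = [n for _, n in path[1:]]
        ancestors = [c for c, _ in path]
        for name, is_dir, first in dirs.get(cluster, []):
            if not is_dir or name in (".", ".."):
                continue
            entry_path = "\\" + "\\".join(names + [name])
            if first in ancestors:
                depth = ancestors.index(first)
                loops.append({"entry": entry_path, "cluster": first,
                              "same_as": "\\" + "\\".join(names[:depth])})
                continue          # descending here is the infinite loop
            walk(first, path + [(first, name)])

    walk(root, [(root, "")])
    return loops


def resolve(dirs: Dict[int, List[Entry]], path: str, root: int = 0) -> int:
    """First cluster of the object a DOS path names, following entries the
    way DOS would (so a path through the loop still resolves)."""
    cluster = root
    parts = [p for p in path.split("\\") if p]
    for i, part in enumerate(parts):
        for name, is_dir, first in dirs.get(cluster, []):
            if name == part and (is_dir or i == len(parts) - 1):
                cluster = first
                break
        else:
            raise FileNotFoundError(path)
    return cluster


if __name__ == "__main__":
    for loop in find_directory_loops(DIRS):
        print("%s points at cluster %d, which is %s" %
              (loop["entry"], loop["cluster"], loop["same_as"]))
    looped = "\\WORK\\OLD\\WORK\\OLD\\AUTOEXEC.BAT"
    print(looped, "-> cluster", resolve(DIRS, looped),
          "; \\AUTOEXEC.BAT -> cluster", resolve(DIRS, "\\AUTOEXEC.BAT"))
```

The report names the one entry to remove (here \WORK\OLD); since the "replicated" files under it resolve to the same clusters as the root's files, deleting any of them would delete the root's only copy, which is the trap the text warns about.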
