Can boot sector viruses infect non-bootable floppy disks?

Any diskette that has been properly formatted contains an executable program in the boot sector. If the diskette is not "bootable," all that boot sector does is print a message like "Non-system disk or disk error; replace and strike any key when ready", but it's still executable and still vulnerable to infection. If you accidentally turn your machine on with a "non-bootable" diskette in the drive, and see that message, it means that any boot virus that may have been on that diskette *has* run, and has had the chance to infect your hard drive, or whatever. So when thinking about viruses, the word "bootable" (or "non-bootable") is really misleading. All formatted diskettes are capable of carrying a virus.
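To make the point concrete, here is an added example (not part of the FAQ) of the check a scanner or integrity manager can apply to a diskette's boot sector, including the copy that DIR loads into a buffer (see the DIR question below): it parses a constructed FAT12 boot sector, confirms that an executable region is present even on a "non-system" diskette, and flags any change to that region against a clean baseline. The sector contents, OEM name and serial number are all constructed sample data.

```python
import hashlib
import struct

SECTOR_SIZE = 512

def build_sample_sector(code: bytes) -> bytes:
    """Constructed 1.44 MB FAT12 boot sector (sample data, not a real disk image)."""
    header = b"\xEB\x3C\x90" + b"MSDOS5.0"          # JMP SHORT 0x3E; NOP; OEM name
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries,
    # total sectors, media byte, sectors/FAT, sectors/track, heads, hidden, large total
    bpb = struct.pack("<HBHBHHBHHHII", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    # Extended BPB: drive, reserved, signature 0x29, serial, label, FS type
    ebpb = struct.pack("<BBBI11s8s", 0, 0, 0x29, 0x1234ABCD, b"NO NAME    ", b"FAT12   ")
    body = header + bpb + ebpb                       # 62 bytes: code begins at 0x3E
    code = code.ljust(SECTOR_SIZE - 2 - len(body), b"\x00")
    return body + code + b"\x55\xAA"

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the fields a scanner cares about and fingerprint the executable region."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != b"\x55\xAA":
        raise ValueError("not a formatted x86 boot sector (bad size or 0x55AA signature)")
    # Offset 0 holds the jump to the boot code: EB xx (short) or E9 xx xx (near)
    if sector[0] == 0xEB:
        code_start = 2 + sector[1]
    elif sector[0] == 0xE9:
        code_start = 3 + struct.unpack_from("<H", sector, 1)[0]
    else:
        raise ValueError("no jump instruction at offset 0")
    bps, spc, rsvd, nfats, root, total, media = struct.unpack_from("<HBHBHHB", sector, 11)
    code = sector[code_start:SECTOR_SIZE - 2]
    return {
        "oem": sector[3:11].decode("ascii", "replace").strip(),
        "bytes_per_sector": bps, "total_sectors": total, "media": media,
        "code_start": code_start,
        "has_code": any(code),                       # even a "non-bootable" disk has code here
        "code_fingerprint": hashlib.sha256(code).hexdigest(),
    }

def boot_code_changed(sector: bytes, baseline_fingerprint: str) -> bool:
    """Integrity check: has the code region changed since the clean baseline was taken?"""
    return parse_boot_sector(sector)["code_fingerprint"] != baseline_fingerprint

# Constructed samples: the clean sector only carries the familiar message stub.
CLEAN_CODE = b"\xFA\xFC" + b"Non-System disk or disk error\r\nReplace and press any key when ready\r\n"
CLEAN_SECTOR = build_sample_sector(CLEAN_CODE)
CLEAN_FINGERPRINT = parse_boot_sector(CLEAN_SECTOR)["code_fingerprint"]
# Same BPB, but the code region was rewritten: exactly what an integrity check must flag.
ALTERED_SECTOR = build_sample_sector(b"\x90" * 16 + b"rewritten boot code")
```

The BPB fields still look perfectly normal on the altered sector, which is why comparing only the disk layout (what DIR needs) tells you nothing about whether the code region is still the clean stub.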

Can a virus hide in a PC's CMOS memory?

No. The CMOS RAM in which system information is stored and backed up by batteries is accessed through I/O ports; it is not mapped into the processor's address space. That is, in order to get anything out, you use I/O instructions, so anything stored there is never directly sitting in memory. Nothing in a normal machine loads the data from there and executes it, so a virus that "hid" in the CMOS RAM would still have to infect an executable object of some kind in order to load and execute whatever it had written to CMOS. A malicious virus can of course *alter* values in the CMOS as part of its payload, but it can't spread through, or hide itself in, the CMOS.

A virus could also use the CMOS RAM to hide a small part of its body (e.g., the payload, counters, etc.). However, any executable code stored there must be first extracted to ordinary memory in order to be executed.

Can a virus hide in Extended or in Expanded RAM?

Theoretically yes, although no such viruses are known yet. However, even if they are created, they will have to have a small part resident in conventional RAM; they cannot reside *entirely* in Extended or in Expanded RAM.

Can a virus hide in Upper Memory or in High Memory?

Yes, it is possible to construct a virus which will locate itself in Upper Memory (640K to 1024K) or in High Memory (1024K to 1088K), and a few currently known viruses (e.g. EDV) do hide in Upper Memory.

It might be thought that there is no point in scanning in these areas for any viruses other than those which are specifically known to inhabit them. However, there are cases when even ordinary viruses can be found in Upper Memory. Suppose that a conventional memory-resident virus infects a TSR program and this program is loaded high by the user (for instance, from AUTOEXEC.BAT). Then the virus code will also reside in Upper Memory. Therefore, an effective scanner must be able to scan this part of memory for viruses too.

Can a virus infect data files?

Some viruses (e.g., Frodo, Cinderella) modify non-executable files. However, in order to spread, the virus must be executed. Therefore the "infected" non-executable files cannot be sources of further infection.

However, note that it is not always possible to make a sharp distinction between executable and non-executable files. One man's code is another man's data and vice versa. Some files that are not directly executable contain code or data which can under some conditions be executed or interpreted.

Some examples from the IBM PC world are .OBJ files, libraries, device drivers, source files for any compiler or interpreter, macro files for some packages like MS Word and Lotus 1-2-3, and many others. Currently there are viruses that infect boot sectors, master boot records, COM files, EXE files, BAT files, and device drivers, although any of the objects mentioned above can theoretically be used as an infection carrier. PostScript files can also be used to carry a virus, although no currently known virus does that.

Can viruses spread from one type of computer to another?

The simple answer is that no currently known viruses can do this. Although the disk formats may be the same (e.g. Atari ST and DOS), the different machines interpret the code differently. For example, the Stoned virus cannot infect an Atari ST as the ST cannot execute the virus code in the boot sector. The Stoned virus contains instructions for the 80x86 family of CPUs that the 680x0-family CPU (Atari ST) can't understand or execute.

The more general answer is that such viruses are possible, but unlikely. Such a virus would be quite a bit larger than current viruses and might well be easier to find. Additionally, the low incidence of cross-machine sharing of software means that any such virus would be unlikely to spread -- it would be a poor environment for virus growth.

Can DOS viruses run on non-DOS machines (e.g. Mac, Amiga)?

In general, no. However, on machines running DOS emulators (either hardware or software based), DOS viruses - just like any DOS program - may function. These viruses would be subject to the file access controls of the host operating system. For example, when running a DOS emulator such as VP/ix under a 386 UNIX environment, DOS programs are not permitted to access any file that the host UNIX system does not allow them to access. Thus, it is important to administer these systems carefully.

Can mainframe computers be susceptible to computer viruses?

Yes. Numerous experiments have shown that computer viruses spread very quickly and effectively on mainframe systems. However, to our knowledge, no non-research computer virus has been seen on mainframe systems. (The Internet worm of November 1988 was not a computer virus by most definitions, although it had some virus-like characteristics.)

Computer viruses are actually a special case of something else called "malicious logic", and other forms of malicious logic -- notably Trojan horses -- are far quicker, more effective, and harder to detect than computer viruses. Nevertheless, on personal computers many more viruses are written than Trojans. There are two reasons for this:

  1. Since a virus propagates, the number of users to which damage can be caused is much greater than in the case of a Trojan;
  2. It's almost impossible to trace the source of a virus since viruses are not attached to any particular program.

For further information on malicious programs on multi-user systems, see Matt Bishop's paper, "An Overview of Malicious Logic in a Research Environment", available by anonymous FTP on Dartmouth.edu (129.170.16.4) as "pub/security/mallogic.ps".

Some people say that disinfecting files is a bad idea. Is that true?

Disinfecting a file is completely "safe" only if the disinfecting process restores the non-infected state of the object completely. That is, not only must the virus be removed from the file, but the original length of the file must be restored exactly, as well as its time and date of last modification, all fields in the header, etc. Sometimes it is necessary to be sure that the file is placed on the same clusters of the disk that it occupied prior to infection. If this is not done, then a program which uses some kind of self-checking or copy protection may stop functioning properly, if at all.

None of the currently available disinfecting programs do all this. For instance, because of the bugs that exist in many viruses, some of the information of the original file is destroyed and cannot be recovered. Other times, it is even impossible to detect that this information has been destroyed and to warn the user. Furthermore, some viruses corrupt information very slightly and in a random way (Nomenklatura, Phoenix), so that it is not even possible to tell which files have been corrupted.

Therefore, it is usually better to replace the infected objects with clean backups, provided you are certain that your backups are uninfected (see D10). You should try to disinfect files only if they contain some valuable data that cannot be restored from backups or compiled from their original source.
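One way to check whether a disinfection was complete in the sense described above, as an added example that is not part of the FAQ: record the attributes of a DOS EXE while it is known clean (the "integrity management" approach), then report which of them a disinfected copy fails to match. The header fields listed are the real MZ header words; the file image, its timestamps and the "partially restored" state are constructed sample data.

```python
import hashlib
import struct

# DOS MZ header words at offset 2. Besides the length (e_cblp/e_cp), a file infector
# typically rewrites the stack (e_ss/e_sp) and entry point (e_ip/e_cs) fields.
MZ_FIELDS = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs")

def mz_header(data: bytes) -> dict:
    """Decode the MZ header fields that a complete disinfection must restore."""
    if data[:2] != b"MZ" or len(data) < 24:
        raise ValueError("not an MZ executable")
    return dict(zip(MZ_FIELDS, struct.unpack_from("<11H", data, 2)))

def snapshot(data: bytes, mtime: int) -> dict:
    """Baseline record taken while the file is known clean (integrity management)."""
    return {"length": len(data), "mtime": mtime, "header": mz_header(data),
            "sha256": hashlib.sha256(data).hexdigest()}

def unrestored(baseline: dict, data: bytes, mtime: int) -> list:
    """List what a disinfector failed to put back; an empty list means fully restored."""
    now = snapshot(data, mtime)
    diffs = [k for k in ("length", "mtime", "sha256") if now[k] != baseline[k]]
    diffs += ["header." + f for f in MZ_FIELDS if now["header"][f] != baseline["header"][f]]
    return diffs

def make_exe(e_ip: int, e_cs: int, body: bytes) -> bytes:
    """Constructed minimal MZ image: 32-byte header then body (sample data, not a real program)."""
    total = 32 + len(body)
    words = (total % 512, (total + 511) // 512, 0, 2, 0, 0xFFFF, 0, 0x100, 0, e_ip, e_cs)
    return (b"MZ" + struct.pack("<11H", *words)).ljust(32, b"\x00") + body

# Constructed scenario: a clean file, and the same file after a disinfector that brought
# the length back but left the entry point and the modification time changed.
BODY = b"\xB4\x4C\xCD\x21".ljust(64, b"\x90")   # mov ah,4Ch; int 21h (exit), padded
CLEAN_MTIME = 700000000
CLEAN_EXE = make_exe(0, 0, BODY)
BASELINE = snapshot(CLEAN_EXE, CLEAN_MTIME)
PARTIALLY_RESTORED = make_exe(0x10, 0, BODY)
PARTIAL_MTIME = CLEAN_MTIME + 3600
```

A non-empty result is the signal to fall back to the clean backup rather than trust the disinfected file.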

Can I avoid viruses by avoiding shareware/free software/games?

No. There are many documented instances in which even commercial "shrink wrap" software was inadvertently distributed containing viruses. Avoiding shareware, freeware, games, etc. only isolates you from a vast collection of software (some of it very good, some of it very bad, most of it somewhere in between...).

The important thing is not to avoid a certain type of software, but to be cautious of ANY AND ALL newly acquired software. Simply scanning all new software media for known viruses would be rather effective at preventing virus infections, especially when combined with some other prevention/detection strategy such as integrity management of programs.

Can I contract a virus on my PC by performing a "DIR" of an infected floppy disk?

If you assume that the PC you are using is virus free before you perform the DIR command, then the answer is no. However, when you perform a DIR, the contents of the boot sector of the diskette are loaded into a buffer for use when determining disk layout etc., and certain anti-virus products will scan these buffers. If a boot sector virus has infected your diskette, the virus code will be contained in the buffer, which may cause some anti-virus packages to give the message "xyz virus found in memory, shut down computer immediately". In fact, the virus is not a threat at this point since control of the CPU is never passed to the virus code residing in the buffer. But, even though the virus is really not a threat at this point, this message should not be ignored. If you get a message like this, and then reboot from a clean DOS diskette and scan your hard drive and find no virus, then you know that the false positive was caused by the fact that the infected boot sector was loaded into a buffer, and the diskette should be appropriately disinfected before use. The use of DIR will not infect a clean system, even if the diskette it is being performed on does contain a virus.

Is there any risk in copying data files from an infected floppy disk to a clean PC's hard disk?

Assuming that you did not boot or run any executable programs from the infected disk, the answer is generally no. There are two caveats: 1) you should be somewhat concerned about checking the integrity of these data files as they may have been destroyed or altered by the virus, and 2) if any of the "data" files are interpretable as executable by some other program (such as a Lotus macro) then these files should be treated as potentially malicious until the symptoms of the infection are known. The copying process itself is safe (given the above scenario). However, you should be concerned with what type of files are being copied to avoid introducing other problems.

Can a DOS virus survive and spread on an OS/2 system using the HPFS file system?

Yes, both file-infecting and boot sector viruses can infect HPFS partitions. File-infecting viruses function normally and can activate and do their dirty deeds, and boot sector viruses can prevent OS/2 from booting if the primary bootable partition is infected. Viruses that try to directly address disk sectors cannot function because OS/2 prevents this activity.

Under OS/2 2.0, could a virus-infected DOS session infect another DOS session?

Each DOS program is run in a separate Virtual DOS Machine (their memory spaces are kept separated by OS/2). However, any DOS program has almost complete access to the files and disks, so infection can occur if the virus infects files; any other DOS session that executes a program infected by a virus that makes itself memory resident would itself become infected.

However, bear in mind that all DOS sessions share the same copy of the command interpreter. Hence if it becomes infected, the virus will be active in *all* DOS sessions.

Can normal DOS viruses work under MS Windows?

Most of them cannot. A system that runs exclusively MS Windows is, in general, more virus-resistant than a plain DOS system. The reason is that most resident viruses are not compatible with the memory management in Windows. Furthermore, most of the existing viruses will damage the Windows applications if they try to infect them as normal EXE files. The damaged applications will stop working and this will alert the user that something is wrong.

However, virus-resistant is by no means virus-proof. For instance, most of the well-behaved resident viruses that infect only COM files (Cascade is an excellent example) will work perfectly in a DOS window. All non-resident COM infectors will be able to run and infect too. And currently there exists at least one Windows-specific virus which is able to properly infect Windows applications (it is compatible with the NewEXE file format).

Any low level trapping of Interrupt 13, as by resident boot sector and MBR viruses, can also affect Windows operation, particularly if protected disk access (32BitDiskAccess=ON in SYSTEM.INI) is used.
