Introduction To Computer Viruses

Distributed by: DOLFIN DEVELOPMENTS
Written by: Michael B. Cameron

INTRODUCTION

Computer viruses were originally thought of as nothing more than harmless "pranks", designed by mainframe programmers who were experimenting with artificial intelligence. These programmers altered existing programs, originally written to "digest" data, so that they would instead seek out and "destroy" data. This led to the development of what became known as "Core Wars", in which a number of programmers would release their altered programs into the core memory of a computer simultaneously, where the programs would seek out and destroy each other. The last program left alive won. That was the beginning: nothing more than intellectual curiosity.

Today the sophisticated descendants of these programs are responsible for millions of dollars' worth of damage to the computing industry each year, in lost computer time, service charges and actual damage to systems or their contents. However, all is not lost. With proper protection procedures, good anti-virus software and an educated user base, a virus becomes the equivalent of a hard drive crash: once understood and prepared for, it is just another part of "doing business" in the computer world.

That is the purpose of this brief document: to introduce you, the user, to the concept of viruses, how to protect your system from them, and how to remove a virus should you discover one.

HOW A VIRUS WORKS

A virus infects a computer system by attacking one of the following areas:

1. The partition table (master boot record) of a hard disk;
2. The DOS boot sector of a hard disk or floppy disk;
3. Executable files, including operating system files, .COM files, .EXE files, overlay files, and any other file that is loaded into memory and executed.
A virus enters a system by a number of avenues: by downloading a file from an electronic bulletin board and then executing the program; by copying programs (pirating software) that have been in contact with an infected system or that contain a Trojan horse (an apparently useful program that actually carries the virus inside); or by booting a system from a disk other than the original operating system diskette.

Once a virus is activated by one of these methods, it goes through a number of logical steps to gain control of your system, depending on the type of virus it is. A boot sector virus moves the system's original boot sector elsewhere on the disk, or simply overwrites it, and installs itself as the new boot sector. Because the boot sector is the first code the machine runs, the virus is in memory before DOS loads, which lets it monitor all system events and infect any disk it comes into contact with. An .EXE or .COM infector attempts to infect other files whenever an infected file is run. A third form of infection targets the control files of the system, COMMAND.COM and its two hidden counterparts (the hidden DOS system files, IO.SYS and MSDOS.SYS on MS-DOS), so that the virus is installed every time the system is booted.

Once a virus has installed itself by its method of choice it begins the replicating phase. During this phase the virus attempts to infect other files or disks at every opportunity, or according to its own internal logic; for example, some viruses infect an .EXE or .COM file every time a DOS command is executed. During this phase the system may exhibit a number of symptoms:

1. A noticeable slowdown in system speed, which may eventually lead to a shutdown;
2. Unauthorized disk access when system events do not require it (drive activity when nothing is being copied to the floppy or hard drive);
3. The time and/or date stamps of files being altered;
4. Volume labels on the disk being changed (the Pakistani Brain virus does this);
5. Errors running files;
6. DOS errors occurring, e.g. "Sector not found".
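The two infection targets described above, the master boot record and the executable files, can both be watched with a simple baseline-and-compare check. The following Python script is an added example written for this page; it is not code from DOLFIN Developments or from any McAfee utility. It assumes that the 512-byte MBR is handed in as bytes read while the machine is booted from clean, write-protected media (a stealth virus that hooks the disk interrupt can return the original sector to a reader running on the infected system), that the baseline hashes were recorded on a known-clean system, and it uses only constructed sample data: a made-up MBR, an "infected" copy with the same partition table but different boot code, and two small fake executables in a temporary directory.

```python
import hashlib
import os
import struct
import tempfile
from pathlib import Path

PART_TABLE_OFFSET = 446   # 446 bytes of boot code, then four 16-byte partition entries
EXECUTABLE_SUFFIXES = {".com", ".exe", ".ovl", ".sys"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_mbr(sector: bytes, baseline_code_hash: str = "") -> list[str]:
    """Flag a missing 55AA signature, an invalid boot flag, or boot code that no
    longer matches the hash recorded on a clean system."""
    if len(sector) != 512:
        return [f"MBR: unexpected length {len(sector)}"]
    findings = []
    if sector[510:] != b"\x55\xAA":
        findings.append("MBR: boot signature 55AA missing")
    for i in range(4):
        # entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count
        boot_flag, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + i * 16)
        if boot_flag not in (0x00, 0x80):
            findings.append(f"MBR: partition {i} has invalid boot flag {boot_flag:#04x}")
    # A boot sector virus keeps the partition table (the disk must still boot) but
    # replaces the code that runs first, so only the code area is hashed.
    if baseline_code_hash and sha256(sector[:PART_TABLE_OFFSET]) != baseline_code_hash:
        findings.append("MBR: boot code differs from baseline (possible boot sector virus)")
    return findings


def file_baseline(root: Path) -> dict:
    """Size, modification time and hash of every executable under root."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            st = p.stat()
            records[str(p.relative_to(root))] = {
                "size": st.st_size, "mtime": int(st.st_mtime), "sha256": sha256(p.read_bytes())}
    return records


def check_files(root: Path, baseline: dict) -> list[str]:
    """Compare executables against the baseline; note growth and preserved timestamps."""
    findings = []
    current = file_baseline(root)
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append(f"{name}: missing")
        elif new["sha256"] != old["sha256"]:
            notes = []
            if new["size"] > old["size"]:
                notes.append(f"grew by {new['size'] - old['size']} bytes")
            if new["mtime"] == old["mtime"]:
                notes.append("timestamp unchanged, as a stealth infector leaves it")
            findings.append(f"{name}: content changed ({'; '.join(notes) or 'same size, new timestamp'})")
    findings += [f"{name}: new executable, scan before trusting" for name in current if name not in baseline]
    return findings


def make_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code, one active FAT16 partition, 55AA."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 204800)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed data, not sectors from a real disk.
CLEAN_MBR = make_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 16)
CLEAN_CODE_HASH = sha256(CLEAN_MBR[:PART_TABLE_OFFSET])      # recorded on the clean system
INFECTED_MBR = make_mbr(b"\xEA\x00\x7C\x00\x00" + b"\xCC" * 40)  # new code, same partition table


def demo_files() -> list[str]:
    """Constructed scenario: baseline two executables, then append 1701 bytes to
    COMMAND.COM and put its original timestamp back, as a stealth infector would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "COMMAND.COM").write_bytes(b"\xE9\x10\x00" + b"\x90" * 64)
        (root / "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 100)
        baseline = file_baseline(root)
        target = root / "COMMAND.COM"
        st = target.stat()
        target.write_bytes(target.read_bytes() + b"\xCC" * 1701)
        os.utime(target, (st.st_atime, st.st_mtime))
        return check_files(root, baseline)


if __name__ == "__main__":
    print("clean MBR:   ", check_mbr(CLEAN_MBR, CLEAN_CODE_HASH))
    print("infected MBR:", check_mbr(INFECTED_MBR, CLEAN_CODE_HASH))
    print("executables: ", demo_files())
```

Run it as a script to print the three results. The MBR check hashes only the 446-byte code area because a boot sector virus has to leave the partition table and the 55AA signature intact for the disk to keep booting; that is also why a valid-looking partition table proves nothing. The file check reports a size increase (appending infectors make the file grow) together with an unchanged timestamp, because a file whose contents changed while its date did not is exactly the case a plain DIR listing never shows you.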
The difficult part of virus detection is distinguishing a legitimate hardware or software problem from a virus infection. The best rule of thumb is "WHEN IN DOUBT, SCAN!". If it is a virus problem you will know immediately, before you run up a large service charge; if it is not, you can begin to look elsewhere for the cause of the system problems.

PROTECTING YOUR SYSTEM

Here are a few simple rules to follow to protect your system and minimize the chances of getting infected.

1. NEVER BOOT YOUR SYSTEM WITH ANY DISK OTHER THAN THE ORIGINAL SYSTEM DISKETTES.
2. ALWAYS USE ORIGINAL DISKETTES WHENEVER POSSIBLE WHEN INSTALLING OR OPERATING PROGRAMS ON YOUR SYSTEM.
3. MAKE BACKUPS OF ALL YOUR ORIGINAL DISKETTES AND WORK FROM THESE.
4. WRITE-PROTECT ALL PROGRAM DISKETTES AND STORE THEM IN A SECURE AREA.
5. NEVER SAVE FILES TO ORIGINAL DISKETTES. USE A DESIGNATED DISKETTE FOR YOUR WORK.
6. BACK UP YOUR SYSTEM REGULARLY, ESPECIALLY DATA FILES. TAPE BACKUPS ARE PREFERRED.
7. LIMIT ACCESS TO YOUR SYSTEM BY USING PASSWORDS AND PHYSICAL BARRIERS LIKE KEY LOCKS.
8. TREAT ANY NEW DISKETTE OR PROGRAM AS SUSPECT UNTIL IT HAS BEEN SCANNED AND VERIFIED VIRUS-FREE (THIS INCLUDES DISKETTES HANDED BACK AND FORTH AT WORK).
9. IF POSSIBLE, INSTALL A TSR ANTI-VIRUS UTILITY TO MONITOR YOUR SYSTEM AND ALERT YOU TO POSSIBLE PROBLEMS.
10. SCAN YOUR SYSTEM FOR VIRUSES ON A REGULAR BASIS, DAILY IF POSSIBLE.

VIRUS DETECTION AND REMOVAL

If you believe you might have a virus, or you know for sure, here are the steps you should follow to ensure proper detection and removal of the virus from your system.

1. Make sure you have a valid copy of SCAN and CLEAN on a write-protected diskette.
2. Insert the diskette in your system and type "Scan C: /m", where C: represents the drive in question and the /m option examines your memory for "stealth"-type viruses.
3. If you have a virus the program will inform you and give you the alias of the virus, which is the name used to clean it, e.g. [stoned].
4. If you have a virus, at this point POWER DOWN YOUR SYSTEM! Perform a cold boot (power off, then on) from your write-protected original system diskette, not from the infected hard disk. Many viruses survive a warm boot (Ctrl+Alt+Del) and remain in memory, thereby thwarting disinfection, and booting from the infected hard disk simply reloads them.
5. With the system booted from clean media, use your write-protected copy of CLEAN and type "Clean [virus] C:", where [virus] is the alias, e.g. [stoned], and C: is the infected drive (A:, B:, C:, D:, ...).
6. CLEAN will then attempt to remove the virus and repair the infected areas. It will also report the number of infections and disinfections as it progresses.
7. Once the virus has been removed, scan your system again to ensure it is clean. Then scan all of your diskettes and logical drives to determine whether they are infected; a single missed diskette will reinfect a freshly cleaned machine the next time it is used.
8. If you find you have infected diskettes, follow these steps again for each one.
9. Inform others in your area or department so they may check their systems as well. Do not keep an infection secret! It is better that others be informed so that supervisors can act on your information to ensure a secure working environment.
10. If at any time you experience problems SCANning or CLEANing your system, contact a technician or supervisor who is familiar with disinfection procedures, or contact your McAfee Agent for support.

CONCLUSION

Chances are that at some point in the future you will come in contact with a virus or become aware of an infection. If you are prepared and informed you can quickly and effectively protect or disinfect your system. By following the guidelines set out in this brief you can minimize your chances of an infection. However, no system can ever be "guaranteed" secure, so back up your data and scan your system regularly. Always get your anti-virus utility from a secure source: your McAfee Agent, your supervisor or a McAfee-authorised BBS. Your best protection is to be prepared. Don't think "it won't happen to me". If you are lucky it won't, but if it does you should be ready.
Someday systems may be totally immune to viruses; for the time being, however, viruses are prevalent and replicating. With proper procedures and education they will become just another "part of doing business". If you have any questions, please consult the documentation included with your programs, or feel free to contact us at DOLFIN Developments Ltd. for assistance of any kind.

You are free to distribute this document for personal use. Any business, agency or government office must acquire a Corporate Licence to use this document internally.

Michael B. Cameron
Data Security Specialist
DOLFIN Developments Ltd.
(416) 829-4344

Copyright DD 1991