By Kenneth L. Bechtel, II
of the paper:
1. Set definitions for types of viruses.
2. Describe Viral Symptoms.
3. Understand how viruses are caught and spread.
4. Understand what you can do to delay or prevent
5. Be able to take appropriate actions while under
a suspected or actual viral attack.
The Computer Anti-Virus Community does not have 100% agreement on
what constitutes a virus. The definitions I am about to give
are accepted by a majority, but there are some variations.
1. VIRUS: A virus is a malicious,
but not necessarily destructive, unauthorized, self-replicating
string of computer code (or program). Arguably, a virus
is parasitic, meaning it copies itself from and to another program
and/or system environment. Some people believe that a virus does
not need to be self-replicating or require a host.
2. TROJAN HORSE: A Trojan
Horse is a malicious, usually destructive program hidden within
what appears to be an interesting or useful program, e.g., a
spreadsheet, calendar program or a game. Arguably, some
people consider a Trojan Horse a virus. Trojan Horses, however,
are not self-replicating. Rather they rely upon unsuspecting
users to spread them.
3. LOGIC BOMB: A malicious
program set to "go off" under a certain set of circumstances,
when something happens, or does not happen. Examples would be
a date, a logon or the deletion of a user. These are generally
destructive. Some people consider Logic Bombs viruses. Like the
Trojan Horse they are not self-replicating. However, unlike a
Trojan Horse, a Logic Bomb may be programmed into a Virus or even
a Trojan Horse. Logic Bombs are the most common means of employee
revenge and are often targeted to one system or company.
4. WORMS: By themselves, worms
are nondestructive and are used to infiltrate systems. Worms
were originally used by system maintenance personnel and administrators
to locate trouble spots, but they were mutated to gain illegal
access and passwords. The most troublesome worms are the ones
that are so poorly programmed that they create too many copies
of themselves on a host machine, causing a system
overload that results in a system crash. A Worm is a stand-alone
program (non-parasitic) that can be self-replicating and could
carry a Virus or Logic Bomb as a "Payload". Some people
consider Worms a virus. The most famous Worm would be the Internet
1. TYPES OF VIRUSES:
- Common or File
Infector - Attaches itself to Executable (.EXE) or Command
(.COM) files. Every time an infected program is run, the virus
will load itself into memory and infect the next non-infected
program that is run.
- Multipartite - These
viruses will infect either programs or boot sectors. These can
be one of the most difficult infections to clean up if not done
- Boot Sector Virus - Resides in the boot sector of a disk, hard or floppy. The boot
sector is that portion of a disk that gives it its identity (i.e.,
High density, Low density, IBM, Apple, Mac, etc.). After a given
number of boots, the virus activates and the system is usually
destroyed. The destruction may be rewriting the boot sector,
making it unbootable, or scrambling the File Allocation Table
(FAT), which tells the computer where to find files and programs
on the disk.
- Stealth Virus - Can
be any one of the previously mentioned types, but is designed
to defeat anti-viral scanning and other anti-viral detection software.
- Macro Viruses - The
newest in the computer virus family. While macro viruses have
only been around since 1995, they have already surpassed the older
viruses in number of new variants in a measured time, as well
as in speed and breadth of spread. Fortunately, right now most infections
are limited to the Microsoft Office suite, although there are viruses for
other applications, like the Amipro Spreadsheet program.
2. HOW CAUGHT/ SPREAD:
- Bottom line, viruses are caught and spread from
infected machines by sharing floppies or files. Some software
has been shipped from the companies already infected by viruses, but such
cases are few and far between. A virus has NEVER
been created by a user pressing the wrong keys.
- Trojan Horses are caught and spread by using
unfamiliar software, usually downloaded from an Electronic Bulletin
Board Service (BBS), the Internet or other unknown/questionable
sources. Most BBSs do their best to scan for viruses, but some
still get through.
- Modems - although direct modem contact has not
been a source of infection, the transfer and later execution of
infected files has been a major source of infections.
- Boot sectors are infected by trying to boot off
an infected diskette. The diskette does not need to be a bootable
(system) diskette to be able to transmit a boot sector virus.
The message "NON SYSTEM DISKETTE" is in your diskette's
boot sector, and all disks/diskettes have a boot sector.
- Viruses, especially logic bombs, can be and are spread
by disgruntled employees. They see this as a way to right wrongs
done to them by the company.
- E-Mail has helped the proliferation of Macro
Viruses like no other vector. While the E-mail text itself cannot
spread a virus, E-mail attachments are ready transmitters.
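The point above that every diskette, bootable or not, carries a boot sector containing code and the "non-system disk" message can be seen by parsing one. This is an added example, not part of the original paper; the sample sector is constructed, and the FAT12 layout with boot code starting at offset 0x3E is an assumption that matches DOS 4.0 and later formatting.

```python
import hashlib
import re
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBH"   # DOS BIOS Parameter Block fields at offset 11
CODE_START = 0x3E          # assumed: boot code follows a DOS 4.0+ extended BPB


def build_sample_boot_sector():
    """Constructed boot sector of a non-bootable 1.44 MB data diskette."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"             # jump over the BPB into the boot code
    sector[3:11] = b"MSDOS5.0"                # OEM name
    # bytes/sector, sectors/cluster, reserved, FATs, root entries,
    # total sectors, media descriptor, sectors/FAT
    struct.pack_into(BPB_FORMAT, sector, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    msg = b"Non-System disk or disk error\r\nReplace and press any key\r\n"
    sector[CODE_START:CODE_START + len(msg)] = msg   # stand-in for code + message
    sector[510:512] = b"\x55\xAA"             # boot signature
    return bytes(sector)


def inspect_boot_sector(sector):
    """Parse the geometry fields and fingerprint the executable part."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    fields = struct.unpack_from(BPB_FORMAT, sector, 11)
    code = sector[CODE_START:510]
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "oem": sector[3:11].decode("ascii", "replace").strip(),
        "total_sectors": fields[5],
        "media": fields[6],
        "strings": [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{6,}", code)],
        # Hash the jump and code, not the BPB, so relabelling a disk is not flagged.
        "code_sha256": hashlib.sha256(sector[0:3] + code).hexdigest(),
    }


def boot_code_changed(baseline, current):
    """True when the boot code differs from the recorded known-good sector."""
    return (inspect_boot_sector(baseline)["code_sha256"]
            != inspect_boot_sector(current)["code_sha256"])


if __name__ == "__main__":
    info = inspect_boot_sector(build_sample_boot_sector())
    print(info["oem"], hex(info["media"]), info["strings"])
```

Recording `code_sha256` for a freshly formatted diskette gives a known-good value to compare work disks against later.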
3. SYMPTOMS: Each virus has its
own set of symptoms, just as human viruses do. What I am going
to give are generic symptoms, which should not be considered exclusive
or all inclusive. These are some of the many different symptoms
- Frequent System Crashes.
- Applications behaving erratically.
- Unexplained file size increases.
- System inexplicably slows down.
- Difficulty in accessing data files.
- Excessive, unexplained disk access.
- Strange or unusual displays or messages, or
As you can see, these symptoms are very similar to
"common" computer malfunctions, and in fact, most symptoms
occur due to programming incompatibilities. The most "Successful"
viruses have no intentional payload, which would tip the user
off to their presence on the infected system. Notice, I have NOT
said a word about damaged hardware; that is because hardware
can NOT be damaged by software, and viruses are software.
While rumors abound about exploding monitors and engraved hard
drives, no one has yet produced a hardware-damaging virus.
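The "unexplained file size increases" symptom can be checked mechanically instead of noticed by chance: record the size and hash of every program file while the system is known clean, then compare later. This is an added example, not part of the original paper; the file names and contents are constructed, and SHA-256 is used here as the content fingerprint.

```python
import hashlib
import os
import tempfile
from pathlib import Path

WATCHED = (".com", ".exe", ".sys")   # the file types the paper singles out


def snapshot(root):
    """Map relative path -> (size, sha256) for every watched file under root."""
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WATCHED):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                rel = os.path.relpath(path, root)
                state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def compare(baseline, current):
    """List (path, finding) pairs for new, missing and modified programs."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append((path, "new"))
        elif path not in current:
            findings.append((path, "missing"))
        elif current[path][1] != baseline[path][1]:
            delta = current[path][0] - baseline[path][0]
            findings.append((path, f"modified, size {delta:+d} bytes"))
    return findings


def demo():
    """Constructed files: one program grows, one is rewritten at the same size."""
    samples = {"EDIT.COM": b"A" * 100, "CALC.EXE": b"B" * 200, "NOTES.TXT": b"text"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        baseline = snapshot(tmp)
        Path(tmp, "EDIT.COM").write_bytes(b"A" * 100 + b"C" * 48)   # grows by 48
        Path(tmp, "CALC.EXE").write_bytes(b"D" * 200)               # same size
        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    print(demo())
```

The hash catches the same-size rewrite that a size check alone would miss. Take both snapshots after booting from known-clean media, since the paper notes that stealth viruses are designed to defeat detection software.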
The following are some steps to use to protect your
- Purchase and use an Anti-Viral Product. Whatever
package you choose will be based on cost and what your needs are;
as a minimum, any scanner product should be NCSA Certified. I
also recommend that, whatever you do, you don't rely on just one package;
double your bets and you'll be better off.
- When available, change the attributes of
Command (.COM) and executable (.EXE) files, and System (.SYS)
files, to Read-Only. This will not stop viruses, but it will slow or stop
someone from intentionally or unintentionally deleting programs.
When you are updating a file, remember to return the attributes
to normal, or else an "ACCESS DENIED" message will be
- Purchase your software from a reputable dealer
and scan it before installing.
- Do not "Share" software. While this
is illegal, it is also a large source of infections.
- Keep a dedicated disk for taking work home and
to the office, and scan this disk often.
- Disable auto launch from E-mail clients. It should
be a policy to scan all incoming documents and spreadsheets before
- Where possible, MS-Word should be set to save
files in a Rich Text Format (RTF) as a default. This has a penalty
of losing some formatting options, but it does not save
- The cheapest method to protect against boot sector
viruses is to change (where possible) the boot sequence of the
computers, making it boot first from the hard drive, and then
the floppy, or totally disable floppy boots. In most business
and home environments, there is little need to ever boot from
a floppy. In the odd event that there is a requirement to boot
from floppy, e.g., failed hard drive, you can always reset the
5. TAKE APPROPRIATE ACTIONS: When
you discover that you are infected or being attacked by a virus,
or if you suspect you may be under attack, take the following
- IMMEDIATELY stop all computer processing.
Copy down the message that your Anti-Viral Product gives you
and turn off the computer. Do not use this system until it is
verified to be clean.
- Contact a local computer vendor or user's group
to find someone experienced in viral cleanup. Tell them all the
appropriate info, e.g., symptoms, messages, etc.
- If experienced Anti-Virus Technicians are not
available, follow these instructions:
- Boot the infected system from a clean system
- Run a virus scanning utility.
- Clean up all infected files by using a disinfectant
program or deleting them.
- Re-scan the infected disk or diskette to identify multiply
infected files.
- Reinstall all applications from distribution diskettes.
- Scan again to detect any possible "Shrink
Wrap" infected programs.
- If the scan shows no trace of the virus you
may begin computing again. Keep your eyes open for renewed symptoms.
- After the system is clean, scan all diskettes
to attempt to find the source of the infection.
VIRUSES ARE NOT SOMETHING TO EXPERIMENT WITH,
THEY ARE DANGEROUS.
The following is a list of recommended additional
reading. While this list is not all-inclusive, it is a good starting
point. All these books were written in the 90's and are relatively
current in content.
COMPUTERS UNDER ATTACK: INTRUDERS, WORMS &
Edited by Peter J. Denning (1990, 150pp)
Dr. Lance J. Hoffman (1990, 384pp)
COMPUTER VIRUS SURVIVAL GUIDE
David Stang (1991, 87pp)
PC VIRUS CONTROL HANDBOOK
Robert Jacobson (1990, 162pp)
EXECUTIVE GUIDE TO COMPUTER VIRUSES
Charles Rustein (1992, 60pp)
All the above books and more are available through
your local bookstore or from the National Computer Security Association
(NCSA) whose address is as follows:
1200 Walnut Bottom Drive
Carlisle, PA 17013
Disclaimer: As
a computer specialist, I realize some of what I have written is
oversimplified or seemingly flawed. Please remember my target
audience is Viral beginners. This paper is not intended to be
all-inclusive. For more information, contact your local library
or bookstore. This paper is only to provide basic working knowledge
of viruses and help the user protect themselves. I take no responsibility
for any infection, damage or data loss the reader may incur.
There is no 100% method, other than not using your P.C., to prevent
a viral infection. If you follow the above suggestions, you will
be fairly safe from infections.
The Author may be contacted:
on CompuServe at user # 72154,3302
Via Internet: firstname.lastname@example.org