UO Computing Center Microcomputer Services
The Duck! Practicing Safe Computing
Preventing and Recovering From Computer Viruses


1. Language/Terms used throughout Workshop
2. What is a Computer Virus?
3. Types of Viruses
4. How Viruses work
5. Characteristics of Viruses
6. More about Boot Viruses
7. More about Program Viruses
8. Macro Viruses - the Latest Threat
9. Hoax Viruses
10. Virus Issues under various Operating Systems
     a. Mac
     b. DOS
     c. Windows 3.1
     d. Windows 95
     e. Windows NT
11. Anti-Viral Solutions
12. Anti-Viral Resources on the Web

1. Language/Terms used throughout Workshop [Top of Page]

Boot Record: A small section of the hard or floppy disk in which DOS looks for instructions on how to start the computer. Located in the Boot Sector.

File Allocation Table (FAT): A small database located on all hard or floppy disks that shows the computer where to access files on the disk.

Logical Drive: A drive that the operating system recognizes instead of the actual physical drive. C:, D:, and E: can be three logical drives carved out of a single physical drive. The computer keeps track of this information in the Partition Table.

Master Boot Record (MBR): The boot record located at the very first physical sector of every hard disk that holds the Master Boot Program. The Master Boot Program looks up information in the Partition Table to find bootable partitions and then instructs the system to go to the beginning of the bootable partition and execute any instructions the system finds there.

Operating System (OS): The software that is initially loaded into the computer to prepare the system for operation.

Partition Table: A 64-byte table stored inside the Master Boot Record (not a separate file) that records the Logical Drive structure of the hard drive: where each partition starts and ends, its type, and which one is marked bootable.

Payload: The action or destruction caused by a virus.

Physical Drive: The actual piece of hardware that is used for long-term storage of data. The physical drive can be divided into Logical Drives (C:, D:, etc.), and also contains the Boot Sector and Partition Table data that tells the Operating System how the logical drives are set up.

Terminate & Stay Resident (TSR): A type of application or device driver that is initially loaded into RAM and remains active while the system is running. Also known as a memory resident program.

2. What is a Computer Virus? [Top of Page]

A computer virus is a "parasitic" program written intentionally to enter a user's computer without their knowledge or permission. A virus attaches itself to a file or boot sector and replicates itself to other files, disks, etc. in an effort to spread. In 1986 there were 4 known viruses; today there are thousands. While a large number are designed simply to alert the user to their presence, many carry destructive payloads that can cause damage, sometimes unintentionally, to individual files, disks, or entire hard drives.

3. Types of Viruses [Top of Page]

Viruses can be divided into two primary categories: Boot Viruses and Program Viruses. A third type, Multipartite viruses, exhibit the behaviors of both Boot and Program viruses.

Boot viruses are programs that infect the Boot Record, Master Boot Record (MBR), File Allocation Table (FAT), or partition table of a disk.

Program Viruses infect executable program files such as .com, .exe, .ovl, .drv, .sys, and .bin. Also with the recent development of Macro Viruses, document files such as .doc or .dot are also susceptible to program viruses.

4. How Viruses Work [Top of Page]

Boot viruses attack the boot sector of a disk. Every disk (floppy or hard drive) has a boot sector, even if it is not "bootable." The boot sector holds the information the computer needs to locate and start the operating system. Boot viruses normally operate by supplanting the existing boot record (on a hard disk, the Master Boot Record in the first physical sector) with their own viral code. That code is then read into memory every time the computer boots from the disk, allowing the virus to deliver its payload while continuing to infect other disks that come into contact with the computer.

Program viruses attach themselves to an application or document file. When the program is run (or the document opened) the program virus is run as well and is loaded into memory. While in memory the program virus can deliver its payload and infect other executable or document files.

5. Characteristics of Viruses [Top of Page]

Computer viruses exhibit a variety of characteristics that make them difficult to detect and remove. Most viruses are memory resident: they load into the computer's memory and stay there while the computer is on or the infected program is active.

Many viruses take steps to avoid detection. These "stealth" viruses can redirect disk reads made by anti-viral software, alter the disk directory data so that the size of the infected file does not appear changed, or even remove themselves from infected files or locations while anti-viral software is scanning, reinfecting the files once the scan has moved on. Particularly insidious are polymorphic viruses, which are designed to change their own code so that each copy looks different throughout the life of the virus. These viruses are remarkably difficult to detect and remove.

Finally, most viruses activate based upon some trigger event. A particular date, date range, time, or keyboard command will set the virus into motion. A well-known example of a virus triggered by a specific date is the Michelangelo virus, which strikes on March 6th, Michelangelo's birthday.

6. More about Boot Viruses [Top of Page]

Boot viruses work by copying their code to the disk's boot record. They normally move the existing boot record to a different location on the disk, often the last sector of the physical or logical drive. When the infected computer is started up, the virus is read as part of the boot process: it loads itself into memory and then passes control to the original boot record, so the system appears to start normally. Boot viruses can disrupt computer activities and cause damage in many ways:

  • Boot viruses can contain instructions to execute commands or redirect disk reads
  • Boot viruses can blind the computer to certain resources (suddenly the A drive does not exist)
  • Boot viruses can effectively destroy the Master Boot Record by parking the original copy in a location that is later overwritten; loss of the MBR normally leads to system crashes during boot up
  • Boot viruses can lead to loss of data and crashes by damaging the MBR or the File Allocation Table
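To make the layout described in sections 4 and 6 concrete, here is an added example (not code from the original page or from the Computing Center): a small Python parser for a PC master boot record, plus the check an integrity tool can make for the relocated original boot record that a boot virus leaves behind. The disk image, the "virus" and the parking sector are constructed here purely for illustration; nothing in it is taken from a real virus. It assumes standard 512-byte sectors and the standard MBR layout (boot program in bytes 0-445, four 16-byte partition entries at offset 0x1BE, the 0x55AA signature in bytes 510-511).

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 0x1BE        # partition table: bytes 446..509 of the MBR
PT_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"  # boot signature: bytes 510..511


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries of a boot sector."""
    if len(sector) != SECTOR or sector[510:] != SIGNATURE:
        raise ValueError("not a boot sector: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba_start, count = struct.unpack(PT_FORMAT, raw)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from boot code, (status, type, lba, count) tuples and the signature."""
    if len(boot_code) > PT_OFFSET:
        raise ValueError("boot code must fit in the first 446 bytes")
    table = b"".join(struct.pack(PT_FORMAT, st, b"\0\0\0", ty, b"\0\0\0", lba, cnt)
                     for st, ty, lba, cnt in partitions).ljust(64, b"\0")
    return boot_code.ljust(PT_OFFSET, b"\0") + table + SIGNATURE


def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the master boot program alone; the partition table is excluded
    because a boot virus keeps it intact so the logical drives still appear."""
    return hashlib.sha256(sector[:PT_OFFSET]).hexdigest()


def find_relocated_boot_records(image: bytes) -> list:
    """Sectors other than 0 that carry sector 0's partition table under different
    boot code: the trace left when a virus parks the original MBR elsewhere."""
    mbr = image[:SECTOR]
    hits = []
    for n in range(1, len(image) // SECTOR):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        same_table = s[PT_OFFSET:510] == mbr[PT_OFFSET:510]
        other_code = s[:PT_OFFSET] != mbr[:PT_OFFSET]
        if s[510:] == SIGNATURE and same_table and other_code:
            hits.append(n)
    return hits


def check_disk(image: bytes, baseline: str) -> dict:
    """Run both checks: has the boot program changed since the baseline was taken,
    and does any other sector look like the displaced original MBR?"""
    mbr = image[:SECTOR]
    return {"code_changed": boot_code_fingerprint(mbr) != baseline,
            "partitions": parse_partition_table(mbr),
            "relocated_copies": find_relocated_boot_records(image)}


# --- constructed 16-sector sample disk; stand-in bytes, not a real disk or real virus ---
PARTITIONS = [(0x80, 0x06, 8, 8)]  # one bootable FAT16 partition starting at LBA 8
CLEAN_BOOT_CODE = b"stand-in clean master boot program".ljust(400, b"\x90")
VIRAL_BOOT_CODE = b"stand-in viral loader".ljust(300, b"\xCC")
CLEAN_IMAGE = build_mbr(CLEAN_BOOT_CODE, PARTITIONS) + b"\0" * (SECTOR * 15)
BASELINE = boot_code_fingerprint(CLEAN_IMAGE[:SECTOR])  # recorded while the disk was known clean


def simulate_infection(image: bytes, park_sector: int) -> bytes:
    """Model the relocation the text describes: copy the original MBR to park_sector,
    then overwrite sector 0's boot program while leaving its partition table alone."""
    original = image[:SECTOR]
    disk = bytearray(image)
    disk[park_sector * SECTOR:(park_sector + 1) * SECTOR] = original
    disk[:SECTOR] = VIRAL_BOOT_CODE.ljust(PT_OFFSET, b"\0") + original[PT_OFFSET:]
    return bytes(disk)


INFECTED_IMAGE = simulate_infection(CLEAN_IMAGE, park_sector=7)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        r = check_disk(img, BASELINE)
        print(f"{label}: boot code changed={r['code_changed']}, "
              f"relocated copies in sectors {r['relocated_copies']}, "
              f"bootable partition at LBA {r['partitions'][0]['lba_start']}")
```

The second check is the useful one when no baseline exists: because the virus must keep the partition table so the logical drives still mount, a copy of that exact table sitting behind different boot code in some other sector is hard to explain any other way. Both checks assume the sectors read are what is really on the disk. A memory-resident stealth boot virus (section 5) redirects reads of sector 0 to the parked original, so run a check like this after booting from a clean, write-protected floppy, not from the suspect system.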

7. More about Program Viruses [Top of Page]

Program viruses infect a computer by attaching code to an executable program or document. The code is inserted into the file in such a way that the program continues to work properly while the viral code is also executed and loads the virus into memory. A program virus is active only as long as the infected program is running, unless it installs itself as a memory resident (TSR) program or also infects the master boot record, in which case it remains active after the host program exits. Program viruses can often be detected by a change in an executable file's size, checksum, or memory usage.
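The size check mentioned above, together with its main blind spot, as an added example (not the page's own code, and not modelled on any particular virus): a Python integrity checker that records the size and SHA-256 of each executable on a known-clean system and classifies the files later. The two "infections" are constructed models of an appending .COM infector and a cavity infector; the file names, directory layout, file contents and virus body are all stand-ins chosen for the example.

```python
import hashlib
import os
import struct

EXECUTABLE_EXTS = (".com", ".exe", ".ovl", ".drv", ".sys", ".bin")


def load_executables(directory: str) -> dict:
    """Read every executable (by extension) under `directory` into memory."""
    files = {}
    for root, _, names in os.walk(directory):
        for name in names:
            if name.lower().endswith(EXECUTABLE_EXTS):
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    files[os.path.relpath(path, directory)] = fh.read()
    return files


def baseline(files: dict) -> dict:
    """Record (size, SHA-256) per file while the system is known to be clean."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def compare(files: dict, base: dict) -> dict:
    """Classify each file against the baseline."""
    result = {}
    for name, (size, digest) in base.items():
        if name not in files:
            result[name] = "missing"
        elif len(files[name]) != size:
            result[name] = "size_changed"      # what a size-only check catches
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            result[name] = "content_changed"   # same size, different bytes
        else:
            result[name] = "ok"
    for name in files:
        if name not in base:
            result[name] = "new"
    return result


# --- constructed models of two infection styles; VIRUS_BODY is a placeholder, not code ---
VIRUS_BODY = b"<stand-in virus body, not executable>"


def append_infect_com(original: bytes) -> bytes:
    """Appending .COM infector: a 3-byte near JMP replaces the entry point and lands
    on the body appended after the file; the displaced 3 bytes ride along. Size grows."""
    jmp = b"\xE9" + struct.pack("<H", len(original) - 3)  # rel16 from offset 3 to len(original)
    return jmp + original[3:] + original[:3] + VIRUS_BODY


def cavity_infect(original: bytes) -> bytes:
    """Cavity infector: overwrite a run of zero padding inside the file. Size is
    unchanged, so a size check sees nothing; only the hash changes."""
    pos = original.find(b"\x00" * len(VIRUS_BODY))
    if pos < 0:
        raise ValueError("no cavity large enough")
    return original[:pos] + VIRUS_BODY + original[pos + len(VIRUS_BODY):]


CLEAN_FILES = {  # stand-in file contents
    "game.com": b"\xB4\x4C\xCD\x21" + b"GAME.COM stand-in bytes".ljust(60, b"\x90"),
    "editor.exe": (b"MZ" + b"EDITOR.EXE stand-in header".ljust(62, b"\x90")
                   + b"\x00" * 128 + b"code".ljust(64, b"\xCC")),
}
BASE = baseline(CLEAN_FILES)
INFECTED_FILES = {
    "game.com": append_infect_com(CLEAN_FILES["game.com"]),
    "editor.exe": cavity_infect(CLEAN_FILES["editor.exe"]),
}

if __name__ == "__main__":
    print("clean:   ", compare(CLEAN_FILES, BASE))
    print("infected:", compare(INFECTED_FILES, BASE))
```

Take the baseline on a freshly installed machine and keep it on write-protected media. The size column is the check the text refers to; the hash column is what catches the cavity case and costs little to keep. Remember that a stealth virus (section 5) can falsify directory sizes and redirect file reads, so both the baseline and any later comparison should be made after booting from a clean floppy.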

8. Macro Viruses - the latest threat [Top of Page]

In 1994 a new kind of program virus was unleashed: the Macro Virus. With the release of Word 6, Microsoft added the WordBasic programming language, allowing users to create their own macros to automate repetitive tasks. This macro language also opened the door to writing harmful macros that, if run, could change the text of a file, modify other programs on a hard drive, or worse. Macro Viruses are considered Program viruses because a macro is a piece of code inserted into an existing file that is passed along through the use of the file, in this case a document file. To date most Macro Viruses have been relatively benign or at most annoying: rearranging certain words, inserting text, and changing document files into templates. Some, though, are just as destructive as other viruses or more so. The MDMA virus contains instructions to delete executable files from the system folder of various operating systems, causing Windows 3.1 and Windows 95 to crash or simply vanish from a user's computer.

Macro Viruses are fast becoming the number one viral problem for computer users. The basic reasons for this alarming increase in Macro Viruses are that they are easy to write and easy to spread. Microsoft designed the macro language of Word to be simple to use. A user creates a macro by "recording" actual procedures or commands (Replace "a" with "an," Save Document, etc.). Because the code is inserted into a document, the propagation of the virus is assured. Documents are saved to floppies and taken to a different location to print or edit. Documents are attached via e-mail programs and sent to colleagues. What makes Macro Viruses even more dangerous is their ability to operate on different platforms. Any system that can run Word 6.0 or higher--Windows 3.1, Windows 95, Windows NT, the MacOS, or OS/2--can be infected by or spread a Macro Virus.

Because there are so many of them, and because other programs with similar macro languages (such as Excel) can host them too, Macro Viruses are hard to eradicate. New ones appear daily. Anti-viral protection against Macro Viruses has only recently caught up with the most common ones. Freeware protection has been lacking on some platforms, especially the MacOS. Updates to shareware and commercial anti-viral software come at regular intervals, but lag one to two months behind newly released Macro Viruses.

9. Hoax Viruses [Top of Page]

Hoax viruses are messages propagated on the internet warning that an e-mail message exists that, if read, will infect a computer and cause unimaginable damage. The hoax is that the alleged message does not exist and could not possibly do the damage it claims. The warning message itself turns out to be the "virus," propagated by users forwarding the warning. The payload of a hoax virus is annoyance and fear. Recent examples of hoax viruses include the Good Times virus, Pen Pal, AOL4Free and Deeyenda. Any message that claims an e-mail based virus exists that, merely by being read, will delete files from a hard drive, scan for personal information such as credit card numbers and passwords, and transmit that data out on the internet should be treated with a high degree of skepticism. Important caveats to the hoax virus phenomenon: an e-mail message can very easily carry an attached file that is a virus. If the attached program is run, a virus can easily infect the machine and cause damage. Also, recent viruses have been written that exploit certain e-mail programs and propagate themselves by sending out e-mail with viral attachments to addresses found in the e-mail program's address book. So, while there currently are no viruses that can do what most hoaxes claim, some viruses are beginning to take on characteristics of "hoax" viruses.

10. Virus Issues under various Operating Systems [Top of Page]

  a. Mac [Top of Page]

  The MacOS has far fewer viruses to contend with than other operating systems. With fewer than 300 (including Macro Viruses), the MacOS has been comparatively safe from computer viruses. The recent development of cross-platform Macro Viruses and the absence of freeware anti-viral solutions to deal with Macro Viruses have reawakened people to viruses on the MacOS.

  b. DOS [Top of Page]

  Most boot sector viruses are "DOS" viruses. While boot sector viruses affect any PC platform with a Master Boot Record, MBR viruses rely on the computer using DOS real mode drivers to execute system and program commands. Many program viruses are also DOS specific, and will only execute in DOS or DOS boxes under graphical operating systems (including SoftWindows or another DOS emulator for the MacOS).

  c. Windows 3.x [Top of Page]

  Boot sector viruses and macro viruses are the main viral problems for Windows 3.x users. Some Windows 3.x specific program viruses exist and can infect Windows 3.x programs. Windows 3.x viruses can also infect Windows 3.x programs running under other operating systems (like 95 or NT) but usually have no effect on the parent OS or non-3.x programs.

  d. Windows 95 [Top of Page]

  While it is romantic to think that Windows 95 took DOS away completely, in fact DOS is still alive and well in Windows 95. Windows 95 was designed to permit compatibility (or at least co-existence) among DOS, Windows 3.x and Windows 95 programs. When a Windows 95 computer boots up, DOS real mode drivers are used, and they continue to be used as long as drivers in the autoexec.bat or config.sys files are used instead of Windows 95 protected mode drivers. This makes Windows 95 machines just as susceptible to boot sector viruses as a DOS/Win 3.x machine. Because of the networkability of the operating system, Windows 95 makes certain types of viruses (such as macro viruses) easier to spread via e-mail and the internet. Virtual Device Drivers (VxDs) that are used in the operation of Windows 95 and require access to files and system settings may be especially vulnerable to viral attack because of their authority in the operating system.

  e. Windows NT [Top of Page]

  While no NT-native viruses exist, it is only a matter of time. Windows NT offers more built-in security through file protections, memory restrictions and boot procedures. NT (especially with NTFS) offers levels of file and directory protection that prohibit read and write requests by programs and users without sufficient access privileges. NT also provides a separate memory space for "non-compatible" software programs (such as Windows 3.x programs), keeping any program viruses isolated not only from NT but also from other programs they could normally infect. Both disk access and memory protections can be disabled by users, potentially limiting their effectiveness. If employed, however, these restrictions can curtail both the impact and propagation of computer viruses.

    Because NT completely supplants the real mode drivers with its own NT protected mode drivers during boot up, boot sector viruses are normally "neutered" just after they are loaded. A master boot record virus could easily infect an NT machine (by having an infected disk in the drive when the computer boots), but the virus would be stopped by NT when the protected mode drivers and the NT boot process take over the computer. Normally, a boot sector virus on an NT machine will either cause no damage or keep the computer from booting into NT at all. When the boot sector virus infects the machine it moves the MBR to a different location. If the MBR gets overwritten or is corrupted, NT will be unable to find it and will, consequently, crash. NT on a dual-boot machine could suffer similar consequences or worse: if a logical or physical drive that NT needs to map to is infected by a boot sector virus, NT will often interpret the virus as a damaged MBR and will be unable to access that drive.

    An NTFS system, if infected with a boot sector virus, will most often crash upon start up because of the NTFS bootstrap process. When the computer boots up with a virus, the virus is loaded and then passes boot control on to the master boot record (stored in a different location). The MBR then passes control to the NTFS bootstrap program, which tries to load the entire boot record into memory, including the original MBR. Because it cannot know where the MBR is located (the virus is occupying its original location) it will load a corrupted boot record and crash.

11. Anti-Viral Solutions [Top of Page]

Anti-viral programs have matured tremendously in the past few years. Their ability to deal with stealth viruses, polymorphic viruses, and the host of new viruses discovered daily has made many programs more than worth the time and money of their installation and maintenance.

A few freeware anti-viral programs also exist that provide a degree of protection and can be useful in combating computer viruses. The Disinfectant program for the Mac, last updated in 1995, provides the most comprehensive freeware protection for the MacOS. Disinfectant does not protect against macro viruses, but can handle the majority of non-macro viruses found on the MacOS. Data Fellows offers a free limited version of their F-PROT anti-viral program that does a good job of identifying and removing most PC viruses. The free companion program F-MACROW provides protection against macro viruses. Both of these programs are written for a 16-bit operating environment, and will not scan for or remove any possible Windows 95 or NT viruses. Both will run under these operating systems, however.

Shareware and Commercial anti-viral software is generally more effective in identifying and eradicating computer viruses. Virex, SAM (Symantec Antivirus for the Mac) and McAfee's VirusScan are three of the most common MacOS anti-viral tools available. Norton AntiVirus, F-Prot Professional, McAfee's VirusScan, and Sophos Sweep are some of the more popular DOS/Windows anti-viral programs.

The University of Oregon currently has a site license for the Symantec antiviral products (SAM and Norton AntiVirus). Use of these products is free to current University of Oregon students, faculty and staff. Microcomputer Services provides support and updates for the Symantec products. Contact Microcomputer Services at 346-4412, through email at microhelp@oregon, in person in Room 202 of the Computing Center, or on the web at the Microcomputer Services web site.

 

12. Anti-Viral Resources on the Web [Top of Page]

Probably the best and most current sources of information about viruses and anti-viral tools are found on the internet. Most anti-viral companies maintain detailed web sites, and a number of pages developed by concerned individuals and user groups also exist. Some of the most comprehensive include:

 The Symantec Anti-Viral Resource Center: http://www.symantec.com/avcenter/index.html

Data Fellows Virus Information Center: http://www.datafellows.fi/news/vir-news/

McAfee's Virus Info Library: http://www.mcafee.com/support/techdocs/vinfo/index.html

The AVP VIRUS ENCYCLOPEDIA:
http://www.metro.ch/avpve/

The A-Z Antivirus Page:
http://antivirus.miningco.com/compute/software/antivirus/

Don't Spread that Hoax: http://crew.umich.edu/~chymes/Hoaxes/Think.html

The Hitchhikers AntiViral Resources: http://www.hitchhikers.net/av.shtml

 

 

Last Update
Oct. 31, 1999
