MINDPRIDE Computer Services

 

VIRUS PROTECTION AND REMOVAL


Virus Protection

What do all these hackers do for a living? Contrary to popular suspicions, they don't work for the companies that provide anti-virus software… In fact, Control Freaks is very happy to provide our customers with Norton virus detection and removal software from Symantec, and help make sure your system is secure from these common threats. In the event that a virus is successful in scrambling your system, Control Freaks is there to help you recover, and prevent future attacks.

MindPride Protection services:

  • Virus protection assessment
  • Anti-virus software and updates
  • Virus detection and removal
  • Operating system and application configuration/settings
  • Establishing "best practices" for avoiding exposure to viruses

 

A virus reproduces, usually without your permission or knowledge. In general terms they have an infection phase where they reproduce widely and an attack phase where they do whatever damage they are programmed to do (if any). There are a large number of virus types.

Viruses are a cause of much confusion and a target of considerable misinformation even from some virus "experts." Let's define what we mean by virus:

A virus is a program that reproduces its own code by attaching itself to other executable files in such a way that the virus code is executed when the infected executable file is executed.

You could probably also say that the virus must do this without the permission or knowledge of the user, but that's not a vital distinction for purposes of our discussion here. We are using a broad definition of "executable file" and "attach" here.

An obvious example of an executable file would be a program (COM or EXE file) or an overlay or library file used by an EXE file. Less obvious, but just as critical, would be the macro portion of what you might generally consider to be a data file (e.g., a Microsoft Word document). It's important to also realize that the system sectors on either a hard or floppy disk contain executable code that can be infected--even those on a data disk. More recently, scripts written for internet web sites and/or included in E-mail can also be executed and infected.

To attach might mean physically adding to the end of a file, inserting into the middle of a file, or simply placing a pointer to a different location on the disk somewhere where the virus can find it.

Most viruses do their "job" by placing self-replicating code in other programs, so that when those other programs are executed, even more programs are "infected" with the self-replicating code. This self-replicating code, when triggered by some event, may do a potentially harmful act to your computer.

Another way of looking at viruses is to consider them to be programs written to create copies of themselves. These programs attach these copies onto host programs (infecting these programs). When one of these hosts is executed, the virus code (which was attached to the host) executes, and links copies of itself to even more hosts.

Similar to viruses, you can also find malicious code in Trojan Horses, worms, and logic bombs. Often the characteristics of both a virus and a worm can be found in the same beast, confusing the issue even further.

Before looking at specific virus types you might also want to consider the following general discussions:

Summary

  • A virus is a program that reproduces its own code.
  • Generally, the first thing a virus does is to reproduce (i.e., infect).
    • Viruses balance infection versus detection possibility.
    • Some viruses use a variety of techniques to hide themselves.
  • On some defined trigger, some viruses will then activate.
    • Viruses need time to establish a beachhead, so even if they activate they often will wait before doing so.
    • Not all viruses activate, but all viruses steal system resources and often have bugs that might do destructive things.
  • The categories of viruses are many and diverse. Many have been written, and if you get one it should be taken seriously. Don't be fooled by claims of a good virus; there is no reason at the moment to create one.

 

Virus Behavior

Viruses come in a great many different forms, but they all potentially have two phases to their execution, the infection phase and the attack phase:

Infection Phase

Virus writers have to balance how and when their viruses infect against the possibility of being detected. Therefore, the spread of an infection may not be immediate.

When the virus executes it has the potential to infect other programs. What's often not clearly understood is precisely when it will infect the other programs. Some viruses infect other programs each time they are executed; other viruses infect only upon a certain trigger. This trigger could be anything: a day or time, an external event on your PC, a counter within the virus, and so on. Virus writers want their programs to spread as far as possible before anyone notices them.

It is a serious mistake to execute a program a few times, find nothing infected, and presume there are no viruses in the program. You can never be sure the virus simply hasn't yet triggered its infection phase!

Many viruses go resident in the memory of your PC in the same or similar way as terminate and stay resident (TSR) programs. (For those not old enough to remember TSRs, they were programs that executed under DOS but stayed in memory instead of ending.) This means the virus can wait for some external event before it infects additional programs. The virus may silently lurk in memory waiting for you to access a diskette, copy a file, or execute a program, before it infects anything. This makes viruses more difficult to analyze since it's hard to guess what trigger condition they use for their infection.

On older systems, standard (640K) memory is not the only memory vulnerable to viruses. It is possible to construct a virus which will locate itself in upper memory (the space between 640K and 1M) or in the High Memory Area (the small space between 1024K and 1088K). And, under Windows, a virus can effectively reside in any part of memory.

Resident viruses frequently take over portions of the system software on the PC to hide their existence. This technique is called stealth. Polymorphic techniques also help viruses to infect yet avoid detection.

Note that worms often take the opposite approach and spread as fast as possible. While this makes their detection virtually certain, it also has the effect of bringing down networks and denying access; one of the goals of many worms.

Attack Phase

Viruses need time to infect. Not all viruses attack, but all use system resources and often have bugs.

Many viruses do unpleasant things such as deleting files or changing random data on your disk, simulating typos or merely slowing your PC down; some viruses do less harmful things such as playing music or creating messages or animation on your screen. Just as the infection phase can be triggered by some event, the attack phase also has its own trigger.

Does this mean a virus without an attack phase is benign? No. Most viruses have bugs in them and these bugs often cause unintended negative side effects. In addition, even if the virus is perfect, it still steals system resources. (Also, see the "good" virus discussion.)

Viruses often delay revealing their presence by launching their attack only after they have had ample opportunity to spread. This means the attack could be delayed for days, weeks, months, or even years after the initial infection.

The attack phase is optional, many viruses simply reproduce and have no trigger for an attack phase. Does this mean that these are "good" viruses? No! Anything that writes itself to your disk without your permission is stealing storage and CPU cycles. (Also see the "good" virus discussion.) This is made worse since viruses that "just infect," with no attack phase, often damage the programs or disks they infect. This is not an intentional act of the virus, but simply a result of the fact that many viruses contain extremely poor quality code.

As an example, one of the most common past viruses, Stoned, is not intentionally harmful. Unfortunately, the author did not anticipate the use of anything other than 360K floppy disks. The original virus tried to hide its own code in an area of 1.2MB diskettes that resulted in corruption of the entire diskette (this bug was fixed in later versions of the virus).

 

Number of Viruses

There are currently over 50,000 computer viruses and that number is growing rapidly. Fortunately, only a small percentage of these are circulating widely.

There are more MS-DOS/Windows viruses than all other types of viruses combined (by a large margin). Estimates of exactly how many there are vary widely and the number is constantly growing.

In 1990, estimates ranged from 200 to 500; then in 1991 estimates ranged from 600 to 1,000 different viruses. In late 1992, estimates were ranging from 1,000 to 2,300 viruses. In mid-1994, the numbers vary from 4,500 to over 7,500 viruses. In 1996 the number climbed over 10,000. 1998 saw 20,000 and 2000 topped 50,000. It's easy to say there are more now.

The confusion exists partly because it's difficult to agree on how to count viruses. New viruses frequently arise from someone taking an existing virus that does something like put a message out on your screen saying: "Your PC is now stoned" and changing it to say something like "Donald Duck is a lie!". Is this a new virus? Most experts say yes. But, this is a trivial change that can be done in less than two minutes resulting in yet another "new" virus.

Another problem comes from viruses that try to conceal themselves from scanners by mutating. In other words, every time the virus infects another file, it will try to use a different version of itself. These viruses are known as polymorphic viruses.

One example, the Whale (a huge clumsy 10,000 byte virus), creates 33 different versions of itself when it infects files. At least one person counts this as 33 different viruses on their list. Many of the large number of viruses known to exist have not been detected in the wild but probably exist only in someone's virus collection.

David M. Chess of IBM's High Integrity Computing Laboratory reported in the November 1991 Virus Bulletin that "about 30 different viruses and variants account for nearly all of the actual infections that we see in day-to-day operation." Now, about 180 different viruses (and some of these are members of a single family) account for all the viruses that actually spread in the wild. To keep track visit the Wildlist, a list which reports virus sightings.

How can there be so few viruses active when some experts report such high numbers? This is probably because most viruses are poorly written and cannot spread at all or cannot spread without betraying their presence. Although the actual number of viruses will probably continue to be hotly debated, what is clear is that the total number of viruses is increasing, although the number of active viruses is not growing quite as rapidly as the totals might suggest.

Summary

  • By number, there are over 50,000 known computer viruses.
  • Only a small percentage of this total number account for those viruses found in the wild, however. Most exist only in collections.

 

Virus Names

A virus' name is generally assigned by the first researcher to encounter the beast. The problem is that multiple researchers may encounter a new virus in parallel which often results in multiple names.

What's in a name? When it comes to viruses it's a matter of identification to the general public. An anti-virus program does not really need the name of a virus as it identifies it by its characteristics. But, while giving a virus a name helps the public at large it also serves to confuse them since the names given to a particular beast can differ from anti-virus maker to anti-virus maker.
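The point above, that anti-virus software identifies a virus by its characteristics rather than by whatever name a vendor attached to it, is easier to see in code. The following is an added example, not code from the original page or from any anti-virus product: a tiny scanner that flags a file by its content hash and by a byte pattern, whatever the file is called. It also illustrates the counting problem from the "Number of Viruses" section: a trivially edited variant (the screen message changed) no longer matches the exact hash but still matches the pattern. The sample bytes, marker string, file names and detection labels are all constructed for the demo.

```python
"""Added example (not from the original page): content-based detection.

A scanner does not need a virus's "name"; it recognizes the bytes. Two
methods are shown: an exact SHA-256 match against a known sample, and a
byte-pattern signature found anywhere in the file. The sample and the
signature database below are constructed for this demo and are harmless.
"""
import hashlib
import os
import tempfile

# Constructed "known sample": a marker plus the message text quoted on the page.
SAMPLE = b"CONSTRUCTED-SAMPLE-MARKER-0001 Your PC is now stoned"

# Detection database keyed by characteristic, not by name. Two vendors could
# label the same entry differently; the bytes are what is actually matched.
HASH_SIGNATURES = {
    hashlib.sha256(SAMPLE).hexdigest(): "Sample.A",
}
PATTERN_SIGNATURES = [
    (b"CONSTRUCTED-SAMPLE-MARKER-0001", "Sample.A (pattern)"),
]


def scan_bytes(data):
    """Return the list of detection labels that apply to file contents."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, label in PATTERN_SIGNATURES:
        if pattern in data:
            hits.append(label)
    return hits


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def scan_directory(root):
    """Scan every file under root; return {path: [labels]} for files with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                results[path] = hits
    return results


def demo():
    """Write a constructed directory of four files and scan it.

    Returns {relative file name: [labels]} for the files that were flagged.
    """
    root = tempfile.mkdtemp()
    samples = {
        # Same bytes under two unrelated names: both must be flagged.
        "report.doc": SAMPLE,
        "setup.com": SAMPLE,
        # Trivially edited variant: different hash, same core pattern.
        "variant.bin": SAMPLE.replace(b"Your PC is now stoned",
                                      b"Donald Duck is a lie!"),
        # Harmless file with an alarming name: must not be flagged.
        "virus.exe": b"just some harmless text\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    found = scan_directory(root)
    return {os.path.relpath(p, root).replace(os.sep, "/"): hits
            for p, hits in found.items()}


if __name__ == "__main__":
    for name, hits in sorted(demo().items()):
        print(name, "->", ", ".join(hits))
```

Note that `virus.exe` is never reported and `report.doc` is reported twice over: the name carries no weight at all. Real products use far richer characteristics than a fixed byte string (which is exactly why polymorphic viruses are a problem for the simplest scanners), but the principle that the label is attached to the match, not the other way round, is the same.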

How? Why? Much as they would like to, the virus writers do not get to name their beasts. Some have tried by putting obvious text into the virus but most of the anti-virus companies tend to ignore such text (mostly to spite the virus writers[smile]). And, any virus writer that insists on a particular name has to identify themselves in the process--something they usually don't want to do. So, the anti-virus companies control the virus naming process. But, that leads to the naming problem.

Viruses come into various anti-virus companies around the world at various times and by various means. Each company analyzes the virus and assigns a name to it for tracking purposes. While there is cooperation between companies when new viruses are identified, that cooperation often takes a back seat to getting a product update out the door so the anti-virus company's customers are protected. This delay allows alternate names to enter the market. Over time these are often standardized or, at least, cross-referenced in listings; but that does not help when the beast makes its first appearance.

This problem/confusion will continue. One practical and well documented example of how it affects a real-world virus listing can be seen at the WildList site on the page...

http://www.wildlist.org/naming.htm

One attempt at bringing some order to the naming problem is Ian Whalley's VGrep. VGrep attempts to collect all of the various virus names and then correlates them into a single searchable list. While useful, there is, again, the lag time necessary to collect and correlate the data.

So, get used to viruses having different names. As Shakespeare said...

What's in a name? That which we call a rose
By any other name would smell as sweet...

Summary

  • Virus naming is a function of the anti-virus companies. This results in different names for new viruses.
  • Different names can cause confusion for the public but not anti-virus software which looks at the virus, not its "name."
  • There are different sites that attempt to correlate the various virus names for you.

 

How Serious Are Viruses?

While serious if you have one, viruses are only one way your data can be damaged. You must be prepared for all threats; many of which are more likely to strike than viruses.

It's important to keep viruses in perspective. There are many other threats to your programs and data that are much more likely to harm you than viruses. A well known anti-virus researcher once said that you have more to fear from a cup of coffee (which may spill) than from viruses. While the growth in number of viruses and introduction of the Microsoft Word® macro viruses and VisualBasic Script worms now puts this statement into question (even though you can avoid these by just not clicking on them to open them!), it's still clear that there are many dangerous occurrences of data corruption from causes other than from viruses.

So, does this mean that viruses are nothing to worry about? Emphatically, no! It just means that it's foolish to spend much money and time on addressing the threat of viruses if you've done nothing about the other more likely threats to your files. Because viruses and worms are deliberately written to invade and possibly damage your PC, they are the most difficult threat to guard against. It's pretty easy to understand the threat that disk failure represents and what to do about it (although surprisingly few people even address this threat). The threat of viruses is much more difficult to deal with. There are no "cures" for the virus problem. One just has to take protective steps with anti-virus software and use some common sense when dealing with unknown files.

Summary

  • While viruses are a serious threat, there are other, probably more serious, threats to your data.
  • If you have not taken precautions (e.g., regular backup) against general threats you have not properly protected your computer.

 
What About Good Viruses?

The general consensus is that there are none.

By definition, viruses do not have to do something bad. An early (and current) virus researcher, Fred Cohen, has argued that good computer viruses are a serious possibility. In fact, he has offered a reward of $1,000 for the first clearly useful virus; but, he hasn't paid yet.

Most researchers, however, take the other side and argue that the use of self-replicating programs is never necessary; the task that needs to be performed can just as easily be done without the replication function.

Vesselin Bontchev has written a paper originally delivered at the 1994 EICAR conference, titled Are "Good" Computer Viruses Still a Bad Idea?. The paper covers all aspects of the topic. As of this writing, the paper is available at:

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

Lest you think others have not been thinking about this, here are some of the proposals (from the above-referenced paper) for a good virus that have not worked out:

  • The "Anti-Virus" Virus. Several people have had the idea to develop an "anti-virus" virus - a virus which would be able to locate other (presumably malicious) computer viruses and remove them.
  • The "File Compressor" Virus. This is one of the oldest ideas for "beneficial" viruses. The idea consists of creating a self-replicating program, which will compress the files it infects, before attaching itself to them.
  • The "Disk Encryptor" Virus. This virus has been published. The idea is to write a boot sector virus, which encrypts the disks it infects with a strong encryption algorithm (IDEA in this particular case) and a user-supplied password to ensure the privacy of the user's data.
  • The "Maintenance" Virus. The idea consists of a self-contained program, which spawns copies of itself across the different machines in a network (thus acting more like a worm) and performing some maintenance tasks on those machines (like deleting temporary files).

All of the above viruses fail one or more of the standard measures typically used to judge if a virus is "good" or not. These are (again, from the above-referenced paper):

  • Technical Reasons
    • Lack of Control. Once released, the person who has released a computer virus has no control on how this virus will spread.
    • Recognition Difficulty. In general it is not always possible to distinguish between a virus and a non-virus program. There is no reason to think that distinguishing between "good" and "bad" viruses will be much easier. Many people are relying on generic anti-virus defenses (e.g., activity monitoring and/or integrity checking) which will trigger a response to changes.
    • Resource Wasting. A computer virus eats up disk space, CPU time, and memory resources during its replication.
    • Bug Containment. A computer virus can easily escape a controlled environment.
    • Compatibility Problems. A computer virus that attaches itself to user programs would disable several programs on the market that perform a checksum on themselves at runtime.
  • Ethical and Legal Reasons
    • Unauthorized Data Modification. It is usually considered unethical to modify other people's data without their authorization. In many countries this is also illegal.
    • Copyright and Ownership Problems. In many cases, modifying a particular program could mean that copyright, ownership, or at least technical support rights for this program are voided.
    • Possible Misuse. An attacker could use a "good" virus as a means of transportation to penetrate a system.
    • Responsibility. Declaring some viruses as "good" and "beneficial" would just provide an excuse to the crowd of irresponsible virus writers to condone their activities and to claim that they are actually doing some kind of "research."
  • Psychological Reasons
    • Trust Problems. Users like to think that they have full control on what is happening in their machine.
    • Negative Common Meaning. For most people, the word "computer virus" is already loaded with negative meaning.

Summary

While frequently discussed, the general consensus is that there is no task that requires a virus.

 
Hardware Threats

Hardware is a common cause of data problems. Power can fail, electronics age, add-in boards can be installed wrong, you can mistype, there are accidents of all kinds, a repair technician can actually cause problems, and magnets you don't know are there can damage disks.

Hardware problems are all too common. We all know that when a PC or disk gets old, it might start acting erratically and damage some data before it totally dies. Unfortunately, hardware errors frequently damage data on even young PCs and disks. Here are some examples.

Power Faults

Your PC is busy writing data to the disk and the lights go out! "Arghhhh!" Is everything OK? Maybe so, maybe not; it's vital to know for sure if anything was damaged.

Other power problems of a similar nature would include brownouts, voltage spikes, and frequency shifts. All can cause data problems, particularly if they occur when data is being written to disk (data in memory generally does not get corrupted by power problems; it just gets erased if the problems are serious enough).

  • Brownout: Lower voltages at electrical outlets. Usually they are caused by an extraordinary drain on the power system. Frequently you will see a brownout during a heat wave when more people than normal have air conditioners on full. Sometimes these power shortages will be "rolling" across the area giving everyone a temporary brownout. Maybe you'll get yours just as that important file is being written to disk.
  • Voltage Spikes: Temporary voltage increases are fairly common. Large motors or circuit breakers in industry can put them on the electrical line. Sudden losses (e.g., a driver hits a power pole) can cause spikes as the circuits balance. An appliance in your home can cause a spike, particularly with older wiring. Lightning can put large spikes on power lines. And, the list goes on. In addition to current backups and integrity information for your software and data files, including a hardware voltage spike protection device between the wall and your computer hardware (don't forget the printer and monitor) can be very helpful.
  • Frequency Shifts: While infrequent, if the line frequency varies from the normal 60 Hertz (or 50 Hertz in some countries), the power supply on the computer can be affected and this, in turn, can reflect back into the computer causing data loss.

Age

It's not magic; as computers age they tend to fail more often. Electronic components are stressed over time as they heat up and cool down. Mechanical components simply wear out. Some of these failures will be dramatic; something will just stop working. Some, however, can be slow and not obvious. Regrettably, it's not a question of "if", but "when" in regard to equipment failure.

Incompatibilities

You can have hardware problems on a perfectly healthy PC if you have devices installed that do not properly share interrupts. Sometimes problems are immediately obvious, other times they are subtle and depend upon certain events to happen at just the wrong time, then suddenly strange things happen! (Software can do this too!)

Finger Faults

(Typos and "OOPS! I didn't mean to do that!")

These are an all too frequent cause of data corruption. This commonly happens when you are intending to delete or replace one file but actually get another. By using wild cards, you may experience a really "wild" time. "Hmmm I thought I deleted all the *.BAK files; but they're still here; something was deleted; what was it? Or was I in the other directory?" Of course if you're a programmer or if you use sophisticated tools like a sector editor, then your fingers can really get you into trouble!

Malicious or Careless Damage

Someone may accidentally or deliberately delete or change a file on your PC when you're not around. If you don't keep your PC locked in a safe, then this is a risk. Who knows what was changed or deleted? Wouldn't it be nice to know if anything changed over the weekend? Most of this type of damage is done unintentionally by someone you probably know. This person didn't mean to cause trouble; they simply didn't know what they were doing when they used your PC.

Typhoid Mary

One major source for computer infections is the Customer Engineer (CE), or repairman. When a CE comes for a service call, they will almost always run a diagnostic program from diskette. It's very easy for these diskettes to become infected and spread the infection to your computer. Sales representatives showing demonstrations via floppy disks are also possibly spreading viruses. Always check your system after other people have placed their floppy disk into it. (Better yet, if you can, check their disk with up-to-date anti-virus software before anything is run.)

Magnetic Zaps

Computer data is generally stored as a series of magnetic changes on disks. While hard disks are generally safe from most magnetic threats because they are encased within the computer compartment, floppy disks are highly vulnerable to magnets. The obvious threat would be to post a floppy disk to the refrigerator with a magnet; but there are many other, more subtle, threats.

Some of the more subtle sources of magnetism include:

  • Computer Monitor. Don't put floppy disks anywhere near the monitor; it generates a magnetic field.
  • Telephone. When ringing, telephones (particularly older phones with a bell) generate a magnetic field.
  • Bottom Desk Drawer. While the desk drawer does not generate a magnetic field, the vacuum cleaner that the maintenance people slide under the desk to clean the floor does.
  • Bottom Bookcase Shelf and File Cabinet Drawer. Same comment as the desk drawer just above.
  • Pets. Pet fur generates a strong electrostatic charge which, if discharged through a disk, can affect files on the disk. Instead of "The dog ate my homework," today it could just as easily be: "The cat sat on my homework."

Bottom line: There are tools to assist in recovery from disk problems, but how do you know all the data is OK? These tools do not always recover good copies of the original files. Active action on your part before disaster strikes is your best defense. It's best to have a good, current backup and, for better protection, a complete up-to-date integrity-check map of everything on your disk.
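The "integrity-check map" recommended above, and the question asked under "Malicious or Careless Damage" (did anything change over the weekend?), can be answered with a very small tool. The following is an added example, not code from the original page or from any product: it records the SHA-256 hash and size of every file under a directory as a baseline, then compares a later snapshot against that baseline and reports what was added, removed or changed. It does not care whether the cause was a typo, a failing disk, another user or malicious code, which is what makes this kind of check a generic defense. The directory contents, file names and the appended bytes are constructed for the demo.

```python
"""Added example (not from the original page): an integrity-check map.

build_map() hashes every file under a directory; compare_maps() reports the
differences between two such maps. Sample files below are constructed.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_map(root):
    """Return {relative path: {"sha256": ..., "size": ...}} for all files under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = {"sha256": file_digest(path),
                            "size": os.path.getsize(path)}
    return entries


def save_map(entries, map_path):
    with open(map_path, "w") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)


def load_map(map_path):
    with open(map_path) as fh:
        return json.load(fh)


def compare_maps(baseline, current):
    """Return (added, removed, changed): sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Baseline a constructed directory, alter it, and report the differences."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    # Friday: take the baseline and keep the map OUTSIDE the checked tree
    # (in practice, on removable or read-only media).
    write("docs/report.doc", b"quarterly figures\n")
    write("bin/tool.com", b"program bytes")
    write("old.bak", b"backup")
    map_path = os.path.join(tempfile.mkdtemp(), "integrity.json")
    save_map(build_map(root), map_path)

    # Monday: an executable grew (bytes appended to it), a file vanished
    # (the wildcard delete from the "Finger Faults" section), a file appeared.
    write("bin/tool.com", b"program bytes" + b" appended")
    os.remove(os.path.join(root, "old.bak"))
    write("docs/notes.txt", b"new file")

    return compare_maps(load_map(map_path), build_map(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

The map must be stored where the same fault or the same intruder cannot rewrite it along with the files, otherwise a check against it proves nothing; comparing hashes rather than timestamps matters for the same reason, since a timestamp is trivially preserved while content is altered.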

Summary

  • There are many different kinds of hardware threats to your data. Some include:
    • Power faults
    • Age
    • Equipment incompatibilities
    • Typos
    • Accidental or deliberate damage
    • The Customer Engineer or friendly salesperson
    • Problems with magnets
  • Active action on your part can help you identify problems and, perhaps, head them off early.

 

Software Threats

Software interactions are a significant source of problems; but these are inadvertent. Software attacks are deliberate and can also be significant.

Software threats can be general problems or an attack by one or more types of malicious programs.

Software Problems

This category accounts for more damage to programs and data than any other. We're talking about non-malicious software problems here, not viruses. Software conflicts, by themselves, are much more likely threats to your PC than virus attacks.

We run our PCs today in a complex environment. There are many resident programs (e.g., anti-virus, video drivers) running simultaneously with various versions of Windows, DOS, BIOS, and device drivers. All these programs execute at the same time, share data, and are vulnerable to unforeseen interactions between each other. Naturally, this means that there may be some subtle bugs waiting to "byte" us. Any time a program goes haywire, there's the risk it may damage information on disk.

There's the further problem that not all programs do what we hope they will. If you have just undeleted a file, you don't really know if all the correct clusters were placed back in the right order. When SCANDISK "fixes" your disk for you, you have no way of knowing exactly what files it changed to do its job. It becomes even more complex if you use other utilities to do similar tasks.

Software problems happen and can be very serious if you have not taken appropriate action in advance of the problem.

Software Attacks

These are programs written deliberately to vandalize someone's computer or to use that computer in an unauthorized way. There are many forms of malicious software; sometimes the media refers to all malicious software as viruses. This is not correct and it's important to understand the distinction between the various types as it has some bearing on how you react to the attack. The discussions that follow attempt to make clear distinctions between malicious software types. Realize that often a malicious program may have characteristics of more than one of these types (e.g., a virus that attacks files but also spreads itself across a network). Don't get wrapped up in the semantics, just try to understand the major differences.

In addition to viruses, the main thrust of this tutorial, there are:

  • Logic Bombs. Just like a real bomb, a logic bomb will lie dormant until triggered by some event.
  • Trojans. These are named after the Trojan horse, which delivered soldiers into the city of Troy.
  • Worms. A worm is a self-reproducing program that does not infect other programs as a virus will, but instead creates copies of itself, that create even more copies.

Summary

  • Non-malicious software problems can be a significant source of problems and one should always know their computer's exact configuration to be prepared.
  • Malicious software falls into several general categories:
    • Logic bombs
    • Trojans
    • Worms
    • Viruses

That's the end of the introduction. Now for the detail...

 


Web Page Designed By  ADAM
Copyright © 1981 - 2008
MINDPRIDE CONSULTING All rights reserved.
Revised: November 21, 2007