VIRUS PROTECTION AND REMOVAL III
VIRUS PROTECTION AND REMOVAL
Finding a virus on your system may not be easy; they
often don't cooperate. Using anti-virus tools is important.
A virus may or may not present itself. Viruses attempt to spread before
activating whatever malicious activity they may have been programmed to deliver.
So, viruses will often try to hide themselves.
Sometimes there are symptoms that can be observed
by a trained casual observer who knows what to look for (but, don't count on
Virus authors often place a wide variety of indicators into their viruses
(e.g., messages, music, graphic displays). These, however, typically only show
up when the virus payload activates. With DOS systems, the unaccounted for
reduction of the amount of RAM known to be in the computer
is an important indicator resident viruses have a hard time getting
around. But, under Windows, there is no clear indicator like that.
The bottom line is that one must use anti-virus software
to detect (and fix) most viruses.
Your main defense is to detect and identify specific virus attacks to your
computer. There are three methods in general use. Each has pros and cons and are
discussed via these links. Often, a given anti-virus software program will use
some combination of the three techniques for maximum possibility of detection.
In a more general sense, check here for some ideas about using the
above-referenced methods and other useful information:
Another line of defense is continuing education. Click below to see some
sources of on-going information.
- Viruses, by design, are hard to find using standard tools. SCANDISK and
MEM can help, but don't rely on them to find viruses and never rely on DOS
commands to eliminate a virus.
- Anti-virus software helps using techniques of:
- Integrity Checking
- You can help by taking some common sense precautions and keeping educated.
Scanning looks for known viruses by a signature or
characteristics that make new viruses similar to existing viruses. This
requires that anti-virus makers and users keep products up to date.
Once a virus has been detected, it is possible to write scanning programs
that look for telltale code (signature strings) characteristic of the virus. The
writers of the scanner extract identifying strings from the virus. The scanner
uses these signature strings to search memory, files, and system sectors. If the
scanner finds a match, it announces that it has found a virus.
This obviously detects only known, pre-existing, viruses.
Many so-called "virus writers" create "new" viruses by modifying existing
viruses. This takes only a few minutes but creates what appears to be a new
virus. It happens all too often that these changes are simply to fool the
scanners. (Please use the above as "concept" information. Writing a scanner
today is quite a bit more complex.)
Note: Newer scanners often employ several detection techniques in
addition to signature recognition. Among the most common of these is a form of
code analysis. The scanner will actually examine the code at various locations
in an executable file and look for code characteristic of a virus (e.g., a jump
to a non-standard location, etc.). A second possibility is that the scanner will
set up a virtual computer in RAM and actually test programs by running them in
this virtual space and observing what they do. These
techniques are often lumped under the general name "heuristic" scanning.
Such scanners may also key off of code fragments that appear similar to, but not
exactly the same as, known viruses.
The major advantage of scanners is that they allow you
to check programs before they are executed. Scanners provide the easiest
way to check new software for known or suspected viruses. Since they have been
aggressively marketed and since they provide what appears to be a simple
painless solution to viruses, scanners are the most widely-used anti-virus
Too many people seem to regard "anti-virus product" and "scanner" as
synonymous terms. The peril here is that if too many
people depend solely upon scanners, newly created viruses will spread totally
unhindered causing considerable damage before the scanners catch up with
the viruses. An example of this was the attack by the Maltese Amoeba (Irish)
virus in the UK. This virus was not detected prior to its destructive activation
on November 1, 1991. Prior to its attack, it had managed to spread quite widely
and none of the existing (mostly scanner-based) products detected this virus.
According to the December 1991 Virus Bulletin:
Prior to November 2nd, 1991, no commercial or shareware scanner (of
which VB has copies) detected the Maltese Amoeba virus. Tests showed that not
ONE of the major commercial scanners in use ... detected this virus.
This indicates the potential hazard of depending upon scanner technology for
complete virus protection. (More recent examples have been fast-spreading
viruses that also act like worms [e.g., Melissa].
Anti-virus software makers react rapidly to these threats but there is still
some delay and users have to be constantly alert.)
Another major drawback to scanners is that it's
dangerous to depend upon an old scanner. With the dramatic increase in
the number of viruses appearing, it's risky to depend upon anything other than
the most current scanner. Even that scanner is necessarily a step behind the
latest crop of viruses since there's a lot that has to happen before the scanner
- The virus has to be detected somehow to begin with. Since the existing
scanners won't detect the new virus, it will have some time to spread before
someone detects it by other means.
- The newly-discovered virus must be sent to programmers to analyze and
extract a suitable signature string or detection algorithm. This must then be
tested for false positives on legitimate programs.
- The "string" must then be incorporated into the next release of the virus
- The virus scanner or detection database must be distributed to the
In the case of retail software, the software must be sent to be packaged, to
the distributors, and then on to the retail outlets. Commercial retail software
takes so long to get to the shelves, that it is almost certainly out of date.
Virtually all product makers today provide some way to obtain updates via the
Internet in order to help speed up the update process.
If you depend upon a scanner, be sure to get the latest
version directly from the maker. Also, be sure that
you boot from a clean write-protected copy of DOS before running the scanner for
the first time at least; there's a good chance that the scanner can
detect a resident virus in memory, but if it misses the virus in memory, the
scanner will wind up spreading the virus rather than detecting it. Every
susceptible program on your disk could be infected in a matter of minutes this
way! (See Fast and Slow
One possible defect of scanners you might run into are termed "ghost"
When DOS/Windows reads from a disk it does not read exactly what is
requested; it also reads a bit ahead so that when the next read request comes in
DOS may just have the material needed in a memory buffer and it can be provided
much faster. Likewise, when a scanner reads files it has to compare each with
the detection database. These are stored in memory.
If, after scanning, the scanner does not clear its buffers in memory and you
immediately run a second scanner then the second scanner may see the first
scanner's strings in memory and if it uses the same string(s) could identify
that virus as being in memory.
This is why it's important to run your scanner (or
other anti-virus product) after a cold boot. One of the features of a
cold boot is a complete memory check and this check overwrites all of memory,
clearing out all false traces of viruses.
Despite the most extensive testing it is possible that
a scanner will present false alarms (i.e., indicate a file as infected
when it really is not). You will usually note this just after an update where a
file you've had on your system suddenly shows up as infected. If it's a single
file, previously clean, that exhibits this characteristic you can rest a bit
easier; but you should nevertheless check with your anti-virus software maker.
Testing a Scanner
You don't need a virus to test the installation of a scanner. Most good
scanners today are programmed to detect a standard test file called the EICAR
test file. You can easily make this test file. Simply type or copy the following
string into a text editor like Notepad:
Now save that file under the name EICAR.COM. This is an actual program that,
when run, will display the text EICAR-STANDARD-ANTIVIRUS-TEST-FILE!
and, when scanned, should activate your anti-virus program.
Note: This is not a virus. It is
simply a file designed to activate the detection routines in scanners that
support it. (Some suggest you need a "good" virus to test scanners. The problem
is that to adequately test a scanner you need a virus "zoo" and have to install
each virus in the zoo and test against it. This is something few users would
want to do. The EICAR test file tests the installation of anti-virus software
and that should be sufficient.)
- Scanning depends on prior knowledge of a virus in order to detect it. This
is done by recognizing some sort of signature that represents the virus or
some program characteristic that indicates a virus may be present.
- Scanners allow you to check programs before execution. That is their main
- Scanners need to be regularly updated. Don't depend on an old scanner.
- Some viruses attempt to defeat scanners by changing their code on the fly.
Current scanners attempt to analyze code on the fly as a way of countering
- Never run two scanners in a row without cold booting to clear memory
between. If you do, you may find "ghost" positives.
Integrity products record information about your system
for later comparison in order to detect changes. Just detecting changes is
not enough, however; the detection must have some "intelligence" behind it
to avoid confusion.
Integrity checking products work by reading your entire disk and recording
integrity data that acts as a signature for the files and system sectors. An
integrity check program with built-in intelligence is the only solution that can
handle all the threats to your data as well as viruses.
Integrity checkers also provide the only reliable way to
discover what damage a virus has done.
So, why isn't everyone using an integrity checker? In fact, many anti-virus
products now incorporate integrity checking techniques. One problem with many
products is that they don't use these techniques in a comprehensive way. There
are still too many things not being checked.
Some older integrity checkers were simply too slow or hard to use to be truly
effective. A disadvantage of a bare-bones integrity
checker is that it can't differentiate file corruption caused by a bug from
corruption caused by a virus. Advanced integrity checkers that
incorporate the capability to analyze the nature of the changes and recognize
changes caused by a virus have become available. Some integrity checkers now use
other anti-virus techniques along with integrity checking to improve their
intelligence and ease of use.
If you choose an integrity checker, be sure it has all these features:
- It's easy to use with clear, unambiguous reports and built-in help.
- It hides complexity, so that complicated details of system file or system
sector changes are only presented if they contain information the user must
- The product recognizes the various files on the PC so it can alert the
user with special warnings if vital files have changed.
- It's fast. An integrity checker is of no use if it's too slow.
- It recognizes known viruses, so the user doesn't have to do all the work
to determine if a change is due to a software conflict, or if it's due to a
virus. This also helps protect the integrity checker against attacks by
viruses directed at it.
- It's important that the integrity computation be more sophisticated than a
mere checksum. Two sectors may get reversed in a file or other damage may
occur that otherwise rearranges data in a file. A simple checksum will not
detect these changes. A cryptographic computation
technique is best.
- It's comprehensive. Some integrity checkers, in order to improve their
speed, don't read each file in its entirety. They read only portions of larger
files. They just spot check. This is unacceptable; it's important to know the
file hasn't changed, not just that some of the file hasn't changed.
- It checks and restores both boot and partition sectors. Some programs
check only files.
- For protection, it should have safety features built in (e.g., ability to
define the signature information file name and store the information on a
While using an integrity checker is an excellent way to monitor changes to
your system, with today's operating systems so many files change on a regular
basis it's imperative that you also use a good up-to-date scanner along with the
integrity checker or for the integrity checker to have that capability built in.
- Integrity checking products read the disk and create signature information
to determine changes.
- Coupled with virus identification, using integrity checking should be able
to detect most any virus with the bonus of also detecting data corruption.
Monitoring for system-level routines that perform
destructive acts can help, but such monitoring is fairly easily bypassed. Do
not depend on it alone.
Interceptors (also known as resident monitors) are particularly useful for
logic bombs and
The interceptor monitors operating system requests that write to disk or do
other things that the program considers threatening (such as installing itself
as a resident program). If it finds such a request, the interceptor generally
pops up and asks you if you want to allow the request to continue.
There is, however, no reliable way to intercept direct
branches into low level code or to intercept direct input and output
instructions done by the virus itself. Some viruses even manage to
disable the monitoring program itself. Indeed, for one widely-distributed
anti-virus program several years back it only took eight bytes of code to turn
its monitoring functions off.
It is important to realize that monitoring is a risky
technique. Some products that use this technique are so annoying to use
(due to their frequent messages popping up) that some users consider the cure
worse than the disease!
- Interceptors are useful for some simple logic bombs and Trojans.
- It would be unwise to depend entirely upon behavior monitors as they are
AV Product Use Guidelines
First, understand how your anti-virus product works.
Then, start with a known-clean computer and follow specific steps to assure
good virus detection/protection. Do research on specific products before
Most modern anti-virus products use a combination of techniques. However,
they still get almost all of their protection from their scanner component. It's
vital to understand exactly how your product works so that you understand what
type of protection you really have (you might want to review the comments about
scanning, interception, and integrity checking on other tutorial pages). Here
are some rules that will help you make sure that you get maximum protection out
of whatever product you have:
- First, you should check your computer's setup
information to make certain that the boot sequence starts with the floppy
drive. If you don't, and it starts with the hard drive then any boot
sector virus on your computer will gain control before you run the anti-virus
program(s). To get to the BIOS setup you will typically have to press a key or
keystroke combination during the time the BIOS is checking the computer's
memory. Once in setup you can check the boot sequence (one of the techniques
used to protect against boot sector viruses on floppy disks is to set the boot
sequence to check the hard drive first--but if this is set then you won't be
able to boot from a clean floppy as indicated below; thus, this check).
- Be sure to cold boot your PC from a write-protected
diskette before virus checking, particularly if you suspect you have a virus.
Most anti-virus products make this recommendation, but this rarely gets done
because the recommendation is often buried in some obscure location in the
documentation. If your PC's memory is infected with a virus that your scanner
does not recognize, you could infect all the programs on your disk if you do
not boot from a clean disk. Don't take this chance; boot from a
write-protected diskette before you scan. (In some cases, the AV product might
come with a bootable CD-ROM instead. If so, then set the BIOS default to boot
from the CD and use that disc.)
- If you are using a product which depends mostly on its scanner component,
make sure that you always have the latest version.
Scanners are often frequently updated (one AV program vendor says they update
files on the Internet hourly if needed).
- Before you execute or install any new software,
check it first (yes, commercial software has come from the factory
infected). If it comes with an install program, check
again after you install the software; an install program will
frequently change or decompress executable programs. After you first execute
brand new software do an additional check of your system to make sure
everything is as it should be.
- If your product contains a scanner component, check
all diskettes brought in from another location;
even data diskettes! Inevitably someone will leave a data diskette in
their A: drive, potentially spreading a boot sector virus if the diskette is
infected (assuming you have not reset the boot sequence back to booting from
the hard disk first).
- If the anti-virus software has a component that installs under Windows in
order to scan all files before they are opened by all means install that
component. This is a valuable service that is well worth the small amount of
slowdown and resource use you will experience.
What's the best anti-virus product?
The simple answer is that there is no definite answer to the question! For
one thing, a "good" anti-virus product integrates well with your particular
system and system setup. If you are on a network with diskless workstations, for
example, you might want to install the anti-virus software on the server. If you
don't regularly exchange or download files you might find a less intrusive
anti-virus product more to your liking. And so on.
Relying on magazine articles is also not the best way to decide upon an
anti-virus product. Valid testing requires special setups to make certain
products are being tested against real viruses under conditions those viruses
might be found (e.g., it would not be a particularly useful test to place boot
sector viruses into zip archives and then testing an anti-virus product against
One measure of anti-virus software is ICSA approval. To obtain this approval
a scanner must detect all viruses on the current version of the Wild List in
addition to 90% of the full NCSA test suite. You can obtain more information
about this at:
If you want to try an anti-virus product, many producers have evaluation
versions at their web site.
- Understand your anti-virus product and what you can expect from it.
- Check setup to be certain you are booting from the floppy disk and then
cold boot from a known-clean, write-protected diskette.
- Scan only with the latest version of any scanner.
- Check all new software and all data diskettes before use and again after
- Install any scan-on-use component your anti-virus product may have.
- Do a bit of research and look for certification when you purchase
There is currently a big push toward relying heavily on
recognizing "bad" file extensions and acting solely on this knowledge.
That's not necessarily a good thing as extensions can be misleading.
One of the most asked questions lately is "What extensions should I scan
and/or watch for in E-mail attachments?" While a valid question,
some caveats must be attached to the answer.
First, it's important to note that over time Microsoft (and others) appear to
be working toward making file extensions as the sole indicator of file content
and creator unnecessary. This already exists on the
Macintosh where the file creator information is in the file itself so the file
name and extension is no indicator at all of the type of file.
Such behavior is starting to appear under Windows as well. Microsoft Word,
for example, will actually examine a file it's asked to open and, despite the
name ending in .DOC, if the file is a template file will open the file as a
template (.DOT) file instead. Some Word macro viruses take advantage of this
characteristic and save infected files in template format with a .DOC extension.
Another variant of this behavior on Windows computers would be the
file which actually can contain most anything from simple text to complex
programs. When opened, the operating system determines what the content is and
Finally, there is the issue of double extensions.
To make your viewing easier, Windows offers the option of turning off the
viewing of file extensions. If you do that, however, you can easily be fooled by
files with double extensions. Most everyone has been conditioned, for example,
that the extension .TXT is safe as it indicates a pure text file. But, with
extensions turned off if someone sends you a file named BAD.TXT.VBS you will
only see BAD.TXT. If you've forgotten that extensions are actually turned off
you might think this is a text file and open it. Instead, this is really an
executable VisualBasic Script file and could do serious damage. For now you
should always have viewing extensions turned on. Here's how...
In Windows 98 double click to open "My Computer" and then select "View"|"Folder
Options". Select the "View" tab and then scroll down to the entry that says
"Hide file extensions for known file types" and make certain it's not checked.
Click OK and then close the My Computer window. With this move you will now see
extensions in file directory windows and the option will be picked up by other
Microsoft programs like Outlook.
So, with the thought in mind that file extensions are likely being phased out
over time and can be spoofed, here are some to watch out for ("?" represents any
||Windows Enhanced Mode Driver. A device
driver is executable code and, as such, can be infected and should be
||Microsoft Access Project Extension. Use
of macros makes this vulnerable.
||Microsoft Access Project. Use of macros
makes this vulnerable.
||Abstract Data Type. According to
Symantec these are database-related program files.
||Application File. Associated with a
variety of programs; these files interact with such things as database
programs to make them look like standalone programs.
||Active Server Page. Combination program
and HTML code.
||Microsoft Visual Basic Class Module.
These are programs.
||Batch File. These are text files that
contain system commands. There have been a few batch file viruses but they
are not common.
||Binary File. Can be used for a variety
of tasks and usually associated with a program. Like an overlay file it's
possible to infect .BIN files but not usually likely.
||4DOS Batch To Memory Batch File. Batch
file that could be infected.
||Computer Based Training. It's never been
made clear why or how these can become infected but Symantec includes them
in their default listing.
||Compiled HTML Help File. Use of
scripting makes these vulnerable.
|Java Class File. Java applets are
supposed to be run in a "sandbox" and thus be isolated from the system.
However, users can be tricked into running an applet in a mode that the
sandbox considers "secure" so Class files should be scanned.
||Windows NT Command Script. A batch file
||Command (Executable File). Any
executable file can be infected in a variety of ways.
||Control Panel Extension. Similar to a
device driver which is executable code and, as such, can be infected and
should be scanned.
||Security Certificate. Can have code
associated with it.
||Corel Script File. A type of script file
that is executable. Any executable should be scanned.
||Hypertext Cascading Style Sheet. Style
sheets can contain code.
||Dynamic Link Library. Can be used for a
variety of tasks associated with a program. DLLs typically add functions to
programs. Some contain executable code; others simply contain functions or
data but you can't tell by looking so all DLLs should be scanned.
||MS Word Document. Word documents can
contain macros that are powerful enough to be used for viruses and worms.
||MS Word Document Template. Word
templates can contain macros that are powerful enough to be used for viruses
||Device Driver. A device driver is
executable code and, as such, can be infected and should be scanned.
|MS Outlook Express E-mail. E-mail
messages can contain HTML and scripts. Many viruses and worms use this
||Executable File. Any executable file can
be infected in a variety of ways.
||Font. Believe it or not, a font file can
have executable code in it and therefore can be infected.
||Help File. Help files can contain
macros. They are not a common vector but have housed a Trojan or two.
||HTML Program. Can contain scripts.
|Hypertext Markeup Language. HTML files
can contain scripts which are more and more becoming vectors.
||Setup Information. Setup scripts can be
changed to do unexpected things.
||Initialization File. Contains program
||Internet Naming Service. Can be changed
to point unexpected places.
||Internet Communication Settings. Can be
changed to point unexpected things.
vectors more often it's best to scan them. (.JSE is encoded. Also keep in
mind that these can have other, random, extensions!)
||Library. In theory, these files could be
infected but to date no LIB-file virus has been identified.
||Link. Can be changed to point to
||MS Access Database or MS Access
Application. Access files can contain macros that are powerful enough to
be used for viruses and worms.
||Microsoft Access MDE database. Macros
and scripts make this vulnerable.
|MHTML Document. This is an archived Web
page. As such it can contain scripts which can be infected.
||MP3 Program. While actual music files
cannot be infected, files with .mp3 extensions can contain macro code that
the Windows or RealNetwork media players will interpret and run. So, .mp3
files have expanded beyond pure music.
||Math Script Object. According to
Symantec these are database-related program files.
||Microsoft Common Console Document. Can
be changed to point to unexpected places.
||Microsoft Windows Installer Package.
||Microsoft Windows Installer Patch.
||Microsoft Visual Test Source Files.
Source can be changed.
||Relocatable Object Code. Files
associated with programs.
||Object Linking and Embedding (OLE) Control
Extension. A program that can be downloaded from a Web page.
||Program File Overlay. Can be used for a
variety of tasks associated with a program. Overlays typically add functions
to programs. It's possible to infect overlay files but not usually likely.
||Photo CD MS Compiled Script. Scripts are
||Program File. Associated with a variety
of programs; these files interact with such things as database programs to
make them look like standalone programs.
||MS-DOS Shortcut. If changed can run
||MS PowerPoint Presentation. PowerPoint
presentations can contain macros that are powerful enough to be used for
viruses and worms.
||Palmpilot Resource File. A PDA program
(yes, there are rare PDA viruses).
||Registry Entries. If run these change
||Rich Text Format. A format for
transmitting formatted text usually assumed to be safe. Binary (and
infected) objects can be embedded within RTF files, however, so, to be safe,
they should be scanned. RTF files can also be DOC files renamed and Word
will open them as DOC files.
||Screen Saver or Script. Screen
savers and scripts are both executable code. As such either may contain a
virus or be used to house a worm or Trojan.
||Windows Script Component. Scripts can be
|Shell Scrap Object File. A scrap file
can contain just about anything from a simple text file to a powerful
executable program. They should generally be avoided if one is sent to you
but are routinely used by the operating system on any single system.
||Ami Pro Macro. Rare, but can be
||Source Code. These are program files
that could be infected by a source code virus (these are rare). Unless you
are a programmer these likely won't be a concern. Extensions include, but
are not limited to: .ASM, .C, .CPP, .PAS, .BAS, .FOR.
||System Device Driver. A device driver is
executable code and, as such, can be infected and should be scanned.
||Internet Shortcut. Can send you to any
unexpected Web location.
|VBScript File. Scripts can be infected.
(.VBE is encoded.)
||Visual Basic Script. A script file may
contain a virus or be used to house a worm or Trojan.
||Virtual Device Driver. A device driver
is executable code and, as such, can be infected and should be scanned.
||Windows Script Component. Scripts can be
||Windows Script File. Scripts can be
||Windows Script Host Settings File.
Settings can be changed to do unexpected things.
||MS Excel File. Excel worksheets can
contain macros that are powerful enough to be used for viruses and worms.
The above listing has been derived from the default extension lists of
various anti-virus programs and from discussions in virus-related newsgroups. It
should not be taken as an absolute however. Some viruses/worms have been spread
in files with no extension and, as noted, an extension does not necessarily
guarantee a particular file type. The meaning for extensions not listed here
might be found at http://filext.com/.
The safe option is to allow anti-virus software to scan
- While extensions are often touted as being accurate indicators of files
that can be infected, history shows they are not. Additionally, they can be
spoofed in a variety of ways.
- The safe option is to allow anti-virus software to scan all files.
VIRUS PROTECTION AND REMOVAL