VIRUS PROTECTION AND REMOVAL III

 

Virus Protection

Finding a virus on your system is not always easy; viruses are written to avoid being noticed. Using anti-virus tools is important.

A virus may or may not reveal itself. Viruses attempt to spread before activating whatever malicious activity they may have been programmed to deliver, so they will often try to hide. Sometimes there are symptoms that an observer who knows what to look for can notice (but don't count on it).

Virus authors often place a wide variety of indicators into their viruses (e.g., messages, music, graphic displays). These, however, typically only show up when the virus payload activates. On DOS systems, an unaccounted-for reduction in the amount of RAM known to be in the computer is an important indicator that resident viruses have a hard time getting around. Under Windows there is no clear indicator like that. The bottom line is that one must use anti-virus software to detect (and fix) most viruses.

Your main defense is to detect and identify specific virus attacks on your computer. There are three methods in general use: scanning, integrity checking and interception. Each has pros and cons, discussed in the sections that follow. Often a given anti-virus program will use some combination of the three techniques for the best chance of detection.

The AV Product Use Guidelines section further down gives some ideas about using these methods, along with other useful information.

Another line of defense is continuing education: keep up with ongoing sources of virus information.

Summary

  • Viruses, by design, are hard to find using standard tools. SCANDISK and MEM can help, but don't rely on them to find viruses and never rely on DOS commands to eliminate a virus.
  • Anti-virus software helps using techniques of:
    • Scanning
    • Interception
    • Integrity Checking
  • You can help by taking some common sense precautions and keeping educated.

 

Scanning

Scanning looks for known viruses by a signature or characteristics that make new viruses similar to existing viruses. This requires that anti-virus makers and users keep products up to date.

Once a virus has been detected, it is possible to write scanning programs that look for telltale code (signature strings) characteristic of the virus. The writers of the scanner extract identifying strings from the virus. The scanner uses these signature strings to search memory, files, and system sectors. If the scanner finds a match, it announces that it has found a virus. This obviously detects only known, pre-existing, viruses. Many so-called "virus writers" create "new" viruses by modifying existing viruses. This takes only a few minutes but creates what appears to be a new virus. It happens all too often that these changes are simply to fool the scanners. (Please use the above as "concept" information. Writing a scanner today is quite a bit more complex.)

Note: Newer scanners often employ several detection techniques in addition to signature recognition. Among the most common of these is a form of code analysis. The scanner will actually examine the code at various locations in an executable file and look for code characteristic of a virus (e.g., a jump to a non-standard location, etc.). A second possibility is that the scanner will set up a virtual computer in RAM and actually test programs by running them in this virtual space and observing what they do. These techniques are often lumped under the general name "heuristic" scanning. Such scanners may also key off of code fragments that appear similar to, but not exactly the same as, known viruses.

The major advantage of scanners is that they allow you to check programs before they are executed. Scanners provide the easiest way to check new software for known or suspected viruses. Since they have been aggressively marketed and since they provide what appears to be a simple painless solution to viruses, scanners are the most widely-used anti-virus product.

Too many people seem to regard "anti-virus product" and "scanner" as synonymous terms. The peril here is that if too many people depend solely upon scanners, newly created viruses will spread totally unhindered causing considerable damage before the scanners catch up with the viruses. An example of this was the attack by the Maltese Amoeba (Irish) virus in the UK. This virus was not detected prior to its destructive activation on November 1, 1991. Prior to its attack, it had managed to spread quite widely and none of the existing (mostly scanner-based) products detected this virus.

According to the December 1991 Virus Bulletin:

Prior to November 2nd, 1991, no commercial or shareware scanner (of which VB has copies) detected the Maltese Amoeba virus. Tests showed that not ONE of the major commercial scanners in use ... detected this virus.

This indicates the potential hazard of depending upon scanner technology for complete virus protection. (More recent examples have been fast-spreading viruses that also act like worms [e.g., Melissa]. Anti-virus software makers react rapidly to these threats but there is still some delay and users have to be constantly alert.)

Another major drawback to scanners is that it's dangerous to depend upon an old scanner. With the dramatic increase in the number of viruses appearing, it's risky to depend upon anything other than the most current scanner. Even that scanner is necessarily a step behind the latest crop of viruses since there's a lot that has to happen before the scanner is ready:

  • The virus has to be detected somehow to begin with. Since the existing scanners won't detect the new virus, it will have some time to spread before someone detects it by other means.
  • The newly-discovered virus must be sent to programmers to analyze and extract a suitable signature string or detection algorithm. This must then be tested for false positives on legitimate programs.
  • The "string" must then be incorporated into the next release of the virus scanner.
  • The virus scanner or detection database must be distributed to the customer.

In the case of retail software, the software must be sent to be packaged, to the distributors, and then on to the retail outlets. Commercial retail software takes so long to get to the shelves, that it is almost certainly out of date. Virtually all product makers today provide some way to obtain updates via the Internet in order to help speed up the update process.

If you depend upon a scanner, be sure to get the latest version directly from the maker. Also, be sure that you boot from a clean write-protected copy of DOS before running the scanner for the first time at least; there's a good chance that the scanner can detect a resident virus in memory, but if it misses the virus in memory, the scanner will wind up spreading the virus rather than detecting it. Every susceptible program on your disk could be infected in a matter of minutes this way! (See Fast and Slow Infectors.)

Ghost Positives

One possible defect of scanners you might run into are termed "ghost" positives.

When DOS/Windows reads from a disk it does not read exactly what is requested; it also reads a bit ahead so that when the next read request comes in DOS may just have the material needed in a memory buffer and it can be provided much faster. Likewise, when a scanner reads files it has to compare each with the detection database. These are stored in memory.

If, after scanning, the scanner does not clear its buffers in memory and you immediately run a second scanner then the second scanner may see the first scanner's strings in memory and if it uses the same string(s) could identify that virus as being in memory.

This is why it's important to run your scanner (or other anti-virus product) after a cold boot. One of the features of a cold boot is a complete memory check and this check overwrites all of memory, clearing out all false traces of viruses.

False Alarms

Despite the most extensive testing it is possible that a scanner will present false alarms (i.e., indicate a file as infected when it really is not). You will usually note this just after an update where a file you've had on your system suddenly shows up as infected. If it's a single file, previously clean, that exhibits this characteristic you can rest a bit easier; but you should nevertheless check with your anti-virus software maker.

Testing a Scanner

You don't need a virus to test the installation of a scanner. Most good scanners today are programmed to detect a standard test file called the EICAR test file. You can easily make this test file. Simply type or copy the following string into a text editor like Notepad:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now save that file under the name EICAR.COM. The string must be the first 68 bytes of the file (trailing whitespace is tolerated, but the whole file must be no more than 128 bytes). This is an actual program that, when run under DOS, displays the text EICAR-STANDARD-ANTIVIRUS-TEST-FILE! and, when scanned, should trigger your anti-virus program. If your product has an on-access component it may quarantine or delete the file the moment you save it; that, too, is a successful test.

Note: This is not a virus. It is simply a file designed to activate the detection routines in scanners that support it. (Some suggest you need a "good" virus to test scanners. The problem is that to adequately test a scanner you need a virus "zoo" and have to install each virus in the zoo and test against it. This is something few users would want to do. The EICAR test file tests the installation of anti-virus software and that should be sufficient.)
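To make the signature idea concrete, here is a small string scanner, added as an example for this page (it is not code from the original tutorial or from any anti-virus vendor). It writes the EICAR test file described above, then searches files for byte-string signatures the way an early scanner did, reading in chunks and keeping an overlap so a signature that straddles a chunk boundary is still found. The detection database, the sample directory and the second signature ("Example.HypotheticalSig") are constructed for the example.

```python
import os
import tempfile

# The EICAR test string from the text above (68 bytes). The doubled
# backslash is Python syntax; the file on disk contains a single "\".
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed detection database: detection name -> signature bytes.
# Real products use far more than raw strings (see the heuristics note),
# but the matching step is the same idea.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Example.HypotheticalSig": b"THIS-IS-A-MADE-UP-SIGNATURE",  # hypothetical
}


def write_eicar(directory):
    """Create EICAR.COM in `directory` exactly as the text describes."""
    path = os.path.join(directory, "EICAR.COM")
    with open(path, "wb") as f:
        f.write(EICAR)
    return path


def scan_file(path, signatures=SIGNATURES, chunk_size=64 * 1024):
    """Return the sorted detection names whose signature occurs in the file.

    The file is read in chunks; the last (longest signature - 1) bytes of the
    previous chunk are carried over so a match spanning two chunks is found.
    """
    longest = max(len(sig) for sig in signatures.values())
    hits = set()
    carry = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            window = carry + chunk
            for name, sig in signatures.items():
                if sig in window:
                    hits.add(name)
            carry = window[-(longest - 1):] if longest > 1 else b""
    return sorted(hits)


def scan_tree(root, signatures=SIGNATURES, chunk_size=64 * 1024):
    """Scan every file under `root`; return {relative path: hits} for
    files with at least one detection."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, signatures, chunk_size)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def demo():
    """Constructed sample directory, scanned with a tiny chunk size so the
    chunk-boundary handling is actually exercised."""
    with tempfile.TemporaryDirectory() as root:
        write_eicar(root)
        with open(os.path.join(root, "CLEAN.TXT"), "wb") as f:
            f.write(b"nothing to see here\n")
        # 40 bytes of padding pushes the 27-byte signature across a
        # 48-byte chunk boundary.
        with open(os.path.join(root, "PADDED.BIN"), "wb") as f:
            f.write(b"A" * 40 + SIGNATURES["Example.HypotheticalSig"] + b"B" * 10)
        return scan_tree(root, chunk_size=48)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Running this on a machine with a real on-access scanner will trip that scanner the instant EICAR.COM is written, which is the point of the test file; the report then shows EICAR.COM and PADDED.BIN flagged and CLEAN.TXT silent.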

Summary

  • Scanning depends on prior knowledge of a virus in order to detect it. This is done by recognizing some sort of signature that represents the virus or some program characteristic that indicates a virus may be present.
  • Scanners allow you to check programs before execution. That is their main advantage.
  • Scanners need to be regularly updated. Don't depend on an old scanner.
  • Some viruses attempt to defeat scanners by changing their code on the fly. Current scanners attempt to analyze code on the fly as a way of countering this.
  • Never run two scanners in a row without cold booting to clear memory between. If you do, you may find "ghost" positives.

 

Integrity Checking

Integrity products record information about your system for later comparison in order to detect changes. Just detecting changes is not enough, however; the detection must have some "intelligence" behind it to avoid confusion.

Integrity checking products work by reading your entire disk and recording integrity data that acts as a signature for the files and system sectors. An integrity check program with built-in intelligence is the only solution that can handle all the threats to your data as well as viruses. Integrity checkers also provide the only reliable way to discover what damage a virus has done.

So, why isn't everyone using an integrity checker? In fact, many anti-virus products now incorporate integrity checking techniques. One problem with many products is that they don't use these techniques in a comprehensive way. There are still too many things not being checked.

Some older integrity checkers were simply too slow or hard to use to be truly effective. A disadvantage of a bare-bones integrity checker is that it can't differentiate file corruption caused by a bug from corruption caused by a virus. Advanced integrity checkers that incorporate the capability to analyze the nature of the changes and recognize changes caused by a virus have become available. Some integrity checkers now use other anti-virus techniques along with integrity checking to improve their intelligence and ease of use.

If you choose an integrity checker, be sure it has all these features:

  • It's easy to use with clear, unambiguous reports and built-in help.
  • It hides complexity, so that complicated details of system file or system sector changes are only presented if they contain information the user must act upon.
  • The product recognizes the various files on the PC so it can alert the user with special warnings if vital files have changed.
  • It's fast. An integrity checker is of no use if it's too slow.
  • It recognizes known viruses, so the user doesn't have to do all the work to determine if a change is due to a software conflict, or if it's due to a virus. This also helps protect the integrity checker against attacks by viruses directed at it.
  • It's important that the integrity computation be more sophisticated than a mere checksum. Two sectors may get reversed in a file, or other damage may occur that rearranges data in a file, and a simple checksum will not detect such changes. A cryptographic hash is best.
  • It's comprehensive. Some integrity checkers, in order to improve their speed, don't read each file in its entirety. They read only portions of larger files. They just spot check. This is unacceptable; it's important to know the file hasn't changed, not just that some of the file hasn't changed.
  • It checks and restores both boot and partition sectors. Some programs check only files.
  • For protection, it should have safety features built in (e.g., the ability to choose the signature information file name and to store that file off the checked disk, such as on a write-protected floppy disk).

While using an integrity checker is an excellent way to monitor changes to your system, with today's operating systems so many files change on a regular basis it's imperative that you also use a good up-to-date scanner along with the integrity checker or for the integrity checker to have that capability built in.
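The following toy integrity checker is added here as an example (it is not code from the original tutorial or from any product). It records a SHA-256 digest for every file under a directory, stores that baseline in a separate location, and later reports files that were added, removed or changed. It also demonstrates the checksum point made in the feature list above: swapping two 512-byte "sectors" of a file leaves a byte-sum checksum unchanged but changes the cryptographic hash. The sample files and the "prepending infector" are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a whole file, streamed; every byte is read (no spot checks)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_sum_checksum(data):
    """The kind of 'mere checksum' the text warns against: a 16-bit byte sum."""
    return sum(data) & 0xFFFF


def build_baseline(root):
    """Record digest and size for every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(path),
                             "size": os.path.getsize(path)}
    return baseline


def save_baseline(baseline, path):
    """Write the signature file. Keep it off the checked disk (the text
    suggests a write-protected floppy) so a virus cannot rewrite it."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(root, baseline):
    """Return added, removed and changed relative paths versus the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in current if p in baseline
                          and current[p]["sha256"] != baseline[p]["sha256"]),
    }


def swap_sectors(data, sector=512):
    """Exchange the first two 512-byte 'sectors' (simulated disk damage)."""
    return data[sector:2 * sector] + data[:sector] + data[2 * sector:]


def checksum_vs_hash(data):
    """Does each method notice the swapped sectors?
    Returns (checksum_unchanged, sha256_unchanged)."""
    damaged = swap_sectors(data)
    return (byte_sum_checksum(data) == byte_sum_checksum(damaged),
            hashlib.sha256(data).digest() == hashlib.sha256(damaged).digest())


def demo():
    """Constructed directory: take a baseline, then 'infect' one file, drop a
    new one and delete one, and report what the checker sees."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as safe:
        for name, body in {"CMD.EXE": b"MZ" + b"\x00" * 100,
                           "README.TXT": b"docs\n",
                           "OLD.COM": b"\xe9\x00\x00"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        sigfile = os.path.join(safe, "baseline.json")   # off the checked disk
        save_baseline(build_baseline(root), sigfile)
        with open(os.path.join(root, "CMD.EXE"), "r+b") as f:  # prepending infector
            original = f.read()
            f.seek(0)
            f.write(b"VIRUS" + original)
        with open(os.path.join(root, "DROPPED.VBS"), "wb") as f:
            f.write(b'MsgBox "hi"\r\n')
        os.remove(os.path.join(root, "OLD.COM"))
        return compare(root, load_baseline(sigfile))


if __name__ == "__main__":
    print(demo())
    sample = bytes(range(256)) * 2 + bytes(reversed(range(256))) * 2
    print("checksum unchanged, sha256 unchanged:", checksum_vs_hash(sample))
```

The report from demo() lists DROPPED.VBS as added, OLD.COM as removed and CMD.EXE as changed; the checker cannot by itself say whether CMD.EXE changed because of a virus or a legitimate update, which is why the text insists on combining integrity checking with virus identification.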

Summary

  • Integrity checking products read the disk and create signature information to determine changes.
  • Coupled with virus identification, using integrity checking should be able to detect most any virus with the bonus of also detecting data corruption.

 

Interception

Monitoring for system-level routines that perform destructive acts can help, but such monitoring is fairly easily bypassed. Do not depend on it alone.

Interceptors (also known as resident monitors) are particularly useful for deflecting logic bombs and Trojans. The interceptor monitors operating system requests that write to disk or do other things that the program considers threatening (such as installing itself as a resident program). If it finds such a request, the interceptor generally pops up and asks you if you want to allow the request to continue. There is, however, no reliable way to intercept direct branches into low level code or to intercept direct input and output instructions done by the virus itself. Some viruses even manage to disable the monitoring program itself. Indeed, for one widely-distributed anti-virus program several years back it only took eight bytes of code to turn its monitoring functions off.

It is important to realize that monitoring is a risky technique. Some products that use this technique are so annoying to use (due to their frequent messages popping up) that some users consider the cure worse than the disease!

Summary

  • Interceptors are useful for some simple logic bombs and Trojans.
  • It would be unwise to depend entirely upon behavior monitors as they are easily bypassed.

 

AV Product Use Guidelines

First, understand how your anti-virus product works. Then, start with a known-clean computer and follow specific steps to assure good virus detection/protection. Do research on specific products before purchase.

Most modern anti-virus products use a combination of techniques. However, they still get almost all of their protection from their scanner component. It's vital to understand exactly how your product works so that you understand what type of protection you really have (you might want to review the comments about scanning, interception, and integrity checking on other tutorial pages). Here are some rules that will help you make sure that you get maximum protection out of whatever product you have:

  • First, check your computer's BIOS setup to make certain that the boot sequence starts with the floppy drive. If it starts with the hard drive instead, any boot sector virus on the hard disk will gain control before you can run the anti-virus program(s). To get into setup you typically press a key or key combination while the BIOS is checking the computer's memory; once there, check the boot sequence. (One technique for protecting against boot sector viruses on floppy disks is to set the boot sequence to check the hard drive first, but with that setting you won't be able to boot from a clean floppy as described below; hence this check.)
  • Be sure to cold boot your PC from a write-protected diskette before virus checking, particularly if you suspect you have a virus. Most anti-virus products make this recommendation, but this rarely gets done because the recommendation is often buried in some obscure location in the documentation. If your PC's memory is infected with a virus that your scanner does not recognize, you could infect all the programs on your disk if you do not boot from a clean disk. Don't take this chance; boot from a write-protected diskette before you scan. (In some cases, the AV product might come with a bootable CD-ROM instead. If so, then set the BIOS default to boot from the CD and use that disc.)
  • If you are using a product which depends mostly on its scanner component, make sure that you always have the latest version. Scanner databases are updated frequently (one AV vendor says it posts updated files on the Internet hourly if needed).
  • Before you execute or install any new software, check it first (yes, commercial software has come from the factory infected). If it comes with an install program, check again after you install the software; an install program will frequently change or decompress executable programs. After you first execute brand new software do an additional check of your system to make sure everything is as it should be.
  • If your product contains a scanner component, check all diskettes brought in from another location; even data diskettes! Inevitably someone will leave a data diskette in their A: drive, potentially spreading a boot sector virus if the diskette is infected (assuming you have not reset the boot sequence back to booting from the hard disk first).
  • If the anti-virus software has a component that installs under Windows in order to scan all files before they are opened by all means install that component. This is a valuable service that is well worth the small amount of slowdown and resource use you will experience.

What's the best anti-virus product?

The simple answer is that there is no definite answer to the question! For one thing, a "good" anti-virus product integrates well with your particular system and system setup. If you are on a network with diskless workstations, for example, you might want to install the anti-virus software on the server. If you don't regularly exchange or download files you might find a less intrusive anti-virus product more to your liking. And so on.

Relying on magazine articles is also not the best way to decide on an anti-virus product. Valid testing requires special setups so that products are tested against real viruses under the conditions in which those viruses would actually be found (e.g., placing boot sector viruses into zip archives and then testing an anti-virus product against that archive is not a particularly useful test).

One measure of anti-virus software is ICSA approval. To obtain this approval a scanner must detect all viruses on the current version of the Wild List in addition to 90% of the full NCSA test suite. You can obtain more information about this at:

http://www.icsa.net/services/product_cert/

If you want to try an anti-virus product, many producers have evaluation versions at their web site.

Summary

  • Understand your anti-virus product and what you can expect from it.
  • Check setup to be certain you are booting from the floppy disk and then cold boot from a known-clean, write-protected diskette.
  • Scan only with the latest version of any scanner.
  • Check all new software and all data diskettes before use and again after the installation.
  • Install any scan-on-use component your anti-virus product may have.
  • Do a bit of research and look for certification when you purchase anti-virus software.

 

File Extensions

There is currently a big push toward relying heavily on recognizing "bad" file extensions and acting solely on this knowledge. That's not necessarily a good thing as extensions can be misleading.

One of the most asked questions lately is "What extensions should I scan and/or watch for in E-mail attachments?" While a valid question, some caveats must be attached to the answer.

First, it's important to note that over time Microsoft (and others) appear to be working toward no longer relying on the file extension as the sole indicator of a file's content and the program that created it. This already exists on the Macintosh, where the creator and type information is stored with the file itself, so the file name and extension are no indicator at all of the type of file.

Such behavior is starting to appear under Windows as well. Microsoft Word, for example, will actually examine a file it's asked to open and, despite the name ending in .DOC, if the file is a template file will open the file as a template (.DOT) file instead. Some Word macro viruses take advantage of this characteristic and save infected files in template format with a .DOC extension.

Another variant of this behavior on Windows computers would be the Scrap Object file which actually can contain most anything from simple text to complex programs. When opened, the operating system determines what the content is and acts accordingly.

Finally, there is the issue of double extensions. To simplify the display, Windows offers the option of hiding file extensions. If you turn that on, however, you can easily be fooled by files with double extensions. Most everyone has been conditioned, for example, to regard .TXT as safe because it indicates a plain text file. But with extensions hidden, if someone sends you a file named BAD.TXT.VBS you will only see BAD.TXT. If you've forgotten that extensions are hidden you might think it is a text file and open it. In fact it is an executable Visual Basic Script file and could do serious damage. For now you should always keep the display of extensions turned on. Here's how...

In Windows 98 double click to open "My Computer" and then select "View"|"Folder Options". Select the "View" tab and then scroll down to the entry that says "Hide file extensions for known file types" and make certain it's not checked. Click OK and then close the My Computer window. With this move you will now see extensions in file directory windows and the option will be picked up by other Microsoft programs like Outlook.

(Figure: the Folder Options "View" tab, showing the "Hide file extensions for known file types" checkbox.)

Extensions

So, with the thought in mind that file extensions are likely being phased out over time and can be spoofed, here are some to watch out for ("?" represents any character):

.386 Windows Enhanced Mode Driver. A device driver is executable code and, as such, can be infected and should be scanned.
.ADE Microsoft Access Project Extension. Use of macros makes this vulnerable.
.ADP Microsoft Access Project. Use of macros makes this vulnerable.
.ADT Abstract Data Type. According to Symantec these are database-related program files.
.APP Application File. Associated with a variety of programs; these files interact with such things as database programs to make them look like standalone programs.
.ASP Active Server Page. Combination program and HTML code.
.BAS Microsoft Visual Basic Class Module. These are programs.
.BAT Batch File. These are text files that contain system commands. There have been a few batch file viruses but they are not common.
.BIN Binary File. Can be used for a variety of tasks and usually associated with a program. Like an overlay file it's possible to infect .BIN files but not usually likely.
.BTM 4DOS Batch To Memory Batch File. Batch file that could be infected.
.CBT Computer Based Training. It's never been made clear why or how these can become infected but Symantec includes them in their default listing.
.CHM Compiled HTML Help File. Use of scripting makes these vulnerable.
.CLA, .CLASS Java Class File. Java applets are supposed to run in a "sandbox" and thus be isolated from the system. However, a user can be tricked into granting an applet (e.g., a signed one) permission to run outside that sandbox, so Class files should be scanned.
.CMD Windows NT Command Script. A batch file for NT.
.COM Command (Executable File). Any executable file can be infected in a variety of ways.
.CPL Control Panel Extension. Similar to a device driver which is executable code and, as such, can be infected and should be scanned.
.CRT Security Certificate. Can have code associated with it.
.CSC Corel Script File. A type of script file that is executable. Any executable should be scanned.
.CSS Hypertext Cascading Style Sheet. Style sheets can contain code.
.DLL Dynamic Link Library. Can be used for a variety of tasks associated with a program. DLLs typically add functions to programs. Some contain executable code; others simply contain functions or data but you can't tell by looking so all DLLs should be scanned.
.DOC MS Word Document. Word documents can contain macros that are powerful enough to be used for viruses and worms.
.DOT MS Word Document Template. Word templates can contain macros that are powerful enough to be used for viruses and worms.
.DRV Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
.EML, .EMAIL MS Outlook Express E-mail. E-mail messages can contain HTML and scripts. Many viruses and worms use this vector.
.EXE Executable File. Any executable file can be infected in a variety of ways.
.FON Font. Believe it or not, a font file can have executable code in it and therefore can be infected.
.HLP Help File. Help files can contain macros. They are not a common vector but have housed a Trojan or two.
.HTA HTML Program. Can contain scripts.
.HTM, .HTML Hypertext Markup Language. HTML files can contain scripts, which are more and more becoming vectors.
.INF Setup Information. Setup scripts can be changed to do unexpected things.
.INI Initialization File. Contains program options.
.INS Internet Naming Service. Can be changed to point unexpected places.
.ISP Internet Communication Settings. Can be changed to point unexpected things.
.JS, .JSE JavaScript. As script files become vectors more often it's best to scan them. (.JSE is encoded. Also keep in mind that these can have other, random, extensions!)
.LIB Library. In theory, these files could be infected but to date no LIB-file virus has been identified.
.LNK Link. Can be changed to point to unexpected places.
.MDB MS Access Database or MS Access Application. Access files can contain macros that are powerful enough to be used for viruses and worms.
.MDE Microsoft Access MDE database. Macros and scripts make this vulnerable.
.MHT, .MHTM, .MHTML MHTML Document. This is an archived Web page. As such it can contain scripts which can be infected.
.MP3 MP3 Program. While actual music files cannot be infected, files with .mp3 extensions can contain macro code that the Windows or RealNetwork media players will interpret and run. So, .mp3 files have expanded beyond pure music.
.MSO Math Script Object. According to Symantec these are database-related program files.
.MSC Microsoft Common Console Document. Can be changed to point to unexpected places.
.MSI Microsoft Windows Installer Package. Contains code.
.MSP Microsoft Windows Installer Patch. Contains code.
.MST Microsoft Visual Test Source Files. Source can be changed.
.OBJ Relocatable Object Code. Files associated with programs.
.OCX Object Linking and Embedding (OLE) Control Extension. A program that can be downloaded from a Web page.
.OV? Program File Overlay. Can be used for a variety of tasks associated with a program. Overlays typically add functions to programs. It's possible to infect overlay files but not usually likely.
.PCD Photo CD MS Compiled Script. Scripts are vulnerable.
.PGM Program File. Associated with a variety of programs; these files interact with such things as database programs to make them look like standalone programs.
.PIF MS-DOS Shortcut. If changed can run unexpected programs.
.PPT MS PowerPoint Presentation. PowerPoint presentations can contain macros that are powerful enough to be used for viruses and worms.
.PRC PalmPilot Resource File. A PDA program (yes, there are rare PDA viruses).
.REG Registry Entries. If run these change the registry.
.RTF Rich Text Format. A format for transmitting formatted text usually assumed to be safe. Binary (and infected) objects can be embedded within RTF files, however, so, to be safe, they should be scanned. RTF files can also be DOC files renamed and Word will open them as DOC files.
.SCR Screen Saver or Script. Screen savers and scripts are both executable code. As such either may contain a virus or be used to house a worm or Trojan.
.SCT Windows Script Component. Scripts can be infected.
.SHB, .SHS Shell Scrap Object File. A scrap file can contain just about anything from a simple text file to a powerful executable program. Avoid opening one that is sent to you; the operating system creates them routinely on a single local system, which is why they cannot simply be blocked outright.
.SMM Ami Pro Macro. Rare, but can be infected.
.ASM, .C, .CPP, .PAS, .BAS, .FOR (and others) Source Code. These are program source files that could be infected by a source code virus (these are rare). Unless you are a programmer these likely won't be a concern.
.SYS System Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
.URL Internet Shortcut. Can send you to any unexpected Web location.
.VB, .VBE VBScript File. Scripts can be infected. (.VBE is encoded.)
.VBS Visual Basic Script. A script file may contain a virus or be used to house a worm or Trojan.
.VXD Virtual Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
.WSC Windows Script Component. Scripts can be infected.
.WSF Windows Script File. Scripts can be infected.
.WSH Windows Script Host Settings File. Settings can be changed to do unexpected things.
.XL? MS Excel File. Excel worksheets can contain macros that are powerful enough to be used for viruses and worms.

The above listing has been derived from the default extension lists of various anti-virus programs and from discussions in virus-related newsgroups. It should not be taken as an absolute however. Some viruses/worms have been spread in files with no extension and, as noted, an extension does not necessarily guarantee a particular file type. The meaning for extensions not listed here might be found at http://filext.com/.

The safe option is to allow anti-virus software to scan all files.
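As an added example (not code from the original page), the check below does for an attachment what the text asks of a careful user: it walks the extension chain of the name, shows what Explorer would display with extensions hidden, flags executable and double extensions from the list above, and compares the name's claim with the file's real content using a few leading "magic bytes". The extension subsets, the magic-byte table and the sample attachments are constructed for the example and are deliberately incomplete; a real product scans everything, as the text recommends.

```python
import os

# Subset of the extensions listed above that launch code when opened.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".cpl", ".msi", ".hta",
    ".vbs", ".vbe", ".vb", ".js", ".jse", ".wsf", ".wsh", ".wsc", ".sct",
    ".shs", ".shb", ".lnk", ".reg", ".chm",
}
# Extensions people are conditioned to regard as harmless data.
DATA_LOOKING_EXTENSIONS = {".txt", ".jpg", ".gif", ".bmp", ".pdf", ".htm", ".mp3"}

# Constructed subset of content signatures ("magic bytes").
MAGIC = [
    (b"MZ", "dos_windows_executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole_compound_document"),
    (b"{\\rtf", "rtf"),
    (b"%PDF", "pdf"),
]


def extension_chain(filename):
    """['.txt', '.vbs'] for 'BAD.TXT.VBS'; [] for a name with no extension."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:] if p]


def displayed_name(filename, hide_known_extensions=True):
    """What Explorer shows with "Hide file extensions for known file types"
    turned on: the final extension is dropped when it is a registered type.
    Simplification (assumption): both lists above count as 'known'."""
    exts = extension_chain(filename)
    if not (hide_known_extensions and exts):
        return filename
    if exts[-1] in EXECUTABLE_EXTENSIONS | DATA_LOOKING_EXTENSIONS:
        return filename[:-len(exts[-1])]
    return filename


def sniff_content(data):
    """Classify by leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename, data):
    """Return a list of findings for an attachment (empty = nothing noticed)."""
    findings = []
    exts = extension_chain(filename)
    claimed = exts[-1] if exts else ""
    if claimed in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable type {claimed}")
        if len(exts) > 1 and exts[-2] in DATA_LOOKING_EXTENSIONS:
            findings.append(f"double extension: appears as "
                            f"{displayed_name(filename)!r} with extensions hidden")
    kind = sniff_content(data)
    if kind == "dos_windows_executable" and claimed not in EXECUTABLE_EXTENSIONS:
        findings.append("content is a DOS/Windows executable but name claims "
                        f"{claimed or 'no extension'}")
    if kind == "ole_compound_document" and claimed in {".rtf", ".txt", ""}:
        findings.append("content is an OLE document (Word/Excel/scrap), "
                        "opened by its real type")
    return findings


if __name__ == "__main__":
    # Constructed sample attachments.
    samples = [
        ("BAD.TXT.VBS", b'MsgBox "hi"\r\n'),
        ("NOTES.TXT", b"just text\n"),
        ("PHOTO.JPG", b"MZ\x90\x00"),
        ("LETTER.RTF", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ]
    for name, body in samples:
        print(f"{name} (shown as {displayed_name(name)}): "
              f"{assess_attachment(name, body) or 'no findings'}")
```

The magic-byte check is the part that survives the caveats in the text: renaming a Word document to .RTF or an executable to .JPG changes nothing about the first bytes, which is exactly why letting the scanner read every file is safer than any extension list.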

Summary

  • While extensions are often touted as being accurate indicators of files that can be infected, history shows they are not. Additionally, they can be spoofed in a variety of ways.
  • The safe option is to allow anti-virus software to scan all files.

 

Copyright © 1981 - 2008
MINDPRIDE CONSULTING All rights reserved.
Revised: November 21, 2007