
Virus Utilities

Virus Alert

Know Your Enemy

A virus is a rogue program designed to copy itself into your PC's memory and onto your hard disk. Once active in memory, a virus can interfere with the operating system, corrupt program and data files, or simply post intrusive messages on the screen. There are two common ways for a virus to enter your system: Your operating system may read it at boot time, or it may load itself into memory along with a frequently used system file or application.

Boot-sector viruses, like Michelangelo and Stoned, once were the most common means of PC infection. They're typically transmitted to other machines when an infected floppy disk is left in a drive and the PC is rebooted. The operating system reads the boot record of the floppy, and the virus is transferred to the hard disk's master boot record. You may see the familiar "non-system disk" error message, but the damage has probably already been done, with the boot-sector virus loaded into memory.

File viruses are the second most common. These are bits of code that attach themselves to system files, such as COMMAND.COM, DOS utility programs and other applications. When you run the infected program, the virus also loads into memory. Once there, it may replicate by writing itself to other executable programs on your hard disk. The virus may also attack the operating system, playing tricks with your screen display or disabling programs.

Some viruses don't replicate themselves on your hard disk, but they can cause sudden damage. They're referred to variously as Trojans, time bombs or logic bombs. They'll attach to an application to get loaded into memory and then wait for a certain date or system event to trigger them. They don't infect other files, so there may be no indication your system is infected until they do their deadly deed.

Multipartite viruses are the switch-hitters in the virus lineup. They originate as boot-sector or file viruses; once loaded into memory, they exhibit traits of both types. Tequila is a multipartite that starts as a file virus but eventually infects boot sectors; AntiCAD attacks your system from a floppy boot record and then invades EXE and COM files on your hard disk.

Macro viruses are currently the most prevalent. (See the sidebar, "Anatomy of a Macro Virus.") Similar to file viruses, macro viruses attach themselves to documents. Interestingly, it's the flexibility of Microsoft's WordBasic and VBA programming languages that makes it relatively easy to create a virus that attacks these apps' documents. A macro virus conceals itself as a macro in a document. When you open the infected document, the macro virus can execute any instructions supported by the application's macro language. It can prevent saving the document, insert random data, corrupt templates and styles--and worse. Through calls to system DLLs, it can delete files and execute DDE commands that destroy the file system on your hard disk.

Viruses can sometimes disguise themselves to evade discovery even by sophisticated detection utilities. Stealth viruses can fool detection programs by returning the information the detectors expect from a normal file. Some antivirus utilities find viruses by checking the disk's boot sector and files for byte patterns that indicate virus code. But clever virus writers break up their code into encrypted segments that decrypt only when the virus loads into memory. Polymorphic viruses may change the location of their encryption/decryption algorithms from file to file, making them even more difficult to detect.
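The byte-pattern scanning described above, and the reason encoded code slips past it, shown as an added example that is not part of the original article. The signature name, marker bytes, XOR key and 512-byte sector are all constructed and harmless, and single-byte XOR stands in for the encryption the paragraph mentions.

```python
# Added example: byte-pattern (signature) scanning of a boot-sector-sized buffer.
# Every name, signature and sample buffer here is constructed for illustration.

WILDCARD = None  # a pattern position that matches any single byte

# Constructed, harmless marker standing in for a real scanner signature.
SIGNATURES = {
    "Demo.Marker.A": [0xDE, 0xC0, WILDCARD, 0x5A, 0xA5, 0x13, 0x37],
}

def match_at(buf, pos, pattern):
    """True if pattern (with wildcards) matches buf starting at pos."""
    if pos + len(pattern) > len(buf):
        return False
    return all(p is WILDCARD or buf[pos + i] == p for i, p in enumerate(pattern))

def scan(buf):
    """Return a sorted list of (offset, signature_name) for every match in buf."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for pos in range(len(buf) - len(pattern) + 1):
            if match_at(buf, pos, pattern):
                hits.append((pos, name))
    return sorted(hits)

def xor_bytes(data, key):
    """Single-byte XOR, a simple stand-in for an 'encrypted segment'."""
    return bytes(b ^ key for b in data)

def make_sector(body, offset=0x40):
    """Build a constructed 512-byte sector image holding body at offset."""
    sector = bytearray(512)
    sector[offset:offset + len(body)] = body
    sector[510:512] = b"\x55\xAA"  # standard boot-sector end marker
    return bytes(sector)

MARKER = bytes([0xDE, 0xC0, 0x99, 0x5A, 0xA5, 0x13, 0x37])

plain_sector = make_sector(MARKER)                     # pattern stored as-is
encoded_sector = make_sector(xor_bytes(MARKER, 0x4B))  # pattern stored encoded
# What memory would hold once the encoded bytes have been decoded:
decoded_image = make_sector(xor_bytes(encoded_sector[0x40:0x47], 0x4B))

if __name__ == "__main__":
    print("plain on disk  :", scan(plain_sector))
    print("encoded on disk:", scan(encoded_sector))
    print("decoded in mem :", scan(decoded_image))
```

The scan of the encoded sector comes back empty even though the same bytes are present in disguised form, while the decoded image matches at the original offset.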






Copyright © 1997 CMP Media Inc.