[ Go to April 1997 Table of Contents ]

Virus Alert!
Thousands of PC viruses are out there, and each day more insidious invaders appear-to be safe, you have to know your enemy and know how to fight back.

-- by Lenny Bailes

Computer viruses come in many forms, from relatively harmless pests to intruders intent upon destruction. They're easily and unobtrusively transmitted, and the methods they use to avoid detection nearly match the sophistication of the tools designed to find and eradicate them.

Today, the threat of a virus worming its way into your PC is greater than ever, with the Internet explosion and ever-growing use of e-mail making file swapping an everyday thing.

Antivirus experts have identified and cataloged as many as 10,000 computer viruses. Luckily, PC users have to worry about only 700 of those viruses-the ones known to be in circulation, or "in the wild," in virus-speak. Viruses in the wild are the ones you're most likely to pick up from casually copied floppy disks, poorly managed shareware sites, infected rental PCs and documents transmitted as e-mail attachments.

In past years, new viruses appeared at a clip of about 100 to 150 a year, but in 1996 the proliferation rate approached epidemic proportions. The 1996 Virus Prevalence Survey conducted by the National Computer Security Association (NCSA) revealed that macro viruses carried and spread by documents created with Microsoft Word have become the most prevalent virus type in North America. The Symantec AntiVirus Research Center (SARC) reports that three to six new computer viruses are discovered every day. According to the SARC, since December 1996, researchers have documented 205 Word macro viruses-up from 42 known to exist in August 1996.

The numbers add up to a simple fact: The risk of infection and file damage from computer viruses is significantly greater today than it has been in the past. Previously, most viruses caused relatively little damage with annoying-but nondestructive-symptoms such as messages that flashed across your screen. A handful of viruses were hell-bent on destruction, programmed to corrupt files or partitions, or otherwise separate you from your data. Interestingly, many of these activated themselves only on specific trigger dates-like the famed Michelangelo-so their effects could often be avoided.

Inevitably, the threat of a virus stirs visions of lost, unrecoverable data. While that happens relatively rarely, there is a real-and significant-loss associated with all viruses: lost money. It's the money your company spends to install antivirus software on your PCs and servers. And the impact on productivity costs you plenty, too. Someone has to check and inoculate infected machines, and the users of those PCs aren't likely to be very productive during the process.

To combat viruses effectively, you have to arm yourself with knowledge. You should know the types of viruses out there, the forms they take, how they proliferate on your hard disk and what the most effective remedies are.

Know Your Enemy

A virus is a rogue program designed to copy itself into your PC's memory and onto your hard disk. Once active in memory, a virus can interfere with the operating system, corrupt program and data files, or simply post intrusive messages on the screen. There are two common ways for a virus to enter your system: Your operating system may read it at boot time, or it may load itself into memory along with a frequently used system file or application.

Boot-sector viruses, like Michelangelo and Stoned, once were the most common means of PC infection. They're typically transmitted to other machines when an infected floppy disk is left in a drive and the PC is rebooted. The operating system reads the boot record of the floppy, and the virus is transferred to the hard disk's master boot record. You may see the familiar "non-system disk" error message, but the damage has probably already been done, with the boot-sector virus loaded into memory.

File viruses are the second most common. These are bits of code that attach themselves to system files, such as COMMAND.COM, DOS utility programs and other applications. When you run the infected program, the virus also loads into memory. Once there, it may replicate by writing itself to other executable programs on your hard disk. The virus may also attack the operating system, playing tricks with your screen display or disabling programs.

Some viruses don't replicate themselves on your hard disk, but they can cause sudden damage. They're referred to variously as Trojans, time bombs or logic bombs. They'll attach to an application to get loaded into memory and then wait for a certain date or system event to trigger them. They don't infect other files, so there may be no indication your system is infected until they do their deadly deed.

Multipartite viruses are the switch-hitters in the virus lineup. They originate as boot-sector or file viruses; once loaded into memory, they exhibit traits of both types. Tequila is a multipartite that starts as a file virus but eventually infects boot sectors; AntiCAD attacks your system from a floppy boot record and then invades EXE and COM files on your hard disk.

Macro viruses are currently the most prevalent. (See the sidebar, "Anatomy of a Macro Virus.") Similar to file viruses, macro viruses attach themselves to documents. Interestingly, it's the flexibility of Microsoft's WordBasic and VBA programming languages that makes it relatively easy to create a virus that attacks these apps' documents. A macro virus conceals itself as a macro in a document. When you open the infected document, the macro virus can execute any instructions supported by the application's macro language. It can prevent saving the document, insert random data, corrupt templates and styles-and worse. Through calls to system DLLs, it can delete files and execute DDE commands that destroy the file system on your hard disk.

Viruses can sometimes disguise themselves to evade discovery even by sophisticated detection utilities. Stealth viruses can fool detection programs by returning the information the detectors expect from a normal file. Some antivirus utilities find viruses by checking the disk's boot sector and files for byte patterns that indicate virus code. But clever virus writers break up their code into encrypted segments that decrypt only when the virus loads into memory. Polymorphic viruses may change the location of their encryption/decryption algorithms from file to file, making them even more difficult to detect.

The Symptoms

Determining if your PC is infected can be difficult, but at the first sign of odd behavior-improper booting, a familiar program refusing to run or the inability to save a document-think virus. Other unusual behavior, such as sluggish hard disk performance, frequent floppy drive accesses or unfamiliar screen messages, could be evidence, too. Of course, there may be other reasons for these symptoms, but there's a good chance that a virus is the cause. You should stop using the PC, get an antivirus package and install it immediately.

More experienced users may know that certain programs have specific date signatures and file sizes. If you know this information, you should check COMMAND.COM, WIN.COM and other executables; if there's evidence of change, an antivirus remedy is in order.

Some viruses go for broke, infecting as many files as they can before they're detected. Others are slow infectors, contaminating files over a longer period of time and hoping not to arouse suspicion. Slow infectors attach themselves to executables that would be modified during normal use, such as software packages that incorporate new configuration information in their program files. This tactic can help avoid detection by antivirus utilities that track file date and size.

Many viruses in the wild are not programmed to erase files on the hard disk or inflict similar damage. But they, too, can become destructive. The Stoned virus was supposed to simply display the messages "Your PC is Stoned" and "Legalize Marijuana" every eighth time the infected system booted. But the author calculated his code for 360KB low-density floppy disks. When the virus found its way onto higher-capacity floppies, it destroyed their boot sectors, making the files on the floppy disks inaccessible.

The Cure

There are a lot of effective ways to find and eliminate viruses, but prevention should be the keystone of any antivirus strategy. If you back up your critical data files and conscientiously use a good virus-detection package, you should be well protected.

Some other steps to prevent virus infection or to successfully recover from an attack are:

-- Install a real-time antivirus program on every PC in your organization. If you can't do this, you should at least set up a floppy-scanning workstation, where all floppy disks brought from home, received from business associates and so forth can be scanned.

-- If you use e-mail, make sure your antivirus software checks sent and received messages.

-- In addition to data files, you should back up critical system files (workstation and network) daily.

-- Create floppy boot disks for each PC; write protect them and store them in a safe place.

-- If your PC offers options for setting the system startup drive, set it to bypass the A: drive (floppy drive) and boot directly from the C: drive.

Choosing a Workstation Antivirus Program

Good workstation antivirus programs now include real-time sensing to monitor each new file as it is copied to or created on your hard disk. This feature checks the spread of viruses through e-mail attachments or files shared over a network. A good workstation antivirus package should also include real-time shields against macro infections and boot-sector viruses and, at shutdown, it should check any diskette that may have been left in the A: drive.

Other things to keep in mind when choosing an antivirus package are:

-- In addition to scanning byte patterns on your hard disk, the antivirus program should track suspicious program behavior, such as attempts to change boot records and extraneous read/write operations. Heuristic scanning helps counter stealth and polymorphic viruses.

-- The antivirus utility should be able to clean most infected files. Avoid antivirus packages that can only delete infected files.

-- A scheduler makes it easy to automate antivirus scanning.

-- The documentation that comes with an antivirus program (either in help file or printed format) should identify virus types and describe their symptoms.

-- Because the number of viruses changes daily, make sure the program you buy is backed by one year of technical support and free virus pattern updates.

Other features to look for include: a facility for creating emergency recovery boot floppies, selective scanning of network drives and automatic updating via the Internet.

Choosing an Antivirus Program for a Network

Because your network can convey a crippling virus just as easily as it does your company's information, a solid network antivirus program is absolutely essential. All the key vendors of workstation antivirus programs, including Symantec, McAfee and Trend Micro Devices, also have versions designed for Windows NT and Novell NetWare servers.

Good network antivirus utilities will have some features that may not be in their workstation equivalents:

-- Network antivirus packages should monitor all shared resources on the network and issue warnings when network clients introduce infections.

-- Antivirus software for networks should offer multiple, configurable virus disposition options, allowing for immediate file disinfection, file deletion or quarantine of contaminated files to a specified directory.

-- When a serious infection occurs, a network antivirus program should notify users and initiate a server shutdown. The system administrator should be able to deal with infected files remotely.

-- The real-time sensor should scan and protect newly mounted drives and directory resources that dynamically change their assignments and drive letters.

A bonus in a server-based antivirus utility is the ability to scan and disinfect client drives.

Don't Panic-Be Prepared

Ross Greenberg, a pioneer in the antivirus software industry, often says he'd be far less successful than he is today if everyone took precautions-like backing up data-and knew what steps to take when a virus hit.

Information is a company's greatest asset. Preparation, vigilance and effective virus-fighting tools can help protect that information, avoid disaster and maybe keep you in business.

Lenny Bailes is a San Francisco-based instructor and consultant. Contact him care of the editor at the e-mail addresses here.

Windows Magazine, April 1997, page 231.

[ Go to April 1997 Table of Contents ]