
PREVENTION

Even for an expert, removing a computer virus can be a difficult task without the
help of virus removal tools. Some viruses and other unwanted software, such as
spyware, reinstall themselves after they have been detected and removed.
Fortunately, by keeping the computer updated and by using antivirus tools, you
can help remove unwanted software permanently.

Quick Virus Guidelines

It's important to keep viruses in perspective. They are but one threat to your data
and programs. They need not be regarded as mysterious and they are quite easy to
understand. Here are a few tips to keep in mind when considering viruses:

You can only get a virus by executing an infected program or booting from an
infected diskette. Any diskette can be infected by a boot sector virus, even
non-bootable diskettes.

You cannot get a virus simply by being on a BBS, the internet, or an online
service. You will only become infected if you download an infected file and
execute that file. (It's important to understand that Microsoft Office files act
as executable programs, since they can contain macro programs that are executed
when you open the file; so, to be safe, a Microsoft Word document or Excel
spreadsheet should not be opened with the actual Microsoft application but
rather with a viewer program such as those available from the Microsoft web
site, or simply discarded.)

Most viruses are transferred by booting from an infected diskette (e.g., Stoned,
Form, Stealth-B, AntiExe, Monkey). Remove diskettes from your A: drive as soon
as you are through with them. If your CMOS setup permits it, change your boot
order to boot from your hard disk first. If you don't know what CMOS is, check
the manual for your PC; there is normally an option when you boot your PC to hit
a specific key to enter CMOS setup, which lets you change many options on your
PC.

Make sure you have at least two backups of all of your files. Backups are
essential not only to recover safely from virus infections, but also to recover
from the other threats to your data.

Be sure to check all new software for viruses. Even shrink-wrapped software from
a major publisher may contain a virus.
Software attacks against your computer:

Viruses are one specific type of program written deliberately to cause harm to
someone's computer or to use that computer in an unauthorized way. There are
many forms of malicious software; sometimes the media calls all malicious
software viruses, but it's important to understand the distinction between the
various types. Let's examine the different types of malicious software:

Logic Bombs
Just like a real bomb, a logic bomb will lie dormant until triggered by some event.
The trigger can be a specific date, the number of times executed, a random
number, or even a specific event such as deletion of an employee's payroll record.
When the logic bomb is triggered it will usually do something unpleasant. This
can range from changing a random byte of data somewhere on your disk to
making the entire disk unreadable. The changing of random data on disk may be
the most insidious attack since it would do a lot of damage before it would be
detected.
Trojans
These are named after the Trojan horse which delivered soldiers into the city of
Troy. Likewise, a trojan program is a delivery vehicle for some destructive code
(such as a logic bomb or a virus) onto a computer. The trojan program appears to
be a useful program, but when a certain event occurs, it will attack your PC in
some way.
Worms
A worm is a self-reproducing program which does not infect other programs as a
virus does, but instead creates copies of itself, which create even more copies.
These are usually seen on networks and on multi-processing operating systems,
where the worm creates copies of itself which are also executed. Each new copy
creates more copies, quickly clogging the system. The so-called Morris
ARPANET/Internet "virus" was actually a worm. It created copies of itself across
the ARPA network, eventually bringing the network to its knees. It did not
infect other programs as a virus would, but simply kept creating copies of
itself which would then execute and try to spread to other machines.
How Do Virus Scanners Work?

Once someone has detected and analyzed a virus, it is possible to write programs
that look for telltale code (signature strings) characteristic of the virus.
Remember, a virus must add its code to the infected file or boot sector. The
writers of the scanner extract identifying pieces (signature strings) from the
code that the virus inserts. The scanner uses these signature strings to search
memory, your files and system sectors. If there's a match, the scanner announces
that it has found a virus. This obviously detects only known, preexisting
viruses and may produce a false virus indication (a false positive) if an
innocent program happens to contain code similar to the signature. Many
so-called virus writers create "new" viruses by modifying existing viruses. This
takes only a few minutes but creates what appears to be a new virus. It happens
all too often that these viruses are changed simply to fool the scanners: they
repeatedly make small changes to a virus until the scanners no longer detect it.
This requires little or no programming skill but allows someone to claim they
wrote a new virus.
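The following is an added example, not code from the original article or from
any real scanner: a minimal signature scanner of the kind just described. It
shows a signature string matching an infected program, the same bytes producing
a false positive in an innocent file, and how inserting a single do-nothing byte
into the virus body is enough to defeat the signature. The signature strings,
the "virus" body and every file on the sample disk are constructed for this
example and are not real virus code.

```python
# Added example (not from the original article or any real product): a
# minimal signature scanner. Signatures, files and the "virus" body are all
# constructed for this example; none of it is real virus code.

# Signature database: virus name -> byte string lifted from the code the
# (constructed) virus inserts into a host program.
SIGNATURES = {
    "Example.A": bytes.fromhex("b8 00 4c cd 21") + b"Example",
    "Example.B": b"\xeb\x1e\x90HELLO-VX",
}

def scan_bytes(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Return the names of all signatures found anywhere in data."""
    return [name for name, sig in signatures.items() if sig in data]

def scan_files(files: dict, signatures: dict = SIGNATURES) -> dict:
    """Scan a mapping of filename -> contents; report only files with a hit."""
    report = {}
    for name, data in files.items():
        hits = scan_bytes(data, signatures)
        if hits:
            report[name] = hits
    return report

# A clean host program and the same program with the constructed virus
# body appended (a jump into the body followed by the body itself).
CLEAN_PROGRAM = b"MZ" + b"\x90" * 64 + b"original program code"
VIRUS_BODY = b"\xe9\x10\x00" + bytes.fromhex("b8 00 4c cd 21") + b"Example"
INFECTED_PROGRAM = CLEAN_PROGRAM + VIRUS_BODY

def make_variant(infected: bytes) -> bytes:
    """Mimic the 'new virus' trick described in the text: insert a single
    do-nothing byte (0x90, NOP) inside the region the signature covers.
    The body still behaves the same, but the signature string no longer
    matches contiguously, so the scanner misses it."""
    return infected.replace(b"\xcd\x21Example", b"\xcd\x21\x90Example", 1)

# Constructed disk contents, including an innocent text file that happens
# to contain the Example.B signature bytes (a false positive).
SAMPLE_FILES = {
    "EDIT.COM":   CLEAN_PROGRAM,
    "GAME.EXE":   INFECTED_PROGRAM,
    "NEW.EXE":    make_variant(INFECTED_PROGRAM),
    "README.TXT": b"The string \xeb\x1e\x90HELLO-VX is documented here.",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(hits)}")
```

Run as written, the scanner reports GAME.EXE (a true hit) and README.TXT (a
false positive) and says nothing about NEW.EXE, the one-byte variant. This is
the whole weakness of pure signature scanning in miniature: the signature is
only as good as the analyst's choice of bytes, and anyone who can patch the
virus can choose different ones.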

A major drawback to scanners is that it's hazardous to depend upon an old
scanner. With the dramatic increase in the number of viruses appearing (more
than 6,000 different viruses as this is being written), it's risky to depend upon
anything other than a current scanner. Even that scanner is necessarily a step
behind the latest crop of viruses since there's a lot that has to happen before the
scanner is ready to handle new viruses:

The virus has to be detected somehow to begin with. Since the existing scanners
can't detect the new virus, it has time to spread before someone detects it by
other means. This requires something other than a scanner to detect the virus
in the first place. If everyone depended only upon scanning, new viruses might
never be detected.

The newly discovered virus must be sent to the programmers to analyze and
extract a suitable signature string. This string must be tested for false
positives on legitimate programs.

This string must be incorporated into the next release of the virus scanner.

The virus scanner must be distributed to the customer.

For some viruses it's impossible to isolate a small section of code to use as a
signature string. These viruses are called polymorphic and require the writer of
the scanner to write special code to recognize the virus. This requires a lot
more work than simply isolating a signature string to scan for. Some well-known
existing scanners do not reliably detect some existing polymorphic viruses more
than a year after the virus became known. (In an upcoming article I'll cover
polymorphic viruses in more detail.)

In the case of retail software, the software must be sent to be

Scanning is the only technique that can recognize a virus while the virus is
still safely sitting on a diskette or in an upload directory. Therefore scanning
is the primary automatic technique that BBS sysops and software librarians use
to check new programs. If scanning is your only defense against viruses, you can
dramatically improve the odds that you will detect a new virus by using two or
more scanners. If I run any one scanner against my virus collection there will
be one hundred to several hundred viruses missed by that scanner. If I run
current releases of the three best scanners against this collection, only a
small number of viruses is missed by all three products. The more scanners the
merrier!

An important warning for using scanners:

If you depend upon a scanner, be sure to get the latest version directly from the
developer and consider using multiple scanners. Also, be sure that you boot from
a clean write-protected copy of DOS before running the scanner; there's a good
chance that the scanner can detect a resident virus in memory, but if it misses the
virus in memory, the scanner will wind up spreading the virus rather than
detecting it. Each and every susceptible program on your disk could be infected in
a matter of minutes this way!

To get maximum protection out of your scanner, follow these rules:

Scan all new diskettes, even if they contain no programs. Any diskette may harbor
a boot sector virus.

Be sure to cold boot your PC from a write-protected diskette before checking the
hard disk for viruses. Most anti-virus products make this recommendation, but
this rarely gets done because the recommendation is often buried in some obscure
location in the documentation. If your PC is infected with a virus that your
scanner does not recognize, you could infect all the programs on your disk. Don't
take this chance; boot from a write-protected diskette before you scan.

Before you execute or install any new software, scan it first. If it comes with
an install process, scan again after you install the software.

Unless you have additional anti-virus protection, make sure that you have the
latest version of your scanner.

If you are exposed to many new programs, consider using multiple scanners to
maximize the odds that you will detect newer viruses.

Using Disinfectors:

Most vendors that sell scanners also sell a disinfector (often it's the same
program). A disinfector has the same limitations that a scanner has, in that it
must be current to be safe to use and it's always one step behind the latest
crop of viruses. The disinfector, however, has an even bigger disadvantage: many
viruses simply cannot be removed without damaging the infected file. There have
also been many reports of files still being damaged even when the program claims
to have disinfected them. A disinfector, like a scanner, can be a very handy tool
in your anti-virus arsenal, but it must be used with care. If you use a
disinfector, be sure you have the latest version and be sure to use a tool to
verify that all files and system sectors are correctly restored.

There are a large number of viruses that no product can disinfect or remove from
infected files at all. These viruses modify the programs in such a way that
removal is not possible. The most common of these are the viruses that overwrite
part of the programs they infect. The only way to remove these viruses is to
restore the infected files from a backup.

It's ironic that even the most common file infecting virus of all won't be safely
disinfected from all files. One of the oldest and most common infectors of files is
the Jerusalem (1813) virus. All disinfectors naturally claim to be able to remove
Jerusalem and its many variants. While Jerusalem will be correctly removed from
many programs, there are some programs from which Jerusalem cannot be
removed without damaging the original program. In spite of this, most (if not all)
disinfectors claim to disinfect Jerusalem infected programs. A very dangerous
situation! I'd like to stress that:

You cannot safely depend upon disinfectors as a way to recover from virus
infections.

Disinfectors are helpful but they should be viewed only as an aid. Disinfectors
can't remove many viruses at all and can't remove even the most common viruses
from some files; it's simply not safe to expect a disinfector to be able to remove
viruses from files.

A further problem with many disinfection programs is that some of your programs
may no longer work after being disinfected, yet the disinfector gives you no
indication that it has failed to correctly restore the original program. You
can use a disinfector more safely if you have the capability to verify that the
original file was correctly rebuilt. (Our product Integrity Master gives you
this capability, but many products that claim to do checksumming or integrity
checking read only part of the file and can't really check that a file is
correctly restored.) Unless you have a product capable of full integrity
checking, I strongly suggest that you restore your files from a backup rather
than depending upon the disinfector to do the job correctly.

Using Interceptors to Protect Against Viruses:

Interceptors (also known as resident monitors) are particularly useful for
deflecting logic bombs and trojans. The interceptor monitors operating system
requests that write to disk or do other things that the program considers
threatening (such as installing itself as a resident program). If it finds such
a request, the interceptor generally pops up and asks you if you want to allow
the request to continue. There is, however, no reliable way to intercept direct
branches into low-level code or to intercept direct input and output
instructions done by the virus itself. Some viruses attempt to modify the
interrupt 13H and 26H vectors to disable any monitoring code. It is important
to realize that monitoring is a risky technique. Some products that use this
technique are so annoying to use (due to their frequent messages) that some
users consider the cure worse than the disease! An interception (monitoring)
product can be a useful adjunct to another protection program, as protection
against some of the more simple-minded logic bombs. The bottom line here is
that there are many ways for viruses to bypass interceptors, so you cannot
depend on an interceptor as your primary defense.

Using Inoculators

There are two types of inoculators or so-called immunizers. One modifies your
files or system sectors in an attempt to fool viruses into thinking that you are
already infected. The inoculator does this by making the same changes that the
viruses use to mark a file or sector as infected. Presumably, the virus will not
infect anything because it thinks everything is already infected. In the early
days of viruses this technique may have had some value, but it works only for a
very small number of viruses and is generally considered a useless technique
today.

The second technique is actually an attempt to make your programs self-checking
by attaching a small section of check code onto your programs. When your
program executes, the check code first computes the check data and compares it
with the stored data. It will warn you if it finds any changes to the program.
This can be circumvented by existing stealth viruses, and the self-checking
code and check data can themselves be modified or disabled. Another problem
arises because some programs refuse to run if they have been modified in this
way. This also creates alarms from other anti-virus programs, since the attached
self-check code changes the original program in the same way a virus would.
Some products use this technique to substantiate their claim to detect unknown
viruses. Needless to say, I do not recommend this approach either.

Using An Integrity Checker

Integrity check based products work by reading all of your disk and recording
integrity data which acts as a signature for the files, boot sectors, and optionally
other areas. In order for a virus to infect your PC, it must change something on
that PC. The integrity check identifies these changes and alerts you to the virus.
An integrity check program is the only solution that can handle all the other
threats to your data along with viruses. Integrity checkers also provide the only
reliable way to find what damage a virus has done. Since a virus must change or
add something to your PC, a well written integrity checker should be able to
detect any virus not just known viruses.

So, why isn't everyone using an integrity checker? Until recently, there hasn't
been an integrity checker available without some significant drawbacks. First,
an integrity checker generally won't identify a virus by name unless it also
includes a scanner component. In fact, many anti-virus products now incorporate
integrity checking techniques. One problem with many products is that they
don't use these techniques in a comprehensive way: there are still too many
things not being checked. Some older integrity checkers were simply too slow or
hard to use to be truly effective. A disadvantage of a bare-bones integrity
checker is that it can't differentiate file corruption caused by a bug from
corruption caused by a virus. Only recently have advanced integrity checkers
(e.g., Integrity Master) become available that incorporate the smarts to
analyze the nature of the changes and recognize changes caused by a virus.
(Integrity Master uses scanning and other anti-virus techniques along with
integrity checking to improve its intelligence and ease of use.)

If you use an integrity checker, be sure to verify that your product will read all
files and system sectors in their entirety rather than just spot checking. It's vital to
be able to know positively that all your files are in good shape.
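The following is an added example, not code from the original article and not
Integrity Master or any other real product. It illustrates both the point made
here about reading files in their entirety and the earlier warning about
disinfectors that fail silently: a toy integrity checker records integrity data
for a simulated clean disk, then checks the disk after a constructed appending
infection and again after a constructed "disinfection" that restores the
program header but miscounts the bytes it trims from the tail. A checker that
hashes every byte (and records the size) flags both; a checker that spot-checks
only the first few kilobytes passes the badly repaired file as clean. The file
contents, the 1813-byte virus body, the infector and the sloppy disinfector are
all constructed for this example.

```python
# Added example (not from the original article or Integrity Master): a toy
# integrity checker contrasting a full-file check with a "spot check" that
# reads only the first SPOT_CHECK_BYTES of each file. Every file, the virus
# body and both the infector and disinfector are constructed for the example.
import hashlib

SPOT_CHECK_BYTES = 4096  # assumed size of the partial read a weak checker does

def full_signature(data: bytes) -> tuple:
    """Integrity data over the whole file: its size plus SHA-256 of every byte."""
    return (len(data), hashlib.sha256(data).hexdigest())

def spot_signature(data: bytes) -> tuple:
    """What a partial checker records: a hash of only the first few KiB."""
    return (hashlib.sha256(data[:SPOT_CHECK_BYTES]).hexdigest(),)

def build_baseline(files: dict, signer) -> dict:
    """Record integrity data for every file on a (simulated) clean disk."""
    return {name: signer(data) for name, data in files.items()}

def check(files: dict, baseline: dict, signer) -> dict:
    """Compare the current disk against the baseline.
    Returns filename -> 'ok', 'changed', 'new' or 'missing'."""
    status = {}
    for name, data in files.items():
        if name not in baseline:
            status[name] = "new"
        elif signer(data) != baseline[name]:
            status[name] = "changed"
        else:
            status[name] = "ok"
    for name in baseline:
        if name not in files:
            status[name] = "missing"
    return status

# --- constructed sample disk ---------------------------------------------
ORIGINAL_DISK = {
    "PROGRAM.EXE": b"MZ\x00\x01" + bytes(range(256)) * 32,  # 4-byte header + 8 KiB
    "BOOT.SEC":    b"\xeb\x3c\x90" + b"A" * 509,            # one 512-byte sector
}
VIRUS_BODY = b"\xe9\x00\x00" + b"V" * 1810                  # 1813 constructed bytes

def infect(program: bytes, body: bytes) -> bytes:
    """Constructed appending infector: patches two header bytes so control
    reaches the body, then appends the body after the original code."""
    return program[:2] + b"\xff\xff" + program[4:] + body

def sloppy_disinfect(infected: bytes, body_len: int) -> bytes:
    """Constructed disinfector that restores the header correctly but
    miscounts the tail, leaving 16 bytes of virus body on the program."""
    return infected[:2] + b"\x00\x01" + infected[4:len(infected) - body_len + 16]

INFECTED_DISK = dict(ORIGINAL_DISK)
INFECTED_DISK["PROGRAM.EXE"] = infect(ORIGINAL_DISK["PROGRAM.EXE"], VIRUS_BODY)

DISINFECTED_DISK = dict(ORIGINAL_DISK)
DISINFECTED_DISK["PROGRAM.EXE"] = sloppy_disinfect(
    INFECTED_DISK["PROGRAM.EXE"], len(VIRUS_BODY))

# Baselines are taken from the clean disk, before any infection.
BASELINE_FULL = build_baseline(ORIGINAL_DISK, full_signature)
BASELINE_SPOT = build_baseline(ORIGINAL_DISK, spot_signature)

def verdicts() -> dict:
    """Run both checkers against the infected and the 'disinfected' disk."""
    return {
        "infected/full":    check(INFECTED_DISK, BASELINE_FULL, full_signature)["PROGRAM.EXE"],
        "infected/spot":    check(INFECTED_DISK, BASELINE_SPOT, spot_signature)["PROGRAM.EXE"],
        "disinfected/full": check(DISINFECTED_DISK, BASELINE_FULL, full_signature)["PROGRAM.EXE"],
        "disinfected/spot": check(DISINFECTED_DISK, BASELINE_SPOT, spot_signature)["PROGRAM.EXE"],
    }

if __name__ == "__main__":
    for case, verdict in verdicts().items():
        print(f"{case:18} {verdict}")
```

Both checkers catch the infection itself, because the infector touches the
header that the spot check happens to read. The badly repaired program is the
telling case: its first 4 KiB are byte-for-byte original, so the spot checker
reports it as restored, while the full checker still sees a different size and
hash. That is exactly the situation in which a user would trust a disinfector's
claim and keep a damaged program.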