ACTIONS TO CURB THE SPREAD OF VIRUS
The first known virus was an assembly language program called Creeper. It was created by Bob Thomas from the Bulletin Board Network in 1970 as a demonstration. It was a very simple creature: its only function in life was to perpetuate itself, duplicating every time it was run. So that it could clone more efficiently, Creeper's programmer gave it the ability to spread from one computer to another within the constellation of machines on its home network. Everywhere Creeper went, it left behind the message, "I'm the Creeper, catch me if you can!" Unfortunately, Creeper got out of control, and before long there was another self-replicating program, called Reaper, which found copies of Creeper, deleted them, and then deleted itself.
Since then computer viruses have been a major concern for most, if not all, computer users. Thousands of different viruses have been created and maliciously planted in computer systems around the world. These viruses have the ability to spread themselves and sometimes even mutate faster than the common cold.
Most viruses do nothing more than entertain computer users by displaying some sentimental or romantic message. However, a number of them bring a computer network down and throw an organization into chaos. These few black sheep are the ones that need attention.
2. Categories of viruses
Three basic categories of computer viruses exist:
Boot infectors are incorporated into the boot sectors of diskettes and hard disks. This type of virus gains control of a system when it is initially booted and retains control at all times. When a diskette is inserted and accessed for the first time, the virus transfers itself to sector 0 of the diskette, and it infects the subsequent system booted from this diskette. Only by booting from an infected diskette can this type of virus spread. Two infamous boot infectors are the Pakistani Brain virus and Alameda virus.
System infectors are attached to either an operating system module or a system device driver. A well‑known system infector virus is the Lehigh virus.
Generic application infectors
Generic application infectors make up the third and most widespread category of viruses. These viruses may attach to any application program. This type of virus gains control when an infected application program is run. At that point, the virus searches the system for additional host programs, either on hard disks or diskettes. After the search ends, usually with further spread of the virus, it returns control to the host program. Well‑known generic application infectors include the Scores virus, Israeli virus, and nVir virus.
3. Types of viruses
3.1 Memory Resident: The virus loads into memory with the host program and stays resident when other programs are executed. In memory, it can easily replicate itself into boot sectors or subsequently executed programs. This is the most common virus characteristic.
3.2 Non‑Resident: The virus does not stay resident in memory after a host program is closed. It can only infect while a host program is executed. Programs loaded subsequently to the closing of the infected program are not in danger of further infection.
3.3 Stealth: The virus has the ability to hide from detection by anti‑virus software by covering clues of its existence in a system. A virus is only able to use this characteristic if it is currently active in memory. It covers its tracks two main ways:
3.3.1 Full Stealth ‑ Anti‑virus software scans diskettes or hard drives looking for virus signatures (code segments that are telltale signs of a virus program). The virus has the ability to redirect disk reads to avoid detection.
3.3.2 Size Stealth ‑ Anti‑virus software checks the boot table for unexpected changes in file size. The virus has the ability to alter disk directory data in boot tables. It changes host file size to hide its existence.
3.4 Encrypting: The virus hides by encrypting or transforming itself so virus scanners cannot recognize its signature. However, in order to be active and spread, it must first decrypt itself. It can be detected at this point.
3.5 Polymorphic: The virus has the ability to mutate by changing its own code segments or signature by which it can be identified. Each infection looks different from a previous one. This is one of the most challenging viruses to detect.
3.6 Triggered Event: The virus is programmed to perform its action when triggered by a specific event: a date, time of day, or sequence of keystrokes or functions (e.g. the Michelangelo virus is triggered by the date March 6, when it reformats the hard drive).
3.7 Multipartite viruses
Multipartite viruses have some of the features of both the above types of virus. Typically, when an infected file is executed, it infects the hard disk boot sector or partition sector, and thus infects subsequent floppies used or formatted on the target system.
3.8 Macro viruses
Macro viruses typically infect global settings files such as Word templates so that subsequently edited documents are contaminated with the infective macros.
The Trojan Horse was an instrument of war used by the Greeks to gain access to the city of Troy. In computer terminology, a Trojan Horse is a program that looks innocent and clean but carries a hidden virus with it. When the program is executed, or by some other means, the virus silently creeps out of it and starts its activities. The Trojan Horse itself does not reproduce.
A worm is a program which spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program. In practice, worms are not normally associated with personal computer systems.
COMPANION VIRUSES ‑
viruses that spread via a file which runs instead of the file the user intended to run, and then runs the original file. For instance, the file MYAPP.EXE might be 'infected' by creating a file called MYAPP.COM. Because of the way DOS works, when the user types MYAPP at the C> prompt, MYAPP.COM is run instead of MYAPP.EXE. MYAPP.COM runs its infective routine, then quietly executes MYAPP.EXE. N.B. this is not the only type of companion (or 'spawning') virus.
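The companion technique above depends on DOS running a .COM file before an .EXE of the same base name. A defender can turn that rule around and look for .COM files that shadow an .EXE in the same directory. The following script is an added illustration, not code from the paper; the sample directory it scans is constructed from placeholder bytes, and the heuristic covers only the COM-shadows-EXE case the text describes.

```python
import tempfile
from pathlib import Path

# DOS resolves a bare command name by trying .COM before .EXE, so a .COM file that
# shares its base name with an .EXE in the same directory deserves a closer look.
# Only the COM-shadows-EXE case is covered; the text notes other companion variants exist.
SHADOWED_BY = {".EXE": ".COM"}   # victim suffix -> suffix DOS would run first

def find_companion_candidates(directory):
    """Return sorted (companion, original) file-name pairs found directly under directory."""
    by_stem = {}
    for entry in Path(directory).iterdir():
        if entry.is_file():
            by_stem.setdefault(entry.stem.upper(), {})[entry.suffix.upper()] = entry
    pairs = []
    for files in by_stem.values():
        for victim, shadow in SHADOWED_BY.items():
            if victim in files and shadow in files:
                pairs.append((files[shadow].name, files[victim].name))
    return sorted(pairs)

def build_demo_directory():
    """Constructed sample directory (placeholder bytes, not real programs):
    MYAPP.EXE with a shadowing MYAPP.COM, plus TOOL.EXE which is not shadowed."""
    root = Path(tempfile.mkdtemp())
    (root / "MYAPP.EXE").write_bytes(b"MZ placeholder")
    (root / "MYAPP.COM").write_bytes(b"placeholder")
    (root / "TOOL.EXE").write_bytes(b"MZ placeholder")
    return root

def demo():
    """Scan the constructed directory; returns [('MYAPP.COM', 'MYAPP.EXE')]."""
    return find_companion_candidates(build_demo_directory())

if __name__ == "__main__":
    for companion, original in demo():
        print(f"{companion} would run instead of {original}: verify that it is legitimate")
```

A hit is not proof of infection (a vendor may legitimately ship both forms), so the result is a list for a person to review, in the same spirit as the integrity checkers discussed later in the paper.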
ARMOURED VIRUSES ‑
viruses that are specifically written to make it difficult for an antivirus researcher to find out how they work and what they do.
VIRUS INFECTION PROCESS
Creation of virus by programmer; the virus program is then incorporated into a popular public domain software program. The infected public domain software program is then uploaded to a computer bulletin board using phone lines. Bulletin board users download the infected program to their systems' hard disks or diskettes.
When the infected program is run on the user's system, the virus replicates itself onto an operating system file on the active disk drive. Typically, the virus copies itself onto other disks' operating system files when certain DOS commands (e.g., DIR) are executed. The virus quickly spreads from the user's system to other users' systems, either through infected diskettes given directly to other users or through infected programs uploaded to bulletin boards. At a predetermined point (e.g., a specific date), the virus activates, often leaving programs and data files unusable.
Spread of viruses
Once the virus has made contact, it utilizes its self‑replicating code and copies itself to other programs and causes additional infections. With society's dependence on the sharing of information, the virus can spread easily and quickly. Viruses have managed to bring many computer systems and networks to a standstill by destroying valuable data.
The computer virus usually infects its subject, the host program, using one of two approaches. The first approach requires the virus to attach itself to an existing piece of code. In the alternative approach, the virus removes a piece of code and takes its place. The virus binds itself either externally or internally. If it binds externally, it will increase the size of the program and increase the potential of detection. If the virus binds itself internally, it will fill the free space in a section of code and make detection difficult. Once infected, the host program remains relatively unchanged and continues to function properly until the virus program calls on itself to activate. Activation of the virus depends on execution of the host program. The virus must use the read and write channels to replicate and perform its task, whether it displays a message on a monitor or destroys files. The virus may activate either after the host program is executed a certain number of times or on a date and time written into the virus program. The typical virus infection process is shown in Exhibit A.
There have been numerous reported incidents involving computer viruses. There may also be many unreported incidents, because victims are afraid that the negative publicity would damage their reputations. Customer confidence may be reduced if a virus incident is reported, especially if major losses occurred. Four well‑known computer virus incidents are described in the following paragraphs.
The Lehigh Virus. In November 1987, hundreds of diskettes were infected at Lehigh University in Pennsylvania. The virus copied itself from disk to disk four times and then destroyed the contents of the original disk. Each infected diskette did the same. By activating after only four infections, the virus made the likelihood of detection before data destruction very low. Users reported inoperative diskettes, and it was discovered that the write dates on several Command.Com files had changed, which indicated alteration of the files. The virus attached itself to the operating system by intercepting the main MS‑DOS interrupt, which controls disk and screen input and output. An antidote program, FIX, was written to read the Command.Com file and erase the virus.
The Macintosh Virus. Although harmless, this virus came on a graphics program disk from a manufacturer still in the shrink‑wrapped packaging. The virus displayed a universal peace message and afterwards destroyed itself.
The IBM Christmas Tree. This virus produced a Christmas greeting and a drawing of a Christmas tree on IBM's internal communication network. The virus duplicated itself every time a machine accessed the system and it infected machines and disks. IBM detected and removed the virus.
The New Zealand Marijuana Virus. Some of the microcomputers at Databank Systems Ltd in Wellington were infected with a virus that blanks a monitor during use and flashes a message encouraging the legalization of marijuana. The virus was incorporated into the boot sector of infected disks. Databank, which handles all funds transfers among New Zealand banks, was able to avoid loss of data because of a computer security program. A major catastrophe was avoided through the use of effective backup procedures.
Antiviral techniques can be classified into safe user procedures and antivirus software. Safe user procedures include the following:
1. Make backup copies of programs and data files.
2. Such public domain software as freeware and shareware should be used with extreme care.
3. Users should test all software, both retail‑purchased and public domain.
4. Users should create meaningful volume labels on all hard disks and diskettes, and routinely check volume labels for changes.
5. Users should be wary of such unusual system activities as less available system memory than normal or turned‑on access lights in a system device when there should be no activity.
6. Be wary of opening emails containing attachments of executable files (e.g. exe, com, and vbs files).
In addition to safe user procedures, antiviral programs can help combat the virus threat. There are three categories of antiviral programs:
Regarding the first category, prevention programs monitor system activities and watch for signs of attempted replication. The programs monitor loading and downloading procedures and watch for indications of a virus trying to gain access to executable programs. When a virus is detected, the system freezes before the virus completes infiltration and notifies the user so that the virus can be removed. Unfortunately, boot infectors cannot be prevented in this manner because they occur before the prevention program is loaded up.
The second group of antiviral programs is referred to as infection detectors. These programs can detect viruses soon after the initial infection has occurred. Detectors are effective against most generic viruses and have two forms. One is called a vaccination, which places a self‑test mechanism in each program. The self‑test is executed each time a program is run and checks for any alteration of the sequence of instructions. However, vaccinated programs can become reinfected. The second type of detector program is called a snapshot. Snapshots are one of the most effective means of defense. This program makes a log of all important information when a system is initially installed. This allows the system to be periodically compared with the log to check for changes that might have occurred because of a virus. However, using a snapshot can be very time‑consuming.
The third group of antiviral programs is known as infection identifiers. These programs are basically antidotes for specific viruses. Unfortunately, these too have disadvantages because a great deal of time is usually required to create an antidote. Not only are antiviral programs growing rapidly, but so are the varieties of viruses. Antiviral programs range in price from $10 to hundreds of dollars.
Combating computer viruses is not only tiresome but also time consuming and a waste of resources. Most organizations take multiple steps in combating viruses, spending millions of dollars.
The strongest defense against viruses is a good knowledge of what viruses are and how they spread. Thus in this paper, I cover four main actions against viruses: Preparation, Prevention, Detection, and Recovery.
Under each of these categories the following suggestions are given.
Updated system disks should be backed up often and on a regular basis.
Any available security system including anti‑virus software should be utilized to the best of its abilities. Diskless workstations should be used if possible.
Be aware of any unfamiliar behavior and responses from the monitor, keep an eye out for tell‑tale signs of viruses, inform users of the dangers of viruses, and use checksum and scanning software whenever possible.
Users should know their resources; on a network, they should have a clean computer to work from and software that can aid in eliminating the virus from the computer.
The actions discussed here to curb viruses include user education, virus prevention, virus detection, and system recovery. Education is the key to the success of any action taken to control viruses. Prevention includes methods for limiting susceptibility to viruses. Detection involves recognizing existing viruses on disks and in memory. Recovery deals with eradicating the virus when it is detected.
The purpose of virus education is to make users appreciate the architecture of viruses and understand how they spread and infect computers. The topic of computer viruses is a very fast‑changing subject. New strains appear around the world very rapidly, so up‑to‑date information about the latest viruses is essential when combating them.
Good Anti‑Virus Policy depends on the knowledge and cooperation of users. Users should be aware of the dangers viruses present and know what immediate action should be taken in the case of an infection.
The following seven steps should be undertaken with particular attention paid to security gaps on the more vulnerable micro side.
1. Establish corporate data security policies. It is essential that senior management send a clear signal to employees regarding the gravity of the computer virus threat. This can be accomplished by drafting a clear and concise corporate data security policy and distributing it throughout the organization. The policy should spell out standards and guidelines for protecting information assets based on their sensitivity, including each employee's responsibility for maintaining security within the organization. Then employees should read and sign a security statement acknowledging having a role and a responsibility in maintaining security.
As part of these policies, businesses should institute a data security awareness program. It is not enough to distribute a standardized security contract to all employees and then file away the signed copies. To ensure that a corporate commitment to data security is communicated and, more importantly, upheld throughout the organization, businesses should institute ongoing data security awareness programs, including internal training and the distribution of written instructions dealing with specific problem areas.
As part of the security awareness program, for example, employees should be instructed to "log off" (turn off) their terminals when they are away from them for a coffee break or meeting.
Employees should also be trained to identify early signs and symptoms of computer viruses or suspected security breaches. These include reduced system performance, unexplained data loss or alteration, out‑of‑ balance accounting data, activation of obsolete accounts, presence of unfamiliar graphics or messages, file size and data changes, unnecessary activation of devices during program execution, and a disproportionate number of computations for simple instructions.
Most importantly, employees must be drilled in the proper procedures to follow should a virus be identified.
2. Establish password management procedures. A common data security oversight involves failure to change vendor‑supplied passwords that come with new software. A software package from, say, ABC Systems Corp., may use the vendor password "ABC Test." This password should be changed immediately‑‑to a confidential, six‑ to eight‑character alphanumeric password‑‑to prevent unauthorized access to the system.
Employees should be instructed to take password selection seriously; they shouldn't use their first or last names or a spouse's name. And, during baseball season, they shouldn't use METS or CUBS. It's not all that difficult for an unauthorized user to figure out these kinds of passwords.
The frustrating part is that changing a password involves little more than pressing a few buttons‑‑it's not a technical process at all. The problem is that many users are either unaware of its importance or have a nonchalant attitude toward computer security.
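The rules in step 2 are easy to enforce at the moment a password is set. The checker below is an added example rather than the paper's own procedure: "ABC Test" and the team names come from the text, while the other denylist entries, the personal-name handling, and the exact length bounds are assumptions made for the illustration.

```python
import re

# Constructed denylist for the rules in step 2. "ABC Test" is the page's example of a
# vendor default; "password" and "default" are assumed additions.
VENDOR_DEFAULTS = {"abc test", "password", "default"}
TEAM_NAMES = {"mets", "cubs"}   # the seasonal choices the text warns against

def password_problems(candidate, personal_names=(), min_len=6, max_len=8):
    """Return the list of policy violations for candidate (an empty list means it is acceptable).
    The 6-to-8 bounds follow the text; raise max_len on systems that accept longer passwords."""
    problems = []
    lowered = candidate.lower()
    if not min_len <= len(candidate) <= max_len:
        problems.append(f"length must be {min_len} to {max_len} characters")
    # "alphanumeric" is read as: at least one letter and at least one digit
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("must contain both letters and digits")
    if lowered in VENDOR_DEFAULTS:
        problems.append("vendor-supplied default password")
    if lowered in TEAM_NAMES:
        problems.append("well-known team name")
    for name in personal_names:            # user's own names and spouse's name, supplied by HR records
        if name and name.lower() in lowered:
            problems.append(f"contains a personal name ({name})")
    return problems

def may_replace_vendor_default(candidate, personal_names=()):
    """True when the candidate is acceptable as the replacement for a vendor-supplied password."""
    return not password_problems(candidate, personal_names)

if __name__ == "__main__":
    for pw in ("ABC Test", "METS", "Smith77", "k7Rq2x"):
        print(pw, "->", password_problems(pw, personal_names=("John", "Smith")) or "ok")
```

The check runs at password-change time, which the text notes is a trivial step for the user; the hard part it addresses is the nonchalant attitude, by refusing the weak choices outright instead of relying on awareness alone.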
3. Control the uploading of programs from the micro to the mainframe computer. Businesses should be very reluctant when it comes to allowing programmers on microcomputers to upload new programs into the mainframe.
4. Test new or upgraded software in an isolated computer environment. Computer environments have both test and production machines and for very good reason. New or upgraded software should always be run through the test machine first. Many companies have minimized virus penetration by testing microcomputer software on an isolated test or "quarantined" microcomputer. Some businesses try to cut corners by implementing the system in the production machine and building in back‑out procedures in the event a problem is discovered. This is particularly true with micros.
5. Purchase software from reputable sources. There's no such thing as a free lunch; employees who copy free software from electronic bulletin boards are asking for trouble.
It is quite common for microcomputer users to rely on electronic bulletin boards and "shareware." But many viruses have been identified with these bulletin boards, including one "antiviral" software package that actually caused more damage than it was intended to prevent.
6. Back up data and programs on a regular basis and store them offsite. This defensive step allows businesses to go back to earlier software versions to eliminate a virus and identify corrupt data. The only other option is to re‑key essential data from existing paper records‑‑and that would be extremely time‑consuming or, in some cases, impossible.
Many times backups are stored right next to the computers. That defeats the purpose of backups because, in the event of a fire, flood, or simply a plumbing or electrical problem, these disks would likely be destroyed along with the originals.
Similarly, when a company purchases a new software package, it should make a copy of the package and work off the copy, storing the original offsite. In this way, it will be possible to restore a system that has been infected by a time‑released virus.
7. Establish an effective disaster recovery plan. Such a plan won't help companies prevent virus attacks, but it will expedite resumption of normal operations following an emergency. And emergencies come in all shapes and sizes‑‑floods, fires, electrical blackouts, as well as viruses.
Preparation is a very important part of protecting a personal computer from a virus attack. Preparation takes place before a virus attack occurs. The first step in preparing is to make regular and sound backups of data. A backup is a copy of all of the data on the computer. It serves the purpose of replacing data that has been lost, corrupted or damaged. The frequency of making backups depends on how often data is changed on the computer. They should be made often enough so that if all data on the computer was lost, the data and work could be recovered in a reasonable amount of time and with as little loss as possible. Files frequently worked on may require backups every few hours; in this case, it would not be necessary to backup the entire computer, only the single file. A sound backup ensures the integrity of the data is intact at the time of the backup. Integrity is the correctness or reliability of the data. A corrupt backup won't be of any use when it needs to be restored. Backups can be tested for soundness by restoring the data to ensure that the data could be used again if necessary.
The second step in preparation is to create write‑protected system disks. This should also be done in advance. This disk should contain all system files in addition to the AUTOEXEC.BAT and CONFIG.SYS files. Any other system files or device drivers should also be included (Hruska 76). All of these files should be copied onto the floppy disk. If the computer becomes infected with a virus, this disk can be used to reboot the computer. Booting a computer is the process of starting up the operating system when the computer is switched on. The system can be loaded from the hard drive or a prepared floppy known as a "system disk." The operating system maintains lists of files, runs programs, and provides other basic functions for a computer to operate properly. Without an operating system a personal computer is useless. If the operating system has a virus, it is necessary to use a system disk for boot up. When booting from an uninfected system disk, you are guaranteed to have a clean environment to work from. After creating a system disk, you should write‑protect (see Section V: Prevention) it so that none of the data can be changed, and a virus cannot infect it.
The last portion of preparation is planning. A plan should be constructed to direct action if a virus attack occurred. Resources should be outlined in the plan. You should know who to go to for help and who will be able to help repair any damage. For example, on Brigham Young University campus a student can go to the Student Computing Support Center for help. The planning should also involve education about viruses and the steps involved in recovery.
Prevention consists of techniques used to prevent a virus from entering a computer. Using one technique is never 100% safe. Prevention requires following standards. The first part of prevention is educating the user, or creating user awareness (Hruska 77). Users need to understand that the use of some types of software can lead to viruses. Most manufacturers check the software products they sell in stores to guarantee that they don't contain any viruses. However, producers of shareware and public domain software may not take the same precautions as producers of licensed software. Caution should be taken when installing shareware, public domain, and pirated software. These types of software are typically virus carriers (Louw 66).
Controlling which disks are used in a computer is the next part of prevention. Viruses are spread when an infected disk is used in a computer. Viruses also spread when many people use a single computer: one person may have a virus on a disk and infect that computer, and then everyone after that person would carry the virus on their disks to other computers. Viruses also often spread when one person uses many computers. If a computer which contains a virus is used by that person, then any computer used afterwards will be infected by the virus.
Another prevention technique is write‑protecting disks. When a disk is write‑protected, files including viruses cannot be written or saved on the disk. Files can only be read from the disk. This is also called a read‑only disk. On a 3‑1/2 inch disk, write‑protection is done by sliding the square shutter in the corner open so you can see through the hole (Figure 3). On a 5‑1/4 inch disk there is a square notch in the side. When this notch is covered the disk is write‑protected (Figure 4). This can be done by covering the notch with a piece of tape. When disks are write‑protected, they are safe to use in infected computers because viruses can not be saved to the disk and then transferred to other computers.
On a network, there is one preventive measure that is not available for stand‑alone PCs. Diskless workstations are PCs that are sometimes equipped with a hard disk but are without any floppy disk drives. The reason for diskless workstations is that if the user does not have the means of introducing floppy disks into the PC, he will also not have the opportunity of introducing a virus. This technique holds only to a certain extent. It is true that diskless workstations will prevent accidental introduction of viruses into the network; however, malicious introduction of viruses is not prevented, since the virus code can be input through the keyboard. But since most viruses are introduced accidentally, this can eliminate many of them.
Let us examine a particular sequence of events by which a virus could infect your computer. Suppose that you invite a friend to come over and use your computer. The friend brings in a few programs to aid in this work, such as a favorite text editor. Without the friend having realized it, the text editor may be infected with a virus. Using that editor on your machine causes the virus to spread from the editor to a program stored on your machine, perhaps to a spreadsheet program. The virus has now infected your spreadsheet program. When you subsequently use that spreadsheet, the virus can spread to another program. Suppose you then visit a computer lab on campus and bring your spreadsheet along. Now the computer you used has the virus. If this computer is connected to a network, you may send the virus program to another user over the network. In either case, the virus can spread to more users and more machines, via floppy disks or networks. Each copy of the virus can make multiple copies of itself and can infect any program to which it has access. As a result, the virus can spread exponentially (White). Each of the infected programs in each of the infected machines can execute whatever other instructions the virus author intended. If these instructions are harmful or disruptive, the pervasiveness of the virus may cause the harm to be widespread.
VI. Viruses and Networks
The interchange of programs on stand‑alone PCs (non‑networked) is almost exclusively done by floppy disks and, as a consequence, is relatively slow and physically controllable. The danger from a large scale virus attack in a non‑networked organization is comparatively limited, if reliable virus‑detection software is used. An attack is likely to be limited to a few PCs before it is detected and isolated. PC networks are a different situation. Networks allow high speed sharing of data and programs. This interchange, allowing hundreds of simultaneous users, is also much more difficult to control.
A network is a group of computers that can communicate with each other, share peripherals (such as hard disks and printers), and access remote hosts or other networks. Networks usually consist of two or more computers connected to each other by a medium that allows the computers to communicate. This communication usually deals with the transferring of documents, messages, mail, memos, and other files between computers.
We will discuss Novell's NetWare, one of the most popular networks in the country, to gain a better understanding of the dangers of viruses on networks. A NetWare network consists of workstations, peripherals (i.e. printers), and one or more file servers (the central computer on the network). NetWare network users can share the same files, send messages directly between individual workstations or users, and protect files with an extensive security system. (Hruska 97)
If proper network security features are not used, the possibility of a large scale virus attack in a networked organization is much greater and the chances of successful containment much smaller than on stand‑alone PCs. The virus usually enters a network through a user's workstation. In a typical scenario, the user infects his workstation by executing an infected application that he obtained from a floppy, from the Internet, or copied from an infected disk. The virus becomes memory resident and will then typically try to infect an application which is run or any drive which is accessed. The only type of virus which cannot be spread over a network is a boot‑sector virus since this would require booting off of the network. While this is possible for workstations without hard drives, a workstation which has its own hard drive does not boot off the network.
If a user with a virus accesses a network, the user will execute LOGIN.EXE which is stored on the file server. LOGIN.EXE opens the user's access to the allotted file areas on the file server. If LOGIN.EXE itself or any other executables are not write‑protected, they will become infected. Later, any user who accesses LOGIN.EXE will infect his workstation, which in turn will spread the infection further. LOGIN.EXE is one of many programs which everyone uses frequently. Other commonly used programs include PRINT.EXE, E‑mail, or WIN.EXE. On a typical active network, an infection can spread onto most workstations within minutes. An infected LOGIN.EXE, or any infected program executed by the system login process, can cause user workstations to become infected whenever a user logs into the network.
One of the benefits of NetWare is that it has an extensive security system. Though traditional security systems offer little protection against viruses, NetWare was designed in such a way that it can give fairly good virus protection if set up correctly. One example of this is the way file protection is set up. Traditionally, a file can have certain file attributes (read, write and execute) turned on and off. One of these is a write attribute. When turned on, a file cannot be written to, overwritten, or deleted. It seems logical that if a file had this attribute, a virus would not be able to infect it. However, viruses have developed to such a level that they will turn this attribute off, infect the file, and then turn it on again. To protect against this, NetWare has set up a secondary level of security that dictates who can and cannot use a particular file. With this set up properly, a virus will be extremely limited in what it can infect (Hruska 105). One problem with this is that when a supervisor or administrator uses the network, he has access to all the files by virtue of his position. If he accidentally introduces a virus into the network, it will spread as if there were no security system at all.
If a virus does pass preventive measures, a dependable method of detection is necessary. Personal observation is an important part of detection. Some signs or strange occurrences indicate the presence of a virus and should be watched for. These are called virus symptoms, just as congestion or fever are symptoms of infection in a person. Some common symptoms of computer infection include:
1. Programs suddenly take longer to load.
2. The size of a program changes.
3. The disk runs out of free space when it seems to have plenty.
4. The CHKDSK command does not show the correct number of bytes available.
5. Bit errors frequently occur while running Windows.
6. The disk drive is active when it should not be.
7. The hard drive is inaccessible when booting from a floppy drive.
8. Unrecognized files appear.
9. File names change.
10. The keyboard makes a clicking noise.
11. The screen becomes distorted.
12. Text on screen does unusual things.
13. CMOS settings, AUTOEXEC.BAT, or CONFIG.SYS files change unexpectedly (Symantec).
A large part of detection is anti‑virus software. Like a doctor, anti‑virus software often uses the symptoms listed above to identify and eradicate an infection. There are three primary types of anti‑viral software:
1. Monitoring programs: Attempt to prevent infections before a virus can attack. These programs monitor writes to other executable programs, attempts to reformat the disk, etc.
2. Scanners: Look for strings known as signatures (byte sequences or code that occur in viruses but, ideally, not in legitimate software) or patterns that are common to or known to exist in specific viruses. A scanner may be designed to examine specified disks or files on demand, or it may be resident in memory, examining each program as it is executed. Most scanners also include virus removers called disinfectors.
3. Integrity Checkers or Modification Detectors: Compute a small "checksum" or "hash value" (usually a CRC or a cryptographic hash) for files when they are presumably uninfected. The "checksum" is a unique identifier, often a number, which is derived from a program. When the program changes, the "checksum" changes. Later, newly calculated values are compared with the original ones to see if a virus has modified the files. This identifies unknown viruses as well as known ones and therefore provides a more "comprehensive" form of virus detection. Unfortunately, changes to a file can also be due to reasons other than viral infection, causing "false positives." It is usually left up to the user to decide whether the modifications were intentional or might be due to a virus. Integrity checkers can "checksum" entire disks or specified files. They can also be resident in memory, checking each program about to be executed. Another integrity checking implementation is a Self‑Test, i.e., the "checksumming" code is attached to each executable file so that it checks the file just before execution (Hruska 88).
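An integrity checker of the kind described in item 3, as an added example that is not from the essay or any product: it records a size and SHA‑256 digest per file while the files are presumed clean, then reports what has been modified, added or removed. Changes the administrator already expected (a vendor update, for instance) are kept in a separate bucket so that the false‑positive decision the paragraph mentions stays with the user. SHA‑256 rather than a CRC is a choice of this example, and the file names and changes in the demonstration are constructed.

```python
"""Integrity checker (modification detector) after the essay's third category.

Added example, not from the essay or any product: hash every file once while
it is presumed clean, keep the baseline, and later report what changed.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large programs do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (size, digest) for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            baseline[rel] = (os.path.getsize(path), file_digest(path))
    return baseline


def compare(baseline, current, expected_changes=()):
    """Classify differences between two baselines.

    expected_changes lists files a known, deliberate update touched; they are
    reported separately so the user can tell a planned change from a suspect one.
    """
    report = {"modified": [], "expected": [], "new": [], "missing": []}
    for rel, fingerprint in current.items():
        if rel not in baseline:
            report["new"].append(rel)
        elif fingerprint != baseline[rel]:
            bucket = "expected" if rel in expected_changes else "modified"
            report[bucket].append(rel)
    for rel in baseline:
        if rel not in current:
            report["missing"].append(rel)
    return {key: sorted(names) for key, names in report.items()}


def demo():
    """Constructed scenario: take a baseline, then make four kinds of change."""
    root = tempfile.mkdtemp(prefix="integrity_")
    programs = {"LOGIN.EXE": b"MZ login stub",
                "PRINT.EXE": b"MZ print stub",
                "WIN.EXE": b"MZ win stub"}          # constructed stubs, not real programs
    for name, body in programs.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    baseline = build_baseline(root)

    # LOGIN.EXE grows (the essay's "size of a program changes" symptom),
    # PRINT.EXE is replaced by a planned update, a file nobody installed appears,
    # and WIN.EXE disappears.
    with open(os.path.join(root, "LOGIN.EXE"), "ab") as fh:
        fh.write(b" + appended bytes")
    with open(os.path.join(root, "PRINT.EXE"), "wb") as fh:
        fh.write(b"MZ print stub v2")
    with open(os.path.join(root, "UNKNOWN.COM"), "wb") as fh:
        fh.write(b"MZ ?")
    os.remove(os.path.join(root, "WIN.EXE"))

    return compare(baseline, build_baseline(root), expected_changes={"PRINT.EXE"})


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:9s} {names}")
```

The baseline must be written to a medium the checked system cannot modify (the essay's write‑protected clean diskette is the period equivalent); a baseline stored on the same volume can be rewritten along with the programs, and the checker then reports nothing.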
Virus scanners are very useful for checking disks before they are used in a computer, to prevent the computer from acquiring a virus. Virus scanners should also periodically be used to check the hard drive of the computer. Viruses are found by scanning a file's contents and comparing it with a library of known virus characteristics. The virus is then given a name and the user is notified that there is a virus present on the system. The disadvantage of this software is that it continually needs to be updated, as new viruses may spread at any time.
It is recommended that on a network, virus‑specific software be installed on a file server for use on workstations. The virus check of the server can be performed overnight or when the server workload is low. It is recommended that a separate workstation be used to initiate the task. This helps eliminate the chance that the workstation is infected during the course of the day. It is important to guarantee a clean, virus‑free environment on a workstation before running anti‑virus software or investigating a virus‑infected network.
After a virus has been detected, it is very important to isolate it and get rid of it as quickly as possible. Viruses tend to spread exponentially. Therefore, every moment is crucial once an infection is discovered (White).
Oddly enough, even though there are lots of programs for cleaning up viruses, they are not the recommended method. Software is very useful in detecting the viruses, but there are too many possibilities to be able to clean all viruses correctly. However, if it is the only thing available, use it. There are many anti‑virus software packages available, and you can clean your disk with them if the virus is dormant, but this is not the most effective method except for old, well‑known viruses.
CAUTION: The restoration process should not be done by an amateur. If you are unfamiliar with computers and viruses, get help from someone who is more experienced. Otherwise, you may do more damage than good.
The first step in clean‑up is to evaluate the infection. Find out how many computers are infected, how much damage has been done so far on the infected systems, and what other systems have been in contact with the infected systems. It is also very important to find the source of the infection. Finding the source helps prevent reinfection after the cleanup has been done. When you know which computers, files, and data have been infected, you must isolate them to contain the infection, much like putting them in quarantine.
Next, get all available backups and check to make sure they are clean. Then do one more backup of the infected data immediately before disinfecting the computer. The reason for this last backup has to do with encryption. If the virus has encrypted some of the data, then the only way to recover the data is through the virus itself. Only back up the damaged data. Do not back up damaged or infected executables.
Now you must reboot the computer from an UNINFECTED source. If you can, use a pre‑prepared system disk to boot up, one that is known to be clean and has been write‑protected. From that point on do not run any programs which may be infected. Check all your backups to make sure that they are uninfected. It does no good to get rid of a virus by restoring another infected copy of the data/program. For a program infector virus, use write‑protected disks to restore the original copy of the programs. The disks from the manufacturer are the best source for restoring programs as they are guaranteed to be clean. Use these to overwrite the infected files. For a boot‑sector virus, the best method is to copy all data from the disk onto a clean disk, reformat the original disk, and copy the data back. For a hard drive you can also use the FDISK /MBR command to remake the boot sector. After the infection has been removed from the hard drive, clean and replace all diskettes which may also be infected using the same methods.
The most difficult step is restoring data which may have been damaged while the virus was in memory. This is the reason for all the backups. Find among your backups the most recent, clean, usable version of your data. Double check to make sure that the backup is undamaged and uninfected. Then copy the data on top of the existing version. Make another backup immediately.
When the system has been cleaned and restored, watch for reinfection, which is likely for a system that has been infected once. A file which was missed in the cleanup process can be responsible for reinfecting the system. If the original source of infection is unknown, it too may be responsible for infecting the system again.
The main areas of focus when it comes to viruses are education, preparation, prevention, detection, and recovery. All of these parts are necessary. Education is the awareness of what to do and where to get help. Preparation involves a backup system and the creation and storage of clean system disks. Prevention includes ways to limit your computer's susceptibility to viruses. Detection deals with how to find a virus that has infected your computer. Finally, recovery is the process of repair and rescue of damaged data. Computer viruses, like biological ones, can be dangerous if ignored or treated incorrectly, but through proper understanding and the use of correct procedures, they are no worse than the common cold.
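The signature scanner described under the types of anti‑viral software, applied to the backup‑checking step of the clean‑up procedure above, as one added example that is not from the essay or any vendor product. The signature library, the virus names and the backup snapshots are all constructed for illustration; the only "virus" string used is the Creeper greeting quoted at the start of the essay. Two things the text leaves implicit are shown: a signature can straddle a read boundary when a large file is scanned in chunks, and the newest backup is not necessarily the one to restore.

```python
"""Signature scanner plus 'pick the most recent clean backup'.

Added example, not from the essay or any product. SIGNATURES and the
snapshots below are constructed; real scanners carry thousands of
signatures and update them continually, as the essay notes.
"""
import io

# Constructed signature library: name -> byte sequence the scanner looks for.
SIGNATURES = {
    "Creeper (constructed sample)": b"I'm the Creeper, catch me if you can!",
    "Placeholder-B (constructed sample)": b"\x90\x90\xeb\xfe PLACEHOLDER-B",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return the sorted names of every signature found in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_stream(stream, signatures=SIGNATURES, chunk_size=65536):
    """Scan a file-like object chunk by chunk.

    A signature may straddle a chunk boundary, so the tail of the previous
    window (longest signature minus one byte) is kept and rescanned together
    with the next chunk; a set keeps repeated hits from being reported twice.
    """
    overlap = max(len(sig) for sig in signatures.values()) - 1
    found, tail = set(), b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        found.update(scan_bytes(window, signatures))
        tail = window[-overlap:] if overlap else b""
    return sorted(found)


def scan_file(path, signatures=SIGNATURES, chunk_size=65536):
    """Scan a file on disk; the name(s) returned are what the user is told about."""
    with open(path, "rb") as fh:
        return scan_stream(fh, signatures, chunk_size)


def scan_in_chunks(data, chunk_size, signatures=SIGNATURES):
    """Scan an in-memory byte string as if it were read in chunk_size pieces."""
    return scan_stream(io.BytesIO(data), signatures, chunk_size)


def newest_clean_backup(snapshots, signatures=SIGNATURES):
    """Pick the most recent snapshot in which no file matches a signature.

    snapshots: list of (date_string, {filename: bytes}); ISO dates sort naturally.
    Returns (date, rejected) where rejected maps each skipped snapshot's date to
    its infected files, or (None, rejected) if no snapshot is clean.
    """
    rejected = {}
    for date, files in sorted(snapshots, key=lambda s: s[0], reverse=True):
        hits = {name: scan_bytes(body, signatures) for name, body in files.items()}
        hits = {name: names for name, names in hits.items() if names}
        if not hits:
            return date, rejected
        rejected[date] = hits
    return None, rejected


# Constructed backups: the newest was taken after the infection and must be skipped.
SAMPLE_SNAPSHOTS = [
    ("1995-03-01", {"LOGIN.EXE": b"MZ login stub", "DATA.DBF": b"records"}),
    ("1995-03-08", {"LOGIN.EXE": b"MZ login stub", "DATA.DBF": b"records updated"}),
    ("1995-03-15", {"LOGIN.EXE": b"MZ login stub I'm the Creeper, catch me if you can!",
                    "DATA.DBF": b"records updated again"}),
]

if __name__ == "__main__":
    date, rejected = newest_clean_backup(SAMPLE_SNAPSHOTS)
    print("restore from:", date)
    for skipped, hits in rejected.items():
        print("skipped", skipped, "because of", hits)
```

In the constructed data the 1995‑03‑15 snapshot is rejected and 1995‑03‑08 is chosen, so the DATA.DBF changes made after that date have to come from the last‑minute backup of damaged data the procedure asks for, not from the infected snapshot. The overlap in scan_stream is what keeps a signature from being missed only because the scanner happened to read the file in two pieces.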
X. Works Cited
Bontchev, Vesselin. Bulgarian and Soviet Virus Factories. Bulgarian Academy of Sciences, Sofia, Bulgaria.
Ferbrache, David. A Pathology of Computer Viruses. Springer‑Verlag, London, England, 1992.
Hruska, Jan. Computer Viruses and Anti‑Virus Warfare, Second Revised Edition. Ellis Horwood Limited, Chichester, England, 1992.
Louw, Eric, and Neil Duffy. Managing Computer Viruses. Oxford University Press, New York, 1992.
Lundell, Allan. VIRUS! The Secret World of Computer Invaders that Breed and Destroy. Contemporary Books, Chicago, Illinois, 1989.
Symantec. Virus Information and Technology.
White, Steve R., David M. Chess, and Chengi Jimmy Kuo. Coping with Computer Viruses and Related Problems.