Computer Viruses

by Alan Zisman (c) 1994. First published in Our Computer Player, September 1994
 

"Computer viruses-- Evil Nerds from behind the former Iron Curtain are out to destroy North
American Productivity"

You might have read that headline in a supermarket
tabloid. Even if it didn't really appear there, it reflects what many
believe about computer viruses.

Well, I've got some bad news and some good news.

First the bad news-- yes, there are such things as computer viruses
(many coming from East European programmers), and they can destroy data
on your hard drive.

But despite that, the danger of computer virus infection is much less
than commonly believed.
 

WHAT ARE VIRUSES?
 

Computer viruses are computer programs. Like any other programs,
someone has written them. Like biological viruses, computer viruses
can multiply and spread, and like biological viruses, they can cause
damage to their host... in this case, to your computer's hard drive,
and its data.

There have been suggestions that many viruses originated with
over-educated and under-employed computer programmers, often in Eastern
European countries such as Bulgaria.

There are two major varieties of viruses. Boot sector viruses infect
the (surprise!) boot sector of your hard disk (or floppy disk)... a
small area on the disk that is read when your computer boots up.

Many of the most common viruses are boot sector viruses. The STONED
virus, for example, runs a "Your computer is stoned" message at boot
up time. Ha Ha! You can only become infected with a boot sector virus
by booting your computer with an infected disk in the boot drive.

The second type of virus infects executable files (files ending in
EXE or COM on PCs). It springs into life when you run an infected
executable file, and (among other effects) copies its code into other
executable files on your drive.

There are also other nasty sorts of computer programs, given names
like TROJAN HORSES (which pretend to be useful programs, but actually
do damage), or WORMS, like 1989's Internet Worm, which clogged that
network, seeking passwords.
 

HOW DO COMPUTERS GET INFECTED?

There are a lot of myths and rumours about how viruses are spread.
Many people are afraid that their computer can become infected by
logging on to a bulletin board (BBS), or by downloading messages or files.

This is totally untrue.

If you followed the description of types of viruses, you'd notice that
you can only get a boot sector virus by booting with an infected disk,
and you only get an executable virus by actually running an infected
program. Logging onto a bulletin board, or downloading mail or zipped
files cannot infect your computer.

You could, however, get a virus by downloading an infected program, and
then by running that program.

Aware of that danger, and also aware of the unjustified bad reputation
that BBSs have received, most sysops running BBSs go to great lengths
to make sure that all files on their systems are free of viruses. If
you're not sure about a particular BBS, leave a message to the sysop,
asking what precautions they take before running files downloaded from
that board.

Instead, most viruses are spread from floppy disks. Many people make
copies of software (legally or otherwise), and pass them around. Note
that boot sector viruses are actually pretty hard to spread... I keep
a disk infected with a boot sector virus around for demonstration
purposes-- inserting the disk in my floppy disk drive doesn't infect
my hard drive. Neither does reading a data file from that disk, or
even running an executable program on that disk (although if that file
was infected with an executable virus, this would spread the infection).

The only way to infect my hard drive with the boot sector virus is to
close the floppy drive door, and reboot my computer. The disk isn't a
system disk, and the computer refuses to boot... but in the instant
that it reads the floppy's boot sector, the infection spreads.

While this seems hard to do, we all try to boot our computers with a
data disk in the floppy drive now and again-- and if that disk is
infected with a boot sector virus... poof, you're infected.

So people pirating software often accidentally spread viruses.
Unfortunately, you're not safe if you stick to original,
shrink-wrapped software packages.

There have been too many cases of reputable companies spreading
viruses on production runs of their software. Aldus infected several
thousand Mac users with a "universal message of peace" in early 1988.
Novell sent out 3,800 copies of diskettes infected with the Stoned III
virus in late 1991.

And too many retailers take returned software, re-shrink wrap it, and
put it back on the shelves for sale. Those disks could have become
infected by the user who returned it to the store.
 

HOW CAN I TELL IF I'VE BEEN INFECTED?

Some viruses give obvious signs of infection... "Your computer is
stoned" for example. Typed characters falling to the bottom of the
screen with the CASCADE virus. Other symptoms are more subtle:

-- Your system seems more sluggish than normal, especially during
program startup.

-- Your hard drive light flashes at seemingly random times (this can
happen in Windows when you're running low on memory and using your
swap file... that doesn't mean, however, that Windows is a virus, as some DOS
zealots believe).

-- Odd error messages or crashes from previously well-behaved software.

-- Files or directories that seem to appear or disappear without
reason.

-- A decrease in free RAM.

-- Executable files that suddenly grow in size. The Jerusalem virus
will enlarge *.COM files by 1813 bytes, and *.EXE files by 1808 bytes,
for example.

-- An unexplainable drop in free space on your drive.

Any unexplainable change in your computer's behaviour MAY be due to a
virus infection. There are many other possible causes, however, and
while you should check for infection, in most cases, especially when
using complex environments such as Windows, there turns out to be a
non-viral reason (such as often turning off your computer while
leaving Windows running).
 

WHAT CAN I DO IF I THINK MY COMPUTER IS INFECTED?

Turn off your computer and remove any floppy disks. Label them as
possibly infected, so you can check them later. Notify your network
manager, if you're on a network, and disconnect the network cables.

Find a bootable floppy with your operating system. You DO have a
bootable system disk, don't you? If not, stop and make one RIGHT NOW
(using the DOS command: FORMAT A: /S). Make sure that
it is write-protected (open the hole in the upper right of a 3 1/2"
floppy or cover the notch on a 5 1/4" disk). Place that disk in your
floppy drive, and turn the machine back on to reboot.

Now you have to check your drive with a virus scanning program. If you
have a recent version of DOS, you have both DOS and Windows versions
of a virus program included. Alternatively, there are powerful
commercial programs, available as separate packages, or as part of
larger utility packages such as PC Tools.

As well, there are several excellent shareware programs widely
available on BBSs. McAfee's SCAN and CLEAN pair are very popular, but
I prefer the Icelandic F-PROT program.

Any of these programs will check the boot sector and all the
files on your hard drive for infection. If they find any virus code,
they will notify you, and depending on the program, may automatically
remove the virus, or require you to run a separate program for that
step.

Now here's a problem... virus programmers are very active, and are
always devising new varieties of viruses. Virus scan-type programs can
only check for viruses that were current at the time they were
written. So if you got your virus checker a year or two ago, and left
it sitting on the shelf until you need it, it may not be able to find
your infection.

Most vendors allow you to download new virus descriptions from their
BBS for a year after purchasing their product... even the MS-DOS
programs have that option, allowing you to keep up to date. The major
shareware programs release new versions more or less quarterly.

Still, most infections involve older viruses, so even an older program
can still be effective. And as we've seen, a virus infection can, like
a cold, be more of a pain than a life (or computer) threatening
disease. And unlike the common cold, most virus infections can be
removed fairly easily.

Once you've recovered from your infection, it's time to...
 

PRACTICE SAFE COMPUTING

Some users assume that they'll be safe from infection by simply making
all their executable files read only... other users simply do this to
COMMAND.COM. This isn't very useful. It provides no protection at all
for boot sector viruses (some of the most common), and since it's so
simple to make a program read only, it's just as simple for a
well-written virus to turn off the read-only bit.

There are a few simple tricks that do work, however. For example, the
much publicized Michelangelo virus only does damage on March 6th, the
artist's birthday. If, on March 5th, you move your computer's clock
forward to March 7th, even if your computer is infected, it will not
be damaged on the 6th.

If you suspect a boot sector virus, you can clean up your (DOS) boot
sector by typing:       FDISK /MBR      at a DOS prompt. This
undocumented command quickly rewrites your Master Boot Record,
cleaning off any boot sector virus code.

Most virus packages include software to help watch for infection...
many include TSR programs to run at bootup, which will check your RAM
for signs of infection, and halt the computer if any is found. This
lets you reboot from a clean floppy and remove the virus.

As well, these programs can check executable files as they start up, and
watch for suspicious behaviour.

Unfortunately, this sort of protection slows down your computer. As
well, it will make it difficult for you, the user, to legitimately do
the same kind of actions that a virus might do, such as formatting a
disk.

Other virus protection software tries to watch out for unauthorized
changes to executable files. They do that by keeping a list of files
already on your drive, and the size of each... then keep a watch for
files that change size. This clutters your drive with a bunch of
little files, and sometimes causes problems with programs that
regularly rewrite some of their own files (I know a user who got a
danger warning every time Adobe Type Manager started up!)
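
The file-list approach described above, as an added example (not code from this article or from any product it names). It goes one step beyond the size list by also recording a SHA-256 digest, so a file rewritten without changing size is still reported, and it flags growth equal to the Jerusalem figures quoted earlier in this article. The file names, the `self_modifying` allow-list and the sample data are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Growth figures this article quotes for the Jerusalem virus.
KNOWN_GROWTH = {(".com", 1813): "Jerusalem", (".exe", 1808): "Jerusalem"}

def snapshot(root):
    """Map each .COM/.EXE file under root to (size, SHA-256 digest)."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".com", ".exe"):
            data = path.read_bytes()
            found[str(path.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return found

def compare(baseline, current, self_modifying=()):
    """Return sorted (path, finding) pairs, skipping programs known to rewrite themselves."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path in self_modifying:
            continue
        if path not in baseline:
            findings.append((path, "new executable"))
        elif path not in current:
            findings.append((path, "executable removed"))
        elif baseline[path][1] != current[path][1]:
            delta = current[path][0] - baseline[path][0]
            family = KNOWN_GROWTH.get((Path(path).suffix.lower(), delta))
            if family:
                findings.append((path, "grew %d bytes, matches %s" % (delta, family)))
            elif delta == 0:
                findings.append((path, "content changed, size unchanged"))
            else:
                findings.append((path, "size changed by %+d bytes" % delta))
    return findings

def demo(self_modifying=()):
    """Constructed sample: three dummy files, two altered after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("EDIT.COM", 400), ("CALC.EXE", 900), ("ATM.EXE", 300)):
            Path(root, name).write_bytes(b"A" * size)
        baseline = snapshot(root)
        Path(root, "EDIT.COM").write_bytes(b"A" * 2213)  # 400 + 1813 bytes
        Path(root, "ATM.EXE").write_bytes(b"B" * 300)    # rewritten, same size
        return compare(baseline, snapshot(root), self_modifying)

if __name__ == "__main__":
    print(demo())
```

Calling `demo(("ATM.EXE",))` suppresses the report for the file that legitimately rewrites itself, which is the false-alarm case mentioned above.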

Have a regular back up schedule. If all else fails, you can always
reformat your hard drive, and restore from your back up. Note,
however, that a back up of an infected disk will simply restore the
infection. (A regular back up routine also limits damage from other
computer problems).

The best protection of all is to not get infected in the first place.

-- Get a virus scanning program, and update it regularly. Then run it
regularly on your computer, especially before backing up your data.

-- Back up regularly. (There are only two kinds of computer users--
those that have a backup to restore from after a virus infection
or disk crash, and those who wish they did!)

-- Check those floppy disks. Despite the problems with commercial
software, it is still safer than pirated software. Your 'friend'
giving you a copy of free games or programs is the prime spreader of
virus infections. In any event, you
should check all floppies with your virus scanning software before running
them. It only takes about a minute per disk.

-- Similarly, check out any downloaded programs, before you run them.
Most reputable BBS sysops do this, but some don't, and others let you
download programs before they've been checked 'at your own risk'.

Be particularly wary of programs that claim too much... a small
program promising marvellous performance enhancements is probably, at
best, bogus, and at worst, infected. Inform the BBS's sysop at once of
any suspicious programs.

-- Write-protect your data disks and program floppies. A write
protected disk cannot become infected (although an infected disk can
spread its infection whether it's been write protected afterwards or
not).

The July 1994 version of F-Prot claims to detect 1174 different
families of virus, with some families containing as many as 150
variants. It checks for as many as 4501 different viruses, but more
are being created even while you read this article. Because of this,
as long as you run new software, or even load new data floppies into
your computer, there is no 100% guarantee for safety from viruses.

Despite this, most computer problems are caused by simple bugs in
software, configuration problems, or user error. And taking some
fairly simple and common-sense precautions can avoid nearly all
danger, letting you get on with using your computer.
 
 
 
 
 
 
 
 
 
 






Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan