Computer viruses are among the best-known problems affecting online users. The dangers of computer viruses have gotten a lot of attention (not always accurate) from newspapers and radio and TV news. The good news is that viruses can be controlled. The bad news is that, despite that, far too many people fail to take simple precautions, and so viruses, old and new, continue to spread.

Viruses have been around for at least twenty years. Early viruses were identified as early as 1981, spreading on Apple II floppy diskettes. By 1986, viruses were spreading to the then-popular IBM PC type of personal computer, the ancestor of most of today's computers.
Most of these early viruses were boot sector viruses. These were actually relatively difficult to catch. They spread via floppy diskettes, but even if you used an infected diskette, your computer would only be infected if the disk was in the drive when the computer was booting. When it tried (and usually failed) to boot from the floppy diskette, the computer read the floppy's boot sector, which contained the virus code, which then spread to the hard drive's boot sector. Then, if an uninfected floppy diskette was in the drive when the computer was rebooted, the virus would spread to that diskette's boot sector, potentially infecting other computers.

Some displayed a message near the start of boot: "Your computer is stoned." was what users read on computers infected with the Stoned virus. Along with the boot message, these viruses could cause various types of damage or reduce computer performance.
By the late 1980s, file infectors were also becoming common: viruses that changed a standard computer program, such as the main DOS file Command.com, and were loaded into memory when the infected file was run.
In 1988, a related type of program, the Internet worm, got a lot of publicity when a graduate student's experiment (Robert Morris, at Cornell) got out of hand, replicating itself much more quickly than he had intended. It quickly spread itself to a large percentage of the computers connected to this early Internet, clogging the Net with its attempts to spread further. In 1992, a virus, Michelangelo, got quite a lot of press, with the prediction that it would cause massive damage on the painter's birthday. In the end, its effects were quite limited, especially compared to the hype.
By the mid-1990s, a new type of virus became prevalent. Macro viruses were written in the macro languages included in popular applications, most often Microsoft Word. Attached to a document, the macro ran when the document was loaded and infected the application itself, attaching itself to all documents subsequently opened with that copy of the application. Besides spreading themselves, macro viruses could also be programmed to damage files on the host computer.
1998 saw the appearance of remote-control Trojan horse programs, starting with Back Orifice (a pun on Microsoft's BackOffice server suite). These programs are installed by innocent users thinking they are legitimate, and they may even have legitimate functions. But they enable outsiders to take control of the infected computer. 1999's Melissa was a combination of a Word macro virus and an email worm: it used Outlook to send itself by email to people listed in the address book. Sending copies through Outlook and Outlook Express has become the most common way for virus infections to spread in the early part of the new decade.
Viruses have been found for cell phones, for Palm PDAs, and on most computer platforms, but the most common targets, by far, are Windows-powered computers, particularly via the Outlook and Outlook Express email programs. Trojans are often spread by users of instant messaging software (ICQ, AOL Messenger, MSN Messenger, etc.) and among peer-to-peer file-sharing networks.
Growing in popularity in 2002/03 have been worms infecting Web servers and SQL database servers. While these do not directly infect individual users, they can have the effect of slowing or shutting down whole sections of the Internet, indirectly affecting millions of users. Sadly, in most cases, these could have been prevented if network system administrators had made sure they were up-to-date on patching their operating systems and server software. In August 2003, the Blaster worm infected many ordinary users, and a relative shut down Air Canada's check-in system. Again, users who had bothered to get Microsoft's mid-July update were safe from this infection.
Also in August 2003, the Sobig virus apparently was designed to allow infected computers to be used to help distribute spam. More detail on the history of viruses can be found at http://www.cknow.com/vtutor/vthistory.htm which was the source for this discussion. The New York Times, in February 2004, ran a piece called The Virus Underground looking at some of the people who actually write viruses and worms: http://www.nytimes.com/2004/02/08/magazine/08WORMS.html (free registration required).
What is a Virus?

A virus is a piece of code that replicates by attaching itself to other programs or files, and that usually causes an unexpected, usually negative, event. Viruses are often disguised as games or images with clever marketing titles.
What is a Worm?

Worms reside in the active memory of a computer and duplicate themselves. They may send copies of themselves to other computers, such as through email or Internet Relay Chat (IRC).
What is a Trojan Horse?

A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse purposefully does something the user does not expect. Trojans are not viruses, since they do not replicate, but Trojan horse programs can be just as destructive. Many people use the term "Trojan" to refer to non-replicating malicious programs, thus making a distinction between Trojans and viruses.
PC Magazine (July 2004) talked to a 16-year-old Dutch virus writer; read the article (http://www.pcmag.com/article2/0,1759,1612207,00.asp) to find out why he does it.
What to do (or what not to do)...

Boot sector infectors, Word macro viruses, and other early types are still in the wild, and may be encountered from time to time. But by far, the most prevalent type of infectors are those spread as e-mail attachments. If you want to avoid getting infected, the answer is simple: don't open email attachments. Receiving an attachment does not, by itself, infect your computer; your computer is infected when you double-click on the attachment, running it. (That holds for the attachment-borne worms discussed here; see the note on the Bagle variants later in this page for a case where merely viewing a message was enough.)
The only sure way to avoid infected attachments is to not be connected to the Internet. But that's too drastic a step for most of us. Instead, a little common sense and self-discipline goes a long way. Don't open attachments, even if they appear to be from people you know. Ever. (Note that you can still get infected from files or boot sector viruses on floppy diskettes.)
Open an attachment only if it meets all of these conditions:

* It comes from someone you know
* You were expecting to receive it, or
* You've written the sender and confirmed that they intended to send it to you

Even then, you may want to be suspicious if, for instance:

* The attachment is a program (file extension ending in EXE, BAT, PIF, or COM; the list is not exhaustive, since VBS, JS, CMD and other script and executable extensions run just as readily when double-clicked)
* The attachment is a screen saver (file extension ending in SCR); a screen saver is an ordinary executable with a different extension
* The attachment has two file extensions, with the first one appearing to be a document like a JPG (image) and the last one a program or screen saver (for example, photo.jpg.exe); with Windows hiding extensions, which is its default, only "photo.jpg" is shown

When in doubt about an attachment, be suspicious.
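As an added example (not part of the original tutorial), here is a small Python checker that applies the rules above to the attachment names in a message: it flags program and screen-saver extensions, catches the double-extension trick, and shows what Windows would display with "hide extensions for known file types" turned on. The sample message is constructed for this example (the 'friends.scr' name echoes the tutorial's own anecdote), and the set of risky extensions goes beyond the page's EXE/BAT/PIF/COM/SCR list, which is my addition.

```python
import email
import os
from email import policy

# Extensions the tutorial names, plus other executable and script types that Windows
# runs when double-clicked (everything beyond exe/bat/pif/com/scr is this example's addition).
EXECUTABLE_EXTS = {"exe", "bat", "pif", "com", "cmd", "vbs", "vbe", "js", "jse",
                   "wsf", "wsh", "hta", "msi", "reg", "lnk"}
SCREENSAVER_EXTS = {"scr"}
# Extensions that make a name look like a harmless document or picture.
BENIGN_LOOKING_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "xls",
                       "pdf", "htm", "html", "mp3", "avi", "zip"}


def split_extensions(filename):
    """'photo.jpg.exe' -> ['jpg', 'exe'] (lower-cased, base name dropped)."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def windows_display_name(filename):
    """Name Explorer/Outlook show when 'Hide extensions for known file types' is on:
    the last extension disappears, so 'photo.jpg.exe' is shown as 'photo.jpg'."""
    base, ext = os.path.splitext(filename)
    return base if ext else filename


def classify_attachment(filename):
    """Apply the tutorial's rules to one filename; return (verdict, list of reasons)."""
    exts = split_extensions(filename)
    reasons = []
    if not exts:
        return "suspicious", ["no extension at all; cannot tell what kind of file it is"]
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"'.{last}' is a program or script that runs when double-clicked")
    if last in SCREENSAVER_EXTS:
        reasons.append("'.scr' screen savers are ordinary executables")
    if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING_EXTS and reasons:
        reasons.append(f"double extension: looks like a .{exts[-2]} but is really a .{last}")
    shown = windows_display_name(filename)
    if reasons and shown != filename:
        reasons.append(f"with extensions hidden, Windows would show it as '{shown}'")
    return ("dangerous" if reasons else "ok"), reasons


def attachment_names(raw_message):
    """Pull every attachment filename out of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def check_message(raw_message):
    """Map each attachment name in the message to its (verdict, reasons)."""
    return {name: classify_attachment(name) for name in attachment_names(raw_message)}


# Constructed sample message (not a real capture). The payloads are meaningless
# base64 filler; only the filenames matter for the check.
SAMPLE_MESSAGE = """\
From: friendshipforu@example.com
To: you@example.com
Subject: Best Friends !!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached!
--XYZ
Content-Type: application/octet-stream; name="friends.scr"
Content-Disposition: attachment; filename="friends.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ
Content-Type: image/jpeg; name="holiday.jpg.exe"
Content-Disposition: attachment; filename="holiday.jpg.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--XYZ--
"""

if __name__ == "__main__":
    for name, (verdict, reasons) in check_message(SAMPLE_MESSAGE).items():
        print(f"{name}: {verdict}")
        for reason in reasons:
            print(f"    - {reason}")
```

The check deliberately judges the name only, never the declared Content-Type: the second attachment claims to be image/jpeg, but the program extension at the end of the filename is what Windows acts on when the file is double-clicked.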
To be properly prepared, you need to have done a few things:

* Have your email program save attached files some place where you can easily see them. I use the computer
* Make sure that Windows is set to always display file extensions. This is not the Windows default. See the previous part of this tutorial if you don't know how to do that.
* Be disciplined. I received a cute green heart-shaped icon labeled 'friends.scr' that came in an email message addressed to me from someone named friendshipforu. The message subject said "Best Friends !!" Could something that friendly be nasty?
* When in doubt, check. Go to Google and type (for example) 'friends.scr' in the search field. Very quickly, I discovered that this was a well-known attachment of the W32/Yaha.B virus.
* Even if you can't find that particular attachment, be suspicious. It may be a new virus, too recent to have made it into Google. Or it may be an old virus with a new name. If it seems suspicious, treat it as guilty until proven innocent.
Don't trust your friends if attachments appear without warning, no matter how close a friend or how cute the letter or attachment. While some viruses send themselves to addresses appearing in infected computers' address books, but with From: addresses like 'friendshipforu', others steal names and addresses from those address books and paste them into the From: field as well as the To: field. So strangers can be getting virus-bearing messages that appear to have been sent by you or even from me! That doesn't make it so: the From: field is simply whatever the sending program chose to put there.
Related to viruses is the virus hoax email message. Here, people receive a warning about a new virus, often from someone they know, and are urged to spread the word to everyone they know. Often, the message claims that the warning originated with Microsoft, IBM, NASA, or some other well-known organization.

For example, I received the following from a colleague (note the all-caps):
INFORMATION TO EVERY
PERSON IN YOUR ADDRESS BOOK. IF YOU RECEIVE AN E-MAIL THAT READS
INTERNET2" DO NOT OPEN IT, AS IT CONTAINS AN EXECUTABLE NAMED
IT WILL ERASE ALL THE DATA IN YOUR HARD DRIVE AND IT WILL STAY IN
THIS INFORMATION WAS PUBLISHED YESTERDAY IN THE CNN WEB SITE.... CHECK
THE LIST BELOW, SENT BY IBM, WITH THE NAMES OF SOME E-MAILS THAT, IF
SHOULD NOT BE OPENED AND MUST BE DELETED IMMEDIATELY, BECAUSE THEY
These warnings are untrue. Because they tend to spread out of control, they duplicate like a virus, taking up the time and energy of thousands or millions of users. Rest assured, Microsoft (et al.) do not spread warnings about security problems via chain email and do not encourage end-users to tell everyone they know.

Some hoaxes have been more dangerous: at least one spread the word that if users checked for the existence of a certain file, it meant they were infected, and they should delete that file. Too bad that file was a normally installed part of Windows, and deleting it caused problems. (The sulfnbk.exe and jdbgmgr.exe hoaxes of 2001 and 2002 worked exactly this way.)
A number of online sites keep track of virus hoaxes. If you receive a warning about a virus, check with one of these first. Some examples include:

* Symantec: http://www.symantec.com/avcenter/hoax.html
* McAfee: http://vil.mcafee.com/hoax.asp
* Hoaxbusters: http://hoaxbusters.ciac.org/
* VMyths: http://www.vmyths.com/

Check out any claims before passing a virus warning further.
More dangerous hoaxes are messages bearing attachments that claim to be legitimate security patches coming from Microsoft or other sources. For example, September 2003 saw the W32.Swen virus, transmitted along with a very well-designed message that apparently was from Microsoft, bearing what it claimed was an important security fix. Microsoft does not send patches to end-users as e-mail attachments; rather than fixing a security problem, the attachment infected the user's computer and hijacked Outlook or Outlook Express email software to spread itself further.
Despite the suggestion that you can avoid infection by being self-disciplined about opening file attachments, every one of us should (in addition to being careful) run an up-to-date antivirus program. Even if you are responsible and don't open attachments, you may still become infected with a virus:

* You may run into one of the older types on a floppy diskette or a Word document or some other way
* Some other user may be sitting at your computer and may, without thinking, open an email attachment
* A new and different type of virus may appear, one that spreads by (for example) running a destructive Java applet from HTML embedded in an email message, without actually appearing as an attached file. Or something.
Antivirus software is always being updated to recognize new viruses. As a result, it is important to keep whatever AV software you are using up-to-date. Most modern AV software can be set to download new virus definitions on a regular basis. Weekly is the minimum worth considering; since new worms can spread worldwide within hours, anyone with an always-on Internet connection should set their software to check for new definitions daily.

But don't count on any AV program to be 100% effective. The software companies are always responding to new viruses, which means that the new virus has to appear in the wild and infect someone before the AV software will become aware of it. In the meantime, one of the computers that may receive the new virus variety may be yours. I've twice received suspicious-looking attachments that weren't picked up by my AV software, even when I manually went and downloaded the latest virus definitions. Because I didn't trust them, I avoided opening them and sent them (with explanation) to my AV software vendor; in each case, later that day, they were identified as new viruses.

The best defense is a combination of an up-to-date AV program, common sense, and paranoia.
There are a number of good AV programs. The most common were reviewed in the April 22, 2003 issue of PC Magazine; their review can be found online at: http://www.pcmag.com/article2/0,4149,989867,00.asp.

Editors' Choice was awarded to Norton AntiVirus 2003. They concluded: "Norton AntiVirus 2003 gets our top rating for delivering both excellent protection and foolproof ease of use. It has the best interface of all the products, it scans all files by default, and its mail protection scans the contents of ZIP files before they're sent from your PC. NAV also has a stellar record on independent certification tests. Of the rest, PC-cillin 2003's built-in firewall and free phone support are appealing. McAfee VirusScan Home Edition 7.0 offers admirable controls, but it requires too much knowledge on the part of users when a virus is encountered. For power users, speed mavens, and those who want exact control over antivirus software settings: NOD32 is your baby. It had less than half the impact on system performance of the personal AV product, and it lets you choose details such as the level of heuristics to use."
Recent versions of NAV are now charging an annual renewal fee to continue automatically updating virus definitions (I believe you can manually download new virus definitions without paying the renewal fee), and the company is reported to be adding 'digital-rights management' to ensure that a single purchased copy is installed on a single computer. All within their rights, of course, but driving up the costs for home users.

Other commercial choices include McAfee VirusScan, Panda, and PC-cillin. Also worth considering are free virus programs. A list of free AV programs is posted at: http://www.thefreesite.com/Free_Software/Anti_virus_freeware/. The Vancouver School Board, for example, recently replaced McAfee on thousands of school office, classroom, and computer lab computers with the free version of AVG. I'm particularly partial to the free Avast antivirus; I've been using this one on my systems, and it seems to be working well. Especially nice is the way that it quietly updates itself in the background. (When using Avast, you need to right-click on the program's window to get at the options... remember, when in doubt, right-click!) You can find reviews and links to ten free antivirus programs at: http://www.freeanti-virussoftware.net/
If you don't have AV software installed and are afraid that you might be infected with a virus, several of the AV vendors offer free online virus-scanning services, letting you check your computer right away for any of thousands of possible infections. Don't be in a rush: a full scan of your system will take a while.

Some other online scanning sites (thanks to Charles Scaglione for these):

Note that all of these require ActiveX controls and work best (or perhaps only) when run from Internet Explorer.

If you are pretty sure you are infected with a particular virus variant, Symantec at: http://securityresponse.symantec.com/avcenter/tools.list.html offers automated removal tools, along with instructions for manual removal of a large number of viruses.

PC Magazine (November 8, 2005) reviewed three free antivirus programs: Avast, AVG, and AntiVir PE. Check their detailed review.
No matter what AV software you choose to use, pay attention to its various options. The default settings may not reflect the way you want the program to run. You might want to adjust the frequency with which the program checks for updated virus definitions, or the day of the week or time of day when it checks. You may want it to run completely unattended in the background, or you may want to know what it is about to download and install onto your system.

You may also want to change the action it takes if it discovers a virus. Should it delete the offending file? Try to repair it? (Repairs rarely succeed.) Quarantine it? Should it inform you or do it quietly behind the scenes? How often should you schedule scans of your entire system (and at what times of day or night)? Should the program scan all files? Inside compressed ZIP files? Just the most commonly infected types of files?

Can you use the program to make boot floppies (usually you'll need more than one) enabling you to run the scanner without booting from a possibly-infected hard drive? If so, make the floppy disk set and store it in a safe place.
Get familiar with the AV program's options before you need them.

The bulk of viruses target systems running Microsoft Windows and, secondarily, the Microsoft Outlook and Outlook Express email software. Most of what's left consists of viruses attacking Microsoft Word or Excel. It's not that virus writers are anti-Microsoft, but that's where most of the potential victims are. And Microsoft has made it easy for virus writers. For example, when it made Visual Basic for Applications a common macro language across its Office applications, it gave virus writers a programming tool with great power and few built-in limitations. Most users don't use macros, but Microsoft's programmers wanted to empower and make it easier for those few users (mostly in large corporations) who did extend the Office programs in that way. The result, however, was that millions of other users were put at risk from macro viruses.

Limiting your exposure to those products, then, also limits (though doesn't completely eliminate) the risk of infection. Consider replacing Outlook Express with Eudora Mail, Mozilla Thunderbird or some other email program. Consider replacing Microsoft Office with Corel WordPerfect, Lotus SmartSuite, or the free, open source OpenOffice. Consider replacing Windows with the Mac operating system (and hardware) or Linux (which can run on your existing PC hardware). While there are viruses for these systems, they are far, far fewer in number and frequency. For instance: Norton AntiVirus for Windows currently claims to detect some 63,000 different virus variants. I can't find a comparable number for Norton AntiVirus for Mac, but the number of native viruses for the Macintosh platform is probably in the few dozens. Even Microsoft Outlook Express for Mac isn't susceptible to Windows Outlook Express viruses.

This is not necessarily an extreme point of view. For instance, in September 2001, a ZDNet columnist argued that it was time to abandon Outlook (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2814683,00.html).
New and dangerous (March 2004):

Three new variants of the Bagle virus (P, Q, and R) are reported not to use attachments, but to be able to infect a computer when the message itself is viewed. When the message is viewed, it opens a computer port, automatically downloading the infection-bearing program from another infected computer (sort of like peer-to-peer file sharing). Infected computers can be controlled remotely from other computers. Some of the message titles used by this virus appear to be security warnings, and it may come with apparent From: addresses making it look like it's from network or ISP administrators. These variants work by exploiting a known Internet Explorer vulnerability when the HTML message is rendered, so a machine with Windows and Internet Explorer fully patched, or a mail program set to show messages as plain text, is not at risk from them.

The general warnings about not opening suspicious-looking file attachments now need to be taken a step further; users should not even view email messages from strangers, even those claiming to be from corporate network administrators. It's not clear to me at this time whether viewing messages in email preview panes is enough to trigger the virus; to be on the safe side, I recommend turning off this feature (turned on by default in most email and webmail software). (Turning off the preview pane will also help control spam.)
In March 2006, C/Net's Robert Vamosi suggested that we'll be seeing far fewer large-scale virus attacks but a greater number of virus variants, fine-tuned for specific targets. He expects these to increase in so-called 'crimeware', including identity theft and the creation of networks of 'bots' for extortion related to denial-of-service attacks on corporate networks. He also suggests that this flood of virtually individualized viruses may become more difficult for traditional antivirus applications to handle.
* Make sure your system is set up to display file extensions for all files
* Make sure you know where attachments are being saved on your system
* Go to one of the sites with information on virus hoaxes and check for current hoaxes
* Go to one of the free online scanning services and let it scan your system
* (If it finds a virus) remove the infection using one of Symantec's automated tools or its manual removal instructions
* If you have an AV program, make sure the virus definitions are up to date and look over the program's options
* If you don't currently have an AV program installed, download and install the free AVG or Avast antivirus. Make sure its virus definitions are up to date. Look over the program's options
* Make a set of boot floppies
* Think about replacing any Microsoft products with more secure alternatives