by Alan Zisman (c) 1994. First published in Our Computer Player,
September 1994
"Computer viruses-- Evil Nerds from behind the former
Iron Curtain are
out to destroy North
You might have read that headline in a supermarket
tabloid. Even if it didn't really appear there, it reflects what many
believe about computer viruses.
Well, I've got some bad news and some good news.
First the bad news-- yes, there are such things as
many coming from East European programmers), and they can destroy data
on your hard drive.
But despite that, the danger of computer virus
infection is much less
than commonly believed.
WHAT ARE VIRUSES?
Computer viruses are computer programs. Like any other
someone has written them. Like biological viruses, computer viruses
can multiply and spread, and like biological viruses, they can cause
damage to their host... in this case, to your computer's hard drive,
and its data.
There have been suggestions that many viruses originated with
over-educated and under-employed computer programmers, often in Eastern
European countries such as Bulgaria.
There are two major varieties of viruses. Boot sector
the (surprise!) boot sector of your hard disk (or floppy disk)... a
small area on the disk that is read when your computer boots up.
Many of the most common viruses are boot sector
viruses. The STONED
virus, for example, runs a "Your computer is stoned" message at boot
up time. Ha Ha! You can only become infected with a boot sector virus
by booting your computer with an infected disk in the boot drive.
The second type of virus infects executable files (files ending in
EXE or COM on PCs). It springs into life when you run an infected
executable file, and (among other effects) copies its code into other
executable files on your drive.
There are also other nasty sorts of computer programs,
like TROJAN HORSES (which pretend to be useful programs, but actually
do damage), or WORMS, like 1989's Internet Worm, which clogged that
network, seeking passwords.
HOW DO COMPUTERS GET INFECTED?
There are a lot of myths and rumours about how viruses
Many people are afraid that their computer can become infected by
logging on to a bulletin board (BBS), or by downloading messages or
This is totally untrue.
If you followed the description of types of viruses, you'd notice that
you can only get a boot sector virus by booting with an infected disk,
and you only get an executable virus by actually running an infected
program. Logging onto a bulletin board, or downloading mail or zipped
files cannot infect your computer.
You could, however, get a virus by downloading an
then by running that program.
Aware of that danger, and also aware of the
unjustified bad reputation
that BBSs have received, most sysops running BBSs go to great lengths
to make sure that all files on their systems are free of viruses. If
you're not sure about a particular BBS, leave a message to the sysop,
asking what precautions they take before running files downloaded from
Instead, most viruses are spread from floppy disks. Many people make
copies of software (legally or otherwise), and pass them around. Note
that boot sector viruses are actually pretty hard to spread... I keep
a disk infected with a boot sector virus around for demonstration
purposes-- inserting the disk in my floppy disk drive doesn't infect
my hard drive. Neither does reading a data file from that disk, or
even running an executable program on that disk (although if that file
was infected with an executable virus, this would spread the infection).
The only way to infect my hard drive with the boot sector virus is to
close the floppy drive door, and reboot my computer. The disk isn't a
system disk, and the computer refuses to boot... but in the instant
that it reads the floppy's boot sector, the infection spreads.
While this seems hard to do, we all try to boot our
computers with a
data disk in the floppy drive now and again-- and if that disk is
infected with a boot sector virus... poof, you're infected.
So people pirating software often accidentally spread
Unfortunately, you're not safe if you stick to original,
shrink-wrapped software packages.
There have been too many cases of reputable companies
viruses on production runs of their software. Aldus infected several
thousand Mac users with a "universal message of peace" in early 1988.
Novell sent out
3,800 copies of diskettes infected with the Stoned III virus in late
And too many retailers take returned software, re-shrink wrap it, and
put it back on the shelves for sale. Those disks could have become
infected by the user who returned them to the store.
HOW CAN I TELL IF I'VE BEEN INFECTED?
Some viruses give obvious signs of infection... "Your
stoned" for example. Typed characters falling to the bottom of the
screen with the CASCADE virus. Other symptoms are more subtle:
-- Your system seems more sluggish than normal,
-- Your hard drive light flashes at seemingly random
times (this can
happen in Windows when you're running low on memory and using your
swap file... that doesn't mean, however, that Windows is a virus, as
-- Odd error messages or crashes from previously
-- Files or directories that seem to appear or
-- A decrease in free RAM.
-- Executable files that suddenly grow in size. The
will enlarge *.COM files by 1813 bytes, and *.EXE files by 1808 bytes,
-- An unexplainable drop in free space on your drive.
Any unexplainable change in your computer's behaviour MAY be due to
virus infection. There are many other possible causes, however, and
while you should check for infection, in most cases, especially when
using complex environments such as Windows, there turns out to be a
non-viral reason (such as often turning off your computer while
leaving Windows running).
WHAT CAN I DO IF I THINK MY COMPUTER IS INFECTED?
Turn off your computer and remove any floppy disks.
Label them as
possibly infected, so you can check them later. Notify your network
manager, if you're on a network, and disconnect the network cables.
Find a bootable floppy with your operating system. You DO have a
bootable system disk, don't you? (If not, stop and make one RIGHT NOW
using the DOS command: FORMAT A: /S). Make sure that
it is write-protected (open the hole in the upper right of a 3 1/2"
floppy or cover the notch on a 5 1/4" disk). Place that disk in your
floppy drive, and turn the machine back on to reboot.
Now you have to check your drive with a virus scanning
program. If you
have a recent version of DOS, you have both DOS and Windows versions
of a virus program included. Alternatively, there are powerful
commercial programs, available as separate packages, or as part of
larger utility packages such as PC Tools.
As well, there are several excellent shareware
available on BBSs. McAfee's SCAN and CLEAN pair are very popular,
I prefer the Icelandic F-PROT program.
Any of these programs will check the boot sector and all the
files on your hard drive for infection. If they find any virus code,
they will notify you, and depending on the program, may automatically
remove the virus, or require you to run a separate program for that
Now here's a problem... virus programmers are very
active, and are
always devising new varieties of viruses. Virus scan-type programs
only check for viruses that were current at the time they were
written. So if you got your virus checker a year or two ago, and left
it sitting on the shelf until you need it, it may not be able to find
Most vendors allow you to download new virus
descriptions from their
BBS for a year after purchasing their product... even the MS-DOS
programs have that option, allowing you to keep up to date. The major
shareware programs release new versions more or less quarterly.
Still, most infections involve older viruses, so even
an older program
can still be effective. And as we've seen, a virus infection can, like
a cold, be more of a pain than a life (or computer) threatening
disease. And unlike the common cold, most virus infections can be
removed fairly easily.
Once you've recovered from your infection, it's time
PRACTICE SAFE COMPUTING
Some users assume that they'll be safe from infection
by simply making
all their executable files read only... other users simply do this
COMMAND.COM. This isn't very useful. It provides no protection at all
for boot sector viruses (some of the most common), and since it's so
simple to make a program read only, it's just as simple for a
well-written virus to turn off the read-only bit.
There are a few simple tricks that do work, however.
For example, the
much publicized Michelangelo virus only does damage on March 6th, the
artist's birthday. If, on March 5th, you move your computer's clock
forward to March 7th, even if your computer is infected, it will not
be damaged on the 6th.
If you suspect a boot sector virus, you can clean up
your (DOS) boot
sector by typing: FDISK
at a DOS prompt. This
undocumented command quickly rewrites your Master Boot Record,
cleaning off any boot sector virus code.
Most virus packages include software to help watch for
many include TSR programs to run at bootup, which will check your RAM
for signs of infection, and halt the computer if any is found. This
lets you reboot from a clean floppy and remove the virus.
As well, these programs can check executable files as
they start up,
watch for suspicious behaviour.
Unfortunately, this sort of protection slows down your
well, it will make it difficult for you, the user, to legitimately
the same kind of actions that a virus might do, such as formatting
Other virus protection software tries to watch out for
changes to executable files. They do that by keeping a list of files
already on your drive, and the size of each... then keep a watch for
files that change size. This clutters your drive with a bunch of
little files, and sometimes causes problems with programs that
regularly rewrite some of their own files (I know a user who got a
danger warning every time Adobe Type Manager started up!)
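
The change-watching approach described above, as an added Python example that is not from the original article or from any product it names. It records a SHA-256 digest as well as each file's size, which goes beyond the size-only list the article describes; the `self_modifying` allow-list, the file names and the file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_EXTS = {".com", ".exe"}  # the file types the article says get infected


def snapshot(root):
    """Map each executable under root to (size in bytes, SHA-256 digest)."""
    result = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXTS:
            data = path.read_bytes()
            key = path.relative_to(root).as_posix()
            result[key] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare(baseline, current, self_modifying=()):
    """Return sorted (path, finding) pairs for executables that differ."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path in self_modifying:
            continue  # known to rewrite itself: skipped to avoid false alarms
        if path not in baseline:
            findings.append((path, "new executable"))
        elif path not in current:
            findings.append((path, "executable missing"))
        elif current[path][0] != baseline[path][0]:
            delta = current[path][0] - baseline[path][0]
            findings.append((path, "size changed by %+d bytes" % delta))
        elif current[path][1] != baseline[path][1]:
            findings.append((path, "same size, content changed"))
    return findings


def demo():  # constructed sample: harmless placeholder files in a temp folder
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("EDIT.COM", 400), ("GAME.EXE", 900), ("FONTS.EXE", 300)):
            Path(root, name).write_bytes(b"\x00" * size)
        baseline = snapshot(root)
        Path(root, "EDIT.COM").write_bytes(b"\x00" * (400 + 1813))  # grew by the *.COM figure quoted earlier
        Path(root, "GAME.EXE").write_bytes(b"\x01" * 900)  # altered, size unchanged
        Path(root, "FONTS.EXE").write_bytes(b"\x00" * 316)  # program that rewrites itself
        return compare(baseline, snapshot(root), self_modifying={"FONTS.EXE"})


if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is taken on a clean system and stored somewhere an infected program cannot rewrite it, such as a write-protected floppy.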
Have a regular back up schedule. If all else fails,
you can always
reformat your hard drive, and restore from your back up. Note,
however, that a back up of an infected disk will simply restore the
infection. (A regular back up routine also limits damage from other
The best protection of all is to not get infected in
the first place.
-- Get a virus scanning program, and update it
regularly. Then run it
regularly on your computer, especially before backing up your data.
-- Back up regularly. (There are only two kinds of
those that have a backup to restore from after a virus infection
or disk crash, and those who wish they did!)
-- Check those floppy disks. Despite the problems with
software, it is still safer than pirated software. Your 'friend'
giving you a copy of free games or programs is the prime spreader of
virus infections. In any event, you
should check all floppies with your virus scanning software before
them. It only takes about a minute per disk.
-- Similarly, check out any downloaded programs,
before you run them.
Most reputable BBS sysops do this, but some don't, and others let you
download programs before they've been checked 'at your own risk'.
Be particularly wary of programs that claim too
much... a small
program promising marvellous performance enhancements is probably,
best, bogus, and at worst, infected. Inform the BBS's sysop at once
any suspicious programs.
-- Write-protect your data disks and program floppies.
protected disk cannot become infected (although an infected disk can
spread its infection whether it's been write protected afterwards or
The July 1994 version of F-Prot claims to detect 1174
families of virus, with some families containing as many as 150
variants. It checks for as many as 4501 different viruses, but more
are being created even while you read this article. Because of this,
as long as you run new software, or even load new data floppies into
your computer, there is no 100% guarantee for safety from viruses.
Despite this, most computer problems are caused by
simple bugs in
software, configuration problems, or user error. And taking some
fairly simple and common-sense precautions can avoid nearly all
danger, letting you get on with using your computer.