NOTE: This excellent FAQ article has been reproduced from
the CERT Coordination Center website at http://www.cert.org.
Please visit that site for more information on computer
viruses.
This FAQ answers some of the questions that computer users
ask about computer viruses and Trojan horse programs. It
also tries to clear up some common misconceptions about
viruses and E-mail. If you need help with a virus infection
or want more information about viruses, please see 'Dealing
with virus infections:' and 'Sources of additional
information:' near the end of this FAQ. And if you don't
read anything else, at least read the very first topic:
"Why should I care...".

Why should I care about computer viruses? Isn't all this
just a bunch of hype drummed up by marketing departments
for anti-virus software companies?

I'm writing this in early May 1999.
For the past week, the alt.comp.virus
newsgroup has been flooded with pleas for help from people
whose computers were clobbered by the CIH virus, which
activated on April 26. Many of those people wound up
having to put in large amounts of time and effort to get
their computers operational; some people have had to buy
replacement chips or pay for a repair shop to get their
systems back in operation. And some of those people have
lost data they will never be able to replace. Yet the CIH
virus was well-known almost a year before it activated,
and virtually every single current anti-virus program
could handle it. But a lot of people didn't have a-v
software, and many of those who did have it didn't use it
regularly or keep it updated. So a lot of people lost
time, money, and irreplaceable data when the CIH virus
activated simply because they didn't take basic
precautions to protect themselves. The virus threat is not
going away: from reading the alt.comp.virus
newsgroup, it's obvious that there are lots of people who
would just love to create the same kind of havoc with
their own virus creations.

What is a computer virus?

A computer virus is a program designed to spread itself by
first infecting
executable files or the system areas of hard and floppy
disks and then making copies of itself. Viruses usually
operate without the knowledge or desire of the computer
user.

What kind of files can spread viruses?

Viruses have the potential to infect any type of
executable code, not
just the files that are commonly called 'program files'.
For example, some viruses infect executable code in the
boot sector of floppy disks or in system areas of hard
drives. Another type of virus, known as a 'macro' virus,
can infect word processing and spreadsheet documents that
use macros. And it's possible for HTML documents
containing JavaScript or other types of executable code to
spread viruses or other malicious code. Since virus code
must be executed to have any effect, files that the
computer treats as pure data are safe. This includes
graphics and sound files such as .gif, .jpg, .mp3, .wav,
etc., as well as plain text in .txt files. For example,
just viewing picture files won't infect your computer with
a virus. The virus code has to be in a form, such as an
.exe program file or a Word .doc file, that the computer
will actually try to execute.

How do viruses spread?

When you execute program code that's infected by a virus,
the virus code will also
run and try to infect other programs, either on the same
computer or on other computers connected to it over a
network. And the newly infected programs will try to
infect yet more programs. When you share a copy of an
infected file with other computer users, running the file
may also infect their computers; and files from those
computers may spread the infection to yet more computers.
If your computer is infected with a boot sector virus, the
virus tries to write copies of itself to the system areas
of floppy disks and hard disks. Then the infected floppy
disks may infect other computers that boot from them, and
the virus copy on the hard disk will try to infect still
more floppies. Some viruses, known as 'multipartite'
viruses, can spread both by infecting files and by
infecting the boot areas of floppy disks.

What do viruses do to computers?

Viruses are software programs, and they can do the same
things as any
other programs running on a computer. The actual effect of
any particular virus depends on how it was programmed by
the person who wrote the virus. Some viruses are
deliberately designed to damage files or otherwise
interfere with your computer's operation, while others
don't do anything but try to spread themselves around. But
even the ones that just spread themselves are harmful,
since they damage files and may cause other problems in
the process of spreading. Note that viruses can't do any
damage to hardware: they won't melt down your CPU, burn
out your hard drive, cause your monitor to explode, etc.
Warnings about viruses that will physically destroy your
computer are usually hoaxes, not legitimate virus
warnings.

What is a Trojan horse program?

A type of program that is often confused with viruses is a
'Trojan horse' program. This is not a virus, but simply a
program (often
harmful) that pretends to be something else. For example,
you might download what you think is a new game; but when
you run it, it deletes files on your hard drive. Or the
third time you start the game, the program E-mails your
saved passwords to another person. Note: simply
downloading a file to your computer won't activate a virus
or Trojan horse; you have to execute the code in the file
to trigger it. This could mean running a program file, or
opening a Word/Excel document in a program (such as Word
or Excel) that can execute any macros in the document.

What's the story on viruses and E-mail?

You can't get a virus just by reading a plain-text E-mail
message or Usenet post. What you have to watch out for are
encoded messages containing embedded executable code
(e.g., JavaScript in an HTML message) or messages that
include an executable file attachment (e.g., an encoded
program file
or a Word document containing macros). In order to
activate a virus or Trojan horse program, your computer
has to execute some type of code. This could be a program
attached to an E-mail, a Word document you downloaded from
the Internet, or something received on a floppy disk.
There's no special hazard in files attached to Usenet
posts or E-mail messages: they're no more dangerous than
any other file.

What can I do to reduce the chance of getting viruses
from E-mail?

Treat any file attachments that might
contain executable code as carefully as you would any
other new files: save the attachment to disk and then
check it with an up-to-date virus scanner before opening
the file. If your E-mail or news software has the ability
to automatically execute JavaScript, Word macros, or other
executable code contained in or attached to a message, I
strongly recommend that you disable this feature. My
personal feeling is that if an executable file shows up
unexpectedly attached to an E-mail, you should delete it
unless you can positively verify what it is, who it came
from, and why it was sent to you. The recent outbreak of
the Melissa virus was a vivid demonstration of the need to
be extremely careful when you receive E-mail with attached
files or documents. Just because an E-mail appears to come
from someone you trust, this does NOT mean the file is
safe or that the supposed sender had anything to do with
it.
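The two passages above ("What kind of files can spread viruses?" and "What can I do to reduce the chance...") both turn on one question: does a file the computer will actually try to execute arrive in the attachment, or only data it will display? The script below is an added example, not part of the CERT FAQ, showing the triage a cautious user can apply to an attachment after saving it to disk and before opening it: look at the extension the desktop uses to decide what to run, look at the file's own header bytes, and flag the case where the two disagree (a program file renamed to look like a picture). The extension lists and the small magic-byte table are assumptions chosen for illustration, not a complete file-type detector, and the sample files are constructed in a temporary directory.

```python
"""Triage a saved e-mail attachment: must it be virus-scanned before opening?

Added example, not from the CERT FAQ. The extension sets and the magic-byte
table below are illustrative assumptions, not an exhaustive detector.
"""
import os
import tempfile
from typing import Optional

# Extensions the FAQ calls pure data: the computer only displays them.
DATA_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".mp3", ".wav", ".txt"}

# Extensions a desktop would try to execute, or documents that can carry macros.
# Assumption for this example; real lists are longer.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".vbs", ".js",
                         ".doc", ".dot", ".xls", ".html", ".htm"}

# File-header signatures that identify content regardless of the file name.
MAGIC = [
    (b"MZ", "DOS/Windows executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
     "OLE compound document (Word/Excel, may hold macros)"),
    (b"GIF8", "GIF image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"RIFF", "RIFF container (e.g. WAV)"),
]


def identify_header(data: bytes) -> Optional[str]:
    """Return a description of the first matching signature, or None."""
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return None


def triage(path: str) -> dict:
    """Decide 'scan-before-opening' or 'data-only' from name and content."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(16)
    header = identify_header(head)
    by_name = ext in EXECUTABLE_EXTENSIONS
    by_content = header is not None and (
        header.startswith("DOS/Windows") or header.startswith("OLE"))
    if by_name or by_content:
        verdict = "scan-before-opening"
    elif ext in DATA_EXTENSIONS:
        verdict = "data-only"
    else:
        verdict = "scan-before-opening"   # unknown type: treat it as executable
    # Executable content hiding behind a data extension deserves a warning.
    mismatch = by_content and ext in DATA_EXTENSIONS
    return {"verdict": verdict, "header": header, "mismatch": mismatch}


def demo() -> dict:
    """Write constructed sample attachments to a temp dir and triage each."""
    samples = {                                   # all constructed for this example
        "readme.txt": b"plain text, nothing to execute",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "game.exe": b"MZ\x90\x00" + b"\x00" * 12,
        "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 12,   # program renamed as a picture
        "archive.zzz": b"unknown format",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = triage(path)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result['verdict']:20} header={result['header']} "
              f"mismatch={result['mismatch']}")
```

The verdict is deliberately conservative: anything not positively known to be display-only data is routed to the virus scanner, which is exactly the FAQ's advice for files that "might contain executable code". A header check alone is not a substitute for scanning, since a Word document's header reveals nothing about whether its macros are benign.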

Some general tips on avoiding virus infections:
1. Install anti-virus
software from a well-known, reputable company, UPDATE it
regularly, and USE it regularly. New viruses come out
every single day; an a-v program that hasn't been updated
for several months will not provide much protection
against current viruses.
2. In addition to scanning for viruses on a regular basis,
install an 'on access' scanner (included in most good a-v
software packages) and configure it to start automatically
each time you boot your system. This will protect your
system by checking for viruses each time your computer
accesses an executable file.
3. Virus scan any new programs or other files that may
contain executable code before you run or open them, no
matter where they come from. There have been cases of
commercially distributed floppy disks and CD-ROMs
spreading virus infections.
4. Anti-virus programs aren't very good at detecting
Trojan horse programs, so be extremely careful about
opening binary files and Word/Excel documents from unknown
or 'dubious' sources. This includes posts in binary
newsgroups, downloads from web/ftp sites that aren't
well-known or don't have a good reputation, and executable
files unexpectedly received as attachments to E-mail or
during an on-line chat session.
5. If your E-mail or news software has the ability to
automatically execute JavaScript, Word macros, or other
executable code contained in or attached to a message, I
strongly recommend that you disable this feature.
6. Be _extremely_ careful about accepting programs or
other files during on-line chat sessions: this seems to be
one of the more common means that people wind up with
virus or Trojan horse problems. And if any other family
members (especially younger ones) use the computer, make
sure they know not to accept any files while using
chat.
7. Do regular backups. Some viruses and Trojan horse
programs will erase or corrupt files on your hard drive,
and a recent backup may be the only way to recover your
data. Ideally, you should back up your entire system on a
regular basis. If this isn't practical, at least back up
files that you can't afford to lose or that would be
difficult to replace: documents, bookmark files, address
books, important E-mail, etc.

Dealing with virus infections:

First, keep in mind "The First Law of Computer Virus
Complaints":
"Just because your computer is acting strangely or one of
your programs doesn't work right, this does NOT mean that
your computer has a virus."
1. If you haven't used a good, up-to-date anti-virus
program on your computer, do that first. Many problems
blamed on viruses are actually caused by software
configuration errors or other problems that have nothing
to do with a virus.
2. If you do get infected by a virus, follow the
directions in your anti-virus program for cleaning it. If
you have backup copies of the infected files, use those to
restore the files. Check the files you restore to make
sure your backups weren't infected.
3. For assistance, check the web site and support services
for your anti-virus software.
4. The "alt.comp.virus FAQ Part 1/4" includes an excellent
section on initial steps for dealing with a suspected virus
infection.
5. For discussions about viruses and help dealing with
them, visit <news:alt.comp.virus>
or <news:comp.virus>;
please check the newsgroup FAQs before posting. Keep in
mind that posters in c.v and in a.c.v, like posters in any
newsgroup, have a wide range of technical expertise and
motivations.
Note: in general, drastic measures such as formatting your
hard drive or using FDISK should be avoided. They are
frequently useless at cleaning a virus infection, and may
do more harm than good unless you're very knowledgeable
about the effects of the particular virus you're dealing
with.
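Step 2 above says to restore infected files from backup and then check that the restored files are what you backed up. One practical way to do that check, shown here as an added example that is not part of the CERT FAQ, is to record a cryptographic hash of every file at the time a known-clean backup is taken and compare the restored copy against that record. The sample files and the "tampered" change are constructed inline in a temporary directory.

```python
"""Build a hash manifest of known-good files and verify a restored copy.

Added example, not from the CERT FAQ. Sample files are constructed inline.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files fit."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify(root: str, manifest: dict) -> dict:
    """Compare the files under root with the manifest and report differences."""
    current = build_manifest(root)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    extra = sorted(p for p in current if p not in manifest)
    return {"changed": changed, "missing": missing, "extra": extra,
            "ok": not (changed or missing or extra)}


def write(root: str, rel: str, data: bytes) -> None:
    """Create a file (and its directories) below root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Take a manifest of a clean backup, then verify a restore that differs."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")          # constructed clean backup
        write(backup, "docs/letter.doc", b"constructed clean document")
        write(backup, "bin/game.exe", b"MZ constructed clean program")
        manifest = build_manifest(backup)

        restored = os.path.join(tmp, "restored")      # constructed restore
        write(restored, "docs/letter.doc", b"constructed clean document")
        # One restored file no longer matches the clean baseline.
        write(restored, "bin/game.exe", b"MZ constructed clean program tampered")
        # One file appears that was never in the backup at all.
        write(restored, "bin/unexpected.com", b"constructed unexpected file")
        return verify(restored, manifest)


if __name__ == "__main__":
    report = demo()
    for key in ("changed", "missing", "extra"):
        for path in report[key]:
            print(f"{key:8} {path}")
    print("restore matches backup:", report["ok"])
```

A manifest only tells you that a restored file differs from the baseline, not what changed it; any file reported as changed or extra should go to the virus scanner rather than being trusted. The check is also only as good as the baseline: if a file was already infected when the manifest was written, it will verify as "ok", which is why the FAQ also says to check that the backups themselves weren't infected.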

Please note that use of CERT/CC material on this web site
in no way constitutes an endorsement of Inxtec Security
International, its services or its personnel.