Friday, August 19, 2011

Keeping Viruses Away

Let us see some of the things you should follow to keep viruses from infecting your system.

One way to prevent virus infection would be to never use floppy disks, the network, a modem, etc., but this is not possible in real life: without an exchange of data and programs a computer is not of much use.

Therefore, to prevent a virus infection, one can take precautions such as the following.

Keep the floppy disk drive door open

Whenever the system is booted from the hard disk drive, if there is a disk in the floppy drive, keep the drive door open.

Keeping the door closed gives a boot sector virus on the floppy a chance to become active. A floppy with an infected boot sector can still be used to read and write data; the virus only gets a chance to become active when the system is booted from that floppy. This happens even if it is not a bootable floppy, because the BIOS executes the boot sector code before anything finds out that there is no operating system on the disk.

Do not use pirated software

Pirated software, especially games and demonstration packages, is one of the main carriers of viruses. Buy original software from known dealers; this will help keep your system virus free.

Get shareware from a reputed company/BBS

Shareware should be obtained from a reputed dealer, a well known BBS operator or directly from the program's author. This again reduces the chance of a virus infecting your system.

Run a virus scanner/checker program regularly

One should run the latest available virus scanner program regularly. The current version of DOS provides the MSAV (Microsoft Anti Virus) program, which can be used to check the system regularly for any infection.

Some other good virus scanning programs are also available, such as Nashot from Nash Systems, IAVT, SCAN from McAfee Associates, Norton Anti Virus, etc.

Use a memory resident anti-virus program

Use a memory resident TSR (terminate and stay resident) program that monitors activity on the system and warns the user when a program attempts virus-like activity such as writing directly to the FAT, writing to track 0, formatting the hard disk, trying to become memory resident, etc.

The current version of DOS provides a TSR program for this purpose, known as VSAFE. It can be made memory resident and set to alert the user on different virus-like activities.

Use the write-protect tab on floppy disks

Floppy disks containing programs must always have the write-protect (read-only) tab on. Also, if you take data files on a floppy to some other place for reading, put the read-only tab on, because even if there is no executable program on the disk, the boot sector of the floppy could become infected.

Always keep the current version of the anti-virus software

New viruses appear every day, so you cannot install a virus scanner and then forget about it. An old virus scanner may not recognize new viruses, so always get the latest version of the scanner software and keep it up to date.

Back up the data regularly

Finally, even after all these precautions you may get infected. Therefore, whatever protection you use, you must back up your important data regularly. This will help in the worst case of virus infection: you can always reformat and restore the data.

Watch out when you get a service engineer's visit

One main source of virus infection on many computers is the computer service engineer. Service engineers carry diagnostic diskettes with them and use them on many different systems. Most of the time these disks are not write protected. Even if the disks are write protected, sometimes when they see a good utility on a system they copy it onto their diskette. This gives a virus on that system a chance to infect the diskette.

Do not open e-mail attachments from unknown addresses

In the Internet era, e-mail attachments are one of the biggest carriers of virus infection. One should never open an e-mail attachment coming from an unknown address. Even attachments from known addresses should be scanned with the latest anti-virus software before opening, since the sender's machine may be infected and sending them without the sender's knowledge.

Take care when downloading files from the Internet

Files downloaded from the Internet should be scanned properly. Download files from reputable web sites such as shareware.com, download.com, tucows.com, etc.

Where Do Viruses Live?

We have already said that a computer virus is executable program code. Because a virus is a computer program, it cannot do anything unless it is executed; for this reason virus writers make their programs infect some executable program, or some executable part of the drive such as the MBR, DBR, etc.

When the infected program, or the infected MBR, DBR, etc., is executed, the virus is executed along with it, giving it the chance to become active.

A virus cannot spread simply because you copy a data file from an infected floppy or hard disk and use it on a clean system, since nothing in a plain data file is executed. In this situation the only chance of infection is when the data file contains macros and is infected with a macro virus.


How Does a Virus Work?

Now that we have seen the different types of viruses, let us see how they infect a system.

A virus comes to a system from another infected system, maybe by copying a program from the infected system, by booting an infected floppy, or by opening an infected file over the network.

Once a virus has infected a system, it becomes memory resident every time the infected part of the system is used.

For example, a virus that has infected the MBR, DBR or the system files becomes active every time the system is switched on, while a virus that has infected a .COM or .EXE program becomes active when that particular infected program is run.

After becoming active in memory, the virus starts to monitor different activities of the system, such as disk read/write operations, keyboard operations, the system clock, etc.

The worm part of the virus replicates the virus to new programs and disks. The bomb part of the virus waits for some specific event to trigger it and then does the destruction for which it was programmed.

When you suspect a virus, press the reset key or turn the machine off, then boot from a write-protected floppy disk or a CD-ROM that is known to be clean, and remove the virus using good anti-virus software. Booting from clean media matters because a virus that is active in memory can hide the infection from the scanner (see Stealth Viruses below).



Thursday, August 18, 2011

Types of Computer Viruses

WORM

Worms were one of the first kinds of computer viruses. A program written as a worm normally does no destructive work; a worm's main job is to replicate itself, i.e. to keep copying itself to any new disk used in the system, or to new systems over the network, and keep spreading.

The original worm programs were written as experiments in computer labs, to test whether a program could be made to replicate itself.

Most current viruses contain a worm component to manage the replication part of the virus.

To spread, these worms stay resident in the computer's memory and watch disk access activity. Whenever a new disk is put in the drive and a disk access command such as DIR is given, the program immediately copies itself to some .EXE, .COM or other executable program on the new disk.

Later, when this infected disk is taken to another machine and the infected program is executed, the virus becomes active in the new computer's memory, again waiting for a disk to copy itself to.

These viruses also spread by copying themselves to the boot sector of the floppy; when the infected floppy is later used to boot some machine, the virus becomes active.

If the machine where the virus becomes active contains a hard disk drive, the virus also copies itself to the hard drive by writing itself to the MBR (Master Boot Record), the DBR (DOS Boot Record) or the executable programs on the hard disk drive.

TROJAN

Trojan is the name given to programs that appear to be useful utilities but contain hidden destructive parts. A virus that has infected a useful .COM or .EXE program turns that executable into a Trojan, because the moment someone executes it the virus becomes active and starts doing its job.

For example, your word processing program WS.EXE may become infected by some virus, and while you are typing in WS the virus, active in memory, may be destroying data on your hard disk drive.

Therefore, hiding a destructive program inside a legitimate-looking program is what makes a Trojan. A pure Trojan does not replicate itself, but currently most viruses contain a Trojan as well as a worm component, so a useful-looking program can destroy data as well as replicate itself.

BOMB

Another type of virus program is known as a bomb. These are programs that wait for some specific event to occur; when that event occurs the bomb becomes active, destroying or corrupting the information inside the computer.

The event can be anything defined by the programmer who writes the bomb: a particular date, a particular day falling on a specific date such as a Friday the 13th, or some event such as the virus having made 10 copies of itself, after which it may format the hard disk drive. A programmer may even write a bomb that deletes the complete FAT if his name is removed from the payroll file.

A virus may contain all three parts, bomb, worm and Trojan horse, to replicate and destroy data effectively.

MBR (Partition Table) Infector

Other than by their working method, viruses can also be classified by the area they infect. MBR or partition table infector viruses infect the Master Boot Record (MBR) of the hard disk drive (a floppy disk does not contain an MBR).

These viruses become active every time the machine is booted from the hard disk drive, because during booting the first thing the BIOS does is execute the program located in the MBR.

Removing an MBR virus is very easy, as one needs only to overwrite the infected MBR code with good MBR code, taking care that the partition table information is not overwritten and corrupted. (The boot code occupies the first 446 bytes of the sector; the 64-byte partition table and the 2-byte 55AA boot signature follow it.)
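The removal step described above, as an added example that is not code from the original post: parse a 512-byte MBR, notice that the boot-code region no longer matches a fingerprint taken when the disk was clean, and overwrite only those 446 bytes so the partition table and boot signature survive. The sample sector is constructed inline; its "boot code" is filler rather than a real loader, and the "infection" is just foreign bytes placed in front of that filler.

```python
"""Parse a 512-byte Master Boot Record, detect a changed boot-code region and
overwrite it while keeping the partition table intact.

Added example, not code from the original post. The MBR below is constructed
for illustration: the 'boot code' bytes are filler, not a real boot loader,
and the 'infection' is just foreign bytes prepended to that filler."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446   # bytes 0..445: the code the BIOS jumps to
PTABLE_OFF = 446      # four 16-byte partition entries follow
ENTRY_LEN = 16
SIG_OFF = 510         # 0x55 0xAA boot signature closes the sector
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partitions(mbr):
    """Return the four partition entries as dicts; refuse sectors without the 55AA signature."""
    if len(mbr) != SECTOR or mbr[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PTABLE_OFF + i * ENTRY_LEN
        status, ptype, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_LEN])
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": count})
    return parts


def boot_code_fingerprint(mbr):
    """SHA-256 of the code region only. The partition table is excluded because it
    legitimately differs from machine to machine; the boot code should not."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def boot_code_modified(mbr, known_good):
    """Compare against a fingerprint taken when the disk was known to be clean."""
    return boot_code_fingerprint(mbr) != known_good


def rewrite_boot_code(mbr, clean_code):
    """Replace bytes 0..445 with clean boot code; table and signature are copied through untouched."""
    if len(clean_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    return clean_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[PTABLE_OFF:]


def build_mbr(code, entries):
    """Assemble a sector from boot code and up to four (bootable, type, lba, count) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if b else 0, t, lba, n)
                     for b, t, lba, n in entries)
    return (code.ljust(BOOT_CODE_LEN, b"\x00")
            + table.ljust(4 * ENTRY_LEN, b"\x00") + b"\x55\xaa")


# Constructed sample data.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24   # filler standing in for a loader
PARTITIONS = [(True, 0x06, 63, 204800), (False, 0x05, 204863, 409600)]  # FAT16 + extended
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTITIONS)
KNOWN_GOOD = boot_code_fingerprint(CLEAN_MBR)
# An MBR infector keeps the partition table (the disk must still boot) but replaces the code.
INFECTED_MBR = build_mbr(b"\xeb\x10" + b"CONSTRUCTED-VIRUS-LOADER" + CLEAN_CODE, PARTITIONS)


def disinfect(mbr, clean_code=CLEAN_CODE, known_good=KNOWN_GOOD):
    """Return (was_infected, cleaned_sector, table_preserved)."""
    infected = boot_code_modified(mbr, known_good)
    cleaned = rewrite_boot_code(mbr, clean_code) if infected else mbr
    return infected, cleaned, parse_partitions(cleaned) == parse_partitions(mbr)


if __name__ == "__main__":
    was_infected, fixed, preserved = disinfect(INFECTED_MBR)
    print("infected:", was_infected, "table preserved:", preserved)
    print("first partition:", parse_partitions(fixed)[0])
```

The fingerprint comparison is only meaningful when the sector was read with no virus resident in memory, which is exactly why the post tells you to boot from a clean, write-protected disk before checking.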

DBR (Boot Sector) Infector

Another virus type, based on the area infected, is the DBR or DOS Boot Record infector. These viruses very commonly spread through infected floppy disks. Every time a floppy with an infected boot sector is used to boot a system, the virus becomes active in memory and starts spreading and destroying.

These viruses also infect the boot sector of the hard disk drive's DOS partition, and every time the machine is switched on and booted from the hard disk drive the virus becomes active in memory.

Even if the disk is not bootable, if it contains a boot sector virus and you try by mistake to boot from it, the virus in the DBR becomes active in memory.

If you are booting from the hard disk drive and the A: drive of your system contains a floppy disk, make sure that the drive door is open, so that the computer will not try to read the DBR of the floppy disk and activate any DBR virus.

Program/File Infector (Parasitic Virus)

Another type of virus does not infect the MBR or the DBR; instead it attaches itself to some executable program such as a .EXE, .COM, .SYS, .OVL, .BIN or .DLL file. These viruses turn the useful program they infect into a Trojan: any time the infected program is executed, the virus becomes active in memory and starts its work of replication and destruction.

Multipartite Viruses

A virus can contain all three of the above infectors, the MBR, DBR and program infector parts, in one program. This type of virus is called a multipartite virus.

Stealth Viruses

Stealth viruses are a special type of virus: once they become active in memory they conceal themselves from detection. When a scanner or disk editor reads an infected sector or file, the resident virus intercepts the read and returns what the original, uninfected contents looked like. Some also make their own code harder to recognize by encrypting it or by inserting NOP (no operation) instructions at random places in the virus program.

If you try to check the MBR using Norton's Diskedit program while the virus is active in memory, the virus will show you the original MBR sector. Only when the virus is not active in memory will you be able to see the infected MBR. This is the reason why, after a virus infection, a virus scanner program requires you to boot from a write-protected, uninfected system disk.

Polymorphic Viruses

Viruses that change their appearance by using encryption to avoid detection are known as polymorphic viruses. These viruses change their code with each run by encrypting it, and they also change the encryption method with each run, making it very difficult to detect them by the simple virus scanning method of looking for a fixed byte pattern.

The virus writer known as "Dark Avenger" has made a mutation engine which can make any virus polymorphic. His mutation engine causes the virus program to which it is attached to continually change its appearance, which makes detection of the virus by scanning for a fixed signature a very difficult job.
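To make concrete both the signature scanning the earlier "Run a virus scanner" section relies on and why the polymorphism described here defeats it, the following added example (not code from the original post, and not Dark Avenger's engine) takes an inert, constructed byte string standing in for a virus body, XORs it with a different key in each generation behind a toy two-byte decryptor stub, and shows that a fixed signature no longer matches; a scanner that first decrypts what the stub would decrypt catches every generation again, which is the principle behind the emulation real scanners use. The stub layout, the XOR cipher and the signature are all assumptions made for this example.

```python
"""Why a fixed byte signature catches a plain virus body but misses a polymorphic
one, and how decrypting before matching gets it back.

Added example, not code from the original post and not Dark Avenger's engine.
The 'virus body' is an inert constructed byte string; the decryptor is a toy
two-byte stub carrying a single XOR key, far simpler than a real mutation engine."""
import os

# Constructed inert body and the 9-byte pattern a signature database would hold for it.
BODY = b"\xb8\x01\x02\xcd\x21" + b"PAYLOAD-MARKER" + b"\xb4\x4c\xcd\x21"
SIGNATURE = b"\xcd\x21PAYLOAD"

STUB_MAGIC = b"\xb0"   # toy decryptor stub: one opcode byte followed by the key
STUB_LEN = 2


def scan_for_signature(sample, sig=SIGNATURE):
    """The simple scanning method: look for the fixed byte pattern anywhere in the file."""
    return sig in sample


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def new_generation(body=BODY, key=None):
    """Emit one generation: stub + key, then the body XOR'd with that key.
    A random nonzero key per generation is what makes each copy look different."""
    if key is None:
        key = 1 + os.urandom(1)[0] % 255
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 so the body is actually altered")
    return STUB_MAGIC + bytes([key]) + xor_bytes(body, key)


def scan_with_decryption(sample, sig=SIGNATURE):
    """Scanner that recognises the stub, recovers the key, decrypts the rest and
    only then applies the signature. Real scanners emulate the decryptor
    instead of knowing its layout, but the principle is the same."""
    if scan_for_signature(sample, sig):
        return True
    if sample[:1] == STUB_MAGIC and len(sample) > STUB_LEN:
        return sig in xor_bytes(sample[STUB_LEN:], sample[1])
    return False


def detection_rates(keys, sig=SIGNATURE):
    """How many of the generations produced with the given keys each method catches."""
    samples = [new_generation(key=k) for k in keys]
    plain = sum(scan_for_signature(s, sig) for s in samples)
    decrypting = sum(scan_with_decryption(s, sig) for s in samples)
    return plain, decrypting


if __name__ == "__main__":
    print("plain body caught by signature:", scan_for_signature(BODY))
    print("(plain, decrypting) hits over 20 generations:", detection_rates(range(1, 21)))
```

A real mutation engine also rewrites the decryptor stub itself each generation, so even `STUB_MAGIC` could not be relied on; that is why scanners ended up emulating the suspect code until it decrypts itself rather than matching bytes on disk.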

Macro Virus

Macro viruses appeared after the introduction of macros in applications such as spreadsheets, word processors, etc. Most macro viruses are written to infect Microsoft Word and Microsoft Excel documents.

Macro viruses generally spread through the Internet and e-mail.

If a Word or Excel file containing macros is sent as an e-mail attachment, then when the document is opened by the recipient the macro gets executed, the virus becomes active on his computer and starts spreading further.

Many of these viruses look in the user's address book and send themselves as e-mail attachments to all available e-mail addresses, spreading even further.

To protect against macro viruses, one should never open a document received as an attachment without first scanning it with the latest virus scanner.
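The "scan before opening" advice above, as an added example that is not code from the original post: a small triage routine that walks the attachments of an e-mail message, flags executables by extension or MZ header, and flags Office documents that carry a VBA project. It assumes the modern zip-based Office Open XML format (.docm, .xlsm), where macros live in a `vbaProject.bin` member; the 1990s binary .doc/.xls files the post has in mind use OLE storage, which this check does not parse, so those are flagged by extension only. The message and the macro-enabled document are constructed inline.

```python
"""Triage e-mail attachments before anyone opens them: flag executables by
extension or MZ header, and Office Open XML documents that carry a VBA project.

Added example, not code from the original post. Assumes the zip-based Office
Open XML format; legacy binary .doc/.xls (OLE storage) are only flagged by
extension. The sample message below is constructed inline."""
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js"}
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".dot", ".xlt"}


def has_vba_project(data):
    """True when an Office Open XML container includes a vbaProject.bin member,
    the part that holds compiled VBA macros. Non-zip data is simply 'no'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.endswith("vbaProject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachments(raw_message):
    """Return [(filename, reason)] for every attachment that should be scanned or blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTS or data[:2] == b"MZ":   # MZ: DOS/Windows executable header
            findings.append((name, "executable attachment"))
        elif has_vba_project(data):
            findings.append((name, "Office document with VBA macros"))
        elif ext in LEGACY_OFFICE_EXTS:
            findings.append((name, "legacy Office binary; scan for macros before opening"))
    return findings


def build_sample_message():
    """Constructed test mail: a macro-enabled document, an executable and a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")

    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not a real VBA project")
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(b"MZ\x90\x00constructed stub, not a real program", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.exe")
    msg.add_attachment("Just some notes.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in triage_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```

The double extension on `photo.jpg.exe` is the classic trick for getting a recipient to open an executable; checking the real final extension and the MZ header rather than the displayed name is what catches it.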

Web Applet Virus

A new type of virus can be written in web scripting and applet technologies such as ActiveX, JavaScript, Java, etc. When a web page containing infected ActiveX, JavaScript or Java code is opened, the virus can infect your system.

Once the virus becomes active it can do all the things a virus does, such as destroying data, spreading itself, etc.