
Introduction
1... What is a Virus?
2... Identifying the Threat
3... Minimising the Virus Threat
4... Anti-Virus Tools
5... Booting Clean
6... Booting Clean Under Windows 95
7... What Users Need to Know
8... Glossary of Virus terms
The virus threat is real. It is neither the world-shattering problem sometimes outlined in the pages of the press, nor the non-existent 'urban myth' suggested by others. Many 'in the wild' viruses cause no damage, but a significant number are specifically designed to cause data loss. Like other problems facing IT professionals, the virus threat should be assessed realistically. It is important to identify those areas of the organisation which interface with the outside world and which are the likely source of a virus infection. The appropriate anti-virus tools should be selected, designed to provide a layered defence of the system (perimeter defences; in-depth protection of laptop PCs, desktop PCs and servers; etc.). It is important to look at the way data is handled within the organisation, and to take routine precautions to minimise the risk of infection.
Chapter 1 - What is a Virus?
A virus is a piece of self-replicating code; in other words, it is software which is designed to copy itself. Boot sector viruses infect the boot sector of floppy disks and the partition sector [or, in some cases, the boot sector] of hard disks, when the PC is booted from an infected floppy disk. Executable file viruses infect program files, on local drives or network drives. Macro viruses infect the macros within document and spreadsheet files.

In addition to the code necessary for the virus to copy itself, most successful 'in the wild' viruses try to conceal themselves from users and from anti-virus programs [if a virus quickly draws attention to itself, it is unlikely to spread very far]. Some viruses contain a payload; this may be anything from a screen display or message to damage to data files. However, not all viruses contain a payload. If the virus does contain a payload, there must be a trigger which causes the virus to deliver it. The trigger may be a particular system date, the number of re-boots, the number of floppy disks infected, or anything else which software can be designed to test for.

It is worth noting that virus authors, unlike commercial software vendors, do not have to make their software compatible with other programs; they do not have to beta test their software or provide technical support on their products. For this reason, viruses may produce unintended consequences [they may make the system unstable, or prevent other software from working properly].

Chapter 2 - Identifying the Threat
You can't manage what you can't measure! In order to implement an effective anti-virus strategy, it is essential to identify the sources of any possible virus infection. You should consider the following.

Floppy disks and CDs brought into an organisation [including shrink-wrapped software from original manufacturers, and disks from other organisations such as suppliers and marketing agencies] bring with them the risk of virus infection. The movement of floppy disks and CDs between different sites within an organisation may also help to spread a virus. Boot sector viruses [which spread via floppy disks] are still common; and viruses have been found on CDs.

Desktop PCs used at home [and laptop PCs] are a potential source of virus infection. The use of laptop PCs, in particular, has become commonplace in the last few years. Floppy disks and CDs used in these PCs may not have been checked for viruses; and the employee may not be the only person using the PC [spouse, children, friends, etc.]. It is important to recognise that these PCs, which are not under the direct control of an organisation's IT Department, may be more exposed to virus infection than those which are.

The use of e-mail within corporate organisations provides an effective way for viruses to spread. It is not possible to become infected by a virus simply by reading a plain text message, in spite of the many virus hoaxes ['Good Times', 'Irina', 'Penpal Greetings', 'Deeyenda', 'AOL4FREE', 'Join the Crew', etc.] which claim that viruses spread via text messages. [A mail client which renders HTML or runs scripts in its preview pane is a different matter, and should itself be treated as a potential entry point.] However, e-mail attachments are a potential threat. Since the advent of macro viruses, which infect documents and spreadsheets, e-mail has become a very effective mechanism for spreading viruses. If a document or spreadsheet is infected, it can become widespread very quickly by being attached to an e-mail message. This is true even of an e-mail system with no connection to the outside world. If users are able to send and receive e-mail via the Internet, the threat becomes even greater.

Use of the Internet is a further potential source of infection. If any users within an organisation have direct access to the Internet, they are able to download a vast range of material [including programs and documents], all of it potentially infected. Any file downloaded could contain a virus, either an executable file virus or a macro virus. Unprotected access to the Internet can provide a virus with a springboard into your organisation.

Chapter 3 - Minimising the Virus Threat
There are several steps you can take to minimise the risk of your organisation becoming infected by a virus and, if a virus does breach your defences, to minimise the risk of data loss.

1. Taking regular backups of data on your system is the most important precaution you can take against data loss, whether that data loss is the result of hardware or software malfunction, or of virus infection. It is important to ensure that you are able to restore data from these backups: test the restore, rather than assuming the backup is usable. You should also ensure that you have clean copies of all your executable files on floppy disks [these disks should be kept write-protected].

2. You should ensure that ALL incoming software comes from reputable sources. It is a common, though mistaken, belief that shareware, free disks or games are the only source of viruses: while such software can be a source of viruses [because it is copied more], it is the source, NOT the function, of software which is important [viruses have been found on shrink-wrapped software distributed by major companies, and on disks sent out with hardware]; the playing of games is primarily a management issue, rather than a virus issue 'per se'. For this reason, ALL incoming floppy disks should be checked for viruses.

3. Floppy disks are a common means by which viruses are spread [boot sector viruses, which represent a large proportion of the viruses reported to Dr Solomon's Software, can be spread only on floppy disks]. Judicious management of workstations, particularly in relation to the use of floppy disks, can help to minimise the risks of infection by boot sector viruses.
   1. Cultivate the habit of write-protecting floppy disks, wherever possible, to prevent virus infection.
   2. Discourage users from leaving floppy disks in the drive when PCs are switched off, to prevent PCs from being inadvertently booted from a floppy disk infected with a boot sector virus.
   3. If users do accidentally boot from a diskette, encourage them to power off and re-start the PC, rather than continuing the boot process.
   4. Change the CMOS setting of PCs so that they boot in the sequence C:, A: [to prevent the PC from booting from a floppy disk].

4. Judicious network management can go a long way towards preventing the infection of files stored on a network. As far as normal network users are concerned, a file server is simply a hard disk at the end of a cable: it may be where their software is run from; it may be where their data files are stored; and it is the place to which their files go on their way to the printer. The system administrator can do a lot to protect a network against the possibility of virus infection, simply by making use of the built-in security features offered by most network software. When a user logs in to the network, the network software checks, by means of a password, to see what rights have been assigned to that user by the network supervisor. If there is a virus memory-resident on that user's PC, it has only the same rights as the logged-in user. By setting files to 'execute-only', the network supervisor can ensure that users are able to run software without being able to change it; and if the user is unable to change software, then so is the virus [this may also be done for data files, by setting them to 'read-only']. The situation is different on the workstation itself: here the user is able to change file attributes, using routines made available by the operating system; and if the user is able to do this, then so is any virus which is memory-resident on that user's PC.

Chapter 4 - Anti-Virus Tools
It is important that your organisation is equipped with the right tools with which to implement an effective anti-virus strategy. Such a strategy should be based on the prevention of virus infection; the earliest possible detection of any virus which breaches your organisation's outer defences; and, should a virus spread within your organisation, recovery and a return to normal business as quickly as possible. You should consider the following when selecting which tools to use.

The tools described below are designed both for prevention and early detection of viruses.

If a 'sheep-dip' [or 'footbath'] PC is used to check incoming floppy disks and CDs, this will provide early detection of a virus, before the infected floppy disk or CD is used within the organisation's main system. The 'sheep-dip' PC should be stand-alone [to avoid the risk of a virus infecting the network]. In a large organisation, it may be advisable to use several 'sheep-dip' PCs [one per building, one per department, etc.].

PCs [stand-alone or workstations] should be protected with an on-access scanner [VirusGuard and/or WinGuard], to provide the first layer of protection 'in-depth' [rather than at the perimeter]. The on-access scanner will scan disks and files before they are used. It runs in the background [requiring no action on the part of the user]. The user will be given a pop-up warning identifying the virus, and will not be able to use the infected disk or file. VirusGuard and WinGuard provide protection for floppy disks, local hard disks and network drives. They are fully configurable, to enable greater or lesser security [for example, checking files which are written to disk may be selected for those PCs which download software, documents, etc. from a remote location such as the Internet or a BBS]. WinGuard may be configured to auto-disinfect, so that disks and files are cleaned automatically on detection. This makes anti-virus management easier [virus removal is carried out automatically, rather than by a member of the IT Department]. WinGuard may also be configured to log all virus incidents, allowing the IT Department to monitor them.

Network servers should be effectively protected [programs and documents may be located on shared network drives; if they become infected, a virus will be able to spread via the network]. At the very least, network drives should be scanned regularly from a system administrator's PC.

The increased use of e-mail systems [and the threat from e-mail attachments, mainly infected Word for Windows documents] means that a virus can spread very quickly throughout an organisation. If an organisation has an e-mail connection to the Internet, this threat increases dramatically. Although WinGuard will prevent access to infected e-mail attachments, this still leaves the logistical problem of removing the infected attachment from the mail server [and the possibility of an unprotected workstation becoming infected]. This risk can be minimised by scanning e-mail as it enters [or leaves] the organisation. Products such as McAfee VirusScan and Norton AntiVirus can provide this scanning function automatically. Each workstation should also have its own virus checker.

If the worst happens, and a virus does get through your defences, it is important that you are able to recover from the infection [and make good any damage which may have been caused] with the least possible disruption to your organisation's normal business. The following should be considered as essential.

Booting clean. Remember that most viruses are memory-resident programs. Before attempting to remove these viruses, it is essential to clear memory [using the power-off switch] and boot the PC without loading anything from the hard disk. Booting clean is essential, but it is not as straightforward as it may appear at first sight; for this reason, this subject is dealt with below [see Chapter 5, Booting Clean].

Original copies of your applications. If your executable files cannot be disinfected [for example, if a virus has damaged the original programs], you will need to delete any infected files and replace them with good copies.

A backup of the data on your system. If a virus has damaged any of your data, you will need to restore the data from a backup. The most important asset of your organisation is the data; so regular backups should be an integral part of your normal support operation.

Chapter 5 - Booting Clean
NEVER attempt to carry out a clean-up operation if there is a virus in memory. ALWAYS power off [to clear memory] and boot from a clean disk, to avoid running anything from the hard disk.

It is wise to ensure that you have a system disk for the PCs within your organisation. However, you should consider the following.

Your DOS system disk should allow you to access the hard disk of PCs running any version of DOS within the organisation. This may mean creating several system disks [although MS-DOS 5.x and MS-DOS 6.x will allow access to earlier DOS versions].

You may need to load one or more device drivers in order to access some PCs in your organisation [for example, if the PC's disk is compressed using Stacker, SuperStor, etc.]. If this is the case, your system disk should contain clean copies of these device drivers, and you should create a CONFIG.SYS with the commands necessary to load them.

If you have a network, you should create a disk containing clean copies of the relevant network drivers, to enable you to connect to the network without running any programs [which may be infected] from the network.

Check the machine's CMOS settings, to ensure that drive A is installed. The Exebug virus, for example, removes the CMOS entry for drive A, thus forcing a boot from drive C:; the virus loads into memory from the partition sector and re-installs drive A, thus 'faking' a clean boot. If drive A has been removed, re-enter it in the CMOS setup before booting from the system disk; a boot which did not actually come from the floppy cannot be trusted to be clean.
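As an added illustration of what the partition sector holds and what a check of it looks like (this is example code added to the page, not from the original guide or from Dr Solomon's Software; the sectors it examines are constructed inline, and reading the real first sector of a drive needs raw device access, which is not shown), the following Python parses a 512-byte partition sector, verifies the 0x55AA boot signature, decodes the partition entries and compares the boot-code area against a baseline hash taken when the PC was known to be clean. The partition table is deliberately left out of the hash, because a boot sector virus keeps it intact so that the disk still boots; the telltale is changed code beside an unchanged table. The check is only meaningful after a clean boot: a memory-resident virus can intercept disk reads and hand back the original sector. The type-byte table also shows why Chapter 6's warning matters, since FAT32 partitions (types 0x0B and 0x0C) are unreachable from a FAT16-only system disk.

```python
"""Partition-sector integrity check. Added example, not code from the original
guide or from Dr Solomon's Software. The sample sectors are constructed here."""

import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446              # the 4 x 16-byte partition table follows the boot code
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count

# A few common partition type bytes. FAT32 volumes (0x0B, 0x0C) cannot be
# reached from a FAT16-only DOS system disk.
PARTITION_TYPES = {
    0x01: "FAT12",
    0x04: "FAT16 (<32 MB)",
    0x06: "FAT16",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)",
}


def parse_partition_sector(sector):
    """Decode the boot signature and the in-use partition entries of one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, "other (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
        })
    return {"signature_ok": sector[510:512] == b"\x55\xAA",
            "partitions": partitions}


def code_digest(sector):
    """SHA-256 of the boot-code area only (bytes 0..445). The table is excluded
    because a boot sector virus leaves it intact so that the disk still boots."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()


def check_sector(sector, baseline_digest):
    """Compare a sector read after a clean boot against the known-good baseline.
    Any change to the code area (a virus, or a legitimate FDISK /MBR) is reported."""
    info = parse_partition_sector(sector)
    info["code_unchanged"] = code_digest(sector) == baseline_digest
    return info


def build_sector(code, entries):
    """Assemble a constructed sector from placeholder boot code and partition
    entries given as (bootable, type_byte, lba_start, sector_count)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for i, (bootable, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         lba_start, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def demo():
    """Baseline a constructed clean sector, then check a constructed infected one."""
    table = [(True, 0x06, 63, 2097088)]                              # one bootable FAT16 partition
    clean = build_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", table)  # placeholder boot code
    baseline = code_digest(clean)
    # The 'infected' sector keeps the table and signature but carries different code.
    infected = build_sector(b"\xeb\x1c\x90" + b"\x00" * 5, table)
    return {"clean": check_sector(clean, baseline),
            "infected": check_sector(infected, baseline)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "signature_ok=%s code_unchanged=%s"
              % (result["signature_ok"], result["code_unchanged"]))
        for p in result["partitions"]:
            print("   ", p)
```

Take the baseline digest when the PC is built (or immediately after a clean boot and a scan with up-to-date tools), store it on the write-protected emergency disk, and re-run the comparison from the clean-booted system disk whenever a boot sector infection is suspected.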
clean-up is not the occasion to discover that you lack the tools necessary to deal with a virus
outbreak. We would recommend that you put together a set of 'emergency tools', in advance of
any virus infection: these tools should be kept up-to-date. Most all virus detection software companies allow free online updates for the software.Chapter 6 - Booting Clean Under Windows 95
A system disk may be created under Windows 95 using the command
FORMAT A:/U/S
[/U formats the floppy unconditionally; /S copies the system files to it, making it bootable]. This will enable the PC to be booted clean. However, we have found that this is NOT sufficient for removing some boot sector virus infections; in a few cases, an attempt to boot clean in this way causes the PC to 'hang'. In these cases, you should proceed as outlined above, using a DOS system disk.
If the PC is running a version of Windows 95 which uses a 32-bit FAT [File Allocation Table], you will be unable to access files on the hard disk if the PC is booted from a DOS system disk, or from a system disk created under a version of Windows 95 which uses a 16-bit FAT. If you use a version of Windows 95 which uses a 32-bit FAT, you should create a specific system disk for this operating system.

Chapter 7 - What Users Need to Know
The anti-virus tools deployed throughout your organisation are the most effective means of preventing the infection and spread of a virus. The organisation's 'perimeter defence' ['sheep-dip' PCs] minimises the risk of a virus entering the organisation. The organisation's 'in-depth' desktop protection [VirusGuard and WinGuard] operates in the background, preventing access to infected disks and files with minimal input required from the user. Server protection adds a secondary layer of defence 'in-depth', and makes it easier to administer the anti-virus strategy.

The more your anti-virus strategy can be lifted out of the hands of your users, and the more automated the anti-virus scanning, the easier it will be to manage. Remember that users are fallible; and that, in their eyes, 'the virus problem' is an IT problem [users' primary function is in Sales, Marketing, etc.].

Nevertheless, any comprehensive anti-virus policy should include guidelines for users, outlining the ways in which they are expected to handle data so as to minimise the risk of infection. You should consider the following.

The organisation should specify a series of rules, defining how data should be handled within the organisation. These rules should be simple and clear, or they will not be read and/or understood by users. They should specify what users must, or must not, do. Examples of such rules might be:
only authorised software should be used within the organisation [complete with details of what is meant by 'authorised'];
all virus incidents should be reported to the IT Department;
employees should take reasonable precautions to avoid the possibility of virus infection [where 'reasonable precautions' means following the specified rules and procedures]. It should be considered a breach of company discipline if employees fail to comply with the specified rules and procedures. Remember that if you do not specify such rules, it will be very difficult to take disciplinary action against anyone who wilfully [or recklessly] breaches your anti-virus defences.
The procedures which employees should follow, when handling data, should be clearly
outlined. For example, clear details should be given on how incoming floppy disks and CDs
should be checked; and whether this is to be done on a separate 'sheep-dip' PC, or by the
users themselves.
You should consider providing some form of education for users. It is inadvisable to
make such 'virus awareness' or 'security' training too intense; the message should be
simple and clear. Users should be made aware of the possible consequences of a virus
infection. If users understand the way a virus could impact on them, they are more likely
to follow the rules and procedures designed to keep the organisation virus free.
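As an added worked example of the procedure described in this chapter and in Chapter 4 (checking incoming media on a stand-alone 'sheep-dip' PC, with every incident logged for the IT Department), the following Python script, which is not part of the original guide and is not Dr Solomon's or any vendor's code, walks every file on a mounted volume, matches a signature table, flags OLE2 documents that carry a VBA project (a macro-capable Word or Excel file, which on a sheep-dip PC is grounds for a closer look, since a scanner without a matching signature cannot tell a benign macro from a macro virus), and appends each incident to a log kept off the media. The signature table holds only the EICAR test string; the sample floppy contents and the OLE2 heuristic are constructed and simplified as marked in the comments. The same scan_file routine would serve a mail gateway that unpacks attachments before delivery.

```python
"""Sheep-dip scan of incoming media. Added example: not code from the original
guide, nor from Dr Solomon's Software or any vendor. The signature list and
the sample files are constructed here; the layout mirrors an incoming floppy."""

import hashlib
import os
import tempfile
from datetime import datetime, timezone

# name -> byte pattern. The EICAR string is the industry-standard test file,
# which any scanner must detect; a real signature set is far larger.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

# OLE2 compound-file header (Word 6/97 .DOC, Excel .XLS). Stream names inside
# it are stored as UTF-16LE; a VBA project always has a _VBA_PROJECT stream.
# Matching the raw bytes is a simplified heuristic; a real scanner parses the
# OLE2 directory instead of searching the whole file.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def scan_file(path):
    """Return (findings, short sha256) for one file; findings are (verdict, detail)."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = [("virus-signature", name) for name, sig in SIGNATURES.items() if sig in data]
    if data.startswith(OLE2_MAGIC) and VBA_MARKER in data:
        findings.append(("macro-document", "OLE2 file carries a VBA project"))
    return findings, hashlib.sha256(data).hexdigest()[:16]


def scan_media(root, log_path):
    """Walk the mounted volume under root; append each incident to the log and
    return them as (verdict, detail, filename). The log lives off the media so
    that it is never scanned or carried away with the disk."""
    incidents = []
    with open(log_path, "a", encoding="utf-8") as log:
        for dirpath, _dirs, filenames in os.walk(root):
            for fn in sorted(filenames):
                path = os.path.join(dirpath, fn)
                findings, digest = scan_file(path)
                for verdict, detail in findings:
                    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
                    log.write("%s %s %s sha256:%s %s\n" % (
                        stamp, verdict, os.path.relpath(path, root), digest, detail))
                    incidents.append((verdict, detail, fn))
    return incidents


def demo():
    """Create a constructed incoming floppy in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "A")
        os.makedirs(os.path.join(media, "DOCS"))
        with open(os.path.join(media, "README.TXT"), "wb") as f:
            f.write(b"Quarterly figures attached.\r\n")            # clean text file
        with open(os.path.join(media, "EICAR.COM"), "wb") as f:
            f.write(SIGNATURES["EICAR-Test-File"])                  # standard test file
        with open(os.path.join(media, "DOCS", "BUDGET.DOC"), "wb") as f:
            # constructed: OLE2 header plus a VBA stream name, not a real document
            f.write(OLE2_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64)
        return scan_media(media, os.path.join(tmp, "SHEEPDIP.LOG"))


if __name__ == "__main__":
    for verdict, detail, fn in demo():
        print("%-16s %-12s %s" % (verdict, fn, detail))
```

On a real sheep-dip PC the call is scan_media() against the mount point of the incoming disk, with the log on the sheep-dip PC's own drive; anything reported is held back until the IT Department has looked at it, which is the 'clear details on how incoming disks should be checked' that the rules above ask for.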
Glossary of Terms as found on the Symantec Web site.
@m : Signifies the virus or worm is a "mailer". An example is Happy99 (W32.Ska), which only sends itself by email when you (the user) send mail.
@mm : Signifies the virus or worm is a "mass-mailer". An example is Melissa, which sends messages to every email address in your mailbox.
Also known as : These are names that other antivirus vendors use to identify this threat.
Bug : A programming error in a software program which can have unwanted side effects. Examples: various web browser security problems, Y2K software problems.
Category: Hoax - Usually an email that gets mailed in chain-letter fashion, describing some devastating but highly unlikely type of virus. You can usually spot a hoax because there is no file attachment, no reference to a third party who can validate the claim, and by the general 'tone' of the message.
Category: Joke - A harmless program that causes various benign activities to display on your computer (e.g., an unexpected screen-saver).
Category: Trojan horse - A program that neither replicates nor copies itself, but does damage or compromises the security of the computer. Typically it relies on someone emailing it to you; it does not email itself. It may arrive in the form of a joke program or software of some sort.
Category: Virus - A program or code that replicates, that is, infects another program, boot sector, partition sector or document that supports macros by inserting itself or attaching itself to that medium. Most viruses just replicate; a lot also do damage.
Category: Worm - A program that makes copies of itself, for example from one disk drive to another, or by copying itself using email or some other transport mechanism. It may do damage and compromise the security of the computer. It may arrive in the form of a joke program or software of some sort.
Causes system instability : This payload might cause the computer to crash or to behave in an unexpected fashion.
Compromises security settings : This payload might attempt to gain access to passwords or other system-level security settings. It might also search for openings in the Internet processing components of the computer to install a program on that system that could be controlled remotely by someone over the Internet.
Damage : The damage component measures the amount of harm that a given threat might inflict. This measurement includes triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, errors in the virus code, compromising security settings, and ease by which the damage might be fixed.
Degrades performance : This payload slows computer operations. This might involve allocating available memory, creating files that consume disk space, or causing programs to load or execute more slowly.
Deletes files : This payload deletes various files on the hard disk. The number and type of files that might be deleted vary among viruses.
Distribution : This component measures how quickly a threat is able to spread itself.
Encrypted Virus : A virus that uses encryption to hide itself from virus scanners. That is, it jumbles up its program code to make it difficult to detect.
Geographic distribution : This measures the range of separate geographic locations where infections have been reported. The measures are high (global threat), medium (threat present in a few geographic regions), and low (localized or non-wild threat).
Infection length : This is the size, in bytes, of the viral code that is inserted into a program by the virus. If this is a worm or Trojan horse, the length represents the size of the file.
Large scale e-mailing : This type of payload involves sending emails out to large numbers of people. This is usually done by accessing a local address book and sending emails to a certain number of people within that address book.
Mobile Code : Code (software) that is transferred from a host to a client (or another host computer) to be executed (run). When we talk about malicious mobile code we may use a Worm as an example.
Modifies files : This payload changes the contents of files on the computer and might corrupt files.
Name of attachment : Most worms are spread as attachments to emails. This field indicates the usual name or names that the attachment might be called.
Number of countries : This is a measure of the number of countries where infections are known to have occurred.
Number of infections : This measures the number of computers that are known to be infected.
Number of sites : This measures the number of locations with infected computers. This normally refers to organizations such as companies, government offices, and the like.
Payload : This is the malicious activity that the virus performs. Not all viruses have payloads, but there are some that perform destructive actions.
Payload trigger : This is the condition that causes the virus to activate or drop its destructive payload. Some viruses trigger their payloads on a certain date. Others might trigger their payload based on the execution of certain programs or the availability of an Internet connection.
Polymorphic Virus : A virus that has the ability to change its byte pattern when it replicates thereby avoiding detection by simple string scanning techniques.
Ports : This field indicates the TCP/IP ports that the threat might attempt to use.
Releases confidential information : This payload might attempt to gain access to important data stored on the computer such as credit card numbers.
Removal : This measures the skill level needed to remove the threat from a given computer. Removal sometimes involves deleting files and modifying registry entries. The three levels are difficult (requires an experienced technician), moderate (requires some expertise), and easy (requires little or no expertise).
Retrovirus : A computer virus that actively attacks an anti-virus program or programs in an effort to prevent detection.
Sequence number : Sequence numbers are used only by the Norton AntiVirus Corporate products, and are an alternate method of representing the date of the latest definitions or required definitions. Sequence numbers are assigned to signature sets sequentially, and they are always cumulative. A signature set with a higher sequence number supersedes a signature set with a lower sequence number.
Shared drives : This field indicates whether or not the threat will attempt to replicate itself through mapped drives or other server volumes to which the user might be authenticated.
Size of attachment : This field indicates the size of the file that is attached to the infected email.
Subject of email : Some worms spread by sending themselves to other people through email. This field indicates the subject of the email that is sent by the worm.
Target of infection : This field indicates the types of files that might be infected by the virus.
Technical description : This section describes the specific details of the infection such as registry entry modifications and files that are manipulated by the virus.
Threat assessment : This is a severity rating of the virus, worm or Trojan horse. It includes the damage that this threat causes, how quickly it can spread to other computers (distribution), and how widespread the infections are known to be (wild).
Threat containment : This is a measure of how well current antivirus technology can keep this threat from spreading. As a general rule, older virus techniques are generally well-contained; new threat types or highly complex viruses can be more difficult to contain, and are correspondingly more a threat to the user community. The measures are high (the threat is well-contained), medium (the threat is partially contained), and low (the threat is not currently containable).
Time stamp of attachment : This field indicates the date and time of the file attachment.
Virus definitions : This field indicates when virus definitions that include protection for this virus were publicly available via LiveUpdate, the Intelligent Updaters or Special Definitions.
Wild : The wild component measures the extent to which a virus is already spreading among computer users. This measurement includes the number of independent sites infected, the number of computers infected, the geographic distribution of infection, the ability of current technology to combat the threat, and the complexity of the virus.
