The following guidelines will, one hopes, be of assistance. However, you may get better use out of them if you read the rest of this document before acting rashly...
If you think you may have a virus infection, *stay calm*. Once detected, a virus will rarely cause (further) damage, but a panic action might. Bear in mind that not everyone who thinks s/he has a virus actually does (and a well-documented, treatable virus might be preferable to some problems!). Reformatting your hard disk is almost certainly unnecessary and very probably won't kill the virus.
If you've been told you have something exotic, consider the possibility of a false alarm and check with a different package.
If you have a good antivirus package, use it. Better still, use more than one. If there's a problem with the package, use the publisher's tech support and/or try an alternative package. If you don't have a package, get one (see section on sources below). If you're using Microsoft's package (MSAV) get something less out-of-date.
Follow the guidelines below as far as is practicable and applicable to your situation.
Try to get expert help *before* you do anything else. If the problem is in your office rather than at home there may be someone whose job includes responsibility for dealing with virus incidents.
* Do not attempt to continue to work with an infected system, or let
other people do so.
* Generally, it's considered preferable to switch an infected
system off until a competent person can deal with it: don't allow
other people to use it in the meantime. If possible, close down applications,
Windows etc. properly and allow any caches/buffers to flush, rather
than just hit the power switch.
* If you have the means of checking other office machines for
infection, you should do so and take appropriate steps if an infection
is found.
* If you are unable to check other machines, assume that all machines
are infected and take all possible steps to avoid spreading infection
any further.
* If there are still uninfected systems in the locality, don't use
floppy disks on them [except known clean, write-protected DOS boot
floppies].
* Users of infected machines should not *under any circumstances* trade
disks with others until their systems and disks are cleaned.
* If the infected system is connected to a Novell network, Appleshare
etc., it should be logged off all remote machines unless someone
knowledgeable says otherwise. If you're not sure how to do this,
contact whoever is responsible for the administration of the network.
You should in any case ensure that the network administrator or other
responsible and knowledgeable individual is fully aware of the situation.
* No files should be exchanged between machines by any other means
until it's established that this can be done safely.
* Ensure that all people in your office and anyone else at risk are
aware of the situation.
* Get *all* floppy disks together for checking and check every one.
This includes write-protected floppies and program master disks.
Check all backups too (on tape or file servers as well as on floppy).
What is a virus (and what are Trojans and Worms)?
A (computer) virus is a program (a block of executable code) which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user. Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.
A Trojan Horse is a program intended to perform some covert and usually malicious act which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce (though this distinction is by no means universally accepted).
A dropper is a program which installs a virus or Trojan, often covertly.
A worm is a program which spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program. In practice, worms are not normally associated with personal computer systems.
How do viruses work?
A file virus attaches itself to a file, usually an executable application (e.g. a word processing program or a DOS program). In general, file viruses don't infect data files. However, data files can contain embedded executable code such as macros, which may be used by virus or Trojan writers. Text files such as batch files, PostScript files, and source code which contain commands that can be compiled or interpreted by another program are potential targets for malware (malicious software), though such malware is not at present common.
Boot sector viruses alter the program that is in the first sector (boot sector) of every DOS-formatted disk. Generally, a boot sector infector executes its own code (which usually infects the boot sector or partition sector of the hard disk), then continues the PC bootup (start-up) process. In most cases, all write-enabled floppies used on that PC from then on will become infected.
Multipartite viruses have some of the features of both the above types of virus. Typically, when an infected *file* is executed, it infects the hard disk boot sector or partition sector, and thus infects subsequent floppies used or formatted on the target system.
How do viruses spread?
A PC is infected with a boot sector virus (or partition sector virus) if it is (re-)booted (usually by accident) from an infected floppy disk in drive A. Boot Sector/MBR infectors are the most commonly found viruses, and cannot normally spread across a network. These (normally) spread by accident via floppy disks which may come from virtually any source: unsolicited demonstration disks, brand-new software (even from reputable sources), disks used on your PC by salesmen or engineers, new hardware, or repaired hardware.
A file virus infects other files when the program to which it is attached is run, and so *can* spread across a network (often very quickly). They may be spread from the same sources as boot sector viruses, but also from sources such as Internet FTP sites and bulletin boards. (This applies also to Trojan Horses.)
A multipartite virus infects boot sectors *and* files. Often, an infected file is used to infect the boot sector: thus, this is one case where a boot sector infector could spread across a network.
How can I avoid infection?
There is no way to guarantee that you will avoid infection. However, the potential damage can be minimized by taking the following precautions:
* make sure you have a clean boot disk - test with whatever (up-to-date!)
antivirus software you can get hold of and make sure it is (and stays)
write-protected. Boot from it and make a couple of copies.
* use reputable, up-to-date and properly-installed anti-virus software
regularly. If you use a shareware package for which payment and/or
registration is required, do it. Not only does it encourage the writer
and make you feel virtuous, it means you can legitimately ask for
technical support in a crisis.
* do some reading. If you're a home user, you may well get an
infection sooner or later. If you're a business user, it'll be sooner.
Either way you'll benefit from a little background. If you're a business
user you (or your enterprise) need a policy.
* don't rely *solely* on newsgroups like this to get you out of
trouble: it may be a while before you get a response (especially
from a moderated group like comp.virus), and the first response you
act upon may not offer the most appropriate advice for your particular
problem.
* if you use a shareware/freeware package, make sure you have hard
copy of the documentation *before* your system falls apart!
* always run a memory-resident scanner to monitor disk access and
executable files before they're run.
* if you run Windows, a reputable anti-virus package which includes
DOS *and* Windows components is likely to offer better protection
than a DOS only package. If you run Windows 95, you need a proper
Win95 32-bit package for full protection.
* make sure your home system is protected, as well as your work PC.
* check all new systems and all floppy disks when they're brought
in (from *any* source) with a good virus-scanning program.
* acquire software from reputable sources: 2nd-hand software is
frequently unchecked and sometimes infected. Bear in mind that shrink-wrapped
software isn't necessarily unused. In any case, reputable firms have
shipped viruses unknowingly.
* once formatted, keep floppies write-disabled except when you need
to write a file to them: then write-disable them again.
* make sure your data is backed up regularly and that the procedures
for restoring archived data *work* properly.
* scan pre-formatted diskettes before use.
* Get to know all the components of the package you're using and
consider which bits to use and how best to use them. Different packages
have different strengths: diversifying and mixing and matching can,
if carefully and properly done, be a good antivirus strategy, especially
in a corporate environment.
* if your PC can be prevented with a CMOS setting from booting with
a disk in drive A, do it (and re-enable floppy booting temporarily
when you need to clean-boot).
CMOS settings
Some CMOSes come with special anti-virus settings. These are normally vague about what they do, but typically they write-protect your hard disk's boot sector and partition sector (MBR). This can be of some use against boot sector viruses, but may raise a false alarm when you upgrade your operating system.
One sensible setting to make (if your CMOS allows) is to adjust the boot sequence of your PC. Changing the default boot-up drive order from A:, C: to C: only will mean that the PC will attempt to boot from drive C: even if a floppy disk has been left in drive A:. This way boot sector virus infection can often be avoided. Remember, however, to set your CMOS back temporarily if you ever *do* want to boot clean from floppy (for example, when running a cryptographic checksummer after a cold boot).
SCSI controllers have their own BIOS. On some systems, this will override the boot sequence set in CMOS. It's always a good idea to check with a (known clean) bootable floppy after you've disabled floppy booting that it really is disabled.
How does antivirus software work?
* Scanner (conventional scanner, command-line scanner, on-demand
scanner) - a program that looks for known viruses by checking for
recognisable patterns ('scan strings', 'search strings', 'signatures').
* TSR scanner - a TSR (memory-resident program) that checks for
viruses while other programs are running. It may have some of the
characteristics of a monitor and/or behaviour blocker.
* VxD scanner - a scanner that works under Windows (or perhaps under
Win 95, or both), which checks for viruses continuously while you
work.
* Heuristic scanners - scanners that inspect executable files for
code using operations that might denote an unknown virus.
* Monitor/Behaviour Blocker - a TSR that monitors programs while
they are running for behaviour which might denote a virus.
* Change Detectors/Checksummers/Integrity Checkers - programs that
keep a database of the characteristics of all executable files on
a system and check for changes which might signify an attack by an
unknown virus.
* Cryptographic Checksummers use an encryption algorithm to lessen
the risk of being fooled by a virus which targets that particular
checksummer.
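A minimal keyed change detector of the kind the last two items describe, added here as an example (it is not from the FAQ or from any package it names). It records a MAC of every executable, then reports files that changed, appeared or vanished; HMAC-SHA256 as the "encryption algorithm", the tracked extensions and the constructed files in demo() are assumptions.

```python
import hmac
import hashlib
import tempfile
from pathlib import Path

# Executable types a DOS-era change detector tracks (assumed for this example); data files are left out.
TRACKED = {".exe", ".com", ".sys", ".ovl", ".bat"}


def keyed_checksum(path, key):
    """HMAC-SHA256 of a file. Unlike a CRC, a virus cannot recompute it without the
    key, so keep the key off the machine (e.g. on the write-protected boot floppy)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_database(root, key):
    """Size and MAC of every tracked file below root, keyed by relative path."""
    root = Path(root)
    return {
        str(p.relative_to(root)): {"size": p.stat().st_size, "mac": keyed_checksum(p, key)}
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in TRACKED
    }


def check(root, key, database):
    """Compare the current state with the database: (changed, added, missing) names."""
    current = build_database(root, key)
    changed = sorted(n for n in database if n in current and current[n]["mac"] != database[n]["mac"])
    added = sorted(n for n in current if n not in database)
    missing = sorted(n for n in database if n not in current)
    return changed, added, missing


def demo():
    """Constructed walk-through: baseline, then grow one executable the way a file
    infector grows its host, edit a text file (ignored) and drop in a new .COM."""
    key = b"constructed-example-key-keep-off-the-machine"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "MYAPP.EXE").write_bytes(b"MZ" + b"\x00" * 512)  # constructed stand-in
        (root / "NOTES.TXT").write_bytes(b"original text")
        database = build_database(root, key)
        with open(root / "MYAPP.EXE", "ab") as fh:
            fh.write(b"<appended code>")  # constructed; stands for the virus body
        (root / "NOTES.TXT").write_bytes(b"edited text")
        (root / "NEW.COM").write_bytes(b"\x00" * 16)
        return check(root, key, database)
```

Run from a clean boot with the key and database kept off the suspect machine, otherwise a stealth virus or one that edits the database defeats the check.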
Glossary
* AV - AntiVirus. Sometimes applied as a shorthand term for
anti-virus researchers/programmers/publishers - may include those whose
work is not AV research, but includes virus-control. (See also Vx.)
* BSI - Boot Sector Infector (= BSV - Boot Sector Virus)
* BIOS - Basic Input Output System
* CMOS - Memory used to store hardware configuration information
* DBR - DOS Boot Record
* DBS - DOS Boot Sector
* False Positive - When an antivirus program incorrectly reports a
virus in memory or infecting a file. Scanners in heuristic mode and integrity
checkers are, by definition, somewhat more prone to these.
* False Negative - Essentially, a virus undetected by an antivirus
program.
* In-the-wild - describes viruses known to be spreading uncontrolled
to real-life systems, as opposed to those which exist only in controlled
situations such as anti-virus research labs. Virus code which
has been published but not actually found spreading out of control
is not usually regarded as being in-the-wild.
* MBR - Master Boot Record (Partition Sector)
* TSR - A memory-resident DOS program, i.e. one which remains in memory
while other programs are running. A good TSR should at least detect all
known in-the-wild viruses and a good percentage of other known viruses.
Generally, TSRs are not so good with polymorphic viruses, and should not
be relied on exclusively.
* Vx - Those who study, exchange and write viruses, not necessarily
with malicious intentions.
* VxD - A Windows program which can run in the background. A scanner
implemented as a VxD has all the advantages of a DOS TSR, but can have
additional advantages: for instance, a good VxD will scan continuously
*and* check for all the viruses detected by a command-line scanner.
* Zoo - suite of viruses used for testing.
Here are some commonly referred-to anti-virus packages, including acronyms:
* Vbuster.com
* AVP - AntiViral Toolkit Pro
* AVTK - Dr. Solomon's AntiVirus ToolKit
* CPAV - Central Point AntiVirus
* The Doctor (Not Dr. Solomon!)
* Disinfectant (Mac)
* DSAVTK - Dr. Solomon's AntiVirus ToolKit
* F-Prot
* FindViru(s) - DSAVTK scanner
* Gatekeeper (Mac)
* Invircible
* MSAV - MicroSoft AntiVirus
* McAfee
* NAV - Norton AntiVirus
* SCAN - ViruScan (McAfee's scanner)
* Sweep - Scanner by Sophos
* TBAV - Thunderbyte AntiVirus
* VET
The following describes the four major categories of computer viruses.
* STEALTH VIRUSES - viruses that go to some length to conceal their presence from programs which might notice.
* POLYMORPHIC VIRUSES - viruses that cannot be detected by searching for a simple, single sequence of bytes in a possibly-infected file, since they change with every replication.
* COMPANION VIRUSES - viruses that spread via a file which runs instead of the file the user intended to run, and then runs the original file. For instance, the file MYAPP.EXE might be 'infected' by creating a file called MYAPP.COM. Because of the way DOS works, when the user types MYAPP at the C> prompt, MYAPP.COM is run instead of MYAPP.EXE. MYAPP.COM runs its infective routine, then quietly executes MYAPP.EXE. N.B. this is not the *only* type of companion (or 'spawning') virus.
* ARMOURED VIRUSES - viruses that are specifically written to
make it difficult for an antivirus researcher to find out how they
work and what they do.
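The MYAPP.EXE/MYAPP.COM case in the companion-virus item above, turned into a check a defender can run over a directory tree, as an added example (not from the FAQ or any package it names). It encodes the COMMAND.COM precedence the text relies on (.COM before .EXE before .BAT, current directory before PATH) to show which file a bare command name would launch, and lists every .EXE with a same-named .COM beside it; the constructed files in demo() are assumptions.

```python
import os
import tempfile
from pathlib import Path

# COMMAND.COM's search order for a bare command name: in each directory it tries
# .COM, then .EXE, then .BAT, and the current directory is searched before PATH.
DOS_ORDER = (".COM", ".EXE", ".BAT")


def resolve_command(name, cwd, path_dirs=()):
    """Return the file DOS would run for `name` typed without an extension, or None."""
    for directory in (cwd, *path_dirs):
        for ext in DOS_ORDER:
            for entry in os.listdir(directory):  # compare case-insensitively, like DOS
                if entry.upper() == name.upper() + ext:
                    return Path(directory) / entry
    return None


def find_companion_pairs(root):
    """Defender's check: directories holding both NAME.EXE and NAME.COM. Such pairs can be
    legitimate, so report what a person needs to judge: the .COM's size (a spawning virus
    body is usually tiny) and whether it really shadows the .EXE. On real DOS one would
    also inspect the file attributes."""
    findings = []
    for directory, _, files in os.walk(root):
        by_stem = {}
        for fname in files:
            stem, ext = os.path.splitext(fname.upper())
            by_stem.setdefault(stem, {})[ext] = fname
        for stem, exts in sorted(by_stem.items()):
            if ".COM" in exts and ".EXE" in exts:
                com = Path(directory) / exts[".COM"]
                findings.append({"dir": directory, "stem": stem, "com_size": com.stat().st_size,
                                 "shadows_exe": resolve_command(stem, directory) == com})
    return findings


def demo():
    """Constructed layout reproducing the FAQ's MYAPP example plus an innocent program."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "MYAPP.EXE").write_bytes(b"MZ" + b"\x00" * 4096)  # the genuine application
        (root / "MYAPP.COM").write_bytes(b"\x00" * 48)            # small same-named .COM
        (root / "OTHER.EXE").write_bytes(b"MZ" + b"\x00" * 1024)  # has no companion
        run = resolve_command("myapp", root)
        pairs = find_companion_pairs(root)
        return run.name, [(p["stem"], p["com_size"], p["shadows_exe"]) for p in pairs]
```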
Bibliography
This information was extracted from the internet newsgroup [alt.comp.virus]
Frequently Asked Questions listing.