ACCC Home Page ACADEMIC COMPUTING and COMMUNICATIONS CENTER
Accounts / Passwords Email Labs / Classrooms Telecom Network Security Software Computing and Network Services Education / Teaching Getting Help
 
The ADN Connection, November/December 1995 The A3C Connection
Nov/Dec 1995 Contents When a Good Computer Goes Bad Word Macro Viruses What viruses are "going around" at UIC today? Mac Viruses
Free Seminars for Spring 1995 More on Pine: Email and a Newsreader, Too Through an X Window Darkly About the ADN Connection  

When A Good Computer Goes Bad

 
News and Reviews
Windows Mac Everyone

They have exotic, cute, fuzzy, furry names. They play songs and deliver earnest messages of protest. Most started out as pranks and were never intended to damage anything. But some are intentionally vicious and even a "harmless" computer virus can be deadly when it's in the wrong place at the wrong time. Education is the best way to combat the spread of computer viruses, so here's a first course in computer viruses and how to treat them.

Much of the information in these articles was obtained from sources on the World Wide Web, specifically from the AntiVirus Research Center at Symantec Corporation (the home of the Norton AntiVirus program), and the virus FAQ of the comp.virus newsgroup (a.k.a. VIRUS-L in its email form). URLs and other navigation instructions are given in "Want to find out more?". 
 
   
 
     
What types of viruses are there?
  A computer virus is a program written to deliberately invade a computer system without its user's permission or knowledge. They infect executable files, not data files. (Though they can damage data files.) They are "parasitic" because they attach themselves to programs or disk boot sectors and replicate themselves. This ability allows viruses to spread to infect other systems. Viruses are classified by the types of files they infect
  • Boot Viruses: which infect a disk's boot record, master boot record (mbr), file allocation table (fat), and partition table, which are all used when booting a computer from a diskette or hard drive
  • Program viruses: which infect program files with file extensions like: .com, .exe, .ovl, .drv, .sys, and .bin
  • Multipartite viruses: which infect both programs and boot sectors
Viruses are inactive until you run the infected program or boot your computer from the infected disk. When activated, the virus is loaded into the computer's memory where it can perform a triggered event (like playing the song Yankee Doodle Dandy every day at five o'clock) or spread itself. Diskettes and hard drives used in an infected system can then transport the virus to another machine.

Your computer could get a virus from anywhere; from programs downloaded from bulletin boards or FTPed from archives, and even from the programs or installation disks you get from manufacturers. You shouldn't get a virus from the PCs in the ADN public labs, so long as you always reboot them before you use them? They don't have real hard drives, so they get a new virtual hard drive, boot sector and all, every time they're booted, and a completely new copy of the operating system, too. 

Return to Contents

 
     
Boot Viruses
  Every disk, hard disk or floppy diskette, bootable or not, has a boot sector, and that boot sector may be infected with a boot virus. But since they are only transmitted during the boot process, if your hard disk starts out "clean", and you make absolutely sure that you never leave a diskette in your computer's floppy drives when you turn it on or reboot it, then you will never get a boot virus.

Of course, that's hard to do in practice. If you boot your computer with a diskette infected with a boot virus in your a: drive, the virus will be transferred to memory and then to your hard drive. Once your hard drive's boot code is infected, the boot virus will be loaded into memory every time you boot your computer, and can travel to every diskette that you use (unless it is write-protected).

You could have a boot virus on your hard drive without knowing about it. But don't leave one there for any length of time; any boot virus will eventually cause some problems and some can destroy the boot information or force a complete format of the hard drive.

 
     
Program Viruses
  Program viruses are activated and loaded into memory when you run an infected program; any program file that you run after that will also be infected with it. Infected programs may run normally for some period of time, but they will eventually develop problems, and may even bring your whole computer down. Multiple infections with different program viruses are common.

Return to Contents

 
     
How many viruses are there?
  There isn't any exact answer to this question, both because new viruses are being created literally every day and also because the identification of computer viruses is an art not a science. Even the people who study computer viruses cant agree; some group the viruses into families and do not count the closely related variants as different viruses; others say that viruses are different when their code differs in just one bit.

The virus FAQ (frequently asked questions) maintained by the VIRUS-L mail list and the comp.virus newsgroup (see "For More Information...") says that in October of 1992, there were about 1,800 IBM PC viruses, about 150 Amiga viruses, about 30 Macintosh viruses, about a dozen Acorn Archimedes viruses, several Atari ST viruses, and a few Apple II viruses. Since then, the number of viruses reported for PCs have doubled. Fortunately only a few are widespread; for example, most of the reported PC infections were caused by one of three dozen viruses.

Return to Contents

 
     
Diagnosis and Treatment
  Antivirus programs are the best way to protect your computer against viral infection -- run one whenever you have problems with your system or your programs and be sure to scan any new disks or programs before you use them. (Yes, even the install disks that you get from real companies can be infected.) But even this doesn't offer you any guarantees; you might forget to scan the wrong disk, or get one of the new viruses that are created every day that the existing antivirus programs can't treat.

Return to Contents
 

 
     
The Good Times Hoax
  Yes, the "Good Times" virus is (and was) a hoax; you cannot get a computer virus from an email message. 

But you can get one in files sent with email notes as MIME attachments, just as you can get one in files you FTP using your World Wide Web browser. You should be as cautious with these files as you are with files you receive via the "sneakernet" (files carried from one computer to another on floppy diskettes). You might want to check out McAfee's WebScan, an antivirus program designed to detect viruses transmitted on the Internet. 

Return to Contents

How Do We Spot Your Viruses?

Courtesy of the Symantec Corporation's AntiVirus Research Center, here are some typical complaints that indicate to us that you might have a virus.
  • Suddenly, my program is taking longer to load.
  • The program size keeps changing.
  • My disk keeps running out of free space.
  • When I run chkdsk it doesn't show 655360 bytes available.
  • I keep getting 32-bit errors in Windows.
  • The drive light keeps flashing when I'm not doing anything.
  • I can't access my hard drive when I boot from my a: drive.
  • I don't know where these files came from.
  • My files have strange names I don't recognize.
  • I'm getting clicking noises coming from my keyboard.
  • Letters look like they are falling to the bottom of the screen.
  • My computer doesn't remember its CMOS settings, even though the battery is brand new.
  • My computer keeps playing strange beeps and noises.
Return to Contents 		 
     
How Can You Spot a Virus?
  Sometimes it's easy to tell that you have a virus; it will display a message, play music, or paint a picture. But you can't depend on these types of clues. Some viruses never advertise their presence in this way, and even those that do might be around for a while before they let you know. That's why some viruses have triggers or counters -- so they can spread as much as possible before they deliver their "payload". So don't wait and see; take positive steps to locate and eradicate viruses before they do any damage.

Viral infections can cause changes in file sizes and contents, changes in interrupt vectors, the reduction or unaccounted use of your machine's RAM, or strange behavior of hard drives or other hardware are also important clues. Of course, any or all of these symptoms could also be caused by program bugs or hardware problems.

So how can you tell? Get a good virus scanning program, and make sure you keep keep it up to date. (I recommend some below.) You could run a virus detecting program every time you reboot; some continue to run TSRs (terminate and stay resident programs). You might not want to do this though; with today's large hard drives, scanning your hard disk will take a long time. But you should run your anti-virus program on new programs and disks or when you have any other indications of possible problems.

For more positive detection, consider using use two anti-virus programs. No anti-virus program will find every virus; with two, you'll be better protected against both false positives (the program saying that you have a virus when you don't) and false negatives (the program saying you don't have a virus when you do). However, it is possible for one anti-virus program to see the effects left by another anti-virus program and identify them as a virus.

Also, get to know your computer. Make it a habit to look at its memory use each time you start the computer: On a PC (DOS 5 or higher), use: mem /c
On a Mac, the info options give some indication of memory use, but you may need to use ResEdit for more detail. You don't have to know what the memory-use numbers mean; you only have to know whether they've changed.

Return to Contents

 
     
How to Remove a Virus
  The first thing to do if you find that your system or disks have a virus is to not panic. You can recover from this, and you probably will not even have to reformat your hard disk!

If you have a program infecting virus and have uninfected backups of the infected files, you can boot your computer from a clean diskette (one that you know is virus-free), and then restore the infected files from your backups.

If you have a boot sector infecting virus, you could continue using your computer with the virus, so long as you always boot it from a clean system diskette. However, sooner or later you will leave an infected diskette in the machine when it reboots. To cure boot sector infections in PCs: first, replace the Master Boot Record (the mbr) on its hard disk, either by using a backup or the fdisk /mbr command (DOS 5 and up), and then use the sys command to replace its DOS boot sector.

In any case, keep in mind that just removing the virus from memory, either with a disinfecting program or by booting from a clean disk, is not enough. You may have treated the symptoms, but you haven't cured the disease. To prevent reinfection you must also disinfect any infected files or diskettes. This can be tedious, but it's necessary.

Return to Contents

What's the Best Anti-virus Program?

[These days this question is very easy to answer. The ACCC has a site license for Norton AntiVirus that allows you to use it on any personal computer that you own, at school or a home, for no cost. NAV is easy to install and update -- it will update itself if you want to -- and it works great. For more information, see the ACCC AntiVirus Web page. -- Ed.]

Actually, this question is very hard to answer, because I feel the best antivirus program would be one that will rid my system of all viruses. Unfortunately, that doesn't exist. But here are a few that have worked for well for me.

Shareware virus scanners: McAfee: Version 2.27e for DOS, all varieties of MS Windows, and OS/2, at http://www.mcafee.com/, and FProt: Version 2.20 for DOS, at http://www.fprot.com/. Both are shareware and should be registered if you continue to use them. New versions of both are released every three to four months; they can be FTPed from their Web sites. I like them because I can get them fast over the Internet and because they have found and cleaned almost every virus I have encountered except for SMEG.

Commercial anti-virus programs: Two of the best and most reliable commercial programs are Norton AntiVirus and IBM AntiVirus. The programs themselves are not available on the Internet, but the updates that kept them current are:

Note added 4/98: These days, add Dr. Solomon's, which the ADN distributes at no cost under a site license. For further information, documentation, and downloading, see: http://www.uic.edu/depts/accc/software/antivirus/
And visit Dr. Solomon's on the Web at: http://www.drsolomon.com/Return to Contents

For More Information...

The World Wide Web support sites given above for the Norton and IBM anti-virus program updates are also very good places to look for information about computer viruses. There's also a virus FAQ; use Inform with the search keyword virus. [Sorry, Inform doesn't exist anymore. But you can do a search on the ACCC home page instead. -- Ed.] The official virus Usenet/Netnews newsgroup virus.comp; alt.comp.virus is less authoritative but much more active.
Comments are appreciated; send them to
Thom Clark, tclark@uic.edu
  
 

The ADN Connection, Nov/Dec 1995 Previous: Nov/Dec 1995 Contents Next: Word Macro Viruses

2002-6-29  connect@uic.edu
UIC Home Page Search UIC Pages Contact UIC