Virus Protection and Safe Computing
Common questions about computer viruses and how to live with them

 

The answers apply mainly to the Microsoft Windows operating system.

For information about Macintosh and Linux antivirus programs see:
http://antivirus.about.com/   or   http://www.info.apple.com/usen/security/index.htm

First-The Essentials

1. Install an antivirus program and keep it up to date.

2. Update your operating system and Internet applications with the latest "patches". In the case of Windows, use Windows Update to install Critical Updates from the desktop Start menu or at: http://windowsupdate.microsoft.com or http://v4.windowsupdate.microsoft.com/en/default.asp

3. Update Microsoft browsers via Windows Update :
http://windowsupdate.microsoft.com or http://v4.windowsupdate.microsoft.com/en/default.asp 
or from the Microsoft Download Centre http://www.microsoft.com/downloads/search.aspx?displaylang=en
  
4. Install a Firewall, especially if you have a cable or ADSL connection (See here)

5. If you have the choice, do not login to your Operating System as Administrator, but as a User. See Networks and Passwords

6. Be aware, keep informed, practice Safe Computing by reading Defensive Computing or take advice from one of the following:
http://www.microsoft.com/security/protect/      http://www.f-secure.com/virus-info/tips.shtml 
and  http://www.info.apple.com/usen/security/index.html for Apple users

7. And subscribe to e-mail newsletters for virus information.   See here for more
 

  What is a Virus (or a Worm or a Trojan)?

All of these can be called Malware, or Malicious software.

A virus is a computer program or code that replicates itself and infects another program, boot sector, partition sector, or document that supports macros, by inserting itself or attaching itself.

A worm is a program that copies itself from one disk to another by e-mail or other transport mechanism. Worms infect computers, but do not infect files. They can simply be identified and then deleted. However, they often make registry or startup file changes so that they are executed on boot-up. They are now very sophisticated, can avoid detection by antivirus programs and even disable them (and firewalls), so that you may have no protection whatsoever. It is probable that a lot of spam is sent out from such infected computers, unknown to the owner of the machine.

A trojan is a program that neither replicates nor copies itself; it may arrive in an e-mail, in a program, or by simply viewing a web page (if your browser has an unpatched vulnerability). It can be commanded to do tasks such as sending information away from your computer, or it may open a "back door" which allows a remote computer to control your machine.

Spyware is sometimes planted in your computer without your knowledge or permission when you install a new program or while you are connected to the Internet.
Further reading: http://www.melbpc.org.au/pcupdate/2408/2408article7.htm.  A dialler may redirect your dialup connection to a remote destination and you will be charged for the phone call. See http://www.melbpc.org.au/pcupdate/2405/2405article4.htm

All must be regarded as harmful, though some viruses and worms are not. See http://securityresponse.symantec.com/avcenter/refa.html for definitions.


Why should you be concerned about viruses?

Because you are likely to be infected at some time, especially if you take no precautions.  See: http://www.melbpc.org.au/pcupdate/2411/2411article6.htm
 
Although your ISP may have a virus scanner for e-mail, some viruses may slip through. You can also be infected from other sources such as some Internet sites (Web surfing), removable media (floppy disks, CD-ROMS etc), and Internet messaging (Windows Messaging, IRC etc) or file-sharing (via Internet or internal network).
Infection with a virus may result in great inconvenience, the possible loss of some of your data and programs, revelation of your private information (including passwords and credit card numbers), or even destruction of your system.

You may also spread the infection to many other users via addresses stored on your computer, or in files you share with others. Your computer could be taken over and made a base for attacks on others. Therefore, it is in everybody's interest for you to be informed about how viruses spread, and ways to avoid and control them. And it is important to recognise a Hoax for what it is, so as not to be panicked into unnecessary action.

How will I know if I have a virus?

You may be alerted by other persons who believe you have sent them a virus. This may not be true, because Melb PC and other ISPs scan mail for viruses, and many viruses use false "from" addresses which are randomly selected or generated. The message bearing the virus most likely came from a computer on which your address is recorded, but you should check your system nevertheless.

Or you may be alerted by your antivirus software, if installed. Exactly what message did your anti-virus software give you? Write this down before you click the "OK" button that dismisses the warning.

You may be alarmed because your computer is behaving abnormally: you can’t open some programs, strange things are happening, it locks up, or it won’t start. But do not assume a virus is responsible for any computer problem that may be readily and simply fixed. And note that even if some odd system behaviour is due to a virus, the "three R" solution (re-partition, reformat and reinstall) is seldom necessary or appropriate.

You may also get a False Alarm in the form of a Joke or a Hoax. False alarms can be more time-consuming and wasteful than actual virus detection incidents. Hoaxes come in e-mail messages or attachments, are often in bold or capital letters, offer exciting rewards, or warn you to do something to prevent some catastrophe. They may be harmless, but can cause a lot of trouble if you follow their instructions. Do not forward any such warning message to all your contacts without verification. A good website to check if it is a Hoax is: http://www.symantec.com/avcenter/hoax.html

How could I have got a virus when I have antivirus protection installed?

Your AntiVirus program may not be up-to-date, or more likely your operating system and browser have not had the latest "patches" installed. This is particularly important when upgrading to or reinstalling a new operating system, after which you are vulnerable until you have installed the patches to bring it up to date.
You may have taken the precaution of installing AntiVirus software, but lapsed in keeping it and your operating system updated. To be effective, antivirus software should have been updated within the last week at least, best within the last 24 hours. Or you may have been unlucky enough to acquire one of the latest new viruses, for which a signature update has not yet been prepared (it takes at least a few hours for new virus threats to be countered, and for your software company to offer a "fix"). Download and install the latest update when it becomes available, then do a full scan of your system.

What should I do if I have a virus?

Don’t panic!
Help is available if you ask for it. Always contact your Antivirus software vendor first, or look for advice on their webpage if you can.

Contact Melb PC Internet Help by telephoning the First Aid (Help) line (95678066, 10 am to 3pm) or the Melb PC office (95678000) to avoid using your computer. But read on, to help yourself.

  • Avoid using your computer, especially to go online, until the virus is "cleaned". Most viruses are transmitted by e-mail, but by simply connecting to the MelbPC Intranet or the Internet you can be sending copies of the virus out of your computer. The virus usually has its own means of sending mail out even when you are not accessing your email account. So, only connect to the Net if you have to, for example, to get help, or to obtain an Update or Patch for your operating system, or to update your AntiVirus Program (subsequently referred to here as AVP, see below). And make sure your Firewall is active if you do need to connect, especially for updates to Windows XP. Then disconnect till your computer is cleaned.

  • If you have an Anti-Virus Program (AVP) - Check that it is up to date. This means it has been updated within the last week at least, best within the last 24 hours. If it is not up to date (and it probably is not if you have acquired a virus), then update it at once. Then do a full scan of all your hard disks. This means that the scan includes boot sectors, memory, and files of all types, including those in subfolders. Most AVPs are set to do this by default, after a Typical or Standard installation, but you should check the configuration if you feel capable. Try the toolbar of the program, possibly under Options.

    It is unwise to scan for viruses with an out-of-date AVP because the program must open the files to scan them. If the AVP cannot recognise or destroy the virus(es) it may release or activate some that have until that time been dormant. If you have taken the precaution of installing anti-virus software, but have had a temporary lapse in its maintenance, it will be easier to recover from a virus infection.

    Likewise, if you were unlucky enough to have acquired the very latest virus for which a signature update has not yet been prepared, it will be simpler and quicker to download and install the latest update when it becomes available than to start from scratch. All AVPs, and particularly updates, must be obtained from a reliable source.

  • If you do not have an AVP  - Ask for help from Melb PC (see above), or buy a commercial AVP, online or on CD-ROM, or download a free AVP from http://www.free-av.com/ or http://www.grisoft.com

    Note that a free program may be less useful than one you pay for, e.g. you may not get telephone support, or updates may be less frequent. And you may sooner or later be required to pay for it. The AVP you obtain may be a few months old. It is unwise to scan for viruses with an out-of-date AVP because the program must open the files to scan them. If the AVP cannot recognise or destroy the virus(es) it may release or activate some that have until that time been dormant. It must be updated to be effective. This must be done online before you (next)

    Do a full scan on all your hard disks (see 2 above). The scan should report that the virus has been cleaned, deleted, quarantined or neutralised. It may also tell you if some elements could not be removed, or that the scan was incomplete (e.g., unable to scan .zip, .cab, or .dat files).

  • If your computer will not start, and you have a Rescue Diskette created when you installed your AVP, this might be the time to use it, but you will need to know what to do. If you are not sure, try contacting your AVP support line first. If you do not have a Rescue disk, you may be able to recover with a bootable Startup disk, plus appropriate advice. Occasionally a virus will need to be removed in Windows Safe Mode, or by booting into DOS (and use an AVP for DOS), because it can escape detection and removal when Windows is started in the usual way.

  • Transmission of the virus  In most cases, the virus/worm selects addresses in your address book and message folders, and even anywhere on your hard disks, to which it sends copies of itself by e-mail. It is not practicable to hide or delete these addresses, and most viruses/worms make up false ones anyway! So the best you can do is to avoid going online, or to minimise the length of time you stay connected to the Net until the virus has been cleaned.

  • AVPs cannot eradicate all viruses completely.  While the Internet Help (iHelp) team will give whatever help they can, expert help may be required from the AVP vendor by telephone, or from their website. Some viruses, by their nature, cannot be "cleaned". They may have created new files which remain on your system (residual files), and these may need to be removed manually (including editing the Windows Registry), or require a Removal Tool. They may also have renamed, altered or deleted some files. This may require reinstallation from original or backup copies of your software. Occasionally a virus will need to be removed in Windows Safe Mode, or by booting into DOS (and use an AVP for DOS), because it can escape detection and removal when Windows is started in the usual way.

  • Change your passwords. Some types of malware steal your passwords and other information, sending it away to a remote site. So it is advisable to change passwords and to review all security settings after recovering from a virus attack. It is good practice to change your passwords periodically.

What can I do to protect my computer from viruses?

The most important things are
  1. to install good AntiVirus software (see What anti-virus programs are recommended? for a list), and to keep it constantly updated,

  2. to update your operating system and browser, which for almost everyone is Windows and Internet Explorer (see Internet Explorer Updates and Windows Updates, below), and

  3. to install, activate, and properly configure a Firewall


Operating System and Internet Explorer Updates - See http://www.melbpc.org.au/pcupdate/2408/2408article7.htm

Some e-mail programs are particularly targeted by virus writers, e.g. Outlook and Outlook Express. These are vulnerable because of their association with Internet Explorer. When you look at an HTML message in the preview pane or open message window you're actually looking at a browser window. So any vulnerability of Internet Explorer is 'inherited' by the email program, because of Internet Explorer's close integration with Windows. Internet Explorer can be "patched", but if you don’t install the patches, simply changing to Netscape, Opera, Eudora, or The Bat as your e-mail client will not protect you if you retain the vulnerable copies of Internet Explorer on your computer. Most users do not try to uninstall Internet Explorer completely (though it is possible), so the recommended updates and patches should be installed, otherwise the susceptibility remains. Currently it is recommended to upgrade to Internet Explorer 6.x for later versions of the Windows operating system (it cannot be installed with Windows 95). You can have it installed and still use a different browser or e-mail client if preferred.

The IE 6 installation from the Web should be Typical or Full, not Minimal or Custom,  or preferably, install it from a Melb PC Monthly CD-ROM which is quicker and more reliable.

All versions of Internet Explorer require updates or patches. Many members will be using IE 6.0 with Windows 98. Updates for these versions are now hard to find!

Get updates for later versions via Windows Update (Go to Windows Update from Internet Explorer | Tools menu and follow the prompts), which can be configured to update automatically (see below), or accessed via these links: http://windowsupdate.microsoft.com, http://v4.windowsupdate.microsoft.com/en/default.asp
 
You are advised to install "Critical" Updates for Internet Explorer and for your version of Windows. Read the information shown to decide whether to install "Recommended" Updates.

Automatic Windows Updates need Microsoft Internet Explorer. To set up automatic Windows Update:
See http://support.intel.com/support/network/sb/CS-010266.htm for all Windows OS versions and http://www.theeldergeek.com/automatic_updates.htm for Windows XP only.

What antivirus programs are recommended?

This is a matter of personal preference, as all the well-known programs are effective. A Web search will lead to information and download sites. Here is a list which is not comprehensive, and is in alphabetical order and not necessarily by recommendation :

Can I get a free antivirus program?

Yes, but note that a free program may be less useful than one you pay for, e.g. you may not get telephone support, or updates may be less frequent. Or you may sooner or later be required to pay for it. Note that after installing the program it is necessary to update it regularly.
  1. AntiVir Personal Edition is available from http://www.free-av.com/
  2. AVG Personal Edition, from http://www.grisoft.com/
  3. Avast! 4 Personal Edition available from http://www.avast.com/i_idt_153.html

Will I be completely protected if I install an antivirus program?

No, because no anti-virus checker can be said to be 100% effective, even if it is frequently updated. There is a constant battle between virus writers and virus eradicators, and variants may appear when the code is altered slightly. New viruses are appearing all the time, and may infect some computers before a "fix" is written for them. And an AVP will not help if your operating system is not "patched" up to date.

It would be wise to adopt "defensive computing" practices, see Defensive Computing.
Even if your ISP (e.g., Melb PC) provides virus scanning on your Internet connection, a virus may occasionally slip through, so it is important to have your own virus protection. There are other sources of infection also.

Are there any software programs that are immune from virus attack?

The answer to this has to be "No", but virus creators tend to concentrate their efforts on the programs that are most widely used, so that the virus spreads easily and has maximum effect-usually damaging! It is true that some are less likely to be attacked, or less vulnerable.  But see How can I protect my computer from viruses? for an explanation of major weaknesses, and Defensive Computing (below).



Defensive Computing (Other precautions you can take)

  • Never open attachments to e-mails (even from an apparently trusted source, because the "From" address can be faked, called "phishing") or never open without first scanning them with an up-to-date Anti-Virus program (AVP). Your anti-virus software may be set to do it by default, but you can do it manually to be sure. You may choose to open only those attachments which you have asked someone to send to you (and you should scan them too). Regard all unsolicited mail and forwarded messages (even if forwarded from someone you know) as suspicious. Beware of persuasive messages with strange headings, or invitations that promise rewards or excitement. For image files, open the viewing application (e.g., Irfanview) first and open the pictures in it, instead of double-clicking on the attachment. Don't trust the icons or file extensions on attachments; they may be deliberately falsified to mislead you into opening a file which seems harmless. Try to get all attached documents sent to you in Rich Text Format (*.rtf), or do not enable macros in Word.

  • Show all file extensions  Configure Windows to always show file extensions. From Windows Explorer | Tools | Folder Options, uncheck "Hide file extensions for known file types". Then it will not be possible for an EXE or VBS file to masquerade as a TXT or JPG file. And never open attachments with extensions VBS, SHS, or PIF, which are almost never used in normal attachments. Also, do not open attachments with double file extensions, like NUDE.JPG.EXE or NAME.DOC.PIF.

    Microsoft NEVER DISPLAYS .shs, .pif, and .lnk file extensions, whether you have hide file extensions on or off. Therefore, as further protection for Melb PC members, all attached files with extensions as above (plus .scr for good measure) passing through the Melb PC virus checker will be renamed with an underscore replacing the first letter of the extension. With the underscore, they are no longer executable under Windows unless the missing letter is replaced (at your own risk!).

    Other Executable files (e.g., .exe, .htm, .html) may also have a double extension (.bad) added. You may try renaming them as .txt and opening them in a text editor like Notepad, or you can restore the executable extension as above. The attachments are unchanged otherwise.

  • Disabling the Preview pane  In Outlook and Outlook Express, “Auto preview” and “Preview” respectively can allow activation of a virus in a message being viewed in the pane (see explanation under IE Updates "What can I do...?" above). In other words, if the message is highlighted, (one message in the list always is), it will open in the Preview Pane without being clicked. This is a useful feature that many do not want to disable.

    It need not be disabled if the appropriate updates have been installed, and your Anti-Virus Program is kept up to date.
    To disable the Preview pane (esp. for users of Windows 95):
    • In Outlook Express 97, from View|Layout|remove tick from “Show preview pane”.
    • In Outlook 97, from View|Define views|Tick “messages” and not “messages with autopreview”.

  • Previewing your mail on the mail server  You can avoid having to download your mail before you read it (and this is also one way of disposing of Spam mail) by using programs such as MailWasher which also allows you to set bounceback criteria "for lists where unsubscribe proves difficult". But don't use it to bounce SPAM; this is quite ineffective as many "from" addresses are fictitious, and you will merely increase traffic on the Internet (and specifically on our Internet feed), with messages either returning to the wrong address, or being marked undeliverable, and returned. MailWasher works with all email programs unless they are Web based such as Hotmail, Yahoo and AOL. Mailwasher can be found as a free download at: http://www.mailwasher.net/

    Mailwasher Pro with increased functionality is available at: http://www.firetrust.com/en/download/mailwasher-pro

  • Or you can use MelbPC Endymion Webmail in 2 ways:

    1. Via the External Home Page (http://www.melbpc.org.au and then Webmail Access).
    2. In your browser address bar enter URL: https://websec.melbpc.org.au/webmail/mailman.cgi (a secure connection)

    Then enter your username and password and "login". Here, you can see the size of your mailbox, read, send, and delete messages, but you cannot download them to your computer.

  • Review Security Settings   In Internet Explorer, these should be set at "Internet", in Tools | Internet Options | Security, and Custom Level should be "Medium". In Outlook Express, from Tools | Options | Security set the level to "Restricted Sites Zone", and tick "Warn me if other applications try to send mail as me". Do not tick "Do not allow attachments to be saved or opened that could potentially be a virus" unless you DO NOT have an up-to-date antivirus program, because if you do, some attachments which do not contain viruses (but are regarded by Outlook Express as potentially harmful), may be barred.
    This is a view of Security Settings opened in Internet Explorer via "Tools"
     
  • Other sources of infection  Be Aware that other viruses can reach you via infected files in floppy disks or CD-ROMs, in files downloaded from the Internet (including newsgroups), or exchanged via IRC, ICQ, etc. (for example, see: http://www.irchelp.org/irchelp/security/trojan.html), and by simply browsing some Web pages or clicking on innocent-looking messages. This may include reading messages in Hotmail, Yahoo Mail, and AOL, though email scanning is now very effective. So an up-to-date Operating System and AVP with “Resident” protection are essential.

    As a general rule, when in doubt never click "OK" or "Close", rather "kill" the dialogue box with the "X" in the top right-hand corner.

    If you have a Floppy Disk drive it is also recommended to set the startup sequence in the BIOS to C:A:, CD-ROM, C:A:, or just C:(or HDD) to prevent inadvertent booting from a floppy disk infected with a boot virus left in the drive. In the event that you need to boot from A:, you will need to reset the BIOS by entering Setup during the bootup process.

  • Resident Protection should be enabled in your AntiVirus program  This is AntiVirus protection which is activated when the computer is started, and then remains "on watch" in the background. It may also be called by other names, e.g. Real-Time Monitoring. Most Resident programs will watch for executable file types, detecting them when they are downloaded or copied, or when a file is opened. Some programs, but not all, scan e-mail messages also (usually only incoming messages, by default). But many viruses are programmed to disable AVPs.

    Any AVP installed on your computer is useless if it is inactivated. Sometimes the AVP may be disabled to prevent it interfering with another program, e.g. while running Windows Defrag, or it may be turned off while installing a new software program, and you may forget to turn it on again. Check that Resident Protection is enabled, usually by right-clicking the AVP icon in the "Tray" at the lower right hand corner of your computer screen, and selecting "Status" or a similar option, or by opening the program and checking (usually) Options.

    You can test your system for virus infection with free scanning programs at:
    "Housecall" http://housecall.trendmicro.com/au/  
    or at http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym  

    NOTE: these URLs MUST be in ONE LINE if copied or typed - or use the main site address and then navigate from there.
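
The attachment advice under "Show all file extensions" above (never-open types, double extensions, and the Melb PC renaming rule) can be written as a short check. This is an added example, not Melb PC's actual virus-checker code: the function names are hypothetical, the extension lists are only those the page mentions, and the sample names other than NUDE.JPG.EXE and NAME.DOC.PIF are constructed.

```python
import os

# Extension lists taken from the page's text; a real mail gateway would
# use a longer list.
HIDDEN_EXTS = {".shs", ".pif", ".lnk"}         # never displayed by Windows
UNDERSCORE_EXTS = HIDDEN_EXTS | {".scr"}       # first letter replaced by "_"
BAD_SUFFIX_EXTS = {".exe", ".htm", ".html"}    # ".bad" appended
NEVER_OPEN_EXTS = {".vbs", ".shs", ".pif"}     # "almost never used" in attachments
EXECUTABLE_EXTS = UNDERSCORE_EXTS | {".exe", ".vbs"}
DECOY_EXTS = {".txt", ".jpg", ".doc", ".rtf"}  # harmless-looking types named on the page


def normalise(name):
    """Drop any path, and the trailing dots and spaces that Windows
    drops from file names (so "x.exe. " is really "x.exe")."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(" .")


def extensions(name):
    """Return the lower-cased extensions of a name, outermost last.
    Padding such as "a.txt      .vbs" is stripped from each part."""
    parts = normalise(name).split(".")[1:]
    return ["." + p.strip().lower() for p in parts if p.strip()]


def assess(name):
    """Return the reasons (possibly none) to distrust an attachment name."""
    exts = extensions(name)
    reasons = []
    if not exts:
        return reasons
    last = exts[-1]
    if last in NEVER_OPEN_EXTS:
        reasons.append("never-open type " + last)
    if last in HIDDEN_EXTS:
        reasons.append("Windows hides " + last)
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
        reasons.append("double extension " + exts[-2] + last)
    return reasons


def defang(name):
    """Rename an attachment following the rule the page describes:
    underscore for the first letter of .shs/.pif/.lnk/.scr, ".bad"
    appended to the other executable types, everything else unchanged."""
    base = normalise(name)
    stem, ext = os.path.splitext(base)
    low = ext.lower()
    if low in UNDERSCORE_EXTS:
        return stem + "._" + ext[2:]
    if low in BAD_SUFFIX_EXTS:
        return base + ".bad"
    return base


# The first two names are the page's own examples; the rest are constructed.
SAMPLES = ["NUDE.JPG.EXE", "NAME.DOC.PIF", "holiday.jpg",
           "card.shs", "invoice.txt      .vbs", "setup.exe. "]


def report(names):
    """Pair each name with its warnings and its defanged form."""
    return [(n, assess(n), defang(n)) for n in names]


if __name__ == "__main__":
    for name, reasons, renamed in report(SAMPLES):
        print(repr(name), "->", renamed, "|", "; ".join(reasons) or "no warning")
```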

Networks and Passwords

If you are connected to a network and have file-sharing enabled, important files should be password-protected. Viruses spread very easily and quickly on networks. Passwords should be jealously guarded, and changed periodically, particularly after a virus attack.  If your operating system has Administrator or Root privileges, login as a User instead of as Administrator, Superuser or Root. This will protect most of your files from being tampered with.

Firewalls
Another line of defence is a firewall. These have become more necessary, even essential, as malware becomes more sophisticated. A firewall is strongly recommended if you are connected to your ISP by broadband (cable or ADSL) which, unlike Dialup connections, is "always on".  Windows XP and XP Pro have an inbuilt firewall. It may not be enabled by default. To see if it is enabled go to Control Panel>Network Connections>Properties>Advanced and make sure the tick is in place under "Internet Connection Firewall", or see http://www.thundercloud.net/infoave/tips/firewall/ for full illustrated instructions.

ZoneAlarm (http://www.zonelabs.com) is one in common use, but it is important to understand its actions and behaviour. See http://www.melbpc.org.au/pcupdate/2205/2205article5.htm
Kerio Personal Firewall (http://www.kerio.com/kpf_home.html) is another, see http://www.melbpc.org.au/pcupdate/2304/2304article10.htm

A firewall will block access to your computer from the Internet, and can also prevent information being sent away without your knowledge, depending on the instructions you give it. For either Resident protection or a firewall to be effective and trouble-free, each must be properly configured. Read the instructions carefully.

Firewalls should be tested to see if they are effective. Go to "Shields Up" at http://www.grc.com/ or direct to https://grc.com/x/ne.dll?bh0bkyd2

Subscribe to a (Free) AntiVirus Newsletter

Stay informed! This will get you virus alerts, details of new viruses and hoaxes, tips, and much useful information. This includes descriptions of how to recognise suspicious mail headers and message wording. From any of the major AntiVirus program vendors, e.g.,
  • http://www.sophos.com/virusinfo/notifications or
  • http://www.antivirus.com/subscriptions/default.asp

     Visits to their websites will also yield much useful information, e.g.,
    http://www3.ca.com/virus/ , http://www.symantec.com/avcenter , http://www.europe.f-secure.com/v-descs/  or http://antivirus.about.com/

    Virus alerts and detailed information on new viruses can be found on the MOTD page by clicking the "Latest Virus Advisory" link at: http://www.auscert.org.au/