The magazine of the Melbourne PC User Group

What Should You Do When a Virus Is Discovered?
Michael Mullerworth
 
Q: How will you know if you have a virus? 
A: By being alerted or becoming alarmed.

You may be alerted by automated e-mail from the Melb PC virus checker, AvMailgate

  • that a virus was found in an e-mail addressed to you (incoming mail), or
  • that a virus was found in an e-mail sent from your computer (outgoing mail). See figure 1.


Figure 1. Automated e-mail message generated by the scanner on the mail server.

In each case the message containing the virus will not have been delivered, and the automated e-mail will include information about the virus and suggestions for action.

  • You may be alerted by persons to whom you have (unintentionally) sent the virus.
  • Or you may be alerted by your antivirus software, if installed.
  • You may be alarmed! Perhaps your computer is behaving abnormally, you can't open some programs, strange things are happening, your computer locks up, or won't start.
You may also get a false alarm in the form of a joke or a nasty hoax.
 
What Should You Do?
  • First, in the case of a hoax, make sure the warning is genuine, and don't do anything, especially if the message tells you to do something "immediately, or else". These e-mail messages are often in bold or capital letters, or warn you to prevent some catastrophe. Do not forward any warning message to all your contacts without verification. A good Web site for this purpose is http://www.symantec.com/avcenter/hoax.html. See Figure 2.
  • If you have been notified that someone sent you a virus, and you know the sender, then you may contact the sender. Otherwise (if sender is unknown to you) do nothing.


Figure 2. The currently widespread jdbgmgr.exe hoax, one of many explained in detail at http://www.symantec.com/avcenter/hoax.html.

Some viruses are tricky because they make up false "from" addresses, or insert someone else's address ("spoofing"). By sending an e-mail reply you will only invite more virus mail or SPAM. So, if in doubt, don't reply.

  • If you are told that you have sent a virus and you are unsure of what to do, avoid using your computer. Contact iHelp (the Melb PC Internet Help) by telephoning the First Aid help line (10 am to 3 pm).

Don't panic. Help is available if you ask for it. But to help yourself, read on.

  • If you receive e-mail notification and do nothing about it, and if more viruses are detected coming from your computer a Melb PC Internet Help (iHelp) volunteer will contact you. Please remember that you are putting other people at risk, and that if you do not eradicate the virus from your computer within a reasonable time, you may be suspended from using the Melb PC Internet service.

What You CAN Do

1. Avoid using your computer, especially to go online, until the virus is cleaned. Most viruses/worms are transmitted by e-mail, but by simply connecting to the Melb PC Intranet or to the wider Internet you may be unwittingly sending copies of the virus out from your computer. The virus/worm frequently has its own means of sending mail out, even when you are not accessing your e-mail account. So, connect to the Net only if you have to, for example, to get help, or to update or obtain an antivirus program (subsequently referred to here as AVP, see below). Then disconnect until your computer is cleaned.

2. If you have an AVP installed (You were Aware!)

Check that it is up to date. This means updated within the last week at least, but better still within the last 24 hours. If it is not up to date (and it probably isn't if you have acquired a virus), then do so at once. Then do a full scan of all your hard disks. This means do a scan that includes boot sectors, memory, and files of all types, including those in subfolders. Most AVPs are set to do this by default (if you did a typical or standard installation), but if you feel capable you should check the configuration. Try the program's toolbar, possibly under Options.
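The routine in item 2 (check the signature age, update if stale, then run a full scan and read the result) scripted as an added example; this is not from the article, and it assumes the Microsoft Defender cmdlets that ship with current Windows as the stand-in for "your AVP". The age thresholds are the article's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original article. Assumes the Microsoft Defender
# cmdlets (Get-MpComputerStatus, Update-MpSignature, Start-MpScan, Get-MpThreatDetection,
# Get-MpThreat) are available. Thresholds follow the article's advice.

$preferredMaxHours = 24    # "better still within the last 24 hours"
$absoluteMaxHours  = 168   # "within the last week at least"

$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled) {
    Write-Warning "The antivirus engine is disabled; enable it before relying on any scan."
}

# How old are the signatures currently loaded?
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
Write-Host ("Signatures {0}, last updated {1:u} ({2:N1} hours ago)" -f $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated, $sigAge.TotalHours)

if ($sigAge.TotalHours -gt $preferredMaxHours) {
    if ($sigAge.TotalHours -gt $absoluteMaxHours) {
        Write-Warning "Signatures are over a week old; a scan with them may miss the infection."
    }
    # This is the one step that needs a network connection; go offline again once it completes.
    Write-Host "Updating signatures..."
    Update-MpSignature
    $status = Get-MpComputerStatus
    Write-Host ("Now on signature version {0}" -f $status.AntivirusSignatureVersion)
}

# FullScan covers boot sectors, memory and every file on every fixed disk, subfolders
# included; QuickScan would not. Expect this to take a long time.
Write-Host "Starting full scan..."
Start-MpScan -ScanType FullScan

# List recorded detections (the whole history, not only this scan) and whether the
# configured action (clean / quarantine / remove) succeeded. Anything reported as not
# handled is the "some elements could not be removed" case and needs manual follow-up.
$detections = Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending
if (-not $detections) {
    Write-Host "No threat detections recorded."
}
foreach ($d in $detections) {
    $threat  = Get-MpThreat -ThreatID $d.ThreatID
    $name    = if ($threat) { $threat.ThreatName } else { "ThreatID $($d.ThreatID)" }
    $outcome = if ($d.ActionSuccess) { "handled" } else { "NOT handled, manual follow-up needed" }
    Write-Host ("{0} in {1}: {2}" -f $name, ($d.Resources -join ", "), $outcome)
}
```

The detection list at the end is cumulative, so an old, already-handled entry is not evidence of a current problem; what matters after the scan is any entry whose action did not succeed, or a scan that reports files it could not open.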

If you have taken the precaution of installing antivirus software, but have had a temporary lapse in its maintenance, it will be easier to recover from a virus infection.

Likewise, if you were unlucky enough to have acquired the very latest virus for which a signature update has not yet been prepared, it will be simpler and quicker to download and install the latest update as soon as it becomes available, than to start from scratch. All AVPs, and particularly updates, must be obtained from a reliable source.

3. If your computer will not start and you have a "Rescue Disk", created when you installed your AVP, this might be the time to use it, but you will need to know what to do. If you are unsure try contacting your AVP support line first. If you do not have a rescue disk, you may be able to recover with a bootable startup disk, and some appropriate advice.

4. Transmission of the Virus

A virus may infect other executable programs or documents that support macros (*.doc, *.xls). A worm usually spreads by e-mail, selecting addresses from your address book and message folders, or indeed from anywhere on your hard disks, to which it sends copies of itself. It is not practical to hide or delete these addresses, and some viruses/worms make up false ones anyway! So the best you can do is to avoid going online, or to minimise the length of time you stay connected to the Net.

5. If you do not have an AVP
 
(a) Ask for help from Melb PC (already mentioned), or
(b) Buy a commercial AVP, online or on CD-ROM, or
(c) Download a free AVP from Melb PC Online: http://online.melbpc.org.au/.

Note that the program AntiVir from the Melb PC Online Files does not scan incoming e-mail for viruses, but it will do a complete scan of your disk when commanded, for cleaning.
 
Note also that a free program may be less useful than one you purchase, e.g. you may not get telephone support, or updates may be less frequent, or sooner or later you may be required to pay for it.

The AVP you obtain may be a few months old. It must be updated to be effective. This must be done online before you (next) do a full scan on all your hard disks (see item 2).

The scan should report that the virus has been cleaned, deleted, quarantined or neutralised. In some cases it may also tell you that some elements could not be removed, or that the scan was incomplete (e.g. unable to scan .zip, .cab, or .dat files). Occasionally, cleaning is not possible because the file to be cleaned is marked Read Only.

AVPs Cannot Eradicate All Viruses Completely. While the Internet Help (iHelp) team will give you whatever help they can, expert help may be required from the AVP vendor by telephone, or from their Web site. Some viruses, by their nature, cannot be cleaned. They may have created new files which remain on your system (residual files), and these may need to be removed manually, or with a removal tool (a specially written program). They may also have renamed, altered or deleted some files. This may require reinstallation from original or backup copies of your software.

6. Change your passwords

Some viruses (Worms and Trojans) have the capacity to steal your passwords and other information from your computer. These are sent out via the Internet. Change passwords for safety.

7. A Last Word
Remember to review your antivirus protection when the virus has been cleaned. See Defensive Computing at http://www.melbpc.org.au/pcupdate/2205/2205article6.htm

Reprinted from the June 2002 issue of PC Update, the magazine of Melbourne PC User Group, Australia

[About Melbourne PC User Group]