The magazine of the Melbourne PC User Group

Viruses and SOHO computers
Russell Langley

Between June 1993 and July 1994, Don Gingrich wrote half-a-dozen especially good articles in PC Update titled "Dr Don's Virus Clinic." This article summarises many of his ideas for new members, especially for those with Small Office, Home Office (SOHO) businesses using DOS or Windows, who are nowadays at considerable risk from thousands of computer viruses.

What's a virus?

God-made human viruses have been around since earliest times. There are currently about 1000 species, with new varieties appearing slowly. They are characterised by being so small that they can't be seen by normal microscopes (hence "ultramicroscopic.") They cause human diseases varying from mild, such as herpes, to fatal, such as rabies.

Computer viruses on the other hand are man-made, yet surprisingly are a lot like human viruses. The first computer virus was created in Pakistan in 1986, and skilful oddballs all around the world have now built the varieties up to over 3000, with increases every day. Computer viruses are miniature programs, and are hidden so that they don't show in a listing of directory file names. Their destructiveness varies from mild (e.g. slowing performance) to disastrous (e.g. destruction of hard disk).

There are two types of computer virus. The commonest are boot sector viruses, which live insidiously in the first (outermost) tracks of formatted floppy and hard disks, from where they multiply and damage any part of the rest of the disks. The other type is file viruses, which live parasitically attached to program files. Data files can be damaged by viruses, but do not usually carry the infection (though data disks can have boot sector viruses).

Who is at risk?

Be reassured that you personally can't catch a computer virus! They spread from infected computers via floppy disks and modems, and they attack your hard disk. This means that any computer with floppy disks but no hard disk is immune to attack. Those using networks don't have to worry provided their networks are closely monitored by an expert. Also HPFS partitions of hard disks with OS/2 are relatively secure. But DOS and Windows SOHO owners must vigilantly protect their hard disks against these widespread infections which can silently destroy all your essential business data.

How to avoid infections

Theorem 1

The only way to get infected by boot sector viruses is to boot with an infected floppy disk in Drive A.

Such booting also applies to rebooting, whether by pressing your reset button or Ctrl+Alt+Del key combination. The infected floppy disk can be a data disk, or a brand new shrink-wrapped program disk, or even a blank formatted disk.

Therefore you won't get infected by Boot Sector Viruses if you
  • Happen to boot with any clean floppy disk in Drive A
  • Copy files from an infected floppy disk in Drive A
  • Delete files on an infected floppy disk in Drive A
  • Copy any files from BBSs or Internet.

Theorem 2

The only way to get infected by file viruses is to run an infected program.

The infected program files are usually .COM or .EXE, but other related files (.SYS, .DLL, .OVL, etc) can harbour these viruses and infect your hard disk when they're used by their parent programs.

Therefore you won't get infected by file viruses if you merely
  • Copy infected files (e.g. from floppies, or from BBSs)
  • Copy packed files (.ZIP, .LZH, etc) containing infected files
  • Unpack packed files (.ZIP, .LZH, etc) containing infected program files.

Theorem 3

Write-protected floppy disks cannot be infected from an infected hard disk.

Therefore always write-protect your floppy disks before putting them in someone else's computer.

Ways of detecting virus infections

1. Virus Detector Programs

Special programs are available for diagnosing virus infections. Shareware and Freeware programs (such as Scan and F-Prot) are available from Melb PC's shareware library, or by modem from our BBS. Commercial alternatives (such as Vet and Dr Solomon's Anti-Virus Toolkit) are available from Software shops. Using these detectors will identify and name any viruses present on your hard disk or floppy disks. Get updates of your chosen detector every two months or so, else you'll miss newly released viruses.

2. Virus Warning Programs

Many virus detector programs can be loaded as Memory Resident or TSR utilities which monitor all disk activities, and warn you distinctly about any unexpected changes about to be made to your disks or files.

3. Checksum Programs

These are special programs which compute a unique "checksum" number based on a file's content. Using such a program on a dozen or so commonly used clean program files gives you a dataset which can be compared with repetitions made subsequently. Checksum tests can discover changes to the tested files caused by new viruses which your virus detector program can't yet recognise. McAfee's VALIDATE.COM is an example that actually does two different checksums on each tested file. 
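The baseline-and-repeat routine described above, as an added example that is not part of the original article: it records two checksums for each clean program file and later reports any file that has changed or gone missing. CRC-32 and SHA-256 are stand-ins chosen here, not the algorithms VALIDATE.COM uses, and the file names and contents are constructed samples.

```python
import hashlib
import os
import tempfile
import zlib


def fingerprint(path):
    """Two independent checksums of one file's content."""
    with open(path, "rb") as fh:
        data = fh.read()
    return (f"{zlib.crc32(data) & 0xFFFFFFFF:08x}", hashlib.sha256(data).hexdigest())


def build_baseline(paths):
    """Record checksums of known-clean program files."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline):
    """Re-test every baselined file; return {basename: 'missing' | 'changed'}."""
    report = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            report[os.path.basename(path)] = "missing"
        elif fingerprint(path) != old:
            report[os.path.basename(path)] = "changed"
    return report


def demo():
    """Constructed sample: three stand-in program files in a temp directory."""
    samples = {"EDIT.COM": b"\x90" * 512,
               "CALC.EXE": b"MZ" + b"\x00" * 1022,
               "DRAW.OVL": b"overlay data " * 40}
    with tempfile.TemporaryDirectory() as work:
        for name, data in samples.items():
            with open(os.path.join(work, name), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(os.path.join(work, n) for n in samples)
        # Same-size change: the directory listing still shows 1024 bytes.
        with open(os.path.join(work, "CALC.EXE"), "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff\xff")
        os.remove(os.path.join(work, "DRAW.OVL"))
        size = os.path.getsize(os.path.join(work, "CALC.EXE"))
        return compare(baseline), size


if __name__ == "__main__":
    print(demo())
```

The altered file keeps its original length, so only the checksum comparison reveals the change; the untouched file does not appear in the report.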

Practical virus testing

Choice of protection procedure depends on a computer's risk of virus infection, and this varies with environment, thus
  • High risk are those computers that can be accessed by persons under the age of 18 years. Such computers should be protected by memory resident virus warners, and by a multiple checksum test daily. An absolute way of avoiding boot sector virus infections is to get your computer supplier to modify your startup sequence so that the computer always boots from drive C instead of first trying to boot from drive A.
  • Medium risk are computers in small offices with multiple users. Memory resident virus warners are indicated in these circumstances, plus a weekly checksum test. Booting from drive C only is worth considering here, too.
  • Low risk are home and office computers accessed by one or two users who can be trusted to be careful. They must test every floppy disk that has been in somebody else's computer before copying or running any of that floppy's files. Such a test is done by running your favourite virus detector program from your hard disk, specifying the suspect floppy disk as target. In addition, a weekly checksum test, and an occasional full test of your hard disk, is reassuring. Do that full test by running your favourite virus detector program from a write-protected floppy disk, specifying your hard disk as target (e.g. A:\SCAN C:).
  • Packed (archived, zipped) files are compressed files that should be unpacked in a directory of their own (e.g. C:\WORK). Then as soon as the unpacking is finished, test that whole directory (e.g. SCAN C:\WORK). Compressed .EXE files need to be tested before you run them, and again afterwards, when all their unpacked files should be checked.

Curing virus infections

A single virus can copy itself and spread very quickly into multiple files and locations. You can also catch multiple viruses simultaneously. Curing them is hardly a job for novices, and even old-timers may need to get expert help with difficult viruses. The cost of such help is much less than the cost of a new hard disk!

If you discover a single file infected, it can mean one of
  • You have discovered a very early infection
  • That file may be giving a false positive test
  • You might have altered that file using a hex editor.
On hard disks, infected files should be deleted, and replaced by your non-infected backup copies of those files. If you unpack infected files in a certain directory, delete that directory and all its contents (e.g. DELTREE C:\WORK). Boot sector infections can sometimes be fixed by your virus detector program (read the manual), but if not, seek expert help as it may be necessary to repartition and reformat your hard disk (plain reformatting may not work in these cases). After cleaning your hard disk, it will be necessary also to test all floppy disks that you have used in recent months.

On floppy disks with a positive test, copy any clean files, then kill all boot sector and/or remaining file viruses on that floppy by formatting that floppy (using FORMAT A: /U).

I believe that the facts in this article are essentially true. However, virus detectors vary in their efficiency and there can never be a guarantee that all viruses, especially those in the future, will abide by these general rules.

Reprinted from the November 1995 issue of PC Update, the magazine of Melbourne PC User Group, Australia
