Virus Information and Technology

What is a Virus?

Types of Viruses:

• Program
• Boot
• Multipartite

How Viruses Contaminate:

• Boot Sector
• Program

Virus Characteristics:

• Memory Resident or Non-Resident
• Stealth
• Full
• Size
• Polymorphic
• Encrypting
• Triggered Event

Troubleshooting and Virus Infection:

• Symptoms Commonly Reported:

What is a Virus?

A parasitic program written intentionally to enter a computer without the users permission or knowledge. The word parasitic is used because a virus attaches to files or boot sectors and replicates itself thus continuing to spread. Though some virus's do little but replicate others can cause serious damage or effect program and system performance. A virus should never be assumed harmless and left on a system.

Types of Viruses:

• Program: Executable program files such as .Com, .Exe, .Ovl, .Drv, .Sys, .Bin
• Boot: Boot Record, Master Boot, FAT and Partition Table.
• Multipartite: Both program and boot infector.

How Viruses Contaminate and Spread:

A virus is inactive until the infected program is run or boot record is read. As the virus is activated it loads into the computers memory where it can perform a triggered event or spread itself. Disks used in an infected system can then carry the virus to another machine. Programs downloaded from bulletin boards can also spread a virus. Data files, however, can not transfer a virus but they can become damaged.

• Boot Infectors: Every disk contains a boot sector whether it is a bootable disk or not. When the computer is powering up looking for the Boot information and reads an infected disk in the A: drive the virus is transfer to the computers hard drive. Once the boot code on the drive is infected the virus will be loaded into memory on every startup. From memory the boot virus can travel to every disk that is read and the infection spreads. Most Boot virus's could be on a system for a long time without causing problems. However there are some nasty ones that will destroy the boot information or force a complete format of the hard drive.
• Program Infectors: When an infected application is run the virus activates and is loaded into memory. While the virus is in memory any program file subsequently run becomes infected. Multiple infections are very common and will certainly cause system problems. Program files may function without any problems for some time but eventualy programs have problems or multiple infection brings the sytem down. The data the program produces may be a first sign of infection such as saving files without proper DOS names.

Virus Characteristics:

Viruses normally have multiple characteristics. Their characterisitics are:

• Memory Resident: Loads much like a TSR staying in memory where it can easily replicate itself into programs of boot sectors. Most common.
• Non-Resident: Does not stay in memory after the host program is closed, thus can only infect while the program is open. Not as common.
• Stealth: The ability to hide from detection and repair manifests in two ways.
  1. Full - Virus redirects disk reads to avoid detection.
  2. Size - Disk directory data is altered to hide the additional bytes of the virus.
• Encrypting: Technique of hiding by transformation. Virus code converts itself into cryptic symbols. However, in order to launch (execute) and spread the virus must decrypt and can then be detected.
• Polymorphic: Ability to mutate by changing code segments to look different from one infection to another. This type of virus is a challenge for ant-virus detection methods.
• Triggered Event: An action built into a virus that is set off by the date, a particular keyboard action or DOS function. It could be as simple as a message printed to the screen or serious as in reformatting the hard drive or deleting files.
• In the Wild: A virus is referred to as "in the wild" if is has been verified by groups that track virus infections to have caused an infection outside a laboratory situation. A virus that has never been seen in a real world situation is not in the wild, and sometimes referred to as "in the zoo".

Troubleshooting and Virus Infection:

Anti-Virus programs are the best way to protect against virus infection but not everyone has one and new virus's are continually developing. When troubleshooting program or system problems watch for telltale signs of a virus presence. When a program says it has removed a virus from memory it does not mean any files have been disinfected.

Symptoms commonly reported:

"My program takes longer to load suddenly."
"The program size keeps changing."
"My disk keeps running out of free space."
"When I run CHKDSK it doesn't show 655360 bytes available."
"I keep getting 32 bit errors in Windows."
"The drive light keeps flashing when I'm not doing anything."
"I can't access the hard drive when booting from the A: drive."
"I don't know where these files came from."
"My files have strange names I don't recognize."
"Clicking noises keep coming from my keyboard."
"Letters look like they are falling to the bottom of the screen."
"My computer doesn't remember CMOS settings, the battery is new."