
Viruses: Prevention
Larry Reznick
This kind of software, from all outward appearances, is written by people who have no life beyond the vicarious excitement they derive from hearing about other people's suffering. They are software adepts without direction for their talents, rebels without a clue.
What Is a Computer Virus?
There are several kinds of software that attack your system, not all falling into the classification virus. Other kinds of attacking software include the Trojan horse and the worm.
A Trojan horse is software that stands alone. Trojan horses look wonderful. They appear to do something amazing, pretty, or helpful. But computers work quickly. As you and I can do many things, one after another, so can the computer - but much faster. So fast it appears they're doing many things at once. While that amazing, pretty, helpful operation grabs your attention like a magician's patter, the Trojan horse unleashes its full force attack on your system. It writes data all over your disk directory, rewriting your disk sectors alphabetically, or - the sledge hammer approach - reformatting your disk drive. Many layers of new cities were built atop Troy's ruins. You, too, can rebuild your entire computer data set, can't you?
A virus is software that attaches itself to other programs. When the program loads into memory it carries the virus into memory with it. When the program begins execution it executes the virus subprogram first. Once executed, a virus finds another program and attaches itself again. As with any life form, its imperative is reproduction.
But life forms don't only reproduce. Every life form entertains itself somehow. If a cold virus merely attached itself to you without making itself known, you probably wouldn't mind it very much. After all, what's a hitchhiker to you when it's microscopic and quiet?
Viruses refuse to keep quiet. They might grab some of your memory. Not much - perhaps a few thousand bytes taken directly from the operating system. The operating system controls all the memory for all other software use, including its own use. As a passive lender the operating system expects that well behaved programs will borrow some memory for a while and give the memory back later. The operating system doesn't knock on the door and ask for the loan's repayment. Such a virus, ever the system scam artist, might borrow and never give back. Each time you run such an infected program the system's memory diminishes until eventually you can't load any more programs without rebooting first. Wasn't that fun?
Now consider that the virus could take your disk space instead. Or it could take over your screen, writing some message obviously more important than the work you were doing. Or it could intercept your devices, garbling your printouts, disk transfers, modem transfers, or keystrokes. Are we having fun yet? And this kind of software is so easy to write. Any 15-year-old can do it.
A worm is software that wiggles its way through an entire network of computers, moving from system to system, leaving its droppings along the way. Typically, worms sneak their way into the system through software backdoors or software design flaws. Having insinuated itself into the system, like a virus it reproduces. Its children move on to another system. The parent stays behind, continuing to reproduce, and entertains itself.
The infamous Internet worm of 1988 snuck into specific UNIX systems by exploiting a variety of software oversights. Once in, its children went out through Internet to find other systems with the same oversights while parents and siblings stayed behind, virally absorbing system resources until the infected computer was so busy processing virus operations that it couldn't process anything else. One by one, throughout Internet, systems subject to the specific software oversights were attacked and brought to their knees. The attack's effects were so significant and widespread that it made the evening news. Harry and Martha talked about it over the dinner table.
Everybody sat up and took notice when Microsoft accidentally distributed a virus with one of their software releases. Talking TV heads blathered about the Michelangelo virus due on March 6, the birthday of the great painter and sculptor, increasing the FUD factor (Fear, Uncertainty, and Doubt) throughout millions of MS-DOS users worldwide. Was it overblown? Yes, but consciousness was raised, along with the stock of companies producing virus detection software.
Virus Prevention
How do you avoid getting viruses when companies as large and presumably as careful in distribution as Microsoft deliver them to your favorite disk drive? Don't turn your computer on. While that seems extreme, keep in mind that the only way to guarantee that nothing goes wrong is to do nothing - ever. Risks exist in every worthwhile endeavor. Know the risks and reduce or avoid the worst of them. You can still get useful work done despite lacking 100% guarantees.
So turn your computer on and be careful what you put in it. Did you buy your computer with software already installed on its hard drive? Did your vendor check the system for viruses and other attacking software before delivering it to you? If not, you have to check it yourself. Ask your vendor to check that next time you buy a computer with software already on it.
Never load software from a floppy disk onto your system without checking it first. Maybe that's a little extreme, but how do you know that the manufacturer didn't slip up? Accidents happen even to the big manufacturers. Did your manufacturer check its release disks for viruses and other attacking software before delivering them to you? If not, you have to check them yourself. Ask your manufacturer to check that next time you buy software. Beware of friends bearing floppies.
You can't get a virus by looking at a text file or by reading a message on a BBS or other on-line service. Viruses only come from executing software. If the computer doesn't execute the program you can't get the virus attached to that program. So browse through that text file with software you've already verified as virus-free. Enjoy your BBS. Read your news. Chat on your favorite forum. Download your favorite text file, but don't download programs unless you're sure the BBS or on-line service regularly checks its disks and its uploads for viruses and other attacking software. If not, you have to check it yourself. Find out whether your sysop regularly checks that next time you log in. The good ones do so regularly or automatically with each upload. If your favorite sysop doesn't, ask. If the sysop still doesn't, enjoy the BBS. Just don't download anything from it.
Virus Protection
It's hard to ignore a big market clamoring for your wares. For years, McAfee has produced software that reflected their research into and solutions for viruses and other system attacking software. They still produce among the best such software even after late-comers delivering short-term solutions leaped on the FUD bandwagon. McAfee's software has the right price, too. You can download the latest version from HAL-PC BBS.
Our Sysop, Frank Leonard, is vigilant and very careful about checking software uploads. New files arriving on HAL-PC's BBS are automatically checked by the BBS software for viruses. From time to time he takes preventive measures to be sure nothing gets by. He's seen software attacks on his clients' systems. They aren't pretty. Such attacks are costly to the client's ability to get useful work from the system. Prevention is the key.
Prepare for disaster. Don't wait until after it strikes. Create an emergency boot floppy disk right now. Grab a spare floppy and put it into your disk drive right now. You don't have one available, you say? Pick up one of the dozen America On-line floppies you received in the mail. You don't need all of them. Insert a disk in the drive and format that disk.
Don't merely erase the files on the floppy disk - format it and put a copy of the operating system on it. If your hard drive is free of viruses you won't put a virus on your floppy disk. If your hard drive has already been attacked you must clean the virus from your hard drive before using or even creating a floppy. Otherwise you'll just transfer the virus to the floppy. Transfer the virus to floppy, then clean your hard drive, then use the infected floppy and you'll only replace the virus on your clean hard drive. When your hard drive is already infected, find a friend with a clean hard drive to make the emergency boot floppy for you. While your hard drive is clean now, make that emergency boot floppy now.
To format and put the operating system on it from an MS-DOS command line, type:
    format/s a: [use your boot drive letter]
The /s option puts the system on the floppy after it's formatted. If format reports an error during its work, throw the disk away. If the disk isn't perfect, you don't want it. Floppy disks are too cheap to worry about little errors when constructing something as important as an emergency boot disk.
When you finish formatting, reboot the computer with the floppy in the disk drive. Be sure that the floppy reboots without error. If so, the format and operating system installation will work for you in the future. If you can't reboot from this floppy, don't use it for anything important. Grab another floppy and try again.
Operating system files take up some of the disk's space, but you'll still have plenty of space for important files. Several standard MS-DOS files will be important for recovery. You need only a minimal complement of utilities to recover the system. Copy the following files onto your emergency boot floppy:
CHKDSK: Checks and corrects directory errors and other filesystem errors.
DEBUG: Executes system ROM programs like SCSI disk formatters or BIOS drivers.
FDISK: Divides large disk drives into smaller partitions.
FORMAT: Formats disk drives and optionally installs the operating system.
SYS: Installs the operating system on a disk already prepared to receive one.
For example, if you have all these files in your c:\dos directory, execute the following commands:
    cd \dos
    copy chkdsk.* a:
    copy debug.* a:
    copy fdisk.* a:
    copy format.* a:
    copy sys.* a:
Other programs worth installing on the disk include your favorite text editor and other disk checking or disk recovery utilities. Don't try to put everything on this floppy. This floppy is intended only to recover your system in an emergency, not to run all your regular operations in your favorite environment. Minimalism is your watchword here. Don't put a full-blown word processor on this disk, or Microsoft Windows. These just won't fit and they aren't helpful for this disk's purpose. Don't put the EDIT program that comes with MS-DOS because you have to put QBASIC on the floppy with it. Together they take about one third of your floppy disk's space. Find a small but helpful text editor. You can probably download one from HAL-PC or some other BBS that judiciously virus-checks its files. Take time to get to know how that text editor works.
Finally, download the McAfee software. To find out about the McAfee software, log in to HAL-PC's BBS. (I presume that you already have PKUNZIP. If you don't already have it, download PKZ204G.EXE, too.) I typically download or copy this file to a RAMdisk because I don't want the file hanging around after I'm done with it. The file changes several times a week as HAL-PC receives new files. I can download it again another time when I need to find new software. Once the file is on the disk, change to its directory and run the command:
    PKUNZIP allfiles
This extracts the file ALLFILES.LST. Browsing through this file with a text browsing utility such as MS-DOS's more (painful), Vern Buerg's list utility (nice), or your favorite text editor, find references to McAfee. As of July 1, 1995, Sacra Bytes' ALLFILES.LST, a 651,202 byte file - now you know another reason why I get rid of it when I'm done - shows the following entries, all from McAfee:
EXEBG2.ZIP (02/25/93) Finds/Removes ExeBugII virus
KILLMONK.ZIP (03/25/93) Finds/Removes Monkey virus
M-DISK.ZIP (03/31/90) McAfee's Hard Disk Boot Sector virus
OSC-200.ZIP (04/20/94) OS/2 virus scanner - new
OSC-221E.ZIP (04/26/95) Latest antivirus program for OS/2.
SCN-222E.ZIP (06/27/95) Ver 222 of Scan from John McAfee
SENTRY02.ZIP (04/10/90) Boot Sector virus checker
VIRPRES.ZIP (07/22/92) Virus Presentation-from McAfee-Desktop
VSH-214E.ZIP (01/26/95) VShield version 2.xx
VSH-221E.ZIP (04/26/95) Latest version of VShield v.2.21,
WSC-222E.ZIP (06/29/95) Latest Windows VSan
ONET102.ZIP (03/06/93) OS/2 version of VIRUSCAN
NETSC102.ZIP (03/06/93) Network Scan utility
Aside from these files you'll find some other virus scanning and cleaning software on the BBS, and some files containing more detailed information about viruses than this article covers. Scanning programs check whether a virus has already infected your system. Cleaning programs attempt to eliminate the virus, usually by eliminating the file containing the virus. Once the file is eliminated you'd have to reinstall that file from uninfected master floppies.
Certain nasty viruses attach themselves to your disk's boot sector - a program that runs every time you boot the disk drive. McAfee's VShield program is a memory resident program that monitors the kinds of activities viruses typically do, such as write to the disk drive, to see whether an unauthorized write happens.
Log back in to HAL-PC's BBS and download the McAfee files relevant to your needs. Once downloaded, unzip the archive and place the files on your emergency boot floppy disk. For example, say that I've downloaded SCN-222E.ZIP from the BBS to my RAMdisk on drive D: and I want to install it on my drive A: containing my emergency boot disk. With PKUNZIP already installed on my disk, I'd run the following commands:
    a:
    PKUNZIP d:scn-222e.zip
This extracts all the files, including documentation text files, and puts over 840,000 bytes on your floppy disk. Scan your emergency boot floppy by typing:
    scan a: /all
This tells SCAN to check only drive A: for everything it can find, which includes a memory check for viruses already resident, waiting to attack your files. When SCAN finishes its work, it prints a report showing how many files it analyzed, how many it scanned - only executable files can launch viruses - and how many it found were infected. It also shows information about its check of the master boot record and the other disk boot sectors. If SCAN found any infections, you could clean them by typing:
    scan a: /clean
If you want to check all disk drives, type:
    scan /adl
This checks All Drives Local. A list of all options prints if you type SCAN all by itself on the command line. If you decide you can't live without this software, register it. The disk contains a LICENSE.TXT file telling you how to register.
Once installed on the floppy, pull that emergency boot disk out of the drive and flip the write-protect tab. The write-protect tab on a 3.5" floppy is a black square in a slot in the disk's upper corner. On the back of the disk you'll see where that tab slides within its slot. If you slide the tab up and click it into place so you can see light through the hole, your floppy is write-protected. No virus can overwrite your protected disk.
Even write-protected, though, your disk is vulnerable to temperature, magnetism, and curious minihumans. Label your emergency boot floppy, date it, identify that you put the SCAN software on it, and put it in a safe place, preferably somewhere you can find it easily when you're panicky.
Operating Virus Free
Now that you have your emergency boot floppy tested and ready for use, maintain vigilance over your system's files. Don't download software unless the remote system checks that software or you check it yourself. You can't check the file while it is still a ZIP archive. You must unzip it first so the scanning software can look at the executable file as the computer would load it.
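Why the archive has to be unzipped before scanning, as an added Python example (not part of the original article and not how McAfee's SCAN works internally): a byte-pattern search over the compressed ZIP misses a pattern that is plainly present once the program is extracted. The signature string, file names and archive contents are constructed for illustration, and the report counts mirror the analyzed/scanned/infected totals described earlier.

```python
import io
import zipfile

# Constructed, harmless marker standing in for a virus signature (assumption).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample_zip() -> bytes:
    """Build a constructed download: one DOS-style program and one text file."""
    program = b"MZ" + b"\x90" * 600 + SIGNATURE + b"\x00" * 600
    readme = b"Thanks for downloading. Run GAME.EXE to play.\r\n" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("GAME.EXE", program)
        zf.writestr("README.TXT", readme)
    return buf.getvalue()


def looks_executable(name: str, data: bytes) -> bool:
    """Treat .EXE/.COM names, or an MZ header under any name, as a program."""
    return name.upper().endswith((".EXE", ".COM")) or data[:2] == b"MZ"


def scan_raw(archive: bytes) -> bool:
    """Naive scan of the archive exactly as downloaded (still compressed)."""
    return SIGNATURE in archive


def scan_extracted(archive: bytes) -> dict:
    """Unpack each member in memory and scan the bytes the computer would load."""
    report = {"analyzed": 0, "scanned": 0, "infected": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            report["analyzed"] += 1
            if not looks_executable(info.filename, data):
                continue  # text and data files are counted but not scanned
            report["scanned"] += 1
            if SIGNATURE in data:
                report["infected"].append(info.filename)
    return report


if __name__ == "__main__":
    sample = build_sample_zip()
    print("signature visible in raw ZIP:", scan_raw(sample))
    print("after extraction:", scan_extracted(sample))
```
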
Never run software without checking it. Viruses can't attack unless you execute them as programs, so reading a text file won't harm your system, but running the software that reads the text file might.
Don't accept floppy disks from anyone without either checking them first or checking your system after using them. Looking at files on the disk doesn't harm anything but running the programs may.
If you accidentally boot from a floppy disk and the system reports, "Nonsystem Disk," don't simply remove the disk and press a key to continue. A virus may have loaded off the floppy's boot sector. Pull the floppy out of the drive and either press the hardware reset button, or cycle the power. CTRL-ALT-DEL may not be good enough because that's a software reset. The virus could attach itself to the software handling that keystroke combination.
Just as you back up frequently, virus check frequently. Scanning for viruses with every system boot is probably extreme, but if you back up once a week or once a month, what can a little extra time for a virus check - before you back up - cost you?
Don't back up your viruses. Scan first to see if you've been hit. If you back up your virus-attacked software, you'll only get hit again if you ever restore the infected software. Scan first, then back up.
Relax! Fifteen-year-olds are not out to get you. Mass media start panics at the slightest hint of trouble in the name of news. Doing so keeps their audience. You don't have to fall for it. The last Michelangelo virus scare was little more than that - a scare, not an epidemic. Protecting the flow of new executable files into your system will reduce the likelihood you'll get infected. Vigilance when you acquire new software from any source will reduce the harm any potential infection could deliver. Preventive measures keep your system working for you.
Reprint from Sacra Blue, The Magazine of The Sacramento PC Users Group.