JCBS Viruses basics Tutorial
  

 

The best definition we could find is:

  • A virus is a program which can replicate, i.e. create (possibly modified) copies of itself.
  • The replication is deliberate, and not simply a side effect.
  • At least some of the replicants are in turn also viruses according to the same definition.
  • A virus has to attach itself to a "host", in the sense that running the host implies running the virus.

Exclusions:

  • Distinguish viruses from non-replicating malware, such as ANSI bombs.
  • Distinguish viruses from programs such as DISKCOPY.com, which can replicate.
  • It is necessary to exclude certain "intended viruses", which try to replicate but fail - they do not qualify as "true" viruses.
  • It is necessary to distinguish viruses from worms, which do not require a host.


A Trojan horse (Trojan) is a program which pretends to do something useful (or at least interesting), but when it is run it can have a harmful effect, such as modifying your FAT (File Allocation Table), formatting the hard disk or releasing a virus.

Viruses and Trojans can contain a "time bomb", intended to destroy programs or data on a specific date or when a certain condition is met.

A time bomb is often designed to be harmful, for example by formatting the hard disk.

Sometimes it is relatively harmless, for example slowing down the computer every Friday or drawing a ball which bounces around the screen.
However, there is really no harmless virus.

Even if a virus was written to damage nothing, it can still do damage in certain cases, often due to the incompetence of the author of the virus or to unexpected changes in hardware or software.

A virus can be modified, by the original author or somebody else, so that a more harmful version appears.
It is also possible that the modification produces a less harmful virus, but this has rarely happened.

The damage caused by a virus can be the deletion of data or programs, or even the reformatting of the hard disk,
but more subtle damage is also possible.

Some viruses can modify data or introduce typing errors into text.
Other viruses may have no deliberate effect other than to replicate.

The main groups of viruses on PC are:

  1. boot sector viruses (BSV),
  2. program viruses,
  3. application viruses.

1- A BSV infects boot sectors on floppy disks and/or hard disks.
On floppy disks, the boot sector normally contains the code that loads the operating system files.
The BSV replaces the original boot sector with itself and either stores the original boot sector somewhere else on the floppy disk or replaces it entirely.

When the computer is then restarted from this floppy disk, the virus takes control and hides in RAM.

It then loads and runs the original boot sector, after which everything appears as usual.
Naturally, every floppy disk inserted into the computer will be infected by the virus, unless it is write-protected.

A BSV usually hides at the top of memory, slightly reducing the amount of memory which the system sees.
Most BSVs can also infect hard disks, where the process is similar to that described above.


2- Program viruses, the second type of virus, infect executable programs, usually COM and EXE files, but sometimes also DLL files or device drivers.

An infected program will contain a copy of the virus, usually at the end, in certain cases at the beginning of the original program, and in some cases inserted in the middle of the original program.
When an infected program is run, the virus can remain memory resident and infect every program that is executed afterwards.
Viruses that use this method to spread the infection are called "resident viruses".

Other viruses can try to infect a new file when an infected program is run.
The virus then transfers control to the original program.
Viruses that use this method to spread the infection are called "direct action viruses".

It is possible for a virus to use both methods of infection.
Most viruses try to recognize existing infections, so that they do not infect what is already infected.

This makes it possible to inoculate against specific viruses, by making the "victim" appear to be infected.

However, this method is useless as a general defense, as it is not possible to inoculate the same program against multiple viruses.


3- Application viruses, the third type of virus, do not infect normal programs, but instead spread as "macros" in various types of files, typically word-processor documents or spreadsheets. This type of virus can easily spread through e-mail, when users unknowingly exchange infected documents.

In general, viruses are just programs - rather unusual programs perhaps, but written just like any other program. It does not take a genius to write one - many ten-year-old kids can easily create viruses.

Now - to correct some common misconceptions, here are a few bits of information about what viruses cannot do.

A virus cannot appear all by itself, it has to be written, just like any other program.

Not all viruses are intentionally harmful - some may only cause minor damage as a side effect - however, there is no such thing as a "harmless" virus.

Reading plain data from an infected diskette cannot cause an infection. (However, it is not trivial to determine what "plain data" is)

A write-protected diskette cannot become infected, if the hardware is working properly.

It used to be the case that a virus could not infect a computer unless it was booted from an infected diskette or an infected program was run on it, but alas, this is no longer true. It is possible for a virus infection to spread, just by the act of reading an infected Microsoft Word document, for example, or through use of Lotus Notes, to name two well-known applications.

It also used to be the case that a virus could not infect data files or spread from one type of computer to another - a virus designed to infect Macintosh computers could not infect PCs or vice versa, but with the appearance of application viruses this has changed as well - there are now a few viruses that can infect WinWord as well as MacWord.

Apart from using anti-virus programs, there are several ways to protect your computer from viruses:

BASIC CARE against VIRUSES

Write it, think it, say it, say it again: MAKE BACKUPS!!!

Keep good backups (more than one) of everything you do not want to lose. This will not only protect you from serious damage caused by viruses, but is also necessary in the case of a serious hardware failure.

Never boot a computer with a hard disk from a diskette because that is the only way the hard disk could become infected with a boot sector virus. (Well, strictly speaking, it can happen if you run a "dropper" program too, but that happens extremely rarely).

If your BIOS allows you to change the boot sequence to "C: A:", do it. This will give you very good protection against boot sector virus infections.

Should you, by accident, have left a non-bootable diskette in drive A: when you turn the computer on, the message "Not a system disk" may appear. If the diskette was infected with a virus, it will now be active, but may not have infected the hard disk yet (most boot sector viruses will do it right away, however). If this happens, remove the diskette from the A: drive and turn the computer off (or press the reset button). It is important to note that pressing Ctrl-Alt-Del is not sufficient, as a few viruses can survive that.

Keep all diskettes write-protected unless you need to write to them.
When you obtain new software on a diskette, write-protect the diskette before you make a backup copy of it. If it is not possible to make a backup of the diskette, because of some idiotic copy-protection, I do not recommend using the software.

Be really careful regarding your sources of software. In general, shrink-wrapped commercial software should be "clean", but there have been a few documented cases of infected commercial software and even Microsoft has occasionally distributed infected files.
Public-Domain, Freeware and Shareware packages do not have to be any more dangerous than "regular" commercial programs - it all depends on the source. If you obtain software from a BBS, check what precautions the SysOp takes against viruses. If he does not screen the software made available for downloading, you should find another source.

Check all new software for infection before you run it for the first time. It may even be advisable to use a couple of scanners from different manufacturers, as no single scanner is able to detect all viruses.

Obtain Shareware, Freeware and Public-Domain software from the original author or reliable distribution sites, if at all possible.

Look out for any "unusual" behavior on your computer, like:
  • Does it take longer than usual to load programs?
  • Do unusual error messages appear?
  • Does the memory size seem to have decreased?
  • Do the disk lights stay on longer than they used to?
  • Do files just disappear?

Anything like this might indicate a virus infection (or just that Windows is misbehaving).

If your computer is infected with a virus - DON'T PANIC! Sometimes a badly thought out attempt to remove a virus will do much more damage than the virus could have done. If you are not sure what to do, leave your computer turned off until you find someone to remove the virus for you.

Finally, remember that some viruses may interfere with the disinfection operation if they are active in memory at that time, so before attempting to disinfect you MUST boot the computer from a CLEAN system diskette - preferably one that has been kept write-protected since it was originally created.

It is also a good idea to boot from a clean system diskette before scanning for viruses, as several "stealth" viruses are very difficult to detect if they are active in memory during virus scanning.
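
An added example, not part of the original tutorial: boot sector and program viruses both change bytes on disk, so a baseline of sizes and hashes taken while the system is clean, and compared again after booting from a clean system diskette, shows what has changed. The object names and byte strings are constructed sample data; reading the real boot sector and files is left to the caller.

```python
import hashlib

SECTOR_SIZE = 512  # size of a PC boot sector in bytes

def fingerprint(data: bytes) -> dict:
    """Record the size and SHA-256 of a boot sector or program image."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def make_baseline(objects: dict) -> dict:
    """Fingerprint every named object while the system is known to be clean."""
    return {name: fingerprint(data) for name, data in objects.items()}

def compare(baseline: dict, current: dict) -> list:
    """Return (name, finding) pairs for objects that differ from the baseline."""
    findings = []
    for name, data in sorted(current.items()):
        known, now = baseline.get(name), fingerprint(data)
        if name == "boot" and (len(data) != SECTOR_SIZE or data[510:512] != b"\x55\xaa"):
            findings.append((name, "not a valid 512-byte boot sector"))
        if known is None:
            findings.append((name, "new object, not in baseline: scan before first run"))
        elif now["size"] > known["size"]:
            grew = now["size"] - known["size"]
            findings.append((name, f"grew by {grew} bytes (code added to the program?)"))
        elif now["sha256"] != known["sha256"]:
            findings.append((name, "contents changed, size unchanged"))
    for name in sorted(set(baseline) - set(current)):
        findings.append((name, "missing (files disappearing is a warning sign)"))
    return findings

# Constructed sample data, not real disk contents.
CLEAN = {
    "boot": b"\xeb\x3c\x90" + b"\x00" * 507 + b"\x55\xaa",
    "EDIT.COM": b"\x90" * 300,
    "TOOL.EXE": b"MZ" + b"\x00" * 998,
}
LATER = {
    "boot": b"\xeb\x1c\x90" + b"\x00" * 507 + b"\x55\xaa",  # replaced sector, same size
    "EDIT.COM": CLEAN["EDIT.COM"] + b"\xcc" * 1200,         # bytes appended at the end
    "NEW.EXE": b"MZ" + b"\x00" * 62,                        # arrived after the baseline
}

if __name__ == "__main__":
    for name, finding in compare(make_baseline(CLEAN), LATER):
        print(f"{name}: {finding}")
```

A changed fingerprint only says that something was modified; a legitimate upgrade looks the same, so each finding still has to be checked with a scanner.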