Widespread Virus Myths

Viruses are simple but often surrounded by much hype and misinformation. (Many people want you to believe you must be an expert to understand viruses...but this just isn't so!) Viruses are merely programs written to create copies of themselves and to attach these copies to other programs (which are then considered to be infected by the virus).

These infected programs can be files containing executable code (most commonly .COM and .EXE files), or boot sectors. A virus can only infect your PC if you execute an infected program or boot from a diskette containing an infected boot sector. Simple, right? Well, it should be simple, but there is a lot of myth and misinformation regarding viruses, so things often appear to be not so simple. These myths are harmful to you if you believe them.

Let's debunk the common myths and misunderstandings regarding viruses:

--Viruses Come From Online Systems?

Simply being attached to a network (such as CompuServe or the Internet), a bulletin board system (BBS), or even a local area network, will not make you susceptible to viruses. The only way you can get a virus is to execute a program on your PC that you obtained over the network. The mere act of downloading a program is harmless; it's only by downloading and then executing an infected program that your PC can become infected. I hope it's clear that the mere act of reading electronic mail cannot infect you. (But you must beware that MS Word documents/templates and other MS Office files can contain programs that are activated when you open them. I'll explain this further shortly.) (See the Good Times Virus Hoax)

Most infected PCs are infected by system sector viruses such as Michelangelo, Stoned, Monkey, or Form. These viruses only spread by booting from an infected diskette. This makes it clear that online communication plays no part in the spread of most viruses.

--There is a potential threat that you may want to be aware of. You are under some threat of virus infection if your web browser or mail reader will automatically execute MS Word, MS Excel, MS Access or MS PowerPoint. If you have these MS Office products installed and your software is configured to launch these products, we strongly suggest you use the option setting menu to turn this off or substitute one of the free viewer programs that Microsoft provides. (See our information on Macro Viruses and details of the very first MS Word macro virus, WM/Concept.)

--There is another potential threat that you may want to be aware of. (This is not a virus but falls into the category of 'dirty trick.') If you have the device driver ANSI.SYS loaded (in your CONFIG.SYS file), someone could send a sequence of characters to your screen (known as an ANSI sequence) which assigns a set of key strokes to a key on your keyboard. These key strokes could easily be something harmful like "DEL *.*". When you hit the key that was reassigned, the command will execute just as if you had typed it yourself. Let me reassure you that while this "trick" is possible, it is fairly rare since many people no longer load the ANSI.SYS device driver or use a version without keyboard remapping.

--Viruses Only Infect .com and .exe Files:

Viruses also infect system (boot) sectors. These viruses do quite well because sectors do not show up as files and are therefore "invisible" to the average user. System sector viruses account for almost 80% of all in-the-wild infection.

Viruses can also infect any file which is in some way executed. This includes device drivers (commonly .SYS or .BIN) and overlay files. It's even possible to write viruses for batch files, word processors, or spreadsheet macros. (See information on Macro Viruses)

Would you believe that a virus can infect your files without changing a single byte in the file? Well, it's true! A companion virus infects your files by locating a file name ending in ".EXE". The virus then creates a matching file name ending in ".COM" which contains the viral code. The virus may place this file in the same directory or in another directory on your DOS path. Here's what happens. Let's say a companion virus is executing (resident) on your PC and decides it's time to infect a file. It looks around and happens to find a file called "WP.EXE". It now creates a file called "WP.COM" containing the virus. If you type "WP" and hit enter, DOS will execute "WP.COM" instead of "WP.EXE". The virus executes, possibly infecting more files and then loads and executes "WP.EXE". The user probably doesn't notice anything wrong. This type of virus is fortunately easy to detect by the presence of the extra files. There are some instances where it is normal to have both ".COM" and ".EXE" files of the same name (such as DOS 5's DOSSHELL) but this is relatively rare. It is also possible for a virus to plant either .COM or .EXE files for existing .BAT files, but this is unlikely to be an effective strategy. If you use the NDOS or 4DOS COMMAND.COM replacement, there is a further risk of a virus planting .BTM files.
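The check described above, looking for the extra files, can be automated. The following is an added example, not code from the original page or from Integrity Master: it walks a list of directories in DOS path order and reports every file that would run in place of a same-named file with a different extension, using the DOS search order of .COM, then .EXE, then .BAT within each directory. The directory names and files in `demo()` are constructed, and legitimate pairs such as DOSSHELL will also be listed for review.

```python
import os
import tempfile

# Within one directory DOS tries these extensions in this order for a bare command name.
EXT_RANK = {".COM": 0, ".EXE": 1, ".BAT": 2}

def find_shadowed(path_dirs):
    """Scan directories in path order; return (winner, shadowed) path pairs where
    one file would run in place of a same-named file with another extension."""
    candidates = {}  # base name -> list of (dir_index, ext_rank, full_path)
    for dir_index, directory in enumerate(path_dirs):
        for entry in sorted(os.listdir(directory)):
            base, ext = os.path.splitext(entry.upper())
            if ext in EXT_RANK:
                candidates.setdefault(base, []).append(
                    (dir_index, EXT_RANK[ext], os.path.join(directory, entry)))
    findings = []
    for base, found in sorted(candidates.items()):
        found.sort()                     # earliest directory first, then .COM < .EXE < .BAT
        winner = found[0]
        for other in found[1:]:
            if other[1] != winner[1]:    # different extension: possible companion file
                findings.append((winner[2], other[2]))
    return findings

def demo():
    """Constructed two-directory path (DOS searched before APPS); returns findings."""
    layout = {"DOS": ["EDIT.COM", "WP.COM"], "APPS": ["WP.EXE", "RUN.EXE", "RUN.BAT"]}
    with tempfile.TemporaryDirectory() as root:
        for folder, names in layout.items():
            os.mkdir(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "wb").close()
        dirs = [os.path.join(root, "DOS"), os.path.join(root, "APPS")]
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return [(rel(w), rel(s)) for w, s in find_shadowed(dirs)]

if __name__ == "__main__":
    for winner, shadowed in demo():
        print(f"{winner} runs instead of {shadowed}")
```
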

--You Can Get a Virus From Data?

Since data is not executed, you cannot become infected from data. Some of the pro-virus kiddies love to scare people by perpetuating myths that data or email can transmit viruses (See the Good Times Virus Hoax). If someone sent you a data file that contained a virus, you would have to rename the file and then execute it to become infected!

Since Microsoft Word users can receive viruses inside what appear to be document files, they can become infected from a document sent by email or from the Web. (See information on Macro Viruses) The infection can only happen when you start MS Word on your computer, so if you use MS Word, it's important to configure your web browser or mail reader not to launch MS Word automatically for .DOC files.

(Make sure your web browser does not launch any MS Office applications for any file you receive over the web or via email. All MS Office applications contain a macro language that allows these files to contain programs that are automatically executed when you open the file; currently MS Word, Excel, MS Access and MS PowerPoint viruses exist.)

--Viruses From Data Diskettes?

Data files can't infect you, but you can become infected from a diskette that is not bootable and contains no (apparent) programs. The explanation for this is that all diskettes have a boot sector which contains a program that can become infected by a boot sector virus. If you leave such an infected diskette in your drive when you power up or boot, your PC will be infected! This is how most viruses spread. You will see the typical "Non-system disk or disk error" message but the virus will have infected your PC.

--Can You Get a Virus From Web Cookies?

Cookies are data files that some web sites will store on your disk. Since they are not executed, there is no threat from them beyond wasting some disk space. In spite of claims that some vendors make regarding cookies, there is no reason to scan your Cookies for viruses. Read more about whether Cookies pose a threat to your PC.

--You Can Get a Virus From Graphic files?

Graphic files (such as *.JPG or *.GIF files) contain images; they are not executed but rather simply displayed. They are data files and as such pose no threat from viruses. Be careful though, we have seen postings of graphic files that contain an included viewer program. This program can easily be infected and should be carefully checked for viruses before executing. Read more about whether Graphic files pose a threat to your PC.

--A Virus Can Infect CMOS Memory?

PC AT (Intel 80286) type computers and later models contain a small amount of battery backed CMOS memory to store configuration information and to maintain the time and date. This memory is never executed, so although it could be damaged by a virus, you can never become infected from CMOS memory. Viruses, buggy programs, or a failing battery may damage this data so it's vital to be able to check it and to be able to restore it in the event that something goes wrong. If your CMOS data is corrupted you may be unable to access your disk drives or boot your PC. Our product, Integrity Master, checks and, if necessary, reloads this data. Beware though, many CMOS programs only handle the older 64 byte standard AT CMOS. Be sure to check that your program can handle the new larger CMOS memories found on almost all newer PCs made since 1992.

--You Can Fool Viruses by Hiding COMMAND.COM?

COMMAND.COM is a program that executes each time you boot your PC. There was an early virus that only infected COMMAND.COM so the idea of hiding or renaming this file began. Today many viruses actually go out of their way to avoid infecting this file, since some anti-virus products single out this file and a few others for special scrutiny. With today's viruses, hiding COMMAND.COM is utterly futile.

--You Can Detect Viruses by Checking File Size or Time and Date Stamps?

While it's helpful to check the file size or the time and date stamps of your executable files for unexpected changes, this is not a reliable way to catch viruses. Many viruses are smart enough not to change the time and date stamps when they infect a file. Some viruses even hide the change to a file's size when they infect a file.

--There Are Simple "Cures" to the Virus Problem?

Many products make claims which they can't support. Everyone would like to just buy product X, run it, and be rid of viruses forever. Unfortunately there is no such easy cure. It's important to understand how your anti-virus software works and to understand its weaknesses. You can't simply run a program and be safe from viruses; it's important to understand what risks you face and how your software protects (or doesn't protect) you.

--Write-Protecting Your Files Prevents Viruses?

You can use the DOS ATTRIB command to set the read only bit on files. This is so easy for a virus (or any program) to bypass that it simply causes more problems than it cures. This is also true on networks. However, on networks you can set the file access rights to execute-only or read-only. This does work and will prevent the files from becoming infected from another workstation on the network. (Please note that we are talking about access rights, not file attributes, here--the distinction is vital.)

--You're Safe by Running Only Retail Software?

Several "virus experts" have suggested that users avoid downloading software and avoid shareware. There are no facts to support this! The most common viruses are boot sector viruses that spread when someone boots from an infected disk. To spread boot sector viruses, a physical disk must be passed around and then booted. Michelangelo spread widely because software distribution disks were infected with this virus. There was no reported incident of this virus spreading via shareware. It is, of course, wise to make sure that you download your software from a source that screens each program for known viruses. Quite a few viruses have been shipped directly from the software manufacturer in the shrink wrapped packages. One major software company has on at least two separate occasions shipped a virus with their product. Buying shrink wrapped retail software is much more dangerous than many people think it is, since some retailers accept returned software and then simply rewrap the software and sell it again. This software could have easily been infected by the first user who tried it and then returned it.

--You Can Write-protect Your Hard Disk?

There are several programs that claim to write-protect your hard disk. Since this is done in software, it can be bypassed by a virus. This technique, however, will stop some viruses and will protect your disk from someone inadvertently writing to it.

It IS possible to write-protect a disk using hardware, but this technology does not seem to be readily available.

--While write-protecting your files and your hard disk are of questionable value, you definitely CAN write-protect your floppy disks. Just cover the notch on the 5.25 inch diskettes, or on 3.5 inch diskettes slide the little tab to expose the hole. The only risk here is that some diskette drives may be defective and still allow writing on the diskette. If in doubt, do a test and check out your drive.

--Viruses Are The Most Serious Threat to Your Data?

As I mentioned in the Introduction to viruses, viruses are among the less likely threats that you face. Problems such as bugs and conflicts with resident software (especially disk caches!) are much more likely to damage your programs and data than viruses.

--"Safe Hex" Is the Solution to Viruses?

You may have heard this rumor: "You don't need an anti-virus product, just backup your disk regularly and keep an eye on your programs." Yes, it is vital to have good backups, but that is no longer enough. You may also have heard that provided you don't share programs or download (practice "safe hex"), you have nothing to worry about. This is no longer sufficient protection; every time you buy a software package you are exposing yourself to potential virus infection. It is not possible to be safe from viruses by secluding your PC! There are now some very sophisticated viruses that can do substantial damage. Although they may not be very likely to attack your system when compared to other threats, they do represent a very real and very dangerous threat -- a threat you cannot ignore or combat merely with good backups, seclusion or common sense.

--Software Is Useless Against Viruses?

Maybe we should just surrender to viruses and wait for a fool-proof hardware solution? It is true that certain types of software can allow viruses to spread; scanners will miss new viruses written after the scanner was released and no program can actually stop a virus once it is executing on your PC. Viruses can defeat any software defense -- right? Wrong! The viruses are playing on your turf, so you have an advantage. All viruses must change something on your PC in order to infect it. These changes can be detected even if the virus is not known. A virus can attempt to hide these changes by using stealth techniques to intercept attempts to read the disk, but in that case the virus can be detected because of its presence in your PC's memory. A virus will always betray itself in the memory, system sectors, or executable files. There is no way a virus can hide from a full integrity check.
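To make the point about detecting changes concrete, and to show why the size and date stamp check discussed earlier is not enough, here is an added example (not code from Integrity Master or from the original page). It records a baseline of executable files, then compares a later snapshot against it by content hash as well as by size and date. The file names and bytes in `demo()` are constructed, and the sketch covers files only: it does not model memory, system sectors, or a stealth virus intercepting disk reads.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = {".COM", ".EXE", ".SYS", ".BIN", ".BAT"}  # file types the page names

def snapshot(root):
    """Map each executable file under root to (size, mtime_ns, sha256)."""
    records = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name.upper())[1] in EXECUTABLE_EXTS:
                path = os.path.join(folder, name)
                st = os.stat(path)
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                records[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, digest)
    return records

def compare(baseline, current):
    """Report new, missing and changed files, noting changes a size/date check misses."""
    report = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report[name] = "new file"
        elif name not in current:
            report[name] = "missing"
        elif baseline[name][2] != current[name][2]:
            stamps_differ = baseline[name][:2] != current[name][:2]
            report[name] = "changed" if stamps_differ else "changed (size and date unchanged)"
    return report

def demo():
    """Constructed case: same-size content change with the old date stamp restored."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "WP.EXE")
        with open(target, "wb") as f:
            f.write(b"MZ" + bytes(62))           # constructed stand-in, not a real program
        with open(os.path.join(root, "README.TXT"), "wb") as f:
            f.write(b"data file, ignored")
        baseline = snapshot(root)
        st = os.stat(target)
        with open(target, "r+b") as f:           # overwrite 8 bytes in place: size unchanged
            f.seek(32)
            f.write(b"\xcc" * 8)
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the old stamps back
        with open(os.path.join(root, "WP.COM"), "wb") as f:    # extra file appears
            f.write(b"\x90" * 16)
        return compare(baseline, snapshot(root))
```
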





Copyright 1994-1999 Stiller Research. Document Last Modified May 3, 1999