Widespread Virus Myths
Viruses are simple but often surrounded by much
hype and misinformation. (Many people want you to believe you must be an expert
to understand viruses...but this just isn't so!) Viruses are merely programs
written to create copies of themselves and to attach these copies to other
programs (which are then considered to be infected by the virus).
These infected programs can be files containing executable code (most
commonly .COM and .EXE files), or boot sectors. A virus can
only infect your PC if you execute an infected program or boot from a
diskette containing an infected boot sector. Simple, right? Well, it
should be simple, but there is a lot of myth and misinformation regarding
viruses so things often appear to be not so simple. These myths are harmful to
you if you believe them.
Let's debunk the common myths and misunderstandings regarding
viruses:
Viruses Come From Online Systems?
Simply being attached to a network (such as CompuServe
or the Internet), a bulletin board system (BBS), or even a local area network, will
not make you susceptible to viruses. The only way you can get a virus is
to execute a program on your PC that you obtained over the network. The
mere act of downloading a program is harmless; it's only by downloading and then
executing an infected program that your PC can become infected. I hope it's
clear that the mere act of reading electronic mail cannot infect you. (But you
must beware that MS Word documents/templates and other MS Office files can
contain programs that are activated when you open them. I'll explain this
further shortly.) (See the Good Times Virus Hoax.)
Most infected PCs are infected by system sector viruses such as Michelangelo,
Stoned, Monkey, or Form. These viruses only spread by booting from an infected
diskette. This makes it clear that online communication plays no part in the
spread of most viruses.
There is a potential threat that you may want to be aware of. You are under some threat of
virus infection if your web browser or mail reader will automatically execute MS
Word, MS Excel, MS Access or MS PowerPoint. If you have these MS Office
products installed and your software is configured to launch these products, we
strongly suggest you use the option setting menu to turn this off or substitute
one of the free viewer programs that Microsoft provides. (See our information on
Macro Viruses and details of the very first MS Word macro virus, WM/Concept.)
There is another potential threat that you may want to be aware of. (This is not a virus but
falls into the category of 'dirty trick.') If you have the device driver
ANSI.SYS loaded (in your CONFIG.SYS file), someone could send a sequence of
characters to your screen (known as an ANSI sequence) which assigns a set of key
strokes to a key on your keyboard. These key strokes could easily be something
harmful like "DEL *.*". When you hit the key that was reassigned, the command
will execute just as if you had typed it yourself. Let me reassure you that
while this "trick" is possible, it is fairly rare since many people no longer
load the ANSI.SYS device driver or use a version without keyboard remapping.
Viruses Only Infect .com and .exe Files:
Viruses also infect system (boot) sectors. These
viruses do quite well because sectors do not show up as files and are therefore
"invisible" to the average user. System sector viruses account for almost 80% of
all in-the-wild infection.
Viruses can also infect any file which is in some way executed. This includes
device drivers (commonly .SYS or .BIN) and overlay files. It's even possible to
write viruses for batch files, word processors, or spreadsheet macros. (See
information on Macro Viruses.)
Would you believe that a virus can infect your files without changing a
single byte in the file? Well, it's true! A companion virus infects your files
by locating a file name ending in ".EXE". The virus then creates a matching file
name ending in ".COM" which contains the viral code. The virus may place this
file in the same directory or in another directory on your DOS path. Here's what
happens. Let's say a companion virus is executing (resident) on your PC and
decides it's time to infect a file. It looks around and happens to find a file
called "WP.EXE". It now creates a file called "WP.COM" containing the virus. If
you type "WP" and hit enter, DOS will execute "WP.COM" instead of "WP.EXE". The
virus executes, possibly infecting more files and then loads and executes
"WP.EXE". The user probably doesn't notice anything wrong. This type of virus is
fortunately easy to detect by the presence of the extra files. There are some
instances where it is normal to have both ".COM" and ".EXE" files of the same
name (such as DOS 5's DOSSHELL) but this is relatively rare. It is also possible
for a virus to plant either .COM or .EXE files for existing .BAT files, but this
is unlikely to be an effective strategy. If you use the NDOS or 4DOS COMMAND.COM
replacement, there is a further risk of a virus planting .BTM files.
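
The extra-file check described above can be automated. The following is an added example, not code from the original page or from Integrity Master; it assumes the directories are supplied in DOS search order, and the function names, sample directory names and the allow-list of legitimate pairs are illustrative. It goes slightly beyond the WP example by also reporting a .COM or .EXE file that hides a .BAT file.

```python
import os
import tempfile

# Order in which DOS tries extensions when you type a bare command name.
DOS_ORDER = (".COM", ".EXE", ".BAT")

def find_companions(path_dirs, known_pairs=()):
    """path_dirs: directories in DOS search order (current directory first).
    Returns (file_that_runs, [files_it_hides]) for each base name where the
    file DOS would run has a higher-priority extension than a same-named one."""
    seen = {}  # base name -> [(directory index, extension rank, full path)]
    for d_idx, directory in enumerate(path_dirs):
        try:
            names = os.listdir(directory)
        except OSError:
            continue  # path entry missing or unreadable
        for name in names:
            base, ext = os.path.splitext(name.upper())
            if ext in DOS_ORDER:
                entry = (d_idx, DOS_ORDER.index(ext), os.path.join(directory, name))
                seen.setdefault(base, []).append(entry)
    findings = []
    for base, hits in sorted(seen.items()):
        hits.sort()  # earliest directory wins, then .COM before .EXE before .BAT
        _, win_rank, winner = hits[0]
        hidden = [path for _, rank, path in hits[1:] if rank > win_rank]
        if hidden and base not in known_pairs:
            findings.append((winner, hidden))
    return findings

def demo():
    """Constructed sample tree: a WP.COM sits earlier on the path than WP.EXE."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"UTIL": ["WP.COM"], "WP51": ["WP.EXE"],
                  "DOS": ["DOSSHELL.COM", "DOSSHELL.EXE", "FORMAT.COM"]}
        for directory, files in layout.items():
            os.mkdir(os.path.join(root, directory))
            for name in files:
                open(os.path.join(root, directory, name), "wb").close()
        search_order = [os.path.join(root, d) for d in ("UTIL", "WP51", "DOS")]
        return find_companions(search_order, known_pairs={"DOSSHELL"})

if __name__ == "__main__":
    for winner, hidden in demo():
        print("runs:", winner, "hides:", ", ".join(hidden))
```
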
You Can Get a Virus From Data?
Since data is not executed, you cannot become infected from
data. Some of the pro-virus kiddies love to scare people by perpetuating myths
that data or email can transmit viruses (See the Good Times Virus Hoax). If someone
sent you a data file that contained a virus, you would have to rename the file
and then execute it to become infected!
Since Microsoft Word users can receive viruses inside what appear to be
document files, they can become infected from a document sent by email or from
the Web. (See information on Macro Viruses.) The infection can only happen when you start MS Word on your
computer, so if you use MS Word, it's important to configure your web browser
or mail reader not to launch MS Word automatically for .DOC files.
(Make sure your web browser does not launch any MS Office applications for
any file you receive over the web or via email. All MS Office applications
contain a macro language that allows these files to contain programs that are
automatically executed when you open the file; viruses currently exist for
MS Word, Excel, MS Access and MS PowerPoint.)
Viruses From Data Diskettes?
Data files can't infect you, but you can become infected
from a diskette that is not bootable and contains no (apparent) programs. The
explanation for this is that all diskettes have a boot sector which contains a
program that can become infected by a boot sector virus. If you
leave such an infected diskette in your drive when you power up or boot, your PC
will be infected! This is how most viruses spread. You will see the typical
"Non-system disk or disk error" message but the virus will have infected your
PC.
Can You Get a
Virus From Web Cookies?
Cookies are data files that some web sites will
store on your disk. Since they are not executed, there is no threat from them
beyond wasting some disk space. In spite of claims that some vendors make
regarding cookies, there is no reason to scan your Cookies for viruses. Read
more about whether Cookies pose a
threat to your PC.
You Can Get a Virus From Graphic files?
Graphic files (such as *.JPG or *.GIF files)
contain images; they are not executed but rather simply displayed. They are data
files and as such pose no threat from viruses. Be careful, though: we have seen
postings of graphic files that contain an included viewer program. This program
can easily be infected and should be carefully checked for viruses before
executing. Read more about whether Graphic files pose a threat to your
PC.
A Virus Can Infect CMOS Memory?
PC AT (Intel 80286) type computers and later models
contain a small amount of battery backed CMOS memory to store configuration
information and to maintain the time and date. This memory is never executed, so
although it could be damaged by a virus, you can never become infected from CMOS
memory. Viruses, buggy programs, or a failing battery may damage this data so
it's vital to be able to check it and to be able to restore it in the event that
something goes wrong. If your CMOS data is corrupted you may be unable to access
your disk drives or boot your PC. Our product, Integrity Master, checks and, if
necessary, reloads this data. Beware though, many CMOS programs only handle the
older 64 byte standard AT CMOS. Be sure to check that your program can handle
the new larger CMOS memories found on almost all newer PCs made since 1992.
You Can Fool Viruses by Hiding COMMAND.COM?
COMMAND.COM is a program that executes each
time you boot your PC. There was an early virus that only infected COMMAND.COM
so the idea of hiding or renaming this file began. Today many viruses actually
go out of their way to avoid infecting this file, since some anti-virus products
single out this file and a few others for special scrutiny. With today's
viruses, hiding COMMAND.COM is utterly futile.
You Can Detect Viruses by Checking File Size or Time and Date Stamps?
While it's helpful to
check the file size or the time and date stamps of your executable files for
unexpected changes, this is not a reliable way to catch viruses. Many viruses
are smart enough not to change the time and date stamps when they infect a file.
Some viruses even hide the change to a file's size when they infect a file.
There Are Simple "Cures" to the Virus Problem?
Many products make claims which they can't
support. Everyone would like to just buy product X, run it, and be rid of
viruses forever. Unfortunately there is no such easy cure. It's important to
understand how your anti-virus software works and to understand its weaknesses.
You can't simply run a program and be safe from viruses; it's important to
understand what risks you face and how your software protects (or doesn't
protect) you.
Write-Protecting Your Files Prevents Viruses?
You can use the DOS ATTRIB command to set the
read only bit on files. This is so easy for a virus (or any program) to bypass,
that it simply causes more problems than it cures. This is also true on
networks. However, on networks you can set the file access rights to execute-only
or read-only. This does work and will prevent the files from becoming infected
from another workstation on the network. (Please note that we are talking about
access rights, not file attributes, here; the distinction is vital.)
You're Safe by Running Only Retail Software?
Several "virus experts" have suggested that
users avoid downloading software and avoid shareware. There are no facts to
support this! The most common viruses are boot sector viruses that
spread when someone boots from an infected disk. To spread boot sector viruses,
a physical disk must be passed around and then booted. Michelangelo spread
widely because software distribution disks were infected with this virus. There
was no reported incident of this virus spreading via shareware. It is, of
course, wise to make sure that you download your software from a source that
screens each program for known viruses. Quite a few viruses have been shipped
directly from the software manufacturer in the shrink wrapped packages. One
major software company has on at least two separate occasions shipped a virus
with their product. Buying shrink wrapped retail software is much more dangerous
than many people think it is, since some retailers accept returned software and
then simply rewrap the software and sell it again. This software could have
easily been infected by the first user who tried it and then returned it.
You Can Write-protect Your Hard Disk?
There are several programs that claim to
write-protect your hard disk. Since this is done in software, it can be bypassed
by a virus. This technique, however, will stop some viruses and will protect
your disk from someone inadvertently writing to it.
It IS possible to write-protect a disk using hardware, but this technology
does not seem to be readily available.
While write-protecting your files and your hard disk are of questionable value, you
definitely CAN write-protect your floppy disks. Just cover the notch on the 5.25
inch diskettes, or on 3.5 inch diskettes slide the little tab to expose the
hole. The only risk here is that some diskette drives may be defective and still
allow writing on the diskette. If in doubt, do a test and check out your drive.
Viruses Are The Most Serious Threat to Your Data?
As I mentioned in the Introduction to viruses, viruses
are among the less likely threats that you face. Problems such as bugs and
conflicts with resident software (especially disk caches!) are much more likely
to damage your programs and data than viruses.
"Safe Hex" is the Solution to Viruses?
You may have heard this rumor: "You don't need an
anti-virus product, just backup your disk regularly and keep an eye on your
programs." Yes, it is vital to have good backups, but that is no longer enough.
You may also have heard that provided you don't share programs or download
(practice "safe hex"), you have nothing to worry about. This is no longer
sufficient protection; every time you buy a software package you are exposing
yourself to potential virus infection. It is not possible to be safe from
viruses by secluding your PC! There are now some very sophisticated viruses that
can do substantial damage. Although they may not be very likely to attack your
system when compared to other threats, they do represent a very real and very
dangerous threat -- a threat you cannot ignore or combat merely with good
backups, seclusion or common sense.
Software Is Useless Against Viruses?
Maybe we should just surrender to viruses and wait
for a fool-proof hardware solution? It is true that certain types of
software can allow viruses to spread; scanners will miss new viruses written
after the scanner was released and no program can actually stop a virus once it
is executing on your PC. Viruses can defeat any software defense -- right?
Wrong! The viruses are playing on your turf, so you have an advantage. All
viruses must change something on your PC in order to infect it. These changes
can be detected even if the virus is not known. A virus can attempt to hide
these changes by using stealth techniques to intercept attempts to read the disk
but in that case the virus can be detected because of its presence in your PC's
memory. A virus will always betray itself in the memory, system sectors, or
executable files. There is no way a virus can hide from a full integrity check.
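
Why a content check catches what file size and date stamps miss, and why a change is detectable even when the virus is unknown: an added example, not part of the original page and not Integrity Master's method. SHA-256, the extension list and all function and file names are assumptions chosen for illustration.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = (".COM", ".EXE", ".SYS", ".BIN", ".BAT")  # illustrative list

def record(path):
    """What a size/date check sees, plus a SHA-256 of the contents."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"size": st.st_size, "mtime": st.st_mtime_ns, "sha256": digest}

def build_baseline(root):
    """Record every executable-type file under root, keyed by relative path."""
    baseline = {}
    for folder, _, names in os.walk(root):
        for name in names:
            if name.upper().endswith(EXECUTABLE_EXTS):
                full = os.path.join(folder, name)
                baseline[os.path.relpath(full, root)] = record(full)
    return baseline

def check(baseline, root):
    """Compare the tree against the baseline; list the fields that changed."""
    current = build_baseline(root)
    changed = {p: [k for k in rec if rec[k] != current[p][k]]
               for p, rec in baseline.items() if p in current and rec != current[p]}
    return {"changed": changed,
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}

def demo():
    """Constructed case: same-length overwrite with the old timestamps put back."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "PROGRAM.EXE")
        with open(target, "wb") as fh:
            fh.write(b"MZ" + bytes(510))          # stand-in for a program file
        baseline = build_baseline(root)
        before = os.stat(target)
        with open(target, "r+b") as fh:           # change 16 bytes in place
            fh.seek(100)
            fh.write(b"\xff" * 16)
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        open(os.path.join(root, "PROGRAM.COM"), "wb").close()  # new file appears
        return check(baseline, root)
```

A stealth virus that intercepts disk reads can hand this check the original bytes, which is why the text pairs checking files with checking memory.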
Copyright © 1994-1999 Stiller Research. Document Last Modified May 3, 1999