A: A computer virus may be loosely defined as program code that
replicates itself on execution and creates undesirable effects. Some antivirus
software vendors say that a computer virus is any program that replicates
itself. Others contend that a virus can be any ill-intentioned program.
In the absence of a precise definition, there is
consensus in one area: The likelihood that your PC will be hit by a
virus increases immeasurably if you access the Internet, swap software
with friends, exchange files via e-mail or are hooked up to a network.
Q. What does a virus do?
A. Virtually every virus tries to do one thing first: Spread
to other programs and data files on your hard disk. When you boot up from
an infected disk, open an infected file or run an infected program,
the virus's code is copied into your PC's memory. From there, the code
usually attempts to attach itself to other files. The rogue code may also
alter data-file contents, cause program crashes, display annoying screen
messages, degrade system performance or even destroy all of your disk
files. There are even viruses that can detect your e-mail program, and
then compose and send messages with infected attachments.
Q. Can a virus damage hardware?
A. The simple answer is no, not directly. Theoretically, your
hardware could be affected by a virus that exerts unusual stress
on your system by doing something like accessing the hard disk continuously
or switching your video card to unsupported settings. Realistically,
however, the risk of hardware damage from a virus is minimal.
Q. What kinds of viruses are out there?
A. In the past, virus experts classified pernicious code as viruses,
virus carriers, Trojans, bombs, hoaxes and urban legends. But distinguishing
viruses from other types of destructive programs is less useful than understanding
how a virus can gain entry to your PC, and the rules of that game have changed
radically. Not too long ago, a message on the Web declared that it's
a myth that viruses can hide inside a data file or in electronic
mail, or in the text of a Web page. Perhaps at that time it was, but today,
it's possible to conceal destructive code in all three places. And
you can't trust the intentions of programmers involved in such untrustworthy
activity: So-called benign "virus hoax" messages have been known
to go so far astray that they've brought Internet servers to their knees.
Q. What are the most common viruses?
A. According to statistics compiled by the National Computer
Security Association, 80 percent of the viruses currently reported
"in the wild" are Microsoft Word macro viruses, with the number of
known macro viruses growing from about 50 to more than 1,000 in the
past year. A macro virus lodges itself within the document or macro templates
used by certain applications, primarily Microsoft Word. Other members
of the rogues' gallery include:
Boot Sector Viruses.
These infect a diskette's or hard disk's boot sector, which is normally
read by the operating system at bootup or when the disk is accessed.
Typically, a boot sector virus spreads when an infected diskette is left
in the A: drive and the PC is rebooted. Boot sector viruses may interfere
with the startup process or destroy the disk's directory table.
File Viruses.
A file virus's code attaches itself to operating system executables
such as COMMAND.COM or WIN.COM. From there, the code may infect other
applications.
Multipartite Viruses.
Multipartites are distributed in one format and then transform to another.
They may, for example, begin by infecting the master boot record and then
move on to attack EXE or COM files.
Stealth Viruses.
A stealth virus disguises its presence in memory or on disk. A stealth
virus that has corrupted a drive's boot sector may intercept a request
from diagnostic utilities examining the boot sector and transmit a false
image of the original, uninfected boot record.
Polymorphic Viruses.
These viruses dynamically change their code as they spread from file
to file, making detection difficult.
As of this writing, WM.Concept, a Word macro virus, is believed to be the
most prevalent, followed by Form.A, a boot sector virus, and One Half.3544,
a multipartite boot sector virus that also infects COM and EXE files.
Q. What does a macro virus do?
A. A macro virus hides in an application's document template
or special macro file. The WordBasic language built into Microsoft
Word allows sophisticated formatting instructions to be executed automatically
within any Word document. WordBasic also permits direct access to operating
system controls, making it possible to create macros that can delete
files, reboot the system or even reformat an entire disk. Since only Word
template documents (usually files with a DOT extension) can contain macros,
virus programmers put their destructive code in a document template and
rename it with a DOC extension. When you open the infected file,
it loads into Word as its own style template. If the file contains
an AutoOpen macro, all of the macro instructions execute immediately. Destructive
instructions can then be copied to the global macro pool, stored in a template
called NORMAL.DOT. From there, the code can spread to other document templates
and ruin the format of other documents as you open them.
Q. I don't use Word, so I don't have to worry
about macro viruses, right?
A. For the most part, you're safe. But a few relatively rare macro
viruses that infect Microsoft Excel and Lotus Ami Pro have been discovered.
Q. I know diskettes can carry viruses. How else
can I catch one?
A. The popularity of file hunting on the Web, coupled with utilities that automatically download and unpack Zip archives or open e-mail attachments, can greatly increase the risk of virus infection.
If you download files from the Internet or receive e-mail messages with file attachments, you run the same risk of infection as you would copying those files from a diskette. The spread of Word macro viruses can be attributed largely to the increased flow of e-mail messages containing Word documents as file attachments. Simply double-clicking the message's document icon to open the file can infect all the Word templates on the hard disk.
If you use your browser to cruise the Web and just read text and look
at pictures, the chances of activating a process that will infect your
hard disk are very small. Still, Java apps and Microsoft's ActiveX
controls potentially offer malicious programmers new points of entry to
your computer via the Internet. These "hostile applets" can be embedded
in a Web page so that once your browser connects, they can inflict
damage similar to that of a true virus.
Q. How can I tell if my system is infected?
A. If you're not using an antivirus utility, virus code may be
lurking undetected on your hard disk. Some time-delayed viruses show
no signs of their presence until they manifest themselves at a particular
time or date. The most famous example, the Michelangelo virus, hides
in the boot sector and only pops up on March 6, the real Michelangelo's
birthday.
The best way to avoid virus infection is to install an antivirus utility and run frequent scans of your hard disk. But if your system is unprotected, there are some symptoms of virus activity to be on the lookout for.
Unusual system performance may indicate a virus is at work. Your system
may run more slowly than usual; programs may crash unexpectedly or
start exhibiting strange behavior (menus won't open, files can't be saved
and so forth). In the worst cases, directory listings may be garbled
or the system may refuse to start. Other symptoms to watch for include
changes in the file size or time and date signatures of common system programs.
If you notice any of those symptoms, stop using the PC and install and
run an antivirus program as soon as possible.
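An added example (not part of the original article): one way to watch for the file size and time-and-date changes described above is to record a baseline of key system programs and compare against it later. The file names, placeholder contents and function names below are constructed for the demonstration; a content hash is included because size and date alone can stay the same while the file changes.

```python
import hashlib
import os
import tempfile


def snapshot(paths):
    """Record size, modification time and SHA-256 for each file."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        baseline[path] = {"size": st.st_size, "mtime": st.st_mtime_ns, "sha256": digest}
    return baseline


def compare(baseline, current):
    """Return {path: [changed attributes]} for files that differ from the baseline."""
    findings = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings[path] = ["missing"]
            continue
        changed = [k for k in ("size", "mtime", "sha256") if old[k] != new[k]]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Constructed demo: two stand-in 'system programs' in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        cmd, win = (os.path.join(d, n) for n in ("COMMAND.COM", "WIN.COM"))
        for p in (cmd, win):
            with open(p, "wb") as fh:
                fh.write(b"\x90" * 512)  # constructed placeholder bytes, not a real binary
        base = snapshot([cmd, win])
        # Simulate extra bytes attached to one file while its date stays the same.
        old = os.stat(cmd)
        with open(cmd, "ab") as fh:
            fh.write(b"\x00" * 64)
        os.utime(cmd, ns=(old.st_atime_ns, old.st_mtime_ns))
        result = compare(base, snapshot([cmd, win]))
        return {os.path.basename(p): v for p, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the PC cannot modify it, such as a write-protected diskette, and take the comparison snapshot after booting from a known-clean disk.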
Q. How do I know if an antivirus program is a
good one?
A. Virtually all antivirus packages from established companies are now capable of detecting and expunging 90 to 100 percent of known viruses that currently exist in the wild. Norton AntiVirus 2.0, our WinList selection, is a good bet for protecting your system.
Most antivirus programs now include terminate-and-stay-resident utilities that intercept and block the copying or reception of infected files in real time. There are, however, some distinguishing factors. An antivirus program should be certified by the National Computer Security Association, which regularly tests and evaluates antivirus products.
The antivirus vendor should have an established history in the field. The most reliable products come from companies that have research facilities throughout the world. When you buy their products, you should get the benefits of up-to-the-minute virus lists and detection capabilities. Often, these companies post virus detection pattern updates on the Web so quickly that the virus is thwarted before it has a chance to spread.
Many antivirus utility vendors offer 24-hour disinfection turnaround on submitted virus samples that can't be removed by the current versions of their programs. Specific features of an antivirus package may be important considerations. Some users want disinfection routines that immediately purge detected viruses, no questions asked. Others will want software with more sophisticated disposition options, such as the ability to quarantine samples for later examination, create file exception lists for programmers and beta testers, perform heuristic tests that find unknown viruses or bypass heuristic analysis to scan faster.
If your PC is frequently connected to the Internet, you should use an
antivirus product that offers supplementary protection for Web browsers
and e-mail clients. An antivirus utility should be able to clean most infected
files, leaving your data intact. Some antivirus utilities can only erase
infected files from your hard disk. Easy updates are important. Some antivirus
programs can upgrade themselves automatically over the Internet.
Q. What basic preventive measures can I take
immediately?
A. Try these for starters:
Disable program features that automatically open e-mail attachments or launch downloaded program files.
Create an emergency boot disk for your PC and write-protect it.
If your PC has options for setting the system startup drive, set it to bypass the A: drive and boot directly from C:
Take advantage of Word 97's ability to disable all macros when opening a template.
Back up all of your Word template (DOT) files to an unused directory and change the file extensions. If you don't frequently create new macros for your documents, you may also turn on the read-only file attribute for each of your template files.
Keep your antivirus program up to date. A dozen or more new macro
viruses are reported to antivirus research facilities every day.
False Alarm!
Not long ago, an electronic book publisher circulated a warning for a dread virus called "Irina" to create publicity for an interactive book of the same name. The virus warning was, alas, a hoax, and the publicity was ill-gotten and quite unfavorable.
You may have received similar e-mail announcements that post dire warnings. They're fairly common, and they generally say that as you read the message, a hidden virus is fiddling with your favorite programs or rendering your data files unreadable. These "hoax" virus alerts may be amusing to sophisticated users, often carrying ridiculous threats like your serial port pinouts are being changed or the rotation of your hard disk has been reversed.
But virus hoaxes, even those that are only intended to be humorous, can be as frightening and disruptive as the real thing. Sometimes, even experts may have difficulty separating fact from fantasy. It's always better to be safe than sorry, so if you receive a virus warning, here are several ways to determine its authenticity:
If a message urges you to pass it along to your friends, don't. It could contain a virus.
If you receive a virus alert claiming to be from an official government or research organization, examine the PGP signature on the message. If there is no PGP signature, it's probably a hoax.
Contact the person alleged to have sent the message to see if the signature is genuine.
Check the Web before investing time and energy responding to "new,
deadly virus" announcements. All major antivirus vendors maintain "hype
alert" sections at their Web sites. Be sure to check out the "Computer
Virus Myths" site at http://kumite.com/myths/, an extensive history of
computer-virus urban legends.