Friday, January 8, 2016

Virus Detection and Protection

Viruses are nasty pieces of software that have taken on the characteristics of an infectious disease, spreading germs that infect unsuspecting and unprotected PCs.

Remember: The following characteristics define a computer virus:

• A virus attaches itself to another piece of programming code in memory, on a floppy disk, or on a downloaded file, or it has the form of an executable file and runs when opened on the target system.

• A virus replicates itself and infects other systems, propagating itself from one computer to another.

Horses, worms, and germs

Not all viruses do catastrophic damage to a system. Many viruses are just nuisances or pranks, playing music, simulating system meltdowns, or displaying misinformation during the system boot. Viruses that are malicious can and do cause considerable damage in the form of lost data.

Instant Answer: Many different types of programs are classified as viruses, including many that aren't actually viruses:

• Trojan horse: Based on Greek mythology. Like the gift horse that hid the attacking army, the viral Trojan horse hides a virus program by imitating or camouflaging itself as a legitimate application. When executed, it springs the virus, often creating other Trojan horses to avoid detection.

• Worm: A self-contained program that spreads itself to other systems, usually over a network connection. Worms create many different nasty effects when they run.

• Virus impostor or gag programs: Demented jokes created by programmers with not enough to do, obviously. These programs simulate the effects of a virus, scaring users into believing that they've been infected. It's not unusual for users to hear the truth from the jokester about halfway through the apparent reformatting of their hard disk.

Also keep in mind that some of the nastiest viruses are not viruses at all. Virus hoaxes spread through the rumor mill (especially on the Internet) and tell of untold horrors that will happen at 13 minutes after midnight on the day the creator of a certain candy bar was born, or something like that. Before it gets started, I just made that one up.

Viruses and how they spread

Computer viruses are a form of electronic warfare developed solely to cause human misery. The evil, sick, and talented minds that develop computer viruses would like nothing better than to have your boot sectors catch cold or have your disk drives develop dysentery.

Five major virus classes exist, each with many subclasses:

• Remember: Boot sector viruses (system viruses): These viruses target the boot program on every bootable floppy disk or hard disk. By attaching itself to the boot sector program, a virus of this class is guaranteed to run whenever the computer starts up. Boot sector viruses spread mostly by jumping from disk to disk.

• File viruses: File viruses modify program files, such as .exe or .com files. Whenever the infected program executes, the virus also executes and does its nastiness. File viruses spread by infected floppy disks, networks, and the Internet.

• Macro viruses: The newest general class of virus, macro viruses take advantage of the built-in macro programming languages of application programs such as Microsoft Word and Microsoft Excel. Macro languages allow users to create macros, script-like programs that automate formatting, data entry, or frequently repeated tasks. A macro virus, most commonly found in Microsoft Word documents, can cause as much damage as other viruses and can spread by jumping from an opened document to other documents.

• BIOS program viruses: This type of virus attacks flash BIOS programs by overwriting the system BIOS program and leaving the PC unbootable.

• E-mail viruses: The latest trend in viruses and the ones getting most of the press these days. The Melissa virus was an e-mail virus that spread by e-mailing itself from one computer to another using the PC's e-mail address book.

Because a virus is a program, it can only infect programs. A virus can't hide anywhere that it doesn't blend into the scenery. Viruses that infect graphic files, e-mail, or text files are just myths. It would be like trying to hide a bright red ball among bright white balls. However, viruses can be attached to text files or e-mail and transmitted or copied to a new host system.

Playing hide and seek with viruses

As virus detection software becomes more sophisticated, so do the viruses. Most antivirus software works by recognizing a predefined pattern of characters unique to an individual virus, a sort of fingerprint, called its signature. As viruses get more devious, they include new ways to elude the virus detectors. These tricks, as a group, are called cloaking.

Some of the cloaking techniques used are the following:

• Polymorphing: Allows viruses to change their appearance, signature, and size each time they infect a system.

• Stealth virus: Hides its damage in such a way that everything appears normal.

• Directory virus: Hides itself by lying. It changes a directory entry to point to itself instead of the files it is replacing. No actual change is made to the affected files, and they appear normal on directory lists and in Windows Explorer lists, which allows the virus to avoid detection.

Combating viruses

Viruses manifest themselves on a PC in a wide variety of ways, including spontaneous system reboots; system crashes; application crashes; sound card or speaker problems; distorted, misshapen, or missing video on the monitor; corrupted or missing data from disk files; disappearing disk partitions; or boot disks that won't boot.

In spite of the efforts of the virus developers, the best defense against virus infection is antivirus software, also called scanners or inoculators. Don't you just love all this medical talk?

Here are the general types of antivirus software in use today:

• Remember: Virus scanner software: This run-on-demand software scans the contents of memory and the disk drive, directories, and files that the user wants to check. This type of software is the most common form of antivirus program.

• Memory-resident scanner software: This kind of scanner stays in memory, automatically checking the environment, including incoming e-mail and browser documents, for viruses.

• Behavior-based detectors: A more sophisticated form of memory-resident scanner, a behavior-based detector looks for suspicious behavior typical of virus programs. Some stereotyping is involved, and some good processes may be interrupted, but safe is better than sorry.

• Startup scan antivirus software: This software runs when the PC boots and does a quick scan of boot sectors and essential files to detect boot sector viruses before the PC boots up.
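The startup scan described above can be modelled as an integrity check of the boot sector: verify the 0x55AA boot signature and compare a hash of the boot code region against a baseline recorded while the disk was known to be clean, so that a boot sector virus that rewrites the loader shows up as a hash mismatch. This is an added example, not code from the original post; the 512-byte sector images are constructed here and the classic MBR layout (boot code, 64-byte partition table, 0x55AA) is assumed.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_END = 446        # bytes 0..445: loader code (plus disk signature) on a classic MBR
PARTITION_TABLE_END = 510  # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511: the BIOS bootable marker


def make_boot_sector(code: bytes, table: bytes = b"\x00" * 64) -> bytes:
    """Build a constructed 512-byte MBR image: boot code, partition table, 0x55AA."""
    if len(code) > BOOT_CODE_END or len(table) != 64:
        raise ValueError("boot code too long or partition table not 64 bytes")
    return code.ljust(BOOT_CODE_END, b"\x00") + table + BOOT_SIGNATURE


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code region only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def check_boot_sector(sector: bytes, baseline_hash: str) -> list[str]:
    """Return findings for one sector; an empty list means it matches the clean baseline."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append(f"unexpected sector length {len(sector)}")
        return findings
    if sector[PARTITION_TABLE_END:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature: sector is not bootable")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from clean baseline: possible boot sector virus")
    return findings


# Constructed samples: a clean loader stub recorded as the baseline, and the same
# sector after its loader has been replaced (what a boot sector virus does).
CLEAN_SECTOR = make_boot_sector(b"\xfa\x33\xc0\x8e\xd0" + b"constructed clean loader stub")
BASELINE = boot_code_hash(CLEAN_SECTOR)
MODIFIED_SECTOR = make_boot_sector(b"\xeb\x3c\x90" + b"constructed replacement loader")

if __name__ == "__main__":
    print("clean:   ", check_boot_sector(CLEAN_SECTOR, BASELINE))
    print("modified:", check_boot_sector(MODIFIED_SECTOR, BASELINE))
```

On a real system the sector would be read from the raw disk device and the baseline stored off the disk being checked, so the virus cannot rewrite both.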

Most antivirus software uses a database of virus profiles and signatures for reference, commonly referred to as DAT (short for data or database) files. This database should be updated frequently; most antivirus packages include a provision for a set number or an unlimited number of updates.

Remember: Keep in mind that not all detected viruses are viruses. On occasion, what may look like a virus to the virus scanner may be an innocent look-alike program or data file. This detection of the look-alike is called a false positive. Before you don your surgical robes and glove up, investigate the virus to find out more about it: how it works and what damage it does. This investigating may save you from removing an important file from a customer's PC because you suspected it to be a virus. Don't get me wrong; most scanner alarms are for viruses, but proceed with caution, especially on a customer's machine.
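The signature scanner, the DAT update, and the false-positive handling described above, as an added example that is not part of the original post. The signature database, the sample "files", and the signature names are all constructed for this demonstration and match no real virus; the trusted-file list is keyed by the file's hash so that one reviewed look-alike is excused without weakening the signature for everything else.

```python
import hashlib
import re

# Constructed "DAT" database: signature name -> byte pattern (the "fingerprint").
SIGNATURE_DB = {
    "Demo.File.A": rb"DEMO-VIRUS-A\x90\x90\xcc",
    "Demo.Macro.B": rb"Sub AutoOpen\(\)[\s\S]{0,64}DEMO-MACRO-B",
}

# Hashes of files that raised an alarm but that investigation showed to be innocent
# look-alikes (false positives). One hash excuses exactly one reviewed file.
KNOWN_GOOD_SHA256: set[str] = set()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_bytes(data: bytes, db=SIGNATURE_DB, known_good=KNOWN_GOOD_SHA256) -> dict:
    """Scan one file's contents against every signature in the database."""
    digest = sha256(data)
    hits = [name for name, pattern in db.items() if re.search(pattern, data)]
    if not hits:
        verdict = "clean"
    elif digest in known_good:
        verdict = "false-positive"   # same bytes, but a reviewed and trusted file
    else:
        verdict = "infected"
    return {"sha256": digest, "hits": hits, "verdict": verdict}


def update_dat(db: dict, name: str, pattern: bytes) -> None:
    """The DAT update: add a signature for a newly analysed sample."""
    db[name] = pattern


def mark_known_good(data: bytes, known_good=KNOWN_GOOD_SHA256) -> str:
    """After investigating an alarm, record that exact file as trusted."""
    digest = sha256(data)
    known_good.add(digest)
    return digest


# Constructed sample "files": plain bytes, nothing in them is executable.
INFECTED = b"MZ\x90\x00program body...DEMO-VIRUS-A\x90\x90\xcc...rest of file"
VARIANT = b"MZ\x90\x00program body...DEMO-VIRUS-A2\x90\x90\xcc...rest of file"
MACRO_DOC = b"Sub AutoOpen()\n  ' constructed document macro\n  DEMO-MACRO-B\nEnd Sub"
LOOKALIKE = b"Analyst notes: the sample contains DEMO-VIRUS-A\x90\x90\xcc at offset 24"
CLEAN = b"MZ\x90\x00an ordinary program with no matching bytes"

if __name__ == "__main__":
    for label, sample in [("infected", INFECTED), ("variant", VARIANT), ("macro", MACRO_DOC),
                          ("lookalike", LOOKALIKE), ("clean", CLEAN)]:
        print(label, scan_bytes(sample))
```

The VARIANT sample shows the limit of a fixed signature: its bytes differ from the recorded pattern, so it stays "clean" until the DAT is updated with a signature written for it.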
