AVOID VIRUS INFECTIONS
Tips from the Geekman - Gary Goodman
For the purposes of this discussion, I would like to point out three main types of viruses.

1) A traditional virus, such as a boot sector virus or an executable file. This is the type most resembling a human virus, which is a non-living fragment of DNA code that hijacks cells in the body and turns them into virus factories, and then looks for new hosts to spread to.

A boot sector virus is a tiny bit of code that usually arrives in the form of a floppy disk with an infected boot sector. Merely reading the contents of the disk transfers the virus to the boot sector of the hard drive, which in turn can infect more floppy disks or wipe out the hard drive. It may embed itself in the boot sector code, or it may replace the boot sector code with itself and move the boot sector information to another part of the hard drive, thereby causing itself to run the moment the hard drive is accessed at startup. Some of these can hide in memory and then write themselves back to the hard drive at shutdown, which is why virus scanners test memory first. ("Memory" means the electronic "scratch pad" chips that the computer uses to work. Anything in memory disappears when the power goes off.)

An executable virus is an executable program that either is a virus or contains a virus embedded inside it. It would have a file extension of EXE or COM or PIF or SCR. They frequently arrive with a doubled file extension so as to appear as a "safe" file, such as something.TXT.exe. An executable virus can also launch a boot sector virus or overwrite the boot sector or the partition table, essentially erasing the hard drive. Note that a Script virus (below) normally relies on a hidden VBS extension, but that extension can be unhidden by the instructions on Page 2. I read about one dangerous file extension that stays hidden in Windows even when that "Hide" option is disabled: the SHS extension (Scrap object) used by the VBS/Stages.A virus.
The subject of such an email can be one of the following: Life stages, Funny Jokes, with the content saying something about "The male and female stages of life". The majority of users will see only an attachment with the harmless-looking name LIFE_STAGES.TXT. Part of the trick here is that the attachment will open to reveal the (dumb) joke. For this reason, I will include a special note on how to unhide that extension manually on Page 2.

Some of these replace critical system files with themselves, or embed some programming code inside the file to run every time the file is launched, thereby hiding. Antivirus software can usually clean the file and remove the code, but not always. CIH is one example of a powerful and "deadly" virus that can wipe out the hard drive and in some cases the system board. I fixed this recently on someone's computer where it had taken over or replaced the system "shell", Explorer.EXE, which is what makes the Windows Desktop appear and generally runs the user interface. At this point I must disclaim that the details are quite complex, so I won't vouch for complete technical accuracy with the terminology and details, nor will I engage in irrelevant attempts at technical accuracy that would serve only to confuse the average user. This should serve as a good general overview.
Executable and Boot Sector types are the most challenging to design; they require someone actually skilled in writing programs in assembly language or at least C++, and they use various schemes to hide out or even morph their own code to avoid detection. This morphing (a polymorphic virus) is similar to how HIV, the AIDS virus, is able to defeat scientists by continually changing and evolving its outer protein structure so that antibodies and medicine cannot lock on, and the body can't keep up with its changes. The CIH virus will attempt to write to the system BIOS (Basic Input-Output System) chip on the motherboard, but recent motherboards with a Flash BIOS are usually now protected in some way such that writing to them requires overcoming certain barriers like code verification and human interaction, or even physically moving a jumper on the motherboard.

Typically, people are lured into launching an Executable file of this type (or using an untested floppy disk) by being led to believe it's a benign or a 'fun' program. Many of these therefore arrive as a "Trojan Horse", a benign gift with a nasty payload inside, if you know the story of the Trojan Horse. One partial exception is when a "script virus" (explained later) was somehow launched and that launched another virus, or opened a hole for a remote virus to be secretly and surreptitiously installed. A Trojan Horse would NOT include files that are NOT executables, like JPG or GIF or BMP pictures, AVI movies, MPG movies, RAM Real Player streams, WAV sounds, MP3 or M3U sounds, TXT text files, PDF Adobe Acrobat files, WRI and RTF rich text format documents, ZIP compressed containers (not necessarily ZIP contents), and URL web links, if you're otherwise patched. As of today, all these are safe to open.
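As an added illustration (not the author's code), here is a small Python checker that applies the article's rule of thumb: judge an attachment by its real, last extension, not the decoy in front of it. It models how the Windows "hide extensions" option (and the always-hidden SHS scrap type the article mentions) masks what the user sees, and flags the something.TXT.exe trick. The extension lists are taken from the article and are not exhaustive; the sample names are constructed.

```python
import os

# Extensions the article names as able to run code (executable, script, scrap
# object). Constructed from the article's list; not exhaustive.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "vbs", "shs"}
# Extensions the article lists as safe to open on a patched system.
DATA_EXTS = {"jpg", "gif", "bmp", "avi", "mpg", "ram", "wav", "mp3", "m3u",
             "txt", "pdf", "wri", "rtf", "zip", "url"}

def displayed_name(filename, hide_known=True):
    # Approximate what Explorer shows: with "Hide file extensions for known
    # file types" on, the last extension is dropped; per the article, SHS
    # stays hidden even when that option is off.
    base, ext = os.path.splitext(filename)
    ext = ext.lstrip(".").lower()
    if ext == "shs" or (hide_known and ext in EXECUTABLE_EXTS | DATA_EXTS):
        return base
    return filename

def classify_attachment(filename):
    # Judge by the real (last) extension and note a decoy data extension in
    # front of it, the something.TXT.exe trick the article describes.
    parts = filename.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    decoy_ext = parts[-2] if len(parts) > 2 else ""
    if real_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    elif real_ext in DATA_EXTS:
        verdict = "data"
    else:
        verdict = "unknown"
    shown = displayed_name(filename)
    return {
        "real_ext": real_ext,
        "displayed": shown,
        "verdict": verdict,
        "extension_hidden": shown != filename,
        "double_extension_trick": verdict == "executable" and decoy_ext in DATA_EXTS,
    }

def flag_suspicious(names):
    # Names to detach and scan rather than open: anything not plain data.
    return [n for n in names if classify_attachment(n)["verdict"] != "data"]

if __name__ == "__main__":
    # Constructed sample names, including the article's own examples.
    samples = ["LIFE_STAGES.TXT.shs", "something.TXT.exe", "photo.jpg", "README"]
    for name in samples:
        print(name, classify_attachment(name))
    print("flagged:", flag_suspicious(samples))
```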
Any program that is not an executable and cannot run a script or macro (explained later) should be considered safe; note however that even Windows Media Player needs to be updated + patched, because a vulnerability was discovered in that program. A neutral opinion on Microsoft is that by adding more and more user-friendly, gimmicky and advanced features to their software, they also add potential vulnerabilities that are later discovered. It's a tradeoff. As some people have quipped, if you want to be 100% safe, unplug your computer and don't turn it on. An HTML WebPage file could not infect you by itself, but it could try to run a dangerous script if your computer isn't updated + patched. This SCAM infection is fairly easy to avoid. Don't launch an unknown Program that someone sends you without at least detaching it and scanning it first. Scan floppy disks. Scan a CD if you think a file on it could be infected. Chances are strong you will be safe. Many years ago I inserted a Windows 95 installation floppy disk at work that contained a boot virus. According to my peer, one batch of these disks was infected at the factory when they were made; however, I have not verified this rumor. Today, any software vendor worth their salt is safe. I have not heard whether a bootable CD could contain a boot sector virus, so I'll update that information later, but it sounds possible since they are created from bootable floppy disks, so scan them if you suspect one. These traditional viruses seem not as prevalent because
2) A worm virus, such as Code Red and NIMDA of 2001. These two viruses are called Worms. Some versions of this worm use a security hole in the Internet Explorer application (IFRAME). They show up on antivirus scanners as W32 types, like W32.Nimda.A@mm. NIMDA's primary trick involved a security hole in Microsoft's Internet Information Service, a "mini" personal web server, plus full-fledged web servers, and a MIME exploit. Known vulnerabilities have been corrected by free patches and updates from Microsoft. Once the IIS web service was hijacked, the worm would then use that computer to quietly launch probes looking for more victims. If this server actually served WebPages, then anyone accessing those WebPages would be infected. Many actual Web Servers were fixed before they were compromised, but certainly in the whole world many were missed. NIMDA also shared all hard drives with full access, and some versions reported information back to some remote computer, opening up a security hole for other infections and exploits. It was actually a very interesting and creative monster.
Here's one related tip: NIMDA also exploited TFTP - Trivial File Transfer Protocol - and that is not used anymore (people use FTP but not TFTP), so search your hard drive for *TFTP*.* and delete (both) TFTP.EXE. It will stay in your Recycle Bin for a while anyhow, but trust me, you don't need it. NIMDA would also probe for Shared Folders with full read-write access. If the shared folder was the "root" of the hard drive [C:], and it had no security configured, a computer that could freely access that network could write to the entire hard drive. If the Shared folder was directly accessible over the Internet, it was an easy target. Web servers are inherently potentially insecure, open to requests from anonymous users, unless locked down and monitored by a knowledgeable system administrator. Microsoft had released security updates to fix the vulnerabilities, but not everyone was diligent enough to apply the fix in time. Laptops at work were running demos of monitoring software that reported manufacturing data in real time, and that software required IIS (Internet Info Server) to work. The (often remotely assigned) sales people were not systems administrators, and thus their Laptops did not get patched or updated. As you can imagine.... These worms required no interaction from the user to launch -- it was lack of diligent interaction that caused the problem to multiply.
3) A Script or Macro virus is not a traditional "virus" per se, but it does exploit Windows and takes over your computer. These are the most common now, because they are relatively easy to write. Windows Internet Explorer and Outlook and Outlook Express all allow some scripts to run by default. The system is supposed to prevent anything powerful enough to break your system from running without your express permission.
Many WebSites serving standard HTML language also embed some form of scripting, legitimately and beneficially. Web-based scripting is supposed to be restricted to doing only "Web-related" things, such as displaying a Page. Javascript, J-script and Visual Basic Script embedded in a WebPage (or Email) are supposed to be restricted so as not to allow any type of harmful access. So, here's another quick tip: If you're not in a corporate environment, go to Add-Remove Programs in the Control Panel, and the [Windows Setup] tab, and remove Windows Script Host, if that's installed. WebPages will still run safe, restricted scripted commands, but if you or someone else accidentally launches a WSH file, it won't be able to run. Similarly, Microsoft Office applications can run Macro code to improve productivity. That's just fairly simple Visual Basic commands embedded in a Document. I have created Macros in Microsoft Word and Excel for myself, like to apply a color to a cell, or open a specific document via a key combination or a custom button. A Macro can be written to do more powerful and negative things too. Unfortunately, the computer by itself is too dumb to know if a Macro embedded in a document is friendly or fatal, only that it exists (if Macro Warnings are enabled).
So the most common issues are three-fold: The most common is the Scam method -- social engineering -- getting the recipient to launch the attachment. The "I Love You" virus thrived on innocence or gullibility, and insufficient technical knowledge to recognize the potential danger of launching a MS Word Document with no leading information (just a 'come on'). But that's not qualitatively different from any other non-computer scam.
As system weaknesses and security holes are discovered or reported in the world, Microsoft makes corrections and releases fixes, but it seems that the average person rarely applies them, and ignores the Windows Update icon on their menu. Microsoft and other parties also publish suggestions on the Web for modifying default settings (typically wide-open for maximum utility) for more security.
In conclusion (of this overview), it is fairly simple to avoid most of these types of infections, by

On the other hand, your computer experience might be hampered if you are afraid to launch any kind of file, even a legitimate download from a legitimate WebSite that writes software. If you are uninformed, you might fear a free program, like SetTime (http://www.p-squared.com) by Pete Pinter, that updates my clock to match a Navy time server, yet install a program like Gator or AudioGalaxy (which are not viruses but are a form of "surfing spyware"). You might delete all Email with attachments without cause, but leave your default Email settings vulnerable.
Gary Goodman 330 733 3518 Geekman1@Geekman1.com http://www.geekman1.com/ 12-03-2002