Avoiding Computer Viruses

The number of viruses being developed each day is astounding, and with the advent of the Internet, the ability of these new viruses to spread to your system is causing great concern. Computer viruses can range from simply annoying ones to downright deadly ones. They can infect your system and destroy programs, data, and even hardware on your computer workstations. Knowing what type of damage viruses can do to your systems and how to protect your systems from these attacks is one of the many things a support professional must keep in mind at all times.

In this article, we'll examine the types of viruses that can infect your systems. Then, we'll take a look at a few antivirus packages that you can use to protect your system.

Types of viruses

The thousands of computer viruses that can infect your workstations fall into several major categories:

Executable viruses

An executable virus infects your files by attaching itself to your EXE and COM files when you launch them. The virus finds information in the executable file's header, which indicates the length of the file and other vital information. (The file header is located at the end of an EXE file and at the beginning of a COM file.) Once attached, executable viruses corrupt the header, either preventing the file from working or redirecting it to run another command.

Because these viruses destroy the executable code of the infected program, you can easily identify them, delete the infected code, and reinstall the necessary program files. Some executable viruses seek out only EXE files, while others seek out only COM files. Table A lists some viruses that affect EXE and COM files.
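One practical defence against file-infecting viruses is an integrity check: record a hash of every program file while it is known to be clean, and compare each file's real size with the size its header declares. The Python script below is an added example written for this section; it is not code from the original article or from any product named here. The files it checks are constructed inside the script (a zero-filled MZ executable and a five-byte COM program), and it reads the two 512-byte page-count fields at offsets 2 and 4 of the MZ header to compute the declared length.

```python
import hashlib
import struct

# All sample files below are constructed for this example; none is a real program.
def make_sample_exe(length: int = 600) -> bytes:
    """Build a zero-filled MZ executable whose header declares `length` bytes.

    Offsets 2 and 4 of an MZ header hold e_cblp (bytes used in the last
    512-byte page) and e_cp (number of 512-byte pages), which together give
    the length the loader expects.
    """
    pages, remainder = divmod(length, 512)
    if remainder:
        pages += 1
    header = b"MZ" + struct.pack("<HH", remainder, pages)
    return header + b"\x00" * (length - len(header))


SAMPLE_FILES = {
    "GAME.EXE": make_sample_exe(),
    # A COM file has no header; this five-byte program just exits (mov ax,4C00h / int 21h).
    "HELLO.COM": b"\xb8\x00\x4c\xcd\x21",
}


def mz_header_info(data: bytes):
    """Return the declared and actual length of an MZ file, or None for non-MZ data."""
    if len(data) < 6 or data[:2] != b"MZ":
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    declared = e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp
    return {"declared_length": declared, "actual_length": len(data)}


def build_baseline(files: dict) -> dict:
    """Record a SHA-256 digest for every file while the files are known to be clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def check_files(files: dict, baseline: dict) -> list:
    """Report files whose digest no longer matches the baseline, or whose MZ
    header declares a length different from the file's real size."""
    findings = []
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif baseline[name] != digest:
            findings.append((name, "hash changed"))
        info = mz_header_info(data)
        if info and info["declared_length"] != info["actual_length"]:
            findings.append((name, "header length mismatch"))
    return findings


BASELINE = build_baseline(SAMPLE_FILES)

# Model a modified program: 100 bytes appended after the baseline was recorded.
MODIFIED_FILES = dict(SAMPLE_FILES)
MODIFIED_FILES["GAME.EXE"] = SAMPLE_FILES["GAME.EXE"] + b"\x00" * 100

if __name__ == "__main__":
    print("clean set:", check_files(SAMPLE_FILES, BASELINE))
    print("modified set:", check_files(MODIFIED_FILES, BASELINE))
```

A hash change is the reliable signal; the header-length comparison is only a prompt for a closer look, because some legitimate executables carry overlay data after the length their header declares. Keep the baseline on write-protected media, since a baseline stored on the same disk can be altered along with the programs it describes.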

Table A: Common Executable Viruses

Vacsina, Troi, Yankee Doodle, CD, AntiCad 256, Flash, Black Monday Leprosy, 1876, Viper, 3445, Rock, Stealth, Steady, AIDS II, Murphy, Spyder

Boot-sector viruses

Boot-sector viruses corrupt the boot sector by overwriting it with bad information, thus preventing your workstation from booting. These viruses usually activate when you read from or write to an infected disk.

Some boot-sector viruses copy the boot-sector information to another part of your hard disk and then overwrite the boot sector with their own bad code. When you reboot your workstation, the system BIOS executes the virus code from the boot sector, which in turn executes the boot-sector information it copied elsewhere on your drive. This means that you may not even notice you have a boot-sector virus until it's too late. Table B shows some of the more common boot-sector viruses.

Table B: Common Boot-Sector Viruses

Lezop, 1253, Liberty, AirCop, New Zealand, Spanish Trojan, Anthrax, SVC60, Beijing/Bloody, 12, Trackswap Filler, Trick Trojans

Partition-table viruses

A partition-table virus takes aim at your hard disk's partition table. These viruses either move your hard disk's partition-table information or destroy it altogether. They copy the partition-table information to another location on your hard disk and then write their own bad code into the area that normally contains the partition table.

After the workstation's BIOS loads and executes the virus during the boot sequence, the virus executes the partition information it saved elsewhere. A virus that infects only the partition table probably won't spread from one computer to another. It spreads by infecting your boot sector and/or the executable files on your hard disk. Table C lists some common partition-table viruses.
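Both the boot-sector viruses of the previous section and the partition-table viruses described here leave their mark in the first sector of the disk, so one way to catch them is to audit that sector: confirm the 55AAh boot signature, sanity-check the four partition entries, and compare both the boot code and the table against a copy saved while the disk was clean. The Python script below is an added example for these two sections, not code from the article or from any product it names. It works only on 512-byte byte strings constructed in the script (reading a real disk's first sector on Windows NT would need raw device access), and it assumes the standard PC layout of a master boot record: 446 bytes of boot code, four 16-byte partition entries, and the two-byte signature.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid boot sector


def make_entry(status: int, type_id: int, lba_start: int, sectors: int) -> bytes:
    """Pack one partition-table entry (CHS fields left zero for simplicity)."""
    return struct.pack("<B3xB3xII", status, type_id, lba_start, sectors)


def make_mbr(entries: list, boot_code: bytes = b"") -> bytes:
    """Assemble a 512-byte master boot record from boot code and up to four entries."""
    table = b"".join(entries) + make_entry(0, 0, 0, 0) * (4 - len(entries))
    code = boot_code[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\x00")
    return code + table + SIGNATURE


def parse_partition_table(sector: bytes) -> list:
    """Decode the four partition entries of a boot sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    entries = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"status": status, "type": type_id,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def audit_mbr(sector: bytes, baseline: bytes = None) -> list:
    """Return a list of problems: structural anomalies plus any change from a baseline."""
    problems = []
    if sector[510:512] != SIGNATURE:
        problems.append("missing 55AA boot signature")
    entries = parse_partition_table(sector)
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte {e['status']:#04x}")
        if e["type"] != 0 and e["lba_start"] == 0:
            problems.append(f"entry {i}: partition starts at sector 0")
    used = [e for e in entries if e["type"] != 0]
    for a in range(len(used)):
        for b in range(a + 1, len(used)):
            x, y = used[a], used[b]
            if (x["lba_start"] < y["lba_start"] + y["sectors"]
                    and y["lba_start"] < x["lba_start"] + x["sectors"]):
                problems.append("overlapping partitions")
    if baseline is not None:
        if sector[:TABLE_OFFSET] != baseline[:TABLE_OFFSET]:
            problems.append("boot code changed since baseline")
        if sector[TABLE_OFFSET:510] != baseline[TABLE_OFFSET:510]:
            problems.append("partition table changed since baseline")
    return problems


# Constructed sectors: a clean MBR with two FAT16 partitions, the same sector with
# its boot code altered, and one whose second partition overlaps the first.
CLEAN_MBR = make_mbr([make_entry(0x80, 0x06, 63, 200000),
                      make_entry(0x00, 0x06, 200063, 100000)])
ALTERED_CODE_MBR = b"\xaa" * 8 + CLEAN_MBR[8:]
OVERLAP_MBR = make_mbr([make_entry(0x80, 0x06, 63, 200000),
                        make_entry(0x00, 0x06, 1000, 100)])

if __name__ == "__main__":
    print("clean:", audit_mbr(CLEAN_MBR, CLEAN_MBR))
    print("altered boot code:", audit_mbr(ALTERED_CODE_MBR, CLEAN_MBR))
    print("overlapping table:", audit_mbr(OVERLAP_MBR))
```

The baseline comparison is the part that matters most in practice: a virus that relocates the original sector elsewhere on the disk leaves a structurally valid table behind, so the structural checks alone will pass, but the boot code will no longer match the saved copy. Store that copy on a write-protected floppy rather than on the disk being audited.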

Table C: Common Partition-Table Viruses

Hong Kong, LastDirSect, NOINT, Michelangelo, Asuza, Stoned III, Bloomington, Music Bug, Joshi

Memory-resident viruses

Memory-resident viruses avoid detection by loading into different areas of your workstation's memory. The virus waits there until you launch an application; then, it infects your workstation.

A few viruses place their memory-resident code in memory normally allocated for the command processor, either in its stack space or in the command data region of your workstation's memory. Because these viruses tamper with the command processor, they frequently cause your workstation to crash.

Many such viruses simply allocate memory through a DOS call and assume you won't notice the loss of a few kilobytes of RAM. This keeps the viruses from being overwritten while in memory. A few viruses place their code into unallocated memory. This approach doesn't decrease the amount of available memory on your workstation, thereby making detection less likely. However, these viruses are more vulnerable since another application can overwrite their code.

Some viruses intercept any memory-allocation calls made through interrupt 21h, thus preventing the operating system from allocating the memory block in which the virus stores its information. Other viruses do nothing about this problem, and your workstation crashes whenever it attempts to overwrite these areas.

A large number of viruses place themselves in the top portion of resident memory, just below the 640KB boundary. Then, they redirect BIOS interrupt 21h, which reports the total amount of conventional memory available in your workstation. This approach reduces the apparent amount of total memory, preventing function calls from overwriting the virus.

Viruses may also incorporate their code into the video-card buffers between 640KB and 768KB (A0000h and C0000h). The amount of total memory won't change, but your workstation may crash.

Macro viruses

While most viruses infect program files, a new breed of viruses, called macro viruses, can infect data files. Macro viruses infect Microsoft Word documents in particular, but newer versions of macro viruses can also infect Microsoft Excel spreadsheets. Because Microsoft controls most of the application market, its programs have become favorite targets of virus makers. Table D lists some of the macro viruses you should be aware of.

Table D: Common macro viruses

Name       Application
Alliance   Microsoft Word
Boom       Microsoft Word
Concept    Microsoft Word
Goldfish   Microsoft Word
KillDLL    Microsoft Word
Laroux     Microsoft Excel
Sofa       Microsoft Excel

Macro viruses take advantage of an application's built-in programming language. Application vendors now include powerful programming languages in their programs so users can perform complex tasks, and the people who create macro viruses turn this feature against software owners. Virus makers can hide a complex macro virus in any document or spreadsheet. When you load the infected file, your application will then spread it to any other file you open.

Initially, macro viruses wouldn't destroy data on your hard disk. However, newer strains are more deadly.

Protecting your Windows NT workstations

The first line of defense in the war against viruses begins at your workstations. We list several of the most popular Windows NT Workstation antivirus software packages in Table E. You can use the Web site addresses to find more information about each product.

Table E: Antivirus products for Windows NT Workstation

Product                                           Company                    Web Site
Norton AntiVirus 4.0 for Windows 95 & Windows NT  Symantec                   www.symantec.com
McAfee VirusScan for Windows NT                   McAfee/Network Associates  www.nai.com
ThunderBYTE Anti-Virus                            Authentex/NovaStor         www.authentex.com

Protecting your Windows NT server

Your second line of virus defense should reside on your server. While it's technically possible to write a virus that would infect Windows NT's core operating system, we haven't found any evidence that one actually exists. However, viruses can infect the files that are stored on your Windows NT server.

You can run virus scanners constantly on your workstations, but if you haven't scanned your servers, you can be reinfected by files that reside there. Virus scanners written specifically for Windows NT networks take advantage of the client/server architecture to speed up virus checking across your network. Table G lists some of the virus scanners you can run on your Windows NT server.

Table G: Antivirus products for Windows NT Server

Product                   Company                   Web Site
F-Prot Professional       Command Software Systems  www.commandcom.com
IBM AntiVirus Enterprise  IBM                       www.av.ibm.com/IBMAntiVirus
InocuLAN                  Cheyenne Software         www.cheyenne.com
Sweep                     Sophos                    www.sophos.com

Updating virus definitions/signatures

According to IBM researchers, computer hackers create new viruses at the rate of about three per day, over a thousand new viruses per year. So, a virus scanner that's two or three years old won't detect and eradicate the newer computer viruses cropping up every day. That's why it's extremely important that you regularly update your antivirus package's virus definition file or virus signature file.
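To make the point concrete, the Python script below models a signature-based scanner driven by a definition file, and shows why the age of that file matters: a strain whose pattern was added to a later release goes undetected by the earlier one. This is an added example written for this section, not code from the article or from any of the antivirus products it names. The definition files, the byte patterns in them, the sample files, and the 30-day staleness policy are all constructed for the example; the patterns are not real virus signatures.

```python
from datetime import date

# Constructed definition files: pattern bytes invented for this example, not real signatures.
OLD_DEFINITIONS = {
    "version_date": date(1998, 1, 15),
    "signatures": {
        "Sample.A": bytes.fromhex("deadbeef0102"),
        "Sample.B": b"CONSTRUCTED-PATTERN-B",
    },
}
# A later release adds a pattern for a strain that appeared after the old file was built.
NEW_DEFINITIONS = {
    "version_date": date(1998, 4, 1),
    "signatures": {**OLD_DEFINITIONS["signatures"], "Sample.C": b"CONSTRUCTED-PATTERN-C"},
}

MAX_AGE_DAYS = 30   # assumed policy: definitions older than this are flagged


def definitions_age_days(definitions: dict, today: date) -> int:
    """Days elapsed since the definition file was released."""
    return (today - definitions["version_date"]).days


def definitions_stale(definitions: dict, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    return definitions_age_days(definitions, today) > max_age_days


def scan(data: bytes, definitions: dict) -> list:
    """Return (signature name, offset) for every pattern found in the data."""
    hits = []
    for name, pattern in definitions["signatures"].items():
        offset = data.find(pattern)
        if offset != -1:
            hits.append((name, offset))
    return hits


def scan_files(files: dict, definitions: dict, today: date) -> dict:
    """Scan a set of files and report whether the definitions used are out of date."""
    report = {"stale_definitions": definitions_stale(definitions, today), "detections": {}}
    for fname, data in files.items():
        hits = scan(data, definitions)
        if hits:
            report["detections"][fname] = hits
    return report


# Constructed files: one clean, one carrying the old pattern, one carrying the newer one.
SAMPLE_FILES = {
    "CLEAN.TXT": b"Nothing to see here.",
    "OLD.EXE": b"MZ" + b"\x00" * 20 + bytes.fromhex("deadbeef0102") + b"\x00" * 10,
    "NEW.EXE": b"MZ" + b"\x00" * 30 + b"CONSTRUCTED-PATTERN-C",
}

if __name__ == "__main__":
    today = date(1998, 4, 15)
    print("old definitions:", scan_files(SAMPLE_FILES, OLD_DEFINITIONS, today))
    print("new definitions:", scan_files(SAMPLE_FILES, NEW_DEFINITIONS, today))
```

Run on the same three files, the January definitions flag themselves as stale and find only the older strain, while the April definitions find both. A scan that reports "no viruses found" with stale definitions is therefore a much weaker statement than the same report with current ones, which is why the freshness flag belongs in the scan report rather than in a separate check an administrator may forget to run.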

Conclusion

Computer viruses are a big problem these days, and it's part of a support professional's job to understand this problem and provide protection for workstation users. In this article, we've examined the various types of viruses and discussed some antivirus packages that you can use to fend off virus attacks.

Copyright © 1998, ZD Inc. All rights reserved. ZD Journals and the ZD Journals logo are trademarks of ZD Inc. Reproduction in whole or in part in any form or medium without express written permission of ZD Inc. is prohibited. All other product names and logos are trademarks or registered trademarks of their respective owners.