
Widespread Virus Myths



This information comes from <http://www.stiller.com/myths.htm>


Widespread Virus Myths

Viruses are simple! They are merely programs written to create copies of
themselves and to attach these copies to other programs. These infected
programs can be files containing executable code (most commonly .COM and
.EXE files) or <sectors.htm>boot sectors. The only way any virus can infect
your PC is by executing one of these programs or by booting from a
diskette containing an infected boot sector. Simple, right? Well, it should
be simple, but there is a lot of myth and misinformation regarding viruses
so things often appear to be not so simple. These myths are harmful to you
if you believe them.


Let's debunk the common myths and misunderstandings regarding viruses:


--Viruses Come From Online Systems?

Simply being attached to a network (such as CompuServe, or Internet), a
bulletin board system (BBS), or even a local area network will not make you
susceptible to viruses. The only way you can get a virus is to execute a
program on your PC that you obtained over the network. The mere act of
downloading a program is harmless; it's only by downloading and then
executing an infected program that your PC can become infected. I hope it's
clear that the mere act of reading electronic mail cannot infect you. (See
the <gtimes.htm>Good Times Virus Hoax)

More than 90% of all infected PCs are infected by system sector viruses
such as Michelangelo, Stoned, Monkey, or Form. These viruses only spread by
booting from an infected diskette. This makes it clear that online
communication plays no part in the spread of most viruses.

--There is a potential threat that you may want to be aware of. You are
under some threat of virus infection if your web browser or mail reader
will automatically execute MS Word. If you have MS Word installed and your
software has this capability, we strongly suggest you use the option
setting to turn it off. (See information on <vmacro.htm>Macro Viruses)

--There is another potential threat that you may want to be aware of. (This
is not a virus but falls into the category of 'dirty trick.') If you have
the device driver ANSI.SYS loaded (in your CONFIG.SYS file), someone could
send a sequence of characters to your screen (known as an ANSI sequence)
which assigns a set of key strokes to a key on your keyboard. These key
strokes could easily be something harmful like "DEL *.*". When you hit the
key that was reassigned, the command will execute just as if you had typed
it yourself. Let me reassure you that while this "trick" is possible, it is
fairly rare since many people no longer load the ANSI.SYS device driver or
use a version without keyboard remapping.

--Viruses Only Infect .com and .exe Files:

Viruses also infect <sectors.htm>system (boot) sectors. These viruses do
quite well because sectors do not show up as files and are therefore
"invisible" to the average user. System sector viruses account for almost
80% of all in-the-wild infection.

Viruses can also infect any file which is in some way executed. This
includes device drivers (commonly .SYS or .BIN) and overlay files. It's
even possible to write viruses for batch files, word processors, or
spreadsheet macros. (See information on <vmacro.htm>Macro Viruses)

Would you believe that a virus can infect your files without changing a
single byte in the file? Well, it's true! A companion virus infects your
files by locating a file name ending in ".EXE". The virus then creates a
matching file name ending in ".COM" which contains the viral code. The
virus may place this file in the same directory or in another directory on
your DOS path. Here's what happens. Let's say a companion virus is
executing (resident) on your PC and decides it's time to infect a file. It
looks around and happens to find a file called "WP.EXE". It now creates a
file called "WP.COM" containing the virus. If you type "WP" and hit enter,
DOS will execute "WP.COM" instead of "WP.EXE". The virus executes, possibly
infecting more files and then loads and executes "WP.EXE". The user
probably doesn't notice anything wrong. This type of virus is fortunately
easy to detect by the presence of the extra files. There are some instances
where it is normal to have both ".COM" and ".EXE" files of the same name
(such as DOS 5's DOSSHELL) but this is relatively rare. It is also possible
for a virus to plant either .COM or .EXE files for existing .BAT files, but
this is unlikely to be an effective strategy. If you use the NDOS or 4DOS
COMMAND.COM replacement, there is a further risk of a virus planting .BTM
files.

--You Can Get a Virus From Data?

Since data is not executed, you cannot become infected from data. Some of
the pro-virus kiddies love to scare people by perpetuating myths that data
or email can transmit viruses (See the <gtimes.htm>Good Times Virus Hoax).
If someone sent you a data file that contained a virus, you would have to
rename the file and then execute it to become infected!

Since Microsoft Word users can receive viruses inside what appear to be
document files, they can become infected from a document sent by email or
from the Web. (See information on <vmacro.htm>Macro Viruses) The infection
can only happen when you start MS Word on your computer, so if you use MS
Word, it's important to configure your web browser or mail reader not to
launch MS Word automatically for .DOC files.

Data files can't infect you but you can become infected from a diskette
that is not bootable and contains no (apparent) programs. The explanation
for this is that all diskettes have a <sectors.htm>boot sector which
contains a program that can become infected by a <vintro.htm#bootvir>boot
sector virus. If you leave such an infected diskette in your drive when you
power up or boot, your PC will be infected! This is how most viruses
spread. You will see the typical "Non-system disk or disk error" message
but the virus will have infected your PC.

--A Virus Can Infect CMOS Memory?

PC AT (Intel 80286) type computers and later models contain a small amount
of battery backed CMOS memory to store configuration information and to
maintain the time and date. This memory is never executed, so although it
could be damaged by a virus, you can never become infected from CMOS
memory. Viruses, buggy programs, or a failing battery may damage this data
so it's vital to be able to check it and to be able to restore it in the
event that something goes wrong. If your CMOS data is corrupted you may be
unable to access your disk drives or boot your PC. Our product, Integrity
Master, checks and, if necessary, reloads this data. Beware though, many
CMOS programs only handle the older 64 byte standard AT CMOS. Be sure to
check that your program can handle the new larger CMOS memories found on
almost all newer PCs made since 1992.

--You Can Fool Viruses by Hiding COMMAND.COM?

COMMAND.COM is a program that executes each time you boot your PC. There
was an early virus that only infected COMMAND.COM so the idea of hiding or
renaming this file began. Today many viruses actually go out of their way
to avoid infecting this file, since some anti-virus products single out
this file and a few others for special scrutiny. With today's viruses,
hiding COMMAND.COM is utterly futile.

--You Can Detect Viruses by Checking File Size or Time and Date Stamps?

While it's helpful to check the file size or the time and date stamps of
your executable files for unexpected changes, this is not a reliable way to
catch viruses. Many viruses are smart enough not to change the time and
date stamps when they infect a file. Some viruses even hide the change to a
file's size when they infect a file.

--There Are Simple "Cures" to the Virus Problem?

Many products make claims which they can't support. Everyone would like to
just buy product X, run it, and be rid of viruses forever. Unfortunately
there is no such easy cure. It's important to understand how your
anti-virus software works and to understand its weaknesses. You can't
simply run a program and be safe from viruses; it's important to
understand what risks you face and how your software protects (or doesn't
protect) you.

--Write-Protecting Your Files Prevents Viruses?

You can use the DOS ATTRIB command to set the read only bit on files. This
is so easy for a virus (or any program) to bypass, that it simply causes
more problems than it cures. This is also true on networks. However, on
networks you can set the file access rights to execute-only or read-only.
This does work and will prevent the files from becoming infected from
another workstation on the network. (Please note that we are talking about
access rights, not file attributes, here--the distinction is vital.)

--You're Safe by Running Only Retail Software?

Several "virus experts" have suggested that users avoid downloading
software and avoid shareware. There are no facts to support this! The most
common viruses are <vintro.htm#bootvir>boot sector viruses that spread when
someone boots from an infected disk. To spread boot sector viruses, a
physical disk must be passed around and then booted. Michelangelo spread
widely because software distribution disks were infected with this virus.
There was no reported incident of this virus spreading via shareware. It
is, of course, wise to make sure that you download your software from a
source that screens each program for known viruses. Quite a few viruses
have been shipped directly from the software manufacturer in the shrink
wrapped packages. One major software company has on at least two separate
occasions shipped a virus with their product. Buying shrink wrapped retail
software is much more dangerous than many people think it is, since some
retailers accept returned software and then simply rewrap the software and
sell it again. This software could have easily been infected by the first
user who tried it and then returned it.

--You Can Write-protect Your Hard Disk?

There are several programs that claim to write-protect your hard disk.
Since this is done in software, it can be bypassed by a virus. This
technique, however, will stop some viruses and will protect your disk from
someone inadvertently writing to it.

It IS possible to write-protect a disk using hardware, but this technology
does not seem to be readily available.

--While write-protecting your files and your hard disk are of questionable
value, you definitely CAN write-protect your floppy disks. Just cover the
notch on the 5.25 inch diskettes, or on 3.5 inch diskettes slide the little
tab to expose the hole. The only risk here is that some diskette drives may
be defective and still allow writing on the diskette. If in doubt, do a
test and check out your drive.

--Viruses Are The Most Serious Threat to Your Data?

As I mentioned in the <vintro.htm>Introduction to viruses, viruses are
among the less likely threats that you face. Problems such as bugs and
conflicts with resident software (especially disk caches!) are much more
likely to damage your programs and data than viruses.

--"Safe Hex" is the Solution to Viruses?

You may have heard this rumor: "You don't need an anti-virus product, just
backup your disk regularly and keep an eye on your programs." Yes, it is
vital to have good backups, but that is no longer enough. You may also have
heard that provided you don't share programs or download (practice "safe
hex"), you have nothing to worry about. This is no longer sufficient
protection; every time you buy a software package you are exposing yourself
to potential virus infection. It is not possible to be safe from viruses by
secluding your PC! There are now some very sophisticated viruses that can
do substantial damage. Although they may not be very likely to attack your
system when compared to other threats, they do represent a very real and
very dangerous threat -- a threat you cannot ignore or combat merely with
good backups, seclusion or common sense.

--Software Is Useless Against Viruses?

Maybe we should just surrender to viruses and wait for a fool-proof
hardware solution? It is true that certain types of software can allow
viruses to spread; scanners will miss new viruses written after the scanner
was released and no program can actually stop a virus once it is executing
on your PC. Viruses can defeat any software defense -- right? Wrong! The
viruses are playing on your turf, so you have an advantage. All viruses
must change something on your PC in order to infect it. These changes can
be detected even if the virus is not known. A virus can attempt to hide
these changes by using stealth techniques to intercept attempts to read the
disk but in that case the virus can be detected because of its presence in
your PC's memory. A virus will always betray itself in the memory, system
sectors, or executable files. There is no way a virus can hide from a full
integrity check.


----------

Integrity Master Provides Full Protection!




----------
Copyright © 1997 Stiller Research. Document Last Modified April 18


>>     One likes to leaf through beautifully bound books.     <<

Peter D. Verheyen   <wk> 315.443.9937      <fax> 315.443.9510
<Email>                        mailto:pdverhey@dreamscape.com
<Webmaster>                http://www.dreamscape.com/pdverhey
<Listowner>       mailto:Book_Arts-L-request@listserv.syr.edu
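
The article's section on .COM and .EXE files says a companion virus is easy to detect by the presence of the extra files. The following is an added example, not part of the original message or of any Stiller Research product: it walks a command search path and reports every program that is hidden by a same-named file found earlier. The function names, the allow-list parameter and the slot given to .BTM files are assumptions of this sketch.

```python
import os
import tempfile

# Order in which the shell tries extensions for a bare command name.
# .COM/.EXE/.BAT is the DOS order; the slot given to 4DOS/NDOS .BTM
# files is an assumption of this sketch.
PRECEDENCE = [".COM", ".EXE", ".BTM", ".BAT"]

def find_shadowed(path_dirs, allow=()):
    """Return (winner, shadowed) path pairs. 'winner' is the file that runs
    when the bare name is typed; 'shadowed' is a same-named program it hides.
    path_dirs is the search order: current directory first, then PATH."""
    hits = {}  # base name -> [(dir index, extension rank, full path)]
    for d_idx, d in enumerate(path_dirs):
        try:
            names = os.listdir(d)
        except OSError:
            continue  # missing or unreadable PATH entry
        for name in names:
            base, ext = os.path.splitext(name.upper())
            if ext in PRECEDENCE and base not in allow:
                hits.setdefault(base, []).append(
                    (d_idx, PRECEDENCE.index(ext), os.path.join(d, name)))
    findings = []
    for entries in hits.values():
        entries.sort()  # earlier directory wins, then extension order
        findings += [(entries[0][2], e[2]) for e in entries[1:]]
    return sorted(findings)

def demo():
    """Constructed sample tree; DOSSHELL is the legitimate pair the page names."""
    with tempfile.TemporaryDirectory() as root:
        dos, wp = os.path.join(root, "DOS"), os.path.join(root, "WP")
        os.mkdir(dos)
        os.mkdir(wp)
        for d, n in [(dos, "DOSSHELL.COM"), (dos, "DOSSHELL.EXE"),
                     (dos, "WP.COM"),   # extra file in an earlier PATH dir
                     (wp, "WP.EXE"), (wp, "EDIT.EXE")]:
            open(os.path.join(d, n), "wb").close()
        found = find_shadowed([dos, wp], allow={"DOSSHELL"})
        return [(os.path.relpath(w, root), os.path.relpath(s, root))
                for w, s in found]

if __name__ == "__main__":
    for winner, shadowed in demo():
        print(f"{winner} runs instead of {shadowed}")
```

Because the comparison spans all directories on the path, it also reports the case the article mentions where the extra file sits in a different directory from the program it hides.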
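
The article argues that size and date stamps are not a reliable check, and that a change to an executable can be detected even when the virus is unknown. The following is an added example, not code from the original message or from Integrity Master: a small baseline-and-verify routine that flags changed files and marks those a size-and-date comparison would have missed. The use of SHA-256, the function names and the sample files are assumptions of this sketch, and it covers files only, not memory or system sectors.

```python
import hashlib
import os
import tempfile

EXEC_EXTS = {".COM", ".EXE", ".SYS", ".BIN", ".BAT"}  # types named on the page

def snapshot(root):
    """Map each executable under root to (size, mtime_ns, sha256 of content)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].upper() in EXEC_EXTS:
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                snap[os.path.relpath(path, root)] = (
                    st.st_size, st.st_mtime_ns, digest)
    return snap

def verify(baseline, current):
    """Compare two snapshots. 'missed_by_size_date' lists changed files whose
    size and timestamp still match the baseline."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": [], "missed_by_size_date": []}
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel][2] != current[rel][2]:
            report["changed"].append(rel)
            if baseline[rel][:2] == current[rel][:2]:
                report["missed_by_size_date"].append(rel)
    return report

def demo():
    """Constructed scenario: bytes overwritten in place, timestamp restored."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("WP.EXE", "EDIT.COM", "README.TXT"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"\x90" * 64)  # constructed stand-in content
        base = snapshot(root)
        target = os.path.join(root, "WP.EXE")
        st = os.stat(target)
        with open(target, "r+b") as f:  # same length, different bytes
            f.seek(32)
            f.write(b"\xCC" * 16)
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # stamp put back
        return verify(base, snapshot(root))

if __name__ == "__main__":
    print(demo())
```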

