Kurt Wismer
December 1998
Author's note - This document contains information geared mainly towards prevention. It is best to read and follow it now as opposed to simply holding on to it until you get infected and need advice.
Table of Contents
The purpose of this document is to serve as an educational tool. I have felt for a long time now that the computer virus is much like a headache and that the average user should be able to administer proper anti-virus techniques on their computer as easily as they administer Tylenol, instead of having to run frantically to a specialist all the time (especially since most of those same specialists make available several tools that would take care of almost all the problems a user is likely to encounter).
As such this document contains a lot of preventative measures and advice for various decision making circumstances. This is the reasoning behind the name of this document and behind it's format, as it is not intended to go into detailed technical minutiae (unless warranted by obscure and unbelievable circumstances) but instead to be an average-joe-friendly document regarding secure measures for virus prevention, detection, and recovery. Unfortunately it's not possible to get away with a complete lack of technical terms - anything I feel isn't obvious I will explain in the glossary at the end.
This is sort of an anti-FAQ, I don't present questions and then answers as I don't feel that type of presentation is appropriate to reach people who might not be sure they even need to know about this stuff let alone have specific questions.
I'm also not going to go into great detail about what a virus is, many documents already do that and the average person probably doesn't need to know that.
A virus is just a kind of program (it can be any kind of program, not just an *.exe / *.com file) and it has to be executed before it can do anything. The two defining characteristics are that it has to self-replicate (make copies of itself) and it requires a host program to execute the virus when the host gets executed.
Now for a list of ingredients for an AV strategy.
These are deceptively important ingredients to a good AV strategy and should be made religiously. They are, in fact, the most important security procedure a user can perform.
Why should you back up your hard drive? Besides the obvious threat of virus infection, there's also trojan horses, accidental deletion, corruption due to buggy software, corruption due to power spikes, corruption due to media failure, etc... Somewhere, at some point you WILL need to restore from back ups, regardless of what precautions you take.
What should you back up? Everything that you don't fully intend to delete (which includes that which you're ambivalent about - you may find a use for that pop-up 4 digit display calculator yet!). Default program files are a must for backing up; personal data files can be remade to a large extent but remaking the programs themselves is beyond the abilities of most of us, you'd have to find them (or buy them) all over again.
To save yourself hassle, though, personal data files should be backed up too - but as you probably realize, data files change a lot so obviously they need to be backed up regularly while programs themselves (which for the most part shouldn't change at all) need only be backed up once. For this reason it may (especially if you're doing the backup manually) be easier to keep the two types of backups separate and save yourself a lot of redundant effort.
Program backups (backups of the software itself) should likely be made as soon as you acquire the software (scan it first though). Data backups should be made on a regular basis, the interval between backups being dependant on the average rate at which new data is generated and the value of that data (ie. in a system where incredible amounts of very valuable data are being produced, backups would probably take place every day at least; a single home user who might generate a new text file every week containing his/her shopping list probably wouldn't need to backup that data more than once a month if at all but thats an unlikely and rather artificial example). Data backups can also be amalgamated (grouped together) into sets and stored for extended periods of time before being replaced by the next set of data backups so that small errors that grow with time but go unnoticed in early stages (like what might occur on a system with a data diddler on it or simply with progressive file corruption) don't contaminate the only backups you have and render the data completely lost. In essence, you'd have a fixed number of backups and the oldest one would be replaced by the one you just made.
Backups can (obviously) be made on any writable media other than the hard disk (there'd be no point in storing the copy in the same place as the original as the copy would be just as insecure as the original), that includes floppy disks, tape cartridges, magneto-optical-erasable or floptical disks, SyQuest disks, Iomega ZIP or JAM disks, or even on paper (though that would be tedious to restore to the hard drive should it get lost - and you'd use up paper each time you made a new backup). There are more extensive systems that make use of methods beyond the scope of what we would conventionally think of as a backup (such as file mirroring on separate media) but such systems are costly and few average users would require such extensive measures.
Unfortunately every system is different and has different requirements, and data has different value in different contexts so no hard and fast rules about backups are possible - in this document it is only feasible to stress their importance and give some general tips.
Something that far too many people need but don't have are recovery disks. These are disks that one uses with anti-virus software (possibly even containing that anti-virus software) so that one can effectively deal with computer viruses. The reason is that there are many viruses now for which it is a requirement to boot from a clean bootable diskette before removal of the virus is a viable option. Booting from a clean disk removes memory resident viruses (and especially stealth viruses) from memory. To that end, it's often best to make use of them whether you have such a virus or not (it will be nearly impossible for the average user to know for certain if it's required so just use this in all cases).
To make a recovery disk set:
BOOT disk
You should now patch A:\IO.SYS by executing the commands "ATTRIB -R -S -H A:\IO.SYS" and "DEBUG A:\IO.SYS". You should now see a '-' prompt, type "d 2a18 2a1a" and press return. You should see "07 72 03" somewhere around the middle of the output line. If this is the case type the following lines:
e 2a18 07 72 06 w qand back at the DOS prompt:ATTRIB +R +S +H A:\IO.SYS
If at any point where it says "you should see" if you didn't then press enter until you get a '-' prompt, type "q" and then "ATTRIB +R +S +H A:\IO.SYS". If you were unable to perform this patch it doesn't matter all that much as is needed only in relatively rare circumstances. *1* See the end of this section.
device=a:\himem.sys dos=high
AV disk
DECOMPRESSION disk
To update an AV program on a recovery disk:
To update a compression program on a recovery disk:
(Important Note: You cannot start making recovery disks on your computer if your computer is already infected by a computer virus - make those recovery disks NOW while you're still capable of doing so, otherwise you're going to have to find someone else who isn't infected who can make recovery disks for you.)
*1*This process (in particular the patching of A:\IO.SYS) is necessary to deal with a security loophole that has existed in MS-DOS since version 3.2 which would hang the computer when booted from the hard disk or from a floppy disk.
The bug does not exist in current versions of PC-DOS or most other non-MS operating systems so those can be used instead without the patch (effectively the batch file should be reduced to include only the first line in that case). In the case of Win95 users, I still suggest using a DOS 6.X recovery disk to start because the above patch may not work on Win95 and also because Win95 leaves a copy of the MBR in a memory buffer even after a clean boot from a floppy - which can interfer with the user's ability to use anti-virus products on the drive (it causes false alarms in the case of MBR infections). A bootable Win95/DOS7.x should be made aswell if that is the operating system your computer is running on - so that you can deal with the newer filesystems and long filenames if you have them.
That's right, "Verified". The clean boot commonly discussed isn't good enough anymore (and hasn't been for some time - but people haven't updated what they say yet).
A regular clean boot is a requirement for secure anti-virus scheme because, in essense, the code that gets control first wins. If a virus is already actively running in memory when a user attempts to apply a software based anti-viral technique it is possible for the virus to circumvent that technique, regardless of what it is or how complex it is. The virus can do this before the software is allowed to run or during the operation of the anti-viral software. A clean boot is a hardware based anti-viral technique for removing all possible viruses from the computer's memory so that subsequent software based av techniques can't be actively circumvented. In theory is absolutely secure if you know that the disk you're booting off of is clean but there's a problem.
There exists a mechanism by which a virus can make sure it gets loaded even when a simple clean boot is performed. It isn't magic, although it may seem impossible at first. What happens is that a virus (typically an MBR infector) making use of this technique changes the computers CMOS to make sure that the computer attempts to boot off of the hard drive (thus executing the virus) before checking the floppy drive (the default behaviour, the behaviour necessary for a true clean boot, is the reverse of this) regardless of whether or not a disk is put into drive A:. Apon detecting the disk in drive A:, the MBR infector would continue the boot from the floppy disk (instead of continuing from the hard disk) and make it seem to the user as if s/he had just booted from the floppy. It is now necessary to check an make sure this hasn't happened on your system when you perform a clean boot.
As such the verified clean boot is as follows:
This is not an easy subject to communicate as there are several different types of anti-virus software, some of which have broad general purpose uses while others are better suited to specialized environments. In later discussion only the first type will be mentioned but in this section I'll discuss both.
Scanners are the most widely used type of av product and the most convenient because, if used properly, they can catch a virus before it has a chance to affect your system and save you the trouble of restoring your system to it's original condition. Some more advanced scanners also know how to look for code that is commonly used in viruses and thus alert you to the presence of a possible new virus. This is called heuristic scanning and it doesn't always work as advertized (it doesn't detect all new viruses and sometimes it detects what it thinks "might" be a virus where there isn't one). Never the less it's very useful technology and most of the better av products out there now have heuristic capabilities.
The more specialized products are:
They are open to attack from multipartite infections, however, as the boot infector instance of the multipartite virus will execute before the memory resident integrity checker.
The most important thing to remember with all software, though, is to Read The F'ing Manual (RTFM). If you don't read it, you are bound to have problems.
The second most important thing to remember is to update your software regularly. Scanners typically come out with new versions or new definitions files every month or so (there is one that does so every week). Integrity checkers and other generic av software are often updated less frequently, but keeping up to date is no less important in those cases. As a general rule of thumb, unless you are keeping constant tabs on the industry (thus making sure you hear about new releases when they happen) don't go more than 2 months without looking for a more recent version of your main av software. The detection rate of the current version of your scanner can go down by as much as 10% or more over that period just from the number of new viruses that come out each month.
The strategy you use can greatly affect the security of your system against viruses and many people have only rudimentary or ad hoc strategies in place (if any). It's generally accepted in the Anti-Virus community that the best strategy is the multi-layered approach which uses the strengths of one type of software (ie. integrity checking) to supplement and make up for the weaknesses in another type of software (ie. scanning).
At the moment I am aware of 6 basic layers that may or may not need to be addressed depending on the needs and capabilities of the system:
Problem Scanning and Preventative Filtering are best accomplished by known-virus scanners. Virus-Specific System Monitoring is best accomplished using the VxD (Windows only) component (not a TSR) of the known-virus scanner used for Problem Scanning and Preventative Filtering. Full Integrity Checking should be done using a good, secure integrity checker. Generic System Monitoring can be done using directed integrity checkers or full integrity checkers if they are configurable enough. Recovery is best done using back-ups, restoring by replacing affected objects with known clean back-ups is the safest and most secure method of recovery - though most people seem to prefer the convenience of disinfection by a known-virus scanner (not realizing that it's not always perfect or even possible).
What follows are the situations you should run into and what you should do as far as anti-virus security when you do.
You can run one of the memory resident anti-virus products and/or generic system monitors aswell.
Then backup the new software (if warranted).
<There are alternatives to THDPro, but be sure that the product you choose is at least comparable to THDPro in terms of it's wide range of scanners and compression types it can handle. Some newer scanners, notably AVP, do have comparable functionality to THDPro.>
In the case of major device driven media (such as a Stacker, Doublespace, or Speedstor drive) where the device drivers necessary to access them aren't loaded during the verified clean boot - scan the computer using the method above, and when everything turns up clean reboot from the hard drive so that those drivers are loaded up but nothing inside the device driven media is executed and then use the scanner on the floppy to scan the device driven media (or if you're clever, put the device drivers on the the recovery disk so that you can access them after the clean boot - but beware, this takes up space that could otherwise be used by anti-virus software).
In the case of Win95, perform the the above mentioned clean boot with the DOS 6.x boot disk and scan or otherwise check the MBR and DBS for viruses. Then boot from the Win95/DOS 7.x boot disk and check the rest of the computer.
There may be some question as to whether the disk with the integrity checker and data on it should be write protected or not - it should except when you intend to actually use it (ie. remove the write protection just before executing the integrity checker and then restore it when the integrity checker has finished). This is so that it doesn't get infected if it's accidentally put in the drive when you haven't yet performed a clean boot (ie. you might put it in by accident).
If it's the MBR or bootsector that's infected, restore it from the backups of them that you have on a recovery disk. If you don't have a backup of your bootsector or MBR it will be necessary to use the disinfection capability of your anti-virus program. These viruses will infect floppies so it will be necessary to scan your floppy disks and recover from those additional infections.
After everything is clean and working properly again, send the company who makes your anti-virus program a note saying what virus you had, how you cleaned it up, and how much you appreciate their efforts in creating such great anti-virus tools. This will improve their figures regarding which viruses are in the wild and how prevalent they are, aswell as giving them an opportunity to have someone reply if their's any additional procedures you should have used or anything they feel you need to be made aware of. It also makes some of them feel good to get the appreciation they so much deserve.
If all this fails, question whether step #2 is being followed strictly enough in all circumstances (you could be getting infected files over and over again from someone you would otherwise 'trust' - if so they should be alerted about the infection so that they can clean up their system)
Well, that's it for security, now to tie up some loose ends.
The scanner is a particularly difficult peice of software to choose. It requires you to trust the evaluations of others because exceptionally few people have the time or resources or know-how to do performance tests on scanners, but it also requires you to know WHO to trust. Magazine tests are a great source of misinformation, they have so many faults it's not funny and I'll describe some of the worse ones here so that you'll know a bad test when you see one. However, since there is no single "best" virus scanner you might want to look at the top few as opposed to the top one.
Some of the better respected independant tests in the industry have come from places like the Virus Test Centre at the University of Hamburg and the Virus Research Unit at the University of Tampere. Two other organizations that perform well respected tests are Virus Bulletin and Secure Computing. Look for tests from any of these organizations to evaluate the detection rates of different scanners (tests performed by end users themselves have notoriously poor testing protocols, and usually have unreasonably small and unrepresentative collection of viruses). Web sites for the above mentioned organisations are listed below.
An integrity checker is even more difficult to choose since there aren't any widely accepted methods for testing them. A good idea would be to look for an integrity checker that can check all files as well as the MBR and bootsector, and can store it's data on a floppy disk. Other good qualities would be the ability to alert you when there is no integrity data stored for a particular file/directory and the ability to detect companion viruses generically. Another good quality to look for in an integrity checker is what is called a key dependant algorithm (sometimes simply described as a checksum or crc algorithm that is uniquely chosen each time the software is installed.) These are things you may have to read the manual carefully to find out about though, but they are the main things to look for.
A virus is just a special sort of program, not a magical glitch that can do supernatural damage to your computer.
You can't get infected by a virus from 'reading' email.
No known virus has ever intentionally damaged hardware, nor is it likely that they will do so in the future.
It is never necessary to format a hard drive to get rid of a virus, in some instances this method won't even work.
Do not use the command "FDISK /MBR" unless specifically told to do so by the author of an anti-virus product (and sometimes not even then).
There is no "best" anti-virus product and there likely never will be one, there are only very good products and products you should probably just ignore.
CMOS memory cannot be infected, only corrupted.