Reprinted from CompuMag, Vol. 1 (1989), Issues 3 and 4
For subscription information call 1-805-273-0300

Virus Hysteria!
by Richard B. Levin

You're scared. Having heard how computer viruses leap from computer to computer, you've learned your system could be the next unwitting sufferer of a computer flu. After all, your friend has a friend whose cousin knows someone who witnessed a virus display "Arf! Arf! Gotcha'!" as it gobbled up data on an office PC. And your local BBSes are bubbling over with heated horror stories about bombs, Trojans and viruses, not to mention countless recommendations for anti-virus software products. It seems that every new day brings with it stories of impending computerized doom, created by evil geniuses with programming abilities far beyond those you or your associates could ever hope to achieve, much less do battle against.

Relax! Hysteria over computer viruses comes in waves. The hysteria is fueled, in large part, by the popular press' frenzied, poorly researched and consistently inaccurate reporting on the subject. Computer crime is not a new story and viruses are simply the latest plot twist. Vandals sending "time-bombs" and viruses into our nation's telephone network are akin to hackers breaking into corporate or government mainframe computers and scrambling data--the techniques they use for sowing destruction may differ, but their intent and results are the same.

Before you hang up your joystick in disgust, however, realize that computer vandalism has been with us, in one form or another, since the first CRT was fired up and will remain until the last disk drive grinds to a halt. In any public endeavor there will be an anti-social element; computing is no exception. In the interest of "safe computing," the question we must ask is "how do we protect ourselves from the ravages of the computer criminal and computer viruses?"
If you choose not to ignore the reality of computer viruses, there remain three ways to dispense with the problem: virus prevention software, virus detection software and safe-computing practices (which include anti-virus software usage, among other things). As with other forms of crime prevention, virus prevention software products may provide an effective deterrent in some cases; they fail, however, when the criminal element is determined to perpetrate criminal acts. Most virus prevention software products have serious technical drawbacks that users naturally overlook (we're not all computer scientists) and virus developers exploit. For example, not one of the anti-virus software programs on the market today can protect a system from a deadly disk "write" that bypasses DOS by directly manipulating the disk controller. Users of virus prevention products believe their computers are impenetrable; in reality, they're sitting ducks, safeguarded only from the simplest of viruses.

Fact: it is physically impossible to prevent all manner of viruses from entering your system; no matter how many automobile alarms you may install, if the crooks want to steal the wheels badly enough, they will. This same line of reasoning remains true in the area of virus protection: if the virus developer is determined to breach your system, your system will be compromised. You can, however, detect viral infections almost immediately after they occur, which allows you to rapidly eradicate the invaders and prevent future infections.

By employing the following "safe computing" measures (excerpted from the documentation that accompanies my CHECKUP virus detection system) and by installing a reliable virus DETECTION system, you are guaranteed a measure of security virus PREVENTION software can never provide:

* Run CHECKUP (or another reliable virus detection system) daily. CHECKUP provides a sanitary, clean floppy disk/batch file method that is capable of detecting any virus, past, present or future.

* Run major applications via DOS batch files and have CHECKUP (or another reliable virus detection system) perform a pre-run, last-minute check of the programs about to run. Using CHECKUP, for example: instead of typing the "WORD" command to run Microsoft Word, create a batch file named "WRD.BAT" that reads as follows:

      CD \WORD
      CHECKUP WORD.COM
      IF ERRORLEVEL 1 GOTO EXIT
      CHECKUP WORD_DCA.EXE
      IF ERRORLEVEL 1 GOTO EXIT
      CHECKUP MAKEPRD.EXE
      IF ERRORLEVEL 1 GOTO EXIT
      CHECKUP MERGEPRD.EXE
      IF ERRORLEVEL 1 GOTO EXIT
      CHECKUP MW.PGM
      IF ERRORLEVEL 1 GOTO EXIT
      CHECKUP SPELL-AM.EXE
      IF ERRORLEVEL 1 GOTO EXIT
      WORD
      :EXIT

  In the future, use the WRD command to invoke Microsoft Word. CHECKUP will examine all of Microsoft Word's executable files and will allow them to run if (and only if) they pass CHECKUP's scrutiny. Of course, unlike Microsoft Word, many applications have only one principal executable file to check, greatly simplifying implementation of pre-run checking through DOS batch files.

* Regularly check and log available disk space. Aggressive viruses decrease storage space as they spread throughout a system. This activity can be identified through rigorous monitoring. The following commands, added to AUTOEXEC.BAT, will track disk usage:

      CD \
      DIR >> DIR.LOG
      TYPE DIR.LOG > PRN

* Observe the time it takes for programs to load--infected files take longer. Programs exhibiting longer than normal load times might be infected (see the next tip for related information).

* Scrutinize disk accesses whenever possible. Viruses can spend large amounts of time scanning directories and executable files as they search for new, uninfected host files. Programs conducting longer than normal disk I/O, especially during load-time, might be infected.

* Periodically re-install applications from their master disks.
  This overwrites application files in use and any viruses incubating within them.

* Once a week, use the SYS command to re-install the system files onto your boot disk(s). This eliminates viruses lurking in the boot sectors.

* Use the DOS "SHELL" command to rename and relocate COMMAND.COM to a directory other than the root of your boot disk. Then place a different copy of COMMAND.COM in the root directory. This may divert viruses into infecting the decoy copy instead of your actual command processor. Refer to your DOS reference manuals for information on the SHELL command.

* Boot from a certified clean floppy disk copy of your DOS master disks whenever possible. This ensures your system is running under an uncorrupted operating system at all times.

* Change executable file attributes to read-only. Poorly engineered viruses may not be able to alter read-only files. Executable files are those ending in a .BAT, .COM or .EXE extension or loaded in CONFIG.SYS. Many programs write to their master executable file when saving configuration information. If such a file has been converted to read-only, the read-only attribute must be removed before re-configuring and reset afterward. There are many utilities that can reset file attributes, including ATTR.COM, available for downloading from the PC-Magazine Network on CompuServe. CompuServe users can "GO PCMAGNET" to download ATTR.COM. If you own the Norton Utilities, use Norton's FA.EXE. To change the attributes of COMMAND.COM to read-only using FA, enter:

      FA COMMAND.COM /R+

  Some versions of DOS provide an ATTRIB (or similar) command. Check your DOS reference manuals for more information on modifying file attributes.

* Use extreme caution when working with FAT and directory editors, directory sorters, disk optimizers, file movers, format-recovery systems, partition-related tools, un-erasers and other low-level DOS utilities. These programs manipulate critical data and one bug or errant keystroke can annihilate a disk. Additionally, DOS shells should be treated with care as they also handle critical disk information. Safe bets for low-level disk management are the Norton Utilities, Advanced Edition, from Peter Norton Computing, Inc.; PC-Tools from Central Point Software and the Mace Utilities from Paul Mace Software. Among DOS shells, we recommend the Norton Commander, also from Peter Norton Computing, Inc. These programs are available at most computer retailers.

* Do not run files downloaded from public access BBSes (bulletin board systems) that do not validate users who upload. If the SysOp of a bulletin board did not contact you directly (by phone, mail or automatic callback), you can be certain that other users have not been validated. (SysOps: If validating users is a burden, a practical alternative is to validate them after they upload their first file.)

* Do not run files downloaded from public access BBSes where the SysOps do not test and approve all files.

* Do not run files provided by shareware/public domain disk distributors, including your local users group, where the disk librarians do not test and approve all files.

* Do not run self-extracting archives unless they have been tested. Self-extracting archives are a classic delivery method used by bomb developers.

* Beware of suspicious-looking files. A 128 byte .COM file that un-archives without documentation and whose description reads "Great Word Processor" is suspect.

* Use a binary file-viewing utility (like the one included in the Norton Commander) to examine executable code. Look for suspicious comments and messages embedded in the code.

* Do not run programs unaccompanied by well-written documentation prepared by the program's author.

* Do not run programs that do not include the name, address and telephone number(s) of the author within the documentation or executable(s).

* Call program authors and verify the version number, time and date stamps, file sizes and archive contents of files you have received.
* Ask authors where you can get certified clean copies of their programs, then discard the copies you have and get the certified copies.

* Download shareware direct from the author's BBS. Most professional shareware authors provide support BBSes for their products. You are guaranteed uncorrupted programs when you download them directly from their authors.

* Do not use hacked or pirated software. Software pirates have the skill and the tools needed to create bombs and viruses. Many reported incidents of viral infections have been associated with software piracy. In fact, some of the deadliest Trojans have been modified copies of well-known applications.

* Back up your system regularly! No system exists in a vacuum, nor is any anti-virus or anti-Trojan technique foolproof. Back up on a daily, weekly and monthly basis. When disaster strikes, users who have regularly backed up their systems will have the last laugh (and their data)!

If you are not using a virus detection system, or you are using a less-than-perfect virus detection system, how can you tell if a virus has landed on your system and begun eating away at your precious data? The following guidelines, also excerpted from CHECKUP's documentation, will help you identify the viral warning signs:

1. Computer operations seem sluggish.
2. Programs take longer to load.
3. Programs access multiple disk drives when loading where they didn't before.
4. Programs conduct disk accesses at unusual times or with increased frequency.
5. Available disk space decreases rapidly.
6. The number of bad disk sectors steadily increases.
7. Memory maps reveal new TSR programs of unknown origin.
8. Normally well-behaved programs act abnormally or crash without reason.
9. Programs encounter errors where they didn't before.
10. Programs generate undocumented messages.
11. Files mysteriously disappear.
12. Names, extensions, dates, attributes or data change on files that have not been modified by users.
13. Data files or directories of unknown origin appear.
14. CHECKUP (or another reliable virus detection system) detects changes to static objects (files). Changes detected to dynamic objects are not an indication of viral alterations.

Rest assured that neither you nor anyone you know will suffer a major data loss from a viral attack if safe-computing measures are implemented religiously. When and if a viral infection is discovered, turn your computer off and contact a good viral diagnostician for eradication advice. Do not use your computer or any floppy disks associated with your computer until your system has been thoroughly cleansed.

Above all, however, enjoy computing and the thousands of quality public domain and shareware programs at your disposal. Take comfort in the knowledge that safe-computing techniques, employed properly, will serve to protect your data from harm.
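The WRD.BAT pre-run check and warning sign 14 (changes to static objects) rest on the same idea: record what each executable looks like while it is known to be clean, then refuse to run it when it no longer matches. The following is an added example of that baseline-and-compare logic in Python, not CHECKUP's own code; the use of SHA-256 digests and the two stand-in files WORD.COM and SPELL-AM.EXE written into a temporary directory are assumptions made for the demonstration.

```python
import hashlib
import os
import pathlib
import tempfile

def fingerprint(path):
    # Size plus SHA-256 digest (an assumption; the article does not say how
    # CHECKUP itself records static objects).
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}

def build_baseline(paths):
    # Record every static object: executables that should never change.
    return {p: fingerprint(p) for p in paths}

def check(baseline):
    # Report each recorded object that is missing or altered, and why.
    findings = []
    for path, recorded in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        current = fingerprint(path)
        if current["size"] != recorded["size"]:
            findings.append((path, "size %d -> %d" % (recorded["size"], current["size"])))
        elif current["sha256"] != recorded["sha256"]:
            findings.append((path, "contents changed, size unchanged"))
    return findings

def pre_run_gate(baseline):
    # Same contract as IF ERRORLEVEL 1 GOTO EXIT: 0 lets the program run, 1 refuses.
    return 1 if check(baseline) else 0

def demo():
    # Constructed scenario with two stand-in files, not real programs: WORD.COM
    # later grows by an appended block (the growth the article says to watch for),
    # SPELL-AM.EXE is patched in place at the same size, which a size-only check
    # such as the DIR.LOG habit would miss but the digest catches.
    with tempfile.TemporaryDirectory() as d:
        word, spell = os.path.join(d, "WORD.COM"), os.path.join(d, "SPELL-AM.EXE")
        pathlib.Path(word).write_bytes(b"STUB" * 50)
        pathlib.Path(spell).write_bytes(b"MZ" + b"\x00" * 510)
        baseline = build_baseline([word, spell])
        clean = pre_run_gate(baseline)
        with open(word, "ab") as f:
            f.write(b"X" * 1024)
        with open(spell, "r+b") as f:
            f.seek(100)
            f.write(b"P" * 16)
        return clean, pre_run_gate(baseline), sorted(check(baseline))
```

Running demo() returns the gate result before the changes (0), after them (1), and the two findings, one per file.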