Virus Information

This page contains text that was provided courtesy of Symantec.  They are the manufacturers of Norton Anti-Virus.  This text will likely be able to answer most of your questions regarding what a computer virus is, how it works, and how to protect yourself.  It also contains several links which will be able to provide you more information.

To contact Symantec customer support for Norton Anti-Virus and the other Norton products, point your browser to http://www.symantec.com.  We do not provide support for Norton products.

They also have a special website just for the Anti-Virus portion.  That division is called the Symantec Anti-Virus Research Center.  You can find them at:
http://www.sarc.com


Understanding Viruses and Virus Types, Including Trojans, Hoaxes, Worms, Macros, and Boot Viruses (1999041209131106)

Norton Antivirus Knowledge Base

Technical Note

Situation:

You want to know the difference between the various types of viruses and malicious programs, and you want to know how to protect your computer from them.

Solution:

This document discusses the following topics:

* Definition of a Virus
* Types of Viruses
* How Viruses Spread
* Virus Damage
* How to Practice Safe Computing
* Boot Sector Viruses - What They Are, What Are the Risks, How to Avoid Them
* Email Attachments
* Hoax Viruses
* Trojan Horse Viruses
* Worm Viruses
* File Downloads
* Additional Safe Computing Habits
* Prevent and Prepare for Data Loss
* How to Submit a Possible Virus

Definition of a Virus

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus need meet only two criteria. First, it must execute itself, often placing some version of its own code in the path of execution of another program. Second, it must replicate itself. For example, it may copy itself to other executable files or to disks that the user accesses. Viruses can invade desktop machines and network servers alike.

Types of Viruses

PC viruses fall into three major categories: program (or parasitic) viruses, boot sector viruses, and macro viruses.

* Program viruses infect program files. These files typically have extensions such as .COM, .EXE, .OVL, .DLL, .DRV, .SYS, .BIN, and even .BAT. Examples of known program viruses include Jerusalem and Cascade.

* Boot sector viruses infect the system area of a disk -- that is, the boot record on floppy diskettes and hard disks. All floppy diskettes and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned. (Another class of viruses, known as multipartite viruses, infects both boot records and program files.)

* Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains, however, are now turning up in other programs as well. All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are literally thousands of them in the wild now.

How Viruses Spread

The most common way a boot virus spreads is by starting a computer with an infected floppy diskette in drive A:. Often this happens accidentally by leaving a data disk in drive A: when starting the computer. The infected floppy diskette immediately writes its code to the master boot record (MBR). The MBR runs each time a computer is started, so from then on, the virus runs each time the computer is started.

File infectors generally spread by a user inadvertently running an infected program. The virus loads into memory along with the program. It then infects every program run by either that original program, or by anyone on that computer. This happens until the next time the machine is powered down.

Virus Damage

Most viruses have a "payload," or "trigger," the action or destruction the virus performs. Some viruses are programmed to damage the computer by corrupting programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses, however, can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and the bugs may lead to system crashes and data loss.

How to Practice Safe Computing

With all the hype, it is easy to believe that viruses lurk in every file, every email, every web site. However, a few basic precautions can minimize your risk of infection. Practice safe computing and encourage everyone you know to do so as well.

Make sure your virus definitions are up-to-date. Use LiveUpdate (or your preferred method) to download the latest virus definitions at least once a week. For more information on updating virus definitions, please see the document SARC SUPPORT: Downloading and Using Virus Definitions.

Keep Norton AntiVirus (NAV) Auto-Protect running with the correct options on your computer at all times. "Correct options" are set automatically when NAV is installed and include the following:

* Make sure that you have set NAV to scan floppy disks on access and at shutdown. For more information, see the document Checking Floppies for Boot Viruses Upon Access.

* Set NAV Auto-Protect to launch at startup and to scan files when any of these file or program operations occur:
  * Run
  * Open
  * Copy
  * Move
  * Create
  * Download

These precautions will keep you protected against almost all virus threats!


What Are Boot Sector Viruses

Boot sector viruses are viruses that infect the "boot sector" of a hard drive or a floppy disk. What is a boot sector? When a computer starts up, one of the first things it has to do is examine a special part of your hard drive (or floppy disk if one is in the floppy drive) for information, or code, about how to boot up. This is the boot sector. As the machine starts and it reads that special code, it also "loads" some of that code into RAM (memory).

If a boot sector virus has infected the drive's boot sector, then that bit of code has been overwritten by the virus or it coexists with the virus. As the infected computer boots up, it loads not the normal, "clean" code, but viral code. Once the virus is loaded into memory, every single time you try to access a floppy disk in your floppy drive, that virus in memory checks to see if it exists on that floppy. If it exists on the floppy, nothing happens. But if the floppy disk is not yet infected, the virus writes a copy of itself to that floppy's boot sectors. If anyone leaves that floppy disk in their floppy drive the next time they boot up, the virus will load into memory and start the process again.

What happens if you boot from an infected floppy disk, but your machine is not infected? If you boot a computer using an infected floppy but the machine itself is clean, once that virus loads into memory, it will check the local hard drive's boot sectors to see if a copy of itself exists. If not, it will copy itself to the boot sector of the hard drive, and now that machine is infected.
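The boot sector described above has a fixed layout on a classic PC hard disk: 446 bytes of boot code, a 64-byte partition table, and the two-byte signature 55 AA. The following is an added example, not part of the Symantec text, showing how a defender can record a fingerprint of a known-clean boot sector and later detect that the boot code was overwritten. The sample sectors and the helper `make_sample` are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code area of a classic MBR
PART_ENTRY_LEN = 16          # four partition entries follow the code
SIGNATURE = b"\x55\xaa"      # last two bytes of a valid boot sector


def fingerprint(sector: bytes) -> dict:
    """Split a 512-byte MBR into its regions and hash each one."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    code = sector[:BOOT_CODE_LEN]
    table = sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 4 * PART_ENTRY_LEN]
    return {
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "table_sha256": hashlib.sha256(table).hexdigest(),
        "signature_ok": sector[510:] == SIGNATURE,
    }


def compare(baseline: dict, current: dict) -> list:
    """Return the differences between a clean baseline and the current sector."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature missing")
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed")
    if current["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table changed")
    return findings


def make_sample(code_byte: int) -> bytes:
    """Constructed sample sector: filler code, one partition entry, signature."""
    code = bytes([code_byte]) * BOOT_CODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x0f", 63, 20480)
    table = entry + bytes(3 * PART_ENTRY_LEN)
    return code + table + SIGNATURE


if __name__ == "__main__":
    clean = make_sample(0x90)       # recorded while the machine was known clean
    modified = make_sample(0xCC)    # same partition table, different boot code
    print(compare(fingerprint(clean), fingerprint(clean)))
    print(compare(fingerprint(clean), fingerprint(modified)))
```

Separating the boot code hash from the partition table hash keeps a legitimate repartitioning from being reported as a boot code change.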

What Are the Risks of Boot Sector Viruses

Though boot sector viruses are not receiving as much attention as macro viruses, they are still alive and well "in the wild." Just as you should treat every gun as if it were loaded, treat every floppy as if it were infected. Since boot sector viruses spread via floppy disks and bootable CDs, every floppy disk and CD should be scanned for viruses. Shrink-wrapped software, demo disks from suppliers, and "trial" software are NOT exempt from this rule. Viruses have been found even on retail software.

Additionally, beware of the disk that has been to someone's home office or school computer lab. It is always possible that their antivirus protection had been turned off, and the floppy may have become infected. If the floppy is not scanned, it could infect the workplace, too. Update your virus definitions at least weekly and set NAV to scan all floppies upon access and on shut down.

How to Avoid Boot Sector Viruses

Avoid leaving a floppy disk in the computer when you shut it down. On restart, the computer will attempt to read from the floppy drive and this is when the boot sector virus could infect the hard drive.

Always write-protect your floppy disks after you have finished writing to them.


Email Attachments

Simply reading or opening an email message cannot spread a virus. However, if your email system is set in any way to "auto-run" attachments, you are definitely at risk.

Email attachments are a major source of virus infections. Microsoft Office attachments for Word, Excel, and Access can be infected by Macro viruses. Other attachments can contain "file infector" viruses. Norton AntiVirus Auto-Protect will scan these attachments for viruses as you open or detach them. Keep NAV Auto-Protect running constantly on your computer to avoid infecting yourself or others via email attachments.


Additional Safe Computing Habits

Be suspicious of email attachments from unknown sources. Opening or running those attachments can be like "taking candy from strangers."

Newer viruses can send email messages that appear to be from people you know. Some warning signs:

* Do you usually receive email from this person?
* If yes, does the person usually use phrases like "Read me NOW!! URGENT!!!"?
* Does your email system format the subject lines to read "Important message from <person_you_know>"?
* If the body of the email says "Here is the document you requested" or "here's the information you wanted," did you, in fact, ask for it?


Hoax Viruses

Hoax viruses are messages about viruses that are supposed to spread simply by reading email. These messages are extremely common. In fact, they amount to little more than chain letters. Common indicators of a hoax virus are listed below. If you receive an email with all or most of the following phrases, it's very likely a hoax:

* If you receive an email titled [email virus hoax name here], do not open it!
* Delete it immediately!!!
* It contains the [hoax name] virus.
* It will delete everything on your hard drive and [extreme and improbable danger specified here].
* This virus was announced today by [reputable organization name here].
* Forward this warning to everyone you know!!!

Most hoax virus warnings do not deviate far from this pattern. If you are unsure if a virus warning is legitimate or a hoax, search the Symantec AntiVirus Research Center (SARC) web site at http://www.symantec.com/avcenter/hoax.html. If the email contains a file you are supposed to run, it is probably a Trojan Horse (see next section), and you should consider submitting it to the Symantec AntiVirus Research Center (SARC). Please refer to How to Submit a Possible Virus Sample to the Symantec AntiVirus Research Center (http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999052109284606) for assistance on submitting a virus sample.
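The "all or most of the following phrases" rule above can be applied mechanically, for example in a mail filter or help-desk triage script. The following is an added example, not part of the Symantec text: the regular expressions are this example's own approximations of the listed phrases, "most" is assumed to mean at least four of the six, and both sample messages are constructed.

```python
import re

# One pattern per indicator in the hoax list; approximations chosen for
# this example, not rules published by Symantec.
INDICATORS = {
    "do_not_open": r"\bdo\s+not\s+open\b|\bdon'?t\s+open\b",
    "delete_immediately": r"\bdelete\s+it\s+immediately\b",
    "names_a_virus": r"\bcontains\s+(the|a)\b.{0,40}\bvirus\b",
    "extreme_damage": r"\b(delete|erase|destroy|wipe)\w*\s+everything\b"
                      r".{0,40}\bhard\s+(drive|disk)\b",
    "announced_by": r"\bannounced\s+(today|yesterday)?\s*by\b",
    "forward_to_all": r"\bforward\s+this\b.{0,40}\beveryone\b",
}
THRESHOLD = 4  # assumption: "all or most" of six indicators


def matched_indicators(body: str) -> list:
    """Return the names of the hoax indicators found in a message body."""
    flags = re.IGNORECASE | re.DOTALL
    return [name for name, pattern in INDICATORS.items()
            if re.search(pattern, body, flags)]


def likely_hoax(body: str) -> bool:
    """Apply the 'all or most' rule to one message."""
    return len(matched_indicators(body)) >= THRESHOLD


# Constructed sample messages (the hoax name "Sunrise" is made up).
HOAX_SAMPLE = (
    "WARNING! If you receive an email titled 'Free Screensaver', do not "
    "open it! Delete it immediately!!! It contains the Sunrise virus. It "
    "will erase everything on your hard drive. This virus was announced "
    "today by a major software company. Forward this warning to everyone "
    "you know!!!"
)
NORMAL_SAMPLE = (
    "Hi team, the quarterly report is attached as requested on Monday. "
    "Please do not open the draft from last week, it is out of date."
)

if __name__ == "__main__":
    for label, text in (("hoax", HOAX_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(label, matched_indicators(text), likely_hoax(text))
```

The second sample contains one indicator phrase and is not flagged, which is why the rule counts several indicators rather than reacting to any single one.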


Trojan Horse Viruses

Trojan Horses are impostors -- files that claim to be something desirable but, in fact, are malicious. A very important distinction from true viruses is that they DO NOT replicate themselves, as viruses do. They are not really viruses, but are often referred to as viruses.

Reputable, public sites are extremely unlikely to contain Trojan Horse files. However, unsolicited email attachments or downloadable files could certainly be Trojan Horses. Many Word macro viruses are also considered Trojan Horses. For a full listing of Trojan Horses, go to the SARC website at http://www.symantec.com/avcenter/vinfodb.html and search for "trojan."


Worm Viruses

Worm viruses are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require a host file to infect and then spread from there. Many macro viruses are considered worms.

Although worm viruses generally "live" inside of other files, usually Word or Excel type documents, there is a difference between how worms and viruses use the host file. Usually the worm creator will release a document that already has the "worm" macro inside the document. This document will not -- and should not -- change because of the worm's code or specification. The entire document will travel from computer to computer, so the entire document should be considered the worm.

A good way to look at this is to imagine that you have a binary worm (EXE or executable). It has an EXE header and the body of the code. Thus, the worm is EXE "header" + "code" and not just the EXE "code". To extend this to a worm, a worm document would be like the header of the executable. Without the document, the worm would not work and would not be a worm.


File Downloads

Bulletin Board Systems (BBS) and the Internet are a source of nearly unlimited information, files and programs. Unfortunately, any publicly posted file could potentially be infected with a virus. Minimize the risk of infection by scanning files with NAV as you download them. This is a default feature of NAV's Auto-Protect. In addition, make sure that Auto-Protect is constantly running on your computer and that your virus definitions are up-to-date.


Additional Safe Computing Habits

Use common sense. If a file or program seems too good to be true, it probably is.

Many of the most virulent viruses (including Melissa) were originally downloaded from pornographic newsgroups, web sites, and user groups.


Prevent and Prepare for Data Loss

Backing up your files is a lot like flossing your teeth. It can be time consuming. It can seem pointless. But as your dentist says, "Don't floss all your teeth -- just the ones you want to keep." It takes only one major loss of data to make you wish you had been backing up your files all along. Therefore, back up your important data files on a regular basis. Keep the media -- whether floppy, Zip, Jaz, or tape -- in a protected place and write protect them.


How to Submit a Possible Virus

Please refer to http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999052109284606 How to Submit a Possible Virus Sample to the Symantec AntiVirus Research Center for assistance on


 

Contact Information

Telephone: 888-206-6486
Postal address: PO Box 1122, Queen Creek, AZ 85242
Electronic mail
General Information: info@webworldinc.com
Customer Support: support@webworldinc.com
Webmaster: webmaster@webworldinc.com

Copyright © 2001 Web World, Inc.
Last modified: December 17, 2004