Sunday, July 26, 2009

I have a virus problem - what do I do? (Computer virus)

1) I have a virus problem - what do I do? (Computer virus)


The following guidelines will, one hopes, be of assistance. However,
you may get better use out of them if you read the rest of this
document before acting rashly...

If you think you may have a virus infection, *stay calm*. Once
detected, a virus will rarely cause (further) damage, but a
panic action might. Bear in mind that not everyone who thinks s/he
has a virus actually does (and a well-documented, treatable virus
might be preferable to some problems!). Reformatting your hard disk
is almost certainly unnecessary and very probably won't kill the
virus: an ordinary format rewrites the DOS boot sector but not the
partition sector, so a master boot record infector survives it, and
a file infector will simply come back from the disks you restore from.

If you've been told you have something exotic, consider the
possibility of a false alarm and check with a different package.

If you have a good antivirus package, use it. Better still, use more
than one. If there's a problem with the package, use the publisher's
tech support and/or try an alternative package. If you don't have a
package, get one (see section on sources below). If you're using
Microsoft's package (MSAV) get something less out-of-date.

Try to get expert help *before* you do anything else. If the problem
is in your office rather than at home there may be someone whose job
includes responsibility for dealing with virus incidents.

Follow the guidelines below as far as is practicable and applicable.

* Do not attempt to continue to work with an infected system, or let
other people do so.
* Generally, it's considered preferable to switch an infected
system off until a competent person can deal with it: don't allow
other people to use it in the meantime. If possible, close down
applications, Windows etc. properly and allow any caches/buffers
to flush, rather than just hit the power switch.
* If you have the means of checking other office machines for
infection, you should do so and take appropriate steps if an
infection is found.
* If you are unable to check other machines, assume that all
machines are infected and take all possible steps to avoid
spreading infection any further.
* If there are still uninfected systems in the locality, don't use
floppy disks on them [except known clean, write-protected DOS boot
floppies].
* Users of infected machines should not *under any circumstances*
trade disks with others until their systems and disks are cleaned.
* If the infected system is connected to a Novell network, AppleShare
etc., it should be logged off all remote machines unless someone
knowledgeable says different. If you're not sure how to do this,
contact whoever is responsible for the administration of the
network. You should in any case ensure that the network administrator
or other responsible and knowledgeable individual is fully aware of
the situation.
* No files should be exchanged between machines by any other means
until it's established that this can be done safely.
* Ensure that all people in your office and anyone else at risk are
aware of the situation.
* Get *all* floppy disks together for checking and check every one.
This includes write-protected floppies and program master disks.
Check all backups too (on tape or file servers as well as on floppy).
A backup taken after the infection started is itself infected, and
restoring from it will put the virus straight back.



2) Minimal Glossary (Computer virus)

[There is room for improvement and expansion here. Contributions will be gratefully accepted.]

* AV - AntiVirus. Sometimes applied as a shorthand term for anti-virus researchers/programmers/publishers - may include those whose work is not AV research, but includes virus-control. (See also Vx.)

* BSI - Boot Sector Infector (= BSV - Boot Sector Virus)

* BIOS - Basic Input Output System

* CMOS - Memory used to store hardware configuration information

* DBR - DOS Boot Record

* DBS - DOS Boot Sector

* False Positive - When an antivirus program incorrectly reports a virus in memory or infecting a file or system area. Heuristic scanners & integrity checkers are, by definition, somewhat more prone to these. Also known as false alarms, though this may have a wider application.

* False Negative - Essentially, a virus undetected by an antivirus program.

* In-the-wild - describes viruses known to be spreading uncontrolled to real-life systems, as opposed to those which exist only in controlled situations such as anti-virus research labs. Virus code which has been published but not actually found spreading out of control is not usually regarded as being in-the-wild.

* MBR - Master Boot Record (Partition Sector)

* TSR - A memory-resident DOS program, i.e. one which remains in memory while other programs are running. A good TSR scanner should at least detect all known in-the-wild viruses and a good percentage of other known viruses. Generally, TSRs are not so good with polymorphic viruses, and should not be relied on exclusively. Most TSR scanners don't detect macro viruses.

* Vx - Those who study, exchange and write viruses, not necessarily with malicious intentions. So we're frequently told here...

* VxD - A Windows program which can run in the background. A scanner implemented as a VxD has nearly all the advantages of a DOS TSR, but can have additional advantages: for instance, a good VxD will scan continuously *and* for all the viruses detected by an on-demand scanner.

* Zoo - suite of viruses used for testing.

See the comp.virus FAQ for fuller definitions of some of these terms and others which aren't addressed here.
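The BSI and MBR entries above are easier to reason about with the sector layout in front of you. The following is an added example, not part of the original FAQ: it parses a 512-byte master boot record (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and flags the classic BSI symptom, boot code that differs from a known-clean copy while the partition table is left intact so the machine still boots. The boot code bytes and partition geometry below are constructed placeholders, not captured from a real disk.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code; this is what a BSI overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
SIGNATURE = b"\x55\xaa"  # bytes 510..511; the BIOS will not boot a sector without it
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its boot code and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def check_mbr(sector: bytes, clean_boot_code: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["boot_code"] != clean_boot_code:
        findings.append("boot code differs from the clean baseline: possible BSI")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions, expected exactly 1" % len(bootable))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                   for p in mbr["partitions"])
    for (a_start, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            findings.append("partition entries overlap")
            break
    return findings


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed sample data (placeholder bytes, not a real disk image).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)
PARTITIONS = [(0x80, 0x06, 63, 204737)]            # one bootable FAT16 partition
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
# A BSI replaces the boot code but keeps the partition table so the PC still boots.
INFECTED_MBR = build_mbr(b"\xeb\x1c" + b"\x00" * (BOOT_CODE_LEN - 2), PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, parse_mbr(sector)["partitions"],
              check_mbr(sector, CLEAN_BOOT_CODE) or "OK")
```

The clean baseline has to come from somewhere trustworthy (a copy of the sector saved while the machine was known clean), which is exactly why the FAQ keeps insisting on a known-clean, write-protected boot floppy: a resident BSI can hand a scanner the original sector it stashed elsewhere, so the comparison is only meaningful after a clean boot.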


3) What is a virus (and what are Trojans and Worms)? (Computer virus)


A (computer) virus is a program (a block of executable code) which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user.


Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.


A Trojan Horse is a program intended to perform some covert and usually malicious act which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce (though this distinction is by no means universally accepted).


A dropper is a program which installs a virus or Trojan, often covertly.


A worm is a program which spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program. In practice, worms are not normally associated with personal computer systems. There is an excellent and considerably longer definition in the Mk. 2 version of the Virus-L FAQ.


(The following is a slightly academic diversion)


A lot of bandwidth is spent on precise definitions of some of the terms above. I have Fridrik Skulason's permission to include the following definition of a virus, which I like because it demonstrates most of the relevant issues.


#1 A virus is a program that is able to replicate - that is, create (possibly modified) copies of itself.


#2 The replication is intentional, not just a side-effect.


#3 At least some of the replicants are also viruses, by this definition.


#4 A virus has to attach itself to a host, in the sense that execution of the host implies execution of the virus.

--

#1 is the main definition, which distinguishes between viruses and Trojans and other non-replicating malware.


#2 is necessary to exclude for example a disk-copying program copying a disk which contains a copy of itself.


#3 is necessary to exclude "intended" not-quite-viruses.


#4 is necessary to exclude "worms", but at the same time it has to be broad enough to include companion viruses and .DOC viruses.
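Criterion #4 is the one a defender can actually test for: if execution of the host implies execution of the virus, then either the host's bytes changed (a parasitic infector) or something was planted so that it runs instead of the host (a companion virus, which relies on COMMAND.COM trying NAME.COM before NAME.EXE). The following is an added example, not code from the FAQ: a minimal integrity checker in the sense of the glossary's False Positive entry, run over a constructed directory in which a host is appended to, a companion .COM appears beside an untouched .EXE, and one program is legitimately updated. The file names and contents are placeholders, not real DOS executables, and the functions `build_baseline`, `compare` and `find_companions` are this example's own.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(root: str, baseline: dict) -> dict:
    """Report files whose bytes changed, appeared or vanished since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def find_companions(root: str) -> list:
    """List .COM files sitting next to a .EXE of the same name.

    COMMAND.COM runs NAME.COM before NAME.EXE when you type NAME, so a
    companion virus gets executed without touching the original program.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        by_lower = {n.lower(): n for n in names}
        for n in names:
            stem, ext = os.path.splitext(n.lower())
            if ext == ".exe" and stem + ".com" in by_lower:
                rel = os.path.relpath(
                    os.path.join(dirpath, by_lower[stem + ".com"]), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> tuple:
    """Build a constructed directory, take a baseline, then simulate three changes."""
    with tempfile.TemporaryDirectory() as root:
        # Placeholder "programs": arbitrary bytes, not real executables.
        _write(root, "DOS/EDIT.EXE", b"MZ" + b"\x00" * 64)
        _write(root, "DOS/FORMAT.EXE", b"MZ" + b"\x01" * 64)
        _write(root, "GAME.EXE", b"MZ" + b"\x02" * 64)
        baseline = build_baseline(root)

        # 1. Parasitic infection: bytes appended to the host, so its hash changes.
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:
            f.write(b"APPENDED-PLACEHOLDER")
        # 2. Companion infection: the host is untouched; a same-named .COM appears.
        _write(root, "DOS/EDIT.COM", b"COMPANION-PLACEHOLDER")
        # 3. Legitimate update of FORMAT.EXE: reported exactly like (1), a false positive.
        _write(root, "DOS/FORMAT.EXE", b"MZ" + b"\x03" * 64)

        return compare(root, baseline), find_companions(root)


if __name__ == "__main__":
    changes, companions = demo()
    print("changes:", changes)
    print("companion candidates:", companions)
```

Note what each report does and does not tell you. The hash comparison cannot distinguish the appended host from the legitimately updated one, which is the false positive the glossary warns about, and it reports the companion only as an unexplained new file; the name-pairing check catches the companion case specifically, but it will also list any honest pair such as a program that ships both a .COM and an .EXE, so a hit is a lead to be examined with a known-clean scanner, not a verdict.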


