How to avoid a virus/trojan and what to do if you're not successful
By: Charles R. Hague

The purpose of this bulletin is to give you some basic information about viruses and trojans so that you might be able to avoid contracting one. If you do contract one, there is information here on how you might recover. While this information might be interesting to a non-technical person, in order to apply it the reader is assumed to be comfortable with DOS. If you're not comfortable with DOS and you've contracted a virus, this information might at least give you some ideas on how you can avoid the situation to begin with!

Let's define two important terms:

1. Trojan: a trojan is a program that, once run, will immediately do some harm to your system. It might be something like formatting your disk, deleting files, or some other immediate damage.

2. Virus: a virus will usually NOT immediately do any harm. It will hide itself somewhere on your disk and begin duplicating itself by infecting other programs on your system. As time goes by, the virus will begin to make itself known in any number of evil ways (most commonly by scrambling information on the disk, printing annoying messages, causing problems during the boot-up process, or slowing the apparent speed of the computer until it is crawling-slow).

If it isn't obvious: while neither of these two is good, a trojan is not as bad as a virus, because it is pretty simple to identify the culprit and (attempt, at least) to recover and go on with your life. A virus is very bad, because it will probably have worked its way into your backups, and if it is a subtle virus it may do only slight harm at a time (changing a few characters here and there).

Here are some simple things you can do to help reduce your chances of catching a computer virus and/or make your recovery much simpler:

1. Make frequent backups.
I recommend you do a complete backup once a month (that's everything: programs, data, utilities, etc.). Then back up your data as often as makes sense. The best way to gauge how often you should back up your system is to ask yourself: "If my system crashed now, how much would I lose?" If the answer makes you cringe, it is time for a backup. If you use your system a lot, the backup should probably be daily, or at least weekly.

2. Have more than one generation of backup. For example, have a backup for each day of the week, so if it is Friday and something happened (lost data, virus struck, or whatever) you can go back to Thursday. If Thursday's backup is either bad or didn't have what you wanted, maybe Wednesday's will, etc.

3. Keep your original disks write protected. Keep them in a safe place, and don't put them in your machine unless you FIRST scan your system for known viruses (more on this later). This will help ensure that your original disks stay virus-free.

4. Use a virus protection program on a regular basis. There are several commercial systems, but one of the best ones available is shareware; it is called SCAN and is available on any decent Bulletin Board System (BBS). These programs will check your entire system for KNOWN viruses. While this is good... the keyword is "known" viruses. New ones are born all the time, so don't assume you are absolutely "safe" because you use a virus program.

5. Always scan new software before you install it on your computer. It takes only a few moments to do, and can save you a lot of pain and suffering.

6. Before running a batch file, type it out and look at it. If the batch file "INSTALL.BAT" says "FORMAT C:", running it could be a bad thing to do.
Always look for programs on the disk such as "REM .EXE" (ideally look for such files with a program that will show hidden files, like PCTools, Norton, XTGold, or similar programs). I've heard of a batch file that looked like this:

    REM Install on drive C:
    COPY *.* C:

The sneaky thing about this program is that the space following the "M" in "REM" was really the DOS character ALT-255, which LOOKS like a space but is not. On the disk was a program called "REM .EXE" (where that space was the special character that looked like a space).

7. Before any holiday (Christmas, famous birthdays, famous dates such as July 4th, significant celestial events such as the summer solstice, etc.), set your computer's date to the day AFTER the significant date. For example, on July 3rd, set the date to July 5th; then, after the date has passed, reset the date to the current date.

8. You should have a bootable disk with the same version of DOS you use on your computer. This disk should have the FORMAT command, FDISK, and possibly DEBUG on it. It is a good idea to put PKUNZIP (or whatever archive program you might use) on it as well, if you use an archive program. Another disk should have ALL the DOS programs on it. To make a system disk BEFORE trouble strikes, use the "FORMAT A:/S" command, and copy over the files specified in this step. Write protect this disk, and put it in a SAFE place.

Virus Facts:

1. The virus is 100% harmless... until you run it. This means you can put a virus-infected disk in drive A:, but unless you run something from that disk it can't hurt you. BUT the instant you run anything on that disk (that is infected with a virus), essentially anything is possible from that moment forward.

2. I forget the exact statistic, but something like 75%+ of all viruses are spread via COMMERCIAL software, NOT through Bulletin Board Systems!
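The disguised-REM trick described under tip 6 is hard to catch by eye, because ALT-255 prints as a blank. As an added example (not part of the original bulletin), this Python script reads a batch file as raw bytes and flags any command word that contains byte 0xFF, and any filename in a directory listing that contains it; the sample batch file and directory listing are constructed for the demonstration.

```python
"""Flag batch-file command words and filenames that hide an ALT-255 byte.

Added example, not from the original bulletin. In code page 437 byte 0xFF
(typed as ALT-255) prints as a blank, but COMMAND.COM does not treat it as a
separator, so "REM<0xFF> text" is a command named "REM<0xFF>", and DOS will
run a file called "REM<0xFF>.EXE" sitting in the current directory.
Run this against the raw bytes of a batch file before you execute it.
"""
import re

ALT_255 = 0xFF                        # the blank-looking byte the bulletin describes
SEPARATORS = rb"[ \t,;=]+"            # real DOS command-line delimiters (0xFF is not one)

def first_token(line: bytes) -> bytes:
    """Return the command word COMMAND.COM would look up for one batch line."""
    stripped = line.strip(b" \t\r\n").lstrip(b"@")   # a leading '@' only silences echo
    return re.split(SEPARATORS, stripped, maxsplit=1)[0]

def find_disguised_commands(batch: bytes) -> list[tuple[int, bytes]]:
    """List (line number, command word) for every line whose command word hides 0xFF."""
    hits = []
    for number, line in enumerate(batch.splitlines(), start=1):
        token = first_token(line)
        if ALT_255 in token:
            hits.append((number, token))
    return hits

def names_with_alt255(names: list[bytes]) -> list[bytes]:
    """Filter raw (CP437) directory entries down to those containing 0xFF."""
    return [name for name in names if ALT_255 in name]

def show(raw: bytes) -> str:
    """Render bytes so the invisible character becomes visible, e.g. REM<FF>."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"<{b:02X}>" for b in raw)

# Constructed sample: an honest REM comment, then the look-alike the bulletin warns about.
SAMPLE_BAT = (b"@ECHO OFF\r\n"
              b"REM Install on drive C:\r\n"
              b"REM\xff Install on drive C:\r\n"     # indistinguishable on screen
              b"COPY *.* C:\r\n")
SAMPLE_DIR = [b"INSTALL.BAT", b"REM\xff.EXE", b"README.TXT"]   # constructed listing

if __name__ == "__main__":
    for number, token in find_disguised_commands(SAMPLE_BAT):
        print(f"line {number}: command word {show(token)} is not a REM comment")
    for name in names_with_alt255(SAMPLE_DIR):
        print(f"suspicious file on disk: {show(name)}")
```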
When you think about why commercial software would spread more viruses than BBSs, it starts to make sense.

a) Who would suspect a commercial program like Lotus of having a virus? Most people would not even bother to check to see if it is clean.

b) Files on a BBS are downloaded by dozens of people all the time. Some of these people won't bother to see if the file is safe, but MANY will, and they report problems immediately to the Sysop (System Operator). When you consider the millions of people using thousands of BBSs all over the world, word travels fast about infected files, and so their life-span in the BBS community is very short.

Commercial files get infected from three main places:

I. At the source (rare), by an employee who is unhappy with the company.

II. At a computer store that opens the software package to demo it... but it turns out the store's machine was infected by a virus, and when they put the software back in the box, it also has a virus on it.

III. Computer stores that allow exchange of software. Someone accidentally or intentionally infects a piece of software and returns it to the store. They shrink-wrap it and put it on the shelf.

How would you know if you're infected (or might be)?

1. You'd discover the virus while scanning your machine for viruses using some kind of virus detection software.

2. You'd get some message "out of the blue" (such as 'legalize marijuana' or 'your computer is stoned').

3. You'd get some kind of message informing you that you are a victim of a virus, or your machine would do very odd things on holidays (April Fools' Day, etc.).

4. Your computer would suddenly no longer boot, or would crash without warning in ways it has never done before.

5. Data files that were trashed, programs that give strange errors when you run them, or any message about the File Allocation Table or partition table are bad signs too.

6. Your computer suddenly starts operating much slower than ever before -- for no apparent reason.

7. Your screen spits up split-pea soup and the monitor spins around when turned on.

Ok, you think you're infected... now what?

1. If you still have access to your hard disk, attempt to copy off the following information. Under no circumstances should you overwrite an older backup. Create a new backup, and CLEARLY MARK IT as POSSIBLE VIRUS.

a) CONFIG.SYS, AUTOEXEC.BAT, and any significant batch files or configuration files that would be difficult to duplicate.

b) Any critical data files (word processing files, spreadsheets, databases, text files, etc.).

c) Look at, and ideally print, the screen of your CMOS setup. (On most decent computers, when you boot the system a message comes up for a brief instant that says something like "Press DEL for setup".) Do this and capture this information, because you don't want to lose it. In fact, you should do this BEFORE anything goes wrong, so you'll have it! (Specifying a wrong drive type in your CMOS setup can ruin files on your system!)

d) Note your directory structure (try using the TREE command and print it out, or sketch it out). This will make recovery of any potential loss much easier.

2. Immediately notify anybody you have given any software or bootable disks to, or whose disks you have even read on your computer. If you have uploaded any programs to a BBS, notify the Sysop of that system immediately!

3. Quarantine your computer. Any disks that have been in your computer should be ASSUMED to have the virus on them. By assuming the worst case, you are possibly saving many others from getting and spreading the virus even further.

4. Bulletin Board users can be helpful. If you are a member of a BBS, contact the system and describe your situation; someone might be able to help you.

5. Try to identify whether you were hit by a trojan or a virus. If it was a trojan, there is no danger of it "spreading"; if it is a virus, your problems might just be beginning.

What can, and cannot, be infected?

1. Programs can be infected, that's all. Data files cannot be infected. Programs are anything that have an extension of EXE, COM, BAT, SYS, BIN, DRV, or OVL, and of course the two hidden system files that ARE DOS.

2. Data files certainly can be corrupted, damaged, or completely destroyed, but they cannot be infected. For example, if you recover a Lotus spreadsheet (.WK1 file), it cannot contain a virus.

3. It is not impossible to infect programs inside an archive (such as .ZIP, .ARC, .ARJ, .LZH, .ZOO, etc.), but it is EXTREMELY unlikely... since a virus does not want you to know it's there duplicating, and to expand an archive, infect a file, and recompress the file is not something that is too likely. Because of this ASSUMPTION you might want to consider all archive files "safe". Like data files, they could be corrupted, but it is highly unlikely that they'd be infected. Note that the file may have already been infected when it was placed into the archive. Be sure to scan all files after uncompressing an archived file -- especially if you have been struck by a virus.

4. Your partition table can be infected, which is very bad, by the way, because this could destroy all the information on your disk. What some viruses (such as the Stoned virus) do is move the partition table and replace it with the virus. While you might be able to strip out the virus, you will probably lose everything in the process... not too bad IF you have backups, but "end of the world" stuff if you don't.

5. The file COMMAND.COM is a DOS file that your machine loads automatically when it starts. Because it is a program (notice the .COM extension) it can be (and often is) infected.
This means just starting the machine means the virus is active. In order to start the machine without any risk of the virus being in effect, you must boot your machine from a KNOWN virus-free bootable diskette (the same version as you use is ideal, and potentially required). You might try copying COMMAND.COM to drive C:, and using the SYS command from drive A: to reinstall DOS on drive C: if it was "lost". This is a temporary solution that MIGHT make your machine usable long enough to copy off the files mentioned above.

6. Use an anti-virus program (like the shareware "CLEAN") to help remove a virus. Keep in mind, the cure is sometimes almost as bad as the virus. Salvaging as much stuff as possible BEFORE using a program like CLEAN is highly recommended. If you can access the hard disk, try to copy off files; when you've gotten all you can, or you cannot get anything, THEN look to the virus-killers.

Final thoughts...

1. There are many different kinds of viruses. They do so many different things that it is best summarized when I say: once you're infected, anything is possible. Just asking for a DIRectory of a diskette might infect it.

2. Some viruses will create "bad spots" on the hard disk and hide in them. Only a low-level format will reclaim these phony bad spots... seriously consider performing a low-level format after contracting a virus... especially if you have ANY bad spots on the disk.

3. Doing a regular format will probably zap almost all viruses (so long as you are not using a virus-infected FORMAT program).

4. Because viruses are hard to detect WHEN you contracted them, remember that your backups MIGHT be infected. As soon as you have restored your backup (using a KNOWN clean boot of DOS and a known clean version of the backup program), SCAN your disk for a virus, using a KNOWN clean version of SCAN.
If it detects an infected file, do NOT panic; unless you run that file, you are safe. Delete the offending file and reinstall it from the original disk (if possible, or obtain a copy from somewhere). Rescan your system. If it's clean, cross your fingers; if not, perhaps you were not careful and ran an infected file by mistake.

5. Final note. There has been rumor of a virus that could live in the tiny bit of memory preserved by battery. To the best of my knowledge, no such thing exists in the IBM world. But if you've tried everything else, unplug your battery after you've done everything else. Leave it unplugged for 24 hours, reset your CMOS, and start again.