Computer Virus Guide

ICT Services Secure IT Computer Virus Guide

What is a computer virus?

A computer virus is a program designed to spread itself by infecting program files or the system areas (boot sectors) of hard and floppy disks, making a fresh copy of itself each time an infected item is run. Viruses usually operate without the knowledge of the computer user. A 'worm' is similar, but does not need a host file to attach itself to: it spreads by exploiting vulnerabilities in a program or operating system.

What kind of files can spread viruses?

Viruses can infect any type of executable code, not just the files that are commonly called 'program files'. Viruses can be spread by:

  • Executable code in the boot sector of infected disks

  • Executable code in the system area of infected hard drives

  • Word processing and spreadsheet documents that use infected macros

  • Infected HTML documents that contain JavaScript or other types of executable code

Since virus code must be executed (run) to have any effect, files that the computer treats as pure data cannot carry a virus. This includes graphics and sound files such as .gif, .jpg, .mp3, .wav, etc., as well as plain text in .txt files. For example, just viewing a picture file won't infect your computer with a virus. The virus code has to be in a form the computer will actually execute, such as an .exe program file or the macros inside a Word .doc file. Two cautions apply: a file's name does not guarantee its type (a program renamed to end in .jpg is still a program once it is run), and a deliberately malformed data file can in principle trigger a bug in the program that opens it, so keep your viewers and Office applications patched.

How do viruses spread?

When you start a program that's infected by a virus, the virus code will execute (run) and try to infect other programs. This can infect the same computer or other computers connected to it on a network. The newly infected programs will in turn try to infect more programs and computers.

When you share a copy of an infected file with other computer users, opening the file may also infect their computers; and files from those computers may spread the infection to yet more computers.

If your computer is infected with a boot sector virus, the virus tries to write copies of itself to the system areas of any floppy disk inserted into it. A computer that boots from one of those floppies becomes infected in turn, and then infects the floppies inserted into it.

Worms spread by attempting to exploit a vulnerability in a piece of software, usually the computer's operating system, and using these exploits to execute code without the user's intervention. Worms usually probe for these vulnerabilities across local area networks and the internet, infecting any unpatched machines they find.

What do viruses do to computers?

Viruses and worms are software programs; what a particular one actually does depends on how its author programmed it.

Some viruses overwrite boot sectors and interfere with your computer's start-up (boot viruses). Mass-mailing worms harvest e-mail or network addresses stored on your computer and use them to send themselves on to new victims. Trojan horses pose as useful programs but do something else once run, such as wiping files from the hard drive or destroying system files; strictly speaking they are not viruses at all, since they do not copy themselves. Finally, macro viruses infect the document files, electronic spreadsheets and databases of several popular software packages.

Viruses almost never damage hardware: they won't melt down your CPU, burn out your hard drive, cause your monitor to explode, etc. The rare exceptions overwrite firmware such as the BIOS, which leaves the machine unable to start until the firmware is reloaded, but the hardware itself is intact. Warnings about viruses that will physically destroy your computer are usually hoaxes, not legitimate virus warnings.

Virus Hoaxes

With increased use of the Internet there is a growing number of viruses that can be spread via email. Many computer users use the Internet to warn friends and colleagues of these threats. At the same time, there has also been a growth of virus hoax warnings. These warnings describe viruses with impossible characteristics. They can cause panic and lead to misconceptions about computer viruses. Forwarding these hoax warnings on only perpetuates the problem, and can waste time and system resources.

Identifying a Hoax

Virus hoaxes follow a basic pattern which should give them away for what they are. Typical phrases in the body of a virus hoax might be:

  • Do not open! Doing so will result in the deletion of all of the files on your hard drive!

  • Forward this message to all your friends!

  • This is not a hoax!

  • Emphatic statements generally, with frequent use of UPPERCASE LETTERS and multiple exclamation points!!!!!!!

Basically, warning messages encouraging you to forward the information to all your e-mail contacts will often be hoaxes. Read these messages carefully and use your common sense. Look for inconsistencies: some hoaxes have nothing to do with viruses, and instead promise the user something for free in return for forwarding the message. A good source of information on current e-mail and virus hoaxes can be found at:

http://www.sophos.com/en-us/threat-center/threat-analyses/hoaxes.aspx

What's the story on viruses and E-mail?

You can't get a virus just by reading a plain-text e-mail message. What you have to watch out for are messages containing embedded executable code (e.g., JavaScript in an HTML message) or messages that include an attachment the computer will execute (e.g., an encoded program file, or a Word document containing macros).

In order to activate a virus, your computer has to execute (or run) some type of code. This could be a program attached to an email, a Word document you downloaded from the Internet, or something received on a USB flash drive. There's no special hazard in files attached to email messages: they're no more or less dangerous than any other file.

Here are some points to remember when receiving or reading email messages:

  1. If you receive an email with an attached file from an unknown source, simply delete it.

  2. Virus programs must have code that is executed in order to infect. If you "double-click" an attached file on an email message, you are executing code and may infect your machine.

Note: Newer anti-virus software is capable of scanning these attachments before they are opened. James Cook University uses a virus protection program called Sophos, which scans all incoming and outgoing email message attachments for viruses. If it detects a virus it will replace the infected file with a "Virus Warning.txt" file to prevent the recipient's computer from becoming infected. For more information see the Email Spam and Attachments Guide.

What is 'spoofing'? Is it some kind of spam?

'Sender forging' or 'spoofing' is when a virus sends itself out with a false sender address. Nothing in an e-mail message authenticates the 'From' or 'Sender' field: the sending program can put any address there, and mass-mailing viruses typically pick one at random from the address books, saved messages and web caches on the infected computer (or from a compromised e-mail account) just before sending themselves out to more potential victims. The result is that the message appears to come from an innocent third party, and nobody can tell from the sender field alone which computer actually sent it.

Some gateway applications that scan e-mail attachments for viral content send an automatic reply to the sender when a virus is found. If the sender address has been forged, that auto-reply goes to an innocent party, causing undue confusion and stress.

We recommend that users do not respond to auto-responder messages accusing them of being infected and spreading a virus. However, if you receive one, it is worth running a scan with up-to-date anti-virus software just in case you are genuinely infected.

Known viruses that employ 'spoofing' as a method of propagation are: BugBear, Fizzer, Mimail, Klez and Sobig-F.
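To make the sender forging above concrete, here is an added example (written for this guide; it is not part of the original page or of any Sophos product) that separates what a message claims about its origin from what the receiving gateway recorded. The two messages, all addresses and all host names in it are constructed for illustration, and mx.jcu.example is an assumed name for the receiving mail server.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample, not a real capture. A worm on a home PC sends itself
# out with a From: address harvested from that PC's address book. The topmost
# Received: line was added by the receiving gateway (mx.jcu.example, an
# assumed name), so the host name and IP in it are the only facts the sender
# could not choose.
WORM_MAIL = b"""Return-Path: <alice@somewhere.example>
Received: from PC-0451 (dsl-5.isp.example [192.0.2.5])
\tby mx.jcu.example with SMTP id 5f3a2c; Mon, 1 Sep 2003 10:00:00 +1000
From: "Alice Innocent" <alice@somewhere.example>
To: bob@jcu.example
Subject: Re: Your details
Content-Type: text/plain

See the attached file.
"""

# Constructed legitimate message from the same claimed domain, for contrast.
LEGIT_MAIL = b"""Return-Path: <alice@somewhere.example>
Received: from mail.somewhere.example (mail.somewhere.example [198.51.100.7])
\tby mx.jcu.example with SMTP id 7c1d9e; Mon, 1 Sep 2003 11:00:00 +1000
From: "Alice Innocent" <alice@somewhere.example>
To: bob@jcu.example
Subject: Lunch?
Content-Type: text/plain

Are you free on Friday?
"""

# "(reverse-dns-name [ip])" as most mail servers write it in a Received: line.
ORIGIN = re.compile(r"\(([^\s()\[\]]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def analyse_sender(raw: bytes) -> dict:
    """Return what the message claims about its origin next to what the
    gateway recorded. Only the first Received: line (the most recent hop,
    written by our own server) is treated as trustworthy."""
    msg = message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    hops = msg.get_all("Received") or []
    origin = ORIGIN.search(str(hops[0])) if hops else None
    return {
        "auto_reply_target": from_addr,   # where a naive auto-responder replies
        "envelope_sender": envelope,      # just as easy to forge as From:
        "connecting_rdns": origin.group(1) if origin else None,
        "connecting_ip": origin.group(2) if origin else None,
    }


def from_domain_matches_origin(report: dict) -> bool:
    """Heuristic: does the From: domain match the reverse-DNS name of the
    host that actually connected? A forged worm message usually fails this;
    treat the result as evidence, not proof."""
    from_domain = report["auto_reply_target"].rpartition("@")[2].lower()
    rdns = (report["connecting_rdns"] or "").lower()
    if not from_domain or not rdns:
        return False
    return rdns == from_domain or rdns.endswith("." + from_domain)


if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("legit", LEGIT_MAIL)):
        report = analyse_sender(raw)
        verdict = "plausible" if from_domain_matches_origin(report) else "SUSPECT"
        print(label, verdict, report)
```

The From: and Return-Path: fields cost the worm nothing to forge; only the topmost Received: line, written by our own gateway, records where the connection really came from, and in the worm sample that is a dial-up host with no relation to somewhere.example. An auto-responder that replies to From: therefore mails an innocent party, which is exactly why this guide says to ignore such accusations. The domain comparison is only a heuristic: mail from a legitimate corporate mail server usually passes it and mail forged on a home PC usually fails it, but on its own it proves nothing either way.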

What can I do to reduce the chance of getting viruses from Email?

Treat any file attachments that might contain executable code as carefully as you would any other new files: save the attachment to disk and check it with an up-to-date virus scanner before opening the file.

If your E-mail or news software has the ability to automatically execute JavaScript, Word macros, or other executable code contained in or attached to a message, disable this feature.

If an executable file (extensions like .EXE .COM or .VBS) shows up unexpectedly attached to an e-mail, you should delete it unless you can positively verify what it is, who it came from, and why it was sent to you.

Just because an E-mail appears to come from someone you trust, this does NOT mean the file is safe or that the supposed sender had anything to do with it.
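As an added example (written for this guide; it is not part of the original page or of any Sophos product), here is a script that applies the advice above without opening any attachment: it lists the attachments of a message and decides, from the file name and the first bytes of the content, whether each one is an executable to delete, an Office document that may carry macros, or plain data. It goes slightly beyond the text in that it also catches the two common disguises: a double extension such as invoice.pdf.exe, which Windows Explorer shows as invoice.pdf when it hides known file extensions, and a program renamed to a data extension such as holiday.jpg. The sample message, its four attachments and the addresses in it are constructed test data.

```python
from __future__ import annotations

from email import message_from_bytes, policy
from email.message import EmailMessage

# Names Windows will run directly when double-clicked, or that carry script.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "msi", "cpl", "lnk"}
# Office formats that can contain macros.
MACRO_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "docm", "dotm", "xlsm", "xltm", "pptm"}
# Content signatures, checked regardless of the name the file was given.
MZ = b"MZ"                                   # DOS/Windows executable header
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy Office (.doc/.xls) container


def classify(filename: str, data: bytes) -> dict:
    """Decide how to treat one attachment from its name *and* its content."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    is_mz = data.startswith(MZ)
    is_ole2 = data.startswith(OLE2)
    if is_mz or ext in EXECUTABLE_EXTS:
        verdict = "EXECUTABLE"      # delete unless positively verified
    elif is_ole2 or ext in MACRO_EXTS:
        verdict = "MACRO_CAPABLE"   # scan first; never enable macros blindly
    else:
        verdict = "DATA"            # still scan it, but it cannot run by itself
    return {
        "filename": filename,
        "extension": ext,
        # "invoice.pdf.exe" displays as "invoice.pdf" when Explorer hides known extensions
        "double_extension": len(parts) > 2 and ext in EXECUTABLE_EXTS,
        # the name claims a data type but the bytes are a program
        "name_lies": is_mz and ext not in EXECUTABLE_EXTS,
        "verdict": verdict,
    }


def triage_attachments(raw: bytes) -> list[dict]:
    """Parse a raw message and classify every attachment without opening any."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [classify(part.get_filename() or "(unnamed)",
                     part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()]


def build_sample_mail() -> bytes:
    """Constructed test message (not a real capture) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@jcu.example"
    msg["Subject"] = "Files you asked for"
    msg.set_content("See attached.")
    # 1. Called a picture, but the bytes are a Windows executable.
    msg.add_attachment(MZ + b"\x90" * 62, maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    # 2. Double extension hiding the real .exe.
    msg.add_attachment(MZ + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # 3. Legacy Word file (OLE2 header): may contain macros.
    msg.add_attachment(OLE2 + b"\x00" * 56, maintype="application",
                       subtype="msword", filename="report.doc")
    # 4. Plain text: pure data.
    msg.add_attachment(b"Just notes.\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for row in triage_attachments(build_sample_mail()):
        print(row)
```

The content check matters more than the extension check: holiday.jpg is flagged because its first two bytes are the "MZ" signature every Windows program starts with, which is the same thing an on-access scanner looks at. A .docx is a ZIP container rather than OLE2, so for newer Office formats the script relies on the extension alone; that is a limitation of this small example, not a reason to skip scanning.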

Some general tips on avoiding virus infections:

  1. Install anti-virus software from a well-known, reputable company, UPDATE it regularly, and USE it regularly. New viruses come out every single day; an anti-virus program that hasn't been updated for several months will not provide much protection against current viruses. Sophos is the university standard virus protection software; log a call through the IT Help Desk to arrange to have Sophos installed on your JCU owned computer, or consult the Sophos Guide to install the software on your home computer.

  2. In addition to scanning for viruses on a regular basis, install an 'on access' scanner (included in most good anti-virus software packages) and set it to start automatically when you start your computer. This will protect you by checking for viruses each time your computer accesses an executable file. Note: All computers in the GATCF labs have virus protection software installed on them that performs this function automatically for you.

  3. Make sure you scan any new programs or other files that may contain executable code before you run or open them, no matter where they come from. There have been cases of commercially distributed disks and CD-ROMs spreading virus infections.

  4. Anti-virus programs aren't very good at detecting Trojan horse programs, so be extremely careful about running programs, or opening Word/Excel documents and files whose type you cannot verify, from unknown or 'dubious' sources. This includes posts in newsgroups, downloads from web or ftp sites that aren't well known or don't have a good reputation, and executable files unexpectedly received as attachments to e-mail or during an on-line chat session.

  5. You should make sure that Macro Virus Protection is enabled in all Microsoft Office programs, so that you are warned before a document's macros run, and you should NEVER run macros in a document unless you know what they do.

  6. Be extremely careful about accepting programs or other files during on-line chat sessions: this seems to be one of the more common means that people wind up with virus or Trojan horse problems. And if any other family members (especially younger ones) use the computer, make sure they know not to accept any files while using chat.

  7. Do regular backups. Some viruses and Trojan horse programs will erase or corrupt files on your hard drive and a recent backup may be the only way to recover your data.

Ideally, you should back up your entire system on a regular basis. If this isn't practical, at least backup files that you can't afford to lose or that would be difficult to replace: important documents, bookmark files, address books, e-mail, etc.

Dealing with virus infections:

First, keep in mind our "First Law of Computer Virus Complaints":

"Just because your computer is acting strangely or one of your programs doesn't work right, this does NOT mean that your computer has a virus."

  1. If you haven't used a good, up-to-date anti-virus program on your computer, do that first. Many problems blamed on viruses are actually caused by software configuration errors or other problems that have nothing to do with a virus.

  2. If you do get infected by a virus, follow the directions in your anti-virus program for cleaning it. If you have backup copies of the infected files, use those to restore the files. Check the files you restore to make sure your backups weren't infected.

  3. For assistance, check the website and support services for your anti-virus software.

  4. If you are on campus and using a JCU owned computer then contact the IT Help Desk. We will either be able to help you directly or refer your problem to your Desktop Support Team for further assistance.