Is it a virus?

Viruses are often blamed for non-virus problems

In fact, customer support staff and anti-virus vendors encounter more false reports of virus infection than actual infections, and not only from inexperienced users. Typical symptoms of viral infection, such as unusual messages, screen colour changes, missing files, slow operation, and disk access or disk space problems, may all be attributable to non-virus causes.

Possible culprits include lost CMOS data due to a faulty system battery, another user's misuse, fragmented hard disks, corruption caused by an abrupt reboot, or even a practical joke. For instance, some PCs play the Happy Birthday song through their speakers every November 13. That sounds like a virus payload, but it happens only in computers containing BIOS chips from a certain batch that was sabotaged by a former programmer at the BIOS vendor; switching out the BIOS eliminates the singing message.

How do you know if a virus resides on your computer?

Many people assume that if there is something wrong with their computer, it is because they have a virus. How do you know when you really have one? It is important to detect a virus as early as possible, because every moment counts: the longer it takes you to realise you have a virus, the greater the chance that it will spread. This is especially important on a network; if the virus is not stopped right away, it can spread throughout the whole system. The first thing you should do to ensure that a virus is stopped as soon as possible is to contact your system administrator right away; if the administrator is not available, always refer to the emergency procedures that should be available from your institution.

Viruses have different characteristics, but there are some changes you can look for to see whether a virus exists. Some viruses display messages, music or pictures, but these are not the main indicators. The main indicators are changes in the size and content of your programs. There are several questions you should ask yourself if you think you have a virus:

Ø       Have the lengths or creation/modification dates of your files changed?
Ø       Does it take longer than usual to load and run your programs?
Ø       Does your disk drive light stay on when you are not running programs?
Ø       Has your system gradually slowed down or become less responsive?
Ø       Are your executable or regular files disappearing for no apparent reason?
Ø       Are strange things appearing on the display (such as an unusual message)?
Ø       Is anything out of the ordinary happening to your computer, e.g. is it rebooting by itself?
Ø       Are a lot of people phoning you regarding an e-mail that you apparently sent, but didn't?

If you can answer 'yes' to any of these questions, contact your system administrator right away.
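The first question above (changed file lengths and dates) is the one you can actually automate. The following script is an added example written for this page, not code from the original; it records the size, modification time and SHA-256 digest of every program file under a directory, then reports what has been added, removed or altered. The list of program extensions follows the file-virus section of this page (with .dll added as an assumption for newer systems), and the directory contents in demo() are constructed. Two practical caveats: take the baseline while booted from clean media, because a resident stealth virus can serve a clean image of the files it has infected, and keep the baseline file itself on write-protected media so the virus cannot rewrite it.

```python
"""Baseline the program files on a machine, then report any whose size, date or
content has changed. Added example for this page; PROGRAM_SUFFIXES and the
sample files are assumptions, not something the page specifies."""
import hashlib
import tempfile
from pathlib import Path

# Extensions the page lists as targets of file viruses (plus DLL for newer systems).
PROGRAM_SUFFIXES = {".exe", ".com", ".sys", ".drv", ".bin", ".ovl", ".ovy", ".dll"}


def fingerprint(path: Path) -> dict:
    """Size, modification time and SHA-256 digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Fingerprint every program file below root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Programs that appeared, vanished, or changed (with the attributes that differ)."""
    report = {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": {},
    }
    for name in baseline.keys() & current.keys():
        diffs = [k for k in ("size", "mtime", "sha256") if baseline[name][k] != current[name][k]]
        if diffs:
            report["changed"][name] = diffs
    return report


def demo() -> dict:
    """Constructed scenario: baseline a directory, simulate an infection, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 2000)             # dummy programs
        (root / "EDIT.COM").write_bytes(b"\xe9\x00\x00" + b"\x90" * 1000)
        (root / "README.TXT").write_bytes(b"plain text is not fingerprinted")
        baseline = build_baseline(root)

        # Appending infector: the host grows by the length of the virus body.
        with (root / "GAME.EXE").open("ab") as fh:
            fh.write(b"\xcc" * 512)
        # In-place patch: entry jump redirected, length unchanged (a size check alone misses this).
        patched = bytearray((root / "EDIT.COM").read_bytes())
        patched[1:3] = b"\xf4\x03"
        (root / "EDIT.COM").write_bytes(bytes(patched))
        # A dropped file that was not in the baseline.
        (root / "DROPPED.EXE").write_bytes(b"MZ new program")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The report for the constructed scenario lists DROPPED.EXE as added, GAME.EXE as changed in both size and digest, and EDIT.COM as changed in digest only: the in-place patch is exactly the case that a length-and-date check on its own would miss, which is why the digest is recorded as well.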

Basic Safe Computing Tips
Ø       Use anti-virus software and update it regularly.
Ø       Scan any newly received disks and files before loading, opening or copying them.
Ø       Never assume disks and/or files are virus-free.
Ø       To help avoid boot viruses, do not leave diskettes in your computer when shutting it down or turning it on.
Ø       Do not open e-mail attachments from an unknown sender.

Advanced virus prevention tips (targeted at System Administrator/Help Desk personnel).
Include in your policy and training the requirement that employees who work on computers at home must follow the same anti-virus procedures they use at the office (whether on personal machines or company-supplied portables).

Consider any suspicious computer behaviour to be possibly virus-related and follow it up.

Write-protect any data source diskette before inserting it in the drive, and use anti-virus software to scan it before doing anything else.

Files that must be received from outside the organization, such as from the Internet, should be downloaded directly to a quarantined scanning area whenever possible.

You may want to consider dedicating an isolated computer (not connected in any way to the network) to the task of testing all new files and/or diskettes. All files on this isolated machine can then be systematically scanned for viruses before anyone else has access to them. (Note that some compressed files may have to be decompressed before scanning, and that a file's extension says nothing reliable about what it contains.)

What is a Computer Virus?

A virus is a program that reproduces its own code by attaching itself to other programs in such a way that the virus code is executed when the infected program is executed. The terms 'computer virus' and 'virus' are used very loosely in everyday conversation and have become synonymous with trouble. Viruses, worms, Trojan horses and logic bombs are all unwanted, uninvited and potentially dangerous, but there are important distinctions among them. The differences lie in whether the category requires a host program and whether it makes copies of itself. All of them may cause damage, but damage is not integral to the definitions. The following sections define each one:





Trojan Horses (Droppers)

A Trojan horse program is not a virus. The key distinction is that a Trojan horse does not replicate itself: it is a program that appears useful or harmless but carries hidden, unwanted functionality. A dropper is a Trojan whose hidden function is to install a virus or other malicious program. The term is most often applied to .COM or .EXE programs; Back Orifice is an example. Back Orifice is a program developed and released by the Cult of the Dead Cow (cDc). It is not a virus: it is a remote administration tool with potential for malicious misuse. If installed by an attacker, it can give that remote attacker full administrative control of your system. It can also 'sniff' passwords and confidential data and quietly e-mail them to a remote site, and it is extensible, so programmers can change and 'enhance' it over time. Many people use the term 'Trojan' to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses.


Worms

A worm is a program that distributes multiple copies of itself within a system or across a distributed system (e.g. the Anna Kournikova worm). Worms are self-contained programs that replicate but, unlike viruses, do not infect other program files. Worms can create copies on the same computer, or can send the copies to other computers via a network.

Logic Bombs

A logic bomb is a modification to a program that causes damage when triggered by a condition such as a specific date arriving on the system clock or the presence or absence of data such as a name in a payroll database. (The CIH 1.0x virus, whose payload fires only on a particular date, is an example of a date-triggered payload.)


What are the 6 categories of viruses?



Each category is listed below, together with what it infects.

File virus

Executables (program files). These are able to infect over networks. File viruses usually replace or attach themselves to COM and EXE files. They can also infect files with the extensions SYS, DRV, BIN, OVL and OVY, or any other extension executable by the operating system.

File viruses may be resident or non-resident, the most common being resident or TSR (terminate-and-stay-resident) viruses. Many non-resident viruses simply infect one or more files whenever an infected file runs.

Also: Parasitic Virus, File Infector, File Infecting Virus.

Cluster viruses modify the directory table entries so the virus starts before any other program. The virus code only exists in one location, but running any program runs the virus as well. Because they modify the directory, cluster viruses may appear to infect every program on a disk. Also: File System Virus

Macro virus

Data files. A macro virus is a malicious macro. Macro viruses are written in a macro programming language and attach to a document file (such as a Word or Excel file). When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continued use of the program spreads the virus. These are able to infect over networks.

Boot virus

Boot sectors of hard drives and floppy disks. These are not able to spread over networks; they travel on bootable media. A boot sector infector places its starting code in the boot sector of the disk. When the computer reads and executes the program in the boot sector, the virus goes into memory, where it can gain control over basic computer operations. From memory, a boot sector infector can spread to other disks (floppies and other hard drives) on the system. Once the virus is running, it usually executes the normal boot program, which it has stored elsewhere on the disk. Also: Boot Virus, Boot Sector Virus, BSI. Before you attempt a repair, you must have a clean, write-protected rescue disk to boot from, so that the virus is not in memory while you work.

Multipartite virus

Both executable files and boot sectors. These are able to infect over networks. Multipartite viruses use a combination of techniques, infecting documents, executables and boot sectors. Most multipartite viruses first become resident in memory and then infect the boot sector of the hard drive. Once in memory, a multipartite virus may infect the entire system.

Removing multipartite viruses requires cleaning both the boot sectors and any infected files.

Polymorphic virus

Polymorphic viruses create varied (though fully functional) copies of themselves as a way to avoid detection by anti-virus software. Some polymorphic viruses use different encryption schemes and require different decryption routines, so the same virus may look completely different on different systems or even in different files. Other polymorphic viruses vary instruction sequences and insert junk instructions in an attempt to thwart anti-virus software. One of the most advanced polymorphic techniques uses a mutation engine and random-number generators to change both the virus code and its decryption routine.

Stealth virus

Stealth viruses attempt to conceal their presence from anti-virus software. Many stealth viruses intercept disk-access requests, so that when an anti-virus program tries to read files or boot sectors to find the virus, the virus feeds it a "clean" image of the requested item. Others hide the actual size of an infected file and report the size it had before infection. Stealth viruses must be running to exhibit these qualities, which is why scanning after booting from a clean, write-protected disk defeats them.
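To show why the polymorphic technique above defeats a scanner that only searches for a fixed byte string, and how scanners answer it, here is a toy model in Python. It is an added example, not code from the original page: the "virus body" is a harmless constructed string, the six-byte decryptor header is an invented format rather than real machine code, and the XOR cipher stands in for whatever encryption a real engine would use. Real polymorphic engines also vary the decryptor itself, which is why scanners emulate the decryptor in a sandbox (the "generic decryption" step modelled here) rather than pattern-match it.

```python
"""Toy model of polymorphic encryption and of the generic-decryption pass a scanner
uses to see through it. Added example; body, header format and keys are constructed."""
import random
from typing import Optional

# Constructed stand-in for a virus body; a real scanner holds a signature for this code.
BODY = b"THE QUICK BROWN FOX JUMPS OVER A LAZY DOG 0123456789"
SIGNATURE = BODY[4:20]   # the fixed byte string a static scanner searches for


def make_variant(body: bytes, key: int) -> bytes:
    """One 'generation': a small decryptor stub followed by the body XOR-encrypted under key.
    Stub layout (invented for this example): b'DEC' | key (1 byte) | length (2 bytes LE)."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body in the clear")
    enc = bytes(b ^ key for b in body)
    return b"DEC" + bytes([key]) + len(enc).to_bytes(2, "little") + enc


def static_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature scanner: byte-string search over the file as stored on disk."""
    return signature in sample


def emulate_decryptor(sample: bytes) -> Optional[bytes]:
    """Do what the stub would do at run time, but in a sandbox: recover the plaintext body."""
    if len(sample) < 6 or sample[:3] != b"DEC":
        return None
    key, length = sample[3], int.from_bytes(sample[4:6], "little")
    enc = sample[6:6 + length]
    if len(enc) != length:
        return None
    return bytes(b ^ key for b in enc)


def scan(sample: bytes, signature: bytes = SIGNATURE) -> Optional[str]:
    """Static pass first; if that finds nothing, scan the emulated (decrypted) body."""
    if static_scan(sample, signature):
        return "static"
    plain = emulate_decryptor(sample)
    if plain is not None and signature in plain:
        return "after emulation"
    return None


def demo(generations: int = 6, seed: int = 2000) -> dict:
    """Generate several generations and count what each scanning method catches."""
    rng = random.Random(seed)
    keys = rng.sample(range(1, 256), generations)       # distinct keys -> distinct ciphertexts
    variants = [make_variant(BODY, k) for k in keys]
    return {
        "distinct_bodies": len({v[6:] for v in variants}),
        "static_hits": sum(static_scan(v) for v in variants),
        "emulated_hits": sum(scan(v) == "after emulation" for v in variants),
        "same_plaintext": len({emulate_decryptor(v) for v in variants}) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

Every generation has a different encrypted body, so the static scanner finds none of them, while the emulated pass recovers the same plaintext from all of them and matches the signature every time. The lesson carries over to the stealth category as well: what matters is what the code does when it runs, not how it looks on disk.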


Because a macro virus infects files, it is technically a file virus. However, unlike a traditional file virus, it targets data files instead of programs. Macro viruses are becoming increasingly common (a year before this was written they accounted for about 80% of new viruses); therefore they still deserve to be treated as a separate category.
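The isolated scanning machine described under the advanced prevention tips ("some compressed files may have to be decompressed before scanning") and the macro-virus category above both come down to one check: look inside what arrived, not at its name. The script below is an added example written for this page, not the page's own tooling. It identifies each file by its leading bytes, expands ZIP archives recursively with a nesting limit and a decompression budget (so an archive cannot exhaust the scanner), and recognises Office Open XML documents (.docx/.xlsm and friends, which are ZIP containers) by the presence of [Content_Types].xml, reporting whether they carry a VBA project (vbaProject.bin). That container format post-dates the Word 97-style files this page mostly discusses; for those, the OLE2 signature is reported so the file can be handed to a scanner that understands VBA streams. The limits and all sample files are constructed assumptions.

```python
"""Inspect a quarantine drop before anyone opens it: identify each file by content,
expand archives within limits, and flag Office documents carrying a VBA project.
Added example; the limits and the sample files are assumptions."""
import io
import zipfile

# Leading bytes that identify a file regardless of the extension it was given.
MAGIC = [
    (b"MZ", "DOS/Windows executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (Word/Excel 97-2003; may carry VBA macros)"),
    (b"{\\rtf", "Rich Text Format"),
    (b"PK\x03\x04", "ZIP container"),
]
MAX_DEPTH = 3                    # how many levels of nested archives to expand
MAX_EXPANDED = 50 * 1024 * 1024  # total bytes we are willing to decompress (zip-bomb guard)


def classify(data: bytes) -> str:
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unrecognised or plain data"


def scan(name: str, data: bytes, depth: int = 0, findings=None, budget=None) -> list:
    """Recursively inspect one blob and append a finding per file seen."""
    findings = [] if findings is None else findings
    budget = [MAX_EXPANDED] if budget is None else budget   # shared, mutable byte budget
    entry = {"name": name, "depth": depth, "kind": classify(data)}
    findings.append(entry)
    if entry["kind"] != "ZIP container":
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        entry["note"] = "corrupt ZIP"
        return findings
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            # Office Open XML (.docx/.xlsm/...) is a ZIP; a VBA project is stored as vbaProject.bin.
            entry["kind"] = "Office Open XML document"
            entry["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            return findings
        if depth >= MAX_DEPTH:
            entry["note"] = "nesting limit reached; not expanded"
            return findings
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                member = fh.read(budget[0] + 1)   # one byte past the budget detects overrun
            if len(member) > budget[0]:
                entry["note"] = "decompression budget exhausted; remaining members skipped"
                break
            budget[0] -= len(member)
            scan(f"{name}/{info.filename}", member, depth + 1, findings, budget)
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def demo() -> list:
    """Constructed sample: one incoming archive holding a macro document, a clean
    document, a renamed executable and a nested archive."""
    docm = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>",
                     "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 vba project"})
    docx = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})
    inner = make_zip({"readme.txt": b"hello", "update.scr": b"MZ\x90\x00 fake program"})
    outer = make_zip({"invoice.docm": docm, "letter.docx": docx,
                      "photo.jpg": b"MZ not really a picture", "more.zip": inner})
    return scan("incoming.zip", outer)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the constructed archive the output flags invoice.docm as a document with a VBA project, photo.jpg as a Windows executable despite its name, and update.scr two levels down inside the nested archive; the budget check reads one byte beyond the allowance so a member whose declared size lies is still caught.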

What kind of files can spread viruses?
Viruses have the potential to infect any type of executable code, not just the files that are commonly called 'program files'.  For example, some viruses infect executable code in the boot sector of floppy disks or in system areas of hard drives.  Another type of virus, known as a 'macro' virus, can infect word processing and spreadsheet documents that use macros.  And it's possible for HTML documents containing JavaScript or other types of executable code to spread viruses or other malicious code.
Since virus code must be executed to have any effect, files that the computer treats as pure data are safe, provided the program that displays them handles malformed input correctly.  This includes graphics and sound files such as .gif, .jpg, .mp3, .wav, etc., as well as plain text in .txt files.  For example, just viewing picture files won't infect your computer with a virus. The virus code has to be in a form, such as an .exe program file or a Word .doc file, that the computer will actually try to execute.

How do viruses spread?

When you execute program code that's infected by a virus, the virus code will also run and try to infect other programs, either on the same computer or on other computers connected to it over a network.  And the newly infected programs will try to infect yet more programs.

When you share a copy of an infected file with other computer users, running the file may also infect their computers; and files from those computers may spread the infection to yet more computers.

If your computer is infected with a boot sector virus, the virus tries to write copies of itself to the system areas of floppy disks and hard disks. Then the infected floppy disks may infect other computers that boot from them, and the virus copy on the hard disk will try to infect still more floppies.

Some viruses, known as 'multipartite' viruses, can spread both by infecting files and by infecting the boot areas of floppy and hard disks.
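The boot-sector description above (the virus keeps its own code in sector 0, stores the original boot program elsewhere, and leaves the rest of the sector intact) suggests the check a practitioner wants: record the master boot record from a clean system and compare the bootstrap code separately from the partition table, since the latter changes legitimately when a disk is repartitioned while the former should not. The Python below is an added example, not code from the original page. It parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 55 AA signature) over constructed sample sectors; reading a real sector 0 would need raw device access such as /dev/sda on Linux or \\.\PhysicalDrive0 on Windows with administrator rights, and should be done while booted from clean media so a resident stealth virus cannot serve a clean copy.

```python
"""Parse a master boot record (MBR) and compare it with a baseline recorded from a
clean system. Added example; the sample sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE = slice(0, 446)      # bootstrap code the BIOS loads and jumps to
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
SIGNATURE = slice(510, 512)    # must be 55 AA


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into its parts and summarise them."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(sector[PART_TABLE]).hexdigest(),
        "partitions": partitions,
    }


def check(sector: bytes, baseline: dict) -> list:
    """Findings when a freshly read MBR is compared with the baseline summary."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature missing: not a valid MBR")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partition_table_sha256"] != baseline["partition_table_sha256"]:
        findings.append("partition table differs from baseline")
    return findings


def make_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for the demonstration."""
    table = b"".join(struct.pack("<B3xB3xII", *entry) for entry in partitions)
    return boot_code.ljust(446, b"\x00") + table.ljust(64, b"\x00") + b"\x55\xaa"


def demo() -> dict:
    # Constructed bootstrap prologue: cli; xor ax,ax; mov ss,ax; mov sp,7C00h
    clean_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
    layout = [(0x80, 0x06, 63, 2_000_000)]          # one bootable FAT16 partition
    clean = make_mbr(clean_code, layout)
    baseline = parse_mbr(clean)                     # recorded while booted from clean media

    # Simulated boot-sector infection: the bootstrap code now jumps into a virus body
    # (which keeps the original sector elsewhere on disk); the partition table and the
    # 55 AA signature are untouched, so a signature-only check still passes.
    infected = make_mbr(b"\xeb\x3c" + b"\x90" * 6, layout)
    return {
        "clean": check(clean, baseline),
        "infected": check(infected, baseline),
        "infected_signature_ok": parse_mbr(infected)["signature_ok"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two separate digests shows in the result: the infected sector still carries a valid signature and an unchanged partition table, and only the boot-code comparison reports it.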

What do viruses do to computers?

Viruses are software programs, and they can do the same things as any other programs running on a computer.  The actual effect of any particular virus depends on how it was programmed by the person who wrote the virus.

Some viruses are deliberately designed to damage files or otherwise interfere with your computer's operation, while others don't do anything but try to spread themselves around.  But even the ones that just spread are harmful, since they modify files and may cause other problems in the process of spreading.

Note:  Very few viruses can damage hardware. The CIH virus can overwrite the flash BIOS on some motherboards, leaving the machine unable to boot until the chip is reprogrammed or replaced, and it also overwrites the beginning of the hard disk; but it cannot burn out your hard drive, make your monitor explode, etc.  Warnings about viruses that will physically destroy your computer are usually hoaxes, not legitimate virus warnings; CIH is the rare exception.

What's the story on viruses and E-mail?

You can't get a virus just by reading a plain-text E-mail message or Usenet post.  What you have to watch out for are messages containing embedded executable code (e.g. JavaScript in an HTML message) or messages that include an executable file attachment (e.g. an encoded program file or a Word document containing macros).

In order to activate a virus or Trojan horse program, your computer has to execute some type of code.  This could be a program attached to an E-mail, a Word document you downloaded from the Internet, or something received on a floppy disk.  There's no special hazard in files attached to Usenet posts or E-mail messages: they're no more dangerous than any other file.

What can I do to reduce the chance of getting viruses from E-mail?

Treat any file attachments that might contain executable code as carefully as you would any other new files: save the attachment to disk and then check it with an up-to-date virus scanner before opening the file.

My personal feeling is that if an executable file shows up unexpectedly attached to an E-mail, you should delete it unless you can positively verify what it is, who it came from, and why it was sent to you.

The recent outbreak of the Melissa virus was a vivid demonstration of the need to be extremely careful when you receive E-mail with attached files or documents.  Just because an E-mail appears to come from someone you trust, this does NOT mean the file is safe or that the supposed sender had anything to do with it: the sender name is whatever the sending program chose to write in the header.
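The advice above (save the attachment, judge it by what it is rather than by who appears to have sent it, and be suspicious of anything executable) can be applied mechanically before a message reaches a user. The script below is an added example for this page, not code from the original. Using only the standard library's email package, it constructs a sample message with four attachments and classifies each by its extension, by a double extension of the kind that makes a script look like a picture (the Anna Kournikova worm mentioned earlier used a .jpg.vbs name), by a document type that can carry macros, and by an executable header hiding under an image content type. The extension lists and the message are assumptions made for the example.

```python
"""Triage the attachments of a received message before anyone opens them.
Added example; the sender, attachments and extension lists are constructed."""
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
              "wsf", "wsh", "hta", "lnk"}
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "ppt", "docm", "xlsm", "pptm", "rtf"}
LOOKS_LIKE_DATA = {"jpg", "jpeg", "gif", "png", "txt", "mp3", "wav", "pdf"}


def assess(part) -> dict:
    """Judge one MIME part by its name, its declared type and its first bytes."""
    filename = part.get_filename() or ""
    exts = [e.lower() for e in filename.split(".")[1:]]
    data = part.get_payload(decode=True) or b""
    reasons = []
    if exts and exts[-1] in EXECUTABLE:
        reasons.append("executable extension ." + exts[-1])
    if exts and exts[-1] in MACRO_CAPABLE:
        reasons.append("document type that can carry macros")
    if len(exts) >= 2 and exts[-2] in LOOKS_LIKE_DATA and exts[-1] in EXECUTABLE:
        reasons.append("double extension disguised as a data file")
    if data.startswith(b"MZ") and not part.get_content_type().startswith("application/"):
        reasons.append("Windows executable header under a non-program content type")
    return {"filename": filename, "content_type": part.get_content_type(),
            "size": len(data), "reasons": reasons,
            "verdict": "hold for scanning" if reasons else "data file"}


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and assess every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"from": msg["From"],
            "attachments": [assess(p) for p in msg.iter_attachments()]}


def build_sample() -> bytes:
    """Constructed message; the From header is simply what the sender chose to write."""
    msg = EmailMessage()
    msg["From"] = "A Colleague <colleague@example.org>"
    msg["To"] = "you@example.org"
    msg["Subject"] = "Here you have ;-)"
    msg.set_content("Check this out!")
    msg.add_attachment(b"\xff\xd8\xff\xe0 JFIF image data", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(b'MsgBox "hello"\r\n', maintype="text",
                       subtype="plain", filename="photo.jpg.vbs")
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 old-style Word file",
                       maintype="application", subtype="msword", filename="report.doc")
    msg.add_attachment(b"MZ\x90\x00 program", maintype="image",
                       subtype="gif", filename="card.gif")
    return msg.as_bytes()


def demo() -> dict:
    return triage(build_sample())


if __name__ == "__main__":
    for a in demo()["attachments"]:
        print(a["filename"], a["verdict"], a["reasons"])
```

Only holiday.jpg comes through as a plain data file; the other three are held, each with the reason recorded so the help desk can explain the decision to the recipient. Note that nothing in the triage consults the From header, because it cannot be trusted.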

Some general tips on avoiding virus infections:

1.  Install anti-virus software from a well known, reputable company, UPDATE it regularly, and USE it regularly. New viruses come out every single day; an a-v program that hasn't been updated for several months will not provide much protection against current viruses.

2.  In addition to scanning for viruses on a regular basis, install an 'on access' scanner (included in most good a-v software packages) and configure it to start automatically each time you boot your system.  This will protect your system by checking for viruses each time your computer accesses an executable file.

3.  Virus scan any new programs or other files that may contain executable code before you run or open them, no matter where they come from. There have been cases of commercially distributed floppy disks and CD-ROMs spreading virus infections.

4.  Anti-virus programs aren't very good at detecting Trojan horse programs, so be extremely careful about opening binary files and Word/Excel documents from unknown or 'dubious' sources.  This includes posts in binary newsgroups, downloads from web/ftp sites that aren't well known or don't have a good reputation, and executable files unexpectedly received as attachments to E-mail or during an on-line chat session.

5.  If your E-mail or news software has the ability to automatically execute JavaScript, Word macros, or other executable code contained in or attached to a message, I strongly recommend that you disable this feature.

6.  Be extremely careful about accepting programs or other files during on-line chat sessions: this seems to be one of the more common means that people wind up with virus or Trojan horse problems.  And if any other family members (especially younger ones) use the computer, make sure they know not to accept any files while using chat.

7.  Do regular backups. Some viruses and Trojan horse programs will erase or corrupt files on your hard drive, and a recent backup may be the only way to recover your data. Ideally, you should back up your entire system on a regular basis.  If this isn't practical, at least backup files that you can't afford to lose or that would be difficult to replace: documents, bookmark files, address books, important E-mail, etc.

Where can I go to find information on how to protect myself against macro viruses?

The following strategies are a guide to the most effective ways to avoid a macro virus infection. Macro virus control is discussed in terms of the following objectives:

Ø       Preparation
Ø       Prevention
Ø       Detection
Ø       Containment
Ø       Recovery

Initially, what constitutes a macro virus must be defined. A macro virus is a virus written in one of the many macro languages. It spreads via infected files, which can be documents, spreadsheets, databases or the files of any other program that employs a macro language.

Ø      Preparation:
Preparation involves education, awareness, and forming a team to create prevention policies, select anti-virus software, and prepare a fail-safe plan in the event that an unknown macro virus surfaces.


All staff members should be aware of the macro virus risk. Then, depending on management's approach, the education process should intensify to enable those who need increased knowledge (such as help desk staff, system administrators, etc.) to understand and cope with this threat. Educate everyone regarding the importance of using anti-virus software. Continuously update employees with the latest information regarding macro viruses and the latest updates for the anti-virus program.


As a result of a well-planned education program, there will be an increased awareness of ways to avoid infection, and staff will become alert to macro-virus-like behaviour. Promote this by providing incentives to those staff members who identify potential dangers in their areas.

Form a Team:

Whether you opt for a team or a single individual, it is absolutely essential to have a methodology in place before a virus crisis. The team then needs to formulate the specifics: designing the policy to work with your AV software; designating the key individuals who will handle a virus incident; instructing staff at all levels in the procedures to follow if a virus is reported (what the user needs to do, what the system administrator needs to do, who is informed, etc.); and setting up the education process.

Outline a plan of action in the event of a virus epidemic. Think of this as a fire drill. Incorporate a review process to allow these policies to grow and change to fit the company and new technology.

Ø      Prevention:

Create Prevention Policies: We suggest the following measures be implemented and, even though they may be inconvenient at times, that you make a commitment to stick to them.

Daily Backups:

Try a method of rotating tapes so that if a virus is not detected immediately, there is still a good copy of the files from before the infection.

Stopping the source, through policy and by using AV tools:

Consider the possibility of infection brought in via disks that travel to and from employees' homes. Is this something you want to disallow? Perhaps you need to ensure that any disk brought into or taken out of the facility is scanned.

Consider the possibility of infection by employees downloading files from unknown sources, including the Internet. Should access to these be controlled?

Consider the possibility of remote users attaching to the network and causing an infection.

Consider inter-office disk sharing. Do employees hand disks to one another and should this practice be restricted?

Infection can also come from files attached to e-mail, and can spread inadvertently via inter-departmental exchanges.

Consider using something such as Word Viewer, which is not capable of running macros, for viewing and printing Word documents. Consider using a format, e.g. .txt or .rtf, that cannot carry macros itself (but note that an RTF file can still link to a template that does carry macros; see the RTF section below).

Consider intentional sabotage. Track every incident of infection to its source and keep real-time virus protection active. Scan for viruses daily and tighten security. Eliminate any apprehension on the part of employees about reporting real or suspected viruses. Scan, scan and scan: even software that is purchased shrink-wrapped could be infected. Make sure that your hardware (workstations, memory, processor power, and servers) will adequately support the AV software you have selected. Think about what or where the weakest link in the chain in your company is, and strengthen it.

Ø      Containment:

Alert all necessary personnel of the incident. It is critical to determine whether the infection has spread and, if so, just how widespread it actually is.

Ø      Recovery:

Run your AV software on the infected system. Disinfect, then run it again to be sure the system is clean. In an emergency, if for some reason the files cannot be disinfected, their content can be saved in a format that does not carry macros (e.g. .txt) and the infected originals then deleted. Restore files from backups if necessary.

Java/JavaScript, ActiveX and cookies: what are they?

Java is a programming language that is compiled into bytecode rather than into processor-specific code, which is why it is so portable and platform-independent. The introduction of Java applets took the World Wide Web by storm: information servers can customize the presentation of their content with server-supplied code that executes inside the Web browser. Examinations of the Java language and of the HotJava, Netscape and Microsoft Internet Explorer browsers that support it have found a significant number of flaws that compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, and differences between the Java language and the bytecode format. On a deeper level, they arise from weaknesses in the design methodology used in Java and the browsers.

ActiveX controls, unlike Java applets, reside on the user's hard drive: when the browser encounters an ActiveX control that is not already on the user's system, it downloads and saves a copy to the hard drive, and the control then runs as ordinary native code with the full privileges of the user, with no sandbox around it. If someone wanted to write an ActiveX control that scans your hard drive and sends him all your personal files, then writes a virus to your boot sector, then shouts obscenities at you, then formats your hard drive, he could. He could then have it digitally signed and place it on the Web, and he could even register the digital signature under a fake name. Remember, the big premise of the signing scheme is that because you can identify who did damage to you, no one will write malicious ActiveX controls for fear of getting caught. The fact of the matter is that it's fairly easy to get a code-signing certificate, and about as easy under a fake name as under your real one. And if he can do it, so can someone in Finland, Cuba, China, wherever. How do you hold someone responsible for uploading a virus to your machine when they live in another country? Better still, whom do you prosecute when it turns out the holder of the digital signature doesn't even exist? Many people think that just because they see a little certificate dialog, the control is safe. Don't be fooled: a signature tells you, at best, who vouched for the code, not what the code does.

A cookie is a small piece of text that your browser stores on your computer's hard drive (Netscape kept them in a file named cookies.txt). The cookie file contains significant information about the individual using the browser: which sites set cookies, the identifiers they assigned, and when they expire.

Ø      RTF (Rich Text Format)

Rich Text Format (RTF) is a specification for encoding formatted text and graphics. The principal benefit of RTF is that it's supported by a number of word processors on a number of different platforms. For instance, if someone uses Word on a PC to create RTF files, he could share them with someone who uses an entirely different word processor on a Macintosh. All versions of Word dating back to Word 1.0 natively support RTF. Word can open and process RTF documents, and Word documents can be saved as RTF if desired. However, there is a security vulnerability in the way Word opens such files, which could allow macros to run without the user's permission.

Until now, an RTF exploit that does an end run around Microsoft's built-in checks for potentially malicious Word macros had been theoretical. A new Trojan called GOGA has been discovered in the wild. This Trojan is invited into unsuspecting users' computers by RTF documents opened in Word. Once installed on the PC, Goga collects information about the user's Internet accounts and relays it to a location where the Trojan's creator can retrieve it.

Microsoft Word can alert users when a document they are about to open contains macros, scripts which automate Word tasks and which also have access to the system resources of the PC on which they execute. However, the security hole reported not long ago allows a Word template file containing macros to be loaded without such checks if that file is linked to an RTF document. The linked template can even reside on a remote Web site. Once up and running, the macro code in the Word template extracts a binary executable from the original RTF file. That code then searches the infected computer for Internet-account logon and password information, storing it in a text file. Goga then launches a script that posts the contents of the text file in the guest book of a Web site open to the public. Presumably, the attacker who created the program can then retrieve the information from the public site anonymously.

Ø      What's a macro?

In general, the term macro refers to a small program that automates commonly performed tasks within an operating system or an application. For instance, all members of the Office family of products support macros, which allows companies to develop macros that perform sophisticated productivity tasks within Word, Excel or other Office programs. Because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has a security model designed to ensure that macros run only when the user wants them to. In this case, however, there is a flaw in the security model, which can occur when opening an RTF document that is linked to a template containing a macro.

Ø      What's a template?

A template can be thought of as a skeleton document. For instance, a template for a research paper might define the needed styles, include pre-built headers and footers, and include any required boilerplate text. When a user needs to create a new research paper, he or she could use the template as a foundation on which to develop the actual paper. Examples of templates can be found in the Microsoft Office Template Gallery.

Like other documents, templates can contain macros. When Word is used to open a document that's based on a template, both the document and the template should be checked for macros. The vulnerability involves a case in which this isn't done correctly.

Ø      What's a cookie?

A cookie on the World Wide Web is a line of text with a server address and an ID number stored on your computer (in Netscape, usually in a file named cookies.txt). Cookies, on their own, are not harmful. They contain only information that you have voluntarily entered or that the site itself assigned, such as that ID number. They are not applications or virus spreaders. They can't, for instance, be used to search your local hard drive. Furthermore, cookies may only be read by the site that sent them. Cookies may be used to track where you go on a site or to pass information from one page to the next (so you don't, for example, have to enter your name and address every time you submit a form).

To protect your privacy, be sure to close your browser completely after you have finished conducting business with a Web site that uses cookies; this discards session cookies, though cookies given an expiry date remain on disk until they expire. If you are concerned about the potential use of the information gathered from your computer by cookies, you can set your browser to prompt you before it accepts a cookie. Most Internet browsers have settings that let you inspect and/or reject cookies.


Copyright © 2000-2014