MORE ABOUT COMPUTER VIRUSES (part 3)

CLEANING THE VIRUS

To manually clean this virus follow the below steps:
Delete the following files if present:
C:\Windows\kak.htm
C:\Windows\System\*.hta
C:\Windows\Start Menu\Programs\Startup\kak.hta
C:\Windows\Menu Demarrer\Programmers\Demarrage\kak.hta
Rename the following files:
Before renaming the following, ensure that ae.kak is present at

the root of C drive by typing the following at a MS-DOS prompt:
cd\
dir ae.kak
If present type:
del autoexec.bat
ren ae.kak autoexec.bat
The hole within Outlook Express can be fixed by disabling Active

Scripting in Outlook Express preferences or by visiting

Microsoft's update page for an update to this hole.



RÉSUMÉ Virus

W97M.Melissa.BG (Resumé Worm Virus)
The Resumé Virus was announced to be wild Friday May 26 2000.

While not expected to be as severe as the ILOVEYOU virus it has

already spread more the recent NEWLOVE virus. 
The e-mail will contain the subject:
Resume - Janet Simons
Upon opening the e-mail the message body will contain:
To: Director of Sales/Marketing,
Attached is my resume with a list of
references contained within. Please
feel free to call or email me if you
have any further questions regarding
my experience. I am looking forward
to hearing from you. 
Sincerely, 
Janet Simons. 
Included in the document contains resume.doc, explorer.doc or

normal.dot. If any of these files are ran the virus will first

send itself to all users in the computer's e-mail address book

and copy the following files to the hard disk drive:
C:\Data\Normal.dot
C:\Windows\Start Menu\ Programs\Startup\Explorer.doc
Once these files have been copied successfully onto the computer

it will then release its destructive pay load attempting to

delete all drives A-Z.



NYB Virus

Information about the NYB Virus
SIZE: 512 bytes.
INFECTS: Floppy Boot sectors and Master Boot Records.
WHAT IT DOES: Simple virus which infects diskettes and Master

Boot records. After infected each time booting up the computer

will then load into high memory. Once in high memory the virus

will then have the capability of infecting all non-write

protected diskettes used in the computer. Once the diskette is

infected there is a 1/512 chance that the the virus activates.

When activated the virus will attempt to access a location on

the floppy drive that does not exist causing floppy drive

possibly causing physical damage to the floppy drive. Generally

this only occurs on older floppy disk drives.
METHODS OF CLEANING VIRUS: It is recommended that all viruses be

cleaned utilizing a Virus Protection program. However an

alternate method of cleaning the virus is booting from a clean

write protected boot diskette with fdisk.exe on it. Boot from

the diskette and once at the A:\> type FDISK /MBR
ADDITIONAL INFORMATION: The FDISK /MBR command by default is a

non-destructive command. It is not recommended you run this

command if you have one of the following:
 Any type of advanced security program.
 Boot manager such as partition magic.
 You believe your computer is infected with the Monkey B virus.

If infected with the Monkey B virus it is a possibility that the

hard disk drive information could be lost.



STONED EMPIRE MONKEY VIRUS
ABOUT STONED EMPIRE MONKEY VIRUS

The Monkey virus was first discovered in Edmonton, Canada, in

the year 1991. The virus spread quickly to USA, Australia and UK

and is now one of the most common boot sector viruses.
As the name indicates, Monkey is a distant relative of Stoned.

Its technical properties make it quite a remarkable virus,

however the virus infects the Master Boot Records of hard disks

and the DOS boot records of diskettes, just like Stoned. Monkey

spreads only through diskettes.
Monkey does not let the original partition table remain in its

proper place in the Master Boot Record, as Stoned does. Instead

it moves the whole Master Boot Record to the hard disk's third

sector, and replaces it with its own code. The hard disk is

inaccessible after a diskette boot, since the operating system

cannot find valid partition data in the Master Boot Record -

attempts to use the hard disk result in the DOS error message

"Invalid drive specification".
When the computer is booted from the hard disk, the virus is

executed first, and the hard disk can thereafter be used

normally. The virus is not, therefore, easily noticeable, unless

the computer is booted from a diskette.
The fact that Monkey encrypts the Master Boot Record besides

relocating it on the disk makes the virus still more difficult

to remove. The changes to the Master Boot Record cannot be

detected while the virus is active, since it reroutes the

BIOS-level disk calls through its own code. Upon inspection, the

hard disk seems to be in its original shape.



DETECTING THE VIRUS

It is difficult to spot the virus, since it does not activate in

any way. A one-kilobyte reduction in DOS memory is the only

obvious sign of its presence. The memory can be checked MS-

DOS's CHKDSK and MEM programs. However, even if MEM reports that

the computer has 639 kilobytes of basic memory instead of the

more common 640 kilobytes, it does not necessarily mean that the

computer is infected. In many computers, the BIOS allocates one

kilobyte of basic memory for its own use.
The Monkey virus is quite compatible with different diskette

types. It carries a table containing data for the most common

diskettes. Using this table, the virus is able to move a

diskette's original boot record and a part of its own code to a

safe area on the diskette. Monkey does not recognize 2.88

megabyte ED diskettes, however, and partly overwrites their File

Allocation Tables. Some revisions are can be spotted by running

fdisk and displaying the partition information if you see % # or

any other strange characters as the partition , label, etc its a

good possibility that you may have the virus, to check this you

can run FDISK


INFORMATION ABOUT REMOVAL

The relocation and encryption of the partition table render two

often-used methods of removing a MBR Virus unviable. One of

these is the MS-DOS command FDISK /MBR, capable of removing most

viruses that infect Master Boot Records. The other is using a

disk editor to restore the Master Boot Record back on the zero

track. Although both of these procedures destroy the actual

virus code, the computer cannot be booted from the hard disk

afterwards.

There are six different ways to remove the Monkey virus:
1.   Purchase a Virus protection utility and have it clean

the Virus, while not all virus protection programs are capable

of removing this virus generally additional add-ons can be

installed allowing the virus protection utility to remove the

virus. 
2.   The original Master Boot Record and partition table can

be restored from a backup taken before the infection. Such a

backup can be made by using, for example, the MIRROR /PARTN

command of MS-DOS
3.   The hard disk can be repartitioned by using the FDISK

program, after which the logical disks must be formatted. All

data on the hard disk will consequently be lost, however.
4.   The virus code can be overwritten by using FDISK /MBR,

and the partition table restored manually. In this case, the

partition values of the hard disk must be calculated and

inserted in the partition table with the help of a disk editor.

The method requires expert knowledge of the disk structure, and

its success is doubtful. Usually this causes the current

partitions to double causing more havoc.
5.   It is possible to exploit Monkey's stealth capabilities

by taking a copy of the zero track while the virus is active.

Since the virus hides the changes it has made, this copy will

actually contain the original Master Boot Record. This method is

not recommendable, because the diskettes used in the copying may

well get infected.
6.   The original zero track can be located, decrypted and

moved back to its proper place. As a result, the hard disk is

restored to its exact original state. Some virus scanners have

this capability, and can successfully remove the virus. 

soure: https://www.234mp3s.co/

Read more »

MORE ABOUT COMPUTER VIRUSES (part 2)

COMMON VIRUSES

The following is a listing of some of the more commonly found computer viruses and information about each of those viruses.
AnnaKournikova.jpg.vbs
CAP
CIH
I Love You Worm
KAK
Resume
NYB
Stoned Empire Monkey Virus
 
Annakournikova.jpg.vbs Virus
VIRUS INFORMATION

02/12/2001 - This script was created by a worm generating tool. When ran, the script copies itself to the Windows directory  as "AnnaKournikova.jpg.vbs" and attempts to mail separate email messages using MAPI messaging, to all recipients in the Windows Address book.


SYMPTOMS

E-mails all individuals in the Windows Address book.
Infects the registry adding the following two keys
HKEY_USERS\.DEFAULT\Software\OnTheFly
HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=1 or 0
On January 26th, the script attempts to connect to the web site http://www.dynabyte.nl


HOW TO DETECT VIRUS

The virus is sent through mail with the following:
Subject: Here you have, )
Body: 
Hi:
Check This!
Attachment: AnnaKournikova.jpg.vbs


METHOD OF REMOVAL

If you believe you have been infected by this virus or you have the file AnnaKournikova.jpg.vbs file in your Windows directory to remove this virus obtain the latest update or DAT file from the virus protection software you have installed on your computer.


CAP Virus
INFORMATION ABOUT THE CAP VIRUS

The CAP virus is contracted through Microsoft Word documents consisting of several encrypted macros and generally will leave the following message within the comments:
'C.A.P: Un virus social.. y ahora digital..
'"j4cKy Qw3rTy" (jqw3rty@hotmail.com).
'Venezuela, Maracay, Dic 1996.
'P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !
One of the noticeable effect that CAP has is that when saving your document no matter what type of format you are attempting to save your documents in it will always save the documents in the DOC extension even if you save as a different format.
When infecting your computer CAP will delete all currently installed macro's on your computer and will modify up to five already-existing menus, redirecting the menus to the virus code. Fortunately most latest virus scanners can detect and clean the CAP virus however unfortunately all of the macros that have been deleted cannot be recovered from your computer.

CIH Virus
INFORMATION ABOUT CIH VIRUS

The CIH which was first located in Taiwan is a virus which infects Windows 95 and Windows 98 EXE files. After an infected EXE is executed, the virus will stay in memory and will infect other programs as they are accessed. and overwrites most of the data on the computers hard disk drive. This virus also includes another unique feature which will attempted to overwrite the Flash BIOS chip of the machine. If the Virus is successful at doing this, the machine will be unable to boot at all unless the chip is reprogrammed. Another feature that this virus includes is the capability of not increasing the size of the EXE file which infects, therefore would not be noticed by any user unless an virus scanner detects it.
Later on, CIH was available by accident from several commercial web sites, including the Origin Systems website where a download related to the popular Wing Commander game was infected. This issue has been contained.

CIH VARIANTS

CIH v1.2 TTIT (CIH 1003) which activates on April 26th of any year, and is the most common CIH variant.
CIH v1.3 TTIT (CIH 1010) which activates on Jun 26th of any year.
CIH v1.3 TTIT (CIH 1010.B) which activates on Jun 26th of any year.
CIH v1.4 TATUNG (CIH 1019) which activates on the 26th of every month.




I love you Worm Virus
INTRODUCTION

The Love Bug was first reported Thursday (05/04/2000) afternoon Hong Kong time and early morning in Europe and sense then it has been duplicated by several copycats causing several more additional similar variants to appear. The virus has caused companies, governments and end-users extreme grief shutting down mail systems, mail servers, bank systems and even causing issues with pagers. The worm has been reported to have come from a 27 and 23 year old couple in the Philippines after a raid of their Apartment on Monday (05/08/2000).
The Love Bug infects all users who are using Microsoft Windows and Microsoft Outlook. The following is what will be the subject, message and the actual attachment for each of the currently known wild viruses. If you see this mail do not attempt to open the attachment and simply instead delete the mail even if the message is from someone you know well.


LOVE BUG VARIANTS

Variant A (Original Virus)
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: The virus begins by copying itself into the Windows directory placing Win32dll.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs. Once these files have been placed on the hard disk drive the virus will then place it self into the computer registry making the virus initiate on each of the following boots. The virus will also attempt to delete the HideSharePwds, DisablePwdCaching and DisablePwdCaching from the computer registry. Once these modifications have been made to the computer it will then send it self to each of the individuals in the address book with the Subject ILOVEYOU. To complete the destruction the destruction the virus will search out .js, .jse, .css, .wsh, .sct and .hta creating a duplicate of each of the files found with the .vbs extension. Finally it will search and delete all files with the ".jpg" and ".jpeg" (these are the most commonly found image file format on the Internet.) Next the virus will search for ".mp3" and ".mp2" files replacing all files found with ".vbs" extension and hiding the original ".mp3" and ".mp2" files.
Variant B
Subject: Susitikim shi vakara kavos puodukui...
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Variant C
Subject: fwd: Joke
Message: *No Message*
Attachment: VeryFunny.vbs
Variant D
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Creates registry entries as WIN- -BUGFIX.exe instead of WIN-BUGSFIX.exe.
Variant E
Subject: Mothers Day Order Confirmation
Message: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep  it in a safe place. Thanks Again and Have a Happy Mothers Day!
Attachment: Mothersday.vbs
VariantF
Subject: Dangerous Virus Warning
Message: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs
Variant G
Subject: Virus Alert!!!
Message: Detailed message containing information about the ILOVEYOU worm.
Attachment: protect.vbs
Special Notes: Virus claims to be from support@symantec.com (which is a well known virus protection software company) this mail however of course is not from Symantec. In addition this variant of the worm will delete all files ending with .com and .bat seriously damaging the computer.
Variant H
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: This virus is exactly like Variant A except that the begining comments which give credit to the author of the worm and information about worm have been removed.
Variant I
Subject: Important! Read carefully!!
Message: Check the attached IMPORTANT coming from me!
Attachment: Imporant.TXT.vbs
Special Notes: The beginning of the code has been changed giving credit to another author "BrainStorm / @ElectronicSouls"
Variant J
Subject: Virus Alert!!!
Message: Detailed message containing information about the ILOVEYOU worm. Appears to be same as Variant G.
Attachment: protect.vbs
Special Notes: Variant J of the ILOVEYOU worm appears to be a slightly modified version of Variant G.
Variant K
Subject: How to protect yourself from the ILOVEYOU bug!
Message: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs.
Variant L
Subject: I Cant Believe This!!!
Message: I Cant Believe I have Just Received This Hate Email .. Take A Look
Attachment: KillEmAll.TXT.VBS
Special Notes: Replaces GIF & BMP images instead  of JPG & JPEG images, hides WAV & MID instead of MP3 and MP2 and copies KILER.HTM, KILLER2.VBS, KILLER1.VBS to the hard disk drive.
Variant M
Subject: Thank you For Flying with Arab Airlines
Message: Please check if the bill is correct, by opening the attached file.
Attachment: ArabAir.TXT.vbs
Special Notes: Replaces DLL & EXE files instead of JPG & JPEG files. Hides SYS & DLL files instead of MP2 and MP3 files. Copies file onto hard drive no-hate-FOR-YOU.HTM.
Variant N
Subject: Variant Test
Message: This is a Variant to the vbs virus
Attachment: IMPORTANT.TXT.vbs
Special Notes: Copies itself as sndvol32.vbs and IEAKDLL.vbs. Internet Explorer start page changes to http://astalavista.box.sk. Overwrites *.mpg, *.mpeg, *.avi, *.qt, *.qtm.
Variant O
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: The script.ini has been modified slightly.
Variant P
Subject: Yeah, Yeah another time to DEATH...
Message: This is the Killer for VBS.LOVE-LETTER.WORM
Attachment: LOOK.vbs
Special Notes: Sets the Internet Explorer start page to http://www.yahoo.com/Vir-Killer.exe. Overwrites *.ZIP and *.RAR files and hides *.PAS and *.ASM files.
Variant Q
Subject: LOOK!
Message: hehe...check this out.
Attachment: LOOK.vbs
Special Notes: copies itself as MSUser32.vbs and User32DLL.vbs. Overrights *.XLS and *.MDB files. Hides *.EXE and *.LNK files. Creates a LOOK.HTM file.
Variant R
Subject: Bewerbung Kreolina
Message: Sehr geehrte Damen and Herren!
Attachment: BEWERBUNG.TXT.vbs
Special Notes: Sends BEWERBUNG.HTM into connected IRC chat rooms.
Variant S
Subject: ILOVEYOU
Message: Kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Additional comment lines have been added into the virus.
Variant T
Subject: Recent Virus Attacks-Fix
Message: Attached is a copy of the script that will reverse the effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, Mother's Day and Lithuanian siblings.
Attachment: BAND-AID.DOC.VBS
Special Notes: Sets the Internet Start page to a virus related page. Deletes *.BAT, *.GIF, *.TIF, *.TIFF, *.WAV, *.LNK, *.BAK, *.DOC, *.XLS, *.RTF, *.TXT, *.HTM, *.HTML, *.XML, *.MNY, *.ZIP, *.BMP, *.CAB and *.INF extentions.
Variant U
Subject: UOL.TXT.vbs
Message: O UOL tem um grande presente para voce, e eh exclusivo. Veja o arquivo em anexo. http://www.uol.com.br.
Attachment: UOL.TXT.vbs
Special Notes: Sets home page to http://www.uol.com.br and hides *.EXE, *.COM and *.INI files.
Variant V
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Several comment lines have been modified.
Variant W
Subject: IMPORTANT: Official virus and bug fix
Message: This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.
Attachment: Bug and virus fix.vbs
Special Notes: Sets Internet Explorer Start Page to a virus related page. Overwrites *.EXE, *.COM, *.DLL, *.SYS, *.PWL, *.TXT.
Variant X
Subject: NEUE Anti-Virus-Liste
Message: Hiermit senden wir Ihnen/Dir eine neue Liste mit LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte sofort lesen, danke.
Attachment: ANTI-VIRUS-LISTE.TXT.vbs
Special Notes: Overwrites *.MDB, *.PDF, *.WSH, *.DOT, *.HTA, *.JS, *.DRV and *.INI files. Hides *.XLS and *.DOC files.
Variant Y
Subject: LOOK!
Message: hehe...check this out.
Attachment: LOOK.vbs
Special Notes: Like earlier LOOK various however hides MP3 and MP2 files.
Variant Z
Subject: BUG & VIRUS FIX
Message: I got this from our system admin. Run this to help prevent any recent or future bug & virus attacks. It may take a small while up update your files.
Attachment: MAJOR BUG & VIRUS FIX.vbs
Special Notes: Sets home page as virus related page. Overwrites *.COM, *.DLL, *.EXE, *.TXT, *.BAT and *.SYS files.
Variant "Catolina" or "Postcard" in Italian
Subject: C’è una cartolina per te! (Here is a postcard for you)
Message: Ciao, un tuo amico ti ha spedito una cartolina virtuale... mooolto particolare! (Hello my friend, this is a virtual post card ... very special)
Attachment: CARTOLINA.VBS
Special Notes: Sets home page as http://www.vije.it an Italian music site.
Variant "BabyPic" for adults only
Subject: My baby pic!!!
Message: Its myanimated baby picture !!
Attachment: MYBABYPIC.EXE
Special Notes: Program written in Visual Basic with a explicit graphic animated image. When opened and viewed the virus copies itself to a local file system and sends e-mail to each MS Outlook user in the recipients' address book. The worm creates a set of files and registers them in the startup section of Windows system registry, enabling execution each time the computer starts.
The virus contains a very dangerous payload that can easily wipe out data on the computer, enable and disable on/off NumLock, CapsLock and ScrollLock keys; send buffer messages ".IM_BESIDES_YOU_" and may send one of various text messages. In addition MyBabyPic also corrupts files with .VBS, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .PBL, .CPP, .PAS, .C, .H, .JPG, .JPEG, .MP2 and MP3 extensions.


WAYS TO PROTECT YOURSELF

Regardless of who sends you the mail if there is an attachment verify before opening it that it does not end with .vbs. VBS (Visual Basic Script). If the attached file ends with .vbs it is recommended that you delete the e-mail.
In addition the user or system administrator can disable the execution of VBS files by following the below instructions.
Windows 95 Users
1.   Open My Computer
2.   Click View / Options
3.   Click the "File Types" tab
4.   Locate and "VBScript Script File" in the registered file types listing.
5.   Single click "VBScript Script File" to highlight the file.
6.   Select Remove and confirm the file deletion.
Windows 98 Users
1.   Click Start / Settings / Control Panel
2.   Double click Add/Remove Programs
3.   Click the "Windows Setup" tab
4.   Double click "Accessories" from the Components listing
5.   Locate "Windows Scripting Host" from the Accessories component list and Uncheck the selection.
6.   Click Ok and then Apply and Windows Scripting Host will be uninstalled from the computer.
Windows NT Users
1.   Open My Computer
2.   Click View / Options
3.   Click the "File Types" tab
4.   Locate and "VBScript Script File" in the registered file types listing.
5.   Single click "VBScript Script File" to highlight the file.
6.   Select Remove and confirm the file deletion.
Windows 2000 Users
1.   Open My Computer
2.   Click View / Options
3.   Click the "File Types" tab
4.   Locate and "VBScript Script File" in the registered file types listing.
5.   Single click "VBScript Script File" to highlight the file.
6.   Select Delete and confirm the file deletion.
TO MANUALLY REMOVE THE VIRUS
The Love Letter Virus (Variants A, B, C, E, F and H) can be removed manually by following the below steps:
•   Click Start / Find / Files or Folder and search for *.VBS and delete all files found on the hard disk drive.
•   Search for the file LOVE-LETTER-FOR-YOU.HTM generally found in the Windows System directory and delete it.
•   Search for WIN-BUGSFIX.EXE and WINFAT32.EXE generally found in the Internet Explorer download directory and delete these files.
•   Once these files have been deleted empty the recycle bin and restart the computer and the Virus should be effectively removed from the computer.
It is also recommended if you are currently running a Virus protection software program that you update it with the latest virus update. Generally doing this will also remove all traces of this virus as all major virus companies have updates on their pages. 
INFORMATION ABOUT THE NEWLOVE VIRUS
Announced to be Wild 05/18/2000 the NEWLOVE virus was first reported at Israel. When ran the virus copies itself into the Windows folder and gives itself either a name from the recent document folder or gives itself a random name and extension. Once copied into this directory the virus will then send itself to all the individuals in your address book. It will then search all drives connected to the host system and replace each file with copies of itself and adds the extension .VBS to the original filename.
This virus has more damage potential then the original LoveLetter virus in addition will rename the subject line to random quires therefore cannot easily be detected as the Subject Line could be anything. It is recommended that all PC users and
NewLove Virus
Subject: Begins with FW and then will be named from the Recent Documents folder or a random name.
Message: Message is empty
Attachment: The attachment is a Randomly-selected VBS filename from the Windows Folder.
Special Notes: When ran the virus copies itself into the Windows folder and gives itself either a name from the recent document folder or gives itself a random name and extension. Once copied into this directory the virus will then send itself to all the individuals in your address book. It will then search all drives connected to the host system and replace each file with copies of itself and adds the extension .VBS to the original filename.


KAK
VIRUS INFORMATION

The KAK virus is a virus written in Javascript that will only work in the French and English versions of Windows 95 and Windows 98 and replicates through e-mail VIA Outlook Express 5.0.
The Virus activates the first day of each month. If the machine is restarted after 5 PM the computer will display a message:
Kagou-Anti-Kro$oft say not today!

Read more »

MORE ABOUT COMPUTER VIRUSES (part 1)

VIRUS ABCs

One of the biggest fears of having computers are viruses, viruses are malicious programs designed entirely for destruction and havoc. Viruses are created by people who either know a lot about programming or know a lot about computers.
Once the virus is made it will generally be distributed through shareware, pirated software, e-mail or other various ways of transporting data, once the virus infects someone's computer it will either start infecting other data, destroying data, overwriting data, or corrupting software.
The reason that these programs are called viruses is because it is spreads like a human virus, once you have become infected either by downloading something off of the Internet or sharing software any disks or write able media that you placed into the computer will then be infected. When that disk is put into another computer their computer is then infected, and then if that person puts files on the Internet and hundreds of people download that file they are all infected and then the process continues infecting thousands if not millions of people.


HOW VIRUSES ARE CONTRACTED

The majority of viruses are contract by floppy's by bringing information from one source and then put onto your computer. VIRUSES can infect disks and when that disk is put into your computer your computer will then become infected with that virus, a recent survey done in 1997 by NCSA given to 80 percent of PC users showed that 90% of PC users contract viruses by floppy diskettes.
In the survey done above it showed that the other 20% of viruses were contracted by email attachments and over the Internet. This means that you received an email with an attached file and opened the file. Or downloaded a file over the Internet.


VIRUS PROPERTIES

Your computer can be infected even if files are just copied. Because some viruses are memory resident as soon as a diskette or program is loaded into memory the virus then attaches itself into memory.
Can be Polymorphic. Some viruses have the capability of modifying their code which means one virus could have various amounts of similar variants.
Can be memory / Non memory resident. Depending on the virus can be memory resident virus which first attaches itself into memory and then infects the computer. The virus can also be Non memory resident which means a program must be ran in order to infect the computer.
Can be a stealth virus. Stealth viruses will first attach itself to files on the computer and then attack the computer this causes the virus to spread more rapidly.
Viruses can carry other viruses and infect that system and also infect with the other virus as well. Because viruses are generally written by different individuals and do not infect the same locations of memory and or files this could mean multiple viruses can be stored in one file, diskette or computer.
Can make the system never show outward signs. Some viruses will hide changes made such as when infecting a file the file will stay the same size.
Can stay on the computer even if the computer is formatted. Viruses have the capability of infecting different portions of the computer such as the CMOS battery or master


HOW VIRUSES MAY EFFECT FILES

VIRUSES can effect any files however usually attack .com, .exe, .sys, .bin, .pif or any data files. Viruses have the capability of infecting any file however will generally infect executable files or data files such as word or excel documents which are open frequently.
It can increase the files size, however this can be hidden. When infecting files virtues will generally increase the size of the file however with more sophisticated viruses these changes can be hidden.
It can delete files as the file is ran. Because most files are loaded into memory and then ran once the program is in memory the Virus can delete the file.
It can corrupt files randomly. Some destructive viruses are not designed to destroy random data but instead randomly delete or corrupt files.
It can cause write protect errors when executing .exe files from a write protected disk. Viruses may need to write themselves to files which are executed because of this if a diskette is write protected you may receive a write protection error.
It can convert .exe files to .com files. Viruses may use a separate file to run the program and rename the original file to another extension so the exe is ran before the com.
It can reboot the computer when a files is ran. Various computers may be designed to reboot the computer when ran.


WHAT VIRUSES MAY DO

The following are possibilities you may experience when you are infected with a virus. Remember that you also may be experiencing any of the following issues and not have a virus.
Once the hard drive is infected any disk that is non-write protected disk that is accessed can be infected.
 Deleted files
 Various messages in files or on programs.
 Changes volume label.
 Marks clusters as bad in the FAT.
 Randomly overwrites sectors on the hard disk.
 Replaces the MBR with own code.
 Create more then one partitions.
 Attempts to access the hard disk drive can result in error messages such as invalid drive specification.
 Causes cross linked files.
 Causes a "sector not found" error.
 Cause the system to run slow.
 Logical partitions created, partitions decrease in size.
 A directory may be displayed as garbage.
 Directory order may be modified so files such as COM files will start at the beginning of the directory.
 Cause Hardware problems such as keyboard keys not working, printer issues, modem issues etc.
 Disable ports such as LPT or COM ports
 Caused keyboard keys to be remapped
 Alter the system time / date
 Cause system to hang or freeze randomly.
 Cause activity on HDD or FDD randomly.
 Increase file size.
 Increase or decrease memory size.
 Randomly change file or memory size.
 Extended boot times
 Increase disk access times
 Cause computer to make strange noises, make music, clicking noises or beeps.
 Display pictures
 Different types of error messages


DETECTING VIRUSES

The most commonly used method of protecting against and detecting viruses is to purchase a third party application designed to scan for all types of viruses. A list of these protection programs are listed above.
Alternatively a user can look at various aspects of the computer and detect possible signs indicating a virus is on the computer. While this method can be used to determine some viruses it cannot clean or determine the exact virus you may or may not have.
If you have Windows95 / Windows 98 you can click on start, settings, control panel, system, and under system go to performance and determine if the file system is 32-bit. If the file system is running in MS-DOS compatibility mode check the box indicating what is running in MS-DOS compatibility mode to determine if the master boot record has been modified. If the Master boot record has been modified its a good possibility that you may have a virus on the computer.
Another method is to check fdisk. In fdisk choose four to display the partition information if you have multiple partitions such which have scrambled text such as % or strange characters this can be another indication of a virus on the computer.


VIRUS MYTHS

The following text is comments we have heard that are absolutely not true or are false spreading rumors.
"If I download a file onto a disk I don't have to worry about a viruses." - This is not true, just because you place a file on a disk does not mean that your hard drive cannot be infected. Because around half of the computer viruses are memory resident the virus will load itself into memory and will then infect your hard drive and data on the diskette.
"If I buy sealed software I don't have to worry about viruses." - This is not always true just because the program may be surrounded in plastic doesn't mean that it cannot be infected with a virus. When the software is written to the diskette is when the virus will be attached to the diskette. While this does not happen frequently it is still a possibility.
"If I just by registered software I don't have to worry about viruses." - This is not always true because there have been cases were company's did not know that there was a virus on there software and accidentally shipped software that had viruses on it. While this does not happen frequently it is still a possibility.
"If I don't download anything off of the Internet I don't have to worry about viruses." - This is not always true while you may not be on the Internet you still can be infected by viruses on diskettes and or CDs.
"If I just read my E-mail, I will not have to worry about viruses." - Not true there are viruses out there that are distributed through e-mail also files can be attached with e-mail.
"If I don't get on the Internet I don't have to worry about viruses." - This unfortunately is not the case over 90% of users contract viruses with floppy diskettes the other percentage is over the Internet.
"You can contact viruses from just looking at web pages." - Another rumor that is spreading around. You cannot contract a virus just by looking at a web page however can contact a virus if you were to download a file from that web page.
"You can contact a virus by reading your e-mail." - Not fully true, by just opening an e-mail message to read its contents you can not contract a virus, unless that e-mail message contains an attachment and you were to save that attachment to your hard drive or another storage media. Our recommendation to help prevent virus through e-mail would be to not open files that contain attachments from individuals you do not trust / know. Extra Note: A new virus called the Bubble boy can infect computers by a user just opening their mail however requires the user be using Internet Explorer 5.0, Windows 98, and Microsoft Outlook.


MACRO VIRUSES

Macro viruses are becoming a big threat to the computer community, a macro virus is a virus designed in a word processor, which is just a macro designed to destroy, corrupt, infect, erase files or delete files or data on the hard disk drive. These viruses are fast becoming a threat, because they are so easily created and capable of transmitting extremely fast and with a lot of older virus scanners not being able to detect them these are growing fast there are now over 1000 different macro viruses. Because these are becoming such a threat virus companies are becoming aware of this and with new virus scanners are also having the capability of scanning for macro viruses.

Read more »