• Tech FAQ


    1. A virus is a program that is designed to infect multiple files on a single computer. It cannot infect other networked computers without human assistance. It will spread to other systems by way of an infected floppy disk, an (infected) shared file on a network drive, or by manually sending the infected file as an e-mail attachment, just to name a few. As part of its payload, the virus will only infect certain types of files, depending on what it was intended to do. Most will infect executable (.EXE and .COM) files, but viruses can be made to infect several different file types.
    Virus Examples: W95.CIH (Chernobyl), Sampo, and Hare. 

    2. Worms don't rely much on human assistance when spreading from computer to computer, but more on human error (negligent maintenance of systems and opening infected e-mail). Instead of infecting as many files as possible, a worm's goal is to spread to as many computers as possible. Most worms spread via e-mail, through an unpatched vulnerability, or through shared drives. Worms spreading through e-mail often attach themselves to personal documents found on your hard drive and will mail the document to others without your knowledge. When spreading through shared drives, you can become infected by a worm from a system halfway around the world; it is not limited to your own network. Worms that spread through a network in this manner are often called "network aware".

    Worm examples: Nimda, Code Red, Sadmin, Magistr, and SirCam. 

    3. In most cases a Trojan is an application that may appear useful to the end user, but it also has an underlying malicious intent (i.e., it will perform functions the user hadn't intended). An individual wishing to exploit another user's system will often wrap a Trojan in an application or script that the user would want to execute. Trojans are commonly found in games, screen savers and other applications (e.g., the Whack-a-Mole game). When the infected file is launched on the system, the Trojan silently installs in the background, allowing the individual that sent the Trojan to control your computer remotely, record all of your keystrokes (including passwords and account info), take screenshots of your desktop and control your file system. Trojans also come as stand-alone applications and can be installed by a user sitting at the machine (this is common in public or student labs). 

    Trojans can do anything the user executing the file has privileges to do, including changing, deleting and transferring files, as well as installing other Trojans, viruses and Distributed Denial of Service (DDoS) zombies. Trojans are often used by the attacker to look for other remote systems to exploit under the "safety net" of your network. Trojan examples: NetBus, Back Orifice, and SubSeven. 

    4. If you are looking for information on a specific virus, check your anti-virus vendor's on-line database for more information. For general information, visit the following links: 

    VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00
    http://www.faqs.org/faqs/computer-virus/faq/ 
    alt.comp.virus (Frequently Asked Questions)
    http://www.claws-and-paws.com/virus/faqs/acvfaq.1.shtml 

    5. If you are looking for information on a specific virus, check your anti-virus vendor's on-line database for more information. For general information, visit the following link: 

    Viruses and the Macintosh FAQ
    http://www.sherpasoft.org.uk/MacSupporters/macvir.html 

    6. If you are looking for information on a specific virus, check your anti-virus vendor's on-line database for more information. For general information, visit the following links: 

    OpenAnti-Virus Project
    http://www.openantivirus.org/ 
    The Linux/Unix Anti-Virus Project
    http://lavp.sourceforge.net/ and http://sourceforge.net/projects/lavp/ 

    7. As virus programmers grow more sophisticated, the means of infection from a virus have also grown more sophisticated. Many viruses have multiple means of transmission and can be classified as both a virus and a worm. Some of the most common infection methods are: 
    Opening an infected e-mail attachment
    On systems with no e-mail client or SMTP server configured, some worms will install their own SMTP engine, which allows them to send infected messages.
    Exploiting an unpatched software vulnerability: you receive or preview the e-mail and become infected (e.g., Wscript.Kakworm and Nimda)
    Via Windows Networking/Shared Hard Drives - No user interaction required!
    Visiting websites that contain hostile code - User interaction may not be required.
    Downloading infected applications from the Internet
    Receiving an infected attachment via IRC, an Instant Messenger or other file sharing application
    Sharing infected floppy disks
    Local user installing with intent of infecting the system
    Infecting shared or mapped drives on a server (A shared drive on any operating system can store infected files!) 

    8. E-mail copies of personal documents from your hard drive to friends and strangers
    Delete/corrupt system and personal data
    Allow outsiders to control your system
    Replace the text of your documents with profanity or other phrases
    Hamper your ability to navigate or enter text
    Flash the system BIOS or erase the CMOS leaving the system unbootable
    Cause system instability
    Port scan other networks looking for vulnerabilities
    Deface webpages
    Anything within the technical capability of the virus author 

    9. Computer viruses are, in theory, assigned names according to the CARO Naming Convention. Most anti-virus companies use this same basic convention, though they may have tacked on their own prefixes and suffixes. The virus authors have their personal opinion about what their creation should be named and may include their name in the source code of the virus. Some virus names are based on the author's intended name, while others may be named by the company researching the first copy discovered in the wild. A great example of this is the Code Red worm, which was named by the eEye Digital Security Team after the new flavor of Mountain Dew soda. Rumor has it they ingested great amounts of Code Red Mountain Dew while analyzing the new worm, thus naming it Code Red. 

    Since there really is no enforced standard naming convention, you may find that one virus has several different names depending on the reporting organization's own naming conventions. 

    10. Some viruses can infect or alter data files, but since a virus has to be executed to spread, a data file typically cannot spread a virus. Exceptions to this are documents containing a Macro virus or an executable embedded object. Documents containing these objects do have the ability to propagate a virus. 

    Be aware that what appears to be a data file may not be. Depending on how your system is configured, you may not be able to see multiple file name extensions. The final extension may be hidden. For example, an executable file named FILE.JPG.EXE may appear to the user to be a graphic file named FILE.JPG. This trick is often used to fool users into opening an infected executable file that otherwise appears to be an innocent data file. 
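As an added illustration of the double-extension trick described above (example code written for this FAQ, not part of the original page), the following Python shows how a shell that hides known extensions would display FILE.JPG.EXE, and a simple attachment check that flags names whose hidden final extension is executable while the visible part looks like a data file. The extension lists are constructed for the example and should be extended to match the local environment.

```python
# Extensions Windows will run as a program or script when the file is opened.
# Constructed list for this example; extend it for the local environment.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf"}
# Extensions a user would normally trust as harmless data.
DATA_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}


def displayed_name(filename, hide_known_extensions=True):
    """Return the name as a file browser with 'hide extensions for known
    file types' enabled would show it: only the final extension is dropped,
    so FILE.JPG.EXE is displayed as FILE.JPG."""
    if not hide_known_extensions:
        return filename
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTENSIONS | DATA_EXTENSIONS:
        return base
    return filename


def is_deceptive(filename):
    """True when the file is executable but the part a user would see
    (everything before the hidden final extension) ends in a data extension."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False  # needs at least NAME.DATA.EXEC to be a double extension
    final_ext = parts[-1].strip()
    # Padding with spaces ("photo.jpg      .exe") is a common variant; strip it.
    inner_ext = parts[-2].strip()
    return final_ext in EXECUTABLE_EXTENSIONS and inner_ext in DATA_EXTENSIONS


def flag_attachments(names):
    """Return the subset of attachment names that use a deceptive double extension."""
    return [n for n in names if is_deceptive(n)]


if __name__ == "__main__":
    # Constructed sample attachment names for demonstration.
    sample = ["FILE.JPG.EXE", "report.pdf", "setup.exe", "photo.jpg      .scr"]
    for name in sample:
        print(f"{name!r:30} shown as {displayed_name(name)!r:20} deceptive={is_deceptive(name)}")
```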

    11. Viruses can infect e-mail or other files stored on any servers to which the infected computer has write access. If the files are shared, other users who access the files could be infected. If the virus creates multiple copies of itself, it is possible that the hard disk can run out of space (creating a denial of service to anyone depending on access to that hard drive). 

    12. Yes. Aside from any questions of hostile scripting, Nimda was the first documented virus that could spread from an infected web server to a vulnerable web browser. 

    Risk of infection from webpages can be mitigated by running real-time anti-virus software that monitors every viewed webpage, or using a web browser with script and program execution disabled. 

    13. Since virus behaviors vary so widely, the only way to be 100% sure is to scan your system with anti-virus software that has up-to-date scan strings. If you know the name of the virus you think your system may be infected with, you can also locate the technical information (about the virus) on your anti-virus vendor's web site. This information typically includes symptoms, file names, and registry entries that may be associated with the virus. 

    14. Turn your computer off and call the tech support specialist in your building. Removing the infected computer from the network minimizes the impact on others. 

    15. This depends entirely on your local anti-virus solution. Most viruses must be removed with an anti-virus product as opposed to manual removal. Manual removal may not be possible if the virus alters existing files on the hard drive. Check your anti-virus vendor's website for removal instructions. 

    Occasionally, a virus may do so much damage or require so much effort to recover that reformatting the hard drive, restoring from a last known clean backup, and bringing the machine up to current patch levels and recommended configurations is also an option. 

    16. Some newer worms work without the presence of a mail client or server. These worms come with their own SMTP engine and can turn the infected system into a mail server, allowing the worm to send infected e-mail to other users without your knowledge. 

    17. E-mail is only one method used by worms to spread. Most worms are also network aware. A network aware worm can scan entire networks looking for systems with Windows Networking installed. The worm will connect to these Windows systems and write its payload to any available shared hard drives. Even if the worm cannot access remote networks, it can still infect other systems on your local network. 

    18. If your e-mail client is set up to display HTML e-mail or allow scripts, you do not have to open the message to become infected. Due to a security vulnerability in some versions of Internet Explorer, simply viewing the message in the preview pane of your client can allow it to infect the system. This can happen unexpectedly if you leave your computer running and mail client open while you are away. Plain text e-mail is generally considered trustworthy. 

    19. If your anti-virus software is implemented properly, it should stop most viruses from infecting your system. However, new viruses (and variations on old ones) can slip through to infect the system. If your anti-virus software doesn't have a scan string to recognize the threat, it will not stop the virus. If the user disables a portion of the software or doesn't keep it up to date, the software may fail to detect the threat.