Avoiding Detection
Encryption
Virus detection programs look for programming code that allows
a program to replicate or clone itself. This is one way that they
search for and recognize possible viruses. Using encryption, a
virus can keep its replication code scrambled and decrypt it back
into working form only when needed, trying to avoid this type of
detection.
Polymorphism
Another way that a virus
can be detected is by its signature. Each virus has a signature,
or a piece of code that is specific to that individual program.
Virus detection programs look for these signatures when scanning
the files on your drive. Polymorphic viruses are created with
the ability to change their signature each time they clone or
reproduce.
Stealth
Detection programs note the characteristics of files and watch
for any changes, which might indicate an infection. When a stealth
virus infects a file, it can modify the characteristics of that
file so that it still reports the same date, time, checksum, and
size. It can also monitor the operating system's calls for a file
and remove itself temporarily, or load an uninfected copy of the
file that it has made for just that purpose.
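The change-watching a detection program does can be written down concretely. The following is an added example, not code from the original article: it records size, modification time and a SHA-256 hash for each file, then classifies a later scan as unchanged, changed, or "stealthy" (content differs while size and timestamp were preserved, the pattern the text describes). The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple

# Baseline record per file: (size in bytes, mtime in nanoseconds, sha256 hex)
Record = Tuple[int, int, str]

def fingerprint(path: str) -> Record:
    """Record the characteristics a scanner watches, plus a cryptographic hash."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (st.st_size, st.st_mtime_ns, h.hexdigest())

def baseline(paths: Iterable[str]) -> Dict[str, Record]:
    return {p: fingerprint(p) for p in paths}

def compare(base: Dict[str, Record], now: Dict[str, Record]) -> Dict[str, str]:
    """'stealthy' = hash differs but size and mtime look untouched."""
    verdicts = {}
    for path, (size0, mtime0, hash0) in base.items():
        size1, mtime1, hash1 = now[path]
        if hash1 == hash0:
            verdicts[path] = "unchanged"
        elif size1 == size0 and mtime1 == mtime0:
            verdicts[path] = "stealthy"
        else:
            verdicts[path] = "changed"
    return verdicts

def demo() -> Dict[str, str]:
    """Constructed scenario: one file is altered in place with its metadata restored."""
    d = tempfile.mkdtemp()
    clean = os.path.join(d, "CLEAN.EXE")      # constructed sample file
    tampered = os.path.join(d, "TAMPER.EXE")  # constructed sample file
    for p in (clean, tampered):
        with open(p, "wb") as f:
            f.write(b"MZ" + b"\x00" * 510)
    base = baseline([clean, tampered])
    _, mtime0, _ = base[tampered]
    with open(tampered, "r+b") as f:
        f.seek(2)
        f.write(b"\xEB\xFE")               # same length, so size is unchanged
    os.utime(tampered, ns=(mtime0, mtime0))  # timestamp put back as before
    return compare(base, baseline([clean, tampered]))
```

A hash comparison like this only helps if the reads are honest; since a stealth virus can intercept file reads and hand back a clean copy, the check belongs on a system started from a clean boot disk.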
Targets
Boot Sector Virus
Boot sector viruses write themselves into the boot sector of a
hard drive or floppy diskette. Every disk has a boot sector that
contains the code run when the machine starts from that disk.
The hard drive has a Master Boot Record that
contains partition information as well as another boot record
for the operating system. The boot sector on a bootable floppy
disk contains the code necessary to load the operating system
files. The boot sector on a non-system disk contains the information
that will display the message 'Non-system disk or disk error,
remove and press any key when ready'. The boot sector of an
infected floppy contains the code that will infect the hard
drive's partition sector.
If an infected floppy is left in the drive at boot up, it loads
the virus into memory and copies itself to the partition sector
of the hard drive. Now, every time the computer is booted from
the hard drive, the virus in the partition sector loads itself
into memory, then passes control to the original boot sector
that it has stored elsewhere on the disk. Any floppy inserted
into the drive will become infected every time a read or write
operation takes place. This is one of the most common results.
There are also boot sector viruses that, once they've infected
a hard drive, will completely scramble the partition sector or
destroy the FAT. Boot sector viruses are difficult to remove and
usually require the use of an anti-virus program. If not caught
in time, infection can advance to the point where the hard drive
has to be re-partitioned and reformatted. At this stage, all your
files and data are lost. Hopefully, you've made backups!
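The pattern just described, new boot code in the partition sector with the partition table left intact, is something a defender can check for directly. This added example (not code from the original article) parses a 512-byte master boot record, hashes its boot-code area, decodes the four partition entries, verifies the 55 AA boot signature, and compares a current sector against a known-good baseline; the sample sectors are constructed, not real disk images.

```python
import hashlib
import struct
from typing import Dict, List, Sequence, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xAA"   # last two bytes of a valid boot sector
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> Dict:
    """Return boot-code hash, non-empty partition entries and signature status."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries: List[Dict] = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIG}

def build_mbr(boot_code: bytes, partitions: Sequence[Tuple[int, int, int, int]]) -> bytes:
    """Constructed sample sector: (status, type, lba_start, sectors) per entry."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, *p) for p in partitions).ljust(64, b"\x00")
    return code + table + BOOT_SIG

def assess(baseline_mbr: bytes, current_mbr: bytes) -> str:
    """Compare a freshly read sector with a baseline taken from a clean system."""
    base, cur = parse_mbr(baseline_mbr), parse_mbr(current_mbr)
    if not cur["signature_ok"]:
        return "boot signature missing: sector corrupt or scrambled"
    if cur["partitions"] != base["partitions"]:
        return "partition table changed"
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        return "boot code replaced, partition table intact"
    return "unchanged"

if __name__ == "__main__":
    parts = [(0x80, 0x06, 63, 204800)]                 # constructed single FAT16 entry
    good = build_mbr(b"\xFA\x33\xC0", parts)           # constructed "known-good" boot code
    swapped = build_mbr(b"\xEB\x3C\x90", parts)        # constructed different boot code
    print(assess(good, swapped))
```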
File Infector Virus
These viruses wait in memory for a suitable program file to be
loaded. When the file makes a disk write operation the virus
will replicate itself inside the disk file or will create another
file with the same name but a .COM extension. When the operating
system starts the program, the .COM file is executed, loading
the virus into memory. Then the virus loads the real program.
Many, many files can be infected before detection. These viruses
often target files such as COMMAND.COM, IO.SYS and MSDOS.SYS.
Anti-virus programs are the only way to get rid of these viruses.
The only sure-fire prevention is to completely isolate your
machine from the Internet, floppy disks, CDs, and any other
type of removable media.
Multipartite Virus
These viruses contain properties of both boot sector and file
infector viruses.
Infection
Local Memory Infection
At this stage the virus is loaded into memory and probably has
not infected too many files. If your virus detection program
finds a virus in memory then you should perform a cold boot to
a clean boot disk. A warm boot does not re-initialize the memory
and may leave the virus there. Files that may have become
corrupted by not closing down properly may have to be repaired
or deleted using CHECKDISK or SCANDISK. These files will probably
have to be replaced.
Local Disk Infection
This is a very aggressive
stage. Your computer could experience loss of data, scrambled
FAT, damaged partitions and corrupted files. If caught in time,
you can run an anti-virus program from an uninfected emergency
boot disk and remove the virus. You will have to re-install
affected files and applications, probably the Operating System,
and use a data recovery tool of some sort. If left too long,
however, your system could be destroyed to the point of having
to repartition, reformat, reinstall the OS, and then use a
data recovery tool (your backups, for one).
* Backups are generally used to recover your data in the event
of a virus infection. If you've backed up after the virus
infection, then the backups could also be infected. Data files
are less likely to be affected by a virus but should be scanned
before they are restored. Do not use backups to recover the
operating system, however, as these files could be infected too.
Shared File Infection
Networks and intranets use shared files. If these are infected,
every workstation on the network could become infected as it
uses the shared file. Cleaning up involves closing down the
entire network and cleaning, removing, and re-installing on each
workstation and all servers.
Again, it's very important
to keep your AV files up to date. If your computer should happen
to get a virus, document everything you see and any information
that your virus detection program gives you. Information on
how to remove the virus should be obtained from a reputable
source. On another computer you can visit your AV manufacturer's
website. They can offer support and virus removal information,
even if removal has to be done manually. In fact, it's probably
a good idea to get to know the site now, before it becomes necessary.