
Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80. October, 2013



Chapter 4: Boot and file viruses


Ch 4. Part 2: File Viruses

Contents

  1. Introduction

  2. Prophylactics

  3. How do I remove a file virus from the hard drive

  4. How do I remove file viruses from diskettes?

  5. The most common file viruses

  6. What to do if F-prot is unable to disinfect the virus

1. Introduction

File viruses work by locating a type of file that they know how to infect (usually an executable file with the extension .COM or .EXE) and inserting virus code in such a way that it is executed first, before the host program, once the program is loaded into memory. Most file viruses are written for the DOS environment. For an explanation of the terms "polymorphic" and "multipartite" see AvJargon.htm.

File viruses are quite rare in a typical large corporate environment, because executables are not exchanged between users very often there. So if anti-virus software reports a file virus on your computer, it may be a false alarm. The following are some common symptoms of a false alarm:

The following is usually the case if you have a real file virus infection:

A useful, although not definitive, check: boot from the AV Rescue Disk and compare the size of the suspect file with the size of the same file on another user's PC. With a pure (appending) file virus the suspect file is larger. Note that a virus which overwrites part of the host keeps the size unchanged, so equal size does not prove the file is clean; comparing a checksum of the two copies is more reliable. For pure file viruses, disinfection can be done by replacing the infected files with original, non-infected copies from the other PC. This option is safer than disinfection, since an anti-virus program can corrupt the file during disinfection. Also, if the virus has overwritten part of the executable, disinfection becomes impossible and replacement is the only option.
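The size-and-checksum comparison above, as an added example that is not part of the original notes: the script fingerprints executables from a suspect machine and from a known-good reference copy, classifies each difference, and shows why a size-only check misses an overwriting infection. The sample "files" are constructed byte strings, not real DOS programs, and the names LOGIN.EXE, EDIT.COM and FORMAT.COM are illustrative; fingerprint_tree is the entry point for real directories.

```python
import hashlib
import os
from typing import Dict, List, Tuple

Fingerprint = Tuple[int, str]   # (size in bytes, SHA-256 hex digest)

# Constructed sample "executables" (short byte strings, not real DOS programs).
# CLEAN stands for the copies taken from another user's PC (known good);
# SUSPECT stands for the copies found on the machine under investigation.
CLEAN = {
    "LOGIN.EXE":  b"MZ" + bytes(range(32)) + b"clean host code " * 4,
    "EDIT.COM":   b"\xb4\x09\xba\x10\x01\xcd\x21\xc3" + b"hello from host",
    "FORMAT.COM": b"\xe9\x10\x00" + b"format routine body",
}
SUSPECT = {
    # grown: extra bytes glued on, as an appending file virus would do
    "LOGIN.EXE":  CLEAN["LOGIN.EXE"] + b"appended payload stub",
    # same size, first bytes replaced in place, as an overwriting virus would do
    "EDIT.COM":   b"\xe9\x05\x00xyz" + CLEAN["EDIT.COM"][6:],
    "FORMAT.COM": CLEAN["FORMAT.COM"],
}


def fingerprint(data: bytes) -> Fingerprint:
    """Size plus SHA-256 of the file contents."""
    return len(data), hashlib.sha256(data).hexdigest()


CLEAN_FP = {name: fingerprint(data) for name, data in CLEAN.items()}
SUSPECT_FP = {name: fingerprint(data) for name, data in SUSPECT.items()}


def classify(clean_fp: Fingerprint, suspect_fp: Fingerprint) -> str:
    """Compare one suspect file with its known-good copy.

    'grown'       : larger than the clean copy, consistent with an appending virus
    'overwritten' : same size but different contents; a size check alone misses this
    'shrunk'      : smaller than the clean copy (truncated or replaced)
    'unchanged'   : identical contents
    """
    c_size, c_hash = clean_fp
    s_size, s_hash = suspect_fp
    if s_hash == c_hash:
        return "unchanged"
    if s_size > c_size:
        return "grown"
    if s_size == c_size:
        return "overwritten"
    return "shrunk"


def compare_sets(clean: Dict[str, Fingerprint], suspect: Dict[str, Fingerprint]) -> Dict[str, str]:
    """Classify every file; files missing on either side are reported, not skipped."""
    result = {}
    for name in sorted(set(clean) | set(suspect)):
        if name not in clean:
            result[name] = "no clean copy"
        elif name not in suspect:
            result[name] = "missing on suspect PC"
        else:
            result[name] = classify(clean[name], suspect[name])
    return result


def size_only_suspects(clean: Dict[str, Fingerprint], suspect: Dict[str, Fingerprint]) -> List[str]:
    """What the manual size comparison described in the text catches."""
    return sorted(n for n in clean if n in suspect and suspect[n][0] != clean[n][0])


def hash_suspects(clean: Dict[str, Fingerprint], suspect: Dict[str, Fingerprint]) -> List[str]:
    """What a checksum comparison catches (always a superset of the size check)."""
    return sorted(n for n in clean if n in suspect and suspect[n][1] != clean[n][1])


def files_to_restore(clean: Dict[str, Fingerprint], suspect: Dict[str, Fingerprint]) -> List[str]:
    """Files to replace with the clean copy instead of disinfecting in place."""
    return [n for n, verdict in compare_sets(clean, suspect).items()
            if verdict in ("grown", "overwritten", "shrunk")]


def fingerprint_tree(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every .COM/.EXE under root. Run once on the reference PC and
    once on the suspect PC, then pass both dictionaries to compare_sets."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith((".com", ".exe")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    out[os.path.relpath(path, root).upper()] = fingerprint(fh.read())
    return out


if __name__ == "__main__":
    for name, verdict in compare_sets(CLEAN_FP, SUSPECT_FP).items():
        print(f"{name:12} {verdict}")
    print("size check flags:", size_only_suspects(CLEAN_FP, SUSPECT_FP))
    print("hash check flags:", hash_suspects(CLEAN_FP, SUSPECT_FP))
    print("restore from clean copy:", files_to_restore(CLEAN_FP, SUSPECT_FP))
```

In the constructed data the size check flags only LOGIN.EXE, while the checksum also catches EDIT.COM, whose size did not change. On real machines, take the reference fingerprints from a PC that has never seen the suspect floppies, and take both snapshots after booting from the write-protected rescue disk, so a resident virus cannot hide the changes from the scan.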

In a NetWare environment file viruses can usually be considered a symptom of poor system administration. The typical blunder is that users have Write access to important directories on the server. The most dangerous situation is when, due to oversight, users have write access to the executables in the SYS:\LOGIN directory. Such cases cause the majority of large-site infections and can cost thousands of dollars in lost data and productivity. In such cases what is required is not installation of anti-virus software, but additional training in NetWare administration.

The only way to infect a computer with a file virus is to run an infected file on it. Just downloading the file does not infect the computer, so it is recommended to check a downloaded file with an anti-virus program before running it. At the same time, cases of infecting a computer with files downloaded from the Internet are very rare.

Because early anti-virus products used search strings to detect viruses, some virus writers started making their viruses harder to detect by making them polymorphic: the virus encrypts its body with a different key on every infection and varies the decryption routine as well, so that no fixed byte string is shared between two infections.
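Why a fixed search string fails against such a virus, as an added example that is not from the original notes: the toy below stands in for the scheme just described. The "decryptor stub" here is only a marker byte followed by the one-byte XOR key (constructed, not real x86 code), and the "body" is a constructed text string. static_scan is the search-string approach of the early scanners; scan_after_decrypt is what scanners moved to: recognise the decryptor, recover the key, decrypt, and only then apply the search string.

```python
from typing import Dict

# Constructed toy format (NOT a real virus and NOT real machine code):
#   sample = MARKER byte | one-byte XOR key | body XOR key
# The two-byte prefix stands in for the decryption routine the virus carries.
MARKER = 0x4B
BODY = b"constructed toy body: find next .COM file, copy self, return to host"
SIGNATURE = b"copy self"      # the search string an early scanner would use


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; decryption is the same operation as encryption."""
    return bytes(b ^ key for b in data)


def make_variant(body: bytes, key: int) -> bytes:
    """One 'infection': the same body stored under a fresh key."""
    return bytes([MARKER, key]) + xor_bytes(body, key)


def static_scan(sample: bytes, signature: bytes) -> bool:
    """Search-string detection: look for the signature bytes as stored on disk."""
    return signature in sample


def scan_after_decrypt(sample: bytes, signature: bytes) -> bool:
    """Recognise the decryptor, recover its key, decrypt, then search."""
    if len(sample) < 2 or sample[0] != MARKER:
        return False
    key = sample[1]
    return signature in xor_bytes(sample[2:], key)


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte string shared by a and b, i.e. the best
    search string anyone could extract from these two samples."""
    best = 0
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            if x == y:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best = cur[j]
        prev = cur
    return best


def demo() -> Dict[str, object]:
    """Two infections of the same body under keys 0x37 and 0xC4 (constructed)."""
    variants = [make_variant(BODY, k) for k in (0x37, 0xC4)]
    return {
        "static_on_plain_body": static_scan(BODY, SIGNATURE),
        "static_on_variants": [static_scan(v, SIGNATURE) for v in variants],
        "decrypt_then_scan": [scan_after_decrypt(v, SIGNATURE) for v in variants],
        "shared_bytes_between_variants": longest_common_run(*variants),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these two keys the only byte the two samples have in common is the marker, so no search string taken from the encrypted form works across infections; the plaintext body is detected immediately once the stub has been undone. A real polymorphic virus also rewrites the decryptor itself, which is why production scanners emulate the decryptor rather than pattern-match it.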

The goal of a computer virus is to spread. In trying to meet this goal, some virus writers added the ability to infect not only executable files but also system areas (the boot sector and the MBR). Such viruses are called multipartite. The ability to infect boot sectors and the master boot record increases the chances of propagation, as the virus can then also spread via floppies that do not contain any executable files.

We will assume that the AV package has reported a virus in memory on login and that you want to know whether it is a file virus and how to get rid of it. If the name of the virus reported by F-prot is one of the above, you have a file virus. If the name is different, the simplest way to check whether it is a file virus is to reboot from the AV Rescue Disk and check how many files are reported as infected. See AV-LOCAL.HTM on how to create one. Once you have removed the virus from your hard disk, be sure to scan all your diskettes.

2. Prophylactics

If the server is configured properly, a file virus has very slim chances of propagating from a workstation to the server and then to other workstations (only via GROUP directories), and the infection will stay localized on that particular PC. If a virus manages to propagate from one user to another via the server, some blunder with file permissions can usually be found. For example, if the SYS:\LOGIN directory is not protected from all users, the virus can infect LOGIN.EXE and then infect every user who connects to that server. Again, the most important directory to check is SYS:\LOGIN. It contains files such as LOGIN.EXE that are executed on each login, so improper permissions on this directory can lead to infection of all users who log in after LOGIN.EXE was infected.

A typical infection scenario is using some old floppy with utilities. So it is important to check floppies with an AV program before use.

3. How do I remove a file virus from the hard drive

The easiest way is to use the AV Rescue Disk. Reboot from the latest copy (an old version can miss the virus if it is a new strain).

Important: the disk should be write-protected before booting from it. After removing the virus from your hard disk, scan all your diskettes. Most probably they are infected too, and without disinfection you will reinfect the computer again and again.

4. How do I remove file viruses from diskettes?

After removing a file virus from your hard disk, it is important to scan all your diskettes. File viruses also infect executables on floppies; if you back up executables to a floppy and don't remove the virus, you will probably reinfect your hard disk from this floppy.

6. What to do if F-prot is unable to disinfect the virus

First, get the latest version of F-prot, if one is available; check ftp://www.datafellows.com/f-prot/free/. If a new version of F-prot does not exist, or does not detect or disinfect the virus, try the latest version of McAfee SCAN; an evaluation version is available from www.mcafee.com. For complex and polymorphic viruses the best AV program is Dr.Web from http://ras1.dials.ccas.ru/www_av/home.htm. It has the best heuristic capabilities among industrial-strength scanners and in many cases can correctly remove a new strain of a virus. If only one scanner reports the virus but two others do not, it is probably a false positive.


Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019