One of the most common questions asked in the various support forums about viruses goes like this: "How do I know if I have a computer virus?" Or maybe you've seen it in its other format: "I have symptom X - what virus do I have?"
This is actually a very difficult question to answer. It's very hard these days to look at a list of symptoms and decide whether the problem is down to a virus or caused by something else. There used to be various things you could check for signs of infection, but this is no longer the case, and many people who own computers these days don't want to get too involved in technical details, so it can be hard to say for sure. If the runes are so hard to read, how can we tell if a computer is infested, and what can we do about it? Read on to find out.
There is a virus problem, and it's not going to go away any time soon. Some virus authors write computer viruses with some malicious purpose in mind, others write them to see how far they can make them spread, and others write viruses purely as a technical exercise, to see if a certain technique is possible and viable. There are as many different reasons as there are authors, and I'm not going to stereotype them or belittle them here. Whatever their motives were in creating the virus, you probably don't want it on your system. If a virus erases your company accounts, the fact that it didn't mean to is no comfort.
Most of the thousands of viruses a scanner claims to detect are not actually a threat, because most authorities on the subject maintain two lists of viruses: the list of "known viruses" and the list of viruses that are "in the wild", and the two vary greatly. Quite a lot of virus authors create viruses and send samples to anti-virus companies only; they have no intention of spreading them. This is a very easy way to achieve the fame and recognition that some authors want: they get their name attached to a virus that every virus scanner detects, people get to hear about their creation as details of it are released onto anti-virus websites all over the place, but nobody actually gets hurt. This is also the reason that virus scanners claim to detect between 20,000 and 40,000 viruses, despite the fact that most people will tell you that the only way to find a virus on the Internet is either through bad luck or by going looking for trouble.
One very recent (at the time I first wrote this) virus/worm that has caught everyone's attention is the happy99 worm. Its author, who operates under the name "Spanska", released it into the wild very recently. Most people on the Internet have heard of this worm, and most people who use things like Usenet will either have come across it or will know people who have. In a recent debate in the alt.comp.virus newsgroup, the worm's author speculated that since its release into the wild, happy99 has infected at least 9,000 to 15,000 people.
Let's just compare that to the great scare in 1992 over the Michelangelo virus. Some anti-virus experts at the time predicted that this virus would attack around 5 million computers, and in the event a mere 5,000 were affected. Of course, if you were one of the unlucky 5,000 the problem was very serious for you, but certainly the number of people affected then was far less than expected, and far less than have been infected by happy99, despite the fact that today most people are far more aware of computer security and anti-virus precautions.
A computer virus is a program that copies itself, nothing more, nothing less. Most people assume that any program that sets out to harm your computer is a "computer virus" and this is not so; a program does not have to harm anyone to be a computer virus, it just has to copy itself. On the other hand, a harmful program does not have to be a computer virus; most of these kinds of programs are called "Trojans" after that wooden horse in the legend of Troy.
You may wonder why we bother to make such a technical distinction; after all, it's all bad, right? Well, in order to fight something effectively you need to be able to identify what it does and how it does it. You'd be concerned if your doctor wanted to give you the same treatment for a broken arm and for blocked sinuses because "they both hurt, right?" Now that you are aware there is a distinction, from here on in I'm going to refer to all bad programs as viruses, just to make things easier to read.
If viruses are not always intended to be harmful, then why do people want to get rid of them? The fact of the matter is that when you have a virus there is no way of knowing whether it intends to harm your system or not, so it's safest to get rid of it (it's safer still not to catch one in the first place, of course).
Another good reason to get rid of viruses, even if you know they are not intentionally harmful, is that they may harm you by accident. Viruses are not subject to the same pre-release testing and debugging schedules that other programs undergo, and you know how even these tested programs can still have problems. For example, you cannot contact a virus author for technical support and bug fixes (for some reason, most virus authors will insist they are doing nothing wrong or illegal but still insist on remaining anonymous).
Finally, of course, there is the fact that if you send a virus infected file to someone else they will probably be very upset. This kind of thing can cause a serious dent in your reputation if you are a company that sends a lot of files to clients, and even for a private home user, you can find yourself in trouble if you knowingly spread a virus, no matter how harmless it is.
Well, the very first thing I am going to ask everyone to do is not to panic. Everyone reading this has access to a computer, either at home or at work, for a reason. We all use our computers for many diverse reasons, and some people rely on their computers to a greater or lesser degree than others, but all of us use a computer because we expect it to do something for us. You should not let worry about computer viruses, hackers, or any other thing you hear about these days stop you doing whatever it was that made you decide to start using computers. There are things you should do, like practising "safe computing", and there is software you should buy, such as virus scanners, to assist you in this, but you should treat the issue like taking out car insurance: you look around, buy a policy that fits your needs, and then you stop worrying about it and get on with your life.
One area that is often overlooked is "safe computing practices": the idea that, as well as relying on technological solutions to the computer virus problem, we protect ourselves by following a list of common-sense procedures designed to stop virus infections making their way onto our computers. Not very exciting, but very important. After all, what's less painful in real life, getting your broken arm mended or avoiding breaking it in the first place? Check anything before installing it onto your computer. This means that when you buy new software, use the CD on the cover of a computer magazine, or download shareware from the Internet, you scan it first with a virus scanner.
The above advice also applies to "trusted sources" such as friends and big software companies. If you trust a friend not to send you a virus, that just means you trust them not to send you a virus intentionally. What if they don't use a virus scanner, or don't keep it up to date? Who knows what they could send you by accident?
DON'T run software from unverifiable sources. If you receive e-mail from someone, or see something on the newsgroups, that has a file attached, be very careful about opening it. If people were more careful about opening files like this, for example, the happy99 worm would not be a problem.
This also extends to running strange files friends send you. I know there is only one person who should be sending me notes that say "I love you", so I was suspicious when these sorts of notes arrived in my mailbox from all kinds of people. I didn't open these files because of my suspicion, and I avoided another major virus panic.
Back up your programs and data on a regular basis. If a virus does hit you, you can just recover your data from the backup. This has the advantage of being good protection against things like hard drive failures too.
Get a virus scanner that you feel comfortable using, make sure you update it on a regular basis, and use it to scan your computer on a regular basis. One good strategy is to update your virus scanner at a fixed interval, say weekly or monthly, whatever you feel comfortable with, and whenever you install an update, run a full scan of your computer. Not only does this check your computer for viruses, it also tests that your scanner is still working as you expect it to.
If you exchange files with a lot of people, or download stuff from the Internet on a regular basis, consider using two virus scanners. No scanner is 100% perfect, and having two means that one might catch something the other misses.
This last one really only applies to businesses. Have a clear anti-virus policy, spell out what this policy expects from your staff, and make sure they are aware of the policy, and how to follow it. Don't just tell people to do something, or assume they know what you are talking about; if you tell people "Scan files before using them" provide a virus scanner and training on how to use it.
There are several tools that you can use to protect yourself from computer viruses, and most people will probably have at least one of them, the virus scanner. Virus scanners are designed by their producers to work in two modes, on demand and on access.
Each approach has its own advantages and disadvantages. An on-access scanner can catch an infected file before it has a chance to run, because it's in memory all the time, but it cannot do any detailed analysis of files as you run them because it would slow your system down too much. An on-demand scanner can take the time to analyse files in detail, and apply advanced heuristic scanning techniques that can sometimes catch brand new viruses that the scanner is not really set up to deal with yet, but it cannot catch files as they are run, because it only comes into play when the user asks it to scan something. As anti-virus companies realise that both approaches have their own peculiar strengths and weaknesses, they tend to produce products that include both on-access and on-demand scanning - the best of both worlds.
Both kinds of scanner do have one major weakness, however: they mostly work by pattern-matching code against samples in the scanner's database (OK, I am simplifying a lot here), and as such they are only as good as their last update. They rely on the user downloading updates on a regular basis in order to detect new viruses.
Another type of anti-virus product is the "generic scanner" - this works in a broadly similar manner to normal anti-virus scanners, by scanning code looking for signs of viruses. While a conventional scanner looks for patterns in the code that match known virus code, the generic scanner looks for code that exhibits signs of "virus like" activity and stops them from running.
Generic scanners can work quite well because they know that viruses will always want to do certain things, such as copy themselves and infect files on a hard disk without the user's knowledge, and there are only so many ways that this can be done. If you watch out for code that tries to do these things, you can intercept a lot of virus activity and warn the user that something untoward is going on with their system.
The advantage of generic scanners is they don't need to be updated anything like as often as a conventional scanner, and they don't need to be able to pick out a pattern in some code to identify something wrong going on, they just need to be able to identify "virus like" activity on the system.
There are two big downsides to this approach, but you knew it was too good to be true, right? The first problem is that these kinds of scanners can sometimes miss stuff that a normal scanner would pick up - there is a lot going on in a modern computer and it's very difficult to monitor everything and still let the computer run at a reasonable speed - and let's face it, most people like the idea of virus protection, but don't like the idea of their virus protection slowing their computer down.
The other disadvantage is that generic scanners do expect their users to know a little bit about their computer system and the stuff that is on it, so that when they tell you that a piece of software is suspicious you can make an informed decision about what to do with it.
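To make the difference between the two approaches concrete, here is a small added illustration (not from the original article, and not real scanner or virus code): a signature scanner that matches byte patterns from a database against file contents, and a "generic" scanner that judges what a program does. The signature database, file images and behaviour logs are all constructed for the demo, and the outcome shows both points made above: the signature scanner misses a variant its last update did not include, while the generic scanner catches it but also flags an innocent backup tool, leaving the user to make the informed decision.

```python
# Constructed signature database: name -> byte pattern. Only variant "a" was
# known at the scanner's "last update"; variant "b" was written afterwards.
SIGNATURE_DB = {"demo-infector-a": b"\xeb\x10COPYME"}

# Constructed file images (not real executables, just labelled byte strings).
FILES = {
    "demo-infector-a.exe": b"MZ" + b"\x90" * 4 + b"\xeb\x10COPYME" + b"\x00" * 4,
    "demo-infector-b.exe": b"MZ" + b"\x90" * 4 + b"\xeb\x10C0PYME" + b"\x00" * 4,  # one byte changed
    "backup-tool.exe":     b"MZ" + b"\x90" * 4 + b"BACKUP" + b"\x00" * 4,
    "installer.exe":       b"MZ" + b"\x90" * 4 + b"SETUP" + b"\x00" * 4,
}

# Constructed behaviour logs: (action, target) pairs an on-access monitor
# would record while each program runs.
EVENTS = {
    "demo-infector-a.exe": [("write_exe", "C:\\WINDOWS\\NOTEPAD.EXE"), ("copy_self", "C:\\TEMP\\A.EXE")],
    "demo-infector-b.exe": [("write_exe", "C:\\WINDOWS\\CALC.EXE")],
    "backup-tool.exe":     [("write_exe", "D:\\BACKUP\\NOTEPAD.EXE"), ("write_exe", "D:\\BACKUP\\CALC.EXE")],
    "installer.exe":       [("prompt_user", "Install to C:\\APP?"), ("write_exe", "C:\\APP\\APP.EXE")],
}


def signature_scan(data, db=SIGNATURE_DB):
    """Conventional scanner: report every database pattern found in the file."""
    return [name for name, pattern in db.items() if pattern in data]


def generic_scan(events):
    """Generic scanner: flag 'virus like' activity, i.e. copying itself or
    writing into other executables without asking the user first."""
    asked_user = any(action == "prompt_user" for action, _ in events)
    targets = [t for action, t in events if action in ("write_exe", "copy_self")]
    return targets if targets and not asked_user else []


def scan_all():
    """Run both scanners over the constructed samples and collect verdicts."""
    return {
        name: {"signature": signature_scan(data), "generic": generic_scan(EVENTS[name])}
        for name, data in FILES.items()
    }


if __name__ == "__main__":
    for name, v in scan_all().items():
        sig = ", ".join(v["signature"]) or "clean"
        gen = "suspicious" if v["generic"] else "clean"
        print(f"{name:22} signature={sig:16} generic={gen}")
```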