In other words, computer virus incidents are not particularly common, but they do happen. Damage to data does not always occur, but a virus attack can be lethal to the entire contents of a hard drive. Disinfection is time-consuming and often uncertain. Sometimes, the only sure disinfection process involves destroying everything on the infected drive, and restoring from backup. Too bad if your backups aren't current, or are infected too.
Executable files and MS Word documents downloaded from the Internet do pose a risk, but reputable sites take adequate precautions to minimize that risk. Much of the literature available on the Web indicates that shared program files and computers are the most common paths for the transmission of computer viruses. If you have kids in school or college who are using shared computers on the campus and who are bringing files or diskettes home from those computers or from their campus friends, you are one of the ones most likely to find your computer hosting a virus. This means that you will need to take particular care that you don't take a virus into the office with you when you bring home a little work, and take it back to the office on a diskette. You really don't want to be the one responsible for taking down the office LAN just because you did some work at home.
Prevention is the easiest course. There are no prevention methods which offer 100% certainty, but some knowledge of what viruses are and how they operate will substantially improve your odds of avoiding or surviving a virus attack, and of avoiding passing on the virus if you get unlucky.
A virus is nothing more than a small computer program which, among other things, makes copies of itself. It may do other things as well; some of those things can be extremely hazardous to the health of your data. Most viruses are not intentionally destructive, but some end up causing data destruction because they were not well coded.
Being tiny computer programs, viruses must trick a computer (or its operator) into loading and running them before they can do anything. Data files are never executed, so attaching a virus to a data file accomplishes nothing. The result is that, in the micro-computer world, virtually all viruses are transmitted in one of three ways:
Boot-sector viruses are a highly-effective breed of virus. Relatively few viruses are of this type, but they are responsible for the vast majority of infections. Many boot-sector viruses do not touch data or program files. They attach themselves to the program which resides in the boot sector of any formatted hard drive or diskette, so they are executed when the computer accesses the boot sector during the system startup. Then they sit in memory, and infect any disk accessed by the computer regardless of whether the disk is bootable or not. But a write-protected diskette cannot be infected unless the write-protection mechanism in the computer fails. So, Rule No. 2: Always keep the write-protect tab in place on all diskettes until you need to write to that diskette. Never allow a computer to write to a software installation diskette -- it's the only copy you've got, and many software companies will not provide replacements. If the install routine insists on writing to the original diskette, abort the install, make a copy of the diskette, and re-install from the unprotected copy.
But virus scanners can detect only those viruses which they know about, and new viruses are appearing every day. Hence, Rule No. 3: Keep your virus scanner up to date. The program's documentation will tell you how you can do that. The best of today's programs make that very easy. (See Ethan.A in my Office! for what can happen if you
Virus scanners are not perfect. They can't catch viruses they don't know about. And there are a number of viruses which modify themselves every time they infect a file, and so escape detection that way. However, program files are almost never changed, so a changed program file usually signifies a virus attack. So, Rule No. 4: Use an anti-virus package which can detect changes in program files, and which will alert you to any attempt to modify a program file or the system areas of any drive. Don't rely on scanners alone.
Even with all of that, it is still possible for a virus to penetrate your defenses. So, Rule No. 5: Re-scan your hard drive regularly, and use a "resident" anti-virus monitor which scans programs for viruses and checks for changes as they are loaded into memory before they are executed.
I mentioned above that the most common virus transmission route is through campus computers. It's no wonder -- a school computer has many users, some of whom are not particularly careful. With multiple users, all bringing diskettes containing the files which that user wants to work on, the odds of a virus infection in that computer rise significantly. So, Rule No. 6: Be particularly careful of diskettes or files which have come from a multiple-user computer or which are shared between a number of users; if possible, avoid them entirely. Be similarly careful with programs downloaded from a BBS or from the Internet.
But sure as fate, some day you will leave a diskette in your A: drive when you shut down, and forget to remove it before you re-start your computer the next day. So you get the message "Non-system disk - remove and strike any key when ready". "No problem," you say. "The computer didn't re-start, so I don't have to worry about a virus." Wrong!! If that diskette contained a boot-sector virus, that virus is now resident in your computer's memory and will attack any disk accessed by your computer from then on, including your hard drive. So, Rule No. 7: If you ever accidentally start your computer with any diskette in your A: drive which you have not scanned for viruses, turn off the power immediately. You can probably catch the virus before it goes further. But don't settle for a "warm boot" — some boot-sector viruses can remain in memory through a re-start which does not involve cycling the power. Re-start from a known-clean write-protected boot diskette, and run a virus scan as soon as you re-start.
All of the foregoing will substantially improve your odds if a computer virus should come your way. But there are no guarantees -- there are a few viruses out there which have some pretty sophisticated tricks up their sleeve, and can get around these defenses. But they are very rare.
An addendum for 1999: Since writing the above article, MS Word macro viruses have become the most prevalent form of virus infection by a very wide margin. The rising dominance of MS Word as the office word processor of choice has been a major factor in this development. Another factor is that macro viruses circumvent several of the precautions contained in the above "rules".
MS Word does contain a protective feature which, if enabled, will warn you if the document you are loading contains any macros, and gives you the option of preventing them from running if you are not certain of the trustworthiness of the document source. But be warned: that feature is not enabled by default, i.e., if you want that protection, you must enable it yourself. Worse, some macro viruses are smart enough to disable that protection, thus denying you any warning that there are macros in the document. This gives the macro virus a clear field in which to operate undetected.
Rob Mayhew
Vancouver, B.C.
copyright © 1996, 1999.
A version of this article was published in the June, 1996 issue of Networth
News, which is a quarterly newsletter published by the Ministry
of Finance and Corporate Relations, Province of British Columbia, for its
employees.