Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-) Softpanorama Search

Ch 4. Part 2: File Viruses

Contents

1. Introduction

2. Prophylactics

3. How do I remove a file virus from the hard drive

4. How do I remove file viruses from diskettes?

5. The most common file viruses

6. What to do if F-prot is unable to disinfect the virus

1. Introduction

File viruses work by locating a type of file that they know how to infect (usually an executable file with extensions ".COM" and  "EXE") and inserting virus code in such a way that it will be executed first after the program will be loaded in memory.  Most file viruses are programmed for the DOS environment. For explanation of term "polymorphic", "multipartite" see AvJargon.htm

File viruses are quite rare in the typical large corporation environment, because executable are not so often exchanged between the users in such an environment. So if anti-virus software found a virus in your computer, it might be a false alarm.  Following are some common symptoms of the false alarms:

•      Only one file is infected on your hard disk.
•      The infected file is not an executable file  e.g. has other extensions than .EXE, .COM, sometimes .BIN, .OVL and OVR. In very rare cases they can attach themselves to the .DLL, .OVL, . SYS, and .  386 files.
• The virus is not in a list of most frequent viruses. Please consult recent versions of:
  McAfee top 10 virus list (http://www.mcafee.com/support/techdocs/vinfo/dkd.asp),
  Symantec top 10 lists.

  As an educated guess the following viruses have some probability to infect workstations.:

• Jerusalem (many variants, some has a bug leading to  multiple infections of the same  EXE file).
• Hydra
• Yankee Doodle
• Die Hard 2 (stealth)
• Little Red (Polymorphic)
• Natas (polymorphic multipartite).
• OneHalf ( Polymorphic, multipartite)
• Cascade
• Dark Avenger
• Vienna
•      Virus is not found in memory.
•      More than one virus scanner used on the computer  in question (for example F-prot and McAfee).
•      Virus was detected by Inoculate on the LAN drive, but extension of the file does not correspond to executable(see above).

Following is usually the case if you have real file virus infection:

• LOGINCHK package has found virus in memory during login processing;
• After rebooting from the AV Rescue Disk several executable files (EXE and COM) were reported as infected
• Only one executable file was infected, but the name of the virus is present in the "Top 10 viruses" list.

Although not definitive, but useful check is that if after booting from AV Rescue Disk you will compare size of file with size of the same file on another user PC suspected file is larger in size for pure file viruses disinfection can be done by replacing infected files with original non infected from other user PC. This option is safer that disinfection as anti-virus program can corrupt the file during the disinfection. Also virus can overwrite some  part of the executable and disinfection became impossible.

In NetWare environment file viruses are usually can be considered as a symptom of poor system administration. the typical blunder is that users have access to the important directories on the server in Write mode. The most dangerous situation is when due to oversight user has write access to the executables in SYS:\LOGIN directory.  This cases cause the majority of large site infections, and can cost thousands of dollars in lost data and productivity. In such cases not antivirus software installation, but additional training in NetWare administration is required.

 The only way to infect a computer with a file virus is to run an  infected file on the computer.  If you just download the file you cannot infect the computer. So it is recommended to   check downloaded file with anti-virus program. At the same time cases of infecting computer by downloading files from the Internet are very rare. 

Because the early anti-virus products used search strings to detect viruses, some virus writers started making their viruses harder to detect by making  them polymorphic. Making the virus encrypt its body with different key  with every infection and modify decrypting routine so that it will be harder to detect.

 The goal of a computer virus is to spread. In trying  to meet this goal, some virus writers have added another ability to infect not only executables file but system areas (boot sector and MBR). Such viruses are called multipartite.  Ability to infect boot  sectors, the master boot record increase chances of propagation of the virus, as it can propagate via floppies that do not contain any executable files.

We will assume that AV package has reported that you have a virus in memory on login and that you want to know if it is a file virus and how to get rid of it. If name of the virus reported by F-prot is one of the above then you have a file virus. If name is different then the simplest way to check if is a file virus is to reboot from AV Rescue disk and check how many files will be reported as infected.  See AV-LOCAL.HTM on how to create one. Once you have removed the virus from your hard disk, be sure to scan all your diskettes.

2. Prophylactics

 If server is configured properly, a file virus has very slim chances to propagate from workstation to the server and then to other workstations (only via GROUP directories) and infection will be localized on that particular PC. If  virus manage to propagate from one use to another via server some blunder with permissions for files usually can be found. for example if  directory  SYS:\LOGIN is not protected from all users virus can infected the LOGIN.EXE file and then infect each user connected to that server. Again, the most important directory to check is SYS:\LOGIN directory. It contains files like LOGIN.EXE that are used on  each login. So improper permissions for this directory can lean to infection of all users that login after LOGIN.EXE was infected.

Typical scenario of infection is using some old floppy with utilities. So it is important to check floppies with AV program before use.

3. How do I remove a file virus from the hard drive

The easiest way is to use AV Rescue Disk. Reboot from the latest copy (old version can miss the virus if it is a new strain).

Important: Disk should be write-protected before booting from it. After removing the virus from your hard disk please scan all your diskettes. Most probably they are infected too and without disinfection you will reinfect computer again and again.

4. How do I remove file viruses from diskettes?

After removing a file virus from your hard disk, it's important to scan all your diskettes. All file viruses also infect executable on floppies; if you backup executables to a floppy and  don't remove the virus, you'll probably will  reinfect your hard disk from this floppy.

6. What to do if F-prot is unable to disinfect the virus

First one needs to get the latest version of F-prot, if such is available. In order to do this please check the following link ftp://www.datafellows.com/f-prot/free/. If new version of F-prot does not exists or does not detect/disinfect the virus, it is recommended to try the latest version  of McAfee SCAN. Evaluation version is available from www.mcafee.com. For complex and polymorphic viruses the best AV program is Dr.Web from http://ras1.dials.ccas.ru/www_av/home.htm.  It has the best heuristical capabilities among industrial strength scanners and in many cases can correctly remove new strain of the virus. If only one scanner will report about the virus, but two others will not, it is probably a false positive.