ANTI-VIRUS MEASURES
VERSION 1.05
July 18, 1988

Copyright InterPath Corporation 1988
All rights reserved
408 988 3832
4423 Cheeney Street, Santa Clara CA 95054

PURPOSE:

This document outlines the various types of commonly found viruses and suggests measures that can be taken to minimize the risks of infection and procedures that may be used to recover from infected systems.

TYPES OF VIRUSES:

There are currently three classes of viruses: Boot infectors, system infectors and general executable program infectors. Their characteristics are:

Boot Infectors:

Boot infectors attach themselves to sector 0 of floppy disks and, occasionally, hard disks. They gain control when the system is initially booted and remain in control at all times. Many have the capability to trap warm boot requests and remain in control even if booted from a non-infected floppy, with the result that the clean floppy becomes instantly infected. Boot infectors typically create bad disk sectors to which the original boot sector is copied, along with the remainder of the virus code. Boot infectors may be from 2 to 7 sectors in length.

Boot infectors can be benign or malignant. The Pakistani Brain virus, for instance, is a benign boot infector virus in its original form. It has been hacked, however, into a very malignant form which can infect hard disks and which destroys FAT entries, deletes files, and performs other malicious activities.

System Infectors:

A number of viruses attach themselves to command.com and other system files that remain memory resident. They gain control after system boot and infect hard disks or other bootable floppies that contain the appropriate system files. System infectors may activate after a given period of time or they may instantly begin subtle modifications in system processing - including increasing the time to perform system functions, subtle scrambling of data or modification of system error messages or informational messages.
The Jerusalem (Israeli) virus is an example of such a virus. (The Israeli virus is also able to act as a general .com and .exe infector as well as being a system infector). Activation may take place after a specified period of time has elapsed or after a specific number of invocations. Activation may include scrambling the FAT, erasure of specific files, low level disk format or modification of non-executable files containing numeric or other ASCII data.

General .COM and .EXE Infectors:

This class of virus is the most dangerous from an infection standpoint since these viruses can spread to almost any program in any system. They infect in two generic ways:

1. By gaining control each time the infected program is executed and copying itself to other .com or .exe files on the fixed or floppy disk prior to passing control to the host program. This is the most common infection technique.

2. By remaining memory resident and infecting each program that is loaded for execution. This technique is used by the Jerusalem virus but is less common than the above method.

Some of these viruses attach themselves externally to .com or .exe files and thus change the file size. They may or may not modify the creation date and time. Others insert themselves internally in the executable host program's dead space and are thus "invisible" to anything other than a binary compare routine. Some viruses continue to infect the same program multiple times until the program becomes too large to fit into memory. Most, however, check to see if the host has already been infected and pass over previously infected files.

PREVENTION TECHNIQUES:

Prevention can be divided into two areas: 1) safe user practices and 2) anti-viral tools. 90% of all virus infections, or the damaging results of infection, can be easily prevented by following safe usage guidelines. Most of the other 10% of infections, or damaging results, can be avoided by the use of anti-viral software or hardware tools.
Safe user practices:

1. !! NEVER BOOT FROM ANY FLOPPY OTHER THAN !!
   !! THE ORIGINAL WRITE PROTECTED DISKETTE !!
   !! FROM THE ORIGINAL DISTRIBUTION PACKAGE !!

The above recommendation is extremely important. Most of the boot sector infector viruses can ONLY infect your system if you boot from an infected floppy diskette. Booting from borrowed, unknown or multiple diskettes greatly increases the opportunity for infection.

2. One and only one boot diskette should be assigned to each and every floppy based PC (systems without a fixed disk), and that diskette should be CLEARLY labeled as the boot diskette for that system.

3. If you have a system with a fixed disk - NEVER boot from a floppy drive. The only exceptions to this involve recovering from a viral infection as described in the section below.

4. Treat public domain and shareware software with caution. Viruses are difficult to detect and usually do not modify the operation of the infected program in any way prior to activation. Thus a friend or acquaintance might in all good faith recommend a program that is infected without their knowledge of its infection. If possible, limit use of such programs to systems without fixed disks. If you do use them on fixed disks, allocate separate subdirectories for the public domain programs. This will limit exposure since some viruses limit their replication activities to the current subdirectory. You should not place public domain or shareware software in the root directory.

5. Create meaningful volume labels on all fixed and floppy disks at format time. Develop a habit of checking volume labels each time a DIR command is executed. Keep a lookout for changes in the volume labels.

6. Watch for changes in the pattern of your system's activities. Do program loads take longer than normal? Do disk accesses seem excessive for simple tasks? Do unusual error messages occur with regularity?
Do access lights on any of the system devices turn on when there should be no activity on that device? Do you have less system memory available than usual? Do programs or files disappear mysteriously? Do you suddenly notice a reduction in available disk space? Any of these signs can be indicative of viral infections.

7. If you are in a corporate or multi-system environment, minimize the exchange of executable code between systems wherever feasible. When using resources on someone else's PC (a laser printer, for example), transfer the necessary data on a diskette that contains no executable code. Also, do not use diskettes that are bootable or that contain system files.

8. If operating in a network environment, do not place public domain or shareware programs in a common file server directory that could be accessible to any other PC on the network.

9. If operating in a network environment, allow no one other than the system administrator to use the file server node.

10. If using 3270 emulators connected to mainframe systems, keep all 3270 emulation software together in a separate subdirectory and do not include ANY executable code in the subdirectory that is not part of the emulator suite. If possible, limit such terminals to 3270 emulation only, and remove all other software from the disk. 3270 emulators are the major gateways through which viruses jump from PCs to mainframes.

Anti Viral Tools:

Hardware:

Write protect tabs go a long way toward limiting viral spread. All boot floppies should be write protected as a matter of course. For certain high security environments, you can even purchase write protect systems for hard disks. Some flexibility may be lost, but the protection factor is high. In addition to write protection, you should consider removing floppies from drive slots and storing them in filing cases when they are not being actively referenced. We have yet to hear of a virus jumping directly from system memory to a diskette that was not inserted.
Software:

Software protection falls into three general categories: programs that help prevent the virus from initially infecting your system, programs that detect infection after it has occurred, and programs that identify pre-existing infections. All three types of protection have their pros and cons.

INFECTION PREVENTION PROGRAMS:

These programs are TSR (terminate and stay resident) programs that monitor system activity and watch for characteristic viral replication activities. They check all disk I/O and cause a warning to be displayed when unauthorized activities are attempted. Such activities are: writes to executable programs, system device drivers, the boot sector, etc. They typically redirect the operating system's interrupt vectors and thus intercept requests from all other programs.

This type of protection has the advantage of stopping viruses before they enter the system, thus avoiding the tasks associated with removing viruses. The disadvantage, however, is that viruses can be, and have been, written to avoid detection using this type of system. Also, no software technique can prevent initial infection from a boot sector virus. (Another reason to follow the above procedures to avoid boot sector infections).

Programs that are available that help prevent initial infection are:

C-4, from InterPath 408 988 3832
Disk Defender, from Director Technologies 312 491 2334
Data Physician, from Digital Dispatch 612 571 7400
Virus Implant Protector, from Leemah Datacom Security Corp 415 786 0790
VirALARM 2000, from Lasertrieve 201 906 1901
ACE System, from Security Dynamics 617 547 7820

INFECTION DETECTION SYSTEMS:

First, as a note of explanation, these programs only work if the system they are running on HAS NOT BEEN INFECTED prior to installation. They cannot tell you whether your system has already been infected. They all assume that the system is clean. They work by looking at key information on the system disks (file sizes, dates, checksums, etc.)
and periodically re-checking this information to see if it has changed. The advantage of this approach is that it is much more difficult for viruses to avoid detection and the technique is therefore much more secure. The disadvantage is that the system must become infected in order to detect the virus. However, if an infection can be identified soon after it occurs, it can be easily removed before it can replicate further and before it has a chance to activate.

The following are programs which provide this type of protection:

TRACER, from InterPath 408 988 3832
Vaccinate, from Sophco 800 922 3001

INFECTION IDENTIFICATION SYSTEMS:

Programs in this category identify specific viruses on systems that are already infected and remove the virus - returning the system to its state prior to infection. This class of products may or may not repair damage done by virus activation. Products in this class may identify only a single virus or multiple types. The advantage to this class of products is that they can identify pre-existing infection and perform the removal process. The disadvantage is that they work for only a few of the specific viruses and cannot provide general purpose virus protection.

Programs in this category include:

DETECT, from InterPath Corporation 408 988 3832
V-FINDER, from WallyWare 408 275 6358

RECOVERY FROM INFECTION:

It is much more difficult to recover from an infection than it is to initially prevent the infection. Nevertheless, if strict procedures are followed, recovery can be achieved with minimum loss of data. The main problem in recovering from a virus is not the loss of data (which may indeed be considerable), but the near certainty of re-infection if the proper procedures are not followed. Nine out of ten installations that get infected experience a relapse within a week of "cleaning out" the virus. Some organizations have "eradicated" a virus as many as a dozen times, only to have it re-occur shortly after each eradication.
The causes of these re-appearances can be traced to two things:

1). Many viruses do not go away after a warm boot. The Pakistani Brain virus is a good example of such a virus. In many organizations, the PC is seldom turned off and the prevailing assumption is that a warm boot will clean out system memory - an incorrect assumption.

2). Viruses initially infect fixed disk systems by way of a floppy diskette. After infection, every floppy that has been placed in the system is also likely to be infected. In large organizations, this can amount to thousands of infected diskettes that can re-infect systems if not de-activated.

Understanding the above issues goes a long way toward a successful recovery from a virus infection.

Recovery:

When an infection is detected the following procedures should be followed:

1. Determine the extent of infection. If the virus has not attacked any fixed disks, go to step 12. If the virus has infected the boot sector only, go to the addendum.

2. Power down the infected system.

3. Retrieve the original DOS diskette from the distribution package. Write protect it. Place it in the floppy boot drive and power up the system.

4. Ensure that the system has booted properly.

5. Backup all non-executable files from all directories onto newly formatted floppy diskettes or to a tape backup unit. If backing up to another fixed disk, ensure that the disk has not been infected. (If there are any doubts, assume that it is infected). DO NOT USE THE BACKUP UTILITY ON THE FIXED DISK. Use a utility from the original package.

NOTE - At no point in these procedures should you execute ANY program from the infected fixed disk!

6. List all batch files on the infected disk. If any line within any of the batch files seems unusual or unfamiliar, do not back it up. Otherwise, include the batch files with the back-up.

7. Perform a low level format of the infected disk. Recover the initial disk configuration using FDISK and FORMAT.

8. Execute the SYS command for the fixed disk.

9. Re-structure your directories.

10. Replace all executable programs from the original distribution packages.

11. Restore the files that had been backed up.

12. Locate all floppy diskettes that may have been inserted in the infected system within the past two years. (We know it sounds EXTREME, but if this and subsequent steps are not followed, you can be guaranteed to be re-infected within a short period of time).

13. At your discretion either:
   A). Destroy them all
   -or-
   B). Continue with the following steps

14. Backup all non-executable files onto newly formatted floppy diskettes.

15. Format the suspect diskettes.

Addendum:

If the virus is a boot sector infector, the recovery process is somewhat simplified. Since boot infectors do not infect executable programs, they can be removed by doing a SYS command on the affected drive. The procedures are:

1). Power down the affected system.

2). Boot from the original DOS write protected distribution diskette.

3). Perform the SYS command on all affected devices.

The above procedures will leave the virus intact on the additional bad sectors originally allocated by the virus, but these viral segments will be de-activated.

This document is available on the InterPath/National BBS bulletin board - 408 988 4004.
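The following is an added illustration, not part of the original document and not code from InterPath or any product named above, of the baseline-and-recheck approach the infection detection systems use: once step 10 has replaced every executable from original distribution media, the clean state is recorded (size and checksum per file) and re-checked later so that a relapse is caught before the virus replicates or activates. It is written in Python against a constructed temporary directory standing in for a DOS fixed disk; the watched extensions, file names and contents are assumptions, and the two tamperings are simulated edits, not real viruses.

```python
import hashlib
import os
import tempfile
# Assumed set of infectable file types, following the document's classes
# (system files, .COM/.EXE programs and batch files).
WATCHED = {".com", ".exe", ".sys", ".bat"}

def snapshot(root):
    """Record size and SHA-256 of every watched file under root (assumed clean)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in WATCHED:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            baseline[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline

def recheck(root, baseline):
    """Compare the disk to the baseline and classify every deviation."""
    current = snapshot(root)
    findings = {"grown": [], "modified": [], "missing": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel][1] != digest:
            # Larger file: an appending infector. Same size but changed bytes: an
            # in-place (dead-space) infector that a size/date check alone would miss.
            findings["grown" if current[rel][0] > size else "modified"].append(rel)
    findings["added"] = sorted(set(current) - set(baseline))
    return findings

def demo():
    """Constructed scenario: clean baseline, then two simulated tamperings."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "DOS"))
    files = {"COMMAND.COM": b"\x90" * 64, "README.TXT": b"not watched",
             os.path.join("DOS", "EDIT.EXE"): b"MZ" + b"\x00" * 62}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    base = snapshot(root)
    with open(os.path.join(root, "COMMAND.COM"), "ab") as fh:
        fh.write(b"TAMPER")                   # size changes: reported as "grown"
    with open(os.path.join(root, "DOS", "EDIT.EXE"), "r+b") as fh:
        fh.seek(2)
        fh.write(b"\x01")                     # size unchanged: reported as "modified"
    return recheck(root, base)
```

The baseline is only meaningful if it is taken from a system known to be clean, which is exactly the note the document makes about infection detection systems; store it on write-protected media, not on the disk it describes.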