
Quick Reference Guide

- A virus is a program, it has to be executed to do anything
- If you think you have a virus, scan your drive
- The code that gets control first wins, so boot clean
- Windows doesn't fit on a bootable floppy disk
- Replace affected objects with known clean backups
- If it can find it, it should clean it
- No known virus has ever damaged hardware
- Computers only follow instructions
- A program is a set of instructions
- Programs must be stored somewhere
- Infected files that don't contain programs are false alarms
- Image files are not programs
- Bootsectors only execute during bootup
- Application macros only execute within their application
- Viruses must self-replicate
- Viruses must have a host
- A trojan horse program cannot be disinfected
- There is no best anti-virus product
- Just say no to FDISK /MBR



A virus is a program, it has to be executed to do anything

A surprisingly important point for the newbie, and a wonderful mantra.

Repeat after me folks: "A virus is a program, it has to be executed before it can do anything"

That's right, it's not some magic piece of pixie dust lodged in your computer somewhere or some weird cyborg germ that leaps from person to computer and computer to person. It's a program like your word processor or mouse driver: you get it from downloads, software disks or e-mail attachments, and when you delete it, it's gone.

And what constitutes executing a program? The three major cases are running an application program (like a text editor or game), booting from a disk with an infected DOS bootsector or master boot record, or launching an infected document in one of the components of MS-Office (i.e. Word, Excel, Access, etc.).



Computers only follow instructions

Everything that happens on a computer can be reduced to processing instructions and manipulating data as a result of those instructions. When you copy a file you're causing the computer to execute a string of instructions that read that file and then write it back out on an unused portion of the disk. When you print a file you're causing the computer to execute instructions which send that file to the printer with an instruction that tells the printer to take each character and print it on the page. When you view a file you're causing the computer to execute instructions which read the file and put bytes in memory reserved for video display in such a way as to represent the contents of that file.

This may be a rather complex way to look at things from the novice's point of view, and in the end it really isn't necessary to understand the computer in this manner, only to know about it and its consequence: in a computer nothing happens without some instructions being processed, and those instructions aren't processed unless either you tell the computer to do so (by directly instructing it or by configuring some other program to do it) or the computer is designed to process those instructions automatically (like the bootsector program).



A program is a set of instructions

For our purposes, 'program' will mean any collection of instructions of an unspecified type (such as DOS commands, machine code or macro language instructions).

Such programs can take the form of batch (*.bat) files, bootsectors, executable (*.exe or *.com) files, application macros, scripts (VBScript, JavaScript, certain types of *.ini files), some *.sys files, and VxDs.

As a result, these are all viable targets for viruses and need to be protected.



Image files are not programs

Image files are not programs, nor are sound files, text files, *.zip files, or CMOS data. This is because these objects are supposed to contain pure data, without computer instructions of any kind.

Instructions can be inserted into these files of course (instructions are only a special kind of data), but image viewers, sound players and the like are designed to view images and play sounds, not to search through files for instructions to execute. None of the data in these objects is executed, because it is assumed that they do not contain instructions.

Because these things are not executed, they cannot be infected; they can only be corrupted.



Bootsectors only execute during bootup

Just a simple thing to remember: bootsectors only execute during the boot process (when you turn your computer on or reset/restart it). For this reason bootsector viruses can only become active during such an event. Bootsectors are special little programs on floppy disks and hard disks that help load the operating system. So if you find a bootsector virus on your computer it is almost certainly because at some point in the past the computer attempted to boot while an infected floppy disk was in drive A:. If all you did was scan some new diskette and detect a virus, then the virus likely hasn't infected your computer yet, because you didn't accidentally try to boot from the infected disk.

That floppy disk became infected by being used in someone else's infected computer or in your computer during a previous infection.

A useful trick to help avoid catching bootsector viruses is to enter the CMOS Setup Program during your next bootup and change the boot sequence from A:,C: to C:,A: (or just plain C:) so that under normal circumstances the computer will not attempt to boot from the floppy disk (whether it's infected or not).



Application macros only execute within their application

Application macros are programs written in the application's macro programming language, but such languages tend to be interpreted and require the application to interpret their instructions. As such the macros cannot execute outside of the application, because the interpreter would not be present. They also can't stay active once the application has closed, for the same reason.



Programs must be stored somewhere

A program has to be recorded in some way so that it isn't lost when the computer is turned off. That means it has to be stored on a disk (the contents of RAM are lost each time the computer is turned off).

What this means is that, so long as the virus (being a type of program itself and having the further requirement of needing a host program) isn't active in memory, a scanner that knows how to find a particular virus should be able to tell you with certainty whether it resides on your computer or not. There's nowhere else for the virus to hide.

For this reason, if you perform a clean boot and your up-to-date, top quality scanner doesn't detect any viruses, then chances are there are no viruses on your system.



The code that gets control first wins, so boot clean

Clean booting is a method of starting up your computer in such a way as to make sure that no viruses can be active. This in turn allows you to check for and remove any viruses that might be present on the disk without the possible virus being able to interfere.

In general the clean boot procedure is as follows:

  1. Turn the computer off, pause, and then turn it back on.
  2. Insert a known clean, bootable, write protected floppy disk into drive A:.
  3. Enter the CMOS Setup Program (pressing ESC or DEL during the memory test is usually how it is done, and it should tell you right on the screen which key to press).
  4. Make sure that A: is installed in the CMOS and that it is the first drive in the boot sequence (i.e. A:,C: instead of C:,A:). If you've reversed the boot sequence to avoid catching boot sector viruses, perform this step anyway; you can set it back to C:,A: afterwards.
  5. Save any changes you made and then exit the CMOS Setup Program and let the boot procedure continue normally.

The computer should boot to the DOS prompt and no programs from the hard disk should be executed (because you can't know beforehand whether or not they've been infected). The computer should NOT boot to Windows, nor should you try to load Windows, because Windows doesn't fit on a floppy disk, so to execute it you would have to run it from the hard drive, which is something you already know you don't want to do.

At this point the clean boot is complete and you may proceed with running a DOS scanner from a floppy disk.

(N.B. Some makes of computer store their CMOS Setup Program on the hard disk, so it can't be accessed in the manner described above and this method won't work "as is" on them.)
(N.B. There are a couple of viruses that take advantage of a bug in MS-DOS and cause the computer to freeze if you attempt to perform a clean floppy boot. To get around this you must use either a version of MS-DOS that doesn't have the bug (v3.2 and earlier), a patched version of MS-DOS, or a non-MS DOS like PC-DOS.)



Windows doesn't fit on a bootable floppy disk

Windows is big; your floppy is small. It pretty much goes without saying that Windows won't fit on a floppy.

As such, for the purposes of clean booting you'll have to do without Windows and Windows programs and fall back on DOS. With a well defined procedure for your clean boot this shouldn't be a big deal even for the novice.



Viruses must self-replicate

One of the requirements of a virus is that it must be able to self-replicate. It does this by infecting new host programs. This is the means by which the virus spreads. If it doesn't replicate then it can't spread without help and cannot be called a virus.



Viruses must have a host

Another one of the requirements of a virus is that it needs a host. The host program (or infected program) is a program which, when executed, causes the virus to be executed. Without this the virus could never be executed and if it doesn't get executed it can't do anything. A virus is, after all, just a program.



Infected files that don't contain programs are false alarms

Since viruses are programs and programs are a bunch of instructions, if you find a virus in a file that can't be infected (i.e. isn't a program and/or doesn't contain instructions) it's usually a false alarm (the virus isn't actually there).

You can't fix false alarms yourself; you have to either live with it, whine about it to your AV developer until they fix it, or find a different AV program (hopefully one without as bad a false alarm problem).



Replace affected objects with known clean backups

The safest, most secure method of recovering from viruses or other assorted malware is to replace all affected software objects from known clean backups; you can't get any cleaner than a known clean backup.

This means that any software object, be it a data file that got corrupted or an infected program or bootsector, should be replaced by a known clean backup. If such a backup does not exist then you may have to rely on an anti-virus product to disinfect infected files, but not all viruses can be disinfected, and anti-virus programs can't do anything about corrupted data, so you will ultimately *need* backups.

Note: Backups need to be kept current. Program files don't usually change unless you upgrade a software package, data changes fairly often, and things like bootsectors or MBRs can change when you upgrade the operating system (OS).



If it can find it, it should clean it

Usually if a program tells you that you have a specific virus, that same program will be able to remove that specific virus if used properly, and instructions on how to do that should be in the program's documentation, so Read The F'ing Manual (RTFM).

Restoring your files using the disinfection and/or generic removal capabilities of an anti-virus program will not always work and can't restore corrupted data, so be sure to make backups.



If you think you have a virus, scan your drive

It is not possible, in general, to diagnose a virus problem by its symptoms. If you think you have a virus, scan your drive; if you think you have a virus your scanner can't detect, try a different scanner or send a copy of a program you think is infected to the AV developer that makes your scanner.

If you really do have a virus then your scanner will probably be able to detect it and you should be able to remove it. If you go to an anti-viral forum and give them a list of your symptoms without bothering to scan first, you'll just be wasting your time, as the advice you get will, at best, be to scan your drive.



A trojan horse program cannot be disinfected

A trojan cannot be disinfected. It's that simple. There is no useful program hidden within it that you can extract and save; it's 100% bad. All you can do is delete it (or uninstall it if it's an AOL trojan and you have the right AV software) and recover from any damage that may have occurred if you executed the trojan.



There is no best anti-virus product

There is no best anti-virus product, only very good ones and ones you should probably just ignore. Comparisons of many of the more reputable products can be found at the following web sites:

Virus Test Center
[Uni-Hamburg]
http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm

Virus Research Unit
[Uni-Tampere]
http://www.uta.fi/laitokset/virus

Virus Bulletin
[Industry Periodical]
http://www.virusbtn.com



No known virus has ever damaged hardware

No known virus has ever damaged hardware, mainly because the people who design hardware are usually smart enough to make hardware damage by software next to impossible for their hardware. This is not to suggest that it really is impossible for software to damage hardware, only that no known virus ever has and it is unlikely that one ever will.

For the record, damaged hardware is defined as some physical breakage within the computer: not overwriting of CMOS memory or flash BIOS, not formatting (even low level formatting) of the hard drive, and not video burn-in of one or more pixels on the monitor (which can happen no faster than normal monitor wear and tear and is really the same thing).



Just say no to FDISK /MBR

As Bruce P. Burrell is so fond of stating, "Just say no to FDISK /MBR".

You see, FDISK is not an anti-virus product. It is not designed to deal with viruses, and there are situations in which performing the above operation will actually make a viral problem worse rather than better.

It can be useful, but the Test of Safety for it can be quite involved and generally can't be performed by the average user. That test is to boot clean and perform a full integrity check of every partition to ensure that you have access and that nothing has been encrypted. Most people don't have full integrity checkers installed, let alone installed on floppies with all the integrity information on floppies as well. Without this Test of Safety, FDISK /MBR can easily run afoul of viruses such as Monkey or One-Half, both of which are in the wild, or even of non-viral non-standard boot code like EZDrive or LILO.

Backups are good for restoring from infections, as are actual anti-virus products. Use them, not FDISK.
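The Test of Safety above is an integrity check. Here is an added Python example (not from this page or from any product it names) of the MBR half of such a check: it records the boot-code hash and partition table of a known-clean MBR image and, on a later read, reports which of the two differs, so a rewritten boot code is told apart from a changed partition table. The sector images are constructed inside the script; reading the real sector 0 from a disk after a clean boot is assumed to happen separately.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # master boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"       # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector):
    """Return (boot_code_sha256, partitions) for a 512-byte MBR image; partitions is
    a list of (bootable, type, lba_start, sector_count) with empty slots skipped."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:
            partitions.append((status == 0x80, ptype, lba, count))
    return digest, partitions

def verify_mbr(sector, baseline):
    """Compare a freshly read MBR with the baseline (a parse_mbr result of the known-clean
    copy). An empty list means it matches; otherwise each finding names the part that changed."""
    try:
        digest, partitions = parse_mbr(sector)
    except ValueError as err:
        return ["unparseable MBR: %s" % err]
    findings = []
    if digest != baseline[0]:
        findings.append("boot code differs from baseline")
    if partitions != baseline[1]:
        findings.append("partition table differs from baseline")
    return findings

def build_sample_mbr(boot_code, partitions):
    """Assemble a synthetic MBR image for the demonstration (not read from a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
# Constructed sample: one bootable FAT16 (type 0x06) partition starting at LBA 63.
CLEAN_MBR = build_sample_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE", [(True, 0x06, 63, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)  # keep this record off-line, e.g. on a write-protected floppy
ALTERED_MBR = build_sample_mbr(b"CONSTRUCTED-REPLACED-CODE", [(True, 0x06, 63, 204800)])  # table intact, code rewritten
```

Run it against the baseline stored from the clean copy; an empty result from verify_mbr is the only outcome under which the MBR can be called unchanged.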



last modified june 8 2000 : this page hand crafted by kurt wismer