What are Trojans and Worms?

A Trojan Horse is a program intended to perform some covert and usually malicious act which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce, (though this distinction is by no means universally accepted).

A dropper is a program which installs a virus or Trojan, often covertly.

A worm is a program which spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program. In practice, worms are not normally associated with personal computer systems. There is an excellent and considerably longer definition in the Mk. 2 version of the Virus-L FAQ.

Do we have to fear virus?

Computer viruses are not Devils. They are just computer programs with self-replication function. That means they are able to make copy of itself. Since the process is automatic, the program is able to spread inside a computer or inside a network.

Anti-virus software is designed by international companies to detect and clean such virus programs. With up-to-date virus signature, almost all viruses can be detected and removed easily. For new viruses not detected by anti-virus software, a new virus signature update will usually be available within a week.

Can data files be infected?

Usually not. The exception is data files that contain executable code, which can be infected by viruses. A good example of this is a Microsoft Word file (.DOC, .DOT). Although Word files are technically data files, they may contain macros, which are executable and therefore susceptible to infection. Most of the virus infections reported today are from macro viruses.

Can firewalls detect virus?

Firewalls don't screen computer viruses. As the location of firewalls is a good place for scanning, some firewalls has plug-in virus scanning module. And some programs scan virus at a point either before or after a firewall.

Note that scanning FTP or HTTP traffic adds heavy network overhead but blocks only one of the sources of virus. Virus can get into the local intranet through floppy disks, CDROM or even a brand new PC.

Can viruses hide in the computer's CMOS memory?

No. The data in the CMOS is not executable. The CMOS contains system data, which is stored on a chip inside the computer. A malicious virus can alter values in the CMOS as part of its payload causing the system not to reboot, but it cannot spread or hide itself in the CMOS.

Are there CMOS viruses?

Although a virus can write to (and corrupt) a PC's CMOS memory, a virus can NOT ' hide ' there. The CMOS memory is not ' addressable '. Data stored in CMOS would not be loaded and executed in a PC.

A virus could use CMOS memory to store part of its code, but executable code stored there must first be moved to DOS memory in order to be executed. Therefore, a virus cannot spread from, or be hidden in CMOS memory. And there is no known virus that store code in CMOS memory.

There had been reports of a trojanized AMI BIOS. It is not a virus, but a ' joke ' program which does not replicate. The malicious program is not on the disk, nor in CMOS, but was directly coded into the BIOS ROM chip on the system board. If the date is the 13th of November, it stops the boot up process and plays ' Happy Birthday ' through the PC speaker.

Are there BIOS viruses?

Theoretically, it is possible to have a virus that hide in BIOS and being executed from BIOS. Current technology enables programs to write codes into BIOS. BIOS is the place storing the first piece of program being executed when a PC boot up.

Why some viruses can be detected but not cleaned with the anti-virus software?

Anti-virus software not only detect viruses, but also other types of malicious codes, which may not be cleanable. For example, trojan horse is a type of malicious code that should be deleted instead of cleaned. In other cases, the virus may have corrupted the file and made it impossible to clean / recover. Nevertheless, there are some tips you can do to maximize the likelihood of recovering the file using anti-virus software:

• Check whether the pattern file and scan engine are up-to-date.
• Make sure there is enough free space on the disk.
• If the pattern and engine are the latest, obtain a virus sample and send it to antivirus vendors for recommended actions.

Can email message be infected?

Plain electronic mail messages with pure text and contain no executable code will not be infected. However, files attached to the message may be infected. If you receive an e-mail with attached files from an unknown source, the best approach is to scan it before running the file or opening it in Word or Excel. If you open the file attachments directly, you risk infecting your computer. The latest generation of antivirus software can usually be configured to scan e-mail attachments before you can open them.

Can e-card be infected?

It really depends on the types of greeting cards you receive. If someone emails you a greeting card which requires you to view the card online at a web site, this kind of greetings cards may not be infected. However, if the sender attaches an HTML / EXE file (with the e-card) to an email, and you open the attachment or forward the attachment to others, that attachment file may be infected.

Will virus infect my machine if I connect to the Internet and view Web pages/download programs?

If you' re only viewing Web pages written with HTML only (i.e. no Active X, JAVA, ..., etc.), the answer is ' NO'. However, if you run Active X controls and JAVA applets, or run programs downloaded from the Internet, it is possible that these programs contain virus and affect your machine.

Computer user should take special caution when surfing the Internet:

• Enable real-time scanning of anti-virus software and use latest virus signature.
• Do not execute unsigned ActiveX control or ActiveX control from un-trusted source.
• If possible, disable running active scripting in browser setting.
• Scanning all programs attached in an email before execution.
• Avoid downloading programs from un-trusted Web sites, since they have high risk of virus infection.

Why would I want a firewall?

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spraypaint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done.

What can a firewall protect against?

Some firewalls permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside'' world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it.

Firewalls are also important since they can provide a single "choke point'' where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective ``phone tap'' and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.

This is an important point: providing this ``choke point'' can serve the same purpose on your network as a guarded gate can for your site's physical premises. That means anytime you have a change in ``zones'' or levels of sensitivity, such a checkpoint is appropriate. A company rarely has only an outside gate and no receptionist or security staff to check badges on the way in. If there are layers of security on your site, it's reasonable to expect layers of security on your network.

What can't a firewall protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.

Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall! Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a ``helpful'' employee inside who can be fooled into giving access to a modem pool. Before deciding this isn't a problem in your organization, ask yourself how much trouble a contractor has getting logged into the network or how much difficulty a user who forgot his password has getting it reset. If the people on the help desk believe that every call is internal, you have a problem.

Lastly, firewalls can't protect against tunneling over most application protocols to trojaned or poorly written clients. There are no magic bullets and a firewall is not an excuse to not implement software controls on internal networks or ignore host security on servers. Tunneling ``bad'' things over HTTP, SMTP, and other protocols is quite simple and trivially demonstrated. Security isn't ``fire and forget''.

What about viruses?

Firewalls can't protect very well against things like viruses. There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them all. In other words, a firewall cannot replace security-consciousness on the part of your users. In general, a firewall cannot protect against a data-driven attack--attacks in which something is mailed or copied to an internal host where it is then executed. This form of attack has occurred in the past against various versions of sendmail, ghostscript, and scripting mail user agents like OutLook.

Organizations that are deeply concerned about viruses should implement organization-wide virus control measures. Rather than trying to screen viruses out at the firewall, make sure that every vulnerable desktop has virus scanning software that is run when the machine is rebooted. Blanketing your network with virus scanning software will protect against viruses that come in via floppy disks, modems, and Internet. Trying to block viruses at the firewall will only protect against viruses from the Internet--and the vast majority of viruses are caught via floppy disks.

Nevertheless, an increasing number of firewall vendors are offering ``virus detecting'' firewalls. They're probably only useful for naive users exchanging Windows-on-Intel executable programs and malicious-macro-capable application documents. There are many firewall-based approaches for dealing with problems like the ``ILOVEYOU'' worm and related attacks, but these are really oversimplified approaches that try to limit the damage of something that is so stupid it never should have occurred in the first place. Do not count on any protection from attackers with this feature.

A strong firewall is never a substitute for sensible software that recognizes the nature of what it's handling--untrusted data from an unauthenticated party--and behaves appropriately. Do not think that because ``everyone'' is using that mailer or because the vendor is a gargantuan multinational company, you're safe. In fact, it isn't true that ``everyone'' is using any mailer, and companies that specialize in turning technology invented elsewhere into something that's ``easy to use'' without any expertise are more likely to produce software that can be fooled.

How can I protect myself against Viruses?

By taking these procautionary steps, you can feel assured that you are doing your part in keeping your computer Virus-Free:

• NEVER download and/or run an attached file on an e-mail from a stranger or from an unknown address. Be VERY cautious when downloading/running one from a friend (most likely if they pass you a virus, they won't know they did!).
• NEVER have your e-mail program set to automatically run attached files. VERY IMPORTANT! This is especially true for browsers and/or e-mail programs which automatically execute Microsoft Word after opening an e-mail. TURN OFF THEOPTION TO LAUNCH OR EXECUTE ANY PROGRAMS after receiving e-mail.
• NEVER run an executable file you've just received without first running it through an updated anti-virus utility.
• If your computer is on a network, make sure you have security steps in place to prevent unauthorized users putting files on your computer. Networks are ideal virus transmitters since they are accessed by many computers and there usually is a great deal of interaction between these computers
• MAKE SURE you've got a good anti-virus program that is updated often from the company (check out the anti-virus links below).
• TAKE CARE in using floppy disks! The more computers a floppy has been used on, the better the chance of a virus infecting it. ALWAYS run floppies through an anti-virus program before using it and be extremely cautious when booting your computer from a floppy disk (it's adviseable not to do so).
• KEEP YOUR E-MAIL SOFTWARE UPDATED! Software companies are always finding problems with their software and if they are good about it, will post patches to update your e-mail software. Continually check your software company's website for updates to your e-mail software!

How to spot a hoax computer virus alert

1. Did a genuine computer security expert send you the alert?

   The "Experts" claim things which amount to the fact that "If your mother-in-law forwarded an alert, which came from her dentist, who got it from a podiatrist, who got it from his secretary's daughter, who supposedly received it at college directly from IBM's virus experts... then it Must be a Hoaz.

   Ths is a false conclusion for they put out seems to be "If the majority of the Virus Hoaxes are written in a certain way, then all Virus Warnings written in that way are bogus!".

   Expert Advice is wonderful, however it overlooks the fact that some people who write a virus warning to their friends and family don't give a hoot if their message follows a specific set of specifications for the writing of virus warnings or not. :) Their main interest is in warning the people they know and care for. By using the idea that a Virus Warning has to come from a genuine computer security expert, you may miss out on a true virus warning.

   The best thing to do when receiving any warning is to take each Virus Warning you receive and go to McAfee's or Symantec and check out their Virus Encyclopedias and/or their Hoaz Pages. In this way you can personally see if the warning was a hoax or if it has merit.

   In the past, some Virus Hoaxes received seemed to come from a Genuine Computer Security Experts. "Real" Virus Warnings were copied and altered, then sent out for the Hoaxsters knew that some people would think that the message had all the earmarks of a "Real" Warning and they forward the hoax to others. :)

   One last note, If you do not see the Virus listed in the Hoax or Virus Encyclopedia, you may be the proud receiver of a new Virus which the Anti-Virus companies haven't checked out yet or gotten around to posting on their sites yet. Recheck the site over the course of the next day or so and odds are the Virus Name will appear on one of it's lists.

2. Does it urge you to forward the chain letter to everyone you know?

   "Genuine virus alerts won't ask you to participate in a chaotic email distribution scheme."

   This makes sense on the surface, if you speak only of the Warnings coming from Qualified Security Experts. The Flaw is that a "Genuine" (or "Real") Virus Warning is any message written about a "Genuine" (or "Real") Computer Virus... despites who writes it or how it is written.

   If Auntie Mame writes you and says she heard today from her Friend's Dentist that a Virus xalled "Melissa" or "ILoveYou" is circulating the net... then that is a Genuine Warning for the Viruses are real. :)

   Once again, check the Virus out yourself. If it shows up on the Hoax List (which it will probably most often do) then ignore the message.. or write back to the sender telling him or her it is a hoax and advise them to please check out the Virus Hoax Sites before mailing you any Warnings in the future. :)

3. Does the email offer a link to an authoritative details page?

   "Email alerts shouldn't go into detail about a computer virus. Rather, the alert should summarize the threat and provide a link to a "for more info" page stored on a well-known computer security website. Beware: some hoax alerts include generic links to respected websites. The hoaxster wants you to assume the website has important information about the virus.

   A rule of thumb: the link to more information should take you directly to more information about the threat. If it doesn't, then you should chide the sender for failing to give you accurate information."

These suggestions make sense, but the "Experts" fail to recognize the "everyday people" factor once again, nor do they seem to stress the importance in checking out all Virus Warnings yourself before you pass it on.

There is a distinct difference between how most "Experts" and "Professionals" do things and how the ordinary person does things. Often the Experts are trained to do things in a certain way, or think in a certain way. Ordinary people tend to "just do".

Once again, you should go check out what is said in the warning with a valid site like Symantec or McAfee's to be sure.

The point of the above is not to dispel the "Suggestions" about how to spot a hoax, for they are good suggestions. However they do need to be tempered with reality and not lead people into believing that every Virus Warning which is not written "just so" is a hoax, even though most probably are.

The emphasisof is to try not to take the easy way out. It doesn't take a lot of time to check out these warnings for yourself. And if you save the Anti-virus Sites to your Favorites or Bookmarks (preferably in their own folder), then it often takes even less time. You can even keep your Email Program open and flip back and forth between screens in order to check several warnings at a time.

Sources

VMyths.com

"Electronic Ephemera" FAQ and Reference Site

Internet Firewalls: Frequently Asked Questions

Virus FAQ for Internet User

General Virus FAQ

Virus Information Center - Virus FAQ

Computer Virus FAQ