Andrés Valencia

Antivirus Information


This section offers information and tools to keep your PC free of computer viruses and other malware.

- General Virus Information
- Anti-Virus Online Scanners
- Anti-Virus Software


General Virus Information

A virus is a piece of software designed and written to adversely affect your computer by altering the way it works without your knowledge or permission.
In more technical terms, a virus is a segment of program code that implants itself into one of your executable files and spreads systematically from one file to another.
Computer viruses do not arise spontaneously: they must be written, and they are written with a specific purpose.

Usually a virus has two distinct functions:

  • Spreads itself from one file to another without your input or knowledge.
    Technically, this is known as self-replication and propagation.
  • Implements the symptom or damage planned by the perpetrator.
    This could include erasing a disk, corrupting your programs or just creating havoc on your computer.
    Technically, this is known as the virus payload, which can be benign or malignant at the whim of the virus creator.

A benign virus is one that is designed to do no real damage to your computer.
For example, a virus that conceals itself until some predetermined date or time and then does nothing more than display some sort of message is considered benign.

A malignant virus is one that attempts to inflict malicious damage on your computer, although the damage is not always intentional. A significant number of viruses cause damage because of poor programming and outright bugs in the viral code.
A malicious virus might alter one or more of your programs so that they no longer work as they should. The infected program might terminate abnormally or write incorrect information into your documents.
Or, the virus might alter the directory information on one of your system areas. This might prevent the partition from mounting, or you might not be able to launch one or more programs, or programs might not be able to locate the documents you want to open.

Some of the viruses identified are benign; however, a high percentage of them are very malignant. Some of the more malignant viruses will erase your entire hard disk, or delete files.


How Virus Infections Spread:

  • Infected Floppy Diskettes
  • 'Pirated' Software in Diskettes and CDs
  • Computer Networks
  • Corrupt e-mail Files
  • Internet Downloads
  • Demo and Free-Trial Disks


The High Cost of Viruses

While some viruses are designed to be mere annoyances, others are programmed with the dangerous ability to damage files, destroy data and crash entire computer systems. Since 1990, computer viruses have cost companies worldwide nearly $2 billion in lost data, repair costs, loss of productivity, and more.

Viruses can be equally devastating to the home user. If you notice any of the following symptoms on your home PC or portable computer, you may have a virus.

Common Symptoms of Computer Viruses:

  • Longer Program Load Times
  • Slower System Operation
  • Reduced Memory or Disk Space
  • Unusual Error Messages
  • Unusual Screen Activity
  • Failed Program Execution
  • Frequent System Crashes


Viruses: The Threat is Real

It is not overstating the case to say that viruses could interrupt the free flow of information that has been built up by the personal computer in the last 10 years. Indeed, the prevalence of viruses has ushered in a new era of safe computing, to the point where those that ignore the guidelines run grave risks. Considering the extreme warnings of danger - and the incidents already on record - it is a mystery that there are those in the computing industry who claim news reports of viruses are exaggerated.

The National Center for Computer Crime Data in Los Angeles estimates that American businesses lose as much as $550 million yearly from unauthorized access to computers. The amount of lost time may be incalculable.

As an indication of the severity of the problem, the federal government has helped to form a virus SWAT team called the Computer Emergency Response Team. Its job is to investigate security threats in major computer networks across the country. The Software Publishers Association has also adopted certain measures to address the problem.

Furthermore, in the last year many Fortune-listed companies have begun to establish computer policies to deal with viruses. In many cases those new procedures set practices for testing all software before it is put on a network and restrict the downloading of software from electronic bulletin boards. Literally no one who uses computers--not the government, nor the police, nor even your local bank--is immune from computer viruses.

Suppose a space shuttle executed an order from a virus-infected software program. Or an air traffic controller was given incorrect information by a fouled system. Or your company's financial records were suddenly eradicated or permanently altered.

These are not necessarily fantasies of impending doom. Thus far, computer viruses have hit a variety of systems, including Fortune 500 companies, government agencies, major universities, newspapers, and large networks linking vast numbers of computers and huge volumes of information.


Symantec Security Response offers white papers on a range of issues relating to Internet security at http://securityresponse.symantec.com/avcenter/whitepapers.html

Security information is of a time-critical nature.
The Symantec Threat Explorer contains information about major security developments, including Symantec's response to the situation.



Types of Computer Viruses:

A computer virus is a program designed to replicate and spread on its own, preferably without you knowing it exists. Computer viruses spread by attaching themselves to another program (such as your word processing or spreadsheet programs) or to the boot sector of a diskette. When an infected file is executed, or the computer is started from an infected disk, the virus itself is executed. Often, it lurks in memory, waiting to infect the next program that is run, or the next disk that is accessed. In addition, many viruses also perform a trigger event, such as displaying a message on a certain date, or deleting files after the infected program is run a certain number of times. While some of these trigger events are benign (such as those that display messages), others can be detrimental. The majority of viruses are harmless, displaying messages or pictures, or doing nothing at all. Other viruses are annoying, slowing down system performance, or causing minor changes to the screen display of your computer. Some viruses, however, are truly menacing, causing system crashes, damaged files, and lost data.

File Infectors:

These are viruses that attach themselves to (or replace) .COM and .EXE files, although in some cases they can infect files with extensions .SYS, .DRV, .DLL, .BIN, .OVL and .OVY. With this type of virus, uninfected programs usually become infected when they are executed with the virus in memory. In other cases they are infected when they are opened, or the virus simply infects all of the files in the directory it was run from.

Boot Sector Infectors:

Every logical drive, both hard disk and floppy, contains a boot sector. This is true even of disks that are not bootable. This boot sector contains specific information relating to the formatting of the disk, the data stored there, and also contains a small program called the boot program (which loads the DOS system files). The boot program displays the familiar "Non-system Disk or Disk Error" message if the DOS system files are not present. It is also the program that gets infected by these viruses.
You get a boot sector virus by leaving an infected diskette in a drive and rebooting the machine. When the boot sector program is read and executed, the virus goes into memory and infects your hard drive.
Remember, because every disk has a boot sector, it is possible (and common) to infect a machine from a data disk.
NOTE: Both floppy diskettes and hard drives contain boot sectors.

Master Boot Record Infectors:

The first physical sector of every hard disk (Side 0, Track 0, Sector 1) contains the disk's Master Boot Record and Partition Table.
The Master Boot Record has a small program within it called the Master Boot Program which looks up the values in the partition table for the starting location of the bootable partition, and then tells the system to go there and execute any code it finds. Assuming your disk is set up properly, what it finds in that location (Side 1, Track 0, Sector 1) is a valid boot sector.
On floppy disks, these same viruses infect the boot sectors.

You get a Master Boot Record virus in exactly the same manner you get a boot sector virus -- by leaving an infected diskette in a drive and rebooting the machine. When the boot sector program is read and executed, the virus goes into memory and infects the MBR of your hard drive.
Again, because every disk has a boot sector, it is possible (and common) to infect a machine from a data disk.
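As an added example (not code from this page), here is a Python routine that reads the partition table the way the Master Boot Program described above does, locates the active partition, and compares the boot-code region against a known-good hash, which is how an integrity checker notices that an MBR infector has replaced the Master Boot Program. The sample MBR is constructed inline with one active partition at Side (head) 1, Track 0, Sector 1, and the classic 255-head, 63-sectors-per-track geometry is assumed for the CHS-to-LBA conversion.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR


def chs_to_lba(cyl, head, sect, heads=255, spt=63):
    """Convert a CHS address to LBA using the assumed 255-head, 63-sector geometry."""
    return (cyl * heads + head) * spt + (sect - 1)


def decode_chs(raw):
    """Decode the 3-byte packed CHS field of a partition entry into (cyl, head, sect)."""
    head = raw[0]
    sect = raw[1] & 0x3F
    cyl = ((raw[1] & 0xC0) << 2) | raw[2]
    return cyl, head, sect


def parse_mbr(mbr):
    """Parse one 512-byte sector: signature check, boot-code hash and partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, chs_start, ptype, chs_end, lba_start, n_sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,   # 0x80 marks the active (bootable) partition
            "type": ptype,
            "chs_start": decode_chs(chs_start),
            "lba_start": lba_start,
            "sectors": n_sectors,
        })
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": parts,
    }


def find_boot_target(mbr):
    """Return the LBA the Master Boot Program would jump to, or None if the MBR is unusable."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return None
    active = [p for p in info["partitions"] if p["bootable"]]
    return active[0]["lba_start"] if len(active) == 1 else None


def mbr_boot_code_changed(mbr, baseline_sha256):
    """Integrity check: True if the boot code no longer matches the known-good hash."""
    return parse_mbr(mbr)["boot_code_sha256"] != baseline_sha256


def build_sample_mbr():
    """Constructed sample MBR: NOP filler as boot code, one active partition whose
    CHS start is (cyl 0, head 1, sect 1), i.e. LBA 63, and a valid signature."""
    boot_code = b"\x90" * PART_TABLE_OFFSET
    entry = struct.pack("<B3sB3sII", 0x80, bytes([1, 1, 0]), 0x07,
                        bytes([0xFE, 0xFF, 0xFF]), 63, 2097152 - 63)
    table = entry + b"\x00" * 48  # three empty slots
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = parse_mbr(sample)["boot_code_sha256"]
    print("boot target LBA:", find_boot_target(sample))
    tampered = bytearray(sample)
    tampered[0] ^= 0xFF  # simulate a modified Master Boot Program
    print("tampered detected:", mbr_boot_code_changed(bytes(tampered), baseline))
```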

Direct Infector:

A virus that is active only while an infected file is being executed.

Memory-Resident Infector:

A Memory-Resident Infector virus is much like a conventional terminate-and-stay-resident program (TSR). It takes over the system when activated. A Memory Resident Infector maintains control of the system and continues to spread as you use your computer, even if you close the infected program. It keeps control until the computer’s memory is cleared by rebooting from a "cold boot", that is, a power off or the reset button. (Some viruses can survive a Control/Alt/Delete).

Polymorphic Virus:

A virus that deliberately changes its own programming code to prevent detection. Every file that a Polymorphic Virus infects will contain a different set of instructions, even though they are all infected with the same virus.

Stealth Virus:

A virus that actively seeks to conceal itself from discovery or defends itself against attempts to analyze or remove it.
Stealth viruses have special engineering that enables them to elude detection by traditional anti-virus tools. The stealth virus adds itself to a file or boot sector but, when you examine it, it appears normal and unchanged. The stealth virus performs this trickery by staying in memory after it is executed. From there, it monitors and intercepts your system's OS calls. When the system seeks to open an infected file, the stealth virus presents the uninfected version to the OS, thus hiding itself.
Some anti-virus scanners, using traditional techniques, can actually spread the virus. This is because they open and close files to scan them - and this gives the virus additional chances to propagate. These same scanners will also fail to detect stealth viruses, because the act of opening the file for the scan causes the virus to temporarily disinfect the file, making it appear normal.

Trojan Horse:

A stand-alone program that promises to be something useful or interesting (like a game), but may covertly damage or erase files on your computer while you are running it. Trojan Horses are not viruses. Trojan Horses are generally difficult to detect.

Some Trojan Horses contain communications routines that open a "backdoor" to your PC that lets a hacker use it for remotely attacking and infecting other computers while connected to the Internet.

Worm:

Programs that spread themselves from computer to computer over a network without user intervention.
Worms, unlike viruses, do not infect programs, diskettes, or files with macro capabilities. Instead, they make copies of themselves and send these copies over the network to other targeted machines by exploiting a vulnerability.
Like viruses, Worms come from anonymous or untraceable sources.
Worms are often equipped with dictionary-based password crackers and other cracker tools that enable them to penetrate more systems. Worms often steal or vandalize computer data.

Some Worms contain communications routines that open a "backdoor" to your PC that lets a hacker use it for remotely attacking and infecting other computers while connected to the Internet.

Worms that use security exploits can become widespread in a very short amount of time. Code Red, Nimda and Blaster are examples of worms that used security exploits to spread themselves quickly.



Notes:

E-mail viruses:
Just reading an e-mail message cannot cause a viral infection in your computer. But attached to a message there can be an executable file containing a virus. Never configure your e-mail program to automatically open attachments. Never open or execute attachments before they are examined by your (recently updated) antivirus program!
Consider all documents from an application controllable by a 'macro language', as executable files!

Keep your operating system and e-mail software updated, to eliminate vulnerabilities discovered in older versions that permit attachments to open automatically.
Configure your antivirus program to examine the contents of your e-mail.
Configure your e-mail program for high security (Restricted Zone, in Outlook Express).

Consider that some viruses fake the sending address to gain your confidence and get you to execute an attached program, believing it to come from a known address.
A good example is the W32.Klez@mm worm.
(for more information and an effective disinfecting program, see Symantec Security Response - W32.Klez.gen@mm)


Java and ActiveX:
Internet agents, such as Java or ActiveX, contain executable code that is a potential virus risk, though the problem is minimal at this moment.


Macro Viruses:


MS Word Macro Virus Family

The MS Word Macro family of viruses uses the WordBasic macro language to infect and replicate in and among MS Word documents and templates. Most notably, this new family of viruses is platform independent:
They will infect documents and templates on DOS, Windows 3.x, Windows 95, Windows NT, and Macintosh operating systems.


MS Excel Macro Virus Family

The MS Excel Macro family of viruses uses the ExcelBasic macro language to infect and replicate in and among MS Excel documents and templates. This new family of viruses tends to be platform dependent - they will not infect documents or templates on different operating systems.


Virus Hoaxes

Although there are thousands of viruses discovered each year, there are still some that only exist in the imaginations of the public and the press.

These are viruses that DO NOT EXIST, despite rumors of their creation and distribution.

Please ignore any messages regarding supposed "viruses" and do not pass on any messages regarding them.
Passing on messages about these hoaxes serves only to further propagate them. And some of them recommend that you erase files that are part of the Windows operating system: the virus is the message!

Symantec maintains a page with information on these Virus Hoaxes.


Rob Rosenberger maintains a site on Computer Virus Myths, hoaxes and urban legends at: Vmyths.com


Test your Anti-Virus Protection:


The EICAR Standard Anti-Virus Test File


This free test file is known as the "EICAR (European Institute for Computer Anti-virus Research) Standard Anti-Virus Test File".

It is safe to pass around, because it is not a virus, and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name: Sophos SWEEP, for example, calls it "EICAR-AV-Test").

The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"). It is also short and simple -- in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product which supports the EICAR test file should "detect" it in any executable file which starts with the following 68 characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Copyright © 1997 Sophos Plc.
All rights reserved.

Reprinted here by permission of Sophos Plc.


Original information from Paul Ducklin, 15th October 1997, Sophos (Updated on January 13 '03).



You can try creating your own copy of EICAR.txt (68 bytes) by selecting the 68 characters above, copying them into a new document in your text editor and saving the result as EICAR.txt.

Also, you can download and save a version of the file (from www.eicar.org).

Then, you should try to create a copy of EICAR.txt as EICAR.com; your Anti-Virus program should not let you create the new file. You should have to temporarily deactivate it.

After creating EICAR.com, re-activate your Anti-Virus program.

Then, you should try to run EICAR.com; your Anti-Virus program should not let you run EICAR.com. You should have to again temporarily deactivate it.

After running EICAR.com, again re-activate your Anti-Virus program.

Then you should scan the folder (directory) where you put EICAR.com; your Anti-Virus program should "detect" it as a virus.
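Added example (not from this page, nor from EICAR or Sophos): a small Python checker that implements the detection rule quoted above for the test file. It applies the stricter rule from the EICAR specification, which is not stated on the page: after the 68 characters only trailing whitespace is allowed, and the whole file must be at most 128 bytes. The scan_file() and is_printable_ascii() helpers are added here for illustration.

```python
import os
import tempfile

# The 68-character EICAR test string from the text, assembled from two halves at
# run time so that this script's own source does not contain the full string.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

# Per the EICAR specification (assumed here, not stated on the page): the file may
# carry trailing whitespace (space, tab, CR, LF, Ctrl-Z) but be at most 128 bytes.
TRAILING_OK = frozenset(b" \t\r\n\x1a")
MAX_LEN = 128


def is_eicar(data):
    """True if `data` is a valid EICAR test file: exactly the 68-byte string,
    optionally followed by whitespace, 128 bytes in total at most."""
    if not (len(EICAR) <= len(data) <= MAX_LEN):
        return False
    if data[:len(EICAR)] != EICAR:
        return False
    return all(b in TRAILING_OK for b in data[len(EICAR):])


def is_printable_ascii(data):
    """The text says the file is all printable ASCII; this verifies that claim."""
    return all(0x20 <= b < 0x7F for b in data)


def scan_file(path):
    """Report a file the way a scanner that supports the test file would."""
    with open(path, "rb") as f:
        head = f.read(MAX_LEN + 1)   # one extra byte so oversized files are rejected
    return "EICAR-AV-Test" if is_eicar(head) else "clean"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # A real on-access scanner may block this write; that is the expected
        # outcome of the manual procedure described above.
        path = os.path.join(d, "EICAR.txt")
        with open(path, "wb") as f:
            f.write(EICAR + b"\r\n")
        print(path, "->", scan_file(path))
```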




Anti-Virus Online Scanners


Analyze your PC Security with the Symantec Security Check:   (Free)

The Web-based Security Scan and Virus Detection will help ensure a safe and productive Internet experience for you and your family. Security Scan determines whether your PC is protected from hackers, viruses, and privacy threats. Virus Detection uses Symantec's virus detection technology to check for virus infections. After analyzing your PC's current level of protection, we'll show you how you can enjoy the Internet and protect yourself at the same time.

System Requirements:

  • Microsoft Windows 95/98/XP or Windows NT/2000, or Mac OS 8.1 or newer
  • Microsoft Internet Explorer 4.01 or newer (MS Internet Explorer 4.5 for the Mac)
  • Cookies must be enabled in your browser's security settings
  • If you are going through a firewall, it must be configured to transmit browser information (user agent) to the Web server
  • If you use the AOL browser, please upgrade to the latest version [Keyword: Upgrade]
  • ActiveX and Java Script must be enabled in your browser's security settings


Analyze your PC with the Trend Micro HouseCall AntiVirus - Scan Online:   (Free)

The Web-based HouseCall AntiVirus - Scan Online will help ensure a safe and productive Internet experience for you and your family. HouseCall uses Trend Micro's virus detection technology to check for and eliminate virus infections, spyware, worms and other malware.

System Requirements:

  • Microsoft Windows 95/98/XP or Windows NT/2000, or Mac OS X 10.4 or newer
  • Microsoft Internet Explorer 4.0, Mozilla Firefox 1.5 or newer
  • ActiveX or Java Script must be enabled in your browser's security settings
  • [HouseCall 6.5 has two independent Core Engines to choose from: ActiveX or Java]


Analyze your PC with the F-Secure Online Scanner:   (Free)

The Web-based F-Secure Online Virus Scanner will help ensure a safe and productive Internet experience for you and your family. The Online Virus Scanner uses F-Secure's virus detection technology to check for and eliminate virus infections and spyware.

System Requirements:

  • Microsoft Windows XP/2000/Vista
  • Microsoft Internet Explorer 6.0 or newer
  • ActiveX and Java Script must be enabled in your browser's security settings


Analyze your PC with the Panda Active Scan:   (Free analysis)

Analyze your PC with the Panda Active Scan for Virus, Spyware, Hacking and Potentially Unwanted Tools, Dialers, Security Risks and Suspicious files.


Don't Analyze your PC with the RAV AntiVirus - Scan Online

Secunia Advisory SA9424:
Release Date: 2003-08-04; Highly Critical
Impact: System access from remote
Solution Status: Unpatched

RAV ActiveX Component Remotely Exploitable Buffer Overflow:

Description:
A vulnerability has been identified in RAV AntiVirus online scanning ActiveX component possibly allowing malicious HTML documents to execute arbitrary code.

The problem is an unchecked buffer in the "update()" function.
Supplying a long string causes a buffer overflow which may allow malicious websites or emails to execute arbitrary code on the client system.

Solution: (in case you have used the RAV AntiVirus - Scan Online)
Delete the DLL files associated with the RAV AntiVirus online scanning ActiveX component.

Provided and/or discovered by: Tri Huynh from Sentry Union.


Procedure:
In Microsoft Internet Explorer 6, select "Internet Options" in the "Tools" menu.
In the "General" tab, select "Settings" for the "Temporary Internet files".
Select "View Objects".
Delete the "CRAVOnline" object by GeCAD.




Anti-Virus Software


AVG Anti-Virus:   (Free)

From April 24, 2008, you can get your free copy of the AVG Anti-Virus System - AVG 8.0 Free Edition, and you will be able to use it for an unlimited period of time. With AVG, you will get a high-end software solution for reliable protection against the threat of computer viruses from opening files, running programs and e-mail.
AVG Free is basic antivirus and antispyware protection for Windows Vista and XP.
[In various languages]

LinkScanner is a new security component included in the AVG 8.0 Free Edition, which provides the Search-Shield functionality. Its purpose is to scan all results of the supported Internet search engines (Yahoo!, Google, MSN) and provide you with an evaluation of the safety level of each Website found. At the same time, the LinkScanner also checks all Internet addresses typed into the address bar of your browser or linked from other Websites.

Get the latest version at AVG Anti-Virus Free Edition AVG Free Advisor, Grisoft Corporation


Comodo Internet Security:   (Free)

If you use Windows Vista or Windows XP SP2, install a complete security program, like the Comodo Internet Security (Free), offering complete protection from Hackers, Viruses, Spyware, Trojans and Identity theft, and a Host Intrusion Prevention System that stops malware from being installed. An extensive white list database of trusted applications helps reduce the number of initial alerts after installation. [Best results in the Matousec Firewall Challenge]


avast! 4 Home Edition:   (Free)

Free virus protection for your home PC

New viruses are being found "in the wild" all the time. Further, the speed at which these new viruses spread is increasing all the time. A key problem is not that antivirus programs do not detect such viruses, but the fact that most users do not use any antivirus program at all or, perhaps worse, the antivirus software and/or virus definitions database is out of date.
ALWIL Software, the producer of avast!, decided in June 2001 to help to solve this situation by offering avast! Home Edition free of charge for home users who do not use their computer for profit. To get industry leading antivirus protection for your home PC, download the software, and then register it.

Get the latest version at avast! 4 Home Edition Free [In various languages]


Use only one antivirus program at a time on your PC; two antivirus programs can interfere with each other and lock up your PC.


a-squared Free (Free Scanner)

A2 is a free-of-charge Anti-Trojan, Anti-Worm, Anti-Dialer and Anti-Spyware program offering optimal protection:

Security must not be a privilege.
Under this motto, EMSI Software provides the malware scanner a-squared Free completely free of charge for private use. It is not a limited version but a full tool to clean your computer of malware: not only spyware, as detected by classic anti-spyware programs, but especially Trojans, backdoors, worms, dialers, keyloggers and many other destructive pests that make surfing the Web dangerous. The interface is in English.
a-squared Free detects and eliminates intrusions that have already occurred and are residing on your PC.

Get the latest version at a-squared Free (EMSI Software)


McAfee AVERT Stinger:   (Free Scanner)

Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.

Get the latest version at McAfee AVERT Stinger



Symantec Security Response:

Virus Removal Tools Page (Free)



Original information from Symantec Security Response


Microsoft Windows Malicious Software Removal Tool:

Microsoft released on January '05 the Microsoft Windows Malicious Software Removal Tool to help remove specific, prevalent malicious software from computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000. You can download the Malicious Software Removal Tool from the Microsoft Download Center. You can also run an online version of the tool from the Microsoft Malicious Software Removal Tool Web site. To run the Malicious Software Removal Tool for the first time, you must log on to your computer with an account that is a member of the Administrators group. If you are running Windows XP, you can also run the Malicious Software Removal Tool from the Microsoft Windows Update Web site or by using Automatic Updates (this option suppresses the user interface of the tool, which runs in the background and then deletes itself).

The Malicious Software Removal Tool is released on the second Tuesday of every month. Each release of the tool helps detect and remove current, prevalent malicious software. This malicious software includes Viruses, Worms, and Trojan Horses. The tool can also remove any known variants at the time of release.

Each release of the tool is cumulative. That is, each release not only helps detect and remove new malicious software families, it also helps detect and remove all the malicious software covered in earlier versions. New variants of malicious software that was detected and removed in previous releases are also covered in each monthly release.

The Microsoft Knowledge Base article, KB 890830, will be updated with information for each monthly release so that the number of the relevant article remains the same.

This tool reports anonymous information back to Microsoft in the event that an infection is found or an error is encountered.



Updated: November 1 '08
