Ref: 09580007
Title: Cleaning Up Computer Viruses
Date: 2/18/91

Copyright 3Com Corporation, 1991.  All rights reserved.

A "virus" is a nasty little program which is usually designed to destroy data
on your computer system.  Viruses may appear to be ordinary executable
programs, but they contain extra code that helps the virus to attach itself
to the host program(s).  (An "executable program" is directly executed by
the microprocessor of your system, and normally has a file extension of .COM,
.EXE, or .BAT.)

For example, a virus may enter the host via mail, gain root privilege, and
modify any existing program or file, or even the system kernel.  This
includes device drivers, even if they are linked to the kernel.  In some
cases, the virus can also be delivered by or infect a .SYS, .OVL, .BIN, or
.LIB file.  Even though these files are not normally considered executable,
the virus can attach itself to them and gain a slice of processor time when
they are loaded into memory.

Usually, the primary function of a virus is to replicate itself.  To do
this, the virus program searches disks and system memory for an appropriate
host program, such as the COMMAND.COM program on your system's hard disk.
Then the virus scans the host program for a specific, pre-programmed location
and changes one or more bytes of code to cause the execution of the newly
infected host program to "jump" into the attached viral code and execute it
instead of following the original program's execution sequence.  When
executed, the viral code will normally do such things as:

   *  Reproduce itself a specific number of times or until a specific
      date

   *  Search out a specific file or group of files and modify or
      randomize them

   *  Modify or randomize critical portions of your hard disk's format
      or specific sectors in your boot track or directory structure

   *  Many other nasty things, including copying password files and
      resetting permissions

After the virus has performed its task, it then redirects execution back
into the host program.  The host program will continue to operate normally
until a prearranged event occurs, such as a specific date and time, or until
the virus has infected a number of copies of the host program; at that point
the virus attacks the host system.

As the common "hitchhiker" virus has evolved, it has become more sophisticated
and found other ways to replicate itself and to hide in the system.  Modern
viruses can hide in the computer's boot sector or even in the hard disk
partition table.  Some very sophisticated virus programs are Terminate and
Stay Resident (TSR) programs that hide in the system's memory and execute in
every spare cycle of the system's microprocessor.
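The boot-sector and partition-table hiding places described above can be checked from outside the infected system by comparing the first sector of a disk with a copy recorded while the machine was known to be clean.  The following Python script is an added example, not part of this 3Com note and not any vendor's scanner: it validates the 0x55AA boot signature, decodes the four partition entries of a master boot record, checks that a DOS volume boot record begins with a jump over the BIOS parameter block, and reports any sector whose SHA-256 differs from the recorded one.  The sector images, partition values and OEM name are constructed inside the script and are not taken from a real disk.

```python
"""Inspect a 512-byte DOS boot sector / master boot record and compare it
with a known-good copy.  Added example with constructed sample sectors."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries live at 446..509
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510..511 of every bootable sector


def has_boot_signature(sector: bytes) -> bool:
    """A bootable sector must be exactly 512 bytes and end with 0x55 0xAA."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_partition_table(mbr: bytes) -> list:
    """Decode the used entries of an MBR partition table.
    Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sectors."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue                      # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def vbr_jump_ok(vbr: bytes) -> bool:
    """A DOS volume boot record starts with a short jump (EB xx 90) or a
    near jump (E9 xx xx) over the BIOS parameter block."""
    return (vbr[0] == 0xEB and vbr[2] == 0x90) or vbr[0] == 0xE9


def sector_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; record it while the disk is known clean."""
    return hashlib.sha256(sector).hexdigest()


def check_sector(sector: bytes, known_good: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if not has_boot_signature(sector):
        findings.append("missing 0x55AA boot signature")
    if sector_fingerprint(sector) != known_good:
        findings.append("sector differs from known-good copy")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, one bootable FAT16 partition."""
    code = b"\x90" * PART_TABLE_OFFSET
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\xFF\xFF", 63, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_sample_vbr() -> bytes:
    """Constructed DOS volume boot record: jump, OEM name, zeroed BPB."""
    head = b"\xEB\x3C\x90" + b"MSDOS5.0"
    return head + b"\x00" * (SECTOR_SIZE - len(head) - 2) + BOOT_SIGNATURE


def demo() -> dict:
    mbr = build_sample_mbr()
    baseline = sector_fingerprint(mbr)    # recorded while the disk was clean
    # Simulate a boot-sector infection: the code area changes but the
    # partition table and signature are kept, so the disk still boots and a
    # signature check alone would pass.
    infected = b"\xEB\x10\x90" + mbr[3:]
    return {"partitions": parse_partition_table(mbr),
            "clean_findings": check_sector(mbr, baseline),
            "infected_findings": check_sector(infected, baseline),
            "infected_signature_ok": has_boot_signature(infected),
            "vbr_jump_ok": vbr_jump_ok(build_sample_vbr())}
```

The point of the demo is the last two results: the modified sector still carries a valid boot signature, so only the comparison with the recorded fingerprint catches the change.  Store that fingerprint on write-protected media, never on the disk being checked.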

Viruses can be transmitted by floppy disk or through most systems that
have a COM or PARALLEL port.  Therefore, 3Stations are not immune to them.


ARE YOU A GOOD CANDIDATE FOR A VIRUS?

Whether or not you are a good candidate for a virus depends on how much
unrestricted access the outside world has with your system.  Remember,
however, that a virus is not dangerous until it is EXECUTED.  You can copy
an infected program from one disk to another, but the virus will not execute
until its host program is executed.  Thus, data files such as word processing
documents generally do not make good hosts.  A host program must at some
time be loaded into memory and executed.  Although we have all heard horror
stories about viruses destroying huge amounts of data, the percentage of
systems that have actually been infected is statistically quite small.
For systems that were operated with discretion and common sense, the
percentage of infection is even smaller.


HOW TO PROTECT YOUR SYSTEM

1.  Know where all new programs come from.  Be especially careful of game
and utility programs, or programs that sound "too good to be true" from
Bulletin Board Systems.  (Most BBS operators are very careful about bombs
and viruses, and check every program which is uploaded to their systems.
However, a clever virus can still get through.)  Also, be wary of programs
or disks that were obtained from educational institutions.

2.  Isolate and test all new programs on a system that is totally separate
from your network.  Set up the isolated computer system with an immunizing
program running on it to check for virus-infected or bomb programs.  There
are many public domain, shareware, and commercial programs to help you
discover and destroy viruses; for example, Flushot and Interferon.

3.  Establish a procedure for viral detection and removal on both servers
and workstations.  Here are two good virus detection programs:

    SCAN.EXE
    Will scan all files on the hard drive *including* the boot sector and
    FAT table, and therefore CANNOT BE RUN ON A NETWORK DRIVE.  It
    should be used on a local hard disk or floppy.

    NETSCAN.EXE  by McAfee Associates  (408) 988-3832.
                They also have a BBS at (408) 988-4004.
    Will do the same scanning but not try to scan the boot sector and
    FATs, so it is suited for network drives.

4.  For the truly paranoid administrator, there are many private companies
that will examine your systems and destroy any viruses, bombs, or Trojan
programs.
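The earlier description of how a virus changes bytes in its host program, and step 3's call for a detection procedure on servers and workstations, both come down to the same defensive check: know what your program files looked like when they were clean, and notice when they change.  The Python script below is an added example, not 3Com's code and not SCAN.EXE or NETSCAN.EXE: it records the size and SHA-256 of every file with one of the executable or loadable extensions named in this note, then reports files that were modified, grew (the usual sign of code appended to a host), appeared, or disappeared.  The sample files, their names and contents are constructed inside the script.

```python
"""Integrity baseline for program files: record size and SHA-256 of every
program file under a directory, then report anything that changed.
Added example; the sample tree and file names are constructed."""
import hashlib
import json
import os
import shutil
import tempfile

# Extensions the note treats as executable or loadable into memory.
PROGRAM_EXTENSIONS = {".com", ".exe", ".bat", ".sys", ".ovl", ".bin", ".lib"}


def is_program_file(name: str) -> bool:
    return os.path.splitext(name)[1].lower() in PROGRAM_EXTENSIONS


def file_record(path: str) -> dict:
    """Size and SHA-256 of one file, hashed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


def build_baseline(root: str) -> dict:
    """Map each program file (path relative to root) to its size and hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_program_file(name):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_record(full)
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the current tree with the baseline.  A file whose hash changed
    and whose size grew is reported as 'grown', the classic sign of an
    appending infector; other hash changes are 'modified'."""
    current = build_baseline(root)
    report = {"modified": [], "grown": [], "new": [], "missing": []}
    for rel, rec in current.items():
        old = baseline.get(rel)
        if old is None:
            report["new"].append(rel)
        elif old["sha256"] != rec["sha256"]:
            report["grown" if rec["size"] > old["size"] else "modified"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    for key in report:
        report[key].sort()
    return report


def save_baseline(baseline: dict, path: str) -> None:
    """Write the baseline as JSON; keep it on write-protected or offline media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="baseline_demo_")
    try:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed sample tree; contents are dummy bytes, not real programs.
        write("COMMAND.COM", b"\x90" * 100)
        write("DOS/FORMAT.EXE", b"MZ" + b"\x00" * 200)
        write("AUTOEXEC.BAT", b"@ECHO OFF\r\n")
        write("README.TXT", b"not a program file\r\n")
        baseline = build_baseline(root)
        save_baseline(baseline, os.path.join(root, "baseline.json"))

        # What an infection of COMMAND.COM looks like to the checker: the
        # first bytes change and extra bytes are appended at the end.
        with open(os.path.join(root, "COMMAND.COM"), "r+b") as f:
            f.write(b"\xE9\x00\x00")
            f.seek(0, os.SEEK_END)
            f.write(b"\xCC" * 48)
        write("GAME.COM", b"\x90" * 10)              # unexpected new program
        os.remove(os.path.join(root, "AUTOEXEC.BAT"))
        return verify(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run build_baseline on the isolated test system from step 2 and again after any new software is installed; the same verify function run against a restored backup tells you whether the backup itself carries the change.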


CLEANING AN INFECTED PC

To remove a detected virus from your PC, follow these steps:

1.  Reboot your system from a write-protected DOS disk.

2.  Erase the infected program, preferably with a program such as Norton's
WIPEFILE which actively writes to each byte in each disk sector that
contained the old file.

3.  Reinstall the system files on your disk using the write-protected DOS
disk you used in step 1, and the DOS SYS program.  This will rewrite
your boot sectors, to erase any virus located there.

4.  If the infection still persists, REFORMAT your disk drive.  This is
a good idea any time after a viral infection or a bomb, to increase your
chances of erasing all replicated copies of the virus.

Note:  If you have an infected disk partition table, a simple DOS format
will not destroy the virus.  A "low level" format is required.  A low level
format is usually performed by a computer maintenance technician or a very
knowledgeable user.  If you are not sure how to perform a low level format,
seek knowledgeable help.

5.  It is a good idea to destroy floppy disks that were used on the
infected system.  In some cases, this can amount to a large number of disks.
Check all the other systems that have been in contact with the infected
system, and especially, check all your backups!  Be very careful that your
backup tapes or diskettes have not been infected, or you will continue to be
plagued with infections until you have erased every infected tape and
diskette.
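Step 2 prefers a tool that overwrites every byte of the infected file rather than merely deleting its directory entry.  The Python function below is an added example, not WIPEFILE and not 3Com's code: it overwrites the file with zeros in place for a chosen number of passes, forces the writes to disk, and only then unlinks the file.  The sample file is constructed in a temporary directory.  The caveat is an assumption about your platform: on journaling, copy-on-write or SSD-backed storage the old sectors may survive an overwrite, which is one more reason the note's advice to reformat after an infection still stands.

```python
"""Overwrite a file's bytes in place before unlinking it.  Added example."""
import os
import tempfile

CHUNK = 64 * 1024


def wipe_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` with zeros `passes` times, flush and
    fsync each pass, then remove the directory entry.  Returns the total
    number of bytes written.  Assumption: the filesystem overwrites sectors
    in place; journaling, copy-on-write and SSD wear levelling may not."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return size * passes


def demo() -> dict:
    """Constructed sample: a dummy program file in a temporary location."""
    fd, path = tempfile.mkstemp(suffix=".COM")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x90" * 3000)
    overwritten = wipe_file(path, passes=2)
    return {"bytes_overwritten": overwritten, "still_exists": os.path.exists(path)}
```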


CLEANING AN INFECTED 3COM SERVER

In the event that you are working on an infected 3Com server, follow
these steps to clean it without having to reformat the disk:

1.  Establish a 3C connection.

2.  Successfully scan all partitions using SCAN.EXE or an equivalent virus
detector program.

3.  Delete all infected files and replace them with safe ones.

Note:  If 3+Start is installed, all C:\3PLUS(3OPEN)\3START\STARTVOL\*.STR
files will not be scanned and a "No virus found" diagnostic does not
necessarily mean you are out of trouble.  You need to reboot the server
and scan all start volumes on-line, that is, boot a 3Station from each
start volume available and run SCAN C: in turn for all volumes.

After cleaning the system of all infections, you may want to consider
doing daily backups.


VIRUS NAMES

The twelve most common viruses, accounting for almost all PC infections, are

     Pakistani Brain        Lehigh              Jerusalem
     Den Zuk                Alameda             Datacrime (1280/1168)
     Cascade (1701/1704)    Stoned              Ping Pong
     Fu Manchu              Vienna (DOS 62)     April First


Other viruses which are common in Europe but rarely found in the US are

     3066 virus (Traceback)   Icelandic virus
     405 virus                Pentagon Virus

