Virus Information
Common Virus Symptoms
Note: Most viruses cause several of these symptoms; however, these
symptoms may also be caused by hardware or software failures.
General Properties of Viruses
Viruses can carry another virus and infect the system with that
virus as well.
Can infect files even if they are just copied.
Can be polymorphic (capable of modifying its own code, with billions
of possible permutations; this makes the virus even more difficult
to detect).
Can be Memory resident or Non-memory Resident.
Can be a stealth virus (Will not manifest itself until it has
completed infecting the system)
Might not ever show any outward signs
How Viruses Affect Anti-Virus Software
Viruses can specifically target Anti-Virus programs, infecting
them or simply preventing them from finding the virus. The virus
may remove itself from infected files so that it will not be
detected. It may also move from memory into files, or from one
part of memory to another.
How Viruses Affect Files
Viruses can affect any kind of file but will generally attack
.COM, .EXE, .SYS, .BIN, .PIF or specific data files. These files
can be infected multiple times. Infected data files can appear to
be fine on infected systems, but on systems that are not infected
the data will be corrupted, with unpredictable results.
Files can be infected in the following ways:
The virus can increase their size and then hide the size difference if
the virus is memory resident.
It can corrupt files randomly.
It can cross-link data and executable files.
It can prevent files from being opened. An attempt to open such a file can result in the message "out of file handles."
It can delete files as they are executed.
It can cause write-protect errors when executing .EXE files from write-protected disks.
It can convert .EXE files to .COM format.
Infected programs may reboot the system upon execution.
How Viruses Affect CHKDSK
A virus may cause DOS CHKDSK to give false information. It may return file allocation errors, lost sectors, or cross-linking when none of these errors exist. It can also cause errors that do exist not to be reported.
Occasionally CHKDSK will give an "Invalid Drive Specification" error if it is run when the virus is present.
How Viruses Affect Write-able Media (Hard Drives and Floppies)
Once the hard drive is infected, the virus can infect any other non-write-protected disk that is accessed. It may:
Modify the File Allocation Table, changing the number of available sectors.
Overwrite or infect a diskette's boot sector or a hard drive's master boot record (partition table) and FAT.
Modify part of the root directory.
If the virus is resident, the altered master boot sector may not be detected.
Change the volume label.
Mark clusters as bad in the FAT.
Randomly overwrite sectors on the hard disk, or the entire hard drive. Attempts to access the HDD can result in the drive being inaccessible, giving the message "Invalid drive specification".
Cause file allocation errors and cross-linking.
Corrupt the logical partition; partitions may be decreased in size.
Occasionally a directory listing of the root directory might show garbage.
Alter the directory order so that .COM files, for example, appear first in the directory.
Reformat the hard drive.
Replace the Master Boot Record (MBR) of the hard drive with its own code. The original MBR is encrypted and hidden elsewhere on the drive. All attempts to read the MBR are routed through the virus, so Windows cannot use 32-bit disk access. Also, if the computer is started using a bootable floppy disk, it will appear as though the hard drive has no MBR.
Cause a "Sector not found" error message to appear when you attempt to execute an uninfected program from a write-protected diskette.
How Viruses Affect Other Hardware
A virus can cause intermittent printing problems with the system
printer.
It can disable COM1 and LPT1 and reset their counters.
The virus can activate and interfere with the keyboard, causing a
single keypress to repeat several times.
It can alter the system time.
It can randomly cause unexpected access to other drives.
It can randomly write data to the drive and to the system I/O
ports. This will most likely result in garbage being written to
the screen and possibly to the printer.
The system can experience intermittent system hangs.
How Viruses Affect Memory
Viruses almost always decrease or occupy available memory but
will generally try to hide that fact.
How Viruses Affect System Speed
Extends boot time.
Progressively slows down the system.
Increases disk access times.
Hangs the system, so that only a hard reset will clear it.
Outward Signs of Viruses
Can cause clicking noises, beeps, or music to be heard from the
speakers or on-board buzzer.
The system display may intermittently shake, and the system may hang.
A message may appear on the screen which may sound "genuine", such as:
"Internal stack overflow. System halted"
"Write fault error writing device COM1" when an attempt to copy a
file was made, even if the source and destination of the copy were
disk drives, not the COM port.
The virus may cascade what is displayed on the screen until it
reaches the bottom of the screen.
The virus may attempt to do a screen dump.
Detecting A Virus
Note: Before assuming that a virus is causing hardware or software
failures, check for hardware, software driver or TSR conflicts;
that is, try a clean system boot.
Some symptoms or results of virus activity may imitate hardware
failures. Run a virus scan (using McAfee Scan if available) if
any of the following symptoms occur:
1. Continuing and intermittent file or FAT corruption (cross-linked files or truncated files) detected by CHKDSK.EXE.
2. Diskettes are corrupted when written to.
3. Random reboots or random system lock ups.
4. Serial or parallel ports fail or are not detected.
5. Decrease of available DOS memory.
When a virus is detected, scan and clean ALL floppy diskettes to
prevent a re-infection.
If a virus scan program is not immediately available, the
following procedures may uncover a virus if it is present in the
system:
1. Check if a virus is loaded in memory. Many viruses are
terminate-and-stay-resident (TSR) programs. The following steps will
detect most unsophisticated viruses by comparing memory sizes on
a hard drive boot to a floppy drive boot.
a. Boot normally from the hard drive and type:
CHKDSK
b. Note the number listed in the "total bytes memory"
line. This value is usually "655360" or "654336".
c. Boot the system from a write-protected bootable diskette.
d. Type
CHKDSK
again and note the "total bytes memory" number. If this
number is different from the one noted in step 1b, a virus is probably present.
2. Check for stealth virus activity. Some viruses deliberately
hide file size growth when the virus is loaded in memory.
Normally, when these types of viruses are loaded, FAT allocations
are resolved by the virus. Booting the system from a clean
diskette will show the allocation errors that the virus created
hiding the file size growth.
a. Boot normally from the hard drive and type:
CHKDSK
b. Note any file allocation errors or lost clusters.
c. Boot from the write-protected bootable diskette.
d. Type
CHKDSK C:
e. If several more errors are detected than in step 2b, suspect
virus activity.
3. Check the boot sector.
a. Boot from a bootable diskette.
b. Type
DEBUG
c. Load the boot sector into memory by typing:
L 0000 2 0 1
d. Check for the beginning of the text string "Non-system
disk...", which is present in the real boot sector:
S 0000 1FFF 4E 6F 6E 20
e. An address will be displayed if the text string is found. If
the cursor moves to the next line without displaying an address,
the boot sector has probably been replaced. Quit from DEBUG (type
Q) and type:
FDISK /MBR
Repeat the procedure again, starting with step 3b, to verify the
boot sector is fixed.
4. Check the partition table. Some viruses hide in the partition
table to prevent deletion. FDISK may be used to check the partition
size.
a. Boot from a bootable diskette.
b. Run FDISK:
FDISK
c. Select option 4, "View Partition Table."
d. Under "Partition", "C:1" should have a "Usage" of 100%. If it
does not, and the drive has not been re-partitioned and the CMOS
hard drive type is correct, this may be a virus.
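The boot-sector check of step 3 and the partition-table check of step 4 can also be done offline against 512-byte sector images (for example, dumps taken from a suspect drive while it is attached to a clean system). The following Python script is an added example and is not part of this document or of any vendor's tool: check_boot_sector() does what the DEBUG search does (looks for the "Non-system disk" message a genuine DOS boot sector carries), and check_partition_usage() does what reading FDISK's "Usage" column does (decodes the four partition entries at offset 0x1BE of the MBR and reports how much of the disk they leave unaccounted for). The sector images, the disk size of 1,000,000 sectors and the partition layout are constructed for the demonstration, not taken from a real disk.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid boot sector / MBR
# The message a genuine DOS boot sector carries; the DEBUG step above searches
# for the first bytes of this string. Matched case-insensitively here.
EXPECTED_TEXT = b"non-system disk"
PARTITION_TABLE_OFFSET = 0x1BE
# One 16-byte entry: boot flag, CHS start (skipped), type, CHS end (skipped),
# LBA start, size in sectors; all little-endian.
ENTRY_FORMAT = "<B3xB3xII"


def check_boot_sector(sector):
    """Offline version of steps 3c-3e: look for the expected text in one sector.
    'suspect' is True when the text is absent (DEBUG would show no address)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    offset = sector.lower().find(EXPECTED_TEXT)
    return {
        "has_signature": sector[-2:] == BOOT_SIGNATURE,
        "text_offset": offset if offset >= 0 else None,
        "suspect": offset < 0,
    }


def parse_partition_table(mbr):
    """Decode the four 16-byte entries of a classic MBR partition table."""
    entries = []
    for index in range(4):
        boot_flag, ptype, lba_start, size = struct.unpack_from(
            ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * index)
        if ptype == 0 and size == 0:
            continue  # empty slot
        entries.append({"slot": index + 1, "bootable": boot_flag == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": size})
    return entries


def check_partition_usage(mbr, disk_sectors):
    """Offline version of step 4's FDISK 'Usage' check. The sectors before the
    first partition hold the MBR itself; any other space no partition covers is
    unaccounted for, which is where the text says a virus may hide."""
    parts = parse_partition_table(mbr)
    if not parts:
        return {"partitions": [], "usage_pct": 0.0,
                "unaccounted_sectors": disk_sectors, "suspect": True}
    reserved = min(p["lba_start"] for p in parts)
    used = sum(p["sectors"] for p in parts)
    unaccounted = disk_sectors - reserved - used
    usage_pct = round(100.0 * used / (disk_sectors - reserved), 1)
    return {"partitions": parts, "usage_pct": usage_pct,
            "unaccounted_sectors": unaccounted, "suspect": unaccounted > 0}


def build_sector(text=None, partitions=()):
    """Construct a 512-byte sector image for the demonstration (constructed
    data, not a dump of any real disk): optional message text at 0x150,
    optional partition entries given as (bootable, type, lba_start, sectors),
    and the 55AA signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"  # JMP SHORT + NOP, as at the start of a DOS boot sector
    if text:
        sector[0x150:0x150 + len(text)] = text
    for index, (bootable, ptype, lba_start, size) in enumerate(partitions):
        struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * index,
                         0x80 if bootable else 0x00, ptype, lba_start, size)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a disk of 1,000,000 sectors, first partition at sector 63.
DISK_SECTORS = 1_000_000
CLEAN_BOOT_SECTOR = build_sector(text=b"Non-System disk or disk error\r\n")
REPLACED_BOOT_SECTOR = build_sector(text=b"\x90" * 31)   # message gone, code replaced
CLEAN_MBR = build_sector(partitions=[(True, 0x06, 63, DISK_SECTORS - 63)])  # 100% usage
SHORT_MBR = build_sector(partitions=[(True, 0x06, 63, 900_000)])            # space left over

if __name__ == "__main__":
    for name, sec in (("clean boot sector", CLEAN_BOOT_SECTOR),
                      ("replaced boot sector", REPLACED_BOOT_SECTOR)):
        print(name, check_boot_sector(sec))
    for name, sec in (("clean MBR", CLEAN_MBR), ("short MBR", SHORT_MBR)):
        print(name, check_partition_usage(sec, DISK_SECTORS))
```

Two things to keep in mind when reading the results. The DEBUG command in step 3 loads sector 0 of drive C:, which is the DOS volume boot sector, whereas FDISK /MBR rewrites only the code portion of the master boot record in the first physical sector of the disk, so a practitioner will want to image and check both sectors. And a "Usage" below 100% is only a lead: a disk that was deliberately left partly unpartitioned, or a CMOS drive type that understates the disk size, gives the same reading, which is why the text conditions the verdict on those two checks.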
Common Viruses And Their Symptoms
Overview
Many viruses exhibit hardware failure symptoms and error
messages. Below, some of the common viruses are listed by their
symptoms. Use McAfee, Norton or PC Tools anti-virus software to
detect and remove the viruses. Most viruses can also be removed
by replacing the infected files with known-clean originals. Some
require the DOS FDISK /MBR and SYS commands to replace the damaged boot
record and COMMAND.COM.
Symptoms & Errors Caused By Viruses
Symptom or error message: viruses known to cause it
"Bad or missing command interpreter": HAPPY NEW YEAR, GUPPY, LEPROSY
COM1 and LPT1 are disabled: AZUSA
"Write fault error writing device COM1": BLJEC
"Write fault error on device PRN": POSSESSED
"Divide Overflow": ANTO, CHECKSUM-1569, FEIST, LOCKUP, MUTATION INTERRUPT, TERMINATOR-3549, VCL, VIENNA, YUKON OVERWRITING
Disk drive spins continuously: 382
"General Failure error reading drive": ATHENS
"Sector not found, not ready error reading drive": HYDRA-4, PASCAL-4260, WILLISTROVER III
"Invalid drive specification": 1452
"Invalid drive or file name": 2568, ATTENTION, BEEPER, CHANGSHA, EUROPE-92, EXEBUG, GODOY, GROWING BLOCK, GUPPY, MONKEY, R-11, SOLANO-2000, TIMID
"Internal stack overflow. System halted": AIRCOP, CAZ, KEYPRESS, GUILLON
"Keyboard stuck key failure": SENTINEL-5
Print Screen key failure: 1024 PS
"Sector Not Found": NOMENKLATURA
System beeps and buzzes: ALL SYS 9, BOMBER, CHRIS, EUROPE-92, IRAQI WARRIOR, KEYPRESS, MURPHY, PARASITE
"Unrecoverable system error, system halted": MUNICH