
Computer Viruses

Introduction to Viruses

 

What is a computer virus? How can you avoid a nasty infection? For this and other Frequently Asked Questions, see the Introduction to Viruses below.

 

Warnings and Notices

 

Check these sites for the latest warnings and information about computer viruses.

Library and Computing News - user friendly notices
Latest Virus News - the latest alerts from Sophos.com
Symantec website - another site to look for alerts and fixes.

 

JCU Virus Protection

 

JCU has a site license for Sophos Anti-virus software

Licensing and Offers - Sophos Licensing Documentation
Sophos for JCU staff and student standalone and home use only
IT Support Sophos Installation Guide
Sophos Website

 

 

Introduction to Viruses


An InfoHelp How To...? Guide


  • What is a Computer Virus?
  • What kind of files can spread Viruses?
  • How do Viruses spread?
  • What do Viruses do to Computers?
  • Virus Hoaxes
  • What's the story on Viruses and e-mail?
  • What is 'spoofing'? Is it some kind of spam?
  • What is Phishing?
  • What can I do to reduce the chance of getting viruses from E-mail?
  • How did spammers obtain my email address?
  • Some general tips on avoiding Virus infections
  • Dealing with Virus infections

1. What is a computer virus?

A computer virus is a program designed to spread itself by first infecting program files or the system areas of hard and floppy disks and then making copies of itself. Viruses usually operate without the knowledge of the computer user.

 


2. What kind of files can spread viruses?

Viruses can infect any type of executable code, not just the files that are commonly called 'program files'. Viruses can be spread by:

  • Executable code in the boot sector of infected floppy disks
  • Executable code in the system area of infected hard drives
  • Word processing and spreadsheet documents that use infected macros
  • Infected HTML documents that contain JavaScript or other types of executable code

Since virus code must be executed (run) to have any effect, files that the computer treats as pure data are safe. This includes graphics and sound files such as .gif, .jpg, .mp3, .wav, etc., as well as plain text in .txt files. For example, just viewing picture files won't infect your computer with a virus. The virus code has to be in a form, such as an .exe program file or a Word .doc file, that the computer will actually try to execute.

Note: A security vulnerability does exist in Windows XP SP1 and some versions of Microsoft software like Office 2003. A buffer overrun vulnerability exists in the processing of .jpg image formats that could allow remote code execution on an affected system. See here for more information.

 


3. How do viruses spread?

When you start a program that's infected by a virus, the virus code will execute (run) and try to infect other programs. This can infect the same computer or other computers connected to it on a network. The newly infected programs will try to infect more programs and computers.

When you share a copy of an infected file with other computer users, opening the file may also infect their computers; and files from those computers may spread the infection to yet more computers.

If your computer is infected with a boot sector virus, the virus tries to write copies of itself to the system areas of floppy disks and hard disks. The infected floppy disks may then infect other computers that boot from them, and the virus on each of those computers will try to infect more floppies inserted into it.

 


4. What do viruses do to computers?

Viruses are software programs; the actual effect of a virus depends on how it was programmed by the person who wrote the virus.

Some viruses are designed to overwrite boot sectors and interfere with your computer's operation (boot viruses); others damage your computer's memory operation and then try to spread themselves around by picking up e-mail or network addresses off your computer (worm viruses). Still others will wipe files from the hard drive and destroy system files (Trojan viruses), and finally there are ones that infect document files, electronic spreadsheets and databases of several popular software packages (Macro viruses).

Viruses can't do any damage to hardware: they won't melt down your CPU, burn out your hard drive, cause your monitor to explode, etc. Warnings about viruses that will physically destroy your computer are usually hoaxes, not legitimate virus warnings.

 


5. Virus Hoaxes

With increased use of the Internet there is a growing number of viruses that can be spread via email. Many computer users use the Internet to warn friends and colleagues of these threats. At the same time, there has also been a growth of virus hoax warnings. These warnings describe viruses with impossible characteristics. They can cause panic and lead to misconceptions about computer viruses. Forwarding these hoax warnings on only perpetuates the problem, and can waste time and system resources.

Identifying a Hoax

Virus hoaxes follow a basic pattern, which should give them away for what they are. Typical phrases in the body of a virus hoax might be:

  • Do not open! Doing so will result in the deletion of all of the files on your hard drive!
  • Forward this message to all your friends!
  • This is not a hoax!
  • Look for emphatic statements, the frequent use of UPPERCASE LETTERS and multiple exclamation points!!!!!!!

Basically, warning messages encouraging you to forward the information to all your email contacts will often be hoaxes. Read these messages carefully and use your common sense. Look for inconsistencies. Some hoaxes have nothing to do with viruses; instead they may promise the user something for free in return for forwarding the message. A good source of information on common e-mail hoaxes can be found at: http://www.symantec.com/avcenter/hoax.html

 


6. What's the story on viruses and E-mail?

You can't get a virus just by reading a plain-text E-mail message or Usenet post. What you have to watch out for are encoded messages containing embedded executable code (e.g., JavaScript in an HTML message) or messages that include an executable file attachment (e.g., an encoded program file or a Word document containing macros).

In order to activate a virus, your computer has to execute (or run) some type of code. This could be a program attached to an E-mail, a Word document you downloaded from the Internet, or something received on a floppy disk. There's no special hazard in files attached to Usenet posts or E-mail messages: they're no more dangerous than any other file.

Here are some points to remember when receiving or reading email messages:

  1. If you receive an email with an attached file from an unknown source, simply delete it.
  2. Virus programs must have code that is executed in order to infect. If you "double-click" an attached file on an email message, you are executing code and may infect your machine.

Note: Newer anti-virus software is capable of scanning these attachments before they are opened. James Cook University uses a virus protection program called Sophos, which scans all incoming and outgoing email message attachments for viruses. If it detects a virus it will replace the infected file with a "Virus Warning.txt" file to prevent the recipient's computer from becoming infected. For more information see the Email Spam and Attachments Guide.

 


7. What is 'spoofing'? Is it some kind of spam?

No, 'spoofing' is not spam; it is caused by a computer virus. 'Sender forging' or 'spoofing' is when an email address of an infected computer is replaced with another address, often randomly plucked off the infected computer by the virus. Sender forging is normally done just before the virus sends itself out to more potential victims. By changing the address in the 'Sender' field, no one knows who sent the email or where it came from.

Some gateway applications that scan email attachments for viral content send an automatic email reply when a virus is found. If the 'Sender' name has been forged, the auto-reply can be received by an innocent party, causing undue confusion and stress.

We recommend that users do not respond to emails from auto-responders accusing them of being infected and spreading a virus. However, you should consider double-checking your computer for the latest viruses just in case you are genuinely infected.

Known viruses that employ 'spoofing' as a method of propagation are: BugBear, Fizzer, Mimail, Klez and Sobig-F.

 


8. What is Phishing?

Phishing attempts to fraudulently acquire sensitive information, such as usernames, passwords and credit card details. Recent phishing attempts have targeted the customers of banks and online payment services like eBay and PayPal. Phishing is typically carried out using email or an instant message, and often directs users to give details at a website, although phone contact has been used as well. The techniques employed involve link manipulation and website forgery, so be very careful about clicking on links contained in email, even from known contacts. More information on Phishing can be found at Wikipedia here:

http://en.wikipedia.org/wiki/Phishing

 


9. What can I do to reduce the chance of getting viruses from E-mail?

Treat any file attachments that might contain executable code as carefully as you would any other new files: save the attachment to floppy disk and check it with an up-to-date virus scanner before opening the file.

If your E-mail or news software has the ability to automatically execute JavaScript, Word macros, or other executable code contained in or attached to a message, disable this feature.

If an executable file (extensions like .EXE .COM or .VBS) shows up unexpectedly attached to an e-mail, you should delete it unless you can positively verify what it is, who it came from, and why it was sent to you.

Just because an E-mail appears to come from someone you trust, this does NOT mean the file is safe or that the supposed sender had anything to do with it.
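The attachment advice in sections 6 and 9 can be applied automatically before a message is opened. The following is an added example, not part of the original guide or of Sophos: it walks the parts of a message and reports attachments with the executable extensions named above, including ones hidden behind a second extension. The function names, the macro-format list and the sample message are assumptions made for the illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the guide names; extend the set to suit local policy.
EXECUTABLE_EXTS = {".exe", ".com", ".vbs"}
# Office formats that can carry macros (assumed list for this example).
MACRO_EXTS = {".doc", ".xls"}

def screen_attachments(raw_message: bytes):
    """Return (filename, reason) pairs for attachments to scan or delete.

    The From header is deliberately ignored: a trusted-looking sender
    says nothing about whether the attached file is safe.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or container part, not a named attachment
        # Windows ignores trailing dots and spaces, so "a.exe." still runs.
        stem, ext = os.path.splitext(name.lower().rstrip(". "))
        if ext in EXECUTABLE_EXTS:
            # "report.txt.exe" displays as "report.txt" when extensions are hidden.
            hidden = os.path.splitext(stem)[1] != ""
            findings.append((name, "disguised executable" if hidden else "executable"))
        elif ext in MACRO_EXTS:
            findings.append((name, "may contain macros"))
    return findings

def build_sample() -> bytes:
    """Constructed test message with three attachments (not real mail)."""
    m = EmailMessage()
    m["From"] = "colleague@example.edu"
    m["To"] = "you@example.edu"
    m["Subject"] = "Report"
    m.set_content("See attached.")
    for data, main, sub, fname in [
            (b"MZ", "application", "octet-stream", "report.txt.exe"),
            (b"\xd0\xcf", "application", "msword", "minutes.doc"),
            (b"GIF89a", "image", "gif", "logo.gif")]:
        m.add_attachment(data, maintype=main, subtype=sub, filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for fname, reason in screen_attachments(build_sample()):
        print(f"{fname}: {reason}")
```

A filename check like this only decides which files need attention; each flagged file still has to be checked with an up-to-date virus scanner or deleted.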

 


10. How did Spammers obtain my email address?

Rest assured that it was not from a direct intrusion against one of our servers like LearnJCU. We have security measures in place which would prevent that, and the Student Contact details as found on the Contacts page can only be accessed from an internal (JCU IP address) connection. Some of the most common ways that spammers extract email addresses are:

  • By searching. They use specialized search engines (Spambots) to automatically collect email addresses from web pages, newsgroups, bulletin boards, discussion forums, white & yellow pages, mailing lists, etc.
  • By guessing. They can generate a random sequence of characters, hoping to match a few valid addresses.
  • By purchasing. They can buy or exchange email addresses from other spammers.
  • By gaining access to someone's computer through Trojan viruses. If that person has you in their address book, the spammers obtain your address from there.
  • By social engineering. Spammers use a hoax to trick people into giving their email addresses.
  • People may be required to submit their email addresses on the Internet (e.g. before downloading some software or subscribing to a forum), and these email addresses may be released to unknown persons.
  • People may leave their email addresses in dubious questionnaires that are found on the Internet.

 


Some general tips on avoiding virus infections:

  1. Install anti-virus software from a well-known, reputable company, UPDATE it regularly, and USE it regularly. New viruses come out every single day; an anti-virus program that hasn't been updated for several months will not provide much protection against current viruses. Sophos is the university standard virus protection software (see JCU standing offers). Contact your faculty IT Support Officer (or log a call with them through InfoHelp) to arrange to have Sophos installed on your office computer, or consult the Sophos Guide to install the software on your home computer.
  2. In addition to scanning for viruses on a regular basis, install an 'on access' scanner (included in most good anti-virus software packages) and set it to start automatically when you start your computer. This will protect you by checking for viruses each time your computer accesses an executable file. Note: All computers in the GATCF labs have virus protection software installed on them that performs this function automatically for you.
  3. Virus scan any new programs or other files that may contain executable code before you run or open them, no matter where they come from. There have been cases of commercially distributed floppy disks and CD-ROMs spreading virus infections.
  4. Anti-virus programs aren't very good at detecting Trojan horse programs, so be extremely careful about opening text-only files and Word/Excel documents from unknown or 'dubious' sources. This includes posts in newsgroups, downloads from web or ftp sites that aren't well-known or don't have a good reputation, and executable files unexpectedly received as attachments to e-mail or during an on-line chat session.
  5. You should make sure that Macro Virus Protection is enabled in all Microsoft programs, and you should NEVER run macros in a document unless you know what they do. No normal person adds macros to a document, so avoiding all macros is the smart thing to do.
  6. If your e-mail or news software has the ability to automatically execute JavaScript, Word macros, or other executable code contained in or attached to a message (the main culprit here is Outlook Express), I strongly recommend that you disable this feature.
  7. Be extremely careful about accepting programs or other files during on-line chat sessions: this seems to be one of the more common means that people wind up with virus or Trojan horse problems. And if any other family members (especially younger ones) use the computer, make sure they know not to accept any files while using chat.
  8. Do regular backups. Some viruses and Trojan horse programs will erase or corrupt files on your hard drive, and a recent backup may be the only way to recover your data.

Ideally, you should back up your entire system on a regular basis. If this isn't practical, at least backup files that you can't afford to lose or that would be difficult to replace: important documents, bookmark files, address books, e-mail, etc.

 


Dealing with virus infections:

First, keep in mind InfoHelp's "First Law of Computer Virus Complaints":

"Just because your computer is acting strangely or one of your programs doesn't work right, this does NOT mean that your computer has a virus."

  1. If you haven't used a good, up-to-date anti-virus program on your computer, do that first. Many problems blamed on viruses are actually caused by software configuration errors or other problems that have nothing to do with a virus.
  2. If you do get infected by a virus, follow the directions in your anti-virus program for cleaning it. If you have backup copies of the infected files, use those to restore the files. Check the files you restore to make sure your backups weren't infected.
  3. For assistance, check the web site and support services for your anti-virus software.
  4. If you are on campus and using a JCU owned computer then contact InfoHelp. We will either be able to assist you directly or refer your problem to your Faculty/School IT Support Officer.

Note: In general, drastic measures such as formatting your hard drive or using FDISK should be avoided. They usually don't fix a virus infection, and may do more harm than good, unless you're very knowledgeable about the effects of the particular virus you're dealing with.
