Computer Viruses

(The following paper is a reprint of the FORENSIC NEWSLETTER, issue No. 2, 9 September 1994.)

By DAVID E. BARNES Ph.D.
IBIS Imaging Systems

A computer virus may be merely irritating in certain instances, perplexing in other cases, and probably fatal to the computer system in some situations. Viruses can destroy the file and directory structure of your hard disk, re-format your hard disk, or simply overwrite your data files with meaningless characters. Like biological viruses, computer viruses can replicate and spread! They can travel across a local area network or through a serial communication line. The most common means of "infection" of a computer, however, is via the floppy disk. Borrowing a file or new program from a friend can infect the system, and the virus may lie dormant for weeks or months before it executes its destruct sequence.

A virus is simply a program written by someone with the intent of destroying your data. There are over a thousand varieties with names like Stoned, Michelangelo, Friday the 13th, AIDS, Black Monday and Crazy Eddie, with new varieties being discovered weekly (monthly?). A computer virus can also replicate itself (a mutation) in rare cases. Viruses can be classified by how they spread from system to system as well as by how they affect the system. Boot sector viruses replace the hard disk's boot sector and thus are always loaded into computer memory before any other programs. File viruses attach to a program, i.e., any file with a .COM, .EXE, or .SYS extension, and are loaded into system memory when the program is executed. Once in memory, the virus can spread to other files, infecting them as well. A Trojan virus is typically hidden within a utility or game which is free, but in fact is a program intended to infect and destroy data on your system. Some authorities may not categorize a Trojan as a virus, but the effect is the same: destroyed data. Newer viruses, called stealth and polymorphic, may act as either boot or file viruses. The stealth virus attempts to conceal itself from antiviral software, while the polymorphic type changes its own code when replicating to avoid detection by antiviral software.

What can you do to protect your data from "infection" and your valuable data files from an early demise? Number One is the task which users fail to do often enough, if at all, and that is BACKUP! A routine backup will not only protect your system (data) from computer viruses, but from the loss of data as a result of power outages, hardware failure (hard disks do die eventually), and accidental, or intentional, loss of data (format c: /u, OOPS!). If you have copies of all of your programs, utilities, diagnostics, etc. on floppy disks, it is easy but time consuming to rebuild your hard disk if one of the nasty viruses causes a system crash. The only thing missing might be the most current data files, which should be routinely backed up to floppy disks. Tape back-up systems make this process a little easier and faster. In the case of imaging systems, the data files are usually rather large and an optical disk system may be the preferred media. Another step in the category of BACKUP is to have a BOOT DISK. A boot disk is a floppy disk, 5.25 or 3.5 inch depending on which size the A: drive takes, which the system can "boot" from if the hard disk happens to fail. It also should contain some useful utilities such as Norton's Disk Doctor as well as a copy of some type of anti-viral software. In the case of a system failure, where the hard drive will not boot, the boot disk can be utilized to boot the system and hopefully repair it.

Luckily, there are many anti-viral software programs available to guard your system. Norton Utilities has a feature called DISKMON (disk monitor) which will alert the user to any program which attempts to write to the boot or system areas. Norton also separately markets a program called "Norton Antivirus." PC Tools also includes utilities for scanning your disk for a list of viruses and a "cleaning" utility to remove the virus. If you have upgraded to DOS 6.0 or later, you have a program called MSAV (Microsoft Anti-Virus) which can detect and remove most current viruses. Also included in DOS 6.0 and later versions is a memory-resident program called VSAFE, which acts like Norton's Diskmon to monitor hard disk activity in order to warn the user when a virus may be attacking the hard disk.

The most well known and probably the best program for virus detection and recovery is SCAN, and its associated programs CLEAN and VALIDATE, by McAfee Associates. This program is consistently updated to accommodate the detection of new viruses. It is available on bulletin boards across the country or directly from McAfee Associates by calling (408) 988-3882.
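The article describes two complementary defenses: scanning for known virus signatures (SCAN) and validating that program files have not changed since a trusted baseline (VALIDATE). The second approach is the one that catches a file virus regardless of whether its name is on a list yet, because a virus that attaches itself to a .COM, .EXE or .SYS file necessarily changes that file's contents and usually its size. The example below is an added illustration written for this reprint and is not McAfee's VALIDATE nor any code from the original article; the file names, directory layout and file contents are constructed for the demonstration, and SHA-256 stands in for whatever checksum a 1994 utility used. It records a baseline of every program file under a directory, then reports which have been modified, removed or added.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the article names as the files a file virus attaches to.
MONITORED_EXTENSIONS = {".com", ".exe", ".sys"}


def fingerprint(path):
    """Size plus SHA-256 of a file; either changes if anything is written into it."""
    data = Path(path).read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(root):
    """Map each monitored program file (relative name) to its fingerprint."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in MONITORED_EXTENSIONS:
            baseline[str(path.relative_to(root))] = fingerprint(path)
    return baseline


def verify(root, baseline):
    """Compare the directory against a saved baseline and report differences.

    'modified' is the case the article cares about most: a program whose
    bytes changed without the user reinstalling it.  'new' program files
    deserve attention too, since the article's DOS TIP is to check any
    software before it is loaded.
    """
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "new": []}
    for name, saved in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != saved:
            report["modified"].append(name)
    for name in current:
        if name not in baseline:
            report["new"].append(name)
    return report


def demo():
    """Constructed scenario: baseline a small program directory, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        root_path = Path(root)
        # Constructed sample files; the bytes are placeholders, not real programs.
        (root_path / "UTIL.EXE").write_bytes(b"MZ placeholder program image")
        (root_path / "GAME.COM").write_bytes(b"placeholder .COM image")
        (root_path / "README.TXT").write_bytes(b"not a program; ignored by the checker")

        baseline = build_baseline(root)  # would be saved to write-protected media

        # Stand-ins for what the checker must notice on a later run:
        # an unexplained change to an existing program, a program that has
        # vanished, and a program that appeared without being installed.
        with (root_path / "UTIL.EXE").open("ab") as f:
            f.write(b" unexpected trailing bytes")
        (root_path / "GAME.COM").unlink()
        (root_path / "NEW.COM").write_bytes(b"program nobody installed")

        return verify(root, baseline)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

Two caveats follow directly from the article. The baseline itself must live on media the system cannot write to (the write-protected boot floppy the article recommends), otherwise the same virus that alters a program can alter the record used to check it. And because a stealth virus conceals itself from software running on the infected system, a check like this is only trustworthy when the machine has been booted from a known-clean disk.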

IBIS IMAGING SYSTEMS is a division of IBIS CORPORATION, a federal computer systems integrator. For information on Forensic Products you may contact Robert Kuna at (800) 532-3344.

DOS TIP: Never load software from a diskette without checking it for a virus!

(Editor — The Forensic Newsletter is published by IBIS Imaging Systems as a service to the law enforcement personnel interested in computer imaging technology. We offer our appreciation to David Barnes for allowing this reprinting as well as his past support in this specialized area.

While many of us have willingly jumped, and others have been forced, into computer technology, we all need to stay current on computer issues. I hope you have learned from this article and please let me know if you feel other basic computer articles (not specifically directed toward fingerprints) are appropriate in your publication — THE PRINT.)

This article was reprinted in “THE PRINT”
Volume 10(8) September 1994, pp 6-7
and has been obtained from the online library provided by the

Southern California Association of Fingerprint Officers
www.scafo.org