TECH FAQ



1. A virus is a program that is designed to infect multiple files on a single computer. It cannot infect other networked computers without human assistance. It will spread to other systems by way of an infected floppy disk, an infected shared file on a network drive, or by manually sending the infected file as an e-mail attachment, just to name a few. As part of its payload, the virus will only infect certain types of files, depending on what it was intended to do. Most will infect executable (.EXE and .COM) files, but viruses can be made to infect several different file types.

Virus Examples: W95.CIH (Chernobyl), Sampo, and Hare. 


2. Worms don't rely too much on human assistance when spreading from computer to computer, but more on human error (negligent maintenance of systems and opening infected e-mail). Instead of infecting as many files as possible, a worm's goal is to spread to as many computers as possible. Most worms spread via e-mail, through an unpatched vulnerability, or through shared drives. Worms spreading through e-mail often attach themselves to personal documents found on your hard drive and will mail the document to others without your knowledge. When spreading through shared drives, you can become infected by a worm from a system halfway around the world. It is not limited to your own network. Worms that spread through a network in this manner are often called "network aware".


Worm examples: Nimda, Code Red, Sadmin, Magistr, and SirCam. 


3. In most cases a Trojan is an application that may appear useful to the end user, but it also has an underlying malicious intent (i.e., it will perform functions the user hadn't intended). An individual wishing to exploit another user's system will often wrap a Trojan in an application or script that the user would want to execute. Trojans are commonly found in games, screen savers and other applications (e.g., the Whack-a-Mole game). When the infected file is launched on the system, the Trojan silently installs in the background, allowing the individual that sent the Trojan to control your computer remotely, record all of your keystrokes (including passwords and account info), take screen shots of your desktop and control your file system. Trojans also come as stand-alone applications and can be installed by a user sitting at the machine (this is common in public or student labs).


Trojans can do anything the user executing the file has privileges to do, including changing, deleting and transferring files as well as installing other Trojans, viruses and Distributed Denial of Service (DDoS) zombies. Trojans are often used by the attacker to look for other remote systems to exploit under the "safety net" of your network. Trojan examples: NetBus, Back Orifice, and SubSeven.


4. If you are looking for information on a specific virus, check your anti-virus vendor's on-line database for more information. For general information, visit the following links: 


VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00

http://www.faqs.org/faqs/computer-virus/faq/ 

alt.comp.virus (Frequently Asked Questions)

http://www.claws-and-paws.com/virus/faqs/acvfaq.1.shtml 


5. If you are looking for information on a specific virus, check your anti-virus vendor's on-line database for more information. For general information, visit the following link: 


Viruses and the Macintosh FAQ

http://www.sherpasoft.org.uk/MacSupporters/macvir.html 


6. If you are looking for information on a specific virus, check your anti-virus vendor's on-line database for more information. For general information, visit the following links: 


OpenAnti-Virus Project

http://www.openantivirus.org/ 

The Linux/Unix Anti-Virus Project

http://lavp.sourceforge.net/ and http://sourceforge.net/projects/lavp/ 


7. As virus programmers grow more sophisticated, the means of infection from a virus have also grown more sophisticated. Many viruses have multiple means of transmission and can be classified as both a virus and a worm. Some of the most common infection methods are: 

Opening an infected e-mail attachment

On systems with no e-mail client or SMTP server configured, some worms will install their own SMTP engine, which allows them to send infected messages.

Exploiting an unpatched software vulnerability. You receive or preview the e-mail and become infected. (e.g., Wscript.Kakworm and Nimda)

Via Windows Networking/Shared Hard Drives - No user interaction required!

Visiting websites that contain hostile code - User interaction may not be required.

Downloading infected applications from the Internet

Receiving an infected attachment via IRC, an Instant Messenger or other file sharing application

Sharing infected floppy disks

Local user installing with intent of infecting the system

Infecting shared or mapped drives on a server (A shared drive on any operating system can store infected files!) 


8. E-mail copies of personal documents from your hard drive to friends and strangers

Delete/corrupt system and personal data

Allow outsiders to control your system

Replace the text of your documents with profanity or other phrases

Hamper your ability to navigate or enter text

Flash the system BIOS or erase the CMOS leaving the system unbootable

Cause system instability

Port scan other networks looking for vulnerabilities

Deface webpages

Anything within the technical capability of the virus author 


9. Computer viruses are, in theory, assigned names according to the CARO Naming Convention. Most anti-virus companies use this same basic convention, though they may have tacked on their own prefixes and suffixes. The virus authors have their personal opinion about what their creation should be named and may include their name in the source code of the virus. Some virus names are based on the author's intended name, while others may be named by the company researching the first copy discovered in the wild. A great example of this is the Code Red worm, which was named by the eEye Digital Security Team after the new flavor of Mountain Dew soda. Rumor has it they ingested great amounts of Code Red Mountain Dew while analyzing the new worm, thus naming it Code Red.


Since there really is no enforced standard naming convention, you may find that one virus has several different names depending on the reporting organization's own naming conventions. 


10. Some viruses can infect or alter data files, but since a virus has to be executed to spread, a data file typically cannot spread a virus. Exceptions to this are documents containing a Macro virus or an executable embedded object. Documents containing these objects do have the ability to propagate a virus. 


Be aware that what appears to be a data file may not be. Depending on how your system is configured, you may not be able to see multiple file name extensions. The final extension may be hidden. For example, an executable file named FILE.JPG.EXE may appear to the user to be a graphic file named FILE.JPG. This trick is often used to fool users into opening an infected executable file that otherwise appears to be an innocent data file. 
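
A defender-side check for the double-extension trick described above, written as an added example (not part of the original FAQ): it parses a raw e-mail message and flags attachment names whose final, possibly hidden, extension is executable. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed extension lists for illustration; a real gateway policy is longer.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
DATA_EXTS = {".jpg", ".gif", ".txt", ".doc", ".xls", ".pdf", ".mp3"}


def classify_name(filename):
    """Return 'deceptive', 'executable' or 'ok' for one attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before checking.
    name = filename.strip().rstrip(". ").lower()
    exts = ["." + part for part in name.split(".")[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Executable final extension behind a data-looking one: when the final
    # extension is hidden, FILE.JPG.EXE is displayed as FILE.JPG.
    if len(exts) >= 2 and exts[-2] in DATA_EXTS:
        return "deceptive"
    return "executable"


def scan_message(raw):
    """Map each attachment name in a raw e-mail message to its verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [part.get_filename() for part in msg.iter_attachments()]
    return {name: classify_name(name) for name in names if name}


def build_sample():
    """Constructed sample message with harmless placeholder attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Holiday pictures"
    msg.set_content("See attached.")
    for name in ("FILE.JPG.EXE", "holiday.jpg", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()).items():
        print(f"{name}: {verdict}")
```

A verdict of "ok" only means the name itself is not suspicious; the content still needs to be scanned with up-to-date anti-virus software.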


11. Viruses can infect e-mail or other files stored on any servers to which the infected computer has write access. If the files are shared, other users who access the files could be infected. If the virus creates multiple copies of itself, it is possible that the hard disk can run out of space (creating a denial of service to anyone depending on access to that hard drive). 


12. Yes. Aside from any questions of hostile scripting, Nimda was the first documented virus that could spread from an infected web server to a vulnerable web browser. 


Risk of infection from webpages can be mitigated by running real-time anti-virus software that monitors every viewed webpage, or using a web browser with script and program execution disabled. 


13. Since virus behaviors vary so widely, the only way to be 100% sure is to scan your system with anti-virus software that has up-to-date scan strings. If you know the name of the virus you think your system may be infected with, you can also locate the technical information about the virus on your anti-virus vendor's web site. This information typically includes symptoms, file names, and registry entries that may be associated with the virus.


14. Turn your computer off and call the tech support specialist in your building. Removing the infected computer from the network minimizes the impact on others. 


15. This depends entirely on your local anti-virus solution. Most viruses must be removed with an anti-virus product as opposed to manual removal. Manual removal may not be possible if the virus alters existing files on the hard drive. Check your anti-virus vendor's website for removal instructions. 


Occasionally, a virus may do so much damage or require so much effort to recover that reformatting the hard drive, restoring from a last known clean backup, and bringing the machine up to current patch levels and recommended configurations is also an option. 


16.  Some newer worms work without the presence of a mail client or server. These worms come with their own SMTP engine and can turn the infected system into a mail server, allowing the worm to send infected e-mail to other users without your knowledge. 


17. E-mail is only one method used by worms to spread. Most worms are also network aware. A network aware worm can scan entire networks looking for systems with Windows Networking installed. The worm will connect to these Windows systems and write its payload to any available shared hard drives. Even if the worm cannot access remote networks, it can still infect other systems on your local network. 


18. If your e-mail client is set up to display HTML e-mail or allow scripts, you do not have to open the message to become infected. Due to a security vulnerability in some versions of Internet Explorer, simply viewing the message in the preview pane of your client can allow it to infect the system. This can happen unexpectedly if you leave your computer running and mail client open while you are away. Plain text e-mail is generally considered trustworthy. 


19. If your anti-virus software is implemented properly, it should stop most viruses from infecting your system. However, new viruses (and variations on old ones) can slip through to infect the system. If your anti-virus software doesn't have a scan string to recognize the threat, it will not stop the virus. If the user disables a portion of the software or doesn't keep it up to date, the software may fail to detect the threat.




Best Practices


Keeping Intruders Out of Your Computer

Computer viruses and worms can cause you to lose information and access to your computer. E-mail containing a virus program may even look like it comes from someone you know, such as a close friend or a co-worker. By knowing the facts and using the tools available, you can help prevent viruses and worms.


Computer Viruses and Worms

What Is a Computer Virus or Worm?

Viruses and worms are mini computer programs that may arrive innocently in an e-mail attachment but can be destructive to your computer. Viruses may hide in a computer's program or system files and then wait to do their damage at a particular date or time. Computer viruses often look like something they are not, such as a picture, a screen saver or even a Web link.


Worms are software components that are capable of infecting a computer and then using that computer to infect another computer via the Internet. The cycle is repeated, and the population of worm-infected computers grows rapidly. Worms differ from viruses because of their ability to continue growing under their own power and to spread very quickly without assistance from another program.


If you are a WGSD staff member, you have access to anti-virus software, which helps protect against worms and viruses.


WGSD Internet Safety / Security Tips


* Use great care when "surfing the web." Don't give out your primary e-mail address unless you absolutely have to. When filling out web forms, look out for check boxes where you might be agreeing that you want e-mail solicitations from that site or related ones. Be careful in using your e-mail address in chat rooms, bulletin boards, etc.


* The magic word is: DELETE! Delete unwanted e-mail. If you do not recognize the sender of the e-mail you should likely delete the message, especially if the subject line contains something you do not want or are unfamiliar with. You should also be wary of any email that contains an attachment, especially if you are unfamiliar with the sender. Do not execute attachments from unknown persons. Do not execute attachments, even from known users, unless you are expecting one or have verified there should be one. 


* Please don't forward/resend chain letters or hoaxes. Addresses are frequently collected from these letters and added into spammers' databases. If a message looks pretty weird ("new virus will surely blow up your computer! Warn everyone you know!" or "Cute little girl kidnapped by dog pack!"), try to confirm its contents before passing it along to thirty friends. You can always check to see if something is real or a hoax by going to various websites that monitor the veracity of such e-mail. A couple of those sites are http://www.snopes.com and http://www.urbanlegends.com


* DO NOT try to unsubscribe. Many times there will be a link at the bottom of an unwanted e-mail that tells you to 'click here to unsubscribe.' This is often an attempt by the spammer to validate your e-mail address. If you actually use the link, it will likely tell the spammer that your address is valid and they can send more spam to you.


* Please be aware that if you are receiving e-mail that is embarrassing or obscene, it most likely doesn't reflect on you or your computer usage. Some people are afraid that they will "get in trouble" for simply receiving such e-mail. There is so much of this type of e-mail being sent out worldwide that everyone in the district has received or will receive e-mail of this type at some time. Just follow the guidelines contained in this e-mail and know that we are doing our best to block all of this type of e-mail.


* Use floppy disks, CDs, and flash drives with caution. Those that are used on multiple computers can be a virus risk. 


* Back up your data regularly. In the event that a virus does infect your computer, this will prevent losing information.


TRUPUBLIC SOLUTIONS | ALL RIGHTS RESERVED | 2022