The best way to protect against file viruses is to scan every incoming program with a virus scanner. If your organization runs a medium-to-large network, scan all incoming files on a stand-alone PC before they are used on any machine connected to the network.
Behavior blockers can also be used to detect virus activity from new viruses that slip past the antivirus scanner.
Even the seasoned user considers repairing file virus infections difficult. The most effective way to repair infected program files is to replace them from uninfected, backup copies. If backups are not available, use an antivirus program to repair the infected executable files.
Although file virus repair is usually best left to an antivirus program, it is possible, in some instances, for the user to repair files that are infected by a read-stealthing virus.
While the virus is memory resident on the computer, complete the following steps:
When the user copies the PROGRAM.EXE file to the PROGRAM.XEX file, the DOS command shell generates two open-file system service requests, one to open PROGRAM.EXE and one to open PROGRAM.XEX. The virus's resident handler intercepts the first request, determines that it's dealing with an infected executable program, and disinfects the program, writing the cleansed program back to the disk.
The virus also intercepts the second open file request, but because this file is not an executable file (the extension is not .COM or .EXE), it does not perform any further processing on the file. The recently cleansed version of the program is then copied to the XEX file, and the DOS command shell issues two close file service requests.
Again, the virus intercepts both requests. The first request closes the PROGRAM.EXE file. The virus detects that it's dealing with an executable program (the extension is .EXE) and reinfects the program. The second request closes the PROGRAM.XEX file, which, according to the virus, is not an executable file. Thus, the file is closed normally and contains the uninfected contents of the original .EXE file. Next, the user deletes the infected .EXE, leaving the uninfected .XEX file.
At this point, the virus has been removed from the copy of the executable file, but it is still resident in the computer's memory. Therefore, the user must boot from an uninfected DOS floppy disk so that the virus never has a chance to install itself into memory. After the user boots from the floppy, he can safely rename each backed-up file to its original name; because the virus is not resident on the computer, it cannot intercept the file-open and file-close system service requests to reinfect the programs.
So How Do the Antivirus Programs Do It?
Antivirus programs typically use their virus scanner component to detect and repair infected program files. If a file is infected by a nonoverwriting virus (one that allows the original program to execute after it does its dirty work), then the program can most likely be repaired successfully.
When a nonoverwriting virus infects an executable file, it must store certain information about the host program within its viral body. This information is used to execute the original program after the virus finishes executing. If this information is present in the virus, the antivirus program can locate it, decrypt it if necessary, and copy it back to the appropriate areas of the host file. Finally, the antivirus program can cut the virus from the file.
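The following Python model is an added example, not code from the book, that illustrates both mechanisms described above: the read-stealthing copy trick (PROGRAM.EXE to PROGRAM.XEX) and the scanner's header-restore-and-truncate repair of a nonoverwriting infection. Everything in it is constructed: an "executable" is a bytes object, the "disk" is a dictionary, and the "virus" is an abstract marker that saves the host's first bytes (masked) inside an appended body. The names (`infect`, `repair`, `StealthVirusSession`, `SAMPLE_HOST`) and the layout of the toy infection are assumptions made for the illustration; no real program or file system is involved.

```python
"""Toy model of file-virus repair and the read-stealth copy trick.

Constructed simulation only: byte buffers stand in for executables and a dict
stands in for the disk. The "virus" here is just a marker plus a saved copy of
the host's first bytes, which is the information a scanner relies on to repair.
"""
from __future__ import annotations

HEADER_LEN = 8              # number of host bytes the toy virus saves
VIRUS_TAG = b"VIRUSBODY"    # constant marker identifying the appended body
MASK = 0x5A                 # toy XOR "encryption" of the saved header
EXEC_EXTENSIONS = (".COM", ".EXE")

# Constructed sample host program (not a real executable image).
SAMPLE_HOST = b"MZ\x90\x00\x03\x00\x00\x00" + b"<original program code>" * 2


def is_infected(data: bytes) -> bool:
    """An infected image ends with VIRUS_TAG followed by the saved header bytes."""
    body_len = len(VIRUS_TAG) + HEADER_LEN
    return len(data) >= body_len and data[-body_len:-HEADER_LEN] == VIRUS_TAG


def infect(host: bytes) -> bytes:
    """Abstract nonoverwriting infection: the first HEADER_LEN host bytes are
    replaced by a placeholder stub and saved (masked) at the end of the file,
    so the host remains runnable after the body finishes. Already-infected or
    too-short hosts are left alone."""
    if is_infected(host) or len(host) < HEADER_LEN:
        return host
    saved = bytes(b ^ MASK for b in host[:HEADER_LEN])
    stub = b"\xEB" * HEADER_LEN      # placeholder only; carries no behaviour
    return stub + host[HEADER_LEN:] + VIRUS_TAG + saved


def repair(data: bytes) -> bytes:
    """What the scanner's repair component does: locate the saved host header,
    decrypt it, copy it back over the stub, and cut the virus body off the end."""
    if not is_infected(data):
        return data
    body_len = len(VIRUS_TAG) + HEADER_LEN
    original_header = bytes(b ^ MASK for b in data[-HEADER_LEN:])
    return original_header + data[HEADER_LEN:-body_len]


class StealthVirusSession:
    """Models the memory-resident read-stealthing handler: opening an
    executable disinfects it on disk, closing one reinfects it, and any other
    extension is passed through untouched. `disk` maps filename -> bytes."""

    def __init__(self, disk: dict[str, bytes]):
        self.disk = disk

    @staticmethod
    def _is_executable(name: str) -> bool:
        return name.upper().endswith(EXEC_EXTENSIONS)

    def open_file(self, name: str) -> None:
        if self._is_executable(name) and name in self.disk:
            self.disk[name] = repair(self.disk[name])

    def close_file(self, name: str) -> None:
        if self._is_executable(name) and name in self.disk:
            self.disk[name] = infect(self.disk[name])

    def copy(self, src: str, dst: str) -> None:
        """The shell's COPY as the text describes it: two opens, a data
        transfer, two closes, each open/close passing through the handler."""
        self.open_file(src)
        self.open_file(dst)
        self.disk[dst] = self.disk[src]   # reads the freshly disinfected image
        self.close_file(src)
        self.close_file(dst)


def stealth_copy_result(host: bytes) -> tuple[bool, bool]:
    """Run the PROGRAM.EXE -> PROGRAM.XEX procedure while the virus is resident.
    Returns (exe_still_infected, xex_is_clean_copy_of_host)."""
    disk = {"PROGRAM.EXE": infect(host)}
    StealthVirusSession(disk).copy("PROGRAM.EXE", "PROGRAM.XEX")
    return is_infected(disk["PROGRAM.EXE"]), disk["PROGRAM.XEX"] == host


def scanner_repair_result(host: bytes) -> bool:
    """True when repair() recovers the host byte-for-byte from an infected image."""
    infected = infect(host)
    restored = repair(infected)
    return is_infected(infected) and restored == host and not is_infected(restored)


if __name__ == "__main__":
    print("stealth copy (exe infected, xex clean):", stealth_copy_result(SAMPLE_HOST))
    print("scanner repair recovers host:", scanner_repair_result(SAMPLE_HOST))
```

The model makes the two points of the passage concrete: the .XEX copy is clean only because the handler applies its disinfect-on-open and reinfect-on-close logic by extension, and the scanner's repair is possible only because the saved header is present in the body; a virus that overwrote the host instead of saving those bytes would leave `repair` nothing to restore.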
Alternatively, the antivirus program can use integrity information to repair infected programs. See Integrity Checkers for more information.
Currently, no foolproof way to prevent macro virus infection exists. Be sure to scan all incoming documents with an antivirus scanner before editing or even viewing them.
The best way to repair a macro virus infection is to use an antivirus program. Most of the major antivirus manufacturers are adding macro detection and repair capabilities to their antivirus scanners. Microsoft is also distributing a macro-based antivirus program to remove the Word for Windows Concept virus. (This shows how powerful the macro language is!)
The Windows NT operating system constitutes a paradigm shift from other Microsoft operating systems. It differs from other current PC operating systems in several ways:
This section describes the major virus types, how they function under Windows NT, and native Windows NT viruses.
MBR viruses typically are acquired in one of two ways. The first is booting from an infected floppy disk. The second is running a dropper program from a DOS session that writes the virus directly onto the hard drive's MBR; multipartite computer viruses sometimes attempt this type of infection.