Penn State Anti-Virus Page



This page is edited consistently for reliability. Last modified 19-Aug-96.

This page is available at URL: http://cac.psu.edu/~santoro/cac/virus.html


Purpose of this Page

This page is intended as a resource for Penn State faculty, staff and students in the continuing fight against computer viruses and other forms of nasty software. This page will contain the following information:


Recommendations

In order to protect oneself from computer file loss due to nasty software we recommend that every computer owner take the following steps at a minimum:


Virus News - Penn State

Current virus news will be posted here and on the Usenet NEWS newsgroup psu.comp.virus.


Virus Report Form

In order to better track incidents of viral infection among the Penn State computing community, we have created a virus report form. Please use this form to report any verified virus infections. This information will only be used for tracking purposes.

If you have questions, please contact CAC HelpDesk at 863-1035


Anti-Virus Software Suggestions

Following are suggestions for commercial anti-virus software for various types of computer system and operating system. These are merely suggestions to guide the user in obtaining anti-virus software. These are not endorsements of specific packages or guarantees of reliability.

IBM-PC with DOS and/or Windows 3.1

IBM-PC with Windows 95

IBM-PC with Windows NT

IBM-PC with OS/2

Macintosh


PSU-CAC Antivirus Archives

The Center for Academic Computing maintains a library of many current shareware antivirus packages and information for IBM-PC and Macintosh computers. Following are links to these libraries. Links to virtually all antivirus sites on the Internet are included further down in this page. If you use any of this software you may want to bookmark the archives to more easily check for newer versions at a later time.

Again, we strongly recommend that you purchase commercial anti-virus software, since this is usually more reliable than the free/shareware software and comes with vendor support and documentation.


Other Antivirus Archives

Here are some other archives of antivirus software. The many links further down on this page also contain links to these, and other, sites.


Virus Documentation and Conferences

Following are some useful documents and conferences regarding viruses.

Catalogs, Organizations, Clearinghouses, etc.


Articles Regarding Viruses & Nasty Software

As online articles regarding computer viruses and nasty software are found, they will be added to this list.


Security and Anti-Virus Sites

These sites may have useful information and/or links to other useful anti-virus or computer security sites.


Following is a locally-written article about viruses for new computer owners.

What are Microcomputer Viruses?

Microcomputer viruses, trojan horses, and bombs are various forms of 'nasty' or 'destructive' software. These are program segments written to cause destruction to the computer files of the unwary computer user. They typically attach themselves to legitimate computer programs and use these legitimate programs as a means of spreading themselves among computer users.

WHERE DO COMPUTER VIRUSES COME FROM?

Computer viruses and other nasty software are created by programmers with malicious intent. The programmer typically does not know the intended victim of the nasty software. The nasty software is then 'released' into the world of computer users in one of a number of ways.

The typical virus or trojan horse attaches itself to a legitimate computer program in a process called 'infection'. The infection is usually done in a way that does not noticeably interfere with the running of the program itself. However, behind the scenes, the nasty software uses its 'host' program as a platform from which to infect other available programs. A virus or trojan horse can only infect program code files.

When a given program is infected it will not 'look' any different to the casual observer. There may be a small increase in file size, and there will likely be a change in any file checksum, but otherwise the program will appear to work the same as always. If the program is copied and given to another user, or copied onto a network for wide distribution, the infection will have an opportunity to spread. As a result, most infections are passed among users through program-sharing mechanisms such as bulletin-board systems, computer clubs, and network servers. Infections also spread through normal disk sharing and there have actually been cases where commercial software was infected while still in its shrink-wrap container!
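The size and checksum changes described above are what an integrity check looks for. The following Python code is an added example, not part of the original page: it records a baseline of program files and reports any whose checksum later differs. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

PROGRAM_EXTENSIONS = {".com", ".exe", ".sys", ".ovl"}  # assumed program-file types


def snapshot(root):
    """Map each program file under root to (size, SHA-256 digest)."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PROGRAM_EXTENSIONS:
                continue  # data files are outside this check
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                data = handle.read()
            rel = os.path.relpath(path, root)
            result[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare(baseline, current):
    """Return sorted findings describing how current differs from baseline."""
    findings = []
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            findings.append((rel, "new program file"))
        elif baseline[rel][1] != digest:
            growth = size - baseline[rel][0]
            findings.append((rel, f"checksum changed, size {growth:+d} bytes"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "missing"))
    return sorted(findings)


def demo():
    """Constructed sample: a program file grows; a changed data file is ignored."""
    with tempfile.TemporaryDirectory() as root:
        prog, note = (os.path.join(root, n) for n in ("EDIT.COM", "NOTES.TXT"))
        for path, data in ((prog, b"\x90" * 100), (note, b"hello")):
            with open(path, "wb") as f:
                f.write(data)
        baseline = snapshot(root)  # taken while the system is known clean
        for path, extra in ((prog, b"\x00" * 32), (note, b" world")):
            with open(path, "ab") as f:
                f.write(extra)  # stand-in bytes appended to both files
        return compare(baseline, snapshot(root))
```

A baseline is only trustworthy if it was taken from a clean system and is stored where it cannot be altered, for example on a write-locked disk.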

THE TWO STAGES OF VIRUS ACTIVITY

Computer viruses and trojan horses have two primary stages of activity. The first stage is known as the 'infectious' stage because all the software does at this stage is reproduce itself. It reproduces by looking at all available file structures for programs to which it may attach a copy of itself. The infectious stage typically lasts a fairly long time in order to guarantee that nothing amiss is suspected and that the virus has ample opportunity to spread.

The second stage of virus activity is the 'damage' stage. This is where the virus carries out whatever destructive programming it was developed for. Examples include deleting files, randomly rewriting the disk FAT table, displaying a useless graphic and freezing up the system, etc. Usually once this stage is reached it is too late to do anything other than erasing the infected files and restoring the system from your backup archives.

PREVENTION - THE BEST MEDICINE

By far the best way to deal with nasty software infections is to avoid ever having them in the first place. Following a few simple steps can greatly reduce your chances of receiving an infection and will greatly increase your probability of recovery should an infection occur.

WHAT DO I DO IF I SUSPECT A VIRUS?

First of all - DON'T PANIC! If you have been following the prevention suggestions mentioned above you will probably get through this infection with minimal loss.

Your most important initial step is to identify the virus, determine the extent of the infection, and attempt to locate the source of the initial infection. If you religiously run a scan or shield program you will likely have caught the virus or trojan horse as it attempted to enter your system. If you are part of an office or network that frequently shares programs and data files you will want to notify the other users in your area as they will need to check out their systems as well.

Boot your computer from the write-locked system disk and run your scan program from a different write-locked floppy disk. Make sure you scan all hard disk volumes first. You will also want to scan all floppy disks if possible. This should identify the virus and tell you the extent of the infection on your system. What you do next depends on the exact virus found. Most viruses can be disabled with a disinfectant program; however, you will typically have to tell the disinfectant the name of the virus to be disabled. You will then have to restore program files that were infected from your backup archives. If you have caught the virus early enough the amount of work required to completely eliminate it from your system, or from all of the systems in your office, will be fairly short. However, be wary of the potential for reinfection! Many users would want to install a shield program at this point, even if only for a few weeks, to identify other floppy disks or disk volumes that may have evaded the original scanning.


This page is maintained and made available for educational use by Dr. Gerry Santoro, gms@psu.edu