Situation

Thisdocumentdiscussescomputervirusesandhowtheydifferfromtrojans,worms,andhoaxes.

Solution
Thetermvirusisoftenusedasagenericreferencetoanymaliciouscodethatisnot,infact,atruecomputer
virus.Thisdocumentdiscussesviruses,Trojans,worms,andhoaxesandwaystopreventthem.

Whatisavirus?
Acomputervirusisasmallprogramwrittentoalterthewayacomputeroperates,withoutthepermissionor
knowledgeoftheuser.Avirusmustmeettwocriteria:
Itmustexecuteitself.Itwilloftenplaceitsowncodeinthepathofexecutionofanotherprogram.
Itmustreplicateitself.Forexample,itmayreplaceotherexecutablefileswithacopyofthevirusinfected
file.Virusescaninfectdesktopcomputersandnetworkserversalike.
Somevirusesareprogrammedtodamagethecomputerbydamagingprograms,deletingfiles,orreformatting
theharddisk.Othersarenotdesignedtodoanydamage,butsimplytoreplicatethemselvesandmaketheir
presenceknownbypresentingtext,video,andaudiomessages.Eventhesebenignvirusescancreateproblems
forthecomputeruser.Theytypicallytakeupcomputermemoryusedbylegitimateprograms.Asaresult,they
oftencauseerraticbehaviorandcanresultinsystemcrashes.Inaddition,manyvirusesarebugridden,andthese
bugsmayleadtosystemcrashesanddataloss.
Therearefiverecognizedtypesofviruses:
Fileinfectorviruses
Fileinfectorvirusesinfectprogramfiles.Thesevirusesnormallyinfectexecutablecode,suchas.comand
.exefiles.Thecaninfectotherfileswhenaninfectedprogramisrunfromfloppy,harddrive,orfromthe
network.Manyofthesevirusesarememoryresident.Aftermemorybecomesinfected,anyuninfected
executablethatrunsbecomesinfected.ExamplesofknownfileinfectorvirusesincludeJerusalemand
Cascade.
Bootsectorviruses
Bootsectorvirusesinfectthesystemareaofadiskthatis,thebootrecordonfloppydisksandharddisks.
Allfloppydisksandharddisks(includingdiskscontainingonlydata)containasmallprogramintheboot
recordthatisrunwhenthecomputerstartsup.Bootsectorvirusesattachthemselvestothispartofthe
diskandactivatewhentheuserattemptstostartupfromtheinfecteddisk.Thesevirusesarealways
memoryresidentinnature.MostwerewrittenforDOS,but,allPCs,regardlessoftheoperatingsystem,
arepotentialtargetsofthistypeofvirus.Allthatisrequiredtobecomeinfectedistoattempttostartup
yourcomputerwithaninfectedfloppydiskThereafter,whilethevirusremainsinmemory,allfloppy
disksthatarenotwriteprotectedwillbecomeinfectedwhenthefloppydiskisaccessed.Examplesofboot
sectorvirusesareForm,DiskKiller,Michelangelo,andStoned.
Masterbootrecordviruses
Masterbootrecordvirusesarememoryresidentvirusesthatinfectdisksinthesamemannerasbootsector
viruses.Thedifferencebetweenthesetwovirustypesiswheretheviralcodeislocated.Masterboot
recordinfectorsnormallysavealegitimatecopyofthemasterbootrecordinandifferentlocation.
WindowsNTcomputersthatbecomeinfectedbyeitherbootsectorvirusesormasterbootsectorviruses
willnotboot.Thisisduetothedifferenceinhowtheoperatingsystemaccessesitsbootinformation,as
comparedtoWindows95/98.IfyourWindowsNTsystemsisformattedwithFATpartitionsyoucan
usuallyremovethevirusbybootingtoDOSandusingantivirussoftware.IfthebootpartitionisNTFS,
thesystemmustberecoveredbyusingthethreeWindowsNTSetupdisks.Examplesofmasterboot
recordinfectorsareNYB,AntiExe,andUnashamed.

Multipartiteviruses
Multipartite(alsoknownaspolypartite)virusesinfectbothbootrecordsandprogramfiles.Theseare
particularlydifficulttorepair.Ifthebootareaiscleaned,butthefilesarenot,thebootareawillbe
reinfected.Thesameholdstrueforcleaninginfectedfiles.Ifthevirusisnotremovedfromthebootarea,
anyfilesthatyouhavecleanedwillbereinfected.ExamplesofmultipartitevirusesincludeOne_Half,
Emperor,AnthraxandTequilla.
Macroviruses
Thesetypesofvirusesinfectdatafiles.Theyarethemostcommonandhavecostcorporationsthemost
moneyandtimetryingtorepair.WiththeadventofVisualBasicinMicrosoft'sOffice97,amacrovirus
canbewrittenthatnotonlyinfectsdatafiles,butalsocaninfectotherfilesaswell.Macrovirusesinfect
MicrosoftOfficeWord,Excel,PowerPointandAccessfiles.Newerstrainsarenowturningupinother
programsaswell.Allofthesevirusesuseanotherprogram'sinternalprogramminglanguage,whichwas
createdtoallowuserstoautomatecertaintaskswithinthatprogram.Becauseoftheeasewithwhichthese
virusescanbecreated,therearenowthousandsofthemincirculation.Examplesofmacrovirusesinclude
W97M.Melissa,WM.NiceDay,andW97M.Groov.

WhatisaTrojanhorse?
Trojanhorsesareimpostorsfilesthatclaimtobesomethingdesirablebut,infact,aremalicious.Avery
importantdistinctionfromtruevirusesisthattheydonotreplicatethemselves,asvirusesdo.Trojanscontain
maliciouscode,that,whentriggered,causeloss,oreventheft,ofdata.InorderforaTrojanhorsetospread,you
must,ineffect,invitetheseprogramsontoyourcomputersforexample,byopeninganemailattachment.The
PWSteal.TrojanisaTrojan.

Whatisaworm?
Wormsareprogramsthatreplicatethemselvesfromsystemtosystemwithouttheuseofahostfile.Thisisin
contrasttoviruses,whichrequiresthespreadingofaninfectedhostfile.Althoughwormsgenerallyexistinside
ofotherfiles,oftenWordorExceldocuments,thereisadifferencebetweenhowwormsandvirusesusethehost
file.Usuallythewormwillreleaseadocumentthatalreadyhasthe"worm"macroinsidethedocument.The
entiredocumentwilltravelfromcomputertocomputer,sotheentiredocumentshouldbeconsideredtheworm.
PrettyPark.Wormisaparticularlyprevalentexample.

Whatisablendedthreat?
Blendedthreatscombinethecharacteristicsofviruses,worms,Trojanhorses,andmaliciouscodewithserver
andInternetvulnerabilitiestoinitiate,transmit,andspreadanattack.Byusingmultiplemethodsandtechniques,
blendedthreatscanrapidlyspreadandcausewidespreaddamage.Characteristicsofblendedthreatsincludethe
following:
Causesharm
LaunchesaDenialofService(DoS)attackatatargetIPaddress,defacesWebservers,orplantsTrojan
horseprogramsforlaterexecution.
Propagatesbymultiplemethods
Scansforvulnerabilitiestocompromiseasystem,suchasembeddingcodeinHTMLfilesonaserver,
infectingvisitorstoacompromisedWebsite,orsendingunauthorizedemailfromcompromisedservers
withawormattachment.
Attacksfrommultiplepoints
Injectsmaliciouscodeintothe.exefilesonasystem,raisestheprivilegeleveloftheguestaccount,
createsworldreadandwriteablenetworkshares,makesnumerousregistrychanges,andaddsscriptcode
intoHTMLfiles.
Spreadswithouthumanintervention
ContinuouslyscanstheInternetforvulnerableserverstoattack.

Exploitsvulnerabilities
Takesadvantageofknownvulnerabilities,suchasbufferoverflows,HTTPinputvalidation
vulnerabilities,andknowndefaultpasswordstogainunauthorizedadministrativeaccess.
Effectiveprotectionfromblendedthreatsrequiresacomprehensivesecuritysolutionthatcontainsmultiple
layersofdefenseandresponsemechanisms.

Whatisanexpandedthreat?
Anexpandedthreatisanapplicationorsoftwarebasedexecutablethatiseitherindependentorinterdependent
onanothersoftwareprogram,andmeetsoneormoreofthefollowingcriteria:
Isconsideredtobenonviralinnature(thatis,doesnotspreadonitsownusingaviruslikemechanism,or
meetthedefinitionofawormorTrojanhorse),yetconformsinasignificantwaytothegeneraldefinition
ofacategoryofexpandedthreat.
HasbeensubmittedtoSymantecbyacriticalnumberofeithercorporateorindividualuserswithinagiven
timeframe.Thetimeframeandnumbermayvarybycategoryandbythreat.
Canbeshowntocreateageneralnuisancerelatedtooneofthespecifiedthreatcategories,orexhibits
behaviorthatisasyetundefinedunderabroadercategoryofexpandedthreat.
Forinformationaboutexpandedthreatcategories,readtheSymantecSecurityResponseWebsite.

Whatisavirushoax?
Virushoaxesaremessages,almostalwayssentbyemail,thatamounttolittlemorethanchainletters.Someof
thecommonphrasesusedinthesehoaxesare:
Ifyoureceiveanemailtitled[emailvirushoaxnamehere],donotopenit!
Deleteitimmediately!
Itcontainsthe[hoaxname]virus.
Itwilldeleteeverythingonyourharddriveand[extremeandimprobabledangerspecifiedhere].
Thisviruswasannouncedtodayby[reputableorganizationnamehere].
Forwardthiswarningtoeveryoneyouknow!
Mostvirushoaxwarningsdonotdeviatefarfromthispattern.Ifyouareunsurewhetheraviruswarningis
legitimateorahoax,additionalinformationisavailableattheSymantecSecurityResponsehoaxessite.

Whatisnotavirus?
Becauseofthepublicitythatviruseshavereceived,itiseasytoblameanycomputerproblemonavirus.The
followingarenotlikelytobecausedbyavirusorothermaliciouscode:
Hardwareproblems.Therearenovirusesthatcanphysicallydamagecomputerhardware,suchaschips,
boards,andmonitors.
Thecomputerbeepsatstartupwithnoscreendisplay.Thisisusuallycausedbyahardwareproblem
duringthebootprocess.Consultyourcomputerdocumentationforthemeaningofthebeepcodes.
Thecomputerdoesnotregister640KBofconventionalmemory.Thiscanbeasignofavirus,butitisnot
conclusive.SomehardwaredriverssuchasthoseforthemonitororSCSIcardcanusesomeofthis
memory.Consultwithyourcomputermanufacturerorhardwarevendortodetermineifthisisthecase.
Youhavetwoantivirusprogramsinstalledandoneofthemreportsavirus.Whilethiscouldbeavirus,it
canalsobecausedbyoneantivirusprogramdetecttheotherprogram'ssignaturesinmemory.For

additionalinformation,seeShouldyourunmorethanoneantivirusprogramatthesametime?
YouareusingMicrosoftWordandWordwarnsyouthatadocumentcontainsamacro.Thisdoesnotmean
thatthemacroisavirus.
Youarenotabletoopenaparticulardocument.Thisisnotnecessarilyanindicationofavirus.Try
openinganotherdocumentorabackupofthedocumentinquestion.Ifotherdocumentsopencorrectly,
thedocumentmaybedamaged.
Thelabelonaharddrivehaschanged.Everydiskisallowedtohavealabel.Youcanassignalabeltoa
diskbyusingtheDOSLabelcommandoffromwithinWindows.

Whatissafecomputing?
Withallthehype,itiseasytobelievethatviruseslurkineveryfile,everyemail,everyWebsite.However,a
fewbasicprecautionscanminimizeyourriskofinfection.Practicesafecomputingandencourageeveryoneyou
knowtodosoaswell.
Generalprecautions
Besuspiciousofemailattachmentsfromunknownsources.
Verifythatattachmentshavebeensentbytheauthoroftheemail.Threatscansendemailmessagesthat
appeartobefrompeopleyouknow.
Donotsetyouremailprogramto"autorun"attachments.
ObtainallMicrosoftsecurityupdates.
Backupyourdatafrequently.Keepthe(writeprotected)mediainasafeplacepreferablyinadifferent
locationthanyourcomputer.
SpecifictoSymantecEndpointProtection
Makesurethatyouhavethemostrecentvirusandspywaredefinitions.SymantecSecurityResponse
updatesSymantecEndpointProtectiondefinitionsinresponsetonewvirusthreatsthreetimesdaily.By
default,theunmanagedclientchecksforupdateseveryfourhoursthemanagedclientupdatesfromthe
SymantecEndpointProtectionManagerassoonasnewcontentisavailable.YoucanalsorunLiveUpdate
manually.Othercontent,suchasIntrusionPreventionsignatures,isupdatedlessfrequently,butasneeded.
Foradditionalinformation,pleaseseeVirusDefinitions&SecurityUpdates.
AlwayskeepAutoProtectrunning.SymantecSecurityResponsestronglyrecommendsthatyouhave
scanssettoscanallfiles,notjustprogramfiles.
Scanallnewsoftwarebeforeyouinstallit.
Scanallmediathatsomeoneelsehasgivenyou.
Usecautionwhenopeningemailattachments.Emailattachmentsareamajorsourceofvirusinfections.
MicrosoftOfficeattachmentsforWord,Excel,andAccesscanbeinfectedbyMacroviruses.Other
attachmentscancontainfileinfectorviruses.FilesystemAutoProtectwillscantheseattachmentsfor
virusesasyouopenordetachthem,asdotheclientemailscanners.

Additionalinformation
Forthemostuptodateinformationonviruses,visittheSymantecSecurityResponseWebsite.
Tosubmitafileyoususpectmaybemaliciousorathreat,seeHowtocollectandsubmittoSymantecSecurity
ResponsesuspiciousfilesfoundbytheSymHelputility.

Security1:1series
Security1:1Part1VirusesandWorms
Security1:1Part2Trojansandothersecuritythreats

LegacyID
1999041209131148
TermsofuseforthisinformationarefoundinLegalNotices.