Micro Firmware Tech Support

General Information on PC Virus Detection and Removal


Filename: VIRUS.TXT
WWW URL:  http://www.firmware.com/support/bios/virus.htm
FTP URL:  ftp://ftp.firmware.com/text/virus.txt
Revision: 07/30/99  TLS  Micro Firmware Technical Support
Summary:  Information on how to detect and remove viruses including
          recommended programs and sources for more information.

Modern computer hardware and software are so complex that many mysterious problems can arise due to incompatibilities, bugs, improper installation/configuration, etc. These types of problems are more common than virus infections, but viruses are more common than most people realize. It is fairly easy to rule out the possibility of a virus infection using a high-quality anti-virus program.

Including variants, there are over 24,000 known computer viruses that can infect DOS/Windows-based PCs. Most of these are relatively rare but many of them are quite common. Stoned, Michelangelo, Monkey, and Jerusalem are a few examples of viruses that have been common in the past.

Most viruses can be categorized as either boot-sector infectors or file infectors. Boot-sector viruses travel from system to system by way of infected floppy disks. The bootable hard drive becomes infected if the system is booted from an infected floppy disk, or if an infected disk is left in drive A: when the system is turned on so that the system attempts to boot from it. This happens even if the disk is not a bootable diskette and the attempt only produces the message "Non-system disk, remove and replace". Once the hard drive has become infected, the virus loads into memory each time the system is booted from that drive and will typically infect any floppy disks accessed from that point on.

File-infector viruses usually infect only COM, EXE, or other program files rather than data files. Some viruses are written to cause specific types of damage; others may cause various problems even though they aren't necessarily intended to. Some viruses will alert you to their presence; most will not.

There are many anti-virus programs on the market. Some are DOS-based, others are Windows or Windows 95 programs. Most can be installed so that they remain in memory and are constantly watching for any viruses that may attempt to enter the system. Even if such a program has been installed, there may be conditions under which a virus can infect the system. In addition, as many as a hundred new viruses appear monthly, and some may not be recognized by any particular anti-virus program. It is therefore important to keep an anti-virus program up to date; most can be updated by periodically obtaining new versions or updates from the manufacturer. It is also recommended to do a thorough check periodically using the procedure described below.

Many people assume that their system could not possibly be infected since they don't use a modem and/or have only installed commercial software using the original diskettes. Most virus infections did not happen through a modem (although some serious viruses do travel this way), and there have been many cases of commercial software in sealed packages containing viruses.

The only surefire way to completely rule out a virus infection is to boot the system from a known uninfected, write-protected diskette in drive A: and then run a recent version of a good anti-virus program, which will check memory, boot sectors, and either just program files or all files, depending on what you tell the program to do. It is important to boot from a diskette because the hard drive may be infected. If it is, booting from it loads the virus into memory, and many viruses can hide from anti-virus programs if they load into memory first. It may be necessary to create a diskette on another system to ensure that it is clean. Also, the Microsoft installation disks used to install DOS are usually write-protected from the factory, so it is fairly safe to assume that DISK 1, which should be bootable (unless it is from an upgrade version), is clean. Note that write-protecting a diskette prevents any virus from being able to infect it.
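As an added illustration (not part of the original Micro Firmware document), the Python example below shows one way a boot-sector check can work: it parses a 512-byte master boot record image, hashes the boot-code area, and compares the result with a baseline recorded while the system was known to be clean. The function names and the sample sectors are constructed for this example; it assumes the sector has already been read from the disk after booting from the clean diskette.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code that runs at power-on
ENTRY_FMT = "<B3xB3xII"  # status, CHS (skipped), type, CHS (skipped), LBA, count
SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid boot sector


def parse_mbr(sector: bytes) -> dict:
    """Summarize a 512-byte MBR image: signature, boot-code hash, partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for slot in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, BOOT_CODE_LEN + slot * 16)
        if ptype != 0:  # type 0 marks an unused table slot
            partitions.append({"slot": slot, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == SIGNATURE,
            "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(baseline: dict, current: dict) -> list:
    """List differences between a known-clean summary and the current one."""
    findings = []
    if not current["signature_ok"]:
        findings.append("missing 55 AA signature")
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample(code_fill: int, with_table: bool = True) -> bytes:
    """Constructed 512-byte sample sector (not taken from a real disk)."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x06, 63, 1_000_000)
    table = (entry if with_table else bytes(16)) + bytes(48)
    return bytes([code_fill]) * BOOT_CODE_LEN + table + SIGNATURE


if __name__ == "__main__":
    clean = parse_mbr(build_sample(0x90))
    print(compare_to_baseline(clean, clean))                        # unchanged sector
    print(compare_to_baseline(clean, parse_mbr(build_sample(0xCC))))
    print(compare_to_baseline(clean, parse_mbr(build_sample(0x90, False))))
```

Legitimate changes such as repartitioning or installing a boot manager also alter these values, so a difference is a reason to run the anti-virus scan described above rather than a verdict on its own.
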

Most anti-virus programs can remove most but not all of the viruses that they can detect. The best way to get rid of file-infector viruses is to delete the infected files. Most boot sector viruses can be removed by just removing the partition with FDISK and then repartitioning and reformatting the drive. If a boot sector virus is found on the hard drive, it should be considered imperative to check all floppy disks at the site as well, since many of them may be infected and can then reinfect the system. If the Monkey virus is found, it is best to use the KILLMONK program to remove it. This is a commonly available shareware program which we keep on our FTP site. Note that even the best anti-virus programs can give false alarms. Also, it is a good idea to use more than one virus detection program. It may be advisable to seek help from a qualified technician if a virus is found or suspected.

We have a program on our website that can be used to erase the boot sector of a hard drive, which should remove any boot sector virus. Using this program will also wipe out all data on the drive, which will then need to be repartitioned and reformatted. The program is called ZAPART and can be found here:

http://www.firmware.com/support/atapro/

The anti-virus program I recommend is called F-Prot. This program comes from Iceland and is made by Fridrik Skulason. It is DOS-based and easy to use. F-Prot is free for home use. This is one of the best, if not the best, anti-virus programs. Like all anti-virus programs, F-Prot is updated frequently (every few months). Also note that there is a commercial version of F-Prot, called F-Prot Professional.

F-PROT can be obtained from its source at:

http://www.complex.is

An excellent source for PC virus info, including links to other sites, is the Virus Bulletin site:

http://www.virusbtn.com

A very interesting source for information on PC viruses is Patricia Hoffman's Virus Summary (or VSUM). This is a hypertext database which lists all known viruses and describes what each one does, where it came from, when it was discovered, how to remove it, etc. VSUM is updated regularly. It can be downloaded from the web at:

http://www.vsum.com

For info on virus hoaxes and virus myths:

http://www.datafellows.fi/news/hoax.htm

There are a couple of USENET newsgroups dedicated to computer viruses - comp.virus and alt.comp.virus.



Micro Firmware, Inc.
330 W. Gray Street
Norman, Oklahoma 73069-7111
Toll-Free Sales (USA/Canada): 1-800-767-5465 or 1-888-4-PC-BIOS
Support & Sales: +1 405-321-8333
Sales Department FAX: +1 405-573-5535
Technical Support FAX: +1 405-321-8342
Email: sales@firmware.com support@firmware.com

© 1998 Micro Firmware, Inc. - All Rights Reserved
While every attempt is made to ensure the accuracy of our support documents, Micro Firmware provides these documents on an AS-IS basis for information purposes only.