Today’s PC viruses, Trojan horses, worms, and blended threats can cause run-of-the-mill Windows or application problems: out-of-memory errors, intermittent failures to start up fully, or trouble installing or running applications. But every one of those symptoms can also be caused by an ordinary hardware or software malfunction. In this Drill Down, I will provide some guidance to help you determine whether the culprit is indeed a virus.
Types of infections
In the “olden days,” there were only a couple of types of viruses. One type infected .exe files, attaching its own code to them so that when the program was run, the virus ran first and did its dirty work. Another type traveled from PC to PC on floppy disks, hidden in the boot sector; when a PC was booted from an infected floppy, the virus copied itself to that PC’s boot sector, and from there onto every floppy used in it.
These viruses still exist but are nowhere near as common as the newer varieties. Some people would argue that the newer ones are not really “viruses” per se, because they lack some of the defining characteristics of a virus, such as the ability to attach themselves to a program file or infect the system area of a disk. Some of the common virus types out there today (and permit me to use the loose, generic definition of virus in this article) include:
- Trojan horse: a program that appears to do something useful but actually delivers a harmful payload, such as opening a security hole (a back door), mailing copies of itself to others, or deleting or damaging files.
- Worm: a program that spreads by making copies of itself. It may or may not do any additional harm.
- @m: The “mailer” suffix that antivirus vendors append to a name (for example, in Symantec’s naming scheme) marks a worm that spreads by attaching itself to e-mail the user sends.
- @mm: The “mass mailer” suffix marks a worm that sends itself, without any action by the user, to many addresses harvested from the user’s address book and often from other files on the disk.
- Back door: A program that gives its creator remote access to the infected system, usually by reporting the system’s address and the open port back to that person, making it easy for him or her to take control of the PC or read sensitive data.
- Blended threat: A combination of infection types in a single item. For example, a worm that infects a boot sector, deletes important files, and/or opens a security back door would be a blended threat.
Most of the viruses circulating at this writing are blended threats, so they don’t fall neatly into any one category. That also makes them more dangerous: they spread by more than one route and are harder to eradicate, because cleaning one component leaves the others in place.
You probably have a virus if…
The symptoms in the bulleted list below are rarely caused by anything except a virus (or, where noted, by someone actively using a back door), so if you find any of them on an end user’s PC, you should strongly suspect an infection.
- The user received an e-mail with an odd attachment and opened it, with unexpected results—such as the appearance of odd dialog boxes or a sudden degradation in system performance.
- There is a double extension on an attachment that the user recently opened, such as .jpg.vbs. Windows decides what to do with a file by its last extension, so that “picture” was really a Visual Basic script.
- An antivirus program is disabled for no apparent reason (perhaps with an X through its icon in the notification area), and it cannot be enabled. The system may also report an error condition.
- An antivirus program will not install on the PC (or appears to install, but then will not run), but other programs will.
- Odd dialog boxes or messages appear onscreen.
- Several files are missing, especially those of a common type. For example, some viruses have a side effect of deleting all graphic files of a particular type.
- Someone tells the user they have recently received strange e-mails from them containing random attached files or a virus.
- The PC starts performing actions seemingly on its own, like moving the mouse pointer, opening or closing windows, running programs, or opening and closing the CD tray. This is a symptom of someone actually using a back door to operate the PC, rather than a symptom of the existence of the back door.
- You notice the presence of new users with full security permissions that you know you did not create, or you notice inappropriate permissions assigned to existing users. Again, this is more often a symptom of back door hacking than virus infection.
- The mouse pointer changes to some different graphic.
- Odd icons appear on the desktop that the user did not place there, although the user has not installed any new applications lately that could have placed them there.
- Strange sounds or music plays from the speakers for no apparent reason.
- File sizes or date/time stamps have changed on files that the user knows he or she did not alter.
- A program that was used successfully recently has disappeared, and the user knows that he or she did not uninstall it.
It’s much easier to spot double-extension files if Windows is set to display extensions for known file types. To do that, open Windows Explorer, choose Tools, Folder Options, and deselect the Hide extensions for known file types check box on the View tab. (The setting lives in the Registry as the HideFileExt value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; setting it to 0 shows extensions, which is handy if you want to push the change to many PCs.) Even with extensions visible, watch for names padded with spaces so the real extension scrolls out of view in a narrow column.
You might have a virus if…
A virus infection could also cause any of the following symptoms. Keep in mind that these are just as typical of ordinary Windows problems, so they cannot be pinned on a virus until you have run a complete scan with updated definitions.
- Windows will not start at all, even though the user has made no system changes, installed or removed any programs, or made any Registry edits since the last time it started successfully.
- Windows will not start because certain critical system files are missing (and you see an error message listing those files), and the user is confident that he or she did not accidentally delete them.
- The PC starts up normally sometimes, but at other times will hang before the desktop icons and taskbar appear.
- The PC runs very slowly and/or takes a long time to start up.
- Out-of-memory error messages appear, even though the PC has plenty of RAM.
- Viewing the system processes via Task Manager shows that an unknown process is consuming a high percentage of the CPU time.
- From the Task Manager view, you notice programs or processes running that you do not recognize, even after shutting down all running programs and system tray utilities.
- New applications will not install properly.
- Windows spontaneously reboots for no apparent reason.
- Applications that used to run normally are now crashing frequently. Removing and reinstalling them does not solve the problem.
- A disk utility such as Scandisk reports multiple serious disk errors.
- A partition completely disappears.
The key to distinguishing virus-related system problems from ordinary ones is often situational. What did the user do right before the problem started? It never hurts to ask. If possible, check the user’s e-mail box to see whether an e-mail containing a virus might still be hanging around there. Check his or her Deleted Items and Sent Items folders as well to see if the virus may have been spread to others.
For definitive virus detection, you must turn to an antivirus program with updated definitions. If a reputable antivirus program will install, run, and complete a check successfully, and if its definitions have been updated within the last 24 hours, you can be fairly confident that the problem is not a virus. Otherwise, virus infection is still a credible suspect.
Are the definitions up to date?
Updated virus definitions are essential; otherwise, performing a complete system scan for a virus is a waste of time. And these days, new viruses are discovered almost every day, so definitions updated within the last 24 hours are preferable.
Most antivirus programs rely on signatures, so they can’t detect viruses they don’t know about. There are exceptions, such as integrity monitors that record the sizes and dates of essential system files and warn you when one is about to change. However, the vast majority of threats circulating today are not true viruses: they don’t modify your existing .exe files or the boot sector. Instead, they are Trojan horses, back door programs, or worms that arrive as new files of their own, so their behavior won’t normally trigger that kind of proactive detection. Therefore, updated definition files are your only reliable line of defense against new threats.
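The integrity-monitoring idea mentioned above, as an added example that is not from the original article: it records the size, timestamp, and a SHA-256 digest of every file under a directory, then reports what was modified, deleted, or added. The directory, the file names, and the “infection” are all constructed for the demo. It also shows why the digest, not the date/time stamp, is the check that matters: a file infector can append its code and then put the original timestamp back.

```python
"""Baseline-and-compare check for critical files (added example; constructed data)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large system files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (size, mtime_ns, sha256) for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = (st.st_size, st.st_mtime_ns, sha256_of(full))
    return baseline


def compare(baseline, root):
    """Report differences between the baseline and the directory as it is now.

    'modified' is decided by digest alone; size and timestamp are what a casual
    look in Explorer gives you, and an infector can preserve both.
    'mtime_changed' is listed separately to show what a timestamp-only check sees.
    """
    current = build_baseline(root)
    common = [p for p in baseline if p in current]
    return {
        "modified": sorted(p for p in common if baseline[p][2] != current[p][2]),
        "mtime_changed": sorted(p for p in common if baseline[p][1] != current[p][1]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: three 'system files', then an infection that appends
    code to an executable and restores its timestamp, deletes a file, and drops a script."""
    with tempfile.TemporaryDirectory() as root:
        originals = {
            "notepad.exe": b"MZ original notepad",
            "win.ini": b"[fonts]\r\n",
            "command.com": b"MZ original shell",
        }
        for name, data in originals.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        target = os.path.join(root, "notepad.exe")
        with open(target, "ab") as f:                 # file infector appends itself...
            f.write(b"<viral code>")
        _size, old_mtime, _digest = baseline["notepad.exe"]
        os.utime(target, ns=(old_mtime, old_mtime))   # ...and puts the old date/time back
        os.remove(os.path.join(root, "win.ini"))      # payload deletes a file
        with open(os.path.join(root, "dropped.vbs"), "wb") as f:
            f.write(b"' dropped script")              # and drops a new one
        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A baseline is only as trustworthy as the state it was taken in, so take it on a known-clean build and store it (and the script) somewhere the monitored PC cannot rewrite, such as a read-only network share.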
Norton AntiVirus, for example, checks for new definitions on the company’s server and installs them automatically. Be warned, however, that some services (such as Symantec’s Live Update) update their servers only once a week except during peak periods of virus activity, so running Live Update does not always get you the latest definitions. Going to the company’s Web site and comparing the date of the most recently posted definitions with the date shown in your software is one way to be sure you have the latest, but that gets tedious. Symantec also offers Intelligent Updater, which posts new definitions every business day; that is a better fit for administrators with mission-critical PCs to support.
Do a full system scan
Assuming your virus definitions are up to date, you can be reasonably certain that if an antivirus program successfully completes a full system scan and tells you there is no virus, there probably is no virus. If you remain skeptical, check one of the major virus security Web sites after 24 hours; it’s possible that a brand-new variant has slipped in. If that’s the case, other people should be reporting it and it should be all over the virus community’s news within 24 hours.
If your antivirus program won’t run, won’t complete a full system scan, or won’t install when you buy a fresh copy, that is a significant sign of infection. For example, many variants of the W32.Klez@mm mass-mailing worm include routines that disable antivirus software and make it difficult or impossible to install a new antivirus program.
If you think you might have a Klez variant, you’ll need to download and run a dedicated Klez removal tool. Symantec offers a free one on its Security Response Web site, where you can also find removal tools for many other specific viruses.
Avoiding future infections
End users seem prone to fall for every hoax and every encouragement to “click here,” which makes it especially difficult for support professionals to protect those PCs. Here are some tips geared toward safeguarding your users against their own gullibility and protecting your servers against virus attacks.
- Tell your end users not to open attachments unless they are expecting them, and not to run programs they download from the Internet unless they have been scanned for viruses.
- Encourage end users to keep Windows and Internet Explorer updated with the latest security patches. Simply visiting a Web site can cause infection if certain patches are not installed, so if possible, set up automatic updates for Windows and IE.
- By default, many operating systems (especially server versions) install with extra services that you don’t need, such as an FTP server, telnet, and a Web server. Remove any that are not critical so a virus has fewer avenues of attack.
- Be quick to disable or block access to network services when a blended threat exploits one of them, and keep it sealed off until you can apply a fix.
- Keep patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, Mail, and DNS services.
- Use strong passwords yourself, and enforce an aggressive password policy that requires complex passwords and frequent changes. This helps limit the damage in the event that a computer is compromised through a back door.
- Configure your e-mail server to block or strip attachments of the file types commonly used to spread viruses, such as VBS, BAT, EXE, PIF, and SCR. Tell users to send any files that legitimately need to go out in those formats inside compressed archives (ZIP files), and have the gateway scan inside those archives as well, since an archive can carry exactly the file types you are blocking.
- Frequently check the security advisories provided by the makers of antivirus software to find out what the latest threats are. An excellent one is the Security Advisories list from Symantec.
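Two of the checks above, spotting a double extension on an attachment name and blocking the listed file types at the mail server, as an added example that is not from the original article. BLOCKED_EXTENSIONS follows the article’s list; the sample file names and the in-memory ZIP are constructed for the demo. It goes one step beyond the text by looking inside ZIP attachments, because an archive can carry the very types the gateway blocks.

```python
"""Attachment-name checks for a mail gateway (added example; constructed samples)."""
import io
import zipfile

# The article's list of file types to block at the mail server; extend to taste.
BLOCKED_EXTENSIONS = {"vbs", "bat", "exe", "pif", "scr"}


def extensions_of(filename):
    """All extensions of a name, in order: 'photo.jpg.vbs' -> ['jpg', 'vbs'].

    Each piece is stripped because Windows ignores trailing spaces, and a name
    padded like 'photo.jpg      .scr' hides its real extension off the edge of
    the column.
    """
    pieces = [p.strip().lower() for p in filename.split(".")]
    return [p for p in pieces[1:] if p]


def classify_name(filename):
    """'block' if Windows would run it (final extension is blocked), 'suspicious'
    if it carries more than one extension, 'allow' otherwise."""
    exts = extensions_of(filename)
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        return "block"
    if len(exts) > 1:
        return "suspicious"
    return "allow"


def inspect_archive(data):
    """Classify each member of a ZIP given as bytes -> [(member name, verdict)].
    A file that calls itself a ZIP but does not parse is itself suspicious."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, classify_name(i.filename))
                    for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return [("<unreadable archive>", "suspicious")]


def gateway_verdict(filename, data=b""):
    """Worst verdict among the attachment's own name and, for a ZIP, its members."""
    rank = {"allow": 0, "suspicious": 1, "block": 2}
    verdicts = [classify_name(filename)]
    if extensions_of(filename)[-1:] == ["zip"]:
        verdicts += [v for _name, v in inspect_archive(data)]
    return max(verdicts, key=rank.__getitem__)


def build_sample_zip():
    """Constructed sample archive: a harmless text file plus a disguised screensaver."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "meeting notes")
        zf.writestr("holiday.jpg.scr", "MZ not really a picture")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("report.doc", "photo.jpg.vbs", "setup.exe   ", "backup.tar.gz"):
        print(f"{name!r:20} -> {classify_name(name)}")
    print("photos.zip ->", gateway_verdict("photos.zip", build_sample_zip()))
```

The name check is deliberately conservative: a legitimate “backup.tar.gz” is only flagged for review, not dropped, while anything whose final extension Windows would execute is blocked regardless of what the earlier extensions claim it to be.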
Tell us your story
Unfortunately, there is no magic formula for determining whether a virus is the source of PC problems. Many virus symptoms are identical to the symptoms of normal system problems. The guidelines above, however, can help you make an educated guess. Obviously, an updated antivirus program is your best line of defense against viruses; educating users and being quick to isolate problems can also help keep virus infection to a minimum among the PCs you support.
Have you found any common symptoms of viruses that I have not mentioned in this article? If so, please post them in the discussion for this article and share them with the TechProGuild community.