Today’s PC viruses, Trojan horses, worms, and blended threats can cause run-of-the-mill Windows or application problems, out-of-memory errors, intermittent failures to fully start up, or installation or operation problems with applications. But these symptoms could also be caused by your typical hardware or software malfunction, making diagnosing the problem a bit tricky. Here are some suggestions for determining if a PC has a virus.
Types of infections
In the "olden days," there were only a couple of types of viruses. One type would infect .exe files, adding a foreign string to them so that when they executed, the virus would run and do its dirty work. Another type would travel from PC to PC via floppy disk, hidden in the boot sector, and when a PC was booted from an infected floppy, the virus would copy itself to the boot sector of that PC.
These viruses still exist but are nowhere near as common as the newer varieties. Some people would argue that the newer ones are not really “viruses” per se, because they lack some of the defining characteristics of viruses, such as the ability to attach themselves to a program file or infect the system area of a disk. Some of the common virus types out there today (and permit me to use the loose, generic definition of virus in this article) include the following:
- Trojan horse: This is a program that appears to do something useful but actually delivers a harmful effect, such as opening up a security hole, spreading itself via e-mail, or deleting or damaging files.
- Worm: This is a program that spreads by making copies of itself. It may or may not do any additional harm.
- @m: A "mailer" is a type of worm that attaches itself to e-mail that a user sends.
- @mm: A "mass mailer" is a type of worm that automatically sends itself to multiple addresses from a user's address book.
- Back door: This is a program that sends information back to its creator about the infected system, making it easy for that person to hack into the infected system and take control of it or read sensitive data.
- Blended threat: This is a combination of infection types in a single item. For example, a worm that infects a boot sector, deletes important files, and/or opens a security back door would be a blended threat.
Most of the viruses circulating at this writing are blended threats, so they don’t neatly fall into any one category. This also makes them more dangerous, easier to spread, and more difficult to eradicate.
You probably have a virus if…
The symptoms in the bulleted list below are rarely caused by anything except a virus, so if you detect any of these issues on an end user's PC, you should feel confident in suspecting virus infection.
- The user received an e-mail with an odd attachment and opened it with unexpected results, such as the appearance of odd dialog boxes or a sudden degradation in system performance.
- There is a double extension on an attachment that the user recently opened, such as .jpg.vbs.
- An antivirus program is disabled for no apparent reason (perhaps with an X through its icon in the notification area), and it cannot be enabled. The system may also report an error condition.
- An antivirus program will not install on the PC (or appears to install, but then will not run), but other programs will.
- Odd dialog boxes or messages appear onscreen.
- Several files are missing, especially those of a common type. For example, some viruses have a side effect of deleting all graphic files of a particular type.
- Someone tells the user they have recently received strange e-mails from them containing random attached files or a virus.
- The PC starts performing actions seemingly on its own, like moving the mouse pointer, opening or closing windows, running programs, or opening and closing the CD tray. This is a symptom of someone actually using a back door to operate the PC, rather than a symptom of the existence of the back door.
- You notice the presence of new users with full security permissions that you know you did not create, or you notice inappropriate permissions assigned to existing users. Again, this is more often a symptom of back door hacking than virus infection.
- The mouse pointer changes to some different graphic.
- Odd icons appear on the desktop that the user did not place there, and the user has not installed any new applications lately that could have placed them there.
- Strange sounds or music plays from the speakers for no apparent reason.
- File sizes or date/time stamps have changed on files that the user knows he or she did not alter.
- A program that was used successfully recently has disappeared, and the user knows that he or she did not uninstall it.
It’s much easier to spot double-extension files if the display of extensions for known file types in Windows is turned on. To do that, choose Tools, Folder Options, and deselect the Hide Extensions For Known File Types check box on the View tab.
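The double-extension trick described above, as an added example that is not from the original article: a small Python triage routine that models what Explorer shows when extensions are hidden and flags attachment names whose real, final extension is executable while the visible one looks like a document or image. The extension lists and the sample attachment names are constructed assumptions, not data from the article.

```python
import os

# Extensions Windows runs as a program or script on double-click (assumed list,
# not from the article; extend it for your environment).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions that look like harmless documents or media to a user (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".xls", ".pdf", ".mp3", ".avi", ".htm", ".html"}

def explorer_display_name(filename: str, hide_known_ext: bool = True) -> str:
    """Name the user sees in Explorer. With 'Hide extensions for known file
    types' on, only the final extension is stripped, so photo.jpg.vbs is
    shown as photo.jpg (assumes the final extension is a registered type)."""
    if not hide_known_ext:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def is_suspicious_double_extension(filename: str) -> bool:
    """True when the real (last) extension is executable and the visible
    (second-to-last) extension is a decoy document or media type."""
    name = filename.rstrip()  # trailing blanks are sometimes used to pad the name
    stem, last = os.path.splitext(name)
    last = last.lower()
    if last not in EXECUTABLE_EXTS:
        return False
    _, visible = os.path.splitext(stem.rstrip())  # handles "song.mp3      .scr"
    return visible.lower() in DECOY_EXTS

def triage_attachments(names):
    """Return the attachment names that should be treated as likely infection vectors."""
    return [n for n in names if is_suspicious_double_extension(n)]

# Constructed sample attachment names (not taken from any real mailbox).
SAMPLE_ATTACHMENTS = [
    "vacation.jpg.vbs",
    "report.doc",
    "invoice.txt.exe",
    "setup.exe",
    "song.mp3                     .scr",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        flag = "SUSPICIOUS" if is_suspicious_double_extension(n) else "ok"
        print(f"{flag:10} shown as {explorer_display_name(n)!r:34} real name {n!r}")
```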
You might have a virus if…
A virus infection could also cause some of the following symptoms. Keep in mind that these symptoms are also typical of ordinary Windows system problems, so you'd have to run a complete virus scan (with updated definitions) before you could definitively diagnose a virus.
- Windows will not start at all, even though the user has made no system changes, installed or removed any programs, or made any registry edits since the last time it started successfully.
- Windows will not start because certain critical system files are missing (and you see an error message listing those files), and the user is confident that he or she did not accidentally delete them.
- The PC starts up normally sometimes, but at other times will hang before the desktop icons and taskbar appear.
- The PC runs very slowly and/or takes a long time to start up.
- Out-of-memory error messages appear, even though the PC has plenty of RAM.
- Viewing the system processes via Task Manager shows that an unknown process is consuming a high percentage of the CPU time.
- From the Task Manager view, you notice programs or processes running that you do not recognize, even after shutting down all running programs and system tray utilities.
- New applications will not install properly.
- Windows spontaneously reboots for no apparent reason.
- Applications that used to run normally are now crashing frequently. Removing and reinstalling them does not solve the problem.
- A disk utility such as Scandisk reports multiple serious disk errors.
- A partition completely disappears.
The key to distinguishing virus-related system problems from ordinary ones is often situational. What did the user do right before the problem started? It never hurts to ask. If possible, check the user’s e-mail box to see whether an e-mail containing a virus might still be hanging around there. Check his or her Deleted Items, and check the Sent Items folder as well to see if the virus may have been spread to others.
For definitive virus detection, you must turn to an antivirus program with updated definitions. If a reputable antivirus program will install, run, and complete a check successfully, and if its definitions have been updated within the last 24 hours, you can be fairly confident that the problem is not a virus. Otherwise, virus infection is still a credible suspect.
Are the definitions up to date?
Most antivirus programs can’t detect viruses that they don’t know about. There are exceptions, such as programs that monitor the file sizes and dates of essential system files and warn you if they are about to be changed. However, the vast majority of threats circulating today are not true viruses because they do not actively infect your existing .exe files or boot sector. Instead, they are Trojan horses, back door programs, or worms, whose behaviors won't normally trigger that kind of proactive detection. Therefore, updated definition files are your only reliable line of defense against new virus threats.
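The "monitor file sizes and dates of essential system files" approach mentioned above, and the changed-size-or-timestamp symptom in the earlier list, as an added example that is not from the original article: a baseline-and-compare integrity check in Python that records size, timestamp and SHA-256 for a set of files and reports what changed, including the case where a file was rewritten and its old timestamp put back. The file names and the tampering scenario are constructed in a temporary directory; on a real PC the name list would be the system files you want watched.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Size, whole-second modification time and SHA-256 of one file."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}

def build_baseline(root: Path, names) -> dict:
    """Record a fingerprint for each named file under root (name list is assumed)."""
    return {n: fingerprint(root / n) for n in names if (root / n).exists()}

def compare_baseline(root: Path, baseline: dict) -> dict:
    """Return {name: reason} for every file that no longer matches the baseline.
    A changed hash with an unchanged timestamp means the date was put back."""
    findings = {}
    for name, old in baseline.items():
        p = root / name
        if not p.exists():
            findings[name] = "missing"
            continue
        new = fingerprint(p)
        if new["sha256"] != old["sha256"]:
            same_time = new["mtime"] == old["mtime"]
            findings[name] = "content changed, timestamp preserved" if same_time else "content changed"
        elif new["size"] != old["size"] or new["mtime"] != old["mtime"]:
            findings[name] = "metadata changed"
    return findings

def demo() -> dict:
    """Constructed scenario: one file rewritten with its old date restored, one deleted, one untouched."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        names = ["sample_system.dll", "sample_driver.sys", "readme.txt"]  # constructed names
        for n in names:
            (root / n).write_bytes(b"original content of " + n.encode())
        baseline = build_baseline(root, names)
        target = root / "sample_system.dll"
        before = target.stat()
        target.write_bytes(b"replaced content of sample_system.dll")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))  # put the old date back
        (root / "sample_driver.sys").unlink()
        return compare_baseline(root, baseline)
```

Running demo() reports the rewritten file as "content changed, timestamp preserved" and the deleted one as "missing"; the untouched file produces no finding.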
Norton AntiVirus, for example, checks for new definitions on the company’s server and installs them automatically. Be warned, however, that some services (such as Symantec’s Live Update) update their servers only once a week except during peak periods of virus problems, so you might not always get the latest updates by running Live Update. Going manually to the company’s Web site and comparing the date of the most recently posted definitions to the date shown in your software is one way to ensure you have the latest stuff, but that can be a little taxing. Symantec offers an Intelligent Updater service that updates virus definitions every business day, which is a great alternative for administrators with mission-critical PCs to support.
If you think you might have a W32.Klez.mm virus or a variant thereof, you’ll need to download and run a special Klez removal tool. Symantec offers a free one on its Security Response Web site, where you can also view a list of removal tools for many other specific viruses.
Do a full system scan
Assuming your virus definitions are up to date, you can be reasonably certain that if an antivirus program successfully completes a full system scan and tells you there is no virus, there probably is no virus. If you remain skeptical, check one of the major virus security Web sites after 24 hours; it’s possible that a brand-new variant has slipped in. If that's the case, other people should be reporting it and it should be all over the virus community’s news within 24 hours.
If your antivirus program won’t run or won’t do a full system scan, or if you buy a new copy and it won’t install, this is a significant sign there is a virus infection. For example, many varieties of the W32.Klez.mm mass-mailing worm include commands that disable your antivirus software and make it difficult or impossible to install new antivirus software.
Unfortunately, there’s no simple magic formula for determining whether a virus is the source of PC problems. Many virus symptoms are identical to the symptoms of normal system problems. The guidelines above, however, can help you make an educated guess.