WHMurray@DOCKMASTER.ARPA (08/22/89)
>1) Is the possibility of virus infection limited to executable
> programs (.com or .exe extensions)? Or can an operating system be
> infected from reading a document file or graphic image?

While a virus must succeed in getting itself executed, there are a number of solutions to this problem besides infecting .exe and .com. While it will always be sufficient for a virus to dupe the user, the most successful ones are relying upon bootstrap programs and loaders to get control.

>2) Are there generic "symptoms" to watch for which would indicate a virus?

Any unusual behavior may signal the presence of a virus. Of course most such unusual behavior is simply an indication of user error. Since there is not much satisfaction to writing a virus if no one notices, most are not very subtle.

However, the mandatory behavior for a successful virus is to write to shared media, e.g., floppy, diskette, network, or server. (While it may be useful to the virus or disruptive to the victim to write to a dedicated hard disk, this is not sufficient for the success of the virus.)

>3) Any suggestions on guidelines for handling system archiving
> procedures so that an infected system can be "cleaned up"?

WRITE PROTECT all media. Preserve vendor media indefinitely. Never use the backup taken on one system on any other. Be patient when recovering; be careful not to reinfect. (Computer viruses are persistent on media.) Quarantine systems manifesting strange behavior. Never try to reproduce symptoms on a second machine. Never share media gratuitously. (Note that most PC viruses are traveling on shared MEDIA rather than on shared PROGRAMS.)
____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
                                        ARPA: WHMurray@DOCKMASTER
Ernst & Young                           MCI-Mail: 315-8580
2000 National City Center               TELEX: 6503158580
Cleveland, Ohio 44114                   FAX: 203-966-8612
                                        Compu-Serve: 75126,1722
                                        INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D              DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840           PRODIGY: DXBM57A
--------------------------------------------------------------------