Recovery-Tips on Getting Rid of Virus Infections:-
Removing Boot Sector Virus:-
Remember that a boot sector virus attaches itself to the instructions in the disk's boot sector, which are loaded into memory immediately when the system is powered on.
To remove this type of virus you must reverse the infection process: clean the virus out and reinstall the original boot sector code. To do this, follow these steps:
1. Use the DOS utility called the SYS command. Boot from a clean system diskette and type the command SYS C: at the A> prompt. If the transfer has completed smoothly, you get the response:
System transferred
2. The SYS command may not always remove the boot sector virus, so you may need to use a program designed for this task. One such program is called MDISK and can be downloaded from the Computer Virus Industry Association bulletin board.
3. The third and last option is to back up all your data files before carrying out the final step: reformatting the hard disk.
Removing Parasitic or File Virus:-
Follow these steps to get rid of one of these viruses:
1. Power down your system. When you switch it on again, boot from a clean, write-protected operating system master diskette.
2. Use a virus scanning utility program to scan the files for these programs and identify which have been infected.
3. Delete each of these infected files from the system.
4. Get out your original documentation and disks for the application program. Use them to repeat the installation procedure so that the infected files are replaced by the original, non-infected versions.
A Tip to Avoid the Macro Virus:-
For Microsoft Office applications, there is a simple safety measure:
Word or Excel will skip loading such a macro if the [SHIFT] key is held down while the file is being loaded from the File/Open dialog box. It does not necessarily work if the file is opened by double-clicking in File Manager or launched from ECSMail or a web browser.
For example, to open a Word document without automatically executing any macros:
1. Save it to a file
2. Start up Word
3. From the File menu, choose Open and select the file you wish to load
4. Hold down the [SHIFT] key and click on [OK]
5. Keep the [SHIFT] key depressed until the document has finished loading
Some Examples of Real World Viruses:-
1. Pretty Park:-
The W32/Pretty virus is yet another one of those that spread by email. It infects only Windows 9x and NT users, and is believed to have originated in France almost a year ago. The virus arrives by email with a structure like the following:
Subject: C:\CoolProgs\Pretty Park.exe
Text: Pretty Park.exe :)
Attachment: a file named 'prettypark.exe'
As soon as you execute this prettypark.exe attachment, the virus starts infecting your system. When executed, the file copies itself to FILES32.VXD in the c:\windows\system directory. To ensure that FILES32.VXD (which is the virus itself) is executed whenever any .EXE file is run, it modifies the following Registry key: HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open. In this key, it changes the value of 'command' from "%1" %* to FILES32.VXD "%1" %*. As a result, after this Registry edit every .EXE that is executed will in turn be infected by the virus. Once it is installed, the virus automatically tries to email itself every 30 minutes to all the email addresses in Outlook Express's Address Book, spreading itself to all quarters of the Internet. This behaviour is quite common amongst other email-borne viruses; it is how they spread themselves and stay alive.
Pretty Park, like some other intelligent viruses, does not allow users to remove references to itself from the Registry. One trick which anti-virus organisations have discovered is that if the Registry Editor is renamed from regedit.exe to regedit.com (on Win9x systems) or from regedit32.exe to regedit32.com (on NT systems), then you can still view the entire Windows Registry. Run the Windows Registry Editor, i.e. regedit.exe on Win9x and regedit32.exe on NT. Make sure that you reboot into MS-DOS from the start-up disk and then launch the Registry Editor.
Now remove references to the worm from the following Registry keys:
To remove the references to the Trojan, change the value of 'command' in the HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open key described above
from FILES32.VXD "%1" %* to "%1" %* (note the space within the new value).
All software or services referred to in the following Registry keys start automatically with Windows, so make sure that the following keys contain no reference to the virus:
Also delete any references to the Virus from the following:
1. Open WIN.INI in Notepad and, in the 'run=' line under the [windows] section, look for any reference to the Trojan.
2. Now open SYSTEM.INI and, in the 'shell=' line under the [boot] section, remove all references except the reference to Explorer.exe.
Then look for the following Registry key:
This key is not found on all systems. If you find it, delete it.
Now reboot and delete the Trojan .exe file itself. If you have followed the above procedure correctly without any errors, the worm will be deleted; otherwise you will get an error message. Also delete the
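The two things the procedure above tells you to inspect, the exefile 'command' value and the run=/shell= lines in WIN.INI and SYSTEM.INI, can be checked mechanically. The following is an added example written for this page, not code from the original article; the registry value and INI snippets it scans are constructed samples, and the clean command string '"%1" %*' and the Explorer.exe allow-list are taken from the text above.

```python
import re

# Clean value of 'command' under HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open:
# the quoted %1 placeholder followed by %* for the remaining arguments.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample values for demonstration, not taken from a real machine.
HIJACKED_COMMAND = 'FILES32.VXD "%1" %*'
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe FILES32.VXD\n[386Enh]\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=\n"


def exefile_command_is_hijacked(value):
    """True if anything other than the clean '"%1" %*' is registered for .EXE files."""
    return value.strip() != CLEAN_EXEFILE_COMMAND


def hijack_prefix(value):
    """Return the program wedged in front of '"%1" %*', or '' if the value is clean.
    A value of unrecognised shape is returned whole so it is never silently ignored."""
    v = value.strip()
    if v == CLEAN_EXEFILE_COMMAND:
        return ''
    if v.endswith(CLEAN_EXEFILE_COMMAND):
        return v[:-len(CLEAN_EXEFILE_COMMAND)].strip()
    return v


def suspicious_ini_entries(ini_text, section, key, allowed=()):
    """Return the programs listed on `key=` under [section] that are not in
    `allowed` (case-insensitive). Use it for WIN.INI run= and SYSTEM.INI shell=."""
    allowed_lc = {a.lower() for a in allowed}
    current, found = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()          # entered a new [section]
            continue
        if current == section.lower() and '=' in line:
            k, _, v = line.partition('=')
            if k.strip().lower() == key.lower():
                # run=, load= and shell= separate several programs with spaces or commas
                for entry in re.split(r'[\s,]+', v.strip()):
                    if entry and entry.lower() not in allowed_lc:
                        found.append(entry)
    return found
```

On a real machine you would feed these functions the exported 'command' value and the contents of the two .INI files; any non-empty result is a reference that the procedure above says must be removed.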
2. Disk Killer:-
Disk Killer is a boot sector virus and the most destructive of the new strains to emerge in late 1989. When it activates, it displays the following message:
Disk Killer version 1.0
From Ogre Computers
Now killing disk.
Please do not power
down your system.
Ten seconds before the message is displayed, Disk Killer has already initiated a low-level format of the hard disk.
Powering down immediately when the warning appears on the screen is not effective, as everything on the disk has been destroyed before you can react.
3. Dark Avenger :-
Dark Avenger is a .COM and .EXE file infector that promises to be a steadily increasing problem because it is both very infectious and destructive. Dark Avenger seeks new host programs at virtually any moment of application program activity, including loading, executing, or transferring code or data between systems.
4. Zero bug:-
The Zero Bug is another .COM infector from Europe. It spreads and destroys data both quickly and efficiently. We should be particularly concerned about Zero Bug because it incorporates a new method of outwitting many of the virus detection programs now on the market.
Some detection programs rely on monitoring program size to identify hidden infections. Many viruses attach and conceal themselves within the code of application programs, inevitably increasing the size of those programs above the manufacturer's standard. Zero Bug hides in application programs too, but it may go undetected because it changes the program's new identification details back to the manufacturer's standard. This is one of the most ingenious and effective methods of virus concealment, and it automatically renders obsolete many antiviral programs and utilities that rely entirely on snapshots, checksums, or other devices that compare the status of a program against its original specification to look for symptoms of infection.
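The weakness described above is specific to detectors that compare only a program's size against a baseline. The following added example (written for this page, not code from the original article) builds a baseline from constructed sample program images and contrasts a size-only comparison with a SHA-256 comparison over a modified copy of exactly the same length: the size check reports nothing, the hash check reports the file.

```python
import hashlib

# Constructed sample program images, not real files. The modified copy is
# padded to exactly the original length, which is what defeats size monitoring.
ORIGINAL = {"SAMPLE.COM": b"sample-program-code-" + b"\x90" * 40}
MODIFIED = {"SAMPLE.COM": b"sample-program-code-" + b"\xCC" * 40}


def fingerprint(files):
    """Baseline snapshot: size and SHA-256 digest for each file image."""
    return {name: {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
            for name, data in files.items()}


def changed_by_size(baseline, current):
    """Size-only monitoring, as in the detectors the passage describes.
    Returns the names whose size differs from the baseline."""
    now = fingerprint(current)
    return sorted(n for n in baseline
                  if n in now and now[n]["size"] != baseline[n]["size"])


def changed_by_hash(baseline, current):
    """Digest-based monitoring: any change to the bytes, same size or not,
    produces a different SHA-256 and is reported."""
    now = fingerprint(current)
    return sorted(n for n in baseline
                  if n in now and now[n]["sha256"] != baseline[n]["sha256"])


if __name__ == "__main__":
    base = fingerprint(ORIGINAL)
    print("size check flags:", changed_by_size(base, MODIFIED))   # nothing
    print("hash check flags:", changed_by_hash(base, MODIFIED))   # SAMPLE.COM
```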
5. Alabama:-
Alabama is a .COM and .EXE file infector that also introduced a new and disturbing device. Whenever files are copied or otherwise activated on an infected system, Alabama renames them, giving them the name of another existing file on the victim's system. Soon all the data file listings are scrambled: the data is still there, but you cannot access it effectively because you do not know under what file name it is stored.
6. Yankee Doodle:-
Yankee Doodle is, fortunately, an innocuous virus in its original form. It is activated by the computer's internal clock; at 5 p.m. it causes the tune "Yankee Doodle Dandy" to be played over the computer's speaker. Initially, this virus did not destroy data or overload systems by replicating out of control.
7. Sunday:-
As the name implies, the Sunday virus activates when the internal clock of the system it has infected reaches Sunday. Upon activation, the operator is greeted by the following message:
Today is Sunday. Why are you working?
All work and no play make you a dull boy.
All work and no play make you a dull boy.
Before or during the display of the message, the Sunday virus has garbled the FAT (file allocation table) section of the operating system so that files cannot be located.
8. Ghost:-
Ghost infects both boot sectors and .COM files on hard disks and floppies. So in addition to using the SYS command to disinfect the boot sector, it is also necessary to remove all infected .COM files.
9. Brain:-
Brain is another boot sector infector, also called the "Pakistani Brain" or the "Basit" after its creators in Lahore, Pakistan, who were the only virus writers ever to put their names, address, and telephone number in the copyright notice of a virus. But that was in 1986, when viruses were not yet perceived as a major threat that could expose their creators to retribution if caught.
Basit and Amjad Alvi installed Brain on pirated software that they sold from their Brain Software & Computer Services shop in Lahore. Tourists could not resist the temptation of being able to purchase copies of WordPerfect and other popular proprietary software for a few bucks, and so snapped up the infected disks. One pirated program can breed many others, and so Brain spread like a bushfire around the world, and was renamed the Hard Disk Brain, the Clone, the Shoe, and the Houston virus as it acquired more capabilities to infect and cause damage.
All versions of Brain retain the original's clever techniques of replicating quickly whenever it finds a hospitable environment and concealing itself to avoid detection. Brain takes immediate control of the system by infecting the boot sector of the disk, then extends that control by splitting itself up into sections of code that are hidden in various places on the disk, which are then flagged as bad sectors so that they cannot be read by the user.