Types of infections
In the "old days," there were only a couple of types of viruses. One
type would infect .exe files, adding a foreign string to them so that when they
executed, the virus would run and do its dirty work. Another type would travel
from PC to PC via floppy disk, hidden in the boot sector, and when a PC was
booted from an infected floppy, the virus would copy itself to the boot sector
of that PC.
These viruses still exist but are nowhere near as common as the newer varieties.
Some people would argue that the newer ones are not really "viruses" per se,
because they lack some of the defining characteristics of viruses, such as the
ability to attach themselves to a program file or infect the system area of a
disk. Some of the common virus types out there today include the following:
Trojan horse: This is a program that appears to do something useful
but actually delivers a harmful effect, such as opening up a security hole,
spreading itself via e-mail, or deleting or damaging files.
Worm: This is a program that spreads by making copies of itself. It
may or may not do any additional harm.
@m: A "mailer" is a type of worm that attaches itself to
e-mail that a user sends.
@mm: A "mass mailer" is a type of worm that automatically
sends itself to multiple addresses from a user's address book.
Back door: This is a program that sends information back to its
creator about the infected system, making it easy for that person to hack
into the infected system and take control of it or read sensitive data.
Blended threat: This is a combination of infection types in a
single item. For example, a worm that infects a boot sector, deletes
important files, and/or opens a security back door would be a blended threat.
Most viruses are blended threats, so they
don't neatly fall into any one category. This also makes them more dangerous,
easier to spread, and more difficult to eradicate.
You probably have a virus if…
The symptoms in the bulleted list below are rarely caused by anything except a
virus, so if you detect any of these issues on an end user's PC, you should feel
confident in suspecting virus infection.
The user received an e-mail with an odd attachment and opened it with
unexpected results, such as the appearance of odd dialog boxes or a sudden
degradation in system performance.
There is a double extension on an attachment that the user recently
opened, such as .jpg.vbs.
An antivirus program is disabled for no apparent reason (perhaps with an X
through its icon in the notification area), and it cannot be enabled. The
system may also report an error condition.
An antivirus program will not install on the PC (or appears to install,
but then will not run), but other programs will.
Odd dialog boxes or messages appear onscreen.
Several files are missing, especially those of a common type. For example,
some viruses have a side effect of deleting all graphic files of a
Someone tells the user they have recently received strange e-mails from
them containing random attached files or a virus.
The PC starts performing actions seemingly on its own, like moving the
mouse pointer, opening or closing windows, running programs, or opening and
closing the CD tray. This is a symptom of someone actually using a back door
to operate the PC, rather than a symptom of the existence of the back door.
You notice the presence of new users with full security permissions that
you know you did not create, or you notice inappropriate permissions
assigned to existing users. Again, this is more often a symptom of back door
hacking than virus infection.
The mouse pointer changes to some different graphic.
Odd icons appear on the desktop that the user did not place there,
although the user has not installed any new applications lately that could
have placed them there.
Strange sounds or music plays from the speakers for no apparent reason.
File sizes or date/time stamps have changed on files that the user knows
he or she did not alter.
A program that was used successfully recently has disappeared, and the
user knows that he or she did not uninstall it.
Watch your e-mail client (such as Outlook) for the sudden appearance of "delivery failure" alerts for e-mails sent to people you do not know.
There's no foolproof way to keep every variant of a virus off your PC, but you can stop a virus from sending out copies of itself by installing a good personal firewall or antivirus program (such as Norton AntiVirus).
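The double-extension symptom above (an attachment such as .jpg.vbs), as an added illustration that is not part of the original article: a Python check that flags attachment names whose real last extension is executable but sits behind a harmless-looking one. The extension sets and the sample names are assumptions constructed for the example.

```python
# Added example, not from the original article: flag attachment names that hide an
# executable extension behind a decoy content extension. The extension sets and the
# sample names below are assumptions constructed for the example.

# Extensions Windows runs as code when the file is opened.
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "wsf", "wsh", "hta"}
# Extensions a user reads as harmless content; these act as the decoy.
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf",
             "mp3", "avi", "htm", "html"}


def extensions(name: str) -> list:
    """Lower-cased extensions of a name, padding spaces stripped so that
    'readme.txt    .exe' is treated like 'readme.txt.exe'."""
    return [p.strip().lower() for p in name.split(".")][1:]


def displayed_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped when it belongs to a registered type."""
    exts = extensions(name)
    if exts and exts[-1] in EXECUTABLE_EXT | DECOY_EXT:
        return name[: name.rfind(".")].rstrip()
    return name


def is_deceptive(name: str) -> bool:
    """True for a decoy extension followed by an executable one, e.g. 'photo.jpg.vbs'."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXT and exts[-2] in DECOY_EXT


def triage(names) -> list:
    """(name as the user sees it, real name) for each attachment to quarantine."""
    return [(displayed_name(n), n) for n in names if is_deceptive(n)]


# Constructed sample of attachment names, not real data.
SAMPLE = ["holiday.jpg", "invoice.pdf", "photo.jpg.vbs",
          "readme.txt    .exe", "setup.exe", "archive.tar.gz"]

if __name__ == "__main__":
    for shown, real in triage(SAMPLE):
        print(f"shown as {shown!r}, really {real!r}")
```

Turning off "Hide extensions for known file types" in Explorer's folder options makes the real extension visible to the user, which is why the check reports both forms of the name.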
A virus infection could also cause some of the following symptoms. Keep in mind
that these symptoms are also typical of ordinary Windows system problems, so
you'd have to run a complete virus scan (with updated definitions) before you
could definitively diagnose a virus.
Windows will not start at all, even though the user has made no system
changes, installed or removed any programs, or made any registry edits since
the last time it started successfully.
Windows will not start because certain critical system files are missing
(and you see an error message listing those files), and the user is
confident that he or she did not accidentally delete them.
The PC starts up normally sometimes, but at other times will hang before
the desktop icons and taskbar appear.
The PC runs very slowly and/or takes a long time to start up.
Out-of-memory error messages appear, even though the PC has plenty of RAM.
Viewing the system processes via Task Manager shows that an unknown
process is consuming a high percentage of the CPU time.
From the Task Manager view, you notice programs or processes running that
you do not recognize, even after shutting down all running programs and
system tray utilities.
New applications will not install properly.
Windows spontaneously reboots for no apparent reason.
Applications that used to run normally are now crashing frequently.
Removing and reinstalling them does not solve the problem.
A disk utility such as Scandisk reports multiple serious disk errors.
A partition completely disappears.
The key to distinguishing virus-related system problems from ordinary ones is
often situational. What did you do right before the problem started? It
never hurts to ask. If possible, check your e-mail box to see whether an
e-mail containing a virus might still be hanging around there. Check the Deleted Items
and Sent Items folders as well to see whether the virus may
have been spread to others.
For definitive virus detection, you must turn to an antivirus program with
updated definitions. If a reputable antivirus program will install, run, and
complete a check successfully, and if its definitions have been updated within
the last 24 hours, you can be fairly confident that the problem is not a virus.
Otherwise, virus infection is still a credible suspect.
Are the definitions up to date?
Most antivirus programs can't detect viruses that they don't know about.
There are exceptions, such as programs that monitor the file sizes and dates of
essential system files and warn you if they are about to be changed. However,
the vast majority of threats circulating today are not true viruses because they
do not actively infect your existing .exe files or boot sector. Instead, they
are Trojan horses, back door programs, or worms, whose behaviors won't normally
trigger that kind of proactive detection. Therefore, updated definition files
are your only reliable line of defense against new virus threats.
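The integrity monitoring just described (tools that watch the size and date of essential system files), together with the earlier symptom of file sizes or date/time stamps changing without the user's doing, as an added example that is not the article's or any antivirus product's code: it records size, modification time and a SHA-256 digest for a caller-supplied list of files and later reports what differs. The digest is the addition; the demo uses constructed files in a temporary directory rather than a real system file list.

```python
# Added example, not the article's or any vendor's code: a size + mtime + SHA-256
# baseline over a caller-supplied list of essential system files.
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Size, whole-second modification time and SHA-256 digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(paths) -> dict:
    """Fingerprint every watched file that exists, keyed by its path string."""
    return {str(p): fingerprint(Path(p)) for p in paths if Path(p).is_file()}


def compare(baseline: dict) -> list:
    """(path, finding) for each baselined file now missing or altered. The finding
    lists every differing field, so 'sha256' alone means the content changed while
    size and time stamp were preserved, which a size/date-only check would miss."""
    findings = []
    for key, old in baseline.items():
        path = Path(key)
        if not path.is_file():
            findings.append((key, "missing"))
            continue
        now = fingerprint(path)
        changed = [k for k in ("size", "mtime", "sha256") if now[k] != old[k]]
        if changed:
            findings.append((key, ",".join(changed)))
    return findings


def demo() -> list:
    """Constructed run in a temp dir: one file replaced by same-size content with
    its time stamp put back, one file deleted. Returns the finding strings."""
    with tempfile.TemporaryDirectory() as d:
        a, b = Path(d, "a.dll"), Path(d, "b.exe")
        a.write_bytes(b"original code")
        b.write_bytes(b"unchanged")
        base = build_baseline([a, b])
        st = a.stat()
        a.write_bytes(b"trojaned code")  # same 13-byte length as the original
        os.utime(a, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the time stamp
        b.unlink()
        return [finding for _, finding in compare(base)]
```

A baseline is only as trustworthy as the system it was taken on, so record it on a known-clean machine and keep the stored copy where the monitored machine cannot rewrite it.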
AntiVirus, for example, checks for new definitions on the company's server
and installs them automatically. Be warned, however, that some services (such as
Symantec's Live Update) update their servers only once a week except during
peak periods of virus problems, so you might not always get the latest updates
by running Live Update. Going manually to the company's Web site and comparing
the date of the most recently posted definitions to the date shown in your
software is one way to ensure you have the latest stuff, but that can be a
little taxing. Symantec offers an Intelligent
Updater service that updates virus definitions every business day, which is
a great alternative for administrators with mission-critical PCs to support.
If you think you might have a W32.Klez.mm virus or
a variant thereof, you'll need to download and run a special Klez removal
tool. Symantec offers a free one on its Security
Response Web site, where you can also view a list
of removal tools for many other specific viruses.
Do a full system scan
Assuming your virus definitions are up to date, you can be reasonably certain
that if an antivirus program successfully completes a full system scan and tells
you there is no virus, there probably is no virus. If you remain skeptical,
check one of the major virus security Web sites
after 24 hours; it's possible that a brand-new variant has slipped in. If
that's the case, other people should be reporting it and it should be all over
the virus community's news within 24 hours.
If your antivirus program won't run or won't do a full system scan, or if
you buy a new copy and it won't install, this is a significant sign there is a
virus infection. For example, many varieties of the W32.Klez.mm mass-mailing
worm include commands that disable your antivirus software and make it difficult
or impossible to install new antivirus software.
Unfortunately, there's no simple magic formula for determining whether a virus
is the source of PC problems. Many virus symptoms are identical to the symptoms
of normal system problems. The guidelines above, however, can help you make an