Virus, Spyware, and Adware Information
For a list of the latest virus threats, information about each virus, and instructions on how to remove it, you may visit the Symantec Security Response website. The site provides removal tools for some of the newer viruses, along with instructions on how to remove them.
A virus is a file that can infect other files in a computer or a network and can produce undesired side-effects. These effects can range from harmless messages to data corruption or destruction. Some viruses can format your hard disk or destroy the FAT (File Allocation Table) and the disk directories; others produce minor effects such as occasionally displaying on-screen messages, erasing or modifying data, playing music, or interfering with printer output.
It is estimated that there are more than 25,000 known viruses in the computer environment. Possible sources of virus transmission are diskettes, CDs, network cables, telephone cables (with a modem) and the Internet.
Closely related to computer viruses are Trojan Horses and Worms.
A Trojan Horse is a program that performs some undesired action while pretending to do something else. One common class of Trojans is the fake login program, which collects accounts and passwords by prompting for this information just like a normal login program does. Another is a disk defragmenter that erases files rather than reorganizing them. A Trojan Horse differs from a virus in that the former does not attempt to reproduce itself.
A Worm is a self-propagating virus. The worm disguises itself as an email attachment. This attached file is the actual worm code, and it propagates by locating valid email addresses. The worm modifies wsock32.dll and patches itself into this file so that two APIs, Connect() and Send(), are hooked into the worm’s code. Win32/SKA.A, for example, can see all network activities on the current machine. When someone posts an email message to another user or to a news server, the worm sends a copy of its email message with an attachment of its code. These types of chain letter worms are very successful because people usually trust messages they receive from friends and associates. 32-bit worms are much more successful than viruses that spread relatively slowly. A worm can infect 100,000s of machines around the globe in a single day.
There are four main classes of computer viruses: file infectors, cluster infectors, macro viruses and system infectors. About 85 percent of all known viruses infect files containing applications such as COM or EXE files under DOS and spreadsheet programs or games. Cluster infectors modify the file system so that they are run prior to other programs, but they do not actually attach themselves to programs. The third category, macro viruses, are independent of operating systems and infect files that are usually regarded as data rather than as programs. System infectors store themselves in the boot sector on floppies or a master boot record (MBR) for hard disks and hence are invoked whenever the disk is used to boot the system.
A virus must be executed by someone, perhaps unwittingly, in order to spread, for example by booting from an infected floppy disk. System infectors are loaded each time an infected disk is used to boot the system. This can happen even if a disk is not equipped with the files needed to truly boot the computer, as is the case with most floppies. With PCs, the initial infection typically occurs when someone boots - or reboots - a computer with an infected floppy accidentally left in drive A. It is always a good habit to check and remove any floppies that might be in the drives before booting your machine.
We recommend that you take all necessary precautions with e-mail messages that include attached files. Unless you know its source or are expecting the attached file, delete it without opening the attachment.
Viruses
We can differentiate the following types of viruses:
Types of infections
Damaging the hardware under Windows 95/98
Virus attacks took a big step in 1998 when the Win95/CIH became the first virus
to damage system hardware, specifically the flash BIOS. CIH, like Win95/Anxiety,
implements a PE infection mechanism based on VxD calls. Because the virus
executes its damage routine in Ring0 (system level), you can't prevent the
damage caused by the port commands (e.g. IN, OUT).
Infecting Kernel32.dll
Virus writers have written several Win32 viruses that attack kernel32.dll, which
most PE applications load and use to access the most important Win32 API set,
such as file functions. These viruses work by patching the export address of one
exported API (e.g., GetFileAttributesA) to point into the virus code that the
virus has appended to the end of the DLL image. Because 32-bit DLLs use the PE
file format, virus writers can easily infect this type of file. These viruses
can be per process resident (i.e., the viruses run actively as part of a process
or several processes). As a result, each process that uses kernel32.dll, which
is any process that uses the basic Win32 file functions and directory functions,
links to the virus code. The infected DLL attaches to every program that has
kernel32.dll imports. Whenever the application calls the API with the attached
virus code, the virus code gets control in the address spaces of the infected
application.
Every system DLL contains a pre-calculated checksum that the linker places in the DLL's PE header. Unlike Win95, NT recalculates this checksum before it loads DLLs and drivers. If the calculated checksum doesn't match the checksum in the DLL's header, the system loader stops with an error message at the blue screen during system boot. However, this doesn't mean that a virus writer can't implement such a virus for NT. The Win32/Heretic virus was the first of its kind to implement proper kernel32.dll infection. As a result, the virus ran on NT. The Win32/Kriz virus also used this method and the CIH damage routine, but the damage routine doesn't work under NT because the virus runs in Ring3 (user mode).
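The header checksum comparison described above can be reproduced offline. The following is an added example, not code from this page: it recomputes the PE CheckSum (folded 16-bit word sum plus file length) and compares it with the stored field. The function names and the 512-byte sample image are constructed for the illustration.

```python
import struct

def checksum_field_offset(image: bytes) -> int:
    """Locate OptionalHeader.CheckSum: e_lfanew + 4 (signature) + 20 (COFF) + 64."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    off = e_lfanew + 4 + 20 + 64
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(image) < off + 4:
        raise ValueError("PE header missing or truncated")
    return off

def compute_checksum(image: bytes) -> int:
    """Sum the file as 16-bit words (CheckSum field read as zero), then add the length."""
    off = checksum_field_offset(image)
    data = image[:off] + b"\0\0\0\0" + image[off + 4:]
    if len(data) % 2:
        data += b"\0"  # pad odd-length files to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return (total + len(image)) & 0xFFFFFFFF

def check_image(image: bytes) -> str:
    """Return 'unset', 'ok' or 'mismatch' for the stored header checksum."""
    (stored,) = struct.unpack_from("<I", image, checksum_field_offset(image))
    if stored == 0:
        return "unset"  # the field was never filled in
    return "ok" if stored == compute_checksum(image) else "mismatch"

def build_sample(stamp: bool = True) -> bytes:
    """Constructed 512-byte stand-in for a DLL: headers only, no real code."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    img[0x180:0x190] = b"constructed body"    # 16 filler bytes
    if stamp:
        off = checksum_field_offset(bytes(img))
        struct.pack_into("<I", img, off, compute_checksum(bytes(img)))
    return bytes(img)

if __name__ == "__main__":
    clean = build_sample()
    print(check_image(clean))                  # file as stamped
    print(check_image(clean + b"\xCC" * 32))   # same file with bytes added at the end
```

A matching value shows only that the header and the file contents agree; as the paragraph above notes, the load-time check did not stop Win32/Heretic or Win32/Kriz on NT.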
Kernel-mode driver viruses
This type of virus adds x number of bytes to the end of applications that run in
user mode. The virus modifies the entry point so that it points to the start of
the virus code. The virus tries to install the virus driver to the system and
uses hard-coded IDs to call native APIs. It can monitor all file access and
infect applications on the fly. It can infect anything it wants. Fortunately,
viruses of this kind are hard to program and are scarce.
Complex Win32 viruses
These viruses use polymorphic engines to make detection of virus code extremely
difficult. Some implement polymorphic engines that can change the virus code
from byte to byte in different generations. So you can't use a constant search
string to detect the virus code unless you use antivirus modules such as code
emulation. Another approach to polymorphic viruses is writing metamorphic
viruses. These viruses consist of small modules that viruses can place in a
virtually endless order using various sets of instruction sequences that differ
in code but have the same result when executed. Several of these viruses consist
of pieces of assembly code that are encrypted multiple times.
Counter measures
Infected DLLs can be hard to clean from the system because applications map these files from the disk to memory, and you can't modify these files once they load. Whereas you can boot an infected Win9x machine from a clean system diskette, it's much more complicated when you're using Win2000 and NT with NTFS. In these situations, you need to use utilities such as NTFSDOS that can boot the system for write access. Windows System File Checker (SFC) will fix the modified system components automatically. To use SFC, type sfc.exe from the command prompt. SFC is not a virus security feature, but it helps reduce the risk of spreading viruses under Win2000.
Backups of all software (including operating systems) should be made
regularly.
Prevention includes creating user awareness, implementing hygiene rules, using
disk authorization software or providing isolated 'quarantine' PCs.
Detection involves the use of anti-virus software to detect, report and
disinfect viruses.
Containment involves identifying and isolating the infected items.
Recovery involves disinfecting or removing infected items and recovering or
replacing corrupted data.
Techniques to detect viruses
String search
The first step in detecting a virus in a file is to search for a unique piece of
its code or of its data within files. This method is used for simple viruses.
Although the string search technique is not considered foolproof, it is still the
basis of most anti-virus programs.
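An added example (not code from this page) of the string search just described: a scanner that reads a file in chunks and keeps an overlap between reads, so a signature split across two reads is still found. The signature names and byte strings are constructed for the illustration and do not belong to any real virus.

```python
import io

# Constructed signature set: names and byte strings are made up for this example.
SIGNATURES = {
    "Example.A": bytes.fromhex("deadbeef4558414d504c45"),
    "Example.B": b"CONSTRUCTED-MARKER-B",
}

def scan_stream(stream, signatures=SIGNATURES, chunk_size=4096):
    """Return sorted (file_offset, name) pairs for every signature occurrence."""
    # Keep enough trailing bytes that a signature straddling two reads is whole
    # in the next window.
    overlap = max(len(sig) for sig in signatures.values()) - 1
    hits = set()      # a set, because a short match inside the overlap is seen twice
    tail = b""
    base = 0          # file offset of the first byte of the current window
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, sig in signatures.items():
            pos = window.find(sig)
            while pos != -1:
                hits.add((base + pos, name))
                pos = window.find(sig, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)

def constructed_sample():
    """Sample data: Example.A starts 6 bytes before a 4096-byte read boundary."""
    return (b"\0" * 4090 + SIGNATURES["Example.A"]
            + b"\0" * 100 + SIGNATURES["Example.B"])

if __name__ == "__main__":
    for offset, name in scan_stream(io.BytesIO(constructed_sample())):
        print(f"{name} at offset {offset}")
```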
Algorithmic search
This technique consists of determining whether a file has been infected by
observing certain parameters that commonly appear in infected files.
Vaccination
This consists of recording file characteristics in the file itself or in
separate files. This information is later used to determine whether the file was
modified, which almost always implies a virus attack.
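An added example (not code from this page) of the vaccination approach using a separate file: each file's size and SHA-256 are recorded in a JSON baseline, and a later comparison lists what changed. The function names, file names and the choice of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import json
import os
import tempfile

def fingerprint(path):
    """Size and SHA-256 of one file, read in blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return {"size": os.path.getsize(path), "sha256": digest.hexdigest()}

def snapshot(root):
    """Map each file's path (relative to root) to its fingerprint."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = fingerprint(full)
    return result

def record_baseline(root, baseline_path):
    with open(baseline_path, "w") as fh:
        json.dump(snapshot(root), fh, indent=2, sort_keys=True)

def compare_to_baseline(root, baseline_path):
    """Report files modified, added or missing since the baseline was recorded."""
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    now = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(set(now) - set(baseline)),
        "missing": sorted(set(baseline) - set(now)),
    }

def demo():
    """Constructed scenario: one file grows, one appears, one is deleted."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        for name, body in [("app.exe", b"MZ" + b"\0" * 62), ("tool.com", b"\xC3"), ("notes.txt", b"hi")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline_path = os.path.join(store, "baseline.json")  # kept outside the scanned tree
        record_baseline(root, baseline_path)
        with open(os.path.join(root, "app.exe"), "ab") as fh:
            fh.write(b"\x90" * 128)  # file grows after the baseline was taken
        with open(os.path.join(root, "new.exe"), "wb") as fh:
            fh.write(b"MZ")
        os.remove(os.path.join(root, "notes.txt"))
        return compare_to_baseline(root, baseline_path)
```

Keep the baseline on read-only or offline media: a baseline that an infected system can rewrite no longer proves anything.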
Investigation method
This method is very effective for unknown viruses and tries to discover viruses
that are active in memory, but have not been discovered by a conventional memory
scan. It basically consists of testing the virus so as to discover its infection
capacity.
Anti-stealth method
It consists of controlling the system resources first, before any other
application, and therefore does not allow itself to be manipulated by other
applications. This isolation system only makes sense when the virus is in
memory, i.e. when it is active, as this is when we try to avoid the effects of
the virus on the system.
Precautions
1. Be careful when downloading software or other items.
2. Don't run programs directly from the Internet unless you trust their source.
3. Avoid opening files attached to e-mail messages, unless you trust their source.
4. Scan new programs before running or installing them onto your system.
5. After you have an anti-virus program installed, keep it on auto-detect and
keep the virus signature files up to date. Most programs offer an easy online
updating option.
Disinfecting a virus
You should never work with a virus in memory. A virus or any other program can only get into memory when it is run. When you run an infected program, the virus is activated, and that is what we want to prevent by booting from a clean, virus-free boot diskette. When a virus is active in memory, it interferes with the operations performed and, at best, it could re-infect cleaned files if you go on working with the computer (without re-booting) after the disinfection is finished.
Some necessary program features:
A good anti-virus program will check RAM, boot sectors and system files. It should: have an auto-detect function which scans your system in the background, scan email attachments, documents and spreadsheets when opening them, enable you to scan any area of your system, on demand or scheduled. It should scan for all sorts of (unknown) viruses such as Trojan horses.
Spyware and Adware Information
What is spyware?
To explain what spyware is, we'll first explain what adware is. Adware is 'freeware' in which ads are embedded in the program. These ads will show up when you open the program. Most adware authors provide a free version with ads and a registered version in which the ads are disabled. As such, you the user have the choice: you either use the freeware with ads served or you purchase the registered version.
Spyware, however, is published as 'freeware' or as 'adware', but it is usually not mentioned that an analysis and tracking program (the 'spyware' agent, which reports your activities to the advertising providers' web site for storage and analysis) is also installed on your system when you install this so-called 'freeware'. Even though the name may suggest otherwise, spyware is not an illegal type of software in any way. But what the adware and spyware providers do with the collected information, and what they're going to 'feed' you with, is beyond your control.
Hardware spyware
Nowadays spyware can even be found accompanying hardware you buy and install in your system. Yes, the software you install with hardware purchased from certain manufacturers (some even well-known) may include spyware agents.
Spyware categories
Spyware threats
Spyware threats come in different flavors. The spyware agent can be malware (modifies system settings and can perform undesirable tasks on your system), a hijacker (redirects your browser to web sites), a dialer (dials a service, most likely porn sites, for which you are billed!), a trojan horse (is attached to a program and performs undesirable tasks on your system), or collectware (collects information about you and your surfing habits).
In addition to doing a detailed check of your browser history, spyware can install DLLs and other executable files, send continuous data to the parent, leave a backdoor open for hackers to intercept your personal data or enter your computer, install other programs directly onto your computer without your knowledge, send and receive cookies to and from other spyware programs and invite them into your computer (even if you have cookies disabled), and add Trojan horses to your system. Most spyware and adware programs are independent executable files which take on the authorization abilities of the victim. They include auto-install and auto-update capabilities and can report on any attempts to remove or modify them.
Spyware programs can reset your auto signature, disable or bypass your uninstall features, monitor your keystrokes, scan files on your drive, access your applications, and change homepages, in addition to displaying advertising content online or offline. They can read, write and delete files and even reformat your hard drive, and they do this while sending a steady stream of information back to the advertising and marketing companies. The majority of these programs, once installed, cannot easily be deleted from your system by normal methods, and they often leave components behind to continue to monitor your behavior and reinstall themselves.
Downloads
***Download the following programs to a location on your computer such as My Documents or the Desktop. Once the program has finished downloading double-click on the file to start the setup process.***
Anti-Virus
If you are using AVG 6.0 Free Edition you will need to upgrade to version 7.0 as version 6.0 will be discontinued at the end of 2004.
Avast! 4 Home Edition
*NOTE: You will need to click on the US link for the English version of this program. Once you have downloaded this program and have it installed you will need to register the program to get a serial number for it. Click here to register Avast! 4 Home Edition.
Housecall from Trendmicro.com
Here is a free online virus scanner to scan your computer with.
Spyware and Adware