Fighting Against Viruses

Another threat to your network's security is the virus. A virus is a self-replicating piece of software code. Because a virus can copy itself, it can easily (and unfortunately) spread from computer to computer.

Viruses can be spread on floppy disks and other removable storage media. If you take an infected disk out of a computer and place it in another computer, you have spread the virus. Computers can also become infected with a virus that spreads over the network because of infected shares.

The Internet also serves as a source of virus infection. Viruses can inadvertently be downloaded from the Internet. Viruses can also be spread via email messages.

Interestingly, many viruses do little more than copy themselves; not all are designed to format your hard drive or corrupt a certain file type. A lot of the viruses you run into are just elaborate jokes (although this does not make them any less annoying).

One of the first viruses I remember dealing with, back in my college days, was the Brain virus. Brain was (and still is) a boot sector virus that can load itself into the computer's memory (we will discuss the different types of viruses in a moment). Well, to make a long story short, Brain quickly spread to nearly every floppy disk being used on the college campus (this was in the days of 360KB, 5 1/4'' floppy disks). However, it was very easy to find the infected disks because the virus would change the volume name on the floppies to BRAIN. The virus really didn't do much more damage than that.

Although everyone fears viruses, many viruses don't do a whole lot more than replicate and spread. However, as the network administrator, it is your job to eradicate viruses wherever you find them, whether they are just jokes or are designed to wreak havoc on your network data.



Educating your users about the importance of network resources, and providing some training on how to use the network, should also head off some of the network meltdowns you face as a network administrator. If you have a problem user account, you can also audit logon attempts for that account if you suspect that someone other than the user is using it to access the network. Logon attempts can be audited in all of the major NOS environments. In Windows Server 2003, logon auditing is turned on through a security feature called Group Policy. Once auditing is enabled, unsuccessful logon attempts for your various users are recorded in the Event Viewer (discussed in Chapter 19).
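As an added example (mine, not the book's), here is a short Python script that does the kind of logon-audit review just described, run over a constructed export of Windows Server 2003 Security log events. The five-column comma-separated layout, the account names and the workstation names are all assumptions made for the demo and are not the real Event Viewer export format; the event IDs are the ones the Windows 2000/2003 Security log actually uses (528 and 540 for successful logons, the 529 through 539 family for logon failures). Besides counting failures per account, it flags the pattern the paragraph is worried about: a workstation that fails a few times in a row and then gets in, which is what a guessed password looks like in the log.

```python
"""Summarise logon failures from a (simplified) Windows Server 2003 Security log export.
Added example; the export below is constructed, not a real log."""
from __future__ import annotations

from collections import defaultdict

# Pre-Vista Security log event IDs: successful logons and the logon-failure family
# (536, a NetLogon service error, is deliberately left out).
LOGON_SUCCESS_IDS = {528, 540}
LOGON_FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 537, 539}

# Constructed sample, NOT a real export. Assumed columns: date,time,event_id,user,workstation.
SAMPLE_EXPORT = """\
# date,time,event_id,user,workstation
2003-03-10,08:02:11,528,jdoe,WS-FINANCE-01
2003-03-10,09:10:00,529,asmith,WS-SALES-03
2003-03-10,09:10:15,528,asmith,WS-SALES-03
2003-03-10,12:30:05,529,jdoe,WS-LOBBY-07
2003-03-10,12:30:19,529,jdoe,WS-LOBBY-07
2003-03-10,12:30:41,529,jdoe,WS-LOBBY-07
2003-03-10,12:31:02,528,jdoe,WS-LOBBY-07
2003-03-10,17:45:09,539,mlee,WS-SALES-03
"""


def parse_export(text: str) -> list[dict]:
    """Turn the five-column export into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, time, event_id, user, host = (field.strip() for field in line.split(","))
        events.append({"when": f"{date} {time}", "id": int(event_id),
                       "user": user.lower(), "host": host.upper()})
    events.sort(key=lambda e: e["when"])      # ISO date plus 24h time sorts correctly as text
    return events


def summarize_logons(events: list[dict], threshold: int = 3) -> dict:
    """Per account: failure count, whether it crosses the threshold, and any workstation
    that failed at least `threshold` times in a row and then logged on successfully."""
    failures: dict[str, int] = defaultdict(int)
    streak: dict[tuple[str, str], int] = defaultdict(int)   # consecutive failures per (user, host)
    guessed: dict[str, list[str]] = defaultdict(list)
    for e in events:
        key = (e["user"], e["host"])
        if e["id"] in LOGON_FAILURE_IDS:
            failures[e["user"]] += 1
            streak[key] += 1
        elif e["id"] in LOGON_SUCCESS_IDS:
            if streak[key] >= threshold:          # burst of failures, then success: guessed?
                guessed[e["user"]].append(e["host"])
            streak[key] = 0                       # a success ends the streak either way
    report = {}
    for user in sorted(set(failures) | set(guessed)):
        report[user] = {
            "failures": failures[user],
            "over_threshold": failures[user] >= threshold,
            "guessed_then_succeeded": list(guessed[user]),
        }
    return report


if __name__ == "__main__":
    for user, row in summarize_logons(parse_export(SAMPLE_EXPORT)).items():
        print(f"{user:8s} {row}")
```

A single mistyped password (asmith above) is normal and should not page anyone; three failures from a lobby kiosk followed by a success on the same account (jdoe) is the line worth following up on, and that is the one the script singles out.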

Now, I don't want to understate the fact that viruses can do a lot of damage to a computer system. Viruses can delete programs and files, and they can completely overwrite a hard disk. Infected files can also be backed up along with everything else you routinely back up on the network (say, from a file server). This means that after a disaster, you may have only infected data files to restore to your file server.

Viruses can even find the administrator's password and pass it on to someone outside the network. This person can then log on to the network as the administrator and do all sorts of damage. So, although many viruses are just annoying and take time and money to clean up, some viruses pose a serious security risk to the network.



Although many viruses are executable programs that, when launched, replicate and damage your computer system, other types of viruses (such as macro viruses) hide in a document or spreadsheet rather than in an executable file. If you open the file containing the virus, you infect your computer system.
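Here is an added example (mine, not the book's) of the kind of check an administrator, or a mail gateway, can run to spot a document that carries a macro project, the hiding place described above and in the Macro viruses entry later in this section. It is written in Python against the zip-based Office formats (.docx/.docm and friends). The sample documents are constructed in memory and are not real Office files; the part names it looks for (word/vbaProject.bin and so on) are the standard locations of the VBA project in those containers, and the "macro-hidden" verdict is a heuristic for a file whose extension promises no macros but which carries a VBA part anyway.

```python
"""Flag zip-based Office documents that carry a VBA macro project.
Added example; the sample documents are constructed and are not real Office files."""
from __future__ import annotations

import io
import zipfile
from typing import Optional

# Standard locations of the VBA project part inside OOXML (Office 2007+) containers.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that openly declare "this file may contain macros".
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def has_vba_project(data: bytes) -> Optional[bool]:
    """True/False for a zip-based Office file; None if the bytes are not a zip at all
    (legacy binary .doc/.xls, plain text, and so on)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    return any(part in names for part in VBA_PARTS)


def classify_document(filename: str, data: bytes) -> str:
    """Verdict for one file: not-ooxml, no-macros, macro-enabled or macro-hidden."""
    macro = has_vba_project(data)
    if macro is None:
        return "not-ooxml"          # needs an OLE2 parser, not this check
    if not macro:
        return "no-macros"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "macro-enabled"      # the extension says macros may be present
    return "macro-hidden"           # VBA inside a file whose extension promises none


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demo (layout only, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


def scan_samples() -> dict:
    """Classify a handful of constructed files and return name -> verdict."""
    samples = {
        "memo.docx": build_sample(False),
        "budget.docm": build_sample(True),
        "invoice.docx": build_sample(True),   # macro smuggled under a macro-free extension
        # OLE2 magic bytes: the Word 97-2003 binary format, which is not a zip
        "old_report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    }
    return {name: classify_document(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16s} {verdict}")
```

Note what the check does not do: Melissa-era .doc files are OLE2 binary containers, not zips, so it reports them as not-ooxml rather than pretending to inspect them; those you hand to a tool that parses the OLE container.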

Types of Viruses

A number of different virus types have evolved over the years. These different types of viruses have been classified based on how they infect a computer:

  • Boot sector viruses. Some of the first viruses were boot sector viruses. A boot sector virus typically spreads through infected floppy disks or other removable storage media, and the infection is helped along by user forgetfulness. If I place a boot sector virus-infected disk in my computer, nothing happens unless I reboot the system (say, by turning it off for the day and back on the next morning) and have forgotten to remove the infected disk from the floppy drive. On boot up, the computer tries to boot from the floppy, and the boot sector virus is loaded into the computer's memory. The virus can then infect the hard drive or any disk you place in the floppy drive once the computer is up and running. The Brain virus, discussed earlier, and the Exebug virus are both examples of boot sector viruses.



"Hip" computer terminology seems to propagate faster than a computer virus. Viruses, worms, and other types of software designed to mess up your computer (and everyone's computer, for that matter) are often called malware (malicious software).

  • File viruses. Although fairly uncommon now, file viruses infect an executable file such as an EXE or COM file (and remember that your operating system is made up of a bunch of executable files). When the infected file is run, the file virus is loaded into the computer's RAM and can then infect other executable files as they are run. One form of the file virus is the overwriting virus, which overwrites the executable file that it infects. Another form is the companion virus, which masquerades as a COM file with the same name as an EXE file on your system. When you type the program's name, the virus's COM file runs first, because DOS gives a COM file precedence over an EXE file of the same name; the virus does its thing and then starts the real EXE program, so you may never notice that the virus is on your system. Examples of file viruses are the Dark Avenger virus and the KMIT virus.

  • Macro viruses. The macro virus is a fairly recent virus type. Macro viruses are typically written in Visual Basic for Applications (VBA) code and infect documents and spreadsheet data files rather than executables. When an infected document is loaded into an application such as Microsoft Word, the virus code runs just like any other macro in that application. Another scary thing about macro viruses is that they are not operating system-specific: because Microsoft Excel runs on both a Macintosh and a Windows-based PC, a macro virus can spread between the two platforms if the infected Excel worksheet is shared. Macro viruses are also not confined to Microsoft applications and have popped up in other office suites, such as Lotus SmartSuite. An example of a macro virus is the famous Melissa virus, a Word macro virus that automatically spread itself via email.

  • Multipartite viruses. A multipartite virus has the characteristics of both a boot sector virus and a file virus. It can spread from the boot sector of one drive to another drive, and it can also attack executable files on the computer. Some multipartite viruses can even infect device drivers (such as the drivers for your network interface card). An example of a multipartite virus is Pastika. This virus is only activated on certain days of the month (typically the 20th and 22nd) and can overwrite your hard drive.
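To make the first two entries in the list concrete, here is an added Python example (mine, not code from the book) with two checks that correspond to them: parsing a 512-byte FAT12 boot sector, verifying its 0x55AA boot signature and comparing its volume label against a tiny set of known-bad labels (the BRAIN label from the story earlier in the chapter); and walking a directory for the NAME.COM/NAME.EXE pairs a companion virus leaves behind. The boot sectors and the directory are constructed for the demo. The label field it reads is the extended BPB field that DOS 4.0 and later write into the boot sector, so treat the label check as an illustration of how signature matching works rather than as a faithful Brain detector.

```python
"""Two checks for the virus types described above: a FAT12 boot sector check and a
companion (COM/EXE) pair finder. Added example; all sample data is constructed."""
from __future__ import annotations

import os
import struct
import tempfile
from pathlib import Path

BOOT_SIGNATURE = b"\x55\xaa"            # last two bytes of an x86 boot sector
# Assumption: a tiny stand-in for an antivirus definitions file. The book says Brain
# relabelled disks BRAIN; in the wild the label was "(c)Brain", so both are listed.
BAD_VOLUME_LABELS = {b"BRAIN", b"(c)Brain"}


def build_boot_sector(label: bytes, bootable: bool = True) -> bytes:
    """Construct a 360KB-floppy-style FAT12 boot sector for the demo (layout only, no boot code)."""
    sec = bytearray(512)
    sec[0:3] = b"\xeb\x3c\x90"          # JMP SHORT over the BPB, as real boot code has
    sec[3:11] = b"MSDOS5.0"             # OEM name
    # BIOS Parameter Block: bytes/sector, sectors/cluster, reserved sectors, FATs, root
    # entries, total sectors, media byte, sectors/FAT, sectors/track, heads, hidden, large total
    struct.pack_into("<HBHBHHBHHHII", sec, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0, 0)
    # Extended BPB (DOS 4.0+): drive, reserved, signature 0x29, serial, label, FS type
    struct.pack_into("<BBBI11s8s", sec, 36, 0, 0, 0x29, 0x12345678, label.ljust(11), b"FAT12   ")
    if bootable:
        sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def parse_fat_boot_sector(sector: bytes) -> dict:
    """Pull the fields a checker cares about out of a 512-byte FAT12/16 boot sector."""
    if len(sector) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    bytes_per_sector, = struct.unpack_from("<H", sector, 11)
    return {
        "jump_ok": sector[0] in (0xEB, 0xE9),      # real boot code starts with a jump
        "oem": sector[3:11].rstrip(b" "),
        "bytes_per_sector": bytes_per_sector,
        "label": sector[43:54].rstrip(b" "),       # 11-byte volume label in the extended BPB
        "fstype": sector[54:62].rstrip(b" "),
        "has_boot_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_boot_sector(sector: bytes) -> str:
    """Signature-style verdict: known-bad label first, then basic sanity of the sector."""
    info = parse_fat_boot_sector(sector)
    if info["label"] in BAD_VOLUME_LABELS:
        return "infected:volume-label"
    if not info["has_boot_signature"] or not info["jump_ok"]:
        return "suspicious:malformed"
    return "no-known-signature"


def find_companion_pairs(directory: str) -> list[tuple[str, str]]:
    """Return (com, exe) pairs that share a base name in one directory: the companion
    virus pattern, because DOS runs NAME.COM before NAME.EXE when you type NAME."""
    by_stem: dict[str, dict[str, str]] = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file():
                stem, ext = os.path.splitext(entry.name.upper())
                by_stem.setdefault(stem, {})[ext] = entry.name
    return [(exts[".COM"], exts[".EXE"]) for _, exts in sorted(by_stem.items())
            if ".COM" in exts and ".EXE" in exts]


def demo() -> dict:
    """Run both checks on constructed input and return the verdicts."""
    results = {
        "data_disk": check_boot_sector(build_boot_sector(b"DATA_DISK")),
        "brain_disk": check_boot_sector(build_boot_sector(b"BRAIN")),
        "no_signature": check_boot_sector(build_boot_sector(b"BACKUP", bootable=False)),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("EDIT.EXE", "EDIT.COM", "WP.EXE", "README.TXT"):
            Path(tmp, name).write_bytes(b"")       # contents are irrelevant to the name check
        results["companions"] = find_companion_pairs(tmp)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

A COM/EXE pair is a lead, not a verdict: some legitimate DOS-era programs shipped both. The point of the check is to turn the "COM runs first" rule into something you can actually run over a directory, and to compare the dates and sizes of any pair it turns up.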

The actual number of viruses "in the wild" (meaning those found on business computers and networks) at any one time varies, but in general the number is increasing, and the number of macro viruses is definitely on the rise. At the time this book was written, the PE_LOVGATE.J virus was a medium threat to PCs running Windows and spread via shared network drives and email. Another example of recent malware is the WORM_KWBOT.C worm, which can damage files on PCs running Windows. Let's take a look at worms and Trojan horses and how they can threaten your network's security and resources, and then we can look at some strategies for protecting against virus infections.

Worms and Trojan Horses

Not all software-based threats to the network come in the form of viruses. There are also two other wonderful products from those demented folks who brought us computer viruses: worms and Trojan horses.

A worm is a program that spreads itself from computer to computer across a network. Unlike a virus, it doesn't need a host file or a user to activate it; it just spreads all by itself. A worm can be devastating on a worldwide network such as the Internet because it can quickly spread throughout the entire network. Worms are typically platform-specific and exploit some weakness in a particular operating system. For example, the Linux.Ramen worm only spreads among computers running Red Hat Linux.

A Trojan horse (or just Trojan, as it is often called), on the other hand, is a program that appears to be perfectly benign, such as a screensaver or a game. For example, the HAPPY99.EXE Trojan horse, when executed, shows a nice little fireworks display on your screen and then immediately uses the addresses found in your computer's email client to send off copies of itself (this is similar to how the Melissa virus spread).

One of the earliest Trojans was the AIDS Information Disk Trojan, which was actually a disk mailed to medical establishments as an AIDS-awareness product. After being run, it created hidden directories on the computer's hard drive and eventually encrypted the names of the files on the drive, making it unusable.

One of the biggest threats related to Trojans is that some open a backdoor on the infected machine that gives an outsider complete access to it. This means that the cracker who controls the Trojan can do anything he likes with your computer. He can even use it to help perpetrate a denial of service attack, generating excess traffic aimed at a particular Web site. Denial of service attacks are discussed later in the chapter, in the section "Protecting a Network from Outside Attack."



For a great site containing information on viruses currently found in the wild, check out F-Secure's site. F-Secure, which hosts the site, also provides a range of network security products. Another good place to look for information related to viruses is the SANS Institute, which provides information on viruses and other network security issues.

Virus Protection

Protecting a network against viruses, Trojans, and worms requires two major efforts on the part of the network administrator. First, you need to draw up a virus protection plan. Then, once the plan has been created, you need to implement it.

Any anti-malware plan should include a list of rules that your users need to follow to keep the network safe from infection. These rules might include no disks from home and no personal email on the company's email system. You might also have to forbid file downloads from the Internet.

Although these rules might seem a little harsh, many companies have even more draconian behavior guidelines for their computer users. What's more, many companies have very harsh punishments for employees who don't follow the rules, including dismissal (which is probably because giving an employee a good flogging just isn't an option anymore). What a user does on his home computer is his business. But when you have users on a network, where the very lifeblood of the company is the data stored on the network, you really have to lay down the law as far as the rules for network computer use.

You also need to educate your users and provide them with a general overview of what a virus is and what it can do to the network. If users worldwide had been a little more savvy, the Melissa virus might not have been able to spread so quickly across the entire globe. Although educating your users about the threat of viruses might lead to some employees crying wolf every time their computers slow down a little, having an aware user base might help you nip virus infections in the bud before they become a huge problem.

Your plan also needs to include the installation and maintenance of virus protection software. A number of companies provide antivirus software: Symantec (the maker of Norton AntiVirus), McAfee, and Dr. Solomon's, just to name a few.

Antivirus software can be configured to protect client computers and network servers from infection. Most antivirus software can be configured so that a disk placed in a floppy drive is checked for viruses the moment a user slides it into the drive.



Because many antivirus companies provide their software in trial and shareware versions, you should test the different possibilities to make sure they will work for your particular network implementation. Setting up a test lab before implementing any type of new software is a good idea.

Antivirus software can come in a standalone version that must be installed on every computer or in a network version that runs whenever a computer boots up to the network. Some software companies that sell antivirus software also provide Web-based antivirus applications that check a computer for viruses. Figure 20.8 shows Norton Antivirus checking a computer for viruses.

Figure 20.8. Antivirus software checks a computer's drives and memory for virus infections.


Because new viruses and other malware are popping up all the time, your antivirus software has to be able to deal with the latest and greatest virus threat. This is done by downloading virus definition (signature) updates that let the antivirus software recognize new viruses and repair the damage they have done. Periodically checking for definition updates, ideally on an automatic schedule rather than when someone remembers, should be part of your overall antivirus plan.



Viruses seem to pop up almost as fast as new computing platforms. Even handheld computers, such as those running the Palm OS, are not free from possible computer virus infection. A number of antivirus software manufacturers, including Computer Associates, now offer antivirus software for the Palm OS. For more about handheld computers, see Chapter 17, "Networking on the Run."

Source: Absolute Beginner's Guide to Networking (4th Edition), Joe Habraken, 2002. ISBN: 0789729113.