Computer viruses: checklist for recovery.
Whether you like to admit it or not, computer viruses, trojan horses, worms, etc., are now a very real threat in our computing world. Because of the possible damage that can occur because of an infection, every company using computers needs to assess the dangers, plan for the best defense, and execute that defense plan. But because no defense plan can guarantee that an infection will not occur, everyone needs to know how to recover in such a way that the possibility of being reinfected is minimized. Even a good recovery plan is not a guarantee, but it is certainly better than a poor recovery plan or no plan at all. The purpose of this article is to suggest a step-by-step method to recover from an infection.
Are You Infected?
First, you must be able to tell whether you've been infected by a computer virus. Sometimes the signs are obvious. After watching an interesting display of computer graphics, your terminal may suddenly display the message, "Got'cha-all your files have been deleted." Or you may find that your hard disk has been reformatted.
But sometimes the signs are less obvious. Suspicious access to your hard disk through a game of some sort, deleted files, larger than normal numbers of bad sectors on your hard disk, the inability to load a program into memory, or programs taking much longer than usual to load: these are also symptoms of an infection.
But whatever the signs, if you suspect a virus attack, then take the time to investigate further and/or undertake a recovery. Your problems may stem from an aging hard drive, but it's worthwhile just making that determination.
The following checklist is designed to guide you through an orderly recovery process. You would be wise to "practice" recovering your system before it becomes a necessity. But even if your first run through is for real, you should find the instructions clear and easy to follow.
Please note that this checklist is geared to IBMs and compatibles with hard disks. But it should work with other machines; try it and see.
Step 1. Don't panic! You can, and you will, recover from this infection. Breathe deeply and read these instructions through all the way to the end. If you have any questions about these procedures or would prefer to have a professional assist you or perform the recovery for you, give the author a call.
Step 2. Turn off your computer and all associated peripherals. This stops the spread of viruses from your machine and removes any memory-resident viruses. Do not reboot your system using Control-Alternate-Delete, since that can give control of the system to a command.com virus, plus a warm boot does not necessarily remove memory-resident viruses.
Step 3. Disconnect all data transfer lines. Only peripheral devices absolutely necessary for the operation of the computer (and possibly a printer directly connected to the computer) should remain connected. This prevents further infections from coming in or going out.
Step 4. Be sure you have everything you will need to assist in this process before proceeding:
* most recent back-up(s) of your system
* original manufacturer's diskettes for the software on your system
* empty diskettes or back-up tapes (enough to back up your hard disk twice)
* utility software
* antiviral software/hardware
Note: All references to running software in the remaining portions of this checklist always refer to using the original manufacturer's diskette. If some of the software packages that you're running are unofficial copies of copyrighted software, you should take the time and expense to purchase clean copies. While manufacturer's diskettes are not guaranteed to be clean, it is usually safe to assume that they are virus-free.
Step 5. Write-protect all diskettes to be used in this recovery other than those that will be used in backing up the hard disk.
Step 6. Turn on your machine with the original operating system diskette in the floppy drive. This is done so that an operating system type of virus will not have control of your system as you proceed through the recovery steps.
Step 7. Execute the command (for DOS users) CHKDSK C: /V > C:CHKDSK.LST or directly to your printer using > PRN. This will produce a list of all directories and files including volume labels. Review this list for any strange volume labels such as "BRAIN" or any unknown files.
Take the time to scan the boot sector of your hard disk using a utility such as Norton's Advanced Utilities or Mace Gold, again looking for strange data. Also, use a utility such as the Mace Htest/Hformat or a diskette supplied by the manufacturer of your hard disk to run a diagnostic test to determine if your problems could be due to a failing disk. Obviously, if you have one of the more graphic indications of a virus, like "Got'cha...," you may choose to skip this step, but why not see if there are any hardware-related problems you should know about?
Step 8. Back up your hard disk onto new media and seal the back-ups to prevent accidental use. You may wish to send these back-ups to a company dealing with viruses to try and uncover the perpetrator of this crime, or you may need to use these back-ups to assist in recovering a clean system if your other back-ups are found useless for whatever reason.
If you do not have other recent back-ups, you might wish to separate this step into two distinct back-ups: one for data and other nonexecutable files, and the second for executable files, including *.exe, *.com, *.bat, overlays, etc. The CHKDSK list produced in Step 6 will aid you immensely in this.
Step 9. Perform a low-level format on the infected disk using a utility such as the Mace Htest/Hformat or by following the instructions supplied by the manufacturer of your hard disk. Some viruses have been known to resist the DOS FORMAT command, so a low-level format is required.
At this time you may wish to install a hardware write-protect device for your PC's hard disk. As of this writing, there is only one patented device of this type; it is called Disk Defender and is supplied by Director Technologies, Inc. Ross M. Greenberg of Software Concepts Design is also working on a hardware board.
Recover the initial disk configuration using the FDISK and FORMAT commands or follow the instructions specific to your hardware. Execute the CHKDSK command again and make note of the number of bad sectors. You will probably want to monitor this value in the future.
Step 10. Execute the SYS command and transfer your operating system back to your hard disk. However, continue using the write-protected diskette until you're finished with this recovery procedure.
Step 11. Restructure your directories and subdirectories.
Step 12. Restore all software packages from the original manufacturer's diskettes. Do not restore any shareware or "borrowed" software at this time, whether the source is a good friend or a trusted bulletin board or shareware supplier. These files will be restored last.
Step 13. For software developed in-house, review the applicable source code to be sure no one has hardcoded a virus. If all is in order, recompile and relink the programs to the appropriate directory. Restore the source code as well.
Step 14. Check the remaining data files for consistency to ensure that no data manipulations have occurred. While there is no viral danger associated with data files, data can be corrupted and rendered useless. Transfer these files to the system once you are comfortable with them. If the data's consistency cannot be guaranteed, use only the most recent back-up in which consistency can be verified.
Step 15. Execute the CHKDSK command again as specified in Step 6. Compare the results of the two. What should be missing from the CHKDSK just performed are any files associated with your shareware or "borrowed" software for which you do not have original master diskettes. If there are any executable files still unknown to you, be extremely cautious with them. Do not restore any of these remaining files at this time.
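As an added illustration (not part of the original checklist), the following Python script compares the two CHKDSK /V listings produced in Step 7 and Step 15: it flags a strange volume label such as "BRAIN", lists the executables from the pre-recovery listing that were not restored (the shareware and "borrowed" programs still awaiting evaluation), reports any file present afterwards that was not there before, and pulls out the bad-sector count to monitor per Step 9. The two listings are constructed in the shape of CHKDSK /V output and stand in for the CHKDSK.LST files you would have saved.

```python
# Extensions the checklist treats as executable (Step 8): *.exe, *.com, *.bat, overlays.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".ovl"}

# Constructed sample listings in the shape of CHKDSK /V output; not real output.
BEFORE = """\
Volume BRAIN created 02-11-1988 12:00p
Directory C:\\
C:\\COMMAND.COM
C:\\AUTOEXEC.BAT
Directory C:\\GAMES
C:\\GAMES\\DUNGEON.EXE
C:\\GAMES\\README.TXT
C:\\DATA\\LEDGER.DAT
   16384 bytes in bad sectors
"""
AFTER = """\
Volume SYSTEM created 03-01-1988 09:15a
Directory C:\\
C:\\COMMAND.COM
C:\\AUTOEXEC.BAT
C:\\DATA\\LEDGER.DAT
    8192 bytes in bad sectors
"""

def parse_listing(text):
    # Returns (volume label, set of full file paths, bytes in bad sectors).
    label, files, bad = None, set(), 0
    for line in (l.strip() for l in text.splitlines()):
        if line.lower().endswith("bytes in bad sectors"):
            bad = int(line.split()[0])
        elif line.upper().startswith("VOLUME ") and " created " in line.lower():
            label = line.split()[1].upper()
        elif line[1:3] == ":\\":  # "C:\DIR\FILE.EXT" lines; "Directory C:\" lines are skipped
            files.add(line.upper())
    return label, files, bad

def is_executable(path):
    name = path.rsplit("\\", 1)[-1]
    return "." in name and name[name.rfind("."):].lower() in EXECUTABLE_EXTS

def compare_listings(before, after, expected_label):
    # Step 7: strange label?  Step 9: bad sectors to monitor.  Step 15: what is left over.
    label_b, files_b, bad_b = parse_listing(before)
    label_a, files_a, bad_a = parse_listing(after)
    return {
        "strange_label_before": label_b != expected_label.upper(),
        "awaiting_evaluation": sorted(p for p in files_b - files_a if is_executable(p)),
        "unexpected_after": sorted(files_a - files_b),
        "bad_sector_bytes": (bad_b, bad_a),
    }
```

Anything in "unexpected_after" should not exist on a freshly rebuilt disk and deserves the same caution as the unknown executables in Step 15.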
Install Antiviral Software
Step 16. Install and execute antiviral software at this time. While the results of independent testing are not yet in, there are several products that are strong candidates: ComNETco Inc., InterPath Corp., Software Concept Designs, and Digital Dispatch, Inc. all have software to assist in virus detection, but none are foolproof. As reported in the August-September 1988 issue of Computer Virology (produced by Director Technologies, Inc.):
Since there is no memory protection hardware on the IBM XT/AT type computers, ANY program can talk directly to the registers of the disk controller circuit board and WRITE ON THE DISK without using any part of the DOS operating system! NO system calls; NO software interrupts; NO BIOS calls. A program can write directly to the disk without the DOS system even running.
So use the software of your choice, but do not be lulled into a false sense of security. The software will help, but it cannot guarantee complete protection. (For a survey of more than twenty-five software/hardware developers with antiviral products, contact the author.)
Step 17. Execute as many of your programs as possible, ten to fifteen times each. This repetition is necessary as most viruses do not necessarily activate on the first few executions. If no suspicious activity is highlighted and no unusual disk activity or degradation is observed, then your system is probably clean, but there is no guarantee.
Step 18. For the remaining software outlined in Step 15, some testing should be done prior to restoring it to your system. One way of checking for signs of a virus is to decompile the program in question and look for strange text strings, such as "Welcome to the Dungeon." But *.bat files also need to be reviewed as well as source code, since viruses can be hidden in these.
Another method is to isolate the program to be tested on a diskette with something like the Canary program from Sophco, Inc. Best done on a diskette-only system or on a system with a fully write-protected hard disk, the questionable program is executed the prescribed ten to fifteen times while executing Canary in between each repetition. If Canary responds properly and no other suspicious activity has occurred, the software is as safe to transfer to your system as the software on the original master diskettes. But once again, this is not a guarantee.
Step 19. Back up your hard disk at this time to have a complete picture of your clean system. If you become reinfected, you'll want to examine this back-up very closely.
Step 20. If your PC had been connected to a network, all other users of the network must be notified of the infection and should assume their machines and the network servers are infected. Tell them how you recovered and where to get a copy of this checklist to guide them in the recovery process. (Reprints are available from the author.)
You should use caution in reconnecting to the network until all other connected PCs are cleaned. You may wish to consider connecting to the network only when necessary. This would lessen the possibility of infections. If you had installed shareware or copies of software from friends, inform the source of your infection and how you recovered. It can only help to lessen the possibility of future infections.
Step 21. Mark any back-up diskettes and/or tapes not created in this recovery process as needing evaluation prior to use. All files, whether data or executable, should be regarded with caution and evaluated using the procedures stated above before being restored for any reason. You have no idea whether your previous back-ups contain infected files or not, so play safe and assume they are infected.
If you do not have back-ups because you "don't do back-ups," make up your mind now to change this bad habit. If your data and programs are important, you must have back-ups.
Step 22. If it is at all possible, send the back-up copy you made in Step 8 to an antiviral company for evaluation. This evaluation may lead to the uncovering of the virus's creator, and it may lead to better antiviral measures. (Contact the author if you need assistance in this area.)
Step 23. Now that you've recovered your system (or have practiced doing so), you should determine if your protection plan is adequate or if there are other steps to take to make sure your system is as secure as practical. It makes sense to modify this checklist to meet the needs of your environment. You need to fine-tune this checklist so that it will be of greater assistance to you. The ultimate defense against a viral infection is your ability to recover and restore a functioning system with a minimal loss of data, time, and hardware.
There are many other preventative measures you can and should consider using. But that is the topic for another article (or you may contact the author directly). Your comments about this article are also appreciated.