4.0 Virus Control
Copyright(c), 1996 - Management Analytics and Others - All Rights Reserved
4.1 Background on Viruses
Government computers have been exposed to virus-type programs for
a number of years. A virus is a quickly spreading program that
"infects" other programs by modifying them to include a copy of
itself. Once activated, the program can cause various
detrimental effects to normal system operation. The impact can
range from the annoying, such as displayed messages, to the
damaging, such as destruction of data and software or damage to
the operating system itself.
Worms are virus-like programs that spread through a system by
copying themselves from one location to another. Worms do not infect
other programs as viruses do, but they can compete for computing
resources with other programs, as occurred with the
notorious DECnet worm. A Trojan Horse is a program that
masquerades as a useful program but does something malicious.
This program does not replicate or infect other programs. The
effects on a system are akin to those of viruses.
4.1.1 Virus Problems
The primary reason viruses are such a problem is the
vulnerability of IS resources. Safeguard programs take time to
run, and many users are in too much of a hurry to wait. Another
reason for a virus's spread is that users often simply are not
aware of the virus's presence until it is too late. This is true
for both stand-alone and networked computers.
Generally, there are two main classes of viruses. The first
class consists of the FILE INFECTORS which attach themselves to
ordinary program files. These usually infect executable files.
The second category is SYSTEM or BOOT-RECORD INFECTORS: those
viruses which infect executable code found in certain system
areas on a disk which are not ordinary files.
On DOS-based systems, there are ordinary boot-sector viruses,
which infect only the DOS boot sector, and MBR viruses, which
infect the Master Boot Record on fixed disks and the DOS boot
sector on diskettes. Examples include Brain, Stoned, Empire,
Azusa, and Michelangelo. Such viruses are always resident
viruses. Finally, a few viruses are able to infect both (the
Tequila virus is one example). These are often called
MULTI-PARTITE viruses or BOOT-AND-FILE viruses.
4.1.2 Virus Symptoms
There are various symptoms which indicate a virus is present.
Symptoms include messages, music and graphical displays.
However, the main indicators are changes in file sizes and
contents.
VIRUS INFECTION INDICATORS
- Odd system behavior
- Decrease in system response
- Memory reduction
- Change in size or date of files
- Application program failures
- Alteration of commands
- Unusual error messages
- System down time increase
- System slowdown
- Consistent output loss
- Unusual noises or tones
- Increase in bad sectors
- Program failures
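The main indicators named above are changes in file size, date and contents. The following added example (not code from the NRL handbook) shows a baseline comparison that reports exactly those three indicators per file; the "before" and "after" disk contents and their dates are constructed for the demonstration.

```python
# Added example, not from the NRL handbook: compare a file baseline against a
# later snapshot and report size, date and content changes. All file data and
# modification times below are constructed (times are plain integers).
import hashlib

def snapshot(files):
    """Build {path: (size, mtime, sha256)} from {path: (bytes, mtime)}."""
    return {p: (len(d), m, hashlib.sha256(d).hexdigest())
            for p, (d, m) in files.items()}

def compare(baseline, current):
    """Return [(path, reasons)] for baseline files that are missing or changed."""
    findings = []
    for path, (size, mtime, digest) in baseline.items():
        if path not in current:
            findings.append((path, ["missing"]))
            continue
        cur_size, cur_mtime, cur_digest = current[path]
        reasons = []
        if cur_size != size:
            reasons.append(f"size {size}->{cur_size}")
        if cur_mtime != mtime:
            reasons.append("date changed")
        if cur_digest != digest:          # catches in-place changes of equal size
            reasons.append("contents changed")
        if reasons:
            findings.append((path, reasons))
    return findings

# Constructed disk contents when the baseline was taken.
BEFORE = {
    "COMMAND.COM": (b"\xe9\x10\x00" + b"\x90" * 64, 100),
    "WP.EXE": (b"MZ" + b"\x00" * 200, 100),
    "LETTER.TXT": (b"Dear colleague,", 100),
}
# Same disk later: COMMAND.COM grew by an appended block but kept its date,
# WP.EXE changed in place with no size change, LETTER.TXT was edited normally.
AFTER = {
    "COMMAND.COM": (BEFORE["COMMAND.COM"][0] + b"\xcc" * 512, 100),
    "WP.EXE": (b"MZ" + b"\x01" + b"\x00" * 199, 100),
    "LETTER.TXT": (b"Dear colleague, thank you", 250),
}

if __name__ == "__main__":
    for path, reasons in compare(snapshot(BEFORE), snapshot(AFTER)):
        print(f"{path}: {', '.join(reasons)}")
```

A size-only check would miss WP.EXE, and a date-only check would miss both program files; only the content hash flags every case, at the cost of also reporting legitimate edits such as LETTER.TXT.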
4.1.3 NISE EAST (NAVCIRT) Virus Protection Toolbox
The NRL IS Security Office supplies users with an application
program called NISE EAST Computer Security Toolbox V3.0. This application
program is authorized by NISE EAST and contains VIRSCAN, a viral
signature scanning program created and distributed by NORMAN ARMOUR. It is
a command-line program that scans MS-DOS-based systems and
compatible disk drives for the presence of viral signatures.
To accomplish this objective, VIRSCAN uses the database of viral
signatures contained in two files on its diskette. The two files
are VIRSIG.LST and ADDENDA.LST. VIRSCAN can only identify viral
signatures for known computer viruses whose signatures have been
entered into its signature database. VIRSCAN may produce
occasional false alarms, but this is preferred over not reporting
possible infections.
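To make the signature-scanning approach concrete, here is an added example (not the NRL handbook's or VIRSCAN's own code) of a minimal scanner that loads a signature database from two list files and searches each file for the known byte patterns. The list layout, the signature names and byte patterns, and the sample files are all constructed for the demonstration; the patterns are arbitrary and are not real virus signatures.

```python
# Added example (not the NRL handbook's or VIRSCAN's own code): a minimal
# signature scanner of the kind the text describes. The signature lists and
# sample files are constructed; the byte patterns are NOT real virus signatures.

# Constructed signature database in an assumed VIRSIG.LST-like layout:
# one signature per line, "NAME  HEX-BYTES"; '#' starts a comment.
VIRSIG_LST = """
# name        signature bytes (hex)
SAMPLE-A      DE AD BE EF 4F 4B
SAMPLE-B      55 AA 13 37 C0 DE
"""
ADDENDA_LST = "SAMPLE-C      CA FE F0 0D 00 01\n"

def load_signatures(*lists):
    """Parse one or more signature lists into {name: bytes}."""
    sigs = {}
    for text in lists:
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            name, *hexbytes = line.split()
            sigs[name] = bytes.fromhex("".join(hexbytes))
    return sigs

def scan_file(data, sigs):
    """Return [(signature name, offset)] for every match in data."""
    hits = []
    for name, pattern in sigs.items():
        off = data.find(pattern)
        while off != -1:
            hits.append((name, off))
            off = data.find(pattern, off + 1)
    return sorted(hits, key=lambda h: h[1])

def scan_files(files, sigs):
    """Scan a {path: bytes} mapping; report only files with at least one hit."""
    return {p: h for p, d in files.items() if (h := scan_file(d, sigs))}

# Constructed sample "disk": a clean program, a program carrying SAMPLE-A,
# and a data file that happens to contain SAMPLE-B's bytes (a false alarm).
SAMPLE_FILES = {
    "CLEAN.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 32,
    "INFECT.COM": b"\xe9\x20\x00" + b"\x00" * 32 + bytes.fromhex("DEADBEEF4F4B"),
    "REPORT.DAT": b"\x00" * 16 + bytes.fromhex("55AA1337C0DE") + b"\x00" * 8,
}

if __name__ == "__main__":
    sigs = load_signatures(VIRSIG_LST, ADDENDA_LST)
    for path, hits in scan_files(SAMPLE_FILES, sigs).items():
        print(path, hits)
```

The REPORT.DAT hit shows why a short fixed pattern can produce the occasional false alarm the text mentions, and why such a scanner can only ever report signatures already present in its database.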
4.1.3.1 User Toolbox Requests
Upon receipt of a user request for Toolbox 3.0 and a blank floppy disk, the IS Security
Office will diskcopy the master Toolbox disk from NISE EAST. A
label with the following message will then be placed on the disk,
along with a write-protection tab.
NISE EAST Computer Security Toolbox 3.0
Type: install
U.S. Government Property
(for Government computers only)
The user's code will be placed on the label in the upper right
corner. The new disk, a copy of the Department of the Navy
authorization letter, and the NRL IS Security Group Virus
Protection Memo will then be sent to the user.
4.1.4 Virus Reporting (Stand-Alone Systems)
A computer virus infection is a reportable security incident.
Department of the Navy (DON) policy requires that each formal
computer security incident be reported by the NRL IS Security
Office to the Naval Computer Incident Response Team (NAVCIRT) as
soon as possible.
If a virus or a suspected virus is detected by a user at NRL,
take the following actions:
- 1. Notify your ADP System Manager and the ADP Security
Office of the infection and take the necessary actions to
minimize the spread of the virus within your activity.
- 2. Notify all activities that may have received infected
diskettes or network files from your activity. Everyone
concerned must know about the virus so that it may be stopped and
removed.
- 3. If possible, capture samples of the virus(es) on diskette
(no more than 1 diskette per virus). Forward them with the
information in paragraph 5 below via your ISSM for analysis to
the NRL IS Security Office, Code 1220.2
- 4. Use Toolbox or a commercial antiviral software to remove
the infection.
- 5. Provide the following information to NRL IS Security
Office via your ISSM.
- a) Name of the virus
- b) How the virus was first detected and identified
- c) Damage or observations resulting when the virus
triggers
- d) Damage caused to your systems, if any
- e) Source of the virus, if known
- f) Other locations, within or outside of your activity,
possibly infected as a result of sharing infected media or files
- g) Number and types of systems infected (i.e. hard disks and
servers)
- h) Number of floppy diskettes infected (approximate)
- i) Method of clean-up (removal software, format disk, etc.)
- j) Number of work hours expended to remove the infection
(approximate)
- k) Your name, phone and location
The ADP Security Office will make an immediate and thorough
investigation of all virus infections reported.
4.1.5 Prevention
Scan all disks before they are used. Be cautious of all newly
acquired software. Check new software for infection before it is
run for the first time. Never boot from an unprotected diskette.
Back up files and programs. Watch for unusual operation
indicators. Use virus detection software.
4.2 Network Virus Protection
Networks at greatest risk of virus-like infections (worms, etc.) are those running UNIX
and PC-DOS, loosely administered networks, networks which permit
dial-up access, homogeneous networks where most systems employ
the same operating system or hardware, and open networks which
allow any organization to be connected. Defense organizations
such as NRL need to be concerned not only because of the
potential damage a virus might cause, but also because of
potential news media attention and organizational oversight.
4.2.1 Network Protection Precautions
System administrators can take a number of steps to minimize the
potential for a virus attack.
- 1. Change passwords frequently
- 2. Prohibit the introduction of any unapproved software
- 3. Continuously monitor and investigate performance
utilization changes or other unusual activities
- 4. Continuously update and maintain access controls and
integrity measures
- 5. Maintain updated program and operating system access
- 6. If possible, restrict write access to particular data
objects on an individual basis
- 7. Train users to report unusual behavior or results
immediately
- 8. Ensure remote diagnostic lines are only connected when
needed
- 9. Set system software defaults in positions which reduce
potential security vulnerabilities
4.2.2 Incident Response Activities (Network Virus/Worm Attack)
While NRL is seldom the identifying organization, incidents
involving self-replicating computer viruses in computer systems
and networks have underscored the need for NRL-wide coordination
and support. When a network virus is discovered on Milnet,
Arpanet, or NSFnet, the Naval Computer Incident Response Team
(NAVCIRT) will immediately advise all Navy organizations of its
existence and suggested actions.
The IS Security Office will work closely with other federal
agencies to coordinate identification and response efforts when
acute computer network security incidents of this type are
detected. The IS Security Group will ensure suggested NAVCIRT
corrective actions are implemented. Upon initial discovery of a
previously undetected network-related virus infection, the NRL
IS Security Office will contact NAVCIRT immediately to formulate
a combined response.
4.3 Recovering Essential Resources
If you believe that your computer is infected with a virus -
DON'T PANIC! Sometimes a badly thought-out attempt to remove a
virus will do much more damage than the virus could have done.
If you are not sure what to do, leave your computer turned off
until you contact the NRL IS Security Group to remove the virus
for you. Viruses can be extremely unforgiving unless they are
removed correctly.
4.4 Follow-up
Even if a virus is properly removed, damage is often done to the
application software to which the virus attached itself. The
best approach when eliminating a virus infection is to reinstall
the program from the trusted master after removal.