ZDNet UK



Is that a virus, or a malfunction?

Faithe Wempen

Published: 28 Oct 2002 18:03 GMT


Today's PC viruses, Trojan horses, worms, and blended threats can cause run-of-the-mill Windows or application problems, out-of-memory errors, intermittent failures to fully start up, or installation or operation problems with applications. But these symptoms could also be caused by typical hardware or software malfunctions, making diagnosing the problem a bit tricky. Here are some suggestions for determining if a PC has a virus.

Types of infections

In the "olden days," there were only a couple of types of viruses. One type would infect .exe files, adding a foreign string to them so that when they executed, the virus would run and do its dirty work. Another type would travel from PC to PC via floppy disk, hidden in the boot sector, and when a PC was booted from an infected floppy, the virus would copy itself to the boot sector of that PC.

These viruses still exist but are nowhere near as common as the newer varieties. Some people would argue that the newer ones are not really "viruses" per se, because they lack some of the defining characteristics of viruses, such as the ability to attach themselves to a program file or infect the system area of a disk. Some of the common virus types out there today (and permit me to use the loose, generic definition of virus in this article) include the following:

  • Trojan horse: This is a program that appears to do something useful but actually delivers a harmful effect, such as opening up a security hole, spreading itself via e-mail, or deleting or damaging files.
  • Worm: This is a program that spreads by making copies of itself. It may or may not do any additional harm.
  • @m: A "mailer" is a type of worm that attaches itself to e-mail that a user sends.
  • @mm: A "mass mailer" is a type of worm that automatically sends itself to multiple addresses from a user's address book.
  • Back door: This is a program that sends information back to its creator about the infected system, making it easy for that person to hack into the infected system and take control of it or read sensitive data.
  • Blended threat: This is a combination of infection types in a single item. For example, a worm that infects a boot sector, deletes important files, and/or opens a security back door would be a blended threat.

Most of the viruses circulating at this writing are blended threats, so they don't neatly fall into any one category. This also makes them more dangerous, easier to spread, and more difficult to eradicate.

You probably have a virus if...

The symptoms in the bulleted list below are rarely caused by anything except a virus, so if you detect any of these issues on an end user's PC, you should feel confident in suspecting virus infection.

  • The user received an e-mail with an odd attachment and opened it with unexpected results, such as the appearance of odd dialog boxes or a sudden degradation in system performance.
  • There is a double extension on an attachment that the user recently opened, such as .jpg.vbs.
  • An antivirus program is disabled for no apparent reason (perhaps with an X through its icon in the notification area), and it cannot be enabled. The system may also report an error condition.
  • An antivirus program will not install on the PC (or appears to install, but then will not run), but other programs will.
  • Odd dialog boxes or messages appear onscreen.
  • Several files are missing, especially those of a common type. For example, some viruses have a side effect of deleting all graphic files of a particular type.
  • Someone tells the user they have recently received strange e-mails from them containing random attached files or a virus.
  • The PC starts performing actions seemingly on its own, like moving the mouse pointer, opening or closing windows, running programs, or opening and closing the CD tray. This is a symptom of someone actually using a back door to operate the PC, rather than a symptom of the existence of the back door.
  • You notice the presence of new users with full security permissions that you know you did not create, or you notice inappropriate permissions assigned to existing users. Again, this is more often a symptom of back door hacking than virus infection.
  • The mouse pointer changes to some different graphic.
  • Odd icons appear on the desktop that the user did not place there, although the user has not installed any new applications lately that could have placed them there.
  • Strange sounds or music plays from the speakers for no apparent reason.
  • File sizes or date/time stamps have changed on files that the user knows he or she did not alter.
  • A program that was used successfully recently has disappeared, and the user knows that he or she did not uninstall it.

Tip -- make it easier to see double-extensions

It's much easier to spot double-extension files if the display of extensions for known file types in Windows is turned on. To do that, choose Tools, Folder Options, and deselect the Hide Extensions For Known File Types check box on the View tab.
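The double-extension symptom can also be checked across a list of attachment or file names rather than by eye. The following is an added example, not part of the original article: the two extension lists are assumptions chosen for illustration (the article names only .jpg.vbs), and the sample names are constructed.

```python
from pathlib import PureWindowsPath

# Assumed extension lists for illustration; the article names only .jpg.vbs.
RUNNABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
            ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk"}
DECOY = {".jpg", ".jpeg", ".gif", ".bmp", ".png", ".txt",
         ".doc", ".xls", ".pdf", ".mp3", ".avi", ".zip"}

def _basename(name):
    # Drop any folder part; Windows ignores trailing dots and spaces.
    return PureWindowsPath(name).name.rstrip(" .")

def double_extension(name):
    """Return (decoy_ext, real_ext) when a harmless-looking extension is
    followed by one Windows will run, otherwise None."""
    parts = _basename(name).lower().split(".")
    if len(parts) < 3:
        return None
    decoy, real = "." + parts[-2].strip(), "." + parts[-1].strip()
    return (decoy, real) if real in RUNNABLE and decoy in DECOY else None

def shown_when_hidden(name):
    """Name as listed when the final extension is hidden (assumes that
    extension is a registered file type on the PC)."""
    base = _basename(name)
    stem, dot, _ = base.rpartition(".")
    return stem.rstrip() if dot else base

def flag_attachments(names):
    """Return [(name, name_as_displayed, real_ext)] for suspicious names."""
    hits = []
    for n in names:
        found = double_extension(n)
        if found:
            hits.append((n, shown_when_hidden(n), found[1]))
    return hits

# Constructed sample names, not taken from the article.
SAMPLES = ["holiday.jpg.vbs", "README.TXT.VBS", "C:\\Temp\\song.mp3.scr",
           "report.final.doc", "setup.exe", "archive.tar.gz", "notes.v2.exe"]

if __name__ == "__main__":
    for name, shown, real in flag_attachments(SAMPLES):
        print(f"{name!r}: displays as {shown!r}, runs as {real}")
```

Names such as report.final.doc and notes.v2.exe are deliberately not flagged, because only a harmless-looking extension followed by a runnable one matches the symptom described above.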
