4.0 Virus Control


Copyright(c), 1996 - Management Analytics and Others - All Rights Reserved

4.1 Background on Viruses

Government computers have been exposed to virus-type programs for a number of years. A virus is a quickly spreading program that "infects" other programs by modifying them to include a copy of itself. Once activated, the program can cause various detrimental effects to normal system operation. The impact can range from the annoying, such as displayed messages, to the damaging, including destruction of data and software and even damage to the operating system itself.

A worm is a virus-like program that spreads through a system by copying itself from one location to another. Worms do not infect other programs as viruses do, but they can compete for computing resources with other programs, as happened with the notorious DECnet worm. A Trojan Horse is a program that masquerades as a useful program but does something malicious. It does not replicate or infect other programs. Its effects on a system are akin to those of viruses.

4.1.1 Virus Problems

The primary reason viruses are such a problem is the vulnerability of IS resources. Safeguard programs take time to run, and many users are in too much of a hurry to wait. Another reason for a virus's spread is that users often simply are not aware of the virus's presence until it is too late. This is true for both stand-alone and networked computers.

Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect executable files. The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses which infect executable code found in certain system areas on a disk which are not ordinary files.

On DOS based systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses. Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called MULTI-PARTITE viruses or BOOT-AND-FILE viruses.

4.1.2 Virus Symptoms

There are various symptoms which indicate a virus is present. Symptoms include messages, music and graphical displays. However, the main indicators are changes in file sizes and contents.

Odd system behavior
Decrease in system response
Memory reduction
Change in size or date of files
Application program failures
Alteration of commands
Unusual error messages
System down time increase
System slowdown
Consistent output loss
Unusual noises or tones
Increase in bad sectors
Program failures
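Because the main indicators listed above are changes in file sizes and contents, the practical way to notice them is an integrity baseline: record the size and a digest of every program file while the system is known clean, then compare later. The following is an added illustration written for this section; it is not part of the NRL document and not code from the NISE EAST Toolbox. All file names and contents in it are constructed test data, and the "infection" steps merely append to or overwrite ordinary test files.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the NRL document or the NISE EAST Toolbox):
# an integrity baseline that detects the classic virus indicators,
# a file that grew (appending file infector), a file whose contents
# changed at the same size (overwriting infector), files that appeared,
# and files that vanished.

def file_record(path: Path) -> dict:
    """Size and SHA-256 digest of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}

def build_baseline(root: Path) -> dict:
    """Map of relative path -> record for every regular file under root."""
    return {
        str(p.relative_to(root)): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def compare_baseline(root: Path, baseline: dict) -> dict:
    """Classify every difference between the stored baseline and the tree now."""
    current = build_baseline(root)
    report = {"grown": [], "modified": [], "added": [], "missing": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["missing"].append(name)
        elif new["size"] != old["size"]:
            report["grown"].append(name)        # size changed (contents too)
        elif new["sha256"] != old["sha256"]:
            report["modified"].append(name)     # same size, different bytes
    report["added"] = sorted(set(current) - set(baseline))
    return report

def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "EDIT.COM").write_bytes(b"\x90" * 64)       # constructed
        (root / "FORMAT.COM").write_bytes(b"\xcc" * 64)     # constructed
        (root / "README.TXT").write_bytes(b"unchanged text")
        baseline = build_baseline(root)

        # Simulate an appending infector: the program grows by 412 bytes.
        with open(root / "EDIT.COM", "ab") as f:
            f.write(b"X" * 412)
        # Simulate an overwriting infector: same size, different contents.
        (root / "FORMAT.COM").write_bytes(b"\xcd" * 64)
        # A file that was not present when the baseline was taken.
        (root / "DROPPED.EXE").write_bytes(b"MZ")

        return compare_baseline(root, baseline)

if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:9s}: {names}")
```

A real deployment would store the baseline off the machine (or on a write-protected diskette, in the spirit of this document) so that an infector cannot rewrite the baseline along with the programs; the comparison is only as trustworthy as the stored record.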

4.1.3 NISE EAST (NAVCIRT) Virus Protection Toolbox

The NRL IS Security Office supplies users with an application program called NISE EAST Computer Security Toolbox V3.0. This application program is authorized by NISE EAST and contains VIRSCAN, a viral signature scanning program created and distributed by NORMAN ARMOUR. It is a command-line program that scans MS-DOS based systems and compatible disk drives for the presence of viral signatures.

To accomplish this objective, VIRSCAN uses the database of viral signatures contained in two files on its diskette. The two files are VIRSIG.LST and ADDENDA.LST. VIRSCAN can only identify viral signatures for known computer viruses whose signatures have been entered into its signature database. VIRSCAN may produce occasional false alarms, but this is preferred over not reporting possible infections.

User Toolbox Requests
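To show what a signature database buys and what its limits are, here is an added toy scanner in the style VIRSCAN is described as using. It is not VIRSCAN and not from the NRL document; the "NAME  HEXBYTES" list layout is an assumption, since the document does not describe the real VIRSIG.LST or ADDENDA.LST format. The two signatures are constructed test strings (one is simply the common DOS "exit program" instruction sequence, chosen because it also occurs in clean programs and so demonstrates the false alarms the paragraph mentions).

```python
import tempfile
from pathlib import Path

# Added example, not VIRSCAN. Assumed list layout: one signature per line,
# a name, whitespace, then hex bytes; '#' lines are comments.
# Both patterns are constructed test strings, not real virus code.
SIGNATURE_TEXT = """\
# name      hex pattern
TEST-A      54 45 53 54 2D 56 49 52 55 53 2D 41
TEST-B      B8 00 4C CD 21
"""

# Signatures shorter than this match ordinary code too often to be trusted
# on their own; the scanner still reports them, as VIRSCAN is said to prefer
# a false alarm over a missed infection, but marks the confidence as low.
MIN_CONFIDENT_LEN = 8

def parse_signatures(text: str) -> dict:
    """Parse the assumed list format into {name: pattern_bytes}."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, hexpart = line.split(None, 1)
        sigs[name] = bytes.fromhex(hexpart.replace(" ", ""))
    return sigs

def scan_bytes(data: bytes, sigs: dict) -> list:
    """Report every signature found in data, with offset and confidence."""
    hits = []
    for name, pattern in sigs.items():
        off = data.find(pattern)
        if off != -1:
            confidence = "high" if len(pattern) >= MIN_CONFIDENT_LEN else "low"
            hits.append({"name": name, "offset": off, "confidence": confidence})
    return hits

def scan_tree(root: Path, sigs: dict) -> dict:
    """Scan every regular file under root; only files with hits are listed."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = scan_bytes(p.read_bytes(), sigs)
            if hits:
                results[str(p.relative_to(root))] = hits
    return results

def demo() -> dict:
    """Scan a constructed directory: one clean program, one carrying TEST-A."""
    sigs = parse_signatures(SIGNATURE_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Clean program that just exits: will trip the short TEST-B pattern.
        (root / "CLEAN.COM").write_bytes(b"\x90" * 4 + b"\xb8\x00\x4c\xcd\x21")
        # File carrying the constructed TEST-A marker, then the same exit code.
        (root / "SUSPECT.COM").write_bytes(
            b"\x90" * 10 + b"TEST-VIRUS-A" + b"\xb8\x00\x4c\xcd\x21")
        (root / "README.TXT").write_bytes(b"plain text, no signatures")
        return scan_tree(root, sigs)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The clean file is reported only because the five-byte TEST-B pattern is too generic, which is exactly the kind of false alarm the paragraph warns about; the scanner also finds nothing it has no signature for, which is the other limitation stated above. Both points argue for pairing signature scanning with the integrity checks of the previous subsection.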

Upon receipt of a user request for Toolbox 3.0, and a blank floppy disk, the IS Security Office will diskcopy the master Toolbox disk from NISE EAST. A label with the following message will then be placed on the disk, along with a write protection tab.

NISE EAST Computer Security Toolbox 3.0
Type: install
U.S. Government Property
(for Government computers only)

The user's code will be placed on the label in the upper right corner. The new disk, a copy of the Department of the Navy authorization letter, and the NRL IS Security Group Virus Protection Memo will then be sent to the user.

4.1.4 Virus Reporting (Stand-Alone Systems)

A computer virus infection is a reportable security incident. Department of the Navy (DON) policy requires that each formal computer security incident be reported by the NRL IS Security office to the Naval Computer Incident Response Team (NAVCIRT) as soon as possible.

If a virus or a suspected virus is detected by a user at NRL, take the following actions:

1. Notify your ADP System Manager and the ADP Security Office of the infection and take the necessary actions to minimize the spread of the virus within your activity.

2. Notify all activities that may have received infected diskettes or network files from your activity. Everyone concerned must know about the virus so that it may be stopped and removed.

3. If possible, capture samples of the virus(es) on diskette (no more than 1 diskette per virus). Forward them with the information in paragraph 5 below via your ISSM for analysis to the NRL IS Security Office, Code 1220.2

4. Use Toolbox or a commercial antiviral software to remove the infection.

5. Provide the following information to NRL IS Security Office via your ISSM.

a) Name of the virus
b) How the virus was first detected and identified
c) Damage or observations resulting when the virus triggers
d) Damage caused to your systems, if any
e) Source of the virus, if known
f) Other locations, within or outside of your activity, possibly infected as a result of sharing infected media or files
g) Number and types of systems infected (e.g. hard disks and servers)
h) Number of floppy diskettes infected (approximate)
i) Method of clean-up (removal software, format disk, etc.)
j) Number of work hours expended to remove the infection (approximate)
k) Your name, phone and location

The ADP Security Office will make an immediate and thorough investigation of all virus infections reported.

4.1.5 Prevention

Scan all disks before they are used. Be cautious of all newly acquired software. Check new software for infection before it is run for the first time. Never boot from an unprotected diskette. Backup files and programs. Watch for unusual operation indicators. Use virus detection software.

4.2 Network Virus Protection

Networks at greatest risk of virus-like infections (worms, etc.) are those running UNIX and PC-DOS, loosely administered networks, networks which permit dial-up access, homogeneous networks where most systems employ the same operating system or hardware, and open networks which allow any organization to connect. Defense organizations such as NRL need to be concerned not only because of the potential damage a virus might cause, but also because of potential news media attention and organizational oversight.

4.2.1 Network Protection Precautions

System administrators can take a number of steps to minimize the potential for a virus attack.

1. Change passwords frequently
2. Prohibit the introduction of any unapproved software
3. Continuously monitor and investigate performance utilization changes or other unusual activities
4. Continuously update and maintain access controls and integrity measures
5. Maintain updated program and operating system access
6. If possible, restrict write access to particular data objects on an individual basis
7. Train users to report unusual behavior or results immediately
8. Ensure remote diagnostic lines are only connected when needed
9. Set system software defaults in positions which reduce potential security vulnerabilities

4.2.2 Incident Response Activities (Network Virus/Worm Attack)

While NRL is seldom the identifying organization, incidents involving self-replicating computer viruses in computer systems and networks have underscored the need for NRL-wide coordination and support. When a network virus is discovered on Milnet, Arpanet, or NSFnet, the Naval Computer Incident Response Team (NAVCIRT) will immediately advise all Navy organizations of its existence and of suggested actions.

The IS Security Office will work closely with other federal agencies to coordinate identification and response efforts when acute computer network security incidents of this type are detected. The IS Security Group will ensure suggested NAVCIRT corrective actions are implemented. Upon initial discovery of a previously undetected network-related virus infection, the NRL IS Security Office will contact NAVCIRT immediately to formulate a combined response.

4.3 Recovering Essential Resources

If you believe that your computer is infected with a virus - DON'T PANIC! Sometimes a badly thought out attempt to remove a virus will do much more damage than the virus could have done. If you are not sure what to do, leave your computer turned off until you contact the NRL IS Security Group to remove the virus for you. Viruses can be extremely unforgiving unless they are removed correctly.

4.4 Follow-up

Even if a virus is properly removed, damage is often done to the application software to which the virus attached itself. The best approach when eliminating a virus infection is to reinstall the program from the trusted master after removal.