Virus protection or panic?


I have just bought your magazine and run the Pastel SOHO CD: it has a virus in the setup32.exe file on your disk. The virus is called TROJ_BO2. It may sound like I'm complaining but I'm not really - viruses are a part of computer life.

Mark Hannaford
Via E-mail

In follow-up emails, Mark said he was using PC-Cillin 98 with the latest signature file (548). Another reader contacted PC World about an HTML document in Help Screen (G:\Hscreen\NT00_507.HTM) that his anti-virus program reported as infected. To date, there are no known HTML viruses, but there was something special about this particular file, which I will discuss below.

All clear

The setup32.exe file in question was sent to Trend Micro, the authors of PC-Cillin. The company did not find a virus in this file, which is consistent with the scans from other anti-virus programs used by PC World. So why are these readers being given heart attacks?

Firstly, virus scanners are conservative - if in doubt they will generally warn you about a potential virus.

The second explanation is a little more complex. Anti-virus programs come in two major parts: a signature file and the software "engine". The "signature file" contains virus patterns. If a file on your PC has a known virus, the anti-virus program sees this virus pattern and will probably tell you the file is infected. However, the way the anti-virus program scans files and interprets the results is just as important as knowing the patterns to be matched. This is handled by the software engine of the anti-virus program.

This engine has many functions: it can monitor your system for virus activity or irregular behavior such as attempts to change key system files, but it also interprets the results of the scans. Pattern matching is not an exact science, as viruses are sometimes programmed to "mutate" in order to avoid detection. The anti-virus program has to decide whether a partial pattern is a mutated version of a known virus, or whether it is just coincidence that some part of the software code or text looks like a virus.

Anti-virus programs are constantly being updated to combat new and even more devious viruses and their behavior, but they are also being refined to avoid false alarms. This is why it is important not only to update your signature files with the latest virus patterns, but also the software itself. Old software is often the cause of false reports, and this is best demonstrated by the HTML document that frightened the reader mentioned above. He was using a much older version of PC-Cillin. Despite there being no known HTML viruses, his program still identified this file as infected. So what was the topic of this suspect Help Screen file? "Bogus Virus Alerts". The most likely explanation for the false alarm is that some of the key words in the text triggered a close match to an existing virus message. Similarly, the setup32.exe above probably had some code that the anti-virus program judged to be similar enough to a virus to issue a warning.
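To make the "close match on key words" explanation concrete, here is a toy scanner added for illustration (it is not PC-Cillin's code or any real engine). It contrasts a loose, word-based engine with a stricter one; the signature, the help page and the executable sample are all constructed for this example and do not correspond to any real virus.

```python
# Toy signature scanner: shows why an old engine that matches loosely on
# key words can flag a harmless text document, while a refined engine
# that requires the exact pattern in the right kind of file does not.
# The signature and both sample files are constructed for this example.
import re
from typing import Dict, List

# Constructed "signature": a message a hypothetical trojan might display.
SIGNATURES: Dict[str, bytes] = {
    "EXAMPLE_TROJAN": b"WARNING YOUR SYSTEM IS INFECTED SEND THIS ALERT TO ALL",
}

# Constructed help file, in the spirit of the "Bogus Virus Alerts" page:
# it talks about virus hoaxes but carries no executable code at all.
HELP_HTML = (
    b"<html><body><h1>Bogus Virus Alerts</h1>"
    b"<p>Hoax messages typically say: WARNING your system is infected, "
    b"send this alert to all your friends. Ignore them.</p></body></html>"
)

# Constructed executable-like file (MZ header) that really holds the pattern.
INFECTED_EXE = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURES["EXAMPLE_TROJAN"] + b"\x00" * 8


def loose_scan(data: bytes, threshold: float = 0.75) -> List[str]:
    """Old-style engine: flags a file when most of a signature's words occur
    anywhere in it, in any order. Tolerant of small mutations, but it is
    fooled by a document that merely talks about the virus."""
    words = set(re.findall(rb"[A-Z]+", data.upper()))
    hits = []
    for name, sig in SIGNATURES.items():
        sig_words = sig.split()
        present = sum(1 for w in sig_words if w in words)
        if present / len(sig_words) >= threshold:
            hits.append(name)
    return hits


def strict_scan(data: bytes) -> List[str]:
    """Refined engine: requires the exact contiguous byte pattern, and only
    applies an executable-trojan signature to files with an executable (MZ)
    header. A plain HTML page can never match here."""
    if not data.startswith(b"MZ"):
        return []
    return [name for name, sig in SIGNATURES.items() if sig in data]


if __name__ == "__main__":
    for label, sample in (("help page", HELP_HTML), ("executable", INFECTED_EXE)):
        print(f"{label}: loose={loose_scan(sample)} strict={strict_scan(sample)}")
```

The help page trips the loose engine (every signature word appears in its text) but not the strict one, while the executable sample is caught by both.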

So what do I do if a CD shows a virus warning?

With any new data CD, it is prudent to scan for viruses before using it, regardless of its origin. Make sure that your anti-virus program can scan zipped or archive files. If the CD has a virus, don't panic. Viruses are not the end of the world (you are probably more likely to lose data from hardware failure, Windows becoming corrupted or the theft of your PC). A virus on a CD cannot be cleaned, because cleaning would require rewriting the CD. Remove the CD and contact the vendor with the name of the virus and the infected file.

Some of the precautions taken when producing the PC World CDs:

PC World uses at least two resident anti-virus programs running simultaneously, plus additional virus checkers that vary from month to month. The test machines are monitored for irregular behavior; they also have firewalls and a host of security patches, and suspect email attachments are deleted without being opened. Remember, no system is perfect: you could spend the rest of your life trying to build the perfect system and still get infected. Be careful but not paranoid.


Category:Viruses
Issue: October 1999

These Web pages are produced by Australian PC World © 1999 IDG Communications