Viruses, Worms, and Spyware

There are hundreds of malicious programs that can cause damage to your computer and information on your computer. They can also slow down your machine, and they might even use your computer to spread themselves to your friends, family, co-workers, and the rest of the Web. The good news is that with an ounce of prevention and some good common sense, you are less likely to fall victim to these threats.

Listed below are the most important tasks that are covered in this section:

A virus is a piece of computer code that attaches itself to a computer program. When a computer runs the infected program, the virus launches and embeds itself in the computer’s memory. It then looks for other programs or files to which it can attach. This process repeats each time an infected program launches. A trigger activates the virus, which may be a date or the number of times a virus replicates itself, resulting in damaged software or computer files. E-mail viruses may find an individual’s address book and send copies of an infected document to everyone listed.

Worms are very similar to viruses in that they are computer programs that replicate functional copies of themselves and often, but not always, contain some functionality that will interfere with the normal use of a computer or a program. The difference is that, unlike viruses, worms exist as separate entities; they do not attach themselves to other files or programs.

Named after the wooden horse the Greeks used to infiltrate Troy, a Trojan Horse is a program that appears to be useful software, but instead it compromises your security and causes a lot of damage. Once it is downloaded and executed, the malicious code begins to work. The difference between Trojan Horses and viruses is that Trojan Horses do not replicate or spread on their own. They can only be transmitted intentionally via email or disk, or downloaded directly onto a PC. Many Trojan Horses are designed to steal your login ID and password and then email them to someone else who can make use of the account at your expense. Other Trojan Horses can display obscene messages or delete the contents of your hard drive.

A Rootkit is a program or a collection of programs that is similar to a Trojan Horse. A Rootkit takes Administrator-level control of a system without the authorization of the system's owners and managers. The goal of a Rootkit is to compromise the operating system itself. These programs are able to hide their presence and activity from the user and from virus-scanning software. Rootkits can do this because they take control of the operating system: virus scanners depend on cues from the operating system to find viruses, so a Rootkit that controls those cues can effectively hide itself from any program running on the machine. Rootkits are also difficult to remove and typically require an outside operating system, such as a live distribution of a clean operating system or another program that can run before the infected operating system boots. Because of the difficulty of removing a Rootkit, it is generally considered easier to rebuild the system than to remove the malicious code manually.

Understanding Computer Viruses

Viruses and similar malicious programs usually spread in one of several ways: from external media such as CDs, from vulnerabilities in Windows programs, from downloads off the Internet or bulletin boards, from browsing infected Internet sites, from using Instant Messaging, and from email attachments.

If your computer begins to act strangely, or if it stops being able to do things it has always done in the past, it may be infected with a virus. Symptoms such as longer-than-normal program load times, unpredictable program behavior, inexplicable changes in file sizes, inability to boot, strange graphics appearing on your screen, or unusual sounds may indicate that a virus is on your system. However, it is important to distinguish between virus symptoms and those caused by corrupted system files, which can look very similar. Unless you have up-to-date antivirus software installed on your computer, there is no sure way to know whether you have a virus. Some email virus warnings also turn out to be hoaxes. To determine whether an email virus warning is real, you can visit the Web site at:

http://www.sarc.com/avcenter/hoax.html

If you would like to check whether you already have an antivirus software program installed on your computer, check the Programs list on the Start menu and look for an antivirus program. Many major computer manufacturers include at least a trial version of a popular antivirus software package. But just because the software is installed, doesn't mean it's "turned on," or being updated regularly.


Do’s to Avoid Viruses

Prevention is a matter of vigilance, using appropriate tools to protect your computer, and avoiding contact with unknown disks. It is usually the unwary who get computer viruses. Following is a list of some recommendations for safe computing:

Don’ts to Avoid Viruses

The following activities are among the most common ways of getting computer viruses. Minimizing the frequency of these activities will reduce your risk of getting a computer virus.

At Indiana University, UITS blocks certain attachments that commonly harbor viruses from being delivered via email; for more information on the types of attachments that are blocked from your email account, go to:

http://kb.iu.edu/data/ajch.html

Introducing the Norton AntiVirus Program

Norton/Symantec Endpoint Protection (SEP) is a virus protection program distributed by the Symantec Corporation. It offers an array of effective protection features, including Proactive Threat Protection, online virus definition updates, and an automatic scheduler.

For Indiana University students, faculty, and staff, IUware offers Symantec Endpoint Protection (SEP) for Windows computers, and Symantec Norton Antivirus for Mac OS (NAV) for Macintosh systems. At Indiana University, Norton/Symantec Endpoint Protection is the only Symantec product available under IU’s agreement with Symantec. Users may install copies on multiple computers, such as a desktop, laptop, home computer, etc. It provides full virus protection (when kept updated) and doesn't expire. It is the only version that will be available on IUware CDs and is available from IUware Online at:

http://iuware.iu.edu/

Other Virus Protection Options

Norton/Symantec Endpoint Protection (SEP) is freely available to all IU students, faculty, and staff, but if you would like to use a different program, here are some alternative options.

http://free.avg.com

Protecting Your Machine Before Installing Norton

Trial versions of antivirus software are often shipped with new computers and may only have a subscription for virus updates for a limited time period. If the antivirus program no longer receives updates, then the computer is vulnerable to viruses. Therefore, you may want to install new antivirus software that is up to date. Always be certain to uninstall your current product before installing the new one. Leaving the previous version installed can cause conflicts on your system. However, it is important that you download the latest virus definitions before removing the old program, or your machine may be at risk for a certain period of time.

Note: Check with your LSP before removing or installing antivirus software on your IU computer.

Before installing SEP for Windows, be sure that you do not have any existing versions of antivirus software on your computer. To do this, open your Control Panel, then double-click the Add or Remove Programs icon. In the list that appears, check to see if you have any entries such as:

If you find these or any other virus-scanning programs, remove them before installing SEP. If you have any problems uninstalling the old antivirus software, please contact the UITS Support Center before attempting to install SEP. Symantec offers manual removal instructions and other utilities at:

http://symantec.com/techsupp/

Note: Always follow the manufacturer's antivirus instructions when installing the software. In the simulated exercises, we will be using Symantec Endpoint Protection.

Steps to follow to keep your machine protected before uninstalling your antivirus software program are:

  1. Obtain the antivirus software you want to install.
  2. Download the latest virus definitions.
  3. Disconnect the computer from the network.
  4. Uninstall the old antivirus program or older versions of Norton. If you have a managed installation, check with your LSP for the password.
  5. Reboot the computer.
  6. Install the new antivirus software.
  7. Install the latest virus definitions.
  8. Reconnect to the Internet.
  9. Run LiveUpdate to download all of the latest virus definitions and the scanning engine.

    You should run the LiveUpdate two or more times to be sure that you get the latest scanning engine updates. You will finally get a message stating that your antivirus client is completely up to date.

By following the above procedure, your system will not be left unprotected while you are uninstalling the old program and installing the new antivirus software.


Understanding Proactive Threat Protection

Proactive Threat Protection allows the virus software to monitor incoming and outgoing data. It is enabled by default during the SEP install to intercept viruses attempting to access your computer from email or the network. This option also prevents your machine from exporting viruses if a file is infected.

Once Proactive Threat Protection is enabled, SEP is designed to start running as soon as your computer's operating system starts. It runs unobtrusively in the background, checking all vulnerable files for possible infection by mischievous, sometimes malevolent programs called viruses and worms. SEP does this by looking for the identifying signatures of these worms and viruses and comparing them against its definitions file of known viruses. When it detects an infected file, it notifies you and handles the infection according to your preferences. For maximum protection against new viruses, you must keep SEP up to date.

Simulation (Windows XP, Windows Vista, Windows 7): confirming that Proactive Threat Protection is enabled.

Note: To access Norton Symantec Endpoint Protection, alternatively you can double-click the yellow icon (which looks like a shield) in the lower right corner of the taskbar.

Understanding LiveUpdates and Virus Definitions

After the installation is complete, you will be prompted to run the LiveUpdate program. LiveUpdate for SEP is a program that updates the virus definitions to the latest version, as well as the virus scanning engine. These virus definitions are what SEP uses to scan your computer for viruses.

An Internet connection must be available. SEP retrieves the updates from the Symantec Web site, and each update is incorporated into SEP as soon as it has been downloaded. You should keep running LiveUpdate until no more updates are available. Later, you will see how to schedule LiveUpdates automatically rather than having to run them manually.

Simulation (Windows XP, Windows Vista, Windows 7): running LiveUpdate manually.

New virus definitions are available at least weekly from Symantec. Symantec Endpoint Protection retrieves the new virus definitions from a Symantec site, and then replaces the old definitions in the Symantec Endpoint Protection directory. A modem or Internet connection is required, so dial-up users will have to connect to the Internet before obtaining updates.

You may manually check for current updates, or SEP will run LiveUpdate at the times and dates you set. If it prompts you to choose how to connect to the Symantec Web site in order to obtain the latest virus definition updates, choose the default setting Find device automatically. If you are connected via Ethernet, LiveUpdate will use that existing Internet connection. If you are connected by modem and have a PPP connection, LiveUpdate will dial and get the updates from Symantec.

Scheduling Regular LiveUpdates

You can set up SEP software to automatically update your virus definitions as often as you choose. Symantec usually posts new virus definitions in the evenings. You want your antivirus software to detect the most recently discovered viruses so it is important to update these virus definitions daily. Antivirus software is only as good as your virus definitions. If they are outdated, newer viruses may go undetected. Keep in mind, however, that SEP only protects you from the virus threats that Symantec is aware of.

Some department LSPs on the IU campus automatically schedule these updates. If a computer is not logged in or connected to the Internet during the scheduled time for the update, then the update can still take place within a set number of minutes or hours of the scheduled time; this window is specified when scheduling LiveUpdates.

The instructions for scheduling regular LiveUpdates vary according to your operating system and which version of SEP is installed on your computer.

Simulation (Windows XP, Windows Vista, Windows 7): scheduling LiveUpdates.

For more information on scheduling updates, check the IU Knowledge Base at:

http://kb.iu.edu/data/agzb.html

How Does Virus Scanning Work?

Virus scans should be performed on a regular basis to ensure that your computer is free of dangerous and harmful viruses, since it is possible to acquire a virus before getting an update that would recognize the virus. A virus can “slip through” in spite of your best efforts. Performing virus scans is a simple task that can be automated with most antivirus programs. When virus scans detect a virus, the antivirus program deletes or quarantines the problem area to keep it from spreading or performing any further damage.
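As an added illustration of the signature-based scanning described in the Proactive Threat Protection section and the quarantine step above, the following Python example is not SEP's code: it uses constructed definition sets and constructed sample files, and shows why a file recognized only by newer definitions slips past the older ones.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed definition sets (signature name -> byte pattern looked for in each
# file). Illustrative only; real definition files are far more elaborate.
DEFINITIONS_OLD = {"Demo.Worm.A": b"DEMO-WORM-A-MARKER"}
# The newer set also knows a variant the old set misses, which is why the page
# insists that definitions be updated daily.
DEFINITIONS_NEW = {**DEFINITIONS_OLD, "Demo.Worm.B": b"DEMO-WORM-B-MARKER"}


def match_signatures(data, definitions):
    """Return the name of the first signature whose pattern occurs in data, else None."""
    for name, pattern in definitions.items():
        if pattern in data:
            return name
    return None


def scan_directory(root, definitions, quarantine_dir):
    """Scan every file under root and move each detection into quarantine_dir,
    where it can no longer be run or spread. Returns {original_path: signature}."""
    os.makedirs(quarantine_dir, exist_ok=True)
    qdir = os.path.abspath(quarantine_dir)
    detections = {}
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.abspath(dirpath).startswith(qdir):
            continue  # never rescan (or re-quarantine) what is already quarantined
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                data = f.read()
            hit = match_signatures(data, definitions)
            if hit:
                # Content-hash prefix keeps same-named files from colliding in quarantine.
                digest = hashlib.sha256(data).hexdigest()[:16]
                shutil.move(path, os.path.join(qdir, f"{digest}-{fn}.quar"))
                detections[path] = hit
    return detections


def demo():
    """Constructed sample tree (one clean file, two 'infected' ones); returns the
    detections made with the old and then the new definitions, keyed by file name."""
    root = tempfile.mkdtemp()
    samples = {"notes.txt": b"quarterly report draft",
               "setup.exe": b"MZ...DEMO-WORM-A-MARKER...",
               "update.scr": b"MZ...DEMO-WORM-B-MARKER..."}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    quarantine = os.path.join(root, "quarantine")
    old_hits = scan_directory(root, DEFINITIONS_OLD, quarantine)  # Worm.B slips through
    new_hits = scan_directory(root, DEFINITIONS_NEW, quarantine)  # caught after an update
    shutil.rmtree(root)
    return ({os.path.basename(p): h for p, h in old_hits.items()},
            {os.path.basename(p): h for p, h in new_hits.items()})
```

Running demo() shows the first scan catching only setup.exe, while update.scr is caught only once the newer definitions are in place.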

Performing a Manual Virus Scan

Manual virus scans should be performed on files on external media, such as USB drives, questionable email attachments, or if there is the slightest possibility that a virus has invaded the hard drive. A manual scan will only allow scans on drives and files based on the permissions of the logged-in user. The next topic explains how to schedule a computer scan on a regular basis so that it runs automatically.

Simulation (Windows XP, Windows Vista, Windows 7): scanning a USB drive.

Note: To scan a drive, you can open Windows Explorer and right-click the drive and select "Scan for viruses." You can also right-click on any file or folder and select "Scan for viruses."

Scheduling Regular Virus Scans

Since new viruses are always being developed, it is good practice to schedule regular virus scans of your hard drive. The computer may have received a particular virus before getting an update that would have recognized it. You can schedule a scan daily, weekly, or monthly. Scheduled scans will scan the entire hard drive(s) or selected folders on the hard drive.

When a scan is set for a scheduled time and the computer is not turned on, a time range may be specified in hours or days during which the scan may occur in case of a missed event. Therefore, if the user who originally set up the scan is not logged in during the scheduled time, then the scan will start up as soon as the user logs in (as long as the time falls within the scheduled time of the missed event).
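The missed-event rule above, modeled as an added Python example that is not SEP's own scheduling code: a weekly scan is assumed (Wednesday at 20:00 with a constructed two-day window), and a login starts the scan only if the most recent scheduled occurrence was missed and the login still falls inside that window.

```python
from datetime import datetime, time, timedelta

# Hypothetical model of a weekly scheduled scan with a missed-event window. It
# illustrates the rule described above and is not SEP's own scheduling code.


def last_scheduled_run(schedule_weekday, schedule_time, now):
    """Most recent occurrence of the weekly schedule at or before `now`
    (schedule_weekday uses Monday=0, like datetime.weekday())."""
    candidate = datetime.combine(now.date(), schedule_time)
    candidate -= timedelta(days=(now.weekday() - schedule_weekday) % 7)
    if candidate > now:  # this week's slot is still ahead, so use last week's
        candidate -= timedelta(days=7)
    return candidate


def should_run_missed_scan(schedule_weekday, schedule_time, window, last_completed, login_time):
    """Decide whether a scan starts when the user logs in.

    It starts only if the most recent scheduled occurrence was missed (no scan
    has completed since it) AND the login still falls within `window` of that
    occurrence. Outside the window nothing runs until the next scheduled time."""
    due = last_scheduled_run(schedule_weekday, schedule_time, login_time)
    missed = last_completed is None or last_completed < due
    return missed and login_time <= due + window


def demo():
    """Constructed scenario: weekly scan every Wednesday 20:00, 2-day window,
    last successful scan Wednesday 2024-05-29 20:30. Returns {case: decision}."""
    wednesday, at = 2, time(20, 0)
    window = timedelta(days=2)
    last_done = datetime(2024, 5, 29, 20, 30)
    logins = {
        "thursday_morning": datetime(2024, 6, 6, 9, 0),        # inside window -> runs
        "saturday_noon": datetime(2024, 6, 8, 12, 0),          # window expired -> waits
        "wednesday_before_slot": datetime(2024, 6, 5, 19, 0),  # nothing missed yet
    }
    result = {case: should_run_missed_scan(wednesday, at, window, last_done, t)
              for case, t in logins.items()}
    # A machine that has never completed a scan counts as having missed the slot.
    result["never_scanned_thursday"] = should_run_missed_scan(
        wednesday, at, window, None, logins["thursday_morning"])
    return result
```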

Simulation (Windows XP, Windows Vista, Windows 7): scheduling a weekly scan and specifying a time range for a missed event.

What if a Virus Is Found?

The antivirus program will clean, quarantine, delete, or leave alone any viruses found on your computer system, depending upon the settings that were configured in the Proactive Threat Protection dialog box. If you cannot boot your computer after acquiring a virus, then you will most likely have to take your computer to a professional or to someone who can take care of the virus problem. Sometimes a virus infection may be too “deep” to just remove, and the computer system will have to be rebuilt—a good reason to always back up important data!

Removal tools for various viruses are available for download from the Symantec Web site at:

http://www.symantec.com/


Protecting Against Spyware and Unwanted Software

Spyware is a general term used for software that performs certain activities such as advertising, collecting personal information, or changing the configuration of your computer, generally without appropriately obtaining your consent. You might have spyware or other unwanted software on your computer if:

Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information. Many of these programs track your Internet browsing habits and then provide advertising companies with marketing data. This does not mean all software which provides ads or tracks your online activities is bad. For example, you might sign up for a free music service, but "pay" for the service by agreeing to receive targeted ads. If you understand the terms and agree to them, you may have decided that it is a fair tradeoff. You might also agree to let the company track your online activities to determine which ads to show you.

Other kinds of unwanted software will make changes to your computer that can be annoying and can cause your computer to slow down or crash. These programs have the ability to change your Web browser's home page or search page, or add additional components to your browser you don't need or want. These programs also make it very difficult for you to change your settings back to the way you originally had them. These types of unwanted programs are also often called spyware.

There are a number of ways spyware or other unwanted software can get on your system. A common trick is to covertly install the software during the installation of other software you want, such as a music or video file-sharing program. When you are installing something on your computer, make sure you carefully read all disclosures, including the license agreement and privacy statement. Sometimes the inclusion of unwanted software in a given installation is documented, but it may appear at the end of a license agreement or privacy statement. Disreputable services, however, may give you no warning at all that other software is included.

Understanding Windows Defender

Windows Defender is software built into Windows that helps protect your computer from pop-ups, slow performance, and other security threats caused by spyware. Windows Defender detects and removes spyware from your system as you browse the Web using Real-Time Protection. Real-Time Protection recommends actions to the user based on the types of spyware it detects.

By default, Windows Defender is enabled on Windows Vista and 7.
