Serendipity lends a hand.
A chance conversation at an exhibition made me realise that users have not got a clue when it comes to looking for viruses. The vendors of antiviral software do little to help. They may produce an excellent manual on how to use their software, but it is rare to find details on how to look for viruses.
The conversation made me realise that whilst I had expounded good practice on a number of occasions, that advice was scattered throughout the book. There was an obvious need to gather it in one place and make it more explicit. It would also do no harm to reiterate what had already been said.
What follows is the procedure to be taken to search for a virus. It should be taken as read that the software used is capable of finding and correctly identifying any viruses that you may have. The procedure is aimed at scanners, but it can be extended to integrity checkers.
First turn off the machine. If it is already off leave it in that state.
Search for and dig out your original operating system disks. You will need the first of the set (if more than one), which will be a boot disk. The disk should be write protected; if not, ensure that it is. If the disk was not found to be write protected there is the possibility that it may be corrupted, and this procedure relies on the fact that the disk is clean. There is also the small possibility that you were shipped an infected disk. If the disk is not the same version as that installed on the machine it does not matter, nor does it matter if it is not even the same operating system (that is, you can mix MS and IBM). What you must not do is run any DOS programs from the hard disk if different versions are used.
Next insert the boot disk into the machine and turn on the machine to boot the system. If you are running a later version of DOS you will go into setup mode. Press the appropriate escape key.
You should now have the system prompt. It may prove necessary to enter the current date and time if these are not valid.
Remove the boot disk and insert a write protected disk containing a DOS version of your scanner. Execute the scanner and follow whatever is outlined in the manual for a detailed scan. You should not have any deletion or disinfection options selected. If you do find any viruses, note what they are, copy off the infected files and replace them with originals. Only if this is not possible should the disinfection option be selected.
Although the scanner will self check (or should if well designed) it is advisable to scan the floppy containing the scanner.
You may wish to scan multiple floppies. For some scanners this is not possible from the floppy disk. It may therefore be necessary to install the scanner to hard disk. You should at this stage scan the original operating system disks to validate the original assumption that they were clean. This is not a perfect solution, but it is the best that you can do unless you are able to obtain some shrink wrapped disks or earlier versions than you are currently using.
Once the system is clean you may wish to install the antiviral software.
Whilst the system is in a known clean state you should create a clean boot disk that can be used in future searches. If there is sufficient room, you may wish to make your scan disk a boot disk.
When you have finished, reboot the system from the hard disk. You can now use all your applications. If you are using extra drives that were not previously accessible because their drivers were not loaded, these should now also be scanned.
There are two points to note in this procedure.
First, the system is booted from floppy and scanned from floppy. To scan from hard disk may be convenient, but it is not reliable. The procedure outlined is the only way to defeat stealth viruses.
Second, Windows software is not used. It is not sufficiently reliable and is very vulnerable to stealth viruses.
And the original problem.
A user had run a scanner, detected a virus and thought that it had been removed. A scan of the system showed it not to be present. A later scan with a different scanner showed the stealth virus to be present. This led to doubts as to the effectiveness of the first scanner (which could be valid). A likely scenario is that a scan was performed with the stealth virus active; it was thus able to take evasive action and avoid detection. The second scan was performed whilst the virus was dormant, leading to easy detection. A second possibility is that the user put the virus back on the system. The latter is always difficult to check, as users are always adamant that they did not put it there.
Following the procedure outlined above will ensure that, assuming the scanner is capable of finding the virus, it will be able to do so, as a stealth virus will not be active.
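The following is an added toy model, not code from the book, of why the boot order matters for both scanners and integrity checkers. A resident stealth infector that hooks file reads is represented by a reader that hands back the original bytes of any infected file; the file names, contents and signature are all constructed for the illustration.

```python
# Toy model of why the clean-boot procedure matters (constructed example, not
# from the book): the 'virus', file bytes and signature are all invented.
import hashlib

SIGNATURE = b"<STEALTH-DEMO>"   # constructed toy signature, not a real one

# Constructed disk: filename -> bytes physically stored in the file.
DISK = {"COMMAND.COM": b"command interpreter", "WP.EXE": b"word processor"}

def infect(disk, name):
    """Appending infector: tack the toy payload onto a program file."""
    disk[name] = disk[name] + SIGNATURE

class FileReader:
    """Stands in for DOS file reads. With the stealth virus resident (booted from
    the infected hard disk) reads of infected files return the original bytes."""
    def __init__(self, disk, stealth_active):
        self.disk, self.stealth_active = disk, stealth_active
    def read(self, name):
        data = self.disk[name]
        if self.stealth_active and data.endswith(SIGNATURE):
            return data[:-len(SIGNATURE)]   # hide the appended payload
        return data

def scan(reader):
    """Signature scanner: files whose visible bytes carry the signature."""
    return sorted(n for n in reader.disk if SIGNATURE in reader.read(n))

def snapshot(reader):
    """Integrity-checker baseline: hash of every file as currently visible."""
    return {n: hashlib.sha256(reader.read(n)).hexdigest() for n in reader.disk}

def changed(reader, baseline):
    """Integrity check: files whose visible hash no longer matches the baseline."""
    return sorted(n for n, h in snapshot(reader).items() if baseline[n] != h)

def demo():
    """Run both tools with the virus resident and after a clean floppy boot."""
    disk = dict(DISK)
    baseline = snapshot(FileReader(disk, stealth_active=False))  # taken while clean
    infect(disk, "WP.EXE")
    hard_disk_boot = FileReader(disk, stealth_active=True)   # virus resident
    floppy_boot = FileReader(disk, stealth_active=False)     # clean write-protected boot
    return {
        "scan_from_hard_disk": scan(hard_disk_boot),        # []  evaded
        "scan_from_floppy": scan(floppy_boot),              # ['WP.EXE']
        "integrity_from_hard_disk": changed(hard_disk_boot, baseline),  # []
        "integrity_from_floppy": changed(floppy_boot, baseline),        # ['WP.EXE']
    }
```

The same signature and the same baseline find nothing while the stealth reader is in the way and find the infected file as soon as the machine is booted clean, which is the whole reason for booting and scanning from floppy.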
There are a couple of exceptions that this procedure will not cope with, but these are situations that need expert help together with an in-depth knowledge of the specific viruses involved.
Hopefully you will not find a virus, but if you do it will be necessary to scan all your floppy disks. You should attempt to track down the source and warn them that they may have a virus. They should be advised to follow this same procedure to check out their system. The author grants you permission to pass them a copy of this appendix, provided that you indicate the source and recommend that they purchase a copy of the book.
Reproduced with kind permission from Virus: A computer malaise - Keith Parkins (Books on Disk : 1995) (c) Keith Parkins 1995.