Building Your Own Anti-virus Toolkit

        By Eriq Neale, ACS Lab Manager and Virus Guru (neale@unt.edu)

        A few weeks ago, I had an interesting experience trying to install a deadbolt in one of the doors of our house. Mind you, I'm not a master carpenter, but I did do quite a bit of woodworking with my grandfather and stepfather while I was growing up. But what should have taken less than an hour turned into a relative fiasco, all because I was trying to make a 7/8" drill bit do the job of a 1" drill bit. In short, I just didn't have the right tools for the job.

        Having the right tools

        We take for granted the number of daily tasks we perform using tools we have been given or have learned. To drive a car, you need several tools: a license, a car, keys, driver's education, and insurance. Preparing meals daily requires many different types of tools and utensils (or a credit card if you're lazy like me). Computer use is no different, yet many of us don't have the necessary tools to use our computers effectively.

        While there are many important computer tools we need to be productive, two specific tools should be required of everyone. The most important is a backup tool. Whether this is as simple as a floppy diskette with your important data replicated on it or a high-end tape backup system, you need some way of making backup copies of the important pieces of your computer's operating environment. In my daily job, I frequently consult with students who are having computer difficulties. I'm amazed at how many times students have brought me the only copy of their theses on the one floppy diskette they've used for years. Generally, I see these students only after that diskette has failed, and I have the sad job of telling them their work is lost.

        The other tool that should be required of everyone who touches a computer is the virus prevention tool. This tool is essentially education, though there are other components to it as well. In my experience I've found that those who are more aware of the threat of the computer virus are less likely to be victims of the virus. Individuals can begin their virus education by constructing and understanding the use of the anti-virus toolkit described below. The toolkit is a simple, yet effective, way to help protect yourself against the virus onslaught, and it will help you get back on your feet quicker if you've become a virus victim.

        Many of the tips outlined in the rest of this article are specifically for the PC architecture. Macintosh owners can adapt these suggestions for their own use.

        Building your own Anti-virus Toolkit

        Here's a basic recipe for constructing your own personal anti-virus kit. First you need a clean, write-protected, bootable diskette for your operating system. A bootable diskette is a diskette that has the basic pieces on it (the hidden system files and COMMAND.COM) that are needed to load DOS on your PC. It can be constructed with the command FORMAT A: /S, which formats the diskette in drive A: and copies the system files to it. Make it from the same DOS version that is installed on your hard disk: the DOS utilities refuse to run under a different version, and a SYS or FORMAT that answers "Incorrect DOS version" is no help in a recovery. You will then need to copy the following DOS files to the diskette: FORMAT.COM, FDISK.EXE, SYS.COM, and XCOPY.EXE [1]. You may want to make several of these diskettes and keep them in different locations so you'll have easy access to them when you need them. Bootable diskettes are useful for many different situations, so this is something you really should put together.

        To ensure that the boot disks are clean, take them to a computer that is known to be clean and scan them there. It does no good to boot your computer from a diskette that is infected with a virus! Once you are certain that your boot disks are clean, write-protect them. Write protection is enforced by the drive hardware, not by software, so no program, a virus included, can write to a write-protected floppy disk. This will keep the diskette clean even if it is used on an infected PC.

        Next, you'll need a set of diskettes with your favorite anti-virus package. Since UNT is licensed for F-Prot, I'll be referring to it specifically. On a high-density diskette, you can fit both the boot diskette pieces listed above and the basic pieces of F-Prot. Alternatively, you can put the F-Prot installation on a separate, write-protected diskette. Either way, keep the scanner's signature files current: a copy of F-Prot that is months old will miss the viruses that have appeared since.

        Next, you need to document your computer's default configuration information. Write down the CMOS settings, paying special attention to the hard disk type and size (cylinders, heads, and sectors). Run FDISK, choose Display partition information (option 4 in the MS-DOS FDISK menu), and write down the type, status, and size of each partition on your hard disk. Print the contents of your AUTOEXEC.BAT and CONFIG.SYS, as well as any other critical setup/configuration files on your computer such as WIN.INI and SYSTEM.INI if you are running Windows. Keep these printouts with the diskettes; you will not be able to read them from the hard disk once it has been rebuilt. You may also want to include the contents of this article.

        Finally, the last pieces of the toolkit you will need are time and patience. Removing a virus infection from your computer can be a lengthy process at times, and having the patience to work through the entire cleaning process will help ensure that you will not have to repeat the process soon.

        Understanding and Using the Tools in Your Anti-Virus Kit

        Now that you have your toolkit ready, sit back and wait for the virus attack. Hopefully, since you have F-Prot already installed on your system, this won't happen to you. But, if it does, here's how to begin your recovery. Let me say up front that these steps are simplifications of a much more involved process. Following these steps will get you back online in the least amount of time possible, but they do not take into account any attempt to salvage data in the process. If you are unfamiliar with any of the steps involved below, do not attempt the process by yourself. If at all possible, enlist the aid of someone who is more familiar with DOS and the makeup of your computer. If nothing else, you can take your computer to someone who specializes in removing virus infections. As a standard disclaimer, the University of North Texas, the UNT Computing Center, Academic Computing Services, and I cannot accept any responsibility for the results of the actions described below. These steps work if followed to the letter, but misinterpretation can lead to loss of data. If you have any questions or doubts, do not proceed on your own. Now, on to the recovery process.

        If you suspect you have a virus, or F-Prot has told you that you do, get your toolkit, put the write-protected boot diskette in drive A:, and cold boot the computer (switch it off and on rather than pressing Ctrl-Alt-Del, since some memory-resident viruses survive a warm boot). Booting from a clean diskette matters because a virus that is resident in memory can hide itself from the scanner or reinfect files as fast as they are cleaned. Then run F-Prot from the protected diskette and follow the instructions it gives you. For the more common viruses, this is all you'll need to do to eradicate the infection and return to business as usual. As a follow-up step, you'll need to scan every diskette you've used in your computer to identify and remove the source of the original infection. If you choose to skip this step, you can probably expect to be infected again within a few weeks [2].

        That was the simple process. Unfortunately, F-Prot, like every other anti-virus program, cannot clean or remove every virus. Any package that tells you it can fix every virus problem is lying. The good news is, again, that for most common types of viruses you don't need an anti-virus package to remove the virus. Depending on the type of virus that is infecting your computer, you can take one of two approaches to cleaning your system.

        If you are infected with a file-infector virus, a virus that replicates by inserting itself into executable programs (.COM and .EXE files), the easiest and safest method of cleaning is to delete the programs that you suspect may be infected. To be completely safe, you should remove every executable program on your computer to eliminate the possibility that you overlooked anything. This is where backups come into play. If you have good backups, you can recover the files you delete from your backup rather than reinstalling the program from its original diskette [3]. You will need to be aware, however, of what is on your backup. If the files on your backup are infected, restoring from backup will do you no good: restore from a backup made before the infection, and scan the restored files before running any of them.

        If you are infected with a boot sector infector, a virus that replicates itself by writing itself to the boot sector of disks and diskettes, you have several options for eradicating the virus. If you have a floppy diskette that is infected and is not a bootable diskette, you may copy the files off the diskette to another disk, reformat the diskette, then copy the files back to the diskette. This, of course, assumes that the computer you are using is clean. If you have a floppy diskette that is a regular boot disk (i.e., not one that is used to install an operating system or run a game or something like that), you can overwrite the boot sector by reinstalling the operating system. This is done with the SYS command. Put your diskette in a clean computer (drive A: for this example) and execute the command SYS A: from the hard disk. This will overwrite the boot sector of the floppy and reinstall the DOS pieces. On older DOS versions, SYS refuses with "No room for system on destination disk" if the diskette was not originally formatted with /S; in that case fall back to the copy-off, reformat, copy-back method above. The same can be done for a hard disk boot sector that is infected. Boot from your clean floppy diskette, then execute the command SYS C: from the floppy diskette. Note that SYS rewrites the DOS boot sector of the C: partition, not the master boot record in the very first sector of the drive; a virus that lives there needs the procedure in the next paragraph.

        If you are infected with a virus that infects the partition table of your hard disk, like the Da'Boys virus, you are in for quite a bit of work. Once the Da'Boys virus has infected your computer, it moves the partition table of your hard disk to a different location. One side-effect of this is that you will not be able to see the hard disk if you boot from a floppy diskette. The only guaranteed way to recover from an infection of this kind is to rebuild your hard disk from scratch. Again, good backups are a necessity here, because you will not be able to recover any data from your computer once you begin the disinfection process. Boot your computer from the clean floppy diskette and run FDISK. Delete any partition that appears on your boot drive. Then recreate the partition table based on the data you collected for your toolkit. You will have to reboot your computer once the new partition is created. When rebooted, you can format and install DOS back on the hard disk by executing the command FORMAT C: /S from the floppy diskette; this writes a fresh DOS boot sector and system files. Then you will want to install your anti-virus software on the hard disk and scan the drive once more. After that, you can reboot from the hard disk and begin reinstalling your software.
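        The partition information you record for the toolkit, and the check for the kind of tampering described above, can be automated if you keep a copy of sector 0 of the hard disk (the master boot record) saved as a 512-byte file. The following Python script is an added example and is not part of the original article or of F-Prot: it decodes the partition table, prints it in the form you would write into your notes, and compares a current copy against the saved baseline so a changed or emptied table shows up before you start deleting partitions with FDISK. The sample master boot records inside the script are constructed for the demonstration, and the file names on the command line are assumptions.

```python
# Added example, not from the original article: decode a 512-byte master boot
# record (MBR), list its partition table, and detect changes against a saved
# baseline copy. The layout used is the classic PC MBR: 446 bytes of boot
# code, four 16-byte partition entries at offset 0x1BE, and 0x55 0xAA at 0x1FE.
import struct
import sys

SECTOR = 512
TABLE_OFFSET = 0x1BE        # the four 16-byte partition entries live here
SIGNATURE_OFFSET = 0x1FE    # 0x55 0xAA marks a valid boot sector
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16 bytes


def has_boot_signature(sector: bytes) -> bool:
    return sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xAA"


def parse_mbr(sector: bytes) -> list:
    """Decode the partition table into four dicts (unused entries have type 0)."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def describe(entries: list) -> list:
    """One line per used partition, in the form you would copy into the toolkit notes."""
    lines = []
    for n, e in enumerate(entries, 1):
        if e["type"] == 0:
            continue
        mb = e["sectors"] * SECTOR // (1024 * 1024)
        lines.append(f"partition {n}: type 0x{e['type']:02X} start LBA {e['lba_start']} "
                     f"size {e['sectors']} sectors (~{mb} MB)"
                     + (" bootable" if e["bootable"] else ""))
    return lines


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Compare the MBR saved in the toolkit with the current one; return what changed."""
    findings = []
    if not has_boot_signature(current):
        findings.append("boot signature missing")
    if baseline[:TABLE_OFFSET] != current[:TABLE_OFFSET]:
        findings.append("boot code changed")
    for n, (b, c) in enumerate(zip(parse_mbr(baseline), parse_mbr(current)), 1):
        if b != c:
            findings.append(f"partition {n} entry changed")
    return findings


def build_mbr(entries: list, boot_code: bytes) -> bytes:
    """Assemble a constructed MBR for the demonstration (CHS fields left zero)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, e in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if e["bootable"] else 0x00, b"\0\0\0", e["type"],
                         b"\0\0\0", e["lba_start"], e["sectors"])
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample, not captured from a real disk: one bootable 512 MB FAT16
# partition (type 0x06) starting at sector 63, with placeholder boot code.
SAMPLE_BASELINE = build_mbr(
    [{"bootable": True, "type": 0x06, "lba_start": 63, "sectors": 1048576}],
    boot_code=b"\xFA\x33\xC0\x8E\xD0")

# Constructed "after infection" sample: different boot code and an emptied
# partition table, which is what a relocated table looks like after booting
# from a clean floppy (the C: drive simply is not there).
_tampered = bytearray(SAMPLE_BASELINE)
_tampered[:5] = b"\xEB\x3C\x90\x90\x90"
_tampered[TABLE_OFFSET:SIGNATURE_OFFSET] = bytes(4 * ENTRY_SIZE)
SAMPLE_TAMPERED = bytes(_tampered)


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw disk image or device node."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    # Usage (file names assumed): python mbr_check.py [current.bin [baseline.bin]]
    # With no arguments the constructed samples are compared.
    current = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TAMPERED
    baseline = read_mbr(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_BASELINE
    print("\n".join(describe(parse_mbr(baseline))) or "no partitions in baseline")
    for finding in diff_mbr(baseline, current) or ["no change"]:
        print(finding)
```

        The comparison reads the partition entries rather than the whole sector byte for byte, so a legitimate change such as a new drive letter shows up as a named entry, while any change to the boot code, which is where this class of virus lives, is reported separately. Run it on a copy of the sector taken while the machine is known to be clean and keep that copy with the toolkit.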

        Final Thoughts

        As I said earlier, the most important piece of any computer work is maintaining good backups. Sometimes, only backups will help you recover from a catastrophic event. Also, be sure to scan every floppy diskette you use in your computer on a regular basis, especially after cleaning a virus infection. Boot sector viruses spread only when a computer is booted, even accidentally, from an infected floppy diskette, so a data diskette left in drive A: when the machine is restarted is the usual route. But with this toolkit, you will have the essential elements to arm yourself against virus attacks and begin the road to recovery quickly. As with all tools, some training or practice is necessary, so become familiar with each piece of the puzzle. Read about how the programs work, and spend some time becoming familiar with your virus scanner. And do not hesitate to ask questions of someone who may be able to help you. When dealing with viruses, there are no dumb questions.


        [1] XCOPY is a personal preference. You may choose to use the DOS COPY command instead.

        [2] The notion comes from personal experience as well as the experience of others.

        [3] You should also write-protect your software installation diskettes before you use them in your computer. While some original diskettes can be infected at the manufacturing plant, the most common source of infection of original diskettes is running the installation programs on an infected computer. Many companies are now shipping software on diskettes that are already write-protected.
