-- Vendor-Independent Anti-Virus Information and Education Site --
By Bill Grogg
There has probably been more misinformation historically about how viruses spread than actual fact. Much of this misinformation has been sent in the form of excited e-mail spread around the globe about viruses that turned out to be hoaxes. Some of these from a few years ago are still circulating and resurfacing from time-to-time.
Other popular misconceptions were that your chances of getting a virus were much greater when using BBSs, on-line services, and the Internet, and that shrink-wrapped software was always safe.
So what are the facts about how viruses spread? Well, the way a virus spreads depends to a great extent on what type of virus it is.
A boot sector virus spreads through infected floppy disks. When a clean PC is booted from an infected disk (or even if the boot fails), it will probably become infected since the infected boot sector usually tries to infect the Master Boot Record or DOS Boot Record of the hard disk. When the floppy disk is removed and the system is rebooted, the now-infected hard disk will load the virus and it will then look for opportunities to infect any other floppy disks accessed by the system. Up until early 1996, the most common way to get a virus was from an infected floppy. Corporations were infected when employees unknowingly brought in infected disks from home to use on their office PCs, and the virus was spread around as diskettes were exchanged by people or taken from computer to computer.
Just accessing an infected floppy isn't enough to infect a PC. Since the virus's executable code resides on the floppy's boot sector, an attempt to boot from the floppy is required. You may not think you ever try to boot from a floppy, but how many times have your rebooted your system or turned it on not realizing that you had left a floppy in the drive and got the "non-system disk or disk error" message, removed the disk, and booted again without it? If that particular disk was infected with a boot sector virus, it is very likely your system is now infected as well.
File infecting viruses usually infect executable programs such as files with .EXE and .COM extensions. When any of these infected executable files is copied to another computer, that computer will become infected when the infected executable file is run for the first time. If the infected program is not executed, no infection will occur.
How do program files move from one computer to another? They can be copied to diskette and physically moved, or copied to a shared network directory for access by other machines, or copied directly to another PC via the network.
In 1997, macro viruses quickly became some of the most common and successful viruses because they are so mobile. People frequently exchange documents via e-mail or work on shared data files such as Microsoft Word documents or Microsoft Excel spreadsheets. A virus infecting one of these documents becomes active when the document is opened in the application and from that point on it infects other documents accessed by that application.
More recently, a number of viruses and worms have used programmability in e-mail clients such as Microsoft Outlook to gain access to an address book, then to send copies of themselves out via e-mail to everyone in the address book or distribution list.
What about the misconceptions mentioned earlier?
Many times you can identify a hoax by remembering that a virus is executable code. In order for infection to occur, code must be executed.
Consider the "Good Times" e-mail virus. We can determine that it is a hoax since the information being e-mailed around by it states that just reading an e-mail with the subject of "Good Times" will cause damage. Until recently, we knew this was not true since an e-mail message was just data or text. In that scenario, reading e-mail does not run executable code. This does not mean that viruses cannot spread through e-mail. As we have considered ealier, an infected executable file or document containing infected macro code can spread a virus and these can be sent with e-mail as attachments, but they do not become active without extracting them and executing them, so it is a good practice to scan your attachments before using them (see Virus Prevention for more suggestions and details).
Of course, recent history has confirmed that reading CERTAIN KINDS of e-mail CAN cause an infection. Again, text messages are not executed, but HTML-formatted e-mail can contain HTML script which could be harmful. It is a good idea to disable the running of script in HTML messages through the configuration of your e-mail client.
How about the misconception that you are living dangerously by obtaining files from BBSs, on-line services, or the Internet? Many reputable BBSs and on-line services have a policy of scanning uploaded files for viruses before releasing them for download by their users, so your chances of getting a virus from these sources is pretty slim. Infected files from sites on the Internet can be obtained, but knowing your source is a good idea. Each Internet site is like its own BBS, so each will have their own policy about virus prevention and scanning. Around 1997, Symantec unveiled a program to certify Web sites that take measures at preventing the spread of viruses through their site.
And finally, how about he misconception that you can't get a virus from shrink-wrapped software? You guessed it! Viruses have been shipped with shrink-wrapped software and via other means by large (and small) software publishers. Many software publishers do scan their master disks before sending them to manufacturing, so the chances of obtaining a virus this way are slim, still, it is a good idea to take virus prevention into your own hands to preserve your own computers and data (see Virus Prevention for more suggestions).
So, the most likely ways (from most likely to least likely) to contract a computer virus are through e-mail attachments, document files, floppy disks exchanged with friends or family, and finally by running executable programs.Return to the Timberwolf Anti-Virus Information Center table of contents