What are computer viruses, worms, and Trojan horses?
What is a virus?
A computer virus, according to Webster's Collegiate Dictionary, is "a computer program usually hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs or files, and that usually performs a malicious action (such as destroying data)". Two categories of viruses, macro viruses and worms, are especially common today. Computer viruses are never naturally occurring; they are always man-made. Once created and released, however, their spread is not directly under human control.
A virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus that makes a copy of itself over and over again is relatively easy to produce, yet even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.
Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses.
Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.
Macro viruses
A macro is a piece of code that can be embedded in a data file. Some word processors (e.g., Microsoft Word) and spreadsheet programs (e.g., Microsoft Excel) allow you to attach macros to the documents they create. In this way, documents can control and customize the behavior of the programs that created them, or even extend the capabilities of the program. For example, a macro attached to a Microsoft Word document might be executed every time you save the document and cause its text to be run through an external spell checking program.
A macro virus is a virus that exists as a macro attached to a data file. In most respects, macro viruses are like all other viruses. The main difference is that they are attached to data files (i.e., documents) rather than executable programs. Many people do not think that viruses can reside on simple document files, but any application which supports document-bound macros that automatically execute is a potential haven for macro viruses. By the end of the last century, documents became more widely shared than diskettes, and document-based viruses were more prevalent than any other type of virus. It seems highly likely that this will be a continuing trend.
Worms
Worms are very similar to viruses in that they are computer programs that replicate functional copies of themselves (usually to other computer systems via network connections) and often, but not always, contain some functionality that will interfere with the normal use of a computer or a program. The difference is that unlike viruses, worms exist as separate entities; they do not attach themselves to other files or programs. Because of their similarity to viruses, worms are often also referred to as viruses.
What is a Trojan horse?
Named after the wooden horse the Greeks used to infiltrate Troy, a Trojan horse is a program that does something undocumented which the programmer intended, but that the user would not approve of if he or she knew about it. According to some people, a virus is a particular case of a Trojan horse, namely one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a non-replicating malicious program.
Some tips for avoiding computer viruses
Computer viruses implant instructions in other programs or storage devices and can attack, scramble, or erase computer data. The danger of computer viruses lies in their ability to replicate themselves and spread from system to system. Few computing systems are immune to infection.
High-risk behaviors
The following activities are among the most common ways of getting computer viruses. Minimizing the frequency of these activities will reduce your risk of getting a computer virus:
• Freely sharing computer programs and system disks, or downloading files and software through file-sharing applications such as BitTorrent, eDonkey, and KaZaA
• Clicking links in instant messaging (IM) that you receive out of the blue with only a link or general text; for more information, see the Knowledge Base document What should I do if my computer is infected with an AIM Trojan?
• Downloading executable software from public-access bulletin boards or web sites
• Using your personal disk space (e.g., floppy disks) with public computers or other computers that are used by more than one person
• Opening email attachments from people you don't know or without first scanning them for viruses; for more information, see the Knowledge Base documents Using Symantec/Norton AntiVirus Corporate Edition in Windows, how do I immediately scan a file, folder, or drive for viruses? and Using Norton AntiVirus for Mac OS or Mac OS X, how do I immediately scan a file, folder, or drive for viruses?
• Opening any email attachment that ends in .exe, .vbs, or .lnk on a computer running Microsoft Windows (at Indiana University, UITS blocks certain attachments that commonly harbor viruses from being delivered via email; for more information, see the Knowledge Base document At IU, what types of attachments are blocked from my email account?)
• Continually running your Windows computer as an administrator; for more information, see the Knowledge Base document In Windows 2000 and later, why should I avoid running my computer as an administrator or Power User?
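The attachment rule in the list above (blocking .exe, .vbs and .lnk on Windows) is easy to get wrong with a plain "ends with" test. The following is an added example, not code from the IU Knowledge Base or from UITS, showing how a mail filter can apply that rule while handling the cases a naive check misses: mixed case, trailing spaces or dots, double extensions such as invoice.txt.vbs, and a path prefix in the file name. The blocked-extension list and the sample attachment names are constructed for the example.

```python
import os
from typing import Optional

# Extensions the page names as common virus carriers on Windows.
# Constructed list for this example; a real gateway carries a longer, site-specific one.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".lnk"}

# Constructed sample attachment names, as they might appear in a message.
SAMPLE_ATTACHMENTS = ["agenda.pdf", "Report.EXE", "invoice.txt.vbs", "shortcut.lnk ", "photo.jpg"]


def blocked_extension(filename: str) -> Optional[str]:
    """Return the blocked extension found in filename (lower-cased), or None.

    Normalisation steps, each covering a trick that defeats a bare endswith():
      * strip any directory prefix, with either slash style ("C:\\tmp\\x.exe")
      * drop trailing spaces and dots ("report.exe ." is still report.exe on Windows)
      * compare case-insensitively ("Report.EXE")
      * take only the last extension, so "invoice.txt.vbs" is judged by ".vbs"
    """
    name = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    _, ext = os.path.splitext(name)
    ext = ext.lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def triage(attachment_names: list) -> dict:
    """Split attachment names into 'allowed' and 'blocked' groups, preserving order."""
    result = {"allowed": [], "blocked": []}
    for name in attachment_names:
        bucket = "blocked" if blocked_extension(name) else "allowed"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    for group, names in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{group}: {names}")
```

Only the final extension decides, because that is what Windows uses to pick the program that opens the file; the earlier "extension" in invoice.txt.vbs is just part of the name and is exactly what makes the double-extension trick convincing to a reader.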
Signs of a virus infection
Note: For a list of resources to help you find information about particular viruses, see the Knowledge Base document Where can I find information on computer viruses?
If your computer begins to act strangely, or if it stops being able to do things it has always done in the past, it may be infected with a virus. Symptoms such as longer-than-normal program load times, unpredictable program behavior, inexplicable changes in file sizes, inability to boot, strange graphics appearing on your screen, or unusual sounds may indicate that a virus is on your system. However, it is important to distinguish between virus symptoms and those that come from corrupted system files, which can look very similar. Remain calm and objective, and rule out more standard causes before suspecting a virus.
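One of the symptoms listed above, inexplicable changes in file sizes, is something you can check for objectively rather than by impression: record the size and a cryptographic hash of each file while the system is known to be clean, then compare later. The script below is an added example of that baseline-and-compare technique and is not code from the IU Knowledge Base or from any antivirus product; it distinguishes files whose size changed from files whose contents changed without a size change, and reports new and missing files. The demo builds its own files in a temporary directory and then alters one of them, so the "unexplained change" it detects is constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to (size_in_bytes, sha256)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_of(p))
    return baseline


def compare(old: dict, new: dict) -> list:
    """Return (path, finding) pairs describing every difference between two baselines.

    findings: 'missing', 'new', 'size-changed' (the symptom the page describes),
    or 'content-changed' (same size, different hash, which a size check alone misses).
    """
    findings = []
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            findings.append((rel, "missing"))
        elif rel not in old:
            findings.append((rel, "new"))
        else:
            old_size, old_hash = old[rel]
            new_size, new_hash = new[rel]
            if new_size != old_size:
                findings.append((rel, "size-changed"))
            elif new_hash != old_hash:
                findings.append((rel, "content-changed"))
    return findings


def demo() -> list:
    """Create a constructed file tree, baseline it, alter one file, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-in for a program file; not a real executable.
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "notes.txt").write_text("hello")
        before = build_baseline(root)
        # Constructed "unexplained change": 32 bytes appended to the program file.
        with (root / "bin" / "tool.exe").open("ab") as f:
            f.write(b"\x00" * 32)
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:16} {path}")
```

In practice the baseline must be stored somewhere the suspect machine cannot rewrite (a write-protected disk, in the terms of this page), because a change to the baseline itself would hide every other change.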
How to avoid computer viruses
Prevention is a matter of vigilance and avoiding contact with unknown files, web sites, and disks. It is usually the unwary who get computer viruses. Following is a list of some recommendations for safe computing:
• The most important thing you can do to keep your computer safe is to install virus detection software and keep the virus patterns up to date. Antivirus programs perform two general functions: scanning for and removing viruses in files on disks, and monitoring the operation of your computer for virus-like activity (either known actions of specific viruses or general suspicious activity). Most antivirus packages contain routines that can perform each kind of task.
Note: The Indiana University Information Technology Security Office (ITSO) recommends that you run the latest version of Symantec/Norton AntiVirus software (available to IU students, faculty, and staff for free via IUware) for your operating system, being sure to upgrade safely (see In Windows, how do I safely upgrade to the latest Symantec AntiVirus software?) and that you update your virus definitions daily and scan your computer weekly. For instructions, see:
o Windows: In Symantec/Norton AntiVirus for Windows, how do I schedule automatic LiveUpdates and virus scans?
o Mac OS and OS X: In Norton AntiVirus for Mac OS or Mac OS X, how do I schedule automatic LiveUpdates and virus scans?
• Keep your operating system current with the latest patches and updates. The writers of viruses and worms often exploit bugs and security holes in operating systems and other computer software. Software manufacturers frequently release patches for such holes. For information on obtaining the latest patches, see the Knowledge Base documents For Windows 98, Me, NT, 2000, or XP, how can I get software updates and patches? and For Mac OS or Mac OS X, how do I obtain and install system software updates?
• Back up your files. Viruses are one more very good reason to always back up your files.
Note: If you back up a file that is already infected with a virus, you can re-infect your system by restoring files from the backup copies. Check your backup files with virus scanning software before using them.
• Keep your original application and system disks locked (or write-protected). This will prevent the virus from spreading to your original disks.
• If you must insert one of your application disks into an unknown computer, lock (write-protect) it first, and unlock your application disk only after verifying that the machine is virus-free.
• Obtain public-domain software from reputable sources. Check newly downloaded software thoroughly using reputable virus detection software on a locked floppy disk for any signs of infection before you copy it to a hard disk. This can also help protect you from Trojan horse programs.
• Quarantine infected systems. If you discover that a system is infected with a virus, immediately isolate it from other systems. In other words, disconnect it from any network it is on and don't allow anyone to move files from it to another system. Once the system has been disinfected, you can copy or move files.
What are some examples of popular virus hoaxes?
There are many computer viruses around, and it is wise to protect your computer from virus, worm, and Trojan horse attacks. However, you should view with care any unsubstantiated warnings you receive by email or see on newsgroups. Some of these warnings may be legitimate, but in most, the information is false and the danger is overstated. Below is official information on some specific virus hoaxes. If you receive messages about these, do not send them to others. UITS also encourages you to respond to senders of such messages, informing them that these are virus hoaxes.
For more information about virus hoaxes, see the US Department of Energy's Computer Incident Advisory Capability (CIAC) Hoaxbusters page, the F-Secure Corporation's Hoax Warnings web site, or the Symantec Security Response Hoaxes web site. Also check the Information Technology Security Office (ITSO) Resources page.
Good Times
From CIAC Hoaxbusters:
The "Good Times" virus warnings are a hoax. There is no virus by that name in existence today. These warnings have been circulating the Internet for years. The user community must become aware that it is unlikely that a virus can be constructed to behave in the manner ascribed in the "Good Times" virus warning.
In the early part of December 1994, CIAC started to receive information requests about a supposed "virus" which could be contracted via America Online, simply by reading a message.
CIAC has also seen other variations of this hoax. The main one is that any electronic mail message with the subject line of "xxx-1" will infect your computer.
This rumor spreads widely, mainly because many people delete the message without reading it, believing that they have saved themselves from being attacked. These first-hand reports give a false sense of credibility to the alert message.
If you encounter this message, ignore it or send a follow-up message stating that this is a false rumor.
Irina
From CIAC Hoaxbusters:
The "Irina" virus warnings are a hoax. The former head of an electronic publishing company circulated the warning to create publicity for their new interactive book by the same name. The publishing company has apologized for the publicity stunt that has back-fired and panicked Internet users worldwide. The original warning claimed to be from a Professor Edward Pridedaux of the College of Slavic Studies in London; there is no such person or college.
Penpal greetings
From the F-Secure Corporation Hoax Warnings Pages:
This is not a virus, but a widespread hoax, warning about a dangerous email message titled 'Penpal greetings'. No such danger exists.
This hoax is very similar to Good Times.
Deeyenda
From the F-Secure Corporation Hoax Warnings Pages:
This is another virus hoax. There are a lot of warnings about this 'virus' going around, but such a virus does not exist, and no future virus will be named 'Deeyenda'. Ignore the hoax warnings and do not redistribute them.
Join the Crew
From the F-Secure Corporation Hoax Warnings Pages:
This is not a virus, but a version of the Good Times hoax. It was started by a message posted to some Usenet newsgroups in February 1997. The original message was like this:
... just to let you guys know one of my friends received an email called "Join the Crew," and it erased her entire hard drive. This is that new virus that is going around. Just be careful of what mail you read. Just trying to be helpful...
Ignore these messages and do not pass them on.
Returned Mail or Unable to Deliver
From the F-Secure Corporation Hoax Warnings Pages:
This is a hoax warning about an email virus that does not exist. It looks like this:
There is a new virus going around in the last couple of days!!! DO NOT open or even look at any mail that you get thar [sic] says: "Returned or Unable to Deliver" This virus will attach itself to your computer components and render them useless. Immediately delete any mail items that says [sic] this. AOL has said this is a very dangerous virus, and there is NO remedy for it at this time, Please Be Careful, And forward to all your on-line friends A.S.A.P.
Again, ignore this hoax warning and do not pass it on.
Win a Holiday
From the F-Secure Corporation Hoax Warnings Pages:
This is a false warning of a malicious email which does not exist. Here's an example of the hoax:
If you receive an email titled "WIN A HOLIDAY" DO NOT open it. It will erase everything on your hard drive. Forward this letter out to as many people as you can. This is a new, very malicious virus and not many people know about it. This information was announced yesterday (16/2/98) morning from Microsoft; please share it with everyone that might access the Internet. Once again, pass this along to EVERYONE in your address book so that this may be stopped. Also, do not open or even look at any mail that says "RETURNED OR UNABLE TO DELIVER" This virus will attach itself to your computer components and render them useless. Immediately delete any mail items that say this. AOL has said that this is a very dangerous virus and that there is NO remedy for it at this time. Please practice cautionary measures and forward this to all your online friends = ASAP.
Ignore this hoax warning and do not pass it on.
What are boot sector viruses, and how can I prevent them?
On this page:
• What boot sector viruses do
• Symptoms
• How they spread
• Precautions and damage control
What boot sector viruses do
Boot sector viruses infect or substitute their own code for either the DOS boot sector or the Master Boot Record (MBR) of a PC. The MBR is a small program that runs every time the computer starts up. It controls the boot sequence and determines which partition the computer boots from. The MBR generally resides on the first sector of the hard disk.
Since the MBR executes every time a computer is started, a boot sector virus is extremely dangerous. Once the boot code on the drive is infected, the virus will be loaded into memory on every startup. From memory, the boot virus can spread to every disk that the system reads. Boot sector viruses are typically very difficult to remove, as most antivirus programs cannot clean the MBR while Windows is running. In most cases, it takes bootable antivirus disks such as a Symantec/Norton AntiVirus (SAV/NAV) rescue set to properly remove a boot sector virus.
Some common boot sector viruses include Monkey, NYB (also known as B1), Stoned, and Form.
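Because the MBR is a fixed 512-byte structure on the first sector of the disk, its two parts (the boot code and the partition table) can be parsed and checked directly. The following is an added example, not code from the IU Knowledge Base or from Symantec/Norton AntiVirus, of a parser that validates the 0x55AA boot signature, lists the partition entries with their boot flags, and compares a hash of the boot code against a baseline recorded when the system was known to be clean, which is the check an integrity tool would run to notice that the boot code has been replaced. The 512-byte sample MBR is constructed inside the script, and the tampered copy used in the demo simply overwrites a few boot-code bytes; no real disk is read.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
SIGNATURE = b"\x55\xAA"        # bytes 510..511
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample MBR for this example; it is not taken from any real disk."""
    boot_code = b"\xEB\xFE" + b"\x00" * (BOOT_CODE_LEN - 2)   # tiny placeholder loader
    # One bootable (0x80) partition of type 0x07 starting at LBA 2048, 1,048,576 sectors long.
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1048576)
    empty_entries = b"\x00" * (16 * 3)
    return boot_code + entry + empty_entries + SIGNATURE


def parse_mbr(data: bytes) -> dict:
    """Validate a 512-byte sector as an MBR and decode its partition table."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if data[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, data, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:          # type 0 marks an unused entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(data: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(data)
    findings = []
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from the recorded baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    return findings


def demo() -> list:
    """Record a baseline from the clean sample, then check a tampered copy against it."""
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = bytearray(clean)
    tampered[2:6] = b"\x90\x90\x90\x90"   # constructed change inside the boot code
    return check_mbr(bytes(tampered), baseline)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        print(f"entry {p['index']}: bootable={p['bootable']} type=0x{p['type']:02X} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    print("findings on tampered copy:", demo())
```

To run the check on a real machine the 512 bytes would be read from the raw disk device, which needs administrator rights (for instance the first 512 bytes of \\.\PhysicalDrive0 on Windows); the baseline hash must then be stored off the machine, and it has to be refreshed after any legitimate change such as an operating system reinstall, the same caveat the page gives for CMOS boot-sector write protection.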
Symptoms
A boot sector virus can cause a variety of boot or data retrieval problems. In some cases, data disappear from entire partitions. In other cases, the computer suddenly becomes unstable. Often the infected computer fails to start up or to find the hard drive. Also, error messages such as "Invalid system disk" may become prevalent.
How they spread
Boot sector viruses are usually spread by infected floppy disks. In the past, these were usually bootable disks, but this is no longer the case. A floppy disk does not need to be bootable to transmit a boot virus. Any disk can cause infection if it is in the drive when the computer boots up or shuts down. The virus can also be spread across networks from file downloads and from email file attachments. In most cases, all write-enabled floppies used on an infected PC will themselves pick up the boot sector virus.
In the past, setting the computer to boot first from the C: (hard) drive and then the A: (floppy) drive, or never to boot from the A: drive at all, was a reasonable precaution against boot sector viruses. This is no longer the case, as viruses are now more dangerous and spread in more ways.
You can configure some CMOS setups to prevent writing to the boot sector of the hard drive. This may be of some use against boot sector viruses. However, if you need to reinstall or upgrade the operating system, you will have to change the setting back to make the MBR writable again.
Precautions and damage control
Prevention is usually a matter of vigilance and avoiding contact with unknown disks. The following suggestions will help keep your systems and data safe:
• The best protection against boot sector viruses is the same as against viruses in general: a good antivirus program with up-to-date virus definitions. Antivirus programs do two key things:
o Scan for and remove viruses in files on disks
o Monitor the operation of your computer for virus-like activity and look for known actions of specific viruses or general suspicious activity
• Back up your files, so that you can restore them if a virus damages them.
• Keep your original application and system disks locked (write-protected). This will prevent the virus from spreading to your original disks.
• If you must insert one of your application floppy disks into an unknown computer, lock it first. Unlock your application disk only after verifying that the computer is free of viruses.
• Obtain public-domain software from reputable sources. Don't download software directly to a hard disk. Rather, save it to a floppy disk, lock the floppy disk, and check it thoroughly using reputable virus detection software. Don't copy it to your hard disk until you know it is safe. This can also help protect you from Trojan horse programs.
• Quarantine any infected computer. If you discover that a computer is infected with a virus, immediately isolate it from other computers. In other words, disconnect it from any network it is on. Don't allow anyone to copy or move files from it until the entire system has been reliably disinfected.
What should I do if my computer has a virus?
First, do not panic if your computer seems to have a virus. Common software problems, such as program execution errors and corrupted files, can create symptoms that appear to be virus-related. If you just installed new software, try uninstalling it and see if the problems disappear. Otherwise, the easiest way both to find out if your problem is indeed a virus, and also to remove a virus, is to obtain a commercial antivirus program, install it, and immediately update the virus patterns and scan your computer.
If you cannot boot your computer, you should seek the services of a technology professional. At Indiana University, contact the UITS Support Center at 812-855-6789 or via email at ithelp@iu.edu. You may also visit a Support Center walk-in office.
For information about Support Center walk-in offices (hours and locations), please see the Knowledge Base document UITS Support Center walk-in locations and services.
No matter which antivirus software package you choose, it is important to update it on a regular basis. Viruses are constantly evolving, and new ones are being created, so an out-of-date antivirus program may not detect or protect against the most recent variants. Also, it is possible that your computer could be compromised by means other than a virus, e.g., through a software vulnerability. You should keep your hardware and software up to date as new patches are released.
Note: With certain system-level infections, antivirus software cannot entirely remove or repair viral problems and cannot account for changes that may have been made during the infection. In these cases, you will need to perform a clean installation of the operating system. For more information, see the Knowledge Base document In Windows, how do I safely rebuild my computer after a system-level compromise?
What is security software?
There are two main types of security software: virus protection software (such as Symantec/Norton AntiVirus, or SAV/NAV) and adware and spyware removal software. It is important to understand the ways in which you can use these two different types of security software.
Virus protection software
Antivirus software prevents and removes computer viruses. It usually includes a "real-time" protection feature that will attempt to stop incoming viruses before they infect your computer. Antivirus software requires regular updating to keep it effective against new viruses. Additionally, you can use it to scan your computer for viruses.
Note: It is good practice to run security software scans in Safe Mode to ensure maximum results. If you don't scan in Safe Mode, the security software may not be able to detect or remove all of the security threats it finds. For more information about Safe Mode and how to enter it, see the Knowledge Base document In Windows 2000 or XP, how can I boot into Safe Mode?
Saturday, January 2, 2010