This article is from the Computer Viruses FAQ, by Nick FitzGerald with numerous contributions by others.

Many people associate destruction--file corruption, reformatted disks
and the like--with viruses. Machines infected with viruses that do this
kind of damage often do display such damage. This is unfortunate, as
viruses can usually be detected, or prevented from infecting, long before
they can inflict any (serious) damage, though many viruses have no
"payload" at all. Note that viruses that simply reformat the hard disk
shortly after infecting a machine tend to wipe themselves out faster
than they spread, so they don't get far.

Thus, the more successful viruses typically try to spread as much as
possible before delivering their payload, if any. As these tend to be
the viruses you are most likely to encounter, you should be aware that
there are usually symptoms of virus infection before any (or much!)
damage is done.

There are various kinds of symptoms that some virus authors have written
into their programs, such as messages, music and graphical displays.
The main indications, however, are changes in file sizes and contents,
changes to interrupt vectors, or the reassignment of other system
resources. Unaccounted-for use of RAM, or a reduction in the amount
reported to be in the machine, is an important indicator. Examination of
program code is valuable to the trained eye, but even a novice can often
spot the gross differences between a valid boot sector and some viral
ones. These symptoms, along with longer disk activity and strange
behavior from the hardware, may instead be caused by genuine software,
by harmless "joke" programs, or by hardware faults.

The only foolproof way to determine that a virus is present is for an
expert to analyse the assembly code contained in all programs and system
areas, but this is usually impracticable. Virus scanners go some way
towards performing this analysis by looking in that code for known
viruses; some even use heuristic means to spot "virus-like" code, but
this is not always reliable. It is wise to arm yourself with the latest
antivirus software and to pay close attention to your system. In
particular, look for any unexpected change in the memory map or
configuration as soon as you start the computer. For users of DOS 5.0+,
the MEM program with the /C switch is very handy for this. If you have
DR DOS, use MEM with the /A switch; if you have an earlier DOS version,
use CHKDSK or the commonly-available MAPMEM utility. You don't have to
know what all the numbers mean, only that they have changed
*unexpectedly*. Mac users have "info" options, which give some
indication of memory use, but may need ResEdit to supply more detailed

If you run Windows on your PC and you suddenly start getting messages at
Windows startup that 32-bit Disk Access cannot be used, this often
indicates your PC has been infected by a boot-sector virus.
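
An added example, not part of the FAQ: a Python script that compares a
saved MEM /C listing with a later one and reports only what has changed,
in the spirit of the memory-map check described above. Both listings are
constructed and simplified, and the row layout the parser expects is an
assumption about MEM's output.

```python
import re

# Constructed, simplified MEM /C listings (not captured from a real machine).
BASELINE = """\
  Name                Size in Decimal       Size in Hex
-------------      ---------------------   -------------
  MSDOS              12704      ( 12.4K)       31A0
  HIMEM               1184      (  1.2K)        4A0
  COMMAND             2624      (  2.6K)        A40
  MOUSE              17088      ( 16.7K)       42C0
  FREE              621600      (607.0K)      97C20
"""
# Same machine later: FREE is 2048 bytes smaller and no listed program grew.
CURRENT = (BASELINE.replace("621600", "619552")
                   .replace("607.0K", "605.0K")
                   .replace("97C20", "97420"))

# A program row is: indent, name, decimal size, then the "(nn.nK)" column.
ROW = re.compile(r"^[ \t]+(\S+)[ \t]+(\d+)[ \t]+\(", re.M)


def parse_mem(report):
    """Return {name: total bytes} for the program rows of a listing."""
    sizes = {}
    for name, size in ROW.findall(report):
        sizes[name] = sizes.get(name, 0) + int(size)  # names can repeat
    return sizes


def compare(baseline, current):
    """List the differences between two listings without interpreting them."""
    old, new = parse_mem(baseline), parse_mem(current)
    findings = []
    for name in sorted((set(old) | set(new)) - {"FREE"}):
        before, after = old.get(name), new.get(name)
        if before is None:
            findings.append(f"new resident entry {name}: {after} bytes")
        elif after is None:
            findings.append(f"entry {name} is no longer resident")
        elif before != after:
            findings.append(f"{name} changed size: {before} -> {after} bytes")
    # Memory that left the listing altogether: FREE shrank, nothing else grew.
    lost = sum(old.values()) - sum(new.values())
    if lost > 0:
        findings.append(f"{lost} bytes no longer accounted for in the listing")
    return findings


if __name__ == "__main__":
    for line in compare(BASELINE, CURRENT):
        print(line)
```

A finding here means only that the map changed; as noted above, genuine
software or a configuration change can produce the same difference.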