Finally Back, Serious PC Questions (Off-Topic)

by stabbim @, Des Moines, IA, USA, Thursday, February 09, 2017, 17:05 (2632 days ago) @ Morpheus

So is it true?

1) Can a virus differentiate between an external hard drive and an internal one and know when to strike?

TBH, this is probably the wrong question. I think that either the technician explained it badly, or you mangled his explanation. I believe what he was trying to get at (assuming he isn't just plain crazy) was that those stored copies of programs on your external drive are not actually RUNNING. The thing to understand is that files on a drive are JUST files, until they are executed. If you are not actually browsing to the external drive and running the programs from that location, then those files are most likely not doing anything.

It's not a question of the virus actively thinking "am I on an internal or external drive" and then making a decision about whether to execute an attack. It's simply a matter of whether it ever runs in the first place.


2) Can nothing stop--or at least find--something like this??

Others have sort of already covered it, but the answer is along the lines of "maybe" or "eventually." There is no magic identifier to say whether content is good or bad. Antivirus programs identify things based on known patterns, and if something hasn't been seen before and identified as a malicious actor, then no, they probably won't identify it. There is a concept known as "heuristics" where they will try to identify software that behaves in a suspicious manner, but that's still just pattern matching. Based on behavior rather than specific content, but still kind of relying on known quantities.

3) Is it possible for a virus to have a "scheduled release"? Maybe something I installed a long time ago and only started attacking recently?

Of course it's possible. I mean, your computer does know the current date, doesn't it? That being said, it's not usually how things work. It's more likely that you simply didn't execute a given file until recently.

An alternative explanation is that it wasn't actually from any pirated software. You may have gotten infected through some other vector such as an email attachment or a compromised website (compromised ads are a thing, too), and the technician simply saw some illegitimate software and ASSUMED that was the source, because it's a common vector.

4) Can a virus really wipe out a whole operating system, and why?

Yes, of course. The "can" part is kind of a silly question, no offense. I mean, anything that can write data to the hard disk can potentially damage files. The more significant question is "why," and the answer there is that it's usually not intentional. The thing from 80's movies where a big skull comes up on the screen and your computer dies doesn't really happen, mostly. Most malicious software is designed to either steal information (passwords, account numbers, etc.) or to take over the affected PC in such a way that it can be given instructions remotely - these are the "botnets" you hear about, comprised of many infected machines, which are collectively used to DDoS various services (among many other tasks, that's just a well-known example). So, as you can imagine, the people making these things do NOT want your PC to stop running. The ideal scenario for them is that the PC continues to run, continues to be connected to the internet, and (in the case of keylogging/information siphoning) even continues to be used. Typically when a virus causes a PC to stop working, it was an accident. The software was probably trying to modify the system, either to hide itself or simply to accomplish whatever purpose it has, and the author simply failed to account for some particular condition present on that machine. Odd as this may sound, virus authors aren't as concerned about damaging PCs as legit software companies, and as a result, their quality control sometimes isn't as good. :P

The partial exception here is a relatively new breed known as "ransomware." These things encrypt your files. If you're not familiar with encryption, it basically means they're scrambled in such a way that they can't be opened without decryption software and a specific key. They then demand a ransom payment in exchange for the decryption instructions (and key). I say that this is a partial exception because they aren't intended to actually stop the PC from running. They still want the OS to generally run, so that you can get to a point where you SEE that your files won't open, and can read their ransom demands (which are typically placed in the same folder as encrypted files). For this reason, ransomware typically only targets certain file extensions which are commonly used for information people might find important (or of sentimental value - think family photos), but are NOT critical for the system to operate - .JPG, .DOCX, .PDF, etc.

5) Most importantly, is there really no other way to find out the identity/location of the virus than play Minesweeper with my applications and guarantee another two week billion dollar service by someone else?

What is the current status of your PC? Is it running? If so, I would simply let it run for a few weeks without installing anything that isn't a KNOWN OK program straight from the manufacturer, and don't execute any programs stored on the external drives. I know it might be hard to do without some things, but just go with it. Periodically scan your external drives with Malwarebytes. If there is something new out in the wild, that will probably eventually be updated to find it. Of course, not having inspected your PC myself, I can't verify whether there actually WAS a virus. Also, make a backup of your PC in its CURRENT state. I don't mean manually copy files to an external drive, I mean a proper system image backup, that stores the EXACT drive contents. Keep that backup disconnected when not in use. The intention here is that if something does go wrong later, you could put the PC back to a working state with relatively little effort.
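An added illustration of the point made above about signatures versus heuristics (example code, not part of the original post; the hash list, trait names and threshold are constructed assumptions, and no real malware is involved):

```python
"""Why an exact-content signature misses a never-seen sample, while a
behaviour heuristic still only matches traits that are already known.
Everything below is constructed for illustration."""
import hashlib

# Constructed "signature database": SHA-256 of file contents seen before.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"sample-A-v1").hexdigest(),
}

# Constructed behaviour heuristic: traits considered suspicious in combination.
SUSPICIOUS_TRAITS = {"writes_run_key", "disables_av", "opens_c2_socket"}
HEURISTIC_THRESHOLD = 2  # how many known-bad traits before we flag


def signature_scan(content: bytes) -> bool:
    """True only if this exact content was seen and catalogued before."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_HASHES


def heuristic_scan(observed: set) -> bool:
    """True if the observed behaviour overlaps enough known-bad traits."""
    return len(observed & SUSPICIOUS_TRAITS) >= HEURISTIC_THRESHOLD


def classify(content: bytes, observed: set) -> str:
    """Combine both checks the way a scanner would: signatures first,
    then behaviour. A sample can still slip through both."""
    if signature_scan(content):
        return "known-bad"
    if heuristic_scan(observed):
        return "suspicious"
    return "unknown"


if __name__ == "__main__":
    # Same program recompiled: the hash changes, the behaviour does not.
    print(classify(b"sample-A-v1", set()))
    print(classify(b"sample-A-v2", {"writes_run_key", "disables_av"}))
    # Behaviour below the threshold: neither check fires.
    print(classify(b"sample-A-v2", {"writes_run_key"}))
```

The third call is the "known quantities" caveat from the post: a sample whose behaviour has not been catalogued as a suspicious trait scores as unknown, not clean.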
