COMPUTER VIRUSES
 
The term computer virus is common, but it is possible that many computer users are not aware of the true definition. Often, many computer anomalies will be blamed on viruses when other factors such as hardware conflicts and software bugs may be at fault. What follows is a close look at viruses, their nature, and their actions.
 
 
 
DEFINITION OF A COMPUTER VIRUS.
 
A computer virus is a program. It is written in a way similar to other programs but has several properties that make it different from ordinary computer programs.
 
Like biological viruses, a computer virus is a small, simple entity(1). It does not perform a useful function on its own, but will reproduce itself and move from host to host(2). A virus will usually have two basic tasks to complete. It will reproduce by copying itself into previously uninfected files or locations, and it will perform whatever special tasks its programmer designed it to do. Depending on the maliciousness of the programmer, those special instructions may play a little song on a particular day of the week, delete and alter data, or alter the way the computer functions.
 
 
 
TYPES OF VIRUSES
 
Computer viruses are classified by how they infect a computer system(3).
 
A boot sector virus infects the boot sector of hard drives and diskettes. The boot sector is a portion of a hard drive or diskette that contains the vital information a computer needs for configuration during startup, or boot up. The computer uses this information to figure out how files are arranged, where the root directory is, and how the basic operating system files should be loaded.
 
A boot sector virus replaces the original boot sector and stores the original somewhere else on the disk. When a computer is booted from this disk, the virus will move into the computer's Random Access Memory (RAM). Everything may run normally except that every diskette inserted into the computer will become infected.
 
 
File infector viruses infect executable files, or programs on the computer. Executable files are files that do something, as opposed to data files that contain information. They can be recognized by a .exe or .com extension. A file infector virus attaches itself, or writes itself, into the program's code and increases the size of the program's file. Whenever the program is executed, or run, the virus will be activated and loaded into the computer's RAM(3). Throughout the day, the virus will copy itself into every program that is run on that computer, causing a widespread infection(4).
 
A Trojan horse is a virus disguised as a legitimate program. A Trojan horse will be activated when that program is run, and many of them can cause serious damage to a computer. Unlike other virus types, Trojans do not replicate themselves. They are spread only as fast as their program is distributed by normal means. A Trojan may appear as a popular computer game on a computer Bulletin Board System, but when it is downloaded and run, instead of the latest version of Doom, the user gets a formatted hard-drive(16).

Macro viruses are transmitted by document files rather than executable programs. Macro viruses are written in a high-level programming language (macro language) such as Word Basic and stored in the framework of certain types of word processor documents. These programs are executed when the document is opened in a word processor such as Microsoft Word. Macro viruses are among the most common viruses in the world.

Encrypted viruses were designed to evade detection by virus detection software that looked for specific virus signatures. Each time the encrypted virus infects a new file, its code is saved in a different sequence, thus avoiding detection by virus scanners looking for an exact signature match(17).
 
Stealth viruses are able to hide from immediate detection by virus scanners. They essentially sit in waiting until a virus scanner runs a scan. When the scanner passes by the infected file, the virus attaches to the scanner itself, and will spread to every subsequently scanned file(18). To prevent infection from these viruses, good virus scanners check themselves and the computer's RAM before initiating a scan of files.
 
Multipartite viruses are particularly difficult to remove because they have characteristics of both boot sector viruses and file infecting viruses(18). The virus could be successfully removed from a file, only to reappear because of a reinfection from the boot sector.
 
A Worm is a class of network virus that spreads through the pathways provided by network-attached computers. Worms are designed to travel through electronic linkage, and are now believed to travel the Internet(19).

 

CREATION OF VIRUSES
 
Virus writers are often young males with a fair to excellent knowledge of various programming languages(5). There is no doubt that their programming skills are good but their attitude is in serious question. They are known by names such as The Dark Avenger and Hellraiser, and live on underground Bulletin Boards such as Nightmare's Edge, and on the Internet(5). They communicate through anonymous Internet addresses and untraceable phone lines(5), lurking around the back-halls and dark alleys of the information superhighway.
 
These virus writers may live a life of stealth, but they nearly always sign their work. In the source code for a Trojan horse virus called "Toxic", the author, "Izzy Stradlin", gives strong warnings to those who would improve on his work. He warns that anybody can alter or improve on his code, but his name must remain attached to it. Near the end of his comments, he apologizes that this virus may not be the best, but he will be writing improvements.
 
Experts who have been chasing viruses since the early 1980's claim that there are more than 2000 viruses in existence today, but that most of the damage is done by only 10 percent of them. Some viruses that have evolved in strains, such as the Jerusalem family and the Stoned family, are the most resilient and have been causing destruction for years.
 
Viruses are transmitted, imported and exported by many methods. The Stoned.LZR virus, for example, was imported into Helsinki, Finland on packaged, preformatted diskettes(7). The importer scanned samples of the diskettes, but since only about 10 percent of them were infected, they slipped through these precautions to reach the North American market(11).
 
 
 
SIGNS AND SYMPTOMS OF VIRUS INFECTION
 
As a rule of thumb, the most general observation any user can make regarding virus detection is to simply watch for the unexpected. The known symptoms of virus infection are constantly changing. Computer users should know that unusual changes in the way their computer operates may be a sign of virus infection, but that fortunately, software bugs, hardware bugs and human error are most often the cause of such anomalies(8).
 
More specific signs of virus infection include(8):
 

 

For example, one of the most resilient viruses, Jerusalem, which actually exists in several strains, infects .COM and .EXE files(9). When the virus is spreading, an infected .COM file will increase in size by 1,822 bytes, while an infected .EXE file will expand by between 1,808 and 1,822 bytes. As the programs are executed during normal use, the infected files will be reinfected, adding another 1,808 bytes each time. The infected files, however, will not show any change in their date and time stamps when shown in the DOS directory listing. Some strains of the Jerusalem virus will have a black box or black window appear on the lower left side of the screen that scrolls up the screen as the screen scrolls. Finally, the virus itself activates on every Friday the 13th, and deletes any infected program when the user attempts to run or activate it(12).
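A program file that grows while its directory date and time stay the same is the kind of change a baseline integrity check catches. The Python sketch below is an added example, not part of the original paper: it records size, timestamp and SHA-256 for each file, then flags files whose content changed without the timestamp moving, noting when the growth fits the byte counts quoted above. The file names, padding bytes and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Record (size, mtime_ns, sha256) for every file under root."""
    state = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            info = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (info.st_size, info.st_mtime_ns, digest)
    return state

def fits_reported_growth(growth):
    """True if growth is 1,808 to 1,822 bytes plus zero or more 1,808-byte repeats."""
    return any(1808 <= growth - k * 1808 <= 1822 for k in range(max(growth // 1808, 0)))

def compare(baseline, current):
    """Return {path: finding} for files whose content differs from the baseline."""
    findings = {}
    for path, (size, mtime, digest) in current.items():
        old = baseline.get(path)
        if old is None or old[2] == digest:
            continue  # new file, or content identical to the baseline
        if mtime != old[1]:
            findings[path] = "modified"  # ordinary edit: the timestamp moved too
        elif fits_reported_growth(size - old[0]):
            findings[path] = "suspicious: same timestamp, growth fits reported sizes"
        else:
            findings[path] = "suspicious: same timestamp, content changed"
    return findings

def demo():
    """Constructed sample: one file grows with its old timestamp, one is edited normally."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("GAME.COM", "NOTES.TXT"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"A" * 4000)
        baseline = snapshot(root)
        for name, extra, shift in (("GAME.COM", 1822, 0), ("NOTES.TXT", 12, 10**9)):
            path = os.path.join(root, name)
            with open(path, "ab") as fh:
                fh.write(b"\x00" * extra)  # inert padding standing in for a size change
            stamp = baseline[name][1] + shift
            os.utime(path, ns=(stamp, stamp))  # shift 0 keeps the baseline timestamp
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline has to be taken from a known-clean system and stored on write-protected media, otherwise the comparison only proves the files match whatever was there when the snapshot was made.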

 

The Joker virus, isolated in 1989(10), displays bogus error messages on the user's screen such as:

Water detect in Co-Processor

I am hungry! Insert HAMBURGER into drive A:

Invalid Volume ID Format failure

Insert tractor toilet paper into printer

 

HOW VIRUSES AFFECT STUDENTS

Students are often in a unique situation in that they must use possibly infected computers on campus. Lack of money for virus protection software, or lack of knowledge about viruses, may preclude them from adequately defending themselves against this threat. They may be unaware that the gradual changes they are experiencing in the way their computer functions are the work of a virus.

 

THE DEGREES OF DAMAGE CAUSED BY COMPUTER VIRUSES

The damage a virus attack can inflict on a student's computer system is varied. From unusual sounds to corruption of files, the damage can go virtually unnoticed, or be catastrophic.

Common virus damage includes(2)(9):

For example, the Anthrax virus inserts the following text strings into infected files(9):
 
Damage, Inc.
ANTHRAX
 
The infamous Michelangelo virus(15) activates on March 6 and overwrites the system hard disk with random characters from memory, causing considerable damage.

 

MODES OF TRANSMISSION

Risk factors are activities that increase the possibility of contracting a computer virus. An individual who has more of these risk factors stands a greater chance of contracting and/or spreading a virus than an individual who has fewer risk factors. Risk factors consist of activities that can spread viruses from one computer to another. Some common risk factors include(10):

 

 

To illustrate how risk factors are encountered, consider a Computer Engineering student in third semester at Algonquin College. This student cannot avoid being exposed to many different computers that may be infected with viruses. Data Structures, 68000 Family Assembly Language, Logic and Technical Report Writing all require the use of editors, compilers, assemblers, computer aided drafting or word processors. The first three require that at least some time be spent using a PC on the campus.

 
Several risk factors become apparent when considering a student's daily activities.
With the appearance of computer technology in most areas of education in the last ten years, a campus computer is a piece of equipment used by literally hundreds of different students. Many risk factors for spreading and contracting viruses exist within the structure of student life, and some may be unavoidable. Students can no more afford the inconvenience and expense of a single virus infection than a corporation can afford a mass infection.
 
 
ALTERNATIVES FOR STUDENTS
Simply stating there is a problem is not enough when trying to deal with computer viruses. What follows are some simple, inexpensive solutions to try to reduce the risks for infection.
 
Virus Protection Software.
Evaluation or shareware versions of McAfee Scan, ThunderByte, Virus Alert, F-PROT, and many others are available on the Internet and at most shareware vendors.
 
Get one of these packages and depend on it.
 
All shareware and evaluation software is subject to registration payment for legal ownership and upgrading privileges. These packages are all fully functional as they are and were evaluated in their shareware version. These packages also have fully functional virus cleaning capabilities, which is very important once a virus has been found.
 
When a suitable software package has been selected, read all of the user documentation to understand how it is to be installed and run. Virus Alert is one that has a very useful feature that creates a Recovery Disk(10) for use when disinfecting the computer from viruses. The software creates this disk when the option is selected from the utilities menu. It is a record of all of the important configuration information for the computer's hard drive. If an infection occurs which alters the computer's configuration (Stoned.LZR and FORM D), run the recovery program off the Recovery Disk and the computer will be automatically disinfected with all these values returned to normal. Without the disk, these values would have to be reconfigured by hand, which is a task above the knowledge levels of many computer users. The Recovery Disk can also act as a clean boot disk to boot up the computer when a virus has infected the system.
 
The Recovery Disk can be used any time the user wants to return the configuration to the normal values, not only when recovering from a virus. This feature is particularly useful for those who enjoy "experimenting" with the computer's configuration.
 
The Recovery Disk is to be considered an essential part of the virus protection, and must be created and kept in a secure place.
 
When the software is installed and the Recovery Disk has been created, SCAN EVERY TIME AN OUTSIDE DISK IS INTRODUCED TO THE SYSTEM. Print a reminder in RED pen on regularly used outside disks to scan for viruses.
 
Limiting the Routes for Transmission of Viruses.
Any disk not being written to regularly should be write-protected. This may not always be convenient, but a write-protected disk cannot be infected with a virus.
 
Backing up Important Files.
Keep clean disks set aside for backing up important files such as electronic schematics, source code and technical reports and any other irreplaceable files.
 
BACK THESE FILES UP OFTEN.
If a virus destroys the computer, precious work will not be lost forever.
 
Safer Downloading Techniques.
When downloading from the Internet or Bulletin Boards, download the files onto a diskette first, or into a quarantine directory. Scan these downloaded files before executing any program or running any installations. Many scanners cannot normally scan a compressed or zipped file. They should be decompressed, or unzipped, before they can be scanned.
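The point about compressed files can be shown with the Anthrax text strings quoted earlier in this paper. The Python sketch below is an added example, not part of the original paper and not how any named product works: a plain substring search finds nothing in the raw ZIP bytes, but finds the string once each member is decompressed. The archive contents, file names and size limit are constructed for illustration.

```python
import io
import zipfile

# Text strings this paper reports inside Anthrax-infected files.
MARKERS = (b"Damage, Inc.", b"ANTHRAX")

def scan_bytes(data):
    """Return the markers present in a raw byte string."""
    return [m.decode() for m in MARKERS if m in data]

def scan_download(name, data, depth=0, max_depth=3, max_member=10_000_000):
    """Scan a downloaded file; if it is a ZIP, scan every decompressed member too.

    Returns {location: [findings]} for each location with something to report.
    """
    hits = {}
    found = scan_bytes(data)
    if found:
        hits[name] = found
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                where = f"{name}!{info.filename}"
                if info.is_dir():
                    continue
                if info.file_size > max_member:
                    hits[where] = ["not scanned: member too large"]  # never skip silently
                    continue
                hits.update(scan_download(where, archive.read(info),
                                          depth + 1, max_depth, max_member))
    return hits

def build_sample():
    """Constructed download: a ZIP with one clean file and one carrying a marker string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("README.TXT", b"shareware notes\n" * 50)
        archive.writestr("SETUP.EXE", b"\x00" * 2000 + b"ANTHRAX" + b"\x00" * 2000)
    return buf.getvalue()

if __name__ == "__main__":
    raw = build_sample()
    print("raw archive:", scan_bytes(raw))
    print("after unzip:", scan_download("GAME.ZIP", raw))
```

A bare text match like this produces false positives on any file that merely mentions the word; it stands in for a real scanner's signature set only to show why decompression has to come first.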
 
Increase Awareness About Viruses.
Students and all computer users should be aware of the risk factors for contracting and spreading computer viruses. Completely isolating a computer from the outside is simply not a practical method to prevent infection(13).
 
If risk factors are still present, reduce them by knowing which disks are shared between computers and scan them religiously.
 
References:
1. Chapman, p. 420
2. White et al, p. 1
3. MS-DOS user's manual. p. 57
4. Virus Alert Glossary
5. Sandler, p.2
6. DiDio, p. 2
7. Hypponen
8. White et al, p. 13
9. Hoffman
10. Virus Alert Documentation
11. Stoned.LZR virus documentation. Appendix C
12. VSUM. Patricia Hoffman's Virus Information Summary List. Jerusalem family viruses.
13. White et al, p 8
15. Michelangelo virus documentation. Appendix C
16. White et al, p 25
17. Virus Alert Documentation, p 5
18. Virus Alert Documentation, p 7
19. Virus Alert Documentation, p 10
 
Bibliography
 
Chapman, Charles F. Medical dictionary for the non-professional. Barrons. 1984
 
DiDio, Laura. "Debate rages over posting viruses on electronic BBS's." in LAN Times
10. 15. pp. 1-3. August 9, 1993.
 
Gookin, Dan. C for Dummies IDG Books Worldwide, Inc. 1994.
 
Hoffman, Patricia M. VSUM. Patricia Hoffman's Virus Information Summary List.
© 1990-1995 by Patricia M. Hoffman. Santa Clara, California.
 
Hypponen, Mikko. F-PROT Professional Support. Data Fellows Ltd. © 1989-1995.
 
F-PROT virus database, included with F-PROT software.
 
Look Software Systems Inc. Virus Alert Version 3.34 software user documentation.
4659 Albion Road Gloucester, Ontario. Business-(613) 822-2250
Public BBS (613) 822-2160. Internet-sales@look.achilles.net
 
Microsoft Corporation. Microsoft MS-DOS 6. User's Manual. 1993
 
Sandler, Corey. "Virus, they wrote." in PC-Computing. 7. 9. pp. 206-208. September 1994.
 
White, Steve R. and David M. Chess. Coping with computer viruses and related problems. IBM Thomas J. Watson Research Center. Yorktown Heights, NY. Research Report Number RC 14405. January 1989.
