Computer Viruses

 

Computer Viruses

 

What are computer viruses?

According to Fred Cohen’s well-known definition, a computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be called a “virus”. However, Cohen uses the terms within his definition (e.g. “program” and “modify”) a bit differently from the way most anti-virus researchers use them, and classifies as viruses some things which most of us would not consider viruses.

     Computer viruses are bits of code that damage or erase information, files, or software programs in your computer, much like viruses that infect humans, computer viruses can spread, and your computer can catch a virus when you download an infected file from the Internet or copy an infected file from a diskette. Once the viruses is embedded into your computer’s files, it can immediately start to damage or destroy information, or it can wait for a particular date or event to trigger its activity.

What are the main types of viruses?

Generally, there are two main classes of viruses. The first class consists of the file Infectors which attach themselves to ordinary program files. These usually infect arbitrary .COM and/or .EXE programs, though some can infect any program for which execution is requested, such as .SYS,.OVL,.PRG,&.MNU files.

File infectors can be either direct action or resident. A direct-action virus selects one or more other programs to infect each other time the program which contains it is executed ,and thereafter infects other programs when “they” are executed (as in the case of the Jerusalem) or when certain other conditions are fulfilled. The Vienna is an example of a direct-action virus. Most other viruses are resident.

The second class is system or boot-record infectors: those viruses, which infect executable code, found in certain system areas on a disk that are not ordinary files. On DOS systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses.

Finally, a few viruses are able to infect both (the Tequila virus is one example). There are often called “multipartite” viruses, though there has been criticism of this name; another name is “boot-and -file” virus.

File system or cluster viruses (e.g. Dir-II) are those that modify directory table entries so that the virus is loaded and executed before the desired program is. Note that the program itself is not physically altered; only the directory entry is. Some consider these infectors to be a third category of viruses, while others consider them to be a sub-category of the file infectors.

What are macro viruses?

Many applications provide the functionality to create macros. A macro is a series of commands to perform some application-specific task. Macros are designed to make life easier, for example, to perform some everyday tasks like text-formatting or spreadsheet calculations.

Macros can be saved as a series of keystrokes (the application record what keys you press); or they can be written in special macro languages (usually based on real programming languages like C and BASIC). Modern applications combine both approaches; and their advanced macro languages are as complex as general purpose programming languages. When the macro language allows files to be modified, it becomes possible to create macros that copy themselves from one file to another. Such self-replicating macros are called macro viruses.

Most macro viruses run under Word for Windows. Since this is a very popular word processor, it provides an effective means for viruses to spread. Most macro viruses are written using the macro language WordBasic. WordBasic is based on the good old BASIC programming language. However, it has many (hundreds of) extensions (for example, to deal with documents: edit, replace string, obtain the name of the current document, open new window, move cursor, etc.).

What is a Trojan horse program?

A type of program that is often confused with viruses is a ‘Trojan horse’ program. This is not a virus, but simply a program (often harmful) that pretends to be something else.

For example, you might download what you think is a new game; but when you run it, it deletes files on your hard drive. Or the third time you start the game, the program E-mail your saved passwords to another person.

Note: simply download a file to your computer won’t activate a virus or Trojan horse; you have to execute the code in the file to trigger it. This could mean running a program file, or opening a Word/Excel document in a program (such as Word or Excel) that can execute any macros in the document.

What kind of files can spread viruses?

Viruses have the potential to infect any type of executable code, not just the files that are commonly called “program files”. For example, some viruses infect executable code in the boot sector of floppy disk or in system areas of hard drives. Another type of virus, known as a “macro” virus, can infect word processing and spreadsheet documents that use macros. And it’s possible for HTML documents containing JavaScript or other types of executable code to spread viruses or other malicious code.

Since viruses code must be executed to have any effect, files that the computer treats as pure data are safe. This includes graphics and sound files such as .gif, .jpg, .mp3, .wav, .etc., as well as plain text in .txt files. For example, just viewing picture files won’t infect your computer with a virus. The virus code has to be in a form, such as an .exe program file or a Word .doc file which the computer will actually try to execute.

How do viruses spread?

The methodology of virus infection was pretty straightforward when first computer viruses such as Lehigh and Jerusalem started appearing. A virus is a small piece of computer code, usually form several bytes to a few tens of bytes, that can do, well, something unexpected. Such viruses attach themselves to executable files— programs, so that the infected program, before proceeding with whatever tasks it is supposed to do, calls the virus code. One of the simplest ways to accomplish that is to append the virus code to the end of the file, and insert a command to the beginning of the program file that would jump right to the beginning of the virus code. After the virus is finished, it jumps back to the point of origination in the program. Such viruses were very popular in the late eighties. The earlier ones only knew how to attach themselves to .Com files, since structure of a .COM file is much simpler than that of an .EXE file—yet another executable file format invented for MS-DOS operating system. The first virus to be closely studied was the Lehigh virus. It attached itself to the file that was loaded by the system at boot time—COMMAND.COM. the virus did a lot of damage to its host, so after three-four replications it was no longer usable. For that reason, the virus never managed to escape the university network.

When you execute program code that’s infected by a virus, the virus code will also run and try to infect other programs, either on the same computer or on other computers connected to it over a network. And the newly infected programs will try to infect yet more programs.

When you share a copy of an infected file with other computer users, running the file may also infect their computer; and files from those computers may spread the infection to yet more computers.

If your computer if infected with a boot sector virus, the virus tries to write copies of itself to the system areas of floppy disks and hard disks. Then the infected floppy disks may infect other computers that boot from them, and the virus copy on the hard disk will try to infect still more floppies.

Some viruses, known as ‘multipartite’ viruses, and spread both by infecting files and by infecting the boot areas of floppy disks.

What do viruses do to computers?

Viruses are software programs, and they can do the same things as any other program running on a computer. The accrual effect of any particular virus depends on how it was programmed by the person who wrote the virus.

Some viruses are deliberately designed to damage files or otherwise interfere with your computer’s operation, while other don’t do anything but try to spread themselves around. But even the ones that just spread themselves are harmful, since they damage files and may cause other problems in the process of spreading.

Note that viruses can’t do any damage to hardware: they won’t melt down your CPU, burn out your hard drive, cause your monitor to explode, etc. warnings about viruses that will physically destroy your computer are usually hoaxes, not legitimate virus warnings.

Modern viruses can exist on any system form MS DOS and Window 3.1 to MacOS, UNIX, OS/2, Windows NT. Some are harmless, though hard to catch. They can play a jingle on Christmas or reboot your computer occasionally. Other are more dangerous. They can delete or corrupt your files, format hard drives, or do something of that sort. There are some deadly ones that can spread over networks with or without a host, transmit sensitive information over the network to a third party, or even mess with financial data on-line.

What’s the story on viruses and E-mail?

You can’t get a virus just by reading a plain-text E-mail message or Usenet post. What you have to watch out for are encoded message containing embedded executable code (i.e., JavaScript in HTML message) or message that include an executable file attachment (i.e., an encoded program file or a Word document containing macros).

In order to activate a virus or Trojan horse program, you computer has to execute some type of code .This could be a program attached to an E-mail, a Word document you downloaded from the Internet, or something received on a floppy disk. There’s no special hazard in files attached to Usenet posts or E-mail messages: they’re no more dangerous than any other file.

What can I do to reduce the chance of getting viruses from E-mail？

Treat any file attachments that might contain executable code as carefully as you would any other new files: save the attachment to disk and then check it with an up-to-date virus scanner before opening the file.

If you E-mail or news software has the ability to automatically execute JavaScript, Word macros, or other executable code contained in or attached to a message, I strongly recommend that you disable this feature.

My personal feeling is that if an executable file shows up unexpectedly attached to an E-mail, you should delete it unless you can positively verify what it is, Who it came from, and why it was sent to you.

The recent outbreak of the Melissa virus was a vivid demonstration of the need to be extremely careful when you receive E-mail with attached files or documents. Just because an E-mail appears to come from someone you trust, this does NOT mean the file is safe or that the supposed sender had anything to do with it.

Some General Tips on Avoiding Virus Infections

1.         Install anti-virus software from a well-known, reputable company. UPDATE it regularly, and USE it regularly.

New viruses come out every single day; an a-v program that hasn’t been updated for several months will not provide much protection against current viruses.

2.         In addition to scanning for viruses on a regular basis, install an ‘on access’ scanner (included in most good a-v software packages) and configure it to start automatically each time you boot your system. This will protect your system by checking for viruses each time your computer accesses an executable file.

3.         Virus scans any new programs or other files that may contain executable code before you run or open them, no matter where they come from. There have been cases of commercially distributed floppy disks and CD-ROMs spreading virus infections.

4.         Anti-virus programs aren’t very good at detecting Trojan horse programs, so be extremely careful about opening binary files and Word/Excel documents from unknown or ‘dubious’ sources. This includes posts in binary newsgroups, downloads from web/ftp sites that aren’t well-known or don’t have a good reputation, and executable files unexpectedly received as attachments to E-mail.

5.         Be extremely careful about accepting programs or other flies during on-line chat sessions: this seems to be one of the more common means that people wind up with virus or Trojan horse problems. And if any other family members (especially younger ones) use the computer, make sure they know not to accept any files while using chat.

6.         Do regular backups. Some viruses and Trojan horse programs will erase or corrupt files on your hard drive and a recent backup may be the only way to recover your data.

Ideally, you should back up your entire system on a regular basis. If this isn’t practical, at least backup files you can’t afford to lose or that would be difficult to replace: documents, bookmark files, address books, important E-mail, etc.

Dealing with Virus Infections

First, keep in mind “Nick’s First Law of Computer Virus Complaints”:

“Just because your computer is acting strangely or one of your programs doesn’t work right, this does not mean that your computer has a virus.”

1.       If you haven’t used a good, up-to-date anti-virus program on your computer, do that first. Many problems blamed on viruses are actually caused by software configuration errors or other problems that have nothing to do with a virus.

2.       If you do get infected by a virus, follow the direction in your anti-virus program for cleaning it. If you have backup copies of the infected files, use those to restore the files. Check the files you restore to make sure your backups weren’t infected.

3.       for assistance, check the web site and support service for your anti-virus software.

Note: in general, drastic measures such as formatting your hard drive or using FDISK should be avoided. They  are frequently useless at cleaning a virus infection, and may do more harm than good unless you’ re very knowledgeable about the effects of the particular virus you’re dealing with.