Computer Viruses

In our health-conscious society, viruses of any type are an enemy. Computer viruses are especially pernicious. They can and do strike any unprotected computer system, with results that range from merely annoying to the disastrous, time-consuming and expensive loss of software and data. And with corporations increasingly using computers for enterprise-wide, business-critical computing, the costs of virus-induced down-time are growing along with the threat from viruses themselves. Concern is justified - but unbridled paranoia is not. Just as proper diet, exercise and preventative health care can add years to your life, prudent and cost-effective anti-virus strategies can minimize your exposure to computer viruses.

What Exactly Is A Computer Virus?
A computer virus is a program designed to replicate and spread, generally with the victim being oblivious to its existence. Computer viruses spread by attaching themselves to other programs (e.g., word processor or spreadsheet application files) or to the boot sector of a disk. When an infected file is activated - or executed - or when the computer is started from an infected disk, the virus itself is also executed. Often, it lurks in computer memory, waiting to infect the next program that is activated, or the next disk that is accessed. What makes viruses dangerous is their ability to perform an event. While some events are benign (e.g., displaying a message on a certain date) and others annoying (e.g., slowing performance or altering the screen display), some viruses can be catastrophic, damaging files, destroying data and crashing systems.

How Do Infections Spread?

Viruses come from a variety of sources. Because a virus is software code, it can be transmitted along with any legitimate software that enters your environment. In a 1991 study of major U.S. and Canadian computer users by the market research firm Dataquest for the National Computer Security Association, most users blamed an infected diskette (87 percent). Forty-three percent of the diskettes responsible for introducing a virus into a corporate computing environment were brought from home. Nearly three-quarters (71 percent) of infections occurred in a networked environment, making rapid spread a serious risk. With networking, enterprise computing and inter-organizational communications on the increase, infection during telecommunications and networking is growing. Seven percent said they had acquired their virus while downloading software from an electronic bulletin board service. Other sources of infected diskettes included demo disks, diagnostic disks used by service technicians and shrink-wrapped software disks - contributing six percent of reported infections.

What Damage Can Viruses Do To My System?

As mentioned earlier, some viruses are merely annoying, others are disastrous. At the very least, viruses expand file size and slow real-time interaction, hindering performance of your machine. Many virus writers seek only to infect systems, not to damage them - so their viruses do not inflict intentional harm. However, because viruses are often flawed, even benign viruses can inadvertently interact with other software or hardware and slow or stop the system. Other viruses are more dangerous. They can continually modify or destroy data, intercept input/output devices, overwrite files and reformat hard disks.

What Are The Symptoms Of Virus Infection?

Viruses remain free to proliferate only as long as they exist undetected. Accordingly, the most common viruses give off no symptoms of their infection. Anti-virus tools are necessary to identify these infections. However, many viruses are flawed and do provide some tip-offs to their infection. Here are some indications to watch for:

  • Changes in the length of programs
  • Changes in the file date or time stamp
  • Longer program load times
  • Slower system operation
  • Reduced memory or disk space
  • Bad sectors on your floppy
  • Unusual error messages
  • Unusual screen activity
  • Failed program execution
  • Failed system boot-ups, whether booting normally or accidentally booting from the A drive
  • Unexpected writes to a drive

The Virus Threat: Common And Growing

How Real Is The Threat From Computer Viruses?

Every large corporation and organization has experienced a virus infection - most experience them monthly. According to data from IBM's High Integrity Computing Laboratory, corporations with 1,000 PCs or more now experience a virus attack every two to three months - and that frequency will likely double in a year.

The market research firm Dataquest concludes that virus infection is growing exponentially. It found nearly two thirds (63%) of survey respondents had experienced a virus incident (affecting 25 or fewer machines) at least once, with nine percent reporting a disaster affecting more than 25 PCs. The 1993 Computer Crime Survey by Creative Strategies Research International and BBS Systems of San Francisco found 64 percent of U.S. respondents had experienced infection in 1993 alone. If you have only recently become conscious of the computer virus epidemic, you are not alone. Virus infections became a noticeable problem to computer users only around 1990 - but it has grown rapidly since then. According to a study by Certus International of 2,500 large U.S. sites with 400 or more PCs, the rate of infection grew by 600 percent from 1990 to 1991.

Snopes lists virus hoaxes that spread through e-mail and cause virus-like effects. Before you forward any virus message, please verify that it really is a virus by checking Snopes. If you forward a virus warning that really is a hoax, you will end up tying down the system just like a virus would.
Scams is another virus hoax warning site. This site also lists scams and urban legends.

More Viruses Mean More Infections

Virus infections are a growing problem, in part, because there are more strains of viruses than ever before. In 1986, there were just four PC viruses. New viruses were a rarity, with a virus strain created once every three months. By 1989, a new virus appeared every week. By 1990, the rate rose to once every two days. Now, more than three viruses are created every day - for an average of 110 new viruses created in a typical month. From those modest four viruses in 1986, today's computer users face thousands of virus strains.

Here is the frightening part:

Most infections today are caused by viruses that are at least three years old. That is, the infections are caused by viruses created no later than 1990, when there were approximately 300 known viruses. Today, there are thousands of viruses. If that pattern of incubation holds, the explosion of new viruses over the past few years could result in another explosion in total infections over the next few years.

The History Of Viruses
How It All Began

Today, the existence of viruses and the need to protect against them are inevitable realities. But it wasn't always so. As recently as the mid-1980s, computer viruses didn't exist. The first viruses were created in university labs - to demonstrate the "potential" threat that such software code could pose. By 1987, viruses began showing up at several universities around the world. Three of the most common of today's viruses - Stoned, Cascade and Friday the 13th - first appeared that year.

Serious outbreaks of some of these viruses began to appear over the next two years. The Datacrime and Friday the 13th viruses became major media events, presaging the concern that would later surround the Michelangelo virus. Perhaps surprisingly, tiny Bulgaria became known as the world's Virus factory in 1990 because of the high number of viruses created there. The NCSA found that Bulgaria, home of the notorious Dark Avenger, originated 76 viruses that year, making it the world's single largest virus contributor. Analysts attribute Bulgaria's prolific virus output to an abundance of trained but unemployed programmers; with nothing to do, these people tried their hands at virus production, with unfortunately successful results.

This growing activity convinced the computer industry that viruses were serious threats requiring defensive action. IBM created its High Integrity Computing Laboratory to lead Big Blue's anti-virus research effort. Symantec began offering Symantec Anti-Virus, one of the first commercially available virus defenses. These responses came none too soon. By 1991, the first polymorphic viruses - which can, like the AIDS virus in humans, change their shape to elude detection - began to spread and attack in significant numbers. That year too, the total number of viruses began to swell, topping 1,000 for the first time.

Virus creation proliferated, and continues to accelerate, because of the growing population of intelligent, computer-literate young people who appreciate the challenge - but not the ethics - of writing and releasing new viruses. Cultural factors also play a role. The U.S. - with its large and growing population of computer-literate young people - is the second largest source of infection. Elsewhere, Germany and Taiwan are the other major contributors of new viruses.

Another reason for the rapid rise of new viruses is that virus creation is getting easier. The same technology that makes it easier to create legitimate software - Windows-based development tools, for example - is, unfortunately, being applied to virus creation. The so-called Mutation Engine appeared in 1992, facilitating the development of polymorphic viruses. Also in 1992, the Virus Creation Laboratory, featuring on-line help and pull-down menus, brought virus creation within the reach of even unsophisticated computer users.

More PCs And Networks Mean More Infections, Too

The growing number of PCs, PC-based networks and businesses relying on PCs are another set of reasons for rising infections: there are more potential victims. For example, in the decade since the invention and popularization of the PC, the installed base of active PCs grew to 54 million by 1990. But that number has already more than doubled (to 112 million PCs in 1993) and will climb to 134 million PCs by 1994.

Not only are PCs becoming more common -they are taking over a rising share of corporate computing duties. A range of networking technologies - including Novell NetWare, Microsoft Windows NT and LAN Manager, LAN Server, OS/2 and Banyan VINES - are allowing companies to downsize from mainframe-based computer systems to PC-based LANs and, now, client-server systems. These systems are more cost-effective and they are being deployed more broadly within organizations for a growing range of mission-critical applications, from finance and sales data to inventory control, purchasing and manufacturing process control.

The current, rapid adoption of client-server computing by business gives viruses fertile new ground for infection. These server-based solutions are precisely the type of computers that are susceptible - if unprotected - to most computer viruses. And because data exchange is the very reason for using client-server solutions, a virus on one PC in the enterprise is far more likely to communicate with - and infect - more PCs and servers than would have been true a few years ago.

Moreover, client-server computing is putting PCs in the hands of many first-time or relatively inexperienced computer users, who are less likely to understand the virus problem. The increased use of portable PCs, remote link-ups to servers and inter-organization and inter-network e-mail all add to the risk of infections, too. Once a virus infects a single networked computer, the average time required to infect another workstation is from 10 to 20 minutes - meaning a virus can paralyze an entire enterprise in a few hours.

What Is Ahead?

The industry's latest buzz-phrase is "data superhighway" and, although most people haven't thought about those superhighways in the context of virus infections, they should. Any technology that increases communication among computers also increases the likelihood of infection. And the data superhighway promises to expand on today's Internet links with high-bandwidth transmission of dense digital video, voice and data traffic at increasingly cost-effective rates. Corporations, universities, government agencies, non-profit organizations and consumers will be exchanging far more data than ever before. That makes virus protection more important, as well.

In addition to more opportunities for infection, there'll be more and more-damaging strains of viruses to do the infecting. Regardless of the exact number of viruses that appear in the next few years, the Mutation Engine, Virus Creation Laboratory and other virus construction kits are sure to boost the virus population. Viruses that combine the worst features of several virus types, such as polymorphic boot sector viruses, are appearing and will become more common. Already, Windows-specific viruses have appeared. Virus writers, and their creations, are getting smarter. In response to the explosion in virus types and opportunities for transmission, virus protection will have to expand, too.

The Costs Of Virus Infection

Computer viruses have cost companies worldwide nearly two billion dollars since 1990, with those costs accelerating, according to an analysis of survey data from IBM's High Integrity Computing Laboratory and Dataquest. Global viral costs are projected to climb another 1.9 billion dollars in 1994 alone.

The costs are so high because of the direct labor expense of cleanup for all infected hard disks and floppies in a typical incident. The indirect expense of lost productivity - an enormous sum - is higher, still. In a typical infection at a large corporate site, technical support personnel will have to inspect all 1,000 PCs. Since each PC user has an average of 35 diskettes, about 35,000 diskettes will have to be scanned, too.

On average, it took North American respondents to the 1991 Dataquest study four days to recover from a virus episode - and some MIS managers needed fully 30 days to recover. Even more ominously, their efforts were not wholly effective; a single infected floppy disk taken home during cleanup and later returned to the office can trigger a relapse. Some 25 percent of those experiencing a virus attack later reported such a re-infection by the same virus within 30 days.

Cleanup is costing each of these corporations an average $177,000 in 1993 - and that sum will grow to more than $254,000 in 1994. If you're in an enterprise with 1,000 or more PCs, you can use these figures to estimate your own virus-fighting costs. Take the cost-per-PC ($177 in 1993, $254 in 1994) and multiply it by the number of PCs in your organization.

At a briefing before the U.S. Congress in 1993, NYNEX, one of North America's largest telecommunications companies, described its experience with virus infections:

  • Since late 1989, the company had nearly 50 reported virus incidents and believes it experienced another 50 unreported incidents.
  • The single user, single PC virus incident is the exception. More typical incidents involved 17 PCs and 50 disks at a time. In the case of a 3Com network, the visible signs of infection did not materialize until after 17 PCs were infected. The LAN was down for a week while the cleanup was conducted.
  • Even the costs of dealing with a so-called benign virus are high. A relatively innocuous Jerusalem-B virus had infected 10 executable files on a single system. Because the computer was connected to a token ring network, all computers in that domain had to be scanned for the virus. Four LAN administrators spent two days plus overtime, one technician spent nine hours, a security specialist spent five hours, and most of the 200 PCs on the LAN had to endure 15-minute interruptions throughout a two-day period.

In the October 1993 issue of Virus Bulletin, Micki Krause, Program Manager for Information Security at Rockwell International, outlined the cost of a recent virus outbreak at her corporation:

  • In late April 1993, the Hi virus was discovered at a large division of Rockwell located in the U.S. The division is heavily networked with nine file servers and 630 client PCs. The site is also connected to 64 other sites around the world (more than half of which are outside the U.S.). The virus had entered the division on program disks from a legitimate European business partner. One day after the disks arrived, the Hi virus was found by technicians on file servers, PCs and floppy disks. Despite eradication efforts, the virus continued to infect the network throughout the entire month of May.
  • 160 hours were spent by internal PC and LAN support personnel to identify and contain the infections. At $45.00 per hour, their efforts cost Rockwell $7,200.
  • Rockwell also hired an external consultant to assist Rockwell employees in the cleanup. 200 hours were spent by the consultant, resulting in a cost of $8,000.
  • One file server was disconnected from the LAN to prevent the virus from further propagating across the network. The server, used by approximately 100 employees, was down for an entire day. Rockwell estimated the cost of the downtime at $9,000 (100 users @ $45/hr for 8 hours, with users accessing the server, on average, 25% of the normal workday).
  • While some anti-virus software was in use, Rockwell purchased additional software for use on both the servers and the client PCs for an additional $19,800.
  • Total cost of the virus incident at Rockwell was $44,000.

Technical Overview
Computer Viruses And How They Work

Viruses are small software programs. At the very least, to be a virus, these programs must replicate themselves. They do this by exploiting computer code already on the host system. The virus can infect, or become resident in, almost any software component, including an application, the operating system, system boot code or a device driver. Viruses gain control over their host in various ways. Here is a closer look at the major virus types, how they function, and how you can fight them.

File Viruses

Most of the thousands of viruses known to exist are file viruses, including the Friday the 13th virus. They infect files by attaching themselves to a file, generally an executable file - the .EXE and .COM files that control applications and programs. The virus can insert its own code in any part of the file, provided it changes the host's code somewhere along the way, misdirecting proper program execution so that the virus code runs first, rather than the legitimate program. When the file is executed, the virus is executed first.

Most file viruses store themselves in memory. There, they can easily monitor access calls to infect other programs as they're executed. A simple file virus will overwrite and destroy a host file, immediately alerting the user to a problem because the software will not run. Because these viruses are immediately felt, they have less opportunity to spread. More pernicious file viruses cause more subtle or delayed damage - and spread considerably before being detected.

As users move to increasingly networked and client-server environments, file viruses are becoming more common. The challenge for users is to detect and clean such a virus from memory without having to reboot from a clean diskette. That task is complicated because file viruses can quickly infect a range of software components throughout a user's system. Also, the scan technique used to detect viruses can cause further infections: scans open files, and a resident file virus can infect a file during that operation. File viruses such as the Hundred Years Virus can infect data files too.

Boot Sector/Partition Table Viruses

While there are only about 200 different boot sector viruses, they make up 75 percent of all virus infections. Boot sector viruses include Stoned, the most common virus of all time, and Michelangelo, perhaps the most notorious. These viruses are so prevalent because they are harder to detect: they do not change a file's size or slow performance, and they are fairly invisible until their trigger event occurs - such as the reformatting of a hard disk. They also spread rapidly.

The boot sector virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that's executed during the system boot process. Booting from an infected floppy allows the virus to jump to the computer's hard disk. The virus executes first and gains control of the system boot even before MS-DOS is loaded. Because the virus executes before the operating system is loaded, it is not MS-DOS-specific and can infect any PC operating system platform - MS-DOS, Windows, OS/2, PC-NFS, or Windows NT.

The virus goes into RAM and infects every disk that is accessed until the computer is rebooted and the virus is removed from memory. Because these viruses are memory resident, they can be detected by running CHKDSK to view the amount of RAM and observing whether the expected total has declined by a few kilobytes. Partition table viruses attack the hard disk partition table by moving it to a different sector and replacing the original partition table with their own infectious code. These viruses spread from the partition table to the boot sectors of floppy disks as the floppies are accessed.

Multi-Partite Viruses

These viruses combine the ugliest features of both file and boot sector/partition table viruses. They can infect any of these host software components. And while traditional boot sector viruses spread only from infected floppy boot disks, multi-partite viruses can spread with the ease of a file virus - but still insert an infection into a boot sector or partition table. This makes them particularly difficult to eradicate. Tequila is an example of a multi-partite virus.

Trojan Horses

Like its classical namesake, the Trojan Horse virus typically masquerades as something desirable - e.g., a legitimate software program. The Trojan Horse generally does not replicate (although researchers have discovered replicating Trojan Horses). It waits until its trigger event and then displays a message or destroys files or disks. Because it generally does not replicate, some researchers do not classify Trojan Horses as viruses, but that is of little comfort to the victims of these malicious strains of software.

File Overwriters

These viruses infect files by linking themselves to a program, keeping the original code intact and adding themselves to as many files as possible. Innocuous versions of file overwriters may not be intended to do anything more than replicate but, even then, they take up space and slow performance. And since file overwriters, like most other viruses, are often flawed, they can damage or destroy files inadvertently. The worst file overwriters remain hidden only until their trigger events. Then, they can deliberately destroy files and disks.

Polymorphic Viruses

More and more of today's viruses are polymorphic in nature. The recently released Mutation Engine - which makes it easy for virus creators to transform simple viruses into polymorphic ones - ensures that polymorphic viruses will only proliferate over the next few years. Like the human AIDS virus that mutates frequently to escape detection by the body's defenses, the polymorphic computer virus likewise mutates to escape detection by anti-virus software that compares it to an inventory of known viruses. Code within the virus includes an encryption routine to help the virus hide from detection, plus a decryption routine to restore the virus to its original state when it executes. Polymorphic viruses can infect any type of host software; although polymorphic file viruses are most common, polymorphic boot sector viruses have already been discovered.

Some polymorphic viruses have a relatively limited number of variants or disguises, making them easier to identify. The Whale virus, for example, has 32 forms. Anti-virus tools can detect these viruses by comparing them to an inventory of virus descriptions that allows for wildcard variations - much as PC users can search for half-remembered files in a directory by typing the first few letters plus an asterisk symbol. Polymorphic viruses derived from tools such as the Mutation Engine are tougher to identify, because they can take any of four billion forms.

Stealth Viruses

Stealth aircraft have special engineering that enables them to elude detection by normal radar. Stealth viruses have special engineering that enables them to elude detection by traditional anti-virus tools. The stealth virus adds itself to a file or boot sector but, when you examine the host software, it appears normal and unchanged. The stealth virus performs this trickery by lurking in memory when it's executed. There, it monitors and intercepts your system's MS-DOS calls. When the system seeks to open an infected file, the stealth virus races ahead, uninfects the file and allows MS-DOS to open it. All appears normal. When MS-DOS closes the file, the virus reverses these actions, reinfecting the file.

Boot sector stealth viruses insinuate themselves in the system's boot sector and relocate the legitimate boot sector code to another part of the disk. When the system is booted, they retrieve the legitimate code and pass it along to accomplish the boot. When you examine the boot sector, it appears normal - but you are not seeing the boot sector in its normal location. Stealth viruses take up space, slow system performance, and can inadvertently or deliberately destroy data and files. Some anti-virus scanners, using traditional anti-virus techniques, can actually spread the virus. That is because they open and close files to scan them - and those acts give the virus additional chances to propagate. These same scanners will also fail to detect stealth viruses, because the act of opening the file for the scan causes the virus to temporarily disinfect the file, making it appear normal.

Anti-Virus Tools And Techniques

Anti-virus software tools can use any of a growing arsenal of weapons to detect and fight viruses, including active signature-based scanning, resident monitoring, checksum comparisons and generic expert systems. Each of these tools has its specific strengths and weaknesses. An anti-virus strategy that uses only one or two of the following techniques can leave you vulnerable to viruses designed to elude specific defenses. An anti-virus strategy that uses all of these techniques provides a comprehensive shield and the best possible defense against infection.

Signature-Based Scanners

Scanners - which, when activated, examine every file on a specified drive - can use any of a variety of anti-virus techniques. The most common is signature-based analysis. Signatures are the fingerprints of computer viruses - distinct strands of code that are unique to a single virus, much as DNA strands would be unique to a biological virus. Viruses, therefore, can be identified by their signatures. Virus researchers and anti-virus product developers catalog known viruses and their signatures, and signature-based scanners use these catalogs to search for viruses on a user's system. The best scanners have an exhaustive inventory of all viruses now known to exist. The signature-based scanner examines all possible locations for infection - boot sectors, system memory, partition tables and files - looking for strings of code that match the virus signatures stored in its memory.

When the scanner identifies a signature match, it can identify the virus by name and indicate where on the hard disk or floppy disk the infection is located. Because the signature-based scanner offers precise identification of known viruses, it can offer the best method for effective and complete removal. The scanner can also detect the virus before it has had a chance to run, reducing the chance that the infection will spread before detection. Against these benefits, the signature-based scanner has limitations. At best, it can only detect viruses for which it is programmed with a signature. It cannot detect so-called unknown viruses - those that have not been previously discovered, analyzed and recorded in the files of anti-virus software. Polymorphic viruses elude detection by altering the code string that the scanner is searching for; to identify these viruses, you need another technique.
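The signature matching described above, including the wildcard-tolerant form the Whale example relies on, as an added illustration that is not code from the original page or from any product it names. The signatures and the "infected" sample buffers are constructed stand-ins, not real virus signatures; the scanner reads whole files into memory and matches byte patterns in which "??" stands for any single byte.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Signature:
    """A named byte pattern: hex byte tokens, with "??" matching any one byte."""
    name: str
    pattern: str


# Constructed demo signatures; these are NOT real virus signatures.
# Demo.Fixed is an exact byte string. Demo.Wild leaves its last three bytes
# open, the "first few letters plus an asterisk" style of match the text
# describes, so it still catches a variant whose tail has been altered.
SIGNATURES: List[Signature] = [
    Signature("Demo.Fixed", "44 45 4D 4F 3A 31 32 33"),
    Signature("Demo.Wild", "44 45 4D 4F 3A ?? ?? ??"),
]


def compile_signature(sig: Signature) -> re.Pattern:
    """Translate a hex/wildcard signature into a compiled regex over bytes."""
    parts = []
    for tok in sig.pattern.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so "." also matches a 0x0A byte inside binary data.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = [(sig.name, compile_signature(sig)) for sig in SIGNATURES]


def scan_buffer(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, byte offset) for every signature hit in data."""
    hits = []
    for name, regex in COMPILED:
        for match in regex.finditer(data):
            hits.append((name, match.start()))
    return hits


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan one file on disk. Opening a file is itself a write opportunity for a
    resident file infector (see the text), which is why real products check
    memory first and prefer scanning after a clean boot."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed sample "files": a clean host, and two variants carrying the demo
# marker. Variant B's last three marker bytes differ, as a mutated form would,
# so only the wildcard signature recognises it.
CLEAN = b"MZ" + b"\x90\x90" + b"legitimate program code"
VARIANT_A = b"MZ" + b"\x90\x90" + bytes.fromhex("44454D4F3A313233") + b"rest-of-host"
VARIANT_B = b"MZ" + b"\x90\x90" + bytes.fromhex("44454D4F3A394941") + b"rest-of-host"


if __name__ == "__main__":
    for label, buf in (("clean", CLEAN), ("variant A", VARIANT_A), ("variant B", VARIANT_B)):
        print(f"{label:10s} -> {scan_buffer(buf)}")
```

Variant B shows the limitation the text describes: an exact signature misses it, and only the wildcard form (or a non-signature technique) reports it.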

Stealth viruses can elude detection by scanners by removing their tell-tale traces when the file is opened for the scan. To detect them, a scanner must include an anti-stealth defense that monitors MS-DOS calls at a very low level as the scan is under way. When it sees other code intercepting open/close calls, the anti-stealth defense suspects an unknown stealth virus is at work. It then re-scans the file in question while it is closed - and after it has been re-infected. If the results of the two scans differ, the anti-virus software alerts the user to the virus activity. Another drawback of signature-based scanners is their inherent inability to stay current on virus detection. They offer no protection against viruses discovered after their inventory of signatures is assembled. Periodic update files are available, but there will be a lag between the time a virus could infect your system and the time you receive the update. You must continually install updates on all of your systems - and run the risk that individual users may fail to use them properly.

Terminate-And-Stay-Resident (TSR) Monitoring

Virus scanners generally operate in batch mode, scanning all the files on a system, hard disk or floppy disk, when requested by the user. TSR monitors, on the other hand, operate like other TSR programs, that is, in the background, while other programs are running. Anti-virus TSR programs can provide any combination of protective activities, including real-time monitoring of disks and files, expert system analysis of virus-like behavior and code, and stealth- and polymorphic-specific detection.

The advantage of TSR-based virus protection is its automatic nature. Users, especially less-experienced users, do not need to activate the software or remember to run it. That makes it more convenient and more useful, since it is always operating. TSR monitors protect systems invisibly, continuously, without user intervention.

However, every technique has its weaknesses. The full-time, automatic nature of anti-virus TSRs can also be a problem. They can take up scarce memory space needed for other TSRs or software. They can cause false alarms triggered by over-reactions to normal disk writes and the unconventional techniques of backup, data compression and sector editing software. Beyond being annoying, false alarms can lead some users to deactivate the TSR, reducing protection.

Multi-Level Generic Detection

Signature-based detection is useful against known viruses, for which tell-tale signature code can be identified and stored for comparison with suspect code. But it cannot detect unknown viruses. Multi-level generic detection fills this gap. The technique is, as the name suggests, a combination of defenses, including checksum comparison, intelligent checksum analysis and cleaning, and expert system virus analysis. These tools meet the need to detect unknown viruses. Together with signature-based analysis, these tools produce the highest available detection of known and unknown viruses, the least false alarms, and the lowest risk of additional contamination during anti-virus activity.

Checksum comparison is based on comparing the current checksums of a suspect file or disk to checksums recorded when the system was in a known, clean state. Checksums are the fingerprints of a file - a unique representation of a file's bit sequence. The checksum is created by an algorithm that reads a file's bytes sequentially, essentially creating a unique numeric code that represents the file. Any subsequent change to the file will produce a change in the checksum calculation. Comparing two checksums of the same file at different times can flag file changes caused by a virus.

Intelligent checksum analysis and cleaning improves upon traditional checksum comparison in three ways. First, it distinguishes between legitimate changes to a file and those that might be caused by a virus, using additional analysis that recognizes ordinary file writes, for example an update that replaces a device driver. It works out when and why the file changed, which makes it more accurate at separating viruses from legitimate modifications. Second, it includes generic cleaning as well as generic detection: it can disinfect files and restore them to their original condition, whereas a traditional checksum can only report that something changed. Third, it provides better protection against viruses that specifically target anti-virus software. Together, these advances increase scanning speed, improve detection and cleaning of unknown viruses, and reduce the need for frequent updates.

Expert system virus analysis adds two major benefits to the virus protection mix: it can locate previously unknown viruses (i.e., viruses without recorded signatures) and it can identify those viruses, as well as known viruses, without any previously stored system information to compare against. In this respect it improves on checksum-based generic detection, which can be triggered by non-virus file changes. It also detects a higher percentage of boot sector viruses without relying on signature checking.

An expert system is a set of proprietary algorithms that performs thousands to millions of tests on your system's software, examining code flow, calls and other program behaviour. It assigns points based on the result of each test and identifies a virus on the basis of the total score. Unlike rules-based approaches, the best expert system does not execute code in order to analyze it; it examines files without running them and can identify virus code in that state. As a result, the expert system avoids the risk of further infection that comes with running files that may contain stealth viruses.

As mentioned earlier, polymorphic viruses created with a virus construction toolkit such as the Mutation Engine can assume any of up to four billion forms. The best anti-virus products include an expert system that can identify and clean these viruses. First, it performs thousands or millions of tests on the suspect code to determine that a virus is present. Then it locates the virus's decryption routine and uses it to decrypt the virus body. In its decrypted state the virus can be positively identified if it is in the product's inventory. The expert system records the virus-specific decryption code and then uses it to recover the original file contents and restore the host file to its original condition.

Computer Viruses: Preparation, Prevention, Detection, and Recovery

History of Viruses

The first known self-replicating programs were not really viruses; they were known as rabbits. They replicated in memory and took over the computing time of the machine, leaving little time or space for more important programs. These rabbits began to appear in the 1960s.

Next came the worm programs of the 1970s. The first worm was called Creeper. It would begin running on one system, copy itself to another, delete itself on the original system and continue on the new one. Later, Creeper was modified to replicate itself as well as migrate, so that it could spread in earnest. A second worm, Reaper, was then written to move through the network destroying every copy of Creeper it found; when no copies remained, Reaper deleted itself. Creeper and Reaper were thus the first truly infectious programs, and Reaper can be classified as the first anti-infection program. The name "worm" itself was borrowed afterwards from John Brunner's 1975 novel "The Shockwave Rider", in which a self-replicating program reproduces segments of itself across a network, by the Xerox PARC researchers who wrote experimental worms in the early 1980s.

The first true viruses appeared in the early 1980s on the Apple II. Elk Cloner, written in 1982 by a high-school student as a prank rather than as a research project, was essentially a boot-sector virus. Its symptoms included printing a poem and a version number indicating how many replications had occurred since the original; it infected a disk by placing a copy of itself in the disk's boot sector and kept a counter of how many infections it had caused and which generation it was. In 1983 Dr. Fred Cohen carried out the research that formally defined computer viruses and showed that they could spread through a system despite its security controls. Dr. Cohen quickly became, and remains, one of the recognized authorities on viruses due to his continuing research.

In 1984 William Gibson's novel Neuromancer glorified the computer hacker and created the cult that became known as cyberpunk; it served as an introductory course and a bible for beginning hackers and virus writers. One hacker influenced in this way was Robert T. Morris, who wrote the infamous Internet worm, one of the most successful and best known self-replicating programs of all time. It is correctly called a worm rather than a virus: it did not attach itself to host programs but spread as a stand-alone program, exploiting well known weaknesses in the UNIX systems of the day (a debug option in sendmail, a buffer overflow in the finger daemon, trusted-host rsh logins and weak passwords) and propagating across the Internet without users' knowledge. Its uncontrolled replication overloaded the machines it reached. Morris, then a graduate student at Cornell University, wrote it in October 1988 and released it deliberately from an MIT computer on November 2, 1988. The cost of the Internet worm was estimated at between $100,000 and $10 million, with an estimated 6,000 machines infected during the original outbreak. The infection was largely overcome by November 4, 1988, though copies were reported as late as December 1989. Morris was convicted under the Computer Fraud and Abuse Act in January 1990 and sentenced on May 4, 1990.

Viruses continue to be written, but the most common viruses in circulation are still the early ones, which plague computer systems throughout the world. Because of the legal consequences, there are few virus writers in the United States and in most industrialized countries. At the time of writing, the most prolific and most skilled virus writers are found in the so-called "Bulgarian Virus Factory": Bulgaria has no laws limiting the writing or spreading of viruses, and many hackers there treat it as a game, some even as a source of pride and fame. Fortunately, the same region also has many anti-virus researchers.

Virus Education

Computer viruses are a fast-changing subject. New strains appear around the world very rapidly, so up-to-date information is essential when combating them. Many of the sources used here are taken from the Internet's World Wide Web (WWW) in order to get the most current information available on viruses. Good anti-virus policy depends on the knowledge and cooperation of users. Users should be aware of the dangers viruses present and know whom to contact in the case of an infection.

A computer virus is a parasitic program written intentionally to enter a computer without the user's permission or knowledge. Virus programs are called parasitic because they attach themselves to ordinary programs. The behavior of computer viruses parallels that of viruses that infect people: they replicate themselves and spread from computer to computer, often causing serious damage and degrading program and system performance.

Some viruses seem cute or funny. They may make letters fall from the screen or cause the computer to make odd sounds. Though seemingly harmless, a virus should never be assumed to be so; many are very destructive. Some delete or encrypt data on the hard drive and on floppy disks so that the information is inaccessible unless the virus is in memory. Some cause the system to reboot without notice, losing any unsaved work.

A virus is dormant until an infected program is executed, or run, or an infected boot record is read. The virus activates as the computer loads it into memory, where it can perform a specific, often damaging, task and replicate itself. Viruses often spread by contact via diskettes. A disk becomes contaminated when it is used in an infected computer, and every computer in which that disk is subsequently used is likely to become infected as well. Ordinary data files can be damaged by a virus but cannot transfer one, since they are never executed; the exception is a document that carries executable macros, which is how a macro virus travels. Usually, by the time a virus shows itself, the infection is already widespread. Viruses are classified by what they attack when they infect computer systems. Types of contaminators include:

  • Program Infectors: A virus attaches itself to executable programs such as .COM, .EXE, .OVL, .DRV, .SYS, and .BIN files. The virus becomes active, and often spreads, when an infected program is loaded into memory. While in memory, the virus infects programs that are subsequently executed.
  • Boot Infectors: The virus modifies the boot sector, the partition table, or the file allocation table (FAT). Every disk has a boot sector; on the hard disk it controls how the operating system starts when the computer is turned on. A boot infector replaces the disk's original boot sector with its own. Once the viral boot sector is read, it is loaded into memory, where it may spread and degrade system performance. The partition table and the FAT are stored on the diskette or hard drive and tell the computer how the disk is divided up and where each file's data lives. A virus that changes this data makes the computer read from the wrong part of the disk.
  • Multipartite: Multipartite viruses have the abilities of both program and boot infector types.

Once a computer is infected, a virus may display several different characteristics. Virus characteristics include the following:

  1. Memory Resident: The virus loads into memory with the host program and stays resident when other programs are executed. From memory it can easily copy itself into boot sectors or into programs executed later. This is the most common virus characteristic.
  2. Non-Resident: The virus does not stay in memory after the host program is closed. It can only infect while the host program is executing; programs loaded after the infected program has closed are not in danger of further infection.
  3. Stealth: The virus hides from anti-virus software by covering up the clues to its existence. It can only do so while it is active in memory. It covers its tracks in two main ways:
     • Full Stealth - Anti-virus software scans diskettes or hard drives looking for virus signatures (code segments that are tell-tale signs of a virus program). The virus intercepts disk reads and returns the original, uninfected contents to avoid detection.
     • Size Stealth - Anti-virus software checks directory entries for unexpected changes in file size. The virus alters the directory data it returns so that the host file appears to have its original size.
  4. Encrypting: The virus hides by encrypting or otherwise transforming itself so that scanners cannot recognize its signature. However, in order to run and spread it must first decrypt itself, and it can be detected at that point.
  5. Polymorphic: The virus mutates by changing its own code, including the signature by which it could be identified, so that each infection looks different from the previous one. This is one of the most challenging types to detect.
  6. Triggered Event: The virus performs its action only when triggered by a specific event: a date, a time of day, or a sequence of key strokes or functions (for example, the Michelangelo virus triggers on March 6 and overwrites the start of the hard disk, including the partition table, FATs and root directory).
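As an added illustration (not code from the original page or from any product it describes), here is a toy encrypting virus together with the two scanners' view of it: a plain signature scanner misses the XOR-encrypted body, while a scanner that recognizes the decryptor stub, reads the key and scans the decrypted body catches it, which is the "it must first decrypt itself, and it can be detected at that point" observation above. The stub marker, key layout, signature and "virus body" are all constructed placeholders, and the function names are chosen here.

```python
# Added illustration: why a fixed signature misses an encrypting virus, and how
# scanning the body after decryption recovers detection. All byte strings are
# constructed placeholders, not real virus code.

VIRUS_BODY = b"<toy body: find next .COM, append self, patch entry>"  # constructed
SIGNATURES = {"Toy.Encrypt.A": b"find next .COM, append self"}       # constructed

# Constructed "decryptor stub": a marker the toy engine always emits, followed by
# the one-byte key and then the XOR-encrypted body.
STUB_MARK = b"\xeb\x05KEY="


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def infect(host: bytes, key: int) -> bytes:
    """Append one encrypted copy of the virus to a host: stub + key + encrypted body."""
    return host + STUB_MARK + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def signature_scan(blob: bytes, sigs: dict) -> list:
    """Plain scanner: report every signature that appears verbatim in the file."""
    return [name for name, sig in sigs.items() if sig in blob]


def decrypt_if_stub(blob: bytes):
    """Generic decryption for this toy engine: locate the stub, read its key and
    return the body as it would look once the virus has decrypted itself.
    Returns None when no stub (or a truncated stub) is present."""
    pos = blob.find(STUB_MARK)
    if pos < 0 or pos + len(STUB_MARK) >= len(blob):
        return None
    key = blob[pos + len(STUB_MARK)]
    return xor_bytes(blob[pos + len(STUB_MARK) + 1:], key)


def scan(blob: bytes, sigs: dict) -> list:
    """Signature scan first; if that finds nothing, try again on the decrypted body."""
    hits = signature_scan(blob, sigs)
    if hits:
        return hits
    body = decrypt_if_stub(blob)
    if body is None:
        return []
    return [name + " (after decryption)" for name in signature_scan(body, sigs)]


if __name__ == "__main__":
    host = b"MZ constructed host program"
    for key in (0x01, 0x5A, 0xFF):
        sample = infect(host, key)
        # Plain scan: [] ; scan with decryption: ['Toy.Encrypt.A (after decryption)']
        print(hex(key), signature_scan(sample, SIGNATURES), scan(sample, SIGNATURES))
```

The generic decryptor above keys on a fixed stub marker, which is itself just a signature on the decryptor. A true polymorphic engine such as the Mutation Engine randomizes the decryptor as well, which is why the expert-system approach described under Multi-Level Generic Detection has to analyze the decryption routine rather than pattern-match it.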
Preparation

Preparation is a very important part of protecting a personal computer from a virus attack, and it takes place before an attack occurs. The first step is to make regular and sound backups of data. A backup is a copy of the data on the computer; its purpose is to replace data that has been lost, corrupted or damaged. How often backups are made depends on how often the data changes. They should be made often enough that, if all data on the computer were lost, the data and work could be recovered in a reasonable amount of time and with as little loss as possible. Files worked on frequently may need backing up every few hours; in that case it is not necessary to back up the entire computer, only the file in question. A sound backup is one whose integrity, the correctness and reliability of the data, was intact at the time it was taken. A backup that is incomplete or corrupt will be of no use when it needs to be restored, so test backups for soundness by actually restoring the data and confirming that it can be used.

The second step in preparation is to create write-protected system disks, again in advance. Such a disk should contain all the operating system files, the AUTOEXEC.BAT and CONFIG.SYS files, and any other system files or device drivers needed, all copied onto the floppy. If the computer becomes infected with a virus, this disk can be used to reboot the computer. Booting is the process of starting the operating system when the computer is switched on; the system can be loaded from the hard drive or from a prepared floppy known as a system disk. The operating system maintains lists of files, runs programs, and provides the other basic functions a computer needs in order to operate; without it a personal computer is useless. If the operating system itself has a virus, a system disk is needed for boot-up. Booting from an uninfected system disk gives a clean environment to work from, provided the disk was made on a known-clean machine, the machine really boots from the floppy rather than from the hard disk (check the BIOS boot order), and the disk was write-protected immediately after it was made. After creating a system disk, write-protect it (see Section V: Prevention) so that none of the data can be changed and a virus cannot infect it.

The last part of preparation is planning. A plan should be drawn up to direct action if a virus attack occurs, and it should list the resources available: who to go to for help and who will be able to repair any damage. For example, on the Brigham Young University campus a student can go to the Student Computing Support Center for help. Planning should also include education about viruses and the steps involved in recovery.

Prevention

Prevention consists of the techniques used to keep a virus from entering a computer. No single technique is ever 100% safe; prevention depends on consistently following a set of standards. The first part of prevention is educating the user, or creating user awareness. Users need to understand that some kinds of software are more likely than others to carry a virus. Most manufacturers check the software they sell in stores, but even shrink-wrapped software has occasionally shipped infected, and producers of shareware and public domain software may not take the same precautions as producers of licensed software. Caution should be taken when installing shareware, public domain and, above all, pirated software; these have historically been common virus carriers.

Controlling which disks are used in a computer is the next part of prevention. Viruses spread when an infected disk is used in a computer. They also spread when many people use a single computer: one person's disk infects the machine, and everyone who uses it afterwards carries the virus away on their own disks. Likewise, one person using many computers carries an infection from the first infected machine to every machine used after it. Another prevention technique is write-protecting disks. When a disk is write-protected, nothing, viruses included, can be written or saved to it; files can only be read from it. This is also called a read-only disk. On a 3-1/2 inch disk, write-protection is done by sliding the square tab in the corner open so that you can see through the hole. A 5-1/4 inch disk has a square notch in its side; when the notch is covered, for instance with a piece of tape, the disk is write-protected. Write-protected disks are safe to use in infected computers, because the protection is enforced by the drive hardware rather than by software, so a virus cannot override it to save itself onto the disk and travel on to other computers.

On a network there is one preventive measure that is not available for stand-alone PCs: diskless workstations, PCs that may have a hard disk but have no floppy drives. If the user has no means of putting a floppy disk into the PC, he also has no opportunity to introduce a virus from one. This holds only to a certain extent. Diskless workstations prevent the accidental introduction of viruses into the network, but not malicious introduction, since virus code can still be typed in at the keyboard. Since most viruses are introduced accidentally, however, this measure eliminates many of them.

Consider a particular sequence of events by which a virus could infect your computer. Suppose you invite a friend over to use your computer, and the friend brings a few programs to help with the work, such as a favorite text editor. Without the friend realizing it, the text editor may be infected with a virus. Using that editor on your machine lets the virus spread from the editor to a program stored on your machine, perhaps your spreadsheet program. The spreadsheet is now infected, and when you next use it the virus can spread to yet another program. Suppose you then visit a computer lab on campus and bring your spreadsheet along: the lab computer now has the virus too, and if it is connected to a network you may pass the virus to other users over the network. Either way, the virus spreads to more users and more machines, via floppy disks or networks. Each copy of the virus can make multiple copies of itself and can infect any program it has access to, so the virus spreads exponentially. Each infected program on each infected machine can execute whatever other instructions the virus author intended, and if those instructions are harmful or disruptive, the pervasiveness of the virus makes the harm widespread.

Viruses and Networks

On stand-alone (non-networked) PCs, programs are exchanged almost exclusively on floppy disks, which is relatively slow and physically controllable. The danger of a large scale virus attack in a non-networked organization is therefore comparatively limited, provided reliable virus-detection software is used: an attack is likely to reach only a few PCs before it is detected and isolated. PC networks are a different situation. Networks allow high speed sharing of data and programs, and this interchange, with hundreds of simultaneous users, is much harder to control.

A network is a group of computers that can communicate with each other, share peripherals (such as hard disks and printers), and access remote hosts or other networks. A network usually consists of two or more computers connected by a medium that lets them communicate, typically by transferring documents, messages, mail, memos and other files between them.

We will discuss Novell's NetWare, one of the most popular network operating systems in the country, to gain a better understanding of the dangers of viruses on networks. A NetWare network consists of workstations, peripherals (printers, for example), and one or more file servers (the central computers of the network). NetWare users can share the same files, send messages directly between individual workstations or users, and protect files with an extensive security system.

If proper network security features are not used, the possibility of a large scale virus attack in a networked organization is much greater, and the chance of successful containment much smaller, than with stand-alone PCs. The virus usually enters a network through a user's workstation. In a typical scenario the user infects his workstation by executing an infected application obtained on a floppy, downloaded from the Internet, or copied from an infected disk. The virus becomes memory resident and then typically tries to infect every application that is run or every drive that is accessed, and on a workstation that includes the network drives mapped from the file server. The one type that a file server cannot pass on in this way is a pure boot-sector virus, since it spreads only by booting from an infected disk; booting from the network is possible for workstations without hard drives, but a workstation with its own hard drive does not boot from the network.

When a user whose workstation is infected logs in to the network, the workstation executes LOGIN.EXE, which is stored on the file server and opens the user's access to the file areas allotted to him. If LOGIN.EXE, or any other executable on the server, is not write-protected, it becomes infected. From then on, every user who runs LOGIN.EXE infects his own workstation, which spreads the infection further. LOGIN.EXE is one of many programs that everyone uses frequently; others include PRINT.EXE, the e-mail client and WIN.EXE. On a typical active network an infection can reach most workstations within minutes. An infected LOGIN.EXE, or any infected program executed by the system login script, infects user workstations every time a user logs in.

One of the benefits of NetWare is its extensive security system. Traditional security systems offer little protection against viruses, but NetWare, set up correctly, can give fairly good protection. One example is the way file protection works. Traditionally, a file carries attributes that can be turned on and off; one of these is the read-only attribute, and while it is on the file cannot be written to, overwritten or deleted. It seems logical that a virus could not infect such a file, but viruses have long since learned to turn the attribute off, infect the file, and turn it back on. To protect against this, NetWare adds a second level of security, trustee rights, which dictate which users may read, write, create, erase or modify a particular file or directory regardless of what a program running on the workstation asks for. With this set up properly, so that ordinary users have only read and file-scan rights to the shared program directories, a virus running under a user's login is very limited in what it can infect. The weak point is the supervisor or administrator: by virtue of his position he has rights to every file, and if he accidentally introduces a virus while logged in with those rights, it spreads as if there were no security system at all. The practical rule is that administrative logins are used only for administration, never for running ordinary applications or reading mail.

Detection

If a virus gets past the preventive measures, a dependable method of detection is necessary. Personal observation is an important part of detection. Certain strange occurrences indicate the presence of a virus and should be watched for. These are called virus symptoms, just as congestion or fever are symptoms of infection in a person. Common symptoms of computer infection include:

1. Programs suddenly take longer to load.
2. The size of a program changes.
3. The disk runs out of free space when it should have plenty.
4. The CHKDSK command does not report the correct number of bytes available.
5. Bit errors frequently occur while running Windows.
6. The disk drive is active when it should not be.
7. The hard drive is inaccessible when booting from a floppy drive.
8. Unrecognized files appear.
9. File names change.
10. The keyboard makes a clicking noise.
11. The screen becomes distorted.
12. Text on screen does unusual things.
13. CMOS settings, AUTOEXEC.BAT, or CONFIG.SYS files change unexpectedly.

A large part of detection is anti-virus software. Much as a doctor does, anti-virus software uses symptoms like those listed above, together with direct examination, to identify and eradicate an infection. There are three primary types of anti-viral software:

1. Monitoring programs: Attempt to stop an infection before a virus can act. These programs watch for writes to other executable programs, attempts to reformat the disk, and similar suspicious operations.
2. Scanners: Look for strings known as signatures (byte sequences or code that occur in viruses but, hopefully, not in legitimate software) or for patterns known to exist in specific viruses. A scanner may examine specified disks or files on demand, or it may be resident in memory, examining each program as it is executed. Most scanners also include virus removers called disinfectors.
3. Integrity Checkers or Modification Detectors: Compute a small checksum or hash value (a CRC or a cryptographic hash) for each file at a time when the files are presumably uninfected. A checksum is a short value derived from the program's contents; when the program changes, the checksum changes. Later, newly calculated values are compared with the originals to see whether a virus has modified the files. This catches unknown viruses as well as known ones and so provides a more comprehensive form of detection. Unfortunately, files also change for reasons other than viral infection, which causes false positives, and it is usually left to the user to decide whether a change was intentional or might be due to a virus. Two cautions apply: a CRC is not a cryptographic hash, and a virus written with checkers in mind can adjust an infected file so that its CRC still matches, so prefer a cryptographic hash; and keep the checksum database somewhere the virus cannot rewrite it. Integrity checkers can checksum entire disks or specified files; they can also be memory resident, checking each program as it is about to be executed. Another implementation is a self-test, in which the checksumming code is attached to each executable so that it checks the file just before execution.
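The following is an added example, not from the original page, covering both the checksum comparison described under Multi-Level Generic Detection and the integrity checkers listed here: a baseline-and-compare checker, plus a demonstration of the "viruses that target anti-virus software" caveat. It uses the fact that a CRC-32 can be forced to any value by appending four chosen bytes, which no cryptographic hash allows. File names and contents are constructed stand-ins for real executables, nothing here reads a real disk, and `baseline`, `compare` and `forge_crc32_suffix` are names chosen for this example.

```python
# Added illustration: a minimal integrity checker and why the checksum algorithm
# matters. Sample "files" are constructed bytes, not real programs.
import hashlib
import zlib

CRC_POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc_table()
# The high byte of each table entry is distinct; that is what makes CRC-32 reversible.
_BY_HIGH_BYTE = {entry >> 24: i for i, entry in enumerate(_TABLE)}
assert len(_BY_HIGH_BYTE) == 256


def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """Hex fingerprint of a file's bytes: 'crc32' or any hashlib algorithm name."""
    if algo == "crc32":
        return "%08x" % zlib.crc32(blob)
    return hashlib.new(algo, blob).hexdigest()


def crc32_value(blob: bytes) -> int:
    return zlib.crc32(blob)


def baseline(files: dict, algo: str = "sha256") -> dict:
    """Record fingerprints while the system is known clean (store the result read-only)."""
    return {name: fingerprint(blob, algo) for name, blob in files.items()}


def compare(base: dict, files: dict, algo: str = "sha256") -> dict:
    """Report files whose fingerprint changed, files not in the baseline, and files gone."""
    report = {"changed": [], "new": [], "missing": []}
    for name, blob in files.items():
        if name not in base:
            report["new"].append(name)
        elif fingerprint(blob, algo) != base[name]:
            report["changed"].append(name)
    report["missing"] = [name for name in base if name not in files]
    return report


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes which, appended to data, give zlib.crc32(data + suffix) == target_crc.
    This is the trick a checker-aware virus can play on a CRC-based integrity checker."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF      # CRC register before the final XOR
    wanted = target_crc ^ 0xFFFFFFFF
    # Walk backwards from the wanted register value: each step's table index is fixed
    # by the high byte, so the four indices depend on the target alone.
    indices = []
    s = wanted
    for _ in range(4):
        idx = _BY_HIGH_BYTE[s >> 24]
        indices.append(idx)
        s = ((s ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    indices.reverse()
    # Walk forwards from the real register value, picking each byte so that it
    # selects the required table index (CRC update: T[(s ^ b) & 0xFF] ^ (s >> 8)).
    suffix = bytearray()
    for idx in indices:
        suffix.append((state ^ idx) & 0xFF)
        state = _TABLE[idx] ^ (state >> 8)
    return bytes(suffix)


if __name__ == "__main__":
    clean = {"LOGIN.EXE": b"MZ constructed login program", "WIN.EXE": b"MZ constructed shell"}
    infected = dict(clean)
    infected["LOGIN.EXE"] = clean["LOGIN.EXE"] + b"<constructed virus body>"
    print("sha256 sees:", compare(baseline(clean), infected))
    # Patch the infected file so its CRC-32 equals the clean one; a CRC checker is now blind.
    infected["LOGIN.EXE"] += forge_crc32_suffix(infected["LOGIN.EXE"], crc32_value(clean["LOGIN.EXE"]))
    print("crc32 sees: ", compare(baseline(clean, "crc32"), infected, "crc32"))
    print("sha256 sees:", compare(baseline(clean), infected))
```

The forgery works because CRC-32 is linear: after four input bytes the original register contents have been shifted out entirely, so the final value depends only on which table entries those bytes select, and the unique high byte of each entry lets the attacker solve for them. A cryptographic hash has no such structure, and storing the baseline on a write-protected disk closes the other obvious attack, rewriting the database itself.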

Virus scanners are very useful for checking disks before they are used in a computer, to keep the computer from picking up a virus, and they should also be run periodically against the hard drive. A scanner finds viruses by reading each file's contents and comparing them against a library of known virus characteristics; the virus is then named and the user is notified that a virus is present on the system. The disadvantage of this software is that it must be updated continually, since new viruses can appear at any time. On a network it is recommended that virus-specific software be installed on the file server for use by the workstations. The virus check of the server can be performed overnight or when the server workload is low, and it is recommended that a dedicated workstation be used to initiate it, which reduces the chance that the workstation was infected during the course of the day. It is important to guarantee a clean, virus-free environment on a workstation before running anti-virus software or investigating a virus-infected network.

Recovery

After a virus has been detected, it is very important to isolate it and get rid of it as quickly as possible. Viruses tend to spread exponentially, so every moment counts once an infection is discovered. Oddly enough, even though there are many programs for cleaning up viruses, they are not the recommended method. Software is very useful for detecting viruses, but there are too many variations for a program to clean every virus correctly. If it is the only thing available, use it. Many anti-virus packages can clean a disk when the virus is dormant, but except for old, very well-known viruses this is not the most effective method.

CAUTION: The restoration process should not be attempted by an amateur. If you are unfamiliar with computers and viruses, get help from someone more experienced; otherwise you may do more damage than good.

The first step in clean-up is to evaluate the infection. Find out how many computers are infected, how much damage has been done so far on the infected systems, and which other systems have been in contact with them. It is also very important to find the source of the infection, because knowing the source helps prevent reinfection after the cleanup. When you know which computers, files and data are infected, isolate them to contain the infection, much like putting them in quarantine.

Next, gather all available backups and check that they are clean. Then make one more backup of the infected data immediately before disinfecting the computer. The reason for this last backup is encryption: if the virus has encrypted some of the data, the only way to recover it may be through the virus itself. Back up only the damaged data, not damaged or infected executables.

Now reboot the computer from an UNINFECTED source. If you can, use a pre-prepared system disk, one that is known to be clean and has been write-protected. From that point on do not run any program that may be infected. Check all your backups to make sure they are uninfected; it does no good to get rid of a virus by restoring another infected copy of the data or program. For a program infector, restore the original copies of the programs from write-protected disks. The disks from the manufacturer are the best source, as they are guaranteed clean; use them to overwrite the infected files. For a boot-sector virus, the best method is to copy all data from the disk onto a clean disk, reformat the original disk, and copy the data back. On a hard drive you can also use the FDISK /MBR command to rewrite the master boot record. Use it with care: it rewrites only the boot code, not the partition table, and some boot-sector viruses keep the partition table or the disk contents encrypted, so removing the virus code alone can leave the disk unreadable; take the pre-disinfection backup first. After the infection has been removed from the hard drive, clean or replace all diskettes that may also be infected, using the same methods.
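An added example (not from the original page) of the check a technician would run on a saved copy of the master boot record before cleaning a boot-sector infection: parse the 512-byte sector, confirm the 55AA signature, and compare the boot code and the partition table separately against a known-clean copy, since FDISK /MBR rewrites only the former. The sectors, boot code and "virus loader" bytes are constructed stand-ins, and `make_mbr`, `parse_mbr` and `check_mbr` are names chosen here; the MBR layout itself (446 bytes of code, four 16-byte partition entries, 55AA) is the standard PC one.

```python
# Added illustration: parse a constructed 512-byte MBR and compare it with a saved
# clean copy before deciding how to clean a boot-sector infection.
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446                  # 446 bytes of boot code, then four 16-byte entries
PART_ENTRY = struct.Struct("<B3xB3xII")  # status, CHS start, type, CHS end, LBA start, count
BOOT_SIGNATURE = b"\x55\xaa"             # last two bytes of a valid boot sector


def make_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Build a constructed MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > PART_TABLE_OFFSET or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(PART_ENTRY.pack(0x80 if bootable else 0x00, ptype, start, count)
                     for bootable, ptype, start, count in partitions)
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, raw partition table, decoded entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot sector is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for n in range(4):
        off = PART_TABLE_OFFSET + 16 * n
        status, ptype, start, count = PART_ENTRY.unpack(sector[off:off + 16])
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"slot": n, "bootable": status == 0x80,
                               "type": ptype, "lba_start": start, "sectors": count})
    return {"boot_code": sector[:PART_TABLE_OFFSET],
            "partition_table": sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64],
            "signature_ok": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
            "partitions": partitions}


def check_mbr(current: bytes, saved_clean: bytes) -> list:
    """Findings a technician wants before touching the disk (for instance with FDISK /MBR)."""
    now, ref = parse_mbr(current), parse_mbr(saved_clean)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 55AA missing: sector is damaged or not an MBR")
    if now["boot_code"] != ref["boot_code"]:
        findings.append("boot code differs from the saved copy: boot-sector infector suspected")
    if now["partition_table"] != ref["partition_table"]:
        findings.append("partition table differs from the saved copy: restore it before "
                        "rewriting boot code, or the disk will stay unreadable")
    return findings


if __name__ == "__main__":
    clean = make_mbr(b"constructed clean boot loader", [(True, 0x06, 63, 131072)])
    # A boot infector typically overwrites the start of the boot code and stashes the
    # original sector elsewhere on the disk.
    loader = b"constructed virus loader"
    infected = loader + clean[len(loader):]
    print(check_mbr(infected, clean))
    # A virus that also rewrites the partition table produces a second finding.
    tampered = infected[:PART_TABLE_OFFSET] + b"\x00" * 64 + BOOT_SIGNATURE
    print(check_mbr(tampered, clean))
```

The saved clean copy is the point of the exercise: without a baseline taken while the machine was known clean (as part of the preparation step), there is nothing to compare the boot code against, and a decision to run FDISK /MBR is a guess.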

The most difficult step is restoring data that may have been damaged while the virus was in memory; this is the reason for all the backups. Find among your backups the most recent clean, usable version of your data. Double check that the backup is undamaged and uninfected, then copy the data on top of the existing version, and make another backup immediately. When the system has been cleaned and restored, watch for reinfection, which is likely for a system that has been infected once. A file missed in the cleanup can reinfect the system, and so can the original source of the infection if it was never identified.
