GEN 110 - Freshman Seminar: Computers and Society

Dr. R. M. Siegfried

Computer Viruses

What is a Virus?

A virus (in biology) is a microorganism that reproduces by injecting its own genetic material into an organism's cells. It takes over the cell's reproductive mechanism and uses it to produce copies of itself. Eventually, the cell bursts, releasing the new viruses creates from the original virus's DNA.

A computer virus is a computer program (or a program fragment) that hides itself within a larger program and uses the access that it provides to spread itself to other computers and cause damages to computer data or other unwanted effects. The most common ways of spreading the infection is by floppy disk or by e-mail.

The FBI defines a virus "as any program undetected to the user that has the capacity to infect other computer system by re-creating itself unpredictably or causing some other specific action predetermined circumstances."

In the early 1990s, Computer Virus Industry Association received an average of 15- 20 reports daily. Dozens of different strains exist. Most enter computer systems inadvertently by authorized user. McAfee (publisher of the antivirus program ViruScan) reports that there are currently 60,000 computer viruses in existence.

What types of viruses are there?

Computer virus can typically fall into one of the following categories:

Trojan Horses " programs design to fool the user into believing that they have accessed another computer and tricks them into providing user names, passwords and other vital data that can be misused.
Logic Bombs (or time bombs) - programs designed to trigger certain (unwanted) events at a particular day and time or if a set of occurrences take place.
Worm - a self-replicating program that infects computers in order to duplicate itself. The most significant difference between a worm and a virus is that worms do no damage beyond the computer time that they consume replicating themselves.
Macroviruses - programs segments that use the macro language built into programs such as word processors, spreadsheets and e-mail programs to spread themselves and do other mischief.

Infamous Virus Attacks

What is generally considered the first computer virus attack took place at AT&T Bell Labs in the late 1960s. During his Turing Lecture, Ken Thompson described the game Core Wars, which was frequently played by members of the Technical Staff. Each player would start with a portion of the computer's memory (also known then as core) available for them and would try to take over the other player's memory space. The Technical Staff of AT&T Bell Labs considered it a helpful technical exercise (as well as a good way ("blowing off steam"), but they did not all think that Thompson should have been so public about this).
The first use of the term "virus" to refer to self-replicating code came appeared in David Gerrold's book "When Harlie Was One". Fred Cohen of Lehigh University was the first to apply to the current species of malicious programs.
The Cookie Monster virus (actually a Trojan horse) would demand display "I want a cookie" and other demanding messages unless the user typed the word "cookie". If the user didn't do this, it would start destroying files.
Joseph Popp distributed copies of a Trojan horse program that claimed to have information on AIDS and demanded that the user pay $189 for a year of daily use (365 program runs) or $389 for lifetime use. The disk contained a virus that spread slowly before starting to damage data (similar to HIV's behavior). Popp was arrested and charged in Britain for the damage that he caused (the first person ever charged with writing a malicious program. He claimed insanity as a defense and the prosecution dropped the charges, agreeing with that assessment.
Robert Tappan Morris, Jr., release an Internet Worm in October 1988 that virtuallyshut down the Internet because of its overly virulent rate at which it duplicated itself on UNIX computers. He was eventually convicted and sentenced to 3 years probation, 400 hours of community service and a fine of $10,000.
The Pakistani virus supposedly owes its origins to a pair of brothers who sold "bootleg" copies of Lotus 1-2-3 to American tourists because they were bound by tighter copyright laws than Pakistani citizens. The virus would erase the contents of the user's hard drive.
The first American convicted of a virus attack was a Texas programmer who left behind a logic bomb that erased 30,000 payroll records. He was convicted in 1989.
The Michelangelo virus was set to erase hard drives of all infected computers on March 2, 1998 (Michelangelo's 517th birthday). It was not much of a real threat.
The Love Bug spread the e-mail message with the subject "I love you" and propagated to recipients of e-mail from the reader via Microsoft Outlook.

How Do Viruses Work?

System Viruses

Early viruses were pieces of code attached to a common program like a popular game or a popular word processor. A person might download an infected game from a bulletin board and run it. A virus like this is a small piece of code embedded in a larger, legitimate program. Any virus is designed to run first when the legitimate program gets executed. The virus loads itself into memory and looks around to see if it can find any other programs on the disk. If it can find one, it modifies it to add the virus's code to the unsuspecting program. Then the virus launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time either of those programs gets executed, they infect other programs, and the cycle continues.

If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a bulletin board, then other programs get infected. This is how the virus spreads.

The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised if all they did was replicate themselves. Unfortunately, most viruses also have some sort of destructive attack phase where they do some damage. Some sort of trigger will activate the attack phase, and the virus will then "do something" -- anything from printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, or the number of times the virus has been replicated, or something similar.

As virus creators got more sophisticated, they learned new tricks. One important trick was the ability to load viruses into memory so they could keep running in the background as long as the computer remained on. This gave viruses a much more effective way to replicate themselves. Another trick was the ability to infect the boot sector on floppy disks and hard disks. The boot sector is a small program that is the first part of the operating system that the computer loads. The boot sector contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee it gets executed. It can load itself into memory immediately, and it is able to run whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the machine, and on college campuses where lots of people share machines they spread like wildfire.

In general, both executable and boot sector viruses are not very threatening any more. The first reason for the decline has been the huge size of today's programs. Nearly every program you buy today comes on a compact disc. Compact discs cannot be modified, and that makes viral infection of a CD impossible. The programs are so big that the only easy way to move them around is to buy the CD. People certainly can't carry applications around on a floppy disk like they did in the 1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses have also declined because operating systems now protect the boot sector.

Both boot sector viruses and executable viruses are still possible, but they are a lot harder now and they don't spread nearly as quickly as they once could. Call it "shrinking habitat," if you want to use a biological analogy. The environment of floppy disks, small programs and weak operating systems made these viruses possible in the 1980s, but that environmental niche has been largely eliminated by huge executables, unchangeable CDs and better operating system safeguards.

[ http://computer.howstuffworks.com/virus4.htm]

Macro Viruses

Macro viruses use the built-in Word.Basic macro language available in Microsoft Word 6.0 and later. A variant of this language existed in Word 2.0 for Windows, but these macro viruses only run on the version of Word.Basic in Word 6.0 and later. Macintosh versions of Word earlier than 6.0 do not have a macro language though converters are available to allow Word 5 to read Word 6 files. Any Word 6 files converted to Word 5 will have all their macros removed during the conversion process and cannot be infected with a virus.

A virus needs two things to infect a system: they need to get on the system and they need to get executed. Macro viruses get on a system by being attached to template files in Word versions 6 and 7 or any document in Word version 8. Template files can contain text just like a normal document, but they can also hold macros. To get executed on your system, macro viruses take advantage of the fact that if a macro is named AutoOpen or AutoClose the macro is run automatically when a document is opened or closed. They also take advantage of the fact that if a macro has a name like FileOpen or FileSaveAs the macro replaces the menu command with the same name and runs when the menu command is selected. These two methods allow a macro to be run without the user explicitly running the macro or even realizing that he has done so.

When a macro virus has gotten onto a system and is run, the first thing it does is to see if it is in the normal.dot template file or in a document. If the virus is running on the normal.dot template, it looks for a document to infect. When it has infected a document, it saves that document as a Word template file but changes the file name to end in .DOC instead of .DOT, to make the file appear to be a document instead of a template. If it is running on a document, it copies itself onto the normal.dot template.

When the virus is finished infecting a document file, it runs its payload procedure which can do nothing or can do something nasty such as format your hard drive. Word.Basic is a full programming language and a Word.Basic macro can do anything any other program can do including read or write files, send e-mail, change system settings, and so forth. What it does depends on the whim or malicious intent of the virus writer.

[http://computer.howstuffworks.com/framed.htm?parent=virus.htm&url=http://www.cert.org /advisories/CA-1999-04.html]

How do anti-virus programs work?

Most system viruses have known "signature patterns", a sequence of bits that always appear. Virus writers use these to prevent the virus from re-infecting infected disks (this makes detection harder). Similarly macro viruses usually have the same sequence of instructions. By checking for known signatures of known viruses, they can spot the known viruses easily.

Unfortunately, there are always new viruses coming out. Some anti-virus programs look for certain behaviors that are typical of certain classes of viruses. This is harder to do and some of these behavior can be typical of innocent programs as well.

What to do avoid being a victim

Do not open any files attached to an email from an unknown, suspicious or untrustworthy source.
Do not open any files attached to an email unless you know what it is, even if it appears to come from a dear friend or someone you know. Some viruses can replicate themselves and spread through email. Better be safe than sorry and confirm that they really sent it.
Do not open any files attached to an email if the subject line is questionable or unexpected. If the need to do so is there always save the file to your hard drive before doing so.
Delete chain emails and junk email. Do not forward or reply to any to them. These types of email are considered spam, which is unsolicited, intrusive mail that clogs up the network.
Do not download any files from strangers.
Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download the file at all or download the file to a floppy and test it with your own anti-virus software.
Update your anti-virus software regularly. Over 500 viruses are discovered each month, so you'll want to be protected. These updates should be at the least the products virus signature files. You may also need to update the product's scanning engine as well.
Back up your files on a regular basis. If a virus destroys your files, at least you can replace them with your back-up copy. You should store your backup copy in a separate location from your work files, one that is preferably not on your computer.
When in doubt, always err on the side of caution and do not open, download, or execute any files or email attachments. Not executing is the more important of these caveats. Check with your product vendors for updates which include those for your operating system web browser, and email. One example is the security site section of Microsoft located at http://www.microsoft.com/security.
If you are in doubt about any potential virus-related situation you find yourself in, you may report a virus to our virus team.

[http://us.mcafee.com/virusInfo/default.asp?id=tips]

[Back to the Notes Index]