
more virus info ...


Original Message
Name: hylian_lynk
Date: December 3, 2002 at 19:56:28 Pacific
Subject: more virus info ...
OS: xp pro
CPU/Ram: 2.1 ghz
Comment:

more virus info ...
---------------
What Do Viruses Do?

I'm going to present an easy to understand but detailed explanation of viruses and other types of malicious software. For now, it's enough to understand that viruses are potentially destructive software that spreads from program to program or from disk to disk. Computer viruses, like biological viruses, need a host to infect; in the case of computer viruses this host is an innocent program. If such a program is transferred to your PC, other programs on your PC will become infected. (I'll shortly explain in more detail how this happens.) Even though some viruses do not intentionally damage your data, I consider all viruses to be malicious software since they modify your programs without your permission with occasional disastrous results.

The bottom line is that if you have a virus, you are no longer in control of your PC. Every time you boot your PC or execute a program the virus may also be executing and spreading its infection. While most viruses haven't been written to be destructive, almost all viruses can cause damage to your files--mostly because the viruses themselves are very poorly written programs. If viruses destroy nothing else, they destroy your trust in your PC--something that is quite valuable.

Are Viruses Mostly Hype?

Unfortunately not! There is some confusion about this issue because some extreme claims have been made regarding numbers of viruses and how likely you are to become infected. During the Michelangelo media extravaganza in early 1991, some exaggerated figures were presented in the media which led some people to suspect that all viruses were nothing but hype. One company was quoted in Information Week that based on their reports, one out of four PCs was infected every month! (I won't speculate on the motivation for these types of claims.) You may also hear reports of there being from ten to thirty thousand different PC viruses with the number expected to double in six to nine months. So, are we faced with impending doom? No, not quite. The truth is viruses are very widespread but a relatively small number (about one-hundred) account for ninety percent of all infections. Most of the twenty thousand viruses in our collection are so poorly written that they will not spread in the real world. Many of these viruses are created by kids that can't even program. They use automated virus creation programs that produce very poor quality viruses. These viruses are so obvious that they rarely spread in the wild. Still, viruses are a real threat that we can't afford to ignore. Viruses have been found on brand-new PCs, direct from the manufacturer, and on shrink-wrapped software, direct from the publisher. Viruses are not merely hype and no one is safe from potentially being infected. If you value your data and programs, you have to take some precautions.

How Serious Are Viruses?

Viruses are a problem but they are not the main thing you should be concerned about. There are many other threats to your programs and data that are much more likely to harm you than viruses. Problems such as hardware glitches, software conflicts, software bugs, and even typos are much more likely to cause undetected damage to your data than viruses. A well known anti-virus researcher once said that you have more to fear from a spilled cup of coffee than from viruses. While the growth in number of viruses now puts this statement into question, it's still clear that there are many more occurrences of data corruption from other causes than from viruses. So, does this mean that viruses are nothing to worry about? Emphatically, no! It just means that we need to address the other threats to our data as well as viruses. Because viruses have been deliberately written to invade and possibly damage your PC, they are the most difficult threat to guard against. It's pretty easy to understand the threat that disk failure represents and what to do about it, but the threat of viruses is much more difficult to deal with.

Quick Virus Guidelines

It's important to keep viruses in perspective. They are but one threat to your data and programs. They need not be regarded as mysterious and they are quite easy to understand. Here are a few tips to keep in mind when considering viruses:

You can only get a virus by executing an infected program or booting from an infected diskette. Any diskette can be infected by a boot sector virus, even non-bootable diskettes.
You cannot get a virus simply by being on a BBS, the internet, or an online service. You will only become infected if you download an infected file and execute that file. (It's important to understand that Microsoft Office files act as executable programs since they can contain macro programs that are executed when you 'open' the file; so, to be safe, a Microsoft Word document or Excel spreadsheet should not be opened with the actual Microsoft application but rather with a viewer program such as those available from the Microsoft web site or simply discarded.)
Most viruses are transferred by booting from an infected diskette (e.g., Stoned, Form, Stealth-B, AntiExe, Monkey). Remove diskettes from your A drive as soon as you are through with the diskette. If your CMOS permits it, change your boot order to boot from your hard disk first. If you don't know what CMOS is, check the manual for your PC; there is normally an option when you boot your PC to hit a specific key to enter CMOS setup. This allows you to change many options on your PC.
Make sure you have at least two backups for all of your files. Backups are essential not only to safely recover from virus infections, but also to recover from the other threats to your data.
Be sure to check all new software for viruses. Even shrink-wrapped software from a major publisher may contain a virus.

Software attacks against your computer:

Viruses are one specific type of program written deliberately to cause harm to someone's computer or to use that computer in an unauthorized way. There are many forms of malicious software; sometimes the media calls all malicious software viruses, but it's important to understand the distinction between the various types. Let's examine the different types of malicious software:

Logic Bombs
Just like a real bomb, a logic bomb will lie dormant until triggered by some event. The trigger can be a specific date, the number of times executed, a random number, or even a specific event such as deletion of an employee's payroll record. When the logic bomb is triggered it will usually do something unpleasant. This can range from changing a random byte of data somewhere on your disk to making the entire disk unreadable. The changing of random data on disk may be the most insidious attack since it would do a lot of damage before it would be detected.
Trojans
These are named after the Trojan horse which delivered soldiers into the city of Troy. Likewise, a trojan program is a delivery vehicle for some destructive code (such as a logic bomb or a virus) onto a computer. The trojan program appears to be a useful program, but when a certain event occurs, it will attack your PC in some way.
Worms
A worm is a self-reproducing program which does not infect other programs as a virus will, but instead creates copies of itself, which create even more copies. These are usually seen on networks and on multi-processing operating systems, where the worm will create copies of itself which are also executed. Each new copy will create more copies, quickly clogging the system. The so-called Morris ARPANET/INTERNET "virus" was actually a worm. It created copies of itself through the ARPA network, eventually bringing the network to its knees. It did not infect other programs as a virus would, but simply kept creating copies of itself which would then execute and try to spread to other machines.
Viruses:
Here's our definition:

A virus is a program which reproduces its own code by attaching itself to other programs in such a way that the virus code is executed when the infected program is executed.

You could also say that the virus must do this without the permission or knowledge of the user.

What Viruses Do:

Our virus definition is very general and covers all viruses. Let's consider specifically how this works. Viruses are programs just like any other on your PC. They consist of instructions (what I like to call "code") that your computer executes. What makes viruses special is that they do their "job" by placing self-replicating code in other programs, so that when those other programs are executed, even more programs are "infected" with the self-replicating code. "Self-replicating code" is simply a program that copies itself to other programs. This self-replicating code, when triggered by some event, may do a potentially harmful act to your computer--but this is strictly optional. Only a minority of viruses contain deliberately destructive code. You could say that viruses are distributed in the form of a trojan. In other words, the virus code has been planted in some useful program. Since the virus infects other useful programs, absolutely any piece of executable code can suddenly become a trojan delivery vehicle for the virus.

Another way of looking at viruses is simply to consider them to be a program which can create copies of itself. These copies are inserted in other programs (infecting these programs). When one of these other programs is executed, the virus code (which was inserted in that program) executes, and places copies of itself in even more programs.

You'll notice that I used the word "attach" in our definition of a virus. This is because viruses can "attach" themselves to a program without directly modifying that program. This might seem hard to believe at this point, but I'll explain later exactly how they accomplish this trick.

When you consider our definition of viruses, it's important to understand that "programs" may exist in places that you don't expect. For example, all diskettes contain boot sectors which are "programs" that are executed when you boot your PC and Microsoft Office files (such as MS Word Documents and Excel Spread Sheets) can contain macros which are "programs" that can be executed when you open these files.

General Virus Behavior

Viruses come in a great many different forms, but they all potentially have two phases to their execution, the infection phase and the attack phase:

When the virus executes it will infect other programs. What is often not clearly understood is precisely when it will infect the other programs. Some viruses infect other programs each time they are executed; other viruses infect only upon a certain trigger. This trigger could be anything; it could be a day or time, an external event on your PC, a counter within the virus, etc. Some viruses are very selective about when they infect programs; this is vital to the virus's survival. If the virus infects too often, it is more likely to be discovered before it can spread far. Virus writers want their programs to spread as far as possible before anyone detects them. This brings up an important point which bears repeating:

It is a serious mistake to execute a program a few times -- find nothing infected and presume there are no viruses in the program. You can never be sure that the virus simply hasn't triggered its infection phase!

Many viruses go resident in the memory of your PC just as a terminate and stay resident (TSR) program such as Sidekick(R) does. This means the virus can wait for some external event such as inserting a diskette, copying a file, or executing a program to actually infect another program. This makes these viruses very dangerous since it's hard to guess what trigger condition they use for their infection. Resident viruses frequently corrupt the system software on the PC to hide their existence.

The second phase is the attack phase. Many viruses do unpleasant things such as deleting files or changing random data on your disk, simulating typos or merely slowing your PC down; some viruses do less harmful things such as playing music or creating messages or animation on your screen. Just as the virus's infection phase can be triggered by some event, the attack phase also has its own trigger. Viruses usually delay revealing their presence by launching their attack only after they have had ample opportunity to spread. This means that the attack may be delayed for years after the initial infection. The attack phase is optional; many viruses simply reproduce and have no trigger for an attack phase. Does this mean that these are "good" viruses? No, unfortunately not! Anything that writes itself to your disk without your permission is stealing storage and CPU cycles. This is made worse since viruses which "just infect", with no attack phase, damage the programs or disks they infect. This is not intentional on the part of the virus, but simply a result of the fact that many viruses contain extremely poor quality code. One of the most common viruses, the STONED virus, is not intentionally harmful. Unfortunately the author did not anticipate other than 360K floppy disks, with the result that the virus will try to hide its own code in an area on 1.2MB diskettes which causes corruption of the entire diskette.

Now that we've examined general virus behavior, let's take a closer look at the two major categories of viruses and how they operate.

System Sector Viruses (AKA Boot Sector Viruses)

These are viruses which plant themselves in your system sectors. System sectors are special areas on your disk containing programs that are executed when you boot your PC. Sectors are not files but simply small areas on your disk that your hardware reads in single chunks. Under DOS, sectors are most commonly 512 bytes in length. These sectors are invisible to normal programs but are vital for correct operation of your PC. They are a common target for viruses. There are two types of system sectors found on DOS PCs, DOS boot sectors and partition sectors (also known as Master Boot Records or MBRs). If the term boot sector is new to you, then please read the page on system sectors for more details on why system sectors are important and how they work.

System sector viruses (also commonly referred to as boot sector viruses) modify the program in either the DOS boot sector or the partition sector. Since there isn't much room in the system sector (only 512 bytes), these viruses often have to hide their code somewhere else on the disk. These viruses sometimes cause problems when this spot already contains data which is then overwritten. Some viruses, such as the Pakistani BRAIN virus mark the spot where they hide their code as having bad sectors. This is one reason to be alarmed if CHKDSK or Scandisk suddenly reports additional bad sectors on your disk. These viruses usually go resident in memory on your PC, and infect any floppy disk which you access. Simply doing a DIR on a floppy disk may cause it to be infected. Some viruses will infect your diskette as soon as you close the drive door. Since they are active in memory (resident), they can hide their presence. If BRAIN is active on your PC, and you use a sector editor to look at the boot sector of an infected diskette, the virus will intercept the attempt to read the infected boot sector and return instead a saved image of the original boot sector. You will see the normal boot sector instead of the infected version. Viruses which do this are known as stealth viruses. In addition to infecting diskettes, some system sector viruses spread by also infecting files.

File Viruses

In terms of sheer number of viruses, these are the most common kind. The simplest file viruses work by locating a type of file that they know how to infect (usually a file name ending in ".COM" or ".EXE") and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. These overwriting viruses do not tend to be very successful since the overwritten program rarely continues to function correctly and the virus is almost immediately discovered. The more sophisticated file viruses modify the program so that the original instructions are saved and executed after the virus finishes. Just as system sector viruses can remain resident in memory and use "stealth" techniques to hide their presence, file viruses can hide this way also. If you do a directory listing, you will not see any increase in the length of the file and if you attempt to read the file, the virus will intercept the request and return your original uninfected program to you. This can sometimes be used to your advantage. If you have a "stealth" virus (such as 4096 or Dir-2), you can copy your program files (*.EXE and *.COM files) to files with other extensions and allow the virus to automatically disinfect your files! If you "COPY *.COM *.CON", and then cold boot your PC from a known good copy of DOS and "REN *.CON *.COM", this will disinfect the renamed files.

Be aware that many file viruses (such as 4096 which is also known as Frodo) also infect overlay files as well as the more usual *.COM and *.EXE files. Overlay files have various extensions, but ".OVR" and ".OVL" are common examples.

Macro Viruses

There is a particular type of file virus that many people don't understand. These are the files from the Microsoft Office applications (e.g., MS Word, MS Excel, MS Access, etc.). These programs all have their own macro languages (a BASIC-like language) built in. The associated files (MS Word documents or templates and MS Excel spreadsheet files) are usually thought of only as data files so many people are surprised that they can be infected. But these files can contain programs (the macro language) that are executed when you load one of these files into the associated product. The program inside of these files is interpreted by the MS Office application. What is now a language originally began as a very simple macro language that the user could use to combine keystrokes to automate some routine function. The macro language in these products has since grown substantially and now is a fully capable language based on Visual Basic (VBA). Since anything that contains a program can potentially be infected by a virus, these files can harbor viruses.

Read about the threat of MS Word macro viruses (e.g., Concept) or MS Excel Macro Viruses.

What gives these viruses a chance to execute is the fact that Microsoft has defined special macros that will automatically execute. The mere act of opening an infected MS Word document or an infected MS Excel spreadsheet can allow the virus macros to be executed. (One simple prevention for this type of virus is to use the freely available (from Microsoft) viewer programs rather than MS Word or MS Excel to view these types of files.) Even MS Access database files (*.mdb files) can contain macro viruses. Read about: MS Access Macro Viruses.

Macro viruses have been very successful because most people regarded spreadsheets and documents as data, not as programs (and because many anti-virus programs were very slow to address this threat). If you use a mail reader or Web browser, it is very important to use a viewer rather than the full MS Office program (i.e., MS Word or MS Excel) if you want to automatically open downloaded MS Word documents or MS Excel spreadsheets.

---------------
How Does Anti-virus Software Work?

There are several techniques that can be used to detect or eliminate viruses. Each technique has its strengths and weaknesses. It's vital to understand exactly how much protection your anti-virus software can offer you. I'll explain how each technique works and what its weaknesses are. I'll also explain how to get the most protection out of this software. It would be ideal if anti-virus software actually stopped viruses from infecting your PC. One type of software (the interceptor) attempts this but it is no longer regarded as a primary defense against viruses since viruses can easily bypass this type of protection. The other anti-virus techniques attempt to detect viruses. If you can detect an existing virus, you can remove it and prevent it from spreading. The most popular technique to detect viruses is by scanning so I'll start there.

How Do Virus Scanners Work?

Once someone has detected and analyzed a virus, it is possible to write programs that look for telltale code (signature strings) characteristic of the virus. Remember, a virus must add its code to the infected file or boot sector. The writers of the scanner extract identifying pieces (signature strings) from code that the virus inserts. The scanner uses these signature strings to search memory, your files and system sectors. If there's a match, the scanner announces that it has found a virus. This obviously detects only known, preexisting, viruses and may result in a false virus indication (false-positive) if an innocent program contains code similar to a virus. Many so-called virus writers create "new" viruses by modifying existing viruses. This takes only a few minutes but creates what appears to be a new virus. It happens all too often that these viruses are changed simply to fool the scanners. They repeatedly make small changes to a virus until the scanners will no longer detect the virus. This requires little or no programming skill but allows someone to claim they wrote a new virus.

A major drawback to scanners is that it's hazardous to depend upon an old scanner. With the dramatic increase in the number of viruses appearing (more than 6,000 different viruses as this is being written), it's risky to depend upon anything other than a current scanner. Even that scanner is necessarily a step behind the latest crop of viruses since there's a lot that has to happen before the scanner is ready to handle new viruses:

The virus has to be detected somehow to begin with. Since the existing scanners can't detect the new virus, it has time to spread before someone detects it by other means. This requires something other than a scanner to detect the virus to begin with. If everyone depended only upon scanning, new viruses might never be detected.
The newly discovered virus must be sent to the programmers to analyze and extract a suitable signature string. This string must be tested for false positives on legitimate programs.
This string must be incorporated into the next release of the virus scanner.
The virus scanner must be distributed to the customer.
For some viruses it's impossible to isolate a small section of code to use as a signature string. These viruses are called polymorphic and require the writer of the scanner to write special code to recognize this virus. This requires a lot more work than simply isolating a signature string to scan for the virus. Some well-known existing scanners do not reliably detect some existing polymorphic viruses more than a year after the virus became known. (In an upcoming article I'll cover polymorphic viruses in more detail.)
In the case of retail software, the software must be sent to be

Scanning is the only technique that can recognize a virus while the virus is still safely sitting on a diskette or in an upload directory. Therefore scanning is the primary automatic technique that BBS sysops and software librarians use to check new programs. If scanning is your only defense against viruses, you can dramatically improve the odds that you will detect a new virus by using two or more scanners. If I run any scanner against my virus collection there will be one hundred to several hundred viruses missed by that scanner. If I run current releases of the three best scanners against this collection only a small number of viruses is missed by all three products. The more scanners the merrier!

An important warning for using scanners:

If you depend upon a scanner, be sure to get the latest version directly from the developer and consider using multiple scanners. Also, be sure that you boot from a clean write-protected copy of DOS before running the scanner; there's a good chance that the scanner can detect a resident virus in memory, but if it misses the virus in memory, the scanner will wind up spreading the virus rather than detecting it. Each and every susceptible program on your disk could be infected in a matter of minutes this way!

To get maximum protection out of your scanner, follow these rules:

Scan all new diskettes, even if they contain no programs. Any diskette may harbor a boot sector virus.
Be sure to cold boot your PC from a write-protected diskette before checking the hard disk for viruses. Most anti-virus products make this recommendation, but this rarely gets done because the recommendation is often buried in some obscure location in the documentation. If your PC is infected with a virus that your scanner does not recognize, you could infect all the programs on your disk. Don't take this chance; boot from a write-protected diskette before you scan.
Before you execute or install any new software, scan it first. If it comes with an install process, scan again after you install the software.
Unless you have additional anti-virus protection, make sure that you have the latest version of your scanner.
If you are exposed to many new programs consider using multiple scanners to maximize the odds that you will detect newer viruses.

Using Disinfectors:

Most vendors that sell scanners also sell a disinfector (often it's the same program). A disinfector has the same limitations that a scanner has, in that it must be current to be safe to use and it's always one step behind the latest crop of viruses. The disinfector, however, has an even bigger disadvantage: Many viruses simply cannot be removed without damaging the infected file. There have also been many reports that files are still damaged even when the program claims to have disinfected the file. A disinfector like a scanner can be a very handy tool in your anti-virus arsenal, but it must be used with care. If you use a disinfector, be sure you have the latest version and be sure to use a tool to verify that all files and system sectors are correctly restored.

There are a large number of viruses that no product can disinfect or remove from infected files at all. These viruses modify the programs in such a way that removal is not possible. The most common of these are the viruses that overwrite part of the programs they infect. The only way to remove these viruses is to restore the infected files from a backup.

It's ironic that even the most common file infecting virus of all won't be safely disinfected from all files. One of the oldest and most common infectors of files is the Jerusalem (1813) virus. All disinfectors naturally claim to be able to remove Jerusalem and its many variants. While Jerusalem will be correctly removed from many programs, there are some programs from which Jerusalem cannot be removed without damaging the original program. In spite of this, most (if not all) disinfectors claim to disinfect Jerusalem infected programs. A very dangerous situation! I'd like to stress that:

You cannot safely depend upon disinfectors as a way to recover from virus infections.

Disinfectors are helpful but they should be viewed only as an aid. Disinfectors can't remove many viruses at all and can't remove even the most common viruses from some files; it's simply not safe to expect a disinfector to be able to remove viruses from files.

A further problem with many disinfection programs is that some of your programs may no longer work after being disinfected yet the disinfector gives you no indication that it has failed to correctly restore the original program. You can more safely use a disinfector if you have the capability to verify that the original file was correctly rebuilt. (Our product Integrity Master gives you this capability but many products that claim to do checksumming or integrity checking read only part of the file and can't really check that a file is correctly restored.) Unless you have a product capable of full integrity checking, I strongly suggest that you restore your files from a backup, rather than depending upon the disinfector to do the job correctly.

Using Interceptors to Protect Against Viruses:

Interceptors (also known as resident monitors) are particularly useful for deflecting logic bombs and trojans. The interceptor monitors operating system requests that write to disk or do other things that the program considers threatening (such as installing itself as a resident program). If it finds such a request, the interceptor generally pops up and asks you if you want to allow the request to continue. There is, however, no reliable way to intercept direct branches into low level code or to intercept direct input and output instructions done by the virus itself. Some viruses attempt to modify the interrupt 13H and 26H vectors to disable any monitoring code. It is important to realize that monitoring is a risky technique. Some products that use this technique are so annoying to use (due to their frequent messages) that some users consider the cure worse than the disease! An interception (monitoring) product would be a useful adjunct to another protection program, as protection against some of the more simple-minded logic bombs. The bottom line here is that there are many ways for viruses to bypass interceptors so you cannot depend on an interceptor as your primary defense.

Using Inoculators

There are two types of inoculators or so-called immunizers. One modifies your files or system sectors in an attempt to fool viruses into thinking that you are already infected. The inoculator does this by making the same changes that the viruses use to identify the file or sector as infected. Presumably, the virus will not infect anything because it thinks everything is already infected. In the early days of viruses this technique may have had some value but this works only for a very small number of viruses and is generally considered a useless technique today.

The second technique is actually an attempt to make your programs self-checking by attaching a small section of check code onto your programs. When your program executes, the check code first computes the check data and compares it with the stored data. It will warn you if it finds any changes to the program. This can be circumvented by existing stealth viruses plus the self-checking code and check data can be modified or disabled. Another problem arises because some programs refuse to run if they have been modified in this way. This also creates alarms from other anti-virus programs since the attached self-check code changes the original program in the same way a virus would. Some products use this technique to substantiate their claim to detect unknown viruses. Needless to say, I do not recommend this approach either.

Using An Integrity Checker

Integrity check based products work by reading all of your disk and recording integrity data which acts as a signature for the files, boot sectors, and optionally other areas. In order for a virus to infect your PC, it must change something on that PC. The integrity check identifies these changes and alerts you to the virus. An integrity check program is the only solution that can handle all the other threats to your data along with viruses. Integrity checkers also provide the only reliable way to find what damage a virus has done. Since a virus must change or add something to your PC, a well written integrity checker should be able to detect any virus not just known viruses.

So, why isn't everyone using an integrity checker? Until recently, there hasn't been an integrity checker available without some significant drawbacks. First, an integrity checker generally won't identify a virus by name unless it also includes a scanner component. In fact, many anti-virus products now incorporate integrity checking techniques. One problem with many products is that they don't use these techniques in a comprehensive way. There are still too many things not being checked. Some older integrity checkers were simply too slow or hard to use to be truly effective. A disadvantage of a bare-bones integrity checker is that it can't differentiate file corruption caused by a bug from corruption caused by a virus. Only recently have advanced integrity checkers (e.g., Integrity Master) become available that incorporate the smarts to analyze the nature of the changes and recognize changes caused by a virus. (Integrity Master uses scanning and other anti-virus techniques along with integrity checking to improve its intelligence and ease of use.)

If you use an integrity checker, be sure to verify that your product will read all files and system sectors in their entirety rather than just spot checking. It's vital to be able to know positively that all your files are in good shape.
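The baseline-and-compare idea described in the post above, as an added example that is not part of the original post or of any product it names: it records a digest per file, then shows a change made past the first 512 bytes being caught by a full read and missed by a spot check. The function names, the 512-byte spot-check size and the sample files are assumptions constructed for the illustration.

```python
import hashlib, os, tempfile

def full_digest(path, chunk=65536):
    """SHA-256 over every byte of the file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def spot_digest(path, n=512):
    """Weak variant for comparison: hashes only the first n bytes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(n)).hexdigest()

def snapshot(root, digest=full_digest):
    """Map each file's path (relative to root) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            result[os.path.relpath(p, root)] = digest(p)
    return result

def compare(baseline, current):
    """Report paths added, removed or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample tree: alter one file mid-body, add a second file."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "app.bin")
        with open(target, "wb") as f:
            f.write(b"\x00" * 4096)
        base_full, base_spot = snapshot(root), snapshot(root, spot_digest)
        with open(target, "r+b") as f:   # change bytes beyond the spot check
            f.seek(2048)
            f.write(b"CHANGED")
        with open(os.path.join(root, "new.bin"), "wb") as f:
            f.write(b"added after baseline")
        return (compare(base_full, snapshot(root)),
                compare(base_spot, snapshot(root, spot_digest)))

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored where the checked machine cannot rewrite it, which is the same weakness the post notes for self-checking code that keeps its check data alongside the program.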




Response Number 1
Name: capt
Date: December 3, 2002 at 20:32:28 Pacific
Reply:

Thanks for the research and information! All the best!



Response Number 2
Name: dan
Date: December 4, 2002 at 03:54:12 Pacific
Reply:

yeah thanks a lot, top man



Response Number 3
Name: WhitPhil
Date: December 4, 2002 at 09:48:27 Pacific
Reply:

May I ask what the source is?
The information in it seems a little dated.



Response Number 4
Name: Latika
Date: December 4, 2002 at 10:25:06 Pacific
Reply:

Boy that was long! But very interesting I have to admit...once I started reading...I actually finished it all :)
Thanks for the info

Latika



Response Number 5
Name: hylian_lynk
Date: December 4, 2002 at 17:13:49 Pacific
Reply:

the source of this post is www.stiller.com .. i was looking for an integrity checker ... that site has some good info as well as Integrity Master :)




Response Number 6
Name: WhitPhil
Date: December 4, 2002 at 18:04:07 Pacific
Reply:

The reason I asked is that the author states that "You can only get a virus by executing an infected program or booting from an infected diskette" and that "You cannot get a virus simply by being on a BBS, the internet, or an online service".

That may have been true when he wrote the article originally, but it is certainly not true today.
As well, all the viruses referenced are from the dark ages, and he recommends using a boot disk to do a virus scan, and seems to worry about viruses arriving on floppy disks.

This information was valid when it was written, but virus writers have become much more intelligent (and the environment has grown technically complex), and there are more major areas to worry about than a virus on a floppy disk.


Note that the document on how AVs work has not been updated since August 12, 1998.

And on this page, http://www.stiller.com/common.htm, it says "We have just updated our virus list (July 3, 1997)!"

