VIRAL FAMILIARIZATION

By Kenneth L. Bechtel, II

Intro: Goals of the paper:

1. Set definitions for types of viruses.

2. Describe Viral Symptoms.

3. Understand how viruses are caught and spread.

4. Understand what you can do to delay or prevent Viral Attacks.

5. Be able to take appropriate actions while under a suspected or actual viral attack.

Definitions: The computer anti-virus community does not have 100% agreement on what constitutes a virus. The definitions I am about to give are accepted by a majority, but there are some variations.

1. VIRUS: A virus is a malicious, but not necessarily destructive, unauthorized, self-replicating string of computer code (or program). Arguably, a virus is parasitic, meaning it copies itself from and to another program and/or system environment. Some people believe that a virus does not need to be self-replicating or require a host.

2. TROJAN HORSE: A Trojan Horse is a malicious, usually destructive program hidden within what appears to be an interesting or useful program, e.g., a spreadsheet, calendar program or a game. Arguably, some people consider a Trojan Horse a virus. Trojan Horses, however, are not self-replicating; rather, they rely upon unsuspecting users to spread them.

3. LOGIC BOMB: A malicious program set to "go off" under a certain set of circumstances, when something happens or does not happen. Examples would be a date, a logon or the deletion of a user. These are generally destructive. Some people consider Logic Bombs viruses. Like the Trojan Horse, they are not self-replicating. However, unlike a Trojan Horse, a Logic Bomb may be programmed into a Virus or even a Trojan Horse. Logic Bombs are the most common means of employee revenge and are often targeted at one system or company.

4. WORMS: By themselves worms are non-destructive, and are used to infiltrate systems. Worms were originally used by system maintenance staff and administrators to locate trouble spots, but they were mutated to gain illegal access and passwords. The most troublesome worms are the ones that are so poorly programmed that they cause too many copies of themselves to infest a host machine, causing a system overload and resulting in a system crash. A Worm is a stand-alone program (non-parasitic) that can be self-replicating and could carry a Virus or Logic Bomb as a "payload". Some people consider Worms a virus. The most famous Worm would be the Internet Worm.

FAMILIARIZATION

1. TYPES OF VIRUSES:

  1. Common or File Infector - Attaches itself to Executable (.EXE) or Command (.COM) files. Every time an infected program is run, the virus loads itself into memory and infects the next non-infected program that is run.
  2. Multipartite - These viruses can infect both program files and boot sectors. They can be one of the most difficult infections to clean up if not done correctly.
  3. Boot Sector Virus - Resides in the boot sector of a disk, hard or floppy. The boot sector is the portion of a disk that gives it its identity (i.e., high density, low density, IBM, Apple, Mac, etc.). After a given number of boots, the virus activates and the system is usually destroyed. The destruction may be rewriting the boot sector, making the disk unbootable, or scrambling the File Allocation Table (FAT), which tells the computer where to find files and programs on the disk.
  4. Stealth Virus - Can be any one of the previously mentioned types, but is designed to defeat anti-viral scanning and other anti-viral detection software and methods.
  5. Macro Viruses - The newest in the computer virus family. While macro viruses have only been around since 1995, they have already surpassed the older viruses in the number of new variants in a measured time, as well as in speed and breadth of spread. Fortunately, right now most infections are limited to the Microsoft Office suite, although there are viruses for other applications, like the Amipro Spreadsheet program.

2. HOW CAUGHT/ SPREAD:

  1. Bottom line: viruses are caught and spread from infected machines by sharing floppies or files. Some software has been shipped from the companies already infected by viruses, but such cases are few and far between. A virus has NEVER been created by a user pressing the wrong keys.
  2. Trojan Horses are caught and spread by using unfamiliar software, usually downloaded from an Electronic Bulletin Board Service (BBS), the Internet or other unknown/questionable sources. Most BBSs do their best to scan for viruses, but some still get through.
  3. Modems - Although direct modem contact has not been a source of infection, the transfer and later execution of infected files has been a major source of infections.
  4. Boot sectors are infected by trying to boot off an infected diskette. The diskette does not need to be a bootable (system) diskette to transmit a boot sector virus. The message "NON SYSTEM DISKETTE" is stored in your diskette's boot sector, and all disks/diskettes have a boot sector.
  5. Viruses, and especially logic bombs, can be and are spread by disgruntled employees. They see this as a way to right wrongs done to them by the company.
  6. E-Mail has helped the proliferation of Macro Viruses like no other vector. While the E-mail text itself cannot spread a virus, E-mail attachments are ready transmitters.
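The boot sector's role described in the type list (it carries the disk's identity) and in item 4 above (it holds the "NON SYSTEM" message, and every diskette has one) can be seen by parsing one. The following Python is an added example, not code from the paper: the 512-byte sector it parses is constructed in the code from the standard DOS/FAT12 boot-sector layout (jump, OEM name, BIOS Parameter Block at offset 11, boot signature 55AA at offset 510), and the message text is an approximation of the DOS wording. The hash comparison is the defender's check: a boot sector virus must rewrite these 512 bytes, so comparing the sector against a hash taken when the disk was known clean reveals the change.

```python
import hashlib
import struct

# Media descriptor byte (BPB offset 21) to disk type; this is what gives a
# disk its "identity" in the paper's sense.
MEDIA_TYPES = {
    0xF0: "3.5in high-density floppy (1.44 MB)",
    0xF8: "fixed (hard) disk",
    0xF9: "3.5in 720 KB or 5.25in 1.2 MB floppy",
    0xFD: "5.25in 360 KB floppy",
}

# BIOS Parameter Block fields starting at offset 11, little-endian:
# bytes/sector, sectors/cluster, reserved sectors, FAT copies, root entries,
# total sectors, media descriptor, sectors/FAT, sectors/track, heads.
BPB_FORMAT = "<HBHBHHBHHH"
BPB_OFFSET = 11

def build_sample_boot_sector(message=b"Non-System disk or disk error"):
    """Constructed sample: a plausible 1.44 MB DOS floppy boot sector."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"                  # short jump over the BPB + NOP
    sector[3:11] = b"MSDOS5.0"                      # OEM name
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sector[62:62 + len(message)] = message          # text shown when the disk is not bootable
    sector[510:512] = b"\x55\xAA"                   # boot signature
    return bytes(sector)

def parse_boot_sector(sector):
    """Decode the identity fields and record a hash for later integrity checks."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte sector")
    (bytes_per_sector, _sectors_per_cluster, _reserved, fats, _root_entries,
     total_sectors, media, sectors_per_fat, _spt, _heads) = struct.unpack_from(
        BPB_FORMAT, sector, BPB_OFFSET)
    upper = sector.upper()
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").strip(),
        "bytes_per_sector": bytes_per_sector,
        "total_sectors": total_sectors,
        "media": MEDIA_TYPES.get(media, "unknown (0x%02X)" % media),
        "fat_sectors": fats * sectors_per_fat,      # size of the FAT area the paper mentions
        "has_signature": sector[510:512] == b"\x55\xAA",
        "has_non_system_message": (b"NON-SYSTEM DISK" in upper
                                   or b"NON SYSTEM DISK" in upper),
        "sha256": hashlib.sha256(sector).hexdigest(),
    }

def boot_sector_changed(baseline_sha256, sector):
    """True if the sector no longer matches the hash recorded when it was clean."""
    return hashlib.sha256(sector).hexdigest() != baseline_sha256

if __name__ == "__main__":
    clean = build_sample_boot_sector()
    report = parse_boot_sector(clean)
    for key, value in report.items():
        print("%-24s %s" % (key, value))
    altered = bytearray(clean)
    altered[100] ^= 0xFF                            # any rewrite of the sector is detected
    print("changed after rewrite:", boot_sector_changed(report["sha256"], bytes(altered)))
```

In practice the baseline hash is taken from a freshly formatted or known-clean disk and stored elsewhere (not on the disk being checked); a mismatch on a disk that has not been intentionally reformatted is the signal to stop and scan.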

3. SYMPTOMS: Each virus has its own set of symptoms, just as human viruses do. What I am going to give are generic symptoms and should not be considered exclusive or all-inclusive. These are some of the many different symptoms:

  1. Frequent System Crashes.
  2. Applications behaving erratically.
  3. Unexplained file size increases.
  4. System inexplicably slows down.
  5. Difficulty in accessing data files.
  6. Excessive, unexplained disk access.
  7. Strange or unusual displays, messages, or documents.

As you can see, these symptoms are very similar to "common" computer malfunctions, and in fact most such symptoms occur due to programming incompatibilities. The most "successful" viruses have no intentional payload that would tip the user off to their presence on the infected system. Notice that I have NOT said a word about damaged hardware; that is because hardware can NOT be damaged by software, and viruses are software. While rumors abound about exploding monitors and engraved hard drives, no one has yet produced a hardware-damaging virus.

4. COUNTERMEASURES:

The following are some steps to use to protect your home system.

  1. Purchase and use an Anti-Viral Product. Whatever package you choose will be based on cost and what your needs are; as a minimum, any scanner product should be NCSA Certified. I also recommend that whatever you do, you don't rely on just one package; double your bets and you'll be better off.
  2. When available, change the attributes of Command (.COM), Executable (.EXE) and System (.SYS) files to Read-Only. This will not stop viruses, but it will slow or stop someone from intentionally or unintentionally deleting programs. When you are updating a file, remember to return the attributes to normal, or else an "ACCESS DENIED" message will be the result.
  3. Purchase your software from a reputable dealer and scan it before installing.
  4. Do not "share" software. While this is illegal, it is also a large source of infections.
  5. Keep a dedicated disk for taking work home and to the office, and scan this disk often.
  6. Disable auto-launch of attachments in E-mail clients; it should be policy to scan all incoming documents and spreadsheets before opening them.
  7. Where possible, MS-Word should be set to save files in Rich Text Format (RTF) by default. This has the penalty of losing some formatting options, but RTF does not save macros.
  8. The cheapest method to protect against boot sector viruses is to change (where possible) the boot sequence of the computer, making it boot first from the hard drive and then the floppy, or to totally disable floppy boots. In most business and home environments, there is little need to ever boot from a floppy. In the odd event that there is a requirement to boot from floppy, e.g., a failed hard drive, you can always reset the CMOS values.
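Symptom 3 in the list above (unexplained file size increases) and countermeasure 2 (Read-Only .COM, .EXE and .SYS files) both come down to the same practice: record what your program files look like while the system is known clean, then compare. The following integrity checker is an added example written for this page, not the author's tool or any product's code. It fingerprints every program file under a directory (size, SHA-256, and whether the file is still writable), then reports anything that changed; the file names and contents in `demo()` are constructed in a temporary directory, and the check uses POSIX permission bits as a stand-in for the DOS read-only attribute (an assumption of this example).

```python
import hashlib
import os
import stat
import tempfile

# Program file types the paper singles out for Read-Only protection.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys")

def fingerprint(path):
    """Size, content hash, and whether the file is still writable.
    Assumption: POSIX write bits stand in for the DOS read-only attribute."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    writable = bool(st.st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return {"size": st.st_size, "sha256": digest, "writable": writable}

def take_baseline(root):
    """Fingerprint every program file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def compare(root, baseline):
    """Return sorted (path, finding) pairs for every deviation from the baseline."""
    current = take_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            # A file infector adds its own code, so the size usually grows;
            # a same-size change is still reported because the hash differs.
            findings.append((rel, "content changed, size %+d bytes"
                             % (new["size"] - old["size"])))
        if new["writable"]:
            findings.append((rel, "not read-only"))
    for rel in sorted(current.keys() - baseline.keys()):
        findings.append((rel, "new program file not in baseline"))
    return sorted(findings)

def demo():
    """Constructed scenario: two program files, one of which is later altered."""
    with tempfile.TemporaryDirectory() as root:
        edit = os.path.join(root, "EDIT.COM")
        game = os.path.join(root, "GAME.EXE")
        with open(edit, "wb") as fh:
            fh.write(b"constructed COM image " * 20)
        with open(game, "wb") as fh:
            fh.write(b"MZ" + b"constructed EXE image " * 40)
        os.chmod(edit, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)   # Read-Only, as step 2 advises
        os.chmod(game, stat.S_IRUSR | stat.S_IWUSR)                  # left writable
        baseline = take_baseline(root)
        # Simulate symptom 3, an unexplained size increase: 1024 bytes appended.
        with open(game, "ab") as fh:
            fh.write(b"\x00" * 1024)
        return compare(root, baseline)

if __name__ == "__main__":
    for rel, finding in demo():
        print("%-10s %s" % (rel, finding))
```

Run against a real program directory, the baseline should be taken right after a clean install and stored on a write-protected diskette; a scanner identifies known viruses, but a changed hash on a file you did not update is the generic symptom the paper describes, whether or not the scanner has a signature for it.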

5. TAKE APPROPRIATE ACTIONS: When you discover that you are infected or being attacked by a virus, or if you suspect you may be under attack, take the following actions:

  1. IMMEDIATELY stop all computer processing. Copy down the message that your Anti-Viral Product gives you and turn off the computer. Do not use this system until it is verified to be clean.
  2. Contact a local computer vendor or user's group to find someone experienced in viral cleanup. Tell them all the appropriate info, e.g., symptoms, messages, etc.
  3. If experienced Anti-Virus Technicians are not available, follow these instructions:
    1. Boot the infected system from a clean system diskette.
    2. Run a virus scanning utility.
    3. Clean up all infected files by using a disinfectant program or deleting them.
    4. Re-scan the infected disk or diskette to identify any files that are infected more than once.
    5. Reinstall all applications from distribution diskettes.
    6. Scan again to detect any possible "Shrink Wrap" infected programs.
    7. If the scan shows no trace of the virus you may begin computing again. Keep your eyes open for renewed symptoms.
    8. After the system is clean, scan all diskettes to attempt to find the source of the infection.

VIRUSES ARE NOT SOMETHING TO EXPERIMENT WITH, THEY ARE DANGEROUS.

NOTES:

Additional Reading:

The following is a list of recommended additional reading. While this list is not all-inclusive, it is a good starting point. All these books were written in the 90's and are relatively current in content.

COMPUTERS UNDER ATTACK: INTRUDERS, WORMS & VIRUSES

Edited by Peter J. Denning (1990, 150pp)

ROGUE PROGRAMS

Dr. Lance J. Hoffman (1990, 384pp)

COMPUTER VIRUS SURVIVAL GUIDE

David Stang (1991, 87pp)

PC VIRUS CONTROL HANDBOOK

Robert Jacobson (1990, 162pp)

EXECUTIVE GUIDE TO COMPUTER VIRUSES

Charles Rutstein (1992, 60pp)

All the above books and more are available through your local bookstore or from the National Computer Security Association (NCSA), whose address is as follows:

ICSA

1200 Walnut Bottom Drive

Carlisle, PA 17013

http://www.icsa.net

Disclaimer: While, as a computer specialist, I realize some of what I have written is oversimplified or seemingly flawed, please remember my target audience is viral beginners. This paper is not intended to be all-inclusive. For more information, contact your local library or book store. This paper is only to provide basic working knowledge of viruses and help the user protect themselves. I take no responsibility for any infection, damage or data loss the reader may incur. There is no 100% method, other than not using your P.C., to prevent a viral infection. If you follow the above suggestions, you will be fairly safe from infections.

The Author may be contacted:

on CompuServe at user # 72154,3302

Via Internet: kbechtel@bigfoot.com