In 1983, Fred Cohen coined the term "computer virus", postulating that a virus was "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." The term virus is actually an acronym for Vital Information Resources Under Seize. Mr. Cohen expanded his definition a year later in his 1984 paper, "A Computer Virus", noting that "a virus can spread throughout a computer system or network using the authorizations of every user using it to infect their programs. Every program that gets infected may also act as a virus and thus the infection grows." Computer viruses, as we know them now, originated in 1986 with the creation of Brain, the first virus for personal computers. Two brothers wrote it (Basit and Farooq Alvi, who ran a small software house in Lahore, Pakistan) and started the race between viruses and anti-virus programs which still goes on today.

Using the above explanation, it can be said that viruses infect program files. However, viruses can also infect certain types of data files, specifically those data files that support executable content, for example files created in Microsoft Office programs that rely on macros.

Compounding the definition difficulty, viruses also exist that demonstrate a similar ability to infect data files that don't typically support executable content, for example Adobe PDF files, widely used for document sharing, and .JPG image files. However, in both cases the respective virus has a dependency on an outside executable, and thus neither virus can be considered more than a simple 'proof of concept'. In other cases, the data files themselves may not be infectable but can allow for the introduction of viral code. Specifically, vulnerabilities in certain products can allow data files to be manipulated in such a way that the host program becomes unstable, after which malicious code can be introduced to the system.

These examples are given simply to note that viruses no longer relegate themselves to infecting program files, as was the case when Mr. Cohen first defined the term. Thus, to simplify and modernize, it can be safely stated that a virus infects other files, whether program or data.

Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person. There are similarities at a deeper level, as well. A biological virus is not a living thing. A virus is a fragment of DNA inside a protective jacket. Unlike a cell, a virus has no way to do anything or to reproduce by itself -- it is not alive. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the new virus particles bud off the cell one at a time, and the cell remains alive.

A computer virus shares some of these traits. A computer virus must piggyback on top of some other program or document in order to get executed. Once it is running, it is then able to infect other programs or documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks.

A computer virus is a program that replicates. To do so, it needs to attach itself to other program files (for example, .exe, .com, .dll) and execute whenever the host program executes. Beyond simple replication, a virus almost always seeks to fulfill another purpose: to cause damage.

Called the damage routine, or payload, the destructive portion of a virus can range from overwriting critical information kept in the hard disk's partition table, to scrambling the numbers in spreadsheets, to just taunting the user with sounds, pictures, or obnoxious effects.

It's worth bearing in mind, however, that even without a "damage routine", if a virus is allowed to run unabated it will continue to propagate, consuming system memory and disk space, slowing network traffic and generally degrading performance. Besides, virus code is often buggy and can also be the source of mysterious system problems that take weeks to understand. So, whether a virus is harmful or not, its presence on the system can lead to instability and should not be tolerated.

Some viruses, in conjunction with "logic bombs," do not make their presence known for months. Instead of causing damage right away, these viruses do nothing but replicate until the preordained trigger day or event, when they unleash their damage routines on the host system or across a network.

Impact of Viruses on Computer Systems

Viruses can be programmed to do many kinds of harm, including the following:

1. Copy themselves to other programs or areas of a disk.
2. Replicate as rapidly and frequently as possible, filling up the infected system's disk and memory and rendering the system useless.
3. Display information on the screen.
4. Modify, corrupt or destroy selected files.
5. Erase the contents of entire disks.
6. Lie dormant for a specified time or until a given condition is met, and then become active.
7. Open a back door to the infected system that allows someone else to access and even control the system through a network or internet connection.
8. Crash the system by causing some programs (typically Windows) to behave oddly.

How do viruses spread from one system to another?

The most likely virus entry points are email, Internet and network connections, floppy disk drives, and modems or other serial or parallel port connections. In today's increasingly interconnected workplace (Internet, intranet, shared drives, removable drives, and email), virus outbreaks can now spread faster and wider than ever before.

The following are some common ways for a virus to enter a user's computer system:

• Email attachments
• Malicious scripts in web pages or HTML email
• FTP traffic from the Internet (file downloads)
• Shared network files and network traffic in general
• Demonstration software
• Pirated software
• Shrink-wrapped, production programs (rare)
• Computer labs
• Electronic bulletin boards (BBS)
• Diskette swapping (using other people's diskettes for carrying data and programs back and forth)

High risk files

The most dangerous file types are .EXE, .COM, .XLS, .DOC and .MDB, because they don't need any special conversion to infect a computer -- all they have to do is run, and consequently the virus spreads. It has been estimated that 99% of all viruses are written for these file formats.

A list of possible virus carriers includes:

EXE - (Executable file)
SYS - (Executable file)
COM - (Executable file)
DOC - (Microsoft Word)
XLS - (Microsoft Excel)
MDB - (Microsoft Access)
ZIP - (Compressed file, common in the USA)
ARJ - (Compressed file, common in the USA)
DRV - (Device driver)
BIN - (Common boot sector image file)
SCR - (Microsoft screen saver)

Common Symptoms Of Virus Infection

• Computer does not boot.
• Computer hard drive space is reduced.
• Applications will not load.
• An application takes longer to load than normal.
• Hard drive activity increases, especially when nothing is being done on the computer.
• An anti-virus software message appears.
• The number of hard drive bad sectors steadily increases.
• Unusual graphics or messages appear on the screen.
• Files are missing (deleted).
• A message appears that the hard drive cannot be detected or recognized.
• Strange sounds come from the computer.

Some viruses take control of the keyboard and occasionally substitute a neighboring key for the one actually pressed. Another virus "swallows" key presses so that nothing appears on the screen. Also interesting are system time effects. Clocks going backwards are especially frightening for workers who cannot wait to go home. More seriously though, this type of virus can cause chaos for programs which depend on the system time or date.

Some viruses can cost the user dearly by dialing out on his modem. We do not know of one which dials premium telephone numbers, but no doubt we shall see one soon. One particularly malicious virus dials 911 (the emergency number in the USA) and takes up the valuable time of the emergency services.

Categories of viruses

Depending on the source of information, different types of viruses may be categorized in the following ways:

PDA VIRUSES

The increasing power of PDAs has spawned a new breed of viruses. Maliciously creative programmers have leveraged the PDA's ability to communicate with other devices and run programs to cause digital mayhem.

The blissfully safe world where users of these devices could synchronize and download with impunity came to an end in August 2000 with the discovery of the virus Palm Liberty. Since then, many more viruses have been discovered.

Though not yet as harmful as their PC-based cousins, these viruses still pose a threat to unsuspecting users. Their effects vary from the harmless flashing of an unwanted message or an increase in power consumption, to the deletion of all installed programs. But the threat is growing, and the destructiveness of these viruses is expected to parallel the development of the devices they attack.

MULTIPARTITE VIRUSES

A virus that combines two or more different infection methods is called a multipartite virus. This type of virus can infect both files and the boot sector of a disk. Multipartite viruses share some of the characteristics of boot sector viruses and file viruses: they can infect .com files, .exe files, and the boot sector of the computer's hard drive. On a computer booted up with an infected diskette, the typical multipartite virus will first make itself resident in memory and then infect the boot sector of the hard drive. From there, the virus may infect a PC's entire environment. Not many forms of this virus class actually exist. However, they do account for a disproportionately large percentage of all infections. Tequila and Anticad are examples of multipartite viruses.

BOMBS

The two most prevalent types of bombs are time bombs and logic bombs. A time bomb hides on the victim's disk and waits until a specific date before running. A logic bomb may be activated by a date, a change to a file, or a particular action taken by a user or a program. Bombs are treated as viruses because they can cause damage or disruption to a system.

BOOT SECTOR VIRUSES

Until the mid-1990s, boot sector viruses were the most prevalent virus type, spreading primarily in the 16-bit DOS world via floppy disk. Boot sector viruses infect the boot sector on a floppy disk and spread to a user's hard disk, and can also infect the master boot record (MBR) on a user's hard drive. Once the MBR or boot sector on the hard drive is infected, the virus attempts to infect the boot sector of every floppy disk that is inserted into the computer and accessed. Examples of boot sector viruses are Michelangelo, Satria and Keydrop.

Boot sector viruses work like this. Let us assume that the user received a diskette with an infected boot sector. The user copied data from it but forgot to remove it from drive A:. When he starts the computer the next time, the boot process will execute the infected boot sector program from the diskette. The virus will load first and infect the hard disk. Note that this can be prevented by changing the boot sequence in CMOS (let drive C: boot before A:). By hiding on the first sector of a disk, the virus is loaded into memory before the system files are loaded. This allows it to gain complete control of DOS interrupts; in the process it replaces the original contents of the MBR or DOS boot sector with its own contents and moves the original boot sector data to another area on the disk. Because the virus has infected a system area of the hard disk, it will be loaded into memory each time the computer is started. It will first take control of the lowest-level disk system services before executing the original boot sector code, which it has stored in another part of the hard disk. The computer seems to behave exactly as it should. Nobody will notice the extra few fractions of a second added to the boot sequence.

During normal operation the virus will happily stay in memory. Because it has control of the disk services, it can easily monitor requests for disk access, including diskettes. As soon as it gets a request for access to a diskette, it will determine that there is a diskette in the floppy drive. It will then examine its boot sector to see if it has already been infected. If it finds the diskette clean, it will replace the boot sector with its own code. From this moment the diskette will be a "carrier" and become a medium for infections on other PCs.

The virus will also monitor special disk requests for access to the boot sector. The boot sector contains its own code, and a request to read it could be from an anti-virus program checking for virus presence. The virus will not allow the boot sector to be read and will redirect all requests to the place on the hard disk where it has backed up the original contents. In this way nothing unusual is detected. Such methods are called stealth techniques, and their main goal is to mask the presence of the virus. Not all boot viruses use stealth, but those which do are common.

Boot viruses also infect the non-file (system) areas of hard and floppy disks. These areas offer an efficient way for a virus to spread from one computer to another. Boot viruses have achieved a higher degree of success than program viruses in infecting their targets and spreading.

Boot viruses can infect DOS, Windows 3.x, Windows 95/98, Windows NT, and even Novell NetWare systems. This is because they exploit inherent features of the computer (rather than the operating system) to spread and activate.

Cleaning up a boot sector virus can be performed by booting the machine from an uninfected floppy system disk rather than from the hard drive, or by finding the original boot sector and replacing it in the correct location on the disk.

CLUSTER VIRUSES

This type of virus makes changes to a disk's file system. If any program is run from the infected disk, the program causes the virus to run as well. This technique creates the illusion that the virus has infected every program on the disk.

E-MAIL VIRUSES

These types of viruses can be transmitted via e-mail messages sent across private networks or the internet. Some e-mail viruses are transmitted as an infected attachment, a document file or program that is attached to the message. This type of virus is run when the victim opens the file that is attached to the message. Other types of email viruses reside within the body of the message itself. To store a virus, the message must be encoded in HTML format. Once launched, many e-mail viruses attempt to spread by sending messages to everyone in the victim's address book; each of those messages contains a copy of the virus.

The latest thing in the world of computer viruses is the e-mail virus called Melissa virus which surfaced in

that are attached to the file. If one or more of the macros meet certain criteria, the application will also immediately execute these macros. Macro viruses rely upon this auto-execution capability to gain control of the application's macro system.

Once the macro virus has been loaded and executed, it waits for the user to edit a new document, and then kicks into action again. It attaches its virus macro programs onto the new document, and then allows the application to save the document normally. In this fashion, the virus spreads to another file and does so in a completely discreet fashion. Users have no idea of the infection. If this new file is later opened on another computer, the virus will once again load, be launched by the application, and find other unsuspecting files to infect.

Finally, as far as a macro virus is concerned, the application serves as the operating system. A single macro virus can spread to any of the platforms on which the application is installed and running. For example, a single macro virus that uses Microsoft Word could conceivably spread to Windows 3.x, Windows 95/98, Windows NT, and the Macintosh.

Macro viruses for Word

In the summer of 1995, Microsoft Word 6 was the first product affected by a macro virus. The first one (WM/Concept.A) was really only a proof of concept: one of the installed macros (called Payload) contained only this remark: "That's enough to prove my point"

Most macro viruses for Word use a feature called 'automacros'. The basic principle is that some macros with special names are automatically executed when Word starts, opens a file, or closes a file. The macro virus then inserts macros into NORMAL.DOT, a standard template which is loaded every time Word starts.

In Word there are some ways to disable automacros, but this isn't the ultimate solution. Some macro viruses use other methods to take control over the Word environment.

Another method of self-protection may be to set NORMAL.DOT to read-only. But this can also be bypassed and, in addition, it prevents the user from customizing the template.

Macro viruses for Excel

Excel has the same opportunities for virus authors as Word. It has automacros and a directory called XLSTART from which templates are automatically loaded.

But Excel does not have just normal VBA macros like Word. In Excel there are so-called 'formulas', macros stored in spreadsheet cells. The first macro virus using this technology was XF/Paix.

Macro viruses for other MS Office products

Writing a macro virus for other Office products is not difficult. There have already been some viruses for Access, and it is expected that there will be macro viruses for PowerPoint in the near future.

But those macro viruses are not as dangerous as the macro viruses for Word or Excel. Not because of some limitation of these other Office products, but because data files from these products are not so frequently shared.

There is one danger which can be seen in today's PowerPoint even without native macro viruses written for this product. Programmers can include in their presentation any number of objects from Excel or Word, and these objects can be infected with macro viruses. If they edit the presentation and open the infected object with its parent application, then the virus can spread further.

But the current situation may change dramatically over the next few years. Microsoft has licensed VBA technology to many firms, so one can expect to see more macro viruses for other products, too.

POLYMORPHIC VIRUSES

This type of virus can change itself each time it is copied, making it difficult to isolate. Most simple viruses attach identical copies of themselves to the files they infect. An anti-virus program can detect the virus's code (or signature) because it is always the same, and quickly ferret out the virus. To avoid such easy detection, polymorphic viruses operate somewhat differently. Unlike the simple virus, when a polymorphic virus infects a program, it scrambles its virus code in the program body. This scrambling means that no two infections look the same, making detection more difficult. These viruses create a new decryption routine each time they infect, so every infected file will have a different sequence of virus code.

STEALTH VIRUSES

Stealth viruses actively seek to conceal themselves from attempts to detect or remove them. They can also conceal changes they make to other files, hiding the damage from the user and the operating system. Stealth viruses, or Interrupt Interceptors, as they are sometimes called, take control of key DOS-level instructions by intercepting the interrupt table, which is located at the beginning of memory. This gives the virus the ability to do two important things: 1) gain control of the system by re-directing the interrupt calls, and 2) hide itself to prevent detection. They use techniques such as intercepting disk reads to provide an uninfected copy of the original item in place of the infected copy (read-stealthing viruses), altering disk directory or folder data for infected program files (size-stealthing), or both. For example, the Whale virus is a size-stealthing virus. It infects .EXE program files and alters the folder entries of infected files when other programs attempt to read them. The Whale virus adds 9216 bytes to an infected file. Because changes in file size are an indication that a virus might be present, the virus then subtracts the same number of bytes (9216) from the file size given in the directory/folder entry to trick the user into believing that the file's size has not changed.

An antivirus program which is not equipped with anti-stealth technology will be deceived.

COMPANION VIRUSES

A companion virus is the exception to the rule that a virus must attach itself to a file. The companion virus instead creates a new file and relies on a behavior of DOS to execute it instead of the program file that is normally executed. These viruses target EXE programs. They create another file of the same name but with a COM extension containing the virus code. These viruses take advantage of a property of MS-DOS which allows files to share the same first name in the same directory (e.g. ABC.EXE and ABC.COM) but executes COM files in preference to EXE files.

For example, the companion virus might create a file named and place it in the same directory as CHKDSK.EXE. Whenever DOS must choose between executing two files of the same name where one has an .EXE extension and the other a .COM extension, it executes the .COM file. This is not an effective way of spreading but has one big advantage: it does not amend files in any way and so can escape integrity tests or resident protection.

Another method which can be used by companion viruses is based on the defined path. A virus simply puts an infected file into a path directory listed before the directory that contains the original program.

PROGRAM VIRUSES

Like normal programs, program viruses must be written for a specific operating system. The vast majority of viruses are written for DOS, but some have been written for Windows 3.x, Windows 95/98, and even UNIX. All versions of Windows are compatible with DOS and can host DOS viruses with varying degrees of success. Program viruses infect program files, which commonly have extensions such as .COM, .EXE, .SYS, .DLL, .OVL, or .SCR. Program files are attractive targets for virus writers because they are widely used and have relatively simple formats to which viruses can attach.

Malicious Programs and Scripts

Viruses that infect agent programs (such as those that download software from the Internet; for example, JAVA and ActiveX).

WORM

A worm is a computer program that has the ability to copy itself from machine to machine. Worms normally move around and infect other machines through computer networks. An entire LAN or corporate e-mail system can become totally clogged with copies of a worm, rendering it useless. Worms are commonly spread over the internet via e-mail message attachments and through internet relay chat channels.

For example, the Code Red worm replicated itself over 250,000 times in approximately nine hours on July 19, 2001.

A worm usually exploits some sort of security hole in a piece of software or the operating system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a hole in Microsoft's SQL server.

Worms use up computer time and network bandwidth when they are replicating, and they often have some sort of evil intent. A worm called Code Red made huge headlines in 2001. Experts predicted that this worm could clog the Internet so effectively that things would completely grind to a halt.

The Code Red worm slowed down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did not have the Microsoft security patch installed. Each time it found an unsecured server, the worm copied itself to that server. The new copy then scanned for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies.

The Code Red worm was designed to do three things:

• Replicate itself for the first 20 days of each month
• Replace Web pages on infected servers with a page that declares "Hacked by Chinese"
• Launch a concerted attack on the White House Web server in an attempt to overwhelm it

The most common version of Code Red is a variation, typically referred to as a mutated strain, of the original Ida Code Red that replicated itself on July 19, 2001.

TROJAN HORSES

Trojans, another form of malware, are generally agreed upon as doing something other than the user expected, with that "something" defined as malicious. Most often, Trojans are associated with remote access programs that perform illicit operations such as password-stealing or which allow compromised machines to be used for targeted denial of service attacks. One of the more basic forms of a denial of service (DoS) attack involves flooding a target system with so much data, traffic, or commands that it can no longer perform its core functions. When multiple machines are gathered together to launch such an attack, it is known as a distributed denial of service attack, or DDoS.

Because Trojan horses do not make duplicates of themselves on the victim's disk (or copy themselves to other disks), they are not technically viruses. But because they can do harm, many experts consider them to be a type of virus. Trojan horses are often used by hackers to create a back door to an infected system. Trojans such as Back Orifice are very dangerous. If anyone runs this program and his computer is connected to the internet, then the hacker can take control of that computer: transfer files to or from the computer, capture screen contents, run any program or kill any running process, etc.

Once a Trojan is installed onto the system, this program has the same privileges as the user of the computer and can exploit the system to do something the user did not intend, such as:

• Delete files
• Transmit to the intruder any files that the user can read
• Change any files that the user can modify
• Install other programs with the user's privileges
• Execute privilege-elevation attacks: the Trojan can attempt to exploit a weakness to raise the level of access beyond the user running the Trojan. If successful, the Trojan can operate with increased privileges.
• Install viruses
• Install other Trojans

The Following Tips Will Help The User To Minimize Virus Risk:

If users are truly worried about traditional (as opposed to e-mail) viruses, they should be running a more secure operating system like UNIX. One should never hear about viruses on these operating systems because the security features keep viruses (and unwanted human visitors) away from the hard disk.

If users are using an unsecured operating system, then buying virus protection software is a nice safeguard. Some popular anti-virus programs include:

• McAfee Virus Scan
• Norton Anti Virus
• Virex
• PC-cillin
• Avast!
• AVG Anti Virus System

Automatic protection of anti-virus software should be turned on at all times.

Users should perform a manual scan (or schedule a scan to occur automatically) of their hard disks weekly. These scans supplement automatic protection and confirm that the computer is virus-free.

Scan all floppy disks before first use.

Disable floppy disk booting -- most computers now allow the user to do this, and that will eliminate the risk of a boot sector virus coming in from a floppy disk accidentally left in the drive.

Users should enable the Automatic Update option of their anti-virus software in order to update their virus definition files.

A rescue disk should be created and maintained by the user in order to facilitate recovery from certain boot viruses.

Periodic backups of the hard disk should be made.

Users should buy legal copies of all software they use and make write-protected backups.

Email messages and email attachments from unknown people should not be opened. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files and they can do no damage (noting the macro virus problem in Word and Excel documents mentioned above). A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Further, it should be verified that the "author" of the email has actually sent the attachments. Newer viruses can send email messages that appear to be from a person the user knows.

Users should make sure that Macro Virus Protection is enabled in all Microsoft applications, and they should never run macros in a document unless they know specifically the functionality of the macros.

Appropriate passwords should be assigned to shared network drives.

Things that are not viruses!

Joke programs

Joke programs are not viruses and do not inflict any damage. Their purpose is to frighten their victims into thinking that a virus has infected and damaged their system. For example, a joke program may display a message warning the user not to touch any keys or else the computer's hard disk will be formatted.

Droppers

A dropper is a program that is not a virus, nor is it infected with a virus, but when run it installs a virus into memory, onto the disk, or onto a file. Droppers have been written sometimes as a convenient carrier for a virus and sometimes as an act of sabotage.

Hoaxes

There must be very few people on email who haven't received a chain letter with the subject line warning of a virus doing the rounds. These are often hoaxes, meant to scare people and have fun at their expense. The warnings encourage the recipient of the e-mail to pass the warning to the netizens and thus create an unnecessary furor, besides clogging
| March 1999. Melissa spread in Microsoft Word | | | | mailboxes, as it usurps an air of credibility. |
| documents sent via e-mail, and it worked like this: | | | | Methodology of virus detection applied by antivirus |
| Someone created the virus as a Word document | | | | softwares: |
| uploaded to an Internet newsgroup. Anyone who | | | | Three main methods exist for detecting viruses: |
| downloaded the document and opened it would | | | | integrity checking (also known as checksumming), |
| trigger the virus. The virus would then send the | | | | behavior monitoring and pattern matching (scanning). |
| document (and therefore itself) in an e-mail message | | | | Integrity checking |
| to the first 50 people in the person's address book. | | | | Antivirus programs that use integrity checking start |
| The e-mail message contained a friendly note that | | | | by building an initial record of the status (size, time, |
| included the person's name, so the recipient would | | | | date, etc.) of every application file on the hard drive. |
| open the document thinking it was harmless. The | | | | Using this data, checksumming programs then |
| virus would then create 50 new messages from the | | | | monitor the files to see if changes have been made. |
| recipient's machine. As a result, the Melissa virus was | | | | If the status changes, the integrity checker warns |
| the fastest-spreading virus ever seen and it forced a | | | | the user of a possible virus. |
| number of large companies to shut down their e-mail | | | | However, this method has several disadvantages, the |
| systems at that time. | | | | biggest being that false alarms are altogether too |
| The ILOVEYOU virus, which appeared on May 4, | | | | common. The records used by checksumming |
| 2000, was even simpler. It contained a piece of code | | | | programs are often rendered obsolete by legitimate |
| as an attachment. People who double clicked on the | | | | programs, which, in their normal course of operations, |
| attachment allowed the code to execute. The code | | | | make changes to files that appear to the Integrity |
| sent copies of itself to everyone in the victim's | | | | checker to be viral activity. Another weakness of |
| address book and then started corrupting files on the | | | | integrity checking is that it can only alert the user |
| victim's machine. This is as simple as a virus can get. | | | | after a virus has infected the system. |
| It is really more of a Trojan horse distributed by | | | | Behavior monitoring |
| e-mail than it is a virus. | | | | Behavior Monitoring programs are usually terminate |
| The Melissa virus took advantage of the | | | | and stay resident (TSR) and constantly monitor |
| programming language built into Microsoft Word called | | | | requests that are passed to the interrupt table. |
| VBA, or Visual Basic for Applications. It is a complete | | | | These programs are on the lookout for activities that |
| programming language and it can be programmed to | | | | a virus might engage in--requests to write to a boot |
| do things like modify files and send e-mail messages. | | | | sector, opening an executable program for writing, or |
| It also has a useful but dangerous auto-execute | | | | placing itself resident in memory. The behavior these |
| feature. A programmer can insert a program into a | | | | programs monitor is derived from a user-configurable |
| document that runs instantly whenever the | | | | set of rules. |
| document is opened. This is how the Melissa virus | | | | Pattern matching |
| was programmed. Anyone who opened a document | | | | Using a process called "pattern matching," |
| infected with Melissa would immediately activate the | | | | the anti-virus software draws upon an extensive |
| virus. It would send the 50 e-mails, and then infect a | | | | database of virus patterns to identify known virus |
| central file called NORMAL.DOT so that any file saved | | | | signatures, or telltale snippets of virus code. Key |
| later would also contain the virus! It created a huge | | | | areas of each scanned file are compared against the |
| mess. | | | | list of thousands of virus signatures that the |
| FILE INFECTING VIRUSES | | | | anti-virus software has on record. |
| File infectors operate in memory and usually infect | | | | Whenever a match occurs, the anti-virus software |
| executable files with the following extensions: *.COM, | | | | takes the action the user has configured: Clean, |
| *.EXE, *.DRV, *.DLL, *.BIN, *.OVL, *.SYS. They | | | | Delete, Quarantine, Pass (Deny Access for Real-time |
| activate every time the infected file is executed by | | | | Scan), or Rename. |
| copying themselves into other executable files and | | | | Self Defense Mechanisms Evolved By Viruses |
| can remain in memory long after the virus has | | | | Virus authors of course wish that their child |
| activated. | | | | successfully lives. For this reason there are many |
| Thousands of different file infecting viruses exist, but | | | | viruses outfitted with some self-defense mechanisms |
| similar to boot sector viruses, the vast majority | | | | against anti virus systems. |
| operates in a DOS 16-bit environment. Some, | | | | Passive Defense : |
| however, have successfully infected the Microsoft | | | | Viruses use a variety of methods to hide themselves |
| Windows, IBM OS/2, and Apple Computer Macintosh | | | | from antivirus programs. Passive defense uses |
| environments. | | | | programming methods which make analysis of the |
| File viruses can be separated further into | | | | virus more difficult, e.g. polymorphic viruses which |
| sub-categories by the way they manipulate their | | | | were developed to counter scanners looking for |
| targets: | | | | constant strings of virus code. |
| TSR FILE VIRUSES | | | | Today antivirus systems are capable of analyzing |
| A less common type of virus is the | | | | polymorphic code and searching for virus identifiers in |
| terminate-and-stay-resident file virus. As the name | | | | the decrypted body. The virus authors reacted by |
| suggests these infect files usually these are .com and | | | | making the encryption too complex for antivirus |
| .exe files. there are however some device driver | | | | software to unravel, thus mistaking it for a clean |
| viruses, some viruses that infect overlay files, and | | | | program. |
| although over 99% of executable programs have the | | | | Active Self-defense : |
| extension .com and .exe, some do not .For a TSR | | | | Viruses actively defend themselves by protecting |
| virus to spread some one has to run an infected | | | | their own code or by attempting to damage antivirus |
| program. The virus goes memory resident typically | | | | software. A simple method is to locate antivirus |
| looking at each program run thereafter and infects it. | | | | software databases and amend or delete them. |
| Examples of TSR file viruses are Dark Avenger and | | | | More sophisticated resident viruses use stealth |
| Green Caterpillar. | | | | techniques. When they detect a request to use an |
| OVERWRITING VIRUSES | | | | infected file, they can temporarily "clean" |
| These viruses infect by overwriting part of their | | | | it or report its original (uninfected) parameters. They |
| target with their own code but, by doing so, they | | | | can monitor which programs are being executed and |
| damage the file. The file will never serve another | | | | react if it is antivirus software. The list of such |
| purpose other than spreading the virus further. | | | | reactions is endless. Usually, the execution of the |
| Because of this they are usually detected quickly and | | | | antivirus program is refused, but it could be erased |
| do not spread easily. | | | | (often accompanied by a bogus error message) or |
| PARASITIC VIRUSES | | | | the virus suspends its activities while it runs. There |
| These viruses attach themselves to executables | | | | are occasionally extremely 'clever' viruses which |
| without substantially changing the contents of the | | | | modify the code of a specific AV program to partially |
| host program. They attach by adding their code to | | | | disable it. |
| the beginning, end, or even middle of the file and | | | | There are very rare viruses which consider an |
| divert program flow so that the virus is executed | | | | attempt to run an anti-virus program as arrogant and |
| first. When the virus has finished its job, control is | | | | immediately reply with some revenge action - for |
| passed on to the host. Execution of the host is a | | | | example hard disk formatting. |
| little delayed but this is usually not noticeable. | | | | Trap |
| MACRO VIRUSES | | | | A trap is the most malicious form of self-defense and |
| Many older applications had simple macro systems | | | | works as follows. Although the user’s |
| that allowed the user to record a sequence of | | | | computer is infected but everything appears to work |
| operations within the application and associate them | | | | correctly. Once the user discovers the virus and |
| with a specific keystroke. Later, the user could | | | | removes it things get complicated - programs no |
| perform the same sequence of operations by merely | | | | longer run properly or the hard disk may become |
| hitting the specified key. | | | | inaccessible even when booting from a clean system |
| Newer applications provide much more complex | | | | diskette. |
| macro systems. User can write entire | | | | The best known trap virus is One_Half. It |
| macro-programs that run within the word processor | | | | continuously encrypts the data on a hard disk (two |
| or spreadsheet environment and are attached | | | | tracks on every boot). If it is removed from the |
| directly onto word processing and spreadsheet files. | | | | partition sector before data files are decoded then |
| Unfortunately, this ability also makes it possible to | | | | some files will become inaccessible. At this stage the |
| create macro viruses. | | | | situation is serious but recovery of the data is still |
| Macro viruses currently account for about 80 percent | | | | possible. However, if the user runs a disk utility |
| of all viruses, according to the International Computer | | | | (Scandisk etc.) to repair the damage then the data |
| Security Association (ICSA), and are the fastest | | | | will almost certainly be lost forever. |
| growing viruses in computer history. Unlike other virus | | | | These utilities are designed to repair relatively minor |
| types, macro viruses aren’t specific to an | | | | damage to file system and do not recognize the |
| operating system and spread with ease via email | | | | encrypted data. |
| attachments, floppy disks, Web downloads, file | | | | REFERENCE: |
| transfers, and cooperative applications. | | | | 1. Mary Landesman “What is a virus?” |
| Macro viruses are, however, application-specific. A | | | | 2. NetGuide “What are computer viruses? |
| macro virus is designed to infect a specific type of | | | | “– |
| document file, such as Microsoft word or excel files. | | | | 3. Marshall Brain “How Computer Viruses |
| They infect macro utilities that accompany such | | | | Work” How Computer Viruses Work.htm |
| applications as Microsoft Word and Excel, which | | | | 4. AVG Anti Virus Free Edition Help |
| means a Word macro virus cannot infect an Excel | | | | Developed by Grisoft Inc |
| document and vice versa. A macro virus is embedded | | | | 5. Norton Anti-virus Help |
| in a document file and can travel between data files | | | | Developed by Symantec Corporation |
| in the application and can eventually infect hundreds | | | | 6. Trend Micro PC-cillin Help |
| of files if undeterred and in the process do various | | | | Developed by Trend Micro Inc |
| levels of damage to data from corrupting documents | | | | 7. Peter Norton “Computer Viruses” |
| to deleting data. | | | | Introduction to Computers, Tata McGraw Hill Co: |
| Macro viruses are written in "every man's | | | | 8. Dr.Solomon ”About Viruses” |
| programming language" -- Visual Basic -- and are | | | | &”Virus Prevention” |
| relatively easy to create. They can infect at different | | | | Dr.Solomon’s Virus Encyclopedia, |
| points during a file's use, for example, when it is | | | | Dr.Solomon’s Software Ltd. |
| opened, saved, closed, or deleted | | | | 9. C.A.Schmidt ”Virus” |
| A typical chronology for macro virus infection begins | | | | The Complete Computer Upgrade And Repair Text |
| when an infected document or spreadsheet is loaded. | | | | Book,Dreamtech |
| The application also loads any accompanying macros | | | | 10. S. |