DISCLAIMER

The content of this document is the opinion and/or statement of its author and its re-publication here does not signify any endorsement by StarLink-IRC.Org.

VIRUSES: A FEW FACTS

Author: Unknown

It seems that they're coming more frequently and with greater malicious virulence than ever. Computer viruses have infected hundreds of millions of computers worldwide, from the computer you have at home, to the ones used every day by major corporations and governments. The recent attacks by Melissa and ExploreZip have caused entire computer networks to become infected, crippling the companies and government agencies who use them. It's not surprising that there's so much fear surrounding computer viruses. No one wants them, but fears of infection and urban legend have also caused unnecessary worry. In this article, we'll discuss what viruses are, what they can (and can't) do, and what you can do to protect yourself against infection.

First I'd like to pass along a couple of authoritative sources for information regarding computer viruses. The National Institute of Standards & Technology (NIST) at http://csrc.nist.gov/virus/ maintains a website dedicated to current information about viruses, virus hoaxes, and FAQs. They also provide links to other anti-virus sources, including the CIAC (part of the U.S. Department of Energy) and other reference sites. A second source of information can be found at http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/Viruses/ . Use these references often to get the latest word on viruses.

Exactly what is a virus? David Harley, author of the alt.comp.virus FAQ, defines viruses and their close cousins, Trojan horses, very succinctly below:

"A (computer) virus is a program (a block of executable code) which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user."

"Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them."

"A Trojan Horse is a program intended to perform some covert and usually malicious act which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce, (though this distinction is by no means universally accepted)."

"A dropper is a program which installs a virus or Trojan, often covertly."

Viruses exist in several forms: file viruses, boot sector/partition sector viruses, and multipartite viruses. There are also so-called Microsoft Macro viruses (which typically affect only Microsoft documents, such as Word, Excel, or PowerPoint documents). We'll discuss Macro viruses separately.

File viruses are typically contained in an infected application you might have received from a friend or downloaded across the net. Regardless of how you received the infected file, launching the application triggers the virus to infect your system. Typically such viruses attach themselves to key system files, so that every time you start up the infected system from your hard drive, the virus is loaded into memory and waits to infect other applications as you open them. If one of your infected applications makes its way to someone else, the cycle begins again. This is how most viruses are spread via networks and on the internet.

Boot Sector/Partition Sector viruses live in the boot sector or the partition sector of a DOS-formatted disk, and alter the executable code that resides in the first sector (boot sector). The infector program executes its own code, typically infecting the boot sector or partition sector of the hard disk, so that every time the computer is booted, the virus is loaded into memory. Thereafter, any write-enabled disks or drives used on the infected system become infected themselves. When such infected disks are then inserted into another system, they infect the new system, and the virus spreads. This means that the primary means of infection is the physical transfer of write-enabled media, such as floppies, Zip disks, MO disks, etc.

Perhaps the most widespread viruses are multipartite viruses. These have some of the features of both File viruses and Boot sector/Partition sector viruses. In most cases, the virus resides in an infected program that, when launched, triggers the virus to infect the hard disk's boot sector or partition sector, and then goes on to infect system files and other applications as they are launched on the computer. Then, if files are transferred to another recipient, or write-enabled media is inserted into the now-infected system, the virus is spread.

Over the past few years, we've seen the rapid emergence of yet another form of virus, the so-called Microsoft Macro virus. Unlike the previous virus forms, macro viruses typically embed themselves in Microsoft documents that support the Microsoft macro language (i.e., Word, Excel, and PowerPoint files), and can change global variables of these applications to allow macros to be inserted automatically into working Microsoft documents. More recently, we've seen the introduction of macro viruses that have the ability to alter the Windows Registry and have used Microsoft Outlook to covertly send emails with infected attachments (as in the recent case of the Melissa virus). However, macro viruses cannot actually infect application files; rather, they change the global settings and templates of certain Microsoft programs so that any documents opened in these programs are infected with the macro virus. When the infected document is passed to another user who opens the document, the macro virus installs itself in that user's Microsoft application. Note, however, that macro viruses cannot infect the boot or partition sectors.

Then, there are Trojan horses. These are programs that are represented as being something other than they really are, secretly hiding their true (and frequently malicious) intent. Unlike viruses, true Trojan horses have historically not been self-replicating. Typically, when they are launched, they do their damage and that's the end of it. However, there are new hybrid Trojan horses that also send copies of themselves via email, such as Happy99.exe. It appears as an attachment to an email from someone you know. When you run it, it will display some fireworks. Apart from the fireworks, however, it will also create two files, SKA.EXE and SKA.DLL, and alter WSOCK32.DLL to put its code into that file; it keeps the original file as WSOCK32.SKA. The modified WSOCK32.DLL has routines to detect the email and newsgroup postings made by the user. It will send a copy of the SKA.EXE file, renamed as happy99.exe, to every mail recipient or newsgroup to whom the user sends an email. Each recipient will receive the email only once; the Trojan will not send again to the same email address. It sends a separate email retaining the subject of the first email sent by the user, but with the file as an attachment. The Trojan also maintains the file LISTE.SKA, which contains the list of all email addresses and newsgroups to which this file has been sent. The unique feature of this Trojan is that it can spread on its own.
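As an added defender's check (example code written for this page, not part of the original article), the following Python script looks over a directory for the Happy99 artifacts described above: the dropped SKA.EXE, SKA.DLL and LISTE.SKA, the WSOCK32.SKA copy of the original winsock, and a WSOCK32.DLL that no longer matches that copy. The sample directories it builds are constructed for the demonstration; in practice you would point happy99_indicators at the real Windows system directory.

```python
"""Check a directory for the Happy99 artifacts the article describes."""
import hashlib
import os
import tempfile

# File names the article says Happy99 creates or leaves behind
# (Windows file names are case-insensitive, so we compare lower-cased).
DROPPED_FILES = ("ska.exe", "ska.dll", "liste.ska")
PATCHED_DLL = "wsock32.dll"
ORIGINAL_BACKUP = "wsock32.ska"


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def happy99_indicators(system_dir):
    """Return a sorted list of indicators found; a clean directory gives []."""
    present = {name.lower(): name for name in os.listdir(system_dir)}
    findings = []
    for name in DROPPED_FILES:
        if name in present:
            findings.append("dropped file present: " + present[name])
    if ORIGINAL_BACKUP in present:
        findings.append("winsock backup present: " + present[ORIGINAL_BACKUP])
        if PATCHED_DLL in present:
            dll = os.path.join(system_dir, present[PATCHED_DLL])
            backup = os.path.join(system_dir, present[ORIGINAL_BACKUP])
            # The kept .SKA copy is the untouched original, so any difference
            # means the live DLL has been modified.
            if _sha256(dll) != _sha256(backup):
                findings.append("wsock32.dll differs from its .ska backup")
    return sorted(findings)


def build_sample_dir(infected):
    """Constructed sample directory for the demo, not a real system."""
    d = tempfile.mkdtemp(prefix="happy99_demo_")
    with open(os.path.join(d, "WSOCK32.DLL"), "wb") as fh:
        fh.write(b"fake winsock" + (b" + trojan stub" if infected else b""))
    if infected:
        with open(os.path.join(d, "WSOCK32.SKA"), "wb") as fh:
            fh.write(b"fake winsock")  # the original copy Happy99 keeps
        for name in ("SKA.EXE", "SKA.DLL", "LISTE.SKA"):
            open(os.path.join(d, name), "wb").close()
    return d


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, happy99_indicators(build_sample_dir(flag)))
```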

So what can you do to protect yourself against viruses?

Two things: be informed about viruses, and get yourself good anti-virus software such as Symantec's Norton Anti-Virus, McAfee VirusScan, or one of the other anti-virus utilities. You'll have to get your own anti-virus software, but let's address some misconceptions about viruses:

Q: I recently received a warning from a friend that simply reading an email titled "Good Times" [or other email name; see below - ed] would result in a virus destroying my computer. Is this true?

A: This is really a two-part question. First of all, the "Good Times" virus is a well-known hoax. Simply reading an email cannot cause your computer to be infected by a virus. However, attachments to email messages could contain viruses which, if opened, can infect your computer. If your computer should become infected, though, be aware that no virus can actually inflict physical damage to your computer hardware. Although viruses can delete files, reformat your hard drive and do other damage to code, they cannot damage the hardware itself. Some might argue the point that the CIH virus (aka "Chernobyl") can render a computer unusable by overwriting the BIOS, but by definition it is not destroying hardware. Only the code in the BIOS chip has been corrupted. If you can somehow rewrite the code to the BIOS chip, the computer will be usable again.

Notwithstanding that the names of the emails are different (i.e., "Good Times", "Penpals", "Join the Crew", etc.), the hoax is the same, as can be verified at . There is absolutely no way that opening (or otherwise reading) an email can cause a virus to be passed to your computer. It just can't happen.

Q: What do I do if I get an attachment in an email?

A: Use caution. Even though you may have received the attachment in an email from a trusted source or friend, there are several viruses (notably "Melissa" and "Happy99") that attach themselves to email sent by an unsuspecting friend, and can infect your system if you open them. Check every attachment with an anti-virus utility before opening it, just to be safe.

Q: If I get a virus, what can happen?

A: Viruses may be benign, or they may trigger on specific dates or other pre-determined criteria. Sometimes they can be quite dangerous and might delete files from your hard drive, or completely wipe it clean. I don't mean to cause undue concern, but some viruses are very hostile, and their potential risks are very real.

Q: What do I do if I think a virus has infected my computer?

A: First, don't panic. More damage has been caused by panic than by the viruses themselves. Next, shut down your computer and don't use it again until you have secured a current anti-virus software utility; if you work in a company or other institution with computer support staff, notify them so they can perform the necessary diagnostics and maintenance. If your computer is at home or in your own office, follow the directions that accompanied your anti-virus software to examine and, if necessary, disinfect your system. This typically means restarting your computer from the anti-virus CD-ROM or other bootable media, performing a virus scan on the suspected drive, and then disinfecting it. If you find your computer has become infected, it's a good idea to contact any people who have received files from you (by email, across your office network, by sharing disks, etc.) and tell them that they should examine their systems, too.

A word to the wise: an ounce of prevention is worth a pound of cure. Buy your anti-virus software and install it on your computer before you need it. Modern anti-virus software can be configured to run in the background and helps prevent infection before it ever happens.

Oh, and did I mention that backing up your data is a good thing? In the event your computer contracts any of the nastier virus strains that erase files or format hard drives, backups ensure that you have all of your data intact. Interested parties may want to review the two-part series "What's Your Data Worth?" in the TalkAbout section of the iDOT.com website. Go to http://www.idot.com/iForum/TalkAbout/ to read more.

In closing, let me leave you with a couple of thoughts. Remember: don't panic. Be informed. It's your best weapon against viruses. The next best weapons are current anti-virus software and a little common sense.