Appendix C— Computer VirusesYou may have seen the TV commercial: a bored-looking of- across networks. Viruses can be programmed to replicate fice worker sits in her cubicle, checking her e-mail. She and travel in many ways. perks up when she sees a message with an exciting subject Here are some common ways to pick up a virus: line, then unthinkingly opens the message. Instantly, a >> Receiving an infected file attached to an e-mail mes- menacing-looking character appears on her computer sage, or a virus hidden within the message itself. E-mail screen, “eats” the program icons on her desktop, and an- has become the single most common method for spread- nounces that she has just unleashed a virus. Within sec- ing viruses, especially now that so many people use the onds, the same chaos erupts in the surrounding cubicles, Internet to exchange messages and files. Viruses can and it becomes clear that the worker has made a horrible even be spread through online chat rooms and instant mistake. messenger programs. In reality, computer viruses aren’t so dramatic. In fact, most viruses are designed to hide, do their work quietly, and avoid detection for as long as possible. But a virus’s damage can be dramatic in the extreme, causing untold losses to data and productivity. “Touch a key, Because of their ability to cause damage and disruption, and your data gets it!” viruses have been big news in recent years, especially with the outbreak of e-mail viruses beginning in the late 1990s. These viruses alone have accounted for billions of dollars in downtime and lost data in the past few years. Experts pre- dict that virus attacks will only increase in the future. Even so, many computer users are unaware of the dan- gers posed by viruses and make no effort to protect their computers and data from viruses. This is the primary reason viruses continue to be so successful. What Is a Computer Virus? A virus is a parasitic program that infects another legiti- :: Viruses may not look menacing, but they can do all kinds of damage. mate program, which is sometimes called the host. To infect the host program, the virus 1 The programmer creates a boot sector modifies the host to store a virus and stores it on a hard disk. The copy of the virus. Many virus is copied to any floppy disk that is viruses are programmed to inserted into the same computer. do harm once they infect the victim’s system. As you will see later, a virus can be designed to do various kinds 2 The programmer distributes infected of damage. But the ability floppies to other users. to do damage is not what defines a virus. To qualify as a virus, a 3 The hard disks of other users are program must be able to infected by the infected floppy. Every replicate (make copies of) floppy that is placed in an infected itself. This can mean copy- computer also becomes infected, and ing itself to different places the number of infected computers grows exponentially. on the same computer or looking for ways to reach other computers, such as by infecting disks or traveling :: Many viruses can spread by copying themselves to floppy disks or recordable CDs. As shown here, each time an infected machine’s user gives someone else a disk, a copy of the virus goes with it. 532 or destroy selected files. of service (DOS) attack” or a “distributed de- nial of service (DDOS) attack. For example.” because it pre- vents the server from providing services to users. restore systems. and many create viruses to perform a specific 2 The virus sends a copy of type of task. viruses can be devastating in terms of lost data and productivity. as shown here. In this case. you need to protect your network. Virus programmers can be extremely creative. executable file (a program) on the disk. you probably will not know if you have down- loaded an infected file. someone else to access and even take control of the sys- tem through a network or Internet connection. could be stored in the boot sector of the disk or in an >> Modify. and ensure against fu- be able to infect other systems through that connection. given Server the right circumstances. If the network is connected to the and remove viruses.>> Downloading an infected file to your computer across a Viruses can be programmed to do many kinds of harm. nearly any one can strike at any time.S. and then become active. rendering the >> Receiving an infected disk (a diskette. use the zombies to send thousands of requests to a spe- 1 This PC becomes cific Web server. the virus may lost or corrupted data. companies lose billions of dollars every year to damage caused by viruses. jan Horse. In this simple each year—as workers sit idle. however. infected by an Such an attack is sometimes called a “denial e-mail virus. network.” which the virus’s author can use to at- specific damage. effectively shutting it down. Viruses may seem like major problems for individual computer users. Most of the expenses come 3 Soon. Regardless. the author can damage to a computer system if permitted to run. This list is by no means comprehensive. But companies also lose valu- able work time—millions of person-hours :: Viruses also can spread through a network connection. 533 >>> . and they can do great ate a large number of zombie systems. someone with a CD-R drive. Such viruses are described as benign. >> Replicate as rapidly and frequently as possible. and can be used to turn an infected system their purpose is to annoy their victims rather than to cause into a “zombie. >> Erase the contents of entire disks. a high-capacity floppy disk. tack other systems. Unless you including the following: have antivirus software that inspects each incoming file >> Copy themselves to other programs or areas of a disk. which quickly spreads to other computers on their computers. ture attacks. the virus >> Display information on the screen. through e-mail or simply by travelling across system against all kinds of viruses. by using viruses to cre- Other viruses are indeed malicious. and so on) from another user. U. for viruses. every other computer from the time and effort required to locate on the network is infected. >> Copying to your disk a document file that is infected >> Lie dormant for a specified time or until a given condi- with a macro virus. copied from another disk or received as an attachment to >> Open a “back door” to the infected system that allows an e-mail message. a CD created by system useless. one PC has been infected by a virus. sometimes with a specific victim itself to other PCs on the in mind. or the Internet. This type What Can a Virus Do? of virus may actually be a type of program called a Tro- The majority of computer viruses are relatively harmless. because the network connections. For corporations. unable to use example. rebuild CONTINUED Internet or a WAN. An infected document might be tion is met. filling up the infected system’s disks and memory. the network. corrupt. an online service. from corrupting documents to deleting data. such as Microsoft Word or Ex- to be read as though a normal start-up were occurring. not inflict any damage. These viruses take up residence in the the victim opens the file that is attached to the mes. This type of virus is run when >> Stealth Viruses. computer’s memory. Joke programs are not viruses and do infected system as described earlier. but they fected disk. a virus onto your PC. >> E-mail Viruses. cate itself. which are >> Cluster Viruses. macro virus. or a particular action taken by a user or a program. >> Bombs. also can issue certain operating-system commands. Once launched. When an cally viruses. a boot sector virus infects the boot sector of a hard or floppy disk. but some do. But. Regardless. the message ing the damage from the user and the operating system. disguised as a macro. A worm is a program whose purpose is to dupli- victims into thinking that a virus has infected and dam. hid- body of the message itself. Regarded as one of the most hos.com files). Because Trojan Horses do messages contains a copy of the virus. >> Polymorphic. must be encoded in HTML format. aged their system. the virus’s code is also perts consider them to be a type of virus. Bipartite. bombs are treated as viruses because they can cause damage or disruption to a system. some Trojan everyone in the victim’s address book. copies itself into memory where it can hide and infect >> Macro Viruses. Self-Encrypting. A macro virus is designed to infect a spe- other disks. For example. because they can do harm. different types of viruses may be described in slightly different ways. To store a virus. A Trojan Horse is a malicious program e-mail viruses attempt to spread by sending messages to that appears to be friendly. the program causes the virus to run as well. For example. :: An e-mail attachment may look harmless. The two most prevalent types of bombs are time bombs and logic bombs. making it difficult to isolate. Other types of e-mail viruses reside within the also can conceal changes they make to other files.) A This technique creates the illusion that the virus has in. If any program is run from the in. Their purpose is to frighten their >> Worms. An effective worm will fill entire disks with 534 . or Self- ternet. They sage. many ex- infected program is launched. many >> Trojan Horses. (Macros are typ- disk’s file system. Self-Garbling. When the computer is started. is embedded in a doc- fected every program on the disk. attached to the message. The virus allows the actual boot sector data cific type of document file. a change to a file. Some e-mail viruses are transmitted as an in. Trojan Horses executed. they are not techni- gram files on a disk (such as . The virus moves the boot sector’s data to a different play a message warning the user not to touch any keys part of the disk. but opening it could unleash >> Boot Sector Viruses. A time bomb hides on the vic- tim’s disk and waits until a specific date (or date and time) before running. the virus or the computer’s hard disk will be formatted. ically used to issue program-specific commands. or Multipartite Viruses. Changing Viruses.exe or . This type of virus can infect both files and the boot sector of a disk. This type of virus can change itself fected attachment—a document file or program that is each time it is copied. This area of the disk stores essential files the computer accesses during start. making them hard to detect. a joke program may dis- up. are often used by hackers to create a “back door” to an >> Joke Programs. tile types of virus. This type of virus makes changes to a small programs that execute commands. Categories of Viruses Depending on your source of information. ument file and can do various levels of damage to data. Some specific categories of viruses include the following: >> Bimodal. Many experts do not classify bombs as viruses. E-mail viruses can be transmitted via e-mail messages sent across private networks or the In. not make duplicates of themselves on the victim’s disk >> File-Infecting Viruses. (or copy themselves to other disks). These documents can include macros. each of those Horses appear to be games. This type of virus infects pro. cel files. A logic bomb may be activated by a date. >> Norton AntiVirus monly spread over the Internet via e-mail message at- tachments and through Internet Relay Chat (IRC) >> Virex channels. Most Start by being aware that viruses can come from many antivirus programs allow you to make various settings. mentation thoroughly and master all of its functions. signed to spread to other computers. A homemade data CD or floppy disk can tion. load suspicious code onto your PC. Safeguarding a system against viruses is not difficult if you Once you install the software. such sources—even sources you trust. however. worms are treated as though they were viruses. which can disable any download a file via a network or Internet connection. even programs purchased in tions and set them to give you maximum protection. Most macro to prevent it from running. rendering it useless. an e-mail as activating automatic e-mail scanning. For example. scan your computer’s disks at least known to harbor viruses on rare occasions. Many antivirus software vendors allow users to down- and activated. Once shrink-wrapped packages from reputable stores have been the program is in place. After it is installed on your system all. Sophisticated copies of itself and will take up as much space as possi. your program may CONTINUED tion is to treat all e-mail messages and disks as potential include a scheduling function that can automate disk- carriers of infection. :: Macro viruses have become such a problem that many software programs now provide built-in security measures against them. Technically. An entire LAN or Some popular antivirus programs include corporate e-mail system can become totally clogged with >> McAfee VirusScan copies of a worm. Checking for viruses requires antivirus software. be sure to read its docu- have a little knowledge and some utility software. too. a worm is not the same as a virus. This screen files automatically every time you insert any kind of disk or shows Microsoft Word’s macro security settings. However. The best precau. a good antivirus program checks for infected load updated virus definitions or virus patterns (databases 535 >>> . :: Scanning a computer’s memory and hard disk with Norton AntiVirus. and because they can do considerable damage. simply having antivirus software on your com- puter is not enough to keep viruses away. This is where Preventing Infection many casual computer users slip up and allow their systems to be infected. Worms are com. antivirus utilities can also scan e-mail messages and at- tached files as you receive or send them. so you may need to activate a friend or colleague because it has already infected that them yourself and choose settings to control their opera- person’s computer. which Because new viruses are released almost daily. In fact. Make sure that you understand all the program’s op- be infected. no anti- scans your computer’s memory and disks for known viruses virus program can offer absolute protection against them and eradicates them. virus scanners can also alert you if a Web page attempts to ble in the host system’s memory. All these options virus may arrive in your inbox disguised as a message from may not be active by default. >> PC-cillin Because worms have become so prevalent in recent >> Avast! years. once every week to check for viruses. Many worms are de. scanning for you. It’s also a good idea to stay up to date on the latest news about viruses. :: Many reputable Web sites. http://www.com/vir-info >> CERT Coordination Center Computer Virus Resources. to make sure you are protected against the latest viruses.f-secure.com >> IBM Antivirus Research. download. Whether you choose to update your antivirus software man- ually or automatically.org/other_sources/viruses. A few other sources of general virus-related information are >> Computer Security Institute (CSI).research.com >> Symantec Security Response.vmyths. A good way to do that is to visit the Web site of your antivirus software program’s developer. http://www.html 536 . automatically. of information about viruses and code that can eradicate them) to their programs over the Internet. http://www. :: Downloading updated virus definitions from the McAfee VirusScan Web site. http://www.ibm. :: Setting options in Norton AntiVirus.cert.gocsi. whenever your computer is connected to the Internet. http://www.com/avcenter >> F-Secure Security Information Center.com/antivirus >> Vmyths. and in- stall updated virus definitions by themselves. such as the CERT Coordination Center. The newest- generation antivirus programs can find. provide up-to-the-minute information on viruses and virus prevention.symantec.com. you should do it at least once a week. http://www.