The Yeshua Worldwide Network of Churches

Harmful Computer problems faced by the Home User!!!
I wanted to write a few things about computer viruses, Trojans and adware/spyware
for home computer users who are rather new to using a computer.
If you look at the excellent virus information written by
Dr. Sir Lyndon P. Edwards D.D. A.D.
further down this page, you can find out very satisfactorily what viruses,
Trojans and the like are and what they do. There are just a few other things
which I would like to go into in a little more depth.
Firstly, most people in the computer world do not bother with
the different categories, i.e. Trojans, viruses, malware, etc. They mostly
group them all under the term “virus”. If you find yourself confused or have
any questions, please write to me or to the website owner, who will pass any
comments and questions to me, and I will endeavour to clarify the point.
I will give a list of the different types of “Virus” that I am going to cover
in this article and their meanings, similar to that of my esteemed colleague,
and in addition add websites where you can go to receive information and help.
Email Hoaxes – emails sent to either gain money or sympathy, or to frighten
and mislead.
Spyware – software surreptitiously installed on a hard disk without the user's
knowledge that relays encoded information on his or her identity and Internet
use via an Internet connection.
Adware – advertising-supported software; any software application in which
advertisements are displayed as a popup while the program is running.
Malware – software such as viruses or Trojans designed to cause damage or
disruption to a computer system.
I want to show you, by giving examples of personal experiences that I have
had with each of these groups, how I was able to deal with the repercussions
(if any). Like many of you, I often receive emails containing poems, jokes and
funny anecdotes from friends and relations, but there are many others received
in addition to these that have a more sinister implication.
To give you an example of an Email Hoax I will copy one here:
I'm 11 years old. My mommy worked on
the 20th floor in the World Trade Tower. On Sept. 11 2001 my daddy drove my mom
to work. She was running late so she left her purse in the car. My daddy seen it
so he parked the car and went to give her the purse. That day after school my
daddy didn't come to pick me up.
Instead a police man came and took me to foster care.
Finally I found out why my daddy never came.. I really loved him.... They never
found his body.. My mom is in the Hospital since then.. She is losing lots of
blood.. She needs to go through surgery.. But since my daddy is gone and no one
is working.. We have no money .. And her surgery cost lots of money.. So the Red
Cross said that.. for every time this email is fwd we Will get 10 cent for my
mom's surgery. So please have a heart and fwd this to everyone you know I really
miss my daddy and now I dont want to lose my mommy too.. R.I.P. Daddy..
To me this particular Email Hoax is very upsetting, as I am an American and lost
friends/family in the WTC on 9-11. It also has the effect of seeming real, as
there were many incidents similar to what is written above. But with one
difference…this is a hoax. You can find out whether such emails you receive are
hoaxes in one of two ways. One: search on the internet, or go to
http://hoaxbusters.ciac.org/HoaxBustersHome.html
as they update their site with new hoaxes regularly. Two: contact by phone
the charity mentioned in the email. In this case it was the Red Cross.
There are phone numbers you can get that will allow you to find out whether
such fundraising is genuine. As I’ve said many times to friends who have
passed such emails to me without realizing they were hoaxes, motivated by deep
concern: “There is no way for an email to be tracked in such a way.”
Now I know what you are going to say to yourself: “Why is this mentioned in an
article about viruses?” Well, here’s my answer. There are more types than just
the one mentioned above. I will give another example:
Subject: This is a legit warning
Check this one out!!!!
Warning
Emails
with pictures of Osama Bin-Laden hanged are being sent and the moment that you
open these emails your computer will crash and you will not be able to fix it!!!
This e-mail is being distributed through countries around the globe, but mainly
in the US and Israel.
Don't be inconsiderate; send this warning to whomever you know.
In this part of the email the hoaxer gives a very plausible explanation of how
the “virus” works. This is why so many people are hoaxed into believing
that a computer expert is giving them information that is vital to protect their
computer as well as their friends.
Confirmed at:
http://www.snopes.com/computer/virus/osama.asp
Origins: There are few headlines that
would grab the attention of more computer users around the world than "Osama bin
Laden Captured," and that's exactly what whoever created this lure was counting
on to snare unsuspecting victims who use Microsoft platforms.
"Osama bin Laden Captured" isn't a virus in itself;
it's the text of a message that includes a link to a file called
EXPLOIT.EXE. When a message
recipient clicks on this link to view what he thinks are pictures of Osama bin
Laden's capture, he can end up downloading an executable Trojan known as
Backdoor-AZU,
BKDR_LARSLP.A,
Download.Trojan, TrojanProxy.Win32.Small.b, or
Win32.Slarp. Clicking
the embedded link in the "Osama bin Laden Captured" message auto-executes a file
called "EXPLOIT.EXE,"
which exploits a known security hole to download the Trojan. According to McAfee
Security:
The Trojan opens a random port on the victim's machine. It sends the Port
information to a webpage at IP address
66.139.77.145. The Trojan listens on the open port
for instructions and redirects traffic to other IP addresses.
Spammers and hackers can take advantage of compromised systems by using the
infected computer as a middleman, allowing them to pass information through it
and remain anonymous.
Microsoft has made available updates that close the hole exploited by this
Trojan.
Once again this is an example of an Email Hoax to scare people. I have received
such an email as have friends of mine and have opened it and NOTHING
HAPPENED!!!!!
Now, as you can see, I know about computers, but such emails may not always
fall into the hands of people like me who are computer literate.
For instance (and I have my husband’s permission to add this), The Archbishop of
Cumbria, The Most Reverend Dr. Charles Anderson DD, didn’t know about computers
until we started dating. Before that he received an email similar to this one,
opened it, did not recognize it as a hoax, literally screamed with horror and
completely wiped his computer to save his hard drive. The consequence was that
he, as a writer, had printed out his stories but lost some other vital
material he worked with that he could not print.
Now I must add that you cannot always be sure whether or not such emails are
virus infected, as there are some malicious people who do program a “virus”
into their emails. My best advice is this: If you do not recognize who sent the
email, do not open it!!! You can on some occasions report such emails, like the
one above, to either Microsoft, as is mentioned in the case above, or to
Symantec, which is also known as Norton. Symantec is the company name, whereas
Norton is just the name of the Antivirus Software they publish.
Now one other thing before I move on. You may say to yourself “Well, all my
emails are scanned by McAfee or Norton or whatnot.” Well, yes, that is the
case, but one thing I know is that there are new viruses every day that are
designed to slip past Antivirus Software, and in some cases they are successful
and can do a lot of damage. One thing I recommend is that you go to the Symantec
Website if you notice your computer is acting sluggish or even opening programs
that shouldn’t be running. Symantec has a diagnostic tool that you can
use to scan your computer for any new viruses that your virus database may not
contain. They also provide tools that you can download and use to remove any
such viruses. The web link below is where you can go to download such tools.
http://www.symantec.com/enterprise/security_response/removaltools.jsp
Okay, now with that out of the way, there are three other problems which can do
damage to the computer: Adware, Spyware and Malware. The effects of these are
varied and can range from annoying popups to completely wiping your computer.
Now, first things first…. Adware: advertising-supported software, any software
application in which advertisements are displayed as a popup while the program
is running.
Such things as Limewire, Kazaa or any other peer-to-peer software contain Adware.
A lot of the time it can be just a simple advertisement which runs along the
bottom of your software program advertising other software programs, or in some
cases it can be a popup which will continually pop up when you close one. Most
“Free” programs have Adware, as the company has to have their money
come from somewhere to make it possible to publish their software for free.
Most of the time these can be a nuisance, but they are not really harmful except
for possibly slowing down the speed of your computer.
Spyware: software surreptitiously installed on a hard disk without the user's
knowledge that relays encoded information on his or her identity and Internet
use via an Internet connection.
Again, most of the time Spyware isn’t harmful except for slowing down your
computer, as it has to connect via the internet to the parent company to send
information. There are exceptions to this rule, though. There are companies who
are scammers who wish to find out personal information such as Bank Accounts,
Credit Card Numbers etc., and they can use Spyware inserted into a program to
gain such information. Trojans are often used as Spyware to gain said
information.
Again here personal experience helps. Fortunately for me I’ve never had an
instance where a bank account or credit card was accessed or information stolen
through Spyware but I have had trouble with Spyware on many occasions slowing
down my computer.
There are many programs out there today for the detection and removal of Adware
and Spyware. Two of the best I have used are Ad-Aware and Spybot.
Now I’ve used them both, but currently I do not really have a need for Spybot as
my antivirus software takes care of that. I still use Ad-Aware, as there is often
Adware that will creep onto the computer which my antivirus software does not
catch. Examples of Spyware are Top Text and Search Assistant. These two are the
non-dangerous type and are often found on any computer on which the user has
downloaded freeware or shareware, and they can slow down your computer. As I
have said, I do not find I need to use Ad-Aware or Spybot now, but they are two
which I recommend if you have another antivirus system on your computer.
The Antivirus which I use, Avast!, is a free program which I have found works
wonderfully. I have yet to have a virus on my computer that it hasn’t found, or
even Spyware that it hasn’t warned me of, or Adware even in some cases. As I
say, it is a free program, but only for Home users. Professional users such as
companies have to buy it, so I guess it’s not that bad. Once a year you have to
send in an email to apply for a new license. I am adding the link for the Avast
software in this article so that you can read about it as well as download it.
http://www.avast.com/eng/avast_4_home.html
The last but not least of the 4 trouble spots which I mentioned at the
beginning of this article is Malware. The definition is thus: Malware – software
such as viruses or Trojans designed to cause damage or disruption to a computer
system.
Malware cannot always be detected by normal antivirus software. You will need a
special detection scanner. This can be found at Microsoft’s website:
http://www.microsoft.com/security/malwareremove/default.mspx
This is what I use on my own personal computer, and so far I have not had the
need for it, but I do not wish to be without it as you can never know.
Malware isn’t a “Virus” so to speak, but a classification of “viruses”
which do harm to the computer. Again, in the Malware category there are
different classifications, but all are damaging. I won’t go into all the
different classes, but I will show you via a webpage that I found while working
on this article: http://www.spyware-removal-info.com/malware.html
This is a good site for the explanation of the different classes of Malware.
Some of it was already covered in my colleague's page, so some of it may be
known to you, but it is still a good article to read for information on what
they do, how they do it, and how to get rid of them.
I hope that this article may clear up any problems that you may have now or may
have in the future. If you should still need clarification on anything which I
have covered or not covered, please feel free to contact me through Yeshua
International, as they will pass on any questions or comments.
Chaplain Monia Anderson

ALL ABOUT VIRUSES
Dr. Sir Lyndon P. Edwards DD, AD
Frequently Asked Questions
(Please read in conjunction with the following article)
Viri: (see documentation; is an example)
Virii: (see documentation; is an example)
Trojan: (Name of a virus)
Stoned: (Name of a virus)
Parity.b: See Documentation
FORMAT: Format of hard disk
int 21: See Documentation
int 21h: See Documentation
Droppers: See Documentation
BSVs: See Documentation
Form: See Documentation
MBR: See Documentation
DOS: Disk Operating System
DBR: See Documentation
OS/2: Operating System
UNIX: Operating System
Michelangelo: (Name of a virus)
Macro: A compound statement of commands
AMP.GreenStripe: See Documentation
DOC: Document files, e.g. Word
AmiPro: Software package
SMM: See Documentation
XM.Laroux: See Documentation
TSR file: Terminate and stay resident program
COM: Short program used in DOS systems
Dark Avenger: See Documentation
Green Caterpillar: See Documentation
DIR: Directory
AUTOEXEC.BAT: Batch file program
Tequila: See Documentation
Starship: See Documentation
DIR II: See Documentation
FAT: File allocation table
fast infector: See Documentation
slow infector: See Documentation
Brain: See Documentation
polymorphic virus: See Documentation
DOS 2: See Documentation
Eddie lives: See Documentation
Cheeba: See Documentation
Vacsina.44.login: See Documentation
GP1: See Documentation
BBSes: See Documentation
BSV: See Documentation
FindVirus: Software program information
sheep-dip: See Documentation
WinGuard: Software program information
VirusGuard: Software program information
VxD: Software program information
SMEG: See Documentation
Checksummer: See Documentation
ViVerify: See Documentation
Novell NetWare: Software operating system
Lotus AmiPro files: Software program
Format C macro Trojan: Virus program
BIOS: Basic Input Output System
1) What is the first thing to do?
2) What is a virus?
3) Why are viruses bad news?
4) Things that are not viruses
5) Different kinds of virus
6) Miscellaneous objects of infection
7) Virus characteristics
8) Damage done by viruses
9) How viruses are spread
10) Virus prevention
11) Rules, Procedures, Education and Tools
12) Anti-virus tools
13) Networks and viruses
14) Network protection
15) The future impact of viruses
1. WHAT IS THE FIRST THING TO DO?
Don't panic! Indeed, don't do anything. Have a cup of tea or coffee; don't start
bashing away at the keyboard before you've determined what you ought to do. In
my experience, a lot of the damage done by viruses is actually damage done by
people doing things before they've made sure of what they ought to do, which is
another way of saying panic. So, don't panic!
2. WHAT IS A VIRUS?
A virus is a program that copies itself. That's the definition of a virus. In
retrospect, it's unfortunate that the word `virus' was used; it makes the
problem sound a lot worse than it is, and people get the plural wrong [the
plural is not `viri', or even `virii', it's `viruses']. It might have been
better to use the word `weed'. But we're stuck with `virus'. A virus need do no
more than replicate in order to be a virus. Indeed, 95% of viruses do no more
than that, plus some trivial extra like beeping the keyboard, or displaying a
message. And conversely, if a program does something nasty that you weren't
expecting, that doesn't make it a virus, unless it replicates. Such a program is
called a `Trojan', after the famous horse of Troy.
3. WHY ARE VIRUSES BAD NEWS?
If a virus does nothing but copy itself, why do people get so worked up when they
have one? For example, Form virus beeps every time you hit a key on your
keyboard on the 18th of each month, so why does everyone who gets infected want
to get rid of it? There are a few reasons for this. If you don't get rid of the
virus, there is a strong likelihood that eventually you'll pass it on to a
supplier or customer, who will be upset. Over 99% of viruses that actually
spread 'in the wild' are memory resident, so there
is the possibility of incompatibilities between the virus and some other program
you are running [keeping
one specimen for a `zoo']. If you do get rid of
the virus, this is going to take time, and time is money. Each PC will take at
least several minutes, and each floppy disk will take at least several seconds [and
there may be a lot of floppy disks]. It would be nice if you only had to
worry about those computers and floppies that are infected, but of course you
don't know which ones these are until you've done the virus-hunt, so you have to
check everything.
4. THINGS THAT ARE NOT VIRUSES
BUGS
Bugs are not viruses, and viruses are not bugs. I am using a word processor that I
know has a serious bug. If you work with a large file for a long time, then
eventually something goes wrong inside the program, and it refuses to let you
save the file to the disk, so that you lose all the work you've done since the
last save. This program comes from a major software house, and they didn't do
this on purpose, so it isn't a Trojan. The programmers made a mistake.
Programmers are human, and humans make mistakes. Programmers, like other humans,
have pride, and don't like to admit that they make mistakes, so they call them `bugs',
as if the bug had drifted in through the window and settled on the program. All
sufficiently complex programs have bugs. Anti-virus software does not detect
bugs. If it did, it would report bugs in just about everything.
a) FALSE ALARMS
False alarms are not viruses. A false alarm is when you think you have a virus, but
you are mistaken. Sometimes, people have some hardware or software fault, and
after running some diagnostics, eliminate the possibility of hardware or
software problems, conclude that it is therefore a virus, and proceed on that
assumption. More often, a false alarm is the result of running anti-virus
software. Anti-virus software, in common with other software, is not infallible.
The two main mistakes that an anti-virus program can make are to fail to find a
virus that is there [I once tested a program that failed to find any boot
sector viruses whatsoever, and these account for over two thirds of infections]
or to claim that a virus is present when there isn't one, and that is called a
false alarm. When an anti-virus program gives a false alarm, it looks pretty
much like the real thing. There are a few things that might indicate that
the alarm is false, though:
1) Only one file is giving the alarm [or perhaps four files, but they are
copies of the same file].
2) Only one product gives the alarm; other products say the system is clean.
3) You get the alarm after running multiple products, but not when cold-booting
and running any one product.
4) The virus that is detected is not listed as 'in the wild' [of course, this
list changes all the time].
Unfortunately, there's no hard rule that can be applied. You can't say it's a
false alarm if one of the four above is true, or even if all four of the above
are true. The only way to really nail down
a false alarm is to send the suspect file to the product vendor giving the
alarm, and ask them to verify that it is a virus by analysing it in their virus
lab. And this might take some time. Meanwhile, a false alarm can be as much
hassle as a real virus, or even more. If you have a floppy disk that is infected
with Stoned virus, you can simply copy the data off the disk and destroy the
infected floppy, or you can get rid of the virus with your anti-virus program,
or demand a replacement disk. Whatever, the cost is just a few seconds. But if
you get an update of your favourite anti-virus program, and it tells you that
you have Stoned virus on one of the files on your file server, then resolving
the situation will take longer. You know and I know that Stoned cannot infect
files. But just maybe someone has written a file virus and someone has decided
to call it Stoned [for example, there are two unrelated viruses, one called
Parity and the other called Parity.b]. So, you send the file to your product
vendor for analysis and comment.
Meanwhile, to be safe, you remove the file from the server [or possibly the
product is barring access to that file]. This might mean that some important
system won't work any more, as it needed that file. It also means that you have
to keep track of the response to the problem, report it up through the usual
security breach reporting channel, and so on. You might try deleting the
offending file and re-installing the software that is causing
the false alarm, but when you've finished doing that you still get the false
alarm. It isn't surprising that some people have changed their anti-virus
software after too many false alarms. Anti-virus software does not detect false
alarms. If it did, it wouldn't report the false alarm, would it?
b) JOKES
A joke is something that is funny. Of course, what one person finds funny is not
the same as what another person finds funny. It depends on your sense of humour.
Consider a program that pretends to format your
hard disk, and then reveals that it hasn't. Is that funny? It depends on your
sense of humour. Some people love to play practical jokes, and on certain dates
one must apply a little scepticism to alleged virus reports. Some anti-virus
software detects jokes, and tells you 'You have a joke called . . .'. The
reason for this, is that some jokes are fairly widespread, and are known to
cause concern, so the anti-virus program is trying to calm things down, by
saying `Yes, I know about this, and it's harmless'.
c) TROJANS
A Trojan is a program that does something more than the user was expecting, and
that extra function is damaging. This leads to a problem in detecting Trojans.
Suppose I wrote a program that could infallibly detect whether another program
formatted the hard disk. Then, can it say that this program is a Trojan?
Obviously not: if the other program was supposed to format the hard disk [like
FORMAT does, for example], then it is not a Trojan. But if the user was not
expecting the
format, then it is a Trojan. The problem is to compare what the program does
with the user's expectations. You cannot determine the user's expectations for a
program. So, we have to make some judgements. The Aids Information Diskette is
generally considered to be a Trojan. About 20,000 copies of this were mailed to
users in 1989, purporting to be a program that teaches you about The Aids
virus.
In fact, it was a Trojan; after you re-boot your computer 90 times, it
encrypts and hides all the filenames on your hard disk, and demands that you pay
for your license to use it. Although the documentation that came with it told
you that something bad was likely to happen, it is generally considered to be a
Trojan.
FORMAT is not a Trojan. As a rule, you don't see Trojans very often. They don't copy
themselves, and don't spread in the way that viruses do. Trojans are not a real
threat, except in one of the following circumstances. When they are widely
disseminated, like the Aids Information Diskette. They are targeted on an
organisation, in which case it is an `inside job', done by an employee.
Some anti-virus products detect a few Trojans [such as the Aids one], but
most products don't detect Trojans at all.
d) CORRUPTED PROGRAMS
Some files are simply corrupted [perhaps by a hardware problem], and hang the
are simply corrupted [perhaps by a hardware problem], and hang the
computer when run. For some reason, these sometimes end up in virus collections,
unless the collection is carefully maintained.
e) INTENDED VIRUSES
Some virus authors are less skilful than they would like to be, and write what is clearly
authors are less skilful than they would like to be, and write what is clearly
intended to be a virus, but for some reason there is such a major bug that the
virus does not work at all. They release these, however, in the fond belief that
no one will ever test them [or perhaps they didn't test them themselves].
One typical mistake is to get confused about decimal versus hexadecimal, and so
their source code presumably says `int 21' for the DOS function
interrupt, but it should have said `int 21h' [which is 33 in decimal].
f) DROPPERS
A dropper is a program that is not itself a virus, nor is it infected with a
virus, but when run it installs a virus into memory, on to the disk, or into a
file. Droppers
have been written sometimes as a convenient carrier for a virus, and sometimes
as an act of sabotage. Some anti-virus programs try to detect droppers.
g) GERMS
A germ is an instance of the virus in generation zero, and in such a form that the
infection could not have happened naturally. For example, a virus that only
infects files larger than 5Kb, but infecting a tiny 10-byte file. Alternatively,
it might be an instance of the virus without any host file. If you remove the
virus, you are left with a zero-byte file. This is the original file created by
the virus author.
5. DIFFERENT KINDS OF VIRUS
a) BOOT SECTOR VIRUSES
The commonest kinds of virus are boot sector viruses [BSVs], such as Form or
Stoned. These infect the boot sectors of floppy disks, and either the partition
sector [Master Boot Record, MBR] or the DOS boot sector [DOS Boot
Record, DBR] of hard disks. Here's how a BSV spreads. A floppy disk has just
arrived, with some data on it [some word-processed files and a spreadsheet,
perhaps]. This is part of a project that you are doing jointly with a
colleague. What your colleague doesn't know is that his computer is infected
with a BSV, and therefore so is the disk he sent you. You put the disk in drive
A and start using these files. So far, the virus hasn't done anything. But when
you finish for the day, you switch off the computer and go home. Next day, you
come in and switch on. The floppy disk is still in drive A, so the computer
tries to boot up from this disk. It loads the first sector into memory and
executes it [normally, this is a little program written by Microsoft to load
DOS; or if it can't find DOS on the disk, to tell you so - `Non-System disk, or
disk error. Replace and press any key when ready']. Everyone has seen this
message numerous times, and so you open the drive door and press a key. But this
disk is infected with Stoned, so what executed was not just the program by
Microsoft, but the Stoned virus, written in 1987 in New Zealand [and so
sometimes called the New Zealand virus]. The virus installs itself on the
hard disk, replacing the MBR, and copying the original MBR to a place a little
further down the disk. When you start up from the hard disk, the MBR runs, but
this is Stoned virus. Stoned virus goes memory resident, capturing the disk
read/write interrupt 13h, and then it loads the original MBR, and the boot-up
process continues as normal. But, since the disk read/write interrupt is
captured, every time any write or read access [you think you're making a read,
but the virus decides to write anyway] is made to drive A, the floppy is
examined, and if it is not already infected, Stoned virus is installed on the
boot sector. Thus, your computer is now infecting every disk put in drive
A, and sooner or later one of these will be sent to a colleague, and the cycle
continues. The detail of various BSVs is different, but the principle is the
same. They are carried by the boot sectors of infected disks, and only in that
way [a BSV cannot spread across a network, for example]. And the only way
to get infected is to try to boot from an infected disk, even if the boot fails.
BSVs infect PCs. They don't care what operating system is running, or what
security software is installed, because at the time the BSV installs itself the
operating system or security program is not running yet. However, with some
non-DOS operating systems [for example, Windows NT or OS/2], although the PC is
infected the virus cannot copy itself on to subsequent disks and cannot spread.
It can, however, still do damage, as was discovered by one surprised UNIX user
when Michelangelo triggered on 6 March. To most people, the fact that viruses
can infect in this way comes as a big surprise, which partly accounts for BSVs
being so common.
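The mechanism just described [a BSV replaces the MBR's boot code and tucks the original away elsewhere on the disk] leaves the partition table alone, so the thing to watch is the 446 bytes of boot code, not the sector as a whole. The Python below is an added example written for this page, not code from the article or from any product it names. It parses the 512-byte MBR layout [boot code, four 16-byte partition entries, the 55AA signature], records a SHA-256 digest of the boot code as a baseline, and reports when a later copy of the sector no longer matches. Every MBR image it handles is constructed in the script; nothing is read from a real disk.

```python
"""Parse a 512-byte Master Boot Record and compare its boot code with a
known-good baseline. Added example; every MBR image here is constructed."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: the boot loader code a BSV replaces
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, non-empty partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, count
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature_ok": sector[510:512] == SIGNATURE}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may change legitimately."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR with one bootable FAT16 partition (not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\xff\xff", 63, 2048 * 1024)
    return code + entry + b"\x00" * 48 + SIGNATURE


# constructed stand-in for the vendor's boot code; the baseline is taken from it
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_digest(CLEAN_MBR)
# constructed stand-in for what is left after a BSV has replaced the boot code
TAMPERED_MBR = make_sample_mbr(b"\xea\x05\x00\xc0\x07")

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline has to be taken while the machine is known clean [after a cold boot from a write-protected system disk, in the terms of this article]; a digest recorded from an already infected MBR would simply certify the virus. Hashing only the boot code, rather than the whole sector, keeps a legitimate repartitioning from raising a false alarm.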
b) MACRO VIRUSES
Macro viruses [such as], the latest virus development, seem likely to become a
significant threat, for several reasons. Macros, written in WordBasic, and
accessible to many computer users, are easier to write
than 'traditional' file viruses [written, for
the most part, in assembly code]. They are the
first viruses to infect data files, rather than
executables. Data files, to which macros are attached,
provide viruses with a more effective replication method
than executable files. Data files are exchanged far more
frequently than executable files.
If you add the increased use of e-mail [and
the
ability to attach files to e-mail], and mass access to the Internet [and
on-line services like CompuServe
and America Online], this is likely to make
macro viruses a much greater threat to computer users
than 'traditional' file viruses.
Macro viruses are not platform-specific. There are versions of Microsoft Word
for Windows 3.x, Windows 95, Windows NT and Macintosh. This makes all of these
operating systems susceptible to macro viruses [although anything in a macro
which makes use of calls to a specific operating system, as with the WM.FormatC
macro Trojan, will be restricted to that particular operating system]. Macro
viruses have already had a marked effect. WM.Concept currently accounts for
around 50% of all virus reports. And while WM.Concept causes no damage to data,
we have already seen the first [albeit faltering] steps towards macro viruses
which threaten data; one payload of WM.Nuclear, for example, is to attempt to
damage the system files [this payload is never delivered, due to a bug in the
code].
Macro viruses are not confined to Microsoft Word for Windows. In January 1996,
the first macro virus to infect Lotus AmiPro files [AMP.GreenStripe] appeared.
Unlike Word for Windows, in which macros are directly linked to DOC [and DOT]
files, AmiPro macros are contained in a separate file [with the extension SMM];
this makes it possible to exchange AmiPro documents [for example, via e-mail]
without exchanging infected macros. And XM.Laroux, which appeared in July 1996,
is the first working macro virus to infect Microsoft Excel for Windows
spreadsheets.
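A macro virus has to run without the user asking, so it lives under one of the names the application executes automatically [AutoOpen, AutoExec, FileSaveAs and the like], and it needs some statement that copies macros between the document and the global template in order to replicate. Those two properties together are what a simple macro scanner looks for. The Python below is an added example, not code from the article or from any product it mentions. It assumes the macro source has already been extracted from the document as text [it does not parse DOC, DOT or SMM files], and the three macros it scans are constructed samples, not real viruses; the set of auto-run names and suspect statements is my own starting list, not an exhaustive one.

```python
"""Heuristic scan of document macros for auto-execution plus replication or
system-reaching statements. Added example; the macro texts are constructed."""
import re

# macro names that Word or Excel run without being asked (WordBasic / VBA)
AUTO_MACROS = {"autoopen", "autoclose", "autoexec", "autonew", "autoexit",
               "auto_open", "auto_close", "filesaveas", "document_open"}
# statements that let a macro copy itself or reach outside the document
SUSPECT_CALLS = {
    "macrocopy": "copies a macro between a document and the global template",
    "organizercopy": "copies a macro via the Organizer",
    "shell": "launches an external program",
    "kill": "deletes files",
}


def scan_macros(macros: dict) -> dict:
    """macros maps macro name -> source text; returns findings per macro."""
    report = {}
    for name, source in macros.items():
        found = [call for call in SUSPECT_CALLS
                 if re.search(r"\b" + call + r"\b", source, re.IGNORECASE)]
        report[name] = {"auto_run": name.lower() in AUTO_MACROS,
                        "suspect_calls": sorted(found)}
    return report


def risk_score(report: dict) -> int:
    """Number of macros that both run automatically and contain a suspect call;
    one or more is what a macro-virus scanner would want a human to look at."""
    return sum(1 for r in report.values()
               if r["auto_run"] and r["suspect_calls"])


def explain(report: dict) -> list:
    """Human-readable lines for the findings."""
    lines = []
    for name, r in report.items():
        for call in r["suspect_calls"]:
            tag = "AUTO-RUN" if r["auto_run"] else "manual"
            lines.append(f"{name} [{tag}]: {call} - {SUSPECT_CALLS[call]}")
    return lines


# constructed macro sources, as extracted from a document (not real viruses)
SAMPLE_DOC = {
    "AutoOpen": 'Sub MAIN\n  MacroCopy "Doc:AutoOpen", "Global:AutoOpen"\nEnd Sub',
    "AutoClose": 'Sub MAIN\n  MsgBox "Thanks for reading"\nEnd Sub',
    "WordCount": 'Sub MAIN\n  MsgBox "Word count shown here"\nEnd Sub',
}

if __name__ == "__main__":
    rep = scan_macros(SAMPLE_DOC)
    print("\n".join(explain(rep)))
    print("risk score:", risk_score(rep))
```

An auto-run macro that only shows a message box [AutoClose above] scores nothing, which is the point: the name alone is normal in many templates, and it is the combination with a copying or system statement that deserves a look. This is a heuristic, not a signature, so it will also flag legitimate macros that install themselves into NORMAL.DOT.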
c) TSR FILE VIRUSES
TSR file viruses are no longer common. As the name suggests,
these infect files. These are usually COM and EXE,
but there are some device driver viruses, and some viruses
infect overlay files; executable programs don't always
have the extension COM or EXE, although over 99% do. For a TSR virus to spread, someone has to
run an infected program. The
virus goes memory resident, and typically
looks at each program run thereafter and infects
it if it is not already infected. Some viruses are
called `fast infectors', and they infect if you just open
the file [for example, a backup might open every file
on the drive]. Dark Avenger was the first 'fast infector'.
In the case of Green Caterpillar, the infection trigger is anything that
determines what files are
present [such as DIR]. Other triggers have been used,
but the commonest is to infect each program that you
are about to run.
d) NON-TSR FILE VIRUSES
-
It is much easier to write a non-TSR virus, and so many of the budding virus authors do so. But it is quite rare for such a virus to be encountered 'in the wild'; less than 1% of reported outbreaks are a non-TSR virus. With such a virus, running an infected program runs the virus, which at that time looks for another file to infect, and infects it. Vienna is the commonest non-TSR virus; Vienna was the first file virus 'in the wild', but now has the status of 'rare'. There are a lot of viruses based on Vienna, because a disassembly [which is almost equivalent to source code] was published in a book in 1987.
e) COMPANION VIRUSES
-
If you have a COM file and an EXE file with the same filename and type that name, DOS runs the COM file in preference to the EXE file. Companion viruses use this feature of DOS. Each EXE file that you have acquires a companion COM file with the same name. Then, when you try to run your EXE program, actually the COM program runs, and that is the virus. When the virus has finished doing what it wants to do [such as creating another companion for another file], it then runs the EXE program, so that everything seems to work normally. There have been a few successful companion viruses, but not many. The main advantage to the virus author is that because the EXE file does not change, some change-detection software might not realise that a virus is spreading.
Another type of companion is the 'path companion'. This sort of virus puts a program in a directory that is earlier in the DOS PATH than is the victim. When you run a program that is not in your current sub-directory, DOS searches for the program in various sub-directories, as specified by the PATH command in your AUTOEXEC.BAT file. Path companions are harder to write than ordinary companions, so there aren't many of them.
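The two DOS search behaviours described above [COM before EXE within one directory, and the PATH directories tried in order] leave a footprint on disk that can be checked for. The following Python script is an added example, not code from the original article or from any of the products it mentions: it lists every EXE that has gained a same-named COM sibling, and every file that would run ahead of a given program when DOS walks the PATH. The directory layout and file names it builds are constructed for the demonstration.

```python
import os
import tempfile

EXEC_EXTS = (".COM", ".EXE", ".BAT")   # DOS tries these, in this order, for a bare command name


def _rel(path, root):
    """Path relative to ROOT with '/' separators, for readable reports."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_exe_companions(root):
    """Return (exe, com) pairs where an EXE has a same-named COM file in the same
    directory, which is the footprint an ordinary companion virus leaves behind."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.upper(), {})[ext.upper()] = os.path.join(dirpath, name)
        for exts in by_stem.values():
            if ".EXE" in exts and ".COM" in exts:
                hits.append((_rel(exts[".EXE"], root), _rel(exts[".COM"], root)))
    return sorted(hits)


def dos_search_order(path_dirs, command):
    """Every file DOS would consider for the bare command COMMAND, in the order it
    would try them: for each PATH directory in turn, COMMAND.COM, then .EXE, then .BAT.
    DOS searches the current directory first; pass it as path_dirs[0] to model that."""
    found = []
    for d in path_dirs:
        for ext in EXEC_EXTS:
            candidate = os.path.join(d, command + ext)
            if os.path.isfile(candidate):
                found.append(candidate)
    return found


def shadowing_files(path_dirs, command, expected):
    """Files that would run instead of EXPECTED when the user types COMMAND.
    A non-empty result is the footprint of a path companion."""
    order = dos_search_order(path_dirs, command)
    target = os.path.normcase(os.path.abspath(expected))
    for i, f in enumerate(order):
        if os.path.normcase(os.path.abspath(f)) == target:
            return order[:i]
    return order   # the expected program would never be reached at all


def build_sample_tree():
    """Constructed sample layout (hypothetical names, not from any real system):
    APPS/WP.EXE has acquired a WP.COM companion, and DOS/SHEET.COM shadows
    APPS/SHEET.EXE because DOS comes earlier in the PATH. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="companion-demo-")
    for rel in ("DOS/FORMAT.COM", "DOS/EDIT.COM", "DOS/SHEET.COM",
                "APPS/WP.EXE", "APPS/WP.COM", "APPS/SHEET.EXE", "APPS/README.TXT"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed placeholder\n")
    return root


def run_checks(root):
    """Run both checks over ROOT with PATH=DOS;APPS and return the findings."""
    path_dirs = [os.path.join(root, "DOS"), os.path.join(root, "APPS")]
    shadows = shadowing_files(path_dirs, "SHEET", os.path.join(root, "APPS", "SHEET.EXE"))
    return {
        "companions": find_exe_companions(root),
        "shadowed": [_rel(f, root) for f in shadows],
    }


if __name__ == "__main__":
    print(run_checks(build_sample_tree()))
```

A same-named COM beside an EXE is not proof of infection [a few legitimate packages ship both], so the output is a list to review, not a verdict; the value of the check is that it works even though, as the text notes, the EXE itself never changes.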
f) OVERWRITING VIRUSES
-
An overwriting virus simply overwrites each file it infects with itself, and the program no longer functions. Because this is so glaringly obvious, overwriting viruses are never successful in spreading.
g) MULTIPARTITE VIRUSES
-
Some viruses, such as Tequila, infect multiple objects. When you run a Tequila-infected EXE, Tequila installs itself on the MBR. When you boot up the computer, Tequila runs from the MBR, and goes memory resident. While Tequila is memory resident, it infects EXE files. Other viruses, such as some of the versions of Anticad, infect COM, EXE and MBRs interchangeably. Some viruses infect COM, EXE, MBRs and device drivers.
6) MISCELLANEOUS OBJECTS OF INFECTION
There is a virus that infects OBJ files. There is a virus [Starship] that infects by creating a new DBR, leaving the old one intact, leaving the code on the MBR intact, and changing the pointer in the MBR so that the Starship DBR is executed before the original DBR. There are other viruses [DIR II and ] that infect file systems by changing the FAT and directories so that files on the hard disk are all cross linked to the virus. There are all sorts of ways of skinning this particular cat.
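Starship's trick of re-pointing the MBR at a new DBR is exactly the kind of change a defender can look for by comparing the partition table against a recorded baseline. The following Python is an added example, not from the original article: it parses a 512-byte MBR [the 0x55AA signature and the four 16-byte partition entries], hashes the boot code, and reports every difference from a baseline. The two sample sectors are constructed for the demonstration: one active partition starting at sector 63, and the same table with its start pointer moved to sector 2048.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16


def build_entry(status, ptype, lba_start, sectors):
    """One partition-table entry. The CHS fields are zeroed in this constructed
    sample; a real MBR fills them in."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries, boot_code=b""):
    """Assemble a 512-byte MBR from up to four entries plus the 0x55AA signature."""
    code = boot_code.ljust(TABLE_OFFSET, b"\0")[:TABLE_OFFSET]
    table = b"".join(entries) + b"\0" * (ENTRY_SIZE * (4 - len(entries)))
    return code + table + b"\x55\xAA"


def parse_mbr(sector):
    """Decode the boot signature, a hash of the boot code, and the used entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + i * ENTRY_SIZE: TABLE_OFFSET + (i + 1) * ENTRY_SIZE]
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, raw)
        if ptype == 0:              # type 0 means "unused entry"
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": parts,
    }


def compare_mbrs(baseline, current):
    """Differences between two parsed MBRs; an empty list means nothing changed."""
    diffs = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        diffs.append("boot code changed")
    if baseline["signature_ok"] != current["signature_ok"]:
        diffs.append("boot signature changed")
    before = {p["index"]: p for p in baseline["partitions"]}
    after = {p["index"]: p for p in current["partitions"]}
    for i in sorted(set(before) | set(after)):
        if i not in after:
            diffs.append(f"entry {i}: removed")
        elif i not in before:
            diffs.append(f"entry {i}: added (type 0x{after[i]['type']:02x}, LBA {after[i]['lba_start']})")
        else:
            for key in ("active", "type", "lba_start", "sectors"):
                if before[i][key] != after[i][key]:
                    diffs.append(f"entry {i}: {key} changed {before[i][key]} -> {after[i][key]}")
    return diffs


# Constructed samples: a single active FAT16 partition starting at sector 63, and
# the same table with the start pointer moved to sector 2048, which is the kind of
# change a Starship-style redirection to a new DBR has to make.
BASELINE_MBR = build_mbr([build_entry(0x80, 0x06, 63, 204737)])
REDIRECTED_MBR = build_mbr([build_entry(0x80, 0x06, 2048, 204737)])

if __name__ == "__main__":
    for line in compare_mbrs(parse_mbr(BASELINE_MBR), parse_mbr(REDIRECTED_MBR)):
        print(line)
```

The baseline has to be taken while the machine is known clean, and it has to be read from the disk with the virus not in memory; a stealth BSV of the kind described under VIRUS CHARACTERISTICS would otherwise hand back the original sector and the comparison would report nothing.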
7) VIRUS CHARACTERISTICS
a) FAST
-
As explained above, a 'fast infector' spreads rapidly within a computer by infecting everything that is accessed. A fast infector isn't as bad as it sounds; it is just as easy to clean a computer with 1,000 infected files as one with 10, provided you have an anti-virus program that does a good cleaning job. However, most anti-virus products check memory for viruses, and the possibility of a fast infector in memory is one of the reasons why. If there is a fast infector in memory, and the product opens all your files, you wind up with every file on the computer infected.
b) SLOW
-
The opposite of a 'fast infector' is a 'slow infector'. The idea here is that if the virus spreads slowly, you're less likely to notice it and kill it. There are various ways that a slow infector can work, but the classic slow infector works by only infecting those files that you had intended to change anyway. This means that if you are running a change detector as an anti-virus measure, the change detector will trigger each time there is an infection, but since you had intended the file to change anyway, you'll tell it to accept the change.
-
Starship is another way of doing a slow infector. It only infects files as you copy them from your hard disk. So no file on the hard disk ever changes, and the change detector is happy. But when you copy a file to a floppy disk, the copy is infected, and when you take this to another computer protected by the change detector, the change detector warns you of the existence of the new file. You will then reassure the change detector that you knew about the new file, and the change detector is happy, and another system is infected.
c) STEALTH
-
If a virus is memory resident [as are over 99% of viruses 'in the wild'], then it has hooked at least one of the interrupts. If it is a BSV, then it has hooked the disk read/write interrupt 13h. If it is a stealth virus, then whenever any program tries to read the boot sector, the virus says 'Aha, someone wants to see the boot sector; I'll just read the original boot sector from where I put it, and present that instead'. So the software sees nothing out of the ordinary. Brain, vintage 1986, was the first virus that used this trick.
-
File viruses can use a similar trick to disguise their presence, so that any software reading the file only sees the bytes that were there before the virus came along. Frodo is an example of this. It is much commoner to see stealth in BSVs than in file viruses, as it is much easier for the virus author to implement stealth in a BSV.
d) POLYMORPHISM
-
The commonest kind of anti-virus program that people use is the scanner, looking for a repertoire of viruses. So for the virus author this is the kind of product that he would most like to defeat. A polymorphic virus is one where if you take two instances of the virus, there are no bytes in common between them, so you cannot write down a byte-sequence and go looking for that in order to detect the virus. You have to do something a lot more complex and difficult.
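The byte-sequence scanner described above, together with a check for whether any fixed sequence exists at all, as an added example in Python; this is not code from the original article or from FindVirus. The signature syntax [hex bytes with '??' as a one-byte wildcard], the host bytes and the sample bodies are all constructed for the demonstration; the only real bytes are the standard DOS program-exit call used as a marker.

```python
def parse_signature(text):
    """'EB ?? B8 00 4C CD 21' -> [0xEB, None, 0xB8, ...]; '??' matches any one byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def scan(data, signatures):
    """Names of every signature in SIGNATURES (name -> pattern text) found in DATA."""
    hits = []
    for name, text in signatures.items():
        pattern = parse_signature(text)
        n = len(pattern)
        for i in range(len(data) - n + 1):
            if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
                hits.append(name)
                break
    return hits


def longest_common_run(a, b):
    """Longest byte sequence that occurs in both A and B (simple dynamic programming)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def signature_candidate(samples, min_len=4):
    """The longest run shared by every sample, or b'' if none is at least MIN_LEN
    bytes long. b'' is the situation the text describes: no fixed byte-sequence
    will do. Real products demand far longer runs than 4 to avoid false alarms."""
    common = samples[0]
    for s in samples[1:]:
        common = longest_common_run(common, s)
    return common if len(common) >= min_len else b""


# Constructed samples (not real virus code): a clean "host" program, and two copies
# of an appended body that differ only in a jump offset and in their padding.
HOST = bytes(range(0x20, 0x60))
MARKER = b"\xB8\x00\x4C\xCD\x21"          # mov ax,4C00h / int 21h: the DOS exit call
BODY_1 = b"\xEB\x05" + MARKER + b"\x00" * 8
BODY_2 = b"\xEB\x07" + MARKER + b"\xFF" * 8
SAMPLE_1 = HOST + BODY_1
SAMPLE_2 = HOST + BODY_2
# Two constructed "instances" with no byte sequence in common at all, standing in
# for what a polymorphic virus presents to a scanner (this is not a polymorphic engine).
POLY_1 = bytes(range(0x00, 0x10))
POLY_2 = bytes(range(0x10, 0x20))

SIGNATURES = {"Constructed.Sample": "EB ?? B8 00 4C CD 21"}

if __name__ == "__main__":
    print(scan(SAMPLE_1, SIGNATURES), scan(SAMPLE_2, SIGNATURES), scan(HOST, SIGNATURES))
    print(signature_candidate([BODY_1, BODY_2]), signature_candidate([POLY_1, POLY_2]))
```

The wildcard handles the small variations between the two constructed bodies, which is as far as a fixed signature goes; for the POLY pair `signature_candidate` returns nothing, which is the point of the paragraph above.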
8) DAMAGE DONE BY VIRUSES
We can categorise the damage done by viruses into six groups, according to the severity of the damage. Some authorities postulate the possibility of a virus that actually does good, but no one has yet demonstrated such a virus.
We define damage as: the virus does something that you'd rather it hadn't done. And we quantify damage by measuring how long it takes to put things back the way they ought to be.
We don't include consequential damage in this categorisation [damage done by the user in a mistaken attempt to get rid of the virus]. It is remarkable how many people will format the hard disk to get rid of Stoned, for example. All this does is get rid of all your data. The virus is untouched, as it resides in the MBR, which is not touched by FORMAT. Nor can we include damage done by obscure incompatibilities between the virus and the system. For example, if a computer that was originally set up under DOS 2 [but is now running a later version of DOS] is infected by Stoned, then a large number of files will be corrupted because the design of the virus had not anticipated this situation.
a) TRIVIAL DAMAGE
b) MINOR DAMAGE
-
A good example of minor damage is the way that Jerusalem virus deletes any program that you try to run after the virus has gone memory resident, on Friday the thirteenth. At worst, you will have to re-install some programs, so the damage is unlikely to be more than 30 minutes per computer.
c) MODERATE DAMAGE
-
This is where a virus hits your backups as well as your hard disk. Every 16th time that a Dark Avenger-infected file is run, it overwrites a random sector on the hard disk with 'Eddie lives . . . somewhere in time'. This might have been going on for several weeks. You discover Dark Avenger, get rid of the virus, and find 'Eddie lives . . .' at several places in several files. You restore yesterday's backup, and find 'Eddie lives . . .' in those as well. You might have to go back a few weeks before you can find clean data files, and when you've restored a six week old backup, you'll find that you don't actually have any way to redo that work, because you don't have the original documents to work from.
d) SEVERE DAMAGE
e) UNLIMITED DAMAGE
-
Some viruses [such as Cheeba, Vacsina.44.login and GP1] aim to get the system manager password and pass it along to a third party. In the case of Cheeba, for example, it creates a new user with maximum privileges, with a fixed user name and password. The damage is then done by the third party, who can log in to the system and do anything he/she likes.
9. HOW VIRUSES ARE SPREAD
It seems to be a common belief that viruses are spread by games, by shareware or by BBSes. The truth is more complex. First, remember how the most common sort of virus, boot sector viruses, work. A physical floppy disk has to be involved, and there doesn't need to be any software on it. You cannot get a BSV by using a BBS.
The most likely routes by which a virus gets into an organisation are engineers and parents. Hardware engineers visit a large number of computers, and like the busy little bee, could pick up some pollen here, and deposit it there. Hardware engineers should have all their software disks permanently write-protected, but don't. Hardware engineers should frequently check any write-enabled disks for viruses, but don't. Of course, the majority of hardware engineers are clean and well-behaved, but there are a few that need re-education. Parents have children, and if there is a PC at home, and the children are young teens, then they quite possibly swap software at school. The disks that they bring home might well be infected, and if the parent is taking disks to and from work, they could easily take a virus into work with them. A boot sector virus could arrive on a data disk from a colleague. Other ways of getting a virus include: in shrink-wrapped software [some of the largest companies have accidentally shipped a virus in shrink-wrapped software]; along with purchased hardware [most hardware comes with disks containing utilities or drivers]; salesmen running demos could unwittingly install the virus they picked up from the last place they ran their demo.
10. VIRUS PREVENTION
We recommend that everything be virus checked before it is used. This includes floppy disks with data on them [remember BSVs] as well as software. This could be done using a scanner such as FindVirus, which could be installed on every computer [for convenience, because if it isn't convenient, it won't get done] or it could be installed on designated 'sheep-dip' computers, which is more convenient for the PC Support people to keep up to date, but less convenient for the users. Alternatively, you can make the whole thing as transparent and painless as possible by installing an on-access scanner, such as VirusGuard [DOS] and/or WinGuard [a VxD for Windows 3.x, Windows 95 and Windows NT]. This means that everything is automatically scanned without the user being aware of it [unless, of course, a virus is found]. The on-access scanner is the route that most people choose, together with some dedicated 'sheep-dip' machines.

Linda had worked in her job for some years. She occasionally took work to do on her home PC, with the knowledge and approval of her supervisor. One day, the PC Support department found a virus on her office PC. Later the same day Linda was fired for bringing a virus on to the premises. Linda was very upset at what she saw as unfair dismissal and sued the company. She won, because the company she worked for had no rules to tell employees what to do [so she hadn't broken any rules]. Although they had anti-virus software, there were no procedures for checking incoming disks [so she hadn't failed to carry out company procedures]. On investigation, it looked highly likely that the PC Support department had accidentally infected her machine, and only discovered it when they sent disks, copied on Linda's machine, to another company, who did check for viruses and found one on those disks. If such procedures had been in place and Linda had ignored them, then the company would have had a good reason for firing her. Of course, with proper rules and procedures, they would probably not have been infected by a virus in the first place. But you have to acknowledge the fact that people behave the way that they do. If you make your anti-virus procedures onerous and difficult, they'll quite likely be ignored on the grounds that viruses are very rare, and the cost and hassle of the procedures is too great.
A good set of rules might be as follows. Any incoming floppy disk must be virus-checked. If your anti-virus software finds a virus, tell PC Support. Notice that the rules are very simple. That way, people are more likely to remember and follow them. The next thing you need is procedures. The procedure tells the users how to obey the rules. The procedure for checking disks should be written down in detail ['Put the floppy disk in the drive, and type . . .']. If you have a 'sheep-dip' computer, put the procedure up on the wall near to it. Education is also important. You can't just tell grown-ups to do something and expect that they'll obey without question. You have to explain the reason to them. You can do this with talks, or by getting the Dr Solomon's 'Virus Video' and letting them watch it. You also have to provide tools. You can't detect a virus with your bare hands. Any sensible anti-virus strategy must take account of the fact that even 'well-educated' users are fallible, and that they will circumvent even the best rules and procedures [either wittingly or unwittingly . . . remember that security is not the primary concern of staff that work in Sales, Marketing and other departments within an organisation]. The foundation of any comprehensive anti-virus strategy, therefore, must be anti-virus tools, which will effectively detect, remove and prevent virus infection . . . even when the rules and procedures have not been followed.
12. ANTI-VIRUS TOOLS
a) SCANNERS
-
A scanner is a program that knows how to find a particular repertoire of viruses. Scanners are updated quarterly or monthly. For many users, quarterly upgrades are sufficient, but every now and then a new virus comes out and spreads very fast [such as Tequila, or SMEG]. In that case, you could be unable to detect this 'in the wild' virus for several weeks, depending on where you are in the update cycle. So, many people subscribe to monthly upgrades to avoid this situation. Scanners can be either on-demand or on-access. FindVirus is an on-demand scanner, and must be run by the user [although this could be done automatically, at start-up, from the AUTOEXEC.BAT, or using a scheduler]. VirusGuard [DOS] and WinGuard [Windows 3.x, Windows 95 and Windows NT] are on-access scanners, and work continuously. As soon as any disk is accessed, it is checked for boot sector viruses; and as soon as any file is used, it is checked for file viruses. Both programs may be [optionally] configured to check files as they are written to the hard disk [useful if files are being downloaded from a remote site, such as a BBS or the Internet]. VirusGuard occupies approximately 9Kb of conventional [DOS] memory; WinGuard, which is a Windows-specific program, uses zero conventional memory. Any additional time-overhead involved in checking the disk or file is unlikely to be noticeable in most cases. VirusGuard, a DOS TSR program, does not have the full facilities of FindVirus [for economy in memory consumption and time-overhead]; specifically, VirusGuard is not able to find macro viruses [which do not work under DOS anyway] and a small percentage of extremely polymorphic viruses [VirusGuard will find polymorphic viruses in memory, if an infected program has been run]. WinGuard, which does not have the constraints of a DOS TSR program, has the same detection capability as FindVirus.
b) CHECKSUMMERS
-
A checksummer is a change detector. Executable files should not change, except for a good reason, such as updating of software. A checksummer aims to detect changes. The advantage of checksummers is that they do not detect a repertoire of viruses, so do not need updating. The downside of checksummers is that they are more hassle than scanners [files change on your computer more often than you might have thought, for good and valid reasons], and they do not detect all viruses. For example, checksummers do not detect 'slow infectors'; they do not detect all boot sector viruses [if the hard disk code is left unchanged]; and they have problems with stealth viruses. Some people use checksummers, but they are a minority. Checksummers can be on-demand [like ViVerify], or on-access.
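The checksummer described here, and the way the slow infector of section b) SLOW gets past it, as an added example in Python; this is not ViVerify or any other product's code. It records a SHA-256 baseline of the executable files under a directory, reports added, removed and modified files on each check, and has the 'accept this change' step that a slow infector relies on. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = {".COM", ".EXE", ".SYS", ".OVL"}   # the files that should not change


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every executable file under ROOT."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].upper() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                baseline[_rel(full, root)] = _digest(full)
    return baseline


def verify(root, baseline):
    """Compare the tree with BASELINE: added, removed and modified executables."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def accept(root, baseline, paths):
    """Record PATHS as legitimate changes. This is the step a slow infector counts on:
    once an infected file has been accepted, the checksummer never flags it again."""
    current = build_baseline(root)
    for p in paths:
        if p in current:
            baseline[p] = current[p]
        else:
            baseline.pop(p, None)
    return baseline


def demo():
    """Constructed walk-through on a temporary tree (hypothetical file names)."""
    root = tempfile.mkdtemp(prefix="checksum-demo-")

    def write(rel, data):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    write("APPS/PROG1.EXE", b"original program 1")
    write("APPS/PROG2.COM", b"original program 2")
    write("APPS/NOTES.TXT", b"data files are not tracked")
    baseline = build_baseline(root)
    clean = verify(root, baseline)
    # An update of PROG1 and a new program appear. The checksummer cannot tell a
    # legitimate update from an infection; it only knows the bytes changed.
    write("APPS/PROG1.EXE", b"updated program 1")
    write("APPS/PROG3.EXE", b"new program 3")
    flagged = verify(root, baseline)
    accept(root, baseline, flagged["modified"] + flagged["added"])
    after_accept = verify(root, baseline)
    return {"clean": clean, "flagged": flagged, "after_accept": after_accept}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

The baseline file itself needs the same protection as the MBR baseline: kept on write-protected media or off the machine, and only ever built while no virus is resident, since a stealth virus would feed the hashing routine the original bytes.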
13. NETWORKS AND VIRUSES
A network is a group of computers connected together to make it easier to share data. This provides interesting opportunities for viruses, and for dealing with viruses. There is a common perception that once a virus gets on to a network, somehow it flashes round the whole network very quickly. The truth, of course, is more complex. Firstly, BSVs cannot travel across networks. If several machines on a network are infected, that's because the virus spread via floppy disks in the usual way. Here's how a file virus spreads across a network.
User 1 gets his/her computer infected, perhaps by a salesman's demo disk. The virus goes TSR. User 1 runs other programs on his/her hard disk. They get infected. User 1 runs some programs on the network. They get infected. A network emulates a DOS device; reading and writing to files on the server is done in exactly the same way as locally. The virus doesn't have to behave any differently to infect files on the server. User 2 logs on to the server, and runs an infected file. The virus is now TSR in user 2's machine.
User 2 runs several other programs, on the local hard disk, and on the server. Each file becomes infected.
User 3, user 4 and user 5 log on and run infected files. And so on.
14. NETWORK PROTECTION
70% of networks use Novell NetWare, so we'll use that as an example, but you can adapt the same principles for other network operating systems. You can make directories read-only. If you make files on the local hard disk read-only, you're wasting your time, because just about every file virus will make them read/write, infect them, and make them read-only again. This is because the user has the privilege to make files read/write on his/her local hard disk. But on a file server, you don't have to give that privilege to the user, and the virus has the same privilege as the user. Indeed, the virus is the user, and can do no more than the user can. There is no magic about viruses; they are subject to the same constraints as any other programs.
Unfortunately, some packages can't be run from
15. THE FUTURE IMPACT OF VIRUSES
Making predictions about the future is dangerous. Without the aid of a crystal ball, it is unwise to try and be too specific about what is likely to happen. Nevertheless, since the seeds of the future are planted in the present, it is possible to make a broad assessment of future virus developments.
With regard to the desktop operating systems being used on the PC, the future clearly lies with Microsoft Windows, whether that be Windows 95 and/or Windows NT; although it is also clear that DOS will be with us for some time to come. To a considerable degree, therefore, the impact of viruses under Windows will define their overall impact on the PC world. Within this context, macro viruses will almost certainly play a considerable part. They have already had a marked effect. Since the appearance of WM.Concept, in July 1995, we have seen around two dozen macro viruses. WM.Concept alone currently accounts for around 50% of all virus reports to anti-virus vendors and researchers. And while WM.Concept causes no damage to data, we have already seen the first [albeit faltering] steps towards macro viruses which threaten data.
Macro viruses, it should be noted, are not confined to Microsoft Word for Windows. In January 1996, the first macro virus to infect Lotus AmiPro files [APM.GreenStripe] appeared. And XM.Laroux, which appeared in July 1996, is the first working macro virus to infect Microsoft Excel for Windows spreadsheets.
The impact of macro viruses rests on three factors.
-
Macro viruses are written in WordBasic. They are easier to write than traditional viruses [typically written using low-level programming tools]. As a result, virus writing is no longer the preserve of a comparatively small number of people.
-
Macro viruses infect document files. Document files, to which macros are attached, provide viruses with a far more effective replication method than executable files. Document files are exchanged far more frequently than program files. Coupled with the increased use of e-mail [and the ability to attach files to e-mail], and mass access to the Internet [and on-line services like CompuServe and America Online], this is likely to make macro viruses a much greater threat to computer users than 'traditional' file viruses.
-
Macro viruses are not platform-specific. There are versions of Microsoft Word for Windows 3.x, Windows 95, Windows NT and Macintosh. This makes all of these operating systems susceptible to macro viruses, although anything in a macro which makes use of calls to a specific operating system [as with the WM.Format C macro Trojan] will be restricted to that particular operating system.
However, macro viruses do not make up the whole picture. Boot sector viruses, which currently make up around 70% of 'in the wild' viruses, are not about to disappear. These viruses infect at boot-up, when an infected floppy disk is inadvertently left in drive A. They infect at a BIOS level; that is, before the operating system loads. This is true of any operating system . . . DOS, Windows [of whatever flavour], OS/2, Novell NetWare, etc. For this reason, any PC is susceptible to infection from boot sector viruses.
Under Windows 95, boot sector viruses will [in most cases] go memory resident and successfully infect floppy disks accessed in the PC. This is not the case under protected mode operating systems, like Windows NT, where the concept of a TSR [memory resident program] is anathema.
However, data stored on PCs running these operating systems are still at risk. Any damage routine triggered by a boot sector virus takes place [like the infection process] at a BIOS level, before the operating system has been loaded. Just as the spread of boot sector viruses will be more limited under Windows NT, the spread of traditional file viruses [the most successful of which are memory resident viruses] is likely to diminish. However, this will have less of an impact on the wider picture; it should be remembered that 'traditional' file viruses [as distinct from macro viruses] represent only about 30% of 'in the wild' viruses.
© Yeshua International - Dr. Sir Lyndon P. Edwards DD, AD - All Rights Reserved
If you have a Computer Question, free advice is available from Yeshua01@btinternet.com