Saturday, October 20, 2007

All About Viruses

WHAT IS THE FIRST THING TO DO?

Don't panic! Indeed, don't do anything. Have a cup of tea or coffee; don't start bashing away at the keyboard before you've determined what you ought to do. In my experience, a lot of the `damage done by viruses' is actually damage done by people doing things before they've made sure of what they ought to do, which is another way of saying panic. So, don't panic!

WHAT IS A VIRUS?

A virus is a program that copies itself. That's the definition of a virus. In retrospect, it's unfortunate that the word `virus' was used; it makes the problem sound a lot worse than it is, and people get the plural wrong [the plural is not `viri', or even `virii', it's `viruses']. It might have been better to use the word `weed'. But we're stuck with `virus'.
A virus need do no more than replicate in order to be a virus. Indeed, 95% of viruses do no more than that, plus some trivial extra like beeping the keyboard, or displaying a message. And conversely, if a program does something nasty that you weren't expecting, that doesn't make it a virus, unless it replicates. Such a program is called a `trojan', after the famous horse of Troy.

WHY ARE VIRUSES BAD NEWS?

If a virus does nothing but copy itself, why do people get so worked up when they have one? For example, Form virus beeps every time you hit a key on your keyboard on the 18th of each month, so why does everyone who gets infected want to get rid of it? There are a few reasons for this. If you don't get rid of the virus, there is a strong likelihood that eventually you'll pass it on to a supplier or customer, who will be upset. Over 99% of viruses that actually spread 'in the wild' are memory resident, so there is the possibility of incompatibilities between the virus and some other program you are running [for example, Jerusalem tries to use one of the resources that Novell NetWare uses, so you can't run both Novell NetWare and Jerusalem on the same system]. In addition, even though we have analysed and documented the virus, the user might remain nervous that the virus does more than has been documented, or that he/she has a different version of the virus. So in almost every case that we have seen, people want very much to get rid of the virus [apart, sometimes, from keeping one specimen for a `zoo'].
If you do get rid of the virus, this is going to take time, and time is money. Each PC will take at least several minutes, and each floppy disk will take at least several seconds [and there may be a lot of floppy disks]. It would be nice if you only had to worry about those computers and floppies that are infected, but of course you don't know which ones these are until you've done the virus-hunt, so you have to check everything.

THINGS THAT ARE NOT VIRUSES

BUGS
Bugs are not viruses, and viruses are not bugs. I am using a word processor that I know has a serious bug. If you work with a large file for a long time, then eventually something goes wrong inside the program, and it refuses to let you save the file to the disk, so that you lose all the work you've done since the last save. This program comes from a major software house, and they didn't do this on purpose, so it isn't a trojan. The programmers made a mistake. Programmers are human, and humans make mistakes. Programmers, like other humans, have pride, and don't like to admit that they make mistakes, so they call them `bugs', as if the bug had drifted in through the window and settled on the program. All sufficiently complex programs have bugs.
Anti-virus software does not detect bugs. If it did, it would report bugs in just about everything.

FALSE ALARMS
False alarms are not viruses. A false alarm is when you think you have a virus, but you are mistaken. Sometimes people have a hardware or software fault, run some diagnostics, eliminate the possibility of hardware or software problems, conclude that it must therefore be a virus, and proceed on that assumption. More often, a false alarm is the result of running anti-virus software.
Anti-virus software, in common with other software, is not infallible. The two main mistakes that an anti-virus program can make are to fail to find a virus that is there [I once tested a program that failed to find any boot sector viruses whatsoever, and these account for over two thirds of infections] or to claim that a virus is present when there isn't one, and that is called a false alarm.
When an anti-virus program gives a false alarm, it looks pretty much like the real thing.
There are a couple of things that might indicate that the alarm is false, though.
Only one file is giving the alarm [or perhaps four files, but they are copies of the same file].
Only one product gives the alarm; other products say the system is clean.
You get the alarm after running multiple products, but not when cold-booting and running any one product [the first scanner may have left its own search strings in memory, where the second scanner finds them].
The virus that is detected is not listed as 'in the wild' [of course, this list changes all the time].
Unfortunately, there's no hard rule that can be applied. You can't say it's a false alarm if one of the four above is true, or if all four of the above are true. The only way to really nail down a false alarm is to send the suspect file to the product vendor giving the alarm, and ask them to verify that it is a virus by analysing it in their virus lab. And this might take some time.
Meanwhile, a false alarm can be as much hassle as a real virus, or even more. If you have a floppy disk that is infected with Stoned virus, you can simply copy the data off the disk and destroy the infected floppy, or you can get rid of the virus with your anti-virus program, or demand a replacement disk. Whatever, the cost is just a few seconds. But if you get an update of your favourite anti-virus program, and it tells you that you have Stoned virus on one of the files on your file server, then resolving the situation will take longer. You know and I know that Stoned cannot infect files. But just maybe someone has written a file virus and someone has decided to call it Stoned [for example, there are two unrelated viruses, one called Parity and the other called Parity.b]. So, you send the file to your product vendor for analysis and comment. Meanwhile, to be safe, you remove the file from the server [or possibly the product is barring access to that file]. This might mean that some important system won't work any more, as it needed that file. It also means that you have to keep track of the response to the problem, report it up through the usual security breach reporting channel, and so on. You might try deleting the offending file and re-installing the software that is causing the false alarm, but when you've finished doing that you still get the false alarm.
It isn't surprising that some people have changed their anti-virus software after too many false alarms.
Anti-virus software does not detect false alarms. If it did, it wouldn't report the false alarm, would it?

JOKES
A joke is something that is funny. Of course, what one person finds funny is not the same as what another person finds funny. It depends on your sense of humour. Consider a program that pretends to format your hard disk, and then reveals that it hasn't. Is that funny? It depends on your sense of humour.
Some people love to play practical jokes, and on certain dates one must apply a little scepticism to alleged virus reports. Some anti-virus software detects jokes, and tells you 'You have a joke called . . .'. The reason for this, is that some jokes are fairly widespread, and are known to cause concern, so the anti-virus program is trying to calm things down, by saying `Yes, I know about this, and it's harmless'.

TROJANS
A trojan is a program that does something more than the user was expecting, and that extra function is damaging. This leads to a problem in detecting trojans. Suppose I wrote a program that could infallibly detect whether another program formatted the hard disk. Could it then say that this program is a trojan? Obviously not: if the other program was supposed to format the hard disk [like FORMAT does, for example], then it is not a trojan. But if the user was not expecting the format, then it is a trojan. The problem is to compare what the program does with the user's expectations, and you cannot determine the user's expectations for a program.
So, we have to make some judgments. The Aids Information Diskette is generally considered to be a trojan. About 20,000 copies of this were mailed to users in 1989, purporting to be a program that teaches you about the Aids virus. In fact, it was a trojan; after you re-boot your computer 90 times, it encrypts and hides all the filenames on your hard disk, and demands that you pay for your licence to use it. Although the documentation that came with it told you that something bad was likely to happen, it is generally considered to be a trojan. FORMAT is not a trojan.
As a rule, you don't see trojans very often. They don't copy themselves, and don't spread in the way that viruses do. Trojans are not a real threat, except in one of the following circumstances.
When they are widely disseminated, like the Aids Information Diskette.
They are targeted on an organisation, in which case it is an `inside job', done by an employee.
Some anti-virus products detect a few trojans [such as the Aids one], but most products don't detect trojans at all.

CORRUPTED PROGRAMS
Some files are simply corrupted [perhaps by a hardware problem], and hang the computer when run. For some reason, these sometimes end up in virus collections, unless the collection is carefully maintained.

INTENDED VIRUSES
Some virus authors are less skilful than they would like to be, and write what is clearly intended to be a virus, but for some reason there is such a major bug that the virus does not work at all. They release these, however, in the fond belief that no one will ever test them [or perhaps they didn't test them themselves]. One typical mistake is to get confused about decimal versus hexadecimal, and so their source code presumably says `int 21' for the DOS function interrupt, but it should have said `int 21h' [which is 33 in decimal].

DROPPERS
A dropper is a program that is not a virus, nor is it infected with a virus, but when run it installs a virus into memory, on to the disk, or into a file. Droppers have been written sometimes as a convenient carrier for a virus, and sometimes as an act of sabotage. Some anti-virus programs try to detect droppers.

GERMS
A germ is an instance of the virus in generation zero, in such a form that the infection could not have happened naturally. For example, a virus that only infects files larger than 5Kb, found infecting a tiny 10-byte file. Alternatively, it might be an instance of the virus without any host file: if you remove the virus, you are left with a zero-byte file. This is the original file created by the virus author.

DIFFERENT KINDS OF VIRUS

BOOT SECTOR VIRUSES
The commonest kinds of virus are boot sector viruses [BSVs], such as Form or Stoned. These infect the boot sectors of floppy disks, and either the partition sector [Master Boot Record, MBR] or the DOS boot sector [DOS Boot Record, DBR] of hard disks. Here's how a BSV spreads.
A floppy disk has just arrived, with some data on it [some word-processed files and a spreadsheet, perhaps]. This is part of a project that you are doing jointly with a colleague. What your colleague doesn't know is that his computer is infected with a BSV, and therefore so is the disk he sent you. You put the disk in drive A and start using these files. So far, the virus hasn't done anything. But when you finish for the day, you switch off the computer and go home. Next day, you come in and switch on. The floppy disk is still in drive A, so the computer tries to boot up from this disk. It loads the first sector into memory and executes it [normally, this is a little program written by Microsoft to load DOS; or if it can't find DOS on the disk, to tell you so - `Non-System disk, or disk error. Replace and press any key when ready']. Everyone has seen this message numerous times, and so you open the drive door and press a key.
But this disk is infected with Stoned, so what executed was not just the program by Microsoft, but the Stoned virus, written in 1987 in New Zealand [and so sometimes called the New Zealand virus]. The virus installs itself on the hard disk, replacing the MBR, and copying the original MBR to a place a little further down the disk.
When you start up from the hard disk, the MBR runs, but this is Stoned virus. Stoned virus goes memory resident, capturing the disk read/write interrupt 13h, and then it loads the original MBR, and the boot-up process continues as normal. But, since the disk read/write interrupt is captured, every time any read or write access is made to drive A [you think you're only making a read, but the virus writes to the floppy anyway], the floppy is examined, and if it is not already infected, Stoned virus is installed on its boot sector. Thus, your computer is now infecting every disk put in drive A, and sooner or later one of these will be sent to a colleague, and the cycle continues.
The detail of various BSVs is different, but the principle is the same. They are carried by the boot sectors of infected disks, and only in that way [a BSV cannot spread across a network, for example]. And the only way to get infected is to attempt to boot from an infected disk; the attempt need not succeed, since the boot sector code has already run by the time the `Non-System disk' message appears.
BSVs infect PCs. They don't care what operating system is running, or what security software is installed, because at the time the BSV installs itself the operating system or security program is not running yet. However, with some non-DOS operating systems [for example, Windows NT or OS/2], although the PC is infected the virus cannot copy itself on to subsequent disks and cannot spread, because those systems use their own disk drivers instead of the BIOS interrupt the virus has hooked. It can, however, still do damage, as was discovered by one surprised UNIX user when Michelangelo triggered on 6 March.
To most people, the fact that viruses can infect in this way comes as a big surprise, which partly accounts for BSVs being so common.
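The infection chain described above can be checked on a disk image. The Python script that follows is an added example, not code from the original article: it inspects a 512-byte floppy boot sector or MBR image the way a virus-hunter does by hand (the 55 AA boot signature, the short jump DOS boot sectors start with, a plausible BPB or partition table, a known virus message, and a comparison of the loader code against a known-good copy). The sample sectors are constructed inline; the Stoned message string is the one the real virus displays, but the 'infected' sample's entry bytes are made up and are not Stoned's actual code. Offsets follow the standard DOS boot sector and MBR layouts.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55   # stored little-endian as 55 AA at offset 510
PARTITION_TABLE = 446     # four 16-byte MBR entries occupy 446..509

# Message the real Stoned virus carries in its boot code and displays at boot.
KNOWN_VIRUS_STRINGS = [b"Your PC is now Stoned!"]


def _code_region(sector, kind):
    """The bytes a virus must replace to take control on this sector type.

    A floppy boot sector keeps its BIOS Parameter Block at 11..61 with the loader
    after it; an MBR keeps the loader first and the partition table at 446..509.
    Both tables legitimately differ from disk to disk, so they are left out.
    """
    if kind == "floppy":
        return sector[0:3] + sector[62:510]
    if kind == "mbr":
        return sector[0:PARTITION_TABLE]
    raise ValueError("kind must be 'floppy' or 'mbr'")


def inspect_sector(sector, kind):
    """The checks a virus-hunter applies by hand to one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = {
        "has_boot_signature": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE,
        "known_virus_strings": [s.decode() for s in KNOWN_VIRUS_STRINGS if s in sector],
    }
    if kind == "floppy":
        # A DOS boot sector opens with a short (EB xx 90) or near (E9 xx xx) jump
        # over the BPB; a loader that starts any other way deserves a closer look.
        findings["starts_with_jump"] = sector[0] in (0xEB, 0xE9)
        (bytes_per_sector, sectors_per_cluster, _reserved, fat_copies,
         _root_entries, total_sectors, media) = struct.unpack_from("<HBHBHHB", sector, 11)
        findings["bpb_plausible"] = (bytes_per_sector == 512
                                    and sectors_per_cluster in (1, 2, 4, 8, 16, 32, 64, 128)
                                    and fat_copies in (1, 2) and total_sectors > 0
                                    and media >= 0xF0)
    else:
        # Each entry's status byte is 0x80 (active) or 0x00; anything else, or more
        # than one active entry, means the table was damaged or overwritten.
        statuses = [sector[PARTITION_TABLE + 16 * i] for i in range(4)]
        findings["partition_table_plausible"] = (all(s in (0x00, 0x80) for s in statuses)
                                                and statuses.count(0x80) <= 1)
    findings["suspicious"] = (not findings["has_boot_signature"]
                              or bool(findings["known_virus_strings"])
                              or not all(findings.get(k, True) for k in
                                         ("starts_with_jump", "bpb_plausible",
                                          "partition_table_plausible")))
    return findings


def code_changed(sector, baseline, kind):
    """True when the loader differs from a known-good copy of the same sector type."""
    return _code_region(sector, kind) != _code_region(baseline, kind)


# --- constructed sample sectors (not dumps of real disks) ---------------------

def _floppy_sector(loader):
    """Constructed 1.44 MB DOS floppy boot sector carrying the given loader bytes."""
    body = bytearray(SECTOR_SIZE)
    body[0:3] = b"\xEB\x3C\x90"            # jmp short over the BPB
    body[3:11] = b"MSDOS5.0"               # OEM name
    body[11:22] = struct.pack("<HBHBHHB", 512, 1, 1, 2, 224, 2880, 0xF0)
    body[62:62 + len(loader)] = loader
    body[510:512] = b"\x55\xAA"
    return bytes(body)


def _mbr_sector(loader):
    """Constructed MBR with one active FAT16 partition in the first table slot."""
    body = bytearray(SECTOR_SIZE)
    body[0:len(loader)] = loader
    body[PARTITION_TABLE:PARTITION_TABLE + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0F", 63, 2096577)
    body[510:512] = b"\x55\xAA"
    return bytes(body)


LOADER = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 40   # stand-in loader: cli; xor ax,ax; mov ss,ax; nops
CLEAN_FLOPPY = _floppy_sector(LOADER)
CLEAN_MBR = _mbr_sector(LOADER)
NO_SIGNATURE = CLEAN_FLOPPY[:510] + b"\x00\x00"

# A floppy whose loader was replaced: the entry is no longer DOS's short jump (these
# bytes are made up, not Stoned's real code) and the virus's message sits where the
# loader was, while the BPB is untouched so DOS can still read the disk's files.
_infected = bytearray(CLEAN_FLOPPY)
_infected[0:5] = b"\xEA\x05\x7C\xC0\x07"
_infected[62:62 + len(KNOWN_VIRUS_STRINGS[0])] = KNOWN_VIRUS_STRINGS[0]
INFECTED_FLOPPY = bytes(_infected)

if __name__ == "__main__":
    for label, sector, kind, baseline in (("clean floppy", CLEAN_FLOPPY, "floppy", CLEAN_FLOPPY),
                                          ("infected floppy", INFECTED_FLOPPY, "floppy", CLEAN_FLOPPY),
                                          ("clean MBR", CLEAN_MBR, "mbr", CLEAN_MBR)):
        findings = inspect_sector(sector, kind)
        print(f"{label}: suspicious={findings['suspicious']} "
              f"loader_changed={code_changed(sector, baseline, kind)}")
```

Feed it the first 512 bytes of a floppy or hard disk image. The string list only catches viruses it already knows; the loader comparison is what catches the one it doesn't, which is why keeping a clean copy of each machine's MBR and boot sectors is worth the few seconds it takes.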

MACRO VIRUSES
Macro viruses [such as WM.Concept], the latest virus development, seem likely to become a significant threat, for several reasons.
Macros, written in WordBasic, and accessible to many computer users, are easier to write than 'traditional' file viruses [written, for the most part, in assembly code].
They are the first viruses to infect data files, rather than executables. Data files, to which macros are attached, provide viruses with a more effective replication method than executable files. Data files are exchanged far more frequently than executable files. If you add the increased use of e-mail [and the ability to attach files to e-mail], and mass access to the Internet [and on-line services like CompuServe and America Online], this is likely to make macro viruses a much greater threat to computer users than 'traditional' file viruses.
Macro viruses are not platform-specific. There are versions of Microsoft Word for Windows 3.x, Windows 95, Windows NT and Macintosh. This makes all of these operating systems susceptible to macro viruses [although anything in a macro which makes use of calls to a specific operating system [as with the WM.FormatC macro trojan] will be restricted to that particular operating system].
Macro viruses have already had a marked effect. WM.Concept currently accounts for around 50% of all virus reports to our Technical Support department. And while WM.Concept causes no damage to data, we have already seen the first [albeit faltering] steps towards macro viruses which threaten data; one payload of WM.Nuclear, for example, is to attempt to damage the system files [this payload is never delivered, due to a bug in the code].
Macro viruses are not confined to Microsoft Word for Windows. In January 1996, the first macro virus to infect Lotus AmiPro files [APM.GreenStripe] appeared. Unlike Word for Windows, in which macros are directly linked to DOC [and DOT] files, AmiPro macros are contained in a separate file [with the extension SMM]; this makes it possible to exchange AmiPro documents [for example, via e-mail] without exchanging infected macros. And XM.Laroux, which appeared in July 1996, is the first working macro virus to infect Microsoft Excel for Windows spreadsheets.

TSR FILE VIRUSES
TSR file viruses are no longer common. As the name suggests, these infect files. These are usually COM and EXE, but there are some device driver viruses, and some viruses infect overlay files; executable programs don't always have the extension COM or EXE, although over 99% do.
For a TSR virus to spread, someone has to run an infected program. The virus goes memory resident, and typically looks at each program run thereafter and infects it if it is not already infected. Some viruses are called `fast infectors', and they infect if you just open the file [for example, a backup might open every file on the drive]. Dark Avenger was the first 'fast infector'. In the case of Green Caterpillar, the infection trigger is anything that determines what files are present [such as DIR]. Other triggers have been used, but the commonest is to infect each program that you are about to run.

NON-TSR FILE VIRUSES
It is much easier to write a non-TSR virus, and so many of the budding virus authors do so. But it is quite rare for such a virus to be encountered 'in the wild'; less than 1% of reported outbreaks are a non-TSR virus. With such a virus, running an infected program runs the virus, which at that time looks for another file to infect, and infects it. Vienna, the first file virus 'in the wild', is the commonest non-TSR virus, but it now has the status of 'rare'.
There are a lot of viruses based on Vienna, because a disassembly [which is almost equivalent to source code] was published in a book in 1987.

COMPANION VIRUSES
If you have a COM file and an EXE file with the same filename and type that name, DOS runs the COM file in preference to the EXE file. Companion viruses use this feature of DOS. Each EXE file that you have acquires a companion COM file with the same name. Then, when you try to run your EXE program, actually the COM program runs, and that is the virus. When the virus has finished doing what it wants to do [such as creating another companion for another file], it then runs the EXE program, so that everything seems to work normally.
There have been a few successful companion viruses, but not many. The main advantage to the virus author is that because the EXE file does not change, some change-detection software might not realise that a virus is spreading.
Another type of companion is the `path companion'. This sort of virus puts a program in a directory that is earlier in the DOS PATH than is the victim. When you run a program that is not in your current sub-directory, DOS searches for the program in various sub-directories, as specified by the PATH command in your AUTOEXEC.BAT file. Path companions are harder to write than ordinary companions, so there aren't many of them.
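As an added example, not from the original article, the Python below models the DOS name resolution that both kinds of companion rely on (current directory first, then each PATH directory in order, and .COM before .EXE before .BAT within each directory) and turns it round into the check that change-detection software misses: which .EXE files on the PATH would be pre-empted by a .COM of the same name, either beside them or in a directory searched earlier. The directory listing and PATH are constructed.

```python
EXTENSION_ORDER = (".COM", ".EXE", ".BAT")   # the order COMMAND.COM tries for a bare name


def _join(directory, filename):
    return directory.rstrip("\\") + "\\" + filename


def _names(filesystem, directory):
    """Upper-cased file names in one directory (DOS is case-insensitive)."""
    return {name.upper() for name in filesystem.get(directory.upper(), ())}


def resolve_command(name, cwd, path, filesystem):
    """Return the file DOS would run for a bare command name, or None.

    The current directory is searched first, then each PATH entry in order; in
    every directory .COM is tried before .EXE, and .EXE before .BAT. A companion
    virus wins simply by being the .COM that this loop reaches first.
    """
    name = name.upper()
    for directory in [cwd, *path]:
        present = _names(filesystem, directory)
        for ext in EXTENSION_ORDER:
            if name + ext in present:
                return _join(directory.upper(), name + ext)
    return None


def find_companions(path, filesystem):
    """Flag every .EXE on the PATH that a .COM of the same name would pre-empt.

    Returns (victim, shadow, kind) triples: kind is 'companion' when the .COM
    sits beside the .EXE and 'path companion' when it sits in a directory that
    DOS searches earlier. The .EXE itself is untouched in both cases, which is
    why a checksum of the .EXE stays valid while the virus runs first.
    """
    findings = []
    for index, victim_dir in enumerate(path):
        for filename in sorted(_names(filesystem, victim_dir)):
            if not filename.endswith(".EXE"):
                continue
            com = filename[:-4] + ".COM"
            for shadow_dir in path[:index + 1]:
                if com in _names(filesystem, shadow_dir):
                    kind = "companion" if shadow_dir == victim_dir else "path companion"
                    findings.append((_join(victim_dir, filename), _join(shadow_dir, com), kind))
                    break
    return findings


# Constructed directory listing (not a real machine): XCOPY.COM is an ordinary
# companion planted beside XCOPY.EXE, and PKZIP.COM is a path companion planted
# in a directory that is searched before the one holding PKZIP.EXE.
FILESYSTEM = {
    "C:\\": {"AUTOEXEC.BAT", "CONFIG.SYS"},
    "C:\\DOS": {"FORMAT.COM", "XCOPY.EXE", "XCOPY.COM"},
    "C:\\UTIL": {"PKZIP.COM"},
    "C:\\TOOLS": {"PKZIP.EXE", "EDIT.EXE"},
}
PATH = ["C:\\DOS", "C:\\UTIL", "C:\\TOOLS"]
CWD = "C:\\"

if __name__ == "__main__":
    for command in ("xcopy", "pkzip", "edit", "autoexec"):
        print(f"{command:>8} -> {resolve_command(command, CWD, PATH, FILESYSTEM)}")
    for victim, shadow, kind in find_companions(PATH, FILESYSTEM):
        print(f"{kind}: {shadow} runs instead of {victim}")
```

The check only walks the PATH; a companion planted in whatever directory the user happens to be working in is found the same way by putting that directory at the front of the list.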

OVERWRITING VIRUSES
An overwriting virus simply overwrites each file it infects with itself, and the program no longer functions. Because this is so glaringly obvious, overwriting viruses are never successful in spreading.

MULTIPARTITE VIRUSES
Some viruses, such as Tequila, infect multiple objects. When you run a Tequila-infected EXE, Tequila installs itself on the MBR. When you boot up the computer, Tequila runs from the MBR, and goes memory resident. While Tequila is memory resident, it infects EXE files. Other viruses, such as some of the versions of Anticad, infect COM, EXE and MBRs interchangeably. Some viruses infect COM, EXE, MBRs and device drivers.

MISCELLANEOUS OBJECTS OF INFECTION
There is a virus that infects OBJ files. There is a virus [Starship] that infects by creating a new DBR, leaving the old one intact, leaving the code on the MBR intact, and changing the pointer in the MBR so that the Starship DBR is executed before the original DBR.
There are other viruses [DIR II and Dir.Byway] that infect file systems by changing the FAT and directories so that files on the hard disk are all cross linked to the virus.
There are all sorts of ways of skinning this particular cat.
