Computer Viruses
"Computer viruses" are one category of "malicious software". Generally, malicious software can be divided into three different categories: "viruses", "trojan horses" and "tapeworms" (or simply "worms"). Because people have only heard of "viruses", they tend to call any sort of malicious software a virus. One of the dangers of this misuse of terminology is that people come to expect all malicious software to act like a virus. If you read about a virus that has tremendous powers, for instance, the ability to physically damage a portion of your computer, it's probably a hoax.
Anti-virus programs seem to have a few strikes against them from the start - they pop up at inopportune times for a lengthy scan of your hard disks, they may slightly impact the performance of your computer, and they may occasionally cause conflicts with other software. Or, at least, those are some of the reasons lots of folks give for not running them.
Today's computer viruses are social - they don't just want your machine, they want your whole network, and they will use every form of technological and sociological deception to get it:
- Virus carrying emails appear to be from people you know and if you're infected, they might attempt to spread using every email address that can be found on your hard drive.
- Subject lines may entice you to open attachments with vague promises of humor, pictures, games, a screen saver, or even a software update (Microsoft NEVER sends product updates as attachments). The Anna Kournikova virus was hugely successful simply because people thought they were getting pictures of the tennis star.
- One infected machine can infect an entire network, eventually causing the email servers to clog with self-propagating viruses darting from machine to machine. Imagine the cost of the lost productivity on a campus deprived of its network for communication, learning, teaching and research.
- Many viruses open "back doors" into infected machines, allowing the virus author (or anybody else) to access your data and any data accessible to you over the network.
- Machines with "back doors" can be taken over en masse and used as "zombies" to attack other computers. MSNBC.com was recently knocked off the Internet in a denial of service attack that likely originated from a number (maybe hundreds) of zombie computers that may well have been on corporate or university desktops at the time.
Viruses
A computer virus is a program (a block of executable code) which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the computer user. (See the comparison chart below for more details.) Many viruses are comparatively harmless, and may be present for years with no noticeable effect. Some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files or make disks unreadable. Still others cause unintended damage. Even so-called benign viruses cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them. One of the most famous computer viruses was the Michelangelo virus. This virus received wide attention in the media, and sent waves of panic and hysteria through the computer user community in 1992. While Michelangelo itself did relatively little damage to computer systems, the reaction to Michelangelo resulted in a lot of wasted time, effort and money.
Trojan Horses
A Trojan Horse is a program intended to perform some covert and usually malicious act, which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce — though this distinction is by no means universally accepted. An infamous "trojan horse" is a fake version of a popular "shareware" archiving program, "PKZIP". This "Trojan Horse" first surfaced in May of 1995, but warnings about it are still circulating on the Internet.
Worms
A worm is a program which spreads on its own. Unlike a virus, it does not attach itself to a host program. Unlike a trojan horse, it reproduces and spreads by itself. In practice, worms are not normally associated with personal computer systems. The most famous worm is probably the one set loose on the Internet in 1988 by Robert Morris, Jr. Morris's worm was a small program which wreaked havoc on machines across the country by overloading them with invisible tasks, preventing users from being able to use the machines effectively.
| FEATURES | VIRUSES | TROJAN HORSES | WORMS |
|---|---|---|---|
| Reproduction | Viruses reproduce by modifying or replacing other software. The "infected" (or "host") software then acts as a "vector", infecting other software. | Trojan Horses do not reproduce. | Worms reproduce on their own by making copies of themselves. |
| Transportation | "Infected" software is transported to another computer, usually by disk or downloading, where the infection process starts again. | Computer users are duped into installing Trojan Horses by claims that they do something good. | "Network worms" find their own way to other computers over a network. Other worms spread via "infected" disks. |
| Dependencies | Viruses function by "infecting" other software. They are essentially code fragments. | Trojan Horses are self-contained programs. | Worms are self-contained programs, or systems of programs. |
Common (and not-so-common) Virus Terminology
- Anti-antivirus Virus - A virus that attacks, disables, or avoids infecting specific anti-virus software. Also called a retrovirus.
- Antivirus Virus - A virus that looks specifically for, and removes another virus.
- Bimodal Virus - A virus that infects both boot records and files. Also called bipartite or multipartite. See File-infecting virus and Boot-sector-infecting virus.
- Boot Records - Those areas on diskettes or hard disks that contain some of the first instructions executed by a PC when it is booting up. Boot records must be loaded and executed in order to load the operating system. (Also called "Boot Blocks" or "Boot Sectors".)
- Boot-sector-infecting Virus - Some viruses infect the boot records of hard disks and diskettes. They typically do so by replacing the existing boot record with their own code. The virus is executed when the system is booted from the hard disk or diskette, and installs its own code in the system's memory so that it can infect other hard disks or diskettes later. Once that has happened, the virus will usually execute the normal boot program, which it stores elsewhere on the disk. Other names for this type of virus are: boot sector virus, boot block virus, or boot virus.
- Bug - An error in the design or implementation of a program that causes it to do something that neither the user nor the program author had intended to be done.
- Cluster Virus - A virus that infects disks or diskettes by modifying their file systems so that every program file entry points to the virus code. The virus code only exists in one physical place on the disk, but running any program on the disk will run the virus as well. So, cluster viruses can appear to infect every program on a disk.
- Companion Virus - A virus that creates a new program with the same file name as an existing program, but in a different place or with a different file type, so that typing the program's name on the MS-DOS command line causes the virus program to be executed instead of the original program. For instance, a companion virus could create a file named FOO.COM that contained its code, if a program named FOO.EXE already existed. When the user types FOO on the MS-DOS command line, FOO.COM would get executed instead of FOO.EXE, because MS-DOS looks for a .COM file before a .EXE file. (This is a special case of a "file virus".)
- File-infecting Virus - Some viruses infect executable files. There are a variety of mechanisms that they use to do so. Usually, the virus will get control when the program is first executed. In most cases, the virus will return control to the original program after it has completed its own execution.
- Logic Bomb - A Trojan Horse that is left within a computing system with the intent that it execute when some condition occurs. The logic bomb could be triggered by a change in a file, by a particular input sequence to the program, or at a particular time or date (see Time Bomb). Logic bombs get their name from the malicious actions that they can take when triggered.
- Malicious Code - Any program or piece of code designed to do damage to a system or the information it contains, to prevent the system from being used in its normal manner, or to accomplish a purpose unintended by the user.
- Master Boot Records - Those boot records on PC hard disks that define the structure of the information on the disk. There is only one master boot record on each physical hard disk. Each logical partition has a system boot record associated with it. (See Boot Records and System Boot Records.)
- Mutant - See Variant.
- Rogue Program - This term has been used in the popular press to denote any program intended to damage programs or data, or to breach the security of systems. It encompasses malicious trojan horses, viruses, and so on.
- Self-Encrypting Viruses - See Self-Garbling Viruses.
- Self-Extracting Files - A file which, when run, decompresses part of itself into one or more new files. It is common to store and transmit groups of files in a self-extracting file to conserve both disk space and transmission time. If infected files are compressed into a self-extracting file, anti-virus programs that only scan files will not necessarily be able to detect the virus. To scan such files, you must first extract and then scan their constituent files. (Some virus software can scan archived files.)
- Self-Garbling Viruses - Some viruses attempt to hide from virus scanning programs by keeping most of their code garbled in some way, and by changing the garbling each time they spread. When such a virus runs, a small header degarbles the body of the virus and then branches to it.
- Stealth Viruses - Some viruses attempt to hide from detection programs by hiding their presence in boot records or files. When such viruses are run, they install a resident extension. This resident extension intercepts various disk accesses, determines if its own code is part of the disk access, and removes the code before giving the data to the calling program. This may allow a virus to be in several places on the disk, but normal disk reads won’t reveal it.
- Time Bomb - A logic bomb activated at a certain time or date.
- (Tape) Worm - A worm is a program that spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program. In practice, worms are normally not associated with personal computer systems.
- Trojan Horse - A Trojan Horse is a program intended to perform some covert and, usually, malicious act which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce, though this distinction is by no means universally accepted.
- Variant - A modified version of a virus that is usually produced on purpose by a virus author or by someone who modifies the original virus. Variants may be very similar to their parent virus, or may be fairly different. Some are text variants, which means that the only differences between them and their parent virus are in internal program comments that are never displayed, or in text that is displayed to the screen. Some are the result of small changes made to the original virus, apparently to create a new virus that is not detected by certain anti-virus programs. Some are the result of large changes, such as combining the spreading part of one virus with the damage part of another.
- Virus - A (computer) virus is a program (a block of executable code) which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the computer user.
Real Virus or Virus Hoax?
"Help! I've got email from a friend telling me about a terrible new virus on the Internet. It says if I read this certain email message, it will erase my hard disk and permanently damage my computer! What should I do?" Chances are you can ignore it. There are lots of hoax virus warnings out there. So many, in fact, that CIAC (U.S. Dept. of Energy Computer Incident Advisory Capability) wrote: "The Internet is constantly being flooded with information about computer viruses and Trojans. However, interspersed among real virus notices are computer virus hoaxes. While these hoaxes do not infect systems, they are still time consuming and costly to handle. At CIAC, we find that we are spending much more time de-bunking hoaxes than handling real virus incidents..." So, how can you find out if this virus warning is for real? Check out these web sites:
Email Virus Trail
Email leaves a trail wherever it goes, recorded in the header data that accompanies every message. In Outlook you can view the header data by right-clicking on the message and selecting Options from the menu. In Eudora, open the message and click the “Blah,blah,blah” button on the toolbar.
Pictured below is an Internet worm that was sent to the readers of the PEC listserv. Recipients may have thought the listserv itself was infected but the headers tell the real story.
In this example, while it appears that a worm infected the pec-l listserv, it was actually another campus machine, one that had permission to post to the listserv, that was infected. Typically, the last "Received: from" line in the headers will reveal the sender by their unique, numeric IP address, since each mail server adds its own "Received:" line above the ones already present. Reading down through the headers reveals that the message originated on a machine at the IP 128.226.47.91 [1]. From this we can determine that the infected machine was on-campus (128.226… is a campus address) and that it probably had an address book entry for the listserv that was harvested by the worm. The worm portrayed itself as "The Binghamton.edu team", using the spoofed return address noreply@BINGHAMTON.EDU [2]. Finally, note the spelling and grammar [3] in the body, which is often a giveaway that a message isn't authentic. Keep in mind that only the "Received:" lines added by mail servers you trust are reliable; a sender can insert fake ones below them.
NOTE: You can forward infected messages to abuse@binghamton.edu and cite the IP you find in the message headers. If the message originates from a campus IP (128.226…) ITS can locate and clean the infected machine.
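Walking the "Received:" trail described above, as an added example in Python (not code from the original page); the hostnames, queue ids and message body are constructed, and only the campus range 128.226.0.0/16, the originating IP and the spoofed From: address come from the page.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the listserv worm described above. Each mail
# server prepends its own Received: line, so the topmost line is the last hop
# and the bottom line is the machine that first handed the message over.
RAW_MESSAGE = """\
Received: from listserv.example.edu (listserv.example.edu [192.0.2.10])
\tby mail.example.edu with ESMTP id A1B2C3; Mon, 1 Jan 2001 10:00:02 -0500
Received: from pecl-user-pc ([128.226.47.91])
\tby listserv.example.edu with SMTP id D4E5F6; Mon, 1 Jan 2001 10:00:00 -0500
From: "The Binghamton.edu team" <noreply@BINGHAMTON.EDU>
To: pec-l@example.edu
Subject: Your account

Dear user, your account have been suspend, open the attachement to restore.
"""

CAMPUS_NET = ipaddress.ip_network("128.226.0.0/16")   # campus range from the page
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """IP from the 'from' clause of every Received: header, top to bottom."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        unfolded = " ".join(hdr.split())            # join folded continuation lines
        clause = re.search(r"from\s+(.*?)\s+by\s", unfolded)
        ip = IPV4_RE.search(clause.group(1)) if clause else None
        hops.append(ip.group(1) if ip else None)
    return hops


def trace_origin(raw):
    """Earliest hop (last Received: line) versus what the From: header claims.
    Only Received: lines added by servers you trust are reliable; anything
    below them could have been written by the sender."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    origin = next((ip for ip in reversed(hops) if ip), None)
    return {
        "origin_ip": origin,
        "on_campus": origin is not None and ipaddress.ip_address(origin) in CAMPUS_NET,
        "claimed_sender": msg.get("From", ""),
        "hops": hops,
    }


if __name__ == "__main__":
    print(trace_origin(RAW_MESSAGE))
```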
Remember: Viruses are Simply Software
When dealing with computer viruses, it's important to remember that they are software. That means:
- Viruses can do anything other software can do:
  - Viruses can delete files.
  - Viruses can format hard drives or scramble the data on them.
  - Viruses can communicate over a network.
- Viruses cannot do anything impossible for other software:
  - Viruses cannot damage your CPU.
  - Viruses cannot physically destroy your hard disk, although they can scramble the data on it.
  - Viruses cannot destroy your computer's RAM.
  - Viruses cannot cause your computer system to explode.
- People intentionally write computer viruses; they do not appear spontaneously. They are not accidental mutations of "normal" software.
Find more information at: http://vil.nai.com/vil/default.aspx