Computer Viruses


Numerous news stories have left many computer users confused about the nature of viruses and the damage they can cause.  A virus is a computer program that piggybacks on or attaches itself to application programs or other executable system software.  Some evidence indicates that a virus may also be contained in data files.  At some predetermined point the virus activates, sometimes erasing files and other times merely leaving harmless messages.

In one six-month study conducted by the Computer Virus Industry Association of its members, a total of 61,795 infected computers were reported.  From five to 816 computers were infected at individual organizations.  For any given virus, numerous variant strains can exist.  These variants result from program modifications made to the original virus program.  A knowledgeable programmer can create a new virus by starting with an existing virus and simply making modifications.

Three basic categories of computer viruses exist:  (1) boot infectors, (2) system infectors, and (3) generic application infectors.  Boot infectors are incorporated into the boot sectors of diskettes and hard disks.  This type of virus gains control of a system when it is initially booted and retains control at all times.  When a diskette is inserted and accessed for the first time, the virus transfers itself to sector 0 of the diskette, and it infects the subsequent system booted from this diskette.  Only by booting from an infected diskette can this type of virus spread.  Two infamous boot infectors are the Pakistani Brain virus and Alameda virus.

System infectors are attached to either an operating system module or a system device driver. A well-known system infector virus is the Lehigh virus. Generic application infectors make up the third and most widespread category of viruses. These viruses may attach to any application program. This type of virus gains control when an infected application program is run. At that point, the virus searches the system for additional host programs, either on hard disks or diskettes. After the search ends, usually with further spread of the virus, it returns control to the host program. Well-known generic application infectors include the Scores virus, Israeli virus, and nVir virus.

Once the virus has made contact, it uses its self-replicating code to copy itself to other programs, causing additional infections.  With society's dependence on the sharing of information, the virus can spread easily and quickly.  Viruses have managed to bring many computer systems and networks to a standstill by destroying valuable data.

The computer virus usually infects its subject, the host program, using one of two approaches.  The first requires the virus to attach itself to an existing piece of code.  In the alternative approach, the virus removes a piece of code and takes its place.  The virus binds itself either externally or internally.  If it binds externally, it increases the size of the program and so increases the likelihood of detection.  If the virus binds itself internally, it fills the free space in a section of code, making detection difficult.  Once infected, the host program remains relatively unchanged and continues to function properly until the virus program calls on itself to activate.

Activation of the virus depends on execution of the host program.  The virus must use the read and write channels to replicate and perform its task, whether it displays a message on a monitor or destroys files.  The virus may activate either after the host program is executed a certain number of times or on a date and time written into the virus program. The typical virus infection process is shown in Exhibit A.


EXHIBIT A

VIRUS INFECTION PROCESS

    1. Creation of virus by programmer; the virus program is typically an executable file, e.g. an exe, com, or vbs file.

    2. The virus program is attached to an e-mail (or alternatively attached to a public domain software program).

    3. The e-mail with the infected attachment file is sent to unwary recipients.

    4. When the e-mail message is opened, the infected program runs on the user's system and the virus replicates itself onto an operating system file.

    5. In some cases, the virus spreads from the user's system to other user systems through infected diskettes. In other cases the virus gains access to the user's e-mail system address book and sends itself to all the addresses.

    6. At a predetermined point (e.g., a specific date), the virus activates, often leaving programs and data files unusable.


Virus Incidents

There have been numerous reported incidents involving computer viruses.  There may also be many unreported incidents, because victims fear that the negative publicity would damage their reputations.  Customer confidence may be reduced if a virus incident is reported, especially if major losses occurred.  Four well-known computer virus incidents are described in the following paragraphs.

The Manawella Virus.  In the spring of 2001, this virus (technically a “worm”) was created by someone using the virus-writing kit VBS Worm Generator, better known for having been used to spawn the “Kournikova” virus epidemic at the beginning of 2001.  The Manawella virus was sent to computers as an e-mail with a “vbs” file attached.  Upon opening the attached MANAWELLA.VBS file, the worm was activated.  At the same time, the worm copied itself to the Windows system directory under the same name; however, the copied file was never used again.  The worm then gained access to the MS Outlook address book and sent itself to all of the e-mail addresses listed there.

The Macintosh Virus.  Although harmless, this virus came on a graphics program disk from a manufacturer still in the shrink-wrapped packaging.  The virus displayed a universal peace message and afterwards destroyed itself.

The IBM Christmas Tree.  This virus produced a Christmas greeting and a drawing of a Christmas tree on IBM's internal communication network.  The virus duplicated itself every time a machine accessed the system, and it infected machines and disks.  IBM detected and removed the virus.

The New Zealand Marijuana Virus.  Some of the microcomputers at Databank Systems Ltd in Wellington were infected with a virus that blanks a monitor during use and flashes a message encouraging the legalization of marijuana.  The virus was incorporated into the boot sector of infected disks.  Databank, which handles all funds transfers among New Zealand banks, was able to avoid loss of data because of a computer security program.  A major catastrophe was avoided through the use of effective backup procedures.

Antiviral Techniques

Antiviral techniques can be classified into safe user procedures and antivirus software.  Safe user procedures include the following:

    1. Make backup copies of programs and data files.

    2. Use public domain software, such as freeware and shareware, with extreme care.

    3. Test all software, both retail-purchased and public domain.

    4. Create meaningful volume labels on all hard disks and diskettes, and routinely check volume labels for changes.

    5. Be wary of unusual system activities, such as less available system memory than normal or an access light turned on in a system device when there should be no activity.

    6. Be wary of opening e-mails containing attachments of executable files (e.g., exe, com, and vbs files).

In addition to safe user procedures, antiviral programs can help combat the virus threat.  There are three categories of antiviral programs:  (1) infection preventers, (2) infection detectors, and (3) infection identifiers.  Regarding the first category, prevention programs monitor system activities and watch for signs of attempted replication.  The programs monitor loading and downloading procedures and watch for indications of a virus trying to gain access to executable programs.  When a virus is detected, the system freezes before the virus completes infiltration and notifies the user so that the virus can be removed.  Unfortunately, boot infectors cannot be prevented in this manner because they take control before the prevention program is loaded.

The second group of antiviral programs is referred to as infection detectors.  These programs can detect viruses soon after the initial infection has occurred.  Detectors are effective against most generic viruses and come in two forms.  One is called a vaccination, which places a self-test mechanism in each program.  The self-test is executed each time a program is run and checks for any alteration of the sequence of instructions.  However, vaccinated programs can become reinfected.  The second type of detector program is called a snapshot.  Snapshots are one of the most effective means of defense.  This program makes a log of all important information when a system is initially installed, so that the system can be periodically compared with the log to check for changes a virus might have caused.  However, using a snapshot can be very time-consuming.
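As an added illustration of the snapshot detector just described, and of the size-increase trace an externally bound virus leaves on its host (noted earlier), here is a small Python integrity checker; it is example code written for this page, not code from the article or from any product it mentions.  The directory, the two fake "programs", the appended bytes and the dropped file are all constructed for the demonstration.

```python
# Snapshot-style infection detector (added example, not the article's code).
# Baselines size + SHA-256 of every file under a directory and compares a
# later snapshot against it; a changed size/digest is the trace an externally
# bound virus leaves on its host program.
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256 hex)


def take_snapshot(root: str) -> Snapshot:
    """Walk root and record (size, sha256) for every regular file."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            snap[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def compare_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Report files added, removed or altered since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    altered = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "altered": altered}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two fake programs, then append bytes to
    one (as an externally bound virus would) and drop a new file beside it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("editor.com", b"MZ-editor"), ("calc.exe", b"MZ-calc")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = take_snapshot(root)
        with open(os.path.join(root, "calc.exe"), "ab") as fh:
            fh.write(b"<appended bytes>")  # host grows: size and digest both change
        with open(os.path.join(root, "newfile.vbs"), "wb") as fh:
            fh.write(b"new file")
        return compare_snapshots(baseline, take_snapshot(root))


if __name__ == "__main__":
    print(demo())  # {'added': ['newfile.vbs'], 'removed': [], 'altered': ['calc.exe']}
```

The cost the article mentions is visible here too: every file is read and hashed on each comparison, which is why a snapshot check is run periodically rather than on every program launch.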

The third group of antiviral programs is known as infection identifiers.  These programs are basically antidotes for specific viruses.  Unfortunately, these too have disadvantages, because a great deal of time is usually required to create an antidote.  Not only is the number of antiviral programs growing rapidly, but so are the varieties of viruses.  Antiviral programs range in price from $10 to hundreds of dollars.

Legal Consequences

Many people are curious about whether there is any legal recourse for the victims of a virus.  People who create viruses are somewhat safe from prosecution for the moment because no specific law exists making computer viruses illegal.  However, the Computer Fraud and Abuse Act of 1986 makes it a felony to gain unauthorized access to classified information.  The act also makes it a misdemeanor to access financial records in financial institutions or to trespass into a federal government computer system.

Victims of computer viruses have legal recourse against the person who created the virus because a virus can be construed as a malicious act.  Recourse against a commercial software producer who unknowingly sold a program containing a virus depends on the particular state's laws on shrink-wrap contracts.  However, some legal experts say that a manufacturer is not to be held liable for defects or damages to the user's machine.





Email me at: lmsmith@tamu.edu