Office of Information Technology
About Computer Viruses
A computer virus is a program that explicitly copies itself. This may lead to it spreading from machine to machine and is typically done without the user’s knowledge or permission. Viruses, by definition, add their code to your system in such a way that when the infected part of the system executes, the virus does also.
Virus Detection & Prevention Tips
(for home or the office)
- Do not open any files attached to an e-mail from an unknown, suspicious or untrustworthy source.
- Do not open any files attached to an e-mail unless you know what it is, even if it appears to come from a dear friend or someone you know. Some viruses can replicate themselves and spread through e-mail. Better safe than sorry: confirm that they really sent it.
- Do not open any files attached to an e-mail if the subject line is questionable or unexpected. If you must open such an attachment, always save the file to your hard drive first.
- Delete chain e-mails and junk e-mail. Do not forward or reply to any of them. These types of e-mail are considered spam, which is unsolicited, intrusive mail that clogs up the network.
- Do not download any files from strangers.
- Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download the file at all or download the file to a floppy and test it with your own anti-virus software.
- Update your anti-virus software regularly. Over 500 viruses are discovered each month, so you'll want to be protected. At a minimum these updates should include the product's virus signature files; you may also need to update the product's scanning engine.
- Back up your files on a regular basis. If a virus destroys your files, at least you can replace them with your back-up copy. You should store your backup copy in a separate location from your work files, one that is preferably not on your computer.
- When in doubt, always err on the side of caution and do not open, download, or execute any files or e-mail attachments. Not executing is the more important of these caveats. Check with your product vendors for updates, including those for your operating system, web browser, and e-mail software.
Types of Viruses
Boot viruses place (some of) their code in the disk sector whose code the machine will automatically execute when booting. Thus, when an infected machine boots, the virus loads and runs. After boot viruses are finished loading, they usually load the original boot code, which they have previously moved to another location, or take other measures to ensure the machine appears to boot normally.
File viruses attach to ‘program files’ (files containing executable or interpretable code) in such a way that when you run the infected program, the virus code executes. Usually the virus code is added in such a way that it executes first, although this is not strictly necessary. After the virus code has finished loading and executing, it will normally load and execute the original program it has infected, or call the function it intercepted, so as to not arouse the user’s suspicion.
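Because a file virus changes the contents of a program file, the practical defence is to know what those files looked like before. The following script is an added example and is not code from this page or from any anti-virus product: it records a SHA-256 baseline for files with a chosen set of program extensions (the extension list is an assumption), then reports files that were modified, added, or removed. The demo builds a temporary folder with constructed sample files and appends bytes to one of them to stand in for the kind of change an infection would make.

```python
import hashlib
import os
import tempfile

# Assumed set of extensions treated as 'program files'; adjust to the environment.
PROGRAM_EXTENSIONS = {".exe", ".com", ".dll", ".bat"}


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each program file (relative path) under root to its hash and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PROGRAM_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            baseline[rel] = {"sha256": sha256_of(path), "size": os.path.getsize(path)}
    return baseline


def compare_to_baseline(root, baseline):
    """Return sorted lists of modified, added and missing program files."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": []}
    for rel, info in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif info["sha256"] != baseline[rel]["sha256"]:
            report["modified"].append(rel)
    for rel in baseline:
        if rel not in current:
            report["missing"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: take a baseline, then one program file grows and a new one appears."""
    with tempfile.TemporaryDirectory() as root:
        samples = (("editor.exe", b"MZ-sample-editor"), ("notes.txt", b"not a program"))
        for name, content in samples:
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(root)
        # Simulated change: extra bytes appended to an existing program file.
        with open(os.path.join(root, "editor.exe"), "ab") as f:
            f.write(b"-EXTRA")
        # Simulated new program file that was not present at baseline time.
        with open(os.path.join(root, "helper.dll"), "wb") as f:
            f.write(b"new file")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored away from the monitored machine (as the backup tip above recommends for files generally), since a baseline that an infection can rewrite proves nothing.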
Macro viruses are really just a type of file virus, but a particularly ‘successful’ type. They copy their macros to templates and/or other application document files. Although ‘auto macros’ were almost exclusively used by early macro viruses (often to ensure the virus’ code is the first to execute when infected templates or documents were opened), several other mechanisms are also available – in fact, some of these, such as taking over standard internal functions of the host application (say the ‘File Save’ command) and installing default event handlers are probably more commonly used these days.
Worms are described by some antivirus researchers as similar to viruses in that they make copies of themselves, but different in that they need not attach to particular files or sectors at all. Once such a worm is executed, it seeks other systems – rather than parts of systems – to infect, then copies its code to them in such a way as to have the code execute directly from memory. This form of ‘classic worm’ is still very rare, with the ‘Morris worm’ (or ‘The Internet worm’) of November 1988 the best known of a small number of examples. More recently the term ‘worm’ has been taken to mean ‘a virus that replicates across a network link’, with the most common usage applied to viruses that send many copies of themselves out attached to the infected user’s e-mail.
RATs (Remote Access Trapdoor) and the network crawler type worms have become so ‘successful’ because of the expansion of ‘always on’ Internet connection technologies such as cable-modems and DSL. The tendency to keep such connections up, coupled with their increased bandwidth and the increasing propensity of naïve users to implement Microsoft networking without taking the most rudimentary of security precautions is bound to see these problems get worse before they get better. The basic idea behind a RAT is that an ‘attacker’ attempts to trick or ‘social engineer’ a victim (who may just be a random Internet user) into running a program on their computer. This program (the RAT itself) then opens up a ‘backdoor’ or ‘trapdoor’ into the victim’s computer whereby the attacker (or anyone else that discovers the listening network port) can attach to the victim’s computer and execute whatever commands they wish, copy files to and from the computer, send the user messages or pretty much anything else you can imagine a computer program being able to do. Usually a special client program is needed to connect to the RAT, and these are different for each RAT.
Master Boot Record Infectors
The first physical sector of every hard disk (Cylinder 0, Head 0, Sector 1) is known as the Master Boot Record (MBR – also as the Master Boot Sector, MBS), which in turn contains the disk’s Partition Table. The Master Boot Record, like the boot sector of a diskette, holds a small boot program. However, unlike on a diskette, this boot program is not usually directly concerned with locating and starting the operating system.
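Both boot viruses and MBR infectors work by replacing the small boot program in that first sector, so checking that sector against a known-good copy is the basic detection. The script below is an added example, not code from this page: it builds a constructed 512-byte MBR image (the boot code and partition values are made up), verifies the 0x55AA boot signature that a valid MBR carries in its last two bytes, parses the four 16-byte partition table entries that start at byte 446, and compares a SHA-256 hash of the 446-byte boot code area against a stored baseline so that a rewritten boot program is reported.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # boot program occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code):
    """Construct a sample MBR image (not taken from any real disk).

    One primary partition entry is filled in with made-up values; the rest are zero.
    """
    assert len(boot_code) <= BOOT_CODE_LEN
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return code + table + BOOT_SIGNATURE


def boot_code_hash(mbr):
    """Hash only the boot program area; partition entries may legitimately change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partition_table(mbr):
    """Return the used partition entries as dictionaries."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + 16])
        if ptype == 0:  # unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_hash):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append("unexpected sector length %d" % len(mbr))
        return findings
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr(b"SAMPLE-BOOT-CODE")
    baseline = boot_code_hash(good)
    print("clean image:", check_mbr(good, baseline))
    print("partitions:", parse_partition_table(good))
    tampered = b"XXXX" + good[4:]
    print("altered image:", check_mbr(tampered, baseline))
```

On a real system the 512 bytes would be read from the raw disk device by a tool with the necessary privileges, and the baseline hash kept on separate media, since a boot virus that has moved the original boot code elsewhere can make the machine appear to boot normally.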
Multi-partite Viruses
Multi-partite viruses are ‘combination infectors’, infecting more than one class of basic target listed above. Thus, a virus with code parts that infect both files and boot sectors is multi-partite. Before the rise of macro viruses, several of the most common file infectors (for example Junkie) were actually the file infector parts of multi-partite viruses that had leveraged the distribution advantage attributable to their boot infector components. These viruses became common because of their boot virus components. More recently we have seen complex forms of multi-partism with, for example, viruses that infect EXE files and insert droppers as macros in suitable document files.
More on Viruses...
Some viruses display obvious symptoms, and some cause damage to files in a system they have infected. While one or both of these features of a virus often capture the attention of the popular media, note from the preceding discussion that neither is essential in the definition of a virus. A non-damaging virus is still a virus, not a prank, and, other things being equal, viruses without obvious symptoms are more likely to spread further and persist longer than those that rapidly draw attention to themselves.
There are no ‘good’ viruses, simply because a virus is code that was not intentionally installed by the user. Users must be able to control their computers, and that requires that they have the power to install and remove software; that no software is installed, modified, or removed without their knowledge and permission. A virus is surreptitiously self-installed. It may modify other software in the system without user awareness, and removal can be difficult and costly.
Many viruses cause intentional damage. But many more cause damage that may not have been intended by the virus writer. For instance, when a virus finds itself in a very different environment than that for which it was written, what was intended to be a non-destructive virus can prove very destructive. A good case in point is the boot virus. Few, if any, boot viruses contain code to damage computers running Windows NT; however, when many boot viruses infect an NT machine, system recovery can be quite tricky.
NOTE: Even if a virus causes no direct damage to your computer, your inexperience with viruses can mean that damage occurs during the removal process. Many organizations have shredded floppies, deleted files, and done low-level formats of hard disks in their efforts to remove viruses. Even when removal is done perfectly, with no damage to the infected system or files, it is not normally done when the machine is first infected, and by then the virus in that machine has had a few weeks to spread.