virus backgrounder
August 3, 2002

what is a virus?

In simple terms, a virus is a small program that uses a variety of techniques to transfer itself from one computer to another, often without the knowledge of the people using the computers concerned. The virus often takes active steps to avoid detection, propagate, perform tasks on the infected machine and, sometimes, resist disinfection. Most viruses have the ability to damage in some way the data on the computer they have infected, or to affect the computer's normal day-to-day operation. These adverse effects either occur immediately upon infection, or are triggered by some event: perhaps a certain date, or the number of times the virus has replicated. Some viruses do not attempt to harm their host; rather they use it as a launchpad for cracking more hosts, or for file-serving, chatroom-hosting, port-scanning, password-cracking, packet-sniffing, session-hijacking, denial-of-service attacks, or some other nefarious activity.

Viruses are defined by their ability to self-replicate, that is, to make copies of themselves that can infect other computers, which in turn make copies of themselves and infect other computers, and so on. They are not to be confused with "trojan horse" programs: these are usually small programs designed to compromise the host in some way, such as providing a backdoor into the filesystem, or eavesdropping on the keyboard or the microphone. The essential difference is that trojan horses do not self-replicate; they rely on being copied and run by the user, usually by masquerading as something the user wants.

The technology behind a virus is usually quite sophisticated; however, it has been coded into virus generators (construction kits) that make it simple for anyone to make a virus. Most of what these kits produce uses generic techniques already known to current virus scanners. Developing new viruses that evade current detectors is difficult, and for this reason they are normally created by knowledgeable, technically able individuals. Why they do so is rarely clear: perhaps to expose a security flaw; to see their name in lights; to see how far their creation goes; as a challenge or an experiment; one-upmanship among their peers; to make a social or political statement; the grudge of a disgruntled employee; industrial espionage; terrorist action. Whatever the reason, in most cases following a few simple procedures will allow you to avoid most viruses and keep your system intact.

types of viruses and how they spread

When a computer is first powered on, it usually runs a series of internal checks and then looks for a "bootable device", that is, a device that contains the code needed to start the operating system and load it into memory. This bootable device can be a floppy disk, inserted when the computer is first powered on, or a hard disk, CD-ROM, or network. The floppy disk, and possibly a bootable CD, is the point of entry for boot-sector viruses.

When the computer looks for its bootable device, it usually looks first for a floppy disk. If it finds one, it reads what is called the "boot sector" from the disk. This boot sector contains the necessary instructions to load the rest of the operating system from the floppy and get the system up and running.

This is where boot-sector viruses slot themselves in. These viruses locate themselves in the boot sector, and are executed when the computer tries to boot from an infected disk. When a boot-sector virus finds itself executing on a previously uninfected computer, it will usually infect the computer by copying itself into the hard disk's master boot record or boot sector, so that it is loaded every time the computer boots. It only takes one attempted boot from an infected floppy to infect the hard drive; the boot doesn't even have to succeed, since a non-system floppy left in the drive by mistake has already run its boot sector by the time the "Non-system disk" message appears. Once active, most of these viruses check each new floppy inserted into the computer during its operation, and infect any that are not already infected. Each of these floppies can then infect other systems, and so on.

This method of infection can be defeated by changing the computer's boot sequence. This is usually accomplished in the BIOS setup utility: set the boot order so that the hard disk (C:) comes before the floppy (A:), or leave A: out of the sequence altogether, and put a password on the BIOS setup so the order cannot quietly be changed back. When you genuinely need to boot from a floppy, change it back temporarily. Sliding the write-protect tab on floppies you only need to read also stops an already-active virus from infecting them.

With the decline in use of floppy disks, and with the routine checking of the boot sector by anti-virus products (which record a copy or checksum of it and warn when it changes), boot-sector viruses have become rare.
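The boot-sector check described above, as an added example that is not code from the original page: it reads a 512-byte sector, confirms the structure a bootable sector must have (the 0x55AA signature at offset 510 and, for a volume boot sector, a jump instruction at offset 0), and compares a SHA-256 fingerprint against one recorded while the disk was known clean. The sample sector and the "infection" that overwrites part of its boot code are constructed for the demo, not taken from a real disk or a real virus; the read_first_sector helper is assumed to be pointed at a disk image or device of your own.

```python
import hashlib
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # the last two bytes of any bootable sector


def make_sample_boot_sector(oem_name: bytes = b"MSWIN4.1") -> bytes:
    """Build a plausible 512-byte FAT volume boot sector. Constructed test
    data for this example, not an image taken from a real disk: a short
    jump at offset 0, an OEM name at offset 3, a zero-filled BIOS parameter
    block and boot code, and the 0x55AA signature at offset 510."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"            # JMP SHORT +0x3C ; NOP
    sector[3:11] = oem_name.ljust(8, b" ")
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def validate_boot_sector(sector: bytes, volume: bool = True) -> list:
    """Return structural problems with a sector (empty list = looks sane).
    The jump-instruction check applies to volume (partition) boot sectors;
    the master boot record at sector 0 of a hard disk does not start with
    a jump, so pass volume=False for it and only the signature is checked."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected length {len(sector)}"]
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA signature at offset 510")
    if volume:
        short_jmp = sector[0] == 0xEB and sector[2] == 0x90
        near_jmp = sector[0] == 0xE9
        if not (short_jmp or near_jmp):
            problems.append("no jump instruction at offset 0")
    return problems


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector, to be recorded while the disk is known clean."""
    return hashlib.sha256(sector).hexdigest()


def check_against_baseline(sector: bytes, baseline_hash: str, volume: bool = True) -> str:
    """Classify a freshly read sector relative to the stored baseline hash."""
    problems = validate_boot_sector(sector, volume)
    if problems:
        return "invalid: " + "; ".join(problems)
    if fingerprint(sector) != baseline_hash:
        return "changed: boot sector differs from baseline"
    return "unchanged"


def simulate_infection(clean: bytes) -> bytes:
    """Overwrite part of the boot code the way a boot-sector virus does,
    leaving the jump and the 0x55AA signature intact so the disk still
    boots. Constructed placeholder bytes (CLI; XOR AX,AX; MOV SS,AX;
    MOV SP,7C00h), not real virus code."""
    infected = bytearray(clean)
    infected[0x3E:0x3E + 8] = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
    return bytes(infected)


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a disk image or raw device (devices need privileges)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    clean = make_sample_boot_sector()
    baseline = fingerprint(clean)
    print("clean sector:", check_against_baseline(clean, baseline))
    print("after infection:", check_against_baseline(simulate_infection(clean), baseline))
    if len(sys.argv) > 1:    # e.g. python bootcheck.py disk.img
        current = read_first_sector(sys.argv[1])
        print(sys.argv[1], fingerprint(current), validate_boot_sector(current, volume=False))
```

A fingerprint comparison tells you the sector changed, not why: repartitioning, reformatting or reinstalling the operating system changes it legitimately, so record a fresh baseline after any such operation and treat an unexplained change as an infection until proven otherwise.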

Macro viruses, such as the Concept virus, propagate through macros stored in data files, usually but not exclusively Microsoft Office documents. They spread when an infected document is opened: the macro runs, copies itself into the application's global template (for Word, NORMAL.DOT), and from then on is written into every document that is edited or saved in Word, Excel, PowerPoint or Access. Those documents can then infect any other computer they are opened on. Macro viruses are not seen so much any more, due in part to Microsoft's macro security settings (Office 2000 onwards warns about, or refuses to run, unsigned macros), and also to a decline in the use of Office documents for information-sharing.

Some viruses infect executable programs, so that when the programs are copied, even if the virus is not active at the time, the virus is transferred with them. In this case, infection usually occurs when the infected program is executed. Modern executable-based viruses usually also reconfigure the operating system so as to launch themselves when the system starts; for example the Klez virus adds an entry to the Windows registry so that it runs at every startup. This type of virus continues to pose a threat.
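The registry startup entries mentioned above are the first place to look when a file infector is suspected. The following added example (not code from the original page) audits the Run and RunOnce keys from a text export of the kind regedit produces, comparing them against a list of values recorded while the machine was known clean and flagging anything new, changed, or pointing into a temporary directory. The export, the baseline and the two suspicious entries are all constructed for the demo and are not taken from Klez or any other real virus.

```python
import re

# Registry keys whose string values are executed at logon: the usual place
# a file-infecting virus puts its own entry.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
_RUN_KEYS_LOWER = {k.lower() for k in RUN_KEYS}

# Constructed sample of what `regedit /e run.reg <key>` exports. The
# "Service Loader" and "Updater" values are made up for the demo.
# (A real export from Windows 2000/XP is UTF-16; open it with
# encoding="utf-16" before passing the text in.)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Service Loader"="C:\\WINDOWS\\SYSTEM\\svcldr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\TEMP\\update.exe -s"
'''

# Values recorded from the same keys while the machine was known clean
# (constructed for the demo).
BASELINE = {
    (RUN_KEYS[0], "SystemTray"): "SysTray.Exe",
    (RUN_KEYS[0], "ScanRegistry"): r"C:\WINDOWS\scanregw.exe /autorun",
}

# Directories a legitimate startup program rarely lives in.
SUSPICIOUS_PATH_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\recycled\\")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Return {(key, value_name): data} for REG_SZ values under the Run keys.
    Binary and expandable values (hex:, hex(2):) are skipped; they are rare
    in Run keys and would need a separate decoder."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _STRING_VALUE_RE.match(line)
        if m and current and current.lower() in _RUN_KEYS_LOWER:
            # .reg files double every backslash inside string data
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            entries[(current, name)] = data
    return entries


def audit_run_keys(entries: dict, baseline: dict) -> list:
    """Report every Run value that is new or changed since the baseline,
    noting whether it points into a temporary directory."""
    findings = []
    for (key, name), data in entries.items():
        expected = baseline.get((key, name))
        if expected is None:
            reason = "not in baseline"
        elif expected != data:
            reason = f"changed from {expected!r}"
        else:
            continue
        flags = [m.strip("\\") for m in SUSPICIOUS_PATH_MARKERS if m in data.lower()]
        findings.append({"key": key, "name": name, "data": data,
                         "reason": reason, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(parse_reg_export(SAMPLE_REG), BASELINE):
        print(f"{f['key']}\\{f['name']} = {f['data']!r}: {f['reason']} {f['flags']}")
```

Run keys are only one of several autostart locations (RunServices on Windows 9x, the Startup folder, win.ini "run=" and "load=" lines, and the shell and file-type "open" handlers), so a full audit extends the same baseline-and-diff approach to each of them.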

Worms, such as I Love You and Melissa (the latter strictly a Word macro virus that mailed itself out), propagate through the use of the internet. Recent worms have exploited security vulnerabilities in Microsoft Windows Scripting, Microsoft Internet Explorer, and Microsoft Outlook. The typical form is a script carried by an email: either as an attachment the user is tricked into double-clicking (I Love You arrived as LOVE-LETTER-FOR-YOU.TXT.vbs, the double extension making it look like a text file), or embedded in the HTML body of the message, so that opening - sometimes just previewing - the message in Outlook runs it through Internet Explorer's scripting engine. What happens next depends on the virus; at a minimum they normally send themselves to some or all of the addresses in the address book. The fix is essentially to disable Windows Script Host, which stops script-file attachments (.vbs, .js and the like) from executing even if you open them from Outlook. Script embedded in an HTML body is a separate problem: that needs the relevant Internet Explorer and Outlook security patches, or Outlook configured to read mail in the Restricted Sites zone (the default from Outlook 2002) or as plain text. Notably, other email readers such as Pegasus Mail do not suffer this problem of auto-executing scripts.

sources of infection

Viruses, of one form or another, can be caught by using infected disks, executing programs, opening documents, or reading email; and they can come from any external source, such as friends, work, customers, suppliers, school or college, or the internet.

Attachments to emails may be infected, and should be treated as any other potentially infected item: scan before use. To do this, save the attachment to disk without opening it from within the email reader, then scan it the way you'd scan any other file on your system. Even if the scan is clean, don't run an executable attachment you weren't expecting; a brand-new virus may not yet be in the scanner's database.
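The two email points above (script in the body or in a disguised attachment, and saving attachments to disk for scanning rather than opening them from the mail reader) can be turned into a small triage step. The following is an added example, not code from the original page: it walks every MIME part of a message with Python's standard email library, flags attachments whose final extension Windows would execute (including the .TXT.vbs double-extension trick), flags HTML bodies that carry script or object tags, and writes attachments to a quarantine directory under sanitised names with a .quarantine suffix so they cannot be run by accident before scanning. The sample message is constructed inline in the shape of the I Love You mail; its body and attachment are inert placeholders, not the worm.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs (directly or via Windows Script Host) when
# double-clicked. Not exhaustive; extend it for your environment.
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "shs", "lnk", "reg",
}
# Harmless-looking extensions used as the first half of a double extension.
DECOY_EXTS = {"txt", "jpg", "gif", "doc", "xls", "pdf", "htm", "html"}
_ACTIVE_HTML_RE = re.compile(r"<\s*(script|object|iframe)\b", re.I)


def classify_filename(name: str) -> list:
    """Return flags for an attachment name; empty list means nothing notable."""
    flags = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return flags
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        flags.append(f"executable extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            flags.append(f"double extension .{parts[-2]}.{ext}")
    return flags


def triage_message(raw: bytes) -> list:
    """Walk every MIME part and report risky attachments and active content.
    Returns (description, [flags]) tuples; an empty list is not a clean bill
    of health, only an absence of the obvious tricks. Scan regardless."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename:
            flags = classify_filename(filename)
            if flags and ctype.startswith("text/"):
                flags.append(f"declared as {ctype} but named like a program")
            if flags:
                findings.append((f"attachment {filename!r}", flags))
        elif ctype == "text/html" and _ACTIVE_HTML_RE.search(part.get_content()):
            findings.append(("inline HTML body", ["contains script/object/iframe"]))
    return findings


def safe_filename(name: str) -> str:
    """Strip directory components and odd characters so a crafted name such
    as ..\\..\\Windows\\x.vbs cannot write outside the quarantine directory."""
    base = re.split(r"[\\/]", name)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "attachment"


def save_for_scanning(raw: bytes, outdir: str) -> list:
    """Write each attachment to outdir with a .quarantine suffix (so a stray
    double-click does nothing) and return the paths to hand to the scanner."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    saved = []
    for part in msg.iter_attachments():
        path = os.path.join(outdir, safe_filename(part.get_filename() or "attachment") + ".quarantine")
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        saved.append(path)
    return saved


def build_sample_message() -> bytes:
    """Constructed sample in the shape of the 2000 'I Love You' mail: a plain
    and an HTML body (the HTML carrying a script tag) plus a .TXT.vbs
    attachment. Placeholder contents, not the worm's code."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "you@example.org"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_alternative("<html><body><p>kindly check the attached LOVELETTER</p>"
                        "<script>/* placeholder, does nothing */</script></body></html>",
                        subtype="html")
    msg.add_attachment(b"' placeholder VBScript, not the real worm\r\nWScript.Echo \"hi\"\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for description, flags in triage_message(build_sample_message()):
        print(description, "->", "; ".join(flags))
```

The extension check is deliberately done on the name the user would see, since that is what the double-extension trick targets; the content-type mismatch check catches the complementary trick of labelling a script as text so that the mail reader treats it as harmless.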

do you have protection?

Despite their cunning, the average virus is easy to detect. Each virus has a "signature": a sequence of bytes taken from its code, chosen so that it is present in every copy of the virus and very unlikely to occur in legitimate programs. The signature is present on disk in infected files and in memory when the virus is active, so to find a given virus on a computer system all that is required is that its signature is determined, and that a program searches the system for it. The exception is polymorphic viruses, which encrypt their body under a different key with a mutated decryptor on each infection so that no fixed byte sequence is common to all copies; scanners handle these with emulation or algorithmic detection, which is one reason "heuristic" modes exist.

This is what anti-virus scanners do. They can be used to check your system for existing viruses, to check new disks, programs, documents and emails as they arrive, and to remove or otherwise disable any viruses they find. This means that once an initial scan has been done (and any existing viruses removed), as long as additions to the system are checked prior to use and the signature database is kept up to date, the chances are good that your system will remain virus-free.

It is important to note, however, that a commercial virus-scanner isn't a cure for viruses. New viruses can slip past them, even when they are in "heuristic" (generic detection) mode, and a scanner only knows the signatures it was last updated with. A virus-scanner should be only one of a number of layers of security you apply.
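The signature search described above, as an added example that is not code from the original page. It keeps a small database of byte patterns (regular expressions over bytes, so a wildcard byte such as the "??" of real signature languages is expressible), reads each file in chunks, and carries the tail of the previous chunk forward so that a signature straddling a chunk boundary is still found and each hit is reported once at its absolute offset. The only real signature in the database is the EICAR test string, the industry-standard harmless sample that any working scanner flags; it is assembled from two halves so that this source file itself is not flagged. The "Demo.DosStub" pattern is constructed for the demo and is not a real virus signature.

```python
import io
import os
import re
from typing import BinaryIO, Iterator, List, Tuple

# The EICAR test string (68 bytes), split in two so the source file itself
# does not trip a scanner; the runtime bytes are the real thing.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

CHUNK_SIZE = 1 << 20   # 1 MiB per read for real files


class Signature:
    """A named byte pattern plus the longest match it can produce, which is
    what the chunk-overlap logic needs to know."""
    def __init__(self, name: str, pattern: bytes, max_len: int):
        self.name = name
        self.regex = re.compile(pattern, re.DOTALL)
        self.max_len = max_len


SIGNATURES = [
    Signature("EICAR-Test-File", re.escape(EICAR), len(EICAR)),
    # Constructed demo pattern with one wildcard byte ('.'):
    # MOV AX,??xx ; INT 21h.  Far too short and common to use for real.
    Signature("Demo.DosStub", rb"\xB8.\x4C\xCD\x21", 5),
]


def scan_stream(fh: BinaryIO, chunk_size: int = CHUNK_SIZE) -> Iterator[Tuple[str, int]]:
    """Yield (signature name, absolute offset) for every hit in a stream.
    The last max_len-1 bytes of each chunk are prepended to the next so a
    pattern crossing the boundary is seen; hits are de-duplicated by offset."""
    overlap = max(s.max_len for s in SIGNATURES) - 1
    carry = b""
    base = 0            # absolute offset of buf[0]
    seen = set()
    while True:
        block = fh.read(chunk_size)
        if not block:
            break
        buf = carry + block
        for sig in SIGNATURES:
            for m in sig.regex.finditer(buf):
                hit = (sig.name, base + m.start())
                if hit not in seen:
                    seen.add(hit)
                    yield hit
        if len(buf) > overlap:
            carry = buf[-overlap:]
            base += len(buf) - overlap
        else:
            carry = buf       # short buffer: keep all of it, base unchanged


def scan_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[Tuple[str, int]]:
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return list(scan_stream(io.BytesIO(data), chunk_size))


def scan_file(path: str) -> List[Tuple[str, int]]:
    with open(path, "rb") as fh:
        return list(scan_stream(fh))


def scan_tree(root: str) -> List[Tuple[str, str, int]]:
    """Walk a directory tree and return (path, signature, offset) for each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits.extend((path, sig, off) for sig, off in scan_file(path))
            except OSError:
                continue    # unreadable file: report separately in a real tool
    return hits


if __name__ == "__main__":
    # Constructed sample: padding, the EICAR string, more padding, the demo stub.
    sample = b"A" * 100 + EICAR + b"B" * 50 + bytes.fromhex("B8004CCD21") + b"C" * 10
    print(scan_bytes(sample, chunk_size=7))    # tiny chunks force the boundary case
```

What this cannot do is the point of the caveat above: a polymorphic virus presents a different byte sequence in every copy, and a brand-new virus has no entry in SIGNATURES at all, so a clean result from a scanner of this kind is evidence, not proof.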

ongoing system recovery strategy

A preventative strategy can help ensure that a virus doesn't take you out. This way, even if something does infect you and delete your data, you can recover.