Viruses online and offline
and dealing with them when
There are several different classes of virus. I have listed
them below with examples in some cases.
Boot sector viruses infect the boot block on a floppy or hard disk. Typical examples are
STONED and MICHELANGELO. These usually replace the boot block with all
or part of a virus program which stashes itself in memory and moves the
original boot block on the disk to another location. Often the damage is done because
the boot block is moved blindly to another disk location, overwriting
whatever is resident there. There may be other "interesting" effects triggered
by specific events, such as Ping Pong's timer.
File viruses infect ordinary *.EXE or *.COM files. Usually they just append the virus
code to the file, but recent versions have
gotten trickier and hide their additions. Friday the 13th loads into
memory on execution of the infected file, and if
the date matches Friday the 13th, deletes *.EXE files - often itself.
Multipartite viruses infect both systemic areas such as boot blocks and executable files.
These are opportunistic infectors, finding the
available files at random.
Systemic viruses focus on the system files necessary for DOS. These are files which control
the allocation of system resources, such
as directories and files. In some cases a much more basic level of
attack against CMOS structures is attempted.
combine a range of strategies to attack the integrity of the operating
Stealth viruses try to conceal their presence. This may be as simple as modifying the
file structure to conceal the additional code
added to a file. It may go so far as making sure that when code is added to the
machine code in a *.COM file the CRC is
not changed (a technically very tricky bit of work).
Macro viruses execute their nasty work in the very helpful meta-languages
embedded in powerful modern programs
like MS Word.
Trojan horses are crude, front door attacks. They rely on simple naiveté (which
I have fallen for many times). The level of the
threat can be very potent, however, because they do not require any
backdoor - you gave them the key!
What is a virus?
A virus is a computer program designed to disrupt normal operations
in a computer. The idea is that the virus seizes control of your computer
making it difficult for you to do anything.
What can a virus do?
Lots of things. Some do no file damage, some do moderate damage, some
crash your hard drive altogether, making it difficult for you to even start
your computer. The last thing you want to let happen is to leave a virus in
your computer long enough to detonate. If this happens, you risk losing
every file in your system.
Where do viruses come from?
Viruses are created by hackers who have nothing better to do than think
of ways of hurting other people. Virus programming is just high tech vandalism.
What are the chances of a virus infection in my computer?
Depends on how you use your computer. If you download from bulletin
boards & the internet on a daily basis without scanning these files
for viruses, your chances of a virus infection are very good. If you are
in the habit of using other disks not scanned for viruses, your chances
are even better of getting nailed. However, if you never buy new
software programs, use disks from other people or download from bulletin
boards or the internet, your chances of getting a virus are close to zero.
Do viruses automatically do their damage after they
infect a computer?
Definitely not!! Viruses are like time bombs. There is usually a certain
amount of time between when they land on a computer's hard drive and when
they detonate. Successful viruses will spend days, weeks or even months
sitting in your computer infecting every executable file and disk you use
in your computer. The idea is that the virus spreads to your friend's computer
before it trashes yours. Obviously, if your computer is disabled, the virus
can't spread anywhere anymore. Well designed viruses use all kinds of tricks
to elude detection by a well trained computer user or by antivirus programs.
How do viruses spread? How can you detect an incoming
I'll give you one example. A few months ago, I received a disk from
someone working in an oil company downtown. I was asked to look at some
Excel spreadsheet files on this disk. I inserted the disk in my floppy
drive. Since I had never seen this disk before, I was wise to instruct my
antivirus program to scan its contents for viruses.
BOOM! My antivirus program turned my screen red with stiff warnings that
there was indeed a virus on this disk.
There are two ways this disk could have been infected. (1) The files
on the disk had a virus or (2) the boot sector on the disk had a virus
hidden in it. Excel spreadsheet files (.XLS) are not "executable" files
but they can be infected by "Macro" viruses. As it turned out, my antivirus
program told me the boot sector on this disk had a virus on it.
I printed out the warning and gave it to the person who gave me the
disk. I told this person that their computer(s) at their office were infected
with a virus. "That's not possible. Our computers are working fine" I was
told. However, the next day they virus scanned their computers only to
find out they WERE infected with the very same virus I detected on the
disk they gave me. They were shocked!
Afterwards, they ran their antivirus program and removed the virus
from their computer(s)...I hope.
By the way, the disk they gave me, I just reformatted erasing everything,
including the virus. I could have had my antivirus program "clean" the
disk but I didn't bother because I didn't want to mess with it.
Regarding the above story: Why didn't the other computers,
which were being used as a host by the virus, show any signs of being infected
before they were scanned for viruses?
Ah, yes. Here's where it gets interesting. Obviously the virus was
still in the infection stage in their computer when they gave me the
infected disk. Naturally, if these guys knew their computers
were infected with a virus, they wouldn't have given me the disk in the
first place. However, this is how viruses spread. A virus will try to hide
its presence for some time while infecting every disk and/or every executable
file in the host computer in hopes that the unsuspecting user will share
these with someone else, thus also sharing the virus. After an elapsed
period of time, the virus detonates on the host computer thus often
Obviously, a virus can't spread from a dead computer. However, that's
no problem because it already spread to several other computers earlier
on when everything seemed to be working fine. And once the virus
spreads to other computers, they in turn become hosts spreading the virus
further on like a filthy chain letter.
Do all viruses crash computers and/or destroy files?
Not all but enough do that you don't want to risk it. Or do you? I
Keep in mind one VERY VERY important item: viruses are not tested for
quality control like useful software programs. A virus program may do unintentional
file damage which even the virus programmer didn't intend. Virus programmers
do not usually test their little creations to make sure they are compatible
with other software and operating systems. There are a lot of viruses out
there with bugs in their code. It is far easier to create a computer
program that does not work than one that does.
If any loud mouth rattles to you about "harmless viruses", ask them
if the virus in question has been tested for system compatibility and
Are viruses easy to remove?
Some yes, some no. There are some very good antivirus programs out
there. However, there are also some determined virus programmers as well
who refuse to concede defeat. The virus/antivirus thing is like a cat-and-mouse game
with each side constantly trying to stay ahead of the other. Up to 4 new
viruses are created every day around the world. Antivirus programs must
be kept up-to-date to detect these new viruses.
Can antivirus programs always restore a computer
to its normal condition?
NO, they can't! Antivirus programs can't restore files which have been destroyed
by a "file-overwriting" virus. In these cases, the infected files have
been corrupted beyond repair. Try gluing a glass window together after
it has been smashed by a rock, if you catch my drift. In many cases, it
is necessary to reload damaged files from your backup disks. Often, computer
users are in the unfortunate position of reloading all their DOS and WINDOWS
files as if they had just bought a new computer with nothing on it.
Backdoor:
An entry to a program or system created by its designer to allow special
access, often without proper security checks. A classic back door was used
by a teenage hacker in the movie "War Games".
Bacterium:
A program which spreads to other users or systems by copying itself as
a by-product of execution. It doesn't infect other programs, but acts independently.
Programs which do not do what they have been advertised to do. An example
is XTRATANK, which claims to double your hard drive space. It merely diddles
the file allocation to double the reported size of the disk.
Boot Sector Virus:
A virus secreted in the boot sector or replacing the boot sector on a floppy
disk. Also a virus on the master boot block of a hard disk, or in the partition
table of a hard disk. N.B. even non-system floppy disks still have a boot
sector; they just lack the boot program on that block! Examples are the Stoned
and Michelangelo viruses.
Bug:
An error in the design or implementation of a program that causes the
program to do something unintended. Remember, even viruses have bugs. The
original "bug" was a moth stuck in a relay of ENIAC.
Checksum:
A number that uniquely defines a file, block or other bit of computer code.
A checksum is calculated by applying an algorithm to each byte of the code
and rotating it, logically ANDing or ORing it to some standard, or otherwise
encoding it. The result is a single number which is a numeric fingerprint.
See cyclic redundancy check (CRC).
Cracks:
Programs with the anti-copying protection removed, disabled or bypassed.
Both hardware and software anti-pirating techniques can be broken with
the appropriate knowledge and software.
Cyclic Redundancy Check (CRC):
A unique numeric fingerprint of a file, block or other bit of computer
code. This is usually calculated using a look-up table. It is common in
error checking protocols. See checksum.
A program which executes based on the presence of a particular device,
such as a com port, hard-drive D:, etc., usually with malicious actions.
Droppers:
Programs which have a legitimate use, but contain viruses which are secretly
planted in the system. Droppers may actually be commercial software hacked
to drop viruses.
FAT:
File Allocation Tables. These areas of the formatted floppy or hard disk
contain information used by the system to locate and maintain the file
File Viruses:
These viruses infect files with *.COM or *.EXE extensions. Friday the 13th
is an example. Also included in this category are viruses which use the
"corresponding files" technique. These viruses search for directories with
files with .EXE extensions and then create a file of the same name with
a .COM extension. Since DOS executes files with the .COM extension before
those with the .EXE extension, the virus is executed and then passes control
to the .EXE file.
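The "corresponding files" trick above has a cheap defensive check: any directory in which a .COM file shares its base name with a .EXE file deserves a look, because the .COM is what DOS will run when the user types the bare name. The following is an added example, not code from the original page; it walks a directory tree and reports such pairs. The directory layout it builds is a constructed sample written to a temporary directory, and a reported pair is a candidate for inspection, not proof of infection.

```python
# Added example (not from the original page): report .COM/.EXE name twins,
# the footprint of the "corresponding files" technique described above.
import os
import tempfile
from collections import defaultdict


def find_companion_pairs(root: str) -> list:
    """Return (relative directory, base name) for every .EXE that has a .COM
    twin in the same directory. Matching is case-insensitive, as DOS names are."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(set)
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem[stem.upper()].add(ext.upper())
        for stem, exts in sorted(by_stem.items()):
            if {".COM", ".EXE"} <= exts:
                hits.append((os.path.relpath(dirpath, root), stem))
    return hits


def build_sample_tree() -> str:
    """Constructed sample tree: one EXE shadowed by a same-named COM,
    plus files that should not be reported."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    layout = {
        "TOOLS/EDIT.EXE": b"MZ",          # the real program
        "TOOLS/EDIT.COM": b"\xcd\x20",    # suspicious twin: runs before EDIT.EXE
        "TOOLS/ARC.EXE": b"MZ",           # no twin, not reported
        "GAMES/PONG.COM": b"\xcd\x20",    # a lone .COM is normal, not reported
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for directory, stem in find_companion_pairs(sample_root):
        print(f"{directory}: {stem}.COM shadows {stem}.EXE")
```

Point it at a real drive root instead of the sample tree to audit a machine; a legitimate program that ships both a .COM and a .EXE would also be listed, so compare the .COM's size and date against the product's own files before drawing conclusions.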
Software which has been illegally modified by a system expert. See cracks,
pirates, droppers, etc. This may be as simple as modifying parts of the
code with a debugger, or go as far as patching the system to snatch interrupts.
Programs which claim to do the impossible; and don't. An example is a file
2496 which claims to provide instructions on running a 2400 bps modem at
9600 or even 14400 bps. If you follow the instructions, you get a modem
which runs at 0 bps.
Immunization:
An anti-virus strategy to prevent virus infection. This may involve putting
a virus signature into software to be immunized in hopes of fooling a virus
into believing the code is already infected. It may also involve creating
checksums for each file which can be compared during later anti-virus examinations
to guard against virus infection.
Interrupt:
A hardware or software signal which indicates to the operating system that some
event, such as a keystroke, has happened. It is typically taken care of by
an interrupt handler which services the event.
Joke Programs:
Programs which do something intended to be amusing, without causing serious
harm or replicating. BUGS, which causes little bugs to run across the screen
when executed, is an example.
Logic Bomb:
A program which executes on the occurrence, or lack of occurrence, of a
set of system conditions. Classic examples are programs which cease functioning
if the programmer's name is removed from the company's payroll list.
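The checksum-based immunization described above, together with the glossary's checksum and CRC entries, comes down to recording a fingerprint for every executable and comparing it again later. As an added example (not code from the original page), the block below builds the look-up-table CRC-32 the CRC entry mentions, records a baseline for a set of constructed sample files, and reports which files no longer match. The sample file contents, the function names and the two-byte "appended code" used to trigger a mismatch are all constructed for this illustration.

```python
# Added example (not from the original page): a file-integrity baseline
# built on a table-driven CRC-32, in the spirit of the glossary's
# checksum, CRC and immunization entries. All file data is constructed inline.
import zlib

# Reflected CRC-32 polynomial, the one used by ZIP, PNG and Ethernet.
POLY = 0xEDB88320


def make_crc32_table():
    """Build the 256-entry look-up table the CRC entry refers to."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_crc32_table()


def crc32(data: bytes) -> int:
    """Table-driven CRC-32; gives the same value as zlib.crc32."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def additive_checksum(data: bytes) -> int:
    """Naive 16-bit sum of bytes, included only to contrast with the CRC:
    it cannot tell two transposed bytes apart."""
    return sum(data) & 0xFFFF


def crc32_matches_reference(data: bytes) -> bool:
    """Cross-check the table implementation against the C library's CRC-32."""
    return crc32(data) == zlib.crc32(data)


# Constructed sample "files": a tiny DOS print-string stub and an EXE header.
SAMPLE_FILES = {
    "HELLO.COM": bytes.fromhex("b409ba0801cd21c3"),
    "ARC.EXE": b"MZ\x90\x00",
}


def baseline(files: dict) -> dict:
    """Record a CRC-32 per file: the immunization step."""
    return {name: crc32(content) for name, content in files.items()}


def verify(files: dict, base: dict) -> list:
    """Names of files that are new or whose CRC-32 no longer matches the
    baseline; a changed executable deserves a closer look."""
    return sorted(name for name, content in files.items()
                  if base.get(name) != crc32(content))


def demo_detects_appended_code() -> list:
    """Take a baseline, append two constructed bytes to one file the way an
    appending infector lengthens its host, and report what verify() flags."""
    base = baseline(SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES)
    tampered["HELLO.COM"] = SAMPLE_FILES["HELLO.COM"] + b"\x90\x90"
    return verify(tampered, base)


if __name__ == "__main__":
    print("changed since baseline:", demo_detects_appended_code())
```

A CRC catches accidental corruption and naive modification, which is what the page's immunization schemes relied on; it is not a cryptographic hash, so a baseline that must resist a deliberate adversary should store a SHA-256 alongside it and keep the baseline itself where the machine being checked cannot alter it.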
Multipartite Viruses:
These viruses infect both boot sectors and files. Tequila is an example.
Pirated Software:
Any illegally obtained software. Also software which has had the copyright
notices or other identification altered or removed.
Polymorphic Viruses:
These viruses change their characteristics as they replicate. Many of these
utilize the Bulgarian Dark Avenger's mutating engine. The Whale virus is
Rabbit:
A program designed to exhaust a system resource (e.g. CPU time, disk space,
terminal I/O, etc.) by replicating itself without limit. It differs from
a bacterium in that it is specifically targeted at a system resource, and
from a virus in that it is a self-contained program.
Rogue Program:
A program that is no longer under the control of its owner, the system
or its executing terminal; a.k.a. zombie. A virus is the ultimate rogue
Stealth Viruses:
These viruses conceal the results of infection, keeping file length unchanged
for example, or modifying the file in such a way that the checksum is not
changed. They may simply alter the system so that the file length is reported
unchanged although it is actually increased. Hundred Years is an example.
Systemic Viruses:
These viruses infect parts of the system other than the boot block. The
file allocation table (FAT), device tables, directories, device drivers
and COMMAND.COM are typical targets. Number of the Beast is an example.
Time Bomb:
A logic bomb activated after a certain amount of time, or on a certain
date. The classic example is a program that ceases functioning on a given
date, as a control for leasing it. Such a program is often re-activated
by an appropriate password.
Trojan Horse Programs:
A program which has a hidden aspect which causes malicious damage. The
classic is AIDS, which purports to be an AIDS database, but actually destroys
the hard disk when executed. False logon screens which snatch the user's
logon ID and password are another example.
Virus (pl. viruses):
a program that can "infect" other software by modifying them to include
a copy of itself. A program need not cause malicious damage to be a virus;
the act of "infecting" other programs is central to the definition.
Worm:
A program that spreads copies of itself throughout a network. The first
use of the term was applied to a program that copied itself benignly around
a network, to use otherwise unused resources for distributed computation.
A worm becomes a security problem when it spreads against the wishes
of the system owners and disrupts the network by overloading it.
This page is designed and written by John
Jenkins. If there are any questions or other issues about the content,
and I will deal with it in a timely manner. If specific help is requested,
an email address with an lctn.com
or ecsis.net domain is required.
All others will be deleted. As
with all programs on the internet, you, the downloader, assume all risk
of file damage or viruses that these or any programs may contain that are
received over the internet. Neither CSS,
ECS, nor the author
will be responsible for any damage done by any program received over the
internet. Please note this includes programs that are virus free but may
cause problems with other programs on your computer, and programs that simply
won't run right on a particular machine.