Classic Computer Magazine Archive COMPUTE! ISSUE 134 / OCTOBER 1991 / PAGE 44

Computer viruses from A to Z. (protecting against computer viruses) (Special Anniversary Issue)
by Mark Minasi

It's easy to protect yourself against computer viruses. Here's how.

You've heard about computer viruses - those mysterious, malevolent programs that enter your computer in the dead of night and zap all of your data. Some virus experts say we'll see thousands of different viruses floating around the computer world in the next few years. Like Chicken Little, these pundits predict the computer sky will fall, ending computing as we know it. Others say that these virus experts need users to be afflicted with virus hysteria so they can keep their jobs. What's going on? Here's the who, what, why, where, and how of viruses.

Virus is a term in popular use that refers to any of a group of unwanted programs - the weeds in your computer garden. By the way, the term is a metaphor only - you can't catch a virus from your computer.

Why are there viruses? Simply put, a virus is a a form of computer crime, and often it's not even a particularly inspired crime. Microcomputing has grown up in atmosphere of trust and cooperation, freeing PC operating environments from the clutter of security systems - much like a rural neighborhood that hasn't had to lock its doors for years.

This open environment has left an opportunity for a few cowardly programmers to create these destructive programs. Believe me - there's not much to writing a virus that runs on DOS machines. There's no more ingenuity in writing one of those than there would be in robbing houses in the aforementioned neighborhood.

The media-inspired vision of virus authors as a class of super programmers is misinformed. They're just maladjusted twerps looking for some attention in a particularly destructive way.

Parts of a Virus

A virus has two parts, which I'll call the infector and the detonator. They have two very different jobs. One of the features of a computer virus that separates it from other kinds of computer programs is that it replicates itself so that it can spread (via floppies transported from computer to computer, or networks) to other computers. That's what the infector does.

After the infector has copied the virus elsewhere, the detonator performs the virus's main work. Generally that work is either damaging data on your disks, altering what you see on your computer display, or doing something else that interferes with the normal use of your computer.

Here's an example of a simple virus, the Lehigh virus. The infector portion of Lehigh replicates by attaching a copy of itself to COMMAND.COM (an important part of DOS), enlarging it by about 1000 bytes.

So let's say you put a floppy containing COMMAND.COM into an infected PC at your office - that is, a PC that is running the Lehigh program. The infector portion of Lehigh looks over DOS's shoulder, monitoring all floppy accesses. The first time you tell the infected PC to access your floppy drive, the Lehigh infector notices the copy of COMMAND.COM on the floppy and adds a copy of itself to that file.

Then you take the floppy home to your PC and boot from the floppy. (In this case, you've got to boot from the floppy in order for the virus to take effect, since you may have many copies of COMMAND.COM on your hard and floppy disks, but DOS only uses the COMMAND.COM located on the boot drive.)

Now the virus has silently and instantly been installed in your PC's memory. Every time you access a hard disk sub-directory or a floppy disk containing COMMAND.COM, the virus sees that file and infects it, in the hopes that this particular COMMAND.COM will be used on a boot disk on some computer someday.

Meanwhile, Lehigh keeps a count of infections. Once it's infected four copies of COMMAND.COM, the detonator is triggered. The detonator in Lehigh is a simple one. It erases a vital part of your hard disk, making the files on that part of the disk no longer accessible. You grumble and set about rebuilding your work, unaware that Lehigh is waiting to infect other unsuspecting computers if you boot from one of those four infected floppies!

The Worm That Turned

The term for any program that replicates itself, like the infector part of a virus, is a worm. Some viruses are pure worms, like the much-publicized Internet worm. This worm ran on minicomputers linked on the Internet network. It made multiple copies of itself in a minicomputer, forcing the computer to waste time executing the worms, slowing down response time for legitimate users. It also copied itself to other computers on Internet, spreading so quickly that it brought the entire network to a halt.

Such a program will not affect PC users, since there are no PC-based networks that can call your computer up and dump messages on it automatically. The kinds of worms found in viruses generally work by injecting copies of themselves into executable programs.

This one fact simplifies the task of antivirus programs. A virus can only infect either an executable program - ones with a COM, EXE, SYS, BIN, or OVL extension - or the area of a disk called the boot sector. We can then talk about two kinds of viruses: program infectors and boot sector infectors.

DOS Boot

A boot sector is a program and data area on a disk that contains a small program that is essential to the initial boot-up process. The unusual thing about the boot sector is that it is not a file. In fact, it lies completely outside the part of the disk that contains files.

The only way to become infected from a boot sector infector virus is to boot from an infected floppy. Think about that for a moment. The only disk you should ever boot from anyway is the original DOS floppy, and that's write-protected, so it couldn't contain a virus unless the Microsoft original was infected. You really never have to boot from any other floppies except for a few old games, so being careful not to boot from floppies is one simple way to avoid virus infections.

That simple advice is quite powerful. More than 70 percent of the viruses out there are boot sector infectors rather than program infectors. Of the five most common viruses found in the U.S., three are boot sector infectors.

Merely making a habit of keeping the floppy drive door open when you boot will instantly make you invulnerable to more than half the viruses out there. (What should you do about the other kind, the program infectors? They're a bit tougher, so hang on for a few more column inches, and I'll get to them.)

Whether a boot sector or program infector, all infectors' modi operandi are similar. When you turn your computer on, the virus is not active until the infected portion is loaded. In the case of a boot sector infector, that's immediately upon boot-up, since that's when the boot sector is executed.

For a program infector, the virus becomes active when you run the infected program. For example, if 1-2-3 were the only infected program on your PC, the virus would only be active from the time you ran 1,2-3, until you turned the PC off.

Once active, the virus looks for programs or boot sectors to infect. While your hard disk has only one boot sector, a program infector may slowly infect every program on your hard disk. Boot sector infectors will infect boot sectors on floppies inserted in your floppy drives, and program infectors will infect any programs on those floppies. The infection process - a sort of COPY command - is very quick, and it generally won't be noticed by the PC's operator.

Note that because viruses can only be spread by booting from floppies with infected boot sectors or by running infected programs, you cannot become infected by a data file - that is, a 1-2-3 spreadsheet, a WordPerfect document, or a dBASE database cannot spread viruses.

Tick, Tick, Tick

The detonator is usually called a time bomb or logic bomb. It's a piece of code embedded in a program or the operating system itself that waits for a particular event to occur. When that event occurs, the bomb goes off, doing some kind of damage.

Logic bombs have been around nearly since the beginning of computing. An early one showed up in a mainframe payroll program. The program's creator had inserted a clause in the payroll program that said, in effect, "If you find I'm not on the payroll, erase all payroll files."

A time bomb is based on a related idea, but it detonates according to the clock. For example, the detonator portion of the most common virus in the U.S., one called Jerusalem-B, goes off every Friday the 13th. Whenever you try to run a program, it erases the program instead. On other days, it only does minor annoying things to your screen. The detonator program in the Lehigh example is a logic bomb. It says, "Once you've made four copies, do the damage."

Many detonators are fairly harmless, although an annoying intrusion on the use of your PC. The Cascade virus causes letters on your screen to fall to the bottom of the screen. No data's been damaged, but it does make using the computer difficult.

The New Zealand virus, also known as Stoned or Marijuana, occasionally keeps your computer from booting, displaying the message Your PC is now Stoned. (There's also a message in the virus saying, Legalize Marijuana, but due to a bug in the virus, this message never gets displayed.)

The Fu Manchu virus makes childish, obscene comments whenever you type Reagan, Thatcher, or Botha.

Yankee Doodle, from Bulgaria, plays "Yankee Doodle" on the PC speaker at 5:00 p.m. - freeing the workers, as it were.

Bouncing Ball or Italian causes a character to dislodge itself from its original location on the screen and bounce around the screen, Pong-style. A few viruses have no apparent detonators at all, making them pure worms.

Other detonators are quite destructive. Erasing the FAT is a popular virus pastime. Additionally, the extra time required by the infection process when performing disk reads or writes may cause some PCs to erroneously report a timeout error on the floppy drive.

If you'd like to see what some of the flashier viruses look like, get a copy of VIRSIMUL.ZIP, a harmless simulation of several viruses. You can find it on the bulletin board of the National Computer Security Association (NCSA). NCSA's BBS number is (202) 364-1304; its voice number is (202) 364-8252. NCSA also sells books on viruses and computer security.

Vectors of Infection

First of all, don't worry too much about viruses. You may never see one. There are just a few ways to become infected that you should be aware of. The sources seem to be service people, pirated games, putting floppies in publicly available PCs without write-protect tabs, commercial software (rarely), and software distributed over computer bulletin board systems (also quite rarely, despite media misinformation).

Call up computer repairpersons, and what's the first thing they'll probably do? Boot your system from a diagnostic disk. I've seen three cases in the past year of clients being infected by third-party service people with diagnostic disks that were infected. Of course, the serviceperson didn't know the disks were infected. But be sure to ask that any service personnel run their diagnostic disks through a virus checker like VIRUSCAN (I'll discuss virus checkers in a minute) before putting them in your machine.

Many viruses have spread through pirated - illegally copied or broken - games. This is easy to avoid. Pay for your games, fair and square. I've toured many software companies,and believe me - these are not large faceless corporations. Most are small operations with fewer than thirty employees.

If you use a shared PC or a PC that has public access, such as one in college PC lab or a library, be very careful about putting floppies into that PC's drives without a write-protect tab. Carry a virus-checking program and scan the PC before letting it write data onto your floppies.

Despite all the media hype, computer BBS systems are usually free of viruses. To be really sure, you could download files only from big services like BIX, GEnie, or CompuServe.

Now and then you'll see viruses accidentally included with shrink-wrapped software. Scary as that sounds, it's not really something to worry about - the number of cases of that in the PC world can be counted on one hand, with finger left over.

Search and Destroy

Despite the low incidence of actual viruses, it can't hurt to run a virus checking program now and then. There are actually two kinds of antivirus programs: virus shields, which detect viruses as they are infecting your PC, and virus scanners, which detect viruses once they've infected you.

Virus shields sound attractive - keeping the virus from infecting your PC in the first place - but they suffer from a major flaw that makes them useless in many cases. There's no real way to detect virus behavior; a shield can only detect virus like behavior, such as software that directly controls your disk hardware. Unfortunately, there is a lot of legitimate software that directly controls disk hardware, leading to many annoying false alarms. After a while, you'll get tired of the false alarms, and you'll get rid of the software.

Virus scanners, however, are much more convenient. You just run them now and then, and they detect any viruses that your disks are harboring. There are two potential problems with scanners, but both are surmountable.

The first is the sheer number of viruses out here - more than 500, at last count. A virus scanner must be able to detect any of these monsters, a process that makes scanners big, slow, and potential expensive. At minimum, it means that you'll be buying updates to your virus scanner program a few times per year.

This issue of COMPUTE's PC Disk contains a terrific scanner from McAfee Associates, a California firm specializing in antivirus information, software, and consulting. Its program is called VIRUSCAN, and it's now at version 77. You can be sure that the McAfee folks stay on top of this market!

For more information on PC Disk, see "On Disk" elsewhere in this issue. McAfee requests a $25 registration fee for the use of VIRUSCAN if you're a household or home office business - not an unreasonable price for a little computer peace of mind.

Larger businesses and government agencies must get in touch with McAfee to negotiate a registration fee. You can reach McAfee at (408) 88-38322 (voice), or you can get VIRUSCAN directly from its BBS at (408) 988-4004.

The second potential problem for virus scanners comes from a class of viruses called stealth viruses. In order for a virus to exist on a PC, it must reside somewhere, generally in the boot sector or a program file on the PC's hard disk. So virus scanners look in those areas for distinctive signatures that characterize particular viruses.

But stealth viruses foil scanners. They monitor attempts to read the part of the disk that the virus lives in. They then intercept the read attempt and hand the scanner program the image of the disk as it would be if it weren't infected. "Nobody here but us chickens," the stealth virus says.

How do you get around stealth? Simple. Stealth only works if the virus is active--if it's been loaded from the infected hard disk. Just cold-boot from a write-protected floppy before running any virus scanner, and you're safe from stealth. Ensure that the boot floppy was made with DISKCOPY using your original write-protected DOS startup disk after cold-booting from that original startup disk.

What do you do if find that you are infected? If a program file is infected simply erase it from your hard disk and restore a clean copy from your backups. If you have an infected boot sector, most virus scanners will create a clean, uninfected boost sector, eliminating the virus; if worst comes to worst, you could remove an infected boot sector by backing up your disk, then low-level formatting, partitioning, and high-level formatting the disk, although measures that drastic shouldn't be necessary.

Viruses are something to worry about, but not a lot. A little common sense and the occasional virus scan will keep you virus-free. Remember these four points: * Viruses can't infect a data or text file. * Before running an antivirus program, be sure to cold-boot from a write-protected floppy. * Don't boot from floppies except reliable DOS disks or your original production disks. * Stay away from pirated software.