Coded Corruption : A study of viruses and other various computer threats


Coded Corruption - About Viruses

What is a computer virus? A computer virus is a malicious program written to destroy or steal data.
The following points are further criteria that can be used to qualify a program as a virus:

  • A virus is able to create copies of itself, or possibly a modified version of itself.
  • The copy is created intentionally, not by accident.
  • A virus must be executed on a host.

     One of the most commonly detected types of viruses is the Trojan Horse. A Trojan is generally a program disguised as something harmless, such as a game. However, when a Trojan is executed, it may do whatever damage the original programmer intended. This may range from slowing down your computer by stealing CPU cycles to opening one of your computer's ports, allowing anyone with the client for that particular Trojan to freely access and control your computer.

     Most viruses can also be modified. This means that any malicious coder can rewrite portions of the virus in order to make it more damaging or to change its function. Sometimes the result is a less harmful virus, or even a version that cleans and removes the original from any infected computer. However, this is very rare.

     The intentions of a virus are not always clear. Sometimes a virus is created in order to obtain personal information, such as credit card numbers. Sometimes a virus is created simply to destroy data. And finally, some viruses are created for no purpose whatsoever, such as one that makes copies of itself on a computer without any method of passing the virus on to another computer.

     The other major groups of viruses on PCs are boot sector viruses (BSVs), program viruses and application viruses. A BSV infects boot sectors on diskettes and/or hard disks. On diskettes, the boot sector normally contains code to load the operating system files. The BSV replaces the original boot sector with itself and either stores the original boot sector somewhere else on the diskette or simply overwrites it entirely. When a computer is later booted from this diskette, the virus takes control and hides in RAM. It then loads and executes the original boot sector, and from then on everything appears normal, except, of course, that every diskette inserted in the computer will be infected with the virus unless it is write-protected. A BSV will usually hide at the top of memory, reducing the amount of memory that DOS sees: for example, a computer with 640K might appear to have only 639K. Most BSVs are also able to infect hard disks, where the process is similar to that described above, although they usually infect the master boot record instead of the DOS boot record.

     Program viruses, the second type of computer viruses, infect executable programs, usually .COM and .EXE files, but sometimes also overlay files, device drivers or even object files. An infected program contains a copy of the virus, usually at the end of the original program, in some cases at the beginning, and in a few cases inserted in the middle. When an infected program is run, the virus may stay resident in memory and infect every program run after it. Viruses using this method to spread the infection are called "Resident Viruses".

     Other viruses search for a new file to infect when an infected program is executed, and then transfer control to the original program. Viruses using this method to spread the infection are called "Direct Action Viruses". It is possible for a virus to use both methods of infection.

     Most viruses try to recognize existing infections, so that they do not infect what has already been infected. This makes it possible to inoculate against specific viruses by making the "victim" appear to be infected. However, this method is useless as a general defense, as it is not possible to inoculate the same program against multiple viruses.

     The third type of viruses are application viruses, which do not infect normal programs, but instead spread as "macros" in various types of files, typically word-processor documents or spreadsheets.

     There are also many misconceptions about the abilities of viruses. Here are a few examples:

  • A virus cannot appear all by itself; it has to be written, just like any other program.
  • Not all viruses are intentionally harmful - some may only cause minor damage as a side effect - however, there is no such thing as a "harmless" virus.
  • Reading data from an infected diskette cannot cause an infection.
  • A write-protected diskette cannot become infected, if the hardware is working properly.
  • It used to be the case that a virus could not infect a computer unless it was booted from an infected diskette or an infected program was run on it, but alas, this is no longer true. It is possible for a virus infection to spread just by the act of reading an infected Microsoft Word document, for example, or through use of Lotus Notes, to name two well-known applications.
  • It also used to be the case that a virus could not infect data files or spread from one type of computer to another - a virus designed to infect Macintosh computers could not infect PCs or vice versa, but with the appearance of application viruses this has changed as well - there are now a few viruses that can infect WinWord as well as MacWord.

     So, what can be done to prevent infection? Well, first and foremost, antivirus software is a must. There are many different antivirus vendors out there; if you need to purchase a product, make sure you buy one that supplies up-to-date dat signature updates. These signatures are what antivirus programs use to detect viruses. Remember, if the antivirus software you are using does not have current dat signatures and a new virus comes out, your antivirus program will not have the dat files necessary to detect that new virus and is therefore ineffective against it.
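As an added illustration (not code from the original page), here is a toy signature scanner in Python: a constructed signature set stands in for a vendor's dat file, the "end" and "start" anchors reflect where a program virus usually places its copy, and a constructed new variant shows why an out-of-date signature set detects nothing it has no entry for. Every name, byte pattern and sample file here is constructed for the example.

```python
"""Toy dat-style signature scanner (constructed example, not a real product)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str   # hex bytes separated by spaces; '??' matches any one byte
    anchor: str    # 'start' (file begins with it), 'end' (last bytes), or 'any'


def compile_pattern(pattern: str) -> re.Pattern:
    """Turn 'E9 ?? ?? 42' into a bytes regex; '??' becomes a one-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: List[Signature], tail: int = 512) -> List[str]:
    """Return the names of all signatures matching `data` at their anchor."""
    hits = []
    for sig in signatures:
        rx = compile_pattern(sig.pattern)
        if sig.anchor == "start":          # virus copy placed at the beginning
            found = rx.match(data) is not None
        elif sig.anchor == "end":          # virus copy appended to the host
            found = rx.search(data[-tail:]) is not None
        else:
            found = rx.search(data) is not None
        if found:
            hits.append(sig.name)
    return hits


# Constructed signature set ("dat v1"): two made-up markers, not real virus bytes.
DAT_V1 = [
    Signature("Example.A", "43 4F 44 45 44 20 43 4F 52 52", "end"),   # "CODED CORR"
    Signature("Example.B", "E9 ?? ?? 42 53 56", "start"),             # JMP xx xx "BSV"
]
# "dat v2" adds the entry for a later variant whose body was rewritten.
DAT_V2 = DAT_V1 + [Signature("Example.A.v2", "43 4F 44 45 44 20 58 4F 52 52", "end")]

# Constructed sample files: a tiny DOS-style .COM program and three altered copies.
CLEAN_COM = b"\xb4\x09\xba\x0e\x01\xcd\x21\xcd\x20Hello$"
INFECTED_END = CLEAN_COM + b"\x90" * 20 + b"CODED CORR" + b"\xc3"   # copy appended
INFECTED_START = b"\xe9\x10\x00BSV" + CLEAN_COM                    # jump to copy first
NEW_VARIANT = CLEAN_COM + b"\x90" * 20 + b"CODED XORR" + b"\xc3"    # unknown to dat v1
```

Running `scan(NEW_VARIANT, DAT_V1)` returns nothing while `scan(NEW_VARIANT, DAT_V2)` names the variant, which is the whole argument for keeping signature files current.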

     Be really careful regarding your sources of software. In general, shrink-wrapped commercial software should be "clean", but there have been a few documented cases of infected commercial software. Public-domain, freeware and shareware packages do not have to be any more dangerous - it all depends on the source. Check all new software for infection before you run it for the first time. It is even advisable to use a couple of scanners from different manufacturers, as no single scanner is able to detect all viruses. Obtain shareware, freeware and public-domain software from the original author or from reliable distribution sites, if at all possible.

     How do you know your PC has been infected with a virus? Some of the following are common symptoms of an infected computer:

  • Does it take longer than usual to load programs?
  • Do unusual error messages appear?
  • Does the memory size seem to have decreased?
  • Do the disk lights stay on longer than they used to?
  • Do files just disappear?

     Anything like this might indicate a virus infection.

     If your computer is infected with a virus - DON'T PANIC! Sometimes a badly thought out attempt to remove a virus will do much more damage than the virus could have done. If you are not sure what to do, leave your computer turned off until you find someone to remove the virus for you.

     Finally, remember that some viruses may interfere with the disinfection operation if they are active in memory at that time, so before attempting to disinfect you MUST boot the computer from a CLEAN system diskette. It is also a good idea to boot from a clean system diskette before scanning for viruses, as several "stealth" viruses are very difficult to detect if they are active in memory during virus scanning.
