Volume 26 No 02 2003
ISSN 0742-468X Since 1978 On-line Since 2000
Some More About Viruses
by
Richard Lowe Jr.
Editor's Note: Richard Lowe is back with another top-notch technical article for the not-so-technical reader. This time he is discussing the inner depths of computer viruses, a timely topic, to say the least. The Internet was just hit with the SQL Slammer Worm, a computer bug that mostly affects larger networks using Microsoft SQL server. It is thought to have started in South Korea. Jeff Strout, director of IP Services at Cox Communications, said:
"What it does, it exploits a hole in the Microsoft SQL server and then propagates itself around the Internet," Strout says. "Once you're affected, then you go after other people and affect them."
It seemed to me that it was a good time to give us all a refresher course on computer viruses. And who better to tell you about it than Richard Lowe Jr.? He is the webmaster of Internet Tips And Secrets at http://www.internet-tips.net. By now you should know that he is one of our favorite guest writers.
In the news it's always reported as a "virus" outbreak. Or someone will say they were "hit by a new virus", or their computer was destroyed by the "I Love You" virus. They are not, in fact, speaking about viruses at all, except in a very general sense. When your average person speaks of a virus, they mean "some unauthorized piece of code was executed on my system". Technically, this definition is incorrect. Generally, most "viruses" are actually worms, logic bombs, Trojan horses, and other types of invading software.
Some examples include:
Worm - A worm is a self-replicating program. Some of the more common worms, such as "I Love You", use Outlook to send themselves to every email address listed in the contact list. Others actually include their own SMTP (Simple Mail Transfer Protocol, the email sending protocol) server internally to send themselves to every email address they can find in any file on the hard drive. Some worms, such as Nimda, actually install themselves on web servers (Microsoft IIS systems) and then scan the internet for other vulnerable machines. When these machines are found, the worm penetrates and installs itself automatically.
Logic Bomb - This is a virus or piece of code (often installed by hostile employees) which is timed to trigger its payload at a specific date in the future. For example, a malicious employee might leave some code embedded within the accounting package which causes it to delete all records a year in the future. These types of infections are very difficult to detect and even harder to eradicate, as they may have been added to the system years before, backups may be corrupted with the malicious code, and even the "safe" source copies may have been compromised.
Trojan Horse - This type of malicious code is simply a virus or other dangerous program which is embedded within some desirable program. For example, someone might post a very nice screen saver on their web site which includes some code which deletes files, sends information to someone, or which simply sits and waits for instructions (these are called zombies).
As you can see, these definitions can overlap. It's possible to write a Trojan horse program which launches a worm which then installs a logic bomb which is set to relaunch itself a month later and start the whole process again. Open the email and nothing happens at all for a month, until the logic bomb triggers. Or a malicious programmer could leave a logic bomb behind him after he leaves a company which launches a month later. This program could scan the corporate address book and send copies of itself to every person listed, as well as making copies on all drives visible on the network. The payload of this worm could be a cool graphic which is actually an executable image which, when opened, deletes every file on the disk.
There are several infection routes for viruses.
Files - Many viruses embed themselves within files. The file may just contain the virus, or it may contain real data with the virus hidden inside. They may infect any type of file which is executed, or which contains executable parts. These include .EXE and .COM files, as well as .SYS, .OVL, .PRG and .MNU files. When the program or code is loaded and executed, the virus triggers, and the payload is activated. The "I Love You" virus is an example of this type. Quite often these viruses will be sent as attachments to an email message.
System or boot code - A few years ago, way back in the days of MSDOS and CP/M, this was one of the more common infection methods. A virus would embed itself within the system areas on a disk, and when that disk was mounted or the system was booted the virus would execute. These spread by writing themselves into the DOS boot sector on floppy disks or the Master Boot Record on hard disks. In the early days of computers, email was not the most common method of distributing information and files - floppy disks were. So it was very common to mount a floppy and then find your computer had been disabled by a virus. This is becoming less common now that email and the internet are being used more and more to distribute information.
Macros - In order to make their products competitive and extremely flexible, many vendors have added the capability to automate certain functions. This is called scripting, and it is a feature of many word processors, spreadsheet programs and applications. Unfortunately, Microsoft made the decision to allow complex scripts to be executed from within an email message in their email clients (Outlook and Outlook Express). This decision, while seeming to add benefit for many of their customers, actually more or less eliminated any semblance of security from the programs and has resulted in a huge plague of easy-to-write and exceptionally deadly virus attacks. Later versions of this software have tightened security greatly, and with proper installation these types of attacks can be greatly reduced.
Other macro viruses can come embedded within Word and Excel documents, PowerPoint presentations and just about any other document which supports scripting. Since Microsoft has tended to allow scripting within virtually their entire product line (this is a great feature to mention in promotional materials), it means that the possibility exists to receive infections from anything with their logo printed on it.
So how do you protect yourself against all of these (and many more) types of viruses waiting to damage or destroy your system?
1. Purchase the most recent version of anti-virus software, and keep the definitions up-to-date. This is probably the most important decision you can make in regards to the safety of your system. My advice: spend the money and buy the best anti-virus product you can find, and update the version every single year.
2. I'll repeat this again - keep those definitions up-to-date. Make sure your anti-virus software downloads new definitions at least once per week.
3. If you use Outlook 2000, be sure you have installed the Outlook Email Patch or Service Release 3. This will further protect you.
4. Don't use Outlook Express before version 6 (which comes with Internet Explorer 6) to read email. Use either a patched version of Outlook 2000, Outlook XP, Outlook Express version 6 or above, or some other email product such as Eudora.
5. Set the folder attribute "Hide extensions for known file types" to "off". This is critical. Otherwise, file types will be hidden from you which you MUST be able to detect.
6. Do not open executable attachments, regardless of who they came from. Note that rule #5 (above) must be followed for you to be able to do this.
7. Subscribe to the newsletter produced by your favorite anti-virus company.
8. Don't listen to anyone who says you do not need anti-virus protection on your system. These people are uneducated fools.
9. Beware of virus hoaxes which tell you to delete things on your system or forward warnings to all of your friends. These are, without exception, hoaxes. Just delete these emails immediately.
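Rules 5 and 6 work together: Windows decides what a file is from its final extension only, and a name such as report.doc.exe is built to be read as a Word document once that final extension is hidden (this is the "cool graphic which is actually an executable" from earlier in the article). The script below is an added example, not code from the article or its author. It classifies file and attachment names using the executable types the article lists (.EXE, .COM, .SYS, .OVL, .PRG, .MNU) plus a few Windows script and screen-saver types added here, shows what Explorer would display with extensions hidden, and flags double-extension disguises. The sample names are constructed.

```python
"""Added example, not from the original article: judge file and attachment
names the way a cautious Windows user should, flagging executable types and
names that hide behind a second, harmless-looking extension."""
from dataclasses import dataclass
import os

# Executable types named in the article.
ARTICLE_EXECUTABLE = {".exe", ".com", ".sys", ".ovl", ".prg", ".mnu"}
# Added here (not from the article): other Windows types that run code when opened.
ADDED_EXECUTABLE = {".vbs", ".js", ".scr", ".pif", ".bat", ".cmd"}
EXECUTABLE_EXTENSIONS = ARTICLE_EXECUTABLE | ADDED_EXECUTABLE
# Types a recipient tends to treat as "just a document or a picture".
HARMLESS_LOOKING = {".txt", ".doc", ".xls", ".ppt", ".jpg", ".gif", ".bmp", ".pdf"}
# Every extension Explorer would treat as a "known file type" in this model
# (assumption: all of the above are registered on the machine).
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | HARMLESS_LOOKING


@dataclass(frozen=True)
class Verdict:
    name: str
    executable: bool   # will run code if double-clicked
    disguised: bool    # executable hiding behind a document/image extension
    displayed: str     # what Explorer shows with "Hide extensions for known file types" ON
    reason: str


def classify(name: str) -> Verdict:
    """Judge one file name. Only the final extension decides the type, which is
    exactly what makes "report.doc.exe" dangerous when extensions are hidden."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    executable = ext in EXECUTABLE_EXTENSIONS
    _, inner_ext = os.path.splitext(stem)
    disguised = executable and inner_ext.lower() in HARMLESS_LOOKING
    # Explorer strips only the last extension, and only for registered types,
    # so "report.doc.exe" is shown as "report.doc" and "Photo.JPG" as "Photo".
    displayed = stem if ext in KNOWN_EXTENSIONS else name
    if disguised:
        reason = f"executable {ext} disguised as {inner_ext.lower()}; shown as '{displayed}'"
    elif executable:
        reason = f"executable type {ext}"
    else:
        reason = "not an executable type by name (content still needs a virus scanner)"
    return Verdict(name, executable, disguised, displayed, reason)


def scan(names):
    """Return verdicts for every executable name, disguised ones first."""
    flagged = [v for v in (classify(n) for n in names) if v.executable]
    return sorted(flagged, key=lambda v: (not v.disguised, v.name.lower()))


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = ["budget.xls", "report.doc.exe", "setup.exe", "vacation.jpg.scr",
              "notes.txt", "README", "Photo.JPG"]
    for v in scan(sample):
        print(f"{v.name:18} shown as {v.displayed:14} -> {v.reason}")
```

The name check is only the first line of defense the article asks for: a file that is not flagged here can still carry a macro or an infected executable section, which is why rules 1 and 2 (a current scanner with current definitions) come before it.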
Copyright © Richard Lowe Jr. and Claudia Arevalo-Lowe, 1999-2003