Compiled By: S. Agarwal, Lecturer & Systems Incharge, St. Xavier's Computer Centre, St. Xavier's College, Kolkata. February, 2003
What is a Virus?
A virus is just a computer program. Like any other program, it contains instructions that tell your computer what to do. But unlike an application, a virus usually tells your computer to do something you don't want it to do, and it can usually spread itself to other files on your computer -- and other people's computers.
In some cases, a virus will execute only a gentle "personality quirk," such as causing your computer to make seemingly random bleeps. But a virus can be very destructive; it could format your hard drive, overwrite your hard drive's boot sector, or delete files and render your machine inoperable.
General virus types
While there are thousands of variations of viruses, most fall into one of the following general categories, each of which works slightly differently.
Boot Sector Virus: Replaces or implants itself in the boot sector. This kind of virus can prevent you from being able to boot your hard disk.
Macro Virus: Written using a simplified macro programming language, these viruses affect Microsoft Office applications, such as Word and Excel. A document infected with a macro virus generally modifies a pre-existing, commonly used command (such as Save) to trigger its payload upon execution of that command.
Multipartite Virus: Infects both files and the boot sector -- a double whammy that can reinfect your system dozens of times before it's caught.
Polymorphic Virus: Changes its code whenever it passes to another machine.
Stealth Virus: Hides its presence by making an infected file not appear infected.
E-mail Viruses: An e-mail virus moves around in e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.
Worms: A worm is a computer program that has the ability to copy itself from machine to machine. Worms normally move around and infect other machines through computer networks. Worms eat up storage space and slow down the computer. But worms don't alter or delete files.
Trojan Horses: A Trojan horse is simply a computer program that claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk).
When loaded onto your machine, a Trojan horse can capture information from your system -- such as user names and passwords -- or could allow a malicious hacker to remotely control your computer. Trojan horses have no way to replicate automatically.
Origins of Viruses: People create viruses. A person has to write the code, test it to make sure it spreads properly and then release the virus. A person also designs the virus's attack phase, whether it's a silly message or destruction of a hard disk. In most cases people create viruses just for the thrill or fun.
How Do They Spread?
Early viruses were pieces of code attached to a common program like a popular game or a popular word processor. A person might download an infected game from the internet or copy it from a floppy disk and run it. A virus like this is a small piece of code embedded in a larger, legitimate program. Any virus is designed to run first when the legitimate program gets executed.
The virus loads itself into memory and looks around to see if it can find any other programs on the disk. If it can find one, it modifies it to add the virus's code to the unsuspecting program. Then the virus launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time either of those programs gets executed, they infect other programs, and the cycle continues.
If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to the internet, then other programs get infected. This is how the virus spreads.
The spreading part is the infection phase of the virus. Viruses wouldn't be so violently disliked if all they did was replicate themselves. Unfortunately, most viruses also have some sort of destructive attack phase where they do some damage. Some sort of trigger will activate the attack phase, and the virus will then "do something" -- anything from printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, or the number of times the virus has been replicated, or something similar.
SOME TRICKS THE VIRUSES PLAY:
One important trick is the ability to load viruses into memory so that they can keep running in the background as long as the computer remains on. This gives viruses a much more effective way to replicate themselves.
Another trick is the ability to infect the boot sector on floppy disks and hard disks. The boot sector is a small program that is the first part of the operating system that the computer loads; it tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee that it gets executed. It can load itself into memory immediately, and it is able to run whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the machine, and on campuses where lots of people share machines they spread like wildfire.
In general, both executable and boot sector viruses are not very threatening any more. The first reason for the decline has been the huge size of today's programs. The programs are so big that the only easy way to move them around is on CDs. People certainly can't carry applications around on a floppy disk like they did in the early days. Compact discs cannot be modified, and that makes viral infection of a CD impossible. Boot sector viruses have also declined because operating systems now protect the boot sector. Both boot sector viruses and executable viruses are still possible, but they are a lot harder now and they don't spread nearly as quickly as they once could.
Prevention is the best cure:
- Run a secure operating system like UNIX or Windows NT.
- Install virus protection software.
- Avoid programs from unknown sources.
- Disable floppy disk booting.
- Make sure Macro Virus Protection is enabled in all Microsoft applications.
- Never double-click on an executable that arrives as an e-mail attachment.
How antivirus software works:
Scanning software looks for a virus in one of two ways. If it's a known virus (one that has already been detected in the wild and has an antidote written for it) the software will look for the virus's signature -- a unique string of bytes that identifies the virus like a fingerprint -- and will zap it from your system. Most scanning software will catch not only an initial virus but many of its variants as well, since the signature code usually remains intact.
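As an added example (not part of the original notes), the signature lookup described above, in Python: a constructed signature table is searched over a few constructed sample files, and one pattern carries a bounded wildcard so that a variant that only changed the padding around the intact core code is still caught, while a file whose core was rewritten slips past. Every name, byte string and file content here is invented for illustration and describes no real virus or product.

```python
import re
from typing import Dict, Optional

# Constructed signature database for this example only; the names and byte
# patterns are invented and do not describe any real virus. Each value is a
# bytes regex: the core routine is kept exact, and a bounded wildcard span
# (.{0,12}?) lets the scanner also catch variants that pad or tweak the bytes
# between two parts of the core, which is how "copycat" variants often differ.
SIGNATURES = {
    "Demo.Exe.A": re.compile(rb"DEMO-EXE-CORE\x90\x90\x90"),
    "Demo.Macro.B": re.compile(
        rb"DEMO-MACRO-HOOK-SAVE.{0,12}?DEMO-MACRO-PAYLOAD", re.DOTALL
    ),
}


def scan_bytes(data: bytes) -> Optional[str]:
    """Return the name of the first signature found in data, or None if clean."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Scan a mapping of filename -> contents; report only the infected files."""
    report = {}
    for fname, data in files.items():
        hit = scan_bytes(data)
        if hit is not None:
            report[fname] = hit
    return report


# Constructed sample "files": a clean program, an infected program, a macro
# variant with three altered padding bytes (still caught), and a variant whose
# padding grew past the wildcard bound (missed, so a new signature is needed).
SAMPLE_FILES = {
    "game.exe": b"MZ" + b"\x00" * 32 + b"legit game code",
    "editor.exe": b"MZ" + b"legit editor code" + b"DEMO-EXE-CORE\x90\x90\x90",
    "memo.doc": b"\xd0\xcf\x11\xe0DEMO-MACRO-HOOK-SAVE\x01\x02\x03DEMO-MACRO-PAYLOAD",
    "report.doc": b"\xd0\xcf\x11\xe0DEMO-MACRO-HOOK-SAVE" + b"\x00" * 40 + b"DEMO-MACRO-PAYLOAD",
}

if __name__ == "__main__":
    for fname, hit in scan_files(SAMPLE_FILES).items():
        print(f"{fname}: infected with {hit}")
```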
In the case of new viruses for which no antidote has been created, scanning software uses methods that look for unusual virus-like activity on your system. If the program sees any funny business, it quarantines the questionable program and broadcasts a warning to you about what the program may be trying to do (such as modify your Windows Registry). If you and the software think the program may be a virus, you can send the quarantined file to the antivirus vendor, where researchers examine it, determine its signature, name and catalog it, and release its antidote. It's now a known virus.
If the virus never appears again -- which often happens when the virus is too poorly written to spread -- then vendors categorize the virus as dormant. But viruses are like earthquakes: the initial outbreak is usually followed by aftershocks. Variants (copycat viruses that emerge in droves after the initial outbreak) make up the bulk of known viruses.
Practice safe computing
The best way to protect yourself from viruses is to avoid opening unexpected e-mail attachments and downloads from unreliable sources. Resist the urge to double-click everything in your mailbox. If you get a file attachment and you aren't expecting one, e-mail the person who sent it to you before you open the attachment. Ask them if they meant to send you the file, what it is, and what it should do.
For added safety, you need to install reliable antivirus scanning software and download updates regularly. Major antivirus software vendors, including Symantec, Network Associates, Computer Associates, and Trend Micro, provide regular updates. (Computer Associates' InoculateIT is also free.) Some of the vendors also offer a service that will automatically retrieve updates for you from the company's Web site.
Regular updates are essential. Researchers at Computer Economics estimate that 30 percent of small businesses are vulnerable to viruses either because they don't keep their virus-scanning software updated or because they don't install it correctly.