Department of Computer Science

COMPUTER VIRUSES AND HOW TO PRACTICE SAFE COMPUTING

Today there are over 230 known viruses, including around 500 different strains, which attack the IBM PC compatible computers. The rate at which these viruses can spread is astounding. The impact on computer users everywhere is dramatic, as computer viruses have resulted in hundreds of thousands of dollars of losses. Whenever computer resources are shared, there is the risk of infection by a computer virus.
Definitions:

Computer Virus - term first used by Fred Cohen in 1984; first described in a T.J. Ryan sci-fi book, Adolescence of P-1. A small program that attaches itself to another program and attacks other software by making copies of itself.

Worm - program (usually stand-alone) that worms its way through either the computer's memory or a disk and alters data that it accesses.

Trojan horse - program which attaches itself to a seemingly innocent program (does not necessarily replicate).

Logic/Time bomb - program which is activated or triggered after or during a certain event.

Viruses can be broken down into three different classifications:

boot sector infectors - hides in the boot sector of a disk and takes over control of the computer system when it is booted, copying itself into the computer's memory. When other disks are used, the virus transfers to their boot sectors.

system infectors - attaches to one or more operating system modules or system device drivers, usually COMMAND.COM. Takes control after the initial use of the infected program.

application program infectors - attaches to .COM and .EXE files. Takes control after the initial use of the infected program. Very infectious.
Examples:

Pakistani Brain virus - (boot sector virus) transfers the current boot sector to an unused portion of the disk and marks that portion as bad sectors. It then copies the remainder of the virus to another unused portion of the disk and marks that portion as bad sectors too. The Brain virus then marks other portions of the disk as bad sectors, making files and eventually the disk unusable. Early versions displayed a volume label (c) Brain. All versions have the name of the program, the authors and their address in the boot sector of the infected disk.

Lehigh virus - infects the COMMAND.COM file. After it has caused 4 or 10 infections, it overwrites the boot sector and FAT with zeros in the first 32 sectors of the disk. Can be detected by looking at the size and creation date of the COMMAND.COM file.

virus) - infects both .COM and .EXE files. Will survive a warm boot. After the virus is resident for 1/2 hour, it slows the system down by a factor of 10. On Friday the 13th, it will delete all executed files.

Cascade virus (also known as the Falling Letters or 1701 virus) - originally a Trojan Horse disguised as a program to turn off the Num-Lock light. Instead it caused all the characters on the screen to fall into a pile at the bottom of the screen. It now occurs as a memory resident .COM virus. Uses an encryption algorithm to avoid detection. Activated on any machine with a color monitor in Sept.-Dec. in the years 1980 and 1988.

Stealth virus (also known as 4096, Century, FroDo, IDF and 100 Years virus) - infects .COM, .EXE and .OVL files. It hides the increase in length of the file. It crosslinks files on the system disk by manipulating the FATs. Hangs infected systems on or after Sept. 22 of any year.

AIDS Trojan Horse - over 20,000 corporations received a disk and pamphlet titled "AIDS Information--An Introductory Diskette". The install program prints an invoice and then creates some hidden subdirectories using spaces and non-printable characters, then copies itself into a file named REM.EXE and modifies the AUTOEXEC.BAT file. After 90 reboots, the program tells the user that the software lease has expired and must be renewed. It then encrypts all the filenames and hides them, rendering the disk unusable.
The spread of computer virus infections can be stopped through the practice of "safe computing":

1. Don't use illegal software! If the software has been obtained illegally, how can you assume that it doesn't contain a virus?

2. Never boot your computer system from a diskette other than the original DOS diskette. Only one write-protected boot disk should be assigned to a floppy-based system. The diskette should be clearly marked, write-protected and used only for booting up the designated computer. If you accidentally try to boot from a non-system disk, turn the computer off and boot with the write-protected system disk.

3. If your system uses a fixed disk, never boot from a diskette. In some situations, write protection software for the hard disk should be employed.

4. Always write-protect your system and program disks. Write-protect tabs are easy to use and very effective. You should write only on data disks.

5. Only copy files from the original distribution disks.

6. Always keep at least one set of back-up copies of all original disks. (This won't prevent a virus infection, but it will help in the recovery process if an infection occurs.)

7. Do not loan out program disks. They may be infected when they are returned. If you must loan a disk, always format it before using the disk on your computer system.

8. Never use a computer that has already been turned on by another user. Always use a cold boot to restart the computer. Do not assume that a warm boot will remove a virus.

9. Make all the .COM and .EXE system and program files read-only by using the command ATTRIB +R.

10. Always keep a lookout for strange occurrences:
   a. When you do a directory listing, look at the volume label.
   b. Observe whether your computer system is slowing down.
   c. Watch for files that disappear.
   d. Notice when there are attempts to access the disks when there should not be any read or write activity.
   e. Watch whether the loading of programs takes longer.
   f. Keep a lookout for decreases in the main memory or reduction of disk space.
   g. Watch for unusually large sizes on program files.
   h. Watch for recent creation dates on old program files.

11. Use caution when using public domain and shareware software or any new software.

12. If you are downloading software from a bulletin board or other computer network, always download to a diskette. You should then scan the diskette for possible virus infections. (You may want to write-protect your hard disk during this operation.)
In addition, there is a variety of software available to combat computer viruses. Most of this software can be grouped into four different categories: infection detection, infection identification, infection elimination and infection prevention.

Infection detection software products detect the presence of an infection soon after it has happened. They often identify the location of the infection. Many infection detection programs identify generic infections instead of individual viruses. They do this by looking for changes in the system made by the virus. The detection of viruses acts in one of two ways: by taking a snapshot of the system or by vaccinating the system. The snapshot technique is the more effective form of protection.
One example of a snapshot program is the VALIDATE program that is distributed by McAfee Associates through their bulletin board system. VALIDATE is a file authentication program which uses two methods to generate CRC check numbers. These numbers, along with the size of the file and its creation date, are displayed. These values can then be compared with validation data provided by the author of the software. The Computer Virus Industry Association (CVIA) maintains a bulletin board with the validation data for many shareware programs.

Another anti-virus program, FluShot+, contains some snapshot features. FluShot+ is a shareware program and is a real bargain. Each time FluShot+ is executed, it compares the checksums for the files COMMAND.COM, IBMBIO.COM, IBMBIO.DOS, and any other files specified by the user. These checksums are compared with values that the user places in a data file used by FluShot+.
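The snapshot technique, as an added example in Python (not VALIDATE or FluShot+ code, and not part of the original handout): record the size, date and a CRC32 for every program file under a directory, then compare a later snapshot with the baseline. This is also the check behind warning signs 10.g and 10.h above (program files that grow or get new dates). The directory layout, file contents and the simulated infection in demo() are constructed.

```python
import os
import tempfile
import zlib

def file_record(path):
    """Per-file values of the kind VALIDATE displays: size, date and a CRC32 of the contents."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "crc32": zlib.crc32(data) & 0xFFFFFFFF}

def snapshot(root, suffixes=(".com", ".exe", ".sys")):
    """Record every program file under root (DOS-style suffix match), keyed by relative path."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                records[os.path.relpath(full, root).replace(os.sep, "/")] = file_record(full)
    return records

def compare(baseline, current):
    """What changed since the baseline: rewritten or grown program files, new ones, missing ones."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}

def demo():
    """Constructed scenario: take a baseline, then mimic an application-program infector that
    appends code to an .EXE (the 'unusually large program file' warning sign) and drops a new .COM."""
    root = tempfile.mkdtemp()
    files = {"COMMAND.COM": b"MZ constructed shell", "GAMES/PACMAN.EXE": b"MZ constructed game",
             "README.TXT": b"not a program, so not tracked"}
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    baseline = snapshot(root)
    with open(os.path.join(root, "GAMES", "PACMAN.EXE"), "ab") as fh:
        fh.write(b"\x90" * 64)      # stands in for appended viral code; size and CRC both change
    with open(os.path.join(root, "NEW.COM"), "wb") as fh:
        fh.write(b"MZ constructed dropper")
    return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is written to a write-protected diskette, as the handout advises for validation data, so that an infector cannot update it.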
A second method for detecting a virus infection is with vaccine programs. Vaccination works by changing the computer system's programs to include a self-test mechanism inside the vaccinated program. This test mechanism executes each time the program is executed and checks to see if any changes have occurred since the last time the program was executed. If the program has changed, then the user is notified that a virus attack has probably occurred.
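The self-test mechanism described above, modelled in Python as an added example (not the code of any vaccine product, and not part of the original handout): vaccinate() appends a trailer holding the CRC32 of the program image, and self_test() is the check that would run at each start. The same idea is the self check that SCAN performs on itself, described further on. The trailer layout and the program bytes are constructed.

```python
import struct
import zlib

MAGIC = b"VACC"   # constructed trailer marker; a real vaccine patches a self-test routine into the executable

def crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def vaccinate(program):
    """Append a trailer with the CRC32 of the program image as it was when vaccinated."""
    return program + MAGIC + struct.pack(">I", crc(program))

def self_test(image):
    """The start-up check: split off the trailer and recompute the CRC of the rest.
    Returns (ok, reason); any change to the body, or anything written after the trailer, fails."""
    if len(image) < 8 or image[-8:-4] != MAGIC:
        return False, "trailer missing or overwritten"
    body, stored = image[:-8], struct.unpack(">I", image[-4:])[0]
    if crc(body) != stored:
        return False, "program image changed since vaccination"
    return True, "unchanged"

def demo():
    """Constructed scenario: one clean copy and two ways an infector alters a program."""
    original = b"MZ constructed program image"
    clean = vaccinate(original)
    appended = clean + b"\x90" * 32    # infector appends its code after the image
    patched = bytearray(clean)
    patched[3] ^= 0xFF                  # infector overwrites bytes inside the image
    return {"clean": self_test(clean)[0],
            "appended": self_test(appended)[0],
            "patched": self_test(bytes(patched))[0]}

if __name__ == "__main__":
    print(demo())
```

The weakness the handout's ranking reflects: the stored CRC travels with the program, so a virus that understands the trailer can recompute it, whereas a snapshot kept on a write-protected disk cannot be updated from the infected machine.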
The infection identification type of software product identifies the specific type and strain of virus that has already infected the computer system. Infection identification software will often include the capability for removing the virus. These products look for specific signatures left by viruses. These signatures may include virus labels or copyright flags like the (c) Brain message, or may be unique segments of the viral code. These products may look for particular changes to the computer system or even specific file names. Whenever a virus is found, the user is notified of the location of the virus and the identity of the virus. There is one major drawback to this type of anti-virus software. The designer must have a working sample of each virus and then design and implement code to identify each virus. This is a very time-consuming process and requires frequent updates to account for the new viruses and substrains that are constantly emerging.
Probably the most popular virus detection software is the program VIRUSCAN, which can be downloaded from John McAfee's Bulletin Board. The latest version, 6.9V75, is reported to identify 480 different MS-DOS viruses and their strains.

SCAN contains a self check which tests for modifications to VIRUSCAN when it is first loaded. This is an important feature since at least one version of VIRUSCAN, version 65, has been distributed with a Trojan horse embedded in it. VIRUSCAN includes an option that removes infected files. If the infection is widespread, the user is directed to use one of the disinfector utilities that accompany VIRUSCAN.
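Signature-based identification of the kind the last two paragraphs describe, as an added example in Python (not VIRUSCAN code, and not part of the original handout). The "(c) Brain" label and the REM.EXE file name are the identifiers this handout names; the byte pattern in the DEMO entry and all sample files are constructed. As the text warns, every entry has to be written from a sample of that virus, and a strain whose bytes differ (as Cascade's encryption arranges) will not match.

```python
import os
import tempfile

# Signature database, one (name, kind, pattern) per entry: "bytes" is matched anywhere in the
# file contents, "filename" against the file's name. Only the DEMO pattern is invented.
SIGNATURES = [
    ("Brain (label)", "bytes", b"(c) Brain"),
    ("AIDS Trojan dropper (file name)", "filename", "REM.EXE"),
    ("DEMO constructed strain", "bytes", bytes.fromhex("deadbeef0102")),
]

def scan_file(path):
    """Names of every signature that matches this file, so the user learns both where and what."""
    name = os.path.basename(path).upper()
    with open(path, "rb") as fh:
        data = fh.read()
    return [sig_name for sig_name, kind, pattern in SIGNATURES
            if (kind == "filename" and name == pattern) or (kind == "bytes" and pattern in data)]

def scan_tree(root):
    """Scan every file under root; report {relative path: [signature names]} for files with hits."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report

def demo():
    """Constructed disk: a boot-sector image carrying the Brain label, the AIDS dropper's file
    name, a program carrying the DEMO pattern, and a clean program that matches nothing."""
    root = tempfile.mkdtemp()
    samples = {
        "BOOT.IMG": b"\xeb\x34\x90" + b"(c) Brain" + b"\x00" * 16,
        "REM.EXE": b"MZ constructed",
        "PROGS/TOOL.COM": b"MZ " + bytes.fromhex("deadbeef0102") + b" constructed",
        "CLEAN.COM": b"MZ nothing to see here",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return scan_tree(root)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, "->", ", ".join(hits))
```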
If an infection is detected, follow the procedures listed below:

1. DON'T PANIC. First, determine how extensive the infection is. If the infection has only attacked the floppy disks, skip steps 2 through 11. If possible, use a program like Clean-Up to remove the virus; otherwise, if necessary, do the following:

2. Shut off the infected computer system.

3. Power up the system with the original write-protected system diskette.

4. Make sure that the system has booted properly.

5. Back up all the nonexecutable data files from all directories onto newly formatted diskettes or do a tape backup. (If backing up to another hard disk, make sure that the hard disk has not also been infected.) DO NOT EXECUTE OR BACK UP ANY OF THE PROGRAMS FROM THE INFECTED HARD DISK!!!

6. Check each batch file on the infected hard disk. If any of the lines within the batch file look suspicious, do not back up that file. Otherwise back up all the batch files.

7. Do a low-level format of the infected hard disk.

8. Install the operating system onto the hard disk.

9. Rebuild all directories.

10. Install all the executable programs from the original write-protected distribution disks.

11. Restore all the files that had been backed up in steps 5 and 6.

12. Gather all the diskettes that have been used with the computer system during the past six months. It is difficult to tell when the original infection occurred. Either destroy these diskettes or follow the steps below.

13. Back up all the nonexecutable data files from the suspect disks onto newly formatted diskettes.

14. Reformat the suspect diskettes.
If the virus is a boot sector infector, then the recovery process is simpler. The boot infector viruses do not infect executable programs. This means that the infection is isolated in the bootable system on the infected disk. To recover from this type of infection, proceed with the following steps:

1. Shut off the infected computer system.

2. Power up the system with the original write-protected system diskette.

3. Make sure that the system has booted properly.

4. Replace the operating system and the boot sector of the infected disk. (NOTE: The virus will remain intact in the bad sectors created by the virus in the data files, but these virus segments are not active.)
FOR ENVIRONMENTS SUFFERING SERIOUS INFECTIONS

1. Write-protect the hard disk using a hardware switch.

2. Install a Virus Buster anti-virus card. This prevents viruses, including boot sector viruses, from infecting the computer.

3. Install anti-virus protection in the BIOS.