Dr. Wayne Summers & Naimah Bte Mohd. Hussin...EDUCOMP '91



        COMPUTER VIRUSES AND PRACTICING SAFE COMPUTING 

 

 

 

            Dr. Wayne Summers & Naimah Bte Mohd. Hussin

 

            ITM/MUCIA - PUSAT PENGAJIAN PERSEDIAAN

                  SECTION 17, 40000 SHAH ALAM

                     SELANGOR DARUL EHSAN.

 

 

                           ABSTRACT

 

Computer viruses are a major problem.  Today there are over 500 different strains of viruses which attack IBM PC compatible computers.  These viruses can be broken down into three different classifications: boot sector infectors, system infectors and application program infectors.  The rate at which these viruses can spread is astounding.  The impact on computer users everywhere is dramatic, as computer viruses have resulted in hundreds of thousands of dollars of losses.  Whenever computer resources are shared, there is the risk of infection by a computer virus.  The spread of computer virus infections can be stopped through the practice of "safe computing."  Most importantly, computer users need to know about computer viruses and how they spread.  By practicing the "safe computing" guidelines, a computer user can avoid infection by computer viruses.  Most of these guidelines are common sense rules that many computer users choose to ignore.  In addition there is a variety of software available to combat computer viruses.  These include virus prevention programs, programs to diagnose and identify computer viruses, and programs to remove viruses.  Although computer viruses are a major problem to computer users, there are methods to prevent the spread of these viruses.


 

1  INTRODUCTION

 

Today there are over 230 known viruses, including around 500 different strains, which attack IBM PC compatible computers.  The rate at which these viruses can spread is astounding.  The impact on computer users everywhere is dramatic, as computer viruses have resulted in hundreds of thousands of dollars of losses.  Whenever computer resources are shared, there is the risk of infection by a computer virus.  This is especially a problem at schools and universities.  Students are a mobile population and often carry disks between school and home.  They often share their programs with their friends and peers.  Students are also often unaware of the dangers and illegality of using pirated software.  When they are aware of this, they often ignore it because of the cost of purchasing legal software.  An additional problem is that many of our school and university labs are open and unrestricted.  There is little security and few precautions are taken to prevent a student from accidentally introducing a computer virus into a computer system.

 

2  DEFINITIONS

 

What are computer viruses?  The term Computer Virus was first used by Fred Cohen in 1984.  The concept of a program spreading and taking over other computer systems was first described in a science-fiction book, Adolescence of P-1 by T. J. Ryan.  A computer virus is a small program that attaches itself to another program and spreads by making copies of itself in other programs.

 

Similar to a computer virus is a Worm.  A worm is a stand-alone program that works its way through the computer's memory, a disk or a network, making copies of itself and possibly altering data that it accesses.  It is different from a computer virus since it does not require a host program.

 

Many computer viruses are introduced to a computer system as a Trojan horse.  A Trojan horse is a program that hides inside, or masquerades as, a seemingly innocent program.  Trojan horses do not necessarily replicate.

 

Most computer viruses do not do damage immediately.   If they did,  it would be easy to identify the virus and prevent its further  spread.    Many computer viruses  exhibit  the characteristics of a Logic or Time bomb.  A logic or time bomb is a program that  is activated or triggered after or during a certain event.  This may  be after several executions or on a certain day like Friday the 13th.

 

3  TYPES OF VIRUSES

        

Viruses  can  be  broken  down  into  three  different classifications.   These are boot  sector infectors,  system infectors, and application program infectors.

 

A boot sector infector hides in the boot sector of a disk and takes control of the computer system when the system is booted from that disk.  It then copies itself into the computer's memory.  When other floppy disks are accessed, the virus writes itself to their boot sectors.  The most common boot sector viruses are the Pakistani Brain virus and the Stoned/Marijuana virus.

 

A  system infector attaches to one or more  operating system modules or system  device drivers,  usually COMMAND.COM.  The virus takes  control after the initial use of  the infected program.   An example of a system infector virus is the Lehigh virus that infects the COMMAND.COM program.

 

The most infectious type of computer virus is the application program infector.  These attach to .COM and/or .EXE files.  An application program infector takes control after the initial use of the infected program.  Once the virus is in place in the RAM of the computer system, it will potentially infect every program run on the computer until the computer is shut off.  The most widespread virus today is the Jerusalem virus.

 

4  EXAMPLES OF VIRUSES

 

The Pakistani Brain virus is a boot sector virus that moves the original boot sector to an unused portion of the disk and marks that portion of the disk as bad sectors.  The virus then copies the remainder of the virus to another unused portion of the disk and marks that portion as bad sectors also.  The Brain virus then periodically marks other portions of the disk as bad sectors, making files and eventually the disk unusable.  Early versions displayed a volume label of (c) Brain.  All versions have the name of the program, the authors and often their address in the boot sector of the infected disk.  This virus was the first virus known to spread worldwide and has spawned numerous strains of similar viruses, including the Ashar or Ashar-Shoe virus, which is very widespread in Malaysia.  The origin of the Ashar virus is unknown, but it has some characteristics which point to a possible Malaysian origin.
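As an added example (not from the paper, and not the code of any tool it mentions), the following Python counts the clusters a FAT12 diskette has marked bad.  Brain hides its code in sectors it marks bad, so a growing bad-cluster count on a disk that has not developed physical faults is exactly the shrinking disk space that rule 10(f) in section 5 tells a user to watch for.  The FAT table is constructed in the code: the geometry of a 360 KB diskette (354 data clusters of 1024 bytes, media byte FDh) is standard, but the clusters marked bad are invented for illustration.  On a real diskette image the first FAT copy starts at byte 512, immediately after the boot sector.

```python
"""Counting the clusters a FAT12 volume has marked bad (added example).

The table below is CONSTRUCTED; on a real floppy image read the first FAT
from offset 512 (the sector after the boot sector) and pass it to
bad_clusters() with the cluster count from the BIOS Parameter Block.
"""
from typing import List

BAD_CLUSTER = 0xFF7      # FAT12 value for a cluster marked unusable
CLUSTER_BYTES_360K = 1024  # two 512-byte sectors per cluster on a 360 KB diskette
CLUSTERS_360K = 354      # 720 sectors minus boot, two FATs and root directory


def fat12_entry(fat: bytes, n: int) -> int:
    """Decode 12-bit entry n from a packed FAT12 table (two entries per 3 bytes)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word & 0xFFF if n % 2 == 0 else word >> 4


def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Encode entry n without disturbing the neighbouring entry's nibble."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    if n % 2 == 0:
        word = (word & 0xF000) | (value & 0xFFF)
    else:
        word = (word & 0x000F) | ((value & 0xFFF) << 4)
    fat[off] = word & 0xFF
    fat[off + 1] = word >> 8


def bad_clusters(fat: bytes, total_clusters: int) -> List[int]:
    """Cluster numbers marked bad.  Data clusters are numbered from 2."""
    return [n for n in range(2, total_clusters + 2)
            if fat12_entry(fat, n) == BAD_CLUSTER]


def lost_bytes(bad: List[int], bytes_per_cluster: int = CLUSTER_BYTES_360K) -> int:
    """Disk space the user can no longer use because of the bad marks."""
    return len(bad) * bytes_per_cluster


def build_sample_fat(total_clusters: int, bad: List[int]) -> bytes:
    """Constructed FAT12: media-descriptor entries, everything free, some bad."""
    fat = bytearray(((total_clusters + 2) * 3 + 1) // 2 + 2)
    fat12_set(fat, 0, 0xFFD)   # entry 0 carries the media byte (FDh = 360 KB)
    fat12_set(fat, 1, 0xFFF)   # entry 1 is reserved
    for n in bad:
        fat12_set(fat, n, BAD_CLUSTER)
    return bytes(fat)


# Constructed sample: six clusters marked bad on an otherwise empty 360 KB disk.
SAMPLE_BAD = [3, 4, 5, 100, 101, 350]
SAMPLE_FAT = build_sample_fat(CLUSTERS_360K, SAMPLE_BAD)

if __name__ == "__main__":
    found = bad_clusters(SAMPLE_FAT, CLUSTERS_360K)
    print(f"{len(found)} bad clusters, {lost_bytes(found)} bytes unusable: {found}")
```

Run it twice, before and after a suspect disk has been used, and compare the lists: a freshly formatted diskette that FORMAT reported as error-free should show no bad clusters at all.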

 

The Stoned/Marijuana virus is also a boot sector virus.  It infects the boot sector of floppy disks and the partition sector (master boot record) of hard disks.  On most systems it will only periodically display the message "Your PC is Stoned.  Legalise Marijuana."  However, the virus stores the original boot sector at a fixed location that is unused on a standard 360 KB diskette but holds directory or file allocation table data on high-density diskettes and on some hard disks with more than one partition; on those disks it overwrites that data, which makes access to the files nearly impossible.  The original strain of this virus was written in New Zealand.

 

The Lehigh virus infects the COMMAND.COM file.  After it has infected four (in a later strain, ten) other disks, it overwrites the first thirty-two sectors of the disk, which hold the boot sector and FAT, with zeros.  This virus is easily detected by looking at the size and creation date of the COMMAND.COM file.

 

The most widespread virus is the Jerusalem virus.  It is also known as the Israeli and Friday 13th virus and includes several strains, among them the Jerusalem-B virus.  The Jerusalem virus infects both .COM and .EXE files.  This virus will survive a warm boot.  After the virus has been resident for half an hour, it slows the system down by a factor of ten.  On Friday the 13th, it deletes every program that is run.  Besides the damage it inflicts, the Jerusalem-B virus also periodically displays a "black window" in the middle of the screen.

              

An interesting virus is the Cascade virus, also known as the Falling Letters or 1701 virus.  It originally appeared as a Trojan horse disguised as a program to turn off the Num-Lock light.  Instead it caused all the characters on the screen to fall into a pile at the bottom of the screen.  It now occurs as a memory-resident .COM virus.  The Cascade virus uses an encryption algorithm to avoid detection.  It is activated on any machine with a color monitor in September through December of the years 1980 and 1988.

 

One scary development is the increase in the number of Stealth viruses.  These include the 4096 virus (also known as Century, FroDo or 100 Years), Fish and Whale.  These viruses infect .COM, .EXE and .OVL files.  They get the name stealth because of their ability to avoid detection.  They typically hide the increase in length of the infected file and usually reset the creation date of the infected files, so a directory listing taken while the virus is resident shows nothing wrong.  They can survive a warm boot.  Stealth viruses are usually encrypted to avoid detection by many virus identification programs and may use self-modifying encryption algorithms.  Some stealth viruses can also bypass programs which write-protect hard disks.  The FroDo virus cross-links files on the system disk by manipulating the FATs.  It also hangs infected systems on or after Sept. 22 of any year.

 

5  SAFE COMPUTING

 

The spread of computer virus infections can be stopped through the practice of "safe computing."  The following is a list of do's and don'ts for safe computing.

    1.  Don't use illegal software!  If the software has been obtained illegally, how can you assume that it doesn't contain a virus?

    2.  Never boot your computer system from a diskette other than the original DOS diskette.  Only one write-protected boot disk should be assigned to a floppy-based system.  The diskette should be clearly marked, write-protected and used only for booting up the designated computer.  If you accidentally try to boot from a non-system disk, turn the computer off and boot with the write-protected system disk.  (The boot sector of a data disk is executed even though the disk cannot load DOS, so a boot sector virus on it is already in memory by the time the "Non-System disk" message appears.)

    3.  If your system uses a fixed disk, never boot from a diskette.  In some situations, write-protection software for the hard disk should be employed.

    4.  Always write-protect your system and program disks.  Write-protect tabs are easy to use and very effective.  You should write only to data disks.

    5.  Only copy files from the original distribution disks.

    6.  Always keep at least one set of backup copies of all original disks.  (This won't prevent a virus infection, but it will help in the recovery process if an infection occurs.)

    7.  Do not loan out program disks.  They may be infected when they are returned.  If you must loan a disk, always check it for viruses or format it before using the disk on your computer system again.

    8.  Never use a computer that has already been turned on by another user.  Always use a cold boot to restart the computer.  Do not assume that a warm boot will remove a virus.

    9.  Make all the .COM and .EXE system and program files read-only by using the command ATTRIB +R.  The read-only attribute is only a flag that any program can clear, and some viruses clear it before writing, so this stops careless infectors and accidental overwrites rather than a determined virus.

   10.  Always keep a lookout for strange occurrences:

        a. When you do a directory listing, look at the volume label.

        b. Observe whether your computer system is slowing down.

        c. Watch for files that disappear.

        d. Notice when there are attempts to access the disks when there should not be any read or write activity.

        e. Watch whether the loading of programs takes longer.

        f. Keep a lookout for decreases in main memory or reductions in disk space.

        g. Watch for unusually large sizes on program files.

        h. Watch for recent creation dates on old program files.

        i. Watch for unusual displays on the computer screen.

   11.  Use caution when using public domain and shareware software or any new software.  There have been instances where commercial software has been sold with a virus.

   12.  If you are downloading software from a bulletin board or other computer network, always download to a diskette.  You should then scan the diskette for possible virus infections.  (You may want to write-protect your hard disk during this operation.)

   13.  In a lab environment, do not allow students to run their own programs or boot the computer system with their own disks.  Students should only have data disks that are not bootable.  All program disks and hard disks in a lab must be checked frequently for viruses.  If students are allowed to use their own program disks, they must be scanned before they are used in the computer lab.

   14.  Most important of all is to teach our students about computer viruses so that they can recognize them.  Students need to be able to identify viruses so that they will be able to prevent their spread.

 


6  ANTI-VIRUS SOFTWARE

 

In addition  to the precautions listed above,  there  is a variety  of software  available to combat computer  viruses.  Most of  this software can be grouped into  three different categories: infection detection and identification,  infection elimination and infection prevention.

                 

Infection detection software products detect the presence of an infection soon after it has happened.  They often identify the location of the infection.  Many infection detection programs identify generic infections instead of individual viruses.  They do this by looking for changes in the system made by the virus.  Detection works in one of two ways: by taking a snapshot of the system or by vaccinating programs.  The snapshot technique is the more effective form of protection.

 

One example of a snapshot program is the VALIDATE program that is distributed by McAfee Associates through their bulletin board system.  VALIDATE is a file authentication program which computes two CRC check values using two different methods.  These numbers, along with the size of the file and its creation date, are displayed.  These values can then be compared with validation data provided by the author of the software.  The Computer Virus Industry Association (CVIA) maintains a bulletin board in the U.S. at 1-(408) 988 4008 that lists the validation data for many shareware programs.  Note that a CRC is an error-detecting code, not a cryptographic one: a virus written with a particular checker in mind can pad the file so that the CRC comes out unchanged, so the size and date must be checked as well and the validation data must come from a trusted source.

 

Another anti-virus program, FluShot+, contains some snapshot features.  FluShot+ is a shareware program and is a real bargain.  Each time FluShot+ is executed, it compares the checksums for the files COMMAND.COM, IBMBIO.COM, IBMDOS.COM and any other files specified by the user.  These checksums are compared with values that the user places in a data file used by FluShot+.

 

A second method for detecting a virus infection is with vaccine programs.  Vaccination works by changing the computer system's programs to include a self-test mechanism inside the vaccinated program.  This test mechanism executes each time the program is executed and checks to see if any changes have occurred since the last time the program was executed.  If the program has changed, then the user is notified that a virus attack has probably occurred.

 

The infection identification type of software product identifies the specific type and strain of virus that has already infected the computer system.  Infection identification software will often include the capability for removing the virus.  These products look for specific signatures left by viruses.  These signatures may include virus labels or copyright flags, like the (c) Brain message, or may be unique segments of the viral code.  These products may also look for particular changes to the computer system or even specific file names.

 

Whenever a  virus is  found, the user is  notified of  the location of the virus and the identity of the virus. There is one  major drawback to this type of anti-virus software.  The designer must  have a working sample of each virus  and then design and implement  code to identify each virus.  This is a very time-consuming  process and requires frequent updates to account for the new viruses and substrains that are constantly emerging. 
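As an added example of the signature approach (not the paper's own, and not VIRUSCAN), the following Python matches a small table of byte patterns against a file or a 512-byte boot sector and reports what it found and where.  The two label strings are the texts quoted in this paper; the code pattern, the sample boot sector, the sample .COM files and the XOR "encryption" with its decryptor-like stub are all constructed for the example and are not real virus signatures or real infected objects.  The encrypted sample shows the drawback the text mentions for encrypted viruses such as Cascade: the same body that matches in the clear does not match once encrypted, so a scanner has to carry a signature for the decryptor instead.

```python
"""Signature-based virus identification (added example).

Every pattern, sample file and sample sector here is CONSTRUCTED for the
example.  Label strings are the texts quoted in the paper; the byte pattern
is not a real virus signature.
"""
import re
from typing import Dict, List, Tuple

# Hex bytes separated by spaces; "??" matches any single byte, so one pattern
# can cover strains that differ only in an address or a length field.
SIGNATURES: Dict[str, str] = {
    "Brain (boot sector label)": "28 63 29 20 42 72 61 69 6E",        # "(c) Brain"
    "Stoned (message text)": "59 6F 75 72 20 50 43 20 69 73",         # "Your PC is"
    "Example-COM (hypothetical code)": "B8 ?? ?? CD 21 EB FE",       # constructed
}


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn 'B8 ?? CD 21' into a bytes regex; wildcards become '.' under DOTALL."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(s) for name, s in SIGNATURES.items()}


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Every (virus name, offset of first match) found in data."""
    hits = []
    for name, pat in COMPILED.items():
        m = pat.search(data)
        if m:
            hits.append((name, m.start()))
    return hits


def boot_sector_checks(sector: bytes) -> List[str]:
    """Generic checks that need no signature: a DOS boot sector begins with a
    JMP and ends with 55AA.  A first filter, not proof that the sector is clean."""
    if len(sector) != 512:
        return ["not 512 bytes"]
    problems = []
    if sector[0] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP")
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 55AA boot signature")
    return problems


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR used by the constructed 'encrypted' sample."""
    return bytes(b ^ key for b in data)


# --- constructed samples --------------------------------------------------
_header = b"\xEB\x34\x90\x00(c) Brain\x00"
BRAIN_LIKE_SECTOR = _header + b"\x00" * (510 - len(_header)) + b"\x55\xAA"
CLEAN_COM = b"\xB8\x00\x4C\xCD\x21" + b"\x00" * 27           # mov ax,4C00h / int 21h
INFECTED_COM = b"\xB8\x12\x34\xCD\x21\xEB\xFE" + CLEAN_COM   # prepended code that matches
XOR_KEY = 0x5A
DECRYPTOR_STUB = b"\xBE\x08\x01\xB9\x07\x00\x80\x34\x5A\x46\xE2\xFA"  # constructed loop
ENCRYPTED_COM = DECRYPTOR_STUB + xor_bytes(INFECTED_COM, XOR_KEY)


def decrypt_sample(data: bytes) -> bytes:
    """Undo the constructed encryption: drop the stub, XOR the rest."""
    return xor_bytes(data[len(DECRYPTOR_STUB):], XOR_KEY)


if __name__ == "__main__":
    samples = [("boot sector", BRAIN_LIKE_SECTOR), ("clean .COM", CLEAN_COM),
               ("infected .COM", INFECTED_COM), ("encrypted .COM", ENCRYPTED_COM),
               ("decrypted .COM", decrypt_sample(ENCRYPTED_COM))]
    for label, blob in samples:
        print(f"{label:15} -> {scan(blob) or 'no signature found'}")
    print("boot sector checks:", boot_sector_checks(BRAIN_LIKE_SECTOR) or "ok")
```

Because the encrypted sample yields no hit, a real scanner would add a second entry for the decryptor stub; that is the "frequent updates" cost described above, paid once per new strain.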

 

Probably the most popular virus detection software is the program VIRUSCAN, which can be downloaded from John McAfee's bulletin board.  The latest version, 6.9V75, is reported to identify 480 different MS-DOS viruses and their strains.

 

SCAN contains a self-check which tests for modifications to VIRUSCAN when it is first loaded.  This is an important feature since at least one version of VIRUSCAN, version 65, has been distributed with a Trojan horse embedded in it.  VIRUSCAN includes an option that deletes infected files.  If the infection is widespread, the user is directed to use the disinfector utilities that accompany VIRUSCAN.

 

There are many programs for eliminating computer viruses once they are discovered.  A companion program for VIRUSCAN is a program called CLEAN-UP or CLEAN.  This program will remove most of the different types of viruses once they are identified.  Other programs from McAfee's bulletin board, including MDISK, will remove many viruses that CLEAN will not remove.

 

Infection prevention programs work by monitoring the computer system for attempted "illegal" activities.  These activities may include attempts to rewrite program files or .BAT files.  These programs also monitor for programs that Terminate and Stay Resident (TSR).  Since most viruses will first place themselves in the computer's RAM, this can be identified by the infection prevention program.  Some infection prevention programs are VIRUSHIELD and FLUSHOT+.

 

7  PROCEDURES FOR VIRUS REMOVAL

 

If an infection is detected, follow the procedures listed below:

    1.  DON'T PANIC.  First, decide how extensive the infection is.  If the infection has only attacked the floppy disks, skip steps 2 through 11.

If possible, use a program like CLEAN-UP to remove the virus.  Most viruses can be removed with CLEAN-UP or a similar virus removal program.  In very serious infections, you may need to follow the procedures outlined below:

    2.  Shut off the infected computer system.

    3.  Power up the system with the original write-protected system diskette.

    4.  Make sure that the system has booted properly.

    5.  Back up all the nonexecutable data files from all directories onto newly formatted diskettes or do a tape backup.  (If backing up to another hard disk, make sure that the hard disk has not also been infected.)  DO NOT EXECUTE OR BACK UP ANY OF THE PROGRAMS FROM THE INFECTED HARD DISK!!!

    6.  Check each batch file on the infected hard disk.  If any of the lines within the batch file look suspicious, do not back up that file.  Otherwise back up all the batch files.

    7.  Do a low-level format of the infected hard disk.

    8.  Install the operating system onto the hard disk.

    9.  Rebuild all directories.

   10.  Install all the executable programs from the original write-protected distribution disks.

   11.  Restore all the files that had been backed up in steps 5 and 6.

   12.  Gather all the diskettes that have been used with the computer system during the past six months.  It is difficult to tell when the original infection occurred.  Either check each disk for viruses and remove the viruses, or follow the following steps.

   13.  Back up all the nonexecutable data files from the suspect disks onto newly formatted diskettes.

   14.  Reformat the suspect diskettes.

       

If the virus is a boot sector infector, then the recovery process is simpler.  Boot infector viruses do not infect executable programs.  This means that the infection is isolated in the boot sector (or partition sector) of the infected disk and in the sectors the virus marked bad.  To recover from this type of infection proceed with the following steps:

    1.  Shut off the infected computer system.

    2.  Power up the system with the original write-protected system diskette.

    3.  Make sure that the system has booted properly.

    4.  Replace the operating system and the boot sector of the infected disk or run an antivirus program like CLEAN.

    (NOTE:  A copy of the virus may remain intact in the sectors the virus marked bad, but without its boot sector entry point these virus segments are not active.)

 

8  OTHER SOLUTIONS

 

In computing environments suffering serious infections, other more  stringent measures might be taken.   These may include write-protecting the hard disk  using a hardware switch.  You may also want to install a Virus Buster anti-virus card.  This is  effective in  preventing viruses including  boot sector viruses from infecting the computer.  A similar solution would be to install anti-virus protection  in the BIOS.   All these solutions are very effective but also  very expensive and are usually not necessary.

 

9  CONCLUSION

 

Computer viruses  are a serious problem  today.   They can destroy  our data and slow down our computer systems.   There are however effective methods for combatting viruses.   Chief among these  are the safe computing methods outlined earlier.  It is important  that we become educated about the dangers of computer viruses  and we learn how to identify and eliminate them.  It is equally important that as educators, we teach our students  about the  dangers of  computer viruses  and the importance of practicing safe computing.

 

10  REFERENCES

 

Fites, Phillip, Johnston, Peter, and Kratz, Martin.  The Computer Virus Crisis.  Van Nostrand Reinhold, New York, New York, 1989.

Fites, Phillip, and Kratz, Martin.  Control and Security of Computer Information Systems.  Computer Science Press, 1989.

Greenberg, Ross.  "Know thy Viral Enemy", Byte, June 1989, pp. 275-280.

Greenberg, Ross.  "Flu_Shot+, Version 1.5 Documentation", 1988.

Hoffman, Patricia.  "VSUM Documentation", downloaded from McAfee Associates BBS, Nov. 1990.

Hruska, Dr. Jan.  "Anti-virus Products--Some questions answered", Computer Fraud & Security Bulletin, Jan 1989, pp. 7-90.

Lundell, Allan.  VIRUS! the Secret World of Computer Invaders That Breed and Destroy.  Contemporary Books, Chicago, 1989.

McAfee, John and Colin Haynes.  Computer Viruses, Worms, Data Diddlers, Killer Programs, and Other Threats to Your System.  St. Martin's Press, New York, 1989.

McAfee, John.  "The Virus Cure", Datamation, Feb. 15, 1989, pp. 29-40.

McAfee, John.  "Viruscan Version 6.7 and Mdisk Documentation", Nov. 1990.

New Straits Times.  "Where did rogue program come from", April 12, 1990, p. 17.

New Straits Times.  "Beware of virus threat", Feb. 9, 1989, p. 7.

New Straits Times.  "The Marijuana virus behind attack", Mar. 22, 1990, p. 1.

Rubenking, Neil J.  "Infection Protection", PC Magazine, April 25, 1989, pp. 193-228.

Summers, W. C., Zaidah Ibrahim & Naimah Mohd. Hussin (1991).  COMPUTER VIRUSES - What They Are and How to Prevent Them?  Federal Publications, Penang, Malaysia.

Zaidah Ibrahim & Summers, W. C. (1989).  Computer Virus, What are they and how do we combat them?  Proceedings of '89 EDUCOMP, pp. 237-249.