Dr. Wayne Summers & Naimah Bte Mohd.
Hussin...EDUCOMP '91
COMPUTER VIRUSES AND PRACTICING SAFE
COMPUTING
Dr. Wayne Summers & Naimah Bte Mohd. Hussin
ITM/MUCIA - PUSAT PENGAJIAN PERSEDIAAN
SECTION 17, 40000 SHAH ALAM
SELANGOR DARUL EHSAN.
ABSTRACT
Computer viruses are a major problem. Today there are over 500 different strains
of viruses which attack the
IBM PC compatible
computers. These viruses can be
broken down into three different classifications: boot sector infectors, system
infectors and
application program infectors. The rate at
which these viruses can spread
is astounding. The impact on computer
users everywhere is dramatic as computer viruses have resulted in hundreds of thousands of dollars of losses.
Whenever computer resources are shared, there is the risk of infection
by a computer virus. The spread of computer virus
infections can be
stopped through the practice of "safe computing." Most importantly, computer users need to know about computer viruses and how they
spread. By practicing the "safe
computing"
guidelines, a computer user can avoid infection by computer viruses. Most of these guidelines are common sense rules that
many computer users choose to ignore. In
addition there is a variety of software available to combat computer
viruses. These include virus prevention programs, programs to diagnose and
identify computer viruses and
programs to remove viruses. Although computer viruses are a major
problem to computer users, there are methods to prevent the spread of these
viruses.
INTRODUCTION
Today
there are over 230 known viruses including around 500 different strains
which attack the IBM PC
compatible computers. The rate
at which these viruses
can spread is astounding.
The impact
on computer users everywhere is dramatic as computer viruses have resulted in hundreds of thousands of dollars of losses. Whenever computer resources are shared, there is the risk of infection by a computer virus. This is especially a problem at
schools and universities. Students are a mobile population and often carry disks between school and home. They often share their programs with their friends and
peers. Students are also not often aware
of the dangers and
illegality of using pirated
software. When they are aware of this, they often ignore
it
because of the cost
of purchasing legal
software. An additional problem is that many of our
school and university labs are open and unrestricted. There is little security and few precautions
taken to prevent a student from accidentally introducing a computer
virus into a computer system.
2
DEFINITIONS
What are computer viruses? The term Computer Virus was first used by Fred Cohen in 1984. The concept of a
program spreading and taking over
other computer systems was first
described in a science-fiction book, �Adolescence of P-1� by T. J.
Ryan. A computer virus is a small program that
attaches
itself to another program and
attacks other software by making copies of itself.
Similar to a computer virus is a Worm. A worm is a program (usually
stand-alone) that worms its way through either the computer's memory or a
disk and alters data that it accesses. It is different from a computer virus since it does
not require a host.
Many computer viruses are introduced to a computer system
as a Trojan horse. A Trojan horse is a program which attaches
itself to a seemingly innocent program.
Trojan horses do not necessarily replicate.
Most computer viruses do not do damage immediately. If they did, it would be easy to identify the virus
and prevent its further spread. Many computer viruses exhibit the characteristics of a Logic or Time bomb. A logic or time bomb is a program that is activated or
triggered after or during a certain event.
This may be
after several executions or on a certain day like Friday the 13th.
TYPES OF VIRUSES
Viruses
can be broken
down into three
different classifications. These
are boot sector
infectors, system infectors, and
application program infectors.
A Boot sector infector hides in the boot sector of a disk
and takes over control of the computer system when it is booted. It then copies
itself into the
computer's memory. When
other disks are used,
the virus transfers to their boot
sectors. The most common boot sector viruses
are the Pakistani Brain virus and the Stoned/Marijuana virus.
A
system infector attaches to one or more operating system modules or system device drivers, usually COMMAND.COM. The virus takes control after the initial use of the infected program. An example of a system infector virus is the
Lehigh virus that infects the COMMAND.COM program.
The
most infectious type
of computer viruses is the
application program infector. They attach to all .COM and .EXE files.
An application program infector takes control after the initial use of
the infected program. Once the virus is in place in the RAM of the computer system,
it will potentially infect every program run on the computer until the
computer is shut off. The most
widespread virus today is the Jerusalem
virus.
4 EXAMPLES OF VIRUSES
The Pakistani Brain virus is a
boot sector virus that transfers
the current boot sector to an unused
portion of the disk and marks that portion of the disk as bad sectors. The virus then copies the remainder of the virus to an unused portion of the
disk and marks that portion as bad
sectors also. The Brain virus
then periodically marks other portions of the disk as bad sectors making files
and eventually the disk unusable.
Early versions displayed a volume label (c) Brain. All versions have the name of the program,
the authors and often their
address in the boot sector of the
infected
disk. This virus was the first virus known to spread worldwide and has spawned numerous strains of similar
viruses including the Ashar or Ashar-Shoe virus,
which is very widespread in Malaysia. The origin of the Ashar virus is unknown but it
has some characteristics which point
to a possible Malaysian origin.
The
Stoned-Marijuana virus is also a boot sector virus.
It infects the
boot sector of floppy disks and
the File Allocation Table (FAT)
of hard disk systems. On most systems it will only periodically display a message "Your PC
is Stoned. Legalise
Marijuana." However on hard disk systems with more
than one partition and on floppy disks
that have been formatted high density,
it will damage the
file allocation table. This makes access to
the files nearly impossible. The original strain of this virus was written
in New Zealand.
The Lehigh virus infects the COMMAND.COM file. After it has infected a system four or ten times, it overwrites the boot sector and FAT with zeros
in the first thirty-two sectors of the
disk. This virus is easily detected by
looking at the
size and creation date of the COMMAND.COM file.
The most widespread virus is the Jerusalem
virus. It is also known as the
Israeli and Friday 13th virus
and includes several strains including
the Jerusalem-B virus. The Jerusalem
virus infects both
.COM and .EXE files. This virus will survive a warm boot. After
the virus is resident for 1/2 hour, it slows the system down by a factor of
ten. On Friday the 13th, it will delete
all infected files. Besides the damage
it inflicts, the
Jerusalem-B virus also periodically displays a "black window" in the
middle of the screen.
An interesting virus is the Cascade virus, also known as the Falling
Letters or 1701 virus. It originally appeared as a Trojan Horse
disguised as a program to turn off the Num-Lock light. Instead it caused all the characters on the
screen to fall into a pile at the bottom of the screen. It now occurs
as a memory resident .COM
virus. The Cascade virus uses an
encryption algorithm to avoid
detection. It is activated
on any machine
with a color monitor in September-December in the years 1980 and 1988.
One scary development is the increase in number
of Stealth viruses. These include
viruses 4096, Century, FroDo, Fish, Whaleand the 100 Years virus. These viruses infect .COM,
.EXE and .OVL files. They get the name
�stealth� because of
their ability to avoid detection.
They typically hide the increase
in length of the infected file and usually reset the creation
date of the infected files. They can survive a warm boot.
Stealth viruses
are usually encrypted to avoid detection by many virus
identification programs and may use
self-modifying encryption algorithms.
Some stealth
viruses can also bypass
programs which write-protect
hard disks. The FroDo virus crosslinks files on the system disk by manipulating the FATs. It also hangs
infected systems on or
after Sept. 22 of any year.
5
SAFE COMPUTING
The spread of computer virus infections can be stopped
through
the practice of "safe
computing." The following are a
list of
do's and don't's
for safe computing.
1. Don't use illegal software! If the software has been
obtained illegally,
how can you assume that it
doesn't contain a virus.
2. Never boot your computer system from a
diskette other
than the original DOS diskette. Only one write-
protected boot disk should be assigned to a floppy-
based system. The
diskette should be clearly marked,
write-protected and
used only for booting up the
designated computer.
If you accidentally try to boot
from a non-system
disk, turn the computer off and
boot with the write-protected system disk.
3. If your system uses a fixed disk, never boot
from a
diskette. In some
situations, write protection
software for the hard disk should be employed.
4. Always write-protect your systems and program
disks.
Write-protect tabs are easy to use and very effective.
You should
write only on data disks.
5. Only copy files from the original
distribution disks.
6. Always keep at least one set of back-up
copies of all
original disks. (This won't prevent a virus infection,
but it will help in the recovery process if an
infection occurs.)
7. Do not loan out program disks. They may be infected
when they are returned.
If you must loan a
disk,
always check it for viruses or format it before using
the disk on your computer system.
8. Never use a computer that has already been
turned on
by another user.
Always use a cold boot to restart
the computer. Do not assume that a warm boot will
remove a virus.
9. Make all the .COM and .EXE system and program
files
read only by using the command ATTRIB+R.
10. Always keep a lookout for strange
occurrences:
a. When you
do a directory listing,
look at the
volume label.
b. Observe
whether your computer system is slowing down.
c. Watch
for files that disappear.
d. Notice
when there are attempts to access the disks
when there should not be any read or write activity.
e. Watch
whether the loading of programs takes longer.
f. Keep a lookout for decreases in the
main memory or
reduction of disk space.
g. Watch
for unusually large sizes on program files.
h. Watch
for recent creation dates on
old program
files.
i. Watch for unusual displays on the computer screen.
11. Use caution when using public domain and
shareware
software or any new software. There have been instances
where commercial software has been sold with a virus.
12. If you are downloading software from a
bulletin board
or other computer network, always download to a
diskette. You should
then scan the diskette for
possible virus infections.
(You may want to write-
protect your hard disk during this operation.)
13. In a lab environment, do not allow students
to run
their own programs or boot the computer system with
their own disks.
Students should only have data disks
that are not bootable.
All program disks and hard
disks in a lab must be checked frequently for viruses.
If students are allowed to use their own
program
disks, they must be scanned before they are used in
the computer lab.
14. Most important of all is to teach our
students about
computer viruses so that they can recognize them.
Students
need to be able to identify viruses so that
they will be able to prevent their spread.
6
ANTI-VIRUS SOFTWARE
In addition to the precautions listed above, there
is a variety of software available to combat computer viruses.
Most of this
software can be grouped into three
different categories: infection detection and identification, infection elimination and infection
prevention.
Infection detection software products detect the presence
of an infection soon after it has happened.
They often identify the location of the infection. Many infection detection programs identify generic infections instead of individual viruses. They do this by looking for changes in the
system
made by the virus. The detection
of viruses acts in one of two ways: by
taking a snapshot of the system and by vaccinating the system. The snapshot technique is the more effective
form of protection.
One example of a snapshot program is the VALIDATE program
that is distributed by
McAfee Associates through
their bulletin board system. VALIDATE is
a file authentication program which uses two methods to generate CRC check
numbers. These numbers along with the size of the
file and its creation date are
displayed. These values can then be compared with
validation data provided by the author of the software. The Computer Virus Industry Association
(CVIA) maintains a bulletin board in the
U.S. at 1-(408)
988 4008 that lists the validation data for many shareware programs.
Another anti-virus program FluShot+, contains some
snapshot features. FluShot+ is a shareware
program and is a real bargain. Each time FluShot+ is executed, it
compares the checksums for the files
COMMAND.COM, IBMBIO.COM, IBMBIO.DOS, and
any other files specified by the user. These checksums are
compared with values that the user places in a data file used by FluShot+.
A second method for detecting a virus infection is with vaccine programs. Vaccination works by changing the computer
system's programs to include a self-test mechanism inside the vaccinated program. This test mechanism executes each time the program
is executed and checks to see if any changes have
occurred since the last time the
program was executed. If the program has
changed, then
the user is notified that a virus attack
has probably occurred.
The infection identification type of software
product identifies the
specific type and strain of virus
that has already infected
the computer system.
Infection identification software will often include the capability for removing the
virus. These products look for specific signatures left by viruses. These signatures may include virus labels or copyright
flags like the (c) Brain message or may be unique segments of the viral
code. These products may look for particular
changes to the computer system or even
specific file names.
Whenever a virus is found, the user is notified of
the location of the virus and the identity of the virus. There is one major drawback to
this type of anti-virus software. The
designer must have
a working sample of each virus and then
design and implement code to identify
each virus. This is a very time-consuming process and
requires frequent updates to account for the new viruses and substrains that are constantly emerging.
Probably the most popular virus detection software is the program VIRUSCAN that can be downloaded from John McAffee's Bulletin Board.
The latest version 6.9V75 is
reported to identify 480 different MS-DOS viruses and their strains.
SCAN contains a self check which tests for modifications to VIRUSCAN when it
is first loaded. This is an important feature since, at least one version
of VIRUSCAN, version 65, has been
distributed with a Trojan horse
imbedded in it. VIRUSCAN includes an option that removes
infected files. If the infection is
widespread, the user
is directed to use a disinfector
utilities that accompany VIRUSCAN.
There are many programs for eliminating computer viruses
once they are
discovered. A companion program for VIRUSCAN is a
program called CLEAN-UP or CLEAN. This
program will remove most
of the different
types of viruses once they
are identified. Other programs from McAffee's Bulletin
Board
including MDISK will remove many
viruses that CLEAN will not remove.
Infection prevention programs work by monitoring the
computer system for attempted "illegal" activities. These activities may including
attempts to rewrite program files or .BAT files. These programs also monitor for programs that
Terminate and Stay Resident (TSR). Since most viruses will first place
themselves in the computer's
RAM, this can be identified by the infection prevention program. Some infection prevention programs are
VIRUSHIELD and FLUSHOT+.
7
PROCEDURES FOR VIRUS REMOVAL
If an infection is detected, follow the procedures listed
below:
1. DON'T PANIC.
First, decide
how extensive the
infection is. If the
infection has only attacked the
floppy disks, skip steps 2 through 11.
If possible use a program like CLEAN-UP to remove
the virus. Most viruses can be removed with CLEAN-UP
or a similar virus removal program. In
very serious infections, you may need to follow the procedures outlined below:
2. Shut off the infected computer system.
3. Power up the system with the original write-protected
system diskette.
4. Make sure that the system has booted
properly.
5. Backup all the nonexecutable
data files from
all
directories onto
newly formatted diskettes or do a
tape backup. (If backing up to another hard disk, make
sure that the hard disk has not also been infected).
DO NOT
EXECUTE OR BACKUP ANY OF THE PROGRAMS FROM
THE
INFECTED HARD DISK!!!
6. Check each batch files on the infected hard
disk. If
any of the lines within
the batch file look
suspicious, do not
back up that file. Otherwise
backup all the batch files.
7. Do a low-level format of the infected hard
disk.
8. Install the operating system onto the hard
disk.
9. Rebuild all directories.
10. Install all the executable programs from
the
original write-protected distribution disks.
11. Restore all the files that had been backed up
in steps 5 and 6.
12. Gather all the diskettes that have been used
with the
computer system
during the past six months. It is
difficult to tell when the original infection
occurred. Either check each disk for viruses and
remove the viruses or follow the following steps.
13. Backup all the nonexecutable
data files from the
suspect disks onto newly formatted diskettes.
14. Reformat the suspect diskettes.
If
the virus is a boot sector infector, then the
recovery process is simpler. The
boot infector viruses do not infect executable programs. This means that the infection
is isolated in the boot system on the infected disk. To recover from this type of infection
proceed with the following steps:
1. Shut off the infected computer system.
2. Power up the system with the original write-protected
system diskette.
3. Make sure that the system has booted
properly.
4. Replace the operating system and the boot
sector of
the infected disk or run an antivirus program like CLEAN.
(NOTE: The virus may remain intact in the bad sectors
created by the virus in the data files, but these
virus segments are not active).
8
OTHER SOLUTIONS
In computing environments suffering serious infections,
other more stringent
measures might be taken. These may
include write-protecting the hard disk using a hardware switch. You may also want to install a Virus Buster
anti-virus card. This is effective in preventing viruses including boot sector viruses from infecting the
computer. A similar solution would be to
install anti-virus protection
in the BIOS. All these
solutions are very effective but also very expensive and are usually not
necessary.
9
CONCLUSION
Computer viruses are a serious problem today.
They can destroy
our data and slow down our computer systems. There are however effective methods for combatting viruses.
Chief among these
are the safe computing methods outlined earlier. It is important that we become educated about the
dangers of computer viruses and we learn
how to identify and eliminate them. It
is equally important that as educators, we teach our students about the dangers of
computer viruses and the
importance of practicing safe computing.
10
REFERENCES
Fites, Phillip, Johnston,
Peter, and Kratz, Martin The
Computer
Virus Crisis Van Nostrand
Reinhold, New York, New York,
1989.
Fites, Phillip, and Kratz, Martin Control and Security of
Computer Information Systems Computer
Science Press, 1989.
Greenberg, Ross "Know thy Viral Enemy",
�Byte�, June 1989, pp. 275-
280.
Greenberg, Ross "Flu_Shot+, Version 1.5 Documentation" 1988.
Hoffman, Patricia, "VSUM Documentation"
downloaded from McAffee
Associates BBS, Nov. 1990.
Hruska, Dr. Jan "Anti-virus
Products--Some questions answered",
�Computer Fraud & Security Bulletin�, Jan
1989, pp. 7-90.
Lundell, Allan VIRUS! the Secret World of Computer Invaders That
Breed and Destroy, Contemporary Books, Chicago,
1989.
McAfee, John and Colin Haynes Computer Viruses, Worms,
Data
Diddlers, Killer Programs, and Other Threats to Your System, St.
Martin's Press, New York,
1989.
McAfee, John "The Virus Cure"
�Datamation�, Feb. 15, 1989 pp. 29-40.
McAfee, John "Viruscan
Version 6.7 and Mdisk Documentation", Nov.
1990.
�New Straits Times�, "Where did rogue program come
from", April
12, 1990, p. 17.
�New Straits Times�, "Beware of virus threat", Feb. 9, 1989, p. 7.
�New Straits Times�, "the Marijuana virus behind
attack", Mar. 22,
1990, p. 1.
Rubenking, Neil J.
"Infection Protection", PC Magazine, April 25,
1989, pp. 193-228.
Summers, W. C., Zaidah
Ibrahim & Naimah Mohd. Hussin (1991).
COMPUTER VIRUSES - What They Are and How to Prevent
Them?,
Federal Publications, Penang, Malaysia.
Zaidah Ibrahim & Summers, W. C. (1989).
Computer Virus, What are
they and how do we combat them? Proceedings
of '89 EDUCOMP, (pp.
237-249).