Viruses and Other Unwelcome Artificial Life

Includes sidebar: Antivirus Programs

One of the simplest forms of life on the planet is the virus. Its only talents are finding hosts (all too often us) and reproducing itself. Sometimes, they damage their host, and sometimes not. There has been talk of using viruses in biological warfare.

Then, there's the computer virus, so named because it has the same characteristics I just described for its biological counterpart, except the host is a computer. Computer viruses aren't the only kind of malignant programs. Normally, they are classified into one of these categories: Trojan horses, viruses, and worms.

TROJAN HORSES

Trojans are programs that are not what they appear, named for the famed wooden horse of Troy. A Trojan horse may look like a game or handy utility, when it's really a malignant program that trashes your system.

For example, PKZIP is a shareware utility used by many of us to compress files so they take up less disk space and modem faster. For quite some time, the latest revision of PKZIP was 2.0g. One day, a new version, called PKZIP 3.0, began circulating. But it wasn't really PKZIP. Any unsuspecting person who ran the installation program got their hard disk reformatted.

What can you do about Trojan horses?

1. Only get programs directly from the author. Anyone who took the trouble to check www.pkware.com would have discovered that there was no 3.0 version (the latest today is 2.5).
2. Always make sure you have a good backup before installing a new program.
3. See if anyone you know has used it before you load it for the first time.

There are antivirus programs on the market that can help to protect you against viruses and worms (more about them later), but the only thing that can save you from Trojan horses is your own common sense.

VIRUSES

A virus is a self-replicating program that attaches itself to other programs. Every time a host program runs, the virus spreads into other programs. Viruses have three main parts: infectors, triggers, and payloads. Understanding these parts will help you to avoid virus problems, and to deal with them calmly and rationally if you get one.

Payloads are the nasty part of the virus. They can be relatively benign (flash a cute message on your screen on April Fools' Day) or extremely vicious (trash your hard disk). A particularly ugly example is in the recent CIH virus (a.k.a. Chernobyl). It is the first common virus to actually damage computer hardware. The fact that it also reformats your hard disk simply adds insult to injury.

When you turn on your computer, a program called the BIOS runs. It is stored on a chip inside the computer, which is cleverly called the BIOS chip. It then looks for a bootable hard disk, and loads your operating system's "bootstrap" program, which starts up the computer. BIOS chips used to be ROMs (Read-Only Memories), which meant that they could never be changed. Nowadays, most computer manufacturers use flash memories for BIOS chips. These are memory chips that can be changed, so you can load BIOS upgrades, but it takes a special procedure. CIH looks for systems with flash memory BIOS chips, and trashes the data on the chip, so your computer can no longer start up. The only way to fix it is to have a technician remove the chip and replace it. In many cases, it's cheaper just to replace the computer.

Triggers determine when the virus will launch the payload. Viruses may trigger on a certain date (CIH "went off" on April 26), after they have reproduced a certain number of times, when your disk gets full, or when some random number comes up. Many viruses are named for their trigger, like the famous Michelangelo virus (some versions of the virus spell it "Michaelangelo"), which triggers every year on Michelangelo's birthday, or the "Friday the 13th" virus.

There are even viruses that are triggered by the installation of certain antivirus software. Don't worry, though. The odds that you have one of those are slim at best.

Infectors let viruses replicate. They are usually very specialized, and can only pass themselves on in one simple way, which is why most viruses never spread far enough to be found "in the wild." Viruses are often classified by the type of infector they use.

• Boot sector viruses reside in the part of a disk that lets your operating system start up. They spread to every disk you put in the computer. Most of the time, this means that the only way they can get into your computer is if you boot up from an infected floppy diskette.
  Solution: Never boot from a floppy diskette unless it's a verified clean startup disk that you made yourself.
  Note: If you don't have an emergency startup diskette, put down this magazine and go make one right now. In Windows 95/98, Select "Add/Remove Programs" from the Control Panel, and go to the "Startup Disk" tab.
• Parasitic viruses attach themselves to other programs. Whenever you run an infected program, it searches for other programs to infect. When people share utilities and games, they can easily pass viruses along with them. Parasitic viruses can spread using diskettes, email, and downloads from the Internet.
  Solutions: Don't run programs from unknown sources, always run a virus scanner on new programs you get, and don't run a program attached to an email unless you're absolutely certain it's clean.
• Macro viruses , like the infamous Melissa, are the latest fad. Since a virus can only travel in a program, not in a data file, people always considered data files safe. What people di dn't realize is that the macros you can save in some kinds of documents (Microsoft Word, for example) can be sophisticated little programs in their own right.
  Solutions: Don't open documents attached to emails unless you specifically requested them, turn on macro virus protection (in MS-Word, it's under Options:General), and scan all incoming documents with a virus scanner.

The Melissa virus shows how sophisticated the reproduction of macro viruses can be. It takes advantage of the tight integration of Microsoft's products, specifically Word and Outlook (Microsoft's email program). Whenever you open a Microsoft Word document containing the Melissa virus, it copies itself to your main system macro file (so it will be attached to every document you edit from then on), copies itself to every document you have open, and looks for Microsoft Outlook on your computer. If it finds Outlook, then it sends email to the first 50 addresses in each address book you have. Each of those emails has an attached Word document infected with Melissa.

WORMS

Worms are self-replicating programs that don't live in other programs. Instead, they reside in a computer' s memory, and generally spread themselves over networks. The most famous was Robert Morris' Internet Worm, which took down over a tenth of the Internet in 1988. Worms are of little concern to court reporters and their home computers. Even agencies with networks connected to the Internet are likely to be safe, as worms are far more rare than viruses or Trojans.

VIRUS MYTHS AND HOAXES

There are more hoaxes than viruses. In fact, given how fast and far emailed hoax warnings can spread, the hoaxes waste more total time than most of the viruses do. If you get an email warning of some particularly nasty virus, and it tells you to immediately pass the warning on to everyone you know, don't. Check it out first.

The Computer Virus Myths home page (kumite.com/myths/) is loaded with good information, although it can be difficult for non-techies to read. The government has a great "hoaxbusters" section on the Computer Incident Advisory Capability site (hoaxbusters.ciac.org). Most antivirus companies maintain lists of hoaxes on their Web sites. The Virus Bulletin site (www.virusbtn.com) has good virus data and they evaluate antivirus programs. Even the various urban legend sites have lists of the more widespread hoaxes.

If you do feel compelled to pass on a virus warning, do your homework first, and make sure your email includes Web addresses of documented evidence of the authenticity of the virus.

VIRUSES: THE NEXT GENERATION

As the state of the art advances in software development, and operating systems become more sophisticated, viruses are getting more sophisticated as well.

Stealth viruses hide themselves from virus scanners. There are many stealth techniques, including actually modifying portions of the operating system and/or the virus scanner. Yes, antivirus programs are just programs, and they're not immune from viruses, either, although they take precautions to avoid or detect infection.

Polymorphic viruses actually change themselves to hide better from virus scanners. A scanner looks for a specific "signature" (a chunk of virus code present in anything it infects). Polymorphic viruses are able to mutate so that they look different in every host they infect. Sometimes this is done through encryption technology, using a different random key each time, and sometimes through actual mutation, where the code of the virus changes. There's a danger here of pseudo-Darwinian evolution, where the mutating virus creates tens of thousands of varieties, and "survival of the fittest" allows only the stealthiest to reproduce and mutate.

Hostile applets are Java programs that load in a Web page. Since Java applets are very limited in what they can do, they can't do the same kinds of damage as "real" viruses, and they qualify more as Trojan horses. New email programs from Microsoft and Netscape, however, are allowing HTML (World-Wide Web code) in email, which could allow Java applets to attack you in email. I recommend turning Java and JavaScript off in your email program.

SAFE COMPUTING

Most of the time, people quoted in the press about viruses don't really understand what the viruses do. Damage is grotesquely overestimated, and the viruses are sensationalized. Companies that write antivirus software want to scare you so you buy their software. My goal with this article is to let you know what viruses are so that you know their limits. They can be dealt with fairly easily.

If you keep good backups, stay aware, and check everything new with a virus scanner, you should be safe. I've been programming for 27 years, and I've never lost a byte of data to a virus. I've gotten infected files and disks, but the simple precautions in this article have been enough to prevent any damage. It will work for you, too.