Some More About Viruses

In the news it is always reported as a "virus" outbreak. Or someone will say they were "hit by a new virus", or that their computer was destroyed by the "I Love You" virus. They are not, in fact, speaking about viruses at all, except in a very general sense. When the average person speaks of a virus, they mean "some unauthorized piece of code was executed on my system". Technically, this definition is incorrect: a virus, strictly speaking, is code that copies itself into other programs or files and runs when its host runs. Most of what gets reported as a "virus" is actually a worm, a logic bomb, a Trojan horse, or some other type of invading software.

Some examples include:

Worm - A worm is a self-replicating program which spreads from machine to machine on its own, over email or the network, without needing to attach itself to a host file the way a true virus does. Some of the more common worms, such as "I Love You", use Outlook to send themselves to every email address listed in the contact list. Others include their own SMTP (Simple Mail Transfer Protocol) engine so that they can mail themselves to every address they can find in any file on the hard drive, without depending on the user's email client at all. Some worms, such as Nimda, install themselves on web servers (Microsoft IIS systems) and then scan the internet for other vulnerable machines. When such a machine is found, the worm penetrates it and installs itself automatically, with no user involvement.

Logic Bomb - This is a virus or piece of code (often planted by hostile employees) which waits for a trigger condition, typically a specific date in the future, before releasing its payload. For example, a malicious employee might leave some code embedded within the accounting package which causes it to delete all records a year later. These infections are very difficult to detect and even harder to eradicate: the code may have been added to the system years earlier, so the backups will contain it too, and even the "safe" source copies may have been compromised. Because nothing happens until the trigger fires, there is no malicious behaviour to observe in the meantime.

Trojan Horse - This type of malicious code is simply a virus or other dangerous program embedded within some desirable program; the user installs it willingly because of what it appears to be. For example, someone might post a very nice screen saver on their web site which includes code that deletes files, sends information to someone, or simply sits and waits for instructions from its controller (machines under such remote control are called zombies).

As you can see, these definitions overlap. It is possible to write a Trojan horse program which launches a worm, which then installs a logic bomb set to relaunch the whole process a month later. Open the email and nothing happens at all for a month, until the logic bomb triggers. Or a malicious programmer could leave a logic bomb behind after leaving a company, timed to go off a month later. This program could scan the corporate address book and send copies of itself to every person listed, as well as copying itself to every drive visible on the network. The payload of this worm could be a "cool graphic" which is actually an executable file disguised as an image and which, when opened, deletes every file on the disk.

There are several infection routes for viruses.

Files - Many viruses embed themselves within files. The file may contain nothing but the virus, or it may contain real data with the virus hidden inside. They may infect any type of file which is executed or which contains executable parts. These include .EXE and .COM files, as well as .SYS, .OVL, .PRG and .MNU files, and on modern Windows systems script files such as .VBS and .JS. When the program or code is loaded and executed, the virus triggers and the payload is activated. The "I Love You" virus is an example of this type: it arrived as an email attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, a Visual Basic script whose final .vbs extension Windows hides by default, so it looked like a harmless text file. Quite often these viruses are sent as attachments to an email message.

System or boot code - A few years ago, back in the days of MS-DOS and CP/M, this was one of the more common infection methods. A virus would write itself into the system area of a disk (the DOS boot sector on floppy disks or the Master Boot Record on hard disks), so that it ran whenever the machine was booted from that disk, before the operating system itself loaded. Once in memory it wrote itself to the boot sector of every floppy put in the drive. In the early days of computers, email was not the most common way of distributing information and files; floppy disks were. So it was very common to restart with a borrowed floppy still in the drive and then find your computer had been disabled by a virus. This is becoming less common now that email and the internet are used more and more to distribute information.
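A boot-sector infection changes the code in the first sector of the disk, which is why early anti-virus tools kept a known-good copy of the MBR and compared it at every boot. The script below is added here as an example and is not code from the original page: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code against a baseline recorded while the disk was clean, and reports anything that changed. The sample sectors and the baseline hash are constructed for the example, not taken from a real disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot loader code (what a boot-sector virus replaces)
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511: BIOS boot signature
# One partition entry: status, CHS start (3 bytes, skipped), type,
# CHS end (3 bytes, skipped), LBA of first sector, sector count (little-endian).
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, in-use partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0x00 marks an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": n_sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIG}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may legitimately change."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: not a valid MBR")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline: possible boot-sector infection")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    return findings


def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector for the example (constructed data, not from a real disk)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, n_sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, n_sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed clean sector: a few plausible opening bytes padded with NOPs,
# and one active FAT32 partition starting at sector 63.
CLEAN_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 438,
                     [(0x80, 0x0C, 63, 4194241)])
BASELINE = boot_code_hash(CLEAN_MBR)   # recorded while the disk is known clean

# Constructed "infected" sector: same partition table and signature, but the
# first bytes of boot code now jump elsewhere, standing in for a virus loader.
INFECTED_MBR = bytes(b"\xe9\x00\x01" + CLEAN_MBR[3:])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or ["OK"])
```

On a real system the sector to feed into `check_mbr` is the first 512 bytes of the disk device (on Linux, reading `/dev/sda` as root); record the baseline right after installation and re-check it at boot, the same way the old DOS-era tools did.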

Macros - In order to make their products competitive and extremely flexible, many vendors have added the capability to automate certain functions. This is called scripting, and it is a feature of many word processors, spreadsheets and other applications. Unfortunately, Microsoft decided to let complex scripts execute from within an email message in their email clients (Outlook and Outlook Express): HTML mail was rendered with the same engine as Internet Explorer, so a script embedded in a message could run when the message was merely previewed, and a script attachment ran with a double-click. This decision, while it seemed to add benefit for many of their customers, more or less eliminated any semblance of security from the programs and resulted in a huge plague of easy-to-write and exceptionally damaging virus attacks. Later versions of this software have tightened security greatly (scripts in messages are disabled and executable attachments are blocked outright), and with proper installation these types of attack can be greatly reduced.

Other macro viruses can come embedded within Word and Excel documents, PowerPoint presentations and just about any other document format which supports scripting. Such a macro runs as soon as the document is opened if it is attached to one of the application's automatic entry points (AutoOpen in Word, Auto_Open in Excel, and so on), which is how the Melissa virus of 1999 mailed itself to the contacts of everyone who opened it. Since Microsoft has tended to allow scripting within virtually their entire product line (a great feature to mention in promotional materials), the possibility exists of receiving an infection from anything with their logo printed on it.
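Macro viruses depend on the application's auto-execute entry points, so a useful first check on any document's VBA source is whether it defines one of those procedures and whether that procedure touches the mail client, the file system or the VBA project itself. The heuristic scanner below is an added example, not code from the original page. It assumes the VBA source text has already been extracted from the document (for instance with a tool such as olevba); the two macro listings are constructed for the example, and the indicator list is an assumed starting set, not an exhaustive signature database.

```python
import re

# Procedure names Word and Excel run automatically when a document or workbook
# is opened, closed or created: the hook every macro virus needs.
AUTOEXEC_PROCS = {
    "autoexec", "autoopen", "autoclose", "autoexit", "autonew",
    "auto_open", "auto_close", "document_open", "document_close",
    "document_new", "workbook_open", "workbook_beforeclose",
}

# Behaviour worth flagging inside a macro, as (regex, description).
# Assumed starting set for the example.
INDICATORS = [
    (r'createobject\s*\(\s*"outlook\.application"', "automates Outlook (mass-mail propagation)"),
    (r"\.addresslists\b|\.addressentries\b", "reads the address book"),
    (r'\bshell\s*\(|"wscript\.shell"', "launches an external command"),
    (r'\bkill\b|"scripting\.filesystemobject"', "deletes or rewrites files"),
    (r"\.vbproject\b|\.codemodule\b", "writes to a VBA project (self-replication)"),
]

# A procedure header: optional Private/Public, then Sub or Function and the name.
PROC_RE = re.compile(r"^\s*(?:private\s+|public\s+)?(?:sub|function)\s+([a-z_]\w*)",
                     re.IGNORECASE | re.MULTILINE)


def scan_vba(source: str) -> dict:
    """Heuristic triage of one VBA module; returns the evidence and a verdict."""
    procedures = PROC_RE.findall(source)
    autoexec = [p for p in procedures if p.lower() in AUTOEXEC_PROCS]
    indicators = [desc for pat, desc in INDICATORS
                  if re.search(pat, source, re.IGNORECASE)]
    if autoexec and indicators:
        verdict = "suspicious"   # runs by itself and does something a document should not
    elif autoexec or indicators:
        verdict = "review"       # only half of the pattern; a human should look
    else:
        verdict = "clean"
    return {"procedures": procedures, "autoexec": autoexec,
            "indicators": indicators, "verdict": verdict}


# Constructed sample macros for the example.
BENIGN_MACRO = """
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
"""

MAILER_MACRO = """
Private Sub Document_Open()
    Set ol = CreateObject("Outlook.Application")
    Set ns = ol.GetNameSpace("MAPI")
    For Each entry In ns.AddressLists(1).AddressEntries
        Set msg = ol.CreateItem(0)
        msg.To = entry.Address
        msg.Attachments.Add ActiveDocument.FullName
        msg.Send
    Next
End Sub
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("mailer", MAILER_MACRO)):
        print(label, scan_vba(src))
```

The verdict deliberately needs both halves before calling a module suspicious: a macro that merely opens automatically, or merely shells out from a button handler, is common in legitimate templates, while the combination is the signature of a self-mailing document.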

So how do you protect yourself against all of these (and many more) types of viruses waiting to damage or destroy your system?

  1. Purchase the most recent version of anti-virus software, and keep the definitions up-to-date. This is probably the most important decision you can make in regard to the safety of your system. My advice: spend the money, buy the best anti-virus product you can find, and update to the current version every single year.
  2. I'll repeat this: keep those definitions up-to-date. Make sure your anti-virus software downloads new definitions at least once per week.
  3. If you use Outlook 2000, be sure you have installed the Outlook Email Patch or Service Release 3. This will further protect you.
  4. Don't use Outlook Express before version 6 (which comes with Internet Explorer 6) to read email. Use either a patched version of Outlook 2000, Outlook XP, Outlook Express version 6 or later, or some other email product such as Eudora.
  5. Turn off the folder option "Hide extensions for known file types" in Windows Explorer. This is critical. Otherwise Windows hides the real extension from you: a file named "photo.jpg.exe" is shown as "photo.jpg", and you MUST be able to see the true file type before you open anything.
  6. Do not open executable attachments, regardless of who they came from. Note that rule #5 (above) must be followed for you to be able to tell which attachments are executable.
  7. Subscribe to the newsletter produced by your favorite anti-virus company.
  8. Don't listen to anyone who says you do not need anti-virus protection on your system. These people are uneducated fools.
  9. Beware of virus hoaxes which tell you to delete files on your system or to forward the warning to all of your friends. Almost without exception these are hoaxes: a real alert from your anti-virus vendor will not ask you to delete files by hand or to forward chain mail. Check the claim against your vendor's hoax list if in doubt, and otherwise just delete these emails immediately.
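Rules 5 and 6 both come down to seeing the real extension before deciding whether to open a file, and the file-infector section above shows why: the "I Love You" attachment was named LOVE-LETTER-FOR-YOU.TXT.vbs, and with extensions hidden Windows displayed it as LOVE-LETTER-FOR-YOU.TXT. The script below is an added example, not part of the original page. Given an attachment name, it shows what Explorer would display with the hiding option on and off, and applies the policy "executable types are blocked, macro-capable documents are warned about, everything else passes". The extension lists extend the six types named in the text with script and shortcut types and are an assumption for the example; the sample filenames other than the "I Love You" one are constructed.

```python
import os

# Types Windows will execute directly or hand to the script host. The first six
# are the types listed in the text; the rest are an assumed (not exhaustive)
# extension of that list for a mail policy.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".sys", ".ovl", ".prg", ".mnu",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".scr", ".pif", ".bat", ".cmd", ".lnk",
}
# Document types that can carry macros (see the macro section above).
MACRO_DOC_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Approximate what Windows Explorer shows. With 'Hide extensions for known
    file types' on, only the final extension is dropped, so 'a.txt.vbs' is shown
    as 'a.txt'; that single hidden extension is exactly what the disguise relies on."""
    if not hide_known:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def assess_attachment(filename: str) -> tuple:
    """Return (verdict, reason) for one attachment name: 'block', 'warn' or 'allow'."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext in EXECUTABLE_EXTS:
        inner = os.path.splitext(stem)[1].lower()
        if inner:
            return ("block", f"{ext} executable disguised as {inner}; "
                             f"Explorer would show it as {displayed_name(filename)!r}")
        return ("block", f"{ext} attachments are executable")
    if ext in MACRO_DOC_EXTS:
        return ("warn", f"{ext} documents can carry macros; open with macros disabled")
    return ("allow", "not an executable type")


def triage(filenames) -> dict:
    """Map each filename to its (verdict, reason)."""
    return {name: assess_attachment(name) for name in filenames}


# One real worm filename from the text plus constructed examples.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "holiday-photo.jpg.exe",
    "setup.exe",
    "budget.xls",
    "notes.txt",
    "README",
]

if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5}  shown as {displayed_name(name)!r:34} {reason}")
```

The check works on the last extension only because that is the one Windows honours when you double-click; whatever comes before it is just part of the name, which is why a visible extension list beats any amount of squinting at the icon.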

Additional Information