3TGKB-0041
Last Edited: 28-01-05
Revision: 1.0
Viruses, by Paul Eddington
Introduction
This document has been produced to answer some of the common questions that
are being asked in regards to viruses, worms and Trojans.
I hope that you find it useful and informative.
Paul Eddington
Ever-Vigilant Virus Hunter and Feared Nemesis of the Viral Author
What is a computer virus?
The following is the definition of a virus taken from the McAfee Internet site:
“Virus: A software program that attaches itself to another program in computer
memory or on a disk, and spreads from one program to another. Viruses may damage
data, cause the computer to crash, display messages, or lie dormant.”
So basically, a computer virus is a computer program that was written to cause
you grief. They are lines of code. That’s all.
They are not biological agents like the influenza virus.
You cannot give your computer a virus by sneezing on it.
Why do people write viruses?
Ever wondered why people write graffiti? I think that viral authors write
viruses for the same reason that graffiti artists write graffiti. Sometimes it
is because they enjoy the infamy. Sometimes it is because they intend to hurt a
particular person. Sometimes it is just to see if they can do it and get away
with it.
Why do most viruses target Microsoft?
Ever wondered why people never write graffiti on the bottom of the bus shelter?
Well, it’s a bit the same with viruses. The idea is for the virus writer to
attain the greatest amount of infamy available by being seen by the widest
audience. That means targeting the most popular operating systems and
application software. That means Microsoft. But make no mistake – there have
been viruses written that specifically targeted Linux, Solaris, HP UNIX, Mac OS,
Novell and Lotus to name a few. But the Microsoft ones are more common and
definitely hit the hardest. Therefore they stick in your mind more.
Are viruses the only types of nasty code out there?
No! In addition to viruses there are several other nasty types of computer
code. The two main other types are worms and Trojan horses.
Worm
A virus requires the receiver to run an executable in order to activate. Worms
need no such action, and are therefore much more dangerous. Typically they take
advantage of vulnerabilities within an application or operating system at the
network interface level. The SQL Slammer worm, for example, sent a packet on the
SQL port (TCP/UDP 1434) that exploited a known buffer overflow vulnerability.
Once infected, the machine would then start broadcasting out looking for other
vulnerable machines on TCP/UDP 1434.
The important thing to note about worms is that they do not require user
interaction (unlike viruses). Any computer connected to the Internet is a
potential target for worms simply by virtue of being switched on with a network
cable attached.
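The Slammer behaviour described above (an infected host fanning out to many other hosts on port 1434 with no user involved) is exactly what a network defender can look for. The following is an added example, not code from the original article: it parses a constructed, simplified firewall log (a format assumed for this example) and flags any source that contacts an unusually large number of distinct hosts on UDP 1434 within a short window.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed, simplified firewall-log format:
# "<epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
# 10.0.0.5 hits five distinct hosts on 1434 in two seconds (worm-like fan-out);
# 10.0.0.9 hits two, which looks like ordinary client traffic.
SAMPLE_LOG = """\
1000 UDP 10.0.0.5:1234 -> 10.0.1.1:1434
1000 UDP 10.0.0.5:1234 -> 10.0.1.2:1434
1001 UDP 10.0.0.5:1234 -> 10.0.1.3:1434
1001 UDP 10.0.0.5:1234 -> 10.0.1.4:1434
1002 UDP 10.0.0.5:1234 -> 10.0.1.5:1434
1002 UDP 10.0.0.9:4000 -> 10.0.1.1:1434
1003 TCP 10.0.0.7:5000 -> 10.0.1.1:80
1005 UDP 10.0.0.9:4000 -> 10.0.1.2:1434
"""

LINE_RE = re.compile(r"^(\d+) (TCP|UDP) ([0-9.]+):(\d+) -> ([0-9.]+):(\d+)$")


def parse_line(line):
    """Return (ts, proto, src, dst, dport) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, _sport, dst, dport = m.groups()
    return int(ts), proto, src, dst, int(dport)


def find_scanners(log_text, port=1434, window=5, threshold=4):
    """Map src_ip -> peak number of distinct targets, for every source that
    reaches `threshold` or more distinct hosts on `port` inside `window` seconds."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _proto, src, dst, dport = rec
        if dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()  # sliding window over time-ordered events
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```

Slammer's whole propagation took a single UDP packet per target, so the fan-out count, not payload inspection, is the practical signal here; tune `threshold` against what a legitimate SQL client on your network actually does.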
Trojan Horse
A Trojan Horse is a program that is pretending to be something other than what
it actually is.
For example, imagine a program that prints a screen that looks exactly like your
Windows logon screen. You come along and enter your logon name and password.
A message comes up on the screen saying “Unable to connect to domain controller,
please try again”. Meanwhile your logon name and password are now being emailed
to Denmark, and the real logon screen is fired up. You re-enter your logon name
and password and get in this time.
Two weeks later several confidential reports are sold to your business
competitor and all we know about it is that the reports were copied using your
username and password, and that there is a taunting message in your inbox from
someone called Oläf Břejoěrgansen.
Scary huh….
Do ALL these nasty programs do damage?
Thankfully, no. Some programs are just written as a bit of (annoying) fun.
Joke Programs
Some of you may have received an email with an attachment called CokeGift.exe.
If you ran the executable file you would have got a message asking you to please
accept a free cup-holder from Coke. The program then ejected your CD player
(there’s your cup holder)! This type of program is called a JOKE PROGRAM.
A Joke Program is not technically a virus, but may cause the user to freak out a
little bit because they don’t know what is going on. Some spiteful joke programs
produce a message claiming, for example, that they are now reformatting your hard
drive even though they are not.
Virus Hoaxes
Question: When is a virus not a virus? Answer: When it is a virus hoax.
Virus hoaxes are simply email messages. Normally these email messages warn of
some grave danger that will occur to you if you open a certain email or file
from the Internet.
Some famous hoaxes are: the cat-colonic hoax, AIDS hoax and the BUDDYLST.zip
hoax.
For a complete list of virus hoaxes you can visit http://vil.mcafee.com/hoax.asp.
What are some famous viruses?
Michelangelo
Michelangelo burst into worldwide viral infamy on the 6th of March 1991. On that
day thousands of computer users worldwide found out two things: 1) The famous
artist Michelangelo was born on the 6th of March and 2) Their hard drives had
just been reformatted.
The Michelangelo virus was awesome in its effect on the computing world.
Millions (perhaps billions) of US dollars’ worth of data was lost. Some companies
never recovered. Companies suddenly became aware of their exposure risk to
viruses.
Michelangelo is a Boot Sector Virus. This means that the virus resides at the
very start of the hard drive of the infected computer. It also means that the
virus is always active in the memory of the infected computer.
Michelangelo caused worldwide hysteria between the 6th of March 1991 and the
6th of March 1992. The media beat up the story of the impending doom of personal
computing when the first anniversary was coming due. This hysteria fed on the
true reports that several major software vendors admitted to accidentally
shipping PCs infected with the Michelangelo virus. The media estimated that
5,000,000 PCs worldwide were going to be infected. When the 6th of March 1992
rolled around approximately 15,000 computers were infected – a tiny proportion
of the prediction.
But there is one major milestone for which the Michelangelo virus is responsible.
It was in response to the Michelangelo Virus that several major OEM and
motherboard manufacturers started to bundle anti-virus software with their
hardware. Bless that Michelangelo!
Melissa
The Melissa virus first made the news in early 1999 when mail servers worldwide
were being shut down due to a mysterious message being copied time and time
again until the hard drive of the mail server filled up.
The Melissa virus attached itself to email messages as an attachment. Typically,
the infected message would say something like: “Please click on the attachment
to gain 40Mb of FREE WEB SPACE”.
If the user opened the document then the message replicated itself and sent
itself to the first 50 names in their Global Address List and Personal Address
Book.
In this manner it spreads like wildfire. In many cases it filled up the hard
drive of the mail server, which consequently crashed.
The author of Melissa is an American computer programmer called David Smith. He
was jailed in December 1999, charged with causing in excess of US$120 million in
criminal damage.
Just for the record, the Melissa virus was named after a stripper that David
Smith had the hots for.
LoveLetter (a.k.a. I Love You, LoveBug, Very Funny)
The LoveLetter virus originally arrived on May 4th, 2000 as an email with the
subject line “I Love You”, a message body of "Kindly check the attached
LOVELETTER coming from me." and an attachment named LOVE-LETTER-FOR-YOU.TXT.VBS,
although later variants had different names including Very Funny.vbs,
virus_warning.jpg.vbs, and protect.vbs. Opening the VBS attachment infects the
local PC.
Once infected, the virus overwrites files with specific extensions, modifies
registry entries, installs a password stealing Trojan and propagates itself by
sending itself to addresses harvested from the local user’s Outlook Address Book.
Because it ran as a VBS attachment, and specifically targeted Outlook (and
therefore Exchange) to propagate, Microsoft copped a huge amount of flak over
LoveLetter. Microsoft had to do something, and do it fast. They fought back in
two ways:
1. Microsoft released a security patch for Outlook 2000 that blocked access to
several attachment types including VBS.
2. Microsoft released a tool called Exmerge and published instructions for using
Exmerge to ‘purge’ an Exchange database of all email containing a specific
subject line or attachment name. So if you like Exmerge as much as I do then you
have a lot to thank LoveLetter for!
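Both of Microsoft’s responses boil down to the same two checks a mail gateway can make: block risky attachment extensions (the Outlook patch) and match a message’s subject line or attachment name against known indicators (the Exmerge purge). The following is an added example, not Microsoft’s code or the article’s: it applies those checks, using the subject and attachment names quoted above as indicators, and also catches the LOVE-LETTER-FOR-YOU.TXT.VBS trick of hiding a script behind a harmless-looking extension. The blocked-extension list is an assumption for the example, not Microsoft’s actual list.

```python
# Script/executable extensions to refuse. Assumed list for this example; the
# article only says the Outlook 2000 patch blocked "several types including VBS".
BLOCKED_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "bat", "cmd"}

# Indicators taken from the article text (compared case-insensitively).
KNOWN_SUBJECTS = {"i love you"}
KNOWN_ATTACHMENTS = {
    "love-letter-for-you.txt.vbs",
    "very funny.vbs",
    "virus_warning.jpg.vbs",
    "protect.vbs",
}


def split_extensions(filename):
    """'photo.JPG.vbs' -> ['jpg', 'vbs']; a bare name has no extensions."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename):
    """Return the list of reasons this attachment should be held (empty if none)."""
    exts = split_extensions(filename)
    reasons = []
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append("blocked-extension:" + exts[-1])
        if len(exts) >= 2:
            # e.g. LOVE-LETTER-FOR-YOU.TXT.VBS: Windows hides the final .VBS, so the
            # user sees what looks like a .TXT file. Flag the disguise explicitly.
            reasons.append("disguised-double-extension:" + ".".join(exts[-2:]))
    if filename.lower() in KNOWN_ATTACHMENTS:
        reasons.append("known-loveletter-name")
    return reasons


def classify_message(subject, attachments):
    """Exmerge-style purge criteria plus extension blocking.

    Returns ('quarantine' | 'deliver', [reasons])."""
    reasons = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append("known-loveletter-subject")
    for name in attachments:
        reasons.extend(f"{name}: {r}" for r in classify_attachment(name))
    return ("quarantine" if reasons else "deliver"), reasons
```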
And there you have it. That’s what I know about viruses. I hope you found this
information useful.
Regards
Paul Eddington