Computer Viruses


An Introduction

A computer virus is a piece of software designed and written to make additional copies of itself and spread from location to location, typically without user knowledge or permission.

A computer virus is a program which is intentionally designed to attach itself to, or overwrite another program to reproduce itself without the knowledge of the PC user.

Some programs act without the user's knowledge and commit some kind of act inside the computer that they are intentionally designed to do. These types include worms, Trojan horses, and droppers. All of these programs, including viruses, are part of a category of programs known as malware, or malicious-logic software.

If you buy a new computer these days, it's likely to ship with an antivirus package. This fact, more than anything else, should convince us of how widespread viruses have become and how much the computer industry has come to accept their inevitability. Quite simply, viruses are a fact of computing life.

Viruses, by definition, add their code to your system in such a way that when the infected part of the system executes, the virus does also.

Viruses work in different ways, but here's the basic process:

First, the virus appears on your system. It usually enters as part of an infected program file (COM, EXE, or boot sector). In the past viruses travelled almost exclusively through the distribution of infected floppy disks. Today, viruses are frequently downloaded from networks (including the Internet) as part of larger downloads, such as part of the setup files for a trial program, a macro for a specific program, or an attachment to an e-mail message.

Note that the e-mail message itself cannot be a virus. A virus is a program, and it must be run to become active. A virus delivered as an e-mail attachment, therefore, does nothing until you run it. You run this kind of virus by launching the attachment, usually by double-clicking on it. One way to help protect yourself from this kind of virus is simply not to open attachments that are executable files (EXE or COM) or data files for programs, such as office suites, that provide macro-writing features. A graphics, sound, or other data file is safe.

A virus starts its life on your PC, therefore, as a Trojan horse-like program. It is hidden within another program or file and launches with that file. In an infected executable file, the virus has essentially modified the original program to point to the virus code and launch that code along with its own code. Typically, it jumps to the virus code, executes that code, and then jumps back to the original code. At this point the virus is active, and your system is infected.

Once active, the virus either does its work immediately--if it's a direct-action virus--or sits in the background as a memory-resident program, using the TSR (terminate and stay resident) procedure allowed by the operating system. Most are of this second type and are called resident viruses. Given the vast range of activities allowed by TSR programs--everything from launching programs to backing up files and watching for keyboard or mouse activity (and much more)--a resident virus can be programmed to do pretty much anything the operating system can do. Using a bomb, it can wait for events to trigger it, then go to work on your system. One of the things it can do is scan your disk or (more significantly) your networked disks for other running (or executable) programs, then copy itself to those programs to infect them as well.

There are various types of viruses:

Worms are similar to viruses in that they make copies of themselves, but differ in that they need not attach to particular files or sectors at all. Once a worm is executed, it seeks other systems - rather than parts of systems - to infect, then copies its code to them.

Some viruses display symptoms, and some cause damage to files in a system they have infected. But neither symptoms nor damage are essential in the definition of a virus. A non-damaging virus is still a virus, not a prank.

There are no "good" viruses, simply because a virus is code that was not intentionally installed by the user. Users must be able to control their computers, and that requires that they have the power to install and remove software; that no software is installed, modified, or removed without their knowledge and permission. A virus is surreptitiously self-installed. It may modify other software in the system without user awareness, and removal can be difficult and costly.

Many viruses cause intentional damage. But many more cause damage that may not have been intended by the virus author. For instance, when a virus finds itself in a very different environment than that for which it was written, a non-destructive virus can suddenly become very destructive. A good case in point is the boot virus: while a particular boot virus might not contain any code to damage computers running Windows NT, booting an NT machine with such a virus is likely to be the end of the system.

Even if a virus causes no direct damage to your computer, your inexperience with viruses can mean that damage occurs during the removal process. Many organizations have shredded floppies, deleted files, and done low-level formats of hard disks in their efforts to remove viruses. Even when removal is done perfectly, with no damage to the infected system or files, it is not normally done when the machine is first infected, and the virus in that machine has had a few weeks to spread. The social costs of infection include a loss of reputation and good will.

Virus Types

Viruses are often classified into two major categories: "boot viruses" (which infect the boot area of floppies and hard disks, and become resident and active at the time of booting the machine) and "file viruses" (which infect one or more types of files, and activate when the program is run). Our most common infections are of boot viruses, even though the majority of the viruses in the world are file viruses. This is because, in order to get from one machine to another, a virus must have an efficient means of travel. Floppy disks are commonly shared, and while not all contain program files (preventing the spread of file infectors), if they are formatted, they contain a boot sector and thus, potentially, a boot virus.

A macro virus consists of instructions in Word Basic or some other macro language, and resides in documents or templates. While we do not think of documents as capable of being infected, any application which supports macros that automatically execute is a potential platform for macro viruses. Because documents are now even more widely shared than diskettes (through networks and the Internet), document-based viruses are likely to dominate our future.

File viruses are viruses that attach themselves to (or replace) .COM and .EXE files, although in some cases they can infect files with extensions .SYS, .DRV, .BIN, .OVL and .OVY. The most common file viruses are resident viruses, going into memory at the time the first copy is run, and taking clandestine control of the computer. Such viruses commonly infect additional programs as you run them. But there are many non-resident viruses, too, which simply infect one or more files whenever an infected file is run.
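The introduction describes a file infector redirecting a program to the virus code, and the paragraph above names the files it targets. The added Python below (example code, not from the article) shows the check the integrity checkers of that era performed: it reads the DOS MZ header fields such a change disturbs (entry point, declared size) and compares them with a baseline recorded while the file was clean. The sample executables and the names `inspect_exe`, `compare_exe` and `build_exe` are constructed for illustration.

```python
import hashlib
import struct

# Fixed 28-byte part of the DOS MZ header: e_magic, then 13 little-endian words
MZ_HEADER_FMT = "<2sHHHHHHHHHHHHH"
MZ_HEADER_LEN = struct.calcsize(MZ_HEADER_FMT)

def inspect_exe(image: bytes) -> dict:
    """Record what an integrity checker keeps per EXE: the size the header
    declares, the real size, the entry point's file offset, and a digest."""
    if len(image) < MZ_HEADER_LEN or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (_, bytes_last_page, pages, _, header_paras, _, _, _, _, _,
     ip, cs, _, _) = struct.unpack(MZ_HEADER_FMT, image[:MZ_HEADER_LEN])
    declared = pages * 512 if bytes_last_page == 0 else (pages - 1) * 512 + bytes_last_page
    entry_offset = header_paras * 16 + cs * 16 + ip   # header + CS:IP, relative to the file start
    return {"declared_size": declared, "actual_size": len(image),
            "entry_offset": entry_offset, "sha256": hashlib.sha256(image).hexdigest()}

def compare_exe(current: dict, baseline: dict) -> list:
    """Findings relative to a baseline taken while the file was known clean."""
    findings = []
    if current["sha256"] != baseline["sha256"]:
        findings.append("contents changed")
    if current["entry_offset"] != baseline["entry_offset"]:
        findings.append("entry point moved")        # the redirection the article describes
    if current["actual_size"] != baseline["actual_size"]:
        findings.append("file size changed")        # code appended to the program
    if current["actual_size"] > current["declared_size"]:
        findings.append("data past declared size")  # also seen with legitimate overlays: check, don't condemn
    return findings

def build_exe(code: bytes, entry_cs: int, entry_ip: int) -> bytes:
    """Constructed minimal EXE (not a real program): 32-byte header, then code."""
    total = 32 + len(code)
    header = struct.pack(MZ_HEADER_FMT, b"MZ", total % 512, (total + 511) // 512, 0, 2,
                         0, 0xFFFF, 0, 0, 0, entry_ip, entry_cs, 0x1C, 0)
    return header.ljust(32, b"\x00") + code

# Constructed samples: a 64-byte program that just exits (mov ax,4C00h; int 21h),
# and an altered copy with 48 bytes appended and the entry point redirected to them.
CLEAN_EXE = build_exe(b"\xb8\x00\x4c\xcd\x21".ljust(64, b"\x90"), 0, 0)
ALTERED_EXE = build_exe(CLEAN_EXE[32:] + b"\x90" * 48, 4, 0)

if __name__ == "__main__":
    baseline = inspect_exe(CLEAN_EXE)
    print("baseline entry offset:", baseline["entry_offset"])
    print("findings:", compare_exe(inspect_exe(ALTERED_EXE), baseline))
```

A real checker would store the baseline records off-line (on a write-protected diskette, in this article's world), since a resident virus can alter anything on the infected machine.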

Every logical drive, both hard disk and floppy, contains a boot sector. This is true even of disks that are not bootable. This boot sector contains specific information relating to the formatting of the disk, the data stored there and also contains a small program called the boot program (which loads the DOS system files). The boot program displays the familiar "Non-system Disk or Disk Error" message if the DOS system files are not present. It is also the program that gets infected by viruses. You get a boot sector virus by leaving an infected diskette in a drive and rebooting the machine. When the program in the boot sector is read and executed, the virus goes into memory and infects your hard drive. Remember, because every disk has a boot sector, it is possible (and common) to infect a machine from a data disk. All "boot viruses" infect the boot sector of floppy disks; some of them, such as Form, also infect the boot sector of hard disks. Other boot viruses infect the master boot sector of hard disks.

The first physical sector of every hard disk (Side 0, Track 0, Sector 1) contains the disk's Master Boot Record and Partition Table. The Master Boot Record has a small program within it called the Master Boot Program which looks up the values in the partition table for the starting location of the bootable partition, and then tells the system to go there and execute any code it finds. Assuming your disk is set up properly, what it finds in that location (Side 1, Track 0, Sector 1) is a valid boot sector. Master Boot Record viruses infect the Master Boot Record of hard disks; on floppy disks, these same viruses infect the boot sectors.

You get a Master Boot Record virus in exactly the same manner you get a boot sector virus -- by leaving an infected diskette in a drive and rebooting the machine. When the boot sector program is read and executed, the virus goes into memory and infects the MBR of your hard drive. Again, because every disk has a boot sector, it is possible (and common) to infect a machine from a data disk.
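To make the two paragraphs above concrete, here is an added Python example (not code from the article) that parses a 512-byte Master Boot Record the way the Master Boot Program reads it: it checks the boot signature, decodes the partition table to find the active partition and its starting location, and compares the sector with a copy saved while the machine was clean, which is how boot-sector integrity checkers caught MBR viruses. The sample sectors and the names `parse_mbr`, `active_partition`, `compare_mbr` and `build_mbr` are constructed for illustration.

```python
import struct

PART_TABLE_OFFSET = 446          # the four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
ENTRY_FMT = "<BBBBBBBBII"        # status, start CHS (3 bytes), type, end CHS (3 bytes), LBA start, LBA length

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into its master boot program and partition table."""
    if len(sector) != 512 or sector[510:] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector ending in the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        raw = sector[PART_TABLE_OFFSET + 16 * i : PART_TABLE_OFFSET + 16 * (i + 1)]
        status, head, sec_cyl, cyl_lo, ptype, _, _, _, lba_start, lba_len = struct.unpack(ENTRY_FMT, raw)
        # CHS packing: low 6 bits of sec_cyl are the sector, its top 2 bits extend the 8-bit cylinder
        cylinder = ((sec_cyl & 0xC0) << 2) | cyl_lo
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "start_chs": (cylinder, head, sec_cyl & 0x3F),
                           "lba_start": lba_start, "sectors": lba_len})
    return {"boot_code": sector[:PART_TABLE_OFFSET], "partitions": partitions}

def active_partition(mbr: dict):
    """The entry whose boot sector the master boot program hands control to."""
    return next((p for p in mbr["partitions"] if p["bootable"]), None)

def compare_mbr(current: dict, baseline: dict) -> list:
    """Findings relative to an MBR copy saved while the machine was known clean.
    An MBR virus replaces the boot program but keeps the table so the disk still boots."""
    findings = []
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("master boot program changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR for testing (not an image of a real disk)."""
    table = b"".join(entries).ljust(64, b"\x00")
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE

# Constructed sample: one active FAT16 (type 0x06) partition whose boot sector sits at
# cylinder 0, head 1, sector 1 (the location the article gives), which is LBA 63.
DOS_PARTITION = struct.pack(ENTRY_FMT, 0x80, 1, 1, 0, 0x06, 15, 63, 0x3F, 63, 65536)
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [DOS_PARTITION])      # stand-in boot program bytes
ALTERED_MBR = build_mbr(b"\xea\x00\x00\x00\x00", [DOS_PARTITION])    # different program, same table

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)
    print("active partition (cyl, head, sector):", active_partition(baseline)["start_chs"])
    print("findings:", compare_mbr(parse_mbr(ALTERED_MBR), baseline))
```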

Multi-partite viruses are a combination of the viruses listed above. They will infect both files and boot areas. Multi-partite viruses are rare.

Macro viruses are much like other viruses in many ways: they consist of code written in such a way that under some condition, that code "reproduces", making a copy of itself. Like other viruses, they can be written to cause damage, display a message, or do anything else a program can be made to do.

There are some differences between a macro virus and other kinds of viruses:

  1. Boot viruses are always written in assembly language; viruses which infect executable programs are usually written in assembly language, but sometimes in a high-level language such as C. Macro viruses are always written in a macro language.
  2. To get a boot virus, you must boot your machine with a diskette that is infected with the boot virus. To get a file virus, you need to run a copy of the infected file. To get a macro virus, all you need to do is double-click on an infected document to view it. When it loads, its macros run, and you are infected.
  3. Because macro viruses are written in a macro language, a given macro virus will run in any environment which can understand and interpret those macro instructions. Thus Word.Concept, which is written in WordBasic, is able to infect documents if you are running an English version of Word, because it uses two macros (AutoOpen and FileSaveAs) which are only understood by the English version of Word. However, English versions of Word run on the Macintosh, in DOS, in Windows, in Windows 95, and in Windows NT, so this virus can infect on all of these platforms. The multi-platform availability of an application opens the door to multi-platform viruses -- something not possible with viruses that infect executable programs.

Macro viruses are always application-specific. For instance, a virus named Laroux will only infect users of Excel; Green Stripe will only infect users of Ami Pro. Word Macro viruses will only infect Microsoft Word. This is of little comfort to those who are already infected, or to those who have one of these popular packages, but it should provide assurance to those who are using something else: WordPerfect users cannot be infected with a Word Macro virus. 1-2-3 users cannot be infected with an Excel macro virus.

A macro virus consists of a set of macros, nothing more. The macros must be stored wherever the application stores macros. In the case of Word, macros are stored in templates, rather than documents. Word treats any file with the .DOT extension as a template, and any other extension as a document. However, a file having a template structure (and containing macros) can also contain text, and appear on the screen as if it were a standard document. And such a template can be stored with any extension. So macro viruses for Word typically arrive at a computer as a template file with the .DOC extension. When such a file is loaded, it behaves both like a template (macros are run) and as a document (you may view the text within it.)

Some Word macro viruses do little more than infect the global template, NORMAL.DOT. Others convert documents to templates with the .DOC extension, so that these files themselves are infected. Because users have no means of determining whether a file with a .DOC extension is a template with text or a true document, the virus can easily slip into a machine without user awareness.

Your probability of getting a macro virus is directly proportional to the number of new, unknown documents you view each day. If you have a reasonably closed system, your chance of infection is very low. If you double-click on dozens of new documents each day, your chance of infection is much higher.

Your probability of infection also depends on the likelihood that a new document you examine is infected. At this writing, only two sites have been reported to have an infection of Laroux. Unless you work at one of those sites (one in Alaska, one in Africa), your chance of infection today by this virus is 0. Of course, if such a virus becomes more prevalent, double-clicking on a new spreadsheet will become a bit riskier.

Two phenomena probably best characterize the Macro viruses:

  1. They are spreading more rapidly than any other kind of virus in history. For instance, Word.Concept, which first appeared in July, 1995, accounted for approximately 25% of all reported infections, worldwide, as of April 1, 1996! It has been reported in the US, the UK, Finland, Sweden, Russia, France, Germany, Holland, Turkey, and Canada. No boot or file virus has ever spread so rapidly.
  2. The number of different macro viruses is increasing rapidly. This is inevitable, since macro viruses are easier to write than viruses written in assembly language, and there are probably far more users in the world who can write a few macros than can write assembly language programs.


Macro viruses have changed many of our "rules" of virus defense:

  1. It was once true that you couldn't get infected by viewing a virus. This is not true of a macro virus, if the viewer you use interprets and runs its macros.
  2. It was once true that you couldn't get infected from e-mail. Now, if a document attached to your e-mail is infected with a macro virus, simply looking at that document leaves you infected. (E-mail messages themselves will not be infected, and are not a source of danger.)
  3. It was once true that you didn't need to scan "all files" because viruses wouldn't be found in documents and databases. Today they can be found in files of any extension (Word permits documents to have any extension.)
  4. We once advised users to only run programs from trusted sources. We must now consider viewing only documents we have previously viewed! - hardly sound advice.
