|
|
Glossary of Terms
A
Armored Virus
An armored virus is one which uses special tricks to make the tracing, disassembling
and understanding of their code more difficult. A good example is the Whale
virus.
B
Boot Record
The program recorded in the Boot Sector. All floppies have a boot record, whether
or not the disk is actually bootable. Whenever you start or reset your computer
with a disk in the A: drive, DOS reads the boot record from that diskette. If
a boot virus has infected the floppy, the computer first reads the virus code
in (because the boot virus placed its code in the boot sector), then jumps to
whatever sector the virus tells the drive to read, where the virus has stored
the original boot record.
Boot Sector
The first logical sector of a drive. On a floppy disk, this is located on side
0 (the top), cylinder 0 (the outside), sector 1 (the first sector.) On a hard
disk, it is the first sector of a logical drive, such as C: or D:. This sector
contains the Boot Record, which is created by FORMAT (with or without the /S
switch.) The sector can also be created by the DOS SYS command.
Boot Sector Infector
Every logical drive, both hard disk and floppy, contains a boot sector. This
is true even of disks that are not bootable. This boot sector contains specific
information relating to the formatting of the disk, the data stored there and
also contains a small program called the boot program (which loads the DOS system
files). The boot program displays the familiar "Non-system Disk or Disk
Error" message if the DOS system files are not present. It is also the
program that gets infected by viruses. You get a boot sector virus by leaving
an infected diskette in a drive and rebooting the machine. When the program
in the boot sector is read and executed, the virus goes into memory and infects
your hard drive. Remember, because every disk has a boot sector, it is possible
(and common) to infect a machine from a data disk. All "boot viruses"
infect the boot sector of floppy disks; some of them, such as Form, also infect
the boot sector of hard disks. Other boot viruses infect the master boot sector
of hard disks.
Boot Virus
A term that describes those viruses which place their starting code in the boot
sector of floppies, and either the boot sector or master boot sector of hard
disks. Viruses which also infect files are sometimes known as multipartite viruses.
BSI
Boot Sector Infector: a virus which takes control when the computer attempts
to boot (as opposed to a file infector).
C
CMOS
Complementary Metal Oxide Semiconductor: A memory area that is used in AT and
higher class PCs for storage of system information. CMOS is battery backed RAM
(see below), originally used to maintain date and time information while the
PC was turned off. CMOS memory is not in the normal CPU address space and cannot
be executed. While a virus may place data in the CMOS or may corrupt it, a virus
cannot hide there.
Companion Virus
A companion virus is one which, instead of modifying an existing file, creates
a new program which (unknown to the user) gets executed by the command-line
interpreter instead of the intended program. (On exit, the new program executes
the original program so that things will appear normal.) The only way this has
been done so far is by creating an infected .COM file with the same name as
an existing .EXE file. Note that those integrity checkers which look only for
modifications in existing files will fail to detect such viruses.
(Note that not all researchers consider this type of malicious code to be a
virus, since it does not modify existing files.)
The best way to determine if you have any virus is to scan with an antivirus program. If you do not have an antivirus program, one of the following symptoms may indicate the presence of a boot virus.
Attempts to write to a write-protected disk.
A boot sector virus in memory spreads by writing to the floppy boot record.
If the virus tries to write to a write-protected disk, DOS generates the message
"write-protect error writing drive [drive letter].
The DOS command CHKDSK reports less than 655,360 bytes (640K) total memory.
Notes:
If a boot virus is detected in memory when the
system is booted from a floppy disk, then the boot disk is also infected. You
must boot your system from a clean, write-protected disk to remove the virus.
If the system does not boot directly from the A: drive, then you must change
the boot order in the CMOS setup to A:; C:. Refer to your system documentation
for instructions on how to make this change.
The only way a hard drive becomes infected with a boot virus is through an infected
floppy disk. After you repair the hard drive, you must scan all your floppy
disks. If you boot or attempt to boot your machine with an infected disk, you
will reinfect the hard drive.
F
False Positive, False Negative
A false positive (or Type-I) error is one in which the anti-virus software claims
that a given file is infected by a virus when in reality the file is clean.
A false negative (or Type-II) error is one in which the software fails to indicate
that an infected file is infected. Clearly false negatives are more serious
than false positives, although both are undesirable.
In the case of virus scanners, false positives are rare, but they can arise if the scan string chosen for a given virus is also present in some benign programs because the string was not well chosen. False negatives are more common with virus scanners because scanners will miss a completely new or a heavily modified virus.
One other serious problem could occur: A positive that is misdiagnosed (e.g., a scanner that detects the Stoned.Empire virus in a boot record but reports it as the Stoned.Standard). In the case of a boot sector infector, use of a Stoned specific "cure" to recover from the Empire could result in an unreadable disk or loss of extended partitions. Similarly, sometimes "generic" recovery can result in unusable files, unless a check is made (e.g. by comparing checksums) that the recovered file is identical to the original file. Some more recent products store information about the original programs to allow verification of recovery processes.
Fast Infector
A typical file infector (such as the Jerusalem) copies itself to memory when
a program infected by it is executed, and then infects other programs when they
are executed.
A fast infector is a virus which, when it is active in memory, infects not only
programs which are executed, but even those which are merely opened. The result
is that if such a virus is in memory, running a scanner or integrity checker
can result in all (or at least many) programs becoming infected all at once.
Examples are the Dark Avenger and the Frodo viruses.
The term slow infector is sometimes used for a virus which, if it is active in memory, infects only files as they are modified (or created). The purpose is to fool people who use integrity checkers into thinking that the modification reported by the integrity checker is due solely to legitimate reasons. An example is the Darth Vader virus.
FDISK /MBR
MS-DOS 5.0 or higher: If you have MS-DOS 5.0 or higher, you can use the DOS
command FDISK /MBR to remove all viruses which infect the master boot sector
and which do not encrypt it. This option should be used only when all other
attempts to repair have failed. Using FDISK /MBR can sometimes produce unexpected
results, causing unrecoverable damage to your system. Here's how to do it:
Power off the machine.
Place a clean, write-protected system disk in A: drive, and then power on the
computer. NOTE: For this option to work correctly, you must boot from the same
version of DOS that is installed on the hard drive. Using a different version
of DOS could adversely affect the system information on your hard disk.
From the A: prompt, type: C:\DOS\FDISK /MBR and then press Enter.
Power off the computer when you see the prompt again. (You will normally see
no message from the command in the previous step.).
Restart the computer normally, and then scan with your anti-virus software to
verify that the virus is gone.
Notes:
If the boot virus is detected in memory when
the system is booted from a "clean" floppy disk, then that boot disk
is also infected. You must boot your system from a clean, write-protected disk
to remove the virus.
If the system does not boot directly to the A: drive, then you must change the
boot order in the CMOS setup to A:; C:. Refer to your system documentation for
instructions on how to make this change.
The only way a hard drive becomes infected with a boot virus is through an infected
floppy disk. After you repair the hard drive, you must scan all your floppy
disks. If you boot or attempt to boot your machine with an infected disk, you
will reinfect the hard drive.
See also SYS.
File Infectors
These are viruses that attach themselves to (or replace) .COM and .EXE files,
although in some cases they can infect files with extensions .SYS, .DRV, .BIN,
.OVL and .OVY. The most common file viruses are resident viruses, going into
memory at the time the first copy is run, and taking clandestine control of
the computer. Such viruses commonly infect additional programs as you run them.
But there are many non-resident viruses, too, which simply infect one or more
files whenever an infected file is run.
I
In the Wild
A term that indicates that a virus has been found in several organizations somewhere
in the world. It contrasts the virus with one which has only been reported by
researchers. Despite popular hype, most viruses are "in the wild"
and differ only in prevalence. Some are new and therefore extremely rare. Others
are old, but do not spread well, and are therefore extremely rare. Joe Wells
maintains a list of those he knows of to be "in the wild".
(empty)
M
Macro Virus
A new kind of virus, the macro virus, consists of instructions in Word Basic
or some other macro language, and resides in documents. While we do not think
of documents has capable of being infected, any application which supports macros
that automatically execute is a potential platform for macro viruses. Because
documents are now even more widely shared than diskettes (through networks and
the Internet), document-based viruses are likely to dominate our future.
Master Boot Record
The 340-byte program located in the Master Boot Sector. This program begins
the boot process. It reads the partition table, determines what partition will
be booted from (normally C:), and transfers control to the program stored in
the first sector of that partition, which is the Boot Sector. The Master Boot
Record is often called the MBR, and often called the "master boot sector"
or "partition table." The master boot record is created when FDISK
or FDISK /MBR is run.
Master Boot Sector
The first sector of the hard disk to be read. This sector is located on the
top side ("side 0"), outside cylinder ("cylinder 0"), first
sector ("sector 1.") The sector contains the Master Boot Record.
Master Boot Sector Virus
A virus that infects the master boot sector spreads through the boot sector
of floppy disks.
If you boot or attempt to boot your system with an infected floppy disk, NYB
loads into memory and then writes itself to the master boot sector on the hard
drive. If the disk is not bootable, you see the DOS error message "Non-system
disk or disk error..." If the disk is bootable, the system boots to the
A: prompt. Either way the system is infected, and there is no indication on
the screen that this has happened.
Once the hard drive is infected, NYB loads into memory each time the system is booted. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy DOS accesses.
Multipartite Virus
A virus that infects both the boot area and files. Removal of multipartite virsues
requires cleaning both boot sectors and infected files. Before you attempt the
repair, you must have a clean, write-protected boot disk that can boot your
system from A: and allow you to access your hard drive. (If you are running
any disk manager or drive overlay software, contact your vendor for a suitable
boot disk.) For Windows 95 any one of the following disks are suitable, as long
as they were created before the time of infection:
Windows 95 Startup disk
Disk #1 of the original MS-DOS installation disks (MS-DOS 5.x or above)
your anti-virus software's rescue disk
Boot disk created on a clean PC (MS-DOS 5 or greater)
For DOS/Windows, any of the previous disks other than the Windows 95 Startup
disk will work.
If you don't have a system disk, you can make one from a verified uninfected machine or ask a computer store to make one for you. (To create a boot disk from a clean PC, insert a blank diskette in the A: drive, then type format a: /s at the C: prompt in DOS.)
If your anti-virus software finds the virus in
memory it may halt your system. If this happens during the removal procedures,
there can be only two causes: either your boot disk is also infected or your
boot sequence in your CMOS points to your C: drive, then your A: drive. Try
another boot disk and/or make sure the boot sequence is A: C:.
Run your anti-virus scanner twice, if it is able to clean this virus. If, on
the second pass, it still finds infection, run it a third time. If infection
is still found, use a different approach. If your anti-virus software is unable
to repair infected files, it may be due to the nature of the damage, or a weakness
in the product. (Be sure you are using the latest version!). If your scanner
cannot clean an infected file, you might wish to delete the infected file and
copy a new one onto your hard drive from an installation diskette.
Back to Top
(empty)
P
Polymorphic
A polymorphic virus is one which produces varied (yet fully operational) copies
of itself, in the hope that virus scanners will not be able to detect all instances
of the virus.
One method to evade signature-driven virus scanners is self-encryption with a variable key; however these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest, signature- driven virus scanners (unless another virus or program uses the identical decryption routine).
One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.
A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.
One of the most sophisticated forms of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger". It comes in the form of an object module. Any virus can be made polymorphic by adding certain calls to the assembler source code and linking to the mutation-engine and random-number-generator modules.
The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
Back to Top
R
RAM
Random Access Memory: the place programs are loaded into in order to execute;
the significance for viruses is that, to be active, they must grab some of this
for themselves. However, some virus scanners may declare that a virus is active
simply when it is found in RAM, even though it might be simply left over in
a buffer area of RAM rather than truly being active.
Resident
A property of most common computer viruses. A resident virus is one which loads
into memory, hooks one or more interrupts, and remains inactive in memory until
some trigger event. When the trigger event occurs, the virus becomes active,
either infecting something or causing some other consequence (such as displaying
something on the screen.) All boot viruses are resident viruses, as are the
most common file viruses.
S
Slow Infector
See Fast Infector.
Sparse Infector
The term sparse infector is sometimes given to a virus which infects only occasionally,
e.g. every 10th executed file, or only files whose lengths fall within a narrow
range, etc. By infecting less often, such viruses try to minimize the probability
of being discovered by the user.
Stealth virus
A virus that uses any of a variety of techniques to make itself more difficult
to detect. A stealth boot virus will typically intercept attempts to view the
sector in which it resides, and instead show the viewing program a copy of the
sector as it looked prior to infection. A stealth file virus will typically
not show any size increase when you issue the "DIR" command. Stealth
viruses must be "active" or running in order to exhibit their stealth
qualities.
A stealth virus is one which hides the modifications it has made in the file
or boot record, usually by monitoring the system functions used by programs
to read files or physical blocks from storage media, and forging the results
of such system functions so that programs which try to read these areas see
the original uninfected form of the file instead of the actual infected form.
Thus the virus modifications go undetected by anti-virus programs. However,
in order to do this, the virus must be resident in memory when the anti-virus
program is executed.
Example: The very first virus that infected PCs and compatibles, Brain, a boot-sector
infector, monitors physical disk I/O and re-directs any attempt to read a Brain-infected
boot sector to the disk area where the original boot sector is stored. The next
viruses to use this technique were the file infectors Number of the Beast and
Frodo.
Countermeasures: A "clean" system is needed so that no virus is present
to distort the results. Thus the system should be built from a trusted, clean
master copy before any virus-checking is attempted; this is "The Golden
Rule of the Trade." With DOS, (1) boot from original DOS diskettes (i.e.
DOS Startup/Program diskettes from a major vendor that have been write-protected
since their creation); (2) use only tools from original diskettes until virus-checking
has completed.
SYS
To clean a floppy disk, first boot clean (then scan memory to make sure you have accomplished this), then use the SYS command, once you have booted clean. You can also safely copy files from an infected disk to your hard disk, then reformat the floppy, if you have booted clean.
See also FDISK /MBR
T
TOM
Top Of Memory: the end of conventional memory, an architectural design limit
at the 640K mark on most PCs. Some early PCs may not be fully populated, but
the amount of memory is always a multiple of 64K. A boot-record virus on a PC
typically resides just below this mark and changes the value which will be reported
for the TOM to the location of the beginning of the virus so that it won't get
overwritten. Checking this value for changes can help detect a virus, but there
are also legitimate reasons why it may change (see C11). A very few PCs with
unusual memory managers/settings may report in excess of 640K.
Trojan Horse
A trojan horse is a program that does something undocumented which the programmer
intended, but that the user would not approve of if he knew about it. According
to some people, a virus is a particular case of a Trojan Horse, namely one which
is able to spread to other programs (i.e., it turns them into Trojans too).
According to others, a virus that does not do any deliberate damage (other than
merely replicating) is not a Trojan. Finally, despite the definitions, many
people use the term "Trojan" to refer only to a non-replicating malicious
program, so that the set of Trojans and the set of viruses are disjoint.
TSR
Terminate but Stay Resident: these are PC programs that stay in memory while
you continue to use the computer for other purposes; they include pop-up utilities,
network software, and the great majority of viruses. These can often be seen
using utilities such as MEM, MAPMEM, PMAP, F-MMAP and INFOPLUS.
Back to Top
V
Virus
A virus is a piece of software designed and written to make additional copies
of itself and spread from location to location, typically without user knowledge
or permission.
Viruses, by definition, add their code to your system in such a way that when
the infected part of the system executes, the virus does to:
Boot viruses place their code in the sector whose code the machine will automatically
execute when booting, so that when the machine boots, they load and run. After
they are finished loading, they load the original boot code, which they have
previously moved to another location.
File viruses attach to executable program files in such a way that when you
run the infected program, the virus code first executes. After the virus is
finished loading and executing, it loads and executes the program it has infected.
Macro viruses attach to templates and other files in such a way that, when an
application loads the file and executes the instructions in it, the first instructions
to execute are those of a virus.
A companion virus attaches to the operating system, rather than files or sectors.
In DOS, when you run a file named "ABC", the rule is that ABC.COM
would execute before ABC.EXE. A companion virus places its code in a COM file
whose first name matches the name of an existing EXE. You run "ABC",
and the actual sequence is "ABC.COM", "ABC.EXE"
Worms are similar to viruses in that they make copies of themselves, but differ
in that they need not attach to particular files or sectors at all. Once a worm
is executed, it seeks other systems - rather than parts of systems - to infect,
then copies its code to them.
Some viruses display symptoms, and some cause damage to files in a system they have infected. But neither symptoms nor damage are essential in the definition of a virus. A non-damaging virus is still a virus, not a prank.
There are no "good" viruses, simply because virus is code that was not intentionally installed by the user. Users must be able to control their computers, and that requires that they have the power to install and remove software; that no software is installed, modified, or removed without their knowledge and permission. A virus is surreptitiously self-installed. It may modify other software in the system without user awareness, and removal can be difficult and costly.
Many viruses cause intentional damage. But many more cause damage that may not have been intended by the virus author. For instance, when a virus finds itself in a very different environment than that for which it was written, a non-destructive virus can suddenly become very destructive. A good case in point is the boot virus: while a particular boot virus might not contain any code to damage computers running Windows NT, booting an NT machine with such a virus is likely to be the end of the system.
Even if a virus causes no direct damage to your computer, your inexperience with viruses can mean that damage occurs during the removal process. Many organizations have shredded floppies, deleted files, and done low-level formats of hard disks in their efforts to remove viruses. Even when removal is done perfectly, with no damage to the infected system or files, it is not normally done when the machine is first infected, and the virus in that machine has had a few weeks to spread. The social costs of infection include a loss of reputation and good will.
| Index
| | Faq on Virus |