COMPUTER RESEARCH & TECHNOLOGY
Computer viruses are increasing at an unprecedented rate. In 1986, there was one known computer virus; three years later there were six, and by 1990 the total had jumped to 80. Viruses were being discovered at the rate of one per week. Today, 15 new viruses appear every day. In fact, from December 1998 to February 2001, the total virus count jumped from 20,500 to 50,000. They are costing literally billions of dollars and causing enormous frustration to users.

Over the past five years the Internet has changed vastly from its academic origins, becoming the lifeblood of global communications. E-mail users are expected to soon exceed 700 million and are growing at an estimated 170% per year. Unfortunately, along with the obvious benefits associated with such connectivity, there are downsides.

Why are Viruses so prolific?
Networked Plumbing - Too Much Functionality - Common Platforms (Outlook) - Current Solutions are Outdated

Email-aware viruses such as OnTheFly (Anna Kournikova), Melissa, Happy99 or ExploreZip are able to pollinate themselves instantly and with great efficiency. Worse still, powerful scripting languages present in today's email clients and office suites make creating such viruses a comparatively trivial task.

Today, we know that statistically 1 in every 1,500 emails will, on average, contain a virus. One ISP claims to trap and kill over 500 viruses each day. Analysis has shown that a greater percentage of viruses come from free mail accounts than from general private domains. The average number of viruses contained within one popular, free mail system soared to one in 500. We suspect Web mail vastly increases the promiscuous use of multiple computers for handling documents and hence increases the chances of infection.

A virus that has been found in more than one organization or company is called an "in the wild" virus. Currently, approximately 400 viruses exist in the wild. Whether a virus is new or old, it can still be in the wild.
A zoo virus can be found only within research labs and has not succeeded in moving into general circulation. The current census reports approximately 42,000+ zoo viruses.

How does Virus Transmission Occur?
How - How Fast - What Methods

A computer virus is a program designed to replicate and spread on its own, preferably without a user's knowledge. Computer viruses spread by attaching themselves to other programs. When an infected file is executed or the computer is started from an infected disk, the virus itself is executed. Usually it stays in memory, waiting to infect the next program that is run or the next disk that is accessed. While some of these are benign, others can be very costly and cause significant damage.

According to the International Computer Security Association (ICSA), diskettes are declining as a major source of virus infection. Infections that spread through e-mail attachments, the source of macro viruses, increased from 32 percent in 1998 to over 60 percent in 2000. Where once a virus may have taken days, weeks or even years to spread, viruses now travel and infect in literally minutes.

What are the Costs of a Virus Infection?

The financial cost of virus infection, measured in cost per incident, has declined to $2,454 in 2000 from $8,100 in 1996, according to the ICSA study. The study also reports that complete recovery from an infection takes an average of 45.6 hours and 9.4 person-days of work. Often the cost is much more: one respondent to the study reported a cost of $150,000 for a single incident. The ICSA study indicates that the reported costs of virus infection would be much higher if related costs such as loss of business and lower productivity were taken into consideration; the I Love You virus is estimated to have cost billions.

Causing everything from lost data to inaccessible files, computer viruses, as well as worms and Trojan Horses, are a drain on corporate bottom lines and employee patience.
A rise in virus hoaxes, which can clog e-mail networks, can also result in downtime and lost productivity.

How are Viruses Categorised?
Virus - Trojan Horse - Worms - Hoaxes

Viruses are computer programs that are designed to spread themselves from one file to another on a single computer. A virus might rapidly infect every application file on an individual computer, or slowly infect the documents on that computer, but it does not intentionally try to spread itself from that computer to other computers. In most cases, that's where humans come in. We send e-mail document attachments, trade programs on diskettes, or copy files to file servers. When the next unsuspecting user receives the infected file or disk, they spread the virus to their computer, and so on.

Trojan Horse
As the name implies, a Trojan Horse program comes with a hidden surprise intended by the programmer but totally unexpected by the user. Trojan Horses are often designed to cause damage or do something malicious to a system, but are disguised as something useful. Unlike viruses, Trojan Horses don't make copies of themselves. Like viruses, they can cause significant damage to a computer.

Worms
Worms are like viruses in that they do replicate themselves. However, instead of spreading from file to file, they spread from computer to computer, infecting an entire system. Worms are insidious because they rely less (or not at all) upon human behavior in order to spread themselves from one computer to others. The computer worm is a program that is designed to copy itself from one computer to another, leveraging some network medium: e-mail, TCP/IP, etc. The worm is more interested in infecting as many machines as possible on the network, and less interested in spreading many copies of itself on a single computer (like a computer virus).

Hoaxes
A virus hoax is an e-mail that is intended to scare people about a non-existent virus threat.
Users often forward these alerts thinking they are doing a service to their fellow workers, but this causes lost productivity, panic and lost time. This increased traffic can soon become a massive problem in e-mail systems and cause unnecessary fear and panic. These hoaxes include the $800 from Microsoft Chain Mail Hoax, the Pluperfect Hoax, and the Mobile Phone Hoax, among many others.

How Dangerous are Viruses?
Benign - Malignant

Viruses are either benign or malignant. Some viruses are harmless and do no real damage to a computer or files. A benign virus might do nothing more than display a message at a pre-determined time or slow down the performance of a computer. Malignant viruses cause damage to a computer system, such as corrupting files or destroying data. (These viruses don't corrupt the files they infect; that would prevent them from spreading. They infect, and then wait for a trigger date to do damage.)

Virus Genealogy
Macro Virus - File Infectors - Boot Sector Viruses - Multi Partite - Polymorphic - Stealth - Retro

As the way people exchange electronic information changes, so does the nature of viruses. For example, the boot-sector virus is on the decline as people move to Windows and Windows NT operating systems. New viruses are able to migrate from Windows 98 to Windows NT and back again. Script-based viruses and Windows 32-bit viruses represent the newest growth area.

Macro Viruses. Whereas most viruses used to spread via floppy disks and program files, more infections occur now because of e-mail attachments and downloading from the Internet. According to the Virus Bulletin, eight of the top 10 reported viruses are macro viruses. Macro viruses can mutate or become corrupted. A mutant macro virus is essentially a new virus with a different fingerprint, making it difficult to detect with existing fingerprints. In addition, macro viruses can also mate when they meet in the same document, creating a third macro virus that has elements of both parent viruses.
File Infectors. These viruses attach themselves to or replace .COM and .EXE files, although in some cases they can infect files with the extensions .SYS, .DRV, .BIN, and .OVL. This type of virus generally infects uninfected programs when they are executed with the virus in memory.

Boot Sector Infectors. All logical drives contain a boot sector. The boot sector contains specific information relating to the formatting of the disk and the data stored there. It also contains a small program called the boot program that loads operating system files. Boot sector viruses infect the boot program of the hard drive when an infected diskette is left in a floppy drive and the system is rebooted. When the computer reads and executes the boot sector program, the boot sector virus goes into memory and infects the hard drive. Later, when the user boots from the hard drive, the virus again gains control and can then infect each and every diskette used on the computer. Because every disk has a boot sector, computers can become infected by boot viruses on a "data disk" that has no programs or operating system.

Multi-Partite Viruses. Multi-partite viruses often infect multiple targets instead of just one type of file or disk. For example, they will infect both files and boot records on hard disks or both files and boot sectors on floppy disks.

Polymorphic Viruses. Polymorphic viruses mutate to escape detection by anti-virus software. Polymorphic file, boot sector, and macro viruses have all been identified.

Stealth Viruses. These viruses actively conceal themselves while they're running in memory. If the anti-virus program doesn't scan in memory for these viruses, it will completely miss them when scanning files.

Retro Viruses. These viruses are designed to actively attack anti-virus software. They're anti-anti-virus viruses! They'll try to delete anti-virus data files, corrupt anti-virus programs, and more.
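The boot sector layout described above (format information plus a small boot program) can be checked for tampering by recording a hash of the executable part and comparing it later. This is an added example, not part of the original article: it assumes the FAT12/16 diskette layout with the boot program starting at offset 62, the function names are hypothetical, and the sample sector is constructed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBH"  # FAT12/16 format fields stored at offset 11 (assumed layout)

def parse_boot_sector(sector):
    """Split a FAT12/16 boot sector into format information and boot program."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot sector is exactly 512 bytes")
    (bytes_per_sector, sectors_per_cluster, _reserved, _fats, root_entries,
     total_sectors, media, _sectors_per_fat) = struct.unpack_from(BPB_FORMAT, sector, 11)
    return {
        "oem": sector[3:11].decode("ascii", "replace").strip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "root_entries": root_entries,
        "total_sectors": total_sectors,
        "media": media,
        "signature_ok": sector[510:512] == b"\x55\xaa",
        # Jump instruction plus boot program: the bytes executed at start-up.
        "code_sha256": hashlib.sha256(sector[0:3] + sector[62:510]).hexdigest(),
    }

def boot_program_changed(baseline, current):
    """True when the executable part differs from the recorded baseline."""
    return baseline["code_sha256"] != current["code_sha256"]

def make_sample_sector(boot_program):
    """Constructed 1.44 MB data-diskette boot sector (sample bytes, not a disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"  # jump over the format fields to offset 62
    sector[3:11] = b"SAMPLE  "
    struct.pack_into(BPB_FORMAT, sector, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    sector[62:62 + len(boot_program)] = boot_program  # placeholder bytes only
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    baseline = parse_boot_sector(make_sample_sector(b"\x90" * 16))
    current = parse_boot_sector(make_sample_sector(b"\xcc" * 16))
    print("format fields equal:", baseline["total_sectors"] == current["total_sectors"])
    print("boot program changed:", boot_program_changed(baseline, current))
```

Because a stealth virus resident in memory can conceal itself from reads, a comparison like this is only trustworthy when the sector is read after starting the machine from known-clean media.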
What are Some of the Myths About Viruses?
Protected Disks - Compressed Files - Hardware - Cross Platform - Identification

While viruses are capable of damaging systems, they cannot do the following:
How can we Better Control Viruses?
Desk Top - Server - Gateways - Resident

Viruses can be controlled at the desktop, the file server, the gateway, and on e-mail servers. Desktop and server anti-virus applications allow for virus scan and detection on an on-going and periodic basis, as well as each time a file is downloaded or a computer is booted. More and more, computer users have anti-virus software running full-time in the background, scanning all files and diskettes the moment they are accessed. As macro viruses proliferate, scanning e-mail attachments at the desktop is critical. To protect networks, monitoring attachments at the e-mail gateway is just as important.

Arthur Hissey
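Monitoring attachments at the e-mail gateway, as recommended above, starts with a filename policy applied to every MIME part before content scanning. This is an added example, not part of the original article: the function names, the verdict labels and the script, document and decoy extension lists are assumptions, and the sample message is constructed with placeholder attachment bodies.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed gateway policy. PROGRAM_EXT is the file-infector list from the article;
# the script, document and decoy lists are illustrative choices.
PROGRAM_EXT = {".com", ".exe", ".sys", ".drv", ".bin", ".ovl"}
SCRIPT_EXT = {".vbs", ".js", ".bat", ".scr"}
MACRO_DOC_EXT = {".doc", ".dot", ".xls"}
DECOY_EXT = {".jpg", ".gif", ".txt", ".doc"}

def classify_attachment(filename):
    """Return the gateway verdict for one attachment name."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()  # trailing dots/spaces hide the extension
    exts = ["." + part for part in name.split(".")[1:]]
    if not exts:
        return "allow"
    if exts[-1] in PROGRAM_EXT | SCRIPT_EXT:
        # name.jpg.vbs displays as "name.jpg" when known extensions are hidden
        disguised = len(exts) > 1 and exts[-2] in DECOY_EXT
        return "block-disguised" if disguised else "block"
    if exts[-1] in MACRO_DOC_EXT:
        return "scan-macros"  # hand the document to the macro scanner
    return "allow"

def screen_message(raw):
    """List (filename, verdict) for every MIME part that carries a filename."""
    msg = message_from_string(raw, policy=policy.default)
    return [(part.get_filename(), classify_attachment(part.get_filename()))
            for part in msg.walk() if part.get_filename()]

def build_sample():
    """Constructed message with two placeholder attachments (no real content)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="holiday.jpg.vbs")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="msword", filename="minutes.doc")
    return msg.as_string()

if __name__ == "__main__":
    for name, verdict in screen_message(build_sample()):
        print(f"{verdict:16} {name}")
```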
ETOPICS

Keep up to date with the latest in the IT/Communications industry by listening to ABC Local Radio on FM107.1, every Tuesday morning at 9.15AM. Computer Research & Technology Managing Director Arthur Hissey and Morning Host Janice McGilchrist will be discussing current matters of interest and future directions in the IT industry. Transcripts of these discussions and other topics are available, just click on the links.