
An Overview of Computer Viruses and Antivirus Software


by Bob Kanish, kanish@concentric.net
Contents
• Preface
• What is a Virus?
• What is a Macro Virus?
• Developing An Effective Antivirus Strategy
• Lines of Defense
• Myths & Pointers
• Getting the Software
• More Information About Viruses
• Glossary
• Disclaimer
• Special Alert: The Hare Virus
• How Current Is This Document?

Preface
If there's one word that can strike fear in the heart of any computer user, especially one who accesses the internet or exchanges diskettes, that word is "virus." Viruses can generate so much fear in the cyber world that news of a new virus often spreads faster than the virus itself. As the Information Manager of a company that produces software for the computer industry, I receive hundreds of diskettes per month and almost as many internet uploads from our customers. Consequently, I have come in contact with many viruses and I have learned quite a bit about them. Through my experiences I have learned that knowing what viruses cannot do is just as important as knowing what they can do.

What is a Virus?
First, what is a virus? A virus is a computer program that is intentionally written to attach itself to other programs or to disk boot sectors, and to replicate whenever those programs are executed or the computer is started from an infected disk. A virus that does nothing but replicate will not harm your system as long as it is coded properly. Any damage done by a purely replicating virus comes from bugs in its code, or from assumptions it makes about file formats or the system's configuration that turn out to be false. In other words, a well-written virus that only contains code to infect programs will not damage your system. Your programs will contain the virus, but no other harm is done. The real damage (the erasing of files, the formatting of hard drives, the scrambling of partition tables, and so on) is caused by deliberately destructive code, the payload, carried inside the virus. The payload is generally programmed to execute only when certain conditions are met, usually a particular date, day, time, or number of infections. An example is the now infamous Michelangelo virus. It can sit on your computer for months without anything appearing to be wrong, because even though your hard disk's master boot record is infected, the destructive code has not yet been executed: the virus is programmed to trigger it on March 6, Michelangelo's birthday. If Michelangelo contained no destructive code, nothing bad would happen to your computer even though it was infected with a virus.
An important thing to remember is that not all virus attacks produce catastrophic results. For
example, one of the most common viruses in the world is called Form. I got Form from a floppy
disk given to me by a friend who didn't know he had the virus. In fact, I didn't know I had it
either until I received a call from a company to whom I mailed my resume using that floppy disk.
They called me, not to tell me that I got the job, of course, but rather that my computer had the
Form virus. How embarrassing! Apparently, Form had been on my computer for a long time, but its effects were so slight that I never noticed it. The only peculiarity I encountered was a clicking sound from my PC speaker every time I pressed a key, and that only happened for one day. Later I learned that Form is programmed to trigger this action on the 18th of every month. Other than that, it doesn't contain any destructive code.
The only other time my system actually became infected was considerably more serious. It
happened only a few months ago on the job. I was scanning a large stack of diskettes for viruses
when I was distracted by a phone call. After completing the lengthy call I turned my computer
off and took a short break. When I returned I booted my computer, forgetting that I had left a
diskette in the A drive. I discovered my error when the floppy drive began to spin. At that point I
also noticed that the disk was being accessed far too much for a non-system disk. Upon
rebooting from the hard drive, I quickly realized my mistake. A virus called Junkie was all over
my hard drive. It had infected command.com, as well as my screen reading software and all
associated drivers. The Junkie virus was alive in the boot sector of the diskette that I inadvertently left in the drive, and it ran wild when I accidentally tried to boot from it. Junkie is a perfect example of a virus that, if written properly, would not have damaged my system. It contains no destructive code; it simply replicates by infecting boot sectors and .com files. However, not every file with a .com extension is really a .com program. Without getting too technical, a .com file is a flat image of code and data that DOS copies into memory as it is and starts at its first byte, while an .exe file begins with a header that the DOS loader must process first (it says how big the program is and which addresses have to be fixed up before the code can run). Some files, particularly ones used by memory management software, have .com extensions but are actually written in the .exe format; DOS runs them correctly because it looks at the header, not the extension. When Junkie infects one of these files it treats it as a flat .com image, appending its own code and patching the start of the file to jump to it (the usual .com infection method); that destroys the .exe header and the program no longer loads, similar to repairing a can opener with parts from a toaster.
After the near heart attack I had during my battle with the Junkie virus, I began to study the
phenomenon very seriously, and since then, though I have run into many viruses on the job, none
of them has infected my computer. This is because I now have an effective antivirus strategy in
place.

What Is A Macro Virus?


The most common viruses infecting computers today (Concept, Nuclear, Showoff, Adam, Wazzu, and Laroux, for example) are macro viruses. They replicate by a completely different method than conventional viruses. We said earlier that a virus is a small program that must be executed, either by running it or by having it loaded from the boot sector of a disk. Such viruses can spread through any program they attach themselves to. A macro virus cannot attach itself to just any program; each one spreads through the documents of one specific application. The two most common types of macro viruses are Microsoft Word and Microsoft Excel viruses. Both programs have macro languages (WordBasic in Word, Visual Basic for Applications in Excel) sophisticated enough to automate almost any task with little or no input from the user, and virus writers quickly realized that self-replicating macros could be written in them. Two features make this possible. First, Word documents and Excel workbooks can contain automatic macros: Word runs a macro named AutoOpen when a document is opened (and AutoClose, AutoNew, AutoExec and AutoExit on the corresponding events), and Excel runs Auto_Open and Auto_Close. When you open an infected document in Word, or an infected workbook in Excel, any such macro executes automatically and you won't even know it's happening. Second, both programs keep a global macro template (NORMAL.DOT in Word; PERSONAL.XLS, or any workbook placed in the XLSTART directory, in Excel) whose macros are loaded every time the program starts and are available to every document you open. Macro viruses exploit both features in order to replicate.
Here's how it works. You open an infected document in Microsoft Word. Its AutoOpen macro, which in this example carries the virus, runs as soon as the document opens and copies the viral macros into NORMAL.DOT, the global template. From then on the viral macros are loaded every time Word starts, and they copy themselves into other documents whenever you open, save or close one (often by replacing a standard command such as FileSaveAs, so that every document you save becomes a carrier). Excel macro viruses work in much the same way, using Auto_Open and the XLSTART directory. Because Word documents and Excel spreadsheets can contain such macros, it is important to think of them as computer programs: when you open a Word document in Word, or an Excel spreadsheet in Excel, you could be executing harmful code that is built right into the object you're opening. They should be checked thoroughly for viruses before you open them in their respective programs. It is important to have an effective antivirus strategy in place to prevent infection by these and all other kinds of viruses.

Developing an Effective Antivirus Strategy


Anyone who does a lot of downloading, or accesses diskettes from the outside world on a regular basis, should develop an antivirus strategy. The most important weapon in your antivirus arsenal is a clean, write-protected, bootable system diskette. Booting from a clean write-protected diskette is the only way to start your system with no virus in memory. No virus scanner or cleaner of any quality will proceed while a virus is active in memory, and for good reason: a resident virus can infect every program the scanner opens to check, and a stealth virus can intercept the scanner's disk reads and hand it clean-looking copies of the infected files. This diskette should also contain a record of your hard disk's master boot record, partition table, and your computer's CMOS data; most antivirus packages include utilities that store this information for you. Lastly, the diskette should carry your favorite scanning and cleaning software, because the copy of that program on your hard drive may itself have been infected. Running it from a clean, write-protected diskette ensures that you're not spreading the virus further.
A second effective defense against viruses is a clean backup of your hard drive. Many antivirus
packages will attempt to disinfect infected programs for you so that the virus is no longer in your
system. However, there are times when removing the harmful code from programs or from the
master boot record does not solve the problem completely. Some programs may not run properly
because their code has been altered, or your system may not boot properly because of the
alterations made to the master boot record. In addition, there are some viruses, Midnight for
example, that encrypt or scramble the data files associated with a program which are then
descrambled by the virus when the program is executed. If you remove the virus from the
program the data is still scrambled and the virus is not there anymore to descramble it. A good
reliable backup ensures that all of these problems are solved and everything is back to normal.
The third part of your antivirus strategy should be antivirus software, preferably more than one
package since no one product can do everything. There are many products out there to help you
guard against viruses. Since other people have gone to great lengths to review these products I
am not going to go into detail about them. I will briefly talk about which programs I use to give
you an example of how antivirus software can be used, but please remember that these are only
my opinions and should not be considered advertisements for these products. At the end of this
article I will tell you where to find more reviews than you can imagine. Again, these are only my
opinions.

Lines of Defense
I personally use three antivirus packages concurrently. The first is VirusScan from McAfee Associates. I use it mainly because when my company started to become virus-conscious we wanted to get a comprehensive package to guard against them. Everybody we knew seemed to use McAfee, so that's what we bought. I must tell you that after seeing what some other products can do I am not that impressed with McAfee anymore. One reason is that McAfee tends to misdiagnose some viruses. This is a problem because if your computer is infected with virus A, but McAfee thinks it's virus B, it will attempt to disinfect a virus that's not there, which can badly mess things up on your system. I will say that if you are a casual computer user, McAfee is probably all you'll ever need, because it is easy to use and it does a good job disinfecting most common viruses. I still use McAfee just because it's there, but I never take its word as gospel.
The second program I use is called F-Prot from Frisk Software. I like F-Prot quite a bit because it uses two different methods to scan for viruses. It uses signature-based scanning like all other programs, but it also uses heuristics. What the hell does that mean? All antivirus scanners look for known viruses by searching your files for short, characteristic byte sequences called signatures, or search strings. Each virus the program recognizes has a signature associated with it, along with the data needed to disinfect it if that is possible. F-Prot goes a step further. In addition to detecting known viruses through search strings, it analyzes your files to see whether they contain virus-like code: time-triggered events, routines that search for .com and .exe files, hooking of the DOS program-load function so that the virus can execute first and then start the program, disk writes that go straight to the BIOS and bypass DOS, and so on. Heuristics is a relatively new but effective way to find viruses for which no search string has yet been defined. Its price is the occasional false alarm on a legitimate program that happens to do these same things, so a heuristic warning means "look closer", not "infected". From tests that I have run, F-Prot seems to make the most accurate diagnoses of viruses.
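The two methods described above, as an added example that is not part of the original article and is not code from F-Prot or any other product it names: a toy scanner, written here in Python, that checks a file first for the signatures of known viruses and then for the kinds of code a heuristic scanner looks for. The signature, the rule weights and the three sample files are constructed for the demonstration; the byte patterns in the rules are the x86 encodings of the DOS and BIOS calls named in the comments.

```python
"""A toy signature-plus-heuristic scanner for DOS executables.

Added example, not code from the original article or from any product it
names.  The signature and the three sample "files" are constructed here;
no real virus code is included.
"""
from __future__ import annotations

# A signature is a short byte string taken from a known virus.  This one is
# made up for the demo.
SIGNATURES = {
    "Demo.Constructed": bytes.fromhex("E9 00 00 90 90 DE AD BE EF"),
}

# Heuristic rules: (what it means, x86 byte pattern, weight).  Each pattern is
# the 16-bit encoding of a DOS or BIOS call a replicating virus needs:
#   B4 4E CD 21     mov ah,4Eh / int 21h   find first file (hunting victims)
#   B4 03 CD 13     mov ah,03h / int 13h   BIOS sector write, bypassing DOS
#   B8 21 25 CD 21  mov ax,2521h / int 21h set the INT 21h vector (hook DOS so
#                                          the virus sees every program load)
#   B4 31 CD 21     mov ah,31h / int 21h   terminate and stay resident
#   CD 27           int 27h                older TSR call
HEURISTICS = [
    ("searches for files (INT 21h AH=4Eh)",     b"\xB4\x4E\xCD\x21",     1),
    ("direct BIOS disk write (INT 13h AH=03h)", b"\xB4\x03\xCD\x13",     2),
    ("hooks INT 21h (AX=2521h)",                b"\xB8\x21\x25\xCD\x21", 2),
    ("stays resident (INT 21h AH=31h)",         b"\xB4\x31\xCD\x21",     1),
    ("stays resident (INT 27h)",                b"\xCD\x27",             1),
    ("wildcard for .COM victims",               b"*.COM",                1),
    ("wildcard for .EXE victims",               b"*.EXE",                1),
]
SUSPICIOUS = 4   # score at which an unknown file is reported (chosen by hand)

def scan_signatures(data: bytes) -> list[str]:
    """Names of known viruses whose signature occurs in the data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def scan_heuristics(data: bytes) -> tuple[int, list[str]]:
    """Weighted score plus the descriptions of the rules that fired."""
    score, hits = 0, []
    for meaning, pattern, weight in HEURISTICS:
        if pattern in data:
            score += weight
            hits.append(meaning)
    return score, hits

def scan(data: bytes) -> dict:
    """Combine both methods.  A signature match is definite; heuristics alone
    only justify "suspicious", because legitimate TSRs and disk utilities do
    these same things."""
    known = scan_signatures(data)
    score, hits = scan_heuristics(data)
    verdict = "infected" if known else "suspicious" if score >= SUSPICIOUS else "clean"
    return {"verdict": verdict, "known": known, "score": score, "hits": hits}

# Constructed samples (bytes of a .com image, which DOS loads at offset 100h).
# 1. Prints "Hello" with INT 21h AH=09h, then exits with AH=4Ch: no rule fires.
CLEAN_COM = b"\xBA\x0B\x01\xB4\x09\xCD\x21\xB4\x4C\xCD\x21" + b"Hello$"
# 2. Unknown replicator: no signature on file, but it looks for *.COM, hooks
#    INT 21h and goes resident.
UNKNOWN_COM = (b"\xE9\x10\x00" + b"\x00" * 16
               + b"\xB4\x4E\xCD\x21" + b"*.COM\x00"
               + b"\xB8\x21\x25\xCD\x21" + b"\xB4\x31\xCD\x21")
# 3. A known sample: the clean program with the demo signature appended.
KNOWN_COM = CLEAN_COM + SIGNATURES["Demo.Constructed"]

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_COM), ("unknown", UNKNOWN_COM), ("known", KNOWN_COM)]:
        print(label, scan(sample))
```

The split between "infected" and "suspicious" is the point: a signature identifies one specific virus and can be paired with disinfection data, while a heuristic hit only says that the file behaves like a virus, which is why a product should never try to "clean" on a heuristic result alone.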
The third program I use, and my main line of defense is called Thunderbyte from Thunderbyte
B.B. Thunderbyte is a complete set of utilities that, when used together, protect your computer
against virtually any kind of attack. Thunderbyte's scanner also uses signatures and heuristics. It
is also able to decrypt encrypted viruses to determine what they are. As I stated earlier, F-Prot makes more accurate assessments, but Thunderbyte does not have to rely on its assessments to be able to clean a virus off your system. This is because Thunderbyte generates a file in each of your directories containing a detailed record of each executable file (the vehicle by which viruses spread), so that if your programs are hit by a virus, no matter which one it is, it can rebuild them to their original, uninfected state. Of course, this doesn't fix the problem I discussed earlier about viruses that encrypt data, but the program also has a defense against this.
Thunderbyte comes with a set of memory-resident utilities that monitor the activity of your
system so that you can stop a potential problem before it starts. These utilities scan your
programs for viruses upon execution, as well as whenever you download, copy, or unzip a file,
warn you about disk writes that bypass DOS, attempts to modify the code of your programs,
attempts by programs to remain in memory, and a myriad of other operations that would require
pages and pages of technical explanation. In short, these utilities give you complete control of
your computer, and any suspicious action that a program tries to take can only be done with your
permission. Mcafee and f-prot also contain memory-resident monitoring programs, but they can
only stop known viruses from executing. Finally, Thunderbyte also contains a utility that will
store your master boot record, partition table, and CMOS data on a floppy disk, and restore them
if they become corrupted.
All three of these programs have shareware versions. In fact, F-Prot's shareware version for DOS is fully functioning and free to private users. Thunderbyte's shareware version is also free to private users, but if you have the memory-resident utilities installed, the program will beep at you during bootup, remind you to register, and make you press a key to continue. This can be scary for a speech user whose screen reading software has not yet been loaded, because there's no way to tell whether the program is beeping because it found a virus or because it just wants you to register. Shareware versions of these programs can be downloaded from just about any BBS. I encourage you to try them out for yourself. If you want to read reviews of these programs, as well as many others, you can telnet to:
freenet.victoria.bc.ca
Log in as "guest" and type "go virus" from the main menu.
Another great source of virus information is the VIRUS-L discussion list, which is echoed in the newsgroup comp.virus. To subscribe to VIRUS-L, put the command:
SUB VIRUS-L John Doe
(substituting, of course, your own name for "John Doe") in the BODY of an email message, and send it to:
LISTSERV@LEHIGH.EDU
A listing of additional sources of virus and antivirus information, including the virus-
l/comp.virus FAQ, can be found at the end of this document.

Myths & Pointers


This last section is intended simply to give you some pointers and dispel some myths about viruses. First, I have heard people say that if you have a virus in your master boot record, typing:
fdisk /mbr
will get rid of it. This method is dangerous. "fdisk /mbr" rewrites only the program code in the master boot sector; the partition table it finds there is left exactly as it is. Many master boot record viruses scramble or move the hard disk's partition table and keep the only usable copy for themselves, decoding it on the fly while they are resident, so it is actually the virus that is letting you access the hard disk. If you boot from a clean diskette, the virus is not active to descramble the partition table and the hard disk is inaccessible. If you then use "fdisk /mbr", you overwrite the virus with generic code: the virus is gone, but the partition table is still scrambled and your data is still out of reach. In a case like this you need to restore the original master boot record and partition table from the copy you saved on your clean boot diskette.
Let's talk about the greatly feared pkzip300 virus. Pkzip300 is not a virus: it does not replicate. Rather, it is a Trojan horse, a program that is supposed to do one thing (in this case, pose as version 3.0 of the PKZIP archiver) but does something entirely different, usually destructive, when executed. I have seen statements to the effect of, "don't download or extract this file under any circumstances. It will format your hard disk and ruin your high-speed modem." Again, it's just a regular computer program. You could download it and decompress it and nothing, I repeat, nothing would happen! The only way this program could hurt you is if you executed it yourself.
And what about the Good News or Good Times virus? It's a big hoax!!! Every few months a widespread panic arises on the internet when news of a horrific virus hidden in email is forwarded and reforwarded through cyberspace. The warning is basically the same every time: a seemingly reliable source, such as the FCC or IBM, has supposedly issued a statement that if you download a message with the subject line "good news" or "good times", your whole hard drive will be erased. The truth is that you cannot infect your computer by reading the text of an email message. A message is just text, and text is displayed, not executed; a binary program (a category that includes Word documents and Excel spreadsheets, as we saw above) cannot run from inside a plain text message. Even if you receive a text message containing a binary program that has been encoded as text, you are still safe, because decoding it only writes the program to disk. Nothing is executed until you type the program's name to run it. Of course, if you receive a program this way you should scan it for viruses after decoding it but before running it, and the same rule applies to programs sent to you as attachments: scan them before running them. In short, as long as your mail reader only displays a message as text, an email with no attachments cannot carry a virus, no matter what the subject line reads. If it does carry an attachment, scan the attachment for viruses before running the program, opening the Word document in Word, or opening the Excel spreadsheet in Excel.
The main thing to remember when dealing with viruses is not to panic. Viruses do not have
mystical powers. They are computer programs that have to conform to the constraints of all other
programs. They can only do their dirty work if they are executed. I personally have about 5000
of them on my computer, (I downloaded them when I was testing antivirus software for my
company), and not one of them has gotten loose and infected my system. That is because I
simply did not execute any of them. Having a good antivirus strategy in place can prevent almost
any type of attack before it happens. As long as you are virus-conscious, not virus-paranoid, you
can prevent or recover from anything.

Glossary
MBR: Master Boot Record
The master boot record is a small program stored in the first sector of the hard disk (cylinder 0, head 0, sector 1), which the BIOS loads and executes automatically when the computer boots from that disk. The same sector also holds the partition table; the job of the MBR code is to read that table, find the active (bootable) partition, and load and run that partition's own boot sector, which in turn loads the operating system. Since the MBR executes so early in the boot process, before DOS and before any antivirus program, it is an excellent target for infection. An MBR virus overwrites the code in the sector with its own code so that it runs first. It generally copies the original sector to another place on the hard disk (an unused sector of the first track, for instance), installs itself in memory, and then passes control to the saved original so that the boot appears normal.

Partition Table
The partition table is a 64-byte table of four 16-byte entries stored at offset 446 (1BEh) of the master boot sector, just before the two-byte boot signature 55h AAh that ends the sector. Each entry records whether the partition is active, its type, and where it starts and ends on the disk; this is how the MBR code finds the boot code of the operating system it is to start. If you had both DOS and Linux installed on your hard drive, the partition table would contain the entries pointing to the boot sector of each. Boot sector viruses often move or encrypt this information, keeping the only readable copy for themselves.
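The glossary entries above for the MBR and the partition table, and the "fdisk /mbr" warning in Myths & Pointers, can be worked through with the following added example (not code from the article). It parses a 512-byte master boot sector, models a virus that scrambles the partition table in place, and shows that rewriting only the boot code leaves the table scrambled. The XOR key and the stand-in boot code and virus code are constructed; none of it is real boot code.

```python
"""Reading a master boot sector and seeing why "fdisk /mbr" can strand your data.

Added example, not code from the original article.  The sector images are
constructed with make_mbr(); the "virus" below only XORs the partition
table in place and contains no real boot code.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE        # 446: four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE    # 510: the 55 AA boot signature
ENTRY = "<B3BB3BII"         # status, CHS start, type, CHS end, LBA start, sector count

def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte master boot sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY, sector, TABLE_OFFSET + 16 * i)
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:
            continue                       # unused slot
        entries.append({"slot": i, "active": status == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def make_mbr(code: bytes, table: list) -> bytes:
    """Assemble a sector from boot code and (active, type, lba, count) tuples."""
    assert len(code) <= TABLE_OFFSET
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    for i, (active, ptype, lba, count) in enumerate(table):
        struct.pack_into(ENTRY, sector, TABLE_OFFSET + 16 * i,
                         0x80 if active else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)

# Stand-ins for real code (constructed; neither is usable x86 boot code).
GENERIC_BOOT_CODE = b"\xFA\x33\xC0" + b"\x90" * 40   # what FDISK /MBR would write
VIRUS_CODE = b"\xEB\x00" + b"\x90" * 60               # the infector's loader
KEY = 0x5A                                            # the virus's scrambling key

def _xor_table(sector: bytes) -> bytes:
    table = bytes(b ^ KEY for b in sector[TABLE_OFFSET:SIGNATURE_OFFSET])
    return sector[:TABLE_OFFSET] + table + sector[SIGNATURE_OFFSET:]

def infect_mbr(original: bytes) -> bytes:
    """Model of a table-scrambling MBR infector: its own code goes in front,
    and the partition table is XORed in place so only the virus can read it."""
    padded = VIRUS_CODE + b"\x00" * (TABLE_OFFSET - len(VIRUS_CODE))
    return _xor_table(padded + original[TABLE_OFFSET:])

def table_as_seen(sector: bytes, virus_resident: bool) -> list:
    """After a clean boot the table is read as stored; while the virus is
    resident its INT 13h hook unscrambles the table on every read."""
    return parse_partition_table(_xor_table(sector) if virus_resident else sector)

def fdisk_mbr(sector: bytes) -> bytes:
    """Model of FDISK /MBR: rewrite bytes 0..445 only; the partition table and
    signature are left exactly as found, scrambled or not."""
    pad = b"\x00" * (TABLE_OFFSET - len(GENERIC_BOOT_CODE))
    return GENERIC_BOOT_CODE + pad + sector[TABLE_OFFSET:]

if __name__ == "__main__":
    clean = make_mbr(GENERIC_BOOT_CODE, [(True, 0x06, 63, 2_000_000)])
    infected = infect_mbr(clean)
    print("virus resident:  ", table_as_seen(infected, True))
    print("clean boot:      ", table_as_seen(infected, False))
    print("after fdisk /mbr:", table_as_seen(fdisk_mbr(infected), False))
```

With the virus resident the table reads correctly; from a clean boot it is four garbage entries, and after fdisk_mbr() it is the same four garbage entries behind generic code. The only repair that works is writing back the saved copy of the original sector, which is what the boot-diskette utilities mentioned earlier store for you.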

CMOS
The CMOS (Complementary Metal Oxide Semiconductor, after the low-power chip technology it uses) is a small block of battery-backed memory on the motherboard that holds the BIOS setup: the number and types of drives, their sizes and geometry, the amount of RAM, the date and time, and so on. If its contents are lost or corrupted the computer cannot even find its own drives until the settings are re-entered, which is why a copy of the CMOS data belongs on your clean boot diskette. At the present time only a handful of viruses, most notably ExeBug, target the CMOS; ExeBug alters the floppy drive setting so that the machine boots from the infected hard disk even when a clean diskette is in drive A.

.com file
A .com file is a program whose name ends with the extension .com. It is the simplest executable format DOS has: a flat image of code and data of less than 64 KB, with no header at all, which DOS copies into memory at offset 100h of a single segment and starts at its first byte. The vast majority of PC-based viruses infect .com programs. There are several reasons for this. The most important are:
1) There is no header and no relocation information to adjust. A .com infector can simply append itself to the file and replace the first few bytes with a jump to its own code, saving the original bytes so that it can restore them and run the host afterwards. This is far easier to get right than rewriting an .exe header, and it is also why a .com infector that meets an .exe-format file wearing a .com name corrupts it.
2) .com programs are compact and simple, so there is less for the virus to get wrong, and a small increase in size is less likely to be noticed.
3) In DOS, except for internal commands, a .com file will always execute before any other program of the same name with a different extension: the search order is .com, then .exe, then .bat. For example, if you have three programs called chart.com, chart.exe, and chart.bat in the same directory, typing "chart" will execute chart.com. A special type of virus called a companion virus exploits this by searching for a file with an .exe extension and creating a hidden file of the same name with a .com extension containing the virus. Typing the program's name will then execute the virus first (since it has the .com extension), after which code in the virus starts the actual .exe program, so nothing looks wrong to the user. The .exe file itself is never modified, which is how companion viruses slip past integrity checkers that only watch the files they already know about.
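The search order and the companion trick, as an added example that is not part of the original article: a small Python model of how DOS resolves a typed name, and a check that lists .com files shadowing .exe files of the same base name. The directory listing is constructed.

```python
"""How DOS picks a program to run, and how a companion virus abuses the order.

Added example, not code from the original article.  The directory listing
is constructed; nothing here creates, hides or runs any file.
"""
from __future__ import annotations
from dataclasses import dataclass

SEARCH_ORDER = (".COM", ".EXE", ".BAT")   # DOS tries these in turn for a bare name

@dataclass(frozen=True)
class Entry:
    name: str             # DOS 8.3 name, e.g. "CHART.COM"
    size: int             # bytes
    hidden: bool = False  # the DIR-invisible attribute companions like to set

def resolve(command: str, entries: list[Entry]) -> Entry | None:
    """Return the entry DOS would execute for what the user typed.
    Internal commands (DIR, COPY, ...) are handled before this lookup and are
    not modelled here."""
    by_name = {e.name.upper(): e for e in entries}
    typed = command.upper()
    if "." in typed:                       # explicit extension: no search
        return by_name.get(typed)
    for ext in SEARCH_ORDER:
        if typed + ext in by_name:
            return by_name[typed + ext]
    return None

def find_companions(entries: list[Entry], small: int = 4096) -> list[tuple[str, str, list[str]]]:
    """Flag every .COM that shadows an .EXE of the same base name.
    Returns (com name, exe name, reasons).  A visible .COM beside an .EXE can
    be legitimate (some packages ship a small .COM loader), so each hit
    carries the evidence rather than a verdict."""
    by_name = {e.name.upper(): e for e in entries}
    hits = []
    for exe in entries:
        up = exe.name.upper()
        if not up.endswith(".EXE"):
            continue
        com = by_name.get(up[:-4] + ".COM")
        if com is None:
            continue
        reasons = []
        if com.hidden:
            reasons.append("hidden attribute set")
        if com.size <= small:
            reasons.append(f"only {com.size} bytes")
        hits.append((com.name, exe.name, reasons))
    return hits

# Constructed listing: CHART.COM plays the companion, WP.COM a plausible loader.
DIRECTORY = [
    Entry("CHART.EXE", 48210),
    Entry("CHART.COM", 812, hidden=True),
    Entry("CHART.BAT", 34),
    Entry("EDIT.COM", 413),
    Entry("WP.EXE", 290112),
    Entry("WP.COM", 1024),
]

if __name__ == "__main__":
    for cmd in ("chart", "chart.exe", "wp", "edit"):
        hit = resolve(cmd, DIRECTORY)
        print(f"{cmd:10} -> {hit.name if hit else 'Bad command or file name'}")
    for com, exe, why in find_companions(DIRECTORY):
        print(f"{com} shadows {exe}: {', '.join(why) or 'no red flags'}")
```

Typing the full name with its extension ("chart.exe") skips the search order entirely, which is the quickest way to confirm that the real program still works while the shadowing .com is investigated.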

.exe file
A .exe file is the most common type of program in the PC world. It can be larger than 64 KB and use several segments, at the price of a header that the DOS loader must process before the program runs. The header begins with the signature "MZ" and tells the loader how big the program is (a count of 512-byte pages plus the number of bytes used on the last page), how big the header itself is, where the initial stack and entry point are, and which addresses must be relocated once the loader knows where in memory the program will sit. Viruses that can infect .exe files generally have a better chance of surviving because there are more places in an .exe file for a virus to hide. The header size is stored in 16-byte paragraphs and linkers commonly round it up to 512 bytes, while the fields and relocation table it actually contains often occupy far less, leaving a run of unused, zero-filled space between the end of the header data and the start of the program. This space is a perfect place for a small virus to hide itself. Since the virus only fills unused space already in the file, the size of the infected file does not change, making the infection much more inconspicuous.
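The .exe header described above, together with the earlier point that a file named .com may really be an .exe, as an added example that is not part of the original article. The code reads the fields of an MZ header, computes the size the loader will use and the unused space inside the header, and classifies a file by its contents rather than its extension. The sample image and the file name MEMMGR.COM are constructed.

```python
"""Reading a DOS .exe (MZ) header: declared size, header cavity, format by content.

Added example, not code from the original article.  build_exe() makes a
minimal MZ image for illustration; it is not a real program.
"""
from __future__ import annotations
import struct

MZ_HEADER = "<2s13H"                          # signature plus the 13 fixed 16-bit fields
MZ_HEADER_LEN = struct.calcsize(MZ_HEADER)    # 28 bytes

def parse_mz(data: bytes) -> dict | None:
    """Return the interesting header values, or None if this is not an MZ image.
    DOS decides by the first two bytes ("MZ", or "ZM" from some linkers),
    never by the file extension."""
    if len(data) < MZ_HEADER_LEN or data[:2] not in (b"MZ", b"ZM"):
        return None
    (_, cblp, cp, crlc, cparhdr, _minalloc, _maxalloc, _ss, _sp, _csum,
     ip, cs, lfarlc, _ovno) = struct.unpack_from(MZ_HEADER, data)
    header_bytes = cparhdr * 16                              # stored in paragraphs
    declared = (cp - 1) * 512 + cblp if cblp else cp * 512   # 512-byte pages, last one partial
    reloc_end = lfarlc + crlc * 4                            # end of the relocation table
    return {
        "header_bytes": header_bytes,
        "declared_size": declared,
        "cavity": max(0, header_bytes - reloc_end),  # unused header space a virus could fill
        "overlay": len(data) - declared,             # bytes past what the loader will load
        "entry": (cs, ip),
    }

def build_exe(code: bytes, header_paragraphs: int = 32, relocs: int = 0) -> bytes:
    """Constructed minimal MZ image: a 512-byte header (as many linkers emit)
    followed by the code.  The relocation table, if any, is left zero-filled."""
    header_bytes = header_paragraphs * 16
    cp, cblp = divmod(header_bytes + len(code), 512)
    if cblp:
        cp += 1
    fixed = struct.pack(MZ_HEADER, b"MZ", cblp, cp, relocs, header_paragraphs,
                        0, 0xFFFF, 0, 0x100, 0, 0, 0, MZ_HEADER_LEN, 0)
    return fixed + b"\x00" * (header_bytes - len(fixed)) + code

def classify(filename: str, data: bytes) -> str:
    """Compare what the extension says with what the bytes say."""
    ext = filename.upper().rsplit(".", 1)[-1]
    is_mz = parse_mz(data) is not None
    if is_mz and ext == "EXE":
        return "exe"
    if is_mz:
        return f"exe-image-named-{ext.lower()}"   # the kind of file a .com infector wrecks
    if ext == "COM":
        return "com"
    return f"flat-image-named-{ext.lower()}"

# Constructed samples: a 4-byte "exit" program (mov ah,4Ch / int 21h) as a flat
# .com image, and the same code wrapped in an MZ header.
HELLO_COM = b"\xB4\x4C\xCD\x21"
MEMMGR_COM = build_exe(HELLO_COM)   # hypothetical memory-manager file with a .COM name

if __name__ == "__main__":
    print(parse_mz(MEMMGR_COM))
    print(classify("MEMMGR.COM", MEMMGR_COM), classify("HELLO.COM", HELLO_COM))
    print("overlay of a sloppily appended copy:", parse_mz(MEMMGR_COM + b"\x90" * 300)["overlay"])
```

A 512-byte header whose relocation table ends at byte 28 leaves 484 bytes of cavity, which is the "blank space" the glossary describes. A non-zero overlay (bytes past the declared size) is only a sign of a careless append; a competent .exe infector updates the page count and entry point, so an integrity record of the original header, not a size check, is what catches it.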

TSR
TSR stands for Terminate and Stay Resident. A TSR program returns control to DOS after it runs but leaves part of itself in memory (DOS provides INT 21h function 31h, and the older INT 27h, for this). Programs such as memory managers, disk caching software, and device drivers reserve a section of your computer's memory this way so that they can keep performing their function for as long as the system is turned on. Many viruses stay resident so they can spread to other disks and programs faster and more transparently, boot sector viruses by their nature (they run before DOS is even loaded) and many file infectors as well, typically by hooking the DOS and BIOS interrupts so that they see every program that is run and every disk that is accessed. A resident virus is also much harder to detect, because it can monitor every action taken by your computer and cover its tracks accordingly, for example by returning the original, clean contents whenever a scanner reads an infected file or boot sector (a so-called stealth virus).

The opinions expressed in this article are solely my own and do not necessarily reflect the views
of my employer, MicroLine, Inc., and further are not intended as endorsements for any of the
products mentioned therein.
Bob Kanish, kanish@concentric.net
