VirusesWelcome! Viruses can seem mysterious but computer viruses are
actually quite easy to understand. Our web site is dedicated to demystifying how
viruses and anti-virus products work.
I'll give you the information you need know to make sure that your PC is safe
from viruses and all the other threats that may damage your programs and data.
In these pages I'll explain exactly what viruses are, how they work, and how to
protect against them.
Viruses are actually very simple. Once you understand exactly what they can
and cannot do, it's much easier to take appropriate precautions. While we'll be
spending most of our time talking about viruses, I'll also cover the threats
that are much more likely than viruses to damage your programs and data.
Although I'll occasionally touch on some rather esoteric or complex topics, you
won't need to be a "techy" to understand this text or to find it useful in your
day-to-day use of your computer. I will go one step at a time and I will explain
all the concepts and jargon clearly before I use the terms. I'll also focus on
practical information that will help you protect your PC. Everyone should
benefit from reading these pages; those of you that are experts will be able to
skip the background information, yet I will still explain everything clearly for
those of you that are new to PCs.
Let me quickly introduce myself. I am Wolfgang Stiller, the primary
developer of Integrity Master,
a leading anti-virus and data integrity package for the IBM PC. Most of my
comments therefore are specific to the IBM PC but don't worry if you are on
another platform, the general virus principals hold true for any computer.
You may be wondering why you should bother to read this text. You already
have anti-virus software on your PC, so why should you need to actually
understand any of this stuff? One reason is that your anti-virus software may
not be giving you the protection you think it is. You'll learn how to determine
what your software can and cannot do. Another reason is that viruses are but one
threat to your programs and data; I'll explain how to protect yourself fully.
You may even be wondering if viruses are really worth worrying about at all.
Do you think you're safe because you rarely download software or buy only from a
trusted retailer? Are viruses really a serious threat to your PC or are viruses
mostly hype? Let me begin by quickly putting this issue into perspective.
Viruses and anti-virus programs are not really the mysterious, complex, and hard
to understand software that many people consider them to be. Not only can these
programs be understood by anyone, but these days, it's critical that we all
fully grasp how they work so as to to protect ourselves.
What Do Viruses
Do?I'm going to present an easy to understand but detailed explanation of
viruses and other types of malicious software. For now, it's enough to
understand that viruses are potentially destructive software that spreads from
program to program or from disk to disk. Computer viruses, like biological
viruses, need a host to infect; in the case of computer viruses this host is an
innocent program. If such a program is transferred to your PC, other programs on
your PC will become infected. (I'll shortly explain in more detail how this
happens.) Even though some viruses do not intentionally damage your data, I
consider all viruses to be malicious software since they modify your programs
without your permission with occasional disastrous results.
The bottom line is that if you have a virus, you are no longer in control of
your PC. Every time you boot your PC or execute a program the virus may also be
executing and spreading its infection. While most viruses haven't been written
to be destructive, almost all viruses can cause damage to your files--mostly
because the viruses themselves are very poorly written programs. If
viruses destroy nothing else, they destroy your trust in your PC--something that
is quite valuable.
Are Viruses Mostly Hype?Unfortunately not! There is some confusion
about this issue because some extreme claims have been made regarding numbers of
viruses and how likely you are to become infected. During the Michelangelo media
extravaganza in early 1991, some exaggerated figures were presented in the media
which led some people to suspect that all viruses were nothing but hype. One
company was quoted in Information Week that based on their reports, one out of
four PCs was infected every month! (I won't speculate on the motivation for
these type of claims.) You may also hear reports of there being from ten to
thirty thousand different PC viruses with the number expected to double in six
to nine months. So, are we faced with impending doom? No, not quite. The truth
is viruses are very wide-spread but a relatively small number (about
one-hundred) account for ninety percent of all infections. Most of the twenty
thousand viruses in our collection are so poorly written that they will not
spread in the real world. Many of these viruses are created by kids that can't
even program. They use automated viruses creation programs that produce very
poor quality viruses. These viruses are so obvious that they rarely spread in
the wild. Still, viruses are a real threat that we can't afford to ignore.
Viruses have been found on brand-new PCs, direct from the manufacturer, and on
shrink-wrapped software, direct from the publisher. Viruses are not merely hype
and no one is safe from potentially being infected. If you value your data and
programs, you have to take some precautions.
How Serious Are viruses?Viruses are a problem but they are not the main
thing you should be concerned about. There are many other threats to your
programs and data that are much more likely to harm you than viruses.
Problems such as hardware glitches, software conflicts, software bugs,
and even typos are much more likely to cause undetected damage to your data than
viruses. A well known anti-virus researcher once said that you have
more to fear from a spilled cup of coffee than from viruses. While the growth in
number of viruses now puts this statement into question, it's still clear that
there are many more occurrences of data corruption from other causes than from
viruses. So, does this mean that viruses are nothing to worry about?
Emphatically, no! It just means that we need to address the other threats to our
data as well as viruses. Because viruses have been deliberately written to
invade and possibly damage your PC, they are the most difficult threat to guard
against. It's pretty easy to understand the threat that disk failure represents
and what to do about it, but the threat of viruses is much more difficult to
GuidelinesIt's important to keep viruses in perspective. They are but one
threat to your data and programs. They need not be regarded as mysterious and
they are quite easy to understand. Here are a few tips to keep in mind when
- You can only get a virus by executing an infected program or booting from
an infected diskette. Any diskette can be infected by a boot sector virus, even
- You cannot get a virus simply by being on a BBS, the internet, or an
online service. You will only become infected if you download an infected file
and execute that file. (It's important to understand that Microsoft Office
files act as executable programs since they can contain macro programs that
are executed when 'open' the file; so, to be safe, a MicroSoft Word document
or Excel Spreadsheet should not be opened with the actual Microsoft
application but rather with a viewer program such as those available from the
Microsoft web site or simply disgarded.)
- Most viruses are transferred by booting from an infected diskette (e.g,
Stoned, Form, Stealth-B, AntiExe, Monkey). Remove diskettes from your A drive
as soon as you are through with the diskette. If your CMOS permits it, change
your boot order to boot from your hard disk first. If you don't know what CMOS
is, check the manual for your PC; there is normally an option when you boot
your PC to hit a specific key to enter CMOS setup. This allows you to change
many options on your PC.
- Make sure you have at least two backups for all of your files. Backups are
essential not only to safely recover from virus infections, but also to
recover from the other threats to your data.
- Be sure to check all new software for viruses. Even shrink-wrapped
software from a major publisher may contain a virus.
Software attacks against your
computer:Viruses are one specific type of program written deliberately to
cause harm to someone's computer or to use that computer in an unauthorized way.
There are many forms of malicious software; sometimes the media calls all
malicious software viruses, but it's important to understand the distinction
between the various types. Let's examine the different types of malicious
- Logic Bombs
- Just like a real bomb, a logic bomb will lie dormant until triggered by
some event. The trigger can be a specific date, the number of times executed,
a random number, or even a specific event such as deletion of an employee's
payroll record. When the logic bomb is triggered it will usually do something
unpleasant. This can range from changing a random byte of data somewhere on
your disk to making the entire disk unreadable. The changing of random data on
disk may be the most insidious attack since it would do a lot of damage before
it would be detected.
- These are named after the Trojan horse which delivered soldiers into the
city of Troy. Likewise, a trojan program is a delivery vehicle for some
destructive code (such as a logic bomb or a virus) onto a computer. The trojan
program appears to be a useful program, but when a certain event occurs, it
will attack your PC in some way.
- A worm is a self-reproducing program which does not infect other programs
as a virus will, but instead creates copies of itself, which create even more
copies. These are usually seen on networks and on multi-processing operating
systems, where the worm will create copies of itself which are also executed.
Each new copy will create more copies quickly clogging the system. The so
called Morris ARPANET/INTERNET "virus" was actually a worm. It created copies
of itself through the ARPA network, eventually bringing the network to its
knees. It did not infect other programs as a virus would, but simply kept
creating copies of itself which would then execute and try to spread to other
- Here's our definition:
A virus is a program which reproduces its own code by attaching
itself to other programs in such a way that the virus code is executed when
the infected program is executed.
You could also say that the virus must do this without the permission or
knowledge of the user.
What Viruses Do:Our virus definition is very general and covers all
viruses. Let's consider specifically how this works. Viruses are programs just
like any other on your PC. They consist of instructions for (what I like to call
"code") that your computer executes. What makes viruses special is that they do
their "job" by placing self-replicating code in other programs, so that when
those other programs are executed, even more programs are "infected" with the
self-replicating code. "Self-replicating code" is simply a program that copies
itself to other programs. This self-replicating code, when triggered by some
event, may do a potentially harmful act to your computer--but this is strictly
optional. Only a minority of viruses contain deliberately destructive code. You
could say that viruses are distributed in the form of a trojan. In other words,
the virus code has been planted in some useful program. Since the virus infects
other useful programs, absolutely any piece of executable code can suddenly
become a trojan delivery vehicle for the virus.
Another way of looking at viruses is simply to consider them to be a program
which can create copies of itself. These copies are inserted in other programs
(infecting these programs). When one of these other programs is executed, the
virus code (which was inserted in that program) executes, and places copies of
itself in even more programs.
You'll notice that I used the word "attach" in our definition of a virus.
This is because viruses can "attach" themselves to a program without directly
modifying that program. This might seem hard to believe at this point, but I'll
explain later exactly how they accomplish this trick.
When you consider our definition of viruses, it's important to understand
that "programs" may exist in places that you don't expect. For example, all
diskettes contain boot sectors which are "programs" that are executed when you
boot your PC and Microsoft Office files (such as MS Word Documents and
Excel Spread Sheets) can contain macros which are "programs" that can be
executed when you open these files.
General Virus BehaviorViruses come in a
great many different forms, but they all potentially have two phases to their
execution, the infection phase and the attack phase:
that we've examined general virus behavior, let's take a closer look at the two
major categories of viruses and how they operate.
- When the virus executes it will infect other programs. What is often not
clearly understood is precisely when it will infect the other programs. Some
viruses infect other programs each time they are executed, other viruses
infect only upon a certain trigger. This trigger could by anything; it could
be a day or time, an external event on your PC, a counter within the virus
etc. Some viruses are very selective about when they infect programs; this is
vital to the virus's survival. If the virus infects too often, it is more
likely to be discovered before it can spread far. Virus writers want their
programs to spread as far as possible before anyone detects them. This brings
up an important point which bears repeating:
It is a serious mistake to execute a program a few times -- find nothing
infected and presume there are no viruses in the program. You can never be
sure that the virus simply hasn't triggered its infection phase!
Many viruses go resident in the memory of your PC just as a terminate and
stay resident (TSR) program such as Sidekick(R) does. This means the virus can
wait for some external event such as inserting a diskette, copying a file, or
executing a program to actually infect another program. This makes these
viruses very dangerous since it's hard to guess what trigger condition they
use for their infection. Resident viruses frequently corrupt the system
software on the PC to hide their existence.
- The second phase is the attack phase. Many viruses do unpleasant things
such as deleting files or changing random data on your disk, simulating typos
or merely slowing your PC down; some viruses do less harmful things such as
playing music or creating messages or animation on your screen. Just as the
virus's infection phase can be triggered by some event, the attack phase also
has its own trigger. Viruses usually delay revealing their presence by
launching their attack only after they have had ample opportunity to spread.
This means that the attack may be delayed for years after the initial
infection. The attack phase is optional, many viruses simply reproduce and
have no trigger for an attack phase. Does this mean that these are "good"
viruses? No, unfortunately not! Anything that writes itself to your disk
without your permission is stealing storage and CPU cycles. This is made worse
since viruses which "just infect", with no attack phase, damage the programs
or disks they infect. This is not intentional on the part of the virus, but
simply a result of the fact that many viruses contain extremely poor quality
code. One of the most common viruses, the STONED virus is not intentionally
harmful. Unfortunately the author did not anticipate other than 360K floppy
disks, with the result that the virus will try to hide its own code in an area
on 1.2mb diskettes which causes corruption of the entire diskette.
System Sector Viruses (AKA Boot Sector Viruses)These are viruses which
plant themselves in your system sectors. System sectors are special areas on
your disk containing programs that are executed when you boot your PC. Sectors
are not files but simply small areas on your disk that your hardware reads in
single chunks. Under DOS, sectors are most commonly 512 bytes in length. These
sectors are invisible to normal programs but are vital for correct operation of
your PC. They are a common target for viruses. There are two types of system
sectors found on DOS PCs, DOS boot sectors and partition sectors (also known as
Master Boot Records or MBRs). If the term boot sector is new to you, then please
read the page on system sectors for more details on why system sectors are important and
how they work.
System sector viruses (also commonly referred to as boot sector viruses)
modify the program in either the DOS boot sector or the partition sector. Since
there isn't much room in the system sector (only 512 bytes), these viruses often
have to hide their code somewhere else on the disk. These viruses sometimes
cause problems when this spot already contains data which is then overwritten.
Some viruses, such as the Pakistani BRAIN virus mark the spot where they hide
their code as having bad sectors. This is one reason to be alarmed if CHKDSK or
Scandisk suddenly reports additional bad sectors on your disk. These viruses
usually go resident in memory on your PC, and infect any floppy disk which you
access. Simply doing a DIR on a floppy disk may cause it to be infected. Some
viruses will infect your diskette as soon as you close the drive door. Since
they are active in memory (resident), they can hide their presence. If BRAIN is
active on your PC, and you use a sector editor to look at the boot sector of an infected
diskette, the virus will intercept the attempt to read the infected boot sector
and return instead a saved image of the original boot sector. You will see the
normal boot sector instead of the infected version. Viruses which do this are
known as stealth viruses. In addition to infecting diskettes, some system sector
viruses spread by also infecting files.
File VirusesIn terms of sheer number of viruses, these are the most
common kind. The simplest file viruses work by locating a type of file that they
know how to infect (usually a file name ending in ".COM" or ".EXE") and
overwriting part of the program they are infecting. When this program is
executed, the virus code executes and infects more files. These overwriting
viruses do not tend to be very successful since the overwritten program rarely
continues to function correctly and the virus is almost immediately discovered.
The more sophisticated file viruses modify the program so that the original
instructions are saved and executed after the virus finishes. Just as system
sector viruses can remain resident in memory and use "stealth" techniques to
hide their presence, file viruses can hide this way also. If you do a directory
listing, you will not see any increase in the length of the file and if you
attempt to read the file, the virus will intercept the request and return your
original uninfected program to you. This can sometimes be used to your
advantage. If you have a "stealth" virus (such as 4096 or Dir-2), you can copy
your program files (*.EXE and *.COM files) to files with other extensions and
allow the virus to automatically disinfect your files! If you "COPY *.COM
*.CON", and then cold boot your PC from a known good copy of DOS and "REN *.CON
*.COM", this will disinfect the renamed files.
Be aware that many file viruses (such as 4096 which is also known as Frodo)
also infect overlay files as well as the more usual *.COM and *.EXE files.
Overlay files have various extensions, but ".OVR" and ".OVL" are common
Macro VirusesThere is particular type of file virus that that many
people don't understand. These are the files from the MicroSoft Office
applications (e.g, MS Word, MS Excel, MS Access, etc.). These programs all have
their own macro languages (a BASIC like language) built in. The associated files
(MS Word documents or templates and MS Excel spreadsheet files) are usually
thought of only as data files so many people are surprised that they can be
infected. But these files can contain programs (the macro language) that are
executed when you load one of these files into the associated product. The
program inside of these files is interpreted by the MS Office application. What
is now a language originally began as a very simple macro language that the user
could use to combine keystrokes to automate some routine function. The macro
language in these products has since grown substantially and now is a fully
capable language based on Visual Basic (VBA). Since anything that contains a
program can potentially be infected by a virus, these files can harbor viruses.
Read about the the threat of MS
Word macro viruses (e.g., Concept) or MS Excel Macro Viruses.
What gives these viruses a chance to execute is the fact that Microsoft has
defined special macros that will automatically execute. The mere act of opening
an infected MS Word document or an infected MS Excel spread sheet can allow the
virus macros to be executed. (One simple prevention for this type of virus is to
use the freely available (from Microsoft) viewer programs to rather than MS Word
or MS Excel to view these type of files. Even MS Access database files (*.mdb
files) can contain macro viruses. Read about: MS Access Macro Viruses.
Macro viruses have been very successful because most people regarded
spreadsheets and documents as data, not as programs (and because many anti-virus
programs were very slow to address this threat). If you use a mail reader or Web
browser, it is very important to use a viewer rather than the full MS Office
program (i.e, MS Word or MS Excel) if you want to automatically open downloaded
MS Word documents or MS Excel spreadsheets.
By now you should have a pretty good idea of how viruses work and what they are
likely to do to your PC. You are now ready to continue and read about:
Learn how Integrity Master can protect
Back To The Stiller Research Home
Copyright © 1994-1999 Stiller Research. Document
Last Modified May 25, 2001