CyberSafety: Computer Viruses

by Alan Zisman (c) 2003, 2006 

Ukrainian translation by Anna Matesh at: http://eustudiesweb.com/cybersafety-computer-viruses/

Computer viruses are among the best-known problems affecting online users. The dangers of computer viruses have gotten a lot of attention (not always accurately) from newspapers and radio and TV news. The good news is that they’re easily controlled. The bad news is that despite that, far too many people fail to take simple precautions and so viruses, old and new, continue to spread. 

Some History

Computer viruses have been present for at least twenty years. Early viruses were identified as early as 1981, spreading on Apple II floppy diskettes. By 1986, viruses were spreading to the now-popular IBM-PC type of personal computer, the ancestor of most of today’s computers.

Most of these early viruses were so-called boot sector viruses. These were actually relatively difficult to catch. They spread via floppy diskettes, but even if you used an infected diskette, your computer would only be infected if the disk was inserted at the time the computer was booting. When it tried (and usually failed) to boot from the floppy diskette, the computer read the floppy’s boot sector, which contained the virus code, which then spread to the computer hard drive’s boot sector. Then, if an uninfected floppy diskette was in the drive when the computer was rebooted, the virus would spread to that diskette’s boot sector, potentially infecting other computers.

Often, infected computers would display a message near the start of boot: “Your computer is stoned. Legalize Marijuana” read the message on computers infected with the Stoned Virus. Along with the boot message, these viruses could cause various types of damage or reduce computer performance.

By the late 1980s, file infectors were also becoming common: viruses that changed a standard computer program, such as the main DOS file Command.com, and were loaded into memory when the infected file was run. 

In 1988 a related type of infection, an Internet worm, got a lot of publicity when a grad student’s ‘experiment’ got out of hand, replicating itself much more quickly than he had anticipated. It quickly spread to a large percentage of the computers connected to this early Internet, clogging the Net with its attempts to spread further. In 1992, a virus named Michelangelo got quite a lot of press, with the prediction that it would cause massive damage on the painter’s birthday. Actually, its effects were quite limited, especially compared to the hype.

By the mid-1990s, a new type of virus became prevalent. Macro viruses were written in the macro languages included with popular applications—most often Microsoft Word. Attached to specific documents, when the document was loaded, the macro infected the program’s macro library, attaching itself to all documents subsequently opened with that copy of the application. Besides spreading themselves, macro viruses could also be programmed to damage files on the host computer.

1998 saw the appearance of Trojans, starting with Back Orifice (a pun on Microsoft’s Back Office application). These programs are installed by innocent users thinking they are legitimate programs—and may have legitimate functions. But they enable outsiders to take control of the infected computer. 1999’s Melissa combined a Word macro virus with code that also infected Outlook and Outlook Express, sending itself via email to people listed in the address book. Infecting Outlook and Outlook Express has become the most common way for virus infections to spread in the early part of the new decade.

Viruses have been found for Internet-enabled phones, for Palm PDAs, and on most computer platforms, but the most common targets, by far, are Windows-powered computers, particularly via the Outlook and Outlook Express email programs. Trojans are often spread by users of instant messaging software (ICQ, AOL Messenger, MSN Messenger, etc) and among peer-to-peer file-sharing networks.

Worms infecting Web servers and SQL database servers gained in popularity in 2002/03. While these don’t infect individual users, they can have the effect of slowing or shutting down whole sections of the Internet, indirectly affecting millions of users. Sadly, in most cases, these could have been prevented if network system administrators had made sure they were up-to-date on patching their servers’ operating systems and server software. In August 2003, the Blaster worm infected many ordinary users, and a relative shut down Air Canada's reservations system. Again, users who had bothered to get Microsoft's mid-July critical update were safe from this infection.

Also in August 2003, the Sobig virus apparently was designed to allow infected computers to be used to help distribute spam.

(More detail on the history of viruses can be found at http://www.cknow.com/vtutor/vthistory.htm which was the source for this discussion. The New York Times, in February 2004 ran a piece called The Virus Underground looking at some of the people who actually create computer viruses and worms: http://www.nytimes.com/2004/02/08/magazine/08WORMS.html (free registration required)).

And definitions…

According to well-known anti-virus software producer McAfee: 

* What is a Virus?
A virus is a manmade program or piece of code that causes an unexpected, usually negative, event. Viruses are often disguised games or images with clever marketing titles such as “Me, nude.” 

* What is a Worm?
Computer Worms are viruses that reside in the active memory of a computer and duplicate themselves. They may send copies of themselves to other computers, such as through email or Internet Relay Chat (IRC). 

* What is a Trojan Horse?
A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive. 

Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses.
(http://www.mcafee.com/anti-virus/default.asp)

PC Magazine (July 2004) talked to a 16 year old Dutch virus writer; read the article (http://www.pcmag.com/article2/0,1759,1612207,00.asp) to find out why he does it.

What to do (or what not to do)…

Boot sector, file infectors, Word macro viruses, and other early types are still in the wild, and may be encountered from time to time. But by far, the most prevalent type of infectors are spread as e-mail attachments. If you want to avoid getting infected, the answer is simple: don’t open email attachments. Receiving an infected attachment does not, by itself, infect your computer—your computer is only infected when you double-click on the attachment, running it.

One way to avoid infected attachments is to not be connected to the Internet. But that’s too drastic a step for most of us. Instead, a little common-sense and self-discipline goes a long way. Don’t open attachments, even if they appear to be from someone you know. Ever. (Note that you can still get infected from files or boot-sector viruses on floppy diskettes).

Unless the attachment meets the following criteria:
* It’s from someone you know
* You were expecting to receive it or
* You’ve written the sender and confirmed that they intended to send it to you
Even then, you may want to be suspicious if, for instance:
* The attachment is a program file (file extension ending in EXE, BAT, PIF, or COM)
* The attachment is a screen saver (file extension ending in SCR)
* The attachment has two file extensions, with the first one appearing to be a document like a JPG (image) and the last one a program or screen saver.
When in doubt, rather than opening the attachment, be suspicious.
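The attachment checks above (program and screen-saver extensions, and a document-like extension hiding in front of a program extension) can be written down as a small checker. This is an added example, not part of the original tutorial; the list of document-like decoy extensions and the function names are my own assumptions, and it also shows what Windows displays when file extensions are hidden.

```python
"""Check e-mail attachment names against the warning signs listed above.

Constructed example: the program/screen-saver extension lists come from the
tutorial; the document-extension decoy list and function names are assumptions.
"""

# Program files and screen savers, as named in the tutorial.
PROGRAM_EXTENSIONS = {"exe", "bat", "pif", "com"}
SCREENSAVER_EXTENSIONS = {"scr"}
RUNNABLE_EXTENSIONS = PROGRAM_EXTENSIONS | SCREENSAVER_EXTENSIONS

# Extensions that look like documents or images (assumed list). In a
# double-extension name such as "photo.jpg.exe" one of these sits in front
# of the real extension.
DOCUMENT_EXTENSIONS = {
    "jpg", "jpeg", "gif", "bmp", "png", "doc", "xls", "txt", "pdf", "htm", "html", "zip",
}


def split_extensions(filename):
    """Return the lower-cased extensions of a name, in order.
    'Me, nude.JPG.exe' -> ['jpg', 'exe']; a name with no dot -> []."""
    parts = filename.strip().lower().split(".")
    return [p for p in parts[1:] if p]


def shown_with_extensions_hidden(filename):
    """What Windows shows when 'Hide extensions for known file types' is on:
    only the final extension is dropped, so 'friends.jpg.scr' appears as
    'friends.jpg' and 'friends.scr' appears as plain 'friends'."""
    stem, dot, ext = filename.rpartition(".")
    return stem if dot and ext else filename


def classify_attachment(filename):
    """Return the tutorial's reasons to be suspicious of an attachment name.

    An empty list means none of the listed warning signs applied; it does not
    mean the file is safe, so the other rules (were you expecting it? did the
    sender confirm it?) still apply.
    """
    reasons = []
    exts = split_extensions(filename)
    if not exts:
        return reasons
    last = exts[-1]
    if last in PROGRAM_EXTENSIONS:
        reasons.append("program file (." + last + ")")
    if last in SCREENSAVER_EXTENSIONS:
        reasons.append("screen saver (." + last + ")")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in RUNNABLE_EXTENSIONS:
        reasons.append(
            "double extension: looks like a ." + exts[-2] + " but runs as a ." + last
        )
    return reasons


if __name__ == "__main__":
    # Constructed sample names, including the one described in the tutorial.
    for name in ["friends.scr", "Me, nude.jpg.exe", "minutes.doc", "photo.gif"]:
        verdict = classify_attachment(name) or ["no listed warning sign"]
        shown = shown_with_extensions_hidden(name)
        print(f"{name!r} (shown as {shown!r} with extensions hidden): {'; '.join(verdict)}")
```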

In order to be properly suspicious, you need to have done a few things:
* Have your email program put any attached files some place where you can easily see them. I use the computer Desktop for that. 
* Make sure that you’ve set your computer to always display file extensions. This is not the Windows default (unfortunately). See the previous part of this tutorial if you don’t know how to do that.
* Be disciplined. On my desktop, there’s a cute green heart-shaped icon labeled ‘friends.scr’ that came in an email message addressed to me from someone named friendshipforu. The message subject said “Best Friends !!” Could something that friendly be nasty? You bet!
* When in doubt, check. Go to Google.com and type (for example) ‘friends.scr’ in the search field. Very quickly, I discovered that this was a well-known attachment of the W32/Yaha.B virus.
* Even if you don’t find anything about that particular attachment, be suspicious. It may be a new virus, too new to have made it into Google. Or it may be an old virus with a new name. If it seems suspicious, treat it as guilty until proven innocent.

Don’t trust your friends if messages bearing attachments appear without warning—no matter how close a friend or how cute the letter or attachment. Some viruses send themselves to names appearing in infected computers’ address books but with From: addresses like ‘friendshipforu’; others steal names and addresses from the address books and paste them into the From: field as well as the To: field. So strangers can be getting virus-bearing messages that appear to have been sent by you or even from me! That doesn’t make it so.

Hoaxes

Another variation on viruses is the virus hoax email message. Here, people receive a warning about a new virus, usually from someone they know, and are urged to spread the word to everyone they know. Often, the message claims that the warning originated with Microsoft, IBM, NASA, or some other well-known organization.

For example, I received the following warning from a colleague (note the all-caps):

PLEASE, SEND THIS INFORMATION TO EVERY PERSON IN YOUR ADDRESS BOOK. IF YOU RECEIVE AN E-MAIL THAT READS "UPGRADE INTERNET2" DO NOT OPEN IT, AS IT CONTAINS AN EXECUTABLE NAMED "PERRIN.EXE." IT WILL ERASE ALL THE DATA IN YOUR HARD DRIVE AND IT WILL STAY IN MEMORY.... THIS INFORMATION WAS PUBLISHED YESTERDAY IN THE CNN WEB SITE.... CHECK THE LIST BELOW, SENT BY IBM, WITH THE NAMES OF SOME E-MAILS THAT, IF RECEIVED, SHOULD NOT BE OPENED AND MUST BE DELETED IMMEDIATELY, BECAUSE THEY CONTAIN ATTACHED VIRUSES…

Almost always, these warnings are untrue. Because they tend to spread out of control, they duplicate like a virus, taking up the time and energy of thousands or millions of users. Rest assured; Microsoft (et al) do not spread warnings about security problems via email, and do not encourage end-users to tell everyone they know.

Some hoaxes have been more dangerous. At least one spread the word that if a user checked for the existence of a certain file, it meant they were infected, and should delete that file. Too bad that file was a normally installed part of Windows, and deleting it caused problems.

A number of online sites keep track of virus hoaxes. If you receive a warning about a virus, check with one of these first. Some examples include:
Symantec: http://www.symantec.com/avcenter/hoax.html
McAfee: http://vil.mcafee.com/hoax.asp
Hoaxbusters: http://hoaxbusters.ciac.org/
VMyths: http://www.vmyths.com/

Check out any claims before spreading a virus warning further.

More dangerous hoaxes are email messages bearing attachments that claim to be legitimate security patches coming from Microsoft or other sources. For example, September 2003 saw the W32.Swen virus, transmitted along with a very well-designed message that apparently was from Microsoft, bearing what it claimed was an important security fix. Microsoft does not contact end-users via e-mail; rather than fixing a security problem, the attachment infected the user's computer and hijacked Outlook or Outlook Express email software to spread itself further.

Antivirus software

Despite my earlier suggestion that you can avoid infection by being self-disciplined about opening file attachments, every one of us should (in addition to being careful) run an up-to-date antivirus program. Even if you are responsible and don’t open email attachments you may still become infected with a virus:
* You may run into one of the older virus types on a floppy diskette or a Word document or some other way
* Some other user may be sitting at your computer and may, without thinking, open an email attachment
* A new and ‘improved’ virus may start to spread that (for example) runs a destructive Java applet from HTML text embedded in an email message, without actually appearing as a downloaded file. Or something.

Antivirus software is always being updated to recognize new viruses. As a result, it is important to keep whatever software you are using up-to-date. Most modern AV software can be set to download new virus definitions on a regular basis. Weekly is probably a good time-period to check; some people with an always-on Internet connection may want to set their software to check for new definitions daily.

Even so, don’t count on any AV software to be 100% effective. The software companies are always responding to new viruses, which means that the new virus has to appear in the wild first—infecting someone, before the AV software will become aware of it. In the interval, one of the computers that may receive the new virus variety may be yours. I’ve twice received suspicious-looking attachments that weren’t picked up by my AV software, even when I manually went and downloaded the program’s latest virus definitions. Because I didn’t trust the attachments, I avoided opening them and sent them (with explanation) to my AV software provider… in each case, later that day, they were identified as new viruses.

The best defense is a combination of an up-to-date AV program, common-sense, and paranoia.

There are a number of good commercial AV programs. The most common were reviewed in the April 22, 2003 issue of PC Magazine; their review can be found online at: http://www.pcmag.com/article2/0,4149,989867,00.asp. Their editors’ choice was awarded to Symantec’s Norton AntiVirus 2003. They concluded: “Norton AntiVirus 2003 gets our top rating for delivering both excellent protection and foolproof ease of use. It has the best interface of all the products, it scans all files by default, and its mail protection scans the contents of ZIP files before they're sent from your PC. NAV also has a stellar lifetime record on independent certification tests. 

As for the rest, PC-cillin 2003's built-in firewall and free phone support are appealing. McAfee VirusScan Home Edition 7.0 offers admirable fine-grain controls, but it requires too much knowledge on the part of inexperienced users when a virus is encountered. For power users, speed mavens, and those who want exact control over antivirus software settings: NOD32 is your baby. It had less than half the impact on system performance of the next-fastest personal av product, and it lets you choose details such as the level of heuristics to use.”

However, the latest versions of NAV are now charging an annual renewal fee to continue automatically getting virus definitions (I believe you can manually download new virus definitions without paying the renewal fee), and the company is reported to be implementing ‘digital-rights management’ to ensure that a single purchased copy is only installed on a single computer. All within their rights, of course, but driving up the costs for home users.

Other well-known commercial AV packages include McAfee VirusScan, Panda, and PC-Cillin. Also worth considering are free virus programs. A list of free AV programs is posted at: http://www.thefreesite.com/Free_Software/Anti_virus_freeware/. The cash-strapped Vancouver School Board, for example, recently replaced McAfee on thousands of school office, classroom, and computer lab systems with the free version of AVG Antivirus (http://free.grisoft.com/freeweb.php). I'm particularly partial to the free Avast Antivirus (http://www.avast.com/eng/down_home.html). I've started using this one on my systems, and it seems to be working well. Particularly nice is the way that it quietly updates itself in the background. (Note: When using Avast, you need to right-click on the program's window to access the options... remember, when in doubt, right-click!)

You can find reviews and links to ten free antivirus programs at: http://www.freeanti-virussoftware.net/

If you don’t have AV software currently installed and are afraid that you might be infected with a virus, several of the AV vendors offer free online virus-scanning services, letting you check your computer right now, for any of thousands of possible viruses. Don’t be in a rush—a full scan of your system will take a while.

Some other online virus scanning sites (thanks to Charles Scaglione for these):

TrendMicro: http://housecall.antivirus.com
F-Secure: http://support.f-secure.com/enu/home/ols.shtml
McAfee: http://www.mcafee.com/myapps/mfs/default.asp
BitDefender: http://www.bitdefender.com/scan/license.php

Note that all of these require ActiveX controls and work best (or perhaps only) when run from Internet Explorer.

If you are pretty sure you are infected with a particular virus variant, Symantec at: http://securityresponse.symantec.com/avcenter/tools.list.html offers automated removal tools, along with instructions for manual removal of a large number of viruses.

PC Magazine (November 8 2005) reviewed three free antivirus programs: Avast, AVG, and AntiVir PE. Check their detailed reviews at:
http://www.pcmag.com/article2/0,1895,1865516,00.asp

Check your options

No matter what AV software you choose to use, pay attention to its various options. The default settings may not reflect the way you want the program to run. You might want to adjust the frequency that the program checks for updated virus definitions, or change the day of the week or time of day when it checks. You may want it to run completely unattended in the background, or you may want to know what wants to download and install onto your system.

You may want to change the default behaviour if it discovers a virus. Should it delete the offending file? Try to repair it? (They rarely succeed) Quarantine it? Should it inform you or do it quietly behind the scenes? How often should you schedule scans of your entire system (and at what times of day or night)? Should the program scan all files? Inside compressed Zip files? Just the most commonly infected types of files?

Can you use the program to make boot floppies (usually you’ll need more than one) enabling you to run the AV software without booting to a possibly-infected hard drive? If so, do so—make the floppy disk set and store them in a safe place.

Become familiar with the AV software you choose. 

The other option

The vast bulk of viruses affect firstly systems running Microsoft Windows and secondarily Microsoft Outlook and/or Outlook Express email software. Most of what’s left consists of older viruses attacking Microsoft Word or Excel. It’s not that virus authors are necessarily anti-Microsoft, but that’s where most of the potential victims are. Moreover, Microsoft has made it easy for virus writers. For example, when Microsoft made Visual Basic for Applications a common macro-language across its various Office applications, it gave virus writers a programming tool with immense power and few built-in limitations. Most users don’t use macros, but Office’s programmers wanted to empower and make it easier for those few users (typically in large corporations) who did extend the Office programs in that way. The result, however, was that millions of other users were put at risk from macro viruses.

Limiting exposure to those particular products, then, also limits (though doesn’t completely eliminate) the risk of virus infection. Consider replacing Outlook Express with Eudora Mail, Netscape Mail, Mozilla Thunderbird or some other email program. Consider replacing Microsoft Office with Corel WordPerfect, Lotus SmartSuite, or the free open source Open Office. Consider replacing Windows with the Mac operating system (and hardware) or Linux (which can run on your existing PC hardware). While there are viruses for these systems, they are far, far fewer in number and frequency. For instance: Norton Antivirus for Windows currently claims to detect some 63,000 different virus variants. I can’t find a similar number for Norton Antivirus for Mac, but the number of native viruses for the Macintosh platform is probably in the few dozens. Even Microsoft Outlook Express for Mac isn’t susceptible to Windows Outlook Express viruses.

This is not necessarily an extremist point of view. For instance, in September 2001, a ZDNet columnist suggested: “Ban Outlook Now” (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2814683,00.html)

New and dangerous (March 2004):

Hot off the presses... three new variants of the Bagle virus (P, Q, and R) are reported to not use attachments, but to be able to infect a computer when the message itself is viewed. When the message is viewed, it opens a computer port, automatically downloading the infection-bearing program from another infected computer. (Sort of like peer-to-peer file sharing). Infected computers can be controlled remotely from other computers. Some of the message titles used by this virus appear to be security warnings, and it may come with apparent From: addresses making it look like it's from network or ISP administrators.

The general warnings about not opening suspicious-looking file attachments now need to be taken a step further; users should not even view email messages from strangers, even those claiming to be from corporate network administrators. It's not clear to me at this time whether viewing messages in email preview panes is enough to trigger the virus; to be on the safe side, I recommend turning off this feature (turned on by default in most email and webmail software). (Turning off the preview pane will also help control spam).

The future:

In March 2006, CNET's Robert Vamosi suggested that we'll be seeing far fewer large-scale virus attacks but a greater number of virus variants, fine-tuned for specific purposes. (http://reviews.cnet.com/4520-3513_7-6462429-1.html?tag=nl.e501) He relates these to the increase in so-called 'crimeware', including identity theft and the creation of networks of 'bots' for extortion related to denial-of-service attacks on corporate networks. He also suggests that this flood of virtually individualized viruses may become more difficult for traditional antivirus applications to handle.

Homework

* Make sure your system is set up to display file extensions for all files
* Make sure you know where email file attachments are being saved on your system
* Go to one of the listed websites offering information on virus hoaxes and check for ‘perrin.exe’ 
* Go to Symantec’s online virus check and let it scan your system
* (If it finds you are infected, clean the infection using one of Symantec’s automated tools or manual instructions)
* If you have an AV program installed, make sure the virus definitions are up to date and look over the program’s options. 
* If you don’t currently have an AV program installed, download and install the free AVG or Avast Antivirus. Make sure its virus definitions are up to date. Look over the program’s options.
* Make a set of boot floppies with your AV program.
* Think about whether you could replace any Microsoft products with more secure alternatives

The CyberSafety course includes the following modules:

Introduction
Know your PC
Computer Viruses
Email and Spam
Firewalls
Spyware
Networks and wireless issues

Links
 
Or cut to the chase with 7 Steps to Internet Security

updated 20 March 2006

Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan