

Boot viruses are especially dangerous because they can spread from anything that has a boot sector. Every floppy disk, even an allegedly blank or data-only one, carries a boot sector and can therefore carry a boot virus. Inserting the disk is not enough by itself: the virus runs when the computer boots, or merely attempts to boot, from the infected floppy. It then loads into RAM and from there infects the boot sector of the hard disk and of every other disk the computer accesses. A cold reboot clears the virus from memory, but only if the hard disk's own boot sector has not already been infected; otherwise the virus simply reloads on the next boot.

Multi-Partite. Multi-partite viruses combine the characteristics of file and boot viruses. They spread as easily as a file virus, yet also plant an infection in a boot sector, so cleaning the infected files without also cleaning the boot sector (or the reverse) leaves a foothold from which the infection returns. This makes them very difficult to eradicate.

File Overwriters. The term is loosely applied to file viruses that link themselves to an executable program while keeping the program intact. Strictly speaking, a true overwriting virus replaces the beginning of its host with its own code and leaves the program unable to run, which gives it away quickly; the kind described here, a parasitic infector that prepends or appends itself and passes control back to the host, keeps the program working so that the infection goes unnoticed. Executing the program also executes the virus, which attempts to add itself to as many other files as possible. Such viruses often have no purpose other than replication, but even then they consume disk space and slow performance, and a buggy infection routine may damage or destroy files inadvertently.

Stealth. Stealth viruses are engineered to elude detection by traditional antivirus checkers; some also target and disable the detection function of a commercial antivirus product. A stealth virus stays resident in memory and intercepts the system's MS-DOS service calls (file open, read, and directory listing), returning the original contents, size, and date of an infected file so that it appears uninfected to any program that asks. From memory it can then infect every floppy diskette and logical drive the system accesses. Because such a virus infects on file access, an antivirus scanner run on an infected system can actually help it propagate: each file the scanner opens and closes is another chance to spread. Scanners should therefore be run after a cold boot from a known-clean, write-protected diskette, so that no virus is resident to lie to them or to ride along.

Polymorphic. Polymorphic viruses include a mutation engine that changes the virus's code each time it replicates. The virus body is stored encrypted, with a different key, and often a different encryption routine, in each copy; a short decryption routine restores the body to its normal state when the virus executes. The only bytes a scanner could hope to match are those of the decryptor, so the mutation engine rewrites the decryptor as well in every generation (swapping registers, reordering instructions, inserting junk code) until no fixed byte sequence survives from one copy to the next. This defeats first-generation virus scanners, which operate by checking code for exact matches with known virus code.

Virus authors can obtain polymorphic engines that take a non-polymorphic virus as input and output the same virus with polymorphic qualities. The availability of such engines has made the authoring of polymorphic viruses a simple, straightforward task. As a result, at the time of writing the number of polymorphic viruses was doubling about every eight months: more than 200 polymorphic viruses produced by these engines were known, and another 50 that do not use an engine. The latest generation, the superfast polymorphic infector, is memory resident and infects .COM and .EXE files when they are merely accessed, not only when they are launched; running a directory listing is enough to trigger it, so it can lay waste to every executable in every directory on a PC's hard disk.

Macro-Based. Macro-based viruses are the newest innovation. A macro virus is unusual because it infects documents instead of programs: the document carries executable macros, and those macros are the virus. It is the first virus that can cross platforms, infecting both PCs and Macintoshes, because it runs wherever the host application runs. The one known form at the time of writing, written in WordBasic and referred to by Microsoft as the Prank Macro (better known as Concept), infects only Microsoft Word 6.0 files. The virus is not destructive; it simply adds nonsense Word macros to documents (.DOC) and templates (.DOT). Although Prank is not really destructive, its implications for the future are disturbing, because it has introduced an entirely new method for viruses to spread: any document exchanged by disk or electronic mail can now carry an infection, and the traditional advice to distrust only programs no longer holds.

Common Spread Scenarios

Viruses spread through organizations in several ways, including through shared machines, shared diskettes, popular programs, and LAN servers.

Shared Machines. Viruses spread throughout an organization most commonly through shared machines. A computer used by many different people can serve as a center of infection. If a user runs an infected program on the machine, the infection has probably spread to programs on the machine’s hard disk. If other users bring their own diskettes to run on the machine, the diskettes and any programs on them are likely to become infected. The diskette will probably carry the infection to other machines.

Shared Diskettes. Many diskettes, such as diagnostic diskettes, product demos, or company manuals, are routinely carried from machine to machine. If such a diskette becomes infected, the infection can quickly spread to many machines.

Popular Programs. Popular games, demos, or animations often cause the user who obtains a copy to want to pass it on to other people. If one of these programs becomes infected, the infection can spread quickly to many machines.

LAN Servers. If a program on a LAN server used by many workstations becomes infected, a large percentage of the LAN workstations can become infected very quickly (sometimes within an hour or two). One common mistake is to store the LAN logon program in a directory to which anyone on the LAN can write. With that setup, if any single workstation on the LAN becomes infected, the logon program is infected almost at once, and then every workstation that logs on to the LAN is infected immediately afterward. Shared executables, the logon program above all, belong in read-only directories that only the administrator can write to, and the server itself should be scanned regularly.

HOW TO DISCOVER A VIRUS

Viruses can continue replicating until they are detected. The best-crafted viruses show no symptoms that reveal their presence. However, many viruses are flawed and betray their presence with some of these indications:

  Changes in the length of programs.
  Changes in a file's date or time stamp.
  Longer program load times.
  Slower system operation.
  Reduced available memory (a resident virus occupies RAM) or disk space.
  Newly reported bad sectors on a floppy diskette or hard disk (some boot viruses hide their code in clusters they mark bad).
  Unusual error messages.
  Unusual screen activity.
  Failed program execution.
  Failed system boot-ups, or an unexpected message when the machine accidentally boots from a diskette left in the A: drive.
  Unexpected writes to a drive (the drive light comes on when nothing should be writing).

Instead of waiting for a sign, network managers should use the appropriate tools to seek out viruses before they spread far enough to compound the problem. The ideal is to repel them before they infect the system at all.
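One tool of that kind is an integrity checker, which turns the first symptoms in the list above (changes in a program's length and date or time stamp) into a mechanical comparison against a recorded baseline. The script below is an added example written for this page, not a product described in the chapter: it records the size, modification time and SHA-256 digest of every program file under a directory and reports what changed, including the case where an infector appends code but puts the original timestamp back. The suffix list, the sample files and the simulated infection are constructed for the demonstration. Because it reads files through the operating system, it must be run after a cold boot from clean, write-protected media; a resident stealth virus would otherwise hand it the original, uninfected view of each file.

```python
"""Baseline-and-compare integrity check for program files.

Added example for this page (not from the chapter). Records size,
modification time and SHA-256 of every program file under a directory,
then reports what changed. Sample files and the simulated infection in
demo() are constructed; the suffix list is an assumption.
"""
import hashlib
import os
import tempfile

# DOS-era executable suffixes; assumed for the example, extend as needed.
PROGRAM_SUFFIXES = (".com", ".exe", ".sys", ".ovl")


def digest(path):
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> size, mtime and digest for every program file under root.

    Store the result on write-protected media: a baseline the virus can
    rewrite is worthless.
    """
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PROGRAM_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": digest(full),
            }
    return baseline


def compare(baseline, current):
    """Return sorted (path, reason) findings for every difference.

    The digest is the authoritative check: many infectors restore the
    file's date and time after writing to it, so an unchanged timestamp
    proves nothing. An equal digest with a changed timestamp is reported
    too, since it is still one of the symptoms listed above.
    """
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
        elif new["sha256"] != old["sha256"]:
            if new["size"] != old["size"]:
                findings.append((rel, f"length changed {old['size']} -> {new['size']}"))
            else:
                findings.append((rel, "contents changed, length unchanged"))
        elif new["mtime_ns"] != old["mtime_ns"]:
            findings.append((rel, "timestamp changed, contents unchanged"))
    for rel in current.keys() - baseline.keys():
        findings.append((rel, "new program file"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline two fake programs, then 'infect' one by
    appending 64 bytes and putting the original timestamp back, as an
    appending file infector would. Returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"LOGIN.EXE": b"MZ" + b"\x00" * 510, "EDIT.COM": b"\xe9\x00\x00" * 40}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        target = os.path.join(root, "LOGIN.EXE")
        st = os.stat(target)
        with open(target, "ab") as f:
            f.write(b"\x90" * 64)                               # appended code, constructed
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore date/time
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

In the constructed run the restored timestamp hides nothing: LOGIN.EXE is reported as having grown from 512 to 576 bytes because the digest and size no longer match the baseline. Run the baseline pass on a freshly installed machine, keep the output off the machine, and repeat the comparison from a clean boot whenever the symptoms above appear.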

STANDARD APPROACHES TO FIGHTING VIRUSES

There are several ways to combat viruses. Computer viruses have become increasingly cunning in their programming and ability to avoid detection or eradication. However, virus-fighting tools have also grown through several generations to meet the challenge. Some of the various approaches are described in the following sections.

Signature-Based Scanners

Traditionally, virus scanners look for known virus code and alert the user when they find a match. The leading scanners are signature-based. A signature is a short sequence of bytes unique to a single virus, analogous to a DNA strand in a biological virus. Virus researchers and antivirus product developers catalog known viruses and their signatures, and scanners use these catalogs to search for viruses on a user's system. The best scanners have an exhaustive inventory of all viruses known to exist and examine every possible location for infection, including boot sectors, system memory, and files. The approach has a structural limit: it finds only viruses that have already been captured, analyzed, and added to the catalog, so a scanner is only as good as its latest update, and a signature taken from too short or too common a byte sequence produces false alarms on legitimate programs.
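The following is an added example, not code from the chapter or from any vendor's product, showing the mechanics of such a scanner in miniature. Signatures are written as hex byte strings in which "??" is a one-byte wildcard for a spot that varies from sample to sample (a stored key, an offset), and the same matcher is run over a 512-byte boot-sector image and over file contents. Every signature and every "infected" sample is constructed and harmless; the mutated sample illustrates the point made under Polymorphic above, that a fixed-string signature misses a variant whose bytes the mutation engine has changed.

```python
"""Signature scanner in miniature: hex patterns with '??' wildcards, run over
file contents and over a 512-byte boot-sector image.

Added example for this page; not the chapter's code and not a vendor's
engine. All signatures and samples are constructed and harmless.
"""
import re

# name -> hex byte string; '??' matches any single byte. Constructed patterns,
# not real virus code.
SIGNATURES = {
    "Demo.Boot.A": "fa 33 c0 8e d0 bc 00 7c ?? ?? 1f eb",
    "Demo.File.A": "b8 ?? ?? cd 21 e8 00 00 5d 81 ed",
}


def compile_signature(hexpat):
    """Build a bytes regex: fixed bytes become escaped literals, '??' becomes '.'."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in hexpat.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def scan_bytes(data):
    """Names of every signature found anywhere in data, sorted."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_boot_sector(sector):
    """A boot sector is exactly 512 bytes ending in the 55 AA marker."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a boot-sector image")
    return scan_bytes(sector)


def scan_file(path):
    """Scan a whole file; fine for DOS-sized executables."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def demo():
    """Constructed samples: a clean boot sector, an infected one, an infected
    .COM image, and a mutated copy of the same infection."""
    clean_boot = bytearray(512)
    clean_boot[0:3] = b"\xeb\x3c\x90"          # typical DOS boot-sector jump
    clean_boot[510:512] = b"\x55\xaa"

    infected_boot = bytearray(512)
    infected_boot[0:12] = bytes.fromhex("fa 33 c0 8e d0 bc 00 7c 12 34 1f eb")
    infected_boot[510:512] = b"\x55\xaa"

    host = b"\xe9\x00\x00" + b"\x90" * 13          # tiny .COM stand-in
    infected_com = host + bytes.fromhex("b8 00 01 cd 21 e8 00 00 5d 81 ed")
    # Same logic with one register swapped (b8 -> b9), as a mutation engine
    # might do; the fixed-string signature no longer matches.
    mutated_com = host + bytes.fromhex("b9 00 01 cd 21 e8 00 00 5d 81 ed")

    return {
        "clean_boot": scan_boot_sector(bytes(clean_boot)),
        "infected_boot": scan_boot_sector(bytes(infected_boot)),
        "infected_com": scan_bytes(infected_com),
        "mutated_com": scan_bytes(mutated_com),
    }


if __name__ == "__main__":
    for sample, hits in demo().items():
        print(f"{sample}: {hits or 'clean'}")
```

The wildcards absorb the two bytes that differ between samples (the stored key or offset in the constructed patterns), which is how a single signature covers a family of otherwise identical copies. They do not help once the decryptor itself is rewritten, which is why the mutated .COM sample comes back clean and why later scanner generations added emulation and heuristics on top of signatures. As with the integrity checker, run the scan from a clean boot: a resident stealth virus can return the original bytes of any file the scanner opens.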



Copyright © CRC Press LLC