Windows 98 Professional Reference

- 18 -
Viruses in Windows 98

• Understanding Malicious Programs
  • Understanding Virus Types
  • Understanding How Viruses Infect Files
  • Understanding Virus Creation
  • Understanding Viral Transmission
  • Recognizing Viruses
• Preventing Viruses
• Conclusion

At 9:05 a.m. you get a call from a user: She just arrived at work and her computer won't boot and she's frustrated. You head off to her desk, but before getting there you're paged to call another extension. Stopping to use a phone in the hallway, you speak to another user, complaining of the same problem. "Well, that's weird," you think to yourself. Going to the first user's computer, you try another boot, only to discover that, although the hard disk seems to be working properly, it's acting as if the hard disk were wiped completely clean, without even a partition table or Master Boot Record (MBR). As you're looking the problem over, three other users from nearby see you, come over, and ask, "Is the network down? None of our computers will start up." Taking a quick look at one of their systems, you see the same

symptoms as the first system. More users see you, and start heading over to talk to you, obvious concern on their faces. "Hey, what's going on with all the computers?" they ask.

With a sinking feeling in the pit of your stomach, you suddenly realize what's happening: A virus must have gotten into the system, spread throughout all of the computers, and "dropped its payload," wiping out every computer's partition table and boot sector, and probably destroying all the files stored locally. You start thinking about the job ahead of you: Every system must be booted from a clean floppy disk, repartitioned, and reformatted; Windows 98 and all user applications must be reinstalled; and any backups (which must first be assured of being virus-free) must be restored. Each computer will take several hours to complete, and there are hundreds of computers to take care of. There's no way, with the staffing you have, to get this all done by tomorrow, even by the end of the week, even working 24-hour days, even bringing in outside help (who won't understand all of the standards and conventions used in your company). The entire company is shut down for the week, at best.

Thinking about the not-yet-installed network virus protection software still sitting on your desk, you think about having to explain what has happened to your bosses, their bosses, and eventually the CEO and Chairman--not to mention all of the users.

"Is a good reference worth it, or should I just go clean out my desk before they realize what's going on and lynch me?" you muse to yourself.

You've just been hit by a computer virus.

Understanding Malicious Programs

A computer virus is simply a software program that replicates itself. Often, viruses (not "virii" as some would think) are designed to replicate themselves without being detected, until triggered by some event to carry out other instructions. These other instructions, called the payload, may do any number of things, depending on the intentions of the programmer who wrote the virus. A payload might simply display an amusing or political message on the screen, or it might erase all files it can, or even destroy the computer's boot sectors and partition tables. The extent of the damage can be severe and far-reaching.

Viruses are not the only types of malicious programs in existence, but sometimes these other types of programs are mistaken for viruses. Malicious programs come in many forms:

• Viruses, already discussed, replicate themselves as many times as possible, usually in such a way that there is a good chance of their being transmitted to another computer, where they can continue to spread.
• Trojan Horses are programs that appear to have an innocent purpose, but carry out some undesired action after they are started. For instance, you may download a game from the Internet, and while you're using it, it's secretly erasing files on your hard disk. Trojan Horses are named for the mythical story in which Greek soldiers hid themselves in a giant horse placed outside the city of Troy. Mistaking it for a gift, the Trojans brought it into the city, and the Greeks emerged from the horse and attacked the city from within.
• Logic Bombs are pieces of code inserted into an otherwise useful program, and which carry out some action when triggered. For instance, a software program may have code that destroys itself unless the bomb's programmer disarms the logic bomb.
• Worms are programs that transmit themselves through a network, from one computer to another. They do not replicate themselves, generally. Worms may be designed to collect information about each system they visit and transmit the information (such as user lists) to another location, for example.

This chapter concerns itself primarily with viruses, because they pose the greatest threat and are relatively easy to protect against, provided you have the right information and take good precautions. The most important thing is to remember to take precautions before you have the lesson hammered into you, similar to the little scenario presented at the beginning of the chapter.

Another important thing to realize is that the threat from computer viruses is growing dramatically. Consider the growth rate of known viruses:

A study done by the National Computer Security Association (NCSA) and various members of the antivirus community revealed the following data:

• 90% of all surveyed sites with 500 or more PCs experienced a virus incident, in which 25 or more PCs were simultaneously affected, each month.
• In larger organizations, the likelihood of encountering a virus infection is about one chance per 100 PCs, per month.
• 30% of sites reported server downtime of 5.8 hours (average) from a single virus infection.
• Over 46% of sites that experienced virus incidents took more than 19 days to completely recover.
• 37% reported that single incidents cost close to $1,999, sometimes more.

Clearly, viruses are a major threat and are not to be taken lightly.

Understanding Virus Types

Viruses come in different varieties. In many cases, there could also be a number of slight variants on a particular theme, where a programmer modifies an existing virus to suit a particular whim (it's easier to do this than to write a new virus from scratch). Here are the main classifications of viruses:

• Boot Sector Viruses occupy the boot sectors of hard and floppy disks. A boot sector virus transmits itself by infecting a formatted floppy disk. All formatted disks, whether or not they are bootable, contain a small boot sector program (this program is what displays the message "Non system disk or disk error," should you accidentally leave it in the drive and boot the system). When such a disk is booted up, the boot sector of the hard disk is then infected, and subsequent floppy disks are then infected.
• Macro Viruses infect the documents of popular applications, such as Microsoft Word or Excel, and are written in the macro language of those applications. The number of known macro viruses has increased dramatically in recent years, starting from the first known macro virus called WM/Concept (WM stands for Word Macro) discovered just two years ago, to over 1,500 known macro viruses today. Macro viruses now account for the vast majority of virus infections. They spread rapidly because documents tend to be exchanged between computers much more frequently these days than disks and program files. Moreover, although most people know that programs can contain viruses, not everyone has yet learned that documents can, too.
• File Viruses typically infect executable files, such as .COM or .EXE files. They transmit themselves to other .COM and .EXE files on the system when you run an infected program.
• Polymorphic Viruses try to escape detection by constantly changing their sequence of instructions, which is what some virus scanners use to detect viruses. Often, they self-encrypt themselves, using different keys, to accomplish this feat. Some of these can mutate into as many as two billion different forms.
• Stealth Viruses help escape detection by "spoofing" certain commands in the operating system. For instance, they may cause the DIR command to fail to show an infected file's increased size, or modification date. When they are running and consuming system memory, they often hide this loss of memory, too.
• Multipartite Viruses combine qualities of both file and boot sector viruses. They typically enter through an executable program, and then infect the computer's boot sector when run.
• Companion Viruses take advantage of a trick in MS-DOS whereby a program with a .COM file extension is executed in favor of a program with an .EXE extension that shares the same filename. For instance, if you have a program called EDIT.EXE under MS-DOS, a virus might create a copy of itself as EDIT.COM. Simply typing EDIT and pressing Enter at the command line will execute the virus code instead of the intended program (and if the virus is well-written, it will automatically start EDIT.EXE for you once it's loaded, so that you don't notice what's happening).

---

When Is a Virus Actually a Virus?

---

With the growing ubiquity of email, a new sort of pseudovirus has emerged, which you might call the warning virus. Taking the form of emailed dire warnings about avoiding messages that have certain words in their subject lines (like "Good Times" or "Join the Crew"), these messages are often convincingly written, at least well enough to fool most users.
The simple fact is this: There is no known bona fide email that has ever usefully informed people about a virus. Furthermore, your system cannot be infected by a virus just because you open an email message and read it. Although downloading an attached program could invite a virus, you won't contract it by reading the message.
Other forms of these warning viruses also concern other, nonvirus-related, frauds. There are some that promise to donate a few cents to cancer research (or whatever) for every person you forward the message to. Often, these are just schemes to harvest email addresses, which are useful for sending out advertisements later.
Basically, the rule is this: Don't ever rely on emailed warnings about anything. Instead, check with reputable sources or web sites for correct information.
As a personal note, I'd urge you, as a fellow computer professional, to take a few minutes to reply to people who forward these types of messages and explain to them that the warning is probably a fraud, and that they do more harm than good by forwarding these messages to lots of people. I've found it useful to refer them to good web sites that contain information about such scams. One such site is www.urbanlegends.com. Or, better yet, search www.yahoo.com with the words "Urban Legends" and visit one of the many sites that publish this information.

---

Understanding How Viruses Infect Files

You should already understand how most programs function at the machine level. Every program is a series of machine language instructions, some of which jump to other locations in the program. Most viruses insert themselves into programs by inserting an unconditional jump instruction at the beginning of the program, which jumps to the end of the program file where the virus has been added. The virus instructions then execute, and finally execute another jump instruction back to where the original program left off. Using this method, a virus can be activated by these jump instructions anywhere in a program, although usually it's done at the very beginning. Viruses using this method of execution are called non-overwriters or appenders.

There are some viruses called overwriters that simply overlay program instructions with virus instructions. These viruses are easily detected, because your own program typically no longer operates in their presence.

Understanding Virus Creation

If you came to this section hoping for a tutorial on how to create viruses, you're going to be disappointed. The intention of this section is to point out that anyone with an Internet connection using one of the popular search engines can find all sorts of virus resources on various hacker sites. Some of the sites examined by this author when researching the chapter contained examples of program code useful for creating viruses (including source code for complete viruses), discussions on how to escape detection from virus scanners, and even entire "virus construction sets" which enable you to create a virus by using building blocks contained in the kits. You should realize that it's easy to create viruses, even if someone isn't otherwise a good enough programmer to be able to do it himself. All you need is the desire to do it.

Understanding Viral Transmission

Viruses spread through a number of different means, but always by the exchange of some program file between computers. As already discussed, the viral program files can inhabit programs, documents that support a sufficiently powerful macro language, or boot sectors on disks. The most common routes of transmission include the following:

• Downloaded documents or programs from the Internet
• Programs or documents sent as attachments to email messages
• Programs or documents shared on a network
• Floppy disks used on different computers, or sent from one person to another

A good prevention strategy must anticipate and handle all these possibilities.

Viruses tend to be classified as either fast infectors or slow infectors. A fast infector infects all files it can access, as rapidly as possible. A slow infector is more choosy about how and when it infects files, with the idea being that you're less likely to notice it and take steps to remove it. Slow infectors tend to be more dangerous because they can often do a lot of damage before being detected. However, antivirus software should detect both types of viruses equally well.

Windows 98 contains some features that help stop viral transmission, such as detecting changes to the Master Boot Record on the computer, and preventing certain low-level disk access attempts (such as attempts to change the MBR while Windows 98 is running). Newer versions of Microsoft Office also offer features that help you notice viral infection, such as alerting you when you open a document that contains an auto-executing macro, which could indicate a possible virus. However, these features just slow down viruses, and newer viruses invariably emerge that can counteract such measures.

Recognizing Viruses

Here's the only good news in this whole subject area: Most viruses are poorly written, and cause perceptible impacts to the operation of most computers. For instance, a virus-infected system might operate much more slowly, access the disk in ways that you don't expect, cause some programs to work incorrectly, or show other signs that a virus is present, such as mysteriously missing disk or memory space on the system.

So, any time a system is behaving in unexpected ways, you should add "viral infection" to your list of candidate causes, in addition to the more mundane possibilities of buggy programs, corrupted files, and failed hardware.

Preventing Viruses

If you think about the different ways that a virus gets onto a computer, it all boils down to one of three possible routes: through a network connection, a modem connection, or a floppy disk. To adequately protect a Windows 98 workstation, you should run antivirus software, which protects against all of these transmission sources.

Antivirus software automatically scans both the memory in the computer and the files accessed by the computer, either on-demand or on-access. On-demand scanning is when you deliberately use the antivirus software to scan all of the files on a disk, whereas on-access scanning automatically scans all files that are accessed (read or written) by the computer. Most antivirus programs employ both methods.

There are a quite a few antivirus programs from which you can choose, including the following popular packages:

• Norton AntiVirus from Symantec
• McAfee VirusScan from Network Associates
• F-Protect from FRISK Software International
• IBM AntiVirus
• Dr. Solomon's Anti-Virus

Not all antivirus programs are created equal, but the preceding programs are all well-known and have been around long enough to be trusted choices. Most antivirus programs for individual workstations cost between $50 and $150, although volume discounts are usually available if you are seeking a site license to protect multiple machines. All the products listed will scan the computer's memory, files, and disks, using both on-demand and on-access techniques.

In addition to workstation-based antivirus software, you should also implement file server antivirus software. Programs intended to run on NetWare and Windows NT Servers automatically scan files stored on them, and may even examine data streams transmitted through their network interfaces for virus signatures. Implementing a server-based solution closes another possible door to viral transmission. Most of the antivirus programs for desktop computers also have server-side versions, and they often work in concert with their desktop-based brethren. Also, since updating virus definition files can be a chore, it's a good idea to choose a package that helps you automate this process, through either a push agent or some other mechanism.

In addition to running antivirus software, which should be considered a requirement, also consider implementing the following policies and practices within your organization:

• Implement a good backup program, which includes the ability to restore files backed up at various times in the past. This may enable you to find a particular file and restore it from before it was infected.
• Ensure that software entering the organization is from reputable sources. There have been well-publicized cases of viruses being transmitted through shrink-wrapped software, but they are very rare and the previous experience has made software vendors extremely conscious of this threat and they take careful measures to prevent infection through their products.
• Encourage people to write-protect their disks, particularly those that are used only to run programs (such as diagnostic programs or demonstration programs). A virus cannot infect a write-protected disk.
• Establish policies that discourage users from bringing in unapproved software, whether from commercial sources, emails from friends, or from their home collection.
• If your PCs support a feature where they will first try to boot from the hard disk before trying a floppy disk, enable this feature. This prevents accidental infection of boot sector viruses from floppy disks.
• Find out whether antivirus software exists for your email server, particularly if it is connected to Internet email. Viruses often enter through attachments, and antivirus scanners exist for some of the most popular email servers.
• Make sure you have original copies of all applications, rather than relying on restoration of applications for reinstallation.
• If you aren't running antivirus software on your workstations, you should implement a policy where all incoming disks are checked by the MIS department or by using a published procedure.

The way to handle viruses is to prevent them before they can get in.

Conclusion

In this chapter, you learned about viruses and other malicious programs that you could encounter under Windows 98, and more importantly you learned how to prevent viruses on individual workstations and network servers. Taking an active approach to preventing viruses is one of the smartest things you can do to avoid catastrophe.

� Copyright, Macmillan Computer Publishing. All rights reserved.