By Allan George Dyer M.Sc.(tech), B.Sc.
Computer viruses are a concern to everyone who uses computers, expert or novice, but they have been surrounded by much mystery and confusion. This article explains simply what viruses are and what they can (and cannot) do. It gives methods to reduce the chances of getting infected by a virus, and to minimise the damage caused if your computer is infected.
A computer virus is a program, like any other program, but it has been designed with a specific purpose in mind: to spread. Computer viruses make copies of themselves. Different viruses use different methods of copying and spreading themselves; some will be mentioned later on.
Many viruses also have a "payload": they are designed to do something else on infected machines. This payload could be anything: play a tune, display a picture or message on the screen, or, more dangerously, destroy data or programs on your machine (one famous example of this is the "Michelangelo" virus, which destroys data on your hard disk). A few are even intended to remove other viruses! The payload is triggered by a particular set of circumstances. This might be a date or time (Michelangelo destroys your data on March 6, other viruses trigger on many other dates or times), or something else (such as after the virus has copied itself 5 times), or a combination (one virus triggers if the disc is used exactly on the hour, 0 minutes, 0 seconds).
Why are viruses dangerous? With many viruses, the payload is deliberately damaging: it has been written to destroy data on other people's machines. Some viruses do no deliberate damage, but might have an amusing, or possibly helpful, payload. However, there is no such thing as a "good" computer virus. A virus is a program that the user did not want; it occupies disk space and memory, slowing the computer down. More importantly, viruses can go wrong in ways the writer never expected. Many viruses contain bugs, faults in the program, that cause damage. The virus writer did not intend this, but that is no consolation to the computer user who has lost time or data because of it. Viruses spread onto many different types of computer, and a virus that works correctly on one model may fail and damage something on a different one.
How do viruses copy themselves? To be able to do anything, a program must be executed. A virus has some way of getting a chance to be executed. There are two main types of viruses on PCs: boot sector viruses and file viruses.
Boot sector viruses exploit the fact that every disk has a small program on it, in the "boot sector". The boot sector program normally loads the operating system when you switch your PC on. If you have a non-bootable disk in drive A: when you switch on, it is the boot sector program that displays the message, "Non-system disk, replace and hit a key.". A boot sector virus replaces this program with a copy of itself. Once you have booted from a disk infected with a boot sector virus, the virus stays resident in the computer's memory and infects every disk that is used in the machine.
File viruses modify files or their directory entries so that the virus is executed when you run an infected program. With many file viruses, the virus infects a program file by appending (or "prepending") itself to the file and modifying critical parts of the program so that the virus is executed first, followed by the original program.
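An added example, not part of the original article: a small integrity check that compares program files with a baseline recorded while they were known to be clean, and reports whether a changed file looks prepended to, appended to, or otherwise modified, following the file-virus behaviour described above. `HEAD`, the file names and the byte strings are constructed assumptions, and the sample "programs" are inert data held in memory rather than real files.

```python
import hashlib

HEAD = 16  # assumed size of the start-of-program region that gets patched

def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def baseline(data: bytes) -> dict:
    """Record taken while the program is known clean (keep it on write-protected media)."""
    return {"size": len(data), "full": sha(data), "body": sha(data[HEAD:])}

def classify(base: dict, current: bytes) -> str:
    """Compare a program's current bytes with its clean baseline."""
    n = base["size"]
    if len(current) == n and sha(current) == base["full"]:
        return "unchanged"
    if len(current) > n:
        if sha(current[-n:]) == base["full"]:
            return "prepended"         # original intact at the end of the file
        if sha(current[:n]) == base["full"]:
            return "appended-only"     # extra bytes, start of program untouched
        if n > HEAD and sha(current[HEAD:n]) == base["body"]:
            return "appended-patched"  # start rewritten, rest intact, bytes added
    return "modified"                  # overwritten, truncated or otherwise altered

def scan(baselines: dict, files: dict) -> dict:
    """Return {name: verdict} for every baselined file that is missing or changed."""
    report = {}
    for name, base in baselines.items():
        verdict = classify(base, files[name]) if name in files else "missing"
        if verdict != "unchanged":
            report[name] = verdict
    return report

# Constructed sample data: inert byte strings standing in for program files.
CLEAN = b"\xe9\x10\x00" + bytes(range(64))
FILLER = b"X" * 32  # stands in for added code; it is not executable
BASELINES = {n: baseline(CLEAN) for n in ("A.COM", "B.COM", "C.COM", "D.COM", "E.COM")}
FILES = {
    "A.COM": CLEAN,
    "B.COM": FILLER + CLEAN,
    "C.COM": b"\xe9\x43\x00" + CLEAN[3:] + FILLER,
    "D.COM": bytes(len(CLEAN)),
}

if __name__ == "__main__":
    for name, verdict in scan(BASELINES, FILES).items():
        print(name, verdict)
```

A check like this only flags that a program no longer matches its clean copy; identifying what changed it still requires anti-virus software or restoring from a write-protected original.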
How can I protect my computer? Some simple rules to follow are:
- Make a clean system diskette that you can start your system from in emergencies and write-protect it. Such a diskette is useful in recovering from other disasters too.
- Never boot your computer from an unknown diskette.
- If you forget a diskette in a drive and start the computer, remove the diskette and turn off the computer using the power switch. Restart your computer from your clean system diskette and scan your hard disk using reliable Anti-Virus software.
- Create a plan for making back-up copies and stick to it. Keep several generations of backups. Keep both full backups and backups of just data files.
- Don't use illegally copied programs or programs of uncertain origin. If you don't know the origin of a diskette, don't try running the programs on it before checking the diskette for viruses.
- Also check the purity of original diskettes. They may be infected too.
- Don't copy programs from one computer to another. Always install programs from original distribution diskettes or write-protected backup copies.
- Install a TSR virus monitor and keep it active at all times.
- Scan your hard disk regularly using reliable Anti-Virus software.
How big is the virus problem? The problem has grown enormously since the term "computer virus" was first used in 1985. There are now about 4000 known viruses; more than 1500 have been discovered in the last year. However, the number of viruses actually causing trouble for computer users is much smaller. For many reasons, a lot of viruses do not spread well "in the wild".
Some viruses "get lucky": the world's largest case of an inter-company virus infection known to date [Source: F-PROT 2.09 Version Bulletin, Copyright 1993 Data Fellows Ltd, Finland, reprinted with permission] occurred in the United States on March the 13th 1993. The Michelangelo virus infected approximately 20,000 computers in one corporation. A program, which was to be distributed to users, was copied to diskettes on a contaminated computer. All the 6,500 diskettes used in the copying were infected. These diskettes were then distributed to users inside the company. Due to the memory requirements of the program on the diskette, users were instructed to boot their computers directly from these diskettes. Since Michelangelo is a boot sector virus, it infected the hard discs in all the computers during this booting. The virus infected initially about 7,000 computers, but it was not detected until the number of contaminated computers had reached approximately 20,000. The company also passed the infection to some of its partners. The virus was eventually removed using the F-PROT anti-virus software.
At the time of the infection the company had no anti-virus software in use. The entire incident could have been avoided if even an anti-virus program had been installed on only the computer used for copying.
Even though an infection involving 20,000 computers is a serious matter, the situation could have been worse still. If the incident had happened a week earlier, it would have coincided with Michelangelo's activation day, in which case the virus would have wiped the hard discs empty instead of just infecting them.
How about Hong Kong? In a questionnaire circulated at the SEARCC'93 exhibition, only one respondent had not heard of computer viruses and many had had an infection on their machine. Some said there had been no significant damage as they had simply reformatted their hard disc, neglecting the cost in human time reinstalling software, which will be significant when summed across a corporation. In the same survey, when a respondent could remember the name of the virus that troubled them, it was one of half a dozen that are known to be common worldwide (Stoned, Form, Jerusalem, Michelangelo, Monkey). In a similar survey at the Software'93 exhibition, the viruses named included Green Caterpillar, Flame (also known as "Stamford") and Hidenowt. Flame and Hidenowt are both relatively new (Hidenowt was first reported in Summer '93 and Flame in Autumn '93), and are probably spreading well because many people are using outdated anti-virus software which does not detect them. The prevalence of pirated software in Hong Kong is undoubtedly contributing to the spread of viruses. In several incidents, the victims suggested that the most likely source of the infection was illegally copied software. When purchasing any software, the customer is trusting the quality control of the vendor to ensure the disks are virus-free. Legitimate software manufacturers are not immune from lapses in QC that might let a virus through, but this is safe compared to the pirates: no-one would trust the QC of a vendor who does not even care who owns the software!
Computer viruses will continue to be a serious problem because people are still writing viruses. Many viruses are deliberately damaging, and ignoring the problem will result in large costs in the long run. Computers are a useful (often essential) tool for many applications; viruses reduce the usefulness of computers and should be fought against. All users can help with this by following the rules above. A user protecting her/his own machine is also acting as a responsible member of the computer community: she/he will not be transferring viruses to other users.