Some Common PC-DOS Viruses and What They Mean To You

1.1 Introduction

For the researcher, computer viruses can be an interesting field of study, presenting challenges in protection, detection, removal, and theory. For the computer owner and user, though, computer viruses are simply a nuisance, to be avoided or removed with as little effort as is absolutely necessary, so that real work can go on. One good general definition of a computer virus is given in [Cohen, 1987]: a computer virus is "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself". In PC-DOS, the "programs" that may become infected by one of the common viruses include normal executable files (EXE and COM files, and code overlays), and various kinds of boot sectors (a boot sector is a small piece of code on a diskette or hard disk that tells the computer what to do when it is first brought up, before DOS has been loaded).

Even today, infection by a computer virus is a relatively rare event. The majority of computer virus infections that occur in the user community are caused by one of just a few widely-spread viruses. This paper will attempt to aid the computer owner, user, or security manager in assessing the risks from viruses in general, and in particular in understanding just what the most common viruses in the PC-DOS world today actually do, from the viewpoint of the user, rather than the virus guru.

Computer viruses can be written for essentially any general-purpose computer operating system, and viruses exist for every common microcomputer. This paper covers only PC-DOS viruses, because that is where the author's expertise lies. For each of a number of currently-common computer viruses (in roughly descending order of frequency), this paper describes the basic action of the virus, the ways it spreads from machine to machine, the symptoms that it can cause, the damage (if any) it does, and how it can be protected against.

While in theory viruses are difficult to detect reliably, in practice protecting against all the currently-common viruses is relatively simple. Some characteristics shared by all the common viruses make them simple to detect through any of various methods, and commercially-available anti-virus programs exist today that will protect against all of the viruses discussed here. The difficult part is not in finding a way to protect a single machine against viruses, but in effectively implementing the available protections throughout an organization.

1.2 The 1813 ("Jerusalem") Virus

One of the oldest PC-DOS viruses, and probably the most common, is the 1813 virus, also called (among other things) the Jerusalem, the Jerusalem-B, the Friday the 13th, the Black Friday, the Black Hole, the Morbus Waiblingen, and the sUMsDos. When a file infected with the 1813 virus is executed, the virus is loaded into memory, and any file executed via the DOS "execute program" function thereafter (until the next power-off or reboot) will be infected. This includes EXE and COM programs invoked from the DOS command line, as well as overlays (1) that are called by other programs. This technique of infecting things as they are used is one of the features that most of the currently-common viruses share. When an infected program is executed on Friday the 13th (any month, any year but 1987), it will erase programs that are executed, rather than infecting them.

1.2.1 Spread

The 1813 virus spreads from machine to machine by way of infected files; when an infected program travels (on diskette, over a LAN, by download from a host computer or bulletin board system, or otherwise) from one computer to another, the destination computer will become infected as soon as the infected program is executed. The virus has no power to spread between machines itself; it relies on people intentionally sharing software or machines in order to spread. Some common spread scenarios include:
  • Shared machines - If a computer is used by many different people, it can serve as a center of infection. If someone has run an infected program on the machine, the infection has probably spread to programs on the machine's hard disk; if other users bring their own programs on diskette and run them on the machine, those programs are likely to become infected, and the infection will be spread on diskette to other machines. Shared machines are therefore one important place to apply virus protection programs.
  • Shared diskettes - There are many diskettes that are routinely carried from machine to machine; these include diagnostic diskettes, product demos, and so on. If such a diskette becomes infected, the infection can quickly spread to many machines. Shared diskettes should therefore be protected; the most effective protection is a write-protect tab!
  • Popular programs - There are some programs (games, demos, animations, and so on) that are very popular; anyone who gets a copy of one of these programs is likely to want to pass it on (or at least show it off) to other people. If one of these programs becomes infected, the infection can spread quickly to many machines; users should therefore be educated in the dangers of running such programs without first employing virus detectors or other anti-virus measures.
  • LAN servers - If a program on a LAN server that is used by many workstations on the LAN becomes infected, a large percentage of workstations on the LAN can become infected very quickly (sometimes within an hour or two). Programs on LAN servers should be carefully checked for viruses, and LAN access controls for shared programs should be set up correctly. One common mistake is to have the LAN "logon" program in a place where anyone on the LAN can write to it; this setup means that if any workstation on the LAN becomes infected, the logon program will quickly become infected, and then every workstation that logs onto the LAN will immediately be infected. Properly maintained, LAN servers can be a good way to make virus-free programs available to many machines; set up incorrectly, they can be just the opposite!

1.2.2 Symptoms

In general, the most reliable symptom of a computer virus is an alert from a good anti-virus program. Machines properly protected by an anti-virus program should never experience the more serious symptoms of the virus! In any large organization or community, though, there will be at least a few machines not properly protected, and support people (Help Desks, Information Centers, repair groups, and so on) should be aware of symptoms that might mean a virus has infected an unprotected system. The 1813 virus is actually one of the more obvious of the common PC-DOS viruses. It has a number of intentional effects, and a number of bugs, which can cause infected systems to behave oddly even before the virus "activates" on Friday the 13th. The likely symptoms include:
  • Shortage of disk space and/or growth in size of programs (when the virus infects a file, it adds approximately 1813 bytes to the size of the file),
  • An occasional decrease in the apparent speed of the infected computer (users have described this as, for instance, "the machine suddenly started typing at 1200 baud"),
  • The scrolling or blanking of a small rectangular area in the upper left quadrant of the screen (the "black hole" effect),
  • The message "Program too big to fit in memory" when certain often-used EXE programs are run (due to a bug in the virus, it will continually re-infect most EXE programs, eventually causing them to be too large to run),
  • Malfunctioning of a few infected EXE programs: programs "lock up", or report unexpected error conditions or inability to load functions. (This is due to another bug in the virus that sometimes destroys part of the infected program.)
The first three of these symptoms are reasonably reliable signs of an infection; the last two can be from any of various causes. But in any case, checking a malfunctioning computer for known viruses with an anti-virus tool is generally a quick and easy process, and a useful addition to a support person's toolkit. Machines infected with the 1813 virus are often misdiagnosed as having software or hardware problems, leading to wasted time (as parts are replaced and tests run), and to the risk of spreading the infection via diagnostic diskettes.
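The file-growth symptoms listed above are the kind a support person can check for mechanically rather than by eye. The following is an added example, not part of the original paper, of a baseline-and-compare integrity check over a directory of program files (sizes and SHA-256 digests) that flags files whose size grew by about 1813 bytes, or by several multiples of it as the EXE re-infection bug produces. The extension list follows footnote (1); the 16-byte tolerance and the sample files are assumptions constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for DOS program files.

Added example, not from the paper: record the size and SHA-256 of every
COM/EXE/overlay file under a directory, then report files that later
appear, vanish, change, or grow by about 1813 bytes (or several multiples
of it, as the 1813 virus's EXE re-infection bug produces).
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions taken from the paper's footnote (1); EXE and COM are the main ones.
PROGRAM_EXTS = {".com", ".exe", ".ovl", ".bin", ".ov1", ".ov2"}
INFECT_LEN = 1813   # bytes the paper says a single 1813 infection adds
TOLERANCE = 16      # assumed slack for strains that pad a little differently


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {size, sha256} for each program file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PROGRAM_EXTS:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": _digest(p)}
    return baseline


def classify_delta(old_size, new_size):
    """Label a size change: 'growth-1813xN' when it is N infections' worth."""
    delta = new_size - old_size
    n = round(delta / INFECT_LEN) if delta > 0 else 0
    if n >= 1 and abs(delta - n * INFECT_LEN) <= TOLERANCE:
        return f"growth-1813x{n}"
    return "modified"


def compare(baseline, root):
    """Return sorted (relative_path, finding) pairs; an empty list means no change."""
    findings = []
    current = build_baseline(root)
    for rel, now in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append((rel, "new"))
        elif now["sha256"] != old["sha256"]:
            findings.append((rel, classify_delta(old["size"], now["size"])))
    findings.extend((rel, "missing") for rel in baseline if rel not in current)
    return sorted(findings)


def demo():
    """Run on constructed files in a temporary directory (no real programs)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "EDIT.COM").write_bytes(b"\xe9\x00\x00" + b"A" * 500)   # constructed
        (root / "WP.EXE").write_bytes(b"MZ" + b"B" * 4000)              # constructed
        base = build_baseline(root)
        # Mimic the growth pattern the paper describes: the COM file grows once,
        # the EXE is re-infected three times. Appended filler, not virus code.
        with open(root / "EDIT.COM", "ab") as f:
            f.write(b"\x00" * INFECT_LEN)
        with open(root / "WP.EXE", "ab") as f:
            f.write(b"\x00" * (3 * INFECT_LEN))
        return compare(base, root)


if __name__ == "__main__":
    for rel, what in demo():
        print(f"{what:16} {rel}")
```

Take the baseline, and run the comparison, only after booting from a clean write-protected diskette, since a memory-resident virus infects programs as they are read and run.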

1.2.3 Damage

The 1813 is not a particularly destructive virus. At the time it loads itself into memory, it asks DOS for the current date. If the day of the week is a Friday, the day of the month is 13, and the year is not 1987, the virus "activates". Once the virus has activated, any program executed via the DOS "execute program" call, described above, is erased. Users will generally notice this quite quickly (as all the programs they try to use turn out not to exist!), and it is not generally hard to recover from (programs can be re-installed from their original distribution diskettes, or re-created from source files).

The fact that the virus is not intentionally very destructive does not mean that protection against it isn't cost-effective. Systems infected with the virus do not work very well, and are capable of spreading the infection beyond the immediate business or community. Cleanup is therefore necessary; the earlier the virus was detected, the simpler cleanup will be. Erasing a few infected files from one diskette is cheap; scanning and cleaning up hundreds of unprotected systems after the fact can be very expensive.

When cleaning up after a memory-resident virus like the 1813 (and the other viruses discussed in this paper), it is vital to make sure that the virus is not in memory during the cleanup process! Otherwise the virus is likely to re-infect objects as they are cleaned up, and cleanup will not be successful. To ensure that no virus is active in memory, power off the infected system and reboot it from a write-protected diskette that is known to be free of viruses; then during cleanup use only programs that are known not to be infected.

1.2.4 Protection

The 1813 virus is relatively easy to detect and prevent, and virtually every commercial anti-virus product can deal with it. The virus makes no attempt to hide itself, and infected files are easily recognized as such by even the simplest known-virus scanner. Products which load into memory and block unauthorized attempts to alter programs are also generally successful against it. The fact that the virus is still so common is a sign that all too many machines still lack even the simplest protection against computer viruses.
Footnotes:

(1) Overlays may have any extension at all; some common ones are "OVL", "BIN", "OV1", "OV2", and so on.

1.3 The Stoned Virus

The Stoned virus, also known as the New Zealand or the Marijuana virus, is another of the most common PC-DOS viruses. It was originally found primarily in New Zealand and Australia, but has recently become widespread in the rest of the world. Unlike the 1813 virus, the Stoned is a boot-sector infector; it infects diskette boot sectors, and "master" boot sectors on hard disks. When a machine is booted from an infected diskette, the virus first infects the hard disk, and then installs itself in memory. Any diskette used in the A: drive thereafter is likely to be infected. Approximately once in eight boots from an infected floppy, the message "Your PC is now Stoned!" will be displayed during the boot process. When a machine is booted from an infected hard disk, the virus loads into memory and infects diskettes in the same way, but the message is never displayed.

1.3.1 Spread

The Stoned virus, like other boot-sector-infectors, spreads through the transfer of floppy diskettes rather than files. In general, though, spread scenarios for these viruses are similar to those given for the 1813 virus above. Some common scenarios include:
  • Shared machines - If a shared machine is once booted from an infected diskette, the hard disk will become infected, and the machine will serve as a center of infection. Diskettes used in the machine will be infected (unless they are write-protected), and carry the infection to any machine that is later booted from them.
  • Shared diskettes - Shared diskettes of the sort described above can serve as channels for the spread of boot-sector viruses as well, especially if they are designed to be placed in the A: drive and booted from (as many diagnostic and demo diskettes are). Such diskettes should always be write-protected, even if they are not designed to be bootable (see the next item).
  • "Non-bootable" diskettes - Even a "non-bootable" diskette that simply displays a message like "Non-system disk" when booted from can carry a boot-sector virus. Such disks do have a boot sector; it contains a small program that simply displays the "Non-system" message and waits for a keypress. If such a diskette becomes infected and is later booted from (typically by being accidentally left in the A: drive when the machine is brought up), the virus will infect the hard disk and load into memory before the "Non-system" message appears. So even a user who in good faith says that the office machine is "never" booted from a diskette may have in fact booted from an infected non-system floppy, and then forgotten about it.
These scenarios apply to boot-sector-infecting viruses in general. Although the details of the viruses may be different, they tend to spread through the same channels.

1.3.2 Symptoms

Again, the primary symptom of the Stoned virus is that an anti-virus program tells you it's there! The other symptoms are much less reliable, and an unprotected system can remain infected for long periods of time, spreading the infection to many diskettes, without the user noticing anything unusual. The "Your PC is now Stoned!" message appears only on the occasional boot from diskette; if a workstation's hard disk is infected, and all or most boots are from the hard disk, the message may never be seen (there are also variants of the virus that never display the message at all). Systems infected with the Stoned virus will show less total memory than expected if a utility like CHKDSK is run, but the average user will not notice the change. The only other symptom of the virus that is at all common is a corrupting of the file system on hard disks that were originally set up under DOS 2 (the virus stores the original boot sector on a part of the disk that is normally unused, but is used for the File Allocation Table on some disks set up with DOS 2).

To remove the Stoned virus from an infected diskette, first make sure that the virus is not active in memory, by powering off and booting from a disk or diskette that is not infected. Then use the SYS command to rewrite the boot sector; or use COPY to copy off all important files, and then FORMAT to rewrite the entire diskette.

Removing the Stoned virus from a hard disk requires a bit of extra work. While the 1813 virus may be removed simply by erasing infected programs, there is no equally simple way to restore an infected master boot sector. The DOS commands SYS and FORMAT only affect the DOS partition on a hard disk, and the master boot sector is not in any partition. The most drastic solution is a "low-level" format (generally available as a menu option from a diagnostic diskette), which overwrites all data on the physical disk drive (all files will be erased). There are some commercial tools specifically designed to repair Stoned-infected master boot sectors, and some utilities that will overlay the existing master boot sector with one of their own; contact your local DOS guru for details! In any case, remember to make sure the virus is not active in memory before cleaning up.

1.3.3 Protection

Like the 1813 virus, the Stoned is well-known and well-understood, and any good anti-virus program should be effective against it. It makes no attempt to hide itself, and infected boot sectors are easily recognizable.
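Recognizing an altered master boot sector, and confirming after cleanup that it really has been restored, can be done by comparing the sector with a copy saved when the disk was known to be clean. This added example (not from the paper) parses a 512-byte master boot sector image, checks the 0x55AA signature and partition table, and reports whether the boot-code region differs from a known-good copy; the sample sectors are constructed stand-ins, not real boot code or virus code.

```python
"""Master boot sector check for Stoned-style infections.

Added example, not from the paper. A master boot sector is 512 bytes: boot
code, four 16-byte partition entries at offset 446, then the 0x55AA
signature. Stoned-style infectors replace the code and leave the partition
table usable, so the disk still boots; comparing the sector with a copy
saved while the disk was known to be clean shows the change anyway, and
the same comparison confirms that a repair actually restored the sector.
"""
import struct

SECTOR = 512
PT_OFF = 446     # start of the partition table
SIG_OFF = 510    # 0x55AA boot signature
# boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Return {'signature_ok': bool, 'partitions': [...]} for a 512-byte image."""
    if len(sector) != SECTOR:
        raise ValueError("master boot sector must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PT_OFF + 16 * i: PT_OFF + 16 * (i + 1)]
        boot, ptype, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:   # type 0 means an unused slot
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[SIG_OFF:] == b"\x55\xaa", "partitions": parts}


def check_against_baseline(known_good, sector):
    """Compare a freshly read sector with the known-good copy.

    Returns a list of findings; an empty list means nothing changed.
    """
    findings = []
    if not parse_mbr(sector)["signature_ok"]:
        findings.append("boot signature missing")
    if sector[:PT_OFF] != known_good[:PT_OFF]:
        findings.append("boot code differs from known-good copy")
    if sector[PT_OFF:SIG_OFF] != known_good[PT_OFF:SIG_OFF]:
        findings.append("partition table differs from known-good copy")
    return findings


def make_sample_mbr(code):
    """Constructed sector: the given code bytes plus one bootable DOS partition."""
    code = code.ljust(PT_OFF, b"\x00")[:PT_OFF]
    entry = struct.pack(ENTRY_FMT, 0x80, 0x06, 63, 204_800)   # 0x06 = DOS FAT16
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


# Stand-ins for demonstration only: neither is real DOS boot code or virus code.
CLEAN_MBR = make_sample_mbr(b"known-good boot code image")
CHANGED_MBR = make_sample_mbr(b"replacement code, table untouched")

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(check_against_baseline(CLEAN_MBR, CLEAN_MBR))      # []
    print(check_against_baseline(CLEAN_MBR, CHANGED_MBR))    # boot code differs
```

Read the sector image only on a machine booted from a clean write-protected diskette: as the Joshi discussion below notes, a virus active in memory can hand a scanner the original, uninfected sector image instead.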

1.4 The Joshi Virus

The Joshi virus is another boot-sector infector, similar to the Stoned. It also infects diskette boot sectors and hard disk master boot sectors. It appeared only recently in the U.S., but has quickly become one of the most commonly-appearing viruses; this seems to be due to lucky (from the virus' point of view) accidents, rather than to any special properties of the virus. On January 5th of any year, infected machines will periodically halt with the message
  Type "Happy Birthday Joshi" !
Typing "Happy Birthday Joshi" will unlock the system.

1.4.1 Spread

In terms of spread characteristics, the Joshi virus is very similar to the Stoned. When a machine is booted from an infected diskette or hard disk, the virus loads into memory, and any diskettes used in the A: or B: drives, as well as the first two physical hard disks, may become infected thereafter. The Joshi virus is somewhat larger and more complex, but all the spread scenarios given for the Stoned apply.

1.4.2 Symptoms

Because the Joshi is larger and more complex, Joshi-infected systems are somewhat more likely to malfunction than systems infected with the Stoned. Under some circumstances, systems infected with the Joshi virus will be unable to correctly access the diskette drives, for instance. As with the Stoned, Joshi-infected systems will have somewhat less total memory than they should, but the typical user will not notice this. As always, the most reliable symptom is an alert from an anti-virus program, and checking for viruses is a good first step when dealing with any unprotected system that is acting strangely.

1.4.3 Protection

The Joshi is a somewhat newer virus than the 1813 or the Stoned, and some anti-virus programs may not be able to detect it or protect against it. It is also slightly harder to detect than the Stoned virus, because if the virus is active in memory, it will intercept attempts to read the infected boot sector, and "lie" to the calling program by passing back an image of the system's original uninfected boot sector. It will also remain in memory even if the system is booted by pressing the control-alt-delete key sequence (it does not, of course, remain in memory if the power is turned off!). The virus is, however, easily detected in memory, so an up-to-date anti-virus program should have no difficulty detecting it. Removing the Joshi virus is very much like removing the Stoned; diskettes should be SYSed or FORMATed, and hard disks need to have their master boot sectors restored (both in a machine in which the virus is not currently active in memory).

1.5 The Bouncing Ball Virus

The Bouncing Ball virus, also known as the Italian or Ping Pong virus, is another boot-sector infector, slightly different in operation from the Stoned and Joshi. The Bouncing Ball infects diskette boot sectors, and the DOS boot sector (rather than the master boot sector) on hard disks. The most obvious effect of the virus is that, approximately once in sixteen boots from an infected disk or diskette, a bouncing dot will appear on the display during the boot process and afterwards.

1.5.1 Spread

Although the details of infection differ, all the scenarios given for the Stoned virus apply to the Bouncing Ball virus as well. Shared machines, shared diskettes, and non-bootable diskettes may all serve as channels for the virus to spread.

1.5.2 Symptoms

Besides alerts from anti-virus programs, the main symptom of the Bouncing Ball virus is a bouncing dot on the display. But even this is not a completely reliable symptom; the virus only displays the dot when the value in the system clock at boot time has certain properties, and there may be systems on which the effect will rarely or never appear. As with the Stoned and Joshi viruses, an infected system has a bit less total memory than it should (because the virus reserves some memory at boot-time for itself), but the average user will not notice the difference.

1.5.3 Protection

The Bouncing Ball is another old and well-known virus, and any good anti-virus program should be able to deal with it. Removing the Bouncing Ball from a hard disk is somewhat simpler than removing the Stoned or Joshi. The SYS command will generally work even on an infected hard disk (since the virus infects the DOS boot sector, which SYS touches), although always re-check a disk after SYSing, to make certain. In some circumstances, SYS may not overwrite the boot sector, and a DOS FORMAT (after backing up all important files) or a special utility may be required. In any case, remember to turn the power off and reboot from a known-clean diskette before cleaning up.

1.6 The Sunday Virus

The Sunday virus is closely related to the 1813; the author of the Sunday clearly started with a copy of the 1813 virus and made a number of changes to it. Despite its similarity to the 1813, the Sunday virus is much less common. Like the 1813, the virus loads into memory the first time an infected program is run, and remains in memory until power-off or reboot, infecting any programs that are executed. The virus contains code that is designed to erase files and display a message if the day of the week is Sunday (and the year is not 1989), but at least in the most common variant of the virus, the code has a bug, and is never actually executed. The Sunday virus does not display "black holes", does not slow down infected machines, and does not multiply-infect EXE files.

1.6.1 Spread

Because the Sunday virus is so similar to the 1813, it will spread through the same channels as the 1813. Shared machines, shared diskettes, shared programs, and LAN servers are all key points in restricting the spread of this class of virus.

1.6.2 Symptoms

The Sunday virus is somewhat less likely to be noticed than the 1813, because the more obvious symptoms have been removed. The most common variant of the virus does not erase files, cause blank or scrolling boxes, slow down infected machines, or cause EXE files to grow repeatedly. The symptoms that remain, including one-time growth of files and the occasional malfunctioning EXE program, are less likely to be noticed.

1.6.3 Protection

Although it is newer than the 1813, the Sunday virus is well-known and easy to detect, and should be caught by any good anti-virus program.

1.7 The 17xx Viruses

The name "17xx" refers to a family of viruses, sometimes called (among other things) Cascade, Blackjack, or Falling Tears. The most common members of this family are the 1701 and 1704 viruses. Like the 1813 and Sunday viruses, the 17xx viruses load into memory when the first infected program is executed, and remain resident until power off or reboot, infecting files which are executed. Unlike those viruses, the 17xx viruses infect only COM-format files (2). The virus will also occasionally cause all the letters on the display to fall into a "heap" at the bottom of the screen; this happens only very rarely if the year is after 1988, however.

1.7.1 Spread

Except for the fact that only COM-format files are infected, the 17xx viruses spread through the same channels as the 1813 and Sunday.

1.7.2 Symptoms

As usual, the most reliable symptom of infection with the 1701 or 1704 virus is an alert from an anti-virus program. The "falling letters" effect happens only if the system date is in October, November, or December of 1988, or if the date is January 1st 1980 when the virus first loads, and is later set to a date after October 1988. So many systems may be infected with the virus for long periods of time without the display appearing. Infected files will grow by 1701 bytes or 1704 bytes (depending on the exact strain of the virus), but the typical user will not notice that.

1.7.3 Damage

The most common members of this family do no intentional damage at all, and if the virus is detected early the only cleanup involved will be erasing the infected files and replacing them with good copies. One rare member of the family (the "1704-Format" virus) will attempt to format part of the hard disk when it activates; recovering from that activation requires restoring the disk from backups.

1.7.4 Protection

Like most of the commonest viruses, the 1701 and 1704 are old and well-known. They are also simple to detect, and any good anti-virus program should be able to detect or prevent them.

1.8 The Disk Killer Virus

Also known as the Ogre, the Disk Killer virus is a boot-sector infector that can be very destructive. Like the Bouncing Ball virus, the Disk Killer infects diskette boot sectors and DOS boot sectors on hard disks. When a machine is booted from an infected diskette or hard disk, the virus loads itself into memory, and infects any diskette or hard disk that is later read from (until the next reboot or power off). If an infected machine is left on for about 48 hours without a reboot, the next read to a disk or diskette will cause a message to be displayed, and all data on the boot disk (or diskette) will be scrambled. (There may be variants of the virus in which the details of the activation conditions are different.)

1.8.1 Spread

The spread characteristics of the Disk Killer are very similar to those of the Stoned and the Bouncing Ball.

1.8.2 Symptoms

Due to a bug in the virus, diskettes will sometimes be improperly infected, and either fail to boot or contain damaged files. Attempts to format a diskette in an infected machine will also sometimes fail. Infected disks and diskettes will also show a number of bad sectors and reduced total memory, if a utility like CHKDSK is used. All these symptoms may be overlooked, however, if they do occur, and anti-virus software is the most reliable test.

1.8.3 Damage

When the virus activates, it displays a message like:
  Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989

  Warning! Don't turn off the power or remove the diskette
  while Disk Killer is processing!

  PROCESSING

  Now you can turn off the power. I wish you luck.
and then scrambles all data on the disk or diskette that was last booted from. If the computer is powered down immediately after the first part of the message appears, the data-scrambling will not occur. On the other hand, if the scrambling is allowed to run to completion, it may be possible to recover the data with a program specifically designed to unscramble Disk-Killer-damaged disks. The best solution, however, is to detect the virus before it has a chance to activate!

1.8.4 Protection

The Disk Killer is reasonably well-understood and simple to detect, and any good anti-virus program will catch it. Perhaps because it is so destructive, it seems not to be as widespread in the world as it once was.
