Examining Computer Viruses

A computer virus can’t spread by itself; it must infect an executable program that a user then launches. Even common e-mail macro viruses follow this rule, infecting executable macros in e-mail programs, which a user then activates by launching an attachment.

A computer virus generally follows a simple life cycle (see Figure 7-5) that, again, is analogous to the life cycle of biological viruses. The cycle begins with its creation and ends with its identification and termination. The cycle may begin again with the modification of the virus (creation of a variant) and its subsequent release. The steps in the computer virus life cycle are:

1. Creation, or birth

2. Release, or initial distribution of the virus

3. Trigger, either a date or event (optional)

4. Activation

5. Detection

6. Elimination or removal

7. Modification

   
   Figure 7-5: The life cycle of a computer virus

   Note

   Other types of malware, including worms and blended threats, follow a similar cycle.

Dangerous and double extensions

Because viruses infect executable files, it’s important that you don’t arbitrarily execute files that you receive as e-mail attachments. Not all executable files end with the .exe file extension. Table 7-1 lists some other file extensions that indicate executable files and their associated programs.

If you encounter an attachment with an extension you don’t recognize, be safe. Don’t open the file. Data files don’t represent a threat, because data files aren’t executable. Although data files can be infected with malicious code, opening the files does not activate the code because data files are not executed like application files are. Malicious code located in a data file requires an infected executable program to execute it.

An example of this is a file-infecting macro virus. The malicious code — in this case a Microsoft Word macro — is embedded in a Word document. In order for the macro virus to execute, Microsoft Word must run the macro. This is why disabling Microsoft Word’s macro feature defeats macro viruses.

Because data files are usually harmless, crackers and virus writers take advantage of this to trick people into opening executable attachments. They can use double extensions to confuse people or even hide the real extension of a file. The following file names are examples of this:

• Iloveyou.txt.exe

• account_info.doc.pif

• yourmessage.jpg.scr

In each of these examples, the false file extension that indicates a data file is followed by the actual file extension indicating that the file is actually an executable file. Windows allows the “.” character in a file name and recognizes the last three letters following the final “.” as the actual file extension. The problem is that if you have enabled the Hide extensions for known file types option, Windows will hide the actual extension and only shows the file name with the first, false extension. Figure 7-6 illustrates this and displays one of the preceding example files in a folder window with the known extensions hidden.

Figure 7-6: A document with its extension hidden

All of the executable files appear to be harmless data files, and an unsuspecting user is likely to launch one of them inadvertently. Another method for hiding the actual extension is to create a long file name with nonprinting characters like spaces:

Figure 7-7 shows this file displayed in a folder list. In the top window, the last extension is hidden because of the long file name and will remain hidden even if the system is not configured to hide known extensions. In the bottom window, you can see the actual file extension, but only by making the Name column extremely wide.

Figure 7-7: A double extension can be hidden by a long file name with blank spaces