Viruses: As Many Kinds As Sniffles in Kindergarten


So far I've been using the word virus fairly liberally. And for sheer practicality, it's handy to have a catch-all word that more or less covers what we're talking about. Some self-righteous sticklers, however, will poke you with a pointy stick if you use the term virus too broadly.

If you start ranting across your Corn Flakes about how viruses spread on their own, inevitably a stickler will pipe up.

"Actually, that's not a virus."

"Yes, it is," you might say indignantly.

"No, it's not," he'll say as he spoons his Cheerios. "That's a worm."

A worm?

Yeah, bad news here. Not all viruses are viruses.

I know that's confusing, but so is a man in a clingy dress. Bear with me a sec; we'll get to the bottom of this.

Some people will tell you that viruses can purportedly overheat and damage computer hardware by turning off cooling systems. If it's been done, its success has been limited. I think this is a myth.

To say "I have a virus" is sort of like saying "I am having meat for dinner" as opposed to "I am having quail with a tasty pistachio butter." The word virus is often used as a generic term to describe all malicious computer files that do bad stuff to your computer, but note that the word virus is specific to malicious programs that need human intervention to run.

So let's talk about the different types and all their trimmings, and then I'll cover viruses' evil cousins: worms, Trojan horses, and virus hoaxes.

Macro Viruses

A macro is a computer programming language built into a larger program. It's used to automate tasks. For example, a Microsoft Word macro can be written to format an entire document or share the contents of a Word file with other Microsoft Office programs. Windows has a few built-in macro languages (sometimes called scripting languages), as do the various programs in Microsoft Office, WordPerfect, and other productivity software programs.

Tip

One good way to defend against macro viruses is to turn off the ability to run macros by default and have the document warn you when a macro is present, giving you the option to turn it on. It's annoying to get bugged like that, but it's a good and easy way to defend against macro viruses. To change the macro security level in Office 2003 programs, click Tools, Options, and then the Security tab. Under Macro Security, click the Macro Security button. Click the Security Level tab, and then select the security level you want to use. The medium setting is a good choice.


A macro can be as short as a few lines of programming code or it can be a massive program that contains zillions of instructions. And it can be designed to run as soon as a file is opened. It's not surprising that virus writers saw this technology as a great opportunity to deploy their malicious software. And sure enough, they have been exploiting this feature in the last few years with great zeal.

The basic strategy has been to generate a virus in a macro and then send a file with a macro embedded as an email attachment. The secret to making this work is, once again, people. A virus writer has to also convince someone to start the macro so the virus can execute and proliferate.

I Don't Love You, but My Virus Does

The best viruses are ones that convince people to help spread them. This is a form of what security experts call social engineering. It's a term used to describe a technique of tricking people into revealing information or compromising computer security voluntarily. Social engineering is used by virus writers to convince people to deploy viruses. If I sent you an email that said "I love you," you'd open it, if only to satisfy your curiosity. Or maybe you are secretly in love with me. (Okay, maybe not, you only bought my book. What was I thinking?) Anyway, that's what the I Love You worm (dubbed the Love Bug) did back in 2000. And many love-starved people opened the "love letter" attached to the email only to infect their computers. They had been socially engineered.


One of the most famous macro viruses is called Melissa, purportedly named after an exotic dancer the virus writer was rather taken with. The virus became famous because of the speed with which it spread. Within three days of its release, Melissa (the virus, not the woman) had infected 100,000 computers.

Melissa spread by arriving as an email with an infected Word document attached with the message "Here's the document you asked for...don't show it to anyone else ;->." When it was opened the virus code executed and sent an email to the first 50 entries in a victim's Outlook email address book.

The Scary Stuff

Unlike other viruses, macro viruses infect documents or document templates. Still, they can do substantial damage to a system, including turning off security programs such as antivirus applications. They can generate unusual system behavior, including random beeping and rude or cryptic messages. They can also modify the Windows Registry or destroy data.

The Windows Registry is a filing cabinet in Windows that keeps track of a zillion settings that make Windows what it is. It's so important that, in case it gets damaged or deleted, Windows keeps a backup. However, if both get corrupted, Windows will not start.

Caution

You can look in your Windows Registry by clicking Start, Run, typing regedit, and clicking OK. This opens a registry editor. I'll warn you now: Do not mess with it unless you know exactly what you are doing. This cautionary tip is brought to you by the slogan, "Look, but don't touch."


Perhaps the worst impact of a macro virus is the annoyance factor. It wastes your time and, in widespread outbreaks, can force companies to shut down their systems and networks until the problem is dealt with.

Webopedia.com suggests that 75% of the world's active viruses are macro viruses. It's the virus you are most likely to come into contact with because macro viruses spread as attachments to email.

Payload has a 13-Point Score in Scrabble

The Melissa virus had a curious payload that executed every hour. When the day of the month equaled the minute value, the following text was typed at the computer's cursor: "Twenty-two points, plus triple-word score, plus fifty points for using all my letters. Game's over. I'm outta here."

The quote, which refers to the game of Scrabble, is taken from a Simpsons episode.


Memory-Resident Viruses

A memory-resident virus gets into a computer's random access memory (RAM). This is where files and programs are loaded when a computer runs them. For example, when you edit a photo or document, it is loaded into the RAM. From its privileged perch in the RAM, the virus gets access to all key operations carried out on the computer and it can corrupt files and programs with great ease as they are accessed, modified, or manipulated. When the computer is turned off, all data in the memory is purged, including the virus. However, when it infects a system it ensures it is activated in memory every time a computer turns on.

The Scary Stuff

Memory-resident viruses can slow down your computer by stealing system resources. They can damage data and system files, which could stop your computer from running correctly.

File Infector Viruses

There are many types of files on a computer, but the files that do the heavy lifting are program files. Document files have file extensions such as .TXT or .DOC. A letter to Grandma might be called grandma.TXT or letter to grandma.DOC. Program files, however, are identified with the extensions .EXE and .COM. A program like this appears as MyProgram.EXE or time wasting game.COM. It's these program files that are vulnerable to file infector viruses. They attach themselves to the file, making it slightly bigger, and execute when the file is run.

The Scary Stuff

File infector viruses can damage program or data files. They can be disinfected or replaced from original installation disks but there's a possibility they can damage your crucial files and either cripple your computer or eat your data.
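One way to notice that a program file has had something attached to it is to keep a size-and-hash baseline of your .EXE and .COM files and re-check it later. This is an added example, not code from the book; the folder, file names and file contents are constructed stand-ins, and a real check would baseline a clean install and run from a trusted boot.

```python
import hashlib
import os
import tempfile

PROGRAM_EXTENSIONS = {".exe", ".com"}


def fingerprint(path: str) -> tuple[int, str]:
    """Return (size in bytes, SHA-256 hex digest) of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each program file (path relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTENSIONS:
                path = os.path.join(dirpath, name)
                baseline[os.path.relpath(path, root)] = fingerprint(path)
    return baseline


def check_against_baseline(root: str, baseline: dict) -> list:
    """Report program files that are missing, new, or whose bytes changed."""
    current = build_baseline(root)
    findings = []
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel][1] != digest:
            # A program file that grew since the baseline is the classic infector sign.
            findings.append((rel, f"changed, size delta {current[rel][0] - size:+d} bytes"))
    findings += [(rel, "new program file") for rel in current if rel not in baseline]
    return sorted(findings)


def demo() -> list:
    """Baseline a constructed folder, tamper with one file, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins: two "program" files and one document (ignored).
        for name, data in [("MyProgram.EXE", b"MZ" + b"\x00" * 60),
                           ("time wasting game.COM", b"\xeb\x00" * 20),
                           ("grandma.TXT", b"Dear Grandma")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        # Simulate something appending 12 bytes to one program file.
        with open(os.path.join(root, "MyProgram.EXE"), "ab") as f:
            f.write(b"X" * 12)
        return check_against_baseline(root, baseline)
```

Running `demo()` reports only MyProgram.EXE as changed, with the 12-byte growth; the untouched .COM file and the .TXT document produce no finding.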

Boot Viruses

A boot virus affects the boot sector of a floppy or hard disk. The boot sector is an area on a disk that contains a program that starts the computer up when it is first switched on. A boot virus swaps itself for the program that boots the computer and spreads to other disks when it is active. You can get a boot virus from a floppy disk, which, in turn, infects your hard drive.

The Scary Stuff

This kind of virus infects any disk with which it comes in contact. It can render a computer unbootable. That means that if you turn the computer on, it won't start.

Multi-Partite Viruses

These complex viruses are cleverly designed. They can infect a computer several times using a whole toolbox of techniques. The idea is to attack a computer at several vulnerable spots, including files, programs, disk drives, and macros. For example, the multi-partite virus called Tequila infected the master boot record of a hard disk and then tried to infect program files with the .EXE file extension.

The Scary Stuff

Multi-partites can do all the usual kinds of nasty things that viruses do, including making computers unbootable and files unusable. The tough part is that they are good at hiding and just as you think you've cleaned one infection up, you discover another.

Worms: Network-Savvy Viruses

A computer worm, quite simply, is a virus that moves from computer to computer across a network. It's a traveling virus. Many worms email themselves to email addresses found on the infected computer. They arrive as attachments, and when the attachment is opened by a human, the replication cycle starts all over again (see Figure 1.1).

Figure 1.1. A variant of the Bagle worm arrives via email pretending to be a come-on from a pretty girl.

Some are designed with no need for human intervention to execute. They worm their way from computer to computer over a network connection employing techniques that are normally used to move files or information between computers.

During a bad worm outbreak, you might notice the Internet or your company network responding very slowly. Two famous examples were Sasser and Blaster. In 2004, Sasser hit hundreds of thousands of Windows XP and Windows 2000 computers globally, including computer systems at American Express and Delta Airlines. The slower-moving Blaster worm hit a year earlier than Sasser and crawled across the Internet infecting computers with Windows XP, Windows NT, Windows 2000, and Windows Server 2003. It caused infected systems to either freeze or reboot repeatedly every few minutes. It also initiated a denial of service (DoS) attack against the Windows Update server at Microsoft. A denial of service attack is an effort to overwhelm a server by flooding it with data requests across the Internet.

Viruses and worms are known to be seeding bots, software that can seek out vulnerable computers and install itself on them. The bots then work quietly in the background without the owner of the system knowing they are there. They wait for commands from a remote attacker sent through chat servers and peer-to-peer networks.


The Scary Stuff

Worms can do a lot of damage, but their most famous threat is network congestion. Because they travel between computers across networks (such as the Internet), they can clog all the network connections, much as a 2-year-old, an open toilet lid, and a 12-pack of Charmin clog the toilet. Network traffic builds to such an extent that it can crash computers and clog networks so they are unusable.

Trojan Horses: Hey Helen, the Achaeans Left Us a Present!

You have probably heard of the story of how the Achaeans (also known as the Greeks) rolled up a great big wooden horse to the gates of Troy (see Figure 1.2). When the delighted Trojans found it, they figured it was a peace offering from their sworn enemies and brought it inside the city. But in the middle of the night, a bunch of sneaky Achaeans hopped out of the horse's hollow belly, let their friends through the gates of Troy, and then attacked the somewhat dim Trojans and burnt and ransacked their city.

Figure 1.2. Trojan horses appear to be fun or useful programs that you need. After you have been tricked into installing them on your computer, they do bad things such as deploy viruses.


Guess what? A computer virus called a Trojan horse works in a similar way. You find (or are sent) a fun, maybe useful computer program and install it on your computer. While you're jumping up and down with delight, bad stuff comes out of the file's belly, opens the door for other bad guys to come into the computer, and then proceeds to ransack its contents.

A Trojan horse is sometimes deployed by a dropper. That's a file that conceals a Trojan horse (or a virus) so it evades antivirus programs (see Figure 1.3).

Figure 1.3. This dropper is detected by Norton AntiVirus as it tries to dump a virus or Trojan horse into a Windows XP computer.


The Scary Stuff

Actually, a Trojan horse can not only ransack your data and files, but it can cause lots of other mayhem. It can vandalize your desktop, delete files, or create what's known as a backdoor, which gives bad guys on the Internet an easy way in to snoop around and inflict further mayhem on your computer. Sometimes Trojan horses deploy viruses on your system.

Virus Hoaxes: Fake Viruses that Scare the Heck Out of You

Virus hoaxes are almost as annoying as the actual thing. They arrive as emails from a well-meaning friend who thinks they are doing you a favor by forwarding on an email they think is a virus alert (see Figure 1.4). The email comes in various forms, but typically contains details about a rampant virus that is wiping out hard drives or doing similarly awful things to people's computers. Of course it's all fiction, but it's written in a convincing way, urging recipients to send the warning to all their friends. The irony is that the act of forwarding a hoax is the key to the hoax's success. It's how it replicates.

Figure 1.4. The Life Is Beautiful hoax was first circulated in Portuguese and later in English, French, German, and Chinese.

The Scary Stuff

A virus hoax is scary to those who don't know better because they think there's a nasty out-of-control virus that is about to eat their computer. It's not a real threat, though. It's also a big annoyance to those who know they are hoaxes but receive them on a regular basis. Mostly it results in embarrassment for the naïve sender when they are outed as fools by their angry in-the-know buddies.

Caution

Some virus hoaxes tell you to search for and delete specific files on your system that they claim are viruses. When you look for the specified file to see if it's on your system, you always find it. That's because it's part of Windows! Deleting the file can damage your system.


How to Spot a Virus Hoax

The email message goes something like this: "If you receive email titled Win A Holiday, Do Not Open It. It will erase everything on your hard drive."

These types of email chain letters are a plague to email users because they waste time and cause unnecessary panic. The truth is that they are hoaxes. But how do you know for sure? By applying a little bit of knowledge and common sense. Here are some telltale signs of an email hoax.

Tip

Your best bet when it comes to emails you receive about viruses is to consider the source. If the email comes from a friend or co-worker and has been forwarded like a chain letter, chances are that it's a hoax. That's not to say that your friend or co-worker is in on the sham. Rather, that person, like all the others in the email trail, has been duped into believing the virus is real. If you receive an email regarding a virus directly from your Internet Service Provider, directly from your system administrator at work, or some other extremely reliable source, you should consider the threat real. A hoax often refers to the source of the hoax as a reliable source, but it never comes straight from one of those sources. In any case, forwarding virus warning emails doesn't help anyone and only serves to clog inboxes and create unnecessary panic.


They all reference a technology authority. Sometimes it's IBM or Microsoft or America Online. Sometimes the author claims that several sources have verified the threat.

The author also promises that the catastrophic virus will arrive as email and wipe out a computer's hard drive or do some other awful damage.

They also encourage the recipient to spread the word about the impending evil that's about to descend by forwarding the message to all their friends. That line is the giveaway to the hoax. It is the reason for the email's existence and the mechanism by which the hoax is spread. Sometimes the request to forward the message is urged more than once in the hoax.

The best way to see if an email warning is a virus hoax is to copy a sentence or two from it and search for it on Google.com or your favorite search engine. For example, the first line of the Win a Holiday virus hoax says

If you receive an email titled Win a Holiday, Do Not Open It. It will erase everything on your hard drive.

If you cut and paste this into Google.com, you see dozens of websites that tell you it's a hoax. You can also look up virus hoaxes at www.f-secure.com/virus-info/hoax/.
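A small scorer for the telltale signs listed above, as an added example that is not from the book: it flags a message that names a technology authority, claims the threat was verified, promises to wipe a hard drive, and asks to be forwarded, and it counts the Fw:/Fwd: tags a chain letter collects in its subject line. The authority names beyond IBM, Microsoft and America Online, the phrase patterns, the weights, and both sample messages are constructed assumptions, so treat a high score as a prompt to check a hoax database rather than as proof.

```python
import re

# Authorities the book says hoaxes name-drop (IBM, Microsoft, America Online);
# the last two are assumed additions in the same spirit.
AUTHORITIES = ["ibm", "microsoft", "america online", "symantec", "mcafee"]
# Promises of catastrophic damage.
DOOM = [r"erase (everything|all)( on)? your hard (drive|disk)",
        r"wipe(s)? out your hard (drive|disk)",
        r"destroy(s)? your (computer|pc)"]
# Claims that several sources have verified the threat.
VERIFIED = [r"(has|have) (been )?(confirmed|verified)",
            r"(confirmed|verified) by"]
# The giveaway: a request to forward the warning to everyone.
FORWARD = [r"forward (this|it)( (message|e-?mail|warning))? to",
           r"send (this|it) to (all|everyone)",
           r"pass (this|it) (on|along)"]


def hoax_signals(subject: str, body: str) -> dict:
    """Which telltale signs appear, plus how often the forward plea recurs."""
    low = body.lower()
    return {
        "names_authority": any(a in low for a in AUTHORITIES),
        "claims_verified": any(re.search(p, low) for p in VERIFIED),
        "promises_catastrophe": any(re.search(p, low) for p in DOOM),
        "forward_requests": sum(len(re.findall(p, low)) for p in FORWARD),
        # Chain-letter depth: how many Fw:/Fwd: tags the subject has collected.
        "forward_depth": len(re.findall(r"\b(fw|fwd)\s*:", subject.lower())),
    }


def hoax_score(subject: str, body: str) -> int:
    """Weighted score; the forward plea counts most because it is the hoax's engine."""
    s = hoax_signals(subject, body)
    score = int(s["names_authority"]) + int(s["claims_verified"])
    score += int(s["promises_catastrophe"])
    score += 2 * min(s["forward_requests"], 2)
    score += int(s["forward_depth"] >= 2)
    return score


def is_likely_hoax(subject: str, body: str, threshold: int = 4) -> bool:
    return hoax_score(subject, body) >= threshold


# Constructed sample modelled on the "Win a Holiday" hoax quoted above.
HOAX_SUBJECT = "Fwd: Fwd: FW: VIRUS WARNING - please read"
HOAX_BODY = ("If you receive an email titled Win a Holiday, DO NOT OPEN IT. It will "
             "erase everything on your hard drive. This was announced by Microsoft and "
             "has been confirmed by America Online. Forward this warning to everyone you "
             "know. Please forward this to all your friends as soon as possible.")
# Constructed sample of a genuine advisory from a reliable source (no forward plea).
LEGIT_SUBJECT = "Security advisory from your system administrator"
LEGIT_BODY = ("A worm exploiting a Windows flaw is spreading. Run Windows Update and keep "
              "your antivirus current. Do not forward this; point colleagues to the helpdesk.")
```

The constructed hoax scores 8 (every sign present, the forward plea twice, three forwarding tags) while the administrator's advisory scores 0.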

Absolute Beginner's Guide to Security, Spam, Spyware & Viruses
ISBN: 0789734591
Year: 2005
Pages: 168