Understanding Computer Viruses

Recently we have seen significant increases in the number of viruses spreading across the internet. This virus problem is increasing and the truth is that no software systems will be able to completely block out viruses.

It is now possible for a new virus to spread around the world and infect over 1 Million users in less than 48 hours. No virus detection company can combat at that rate and we must expect viruses to enter our system.

At the same time large numbers of hoaxes are being spread in the same fashion. These hoaxes are harmless, but create hysteria and perpetuate ignorance and misunderstanding about the whole subject.

The very best preventative action is still based on sound knowledge and understanding of the problem. No anti-virus software today can do a better job than a person who understands the problem and manages their files with caution and reason. My aim in this article is to elevate the level of understanding within an organisation with the hope of protecting us all just a little more.

Firstly we must understand the difference between a Virus and a Hoax. While it is probably obvious that a virus is a true threat to our computer systems and a hoax is not, I still see many hoax messages perpetuated by poor thinking and actions.

Hoaxes

In general a hoax message is simply an email message warning us about some threat or offer, however the information is not real or correct and does not exist. People who mindlessly forward the message on without any consideration of whether the warning is valid then perpetuate the hoax. In many cases the information is about a computer virus but not always. This recent message about Coca Cola is a hoax:

Subject: FREE COCA COLA FOR A MONTH
Coca-Cola is offering four free cases of diet coke or regular coke to every person you send this to. When you have finished sending this e-mail to as many people as you wish, a screen will come up. It will then ask where you want your free coke products sent. This is a sales promotion to get our name out to young people around the world. We believe this project can be a success, but only with your help. So please start e-mailing and help us build our database.
 
Thank you for your support!
Always Coca-Cola,
Mike Hill Director of Marketing Coca-Cola Corporation
Atlanta, Georgia
www.cocacola.com

The heart of the problem here is really just human behavior. Most people are inclined to believe a message that comes from a completely unsubstantiated source and then pass it on to others. Of course this makes no sense at all and is completely irrational, but that is how most people react to a hoax message. We could eradicate almost all hoax messages if we simply did one thing – confirm the validity of the message before forwarding it on.

This problem also falls into the area of proper netiquette (internet etiquette). Unsolicited mass emailing of any kind is truly an abuse of the Internet and should be stopped at all costs. And passing on an unsubstantiated virus warning is essentially unsolicited email of the worst kind. Nobody should send any email to any group without the recipients’ approval. Of course, in some cases the approval is ‘understood’, but in most cases it should be sought formally.

In any company, a few simple rules will go a long way. If you receive a virus-warning message – DO NOT forward it to anybody until you are totally certain it is valid. First, forward it to your system administrator who will check against industry virus warning centers [http://www.symantec.com/avcenter/hoax.html] and confirm the validity. If I believe it is a valid warning then I will distribute it to all staff.

While hoaxes are essentially harmless, they do waste time, resources and add to the volume of useless traffic that clogs up the Internet.

Viruses

To understand what viruses are we must understand the file system of a computer just a little. Your computer is made up of some simple parts:

  1. A file system – a place where files are stored and retrieved from. This is generally your hard disk.
  2. RAM – memory where the computer can temporarily store information if necessary
  3. A processor – the brain-like part of the computer that executes some of these files
  4. Of course, input and output devices such as keyboard, mouse, monitor etc.

Now everything that is ‘stored on’ your computer is simply a file of some sort. The operating system that you are running (probably Windows 98 or NT) is actually just a collection of files. All of your programmes are just files and all of your data that you store - perhaps spreadsheets, databases, word documents – are all just files stored on your hard drive. The same is true of viruses, they are just files.

Now you can loosely group all files into two types:

  1. Executable files – these are files that represent programmes or software. When the processor sees these files it can read them and follow instructions within the files. The names of these files usually end in .COM and .EXE. The latest versions of Microsoft Office products are now powerful enough to store small programmes within their files (called Macros), which means that the office files .DOC, .XLS, .MDB are also executable files.
  2. Data files – these files simply contain information that needs to be stored. In general a programme file will use and read data files. The processor however cannot execute these files directly, as they do not contain instructions for a processor to understand. These files may have file names that end in .TXT, .DAT, .INI, .GIF, .JPG, .HTM

Viruses are essentially Executable files. They are tiny programmes that perform simple (although sometimes destructive) tasks when executed. This means that a data file cannot be (or contain) a virus. So you can be sure that text files, images, videos, sound files, web pages are all safe. This also means that all executable files could be (or contain) viruses.

Unlike the common myths, these viruses are not ‘alive’; they can’t just execute themselves and jump from machine to machine. They must have a name, are generally visible on your file system, and need a way of being transported and then executed.

Of course the person who develops the virus is not going to name it “THISISAVIRUS.EXE”. They will usually do one of two things – give it the name of a commonly accepted programme and effectively disguise it, or literally attach the virus to another genuine programme. In both cases the file will resemble an executable file. So you can always identify a potential virus-containing file by checking whether it is an executable file.
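The executable/data split from the two lists above, and the “disguised as something familiar” point in the last paragraph, can be turned into a simple attachment triage check. The following is an added example written for this article, not code from the original; the extension sets are constructed from the extensions the article names (including the .vbs and .js scripts mentioned in the later note) and are deliberately not exhaustive.

```python
"""Classify attachment file names by the article's executable/data split.

Added example. The extension sets below are constructed from the extensions
the article mentions; a real deployment would maintain a much longer list.
"""
import os

# Directly executable by the processor, plus the scripts the article's note
# says could self-execute in some Outlook versions.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".vbs", ".js"}
# Office documents that can carry macros (small embedded programmes).
MACRO_CAPABLE_EXTENSIONS = {".doc", ".xls", ".mdb"}
# Plain data formats the article lists as not executable.
DATA_EXTENSIONS = {".txt", ".dat", ".ini", ".gif", ".jpg", ".htm"}


def classify_attachment(filename: str) -> str:
    """Return 'executable', 'macro-capable', 'data' or 'unknown'.

    Only the final extension decides. A name such as 'card.jpg.exe' is an
    executable whatever the earlier part of the name suggests, which is
    exactly the disguise the article warns about.
    """
    _, ext = os.path.splitext(filename.strip())
    ext = ext.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    if ext in MACRO_CAPABLE_EXTENSIONS:
        return "macro-capable"
    if ext in DATA_EXTENSIONS:
        return "data"
    return "unknown"


def triage(filenames):
    """Return the names that must not be opened without confirming the sender.

    Anything that is not a recognised plain data format is held back, so an
    unknown extension is treated with the same caution as a known executable.
    """
    return [name for name in filenames if classify_attachment(name) != "data"]


if __name__ == "__main__":
    # Constructed sample attachment names; Happy99.exe is the one the article names.
    sample = ["photo.jpg", "Happy99.exe", "card.jpg.exe", "budget.XLS", "notes"]
    for name in sample:
        print(f"{name:14} -> {classify_attachment(name)}")
    print("hold for confirmation:", triage(sample))
```

The check deliberately looks only at the last extension and lower-cases it: the article’s point is that the disguise lives in the friendly-looking front of the name, while the part that decides whether the processor will run the file is the end.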

In any case the virus lies dormant until it is actually executed. This is an important point - viruses do not execute themselves.

Now there are a few common ways a virus will be executed. The most obvious is by the user simply executing the file with a double-click or run command. If you receive a file via email called Happy99.exe it is a virus. It has a friendly name and the email message that it comes with is a friendly invitation to view a greeting card. However, when you execute the file it displays some fireworks and then does its stuff. Actually it then emails itself to the first 50 people in your address book thereby replicating itself and distributing itself via email.

If the virus comes attached to another programme that you commonly use, then it can be executed when you execute that other file. It may even then copy itself to another location on your computer or even modify the startup process of your computer so that it gets executed every time the system starts.

In any case, the virus does nothing until it is executed and you are responsible for all files executed on your computer. This means that the responsibility of protecting your computer comes down to you ensuring that you only execute safe files.

Viruses do not get activated by:

  • Inserting a floppy disk into your computer
  • Copying files from one location to another
  • Browsing the web
  • Sending or receiving email

Even if you receive an email that contains a file with a virus, it is harmless until you execute that file. You simply need to make sure that you only execute files from known sources that are safe.

[Note: in the last 12 months some viruses coded in .vbs – Visual Basic Script – and .js – JavaScript – have been able to self-execute on some versions of Microsoft Outlook. Microsoft has now released patches to Outlook to stop this and it is very important that you download these patches from the Microsoft website or upgrade to Outlook 2000: TC 08/02/01]

Macro Viruses

Before I explain how to detect viruses I will say a little about a new type of virus that has developed within the last few years - the Macro Virus. A Macro is a small programme (executable) that is stored within another file. Microsoft Office developed a powerful macro language so that developers could create intelligent documents that could assist you with many common tasks. However, as with any executable language, it then becomes possible to embed a virus within a document. This includes .DOC word files and .XLS spreadsheet files.

Microsoft has now developed quite good virus protection features in MS Word and Excel. If you use Office 2000 you can set the security system within MS Word to identify unknown macros and warn you of a potential virus-containing document. You can even set MS Word to disable all macros by default – thereby effectively stopping all macro viruses. This is what I have done – I don’t allow any macros to run on my documents.

In MS Word use the menu Tools>Macro>Security and set to “High” to disable all macros. Do the same for Excel.

Detecting Viruses

I won’t go into all the systems used to detect viruses, but I will explain a few things. Firstly, you must have a reasonable virus detection programme running on your system to assist in virus detection. I don’t have any favourite. I do use Mcafee Anti Virus http://www.mcafee.com to detect viruses on my system, and in general I have found it to be reasonably effective. I also use Norton AntiVirus from Symantec and find it very effective. Symantec also offers a superb virus resource center at http://www.symantec.com/avcenter/

Secondly, viruses are not invisible and with a small amount of care you should be able to identify potential problems. Since a plain email message is simply a data file it cannot contain a virus on its own. A virus can only be transported in email as an attachment, so it will be visible to you. Viruses cannot ‘attack’ your computer while you are just browsing the web; you have to download a file to bring the virus down, so again you will see there is a potential danger. A virus cannot ‘jump’ from a floppy disk onto your system; you have to copy a file and then execute it. Basically there is no mystery as to how a virus gets onto your system. You will always place it on your system through common actions.

Most virus detection systems work in a few ways. They all maintain a virus definition file, which contains the definitions of all known viruses. There is now an industry standard for these files and they are updated regularly in most cases. The virus detection software checks your computer files against the list on a regular basis. This means that you must update your definition file regularly to be effective. Most are released about every week or two. You can download these files from the web in most cases if you subscribe to a reasonable service.

Good virus detection software also searches your system for known ‘footprints’ left by viruses. This is very difficult, and much less effective. This is in fact how new viruses are often detected. The detection programme looks for unusual files, files that have recently changed size for no apparent reason, files in unusual locations etc. Essentially, however, the software is not too effective in detecting new and unknown viruses and some can always slip through this process.
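The two detection methods in the previous two paragraphs, matching files against a definition list and looking for footprints such as unexplained size changes, can both be shown in a few lines. This is an added example written for this article, not any vendor’s engine or code from the original; the “definition file” holds constructed placeholder patterns, and the file contents and paths are constructed sample data.

```python
"""Definition-list scanning plus a footprint (baseline) check.

Added example. DEFINITIONS holds constructed placeholder patterns that exist
only in this example; the sample files below are constructed as well.
"""
import hashlib

# Constructed "definition file": virus name -> byte pattern to look for.
DEFINITIONS = {
    "Example.Sig.A": b"EXAMPLE-SIGNATURE-A",
    "Example.Sig.B": b"EXAMPLE-SIGNATURE-B",
}


def scan_signatures(content: bytes, definitions=DEFINITIONS):
    """Return the names of every definition whose pattern occurs in content."""
    return sorted(name for name, pattern in definitions.items() if pattern in content)


def take_baseline(files):
    """Record size and SHA-256 for each file. files maps path -> bytes."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in files.items()}


def footprint_changes(baseline, files):
    """Report files that are new, changed size, or changed content since the baseline."""
    findings = []
    for path, data in files.items():
        if path not in baseline:
            findings.append((path, "new file"))
            continue
        size, digest = baseline[path]
        if len(data) != size:
            findings.append((path, f"size changed {size} -> {len(data)}"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((path, "content changed, same size"))
    return findings


def scan_system(baseline, files, definitions=DEFINITIONS):
    """Combine both methods into one report of path -> verdict.

    A definition hit is a certain identification and wins over a footprint
    finding on the same file; footprint findings are only 'suspicious'.
    """
    report = {}
    for path, data in files.items():
        hits = scan_signatures(data, definitions)
        if hits:
            report[path] = "known: " + ", ".join(hits)
    for path, reason in footprint_changes(baseline, files):
        report.setdefault(path, "suspicious: " + reason)
    return report


# Constructed sample system: a clean snapshot, then a later snapshot in which a
# programme has grown and gained a known pattern, and a new executable has appeared.
CLEAN_FILES = {
    "C:/Programs/editor.exe": b"MZ clean program bytes",
    "C:/Docs/notes.txt": b"just text",
}
LATER_FILES = {
    "C:/Programs/editor.exe": b"MZ clean program bytes" + b"EXAMPLE-SIGNATURE-A",
    "C:/Docs/notes.txt": b"just text",
    "C:/Windows/System/Happy99.exe": b"MZ something new",
}

if __name__ == "__main__":
    baseline = take_baseline(CLEAN_FILES)
    for path, verdict in scan_system(baseline, LATER_FILES).items():
        print(f"{path}: {verdict}")
```

The baseline check is the weaker of the two, exactly as the article says: it cannot name what it finds, and a file that was already infected when the baseline was taken is never flagged. That is why the definition list still has to be kept current.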

Some of the most effective viruses, using self-mailing techniques like those of Happy99.exe, have been known to spread around the world in less than 2 days. This means that you cannot rely on virus detection software to help you at all times.

Summary

So what does all this mean? Well, the first thing to note is that most offices have a distributed system of computers with very many entry points: 80 or so people sending and receiving email, files, floppies etc. There is no one doorway and no single point where we can check for viruses.

This means that everyone has to take on the responsibility of checking his or her own system for viruses. System administrators can attach some software to the mail servers, but it will not block all entry points and it will impose restrictions on email, which may not be acceptable. And lastly as you can see it will never be 100% effective.

A few simple things can help a lot:

  1. Make sure that you are using the latest versions of Office 2000 and that you have macro security set to high – this will eliminate all macro viruses. You should only have it at a lower setting if you have a very good reason to run macros, and then you must be ready to check every document for viruses.
  2. Install a good virus detection programme on your system and make sure you update the virus definition file at least every two weeks. This will protect you against most known viruses.
  3. NEVER execute unknown files. This is the hardest rule to follow, and the area where most viruses slip in. Unless you are completely certain about the source of the file – DO NOT execute it. It may be a joke from a friend, a greeting card, or something from a colleague or client, but if you are not certain it is safe then you should not run it.

If you follow the above rules you will be in the best possible position. And step 3 is the most important one and the least followed of all the rules.

To date I have never lost any data to viruses. I have found them on my system, but they have always been eliminated before taking effect.
