Computer Viruses: An Introduction

A very simple definition of computer viruses is: "A program that modifies other programs by placing a copy of itself inside them." This definition is somewhat simplified, but is sufficient to show the major difference between viruses and so-called "Trojan" programs, which is that the virus replicates, but the Trojan does not. A Trojan is a program that pretends to do something useful (or at least interesting), but when it is run, it produces some harmful effect, like scrambling your FAT (File Allocation Table).

Viruses and Trojans may contain a "time-bomb", intended to destroy programs or data on a specific date or when some condition has been fulfilled. A time bomb is often designed to be harmful, maybe doing something like formatting the hard disk. Sometimes it is relatively harmless, perhaps slowing the computer down every Friday or making a ball bounce around the screen.

However, there is really no such thing as a harmless virus. Even if a virus has been intended to cause no damage, it may do so in certain cases, often due to the incompetence of the virus writer. A virus may be modified, either by the original author or someone else, so that a more harmful version of it appears. It is also possible that the modification produces a less harmful virus, but that has only rarely happened. The damage caused by a virus may consist of the deletion of data or programs, maybe even reformatting of the hard disk, but more subtle damage is also possible. Some viruses may modify data or introduce typing errors into text.

Two different types of viruses occur on PCs: boot sector viruses (BSV) and program viruses.

A BSV infects the boot sector on a diskette. Normally the boot sector contains code to load the operating system files. The BSV replaces the original boot sector with itself and stores the original boot sector somewhere else on the diskette. When a computer is then later booted from this diskette, the virus takes control and hides in RAM. It will then load and execute the original boot sector, and from then on everything will be as usual. Except, of course, that every diskette inserted in the computer will be infected with the virus, unless it is write-protected. A BSV will usually hide at the top of memory, reducing the amount of memory that DOS sees. For example, a computer with 640K might appear to have only 639K. Some BSVs are also able to infect hard disks, where the process is similar to that described above.

Program viruses, the second type of computer viruses, infect executable programs, usually .COM and .EXE files, but sometimes also overlay files. An infected program will contain a copy of the virus, usually at the end, but in some cases at the beginning of the original program. When an infected program is run, the virus may stay resident in memory and infect every program run. Viruses using this method to spread the infection are called "Resident Viruses". Other viruses may search for a new file to infect when an infected program is executed. The virus then transfers control to the original program. Viruses using this method to spread the infection are called "Direct Action Viruses". It is possible for a virus to use both methods of infection.

Most viruses try to recognize existing infections, so they do not infect what has already been infected. This makes it possible to inoculate against specific viruses, by making the "victim" appear to be infected.

In general, viruses are rather unusual programs, rather simple, but written just like any other program. It does not take a genius to write one - any average assembly language programmer can easily do it. Fortunately, few of them do.

Now - to correct some common misconceptions, here are a few bits of information about what viruses cannot do.

A virus cannot spread from one type of computer to another. For example, a virus designed to infect Macintosh computers cannot infect PCs or vice versa.

A virus cannot appear all by itself; it has to be written, just like any other program.

Not all viruses are harmful; some may only cause minor damage as a side effect.

A virus cannot infect a computer unless it is booted from an infected diskette or an infected program is run on it. Reading data from an infected diskette cannot cause an infection.

A write-protected diskette cannot become infected.

There is no way a virus can attach itself to data files, so viruses cannot be distributed with them.

The F-PROT package will provide protection against viruses, but there are other methods that also should be used. Before I list them, I want to warn you against three methods that are of very limited use.

One anti-virus measure consists of making every executable file read-only, by issuing commands like

    ATTRIB +R *.EXE

This is actually not a bad idea, but it will not provide much protection against viruses. Most program viruses will remove this protection before they infect files, and restore it afterwards. Making files read-only will of course have no effect on BSVs. The main purpose of this method is actually to protect the user from his own mistakes, because it makes it harder to delete programs by mistake. However, some viruses are stopped by this method, "Lehigh" and "South African" in particular.

Another method is to hide the COMMAND.COM file, by giving the following sequence of instructions:

    MKDIR C:\HIDDEN
    COPY COMMAND.COM C:\HIDDEN
    DEL COMMAND.COM
    add SHELL=C:\HIDDEN\COMMAND.COM /P to CONFIG.SYS
    add SET COMSPEC=C:\HIDDEN\COMMAND.COM to AUTOEXEC.BAT

This method is quite useless, to say the least. Few viruses infect COMMAND.COM, and some of them are able to do it even if it has been hidden using this method.

A third useless method is to change the name of COMMAND.COM and patch other programs so they use the new name. Somebody who had only heard of the "Lehigh" virus got this "bright" idea. Apparently he thought that all other viruses operated like it, so he wrote and distributed a program to do this automatically. He thought it was a general cure for the virus problem, but he was wrong.

On the other hand, there are a number of ways to provide useful protection.

Never boot a computer with a hard disk from a diskette, because that is the only way the hard disk could become infected with a BSV. Should you, by accident, have left a non-bootable diskette in drive A: when you turn the computer on, the message

    Not a system disk.

may appear. If this happens, turn the computer off at once. If the diskette was infected with a virus, it will now have infected the computer. It is important to note that pressing Ctrl-Alt-Del will not be sufficient, since many viruses can survive that. If the computer has no hard disk, but is booted from a diskette, you should always use the same diskette, and keep it write-protected.

Keep good backups (more than one) of everything you do not want to lose. This will not only protect you from serious damage caused by viruses, but is also necessary in the case of a serious hardware failure.

Keep all diskettes write-protected unless you need to write to them. When you obtain new software on a diskette, write-protect the diskette before you make a backup copy of it. If it is not possible to make a backup of the diskette, because of some idiotic copy-protection, I do not recommend using the software.

Be really careful regarding your sources of software. In general, shrink-wrapped commercial software should be "clean", but there have been a few documented cases of infected commercial software. Public-Domain, Freeware and Shareware packages do not have to be any more dangerous - it all depends on the source. If you obtain software from a BBS, check what precautions the SysOp takes against viruses. If he does not screen the software made available for downloading, you should find another source. Obtain Shareware, Freeware and Public-Domain software from the original author, if at all possible.

Look out for any "unusual" behavior on your computer, like:

    Does it take longer than usual to load programs?
    Do unusual error messages appear?
    Does the memory size seem to have decreased?
    Do the disk lights stay on longer than they used to?
    Do files just disappear?

Anything like this might indicate a virus infection.

If your computer is infected with a virus - DON'T PANIC! Sometimes a badly thought out attempt to remove a virus will do much more damage than the virus could have done. If you are not sure what to do, leave your computer turned off until you find someone to remove the virus for you.
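Both infection mechanisms described above (a program virus adding itself to a .COM or .EXE file, a BSV replacing the boot sector) and the symptom checklist come down to noticing that something on disk has changed since a known-good state. The following is an added example, not part of the F-PROT package or of this text, of the baseline-and-compare integrity check an administrator would otherwise do by hand: it records the size and SHA-256 hash of every program file, keeps a saved copy of a diskette's boot sector, and reports any difference. The file names, the disk-image bytes and the assumption that overlay files use the .OVL extension are constructed for the demonstration; the files are created in a temporary directory, so the script runs anywhere.

```python
"""Baseline-and-compare integrity checker (added example; not F-PROT code).

Records size and SHA-256 of DOS-style program files and compares a diskette
boot sector against a saved known-good copy, reporting anything that changed.
"""
import hashlib
import os
import tempfile

BOOT_SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid PC boot sector
# .OVL as the overlay extension is an assumption made for this example.
PROGRAM_EXTENSIONS = (".com", ".exe", ".ovl")


def fingerprint(data: bytes) -> dict:
    """Size plus hash: an appending infection changes both, an in-place patch only the hash."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def baseline_programs(directory: str) -> dict:
    """Fingerprint every program file below directory, keyed by relative path."""
    base = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(PROGRAM_EXTENSIONS):
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    base[os.path.relpath(path, directory)] = fingerprint(fh.read())
    return base


def compare_programs(directory: str, base: dict) -> list:
    """Return (path, reason) pairs for files that differ from the baseline."""
    findings = []
    current = baseline_programs(directory)
    for path, fp in sorted(current.items()):
        old = base.get(path)
        if old is None:
            findings.append((path, "new program file"))
        elif fp["sha256"] != old["sha256"]:
            grew = fp["size"] - old["size"]
            if grew > 0:
                findings.append((path, f"contents changed, grew by {grew} bytes"))
            else:
                findings.append((path, "contents changed, size not larger"))
    for path in sorted(base):
        if path not in current:
            findings.append((path, "program file missing"))
    return findings


def check_boot_sector(image: bytes, known_good: bytes) -> list:
    """Compare the first sector of a diskette image with a saved copy of it."""
    sector = image[:BOOT_SECTOR_SIZE]
    if len(sector) < BOOT_SECTOR_SIZE:
        return ["image shorter than one sector"]
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 55AA missing")
    if sector != known_good:
        problems.append("boot sector differs from saved copy")
    return problems


def demo() -> tuple:
    """Constructed scenario: take a baseline, then alter one program file and
    one boot sector the way the text says an infection would, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        hello = os.path.join(tmp, "HELLO.COM")
        edit = os.path.join(tmp, "EDIT.EXE")
        with open(hello, "wb") as fh:
            fh.write(b"\xb4\x4c\xcd\x21")      # constructed 4-byte .COM: DOS terminate
        with open(edit, "wb") as fh:
            fh.write(b"MZ" + bytes(62))        # constructed stub with an EXE header
        base = baseline_programs(tmp)

        # Constructed boot sector: jump, OEM name, padding, and the 55AA signature.
        good_boot = b"\xeb\x3c\x90" + b"MSDOS5.0" + bytes(499) + BOOT_SIGNATURE

        # Append 1024 bytes to HELLO.COM: the footprint an appending program virus leaves.
        with open(hello, "ab") as fh:
            fh.write(bytes(1024))
        # Replace the boot code but keep the signature intact, as a BSV does.
        changed_boot = b"\xeb\x3c\x90" + b"MSDOS5.0" + b"\x90" * 499 + BOOT_SIGNATURE

        return (compare_programs(tmp, base),
                check_boot_sector(changed_boot, good_boot),
                check_boot_sector(good_boot, good_boot))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The baseline must be taken when the machine is known to be clean and stored somewhere the checked machine cannot alter (a write-protected diskette, in the text's terms), otherwise a resident virus that is already active simply gets recorded as the normal state. Note also that a size-and-hash check finds changes to files; a BSV that only lives in the boot sector and in RAM is caught by the boot-sector comparison, not by the program-file scan.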