Security

The IT doctor is in: A primer on viruses

Take a look from the inside out to learn how a virus attacks your system. Once you know the basics, you can take a stand and defend your company's computer systems from viral infections.


It seems that every day we hear about another computer virus and its potential for destruction. Some computer users respond to this threat with virus paranoia, believing that every problem they encounter on their system is caused by viruses lurking somewhere on their hard drives. Other users prefer the big yawn approach: “It’s all just hype to sell more copies of McAfee and Norton.”

Neither approach is correct, and both are foolhardy. Not every problem on every system is caused by a virus—but some are, and it is foolish to believe you are immune. It’s even more foolish to be ignorant about viruses or to fail to practice “safe computing.”
In part 1 in this series, we’ll give you a brief overview of how a virus infection occurs and we’ll define some of the types of viruses that you need to know about as an IT manager. In part 2, we’ll look at some steps you should take to keep yourself out of harm’s way.
What the bug does
A virus either attaches itself to some existing program code, or completely replaces the code. Then it redirects the computer to execute the virus code in addition to, or in place of, the original code. Let’s suppose, for example, that your FORMAT.COM file is infected. The original FORMAT routine follows these steps:
  • 001 Check to see if the disk to format exists
  • 002 If it doesn’t, display an error message and quit
  • 003 Check to see if the disk to be formatted is a hard disk or a floppy
  • 004 If it’s a hard disk, get permission to format it

Once infected, the FORMAT routine might follow this process instead:
  • 001 Jump to 100
  • 002 Check to see if the disk to format exists
  • 003 If it doesn’t, display an error message and quit
  • 004 (rest of code the same)
  • 100 Copy lines 101 to 103 to another place in memory
  • 101 Check for floppy disks in all floppy drives
  • 102 If floppy is found, delete every fifth byte of any file on it
  • 103 Set up a timer so these lines keep executing over and over
  • 104 Jump back to 002 and finish the format as usual

You can see how difficult this would be to detect. Every time you format a disk, you would unknowingly load the code into memory and execute it.

If you change line 102 to include a random condition, such as, “Only delete bytes if it’s Friday the 13th”, you’ve got something that would be almost impossible to find. That’s where antivirus software comes in. (Come back next week to get the lowdown on antivirus software in part 2 of this series.)

Of Trojan horses and polymorphism
 With such a large variety of new viruses, you’ll want to keep up-to-date on the latest bug buzzwords. Here are some of the major virus categories and a few other terms you’ll need to know.
  • Executable file virus. This virus attaches itself to an executable file, such as an .EXE or .COM file, and runs whenever the executable file is run. Our example above fits this description; it infected a .COM file.
  • Boot sector virus. This virus infects the boot sector of a disk, where it is executed whenever the disk is used to boot from. If you boot from an infected floppy, the virus infects the hard drive’s boot sector. Every floppy that you put into your infected machine will also pick up the virus. Boot sector viruses are particularly dangerous, since they run every time the computer is turned on.
  • Trojan horse. This virus masquerades as something desirable when its real aim is destruction. That cool game your brother-in-law gave you on a floppy might actually be a Trojan Horse virus. When you play the game you are also infecting all your boot sectors. It’s just another reason to avoid your brother-in-law.
  • Polymorphic virus. This virus changes on the fly—making it difficult to detect. A polymorphic virus has a unique sequence of bytes in its code, known as its “signature.”
  • Stealth virus. Stealth viruses escape normal antivirus detection efforts because they contain a unique code. The stealth is a type of polymorphic virus. For example, a boot sector virus may copy the original boot sector to somewhere else on the hard disk, then wait for attempts by other programs to look at the actual boot sector. If the virus detects such an attempt by, say, an antivirus program, it intercepts the attempt and redirects the antivirus program to the original boot sector sitting out on the hard disk. The antivirus program then reports that all is well with the boot sector, and the virus goes undetected.
  • Trigger event. Some viruses do their dirty work immediately upon execution. More commonly, though, the virus lies in wait, biding its time until some event chosen by its author causes it to “wake up” and deliver its “payload.” It may be a date, or a time. It may be a certain number of boot ups, or a certain number of times a command is executed.
  • Payload. Just like in missiles, the virus payload is whatever damage the virus ultimately delivers. It may be fairly innocuous, like a message appearing on your screen. It may be annoying, like letters falling to the bottom of the screen. Or, it may be horribly destructive, like deleting every file it can find on both your computer and the network.

Arm yourself against the enemy
Next week we’ll examine the reasons behind the large numbers of computer viruses, plus we’ll outline the latest antivirus software.

Important Virus Links

Bruce Maples is an author, trainer, speaker, and consultant living in Louisville, KY.

Tell us about your problems with and solutions to the viruses floating around in cyberland by posting a comment below. If you have a story idea you’d like to share, please drop us a note .

Editor's Picks

Free Newsletters, In your Inbox