
Has Your Computer Or Your Town's Computer Been Infected With A Virus?
Like its biological cousin, a computer virus embeds itself within a host program and induces the host to replicate itself along with the virus.

Computer Column

This article was taken from Vol. 2, No. 7, April 1988 issue of PC-Transmission, a newsletter for computer users in transportation published by The University of Kansas Transportation Center.

Watch Out For Viruses
by Carl Thor

Last month, we ran a short news article about computer "viruses," which seem to be the latest trend in the realm of computer vandalism. These insidious little programs represent a significant threat to users of micro-computers, especially those who exchange public domain programs and information with other computers, either by modem or disk transfer. Let's take a closer look at what you can do to protect yourself from them.

What is a virus? Over the years, a few mischievous and malicious hackers have developed various ways of sabotaging other machines, and have released their programs into the public data stream, primarily through electronic bulletin boards.

Some of these creatures include the Trojan horse, an apparently normal program, usually a game or utility, that destroys files as its host disk is used; and the time bomb, which waits until a certain time before destroying data. Most recently, we have seen a number of cases of a new type of saboteur program: the virus.

Like its biological cousin, a computer virus embeds itself within a host to replicate itself. Viruses are often not well understood, partly because of their name association with human diseases, and partly because they inhabit the arcane world of machine language programs. Disks do not infect each other in the storage box; rather, the virus program must take control of the computer in order to infect other disks.

Currently, the most common approach is for the virus program to be hidden within the operating system program (COMMAND.COM on PC machines). Once loaded into memory, the virus program instructs the operating system to copy itself onto any disk accessed by the computer (such as with DIR, TYPE, or COPY), if that disk already has the operating system file on it. Then, typically, after replicating itself a certain number of times, the virus proceeds to trash all the disks available to it at the time.

Actually, the virus mechanism is benign by itself. According to an article by Tom McBride and Nick Szabo in the March 1 edition of Info-Mat, "a 'pure' virus has survival as its only goal." But any kind of "payload" can be attached to the virus, enabling it to print a message on screen, improve its survivability, avoid detection, or even destroy disk data. The payload can also be benign, but destructive or obstructive payloads seem to be the rule among the viruses reported recently.

Case history Although the concept of virus programs has appeared in the literature for several years (see "Computer Recreations" in Scientific American, March 1985, for an interesting discussion), only in the last year have many actual virus outbreaks been reported. Recent accounts cite infections within several user groups, in computer networks at IBM and Hewlett-Packard, and at the computing centers of several universities.

One of the most widely publicized occurrences was at Lehigh University, where late last fall a COMMAND.COM virus infected PCs throughout the campus. The virus most likely escaped the campus and is now spreading itself around the world. Its characteristic is to copy itself four times, then trash every disk in the host system by erasing their boot records, FAT tables, and directories. Meanwhile, the virus' four children will repeat the process somewhere else as soon as they are booted into another PC.

In a memo circulated at Lehigh University, Kenneth R. van Wyk of the Computing Center stated that "all Norton's horses couldn't put it back together again," referring to the inability to recover data even with the Norton Utilities, one of the most powerful PC data repair programs available. He went on to say that both floppy and hard disks were affected, and concluded by saying "This is not a joke. A large percentage of our public site disks have been gonged by this virus in the last couple days."

What is the degree of danger? Obviously, the potential for damage by viruses (and other sabotage programs) is very serious, although there are some who argue that the whole issue may be a hoax or urban legend, the computer-age equivalent of the Kentucky Fried rat story. I doubt that anyone at Lehigh University would buy the hoax theory, but to the millions of users who have not come into contact with a virus, the whole thing certainly has a science-fiction ring to it. In fact, similar scenarios appeared in stories by several authors long before actual virus programs were created.

So far, viruses that use the operating system as a host are fairly easy to detect, and detection is the prime requirement for prevention. Szabo, who has made a hobby of designing (but not releasing) virus programs, feels that greater dangers may lie ahead. To put viruses into binary files other than the operating system is possible, he says, and would make detection much more difficult. The virus discovered last fall at Hebrew University in Jerusalem is reportedly of this type. Because of its ability to propagate itself to other disks, a virus hidden in a program file would be much more destructive than earlier vandal programs, which depend on people for distribution.

A few simple precautions can usually protect against the known types of viruses. We can only hope that if more virulent types are developed, they will also be detectable and preventable, and that the threat of viruses will not put telecommunication and the public exchange of software in the deep freeze. It seems likely that as the complexity of the virus programs required to foil existing security precautions increases, the interest in creating such programs will wane. Of course, who knows what some maniac will come up with next?

How to protect yourself: Single-user systems are pretty safe from viruses, because of minimal disk sharing. Every disk exchange, new program coming in, and modem or network communication link is a potential avenue of entry for viruses and other vandal programs. An isolated machine with a bootable hard disk, that is never booted from a diskette, should be safe from operating system viruses. But the potential presence of viruses or other vandals in executable program files suggests the need for more care to be taken. New programs from public-domain or unknown sources should be tested in isolation at first; several runs may be necessary to guard against a Trojan horse.

Sound backup procedures and conscientious handling of disks are very important elements in protection against virus programs. Important data and programs should be stored and backed up on disks without the operating system, and write-protect tabs should be used whenever possible. (Covering the square notch in the edge of the diskette shell prevents data from being written onto the disk.) Keep "clean," write-protected copies of operating system and program disks in archive.

Detection of suspected viruses is essential. The Lehigh virus is easily detected: the COMMAND.COM file on infected disks carries a more recent write date than the original file, although the file size remains the same.

Another test is to boot up with the suspect disk (it would be wise to first back up the hard disk or use a diskette-only machine, since the program may be ready to do its dirty work), then ask for the directory (DIR d:) of another diskette, with a known "clean" operating system, with its write-protect notch covered. Getting a directory is normally a read-only operation, but if the virus is in control of the system it will try to write itself to the clean disk, generating a write-protect error. It seems reasonable to assume that similar tests will work with other operating systems.
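The spread mechanism described earlier (a virus riding in COMMAND.COM that copies itself to every accessed disk carrying the operating system file, then fires its payload after four copies) and the write-protect DIR test above fit in one small model. The Python below is an added illustration, not code from the newsletter: the four-copy threshold comes from the article, while the disk names, the scenario, and the "WRITE PROTECT ERROR" wording are constructed for the example. It shows why a disk without the operating system file and a write-protected disk both escape infection, and how the DIR test turns an attempted write into a visible error.

```python
from __future__ import annotations

from dataclasses import dataclass, field

COPIES_BEFORE_PAYLOAD = 4  # the Lehigh virus copies itself four times, then trashes (per the article)


@dataclass
class Disk:
    name: str
    has_os: bool                   # carries COMMAND.COM, the only host this virus uses
    write_protected: bool = False  # notch covered
    infected: bool = False
    trashed: bool = False          # boot record, FAT and directory erased


@dataclass
class Machine:
    """A PC. Whatever COMMAND.COM it booted from handles every later disk access."""
    hard_disk: Disk | None = None  # None models a diskette-only machine
    virus_resident: bool = False
    copies_made: int = 0
    log: list[str] = field(default_factory=list)

    def boot(self, disk: Disk) -> None:
        if disk.trashed:
            raise RuntimeError(f"{disk.name} is unbootable")
        # Loading an infected COMMAND.COM puts the virus in control; its copy counter restarts.
        self.virus_resident = disk.infected
        self.copies_made = 0
        self.log.append(f"boot {disk.name}: virus {'resident' if self.virus_resident else 'absent'}")

    def dir(self, disk: Disk) -> None:
        """DIR is read-only on a clean system; an infected one also tries to replicate."""
        self.log.append(f"DIR {disk.name}")
        if not self.virus_resident or not disk.has_os or disk.infected:
            return  # no virus, no host file, or already carrying it: nothing is written
        if disk.write_protected:
            # The write hits the covered notch and DOS reports it: the article's detection test.
            self.log.append(f"WRITE PROTECT ERROR writing {disk.name}")
            return
        disk.infected = True
        self.copies_made += 1
        self.log.append(f"virus copied to {disk.name} ({self.copies_made}/{COPIES_BEFORE_PAYLOAD})")
        if self.copies_made == COPIES_BEFORE_PAYLOAD:
            victims = [d for d in (self.hard_disk, disk) if d is not None]  # all disks available to it
            for d in victims:
                d.trashed = True
            self.log.append("payload: trashed " + ", ".join(d.name for d in victims))


def write_protect_test(suspect: Disk) -> bool:
    """Boot the suspect disk on a diskette-only machine, DIR a write-protected clean
    system disk, and report whether a write was attempted. True means infected."""
    pc = Machine(hard_disk=None)
    pc.boot(suspect)
    canary = Disk("clean-sys", has_os=True, write_protected=True)
    pc.dir(canary)
    return any("WRITE PROTECT ERROR" in line for line in pc.log)


def outbreak() -> dict[str, Disk]:
    """Constructed scenario: one infected lab floppy meets a hard disk and five diskettes."""
    disks = {
        "lab": Disk("lab", has_os=True, infected=True),
        "C:": Disk("C:", has_os=True),
        "data": Disk("data", has_os=False),  # backup disk kept without the OS file
        "master": Disk("master", has_os=True, write_protected=True),
        "f1": Disk("f1", has_os=True),
        "f2": Disk("f2", has_os=True),
        "f3": Disk("f3", has_os=True),
    }
    pc = Machine(hard_disk=disks["C:"])
    pc.boot(disks["lab"])
    for name in ("C:", "data", "master", "f1", "f2", "f3"):
        pc.dir(disks[name])
    # f1 and f2 leave the room infected but intact; each will seed the next machine it boots.
    return disks


if __name__ == "__main__":
    for d in outbreak().values():
        print(f"{d.name:7} infected={d.infected!s:5} trashed={d.trashed}")
    print("suspect floppy infected:", write_protect_test(Disk("suspect", has_os=True, infected=True)))
```

In the scenario the hard disk and the fourth system diskette are lost when the payload fires, the data-only disk and the write-protected master are never touched, and two infected diskettes survive to carry the virus elsewhere, which is the branching pattern the article describes for the Lehigh outbreak.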

Another reported virus can inhabit any executable (.COM or .EXE) file. Each time the program is executed the virus increases the size of the file (normally by 1808 bytes), which eventually causes the program to overflow disk space, memory space, or both. Also, shortly after infection, the virus will slow the host program by as much as a factor of five. This particular virus will erase any infected program that is executed on a Friday the 13th. To test for this virus, compare the program file size before and after running the program, or compare it to the size of the file on the original program disk (write protected!). If file size has increased, the program, and others on the same disk, are most likely infected.

If a virus is found, copying the system file or executable files from a "clean" disk onto the infected disk will eradicate the virus (first make sure the computer is not infected by booting from a "clean" disk). Disks do occasionally lose data, but any time one of your disks is scrambled for no apparent reason, you should begin a careful check for viruses or other suspect programs. Above all, be aware that these things exist, and be on the lookout for them.

Even if you do not use computers yourself, you may know of others who do. Please pass on copies of these articles to them. All computer users should know about this information.

Several anti-virus programs have been developed that may offer attractive benefits to users whose systems are especially vulnerable to attack (network installations or semi-public sites), or who are in the vicinity of a known virus infection. For more information on some of these programs call the T2 Center at 1-800-423-0060.

If you are concerned and want to know more about viruses, I would suggest you read the Info-Mat news magazine, available on-line through the PC-TRANSport electronic bulletin board. Info-Mat has done a terrific job of covering the virus story as it developed over the past few months, and because it is a BBS magazine, I am certain that they will continue to provide in-depth information on the subject.


Once a Hard Disk is Infected
The following is a summary of what to do in the case of an infected hard disk, excerpted from the March 1988 issue of Computing News, from the University of Kansas Computing Center.

Immediately remove any floppy disks from your system and don't let anyone else use your system until it is restored to good health. If there is any chance you will be leaving your machine unattended where others have access to it, turn it off and leave a sign indicating that no one is to touch the machine until further notice. Then take the following steps:

1. Round up all of the floppy disks you have used that might possibly have been infected. At greatest risk are the disks that have COMMAND.COM on them. Depending upon the strain of virus, any disk containing an executable file is suspect. Set all these disks aside and identify them with labels, etc.

2. Reboot your machine from a floppy disk that you know to be good. In other words, you must avoid using the contaminated operating system on the hard disk: put a fresh, write-protected copy of the operating system in the floppy drive and then boot from the floppy drive. [Many machines will boot a diskette found in drive A: during either a cold (power-up) or warm (CTRL-ALT-DEL) boot. Prefer the cold boot, since switching the power off is what clears memory-resident code.]

3. Delete COMMAND.COM from the hard disk and copy a fresh COMMAND.COM from a floppy disk you know to be good. If the virus is the kind that also infects any other executable file, you must check the size of every executable file on the disk against the size of the original version on the original floppy disk from which it came. This is tedious, but it is the only way to be sure. If you are absolutely certain that your last hard disk backup took place before the infection, you might want to reformat the hard disk and completely restore it.

4. Any infected floppies must also have their COMMAND.COM files replaced. If necessary, replace the executable files as well.

5. To prevent the virus from spreading, you should also contact anyone who may have used your system since it became infected, and inform them that their disks may also be infected.

The above article was taken from PC-Trans, Vol. 2, No. 7, University of Kansas.
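The checks both articles rely on (the Lehigh test of a COMMAND.COM with the same size but a newer write date, the 1808-byte growth test for the file-infecting virus, and step 3 of the checklist above, comparing every executable against its original) all reduce to one operation: compare each program on the suspect disk with a known-clean copy. The Python below is an added example, not code from either newsletter article. It fingerprints a clean master disk and a suspect disk, uses a hash as the authority on whether bytes changed, and uses the size delta to say what kind of change it was: overwritten in place at the same size (Lehigh-style), grown by a multiple of 1808 bytes (the appender, with the multiple counting how many times it has run), otherwise modified, new, or missing. The directory layout, file names, sizes and contents are constructed for the example; the 1808-byte step comes from the article.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

APPEND_STEP = 1808              # bytes the file-infecting virus adds per run (per the article)
EXEC_SUFFIXES = {".com", ".exe"}


@dataclass(frozen=True)
class Record:
    size: int
    mtime: float   # write date; informative only, a virus can forge it
    sha256: str    # the authority on whether the bytes changed


def fingerprint(path: Path) -> Record:
    st = path.stat()
    return Record(st.st_size, st.st_mtime, hashlib.sha256(path.read_bytes()).hexdigest())


def manifest(root: Path) -> dict[str, Record]:
    """Fingerprint every executable under root, keyed by lower-cased relative path."""
    return {
        p.relative_to(root).as_posix().lower(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def classify(base: Record | None, now: Record | None) -> str:
    """Verdict for one path given its clean-master record and its suspect-disk record."""
    if base is None:
        return "NEW"          # never on the master disk: untrusted until proven otherwise
    if now is None:
        return "MISSING"
    if now.sha256 == base.sha256:
        return "OK"           # identical bytes; a newer date on its own is harmless
    growth = now.size - base.size
    if growth == 0:
        return "OVERWRITTEN"  # same size, different bytes: the Lehigh COMMAND.COM pattern
    if growth > 0 and growth % APPEND_STEP == 0:
        return f"APPENDED_{growth // APPEND_STEP}X"  # 1808-byte appender, n infections
    return "MODIFIED"


def compare(clean_root: Path, suspect_root: Path) -> dict[str, str]:
    base, now = manifest(clean_root), manifest(suspect_root)
    return {k: classify(base.get(k), now.get(k)) for k in sorted(base.keys() | now.keys())}


def _write(path: Path, data: bytes, mtime: float) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.utime(path, (mtime, mtime))


def demo() -> dict[str, str]:
    """Constructed sample: a clean master disk next to a suspect disk. Sizes are made up."""
    t0, later = 500_000_000.0, 500_086_400.0   # original write date and one day after
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        c, s = Path(clean), Path(suspect)
        _write(c / "COMMAND.COM", b"C" * 25_307, t0)
        _write(c / "GAME.EXE", b"G" * 40_000, t0)
        _write(c / "EDIT.EXE", b"E" * 60_000, t0)
        _write(c / "UTIL.COM", b"U" * 9_000, t0)
        _write(c / "README.TXT", b"not executable, ignored", t0)
        # Lehigh-style: same size, newer date, different bytes.
        _write(s / "COMMAND.COM", b"C" * 25_000 + b"V" * 307, later)
        # Appender: GAME.EXE run once since infection, EDIT.EXE run twice.
        _write(s / "GAME.EXE", b"G" * 40_000 + b"V" * APPEND_STEP, later)
        _write(s / "EDIT.EXE", b"E" * 60_000 + b"V" * (2 * APPEND_STEP), later)
        # Copied again with a new date but identical bytes, and a program not on the master.
        _write(s / "UTIL.COM", b"U" * 9_000, later)
        _write(s / "DROPPER.COM", b"D" * 1_024, later)
        return compare(c, s)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:12} {path}")
```

Size and date are kept in the record because they are what the 1988 reader could check by hand with DIR, but the verdict never trusts them alone: a virus that pads itself back to the original size or restores the write date still changes the hash. To use this on a real machine, build the manifest of the master disks once, store it on write-protected media, and run the comparison from a system booted off a clean diskette, as the checklist's step 2 requires.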
