Viruses, Germs, and Worms

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Most virus software on the market today does this by creating what is called a “signature table,” which is, in essence, a list that contains strings of code found in viruses. Each virus has a unique code sequence, and when you attempt to do something like download a file, the virus software scans that file and tries to match a pattern between what is contained within its tables and what is contained within the code on your file. If it identifies a pattern, it alerts you to the kind of virus found and, depending on the software can either clean, repair or delete your file to eliminate the virus.

When a new virus code is found in the wild, software companies add its “signature” to their tables, and every month or so they post an update. That is why it is so important to keep your signature tables updated. If you don’t, you run the risk of your software not detecting the signatures of new viruses. Also, be advised that you usually cannot run more than one kind of anti-virus software at a time. They read one another’s signature tables and mistake the table for live viruses.

In order to protect against today’s viruses, worms, etc., you should be aware of the following distinctions:

A virus is a program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. In other words, they replicate and attach themselves to other files, usually executable code. Viruses have several things in common: they require a “host” program that has executable content; they replicate; and they can generally be detected by signature scanning. They can be separated into several categories:

1.File infectors attach themselves to ordinary program files. They usually infect .COM and/or .EXE programs, although some can infect any program containing executable code such as .SYS, .OVL, .DLL and .PRG files. The majority of file infectors hide themselves somewhere in memory the first time an infected program is executed, and then infect any program subsequently launched.

2.Macro viruses infect Microsoft Office documents (such as Word or Excel). They are generally written in a scripting language, except in Office 97 where they are written in Visual Basic for added power. These viruses are responsible for the majority of virus infections today, mostly due to the huge volume of files exchanged via email. Macro viruses can switch words around in documents, change colors on screens, format the hard drive, and send email without notifying the user.

3.System/boot infector viruses infect executable code found in certain system areas on a disk, which are not ordinary files. Some are ordinary boot-sector viruses, which infect only the DOS boot sector. Others are MBR viruses, which infect the Master Boot Records on fixed disks and the DOS boot sector on diskettes. Some viruses modify CMOS settings as well.

These are the most common viruses, but there are many, many more. For additional specific information, Dr. Solomon’s has an excellent white paper.

A Trojan is, in memory of the great original Trojan horse, a program that simply does something more than the user was expecting, and it is usually damaging. For example, a few years ago, there was a Trojan that was e-mailed to large numbers of people claiming “Click here and you can enter AOL for free!” The user was expecting a program that somehow allowed them to log onto AOL without paying for the service, and what they got instead was a Trojan that destroyed files on their drive. A Trojan’s behavior can resemble that of a virus, but it is not considered a virus in the traditional sense of the word. Trojans typically do not replicate, and they do not spread the same way viruses do.

A worm is similar to a virus in that it spreads from computer to computer and often causes damage along the way. However, unlike viruses, worms are self-contained programs that replicate themselves rather than infect other programs. Perhaps the most famous example of a worm that widely spread is the Morris Internet Worm, which, by exploiting debugging code in an early version of UNIX sendmail, caused over 6,000 Internet servers to become so busy replicating it back and forth between themselves that they were no longer able to be accessed by their legitimate users until reset. This was on the evening of November 2, 1988, when the Internet was still in its infancy. Damage, due to loss of system usability, was estimated to be as high as $10 million.

A dropper is a program that is not a virus, nor is it infected with a virus, but when executed it installs a virus into memory, onto the disk, or into a file. Essentially serve as a convenient carrier for a virus. Some anti-virus programs can detect droppers.

A germ is an instance of the virus in generation zero, and in such a form that the infection could not have happened naturally. For example, a germ might resemble a virus that only infects files larger than 5Kb, but it only infects a tiny 10-byte file. Alternatively, it might be an instance of the virus without any host file. If you remove the virus, you are left with a zero-byte file, which is the original file created by the virus author.

The newest threat on the Internet is malicious mobile code, known as a vandal. In contrast to viruses, vandals are *auto-executable* applications, likely to appear in the form of hostile Java applets, ActiveX controls, Javascript, or any number of programming languages (such as CGI) designed to enhance web pages. They can also be hidden in pushed content, e-mail attachments, or harmful plug-ins for Web browsers. In the news recently was the hacker group known as HFG (Hackers for Girls), who just hacked the New York Times’ Web site. This group is infamous for using a CGI script to gain access to a company’s corporate data. Another recent example involves the Hotmail software. When users of Hotmail accessed a certain site, a window appeared telling them they had been disconnected, and to please re-enter their user name and password to log back on. This was a completely false message, and the user name and password was sent back to the creator of the vandal. Other examples include vandals that insert transaction lines in Quicken software and similar programs.

Anyone really interested in learning more about viruses and virus prevention might want to visit some of the following sites: ICSA, Dr. Solomon’s Virus Center (part of Network Associates now), Symantec’s virus center, and eSafe.

There you have it — Virus 101.

Reprinted with permission from The Aventail Corporation

Related articles: