How Computer Viruses Work

Editor-in-Chief:

Prof. Riazuddin

Editorial Board:

Fawad Saeed (IT)

Adeel-ur-Rehman (IT)

M. Jamil Aslam (Physics)

Ijaz Ahmed (Physics)


Computer viruses tend to grab our attention. On the one hand, viruses show us how vulnerable we are. A properly engineered virus can have an amazing effect on the worldwide Internet. On the other hand, they show how sophisticated and interconnected human beings have become.

For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. (Times Online). Back in March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained. The ILOVEYOU virus in 2000 had a similarly devastating effect. That's pretty impressive when we consider that the Melissa and ILOVEYOU viruses are incredibly simple.

Types of Infection
When we listen to the news, we hear about many different forms of electronic infection. The most common are:

  • Viruses - A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.

  • E-mail viruses - An e-mail virus moves around in e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.

  • Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.

  • Trojan horses - A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when we run it (it may erase our hard disk). Trojan horses have no way to replicate automatically.

Early Cases: Executable Viruses
Early viruses were pieces of code attached to a common program like a popular game or a popular word processor. A person might download an infected game from a bulletin board and run it. A virus like this is a small piece of code embedded in a larger, legitimate program, and it is designed to run first when the legitimate program gets executed. The virus loads itself into memory and looks around to see if it can find any other programs on the disk. If it can find one, it modifies it to add the virus's code to the unsuspecting program. Then the virus launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time either of those programs gets executed, it infects other programs, and the cycle continues.

If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a bulletin board, then other programs get infected. This is how the virus spreads.

The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised if all they did was replicate themselves. Unfortunately, most viruses also have some sort of destructive attack phase where they do some damage. Some sort of trigger will activate the attack phase, and the virus will then "do something" -- anything from printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, or the number of times the virus has been replicated, or something similar.
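The infection and attack phases described above, as an added example that is not code from the original article. Nothing here touches a real file or executable: the "disk" is a dictionary of byte strings, "running" a program is a function call, and the marker string, payload and trigger count are constructed for the demonstration. The second half shows the two checks an antivirus product actually performs against such a virus: looking for its signature, and comparing each program against a hash baseline taken while the disk was clean.

```python
"""Toy model of a file-infecting virus, plus signature and integrity detection."""
import hashlib

MARKER = b"[TOY-VIRUS]"      # the signature a scanner would look for (constructed)
TRIGGER_GENERATION = 3       # attack phase fires once replication reaches this depth


def infect(host: bytes, generation: int) -> bytes:
    """Prepend the virus to a clean host so its code runs before the real program."""
    if host.startswith(MARKER):
        return host                      # already infected; avoid double infection
    return MARKER + generation.to_bytes(1, "big") + host


def run(disk: dict, name: str, log: list) -> None:
    """Simulate executing disk[name]: virus code first, then the host program."""
    image = disk[name]
    if image.startswith(MARKER):
        generation = image[len(MARKER)]
        # Infection phase: find one clean program on the disk and attach to it.
        for other, body in disk.items():
            if other != name and not body.startswith(MARKER):
                disk[other] = infect(body, generation + 1)
                break
        # Attack phase: the trigger here is replication depth (a date would work too).
        if generation >= TRIGGER_GENERATION:
            log.append(f"payload triggered by {name} (generation {generation})")
        image = image[len(MARKER) + 1:]  # then hand control to the real program
    log.append(f"ran {name}: {image.decode()}")


def scan_signature(disk: dict) -> list:
    """Signature-based detection: names of every program carrying MARKER."""
    return sorted(n for n, b in disk.items() if b.startswith(MARKER))


def baseline(disk: dict) -> dict:
    """Integrity baseline: SHA-256 of each program while the disk is still clean."""
    return {n: hashlib.sha256(b).hexdigest() for n, b in disk.items()}


def scan_integrity(disk: dict, base: dict) -> list:
    """Integrity detection: programs whose hash no longer matches the baseline."""
    return sorted(n for n, b in disk.items()
                  if hashlib.sha256(b).hexdigest() != base[n])


def simulate(runs: int = 6) -> dict:
    """Start with one infected download, run programs round-robin, report results."""
    disk = {                              # constructed "disk" of tiny programs
        "game.exe": b"game",
        "sheet.exe": b"spreadsheet",
        "edit.exe": b"editor",
        "calc.exe": b"calculator",
    }
    base = baseline(disk)                 # taken before anything is infected
    disk["game.exe"] = infect(disk["game.exe"], 1)   # the infected game from the BBS
    log = []
    names = list(disk)
    for i in range(runs):
        run(disk, names[i % len(names)], log)
    return {"signature": scan_signature(disk),
            "integrity": scan_integrity(disk, base),
            "log": log}


if __name__ == "__main__":
    for line in simulate()["log"]:
        print(line)
```

Running `simulate()` shows the chain the text describes: the game infects the spreadsheet, the spreadsheet infects the editor, and so on, with each host program still running normally so the user notices nothing. The two scanners agree on the result, but only the integrity scan would catch a variant whose marker had been changed, which is why file-integrity baselines still matter.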

Boot Sector Viruses

As virus creators got more sophisticated, they learned new tricks. One important trick was the ability to stay resident in memory, so the virus could keep running in the background as long as the computer remained on and infect programs as they were run rather than only those it found on disk. This gave viruses a much more effective way to replicate themselves. Another trick was the ability to infect the boot sector on floppy disks and hard disks. The boot sector is the first sector of a disk, and it holds a tiny program that the computer loads before anything else and that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee that it gets executed before the operating system and any antivirus software. It loads itself into memory immediately and is able to run whenever the computer is on. A boot sector virus can infect the boot sector of any floppy disk inserted in the machine, and on college campuses where lots of people share machines they spread like wildfire.
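The layout of a PC boot sector, and the check a practitioner would run against it, as an added example that is not from the original article. The 512-byte master boot record is built here from scratch (constructed sample data), so nothing is read from a real disk; on a Linux machine the same bytes could be taken with `dd if=/dev/sda bs=512 count=1` and compared against a digest recorded when the machine was known to be clean. The point the example makes is that a boot sector virus replaces the loader code but leaves the partition table and the 0x55AA signature intact, so the disk still boots normally and only the hash of the code reveals the change.

```python
"""Parse a 512-byte master boot record and compare its boot code to a baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 on every valid MBR
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble an MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code does not fit in 446 bytes")
    table = b""
    for bootable, ptype, lba_start, sectors in partitions:
        table += struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00,
                             b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    table = table.ljust(4 * 16, b"\0")           # unused entries are all zero
    return boot_code.ljust(BOOT_CODE_SIZE, b"\0") + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code, partition entries and signature validity."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype:                                 # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_SIZE],
            "partitions": parts,
            "signature_ok": sector[510:] == BOOT_SIGNATURE}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the loader code only; the partition table changes legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_boot_sector(sector: bytes, baseline_digest: str) -> list:
    """Return findings; an empty list means the sector looks as it did at baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code changed since baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def demo() -> dict:
    # Constructed clean MBR: a stub loader and one bootable NTFS-type (0x07) partition.
    clean_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"stub loader"
    clean = build_mbr(clean_code, [(True, 0x07, 2048, 1_000_000)])
    base = boot_code_digest(clean)
    # A boot sector virus overwrites the loader with its own code but keeps the
    # partition table and signature, so the machine still boots and looks fine.
    infected = b"virus loads first".ljust(BOOT_CODE_SIZE, b"\0") + clean[BOOT_CODE_SIZE:]
    return {"clean": check_boot_sector(clean, base),
            "infected": check_boot_sector(infected, base)}


if __name__ == "__main__":
    print(demo())
```

The baseline digest has to be recorded from a known-good state and stored off the machine, since a virus that can write the boot sector can also rewrite a hash kept on the same disk. This is the same idea behind the boot sector protection the text mentions: modern firmware and operating systems refuse unexpected writes to that sector, and a measured or secure boot chain extends the hash comparison to the rest of the boot path.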

In general, neither executable nor boot sector viruses are very threatening any more. The first reason for the decline has been the huge size of today's programs. Nearly every program you buy today comes on a compact disc. A pressed compact disc cannot be modified, so a program on it cannot be infected after the disc is made. The programs are so big that the only easy way to move them around is to buy the CD; people certainly can't carry applications around on a floppy disk like they did in the 80s. Boot sector viruses have also declined because operating systems now protect the boot sector.

An Ounce of Prevention
We can protect ourselves against viruses with a few simple steps:

  • If we are truly worried about traditional (as opposed to e-mail) viruses, we should be running a more secure operating system like UNIX. Viruses are far rarer on these operating systems, largely because an ordinary user account cannot modify the operating system or other users' programs, so an infected program running under that account has very few other executables it is allowed to write to, and unwanted human visitors face the same barrier.

  • If we are using an unsecured operating system, then buying virus protection software is a nice safeguard.

  • If we simply avoid programs from unknown sources (like the Internet), and instead stick with commercial software purchased on CDs, we eliminate almost all of the risk from traditional viruses. In addition, we should disable floppy disk booting -- most computers now allow us to do this, and that will eliminate the risk of a boot sector virus coming in from a floppy disk accidentally left in the drive.

  • We should make sure that Macro Virus Protection is enabled in all Microsoft applications, and we should NEVER run macros in a document unless we know what they do. There is seldom a good reason to add macros to a document, so avoiding all macros is a great policy.

  • We should never double-click on an e-mail attachment that contains an executable. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files that are opened by another program rather than run, so they are far less dangerous (with the exception of the macro virus problem in Word and Excel documents mentioned above). A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Once we run it, we have given it permission to do anything on our machine. Note that Windows hides known file extensions by default, so an attachment named LOVE-LETTER.TXT.vbs is displayed as LOVE-LETTER.TXT; it is the final extension that decides what happens on a double-click. The only defense is to never run executables that arrive via e-mail.
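The attachment rules in the last two items, written out as a triage function; this is an added example, not code from the original article. It goes one step beyond the text: besides looking at the final extension it catches double extensions such as "photo.jpg.exe", and it compares the claimed type against the file's leading bytes (the magic number), so an executable renamed to look like an image is still flagged. The list of executable extensions, the magic numbers and the sample attachments are constructed for the demonstration; the long filename is modelled on the ILOVEYOU attachment.

```python
"""Classify e-mail attachments by extension, double extension and content."""

# Extensions that Windows will execute on a double-click (constructed list).
EXECUTABLE_EXTENSIONS = {"exe", "com", "vbs", "bat", "scr", "pif", "js"}
# Document formats that can carry macros and so deserve a warning, not a block.
MACRO_CAPABLE_EXTENSIONS = {"doc", "xls", "dot"}
# Leading bytes that identify the real file type (magic numbers).
MAGIC = {
    "exe": [b"MZ"],                   # DOS/Windows executable header
    "doc": [b"\xd0\xcf\x11\xe0"],     # OLE compound document (also .xls)
    "xls": [b"\xd0\xcf\x11\xe0"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
}


def extensions(filename: str) -> list:
    """All extensions, lowercased: 'LOVE-LETTER-FOR-YOU.TXT.vbs' -> ['txt', 'vbs']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage(filename: str, content: bytes) -> dict:
    """Return allow / warn / block for one attachment, with the reasons."""
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    block, warn = [], []
    if final in EXECUTABLE_EXTENSIONS:
        block.append(f"executable extension .{final}")
        if len(exts) > 1:
            # Explorer hides the last extension by default, so the user sees .{exts[-2]}.
            block.append(f"double extension: displayed as .{exts[-2]} with extensions hidden")
    elif content.startswith(b"MZ"):
        block.append("Windows executable header (MZ) under a non-executable name")
    expected = MAGIC.get(final)
    if expected and not any(content.startswith(m) for m in expected):
        warn.append(f"content does not look like a .{final} file")
    if final in MACRO_CAPABLE_EXTENSIONS:
        warn.append("document format can carry macros; open only with macros disabled")
    verdict = "block" if block else "warn" if warn else "allow"
    return {"name": filename, "verdict": verdict, "reasons": block + warn}


def demo() -> dict:
    """Constructed sample attachments: name -> first bytes of the body."""
    samples = {
        "report.doc": b"\xd0\xcf\x11\xe0" + b"\0" * 16,
        "holiday.JPG": b"\xff\xd8\xff\xe0" + b"\0" * 16,
        "LOVE-LETTER-FOR-YOU.TXT.vbs": b"rem VBScript\r\n",
        "photo.jpg": b"MZ\x90\x00" + b"\0" * 16,     # an executable renamed to .jpg
        "setup.exe": b"MZ\x90\x00" + b"\0" * 16,
        "notes.gif": b"not really a gif",
    }
    return {name: triage(name, body)["verdict"] for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5}  {name}")
```

A mail gateway or desktop filter applies exactly this kind of rule before the user ever sees the attachment. The content check matters because an extension is only a label: a file that claims to be a GIF but does not start with a GIF header has been tampered with or mislabelled, and either way it should not be opened with the application the name suggests.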