Tutor.JUNE.
NEW 14/05/01 8:21 PM Page 2
tutor
TYPES OF VIRUS
KNOW YOUR
ENEMY
Viruses can send annoying emails to your friends or wipe out your system. Knowing
more about the enemy may spare hours of lost time and the hea rt a che of losing data.
Here we show you how you can protect yourself and keep your PC virus-free.
echnological old timers – that is to
T say, those of us who were comput-
ing before the advent of the Internet
– remember when getting your sys-
tem infected by malicious software, or “mal-
ware,” was actually relatively difficult. Back then,
you’d most often get a virus by booting your
machine from an infected floppy disk or by
downloading and running programs from a
computer bulletin board system (BBS).
For better or worse, those days are gone for-
ever. Now that connectivity is cheap and e-mail
is ubiquitous, the Internet has become the pri-
mary means by which malware spreads. One
careless click can wipe out valuable files, clog
your company’s servers, render your computer
unable to boot, or broadcast material of ques-
tionable taste to friends, relatives, and business
contacts – with your name on the From line.
When malware interferes with your work,
damages or disables your system, or does any-
thing other than propagate itself, this nasty behav-
iour is called a payload. Sometimes, as in the
case of the Michelangelo and Chernobyl virus-
es, the payload is not released immediately but
on a pre-programmed date in the future. This
gives the malware time to propagate before
making its presence known and before disabling
the host.
To avoid these hazards, you’ll need to under-
112 June 2001
stand how to detect and disarm malware and
spot the telltale signs of hoaxes. The sections
that follow describe the most common types of
malware and how to avoid each.
A MALWARE BESTIARY
Malware is usually classified according to two
traits: where it hides and how it spreads. Because
the terminology was created before the age of
the Internet, though, malware doesn’t always fit
cleanly into any one classification within these
two categories (hence David Smith’s embedded
message in Melissa, the virus he authored:
“Worm? Macro Virus? Word 97 Virus? Word 2000
Virus? You Decide!...it’s a new age!”). Nonethe-
less, understanding the traditional categories of
malicious software is useful.
BOOT SECTOR VIRUSES AND FILE
INFECTORS
Before the Internet was open to the general pub-
lic, booting from an infected floppy disk was
the most common way to introduce a virus into
your machine. This would unleash a boot sec-
tor virus – malicious code contained in the flop-
py disk’s boot sector (the area that stores the
instructions that tell the computer how to load
the operating system). The virus would copy
itself to the hard drive’s boot sector, then to every
write-enabled floppy disk inserted into the
www.DITnet.co.ae
machine.
A few boot sector viruses have somewhat dra-
matic payloads. The MS-DOS virus Cascade, for
example, makes the characters on your display
appear to fall to the bottom in a heap. Others,
such as the Stoned virus, systematically degrade
performance. Still others have no obvious pay-
load and seem to exist only to propagate.
Some boot sector viruses are also file infec-
tors (though not all file infectors are boot sector
viruses). File infectors modify the programs you
use, inserting code that runs when you execute
the altered programs. Other files on your hard
drive can then become infected, as can floppy
disk boot sectors and files. File infectors can leap
across a network to manipulate shared files and
can deliver a payload. To avoid arousing suspi-
cion and, as a result, enjoy more opportunities
to propagate, such viruses generally permit
infected files to run.
To avoid both boot sector viruses and file infec-
tors, run a commercial antivirus program. Near-
ly all do an excellent job of detecting and pre-
venting the spread of such viruses. You should
also enable any antiviral feature in your system’s
bios that prevents programs from writing to boot
sectors. Some file infectors can propagate in the
same way as worms and Trojan horses (which
we cover below), so taking the measures rec-
ommended for these categories also pays.
■ www.pcmag-mideast.com
Tutor.JUNE.NEW 14/05/01 8:21 PM Page 3
MACRO VIRUSES
Documents created by many productivity appli-
cations can contain programs called macros that
start when a document is opened, when they are
selected from a menu, or when a combination
of keys is pressed. A macro virus is a file infec-
tor that hides inside such documents. Microsoft
Word files are the most frequent carriers, but
Excel spreadsheets and other document types
are also targets. Microsoft has taken a few mea-
sures, in recent versions of its Office suite, to
make such viruses harder to write. But millions
of people still use older, unprotected versions,
and virus writers have taken on the challenge
of bypassing newer safeguards with gusto.
To avoid macro viruses, set whatever securi-
ty features the application has to High, or dis-
able macros altogether. Be wary of opening
documents that arrive unexpectedly – even if
they appear to come from someone you know.
(Many macro viruses, including Melissa, spread
like Trojan horses or worms, mailing themselves
to everyone in a victim’s address book without
that person’s knowledge.) Again, use and reg-
ularly update antivirus software. Finally, ask
your ISP or company network administrator
whether incoming email messages can be
scanned for potentially dangerous attachments
before hitting your mailbox.
TROJAN HORSES
Like the wooden horse that figured so promi-
nently in Homer’s Iliad, a Trojan horse program
masquerades as something it is not, to persuade
a user to let it into the system. In the BBS era,
such programs often impersonated new ver-
sions of commonly used programs, such as the
PKZIP file compression utility. A more recent
www.DITnet.co.ae ■ www.pcmag-mideast.com
types of virus | know what you’re up against
example: the Anna Kournikova Tro j a n
horse/worm program, which arrived in users’
electronic mailboxes appearing to be a picture
of the attractive Russian tennis star.
Although some malware can propagate with-
out user intervention, most of the malware to
which Internet and email users are likely to be
exposed takes the form of a Trojan horse in at
least one phase of its life cycle. Note that Tro-
jan horses can’t do their dirty work unless acti-
vated by the user. It is therefore vitally impor-
tant that you know exactly what you are run-
ning, launching or opening – especially when
it comes as an attachment to email.
In many cases, a Trojan horse will attempt to
conceal its true nature by arriving as a file with
multiple extensions – for example,
AnnaKournikova.jpg.vbs. This type of filename
exploits the fact that Windows, like many Win-
dows email programs, uses the last extension at
the end of the filename to choose an icon to
represent the file. The name is then displayed,
minus the final extension and the period that
precedes it, next to the icon.
Such a multiple-extension exploit is a dead
giveaway that an attachment is malicious.
Recipients of the Anna Kournikova program
who use Outlook or Outlook Express see the
attached file containing the worm as an icon
with a scroll in it. Next to the icon is the name
AnnaKournikova.jpg. The script icon, which
contains an image of a scroll, looks at first
glance as if it might represent some type of
photographic film, and the displayed name
makes the file appear to be a jpeg image. So,
many users clicked on the icon expecting to see
a picture.
To avoid Trojan horses, users must take great
care to avoid running a program that can work
its will on their machines. This means scrutin-
ising all email attachments and downloading
programs from trusted sources only. Antivirus
software can identify well known or wide-
spread Trojan horses, but versions of malware
that are modified in only minor ways can often
slip through. What’s more, antivirus vendors
can be slow to provide patterns for the latest
Trojan horses, sometimes taking up to ten days
to make new pattern files available for down-
load. So it is extremely useful to install heuris-
tic filters (that is, filters that identify and quar-
antine suspicious email according to a set of
rules) on one’s mail server. (If you rely on your
ISP’s mail server, encourage your provider to
do this.) Such filters require some technical
expertise to set up and should be installed by
a network administrator.
WORMS
A worm is malware that propagates from
machine to machine without human interven-
tion. The most famous program of this ilk was
unleashed by Robert Tappan Morris, Jr., the son
of a noted computer security expert, in 1988.
Taking advantage of known security holes in
commonly used software, it used the comput-
ing power of each infected machine to break
into others, spreading like wildfire between sys-
tems made by Digital Equipment and Sun.
While the “Morris worm” didn’t intentionally
pack a harmful payload, it had a bug in the part
of code that was supposed to limit its repro-
ductive zeal. As a result, its overeager attempts
to spread itself consumed most of an infected
machine’s resources, crippling a substantial frac-
tion of the computers on the Internet. (Surpris-
June 2001 113
Tutor.JUNE.NEW 14/05/01 8:21 PM Page 4

tutor
TYPES OF VIRUS
ingly, despite this rude wake-up call, few seri-
ous security measures were taken on the Inter-
net until years later.)
Today, only a few true worms exist in the
wild on the Internet. One of these, called Kak-
worm, was said to be instrumental in a break-
in at Microsoft that may have allowed hackers
access to Windows source code. Exploiting
security holes in Outlook Express, Internet
Explorer and ActiveX, it infects a machine when
you read email – without requiring that you
click on an attachment. Other security holes in
Outlook and Outlook Express may make it fea-
sible to create even more virulent worms of this
type, but fortunately none are widespread yet.
Another worm, called Ramen, spre a d s
between machines running widely used ver-
sions of Red Hat Linux. Although this worm
was initially easy to find and get rid of, new
versions have surfaced that employ a rootkit –
a series of programs designed to hide the
w o rm’s presence and make it difficult to
remove. The new mutations also can infect
some systems that were not susceptible to the
original.
Alas, because they do not require user inter-
action, worms can’t be caught by an alert user.
But antivirus software and firewalls can detect
many such programs, and heuristic e-mail filters
can provide an extra layer of protection. Dis-
abling risky features, such as the Windows
Scripting Host and ActiveX, may reduce your
system’s susceptibility to worms.
Finally, using operating systems and software
with a proven security track record (such as the
three open-source versions of BSD Unix –
FreeBSD, NetBSD and OpenBSD) reduces the
likelihood that a worm will be able to get in
and wreak mischief.
MONGREL MALWARE
Recently, malware has surfaced that combines
the traits of viruses, worms, and Trojan horses.
Most of the pesky programs spreading through-
out the Net these days can be classified as Tro-
jan worms – a hybrid between Trojan horses
and worms. A Trojan worm requires a user to
activate it, as does a Trojan horse, before it can
infect a computer. But once this is done, it takes
control of the machine and sends itself – via e-
mail, Internet Relay Chat, or other means – to
other systems without further intervention.
Trojan worms resort to all sorts of unusual
and clever tactics to persuade users to activate
them. The Hybris Trojan worm promises recip-
ients a ribald tale involving Snow White and
the seven dwarfs. One common type of Trojan
worm, often called a Friends and Family virus
after MCI’s famous marketing program for long-
distance services, disguises messages bearing
the worm so that they appear to have been sent
by someone familiar. While Melissa, I Love You,
and many other Trojan worms use this trick,
ExploreZip is perhaps the most subtle. It oper-
ates as an email auto-responder, replying imme-
diately to incoming mail with a message that
reads: “I received your email, and I shall send
you a reply ASAP. Till then, take a look at the
attached zipped docs.” Attached to the mes-
sage is an executable file that appears at first
glance to be a self-extracting archive file. It is
actually a copy of the worm.
ExploreZip is effective because the Subject:
header of the automatic response matches that
of a recently sent message and the From:
address is that of the person to whom it was
sent. Unless the correspondent is on guard or
has an up-to-date virus checker, he or she is
likely to believe that the automatically generated
message is part of an ongoing conversation and
trustingly run the attachment. Unfortunately,
this particular worm carries a nasty payload: it
destroys files not only on the victim’s hard disk
but on any shared drives or directories to which
that victim has access.
INTERNET PEST CONTROL
In general, you can keep most Internet pests in
check by being observant, maintaining a healthy
skepticism about what you receive via email,
and employing proper tools. Whatever else you
do, using a good antivirus program with up-
to-date patterns is essential. You would also be
wise to install – or use an ISP that has installed
– tools that scan email for suspicious content
before it arrives on your machine. (This may
be the only effective defense against “true
worms” that spread via e-mail without user
intervention.) Backups are also vital, since some
malware destroys valuable files irretrievably.
Of course, even if you take all of these precau-
tions, you may still fall victim to malware that
unexpectedly penetrates your defenses. But if
you’re on your guard, the odds of serious dam-
age will be greatly reduced.

MALICIOUS MESSAGES
mail can also contain security Because an image incorporated in HTML damage or install other malware.

E exploits that, while they don’t

propagate themselves as viruses
or worms do, may compromise
your privacy or make your computer unus-
able. For example, an HTML message con-
taining an image tag will cause most email
programs to retrieve the image automatically
when the mail is read. If your email address
(or any other information that uniquely iden-
tifies you) is included in the image tag (for
example, <img src=”http://images.spam-
mer.com/picture.jpg?innocent@user.com”>),
a spammer can determine from his or her
Web server logs that the address is valid and
that you’ve opened the spam. You’ll then be
tagged as a live prospect for more spam. This
sort of identifying image tag is sometimes
called a mail bug.
mail is usually retrieved via HTTP (the Hyper-
text Transfer Protocol), the server may also
be able to place a cookie on your system.
(Note that the most popular email clients use
browser software to render mail. Outlook,
Outlook Express, and AOL use Microsoft Inter-
net Explorer; Netscape Communicator uses
Netscape Navigator; Opera uses its own inter-
nal HTML rendering software, and Eudora uses
Internet Explorer unless explicitly configured
not to do so.) And you may not know that any
invasion of privacy has taken place, especial-
ly if the image is tiny or invisible (a clear GIF or
Web bug). An email message may also contain
“active content exploits”—calls to suscepti-
ble ActiveX controls on Windows machines.
Such security holes can be used to extract per-
sonal information from your computer, do
A hostile script embedded in email can also
“take control” of your machine by opening
an advertising or pornographic Web page in
your browser. It can then prevent you from
closing the window or shifting the focus. A
malicious script can freeze the browser or the
entire machine. A message with intentional for-
matting errors may crash some vulnerable
email software, too.
Fortunately, this genre of malware is still in
its infancy, but it’s sure to become more com-
mon as the techniques for creating it become
better known. The best way to avoid email
exploits that use image tags or active content
is to employ a filter that disables them before
the message reaches you. Such filters are
already available for use on mail servers run
by ISPs and companies.

114 June 2001 www.DITnet.co.ae ■ www.pcmag-mideast.com