A virus reproduces, usually without your permission or

knowledge. In general terms they have an infection phase

where they reproduce widely and an attack phase where
they do whatever damage they are programmed to do (if
any). There are a large number of virus types.

Viruses are a cause of much confusion and a target of considerable misinformation even from some

virus experts. Let's define what we mean by virus:

A virus is a program that reproduces its own code by

attaching itself to other executable files in such a way
that the virus code is executed when the infected
executable file is executed.

You could probably also say that the virus must do this without the permission or knowledge of the

user, but that's not a vital distinction for purposes of our discussion here. We are using a broad

definition of "executable file" and "attach" here.

An obvious example of an executable file would be a program (COM or EXE file) or an overlay or

library file used by an EXE file. Less obvious, but just as critical, would be the macro portion of what

you might generally consider to be a data file (e.g., a Microsoft Word document). It's important to

also realize that the system sectors on either a hard or floppy disk contain executable code that can

be infected--even those on a data disk. More recently, scripts written for Internet Web sites and/or

included in E-mail can also be executed and infected.

To attach might mean physically adding to the end of a file, inserting into the middle of a file, or

simply placing a pointer to a different location on the disk somewhere where the virus can find it.

Most viruses do their job by placing self-replicating code in other programs, so that when those

other programs are executed, even more programs are infected with the self-replicating code. This

self-replicating code, when triggered by some event, may do a potentially harmful act to your

computer.
Another way of looking at viruses is to consider them to be programs written to create copies of

themselves. These programs attach these copies onto host programs (infecting these programs).

When one of these hosts is executed, the virus code (which was attached to the host) executes, and

links copies of itself to even more hosts.

Similar to viruses, you can also find malicious code in Trojan Horses, worms, and logic bombs. Often

the characteristics of both a virus and a worm can be found in the same beast; confusing the issue

even further.

Note: The balance between viruses, worms, and Trojan Horses changes from time to time. In the

early days of such malware viruses tended to dominate. Various macro viruses/worms appeared

later as the dominate form and by around 2005 or so Trojan Horses started to be more prominent

and by early 2008 they were, by far, the dominant malware.

Before looking at specific virus types you might also want to consider the following general

discussions:

Virus Behavior

Virus writers have to balance how and when their viruses

infect against the possibility of being detected. Therefore,
the spread of an infection may not be immediate.

Viruses need time to infect. Not all viruses attack, but all use system resources and often have

bugs.

Viruses come in a great many different forms, but they all potentially have two phases to their

execution, the infection phase and the attack phase.

Infection Phase

When the virus executes it has the potential to infect other programs. What's often not clearly

understood is precisely when it will infect the other programs. Some viruses infect other programs

each time they are executed; other viruses infect only upon a certain trigger. This trigger could be
anything; a day or time, an external event on your PC, a counter within the virus, etc. Virus writers

want their programs to spread as far as possible before anyone notices them.

It is a serious mistake to execute a program a few times - find nothing infected and presume there

are no viruses in the program. You can never be sure the virus simply hasn't yet triggered its

infection phase.

Many viruses go resident in the memory of your PC in the same or similar way as terminate and

stay resident (TSR) programs. (For those not old enough to remember TSRs, they were programs

that executed under DOS but stayed in memory instead of ending.) This means the virus can wait

for some external event before it infects additional programs. The virus may silently lurk in memory

waiting for you to access a diskette, copy a file, or execute a program, before it infects anything.

This makes viruses more difficult to analyze since it's hard to guess what trigger condition they use

for their infection.

On older systems, standard (640K) memory is not the only memory vulnerable to viruses. It is

possible to construct a virus which will locate itself in upper memory (the space between 640K and

1M) or in the High Memory Area (the small space between 1024K and 1088K). And, under Windows,

a virus can effectively reside in any part of memory.

Resident viruses frequently take over portions of the system software on the PC to hide their

existence. This technique is called stealth. Polymorphic techniques also help viruses to infect yet

avoid detection.

Note that worms often take the opposite approach and spread as fast as possible. While this makes

their detection virtually certain, it also has the effect of bringing down networks and denying

access; one of the goals of many worms.

Attack Phase

Many viruses do unpleasant things such as deleting files or changing random data on your disk,

simulating typos or merely slowing your PC down; some viruses do less harmful things such as

playing music or creating messages or animation on your screen. Just as the infection phase can be

triggered by some event, the attack phase also has its own trigger.
Does this mean a virus without an attack phase is benign? No. Many viruses have bugs in them and

these bugs often cause unintended negative side effects. In addition, even if the virus is perfect, it

still steals system resources. (Also, see the "good" virus discussion.)

Viruses often delay revealing their presence by launching their attack only after they have had

ample opportunity to spread. This means the attack could be delayed for days, weeks, months, or

even years after the initial infection.

The attack phase is optional, many viruses simply reproduce and have no trigger for an attack

phase. Does this mean that these are "good" viruses? No! Anything that writes itself to your disk

without your permission is stealing storage and CPU cycles. (Also see the "good" virus discussion.)

This is made worse since viruses that "just infect," with no attack phase, often damage the

programs or disks they infect. This is not an intentional act of the virus, but simply a result of the

fact that many viruses contain extremely poor quality code.

An an example, one of the most common past viruses, Stoned, is not intentionally harmful.

Unfortunately, the author did not anticipate the use of anything other than 360K floppy disks. The

original virus tried to hide its own code in an area of 1.2MB diskettes that resulted in corruption of

the entire diskette (this bug was fixed in later versions of the virus).

Number of Viruses

There were over 50,000 computer viruses in 2000 and

that number was then and still is growing rapidly.
Sophos, in a print ad in June 2005 claims "over 103,000
viruses." And, Symantec, in April 2008 is reported to
have claimed the number is over one million.
Fortunately, only a small percentage of these are
circulating widely.
There are more MS-DOS/Windows viruses than all other types of viruses combined (by a large

margin). Estimates of exactly how many there are vary widely and the number is constantly

growing.

In 1990, estimates ranged from 200 to 500; then in 1991 estimates ranged from 600 to 1,000

different viruses. In late 1992, estimates were ranging from 1,000 to 2,300 viruses. In mid-1994,

the numbers vary from 4,500 to over 7,500 viruses. In 1996 the number climbed over 10,000.

1998 saw 20,000 and 2000 topped 50,000. It's easy to say there are more now. Indeed, in April

2008, the BBC reported that Symantec now claims "that the security firm's anti-virus programs

detect to 1,122,311" viruses and that "almost two thirds of all malicious code threats currently

detected were created during 2007."

The confusion exists partly because it's difficult to agree on how to count viruses. New viruses

frequently arise from someone taking an existing virus that does something like put a message out

on your screen saying: "Your PC is now stoned" and changing it to say something like "Donald Duck

is a lie!". Is this a new virus? Most experts say yes. But, this is a trivial change that can be done in

less than two minutes resulting in yet another "new" virus.

More confusion arises with some companies counting viruses+worms+Trojans as a unit and some

not.

Another problem comes from viruses that try to conceal themselves from scanners by mutating. In

other words, every time the virus infects another file, it will try to use a different version of itself.

These viruses are known as polymorphic viruses.

One example, the Whale (an early, huge, clumsy 10,000 byte virus), creates 33 different versions

of itself when it infects files. At least one vendor counted this as 33 different viruses on their list.

Many of the large number of viruses known to exist have not been detected in the wild but probably

exist only in someone's virus collection.

David M. Chess of IBM's High Integrity Computing Laboratory reported in the November 1991 Virus

Bulletin that "about 30 different viruses and variants account for nearly all of the actual infections

that we see in day-to-day operation." In late 2007, about 580 different viruses, worms, and Trojans
(and some of these are members of a single family) account for all the virus-related malware that

actually spread in the wild. To keep track visit the Wildlist , a list which reports virus sightings.

How can there be so few viruses active when some experts report such high numbers? This is

probably because most viruses are poorly written and cannot spread at all or cannot spread without

betraying their presence. Although the actual number of viruses will probably continue to be hotly

debated, what is clear is that the total number of viruses is increasing, although the active viruses

not quite as rapidly as the numbers might suggest.

Summary

• By number, there are well over 100,000 known computer viruses.

• Only a small percentage of this total number account for those viruses found in the wild,

however. Most exist only in collections.

A virus' name is generally assigned by the first

researcher to encounter the beast. The problem is that
multiple researchers may encounter a new virus in
parallel which often results in multiple names.

What's in a name? When it comes to viruses it's a matter of identification to the general public. An

anti-virus program does not really need the name of a virus as it identifies it by its characteristics.

But, while giving a virus a name helps the public at large it also serves to confuse them since the

names given to a particular beast can differ from anti-virus maker to anti-virus maker.

How? Why? Much as they would like to, the virus writers do not get to name their beasts. Some

have tried by putting obvious text into the virus but most of the anti-virus companies tend to ignore

such text (mostly to spite the virus writers ). And, any virus writer that insists on a particular

name has to identify themselves in the process--something they usually don't want to do. So, the

anti-virus companies control the virus naming process. But, that leads to the naming problem.

Viruses come into various anti-virus companies around the world at various times and by various

means. Each company analyzes the virus and assigns a name to it for tracking purposes. While
there is cooperation between companies when new viruses are identified, that cooperation often

takes a back seat to getting a product update out the door so the anti-virus company's customers

are protected. This delay allows alternate names to enter the market. Over time these are often

standardized or, at least, cross-referenced in listings; but that does not help when the beast makes

its first appearance.

This problem/confusion will continue. One practical and well documented example of how it affects a

real-world virus listing can be seen at the WildList site on the page...

http://www.wildlist.org/naming.htm

One attempt at bringing some order to the naming problem is Ian Whalley's VGrep [registration

required to view page]. VGrep attempts to collect all of the various virus names and then correlates

them into a single searchable list. While useful, there is, again, the lag time necessary to collect and

correlate the data.

So, get used to viruses having different names. As Shakespeare said...

What's in a name? That which we call a rose

By any other name would smell as sweet...

Another attempt is the database at VirusPool which "...tries to put information from all known

infections and antivirus creators into one place so you can compare names and results." I wish them

the best of luck.

A new site to try to correlate malware names: CME - Common Malware Enumeration. CME

provides single, common identifiers to new virus threats to reduce public confusion during malware

outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses

and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing

capability for malware.

Finally, some vendors have largely given up with naming specific malware and resorting to generic

names for the type of malware (e.g., Troj/Agent). The malware is being generated faster than the

naming system can reasonably keep up. Look for this to probably continue. Of course, this will then

mean changes to the specific methods of disinfection as you would no longer be able to download a

specific disinfector for a named beast. Time will tell how this develops.
Summary

• Virus naming is a function of the anti-virus companies. This results in different names for

new viruses.

• Different names can cause confusion for the public but not anti-virus software which looks

at the virus, not its "name."

How Serious are Viruses?

While serious if you have one, viruses are only one way
your data can be damaged. You must be prepared for all
threats; many of which are more likely to strike than
viruses.

It's important to keep viruses in perspective. There are many other threats to your programs and

data that are much more likely to harm you than viruses. A well known anti-virus researcher once

said that you have more to fear from a cup of coffee (which may spill) than from viruses. While the

growth in number of viruses, the introduction of the Microsoft Word macro viruses, VisualBasic

Script worms, and socially-engineered Trojans now puts this statement into question (even though

you can avoid these by just not clicking on them to open them!), it's still clear that there are many

dangerous occurrences of data corruption from causes other than from viruses.

So, does this mean that viruses are nothing to worry about? Emphatically, no! It just means that

it's foolish to spend much money and time on addressing the threat of viruses if you've done

nothing about the other more likely threats to your files. Because viruses and worms are

deliberately written to invade and possibly damage your PC, they are the most difficult threat to

guard against. It's pretty easy to understand the threat that disk failure represents and what to do

about it (although surprisingly few people even address this threat). The threat of viruses is really

no different; lost concentration or a zero-day attack can give you the same kind of problem a lost

hard drive can. There are no "cures" for the virus problem. One just has to take protective steps

with anti-virus software and use common sense when dealing with unknown files and Web links.
Summary

• While viruses are a serious threat, there are other, probably more serious, threats to your

data.

• If you have not taken precautions (e.g., regular backup) against general threats you have

not properly protected your computer.

Are There Good Viruses?

The general consensus is that there are none.

By definition, viruses do not have to do something bad. An early (and current) virus researcher,

Fred Cohen, has argued that good computer viruses are a serious possibility. In fact, he has offered

a reward of $1,000 for the first clearly useful virus; but, he hasn't paid yet.

Most researchers, however, take the other side and argue that the use of self-replicating programs

are never necessary; the task that needs to be performed can just as easily be done without the

replication function.

Vesselin Bontchev has written a paper originally delivered at the 1994 EICAR conference, titled Are

"Good" Computer Viruses Still a Bad Idea?. The paper covers all aspects of the topic. As of this

writing, the paper is available at:

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

Lest you think others have not been thinking about this, here are some of the proposals (from the

above-referenced paper) for a good virus that have not worked out:

• The "Anti-Virus" Virus. Several people have had the idea to develop an "anti-virus" virus;

a virus which would be able to locate other (presumably malicious) computer viruses and

remove them.

• The "File Compressor" Virus. This is one of the oldest ideas for "beneficial" viruses. The

idea consists of creating a self-replicating program, which will compress the files it infects,

before attaching itself to them.

 • The "Disk Encryptor" Virus. This virus has been published. The idea is to write a boot

sector virus, which encrypts the disks it infects with a strong encryption algorithm (IDEA in

this particular case) and a user-supplied password to ensure the privacy of the user's data.

• The "Maintenance" Virus. The idea consists of a self-contained program, which spawns

copies of itself across the different machines in a network (thus acting more like a worm)

and performing some maintenance tasks on those machines (like deleting temporary files).

All of the above viruses fail one or more of the standard measures typically used to judge if a virus

is "good" or not. These are (again, from the above-referenced paper):

• Technical Reasons

o Lack of Control. Once released, the person who has released a computer virus

has no control on how this virus will spread.

o Recognition Difficulty. In general it is not always possible to distinguish between

a virus and a non-virus program. There is no reason to think that distinguishing

between "good" and "bad" viruses will be much easier. Many people are relying on

generic anti-virus defenses (e.g., activity monitoring and/or integrity checking)

which will trigger a response to changes.

o Resource Wasting. A computer virus eats up disk space, CPU time, and memory

resources during its replication.

o Bug Containment. A computer virus can easily escape a controlled environment.

o Compatibility Problems. A computer virus that attaches itself to user programs

would disable several programs on the market that perform a checksum on

themselves at runtime.

• Ethical and Legal Reasons

o Unauthorized Data Modification. It is usually considered unethical to modify

other people's data without their authorization. In many countries this is also

illegal.
 o Copyright and Ownership Problems. In many cases, modifying a particular

program could mean that copyright, ownership, or at least technical support rights

for this program are voided.

o Possible Misuse. An attacker could use a "good" virus as a means of

transportation to penetrate a system.

o Responsibility. Declaring some viruses as "good" and "beneficial" would just

provide an excuse to the crowd of irresponsible virus writers to condone their

activities and to claim that they are actually doing some kind of "research."

• Psychological Reasons

o Trust Problems. Users like to think that they have full control on what is

happening in their machine.

o Negative Common Meaning. For most people, the word "computer virus" is

already loaded with negative meaning.

Summary

• While frequently discussed, the general consensus is that there is no task that requires a

virus.

Why Do People Write Viruses?

There are many reasons from simple boredom to

criminal activity for making money.

Back in the dim mists of time, most virus writers were people who just wanted to test the system

and push the envelope. They delighted in finding a way to insert their code into places where others

might not find it and held contests of sorts to see who could do what the fastest during various

conferences.
Another common reason for writing viruses was to "punish" users for some perceived infraction. The

Brain virus, for example, was said to have been written to punish users of illegal copies of software

(software pirates). Users could become legitimate by contacting Brain Computer Services for help.

The early virus writer Dark Avenger, in an interview with Sarah Gordon , put it this way:

The innocent users would be much less affected if they bought all the software they used (and from
an authorized dealer) and if they used it in the way they are allowed to by the license agreement. If
somebody instead of working plays pirated computer games all day long, then it's quite likely that
at some point they will get a virus. ... Besides, viruses would spread much less if the 'innocent
users' did not steal software, and if they worked a bit more at the workplace, instead of playing
games.

With the advent of virus writing kits more people entered into the picture. These were largely the

bored who had too much time on their hands and decided to spend it making and distributing

viruses just for the heck of it. Many of these people could not actually program one if they had to;

they just used the kits and put in different parameters and then sent whatever came out on their

way in the hope of getting their name ("handle" actually -- a person's true name on a virus caused

them great problems) mentioned somewhere.

This sort of activity expanded as the virus and worm and Trojan world expanded and script worms

became common. Indeed, the term "script kiddie " was more or less coined during this time to

indicate someone who would just take an existing script worm, modify a small part of it, and then

release that as a "new" worm.

As spyware and adware started to appear motives started to change. Money started to enter into

the picture.

First came botnets; networks of worms/viruses or Trojans designed to sit on a system and wait for a

central command to do something, maybe crash the system(s) they were installed on. Then, the

botnets evolved; or, at least, their purpose evolved. The botnet creators realized that they could

use the botnets to make the infected computers send out spam. Since spammers would pay to send

out spam money started to enter into the equation. The botnets were sending out messages based

on the infected users computers' stored address lists so the spammers had an automatic source of

valid E-mail addresses and a possible way to get through blacklists because they could put the

infected user's return address on the E-mail and the receiver might very well have that user

whitelisted. So, the spammer got what they wanted and the botnet creators started to get paid.
Once money came into the game, however, so did crime. Trojans were developed to quickly infect

users and then sent out in the spam so the new users would not only get spam but if they

responded they would be infected by the Trojan as well. Scripts and Windows/Internet Explorer

holes made this form of malware even easier to send to and infect others who might not have

updated their computer system recently. The use of social engineering to make these message

appear "real" increased so the clickthroughs increased.

The malware sent evolved as well. Newer malware tended toward collecting information from

systems instead of crashing them or destroying data. This stolen data became even more valuable

to criminals than just the fact that spam was getting through. Identity theft based on the stolen

information increased as the attacks became more targeted.

Some of this malware is designed to target specific banks in specific countries and is quite

professional looking. And, it's not limited to crimes of identity theft for banking purposes; some

malware targets the massively multiplayer on-line games. Why target games? Because once you

steal someone's credentials in such a game you can pretend to be that person and sell virtual items

to other players. The games have become so popular that virtual items are going for large prices (a

virtual space station went for $100,000 if you can believe that). Of course, the person doing the

buying is getting scammed and the person who's credentials have been stolen gets the blame. The

criminal, meanwhile, walks with the money.

Rootkit installation to do the data collection is one of the newer threats and promises to increase

the revenue of the criminal groups behind some of the latest attacks.

Peer-to-peer networking is also a target as that allows massive data to be moved. Criminals need to

do that efficiently and anonymously and that's exactly what P2P networks do.

Summary

• The first malware came from people who basically wanted to push the envelope with the

system at hand.

• Later malware came from so-called script kiddies who took advantage of other people's

work in order to flood cyberspace with their creations.

 • Botnets were created and their potential to raise money brought other elements into the

malware game.

• Eventually, criminal groups started to generate the malware in order to make more money

for their activities and can be expected to continue for the purpose of moving information.

Hardware Threats

Hardware is a common cause of data problems. Power

can fail, electronics age, add-in boards can be installed
wrong, you can mistype, there are accidents of all kinds,
a repair technician can actually cause problems, and
magnets you don't know are there can damage disks.

Hardware problems are all too common. We all know that when a PC or disk gets old, it might start

acting erratically and damage some data before it totally dies. Unfortunately, hardware errors

frequently damage data on even young PCs and disks. Here are some examples.

Power Faults

Your PC is busy writing data to the disk and the lights go out! "Arghhhh!" Is everything OK? Maybe

so, maybe not; it's vital to know for sure if anything was damaged.

Other power problems of a similar nature would include brownouts, voltage spikes, and frequency

shifts. All can cause data problems, particularly if they occur when data is being written to disk

(data in memory generally does not get corrupted by power problems; it just gets erased if the

problems are serious enough).

• Brownout: Lower voltages at electrical outlets. Usually they are caused by an

extraordinary drain on the power system. Frequently you will see a brownout during a heat

wave when more people than normal have air conditioners on full. Sometimes these power
 shortages will be "rolling" across the area giving everyone a temporary brownout. Maybe

you'll get yours just as that important file is being written to disk.

• Voltage Spikes: Temporary voltage increases are fairly common. Large motors or circuit

breakers in industry can put them on the electrical line. Sudden losses (e.g., a driver hits a

power pole) can causes spikes as the circuits balance. An appliance in your home can cause

a spike, particularly with older wiring. Lightning can put large spikes on power lines. And,

the list goes on. In addition to current backups and integrity information for your software

and data files, including a hardware voltage spike protection device between the wall and

your computer hardware (don't forget the printer and monitor) can be very helpful.

• Frequency Shifts: While infrequent, if the line frequency varies from the normal 60 Hertz

(or 50 Hertz in some countries), the power supply on the computer can be affected and

this, in turn, can reflect back into the computer causing data loss.

Solution: Consider a combined surge protector and uninterruptible power supply.

Age

It's not magic; as computers age they tend to fail more often. Electronic components are stressed

over time as they heat up and cool down. Mechanical components simply wear out. Some of these

failures will be dramatic; something will just stop working. Some, however, can be slow and not

obvious. Regrettably, it's not a question of "if", but "when" in regard to equipment failure.

Solution: Keep an eye on the specials after three to five years.

Incompatibilities

You can have hardware problems on a perfectly healthy PC if you have devices installed that do not

properly share interrupts. Sometimes problems are immediately obvious, other times they are

subtle and depend upon certain events to happen at just the wrong time, then suddenly strange

things happen! (Software can do this too!)

Solution: Make a really good backup before installing anything (hardware or software) so you can

revert the system back to a stable state should something crop up.
Finger Faults

(Typos and "OOPS! I didn't mean to do that!")

These are an all too frequent cause of data corruption. This commonly happens when you are

intending to delete or replace one file but actually get another. By using wild cards, you may

experience a really "wild" time. "Hmmm I thought I deleted all the *.BAK files; but they're still here;

something was deleted; what was it? Or was I in the other directory?" Of course if you're a

programmer or if you use sophisticated tools like a sector editor, then your fingers can really get

you into trouble!

Another finger fault problem arises with touchpads below the space bar on notebook computers. It's

very easy to brush the touchpad when you are typing away and suddenly find yourself entering

characters in a screen location very different from where you were before you touched the pad.

Solution: Be careful and look up now and again to make certain your cursor is where you want it.

Malicious or Careless Damage

Someone may accidentally or deliberately delete or change a file on your PC when you're not

around. If you don't keep your PC locked in a safe, then this is a risk. Who knows what was

changed or deleted? Wouldn't it be nice to know if anything changed over the weekend? Most of this

type of damage is done unintentionally by someone you probably know. This person didn't mean to

cause trouble; they simply didn't know what they were doing when they used your PC.

Solution: Never run the computer as an administrative user and have guest accounts available for

others who use the computer. Keep up-to-date backups as well.

Typhoid Mary

One possible source for computer infections is the Customer Engineer (CE), or repairman. When a

CE comes for a service call, they will almost always run a diagnostic program from diskette. It's

very easy for these diskettes to become infected and spread the infection to your computer. Sales

representatives showing demonstrations via floppy disks are also possibly spreading viruses. Always

check your system after other people have placed their floppy disk into it. (Better yet, if you can,

check their disk with up-to-date anti-virus software before anything is run.)
Solution: Insist on testing their disk before use or make certain they've used an up-to-date anti-

virus before coming to your location.

Magnetic Zaps

Computer data is generally stored as a series of magnetic changes on disks. While hard disks are

generally safe from most magnetic threats because they are encased within the computer

compartment, floppy disks are highly vulnerable to magnets. The obvious threat would be to post a

floppy disk to the refrigerator with a magnet; but there are many other, more subtle, threats.

Some of the more subtle sources of magnetism include:

• Computer Monitor. Don't put floppy disks anywhere near the monitor; it generates a

magnetic field.

• Telephone. When ringing, telephones (particularly older phones with a bell) generate a

magnetic field.

• Bottom Desk Drawer. While the desk drawer does not generate a magnetic field, the

vacuum cleaner that the maintenance people slide under the desk to clean the floor does.

• Bottom Bookcase Shelf and File Cabinet Drawer. Same comment as the desk drawer

just above.

• Pets. Pet fur generates a strong electrostatic charge which, if discharged through a disk,

can affect files on the disk. Instead of "The dog ate my homework," today it could just as

easily be: "The cat sat on my homework." (I once had a student where this exact problem

happened; a cat sat on her floppy disk and static wiped out the data on the disk.)

Solution: Stay away from magnets or sources of static of all kinds when working with a computer.

Bottom line: There are tools to assist in recovery from disk problems, but how do you know all the

data is OK? These tools do not always recover good copies of the original files. Active action on your

part before disaster strikes is your best defense. It's best to have a good, current backup and, for

better protection, a complete up-to-date integrity-check map of everything on your disk.

Summary

• There are many different kinds of hardware threats to your data. Some include:

o Power faults

o Age

o Equipment incompatibilities

o Typos

o Accidental or deliberate damage

o The Customer Engineer or friendly salesperson

o Problems with magnets and/or sources of static electricity

• Active action on your part can help you identify problems and, perhaps, head them off

early.

Why Do People Write Viruses?

There are many reasons from simple boredom to

criminal activity for making money.

Back in the dim mists of time, most virus writers were people who just wanted to test the system

and push the envelope. They delighted in finding a way to insert their code into places where others

might not find it and held contests of sorts to see who could do what the fastest during various

conferences.

Another common reason for writing viruses was to "punish" users for some perceived infraction. The

Brain virus, for example, was said to have been written to punish users of illegal copies of software

(software pirates). Users could become legitimate by contacting Brain Computer Services for help.

The early virus writer Dark Avenger, in an interview with Sarah Gordon , put it this way:

The innocent users would be much less affected if they bought all the software they used (and from
an authorized dealer) and if they used it in the way they are allowed to by the license agreement. If
somebody instead of working plays pirated computer games all day long, then it's quite likely that
at some point they will get a virus. ... Besides, viruses would spread much less if the 'innocent
users' did not steal software, and if they worked a bit more at the workplace, instead of playing
games.
With the advent of virus writing kits more people entered into the picture. These were largely the

bored who had too much time on their hands and decided to spend it making and distributing

viruses just for the heck of it. Many of these people could not actually program one if they had to;

they just used the kits and put in different parameters and then sent whatever came out on their

way in the hope of getting their name ("handle" actually -- a person's true name on a virus caused

them great problems) mentioned somewhere.

This sort of activity expanded as the virus and worm and Trojan world expanded and script worms

became common. Indeed, the term "script kiddie " was more or less coined during this time to

indicate someone who would just take an existing script worm, modify a small part of it, and then

release that as a "new" worm.

As spyware and adware started to appear motives started to change. Money started to enter into

the picture.

First came botnets; networks of worms/viruses or Trojans designed to sit on a system and wait for a

central command to do something, maybe crash the system(s) they were installed on. Then, the

botnets evolved; or, at least, their purpose evolved. The botnet creators realized that they could

use the botnets to make the infected computers send out spam. Since spammers would pay to send

out spam money started to enter into the equation. The botnets were sending out messages based

on the infected users computers' stored address lists so the spammers had an automatic source of

valid E-mail addresses and a possible way to get through blacklists because they could put the

infected user's return address on the E-mail and the receiver might very well have that user

whitelisted. So, the spammer got what they wanted and the botnet creators started to get paid.

Once money came into the game, however, so did crime. Trojans were developed to quickly infect

users and then sent out in the spam so the new users would not only get spam but if they

responded they would be infected by the Trojan as well. Scripts and Windows/Internet Explorer

holes made this form of malware even easier to send to and infect others who might not have

updated their computer system recently. The use of social engineering to make these message

appear "real" increased so the clickthroughs increased.

The malware sent evolved as well. Newer malware tended toward collecting information from

systems instead of crashing them or destroying data. This stolen data became even more valuable
to criminals than just the fact that spam was getting through. Identity theft based on the stolen

information increased as the attacks became more targeted.

Some of this malware is designed to target specific banks in specific countries and is quite

professional looking. And, it's not limited to crimes of identity theft for banking purposes; some

malware targets the massively multiplayer on-line games. Why target games? Because once you

steal someone's credentials in such a game you can pretend to be that person and sell virtual items

to other players. The games have become so popular that virtual items are going for large prices (a

virtual space station went for $100,000 if you can believe that). Of course, the person doing the

buying is getting scammed and the person who's credentials have been stolen gets the blame. The

criminal, meanwhile, walks with the money.

Rootkit installation to do the data collection is one of the newer threats and promises to increase

the revenue of the criminal groups behind some of the latest attacks.

Peer-to-peer networking is also a target as that allows massive data to be moved. Criminals need to

do that efficiently and anonymously and that's exactly what P2P networks do.

Summary

• The first malware came from people who basically wanted to push the envelope with the

system at hand.

• Later malware came from so-called script kiddies who took advantage of other people's

work in order to flood cyberspace with their creations.

• Botnets were created and their potential to raise money brought other elements into the

malware game.

• Eventually, criminal groups started to generate the malware in order to make more money

for their activities and can be expected to continue for the purpose of moving information.
 COMPUTER VIRUSES

Computers can do anything: from running spreadsheets, word processors, power stations to
music synthesizers and missile control systems. And because computers can do anything, they
can in particular run viruses and any other nasty software. Of course viruses aren’t the only way
computer systems can go wrong: you can have your computer stolen; you might simply have a
disc crash or some other hardware fault. None of these problems are predictable.
However, viruses are unique in their abilities. They can stop many computers at once: this
would be much more serious for a small company than ‘normal’ faults that affect only one PC at a
time. Thus, viruses rank with hazards like power cuts and fire in their effect and speed of action.
Worse than fire, you may find that you cannot take your work elsewhere, for if you did you
might simply take the virus infection with you and bring more systems down too! Secondly,
viruses can spread disinformation and bring disrepute to individuals or organisations: viruses
may send malicious email apparently on behalf of the person whose computer has been infected.
Normal information management precautions, such as taking backups, can be of considerable
help in avoiding and recovering after virus attacks. (But you may also have backed up your
viruses.)
Definition A computer virus is a piece of program code that attaches copies of itself to other
programs, incorporating itself into them so that the modified programs, while still possibly
performing their intended function, surreptitiously do other things. Programs so corrupted seek
others to which to attach the virus, and so the “infection” spreads. Successful viruses lie low until
they have thoroughly infiltrated the system, and only reveal their presence when they cause
damage. The effect of a virus is rarely traceable back to its originator, so viruses make attractive
weapons for vandals.
Computer viruses generally work by altering files that contain otherwise harmless programs.
This is infection. When an infected program is invoked, it seeks other programs stored in files to
which it has write permission, and infects them by modifying the files to include a copy of itself
(replication) and inserting an instruction to branch to that code at the old program’s starting point.
Then the virus starts up the original program so that the user is unaware of its intervention. (The
exact details vary from virus to virus.)
A virus can spread when information is shared: on a multi-user system with shared disk
facilities, or on a PC where users download programs from bulletin boards, or if they share
floppy disks or other exchangeable media. Email is an common vector, especially when powerful
email programs run arbitrary programs ‘to be helpful’ — but which turn out to be able to run
viruses.
If person A executes one of person B’s programs (or programs embedded in email, etc) that is
infected, A’s programs and files risk becoming infected, since programs that A invokes normally
have permission to alter A’s own files. Even when they never execute one another’s programs,
infection can spread from A to B through an intermediary. In practice, it is hard to guard against
infection in an environment that encourages program (data or email…) sharing. Even in an
isolated personal computer environment, viruses easily spread from one floppy disk to another
once having infiltrated the system.
Many applications interpret their data in some way as programs. Spreadsheets, email
programs, and word processors typically have “macro programs,” such as Visual Basic, to
provide extra functionality. Viruses can therefore infect even the data which is handled by such
applications. Viruses can be spread, then, by users sharing a word processor or spreadsheet file: it
is not necessary to share a ‘program’ as such.
Other Malicious Programs The term “virus” is a popular catch-all for other kinds of malicious
software. A logic bomb or time bomb is a destructive program activated by a certain combination of
circumstances, or on a certain date. A Trojan horse is any bug inserted into a computer program

1
that takes advantage of the trusted status of its host by surreptitiously performing unintended
functions. A worm is a distributed program that invades computers on a network. It consists of
several processes or “segments” that keep in touch through the network; when one is lost (e.g.,
by a server being rebooted), the others conspire to replace it on another server — they search for
an ‘idle’ server, load it with copies of themselves. Like viruses, worms spread by replication;
unlike them, they may run as independent processes rather than as part of a host program.
It is unproductive to be pedantic over the precise terms; the main distinction is that viruses
replicate themselves, and Trojan horses explicitly deceive users. Of course, viruses may include
Trojan components, and often do.
To escape detection, viruses normally reside in compiled programs rather than as readable
source code and thus do not survive recompilation or re-installation of a back-up. Viruses in
scripting languages (e.g., Visual Basic) use encryption for the same reason: to try to conceal their
purpose from casual readers, and indeed from virus detection programs. Just as worms are
destroyed by simultaneously rebooting all affected machines, viruses are eradicated by
simultaneously recompiling all affected programs. However, under special circumstances a bug
can survive recompilation: in a compiler that is written in the language it compiles (a common
bootstrapping practice), it is possible to implant a bug that re-inserts itself into the binary code
whenever the compiler is recompiled. Such a bug need never be visible in source form.
History and Examples In 1962 V. A. Vyssotsky, a researcher at Bell Telephone Laboratories
(New Jersey), devised a game called Darwin, played on an IBM 7090 computer. The object of the
game was survival, for “species” of programs to fight it out in an arena set up in the 7090’s
memory. Successful programs would be able to make more copies of themselves, and perhaps go
on to take over the entire arena. The idea was taken up ten years later (Aleph Null, 1972), and
converted to run on other computers. Within the somewhat arbitrary rules of the game, Doug
McIlroy invented what he called a virus: an unkillable organism that could still fight.
The idea, though, of a maliciously self-propagating computer program originated in Gerrold’s
1972 novel When Harlie Was One, in which a program called telephone numbers at random until it
found other computers into which it could spread. Worms were also presaged in science fiction,
by Brunner’s 1975 novel The Shockwave Rider. The first published report of a worm program, done
in 1982 by Shoch and Hupp as an experiment in distributed computing, included a quotation
from this book.
The idea of self-replication and viral ideas was explored by Douglas Hofstadter (1983), partly
taking up the ideas of Richard Dawkin’s memes: ideas that persist (like genes) because they
replicate (Dawkins, 1976). Hofstadter claimed the ideas of self-reproducing ideas could be traced
back to 1952. The Scientific American published Hofstadter’s articles, but was probably first to
popularise viruses in the computer sense with Dewdney’s series of articles on a game called
corewars (over the period 1984–87). Corewars is a game where players wrote attacking programs,
not unlike today’s viruses in theory, but the programs all ran within corewars rather than
running wild on a PC unrestricted.
The first actual virus program seems to have been created in 1983, as the result of a discussion
in a computer security seminar, and described at the AFIPS Computer Security Conference the
following year.
It is interesting that when Roberto Cerruti and Marco Morocutti read Dewdney’s corewars
articles they thought out how to write a virus for the Apple II computer, and considered
installing a disc at the biggest computer shop in Bresica (Italy) to cause an epidemic in their home
city. They thought that a ‘real’ epidemic had to be malignant, and that after 16 reproductive
cycles they would have the virus reinitialise (erase) discs. Having realised how devious their idea
was they decided not to do it, but instead told the world via Dewdney’s column in the Scientific
American.
Dewdney went on to consider spreading advertising copy by virus: the infected computer
could display irritating messages in commercial breaks! “It’s time you got DISC DOCTOR,
available at a store near you.” The idea of using virus-like mechanisms for information
dissemination was later pursued by Thimbleby and Witten (1990) in a system called Liveware.
In 1984 Ken Thompson, in his Turing Award Lecture, showed how a self-replicating bug can
infest a compiler or other language processor and become completely invisible — an idea
mentioned above.
Real virus attacks were not reported until a few years thereafter, and so far have been more in
the nature of electronic vandalism than serious subversion. One of the first occurred in late 1987

2
when, over a two-month period, a virus quietly insinuated itself into IBM-PC programs at a
Jerusalem university. It was noticed because it caused programs to grow longer (due to a bug, it
repeatedly reinfected files). Once discovered, it was analysed and an antidote devised. It was
designed to slow processors down on certain Fridays, and to erase all files on Friday, 13 May.
At about the same time, another PC virus invaded Lehigh University, and a much-publicised
“chain letter” Christmas message spread itself by self-replication, clogging the Bitnet network.
The latter was eradicated only by a massive network shutdown. Early 1988 saw a relatively
harmless Macintosh virus designed to distribute a “message of peace,” and a number of other
viruses appeared for this and other PCs. By that time talk about viruses had invaded the news
media.
At 9pm on 2 November 1988, a worm program was inserted into the Internet computer
network by Cornell graduate student Robert Morris, Jr. It exploited several security flaws in
systems running Unix to spread itself from system to system. Although discovered within hours,
it required a huge effort (estimated at 5,000 hours and $200,000) by programmers at affected sites
to counteract and eliminate it over a period of weeks. It was unmasked by a bug: under some
circumstances it replicated itself so fast that it seriously slowed down the infected host. On 21
January 1990, Morris was convicted and in May 1990 he was sentenced to three years probation
and fined $10,000. In addition, he was ordered to perform 400 hours of community service.
On 6 March 1992, the Michelangelo virus (so named because 6 March is Michelangelo’s
birthday), although widely heralded as a worldwide threat to computer systems, actually did
little damage.
Viruses now have no distinct identity, but (typically) “mutate” each time they copy
themselves to other files. This, combined with various cryptographic techinques, makes modern
viruses difficult to detect. Some viruses have “stealth” code, and behave differently when a user
attempts to detect them. False alarms have become an increasing problem, particularly with users
sending “chain email” warning about supposed virus problems; ironically, the panic may cause
more problems than the viruses it warns about!
Email has become a popular way to distribute viruses, because powerful commercial email
packages (e.g., Microsoft Outlook) are themselves programmable — and users often configure
email systems to ‘helpfully’ run programs automatically! If it doesn’t happen automatically, the
virus mail typically tricks the user into running its program, which then reads the user’s email
address list and mails out further copies of itself to the user’s contacts. Once installed, the payload
part of the virus may do nasty or innocuous things, depending on the whim of the virus writer,
such as deleting files on a specific date.
Viruses are not difficult to develop, and many ‘virus construction kits’ are readily available on
the internet. Many viruses are simple variants of others, indicating that virus writers are often
unimaginative — but no less dangerous for that.
Computer viruses and real viruses Despite their similarities, computer viruses do not behave
like biological viruses. For example, Koch’s Postulates (which apply to biological agents; cf.
Thimbleby, Anderson & Cairns, 1999) are irrelevant. Computer viruses are purely conceptual,
and indeed the equivalent of computer viruses for the human mind — as opposed to digital
computers — are called memes. Memes are potentially either good or bad, but for any supposedly
‘good’ computer virus there is always a far better way of achieving the same ends without using
a virus (and without the risk of giving a vandal a virus model to copy and subvert).
Computer viruses have stimulated the research field of “artificial life,” the study of what non-
carbon based life might be like, and of course mostly life as simulated on computer. In contrast to
viruses, which are destructive, artificial life has a positive outlook! See Thimbleby, Witten and
Pullinger (1995) for a review of the differences, which are beyond the scope of these notes.
Defences The obvious, but generally impractical, defence against viruses is never to use
anyone else’s software and never to connect with anyone else’s computer — assuming you could
guarantee that the computer never had an infection to start with. One can achieve this using
cryptographic techniques. Another defence is to implement a check in the operating system that
queries users whenever a program they have invoked attempts to write to disk. In practice,
however, this imposes an intolerable burden because users do not generally know what files their
software does legitimately. Given a particular virus, one can write an antibody program that
spreads itself in the same way, removing the original virus from infected programs, and
ultimately removing itself too. However, this approach cannot protect against viruses in general,
since it is not possible to tell whether a particular piece of code is a virus or not — worse, some

3
such antibodies have been ‘hijacked’ by virus writers and been turned to be destructive. There is
at least one example of a virus writer (belatedly) releasing anti viral software to detect his own
virus: Vaxene was an anonymous program to detect Scores infections (which it did not do very
well) but it claims to have been written by the Scores author.
Digital signatures can help prevent the corruption of files. Each file as it is written is sealed by
attaching an encrypted checksum. Also, before it is used, the checksum is decrypted and checked
against the file’s actual checksum. Such a scheme may engender unacceptable overhead,
however, in the logicistics of handling encryption keys. Moreover, it also assumes that the file is
not infected before it is signed, and that the checking system itself has not been compromised (e.g.,
by a Trojan horse).
A practical approach is to regularly (or continuously) run programs that recognise (enough)
viruses, and which try to eliminate virus infections before they do too much damage. Because
new viruses are being devised every day, it is important to keep detection programs up to date
(e.g., by regular subscription from a reputable company), and to minimise risky procedures (e.g.,
sharing information as infrequently as possible).
All approaches are trade-offs. The only real hope is eternal vigilance on the part of users, and,
above all, education of users to the possible consequences of their actions.
Theoretical problems The basic problem of detecting a virus (or Trojan) is that there are an
infinite number of ways of getting a computer to do anything. Consider printing the number 5.
You could ask the computer to print 5, or 4+1, or 3+2, or 100–95, or 10sin(π/6). Only the first few
of these alternatives is readily recognisable as printing 5; and, as the last example shows, you can
make recognition that the program prints 5 as difficult as you wish.
So, even supposing that there was exactly one sort of virus, there would still be an infinite
number of ways of doing the same nasty work — and most of those ways would be
unrecognisable. In fact, there are an infinite number of ways in which viruses might work, and
each of these ways can itself be expressed in an infinite number of ways. Actual viruses don’t
really take advantage of the infinite possibilities, and in fact it would not be possible to do so!
Advice Be very careful opening unsolicited email with attachments, especially if you are using
Microsoft Outlook or similar programmable products. Never download software from web sites
unless you have antivirus software to check it. Your organisation should have policies,
including the following points:
Have ʻfire drillsʼ
If your organisational rules permit it, run ‘fire drills’ where you simulate the impact of a virus
(or other computer problems).
Awareness
Just as you wouldn’t share food (goodness knows what diseases you might catch!) with
someone you don’t know very well, don’t share programs (files, emails…). Just as you wouldn’t
eat food you found lying on the ground, don’t run any old program that comes your way.
Disable all automatic programs, such as automatically running email attachments. And so on!
Remember: computer viruses work very much like real viruses.
Use more than one hardware platform
If you have the resources, one of the best protections against total disaster is to use several
different sorts of computer (for instance, PCs and Macintoshes). In many cases you will be able to
run compatible software on a range of equipment (if your software is so good then it should be
available on many machines). Very few viruses can migrate from one machine type to another,
though some viruses embedded in (for example) spreadsheet files may be able to if you are
running the same spreadsheet package on different systems.

4
 A virus reproduces, usually without your permission or
knowledge. In general terms they have an infection phase
where they reproduce widely and an attack phase where
they do whatever damage they are programmed to do (if
any). There are a large number of virus types.

Viruses are a cause of much confusion and a target of considerable misinformation even from some

virus experts. Let's define what we mean by virus:

A virus is a program that reproduces its own code by

attaching itself to other executable files in such a way
that the virus code is executed when the infected
executable file is executed.

You could probably also say that the virus must do this without the permission or knowledge of the

user, but that's not a vital distinction for purposes of our discussion here. We are using a broad

definition of "executable file" and "attach" here.

An obvious example of an executable file would be a program (COM or EXE file) or an overlay or

library file used by an EXE file. Less obvious, but just as critical, would be the macro portion of what

you might generally consider to be a data file (e.g., a Microsoft Word document). It's important to

also realize that the system sectors on either a hard or floppy disk contain executable code that can

be infected--even those on a data disk. More recently, scripts written for Internet Web sites and/or

included in E-mail can also be executed and infected.

To attach might mean physically adding to the end of a file, inserting into the middle of a file, or

simply placing a pointer to a different location on the disk somewhere where the virus can find it.

Most viruses do their job by placing self-replicating code in other programs, so that when those

other programs are executed, even more programs are infected with the self-replicating code. This

self-replicating code, when triggered by some event, may do a potentially harmful act to your

computer.
Another way of looking at viruses is to consider them to be programs written to create copies of

themselves. These programs attach these copies onto host programs (infecting these programs).

When one of these hosts is executed, the virus code (which was attached to the host) executes, and

links copies of itself to even more hosts.

Similar to viruses, you can also find malicious code in Trojan Horses, worms, and logic bombs. Often

the characteristics of both a virus and a worm can be found in the same beast; confusing the issue

even further.

Note: The balance between viruses, worms, and Trojan Horses changes from time to time. In the

early days of such malware viruses tended to dominate. Various macro viruses/worms appeared

later as the dominate form and by around 2005 or so Trojan Horses started to be more prominent

and by early 2008 they were, by far, the dominant malware.

Before looking at specific virus types you might also want to consider the following general

discussions:

Virus Behavior

Virus writers have to balance how and when their viruses

infect against the possibility of being detected. Therefore,
the spread of an infection may not be immediate.

Viruses need time to infect. Not all viruses attack, but all use system resources and often have

bugs.

Viruses come in a great many different forms, but they all potentially have two phases to their

execution, the infection phase and the attack phase.

Infection Phase

When the virus executes it has the potential to infect other programs. What's often not clearly

understood is precisely when it will infect the other programs. Some viruses infect other programs

each time they are executed; other viruses infect only upon a certain trigger. This trigger could be
anything; a day or time, an external event on your PC, a counter within the virus, etc. Virus writers

want their programs to spread as far as possible before anyone notices them.

It is a serious mistake to execute a program a few times - find nothing infected and presume there

are no viruses in the program. You can never be sure the virus simply hasn't yet triggered its

infection phase.

Many viruses go resident in the memory of your PC in the same or similar way as terminate and

stay resident (TSR) programs. (For those not old enough to remember TSRs, they were programs

that executed under DOS but stayed in memory instead of ending.) This means the virus can wait

for some external event before it infects additional programs. The virus may silently lurk in memory

waiting for you to access a diskette, copy a file, or execute a program, before it infects anything.

This makes viruses more difficult to analyze since it's hard to guess what trigger condition they use

for their infection.

On older systems, standard (640K) memory is not the only memory vulnerable to viruses. It is

possible to construct a virus which will locate itself in upper memory (the space between 640K and

1M) or in the High Memory Area (the small space between 1024K and 1088K). And, under Windows,

a virus can effectively reside in any part of memory.

Resident viruses frequently take over portions of the system software on the PC to hide their

existence. This technique is called stealth. Polymorphic techniques also help viruses to infect yet

avoid detection.

Note that worms often take the opposite approach and spread as fast as possible. While this makes

their detection virtually certain, it also has the effect of bringing down networks and denying

access; one of the goals of many worms.

Attack Phase

Many viruses do unpleasant things such as deleting files or changing random data on your disk,

simulating typos or merely slowing your PC down; some viruses do less harmful things such as

playing music or creating messages or animation on your screen. Just as the infection phase can be

triggered by some event, the attack phase also has its own trigger.
Does this mean a virus without an attack phase is benign? No. Many viruses have bugs in them and

these bugs often cause unintended negative side effects. In addition, even if the virus is perfect, it

still steals system resources. (Also, see the "good" virus discussion.)

Viruses often delay revealing their presence by launching their attack only after they have had

ample opportunity to spread. This means the attack could be delayed for days, weeks, months, or

even years after the initial infection.

The attack phase is optional, many viruses simply reproduce and have no trigger for an attack

phase. Does this mean that these are "good" viruses? No! Anything that writes itself to your disk

without your permission is stealing storage and CPU cycles. (Also see the "good" virus discussion.)

This is made worse since viruses that "just infect," with no attack phase, often damage the

programs or disks they infect. This is not an intentional act of the virus, but simply a result of the

fact that many viruses contain extremely poor quality code.

An an example, one of the most common past viruses, Stoned, is not intentionally harmful.

Unfortunately, the author did not anticipate the use of anything other than 360K floppy disks. The

original virus tried to hide its own code in an area of 1.2MB diskettes that resulted in corruption of

the entire diskette (this bug was fixed in later versions of the virus).

Number of Viruses

There were over 50,000 computer viruses in 2000 and

that number was then and still is growing rapidly.
Sophos, in a print ad in June 2005 claims "over 103,000
viruses." And, Symantec, in April 2008 is reported to
have claimed the number is over one million.
Fortunately, only a small percentage of these are
circulating widely.
There are more MS-DOS/Windows viruses than all other types of viruses combined (by a large

margin). Estimates of exactly how many there are vary widely and the number is constantly

growing.

In 1990, estimates ranged from 200 to 500; then in 1991 estimates ranged from 600 to 1,000

different viruses. In late 1992, estimates were ranging from 1,000 to 2,300 viruses. In mid-1994,

the numbers vary from 4,500 to over 7,500 viruses. In 1996 the number climbed over 10,000.

1998 saw 20,000 and 2000 topped 50,000. It's easy to say there are more now. Indeed, in April

2008, the BBC reported that Symantec now claims "that the security firm's anti-virus programs

detect to 1,122,311" viruses and that "almost two thirds of all malicious code threats currently

detected were created during 2007."

The confusion exists partly because it's difficult to agree on how to count viruses. New viruses

frequently arise from someone taking an existing virus that does something like put a message out

on your screen saying: "Your PC is now stoned" and changing it to say something like "Donald Duck

is a lie!". Is this a new virus? Most experts say yes. But, this is a trivial change that can be done in

less than two minutes resulting in yet another "new" virus.

More confusion arises with some companies counting viruses+worms+Trojans as a unit and some

not.

Another problem comes from viruses that try to conceal themselves from scanners by mutating. In

other words, every time the virus infects another file, it will try to use a different version of itself.

These viruses are known as polymorphic viruses.

One example, the Whale (an early, huge, clumsy 10,000 byte virus), creates 33 different versions

of itself when it infects files. At least one vendor counted this as 33 different viruses on their list.

Many of the large number of viruses known to exist have not been detected in the wild but probably

exist only in someone's virus collection.

David M. Chess of IBM's High Integrity Computing Laboratory reported in the November 1991 Virus

Bulletin that "about 30 different viruses and variants account for nearly all of the actual infections

that we see in day-to-day operation." In late 2007, about 580 different viruses, worms, and Trojans
(and some of these are members of a single family) account for all the virus-related malware that

actually spread in the wild. To keep track visit the Wildlist , a list which reports virus sightings.

How can there be so few viruses active when some experts report such high numbers? This is

probably because most viruses are poorly written and cannot spread at all or cannot spread without

betraying their presence. Although the actual number of viruses will probably continue to be hotly

debated, what is clear is that the total number of viruses is increasing, although the active viruses

not quite as rapidly as the numbers might suggest.

Summary

• By number, there are well over 100,000 known computer viruses.

• Only a small percentage of this total number account for those viruses found in the wild,

however. Most exist only in collections.

A virus' name is generally assigned by the first

researcher to encounter the beast. The problem is that
multiple researchers may encounter a new virus in
parallel which often results in multiple names.

What's in a name? When it comes to viruses it's a matter of identification to the general public. An

anti-virus program does not really need the name of a virus as it identifies it by its characteristics.

But, while giving a virus a name helps the public at large it also serves to confuse them since the

names given to a particular beast can differ from anti-virus maker to anti-virus maker.

How? Why? Much as they would like to, the virus writers do not get to name their beasts. Some

have tried by putting obvious text into the virus but most of the anti-virus companies tend to ignore

such text (mostly to spite the virus writers ). And, any virus writer that insists on a particular

name has to identify themselves in the process--something they usually don't want to do. So, the

anti-virus companies control the virus naming process. But, that leads to the naming problem.

Viruses come into various anti-virus companies around the world at various times and by various

means. Each company analyzes the virus and assigns a name to it for tracking purposes. While
there is cooperation between companies when new viruses are identified, that cooperation often

takes a back seat to getting a product update out the door so the anti-virus company's customers

are protected. This delay allows alternate names to enter the market. Over time these are often

standardized or, at least, cross-referenced in listings; but that does not help when the beast makes

its first appearance.

This problem/confusion will continue. One practical and well documented example of how it affects a

real-world virus listing can be seen at the WildList site on the page...

http://www.wildlist.org/naming.htm

One attempt at bringing some order to the naming problem is Ian Whalley's VGrep [registration

required to view page]. VGrep attempts to collect all of the various virus names and then correlates

them into a single searchable list. While useful, there is, again, the lag time necessary to collect and

correlate the data.

So, get used to viruses having different names. As Shakespeare said...

What's in a name? That which we call a rose

By any other name would smell as sweet...

Another attempt is the database at VirusPool which "...tries to put information from all known

infections and antivirus creators into one place so you can compare names and results." I wish them

the best of luck.

A new site to try to correlate malware names: CME - Common Malware Enumeration. CME

provides single, common identifiers to new virus threats to reduce public confusion during malware

outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses

and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing

capability for malware.

Finally, some vendors have largely given up with naming specific malware and resorting to generic

names for the type of malware (e.g., Troj/Agent). The malware is being generated faster than the

naming system can reasonably keep up. Look for this to probably continue. Of course, this will then

mean changes to the specific methods of disinfection as you would no longer be able to download a

specific disinfector for a named beast. Time will tell how this develops.
Summary

• Virus naming is a function of the anti-virus companies. This results in different names for

new viruses.

• Different names can cause confusion for the public but not anti-virus software which looks

at the virus, not its "name."

How Serious are Viruses?

While serious if you have one, viruses are only one way
your data can be damaged. You must be prepared for all
threats; many of which are more likely to strike than
viruses.

It's important to keep viruses in perspective. There are many other threats to your programs and

data that are much more likely to harm you than viruses. A well known anti-virus researcher once

said that you have more to fear from a cup of coffee (which may spill) than from viruses. While the

growth in number of viruses, the introduction of the Microsoft Word macro viruses, VisualBasic

Script worms, and socially-engineered Trojans now puts this statement into question (even though

you can avoid these by just not clicking on them to open them!), it's still clear that there are many

dangerous occurrences of data corruption from causes other than from viruses.

So, does this mean that viruses are nothing to worry about? Emphatically, no! It just means that

it's foolish to spend much money and time on addressing the threat of viruses if you've done

nothing about the other more likely threats to your files. Because viruses and worms are

deliberately written to invade and possibly damage your PC, they are the most difficult threat to

guard against. It's pretty easy to understand the threat that disk failure represents and what to do

about it (although surprisingly few people even address this threat). The threat of viruses is really

no different; lost concentration or a zero-day attack can give you the same kind of problem a lost

hard drive can. There are no "cures" for the virus problem. One just has to take protective steps

with anti-virus software and use common sense when dealing with unknown files and Web links.
Summary

• While viruses are a serious threat, there are other, probably more serious, threats to your

data.

• If you have not taken precautions (e.g., regular backup) against general threats you have

not properly protected your computer.

Are There Good Viruses?

The general consensus is that there are none.

By definition, viruses do not have to do something bad. An early (and current) virus researcher,

Fred Cohen, has argued that good computer viruses are a serious possibility. In fact, he has offered

a reward of $1,000 for the first clearly useful virus; but, he hasn't paid yet.

Most researchers, however, take the other side and argue that the use of self-replicating programs

are never necessary; the task that needs to be performed can just as easily be done without the

replication function.

Vesselin Bontchev has written a paper originally delivered at the 1994 EICAR conference, titled Are

"Good" Computer Viruses Still a Bad Idea?. The paper covers all aspects of the topic. As of this

writing, the paper is available at:

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

Lest you think others have not been thinking about this, here are some of the proposals (from the

above-referenced paper) for a good virus that have not worked out:

• The "Anti-Virus" Virus. Several people have had the idea to develop an "anti-virus" virus;

a virus which would be able to locate other (presumably malicious) computer viruses and

remove them.

• The "File Compressor" Virus. This is one of the oldest ideas for "beneficial" viruses. The

idea consists of creating a self-replicating program, which will compress the files it infects,

before attaching itself to them.

 • The "Disk Encryptor" Virus. This virus has been published. The idea is to write a boot

sector virus, which encrypts the disks it infects with a strong encryption algorithm (IDEA in

this particular case) and a user-supplied password to ensure the privacy of the user's data.

• The "Maintenance" Virus. The idea consists of a self-contained program, which spawns

copies of itself across the different machines in a network (thus acting more like a worm)

and performing some maintenance tasks on those machines (like deleting temporary files).

All of the above viruses fail one or more of the standard measures typically used to judge if a virus

is "good" or not. These are (again, from the above-referenced paper):

• Technical Reasons

o Lack of Control. Once released, the person who has released a computer virus

has no control on how this virus will spread.

o Recognition Difficulty. In general it is not always possible to distinguish between

a virus and a non-virus program. There is no reason to think that distinguishing

between "good" and "bad" viruses will be much easier. Many people are relying on

generic anti-virus defenses (e.g., activity monitoring and/or integrity checking)

which will trigger a response to changes.

o Resource Wasting. A computer virus eats up disk space, CPU time, and memory

resources during its replication.

o Bug Containment. A computer virus can easily escape a controlled environment.

o Compatibility Problems. A computer virus that attaches itself to user programs

would disable several programs on the market that perform a checksum on

themselves at runtime.

• Ethical and Legal Reasons

o Unauthorized Data Modification. It is usually considered unethical to modify

other people's data without their authorization. In many countries this is also

illegal.
 o Copyright and Ownership Problems. In many cases, modifying a particular

program could mean that copyright, ownership, or at least technical support rights

for this program are voided.

o Possible Misuse. An attacker could use a "good" virus as a means of

transportation to penetrate a system.

o Responsibility. Declaring some viruses as "good" and "beneficial" would just

provide an excuse to the crowd of irresponsible virus writers to condone their

activities and to claim that they are actually doing some kind of "research."

• Psychological Reasons

o Trust Problems. Users like to think that they have full control on what is

happening in their machine.

o Negative Common Meaning. For most people, the word "computer virus" is

already loaded with negative meaning.

Summary

• While frequently discussed, the general consensus is that there is no task that requires a

virus.

Why Do People Write Viruses?

There are many reasons from simple boredom to

criminal activity for making money.

Back in the dim mists of time, most virus writers were people who just wanted to test the system

and push the envelope. They delighted in finding a way to insert their code into places where others

might not find it and held contests of sorts to see who could do what the fastest during various

conferences.
Another common reason for writing viruses was to "punish" users for some perceived infraction. The

Brain virus, for example, was said to have been written to punish users of illegal copies of software

(software pirates). Users could become legitimate by contacting Brain Computer Services for help.

The early virus writer Dark Avenger, in an interview with Sarah Gordon , put it this way:

The innocent users would be much less affected if they bought all the software they used (and from
an authorized dealer) and if they used it in the way they are allowed to by the license agreement. If
somebody instead of working plays pirated computer games all day long, then it's quite likely that
at some point they will get a virus. ... Besides, viruses would spread much less if the 'innocent
users' did not steal software, and if they worked a bit more at the workplace, instead of playing
games.

With the advent of virus writing kits more people entered into the picture. These were largely the

bored who had too much time on their hands and decided to spend it making and distributing

viruses just for the heck of it. Many of these people could not actually program one if they had to;

they just used the kits and put in different parameters and then sent whatever came out on their

way in the hope of getting their name ("handle" actually -- a person's true name on a virus caused

them great problems) mentioned somewhere.

This sort of activity expanded as the virus and worm and Trojan world expanded and script worms

became common. Indeed, the term "script kiddie " was more or less coined during this time to

indicate someone who would just take an existing script worm, modify a small part of it, and then

release that as a "new" worm.

As spyware and adware started to appear motives started to change. Money started to enter into

the picture.

First came botnets; networks of worms/viruses or Trojans designed to sit on a system and wait for a

central command to do something, maybe crash the system(s) they were installed on. Then, the

botnets evolved; or, at least, their purpose evolved. The botnet creators realized that they could

use the botnets to make the infected computers send out spam. Since spammers would pay to send

out spam money started to enter into the equation. The botnets were sending out messages based

on the infected users computers' stored address lists so the spammers had an automatic source of

valid E-mail addresses and a possible way to get through blacklists because they could put the

infected user's return address on the E-mail and the receiver might very well have that user

whitelisted. So, the spammer got what they wanted and the botnet creators started to get paid.
Once money came into the game, however, so did crime. Trojans were developed to quickly infect

users and then sent out in the spam so the new users would not only get spam but if they

responded they would be infected by the Trojan as well. Scripts and Windows/Internet Explorer

holes made this form of malware even easier to send to and infect others who might not have

updated their computer system recently. The use of social engineering to make these message

appear "real" increased so the clickthroughs increased.

The malware sent evolved as well. Newer malware tended toward collecting information from

systems instead of crashing them or destroying data. This stolen data became even more valuable

to criminals than just the fact that spam was getting through. Identity theft based on the stolen

information increased as the attacks became more targeted.

Some of this malware is designed to target specific banks in specific countries and is quite

professional looking. And, it's not limited to crimes of identity theft for banking purposes; some

malware targets the massively multiplayer on-line games. Why target games? Because once you

steal someone's credentials in such a game you can pretend to be that person and sell virtual items

to other players. The games have become so popular that virtual items are going for large prices (a

virtual space station went for $100,000 if you can believe that). Of course, the person doing the

buying is getting scammed and the person who's credentials have been stolen gets the blame. The

criminal, meanwhile, walks with the money.

Rootkit installation to do the data collection is one of the newer threats and promises to increase

the revenue of the criminal groups behind some of the latest attacks.

Peer-to-peer networking is also a target as that allows massive data to be moved. Criminals need to

do that efficiently and anonymously and that's exactly what P2P networks do.

Summary

• The first malware came from people who basically wanted to push the envelope with the

system at hand.

• Later malware came from so-called script kiddies who took advantage of other people's

work in order to flood cyberspace with their creations.

 • Botnets were created and their potential to raise money brought other elements into the

malware game.

• Eventually, criminal groups started to generate the malware in order to make more money

for their activities and can be expected to continue for the purpose of moving information.

Hardware Threats

Hardware is a common cause of data problems. Power

can fail, electronics age, add-in boards can be installed
wrong, you can mistype, there are accidents of all kinds,
a repair technician can actually cause problems, and
magnets you don't know are there can damage disks.

Hardware problems are all too common. We all know that when a PC or disk gets old, it might start

acting erratically and damage some data before it totally dies. Unfortunately, hardware errors

frequently damage data on even young PCs and disks. Here are some examples.

Power Faults

Your PC is busy writing data to the disk and the lights go out! "Arghhhh!" Is everything OK? Maybe

so, maybe not; it's vital to know for sure if anything was damaged.

Other power problems of a similar nature would include brownouts, voltage spikes, and frequency

shifts. All can cause data problems, particularly if they occur when data is being written to disk

(data in memory generally does not get corrupted by power problems; it just gets erased if the

problems are serious enough).

• Brownout: Lower voltages at electrical outlets. Usually they are caused by an

extraordinary drain on the power system. Frequently you will see a brownout during a heat

wave when more people than normal have air conditioners on full. Sometimes these power
 shortages will be "rolling" across the area giving everyone a temporary brownout. Maybe

you'll get yours just as that important file is being written to disk.

• Voltage Spikes: Temporary voltage increases are fairly common. Large motors or circuit

breakers in industry can put them on the electrical line. Sudden losses (e.g., a driver hits a

power pole) can causes spikes as the circuits balance. An appliance in your home can cause

a spike, particularly with older wiring. Lightning can put large spikes on power lines. And,

the list goes on. In addition to current backups and integrity information for your software

and data files, including a hardware voltage spike protection device between the wall and

your computer hardware (don't forget the printer and monitor) can be very helpful.

• Frequency Shifts: While infrequent, if the line frequency varies from the normal 60 Hertz

(or 50 Hertz in some countries), the power supply on the computer can be affected and

this, in turn, can reflect back into the computer causing data loss.

Solution: Consider a combined surge protector and uninterruptible power supply.

Age

It's not magic; as computers age they tend to fail more often. Electronic components are stressed

over time as they heat up and cool down. Mechanical components simply wear out. Some of these

failures will be dramatic; something will just stop working. Some, however, can be slow and not

obvious. Regrettably, it's not a question of "if", but "when" in regard to equipment failure.

Solution: Keep an eye on the specials after three to five years.

Incompatibilities

You can have hardware problems on a perfectly healthy PC if you have devices installed that do not

properly share interrupts. Sometimes problems are immediately obvious, other times they are

subtle and depend upon certain events to happen at just the wrong time, then suddenly strange

things happen! (Software can do this too!)

Solution: Make a really good backup before installing anything (hardware or software) so you can

revert the system back to a stable state should something crop up.
Finger Faults

(Typos and "OOPS! I didn't mean to do that!")

These are an all too frequent cause of data corruption. This commonly happens when you are

intending to delete or replace one file but actually get another. By using wild cards, you may

experience a really "wild" time. "Hmmm I thought I deleted all the *.BAK files; but they're still here;

something was deleted; what was it? Or was I in the other directory?" Of course if you're a

programmer or if you use sophisticated tools like a sector editor, then your fingers can really get

you into trouble!

Another finger fault problem arises with touchpads below the space bar on notebook computers. It's

very easy to brush the touchpad when you are typing away and suddenly find yourself entering

characters in a screen location very different from where you were before you touched the pad.

Solution: Be careful and look up now and again to make certain your cursor is where you want it.

Malicious or Careless Damage

Someone may accidentally or deliberately delete or change a file on your PC when you're not

around. If you don't keep your PC locked in a safe, then this is a risk. Who knows what was

changed or deleted? Wouldn't it be nice to know if anything changed over the weekend? Most of this

type of damage is done unintentionally by someone you probably know. This person didn't mean to

cause trouble; they simply didn't know what they were doing when they used your PC.

Solution: Never run the computer as an administrative user and have guest accounts available for

others who use the computer. Keep up-to-date backups as well.

Typhoid Mary

One possible source for computer infections is the Customer Engineer (CE), or repairman. When a

CE comes for a service call, they will almost always run a diagnostic program from diskette. It's

very easy for these diskettes to become infected and spread the infection to your computer. Sales

representatives showing demonstrations via floppy disks are also possibly spreading viruses. Always

check your system after other people have placed their floppy disk into it. (Better yet, if you can,

check their disk with up-to-date anti-virus software before anything is run.)
Solution: Insist on testing their disk before use or make certain they've used an up-to-date anti-

virus before coming to your location.

Magnetic Zaps

Computer data is generally stored as a series of magnetic changes on disks. While hard disks are

generally safe from most magnetic threats because they are encased within the computer

compartment, floppy disks are highly vulnerable to magnets. The obvious threat would be to post a

floppy disk to the refrigerator with a magnet; but there are many other, more subtle, threats.

Some of the more subtle sources of magnetism include:

• Computer Monitor. Don't put floppy disks anywhere near the monitor; it generates a

magnetic field.

• Telephone. When ringing, telephones (particularly older phones with a bell) generate a

magnetic field.

• Bottom Desk Drawer. While the desk drawer does not generate a magnetic field, the

vacuum cleaner that the maintenance people slide under the desk to clean the floor does.

• Bottom Bookcase Shelf and File Cabinet Drawer. Same comment as the desk drawer

just above.

• Pets. Pet fur generates a strong electrostatic charge which, if discharged through a disk,

can affect files on the disk. Instead of "The dog ate my homework," today it could just as

easily be: "The cat sat on my homework." (I once had a student where this exact problem

happened; a cat sat on her floppy disk and static wiped out the data on the disk.)

Solution: Stay away from magnets or sources of static of all kinds when working with a computer.

Bottom line: There are tools to assist in recovery from disk problems, but how do you know all the

data is OK? These tools do not always recover good copies of the original files. Active action on your

part before disaster strikes is your best defense. It's best to have a good, current backup and, for

better protection, a complete up-to-date integrity-check map of everything on your disk.

Summary

• There are many different kinds of hardware threats to your data. Some include:

o Power faults

o Age

o Equipment incompatibilities

o Typos

o Accidental or deliberate damage

o The Customer Engineer or friendly salesperson

o Problems with magnets and/or sources of static electricity

• Active action on your part can help you identify problems and, perhaps, head them off

early.

Why Do People Write Viruses?

There are many reasons from simple boredom to

criminal activity for making money.

Back in the dim mists of time, most virus writers were people who just wanted to test the system

and push the envelope. They delighted in finding a way to insert their code into places where others

might not find it and held contests of sorts to see who could do what the fastest during various

conferences.

Another common reason for writing viruses was to "punish" users for some perceived infraction. The

Brain virus, for example, was said to have been written to punish users of illegal copies of software

(software pirates). Users could become legitimate by contacting Brain Computer Services for help.

The early virus writer Dark Avenger, in an interview with Sarah Gordon , put it this way:

The innocent users would be much less affected if they bought all the software they used (and from
an authorized dealer) and if they used it in the way they are allowed to by the license agreement. If
somebody instead of working plays pirated computer games all day long, then it's quite likely that
at some point they will get a virus. ... Besides, viruses would spread much less if the 'innocent
users' did not steal software, and if they worked a bit more at the workplace, instead of playing
games.
With the advent of virus writing kits more people entered into the picture. These were largely the

bored who had too much time on their hands and decided to spend it making and distributing

viruses just for the heck of it. Many of these people could not actually program one if they had to;

they just used the kits and put in different parameters and then sent whatever came out on their

way in the hope of getting their name ("handle" actually -- a person's true name on a virus caused

them great problems) mentioned somewhere.

This sort of activity expanded as the virus and worm and Trojan world expanded and script worms

became common. Indeed, the term "script kiddie " was more or less coined during this time to

indicate someone who would just take an existing script worm, modify a small part of it, and then

release that as a "new" worm.

As spyware and adware started to appear motives started to change. Money started to enter into

the picture.

First came botnets; networks of worms/viruses or Trojans designed to sit on a system and wait for a

central command to do something, maybe crash the system(s) they were installed on. Then, the

botnets evolved; or, at least, their purpose evolved. The botnet creators realized that they could

use the botnets to make the infected computers send out spam. Since spammers would pay to send

out spam money started to enter into the equation. The botnets were sending out messages based

on the infected users computers' stored address lists so the spammers had an automatic source of

valid E-mail addresses and a possible way to get through blacklists because they could put the

infected user's return address on the E-mail and the receiver might very well have that user

whitelisted. So, the spammer got what they wanted and the botnet creators started to get paid.

Once money came into the game, however, so did crime. Trojans were developed to quickly infect

users and then sent out in the spam so the new users would not only get spam but if they

responded they would be infected by the Trojan as well. Scripts and Windows/Internet Explorer

holes made this form of malware even easier to send to and infect others who might not have

updated their computer system recently. The use of social engineering to make these message

appear "real" increased so the clickthroughs increased.

The malware sent evolved as well. Newer malware tended toward collecting information from

systems instead of crashing them or destroying data. This stolen data became even more valuable
to criminals than just the fact that spam was getting through. Identity theft based on the stolen

information increased as the attacks became more targeted.

Some of this malware is designed to target specific banks in specific countries and is quite

professional looking. And, it's not limited to crimes of identity theft for banking purposes; some

malware targets the massively multiplayer on-line games. Why target games? Because once you

steal someone's credentials in such a game you can pretend to be that person and sell virtual items

to other players. The games have become so popular that virtual items are going for large prices (a

virtual space station went for $100,000 if you can believe that). Of course, the person doing the

buying is getting scammed and the person who's credentials have been stolen gets the blame. The

criminal, meanwhile, walks with the money.

Rootkit installation to do the data collection is one of the newer threats and promises to increase

the revenue of the criminal groups behind some of the latest attacks.

Peer-to-peer networking is also a target as that allows massive data to be moved. Criminals need to

do that efficiently and anonymously and that's exactly what P2P networks do.

Summary

• The first malware came from people who basically wanted to push the envelope with the

system at hand.

• Later malware came from so-called script kiddies who took advantage of other people's

work in order to flood cyberspace with their creations.

• Botnets were created and their potential to raise money brought other elements into the

malware game.

• Eventually, criminal groups started to generate the malware in order to make more money

for their activities and can be expected to continue for the purpose of moving information.