What are viruses, worms and trojans, and the importance of using
up-to-date virus scanning software.

For quick definitions of the following:
What does Virus Scanning Software do?
Why Scan for Viruses?
ActiveX controls and Java classes
Boot sector virus
File-infecting virus
Macro virus
Worms
Multi-partite virus
Script virus
Trojan horse program
Encrypted code signatures
Mutating code signatures
Polymorphic code signatures
Stealth techniques
The term "computer
virus" identifies a broad range of software that really has only
one feature in common: it "reproduces" itself automatically
by attaching to host software or disk sectors on your computer, usually
without your knowledge. Viruses range widely in their effects, but most
viruses cause relatively trivial problems, from the merely annoying to
the downright insignificant. Often, the primary consequence of a virus
infection is the cost you incur in time and effort to track down the source
of the infection and eradicate all of its traces.
Also, viruses are sneaky. Accidentally leaving a floppy disk in your drive
as you start your computer could load a virus into memory before the VShield
scanner, particularly if you do not have the scanner configured to scan
floppy disks. Once in memory, a virus can infect nearly any program, including
the VShield scanner.
Broadly speaking,
viruses fall into two general categories:
"boot sector" and "file-infecting"
viruses. Boot viruses dwell in the boot sector of the hard or floppy disk
that carries them. These execute as your computer starts or whenever your
computer reads information from an infected floppy disk. Once they copy
themselves into your computer's memory, they can then spread to other
disks or other computers on a network, each time leaving copies of themselves
that can repeat the cycle.
File-infecting viruses
become active only when you execute the program that carries them or,
in the case of macro and script viruses, when a program opens a data file
that carries them. Typically, such viruses infect files with extensions
such as .EXE, .COM, or .DLL, and non-executable files such as Microsoft
Word .DOC files or Excel .XLS data and template files. A huge increase
in the variety and scope of new viruses over the last few years, however,
has expanded this list to cover nearly any type of file, even some
plain text files in certain circumstances. Once it executes, the file
virus also loads itself into your computer's memory, replicates,
then attaches itself to other executable programs. 
In recent years, the
line between these two divisions has blurred considerably. Many viruses
combine both file-infecting and boot sector-infecting features. These
often use a variety of tricks and techniques to conceal themselves from
anti-virus software. Newer virus types rely partly on unorthodox methods,
including user psychology, to help them spread quickly and widely, while
some have elements that classify them not as viruses, but under a more
general heading of "malicious software" or "hostile
code."
Examples of the latter
include software that anti-virus researchers classify as "worms"
or Trojan horse programs. These agents, because they do not technically
reproduce, are not viruses. But they can often have equally harmful effects
and spread just as fast as, if not faster than, "ordinary" computer
viruses. Other agents have worm-like or Trojan-like characteristics, but
come in the form of Java applets or ActiveX controls.
Anti-virus software detects these and other forms of malicious software,
all at the same time, to provide you with complete protection against
harmful software agents.

What does virus scanning software do?
With the growing number of viruses, Trojans and other hazards that can
easily infect your computer, protecting your PC has never been more important
than now. Virus scanning software acts as a tireless online sentry, guarding
your system against attacks from viruses and preventing harm from other
malicious software. It combines an advanced background scanner with components
that enable you to configure, schedule, run, and manage your own scan
operations with precision control.
This control extends to the response options the program
gives you when it finds a virus. You can have VirusScan software ask you
what it should do with infected files it finds, or you can have it take
a range of actions automatically, with no intervention necessary. Still,
if you want to monitor what it does, the software provides you with an
extensive set of log files, and can alert you in an instant when it finds
a virus via any or all of nearly a dozen different methods.
It can also intercept malicious software as it arrives
in your e-mail and keep your web browser away from Internet sites that
harbor harmful Java and ActiveX objects. Furthermore, since the kind of
vigilance that VirusScan software gives you requires constant updating
to meet innovative new virus threats, you can have it download and install
new virus definitions and even a new scanning engine automatically.
This comprehensive protection comes in a collection of modules and components,
some of which you can install separately, that work together on each desktop
system you want to protect.

Why scan for viruses?
Not so long ago, individual computer users could avoid virus infections
without much thought or planning, simply because they rarely contacted
likely virus sources. Today, however, most computer users send messages
to each other, share data and transfer files constantly, whether through
a modem, via diskettes, or over networks and the Internet. In this same
span of time, viruses have come to number in the thousands and now spread
more quickly and easily than ever.
In this environment, taking steps to protect yourself
from a computer virus infection is no longer a luxury but a necessity.
Consider the value of the data on your computer. It would probably require
a significant investment of time and money to replace if it became corrupted
or unusable because of a viral infection; it may even be irreplaceable.
But whether your own data is important to you or not, neglecting to guard
against viruses may mean that your computer could play unwitting host
to a virus that can spread and attack the data on computers your co-workers
and colleagues use.
Scheduling periodic virus scans with VirusScan anti-virus
software and other virus-scanning solutions significantly reduces your
vulnerability to infection and prevents unnecessary loss of time, money
and data.

Worms:
A worm is a malicious software agent that spreads by indirect means, instead
of reproducing itself. Some worms hijack e-mail systems and send copies
of themselves out to the world, others appear on high-traffic sites for
downloading, and still others use both these and other techniques to spread.
Worms can be just as destructive as viruses and spread just as rapidly, if
not more so. Worm writers often play on user psychology to entice people
to download and run them.
W97M/MELISSA, the notorious "Melissa" virus, is a worm that
used an e-mail system to spread at a spectacularly rapid rate. Its unprecedented
pace brought many mail servers down with hundreds of infections and caused
a massive cleanup effort.

Trojan horse program:
Trojan horse programs generally are harmful or destructive programs that
wear the superficial "clothing" of legitimate software. Because
they don't include native replication routines, they are not viruses.
Trojan horse programs rely, more than most types of malicious software,
on user psychology: their writers spend almost as much time on crafting
the right strategy to get you to run their software as they do on the
software itself. These strategies can range from the extremely simple (giving
a file a plausible name and planting it in the right context can often
be enough) to the very elaborate. Some Trojan horse programs can mimic
the environment in which they run in order to deploy their payload or
gather needed information.
A number of Trojan horse programs try to steal subscriber
and account information from such widely used services as America Online
or Compuserve. These programs masquerade under such names as BUDDYLIST.EXE
or WINSAVER.EXE. Others collect lists of Internet sites you've visited
and transmit them, or perform other unwelcome functions.

Macro virus
Macro viruses
arose shortly after some software vendors began incorporating macro languages
in their products and allowing those products to produce "data"
files that carried macro commands. The Microsoft Office product suite,
for example, includes a variation of the Microsoft Visual Basic programming
language that gives Microsoft Word and Microsoft Excel the ability to
automate template and document creation. Concept, the first macro virus,
appeared almost as soon as the Microsoft Word version that introduced
macro capability.
Macro capabilities
have since appeared in a number of software packages and have attracted
legions of virus writers. Macro and script viruses now account for the
overwhelming majority of circulating viruses and have only recently begun
to give ground to late-generation worms, which spread via e-mail and Internet
connections.

Script virus
Script viruses
rely on a particular scripting language to function, and require host
software or an environment that can correctly interpret the commands embedded
in the scripting language. The actual infecting agent can consist of a
plain text file, as it does with an mIRC script virus, provided that the
host environment understands the language and can execute its instructions.
Script viruses differ from macro viruses mainly in that script viruses
can often run in multiple product environments. A common language like
VBScript can run routines in web servers and browsers, in Microsoft Outlook
e-mail clients, and in other products that can interpret it. Scripting
languages also tend to be more open-ended than macro languages, which
can offer virus writers significant control over infected computers.
VBS/Bubbleboy, an
experimental, proof-of-concept virus, can run directly from an e-mail
message. It relies on the Outlook client's ability to interpret VBScript
directly.

ActiveX controls and Java classes:
As the popularity
of the Internet has grown, website design has become much more sophisticated.
Many sites now include interactive elements such as scripts, forms, search
engines, animations, and a host of other multimedia features that make
web browsing more useful and more exciting. Much of the technology that
makes these features possible comes from small, easily downloaded programs
that interact with your browser software to exchange information, to display
multimedia files, to formulate database queries, and to perform other
tasks. Website designers and programmers use Java and ActiveX, among other
tools, to write these types of programs.
The Java programming
language, which originated with Sun Microsystems, allows designers to
write small, special-purpose applications, or "applets," that
run on a Java "virtual machine" incorporated into your browser
software, either directly or as a plug-in module. A Java "class"
is a prewritten software module that programmers can modify for their
own use.
Programmers use Microsoft
ActiveX technology for similar purposes. ActiveX differs from Java primarily
in how it runs: where Java runs in a virtual machine built specifically
to interpret Java applets, ActiveX serves as a sophisticated software
bridge between existing programs, or between other programs and Windows
itself. An ActiveX "control" is a software module that links
programs and allows them to share data without either having to know anything
about how the other operates. Java classes and ActiveX controls are,
collectively, "objects."

Multi-partite virus
A multi-partite virus acts both as a boot sector
virus and as a file-infecting virus. It can travel via infected files,
and can load itself into your hard disk's or a floppy disk's
boot sector when it executes, where it can repeat the cycle. Very few
modern viruses use only one of these infection methods; most use both
methods, and a number of others besides.

Encrypted code signatures:
Most anti-virus software relies, in part, on the presence of a code signature
to find certain types of viruses. The code signature is a unique series
of bytes that distinguishes virus code from other portions of a file or
data. That signature could be a data pattern within the virus, an encryption
or decryption routine, or another identifying characteristic. Some viruses
use a distinctive signature to hang a sort of "do not disturb"
sign on files they infect; if not for this signature, the virus might
infect a file often enough to cause the file's size alone to raise
suspicion.
Some viruses can encrypt this signature to evade detection.
Many such viruses also mutate or develop polymorphic variations for their
code signatures or their encryption routines. This makes finding even
the distinctive signature for the encryption routine, to say nothing of
the virus itself, very difficult.
The encryption techniques they use can range from the simple to the very
sophisticated. As with other concealment techniques, code signature encryption
is not specific to one type of virus.

Mutating code signatures:
Most anti-virus software relies, in part, on the presence of a code signature
to find certain types of viruses. The code signature is a unique series
of bytes that distinguishes virus code from other portions of a file or
data. That signature could be a data pattern within the virus, an encryption
or decryption routine, or another identifying characteristic. Some viruses
use a distinctive signature to hang a sort of "do not disturb"
sign on files they infect; if not for this signature, the virus might
infect a file often enough to cause the file's size alone to raise
suspicion.
Some viruses can change or "mutate" this signature
under certain circumstances to try to evade detection. Many such viruses
also encrypt their executable code to avoid detection, which makes them
very difficult to find. But they often will leave traces of the decryption
routine they use to "uncloak" themselves, which makes them vulnerable
to good anti-virus software.
As with stealth techniques, code signature mutation is not specific to
one type of virus.
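
As an added illustration (not part of the original page, and not any anti-virus product's code), the Python sketch below scans constructed, harmless byte strings with two signatures: a body signature, which misses copies whose bytes have been XOR-encoded, and a wildcard signature for the leftover decryption routine, which still matches. BODY, STUB_PREFIX, STUB_SUFFIX and the Demo.* signature names are assumptions invented for the example.

```python
# Added illustration: signature scanning over constructed, harmless byte strings.
from typing import Dict, List, Optional, Sequence

Pattern = Sequence[Optional[int]]  # None acts as a wildcard for one byte

# Constructed stand-in for a "virus body"; it is inert text, not real code.
BODY = b"HARMLESS-DEMO-BODY-0001"
# Constructed stand-in for a decryption routine; the key byte sits between them.
STUB_PREFIX = b"\xde\xc0\xde\x01"
STUB_SUFFIX = b"\x5a\x5a"

SIGNATURES: Dict[str, Pattern] = {
    # Exact bytes of the body: only matches an unencoded copy.
    "Demo.Body": list(BODY),
    # Fixed stub bytes with a wildcard where the per-copy key is stored.
    "Demo.DecryptStub": list(STUB_PREFIX) + [None] + list(STUB_SUFFIX),
}

def find(data: bytes, pattern: Pattern) -> int:
    """Return the first offset where pattern matches data, or -1."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1

def scan(data: bytes) -> List[str]:
    """Names of all signatures found in data, sorted."""
    return sorted(name for name, pat in SIGNATURES.items() if find(data, pat) >= 0)

def plain_sample() -> bytes:
    """Constructed 'infected file' carrying the body unencoded."""
    return b"host program bytes " + BODY

def encrypted_sample(key: int) -> bytes:
    """Constructed file: stub (holding key) followed by BODY XOR key."""
    hidden = bytes(b ^ key for b in BODY)
    return b"host program bytes " + STUB_PREFIX + bytes([key]) + STUB_SUFFIX + hidden

if __name__ == "__main__":
    print("plain      ->", scan(plain_sample()))
    for key in (0x21, 0x7F, 0xC3):
        print(f"key 0x{key:02x}   ->", scan(encrypted_sample(key)))
    print("clean file ->", scan(b"host program bytes only"))
```

Each key produces different body bytes, so the exact-byte signature never fires on the encoded copies; the scanner still flags them because the stub bytes around the key do not change.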

Polymorphic code signatures:
Most anti-virus software relies, in part, on the presence of a code signature
to find certain types of viruses. The code signature is a unique series
of bytes that distinguishes virus code from other portions of a file or
data. That signature could be a data pattern within the virus, an encryption
or decryption routine, or another identifying characteristic. Some viruses
use a distinctive signature to hang a sort of "do not disturb"
sign on files they infect; if not for this signature, the virus might
infect a file often enough to cause the file's size alone to raise
suspicion.
Some viruses can change or mutate this code signature
repeatedly, each time they copy themselves, to avoid detection. Some viruses
employ code signature encryption to appear polymorphic, since encryption
will change their distinctive code signatures.
An example of an advanced virus of this type is Hare which, though now
rare, could travel via a floppy disk boot sector or as part of an infected
file. It loaded itself into memory when it executed, and could overwrite
part of the hard disk master boot record (MBR). Hare used polymorphic
techniques regularly to avoid detection.

Stealth concealment techniques:
Viruses that use stealth techniques hide themselves to evade detection.
These techniques can consist of simple redirection functions that display
a false picture of the information you expect to see when you look at
a disk sector, while the virus conceals itself in the real location you
meant to examine. It can also mean a much more advanced combination of
techniques that allows viruses to hide within files, in unused or unformatted
space on your hard disk, or in other areas the operating system normally
cannot see.
Any virus type can employ some stealth techniques, but boot sector and
file-infecting viruses tend to make the most use of them.
