The Enemy Within

Back in 1986, a graduate programmer in Lahore, Pakistan wrote a program that copied itself from one floppy disk to another. His name was Amjad Alvi and together with his brother, Basit, he entered computer folklore as the author of Brain, the first computer virus.

Brain is now extinct because it can only infect low density 5.25 inch floppies, which became obsolete long ago, but its descendants now amount to over 200,000 strains and the need for new ways to combat them has spawned an industry worth millions.

Like their biological counterparts, computer viruses cannot replicate by themselves – they must attach themselves to an existing computer program so they can be copied along with it. There are 3 main types of viruses, each of which use a different kind of host.

Stresses and Strains

Boot Sector Viruses (BSV) attack the boot loader program that the operating system places at the start of every formatted floppy disk. Hard disks also have a boot sector and once this is infected, every subsequent floppy disk put in the drive will become infected.

Boot Sector Viruses cannot be spread over the Net because they rely on the physical transfer of the infected diskette, but the second kind of virus can.

A file virus attaches itself to a program file (one with a .COM or .EXE extension). The host program is modified so that the virus instructions are loaded first before control is returned to the original program. The virus may execute only once and then clear itself from memory, or it may stay behind and after the host program has quit and infect every new program file that is run thereafter. Files that purely contain data, such as text files or graphics, are immune from virus attack because they do not contain program instructions.

The third variety of virus to emerge is the macro virus. These take advantage of the fact that Microsoft Office documents can contain small programs within them called macros. These are written in a programming language called Visual Basic for Applications (VBA), which Microsoft added to Office to enable power users to customize the software. Virus authors were quick to spot its potential for their black art.

Macro viruses are the easiest kind to write because VBA is easier to learn and more powerful than the Assembly language used to write BSVs and file viruses. In addition, it is very easy for would-be-virus-authors to modify the instructions in existing macro viruses to create newer and more sophisticated versions.

Exposed to Infection

The life cycle of a computer virus begins when you expose yourself to an infected source. For a BSV, this could be putting a floppy disk in a computer shared by many students at a college or it could be through a disk containing commercial software that has become infected during the duplication process. File and macro viruses can be caught by downloading an infected file or receiving an email with an infected attachment.

At this stage, your computer has been exposed to infection, but it isn’t actually infected yet. That occurs in the next step, when you make your first mistake. Unthinkingly, you leave the floppy disk in your disk drive when you turn off the computer. When you turn it back on again, you see the message, ‘Invalid system disk’. You take the disk out and hit a key to re-boot, but it is too late – the damage has been done.

In that moment of disk whirring before the message appeared, the virus loaded itself into memory and proceeded immediately to the next stage in its life cycle, which is replication. It relocates the boot sector program of your hard disk and copies the virus code into its place.

For a file or macro virus, infection occurs when you open the program or document. The virus loads into memory and replicates itself to whatever other suitable host files it finds on your hard disk.

Contaminating Others

Your computer is now infected and is a source of infection for others. The virus life cycle completes itself when you unwittingly spread this infection to someone else. You send a memo as an email attachment, you upload a shareware utility to your website or you pass a floppy or CD disk over to your friend. You may very well represent a trusted source to the person you infect and may have seen no symptoms of a virus on your own system.

A clever virus will be very careful not to manifest any symptoms of the infection until it has had time to spread itself, because a virus that reformats your hard disk on infection dies with its host. In nature, biological viruses may cause harm to their host in order to pass on the infection – forcing you to cough up your lungs in someone else’s face, for example. With computer viruses, the nasty side effects, known as the payload, stem from much more capricious motivations and usually amount to nothing more noble than cyber vandalism.

Some viruses don’t carry a payload and others may do nothing worse than a bragging message now and again. Although these viruses consume disk space and may slow your system down a little, the urgency to remove them immediately is relatively low.

The viruses that attract most attention from the mainstream media are those that deliberately attempt to destroy data. Normally triggering on a particular day of the month or year, these may simply initiate a hard disk reformat, or they may incorporate a more devious payload.

The One-half virus quietly encrypts your hard disk, a couple of cylinders at a time, every time it activates. As long as the virus remains in memory, requests for data from those cylinders will be intercepted and the data encrypted on the fly. If the virus is suddenly removed, the decryption facility is lost and the data along with it. For this reason it is important to backup the data before disinfecting the hard disk. Possibly the greatest lethal payload is that of the Chernobyl or Win CIH virus. On 26 April, which is the anniversary of the Chernobyl disaster, the payload activates and not only overwrites the infected system’s hard disk, but also destroys the data in the BIOS, which is stored in flash ram. Since this will leave the computer completely unbootable the motherboard will have to be replaced as the BIOS chip is surface mounted to the board. If it’s a notebook you may as well trash it.

Means of Protection

You can protect yourself from virus infection completely, without recourse to any scanning utilities or protective software. Simply ensure you never boot from drive A, never open an email attachment and never run any executable code you didn’t write yourself. Because this is a trifle limiting, the next best thing is install an antivirus package and adopt a sensible scanning strategy.

Before your system becomes infected, you should create a clean boot disk and put it somewhere safe. This will enable you to start your system in an emergency and be confident there are no viruses in memory. This is important because some stealth viruses can intercept error messages and file date stamps and sizes and show you what they want you to see instead.

Just as important as choosing a good virus scanner, is knowing how to use it. If you only scan your hard disk at boot-up, you will allow a virus plenty of time to infect multiple files during a session and it may escape from your system via the internet before you realize you have been infected.