IPT - A Virtual Approach IPT A Virtual Approach by Peter Whitehouse
Quick Links:
 
 
Information and Intelligent Systems Social and Ethical Implications Human Computer Interaction Software and Systems Engineering eXercise Files Course Outline and Assessment A-Z of Geeky Acronyms Terrace Work Program 2004 Sillybus FAQ = Frequently Asked Questions Help
 
 

Computer Viruses

A Resource Document

"The only truly secure system is one that is powered off, cast in concrete, and sealed in a lead-lined room with armed guards - and even then I have my doubts."
E.H. Spafford, Dept of Computer Sciences, Purdue University.

This document is provided as source material for the EXTENDED WRITING TASK: SE1. It is meant as a starting point for research and ideas.


Definitions

The 'Computer Virus' is a relatively recent phenomenon. The first reported (as a news item) 'viral' infection was in 1987, prior there were unsubstantiated reports of 'nasty' programs being picked up from pirated games software as early as 1985. It is obvious that such activity must have been going on well before that (many hackers and normal users alike were doubtlessly coping with rogue programs long before this and failing to report it for fear of being caught pirating software - which is, of course, illegal).

Minimum criteria for the definition of a program as a VIRUS are the following:

  • the program must be executable
  • it must be capable of cloning(replicating) itself
  • it must convert other executable objects into viral clones (ie 'infect' them)

In addition to this, the vast majority of these viruses load and run without users requesting them to run, 'hide' inside normal (host) programs and run when the hosts are run, they act without prompting users for permission, without warning of consequences and internally error trap (so as not to alert the user to their presence).

'Destructive' behaviour/action, as used in this unit, refers to any action that the user did not specifically request (or that he/she did not knowingly allow to happen, or could reasonable anticipate) which causes changes to software/hardware.

'Rogue' software, as used in this unit, is any software illegally or illicitly obtained, by choice or by default (ie. you get it without any say in the matter) that causes unwanted changes to a computer system.

Most of this document deals with IBM or IBM compatible viral infections (specifically MS-DOS,OS/2 systems). There are, as one would predict, an equally daunting array of 'rogue' programs available for all other computer systems.

Material for this unit was compiled from a variety of sources, including:

The Computer Virus Handbook. R.B. Levin, 1990. Osborne/McGraw-Hill (Lib ref 005.16 LEV)

Fact and Fiction

Viruses are not some form of electronic life, nor do they employ some form of artificial intelligence (for them to do this, they would need memory far in excess of the vast majority of PCs they infect) - contrary to whatever the X-Files would have you believe.

When dealing with, and describing computer viruses, it is difficult not to use terms and phrases associated with living things, and to think of them as having a personality (a pretty bizarre and vicious one at that). Therefore it is important to continually remind ourselves that viruses follow specific algorithms designed by programmers, where all actions are pre-meditated, and the motives of the designer are many and varied (though usually destructive).

They cannot spread from an infected computer (called a host) to a non-infected computer unless they are physically (and electronically) connected, and/or share executable files. Viruses cannot remain active when the computer is turned off (that is not to say that the 'infected' files are eliminated when power is off, rather they cease their action).


'Rogue' Software Classified

BUG-WARE

lawful programs that, due to inadequate testing or logic errors, damage hardware/software accidentally.

TROJAN HORSES

programs that appear useful and that have well written 'shells', but that contain one (or more) destructive commands acting under the surface.

CHAMELEONS

programs that act like other familiar, trusted programs while underneath they are being destructive.

SOFTWARE BOMBS

designed to erase data from the instant they are run, they rarely clone.

LOGIC BOMBS

designed to execute destructive computer commands depending on the status of particular environmental variables (eg. key sequence, disk read/write etc.)

TIME BOMBS

designed to execute destructive computer commands depending on the status of particular numeric or time-related environmental variable (eg. a particular date, after two runs etc.)

REPLICATORS

(commonly called rabbits) typically clone themselves, then their offspring clone, and so on until memory is used up and processing is halted.

WORMS

programs that travel through a networked environment either collecting information (passwords, documents etc) or leaving messages.

VIRUSES

programs that modify other programs to include an executable and possible modified copy of themselves (ie. they clone). Once all executable files are infected, the viruses then may begin destructively tampering with system operations and data files.

It should be noted that rogue programs come in many forms, with many and varied actions, but programs called viruses are a nasty step above your average rogue, and as such, demand a separate classification.


Virus Classification

BSIs - Boot Sector Infectors

programs that specialise in altering, overtaking files in the boot sector. This makes the BSIs the first programs run when computers are booted (ie before DOS, Batch files or any anti-virus software is executed) and so assume total control.

CPIs - Command Processor Infectors

programs that infect COMMAND.COM, and affect the computers ability to process user commands at DOS level.

GPIs - General Purpose Infectors

programs designed to seek out, and infect all executable programs (other than low-level system operating files), rendering them faulty, unpredictable or inoperative.

MPIs - Multi-Purpose Infectors

programs that adopt two or more of the previously mentioned viral strategies, thus greatly increasing its chances of 'survival' in the infected system.

FSIs - File Specific Infectors

programs that are designed to target specific types of files, although they can be 'carried' on other types of files waiting for the opportunity to damage their target.

MRIs - Memory-Resident Infectors

like BSIs and CPIs, these programs stay resident (ie. aren't lost when power is turned off), and are engaged immediately garbling screen output, scrambling keyboard input, disk data shuffled, and during lulls in processor activity infect any uninfected files.

Popular Methods Of Viral Infection

The five most commonly implemented infection strategies at the moment (in detected viruses at least) are:

Appending

viruses that attach rogue code to the end of .EXE or .COM files, and become active upon completion of execution of the infected file. These viruses increase the file size by the number of bytes of viral code appended.

Insertion

viruses that place their code directly inside unused code and data segments of a host file to infect them. Their size is kept to a minimum and they do not alter the size of the file, becoming active when the host file has begun execution.

Redirection

disk partition tables, hidden files and 'bad' sectors are used to store the 'control centre' for a viral infection which consists of a 'network' of inserted viral code (often only a few bytes here and there) scattered through a number of infected files.

Replacement

viruses that delete and replace target files with viral code. This typically alters file size and attribute values, and usually file names also.

Viral Shell

This is more a post-infection survival technique where the viral code is designed to emulate the executable files actions, so all appears to be normal, and any attempt to find out otherwise is resisted. Directories, File allocation tables, attributes and so on are all manipulated to prevent the viral presence from being detected.

Some Viruses (in summary)

What follows is a partial listing of the DETECTED viruses around in 1990 infecting IBM and IBM compatible PCs. It should be pointed out here that these programs represent only those viruses that have been DETECTED, and that can be ELIMINATED (or at least deactivated) - that is not to say that there doesn't exist a plethora of undetected rogue programs merrily working away without detection (this is most likely the case).

NAME (aliases)			type 

AIDS (Hahaha, VGA2CGA)		O N C
Alabama				P R E T
Alameda (Peking, Seoul)		B R F
Ashar (Shoe, UIUC)		B R
Brain (Pakastani)		B R
Cascade A,B (blackjack)		P R C
Chaos				B R
Dark Avenger			P R A K
Datacrime (many versions)	P N A K
dBASE				P R C
Den Zuk (search)		B R F
Devil's Dance (mexican)		P R C T
Disk Killer (ogre)		B R T
EDV				B R X
Friday The 13th			P N C
Fu Manchu			P R A
Ghost Boot			B P N C
Golden Gate			B R
Halloechen			P A
Icelandic			P R E
Jerusalem (PLO, Russian)	P R A K
Joker				P N E
Lehigh				O R K T
Lisbon				P N C
Michaelangelo			A M O T X
Ohio				B F
Oropax (music virus)		P R C
Payday				P R A
Pentagon			B R F
Perfume				P N C K
Ping Pong(bouncing ball)	B R F
Saratoga (one in two)		P R E
Stoned (marijuana)		B R X
Sunday				P R A T
Surviv 1.01 (April 1st)		P R A T
Swap (Falling letters)		B R F
SysLock				P N A
Taiwan				P N C K
Traceback			P R A
Typo (mistake, fumble)		B R P C
Vacsina				P R A
Vcomm				P R E
Vienna (Unesco, Dos-62)		P N C
Virus				P R A F
W13				P N C
Yankee Doodle			P R A
Zero Bug (Palette)		P R C


Codes:		  		A = infects all program files (.COM and .EXE)
				B = boot sector virus
				C = infects .COM files only
				D = infects DOS boot sector on hard disk
				E = infects .EXE files only
				F = floppy (360K) only
				K = infects COMMAND.COM
				M = infects master boot sector on hard disk
				N = nonresident (in memory)
				O = overwriting
				P = parasitic virus
				R = resident (in memory)
				T = manipulation of file allocation table (FAT)
				X = manipulation/infection of the partition table
 

wonko@wonko.info
©Copyright t 1992..2017+. Edition 25.150117
wonkosite
Creative Commons License
This work is licensed under a
Creative Commons Attribution-NonCommercial-ShareAlike 2.1 Australia License
.