This document describes the different kinds of viruses and other malicious software that computer users may be exposed to. The various threats are defined and discussed, and recommendations for avoiding infection are offered.

1. A virus definition

From the definition of a data virus it follows that you are not infected merely because a file containing a virus is on your hard disk. You are not infected until you open the file/document and the virus propagates.

A virus is defined by these criteria:

  • Its ability to replicate. How it replicates depends on the kind of virus; the different types of virus are described later.
  • A virus needs a host to propagate. Such a host can be a file on a server/workstation/diskette, a document, a Master Boot Record or a System Boot Record. (Master Boot Record and System Boot Record are described later in this document.)
  • Some kind of action must result, an action which the user did not intend to invoke. This could be a message, deletion of files, changing of stored data or only replication. The latter uses resources like disk space, CPU time or network resources.

A simple definition of a virus may result from this: it replicates, it includes itself in program code without permission, and it may damage the infected computer.

Virus infections do not happen often. However, when they occur, they have to be treated correctly and quickly. More damage is done by erroneous attempts to remove viruses which might - or might not - exist on a computer.

A virus may propagate from program to program, and from system to system, without the user's knowledge. That is, one does not have to do anything consciously to transfer the virus; one only has to supply the virus with a host. The propagation is handled by the virus itself.

Most users do not know that they are infected by a virus. The discovery happens by coincidence, by noticing that some files are missing, or that the computer's behavior is suddenly "strange". In the time between infection and discovery, other computers may have been infected, by use of the same diskettes or by sharing files/documents. Most virus attacks are not visible at the time of the attack.

Education is the key!

The earlier the infection is discovered, the earlier further propagation can be stopped. It is important to remember that one source may contain several viruses which infect in different ways.

Part of fighting viruses is identifying possible sources of viruses. Such sources can be perfectly legal, like shrink-wrapped programs from a distributor, or illegal, like copying applications which are licensed to others.

The risk of being infected by legally bought programs - licensed or shareware - is minor.

2. Different types of virus

2.1 File virus

A file virus is attached to a program file, normally an *.EXE or a *.COM file. It uses different techniques to infect other program files. File viruses may also infect *.SYS, *.DRV, *.BIN, *.OVL and *.OVY files.

Most file viruses are memory resident, which lets the virus monitor all activity and infect other program files. Other file viruses infect by "direct action", which means that they infect one or several program files when the user opens/runs the infected file.

This kind of virus may be transferred to/from all kinds of storage media (from, but not to, a CD-ROM) and propagate in a network.

Three main techniques are used to infect files which can be run: overwriting, inserting at the beginning, and appending.

  1. An overwriting virus is placed at the beginning of the program, on top of the original program code, which destroys it. When you try to run the program, nothing of what you expected happens; instead the virus infects one or more other files, or terminates and stays resident.
  2. Viruses which insert themselves at the beginning of a program leave the original program intact after the virus. When you run a program infected by such a virus, the virus code is run first, and then the original program is started.
  3. Appending viruses insert themselves at the end of the file. In addition, a jump instruction which points to the virus is placed at the beginning of the file. The program will then run as usual, and the user does not notice the virus being run.
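All three techniques change the bytes of the host program, and two of them change its size. A baseline-and-compare integrity check is therefore the simplest way for an administrator to notice an infection of program files. The following is an added example (not code from the original document): it records the size and SHA-256 of every host-type file in a directory, then reports which files changed and classifies the change the way the three techniques above would show up. The directory and its "programs" are constructed in a temporary folder.

```python
"""Baseline-and-compare integrity check for program files (added example)."""
import hashlib
import os
import tempfile

# File extensions the document lists as hosts for file viruses.
HOST_EXTENSIONS = {".exe", ".com", ".sys", ".drv", ".bin", ".ovl", ".ovy"}


def fingerprint(path):
    """Return (size, sha256 hex digest) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def baseline(directory):
    """Fingerprint every host-type file directly inside `directory`."""
    result = {}
    for name in sorted(os.listdir(directory)):
        if os.path.splitext(name)[1].lower() in HOST_EXTENSIONS:
            result[name] = fingerprint(os.path.join(directory, name))
    return result


def compare(old, new):
    """Classify differences between two baselines.

    Returns {name: 'overwritten' | 'grown' | 'shrunk' | 'new' | 'missing'}.
    Same size but different hash matches an overwriting virus; a larger
    file with a different hash matches prepending or appending.
    Unchanged files are omitted.
    """
    findings = {}
    for name in set(old) | set(new):
        if name not in new:
            findings[name] = "missing"
        elif name not in old:
            findings[name] = "new"
        else:
            (old_size, old_hash), (new_size, new_hash) = old[name], new[name]
            if old_hash == new_hash:
                continue
            if new_size == old_size:
                findings[name] = "overwritten"
            elif new_size > old_size:
                findings[name] = "grown"
            else:
                findings[name] = "shrunk"
    return findings


def demo():
    """Constructed scenario: three dummy programs, then two simulated changes."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("CALC.EXE", "EDIT.COM", "MOUSE.SYS")}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(b"\x90" * 64)  # dummy program body (constructed)
        before = baseline(d)
        # Same size, different content: the trace of an overwriting virus.
        with open(paths["CALC.EXE"], "wb") as f:
            f.write(b"\xcc" * 64)
        # Extra bytes at the end: the trace of an appending virus.
        with open(paths["EDIT.COM"], "ab") as f:
            f.write(b"\xcc" * 16)
        after = baseline(d)
        return compare(before, after)


if __name__ == "__main__":
    for name, kind in sorted(demo().items()):
        print(f"{name}: {kind}")
```

The baseline must be taken on a machine known to be clean and stored where the virus cannot rewrite it (a write-protected diskette in the document's era, a separate host today); a hash list stored next to the programs can itself be overwritten.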

2.2 System virus

System viruses or boot viruses are often present on diskettes without the users' knowledge. When a user starts or restarts the computer, the system virus will infect the Master Boot Sector (MBS) and the System Boot Sector (SBS) if the infected diskette is in the diskette drive. You can only be infected by a system virus from a diskette.

MBS: The Master Boot Sector is a small area on the hard disk which holds information about how the hard disk is organized. All physical hard disks have an MBS. The MBS contains a program which reads the partition table, as well as the partition table itself. The program reads the partition table and interprets the information to find the System Boot Sector. Most system viruses infect the MBS.

SBS: System Boot Sector is an area on the hard disk which has several kinds of data, including a program which finds and runs the operating system.

The reading of these system areas is part of the startup process on all IBM compatible computers. Thus system viruses are not dependent on the operating system, which makes propagation easier, but they propagate only by diskettes, not over networks.

2.2.1 The Startup process

If you want to understand system viruses, you should know about the boot process on a PC. The BIOS (Basic Input/Output System) handles the boot process, which is initiated when the PC is switched on. The next step is called POST (Power-On Self-Test), which ensures that the computer is functioning properly. One POST function recognized by most users is the counting of available RAM. Finally POST runs the startup process. First the presence of a diskette in the diskette drive is checked. If there is one, the SBS on the diskette is read, and the PC tries to boot from it. If this is a non-bootable diskette, an error message such as this appears:

Invalid system disk
Insert another disk and press any key

Normally there is no diskette in the diskette drive. Then the MBS on the hard disk is read, followed by the SBS on the hard disk. Finally the operating system is started. This process is the same whether the operating system is DOS/Win3.1, Windows95, WindowsNT or OS/2. The differences appear when the operating system is loaded.
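Because the MBS is read before any operating system code, a system virus that infects it must replace the small bootstrap program that precedes the partition table. The following added example (not code from the original document) parses a 512-byte MBS in the standard layout: 446 bytes of bootstrap program, a 64-byte partition table of four 16-byte entries, and the 0x55 0xAA signature. It returns the partition table, the location of the active partition's SBS, and a hash of the bootstrap program that an administrator can record as a baseline and compare later. The MBS itself is constructed in memory; the bootstrap bytes in it are a stub, not real boot code.

```python
"""Parse a Master Boot Sector and baseline its bootstrap program (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bootstrap program occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow it
SIGNATURE = b"\x55\xaa"       # bytes 510..511


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"active": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbs(sector):
    """Return bootstrap hash, partition table and the LBA of the active partition's SBS."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBS must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_SIZE]
    table = [
        parse_partition_entry(sector[PARTITION_TABLE_OFFSET + 16 * i:PARTITION_TABLE_OFFSET + 16 * (i + 1)])
        for i in range(4)
    ]
    active = [p for p in table if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": table,
        "system_boot_sector_lba": active[0]["lba_start"],
    }


def build_sample_mbs(boot_code):
    """Construct an MBS with the given bootstrap stub and one active FAT16 partition at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 204737)
    empty = b"\x00" * 16
    return code + entry + empty * 3 + SIGNATURE


def check_against_baseline(sector, baseline_hash):
    """True when the bootstrap program still matches the recorded baseline hash."""
    return parse_mbs(sector)["boot_code_sha256"] == baseline_hash


if __name__ == "__main__":
    clean = build_sample_mbs(b"\xfa\x33\xc0\x8e\xd0")  # constructed stub, not real boot code
    info = parse_mbs(clean)
    print("SBS is at LBA", info["system_boot_sector_lba"])
    recorded = info["boot_code_sha256"]
    # Simulate a rewritten bootstrap program with the partition table left intact,
    # which is what an MBS infection looks like to this check.
    changed = build_sample_mbs(b"\xeb\xfe")
    print("bootstrap still matches baseline:", check_against_baseline(changed, recorded))
```

On a real machine the sector is read with a raw disk read of the first 512 bytes of the physical disk, which requires administrator rights; the partition table is normally left intact by a system virus, so the hash of the bootstrap bytes, not the table, is the part worth comparing.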

2.2.2 Checking for system virus

A simple way to check if the system areas are infected is to use the command "CHKDSK". This command will usually show "655.360 total bytes memory". If the number is lower, this may indicate that there is a virus in memory. Note however that reduced DOS memory may have natural causes.

2.3 Dropper virus

A "dropper" is a program which is created or modified to "install" a virus on the target computer. The dropper is like the envelope in which the virus resides. When the dropper is run for the first time, the virus is installed on the computer. It is the virus itself which propagates, not the dropper. The virus in the dropper may be any kind of virus.

The dropper may have a name like Readme.exe (the users are curious and run the file), or it may overwrite Command.com and then be activated when this program is run. The virus code may be programmed in such a way that the virus scanners do not find the virus. Most are detected however.

A dropper is actually a Trojan horse which intends to install a virus. See "Trojan horse".

2.4 Companion virus

This kind of virus looks for *.EXE files and creates a *.COM file with the same base name in which it places the virus. The reason is that when a program name is typed without an extension, DOS runs a *.COM file before an *.EXE file of the same name. The original program will still run as usual, and everything looks normal to the user.
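The trace a companion virus leaves on disk is simple to look for: a base name that exists with both extensions, where the *.COM is typically tiny compared with the real program. The following is an added example, not code from the original document; it scans a directory for such pairs and reports the size of each *.COM. The directory and its files are constructed in a temporary folder.

```python
"""List NAME.COM / NAME.EXE pairs, the trace a companion virus leaves (added example)."""
import os
import tempfile


def find_companion_pairs(directory):
    """Return sorted (base, com_name, com_size, exe_name) tuples for every pair."""
    files = {}
    for name in os.listdir(directory):
        base, ext = os.path.splitext(name)
        # DOS file names are case-insensitive, so group on the upper-cased base name.
        files.setdefault(base.upper(), {})[ext.upper()] = name
    pairs = []
    for base, by_ext in files.items():
        if ".COM" in by_ext and ".EXE" in by_ext:
            com_name = by_ext[".COM"]
            com_size = os.path.getsize(os.path.join(directory, com_name))
            pairs.append((base, com_name, com_size, by_ext[".EXE"]))
    return sorted(pairs)


def demo():
    """Constructed directory: one legitimate .EXE shadowed by a small companion .COM."""
    with tempfile.TemporaryDirectory() as d:
        sizes = {"CALC.EXE": 4000, "CALC.COM": 300, "EDIT.COM": 2000, "WIN.EXE": 9000}
        for name, size in sizes.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x90" * size)  # dummy content, constructed
        return find_companion_pairs(d)


if __name__ == "__main__":
    for base, com, size, exe in demo():
        print(f"{base}: {com} ({size} bytes) is run instead of {exe}")
```

A pair is not proof of infection (some legitimate packages ship a small *.COM loader beside an *.EXE), so each hit should be checked against the installation media before the *.COM is deleted.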

2.5 Multipartite virus

This is a combination of different types of virus. They may infect boot areas and executable files, and may infect through a network.

3. Macro virus

Macro viruses have become an increasingly big problem for computer users. As the use of the Internet and e-mail has increased - and sharing of resources has become more common - the risk of being infected is higher than ever. Below is a general description of the macro virus phenomenon and the danger these viruses may inflict on a computer.

3.1. What do macro viruses infect

A macro virus may be included in any file type which uses a macro language. Examples are documents from Word, Excel, Access and WordPro. By definition, one is not infected before the document is opened. The virus propagates from one document to another, and may also be transferred between documents by OLE2.

3.1.1. OLE2

Data files created by Microsoft applications are stored in so-called OLE2 files. OLE (i.e. "Object Linking and Embedding") is a way to store various links in one file, thus enabling the sharing of data between applications. One OLE2 file may have several "independent" links, e.g. one text link, one picture link, one sound link etc. - all in the same file.

Example 1: You have a Word document with a picture in it. You may then edit the picture in Word directly, instead of opening a picture editing program. OLE2 handles the communication between Word and the graphic editing program, which is what you really use to edit the picture.

Example 2: You have a Word document with a table from Excel. You edit the table in Word, while OLE2 (in the background) takes care of the communication with Excel, which does the real editing.

One may look at an OLE2 file as a separate file system. The file starts with a special signature, followed by a FAT (File Allocation Table) and a directory. OLE2.DLL is used to access OLE2 files. This library is invoked by function calls from an application (e.g. Word). The DLL has all functions needed to work with an OLE2 file (Add/Delete/Modify stream, Read/Write OLE2 and more).
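Because an OLE2 file is a small file system, its directory can be read without starting Word at all, which is useful for checking whether a document carries macros independently of any menus the application shows. The following is an added example, not code from the original document: it parses the OLE2 header (signature, sector size, FAT location, first directory sector), follows the directory's FAT chain, lists the directory entries, and reports whether a macro container storage is present. To run offline it constructs a minimal OLE2 file in memory (header, one FAT sector, one directory sector); a real document would be read from disk and passed to the same functions. The storage names checked ("Macros", "VBA", "_VBA_PROJECT_CUR") are the names Microsoft Office uses for VBA macro containers; treat that list as an assumption to extend for other applications.

```python
"""Read an OLE2 (compound) file's directory and look for macro storages (added example)."""
import struct

OLE2_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
MACRO_STORAGES = {"MACROS", "VBA", "_VBA_PROJECT_CUR"}   # assumption: Office VBA container names


def parse_header(data):
    """Decode the fields of the 512-byte OLE2 header needed to reach the directory."""
    if data[:8] != OLE2_SIGNATURE:
        raise ValueError("not an OLE2 file: bad signature")
    sector_shift, = struct.unpack_from("<H", data, 30)
    fat_count, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)      # locations of the first 109 FAT sectors
    return {"sector_size": 1 << sector_shift, "fat_count": fat_count,
            "first_dir_sector": first_dir, "difat": difat}


def read_sector(data, header, n):
    """Sector n starts at (n + 1) * sector_size because the header occupies sector -1."""
    size = header["sector_size"]
    return data[(n + 1) * size:(n + 2) * size]


def load_fat(data, header):
    fat = []
    for sect in header["difat"][:header["fat_count"]]:
        raw = read_sector(data, header, sect)
        fat.extend(struct.unpack("<%dI" % (len(raw) // 4), raw))
    return fat


def chain(fat, start):
    """Yield the sectors of a FAT chain, refusing loops and out-of-range links."""
    seen = set()
    while start != ENDOFCHAIN:
        if start in seen or start >= len(fat):
            raise ValueError("corrupt FAT chain")
        seen.add(start)
        yield start
        start = fat[start]


def directory_entries(data):
    """Return (name, object_type) for every used 128-byte directory entry."""
    header = parse_header(data)
    fat = load_fat(data, header)
    entries = []
    for sect in chain(fat, header["first_dir_sector"]):
        raw = read_sector(data, header, sect)
        for off in range(0, len(raw), 128):
            name_len, obj_type = struct.unpack_from("<HB", raw, off + 64)
            if obj_type == 0 or name_len < 2:          # unused entry
                continue
            name = raw[off:off + name_len - 2].decode("utf-16-le")   # drop the UTF-16 terminator
            entries.append((name, obj_type))
    return entries


def has_macro_storage(data):
    return any(name.upper() in MACRO_STORAGES for name, _ in directory_entries(data))


def _entry(name, obj_type):
    """Build one constructed 128-byte directory entry."""
    raw_name = name.encode("utf-16-le") + b"\x00\x00"
    e = raw_name.ljust(64, b"\x00")
    e += struct.pack("<HBB", len(raw_name), obj_type, 1)   # name length, type, colour flag
    e += struct.pack("<iii", -1, -1, -1)                    # sibling/child links unused here
    return e.ljust(128, b"\x00")


def build_sample_document(with_macros):
    """Constructed OLE2 file: header, one FAT sector, one directory sector (512-byte sectors)."""
    names = [("Root Entry", 5), ("WordDocument", 2)] + ([("Macros", 1)] if with_macros else [])
    directory = b"".join(_entry(n, t) for n, t in names).ljust(512, b"\x00")
    fat = struct.pack("<II", FATSECT, ENDOFCHAIN).ljust(512, b"\xff")   # sector 0 = FAT, 1 = directory
    header = bytearray(512)
    header[:8] = OLE2_SIGNATURE
    struct.pack_into("<HHH", header, 26, 3, 0xFFFE, 9)     # version 3, little endian, 512-byte sectors
    struct.pack_into("<H", header, 32, 6)                  # mini sector shift
    struct.pack_into("<II", header, 44, 1, 1)              # one FAT sector; directory starts at sector 1
    struct.pack_into("<I", header, 56, 4096)               # mini stream cutoff
    struct.pack_into("<II", header, 60, ENDOFCHAIN, 0)     # no mini FAT
    struct.pack_into("<II", header, 68, ENDOFCHAIN, 0)     # no extra DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    return bytes(header) + fat + directory


if __name__ == "__main__":
    for flag in (False, True):
        doc = build_sample_document(flag)
        print([n for n, _ in directory_entries(doc)], "macros:", has_macro_storage(doc))
```

The directory listing only says that a macro container exists, not whether its contents are malicious; but since a user cannot have been infected by a document with no macro storage, this check is a cheap first filter for incoming documents.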

3.2. How does a macro virus infect my documents?

Using Word as an example, a macro virus for Word infects most documents in this way:

The macro virus in the opened document takes control, usually by using automacros (i.e. macros which run when certain events occur, e.g. when opening (AutoOpen) and closing (AutoClose) documents). The automacro then copies the virus macro(s) to the global template (Normal.dot).

The template Normal.dot is loaded when Word starts and contains information about fonts, shortcut keys, colors and so on. Macros created and used in an organization may also be stored in Normal.dot.

If Normal.dot is infected by the virus macro AutoClose, it will run each time a document is closed.

Other macro viruses infect other files and leave Normal.dot unchanged.

3.3. Macro virus and menu choices

Several viruses are attached to menu choices. The result is that they run each time a user selects that particular menu item. One example is the virus macro FileSaveAs, which is invoked by the File|SaveAs menu choice.

Macro viruses are also capable of removing or hiding menu choices. Examples of such menu choices are Tools|Macro and Tools|Customize. Hiding/removing those makes it difficult for the user to inspect the macros in a document and (optionally) delete them.

3.4. What is "Stealth" in connection with macro virus, and what happens if the macro virus is encrypted?

A macro virus' Stealth function means that the virus adds functions to the document which make it difficult to see the infected macros. Examples are hiding the Tools|Macro and Tools|Customize menus, as well as disabling the File|Templates menu choice. Another way for the virus to protect itself is to display its own dialog boxes instead of the original ones.

If you see that some menu choices are missing, or see empty dialog boxes, this might indicate that you are infected by a macro virus.

Macro viruses may be stored encrypted. Encrypted macros are not difficult to scan, because the key used to encrypt the macro is stored in the file itself.
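The point is easy to demonstrate with a constructed container format. The following added example (not code from the original document, and not Word's real encryption scheme) stores the key as the first byte of the file and XORs the macro source with it; the scanner simply reads that byte, decrypts, and runs its ordinary signature match. The signature strings are illustrative, not a real product's.

```python
"""Scan an encrypted macro body using the key stored in the same file (added example)."""

# Illustrative signatures: statements a Word macro virus would typically need in order
# to copy itself into the global template. Not a real scanner's signature set.
SIGNATURES = [b"MacroCopy", b"AutoOpen"]


def encrypt_macro(source, key):
    """Build the constructed container: one key byte followed by the XORed source."""
    if not 0 <= key <= 255:
        raise ValueError("key must be a single byte")
    return bytes([key]) + bytes(b ^ key for b in source)


def decrypt_macro(container):
    """Recover the macro source: the key is the first byte, so no secret is needed."""
    if not container:
        raise ValueError("empty container")
    key = container[0]
    return bytes(b ^ key for b in container[1:])


def scan_container(container):
    """Return the signatures found after decrypting with the in-file key."""
    plain = decrypt_macro(container)
    return [sig for sig in SIGNATURES if sig in plain]


def scan_raw(container):
    """For contrast: the same match run on the ciphertext alone."""
    return [sig for sig in SIGNATURES if sig in container]


if __name__ == "__main__":
    # Constructed macro source that copies an AutoOpen macro into the global template.
    source = b'Sub MAIN\nMacroCopy "AutoOpen", "Global:AutoOpen"\nEnd Sub'
    container = encrypt_macro(source, 0x5A)
    print("raw scan:      ", scan_raw(container))
    print("decrypted scan:", scan_container(container))
```

Since the key travels with the file, such encryption only defeats a scanner that does not know the format; once the format is documented, the encrypted form is no harder to scan than the plain one.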

4 Other programs like viruses

4.1 Worm

A worm does not need a host; thus it is not a virus, even though all the other criteria are present.

Mainframes are the computer types most attacked by worms. A worm transfers to other computers through the network. This causes system overload by constantly propagating through the network.

4.2 Trojan horse

A Trojan horse does not propagate. Therefore it is not a virus even though all other criteria are present.

A Trojan's success depends on users being naïve. It infects computers through files which look harmless. A Trojan "pretends" to do something useful (or uninteresting), while it might be dangerous (e.g. overwrite the FAT or format the hard disk).

5. Virus characteristics

5.1 Polymorphic characteristic

We use this term for viruses which have several "disguises", i.e. their code changes from one infection to the next. Macro, file and system viruses may all be polymorphic.

5.2 STEALTH characteristic

A stealth virus is any kind of virus which is designed to hide itself so that it is difficult to detect. One way to accomplish this is to modify the file structure to hide the additional program code in such a way that the file size is not changed after the virus has infected the file. Another way is to use pointers in such a way that virus scanners see the "uninfected" sector and not the infected one.

5.3 Logical bomb or time bomb

These depend on some criteria which all have to be met before the program carries out its intended action. Until then the virus stays hidden.

6. How is a computer infected by virus?

A computer may be infected by virus in several different ways. Each time an application is run there is a potential infection situation.

Examples of first time infection are:

  • Diskettes used by an outsider which may access the computer(s)
  • Diskettes used on an infected PC at home.
  • E-mail attachments.
  • Programs acquired from a developer infected by virus.
  • Programs downloaded from the Internet.
  • Programs developed by a dissatisfied employee or former employee.
  • Diskettes used on an infected computer and later distributed.

7. Conclusions and recommendations

There is no doubt that data viruses are a potential threat to the security of programs and data. Fortunately, users may take some measures to reduce this danger. Some of these are mentioned below.

Viruses represent a threat to system security. They may propagate unintentionally. They may propagate within an organization as well as from one organization to others. And viruses may do virtually anything the programmer wanted.

The danger which viruses represent may be reduced by such means as:

  • A generally good security policy.
  • Tell the users about security hazards, including virus related ones.
  • If possible, isolate critical systems from potential infection sources like network, Internet and programs which are not necessary. Restrict the possibility to install new programs on computers.
  • Make certain that sufficient control mechanisms are in place. This includes the administration of the system as well as virus control. Be sure that virus infections are discovered and reported as early as possible, by getting a virus control program which is updated by new virus definition files when these are published.
  • Tell the users about the different warnings which a virus control program will use to inform the users about potential virus presence.
  • Take the necessary steps to restrict the propagation of a virus which is detected. E.g. check all diskettes which have been used on the infected computer, check the documents and check the server(s).
  • Be sure that everyone knows how to react if he/she is infected. All users must know to whom the problem is to be reported. A backup crisis team might be useful.
  • Be certain that you can reinstall critical programs and data from a backup which is not infected. If such a backup does not exist, learn how to remove viruses.
  • Be aware of new infections from a virus which supposedly was removed.