What can viruses do to computers?
Viruses are
software programs, and they can do the same things as any other programs
running on a computer. The actual effect of any particular virus depends
on how it was programmed by the person who wrote the virus.
Some viruses
are deliberately designed to damage files or otherwise interfere with
your computer's operation, while others don't do anything but try to spread
themselves around. But even the ones that just spread themselves are harmful,
since they damage files and may cause other problems in the process of
spreading.
Note that
viruses can't do any damage to hardware: they won't melt down your CPU,
burn out your hard drive, cause your monitor to explode, etc. Warnings
about viruses that will physically destroy your computer are usually hoaxes,
not legitimate virus warnings.
Viruses come
in many shapes and sizes, such as:
File infectors
These viruses attach themselves to regular programs, such as COM or EXE
files under DOS. Thus, they are invoked each time the infected program
is run.
Cluster infectors
They modify the file system so that they are run prior to other programs.
Note that, unlike file infectors, they do not actually attach themselves
to programs.
Macro viruses
Word processing documents can serve as sources of transmission for viruses
that take advantage of the auto-execution macro capabilities in products
such as Microsoft Word. Simply by opening an infected document, the virus,
written in a product's macro language, can spread. Macro
viruses are placed inside one or more of the macros inside the document.
At this moment, the number of macro viruses is growing very fast (more
than 6,000 in August 2000). Due to the powerful features of Visual Basic
for Applications, it is very easy to use all the facilities offered by
Microsoft in Windows. For example, to send an e-mail you need at most
10 code lines. That is probably why many macro viruses have worm capabilities
(the best example is W97M/Melissa.A@MM).
System infectors
Computer operating systems typically set aside a portion of each disk
for code to boot the computer. Under DOS, this section is called a boot
sector on floppies or a master boot record (MBR) for hard disks. System
infectors store themselves in this area and hence are invoked whenever
the disk is used to boot the system. System infector viruses, when
infecting a drive, do not change the MBR content or the boot sector, but
partially modify the FAT allocation of IO.SYS (or its equivalent, IBMBIO.COM)
to allow inclusion of their own viral code sequence at the beginning of
this file. Because, at boot time, DOS reads IO.SYS in a linear way, the
virus will be read before the IO.SYS code. On the other hand, if the IO.SYS
file is opened with a text viewer, it will appear perfectly normal, because
the FAT allocation chain correctly includes the area overwritten by the
virus, which has been saved to another area on the disk.
A virus must
be executed by someone, perhaps unwittingly, in order to spread. Some
ways in which this occurs include:
Booting from an infected floppy
System infectors are loaded each time an infected disk is used
to boot the system. This can happen even if a disk is not equipped with
the files needed to truly boot the computer, as is the case with most
floppies. With PCs, the initial infection typically occurs when someone
boots - or reboots - a computer with an infected floppy accidentally left
in drive A. It is always a good habit to check and remove any floppies
that might be in the drives before booting your machine.
Running an infected program
As programs infected with a file infector are run, the virus spreads.
For this reason, you should regularly scan any programs you retrieve
from a BBS, the net, a colleague, etc. for viruses. There are even
instances of commercial, shrink-wrapped software that have been infected
with viruses!
Below is what some other types of viruses can do:
Boot viruses use the boot sector of floppies, the MBR (master boot
record) or the boot sectors of fixed disks for replication. The only way
these viruses replicate is by booting from the infected disk. Accessing
or copying infected disks is not dangerous as long as the system is not
started from the infected disk.
Tips against boot viruses:
Change the boot sequence in the BIOS so that the floppy is not first in
that sequence. That way, you are protected when you accidentally leave
an infected floppy in your floppy drive. Booting from the floppy drive
should be necessary only when installing/reinstalling the operating system
or scanning for some special viruses. We recommend that you scan the floppy
disk with an antivirus program after formatting it and copying system files
onto it; after that, activate the floppy's write protection.
Parasitic viruses infect executable files, so that when the
infected file is launched, the virus code gains control. They usually
execute prior to normal executable code. Then, the original code regains
control and, in most cases, executes normally. There are viruses that
gain control after the execution of the original code ends or when a
routine from this code is called. These viruses are more difficult to
detect, but they are also less widespread, due to their complexity and
the way they replicate.
Because these viruses infect executable files, they could spread through
any data storage or transfer media: floppies, CDs, modems, networks. The
virus spreads when the host file is executed.
Parasitic viruses may be memory resident (after an infected file is
launched, the virus stays in memory and infects other active files) or
non-resident. Non-resident parasitic viruses infect a number of files,
then return control to the host program.
Parasitic viruses need to be able to distinguish between infected and
non-infected files. If a virus is unable to do this (such as certain versions
of the Jerusalem or Vienna viruses), it will repeatedly infect a file
until the file becomes too large and the virus is easily detected.
Tips against parasitic viruses:
- When you notice that the programs you usually work with have become
larger, use an antivirus program. Because the virus can hide itself in
your system (stealth viruses), you must launch the antivirus from a clean
bootable floppy disk.
- When an installation kit or a program that is capable of verifying itself
warns you that it is corrupted and you are sure about the functionality
of that program, use an antivirus program. If you have a backup copy,
we recommend that you use it, after you verify it too. Even if the antivirus
cleans the viral code, many viruses change parts of the original program,
making that program unusable. The best example is Win95/CIH, which
overwrites parts of the file supposed to be unused; that is why installation
kits (which verify themselves) won't work properly after being infected
with Win95/CIH.
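The two tips above, as an added example that is not part of the original page: a Python sketch that records the size and SHA-256 of each executable while the system is known to be clean, then reports files that grew or whose content changed without growing (the Win95/CIH case, which a size check alone misses). The extension list, function names and sample files are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

EXEC_EXTS = {".com", ".exe"}  # assumption: the DOS executable types the page names

def snapshot(root):
    """Map relative path -> (size, sha256) for every executable under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                digest = hashlib.sha256(data).hexdigest()
                state[os.path.relpath(path, root)] = (len(data), digest)
    return state

def compare(baseline, current):
    """Return {path: finding} for executables that differ from the baseline."""
    findings = {}
    for path, (size, digest) in current.items():
        if path not in baseline:
            findings[path] = "new"
            continue
        old_size, old_digest = baseline[path]
        if size > old_size:
            findings[path] = "grew by %d bytes" % (size - old_size)
        elif digest != old_digest:
            findings[path] = "content changed, size not larger"
    for path in baseline:
        if path not in current:
            findings[path] = "missing"
    return findings

def demo():
    """Constructed sample: harmless byte strings standing in for programs."""
    with tempfile.TemporaryDirectory() as root:
        samples = (("EDIT.EXE", b"A" * 100), ("SETUP.EXE", b"B" * 50 + b"\0" * 50))
        for name, body in samples:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        with open(os.path.join(root, "EDIT.EXE"), "ab") as fh:   # bytes appended: file grows
            fh.write(b"X" * 20)
        with open(os.path.join(root, "SETUP.EXE"), "wb") as fh:  # padding overwritten: same size
            fh.write(b"B" * 50 + b"Y" * 50)
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, finding in sorted(demo().items()):
        print(path, "->", finding)
```

As the first tip says, a stealth virus can hide its changes while resident, so the comparison snapshot should be taken after booting from clean media.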
Companion viruses create a file having the same name, but another
executable extension; for example, if you have a file named PROGRAM.EXE
and you notice that a file named PROGRAM.COM appears, this is a possible
infection with a companion virus (when the operating system encounters
two executable files with the same name but different extensions, it
will launch the .COM file first). If the same thing happens for several
executable files, the infection is obvious.
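The check described above, as an added example that is not part of the original page: a Python sketch that walks a directory tree and reports every base name present with more than one executable extension, together with the file DOS would launch first. The .BAT entry in the search order goes beyond what the page states, and the function names and sample files are constructed for the illustration.

```python
import os
import tempfile
from collections import defaultdict

# DOS search order for a command typed without an extension: first match wins.
# The page states .COM comes first; .BAT is added here for completeness.
LAUNCH_ORDER = [".com", ".exe", ".bat"]

def find_shadowed(root):
    """Return (directory, launched_file, shadowed_files) for each base name
    that exists with more than one executable extension in one directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_base = defaultdict(dict)
        for name in files:
            base, ext = os.path.splitext(name)
            if ext.lower() in LAUNCH_ORDER:
                by_base[base.lower()][ext.lower()] = name
        for base in sorted(by_base):
            variants = by_base[base]
            if len(variants) > 1:
                ordered = [variants[e] for e in LAUNCH_ORDER if e in variants]
                rel_dir = os.path.relpath(dirpath, root)
                hits.append((rel_dir, ordered[0], ordered[1:]))
    return hits

def demo():
    """Constructed sample tree: one shadowed pair, two unrelated programs."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "TOOLS"))
        samples = ("PROGRAM.EXE", "PROGRAM.COM", "EDIT.EXE",
                   os.path.join("TOOLS", "FORMAT.COM"))
        for rel in samples:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"constructed sample, not a real program")
        return find_shadowed(root)

if __name__ == "__main__":
    for directory, launched, shadowed in demo():
        print(directory, ":", launched, "runs instead of", ", ".join(shadowed))
```

A single hit is only a lead to review; the same pattern repeated across many programs matches the obvious infection the paragraph describes.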
Link viruses are extremely dangerous because they use an unusual
infection method. Link viruses do not change the content of an executable
file; they alter the directory structure, redirecting the directory entry
of an infected file to the area that contains the viral code. Once the
virus has executed, it can load the executable file, knowing the correct
directory entry of the file. Eliminating such a virus from the system
is both difficult and risky.
Multipartite viruses combine two or more basic types from those
described above. There are viruses capable of infecting executables and
Word documents, or viruses capable of infecting boot sectors and
executables, etc.
Virus authors are trying to include as many facilities as possible
in their creations. A perfect example is Esperanto, capable of infecting
files on different operating systems and of running on different hardware
architectures (i386 and Mac).
Some viruses
are boring, while others are extremely dangerous. The least they can do
is to increase the file size and slow down the computer. Many viruses
only try to spread, not to damage your computer. There is, however, the
possibility for such benign viruses to occasionally interact with other
software and damage your computer. That is why there are no viruses that
do not produce any damage; even a simple change in an installing kit might
be considered one.
Other viruses are far more dangerous, intentionally modifying or destroying
data, or deleting files and/or formatting your drive. Until Win95/CIH
it was said that viruses couldn't destroy or damage hardware components.
CIH was the first virus (and unfortunately not the last) that was able
to modify the Flash BIOS so that the computer would not work when subsequently
booting the system.
Another virus
capable of hardware damage (but in a strange way) is {Win32,W97M}/Beast.
During the night, Beast opens and closes the door of the CD-ROM unit for
two hours! This will damage that unit for sure!