This document discusses computer viruses and how they differ from Trojans, worms, and hoaxes.
Solution
The term virus is often used as a generic reference to any malicious code that is not, in fact, a true computer virus. This document discusses viruses, Trojans, worms, and hoaxes and ways to prevent them.
What is a virus?
A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:
- It must execute itself. It will often place its own code in the path of execution of another program.
- It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.
There are five recognized types of viruses:
- File infector viruses
File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. They can infect other files when an infected program is run from a floppy disk, a hard drive, or the network. Many of these viruses are memory resident: after memory becomes infected, any uninfected executable that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.
- Boot sector viruses
Boot sector viruses infect the system area of a disk, that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident. Most were written for DOS, but all PCs, regardless of the operating system, are potential targets of this type of virus, because the viral code runs before the operating system is loaded. All that is required to become infected is to attempt to start up your computer with an infected floppy disk. Thereafter, while the virus remains in memory, every floppy disk that is not write protected becomes infected when it is accessed. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.
- Master boot record viruses
Master boot record viruses are memory resident viruses that infect disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located: the master boot record is the first sector of the hard disk, whereas the boot record of a partition is the first sector of that partition. Master boot record infectors normally save a legitimate copy of the master boot record in a different location. Windows NT computers that become infected by either boot sector viruses or master boot record viruses will not boot, because of the difference in how that operating system accesses its boot information compared to Windows 95/98. If your Windows NT system is formatted with FAT partitions, you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.
- Multipartite viruses
Multipartite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair. If the boot area is cleaned but the files are not, the boot area will be reinfected. The same holds true for cleaning infected files: if the virus is not removed from the boot area, any files that you have cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor, Anthrax and Tequila.
- Macro viruses
These types of viruses infect data files. They are the most common and have cost corporations the most money and time trying to repair. With the advent of Visual Basic for Applications in Microsoft Office 97, a macro virus can be written that not only infects data files but can infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well. All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay, and W97M.Groov.
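As an added example (not code from the Symantec article), the script below parses a 512-byte master boot record of the classic DOS layout described in the boot sector and master boot record entries above, and compares its boot code and partition table against a baseline captured while the disk was known clean. Boot sector and MBR infectors replace the boot code and stash the original elsewhere, usually leaving the partition table intact so the machine still boots, so a hash of the first 446 bytes is the useful signal. The MBR image here is constructed in code rather than read from a disk, and the layout constants are the standard ones, not values from the article.

```python
"""Parse a classic 512-byte master boot record and diff it against a trusted baseline.

Added example; not code from the original article. The MBR image is constructed
here in code (placeholder boot code, one partition entry, 0x55AA signature).
Layout assumed: 446 bytes boot code, four 16-byte partition entries, 2-byte signature.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446
ENTRY_FMT = "<B3sB3sII"                   # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16
SIGNATURE = b"\x55\xaa"


def build_sample_mbr(boot_code, partitions):
    """Assemble a constructed MBR from boot code bytes and (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_SIZE or len(partitions) > 4:
        raise ValueError("boot code or partition table too large")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in partitions
    )
    # CHS fields are left zero; modern loaders use the LBA fields.
    return boot_code.ljust(BOOT_CODE_SIZE, b"\0") + table.ljust(4 * ENTRY_SIZE, b"\0") + SIGNATURE


def parse_mbr(sector):
    """Return the boot-code hash and the in-use partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:            # empty slot
            continue
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(current, baseline):
    """List the ways `current` deviates from a baseline captured when the disk was known clean."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        # An MBR infector replaces the boot code (and stashes the original elsewhere);
        # the partition table is usually left alone so the system still boots.
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def demo():
    """Constructed scenario: a clean baseline, then the same MBR with its first bytes overwritten."""
    baseline = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", [(True, 0x07, 2048, 409600)])
    infected = bytearray(baseline)
    infected[0:3] = b"\xeb\x1c\x90"   # a jump elsewhere, the kind of patch an MBR infector makes
    return {
        "clean": compare_to_baseline(baseline, baseline),
        "infected": compare_to_baseline(bytes(infected), baseline),
        "partitions": parse_mbr(baseline)["partitions"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To check a real disk, read its first sector (on Linux, `dd if=/dev/sda bs=512 count=1 of=mbr.bin`, run as root) and pass the bytes to compare_to_baseline together with a copy saved earlier; keep that baseline on write-protected media, as the backup advice later on this page recommends, because a resident virus will happily infect the copy too.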
What is a Trojan horse?
Trojan horses are impostors: files that claim to be something desirable but are, in fact, malicious. The important distinction from true viruses is that Trojans do not replicate themselves. They contain malicious code that, when triggered, causes loss or even theft of data. For a Trojan horse to spread, you must, in effect, invite it onto your computer, for example by opening an email attachment. PWSteal.Trojan is one example.
What is a worm?
Worms are programs that replicate themselves from system to system without the use of a host file, in contrast to viruses, which spread by way of an infected host file. Although worms often travel inside other files, frequently Word or Excel documents, there is a difference in how worms and viruses use that file: the worm typically releases a document that already has the "worm" macro inside it, and the entire document travels from computer to computer, so the entire document should be considered the worm. PrettyPark.Worm is a particularly prevalent example.
What is a blended threat?
Blended threats combine the characteristics of viruses, worms, Trojan horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage. Characteristics of blended threats include the following:
- Causes harm
Launches a Denial of Service (DoS) attack at a target IP address, defaces Web servers, or plants Trojan horse programs for later execution.
- Propagates by multiple methods
Scans for vulnerabilities to compromise a system, such as embedding code in HTML files on a server, infecting visitors to a compromised Web site, or sending unauthorized email from compromised servers with a worm attachment.
- Attacks from multiple points
Injects malicious code into the .exe files on a system, raises the privilege level of the guest account, creates world-readable and world-writable network shares, makes numerous registry changes, and adds script code to HTML files.
- Spreads without human intervention
Continuously scans the Internet for vulnerable servers to attack.
- Exploits vulnerabilities
Takes advantage of known vulnerabilities, such as buffer overflows, HTTP input validation vulnerabilities, and known default passwords, to gain unauthorized administrative access.
Effective protection from blended threats requires a comprehensive security solution that contains multiple layers of defense and response mechanisms.
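The following is an added example, not part of the Symantec article, that turns the characteristics above into log triage. It runs generic heuristics over constructed web server access log lines in Common Log Format: directory traversal, command-shell requests, overlong UTF-8 encodings, overflow-shaped requests, and a high rate of failing requests to many distinct paths from one source, which is the footprint of a host scanning the Internet for vulnerable servers. The patterns, thresholds, and log lines are this example's own and are not a signature for any particular worm.

```python
"""Triage web server access logs for the traffic pattern of a self-propagating, multi-vector threat.

Added example; not from the original article. The log lines are constructed for
this example in Common Log Format; the detection heuristics are generic
(traversal, shell invocation, overlong UTF-8 encoding, overflow-shaped
requests, high-error scanning) rather than signatures for any named worm.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Checked against the double-decoded path (attackers encode twice to slip past naive filters).
DECODED_PATTERNS = {
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "command-shell": re.compile(r"cmd\.exe|root\.exe|/bin/sh", re.I),
}
# Checked against the raw path: overlong UTF-8 forms of '/' and '\' only appear encoded.
RAW_PATTERNS = {
    "overlong-utf8": re.compile(r"%c0%af|%c1%1c|%c1%9c", re.I),
}
LONG_REQUEST = 200                          # bytes
REPEATED_RUN = re.compile(r"(.)\1{99,}")    # 100+ copies of one byte: overflow-shaped padding

SCAN_MIN_PATHS = 5
SCAN_ERROR_RATE = 0.6


def classify_request(raw_path):
    """Return the set of heuristic tags that apply to one request path."""
    tags = set()
    decoded = unquote(unquote(raw_path))
    for tag, pattern in DECODED_PATTERNS.items():
        if pattern.search(decoded):
            tags.add(tag)
    for tag, pattern in RAW_PATTERNS.items():
        if pattern.search(raw_path):
            tags.add(tag)
    if len(raw_path) > LONG_REQUEST and REPEATED_RUN.search(raw_path):
        tags.add("long-request")
    return tags


def triage(lines):
    """Aggregate per source address: request count, tags hit, and a scanning verdict."""
    per_src = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set(), "tags": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # malformed line; a production tool would count these
        rec = per_src[m["src"]]
        rec["requests"] += 1
        rec["errors"] += int(m["status"]) >= 400
        rec["paths"].add(m["path"])
        rec["tags"] |= classify_request(m["path"])
    report = {}
    for src, rec in per_src.items():
        flags = set(rec["tags"])
        # Many distinct paths, mostly failing: the footprint of a scanner probing for known holes.
        if len(rec["paths"]) >= SCAN_MIN_PATHS and rec["errors"] / rec["requests"] >= SCAN_ERROR_RATE:
            flags.add("scanning")
        report[src] = {"requests": rec["requests"], "flags": sorted(flags)}
    return report


# Constructed sample log: one probing source and one ordinary visitor.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Sep/2001:10:00:01 +0000] "GET /scripts/..%c1%1c../system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '198.51.100.7 - - [19/Sep/2001:10:00:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287',
    '198.51.100.7 - - [19/Sep/2001:10:00:03 +0000] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 287',
    '198.51.100.7 - - [19/Sep/2001:10:00:04 +0000] "GET /_vti_bin/..%255c../system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '198.51.100.7 - - [19/Sep/2001:10:00:05 +0000] "GET /cgi-bin/search.cgi?q=' + "A" * 240 + ' HTTP/1.0" 400 0',
    '192.0.2.10 - - [19/Sep/2001:10:01:00 +0000] "GET / HTTP/1.1" 200 1043',
    '192.0.2.10 - - [19/Sep/2001:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [19/Sep/2001:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for src, result in triage(SAMPLE_LOG).items():
        print(src, result)
```

The double decode matters: a filter that checks the path once sees `..%5c..` in the fourth line and nothing wrong with it, while the server's second decode turns it into `..\..`. The scanning verdict is deliberately based on the shape of the traffic rather than any one signature, so a new probe that uses none of the listed strings still stands out once it has failed against enough distinct paths.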
What is an expanded threat?
An expanded threat is an application or software-based executable that is either independent of or dependent on another software program, and meets one or more of the following criteria:
- Is considered to be nonviral in nature (that is, does not spread on its own using a virus-like mechanism, or meet the definition of a worm or Trojan horse), yet conforms in a significant way to the general definition of a category of expanded threat.
- Has been submitted to Symantec by a critical number of either corporate or individual users within a given timeframe. The timeframe and number may vary by category and by threat.
- Can be shown to create a general nuisance related to one of the specified threat categories, or exhibits behavior that is as yet undefined under a broader category of expanded threat.
For information about expanded threat categories, read the Symantec Security Response Web site.
What is a virus hoax?
Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Some of the common phrases used in these hoaxes are:
- If you receive an email titled [email virus hoax name here], do not open it!
- Delete it immediately!
- It contains the [hoax name] virus.
- It will delete everything on your hard drive and [extreme and improbable danger specified here].
- This virus was announced today by [reputable organization name here].
- Forward this warning to everyone you know!
Most virus hoax warnings do not deviate far from this pattern. If you are unsure whether a virus warning is legitimate or a hoax, additional information is available at the Symantec Security Response hoaxes site.
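As an added example (not from the original article), the function below scores a message body against the phrase patterns listed above. The marker regular expressions, their weights, the threshold, and the two sample bodies are this example's own construction; the second sample shows that a genuine advisory which happens to say "do not open" scores low because it lacks the chain-letter markers (wipe everything, forward to everyone).

```python
"""Score an email body against the chain-letter pattern of a virus hoax.

Added example; not from the original article. The marker phrases follow the
list above; weights, the threshold and the two sample bodies are this
example's own construction.
"""
import re

# (name, regular expression, weight); text is lowercased and whitespace-collapsed before matching.
HOAX_MARKERS = [
    ("do-not-open", r"\bdo not open\b", 1),
    ("delete-immediately", r"\bdelete (it|this|the message) immediately\b", 1),
    ("contains-virus", r"\b(contains|carries) (the|a) .{0,40}virus\b", 1),
    ("wipes-drive", r"\b(delete|erase|destroy)s? everything on your hard (drive|disk)\b", 2),
    ("authority-claim", r"\b(announced|confirmed|reported) (today |yesterday )?by (microsoft|ibm|aol|symantec|mcafee|the fbi)\b", 1),
    ("forward-to-everyone", r"\bforward (this|it|this (warning|message)) to (everyone|everybody|all)\b", 2),
]
HOAX_THRESHOLD = 4   # the forward-chain and wipe-everything markers together already reach it


def score_hoax(body):
    """Return the weighted score, the markers hit, and a verdict for one message body."""
    text = re.sub(r"\s+", " ", body.lower())
    hits = [name for name, pattern, _ in HOAX_MARKERS if re.search(pattern, text)]
    score = sum(weight for name, _, weight in HOAX_MARKERS if name in hits)
    if score >= HOAX_THRESHOLD:
        verdict = "likely hoax"
    elif score:
        verdict = "low"           # one or two generic phrases; a real advisory can say "do not open"
    else:
        verdict = "no markers"
    return {"score": score, "markers": hits, "verdict": verdict}


# Constructed samples: a textbook chain letter and a plausible vendor advisory.
HOAX_SAMPLE = """WARNING!! If you receive an email titled 'Good Times', do not open it!
Delete it immediately! It contains the Good Times virus, which will delete
everything on your hard drive. This virus was announced today by Microsoft.
Forward this warning to everyone you know!"""

ADVISORY_SAMPLE = """Symantec Security Response has published updated definitions for W97M.Melissa.
Run LiveUpdate to obtain them. Do not open unexpected Word attachments; if in
doubt, delete the message and confirm with the sender by phone."""

if __name__ == "__main__":
    for sample in (HOAX_SAMPLE, ADVISORY_SAMPLE):
        print(score_hoax(sample))
```

The weights are the point: "do not open" on its own is ordinary advice, while "forward this to everyone" and "delete everything on your hard drive" almost never appear in a real advisory, so they carry the score. Anything that lands in "low" still deserves a look at the vendor's hoax page rather than an automatic decision.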
What is not a virus?
Because of the publicity that viruses have received, it is easy to blame any computer problem on a virus. The following are not likely to be caused by a virus or other malicious code:
- Hardware problems. There are no viruses that can physically damage computer hardware, such as chips, boards, and monitors.
- The computer beeps at startup with no screen display. This is usually caused by a hardware problem during the boot process. Consult your computer documentation for the meaning of the beep codes.
- The computer does not register 640 KB of conventional memory. This can be a sign of a virus, but it is not conclusive. Some hardware drivers such as those for the monitor or SCSI card can use some of this memory. Consult with your computer manufacturer or hardware vendor to determine if this is the case.
- You have two antivirus programs installed and one of them reports a virus. While this could be a virus, it can also be caused by one antivirus program detecting the other program's signatures in memory. For additional information, see Should you run more than one antivirus program at the same time?
- You are using Microsoft Word and Word warns you that a document contains a macro. This does not mean that the macro is a virus.
- You are not able to open a particular document. This is not necessarily an indication of a virus. Try opening another document or a backup of the document in question. If other documents open correctly, the document may be damaged.
- The label on a hard drive has changed. Every disk is allowed to have a label. You can assign a label to a disk by using the DOS Label command or from within Windows.
- When running ScanDisk, Norton AntiVirus Auto-Protect reports virus-like activity. The following are two possible solutions:
  - Disable Auto-Protect
    - Start Norton AntiVirus, and temporarily disable Auto-Protect.
    - Run ScanDisk and let it fix the errors.
    - Re-enable Auto-Protect.
  - Change a ScanDisk option
    - Start ScanDisk and choose to run a thorough scan.
    - Click Options.
    - Uncheck "Do not perform write testing."
    - Run ScanDisk again.
What is safe computing?
With all the hype, it is easy to believe that viruses lurk in every file, every email, every Web site. However, a few basic precautions can minimize your risk of infection. Practice safe computing and encourage everyone you know to do so as well.
General precautions
- Do not leave a floppy disk in the floppy disk drive when you shut down or restart the computer.
- Write-protect your floppy disks after you have finished writing to them.
- Be suspicious of email attachments from unknown sources.
- Verify that attachments have been sent by the author of the email. Newer viruses can send email messages that appear to be from people you know.
- Do not set your email program to "auto-run" attachments.
- Obtain all Microsoft security updates.
- Back up your data frequently. Keep the (write protected) media in a safe place, preferably in a different location than your computer.
- Make sure that you have the most recent virus definitions. We recommend that you run LiveUpdate at least once per week. Symantec Security Response updates virus definitions in response to new virus threats. For additional information, please see How to Run LiveUpdate.
- Make sure that you have set Norton AntiVirus to scan floppy disks on access and at shutdown. Please see your User's Guide for information on how to do this in your version of Norton AntiVirus.
- Always keep Norton AntiVirus Auto-Protect running. Symantec Security Response now strongly recommends that you have Norton AntiVirus set to scan all files, not just program files.
- Scan all new software before you install it. Because boot sector viruses spread by floppy disks and bootable CDs, every floppy disk and CD should be scanned for viruses. Shrink-wrapped software, demo disks from suppliers, and trial software are not exempt from this rule. Viruses have been found even on retail software.
- Scan all media that someone else has given you.
- Use caution when opening email attachments. Email attachments are a major source of virus infections. Microsoft Office attachments for Word, Excel, and Access can be infected by Macro viruses. Other attachments can contain file infector viruses. Norton AntiVirus Auto-Protect will scan these attachments for viruses as you open or detach them. If you have Norton AntiVirus 2000, we recommend that you enable Email protection, which will scan email attachments before the email message is sent to your email program.
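As an added example that serves both the macro virus entry earlier on this page and the attachment precautions above (it is not code from the article or from Norton AntiVirus), the script below triages a constructed email: it checks whether Reply-To disagrees with From, flags executable and double-extension attachment names, and opens OOXML attachments to look for a VBA project. Legacy binary Office files are only flagged, since inspecting their macro streams needs an OLE parser. The extension lists, the header check, and the verdict logic are this example's own choices.

```python
"""Triage an incoming email for attachments that can carry file-infector or macro viruses,
and for sender headers that do not agree with each other.

Added example; not from the original article. The message is constructed in code
(an EmailMessage with a macro-enabled .docm built in memory and a double-extension
executable), so it runs offline. Only OOXML (zip-based) Office files are inspected
for VBA; legacy binary Office files are flagged for inspection with an OLE parser.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "lnk"}
MACRO_ENABLED_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
DOCUMENT_LIKE_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pdf", "txt", "jpg", "jpeg", "png", "gif"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_office_payload(data):
    """Classify an attachment body: 'vba-macros', 'no-macros', 'legacy-ole', 'corrupt-zip' or None."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"       # .doc/.xls/.ppt: may hold VBA, needs an OLE-aware parser
    if not data.startswith(b"PK"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return "corrupt-zip"
    return "vba-macros" if any(n.endswith("vbaproject.bin") for n in names) else "no-macros"


def inspect_attachment(filename, data):
    """Return the findings for one attachment, judged by name and by content."""
    findings = []
    parts = (filename or "").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    if ext in MACRO_ENABLED_EXTS:
        findings.append("macro-enabled-extension")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_LIKE_EXTS:
        findings.append("double-extension")    # photo.jpg.exe: the name lies about the type
    content = inspect_office_payload(data)
    if content in ("vba-macros", "legacy-ole", "corrupt-zip"):
        findings.append(content)
    if data.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        findings.append("pe-header-under-non-executable-name")
    return findings


def triage_message(raw):
    """Parse a raw RFC 5322 message and report sender inconsistencies and risky attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_findings = []
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and from_addr.split("@")[-1].lower() != reply_to.split("@")[-1].lower():
        sender_findings.append("reply-to-domain-mismatch")
    attachments = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        attachments[name] = inspect_attachment(name, part.get_payload(decode=True) or b"")
    risky = any(attachments.values())
    return {"sender": sender_findings, "attachments": attachments,
            "verdict": "quarantine" if risky or sender_findings else "deliver"}


def build_sample_message():
    """Constructed message: mismatched sender headers plus two risky attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:            # minimal OOXML skeleton with a VBA project
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 32)
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@example.com>"
    msg["Reply-To"] = "alice@example.net"            # same name, different domain
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please open the attached invoice and photo.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="photo.jpg.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

Content is checked as well as the name because a macro-carrying document renamed to .docx still contains word/vbaProject.bin, and a PE file renamed to .jpg still starts with MZ. The Reply-To check is a cheap proxy for "verify the attachment really came from the author": it does not prove anything when it passes, but a mismatch is worth a phone call before anything is opened.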
There are a lot of heavily technical terms that get used around computer security. Many of them can be a bit hard to explain in a simple manner, so they often get used incorrectly. One of the most frequently (and painfully) misused groups is the set of terms that differentiate malware from vulnerabilities and other kinds of threats. I thought I'd clear up the confusion by explaining what malware, trojans, viruses, and worms are and how they're different from one another.
Here’s the basic definition for all the terms we’ll discuss here:
- Malware:
This is a big catchall phrase that covers all sorts of software with nasty intent. Not buggy software, not programs you don't like, but software which is specifically written with the intent to harm.
- Virus:
This is a specific type of malware that spreads itself once it's initially run. It's different from other types of malware because it can either be like a parasite that attaches to good files on your machine, or it can be self-contained and search out other machines to infect.
- Worm:
Think of inchworms rather than tapeworms. These are not parasitic worms, but the kind that move around on their own. In the malware sense, they're viruses that are self-contained (they don't attach themselves like a parasite) and go around searching out other machines to infect.
- Trojan:
Do you remember that story you had to read in high school about the big wooden horse that turned out to be full of guys with spears? This is the computer equivalent. You run a file that is supposed to be something fun or important, but it turns out that it's neither fun nor important, and it's now doing nasty things to your machine.
- Vulnerability:
Funny thing about software: it's written by humans. Humans are fallible and sometimes forget to cross t's and dot i's. Sometimes those mistakes create strange behavior in programs. And sometimes that strange behavior can be used to create a hole that malware or hackers could use to get into your machine more easily. That hole is otherwise known as a vulnerability.
- Exploit:
The strange behavior that can be used to create a hole for hackers or malware to get through generally requires someone to use a particular sequence of actions or text to cause the right (or is that wrong?) conditions. To be usable by malware (or on a larger scale by hackers), it needs to be put into code form, which is also called exploit code.
Malware is the big umbrella term. It covers viruses, worms and Trojans, and even exploit code. But not vulnerabilities or buggy code, or products whose business practices you don’t necessarily agree with.
Malware = umbrella term.
The difference between malware and vulnerabilities is like the difference between something and the absence of something. Yeah, okay, that's a bit esoteric. What I mean is malware is a something. You can see it, interact with it, and analyze it. A vulnerability is a weakness in innocent software that a something (like malware or a hacker) can go through. Flashback is an example of malware that exploited a vulnerability to take over people's machines. The authors slipped malicious exploit code into otherwise-innocent websites, and this code utilized a vulnerability within Java in order to silently install itself.
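To make the vulnerability / exploit / malware split concrete, here is an added example (not from the post): a hypothetical file-serving function with a path traversal weakness, the input shape that exploits it, and the hardened version that refuses it. The vulnerability is the missing containment check in the code; the exploit is the crafted input that goes through it; whatever an attacker fetches or drops by way of that input would be the malware. Path traversal is chosen here as one common weakness class; the post itself discusses vulnerabilities only in general terms, and the directory tree is created in a temporary directory so the script runs anywhere.

```python
"""A vulnerability, the exploit that goes through it, and the hardened version side by side.

Added example; not from the original post. The file-serving functions are
hypothetical, and the directory tree is created in a temporary directory so
the example runs anywhere. Path traversal is used here as one concrete, common
weakness class; the post itself discusses vulnerabilities only in general terms.
"""
import os
import tempfile
from pathlib import Path


def serve_file_vulnerable(web_root, requested):
    """The weakness: untrusted input is joined onto the root with no containment check."""
    return Path(os.path.join(web_root, requested)).read_bytes()


def serve_file_hardened(web_root, requested):
    """The fix: resolve the final path and refuse anything that escapes the root."""
    root = Path(web_root).resolve()
    target = (root / requested).resolve()        # resolves '..' and symlinks
    if target != root and root not in target.parents:
        raise PermissionError("request escapes the web root: %s" % requested)
    return target.read_bytes()


# The exploit: not a program on its own, just the input shape that turns the weakness into access.
EXPLOIT_INPUT = "../secret.txt"


def make_demo_tree():
    """Constructed layout: a public directory and a file one level above it that must stay private."""
    base = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    (base / "public").mkdir()
    (base / "public" / "index.html").write_bytes(b"<h1>hello</h1>")
    (base / "secret.txt").write_bytes(b"top secret")
    return base / "public"


def run_demo():
    """Run the exploit input and a legitimate request through both versions; return what each did."""
    public = make_demo_tree()
    outcome = {"vulnerable": serve_file_vulnerable(public, EXPLOIT_INPUT)}
    try:
        serve_file_hardened(public, EXPLOIT_INPUT)
        outcome["hardened"] = "served"
    except PermissionError:
        outcome["hardened"] = "refused"
    outcome["legitimate"] = serve_file_hardened(public, "index.html")
    # An absolute path discards the root entirely under os.path.join; the hardened version rejects it too.
    try:
        serve_file_hardened(public, "/etc/hostname")
        outcome["absolute"] = "served"
    except PermissionError:
        outcome["absolute"] = "refused"
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

Note that the hardened version decides after resolving the path, not by looking for ".." in the string: encoded, doubled, or symlinked variants of the same trick all collapse to the same real path, and that is the only thing worth checking.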
Virus is a slightly smaller sort of umbrella term that covers anything that spreads itself without additional human intervention beyond that first double-click.
Virus = smaller umbrella.
It could spread parasitically, meaning the virus code attaches itself to otherwise-innocent files, and keeps infecting more and more files whenever that infected file is run. Viruses can either be destructive (including spying behavior) or they could just be intended to do nothing other than to spread. Non-destructive viruses are pretty rare these days, as everything has become financially motivated. A virus requires the presence of those innocent files in order to spread. The other scenario is that it could spread as a static, self-contained file. The self-contained file sends itself through shared network connections, by attaching itself to emails or IMs, or even just by sending a link in email or IM to download the file. In this latter, static case, the specific type of virus is called a worm.
Worms are no fun.
The difference between a worm and a Trojan is a tricky one that may not seem to matter much if you're the one being affected. If you got infected with the Melissa email worm way back when (a Word macro virus that mailed itself out), you may remember the difference: you don't have to worry about just your own machine getting messed up, now you have to worry about those first 50 people in your email address book who've now just been sent a copy. (Those people are probably gonna be pretty righteously peeved at you.) Trojans really have only one purpose, and that is to cause damage.
Don't be fooled!
They often have identical destructive functionality to some viruses; they just lack the ability to spread on their own. Trojans must be planted somewhere people are likely to run across them (like Flashback), or they must be sent directly (like in a targeted attack such as Imuler). This confusion is what leads some people to refer to things as "Trojan viruses," even though those two terms are mutually exclusive. Hopefully that clears things up a bit! If you have any questions about malware, trojans, viruses, and worms, drop them in the comments.