By Kim Zetter
A virus is a self-replicating piece of
computer code that can partially or fully attach
itself to files or applications, and can cause your
computer to do something you don't want it to do.
Computer viruses are the "common cold" of modern
technology. They can spread swiftly across open
networks such as the Internet, causing billions of
dollars worth of damage in a short amount of time.
Five years ago, the chance you'd receive a virus over
a 12-month period was about 1 in 1000; today, that
chance has risen to about 1 in 10. The vital
statistics:
- Viruses enter your system via e-mail, downloads,
infected floppy disks, or (occasionally) hacking.
- By definition, a virus must be able to
self-replicate (make copies of itself) to spread.
- Thousands of viruses exist, but few are found
"in the wild" (roaming, unchecked, across networks)
because most known viruses are laboratory-made,
never released variations of common "wild" viruses.
- Virus behavior can range from annoying to
destructive, but even relatively benign viruses tend
to be destructive due to bugs introduced by sloppy
programming.
- Antivirus software can detect nearly all types
of known viruses, but it must be updated regularly
to maintain effectiveness.
A virus is just a computer program. Like any other
program, it contains instructions that tell your
computer what to do. But unlike an application, a
virus usually tells your computer to do something you
don't want it to do, and it can usually spread itself
to other files on your computer -- and other people's
computers.
If you're lucky, a virus will execute only a benign
"personality quirk," such as causing your computer to
make seemingly random bleeps. But a virus can be very
destructive; it could format your hard drive,
overwrite your hard drive boot sector, or delete files
and render your machine inoperable.

How did I get this virus, anyway?

You get a virus when you copy infected files to
your computer, then activate the code inside by
running the infected application or opening an
infected document. How you copy the infected files is
irrelevant: Viruses don't care if you get them as an
e-mail attachment, a download, or via a shared floppy
disk, though e-mail attachments are the most prevalent
-- and easiest -- mode of transport (see "Learning
from the 'Love' bug," link below).
Once you open an infected file or application, the
malicious code copies itself into a file on your
system, where it waits to deliver its payload --
whatever the programmer designed it to do to your
system. Simply deleting the e-mail after you open the
attachment won't get rid of the virus, since it has
already entered the machine.
A virus writer can set the payload to trigger
immediately, at a preset future time or date, or upon
the execution of a specific command, such as when you
save or open a file. The Michelangelo virus, for
example, was programmed to release its payload on
March 6 of any year -- the artist's birthday.

General virus types

While there are thousands of variations of viruses,
most fall into one of the following six general
categories, each of which works its magic slightly
differently:
- Boot Sector Virus: replaces or implants
itself in the boot sector -- an area of the hard drive
(or any other disk) accessed when you first turn on
your computer. This kind of virus can prevent you from
being able to boot your hard disk.
- File Virus: infects applications. These
executables then spread the virus by infecting
associated documents and other applications whenever
they're opened or run.
- Macro Virus: Written using a simplified
macro programming language, these viruses affect
Microsoft Office applications, such as Word and Excel,
and account for about 75 percent of viruses found in
the wild. A document infected with a macro virus
generally modifies a pre-existing, commonly used
command (such as Save) to trigger its payload upon
execution of that command.
- Multipartite Virus: infects both files and
the boot sector -- a double whammy that can reinfect
your system dozens of times before it's caught.
- Polymorphic Virus: changes code whenever it
passes to another machine; in theory these viruses
should be more difficult for antivirus scanners to
detect, but in practice they're usually not that well
written.
- Stealth Virus: hides its presence by making
an infected file not appear infected, but doesn't
usually stand up to antivirus software.

Not all malicious code is a virus

A common misconception is that other kinds of
electronic nasties, such as worms and Trojan horse
applications, are viruses. They aren't. Worms, Trojan
horses, and viruses are in a broader category analysts
call "malicious code."
A worm program replicates itself and slithers
through network connections to infect any machine on
the network and replicate within it, eating up storage
space and slowing down the computer. But worms don't
alter or delete files.
A Trojan horse doesn't replicate itself, but it is
a malicious program disguised as something benign such
as a screen saver. When loaded onto your machine, a
Trojan horse can capture information from your system
-- such as user names and passwords -- or could allow a
malicious hacker to remotely control your computer.

Antivirus software answers the siren call

Virus experts have recorded more than 40,000
viruses and their variant strains over the years,
though only about 200 of those viruses are actively
spreading in the wild. While most viruses are just
annoying time-wasters, the ones that do deliver a
destructive payload are a real threat.
Viruses have been around since the early 1960s,
almost since the earliest computers existed, though
until the 1980s they were largely laboratory
specimens, created by researchers and released in a
controlled environment to examine their effect.
When viruses first appeared in the wild in the
1980s, they spread slowly and passed via the "sneaker
net": floppy disks traded by people and shared between
computers. But widely available Internet and e-mail
access hastened their spread.
Two years ago, the advent of viruses that spread
via e-mail (see "Melissa-like virus lurks" and "Love
Letter's legacy," links below) significantly increased
the odds that the average computer user would confront
a virus because they spread so rapidly. E-mail viruses
today account for about 81 percent of virus infections
and can infect thousands of machines in a matter of
minutes.

Practice safe computing

The best way to protect yourself from viruses is to
avoid opening unexpected e-mail attachments and
downloads from unreliable sources. Resist the urge to
double-click everything in your mailbox. If you get a
file attachment and you aren't expecting one, e-mail
the person who sent it to you before you open the
attachment. Ask them if they meant to send you the
file, what it is, and what it should do.
For added safety, you need to install reliable
antivirus scanning software (see "Bulletproof PC
protection," link below) and download updates
regularly. Major antivirus software vendors, including
Symantec, Network Associates, Computer Associates, and
Trend Micro, provide regular updates. (Computer
Associates' InoculateIT is also free.) Some of the
vendors also offer a service that will automatically
retrieve updates for you from the company's Web site.
Regular updates are essential. Researchers at
Computer Economics estimate that 30 percent of small
businesses are vulnerable to viruses either because
they don't keep their virus-scanning software updated
or because they don't install it correctly.

How antivirus software works

Scanning software looks for a virus in one of two
ways. If it's a known virus (one that has already been
detected in the wild and has an antidote written for
it) the software will look for the virus's signature
-- a unique string of bytes that identifies the virus
like a fingerprint -- and will zap it from your
system. Most scanning software will catch not only an
initial virus but many of its variants as well, since
the signature code usually remains intact.
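
The signature lookup described above can be sketched in a few lines of Python. This is an added example, not code from the article or from any antivirus product: the signature names, byte patterns and sample "files" are constructed and harmless. It goes slightly beyond the text by reading the file in chunks, which is where a naive scanner misses a signature that straddles two reads.

```python
"""Added illustration of byte-signature scanning; every name and byte is constructed."""
import io
from typing import BinaryIO

# Constructed signature sets: an older update, and a later one that adds a family.
SIGS_OLD = {"Demo.A": b"\xde\xad\xbe\xef\x13\x37DEMO-A"}
SIGS_NEW = {**SIGS_OLD, "Demo.B": b"\x90\x90\xcc\x42DEMO-B\x00"}

# Constructed sample "files": plain byte strings, not real malware.
CLEAN = b"MZ" + b"\x00" * 32 + b"ordinary program bytes"
ORIGINAL = b"MZ" + b"\x00" * 8 + SIGS_OLD["Demo.A"] + b" greeting=hello"
# A variant changes the surrounding bytes but leaves the signature intact.
VARIANT = b"MZ" + b"\x00" * 20 + SIGS_OLD["Demo.A"] + b" greeting=joke"
NEWER = b"MZ\x01\x02" + SIGS_NEW["Demo.B"] + b"tail"


def scan_stream(stream: BinaryIO, sigs: dict[str, bytes],
                chunk_size: int = 16, carry_overlap: bool = True) -> list[tuple[str, int]]:
    """Return sorted (signature name, absolute offset) hits found in stream."""
    longest = max((len(p) for p in sigs.values()), default=1)
    # Keep the last longest-1 bytes so a signature split across reads is still seen.
    keep = longest - 1 if carry_overlap else 0
    hits, window, base = set(), b"", 0  # base = absolute offset of window[0]
    while chunk := stream.read(chunk_size):
        window += chunk
        for name, pattern in sigs.items():
            pos = window.find(pattern)
            while pos != -1:
                hits.add((name, base + pos))  # set() drops re-finds in the overlap
                pos = window.find(pattern, pos + 1)
        drop = max(len(window) - keep, 0)
        window, base = window[drop:], base + drop
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_bytes(data: bytes, sigs: dict[str, bytes], **kw) -> list[tuple[str, int]]:
    """Convenience wrapper for in-memory samples."""
    return scan_stream(io.BytesIO(data), sigs, **kw)


if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("original", ORIGINAL),
                        ("variant", VARIANT), ("newer", NEWER)]:
        print(f"{label:9} old: {scan_bytes(blob, SIGS_OLD)}  updated: {scan_bytes(blob, SIGS_NEW)}")
```

The variant is caught by the same signature as the original, while the newer sample is reported only once the signature set has been updated.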
In the case of new viruses for which no antidote
has been created, scanning software employs heuristics
that look for unusual viruslike activity on your
system. If the program sees any funny business, it
quarantines the questionable program and broadcasts a
warning to you about what the program may be trying to
do (such as modify your Windows Registry). If you and
the software think the program may be a virus, you can
send the quarantined file to the antivirus vendor,
where researchers examine it, determine its signature,
name and catalog it, and release its antidote. It's
now a known virus.
If the virus never appears again -- which often
happens when the virus is too poorly written to spread
-- then vendors categorize the virus as dormant. But
viruses are like earthquakes: The initial outbreak is
usually followed by aftershocks. Variants (copycat
viruses that emerge in droves after the initial
outbreak) make up the bulk of known viruses.
Within a few hours of when the LoveLetter virus
first appeared in the United States, a variant --
VeryFunnyJoke -- had already appeared, followed by
more than 30 others during the next two months. And
not all variants stem from mysterious writers. More
than a few companies have been infected by variants
created by a curious employee who fiddled with a virus
he or she received, created a new strain of it, and
unleashed it onto the company's system -- sometimes
accidentally, sometimes not.
All information on this document was copied for your
reading from:
http://www.cnn.com/2000/TECH/computing/10/23/virus.works.idg/