Handbook of Local Area Networks, 1998 Edition: LAN Security

Major Types of Viruses

The following sections discuss the most prevalent types of viruses, including file, boot sector, multi-partite, file overwrite, stealth, polymorphic, and macro-based.

File

File viruses usually attach themselves to an executable file, such as .EXE and .COM on DOS machines. The virus can insert its code into the host program's code so that when the program executes, the virus executes first. Most of the thousands of viruses known to exist are file viruses.

Windows 3.1 barely runs in the presence of a file virus. If a file virus is resident in the memory of a DOS system (which is exactly where file viruses like to reside), in many cases Windows cannot even start. This generally causes the user running Windows to eliminate the virus, perhaps unwittingly, as they attempt to fix their system. A growing trend toward Windows 95 and 32-bit operating systems may signal a resurgence of file viruses.

Boot

Boot sector viruses cause the vast majority of actual attack incidents. Each of the top 12 viruses reported last year was a boot sector virus. Whenever a computer is booted up, it looks for instructions about how to operate and what to do. It finds those instructions in the boot sector of a hard drive or floppy disk.

Boot viruses insert themselves into boot sectors so that the virus executes first and gains control of the system, even before the operating system is loaded. Boot viruses are especially dangerous because they can spread from anything that has a boot sector. Any floppy disk, even an allegedly blank one, can spread boot viruses. If a floppy disk carrying a boot virus is inserted into a computer, the virus goes into RAM and infects every disk that computer accesses until the computer is rebooted, which wipes the boot virus from memory.

Multi-partite

Multi-partite viruses combine characteristics of file and boot viruses. Multi-partite viruses can spread as easily as a file virus, yet still insert an infection into a boot sector, making them very difficult to eradicate.

File Overwriters

File overwriters are file viruses that link themselves to an executable program but keep the program intact. Executing the program also executes the virus, which attempts to add itself to as many files as possible. File overwriters often have no purpose other than to replicate, but even then they take up space and slow performance. They may damage or destroy files inadvertently.

Stealth

Stealth viruses are engineered to elude detection by traditional antivirus checkers. The virus may target and eliminate the detection function of a commercial antivirus product. Stealth viruses reside in memory, intercepting the system's MS-DOS calls in order to make infected files appear uninfected. The stealth virus can then infect every floppy diskette and logical drive the system accesses. Some antivirus scanners help propagate stealth viruses because they open and close files to scan them, giving the virus additional chances to spread.

Polymorphic

Polymorphic viruses include a mutation engine that makes the virus change minor parts of its code each time the virus is executed. Different encryption algorithms are nested within a polymorphic virus to help it hide from scanners. A decryption routine included in the virus allows it to return to a normal state when it executes. The stable bytes (the decryption algorithm) become shorter with repeated executions of the virus. This defeats first-generation virus scanners, which operate by checking code for any matches with known virus code.

Virus authors can access polymorphic engines, which take a non-polymorphic virus as input and output the virus with polymorphic qualities. The availability of such engines has made the authoring of polymorphic viruses a simple, straightforward task. As a result, the number of polymorphics has doubled about every eight months. Today, more than 200 polymorphic viruses produced by these engines exist, and another 50 polymorphic viruses are known to exist that do not use the engines. The latest generation, the superfast polymorphic infector, can lay waste to every executable in every directory on a PC's hard disk without requiring that .COM and .EXE files launch first. Running a directory listing is enough to trigger the virus.

Macro-based

Macro-based viruses are the newest innovation. A macro virus is unusual because it can infect documents instead of programs. It is the first virus that can cross platforms, infecting both PCs and Macintoshes. The one known form of the virus, written in Word Basic and referred to by Microsoft as the Prank Virus, infects only Microsoft Word 6.0 files. The virus is not destructive; it simply adds nonsense Word macros to documents that end with .DOC or .DOT. Although Prank is not really destructive, its implications for the future are disturbing because it has introduced an entirely new method for viruses to spread.

Common Spread Scenarios

Viruses spread through organizations in several ways, including through the use of shared machines, shared diskettes, popular programs, and LAN servers.

Shared Machines

Viruses spread throughout an organization most commonly through shared machines. A computer used by many different people can serve as a center of infection. If a user runs an infected program on the machine, the infection has probably spread to programs on the machine's hard disk. If other users bring their own diskettes to run on the machine, the diskettes and any programs on them are likely to become infected. The diskette will probably carry the infection to other machines.

Shared Diskettes

Many diskettes, such as diagnostic diskettes, product demos, or company manuals, are routinely carried from machine to machine. If such a diskette becomes infected, the infection can quickly spread to many machines.

Popular Programs

Popular games, demos, or animations often cause the user who obtains a copy to want to pass it on to other people. If one of these programs becomes infected, the infection can spread quickly to many machines.

LAN Servers

If a program on a LAN server used by many workstations becomes infected, a large percentage of the LAN workstations can become infected very quickly (sometimes within an hour or two). One common mistake is to have the LAN log-on program in a place where anyone on the LAN can write to it. This setup means that if any workstation on the LAN becomes infected, the log-on program quickly becomes infected, and then every workstation that logs on to the LAN immediately becomes infected.
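The scanning problem described under Polymorphic above, as an added illustration that is not from the handbook: a first-generation scan that looks for exact body bytes, a wildcard signature on the stable decryptor stub, and an "X-ray" scan that undoes a one-byte XOR layer before matching. The stub layout (STUB_PREFIX, a key byte, then the encoded body), the sample body text and all function names are constructed for this demo and model only the structure the text describes; nothing here is executable code.

```python
import re
from typing import Optional

# Constructed sample data. BODY is plain text standing in for the fixed code
# a first-generation scanner has a signature for; it never runs.
BODY = b"SAMPLE-BODY: replicate to .COM and .EXE files"
BODY_SIGNATURE = b"SAMPLE-BODY"

# Model of a variant: a short decryptor stub carrying the key, followed by the
# body XOR-encoded under that key. Only the stub bytes stay stable across
# variants, which is the "stable bytes" the text refers to.
STUB_PREFIX = b"STUB:"


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR used as a stand-in for the variable encryption layer."""
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """Toy stand-in for what a mutation engine emits: same stub layout,
    different key, so the body bytes differ from one variant to the next."""
    if not 0 <= key <= 255:
        raise ValueError("key must fit in one byte")
    return STUB_PREFIX + bytes([key]) + xor_bytes(BODY, key)


def signature_scan(buf: bytes, sig: bytes = BODY_SIGNATURE) -> bool:
    """First-generation scanner: exact byte match against the body signature.
    Fails as soon as the body is encoded under any non-zero key."""
    return sig in buf


# Wildcard signature for the stable stub: the key byte is unknown, so it is a
# single-byte wildcard. DOTALL lets '.' match 0x0A like any other byte.
STUB_PATTERN = re.compile(re.escape(STUB_PREFIX) + b".", re.DOTALL)


def stub_scan(buf: bytes) -> bool:
    """Matches the decryptor stub regardless of which key it carries."""
    return STUB_PATTERN.search(buf) is not None


def xray_scan(buf: bytes, sig: bytes = BODY_SIGNATURE) -> Optional[int]:
    """'X-ray' scan: a one-byte XOR layer has only 256 possible keys, so undo
    each candidate key and look for the body signature underneath.
    Returns the key that exposed the signature, or None if none did."""
    for key in range(256):
        if sig in xor_bytes(buf, key):
            return key
    return None


def scan_report(buf: bytes) -> dict:
    """Run all three scans on one buffer and report what each one saw."""
    return {
        "signature": signature_scan(buf),
        "stub": stub_scan(buf),
        "xray_key": xray_scan(buf),
    }


if __name__ == "__main__":
    for key in (0x00, 0x5A, 0xFF):
        print(hex(key), scan_report(make_variant(key)))
```

Only the variant with key 0x00 (body left in the clear) is caught by the exact-match scan; the stub signature catches every variant because it targets the part that does not change, and the X-ray scan catches them by recovering the key. The same reasoning is why shrinking or varying the decryptor stub, as the text describes, pushes scanners toward emulation rather than byte matching.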
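Two checks an administrator could run against the Boot and LAN Servers scenarios above, as an added example that is not the handbook's own: parsing a boot sector to hash its code region against a known-good baseline (a boot virus that inserts itself changes that hash), and hashing the .EXE and .COM files on a server share so that a changed log-on program shows up, together with a test for the world-writable log-on program the text calls a common mistake. The boot sector layout assumed is the classic PC master boot record (446 bytes of code, four 16-byte partition entries, 0x55AA signature); the sector bytes, share contents and function names are constructed for the demo.

```python
import hashlib
import stat
import struct
import tempfile
from pathlib import Path
from typing import Dict, List

EXECUTABLE_SUFFIXES = {".exe", ".com"}
MBR_SIZE = 512
BOOT_CODE_LEN = 446


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Validate a 512-byte boot sector and return the hash of its code region
    plus the non-empty partition entries (status, type, LBA start, length)."""
    if len(sector) != MBR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": sha256_of(sector[:BOOT_CODE_LEN]),
            "partitions": partitions}


def build_sample_mbr(boot_code: bytes, lba_start: int = 63,
                     sectors: int = 1_000_000) -> bytes:
    """Constructed sample sector: given boot code bytes, one bootable FAT16
    (type 0x06) partition entry, three empty entries, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\xff\xff", lba_start, sectors)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def baseline_share(root: Path) -> Dict[str, str]:
    """Hash every .EXE/.COM under a server share, keyed by relative path."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            result[str(path.relative_to(root))] = sha256_of(path.read_bytes())
    return result


def check_share(root: Path, baseline: Dict[str, str]) -> List[str]:
    """Relative paths of executables that are new or changed since the
    baseline; a file virus attaching itself to a program changes its hash."""
    current = baseline_share(root)
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


def world_writable(path: Path) -> bool:
    """The text's common mistake: a log-on program anyone on the LAN can write to."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def demo() -> dict:
    """Build a constructed share and boot sector, take baselines, then alter
    the log-on program and the boot code and report what the checks see."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        login = share / "LOGIN.EXE"
        login.write_bytes(b"constructed log-on program")
        login.chmod(0o755)
        (share / "tools").mkdir()
        (share / "tools" / "DEMO.COM").write_bytes(b"constructed demo program")
        (share / "README.TXT").write_bytes(b"not an executable")
        baseline = baseline_share(share)
        # Model the effect of a file infector: bytes appended to the program,
        # and the mistake of leaving it writable to everyone.
        login.write_bytes(login.read_bytes() + b" + constructed appended bytes")
        login.chmod(0o777)
        changed = check_share(share, baseline)
        writable = world_writable(login)
    clean = build_sample_mbr(b"constructed boot code")
    base_hash = parse_mbr(clean)["boot_code_sha256"]
    altered = build_sample_mbr(b"constructed boot code, modified")
    return {"changed": changed, "login_world_writable": writable,
            "partitions": parse_mbr(clean)["partitions"],
            "boot_code_changed": boot_code_changed(altered, base_hash)}


if __name__ == "__main__":
    print(demo())
```

The share baseline should be taken from a known-clean state and stored off the share itself, since a program that can modify the executables could equally modify a baseline kept beside them; the same applies to the stored boot-code hash.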