==================================================== = Section B. Definitions and General Information = ==================================================== B1) What are computer viruses (and why should I worry about them)? Fred Cohen "wrote the book" on computer viruses, through his Ph.D. research, dissertation and various related scholarly publications. He developed a theoretical, mathematical model of computer virus behaviour, and used this to test various hypotheses about virus spread. Cohen's formal definition (model) of a virus does not easily translate into "human language", but his own, well-known, informal definition is "a computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself". Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be classified as a "virus" by this definition. The problem with Cohen's human language definition is that it doesn't capture many of the subtleties of his mathematical model--as indeed, few informal definitions do--and questions arise that can only be answered by checking his formal model. Using his formal definitions, Cohen classifies some things as viruses that most readers of Virus-L/ comp.virus (and many experts) would not consider viruses. For example, given certain circumstances on an IBM PC running DOS, the DISKCOPY program is classified as a virus by Cohen's formalisms. This has led to some tension between what Cohen considers a "virus" and what is usually discussed on Virus-L. Several other definitions of "virus" have been proposed, but it is probably fair to say that most of us are concerned about things that are viruses by the following definition: A computer virus is a self-replicating program containing code that explicitly copies itself and that can "infect" other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus. Probably the major distinction between Cohen's definition and "viruses" as we tend to use the word is that we see them as deliberately designed to replicate (although there is some debate over this too). Cohen's definition does *not* require this (and this would be difficult to build into his formal model). Note that many people use the term "virus" loosely to cover any sort of program that tries to hide its possibly malicious function andor tries to spread onto as many computers as possible, though some of these programs may more correctly be called "worms" (see B2) or "Trojan Horses" (see B3). Also be aware that what constitutes a "program" for a virus to infect may include a lot more than is at first obvious--don't assume too much about what a virus can or can't do! These software "pranks" are very serious; they are spreading faster than they are being stopped, and even the least harmful of viruses could be life-threatening. For example, in the context of a hospital life- support system, a virus that "simply" stops a computer and displays a message until a key is pressed, could be fatal. Further, those who create viruses can not halt their spread, even if they wanted to. It requires a concerted effort from computer users to be "virus-aware", rather than continuing the ambivalence that has allowed computer viruses to become such a problem. Computer viruses are actually a special case of something known as "malicious logic" or "malware", and other forms of malicious logic are also discussed in Virus-L/comp.virus. It can be important to understand the distinctions between viruses and these other forms of malware. B2) What is a Worm? A computer WORM is a self-contained program (or set of programs), that is able to spread functional copies of itself or its segments to other computer systems (usually via network connections). Note that unlike viruses, worms do not need to attach themselves to a host program. There are two types of worms--host computer worms and network worms. Host computer worms are entirely contained in the computer they run on and use network connections only to copy themselves to other computers. Host computer worms where the original terminates itself after launching a copy on another host (so there is only one copy of the worm running somewhere on the network at any given moment), are sometimes called "rabbits." Network worms consist of multiple parts (called "segments"), each running on different machines (and possibly performing different actions) and using the network for several communication purposes. Propagating a segment from one machine to another is only one of those purposes. Network worms that have one main segment which coordinates the work of the other segments are sometimes called "octopuses." The infamous Internet Worm (perhaps covered best in "The Internet Worm Program: An Analysis," Eugene H. Spafford, Purdue Technical Report CSD- TR-823) was a host computer worm, while the Xerox PARC worms were network worms (a good starting point for these is "The Worm Programs-- Early Experience with a Distributed Computation," Communications of the ACM, 25, no.3, March 1982, pp. 172-180). B3) What is a Trojan Horse? A TROJAN HORSE is a program that does something undocumented that the programmer intended, but that some users would not approve of if they knew about it. According to some people, a virus is a particular case of a Trojan Horse, namely one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to *non-replicating* malware, so that the set of Trojans and the set of viruses are disjoint. B4) What are the main types of PC viruses? Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect arbitrary COM and/or EXE programs, though some can infect any program for which execution or interpretation is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files. There is also at least one PC virus that "infects" source code files by inserting code into C language source files that replicates the virus's function in any executable that is produced from the infected source code files (see E5 for a more detailed discussion of the issue of "executable" code). File infectors can be either DIRECT-ACTION or RESIDENT. A direct-action virus selects one or more programs to infect each time a program infected by it is executed. A resident virus installs itself somewhere in memory (RAM) the first time an infected program is executed, and thereafter infects other programs when *they* are executed (as in the case of the Jerusalem virus) or when other conditions are fulfilled. Direct-action viruses are also sometimes referred to as NON-RESIDENT. The Vienna virus is an example of a direct-action virus. Most viruses are resident. The second main category of viruses is SYSTEM or BOOT-RECORD INFECTORS: these viruses infect executable code found in certain system areas on a disk. On PCs there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa and Michelangelo. All common boot sector and MBR viruses are memory resident. To confuse this classification somewhat, a few viruses are able to infect both files and boot sectors (the Tequila virus is one example). These are often called "MULTI-PARTITE" viruses, though there has been criticism of this name; another name is "BOOT-AND-FILE" virus. Aside from the two main classes described above, many antivirus researchers distinguish either or both of the following as distinct classes of virus: FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those that modify directory table entries so that the virus is loaded and executed before the desired program is. The program itself is not physically altered, only the directory entry of the program file is. Some consider these to be a third category of viruses, while others consider them to be a sub- category of the file infectors. LINK virus is another term occasionally used for these viruses, though it should be avoided, as "link virus" is commonly used in the Amiga world to mean "file infecting virus." KERNEL viruses target specific features of the programs that contain the "core" (or "kernel") of an operating system (3APA3A is a DOS kernel virus and is also multipartite). A file infecting virus that *can* infect kernel program files is *not* a kernel virus--this term is reserved for describing viruses that utilize some special feature of kernel files (such as their physical location on disk or a special loading or calling convention). B5) What is a stealth virus? A STEALTH virus is one that, while "active", hides the modifications it has made to files or boot records. This is usually achieved by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus's modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed and *this* may be detected by an antivirus program. Example: The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and re-directs any attempt to read a Brain- infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo (aka 4096, 4K). Countermeasures: A "clean" system is needed so that no virus is present to distort the results of system status checks. Thus the system should be started from a trusted, clean, bootable diskette before any virus- checking is attempted; this is "The Golden Rule of the Trade" (see G8 for help with making a clean boot disk and booting clean). B6) What is a polymorphic virus? A POLYMORPHIC virus is one that produces varied but operational copies of itself. These strategies have been employed in the hope that virus scanners (see D1) will not be able to detect all instances of the virus. One method of evading scan string-driven virus detectors is self- encryption with a variable key. These viruses (e.g. Cascade) are not termed "polymorphic", as their decryption code is always the same. Therefore the decryptor can be used as a scan string by the simplest scan string-driven virus scanners (unless another virus uses the identical decryption routine *and* exact identification (see B15) is required). A technique for making a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A scan string-driven virus scanner would have to exploit several scan strings (one for each possible decryption method) to reliably identify a virus of this kind. More sophisticated polymorphic viruses (e.g. V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with "noise" instructions (e.g. a No Operation instruction or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, scan string-based virus scanner would not be able to reliably identify all variants of this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus. One of the most sophisticated forms of polymorphism used so far is the "Mutation Engine" (MtE) which comes in the form of an object module. With the Mutation Engine any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation- engine and random-number generator modules. The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more scan strings to simple scanners will not adequately deal with these viruses. B7) What are "fast" and "slow" infectors? A typical file infector (such as the Jerusalem) copies itself to memory when a program infected by it is executed, and then infects other programs when they are executed. A FAST infector is a virus that, when it is active in memory, infects not only programs which are executed, but even those that are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all (or at least many) programs becoming infected. Examples are the Dark Avenger and the Frodo viruses. The term "SLOW infector" is sometimes used to refer to a virus that only infect files as they are modified or as they are created. The purpose is to fool people who use integrity checkers into thinking that modifications reported by their integrity checker are due solely to legitimate reasons. An example is the Darth Vader virus. B8) What is a sparse infector? The term "sparse infector" is sometimes used to describe a virus that infects only occasionally (e.g. every tenth program executed), or only files whose lengths fall within a narrow range, etc. By infecting less often, such viruses try to minimize the probability of being discovered. B9) What is a companion virus? A COMPANION virus is one that, instead of modifying an existing file, creates a new program which (unknown to the user) is executed instead of the intended program. On exit, the new program executes the original program so that things appear normal. On PCs this has usually been accomplished by creating an infected .COM file with the same name as an existing .EXE file. Integrity checking antivirus software that only looks for modifications in existing files will fail to detect such viruses. B10) What is an armored virus? An ARMORED virus is one that uses special tricks to make tracing, disassembling and understanding of its code more difficult. A good example is the Whale virus. B11) What is a cavity virus? A CAVITY VIRUS is one which overwrites a part of the host file that is filled with a constant (usually nulls), without increasing the length of the file, but preserving its functionality. The Lehigh virus was an early example of a cavity virus. B12) What is a tunnelling virus? A TUNNELLING VIRUS is one that finds the original interrupt handlers in DOS and the BIOS and calls them directly, thus bypassing any activity monitoring program (see D1) which may be loaded and have intercepted the respective interrupt vectors in its attempt to detect viral activity. Some antivirus software also uses tunnelling techniques in an attempt to bypass any unknown or undetected virus that may be active when it runs. B13) What is a dropper? A DROPPER is a program that has been designed or modified to "install" a virus onto the target system. The virus code is usually contained in a dropper in such a way that it won't be detected by virus scanners that normally detect that virus (i.e., the dropper program is not *infected* with the virus). While quite uncommon, a few droppers have been discovered. A dropper is effectively a Trojan Horse (see B3) whose payload is installing a virus infection. A dropper which installs a virus only in memory (without infecting anything on the disk) is sometimes called an "injector". B14) What is an ANSI bomb? An "ANSI bomb" is a sequence of characters, usually embedded in a text file, that reprograms various keyboard functions of computers with ANSI console (screen and keyboard) drivers. In theory a special sequence of characters could have been included in this FAQ sheet to reprogram your Enter key to issue the command "format c:" with a return character tacked on the end. Such a possibility however, need not translate into much of a threat. It is rare for modern software to require the computer it runs on to have an ANSI console, so few PCs or other machines should load ANSI drivers. Also, few people use software that simply "types" output to the terminal device, so such an ANSI bomb in an e-mail or News posting would most likely not reprogram your keyboard anyway. Further, although FORMAT C: may be catastrophic under certain versions of DOS, it won't hurt Macintoshes and would probably have very unexpected, or no, effects on other systems. If you are at all worried about the possibility of having something untoward happen on your PC due to an ANSI bomb *and* you have to load an ANSI driver (some communications software still requires it), look for one of the third-party ANSI drivers which abound on BBSes and FTP sites. Most of these have improved performance over DOS's ANSI.SYS *and* either do not support, or let you disable, keyboard re-mapping. B15) Miscellaneous Jargon and Abbreviations AV = antivirus. A commonly used shorthand on Virus-L/comp.virus, as in "av software". BSI = Boot Sector Infector: a virus that takes control when the computer attempts to boot. These are found in the boot sectors of floppy disks, and the MBRs or boot sectors of hard disks (see B4 for more details). BSIs are also known as BSVs (Boot Sector Viruses). CMOS = Complementary Metal Oxide Semiconductor: A memory area that is used in AT class, and higher, PCs for storage of system information. CMOS is battery backed RAM (see below), originally used to maintain date and time information while the PC was turned off. CMOS memory is not in the normal CPU address space and cannot be executed (see E2 for further discussion of issues concerning CMOS memory and viruses). DBS = DOS Boot Sector: The first sector of a logical DOS partition on a hard disk or the first absolute sector of a diskette. This sector contains the startup code that actually loads DOS. This is often confused with the MBR. Some boot sector viruses infect the DBS rather than the MBR when infecting hard disks. DETECTION = The ability of an antivirus program to detect that a virus is present, without necessarily reporting which particular virus it is (also see IDENTIFICATION and RECOGNITION, in this section). DOS = Disk Operating System. We use the term "DOS" to mean any of the MS-DOS, PC-DOS, DR DOS or Novell DOS systems for PCs and compatibles, even though there are operating systems called "DOS" on other, unrelated machines. GERM = The first generation of a virus. It normally cannot be produced again during the replication process and is usually created by compiling the source of the virus. GOAT FILES = Programs which usually do nothing special (e.g., just exit, or simply display a message), that are used by antivirus researchers to capture samples of viruses. This is done to make it easier to disassemble and understand the virus, because the infected "goat" program is (usually) simple and does not clutter the disassembly. Alternative terms are BAIT FILES, DECOY FILES and VICTIM FILES. In any of these terms, the word "programs" often replaces the word "files". IDENTIFICATION = The ability of an antivirus program (usually a scanner) to not only detect the virus and recognize it by name, but also to recognize it to a high degree of uniqueness. This allows third parties to understand which particular virus it is without seeing a sample of the virus. EXACT IDENTIFICATION occurs when every section of the non- modifiable parts of the virus body are uniquely identified. ALMOST EXACT IDENTIFICATION occurs if the identification is only good enough to ensure that an attempt to remove the virus will not result in damage to the host object by the use of an inappropriate disinfection method (also see DETECTION and RECOGNITION, in this section). MBR = Master Boot Record: the first absolute sector (track 0, head 0, sector 1) on a PC hard disk, that usually contains the partition table but on some PCs may only contain a boot sector. The MBR is also known as the MBS (Master Boot Sector). This is *not* the same as the DOS Boot Sector, logical sector 0 (see above). PARTITION TABLE = A 64-byte data structure that defines the way a PC's hard disk is divided into logical sections known as partitions. While there is often more than one partition table on a PC's hard disk, the most important is the one stored *in* the MBR. This one contains important extra information such as which partition (if any) should be booted from. The partition table is purely data, so is not executed. Some people erroneously use the term "partition table virus" as a synonym for "MBR virus". RAM = Random Access Memory: the place programs are loaded into in order to execute; the significance for viruses is that, to be active, they must load themselves into part of the RAM. However, some virus scanners may declare that a virus is active when it is found in RAM, even though it may only be left in a buffer area following a disk read operation, rather than truly being active (see C8 for further discussion of this issue). RECOGNITION = The ability of an antivirus program (usually a scanner) to detect a virus and to recognize it by name (also see DETECTION and IDENTIFICATION, in this section). TARGETING VIRUS = A virus that tries to bypass or hinder the operation of one or more *specific* antivirus programs. Also known as RETALIATOR, RETRO and ANTI-ANTIVIRUS viruses. SCAN STRING = A sequence of bytes (characters) that occur in a known virus but not, one hopes, in legitimate programs. Some scanners allow "wildcards"--positions that are matched by any character--in their scan strings. Authors of virus scanners reduce the likelihood of false positives (see B7) by carefully selecting their scan strings and often by only searching "likely" parts of target files. SEARCH STRING = A synonym for scan string. SIGNATURE = A poor synonym for scan string. We recommend that you avoid using this term and use "scan string" or "search string" instead. TOM = Top Of Memory: the end of conventional memory--an architectural design limit--at the 640KB mark on most PCs. Some early PCs may not have a full 640KB, but the amount of memory is always a multiple of 64KB. A boot-record virus on a PC typically resides just below this mark and changes the value which will be reported for the TOM to the location of the beginning of the virus so that it won't be overwritten. Checking this value for changes can help detect a virus, but there are also legitimate reasons why it may change (see C10). A very few PCs with unusual configurations or memory managers may report in excess of 640KB. TSR = Terminate but Stay Resident: these are PC programs that stay in memory while you continue to use the computer for other purposes; they include pop-up utilities, network software, and the great majority of common viruses. These can often be seen using utilities such as MEM and MSD. VX = Virus eXchange. A shorthand usually reserved for those BBSes and FTP sites, and their community of users, that make their virus collections "openly" available for downloading. Exchange of virus samples between bona fide members of the antivirus community is not tagged with the VX label.