Virus-L/comp.virus FAQ: Miscellaneous Questions

========================================
= Section F.   Miscellaneous Questions =
========================================

F1)  How many viruses are there?

It is not possible to give an exact number because new viruses are
literally being created every day.  Furthermore, different antivirus
researchers use different criteria to decide whether two viruses are
different or one and the same.  Some count viruses as different if they
differ by at least one bit in their non-variable code.  Others group
viruses in families and do not count the closely related variants within
a family as different viruses.

Further, some antivirus researchers have samples in their collections
that they count as viruses, but that several other experts strongly deny
are viruses.  Sometimes these are "partial viruses", where a virus has
not properly infected a host and the resulting sample is therefore
non-infective; other times they are well-known non-viruses.  As some of
these non-viruses are known to be in some of the common test sets, some
antivirus software vendors count them amongst the viruses they detect.

As of January 1995 there were about 5,600 PC viruses, about 150 Amiga
viruses, about 100 Acorn Archimedes viruses, about 45 Macintosh viruses,
several Atari ST viruses, a few Apple II viruses, four Unix viruses,
three MS Windows viruses, at least two OS/2 viruses and two VMS DCL-
based viruses.

Fortunately, few of the existing viruses are widespread.  For instance,
only about three dozen of the known PC viruses cause most of the
reported infections and fewer than 200 PC viruses have been found in the
wild at all.


F2)  How do viruses spread so quickly?

This is a very complex issue, and some viruses don't spread quickly at
all (though talk of them often does!).

Those that do spread widely are able to do so for a variety of reasons.
A large target population--millions of compatible computers--helps. A
large virus population helps.  Vendors whose quality assurance relies
on, for example, outdated scanners, help.  Users who gratuitously
install new software on their systems without making any attempt to test
for viruses help.  All of these things are factors.


F3)  What is the correct plural of "virus"?  "Viruses" or "viri" or
     "virii" or "vira" or...

The correct English plural of "virus" is "viruses".  The Latin word is a
mass noun (like "air") and, therefore, there is no correct Latin plural.
Please use "viruses", and if people use other forms, please do *not* use
Virus-L/comp.virus to correct them.


F4)  When reporting a virus infection (and looking for assistance), what
     information should be included?

People frequently post messages to Virus-L/comp.virus requesting
assistance with a suspected virus problem.  Quite often the information
supplied is insufficient for the various experts on the list to be able
to help at all.  Also, please note that any such assistance from members
of the list is provided on a voluntary basis; be grateful for any help
received.  Try to provide the following information in your requests for
assistance:

1.   The date and location (town and country) of suspected
     infection.
2.   The name of the virus (if known)
3.   The program (or programs) and version that called the virus
     by that name.
4.   Any other antivirus software that you are running and whether
     it has been able to detect the virus or not, and if yes, what
     name it called the virus.
5.   Your software and hardware configuration (computer type,
     kinds of disk(ette) drives, amount of memory and
     configuration (extended/expanded/conventional), the exact
     version of your OS, TSR programs and device drivers used,
     control panels and INITs, etc.).
6.   Any "unusual" behavior that has occurred recently and any new
     software (including upgrades) you have recently installed.

It is helpful if you can use more than one scanning program to identify
a virus, and to say which scanner gave which identification.  However,
some scanning programs leave "scan strings" in memory which will confuse
others, so it is best to do a "cold reboot" between runs of successive
scanners, particularly if you are getting conflicting results (see C6).


F5)  How often should we upgrade our antivirus tools to minimize
     software and labor costs and maximize our protection?

This is a difficult question to answer.  Antivirus software is a kind of
insurance, and this type of cost/benefit calculation is difficult.

There are two things to watch out for here: the general "style" of the
software, and the scan strings that scanners use to identify viruses.
Scanners should be updated more frequently than other software, and it
is probably a good idea to update a scanner's set of scan strings at
least once every two months.  In the six or so months prior to January
1995, most of the popular PC-based virus scanners typically added
detection of about 500-600 new viruses or variants--this averages out to
between two and three new viruses per day!

Some antivirus software looks for changes to programs or specific types
of viral "activity", and these programs generally claim to be good for
"all current and future viral programs".  However, even these programs
cannot guarantee to protect against all future viruses, as new "attack"
and anti-antivirus methods are continually being developed by virus
writers.  Thus, even this type of antivirus software needs to be
upgraded occasionally.

Of course, not every antivirus product is effective against all viruses,
even if upgraded regularly.  Thus, do *not* depend on the fact that you
have upgraded your product recently as a guarantee that your system is
free of viruses!


F6)  What are "virus simulators" and what use are they?

There are three different kinds of programs that are often called "virus
simulators". None of the three generate actual viruses.  The first kind
demonstrate the audio- and video-effects of some real computer viruses.
The second kind are programs that simulate a virtual environment--a
virtual computer, with virtual disks, virtual files, and virtual viruses
on them.  The user of such programs can manipulate the simulated
objects, letting the simulated viruses infect the simulated files on the
simulated disks, watching every step of the process, without a danger of
"real infection".  The third kind are programs that generate files
containing scan strings used by some scanners to detect real viruses.
The idea is that those scanners will detect the generated files too,
thus letting the user get the feeling of what discovering a virus is
like, but without the danger of risking a real infection.

There are three ways in which virus simulators are usually used:

1) For educational purposes.  The second kind of virus simulators are
very useful and valuable for this purpose, provided the simulated
environment is realistic enough.  The first kind are also somewhat
useful--mainly teaching the users what the video- or audio-effects of
particular viruses are like.  There is the danger, however, that users
will get the incorrect impression that *every* computer virus
demonstrates itself in some visible or audible way.  The third kind of
virus simulators are not useful for this purpose--they do not show how
computer viruses work, do not show what computer viruses do, and because
their virus fragments are not reliably detected as viruses by many good
scanners, may give the wrong impression of a scanner's value.

2) As an installation check that antivirus defenses are installed and
working.  The first and second kinds of virus simulators are unsuitable
for this, because they do not trigger any antivirus defenses.  Even the
third kind of virus simulators have a rather limited value in this
regard, as the files generated by them often fail to trigger virus
defenses, which are designed to protect against *real* viruses.  Many
people (unlike the producers of such simulators) believe it is the job
of the producer of an antivirus product to provide the means of checking
whether that product is installed and working.  This position rests on
the authors knowing their products better than anyone else, and on the
expectation that updated check methods will be provided as the antivirus
defenses employed in any given product change.

3) As a test of the quality of the antivirus defense--usually a scanner.
Again, the first two kinds of simulators are unsuitable for this purpose
because they do not trigger antivirus defenses.  The third kind of virus
simulators often do, from which many users get the impression that they
are suitable for these testing purposes.  This is a serious
misconception.  The files that such programs generate are not real
viruses; antivirus programs, particularly virus-specific ones like
scanners, are designed to detect real viruses.  Therefore, one must not
draw a conclusion from the ability or the inability of a product to
detect "simulated viruses" of the third kind--the fact that they are
detected does not necessarily mean that a real virus will be detected,
and the fact that they are not detected does not mean that the real
virus it is supposed to represent will not be detected!

One exception to the above are simulators that do not generate files
containing scan strings, but which simulate the different kinds of
attacks that real viruses use, but without being able to replicate.
Examples of such attacks include different methods of tunnelling,
stealth, attacks against integrity checkers, and so on.  Such simulators
are useful for testing antivirus products that are not virus-specific,
especially if the simulator exercises a wide range of known attacks.


F7)  I've heard talk of "good viruses".  Is it possible to use a
     computer virus for something useful?

This is a very hotly debated topic that has flared up dramatically
several times in Virus-L/comp.virus.  The answer is not simple and
largely hinges on your definition or interpretation of the term
"computer virus".

By definition (see B1), viruses do not have to do something "bad"
(although many people argue that the uninvited "resource wasting" that
is almost inherent in viral activity is necessarily bad).  From this
point (and based on his somewhat esoteric definition of the term
computer virus) Fred Cohen has argued that "good" or "useful" computer
viruses are a serious possibility.  In fact, Dr. Cohen offered a reward
of $1000 for the first clearly "useful" virus--despite several potential
claimants, however, he hasn't paid up.

Although there has never been a position that was widely agreed upon as
a result of any of these discussions, many contributors to this forum
believe that there are serious problems with the idea of implementing
useful computing functionality through self-replicating programs.
Vesselin Bontchev's paper originally delivered at the 1994 EICAR
conference, titled "Are `Good' Computer Viruses Still a Bad Idea?", is
available by anonymous FTP from ftp.informatik.uni-hamburg.de (IP =
134.100.4.42), as pub/virus/texts/viruses/goodvir.zip.  *Anyone* wishing
to raise this discussion in Virus-L/comp.virus again should read and
carefully consider this paper before posting.  It contains many strong
arguments against the idea of "good computer viruses", and some
prescriptions of how good viruses would have to be implemented and
distributed to deserve the label "good".  To date no strong arguments
countering the points in this paper or otherwise arguing in favor of the
concept of good viruses have been posted to the group.


F8)  Wouldn't adding self-checking code to your programs be a good idea?

Every few months somebody suggests the idea of adding a small piece of
code to existing programs.  This code would check for virus infections
when the program is executed by comparing a previously computed CRC or
cryptographic checksum (hash value) of the file in its known clean state
with its current value.  The idea is that this will detect any virus
infection immediately, and is thus effective against unknown viruses.

A simple and intuitively attractive idea--in fact, some antivirus
programs have included options to do just this.  There are, however,
some serious flaws with this approach.

This method cannot prevent the program from getting infected in the
first place.  Further, if a program that has been protected this way
becomes infected later, whenever it is run the virus code will be
activated first.  The virus may then be able to detect or even remove
the self-checking code, or it might make it totally ineffective by using
stealth techniques, so the self-checking code only "sees" the original,
non-infected program.

Some programs contain an internal self-check--much antivirus software,
for example.  Such internal code might also be unable to detect stealth
viruses, but unless the external self-check code uses stealth techniques
too, the result will be a conflict, where the internal check will notice
the newly added code and decide that it has been "infected".

Moreover, this method is ineffective against "companion" viruses that
don't modify the applications they infect.

It may not be possible to protect all programs this way.  For example,
under DOS it is relatively easy to add code of this type to most COM
files (unless the original program was slightly less than 64K, and the
resulting file would break that limit).  However, EXE files are more of
a problem--especially those containing internal overlays, where one
cannot append the code to the file, as the resulting file might become
too big to load.  Windows applications are also a problem, as they have
two different entry points, and special care has to be taken to handle
that correctly.

On the other hand, adding internal self-checking to programs as part of
their development is a good idea.  Although it has the same limitations
regarding stealth viruses, it does not cause the conflicts described
above, and can be put in any program at compile-time.  It is also much
more difficult for viruses to bypass.
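As an added illustration (not part of the original FAQ), the following
Python script models the start-up self-check described above and the two
ways it fails: a stealth virus that is already active when the check runs,
and a companion virus that never touches the protected file.  The disk,
the program image, the "virus body" and the DOS-style rule that NAME.COM
runs in preference to NAME.EXE are all constructed stand-ins for this
example; none of the bytes are a real executable or a real virus.

```python
import hashlib

# All data below is constructed for the example.  CLEAN_IMAGE stands in for
# a DOS program, VIRUS_BODY for the code an appending infector adds to it.
CLEAN_IMAGE = b"\xb8\x00\x4c\xcd\x21" + b"-- clean program body --" * 4
VIRUS_BODY = b"\xe9\x00\x00" + b"-- simulated viral code --" * 2


def digest(image: bytes) -> str:
    """The value the self-check stores and compares against.  A cryptographic
    hash rather than a CRC, so an infector cannot cheaply patch the image to
    a chosen checksum."""
    return hashlib.sha256(image).hexdigest()


# Protect-time step: the digest of the known-clean image is recorded once.
STORED_DIGEST = digest(CLEAN_IMAGE)


def self_check(read_own_image, stored: str) -> bool:
    """What the added start-up code does: re-read the program's own image
    through whatever read path the system offers and compare digests."""
    return digest(read_own_image()) == stored


class Disk:
    """Toy DOS-like disk: file name -> bytes.  run() models the DOS rule that
    NAME.COM is executed in preference to NAME.EXE when both exist."""

    def __init__(self):
        self.files = {}
        self.read_hook = None  # installed by the stealth virus below

    def read(self, name: str) -> bytes:
        data = self.files[name]
        return self.read_hook(name, data) if self.read_hook else data

    def run(self, base: str) -> str:
        for ext in (".COM", ".EXE"):
            if base + ext in self.files:
                return base + ext
        raise FileNotFoundError(base)


def infect_by_appending(disk: Disk, name: str) -> None:
    """Simulated appending infector: the host file grows by VIRUS_BODY."""
    disk.files[name] = disk.files[name] + VIRUS_BODY


def install_stealth(disk: Disk) -> None:
    """Simulated memory-resident stealth virus: every read of an infected file
    has the viral body stripped, so the self-check only 'sees' the original."""
    def hook(name, data):
        return data[:-len(VIRUS_BODY)] if data.endswith(VIRUS_BODY) else data
    disk.read_hook = hook


def infect_as_companion(disk: Disk, base: str) -> None:
    """Simulated companion virus: BASE.EXE is left untouched and a BASE.COM
    is dropped beside it, which DOS will run first."""
    disk.files[base + ".COM"] = VIRUS_BODY


def scenario_plain_infection() -> bool:
    """Appending infector, no stealth: the check sees the changed bytes."""
    disk = Disk()
    disk.files["PROG.EXE"] = CLEAN_IMAGE
    infect_by_appending(disk, "PROG.EXE")
    return self_check(lambda: disk.read("PROG.EXE"), STORED_DIGEST)


def scenario_stealth_infection() -> bool:
    """Same infection, but the virus runs before the check and hides itself."""
    disk = Disk()
    disk.files["PROG.EXE"] = CLEAN_IMAGE
    infect_by_appending(disk, "PROG.EXE")
    install_stealth(disk)
    return self_check(lambda: disk.read("PROG.EXE"), STORED_DIGEST)


def scenario_companion() -> tuple:
    """Companion virus: the protected file is unchanged, so the check passes,
    yet typing PROG at the prompt runs the companion instead."""
    disk = Disk()
    disk.files["PROG.EXE"] = CLEAN_IMAGE
    infect_as_companion(disk, "PROG")
    return (self_check(lambda: disk.read("PROG.EXE"), STORED_DIGEST),
            disk.run("PROG"))


if __name__ == "__main__":
    print("plain infection passes check:  ", scenario_plain_infection())    # False: detected
    print("stealth infection passes check:", scenario_stealth_infection())  # True: missed
    print("companion: check passes, runs: ", scenario_companion())          # (True, 'PROG.COM')
```

The first scenario is the case the idea is meant for and it works; the
other two are the page's objections made concrete.  Note that the stealth
hook sits in the read path, not in the check: the self-check code is
unchanged and still "correct", it is simply being fed the wrong bytes,
which is why moving the check inside the program at compile time does not
remove this limitation either.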