November 2000
Marcos Portnoi

Table of Contents

Virus, Worms, Trojan Horses, Exploits:  What are they?

What Systems are vulnerable to virus attacks?
Are viruses exclusive to a specific operating system?
How to protect yourself:
    The Antivirus
    The Firewalls
    The low-risk attitude
    Testing for virus and checking origin
Final Considerations




Computer viruses are an ominous menace to the security of any Personal Computer. Damage and loss can be caused and only discovered when it is too late to take action. Furthermore, through the Internet, destruction can spread from a single computer to hundreds of thousands of other computers in a matter of hours. What viruses are, how they work and what can be done to avoid them is the subject of this article.



Computers have long been required tools in any business, no matter its size. They are also becoming a fixture in any household, like the food mixer or the refrigerator. Just like those appliances, a computer that suddenly stops working may cause headaches.

The advance of computers brought its diseases along with it. The computer virus is the worst of all plagues, affecting domestic and corporate users. Combining the connectivity of the Internet and skilled programming, new viruses have attained a destructive power previously only imagined and shown in movies. Initially a curiosity, viruses such as Chernobyl, Melissa and ILOVEYOU reached billions of dollars in damages in a matter of hours or a few days. In order to avoid the threat, the user must know what a computer virus is, how it works and what weapons are available to fight it.


Virus, Worms, Trojan Horses, Exploits: What are they?

Virus is a generic term for computer programs that run on the computer, usually without the user's knowledge, and that perform malicious actions, such as destroying data and affecting performance. Typically, computer viruses are also called this way because they have the ability to copy or insert themselves into other programs, which gives them the capability of dissemination. Or, more appropriately said, infection. A virus is generally a very small program, skillfully written in low-level languages such as C or Assembly.

The first viruses were the work of extremely talented programmers, who unfortunately directed their ability towards evil. It is said the first virus was a programming project, with the intent of testing the limits of the system and experimenting with replicating code. It would have fallen into the hands of unscrupulous programmers, who improved the destructive power and freed the code out of the labs, where the viruses could infect other machines.

The virus works by attaching itself to an executable file, or replacing the whole executable file with its own code. This way, every time the file is accessed, the virus will be executed. At this moment, the virus does what it was programmed for, depending on the type: infect other files, erase files, format the computer hard drives, hamper performance, show messages or drawings on the screen and, a task some can achieve, rewrite or erase the motherboard BIOS, rendering the computer completely non-operational and needing technical intervention. Viruses can act undetected for a long time, without giving any hints of their existence, slowly infecting files. On a certain day, they simply burst out, revealing their destructive power, exactly like biological viruses, which have incubation periods until they manifest themselves. By definition, a virus propagates when an infected file is transferred to another computer. In this computer, the file, if executed, will infect other files and the cycle continues.

It is important to know that a virus will perform its destructive tasks only if executed, since it is a program. Just having an infected file on the computer hard disk doesn't mean that the virus will manifest itself. If this file is never executed, the virus will never spread or infect.

Worms operate similarly to viruses, disrupting performance or destroying files. The difference between worms and viruses, by definition, lies in the fact that worms are also capable of transferring themselves to other computers on a network, without user intervention or file swapping. They move on their own. This is done usually through e-mail, when the worm takes possession of the list of e-mail addresses stored in the computer and sends itself to the addresses in the list. If the recipients, after receiving the attached files, execute them, they will become infected. Under certain circumstances, the simple action of viewing the e-mail messages in a preview pane might initiate the infection. In this case, the worms take advantage of security flaws or operation characteristics of the e-mail client. Luckily, these circumstances are still rare.

Worms are often designed to infect as many computers as possible, and not necessarily as many files. While viruses spread as fast as the users share files, worms spread at the speed of the Internet. And this speed can be awesome. Melissa, ExploreZip and ILOVEYOU are famous instances of worms. ExploreZip hit in 1999, coming as an attached file to an e-mail message. When executed, it would remain in the background and respond to any incoming e-mail. Melissa came out in March 1999. Also sent as an attached file to an e-mail message, when executed, Melissa would send itself to the first 50 people in the user's address book. The multiplying factor of this infection stratagem is fifty to the fiftieth power, for each computer. Melissa reached thousands of thousands of computers in a matter of several days. ILOVEYOU did not have the 50 people limitation. It would simply send itself to all people in the user's address book, attached to a seemingly naïve love letter. After sending itself, ILOVEYOU would erase files in the computer. This worm reached planetary infection in a matter of several hours. (This hit initiated a discussion of how much Microsoft was responsible for these worm attacks, due to an alleged lack of security or quality in its programs, specifically Outlook and Windows. More on this later in this article.) With almost every computer system connected to each other and to the Internet, nowadays, worms have a vast path to walk through, at the speed of electricity.

A bit of history 

The first worm was created for beneficial purposes at Xerox in 1982. It was designed to perform a series of repetitive tasks on computers such as cleaning up files. It suddenly went bad. It began to crash systems and went out of control, forcing Xerox to create one of the first antivirus programs to get rid of it.

In 1987, it was IBM's turn. A new worm called Christmas.exe spread through the company e-mail network. It moved like the Love Bug and would display a Christmas tree on the user's monitor.

In 1988, finally, a Cornell computer science graduate released the infamous Morris Internet worm. This worm used known Unix backdoors (security holes, explained later in this article) to break into about 6000 systems. The backdoors or security holes had fixes or patches, but system managers hadn't installed them.

Trojan Horses are so called because they come disguised as a seemingly innocuous file. When executed, the Trojan Horse might perform its destructive tasks immediately or just install surreptitiously a small program (called the client) into the computer. This client might do a series of activities. It can infect other files or create more Trojan Horses, or destroy specific files or configurations, or steal specific information, such as passwords or addresses, and send them through the Internet to the Trojan Horse controller (called the host or server). Most usually, the client will assume control over the computer, allowing the host or server to access the computer from a distance, giving the host full power. Every time the computer is turned on, the client will also be loaded and leave open a means of access to the host. All of this is obviously done without the knowledge or permission of the user.

The most famous representatives of the category, the Trojans Netbus and BackOrifice, are very similar and allow computers running Microsoft Windows to be controlled from a distant host. Their small client programs come disguised and install in the attacked computer when executed. Every time the computer is booted, the client is also executed and remains in the background, leaving a specific TCP port open, through which the host contacts it and assumes control. These Trojans can capture keyboard strokes, deactivate specific keys, control the mouse and intercept the screen, view, erase and transfer files, and command the execution of other programs. All of this over a LAN, or the Internet.

The creators of Netbus do not agree that their program be called a Trojan. As they define it, it is a tool to remotely control a computer. It is actually sold and its official version does not install the client surreptitiously. The client announces itself and requires user permission to be installed. It is the silent version of this tool, however, which gained fame and was used maliciously. As with BackOrifice, it was created with bad intent.

An exploit is not a virus itself, but the technique, used by viruses, to take advantage of failures, bugs or operational behavior intrinsic to certain programs or applications. When exploited properly, these failures can cause security breaches and allow the attacker to gain privileged access or permissions, otherwise not normally possible. With these privileges, the attacker can view, transfer or erase files. Depending on the invaded system, the attacker can gain access not only to the computer, but to a whole LAN. Inside a LAN, the computers are usually trusted, which means access among them is broadly allowed, while outside computers have limited access. If the attacker successfully controls one trusted computer, he can browse the whole LAN from this trusted one. The other computers will believe the actions performed by this trusted computer are legitimate, and carry them out. The attacker can also install backdoors, which are small programs or simple configurations that allow the attacker to have privileged access again to the same computer, anytime. The backdoors usually leave a TCP port open or create a privileged user in multi-user systems. The attacker can now simply connect to this backdoor and start using the invaded computer. Exactly like the burglar who leaves the basement door unlocked, so he can come back the following night.

Several months ago, the Internet community was struck by attacks performed by hackers that rendered famous and big sites such as Yahoo unusable for hours. They were hit by DoS attacks, short for Denial of Service. DoS attacks are done by sending hundreds of thousands of requests for connection to a single site. Incapable of handling all these requests, the site servers deny access to the excess. A legitimate user who tries to access the site will be caught up in the excess of requests and will probably have his request denied. Thus, the site is almost inaccessible or down until the attack stops or defensive actions are taken. In order to perform DoS attacks, hackers usually invade several computers with regular connection to the Internet, such as those installed in universities, and install backdoors on them. Later, upon receiving a signal from the hacker, these programs will start sending requests for connection to the target site. Using this stratagem, a single user can have hundreds of computers working for him at the same time, without the knowledge of the users of those computers. That innocent-looking computer sitting in the back of the lab in the university may be performing a highly intrusive DoS attack, and nobody may notice that the computer is being exploited. Since the source of the attacks is multiplied, the DoS attack can be hard to trace.

Technically, viruses can be said to be a combination of all of the formats explained before: viruses that exploit bugs in order to install a client program, that send themselves through e-mail to other users, like the worms, and that perform destruction in the computer. The most recent famous virus to hit computers, ILOVEYOU, used the exploit technique to take advantage of a security breach in Microsoft Outlook, sending itself to all e-mail addresses stored in the program's address book, while it would infect and erase other files. The virus was written in VBS (Visual Basic Script) and came attached to an innocent e-mail message entitled Love Letter to You. A Trojan Horse tactic.

Even so, the ILOVEYOU virus would only infect the computer if actually executed by the user. Wisely, ILOVEYOU exploited another characteristic of the Microsoft Windows9x Operating System: by default, Windows9x hides the files' extensions. These extensions define the type of file for the OS. Executable files have the extension ".exe", text files use ".txt", batch files, ".bak" and so on. Visual Basic Script files, which contain routines written in Visual Basic for Applications, have the extension ".vbs" and are executable if opened by a program such as Microsoft Word or Outlook. Appropriately, the attached file with the virus ILOVEYOU was named "LoveLetterToYou.txt.vbs". If Windows retained the default configuration, the extension would be hidden, thus resulting in a file named "LoveLetterToYou.txt" attached to the e-mail message. This scheme tricked the user into thinking the file was some sort of innocuous text, and the user would end up opening it, initiating the infection.
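The check a mail gateway or a cautious user could apply to the double-extension trick described above, as an added example that is not part of the original article: it works out the name a user sees when the final extension is hidden and flags attachments whose real type is runnable while the visible name looks harmless. The two extension lists are assumptions chosen for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { ATTACH_OK, ATTACH_EXECUTABLE, ATTACH_DISGUISED };

/* Assumed extension lists for this example; extend them for real use. */
static const char *const RUNNABLE[] = { "exe", "com", "bat", "pif", "scr", "vbs", "js", NULL };
static const char *const HARMLESS_LOOKING[] = { "txt", "doc", "jpg", "gif", "htm", NULL };

/* Case-insensitive test: is ext[0..len) one of the lower-case words in list? */
static int in_list(const char *ext, size_t len, const char *const *list)
{
    for (; *list != NULL; list++) {
        size_t i;
        if (strlen(*list) != len)
            continue;
        for (i = 0; i < len; i++)
            if (tolower((unsigned char)ext[i]) != (*list)[i])
                break;
        if (i == len)
            return 1;
    }
    return 0;
}

/* Length of the name with trailing dots and spaces ignored, since Windows
 * drops them when opening the file ("a.vbs." is still treated as .vbs). */
static size_t effective_length(const char *name)
{
    size_t n = strlen(name);
    while (n > 0 && (name[n - 1] == '.' || name[n - 1] == ' '))
        n--;
    return n;
}

/* Index of the last '.' before position end, or end when there is none. */
static size_t last_dot(const char *name, size_t end)
{
    size_t i;
    for (i = end; i > 0; i--)
        if (name[i - 1] == '.')
            return i - 1;
    return end;
}

enum verdict classify_attachment(const char *name)
{
    size_t end = effective_length(name);
    size_t dot = last_dot(name, end);
    size_t prev;

    if (dot == end)                                   /* no extension at all */
        return ATTACH_OK;
    if (!in_list(name + dot + 1, end - dot - 1, RUNNABLE))
        return ATTACH_OK;
    prev = last_dot(name, dot);                       /* the extension that stays visible */
    if (prev != dot && in_list(name + prev + 1, dot - prev - 1, HARMLESS_LOOKING))
        return ATTACH_DISGUISED;
    return ATTACH_EXECUTABLE;
}

/* Writes the name as displayed when the final extension is hidden.
 * Returns 0 on success, -1 when out is too small. */
int displayed_name(const char *name, char *out, size_t out_size)
{
    size_t end = effective_length(name);
    size_t shown = last_dot(name, end);               /* equals end when no extension */

    if (shown + 1 > out_size)
        return -1;
    memcpy(out, name, shown);
    out[shown] = '\0';
    return 0;
}

/* Convenience for checks: does the hidden-extension view equal expected? */
int shows_as(const char *name, const char *expected)
{
    char buf[128];
    return displayed_name(name, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample names; the first is the one quoted in the article. */
    static const char *const samples[] = {
        "LoveLetterToYou.txt.vbs", "notes.txt", "setup.exe", "REPORT.DOC.VBS. ", "README"
    };
    static const char *const labels[] = { "ok", "executable", "DISGUISED executable" };
    char shown[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        displayed_name(samples[i], shown, sizeof shown);
        printf("%-26s shown as %-22s -> %s\n", samples[i], shown,
               labels[classify_attachment(samples[i])]);
    }
    return 0;
}
```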

This virus spread out spectacularly fast, reaching planetary levels of contamination in a matter of a few days and causing billions of dollars in damages. The potential of connection given by the Internet resulted in extremely powerful viruses, powers previously limited only by the computers' lack of connectivity. Today, with almost every PC connected to the Internet, viruses can spread with amazing speed. This situation is perfectly similar to biological viruses, which are limited in nature by geographical and population boundaries. Means of transportation such as automobiles, ships and airplanes let the population migrate fast, and the viruses migrate along, contaminating other populations.


What Systems are vulnerable to virus attacks?

Virtually every computational system, if it allows the entry of programs for execution or even data sequences for operation control, is vulnerable to attacks from viruses and exploits. This means desktop computers, handheld computers, pocket or personal information managers (PIMs), the Palm computers and cellular phones, pagers or devices for Internet access, such as those meant to be plugged to the TV set.

Not convinced? There are already at least three known viruses specific to the Palm platform: Palm Liberty Trojan Horse, Phage.963 and Vapor.741. The Liberty trojan was distributed as a crack for Liberty, an application that emulates the Nintendo Gameboy system on the Palm. It is said that this trojan was written by the author of the emulator application, both as a way to keep his emulator from being pirated and as a test. The code was released only for a few minutes in a newsgroup. It was enough for the trojan to gain life outside the lab.

Phage is a real virus: when transferred and executed, it locates and infects all programs installed in the system, by overwriting the beginning of the files. After this, these files will repeat the same behavior when executed: infect other programs and block the PDA's normal operation. Phage can be transferred through docking stations and also through the infrared beaming device, when infected files are shared. The only way to restore normal operation is restoring a backup from the PC. Vapor also infects all files installed in the PDA, but instead of overwriting them, it just erases their icons, thus rendering them inaccessible. A backup from the PC will restore normal operation.

Since there is no antivirus for the Palm platform yet, the only ways to avoid being hit by those viruses are to perform the synchronization operation regularly, not to beam with unknown people and to be extra careful when downloading files.

As for cellular phones, there have already been two instances showing that they can be hit by exploits. In Spain, several hundred cellular phones were hit by spam through SMS (Short Message Service). These phones could receive SMS messages from the web. The attacker set up a program to use this service and flood the phones with messages, causing severe headaches.

In another example, a telephone company, doing tests with SMS, was able to crash or freeze a number of Nokia cellular phones (of a specific model). It was found that the firmware of those phones would crash if a certain sequence of characters was received through SMS. The phone would freeze completely, no keys remaining operational. Users were forced to remove the batteries and reinstall them, in order to reset the phones. A perfect example of how a cellular phone, which is as yet unable to receive external programs for execution, can nevertheless have its failures exploited to wreak havoc. Second-generation cell phones have minibrowsers for Internet navigation, can send and receive e-mail, and some can download new ring types and exchange address book data. Third generation cell phones and up will have more processing power, and will eventually allow small programs to be executed. Open doors to viruses.


Are viruses exclusive to a specific operating system?


When ILOVEYOU hit, and some time before, discussions flooded the newsgroups. Subject: the easy dissemination of viruses was Microsoft's responsibility. This argument stated that Windows, used in more than 90% of the PCs in the world, and other Microsoft programs had severe security flaws, due to lack of care or just bad programming. Virus designers would easily exploit these flaws, resulting in fast dissemination. Other operating systems such as Linux, Unix and MacOS, the argument continues, would not be subject to frequent virus hits, and when actually hit, their dissemination wouldn't be so easy.

This coarse line of thought has clear limitations. First, if the wish of a virus designer is to cause chaos and destruction, he will prefer the base of construction that reaches the highest possible number of users. This is obviously the Windows operating system and the Intel platform, simply because more than 90% of personal computers are based on Intel (or Intel-compatible) and run Windows. Different operating systems would require diversified programming, and machines based on another microprocessor architecture would require different programming code. (Just like biological viruses: a virus generally can only infect a specific species, or DNA. The canine AIDS virus, for example, is innocuous to the human being.) It doesn't matter whether the most used operating system is called Windows or Skylight, and whether the company is Microsoft, Microshaft, Oracle, Listener, Sun, Moon or an independent allegedly non-profit organization: whatever the system is, that will be the one virus designers will write their viruses and exploits for. And there will always be a hole, for there is no 100% safe system.

Similarly, Microsoft applications are in the majority in several instances, such as Office, e-mail clients (Outlook) and browsers (Internet Explorer). This fact will make those applications the preferred ones to be exploited. One successful exploit for Microsoft Word can simply reach dozens of millions of users. Another application would have fewer users, and that's not what the virus designer wants.

Blaming Microsoft for virus dissemination is as naïve as stating that left-handed individuals are less skilled and have more back problems due to genetic limitation. Such an absurd conclusion would certainly attract many admirers, who would not care to use their good sense to understand that if left-handed individuals have skill problems, perhaps that is due to the fact that the majority of equipment and devices are designed for the ergonomics of the right-handed: buttons and controls to the right, panels and visors to the left. And the back problems might be caused because left-handed individuals are forced to sit in chairs equipped with a small writing table, which is always attached to the right side of the chair, thus forcing the left-handed to perform contortions in order to write.

Truly, Microsoft is the victim of a generally unfriendly attitude. It is common not to look with gentle eyes at a very large organization, especially when this organization has more than 90% of certain markets. It doesn't matter whether the organization acquired this level of market share by competence, by lack of competitors or by military force. This is a behavior that started in the Bible, in the famous story of David and Goliath. To the big and powerful, the image of Evil is associated; to the small, heroism, love, bravery and morality.

Nevertheless, the fact that a company possesses a huge market-share is reason enough for this company to pay special attention to the safety and quality of its products. Any flaw in this area will affect several millions of users or clients and may cause enormous amounts of monetary losses. The bugs and security holes exist in Microsoft products, but it is true that Microsoft is diligent in posting fixes and patches. Maybe less diligent than some would like, or maybe it would be just better if there were no flaws. Unfortunately, this is impossible.

Another detail makes it easier, on Windows-based systems, for malicious code writers to create and spread worms without complex programming knowledge. Windows is based on COM technology, short for Component Object Model. COM makes it possible for any application to use the capabilities of other installed applications with simple statements. For example, a program for compressing files can use Microsoft Outlook to e-mail the compressed files, without the code author having to know how Outlook operates or even details of e-mail protocols. COM is a nice feature if used for good. It needs to embed high security, though, in order to prevent exploitation.

Other operating systems also have their problems. Unix is, by the way, the system preferred by hackers to perform their attacks, because Unix carries well-known exploits and can give a single user unlimited power and control (the superuser or root). Since it is also a multiuser system, the hacker can operate at the same time as the other users, drawing little attention to himself.


How to protect yourself: the weapons

The Antivirus


Just as there are viruses, there are vaccines. In Information Technology, they are programs known as antivirus.

Antivirus programs work by detecting existing viruses in the computer or imminent infecting viruses. Then they can isolate the infected programs, clean them by removing the virus code (if possible), or erase the infected files. The antivirus stays resident and monitors every program to be executed by the computer. When a file is opened, control is given to the antivirus, which scans the file and then authorizes its execution, if it is free from infection. If the antivirus detects some sort of virus, it then blocks the execution of the program and notifies the user. The antivirus can also monitor the RAM, boot sectors in hard drives and floppies, removable drives, e-mail messages and even incoming network data.

Virus detection is done mainly in two ways. The first method uses the signature concept. Viruses are programs; therefore they have a specific sequence of commands, which are translated to a specific sequence of bytes. This sequence of bytes characterizes a certain type of virus, exactly as biological viruses have specific sequences of DNA code. The antivirus has an internal database of signatures and compares every file about to be executed against this database; if there is a hit, the execution is halted and the virus cannot infect the computer.

For this method to be efficient, the database must contain the highest number of signatures possible and must be constantly updated. Every new virus must be quickly analyzed and its signature entered into the database, so the antivirus will recognize its code. This procedure is done by the antivirus producer, and the result is made available on its website, as virus update files. Almost every antivirus program can automatically contact its company's servers and update itself periodically, through the Internet. Typical virus databases have more than 45 thousand different signatures.

In defiance of the signature method, some viruses were capable of modifying their own code, resembling the common viruses for colds and flu. Permanent vaccines cannot be synthesized for cold viruses, because they mutate their DNA or RNA code constantly. Since antibodies can only attack specific DNA or RNA sequences, they are ineffective against mutating viruses. Luckily nature is much more competent in coming up with mutating viruses; mutating computer code requires a high degree of programming skills, and mutating computer viruses are not very common. Even then, they may carry a permanent core, so they can still be detected by signature.
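The signature method from the preceding paragraphs, as an added example that is not code from the article or from any antivirus product: a small signature database, a byte-sequence search, and four constructed sample files showing that a variant keeping its permanent core is still caught while one whose core bytes all differ is not. It goes one step beyond the text by scanning in blocks, where a signature straddling two blocks is missed unless consecutive blocks overlap. All names, signatures and file contents are invented for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct signature { const char *name; const unsigned char *bytes; size_t len; };
struct scan_result { const char *name; long offset; };   /* name == NULL: no hit */

/* Constructed byte sequences; they do not come from any real virus. */
static const unsigned char SIG_ALPHA[] = { 0xDE, 0xC0, 0x17, 0x5A, 0x9B, 0x42 };
static const unsigned char SIG_BETA[]  = { 0x4C, 0x6F, 0x56, 0x65, 0x21, 0x00, 0x7F };

static const struct signature DATABASE[] = {
    { "Example.Alpha", SIG_ALPHA, sizeof SIG_ALPHA },
    { "Example.Beta",  SIG_BETA,  sizeof SIG_BETA  },
};
#define DATABASE_COUNT (sizeof DATABASE / sizeof DATABASE[0])

/* Constructed sample files. */
static const unsigned char CLEAN[]    = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 };
static const unsigned char INFECTED[] = { 0x4D, 0x5A, 0x90, 0x00,
                                          0xDE, 0xC0, 0x17, 0x5A, 0x9B, 0x42, 0xC3 };
/* Variant with different filler and layout but the same core bytes. */
static const unsigned char VARIANT_SAME_CORE[] = { 0x4D, 0x5A, 0x90, 0x90, 0x90, 0x90, 0x90,
                                                   0xDE, 0xC0, 0x17, 0x5A, 0x9B, 0x42, 0x90, 0xC3 };
/* Variant in which every byte of the core differs from the stored signature. */
static const unsigned char VARIANT_CHANGED_CORE[] = { 0x4D, 0x5A, 0x90, 0x00,
                                                      0x8B, 0x95, 0x42, 0x0F, 0xCE, 0x17, 0xC3 };

/* Offset of the first occurrence of needle in hay, or -1. */
long find_bytes(const unsigned char *hay, size_t hay_len,
                const unsigned char *needle, size_t needle_len)
{
    size_t i;
    if (needle_len == 0 || needle_len > hay_len)
        return -1;
    for (i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return (long)i;
    return -1;
}

/* Compares the data against every signature in the database. */
struct scan_result scan_buffer(const unsigned char *data, size_t len)
{
    struct scan_result r = { NULL, -1 };
    size_t i;
    for (i = 0; i < DATABASE_COUNT; i++) {
        long off = find_bytes(data, len, DATABASE[i].bytes, DATABASE[i].len);
        if (off >= 0) {
            r.name = DATABASE[i].name;
            r.offset = off;
            return r;
        }
    }
    return r;
}

size_t longest_signature(void)
{
    size_t i, max = 0;
    for (i = 0; i < DATABASE_COUNT; i++)
        if (DATABASE[i].len > max)
            max = DATABASE[i].len;
    return max;
}

/* Scans block by block, as a scanner reading a large file would. Each block is
 * extended backwards by `overlap` bytes; longest_signature() - 1 is enough to
 * catch a signature that straddles a block boundary. */
struct scan_result scan_in_chunks(const unsigned char *data, size_t len,
                                  size_t chunk, size_t overlap)
{
    struct scan_result r = { NULL, -1 };
    size_t pos;
    if (chunk == 0)
        return r;
    for (pos = 0; pos < len; pos += chunk) {
        size_t start = pos > overlap ? pos - overlap : 0;
        size_t end = (len - pos > chunk) ? pos + chunk : len;
        r = scan_buffer(data + start, end - start);
        if (r.name != NULL) {
            r.offset += (long)start;
            return r;
        }
    }
    return r;
}

int main(void)
{
    struct scan_result r;
    r = scan_buffer(CLEAN, sizeof CLEAN);
    printf("clean file:        %s\n", r.name ? r.name : "no match");
    r = scan_buffer(INFECTED, sizeof INFECTED);
    printf("infected file:     %s at offset %ld\n", r.name ? r.name : "no match", r.offset);
    r = scan_buffer(VARIANT_SAME_CORE, sizeof VARIANT_SAME_CORE);
    printf("same-core variant: %s at offset %ld\n", r.name ? r.name : "no match", r.offset);
    r = scan_buffer(VARIANT_CHANGED_CORE, sizeof VARIANT_CHANGED_CORE);
    printf("changed core:      %s\n", r.name ? r.name : "no match");
    r = scan_in_chunks(INFECTED, sizeof INFECTED, 6, 0);
    printf("blocks, no overlap: %s\n", r.name ? r.name : "no match (signature straddles blocks)");
    r = scan_in_chunks(INFECTED, sizeof INFECTED, 6, longest_signature() - 1);
    printf("blocks + overlap:   %s at offset %ld\n", r.name ? r.name : "no match", r.offset);
    return 0;
}
```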

The second method uses heuristics. In this way, the antivirus constantly monitors the behavior of programs being executed, in search of "suspicious" attitudes. For instance, an attempt to access the address book, erase several files, modify or erase sensitive areas of the hard drive, system files or configuration (registry) files. If the antivirus detects any of those activities, it will consider the program as suspicious, block its actions and notify the user.

The heuristic method does not need updates to work, since it monitors actions, not signatures. Mutant viruses are detected by heuristics just like any others, so it is a very good protection against them. It is obviously not a perfect method, though; it might not detect a cautious virus, or it might wrongly block a good program (although this is very unlikely).


The Firewalls


In the real world, firewalls are designed to protect environments against fire. They keep heat and fire outside, so they don't destroy what is inside (under perfect conditions). In Information Technology, firewalls are specialized computers or programs designed to control the flow of information through them, or access. Firewalls, by definition, can control anything from individual user access to which devices are allowed to work on a computer, or what sites users can connect to.

Firewalls are essential in any computer system that is connected permanently to the Internet or to any outside network, and in which vital data is stored. Since firewalls work at the level of access, they are suited to protecting against exploits and trojan horses. Even if a trojan horse is installed, the firewall will block attempts to connect to the trojan server. Correctly configured, the firewall's protection mechanisms will render a computer virtually invisible on the Internet (called stealth mode), making attempts at attack very hard. An attacker would have to know a priori that the computer is there, because it cannot be detected by other means. That is, provided the firewall works right and the attacker does not develop other ways to circumvent the firewall.

When home users had no other choice of connection to the Internet than a dial-up modem, an online, virtual attack was very rare. Dial-up connections employ different IP numbers every time the user connects, and they don't last several hours. So an attacker would have to guess which IP number the computer was using at the time, making the attack too troublesome to be worth it. But today's broadband home connections changed the situation completely. Users with high-speed connections such as ADSL or cable modems stay online for long periods of time, and they keep a constant IP number for the whole session. Usually, ADSL or cable modems have permanent IP numbers, making them prime targets for malicious activity. Home users with this type of connection might be unaware of the danger: their computers can house trojan horses and can be hacked simply because they are there all the time. And hackers know home users are usually lenient when it comes to security.

There are good solutions in personal firewalls, such as Network Associates/McAfee Personal Firewall, Symantec Norton Internet Security, BlackIce Defender, ZoneLabs Zone Alarm.


How to protect yourself: the low-risk attitude

Fine. Viruses, exploits, worms. Trojan horses, backdoors. It's a jungle out there. What can be done? Just unplug the computer and go back to the typewriter? Luckily, there are attitudes and behaviors that can minimize the chances of being infected or attacked or, if really infected, contain the destruction to the minimum possible.

The first step is to obtain and install a good antivirus program. The antivirus must be kept running permanently. It is perhaps not too much to state again: the computer must never run without an antivirus.


Updating Software


The antivirus must be updated at least once a week, or every time the manufacturer publishes an update on its website. Most antivirus programs can update themselves automatically, without user intervention. Without an update, the antivirus is impotent against new viruses and worms.


As a matter of fact, the update procedure deserves a chapter of its own. Every program should be updated, as often as the updates are published on their websites. This is particularly important for web browsers, antivirus, firewalls, email clients and the operating system. Those updates often include security patches. Security holes are usually discovered after the program is on the market. Hackers take advantage of the time lapse until the patch is released to exploit these security holes. And, as impressive as it may seem, a great number of network managers simply do not apply the patches when released. Several large sites work with outdated software, full of security holes, leaving easy paths to hackers.


In large sites and large networks, the patch procedure is time consuming. Usually the whole network must be taken down, preventing several users from working. This costs money in lost time. So network managers are careful when applying patches, also because not all patches assure better performance. A patch may also contain incompatibilities and cause problems. Security holes must be patched, nevertheless. Many websites were hacked exactly because their web servers were running old software with well-known holes.


In home computers, applying patches usually does not take more than 5 to 10 minutes. They might cause problems, but that trouble is small compared with the danger of using programs with security holes. Web browsers and the operating systems deserve special attention. In Microsoft Windows 9x, there is the Windows Update facility, which connects to Microsoft servers and detects whichever updates are available and needed. The system, if authorized by the user, then downloads the patches and updates itself. Simple and very important, because most security holes do give a hacker access to local files. Some just require the user to connect to a website or open or view an email message. The user doesn't need to execute any file. The last security hole discovered by the famous bug-hunter Georgi Guninski affects Microsoft Outlook Express. It concerns the compressed help file format for this program. A hacker can embed a script in one such file, and a security flaw will allow the script to access local files or even execute files attached to the email message, without user intervention. The script will run simply by viewing the email message (or accessing a web page with the script), revealing the potential danger of these security flaws. The patch was released shortly after the hole was discovered.


Another form of exploit that can affect any kind of program (that has the hole) is called buffer overrun. Many programs and the operating system, in order to execute actions, store information briefly in a buffer, which usually has a limited size. Almost everything in Computer Technology uses a buffer, from the TCP protocol to a calculator. A buffer is needed because data is never processed at the same speed it is fed. So, data must be stored until it can be processed. For example, the keyboard has a buffer of its own. Even when the computer is performing some operation that seems to lock it, keys pressed during this time will be saved and will appear on the screen after the last process is concluded (in a word processor, for instance).


The problem arises when the buffer is full. When that happens, some programs will simply refuse more data, discarding the excess. Others will signal the source, and others might erase the whole buffer. And some might behave in completely unpredicted and weird ways (because the programmers might never have imagined that that particular buffer would overflow). A security flaw found some time ago in Internet Explorer, of the buffer-overrun type, was very interesting. A link in a web page could be made with enough characters to overflow the internal browser buffer for hyperlinks. Clicking on the link would cause the buffer overrun, and the additional characters would be executed! If an actual program were properly embedded in the hyperlink, it would execute in the local computer, under no control. Impressive.
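The buffer behaviours described above, as an added example in C (not code from the article or from any browser): an unchecked copy beside two bounded ones that either refuse or truncate an oversized link. The buffer size, the function names and the sample link are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINK_BUF_SIZE 16  /* assumed size, kept small for the demonstration */

/* Unsafe pattern, shown for contrast and never called here: strcpy() copies
 * up to the source's NUL and ignores the size of dst, so a longer source
 * writes past the end of the buffer. */
void store_link_unchecked(char *dst, const char *src) { strcpy(dst, src); }

/* "Signal the source": refuse input that does not fit. 0 = stored, -1 = refused. */
int store_link_reject(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0) return -1;
    if (len >= dst_size) {            /* no room for the text plus its NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* "Discard the excess": keep what fits, always NUL-terminate, and return
 * the number of characters dropped. */
size_t store_link_truncate(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    size_t keep;
    if (dst_size == 0) return len;
    keep = len < dst_size ? len : dst_size - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    return len - keep;
}

/* Constructed check: store an oversized link in a buffer that sits next to a
 * guard field and report whether the guard is untouched afterwards. */
int guard_survives_long_link(void)
{
    struct { char link[LINK_BUF_SIZE]; char guard[8]; } s;
    const char *long_link = "http://example.invalid/aaaaaaaaaaaaaaaaaaaaaaaa";
    memcpy(s.guard, "GUARD!!", 8);
    if (store_link_reject(s.link, sizeof s.link, long_link) != -1) return 0;
    store_link_truncate(s.link, sizeof s.link, long_link);
    return memcmp(s.guard, "GUARD!!", 8) == 0 && strlen(s.link) == LINK_BUF_SIZE - 1;
}

int main(void) { printf("guard intact: %d\n", guard_survives_long_link()); return 0; }
```

Both bounded variants take the destination size as a parameter, which is the piece of information the unchecked copy never sees.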


Testing for virus and checking origin

All programs must be tested for viruses before they are executed or installed. When an antivirus is installed, this test procedure is done automatically, if the antivirus is configured correctly.

The source is everything when it comes to computer viruses. If the origin of a program is suspicious, caution must be doubled. There are preferred sources from which viruses spread: mainly email, IRC channels, newsgroups, and warez distribution sites. IRC channels are perhaps the most promiscuous places. The best attitude is simply to refuse any file coming from IRC users, unless it is well known, or it is a picture file (which is, to this date, completely harmless). Virus programmers usually start spreading by sending the virus to IRC users or to newsgroups. The first Palm virus originated from the newsgroups.

The safest attitude, here, is to be paranoid. A file received from an unknown sender should simply be erased. The risk is rarely worthwhile, and unknown people acting in good faith seldom send files upon first contact. Nevertheless, files received from friends or known people, especially by email, can be suspicious. Worms rely on the trust users put in known senders, by maliciously using the address book stored in the computer and sending themselves to every address. The user trusts the sender and opens the file, and the sender doesn't know she is infected and is sending worms to everyone in the address book.

Text or picture files (with extension .txt, .jpg, .tif or .gif) are practically harmless. Scripts cannot be embedded into these files; nothing is therefore executed. If the operating system is Windows 9x, it must be configured to show all file extensions. By default, Windows hides file extensions, making it difficult to promptly detect the file type. Remember, a virus can only infect if executed. If a program with a virus has its extension changed to .txt, for instance, it is immediately rendered harmless. A double click on one such file would just open a notepad-type program and the user would just see a bunch of meaningless characters displayed.

Files with the .doc extension are more dangerous. They can house macros or scripts that are executed by the word processor, such as Word or WordPerfect. Macros might be viruses. As a matter of fact, most new viruses are macro viruses, or written in Visual Basic for Applications (VBA). The word processors may have the macro execution capabilities disabled, or may be configured to automatically call the antivirus each time a file is opened. Even then, if the source of the file is suspicious, a program such as WordPad, which comes with Windows 9x, can open the file safely, since WordPad is incapable of processing macros or scripts.

Files with extensions .exe, .com, .bat, .ocx, .vbs, .chm, .osx, .htm, .html, .php, .asp are executable. All of these except .exe and .com are truly text files, but might contain macros or scripts. Files with extension .php and .asp are executed on the server (server-side), not on the user's computer. They might, however, contain viruses, as was recently proved with .php files (they infect the server only, though). If the source of those files cannot be trusted, the best measure is to erase them.
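A sketch of the extension check described in the last three paragraphs, added here as an example in C (not the article's own code). It uses the article's extension lists and also flags names whose real last extension sits behind a text or picture extension, which is what a user sees when Windows hides the last extension; function names and the file names in the tests are constructed.

```c
#include <ctype.h>
#include <string.h>

enum file_class { FC_UNKNOWN, FC_TEXT_OR_PICTURE, FC_MACRO_CAPABLE, FC_EXECUTABLE };

/* Extension lists as given in the article. */
static const char *const HARMLESS[] = { "txt", "jpg", "tif", "gif", NULL };
static const char *const MACRO[]    = { "doc", NULL };
static const char *const EXEC[]     = { "exe", "com", "bat", "ocx", "vbs", "chm",
                                        "osx", "htm", "html", "php", "asp", NULL };

/* Case-insensitive match of ext[0..len) against a NULL-terminated list. */
static int in_list(const char *ext, size_t len, const char *const *list)
{
    for (; *list; list++) {
        size_t i = 0;
        if (strlen(*list) != len) continue;
        while (i < len && tolower((unsigned char)ext[i]) == (*list)[i]) i++;
        if (i == len) return 1;
    }
    return 0;
}

static enum file_class classify_ext(const char *ext, size_t len)
{
    if (in_list(ext, len, EXEC))     return FC_EXECUTABLE;
    if (in_list(ext, len, MACRO))    return FC_MACRO_CAPABLE;
    if (in_list(ext, len, HARMLESS)) return FC_TEXT_OR_PICTURE;
    return FC_UNKNOWN;
}

/* The class of a file is decided by its LAST extension only. */
enum file_class classify_name(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (!dot || dot == name) return FC_UNKNOWN;
    return classify_ext(dot + 1, strlen(dot + 1));
}

/* 1 when hiding the last extension leaves a name that ends in a text or
 * picture extension although the real last extension is something else. */
int looks_disguised(const char *name)
{
    const char *last = strrchr(name, '.'), *prev = last;
    if (!last || last == name) return 0;
    if (classify_ext(last + 1, strlen(last + 1)) == FC_TEXT_OR_PICTURE) return 0;
    while (prev > name && prev[-1] != '.') prev--;
    if (prev == name) return 0;       /* only one extension in the name */
    return classify_ext(prev, (size_t)(last - prev)) == FC_TEXT_OR_PICTURE;
}
```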

Any files with the extensions above must be tested for viruses and opened with caution. There's not much to do about HTML-type files but rely on the antivirus and the safety measures of the browser. If the HTML page has malicious scripts or applets or active controls that successfully override the antivirus and browser firewalls, the computer might be infected. This makes simple Internet navigation not 100% safe, unless the user disables every kind of script, applet and active control processing in the browser. This renders navigation dull, however, since advanced sites won't show correctly.

If an executable file is received from an unknown sender, there is no doubt: it must be erased immediately and never opened. The old lesson taught by every mother applies here: never accept gifts or sweets from strangers.

Warez distribution sites might contain two dangers. First, they distribute pirated software, which is illegal. Second, the warez might be a trojan horse, concealing malicious code within. The warez zone is a lawless zone.

A low-risk behavior, therefore, if the user usually connects to IRC channels or newsgroups, is to restrict activity to posting only, or to accept text and picture files only.

Obviously, the basic and oldest form of infection must not be forgotten: file swapping and exchange through disks, networks and CD-ROMs. An innocent-looking floppy disk borrowed from a friend might represent the destruction of all files in a computer. CD-ROMs, even those not recorded by users, might be risky. There were cases of CD-ROMs, distributed freely by Internet Access Providers, that were infected.

It is common for corporations and schools to define rules for handling disks around their computers. The main cause of virus infection in corporations is an employee who brings an infected disk, or receives an infected email.

In a network or LAN, files on a computer's hard disk can be seen or opened by another computer in the network. Therefore, if these files are infected, the computer that opens the files (the client) will also be infected. The protection measure here is to install antivirus programs on every computer in the network.

Finally, at least every 15 or 20 days, with the antivirus properly updated, the user must run a full virus scan of all files stored on the computer's hard disk. This ensures that undetected or inactive viruses are found.


Final Considerations

Viruses are plagues born along with computers. Their destruction potential is immense and inexorable. Viruses served as a theme for movies and famous books, such as the movie Independence Day (1996, 20th Century Fox), where aliens seek Earth domination and are destroyed with the help of a virus transmitted to their computer system. In the book 3001: The Final Odyssey, by Arthur C. Clarke, the black monoliths, about to destroy humanity spread around the solar system, are deactivated when forced to run mathematical programs which resulted in infinite calculations. Both instances were based on a true principle in Computer Technology: any computer system can emulate another less capable computer system.

With the advent of the Internet, the speed and ease of virus dissemination became a matter of days or hours and a few clicks of the mouse. The losses caused by virus attacks reach billions of dollars and planetary dimensions. No one, no country, no corporation and no computer system is safe from viruses. Unless the corporation has no computers, or the computers are turned off. It is as simple as that.

Using tools such as antiviruses and firewalls is essential in order to keep the safety and integrity of data and contain the power of these little programs that, like biological viruses, are diminutive and fragile, but have astonishing destructive power.



