COMPUTE!'s computer viruses.pdf - adamas.ai
COMPUTE!'s COMPUTER VIRUSES
Ralph Roberts
COMPUTE! Books
Greensboro, North Carolina
Radnor, Pennsylvania
Other Books by Ralph Roberts:
COMPUTE!'s Using Turbo Basic
COMPUTE!'s Using Borland's Sprint
The Price Guide to Autographs
Auction Action!
Analysis with Reflect
The Power of Turbo Prolog
The Word Processor Buyer's Survival Manual
Editor: Stephen Levy

Copyright 1988, COMPUTE! Publications, Inc. All rights reserved. Reproduction or translation of any part of this work beyond that permitted by Sections 107 and 108 of the United States Copyright Act without the permission of the copyright owner is unlawful.

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

Library of Congress Cataloging-in-Publication Data
Roberts, Ralph
COMPUTE!'s computer viruses
p. cm.
Includes index.
ISBN 0-87455-178-1
1. Computer viruses. I. Title.
QA76.76.C68R62 1988
005.8--dc19 88-28556

The authors and publisher have made every effort in the preparation of this book to insure the accuracy of the programs and information. However, the information in this book is sold without warranty, either express or implied. Neither the authors nor COMPUTE! Publications, Inc. will be liable for any damages caused or alleged to be caused directly, indirectly, incidentally, or consequentially by the programs or information in this book.

The opinions expressed in this book are solely those of the author and are not necessarily those of COMPUTE! Publications, Inc.

COMPUTE! Books, Post Office Box 5406, Greensboro, NC 27403, (919) 275-9809, is a Capital Cities/ABC, Inc. company, and is not associated with any manufacturer of personal computers. IBM is a registered trademark and OS/2 is a trademark of International Business Machines Corporation. MS-DOS is a registered trademark of Microsoft Corporation. Apple and Macintosh are trademarks of Apple Computer, Inc. Amiga is a trademark of Commodore-Amiga. Atari and Atari ST are trademarks of Atari Corporation.
CONTENTS
Preface ... v
Acknowledgements ... vi
1. Your Computer May Be Sick! ... 1
2. History and Infamous Viruses ... 9
3. How Viruses Work ... 17
4. Fighting Viruses and Practicing Safe Computing ... 31
5. How the Experts Deal with Viruses ... 55
6. Corporate Initiatives for PC Data Security (Pamela Kane) ... 81
7. The Case of the Gerbil Virus that Wasn't (Raymond M. Glath) ... 91
8. IBM PCs and Compatibles ... 95
9. Macintosh ... 133
10. Atari ... 145
11. Amiga ... 151
12. The Only Good Virus Is a Dead Virus ... 163
Index ... 168
PREFACE

What if all the data on your computer's hard disk and/or floppies suddenly disappears? Millions of characters of information are irretrievably gone and the only thing left in return is an infantile message like "Arf! Arf! Gotcha!" or "Welcome to the dungeon ... beware the virus."

The destructive rampages of these terrible little hidden programs from sick minds are not limited to high-risk users who download indiscriminately from pirate electronic bulletin boards. Associated Press and United Press International stories in recent months have reported that such major institutions as NASA, Lehigh University, Miami (Ohio) University, ARCO Oil, Hebrew University in Israel, and others have had computer virus attacks. Viruses can attack your system even if you don't have a telephone modem.

Like a biological virus, a computer virus can replicate itself and be spread (through the use of "Trojan horse" programs) from system to system. Trade a floppy disk with a friend and you may unwittingly be destroying large amounts of important data in your system, be it a single-user computer or a large telephone-linked network of 20,000 terminals. It's not even enough to have good backups; a timed-release virus can also be in the backup disks or tape, destroying data time after frustrating time.

There have been viruses reported for all of the major brands of computers. Those with IBM and compatibles, and Macintoshes, are currently the most vulnerable, but the potential threat to all machines is scary. Like vaccinating against smallpox or typhoid fever, there are prudent steps computer users can take that may very well save them hours and days of work, or even more than that.

Whether you're a single computer owner or the manager of a large area network, this book offers relief from the fear and the very real danger of a viral infection in your system. It will help you understand and implement ways to protect your system, as well as those of your friends and clients who put programs into their own systems that were copied off your disks.

Typhoid Mary was a dishwasher who, while not sick herself, spread that disease to many others. Imagine how poor Mary would be sued today. This book helps you protect yourself in many ways.
Acknowledgments

The author gratefully acknowledges all those who helped in the preparation of this book, with special thanks to: Ray Glath, Ross Greenberg, and Pam Kane.

And to those other staunch virus fighters: Ron Benvenisti, Dennis Director, Chuck Gilmore, Eric Hansen, Dr. Harold Highland, John McAfee, Mike Riemer, Howard Upchurch, Steve Tibbett, and Jeff Shulman.

And to: Stephen Levy, Claudia Earhart, Pam Williams, and all my other friends at COMPUTE! Books.

And most especially to you, the reader, in hopes that this book proves helpful.
1
YOUR COMPUTER MAY BE SICK!

Virus: "Something that corrupts or poisons the mind or the soul."
Webster's New Collegiate Dictionary

"Over one percent, or about a quarter of a million IBM PCs and compatibles are already infected," says Larry DiMartin, president of Computer Integrity Corporation, publishers of the commercial viral protection program, Vaccinate.

A computer virus is a small program, usually hidden as a code segment of a larger host or Trojan horse program. It has the ability to replicate itself, and to move from computer to computer through the transfer of disks, or by electronic communications. You're safe only if you never buy a program, never borrow a disk from a friend, never call a computer network or electronic bulletin board, never turn on and use your computer at all. In other words, the possibility of a computer viral infection cannot be eliminated totally, only minimized.

While not alive, the resemblance in the actions of a computer virus to the reproductive and infectious qualities of a biological virus is uncanny, even horrifying. Hence the name computer virus.

Viruses may or may not be harmful. Their effects range from the humorous to the catastrophic. A destructive virus could wipe out data it has taken you or your company years to accumulate, including backups. Whatever the effect, someone is messing with your system without your permission. This book helps you to: Avoid neglect! Detect! Protect!

One factor on our side is that a computer virus must be machine-specific. An Amiga virus isn't going to thrive in an IBM environment; a Macintosh virus can't wipe out Atari disks. This is the good news. The bad news is that the Computer Virus Industry Association, a group of software companies who manufacture and sell antiviral products, has already identified viruses on most of the major categories of personal computers being sold today. These include over 20 different types that attack IBM PCs and compatibles, 4 that are Macintosh-specific, 4 that prey on Amigas, and 6 more that infect other types of computer architecture.

These, of course, are just the ones that have been verified as existing. The scope of the virus problem (as evidenced by more and more reports) continues to grow. The odds are with an individual computer owner right now; however, the odds will continue to drop if things go unchecked. Next month, next year, your computer might catch a virus. It could be sick already.
Where Do Viruses Come From?

Computers have always been prone to losing large amounts of data in the blink of an eye. Equipment malfunction, operator error: the reasons are many and varied. In this crazy world, you must also add those who deliberately want to destroy your data. These electronic terrorists come in many stripes.

Some, like medical experimenters who may have carelessly let a biological bug escape from the laboratory, did not unleash their viruses into the world information pool intentionally. The term virus was coined by a University of California graduate student, Fred Cohen. He demonstrated how to write a computer program that could infiltrate and attack a computer system in much the same way that a biological virus infects a human. Other students and educators have experimented with these nasty little codes. So have hackers (a description that used to be honorable, but now has been sullied by those few who abuse their knowledge) and various research and development groups.

An intelligence agency is not going to overlook this means of disrupting an enemy country's informational infrastructure. It's obvious and logical that a good many governments could already be experimenting, perhaps even field testing, such computer viruses.

A second group are pranksters, those individuals or groups who have a "message" to disseminate, or just pure jokers who want to mess with your system (though not necessarily destructively). The Macintosh Peace virus, supposedly benign and well-intentioned, but still frightening many computer owners, is a prime example of this.

According to a February 12, 1988 UPI report, the source of this Macintosh virus is Richard Brandow, publisher of a 40,000-circulation magazine called MacMag, based in Montreal, Quebec. The report quotes a spokesman for the magazine as confirming this.

The Brandow message reads:

Richard Brandow, Publisher of MacMag, and its entire staff would like to take this opportunity to convey their Universal Message of Peace to all Macintosh users around the world.

The message includes a small drawing of the world and is signed by a Drew Davidson.

The virus was designed to infect the Macintosh operating system and to flash the above message on the screen on March 2, 1988, the anniversary of the Mac II's introduction. To say the reaction among thousands of Macintosh users was irate is an understatement. Many hundreds of messages condemning Mr. Brandow and the Peace virus were posted in the Macintosh special interest groups on Delphi (where they still can be read in the Mac Group), Compuserve, and Genie.

In his own defense, Brandow said: "If other people do nasty things (with a virus), it is their responsibility. You can't blame Einstein for Hiroshima."

True, but the furor and uproar came from people who did not want an infectious "disease," no matter how allegedly benign, lurking in their operating systems.

Viruses maliciously designed to be destructive come from intentional electronic terrorists. These may be individuals harboring ill will against a particular company or institution, or ideological organizations. If Palestinian commandos could unleash a virus that would attack Israel's computers, might they not do it? Well, perhaps they already have. A little later we'll look at the Friday the 13th virus attack first reported by the Hebrew University in Jerusalem.
Do Viruses Really Exist?

The short answer is yes. Prior to 1988, although viruses were reported even in the 1970s, industry pundits tended to downplay the possibility of their existence. Anything that caused fear and reduced sales of the mushrooming personal computer industry was to be assiduously avoided.

Yet, it's the very success of the industry that has provided the medium for computer viruses to grow and spread. Their existence is no longer a matter of speculation, it's proven fact, with many incidents of viral attack now documented.

The Computer Virus Industry Association lists the top five viral strains (by reported incidence) as:

Scores (Macintosh)
Pakistani Brain (IBM PC)
SCSI (Amiga)
Lehigh (IBM PC)
Merritt (IBM PC)

The National BBS Association reports 39 known viruses.

Computer viruses, however, are hard to pin down and even more difficult to trace to the perpetrator. A major problem is the lack of expertise of most computer users in recognizing viral-related problems. The Computer Virus Industry Association reports the following statistics on their investigation of virus incidents:

• 94% of submissions are non-viruses.
  30% of these are bombs, Trojans, and so forth.
  50% are nonanalyzable (viruses tend to destroy the evidence).
  14% are attributable to operator error.
• Half of the remaining 6% are only partial viruses.
  Missing sectors were not collected.
  The virus was partially destroyed by its activation.
• There is an unknown, but probably large, number of viruses unreported because the user assumed the problem was in the hardware or through personal error.

The problem of computer viruses is so new and still so misunderstood that many people are still reacting out of fear. In its own way, the scourge of these data-destroying viruses can have just as frightening an effect on our society as some of the most deadly biological viruses.

Imagine your bank. A place of many branches and millions upon millions of dollars in deposits, all documented by a massive computer system. What if just one of thousands of bank employees downloads a game from an electronic bulletin board somewhere and plays it on the bank's time, using one of their PC workstations which, acting as a terminal, is connected to the bank's main computer system.

The innocuous-seeming little game is a Trojan horse, hiding a malicious virus. The virus replicates and spreads through the system. A time-released monster, it doesn't show any destructive tendencies until after it has not only made many copies of itself, but is also firmly lodged on the bank's backup tapes. The virus finally activates, and destroys or modifies perhaps millions of records.

Modification is even more frightening than out-and-out destruction. The random changing of one digit here and one digit there is far harder to detect. But one day you, your neighbor, the guy who runs the convenience store down the street, and the lady across town with the florist shop all go to the bank. You find there is no record of your money, or your life savings has been instantly reduced from fifteen thousand to fifteen cents!

Scary? Sure it is. A major virus attack is a catastrophe just waiting to happen. Worse, it could be you or your best friend who unwittingly copied the game from a bulletin board out of state and gave it to that bank employee.

Avoid neglect! Detect! Protect!

As the onslaught of computer viruses continues, we all have a collective responsibility. It's not enough to just safeguard our own data; we must help our fellow computer owners as well. That, again, is what this book is all about: how to institute methods of detecting and erasing any virus that may attempt to infiltrate your system, and how to keep from passing along the infection.
The Jargon

Below are definitions of the terms used in this book. These terms follow the definitions issued by the Computer Virus Industry Association.

Virus: A computer virus is a small program that can lie dormant for months before performing its destructive mission, such as erasing the contents of your hard disk. The resemblance in action to biological viruses is almost uncanny. A computer virus can replicate itself and be unwittingly spread from system to system. It "infects" and hides inside of another program, such as the computer's operating system or an application program.

Activation: The final phase of the virus life cycle, during which it does whatever was programmed in as the end goal. This can be full or partial destruction of its environment, sending a message to the screen, or some other system disturbance.

Activation Period: The time of delay programmed into the virus that it waits between the initial infection and its activation.

Bomb: A program that, through intent or programmer error, malfunctions and causes destructive results.

Boot Infector: A virus that attaches itself to the boot sector of a disk, either floppy or hard.

Generic Infector: A virus that can attach itself to any general program (such as those with the extension .COM or .EXE in the IBM world).

Hacked Programs: Hacked (and also Pirated) programs are regular commercial programs whose copy protection or other normal operation has been modified. Often not intentional, the destructiveness of these programs is simply the result of a novice programmer's poor technique.

Host Program: Host programs are those to which a computer virus attaches itself. This is an executable program such as those with .COM or .EXE extensions.

Infection Detection Product: Any hardware or software product that detects virus infection after it occurs.

Infection Identification Product: Any hardware or software product that identifies specific virus strains in an infected system.

Infection Prevention Product: Any hardware or software product that prevents a virus from initially infecting a system.

Isolation: The method the virus uses to distinguish itself from the host program.

System Infector: A virus that replicates by attaching itself to operating or environment system files.

Trojan Horse: A Trojan or Trojan Horse is either a vehicle to transmit a virus into computer systems, or a destructive program on its own. Like the ancient Greeks who were supposed to have captured the city of Troy by leaving a huge wooden horse full of soldiers outside the gates, pulling such a program into your system can have similar disastrous results. A disaster may not occur for months. On the other hand, your hard disk's light may come on when the program is run (and all files erased) and an infantile message like "Arf! Arf! Gotcha!" may appear on the screen.

Replication: The process of reproduction, where the virus copies itself (or detaches) from the present host to a new one.

Worms: Worms are an earlier name for computer viruses.
2
HISTORY AND INFAMOUS VIRUSES

You cannot judge the horse by the harness.
Old Proverb

The popular press has suddenly discovered computer viruses. As is human nature with something newly learned, many reporters treat the specter of viruses and Trojan horses as a brand new horror just now looming over the horizon of the Information Age like black storm clouds billowing and brewing. However, the lightning-cracklings presaging the storm have been around much longer than the computer industry has previously been willing to admit. In 1974, the first self-replicating code was demonstrated at the Xerox Corporation, but the problem is even older than that.

Viral History

During the sixties, when hacker was a term of respect, young people at such places as the Massachusetts Institute of Technology were doing things with computers that had never been done before. They did wondrous and glorious things like inventing the game Space War and sitting up all night coding the most elegant "hack" (program) possible, subsisting on candy bars and soft drinks. Out of this group came many of the people who first conceived of personal computing. It was these early hackers who made personal computing possible, despite all the naysaying of the big machine people. We owe them a great debt.

One honorable pursuit, in this infancy of personal interaction with computers, was to play with friends' minds by messing up their program code. Hackers won points and respect by introducing a problem that would be undetectable for as long as possible. Watching the friend go crazy as the program bombed time after time for inexplicable reasons was considered great sport.

These clandestine modifications to code were not viruses; they were bombs (taking immediate effect). Yet, these bombs proved that controlling another person's program to someone's own ends was possible. Perhaps the one universal rule of all mankind is that if something is possible, someone, somewhere, for some reason (sane or not), will do it. We can then attach the addendum that someone else will hear of this thing being done, and do it. When a computer virus is reported in the press, other programmers may decide to construct viruses of their own.
Computer Crime

The subject of viruses is not the only one the computer industry has been silent on; another area is computer crime. A major reason for the silence is simply self-interest. The companies are afraid, justified to some extent, that talk of viruses will hurt sales, and that public discussion of computer crime will encourage other programmers to emulate it.

Some of the same techniques used in the late fifties to defraud by computer are also being used in the sick world of those who hatch and unleash computer viruses. A logic bomb is one of these. This is a clandestine portion of a program which is executed when the computer determines that certain conditions have been met. These conditions can be satisfied by elapsed time, the number of times the program has run, or, more commonly, on a certain date.

There have been numerous instances where a programmer who quit or was fired from a large company left such a bomb in the system. These logic bombs have done everything from simply shutting down the system on the programmer's birthday (in effect, taking the day off) to maliciously destroying thousands of important records. Again, if it can be done (and it certainly can), someone will attempt it.

It's much harder to implant an undetectable program that will accomplish a useful feat for the warped programmer, such as rounding down all cents figures and routing the overage into an account belonging to the computer burglar. It's easier to slip in a virus or bomb that will do malicious damage. Such programs usually destroy themselves and make it almost impossible to find the perpetrator.

Thus, computer viruses are a more common problem than computer crime for profit. They are also more widespread. While it may pay to slip a "round down" program into a bank's system (a task security people continue to make harder and harder), the same is not true of a personal computer system. Most likely, no one wants to steal your data; someone wants to destroy it.
The Recent Viral Explosion

The computer industry's tight lid on virus information began leaking in 1984, when scientific papers on computer viruses started appearing. The first virus to cause widespread infection and damage appeared in 1986. By 1988, public reports from Associated Press and others, and articles in the various industry trade periodicals, have caused the industry pundits not only to pull their heads from the sand, but in many cases, to glare around in a state close to panic.

Many software publishers are spurring their programmers to build in virus protection for commercial programs (and let's hope that none of those programmers become disaffected). A number of companies have sprung up who make products to detect and protect systems against viruses, and many shareware and public domain programs are also now available.

The basis for this sudden concern about viruses by the industry and the increased public awareness of the problem is the same: it's gotten worse. Literally several million more computers exist today than did a mere two years ago. Telephone modems are selling for under one hundred dollars. Tens of thousands of users are calling electronic bulletin boards and computer networks daily. The medium for computer viruses to thrive and spread has become a hundredfold more fertile. As computers continue to spew from scores of assembly lines in the many thousands per year, "living" space for viruses increases dramatically.

Let's be frank. The virus problem is going to get worse before it gets better. We're all going to have to take measures to protect ourselves and those who we come in contact with electronically. This is why the bulk of this book is concerned with actual detection and protection instead of theory.
The Scores Virus<br />
The Environmental Protection Agency, NASA, and Apple<br />
Computer<strong>'s</strong> Washington, D.C. sales office were all hit this year,<br />
according to the April 11, 1988 issue of Info World. In each<br />
case, systems were affected by a virus program on personal<br />
<strong>computer</strong>s within their systems (in this case, Macintoshes). It<br />
spread from there throughout the system. As reported by Bill<br />
Pike in the Virus Newsletter, private contractors in the Washington<br />
and North Carolina area inadvertently sold dozens of<br />
<strong>computer</strong>s that carried the virus on hard disk to government<br />
agencies.<br />
It is not yet known how much damage was done over a<br />
five month period starting in January. Damage to government<br />
data appears to be limited, due mostly to the virus being designed<br />
for personal <strong>computer</strong>s while most of the sensitive data<br />
was in m<strong>ai</strong>n frame <strong>computer</strong>s that the virus couldn't infect.<br />
The FBI was called in to investigate. Because the original<br />
source is so difficult to determine, the efforts of the investigators<br />
are being spent more on trying to prevent future occurrences<br />
rather than pinning the blame on an individual or group.<br />
"This was definitely a criminal act," Cynthia Macon, a<br />
spokeswoman for Apple s<strong>ai</strong>d.<br />
The Scores virus has built-in time bombs that activate<br />
two, four, and seven days after a disk has become infected. The<br />
results are varied, but include printing problems, system<br />
crashes, and the malfunction of desk accessory operations.<br />
Data files are not affected by this particular virus, but all<br />
application programs including system files have to be deleted<br />
to erase the virus. A government technician, who preferred not<br />
to be named, said the Scores virus had now been widely dispersed<br />
throughout the country.<br />
Apple now admits the problem and has released an antiviral<br />
program (called Virus RX) which will be discussed later.<br />
Scores is the most commonly reported type of virus, but the<br />
IBM and compatibles world makes up for this by having many<br />
more strains of viruses.<br />
The Brain Virus<br />
The Providence, R.I. Journal-Bulletin newspaper, in a widely<br />
published UPI report, said it spent a week and a half stamping<br />
out a virus that infected its in-house PC network used by<br />
reporters and editors. The virus apparently destroyed one<br />
reporter's data and infected scores of floppy disks before it<br />
could be removed.<br />
Journal reporter Jeffrey L. Hiday said the virus was "a<br />
well-known, highly sophisticated variation called the brain virus,<br />
which was created by two brothers who run a computer<br />
store in Lahore, Pakistan." Variations of this alleged virus have<br />
cropped up at companies and colleges across the country,<br />
including Bowie State College in Maryland, where it destroyed<br />
five students' disks, and Miami University in Ohio, where it<br />
threatened to wipe out stored term papers.<br />
Hiday wrote that the newspaper contacted one of the Pakistani<br />
brothers by phone, who said he created the virus merely to<br />
keep track of software he wrote and sold, adding that he did<br />
not know how it got to the United States.<br />
"U.S. computer programming experts, however, believe<br />
the Pakistanis developed the virus with malicious intent,"<br />
Hiday wrote. "The original version may be relatively harmless,<br />
they point out, but its elegance lends itself to alterations by<br />
other programmers that would make it more destructive."<br />
The newspaper discovered the virus on May 6 when a<br />
message popped up on computer screens reading, "Welcome to<br />
the Dungeon ... Beware of this VIRUS. Contact us for<br />
vaccination." The message included a 1986 copyright date, two<br />
names (Basit and Amjad), a company (Brain Computer Services),<br />
an address (730 Nizam Block Allama Iqbal in Lahore,<br />
Pakistan) and three phone numbers.<br />
The Lehigh Virus<br />
Here's how Kenneth R. van Wyk, User Services Senior Consultant,<br />
Lehigh University Computing Center, described the Lehigh<br />
virus that attacked their system in 1987, destroying a large<br />
percentage of their public site disks.<br />
"The virus is contained in the stack space of COMMAND.COM.<br />
When a PC is booted from an infected disk, all a user<br />
need do to spread the virus is to access another disk via TYPE,<br />
COPY, DIR, etc. If the other disk contains COMMAND.COM,<br />
the virus code is copied to the other disk. Then, a counter is<br />
incremented on the parent. When this counter reaches a value<br />
of 4, any and every disk in the PC is erased thoroughly. The<br />
boot tracks are nulled, as are the FAT tables, etc.<br />
"All Norton's horses couldn't put it back together again.<br />
"This affects both floppy and hard disks. Meanwhile, the<br />
four children that were created, go on to tell four friends, and<br />
then they tell four friends, and so on, and so on."<br />
The Friday the 13th Virus<br />
Y. Radai of the Computation Center at the Hebrew University<br />
of Jerusalem recently described the Friday the 13th virus,<br />
which also affects IBM PCs and compatibles. He did so in a<br />
warning message disseminated widely on the ARPANET<br />
computer network (which connects government agencies,<br />
universities, and similar institutions worldwide), and which<br />
was then copied to the various commercial networks such as<br />
CompuServe and Delphi.<br />
"Our version," Radai said (comparing it to the Lehigh virus),<br />
"instead of inhabiting only COMMAND.COM, can infect<br />
any executable file. It works in two stages: When you execute<br />
an infected .EXE or .COM file the first time after booting, the<br />
virus captures interrupt 21 (hexadecimal) and inserts its own<br />
code. After this has been done, whenever any .EXE file is executed,<br />
the virus code is written to the end of that file, increasing<br />
its size by 1808 bytes. .COM files are also affected, but the<br />
1808 bytes are written to the beginning of the file, another 5<br />
bytes (the string MsDos) are written to the end, and this extension<br />
occurs only once."<br />
The disease, according to Radai, manifests itself in at least<br />
three ways:<br />
1. Because of this continual increase in the size of .EXE files,<br />
such programs eventually become too large to be loaded into<br />
memory or there is insufficient room on the disk for further<br />
extension.<br />
2. After a certain interval of time (apparently 30 minutes after<br />
infection of memory), delays are inserted so execution of<br />
programs slows down considerably. (The speed seems to be<br />
reduced by a factor of 5 on ordinary PCs, but by a smaller<br />
factor on faster models.)<br />
3. After memory has been infected on a Friday the 13th, any<br />
.COM or .EXE file executed on that date gets deleted.<br />
"It is possible," Radai continues in the message, "that the<br />
whole thing might not have been discovered in time were it not<br />
for the fact that when the virus code is present, an .EXE file is<br />
increased in size every time it is executed. This enlargement of<br />
.EXE files on each execution is apparently a bug; probably the<br />
intention was that it should grow only once, as with .COM<br />
files, and it is fortunate that the continual growth of the .EXE<br />
files enabled us to discover the virus much sooner than<br />
otherwise.<br />
"From the above it follows that you can fairly easily detect<br />
whether your files have become infected. Simply choose one of<br />
your .EXE files (preferably your most frequently executed one),<br />
note its length, and execute it twice. If it does not grow, it is<br />
not infected by this virus. If it does, the present file is infected,<br />
and so, probably, are some of your other files. (Another way of<br />
detecting this virus is to look for the string 'sUMsDos' in bytes<br />
4-10 of .COM files or about 1800 bytes before the end of .EXE<br />
files; however, this method is less reliable since the string can<br />
be altered without attenuating the virus.)<br />
"Of course, this is only the beginning. We can expect to see<br />
many new viruses both here and abroad. In fact, two others<br />
have already been discovered here. In both cases the target date<br />
is April 1. One affects only .COM files, while the other affects<br />
only .EXE files. What they do on that date is to display a 'Ha<br />
ha' message and lock up, forcing you to cold boot. Moreover<br />
(at least in the .EXE version), there is also a lockup one hour<br />
after infection of memory on any day on which you use the default<br />
date of 1-1-80. (These viruses may actually be older than<br />
the above-described virus, but simply weren't noticed earlier<br />
since they extend files only once.)"<br />
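Radai's two checks can be written out as a short scanner. The following is an added example, not code from Radai's message or from this book: the file contents are constructed stand-ins laid out the way Radai describes infected files (the 1808-byte body holds only the marker and padding), the 2 KB window searched at the end of .EXE files is an assumption, and only sizes_in() touches a real directory.<br />

```python
"""Checks for the two symptoms Radai describes: the 'sUMsDos' marker and
executables that grow on each run.  Added example (not Radai's or the
book's code); the sample files below are constructed for the test."""
from pathlib import Path

MARKER = b"sUMsDos"
COM_MARKER_OFFSET = 4      # Radai: bytes 4-10 of an infected .COM file
EXE_TAIL_WINDOW = 2048     # Radai: "about 1800 bytes before the end" (2 KB window is an assumption)
BODY_LENGTH = 1808         # size increase per infection reported by Radai


def has_marker(data: bytes, suffix: str) -> bool:
    """Marker test: fixed offset for .COM, anywhere in the tail window for .EXE."""
    suffix = suffix.lower()
    if suffix == ".com":
        return data[COM_MARKER_OFFSET:COM_MARKER_OFFSET + len(MARKER)] == MARKER
    if suffix == ".exe":
        return MARKER in data[-EXE_TAIL_WINDOW:]
    return False


def marked_files(files: dict) -> list:
    """Sorted names of the files (name -> bytes) that carry the marker."""
    return sorted(name for name, data in files.items()
                  if has_marker(data, Path(name).suffix))


def growth_report(sizes_before: dict, sizes_after: dict) -> dict:
    """Files that grew between two measurements, e.g. before and after
    running them twice as Radai suggests.  Value: (bytes grown, True if the
    growth is a whole number of 1808-byte bodies)."""
    report = {}
    for name, after in sizes_after.items():
        before = sizes_before.get(name)
        if before is not None and after > before:
            grown = after - before
            report[name] = (grown, grown % BODY_LENGTH == 0)
    return report


def sizes_in(directory: str) -> dict:
    """Record the current sizes of the .COM/.EXE files in a real directory."""
    return {p.name: p.stat().st_size for p in Path(directory).iterdir()
            if p.suffix.lower() in (".com", ".exe")}


def sample_files() -> dict:
    """Constructed stand-ins laid out the way Radai describes infected files:
    1808 bytes prepended to a .COM (marker at bytes 4-10, 'MsDos' at the end)
    and 1808 bytes appended to an .EXE.  The body is marker plus padding only."""
    body = b"\xe9\x00\x00\x00" + MARKER
    body += b"\x00" * (BODY_LENGTH - len(body))
    clean_com = b"\x90" * 64                     # placeholder program: NOPs
    clean_exe = b"MZ" + b"\x00" * 1000           # placeholder MZ file
    return {
        "CLEAN.COM": clean_com,
        "INFECTED.COM": body + clean_com + b"MsDos",
        "CLEAN.EXE": clean_exe,
        "INFECTED.EXE": clean_exe + body,
    }


if __name__ == "__main__":
    files = sample_files()
    print("marker found in:", marked_files(files))
    before = {"APP.EXE": len(files["CLEAN.EXE"])}
    after = {"APP.EXE": len(files["INFECTED.EXE"])}
    print("grew:", growth_report(before, after))
```

To apply the growth test, record sizes_in() once, run the programs as Radai suggests, record again, and feed both snapshots to growth_report(); growth in whole multiples of 1808 bytes is the signature he reports. The marker test is the weaker of the two for exactly the reason he gives: the string can be altered.<br />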
The Sunnyvale Slug<br />
An article in the July 1988 issue of Personal Computing reported that a<br />
northern California company (which prefers not to be named)<br />
was suffering attacks on its IBM PCs from a virus dubbed the<br />
Sunnyvale Slug.<br />
The Slug does various things, some benign and some<br />
destructive. It may flash a message on the screen reading:<br />
"Greetings from Sunnyvale. Can you find me?" Worse, it<br />
sometimes modifies DOS's COPY command so it deletes instead<br />
of copies.<br />
The company, as more and more are doing, turned to an<br />
outside virus expert to help clean its system, in this case<br />
Panda Systems of Wilmington, Delaware. Panda manufactures<br />
a commercial virus protection program, the Dr. Panda utilities<br />
(which, along with many others, are discussed later in this<br />
book).<br />
President Pam Kane and her programming staff serve as<br />
an equivalent in the computing field to famous oil well fire<br />
extinguisher Red Adair in the petroleum industry. If a company<br />
is suffering a viral attack in its system, Pam and her troops can<br />
"cap the fire."<br />
Conclusion<br />
Computer viruses exist and have existed for some time. There<br />
are many documented examples, like those above, of their attacks.<br />
The explosive spread of personal computers in their<br />
many millions gives viruses a fertile medium in which to replicate<br />
and spread as well.<br />
3<br />
HOW VIRUSES<br />
WORK<br />
The disaster originating in this source, spread throughout the<br />
country and the people.<br />
Horace<br />
Let's tell it like it is.<br />
Computer data storage is a lot more vulnerable than most<br />
people realize. The problem of viruses, bombs, and Trojan<br />
horses aside, there are still numerous operator errors and<br />
equipment malfunctions that can scramble the contents of a<br />
floppy disk or even an entire 20 megabyte hard disk in less<br />
than a second!<br />
Salespeople and others connected with the computer industry<br />
tend not to mention or, at best, gloss over this<br />
vulnerability. It has been the experience of this writer, wearing<br />
the hat of computer consultant, that most people are simply<br />
unaware of how precarious their data storage really is. On IBM<br />
and other MS-DOS computers, how often are disks examined<br />
with CHKDSK? Not nearly enough. Lost cluster chains and<br />
files corrupted for a variety of reasons crop up constantly on<br />
the best of systems.<br />
An Accident Waiting to Happen<br />
If CHKDSK is not used often to check that a disk is storing<br />
data properly (and appropriate maintenance implemented<br />
when a problem is detected), any MS-DOS file system will<br />
eventually tear itself apart. This is a fact of life.<br />
The computer industry has greatly downplayed the areas in<br />
which computers can be unreliable. Backup and DOS-level<br />
maintenance are not stressed at all, and end users waste hours<br />
upon hours recovering data (or trying to).<br />
Every file read/write operation is an "accident waiting to<br />
happen." Not just on IBM and compatibles, but on all computers.<br />
The disk is spinning (in the case of most PC hard disks) at<br />
perhaps 3600 rpm. The heads are whipping back and forth.<br />
There are millions of operations per second going on in the<br />
computer's memory. A momentary voltage surge, a minute<br />
mechanical slippage, an error in one of thousands of program<br />
instructions, and the data on the disk is ruined or damaged.<br />
It is beyond the province of this book to explain DOS-level<br />
maintenance (although it's strongly recommended that<br />
you learn and use these techniques for your own protection),<br />
but the point to be made here is that computers are already<br />
easy enough to foul up. Because of this vulnerability, viruses<br />
can quickly and easily do serious damage, in mere milliseconds.<br />
Disks Present a Bare Throat to Viruses<br />
For programs to work reliably, data must be stored in a consistent<br />
manner on all computers of a specific type. The actual<br />
structure of information recorded on MS-DOS disks is different<br />
from that used for Macintosh computers (reflecting the demands<br />
of their respective operating systems), but is essentially<br />
the same for all computers within that class. In other words, an<br />
IBM PC compatible disk from a computer in Hong Kong can<br />
be read by one in New Jersey or Scotland or Pago Pago,<br />
American Samoa.<br />
This interchangeability is both a strength and a weakness.<br />
It allows the free exchange of information, but it also facilitates<br />
the spread of viruses.<br />
Without getting too technical, understanding how disks<br />
work (and their vulnerable nature) will show you just why viruses<br />
can have such a field day trashing your system. All disks<br />
work in the same general way, but let's use MS-DOS (IBM<br />
and compatibles) as an example.<br />
All disks (5¼" floppies, 3½" disks, or fixed hard disks) are<br />
basically the same in operation. The only difference, essentially,<br />
is a matter of capacity. Each of these disks has a number<br />
of magnetic tracks (sometimes referred to as cylinders). Tracks<br />
may be thought of as similar to the grooves on a phonograph<br />
record.<br />
Each track is subdivided into sectors (all of this done<br />
magnetically by the computer that formatted the disk). Tracks<br />
and sectors have specific numbers: Every part of the disk has<br />
an address.<br />
A program can then send a request to the computer to<br />
read or write data into or out of Track X, Sector Y. This command<br />
is sent by the computer to the disk controller card, which<br />
figures out how to physically position the read/write head in<br />
order to comply with the instructions received.<br />
Thus, if a program sends erroneous address information<br />
during a write process, data belonging to a file other<br />
than the one being worked on can be overwritten. So any of<br />
perhaps hundreds of programs on a hard disk can, through<br />
simple error, foul up any of literally millions of pieces of data.<br />
The disk controller has no way of knowing whether the command<br />
was right or not, or whether it came from a legitimate<br />
program or a virus; it just blindly writes to the location<br />
specified.<br />
The first track on a disk, especially on a hard disk, usually<br />
has a small program that's read and run when you first turn on<br />
your computer. This process is called booting and the first track<br />
is the boot track. The boot program initializes the computer<br />
and readies it to do work. If the boot program is infected by a<br />
virus, you've lost control from the start.<br />
Now for a really soft place in disk structure, the jugular<br />
vein that sharp-fanged viruses often go for: the File Allocation<br />
Table. After a while, disks become fragmented. That is, if there<br />
is a 40K file to be written but there's not 40K of contiguous<br />
space, the disk controller will break up the file and put the fragments<br />
here and there as it tries to use all the space<br />
on the disk effectively. (This, by the way, has the effect of slowing down<br />
disk accesses as the heads eventually have to hunt all over the<br />
disk to find the sectors belonging to a particular file. A utility<br />
to optimize disks, like Norton's Speed Disk, speeds up access<br />
time by simply redoing the disk so files are contained in adjacent<br />
clusters instead of randomly distributed.)<br />
The real problem occurs because of the just-described way<br />
in which sectors are put on disks: in any open space. For the<br />
computer, through the disk controller, to find all of our 40K<br />
file again, there has to be an index (actually, in this case,<br />
indexes).<br />
On an MS-DOS disk, the directory structure on the first<br />
part of the disk references the first cluster of each file (its beginning<br />
address); another index, the FAT or File Allocation Table,<br />
has the addresses of the scattered clusters that<br />
contain the remainder of the file. A cluster is the<br />
smallest unit of disk space that the oper<br />
ating system allocates to a file when it reads or writes.<br />
The disk controller, when given the address (track and sector)<br />
of this cluster, can access the first portion of the file. Next,<br />
the FAT is referred to for the location of the next cluster, and<br />
so on until the end of the file is reached.<br />
Every cluster on the disk is referenced in the FAT.<br />
The information contained here can indicate that the cluster is<br />
unused, damaged (marked as a bad cluster), that it's the last<br />
cluster in a file, or show where the next cluster in that file is located.<br />
In other words, the FAT provides the chain that links<br />
clusters together to form files.<br />
A standard 360K floppy has 354 clusters. A 24 megabyte<br />
hard disk has over 12,000. Each of these 12,000 plus clusters is<br />
referenced in the FAT for that disk. It's the only way files can<br />
be properly read or written.<br />
If you think all this sounds like a cumbersome, error-prone<br />
way to do things, you're right! There is no need to erase files or<br />
cause the disk to be reformatted for a virus or worm to make a<br />
disk unusable. Just trash the FAT. All the information will still<br />
be on the disk but you can't get to it (a good programmer, with<br />
a lot of headaches and cursing can recover parts of the disk).<br />
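To make the directory-plus-FAT indexing concrete, here is an added model of a small FAT disk; it is not code from the book. walk() follows a cluster chain the way the operating system does before it hands addresses to the controller, read_file() joins the clusters back into the file, and check_disk() performs the CHKDSK-style checks for broken chains, cross-linked clusters and the lost cluster chains mentioned earlier in this chapter. The disk, its file names and contents are all constructed here.<br />

```python
"""Walking and checking FAT cluster chains on a constructed in-memory disk.
Added illustration (not from the book): a FAT12-style table as a list and a
directory mapping file names to their first cluster."""
FREE, BAD, EOF = 0x000, 0xFF7, 0xFFF   # FAT12 entry values; EOF stands for the 0xFF8-0xFFF range
FIRST_DATA_CLUSTER = 2                 # entries 0 and 1 are reserved


def walk(fat, first):
    """Follow a chain from `first`.  Returns (clusters, status): 'ok', 'loop',
    'free' (chain points into an unallocated cluster), 'bad' (chain runs
    through a cluster marked bad) or 'range' (pointer off the disk)."""
    clusters, c = [], first
    while True:
        if not FIRST_DATA_CLUSTER <= c < len(fat):
            return clusters, "range"
        if c in clusters:
            return clusters, "loop"
        clusters.append(c)
        entry = fat[c]
        if entry == FREE:
            return clusters, "free"
        if entry == BAD:
            return clusters, "bad"
        if entry >= 0xFF8:
            return clusters, "ok"
        c = entry


def read_file(fat, data, first):
    """Join the clusters of a file in chain order; status tells if the chain was intact."""
    clusters, status = walk(fat, first)
    return b"".join(data[c] for c in clusters), status


def check_disk(fat, directory):
    """CHKDSK-style report: broken chains, cross-linked clusters (claimed by
    two files) and lost clusters (allocated but reachable from no directory entry)."""
    owners, broken = {}, {}
    for name, first in directory.items():
        clusters, status = walk(fat, first)
        if status != "ok":
            broken[name] = status
        for c in clusters:
            owners.setdefault(c, []).append(name)
    crosslinked = {c: names for c, names in owners.items() if len(names) > 1}
    lost = [c for c in range(FIRST_DATA_CLUSTER, len(fat))
            if fat[c] not in (FREE, BAD) and c not in owners]
    return {"broken": broken, "crosslinked": crosslinked, "lost": lost}


def build_sample_disk():
    """16-cluster disk with two files, one orphaned chain and one bad cluster (constructed)."""
    fat = [0xFF0, EOF] + [FREE] * 14
    data = [b""] * 16
    fat[2], fat[3], fat[7] = 3, 7, EOF               # REPORT.TXT: 2 -> 3 -> 7, fragmented
    data[2], data[3], data[7] = b"quarterly ", b"figures, ", b"final draft"
    fat[4], fat[5] = 5, EOF                          # NOTES.TXT: 4 -> 5
    data[4], data[5] = b"meeting ", b"notes"
    fat[9], fat[10] = 10, EOF                        # allocated chain with no directory entry
    fat[12] = BAD
    directory = {"REPORT.TXT": 2, "NOTES.TXT": 4}
    return fat, data, directory


if __name__ == "__main__":
    fat, data, directory = build_sample_disk()
    print("intact:", read_file(fat, data, directory["REPORT.TXT"]), check_disk(fat, directory))
    fat[3] = FREE          # one FAT entry zeroed: the data in cluster 7 is still on disk but unreachable
    print("after FAT damage:", read_file(fat, data, directory["REPORT.TXT"]), check_disk(fat, directory))
```

Zeroing a single FAT entry is enough to cut REPORT.TXT off from its third cluster: the bytes in cluster 7 are untouched, but nothing on the disk points to them any more, and check_disk() reports the chain as broken and cluster 7 as lost. That is the "trash the FAT" scenario of the paragraph above, and recovery means guessing which orphaned clusters belonged to which file.<br />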
Because of the delicacy and openness of your computer's<br />
read/write procedures, viruses can also do much more subtle<br />
and insidious things. If a virus is just occasionally changing<br />
data randomly, you may not even detect the problem before<br />
wholesale file corruption has set in.<br />
Let's look now at the types of computer viruses. We'll follow<br />
up with ways to protect against viral infection and how to<br />
detect and get rid of any you might already have.<br />
Types of Viruses<br />
The Computer Virus Industry Association, whose members are<br />
companies manufacturing antiviral software and hardware, is<br />
one group attempting to define standard terms. There are,<br />
according to the association, currently three classes of viruses:<br />
Boot infectors, system infectors, and general executable program<br />
infectors.<br />
Steve Gibson, the popular "Tech Talk" columnist in the<br />
computer trade weekly, InfoWorld, says there are four classes of<br />
viruses. He defines them as: General Purpose Infector (GPV),<br />
Special Purpose Infector (SPV), Very Clever General Purpose<br />
Infector Virus (VCGPV), and the Central System Infecting Virus<br />
(CSIV). The first three can infect any application program,<br />
while the last infects the operating system only.<br />
Both classifications fit what is now known about viruses.<br />
Gibson's system, as might be expected, is the more technical.<br />
Since this book is aimed more toward the general user who just<br />
wants to protect his or her system, not become a virus expert,<br />
we'll use the Computer Virus Industry Association's definitions.<br />
The National BBS Society has identified 39 different viruses,<br />
and there are certainly more strains than that. The good<br />
news is (despite how easily a virus can damage your system)<br />
there are only a limited number of ways in which this can be accomplished.<br />
A computer's disk storage techniques are wide open to<br />
interference, but there are generally only four ways in which a<br />
virus can do so. These are:<br />
High-level format. A high-level format is what happens<br />
when you use DOS's FORMAT command. This lays down the<br />
magnetic structure used to store files. While this type of damage<br />
is aggravating, you can restore the disk if you've taken the<br />
precaution of using a format recovery program like those by<br />
Norton or Mace ahead of time. High-level formatting on an already<br />
formatted disk does not actually erase data except for<br />
initializing the Directory and FAT areas. This is true for both<br />
floppies and hard disks.<br />
Low-level format. Hard disks, when initially installed, require<br />
a process called low-level formatting. In essence, this lays<br />
down a foundation for a high-level format. Low-level formatting<br />
does erase all data. You cannot do a low-level format with<br />
regular operating system commands (such as MS-DOS). Usually<br />
these are done by hard disk installation programs, or by<br />
viruses.<br />
System operation. FAT, Directory, and Boot Sector scrambling<br />
are ways in which system operation can be played with. It<br />
takes just a few milliseconds for a virus to destroy the file<br />
allocation table, erase the directory, or overwrite the boot sector.<br />
Overwriting the boot sector is an effective way of killing a<br />
hard disk. The system simply refuses to boot up. You may get<br />
an error message such as Probable Non-DOS Disk. The system<br />
may also be slowed down and other unacceptable operations<br />
occur.<br />
Data scrambling. The effects here are usually more subtle<br />
and may not be caught for months. Numbers are randomly<br />
changed. Customer accounts and other data become corrupted.<br />
If the computer is used for billing you may learn this immediately<br />
in a scorching phone call, or, in the case of under-billing,<br />
you may lose a lot of money before finding out you have viral<br />
problems.<br />
Boot Infectors<br />
The Computer Virus Industry Association's three classes of viruses<br />
are described in the online file "Anti-Virus Measures"<br />
from association member InterPath Corporation (manufacturers<br />
of C-4 and Tracer). Boot infectors attach themselves to<br />
sector 0 of floppy disks and, occasionally, hard disks. This area<br />
of the disk is part of the boot track.<br />
Viruses that have infected the boot track gain control when<br />
the system is first turned on and remain in control at all times.<br />
Many have the capability to trap warm boot requests (holding<br />
down the Ctrl and Alt keys and pressing the Del key) and remain<br />
in control even if booted from a noninfected floppy, with<br />
the result that the clean floppy becomes instantly infected.<br />
Boot infectors typically create bad disk sectors to which<br />
the original boot sector is copied, along with the remainder of<br />
the virus code. Boot infectors may be from 2 to 7 sectors in<br />
length.<br />
Boot infectors can be benign or malignant. The Pakistani<br />
Brain virus (described in the previous chapter), for example,<br />
was claimed to be a benign boot infector virus in its original<br />
form. The company in Lahore, Pakistan supposedly wrote it<br />
merely as a way to keep track of their software.<br />
Programmers refer to code that is extremely efficient for a<br />
particular task as elegant. The Brain virus program is elegant at<br />
doing its task of infection, and is also easy to modify into a<br />
very malignant form.<br />
Whether it was originally meant to be this or not, the virus<br />
is now a nasty little monster that can infect hard disks and destroy<br />
FAT entries, delete files, and perform other destructive<br />
activities.<br />
Boot infectors can do the following:<br />
• Move or overwrite the original boot sector<br />
• Replace the boot sector with themselves<br />
• Create bad sectors containing the remainder of the virus<br />
• Infect through soft reboot (Ctrl-Alt-Del) or other functions.<br />
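The boot-sector checks a defender would run against this class are easy to illustrate. The following is an added example, not code from the book or from InterPath: it builds a plausible sector 0 for a 360K floppy, parses the BIOS parameter block that sits behind the initial jump, flags the structural damage that produces errors like Probable Non-DOS Disk, and compares the whole sector against a hash recorded while the disk was known clean, which also catches changes confined to the code area where the parameter block still looks fine. The OEM name is made up, and the device path in the comment is an assumption about the host.<br />

```python
"""Boot-sector sanity check and change detection (added illustration, not
the book's or InterPath's code).  The sector built here is a constructed
360K-floppy-style layout; on a real machine the bytes would come from the
first sector of the disk, e.g. open("/dev/fd0", "rb").read(512) on a Unix
host (path is an assumption)."""
import hashlib
import struct

BPB_OFFSET = 11                 # BIOS parameter block starts right after JMP + OEM name
BPB_FORMAT = "<HBHBHHBHHH"      # little-endian fields in the order of BPB_FIELDS
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fat_count",
              "root_entries", "total_sectors", "media_descriptor", "sectors_per_fat",
              "sectors_per_track", "heads")


def build_boot_sector() -> bytes:
    """Plausible sector 0 for a 360K floppy: JMP, OEM name, parameter block, signature."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"            # JMP SHORT over the parameter block, then NOP
    sector[3:11] = b"BOOKDEMO"               # OEM name (constructed)
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET,
                     512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2)   # 360K: 720 sectors, 2 per cluster
    sector[510:512] = b"\x55\xaa"            # boot signature
    return bytes(sector)


def parse_bpb(sector: bytes) -> dict:
    """Decode the parameter block into named fields."""
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)))


def sanity_check(sector: bytes) -> list:
    """Structural problems a scrambled or overwritten sector shows (empty list = looks sane)."""
    if len(sector) != 512:
        return ["sector is not 512 bytes"]
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    if sector[0] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP opcode")
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("implausible bytes per sector")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors per cluster is not a power of two")
    if bpb["fat_count"] not in (1, 2):
        problems.append("FAT count is not 1 or 2")
    if bpb["reserved_sectors"] == 0:
        problems.append("no reserved sectors (the boot sector itself must be reserved)")
    return problems


def fingerprint(sector: bytes) -> str:
    """Hash to record while the disk is known clean."""
    return hashlib.sha256(sector).hexdigest()


def boot_sector_changed(baseline: str, sector: bytes) -> bool:
    """True if anything in the sector, code area included, differs from the recorded hash."""
    return fingerprint(sector) != baseline


if __name__ == "__main__":
    good = build_boot_sector()
    baseline = fingerprint(good)
    print("clean sector:", sanity_check(good) or "ok", parse_bpb(good))
    print("zeroed sector:", sanity_check(bytes(512)))
    patched = bytes(good[:62] + b"\xcc" * 8 + good[70:])   # change in the code area only
    print("patched sector sanity:", sanity_check(patched) or "ok",
          "changed:", boot_sector_changed(baseline, patched))
```

The two checks are complementary: sanity_check() needs no prior knowledge of the disk and catches gross damage, while boot_sector_changed() needs a baseline taken from a clean disk but catches a sector whose parameter block is intact and whose code has been replaced, which is the case the list above describes.<br />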
System Infectors<br />
Several kinds of viruses, again as described in InterPath's<br />
informational file, attach themselves to COMMAND.COM<br />
and other system files that remain memory resident. They gain<br />
control after system boot and infect hard disks or other<br />
bootable floppies that contain the appropriate system files.<br />
Memory resident programs (also called TSRs, for Terminate<br />
and Stay Resident) are prime candidates for infection<br />
by this type of virus. Any power user of computers has several<br />
of these programs, such as Borland's Sidekick on both IBM<br />
PCs and compatibles, and also for Apple's Macintosh.<br />
However, even if you have no TSR programs in memory,<br />
the operating system probably already has. Such MS-DOS commands<br />
as COPY, DIR, and ERASE are loaded into memory<br />
when the computer boots. These miniprograms can be accessed<br />
and manipulated (to your detriment) by system infectors.<br />
System infectors may activate after a given period of time<br />
or they may instantly begin subtle modifications in system<br />
processing, including increasing the time to perform system<br />
functions, subtle scrambling of data or modification of system<br />
error messages, or informational messages. The Friday the 13th<br />
virus first discovered at the Hebrew University in Israel is an<br />
example of such a virus. (This virus is also able to act as a general<br />
.COM and .EXE infector as well as being a system infector.)<br />
Like the time-release pills in such medicines as Contac,<br />
activation of computer viruses can take place after a specified<br />
period of time or times have elapsed. A specific number of<br />
times a program is run can also serve as a trigger. Activation<br />
may include scrambling the FAT, erasure of specific files, low-<br />
level disk format, or modification of nonexecutable files<br />
containing numeric or other ASCII data.<br />
General .COM and .EXE Infectors<br />
General Infectors is the third and final class defined by the<br />
Computer Virus Industry Association. This class of virus is the<br />
most dangerous from an infection standpoint since these viruses<br />
can spread to almost any executable program in any system.<br />
Your spreadsheet, word processor, games, utilities, or any<br />
program you run can be a target. These viruses infect in three<br />
general ways, by<br />
1. Gaining control each time the infected program is executed<br />
and copying itself to other .COM or .EXE files on the fixed<br />
or floppy disk prior to passing control to the host program.<br />
This is the most common infection technique. Since the<br />
drive light is already on, and the whole process takes almost<br />
no time, it's practically undetectable.<br />
2. Remaining memory resident and infecting each program<br />
that's loaded for execution. This technique is used by the<br />
Friday the 13th virus but is less common than the above<br />
method.<br />
3. Attaching themselves externally to .COM or .EXE files and<br />
thus changing the file size. They may or may not modify the<br />
creation date and time. Others insert themselves internally<br />
in the executable host program's dead space and are thus invisible<br />
to anything other than a binary compare routine.<br />
Some viruses continue to infect the same program multiple<br />
times until the program becomes too large to fit into memory.<br />
Most, however, check to see if the host has already been<br />
infected and pass over previously infected files.<br />
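The three infection methods leave three different traces, and a file-integrity check can look for each. This is an added example, not code from the book: an appended body shows up as bytes beyond the length the MZ header declares (a legitimate overlay looks the same, so treat it as a lead rather than proof), a prepended or appended body changes the size against a recorded baseline, and an in-place change to dead space keeps the size but changes the hash, which is the binary compare the text mentions. All sample files are constructed; the .EXE is a bare header with a NOP body and the .COM is a plain DOS exit call.<br />

```python
"""Integrity checks for .COM/.EXE files against the three infection patterns
listed above.  Added example, not code from the book; sample files are
constructed here."""
import hashlib
import struct

PAGE = 512   # the MZ header counts file length in 512-byte pages


def declared_exe_size(data: bytes):
    """Length the MZ header claims, or None if this is not an MZ executable."""
    if len(data) < 28 or data[:2] != b"MZ":
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)   # bytes in last page, pages in file
    return e_cp * PAGE if e_cblp == 0 else (e_cp - 1) * PAGE + e_cblp


def trailing_bytes(data: bytes) -> int:
    """Bytes after the declared end: overlay data on a legitimate file, or an appended body."""
    declared = declared_exe_size(data)
    return 0 if declared is None else max(0, len(data) - declared)


def fingerprint(files: dict) -> dict:
    """Baseline to store while the system is known clean: name -> (size, sha256)."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def compare(baseline: dict, files: dict) -> dict:
    """Findings per file name; an empty dict means nothing changed."""
    findings = {}
    for name, data in files.items():
        notes = []
        if name not in baseline:
            notes.append("new file")
        else:
            size0, digest0 = baseline[name]
            if len(data) != size0:
                notes.append(f"size changed by {len(data) - size0:+d} bytes")
            elif hashlib.sha256(data).hexdigest() != digest0:
                notes.append("content changed, size unchanged (in-place modification)")
        extra = trailing_bytes(data)
        if extra:
            notes.append(f"{extra} bytes beyond header-declared size")
        if notes:
            findings[name] = notes
    for name in baseline.keys() - files.keys():
        findings[name] = ["missing"]
    return findings


def make_exe(body_len: int = 936) -> bytes:
    """A minimal, self-consistent MZ file: 64-byte header and a NOP body (constructed)."""
    header = bytearray(64)
    header[:2] = b"MZ"
    pages, last = divmod(64 + body_len, PAGE)
    if last:
        pages += 1
    struct.pack_into("<HH", header, 2, last, pages)     # e_cblp, e_cp
    struct.pack_into("<H", header, 8, 64 // 16)         # e_cparhdr: header size in paragraphs
    return bytes(header) + b"\x90" * body_len


def sample_files():
    """(before, after) snapshots: an appended copy, an in-place edit, a prepended .COM."""
    clean = make_exe()
    appended = clean + b"\xcc" * 1808                   # bytes appended, header left as it was
    cavity = bytearray(clean)
    cavity[200:210] = b"\xcc" * 10                      # same size, ten bytes overwritten
    com = b"\xb8\x00\x4c\xcd\x21"                       # mov ax,4C00h / int 21h: plain exit
    before = {"APP.EXE": clean, "EDIT.EXE": clean, "TOOL.COM": com}
    after = {"APP.EXE": appended, "EDIT.EXE": bytes(cavity), "TOOL.COM": b"\x90" * 1808 + com}
    return before, after


if __name__ == "__main__":
    before, after = sample_files()
    for name, notes in compare(fingerprint(before), after).items():
        print(name, "->", "; ".join(notes))
```

The header check works without a baseline, but only for .EXE files and only when the infecting code did not rewrite the page count; the hash comparison needs a baseline taken from a clean system but catches the cavity case that size and timestamps never reveal.<br />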
Viruses Battling for Supremacy<br />
Viruses, like life forms, may fight for territory and "eat" other<br />
viruses. Here's an example:<br />
There is a public domain program called "Core War,"<br />
which has been available for several types of computers including<br />
IBMs and compatibles for at least four years now. It's a<br />
computer game played both with and by computers. In Core<br />
War, two player-written computer programs operate concurrently<br />
in a circular memory array. A program loses when it hits<br />
an instruction it can't execute.<br />
The information below comes from the documentation file<br />
included with the program. There is no attribution to the author<br />
of the distributed version, but COREWARS.C was written<br />
by Kevin A. Bjorke in May of 1984, in Small-C version 2.03,<br />
and placed in the public domain.<br />
Most of us think of a computer loading a program into its<br />
working memory and running it. When we're word processing<br />
or using a spreadsheet, that's all that's happening. Right?<br />
Wrong. There are still lots of things going on in memory, many<br />
of them unrelated to the program now running. What's worse,<br />
viruses could be battling to see which can do the most damage.<br />
Core War is just a game, but it demonstrates the freedom<br />
viruses have in an unprotected system once they get into memory.<br />
Also, these types of programs can (and no doubt did) serve<br />
as the models for actual viruses. Core War programs are described<br />
more fully by A. K. Dewdney in the "Computer<br />
Recreations" column of Scientific American, May 1984. Here's<br />
a short synopsis of Mr. Dewdney's article (omitting the<br />
technicalities).<br />
Neither program originally knows where in memory the<br />
other is, or even where the program itself has started. However,<br />
the memory array used by Core War is circular, and all<br />
addressing is relative, so absolute memory addresses are not<br />
important. Both battle programs are executed by the Core War<br />
operating system, MARS. In the version included with the IBM<br />
public domain version, MARS is also the program loader.<br />
Programs are loaded either from the keyboard or from disk<br />
(when you give the program a name, it will check the directory<br />
for that name; if it finds it, it will load it from disk, assuming<br />
the program is an ASCII file). The MARS interpreter simply<br />
keeps switching its program counter from one program to the other<br />
(ABABABABABABAB ...) until one program loses,<br />
some maximum number of instruction cycles have been performed<br />
(as a safeguard against endless loops), or you hit<br />
to abort.<br />
Here's the shortest possible battle program, called "IMP":

MOV 0 1
IMP just copies the current location to the next location, then advances to the next location, and so forth. While the original program is short, it will eventually gobble up every memory location if unchecked, thus becoming the largest possible battle program as well. It can even spread to its opponent, since any program that jumps to a location written by IMP will become an identical clone of IMP.

ANTI.IMP sets up a marker byte at -5 relative to its first byte and then waits for IMP to come along. When the marker changes, it bombards the area that IMP is moving into with DAT 0 instructions, which IMP can't execute, and thus "bites" it.

ANTIANTI.IMP writes a block of code that looks like IMP into progressively higher memory locations. When ANTI.IMP senses this drone IMP, it will attack it, but to no avail; it will still get overwritten and then become a clone of IMP. At this point it turns around and wreaks havoc on ANTIANTI.IMP, which has no protection against IMP itself.

Other examples are given in Dewdney's article, such as DWARF, which fires "Zero Bombs" in a fashion similar to ANTIANTI.IMP; GEMINI, which simply runs away; or RAIDAR, which is able to leapfrog over advancing attacks.
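To make the MARS mechanics described above concrete, here is an added example of a reduced Core War interpreter in C. It is not Kevin Bjorke's COREWARS.C and not Dewdney's code; the instruction dialect (DAT, MOV, ADD, JMP with direct, immediate and indirect operands), the 64-cell core and the 500-cycle limit are assumptions chosen for readability. It has the properties the text names: a circular core, relative addressing only, strict ABAB alternation between the two programs, a loss when a program executes DAT, and a cycle limit as the safeguard against endless loops. It pits IMP against a DWARF-style bomber, then two IMPs against each other, and counts how much of the core IMP has overwritten.

```c
/* Added example: reduced MARS-style Core War interpreter (not the 1984 COREWARS.C).
 * Dialect, core size and cycle limit are assumptions made for clarity. */
#include <stdio.h>
#include <string.h>

#define CORESIZE  64    /* circular memory; every address is relative to the PC */
#define MAXCYCLES 500   /* safeguard against endless loops: stop and call it a draw */

enum Op   { DAT, MOV, ADD, JMP };
enum Mode { DIRECT, IMMEDIATE, INDIRECT };

typedef struct { int op, am, a, bm, b; } Cell;   /* opcode, A mode/offset, B mode/offset */

typedef struct {
    Cell core[CORESIZE];
    int  pc[2];          /* one program counter per battle program */
    int  alive[2];
} Mars;

static int wrap(int x) { return ((x % CORESIZE) + CORESIZE) % CORESIZE; }

static void reset(Mars *m) { memset(m, 0, sizeof *m); }   /* empty core is all DAT 0 0 */

/* Load program 'who' at core address 'where'; it starts executing at where+entry. */
static void load(Mars *m, int who, int where, int entry, const Cell *prog, int n) {
    for (int i = 0; i < n; i++) m->core[wrap(where + i)] = prog[i];
    m->pc[who] = wrap(where + entry);
    m->alive[who] = 1;
}

/* Turn a relative operand into an absolute core address (immediate has none). */
static int address(const Mars *m, int pc, int mode, int off) {
    int d = wrap(pc + off);
    return mode == INDIRECT ? wrap(d + m->core[d].b) : d;
}

/* Execute one instruction of program 'who'; returns 0 if it tried to run a DAT. */
static int step(Mars *m, int who) {
    int pc = m->pc[who];
    Cell ins = m->core[pc];            /* copy first: the instruction may overwrite itself */
    switch (ins.op) {
    case MOV:                          /* copy the whole cell at A to the cell at B */
        m->core[address(m, pc, ins.bm, ins.b)] = m->core[address(m, pc, ins.am, ins.a)];
        m->pc[who] = wrap(pc + 1);
        return 1;
    case ADD: {                        /* add A (immediate, or the B field at A) to the B field at B */
        int v = ins.am == IMMEDIATE ? ins.a : m->core[address(m, pc, ins.am, ins.a)].b;
        m->core[address(m, pc, ins.bm, ins.b)].b += v;
        m->pc[who] = wrap(pc + 1);
        return 1;
    }
    case JMP:
        m->pc[who] = address(m, pc, ins.am, ins.a);
        return 1;
    default:                           /* DAT is data, not an instruction: this program loses */
        m->alive[who] = 0;
        return 0;
    }
}

/* Alternate ABAB... until one program executes a DAT. Returns the winner (0 or 1)
 * or -1 for a draw at the cycle limit; *cycles receives the cycle count. */
static int battle(Mars *m, int *cycles) {
    for (int c = 1; c <= MAXCYCLES; c++)
        for (int who = 0; who < 2; who++)
            if (!step(m, who)) { *cycles = c; return 1 - who; }
    *cycles = MAXCYCLES;
    return -1;
}

/* IMP: "MOV 0 1" copies itself one cell ahead, then advances into the copy. */
static const Cell IMP[] = { {MOV, DIRECT, 0, DIRECT, 1} };

/* DWARF-style bomber: the B field of its DAT is a pointer advanced 4 cells per pass,
 * and the DAT itself is the "zero bomb" copied to wherever the pointer points. */
static const Cell DWARF[] = {
    {DAT, IMMEDIATE,  0, IMMEDIATE, 0},
    {ADD, IMMEDIATE,  4, DIRECT,   -1},   /* pointer += 4 */
    {MOV, DIRECT,    -2, INDIRECT, -2},   /* copy the DAT through the pointer */
    {JMP, DIRECT,    -2, DIRECT,    0},   /* back to the ADD */
};

/* How many core cells now hold an IMP: shows IMP "gobbling" memory. */
static int count_imps(const Mars *m) {
    int n = 0;
    for (int i = 0; i < CORESIZE; i++) {
        const Cell *c = &m->core[i];
        if (c->op == MOV && c->am == DIRECT && c->a == 0 && c->bm == DIRECT && c->b == 1) n++;
    }
    return n;
}

/* IMP at cell 8 versus DWARF at cell 0 (DWARF starts at its ADD). */
static int imp_vs_dwarf(int *cycles, int *imps) {
    Mars m;
    reset(&m);
    load(&m, 0, 8, 0, IMP, 1);
    load(&m, 1, 0, 1, DWARF, 4);
    int w = battle(&m, cycles);
    *imps = count_imps(&m);
    return w;
}

/* Two IMPs never execute a DAT: the battle is a draw and the core fills with IMPs. */
static int imp_vs_imp(int *cycles, int *imps) {
    Mars m;
    reset(&m);
    load(&m, 0, 0, 0, IMP, 1);
    load(&m, 1, 32, 0, IMP, 1);
    int w = battle(&m, cycles);
    *imps = count_imps(&m);
    return w;
}

int main(void) {
    int cycles, imps;
    int w = imp_vs_dwarf(&cycles, &imps);
    printf("IMP vs DWARF: winner=%d after %d cycles, %d IMP cells left\n", w, cycles, imps);
    w = imp_vs_imp(&cycles, &imps);
    printf("IMP vs IMP: winner=%d after %d cycles, %d IMP cells\n", w, cycles, imps);
    return 0;
}
```

In the first battle DWARF wins at cycle 21: its bomb pointer moves four cells every three instructions, so it catches up with the one-cell-per-cycle IMP and drops a DAT on cell 28 in the same cycle IMP copies itself there; on its next turn IMP executes that DAT and loses, leaving 15 IMP cells in the core. In the second battle neither IMP can ever step onto a DAT, so the run ends as a draw at the cycle limit with all 64 cells holding IMP, which is the "gobble up every memory location" behavior the text describes.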
There may come a time, if the virus problem continues to grow at the rate it is now, when killer viruses will have to be developed. These "good" viruses might be unleashed in a computer system much as you would get an injection of antibiotics to fight an infection in your biological body.

So far, as we will see in the next chapter, eradicating viruses from a computer system follows more conventional lines. But, until the computer hardware manufacturers make systems that aren't so delicate and open to viruses, don't count on things staying the same. Viruses will escalate, and so will protective programs.
How Does Your Computer Get Infected?

A virus invades your system in a carrier or Trojan horse program. Basically there are only two ways a virus can enter your computer: You've either physically placed a disk into the machine that has a virus on it, or you've downloaded a virus over the telephone or a LAN (Local Area Network).

Just doing a quick DIR (directory) of a disk (if it has a system file like COMMAND.COM on it) lets the virus jump into your computer. The infected disk may have been in the drive for only five seconds or so. It takes much less time than that for a nimble virus program. The more programs you buy or trade for, or have been given to you, the greater the chance of viral infection.

Booting from a floppy disk is even worse. InterPath, maker of the C-4 antiviral program, stresses that booting from a floppy is a high-risk practice and the single largest cause of viral infection.

Calling another computer over the phone lines, such as electronic bulletin boards (BBSs), also puts you at risk if that computer is infected. The more computers you call, the greater the chance of viral infection.

However, all the above are useful things to do. Why should we let a few sick minds keep the vast majority of computer users from enjoying the fantastic benefits of telecommunications? The answer is there is no reason! In the next chapter we'll discuss ways of fighting viruses and practicing safe computing.
The Reproductive Urge

Computers, even personal computers, have become so sophisticated now that they support a very crude imitation of life cycle processes. Viruses can burrow into host programs like biological viruses into living cells. They have an urge to reproduce or replicate themselves. Like in real life, they seek the immortality given by offspring.

Like life forms, viruses are usually specialized, some strains inhabiting boot sectors, others system files such as COMMAND.COM or the hidden BIOS files, and some hardy ones that are able to exist in almost any .COM or .EXE executable program.

Like genetic codes in living microorganisms, computer viruses also have a greater instinctual reason for existence. They have the drive to reproduce, but reproduction accomplishes their final goal. That goal may be something as innocuous as flashing a humorous message on the screen, or as malignant even as a low-level format of your hard disk.
A computer virus enters your system concealed in a Trojan horse carrier program. Most programs, especially large ones, have empty or unused areas in their code where a smaller program can easily be concealed.

When this Trojan horse program is run, a replicating virus will take control of it for a brief time during the startup phase. Since the disk light is already on because the program is loading, you'll probably notice nothing out of the ordinary. The virus quickly checks to find an uninfected host program. It copies itself into that one, then returns control to the program starting up, which then runs as if nothing has happened.

Such activity will happen each time the Trojan is invoked until all the programs the virus can reach are infected. At that time, the virus may trigger and do whatever its creator has programmed in (usually something quite nasty). Or, it may wait until a specific time, infecting any new programs you put into the system and, of course, going out with all programs you give or trade to friends, or upload to BBSs.

The more sophisticated viruses, even when triggered, do not engage in wholesale destruction. They change data randomly and degrade system performance, all while remaining hidden in the hopes of spreading to other systems. In such manner, the virus goes through many generations and can infect thousands of systems, thus achieving the goals (usually sick) of the person who programmed it.
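A defender's counterpart to the replication cycle just described is an integrity check: record the size and a checksum of every executable while the system is believed clean, then compare before each use. The following is an added example, not from the book or from any product it mentions; the three "program images" are constructed byte buffers standing in for .COM files, and FNV-1a is one checksum choice among many. It also shows the caveat implied by the "empty or unused areas" remark above: a host altered inside its unused space keeps the same file size, so a size-only check misses it while a checksum does not.

```c
/* Added example: baseline-and-compare integrity check for program files.
 * Not from the book. Program images are constructed in memory to stand in
 * for .COM files; FNV-1a 64-bit is the checksum choice (an assumption). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NPROG 3

typedef struct { const char *name; unsigned char image[64]; size_t len; } Program;
typedef struct { uint64_t hash; size_t len; } Record;   /* what the baseline stores */

static uint64_t fnv1a(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;                                 /* FNV offset basis */
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; } /* FNV prime */
    return h;
}

/* Take the baseline on a system believed clean: size and checksum per program. */
static void take_baseline(const Program *p, int n, Record *out) {
    for (int i = 0; i < n; i++) {
        out[i].len  = p[i].len;
        out[i].hash = fnv1a(p[i].image, p[i].len);
    }
}

enum { SIZE_CHANGED = 1, HASH_CHANGED = 2 };

/* Compare one program with its baseline record; returns a bit mask of findings. */
static int check_one(const Program *p, const Record *r) {
    int flags = 0;
    if (p->len != r->len) flags |= SIZE_CHANGED;
    if (fnv1a(p->image, p->len) != r->hash) flags |= HASH_CHANGED;
    return flags;
}

/* Count programs whose findings intersect 'mask' (a size-only checker uses SIZE_CHANGED). */
static int count_flagged(const Program *p, const Record *base, int n, int mask) {
    int k = 0;
    for (int i = 0; i < n; i++) if (check_one(&p[i], &base[i]) & mask) k++;
    return k;
}

/* Constructed scenario: three images of 12 "code" bytes plus 8 zero bytes of unused
 * space. After the baseline, one grows by 4 appended bytes, one is altered inside its
 * unused space (same size), one is left alone. Returns how many altered programs a
 * size-only check misses; fills the counts each method reports. */
static int run_scenario(int *by_size, int *by_hash) {
    static const char *names[NPROG] = { "EDIT.COM", "CALC.COM", "GAME.COM" };  /* constructed */
    static const unsigned char tail[4] = { 0xAA, 0xBB, 0xCC, 0xDD };          /* constructed bytes */
    Program progs[NPROG];
    Record  base[NPROG];

    for (int i = 0; i < NPROG; i++) {
        memset(&progs[i], 0, sizeof progs[i]);
        progs[i].name = names[i];
        memset(progs[i].image, 'A' + i, 12);
        progs[i].len = 20;
    }
    take_baseline(progs, NPROG, base);

    memcpy(progs[0].image + progs[0].len, tail, sizeof tail);   /* EDIT.COM grows */
    progs[0].len += sizeof tail;
    progs[1].image[15] = 0x90;                                   /* CALC.COM: same size, unused byte changed */

    *by_size = count_flagged(progs, base, NPROG, SIZE_CHANGED);
    *by_hash = count_flagged(progs, base, NPROG, HASH_CHANGED);
    for (int i = 0; i < NPROG; i++) {
        int f = check_one(&progs[i], &base[i]);
        printf("%-9s size %s, checksum %s\n", progs[i].name,
               f & SIZE_CHANGED ? "CHANGED" : "same", f & HASH_CHANGED ? "CHANGED" : "same");
    }
    return *by_hash - *by_size;
}

int main(void) {
    int s, h;
    int missed = run_scenario(&s, &h);
    printf("size-only check flags %d, checksum flags %d, missed by size-only: %d\n", s, h, missed);
    return 0;
}
```

The baseline must be taken from a system believed clean and stored where an infected program cannot rewrite it, or the comparison proves nothing; the same applies to the checker itself, which is why the text later describes checking disks before they are used rather than after.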
The Retro-Virus

The latest virus discovered and verified by the National BBS Association is called the retro-virus. It was first publicly described by Steve Gibson in the May 9, 1988 InfoWorld.

Three popular shareware programs (which are not named) are the hosts for this viral strain. The programs are infected by the virus, which reproduces by attaching passive carrier clones of itself to other executable programs. It rides these programs in hopes of finding one of the three programs it can live inside.

The name retro-virus was given because it communicates with the carrier clones of itself using a clever flag hidden within the system. When any of the viral clones activates, this flag is turned on. When one of the three infected programs is run, the flag is checked and turned off. If it was already off, the virus assumes the infected programs must have been removed from the system. Then it waits for several months to reinject the target programs. Like a submarine rigged for silent running, the retro-virus waits until the destroyers have stowed the depth charges and gone back to port before returning to sink ships.
Conclusions

Computer viruses imitate real-life viruses in the way they reproduce. On a hard disk they can infect hundreds of programs and spread to new systems as these programs are entered via disks or telephone modem. Running an infected program spreads the infection.

Viruses are becoming more and more sophisticated and already lurk in thousands of systems. The National BBS Society has identified 39 strains (most of which are on the IBM and compatibles, or Apple's Macintosh computers). It is obvious that the problem will only get worse before it gets better.

What can you do to rid your system of any viruses that may be present and to make sure no infection occurs? The remainder of this book is concerned with the specifics of detection and protection.
4
FIGHTING VIRUSES AND PRACTICING SAFE COMPUTING

When false things are brought low . . .
Thomas Hardy
The best cure for any virus is not to catch it in the first place. Alas, unless you do all your computing in an underground bunker on a totally isolated computer, and use only programs you've written and personally typed into the computer yourself, chances are your system will sooner or later be exposed to a virus, Trojan, worm, or hacked program of some sort. The Third Marine Division is useless against this kind of invasion.

This chapter gives you the general precepts needed to detect and prevent viral infections, as well as attacks by Trojans, bombs, and plain old operator error. It acquaints you with how to practice safe computing and shows ways of fighting viruses instead of just passively worrying about the danger of an intrusion into your system.

If you use public domain, freeware, or shareware programs, the chances of attack or infection increase. The obvious answer touted by some writers is never to use a public domain or shareware program, and never to hook your computer up to the telephone line.

This, despite the very real danger of viruses and other destructive programs, is still poor advice. In my utility directory right now are 314 programs (the result of weeding out hundreds of downloads). There are some real gems in this collection: useful programs I got free or for a minimal registration fee that could not otherwise have been bought for any amount of money. Some of them I use every day.
Power Computing

For a commercial program to succeed, it must meet the needs of the widest possible market. Major compromises are made to fit a program within these criteria. Often public domain or shareware programs will better do your specific tasks. These programs also offer features on the leading edge of programming, things the commercial companies, with their much longer development period, will not implement for a year or more.

Pull-down menus, windows, and many other now taken-for-granted features of commercial software first appeared in public domain programs. Of the many thousands of such programs available on Compuserve, Delphi, and the other major computer networks, and on hundreds of local electronic bulletin boards, probably far less than 1 percent are currently infected with a virus, or will cause damage in some other way.

Why let the few sickies who turn out viruses keep you from this power?

Far too many people buy a computer for one particular purpose. Often they purchase just one or two programs and run them all the time. This is akin to owning a 928 Porsche but only using it to drive to the grocery store down the street, never taking it out of first gear.

Computers are performance enhancers. Like the six-gun "equalizer" in the Old West, they are the iron you "pack" to survive in the information age. If you let the threat of viruses scare you away from the networks and bulletin boards, or cause you to shun public domain and shareware, that six-shooter is going to soon click empty.

On the other hand, you don't want to sit with your back to the door. Viruses are ornery varmints, but they can be overcome.
Risky Practices

If you ask for trouble, chances are someone, sometime, will oblige you. In fact, these days, it's not necessary to even ask; some worm out there is probably unleashing a new virus as you read this book. Tomorrow, next month, a year from now, that virus may mount an assault on the bastions of your precious and valuable data.

The first group to start having virus problems were modem junkies, those of us who like to sail the telecommunications sea at night, visiting electronic bulletin boards all over the United States and Canada. With PC Pursuit (a service offered by Telenet), you can make unlimited calls from 6 p.m. to 7 a.m. for only $25 total per month. Thousands of boards are now reachable for practically no cost.

A wealth of interesting, usable, and even valuable programs can be quickly accumulated in this way. Unfortunately, viral infection is also spread in the same manner.

Most of the news articles now appearing in your local newspaper from AP or UPI are about virus attacks in large networks of computers, such as the Macintoshes at NASA and the EPA, which were infected by the Scores virus, or Lehigh University's virus last year, which hit IBM PCs.

There is a good chance that the initial infection came about because some person with access to the network had downloaded a program on his or her personal computer from a bulletin board somewhere, and then either tried it out at work, or put it on the system in order to share with others.

This is a common practice and, unless a viral infection occurs, a good one. The free interchange of information among its employees helps a company or institution become stronger. The more adroit its people are in informational techniques, the more efficient the company or institution.

The problem is that viral infections must be protected against. Computer users in general must have the techniques or software available to them that detect and protect against viruses. More about that in just a bit, but first, what are the risky practices that can result in viral infection?

Here are some practices that increase the chance of your computer system contracting a virus or being otherwise damaged by a Trojan or hacked program:

• Putting a disk of unknown origin into your computer.
• Using other people's disks and programs, and letting them use yours.
• Trading computer programs with strangers, or with people who trade frequently.
• Running a computer program if you're unsure of the following: its origin; the number of times it has been copied; if it has been altered; or what generation copy of the original this one might be.
• Executing any new computer program for the first time without first making backup copies of every program and data file on your computer.
• Calling another computer using a telephone modem, especially a computer of the same type as your own.
• Booting from a floppy disk.
• Hooking your machine into a LAN (Local Area Network).
• Letting anyone else put a disk into your machine.
• Using unauthorized copies of commercial software or operating systems.
• Using public domain or shareware programs.

The more of the above that apply to you, the greater the risk of catching a virus. Since most computer users engage in one or more of these activities, the real problem is not so much avoiding the chance of infection as protecting against infection.
David J. Buerger, in his article "A Specter Is Haunting Networks: The Specter of Viruses, Hidden in Horses" (InfoWorld, March 7, 1988), says there is only one sure way to avoid a virus from a program you get from a network. You download only the source code, examine it carefully line by line to "verify the absence of mischievous programmed logic; and then compile the code yourself."

This ultimate precaution could be just as well applied to each and every program obtained for your system, even the ones you buy shrink-wrapped off the shelf at the local computer store. But, alas and alack, few of us want to be put to that much bother, even assuming we have the expertise in Pascal and C, which most public domain and shareware programs are written in, or the wide variety of compilers all this code would require.

Buerger also points out the difficult task faced by network system operators in preventing the spread of viruses. The example he gives is that of a virus-infected Macintosh program inadvertently published in Compuserve's HyperCard forum. The virus was exterminated in one day but, writes Buerger, 40 people had already unsuspectingly downloaded the program. If the virus program is not caught on a busy day at any major network, several hundred people might have their computers unknowingly contaminated in the course of a year's time, and spread the virus by trading disks with their friends who are not online.

To reiterate, the real problem is not avoiding the chance of infection (because that is practically impossible), but protecting your system from being infected. Make your computer a wasteland for viruses, full of nothing but shifting sand and the occasional dead cactus. Leave one little oasis of unprotected turf, and the virus will put down roots and bide its time until you make another mistake.
How Safe Can You Be? Not Very!

There's a common misconception that if you use only commercial software you'll be sure to avoid infection. Although this practice will lessen the chance of catching a virus, it will not cancel it entirely, as Aldus Corporation recently found out. Aldus has the somewhat dubious distinction of being the first commercial software publisher to inadvertently ship a product with a viral infection.

A March 16, 1988 Associated Press story reported that a virus had gotten into copies of FreeHand, a new program that Aldus had just released for Apple Macintosh computers. This was acknowledged by Aldus spokesperson Laury Bryant.

The virus strain involved was one of the supposedly benign ones, the Macintosh Peace virus described in Chapter 1. It was intended to put a message of universal peace on computer screens on March 2, 1988 and then die out.
Software at Aldus was apparently infected when a contractor provided an infected computer training disk to the company. The contractor traced the virus back to a game program obtained from a computer bulletin board. As we discussed earlier, this is a classic way that large computer systems become infected.

Since March 1988 Aldus has applied stringent virus protection measures. However, the significance of this incident should not be underrated. Until this incident, it was assumed personal computer viruses only resided in noncommercial software.

Many computer virus "experts" had maintained that the best protection against viruses was to buy all software "off the shelf." Computer store salespeople gleefully echoed this, and totaled up their commissions from extra sales. For, while many $10 or $15 registration-fee shareware programs might be better than a lot of $99.95 commercial software, who wanted to take the chance of a viral infection? The ease with which the Peace virus invaded Aldus' in-house system and duplicated software shrink-wrapped for market belied all the experts.

Aldus declined to say how many disks were infected, but as detailed in the AP report, they did admit it was a sizable number. A disk duplicating machine copied the infected FreeHand disks for three days. Half of these had already been distributed to retail outlets when the viral infection was discovered.

Marc Canter, president of MacroMind Inc. of Chicago, was the one who inadvertently passed the virus to Aldus on a training disk. He had been on a trip to Canada when he received an infected program from the Mr. Potato Head game, which is a computerized version of the popular toy.

Unaware of the infection, Canter ran the game once, then used the same computer to work on software for Aldus. The disk he eventually sent to Aldus was infected and the infection spread from it into their system. From there, the virus went out on disks sold to customers and infected their systems, Canter told the AP.

This incident also caused other companies to worry because they also use Canter's services. These clients include such major names as Microsoft, Ashton-Tate, Lotus Development Corporation, and Apple Computers. Officials at Microsoft, Apple and Lotus all told AP that none of their software was infected, while Ashton-Tate had not replied at the time of these reports.
The Peace virus originated at the Canadian publication MacMag. It was distributed by many computer bulletin boards in a program that was supposedly a listing of products made by Apple.

The message in full reads: "Richard Brandow, the publisher of MacMag, and its entire staff would like to take this opportunity to convey their universal message of peace to all Macintosh users around the world." A picture of a globe appears below the message.

Brandow said that originally he expected people making unauthorized copies of programs on the machine would spread the virus in the Montreal area and possibly a few other areas of Canada and the United States. However, he said he was shocked later to find that, after the virus program began to appear in the databases of online information services, an estimated 350,000 people in North America and Europe saw the message pop up on their computers on March 2nd, 1988!

Just as medical detectives follow a chain of biological infections, computer viruses can be traced in the same manner. What computers or disks did the infected computer have contact with? What computers and/or disks did the newly infected carriers come in contact with? This goes on and on, in the manner of ripples spreading out from a pebble tossed in a still pond.

Aldus, a large and respected software manufacturer, acted responsibly. They tracked the serial numbers of the product affected by the virus. Those customers received a letter explaining the situation and offering them the opportunity to exchange the disks for free.

Aldus is now taking additional security precautions in the creation, testing, and duplication of all software products. These measures include the use of specific tests and vaccines for known viruses in the market at any given time, and the creation of an isolated secure system for master disk duplication.

"We believe authors of the viruses deserve to be condemned by every member of the Macintosh community. Viruses affect not just Aldus Corporation, but every software company, and potentially every Macintosh owner," said Laury Bryant, Aldus public relations manager. "While we believe that the best insurance against future outbreaks of software viruses is the moral outrage of the Macintosh community, we are also exploring potential legal remedies with our attorneys."

Unlike many viruses, the source of the Peace virus is known. While this virus is apparently benign, it's probably still out there, in hundreds if not thousands of systems.

It's time to hit the main point of this chapter yet again. No matter how assiduously you practice safe computing, in the long run your computer stands a good chance of coming in contact with a virus. The best strategy is to protect against infection. Make it impossible for a virus to gain a toehold in your system.
Department of Defense Fights Viruses

Cathryn Conroy, writing in Compuserve's OnLine Today for May 18th, 1988 (a service offered on the Compuserve computer network), describes how the Department of Defense is fighting viruses in their systems. Naturally, in the matter of national security, our computerized armed forces have an intense interest in keeping their many computer networks virus-free.

The DOD has instituted procedures to detect and prevent the electronic sabotage. The general concerns of DOD about its computers were reported recently in Government Computer News.

"It can spread through computer networks in the same way it spreads through computers," said DOD spokeswoman Sherry Hanson. "The major problem areas are denial of service and compromising data integrity."

Computer scientists at the National Security Agency are in charge of installing hardware and software to prevent viral infection of military systems. The NSA is the largest intelligence agency of the Federal Government and is charged with electronic intelligence ranging from vast amounts of cable and radio intercepts to the newer fields of computer communications.

Hanson told Government Computer News that DOD is also using specialized ROM devices and intrusion detectors. Because viruses are only a few lines of programming code, they're easy to develop and slip into a system.

After IBM's worldwide internal mail system was infected in December 1987 with an innocent-looking Christmas message that kept duplicating itself many times over (slowing down and even halting the company's massive message system), virus-specialist programmers have installed a filter program that monitors the system and protects from new infections.

As reported in GCN, executable programs can't be transferred from one computer to another within IBM's network. Executable programs, of course, can serve as Trojan horses to carry viruses from one system to another and, when run, allow the virus to infect new hosts.
Personal Computer Users

Conroy's article continues to relate how personal computer users are also worried, because a virus remains hidden in a computer's main memory, she writes, and gives the example of a recent Amiga-specific virus which infected almost the entire membership of a Florida Commodore Amiga users group before it was discovered.

The president of the group said he believed the virus originated in Europe on a disk of programs the group received from an overseas source. Like many companies, clubs, institutions, and private individuals, the club now has a checker program to check disks for viruses before they're used.

Al Gengler, a member of the Amiga group, compared the virus to AIDS. "You've got to watch who you compute with now," he said.

In a later OnLine Today report by James Moran (May 19), our lawmakers reacted. As might be expected, computer viruses have now come to the attention of Congress and legislators who would like to be assured that U.S. defense computers are safe from viral infections. While defense systems are usually isolated and can't be reached merely by calling via a telephone modem, viruses could enter those systems from an infected disk. After all, even servicepeople play games.

The Defense Authorization Bill for fiscal year 1989 will most likely be concerned with the virus problem. It is expected to direct the Defense Department (DOD) to report on its methods for handling potential viral infections. Congress also wants to know what DOD has done about safeguarding vital military computers. They'd like some assurance that the Defense Department also has considered situations where a primary contractor's computer could be infected and subsequently endanger DOD's own computers (as recently happened to NASA and EPA machines).

Anticipating future hearings, Congressional staffers are soliciting comments from knowledgeable users as to what the report to Congress should cover. Interested parties should forward their comments to Mr. Herb Lin, House Armed Services Committee, 2120 Rayburn House Office Building, Washington D.C. 20515.
Radioactive Viruses?

Computer viruses are scary enough on their own, but how about this? The Nuclear Regulatory Commission announced on August 11, 1988 that it was proposing to fine the Peach Bottom nuclear power plant on the Susquehanna River (near the Pennsylvania-Maryland line) a whopping 1.25 million dollars.

This came about after NRC inspectors caught operators numerous times "sleeping and/or other acts of inattention to duty." Sleeping is bad enough when you are supposed to be monitoring a nuclear plant, but it's the "other acts of inattention" that are really more frightening.

They were playing computer games!

One of the classic ways in which large systems receive viral infections, as we discussed earlier, is through people bringing in games downloaded from who knows where. The thought of a virus loose in computers that have anything at all to do with nuclear power plants is very unsettling.
Antiviral Products

Fighting Viruses and Practicing Safe Computing
A growth industry has sprung up in answer to the virus problem. There are dozens of small startup companies and older, already established firms putting out a wide variety of antiviral products.

The Computer Virus Industry Association, while not representing the majority of these companies, is in the lead now in defining standards and terms for such products in the popular and computer press. A July 20, 1988 news release describes the product definitions that members of the association have agreed on.

This standard classification system is for virus protection products and tools. The system was developed to help the public understand the appropriate application of the various tools and to clarify advertising claims.

The classification system identifies three product groups: Infection Prevention products, Infection Detection products, and Infection Identification products. They are defined as:
Class I, Infection Prevention: This class of product stops the virus replication process and prevents the initial infection from occurring.

Class II, Infection Detection: This class of products detects infection soon after it has occurred and marks the specific components or segments of the system that have become infected.

Class III, Infection Identification: This class of products identifies specific viral strains on systems that are already infected and removes the virus, returning the system to its state prior to
infection.

"The industry anticipates that this standard classification system will assist users in choosing antiviral products that meet the needs of their specific situations," said John McAfee, chairman of the association. "The different product classes address equally different virus problem areas, and a public understanding of these differences is essential."
The Computer Virus Industry Association, the news release continues, is composed of nine major vendors and developers of antiviral hardware and software products. It was formed to address the problems of misleading advertising, the spread of misinformation, and the distribution of ineffective products. The association may be contacted at 4423 Cheeney Street, Santa Clara, California 95054. The phone number is (408) 727-4559.
Prevention Techniques

John McAfee, president of the Computer Virus Industry Association and InterPath Corporation (a manufacturer of antiviral software), offers the following tips on preventing viral infections and the tools with which to fight infections that do occur. Prevention, he says, can be divided into two areas: safe computing practices and antiviral tools.

(Much of the information below is courtesy of InterPath, the Computer Industry Association, and the National BBS Society.)

Approximately 90 percent of all virus infections, or the damaging results of infection, can be easily prevented by implementing the safe usage guidelines below (provided courtesy of InterPath). Most of the other 10 percent of infections, or damaging results, can be avoided by the use of antiviral software or hardware tools.

Here are the recommended safe user practices:
• Never boot from any floppy other than the original write-protected disk from the original distribution package! This recommendation is extremely important. Most of the boot sector infector viruses can only infect your system if you boot from an infected floppy disk. Booting from borrowed, unknown or multiple disks greatly increases the opportunity for infection.

• One and only one boot disk should be assigned to each and every floppy-based PC (systems without a fixed disk), and that disk should be clearly labeled as the boot disk for that system.
• If you have a system with a fixed disk, never boot from a floppy drive. The only exceptions to this involve recovering from a viral infection as described in the section below.

• Treat public domain and shareware software with caution. Viruses are difficult to detect and usually do not modify the operation of the infected program in any way prior to activation.

• Since a friend or acquaintance might, in good faith, recommend a program that is infected without their knowledge, it's best to limit use of such programs to systems without fixed disks. If you do use them on fixed disks, allocate separate subdirectories for the public domain programs. This will limit exposure since some viruses limit their replication activities to the current subdirectory. You should not place public domain or shareware software in the root directory.

• Create meaningful volume labels on all fixed and floppy disks at format time. Develop a habit of checking volume labels each time a DIR command is executed. Look out for changes in the volume labels.

• Watch for changes in the pattern of your system's activities. Do program loads take longer than normal? Do disk accesses seem excessive for simple tasks? Do unusual error messages occur with regularity? Do access lights on any of the system devices turn on when there should be no activity on that device? Do you have less system memory available than usual? Do programs or files disappear mysteriously? Do you suddenly notice a reduction in available disk space? Any of these signs can be indicative of viral infections.
• If you are in a corporate or multisystem environment, minimize the exchange of executable code between systems wherever feasible. When using resources on someone else's PC (a laser printer, for example), transfer the necessary data on a disk that contains no executable code. Also, do not use disks which are bootable or that contain system files.

• If operating in a network environment, do not place public domain or shareware programs in a common file server directory that could be accessible to any other PC on the network.

• If operating in a network environment, allow no one other than the system administrator to use the file server node.

• If using 3270 emulators connected to mainframe systems, keep all 3270 emulation software together in a separate subdirectory and do not include any executable code in the subdirectory that isn't part of the emulator suite. If possible, limit such terminals to 3270 emulation only, and remove all other software from the disk. 3270 emulators are the major gateways through which viruses jump from PCs to mainframes.
Antiviral Tools: Hardware

The use of write-protect tabs is very important in limiting viral spread, and is one of the easiest things you can do. You have most likely bought a box of new, blank disks. In boxes of 5 1/4-inch disks is a pack of labels and one of small peel-off, stick-on tabs, probably black or silver. On one side of each disk is a small notch called the write-protect notch. Placing one of the small tabs over each notch, bending it so it sticks to both sides of the disk and completely covers the hole, prevents the computer from writing (recording) to the disk.

If you use 3 1/2-inch disks, simply slide the write-protect tab found in the upper-right-hand corner of the disk so you can see through the disk. This will prevent the computer from writing (recording) to the disk.
Covering the notch on 5 1/4-inch disks and sliding the write-protect tab to the open position on 3 1/2-inch disks is similar to punching out the two plastic tongues on the edge of a cassette tape opposite the recording head side: it makes the disk a read-only device to the computer. In other words, neither you nor your computer can accidentally mess it up should some malfunction occur.
All boot floppies (the ones used to initialize your system) should be write-protected as a matter of course. There are also commercial products that will write-protect hard disks, and public domain programs such as WPHD.COM for MS-DOS machines.
Besides using write protection, it's a good habit to remove disks from drive slots and store them away when they're not actually being used. No virus is going to jump out of the computer and get on a disk that's filed away. Obviously, this doesn't hold for a disk inserted in a drive that's just sitting there fat, dumb, and vulnerable.
More complex (and expensive) hardware solutions exist also. Several manufacturers have plug-in boards that provide protection from viral infection, although these are generally more aimed toward overall computer security. However, denying unauthorized access to people also works to some extent against viruses.
Antiviral Tools: Software

Software protection, as defined by the Computer Virus Industry Association, falls into three general categories. These are programs that help prevent the virus from initially infecting your system, programs that detect infection after it has occurred, and programs that identify pre-existing infections. All three types of protection have their strong and weak points.

Later in this book we'll look at specific software packages from the various manufacturers of antiviral products, such as InterPath, the makers of C-4, Tracer, and Detect. These three products, respectively, fit each of the three categories defined below (and again thanks to John McAfee, President of InterPath, for all of his kind assistance).

Here's an overview of the three types of virus-fighting programs:
Infection Prevention Programs. These programs are TSR (terminate and stay resident) programs that monitor system activity and watch for characteristic viral replication activities. They check all disk I/O and cause a warning to be displayed when unauthorized activities are attempted. Such activities include writes to executable programs, system device drivers, the boot sector, and so forth. They typically redirect the operating system's interrupt vectors and thus intercept requests from all other programs.
This type of protection has the advantage of stopping viruses before they enter the system, thus avoiding the tasks associated with removing viruses. The disadvantage, however, is that viruses can be, and have been, written to avoid detection using this type of system. Also, no software technique can prevent initial infection from a boot sector virus. (This is another reason to follow the above procedures to avoid boot sector infections.)
Infection Detection Systems. First, as a note of explanation, these programs only work if the system they're running on has not been infected prior to installation. They cannot tell you whether your system has already been infected. They all assume the system is clean.

They work by looking at key information on the system disks (such as file sizes, dates, checksums) and periodically rechecking this information to see if it has changed.

The advantage of this approach is that it's much more difficult for viruses to avoid detection and the technique is therefore much more secure. The disadvantage is that the system must become infected in order to detect the virus. However, if an infection can be identified soon after it occurs, it can be easily removed before it can replicate further and before it has a chance to activate.
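The kind of check such an infection detection program performs, as an added example in Python rather than code from the book or from any product it names: a baseline of sizes, dates and checksums for the executable-style files below a directory, rechecked later, with a constructed scenario showing why the checksum matters when a modification preserves size and date. The directory, file names and the two simulated modifications are constructed for the example.

```python
"""Added illustration of a Class II 'infection detection' check: record the
size, modification time and a checksum of every executable-style file under
a directory, then recheck later and report what changed.  Not code from the
book or from any product it names.  Like the tools described above, it is
only meaningful if the baseline was taken on a clean system."""
import hashlib
import os
import tempfile

# Extensions the book's own guidelines treat as executable code on a DOS PC.
EXEC_EXTS = (".com", ".exe", ".sys", ".bat", ".ovl")


def fingerprint(path):
    """The 'key information' for one file: size, mtime and a SHA-256 digest."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def snapshot(root, exts=EXEC_EXTS):
    """Baseline of every matching file below root, keyed by path relative to root."""
    base = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                base[os.path.relpath(full, root)] = fingerprint(full)
    return base


def compare(baseline, current):
    """Map each file that is missing, new or altered to a short reason string."""
    changes = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            changes[rel] = "missing"
            continue
        differing = [k for k in ("size", "mtime", "sha256") if old[k] != new[k]]
        if differing:
            changes[rel] = "changed " + ",".join(differing)
    for rel in current:
        if rel not in baseline:
            changes[rel] = "new file"
    return changes


def demo():
    """Constructed scenario in a temporary directory: three clean files, then
    two simulated infections.  Returns the change report."""
    fixed_time = 600000000  # a constructed, fixed timestamp for the clean files
    with tempfile.TemporaryDirectory() as root:
        files = {
            "COMMAND.COM": b"\x90" * 64,
            "UTIL.EXE": b"MZ" + b"\x00" * 100,
            "AUTOEXEC.BAT": b"@ECHO OFF\r\n",
        }
        for name, data in files.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (fixed_time, fixed_time))
        baseline = snapshot(root)  # taken while the system is clean

        # Infection 1: an appending infector grows the file; size, mtime and
        # checksum all differ, so even a size/date-only checker would notice.
        with open(os.path.join(root, "UTIL.EXE"), "ab") as fh:
            fh.write(b"CONSTRUCTED-APPENDED-BODY")

        # Infection 2: an in-place overwrite of the same length with the
        # original timestamp put back.  Only the checksum catches this one,
        # which is why size and date alone are not enough.
        path = os.path.join(root, "COMMAND.COM")
        with open(path, "r+b") as fh:
            fh.seek(8)
            fh.write(b"\xcc" * 8)
        os.utime(path, (fixed_time, fixed_time))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{rel:14s} {reason}")
```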
Infection Identification Systems. Programs in this category identify specific viruses on systems that are already infected and remove the virus, returning the system to its state prior to infection. This class of products may or may not repair damage done by virus activation. Products in this class may identify only a single virus or multiple types.

The advantage to this class of products is that they can identify pre-existing infection and perform the removal process. The disadvantage is that they work for only a few of the specific viruses and cannot provide general purpose virus protection.
Recovering from a Virus Infection

As might be expected, the procedures needed to recover from an infection are more difficult than initially preventing the infection. However, recovery is possible, usually with a minimum loss of data.

The major concern in recovering from a virus is not just the loss of data (which can be great), but the near certainty of reinfection if the proper procedures aren't followed. Nine out of ten installations that get infected, according to InterPath, suffer a relapse within a week of "cleaning out" the virus. Some organizations have "eradicated" a virus as many as a dozen times, only to have it reoccur shortly after each eradication.

The causes of these reappearances can be traced to two things:
Many viruses do not go away after a warm boot. The Pakistani Brain virus is a good example. In many organizations, the PC is seldom turned off and the prevailing assumption is that a Ctrl-Alt-Del will clean out system memory. This is an incorrect assumption.

Viruses initially infect fixed disk systems by way of a floppy disk. After infection, every floppy that has been placed in the system is also likely to be infected. In large organizations, this can amount to thousands of infected disks that can reinfect systems if not deactivated.

Understanding the above issues goes a long way toward a successful recovery from a virus infection.

The following are the recommended procedures from InterPath and the Computer Virus Industry Association. When an infection is detected, the following procedures should be followed:
1. Determine the extent of the infection. If the virus has not attacked any fixed disks, go to step 12. If the virus has infected the boot sector only, go to the addendum.
2. Power down the infected system.
3. Retrieve the original DOS disk from the distribution package. Write-protect it. Place it in the floppy boot drive and power up the system.
4. Ensure that the system has booted properly.
5. Back up all nonexecutable files from all directories onto newly formatted floppy disks or to a tape backup unit. If backing up to another fixed disk, ensure that the disk has not been infected. (If there are any doubts, assume it is infected.) Do not use the backup utility on the fixed disk. Use a utility from the original package. Note: At no point in these procedures should you execute any program from the infected fixed disk.
6. List all batch files on the infected disk. If any line within any of the batch files seems unusual or unfamiliar, do not back it up. Otherwise, include the batch files with the backup.
7. Perform a low-level format of the infected disk. Recover the initial disk configuration using FDISK and FORMAT.
8. Execute the SYS command for the fixed disk.
9. Restructure your directories.
10. Replace all executable programs from the original distribution packages.
11. Restore the files that were backed up.
12. Locate all floppy disks that may have been inserted in the infected system within the past two years. (We know it sounds extreme, but if this and subsequent steps are not followed, you can be guaranteed to be reinfected within a short period of time.) At your discretion, either destroy them all or continue with the next two steps.
13. Back up all nonexecutable files onto newly formatted floppy disks.
14. Format the suspect disks.
If the virus is a boot sector infector, the recovery process is somewhat simplified. Since boot infectors do not infect executable programs, they can be removed by doing a SYS command on the affected drive. The procedures are:

1. Power down the affected system.
2. Boot from the original DOS write-protected distribution disk.
3. Perform the SYS command on all affected devices.

The above procedures will leave the virus intact on the additional bad sectors originally allocated by the virus, but these viral segments will be deactivated.
Recovery From Trojans, Bombs, and Goof-ups

Viruses are still relatively rare when compared to Trojan programs or bombs which, when run, immediately damage your system. First of all, it takes a good deal more programming skills to construct a survivable virus than it does some stupid little program that immediately trashes a disk's file allocation table (FAT).
Remember that a Trojan is simply an attractive utility or some other program that serves as a carrier. The evil secreted inside can be either a virus or a bomb that goes off as soon as the program is run.

Most of the really good programmers, those having the technical know-how and creativity to construct a virus, would consider it unthinkable to do so. Programmers are intelligent, likable people for the most part, good people who hate the rot of the current virus plague even more than most of us (because they understand the true frightfulness of the ramifications that could be caused by unchecked, widespread viral infection). Only a very few twisted souls of this elite group create viruses.

Hence, the discrete strains of viruses remain moderately small and, so far, infect probably less than 1 percent of IBMs and clones, and Macintoshes. This percentage is even less than that for other brands.
However, this is not so for bombs. We saw in the last chapter that destroying disks, since they are so vulnerable to start with, is easy to do. Any bad kid (as opposed to the many honorable hackers among our youth) can whip up a working bomb in an evening's time and slide it into almost any program. An unhappy employee can leave a cybernetic bomb in his employer's system.

So, your system is more likely to be hit by a Trojan bomb than a virus. One good, very good, side effect of most viral protection programs is they will also intercept a bomb's unauthorized attempts at disk access and alert you before damage can occur. They not only protect against intentional destructive efforts, but also against honest mistakes (bugs) in programs and operator error. We all foul up from time to time, and computers can be unforgiving; a viral protection program sometimes gives us a second chance.
One person doing some excellent work in alerting people to Trojans, worms, viruses, and pirated software is Eric Newhouse. Eric electronically publishes The Dirty Dozen, a file now found on all the major computer networks and hundreds of local computer bulletin boards.

Now in its eighth edition, this online publication explains viruses, Trojans, worms and other such pests. It specifically lists scores of programs known to be "dirty." If you use public domain programs and shareware, it's a very wise precaution to download and check out each new issue of The Dirty Dozen, and to support Eric in his work.
Should a Trojan get into your system, Eric Newhouse offers some good tips in recovering from it.

"Perhaps," writes Eric, "your hard disk sounds like a sick moose. Perhaps your drive light starts flashing repeatedly, like a police car's lights. Perhaps your drive just sits in the computer, and the computer doesn't acknowledge its presence."
This has happened to me personally on more than one occasion. There is nothing more frustrating, while fighting a deadline, than having the hard disk go. While sometimes it may be a hardware problem, such as a faulty cable, disk controller, or the hard drive itself, more often the problem is with software. Fixing the hardware costs money; recovering from a software problem, such as one caused by a Trojan, can often be accomplished with only a little effort.
Should you get hit by a Trojan or a bomb (and it's going to be pretty obvious that something bad has happened), first remain calm. Try to diagnose the damage and determine if your hard drive was reformatted, the FAT table scrambled, files erased, or the boot sector affected. A Trojan usually does one or more of these four things.

If the Trojan did a low-level format of your hard disk, the only option open is to do a new high-level format and reload your data from your most recent backup. Everything you've done between the time of backup and the bomb hit is gone forever.
Here's an analogy to help you better understand the difference between low- and high-level formats. If you've recorded a cassette tape of, say, 1950s rock songs, you might have labeled it for convenience's sake. The label consists of the title and the counter number so you can fast forward or rewind the tape to the beginning of the wanted song.

If you lay this cassette tape down on a strong magnet, it will be completely erased. This is essentially what low-level formatting does. If, on the other hand, some nerd merely rips off your label, all the songs are still on the tape. It's merely a matter of taking a little time to make a new label. Cleaning off the label is what a high-level format does.
If the Trojan high-level formatted your disk (and this applies to both hard disks and regular floppies), you're in much better shape for recovery of your data. Paul Mace, some time back, introduced a way to recover data on a disk that had been high-level formatted. Peter Norton and others now offer similar techniques.
The bad news is that most of these format-recovery programs require a snapshot of the disk in order to bring back all the data. This can be an automatic process in your AUTOEXEC.BAT file on IBM PCs and compatibles, or equivalent boot-up programs on other types of computers. You might lose one day's work in this case, but that's much better than two weeks' worth, or six months' worth.
In the IBM and MS-DOS world, the problem is that the operating system (DOS) fragments large files and sticks parts of them all over the disk to more efficiently fill it. This is mapped out in the FAT (file allocation table) so the file can be found and used in its entirety again. For an "unformatting" program to work, an accurate map of the disk is required, hence the snapshot. Naturally, any file created after this snapshot was taken will be ignored, even though it's still on the disk.
Here are three commercial programs that, among many other useful utilities, offer format recovery:

PC-Tools, Central Point, $79.95 retail
Mace+ Utilities, Paul Mace, $99.95 retail
Advanced Norton Utilities, Peter Norton, $150.00 retail
While these types of utilities may sound expensive, one recovery can more than pay for them. How much is your time worth?
If the Trojan scrambled your FAT table and left the rest of the disk intact, you would have recovery options also. Remember that the FAT is the map for the operating system to find all parts of a file; this map has to be reconstructed.

The best way to reconstruct is to keep constant backups of the FAT table using Norton's or PC-Tools, or a public domain program such as FATBACK.COM. If you can't simply recopy the FAT back to the hard disk, you'll have to painstakingly use a sector editor, like those included in the Norton Utilities, PC-Tools and lots of other popular utility packages.

Sector editors will allow experienced users to reconstruct their FAT from the garbage now in its place. This type of recovery does require more than a little knowledge of your computer operating system's disk structure.
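An added example, not code from the book or from any of the utilities it names, of why the FAT is this map (the point of the unformatting discussion above as well) and why a saved copy of it is the easy way back: a constructed FAT12 table is walked to reassemble a fragmented file, scrambled so the chain can no longer be followed, then recopied from the saved table. The toy volume, its two files and the scramble pattern are all constructed here.

```python
"""Added illustration (not code from the book or from any product it names)
of why the FAT is the map DOS needs to reassemble a fragmented file, and why
a saved copy of the table, the kind of snapshot FATBACK.COM-style tools keep,
turns recovery from a scrambled FAT into a simple recopy.  The tiny FAT12
volume below is constructed in memory."""

CLUSTER_SIZE = 4    # bytes per cluster in this toy volume (real disks use 512+)
N_CLUSTERS = 16     # entries 0 and 1 are reserved; data clusters start at 2
EOC = 0xFF8         # any 12-bit value >= 0xFF8 marks the end of a chain


def fat12_get(fat, n):
    """Read 12-bit entry n; entries are packed three bytes per two entries."""
    off = n * 3 // 2
    raw = fat[off] | (fat[off + 1] << 8)
    return raw >> 4 if n & 1 else raw & 0xFFF


def fat12_set(fat, n, value):
    """Write 12-bit entry n without disturbing the neighbouring entry's nibble."""
    off = n * 3 // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def chain(fat, start, n_clusters=N_CLUSTERS):
    """Follow a file's cluster chain from the start cluster in its directory entry."""
    out, n = [], start
    while True:
        if n < 2 or n >= n_clusters:
            raise ValueError(f"chain points at cluster {n:#x}, outside the data area")
        if n in out:
            raise ValueError(f"chain loops back to cluster {n:#x}")
        out.append(n)
        nxt = fat12_get(fat, n)
        if nxt >= EOC:
            return out
        if nxt < 2 or 0xFF0 <= nxt < EOC:
            raise ValueError(f"entry for cluster {n:#x} is {nxt:#05x} (free, reserved or bad)")
        n = nxt


def read_file(fat, clusters, start):
    """Reassemble a file's bytes by visiting its clusters in chain order."""
    return b"".join(clusters[c] for c in chain(fat, start, len(clusters)))


def build_image():
    """Constructed volume: A.TXT is fragmented over clusters 2, 5, 6 and
    B.TXT sits in 3, 4 between its pieces, the way DOS fills free space."""
    fat = bytearray(N_CLUSTERS * 3 // 2 + 2)
    fat12_set(fat, 0, 0xFF8)    # media-descriptor entry
    fat12_set(fat, 1, 0xFFF)    # reserved
    for cur, nxt in ((2, 5), (5, 6), (6, 0xFFF), (3, 4), (4, 0xFFF)):
        fat12_set(fat, cur, nxt)
    clusters = [b"\x00" * CLUSTER_SIZE] * N_CLUSTERS
    clusters[2], clusters[5], clusters[6] = b"HELL", b"O WO", b"RLD!"
    clusters[3], clusters[4] = b"FAT ", b"MAP "
    return fat, clusters


def demo():
    """Read A.TXT, scramble the FAT the way a destructive Trojan might, show the
    map is gone, then recopy the saved table and read the file again."""
    fat, clusters = build_image()
    saved_fat = bytes(fat)                  # the 'constant backup' of the FAT
    before = read_file(fat, clusters, 2)
    fat[:] = b"\xA5" * len(fat)             # data clusters untouched, map is not
    try:
        read_file(fat, clusters, 2)
        after = "no error"
    except ValueError as exc:
        after = str(exc)
    fat[:] = saved_fat                      # recopy the FAT back
    return before, after, read_file(fat, clusters, 2), read_file(fat, clusters, 3)


if __name__ == "__main__":
    print(demo())
```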
Undeleting Files

The situation of erased files is the easiest to recover from (and something you should know just for files deleted by mistake). Lots of commercial and public domain packages are available that undelete deleted files.

The Norton Utilities, PC-Tools, MACE+, and UNDEL.COM (a public domain program) will all undelete files for you. The commercial products are somewhat more reliable in undeleting and are obviously more expensive.

You should always undelete your most recent files first. Since the operating system (DOS) fragments files to fill all available space, older erased files (which are now invisible to DOS) may have segments already overwritten.
The first sector on a hard disk (and a floppy) is called the boot sector. This contains the necessary information for the computer to initialize itself. Not too long ago, the boot sector on my own system was overwritten. All my files were still there, but the computer simply would not boot, responding only with a Probable Non-DOS Disk error message. It wound up costing me several hours to back up the files on the disk, reformat it with new system files, and reload the backup.

In this case, it was not a Trojan or virus that caused the problem. I do a lot of reviews and books about various programs. Some companies are kind enough to send me pre-release versions so I get a head start in doing a book on their product. One of these versions had a bug in it (long since fixed), but it did cause me some hassle at a time when I had several deadlines to meet.
If the boot sector on your hard disk should get erased or written over, there are four things to do. Before you do them, however, if you don't have a current backup of the disk, make one now. There is the possibility that you might have to destroy some files to restore your hard disk to boot status. With a good backup, you can then load these files back in place.
First, attempt to restore the system to the disk. On MS-DOS disks, the system files include two hidden files as well as COMMAND.COM. To do so, insert the floppy disk that came with your computer that has SYS.COM on it. Using the syntax SYS C: for a hard disk (or SYS A: for a floppy) will transfer these system files to the hard disk (maybe).

If the system did transfer (you got no error message), copy COMMAND.COM back onto the hard drive. If the hard drive still won't boot, try the next remedy.
Should you have the MACE+ utilities from Paul Mace, go to the "other utilities" section and "restore boot sector." If you have installed and have been using MACE+ correctly, this will cure your problem.
If none of the above works, do a complete backup of the disk (if you haven't already done it). Now you're going to have to do a low-level format of the hard disk. Instructions on how to do this depend on which controller card you have. This information should have come with your hard disk controller card.
It<strong>'s</strong> important to map out bad sectors (which all hard disks<br />
have) using a program for that purpose (Eric Newhouse recommends<br />
SCAY.COM by Chris Dunford) or by manually entering<br />
the locations of bad sectors into the low-level format program.<br />
After the low-level format, run the utility FDISKCOM (it<br />
comes with DOS) to create a DOS partition. You can use your<br />
DOS manual for help in using FDISK.<br />
Once this low-level format is finished, you'll have to do a<br />
high-level format on your hard disk (yes, Trojans are a nuisance,<br />
aren't they?). Do this by putting your original DOS disk<br />
(the one that came with the <strong>computer</strong>) in drive A: and type<br />
FORMAT :jS/v. represents the<br />
letter of the disk you're formatting. This formats the disk,<br />
putting the necessary DOS system files on it and verifying that<br />
the copy is exact.<br />
Try rebooting again.<br />
Should things still be fouled, you'll have to find a professional<br />
computer repairperson to fix your drive or accept the<br />
fact that the drive cannot be booted. I recommend strongly<br />
against the latter: having to boot from a floppy increases the<br />
chances of viral infections.<br />
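Before going through the remedies above, it is worth confirming that sector 0 really has been erased or overwritten rather than something else being wrong. The following Python script is an added example, not from the book: it decodes the DOS boot sector layout (jump, OEM name, BIOS Parameter Block, 55AA signature) from a 512-byte image of sector 0 and lists anything an intact DOS boot sector would not contain; the image file name on the command line and the sample sector it builds are assumptions.<br />

```python
"""Sanity-check a 512-byte DOS (FAT12/FAT16) boot sector image.

Added example, not from the book. It expects the raw bytes of sector 0
(dumped with whatever sector tool you have); the sample sector built by
build_sample_boot_sector() is constructed here for demonstration only.
"""
import struct

SECTOR_SIZE = 512
# BIOS Parameter Block as laid out from offset 11 in DOS 3.31 and later
BPB_FORMAT = "<HBHBHHBHHHII"


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the jump, OEM name, BPB fields and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    fields = struct.unpack_from(BPB_FORMAT, sector, 11)
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "fat_count", "root_entries", "total_sectors_16", "media_descriptor",
             "sectors_per_fat", "sectors_per_track", "heads", "hidden_sectors",
             "total_sectors_32")
    info = dict(zip(names, fields))
    info["jump"] = sector[0:3]
    info["oem_name"] = sector[3:11]
    info["signature"] = sector[510:512]
    return info


def check_boot_sector(sector: bytes) -> list:
    """Return a list of findings; an empty list means the sector looks intact."""
    if not any(sector):
        return ["sector is all zeros: boot sector has been erased"]
    findings = []
    info = parse_boot_sector(sector)
    if info["signature"] != b"\x55\xAA":
        findings.append("boot signature 55AA missing: sector overwritten")
    if info["jump"][0] not in (0xEB, 0xE9):
        findings.append("first byte is not a JMP: boot code overwritten")
    if not all(0x20 <= b < 0x7F for b in info["oem_name"]):
        findings.append("OEM name is not printable ASCII")
    if info["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("bytes per sector %d is invalid" % info["bytes_per_sector"])
    spc = info["sectors_per_cluster"]
    if spc == 0 or spc > 128 or spc & (spc - 1):
        findings.append("sectors per cluster %d is not a power of two in 1..128" % spc)
    if info["reserved_sectors"] == 0:
        findings.append("reserved sector count is zero (must be at least 1)")
    if info["fat_count"] not in (1, 2):
        findings.append("FAT count %d is unusual" % info["fat_count"])
    if info["media_descriptor"] < 0xF0:
        findings.append("media descriptor %#x is not a DOS media byte" % info["media_descriptor"])
    if info["total_sectors_16"] == 0 and info["total_sectors_32"] == 0:
        findings.append("total sector count is zero")
    return findings


def build_sample_boot_sector(intact: bool = True) -> bytes:
    """Construct a sample boot sector for a ~20 MB FAT16 volume (values are made up)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"   # JMP SHORT over the BPB, then NOP
    sector[3:11] = b"MSDOS3.3"      # OEM name, 8 bytes
    bpb = struct.pack(BPB_FORMAT,
                      512,    # bytes per sector
                      4,      # sectors per cluster
                      1,      # reserved sectors (the boot sector itself)
                      2,      # number of FATs
                      512,    # root directory entries
                      41820,  # total sectors (fits the 16-bit field)
                      0xF8,   # media descriptor: fixed disk
                      41,     # sectors per FAT
                      17,     # sectors per track
                      4,      # heads
                      17,     # hidden sectors (partition starts on track 1)
                      0)      # 32-bit total sectors, unused when the 16-bit field is set
    sector[11:11 + len(bpb)] = bpb
    sector[510:512] = b"\x55\xAA"
    if not intact:
        # simulate an overwrite: garbage over the first 64 bytes, signature gone
        sector[0:64] = bytes([0xAA] * 64)
        sector[510:512] = b"\x00\x00"
    return bytes(sector)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_boot_sector()
    for line in check_boot_sector(data[:SECTOR_SIZE]) or ["boot sector looks intact"]:
        print(line)
```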
5<br />
HOW THE<br />
EXPERTS DEAL<br />
WITH VIRUSES<br />
All the wit in the world is not in one head.<br />
Old Proverb<br />
The computer virus problem is both old and new. It is (at least<br />
theoretically) as old as computers themselves, but new to the<br />
general public. Because computers, thanks to immense drops<br />
in prices and incredible increases in unit production in the last<br />
few years, are now in so many more hands, viruses now can<br />
affect large numbers of people instead of just a few companies<br />
or institutions. Virus stories are in the newspapers almost<br />
weekly now, and they've been featured on national news<br />
broadcasts.<br />
With actual virus infections and, even more importantly,<br />
the threat of infection, a wide spectrum of system managers,<br />
programmers, and others in the computer industry have been<br />
forced to become experts on viruses.<br />
Computer viruses are still, for most, a relatively new problem.<br />
This holds true for the majority of the computer industry<br />
as well. In the process of researching this book, we've found<br />
that some very good people are devising ways to detect and<br />
protect against viruses.<br />
This chapter is a brief look at just a few people on the<br />
"front lines" and how they're leading the fight against computer<br />
viruses. We regret that lack of space doesn't allow us to<br />
include everyone spoken to. While the virus problem is not yet<br />
as severe as it could very easily get, the future of the Information<br />
Age might well depend on people like those quoted below.<br />
They are soldiers in the war to preserve data.<br />
Ross Greenberg: A Flu_Shot<br />
Against Viruses<br />
According to Steve Gibson, writing in his "Tech Talk" column<br />
in the computer industry weekly newspaper, InfoWorld, one of<br />
the most effective virus protection programs available is also<br />
one of the least expensive: Flu_Shot+, by Ross Greenberg (the<br />
product is reviewed later in this book). A software author and<br />
nationally recognized virus expert and consultant, Greenberg<br />
lives in New York City and runs his own company, Software<br />
Concepts Design.<br />
Ross has been very gracious in providing both information<br />
and additional contacts for this book. The interview below<br />
came from comments Ross made to the author over the phone,<br />
from a Round Table conference on GEnie, and extracts from<br />
Flu_Shot+'s documentation. All are combined and reproduced<br />
here through his kind consent.<br />
"The right to use Flu_Shot+," Ross said, in explaining<br />
the shareware concept under which his viral-protection product<br />
is marketed, "is contingent upon your paying for the right to<br />
use it. I ask for ten dollars as a registration fee. This entitles<br />
you to get the next update shipped to you when available, and<br />
allows you to pay me, in part, for my labor in creating the entire<br />
Flu_Shot series. I don't expect to get my normal consulting<br />
rate or to get a return equal to that of other programs which<br />
I've developed and sell through more traditional channels. That's<br />
not my intent, or I would have made Flu_Shot+ a commercial<br />
program and you'd be paying lots more money for it.<br />
"Some people are uncomfortable with the shareware concept,<br />
or believe there's no such thing as Trojan or virus programs,<br />
and that a person who profits from the distribution of a<br />
program such as Flu_Shot must be in it for the money. I've<br />
created an alternative for these folks. I'll call it 'charityware.'<br />
You can also register Flu_Shot+ by sending me a check for<br />
$10 made out to your favorite charity. Be sure to include a<br />
stamped and addressed envelope. I'll forward the money on to<br />
them and register you fully."<br />
Ross Greenberg has been involved with the computer virus<br />
problem since the current scare first came to the public's<br />
attention.<br />
"When Flu_Shot came out, and the news of viruses first<br />
hit the media," he said, "I was getting about 40 calls a day on<br />
the average. These were from people who were totally convinced<br />
they were infected. Of those people, I'd say that no<br />
more than five calls per day were legitimate viruses. Obviously<br />
those people had been hit bad. They usually called me up because<br />
they had Flu_Shot but had not installed it yet. They figured<br />
they'd try one more piece of software out and boom, they<br />
got hit."<br />
A Trojan, Ross explains, is a program which does something<br />
other than that which you intended it to do. A virus, by<br />
that definition, is a Trojan. The main difference is that a virus will<br />
infect other programs with a copy of itself, and later will turn<br />
into a "normal" Trojan on you. This implies that the virus is a far<br />
more dangerous case of being "Trojaned."<br />
The normal Trojan, when it goes off, will only erase or<br />
damage the data on whatever disks are currently available to it.<br />
The virus allows for the Trojan to be transmitted to other<br />
disks, and therefore other computers. Additionally, an infected<br />
program can lie dormant until you run it at some later time.<br />
The virus hangs out, waiting to be executed, and will eventually<br />
"go off," causing a bit of havoc on your all-important data.<br />
"In Flu_Shot," he said, "I've attempted to make the program<br />
only advise you of suspicious operations as they occur.<br />
You are then given the choice of allowing the operation to continue,<br />
allowing all operations to continue until the program<br />
ends, or aborting the operation. This allows you to run programs<br />
such as DOS's own FORMAT program and allows it to<br />
continue to operate normally, but advises you of potentially<br />
dangerous operations which normally shouldn't happen. You<br />
don't expect, for example, a FORMAT operation to take place<br />
when you're using that spiffy new checkbook balancing<br />
program.<br />
"These days, anybody who wants to be protected can be<br />
with Flu_Shot on the el cheapo, so many people are being protected.<br />
Plus, a lot of bulletin board operators out there are<br />
much more cautious now. However, there are a few bulletin<br />
boards I know of where the sysop does nothing but make them<br />
available to you. Unfortunately my own computer club board<br />
does this. I had to fight them tooth and nail to get Flu_Shot on<br />
there.<br />
"For the most part, bulletin board operators and most<br />
users are much more cautious overall now. The people who are<br />
getting hit the hardest these days I would say are probably<br />
universities-for a whole variety of reasons.<br />
"Some of the large corporate structures are being hit, but<br />
not that badly. Obviously if you hit a GE with 40,000 PCs,<br />
that's going to do considerably more damage than if you hit<br />
Fred's computer in the other room. Of course, you won't hear<br />
anything from the folks at big companies if they get hit. They<br />
might call me up and say 'Hi, we're infected, but don't tell anybody.<br />
What do we do?' And a couple of very large corporations<br />
have called me up and said 'Hi, we're infected, but don't tell<br />
anybody. What do we do?'"<br />
Ross then made a very important point about virus<br />
infections:<br />
"The thing to remember," he said, "is right now it's summer.<br />
A lot of those university students are probably at home<br />
now concocting their favorite viruses. So when they come back<br />
in September, I suspect there will be an increase in infections.<br />
It's a nice, interesting, fun hobby for some people.<br />
"Given that, I expect us to have more virus hits in<br />
September and October. Additionally, I'm a little worried about<br />
virus infections in general. Right now, programs like Flu_Shot<br />
or any one of the others, they do everything they can to protect<br />
against viruses. There's no virus that I know of which currently<br />
gets around Flu_Shot. Yet, if I wanted to, I could write one tomorrow<br />
that would get around every single piece of software<br />
out there, including Flu_Shot.<br />
"Writing a virus to attack an unprotected system is really<br />
easy. On a protected system, however, with Flu_Shot or Vaccine<br />
or one of the others, writing a virus is much more difficult.<br />
The folks who are capable of getting around Flu_Shot or<br />
whatever else are not typically the virus-writer type.<br />
"No one has been caught that I'm aware of. I'm not certain,<br />
actually, of what crime they could be prosecuted under.<br />
Assumption: If one were caught, the authorities would nail<br />
them on some seemingly weird charge, such as 'malicious mischief,'<br />
and then they'd get huge fines, a reasonable jail sentence,<br />
and all of their equipment would be confiscated. Remember<br />
also that 'breaking' into a government computer system is a<br />
federal offense of pretty serious merit. I would assume that the<br />
first time your local Congressman lost his re-election data, well,<br />
they'd be pretty angry and some laws would be changed pretty<br />
quickly.<br />
"Getting back to your point, it's impossible to say how<br />
many computers are infected. I am just going to pick a guess<br />
here. I think nationwide 10,000 people."<br />
Since computer filing systems are so vulnerable (see Chapter<br />
3: How Viruses Work), we asked Ross his opinion on<br />
whether computer manufacturers would move soon to make<br />
their equipment more resistant to infection.<br />
"I doubt it," he said. "First, to my knowledge, with the<br />
exception of Apple, none of the major manufacturers have yet<br />
come out and said that there are viruses. No one has said 'We<br />
are doing something about it.' Apple said, 'Well, here's something<br />
to make you feel better.'"<br />
Ross is referring here to the Virus RX program released at<br />
the end of April by Apple Computer. This free antiviral program<br />
was created to answer the Scores virus infection in Macintosh<br />
computers (see "The Scores Virus" in Chapter 2). The<br />
program is available at no charge through Apple dealers and on<br />
various computer bulletin boards, and will be covered in<br />
greater detail later in this book.<br />
"Operating systems," Ross continued, "like OS/2 as an example,<br />
now do have a protection mechanism to prevent a virus<br />
from spreading. Are they currently effective? Yes. But, while<br />
these techniques do fight against viruses, they are just the natural<br />
progression of filing systems rather than specific virus-protection<br />
design on the part of manufacturers."<br />
Some programmers are beginning to include virus protection<br />
routines in their application programs. Ross Greenberg has<br />
also done this, especially in his commercial product, RamNet<br />
(a powerful background, memory resident communications<br />
program that enables you to run a bulletin board, upload and<br />
download, or complete a wide range of other tasks automatically<br />
in the background while using other programs in the<br />
foreground).<br />
"Yes," he said, "RamNet had that from day one. But it<br />
originally wasn't for viruses but to make sure no one was tapping<br />
the code. Such techniques are easy in .COM programs, but<br />
very difficult to do with .EXE programs.<br />
"I guess most of the people out there have a simple question:<br />
Do viruses exist, and how common are they? Additionally,<br />
people are concerned about what their chances are of picking<br />
one up off of their local BBS or from CompuServe, GEnie, or<br />
BIX.<br />
"Well, they do exist. I have about 20 viruses in 'quarantine'<br />
on my BBS machine. The odds of you picking one up<br />
on a service like GEnie are pretty slim, though. Their files are<br />
checked and rechecked, and then verified to make sure they're<br />
as safe as possible.<br />
"Does this mean that you can't get one at all? No. I have<br />
one virus here which is 'set to go off' in September. Another<br />
one waits for your disk to get over 90 percent full. So, the<br />
problem does exist. Your odds of getting one, though, are about<br />
the same as the odds of you getting a laced Tylenol capsule.<br />
"My Flu_Shot+ program attempts to thwart the attempts<br />
of the virus program. It tries to intercept any of the 'normal'<br />
things a virus would do, including direct disk writes, and<br />
changes to any type of .COM or .EXE program.<br />
"I am specifically not in the business of protecting people.<br />
Flu_Shot has drained a lot of my resources from my normal<br />
business. I get about 30 calls per day regarding viruses and Trojans.<br />
That is time I can't give to my normal customer base.<br />
Now, I created Flu_Shot to help people who can't protect<br />
themselves. I felt that putting it out as a $10 shareware product<br />
would allow me to pay for distribution, maybe pay for a new<br />
phone line, and otherwise allow me to break even. I love this<br />
silly little field of ours, and feel privileged to get paid to do<br />
work I enjoy.<br />
"The little worms who write viruses are hurting the field I<br />
love. Hence, I desire to make them extinct. As to publicity:<br />
The amount of publicity that the whole virus question generates<br />
is a feedback loop. I'm more than a little embarrassed<br />
that the normal, noncomputer media reported on the virus<br />
problem long before the computer press did. However, this is a<br />
subject which has to be reported on, just as the Tylenol problem<br />
had to be reported on. The Tylenol problem changed society<br />
a small amount. The virus problem will change computer<br />
society a little. But, I tend to think that the vehement disgust of<br />
people such as you and I is going to turn the little worms off. If<br />
they wanted favorable opinion, they sure are not getting it!<br />
Hence, the publicity is, in my opinion, not a bad thing. You're<br />
now all aware of the problem, which I've known about for<br />
three years!"<br />
Protecting Yourself<br />
Ross offers the following suggestions on how you can protect<br />
your system against viral infection.<br />
"After you make a backup, you might want to consider<br />
using one of the myriad vaccine programs out there. I'm biased,<br />
and like Flu_Shot, but some of the others are quite good<br />
as well.<br />
"You want to be certain that your data is secure. Programs<br />
you can always replace with the distribution copy. Aside from<br />
that, know where you get your programs from. Although a<br />
shrink-wrap is not a guarantee that your program is uninfected,<br />
it's a 99.999 percent guarantee.<br />
"If you use PD software, make sure that the BBS you get it<br />
from has checked it out. I know that the managers on GEnie<br />
spend a great deal of time insuring their own public domain library,<br />
and that other commercial services do as well.<br />
"Remember that people who log onto GEnie and the other<br />
national services are all verified, and have their credit card<br />
information on file. So, it would be rare for someone to even<br />
try to pass a Trojan or a virus intentionally. The same cannot<br />
be said of many BBS systems who allow you to download from<br />
the new uploads section immediately after a program is posted.<br />
Ask your sysop if they check out the code. If the answer is<br />
'No,' get it from someplace else.<br />
"Viruses can infect any program that is executed. They can<br />
infect device drivers (the SYS files in your root directory), and<br />
can infect the boot sector as well. As such, these 'nonspecific'<br />
viruses can infect an entire disk pretty quickly, and are the<br />
most dangerous ones. Making a file read-only is done through a<br />
normal DOS call. Any program can change the attributes easily,<br />
then change them back if it wishes. Finally, just as you can<br />
get a directory listing, a program can as well and can put out a<br />
call for all files matching a pattern, such as *.COM or *.EXE.<br />
"Think of what you can do from the command line. You<br />
type DIR C:*.COM from the A: drive, and you find the COM<br />
files on C:. A virus or Trojan can exploit the DOS system<br />
conventions just as easily. Some of the older monochrome<br />
monitors could be burned out by a program, but I've not seen<br />
a virus which does this.<br />
"As for sysops who are nonprogrammers: Make a full system<br />
backup, close the system down, test out the code, then release<br />
only the tested code. Try checksumming every file on the<br />
disk, then comparing it after you test out the newly uploaded<br />
code.<br />
"The Dirty Dozen list is a great list! But, remember that<br />
any program can contain a virus. An upload of your favorite<br />
PD program could (potentially) have a virus in it. That's why<br />
testing, such as GEnie does, is so important. Trojans, since<br />
they don't spread, will eventually end up on the DD list, so it<br />
is extraordinarily valuable in that regard."<br />
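Ross's advice to checksum every file on the disk and compare again after testing a new upload is a baseline integrity check. The following Python script is an added example (not Ross's code and not Flu_Shot's): it records a SHA-256 for every .COM, .EXE and .SYS file under a directory, then reports what was added, removed or changed in a later snapshot; the sample tree it builds is constructed purely for the demonstration.<br />

```python
"""Checksum every executable and driver, then compare after testing new uploads.

Added example, not from the book and not Flu_Shot's code. It records a SHA-256
for each .COM, .EXE and .SYS file below a root directory and reports what was
added, removed or changed in a later snapshot. The sample tree in demo() is
constructed here purely for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile

# Ross names programs, device drivers and the boot sector; the boot sector is
# not a file, so this script covers the first two kinds.
WATCHED_EXTENSIONS = (".com", ".exe", ".sys")


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each watched file (path relative to root) to (size, digest)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WATCHED_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), file_digest(full))
    return baseline


def compare_baselines(before: dict, after: dict) -> dict:
    """Report files added, removed or changed between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Baseline a constructed sample tree, alter it, and return the comparison."""
    root = tempfile.mkdtemp(prefix="sysop_check_")
    try:
        os.makedirs(os.path.join(root, "BIN"))
        samples = {  # constructed sample files, not real DOS binaries
            "COMMAND.COM": b"MZ constructed sample command interpreter",
            "BIN/EDIT.COM": b"constructed sample editor",
            "ANSI.SYS": b"constructed sample device driver",
            "README.TXT": b"not executable, so not tracked",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        before = build_baseline(root)  # the sysop's checksum record

        # Changes of the kind a test run of a new upload might leave behind:
        # an existing program grows, a new program appears, a driver vanishes.
        with open(os.path.join(root, "BIN", "EDIT.COM"), "ab") as handle:
            handle.write(b" plus appended bytes")
        with open(os.path.join(root, "NEWGAME.EXE"), "wb") as handle:
            handle.write(b"constructed new upload")
        os.remove(os.path.join(root, "ANSI.SYS"))

        after = build_baseline(root)  # re-checksum after the test
        return compare_baselines(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind + ":", ", ".join(paths) or "(none)"))
```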
Ross was then asked about the names of known viruses.<br />
"Well, I don't give the little suckers names! I have about<br />
20 viruses that have been uploaded to my board (remember<br />
that I actually ask for them, so that isn't a normal number<br />
we're speaking of). Flu_Shot+ does work against the Brain virus,<br />
though. A virus (or a Trojan) is only dangerous when it is<br />
run. You can safely examine the program you suspect of<br />
containing a virus, including deARCing it. Only when you execute<br />
a program does it get tricky.<br />
"My favorite virus was one which went TSR (Terminate<br />
and Stay Resident), and attached itself onto the timer tick.<br />
Once per minute it would examine the screen and search out<br />
four consecutive numbers. When it found a set, it would randomly<br />
transpose two of them. Sounds cute, but could be dangerous<br />
if you're using Lotus 1-2-3 to run a multimillion dollar<br />
company!<br />
"Your BIOS is in two parts. One, in ROM, can't be<br />
changed except by physically pulling the chip. The second part<br />
is stored on disk, as a hidden file, and is called IBMBIO on<br />
IBM-DOS, IO.SYS on MS-DOS. That can be changed and can<br />
be infected. The other part of your configuration is in CMOS<br />
RAM, that is, battery backed up RAM. It can be modified by a<br />
virus, but isn't really dangerous. Flu_Shot+ tries to protect<br />
against that particular change. Alas, that's been a problem spot<br />
(read that as 'bug!') in Flu_Shot for longer than I like to admit.<br />
Copy-protected software can be a problem if it gets infected.<br />
My suggestion: Call up the manufacturer and ask them what<br />
they intend to do about it!"<br />
Ross Greenberg's virus protection program, Flu_Shot+,<br />
will be reviewed later in the book. It's a shareware program,<br />
meaning that you'll find it on many computer networks and<br />
bulletin boards. You can download it and try it free, paying<br />
the $10 registration fee only if you decide that the program is<br />
worthwhile for you.<br />
"Copies which you download from the RamNet BBS (212-<br />
889-6438)," Ross said, "or from the NYACC BBS (718-539-<br />
3338), BIX, COMPUSERVE, DELPHI, GEnie or from<br />
USENET are all good clean copies.<br />
"Copies from most BBS's are going to be clean, too. I suggest<br />
that you do not use a copy unless the sysop of the BBS<br />
states that he or she has tried out the uploaded copy and proclaims<br />
it not to be Trojaned or wormed in any way. I do expect<br />
that some worm out there, disappointed at my attempts to<br />
remove what little joy they get out of life, will attempt to use<br />
the popularity of Flu_Shot+ in some way to further spread the<br />
disease in his or her mind."<br />
You may also order a copy direct from Greenberg by sending<br />
$10 to Software Concepts Design, 594 Third Avenue, New<br />
York, New York 10016.<br />
Reward Offered<br />
There is one additional service Ross Greenberg is doing for the<br />
computer industry. He is offering rewards for anyone turning in<br />
someone who has deliberately spread viral infection. This<br />
worthwhile effort should be supported. Below is the text of his<br />
reward offer:<br />
* * *<br />
Somebody out there knows who the worms are.<br />
Even they must have someone who is a friend. True, I<br />
can't think of any reason someone would befriend a<br />
worm, but somebody who doesn't know better has.<br />
Well, I'm offering a reward for the capture and conviction<br />
of these worms. Enough already with software<br />
protection schemes, hardware protection schemes, or<br />
any protection at all. It shouldn't be required!<br />
Here's the deal: If you're a software or hardware<br />
manufacturer, or you have some software or hardware<br />
you don't need, consider donating it to this worthy<br />
cause. I don't know what the legal and tax ramifications<br />
of that donation would be. I'm not a lawyer and we can<br />
cross that bridge when we get to it (donations are not<br />
sent unless a person actually qualifies to receive them).<br />
Anyway, if you know one of these worms, turn<br />
them in! Call me up, send me a letter, a telegram, or<br />
leave a message for me on my BBS. Indicate who you<br />
know is worming about. I'll keep your name confidential.<br />
It is surprisingly easy to get the authorities in on<br />
this-they're as concerned about what is happening to<br />
our community as we are. I'll presume that they'll end<br />
up putting a data tap on the phone line of the accused<br />
worm. Then, when he next uploads a Trojan or a virus<br />
to a BBS, he'll get nailed. The authorities are pretty<br />
good about this stuff: They'll not tap a phone or take<br />
any action whatsoever without adequate proof.<br />
Will your dropping a dime on this worm be adequate<br />
proof? I don't know. Again, a bridge to cross when<br />
we approach it. However, assuming that this slimeball<br />
gets nailed, you'll get all of the software and hardware<br />
other people have donated. You'll also get the satisfaction<br />
of knowing you've done a good thing-you've<br />
helped an industry and community continue to grow.<br />
This is your community, and the vast majority of people<br />
in it are good people who shouldn't have to fear others.<br />
Your friend is not really a friend; he uses you to<br />
justify his own existence. When people use you like<br />
that, they're not friends; they're leeches. And you've<br />
probably got better things to do than let others use you<br />
like that. Most importantly, the worm out there won't<br />
know if one of his friends has already turned him in, so<br />
he won't know if his phone is tapped.<br />
If I were a worm, and considering what kind of<br />
friends I would have, I'd be sure that somebody<br />
dropped a dime on me. And therefore intelligent worms<br />
(perhaps I'm giving them too much credit?) must presume<br />
that their lines are tapped and that they're gonna<br />
go to jail if they continue what they're doing. So just<br />
stop, you miserable little lowlifes, huh? You're going to<br />
be arrested. You're going to have to put up with indignities<br />
which even you don't deserve! Your equipment<br />
will be confiscated. You'll never get a job in the industry.<br />
You're going to go to j<strong>ai</strong>l. All this will happen<br />
because one of your friends actually has a conscience<br />
and knows what's right and what's wrong. And what<br />
you're doing is wrong.<br />
So, let me get back to the kind of programming I<br />
enjoy-productive programming. And turn your programming<br />
to useful, interesting, and productive programming.<br />
You have the talent to do something useful<br />
and good with your life. What you're doing is hurting<br />
the industry and hurting the community that would<br />
welcome someone with your talents with open arms.<br />
The satisfaction of helping far surpasses the satisfaction<br />
you must get from hurting innocent people. So just stop.<br />
Sincerely, Ross M. Greenberg<br />
* * *<br />
A registration form for pledging software or hardware to<br />
the reward fund is included in the archive of Flu_Shot+,<br />
which is available from all the major computer networks or<br />
from Mr. Greenberg's own board (see below).<br />
Ross Greenberg may be contacted at Software Concepts<br />
Design, 594 Third Avenue, New York, New York 10016 or<br />
phone 1-212-889-6431 between 9:00 a.m. and 5:00 p.m., Eastern<br />
Time. Ross also provides a 24-hour per day computer bulletin<br />
board with virus information. Use 1200 or 2400 baud, no<br />
parity, 8 bits, 1 stop bit (8N1) and call 1-212-889-6438. He also<br />
may be contacted via MCI Mail and on BIX as 'greenber' and<br />
on CompuServe/PCMagNet as 72241,36.<br />
Raymond M. Glath: Keeping<br />
Watch for Viruses<br />
Ray Glath is president of RG Software Systems (2300 Computer<br />
Avenue, Suite I-51, Willow Grove PA 19090 or call 1-<br />
215-659-5300). His company's virus protection product, Disk<br />
Watcher, is reviewed later in this book. The firm also manufactures<br />
the PC Tracker microcomputer inventory and management<br />
system used by many large companies. This interview<br />
contains material from a phone conversation and from documentation<br />
supplied, courtesy of Mr. Glath.<br />
"Many who create virus programs view them as a joke,"<br />
Ray Glath said, "but even nondestructive viruses, like ones<br />
that display 'gotcha' messages on a screen, cost a business time,<br />
money, and morale. We think our simple pop-up warning of<br />
unusual activity happening in a system can save incalculable<br />
headaches."<br />
RG Software Systems, Glath continued, now offers a white<br />
paper that details its rational view of computer viruses and explains<br />
countermeasures that won't limit access to shareware,<br />
online services, electronic mail, or user groups. The paper outlines<br />
steps that Information Center managers, MIS/DP groups,<br />
and office managers should take immediately to avoid viral<br />
infection and lost productivity caused by disk-borne computer<br />
virus, time-bomb, and "Trojan horse" programs. The free<br />
white paper, available by request on company letterhead, provides<br />
practical solutions business users can implement quickly<br />
without sacrificing system flexibility.<br />
"So far," Ray said, "viruses are better publicized in the<br />
academic environment, but they're spreading among businesses.<br />
Smart companies are taking steps to guard against<br />
them.<br />
"Several attacks have been documented by the press and,<br />
from firsthand experience, I can attest to the fact that those reported<br />
do exist. We have seen them and successfully tested our<br />
Disk Watcher product against them. Reputable individuals<br />
have reported additional viruses to us, but these have not<br />
reached the scale of distribution achieved by the now infamous<br />
'Lehigh,' 'Brain,' 'Israeli,' and 'Macintosh' viruses.<br />
"We do expect the situation to worsen due to the attention<br />
it's received. Taking simple lessons from history, a new<br />
phenomenon, once given attention, will be replicated by individuals<br />
who otherwise have no opportunity for personal<br />
attention.<br />
"Now that there are products for defense from viruses, the<br />
virus writers have been given a challenge; and for those people<br />
who have always wanted to anonymously strike out at someone<br />
but didn't know of a method to do so, the coverage has<br />
provided a 'How To' guide."<br />
Glath then addressed the problem of distinguishing a bug<br />
or hardware malfunction from a true virus.<br />
"This can be a tough one. With the publicity surrounding<br />
<strong>viruses</strong>, many people are ready to believe that any strange<br />
occurrence while computing may have been caused by a virus,<br />
when it could simply be an operational error, hardware component<br />
f<strong>ai</strong>lure, or a software bug.<br />
"While most commercial software developers test their<br />
products exhaustively. There is always the possibility that some<br />
combination of hardware, mix of installed TSRs, user actions,<br />
or slight incompatibilities with compatible or clone machines<br />
or components can cause a problem to surface."<br />
Glath recommends that you remember the following key<br />
points:<br />
1. Examine the probabilities of your having contacted a virus.<br />
67
Chapter 5<br />
2. Don't just assume that you've been attacked by a virus and<br />
abandon your normal troubleshooting techniques or those<br />
recommended by the product manufacturer.<br />
3. When in doubt contact your supplier or the manufacturer for<br />
tech support.<br />
4. Having an effective "Virus Protection" system installed may<br />
help you determine the cause of the problem.<br />
Protection from Viruses

Do you need some form of protection from viruses?

"It wouldn't hurt," Glath said. "You do lock the door to your home when you go out, right?

"Plan in advance the methods you'll use to ward off virus attacks. It's a far more effective use of management time to establish preventive measures in a calm environment instead of making panic decisions after a virus attack has occurred."

Can you be absolutely safe?

"No! Any security system can be broken by someone dedicated and knowledgeable enough to put forth the effort to break the system."

How can a software product protect against viruses?

"There are several approaches that have been developed.

"One form is an 'inoculation' or 'signature' process whereby the key files on a disk are marked in a special way and periodically checked to see if the files have been changed. Depending on the way in which this is implemented, this method can actually interfere with programs that have built-in integrity checks.

"Another method is to write protect specific key areas of the disk so that no software is permitted to change the data in those places.

"We at RG Software Systems believe that preventive measures are the most effective. The Disk Watcher system provides multiple lines of defense:

"A batch type program automatically checks all active disk drives for the presence of certain hidden virus characteristics when the computer is started, and a TSR (Terminate and Stay Resident) program monitors ongoing disk activity throughout all processing. The batch program can also be run on demand at any time to check the disk in a specific drive.

"The TSR program, in addition to its other 'Disaster Prevention' features, contains a series of proprietary algorithms that detect the behavior characteristics of a myriad of virus programs and yet produce minimal overhead in processing time and 'false alarm' reports. Disk Watcher is uniquely able to tell the difference between legitimate I/O activity and the I/O activity of a virus program.

"When an action occurs indicative of a virus attempting to reproduce itself, alter another program, set itself up to be automatically run the next time the system is started, or attempting to perform a massively damaging act, Disk Watcher will automatically pop up. The user will then have several options, one of which is to immediately stop the computer before any damage can be done. Detection occurs before the action takes place. Other options allow the user to tell Disk Watcher to continue the application program and remember that this program is permitted to perform the action that triggered the pop-up."
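The behavior-based checks Glath describes (flag a program that alters another program, sets itself up to run at startup, or attempts a massively damaging act, and let the operator approve a program for that action in future) can be modelled as a small rule engine over a stream of disk events. This is an added example, not RG Software's code; the event fields, rule names and the sample event stream are constructed for illustration.

```python
"""Behavior-based disk-activity monitor with a per-program allow-list.

Added example, not Disk Watcher's code. It models the rule set the
interview describes (flag a program that alters another program, sets
itself up to run at startup, or performs a massively damaging write) and
the "remember that this program is permitted" option. Event fields, rule
names and the sample event stream are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class DiskEvent:
    """One disk operation as a resident monitor would see it (constructed)."""
    program: str        # executable performing the operation
    op: str             # "write", "absolute_write" or "format"
    target: str         # file path, "BOOT_SECTOR" or a drive letter
    size: int = 0       # bytes involved


EXECUTABLE_EXT = (".COM", ".EXE", ".SYS")
STARTUP_FILES = {"C:\\AUTOEXEC.BAT", "C:\\CONFIG.SYS", "BOOT_SECTOR"}


def classify(ev: DiskEvent) -> Optional[str]:
    """Return a verdict name when an event matches a virus-like pattern,
    None for ordinary activity (a word processor saving a document)."""
    tgt = ev.target.upper()
    if ev.op == "format":
        return "massive_damage:format"
    if ev.op == "absolute_write":
        return "massive_damage:absolute_sector_write"
    if tgt in STARTUP_FILES:
        return "persistence:startup_modification"
    # A program writing into a *different* executable is the classic
    # file-infector pattern ("alter another program").
    if tgt.endswith(EXECUTABLE_EXT) and tgt != ev.program.upper():
        return "replication:executable_modified"
    return None


@dataclass
class Monitor:
    """Evaluates events before the write happens; blocked events are
    recorded as alerts, approved (program, verdict) pairs pass silently."""
    permitted: Set[Tuple[str, str]] = field(default_factory=set)
    alerts: List[Tuple[DiskEvent, str]] = field(default_factory=list)

    def allow(self, program: str, verdict: str) -> None:
        """The operator's 'continue and remember' choice from the pop-up."""
        self.permitted.add((program.upper(), verdict))

    def observe(self, ev: DiskEvent) -> str:
        """Return "ok", "permitted" or "blocked" for the event."""
        verdict = classify(ev)
        if verdict is None:
            return "ok"
        if (ev.program.upper(), verdict) in self.permitted:
            return "permitted"
        self.alerts.append((ev, verdict))
        return "blocked"


def run_demo() -> dict:
    """Replay a constructed event stream and summarise what happened."""
    mon = Monitor()
    # A linker legitimately rewriting the executable it is building, which a
    # naive rule would flag every time; the operator approved it once.
    mon.allow("C:\\TC\\TLINK.EXE", "replication:executable_modified")
    stream = [
        DiskEvent("C:\\WP\\WP.EXE", "write", "C:\\DOCS\\LETTER.TXT", 2048),
        DiskEvent("C:\\TC\\TLINK.EXE", "write", "C:\\TC\\HELLO.EXE", 9000),
        DiskEvent("C:\\GAMES\\FUN.COM", "write", "C:\\DOS\\COMMAND.COM", 1800),
        DiskEvent("C:\\GAMES\\FUN.COM", "write", "C:\\AUTOEXEC.BAT", 120),
        DiskEvent("C:\\UTIL\\PACK.COM", "format", "C:", 0),
    ]
    results = [mon.observe(ev) for ev in stream]
    return {"results": results,
            "alerts": [(ev.program, verdict) for ev, verdict in mon.alerts]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```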
Choosing a Virus Protection Package

Mr. Glath then provided some tips on how to choose the best virus protection package for you.

"Since the first reports of virus attacks appeared in the press, a number of virus prevention products have quickly appeared on the market, produced by companies wishing to take advantage of a unique market opportunity. This is to be expected. We are one of them with our Disk Watcher product.

"It should be pointed out, however, that only a few months have transpired since the first major media stories started appearing.

"Those companies that have had to build a product from scratch during this limited amount of time have had to design the defensive system, write the program code, write the user's manual, design the packaging, Alpha test, Beta test, and bring their product through manufacturing to market. A monumental task in a miraculously short period of time.

"Companies that have had products on the market that include virus protection, or products that were enhanced to include virus protection, such as Disk Watcher, have had extra time and field experience for the stabilization of their products.

"As a professional in this industry, I sincerely hope that the quickly developed products are stable in their released form."

Glath suggests the following evaluation points be applied as a standard for all types of software products:

• Price
• Performance
• Ease of Use
• Ease of Learning
• Ease of Installation
• Documentation
• Copy Protection
• Support

"A virus protection package, like a security system for your home, requires a close scrutiny. You want the system to do the job unobtrusively and yet be effective."

Special Considerations for Virus Protection Packages

Ray Glath of RG Software Systems provides the following list of twelve special considerations in choosing a virus protection package:

Amount of impact the package may have on your computer's performance. If the package is RAM Resident, does it noticeably slow down your machine's operations? If so, with what type of operation? Are program startups slowed? Are database operations slowed?

Level of dependency on operator intervention. Does the package require the operator to perform certain tasks on a regular basis in order for it to be effective? (Such as only checking for virus conditions on command.) Does the package require much time to install and keep operational? For example, must the protection package be used each time new software is installed on the system?

Impact on productivity . . . Annoyance level. Does the package periodically stop processing and/or require the operator to take some action? If so, does the package have any capability to learn its environment and stop its interference?

False alarms. How does the package handle situations that appear to be viruses, but are legitimate actions made by legitimate programs? Are there situations where legitimate jobs will have to be rerun or the system rebooted because of the protection package? How frequently will this occur? How much additional end-user support will the package require?

The probability the package will remain in use. Will there be any interference or usage requirements that will discourage the user from keeping the package active? (It won't be effective if they quickly desire to de-install it and perhaps only pretend they are using it when management is present.)

Level of effectiveness it provides in combating viruses. Will it be effective against viruses produced by individuals in the following experience levels?

Level 1: Typical End User (Basic knowledge of using applications and DOS commands.)
Level 2: Power User (Knowledge of DOS command processor, hardware functions, BASIC programming, and other advanced features.)
Level 3: Applications Programmer (Knowledge of programming languages and DOS service calls.)
Level 4: Systems Engineer (Knowledge of DOS and hardware internal functions.)
Level 5: Computer Science Professor who develops viruses for research purposes.

Which types of virus intrusion will it be effective against? Covert Entry? Overt Entry?

Does it detect a virus attempting to spread or clone itself? Does it detect a virus attempting to place itself into a position to be automatically run?

If a virus gets into the computer, which types of virus damage will it detect: Massive Destruction? Partial Destruction? Selective Destruction? Random Havoc Destruction? Annoyance?

Does the software detect a virus before or after it has infected a program or made its attack?

Does the publisher claim total protection from all viruses?

Does the software provide any assistance for post mortem analysis of suspected problems? If a virus symptom is detected and the computer is brought to a halt, is there any supporting information for analyzing the problem other than the operator's recall of events?

Impact on your machine's resources. How much RAM is used? Is any special hardware required?

Is the product compatible with your hardware configuration? Your operating system version? Your network? Other software you use, especially TSRs?

Can the package be used by current computing personnel without substantial training? What type of computing experience is required to install the package?

Background of the publisher. References. Who is using this or other products from this publisher? How is this company perceived by its customers? The press? How long has the publisher been in business?

Was the product Beta tested? By valid, well-known organizations or by friends of the company's owner? Was the product tested against any known viruses? Successfully?

What about ongoing support? In what form? At what cost? Does the company plan to upgrade its product periodically? What is the upgrade policy? Expected costs?

Does the package provide any other useful benefits to the user besides virus protection?
From the Oracles at Delphi

One of the large public worldwide computer services is Delphi. Located in Cambridge, Massachusetts, Delphi has local telephone number access throughout the United States and Canada. In the various special interest groups of Delphi are many thousands of public domain and shareware programs for downloading. The author of this book (whose user name on Delphi is also AUTHOR) manages the Writers Group, which has several hundred available programs just by itself.

There are special interest groups for the various types of computers, and groups for hobbies, science fiction, theology, business, games, and others. Each of these groups has a database section that offers programs.

Like all the other major networks, Delphi management in general and various sysops in particular are concerned with preventing viral infection in the programs provided to users. While it is impossible for any network to fully guarantee that no virus-infected program will ever slip through, Delphi has been one of the leaders in protecting its users.

Jeff Shulman and the Macintosh

Jeff Shulman, the new ICONtact Manager (Delphi's Macintosh-oriented special interest group), is one of the sysops concerned with preventing virus infections. In fact, he is the author of a virus detection program for the Macintosh. He was also the first person to inform Aldus that their FreeHand program was being distributed with the Peace virus.

"When viruses first appeared on the Mac," Jeff said, "I, too, wondered how to protect Delphi users from downloading an infected file. Using tools like ResEdit to examine each file was an extremely time consuming process. What I needed was a tool that could quickly scan files for the various 'tags' viruses left in files. This utility should also be easily modifiable should new strains of viruses come along.

"That was how VirusDetective was born. VirusDetective (VD) was written as a DA so it could be run at any time from any program (like immediately after I download a file). What VD does is search through all the files in a given folder, recursively (or the entire disk), looking for files that meet its matching criteria. Here is where I used my knowledge of Mac programming (I have several programs on the market, like FontDisplay, DiskLock and WriteFontSize) and how viruses work to come up with a list of programmable search criteria.

"VD can be configured to select a file by its type, creator, or by looking for specific resources. The resources may be searched for by name, ID, type, size, or size range. Once a file is found that matches its search criteria, it tells the user and gives him a chance to remove that particular resource.

"Now, most viruses in the Mac world cannot be fully eradicated by removing a single resource. VD's main purpose is virus detection, not eradication. There are several other programs that are built to eradicate specific viruses. VD also does not search for suspect viruses like Interferon does. You must tell VD exactly what to look for. Thus, it is possible for a new virus to sneak by VD (as well as the other programs).

"However, in the highly connected Mac community, it will quickly be identified. Once identified, VD can easily be reconfigured by the user to also include that virus in its search criteria. The other detection programs may require reprogramming and redownloading to include a new virus.

"VD is being marketed as shareware. It has had little return so far. This is probably due in part to the fact the other programs are free.

"Another feature of VD is its ability to keep a log of all the files searched and those that matched the search criteria. It's this logging capability and the ability to easily configure the search criteria that enables VD to search for just about anything and not just for viruses.

"I also use CE Software's Vaccine INIT and run every program posted before it is released. That way, should a new unknown virus pass VD's testing, hopefully, Vaccine would pick it up. I'm also extra careful with postings from new uploaders and people whose names I don't recognize. A majority of the stuff I cross-post from the noncommercial networks is also checked by those moderators.

"I'm not saying that a virus infected program will never be posted. Just as the virus scare started, all three major networks did have a virus program up on the board, but it was quickly detected and removed within 24 hours on all the services. I regularly read messages from both CIS and GEnie as well as Usenet and INFO-MAC. Between all five networks, Mac viruses are caught and removed before they have a chance to spread.

"My advice to someone who wants to be extra careful is to not download any new file when it first comes out but to wait a week. Unless it is a very clever virus with a long time delay, it will be found out and removed in the week's time.

"The telecommunicating Mac community is very large and very quick at finding these things out."
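VirusDetective's matching as Jeff describes it (walk a folder recursively, select files by type, creator, or by resource name/ID/type/size range, log every file examined, and offer to remove a matched resource) as an added example that is not Jeff Shulman's code. It models a Macintosh resource fork as a list of typed resources; the folder tree, the "DEMO" resource type and the criteria are constructed and encode no real virus signature. The last file in the sample tree shows the limitation he mentions: a tag the criteria don't name is reported clean.

```python
"""Resource-criteria file scanner modelled on the VirusDetective description.

Added example, not VirusDetective's code. A Macintosh file has a type and
creator code and a resource fork of typed, numbered resources; the scanner
walks an in-memory folder tree, matches files against criteria (type, creator,
resource type/ID/name/size range), logs every file, and strips matched
resources. All sample data is constructed and encodes no real virus.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Resource:                 # one entry in a file's resource fork
    rtype: str                  # four-character type, e.g. "CODE"
    rid: int
    name: str = ""
    size: int = 0

@dataclass
class MacFile:
    name: str
    ftype: str                  # file type code, e.g. "APPL"
    creator: str                # creator code
    resources: List[Resource] = field(default_factory=list)

@dataclass
class Folder:
    name: str
    files: List[MacFile] = field(default_factory=list)
    subfolders: List["Folder"] = field(default_factory=list)

@dataclass
class Criteria:
    """Search rule; a None field is a wildcard, size_range is inclusive."""
    label: str
    ftype: Optional[str] = None
    creator: Optional[str] = None
    rtype: Optional[str] = None
    rid: Optional[int] = None
    rname: Optional[str] = None
    size_range: Optional[Tuple[int, int]] = None

    def matches(self, f: MacFile) -> Tuple[bool, Optional[Resource]]:
        """(hit, offending resource); resource is None for a type/creator hit."""
        if self.ftype not in (None, f.ftype) or self.creator not in (None, f.creator):
            return False, None
        if all(t is None for t in (self.rtype, self.rid, self.rname, self.size_range)):
            return True, None
        for r in f.resources:
            lo, hi = self.size_range or (0, r.size)
            if (self.rtype in (None, r.rtype) and self.rid in (None, r.rid)
                    and self.rname in (None, r.name) and lo <= r.size <= hi):
                return True, r
        return False, None

def scan(folder: Folder, rules: List[Criteria], path: str = "") -> list:
    """Recursive walk; one (path, label, file, resource) entry per file,
    label being the first matching rule's label or "clean"."""
    here = f"{path}{folder.name}:"          # Macintosh paths use ':'
    log = []
    for f in folder.files:
        label, r = "clean", None
        for c in rules:
            ok, r = c.matches(f)
            if ok:
                label = c.label
                break
        log.append((here + f.name, label, f, r))
    for sub in folder.subfolders:
        log.extend(scan(sub, rules, here))
    return log

def tagged(name: str, size: int) -> MacFile:
    """Constructed application carrying an extra 'DEMO' resource."""
    return MacFile(name, "APPL", "PACK", [Resource("CODE", 0, "", 1200),
                                          Resource("DEMO", 128, "constructed-tag", size)])

def demo() -> dict:
    """Scan a constructed tree, remove what matched, scan again. 'Unknown'
    carries a type the rule does not name and stays clean: the scanner only
    finds what it is told to look for."""
    tree = Folder("Apps", [
        MacFile("Writer", "APPL", "WRTR", [Resource("CODE", 1, "Main", 30000)]),
        tagged("Packer", 378),
        MacFile("Notes", "TEXT", "WRTR"),
    ], [Folder("Downloads", [
        tagged("Packer copy", 380),
        MacFile("Unknown", "APPL", "NEWX", [Resource("NOVL", 1, "", 378)]),
    ])])
    rules = [Criteria("demo-tag", rtype="DEMO", size_range=(300, 400))]
    first = scan(tree, rules)
    for _, _, f, r in first:
        if r is not None:               # the "remove that resource" option
            f.resources.remove(r)
    return {"log": [(p, label) for p, label, _, _ in first],
            "removed": sum(r is not None for _, _, _, r in first),
            "after_removal": [(p, label) for p, label, _, _ in scan(tree, rules)]}
```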
Marty Goodman of Delphi

Marty Goodman is SIGOP for Delphi's CoCo SIG, and also is involved with the OS9 and Portable Place groups as well.

"The Radio Shack color computer," Marty said, "is operated under one of two operating systems: RS DOS (otherwise known as DISK EXTENDED COLOR BASIC) and OS9.

"Now, RS DOS is a ROM-based operating system and so is totally, utterly, and completely invulnerable to any possible virus by virtue of its existing only as unalterable firmware. This takes care of the majority of Color Computer users.

"The more advanced minority who use OS9 use a UNIX-like operating system. (Described by Dr. Dobbs Journal as "Leaner and Meaner than Unix.") Because it is a disk-based operating system, OS9 is in theory as vulnerable as MS-DOS or any other disk-based operating system to viruses.

"In practice, though, to date I know of not one authenticated report of a CoCo OS9 virus ever being discovered. This may in part be due to the fact that OS9 users are a serious lot, and a very tiny minority among computer users, especially 6809/CoCo OS9, and so tend to support each other and are by nature less likely to spend their time concocting diabolical nasties. That may sound a bit corny but actually probably is to some real degree true.

"In the Portable Place, the Tandy 100 and 200 are relatively immune to any virus, again by virtue of the fact that their operating software is in the form of ROM-based firmware, so in the worst case, a freezing cold start will wipe out any viral infection.

"In the case of the MS-DOS-based lap portables, the issues are of course the same as those with MS-DOS desktop machines.

"Although real viruses have been created for MS-DOS machines, these are extremely rare, and roughly 99.99 percent of the time someone thinks a problem is due to a virus, it is instead due to software misuse, damaged software, or a hardware failure of some kind (the latter being relatively unlikely, too). Thus, at present, I for one am not honestly very worried about viruses, and (please take no offense here) tend to watch all the hysteria about them with just a little amusement.

"Since viruses can be created to merge with and contaminate the operating system in any of a number of ways, there does not seem to me any means of a sysop protecting users against viruses in any practical sort of way, apart from employing top notch assembly language programmers with extreme familiarity with the MS-DOS operating system at the machine level to disassemble totally and analyze every program posted. This, of course, is a logistical and financial impossibility.

"Beyond that, it is hard for me to imagine any other means of dealing with the 'viral threat' than carefully examining any member report of problems that might be associated with a file one has downloaded. Of course, as we all note, software here is 'as is' and 'at your own risk.'"

Michael A. Banks, science fiction and computer book author, and manager of the Science Fiction Group, has found what he feels to be the ideal solution.

"We are concerned with the virus problem. After all, science fiction writers have long predicted it. But I let my Assistant Manager handle the actual checking out. He seems to know something about the subject."

(The author of this book, in addition to managing the Writers Group, is also assistant manager in the SF Group.)
One Man's Opinion

Now, I get to talk for me! As manager of Delphi's Writers Group for the past two years, the threat of viruses, Trojans, and logic-bombs has been a fact of life. There are over 300 programs now in the Writer's Software topic of my database. And, while system-wide and group disclaimers protect us from a legal standpoint, users certainly won't come back if they get a bad program.

I started using the CHK4BOMB program from the first. It's pretty simple (and was designed more for Trojans than viruses, having come out in 1985). You enter "CHK4BOMB " for a listing of all ASCII strings, and potentially dangerous disk activity. You get warning messages such as "****WARNING**** This program writes to absolute sectors. The possibility exists to overwrite important data." Or "****WARNING**** This program FORMATS a disk! All data on the disk could be lost!"
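The kind of listing CHK4BOMB produces, as an added example that is not CHK4BOMB's code: a static scan of a DOS .COM image that lists its printable strings and warns when it finds the DOS absolute-disk-write interrupt or direct BIOS disk calls. How CHK4BOMB itself finds dangerous disk activity is not described here; the opcode-byte heuristic and the sample image are my assumptions, constructed for illustration.

```python
"""Static scan of a DOS .COM image for printable strings and risky disk calls.

Added example in the spirit of the CHK4BOMB listing described above; it is
not CHK4BOMB's own code, and the heuristic (look for INT 25h/26h and INT 13h
opcode bytes) is an assumption about how such a check can be done, not a
description of how CHK4BOMB works. The sample image is constructed.
"""
import re
from typing import Dict, List

# DOS/BIOS interrupt numbers whose presence in code is worth a warning.
# INT 26h is the DOS absolute disk write and INT 25h the absolute read;
# INT 13h is the BIOS disk service, which includes the format-track function.
INT_WARNINGS = {
    0x26: "This program writes to absolute sectors. "
          "The possibility exists to overwrite important data.",
    0x25: "This program reads absolute sectors.",
    0x13: "This program calls BIOS disk services directly "
          "(low-level read/write/format possible).",
}
INT_OPCODE = 0xCD          # x86 'INT imm8'


def ascii_strings(image: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII at least min_len long, like a
    'strings' listing. A trailing '$' (DOS string terminator) is kept so
    the reader sees the text as the program stores it."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def risky_interrupts(image: bytes) -> Dict[int, List[int]]:
    """Map interrupt number -> offsets of every 'INT nn' byte pair found.
    A linear byte scan can misfire on data that happens to look like code,
    so offsets are reported for a human to confirm in a disassembler."""
    hits: Dict[int, List[int]] = {}
    for off in range(len(image) - 1):
        if image[off] == INT_OPCODE and image[off + 1] in INT_WARNINGS:
            hits.setdefault(image[off + 1], []).append(off)
    return hits


def scan_com(image: bytes) -> Dict[str, object]:
    """Produce the report a cautious sysop would want before posting a file."""
    hits = risky_interrupts(image)
    warnings = ["****WARNING**** " + INT_WARNINGS[n] for n in sorted(hits)]
    return {"strings": ascii_strings(image), "interrupts": hits,
            "warnings": warnings}


# Constructed .COM image: prints a banner via INT 21h/AH=09h, then issues
# an absolute disk write (INT 26h). Only the bytes matter for the scan.
SAMPLE_COM = (
    b"\xba\x10\x01"        # mov dx, 0110h   (offset of banner, COM base 0100h)
    b"\xb4\x09"            # mov ah, 09h
    b"\xcd\x21"            # int 21h         (DOS print string)
    b"\xb8\x00\x00"        # mov ax, 0       (drive A:)
    b"\xcd\x26"            # int 26h         (absolute disk write)
    b"\xc3"                # ret
    + b"\x00" * 3
    + b"Directory Packer v1.0$"
)

if __name__ == "__main__":
    report = scan_com(SAMPLE_COM)
    for s in report["strings"]:
        print("string:", s)
    for w in report["warnings"]:
        print(w)
```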
A brave soul (or at least dedicated), I also run programs on my system before making them public in the Writers Group on Delphi. As might be expected, I've been burned. The FAT on my hard disk was trashed by a program that purported to be a "directory packer." After that, I also started using WPHD.COM, a nifty little utility that "write protects" your hard disk.

Now, of course, things are much better. Because of writing this book, I am receiving all sorts of virus protection and detection programs for review. I've taken to trying out all programs submitted or that I intend to upload to the Writers Group with a variety of these programs.

The recent programs in Writer's Software are probably the most thoroughly checked programs on any of the networks (grin). This does not mean a virus-infected program will never slip in, just that it's much more difficult now than it used to be.
Mike Riemer: Providing a Firm Foundation

FoundationWare's Mike Riemer is enthusiastic about his company's products (both the products and Mike himself have good reputations in the field). FoundationWare takes a somewhat different approach to fighting viruses.

"We do FAT table backup like PC Tools and Mace," Mike said, describing FoundationWare's programs. "We do FAT table recovery, we do low-level partition check and recovery, battery cellular recovery for AT&T. In that vein, we compete with people like Norton and Mace and we do it all automatically.

"We also provide what's called user control, which is a 600-byte memory resident program that prevents anything getting into memory that hasn't been approved to get there. So, with that a system manager can control what software is being run on a system.

"In addition to all that, we do a direct disk I/O monitor to make sure a bomb doesn't go off or someone doesn't accidentally format the hard disk. Generally, most of our competitors do one or two of those things. We have eight modules now, all in the same package. They are optional and have different switches to turn them on or off, and can be regulated for specific security levels.

"Generally, people like to hear the philosophy behind a product. Ours is if you are going to deal with the consumer, especially MIS people (Management Information Systems), you have to provide them with tools which are useful in their environment. Give them control.

"The major problem inside of corporations, excluding the end user for a second, is the fact that people just bring in software that they are not supposed to. With our program, they can't do that. Nothing but nothing that hasn't been approved will run.

"A funny thing. Hal Highland came up to us at an Expo. He had six or eight viruses in his briefcase. He kept sticking in one after another and trying to run it. Obviously none of them were approved to run and wouldn't. We got a pretty good chuckle out of it.

"We're coming out with what we call 'blue disk' technology. We have the ability with our user interface to create external databases, so we made signature checks of a couple of the largest public domain and shareware libraries in the world and put them on a disk. So if you download a program, you can check it against your Blue Disk, which is a floppy disk, and see whether that version you just downloaded is one of the ones approved as being virus-free."
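Both "signature" ideas in this chapter, Glath's "inoculation" (mark key files and periodically check whether they have changed) and Riemer's Blue Disk (a database of signatures for approved library programs that a download is checked against), reduce to the same mechanism: fingerprint files and compare. The following is an added example, not either company's code; it uses SHA-256 as the fingerprint (the 1988 products' own signature methods are not described here), and all file names, contents and the approved-library entry are constructed.

```python
"""File-signature baseline ("inoculation") check and known-good lookup.

Added example, not RG Software's or FoundationWare's code. It implements the
two signature ideas quoted in this chapter: marking key files and periodically
rechecking them for change, and checking a downloaded file against a database
of fingerprints for approved library programs (the 'Blue Disk'). SHA-256 is
used as the fingerprint; the 1988 products' own signature methods are not
described here. File names and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

KEY_FILE_PATTERNS = ("*.COM", "*.EXE", "*.SYS", "*.BAT")


def fingerprint(path: Path) -> str:
    """SHA-256 over the file's bytes, read in chunks so large files work."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inoculate(root: Path) -> Dict[str, str]:
    """Baseline: relative POSIX-style path -> fingerprint for each key file."""
    base: Dict[str, str] = {}
    for pattern in KEY_FILE_PATTERNS:
        for p in sorted(root.rglob(pattern)):
            base[p.relative_to(root).as_posix()] = fingerprint(p)
    return base


def check(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the disk against a saved baseline. 'modified' is the
    virus-relevant class: an executable whose bytes changed with no install."""
    current = inoculate(root)
    return {
        "modified": sorted(n for n in baseline
                           if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }


def blue_disk_lookup(path: Path, approved: Dict[str, List[str]]) -> Optional[str]:
    """Return the library entry a file's fingerprint is approved under, or
    None when this exact version is not in the approved database."""
    fp = fingerprint(path)
    for entry, fps in approved.items():
        if fp in fps:
            return entry
    return None


def demo(tmp: Optional[Path] = None) -> dict:
    """Constructed scenario: inoculate, then simulate a file infector and a
    download check. Results are returned rather than printed."""
    if tmp is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d))
    (tmp / "DOS").mkdir()
    command_com = tmp / "DOS" / "COMMAND.COM"
    command_com.write_bytes(b"\xb8\x00\x4c\xcd\x21" + b"\x00" * 64)
    (tmp / "AUTOEXEC.BAT").write_text("@ECHO OFF\r\nPATH C:\\DOS\r\n")
    baseline = inoculate(tmp)
    # The baseline belongs on write-protected media; here it is just a file.
    (tmp / "baseline.json").write_text(json.dumps(baseline))

    # Simulate a file infector appending code to COMMAND.COM.
    command_com.write_bytes(command_com.read_bytes() + b"\xeb\xfe")
    # A fresh download, checked against the approved-library database.
    (tmp / "DOWNLOAD").mkdir()
    download = tmp / "DOWNLOAD" / "LIST.COM"
    download.write_bytes(b"LIST v6.0$")
    approved = {"example library: LIST 6.0":
                [hashlib.sha256(b"LIST v6.0$").hexdigest()]}

    saved = json.loads((tmp / "baseline.json").read_text())
    return {"report": check(tmp, saved),
            "download_entry": blue_disk_lookup(download, approved)}


if __name__ == "__main__":
    print(demo())
```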
Mike Riemer and FoundationWare may be contacted at 2135 Renrock Rd., Cleveland, OH 44118, phone 1-800-722-8737.

More Experts than Room

There are several other people whose comments we wanted to add to this chapter, but lack of space prevents it. Ron Benvenisti at Worldwide Data was especially helpful, as was Dennis Director at Director Technologies, Larry DiMartin of Computer Integrity Corporation, Pam Kane and her fabulous Dr. Panda, and many others.

One of the few really reassuring things about the computer virus problem is the high caliber of the people fighting viral infection. How can the sickies prevail when all the good guys and gals are on the side of right and might?
6
CORPORATE INITIATIVES FOR PC DATA SECURITY

Pamela Kane
President, Panda Systems

The strength of a chain is its weakest link.
Old Proverb

Pam Kane's Panda Systems has been featured on the front page of The Wall Street Journal (June 17, 1988) and included in several of the major computer magazines. Dr. Panda utilities are one of the most highly rated virus-fighting systems currently available. "His round, soft and furry exterior," writes Hal Nieburg about Dr. Panda in the June Computer Shopper (page 316), "is deceiving. Inside is a set of three utilities that contain the heart of a tiger, the unrelenting persistence of an Inspector Hercule Poirot, and the savvy and skill of a James Bond . . ." Panda Systems also develops custom installation programs and additional security and data protection utilities for sensitive operations.
81
Chapter 6<br />
Destructive code, whether virus, worm, Trojan Horse or a<br />
combination, seems to have proliferated in a constant and direct<br />
ratio to the number of personal <strong>computer</strong>s in use. IBM<strong>'s</strong><br />
original estimate of PC sales was less than one-half million; no<br />
one could envision in 1980 that the personal <strong>computer</strong> would<br />
become a standard tool of corporate America in a few short<br />
years.<br />
Had the architects of the PC been able to see the future,<br />
the operating system might have included many of the security<br />
safeguards standard on the larger <strong>computer</strong>s targeted for corporate<br />
use. On the other hand, if the PC operating system had<br />
been more sophisticated and arcane, PC acceptance and growth<br />
could have been sharply limited by the increased difficulty of use.<br />
An Achilles Heel<br />
The best example of DOS<strong>'s</strong> elementary nature is the FORMAT<br />
command. Any user able to type FORMAT can render an entire<br />
disk<strong>'s</strong> data unusable, at least temporarily. Fortunes have<br />
been made by utility software vendors who provide "fixes" for<br />
the "holes" in DOS. Countless corporate overhead hours have<br />
been expended in developing end-user interfaces that minimize<br />
the possibility of inadvertent data destruction. It is the very<br />
simplicity of the PC<strong>'s</strong> operating system that creates the<br />
environment where <strong>viruses</strong> can grow.<br />
Just as the simplicity of DOS allows the easy incursion of<br />
destructive code, it provides for simple and inexpensive methods<br />
to prevent data destruction. Further, executable programs<br />
for personal <strong>computer</strong>s, whether commercial or proprietary,<br />
may be replaced rapidly, allowing security techniques to focus<br />
on data and work product.<br />
Practically and pragmatically, <strong>viruses</strong> are a fact of life in<br />
the late 1980s; they will continue to be spread, innocently for<br />
the most part, and responsible users and managers will take<br />
positive steps to prevent data loss from destructive code just as<br />
from any other source.<br />
Experience tells us that the possibility of data loss due to<br />
destructive programs can reasonably be compared to the possibility<br />
of data loss due to power reductions or f<strong>ai</strong>lures. Just as<br />
a surge protector is an essential part of a PC<strong>'s</strong> hardware<br />
82
Corporate Initiatives for PC Data Security<br />
configuration, data protection procedures and utilities should<br />
be an essential part of system software configurations.<br />
Looking back to the early days of the IBM PC-AT, another<br />
example is worth pointing out: Careful users and managers<br />
planned for when the drive would crash and spent no time at<br />
all on if.<br />
Areas of Concern in Corporate Security<br />
The three areas corporate security managers must consider in<br />
developing policies and procedures and the selection of data<br />
protection software are Risk Assessment and Management,<br />
Cost/Benefit Analyses, and Human Resources.<br />
Risk assessment can involve lengthy and convoluted studies,<br />
particularly difficult when data loss or destruction for any<br />
reason is a taboo subject for publication in the corporate world.<br />
Using the example above, managers who choose not to include<br />
surge protectors in their installations are consciously taking an<br />
identifiable risk; failing to use antivirus procedures and software<br />
constitutes at least an equal risk.<br />
Cost/Benefit Analysis is more straightforward. The cost of<br />
returning a single PC to service following data destruction can<br />
be calculated by adding technical support time, loss of<br />
productivity, and the cost of data recovery or re-creation. The<br />
cost of security software programs may be calculated in a similar<br />
fashion: the cost of the software program itself with costs of<br />
installation, training, and user support added.<br />
Human Resources concerns are the most subtle and the<br />
most important. People costs far outweigh the costs of hardware<br />
or software in any organization. Training may be ineffective<br />
or confusing. Additional decision-making responsibility,<br />
particularly if the consequences of an error are great, is often<br />
unwelcome and stress-producing. Changes to the operation of a<br />
familiar system inevitably result in loss of productivity, if only<br />
for a brief time.<br />
The ideal antiviral security procedures and software, therefore,<br />
will be absolutely unseen to the user unless there is evidence<br />
of potential data destruction at the end user level. While<br />
the end users should be relatively uninvolved in data security<br />
on the software level, managers and power users must be provided<br />
with powerful tools to prevent data destruction and to<br />
recover lost work product.<br />
The ratio of end users to managers and technical support<br />
staff must also be considered in the development of security<br />
solutions and the associated budgeting. PC support departments<br />
are frequently understaffed and underbudgeted. Many<br />
companies rely on outside contractors for many services, often<br />
with a resulting lack of control or direction. These factors must<br />
also be given serious consideration in the planning process.<br />
Difficulty may be encountered by PC managers or security<br />
administrators in "selling" the cost of such programs to the<br />
department heads who will ultimately "pay the bill." It is a<br />
Catch-22 of corporate reality that, should disaster strike, these<br />
same department heads will take the PC staff to task for failing<br />
to provide adequate security.<br />
Prevention Techniques<br />
Common sense, DOS functions, and standard commercial utilities<br />
will enable managers to begin a security program for safe<br />
computing and to perform some of the basic functions of antivirus<br />
utilities. The following activities and functions can be extremely<br />
effective:<br />
1. Add the CHKDSK command to AUTOEXEC.BAT. If the<br />
number of hidden files or disk space available changes, find<br />
the reason before using the system.<br />
2. Prepare a "clean model" disk containing at least<br />
COMMAND.COM, IBM/MS DOS, IBMBIO/MSIO. Add<br />
other target files a virus writer might predict to be on a<br />
disk such as CONFIG.SYS, AUTOEXEC.BAT or 123.EXE.<br />
Write-protect the disk. Write a batch file using the DOS<br />
COMP command to check the selected files for changes or<br />
include the COMP function in AUTOEXEC.BAT. If a file<br />
has been changed, assume it's corrupted. Replace the file<br />
with a clean version. Do not assume the virus has<br />
disappeared.<br />
3. Write batch files for COPY and FORMAT functions that<br />
include a CHKDSK on the target disk after the DOS operation.<br />
A system disk with a label will show three hidden<br />
files, DOS, BIO/IO and the label. If additional hidden files<br />
are present, a virus may have been passed. Note: some copy-protected<br />
programs install hidden files.<br />
4. Change the attributes of system or predictable files to Read<br />
Only using the DOS ATTRIB command or a utility.<br />
5. Maintain an up-to-date hardcopy of your directories and<br />
their contents. TREE > LPT1 prints the directory structure.<br />
DIR > LPT1 for each subdirectory prints complete information<br />
about a directory's contents. Watch for unexplainable<br />
changes in file size or addition of new files.<br />
6. Use only software from reliable sources. If using public<br />
domain/shareware/freeware, contact the writer/distributor<br />
to compare file date and file size before using. If the<br />
share/freeware does not include a contact address or telephone<br />
number, do not use it. Say no to "borrowware."<br />
7. Begin the habit of clean boot operating system use before<br />
detection activities. Prepare a clean boot ["CB"] disk by<br />
turning off the PC, inserting an original DOS disk in A:<br />
and turning the power on. Type DISKCOPY A: A: and follow<br />
screen prompts. Use the write-protected duplicate as a<br />
clean boot disk.<br />
8. Before copying data from a floppy to hard drive, cold boot<br />
and use CHKDSK to look for any hidden files. If hidden<br />
files other than the DOS LABEL 0-byte file are present, do<br />
not copy the data.<br />
9. Always reFORMAT used floppies. A format from C: followed<br />
by cold boot and CHKDSK may detect a virus but<br />
produce a bad disk. For a cleaner result, format all disks<br />
after a cold boot.<br />
10. Always download data to a floppy disk and look for hidden<br />
files on the floppy with CHKDSK. Run communications<br />
and .ARC programs from floppies after a cold boot.<br />
11. Use a utility program to sort each subdirectory by date and<br />
time. Any date before 01/01/80 is a certain warning. Dates<br />
in the future should be carefully checked. Look for 00 in<br />
dates and times and any time greater than 23:59:59.<br />
12. Sort on file size. Be alert for unusually large or 0-byte files.<br />
Compare file sizes with your hardcopy. Any change in<br />
.COM, .EXE, .BAT, or .SYS files should raise a warning<br />
flag.<br />
13. Sort on file name. If a program is called by .EXE (123 for<br />
example) and a file with the same name and the extension<br />
.COM is present, this spells serious trouble. The .COM file<br />
executes first in the DOS hierarchy. Look for filenames that<br />
seem odd according to your naming conventions.<br />
14. Another sort, this time on extension. You might not pick<br />
up DBASE.EVL or a file in the 123 subdirectory with<br />
.WK8 as an extension the first time through.<br />
15. Remove suspicious files with a utility to WIPE them. Do<br />
not use the DOS DEL function that merely replaces the<br />
first letter of the filename so it won't show on a DIR. The<br />
file remains in place until written over.<br />
16. Evaluate the risk factor for an individual system or installation.<br />
Any access of external data from disk, network, or<br />
modem entails risk.<br />
17. Develop procedures and utilities that oversee or limit transfer<br />
of data among PCs. Network with other users for ideas<br />
and solutions.<br />
18. Understand the meaning and operation of virus, worm, and<br />
Trojan Horse programs. The seeding of a virus from one<br />
system to another is a separate event from the operation of<br />
any destructive code the virus may implant. Worms wait<br />
for a signal such as a specific date or "x" numbers of access<br />
of "Y.EXE" to execute. Trojan Horse programs execute<br />
with the first access.<br />
The above procedures, though based in sound practice, are<br />
time and effort intensive and, therefore, appropriate only for<br />
managers and the small group of experienced PC professionals<br />
in any organizational group. The large time requirement and<br />
the low security level achieved must be balanced against<br />
commercial utility products.<br />
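A modern reconstruction of the checks in items 2 and 11 through 13 of the list above, added here as an example; it is not code from the book. A DIR listing is modelled as constructed records with the raw FAT date and time fields kept separate (so that impossible values can be represented), a SHA-256 digest stands in for the byte-by-byte COMP against the write-protected clean model disk, and the listing heuristics flag dates before 01/01/80, a zero month or day, times past 23:59:59, future dates, 0-byte files, a .COM sitting beside a .EXE of the same name, and .COM/.EXE/.BAT/.SYS sizes that differ from the printed hardcopy. Every file name, size and content in it is constructed sample data.<br />

```python
"""Reconstruction of the manual checks in the prevention list (items 2 and
11-13).  Added example, not code from the book; all sample data is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Entry:
    """One line of a DIR listing.  The raw FAT date/time fields are kept
    separate so that impossible values (month 0, hour 25) can be represented."""
    name: str
    size: int
    year: int
    month: int
    day: int
    hour: int
    minute: int
    second: int


PREDICTABLE_EXT = {"COM", "EXE", "BAT", "SYS"}  # the extensions item 12 singles out


def digest(content: bytes) -> str:
    """Offline stand-in for DOS COMP: two files match iff their digests match."""
    return hashlib.sha256(content).hexdigest()


def compare_to_clean_model(clean_model: dict, current: dict) -> list:
    """Item 2: check every file kept on the write-protected clean model disk
    against the copy found on the working system.  Any difference means
    'assume corrupted'; the file is to be replaced from the clean disk."""
    findings = []
    for name, good in clean_model.items():
        now = current.get(name)
        if now is None:
            findings.append(f"{name}: missing from system")
        elif digest(now) != digest(good):
            findings.append(f"{name}: differs from clean model; replace it")
    return findings


def timestamp_warnings(e: Entry, today: tuple) -> list:
    """Item 11: FAT timestamps begin at 01/01/80; an earlier date, a zero
    month or day (our reading of '00 in dates'), or a time past 23:59:59
    cannot come from a normal DOS write.  Future dates get a second look."""
    reasons = []
    if e.year < 1980:
        reasons.append("date before 01/01/80")
    if e.month == 0 or e.day == 0:
        reasons.append("00 in date")
    if e.hour > 23 or e.minute > 59 or e.second > 59:
        reasons.append("time greater than 23:59:59")
    if (e.year, e.month, e.day) > today:
        reasons.append("date in the future")
    return reasons


def listing_warnings(entries: list, hardcopy_sizes: dict, today: tuple = (1988, 10, 1)) -> list:
    """Items 11-13 over a whole directory.  hardcopy_sizes is the printed DIR
    output kept as a baseline (upper-case name -> size)."""
    names = {e.name.upper() for e in entries}
    warnings = []
    for e in entries:
        upper = e.name.upper()
        base, dot, ext = upper.rpartition(".")
        if not dot:                      # no extension at all
            base, ext = upper, ""
        for reason in timestamp_warnings(e, today):
            warnings.append(f"{e.name}: {reason}")
        if e.size == 0:
            warnings.append(f"{e.name}: 0-byte file")
        # Item 13: given NAME.COM and NAME.EXE, DOS runs the .COM first, so a
        # stray .COM beside a known .EXE would be executed in its place.
        if ext == "COM" and f"{base}.EXE" in names:
            warnings.append(f"{e.name}: .COM shadows {base}.EXE")
        if ext in PREDICTABLE_EXT and upper in hardcopy_sizes and hardcopy_sizes[upper] != e.size:
            warnings.append(
                f"{e.name}: size changed from hardcopy ({hardcopy_sizes[upper]} -> {e.size})")
    return warnings


# Constructed sample data: file contents on the clean model disk and on the
# working PC, the sizes from an earlier printed DIR, and today's listing.
CLEAN_MODEL = {
    "COMMAND.COM": b"clean command interpreter image",
    "AUTOEXEC.BAT": b"@ECHO OFF\r\nCHKDSK\r\n",
}
ON_SYSTEM = {
    "COMMAND.COM": b"clean command interpreter image" + b"\x90" * 8,  # 8 bytes appended
    "AUTOEXEC.BAT": b"@ECHO OFF\r\nCHKDSK\r\n",
}
HARDCOPY_SIZES = {"COMMAND.COM": 31, "123.EXE": 146000, "CONFIG.SYS": 48}
LISTING = [
    Entry("COMMAND.COM", 39, 1987, 3, 17, 12, 0, 0),
    Entry("123.EXE", 146000, 1987, 3, 17, 12, 0, 0),
    Entry("123.COM", 1536, 1901, 0, 5, 25, 61, 0),   # stray .COM with an impossible stamp
    Entry("CONFIG.SYS", 48, 1987, 3, 17, 12, 0, 0),
    Entry("LETTER.TXT", 0, 1988, 9, 30, 8, 15, 2),
    Entry("README", 1200, 1989, 1, 1, 0, 0, 0),
]

if __name__ == "__main__":
    for line in compare_to_clean_model(CLEAN_MODEL, ON_SYSTEM) + listing_warnings(LISTING, HARDCOPY_SIZES):
        print("WARNING", line)
```

On the sample data the clean-model comparison reports only COMMAND.COM, which has grown by eight bytes, and the listing pass reports the same growth against the hardcopy, the stray 123.COM with its pre-1980 date, zero month and impossible time, the 0-byte LETTER.TXT and the future-dated README; 123.EXE and CONFIG.SYS pass clean.<br />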
Virus Detection and Protection Software<br />
According to the trade press, there are more than 100 antiviral<br />
software packages available, ranging in price from $10<br />
shareware to thousands of dollars when a CD-ROM approach<br />
is used. Evaluation of the various products and approaches can<br />
be costly and time-consuming once an initiative is identified.<br />
Virus detection programs or those that "inoculate" against<br />
particular "strains" of virus should be eliminated out of hand.<br />
It's impossible to conceive of a software program that can constantly<br />
be refreshed to counter the destructive code that just appeared<br />
yesterday. The cost involved in an almost constant<br />
update/upgrade situation is unacceptable for even the smallest<br />
installations.<br />
Programs that require significant training or decision-making<br />
at end user levels are also to be avoided. A $20 package<br />
that requires $200 per user in training is not a bargain.<br />
The ideal antivirus software for corporate use should be<br />
absolutely transparent to the user until potentially destructive<br />
activity is identified.<br />
If this sounds too easy, consider again the simplicity of<br />
PC/MS-DOS coupled with the goal of a virus: to place itself in<br />
as many places as possible as often as possible. There are only<br />
three required and therefore, absolutely predictable files on a<br />
PC. These are COMMAND.COM, DOS, and BIO/IO. Next in<br />
predictability are files with extensions .COM, .EXE, and .SYS.<br />
Antiviral software that constantly checks for changes to such<br />
files and looks for changes in the hidden file structure will<br />
identify most virus incursions, even before they can begin their<br />
dirty work.<br />
Should the presence of a virus not be identified, there are<br />
only four likely destructive activities, thanks again to the elementary<br />
nature of DOS. The four are: destruction of the boot<br />
sector, scrambling the initial bytes of the file allocation table, a<br />
logical format of any drive, or a virtual format of the default<br />
hard drive. By eliminating the possibility of any of these four<br />
events, antiviral software can provide an almost perfect foil for<br />
destructive programming.<br />
By logical extension, the presence of destructive code is<br />
identified at the same time that data loss is prevented.<br />
The "Yeah, but what if ..." contingent in any organization<br />
may be counted on to develop scenarios where such a basic<br />
software approach will be defeated or circumvented. Clearly, no<br />
software will be 100 percent foolproof, especially against intentional<br />
sabotage. The overriding goal must be to provide the<br />
highest security level at the lowest cost with the least intrusion.<br />
The port of entry for PC viruses should also be given careful<br />
consideration. Most destructive code is unwittingly brought<br />
into the workplace by computer literate employees. Employees<br />
who use home computers for both work and hobbies and<br />
employees seeking additional education in the computer field<br />
are the significant carriers. It would be unwise, to say nothing<br />
of unenforceable, to attempt to limit the external use of PCs by<br />
valuable employees.<br />
Other Protective and Recovery Measures<br />
Many companies are also attempting to ban the use of public<br />
domain and/or shareware programs on corporate machines.<br />
This is also a policy that is practically unenforceable. Every PC<br />
guru, whether a member of the technical support staff or a<br />
departmental local expert, has his or her own tool kit of favorite<br />
utilities.<br />
Many of the best utilities available and in use today are in<br />
the public domain and are freely shared among users. Power<br />
users are, at least by reputation, highly independent sorts and<br />
often have strong opinions on methodology. This, combined<br />
with the tradition of sharing information among PC users,<br />
would render such policies useless in practice. It's far better to<br />
institute "clean room" procedures for public domain programs.<br />
The increased employee involvement not only provides a<br />
significant benefit, but also a level of protection for possible<br />
licensing or copyright problems that might accrue to the<br />
company.<br />
The business that is truly committed to human relations<br />
concerns will also provide home PC users with antiviral software<br />
and utilities, thereby further involving the employee with<br />
the chosen positive solution.<br />
A written protocol should be developed for use by the<br />
technical support staff in case of a suspected virus attack. Such<br />
a document should include strong cautions not to construe any<br />
anomaly of operation as a virus situation without careful<br />
evaluation. It should also resist the temptation to reformat a<br />
hard drive immediately.<br />
The best procedure is to simply swap out either the CPU<br />
or hard drive of the PC in question so troubleshooting and<br />
evaluation can take place without a serious loss of productivity.<br />
If data backups are not available, data should be unloaded<br />
from the suspect PC using the DOS COPY command following<br />
a clean boot. Ideally, the replacement drive should be formatted<br />
and all standard applications software installed. If additional<br />
programs are required, they should be loaded from<br />
original disks, not copied from the questionable system.<br />
If a working virus is identified, immediate and stringent<br />
quarantine measures should be implemented as well as mounting<br />
a search for any and all disks that were in contact with<br />
the virus site. It's difficult to state any general rules for these<br />
measures as the "patient zero" PC could be a stand-alone<br />
workstation with negligible access to other machines or it could<br />
be a node on a 500-PC local area network. If the virus leaves<br />
an identifiable footprint such as a message hidden within<br />
COMMAND.COM or a hidden file, any hard drive or disk exposed<br />
to the infected PC should be examined.<br />
Commercial utilities that search for text strings ("@#$&<br />
YOU!") are readily available. Simple programs can also be<br />
written in assembly language and DOS DEBUG can be used to<br />
examine files.<br />
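An added illustration of the string-search approach just described (example code, written for this edition; it is not from the book or from any of the utilities it names). It pulls printable ASCII runs out of a program image the way a strings utility does, reports each run with its file offset so the surrounding bytes can be examined with DEBUG, and matches the runs against a watch list of known footprint messages. The sample image and the watch-list entry are constructed; the only real text in it is the "@#$& YOU!" string the paragraph above quotes.<br />

```python
"""Footprint search over a program image: printable-string extraction plus a
watch list.  Added example, not the book's code; sample data is constructed."""
import string

# Printable ASCII as DOS text would show it: letters, digits, punctuation and
# space, but not tab/newline/form-feed (those are not 'message' characters).
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, text) for every run of at least min_len printable
    bytes, like the Unix 'strings' utility.  The offset is what you would
    hand to DEBUG's D command to look at the surrounding bytes."""
    found = []
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


def scan_for_footprints(data: bytes, watch_list: list) -> list:
    """Match each extracted string against the watch list, case-insensitively.
    A hit is a reason to examine the file, not proof of infection: legitimate
    programs carry copyright notices, code names and other odd text."""
    hits = []
    for offset, text in printable_strings(data):
        for marker in watch_list:
            if marker.lower() in text.lower():
                hits.append((marker, offset, text))
    return hits


def scan_file(path: str, watch_list: list) -> list:
    """Scan a file on disk, e.g. a suspect COMMAND.COM copied off after a clean boot."""
    with open(path, "rb") as fh:
        return scan_for_footprints(fh.read(), watch_list)


# Constructed sample image: an MZ-style header, some non-text bytes, a normal
# copyright notice, the taunt the text quotes, a few code bytes and a leftover
# project code name.  It is not a real program.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"  # offsets 0-13
    + bytes(range(32))                                    # offsets 14-45, control bytes
    + b"Copyright (C) 1987 Example Corp\x00"              # text at offset 46
    + b"@#$& YOU!\x00"                                    # text at offset 78
    + b"\xb8\x00\x4c\xcd\x21\x00"                         # mov ax,4C00h / int 21h
    + b"GERBIL.DOC\x00"                                   # text at offset 94
)
WATCH_LIST = ["@#$& YOU!"]  # footprint messages known from earlier incidents (constructed)

if __name__ == "__main__":
    for offset, text in printable_strings(SAMPLE_IMAGE):
        print(f"{offset:06X}  {text}")
    for marker, offset, text in scan_for_footprints(SAMPLE_IMAGE, WATCH_LIST):
        print(f"footprint {marker!r} at offset {offset:06X}: {text!r}")
```

Run against the sample, the extractor lists the copyright notice, the taunt and the code name with their offsets, and only the taunt matches the watch list; the other two strings are exactly the kind of harmless text that a search for "suspicious" words will also turn up, which is why a match should be examined rather than acted on.<br />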
Conclusions<br />
The search for virus code can be lengthy and exhausting; recovery<br />
of lost data may be impossible. Data files on infected machines<br />
should be transferred with the utmost care and carefully<br />
inspected for accuracy. Infected disks should be physically destroyed<br />
and infected hard drives reformatted using FDISK<br />
from a clean boot. (The virtual, rather than logical, format of a<br />
hard drive is essential to remove all traces of virus code.)<br />
Above all, don't trust to luck. Install viral-protection software<br />
and institute the procedures recommended above. Being<br />
safe is infinitely better than being sorry. If troubles persist, call<br />
a professional in the field of virus removal.<br />
7<br />
THE CASE OF THE GERBIL VIRUS THAT WASN'T<br />
Raymond M. Glath<br />
President, RG Software Systems, Inc.<br />
Imagination rules the world.<br />
Napoleon I (1769-1821)<br />
RG Software Systems is the manufacturer of the Disk<br />
Watcher "disaster prevention" utility, and PC Tracker,<br />
used by many large corporations to keep track of their personal<br />
computers. Ray Glath, its president, is a very<br />
knowledgeable virus fighter. We feel the amusing incident<br />
he relates below is exceptionally appropriate for this book.<br />
It was a quiet, pleasant Friday afternoon when we received the<br />
urgent call from the pastor of a small Pennsylvania church.<br />
Quite upset, he expressed his need to immediately purchase our<br />
antivirus product as he had lost a major section of his doctoral<br />
thesis, along with many other files, to the "Gerbil" virus.<br />
"All of a sudden, the word GERBIL appeared in the upper<br />
left corner of my screen; footprints were scattered all over the<br />
display and my system locked up," he exclaimed. "When I<br />
turned the system off and on again, my document was gone ...<br />
All that work lost." Upon questioning, the pastor stated that he<br />
had used nothing but legitimate, purchased, professional software<br />
other than a DOS update disk he had received from his<br />
dealer.<br />
Appalled at the thought of an innocent man of the cloth<br />
being attacked by an anonymous virus writer, we requested<br />
that he send us a copy of the disk he was using so we could attempt<br />
to track down this dastardly culprit.<br />
After many hours of painstaking analysis, we determined<br />
that his disk simply contained a normal DOS system, several<br />
programs, and nothing unusual. Further discussions with the<br />
good pastor led to the discovery that this problem only appeared<br />
when he was using a specific commercial word processor,<br />
and he had returned the package to the store where he<br />
bought it. "With your antivirus package installed, I've had no<br />
further problems," he said.<br />
Something just didn't sound right. We decided to purchase<br />
a copy of the package in question, and when we looked through<br />
the program code, lo and behold, there it was ...: "GERBIL.DOC",<br />
"GERBIL.2" and several other uses of the word GERBIL ...<br />
right there in the middle of this commercial package's program<br />
code!<br />
We immediately contacted the publisher of the word<br />
processing system to alert them to the fact that we found something<br />
suspicious in their package and were continuing to research<br />
the matter. They responded that they had no reports of<br />
problems of this nature and that the package had been on the<br />
market for six months in many installations.<br />
They did recognize the term GERBIL however, because<br />
that was the project Code Name while it was in development.<br />
Aha ... a clue.<br />
As it turns out, the GERBIL references were never removed<br />
from the production version of the system. Each word<br />
processing document begins with an internally used id record<br />
that starts off with-you guessed it-GERBIL.DOC.<br />
Additionally, this package allows you to bring program and<br />
other supporting files into the word processor as you would any<br />
other document.<br />
And guess what some of the files begin with? Right<br />
again-GERBIL.<br />
The Footprints?<br />
Well, they turned out to be the happy faces, spade, club, diamond,<br />
and other symbols you'll see when program code<br />
consisting of low-value ASCII characters appears on a display.<br />
(They sure looked like footprints to the pastor. He didn't know<br />
what else to call them.)<br />
In the meantime, fearful that he had been thoroughly infected<br />
by a virus and wanting to be sure that it would go no<br />
further, the pastor used his disk recovery utility to locate all<br />
occurrences of the word GERBIL on his disk, and he proceeded<br />
to erase all sectors that had the word GERBIL appearing.<br />
Now all his documents are unreadable; all his work is lost.<br />
Did he ever contact the word processing publisher for support<br />
on the problem? Yes. No one had any idea what he was<br />
talking about. He also contacted his computer dealer, the regional<br />
rep for the computer system he was using, and the store<br />
where he bought the word processing package. His efforts were<br />
all to no avail.<br />
Are there any lessons to be learned from this sad tale? You<br />
betcha!<br />
Lessons for Software Publishers<br />
Especially now that the concerns regarding viruses are high,<br />
let's start using less cute code names for projects. And when the<br />
project is complete and ready for commercial distribution, let's<br />
remove all references to the code name.<br />
For those products already on the market with cute or<br />
questionable terminology embedded, let the customer support<br />
personnel in on it so the end users can have their fears allayed<br />
without causing major heartache.<br />
Lessons for End Users<br />
Every unusual event does not a virus indicate.<br />
Make sure you have a static-free environment surrounding<br />
your computer.<br />
Immediately after encountering a strange event, make<br />
notes in as detailed a form as possible, regarding each step you<br />
performed in the few moments preceding the event. You'll<br />
need these to help the manufacturer's customer support personnel<br />
determine corrective actions for you. And you may have to<br />
repeat them several times. You should be prepared to answer<br />
questions such as these:<br />
What job were you running?<br />
Precisely what were you doing?<br />
What keys did you press?<br />
Did the power fail?<br />
Did the plug get pulled?<br />
What file were you working on?<br />
Have you had any recent hardware problems while<br />
running any job?<br />
Run the DOS CHKDSK program on the disk you were<br />
using. If the disk has been partially damaged by a power<br />
surge/drop/outage or static charge, you can encounter very<br />
strange results. If CHKDSK reports errors on a given disk,<br />
you'll need to check all the files from that disk to see if they're<br />
still intact.<br />
Check with the tech support group from the publisher of<br />
the product you were using. In addition to the above details,<br />
you should also be prepared to give them the names of any<br />
TSR software you were using at the time, a description of your<br />
hardware configuration, and your DOS version number.<br />
Finally, if you're concerned about your susceptibility to<br />
acquiring a virus, it may be helpful to install an antivirus program<br />
that could alert you to a possible virus problem.<br />
But, you've got to exercise care in the selection of such a<br />
program. One that's been thrown together quickly without regard<br />
to compatibility and false alarm issues can be more<br />
troublesome than an actual virus.<br />
8<br />
IBM PCs AND COMPATIBLES<br />
When most the world applauds you, most beware; 'tis often less<br />
a blessing than a snare.<br />
Rev. Edward Young (1683-1765)<br />
If those twisted and despicable few who concoct viruses have a<br />
favorite song, it is surely "Send in the Clones!"<br />
The standard that IBM set back in 1981 with the personal<br />
computer has resulted in millions of computers that all can run<br />
the same software. Inexpensive compatibles or clones of the<br />
IBM PC can be ordered from any of the myriad of computer<br />
magazines for prices in the $500 range.<br />
Thousands upon thousands upon thousands of public domain<br />
and shareware programs are available. The base of<br />
commercial programs is in the many tens of thousands. Businesses,<br />
schools, and individuals buy IBM or compatible<br />
computers because of these huge software resources.<br />
Overall-with apologies to the Mac people for pointing<br />
out what is, alas, true-the most important work is done on<br />
IBM and compatible machines. The reason is simple (and one<br />
which Apple keeps trying unsuccessfully to overcome): There<br />
are so many more business-oriented programs available for<br />
IBM personal computers and clones that a large corporation<br />
doesn't hesitate as to which personal computer to buy in<br />
quantities.<br />
As Ross Greenberg pointed out in Chapter 5, a corporation<br />
the size of General Electric, for example, might have a network<br />
of 40,000 PCs or more. This same propensity for choosing IBM<br />
compatibles applies to the majority of companies, institutions,<br />
and individuals who do serious work on a personal computer.<br />
Craig Zarley, Feature Editor for PC Week wrote (April 26,<br />
1988 issue, page 41): "PCs are the biggest capital asset at many<br />
companies."<br />
John Markoff, writing in The New York Times' "Business<br />
Day" (March 18, 1988, page 1) says " ... Companies will have<br />
to monitor the software on personal computers used in the<br />
workplace."<br />
Those of us who make a living with our computers have a<br />
big enough problem-our data integrity is exceptionally important.<br />
Companies, corporations, universities, and all the rest<br />
who use networks of personal computers have a problem that's<br />
directly proportional to the number of machines they have<br />
linked together. Each and every machine is a potential source<br />
of infection for the whole network!<br />
Those who might only use their PC for fun must also<br />
worry about viruses and the liability they incur. If you pass<br />
along a virus to someone else, even though it was inadvertent,<br />
you may wind up in court. In fact, one of the first cases of this<br />
type was filed with the United States District Court, District of<br />
New Mexico on August 12, 1988 at 10:34 a.m. The plaintiff is<br />
a computer bulletin board operator who contends that a Trojan<br />
horse program named BBSMON.COM was uploaded to his<br />
board by the individual whom the suit is against.<br />
The lawsuit was authorized against the defendant "pursuant<br />
to 18 U.S.C. sec. 2707 and providing for injunctive relief<br />
against unlawful access to stored electronic communications."<br />
For interested attorneys, jurisdiction was invoked "pursuant<br />
to 28 U.S.C., sec. 1331, 28 U.S.C., sec. 2001, 28 U.S.C., sec.<br />
2202. This action is instituted pursuant to 18 U.S.C., sec.<br />
2707." The initials U.S.C. stand for United States Code, the<br />
body of Federal laws.<br />
In other words, IBM personal computers and the hundreds<br />
of compatible brands present an exceptionally large, slow-moving<br />
target. Concocters of viruses simply can't miss.<br />
Whether you're an individual end user or involved with a<br />
larger network of personal computers, the virus-makers have<br />
painted a big bull's-eye on your back. It's not fair, but IBM and<br />
clones comprise the major virus battleground right now.<br />
The millions of PCs already in use are like a great fertile<br />
plain to computer viruses-much like the Fertile Crescent that<br />
gave rise to the world's first great civilizations: the Sumerians,<br />
Ur, the Babylonians, the Chaldeans, the Medes, and the Persians. As<br />
they learned the hard way, it's time to start putting walls<br />
around the villages.<br />
This does not mean to lock everyone out. In ancient days,<br />
doing so would have stifled trade. In today's Information Age,<br />
not being able to telecommunicate is stagnation and a foolish<br />
self-immobilization. So, as the Sumerians put gates in their<br />
village walls-letting the villages grow to cities through trade-we<br />
need to do the same thing.<br />
In blunt words, if you have an IBM or compatible personal<br />
computer, you need virus protection and detection. Not<br />
having this opens yourself to losing valuable data and to being<br />
legally liable for unwittingly spreading viruses to others.<br />
The remainder of this chapter gives a brief overview of a<br />
number of commercial, public domain, and shareware programs.<br />
This information will help you determine what programs<br />
are available and choose the best type of protection and<br />
detection for your IBM or compatible.<br />
Note: Shareware and public domain products are available<br />
from the computer networks such as Delphi and CompuServe,<br />
and from many local boards. To insure you get an uncontaminated<br />
product (infected virus detection software is obviously<br />
less than reliable), it's best to download the program from a<br />
computer network where you can be sure the program has been<br />
checked, or from the program author's personal board. For example,<br />
Ross Greenberg maintains a BBS in his office on which<br />
the latest clean version of Flu_Shot+ is available. So does<br />
Chuck Gilmore, author of Ficheck.<br />
Shareware, by the way, means you can obtain and try the<br />
program, and register it only if you decide it's of benefit on<br />
your system. This is an honor system-if you don't register,<br />
you are expected to stop using the product.<br />
Bombsqad<br />
Product BOMBSQAD.COM 1.3 (Bomb Squad)<br />
CHK4BOMB (Check for Bomb)<br />
Company Andy Hopkins<br />
26 Walnut Lane<br />
Swarthmore, PA 19081<br />
Type Freeware<br />
Available in IBMSW on CompuServe<br />
These two programs have been around for several years,<br />
coming about originally to fight Trojans, bombs, and worms.<br />
They are almost classics, and the price is certainly right.<br />
Bomb Squad (BOMBSQAD.COM), says Andy Hopkins, is<br />
not a game. It's a further attempt to prevent pranksters from<br />
destroying your data. The proliferation of the Trojan Horse<br />
type programs that purport to be games (but actually plant<br />
bombs in your system that format your hard disk or erase the<br />
disk directory) has prompted the writing of this program as<br />
well as CHK4BOMB.EXE, Check for Bomb.<br />
CHK4BOMB.EXE reads the program file from disk and<br />
attempts to spot dangerous code and suspicious messages, but<br />
since code is often a function of runtime memory situations, it<br />
could miss spotting the bombs. BOMBSQAD.COM is a program<br />
that intercepts calls to the BIOS code in ROM as a suspicious<br />
program is run, displays what is going to happen during<br />
the call, and asks if you want to continue. You can abort or<br />
continue as you see fit.<br />
"In the spirit of cooperation with fellow PC users and hoping<br />
to discourage those whose idea of a joke is destroying other<br />
people<strong>'s</strong> valuable data," writes Andy, "I encourage you to make<br />
copies of this program and documentation and give it to anyone<br />
who may be susceptible to these pranksters. Users who frequently<br />
download BBS programs of unknown origin may find<br />
BOMBSQAD particularly useful. Complete rights to the program<br />
itself, and the routines used in the program, however, rem<strong>ai</strong>n<br />
with the author, Andy Hopkins, through Swarthmore<br />
Software Systems."<br />
C-4<br />
Product C-4 Antiviral Shield<br />
Company InterPath<br />
4423 Cheeney Street<br />
Santa Clara, CA 95054<br />
(408) 988-3832<br />
Type Commercial<br />
$39.95<br />
IBM PCs and Compatibles<br />
Its manufacturer describes C-4 as running permanently in<br />
the background of your system. It monitors all system activity,<br />
including program loads, BIOS calls, interrupt requests and accesses<br />
to system and application files. The monitor checks for<br />
characteristic viral replication activity, such as attempts to<br />
write to executable programs or DOS system files; access to a<br />
disk's boot sector; attempted modification of COMMAND.COM;<br />
and other techniques that viruses typically use to reproduce<br />
themselves. C-4 also checks for activities that indicate a virus is<br />
active and attempting to destroy or corrupt the system. These<br />
activities include access to the system's file allocation table,<br />
low-level formats, and other low-level disk access requests.<br />
If a virus does enter your system, C-4 will identify the virus<br />
and prevent it from infecting any existing programs on<br />
your disks. It will freeze the virus and display a warning window,<br />
identifying the name of the offending program and the<br />
name of the file or disk area where it was attempting to replicate<br />
itself. Likewise, if your system was infected prior to<br />
installing C-4 and an existing virus attempts to activate, it will<br />
be frozen before it can cause harm, and you will be notified.<br />
Steve Gibson, writing in his "Tech Talk" column in<br />
InfoWorld (May 9, 1988), calls C-4 one of "The two most effective<br />
virus detection monitors available ..." (For the other one,<br />
see the description of Flu_Shot+ below.)<br />
Caware<br />
Product Caware<br />
Company Chuck Gilmore<br />
Gilmore Systems<br />
P.O. Box 3831<br />
Beverly Hills, CA 90212-0831<br />
Voice: (213) 275-8006 BBS: (213) 276-5263<br />
Type Shareware<br />
$10 registration fee<br />
Gilmore Systems offers a way in which you can allow your<br />
compiled Turbo C programs to check themselves for changes in<br />
their CRC or file size, thus detecting if a virus has modified<br />
them. Viruses have become a problem, altering *.EXE and<br />
*.COM files these days. Not just viruses, but hackers also modify<br />
shareware programs because they don't like looking at the<br />
opening screens.<br />
If you're a programmer using Turbo C, you now have a<br />
means of protection. You can make your programs aware of<br />
their own CRC and file size, the two most likely things to<br />
change in the event of a virus or hacker attack. aWARE.ARC,<br />
the archived file in which this system is distributed (available<br />
in CompuServe IBMSW and elsewhere), contains a README<br />
file, MAKAWARE.EXE (EXE initializer), EXAMPLE.C (sample<br />
source for using the checker), and six OBJs, one for each<br />
memory model, which you can link with your programs to offer you<br />
(or your program) security. This code offers protection that no<br />
external programs can offer.<br />
"At least now," said Chuck Gilmore, "nobody can accuse<br />
your program of containing a virus. Although nothing's perfect,<br />
I'm sure some hacker will come up with a way of defeating this<br />
code manually, but it would be extremely difficult for a virus<br />
to alter or defeat this code."<br />
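The self-check Caware gives a Turbo C program, modelled in Python as an added example (not Gilmore Systems' code): an initializer stamps the CRC and file size into a reserved slot after the build, and the program recomputes both at start-up. The slot marker, its layout and the function names are this example's assumptions.<br />

```python
"""Self-checking program image in the spirit of Caware. Added example, not
Gilmore Systems' code: slot layout, marker and function names are this
example's own. The "program" is a byte string that reserves a slot for its
expected CRC-32 and size; an initializer (the role MAKAWARE.EXE plays)
stamps the values in after the build, and the start-up check (the role of
the linked EXEAWAR?.OBJ) recomputes them. The slot's value bytes count as
zeros during the CRC, so writing the answer into the file does not change
the answer."""
import struct
import zlib

# Marker the initializer searches for (constructed for this example).
SLOT_MARKER = b"AWARE-SLOT"
VALUE_LEN = 8                       # CRC-32 (4 bytes) + file size (4 bytes)


def _slot_offset(image: bytes) -> int:
    """Offset of the reserved slot; raises if the image was not built with one."""
    offset = image.find(SLOT_MARKER)
    if offset < 0:
        raise ValueError("image has no self-check slot")
    return offset


def _image_crc(image: bytes, offset: int) -> int:
    """CRC-32 over the whole image with the slot's value bytes blanked out."""
    value_start = offset + len(SLOT_MARKER)
    crc = zlib.crc32(image[:value_start])
    crc = zlib.crc32(b"\x00" * VALUE_LEN, crc)        # stored values count as zeros
    return zlib.crc32(image[value_start + VALUE_LEN:], crc) & 0xFFFFFFFF


def initialize(image: bytes) -> bytes:
    """MAKAWARE step: return the image with its CRC and size stamped in."""
    offset = _slot_offset(image)
    stamp = struct.pack("<II", _image_crc(image, offset), len(image))
    value_start = offset + len(SLOT_MARKER)
    return image[:value_start] + stamp + image[value_start + VALUE_LEN:]


def self_check(image: bytes) -> bool:
    """Start-up step: True only if size and CRC still match the stamped values.
    A check that lives inside the file it guards can be re-stamped by someone
    who finds the slot (Gilmore's "defeating this code manually"); its job is
    to make a blind modification by a virus visible, not to resist an editor."""
    offset = _slot_offset(image)
    value_start = offset + len(SLOT_MARKER)
    stored_crc, stored_size = struct.unpack("<II", image[value_start:value_start + VALUE_LEN])
    if stored_size != len(image):                     # appended code changes the size
        return False
    return _image_crc(image, offset) == stored_crc


# Stand-in for a freshly linked program: header, padding, slot, code
# (constructed for this example).
SAMPLE_IMAGE = b"MZ" + b"\x90" * 40 + SLOT_MARKER + b"\x00" * VALUE_LEN + b"code segment"

if __name__ == "__main__":
    stamped = initialize(SAMPLE_IMAGE)
    print("fresh image passes:", self_check(stamped))
    print("appended code passes:", self_check(stamped + b"\xEB\xFE"))
    print("in-place patch passes:", self_check(b"ZM" + stamped[2:]))
```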
As with all shareware, try it first. If you like it, send<br />
Gilmore Systems $10. In return for your $10, they will send<br />
you the source code. You'll receive:<br />
EXEAWARE.C: source code needed to reproduce the<br />
EXEAWAR?.OBJ files.<br />
MAKAWARE.C: source code needed to reproduce the<br />
MAKAWARE.EXE file.<br />
If you register for $15 instead of $10, you get six months<br />
of full access to Gilmore's "Virus Info" BBS in addition to the<br />
source code (see the review of Ficheck for more information<br />
on the BBS; it's worthwhile). The "Virus Info" BBS deals<br />
strictly with the topic of computer viruses. You can download<br />
text, source, and programs all pertaining to computer virus<br />
prevention and detection. This is a great way to keep informed<br />
of the latest viruses going around.<br />
Checkup<br />
Product Checkup<br />
Company Richard B. Levin<br />
BBSoft<br />
9405 Bustleton Ave.<br />
P.O. Box 14546<br />
Philadelphia, PA 19115<br />
Lab: (215) 333-6922<br />
BBS: (215) 333-6923<br />
BBS: (215) 635-5226<br />
Type Shareware<br />
$5 registration fee<br />
Checkup is one of several excellent shareware answers to<br />
viral protection. Author Richard B. Levin describes the software's<br />
operation as being able to detect viral infections by<br />
comparing a target file's size, its incremental checksum, and its<br />
total checksum to previously stored baseline values. The program<br />
breaks the target filespec down to a series of randomly<br />
sized blocks of data. These data blocks may vary from one byte<br />
to near total file size. If the size of the file being checked is less<br />
than the block size selected, Checkup revises the block size<br />
downward. Checkup's dynamic block size allocation allows files<br />
as small as one byte to be accurately checked.<br />
Checkup scans and compares every byte of the target<br />
filespec on a block-by-block basis. If the recorded file size, any<br />
of the block checksum comparisons, or the checksum totals<br />
don't match, Checkup alerts the user that the target file has<br />
been altered and possibly infected.<br />
Checkup's incremental file checksum technique is preferable<br />
to simply adding the bytes in a file and comparing past<br />
and present checksum totals. Future viruses may be intelligent<br />
enough to calculate a host file's checksum total, pad their own<br />
code with dummy characters to maintain total checksum integrity,<br />
and then infect. Such viruses, says Levin, would defeat<br />
other checksum calculation programs, but not Checkup.<br />
"We believe it is impossible for a virus to maintain an accurate<br />
intra-block checksum. This is especially true when the<br />
checked block size varies from one byte to near the total file<br />
size; the method for calculating the checksum is unknown, and<br />
the results are encrypted."<br />
To survive Checkup's scrutiny, a virus would need to<br />
know the block size, exact calculation entry point, checksum<br />
calculation algorithm, and the encryption key Checkup used on<br />
the target filespec at initialization. The encroaching virus would<br />
then have the difficult (if not impossible) task of padding its<br />
own code with dummy characters, since the adjustments would<br />
have to occur every few hundred bytes. If a super-virus were<br />
able to achieve this high degree of adaptability, it would still be<br />
unable to operate in an internally scrambled condition.<br />
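Levin's argument, worked through as an added example (not BBSoft's code): block boundaries drawn from a secret seed and a keyed digest per block catch a change that leaves the file's size and its plain byte-sum total intact. The seeded block-size range and HMAC-SHA256 stand in for Checkup's undisclosed algorithm and encrypted results; all names here are this example's own.<br />

```python
"""Incremental, keyed block checksums in the manner Checkup describes. Added
example, not BBSoft's code: the block-size range, the seeded generator for
block boundaries and HMAC-SHA256 as the per-block checksum are this example's
choices. It shows the point made in the text: an additive total can be kept
constant by an intruder that rearranges or pads bytes, while a series of
secret-dependent block checksums cannot be reproduced without the secret."""
import hashlib
import hmac
import random


def byte_sum(data: bytes) -> int:
    """The weak scheme: add every byte, keep 16 bits."""
    return sum(data) & 0xFFFF


def block_sizes(seed: int, length: int, low: int = 1, high: int = 300) -> list:
    """Block lengths derived from a secret seed; they add up to `length`.
    When the file is shorter than the drawn size the block is shrunk to fit,
    as Checkup revises its block size downward for small files."""
    rng = random.Random(seed)
    sizes, remaining = [], length
    while remaining > 0:
        size = min(rng.randint(low, high), remaining)
        sizes.append(size)
        remaining -= size
    return sizes


def baseline(data: bytes, key: bytes, seed: int) -> dict:
    """Record the file size and a keyed digest of every block."""
    digests, pos = [], 0
    for size in block_sizes(seed, len(data)):
        digests.append(hmac.new(key, data[pos:pos + size], hashlib.sha256).digest())
        pos += size
    return {"size": len(data), "blocks": digests}


def verify(data: bytes, key: bytes, seed: int, base: dict) -> tuple:
    """Compare against a stored baseline; report which block first disagrees."""
    if len(data) != base["size"]:
        return False, "size changed"
    current = baseline(data, key, seed)
    for index, (old, new) in enumerate(zip(base["blocks"], current["blocks"])):
        if not hmac.compare_digest(old, new):
            return False, "block %d changed" % index
    return True, "ok"


def tamper_keeping_sum(data: bytes, i: int, j: int) -> bytes:
    """Swap two bytes: same length, same additive total, different content.
    Used only to show what the weak scheme misses."""
    out = bytearray(data)
    out[i], out[j] = out[j], out[i]
    return bytes(out)


# Constructed sample: a 1 KB "program" whose bytes cycle through 0..255,
# plus a per-installation key and seed (the values Checkup keeps secret).
SAMPLE = bytes(range(256)) * 4
KEY, SEED = b"per-installation secret", 20240601

if __name__ == "__main__":
    base = baseline(SAMPLE, KEY, SEED)
    changed = tamper_keeping_sum(SAMPLE, 10, 700)
    print("byte sums equal:", byte_sum(SAMPLE) == byte_sum(changed))
    print("keyed block check:", verify(changed, KEY, SEED, base))
```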
The latest version of Checkup is available for downloading<br />
on the BBSoft Support BBSs. Support is also available through<br />
the BBSoft Lab. Please leave a message on the answering machine<br />
if your call is not answered personally. Long distance<br />
calls will be returned after 6:00 p.m. EST, collect.<br />
Condom<br />
Product Condom (FCBIN.PAS version 1.01, June 1, 1988)<br />
Company Jim Murphy<br />
CompuServe ID 74030,2643<br />
Type Public Domain Freeware<br />
Dr. C. Everett Koop, the Surgeon General of the United<br />
States, addresses the problem of AIDS: "The only protection<br />
against the virus, short of total abstinence, is the use of a<br />
condom."<br />
Jim Murphy applies this same philosophy to his antiviral<br />
program, which he generously placed in the public domain.<br />
The program is distributed as a file named CONDOM.ARC,<br />
and is available in such places as Chuck Gilmore's Virus Info<br />
Palladium computer bulletin board (see the review of Ficheck<br />
for the telephone number). It includes the Turbo Pascal source<br />
code so you can see exactly what you're getting and recompile<br />
it if you want to be absolutely certain it's clean.<br />
"I first became aware of the existence of the software virus<br />
in magazine articles," Jim says in his documentation, "and I<br />
wondered what I could do to protect my computer from their<br />
insidious attack. The prime target was usually reported to be<br />
COMMAND.COM, although just about any program could be<br />
its target.<br />
"I reasoned that if I could compare COMMAND.COM<br />
against a known healthy copy, I could be sure that at least it had<br />
not been contaminated. I figured I would use FC.EXE (file compare)<br />
that came with MS-DOS, in my AUTOEXEC.BAT file to<br />
check COMMAND.COM each time I booted up, and if there<br />
was a difference, flag it so I could replace COMMAND.COM<br />
before any damage was done.<br />
"Let me regress for a minute. The demented individuals<br />
who write these viruses want to make sure it gets spread around,<br />
so they design them to work a few days, or a few boot ups after<br />
the virus installs itself. It is done this way to insure that the virus<br />
will be spread by formatting other disks, or looking at a<br />
directory in another drive that contains the program the virus<br />
installs itself in (usually COMMAND.COM). This being the<br />
case, you can most likely catch it when you boot up the computer<br />
for the next session. If it did its dirty work immediately, I<br />
would call it a Trojan horse problem, and that requires different<br />
techniques, although you could use some of those protection<br />
methods along with the one I am describing to get close to 100<br />
percent protection.<br />
"I wanted the boot up to be automatic, stopping only if<br />
COMMAND.COM was changed. Using FC.EXE would not<br />
work as it doesn't send an errorlevel code after it terminates, so<br />
I decided to write my own File Compare utility that would output<br />
an errorlevel code. I wanted it to be fast, and it would not<br />
have to show every byte that was different, just tell me that the<br />
two files were not identical. I could use FC.EXE later to get a<br />
complete report of the differences.<br />
"I called my program FCBIN.EXE (File Compare Binary);<br />
it is written in Turbo Pascal version 4.0 and it will compare any<br />
file, reporting all the general differences, such as Date and<br />
Length, and that the bytes did not compare. It also tells you at<br />
which byte the first difference occurred.<br />
"I decided to check all my files in the root directory as<br />
well by creating a subdirectory called ZROOT in which were<br />
placed uncontaminated copies of all the files in the root directory.<br />
The file copies were renamed for additional safety;<br />
COMMAND.COM is called CMD.BAK; CONFIG.SYS is<br />
called CFG.BAK, and so on.<br />
Cop<br />
Product Cop (Command Obfuscation Processor)<br />
Company Jack A. Orman<br />
Box 858<br />
Southaven, MS 38671<br />
Type Shareware<br />
$15 registration fee<br />
This program is used to encode a .COM program to make<br />
the data or programming techniques indecipherable. It will<br />
make hacking or modification of the program that much more<br />
difficult. This is not, the author points out, a surefire, guaranteed<br />
safeguard system, but is merely to keep the average programmer<br />
from tinkering with your code.<br />
"It is not foolproof," Jack Orman said, "and I'm sure that<br />
an expert programmer can break the system easily."<br />
Note: Only use COP.COM on copies of your programs,<br />
not the originals!<br />
To encode a .COM program, type in the following:<br />
COP [d:]filename code-phrase<br />
Cop will read the program and, by using the code-phrase,<br />
write a modified version back to the disk. The modified version<br />
is encoded and makes disassembling of the code quite<br />
difficult. Note that Cop writes over the original version of the<br />
file that's being processed. The Cop-modified program will still<br />
run from the DOS prompt and perform just as the original.<br />
Cop is available on a number of bulletin boards and the<br />
national networks. The Writers Group on Delphi has Cop and<br />
several of Jack Orman's other excellent shareware programs<br />
available for downloading. There is no charge for this service<br />
other than normal Delphi connect time.<br />
Data Physician<br />
Product Data Physician Software Protection System, including<br />
VirAlert<br />
Company Digital Dispatch, Inc.<br />
55 Lakeland Shores<br />
St. Paul, MN 55043<br />
(800) 221-8091<br />
(612) 436-1000 (in Minnesota)<br />
Type Commercial<br />
$199<br />
Data Physician is a set of programs designed to help protect<br />
your PC-DOS or MS-DOS computer system from software<br />
viruses and logic bombs. The programs consist of the following:<br />
Datamd. This is the main virus protection, detection, and<br />
removal program. It allows you to detect whether an unauthorized<br />
change has occurred in any file or system area on<br />
your disk, and also allows the removal of certain types of<br />
viruses.<br />
Padlock. Along with Disklock, provides an intelligent disk<br />
write-protect function. They intercept attempted writes to disk<br />
that a virus may use as it infects or attacks your system. They<br />
also provide protection against logic bombs that don't spread<br />
on their own, but can attack in much the same manner as a<br />
virus.<br />
Novirus. Works with the data created by Datamd and runs<br />
virus detection in background mode while you perform other<br />
tasks on your system. This can be helpful if you have many<br />
files to watch over, or if you want continuous security<br />
monitoring.<br />
Antigen. Allows virus protection to be installed directly on<br />
any executable program. Each time a protected program is run,<br />
it checks itself for tampering and is capable of removing certain<br />
types of viruses on its own. Antigen is useful when it's not<br />
practical to have Datamd or Novirus in operation, or where the<br />
protected program needs to be widely distributed and you want<br />
it to continue to be protected.<br />
VirAlert. A program (actually a device driver) that runs<br />
continually in the background to intercept changes to executable<br />
and operating system files (.EXE, .COM, and .SYS).<br />
VirAlert also watches for changes to the boot record, and any<br />
disk formatting attempts.<br />
Data Physician is a powerful, well-thought-out system with<br />
a lot of tools. The documentation is above average.<br />
Disk Defender<br />
Product Disk Defender<br />
Company Director Technologies, Inc.<br />
906 University Place<br />
Evanston, IL 60201<br />
(312) 491-2334<br />
Type Commercial (hardware)<br />
U.S. Patent #4,734,851<br />
$240<br />
"In the war on computer viruses, while everyone else is<br />
trying to perfect the bow and arrow, Director Technologies is<br />
manufacturing a tank! It's called Disk Defender."<br />
As we discussed early in this book, the MS-DOS system of<br />
file management is very vulnerable. Viruses succeed, in most<br />
cases, simply because hard disks and floppies are wide open to<br />
infiltration and destruction. The Disk Defender system of plug-in<br />
card and external control box rectifies this design deficiency<br />
of all IBM and compatible computers.<br />
Dennis Director, president of the company, points out that<br />
Disk Defender operates independently of any software, and cannot<br />
be circumvented by any software. It can be used with multiple<br />
operating systems on one disk, and will work regardless of<br />
networking configurations. Disconnect the control box and the<br />
zone protect is locked in for maximum data safety.<br />
Disk Defender automatically write-protects all or part of<br />
any fixed Winchester disk having an ST-506/412 standard<br />
interface. It does not affect the use of the second hard disk on<br />
two drive systems, but allows reading at all times.<br />
Activation is by an external control box, which can be<br />
placed anywhere up to five feet from the <strong>computer</strong> system. The<br />
operator activates protection by placing the switch on the face<br />
of the control box in the desired protection mode. Three status<br />
lights keep the operator advised on disk access, reading, and<br />
writing functions.<br />
The external control box can easily be removed if it's preferred<br />
that the operator not have access to the protected portion<br />
of the disk. Without the control box in place, the unit is in<br />
the Zone protect mode at all times, and no one can get access<br />
to the protected portion of the disk.<br />
"Software cures," Dennis Director said, speaking of the virus<br />
problem, "are not the answer. The destructive virus, itself,<br />
is a piece of software. Of course, software can be developed to<br />
neutralize a particular virus, but it will not stop other viruses.<br />
The creator of that virus has but to change one small part of<br />
the code for that virus to easily thwart the original software<br />
'cure.'"<br />
Hardware, he points out, affords 100 percent protection<br />
against all viruses because the PC needs a device that makes it<br />
impossible for write signals to reach the hard disk and corrupt<br />
its stored programs. Disk Defender is such a device, and lets<br />
you select all or a portion of the hard disk as a protected zone.<br />
The programs and data files to be protected are placed in this<br />
protected zone of the hard disk.<br />
Mr. Director said that IBM had even bought several of his<br />
units to protect its own large software library. Director Technologies<br />
is also working on a similar device for the Apple Macintosh<br />
series of computers.<br />
The company also publishes the Computer Virology newsletter,<br />
which is offered free. Contact the above address for more<br />
information.<br />
Disk Watcher<br />
Product Disk Watcher<br />
Company Raymond M. Glath<br />
RG Software Systems<br />
2300 Computer Avenue<br />
Willow Grove, PA 19090<br />
(215) 659-5300<br />
Type Commercial<br />
$99.95<br />
Disk Watcher is more than just another viral protection<br />
program; it's also disaster prevention software.<br />
First, of course, it provides multiple lines of defense<br />
against viruses. Here's how the system of programs included in<br />
the Disk Watcher package handles viral protection.<br />
The first program automatically checks all active disk<br />
drives and the computer's RAM for the presence of certain hidden<br />
virus characteristics when the computer is started. This<br />
program can also be run on demand at any time to check the<br />
disk in a specific drive.<br />
Disk Watcher, itself, is a TSR program that, when installed,<br />
monitors ongoing disk activity throughout all processing with a<br />
series of proprietary algorithms that detect the behavior<br />
characteristics of a myriad of virus programs. Despite this, the<br />
product uses minimal overhead in processing time and false<br />
alarm reports.<br />
Disk Watcher has the unique ability to differentiate between<br />
legitimate I/O activity and the I/O activity of a virus<br />
program. When an action occurs indicative of a virus attempting<br />
to reproduce itself, alter another program, set itself up to be<br />
automatically run the next time the system is started, or attempting<br />
to perform a massively damaging act, Disk Watcher will<br />
pop up. You will then have several options, one of which is to<br />
immediately stop the computer before any damage can be done.<br />
Whenever the "Stop the computer" option is selected, both<br />
the application program screen image and Disk Watcher's<br />
screen image will be automatically sent to the system printer<br />
before the machine is stopped. This helps in performing an<br />
effective analysis of the problem.<br />
Disk Watcher also protects against certain other mishaps<br />
such as accidentally or carelessly losing valuable data, or just<br />
time- and paper-wasting actions such as unintentionally hitting<br />
Shift-PrtSc.<br />
The program also protects against a full disk error message,<br />
accidental format of a hard disk, the printer not being ready,<br />
and the system date and time not being set (or the battery in<br />
the clock expiring). Numerous file and disk management tasks<br />
are also added, all for an expenditure of about 40K of RAM<br />
(the program is a TSR). Disk Watcher works on IBM PCs,<br />
ATs, PS/2s, and compatibles.<br />
It is also a very well-behaved program, being able to coexist<br />
with a variety of other TSRs without causing lockups (a<br />
condition not true of products tested from several other<br />
companies). Disk Watcher is a viral protection system (and<br />
more) that you should take a serious look at.<br />
Dr. Panda<br />
Product Dr. Panda Utilities<br />
Company Pam Kane<br />
Panda Systems<br />
801 Wilson Road<br />
Wilmington, DE 19803<br />
(302) 764-4722<br />
Type Commercial<br />
$79.95<br />
Panda Systems and their virus-fighting software offer the<br />
viral detection and protection package described below. Their<br />
system is one of the highest rated for effectiveness.<br />
The Dr. Panda Utilities detect virus, worm and Trojan<br />
horse programs. Dr. Panda is a three-part software approach<br />
that should be used in conjunction with sound management<br />
practices.<br />
Physical, the virus detection utility, compares essential system<br />
files and user-selected files against a unique installation<br />
record. The system status is reported onscreen each time Physical<br />
is run. If a file has been changed, the filename is displayed<br />
onscreen. Any change in a system file, *.SYS, *.COM, *.EXE,<br />
*.OVL or other program file may indicate a virus. Physical also<br />
reports the name and location of all hidden files on a disk at<br />
each operation.<br />
Labtest displays the hidden ASCII strings of a selected file<br />
after reporting warning messages for calls bypassing DOS.<br />
Through the function key interface, the user may scroll through<br />
the file onscreen, perform basic editing functions, and direct<br />
output to a file or printer. Help screens assist in identifying and<br />
analyzing potentially destructive code.<br />
Monitor automatically intercepts disk operation calls that<br />
request a format of any drive or writes to the File Allocation<br />
Table of C: (or the first designated hard drive). The user may<br />
also select additional disk operations for checking (Read, Write,<br />
Verify) at installation. Control of a program passes to the keyboard<br />
at each interrupt with a Proceed/Bypass option. Monitor<br />
is particularly effective against Trojan horse programs that destroy<br />
data immediately as part of their operation.<br />
The utilities provide a basic security system for PC/MS<br />
DOS microcomputers. Viruses in computers, as in their users,<br />
come from contact.<br />
Panda Systems recommends the following: Any system<br />
that ever accesses external data is at risk. To practice safe<br />
computing, never use an unknown program without checking it<br />
first. Using the Dr. Panda Utilities from the original Dr. Panda<br />
disk will check a PC's files for any changes (destructive or benign)<br />
and allow evaluation of any file for potentially harmful<br />
operations. The responsibility for good computing practices depends<br />
upon computer users and managers. Panda Systems'<br />
consulting and technical staff are available to assist in troubleshooting<br />
advanced processes and development of security policies<br />
and procedures.<br />
Ficheck<br />
Product Ficheck 4.0<br />
Company Chuck Gilmore<br />
Gilmore Systems<br />
P.O. Box 3831<br />
Beverly Hills, CA 90212-0831<br />
Voice: (213) 275-8006 BBS: (213) 276-5263<br />
Type Shareware<br />
$15 registration fee<br />
Ficheck is one of several effective shareware virus protection<br />
programs. Don't let their low price scare you off; some of<br />
these programs are worth far more than the low registration<br />
fees. This one, for example, is but a mere $15. Below is a<br />
description of how Ficheck works, as explained in the documentation<br />
that comes with version 4.0.<br />
There are some viral-fighting programs available such as<br />
Flu_Shot+, and versions of Vaccine. These programs attempt<br />
to block viruses from doing things that viruses typically do.<br />
They attempt to block any altering of COMMAND.COM or<br />
your other operating system's system files. They try to alert you<br />
to low-level disk writing. These programs look for other things<br />
as well, but may slow your system down as a result. Some require<br />
you to make lists of approved programs and TSRs. The<br />
problem with these programs is that they're running on your<br />
system, which may contain a virus that looks for these particular<br />
programs and renders them inactive or makes them think<br />
everything's okay while they do their dirty work.<br />
Ficheck is a program that differs from vaccine-type programs<br />
and other programs that attempt to find, block, or alert<br />
you to viruses. Ficheck does none of these things. As a matter<br />
of fact, Ficheck can't even be run from your fixed disk! Ficheck<br />
is a preventive medicine program that takes an "x-ray" of your<br />
entire fixed disk(s) and logs it to a file. Ficheck logs the date,<br />
time, size, attribute, and CRC (Cyclic Redundancy Check) of<br />
every file on your fixed disk(s). It looks for differences in all<br />
these things whenever you decide to run it again and alerts you<br />
to any changes. Any changes potentially mean a virus is at<br />
work. Viruses have to alter files in some way in order to spread<br />
themselves.<br />
Ficheck should not be placed on your fixed disk; it will<br />
only run from a floppy, and furthermore, it won't even run<br />
from a floppy unless you boot DOS from a floppy.<br />
Why all the hassle of booting from and running from a<br />
floppy? It's simple.<br />
If you boot from a fixed disk, you may boot from an infected<br />
copy of your operating system, start an infected TSR,<br />
have an infected device driver, or run an infected program. If<br />
you boot from floppy, you don't give the viruses on your fixed<br />
disk a chance to become active. Therefore, the first thing you<br />
should do to prepare for using the Ficheck program is:<br />
1. Boot DOS from your original distribution disk.<br />
2. Format a bootable floppy (not the distribution disk); use the<br />
command FORMAT A:/S<br />
3. Copy FICHECK.EXE to the newly formatted disk.<br />
4. Diskcopy this new disk for as many fixed disk drives or logical<br />
drives as you have on your system and label each one for a<br />
specific drive.<br />
Ficheck searches all file attributes. Once processing has<br />
started, Ficheck starts a timer and when processing finishes,<br />
Ficheck prints how long it ran. On computers running at 4.77<br />
MHz such as the original IBM XTs, Ficheck may take a while<br />
to complete its job. On computers such as the IBM PS/2<br />
Model 80 running at 20 MHz, Ficheck flies right through.<br />
Gilmore Systems has incorporated fast algorithms so Ficheck<br />
will run through your system as fast as possible.<br />
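The x-ray-and-compare routine described above, written in Python as an added example (not Gilmore Systems' Ficheck): it logs date, size, attributes and CRC of every file under a directory, stores the log, and on the next run reports changed, new and deleted files with the fields that differ. The log format, the sample tree and the function names are this example's own.<br />

```python
"""A disk "x-ray" of the kind Ficheck takes. Added example, not Gilmore
Systems' code: the log format, the field set (date, size, attributes, CRC-32)
and the function names are this example's own. It walks a directory tree,
logs one line per file, and compares a later snapshot against the stored log.
Like Ficheck it does not judge why a file changed; every difference is reported."""
import os
import stat
import tempfile
import zlib
from pathlib import Path

FIELDS = ("date", "size", "attributes", "CRC")


def crc32_file(path: Path) -> int:
    """CRC-32 of a file's contents, read in chunks so large files are fine."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def snapshot(root: Path) -> dict:
    """Map each file's path relative to root to (mtime, size, mode bits, CRC)."""
    log = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            st = path.stat()
            log[str(path.relative_to(root))] = (
                int(st.st_mtime), st.st_size, stat.S_IMODE(st.st_mode), crc32_file(path))
    return log


def write_log(log: dict, path: Path) -> None:
    """One tab-separated line per file. Keep the log (and the checker) on
    write-protected removable media, never on the disk it describes."""
    lines = ["%s\t%d\t%d\t%o\t%08X" % (rel, *values) for rel, values in sorted(log.items())]
    path.write_text("\n".join(lines) + "\n", encoding="utf-8")


def read_log(path: Path) -> dict:
    """Inverse of write_log."""
    log = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        rel, mtime, size, mode, crc = line.split("\t")
        log[rel] = (int(mtime), int(size), int(mode, 8), int(crc, 16))
    return log


def compare(old: dict, new: dict) -> list:
    """Findings as strings: 'CHANGED <file>: <fields>', 'NEW <file>', 'DELETED <file>'."""
    findings = []
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            findings.append("DELETED " + rel)
        elif rel not in old:
            findings.append("NEW " + rel)
        else:
            differing = [f for f, a, b in zip(FIELDS, old[rel], new[rel]) if a != b]
            if differing:
                findings.append("CHANGED %s: %s" % (rel, ", ".join(differing)))
    return findings


def run_demo() -> list:
    """Constructed scenario: snapshot a small tree, then overwrite one file
    without changing its size and put its timestamp back, add a file, delete
    a file, and return what the comparison reports. Only the CRC exposes the
    first change, which is why Ficheck records it alongside date and size."""
    root = Path(tempfile.mkdtemp(prefix="xray-disk-"))
    logdir = Path(tempfile.mkdtemp(prefix="xray-log-"))
    (root / "COMMAND.COM").write_bytes(b"A" * 100)
    (root / "DOS").mkdir()
    (root / "DOS" / "FORMAT.COM").write_bytes(b"format")
    write_log(snapshot(root), logdir / "XRAY.LST")
    baseline = read_log(logdir / "XRAY.LST")       # use the stored copy, as Ficheck would

    target = root / "COMMAND.COM"
    st = target.stat()
    target.write_bytes(b"A" * 99 + b"B")           # same size as before
    os.utime(target, (st.st_atime, st.st_mtime))   # date restored, so only CRC differs
    (root / "NEWTSR.COM").write_bytes(b"\xCD\x21")
    os.remove(root / "DOS" / "FORMAT.COM")
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```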
* * *<br />
In conjunction with the shareware and commercial products<br />
offered by Gilmore Systems, Chuck Gilmore also runs the<br />
VIP (Virus Info Palladium) computer bulletin board in Los Angeles<br />
(1-213 276-5263). You can call this board and download<br />
FICHECK4.ARC from the FREE area of the FILES menu. You<br />
can do this regardless of whether you're a registered user of the<br />
BBS or not.<br />
If you become a registered user of Ficheck, Gilmore Systems<br />
will automatically mail you the latest commercial version<br />
of Xficheck on disk. Xficheck is a copyrighted commercial program<br />
(nonshareware, non-public domain) that's offered to their<br />
registered users at no charge. Xficheck is distributed exclusively<br />
from the Virus Info Palladium BBS; no distribution to the<br />
public by other BBS systems or by any other means is allowed<br />
without the prior written permission of Gilmore Systems.<br />
If you've registered your Ficheck program with Gilmore<br />
Systems (remember, shareware authors have to eat, too), your<br />
access level will be upgraded within 72 hours of your first call.<br />
Until then, all you can really do is download anything in the<br />
[F]ree area of the [F]iles section. The other sections will not be<br />
available to you until your access level has been updated. Also<br />
note that the [M]essage section will not allow you to read or<br />
write messages (you can only scan) until upgrade has been<br />
implemented.<br />
If you don't have a copy of Ficheck, you can download<br />
FICHECK4.ARC from the Free area of the Files section.<br />
Instructions in the documentation explain how to register. Also<br />
available in the Free area is a sample listing (SAMPLE.LST) of<br />
some of the antiviral and virus-related text files, programs,<br />
source code, and other relevant files available to you for downloading<br />
once you've registered. You are allowed to download<br />
anything in the Free area-you don't need to be a registered<br />
user to download from that area.<br />
Both Ficheck and the VIP BBS are worth checking out.<br />
Chuck Gilmore and his Gilmore Systems have become one of<br />
the respected names in the ongoing fight against computer<br />
viruses.<br />
Chapter 8<br />
Flu_Shot+<br />
Product Flu_Shot+ 1.4<br />
Company Ross M. Greenberg<br />
Software Concepts Design<br />
594 Third Avenue<br />
New York, New York 10016<br />
BBS: (212)-889-6438 1200, 2400, N/8/1<br />
Type Shareware<br />
$10 registration fee<br />
The original Flu_Shot, one of the first virus protection<br />
programs, now has a new name: Flu_Shot+. Some "worm"<br />
(as Ross Greenberg so aptly calls them) put out a program<br />
called FLUSHOT4 which was a Trojan. Greenberg opted to<br />
change the name.<br />
"Besides," Greenberg said, "Flu_Shot+ is the result of<br />
some real effort on my part, instead of being a part-time quick<br />
hack. I hope the effort shows."<br />
Flu_Shot+ is now table driven. That table is in a file named<br />
FLUSHOT.DAT. By default it lives in the root directory of your C:<br />
drive, but you can move it to a location of your choice so a<br />
worm can't write a Trojan that knows where to find and modify it.<br />
This data file lets you write- and/or read-protect entire<br />
classes of programs. This means you can write-protect all of your<br />
*.COM, *.EXE, *.BAT, and *.SYS files against damage.<br />
You can read-protect all your *.BAT files so a nasty program<br />
can't even determine what name you used for Flu_Shot+<br />
when you invoked it.<br />
Additionally, you can now have Flu_Shot+ check programs<br />
automatically when you first invoke it, to determine whether they've<br />
changed since you last looked at them. Called checksumming,<br />
this lets you know immediately if one of the protected programs<br />
was changed while you weren't looking. The same<br />
checksumming can also take place each time you load a<br />
program for execution.<br />
Also, Flu_Shot+ will advise you when any program "goes<br />
TSR." TSR stands for Terminate and Stay Resident, the mechanism that allows<br />
pop-ups and other useful programs to be created. A worm<br />
could use it to create a program that leaves a bit of slime behind.<br />
Borland's SideKick, a wonderful program and certainly<br />
not a Trojan or virus, is probably the best-known TSR.<br />
Flu_Shot+ will advise you if any program you haven't already<br />
registered in your FLUSHOT.DAT file attempts to go TSR.<br />
Finally, Flu_Shot+ will also now pop up a small window<br />
in the middle of your screen when it gets triggered. It also will<br />
more fully explain why it was triggered. The pop-up window<br />
means your screen won't get changed beyond recognition-unless<br />
you're in graphics mode when it pops up; this is a problem<br />
common to many TSR programs.<br />
Steve Gibson, writing in his "Tech Talk" column in<br />
InfoWorld (May 9, 1988), calls Flu_Shot+ one of "The two<br />
most effective virus detection monitors available ... "<br />
"The right to use Flu_Shot+," Ross said, in explaining the<br />
shareware concept under which his viral-protection product is<br />
marketed, "is contingent upon your paying for the right to use<br />
it. I ask for ten dollars as a registration fee. This entitles you to<br />
get the next update shipped to you when available. And it allows<br />
you to pay me, in part, for my labor in creating the entire<br />
Flu_Shot series. I don't expect to get my normal consulting<br />
rate or to get a return equal to that of other programs which<br />
I've developed and sell through more traditional channels.<br />
That's not my intent, or I would have made Flu_Shot+ a<br />
commercial program and you'd be paying lots more money for<br />
it.<br />
"Some people are uncomfortable with the shareware concept,<br />
or believe there's no such thing as Trojan or Virus programs,<br />
and that a person who profits from the distribution of a<br />
program such as Flu_Shot must be in it for the money. I've<br />
created an alternative for these folks. I'll call it 'charityware.'<br />
You can also register Flu_Shot+ by sending me a check for<br />
$10 made out to your favorite charity. Be sure to include a<br />
stamped and addressed envelope. I'll forward the money on to<br />
them and register you fully."<br />
Guard Card<br />
Product Guard Card<br />
Company NorthBank Corporation<br />
10811 NorthBank Road<br />
Richmond, VA 23333<br />
(804) 741-7591<br />
Type Commercial (hardware)<br />
$194<br />
NorthBank takes a hardware approach to viral protection.<br />
Their Guard Card is a plug-in board that provides "true hardware-based<br />
write protection for your hard disk! It nails viruses<br />
and Trojans (and warts!) dead in their tracks."<br />
The Guard Card prevents accidental erasures and formats<br />
when persons share a PC, such as in a networked system. It<br />
also protects turnkey user libraries from user error. The card<br />
supports one or two drives. One drive can be area-protected<br />
(requires partitioning; works with any ST-506 controller). A<br />
system reset button is included.<br />
Ice<br />
Product ICE.COM (Intrusion Countermeasure Electronics COM File Security)<br />
Company Keith P. Graham<br />
c/o PC-Rockland BBS (914) 353-2157<br />
Type Freeware<br />
Available in IBMSW on CompuServe<br />
Ice is a program that scrambles and compresses .COM files<br />
(not .EXE files) yet allows them to be fully functional. The program<br />
makes it difficult to alter the original program and it has<br />
the added bonus of compressing .COM files without detracting<br />
from their usefulness. Iced .COM files still run as they did<br />
before except they're usually smaller and disk load times are<br />
shorter. Ice offers protection against viruses in that Ice can<br />
scramble COMMAND.COM and make it difficult for viruses<br />
to attach themselves to the scrambled program.<br />
The format of the Ice command:<br />
ICE FILE.COM encryption-key<br />
FILE is the name of a .COM file to Ice, and encryption-key<br />
is a string of numbers and/or letters that helps make your<br />
scramble unique.<br />
Ice will compress and scramble the .COM file and replace<br />
the original. It's important to have a backup of the original<br />
.COM file in case Ice doesn't work properly on a particular file.<br />
"I have written," says Keith Graham, "an Ice Breaker for<br />
Iced programs and I am sure that any good hacker could also<br />
figure it out after awhile. No software resource can be protected<br />
entirely by software. I can only guarantee that Ice makes .COM<br />
files safer, not 100 percent safe."<br />
Ice is distributed as freeware but remains the property of<br />
Keith P. Graham and is not for sale, but you are allowed to<br />
share it with your friends as long as no fee is associated with<br />
the copying of Ice or distribution of Ice other than nominal<br />
disk copy or access charges.<br />
IFCRC<br />
Product IFCRC<br />
Company David Bennett<br />
Bennett Software Solutions<br />
151 West Geospace Drive<br />
Independence, MO 64056<br />
CompuServe ID: 74635,1671<br />
Type Freeware<br />
Available in IBMSW on CompuServe<br />
This program (compiled using Borland's Turbo Pascal 4.0<br />
compiler) is for use in a batch file. It allows you to execute<br />
commands based on whether or not a certain file matches the<br />
given CRC value. The program can also be used to check the<br />
CRC value of a file (CRC stands for Cyclic Redundancy<br />
Check).<br />
"Although I primarily wrote this program to execute a certain<br />
command based on whether a file has been altered or<br />
not," writes David, "it could also be used to check a daily<br />
transfer from a remote site or even used to check for <strong>computer</strong><br />
<strong>viruses</strong>.<br />
"I hereby release this program to the public domain (Guilt<br />
FreeWare!)."<br />
Mace Vaccine<br />
Product Mace Vaccine<br />
Company Paul Mace<br />
Paul Mace Software<br />
499 Williamson Way<br />
Ashland, OR 97520<br />
(503) 488-0224<br />
Type Commercial<br />
$20<br />
Paul Mace is an extremely respected name in the field of<br />
IBM and compatible software. The Mace Utilities (version 4.1,<br />
$99.00) is one of the leaders in hard disk format recovery and<br />
maintenance. Their familiar ads featuring a Swiss Army knife<br />
appear in most major <strong>computer</strong> magazines. The Mace Vaccine<br />
antiviral package, just introduced as this book was being written,<br />
is currently being included free for purchasers of the Mace<br />
Utilities.<br />
Mace Vaccine, says the company, is designed to warn you<br />
when unusual attempts are made to access vital disk areas and<br />
system files, not just by a <strong>computer</strong> flu or virus, but by any<br />
application that has no business modifying these vital areas of<br />
your disk. You can also raise the protection level to prevent<br />
any unauthorized access outside of DOS. This will stop any of<br />
the current <strong>viruses</strong> "before it stops you."<br />
The unique feature that Mace Vaccine has over most other<br />
viral protection software is the option to increase or decrease<br />
levels of protection. Level 1 (the default) will write-protect the<br />
drive against access to vital areas and system files. Your permission<br />
is required before any vital area or file can be<br />
modified.<br />
Level 2 provides all Level 1 protection of vital areas and<br />
files. Additionally, it write-protects the drive against all attempts<br />
at direct access. Only normal DOS applications are<br />
permitted to write, unless you grant permission.<br />
Those things that aren't granted direct access include <strong>viruses</strong>,<br />
DOS format, CHKDSK/F and Debug, disk reorganizers<br />
such as Mace UnFrag, Disk Optimizer, Norton SpeedDisk, and<br />
disk sector editors such as Norton and PC Tools.<br />
You may also turn Mace Vaccine off. This does not remove<br />
it from memory; it simply turns off protection. You can<br />
use this feature (judiciously) when there's a conflict with other<br />
software.<br />
Mace Vaccine is a resident program, and takes up approximately<br />
4,000 bytes (4K) of memory. It is most effective when<br />
placed first in your AUTOEXEC.BAT file. It's a solid effort<br />
from a solid company.<br />
NoVirus<br />
Product NoVirus<br />
Company Matt Hill<br />
MLH Software Systems<br />
1007 Chelten Parkway<br />
Cherry Hill, NJ 08034<br />
(609) 795-5257<br />
Type Shareware<br />
$10 registration fee<br />
The earliest symptom of a virus, Matt Hill says in the<br />
documentation enclosed with NoVirus, is usually a change in<br />
the size of one or more of your system files. These are the files<br />
that most viruses will attack first.<br />
The authors of <strong>viruses</strong> are concerned with one thing<br />
only-the destruction of data, and the more the better! For this<br />
reason, <strong>viruses</strong> are generally planted into the system files because<br />
they're the only files copied and run enough to do any<br />
substantial amount of damage. When a system disk becomes<br />
infected, the modifications to the system files will almost always<br />
be manifested in a change of the size of one or more of<br />
these files.<br />
"Due to the fact that two out of these three files are invisible<br />
via the DIR command," Matt writes in explaining his<br />
logic philosophy of virus protection, "I have developed a utility<br />
called NoVirus which monitors the sizes of these files<br />
automatically."<br />
When properly installed, NoVirus automatically monitors<br />
the sizes of system files on any system disk you choose. Every<br />
time it encounters a new disk, it will determine the sizes of<br />
each of the individual system files on that disk and store these<br />
figures onto the disk itself in a hidden, write-protected file. The<br />
next time you run NoVirus on that disk, it will find its file and<br />
compare the stored sizes to the current sizes of the files. If the<br />
sizes are the same, it's unlikely that the disk had become infected<br />
and NoVirus will quietly notify you of that fact. However,<br />
if NoVirus detects even the slightest change in the size of<br />
any of these files, it will give you adequate warning to that<br />
effect.<br />
To initialize NoVirus on your hard disk drive, simply copy<br />
the program onto the disk. Matt suggests placing it into a utility<br />
or system subdirectory to which you have a path set up.<br />
If you'd like to verify that your system files have actually<br />
been hooked or you are just curious to see what your system<br />
files are called, you may now obt<strong>ai</strong>n a formatted listing of all of<br />
the files that were identified as system files on your disk by<br />
entering:<br />
C:\>NOVIRUS /L<br />
NoVirus will then perform a size-check and provide a listing<br />
of the system files as per your request. Please note that<br />
NoVirus does not detect the presence of a virus. It merely<br />
watches out for changes in the sizes of your system files after<br />
the time of the initial installation, changes which may have been caused<br />
by viral modification. Although it's unlikely that your system is<br />
already infected, you may want to reinstall your operating system<br />
before using NoVirus for the first time.<br />
To be effective, NoVirus needs to be run often. Matt suggests<br />
placing it into your AUTOEXEC.BAT. This should be<br />
enough, unless you do a reasonable amount of downloading or<br />
have reason to believe that your system may have come into<br />
contact with an infected disk. In this case, you may want to<br />
manually invoke the program at the DOS prompt immediately<br />
after you think a change may have taken place. You may<br />
accomplish this by typing:<br />
C:\>NOVIRUS<br />
"A lot of time and hard work went into the planning and<br />
development of this product," writes Matt Hill, "and I'd like to<br />
think that my effort was not in vain. I have been using<br />
NoVirus for some time now and I feel that it's something that I<br />
can trust. I sincerely hope that you will feel the same way after<br />
you've gotten to know the program. It is my goal that if enough<br />
people take preventive measures like these we can stop the<br />
spread of the horrible <strong>computer</strong> virus."<br />
SYSCHK1<br />
Product SYSCHK1<br />
Company Terratech<br />
19817 61st Ave. S.E.<br />
Snohomish, WA 98290<br />
Type Shareware<br />
donation requested<br />
SYSCHK1.ARC is the distributed file and contains<br />
SYSCHK.EXE and SYSCHK.DOC. The program performs<br />
checksums of the first and second files in the root directory<br />
and the COMSPEC file. These, of course, are usually the three<br />
most important system files. The first time the program is invoked,<br />
the checksums are displayed. You can then record those<br />
values. If the program is then run with the checksum for the<br />
file given as a parameter, it's compared against the current<br />
value. Error levels are set so a batch file can test the results. A<br />
simple (and not totally effective) approach.<br />
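The size-and-checksum comparison that NoVirus, SYSCHK, IFCRC and the Flu_Shot+ checksumming option all rely on, as an added example in Python (not code from any of those products, which were DOS executables). It records size plus CRC-32 for each file in a baseline taken from a known-clean system, re-checks later, and exposes an IFCRC-style exit code for batch use. The "system files" are constructed byte strings, not real DOS binaries, and zlib.crc32 stands in for whatever checksum the products actually used; both are assumptions of the example. The second infection shows the weakness of a size-only monitor such as NoVirus: a change that keeps the file the same size passes the size check but fails the CRC.

```python
"""Baseline-and-compare integrity check: size plus CRC-32 per file.
Added example modelled on the NoVirus/SYSCHK/IFCRC approach, not their code."""
from __future__ import annotations

import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    size: int
    crc: int


def fingerprint(data: bytes) -> Record:
    """Size and CRC-32 of the contents (zlib.crc32 is an assumption; the
    products' own checksum algorithms are not documented in the text)."""
    return Record(len(data), zlib.crc32(data) & 0xFFFFFFFF)


def baseline(files: dict[str, bytes]) -> dict[str, Record]:
    """Initial snapshot. Must be taken on a known-clean system: a baseline
    of an already-infected file simply approves the infection."""
    return {name: fingerprint(data) for name, data in files.items()}


def verify(files: dict[str, bytes], db: dict[str, Record]) -> dict[str, str]:
    """Verdict per baselined file: 'ok', 'size changed', 'contents changed'
    (same size, different CRC), or 'missing'."""
    verdicts: dict[str, str] = {}
    for name, rec in db.items():
        if name not in files:
            verdicts[name] = "missing"
            continue
        cur = fingerprint(files[name])
        if cur == rec:
            verdicts[name] = "ok"
        elif cur.size != rec.size:
            verdicts[name] = "size changed"
        else:
            verdicts[name] = "contents changed"
    return verdicts


def size_only_check(files: dict[str, bytes], db: dict[str, Record]) -> dict[str, str]:
    """What a pure size monitor (NoVirus-style) can see."""
    return {name: "ok" if name in files and len(files[name]) == rec.size else "changed"
            for name, rec in db.items()}


def errorlevel(verdicts: dict[str, str]) -> int:
    """IFCRC-style exit code for a batch file: 0 if all matched, else 1."""
    return 0 if all(v == "ok" for v in verdicts.values()) else 1


# Constructed sample "system files" (stand-ins, not real DOS binaries).
CLEAN: dict[str, bytes] = {
    "IBMBIO.COM": b"\xEA\x00\x00\xC0\x00" + b"\x90" * 59,
    "IBMDOS.COM": b"\xB8\x00\x00\xCD\x21" + b"\x90" * 123,
    "COMMAND.COM": b"\xE9\x10\x00" + b"\x90" * 200,
}

# Infection 1: an appending infector grows COMMAND.COM by its body.
APPENDED = {**CLEAN, "COMMAND.COM": CLEAN["COMMAND.COM"] + b"VIRUS" * 8}

# Infection 2: overwrites the padding in place; the size does not change.
OVERWRITTEN = {**CLEAN, "COMMAND.COM": b"\xE9\x10\x00" + b"VIRUS" * 40}
assert len(OVERWRITTEN["COMMAND.COM"]) == len(CLEAN["COMMAND.COM"])

if __name__ == "__main__":
    db = baseline(CLEAN)
    for label, disk in (("clean", CLEAN), ("appended", APPENDED), ("overwritten", OVERWRITTEN)):
        v = verify(disk, db)
        print(f"{label:12s} errorlevel={errorlevel(v)} {v}")
        print(f"{'':12s} size-only: {size_only_check(disk, db)}")
```

Run as a script, it reports all three disks. Two caveats carry over to every product in this chapter: a CRC catches accidental and casual tampering only, since a virus written against a specific checker can pad its body so the checksum comes out unchanged (a keyed hash over a secret key is the modern replacement), and the baseline itself must be stored where the programs it guards cannot rewrite it.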
SoftSafe<br />
Product SoftSafe<br />
Company Software Directions, Inc.<br />
1572 Sussex Turnpike<br />
Randolph, NJ 07869<br />
(800) 346-7638<br />
Type Commercial<br />
$99<br />
SoftSafe provides more than just virus protection; it's also<br />
a means of insuring data security for personal computers. This<br />
includes preventing unauthorized viewing, copying, modifying,<br />
or destruction of your valuable data, as well as offering powerful<br />
virus protection, according to the manufacturer, Software<br />
Directions, Inc. (who also makes the printer control program,<br />
PrintQ).<br />
"The primary objective in SoftSafe's design is ease of use,"<br />
said Geoffrey Wiener, president of SD.<br />
SoftSafe gives you password protection of your hard disk,<br />
allowing one "owner" to create up to seven authorized "users"<br />
for each PC. The owner can also delete users or change any<br />
password, and users can change their own password at any<br />
time.<br />
Interruptions are no longer a problem when working with<br />
sensitive data. SoftSafe's lockout feature allows you to hit a hot<br />
key sequence to cover the entire screen with the SoftSafe password<br />
display. Then, only your password unlocks the machine,<br />
protecting your data from unauthorized access. SoftSafe automatically<br />
encrypts data in designated subdirectories, so only the<br />
user who generated the file or the <strong>computer</strong> owner can access<br />
the files.<br />
Finally, of course, SoftSafe provides powerful virus protection<br />
for your PC. SoftSafe maintains a protected copy of the<br />
critical system files and compares these to the working files<br />
each time you boot up. If SoftSafe detects tampering, it gives<br />
you the option of replacing the infected files with a clean copy,<br />
or ignoring the change if it was intentional, such as with a DOS<br />
version upgrade.<br />
SoftSafe works on IBM PC XT/AT and 100 percent compatibles<br />
including the PS/2. The list price of $99 includes<br />
floppy disk and a manual, as well as 30 days free technical<br />
support.<br />
Tracer<br />
Product Tracer Virus Detector<br />
Company InterPath<br />
4423 Cheeney Street<br />
Santa Clara, CA 95054<br />
(408) 988-3832<br />
Type Commercial<br />
$49.95<br />
Tracer is a <strong>computer</strong> virus detection system that catches<br />
<strong>viruses</strong> which enter your system. It uses, according to the documentation,<br />
a high reliability detection mechanism that monitors<br />
all system areas susceptible to viral attacks. If a virus does<br />
enter your system, Tracer will identify the specific system area<br />
or program files that have been infected, so virus removal is<br />
simplified.<br />
There are two phases of operation for Tracer. The initial<br />
install phase logs the system's hardware and software parameters-including<br />
the initial interrupt vector states, boot sector<br />
instructions, hidden DOS files, device drivers, and all executable<br />
code on the hard disks. Initial load instructions, branch<br />
addresses, and other program states are also logged for each<br />
program on the hard disk. The subsequent check phase executes<br />
each time the system is powered on or rebooted, and it<br />
checks all system parameters for traces of infection.<br />
Tracer is designed to detect all types of <strong>viruses</strong>, including<br />
boot sector infectors and embedded <strong>viruses</strong> (<strong>viruses</strong> that leave<br />
the infected program's size and external indicators unchanged).<br />
It provides, says its manufacturer, "a timely and near foolproof<br />
indication of infection."<br />
Trojan Stop<br />
Product Trojan Stop Deluxe version 1.1<br />
Company Carey Nash<br />
The Programmer's Forum<br />
Type Freeware<br />
Av<strong>ai</strong>lable in IBMSW on CompuServe<br />
"Trojan Stop Deluxe," writes Carey Nash in the documentation<br />
included with this freeware offering, "is a program I<br />
wrote while learning assembly. It can successfully stop any attempt<br />
to do harmful damage to your hard disk or floppy disk<br />
system. If you suspect a program is a Trojan, all you have to<br />
do is load STOP.COM before you run it."<br />
Trojan Stop Deluxe works by hooking interrupt 13 hex, the<br />
BIOS disk service through which DOS and nearly all programs perform<br />
low-level disk I/O (a program that drives the disk controller hardware<br />
directly bypasses it, which is the blind spot of this approach). STOP.COM monitors<br />
interrupt 13 and checks to see which function is being requested:<br />
read, write, or format. If a write or format is requested,<br />
STOP.COM does not allow interrupt 13 to perform the command;<br />
instead it returns a value telling the calling program that<br />
the write or format was successful. It also places a colored<br />
square in the upper right corner of your screen.<br />
Here's an example from the documentation that comes<br />
with Trojan Stop Deluxe:<br />
You have a program that has little documentation and<br />
seems much too small to do what it should do. You suspect it's<br />
a Trojan. First, run STOP.COM and then proceed to run the<br />
suspected Trojan. If the program does any disk writes or formats,<br />
you'll see a little red or blue square on your screen, and<br />
the program will be disabled; however, the suspected Trojan<br />
won't know this. If the program turns out to be okay (no nasty<br />
messages after it's done or other mischief), everything is fine.<br />
However, if it turns out to be a Trojan and claims to have<br />
done harm to your disk, merely reboot your computer and<br />
you're safe!<br />
"Stop," Carey continues, "has been tested with everything<br />
from the FORMAT command, to DEL *.*. However, I accept<br />
no responsibility for what happens to your system while<br />
STOP.COM is in memory. This is just an attempt to supply<br />
people with a way to safeguard their systems against Trojans."<br />
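The interception Trojan Stop performs, as an added example in Python (not Trojan Stop's own code, which hooks the real interrupt vector from assembly). The BIOS vector is modelled as a callable standing in front of the original handler over a constructed four-sector disk image; the function numbers follow the standard INT 13h register convention (AH=02h read sectors, 03h write sectors, 05h format track, carry flag set on error), and the Trojan, the sector size and the 0xF6 format fill are all constructed for the example. readback_detects_hook shows a limit the text does not mention: a program that reads back what it just wrote can tell that it was lied to.

```python
"""Model of Trojan Stop's INT 13h hook: reads pass through, writes and
formats are swallowed but reported as successful. Added example, not the
product's code; the x86 interrupt vector is modelled as a Python callable."""
from __future__ import annotations

from dataclasses import dataclass, field

# INT 13h function numbers (register AH) that matter here.
AH_READ_SECTORS = 0x02
AH_WRITE_SECTORS = 0x03
AH_FORMAT_TRACK = 0x05

SECTOR = 512


@dataclass
class Disk:
    """A constructed disk image: a list of sectors addressed by number."""
    sectors: list[bytearray]

    @classmethod
    def blank(cls, count: int) -> "Disk":
        return cls([bytearray(SECTOR) for _ in range(count)])


@dataclass
class Status:
    carry: bool        # CF set means error, as the BIOS reports it
    ah: int            # status code in AH, 0 = success
    data: bytes = b""  # sector contents for a read


def bios_int13(disk: Disk, ah: int, lba: int, buf: bytes = b"") -> Status:
    """The 'real' handler the vector pointed at before the hook."""
    if ah == AH_READ_SECTORS:
        return Status(False, 0, bytes(disk.sectors[lba]))
    if ah == AH_WRITE_SECTORS:
        disk.sectors[lba][:] = buf.ljust(SECTOR, b"\0")[:SECTOR]
        return Status(False, 0)
    if ah == AH_FORMAT_TRACK:
        disk.sectors[lba][:] = b"\xF6" * SECTOR   # constructed format fill
        return Status(False, 0)
    return Status(True, 0x01)                     # 01h = invalid function


@dataclass
class StopHook:
    """The hook: installed in front of bios_int13 in the 'vector'."""
    disk: Disk
    blocked: list[tuple[int, int]] = field(default_factory=list)
    flagged: bool = False   # the coloured square in the screen corner

    def __call__(self, ah: int, lba: int, buf: bytes = b"") -> Status:
        if ah in (AH_WRITE_SECTORS, AH_FORMAT_TRACK):
            self.blocked.append((ah, lba))
            self.flagged = True
            return Status(False, 0)   # report success; disk untouched
        return bios_int13(self.disk, ah, lba, buf)


def run_suspect(int13, payload: bytes) -> Status:
    """A constructed 'Trojan' that overwrites sector 0 (the boot sector)."""
    return int13(AH_WRITE_SECTORS, 0, payload)


def readback_detects_hook(int13) -> bool:
    """A program that verifies its own write notices the faked success."""
    int13(AH_WRITE_SECTORS, 1, b"CHECK")
    return int13(AH_READ_SECTORS, 1).data[:5] != b"CHECK"


def demo():
    disk = Disk.blank(4)
    disk.sectors[0][:] = b"BOOT".ljust(SECTOR, b"\0")
    hook = StopHook(disk)
    result = run_suspect(hook, b"TROJAN")
    boot = hook(AH_READ_SECTORS, 0).data[:4]   # still intact
    return result, boot, hook.flagged, hook.blocked


if __name__ == "__main__":
    print(demo())
```

demo() returns the status the Trojan saw (success, carry clear), the untouched boot sector, the raised flag, and the list of blocked calls. Against the unhooked bios_int13 the read-back check returns False; against the hook it returns True, which is exactly how a Trojan written to expect this defence would notice it.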
Universal Viral Simulator<br />
Product Universal Viral Simulator<br />
Company National BBS Society<br />
6226 Channel Drive<br />
San Jose, CA 95123<br />
Voice (408) 727-4559, BBS (408) 988-4004<br />
Type Commercial<br />
This program is made available to universities and<br />
government research organizations and on a limited<br />
basis to appropriate divisions within private industry.<br />
To apply for access, see the above address.<br />
The Universal Viral Simulator is a program that simulates<br />
characteristic activities that .COM and .EXE infector <strong>viruses</strong><br />
use for replication. It also simulates some of the destructive<br />
activities used by <strong>viruses</strong> to destroy disk information. It does<br />
not simulate the infection techniques of boot infector <strong>viruses</strong><br />
(such as the Pakistani Brain Virus).<br />
The Universal Viral Simulator is not a virus protection<br />
program; it's meant to be used as a tool to test the effectiveness<br />
of antiviral measures and as a demonstration tool for viral<br />
replication activities.<br />
"The use of live <strong>viruses</strong> for testing the security of individual<br />
or multiple system installations is extremely impractical,"<br />
said Tim McCurry, technology director for the Society. "If the<br />
security system failed during the testing/assurance process, the<br />
results could be disastrous. Clearly, a noninvasive approach to<br />
the validation of in-house antiviral systems and off the shelf<br />
products is needed."<br />
The viral simulator is executed after any antiviral systems<br />
have been loaded and activated. It then attempts to infect the<br />
system in a variety of different ways. Each time it's blocked by<br />
the antiviral system, an appropriate message is displayed, naming<br />
the replication attempt technique and the fact that the attempt<br />
was unsuccessful. Likewise, if the simulator is successful<br />
in "infecting" the system, it will identify the procedure it used<br />
to "fool" the antiviral system.<br />
The pseudo-virus will also simulate events typical of a virus<br />
that has activated and is attempting to destroy or disable<br />
system data. The Universal Viral Simulator is nondestructive<br />
and has no permanent effect on the system.<br />
Vaccine from Foundation Ware<br />
Product Vaccine<br />
Company Mike Riemer<br />
Foundation Ware<br />
2135 Renrock<br />
Cleveland, OH 44118<br />
(800) 722-8737<br />
Type Commercial<br />
$189<br />
Vaccine from Foundation Ware (as distinct from the similarly<br />
named Vaccine from World Wide Data below, and several<br />
public domain programs of the same name) is a sophisticated,<br />
top-end viral protection package. It's especially appropriate for<br />
networked computers. When Vaccine is installed on your hard<br />
disk, it continually tests files for the presence of any viruses,<br />
without interrupting your computer's operation. If Vaccine<br />
detects a virus, it will prevent the virus from damaging<br />
your system while alerting you to the danger.<br />
Vaccine also protects against bombs. The second a bomb<br />
tries to override the operating system with an illegal "write to<br />
disk" command, Vaccine halts the process and flashes you a<br />
warning. Vaccine can even electronically remove your hard<br />
disk from the rest of the system and provide a safe area for<br />
testing dubious software.<br />
Bugs are also caught. Bugs, of course, are those unintentional little<br />
things that go wrong with software after prolonged<br />
use. They also result from power surges, static electricity, and<br />
other often unexpl<strong>ai</strong>ned causes. Bugs often aren't as destructive<br />
as <strong>viruses</strong>, but commonly disrupt the integrity of your data.<br />
You probably don't want many people playing with your<br />
<strong>computer</strong>s. If for no other reason, employees using software not<br />
approved by the company waste valuable corporate resources.<br />
Vaccine is designed to allow the system manager to control<br />
what software can exist and be utilized on a system, thus<br />
disallowing any unapproved software to run. This helps to<br />
standardize software and training within an organization and<br />
keeps people from playing games on your <strong>computer</strong>s.<br />
For additional usage control, Vaccine has a tracking feature<br />
that enables you to monitor what software has been run<br />
on your system and when. You can also install Vaccine to aid<br />
in determining the source of a virus (even if you approve an<br />
infected program).<br />
Vaccine also reduces human error and recovers damaged<br />
or lost data. Again, this is sophisticated software. You may obtain<br />
additional information on it by calling the toll-free number<br />
listed above.<br />
Vaccine from World Wide Data<br />
Product Vaccine 2.1<br />
Company Ron Benvenisti<br />
World Wide Data Corp.<br />
17 Battery Place<br />
New York, NY 10004<br />
(212) 422-4100<br />
Type Commercial<br />
$79.95 ($25 site licensing)<br />
Vaccine is a software viral protection package consisting of<br />
the Vaccine program, and two other utilities, Antidote and<br />
Checkup.<br />
Antidote scans your disk for all <strong>viruses</strong> known to World<br />
Wide Data. It then notifies you if any of them appear to have<br />
attacked any of your programs. Checkup keeps a record of the<br />
state of your system and informs you if any of your executable<br />
files (.EXE and .COM) have been changed since the last time<br />
Checkup was run.<br />
Vaccine is a resident program. Once you run it, you can<br />
continue to use your system as you normally do. Vaccine automatically<br />
and transparently checks every exceptional situation<br />
described above. If any program you run tries to alter your system<br />
in a suspicious way, Vaccine warns you about what the<br />
program is trying to do and gives you the chance to stop the<br />
destructive operation.<br />
An example given in the well-written Vaccine User's Manual<br />
is that of TSR programs. No memory resident program is<br />
permitted to remain in memory unless its name is declared<br />
legal to Vaccine. No program is permitted to perform an absolute<br />
write to any device or to modify another executable program<br />
unless the user specifically and intentionally grants it<br />
permission. Memory addresses are checked as well to prevent<br />
any virus from corrupting the programs and data in your<br />
machine.<br />
These functions are performed in the background; thus<br />
they are transparent to the user. Once the program is loaded,<br />
the only time you see it work is when it warns you of possible<br />
danger. Trusted and approved programs that might otherwise<br />
trigger Vaccine are listed in an exceptions file (an ASCII file<br />
you can create with any text editor). These will include the<br />
names of all programs that change memory tables or install<br />
themselves as resident. Debuggers and communication programs,<br />
for example, often legitimately change memory tables.<br />
There is one situation the user's manual cautions you<br />
about (and one that applies equally to all viral protection software).<br />
The programs you list as exceptions must be clean to begin<br />
with. If they've been infected with viruses that Vaccine<br />
does not recognize, you may not be protected from them. Any<br />
program you approve, then, should be a reliable legitimate<br />
copy, generated from a known original source. This includes<br />
Vaccine itself. Again, this should apply to all protection<br />
programs.<br />
Vaccine is a strong, well-programmed package already in<br />
wide use. It<strong>'s</strong> well worth checking out for your own system.<br />
Vacine<br />
Product Vacine 1.3<br />
Company Art Hill<br />
936 S. Kensington Ave.<br />
La Grange, IL 60525<br />
Type Shareware<br />
contribution (amount up to you)<br />
This program, says its author Art Hill, will give you some protection against the recent crop of so-called virus programs. The program has only two modes of operation: INSTALL and CHECK. To install the program, copy it to the root directory of your hard disk. Run it by typing VACINE and selecting the appropriate option. The program works by comparing critical files to known good copies. It will record certain information it needs to check for viruses in a subdirectory on your hard disk. You may also compare critical files to those on a floppy disk. Typing VACINE C will perform the comparison against copies on your hard disk. Just typing VACINE allows you to compare to critical files on an original DOS disk.<br />
"No doubt," Art said, "one of these low life creeps who create the virus programs will get hold of this program and figure out a way to defeat it. With your contribution I can keep upgrading the program with more and more elaborate schemes to defeat the jerks."<br />
Despite the author's unique way of spelling "vacine" as opposed to "vaccine," the program appears to run well and is worth looking at. Its viral protection is limited to file comparison, but should be an important part of your overall system defenses.<br />
V_Check<br />
Product V_Check 1.0<br />
Company Dave Millis<br />
P.O. Box 2371<br />
Glenview, IL 60025<br />
Type Shareware<br />
$5, available in CompuServe IBMSW<br />
V_Check Series 1.0, according to Dave Millis in the documentation supplied with the program, was written as a service for the many computer users who may be concerned about the growing number of virus programs and the destruction that can result from them.<br />
"The inspiration for V_Check," Dave writes, "comes from not only the extensive reading of current computer literature, but also from my experience consulting people who work with microcomputers in a university setting. Software needs to be protected, but not everyone can afford a commercial package, some of which can be very expensive. In fact, with the extensive network of computer users throughout the world, less expensive tools for detecting and preventing the wrath of viruses are extremely necessary. For this reason I wrote the V_Check program series."<br />
V_Check is a conglomeration of six programs to do a comprehensive check on your important files and on DOS system files. The programs supplied in the archived distribution file are:<br />
SCC.COM. Run this first. This program compares date, time, size and checksum of system files against an original copy in the A: or B: drive.<br />
SFC.COM creates a hidden file with date, time, and size of system files if one does not exist. On successive runs, it checks this information against the current status of the file.<br />
MCF.COM creates a database of information (in a hidden file) that contains time, date, size, and checksum for each file entered.<br />
CCF.COM uses the data file created by MCF.COM and runs a check on the current status of the files, making sure there are no changes to time, date, size or checksum.<br />
DSFC.COM deletes the hidden file created by SFC.COM.<br />
DMCF.COM deletes the hidden file created by MCF.COM.<br />
In these times, continues the V_Check documentation, when more and more people are offering protection from viruses, V_Check programs offer detection of viruses that change a file's time, date, size or checksum.<br />
"Although some other programs offer much of the same as V_Check," Dave continues, "I have tried to produce a much more complete set of programs and have also made the source code available for those who would like to customize or personalize the routines for either special additions or other purposes.<br />
"I have had a lot of people try out V_Check and tell me what they thought of it. (Of course, more feedback and suggestions are always welcome.) Having been tested on a large number of IBM and IBM compatible computers, incorporating at least ten different types of DOS, both PC-DOS and MS-DOS, I have not found an MS type DOS that could not be checked with V_Check.<br />
"However, I offer V_Check as is and make absolutely no guarantees implied or otherwise. If used as recommended, V_Check Series 1.0 will hopefully help people detect and eliminate viruses infecting computers which result in costly damage."<br />
WPHD.COM<br />
Product WPHD (Write Protect Hard Disk)<br />
Type Unattributed Public Domain<br />
free<br />
available in Delphi Writers Group,<br />
CompuServe IBMSW, and numerous other places<br />
This little gem will write- and format-protect your hard disks. Run it once and it protects; run it again and it unprotects.<br />
Run this to write- and format-protect your hard disk. It's useful when you let someone else use your PC or try out new BBS software. Each time it's run, it toggles the protection off or on; no need to reboot to get rid of it. The toggle on/off feature will not work if, after running WPHD, you run another resident program that revectors INT 13. In other words, run WPHD after running other resident programs, such as Sidekick.<br />
If the DOS FORMAT command is run when this is on, it will appear to be formatting your hard disk, but it's actually VERIFYing each sector, which does not harm the disk. Your data is actually lost during a format when DOS writes a new directory and FAT; WPHD will prevent that. Actually, if WPHD is not installed and you accidentally start formatting your hard disk, you can type Ctrl-Break to stop the formatting. The Ctrl-Break will not be acknowledged right away, but that's all right; it will still break you out of FORMAT before any damage is done. This one is highly recommended. Get it and use it.<br />
XFICHECK<br />
Product XFICHECK 4.0<br />
Company Chuck Gilmore<br />
Gilmore Systems<br />
P.O. Box 3831<br />
Beverly Hills, CA 90212-0831<br />
Voice: (213) 275-8006 BBS: (213) 276-5263<br />
Type Shareware<br />
Extended version of FICHECK, free to registered users<br />
When you register your copy of FICHECK with Gilmore Systems (see FICHECK), they will send you not only guaranteed virus-free copies of FICHECK and MFICHECK, but XFICHECK as well. XFICHECK (eXtended FICHECK) incorporates both CRC and MCRC checking in a single pass, and doesn't take much longer to run than MFICHECK. The added security and peace of mind of dual-checking for CRC and MCRC alone is worth the registration fee, but that's not all XFICHECK does. XFICHECK does everything FICHECK and MFICHECK do together, and more.<br />
XFICHECK, like FICHECK and MFICHECK, can only be run from a system that was booted from a DOS floppy. However, some people simply don't want to bother taking the extra precaution of booting from a floppy. Although the company does not endorse the practice, XFICHECK comes with information explaining how to defeat the check so you may run the program without actually booting DOS from a floppy.<br />
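The baseline-then-compare scheme that V_Check's MCF.COM and CCF.COM and the FICHECK family implement, written here in Python as an added illustration (not the original programs' code; the file names, file contents and database name are constructed):

```python
"""Added example: record date/time, size and a checksum for each file, store the
records in a hidden database, and later report anything that changed.
Constructed sample files; not V_Check's or Gilmore Systems' code."""
import json
import os
import tempfile
import zlib

FIELDS = ("size", "mtime", "crc32")


def file_record(path):
    """The fields V_Check records per file: size, date/time and a checksum
    (CRC-32 here, standing in for the DOS tools' own checksum or CRC)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        crc = zlib.crc32(fh.read())
    return {"size": st.st_size, "mtime": int(st.st_mtime), "crc32": crc}


def make_baseline(paths):
    """Like MCF.COM: build the database of records, keyed by file name."""
    return {os.path.basename(p): file_record(p) for p in paths}


def save_baseline(baseline, db_path):
    """Store the database. MCF.COM used a hidden DOS file; a dot-file is the
    nearest POSIX equivalent (hiding is convenience, not protection)."""
    with open(db_path, "w") as fh:
        json.dump(baseline, fh)


def load_baseline(db_path):
    with open(db_path) as fh:
        return json.load(fh)


def check_files(baseline, paths):
    """Like CCF.COM: compare each file's current state with its record.
    Returns the changed fields per file, plus files missing or not yet recorded."""
    current = make_baseline(paths)
    report = {"modified": {}, "missing": [], "untracked": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["missing"].append(name)
            continue
        changed = [f for f in FIELDS if old[f] != new[f]]
        if changed:
            report["modified"][name] = changed
    report["untracked"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed scenario: record three 'programs', then alter one in place
    with its size and timestamp preserved (which a date/time/size-only check
    would miss), delete one, and add one. Returns the check report."""
    work = tempfile.mkdtemp()
    names = ["PROG.COM", "GONE.EXE", "KEEP.COM"]
    for name in names:
        with open(os.path.join(work, name), "wb") as fh:
            fh.write(b"MZ constructed program body for " + name.encode())
    db = os.path.join(work, ".vcheck.db")
    save_baseline(make_baseline([os.path.join(work, n) for n in names]), db)

    target = os.path.join(work, "PROG.COM")
    st = os.stat(target)
    with open(target, "r+b") as fh:
        fh.write(b"XX")                               # same length, new content
    os.utime(target, (st.st_atime, st.st_mtime))      # put the timestamp back
    os.remove(os.path.join(work, "GONE.EXE"))
    with open(os.path.join(work, "NEW.COM"), "wb") as fh:
        fh.write(b"constructed newcomer")

    present = [os.path.join(work, n) for n in os.listdir(work)
               if not n.startswith(".")]
    return check_files(load_baseline(db), present)


if __name__ == "__main__":
    print(demo())
```

A date/time/size comparison alone would have passed the tampered file; the checksum is what catches it.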
9<br />
MACINTOSH<br />
The rotten apple injures its neighbour.<br />
Chaucer<br />
The Macintosh has been beset with viruses for at least the past two years. The Scores virus (see its description in Chapter 2) was first reported in 1987, and it's still out there and still causing trouble.<br />
Viruses get into Macintosh systems disguised as HyperCard stacks or applications. The virus is self-replicating and thus spreads from machine to machine. They can (and do) infect such Macintosh resources as INITs and CODE. A well-designed virus infects other systems and attempts to hide code in as many carriers or Trojan horses as possible.<br />
A virus, in the end, is eventually triggered and completes whatever tasks (usually nefarious) were planned by the twisted mind that created it. This can and does include numerous things, up to and including erasing a disk on a specific date.<br />
Computer viruses have an uncanny resemblance to biological viruses. In the Macintosh, a virus can spread from the carrier or Trojan (the stack or application that received it "through the door") into other places such as System files. Once entrenched, the replicated copies of the virus can lie dormant for days, weeks, months, or maybe even years.<br />
If your Macintosh got infected last year and you do nothing, you may not know it until next year. Next year, however, boy will you know it as files disappear.<br />
There are three major virus infestations of Macs. Two of these we've already discussed in the course of this book: the Scores virus and the Peace virus from MacMag. The latter bears the "honor" of being the first virus to infect commercial shrink-wrapped software, Aldus' FreeHand (see "How Safe Can You Be?" in Chapter 4).<br />
In this chapter we introduce the third type of Macintosh-specific virus and discuss some ways to avoid or purge viruses in and from your system. We'll also look at some of the viral protection tools available for Macintosh computers and take a look at the virus problem on other Apple computers as well.<br />
nVIR<br />
The major Macintosh virus not yet discussed is called nVIR. While it doesn't have the fame of Scores and the Peace virus, it's out there. One sign of its presence is the beep infected programs make when you start them.<br />
In the same manner as Scores, reports Kristi Coale in her excellent article about viruses in the September 1988 MacUser, nVIR installs its own code segments into an application's resources. Each time you call the application after that, the nVIR virus resources are also installed. The code searches the System folder for its INIT, and should this not be there, it will copy it to the System folder and include nVIR resources 0-7.<br />
After the virus has established itself, it will then infect applications through its INIT (ID = 32). This virus will also add CODE ID = 256 as a resource. Here's one procedure for getting rid of an nVIR infection. It comes from Chris Borton at the University of California at San Diego (UCSD) and is available on many of the computer networks, including CompuServe. A good knowledge of how to use ResEdit is required.<br />
First, open INIT 32 in your System File with ResEdit. Next, select all the hex code and delete it. Enter two bytes, 4E 75, which merely put an RTS there. Go into each nVIR resource and delete all the information in it. Don't delete those resources! The virus checks for their existence (only); if they are there, it assumes they're okay. With the changes above, they are harmless and won't spread the virus further.<br />
The virus depends upon the INIT 32 and nVIR 0-7 resources in the System file. It modifies the CODE #0 resource of each application, altering eight bytes in the jump table to execute the code in CODE #256, which it also installs. The nVIR resources hold copies of important information: #2 has the eight original bytes from the application's CODE 0 resource, #6 is a copy of INIT 32, and so on. The eight bytes are the first eight on the third line in ResEdit.<br />
For those who might not be that comfortable with ResEdit, Mike Scanlin has written Virus Warning INIT and Vaccination. The first is a virus alarm that goes off whenever one of the nVIR resources is found, or if the nVIR CODE segment is detected. The second program, Vaccination, looks for nVIR and reports on the status of an application. It also acts to prevent nVIR from infecting your system in the first place.<br />
Mike's programs are distributed as the "stuffed" file VACCIN.SIT in the Macintosh area (Personal) on CompuServe.<br />
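As an added example (not from the book or from any of the programs it names), here is a Python scanner for the Macintosh resource-fork layout that reports the nVIR traces described above (INIT 32, CODE 256 and the nVIR resources) and the Scores traces listed later in this chapter in Howard Upchurch's procedure (atpl 128, DATA -4001, INITs 6, 10 and 17, and a top CODE resource of 7026 bytes). The forks it scans are constructed inside the block with a small builder, so it runs without a Mac; the indicator IDs are the ones the chapter gives.

```python
"""Added example: walk a resource fork and flag the nVIR/Scores resource
indicators named in this chapter. Forks are constructed, not read from disk."""
import struct

HEADER_LEN = 256        # 16-byte header plus 240 reserved bytes precede the data
MAP_TYPELIST_OFF = 28   # type list follows the 28-byte fixed part of the map


def build_resource_fork(resources):
    """Minimal fork from (type, id, payload) triples: no names, no attributes."""
    data, refs = b"", []
    for rtype, rid, payload in resources:
        refs.append((rtype, rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    types = list(dict.fromkeys(t for t, _, _ in refs))
    entries, reflists = b"", b""
    ref_off = 2 + 8 * len(types)        # reference lists follow the type entries
    for rtype in types:
        mine = [(rid, off) for t, rid, off in refs if t == rtype]
        entries += rtype + struct.pack(">HH", len(mine) - 1, ref_off)
        for rid, off in mine:
            # ID, name offset (-1 = none), attributes, 3-byte data offset, handle
            reflists += (struct.pack(">hh", rid, -1) + b"\0"
                         + off.to_bytes(3, "big") + b"\0" * 4)
        ref_off += 12 * len(mine)
    typelist = struct.pack(">H", len(types) - 1) + entries + reflists
    rmap = (b"\0" * 24 + struct.pack(">HH", MAP_TYPELIST_OFF,
                                     MAP_TYPELIST_OFF + len(typelist)) + typelist)
    header = struct.pack(">IIII", HEADER_LEN, HEADER_LEN + len(data),
                         len(data), len(rmap))
    return header + b"\0" * (HEADER_LEN - 16) + data + rmap


def list_resources(fork):
    """Return (type, id, payload) for every resource in a fork image."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    out = []
    for i in range(struct.unpack(">H", fork[tl:tl + 2])[0] + 1):
        e = tl + 2 + 8 * i
        rtype = fork[e:e + 4].decode("mac_roman")
        count, ref_off = struct.unpack(">HH", fork[e + 4:e + 8])
        for j in range(count + 1):
            r = tl + ref_off + 12 * j
            rid = struct.unpack(">h", fork[r:r + 2])[0]
            off = data_off + int.from_bytes(fork[r + 5:r + 8], "big")
            length = struct.unpack(">I", fork[off:off + 4])[0]
            out.append((rtype, rid, fork[off + 4:off + 4 + length]))
    return out


# Indicators as the chapter gives them.
NVIR_IDS = {("INIT", 32), ("CODE", 256)}
SCORES_IDS = {("atpl", 128), ("DATA", -4001), ("INIT", 6), ("INIT", 10), ("INIT", 17)}
SCORES_CODE_SIZE = 7026


def scan_for_indicators(fork):
    """Human-readable findings; an empty list means nothing matched."""
    res = list_resources(fork)
    code_ids = sorted(rid for t, rid, _ in res if t == "CODE")
    findings = []
    for rtype, rid, payload in res:
        if rtype == "nVIR":
            findings.append(f"nVIR resource ID {rid}")
        if (rtype, rid) in NVIR_IDS:
            findings.append(f"nVIR indicator {rtype} {rid}")
        if (rtype, rid) in SCORES_IDS:
            findings.append(f"Scores indicator {rtype} {rid}")
        # Scores-infected application: the top CODE ID is two above the next
        # highest, and that resource is 7026 bytes long.
        if (rtype == "CODE" and len(code_ids) >= 2 and rid == code_ids[-1]
                and rid == code_ids[-2] + 2 and len(payload) == SCORES_CODE_SIZE):
            findings.append(f"Scores CODE {rid} ({len(payload)} bytes)")
    return findings


def sample_system_file():
    """Constructed System file carrying both viruses' System-level traces."""
    return build_resource_fork([
        (b"INIT", 32, b"\x4e\x75"),     # nVIR's INIT, here already patched to RTS
        (b"nVIR", 2, b"\0" * 8),        # saved copy of an application's CODE 0 bytes
        (b"atpl", 128, b"\x01"), (b"DATA", -4001, b"\x02"),
        (b"INIT", 6, b"\x03"), (b"INIT", 17, b"\x04"),
    ])


def sample_application(infected):
    """Constructed application: CODE 0-2 when clean; plus a 7026-byte CODE 4
    (two above the next highest ID) when Scores-infected."""
    res = [(b"CODE", 0, b"\0" * 8), (b"CODE", 1, b"c1"), (b"CODE", 2, b"c2")]
    if infected:
        res.append((b"CODE", 4, b"\0" * SCORES_CODE_SIZE))
    return build_resource_fork(res)


if __name__ == "__main__":
    print(scan_for_indicators(sample_system_file()))
    print(scan_for_indicators(sample_application(True)))
```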
Virus RX<br />
Apple, like the other major players in the computer hardware and software business, remained markedly silent on the subject of viruses for a long time. Unlike the others, however, Apple did finally react to the pleas of their customers, especially after they were hit themselves with the Scores virus in at least their Washington office (according to an AP report; see Chapter 2).<br />
First, Apple called in the FBI. This writer talked with a number of people who thought the perpetrator of the Scores virus would soon be brought to justice, but no one would say anything for publication. (Let's hope the slimebucket finds out that justice is not blind after all.)<br />
Second, Apple is providing a program, Virus RX, free, along with guidelines on how to use it. This is, says Apple, "a public service."<br />
Virus RX, according to the documentation Apple supplies with it, will list damaged applications; INIT, cdev and RDEV files; invisible files; altered system files; and altered applications. The program reports different levels of concern, from simple comments to dangerous to fatal.<br />
Damaged applications are the first to be listed. These have not been infected by the virus, but they will not work and should probably be removed from your disk. The program next lists all INIT, cdev, and RDEV files (such as the Easy Access, Mouse or AppleShare files) in your System Folder. Many of these are common, but you should make sure you know why they're on your disks. Some files are normally invisible; Virus RX checks these and lists them. The documentation continues, explaining how to determine if you have a virus and how to remove the infection.<br />
Virus RX is available free on Delphi, CompuServe, other networks, various computer bulletin boards, and through your local Apple dealer. It's designed primarily for the Scores virus. Below is more detailed information on killing Scores.<br />
Killing the Scores Virus<br />
The following information on the Scores virus was written and provided to the public domain by Howard Upchurch, a Macintosh computer consultant in Garland, Texas, and distributed by the Mac Pack and the Dallas Apple Corps for all members of the Macintosh community. Mr. Upchurch gives special thanks to John Cail, Doug Ruddman, Kelly and Cheney Coker, and Steve Schroader for their assistance. It's reprinted here with Howard's kind permission.<br />
Introduction. A virus is an organism that attacks and feeds off a host until either the virus or the host dies. A so-called Scores virus has spread throughout the Macintosh community. This virus, however, is a nasty piece of software written by a demented individual. Just like a living organism, it reproduces itself and has spread like an epidemic. Rumors (and there are plenty!) are that thousands of U.S. Government Macintoshes, including those owned by NASA, are infected, and that the FBI is investigating the outbreak.<br />
In addition, Apple, other major corporations, and probably hundreds of thousands of business and private users are infected. This is not the MacMag virus, which was relatively benign and was inadvertently spread by Aldus in a few copies of FreeHand. It is not the nVIR virus, which so far has spread very little, according to published sources. It is a virus that was purposely designed to spread itself as rapidly as possible. Scores will enter a disk as part of an application. It will spread to the System, then to other applications, some of which will be given to a friend or taken to work, spreading it even further.<br />
There is evidence that it can spread through a network. Scores will damage programs, causing unpredictable problems. Its primary intent has not yet been discerned. Don't be the first to discover the evil purpose for which this virus was designed. Get it out of all systems in which it is located, and do it now!<br />
Detection: Open the System Folder on all disks in your possession, especially hard disks. Look for two icons representing the Scrapbook File and Note Pad File. The System is infected if both of them are there and if both icons are generic document icons, for example, blank dog-eared pages. The System is probably not infected if neither or only one icon is present or if the icons look like Macintoshes, the same icon used for the System and Finder.<br />
If the disk is infected, don't panic. The information below tells how to remove the virus from the System and prevent its recurrence. If the disk is not infected, learn here how to protect yourself and to help someone else remove the virus.<br />
Macintosh programs used to perform productive tasks are called applications. Common applications are MacWrite, MacPaint, and Microsoft Word. Other applications with which everyone is familiar are the Font/DA Mover, HyperCard, and TeachText. Many users don't realize that the Finder is also an application.<br />
Items created by applications are called documents. A letter created with MacWrite, for instance, is a document. There are other items on a Mac like System and General, which are neither applications nor documents. These items, along with applications and documents, may be termed files. Generically, any item that has an icon on a Macintosh is called a file.<br />
Macintosh files are composed of smaller groups of software called resources and data. Thus any Macintosh file may contain data, resources, or both. An application is comprised primarily of resources; a document is comprised primarily of data.<br />
Resources with which everyone is familiar are fonts and icons. Others of importance to this discussion are CODE and INITs. CODE is contained in virtually every application, for it's really the heart of the application itself. CODE is the set of commands that controls all the other resources. An INIT is a set of instructions loaded into the Mac's memory when power is turned on and a disk is inserted. INITs are executed in alphabetical order.<br />
Common INITs are Suitcase and Pyro. Apple has provided an application called the Resource Editor, ResEdit, or ResEd for short. It is a necessary tool for both identification and removal of this virus, but it is quite powerful and beginners are urged to avoid any uses of this program other than those described here.<br />
Analysis of Infected Application. The Scores virus seems to attack only files that have CODE resources, primarily applications. Although it's possible for documents to contain CODE, no specific examples are known. It should be mentioned that files that have been stored in the StuffIt format contain no resources at all, so a file saved or archived in that manner should be impervious to infection IF it was clean when Stuffed.<br />
Effects of Using an Infected Application. When an infected application is opened, its new CODE commands tell it to add several new pieces of software to the System Folder. The Scrapbook File and Note Pad File are quite important because they provide the best clue that something is wrong.<br />
The virus makes other changes to the System Folder that are less obvious: It adds a Desktop file and a file called Scores, from which the virus gets its name. These files cannot be observed from the Finder because they're invisible. Programs such as ResEd and MacTools show them to be there, however.<br />
The virus also modifies the System itself, adding the following resources: atpl ID 128, DATA ID -4001, and INITs with IDs of 10, 6, and 17. With these new INIT resources in the System, the Mac is figuratively a fused bomb, ready to do damage the next time it's turned on.<br />
Spread of Virus to Uncontaminated Applications. Because these new resources are primarily INITs, they are activated the next time the Mac is started. Once initialized, the virus begins to execute the commands that cause it to spread. As the infected disk is used, the virus continually seeks uncontaminated applications. The present thought is that it searches in a random fashion at an interval of three and a half minutes. At times a disk drive will begin operating when nothing should be happening. This occurs because the virus is writing its code resource to another application. After a long enough period of time, every application on the disk will be infected, apparently whether it has been used or not.<br />
Prevention of Occurrence or Recurrence. CE Software has released into the public domain a utility called Vaccine. Vaccine is a "cdev," which means "Control Panel Device." Copies are free. Get it from a Disk-of-the-Month (DOM) at a user group meeting or from a telephone communication service such as CompuServe, Delphi, or GEnie.<br />
To use it, place the Vaccine icon in the System Folder. Select Control Panel from the Apple menu and you'll see Vaccine listed right under General. Close examination will reveal that the name begins with a space before the "V." Leave it that way so it will be the first thing that operates when the Mac is started or reset.<br />
Select the Vaccine icon and read the instructions. In case you don't understand them, putting an X in the top and bottom boxes is recommended. Be sure to restart the Mac after setting Vaccine in order to start it working. To help assure you have a clean copy of Vaccine, select the Vaccine icon while at the Finder (not the Control Panel) and choose Get Info from the File menu. Verify that the size is 11,875 bytes and that the creation date is Saturday, March 19, 1988 at 11:49 p.m. We must assure that no one creates a bogus version of this fine work. And thank you, CE Software!<br />
After Vaccine has been installed, look for the following symptoms when using the Mac or opening an application; each is an indication that the virus is in operation:<br />
1. Vaccine randomly asks for permission to alter a resource.<br />
2. Opening an application triggers Vaccine.<br />
3. Opening a resource causes a bomb (usually ID = 02).<br />
4. Opening an application causes the Mac to hang up.<br />
Do not put a copy of any application on a hard disk until it has been checked for contamination. Do not run a new copy of any program until it has been checked out. Examine any program before uploading it to a Bulletin Board.<br />
Removal of Virus from System. Since the relatively recent discovery of this virus, several programmers are working on developing software that will do any or all of the following: detect the presence of the virus, remove it from the System Folder, detect infected applications, and/or repair the infected applications. As of this writing, however, none are available. What follows is a step-by-step procedure that will enable you to clean up a disk with or without one or more of these utility programs.<br />
First, install the Vaccine utility if it's available and reboot the Mac. (Note: If you see a bomb, a hangup, or a message from Vaccine when booting, the Finder is contaminated. Boot with a clean floppy and replace the Finder on the virused disk.) Open ResEd. (Note: If you see a bomb, a hangup, or a message from Vaccine when trying to open ResEd, ResEd itself is contaminated; replace it with a clean copy.) At this point you'll see the files at the so-called root level of the disk.<br />
Notice the file called DeskTop. This is not the bad file. Scroll through the window and open the System Folder by double clicking on its name.<br />
Select the Desktop file by clicking on it one time; then choose Clear from the Edit menu. Do the same thing for the other three infection files, Note Pad File, Scores, and Scrapbook File. Locate the System and double click on its name to open it.<br />
Locate atpl and open it by double clicking. Select atpl ID 128 and Clear it by using the Clear command under the Edit menu. Close atpl and open DATA. Clear DATA ID -4001. Close it and open INIT. Clear ID 10, ID 17, and ID 6. Close all windows except the root level window and save the changes when asked if you wish to.<br />
Important: A virgin System (4.1, at least) from Apple does not contain either resource of the types atpl or DATA, but some programs, LaserSpeed, for one, legitimately place them in the System. Remove only the ID numbers listed.<br />
The System is now free of infection, but the work is far from over. When Vaccine has been properly installed on the disk, opening an infected application will cause either a bomb or a message from Vaccine. The Mac may also hang up.<br />
In any case, the application should be examined more closely: Use ResEd to open the CODE resource of the suspected application. If the top CODE ID is two numbers higher than the next highest, Get Info on it. If the size is 7026, it is an infected application. Throw it in the trash because it's unusable and will reinstall the virus into the System if it is run with Vaccine off or not installed.<br />
Even if you don't yet have a copy of Vaccine, use ResEd to examine every application on your disks. Check all of the applications in the manner described above. It's easy to overlook some of the smaller and perhaps lesser used ones like Font/DA Mover and backup programs.<br />
Remember, the Finder is an application. And an application doesn't have to be run to be contaminated. Experiences with this virus over the past four months have shown this to be an effective and relatively simple way to clean a disk. There's nothing wrong with replacing the System, replacing the System Folder, or reinitializing the hard drive. These, however, are extreme measures and are not considered by the author (for example, Howard Upchurch) to be necessary.<br />
In any case, make sure with ResEd that all applications put back on the hard drive are clean, especially if Vaccine has not yet been installed. Otherwise, the whole cycle could begin again. For more advanced users: After it's felt that all infected applications have been removed and replaced, run Disk Express, if available, with the Erase Free Space option turned on. This will cluster the data to the start of the disk and zero out all remaining space.<br />
Then use Fedit, MacTools, or a similar program to search for two strings virtually unique to this virus: VULT and ERIC. Each string is all caps. If these strings are nowhere on the disk, it's clean. If they're still there, do everything possible to find out which file they're in and remove it from the disk. Repeat this until there is no ERIC or VULT. (The only application so far discovered that contains the VULT string is one called DD Editor, and it does not contain ERIC.)<br />
Searching a previously infected disk in this manner without running Disk Express first does no good because the infected files weren't actually erased when trashed; the remnants are probably still on the disk. In other words, the presence of ERIC and VULT at this stage of the removal process does not mean the disk is still infected, but their absence DOES mean the disk is clean.<br />
Removal of Virus from Infected Applications. Unfortunately, at this time there is no known method to repair infected applications, and perhaps there never will be. There is evidence that when the virus attaches itself to an application and inserts the new CODE resource, at least a part of the new CODE is apparently written over some part of the original application software, permanently destroying it. If true, this would account for the many strange effects of the virus because the missing code would be different in each application.<br />
There would have to be a separate fix for every application. The safest thing to do is trash every bad application from the disk and replace it with a known clean copy. If there is no clean copy backed up, save the infected version on a floppy in hopes that a fix will be found.<br />
Comments. Cleaning the virus from one disk will<br />
not fix the problem. ALL Macintosh disks must be<br />
clean or the problem will be around for a long, long<br />
time. And not just your disks: EVERYONE'S disks!<br />
After you're familiar with the problem and its solution,<br />
share your knowledge.<br />
"Why am I taking the time to create this document?"<br />
writes Howard Upchurch. "I had the virus as<br />
early as November of 1987, but dismissed the problem<br />
as an offshoot of Multi Finder, due to the fact that the virus<br />
struck me just as I had decided to quit using<br />
MultiFinder and return to using System 4.1.<br />
"I spent many hours of work over several weeks<br />
figuring it out and ridding myself of its effects. At the<br />
time I did not recognize it as a virus, and for that I am<br />
very sorry. I should have pounded on Apple's doors<br />
relentlessly asking about this problem.<br />
"Possibly someone there would have recognized it<br />
for what it was, early enough to prevent the present<br />
massive outbreak of the problem. I have enjoyed my<br />
Mac for well over four years now. I have created three<br />
fonts with it, one shareware and two that have actually<br />
been published. I have had fun with my Mac, and I have<br />
earned money with it. I am a member of two Macintosh<br />
clubs and have made many good friends because of this<br />
small computer.<br />
"I can't stand by while some jerk destroys so much<br />
of my life. The time has come to repay the Mac community<br />
and this is my way. Help me. One hates to publish a<br />
phone number in a document designed for public distribution,<br />
but without it you could not relay any important<br />
information.<br />
"I have reported information as I have found it. If<br />
there are any errors in the above, I apologize but ask not<br />
to be held responsible. Some statements may prove<br />
false or incomplete as more information comes to light.<br />
"Please call only from 8 a.m. to 8 p.m. Central<br />
time, and only if you have found some information not<br />
in this document. Long distance callers, please leave a<br />
complete message on the answering machine if it answers,<br />
as I cannot afford to return many long distance<br />
calls.<br />
"Both User Groups of which I am a member have<br />
access to AppleLink, a worldwide communications network<br />
operated by Apple Computer, so any new information<br />
can be relayed directly to the people at Apple<br />
who are working on solving this problem. And thanks<br />
for any help."<br />
Howard Upchurch may be reached at 3409 O'Henry<br />
Drive, Garland, TX 75042 (214) 272-7826.<br />
Other Apples<br />
The Macintosh and IBM types of computers have borne the<br />
brunt of viral attacks, but older Apple machines are not totally<br />
immune either. Checking the Apple II and III area on CompuServe,<br />
we find the programs listed below available for Apple II<br />
owners. Alas, the Apple III seems to have been abandoned<br />
even by the virus-makers.<br />
Apple.Rx 1.7: This is a software virus detection program.<br />
It's listed as shareware ($20) but is not to be distributed elsewhere<br />
than CompuServe. This revision corrects one bug and<br />
adds enhancements: prints only error lines if desired, adds an<br />
automatic, hands off, check mode (for use in a queue). This requires<br />
a IIGS or a IIe or IIc with a 65802 chip or 65816 board<br />
substituted for the 65C02. Copyright 1988 by Glen Bredon.<br />
VACCINE II: This is the latest version (1.1) of VACCINE<br />
II, a full-function Virus Analyzer and detector for the IIGS.<br />
This version adds additional checks not found in the previous<br />
version, and fixes the FINDER restart problem experienced by<br />
some users. You should destroy your previous copies of VACCINE<br />
after download.<br />
ANTIVI.BQY: Checks for virus on the boot block (block 0)<br />
of any ProDOS disk. Unpack with BLU to get program and<br />
documentation.<br />
10<br />
ATARI<br />
Raise no more spirits than you can conjure down.<br />
Old Proverb<br />
Atari is no more immune from viruses than are IBM and Macintosh.<br />
Both the older 8-bit machines and the newer STs have<br />
been struck by viruses.<br />
The ST appears to have been the hardest hit. Two ST-specific<br />
viruses have already been identified, and more are suspected.<br />
The worst of these, according to John Jainschigg writing<br />
in the September/October 1988 issue of Atari Explorer, seems<br />
to have originated in West Germany. The ST is very popular<br />
in that country.<br />
This viral beastie has been named the Boot Sector virus<br />
because it inhabits the boot sector on auto-booting disks.<br />
Should an infected disk be used to initialize an ST system, the<br />
virus loads itself into memory and attaches itself to a system<br />
call vector that is related to disk access. By doing this, it can<br />
infect other appropriately configured disks whenever an access<br />
call is made.<br />
The procedure used by this virus is to first check the disk<br />
for its own presence. If no clone of the virus exists, it makes a<br />
copy of itself into the boot sector. In such manner, the virus<br />
can be spread easily from machine to machine. When the virus<br />
decides it has replicated enough, it goes active and corrupts the<br />
File Allocation Tables (FAT) of however many floppies are put<br />
into the ST during an operating session.<br />
The other known ST virus is somewhat less destructive. It<br />
also lives in the boot sector of autobooting disks. Its active life<br />
consists of simulating memory errors like you might expect to<br />
see if some of your computer's memory chips had become defective.<br />
This virus is not very amusing if you go to the considerable<br />
expense of replacing chips only to find (seemingly) that<br />
you still have the same problem.<br />
Fighting ST Viruses<br />
ST viruses (and 8-bit too) are spread by the exchange of infected<br />
auto-booting disks. This affects user groups much more<br />
than isolated users, since user groups do a lot of disk trading.<br />
One user who found this out, to his dismay, is Gerd Sender of<br />
Koeln, West Germany. Herr Sender was kind enough to pass<br />
along his experiences to the global community of Atari users<br />
via a text file that's been posted on numerous bulletin boards<br />
worldwide, and the full text is available in the Atari special interest<br />
group on CompuServe. Here's an excerpt from that file.<br />
"This weekend I received a number of pd software disks<br />
from a computer store. I found that three of these contained<br />
the ST Virus that has been mentioned on the net recently. I did<br />
not however discover this until it had trashed one disk and infected<br />
a very large number of disks.<br />
"I have since disassembled the virus and worked out exactly<br />
what it does and I am posting a summary of what I found<br />
here.<br />
"When the ST is reset or switched on, it reads some information<br />
from track 0 sector 0 of the disk in drive A. It is possible<br />
to set up that sector so that the ST will execute its<br />
contents. The virus program is written into this sector so that it<br />
is loaded whenever the ST is booted on the offending disk.<br />
"Once loaded into memory, the virus locates itself at the<br />
end of the system disk buffer (address contained at 0x4c2 I<br />
think) and attaches itself to the bios getbpb( ) function.<br />
"Every time getbpb( ) is called, the virus is activated. It<br />
tests the disk to see if it contains the virus. If it doesn't then<br />
the virus is written out to the boot sector and a counter is<br />
initialized.<br />
"If the disk does contain the virus, then the counter is incremented.<br />
Once the counter reaches a certain value, random<br />
data is written across the root directory & FAT tables for the<br />
disk, thus making it unusable. The virus then removes itself<br />
from the boot sector of the damaged disk (destroys the<br />
evidence?).<br />
"Once the virus is installed in the ST it will copy itself to<br />
EVERY non-write-protected disk you use, EVEN IF YOU<br />
ONLY DO A DIRECTORY, or open a window to it from the<br />
desktop.<br />
"The virus CANNOT copy itself to a write-protected disk.<br />
"I think (but am not certain) that it survives a reset.<br />
"The current virus does not affect hard disks (it uses the<br />
flopwr( ) call). However, if you are using an auto-boot hard<br />
disk such as Supra, and the disk in drive A contains the virus,<br />
THE FLOPPY BOOT SECTOR IS EXECUTED BEFORE<br />
THE HARD DISK BOOT SECTOR and consequently the virus<br />
will still be loaded and transferred to every floppy you use.<br />
"To test for the virus, look at sector 0 of a floppy with a<br />
disk editor. If the boot sector is executable, it will contain 60<br />
hex as its first byte. Note that a number of games have executable<br />
boot sectors as part of their loading. However, if this is the<br />
case, they should not load when infected by the virus.<br />
"If people are worried about this and haven't been able to<br />
get the other killer (I have not seen it yet) then I will post the<br />
source/object for a simple virus detector/killer that I have<br />
written.<br />
"It would appear that this virus is not the end of the story.<br />
I have heard that there is a new virus around. This one is almost<br />
impossible to detect. For each disk inserted, it scans for<br />
any *.prg and appends itself to the text segment in some way.<br />
Thus, it is very difficult to tell whether or not the virus is actually<br />
on a disk."<br />
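The two descriptions above, the book's own summary of the Boot Sector virus and Sender's note, both come down to one inspection: read sector 0 of the floppy and decide whether TOS will execute it. The following Python script is an added example, not code from the book and not Sender's detector/killer. It assumes the standard TOS boot sector layout (512 bytes, BIOS parameter block as little-endian fields at 0x0B-0x1D) and TOS's own rule, not stated on the page, that a boot sector is run only when the sum of its 256 big-endian words, modulo 0x10000, equals 0x1234; Sender's "first byte 60 hex" test is implemented alongside it. The `disarm` routine is an assumed approach that clears the code area while leaving the BPB intact, so the disk stays readable; Sender's caveat about games with legitimate boot code applies before using it. The sample sectors are constructed in the script and contain only NOPs, not virus code.

```python
"""Inspect an Atari ST floppy boot sector (track 0, sector 0).

Added example, not code from the book or from Gerd Sender's killer. Layout
assumed: 512-byte sector; an executable sector starts with a 68000 BRA.S
(0x60) as Sender notes; the BIOS parameter block is little-endian at
0x0B-0x1D; TOS runs the sector only when the sum of its 256 big-endian
words, modulo 0x10000, equals 0x1234 (TOS rule, not stated on the page).
"""
import struct

SECTOR_SIZE = 512
BOOT_MAGIC = 0x1234
# bps, spc, reserved, fats, root entries, sectors, media, spf, spt, sides, hidden
BPB_FORMAT = "<HBHBHHBHHHH"


def word_sum(sector: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words, as the TOS boot loader computes it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def starts_with_branch(sector: bytes) -> bool:
    """Sender's quick test: boot code begins with BRA.S, opcode byte 0x60."""
    return sector[0] == 0x60


def is_executable(sector: bytes) -> bool:
    """The loader's test: only a sector whose word sum is 0x1234 gets executed."""
    return word_sum(sector) == BOOT_MAGIC


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB so a report can show geometry alongside the verdict."""
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats",
             "root_entries", "total_sectors", "media", "sectors_per_fat",
             "sectors_per_track", "sides", "hidden")
    return dict(zip(names, struct.unpack_from(BPB_FORMAT, sector, 0x0B)))


def classify(sector: bytes) -> str:
    """'executable' means TOS will run it: a virus, or a game's own loader."""
    if not is_executable(sector):
        return "data-only"
    return "executable" if starts_with_branch(sector) else "executable (no BRA.S at 0)"


def disarm(sector: bytes) -> bytes:
    """Make the sector non-executable but keep the BPB so the disk stays readable.

    Assumed approach: clear the branch and the code area (0x1E-0x1FF) and make
    sure the word sum no longer equals 0x1234. Only do this to a disk you know
    does not rely on its boot code (Sender's warning about games applies)."""
    out = bytearray(sector)
    out[0:2] = b"\x00\x00"
    out[0x1E:SECTOR_SIZE] = bytes(SECTOR_SIZE - 0x1E)
    if word_sum(bytes(out)) == BOOT_MAGIC:   # BPB bytes alone summed to 0x1234
        out[0x1FE:0x200] = b"\x00\x01"
    return bytes(out)


def make_sector(code: bytes, executable: bool) -> bytes:
    """Constructed sample: a 720K double-sided BPB, optionally with boot code.

    The fix-up word at 0x1FE is what makes the loader's sum come out to 0x1234."""
    s = bytearray(SECTOR_SIZE)
    struct.pack_into(BPB_FORMAT, s, 0x0B, 512, 2, 1, 2, 112, 1440, 0xF9, 5, 9, 2, 0)
    if executable:
        s[0:2] = bytes([0x60, 0x1C])          # BRA.S to offset 0x1E
        s[0x1E:0x1E + len(code)] = code
        need = (BOOT_MAGIC - word_sum(bytes(s))) & 0xFFFF
        s[0x1FE:0x200] = need.to_bytes(2, "big")
    return bytes(s)


if __name__ == "__main__":
    harmless = b"\x4e\x71" * 4            # four NOPs: constructed stand-in, not a virus
    for label, sec in (("clean", make_sector(harmless, False)),
                       ("bootable", make_sector(harmless, True))):
        print(f"{label}: {classify(sec)}, sum=0x{word_sum(sec):04x}, "
              f"{parse_bpb(sec)['total_sectors']} sectors")
    print("after disarm:", classify(disarm(make_sector(harmless, True))))
```

Checking the 0x1234 sum rather than only the first byte matters in practice: a sector that begins with 0x60 but does not sum to 0x1234 is never executed, and a sector could in principle start with another instruction and still be run, which is why `classify` reports both conditions separately.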
8-Bits Take Hits<br />
Nor, of course, do the older Atari models get off scot-free. Portland<br />
(Oregon) Atari Club president, Bill Pike, warns Atari users<br />
of a virus that, different from ST boot sector viruses, can actually<br />
attach itself to application programs.<br />
Writing in the widely published electronic version of the<br />
PAC newsletter, he says that an original program may run fine<br />
the first time. Yet, unknown to you, the file is a Trojan horse<br />
that lets the virus write a program to the disk.<br />
Like some fat, crafty spider, the virus sits inside the computer's<br />
memory and waits for a disk Input/Output operation.<br />
Each time a disk is placed in the drive and an Input/Output<br />
operation is performed, a copy of the virus is written to the<br />
disk. If a file containing the virus is transferred to a BBS, the<br />
virus goes along with the program.<br />
The virus then sits in wait on the disk. As Bill reminds us<br />
in his article, it's not listed in the directory and may or may not<br />
change the VTOC. Later, at some predetermined time, the virus<br />
goes to work and may wipe out the directory and VTOC or<br />
it just might format the entire disk. Some virus programs modify<br />
DOS so the virus program is appended to every file on the<br />
disk when a file is loaded off of disk or transferred via modem.<br />
Bill also says boot sector viruses exist that prey on 8-bit<br />
machines too, but Atari owners have a big advantage over<br />
other types of computers since the disk drive is a "smartdrive."<br />
This means if the disk is write-protected the drive will<br />
not write to or format that disk.<br />
"This is part of the ROM instructions within the drive itself,"<br />
Pike writes, "and a virus cannot modify ROM. However<br />
there is a modification available to bypass this feature. I would<br />
suggest that it be removed for obvious reasons."<br />
He continues to point out that keeping the virus out of<br />
your library is much easier than removing it when it already<br />
exists. You can never be sure you've caught every disk the virus<br />
has infected. If all infected disks aren't destroyed, the virus<br />
will simply reinfect all of your disks.<br />
Here are three basic rules of protecting yourself from viruses<br />
while using an Atari computer:<br />
1. Disks that aren't supposed to be written to should be write-protected.<br />
It's easy enough, should you need to put something<br />
on the disk, to remove the write-protect tab and then<br />
replace it. It's better to be safe than sorry.<br />
2. A cold start removes a virus from memory. Turn the computer<br />
off, then reboot it with a known good DOS disk. You<br />
should always have a good, pristine backup of the DOS<br />
disk, write-protected and never used except to make copies.<br />
3. If you trade programs or download them from bulletin<br />
boards, keep these on a separate disk. After trying them out,<br />
do a cold boot of your computer as described above.<br />
Finally, here's a method suggested by Bill Pike for checking<br />
out new programs:<br />
Format a blank disk, using a known good copy of DOS.<br />
Then use a sector editor to check the first 4 sectors (0-3) of the<br />
suspect disk against the freshly formatted disk. If these don't<br />
match, one of the files on the disk has a virus. You can find<br />
the infected file by using a known good DOS and copying each<br />
file individually to another disk and comparing the boot sectors<br />
(0-3) with the newly formatted disk. You might also wish to<br />
compare all file lengths including the DOS.SYS and DUP.SYS<br />
files. If any file is longer than the original file, suspect a virus.<br />
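Pike's procedure is two comparisons, boot sectors and file lengths, which is easy to automate once the disks are captured as images. The Python script below is an added example, not Bill Pike's or the book's code. It assumes the ATR disk image format (16-byte header beginning 0x96 0x02, then 128-byte sectors numbered from 1) and the Atari DOS 2.x directory layout (sectors 361-368, 16-byte entries of flag byte, sector count, start sector, 8-character name and 3-character extension, with bit 6 of the flag meaning "in use" and bit 7 "deleted"); none of those facts come from the page. Lengths are compared in sectors because that is how DOS 2.x records them. The two images are constructed inside the script; the boot bytes are a stand-in, not real DOS code.

```python
"""Automate Bill Pike's two checks for Atari 8-bit disks.

Added example; this is not Bill Pike's or the book's code. It reads ATR disk
images and Atari DOS 2.x directories. Assumed (not from the page): ATR header is
16 bytes starting with 0x96 0x02, sectors are 128 bytes and numbered from 1;
the DOS 2.x directory lives in sectors 361-368 as 16-byte entries (flag byte,
sector count, start sector, 8-char name, 3-char extension), with bit 6 of the
flag meaning "in use" and bit 7 "deleted".
"""
import struct

SECTOR = 128
HEADER = 16
DIR_SECTORS = range(361, 369)
ENTRY = struct.Struct("<BHH8s3s")   # flag, sector count, start sector, name, ext
FLAG_DELETED, FLAG_IN_USE = 0x80, 0x40


def read_sector(image: bytes, number: int) -> bytes:
    if image[:2] != b"\x96\x02":
        raise ValueError("not an ATR image")
    start = HEADER + (number - 1) * SECTOR
    return image[start:start + SECTOR]


def boot_sectors_differ(suspect: bytes, reference: bytes, count: int = 4) -> list:
    """Pike's first check: the first four sectors must match a fresh format."""
    return [n for n in range(1, count + 1)
            if read_sector(suspect, n) != read_sector(reference, n)]


def directory(image: bytes) -> dict:
    """Map NAME.EXT -> sector count for every live entry in the directory."""
    files = {}
    for n in DIR_SECTORS:
        sec = read_sector(image, n)
        for flag, count, _start, name, ext in ENTRY.iter_unpack(sec):
            if flag & FLAG_DELETED or not flag & FLAG_IN_USE:
                continue
            base = name.decode("ascii", "replace").rstrip()
            suffix = ext.decode("ascii", "replace").rstrip()
            files[f"{base}.{suffix}" if suffix else base] = count
    return files


def grown_files(suspect: bytes, reference: bytes) -> dict:
    """Pike's second check: files longer than the known-good copy -> (was, now)."""
    good = directory(reference)
    return {name: (good[name], count) for name, count in directory(suspect).items()
            if name in good and count > good[name]}


def make_image(boot: bytes, entries) -> bytes:
    """Constructed 720-sector single-density image for testing (not a real DOS disk)."""
    body = bytearray(720 * SECTOR)
    body[:len(boot)] = boot
    d = bytearray(SECTOR)
    for i, (fname, count, start) in enumerate(entries):
        base, _, suffix = fname.partition(".")
        ENTRY.pack_into(d, i * ENTRY.size, 0x42, count, start,
                        base.ljust(8).encode(), suffix.ljust(3).encode())
    body[(361 - 1) * SECTOR:361 * SECTOR] = d
    paragraphs = len(body) // 16
    header = struct.pack("<HHHB", 0x0296, paragraphs & 0xFFFF, SECTOR, paragraphs >> 16)
    return header + bytes(9) + bytes(body)


# Constructed samples: the boot bytes are a stand-in, not real DOS code.
CLEAN_BOOT = bytes([0x00, 0x03, 0x00, 0x07, 0x40, 0x15, 0x4C, 0x14, 0x07])
REFERENCE = make_image(CLEAN_BOOT, [("DOS.SYS", 39, 4), ("DUP.SYS", 42, 43)])
SUSPECT = make_image(CLEAN_BOOT[:8] + b"\xEA",      # one boot byte changed
                     [("DOS.SYS", 41, 4), ("DUP.SYS", 42, 43), ("NEW.COM", 20, 100)])

if __name__ == "__main__":
    print("boot sectors that differ:", boot_sectors_differ(SUSPECT, REFERENCE))
    print("files that grew:", grown_files(SUSPECT, REFERENCE))
```

A file that appears only on the suspect disk (NEW.COM above) is reported by `directory` but not by `grown_files`, since there is no known-good length to compare it against; that is the case Pike covers by copying each file individually to a fresh disk and re-checking the boot sectors.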
Conclusion<br />
So far, the best protection against viruses on either an ST or 8-bit<br />
Atari seems to be simply to use the write-protect tab. There<br />
are a few public domain antiviral programs for Atari beginning<br />
to appear, also.<br />
One gets the feeling that the Atari community is where the<br />
IBM and Macintosh were last year. Rumors are flying and actual<br />
infestations are appearing, but viruses are not yet as widespread<br />
as they are on IBM and compatibles, and on the<br />
Macintosh.<br />
Alas, Atari's time seems to be coming, just like the others.<br />
11<br />
AMIGA<br />
These are called the pious frauds of friendship.<br />
Henry Fielding (1707-1754)<br />
Commodore's Amiga computers are mighty machines, yet<br />
one little program entering in the guise of friendship can lay<br />
them low.<br />
One of the first Amiga viruses was widely reported in<br />
October 1987 by Pete Goodeve and others on various networks<br />
and computer bulletin boards. This particular virus seems to be<br />
relatively innocuous, merely popping a message up on your<br />
screen. However, it doesn't show itself until a number of your<br />
disks are infected. Goodeve posted a message on GEnie on<br />
October 15, 1987 in which he details having seen the virus the<br />
previous evening at the Winners Circle User Group meeting.<br />
The virus works like this: When a warm boot (Ctrl-Amiga-Amiga)<br />
is done from an infected disk, the virus writes itself<br />
into memory. Subsequent warm boots will not delete it. After<br />
that, until such time as power has been removed from the machine,<br />
other disks placed into the computer have the virus written<br />
to their boot sectors, and will pass the infection on in the<br />
same manner.<br />
The message this virus throws onto the screen, as best Pete<br />
could remember, was:<br />
"Something wonderful has happened-Your Amiga is<br />
alive! And what is more, some of your disks are infected by a<br />
virus! Brought to you by [something ... something] SCA."<br />
Apparently this virus was meant to be benign. However, it<br />
may have spread to thousands of Amiga computers, disrupting<br />
the normal operating parameters of these machines. A report<br />
about this virus in CompuServe's Online Today pointed out<br />
that some commercial software developers use coded information<br />
in the boot block of their distribution disks. In such<br />
cases the virus can inadvertently damage these disks and render<br />
the software useless. The virus was evidently meant to be a<br />
high-tech joke, displaying the message above after having invaded<br />
and entrenched itself in a user's disk library.<br />
Like the supposedly benign Macintosh Peace virus, this<br />
Amiga infestation at the very least caused a lot of users<br />
consternation. None of us want anyone messing with our precious<br />
disks.<br />
Viruses Go South for the Winter<br />
After October 1987, the next major virus outbreak in the<br />
Amiga community occurred in sunny Florida during January<br />
1988. A United Press International report quotes members of<br />
the Tampa Amiga User's Group as saying they were engaged in<br />
a fight against viruses. One person said the virus was set to<br />
start destroying files on May 13th (see the Friday the 13th virus<br />
described in Chapter 2).<br />
"It kind of creeps up on you," president Jeff White of the<br />
Amiga group said to UPI, and continued to say that many of<br />
the group's membership now had disks infected by this virus.<br />
The UPI report continued, "Experts don't yet know what,<br />
if any, damage the virus can cause to the disks or programs.<br />
Similar problems have erased programs and information ....<br />
White said the program spread itself to more than 20 of his<br />
floppy disks before he discovered it. But by then, the program<br />
had spread to the disks of many of the club's members via its<br />
regular disk-of-the-month distribution."<br />
White told UPI the program works invisibly. "When the<br />
computer is turned on, the program stores itself in the machine's<br />
main memory and then begins spreading copies of itself<br />
to new disks used in the machine," he said.<br />
He stated that Tampa Amiga User's Group members now<br />
employ a virus-checker program to test disks and prevent<br />
infections.<br />
SCA, All the Way!<br />
The virus discussed above also resurfaced in January 1988, now<br />
named the SCA virus. Chet Solace, Assistant Editor of the<br />
Amiga-oriented AMnews Magazine, posted public warning<br />
messages on various boards saying the magazine had inadvertently<br />
spread the virus.<br />
"If you got a copy of AMnews, Vol. 2, No. 1 (WHITE<br />
Cover) at AMI-EXPO," reads the warning in part, "install<br />
Disk #1, using a write-protected copy of WorkBench! If you ALREADY<br />
used AMnews, any BOOTABLE disk used prior to<br />
POWER-OFF is also infected! Check ALL such disks/memory<br />
with VCheck19.arc. NON-BOOTABLE DISKS ARE SAFE!"<br />
Like the Aldus FreeHand case and the Macintosh Peace<br />
virus, the Amiga community now had to face the fact that even<br />
commercial software was not safe from viral infection.<br />
Solace went on to describe what had happened and the<br />
steps the magazine was taking to rectify the situation. He wrote<br />
that after the January master disks had been sent for copying,<br />
someone added the virus to Disk #1 before duplication.<br />
Through the three days of demonstrations at the show, the virus<br />
remained hidden until 300 prerelease copies had been sold.<br />
Chet then emphasizes that no other infected copies were<br />
released and that all copies were being certified virus free and<br />
repackaged.<br />
"Since all copies of Disk #1 had the same 'generation' of<br />
virus," he said, "it had to be done just prior to, or during copying.<br />
We've added security, and future issues will automatically<br />
check for viruses! We are stunned at this senseless violence,<br />
and apologize to all those affected for the inconvenience,<br />
aggravation and delay."<br />
VirusX: Steve Tibbett's Virus Killer<br />
Product VirusX<br />
Company Steve Tibbett<br />
2710 Saratoga Pl. #1108<br />
Gloucester, Ontario<br />
K1T 1Z2<br />
BBS 613-731-3419<br />
BIX s.tibbett, People/Link SteveX<br />
Type Copyrighted, but freely distributable and not<br />
shareware<br />
Steve Tibbett's VirusX is one of the leading programs in<br />
virus-fighting on the Amiga, and Steve himself is a leading<br />
authority on Amiga viruses. VirusX has gone through several<br />
revisions (we looked at 1.7 here) and is tailored to protect<br />
against not only the SCA virus, but several others as well. The<br />
first he addresses, however, is the SCA virus.<br />
"There are a number of CLI-based Virus Checkers out<br />
there," writes Steve in the documentation included in the archived<br />
VirusX distribution file, "which do their job just fine,<br />
but if you're not into using CLI, what do you do? You use<br />
VirusX!<br />
"Please, I encourage you to give this program to anybody<br />
who might have the virus. Including your local dealer-some<br />
of the dealers in this area have the virus all over their disks,<br />
which they allow customers to copy, and they don't do anything<br />
about it because they don't know how. VirusX makes it<br />
extremely simple."<br />
VirusX can be put in your Startup-Sequence. When run, it<br />
will open a small window so you know it's there (and it will<br />
display the occasional message in it). Whenever a disk is inserted<br />
into any of the 3½-inch drives, that disk is automatically<br />
checked for the SCA virus and is also checked to see if its boot<br />
sector is Standard.<br />
"If the disk has a nonstandard boot sector," writes Steve,<br />
"it is either a new form of virus which I don't know about yet,<br />
or it is a commercial program which uses the boot block for<br />
something constructive (like booting their game)."<br />
If VirusX finds a boot block it is suspicious about, it will<br />
present the user with a requester either warning him that the<br />
disk has the SCA virus or telling him that the boot code is nonstandard.<br />
In either case, he is given the option to either ignore<br />
it or Remove it.<br />
If the user selects Remove, after he says he's sure he wants<br />
to rewrite the disk's boot sector, the boot code written back to<br />
the disk by VirusX is the same boot code that the AmigaDOS<br />
INSTALL command writes. (Remember: Never rewrite the<br />
boot sector of a commercial program unless you know that program<br />
doesn't use it for something else. If the program gives you<br />
the AmigaDOS window before running, you know it's safe to<br />
repair that disk.)<br />
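The VirusX behaviour described above, checking whether a boot block is "Standard" and, on Remove, writing back the code that INSTALL writes, can be reproduced from the boot block format alone. The Python script below is an added example and is not Steve Tibbett's VirusX source. It assumes the Amiga boot block layout (the first 1024 bytes of the disk: "DOS", a flags byte, a 32-bit checksum, the root block number 880, then code), the boot block checksum rule (one's complement of the end-around-carry sum of the 256 big-endian longwords with the checksum field taken as zero), and that `STANDARD_CODE` is the Kickstart 1.3 boot code as it is usually listed; compare it with what INSTALL writes on your own system before relying on it. No SCA signature is included, so an unrecognised block is reported as nonstandard, which is exactly the "new virus or commercial program" case VirusX hands to the user.

```python
"""Check and repair an Amiga floppy boot block, VirusX-style.

Added example; not Steve Tibbett's VirusX source. Assumed facts: the boot
block is the first 1024 bytes of the disk ("DOS", flags byte, 32-bit checksum,
root block number 880, then code); the checksum is the one's complement of the
end-around-carry sum of the 256 big-endian longwords with the checksum field
taken as zero; STANDARD_CODE is the Kickstart 1.3 boot code as commonly listed.
No virus signature is built in: anything not matching INSTALL's code is reported
as nonstandard, which is what VirusX does for a block it does not recognise.
"""
import struct

BLOCK = 1024
ROOT_BLOCK = 880
STANDARD_CODE = bytes.fromhex(
    "43fa0018" "4eaeffa0" "4a80670a" "20402068" "00167000" "4e7570ff" "60fa"
    "646f732e6c69627261727900")          # followed by "dos.library\0"


def checksum(block: bytes) -> int:
    """End-around-carry sum of all longwords, checksum field as 0, complemented."""
    total = 0
    for off in range(0, BLOCK, 4):
        if off == 4:                      # the checksum field itself counts as zero
            continue
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return ~total & 0xFFFFFFFF


def stored_checksum(block: bytes) -> int:
    return struct.unpack_from(">I", block, 4)[0]


def with_checksum(block: bytes) -> bytes:
    """Return a copy whose checksum field matches its contents."""
    out = bytearray(block)
    struct.pack_into(">I", out, 4, checksum(bytes(out)))
    return bytes(out)


def classify(block: bytes) -> str:
    """Mirror VirusX's verdicts: standard, nonstandard, or not bootable at all."""
    if len(block) != BLOCK or block[:3] != b"DOS":
        return "not a DOS boot block"
    if stored_checksum(block) != checksum(block):
        return "bad checksum (not bootable)"
    if block[12:].rstrip(b"\x00") == STANDARD_CODE.rstrip(b"\x00"):
        return "standard"
    return "nonstandard"


def standard_block(flags: int = 0) -> bytes:
    """The block AmigaDOS INSTALL writes (flags byte 0 for the original filesystem)."""
    out = bytearray(BLOCK)
    out[:3] = b"DOS"
    out[3] = flags
    struct.pack_into(">I", out, 8, ROOT_BLOCK)
    out[12:12 + len(STANDARD_CODE)] = STANDARD_CODE
    return with_checksum(bytes(out))


def repair(block: bytes) -> bytes:
    """What VirusX's Remove does: overwrite the block with INSTALL's boot code.
    The flags byte is kept so the disk's filesystem type is preserved."""
    flags = block[3] if block[:3] == b"DOS" else 0
    return standard_block(flags)


if __name__ == "__main__":
    good = standard_block()
    print("INSTALL block:", classify(good), hex(stored_checksum(good)))
    odd = bytearray(good)
    odd[12:16] = b"\x4e\x71\x4e\x71"      # constructed: first instruction replaced by NOPs
    print("tampered, stale checksum:", classify(bytes(odd)))
    print("tampered, fixed checksum:", classify(with_checksum(bytes(odd))))
    print("after repair:", classify(repair(bytes(odd))))
```

A block that fails the checksum will never be executed by the ROM, so it is not a live infection, but it is also not a usable boot disk; the interesting case for detection is a block whose checksum is valid and whose code is not INSTALL's, which is where VirusX asks the user to decide.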
"If you run across a strain of the virus, or any other virus<br />
that VirusX doesn't specifically warn of, please send me a copy<br />
of a disk with that virus on it! I want to keep VirusX current,<br />
and to do so, I need the viruses.<br />
"Of course, there are those of you who are thinking that I<br />
am some nut case trying to spread my own virus hidden under<br />
the guise of a virus checker. Well, just for you, I've included<br />
the C source code. Please, if you don't trust me, don't discard a<br />
useful utility as untrustworthy for no reason, CHECK THE<br />
SOURCE! Recompile it if you think I'm trying to slip a fast<br />
one on you. I just want to see the virus out of all of our lives."<br />
The Byte Bandit Virus<br />
Steve Tibbett's VirusX also goes for the throat of the Byte Bandit<br />
virus. Once it's in memory, the Byte Bandit virus copies itself<br />
to just above the high memory point on the first hunk of<br />
RAM it can find. This means it's not always in the same place.<br />
The virus wedges itself into the Interrupt Server chain, into the<br />
Trackdisk.device's vectors, and creates itself a Resident structure<br />
so it can hang around after reboot.<br />
Byte Bandit watches every disk inserted and will write itself<br />
to any bootable disk that<strong>'s</strong> inserted. This one, says Steve,<br />
can spread like wildfire. Every disk you insert into your external<br />
drive during a session with this Virus loaded will result<br />
in all those disks being infected. If you install a disk while this<br />
virus is going, it will just copy itself back to the disk.<br />
When VirusX finds this virus on a disk, it will also display<br />
a Copy Count, which is the number of disks that have been infected<br />
by that Branch on the Tree that the virus is on. If you<br />
infect a disk with your copy, and your copy is number 300,<br />
that copy will be #301.<br />
"If that one infects somebody," writes Steve, "that will be<br />
#302, but on your copy, two infestations down the line, there<br />
will be another #302. Anyway, the copy count on my Byte Bandit<br />
virus is #879. Note that VirusX will check RAM for this virus<br />
as well as the disk. This was necessary as you can tell from<br />
the description above.<br />
"Special thanks must go here to Dave Hewett who, 2 days<br />
after I gave him a copy of the virus, gave me a printed, commented<br />
disassembly of the virus with meaningful labels and<br />
everything I needed to stomp it. Thanks Dave!<br />
"Thanks must also go to Bruce Dawson of CygnusSoft<br />
Software, who went to the trouble of being the first person to<br />
send me this Virus."<br />
The Revenge Virus<br />
"This virus is not yet common in North America (I think I'm<br />
the first person here to have a copy of it)," says Steve Tibbett,<br />
"but it is apparently making the rounds in Sweden and Germany,<br />
so that's who this version of VirusX is more or less directed<br />
to. (I'm sure we'll get that virus over here soon enough!)<br />
"What this virus does, is everything that the Byte Bandit<br />
virus does; plus, after infecting a disk, it will wait one minute<br />
after every reboot and change your mouse pointer into an image<br />
of a certain part of the male anatomy.<br />
"I think the reason this virus is called the Revenge virus is<br />
because it looks specifically for the Byte Bandit and for the<br />
SCA Virus. If it finds either of these, it rigs that virus so that it<br />
will crash the machine unless this virus is loaded first. Note<br />
that I might be wrong about this-that<strong>'s</strong> the way it looks from<br />
the disassembly, but I don't have an SCA virus here to test it<br />
with. I tried it with the Byte Bandit and it didn't seem to do<br />
anything like this-but be warned in case it pops up later or<br />
something.<br />
"The Revenge virus stays in RAM via changing the Cool<br />
Capture vector to point to his own code. He then intercepts the<br />
DoIO( ) call and watches for any attempts to rewrite or to read<br />
the boot block and acts accordingly. He also has an interrupt<br />
around counting VBlanks until it's time to bring up his sicko<br />
pointer.<br />
"To get this virus out of memory is simple. Hold down<br />
the Joystick button (plug a joystick into port 2, and hold down<br />
the button while you are rebooting) and the screen will briefly<br />
turn RED during the boot, and it's out of memory. (If you hold<br />
down Joystick button and mouse button, he will half-remove<br />
himself from RAM and turn the screen Blue.)<br />
"VirusX will alert you if the virus is present in RAM and<br />
will render it helpless in RAM before telling you about it. It<br />
will also report its presence on disk."<br />
Other Amiga Viruses<br />
The Byte Warrior virus, reports Steve Tibbett, is a lot like the<br />
Byte Bandit virus except it's not designed to hurt anything. It<br />
will start an Alarm sound if it sees another virus, but other<br />
than that, it will write itself to any disk inserted. There is also a<br />
hidden message in it, asking us to spread it around and not to<br />
erase it ... Right.<br />
The latest Amiga virus Steve has found is the Obelisk<br />
Softworks Crew virus (sent to him by Jason Allen Smith, who<br />
he wishes to thank). Again, Steve wants you to send him any<br />
Amiga viruses so he can include defenses against them in<br />
VirusX. Our congratulations to Steve Tibbett for the fine job<br />
he's doing.<br />
The Clock Virus<br />
Product Chronos<br />
Company Dave Thomas<br />
contact via PhilAMIGA BBS (215-533-3191)<br />
Type public domain<br />
The following information on the Clock virus is supplied<br />
to the public domain by Dave Thomas along with a program<br />
to fight the virus. The program is available from the board<br />
above, or on GEnie, among other places.<br />
As many of you are aware, writes Dave, there's a virus<br />
floating about that causes trouble by causing your battery-backed-up<br />
clock to accelerate at incredible speed. There were<br />
two solutions to this problem. One was to physically remove<br />
the battery from your clock and short the terminals. This was,<br />
shall we say, inconvenient. The second solution was a program<br />
called Clock_Doctor, which would correct this problem.<br />
Now, there's a new (dare we say, mutated) clock virus that<br />
causes the exact problem. It turns off your hardware clock.<br />
When you try to load or save the time using SetClock, you receive<br />
a message stating that the hardware clock is not functioning.<br />
Don't Panic!<br />
The first solution mentioned above will also solve this<br />
problem, but the same inconvenience exists. Clock_Doctor<br />
doesn't detect this condition. What is a time conscious Amigan<br />
to do?<br />
Interview with Steve Tibbett<br />
We called Steve Tibbett's computer bulletin board in Ottawa,<br />
the capital of Canada, to verify the information on his program,<br />
VirusX, and to make sure he had no objection to<br />
publishing it. While online, Steve switched his BBS into chat<br />
mode, and the following interview occurred (online interviewing<br />
is great for a writer, since the interviewee writes all your<br />
notes for you!).<br />
Tibbett: Just wanted to mention that Discovery Software<br />
has a program called VIP, a Virus protection program. Have<br />
you heard of or looked into it? Talk to Randy at Discovery<br />
Software, at 301-268-9877. The reason I mention it is that they<br />
just arranged with me to do some work on it, and I think it's<br />
going to be the best Amiga virus protection program.<br />
The thing about VIP is that it will let you classify a new<br />
(as in, a virus you don't already know the name of) into a database.<br />
Whenever you check a disk, it will compare it against all<br />
the ones it knows-if it doesn't recognize it, you can add it.<br />
Also, a m<strong>ai</strong>n function of VIP is to make BACKUPs of<br />
boot blocks. You take all your commercial games, back up the<br />
boot blocks, and then even if a new virus does wipe something<br />
out, you can restore the disk.<br />
Roberts: Sounds good, Steve. Hey, I might as well do a<br />
very quick mini-interview of you (if you don't mind) since<br />
you're on. Is that okay?<br />
Tibbett: Sure. Typing fast comes in handy at long distance<br />
(grin).<br />
Roberts: My phone bill must be getting really big talking to<br />
Canada. How serious do you see the virus problem in the<br />
Amiga community?<br />
Tibbett: Well, the way I see it right now, there are a bunch<br />
of hackers/pirates over in Germany /Sweden/Holland/wherever,<br />
who are trading software back and forth and including <strong>viruses</strong><br />
just for their own amusement. There aren't any <strong>viruses</strong> currently<br />
that go after anything but the boot block. That is, there<strong>'s</strong><br />
nothing malicious. It<strong>'s</strong> cert<strong>ai</strong>nly possible and I'm not looking<br />
forward to the day someone decides to start. There was the<br />
Byte Bandit virus which would crash your machine every five<br />
minutes or so on purpose, but at least it didn't cost you anything.<br />
159
Chapter 11<br />
Roberts: Say, you're a great typist! So, no <strong>viruses</strong> yet that<br />
attach to or infect application programs?<br />
Tibbett: Nope. I hear they are all the rage on the PC and<br />
on the Mac. It<strong>'s</strong> just too easy with all those system files to infect<br />
them. Ag<strong>ai</strong>n, it<strong>'s</strong> cert<strong>ai</strong>nly possible on the Amiga. I've<br />
thought of a few easy ways of doing it, but I'm not going to be<br />
the one to try it.<br />
Roberts: Right. Is there a lot of concern among users on<br />
this side of the Atlantic about <strong>viruses</strong>?<br />
Tibbett: Well, it seems to me that over here, people are a<br />
lot different than people over there (<strong>computer</strong> users that is).<br />
Over here, it seems that there is ummm ummm (thinking) ...<br />
There don't seem to be as many hard core "hackers" as there<br />
are over there. If you look at the arsenal of the typical pirate,<br />
it<strong>'s</strong> very rare to see programs broken in North America. I'm<br />
not really sure why this is, but it seems that <strong>viruses</strong> and piracy<br />
go hand in hand, and piracy is cert<strong>ai</strong>nly much more rampant<br />
over there.<br />
Roberts: Hmmmmm ... That<strong>'s</strong> interesting, and not true in<br />
other brands of <strong>computer</strong>s (grin), but from what I've read on<br />
Amiga, I cert<strong>ai</strong>nly agree. How serious do you think the problem<br />
will get? Worse? Better? More malicious <strong>viruses</strong>?<br />
Tibbett: Right now, there are six different <strong>viruses</strong> (and a<br />
couple of other ones which are just the same six with different<br />
text in them). I think that because all these <strong>viruses</strong> basically do<br />
the same thing (infect the boot block, spreading from machine<br />
to machine via the boot block) and because there are good PD<br />
programs out there to find boot block <strong>viruses</strong> (grin), and the<br />
amount of media attention given the issue seems to be helping.<br />
Sure, it<strong>'s</strong> spawning MORE <strong>viruses</strong>, but since they all basically<br />
do the same thing, we know what they are and we know how<br />
to handle them. I have not seen a Trojan on the Amiga yet, no<br />
logic bombs, none of the other malicious stuff. Hopefully this<br />
says something about Amiga users in general.<br />
Until somebody goes malicious, I don't see things getting<br />
any worse. Another 20 boot block <strong>viruses</strong> wouldn't surprise<br />
me, but wouldn't really hurt.<br />
Roberts: Well, sounds like it<strong>'s</strong> a lot better in Amiga-land<br />
than IBM. Most of the IBM-specific <strong>viruses</strong> are destructive. Do<br />
160
Amiga<br />
you see a commercial virus software market springing up for<br />
Amiga?<br />
Tibbett: I hope so (grin) with me working on VIP Seriously,<br />
though, I think that the PD software is great, but it<strong>'s</strong> not<br />
as good as what VIP is going to be, because VIP is the culmination<br />
of a lot of people<strong>'s</strong> work. It<strong>'s</strong> also got the advantage of<br />
advertising-meaning that ... [Launching into a story here].<br />
I work in a <strong>computer</strong> store. Quite often, people will drag<br />
in their hardware, and a bunch of their disks, and say "It<strong>'s</strong> broken.<br />
None of my games work anymore." Those type things. I<br />
grab one of their disks, pop it into our machine, and up comes<br />
"Disk in DFO: is infected with the WHATEVER virus." These<br />
people might even have known that they had the virus, but<br />
they have no way of protecting themselves. One thing about<br />
PD software (on the Amiga) is that it usually requires that you<br />
be able to understand ARC and the Amiga-CLI which the average<br />
"Oh, I just bought it to play games" type person doesn't<br />
care about. A commercial program with a good manual is<br />
<strong>ai</strong>med at these people.<br />
Roberts: Hey! Good stuff. What is the company developing<br />
VIp, and how much will it sell for, etc.?<br />
Tibbett: VIP is already av<strong>ai</strong>lable from Discovery Software<br />
International, makers of some of the best Amiga software<br />
(Arkanoid, Zoom, Marauder). These guys have a real interest in<br />
the matter. I don't think they're just out to make a quick buck.<br />
With the Amiga market being as small as it is (less than 1 million),<br />
it seems that for a lot of applications, one company can<br />
fill the whole market. Example: Marauder, is about the only<br />
Amiga disk copier that went anywhere. If this were the PC<br />
market or Mac market, there'd be many of them. (Right? Are<br />
there?)<br />
Roberts: Yes. I have almost 30 IBM packages here for review<br />
and more are coming to market. So VIP is sold through<br />
stores, m<strong>ai</strong>l order, etc.?<br />
Tibbett: All of the above. Yes. At a reasonable price. I hear<br />
some of the PC ones are big bucks. VIP is $49.95 Canadian,<br />
probably $37.95 or so U.S. That<strong>'s</strong> pretty reasonable.<br />
Roberts: "Yes, and you are working on it?"<br />
Tibbett: Right. The first release wasn't quite adequate for<br />
161
Chapter 11<br />
the job. The next release (probably 1.1) is going to have a really<br />
neat method of identifying new <strong>viruses</strong>, and will also keep a<br />
catalog database of all your commercial boot block blocks. So,<br />
with it, you can spot the brand new virus that just wiped out<br />
your Arkanoid, store the virus (so it can be spotted later on),<br />
and then fix your Arkanoid.<br />
Roberts: Sounds great. Let<strong>'s</strong> see, you're in Ottawa, right?<br />
The capital of Canada?<br />
Tibbett: Gloucester, actually-a few minutes from Ottawa.<br />
Roberts: How long have you been working with <strong>computer</strong>s?<br />
Tibbett: Oh, gee, when I was about 13 I was hanging out at<br />
a local CompuMart bugging them day and night about their<br />
Apple lIs and PETs.<br />
Computers have changed a lot. It seems that for any <strong>computer</strong><br />
to be taken seriously these days, it has to be IBM<br />
compatible, and I think that<strong>'s</strong> a waste. In Europe, they don't<br />
depend on IBM compatibility. They buy the best <strong>computer</strong> for<br />
the job (or so I hear). That<strong>'s</strong> why the ST and the Amiga are doing<br />
so much better over there than here. The Mac is a great<br />
machine and would have done a lot better if it wasn't for Big<br />
Blue stifling things. Same for the Amiga!<br />
BBS System: Less than 2 minutes rem<strong>ai</strong>ning.<br />
Roberts: Thanks, Steve. I'll spell check this and make us<br />
both sound erudite. Bye.<br />
Tibbett: Yes (grin), make me sound better! Okay, Ralph,<br />
been great talking to you. Looking forward to seeing the book!<br />
BBS System: Online for 31 mins, 51 sees. Logged out at<br />
27-Aug-88 20:24.<br />
Steve and his Amiga-oriented BBS may be reached at 613-<br />
731-3419. The BBS now supports 2400 baud.<br />
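As an added example (not the book's code and not VIP's or VirusX's), the following Python models the two VIP functions Tibbett describes above: a catalog of known boot blocks that a disk is compared against, and a backup of each commercial disk's boot block that can be written back after an infection. The boot block checksum is the standard Amiga one (the 256 big-endian longwords summed with end-around carry, then complemented); the boot code bytes, disk names and labels are constructed sample data.

```python
import hashlib
import struct
from typing import Dict, Optional, Tuple

BOOTBLOCK_SIZE = 1024     # cylinder 0, sectors 0 and 1 of an 880K floppy
CHECKSUM_OFFSET = 4       # longword 1 of the boot block holds the checksum
ROOTBLOCK = 880           # root block number on a standard DD disk


def bootblock_checksum(block: bytes) -> int:
    """Amiga boot block checksum: add the 256 big-endian longwords, skipping
    the checksum field, folding each carry back into bit 0, then complement."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if offset == CHECKSUM_OFFSET:
            continue
        previous = total
        total = (total + struct.unpack_from(">I", block, offset)[0]) & 0xFFFFFFFF
        if total < previous:                    # carry out of bit 31
            total = (total + 1) & 0xFFFFFFFF    # end-around add
    return (~total) & 0xFFFFFFFF


def is_valid_dos_bootblock(block: bytes) -> bool:
    """A bootable block starts with 'DOS' and carries a matching checksum.
    Anything else is reported as damaged/unbootable, not as a virus verdict."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


def make_bootblock(boot_code: bytes) -> bytes:
    """Assemble a valid OFS boot block around constructed boot code
    (placeholder bytes, not real 68000 code) so the tool can be exercised."""
    header = b"DOS\x00" + b"\x00\x00\x00\x00" + struct.pack(">I", ROOTBLOCK)
    block = (header + boot_code).ljust(BOOTBLOCK_SIZE, b"\x00")
    checksum = struct.pack(">I", bootblock_checksum(block))
    return block[:CHECKSUM_OFFSET] + checksum + block[CHECKSUM_OFFSET + 4:]


def fingerprint(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


class BootBlockVault:
    """Catalog of known boot blocks (clean or virus) plus per-disk backups."""

    def __init__(self) -> None:
        self.catalog: Dict[str, str] = {}    # fingerprint -> label
        self.backups: Dict[str, bytes] = {}  # disk name -> pristine boot block

    def add_known(self, block: bytes, label: str) -> None:
        self.catalog[fingerprint(block)] = label

    def backup(self, disk: str, block: bytes) -> None:
        self.backups[disk] = bytes(block)

    def classify(self, block: bytes) -> str:
        if not is_valid_dos_bootblock(block):
            return "unbootable"
        return self.catalog.get(fingerprint(block), "unknown")

    def check_disk(self, disk: str, block: bytes) -> Tuple[str, Optional[bytes]]:
        """Verdict for the disk, plus the backed-up block to write back when the
        boot block no longer matches the copy taken while the disk was clean."""
        verdict = self.classify(block)
        pristine = self.backups.get(disk)
        if pristine is not None and bytes(block) != pristine:
            return f"changed since backup ({verdict})", pristine
        return verdict, None


if __name__ == "__main__":
    vault = BootBlockVault()
    arkanoid = make_bootblock(b"ARKANOID-BOOT-CODE-PLACEHOLDER")   # constructed
    vault.add_known(arkanoid, "clean: Arkanoid")
    vault.backup("Arkanoid", arkanoid)
    # Constructed stand-in for a disk whose boot block has been overwritten.
    overwritten = make_bootblock(b"UNKNOWN-BOOT-CODE-PLACEHOLDER")
    verdict, restore = vault.check_disk("Arkanoid", overwritten)
    print(verdict)                  # changed since backup (unknown)
    print(restore == arkanoid)      # True: the backup is what gets written back
```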
Chapter 12

The Only Good Virus Is a Dead Virus

Will toys amuse when medicines cannot cure?
Reverend Edward Young (1683-1765)

"The basic rule is, where information can go, a virus can go with it," said Dr. Fred Cohen, a University of Cincinnati professor who has been doing research on the threat of computer viruses since 1983. He was quoted in an article in The New York Times that appeared on Sunday, January 31, 1988.

Dr. Cohen continues to point out that research performed by him in 1983 and 1984 has shown that most mainframe computers can be successfully subverted within an hour. Computer networks, even huge international ones with thousands of computers spread over continents, can be opened up to an illicit intruder within days.

The possibility of computer networks becoming a primary medium for subversion and warfare, the "softwar" depicted in a dozen classic science-fiction thrillers, "has become much more real," Dr. Cohen said.

It all becomes a matter of scale. Your neighbor is going to lose little sleep if a virus wipes out the files on the personal computer in your den. However, if his or her bank's data files are destroyed, not only your neighbor, but a lot of people are going to be demanding some answers about viruses.
Potential for Major Disasters

The practice of germ warfare, the deliberate release of deadly biological bacteria or viruses, is so abhorrent that it's firmly outlawed by international treaty. However, computer scientists, security experts, and computer users at all levels must now consider the possibility that something similar could be used to disable their systems.

Personal computers are the least of our worries.

Imagine the sudden shutdown of air traffic control, medical computers monitoring and running life support systems malfunctioning, financial networks penniless in the blink of an eye, widespread destruction of government and business records. We are now a computerized society at all levels and thus particularly vulnerable to viruses.

"Suppose your virus attacked by deleting files in the system," Cohen said (this time in a report available in the public area of the Naval Weapons Support BBS and written by Lee Dembart). "If it started doing that right away, then as soon as your files got infected they would start to disappear and you'd say 'Hey, something's wrong here.' You'd probably be able to identify whoever did it."

To avoid early detection of the virus, a clever saboteur might add instructions to the virus program, causing it to check the date each time it ran. It would attack only if the date was identical to, or later than, some date months or years in the future.

"Then," says Cohen, "one day, everything would stop. Even if they tried to replace the infected programs with programs that had been stored on backup tapes, the backup copies wouldn't work either, provided the copies were made after the system was infected."

The idea of virus-like programs has been around since at least 1975, when the science fiction writer John Brunner included one in his novel The Shockwave Rider. Brunner's "tapeworm" program ran loose through the computer network, gobbling up computer memory in order to duplicate itself. "It can't be killed," one character in the book exclaims in desperation. "It's indefinitely self-perpetuating as long as the network exists."
Two other experts were quoted in a report in The New York Times.

"A virus is deadly because it can jump, actually slide right through, the barriers everyone uses to control access to valuable information," said Kenneth Weiss, technical director at Security Dynamics Technologies Inc., a computer security division of the American Defense Preparedness Association. "The solution is to put a wall with a good solid gate around the jungle; most computers still have the equivalent of a sleepy guard at the door. But the larger problem is how to secure the system against people who have legitimate work inside."

"It's apparently going to be the game this year, to see who can come up with the best virus," said Dennis Steinauer, a senior security specialist at the National Bureau of Standards, which promotes computer security in nonmilitary Federal agencies and the private sector. "We're all very vulnerable."

Yet he said the bureau planned no immediate recommendations on the virus threat. "With limited resources," he said, "we like to put our priorities in areas where we can see a solution."

Let's go back to the public report by Lee Dembart from the Naval Weapons Support BBS.

Dembart writes that Marvin Schaefer, chief scientist at the Pentagon's computer security center, says the military has been concerned about penetration by virus-like programs for years. Defense planners have protected some top-secret computers by isolating them.

The secret computers of the military and such intelligence agencies as NSA and the National Reconnaissance Office are highly shielded electronically and connected to each other only when necessary by wires that run through pipes containing gas under pressure. Should anyone try to penetrate the pipes in order to tap into the wires, the drop in gas pressure would immediately cause an alarm. But, Schaefer admits, "in systems that don't have good access controls, there really is no way to contain a virus. It's quite possible for an attack to take over a machine."

Many in government and the computer industry very strongly believe that neither Cohen nor any other responsible expert should even open a public discussion of computer viruses.

"It only takes a halfway decent programmer about half a day of thinking to figure out how to do it," Jerry Lobel of Honeywell says, as quoted in Dembart's article. "If you tell enough people about it, there's going to be one crazy enough out there who's going to try."

Cohen disagrees, insisting that it's more dangerous not to discuss and study computer viruses. "The point of these experiments," he says, "is that if I can figure out how to do it, somebody else can too. It's better to have somebody friendly do the experiment, tell you how bad it is, show you how it works and help you counteract it, than to have somebody vicious come along and do it." If you wait for the bad guys to create a virus first, Cohen says, then by the time you find out about it, it will be too late.
The Future of Viruses

In this book, we have been primarily concerned with viruses that attack personal computers. As stated earlier, one thing in our favor is that viruses are machine-specific. In other words, a Macintosh virus won't work on an IBM or compatible computer, and an Atari virus cannot inhabit a mainframe machine.

But what if the personal computer program is merely a carrier for a virus that would infect another type of computer, such as a DEC VAX or an IBM System 370? Don't think this hasn't already occurred in the devious and twisted minds of virus-makers.

How does the virus get from the personal computer into the larger machine? Simplicity itself. We are now a world of networks. Millions of computers communicate with other computers. A mainframe virus concealed in a personal computer file could be easily transmitted to a mainframe.

Tomorrow you have no bank account. The morning after that, all the traffic lights in New York lock on red. That afternoon, an atomic power plant melts down.

Viruses are serious stuff.

There are no firm answers yet, no cut-and-dried guaranteed solutions. We are faced with electronic terrorism that could become horribly damaging to all of us, that could disrupt and endanger all of our lives. Everyone. Worldwide.

This book has been a start. Using the techniques and software described in these pages gives you a good measure of protection against viruses.

There are far more personal computers than mainframes, and all the media attention has been on the smaller computers. If we, as computer users, can all act responsibly to employ safe computing practices, we can halt the spread of computer viruses on IBM and compatibles, on Macs and Ataris, on Amigas and all the rest.

If those who concoct viruses are no longer getting publicity, maybe they'll quit. And maybe they won't make the effort to come up with viruses that can exist in a mainframe environment. Then all we have to worry about are disgruntled employees, and political terrorists, and foreign enemies.

Viruses are serious stuff.

We should be scared, and we should do something about it.

Good luck, and stomp a virus whenever you see it.
INDEX

activation 6
activation period 6
Aldus Corporation 35-38
Amiga 151-62
  virus information 158
ANTlVI.BQY 144
antivirus hardware 45-46
antivirus software 41, 44-45, 86-88
  choosing 69-72
Apple II 144
Apple III 144
Apple.Rx 1.7 144
applications 137
  contaminated 141
  infected 138, 142-43
  uncontaminated 139
Atari 8-bit machines 147-49
  protection 148-49
Atari ST 145-49
  protection 148-49
attributes 85
AUTOEXEC.BAT 51, 84
backup 47, 51, 53
Banks, Michael A. 76
BBSoft Support BBS 102
Bennett, David 117
BIO/IO 87
BIOS 63
BIX 60
blue disk technology 78
bombs 6, 10, 48-52, 126
  logic 10
Bombsqad 98
boot blocks 159
boot infectors 6, 21-23
booting 19, 42-43
  from floppy 27, 132
boot sector 52-53, 62, 87
Brandow, Richard 3
Buerger, David J. 34-35
bugs 49, 67, 126
C-4 99
Canter, Marc 36
Caware 100
charityware 115
Checkup 101-2
CHKDSK 84, 94
CHK4BOMB 76, 98
Chronos 157-58
clean boot disk 85
clean model disk 84
clean room procedures 88
cluster 20
CMOS RAM 63
CODE 138
code names 93
codes
  elegant 23
  executable 43-44
Cohen, Fred 2, 163-64
COMMAND.COM 87
CompuServe 60, 97
computer crime 10-11
computer networks 163
Computer Virology 107
computer virus 1-7, 57
  and legislation 39-40
  danger of 163-66
  definition of 6
  fighting 31-54
  future of 166-67
  history of 9-12
  publicity 61, 67
  seeding 86
  types of 21-29
  working of 17-29
Computer Virus Industry Association 2, 4, 6, 21, 41-42, 47
Condom 102-4
control panel device 139
Cop 104-5
COPY 84
CRC (Cyclic Redundancy Check) 111, 117
Cyclic Redundancy Check. See CRC
cylinders 18
data 137
Data Physician 105-6
data scrambling 22
Defense Authorization Bill 40
Delphi 72-73, 75, 97
Department of Defense 38-40
destructive codes 82, 87-88
device drivers 62
Dewdney, A.K. 25
DiMartin, Larry 1
Director, Dennis 106-7
directories 85
Dirty Dozen, The 49-50, 62
Disk Defender 106-7
Disk Express 142
disks 18-20
disk trading 146
Disk Watcher 66, 68-69, 108-9
documents 137
DOS 62, 82, 87
DOS ATTRIB 85
DOS COMP 84
DOS DEBUG 89
Dr. Panda 81, 109-10
electronic bulletin boards 27, 33
electronic terrorists 2-3
emulator (3270) 44
encoding 104
extension 86
FAT (File Allocation Table) 19-20, 49-52, 77, 87, 145
FDISK 89
Ficheck 97, 111-13
File Allocation Table. See FAT
file checksums 101, 121
filenames 86
files 137
  AUTOEXEC.BAT 51, 84
  batch 84, 117
  command 14-15, 24, 116
  .EXE 14-15, 24
  hidden 85, 87
  system 23, 119, 134
  undeleting 52-54
file size, checking 85
file size, monitoring 120
Flu-Shot+ 56-63, 97, 114-15
fonts 138
FORMAT 82, 84
formatting 85
  high-level 21, 50-51, 53
  low-level 21-22, 50-51, 53
FoundationWare 77
FreeHand 35-36
freeware. See programs, public domain
general executable infectors 21, 24-25
generic infector 6
GEnie 60-61, 158
Gibson, Steve 21, 29
Gilmore, Chuck 97, 100, 111-13, 132
Glath, Raymond M. 66-72, 91, 108-9
Goodman, Marty 75-76
Graham, Keith P. 116-17
Greenberg, Ross 56-66, 97, 114-15
Guard Card 116
Hill, Matt 119-21
Hopkins, Andy 98
HyperCard stacks 133
IBMBIO 63
IBM PC 95-97
Ice 116-17
icon 137-38
IFCRC 117
infection detection product 7
infection identification product 7
infection prevention product 7
INIT 134, 138-39
inoculation process 68
Interferon 74
InterPath Corporation 22, 42, 47
IOSYS 63
isolation 7
Kane, Pamela 81, 109
LAN (Local Area Network) 27, 34
Levin, Richard B. 101
liability 96
logical format 87, 89
Mace, Paul 118
Mace Vaccine 118-19
Macintosh 73-74, 133-44
  detecting the Scores virus 137
  removal of virus in 140
MacMag 3, 37
MARS interpreter 26
McAfee, John 42
memory addresses 25
memory, simulated errors in 145
Millis, Dave 129-31
MS-DOS 75-76, 106
Murphy, Jim 102-4
Nash, Carey 124
National BBS Association 4
National BBS Society 21
Newhouse, Eric 49-50
NWirus 119-21
OS-9 75
PC operating system 82
PC Tracker 66
piracy 160
pranksters 3
prevention, techniques 42-44
products
  antiviral 41-42
  write-protect 44
programs
  application 147
  batch 68
  battle 26
  C-4 antiviral 27
  checker 39
  CHKDSK 17
  Core War 25
  hacked 6
  host 1, 6
  infection detection 41, 46
  infection identification 41, 46
  infection prevention 41, 45-46
  memory resident 23
  public domain 32, 34, 43, 85, 88, 97
  Trojan horse 1, 5, 7, 27-28, 48-52, 57, 86, 124
  TSR 23, 45, 68-69, 94-114, 127
  Turbo C 100
quarantine 89
Radio Shack color computer 75
RamNet 60
recovery 46-54
  from bomb 48-52
  from boot sector infector 48
  from bugs 48-49
  from Trojan Horses 48-52
Riemer, Mike 77-78
replication 7, 27-28, 125
ResEd 140-42
ResEdit 134-35
resources 137-38
reward fund 64-66
RG Software Systems 66, 91
risky practices 33-35
RS DOS 75
sector editors 52, 149
sectors 19
security 61, 121-22
  corporate 81-89
shareware. See programs, public domain
Shulman, Jeff 73-74
signature process 68
SoftSafe 121-22
static free environment 93
subdirectories 43
sorting 85
surge protection 82-83
SYSCHK1 121
SYS command 48
system infector 7, 21, 23-24
system operation 22
Terminate and Stay Resident program. See TSR
Tibbett, Steve 153-55, 159-62
Tracer 123
tracking 127
tracks 18-19
  boot 19
Trojan Stop 124
TSR (Terminate and Stay Resident) 23, 45, 68-69, 94, 114, 127
Turbo Pascal source code 103
undeleting files 52-54
Universal Viral Simulator 125
Upchurch, Howard 136, 143-44
user control 77
utilities
  File Compare 103
  wipe 86
Vaccinate 1
Vaccination 135
Vaccine 139-42
Vaccine from FoundationWare 126-27
Vaccine from World Wide Data 127-28
Vaccine INIT 74
VACCINE II 144
Vacine 128-29
V_Check 129-31
VIP 159, 161
virtual format 87, 89
VirusDetective 73-74
viruses
  Boot Sector 145
  boot sector infector 42, 46, 48
  Brain 13, 23, 47, 62
  Byte Bandit 155-56, 159
  Byte Warrior 157
  Clock 157-58
  common to the Amiga 151-62
  Friday the 13th 14-16, 24
  GERBIL 91-93
  killer 25-27
  Lehigh 14
  Macintosh Peace 3, 35, 37, 133
  nVIR 134-35
  Obelisk Softworks Crew 157
  retro 29
  Revenge 156
  SCA 152-54
  Scores 12-13, 59, 133-34, 136-37
  ST 146-47
  Sunnyvale Slug 16
Virus Info Palladium BBS 101, 112
Virus RX 59, 135-36
VirusWarningINIT 135
Virus X 153-56, 159
volume labels, changing 43
worms 7, 86
WPHD.COM 77, 131
write protection 44, 68
  and the Atari 148-49
  hard disk 131
write-protect notch 44
write-protect tabs 44
XFICHECK 113, 132