A computer virus is a program that purposely does mischief and manages to copy itself to other computers, so the mischief spreads. Since computer viruses are malicious software, they’re called malware.
People create viruses for several reasons.
Some people think it’s funny to create mischief by creating viruses. They’re the same kind of people who like to play “practical jokes” and, as kids, pulled fire alarms.
Some people are angry (at dictatorships, at the military, at big impersonal corporations, at clients who don’t pay bills, at lovers who rejected them, and at homosexuals). To get revenge, they create viruses to destroy their enemies’ computers.
Some people are intellectuals who want the challenge of trying to create a program that replicates itself. Too often, the program replicates itself too well and too fast and accidentally does more harm than the programmer intended.
Some people want to become famous (or infamous or influential) by inventing viruses. They’re the same kinds of people who, as kids, wrote graffiti on school walls and in bathrooms.
People who create viruses tend to be immature. Many are teenagers or disgruntled college students.
Different viruses perform different kinds of mischief.
Some viruses print nasty messages, containing four-letter words or threats or warnings, to make you worry and waste lots of your time and prevent you from getting work done.
Some viruses erase some files, or even your entire hard disk.
Some viruses screw up your computer so it prints wrong answers or stops functioning.
Some viruses clog your computer, by giving the computer more commands than the computer can handle, so the computer has no time left to handle other tasks, and all useful computer tasks remain undone.
The damage done by a virus is called the virus’s payload. Some viruses are “benign”: they do very little damage; their payload is small. Other viruses do big damage; they have a big payload. If a virus destroys your files, it’s said to have a destructive payload.
Propagation tricks
To propagate, viruses use two main tricks.
Trojan horse
Homer’s epic poem, The Iliad,
describes how the Greeks destroyed Troy by a trick: they persuaded the Trojans
to accept a “gift” — a gigantic wooden horse that secretly contained Greek
warriors, who then destroyed Troy.
Some computer viruses use that trick: they look like a
pleasant gift program, but the program secretly contains destructive warriors
that destroy your computer. A pleasant-seeming program that secretly contains a
virus is called a Trojan horse.
Time bomb
If a virus damages your computer immediately (as soon as you receive it),
you’ll easily figure out who sent the virus, and you can stop the perpetrator.
To prevent such detection, clever viruses are time
bombs: they purposely delay damaging your computer until you’ve
accidentally transmitted the virus to other computers; then, several weeks or
months after you’ve been secretly infected and have secretly infected others,
they suddenly destroy your computer system, and you don’t know why. You don’t
know whom to blame.
How viruses arose
The first computer virus was invented in 1983 by Fred Cohen
as an innocent experiment in computer security. He didn’t harm anybody: his
virus stayed in his lab.
In 1986, a different person invented the first virus that
ran on a PC. That virus was called Brain.
Unfortunately, it accidentally escaped from its lab; it was found next year at
the University of Delaware. (A virus that escapes from its lab is said to be
found in the wild.)
Most early viruses harmed nobody, but eventually bad kids
started inventing destructive viruses. The first destructive virus that spread
fast was called the Jerusalem virus
because it was first noticed at the Hebrew University of Israel in 1987. It’s
believed to have been invented by a programmer in Tel Aviv or Italy.
Most people still thought “computer viruses” were just
myths; but in 1988, magazines began running articles saying computer viruses
really exist. Then researchers began to invent anti-virus
programs to protect against viruses and destroy them. In 1989,
anti-virus programs started being distributed to the general public, to protect
against the 30 viruses that had been invented so far.
Unfortunately, the nasty programmers writing viruses began
protecting their viruses against the anti-virus programs. Now there are over
50,000 viruses, though many are just copycat
viruses that are slight variants of others.
Companies writing anti-virus software are working as hard
as the villains writing the viruses. Most anti-virus companies release updates
(quarterly, or monthly, or immediately by downloading from the Internet),
sometimes for free.
Popular anti-virus programs
MS-DOS 6 & 6.2 come with an anti-virus program called msav (which stands for MicroSoft Anti-Virus). But msav is
rather useless, since most viruses were invented after it and outsmart it.
The best anti-virus program is Norton
AntiVirus, which is published by Symantec
and costs just $40.
You can also get Norton
AntiVirus 2002 as part of Norton SystemWorks,
which costs $60 and includes other utilities. Buy AntiVirus or SystemWorks from
any computer store or mail-order dealer. The most convenient mail-order dealer
is PC Connection (at 800-800-0003), which charges just $5 for overnight shipping. (You can order late at night
and still receive it in the morning!)
The second-best anti-virus program is McAfee VirusScan, which is published
by Network Associates and costs
just $20 for the plain version, $30 for the Deluxe version.
You can also get it as
part of McAfee Office, which costs $45
for the plain version, $60 for the Pro version. A stripped-down version of
McAfee VirusScan is often included free when you buy a computer.
You can get a free anti-virus checkup, called HouseCall, from an Internet Web site called “housecall.antivirus.com”. That Web site is run by Trend Micro, which also sells an
anti-virus program called PC-cillin.
You can get another free anti-virus checkup by going to the Symantec Antivirus Research Center’s
Web site (www.sarc.com) then clicking
“Free Online Virus and Security Check”.
If you have Windows, make sure you get anti-virus software
that’s designed for your version of
Windows. Older anti-virus software thinks new versions of Windows are viruses
and tries to erase all of Windows.
Alas, using virus-scanning software can make your computer
run slower, since virus-scanning can take a long time and consume RAM.
Who gets viruses
The most common place to
find traditional viruses is at schools.
That’s partly because most
viruses were invented at schools (by bright, mischievous students) but mainly because many students share the school’s computers.
If one student has an infected floppy disk (purposely or accidentally) and puts
it into one of the school’s computers, that computer’s hard disk will probably
get infected. Then it will infect all the other students who use that computer.
As disks are passed from that computer to the school’s other computers, the
rest of the school’s computers become infected.
Then the school’s students, unaware of the infection, take the disks
home with them and infect their families’ home computers. Then
the parents bring infected disks to their offices
(so they can transfer work between home and office) and infect their companies.
Then company employees take infected disks home and infect their home
computers, which infect any disks used by the kids,
who, unaware of the infection, then take infected disks to school and
start the cycle all over again.
Anybody who shares programs with other people can get a
virus. Most programs are copyrighted and illegal to share. People who share
programs illegally are called pirates.
Pirates spread viruses. For example, many kids spread viruses when they try to
share their games with their friends.
Another source of viruses
is computer stores, in their computer-repair departments.
While trying to analyze
and fix broken computers, the repair staff often shoves diagnostic disks into
the computers, to find out what’s wrong. If one of the broken computers has a
virus, the diagnostic disks accidentally get viruses from the broken computers
and then pass the viruses on to other computers. So if you bring your computer
to a store for repairs, don’t be surprised if your computer gets fixed but also
gets a virus.
7 kinds of viruses
Viruses fall into 7 categories: you can get infected by a file virus, a boot-sector virus, a multipartite virus, a macro virus, an e-mail worm, a denial-of-service attack, or a hoax.
Here are the details.…
File viruses
A file virus
(also called a parasitic virus)
secretly attaches itself to an innocent program, so the innocent program
becomes infected. Whenever you run the infected innocent program, you’re
running the virus too!
Here are the file viruses that are most common. For each
virus, I begin by showing its name, the country it came from, and the month it
was first discovered in the wild. Let’s start with the oldest.…
Yankee Doodle
(From
Bulgaria in September 1989) Every day at 5 PM, this virus plays part of the song Yankee Doodle
on the computer’s built-in speaker.
This virus is also called Old
Yankee and TP44VIR. It
infects .COM & .EXE files, so they become 2899 bytes longer.
Die Hard 2
(From
South Africa in July 1994) This virus infects .COM & .EXE files and
makes them become exactly 4000 bytes bigger.
The virus also overwrites .ASM files (programs written in
assembler) with a short program. When you try to compile the .ASM program, the
computer hangs.
It’s also called DH2.
Chernobyl
(From
Taiwan in June 1998) Back on April 26, 1986, radioactive gas escaped
from a nuclear reactor in Chernobyl in the Soviet Union. The Chernobyl virus
commemorates that event by erasing your hard
disk on April 26th every year. (A variant, called version 1.4, erases your hard disk on the 26th of every month.)
If you get infected by this virus, you won’t notice it
until the 26th; then suddenly your hard disk gets erased — and so do
the hard disks of all your friends to whom you’d accidentally sent the virus!
The virus was written in Taiwan by a 24-year-old guy named
Chen Ing-Hau. Since his initials are CIH, the virus is also called the CIH virus.
The virus was first noticed in June 1998. It did its first
damage on April 26, 1999. Computers all over the world lost their data on that
day. Most American corporations were forewarned and forearmed with anti-virus
programs; but in Korea a million computers lost their data,
at a cost of 250 million dollars, because Koreans don’t use
anti-virus programs but do use a lot of pirated software.
Here’s how the virus erases your hard disk:
It starts at the disk’s
beginning and writes random info onto every sector (beginning at sector 0),
until your computer stops working. The data that was previously on those
overwritten sectors is gone forever and cannot be recovered.
The virus also tries to
attack your computer’s Flash BIOS chips, by writing wrong info into them.
If the virus succeeds, your computer will be permanently unable to display
anything on the screen and also have trouble communicating with the keyboard,
ports, and other devices, unless you bring your computer into a repair shop.
The virus destroys data just if you’re using Windows 95 or
98 (not Windows 3.1, not Windows NT).
Here’s how the virus spreads:
Whenever you run an
infected program, the virus in the program copies itself into the RAM memory
chips, stays there (until you turn the computer off), and infects every other
program you try to run or copy. To infect a program, the virus looks for unused
spaces in the program’s file, then breaks itself up and puts pieces of itself
into unused spaces, so the file’s total length is the same as before and the
virus is undetected.
Before you attack the
virus by using an anti-virus program, boot by using an uninfected floppy.
If instead you just boot normally from your hard disk, your hard disk’s
infected files copy the virus into RAM; then when you tell the anti-virus
program to “scan all programs to remove the virus”, the anti-virus program
accidentally copies the virus onto
all those programs and infects them all. Yes, the virus tricks your anti-virus
program into becoming a pro-virus
program!
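Here’s an added example (not from this book) of how a file-integrity check catches the file viruses above without knowing anything about their code. The text says Yankee Doodle makes .COM and .EXE files exactly 2899 bytes longer and Die Hard 2 makes them exactly 4000 bytes longer, while Chernobyl hides in a file’s unused space so the length doesn’t change at all. So the check records each program’s size and SHA-256 hash as a baseline, then reports any program whose size grew by a known infection length and, separately, any program whose hash changed even though its length didn’t. The directory and the dummy programs are constructed for the demo; the infection lengths are taken from the text and assumed exact for the strains it describes.

```python
"""File-integrity baseline for DOS/Windows executables (added example)."""
import hashlib
import os
import tempfile

# Infection lengths quoted in the text (assumed exact for those strains).
KNOWN_DELTAS = {2899: "Yankee Doodle", 4000: "Die Hard 2"}
EXECUTABLE_SUFFIXES = (".com", ".exe")


def sha256_of(path):
    """Hash a file in chunks so large programs don't have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each executable under root (relative path) to its (size, sha256)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                baseline[rel] = (os.path.getsize(path), sha256_of(path))
    return baseline


def compare(baseline, current):
    """Return {relpath: reason} for every executable that changed, appeared or vanished."""
    findings = {}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            findings[rel] = "new executable not in baseline"
            continue
        old_size, old_digest = baseline[rel]
        if digest == old_digest:
            continue  # unchanged, nothing to report
        delta = size - old_size
        if delta in KNOWN_DELTAS:
            findings[rel] = f"grew by {delta} bytes (matches {KNOWN_DELTAS[delta]})"
        elif delta == 0:
            # Same length but different bytes: what a cavity infector like CIH leaves behind.
            findings[rel] = "same length but contents changed (cavity-style infection?)"
        else:
            findings[rel] = f"contents changed, size delta {delta:+d} bytes"
    for rel in baseline:
        if rel not in current:
            findings[rel] = "executable missing"
    return findings


def demo():
    """Constructed scenario: three dummy programs; two are modified after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("EDIT.COM", "GAME.EXE", "TOOL.EXE"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"MZ" + bytes(4096))  # dummy program body, mostly zero padding
        baseline = build_baseline(root)
        # Simulate an appending infector: GAME.EXE grows by exactly 2899 bytes.
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:
            f.write(b"\x90" * 2899)
        # Simulate a cavity infector: overwrite padding inside TOOL.EXE, length unchanged.
        with open(os.path.join(root, "TOOL.EXE"), "r+b") as f:
            f.seek(1000)
            f.write(b"\xcc" * 200)
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```

The lesson is in the TOOL.EXE line: a check that only compares file sizes would have passed it, which is exactly why the Chernobyl virus went unnoticed; comparing hashes catches it. As the text says, run such a check (and your anti-virus program) after booting from a clean floppy, or the virus sitting in RAM sees every file you touch.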
Boot-sector viruses
On a floppy disk or hard disk, the first sector is called
the disk’s boot sector or, more
longwindedly, the disk’s master boot record (MBR).
A virus that hides in the boot sector is called a boot-sector
virus. Whenever the computer tries to boot from a drive
containing an infected disk, the virus copies itself into RAM memory chips
(even if the booting is unfinished because the disk is considered
“unbootable”).
Before hiding in the boot sector, the typical boot-sector
virus makes room for itself by moving data from the boot sector to a “second place” on the disk. Unfortunately,
whatever data had been in the “second place” gets overwritten and cannot
be recovered.
The typical boot-sector virus makes the computer eventually
hang (stop reacting to your keystrokes
and mouse strokes).
Here are the boot-sector viruses that are most common.…
Stoned
(From
New Zealand in December 1987) Of all the viruses common today, this is
the oldest. It was invented in 1987 by a student at the University of
Wellington, New Zealand.
If you boot from a disk (floppy or hard) infected with this
virus, there’s a 1-in-8 chance your computer will beep and display this
message: “Your PC is now Stoned”.
It was intended to be harmless, but it assumes your floppy
disk is 360K and accidentally erases
important parts of the directory on higher-capacity floppy disks
(such as 1.44M disks). It also makes your computer
run slower — as if your computer were stoned.
It doesn’t infect files
and can’t infect other computers over a network. In its most common form, it
reduces your total conventional RAM memory by 4K, so you have 636K instead of
640K. It also contains this message, which doesn’t get displayed: “Legalise Marijuana”. This virus is also
called Marijuana, Hemp, and New Zealand. Many other virus writers
have created imitations & variants, called strains.
Some strains reduce your total conventional RAM memory by 1K or 2K instead of
4K.
Form
(From
Switzerland in June 1990) This virus is supposed to just play a harmless
prank: on the 18th day of each month, the
computer beeps whenever a key is pressed. But this virus is badly
written and accidentally causes problems. For example, if your hard disk ever becomes full, the virus makes
the hard disk become unbootable. And if the computer ever fails
to read from a disk, the virus can make the system hang.
It reduces your total
conventional RAM memory by 2K, so you have 638K instead of 640K. The virus’s
second sector contains this message, which never gets displayed: “The FORM-Virus send greetings to everyone who's
reading this text. FORM
doesn't destroy data! Don't panic! Fuckings go to Corinne.”
Michelangelo
(From
Sweden in April 1991) Inspired by the Stoned virus (and sometimes called
Stoned Michelangelo), this virus sits
quietly on your hard disk until Michelangelo’s birthday, March 6th.
Each year, on March 6th, the virus tries to
destroy all data on your hard drive, by writing garbage (random meaningless bytes)
everywhere.
This virus was invented
before big hard drives became popular, so it assumes your hard drive is small:
it writes the garbage onto just the first 17 sectors of each of the first 256
tracks of each of the first 2 platters, both sides. The overwritten data cannot be recovered. The virus reduces your total
conventional RAM memory by 1K, so you have 639K instead of 640K. The
simplest way to avoid damage from the virus
is to adopt this trick: on March 5th, before you turn off the
computer, change the computer’s date to March 7th, skipping March 6th.
Monkey
(From
the USA in October 1992) Inspired by the Stoned virus (and sometimes
called Stoned Empire Monkey), this
virus encrypts the hard drive’s partition table,
so the hard drive is accessible just while the
virus is in memory. If you boot the system from a clean
(uninfected) floppy disk, the hard drive is unusable. This virus is tough to
remove successfully, since removing the virus
will also remove your ability to access the data.
It reduces your total conventional RAM by 1K, so you have
639K instead of 640K.
Parity Boot
(From
Germany in September 1993) Every hour, this virus checks whether it’s
infected a floppy disk. If it hasn’t infected a disk in the last hour, it says “PARITY CHECK” and hangs
the computer.
This virus consumes 1K of
your RAM, so your conventional RAM is 639K instead of 640K. The virus stays in RAM
even if you press Ctrl with Alt with Del: to unload the virus from RAM, you
must turn off the computer’s power or press the Reset button.
Ripper
(From Norway in November 1993) This virus randomly corrupts
data being written to disk.
The chance of a particular
write being corrupted is just 1 out of 1024, so the corruption occurs just
occasionally and to just a few bytes at a time. You typically don’t notice the
problem until several weeks have gone by and the infection has spread to many
files and your backups, too! Then it’s too late to recover your data! Yes,
Ripper has the characteristic of a successful virus: its effects are so subtle
that you don’t notice it until you’ve infected your hard disk, your backups,
and your friends! Then ya wanna die! It’s also called Jack Ripper, because it contains this
message which is never displayed: “(c)1992
Jack Ripper”. It contains another undisplayed message: “FUCK 'EM UP !”
Anti-EXE
(From Russia in December 1993) This virus monitors disk activity and
waits for you to run a certain important .EXE program. (Virus researchers
haven’t yet discovered which .EXE program is involved.) When you run that
important .EXE program (so that program’s in
your RAM), the virus corrupts the copy that’s in the RAM (but not the copy that’s on disk). While you
run that corrupted copy, errors
occur, and the computer usually hangs.
Anti-CMOS
(From
the USA in February 1994) This
virus changes your system’s CMOS settings, as follows:
Your hard drive becomes
“not installed”.
Your 1.44M floppy drive
becomes “1.2M”.
A 1.2M floppy drive
becomes “not installed”.
A 360K floppy drive becomes “720K”, and vice-versa.
To evade detection and give itself time to spread to other
computers, it waits awhile before doing that damage: it waits until you’ve
accessed the floppy drive many times; on the average, it waits for 256
accesses.
It’s spread just when
someone tries to boot the system from an infected floppy disk. It reduces your
total conventional RAM memory by 2K, so you have 638K instead of 640K. After
it’s damaged your CMOS settings, here’s how to recover: run your computer’s
CMOS setup program, which lets you reset the CMOS to the correct settings.
A variant virus, Anti-CMOS.B, generates sounds from the
computer’s built-in speaker instead of changing the CMOS.
New York Boot
(From the USA in July 1994) This virus’s only function is to spread itself. But it spreads
itself fast and often. It’s also called NYB.
Multipartite viruses
You’ve learned that some viruses (called boot-sector viruses) infect the disk’s
boot sector, while other viruses (called file
viruses) infect the disk’s file system. If a virus is smart
enough to infect the disk’s boot sector and file system simultaneously, it’s
called a multipartite virus.
Yes, a multipartite virus hides in two places: the boot sector and also the file system. If you remove
the virus from just the boot sector (or from just files), you still haven’t
completely removed the virus, which can regenerate itself from the place you
missed.
If a virus is very smart, it’s called a stealth polymorphic armored multipartite virus (SPAM
virus):
A stealth virus makes special efforts to
hide itself from anti-virus software. For example, it tricks anti-virus
software into inspecting a clean copy of a file instead of letting it read the
actual (infected) file.
A polymorphic virus changes its own
appearance each time it infects a file, so no two copies of the virus look alike to anti-virus programs.
An armored virus protects itself against
anti-virus disassembly.
A multipartite virus hides in two places: the boot sector and also the
file system.
One Half
(From
Austria in October 1994) The most common multipartite virus is One Half. It slowly encrypts the hard drive. Each time you
turn on the computer, the virus encrypts two more cylinders (starting with the
innermost 2 tracks and working toward the outer tracks). The encrypting is done
by using a random code. You can use the encrypted cylinders as long as the virus
remains in memory. When about half of the hard drive’s cylinders are encrypted,
the computer says: “Dis is one half Press any
key to continue......”
This virus is tough to remove successfully, since removing the virus will also remove your ability to
access the data.
It infects the hard disk’s MBR, each floppy disk’s
boot sector, and .EXE and .COM files. It scans filenames for text relating to
anti-virus programs (such as MSAV, NOD, SCAN, CLEAN, and FINDVIRU): it won’t
infect anti-virus programs! It’s hard to detect, since it’s polymorphic and
uses stealth. It reduces your total conventional RAM memory by 4K, so you have
636K instead of 640K. It’s also called Dis,
Slovak Bomber, Explosion 2, and Free
Love.
Macro viruses
A macro virus
hides in macros, which are little
programs embedded in Microsoft Word documents and Excel spreadsheets. The virus
spreads to another computer when you give somebody an infected document (on a
floppy disk or through a local-area network or as an e-mail attachment). During
the past few years, e-mail has become prevalent, and so have macro viruses: they’re
more prevalent than all other viruses combined.
Here are the most prevalent macro viruses.…
Concept
(From
the USA in July 1995) This virus infects Microsoft Word documents and
templates. When you load an infected document for the first time, you see a
dialog box that says “1”, with an OK button. Once you click OK, the virus takes
over. It forces all documents to be saved as templates, which in turn affect
new documents.
It consists of 5 macros: AutoOpen,
PayLoad, FileSaveAs,
AAAZAO, and AAAZFS.
You can see those macros in an infected Word document by choosing “Macro” from
the Tools menu.
Invented in 1995, it was historic:
It was the first macro
virus. It was the first virus that infects documents instead of programs or
boot sectors. It was the first virus that can infect both kinds of computers: IBM and Mac!
Old anti-virus programs
can’t detect it.
It was intended as just a harmless prank demonstration of
what a macro virus could do (and is therefore also called the Prank Macro virus), but it spread fast.
In 1995, it became more
prevalent than any other virus. Microsoft Word’s newest versions (Word 97 and
Word 2000) protect themselves against the virus, but their predecessor (Word 7)
is vulnerable unless you buy an anti-virus
program that includes anti-Concept.
Wazzu
(From
the USA in June 1996) Inspired by the Concept virus, this virus consists
of a macro called AutoOpen
that forces Microsoft Word documents to be saved as templates. Whenever you
open a document, the virus also rearranges
up to 3 words and inserts the word “Wazzu” at random.
Laroux
(From
the USA in July 1996) This virus was first discovered in July 1996 in
Africa and Alaska. It was the first macro virus that infected Excel
spreadsheets (instead of Word documents). It does no harm except copy itself.
It works just in Windows, not on Macs.
Tristate
(From
the USA in March 1998) This macro virus is called “Tristate” because
it’s smart enough to infect three
things: Microsoft Word documents, Excel spreadsheets, and PowerPoint slides.
Class
(From
the USA in October 1998) This macro virus infects Microsoft Word
documents. It just displays a stupid message on your screen occasionally.
The original version
(called Class.A) says “This is Class” on your screen, on the 31st
day of each month. The most prevalent version (called Class.D) displays this message on the
14th day of each month after May: “I
think”, then your name, then “is a
big stupid jerk!” The craziest version (called Class.E) says “Monica Blows Clinton! -=News@11=-”
occasionally (at random, 1% of the time); and on the 17th day of
each month after August, it says “Today
is Clinton & Monica Fuck-Fest Day!”
Ethan
(From
the USA in January 1999) When you use Microsoft Word, if you click
“File” then “Properties” then “Summary”, you see a window where you can type a
document’s title, author, keywords, and other items. When you close a document
infected by the Ethan virus, this virus has a 30% chance of changing the document’s
title to “Ethan Frome”, the author to “EW/LN/CB”, and the keywords to
“Ethan”.
That’s to honor Ethan
Frome, a novel written by Edith Wharton in 1911, about a frustrated man —
the kind of man who would now write viruses.
Melissa
(From
the USA in March 1999) This macro virus infects Microsoft Word
documents. When you look at (open) a document, if the document is infected, the
virus tries to e-mail copies of the infected
document to the first 50 people mentioned in Microsoft Outlook’s address
book (which is called the Contacts folder),
unless the virus e-mailed to those people previously. Yes, your document gets secretly e-mailed to 50 people,
without you knowing!
Each of those 50 people gets an e-mail from you. The
e-mail’s subject says “Important message from” and your name. The e-mail’s body says “Here is that document you asked for ... don't show anyone else ;-)”. Attached to that e-mail is your
document, infected by the virus.
This virus spreads fast
just if your computer has Microsoft Outlook.
The typical large
corporation does have Microsoft
Outlook on each computer (since Microsoft Outlook is part of Microsoft Office),
so the virus e-mails itself to 50 people automatically, and each of those
people e-mails to 50 other people, etc., so the virus spreads fast.
The FBI hunted for the perpetrator and concluded that the
Melissa virus was invented by David L. Smith in New Jersey.
He
called it “Melissa” to honor a Florida topless dancer. Her name is hidden in
the virus program. The virus spread all over the world suddenly, on March 26,
1999, when he put it in a message in the alt.sex newsgroup. His infected
document, called LIST.DOC, contained a list of porno Web sites. In just a few
days, 10% of all computers connected to the Internet contained the virus. It spread faster than any other virus ever invented.
Since it created so much e-mail (from infected documents and from
confused people denying they meant to send
the e-mail), many Internet computers handling e-mail had to be shut down.
On April 2, 1999, the FBI
had New Jersey police arrest David, who was 31. At first, he denied he distributed
the virus; but on December 13, 1999, he finally pleaded guilty, apologized, and
faced fines and jail.
A TV cartoon show called “The Simpsons” has an episode
called “The Genius”, where Bart Simpson abruptly ends a Scrabble game by
claiming he won with the word “Kwyjibo”. The virus can put into your document
this quote from him: “Twenty-two points, plus
triple-word-score, plus fifty points for
using all my letters. Game's over. I'm outta here.”
The virus inserts that
quotation just if you open or close the document at the precise minute when, on
the computer’s clock, the number of minutes equals the date. For example, on
May 27th it will insert that quotation if the time is 1:27, 2:27,
3:27, 4:27, 5:27, 6:27, 7:27, 8:27, 9:27, 10:27, 11:27, or 12:27.
The virus runs just if you have Microsoft Word 97 or 2000.
The virus is harmless if
you have Microsoft Word 7 or earlier. Microsoft Word 97 & 2000 are supposed
to protect you against macro viruses, but the Melissa virus is smart enough to
disable that protection. The virus spreads quickly just if you have Microsoft
Outlook; the virus uses just the address book in Microsoft Outlook, not the address book in Microsoft
Outlook Express.
Although the original virus’s e-mail subject line said
“Important message from”, a new variant of the virus has a blank subject line,
making the virus harder to notice.
Marker
(From
the USA in April 1999) This macro virus infects Microsoft Word
documents. On the first day of each month, it tries
to invade your privacy by copying your name (and your company’s name and your
address) to an Internet site run by codebreakers.org. (If it
successfully uploads your info, it doesn’t bother redoing it in future months.)
It uses whatever name and
address you gave when you installed Microsoft Word. To see what name and
address would be copied, go into Microsoft Word and then click “Tools” then
“Options” then “User Information”.
Thus
(From
the USA in August 1999) This macro virus infects Microsoft Word
documents. It lurks there until December 13th, when it erases drive C. It’s called “Thus”
because its macro program begins with the word “thus”.
Prilissa
(From
the USA in November 1999) Here’s how this variant of Melissa differs
from Melissa:
The e-mail’s subject says
“Message from” and your name. The
e-mail’s body says “This document is very
Important and you've GOT to read this !!!”. Instead of printing a
quotation from Bart Simpson, the virus waits until Christmas then does this:
1. It says “©1999 - CyberNET Vine...Vide...Vice...Moslem Power
Never End... You Dare Rise Against Me... The Human Era is Over, The CyberNET
Era Has Come!”
2. It draws several
colored shapes onto the currently opened document.
3. It changes your AUTOEXEC.BAT file so that the next time you boot, the entire C drive will be erased (by
reformatting) and you’ll see this message: “Vine...Vide...Vice...Moslem Power
Never End... Your Computer Have
Just Been Terminated By -= CyberNET =- Virus !!!”.
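Since Melissa and Prilissa announce themselves with the same subject line and body text every time, a mail server can spot them before anybody double-clicks. Here’s an added example (not from this book) of such a filter, written in Python with its standard e-mail library: it parses a message, and if the message carries a Word document (.doc or .dot) it looks for the subject and body phrases quoted in the text for Melissa and for Prilissa, plus the blank-subject Melissa variant. The five sample messages are constructed for the demo; the sender, recipient and attachment names are made up.

```python
"""Mail-gateway rule for the Melissa and Prilissa macro viruses (added example)."""
import email
from email import policy
from email.message import EmailMessage

WORD_SUFFIXES = (".doc", ".dot")

# Phrases quoted in the text, compared case-insensitively against the
# lower-cased subject and body.
RULES = [
    ("melissa-subject", lambda subject, body: subject.startswith("important message from")),
    ("melissa-body", lambda subject, body: "here is that document you asked for" in body),
    ("prilissa-subject", lambda subject, body: subject.startswith("message from")),
    ("prilissa-body", lambda subject, body: "you've got to read this" in body),
]


def word_attachments(msg):
    """Names of attached Word documents; empty if the message has none."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(WORD_SUFFIXES):
            names.append(name)
    return names


def classify(raw_message):
    """Return the list of rule names the message trips (empty means let it through)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if not word_attachments(msg):
        return []  # the worm always carries the infected document
    subject = str(msg.get("Subject", "") or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = (body_part.get_content() if body_part else "").lower()
    hits = [name for name, test in RULES if test(subject, body)]
    if not subject:
        # Weaker signal: the variant with the blank subject line; worth a second look.
        hits.append("blank-subject-with-document")
    return hits


def build_message(subject, body, attachment_name=None):
    """Construct a sample message (demo data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # A few bytes standing in for a Word file; the content is irrelevant to the rule.
        msg.add_attachment(b"\xd0\xcf\x11\xe0" + bytes(64), maintype="application",
                           subtype="msword", filename=attachment_name)
    return msg.as_bytes()


SAMPLES = {
    "melissa": build_message("Important message from Alice",
                             "Here is that document you asked for ... don't show anyone else ;-)",
                             "LIST.DOC"),
    "melissa-blank": build_message(None,
                                   "Here is that document you asked for ... don't show anyone else ;-)",
                                   "LIST.DOC"),
    "prilissa": build_message("Message from Alice",
                              "This document is very Important and you've GOT to read this !!!",
                              "report.doc"),
    "benign": build_message("Q3 budget", "Attached as promised, see you Monday.", "budget.doc"),
    "no-attachment": build_message("Important message from Alice", "Just checking in."),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {classify(raw) or 'clean'}")
```

A rule like this is only as good as the phrases it knows, which is why the blank-subject variant gets a separate, weaker label rather than silence: the text’s own point is that the virus writers change the giveaways as soon as people learn them.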
E-mail worms
An e-mail worm
is a malicious program that comes as an e-mail attachment and pretends to be
innocent fun.
The following e-mail worms are the most prevalent.…
Happy 99
(From
the USA in January 1999) This program, called HAPPY99.EXE, comes as an
e-mail attachment. If you open it, you see a window titled “Happy New Year 1999
!!”. In that window, you see a pretty firework display.
But while you enjoy watching
the fireworks, the HAPPY99.EXE program secretly makes 3 changes to your SYSTEM
folder (which is in your WINDOWS folder):
1. In that folder, it puts
a copy of itself, and calls the copy SKA.EXE (which is why the Happy 99 worm is
also called the SKA worm).
2. In that folder, it puts
a file called SKA.DLL (by extracting SKA.DLL from HAPPY99.EXE).
3. It modifies that
folder’s WSOCK32.DLL file, after saving that file’s original version as
WSOCK32.SKA.
The modified WSOCK32.DLL file forces
your computer to attach the Happy 99 worm to
every e-mail you send.
So in the future, whenever you send an e-mail, the person who receives your
e-mail will also receive an attachment called HAPPY99.EXE. When the person
double-clicks the attachment, the person will see the pretty firework display,
think you sent it on purpose, and not realize you sent an e-mail worm virus.
To brag about itself, the virus keeps a list of everybody
you sent the virus to. That list of e-mail addresses is in your SYSTEM folder
and called LISTE.SKA.
Here’s how to get rid of the virus:
Disconnect from the
Internet. (If you’re attached to the Internet by using a cable modem or
local-area network instead of a simple phone line, disconnect by clicking
“Start” then “Shut down” then “Restart in MS-DOS mode”.) Delete SKA.EXE and
SKA.DLL from the SYSTEM folder (which is in the WINDOWS folder). In the SYSTEM
folder, rename WSOCK32.DLL to WSOCK32.BAK and rename WSOCK32.SKA to WSOCK32.DLL.
Delete the downloaded file, HAPPY99.EXE,
from whatever folder you put it in. Look at the list of people in
LISTE.SKA (which is an ASCII text file in the SYSTEM folder) and warn them that
you sent them the Happy99 virus.
An updated version, called Happy
00, comes as a file called HAPPY00.EXE. It says “Happy New Year
2000!!” instead of “Happy New Year 1999 !!”.
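The Happy 99 cleanup above is a checklist, so here’s an added example (not from this book) that turns it into a script: it looks in a SYSTEM folder for the four files the text names (SKA.EXE, SKA.DLL, WSOCK32.SKA and LISTE.SKA), reads the addresses out of LISTE.SKA so you know whom to warn, and applies the removal steps exactly as the text gives them. It refuses to touch anything if WSOCK32.SKA is missing, because without that saved original you’d delete your working winsock with nothing to put back. The demo builds a throwaway folder with dummy files; LISTE.SKA is assumed to hold one address per line, which is a guess about the format since the text only says it’s an ASCII list.

```python
"""Detect and remove the Happy 99 (SKA) worm's files in a SYSTEM folder (added example)."""
import os
import tempfile

INDICATORS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")
WORM_FILES = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")


def find_files(system_dir):
    """Case-insensitive lookup of the indicator names; returns {UPPERNAME: path}."""
    found = {}
    for name in os.listdir(system_dir):
        upper = name.upper()
        if upper in INDICATORS:
            found[upper] = os.path.join(system_dir, name)
    return found


def recipients(liste_path):
    """Addresses the worm mailed itself to (assumed one per line)."""
    with open(liste_path, "r", encoding="ascii", errors="replace") as f:
        return [line.strip() for line in f if line.strip()]


def check(system_dir):
    """Report whether the worm's files are present and whom it already reached."""
    found = find_files(system_dir)
    return {
        "infected": any(name in found for name in WORM_FILES),
        "indicators": sorted(found),
        "recipients": recipients(found["LISTE.SKA"]) if "LISTE.SKA" in found else [],
    }


def remediate(system_dir):
    """Apply the text's removal steps. Returns False (and does nothing) if the
    saved original WSOCK32.SKA is absent, since then there is nothing to restore."""
    found = find_files(system_dir)
    if "WSOCK32.SKA" not in found:
        return False
    for name in ("SKA.EXE", "SKA.DLL"):
        if name in found:
            os.remove(found[name])
    dll = os.path.join(system_dir, "WSOCK32.DLL")
    if os.path.exists(dll):
        os.replace(dll, os.path.join(system_dir, "WSOCK32.BAK"))  # keep the patched copy
    os.replace(found["WSOCK32.SKA"], dll)  # put the original winsock back
    return True


def demo():
    """Constructed infected SYSTEM folder: check it, clean it, check again."""
    files = {
        "SKA.EXE": b"MZ worm copy",
        "SKA.DLL": b"MZ worm dll",
        "WSOCK32.DLL": b"MZ patched winsock",
        "WSOCK32.SKA": b"MZ original winsock",
        "LISTE.SKA": b"bob@example.test\r\ncarol@example.test\r\n",
    }
    with tempfile.TemporaryDirectory() as system_dir:
        for name, data in files.items():
            with open(os.path.join(system_dir, name), "wb") as f:
                f.write(data)
        before = check(system_dir)
        cleaned = remediate(system_dir)
        after = check(system_dir)
        with open(os.path.join(system_dir, "WSOCK32.DLL"), "rb") as f:
            restored = f.read()
    return before, cleaned, after, restored


if __name__ == "__main__":
    before, cleaned, after, restored = demo()
    print("before:", before)
    print("cleaned:", cleaned, "restored winsock:", restored)
    print("after:", after)
```

LISTE.SKA is deliberately left in place after cleaning: it’s your evidence of whom to warn, and the text tells you to read it, not delete it.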
Pretty Park
(From
France in May 1999) This virus comes in an e-mail. The e-mail’s subject
line, instead of saying “Important message”, says just “C:\CoolPrograms\Pretty
Park.exe”. The e-mail’s body,
instead of containing sentences, says just “Test:
Pretty Park.exe :)” and shows
a drawing of a boy wearing a hat. The boy is Kyle, from the “South
Park” TV cartoon show. The icon is labeled “Pretty Park.exe”. If you
double-click it, you’ll be opening an attachment called PrettyPark.exe, which
is a virus.
Then you might see the 3D Pipes screensaver (which is
one of the screensavers that you get free as part of Windows 98). But secretly,
every 30 minutes, the virus peeks in Microsoft
Outlook’s address book and sends copies of itself to your friends listed there.
Every 30 seconds, it also tries to connect your computer to an Internet Relay
Chat server computer, so the virus can invade your privacy by sending info
about you and your computer to the virus’s author or distributor, though
there’s no evidence that any private info about anyone has actually been
transmitted yet.
This virus was first distributed in May 1999 by an e-mail
spammer from France.
DoS attacks
Your computer can attack an Internet Web-site server
computer (called the target) by
sending so many strange requests to the target computer that the target
computer can’t figure out how to respond to them all. The target computer gets
confused and becomes so preoccupied worrying about your requests that it
ignores all other work it’s supposed to be doing, so nobody else can access it.
Everybody who tries to access it is denied service because it’s too busy.
That’s called a denial-of-service attack
(DoS attack).
In the attack, the “strange request” asks the target
computer to reply to a message; but when the target computer tries to reply, it
gets flummoxed because the return address is a spoof
(a fake address that doesn’t exist). The target computer tries to transmit to
the fake address and waits hopelessly for acknowledgement that the reply was
received. While the target computer waits for the acknowledgement, the
attacking computer keeps sending more such requests, until the target computer
gets overloaded, gives up, and dies.
Denial-of-service attacks were invented in 1997. In March
1998, denial-of-service attacks successfully shut down Internet computers run
by the Navy, the US space agency (NASA), and many universities.
Distributed DoS attacks
In the summer of 1999, an extra-powerful denial-of-service
attack was invented. It’s called a distributed
denial-of-service attack (DDoS attack).
Here’s how it works:
A virus spreads by e-mail
to thousands of innocent computers (which are then called zombie agents or drones). The virus waits in those
computers until a preset moment, then forces
all those computers to simultaneously attack a single Internet target
computer by sending strange requests to that computer, thereby overloading that
computer and forcing it to deny service to other customers.
The first DDoS attack viruses were Trin00 and Tribe
Flood Network (TFN). Shortly afterwards came versions that were
more sophisticated: Tribe Flood Network 2000
(TFN 2K) and Stacheldraht
(which is the German word for “barbed wire”).
Those viruses are flexible: you can teach them to attack
any target. Though the inventors of those viruses said they were just
“experiments”, other folks used those viruses to attack Yahoo and many other
Web sites in February 2000. The attacks were successful: they shut down Yahoo,
CNN.com, Amazon.com, eBay.com, eTrade.com, Buy.com, Datek.com, and the FBI’s
Web site.
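Here’s an added example (not from this book) of how the server side notices the attacks just described. Each “strange request” with a spoofed return address leaves a half-finished connection on the target, so the detector below takes a list of such half-open attempts (time, source address, target address), counts how many each target has accumulated in a sliding ten-second window, and raises an alert when the count passes a threshold. It also counts distinct source addresses, because that’s what separates a plain DoS attack from a DDoS attack by thousands of drones. The traffic is constructed for the demo, and the thresholds are made-up round numbers you’d tune for a real server.

```python
"""Sliding-window detector for half-open connection floods (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # how far back we count
HALF_OPEN_THRESHOLD = 50  # alerts start at this many half-open attempts per target
DISTRIBUTED_SOURCES = 20  # this many distinct sources looks distributed (or spoofed)


def detect_floods(events, window=WINDOW_SECONDS, threshold=HALF_OPEN_THRESHOLD,
                  distributed=DISTRIBUTED_SOURCES):
    """events: (timestamp, source, target) tuples for connection attempts that never
    completed, sorted by timestamp. Returns {target: {"peak", "sources", "kind"}}
    for every target that crossed the threshold."""
    recent = defaultdict(deque)  # target -> (timestamp, source) pairs inside the window
    alerts = {}
    for ts, src, dst in events:
        queue = recent[dst]
        queue.append((ts, src))
        while queue and ts - queue[0][0] > window:
            queue.popleft()  # drop attempts that aged out of the window
        count = len(queue)
        if count >= threshold:
            alert = alerts.setdefault(dst, {"peak": 0, "sources": 0})
            if count > alert["peak"]:
                alert["peak"] = count
                alert["sources"] = len({s for _, s in queue})
    for alert in alerts.values():
        if alert["sources"] >= distributed:
            # Either real drones, or one attacker forging a different address each time.
            alert["kind"] = "distributed or spoofed-source flood"
        else:
            alert["kind"] = "single-source flood"
    return alerts


def constructed_events():
    """Constructed sample traffic: background noise, one DoS burst, one DDoS burst."""
    events = []
    # Background: one stray half-open attempt every 2 seconds to 10.0.0.5.
    for i in range(30):
        events.append((i * 2.0, f"192.0.2.{i % 5 + 1}", "10.0.0.5"))
    # Single-source flood: 200 attempts in 5 seconds against 10.0.0.9.
    for i in range(200):
        events.append((100 + i * 0.025, "203.0.113.7", "10.0.0.9"))
    # Distributed flood: 300 attempts in 5 seconds from 100 drone addresses.
    for i in range(300):
        events.append((200 + i / 60, f"198.51.100.{i % 100 + 1}", "10.0.0.10"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for target, alert in sorted(detect_floods(constructed_events()).items()):
        print(f"{target}: peak {alert['peak']} half-open from {alert['sources']} sources "
              f"({alert['kind']})")
```

Note what the source count can and can’t tell you: the text says the DoS attacker’s return address is a fake, so a single attacking computer that forges a fresh address on every request looks just like a crowd of drones. Either way the defence is the same, which is why the detector keys on the target rather than trying to block sources one at a time.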