Behavior Research Methods, Instruments, & Computers 1989, 21 (2), 334-340 SESSION XIII TUTORIAL: COMPUTER VIRUSES Walter Schneider, Presider University of Pittsburgh Computer viruses: What they are, how they work, how they might get you, and how to control them in academic institutions WALTER SCHNEIDER University of Pittsburgh, Pittsburgh, Pennsylvania A computer virus is a program that replicates itself and spreads to computers with the goal of disrupting or destroying normal computer use. In academic computing, viruses represent a serious problem that costs millions of dollars in losses annually and hinders the free exchange of information so critical to education. Viruses operate in incubation, infection, and destroy phases. The nature, mechanisms, and preventive measures for personal-computer viruses are reviewed. Different procedures are recommended to protect research laboratories, instructional laboratories, and software lending libraries. Tradeoff'sbetween providing adequate protection and not having the security become too burdensome are considered. Computer viruses are programs that replicate them­ or installation ofcommercial software, as well as through selves to spread to other computers; they have the poten­ malicious intent. It is important to remember that in tial ofaltering the behavior oftheir computer hosts. They most cases, viruses have been spread unintentionally by can destroy research and instructional data and computer people who did not mean to harm the computer systems equipment, and they can easily be spread by honest, un­ they operate. knowing individuals, who are themselves using the host One should always operate a computer with the assump­ computers appropriately. Researchers need to take basic tion that a virus may infect one's computer if one does steps in order to prevent any catastrophic loss ofdata due not take preventive action. Even a single individual tens to computer viruses, because universities, which typically ofthousands ofmiles away from a university can destroy encourage free exchange ofinformation among many in­ the data in an undergraduate laboratory. The University dividuals, unfortunately thus make it very easy for com­ of Pittsburgh, for example, was hit by the "BRAIN" virus, puter viruses to do extensive damage. This paper provides which has spread to over Ito countries. It was originally a tutorial on what computer viruses are and how one can written by two brothers in Pakistan, who felt that they deal with them in academic settings. A complete descrip­ were not making sufficient money in their software com­ tion of computer viruses can be found in R. Roberts's pany because of the illegal copying of programs. Their (1988) book on the topic. virus began by making its way into some of the illegal A computer virus can affect any laboratory in which software-copying stores in Pakistan. honest individuals are using programs imported from other I do not know with certainty just what this virus's path sources. Viruses can be spread through the normal use of spread was, but here is a likely scenario: The virus replicated itself and spread to many of the software dis­ tribution stores in Pakistan. It is thought that someone This work was supported in part by Office of Naval Research Contracts from the medical center at the University of Delaware then N<XXlI4-87-K-{)397 and N<XXlI4-86-K-{)678 and Army Research Institute Contract MDA903-86-C-{)149. Reprint requests may be sent to Walter bought some software at one ofthem; the software is very Schneider, Learning Research and Development Center, 3939 O'Hara cheap in these stores, because they pay no royalties to St., University of Pittsburgh, Pittsburgh, PA 15260. the manufacturer. This individual then brought the soft- Copyright 1989 Psychonomic Society, Inc. 334 COMPUTER VIRUSES 335 ware backto the University of Delaware, wherethe virus computers to accomplish one's tasks while the virus spread through the medicalcenter and on to the Univer­ problem is kept in check. sity of Delaware in general. It is also believedthat someonefrom the University of What Is a Computer Virus? Pittsburgh whouseda computerat the University of Dela­ A computer virus is a program that installs itself upon ware imported the same virus back to the University of a systemto infectand/or destroy (or alter)other systems. Pittsburgh, where it then replicated itself in the univer­ It is very important to understand the characteristics of sity's public laboratories. One of the students who was a virusso thatone mayreducethe likelihood of itsspread­ operating a computer in the psychology department's ing. A virus is an executableprogram that attachesitself laboratorytook a floppydisk from the undergraduate lab to other programs in order to spread. A simpleexample and ran it on one of the public sites (perhapshe was do­ would be a virus that alters a computer's operating sys­ ing word processing both at the public sites and on the tem so that whenever the system is started up (booted), laboratory computer). Thiswas, of course, a totally legiti­ the virus code will be executed. The virus then examines mate use of computerson campus. Unfortunately, while other programs that can carry it (e.g., executable pro­ the student was word processing at the public site, the gramson any floppy disksinsertedintothe machine), and virus attached itself to the student's copy of the word­ it will reinstall itself on floppy disks, which may travel processing program. Whenthe student returned his floppy to other computers. It can then installitself on other sys­ disk to the psychology lab, the virus attacheditselfto the tems, whenever the infected programs on the disks are operating system on a lab computer. run at new installations. The virus spreadwithinour laboratorywhendata from The virus threat is very real. The National Security all of the computers were merged on one master file in Agencyof the UnitedStateshas estimatedthat over 40% the main computer. Afterseveral daysof replicating itself, of the nation's college campuses have been hit by com­ the virus beganto erase the disks of the computersin the puter viruses. It does not take an exceptional ability at undergraduate laboratory. With the exception of the very programming to writea new virus; onlyaboutthreecom­ first activitythat occurredin Pakistan,probablyall of the puter courses and some detailed reading will suffice. A other activities that enabled the virus to spread resulted single individual almost anywhere in the world can thus from honest individuals' appropriate use of computers. inflict damage in hundreds of countries. In the future, The net effect of the virus attack was the destruction there will be more viruses, and they will be more dan­ of several months' worth of data collected in the under­ gerous. We may even find academic terrorists targeting graduate labs. When the virus destroyed the data from academicdepartments (e.g., animalrightsgroupstarget­ 120 students from my laboratory class, I was more in­ ing programsthat collectanimaldata). Disillusioned stu­ furiated than I have ever been in my academic career. It dents may injectviruses to disruptclassesso that they do was as if someone had broken into my office and gone nothaveto tum inassignments (similar to the way "bomb through my filing cabinets destroying all my data. For­ scare" reports became a problem in the 1960s in the tunately, because the data had been backed up, after United States). severaldays of work the lab was functioning again. This There are three phases to the operation of a computer type of spreading of a computer virus can and probably virus; they reflectmetaphorical similarities between com­ will occur in any laboratory that allows disks to corne in puter scienceand biology. The first phaseis incubation­ from the outside. staying dormant for a period of time. A computer virus It is important to take precautions to reduce the virus can remain dormant, doing nothing, for an extended threat. One should think of controlling viruses as one period. For example, it might only replicate itself after thinks aboutthesecurityof one's horne. Almostany horne a certain number of starts of the operating system (e.g., can be broken intoeven whenextreme securitymeasures every 50threboot). An incubating virusis thuslikea mole have been taken. Most people use basic security meas­ in a spy network. It sits there and operates normally for ures, suchas lockingtheir doors, to makeit at leastsome­ a long time, so that nobodysuspects that it is there. Users what difficult for a would-bethief. Such basic measures are frequently suspicious of newprograms thatcausetrou­ inhibit robberiesenough so that they are infrequent, and ble on their computers, so that a virusthat wouldimmedi­ we can proceed with our lives relatively unincumbered ately alter the operation of a computer mightquickly be by either robberies or extreme security measures. But if detected. A virus that would allow normal operation for robberies become more of a problem, one may have to severalmonths,however,and onlythenbeginto alter the considermore extensive measuresagainstintrusion(such operationsof the system, wouldbe more likelyto go un­ as installing a security system that requires one to enter detected. Note that there is virtually no way to detect a passwords whenever entering or leaving the premises). virus while it is in its incubation phase. Unless one has One must trade off ease of access against security. For­ a copy of the program before a virus has hit it, or partic­ tunately, however, a few simpleprocedures can provide ular signature information for a specific virus, there is protection from most viruses. It is important not to be­ no way to detect a virus during this period. come paranoid about the virus problem, but rather to The secondphase of a virus is infection, during which choose an appropriate level of security that will allow the virus tries to replicateitselfand spread to more com- 336 SCHNEIDER puters. During the infection phase, the virus program tries it resulted in the heating up ofthe disk coil or motor, and to identify new host programs and install itself on them.