... COMPUTE!'s COMPUTER VIRUSES Ralph Roberts COMPUTE! Books Greensboro, North Carolina Radnor, Pennsylvania ,... Other Books by Ralph Roberts: COMPUTEl's Using Turbo Basic COMPUTEl's Using Borland's Sprint The Price Guide to Autographs Auction Action! Analysis with Reflect The Power of Turbo Prolog The Word Processor Buyer's Survival Manual Editor: Stephen Levy Copyright 1988, COMPUTE! Publications, Inc. All rights reserved. Reproduction or translation of any part of this work beyond that permitted by Sections 107 and 108 of the United States Copyright Act without the permission of the copyright owner is unlawful. Printed in the United States of America 10 9 8 7 6 5 4 3 2 1 Library of Congress Cataloging-in-Publication Data Roberts, Ralph COMPUTEt's computer viruses p. cm. Includes index. ISBN 0-87455-178-1 1. Computer viruses. I. Title. QA76.76.C68R62 1988 005.8--dc19 88-28556 The authors and publisher have made every effort in the preparation of this book to insure the ac­ curacy of the programs and information. However, the information in this book is sold without warranty, either express or implied. Neither the authors nor COMPUTE! Publications, Inc. will be liable for any damages caused or alleged to be caused directly, indirectly, incidentally, or con­ sequentially by the programs or information in this book. The opinions expressed in this book are solely those of the author and are not necessarily those of COMPUTE! Publications, Inc. COMPUTE! Books, Post Office Box 5406, Greensboro, NC 27403, (919) 275-9809, is a Capital Cities/ABC, Inc. company, and is not associated with any manufacturer of personal computers. IBM is a registered trademark and OS/2 is a trademark of Inter­ national Business Machines Corporation. MS-DOS is a registered trademark of Microsoft Corporation. Apple and Macintosh are trademarks of Apple Computer, Inc. Amiga is a trademark of Commodore-Amiga. Atari and Atari ST are trademarks of Atari Corporation. CONTENTS Preface ....................................... v Acknowledgements ............................. vi 1. Your Computer May Be Sick! ................. 1 2. History and Infamous Viruses ................. 9 3. How Viruses Work ......................... 17 4. Fighting Viruses and Practicing Safe Computing . 31 5. How the Experts Deal with Viruses .... .. 55 6. Corporate Initiatives for PC Data Security Pamela Kane ............................ 81 7. The Case of the Gerbil Virus that Wasn't Raymond M. Glath ....................... 91 8. IBM PCs and Compatibles . .. 95 9. Macintosh ............................... 133 10. Atari ... .. 145 11. Amiga .................................. 151 12. The Only Good Virus Is a Dead Virus ........ 163 Index ...................................... 168 ... PREFACE What if all the data on your computer's hard disk and/or floppies suddenly disappears? Millions of characters of infor­ mation are irretrievably gone and the only thing left in return is an infantile message like "Arfl Arfl Gotcha!"or "Welcome to the dungeon ... beware the virus." The destructive rampages of these terrible little hidden programs from sick minds are not limited to high risk users who download indiscriminately from pirate electronic bulletin boards. Associated Press and United Press International stories in recent months have reported that such major institutions as NASA, Lehigh University, Miami (Ohio) University, AReO Oil, Hebrew University in Israel, and others have had com­ puter virus attacks. Viruses can attack your system even if you don't have a telephone modem. Like a biological virus, a computer virus can replicate itself and be spread (through the use of "Trojan horse" programs) from system to system. Trade a floppy disk with a friend and you may unwittingly be destroying large amounts of important data in your system, be it a single-user computer or a large tele­ phone-linked network of 20,000 terminals. It's not even enough to have good backup-a timed release virus can also be in the backup disks or tape, destroying data time after frustrating time. There have been viruses reported for all of the major brands of computers. Those with IBM and compatibles, and Macintoshes are currently the most vulnerable, but the poten­ tial threat to all machines is scary. Like vaccinating against smallpox or typhoid fever, there are prudent steps computer users can take that may very well save them hours and days of work, or even more than that. Whether you're a single computer owner or the manager of a large area network, this book offers relief from the fear and the very real danger of a viral infection in your system. It will v help you understand and implement ways to protect your sys­ tem, as well as those of your friends and clients who put pro­ grams into their own systems that were copied off your disks. Typhoid Mary was a dishwasher who, while not sick her­ self, spread that disease to many others. Imagine how poor Mary would be sued today. This book helps you protect your­ self in many ways. Acknowledgments The author gratefully acknowledges all those who helped in the preparation of this book, with special thanks to: Ray Glath, Ross Greenberg, and Pam Kane. And to those other staunch virus fighters: Ron Benvenisti, Dennis Director, Chuck Gilmore, Eric Hansen, Dr. Harold Highland, John McAfee, Mike Riemer, Howard Upchurch, Steve Tibbett, and Jeff Shulman. And to: Stephen Levy, Claudia Earhart, Pam Williams, and all my other friends at COMPUTE! Books. And most especially to you, the reader, in hopes that this book proves helpful. vi 1 YOUR COMPUTER MAY BE SICK! Virus: "Something that corrupts or poisons the mind or the soul. " Webster's New Collegiate Dictionary "Over one percent, or about a quarter of a million IBM PCs and compatibles are already infected," says Larry DiMartin, president of Computer Integrity Corporation, publishers of the commercial viral protection program, Vaccinate. A computer virus is a small program, usually hidden as a code segment of a larger host or Trojan horse program. It has the ability to replicate itself, and to move from computer to computer through the transfer of disks, or by electronic communications. You're safe only if you never buy a program, never borrow a disk from a friend, never call a computer net­ work or electronic bulletin board, never turn on and use your computer at all. In other words, the possibility of a computer viral infection cannot be eliminated totally, only minimized. While not alive, the resemblance in the actions of a com­ puter virus to the reproductive and infectious qualities of a bio­ logical virus is uncanny, even horrifying. Hence the name computer virus. Viruses mayor may not be harmful. Their effects range from the humorous to the catastrophic. A destructive virus could wipe out data it has taken you or your company years to accumulate, including backups. Whatever the effect, someone is messing with your system without your permission. This book helps you to: Avoid neglect! Detect! Protect! 1 Chapter 1 One factor on our side is that a computer virus must be machine-specific. An Amiga virus isn't going to thrive in an IBM environment; a Macintosh virus can't wipe out Atari disks. This is the good news. The bad news is that the Computer Virus Industry Association-a group of software companies who manufacture and sell antiviral products-has already identified viruses on most of the major categories of personal computers being sold today. These include over 20 different types that attack IBM pes and compatibles, 4 are Macintosh­ specific, 4 prey on Amigas, and 6 more infect other types of computer architecture. These, of course, are just the ones that have been verified as existing. The scope of the virus problem (as evidenced by more and more reports) continues to grow. The odds are with an individual computer owner right now; however, the odds will continue to drop if things go unchecked. Next month, next year, your computer might catch a virus. It could be sick already. Where Do Viruses Come From? Computers have always been prone to losing large amounts of data in the blink of an eye. Equipment malfunction, operator error-the reasons are many and varied. In this crazy world, you must also add those who deliberately want to destroy your data. These electronic terrorists come in many stripes. Some, like medical experimenters who may have carelessly let a biological bug escape from the laboratory, did not unleash their viruses into the world information pool intentionally. The term virus was coined by a University of California graduate student, Fred Cohen. He demonstrated how to write a computer program that could infiltrate and attack a computer system in much the same way that a biological virus infects a human. Other students and educators have experimented with these nasty little codes. So have hackers (a description that used to be honorable, but now has been sullied by those few who abuse their knowledge) and various research and develop­ ment groups. An intelligence agency is not going to overlook this means of disrupting an enemy country's informational infrastructure. 2 Your Computer May Be Sick It's obvious and logical that a good many governments could already be experimenting, perhaps even field testing such com­ puter viruses. A second group are pranksters, those individuals or groups who have a "message" to disseminate, or just pure jokers who want to mess with your system (though not necessarily destruc­ tively). The Macintosh Peace virus-supposedly benign and well-intentioned, but still frightening many computer owners­ is a prime example of this. According to a February 12, 1988 UPI report, the source of this Macintosh virus is Richard Brandow, publisher of a 40,OOO-circulation magazine called MacMag, based in Mon­ treal, Quebec. The report quotes a spokesman for the magazine as confirming this.