Unit 16 Computer Viruses

Objectives

After going through this unit, you should be able to:

• define computer virus and its characteristics,
• identify different types of perverse software,
• list the possible damages due to the perverse activities of viruses,
• describe the important precautionary measures to prevent virus infection,
• perform necessary corrective actions in case of virus infection and attack on a Personal Computer.

Structure

16.1 Introduction
16.2 Why PCs under DOS Environment are susceptible to Virus attack?
16.3 What is Perverse Software?
16.4 Characteristics of Computer Viruses
     16.4.1 Virus : An Introduction
     16.4.2 Areas of Infection
     16.4.3 Symptoms of Virus Infection
     16.4.4 How does Virus Spread?
     16.4.5 The Virus Attack
     16.4.6 Names and Features of some of the Popular Viruses
16.5 Protection and Treatment
     16.5.1 Preventive Measures
     16.5.2 Virus Detection
     16.5.3 Virus Removal
     16.5.4 Recovery of Damaged Files
16.6 Summary
16.7 Self-assessment Exercises
16.8 Further Readings

16.1 INTRODUCTION

Mr. Vijay Singh, P.A. to Mr. R. Modi, was working with his word processor. Suddenly, a ball appeared on his screen and started bouncing from side to side. Mr. Vijay called up the computer manufacturer, who informed him that he had a virus on his machine. Mr. Vijay retorted, "Oh, God! I am so sorry; yesterday I had a bad cold. Will my computer be showing the same symptoms after some time? Can you rectify this problem or will I have to consult a physician?"

Such incidents are becoming quite frequent these days. Many computer users who are not aware of computer viruses are reporting loss of data, programs and several other perverse activities. Are all these problems due to computer viruses?
No, the loss of data and programs on a computer can also occur due to one or more of the following reasons:

--- accidental or physical damage to hardware resulting in corruption of programs or data;
--- negligence by employees;
--- data entry errors; etc.

But the computer virus is a major cause of data corruption. A computer virus is perverse software which causes malicious activity. It is a relatively new phenomenon which has resulted mainly from advancement in technology and the accessibility of operating systems such as DOS. Previously, the operating system used to be secretive and hidden from the user. A user was supposed to submit his pack of PUNCHED CARDS containing a program, which in turn was processed by the hardware (and proprietary operating system). But with the advent of interactive computers and general purpose operating systems, people started working on machines with the idea "How to fail a computer", and hence came the concept of the computer virus.

Terms like 'Virus', 'Vaccine', 'Stoned', 'C Brain', 'Happy Birthday Joshi' and 'Ping-Pong' are becoming increasingly popular. All these terms relate to the same problem, i.e. the computer virus. In this unit, we will discuss the features and characteristics of computer viruses, some of the existing viruses, their areas of infection, treatment and preventive measures. We will restrict ourselves to the viruses that are most common on PCs in the DOS environment.

16.2 WHY PCs UNDER DOS ENVIRONMENT ARE SUSCEPTIBLE TO VIRUS ATTACK?

The popularity of IBM-compatible PCs and their clones has grown tremendously in the last decade. As per one estimate, the number of these PCs, PC-XTs and PC-ATs is likely to be more than a million by 1993. There are certain inherent limitations of the currently used IBM compatibles, which are most often used in the MS-DOS environment as stand-alone PCs. These limitations have made PCs vulnerable to security problems.
These limitations are:

i) The MS-DOS/PC-DOS operating system consists of three files, two of which are hidden and the third of which is named COMMAND.COM (try to visualize it in the root directory of your DOS floppy or the hard disk of your PC-XT or PC-AT). All these files are normally kept in the root directory of the hard disk or floppy disk. Although the hidden files are not accessible to normal users, there exist special commands by which these files can be modified.

   On the other hand, the UNIX operating system, commonly used on PC-386/Super-mini/Mini computers, is installed in a distributed manner in different directories, sub-directories and files. The operating system files are not accessible to users and are stored in binary/machine language form, incorporating certain corrective routines. Thus, UNIX is less prone to modifications.

ii) In addition, DOS does not have an in-built security/password scheme. Thus, either the user will have to devise his own programs/routines to restrict unauthorized access, or he will have to use hardware locks and sometimes even physical locks.

   On the other hand, the UNIX operating system offers a secure two-layer password scheme: one layer is for the user group and another for system administrators (superusers). Thus, each user can have his own password. The superuser, who is generally a trusted person, can add new users or restrict/remove users as per the requirements.

16.3 WHAT IS PERVERSE SOFTWARE?

A simple definition of perverse software is: "A software which causes a perverse activity." But what is a perverse activity for a computer? The answer to this question lies in the basics of the computer. A personal computer has I/O devices, a CPU and memory, and it executes application programs/software, which in turn manipulate data. Therefore, a computer essentially maintains, in its storage, the data and the program or software. A program hindering the execution of other programs in such a way that it results in the modification or even complete destruction of data without the user's intention, unpredictable behaviour in display, print etc., or even sabotage of the operational system: these are some examples of perverse activities for computers. The computer system on which perverse software is operational is said to be an infected system.

But how does software cause a perverse activity? The answer to this question is given in the next few sections of this unit, since it requires some more details about computer viruses. But we can dwell for a moment on the reasons for this perverse activity. There are several, such as: some individuals have made this type of software to gain publicity; or it is developed by individuals as a practical joke; or as a personal vendetta against a company or another person; or maybe it is an in-born natural desire to tease other persons; or the act of a maniac, etc. All perverse software is aimed at producing a variety of disastrous effects, while a user normally wants to do something constructive with the help of the computer system to increase his productivity and efficiency.

There may be different types of perverse software, each of which generates a different type of perverse activity. Yet all these activities have one thing in common: they generate uncertainty for computer users. The normal MS-DOS operations were designed with bona fide normal users in mind and were not geared up to detect such perverse software. Also, standard security checks normally do not detect the anomaly caused by perverse software in a computer system. Thus, an infected computer system may continue to work, causing the infection to spread.

Perverse software can be classified into the following types:

a) Bombs : A bomb is a piece of bad code deliberately planted by an insider or supplier of a program.
A bomb gets triggered by an event which is logical or time based. The bomb explodes when the conditions of explosion are fulfilled, causing the damage immediately. However, these programs cannot infect other programs. Since they do not propagate by infecting other programs, the chances of a wide-spread epidemic are relatively slim.

Bombs are generally of the following two types:

i) Time Bomb : This name has been borrowed from its physical counterpart because of the mechanism of activation. A physical time bomb explodes at the time it is set for (unless somebody forces it to explode early); so does the computer time bomb, which causes the perverse activity, such as disruption of the computer system or modification or destruction of stored information, on the particular date and time for which it has been developed. It is initiated by the computer clock.

ii) Logic Bomb : This perverse software may be similar in perverse activity to time bombs. Logic bombs are activated by a certain combination of events. For example, a code like: "If MYFILE is deleted then destroy the memory contents by writing zeros." This code segment, on execution, may cause destruction of the contents of the memory on deleting a file named MYFILE. These bombs can be set to go off at a future time or event.

b) Trojan Horse : This name has been borrowed from the pages of history because Trojans are considered to be programs that conceal agents of ruin/malicious activity, like the wooden horse of Troy. Typically, a Trojan Horse is illicit coding contained in a legitimate program, and it causes an illegitimate action. The concept of a Trojan is similar to that of bombs, but it does not necessarily get activated by a computer clock or particular circumstances. A Trojan may change or steal the password, modify records in protected files, or allow illicit users to use the system. Trojan Horses hide in a host and generally do not damage the host program.
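
Section 16.2 notes that the three DOS system files can be modified, and a Trojan Horse is by definition extra code inside a legitimate program. The following added example (not part of the original unit) shows a defender-side integrity check that records a baseline of those files and reports later changes, including an in-place overwrite that leaves the file size unchanged. The hidden file names IO.SYS and MSDOS.SYS, the function names and the stand-in file contents are assumptions made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# COMMAND.COM is named in the unit; IO.SYS and MSDOS.SYS are the usual names of
# the two hidden MS-DOS files (PC-DOS: IBMBIO.COM, IBMDOS.COM). Assumed here.
SYSTEM_FILES = ("IO.SYS", "MSDOS.SYS", "COMMAND.COM")

def fingerprint(path):
    """Size plus SHA-256 of a file's full contents."""
    data = Path(path).read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def take_baseline(root, names=SYSTEM_FILES):
    """Record fingerprints from a known-clean disk; store the result elsewhere."""
    return {n: fingerprint(Path(root) / n) for n in names if (Path(root) / n).is_file()}

def compare(root, baseline):
    """Return {name: status} for every file recorded in the baseline."""
    report = {}
    for name, known in baseline.items():
        path = Path(root) / name
        now = fingerprint(path) if path.is_file() else None
        if now is None:
            report[name] = "missing"
        elif now["sha256"] == known["sha256"]:
            report[name] = "ok"
        elif now["size"] == known["size"]:
            # Overwritten in place: a size-only check would not notice this.
            report[name] = "modified, same size"
        else:
            report[name] = "modified, size %+d bytes" % (now["size"] - known["size"])
    return report

def demo():
    """Constructed sample: stand-in files in a temp directory, not real DOS binaries."""
    with tempfile.TemporaryDirectory() as root:
        for name in SYSTEM_FILES:
            (Path(root) / name).write_bytes(b"A" * 512 + name.encode())
        baseline = take_baseline(root)
        # Simulated tampering: bytes appended to one file, one byte patched in another.
        shell = Path(root) / "COMMAND.COM"
        shell.write_bytes(shell.read_bytes() + b"\x00" * 100)
        boot = Path(root) / "IO.SYS"
        boot.write_bytes(b"\xeb" + boot.read_bytes()[1:])
        return compare(root, baseline)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```

The baseline is only trustworthy if it is taken from a clean system and kept on separate, write-protected media.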
