A computer virus is a program that purposely does mischief and manages to copy itself to other computers, so the mischief spreads. Since computer viruses are malicious software, they’re called malware.
People create viruses for several reasons.
People who create viruses tend to be immature. Many are teenagers or disgruntled college students.
Different viruses perform different kinds of mischief.
The damage done by a virus is called the virus’s payload. Some viruses are “benign”: they do very little damage; their payload is small. Other viruses do big damage; they have a big payload. If a virus destroys your files, it’s said to have a destructive payload.
To propagate, viruses use two main tricks.
Homer’s epic poem, The Iliad, describes how the Greeks destroyed Troy by a trick: they persuaded the Trojans to accept a “gift” — a gigantic wooden horse that secretly contained Greek warriors, who then destroyed Troy.
Some computer viruses use that trick: they look like a pleasant gift program, but the program secretly contains destructive warriors that destroy your computer. A pleasant-seeming program that secretly contains a virus is called a Trojan horse.
If a virus damages your computer immediately (as soon as you receive it), you’ll easily figure out who sent the virus, and you can stop the perpetrator. To prevent such detection, clever viruses are time bombs: they purposely delay damaging your computer until you’ve accidentally transmitted the virus to other computers; then, several weeks or months after you’ve been secretly infected and have secretly infected others, they suddenly destroy your computer system, and you don’t know why. You don’t know whom to blame.
The first computer virus was invented in 1983 by Fred Cohen as an innocent experiment in computer security. He didn’t harm anybody: his virus stayed in his lab.
In 1986, a different person invented the first virus that ran on a PC. That virus was called Brain. Unfortunately, it accidentally escaped from its lab; it was found next year at the University of Delaware. (A virus that escapes from its lab is said to be found in the wild.)
Most early viruses harmed nobody, but eventually bad kids started inventing destructive viruses. The first destructive virus that spread fast was called the Jerusalem virus because it was first noticed at the Hebrew University of Israel in 1987. It’s believed to have been invented by a programmer in Tel Aviv or Italy.
Most people still thought “computer viruses” were myths; but in 1988, magazines ran articles saying computer viruses really exist. Researchers began to invent antivirus programs to protect against viruses and destroy them. In 1989, antivirus programs started being distributed to the general public, to protect against the 30 viruses that had been invented so far. But then the nasty programmers writing viruses began protecting their viruses against the antivirus programs. Now there are over 50,000 viruses, though many are just copycat viruses that are slight variants of others.
Companies writing antivirus software are working as hard as the villains writing the viruses. Most antivirus companies release updates weekly.
MS-DOS 6 & 6.2 come with an antivirus program called msav (which stands for MicroSoft Antivirus). But msav is rather useless, since most viruses were invented after it and outsmart it.
The best antivirus program is Norton AntiVirus, which lists for $50. You can also get Norton Antivirus as part of Norton SystemWorks, which lists for $70 and includes other utilities.
The second-best antivirus program is McAfee VirusScan, which lists for $60 and is published by Network Associates.
You can get a free antivirus checkup, called HouseCall, from an Internet Web site called “housecall.antivirus.com”. That Web site is run by Trend Micro, which also sells an antivirus program called PC-cillin. You can get another free antivirus checkup by going to the Symantec Antivirus Research Center’s Web site (www.sarc.com) then clicking “Online Virus and Security Check” (which is on the Web page’s left side, below “Virus Definitions”). Those free checkups don’t prevent viruses from entering your computer, but they reveal whether viruses entered already, and they help you start removing them.
If you use Windows, make sure you get antivirus software that’s designed for your version of Windows. Old antivirus programs think new versions of Windows are viruses, so those antivirus programs try to erase Windows!
Alas, using virus-scanning software can make your computer run slower, since virus-scanning can take a long time and consume RAM.
Besides worrying about viruses, you must also worry about adware (programs that secretly put ads onto your computer) and spyware (spybot programs, which secretly watch your activities on the computer and report about you to advertisers and crooks). Adware and spyware are nasty! They also consume the computer’s RAM and time, so your computer seems slower. The best programs for getting rid of adware and spyware are:
The www.safer-networking.org and www.lavasoft.de sites will in turn refer you to www.download.com, which is a general Web site for downloading shareware.
The most common place to find traditional viruses is at schools.
Anybody who shares programs with other people can get a virus. Most programs are copyrighted and illegal to share. People who share programs illegally are called pirates. Pirates spread viruses. For example, many kids spread viruses when they try to share their games with their friends.
Another source of viruses is computer stores, in their computer-repair departments.
Occasionally, a major software company will screw up, accidentally get infected by a virus, and unknowingly distribute it to all folks buying the software. Even companies as big as Microsoft have accidentally distributed viruses.
The newest viruses are spread by Internet communications, such as e-mail, instead of by floppy disks. Internet-oriented viruses spread quickly all over the world: they’re an international disaster!
Viruses fall into 6 categories: you can get infected by a file virus, a boot-sector virus, a multipartite virus, a macro virus, an e-mail worm, or a denial-of-service attack.
Here are the details.…
A file virus (also called a parasitic virus) secretly attaches itself to an innocent program, so the innocent program becomes infected. Whenever you run the infected innocent program, you’re running the virus too!
Here are the file viruses that are most common. For each virus, I begin by showing its name, the country it came from, and the month it was first discovered in the wild. Let’s start with the oldest.…
(From Bulgaria in September 1989) Every day at 5 PM, this virus plays part of the song Yankee Doodle on the computer’s built-in speaker.
This virus is also called Old Yankee and TP44VIR. It infects .COM & .EXE files, so they become 2899 bytes longer.
Die Hard 2
(From South Africa in July 1994) This virus infects .COM & .EXE files and makes them become exactly 4000 bytes bigger.
The virus also overwrites .ASM files (programs written in assembler) with a short program. When you try to compile the .ASM program, the computer hangs.
It’s also called DH2.
(From Taiwan in June 1998) Back on April 26, 1986, radioactive gas escaped from a nuclear reactor in Chernobyl in the Soviet Union. The Chernobyl virus commemorates that event by erasing your hard disk on April 26th every year. (A variant, called version 1.4, erases your hard disk on the 26th of every month.)
If you get infected by this virus, you won’t notice it until the 26th; then suddenly your hard disk gets erased — and so do the hard disks of all your friends to whom you’d accidentally sent the virus!
The virus was written in Taiwan by a 24-year old guy named Chen Ing-Hau. Since his initials are CIH, the virus is also called the CIH virus.
The virus was first noticed in June 1998. It did its first damage on April 26, 1999. Computers all over the world lost their data that day. Most American corporations were forewarned and forearmed with antivirus programs; but in Korea a million computers lost their data, at a cost of 250 million dollars, because Koreans don’t use antivirus programs but do use a lot of pirated software.
Here’s how the virus erases your hard disk:
The virus also tries to attack your computer’s Flash BIOS chips, by writing wrong info into them. If the virus succeeds, your computer will be permanently unable to display anything on the screen and also have trouble communicating with the keyboard, ports, and other devices, unless you bring your computer into a repair shop.
The virus destroys data just if you’re using Windows 95 or 98 (not Windows 3.1, not Windows NT).
Here’s how the virus spreads:
Before you attack the virus by using an antivirus program, boot by using an uninfected floppy. If instead you just boot normally from your hard disk, your hard disk’s infected files copy the virus into RAM; then when you tell the antivirus program to “scan all programs to remove the virus”, the antivirus program accidentally copies the virus onto all those programs and infects them all. Yes, the virus tricks your antivirus program into becoming a pro-virus program!
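The file viruses above make .COM and .EXE files a fixed number of bytes longer (2899 for Yankee Doodle, 4000 for Die Hard 2), and the Chernobyl advice shows why any check must be run after a clean boot. Here is an added example, not code from the book, of the integrity-checker approach: record each program file’s size and SHA-256 hash in a baseline, then report every program that changed; the sample files and the 2899-byte growth are constructed for the demo.

```python
"""Integrity check for program files: baseline now, compare later.

Added example, not code from the book. A signature scanner has to know
every virus; an integrity checker only needs a trusted record of each
program's size and SHA-256 hash, taken while booted from a clean disk,
and then reports every program whose contents changed since.
Python 3, standard library only.
"""
import hashlib
import json
import os
import tempfile

PROGRAM_EXTS = {".com", ".exe"}


def _digest(path):
    """SHA-256 of a file, read in chunks so large programs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each program file under root (relative path) to its size and hash."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PROGRAM_EXTS:
                continue
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = {
                "size": os.path.getsize(path),
                "sha256": _digest(path),
            }
    return baseline


def save_baseline(baseline, path):
    """Store the baseline off the scanned disk (e.g. on a write-protected floppy)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, root):
    """Return (relative path, growth in bytes or None, status) for every difference.

    A hash mismatch is reported even when the size is unchanged, which catches
    overwriting viruses that an "is it bigger?" check would miss.
    """
    current = build_baseline(root)
    report = []
    for rel, old in sorted(baseline.items()):
        new = current.get(rel)
        if new is None:
            report.append((rel, None, "missing"))
        elif new["sha256"] != old["sha256"]:
            report.append((rel, new["size"] - old["size"], "modified"))
    for rel in sorted(current):
        if rel not in baseline:
            report.append((rel, None, "new program"))
    return report


def demo():
    """Constructed scenario: two clean programs, then GAME.EXE grows by 2899 bytes."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "EDIT.COM"), "wb") as f:
            f.write(b"\xb8\x00\x4c\xcd\x21")  # constructed stand-in for a program
        with open(os.path.join(root, "GAME.EXE"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)
        # Reproduce the symptom the text describes: 2899 bytes appended to one
        # program. The bytes are filler, not a virus.
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:
            f.write(b"\x90" * 2899)
        return compare(load_baseline(baseline_file), root)


if __name__ == "__main__":
    for rel, growth, status in demo():
        print(f"{status}: {rel} (grew by {growth} bytes)")
```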
On a floppy disk or hard disk, the first sector is called the disk’s boot sector or, more longwindedly, the disk’s master boot record (MBR). A virus that hides in the boot sector is called a boot-sector virus. Whenever the computer tries to boot from a drive containing an infected disk, the virus copies itself into RAM memory chips (even if the booting is unfinished because the disk is considered “unbootable”).
Before hiding in the boot sector, the typical boot-sector virus makes room for itself by moving data from the boot sector to a “second place” on the disk. Unfortunately, whatever data had been in the “second place” gets overwritten and cannot be recovered.
The typical boot-sector virus makes the computer eventually hang (stop reacting to your keystrokes and mouse strokes).
Here are the boot-sector viruses that are most common.…
(From New Zealand in December 1987) Of all the viruses common today, this is the oldest. It was invented in 1987 by a student at the University of Wellington, New Zealand.
If you boot from a disk (floppy or hard) infected with this virus, there’s a 1-in-8 chance your computer will beep and display this message: “Your PC is now Stoned”.
It was intended to be harmless, but it assumes your floppy disk is 360K and accidentally erases important parts of the directory on higher-capacity floppy disks (such as 1.44M disks). It also makes your computer run slower — as if your computer were stoned.
(From Switzerland in June 1990) This virus is supposed to just play a harmless prank: on the 18th day of each month, the computer beeps whenever a key is pressed. But this virus is badly written and accidentally causes problems. For example, if your hard disk ever becomes full, the virus makes the hard disk become unbootable. And if the computer ever fails to read from a disk, the virus can make the system hang.
It reduces your total conventional RAM memory by 2K, so you have 638K instead of 640K. The virus’s second sector contains this message, which never gets displayed:
(From Sweden in April 1991) Inspired by the Stoned virus (and sometimes called Stoned Michelangelo), this virus sits quietly on your hard disk until Michelangelo’s birthday, March 6th. Each year, on March 6th, the virus tries to destroy all data on your hard drive, by writing garbage (random meaningless bytes) everywhere.
(From the USA in October 1992) Inspired by the Stoned virus (and sometimes called Stoned Empire Monkey), this virus encrypts the hard drive’s partition table, so the hard drive is accessible just while the virus is in memory. If you boot the system from a clean (uninfected) floppy disk, the hard drive is unusable. This virus is tough to remove successfully, since removing the virus will also remove your ability to access the data.
It reduces your total conventional RAM by 1K, so you have 639K instead of 640K.
(From Germany in September 1993) Every hour, this virus checks whether it’s infected a floppy disk. If it hasn’t infected a disk in the last hour, it says “PARITY CHECK” and hangs the computer.
This virus consumes 1K of your RAM, so your conventional RAM is 639K instead of 640K. The virus stays in RAM even if you press Ctrl with Alt with Del: to unload the virus from RAM, you must turn off the computer’s power or press the Reset button.
(From Norway in November 1993) This virus randomly corrupts data being written to disk.
The chance of a particular write being corrupted is just 1 out of 1024, so the corruption occurs just occasionally and to just a few bytes at a time. You typically don’t notice the problem until several weeks have gone by and the infection has spread to many files and your backups, too! Then it’s too late to recover your data! Yes, Ripper has the characteristic of a successful virus: its effects are so subtle that you don’t notice it until you’ve infected your hard disk, your backups, and your friends! Then ya wanna die! It’s also called Jack Ripper, because it contains this message which is never displayed:
It contains another undisplayed message:
(From Russia in December 1993) This virus monitors disk activity and waits for you to run a certain important .EXE program. (Virus researchers haven’t yet discovered which .EXE program is involved.) When you run that important .EXE program (so that program’s in your RAM), the virus corrupts the copy that’s in the RAM (but not the copy that’s on disk). While you run that corrupted copy, errors occur, and the computer usually hangs.
(From the USA in February 1994) This virus changes your system’s CMOS settings, as follows:
To evade detection and give itself time to spread to other computers, it waits awhile before doing that damage: it waits until you’ve accessed the floppy drive many times; on the average, it waits for 256 accesses.
A variant virus, Anti-CMOS.B, generates sounds from the computer’s built-in speaker instead of changing the CMOS.
New York Boot
(From the USA in July 1994) This virus’s only function is to spread itself. But it spreads itself fast and often. It’s also called NYB.
You’ve learned that some viruses (called boot-sector viruses) infect the disk’s boot sector, while other viruses (called file viruses) infect the disk’s file system. If a virus is smart enough to infect the disk’s boot sector and file system simultaneously, it’s called a multipartite virus.
Yes, a multipartite virus hides in two places: the boot sector and also the file system. If you remove the virus from just the boot sector (or from just files), you still haven’t completely removed the virus, which can regenerate itself from the place you missed.
If a virus is very smart, it’s called a stealth polymorphic armored multipartite virus (SPAM virus):
(From Austria in October 1994) The most common multipartite virus is One Half. It slowly encrypts the hard drive. Each time you turn on the computer, the virus encrypts two more cylinders (starting with the innermost 2 tracks and working toward the outer tracks). The encrypting is done by using a random code. You can use the encrypted cylinders as long as the virus remains in memory. When about half of the hard drive’s cylinders are encrypted, the computer says:
This virus is tough to remove successfully, since removing the virus will also remove your ability to access the data.
It infects the hard disk’s MBR, each floppy disk’s boot sector, and .EXE and .COM files. It scans filenames for text relating to antivirus programs (such as MSAV, NOD, SCAN, CLEAN, and FINDVIRU): it won’t infect antivirus programs! It’s hard to detect, since it’s polymorphic and uses stealth. It reduces your total conventional RAM memory by 4K, so you have 636K instead of 640K. It’s also called Dis, Slovak Bomber, Explosion 2, and Free Love.
A macro virus hides in macros, which are little programs embedded in Microsoft Word documents and Excel spreadsheets. The virus spreads to another computer when you give somebody an infected document (on a floppy disk or through a local-area network or as an e-mail attachment). During the past few years, e-mail has become prevalent, and so have macro viruses: they’re more prevalent than all other viruses combined.
Here are the most prevalent macro viruses.…
(From the USA in July 1995) This virus infects Microsoft Word documents and templates. When you load an infected document for the first time, you see a dialog box that says “1”, with an OK button. Once you click OK, the virus takes over. It forces all documents to be saved as templates, which in turn affect new documents.
It consists of 5 macros: AutoOpen, PayLoad, FileSaveAs, AAAZAO, and AAAZFS. You can see those macros in an infected Word document by choosing “Macro” from the Tools menu.
Invented in 1995, it was historic:
Old antivirus programs can’t detect it.
It was intended as just a harmless prank demonstration of what a macro virus could do (and is therefore also called the Prank Macro virus), but it spread fast.
(From the USA in June 1996) Inspired by the Concept virus, this virus consists of a macro called AutoOpen that forces Microsoft Word documents to be saved as templates. Whenever you open a document, the virus also rearranges up to 3 words and inserts the word “Wazzu” at random.
(From the USA in July 1996) This virus was first discovered in July 1996 in Africa and Alaska. It was the first macro virus that infected Excel spreadsheets (instead of Word documents). It does no harm except copy itself. It works just in Windows, not on Macs.
(From the USA in March 1998) This macro virus is called Tristate because it’s smart enough to infect 3 things: Microsoft Word documents, Excel spreadsheets, and PowerPoint slides.
(From the USA in October 1998) This macro virus infects Microsoft Word documents. It just displays a stupid message on your screen occasionally.
(From the USA in January 1999) When you use Microsoft Word, if you click “File” then “Properties” then “Summary”, you see a window where you can type a document’s title, author, keywords, and other items. When you close a document infected by the Ethan virus, this virus has a 30% chance of changing the document’s title to “Ethan Frome”, the author to “EW/LN/CB”, and the keywords to “Ethan”.
That’s to honor Ethan Frome, a novel written by Edith Wharton in 1911, about a frustrated man — the kind of man who would now write viruses.
(From the USA in March 1999) This macro virus infects Microsoft Word documents. When you look at (open) a document, if the document is infected, the virus tries to e-mail copies of the infected document to the first 50 people mentioned in Microsoft Outlook’s address book (which is called the Contacts folder), unless the virus e-mailed to those people previously. Yes, your document gets secretly e-mailed to 50 people, without you knowing!
Each of those 50 people gets an e-mail from you. The e-mail’s subject says “Important message from” and your name. The e-mail’s body says “Here is that document you asked for ... don't show anyone else ;-)”. Attached to that e-mail is your document, infected by the virus.
This virus spreads fast just if your computer has Microsoft Outlook. The typical large corporation does have Microsoft Outlook on each computer (since Microsoft Outlook is part of Microsoft Office), so the virus e-mails itself to 50 people automatically, and each of those people e-mails to 50 other people, etc., so the virus spreads fast.
The FBI hunted for the perpetrator and concluded that the Melissa virus was invented by David L. Smith in New Jersey.
A TV cartoon show called “The Simpsons” has an episode called “The Genius”, where Bart Simpson abruptly ends a Scrabble game by claiming he won with the word “Kwyjibo”. The virus can put into your document this quote from him:
The virus inserts that quotation just if you open or close the document at the precise minute when, on the computer’s clock, the number of minutes equals the date. For example, on May 27th it will insert that quotation if the time is 1:27, 2:27, 3:27, 4:27, 5:27, 6:27, 7:27, 8:27, 9:27, 10:27, 11:27, or 12:27.
The virus runs just if you have Microsoft Word 97 or 2000.
Although the original virus’s e-mail subject line said “Important message from”, a new variant of the virus has a blank subject line, making the virus harder to notice.
(From the USA in April 1999) This macro virus infects Microsoft Word documents. On the first day of each month, it tries to invade your privacy by copying your name (and your company’s name and your address) to an Internet site run by codebreakers.org. (If it successfully uploads your info, it doesn’t bother redoing it in future months.)
(From the USA in August 1999) This macro virus infects Microsoft Word documents. It lurks there until December 13th, when it erases drive C. It’s called “Thus” because its macro program begins with the word “thus”.
(From the USA in November 1999) Here’s how this variant of Melissa differs from Melissa:
An e-mail worm is a malicious program that comes as an e-mail attachment and pretends to be innocent fun.
The following e-mail worms are the most prevalent.…
(From the USA in January 1999) This program, called HAPPY99.EXE, comes as an e-mail attachment. If you open it, you see a window titled “Happy New Year 1999 !!”. In that window, you see a pretty firework display.
But while you enjoy watching the fireworks, the HAPPY99.EXE program secretly makes 3 changes to your SYSTEM folder (which is in your WINDOWS folder):
The modified WSOCK32.DLL file forces your computer to attach the Happy 99 worm to every e-mail you send. So in the future, whenever you send an e-mail, the person who receives your e-mail will also receive an attachment called HAPPY99.EXE. When the person double-clicks the attachment, the person will see the pretty firework display, think you sent it on purpose, and not realize you sent an e-mail worm virus.
To brag about itself, the virus keeps a list of everybody you sent the virus to. That list of e-mail addresses is in your SYSTEM folder and called LISTE.SKA.
Here’s how to get rid of the virus:
An updated version, called Happy 00, comes as a file called HAPPY00.EXE. It says “Happy New Year 2000!!” instead of “Happy New Year 1999 !!”.
(From France in May 1999) This virus comes in an e-mail. The e-mail’s subject line, instead of saying “Important message”, says just “C:\CoolPrograms\Pretty Park.exe”. The e-mail’s body, instead of containing sentences, says just “Test: Pretty Park.exe :)” and shows a drawing of a boy wearing a hat. The boy is Kyle, from the “South Park” TV cartoon show. The icon is labeled “Pretty Park.exe”. If you double-click it, you’ll be opening an attachment called PrettyPark.exe, which is a virus.
Then you might see the 3D Pipes screensaver (which is one of the screensavers that you get free as part of Windows 98). But secretly, every 30 minutes, the virus peeks in Microsoft Outlook’s address book and sends copies of itself to your friends listed there. Every 30 seconds, it also tries to connect your computer to an Internet Relay Chat server computer, so the virus can invade your privacy by sending info about you and your computer to the virus’s author or distributor, though there’s no evidence that any private info about anyone has actually been transmitted yet.
This virus was first distributed in May 1999 by an e-mail spammer from France.
(From the USA in June 1999) This virus destroys all your Microsoft Word documents (and all other files that end in .doc), all your Excel spreadsheets (and all other files that end in .xls), all your PowerPoint presentations (and all other files that end in .ppt), all your assembly-language programs (and all other files that end in .asm), and all files that end in .h, .c, or .cpp.
It destroys the files by replacing them with files that have 0 length. Since the file names still exist, you won’t immediately notice that their contents are destroyed, and backup software won’t notice which files are gone. It destroys those files on drives C, D, E, etc. For example, if your computer is part of a network, the virus destroys those files on your hard drive and also on the network server’s hard drive.
It also looks in your e-mail’s Inbox (created by Outlook Express or Outlook or Exchange), notices any messages you haven’t replied to yet, and replies to them itself!
For example, if an e-mail from Joan with a subject line saying “Buy soap” hasn’t been replied to yet, the virus sends a reply whose subject is “Re: Buy soap” and whose body says:
The reply comes with an attachment called zipped_files.exe. If the recipient opens that attachment, zipped_files.exe starts running. To fool the victim, it displays a fake error message (which begins by saying “Cannot open file”). Then it puts a copy of itself into the SYSTEM folder (which is in the WINDOWS folder); the copy is called “Explore.exe” or “_setup.exe”. It also modifies the “run” line in your computer’s WIN.INI file so the program will run each time Windows starts.
Here’s how to get rid of the virus:
(From the USA in July 1999) This virus sends, to people in Microsoft Outlook’s address book, an e-mail whose subject line says “Check this” and whose body says “Have fun with these links. Bye.” Clicking the e-mail’s attachment makes the virus infect the recipient’s computer and then tell the recipient, “This will add a shortcut to free XXX links on your desktop. Do you want to continue?”
If the recipient clicks “Yes”, the virus creates a shortcut icon pointing to an adult-sex Web site. But even if the recipient clicks “No”, the virus has already infected the computer and will use that computer to send e-mails, which will embarrass the computer’s owner when those e-mails reach the owner’s friends.
(From France in December 1999) If your computer gets infected by this virus, every e-mail you send by using Microsoft Outlook Express gets infected (unless you have Microsoft’s correction to this security hole). The virus infects by acting as an e-mail signature instead of an attachment, so everybody reading your e-mail will get infected, even if the recipients don’t look at any attachments.
The virus is called Kagou-Anti-Krosoft, which is abbreviated as Kak. Its main file is KAK.HTM, which is put into your Windows folder. It temporarily puts a file called KAK.HTA into your Startup folder but erases that file when you reboot.
Here are 5 signs that you’ve been infected by the virus:
(From the Philippines in May 2000) This virus comes in an e-mail whose subject line says “ILOVEYOU”. The e-mail’s body says “kindly check the attached LOVELETTER coming from me.” and comes with an attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. That attachment is the virus. When you activate it (by clicking the attachment), the virus infects your computer and does 3 dastardly deeds:
This virus spread faster than all other viruses.
An international manhunt for the perpetrator finally led to a 23-year-old computer student in the Philippines city of Manila.
It’s called the Love Bug because it’s a virus (bug) transmitted by a love letter. It’s also called the Love Letter virus and the Killer from Manila.
Copycats have edited the virus’s program and created 28 variants. The original version is called version A. Here are examples of other versions:
The following variants pretend to cure the virus but actually are viruses themselves:
(From the USA in May 2000) Here’s a famous comment about life stages:
The Life Stages virus tries to e-mail that comment, but the transmission is imperfect: the virus misspells “handsome” as “hansome” and makes other errors in spelling and punctuation.
The e-mail’s subject is “Life stages” or “Funny” or “Jokes”, with maybe the word “text” afterwards, and maybe “Fw:” beforehand. So there are 12 possible subjects, such as this: “Fw: Life stages text”. (The computer chooses among the 12 at random.) By having 12 possible subjects instead of 1, the virus is harder for antivirus programs to stop.
The e-mail’s body says “The male and female stages of life”. Attached to it is a file that pretends to be just a simple text document called LIFE_STAGES.TXT, but actually it’s a virus program called LIFE_STAGES.TXT.SHS. The .SHS means it’s a SHell Scrap object program. When you open it, you see the comment about the stages of life. (You see it in a Notepad window.) While you read that comment, the virus secretly infects your computer, so your computer transmits the virus to 100 randomly-chosen people in your Outlook address book and to Internet chat groups.
After e-mailing the virus to your friends, the computer erases those e-mails from your Sent folder, so you don’t know the e-mails were sent. To stop you from eradicating the virus by editing the registry, the virus changes the name of the computer’s REGEDIT.EXE program to “RECYCLED.VXD”, then moves it to the Recycle Bin and makes it a hidden file so you can’t see it.
The virus is called Life Stages (or just Stages). You can remove it by using the Internet to go to www.symantec.com/
(From the USA in September 2000) This virus offers to tell you a naughty story about Snow White.
It comes in an e-mail whose subject line tries to say “Snow White and the Seven Dwarfs — the REAL story!” and claims to be from firstname.lastname@example.org. The e-mail’s body tries to send this message:
It sends that subject and message in slightly flawed English (for example, it says “Snowhite” instead of “Snow White”) or in French, Spanish, or Portuguese — because the virus is smart enough to analyze your computer to find out which language you seem to prefer!
To find out the rest of the sexy story, you’re encouraged to open the attachment (which the English version calls “sexyvirgin.scr”, “midgets.scr”, “dwarf4you.exe”, or “joke.exe”). If you click that attachment, you’ll launch the multilingual virus, which will infect your WSOCK32.DLL file and thereby watch you forevermore! Whenever you send or receive an e-mail (or view a Web site that mentions an e-mail address), the virus will notice, then delay awhile, then send itself to that e-mail address; so if you try to send an e-mail to a friend, your friend will get two e-mails from you, the second one being the Snow White story with virus.
The virus tries to communicate with a newsgroup called alt.comp.virus so it can send and receive new fancier versions of itself by swapping intelligence with copies that are on other computers. For example, one of the new fancy features puts a spinning spiral onto your computer screen once an hour (whenever your computer’s clock says the number of minutes is 59). To drive you extra crazy, the spiral also appears all day on September 16 & 24. Another fancy feature copies the virus into all your .EXE files, so that those files will still run but are infected, making the virus hard to remove.
The virus is also called Hybris, since the attachment includes a copyright notice saying the virus is called “HYBRIS (c) Vecna”.
(From Sweden in March 2001) This virus, called Magistrate or Magistr, targets magistrates, judges, and lawyers.
After your computer is infected, it spreads to your colleagues by e-mail and networks. Then it waits, still lurking in your computer.
If 2 months have passed, then on odd-numbered days your desktop’s icons will run away from the mouse pointer whenever you try to click them.
If 3 months have passed, the infected file is deleted.
If you’re a judge or lawyer, this virus is especially dangerous, because of this rule: if at least 1 month has passed and at least 100 colleagues were infected and at least 3 of your files contain at least 3 legal phrases (in English, French, or Spanish), it wrecks your computer thoroughly, by doing all this:
For example, here are the English legal phrases it looks for:
The virus program includes this note (which isn’t printed on the screen):
The virus comes in a strange e-mail:
(From the USA in July 2001) Of all the viruses, this one (called Sircam) does the most to destroy your privacy, because it grabs a document you wrote and secretly sends it to somebody you never intended to receive it!
This virus can get very embarrassing. For example, if you wrote a private note, to a friend, about how much you hate your boss, the virus might secretly send that note to your boss!
It sends e-mail to every e-mail address mentioned in your address book or your Web cache.
Each e-mail it sends has a 3-line body. The top line says:
The middle line is one of these:
The bottom line says:
Exception: if your computer uses Spanish instead of English, the 3-line message is sent in Spanish.
Attached to the e-mail is a document which you created by using Microsoft Word or WordPad or Excel or Winzip, and which the virus copied from your “My Documents” folder. The attached copy is really the virus with your document glued inside it: the virus keeps the document’s name and tacks a second extension (such as .pif, .lnk, .bat, or .com) onto the end, so “Budget.xls” arrives as “Budget.xls.pif”. Since Windows usually hides that final extension, the attachment looks like a plain document; when the recipient double-clicks it, the virus runs first and secretly infects the recipient’s computer, then shows the document so nothing seems wrong. The document’s name is also used as the e-mail’s subject.
If you’re on a local-area network, the virus tries to spread itself to the rest of the network through shared folders. The virus is supposed to also destroy some files; but its author made a programming error, so that destruction rarely if ever happens.
(From the USA in September 2001) If you spell “admin” backwards, you get “nimda”, which is the name of this virus. It spreads four ways: by e-mail, through open network shares, by breaking into Microsoft IIS Web servers (through holes Microsoft had already patched, plus back doors left behind by the earlier Code Red II virus), and from infected Web servers to anybody who browses their pages with an unpatched Internet Explorer. On a server it attacks the network’s security by making every “guest” user get “administrator” privileges (it turns on the Guest account, adds it to the Administrators group, and shares out the hard disk), so a hacker can log in as a guest and take over the whole computer network.
When being transmitted through e-mail, the virus comes as an e-mail attachment called README.EXE, in an e-mail that has a blank body and usually a blank subject.
If you receive such an e-mail, you’ll get infected even if you don’t open the attached README.EXE file: just viewing the e-mail’s blank body (in the preview pane of an unpatched Outlook or Outlook Express) infects you, because this virus uses a trick called “Automatic Execution of Embedded MIME type”. The attachment is labeled as a harmless sound file (audio/x-wav) even though it’s a program, and old versions of the Internet Explorer engine that those mail programs use trusted the label and ran the file automatically. Microsoft had fixed that flaw in March 2001 (security bulletin MS01-020), but many computers never installed the fix. That trick makes the virus spread fast.
To confuse you, the virus sends out the e-mails, then goes dormant for 10 days, then sends out e-mails again, then goes dormant again, alternating forever. During each 10-day dormancy period it sends no e-mails, so you think you’ve been “cured”; you get annoyed and confused when 10 days later you get another burst of e-mails.
To make sure you don’t erase the virus, it infects your computer’s .EXE files and scatters copies of itself (as .EML, .NWS, and .TMP files) throughout your folders.
A variant called Nimda.E comes in an attachment called SAMPLE.EXE instead of README.EXE.
(From China in October 2001) This virus comes in 9 versions, called Klez.A, Klez.B, Klez.C, Klez.D, Klez.E, Klez.F, Klez.G, Klez.H, and Klez.I. The most common is Klez.H. Here’s how Klez.H works.
If your computer is infected, the virus looks all over your computer’s hard disk for e-mail addresses, then forces the computer to send an e-mail to each of those people.
The virus uses a trick called address spoofing: the virus makes each e-mail message pretend to be from an innocent bystander instead of from you. In the e-mail’s “From” field, instead of your return e-mail address, the virus inserts the e-mail address of an innocent bystander: an uninfected person whose e-mail address happened to be on your computer’s hard disk (such as in your Inbox or Outbox). When the e-mail reaches its victim, if the victim is using an antivirus program and notices the virus, the victim will blame the innocent bystander instead of you. You’ll never be warned that you’re spreading the virus, and you’ll keep infecting more people, without you or your friends knowing that you’re the spreader. The “From” line is just text the sending program writes; the only trustworthy record of where an e-mail came from is the chain of “Received” lines that the mail servers add on the way, which most e-mail programs hide from you.
Another trick: Klez.H often comes in this e-mail, which pretends to be protection against Klez.E but actually contains Klez.H. The e-mail’s subject is “Worm Klez.E immunity” and the body says the following (I’ve edited out some bad grammar):
That e-mail is a lie: the e-mail itself contains the Klez.H virus.
Klez.H often comes instead in an e-mail containing an attached innocent document copied from the sender’s computer. Klez.H borrowed that technique from Sircam.
Klez.H can also come in an e-mail, pretending to be from your ISP’s postmaster, saying that you sent an e-mail that bounced and to look at the attached file.
Like Nimda, Klez.H can infect you even if you don’t open the attachments (it uses the same Internet Explorer MIME flaw). Klez.H contains routines to disable and destroy antivirus programs. Klez.H also gives you a present: a second virus, called Elkern, which tries to corrupt all your computer’s programs by inserting itself into each .EXE file.
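The three tricks described above (Sircam’s document with a second extension tacked on, Nimda’s attachment labeled as a sound file, and Klez’s forged “From” line) can all be spotted by looking at the raw e-mail rather than at what the mail program shows. Here is an added example, not code from the original page, that parses one constructed message and reports each symptom; the hosts, addresses, file name, and the lists of extensions are assumptions made for the illustration:

```python
"""Triage of a suspicious e-mail: forged From line, executable attachment
hiding behind a document extension, and a MIME label that contradicts the
file name. Added example; the sample message is constructed, not captured."""
import re
from email import policy
from email.parser import BytesParser

# Extensions Windows runs on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "lnk", "vbs", "js"}
# Extensions that look like harmless documents and so make a good decoy.
DOCUMENT_EXTS = {"doc", "xls", "zip", "txt", "pdf", "jpg", "gif"}

# Constructed sample. Received lines are listed newest first, so the LAST
# one names the computer that actually handed the message to a mail server.
SAMPLE = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.victim.example (Postfix) with ESMTP id ABC123
Received: from dialup-77.isp.example ([198.51.100.77])
\tby mail.example.net with SMTP
From: "Alice" <alice@bystander.example>
To: bob@victim.example
Subject: Budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hi! See the attached file and tell me what you think.
--XYZ
Content-Type: audio/x-wav; name="Budget.xls.pif"
Content-Disposition: attachment; filename="Budget.xls.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""


def parse(raw: bytes):
    """Parse raw message bytes into an EmailMessage with structured headers."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def originating_host(msg):
    """Host named in the earliest Received line, i.e. where the mail entered."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"\s*from\s+(\S+)", str(received[-1]))
    return m.group(1).lower() if m else None


def from_domain(msg):
    """Domain claimed by the From line; the sender can write anything here."""
    addresses = msg["From"].addresses
    return addresses[0].domain.lower() if addresses else None


def from_looks_spoofed(msg):
    """True when the claimed From domain and the real entry point disagree.
    Crude: legitimate mail sent through a third-party provider trips it too,
    so treat the result as a reason to look closer, not as proof."""
    origin, claimed = originating_host(msg), from_domain(msg)
    if not origin or not claimed:
        return False
    return not (origin == claimed or origin.endswith("." + claimed))


def attachment_findings(msg):
    """Flag executable attachments, document-decoy double extensions, and
    attachments whose declared MIME type contradicts their executable name."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = [e.lower() for e in name.split(".")[1:]]
        declared = part.get_content_type()
        if not exts or exts[-1] not in EXECUTABLE_EXTS:
            continue
        findings.append(f"{name}: runs as a program (.{exts[-1]})")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"{name}: .{exts[-2]} is a decoy hiding .{exts[-1]}")
        if not declared.startswith("application/"):
            findings.append(f"{name}: labeled {declared} but is a program")
    return findings


def triage(raw: bytes):
    """Return every reason this message deserves suspicion."""
    msg = parse(raw)
    reasons = attachment_findings(msg)
    if from_looks_spoofed(msg):
        reasons.append(f"From claims {from_domain(msg)} but mail entered "
                       f"from {originating_host(msg)}")
    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print(reason)
```

Run against the sample, the script reports four problems: an attachment that runs as a program, an .xls extension used as a decoy, a sound-file label on a program, and a From domain that doesn’t match the computer the mail actually came from. The From check is deliberately loose; real mail sent through a provider such as a webmail service will also fail it, so it should trigger a closer look, not an automatic verdict.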
The virus is called “Klez” because it contains this message, which is not displayed:
(From Germany in January 2004) This virus began as a program named bbeagle.exe, so it’s called “Beagle”, but some reporters made an error and accidentally called it “Bagle”. If you hear about a “Bagle” virus, it has nothing to do with bagels you eat for breakfast! As a joke, many virus experts now call it the “Bagle” virus.
The original version of this virus, Beagle.A, was polite: it was invented on January 18, 2004 but was programmed to stop spreading itself on January 28, 2004. So after January 28, 2004, no more people would get infected by Beagle!
Beagle.A did little harm except spread itself, though it also quietly opened a back door (listening on TCP port 6777) through which its author could send it commands. Its main visible symptom was that it automatically turned on the Windows Calculator program, calc.exe (which you’d otherwise run manually by clicking Start then Programs then Accessories then Calculator).
Unfortunately, many other versions of Beagle were invented afterwards: Beagle.B, Beagle.C, etc., up through Beagle.X. They’re nastier and compete against the Netsky virus, described below.
(From Germany in February 2004) A 17-year-old German high school student, Sven Jaschan, called himself SkyNet and invented a virus called Netsky. Then he wrote 27 more versions of it — and invented a more powerful virus, called Sasser.
Those viruses, especially Sasser, screwed up millions of computers around the world and made people distrust the security of Windows XP. Microsoft offered a reward of $250,000 to find out who wrote those viruses. In May 2004, Sven’s friends turned him in, to collect the reward, and he confessed. Under German law, he could receive up to 5 years in jail, though the court will probably be lenient since he was under 18 when he wrote the viruses.
His mom, Veronika, runs a computer consulting company called “PC Help” from her basement, and cynics think Sven wrote the viruses there to create more business for her, but probably his main goal was just to compete against the writer of Beagle. Newspapers call him the “world’s most annoying teenager”.
Here’s how Netsky works. (I’ll explain Sasser on the next page.)
Netsky.A
The first version of Netsky, called Netsky.A, came in this e-mail:
Gee, if you got an e-mail like that, you’d be real tempted to read the attachment, wouldn’t you? The attachment contains the virus.
To further convince you that the e-mail is real, the e-mail’s body includes an Auction ID number and a Product ID number (which are fake), and the e-mail’s address is spoofed (so it pretends to be from “EBay Auctions” or “Yahoo Auctions” or one of their competitors).
That’s Netsky.A. Later came more powerful variants, called Netsky.B, Netsky.C, etc., up through Netsky.Z, then Netsky.AA, Netsky.AB, and Netsky.AC.
The most widely distributed version of Netsky is Netsky.P, which is smart: it can generate many kinds of e-mail subjects and e-mail bodies, by choosing them from a long list inside the virus.
For example, here are some of the subjects and bodies it can send you:
At least one of those e-mails will make you curious enough to open the attachment, which contains the virus.
To encourage you to open the attachment, the virus pretends the attachment was approved by an antivirus program. The body ends with a comment such as —
or a similar comment mentioning one of the other 7 antivirus companies. The comment is a lie, written by the virus itself!
Even if you don’t open the attachment, you can get the virus just by reading the body (on an outdated, buggy version of Outlook Express or Outlook: Netsky.P uses the same Internet Explorer MIME flaw, MS01-020, that Nimda and Klez exploit).
Netsky.P erases some other viruses, so that Netsky.P will be the remaining, dominant virus on your machine and SkyNet will be acknowledged as the master of evil. (But Netsky.P will not erase the Sasser virus, which was created by SkyNet also! Netsky.AB pretends to erase the Sasser virus but doesn’t.)
To taunt the competitor who wrote the Beagle virus (which is also called “Bagle”), Netsky.P contains this message (which is not displayed):
Your computer can attack an Internet Web-site server computer (called the target) by sending so many bogus requests to the target computer that it can’t keep up with them all. The target computer becomes so preoccupied with your requests that it neglects all the other work it’s supposed to be doing, so nobody else can access it. Everybody who tries to access it is denied service because it’s too busy. That’s called a denial-of-service attack (DoS attack).
In the classic form of the attack, called a SYN flood, each “bogus request” is the first packet of a TCP connection (a SYN), asking the target to begin a conversation. The target replies (with a SYN-ACK) and reserves a slot in memory for the half-open connection while it waits for the final acknowledgement; but the request’s return address is a spoof (a fake address that doesn’t exist or doesn’t answer), so the acknowledgement never arrives and the slot stays reserved until a timeout of a minute or so expires. The attacking computer keeps sending such requests faster than the slots expire, until every slot is taken and the target has to drop the connection attempts of real users. Modern operating systems defend against this with “SYN cookies”: instead of reserving a slot for each half-open connection, the target encodes the connection’s details into the sequence number of its reply and stores nothing until a genuine acknowledgement comes back.
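To make the mechanism concrete, here is an added example (not code from the original page, and it sends no packets) that simulates a listening socket’s table of half-open connections. An attacker floods it with SYNs from forged addresses, then a real client tries to connect, first with the table’s slots held by the forged requests and then with SYN cookies turned on. The table size, the 30-second timeout, the addresses, and the packet counts are invented for the illustration:

```python
"""Simulation of half-open-connection exhaustion (a SYN flood) with and
without SYN cookies. Added example; no network traffic is generated, and
the backlog size, timeout, addresses and counts are invented."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    """A TCP listening socket's table of half-open connections."""
    backlog: int = 128            # slots the kernel holds for half-open connections
    syn_timeout: float = 30.0     # seconds to wait for the handshake's final ACK
    syn_cookies: bool = False     # stateless defense: store nothing until the ACK
    half_open: dict = field(default_factory=dict)  # (src, sport) -> expiry time
    refused: int = 0              # SYNs dropped because the table was full

    def _expire(self, now):
        """Free the slots whose acknowledgement never arrived in time."""
        for key in [k for k, deadline in self.half_open.items() if deadline <= now]:
            del self.half_open[key]

    def on_syn(self, src, sport, now):
        """Handle a SYN. Returns True if a SYN-ACK was sent, False if dropped."""
        self._expire(now)
        if self.syn_cookies:
            # The connection details are encoded in the SYN-ACK's sequence
            # number, so a spoofed SYN costs no memory and cannot fill anything.
            return True
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return False
        self.half_open[(src, sport)] = now + self.syn_timeout
        return True

    def on_ack(self, src, sport, now):
        """Handle the final ACK. Only a real client ever sends one."""
        self._expire(now)
        if self.syn_cookies:
            return True   # a real kernel recomputes and checks the cookie here
        return self.half_open.pop((src, sport), None) is not None


def syn_flood(listener, count, start=0.0, per_second=1000.0):
    """Attacker: `count` SYNs from forged addresses that never answer."""
    for i in range(count):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # forged source
        listener.on_syn(src, 40000 + i % 20000, start + i / per_second)


def legit_connect(listener, now):
    """Real client: SYN, then its ACK 50 ms later. True if the connection completes."""
    if not listener.on_syn("192.0.2.7", 51515, now):
        return False
    return listener.on_ack("192.0.2.7", 51515, now + 0.05)


def run(syn_cookies, connect_at=1.0):
    """Flood 1000 spoofed SYNs in the first second, then let a real client try.
    Returns (did the real client connect?, how many SYNs were refused)."""
    listener = Listener(syn_cookies=syn_cookies)
    syn_flood(listener, 1000)
    return legit_connect(listener, connect_at), listener.refused


if __name__ == "__main__":
    print("no cookies, during the flood:", run(False))           # (False, 873)
    print("no cookies, after slots expire:", run(False, 40.0))   # (True, 872)
    print("SYN cookies, during the flood:", run(True))           # (True, 0)
```

Without cookies, the 128 slots fill in the first eighth of a second, the remaining 872 forged SYNs are refused, and so is the real client; once the 30-second timeout frees the slots the real client gets through, which is why real attacks keep the flood going continuously. With cookies on, nothing is stored for a half-open connection, so the forged SYNs cost the target nothing and the real client connects at once.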
Denial-of-service attacks became widely publicized in 1996, when a SYN flood knocked the New York Internet provider Panix off the Internet for days. In March 1998, denial-of-service attacks successfully shut down Internet computers run by the Navy, the US space agency (NASA), and many universities.
Distributed DoS attacks
In the summer of 1999, an extra-powerful denial-of-service attack was invented. It’s called a distributed denial-of-service attack (DDoS attack). Here’s how it works: the attacker first breaks into many poorly secured computers (often hundreds or thousands of them) and plants an attack program on each; those computers are called zombies or agents. A separate program, the handler, lets the attacker send one command to all the zombies at once, telling them which target to flood and when. Since the flood comes from many computers in many places simultaneously, it’s far bigger than one computer could generate, and the target can’t defend itself just by blocking one source.
The first DDoS attack tools (often loosely called viruses) were Trin00 and Tribe Flood Network (TFN). Shortly afterwards came versions that were more sophisticated: Tribe Flood Network 2000 (TFN 2K) and Stacheldraht (which is the German word for “barbed wire”); Stacheldraht added encrypted communication between the attacker and the handlers, so that network monitors couldn’t read the commands.
Those tools are flexible: the attacker can point them at any target. Though the inventors of those tools said they were just “experiments”, other folks used them to attack Yahoo and many other Web sites in February 2000. The attacks were successful: they shut down Yahoo, CNN.com, Amazon.com, eBay.com, eTrade.com, Buy.com, Datek.com, and the FBI’s Web site.
(From the USA in August 2003) The Blaster virus tries to launch a DDoS attack against Microsoft, specifically against windowsupdate.com, starting on August 16. After Blaster was unleashed, Microsoft quickly removed that name from the Internet’s directory (windowsupdate.com had merely redirected people to the real update site, windowsupdate.microsoft.com), so the flood had nowhere to go and no lasting damage was done to Microsoft.
But Blaster has a nasty side effect: the hole it exploits is in the Windows RPC service, and its break-in attempt often crashes that service, so an infected (or merely attacked) computer shows an error saying the RPC service terminated unexpectedly and then reboots about a minute later, over and over.
Blaster spreads through a flaw in the RPC service of Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 (Microsoft security bulletin MS03-026, published July 16, 2003). Its break-in code was written for Windows XP and Windows 2000, so those are the versions it actually infects; NT and Server 2003 computers can still be crashed by its attempts. Blaster does not infect Windows 95, 98, or Me, which have no such RPC service.
Blaster can spread through any Internet connection, not just through e-mail: it scans the Internet for computers listening on TCP port 135 (the RPC port). Whenever your unpatched computer is connected to your Internet Service Provider (ISP) without a firewall, you can get infected, even if you’re not using e-mail and not using the Web.
The virus is a file called msblast.exe, which it puts in your Windows folder’s System32 subfolder, and it adds a registry entry named “windows auto update” so it runs every time Windows starts.
To protect against this virus, download Microsoft’s correction to Windows XP (and variants), security bulletin MS03-026, from Microsoft’s Website (windowsupdate.microsoft.com), and turn on Windows XP’s built-in Internet Connection Firewall so that port 135 can’t be reached from the Internet. If you’ve already been infected by the virus, here’s how to get rid of the virus (if you’re using Windows XP):
(From Germany in April 2004) Sasser, invented by Sven Jaschan (the same kid who wrote the Netsky virus), is often called a Blaster variant because it behaves like Blaster, though it uses a different hole: a flaw in the Windows LSASS security service (Microsoft security bulletin MS04-011, published April 13, 2004), reached over TCP port 445. Like Blaster, Sasser spreads to other computers over any ISP connection without using e-mail, makes computers crash and reboot, and can be stopped by turning on a firewall and updating Windows.
Sasser affects just Windows XP and Windows 2000. (It does not affect Windows 95, 98, Me, NT, or Server 2003.)
Sasser comes in several versions (Sasser.A through Sasser.D appeared in its first week, and more followed).
Blaster launches a DDoS attack (on Microsoft), but Sasser doesn’t launch any DDoS attack: it just spreads itself rapidly to computers all over the world, crashing them as it goes.