


Computer Virus

In the computing world there is a destructive class of software called the computer virus. A computer attacked by a virus can be made deficient in many ways. In this module, we shall address the following:

a.     Basic concept of computer virus.
b.     Carriers of computer virus.
c.     Phases of computer virus infection.
d.     Signs and symptoms of computer virus.
e.     Prevention of computer virus.
f.     Cure of computer virus.
g.     Case study of the positive and negative use of computer virus technology.

Basic Concept of Computer Virus

A computer virus is a program written by a programmer with the ulterior motive of making the host computer it infests deficient in many ways. Strictly, a virus is code that attaches itself to a host program and replicates when that program is run; in this module the term is also used in the broad sense that covers the worm, the trojan horse and the time bomb, each described below.

A worm is a self-contained program that copies itself without needing a host program. In the form discussed here, it searches for unused computer memory space and rewrites itself there repeatedly until the unused memory is exhausted; across a network, the same technique copies the worm from one computer to the next. The copies replicated in memory are linked to one another with the aim of preventing the smooth running of any legitimate program. The ultimate goal of such a worm is to force a total breakdown or crash of the host computer.

A trojan horse is a program that presents itself as something legitimate and useful (a utility, a game, an update) while secretly carrying code that does harm. While the apparently legitimate part runs and produces legitimate results, the hidden part works to destroy or damage files resident on the host computer. A trojan horse looks friendly on the outside but is capable of great havoc inwardly. The name comes from the wooden horse of Greek legend, which the Trojans accepted as a gift and which concealed the soldiers who opened the city gates from inside. Unlike a virus proper, a trojan horse does not normally replicate itself.

A time bomb (also called a logic bomb) is a form of computer virus designed to execute when a particular event occurs. When that event occurs the time bomb "explodes" and may cause anything from annoyance to serious damage to the host computer. Typical triggering events are:

a.     December 25th, Christmas Day. If a computer infested with a Christmas virus is turned on that day, a Christmas tree is automatically displayed on the screen. If the host computer is switched off and turned on again at any time from December 25th to December 31st, the Christmas tree is displayed again. The ultimate goal is to prevent you from using your computer during that period; the computer becomes usable again when the tree disappears on the first of January.
b.     A time bomb can be coded to activate and destroy a working copy of a software package such as SPSS if an attempt is made to make a fourth copy of the package. A time bomb of this nature is coded to protect the copyright of the package.
c.     A time bomb can be coded to activate and tell the story of the crucifixion of Jesus Christ every hour between Good Friday and Easter Monday. The ultimate goal of the time bomb is to prevent the user of the infested computer from using the host computer.

Software threats to computer performance have existed for a long time, but the extent of the damage they could cause was not widely noticed in the early days as it is today. One reason is that direct interaction with early computers was the exclusive preserve of computer operators and systems engineers, who were usually on the payroll of the computer manufacturers. Today there are different sizes of computer, namely mainframe computers, minicomputers and microcomputers, and the most commonly used type in recent times is the microcomputer.

Although viruses have occurred less often on minicomputers and mainframes than on microcomputers, the potential for damage there is far greater. Recent developments in Information Technology (IT) emphasise computer networks. A computer network is the interconnection of two or more computers with a view to sharing resources such as software packages, files and input-output devices. At the time of writing, the major medium of transmission of computer viruses is the floppy disk (diskette). In a network, data are transmitted online from one computer to another, so the transmission media, such as the cables of a Local Area Network (LAN), constitute another major medium of transmission. Computer viruses therefore spread wherever information travels, and they can distribute themselves throughout a network regardless of how the computers are connected. Where microcomputers are connected to a mainframe or minicomputer, an infected microcomputer exposes the files held on the mainframe or minicomputer, and through them every other microcomputer on the network, to the virus.

The features responsible for the wide spread of computer viruses are the following:

a.     The proliferation of microcomputers.
b.     The development of user-friendly and interactive software packages, which gives non-experts in computing the ability to program computers.
c.     Microcomputers typically lack the hardware and software controls (memory protection, privilege levels) that protect application programs from one another and the operating system from application programs.
d.     Hardware and software compatibility among microcomputers, which has facilitated the free sharing of programs among users.
e.     The microcomputer market is dominated by IBM-compatible microcomputers. A virus written to run on one IBM-compatible microcomputer can therefore potentially affect a huge number of other computers.

Carriers of Computer Virus

Computer viruses can be introduced into a computer system from a variety of sources. Among the known sources are infected computer systems, application software, software packages, proprietary software, fake computer games, the communication medium in a computer network environment, and shareware.

A computer virus operates much like a biological virus. A file-infecting virus is executable code that replicates by attaching itself to another executable program file (.EXE or .COM). The virus is transmitted when infected files are copied to a computer hard disk. Each time an infected program is executed, the virus attaches itself to further programs or does whatever else its designer intended. If a computer is infected, any floppy disk used on it is vulnerable to infection; any computer on which that floppy disk is then used is in turn vulnerable, and so the spread of a virus may continue indefinitely. The activation of a virus may not be immediate, and when it does occur the damage may be irreparable.
Some software houses have taken what they see as a positive step towards protecting their copyright by building viral code into the software packages they develop. The virus may be built to keep count of the number of copies of the package made after purchase. When the count reaches the preset number of permitted copies, a message may be displayed on the screen warning against further copying. Any attempt to make a further copy after this message has been displayed may activate the virus and corrupt selected files such as .EXE, .COM and data files on the target computer. Copies of the software used on any other computer may cause similar damage. The author has had this experience with Norton Antivirus and the Statistical Package for the Social Sciences (SPSS/PC+).
Software packages are analysed, designed, compiled and test-run on computers in the laboratories of software houses. There is always a risk that the package diskettes become infected in the laboratory where the package is developed. Infected diskettes may not be detected before they are packaged for mass sale to vendors, who in turn sell to customers.

During the development of software packages, a programmer may engage in some recreational activity. One such activity is coding a fake game whose primary motive may be amusement. There are a number of viruses which, when activated, display funny pictures such as Christmas trees, the picture of a lady, or a message giving an account of the love affair between the programmer and a lady he met during a summer holiday. A fake game may be coded and given a fascinating name which a computer user cannot resist trying to run. While the game runs, the game board or a funny diagram is displayed on the screen for a period during which the monitor is out of use. There is, for example, a virus known as "sexy ladies" which, when run, puts up a nasty message on the screen and then erases the contents of the hard disk.

Both freeware and shareware programs are commonly available from Bulletin Board Systems (BBS). The idea is that a programmer develops an application program and announces it to a community of users via electronic mail; a user may then subscribe to the software by paying a registration fee directly to the programmer. In some cases the programmer has the ulterior motive of doing havoc to any host computer on which the software is run. Such software should be treated with caution and initially used in a controlled environment until it has been clearly shown not to contain viral or destructive code. Many commercial organisations have banned the introduction and use of shareware by staff on the company's computer installation, and in some the contravention of this policy by any computer personnel or user is a dismissable offence. Software distributed via computer networks is an obvious target for virus writers, since the network provides a built-in method for widespread and anonymous propagation.

The major carriers of computer viruses are:

a.     The floppy disk. A floppy disk is the commonest removable secondary storage medium and is easily transported from one computer environment to another; software houses also sell their packages in the form of floppy disks and documentation manuals. When a virus-infested floppy disk is used on a computer, that computer stands a very high risk of being infested with the virus, and any floppy disk used thereafter on the infested computer stands a serious risk of being infested in turn.
b.     The network. In a computer network environment, a virus can be carried from one site to another via the transmission medium, such as the cable.


Phases of Computer Virus Infection

Analysis of known viruses shows that a successful virus generally goes through the four phases outlined below.

The first phase of an attack is placing the viral code where it will be executed, so that it can install itself in main memory. Methods used to install viral code in memory include:

a.     Modification to .EXE or .COM files.
b.     Modification or replacement of the Boot Sector.
c.     Modification or replacement of the Partition Record.
d.     Modification or replacement of device drivers.
e.     Modification of .OVL overlay files.

The second phase involves saving the viral code to hard or floppy disk in a way that makes it difficult to detect and remove. The layout of a Microsoft Disk Operating System (MS-DOS) disk provides the following areas, which are largely hidden from users and are normally reachable only through low-level disk access (for example the BIOS INT 13h services), not through ordinary file commands:

a.     Boot Sector 0.
b.     Sectors marked bad in the File Allocation Table (FAT), which DOS will never allocate to a file or read on a user's behalf.
c.     Track 41, a track beyond those DOS formats and uses on a 40-track diskette.
d.     Intersector gaps.
e.     Partition Record (hard disk only).
f.     .EXE, .COM, .OVL or .SYS files.
g.     Hidden files.

One of the most common techniques used by virus writers is to copy Boot Sector 0 to an unused sector on the disk and then overwrite Boot Sector 0 with viral code. Whenever the disk is booted, the viral code is executed and loaded into memory. The viral code then loads the original boot sector from its new position and passes control to it, and the system is able to continue apparently normally. Because the virus usually keeps the disk parameter block and the boot signature in the new sector 0, DOS still recognises the disk, and the sector holding the original boot sector is often hidden by marking its cluster bad in the FAT.
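As an added example, not part of the original module: a Python inspection of a FAT12 floppy image that checks for two of the hiding places listed above, a replaced boot sector and clusters falsely marked bad in the FAT. The image is built in memory and then tampered with in the way just described (original sector 0 parked elsewhere, new code in sector 0, parking clusters marked bad); the byte pattern used for the "viral code" and the choice of cluster 100 are arbitrary stand-ins. The point it makes is that the structural checks still pass after the tampering, because the BPB and boot signature were preserved, so only comparison against a hash recorded while the disk was clean catches the change.

```python
"""Added example (not from the page): inspect a FAT12 floppy image for a
replaced boot sector and for clusters marked bad.  The image, its contents
and the tampering are all constructed in memory; no real disk is touched."""
import hashlib
import struct

SECTOR = 512
FAT12_BAD = 0xFF7                # FAT12 value marking a cluster "bad" (unusable)
BPB_FORMAT = "<HBHBHHBHHH"       # BIOS Parameter Block fields starting at offset 11
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors", "media",
              "sectors_per_fat", "sectors_per_track", "heads")


def parse_bpb(boot):
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, boot, 11)))


def baseline_hash(img):
    """SHA-256 of sector 0, to be recorded while the disk is known clean."""
    return hashlib.sha256(bytes(img[:SECTOR])).hexdigest()


def check_boot_sector(boot, baseline_sha256=None):
    """Structural sanity checks, then comparison with the recorded baseline."""
    findings = []
    if boot[510:512] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if boot[0] not in (0xEB, 0xE9):
        findings.append("first byte is not a jump instruction")
    bpb = parse_bpb(boot)
    if bpb["bytes_per_sector"] != SECTOR or bpb["num_fats"] not in (1, 2):
        findings.append("BPB values are implausible")
    if baseline_sha256 and hashlib.sha256(bytes(boot)).hexdigest() != baseline_sha256:
        findings.append("boot sector differs from the recorded baseline")
    return findings


def fat12_get(fat, n):
    """Read 12-bit entry n; two entries share every third byte."""
    off = n + n // 2
    if n % 2 == 0:
        return ((fat[off + 1] & 0x0F) << 8) | fat[off]
    return (fat[off + 1] << 4) | (fat[off] >> 4)


def fat12_set(fat, n, value):
    off = n + n // 2
    if n % 2 == 0:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)
    else:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = (value >> 4) & 0xFF


def first_data_sector(bpb):
    return (bpb["reserved_sectors"] + bpb["num_fats"] * bpb["sectors_per_fat"]
            + bpb["root_entries"] * 32 // bpb["bytes_per_sector"])


def bad_clusters(fat, bpb):
    """Clusters marked bad: a classic place to park code or the original boot sector."""
    last = 1 + (bpb["total_sectors"] - first_data_sector(bpb)) // bpb["sectors_per_cluster"]
    return [n for n in range(2, last + 1) if fat12_get(fat, n) == FAT12_BAD]


def inspect_image(img, baseline_sha256=None):
    bpb = parse_bpb(img[:SECTOR])
    fat_off = bpb["reserved_sectors"] * SECTOR
    fat = img[fat_off:fat_off + bpb["sectors_per_fat"] * SECTOR]
    return {"boot_findings": check_boot_sector(img[:SECTOR], baseline_sha256),
            "bad_clusters": bad_clusters(fat, bpb)}


def build_image():
    """Constructed, well-formed, empty 1.44 MB FAT12 image."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"                         # jump over the BPB
    boot[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FORMAT, boot, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    boot[510:512] = b"\x55\xAA"
    bpb = parse_bpb(boot)
    img = bytearray(bpb["total_sectors"] * SECTOR)
    img[:SECTOR] = boot
    fat = bytearray(bpb["sectors_per_fat"] * SECTOR)
    fat[0:3] = b"\xF0\xFF\xFF"                          # entries 0 and 1 hold the media byte
    for i in range(bpb["num_fats"]):
        start = (bpb["reserved_sectors"] + i * bpb["sectors_per_fat"]) * SECTOR
        img[start:start + len(fat)] = fat
    return img


def tamper(img, park_cluster=100):
    """Model of what the technique leaves on disk: original sector 0 parked in a
    data cluster, new code in sector 0 with BPB and signature kept so DOS still
    mounts the disk, and the parking clusters marked bad in every FAT copy."""
    img = bytearray(img)
    bpb = parse_bpb(img[:SECTOR])
    park = (first_data_sector(bpb) + park_cluster - 2) * SECTOR
    img[park:park + SECTOR] = img[:SECTOR]
    img[0x3E:0x1FE] = b"\xCC" * (0x1FE - 0x3E)          # arbitrary stand-in for viral code
    fat_off = bpb["reserved_sectors"] * SECTOR
    fat = img[fat_off:fat_off + bpb["sectors_per_fat"] * SECTOR]
    fat12_set(fat, park_cluster, FAT12_BAD)
    fat12_set(fat, park_cluster + 1, FAT12_BAD)
    for i in range(bpb["num_fats"]):
        img[fat_off + i * len(fat):fat_off + (i + 1) * len(fat)] = fat
    return img


if __name__ == "__main__":
    clean = build_image()
    base = baseline_hash(clean)
    print("clean:   ", inspect_image(clean, base))
    print("tampered:", inspect_image(tamper(clean), base))
```

Run against a real image (for example one taken with dd) the same functions apply unchanged; the baseline hash must be recorded from a disk that is known to be clean, which is the whole difficulty the page's later sections describe.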

The third phase is a test for a condition which, if met, activates the virus. The condition may be a specified time or date, or a specified number of copies of the viral code having been made.

The fourth and final phase is the action phase. During this phase the virus attacks the target system; the effect of the attack may be destructive or non-destructive.

Signs and Symptoms of Computer Virus

The presence of a virus may be indicated if one or more of the following signs and symptoms appear on a computer system. Any evidence of these or similar events should be an immediate cause for concern and requires the isolation and investigation of the computer.

a.     Unfamiliar graphics or quizzical messages appearing on the computer screen.
b.     A program that normally takes a short time to run suddenly begins to take a long time.
c.     Access to data stored in secondary storage takes unusually longer than before.
d.     Frequent display of unusual error messages on the computer screen.
e.     Frequent display of messages that the computer's memory is low.
f.     Irregular behaviour of the hard disk and floppy disk access light.
g.     The size of a file changes for no obvious reason.
h.     The dates of some files change for no obvious reason.
i.     The keyboard malfunctions without any hardware fault.
j.     Letters or segments of a text file drop out in an irregular manner.
k.     Some application programs fail to run.
l.     The computer takes an unusually long time to boot, or after booting it suddenly reboots, and this repeats at random intervals.
m.     Funny figures, words, sentences, pictures and so on appear on the screen indiscriminately.

Preventive Measures of Computer Virus

In today's data processing environment, which relies heavily on telecommunications and application programming, it is impossible to guarantee complete protection against computer viruses. Another factor that makes absolute protection impossible is that viruses, which may originate outside the organisation, are often transmitted inadvertently by people in the company who have legitimate access to the computer systems. Viruses and other security threats are not purely technical problems that can be solved by a technical solution alone. Prudent management policies and procedures must be instituted in conjunction with technological safeguards. For example, the use of anti-virus software or access control software can reduce the virus risk to an acceptable level, but cannot eliminate it.

In some instances, software tools capable of detecting a virus attack are also capable of preventing it. These products often work by requesting authorization from the user for system activities such as writing to an executable file or to the boot sector. The problem with many such products is their inability to differentiate between a valid system request and an invalid one. As a result, microcomputer users are warned of a high volume of system activity and are required to authorize each request. The user eventually learns to ignore the warnings, with the risk that a genuine attempt by a virus to overwrite a disk file is ignored too. Other products detect changes in both data and program files, typically by computing a checksum or cryptographic hash of each file and comparing it with a stored baseline. Unfortunately, such products can only detect viral action after the event and cannot prevent an attack.
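The change-detection approach just described, as an added example that is not part of the original module: a small Python baseline-and-compare tool that records size, last-write time and SHA-256 for every file under a directory and classifies what has changed. It also covers symptoms (g) and (h) from the list above, and flags the case a checksum catches but a date comparison misses: a file whose content changed while its date was put back. The directory, file names and contents are constructed for the demonstration.

```python
"""Added example (not from the page): a baseline-and-compare integrity check of
the kind described above, run over a constructed temporary directory.  The
file names and contents are invented stand-ins for DOS programs and data."""
import hashlib
import os
import tempfile
from pathlib import Path

PROGRAM_SUFFIXES = {".exe", ".com", ".sys", ".ovl"}   # what a file infector targets


def snapshot(root):
    """Size, last-write time (ns) and SHA-256 of every file under root."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snap[str(p.relative_to(root))] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            }
    return snap


def compare(baseline, current):
    """Classify differences; the hash is authoritative, size and date are hints."""
    report = {"modified": [], "grown": [], "stealthy": [], "added": [], "removed": []}
    for name, rec in current.items():
        old = baseline.get(name)
        if old is None:
            report["added"].append(name)
            continue
        if rec["sha256"] == old["sha256"]:
            continue
        report["modified"].append(name)
        if Path(name).suffix.lower() in PROGRAM_SUFFIXES and rec["size"] > old["size"]:
            report["grown"].append(name)        # symptom (g): a program file got longer
        if rec["mtime_ns"] == old["mtime_ns"]:
            report["stealthy"].append(name)     # content changed but the date was restored
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def demo():
    """Constructed scenario: baseline three files, then alter the directory the
    way an infection and ordinary use would, and compare."""
    root = Path(tempfile.mkdtemp())
    (root / "EDIT.COM").write_bytes(b"\xB4\x4C\xCD\x21")        # stand-in program
    (root / "GAME.EXE").write_bytes(b"MZ" + bytes(62))          # stand-in MZ header
    (root / "NOTES.TXT").write_text("meeting notes\n")
    baseline = snapshot(root)

    game = root / "GAME.EXE"                                    # "infect": append code ...
    st = game.stat()
    game.write_bytes(game.read_bytes() + b"\xCC" * 64)
    os.utime(game, ns=(st.st_atime_ns, st.st_mtime_ns))        # ... and put the date back
    notes = root / "NOTES.TXT"                                  # legitimate edit, later date
    notes.write_text("meeting notes\nedited\n")
    later = baseline["NOTES.TXT"]["mtime_ns"] + 10**9
    os.utime(notes, ns=(later, later))
    (root / "NEW.COM").write_bytes(b"\xC3")                     # a new program appears
    (root / "EDIT.COM").unlink()                                # a program vanishes
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {names}")
```

The baseline must be stored somewhere the virus cannot reach (a write-protected diskette, in the page's setting), and it must be taken while the files are known clean; otherwise the comparison only confirms that nothing has changed since the infection.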

Prevention of virus attacks may be achieved by implementing a security policy designed to protect the data held on microcomputers from a range of potential threats, including viruses. Such a security policy should include the following basic steps:

a.     Users should be informed of the need for data security and of the potential threats to the integrity of their data.
b.     All purchased software should be carefully examined before use. Load new software onto an isolated microcomputer that contains no critical or sensitive files.
c.     Procedures for evaluating new software should include tests for the presence of viral code.
d.     All software and data files should be backed up at regular intervals. It is advisable to back up executable code and data files separately, on different diskettes.
e.     Microcomputers must not be booted from diskettes that have not been shown to be free from viruses, and the system diskette should be kept write-protected.
f.     Programs downloaded from bulletin boards and those obtained from computer clubs should be carefully evaluated and examined for destructive code. As this is a difficult task, it is strongly recommended not to use software acquired from sources other than the major software houses.

The implementation of a security policy including, as a minimum, the basic steps outlined above will help to reduce the risk of a successful virus attack. The installation and use of anti-virus products may further improve the level of security of microcomputer systems and so reduce the risk further.

Curative Measures of Computer Virus

The nature of the problem created by viruses makes it impossible to prescribe a panacea for removing viruses from computer systems. A computer system affected by a virus attack needs to be investigated at a very detailed level by technical staff with a good understanding of microcomputer operating systems and disk formats. Although names have been given to some of the more widespread viruses, there is no reason to assume that the same program structure will be found in every version of a named virus; there is no guarantee, for example, that an "anti-Brain virus" program would work against all strains of the "Brain" virus. Anti-virus packages are produced on the basis of known viruses: a scanner looks for the signatures of viruses already in its database, so it cannot by itself recognise a newly discovered virus until its signature has been added. Generic methods such as integrity checking can reveal that an unknown virus has acted, but only after the event and without identifying it.

The following steps should be taken if a virus attack is suspected:

a.     Identify and isolate microcomputer and disks which could be affected.
b.     Seek the advice of a specialist to perform the following tasks:
     i.     Identification of viral code on affected disks.
     ii.     Removal of viral code from all affected disks.
     iii.     Evaluation of the integrity of data files and correction of data where necessary.
     iv.     Review of the security procedures to ensure that the risk of future virus attack is minimized.

c.     Determine how the virus was introduced to the system.

Three ways of treating a virus-infected computer system are presented below:

a.     Boot the computer from a known-clean, write-protected system diskette, so that no viral code is resident in memory, and then use an anti-virus package to scan the computer store for infected files; employ the "clean" module of the anti-virus to remove the known viruses, thereby curing the infected files.
b.     Computer viruses are discovered daily, and an anti-virus package can treat only the viruses that were known before it was developed. Where files are infected by a virus the package does not recognise, delete the infected files (again with the computer booted from the clean diskette) and restore uninfected copies from the original distribution diskettes or from a backup taken before the infection.
c.     Some viruses infect the Boot Sector, the File Allocation Table or the Partition Table, and a system infected in this way may fail to boot. Such a system can be cured by rewriting these structures: reformatting the hard disk and reinstalling the operating system, software packages, application programs, data files and text files. Remember that formatting destroys all stored data. Note also that a high-level FORMAT rewrites the boot sector and FAT of a partition but not the partition record (master boot record) itself; the partition record must be rewritten separately (FDISK /MBR on MS-DOS 5 and later), or a virus lodged there survives the reformat.

Case Study of Computer Virus Technology

This section presents the results of a research project that studies the negative and positive applications of computer virus technology. On the negative side, a computer viral production simulation software package is developed and implemented with the ulterior motive of using up the free space of the host computer's RAM while it runs, and the free space of the hard disk when its output reports are stored. On the positive side, the same package is modified to usefully monitor and control the creation (birth), update (survival) and deletion (death) of users' data and program files on the host computer's hard disk.

Overview of Case Study

In a biological sense, a virus is any of the various submicroscopic pathogens consisting essentially of a core of a single nucleic acid surrounded by a protein coat, having the ability to replicate only inside a living cell and causing disease in the host of the living cell. A computer virus is a computer program capable of reproducing itself only inside a computing system and causing the computing system to malfunction.

Biological viruses cause disease in people, but because a great deal has been learnt about them it has been possible to guard against them and, indeed, to use them to improve the treatment of some diseases. By the same token, computer viruses can make computing systems malfunction, but the same techniques can also lead to a remarkable improvement in the performance of information technology.

In this section an attempt is made to demonstrate that the features which make the computer virus a serious threat to computer integrity can be modified and used for the effective and efficient management of computing resources. The computing resources of interest in our research are the RAM and the hard disk.

On the negative side, we develop and implement a computer viral production simulation software package, coded in Pascal, with the ulterior motive of using up the free space of the host computer's RAM while it runs, and the free space of the hard disk when its output reports are stored. The package slows down the host computer, ultimately renders it powerless and causes it to hang. The host computer is brought back to life only when it is switched off, rebooted, and the hard disk is purged of the large files generated by the package.

On the positive side, the package is modified to usefully monitor and control the creation (birth), update (survival) and deletion (death) of users' data and program files on the host computer's hard disk. The ultimate goal of the modified package is to:

a.     Keep track of the users' files on the hard disk.
b.     Give notice of each user file that:

     i.     is more than one month old,
     ii.     has not been accessed or updated in the last month,
     iii.     occupies more than `x' Mbytes.

c.     Display the records of the offending files and delete them automatically at the third raising of an alarm.

The results obtained from the case study of the viral production simulation package are presented under "Simulation of Viral Production" (section 15.7.2) below; the results from the modified package are presented under "Automation of Computer Hard Disk Management" (section 15.7.3). Conclusions are drawn in section 15.7.4.

Simulation of Viral Production

A software package has been developed in the Pascal programming language to play the game of life in a Microsoft Disk Operating System (MS-DOS) environment. The objective of the package is to use up the free RAM and the free hard disk space of the host computer, with a view to rendering the host computer powerless.

The software package has been implemented on a Compaq Prolinea microcomputer with the following features:

a.     386 processor type
b.     25 MHZ processor speed
c.     2MB RAM
d.     40MB hard disk
e.     3.5 inches floppy drive
f.     VGA Colour monitor

The package is iterative, and the configuration of the checker board generated at the end of each iteration is by default stored temporarily in RAM. The package is run until it has used up the free RAM of the host computer. Consequently the host computer cannot be used, because no free RAM remains in which the package could pass control back to the operating system. The intermediate results generated by the package point to one another and block the channel of communication between the package and the operating system, bringing the host computer to a halt. The host computer comes back to life only when it is switched off, so that it loses the intermediate results held in RAM; the loss of those results frees enough RAM for the host computer to boot.

If the package is run on a large checker board for a large number of iterations, and the configuration of the board at the end of each iteration is stored on the hard disk of the host computer, the chances are very high that the free space on the hard disk will run out.

Automation of Computer Hard Disk Management

We view the computer hard disk as an array of blocks of storage space, each block holding a data or program file. Files are created on the hard disk at random. Some files may be kept and updated from time to time; others may be deleted at random, at the users' discretion.

The checker board of the game of life is viewed as a model, or abstract representation, of the computer hard disk. Note that the game of life is concerned with the birth (creation), survival (update) and death (deletion) of counters on the checker board. The implementation of the viral production simulation package presented above under "Simulation of Viral Production" has demonstrated the adverse effect of the arbitrary or indiscriminate creation of files in the computer's RAM and on its hard disk.

The computer operating system is a collection of programs responsible for managing computing resources such as memory, files, the processor, and input and output devices. The operating system includes utility programs for handling and managing data and program files. At the time of writing, the authors found no operating system utility that alerts users to the presence on the hard disk of uninfected files which have resided there for too long or are unduly large, and then deletes such files.

A modified computer viral production simulation software package has been developed with the primary goal of usefully assisting the management of the computer hard disk. The modified package serves as an interface between the operating system and the users, with the functional goals of:

a.     Keeping track of the users' files resident on the hard disk.
b.     Notifying the users or the Computer Operations Manager of the files that:

     i.     occupy `x' Mbytes or more of the hard disk,
     ii.     were created over a month ago,
     iii.     have not been accessed or updated in the last month.

c.     Automatically deleting from the hard disk the files that fall into categories b(i), b(ii) or b(iii) above at the third raising of an alarm.

The basic assumptions made in developing the modified package are:

a.     The hard disk has a root directory. Each software package, such as WordPerfect, Lotus, SPSS, Paradox or FoxPro, resides in a subdirectory of the root directory, and the data and program files of the users of a package are created in a subdirectory of that package's directory.
b.     Microsoft Disk Operating System keeps a single date and time stamp against each file in the directory, and the stamp is updated whenever the file is written. That is, if a file is created on February 01, 1997 and updated on March 10, 1997, the date shown against the file in the subdirectory will be March 10, 1997. Merely reading a file does not change the stamp, so "last accessed" in what follows means "last written".

The modified software package has been coded in the Pascal programming language in modules.

The first module (FMODULE) scans the hard disk of the host computer and generates a list of all the users' subdirectories.

The second module (SMODULE) updates the text file created by FMODULE with the users' files, showing the size and date of each file.

The third module (TMODULE) evaluates the size of each file and creates a file containing the list of files that are larger than or equal to `x' MB.

The fourth module (FTMODULE) evaluates the date each file was last written, which under MS-DOS is the only date recorded. It creates a file containing the list of files whose date falls outside thirty days; such a date means that the file was created over a month ago and has not been updated since.

The fifth module (VIOLATION) takes as input the files created by TMODULE and FTMODULE. On the first run it raises the first alarm by setting a counter to one for each file that violates the date or size constraint and displaying the offending files on the screen. A similar alarm is raised on the second and third runs of the modified package. At the third alarm, VIOLATION passes control to the sixth module (ERASER).

ERASER displays on the screen the information about all the users' files that violate the date or size constraint and deletes all the files displayed. ERASER also deletes all the temporary files created during the run of the modified package. Note that ERASER is not called until the third alarm has been raised by VIOLATION.

The last module (REMAIN) produces the list of the users' files left on the hard disk. The list is displayed on the screen to confirm that no file remaining on the hard disk violates the date or size constraints.
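The modules described above, as an added example in Python rather than the authors' Pascal (this is not the original package): find_violations plays the part of TMODULE and FTMODULE, raise_alarms of VIOLATION, and run_once wires in ERASER and REMAIN, keeping the alarm counters in a small JSON state file between runs. The thresholds (30 days, 2 MB), the state-file name and the sample files are assumptions, and deletion happens only when erase=True is passed explicitly, which is the safeguard a practitioner would want around any automatic eraser.

```python
"""Added example (not from the page): the alarm-then-erase file policy of the
modified package, in Python.  The age and size thresholds, the state-file name
and the sample files are assumptions; nothing is deleted unless erase=True."""
import json
import os
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 30            # the page's "over a month"
MAX_SIZE = 2 * 1024 * 1024   # the page's `x' MB, taken as 2 MB here
ALARMS_BEFORE_ERASE = 3


def find_violations(root, now=None, max_age_days=MAX_AGE_DAYS, max_size=MAX_SIZE):
    """TMODULE + FTMODULE: files that are too big or untouched for too long.
    Only the last-write time is used, which is all a DOS directory entry kept."""
    now = time.time() if now is None else now
    found = {}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        reasons = []
        if st.st_size >= max_size:
            reasons.append("size")
        if now - st.st_mtime > max_age_days * 86400:
            reasons.append("age")
        if reasons:
            found[str(p)] = reasons
    return found


def raise_alarms(violations, counters):
    """VIOLATION: count consecutive runs in which each file offends; a file that
    no longer offends drops out, so its count starts again from zero."""
    counters = {path: counters.get(path, 0) + 1 for path in violations}
    due = sorted(p for p, n in counters.items() if n >= ALARMS_BEFORE_ERASE)
    return counters, due


def run_once(root, state_file, erase=False, now=None):
    """One scheduled run: scan, raise alarms, optionally erase, list what remains."""
    state_file = Path(state_file)
    counters = json.loads(state_file.read_text()) if state_file.exists() else {}
    violations = find_violations(root, now)
    counters, due = raise_alarms(violations, counters)
    erased = []
    if erase:                                   # ERASER, only on the third alarm
        for path in due:
            os.remove(path)
            counters.pop(path)
            erased.append(path)
    state_file.write_text(json.dumps(counters))
    remaining = sorted(p.name for p in Path(root).iterdir())   # REMAIN
    return {"violations": violations, "due": due, "erased": erased, "remaining": remaining}


def demo():
    """Constructed run: one stale file, one oversized file, one healthy file,
    scanned on three separate occasions; erase is enabled only on the third."""
    root = Path(tempfile.mkdtemp())
    state_file = Path(tempfile.mkdtemp()) / "alarms.json"   # kept outside the scanned tree
    old = root / "OLD.DAT"
    old.write_bytes(b"x" * 10)
    stale = time.time() - 45 * 86400
    os.utime(old, (stale, stale))
    (root / "BIG.DAT").write_bytes(bytes(MAX_SIZE))
    (root / "FRESH.TXT").write_text("still in use\n")
    passes = [run_once(root, state_file, erase=(i == ALARMS_BEFORE_ERASE - 1))
              for i in range(ALARMS_BEFORE_ERASE)]
    for p in passes:
        p["erased"] = sorted(Path(x).name for x in p["erased"])
    return passes


if __name__ == "__main__":
    for i, p in enumerate(demo(), 1):
        print(f"run {i}: due={len(p['due'])} erased={p['erased']} remaining={p['remaining']}")
```

The counter is keyed by full path, so a file that is renamed or updated between runs loses its history, which matches the page's intent that only files left untouched across three consecutive inspections are erased.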

The modified software package has been implemented on a Compaq Prolinea microcomputer with the following features:

a.     386 processor type
b.     25MHZ processor speed
c.     2MB RAM
d.     40MB hard disk
e.     3.5 inches floppy drive
f.     VGA Colour monitor.

The list of the software package directories on the hard disk is:

a.     WP51
b.     Paradox3
c.     DOS
d.     Pascal
e.     Fortran
f.     Lotus
g.     Windows
h.     WP60
i.     FL
j.     Flow

