M. E. Kabay, PhD, CISSP-ISSMP
Professor of Computer Information Systems
Norwich University, Northfield, VT
This is another in a continuing series
devoted to how ordinary people can protect themselves when using the Internet.
As this course is being written, there are over 55,000 distinct forms of malicious
program code circulating in cyberspace. Most of these harmful programs are
limited to anti-virus laboratories and to the computers of virus hobbyists —
people who derive a perverted pleasure from playing with dangerous toys.
Viruses are self-reproducing programs that insert parts of themselves into
various forms of executable code — i.e., instructions that can tell a computer
what to do. There are several forms of executable code that have been used
- Boot-sectors: the first piece of information on a disk (sector 0, cylinder
0); boot-sector viruses reproduce by being loaded into memory when
a computer boots (restarts) with an infected disk in the boot-device
- Program files: files on PCs that end in ".exe" or (more rarely)
".com" and some other less-used extensions. Program-file infectors
are viruses that insert instructions into a program file so that viral code
can be loaded into memory where it can modify the functioning of the computer
to, among other things, allow replication of the viral code.
- Trojans: another form of harmful code using programs is called the Trojan
Horse and refers to programs that have been modified without authorization
and without documentation so that they contain unexpected functions. Examples
programs that supposedly allowed people to cheat AOL out of connection fees
(but actually stole passwords and sent them to the criminals who had written
- Document macros: Microsoft Office includes an automatic execution feature
for stored operations; macro viruses are macros that are written in
the Visual Basic programming language and can be executed automatically by
several programs in the MS-Office suite. Macro viruses are the most
frequently-encountered viruses in the world today. They reproduce through
the exchange of infected documents such as MS-Word ".doc" files
and MS-Excel spreadsheet ".xls" files.
- E-mail attachments: In addition, the newest generation of macro-based malicious
software, known as e-mail-enabled worms use Visual Basic to exploit
a feature of MS-Outlook, MS-Outlook Express and other MAPI-compliant e-mail
packages to send copies of themselves to many or all of the recipients listed
in standard e-mail address books. These worms spread through the 'Net thanks
to the automatic execution of file attachments that occurs when an e-mail
recipient opens the attachment.
Today, there are virus-creation kits that allow untrained kids to create virus
variants that can cause havoc to individuals and organizations. Writing (or
modifying) viruses seems to appeal to children because it is so easy to cause
trouble for many people at once – it’s one of the few ways a child can feel
really powerful in the world of adults. It is important to discuss these problems
with children from the earliest ages so that they can get used to the idea that
writing viruses is just as bad an idea as, say, arson. Writing and distributing
viruses may be prosecuted under a number of computer crime laws, including the
1987 Computer Fraud and Abuse Act (18 USC 1087).
Use antivirus software on all your computers.
Keep your virus strings up to date (e.g., at least twice-monthly
updates of your antivirus software).
Don't download or use software that purports to help you break
the law or cheat people and businesses – these programs are especially prone
to viruses or Trojan code.
Don't download or use stolen software (i.e., software copies
without permission or in violation of license restrictions).
Don't execute software that anyone sends you through e-mail even if you know
and like the person who sent it to you. Just because they're nice people doesn't
mean they are qualified to inspect programs for safety.
Before sending someone an attachment (e.g., a picture or any other kind of
file) by e-mail, let your recipient know what to expect via a preliminary message;
if you don't know the person personally, send an e-mail requesting permission
to send the attachment.
Never open attachments you have received without warning, regardless of who
sent them or what the subject line or text say. Be especially suspicious of
generic subjects such as "FYI" without details or "You'll like
this." If you are really curious about the attachment, phone or e-mail
the supposed sender to find out whether it is legitimate.
Don't forward programs, even reliable programs, to anyone; instead, tell your
friends where to download useful programs from a trustworthy source (e.g., a
legitimate Web site).
Before sending anyone an MS-Word document as an attachment, save the document
as an RTF file instead of as the usual DOC file. RTF files don't include document
macros and therefore cannot carry macro-viruses.
Disable automatic execution of macros in MS-Word using the TOOLS | MACROS
| SECURITY menu and select the HIGH option (which restricts macro execution
to digitally-signed macros from trusted sources — none, by default).
Use the patches offered by Microsoft to shut off automatic execution of attachments
in Outlook and Outlook Express.
18 USC 1030: Computer Fraud and Abuse Act of 1987 < http://www4.law.cornell.edu/uscode/18/1030.html
Computer Virus FAQ for New Users (1999) < http://www.cs.ruu.nl/wais/html/na-dir/computer-virus/new-users.html
F-Secure Virus Database search < http://www.f-secure.com/v-descs/ >
IBM Antivirus Research < http://www.research.ibm.com/antivirus/SciPapers.htm
ICSA Labs Virus Alerts < http://www.icsalabs.com/html/communities/antivirus/alerts.shtml
Online VGrep Search < http://www.virusbtn.com/VGrep/search.html
Top Ten Viruses (Trend Micro) < http://www.antivirus.com/vinfo/default.asp >
Virus Bulletin < http://www.virusbtn.com/ >
Virus Primer (Trend Micro) < http://www.antivirus.com/vinfo/vprimer.htm >
“What makes Johnny (and Janey) write viruses?” (2001) by Kim
Zetter < http://www.itworld.com/Net/3271/PCW01051534405/pfindex.html
WildList Organization < http://www.wildlist.org/ >
Word Macro Virus FAQ from Michigan State University < http://www.ahdl.msu.edu/ahdl/macrofaq.htm >
<< end of article >>
In recent weeks, readers may have heard a great deal on the news about the
Sircam and CodeRed worms.
Sircam is a very widespread and dangerous worm that infects MS-Windows systems.
It infects a system when a user opens (double-clicks) an infected attachment.
The e-mail message carrying the worm usually has text that reads something like
“Hi how are you?” in the first line, includes a semi-random selection from a
list of phrases such as “I wanted your opinion on this” and is followed by a
last line reading “See you later. Thanks.” The subject line of the e-mail
message is random characters usually taken from the name of the attached infected
file. Once it infects a system, Sircam will attach itself to any document and
convert it into an executable file and then mail itself to everyone in the victim’s
e-mail address book. The documents are randomly chosen, but there have been
cases in which confidential or embarrassing information has been mailed out
to thousands of recipients. Sircam cannot infect Macintosh computers. Always
delete any attachment that you are not expecting to receive and, if necessary,
contact the sender to determine why you have been sent a file without a preliminary
request for permission to do so. For technical details of the Sircam worm,
see < http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/hohsircam_cid118.shtml
The CodeRed worms (there are now several) are limited to Web servers (not ordinary
PCs) using MS-Windows NT or Windows 2000 running the MS-IIS (Internet Information
Server) package. In addition to defacing Web sites, the initial version of
the worm tried to launch a flood of spurious traffic at the White House Web
site from the 20th to the 27th of July; luckily, a programming
decision allowed the White House to avoid attack. The newer versions of the
worm are more insidious: they cause no obvious damage to the infected system’s
Web site and they open an unauthorized access path (a “back door”) into the
infected system so that criminal hackers can gain control of the systems. At
this point, the CodeRed worms are spreading ferociously because there are still
MS-IIS installations that have not installed the repairs (“patches”) that prevent
infection. For technical information about CodeRed worms, see the alerts from
the Computer Emergency Response Team Coordination Center (CERT-CC) at < http://www.cert.org/advisories/CA-2001-19.html
> and < http://www.cert.org/incident_notes/IN-2001-09.html
<< end of sidebar >>