NOTES ON COMPUTER VIRUSES

by Richard Barnhart, Ph.D.

Definition of Computer Virus [1]:

  1. A set of computer instructions
  2. Deliberately created
  3. That propagates
  4. And does unwanted things.

Characteristics of Computer Viruses:

  1. Cannot exist in a viable form, apart from another (usually legitimate) program.
  2. Propagates when the host program is executed.
  3. Has an incubation period, during which no damage is done (but the virus is already propagating).
  4. After incubation period, begins to manifest its behavior.

A Few Manifestations of Computer Viruses:

  1. Sudden or periodic slowing of programs.
  2. Unexplained change in the size of any program.
    ("Explanations" would be, for example, a new version of DOS, or re-installing a program with different options.)
  3. Unusual behavior of the computer, especially during a program which you have been running regularly with no problems.
  4. Failure of any program (such as a word processor) to install correctly from its distribution (original) disks. (Many programs check their own size after installation.)
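The second manifestation above (a program changes size) can only be noticed if you know what size it was. The following is an added example, not part of these notes: a small Python tool that records the size and a SHA-256 hash of every executable under a directory and later reports which ones grew, shrank, or changed contents without changing size. The file names and the 1,024-byte appended "infection" in demo() are constructed for the demonstration; the baseline file itself belongs on a write-protected diskette, not on the drive it describes.

```python
"""Added example (not from the notes): baseline the executables on a drive and
report later changes in size or contents.  All sample files are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# assumption for this demo: the DOS-era file types worth tracking
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys", ".ovl"}


def fingerprint(path: Path) -> dict:
    """Size plus SHA-256.  Size alone misses a virus that overwrites code in place
    or pads the host back to its original length."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Relative path -> fingerprint for every executable under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify each file: unchanged, grown, shrunk, changed (same size), missing, new."""
    report = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report[name] = "missing"
        elif new == old:
            report[name] = "unchanged"
        elif new["size"] > old["size"]:
            report[name] = "grown"          # classic appending file infector
        elif new["size"] < old["size"]:
            report[name] = "shrunk"
        else:
            report[name] = "changed"        # same size, different bytes
    for name in current:
        if name not in baseline:
            report[name] = "new"
    return report


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: two fake executables in a temporary directory;
    1,024 bytes are appended to one of them, as an appending infector would do."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "WP.EXE").write_bytes(b"MZ" + b"\x00" * 1000)
        (root / "COMMAND.COM").write_bytes(b"\xe9\x00\x00" + b"\x90" * 500)
        baseline = build_baseline(root)
        with (root / "WP.EXE").open("ab") as f:
            f.write(b"\xcc" * 1024)
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:12} {verdict}")
```

Run the baseline once from a clean boot, save it, and re-run the comparison after any of the "how viruses are spread" events above (a sales demo, a repair visit, a new diskette). A "grown" COMMAND.COM is the single most telling result.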

Programs which are NOT viruses:

  1. Trojan horse: a standalone program which does its damage immediately, while you are running it for another purpose (usually a game!).
  2. Bomb: a standalone program (like a Trojan horse) whose only effect is to destroy some part of your system (programs, data) but does not pretend to be another program while it runs.
  3. Bug: a legitimate program with some logic error which causes accidental damage to your system even though everything was done according to the manual.
  4. User error: a human error (which the human may deny!) which causes loss of data or programs, or damage to hardware, due to accident or entry of incorrect commands.

A few kinds of virus-caused behavior:

  1. Formats hard drive, destroying all data ("Dark Avenger").
  2. Causes random change in typed characters ("Teatime" virus).
  3. Presents a political or (false) advertising message every few times ("Stoned" virus: Legalize Marijuana).
  4. Causes computer to act as though a monitor or disk drive is going bad ("Jerusalem-B" virus).

Where viruses can hide:

  1. In the "boot" sector of any floppy disk. This is a small program which runs whenever the computer is "booted" from the diskette, whether or not the diskette is "bootable." (This is the tiny program which puts the message "Non-system disk or disk error" on the screen if the disk is not bootable!)
  2. Attached to any program: shareware, commercial or public domain.
  3. Embedded in the hidden system files IO.SYS and MSDOS.SYS on the boot disk or drive.
  4. Same as #2, but pay SPECIAL ATTENTION to the file COMMAND.COM on the boot disk or drive.
  5. The "partition table" sector of a hard drive, better known as the "Master Boot Record." The table itself is data, but it shares its 512-byte sector with a small program which the BIOS runs at boot-up to read the table and load DOS, OS/2, UNIX, etc. A virus can replace that program and leave the table intact, so the machine still boots normally and nothing looks wrong.
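The point in #5 is easiest to see on an actual sector. The following is an added example, not part of these notes: a Python parser for the standard PC Master Boot Record layout (446 bytes of boot code, four 16-byte partition entries, and the 55AA signature), plus a check that hashes only the code region, since a boot-sector virus typically replaces the code and leaves the partition table alone. Both sectors are constructed rather than read from a real disk; the bytes in CLEAN_CODE are an ordinary MBR prologue (cli / xor ax,ax / mov ss,ax / mov sp,7C00h) and VIRUS_CODE is filler standing in for a virus body.

```python
"""Added example (not from the notes): parse a 512-byte Master Boot Record and
detect a changed code region while the partition table stays intact."""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 446            # bytes 0..445: boot code, executed by the BIOS
TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries (data)
SIGNATURE = b"\x55\xaa"   # bytes 510..511: without this the BIOS will not boot the disk


def has_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == SIGNATURE


def parse_partition_entry(entry: bytes) -> dict:
    """status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count."""
    status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack("<B3BB3BII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    if not has_signature(sector):
        raise ValueError("not a 512-byte sector with a 55AA boot signature")
    table = [parse_partition_entry(sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)])
             for i in range(4)]
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": table}


def code_changed(sector: bytes, known_good_code_sha256: str) -> bool:
    """Compare only the code region: a boot-sector virus replaces the code but keeps
    the partition table so the machine still boots and the user sees nothing."""
    return parse_mbr(sector)["code_sha256"] != known_good_code_sha256


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sector: the given code, one active FAT16 partition, three empty entries."""
    if len(code) > CODE_LEN:
        raise ValueError("boot code too long")
    entry = struct.pack("<B3BB3BII", 0x80, 1, 1, 0, 0x06, 0xFE, 0xFF, 0xFF, 63, 2_000_000)
    return code.ljust(CODE_LEN, b"\x00") + entry + b"\x00" * 48 + SIGNATURE


# constructed "clean" and "infected" sectors; they differ only in the code region
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # cli / xor ax,ax / mov ss,ax / mov sp,7C00h
VIRUS_CODE = b"\xeb\x1e\x90" + b"\xcc" * 30        # short jump over a (fake) virus body
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
INFECTED_MBR = build_sample_mbr(VIRUS_CODE)


def demo() -> dict:
    good = parse_mbr(CLEAN_MBR)["code_sha256"]
    return {
        "clean_flagged": code_changed(CLEAN_MBR, good),
        "infected_flagged": code_changed(INFECTED_MBR, good),
        "table_intact": parse_mbr(CLEAN_MBR)["partitions"]
                        == parse_mbr(INFECTED_MBR)["partitions"],
    }


if __name__ == "__main__":
    print(demo())
    for i, p in enumerate(parse_mbr(INFECTED_MBR)["partitions"]):
        print(i, p)
```

Keep the known-good hash of the code region on the same write-protected diskette as the clean boot floppy. On a modern system the sector can be read with dd if=/dev/sda bs=512 count=1 (adjust the device name); under DOS a disk editor that reads physical sectors does the same job.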

How viruses are spread:

  1. Trading, copying or pirating software on diskettes without knowing the source.
  2. Software salesmen giving demos on your computer from their diskettes.
  3. Computer repair personnel using diagnostic disks.
  4. Computer user groups and bulletin boards (BBS's).

  NOTE: #2 & #3 account for over 80% of all infections at business sites! #1 accounts for nearly all others, #4 LESS THAN 5%.

How to deal with virus infections: (Clip & save this!)

  1. DON'T PANIC!
  2. Read ALL these instructions FIRST!
  3. Turn the machine OFF (POWER SWITCH, NOT Ctrl-Alt-Del!!!!). A warm boot can leave a memory-resident virus in place; only a power cycle clears memory. Boot up from a clean, WRITE-PROTECTED floppy disk. If you have a SET-UP option during boot-up (usually by pressing the Delete key), use it. MAKE SURE that booting from floppy is ENABLED, and that the boot-up sequence is A:,C:.
  4. DON'T PANIC!
  5. Copy all your DATA files, including documents (memos, letters, class handouts, etc.), spreadsheets, work areas, etc. to diskettes or magnetic tape. Keep TYPES of data on separate diskettes or tape volumes. (It is REMOTELY possible that a virus could infect a spreadsheet in the form of a Lotus macro, for instance, and not your WordPerfect documents, or vice-versa. Anything which contains executable material, such as macros or source code of programs, is suspect until the virus is identified and killed!)
  6. DON'T PANIC!
  7. Now, and ONLY now, walk, don't run, to your local computer store and invest in a virus eradication program. Install and run it from its own write-protected diskette after the clean boot in #3, never from the suspect hard drive. If this doesn't work, re-format your hard drive, re-install your software from distribution disks, and copy back your data. DO NOT reformat your hard drive until AFTER you have copied ALL your data to diskettes, preferably TWO copies on TWO different sets of diskettes. Your data is your life! Programs can be replaced for money; your data is priceless!

When viruses activate:

  1. Every few times the computer is booted up ("Stoned" virus, every 8th boot).
  2. On a certain day of the year (March 6, "Michelangelo" virus, destructive mutant of "Stoned").
  3. On a certain day of the week ("Sunday" virus).
  4. On a certain day of the month ("Friday the 13th", "Saturday the 14th" viruses).
  5. Every day EXCEPT one ("Israeli" or "Suriv03" virus, every day except Friday the 13th).
  6. On a certain date only. (Jan. 1, 2000: "Century" will activate and write zeroes to all connected disks, effectively destroying all data and programs: all directories, file allocation tables, boot records and partition tables, possibly forcing the disk to be returned to the dealer for repair. Finally, a message is presented to the user, "Welcome to the 21st Century.")
  7. A certain period after infection ("Plastique" virus, one week).
  8. After infecting a certain number of files ("MIX/1" virus, six files).
  9. After a certain number of keystrokes ("Devil's Dance" virus, 2000 keystrokes; after 5000 it destroys hard disk data and prints the characteristic "Devil's Dance" message).
  10. At a particular time of day ("Teatime" virus, between 3:10 and 3:13 PM, trashes every 11th keystroke).
  11. Any combination of the above, plus anything you can probably think of!
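Several of the triggers above depend only on the calendar, which means the dates on which they fire in a given year can be computed in advance and used as the clock settings for a quarantined test machine. The following is an added example, not part of these notes: it encodes the date rules exactly as listed (March 6, Sunday, Friday the 13th, Saturday the 14th, Jan. 1, 2000) and enumerates the matching dates of a year. Only the trigger conditions are modeled; no virus behaviour is simulated.

```python
"""Added example (not from the notes): enumerate the calendar dates on which the
date-based triggers listed above fire, to drive a clock-forward test."""
import datetime as dt


def dates_in_year(year: int):
    d = dt.date(year, 1, 1)
    while d.year == year:
        yield d
        d += dt.timedelta(days=1)


# trigger rules as described in the notes; weekday(): Monday = 0 ... Sunday = 6
TRIGGERS = {
    "Michelangelo (March 6)":   lambda d: d.month == 3 and d.day == 6,
    "Sunday":                   lambda d: d.weekday() == 6,
    "Friday the 13th":          lambda d: d.weekday() == 4 and d.day == 13,
    "Saturday the 14th":        lambda d: d.weekday() == 5 and d.day == 14,
    "Century (Jan. 1, 2000)":   lambda d: d == dt.date(2000, 1, 1),
}


def trigger_dates(year: int, triggers=TRIGGERS) -> dict:
    """Map each trigger name to the list of dates in `year` on which it fires."""
    hits = {name: [] for name in triggers}
    for d in dates_in_year(year):
        for name, fires in triggers.items():
            if fires(d):
                hits[name].append(d)
    return hits


def clock_schedule(year: int, triggers=TRIGGERS, skip=("Sunday",)) -> list:
    """Sorted, de-duplicated dates to set the test machine's clock to.
    Weekly triggers are skipped by default: one Sunday is as good as another."""
    wanted = set()
    for name, dates in trigger_dates(year, triggers).items():
        if name not in skip:
            wanted.update(dates)
    return sorted(wanted)


if __name__ == "__main__":
    for name, dates in trigger_dates(1997).items():
        print(f"{name}: {', '.join(d.isoformat() for d in dates) or '(none)'}")
    print("clock settings to test:", [d.isoformat() for d in clock_schedule(1997)])
```

Counter-based triggers (boots, infections, keystrokes) are not calendar-driven and are not covered here; for those the test machine simply has to be used, rebooted and typed on for a while.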

Types of viruses, classified by how they spread ("vectors"):

  1. Boot-sector viruses. Not transmitted by ordinary BBS downloads, since a downloaded file does not write a boot sector (the exception is a "dropper" program which writes an infected boot sector when run). Transmitted by floppy or tape cartridge (rare). Boot-up must be attempted from the infected disk. Remains memory-resident during a warm boot, and infects the boot sector of every other disk used in the system, hard and floppy.
  2. Program viruses. May be transmitted by distribution of infected programs via floppy, BBS or network. Some infect ONLY COMMAND.COM; others avoid infecting COMMAND.COM, since a change in that file is easily noticed.

Types of viruses, classified by operating system:

  1. DOS. Greatest variety of viruses due to widespread use.
  2. Amiga-DOS. Restricted to Commodore Amiga.
  3. Macintosh. Restricted to Macintosh computers. NOTE: Amiga(TM) and Macintosh(TM) computers often have a DOS emulation mode. In this mode, some (but not all) DOS viruses can damage them as well.
  4. OS/2. Relatively immune to viruses so far, due to rarity of systems. Most DOS viruses are rendered harmless by OS/2, although some may still survive since OS/2 can also run DOS programs.
  5. UNIX. These viruses are relatively rare, but some have the potential of migrating to PC's running UNIX clones such as XENIX. Similar remarks apply to Amigas and Macintoshes running A/UX or other UNIX clones.
  6. VMS, MVS, etc. (Minicomputers & mainframes). A few viruses spread over networks. More commonly affected by worms (e.g. the RTM Internet worm), logic bombs via e-mail, etc.

Conditions for propagation [1] (epidemiology):

  1. Many computers in close proximity. "Proximity" may not be physical distance between computers, but between computer owners in the same class or job.
  2. Frequent exchange of susceptible software.
  3. Long incubation period of virus.
  4. Proportionately few "immune" individuals in the community, i.e. those using anti-viral software.
  5. Use of software brought from home, where "the kids" could bring home viruses from school, etc.

Prevention of virus infections or attenuation of epidemics:

  Remove any of the conditions above.

  1. Isolate computers. This is seldom practical! But you can set aside one computer in an organization on which to try out disks and software before releasing disks for general use.
  2. Don't be hasty to try every new program that comes down the pike.
  3. Use the computer set aside in #1 as a time machine: set its clock forward to suspect dates (Friday the 13th, March 6, and so on), run the new software, and see if anything happens.
  4. Use anti-viral software on ALL computers, and keep it updated regularly. (The few users who don't use the software will be protected by "herd immunity," which is well known in disease control.)
  5. Disallow use of any software not purchased by and for the corporation, or disinfected as in #1 and #3.
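The propagation conditions (contact rate, incubation period, proportion of immune machines) and the "herd immunity" remark in #4 can be checked with a toy epidemic model. The following is an added example, not from these notes or from Louw and Duffy: a seeded Monte-Carlo simulation in which every infected machine exchanges a fixed number of diskettes per day with random other machines, spreads silently during its incubation period, and is cleaned and protected once the payload manifests. All parameters are constructed for illustration and model no particular virus.

```python
"""Added example (not from the notes): a small stochastic epidemic model of
diskette-borne virus spread.  States: S susceptible, I infected and silently
spreading, D detected (payload showed, machine cleaned and protected), R immune
(runs anti-viral software from the start)."""
import random


def simulate(n=200, contacts_per_day=1, p_transmit=0.2, incubation_days=10,
             immune_fraction=0.0, days=365, seed=0) -> float:
    """Return the fraction of initially susceptible machines that ever got infected."""
    rng = random.Random(seed)
    state = ["S"] * n
    for i in rng.sample(range(n), round(n * immune_fraction)):
        state[i] = "R"                       # condition 4: immune individuals
    susceptible = [i for i in range(n) if state[i] == "S"]
    if not susceptible:
        return 0.0
    patient_zero = rng.choice(susceptible)   # condition 5: one infected disk from outside
    state[patient_zero] = "I"
    infected_on = {patient_zero: 0}
    for day in range(1, days + 1):
        spreaders = [k for k in range(n) if state[k] == "I"]
        for i in spreaders:
            for _ in range(contacts_per_day):          # condition 2: disk exchanges
                j = rng.randrange(n)                   # condition 1: anyone in the community
                if state[j] == "S" and rng.random() < p_transmit:
                    state[j] = "I"
                    infected_on[j] = day
            if day - infected_on[i] >= incubation_days:  # condition 3: silent period ends
                state[i] = "D"                           # damage seen, machine cleaned
    return len(infected_on) / len(susceptible)


def attack_rate(runs=10, **params) -> float:
    """Average over several seeds so a single early fizzle does not mislead."""
    return sum(simulate(seed=s, **params) for s in range(runs)) / runs


def herd_immunity_curve(fractions=(0.0, 0.25, 0.5, 0.75), **params) -> dict:
    """Attack rate among the machines WITHOUT anti-viral software, as a function of
    how many of their neighbours do run it."""
    return {f: attack_rate(immune_fraction=f, **params) for f in fractions}


if __name__ == "__main__":
    for f, rate in herd_immunity_curve().items():
        print(f"immune fraction {f:.2f}: attack rate among the rest {rate:.2f}")
    print("incubation 2 days:", round(attack_rate(incubation_days=2), 2))
    print("incubation 30 days:", round(attack_rate(incubation_days=30), 2))
```

With these parameters each infected machine makes about contacts_per_day × p_transmit × incubation_days = 2 new infections before it is noticed, so the epidemic takes off when nobody is protected and dies out once roughly half the community is, which is the herd-immunity effect the notes describe. Lengthening the incubation period raises that number directly, which is why condition #3 matters so much.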


[1] Louw, Eric and Neil Duffy. Managing Computer Viruses. Oxford: Oxford University Press, 1992.

Last updated 96/09/23
© Richard Barnhart, 1996