Computer viruses demystified

Contents

Why viruses matter
Viruses, Trojans and worms
Virus hoaxes
Top 10 viruses
Email
The internet
Mobile phones and palmtops
Ten steps to safer computing
Useful links
Glossary
Index

Why viruses matter

Computer viruses, hackers, crackers, data crime. They make headline news and – so the media claim – cost us millions. But do viruses and all the other nasties in cyberspace matter? Do they really do much harm?

If you’re in any doubt, just try imagining what could happen in your office or home.

Imagine that no-one has updated your anti-virus software for a few months. When they do, you find that your accounts spreadsheets are infected with a new virus that changes figures at random. Naturally you keep backups. But you might have been backing up infected files for months. How do you know which figures to trust?

Now imagine that a new email virus has been released. Your company is receiving so many emails that you decide to shut down your email gateway altogether … and miss an urgent order from a big customer.

Suppose that you’ve been studying at home for an MBA. You’ve almost finished your dissertation when one of your children puts a new game on your PC and infects it. The virus deletes everything on the hard drive … including all your hard work.

Imagine that a friend emails you some files he found on the internet. You open them and trigger a virus that mails confidential documents to everyone in your address book … including your competitors.

Finally, imagine that you accidentally send another company a report that carries a virus. Will they feel safe to do business with you again?

Such incidents have all happened. In every case, simple precautions, some of which cost nothing, could have prevented the problem.

This guide tells you what the risks are and how you can avoid them.

Viruses, Trojans and worms

In the mid-1980s Basit and Amjad Alvi of Lahore, Pakistan discovered that people were pirating their software. They responded by writing the first PC virus, a program that would put a copy of itself and a copyright message on any floppy disk copies their customers made. From these simple beginnings, an entire virus counter-culture has emerged. Today new viruses sweep the planet in hours and virus scares are major news. People are fascinated, but not always well-informed. Read on to see how viruses spread and how you can protect yourself.

What is a virus?

A computer virus is a computer program that can spread across computers and networks by making copies of itself, usually without the user’s knowledge.

Viruses can have harmful side-effects. These can range from displaying irritating messages to deleting all the files on your computer.

How does a virus infect computers?

A virus program has to be run before it can infect your computer.

Viruses have ways of making sure that this happens. They can attach themselves to other programs or hide in code that is run automatically when you open certain types of files.

You might receive an infected file on a disk, in an email attachment, or in a download from the internet. As soon as you launch the file, the virus code runs. Then the virus can copy itself to other files or disks and make changes on your computer.

For details, see ‘Boot sector viruses’, ‘Parasitic viruses’ and ‘Macro viruses’ later in this chapter.

Trojan horses

Trojan horses are programs that do things that are not described in their specifications.

The user runs what they think is a legitimate program, allowing it to carry out hidden, often harmful, functions.

For example, Troj/Zelu claims to be a program for fixing the ‘millennium bug’ but actually overwrites the hard disk.

Trojan horses are sometimes used as a means of infecting a user with a computer virus.

Backdoor Trojans are programs that allow other computer users to take control of your PC over the internet.

Worms

Worms are similar to viruses but do not need a carrier (like a macro or a boot sector).

Worms simply create exact copies of themselves and use communications between computers to spread.

Many viruses, such as Kakworm (VBS/Kakworm) or Love Bug (VBS/LoveLet-A), behave like worms and use email to forward themselves to other users.

What can viruses do?

Virus side-effects, often called the payload, are the aspect of most interest to users. Here are some of the things that viruses are capable of.

■ Messages: WM97/Jerk displays the message ‘I think (user’s name) is a big stupid jerk!’

■ Pranks: Yankee plays ‘Yankee Doodle Dandy’ at 5 pm.

■ Denying access: WM97/NightShade password-protects the current document on Friday 13th.

■ Data theft: Troj/LoveLet-A emails information about the user and machine to an address in the Philippines.

■ Corrupting data: XM/Compatable makes changes to the data in Excel spreadsheets.

■ Deleting data: Michelangelo overwrites parts of the hard disk on March 6th.

■ Disabling hardware: CIH or Chernobyl (W95/CIH-10xx) attempts to overwrite the BIOS on April 26th, making the machine unusable.

Where are the virus risks?

Here are the points where your office is vulnerable.

Floppy disks and CDs

Floppy disks can have a virus in the boot sector. They can also hold infected programs or documents. CDs may also hold infected items.

Programs

Programs that carry a virus can infect your machine as soon as you run them.

Documents and spreadsheets

These can contain macro viruses, which can infect and make changes to other documents or spreadsheets.

Email

Email can include infected attachments. If you double-click on an infected attachment, you risk infecting your machine. Some emails even include malicious scripts that run as soon as you preview the mail or read the body text.

The internet

Downloaded programs or documents may be infected.

Preventing viruses

There are simple measures you can take to avoid being infected or to deal with viruses if you are infected.

Make users aware of the risks

Tell everyone in the organisation that they are at risk if they swap floppy disks, download files from websites or open email attachments.

Install anti-virus software and update it regularly

Anti-virus programs can detect and often disinfect viruses. If the software offers on-access virus checking, use it. On-access checking protects users by denying access to any file that is infected. See the ‘Anti-virus software’ section later in this chapter.

Keep backups of all your data

Make sure you have backups of all data and software, including operating systems. If you are affected by a virus, you can replace your files and programs with clean copies. Check the backups with up-to-date anti-virus software before you restore them: as the accounts example in ‘Why viruses matter’ showed, you may have been backing up infected files for months.

For details, see the ‘Ten steps to safer computing’ chapter.

Boot sector viruses

Boot sector viruses were the first type of virus to appear. They spread by modifying the boot sector, which contains the program that enables your computer to start up.

When you switch on, the hardware looks for the boot sector program – which is usually on the hard disk, but can be on floppy or CD – and runs it. This program then loads the rest of the operating system into memory.

A boot sector virus replaces the original boot sector with its own, modified version (and usually hides the original somewhere else on the hard disk). When you next start up, the infected boot sector is used and the virus becomes active.

You can only become infected if you boot up your computer from an infected disk, e.g. a floppy disk that has an infected boot sector. The floppy does not have to be a system disk: if an infected data disk is left in the drive when you switch on, the machine runs its boot sector (and so the virus) before it reports ‘Non-system disk’ and asks for another.

Many boot sector viruses are now quite old. Those written for DOS machines do not usually spread on Windows 95, 98, Me, NT or 2000 computers, though they can sometimes stop them from starting up properly.

Form

A virus that is still widespread ten years after it first appeared. The original version triggers on the 18th of each month and produces a click when keys are pressed on the keyboard.

Parity Boot

A virus that may randomly display the message ‘PARITY CHECK’ and freeze the operating system. The message resembles a genuine error message displayed when the computer’s memory is faulty.

Parasitic viruses (file viruses)

Parasitic viruses, also known as file viruses, attach themselves to programs (or ‘executables’).

When you start a program infected with a file virus, the virus is launched first. To hide itself, the virus then runs the original program.

The operating system on your computer sees the virus as part of the program you were trying to run and gives it the same rights. These rights allow the virus to copy itself, install itself in memory or release its payload. The more rights the user has, the more the virus can do: running everyday programs from an ordinary, non-administrator account limits the damage an infected program can cause.

Parasitic viruses appeared early in virus history but they still pose a real threat. The internet has made it easier than ever to distribute programs, giving these viruses new opportunities to spread.

Jerusalem

On Friday 13th, deletes every program run on the computer.

CIH (Chernobyl)

On the 26th of certain months, this virus will overwrite part of the BIOS chip, making the computer unusable. The virus also overwrites the hard disk.

Remote Explorer

WNT/RemExp (Remote Explorer) infects Windows NT executables. It was the first virus that could run as a service, i.e. run on NT systems even when no-one is logged in.

Macro viruses

Macro viruses take advantage of macros, commands that are embedded in files and run automatically.

Many applications, such as word processing or spreadsheet programs, use macros.

A macro virus is a macro program that can copy itself and spread from one file to another. If you open a file that contains a macro virus, the virus copies itself into the application’s startup files (in Word, the global template Normal.dot). The computer is now infected.

When you next open a file using the same application, the virus infects that file. If your computer is on a network, the infection can spread rapidly: when you send an infected file to someone else, they can become infected too.

A malicious macro can also make changes to your documents or settings.

Macro viruses infect files used in most offices and some can infect several file types, such as Word or Excel files. They can also spread to any platform on which their ‘host’ application runs. Above all, they spread easily because documents are exchanged frequently via email and websites.

WM/Wazzu

Infects Word documents. It moves between one and three words and inserts the word ‘wazzu’ at random.

OF97/Crown-B

Can infect Word, Excel and PowerPoint files. When it infects a Word document, it turns off macro protection in the other Office 97 applications, so that it can infect them.

Anti-virus software

Anti-virus software can detect viruses, prevent access to infected files and often eliminate the infection. Here is an introduction to the different kinds of software available.

Scanners

Virus scanners can detect, and often disinfect, the viruses known at the time the scanner is released. Scanners are easily the most popular form of anti-virus software but they have to be updated regularly to recognise new viruses.

There are on-demand and on-access scanners. Many anti-virus packages offer both.

On-demand scanners let you start or schedule a scan of specific files or drives.

On-access scanners stay active on your machine whenever you are using it. They check files as you try to open or run them.

Checksummers

Checksummers are programs that can tell when files have been changed. If a virus infects a program or document, changing it in the process, the checksummer should report the change.

The good thing about checksummers is that they do not need to know anything about a virus in order to detect its presence. For that reason, checksummers do not need regular updating.

The bad thing about checksummers is that they cannot tell the difference between a virus and a legitimate change, so false alarms are likely. Checksummers have particular problems with documents, which can change frequently.

In addition, checksummers can only alert you after infection has taken place, they cannot identify the virus, and they cannot provide disinfection.
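A minimal checksummer, added here as a worked example (it is not code from this guide or from any Sophos product): it records a SHA-256 hash of every file under a directory, then reports which files have changed, vanished or appeared. The directory, its files and the simulated ‘infection’ are constructed by the example itself; the name of the baseline file is an assumption.

```python
"""Minimal checksummer: record a baseline of file hashes, then report changes.

Added example, not code from the guide or from any vendor's product.
Standard library only; the files and the 'infection' are constructed here.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

BASELINE_NAME = "baseline.json"   # assumption: where the checksum database lives


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a POSIX relative path) to its hash,
    skipping the baseline file itself so the database is never checksummed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if rel != BASELINE_NAME:
                baseline[rel] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences. Note what a checksummer cannot say: WHY a file
    changed, or which virus (if any) changed it."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a parasitic
    infection of one program, a legitimate edit to a spreadsheet and a new
    file dropped on the disk. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        program = root / "bin" / "payroll.exe"
        program.write_bytes(b"MZ" + b"\x00" * 100)            # stand-in for a real executable
        (root / "accounts.xls").write_bytes(b"original figures")

        (root / BASELINE_NAME).write_text(json.dumps(build_baseline(root)))

        program.write_bytes(b"VIRUS" + program.read_bytes())     # virus code prepended
        (root / "accounts.xls").write_bytes(b"updated figures")  # legitimate user edit
        (root / "readme.txt.vbs").write_text("WScript.Echo 1")   # new file, inert text

        baseline = json.loads((root / BASELINE_NAME).read_text())
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists both the program the example tampered with and the spreadsheet the user legitimately edited, which is exactly the false-alarm problem described above. Two practical points: use a cryptographic hash (a simple CRC can be matched by an attacker), and keep the baseline where a virus cannot rewrite it, e.g. on read-only or offline media, otherwise an infection can simply re-checksum itself into the baseline.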

Heuristics

Heuristic software tries to detect viruses – both known and unknown – by using general rules about what viruses look like. Unlike conventional scanners, this software doesn’t rely on frequent updates about all known viruses.

However, if a new kind of virus emerges, the software will not recognise it and will need to be updated or replaced.

Heuristics can be prone to false alarms.
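The following added example (the editor’s illustration, not code from this guide or from any anti-virus product) shows the idea behind both the heuristics described here and the macro-virus behaviour described earlier: it scores VBA or VBScript text against a handful of rules for things like an AutoOpen macro, walking the Outlook address book or switching off macro protection. The rule list, weights and threshold are assumptions made up for the demonstration, and the three sample macros are constructed text that is only pattern-matched, never executed.

```python
"""Toy heuristic scanner for VBA / VBScript source text.

Added example, not from this guide or any vendor's engine. The rule names,
weights and threshold are assumptions chosen for the demo; the three sample
macros are constructed, inert text and are only pattern-matched, never run.
"""
import re

# (rule name, weight, pattern). Weights are assumptions, not vendor values.
RULES = [
    ("auto-exec macro",      3, re.compile(r"\b(AutoOpen|AutoClose|AutoExec|Document_Open|Workbook_Open)\b", re.I)),
    ("mail automation",      3, re.compile(r"Outlook\.Application", re.I)),
    ("address book walk",    3, re.compile(r"\b(AddressLists|AddressEntries)\b", re.I)),
    ("sends mail",           2, re.compile(r"\.Send\b", re.I)),
    ("attaches a file",      2, re.compile(r"Attachments\.Add\b", re.I)),
    ("file system access",   2, re.compile(r"Scripting\.FileSystemObject", re.I)),
    ("reads own source",     4, re.compile(r"WScript\.ScriptFullName|\.ReadAll\b", re.I)),
    ("registry write",       2, re.compile(r"\bRegWrite\b", re.I)),
    ("disables macro guard", 4, re.compile(r"VirusProtection|Security\\Level", re.I)),
]
THRESHOLD = 6   # assumption: total weight at which a script is reported


def scan(source: str) -> dict:
    """Apply every rule; return the rules that fired, the total weight and a verdict."""
    fired = [(name, weight) for name, weight, rx in RULES if rx.search(source)]
    score = sum(weight for _name, weight in fired)
    return {"hits": [name for name, _w in fired], "score": score, "suspicious": score >= THRESHOLD}


# Constructed sample 1, in the style the guide attributes to Melissa and
# OF97/Crown-B: runs on open, mails the document to the address book and
# switches off macro protection.
MACRO_MAILER = r'''
Sub AutoOpen()
    Set ol = CreateObject("Outlook.Application")
    Set ns = ol.GetNameSpace("MAPI")
    For Each entry In ns.AddressLists(1).AddressEntries
        Set m = ol.CreateItem(0)
        m.To = entry.Address
        m.Attachments.Add ActiveDocument.FullName
        m.Send
    Next
    Options.VirusProtection = False
End Sub
'''

# Constructed sample 2: a legitimate mail-merge macro. It drives Outlook and
# attaches files just as the mailer does, so the same rules fire: a false alarm.
MAIL_MERGE = r'''
Sub SendInvoices()
    Set ol = CreateObject("Outlook.Application")
    For Each row In ActiveDocument.Tables(1).Rows
        Set m = ol.CreateItem(0)
        m.To = row.Cells(1).Range.Text
        m.Attachments.Add "C:\invoices\" & row.Cells(2).Range.Text
        m.Send
    Next
End Sub
'''

# Constructed sample 3: an ordinary formatting macro with nothing to flag.
BENIGN = r'''
Sub FormatHeadings()
    For Each p In ActiveDocument.Paragraphs
        If p.Style = "Heading 1" Then p.Range.Font.Bold = True
    Next
End Sub
'''

if __name__ == "__main__":
    for label, src in (("macro mailer", MACRO_MAILER), ("mail merge", MAIL_MERGE), ("benign", BENIGN)):
        print(f"{label:13s} {scan(src)}")
```

With the threshold low enough to catch the mass mailer, the legitimate mail-merge macro is flagged too, which is the false-alarm problem the text warns about; raise the threshold and the next mailer that omits one trick slips through. Real engines apply the same trade-off to much richer features, and they still need updating when a genuinely new technique appears.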

A brief history of viruses

1949 Mathematician John von Neumann suggests that computer programs could reproduce.

1961 Programmers at Bell Labs develop Darwin, an experimental game in which players’ programs attack and overwrite each other’s programs in the computer’s memory.

1975 Sci-fi author John Brunner imagines a computer ‘worm’ spreading across networks.

1984 Fred Cohen introduces the term ‘computer virus’ in his research on such programs.

1986 Brain, the first virus for the IBM PC, is written by two brothers in Pakistan.

1987 The Christmas tree worm paralyses the IBM worldwide network.

1988 The Internet worm spreads through the US DARPA internet.

1990 Mark Washburn writes 1260, the first ‘polymorphic’ virus, which mutates (i.e. changes its form) each time it infects.

1992 There is worldwide panic about the Michelangelo virus, although very few computers are infected.

1994 Good Times, the first major virus hoax, appears.

1995 The first macro virus, Concept, appears. In the same year, Australian virus writers produce the first virus specifically written for Windows 95.

1998 CIH or Chernobyl becomes the first virus to paralyse computer hardware.

1999 Melissa, a virus that forwards itself by email, spreads worldwide. Bubbleboy, the first virus to infect a computer when email is viewed, appears.

2000 Love Bug becomes the most successful email virus yet. The first virus appears for the Palm operating system, although no users are infected.

The hidden costs of viruses

Viruses don’t just corrupt or delete data. They can also harm your business in less obvious ways.

Everyone knows about viruses that delete everything on the hard drive or corrupt documents. Such effects are serious, but you can soon recover if you have good backups. More serious are some of the less visible side-effects.

For example, viruses can prevent computers from working or force you to shut down the network. During this time, working hours, and so revenue, are being lost.

Some viruses interrupt the communications business depends on. Melissa or ExploreZip, which spread via email, can generate so much mail that servers crash. Even if this doesn’t happen, companies sometimes react to the risk by shutting down their mail servers anyway.

There is a threat to confidentiality too. Melissa can forward documents, which may contain sensitive information, to anyone in your address book.

Viruses can seriously damage your credibility. If you send infected documents to customers, they may refuse to do business with you or demand compensation. Sometimes you risk embarrassment as well as a damaged business reputation. WM/Polypost, for example, places copies of your documents in your name on alt.sex usenet newsgroups.

Who writes viruses?

If your computer, or your network, is hit by a virus, the first thing you’re likely to say, expletives apart, is ‘Why do people write these viruses?’

At first glance, there seems to be little incentive for writing viruses. Virus writers don’t gain in financial or career terms; they rarely achieve real fame; and, unlike hackers, they don’t usually target particular victims, since viruses spread too indiscriminately.

Virus writing is easier to understand if you compare it to forms of delinquency such as graffiti or vandalism.

Virus writers tend to be male, under 25 and single. Their self-esteem is bound up with the approval of their peer group, or at least of a small electronic community. Virus-writing exploits, like graffiti art, are a kind of performance that wins the writer status.

Viruses also give their writers powers in cyberspace that they could never hope to have in the real world. No doubt that’s why virus writers choose names inspired by heavy metal music or fantasy literature, which thrive on similar illusions of prowess and potency.

Is virus writing always wrong?

Most of us take it for granted that viruses are simply a bad thing, but is that necessarily true?

Many viruses are ‘harmless’ or take the form of jokes. Others alert us to security flaws in software. Some people argue that viruses could even be useful, e.g. by distributing bug fixes. Unfortunately, the idea of ‘harmless’ viruses doesn’t stand up to scrutiny.

First, viruses make changes on users’ computers without their consent and sometimes without their knowledge. That’s unethical – and illegal in many countries – whether the intention is good or bad. You shouldn’t interfere with somebody else’s computer, any more than you would borrow their car without telling them – even if you did change the oil.

Secondly, viruses don’t always perform as the author intends. If a virus is badly written, it can cause unforeseen problems. Even if it’s harmless on the operating system it was written for, a virus may be highly destructive on other platforms or on systems developed in future.

Proof-of-concept

Sometimes people write viruses to prove that a new kind of virus is possible. These are known as proof-of-concept viruses. They do not usually have side-effects (a payload) and shouldn’t be released onto other users’ computers.

Research?

Virus writers like to claim that they are doing research. Yet viruses are often poorly written, they are released at random on unsuspecting users, and there’s no way to collect the results. This can hardly be called research.

Virus hoaxes

If you have been warned about viruses called ‘Good Times’, ‘Budweiser Frogs’ or ‘How to give a cat a colonic’, you are the victim of a hoax. Virus hoaxes, especially email hoaxes, are commonplace and can be just as costly in terms of time and money as the real thing.

What are hoaxes?

Hoaxes are reports of non-existent viruses. Typically, they are emails which do some or all of the following:

■ Warn you that there is an undetectable, highly destructive new virus.

■ Ask you to avoid reading emails with a particular subject line, e.g. Join the Crew or Budweiser Frogs.

■ Claim that the warning was issued by a major software company, internet provider or government agency, e.g. IBM, Microsoft, AOL or the FCC.

■ Claim that a new virus can do something improbable. For instance, A moment of silence says that ‘no program needs to be exchanged for a new computer to be infected’.

■ Use techno-babble to describe virus effects, e.g. Good Times says that the virus can put the PC’s processor into ‘an nth-complexity infinite binary loop’.

■ Urge you to forward the warning to other users.

The hoax that wasn’t

On April 1, 2000 an email headed Rush-Killer virus alert began circulating. It warned of viruses that take over the modem and dial 911 (the US emergency number), and urged you to forward the warning. The email had all the hallmarks of a hoax. Yet the virus was real. It was one of the BAT/911 viruses which spread through Windows shares and do call 911. It’s difficult to tell a hoax from a real warning; you should follow the advice in ‘What can be done about hoaxes?’ at the end of this chapter.

Why are hoaxes a problem?

Hoaxes can be as disruptive and costly as a genuine virus.

If users do forward a hoax warning to all their friends and colleagues, there can be a deluge of email. This can overload mail servers and make them crash. The effect is the same as that of the real Love Bug virus, but the hoaxer hasn’t even had to write any computer code.

It isn’t just end-users who overreact. Companies who receive hoaxes often take drastic action, such as closing down a mail server or shutting down their network. This cripples communications more effectively than many real viruses, preventing access to email that may be really important.

False warnings also distract from efforts to deal with real virus threats.

Hoaxes can be remarkably persistent too. Since hoaxes aren’t viruses, your anti-virus software can’t detect or disable them.

Which came first?

A hoax can inspire a real virus threat, or vice versa. After the Good Times hoax made the headlines, some virus writers waited until it had been debunked and then wrote a real virus with the same name (anti-virus firms call it GT-Spoof).

What can be done about hoaxes?

Hoaxes, like viruses or chain mail, depend on being able to spread themselves. If you can persuade users to break the chain, you limit the harm done.

Have a company policy on virus warnings

The solution may be a company policy on virus warnings. Here is an example:

‘Do not forward any virus warnings of any kind to ANYONE other than the person responsible for anti-virus issues. It doesn’t matter if the virus warnings come from an anti-virus vendor or have been confirmed by a large computer company or your best friend. ALL virus warnings should be sent to [name of responsible person] only. It is their job to notify everybody of virus warnings. A virus warning which comes from any other source should be ignored.’

As long as users follow the policy, there will be no flood of emails and the company expert will decide whether there is any real risk.

Keep informed about hoaxes

Keep informed about hoaxes by visiting the hoaxes pages on our website: www.sophos.com/virusinfo/hoaxes

Top 10 viruses

Which viruses are the most successful ever? Here is our selection of those that travelled furthest, infected most computers ... or survived the longest.

Love Bug (VBS/LoveLet-A)

The Love Bug is probably the best-known virus. By pretending to be a love letter, it played on users’ curiosity, spreading around the world in hours.

First seen: May 2000

Origin: The Philippines

AKA: Love Letter

Type: Visual Basic Script worm

Trigger: On initial infection

Effects: The original version sends an email with the subject line ‘I LOVE YOU’ and the text ‘kindly check the attached love letter coming from me’. Opening the attachment allows the virus to run. If Microsoft Outlook is installed, the virus tries to forward itself to all addresses in the Outlook address book. It can also distribute itself to other users over IRC, steal user information and overwrite certain files.

Form

Form featured in the top ten viruses for eight years and is still widespread. On DOS and early versions of Windows, it behaved inconspicuously, so it spread widely.

First seen: 1991

Origin: Switzerland

Type: Boot sector virus

Trigger: 18th of the month

Effects: Produces a click every time you press a key. Can prev ent Windows NT computers from working.

Kakworm (VBS/Kakworm)

Kakworm made it possible for users to become infected just by viewing infected email.

First seen: 1999

Type: Visual Basic Script worm

Trigger: On initial infection (for most effects) or 1st of any month (for Windows shutdown side-effect)

Effects: The worm arrives embedded in an email message. If you are using Outlook or Outlook Express with Internet Explorer 5, the machine can be infected when you open or preview the infected email. The virus changes the Outlook Express settings so that the virus code is automatically included with all outgoing mail. On the 1st of any month after 5 pm, it displays the message ‘Kagou-Anti_Kro$oft says not today’ and shuts down Windows.

Anticmos

Anticmos is a typical boot sector virus. It was widespread in the mid-1990s and frequently appeared in the top ten viruses.

First seen: January 1994

Origin: First detected in Hong Kong, but believed to originate in China.

Type: Boot sector virus

Trigger: Random

Effects: Tries to erase information about the type of floppy and hard disk drives installed.

Melissa (WM97/Melissa)

Melissa is an email virus that uses psychological subtlety to spread rapidly. It appears to come from someone you know and to include a document you would definitely want to read. As a result, Melissa spread worldwide within a single day.

First seen: March 1999

Origin: A 31-year-old US programmer, David L Smith, posted an infected document on an alt.sex usenet newsgroup

Type: Word 97 macro virus; also Word 2000 aware

Trigger: On initial infection

Effects: Sends a message to the first fifty addresses in all the address books accessible by Microsoft Outlook, using the current user’s name in the subject line. There is an attachment containing a copy of the infected document. If the minute and day are the same when the document is opened (e.g. 10.05 am on the 5th), the virus adds text about the game Scrabble to the document.

New Zealand

New Zealand was easily the commonest virus in the early 1990s.

First seen: Late 1980s

Origin: New Zealand

AKA: Stoned

Type: Boot sector virus

Trigger: Once in 8 times, if booted from a floppy

Effects: Displays the message ‘Your PC is now Stoned!’. Puts a copy of the original boot sector in a sector that is last in the root directory of a 360K disk. This can damage larger disks.

Concept (WM/Concept)

Concept achieved instant success by being shipped accidentally on official Microsoft software. It was the first macro virus found in the wild and one of the commonest viruses in 1996-1998. The virus takes control with its AutoOpen macro, which Word runs automatically, and carries out infection with its FileSaveAs macro, which runs when Word saves a document. Many variants exist.

First seen: August 1995

Virus type: Macro virus

Trigger: None

Effects: When you open an infected document, a dialog box titled ‘Microsoft Word’ and containing the figure 1 appears. The virus includes the text ‘That’s enough to prove my point’ but this is never displayed.

CIH (Chernobyl) (W95/CIH-10xx)

CIH was the first virus to damage computer hardware. Once it overwrites the BIOS, the computer cannot be used until the BIOS chip is replaced or reprogrammed.

First seen: June 1998

Origin: Written by Chen Ing-Hau of Taiwan

Type: Parasitic virus that runs on Windows 95 computers

Trigger: April 26th, with variants which trigger on June 26th or the 26th of any month

Effects: Tries to overwrite the BIOS and then overwrites the hard disk.

Parity Boot

Parity Boot spreads on the boot sectors of floppy disks. Its success shows that boot sector viruses, which were commonest in the 1980s and early 1990s, can still thrive. This virus was still among the most commonly reported as recently as 1998. It was particularly common in Germany, where it was distributed on a magazine cover-disk in 1994.

First seen: March 1993

Origin: Possibly Germany

Type: Boot sector virus

Trigger: Random

Effect: Displays the message ‘PARITY CHECK’ and freezes the computer. This mimics a genuine memory error. As a result, users often think that there is a problem with their computer’s RAM (Random Access Memory).

Happy99 (W32/Ska-Happy99)

Happy99 was the first well-known virus to spread itself rapidly by email.

First seen: January 1999

Origin: Posted to a newsgroup by French virus writer ‘Spanska’

Type: File virus that runs on Windows 95/98/Me/NT/2000 computers.

Trigger: None

Effect: Displays a fireworks effect and the message ‘Happy New Year 1999’. The virus also modifies the file wsock32.dll in the Windows system directory so that whenever an email is sent, a second message including the virus is sent too.

Email

If you asked most people to name a single virus, the chances are it would be the Love Bug or Melissa. What these headline-hitting viruses have in common is that they spread around the world by email.

Email is now the biggest source of viruses. Why is this?

As long as viruses were transferred by floppy disk, they spread slowly. Companies could ban disks or insist on having them virus-checked. Email has changed all that. Now you can exchange files much more quickly and infecting your PC is as easy as clicking on an icon – or easier. Conventional viruses can spread faster and new kinds of virus exploit the workings of email programs.

Can you get a virus just by reading email?

Some users think they are always safe to open email as long as they don’t look at attachments. This is no longer necessarily true.

Viruses such as Kakworm and Bubbleboy can infect users when they read email. They look like any other message but contain a hidden script that runs as soon as you open the email, or even look at it in the preview pane (as long as you are using Outlook with the right version of Internet Explorer). This script can change system settings and send the virus to other users via email.

Microsoft have issued a patch that eliminates this security weakness. To download it, visit www.microsoft.com/technet/security/bulletin/ms99-032.asp

Email hoaxes

Email is a popular medium for hoaxes. These are bogus virus reports that urge you to forward the message to everyone you know.

An email hoax can spread across networks like a virus and can cause a mail overload. The difference is that the hoax doesn’t need virus code; it simply depends on users’ credulity. For more information, see the ‘Virus hoaxes’ chapter.

Viruses that spread automatically by email

The most successful viruses today are those that spread themselves automatically by email.

Typically, these viruses depend on the user clicking on an attached document. This runs a script that uses the email program to forward infected documents to other email users. Melissa, for example, sends a message to the first fifty addresses in all address books that Microsoft Outlook can access. Other viruses send themselves to every address in the address book.

What is spam?

Spam is unsolicited email, often advertising get-rich-quick schemes, home-working jobs, loans or pornographic websites. Spam often comes with fake return information, which makes it more difficult to deal with the perpetrators. Such mail should simply be deleted.


The risks of attachments

The greatest security risk at present isn’t email itself but email attachments.

Any program, document or spreadsheet that you receive by email could carry a virus; launching such an attachment can infect your computer.

Unfortunately, email attachments are a popular way to exchange information. Many users think it’s ‘harmless fun’ to circulate screensavers, greetings cards, animations or joke programs. However, such files can carry viruses.

Even an attachment that appears to be a safe type of file, e.g. a file with a .txt extension, can pose a threat. That ‘text file’ may actually be a malicious VBS script with the file extension (.vbs) hidden from view: Windows hides the extensions of known file types by default, so a file named README.TXT.vbs is displayed as README.TXT.

The VBS/Monopoly worm is an example of a malicious program disguised as entertainment. It masquerades as a ‘Bill Gates joke’, and it does display a Monopoly board with Microsoft images in it, but it also emails itself to other users and forwards your system details to specific email addresses, threatening the confidentiality of sensitive information.

Email interception and forgery

Email interception involves other users reading your email while it is in transit. You can protect yourself with email encryption.

Email forgery means sending mail with a forged sender’s address or tampering with contents. You can protect yourself by using digital signatures.


How to stop email viruses

Have a strict policy about email attachments

Changing your (and other users’) behaviour is the simplest way to combat email threats. Don’t open attachments you weren’t expecting, even if they come from your best friend: mass-mailing viruses send themselves from the address books of people you know. Don’t be tempted by promises of instant gratification or ‘harmless fun’. If you don’t know something is virus-free, treat it as if it’s infected. You should have a company policy that ALL attachments are authorised and checked with anti-virus software before being launched.

Disable Windows Scripting Host

Windows Scripting Host (WSH) automates certain actions, such as running VBScript or JScript, on Windows computers. However, WSH allows viruses like Love Bug to spread. You can probably do without WSH (but consult your network administrator first). For instructions on turning it off, see www.sophos.com/support/faqs/wsh.html. Remember that updating Windows or Internet Explorer may re-enable WSH, so check the setting again after every update.

Use anti-virus software

Use on-access anti-virus software on the desktop and at theemail gateway. Both arrangements can protect againstviruses sent via email.


The internet

The internet has made more information available to more people more quickly than ever before. The downside is that the internet has also made it easier for harmful computer code to reach office and home computers.


Click and infect?

The internet has increased the risk of infection.

Ten years ago, most viruses spread via floppy disks. Spreading in this way was slow and depended on users making a conscious effort to run new programs. If the virus had side-effects that were too obvious, it was unlikely to affect many users. Now that the internet is so widely used, everything has changed.

Sharing software over the net is easy. A click of the mouse attaches a program to an email and it’s easy to detach and run it. Users can just as easily place a program on a web page, which anyone can download. So file (or ‘parasitic’) viruses, which target programs, can thrive on the net.

The viruses that really benefit, though, are macro viruses, which affect documents. Users frequently download documents or spreadsheets, or exchange them by email. All you have to do to infect your computer is to click on a downloaded file or email attachment.

When you use the internet, open documents with a viewer that ignores macros, and don’t run programs that don’t come from a trustworthy source.


Can I be infected just by visiting websites?

Visiting a website is less hazardous than opening unknown programs or documents. There are risks, though. The threat depends on the types of code used in the site and the security measures taken by service providers and by you. Here are the main types of code you will encounter.

HTML

Web pages are written in HTML (Hypertext Markup Language). This language lets web authors format their text and create links to graphics and to other pages. HTML code itself can’t carry a virus. However, web pages can contain code that launches applications or opens documents automatically. This introduces the risk of launching an infected item.

ActiveX

ActiveX is a Microsoft technology for web developers used only on computers running Windows.

ActiveX applets, used to create visual effects on web pages, have full access to resources on your computer, which makes them a potential threat. Digital signatures, which prove that an applet comes from a named publisher and hasn’t been tampered with, do provide limited security: a signature tells you who wrote the code, not whether the code is safe.


More website code

Java

People sometimes worry unduly about Java viruses on the internet. They do so because they confuse Java applets, which are used to create effects on web pages, with Java applications and with JavaScript (which, despite the name, is a different language).

Applets are generally safe. They are run by the browser in a secure environment known as a ‘sandbox’. Even if a security flaw lets an applet escape, a malicious applet cannot spread easily. Applets usually flow from a server to users’ computers, not from one user to another (you tell your friends to visit a site, rather than sending them a copy of an applet). In addition, applets are not saved on the hard disk, except in the web cache.

If you do encounter a harmful applet, it is most likely to be a Trojan, i.e. a malicious program pretending to be legitimate software.

Java applications are simply programs written in the Java language. Like any other program, they can carry viruses. You should treat them with the same caution as you would use with other programs.

JavaScript is active script embedded in HTML code in web pages. Like any other script, it can carry out operations automatically, which carries risks. You can disable active scripts (see ‘Safety on the net’ at the end of this chapter).

VBS script

VBS (Visual Basic Script) can run as soon as a page is viewed, depending on the browser used. You don’t have to do anything to launch it.

This script is used by email worms such as Kakworm and Bubbleboy, but can just as well be run from web pages.


Backdoor Trojans

A backdoor Trojan is a program that allows someone to take control of another user’s PC via the internet.

Like other Trojans, a backdoor Trojan poses as legitimate or desirable software. When it is run (usually on a Windows 95/98 PC), it adds itself to the PC’s startup routine. The Trojan can then monitor the PC until it makes a connection to the internet. Once the PC is on-line, the person who sent the Trojan can use software on their computer to open and close programs on the infected computer, modify files and even send items to the printer. Subseven and BackOrifice are among the best known backdoor Trojans.

Are cookies a risk?

Cookies do not pose a direct threat to your computer or the data on it. However, they do threaten your confidentiality: a cookie enables a website to remember your details and keep track of your visits to the site. If you prefer to remain anonymous, you should use the security settings on your browser to disable cookies.


Attacks on web servers

End-users aren’t the only ones at risk on the internet. Some hackers target the web servers which make websites available.

A common form of attack involves sending so many requests to a web server that it slows down or crashes (a denial-of-service attack). When this happens, genuine users can no longer gain access to the websites hosted by the server.

CGI (Common Gateway Interface) scripts are another weak point. These scripts run on web servers to handle search engines, accept input from forms, and so forth. Hackers can exploit poorly-implemented CGI scripts to take control of a server: a script that passes form input straight to a shell command, for example, lets an attacker run commands of their own choosing with the web server’s privileges.
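To make the CGI weakness concrete, here is an added example (not code from the booklet) of a search handler written the dangerous way and the safe way. The product list and the hostile query are constructed; the allow-list pattern is an assumption, and the example assumes a POSIX system with grep on the PATH.

```python
"""A CGI search handler done the dangerous way and the safe way.

Added example, not from the booklet.  A search form's query is looked up
with grep in a constructed product list.  The vulnerable handler pastes the
query into a shell command line, so a query such as "widget; echo INJECTED"
makes the shell run a second command chosen by the attacker, with whatever
privileges the web server has.  The hardened handler validates the query
against an allow-list and hands it to grep as a single argv element, so no
shell ever parses it.  Assumes a POSIX system with grep on the PATH.
"""
import os
import re
import subprocess
import tempfile

PRODUCTS = b"widget 9.99\ngadget 14.50\nsprocket 2.25\n"   # constructed data
QUERY_RE = re.compile(r"[A-Za-z0-9 ]{1,64}")              # assumption: letters, digits, spaces


def write_products():
    """Write the constructed product list to a temporary file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(PRODUCTS)
    return path


def search_vulnerable(query, path):
    """DO NOT USE: the query is interpolated into a shell command line, so
    shell metacharacters (; | & $ ` and so on) in the query are obeyed."""
    cmd = f"grep -i {query} {path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL).stdout


def search_argv(query, path):
    """The query is passed as one argument and matched literally (-F);
    no shell is involved, so metacharacters are just characters."""
    result = subprocess.run(["grep", "-i", "-F", "-e", query, "--", path],
                            capture_output=True, text=True, stdin=subprocess.DEVNULL)
    return result.stdout


def valid_query(query):
    """Allow-list check: True only for short strings of letters, digits and spaces."""
    return QUERY_RE.fullmatch(query) is not None


def search_hardened(query, path):
    """Both defences together: reject anything off the allow-list, then use argv."""
    if not valid_query(query):
        return ""
    return search_argv(query, path)


def run_demo(hostile="widget; echo INJECTED"):
    """Create the product file, run every handler, clean up, and return the
    outputs keyed by handler name."""
    path = write_products()
    try:
        return {
            "vulnerable": search_vulnerable(hostile, path),
            "argv_only": search_argv(hostile, path),
            "hardened": search_hardened("widget", path),
            "hardened_hostile": search_hardened(hostile, path),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, output in run_demo().items():
        print(f"{name:17} -> {output!r}")
```

The vulnerable handler prints INJECTED because the shell split the command at the semicolon; the argv-only handler returns nothing because grep looked for the literal string and found no such product. Validation on its own is brittle (every new character someone needs becomes a hole), and argv on its own still lets odd input reach grep, so a real handler uses both.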


Safety on the net

If you want to use the internet safely, you should do the following:

Have a separate network for internet machines

Maintain separate networks for those computers that are connected to the internet and those that are not. Doing so reduces the risk that users will download infected files and spread viruses on your main network.

Use firewalls and/or routers

A firewall admits only authorised traffic to your organisation. A router controls the flow of packets of information from the internet.

Configure your internet browser for security

Disable Java or ActiveX applets, cookies, etc., or ask to be warned that such code is running. For example, in Microsoft Internet Explorer, select Tools | Internet Options | Security | Custom Level and select the security settings you want.


Mobile phones and palmtops

The last decade brought the world (wide web) to your desktop; the next will bring it to your mobile phone. You can already access internet-like sites and services on the new generation mobiles and the technology is developing fast. But as it becomes easier to transfer data – even on the move – the risk is that new security threats will emerge too.


Do mobile phone viruses exist?

At the time of writing, there is no virus that infects mobile phones, despite media stories and hoaxes.

There have been viruses that send messages to phones. For example, VBS/Timo-A, a worm that spreads itself by email, also uses the modem to send text (SMS) messages to selected mobile numbers. The notorious Love Bug virus is also capable of forwarding text to fax machines and mobiles. However, these viruses can’t infect or harm the mobile phone.

Things might change as mobile phonesbecome more sophisticated.

Do mobile devices put data at risk?

Mobile devices are not as safe a place for data as a PC:

■ They are easily lost or stolen.

■ Interruptions in power can cause data loss.

■ Data is not backed up.

As mobile devices become more complex, they could also become vulnerable to viruses or to hackers.


WAP phones and viruses

The most talked-about new technology in this field is WAP (Wireless Application Protocol).

WAP provides internet-type information and services for mobile phones and organisers. It is based on the same model as web communications, i.e. a central server delivers code that is run by a browser on your phone. So, at the moment, the possibilities for viruses are very limited.

A virus could infect the server itself, but the chances for it to spread or to have an effect on users would be minimal.

First, there is nowhere on a WAP system that a virus can copy itself or survive. Unlike a PC, a WAP phone does not store applications. The phone downloads the code it needs and keeps no copy, except temporarily in the browser cache.

Second, a virus cannot yet spread from one user to another because there is no communication between client phones.

In theory, a ‘virus’ could distribute links to malicious WAP sites, tempting users to use harmful applications, but that still involves running code from the server.

Buzzwords

WAP: Wireless Application Protocol

WML: Wireless Markup Language

WMLScript: A programming language resembling JavaScript

Cards: Pages in WML

Deck: A set of inter-related pages all available to a WAP browser without further downloads


Future risks for WAP

WAP uses a version of HTTP, the protocol for web pages, which could transmit more complex content than that processed by WAP browsers at present. A future generation of browsers might be able to download files, such as documents, that contain macro viruses.

Under WAP, the server will soon be able to push content to mobile phones. As well as alerting users to updated information (such as financial results or sports scores) or new email, ‘push’ technology could download the data to the cache – without the need for you to take any action. Malicious code could exploit this system to distribute itself.

There are other potential problems too. For instance, malicious WAP sites could pose as useful services. Such sites could crash the user’s browser or fill its memory.

Buzzwords

XML: eXtensible Markup Language, recommended for use on the world wide web

WTLS: Wireless Transport Layer Security. The encryption layer used between a WAP phone and the WAP gateway


Mobile operating systems

Palmtop computers or personal digital assistants (PDAs) are likely to provide new opportunities for viruses in the very near future.

Palmtops or PDAs run specially written or scaled-down operating systems – such as EPOC, PalmOS and PocketPC (formerly Windows CE). Such systems will eventually be able to use versions of popular desktop applications, making them vulnerable to malicious code in the same way as desktop machines. In early 2001, there were already viruses that affect the Palm system.

Palmtops are also regularly connected to home or office PCs to synchronise the data on the two machines (e.g. address book information or calendars). Such data synchronisation could allow viruses to spread easily.

No-one yet knows which will be more successful in the future: mobile computers or smart mobile phones. Whichever it is, the security risks will increase as mobile computers become better at communicating.

Buzzwords

EPOC: An operating system for palmtops

PDA: Personal Digital Assistant

PalmOS: Operating system for Palm computers

PocketPC: Microsoft’s operating system for palmtops, formerly Windows CE

UPNP: Universal Plug and Play, a Microsoft system for enabling connections between mobiles and other devices


Viruses for your fridge?

More and more different devices will soon ‘talk’ to each other using infrared links or low-power radio, bringing new security risks.

Bluetooth is a standard for low-power radio data communication over very short ranges, e.g. 10 m. Computers, mobile phones, fax machines and even domestic appliances such as video recorders or fridges can use Bluetooth to discover what services are provided by other nearby devices and to establish links with them transparently.

Software that exploits Bluetooth is emerging. Sun’s Jini technology, for example, allows devices to form connections, exchange Java code automatically and give remote control of services. The risk is that an unauthorised user, or malicious code, could exploit Bluetooth to interfere with services.

Bluetooth and Jini are designed to ensure that only trusted code from known sources can carry out sensitive operations. These measures make it unlikely that there could be a virus outbreak but if a virus does bypass security, there may be little to stop it spreading.

Buzzwords

3G: ‘Third generation’ mobile technology

Bluetooth: Short-range radio data communications

Jini: A technology to allow devices to exchange Java code

MExE: Mobile station application Execution Environment, a possible successor to WAP that would let service providers download Java code to a phone


How to protect mobile devices

As mobile and PDA technology evolves, security measures will need to keep up. The main issue is where you use anti-virus measures.

Scanning at a gateway or during data transfer

In the near future, the best way to protect mobile devices may be to check data when you transfer it to or from them. For mobile phones, for example, the WAP gateway might be a good place to install virus protection. All communications pass through this gateway in unencrypted form, so there would be an ideal opportunity for virus scanning.

For palmtop computers, you could use virus protection when the palmtop is synchronising data with a conventional PC. The PC could run the major part of the virus checking software, so the palmtop’s lack of power or memory wouldn’t matter.

Virus scanning on the mobile device

As mobile devices become more interconnected, it will become difficult to police data transfer at a central point. The solution will be to put anti-virus software on each device – once they have sufficient processing power and memory.


Ten steps to safer computing

Apart from using anti-virus software, there are plenty of simple measures you can take to help protect yourself and your company from viruses. Here are our ten top tips for trouble-free computing.


Steps to safer computing

Don’t use documents in .doc and .xls format

Save your Word documents in RTF (Rich Text Format) and your Excel spreadsheets as CSV (Comma Separated Values) files. These formats don’t support macros, so they cannot spread macro viruses, which are by far the commonest virus threat. Tell other people to supply you with RTF and CSV files. Beware, though! Some macro viruses intercept FileSaveAs RTF and save the file with an RTF extension but DOC format. To be absolutely safe, use text-only files.
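Because of the FileSaveAs trick just described, the extension alone says nothing; the first bytes of the file do. A genuine RTF file begins with the text `{\rtf`, while binary Word and Excel files are OLE2 compound documents beginning with the signature D0 CF 11 E0 A1 B1 1A E1. The check below is an added example, not code from the booklet; the set of accepted extensions is an assumption and the sample files are constructed inline.

```python
"""Content check for files that claim to be a macro-free format.

Added example, not from the booklet.  Some macro viruses intercept
FileSaveAs and write a binary Word (.doc) file under an .rtf name, so the
extension cannot be trusted.  The leading bytes can: genuine RTF starts
with "{\\rtf", and binary Word/Excel files are OLE2 compound documents
starting with D0 CF 11 E0 A1 B1 1A E1.  Sample files are constructed.
"""

OLE2_SIGNATURE = bytes.fromhex("D0CF11E0A1B11AE1")   # binary .doc/.xls container
RTF_SIGNATURE = b"{\\rtf"
ACCEPTED = {"rtf", "csv", "txt"}   # assumption: the only formats we let through


def sniff(data):
    """Classify content by its leading bytes: 'rtf', 'ole2', 'text' or 'unknown'."""
    if data.startswith(RTF_SIGNATURE):
        return "rtf"
    if data.startswith(OLE2_SIGNATURE):
        return "ole2"
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"


def is_safe_document(filename, data):
    """Return (ok, reason).  ok is True only when the content is a macro-free
    format that matches what the extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind == "ole2":
        # The case the tip describes: a binary Word/Excel file wearing a safe name.
        return False, f"{filename}: binary Word/Excel (OLE2) content despite .{ext} name; may carry macros"
    if ext not in ACCEPTED:
        return False, f"{filename}: .{ext} is not an accepted macro-free format"
    if ext == "rtf" and kind != "rtf":
        return False, f"{filename}: does not start with {{\\rtf"
    if ext in ("csv", "txt") and kind != "text":
        return False, f"{filename}: not plain text"
    return True, f"{filename}: {kind} content matches .{ext}"


SAMPLES = {                                   # constructed sample files
    "budget.csv": b"item,amount\nrent,1200\n",
    "memo.rtf": b"{\\rtf1\\ansi Hello}",
    "report.rtf": OLE2_SIGNATURE + b"\x00" * 504,   # .doc bytes saved under an .rtf name
    "notes.txt": b"plain text\n",
    "plan.doc": b"{\\rtf1 real RTF under a .doc name}",
}


def check_all(samples=SAMPLES):
    """Return {filename: ok} for every sample file."""
    return {name: is_safe_document(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, reason = is_safe_document(name, data)
        print("ACCEPT" if ok else "REJECT", reason)
```

Run on the samples, only report.rtf is rejected for the reason the tip gives; plan.doc is rejected simply because .doc is not on the accepted list, which is the policy the tip recommends.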

Don’t launch unsolicited programs or documents

If you don’t know that something is virus-free, assume it isn’t. Tell people in your organisation that they should not download unauthorised programs and documents, including screensavers or ‘joke’ programs, from the internet. Have a policy that all programs must be authorised by an IT manager and virus-checked before they are used.

Forward warnings to one authorised person only

Hoaxes are as big a problem as viruses themselves. Tell users not to forward virus warnings to their friends, colleagues or everyone in their address book. Have a company policy that all warnings go to one named person or department only.


If you don’t need WSH, turn it off

Windows Scripting Host (WSH) automates some tasks on Windows computers but it also makes you vulnerable to email viruses like Love Bug and Kakworm. Unless it is needed, disable it. For instructions, visit the FAQ page at www.sophos.com/support/faqs/wsh.html

Follow software companies’ security bulletins

Watch out for security news and download patches to protect against new virus threats. See the ‘Useful links’ chapter.

Block unwanted file types at the email gateway

Many viruses now use VBS (Visual Basic Script) and SHS (Windows scrap object) file types to spread. It is unlikely that you need to receive these file types from outside, so block them at the gateway.
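The gateway rule above and the hidden-extension warning in the Email chapter (a ‘text file’ that is really README.TXT.vbs) come down to the same check on each attachment’s full filename. The following is an added example, not code from the booklet: it parses a constructed message with Python’s standard email library and applies both rules. Only .vbs and .shs come from the booklet; the rest of the block list and the set of harmless-looking extensions are assumptions.

```python
"""Attachment policy check for a mail gateway.

Added example, not from the booklet.  It applies two rules to a constructed
message: block the script types the booklet names (VBS and SHS) and catch
the hidden-extension trick, where a name such as README.TXT.vbs is shown as
README.TXT on a Windows desktop that hides known extensions.  Everything on
the block list other than .vbs and .shs, and the harmless-looking list,
are assumptions.
"""
import email
from email import policy
from email.message import EmailMessage

BLOCKED = {"vbs", "shs",                                            # named in the booklet
           "vbe", "js", "jse", "wsf", "wsh", "scr", "pif", "exe"}   # assumption
HARMLESS_LOOKING = {"txt", "jpg", "gif", "doc", "xls", "htm", "html"}   # assumption


def classify_attachment(filename):
    """Return ('block' | 'allow', reason) for one attachment filename.
    Comparison is case-insensitive because Windows treats README.TXT.VBS
    and readme.txt.vbs identically."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    ext = parts[-1]
    if ext in BLOCKED:
        if len(parts) >= 3 and parts[-2] in HARMLESS_LOOKING:
            return "block", f"double extension: .{ext} hidden behind .{parts[-2]}"
        return "block", f"blocked file type .{ext}"
    return "allow", f".{ext} not on block list"


def check_message(raw_message):
    """Parse an RFC 822 message and return [(filename, verdict, reason), ...]
    for each attachment, in message order."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdict, reason = classify_attachment(name)
        results.append((name, verdict, reason))
    return results


def build_sample_message():
    """Constructed message: one acceptable attachment and two hostile ones."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.org"
    msg["Subject"] = "Bill Gates joke"
    msg.set_content("Thought you would enjoy this.")
    msg.add_attachment(b"{\\rtf1 harmless}", maintype="application",
                       subtype="rtf", filename="notes.rtf")
    msg.add_attachment(b'MsgBox "hello"', maintype="application",
                       subtype="octet-stream", filename="README.TXT.vbs")
    msg.add_attachment(b"\x00scrap", maintype="application",
                       subtype="octet-stream", filename="monopoly.shs")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in check_message(build_sample_message()):
        print(f"{verdict.upper():5} {name}: {reason}")
```

The decision is made on the full filename rather than the declared Content-Type, because the sender controls both and the desktop will open the file according to its real extension regardless of what the MIME header says.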

Change your computer’s bootup sequence

Most computers try to boot from floppy disk (the A: drive) first. Your IT staff should change the CMOS settings so that the computer boots from the hard disk by default. Then, even if an infected floppy is left in the computer, the computer cannot be infected by a boot sector virus. If you need to boot from floppy at any time, you can have the settings changed back.


Write-protect floppies before giving to other users

A write-protected floppy cannot be infected.

Subscribe to an email alert service

An alert service can warn you about new viruses and offer virus identities that will enable your anti-virus software to detect them. Sophos has a free alert service. For details, see http://www.sophos.com/virusinfo/notifications

Make regular backups of all programs and data

If you are infected with a virus, you will be able to restore any lost programs and data. Keep several generations of backups and virus-check them before restoring, because a backup made after the infection began may itself contain infected files.


Useful links

Visit these sites for more information

Information on viruses: http://www.sophos.com/virusinfo/analyses

Virus hoaxes and scares: http://www.sophos.com/virusinfo/hoaxes and http://www.vmyths.com

Automatic notification of new viruses: http://www.sophos.com/virusinfo/notifications

Microsoft Security Bulletins: http://www.microsoft.com/security

Netscape Security Center: http://home.netscape.com/security

Java security information: http://java.sun.com/security

The WildList Organization: http://www.wildlist.org

Virus Bulletin: http://www.virusbtn.com


Glossary


ActiveX: A Microsoft technology that extends the capabilities of a web browser.

Applet: A small application. Usually refers to Java applets (q.v.).

ASCII: American Standard Code for Information Interchange. The standard system for representing letters and symbols.

Attachment: A document, spreadsheet, graphic, program or any other kind of file attached to an email message.

Back door: An undocumented means of bypassing the normal access control system of a computer. See Backdoor Trojan.

Backdoor Trojan: A Trojan horse (q.v.) program that gives a remote user unauthorised access to and control over a computer.

Backup: A copy of computer data that is used to recreate data that has been lost, mislaid, corrupted or erased.

BIOS: The Basic Input/Output System. The lowest level of software, which interfaces directly with hardware.

Boot sector: The part of the operating system which is read into memory from disk first when a PC is switched on. The program stored in the boot sector is then run, which in turn loads the rest of the operating system.

Boot sector virus: A type of virus which subverts the booting process.

Booting: A process carried out when a computer is first switched on, in which the operating system is loaded from disk.

CGI: Common Gateway Interface. A mechanism that allows a web server to run programs or scripts and send the output to a user’s web browser.


Checksum: A value calculated from item(s) of data which can be used to verify that the data has not been altered.

Companion virus: A virus that exploits the fact that when there are two programs with the same name, the operating system uses the file extension to decide which one to run. For example, DOS computers will run a .com file in preference to an .exe file. The virus creates a .com file containing the virus code and gives it the same name as an existing .exe file.

Cookie: A small packet of data that stores information on a user’s computer. Cookies are usually used to enable a website to track visits and remember visitors’ details.

CSV: Comma Separated Values. A file format in which values (e.g. the values from an Excel spreadsheet) are shown separated by commas. The format does not support macros, so that it cannot spread macro viruses.

Digital signature: A means of ensuring that a message has not been tampered with and that it originates from the claimed sender.

DOS boot sector: The boot sector which loads DOS into PC RAM. Common point of attack by boot sector viruses.

Downloading: The transfer of data from one computer, typically a server, to another computer.

File server: A computer which provides central data storage and often other services for the workstations on the network.

File virus: See Parasitic virus.


Firewall: A security system that sits between the internet and an organisation’s network, and only passes authorised network traffic.

Floppy disk: Removable magnetic disk used to store data.

FTP: File Transfer Protocol. A system that allows internet users to connect to remote sites and upload or download files.

Gateway: Either a computer that serves for the transfer of data (e.g. a mail gateway that handles all the mail coming into an organisation), or a computer that converts data from one protocol to another.

Hacker: A computer user who attempts to gain unauthorised access to other users’ computer systems.

Hard disk: A sealed magnetic disk, generally inside a computer, which is used to store data.

Heuristic scanner: A program that detects viruses by using general rules about what viruses are like or how they behave.

Hoax: A report about a non-existent virus.

HTML: Hypertext Markup Language. The format for most documents on the web.

HTTP: Hypertext Transport Protocol. A protocol used by web servers to make documents available to web browsers.

Hypertext: Computer-readable text which allows extensive linking of files.

Internet: A network consisting of many connected networks. ‘The internet’ is by far the largest of these.


Java: Platform-independent programming language for the web, developed by Sun Microsystems. Programs written in Java are either applications or applets (small applications).

Java applet: Small application generally used to create effects on web pages. Applets are run by the browser in a safe environment (see Sandbox) and cannot make changes to your system.

Java application: Java-based program that can carry out the full functions that might be expected, e.g. saving files to disk.

Laptop: A portable computer small enough to be used on your lap.

Link virus: A virus which subverts directory entries so that they point to the virus code, allowing it to run.

Macro: Sets of instructions inside data files that can carry out program commands automatically, e.g. opening and closing files.

Macro virus: A virus which uses macros in a data file to become active and attach itself to other data files.

Master boot record: Also known as the partition sector. The first physical sector on the hard disk which is loaded and executed when the PC is booted. The most critical part of the startup code.

Modem: A MOdulator/DEModulator converts computer data into a form suitable for transmission via telephone line, radio or satellite link.

Multipartite virus: A virus which infects both boot sectors and program files.


Notebook: A computer even smaller than a laptop computer.

Operating system: The program which controls the use of the computer’s hardware resources and performs basic functions such as maintaining lists of files and running programs.

Palmtop: A computer small enough to be held in the palm of the hand.

Parasitic virus: A computer virus which attaches itself to another computer program, and is activated when that program is run.

Password: Sequence of characters which gives access to a system.

PC: Personal Computer. A desktop or portable single-user computer.

PDA: Personal Digital Assistant. A small, mobile computing device used mostly for managing data such as address books and calendars.

Polymorphic virus: Self-modifying virus. By changing its code, the virus tries to make itself harder to detect.

Proxy server: A server that makes requests to the internet on behalf of another machine. It sits between a company and the internet and can be used for security purposes.

Program: A set of instructions that specifies actions a computer should perform.

RAM: Random Access Memory. A form of temporary memory in a computer. RAM acts as the computer’s workspace, but data stored there is lost once the computer is switched off.

ROM: Read Only Memory. A form of permanent memory in a computer. A ROM is usually used to store a computer’s startup software.


RTF: Rich Text Format. A document format that does not support macros, so that it cannot spread macro viruses.

Sandbox: A mechanism for running programs in a controlled environment, particularly used with Java applets.

SHS: File extension for Windows ‘scrap object’ files. SHS files can include almost any code and run automatically if you click on them. The extension may be hidden.

SMTP: Simple Mail Transfer Protocol. The delivery system for internet email.

Spam: Unsolicited email.

Spoofing: Pretending to be someone or something else (e.g. by forging the sender’s address in email).

Stealth virus: A virus which hides its presence from the computer user and anti-virus programs, usually by trapping interrupt services.

TCP/IP: Transmission Control Protocol/Internet Protocol. The collective name for the standard internet protocols.

Trojan horse: A computer program with (undesirable) effects that are not described in its specification.

URL: Uniform Resource Locator. A web ‘address’.

VBS: Visual Basic Script. Code embedded in an application, document, or web page that can run as soon as the page is viewed.

Virus: A program which can spread across computers and networks by attaching itself to another program and making copies of itself.

Virus identity: A description of virus characteristics used for virus recognition.


Virus scanner: A program that detects viruses. Most scanners are virus-specific, i.e. they identify those viruses that are already known. See also Heuristic scanner.

WAP: Wireless Application Protocol. Internet-type protocol that provides information to mobile phones and organisers.

Web: See World wide web.

Web browser: A program used to access information on the web, i.e. the ‘client’ side of the web.

Web server: A computer connected to the internet that makes Web documents available, generally using HTTP.

WSH: Windows Scripting Host. A utility that automates certain actions, e.g. the running of VBScript or JScript, on Windows computers.

Workstation: A single-user computer, often connected to a network.

World wide web: A distributed hypertext system for the reading of documents across the internet.

Worm: A program that distributes multiple copies of itself. Unlike a virus, a worm does not need a ‘host’ program.

WWW: See World wide web.


Index

Symbols

3G 52

A

ActiveX 41, 62
anti-virus software 16–17
  checksummer 17
  heuristics 17
  scanner 16, 68
applets 42, 62
ASCII 62
attachment 62

B

back door 62
backdoor Trojan 9, 43, 62
backup 62
BIOS 62
Bluetooth 52
boot sector 62
  DOS 63
boot sector virus
booting 62
Brunner, John 18

C

CGI 44, 62
checksum 63
checksummer 17
CMOS settings 57
Cohen, Fred 18
Common Gateway Interface, see CGI
companion virus 63
cookie 43, 63
CSV format 56, 63

D

digital signature 63
DOS
  boot sector 63
downloading 63

E

email 33–37
  attachments 36
  forgery 36
  hoaxes 34
  interception 36
  spam 35, 67
  viruses 35
    prevention 37
  worm 9
EPOC 51


F

file server 63file virus 14, 63firewall 64FTP 64

H

hacker 64hard disk 64heuristic scanner 64hoaxes 23–26, 34, 64HTML 41, 64HTTP 64

I

internet 39, 64cookie 63cookies 43safety rules 45virus risks 40web servers 44websites 41

J

Java
    applets 42
    applications 42, 65

Jini 52

L

laptop 65
link virus 65

M

macro 65
macro virus 15, 19, 65
mass-mailing virus 35
master boot record 65
MBR, see master boot record
MExE 52
mobile computers 51
mobile phones 47–53
    viruses 48
modem 65
multipartite virus 65

N

notebook 66

O

operating system 66

P

PalmOS 51
palmtop 51, 53, 66
parasitic virus 14, 66
partition sector, see master boot record
PDA 51, 66
personal computer 66
PocketPC 51
polymorphic virus 18, 66

R

RAM 66
ROM 66
RTF format 56, 67


S

safety rules 55–58
sandbox 42
SMS messaging 48, 50
SMTP 67
spam 35, 67
spoofing 67
stealth virus 67

T

TCP/IP 67
Trojan horse 9, 67
    backdoor 9, 43, 62

U

UPnP 51
URL 67

V

VBS 42, 67
virus 7–22, 67
    boot sector 62
    companion 63
    defined 8
    file 14, 63
    first 18
    hoaxes 23–26, 64
    identity 67
    link 65
    macro 15, 65
    multipartite 65
    parasitic 14, 66
    polymorphic 18, 66
    prevention 16–17, 55–58
        in email 37
        on mobiles 53
        on the internet 45
    proof-of-concept 22
    scanner 16, 68
    side-effects 10
    stealth 67
    writers 21–22

von Neumann, John 18

W

WAP 68
    phones 49, 50

web 68
    browser 68
    server 44, 68

websites
    virus risks 41

Windows Scripting Host 57, 68
WML 49
workstation 68
world wide web, see web
worm 9, 68
    Christmas tree 18
    Internet 18

WTLS 50

X

XML 50


Index of viruses

Anticmos 29
BackOrifice 43
Brain 18
Bubbleboy 34
Chernobyl, see W95/CIH-10xx
CIH, see W95/CIH-10xx
Concept, see WM/Concept
Form 13, 28
Happy 99, see W32/Ska-Happy99
Jerusalem 14
Kakworm, see VBS/Kakworm
Love Bug, see VBS/LoveLet-A
Love Letter, see VBS/LoveLet-A
Melissa, see WM97/Melissa
Michelangelo 10, 19
New Zealand 30
OF97/Crown-B 15
Parity Boot 13, 32
Remote Explorer, see WNT/RemExp
Stoned, see New Zealand
Subseven 43
Troj/LoveLet-A 10
Troj/Zulu 9
VBS/Kakworm 29, 34
VBS/LoveLet-A 28
VBS/Monopoly 36
VBS/Timo-A 48
W32/ExploreZip 22
W32/Ska-Happy99 32
W95/CIH-10xx 14
WM/Concept 19, 31
WM/Polypost 20
WM/Wazzu 15
WM97/Jerk 10
WM97/Melissa 22, 30, 33
WM97/Nightshade 10
WNT/RemExp 14
XM/Compatable 10
Yankee 10

Copyright © 2001 by Sophos Plc

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior permission in writing of the copyright owner.

Any name should be assumed to be a trademark unless stated otherwise. Sophos is a trademark of Sophos Plc.

Edited and designed by Paul Oldfield.

ISBN 0-9538336-0-7

Enquiries: [email protected]
www.sophos.com