Fred's Safety Belt
~~ Fred Arshoff
Before going on to my article, I would like to thank Paula W very much for her great
help in doing some research, as well as editing the article for me.
Without her help this article wouldn't have been what it is. Thanks so
much Paula. I'd also like to thank our publisher, Linda, for allowing me to
write the security column, so I can help others learn about computer viruses
and how to avoid them.
HISTORY OF COMPUTER VIRUSES
Before going into the history, I will say that the first viruses were not as
dangerous as today's viruses. They were more like pranks that you got from
sharing floppy disks with family members or friends, or from taking work home
from the office computer to finish on your home computer. Those early viruses
didn't affect the REGISTRY, as there was none back then. In those days we used
either DOS (disk operating system) or Windows 3.x (3.0 to 3.11). Those versions
of Windows used INI FILES to store your settings, and each program usually set
up its own INI FILE. Those first viruses didn't even corrupt INI FILES. Some
children (and even some adults) would have a giggle with viruses such as the
PING PONG VIRUS, a boot-sector virus from 1988. What that virus did was bounce a
small ball (a single character) around your screen. When you were working on
your computer it could make it hard to focus on your work, but at least you
didn't lose data, have to reformat your hard drive, or reinstall your operating
system. Your AV (antivirus program) was able to detect this virus and remove it
very easily. For more information on this virus, go to these URLs and read
about its variations. Personally, I haven't seen this virus in years, but then
again, most AV will detect this one right away and give you a warning. This is
one of the reasons I highly recommend we all have an updated AV program
installed on our computers.
Sophos
About.com
After that came more pranks such as STONED, another boot-sector virus. If you
were a teenager (or even an adult) on drugs, this one would also have given you
a laugh, as on some boots it displayed the message "Your PC is now Stoned!" In
those days there was really no damage to your hard drive, or need to reinstall
your operating system, although Stoned could overwrite part of the root
directory on some floppies when it stashed the original boot sector. It was
usually received in the same way as I mentioned for the Ping Pong virus. Below
are URLs to read up more on this virus and its variations.
Sophos
Symantec
After these came viruses that were more sophisticated and carried a payload
timed to go off on a particular date. Because of this, many computer users knew
in advance that the virus would deliver its (destructive) payload on a certain
date and made sure their AV data file was up to date to detect and remove the
virus before it hit. One of the first of this type was the Michelangelo virus,
a boot-sector virus whose payload triggers on March 6, Michelangelo's birthday.
totse.com
C|net
How does the Michelangelo virus crash the hard drive of your computer on his
birthday, and how does it work?
The Michelangelo virus was first reported in April, 1991 in Sweden and the
Netherlands. The Michelangelo virus, as well as some other computer viruses,
gets on your computer by booting from an infected floppy disk. The Michelangelo
virus hides in special and important places on disks, the boot sector and
partition areas. The boot sector is the region of the disk that contains system
information and is the first sector to be read when your machine starts. The
Michelangelo virus becomes memory resident the first time the system is booted
with a Michelangelo virus-infected disk. Even if the disk is not a bootable
floppy, but just infected in the boot sector, the Michelangelo virus will become
memory resident. Once the Michelangelo virus is memory resident, it will infect
diskette boot sectors of diskettes as they are accessed. This is how the virus
spreads itself to other disks. If a Michelangelo virus-infected disk is booted
on March 6, it will activate and erase important parts of the hard disk, in
particular the system area of the hard disk. The hard disk will no longer boot
and will need to be reformatted to make the drive work again. Like a biological
virus, computer viruses need hosts to survive and reproduce. In this case the
host is your computer. If you trade or exchange disks with other people, you
should always run a virus check before you run any programs from possibly
infected disks. If you have a hard drive, never turn on or reset your computer
with a floppy in the drive. That is how the Michelangelo virus, and many others,
infects computers. If you have the Michelangelo virus infecting your hard drive,
it will infect disks as you access them and spread itself.
(David S. Lapointe, Ph.D., Computing Resources, UTHSCSA)
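The quoted explanation above describes where a boot-sector virus such as
Michelangelo lives: in the first sector of the disk, ahead of the partition
table, which is exactly the code the machine runs before DOS is loaded. The
following is an added example (not code from the column or from the UTHSCSA
text) that reads a 512-byte master boot record, checks the boot signature and
partition table, and compares the bootstrap code against a hash taken while the
machine was known to be clean. The sample sector bytes, the hypothetical
`dd if=/dev/sda bs=512 count=1 of=mbr.bin` dump command and the "known-good"
hash are assumptions for the demo, not real Michelangelo data.

```python
"""Parse a 512-byte master boot record (MBR) and check it for tampering.

Added example, not part of the column or the quoted UTHSCSA text. Feed it a
raw sector image (e.g. from `dd if=/dev/sda bs=512 count=1 of=mbr.bin`) and
the hash of the bootstrap code recorded while the machine was clean. The
bytes built below are constructed for the demo.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA = slice(0, 446)          # bootstrap code: where a boot-sector virus lives
PARTITION_TABLE = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = b"\x55\xAA"            # last two bytes of every valid MBR


def parse_partitions(mbr: bytes):
    """Return the four partition entries as dicts (empty entries included)."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    table = mbr[PARTITION_TABLE]
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        boot, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        entries.append({"bootable": boot == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, known_good_code_sha256: str):
    """Return a list of findings; an empty list means the MBR looks untouched."""
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr[CODE_AREA]).hexdigest() != known_good_code_sha256:
        findings.append("bootstrap code differs from the known-good copy")
    bootable = [p for p in parse_partitions(mbr) if p["bootable"]]
    if len(bootable) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample: given bootstrap code, one bootable partition, valid signature."""
    code = code.ljust(446, b"\x00")[:446]
    part1 = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = part1 + b"\x00" * 48  # three empty entries
    return code + table + SIGNATURE


CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"  # constructed stand-in for a clean loader
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
CLEAN_HASH = hashlib.sha256(CLEAN_MBR[CODE_AREA]).hexdigest()  # the "recorded while clean" hash
# Constructed stand-in for an infector that overwrote the loader with its own code.
INFECTED_MBR = build_sample_mbr(b"\xEB\x1C\x90" + b"VIRUS" * 8)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, CLEAN_HASH))
    print("infected:", check_mbr(INFECTED_MBR, CLEAN_HASH))
    for p in parse_partitions(INFECTED_MBR):
        print(p)
```

Take the dump after booting from clean, write-protected media: a memory-resident
boot-sector virus that is already running can intercept the sector read and
hand back the original, clean copy it saved elsewhere on the disk, so a check
run from an infected system can pass.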
Of course there are many other viruses with specific payload dates. To find
out what virus strikes at what date go to this URL:
About.com
Then came viruses that stay in memory (memory-resident viruses). Those were
harder to remove: once loaded, the virus hooks the operating system's disk and
file services, so it can reinfect files as fast as an AV program cleans them,
and some ("stealth" viruses) hide the infection by handing back the original,
clean-looking data whenever anything reads an infected sector or file. When you
get a virus that stays in memory, the only sure way to get it out of memory is
to switch the computer off (not just Ctrl-Alt-Del, which some viruses intercept
and survive), then boot from a clean, write-protected system floppy and run
your AV from there before you touch the hard drive. RAM is cleared the moment
the power goes off; leaving the machine off for a few minutes does no harm, but
it is the power-off and the clean boot, not the waiting, that removes the virus.
Question:
Every time I turn on the computer I get a message that I have a memory virus and
should shut down and restart. What is a memory virus and what can I do to
correct it?
Answer:
A memory virus is constructed to load itself into your computer's memory and to
lurk there until it can pounce and infect a program passing by.
Memory viruses vary in their virulence, but one, the Chernobyl virus, which was written
in Taiwan, is particularly vicious. It is designed to destroy all the data on
the hard drive. And that is just for starters. The Chernobyl virus will
also try to get into your BIOS - the file that sets up and controls your PC's
hardware - and short circuit it, in essence crippling the computer until you can
replace the BIOS.
To get rid of a memory virus, arm yourself with an antivirus program.
Symantec, Network Associates and Sophos are among the firms providing sound
antivirus software.
But, before you install an antivirus program, read the manual carefully, particularly
the section that details how you should proceed if your PC was infected before
you bought the program.
Next came Trojans.

What these do is give the person who wrote the Trojan complete access to your
computer: add things to your hard drive, or worse yet, steal things from you
such as your SIN (social insurance number), credit card number, etc. A Trojan
of this kind (a "remote access Trojan") is really a remote-administration
program installed without your knowledge and hidden from you. The same ability
is sold legitimately: pcAnywhere and many other packages let one person
administer another computer over a network, the difference being that you know
it is installed and you control who may connect.

Having a firewall up and running will tell you if someone is trying to connect
to your computer to steal your valuable information: a personal firewall
reports connection attempts to ports nothing on your machine should be
listening on, and many will also ask before an unknown program on your computer
is allowed to connect out. There are many firewalls available, so read what
each does before deciding on the one you will purchase. These types of Trojans
do make changes to your registry (usually a Run or RunServices entry so they
start with Windows), and before you try to remove them always read the full
instructions from your AV vendor to make sure you delete only the correct
lines. Before editing your registry I STRONGLY RECOMMEND YOU BACK IT UP to
floppy disk or CD (in case you delete the wrong line, you can restore the
registry and then try again to remove the correct line).
For more details on Trojans go to this URL
About.com
If you do get a Trojan, here is a site that will give you step-by-step
instructions for removing Trojans.
Sophos
Below is a URL for information on one of the newest Trojans to come out:
Sophos
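The registry backup the column recommends is also the easiest place to look for
a Trojan's autostart entry: export the key with `regedit /e run.reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion` and you have both
a restorable copy and a text file you can search. The following is an added
example (not the column's code and not any AV vendor's removal tool) that reads
such a .reg export, picks out every value under a Run, RunOnce or RunServices
key, and flags the ones that start a program from somewhere a legitimate
autostart entry normally would not. The export text, value names and paths in
it are constructed for the demo, and the list of "expected" directories is an
assumption you should adjust to your own machine.

```python
"""List the programs a .reg export starts automatically and flag odd ones.

Added example, not from the column or any AV vendor's instructions. The
export below is constructed for the demo (all names and paths are made up).
On a real machine, export the key with regedit, run this over the file, and
compare the flagged lines with your AV vendor's write-up before deleting.
"""
import re

AUTOSTART_KEYS = ("\\Run", "\\RunOnce", "\\RunServices", "\\RunServicesOnce")
# Directories a legitimate autostart entry usually lives in (assumption for the demo).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\winnt\\")

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"AVMonitor"="C:\\Program Files\\AV\\avmon.exe"
"SysTray32"="C:\\WINDOWS\\TEMP\\systray32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Netmon"="c:\\windows\\system\\netmon.exe /hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Notepad++"="C:\\Program Files\\Notepad++\\uninstall.exe"
"""

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new key section
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, data = m.groups()
                # .reg files double every backslash; undo that for the real path
                yield key, name, data.replace("\\\\", "\\")


def autostart_entries(text):
    """Return the autostart values, each with a 'suspicious' flag."""
    results = []
    for key, name, cmd in parse_reg(text):
        if not key.endswith(AUTOSTART_KEYS):
            continue
        exe = cmd.lower().lstrip('"')
        # Flag programs outside the usual system/program directories, or in a TEMP folder.
        suspicious = not exe.startswith(EXPECTED_DIRS) or "\\temp\\" in exe
        results.append({"key": key.rsplit("\\", 1)[1], "name": name,
                        "command": cmd, "suspicious": suspicious})
    return results


if __name__ == "__main__":
    for e in autostart_entries(SAMPLE_REG):
        mark = "CHECK" if e["suspicious"] else "ok   "
        print(f'{mark} {e["key"]:<12} {e["name"]:<14} {e["command"]}')
```

The flag is only a prompt to look closer: a Trojan can just as well sit in
C:\WINDOWS under a system-looking name (Netmon above is not flagged), so the
vendor's instructions, not this script, decide which line to delete.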
Around the same time came macro viruses, which mostly infect MS Office programs
and, in particular, Word and Excel. I won't go into too much detail about this
type of virus, as it will be the topic for next month, but will tell you a few
things now. Any program which allows automatically executed macros is a
potential target for macro virus writers.

Word macro viruses:
Documents in Microsoft Word can contain macros, which are preset action
sequences usually invoked by a single keystroke or menu choice. A document or
template can also contain auto macros, which run without being asked: AutoExec
when Word starts, AutoOpen when the document is opened, AutoClose when it is
closed, and so on. A macro can also be given the name of a built-in command
(FileSave, FileSaveAs, ToolsMacro) so that it runs in place of that command.
These macros can be used to conceal viruses! Word macro viruses replicate by
first copying themselves into the global template (NORMAL.DOT) and from there
into any Word document which is saved while they are running, which they do by
capturing the File>Save or File>Save As command. The first Word macro virus
appeared in 1995, and by the late 1990s macro viruses were the most common kind
of virus reported.
Here are some examples:
- CONCEPT:
The original Word macro virus (1995). It only tested the macro virus concept
and carries no damaging payload; it spreads by taking over FileSaveAs.
- WAZZU:
This one scrambles occasional lines of Word documents and inserts the word
"wazzu" at random places within your document.
- NUCLEAR:
writes "End French Nuclear Testing in the Pacific" at the end of any document
which is printed during the last 4 seconds of a minute. It also tries to drop a
conventional DOS file-infecting virus onto the system.
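The replication pattern described above (an auto macro or a macro named after a
built-in command, plus something that copies the macros into the global
template or the document being saved) is what a quick check of a document's
macro source should look for. The following is an added example, not code from
the column: it takes VBA/WordBasic source text you have already pulled out of a
document with a macro-extraction tool (it does not open .doc files itself) and
reports auto macros, intercepted commands and self-copy statements. The two
macro listings are constructed for the demo, do nothing harmful, and the name
lists are assumptions you can extend.

```python
"""Flag the macro names and calls a Word macro virus relies on.

Added example, not code from the column. Input is macro source text already
extracted from a document; the two listings below are constructed and inert.
"""
import re

# Macros Word runs on its own (AutoExec at startup, AutoOpen when a document opens, ...).
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit"}
# Built-in commands a macro replaces simply by taking their name.
INTERCEPTED_COMMANDS = {"filesave", "filesaveas", "fileclose", "toolsmacro", "fileprint"}
# Statements used to copy macros into the global template or another document.
COPY_CALLS = ("macrocopy", "organizercopy", ".copy", "normaltemplate")

SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(\w+)", re.IGNORECASE | re.MULTILINE)

BENIGN = """\
Sub InsertDate
    Selection.InsertDateTime
End Sub
"""

SUSPICIOUS = """\
Sub AutoOpen
    Application.DisplayStatusBar = False
    MacroCopy "Resume.doc:AutoOpen", "Global:AutoOpen"
End Sub

Sub FileSaveAs
    MacroCopy "Global:AutoOpen", FileName$() + ":AutoOpen"
    Dialogs(wdDialogFileSaveAs).Show
End Sub
"""


def scan_macros(source):
    """Report which auto macros, intercepted commands and copy calls appear."""
    names = [m.group(1) for m in SUB_RE.finditer(source)]
    body = source.lower()
    return {
        "macros": names,
        "auto_macros": sorted(n for n in names if n.lower() in AUTO_MACROS),
        "intercepts": sorted(n for n in names if n.lower() in INTERCEPTED_COMMANDS),
        "copies_itself": any(call in body for call in COPY_CALLS),
    }


def is_virus_like(source):
    """Auto-run (or command takeover) plus self-copy is the replication pattern."""
    r = scan_macros(source)
    return bool(r["auto_macros"] or r["intercepts"]) and r["copies_itself"]


if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, is_virus_like(src), scan_macros(src))
```

An AutoOpen macro on its own is not a virus (plenty of legitimate templates
have one), which is why the verdict requires the self-copy half as well; a
scanner that fires on every auto macro trains people to ignore it.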
Last but not least is the worm:
These are the e-mail viruses that send themselves to people in your address
book, and perhaps to everyone in your inbox, without your knowledge. They
usually arrive as attachments, and the best way to avoid them is not to open an
attachment unless you were told to expect it and it is the same size you were
told it was. Check the real file type too: a worm will often name itself
something like "picture.jpg.exe", or use an extension such as .pif or .scr that
Windows runs as a program, and some (Melissa, for one) travel inside a Word
document as a macro rather than as a program. Here are some URLs about some
popular worms:
Badtrans
About.com
Explore.zip
Symantec
Melissa
Sophos
Symantec
This will give you a choice of which variant of this worm you wish to read about.
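The two checks above (was this attachment expected, and is it the size you were
told?) plus a look at what the file really is can be done before the attachment
is ever opened. The following is an added example, not code from the column: it
parses a raw e-mail, lists its attachments, and gives a verdict for each based
on the announced size, the extension (including the double-extension trick),
and the first bytes of the content. The message, addresses and the tiny
attachment body are constructed for the demo, and the `expected` sizes stand
for whatever the sender told you out of band.

```python
"""Check an e-mail's attachments before opening them.

Added example, not code from the column. The message below is constructed
(names, addresses and attachment contents are made up).
"""
from email import message_from_string, policy

# Extensions Windows runs on double-click; worms of this era shipped as these.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "vbs", "js", "lnk"}
# Office types that can carry macros (Melissa travelled as one of these).
MACRO_EXTS = {"doc", "dot", "xls"}
# Harmless-looking extensions a worm puts in front of the real one.
DECOY_EXTS = {"jpg", "gif", "txt", "doc", "mp3"}

SAMPLE_EMAIL = """\
From: "Jane" <jane@example.org>
To: fred@example.org
Subject: Re: your pictures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hi, here are the files you asked for.
--XYZ
Content-Type: application/octet-stream; name="holiday.jpg.pif"
Content-Disposition: attachment; filename="holiday.jpg.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--XYZ--
"""


def attachments(raw):
    """Return [(filename, size_in_bytes, first_two_bytes)] for each attachment."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        found.append((name, len(data), data[:2]))
    return found


def assess(raw, expected=None):
    """Return [(filename, verdict)]; `expected` maps filename -> size the sender announced."""
    expected = expected or {}
    verdicts = []
    for name, size, magic in attachments(raw):
        parts = name.lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        reasons = []
        if name not in expected:
            reasons.append("not expected")
        elif expected[name] != size:
            reasons.append(f"size {size} != announced {expected[name]}")
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable type")
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            reasons.append("double extension")
        if magic == b"MZ":                      # DOS/Windows executable header
            reasons.append("content is a Windows program")
        if ext in MACRO_EXTS:
            reasons.append("may contain macros")
        verdicts.append((name, "do not open: " + "; ".join(reasons) if reasons else "ok"))
    return verdicts


if __name__ == "__main__":
    for name, verdict in assess(SAMPLE_EMAIL, expected={"notes.txt": 15}):
        print(f"{name}: {verdict}")
```

The content check matters because the extension is the sender's claim, not the
file's: a worm can call itself "holiday.jpg.pif" and Windows, with "hide
extensions for known file types" on, shows you "holiday.jpg".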
Until next month, let's all stay virus free and be careful of what attachments
we open to avoid getting a computer virus. They can be much more costly than a
virus we humans can catch.
I do hope you enjoy reading my column as much as I enjoy putting it together
for you and helping you learn about computer viruses.
Fred Arshoff is self-employed in the computer industry, where his favorite
thing is troubleshooting security and virus issues. He runs two Yahoo groups:
Fred's Findings and Fred's Virus Info.