What is a Computer Virus?
While there is no universally accepted definition of the term computer virus, the following loose definition should suffice: a computer virus is executable code that, when run by someone, infects or attaches itself to other executable code on a computer in an effort to reproduce itself. Some computer viruses are malicious, erasing files or locking up systems; others cause problems solely through the act of infecting other code. In either case, a virus infection should not go untreated.
Closely related to computer viruses are Trojan Horses and worms. A Trojan Horse is a program that performs some undesired but intended action while, or in addition to, pretending to do something else. One common class of Trojans is the fake login program, which collects account names and passwords by prompting for them just as the real login program does. Another is a disk defragmenter that erases files rather than reorganizing them. A Trojan Horse differs from a virus in that it does not attempt to reproduce itself. A worm is self-contained code that propagates itself, typically across a network, without needing to attach itself to a host program.
Viruses come in many shapes and sizes, such as:
File infectors: These viruses attach themselves to regular programs, such as COM or EXE files under DOS, and are therefore invoked each time the infected program is run.
Cluster infectors: These modify file-system structures (for example directory entries) so that the virus code is run before the program the user asked for. Note that, unlike file infectors, they do not actually attach themselves to programs.
Macro viruses: Word processing documents can serve as carriers for viruses that take advantage of the auto-executing macro capabilities of products such as Microsoft Word. The virus, written in the product's macro language, spreads simply because an infected document is opened.
System infectors: Operating systems typically set aside a portion of each disk for the code that boots the computer. Under DOS this area is the boot sector on floppies; hard disks have a master boot record (MBR) as well as a boot sector in each partition. System infectors store themselves in this area and are therefore invoked whenever an attempt is made to boot from that disk.
A virus must be executed by someone, perhaps unwittingly, in order to spread. Period. Some ways in which this occurs include:
Booting from an infected floppy: System infectors are loaded each time an infected disk is used to boot the system. This happens even if the disk does not hold the files needed to actually boot the computer, as is the case with most floppies. On PCs, the initial infection typically occurs when someone boots, or reboots, a computer with an infected floppy accidentally left in drive A. It is a good habit to check for and remove any floppies in the drives before booting your machine.
Running an infected program: Each time a program infected with a file infector is run, the virus spreads. For this reason, you should scan for viruses any program you obtain from a BBS, the net, a colleague, etc. There have even been cases of commercial, shrink-wrapped software infected with viruses!
Keep in mind, however, that some computer viruses are malicious and do cause damage. Do you have a regular backup system in place?
Keep an eye out for virus scares and hoaxes, which perennially circulate through e-mail and electronic conferences. Check first before you forward any virus-related message that urges you to send it along to as many people as possible.
Microsoft Word Macro Virus
These viruses are collections of macros for MS Word that can infect documents and document templates under Word 6.0 (on both the Windows and Mac platforms). The most common of them (WordMacro/Concept, described below) is non-destructive, but it attaches itself to any Word document you create with File, Save As.
Macro viruses are viruses written in the macro language of an application. Such viruses can be written for several applications, but so far only viruses for Microsoft Word, Microsoft Excel and Lotus Ami Pro have been seen. Of these, the Word macro viruses are by far the biggest problem currently.
WordMacro/Concept is executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which can also hold macros). If it finds either the macro "PayLoad" or "FileSaveAs" already in the template, it assumes that the template is already infected and stops.
If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT, it copies the viral macros to the template and displays a small dialog box. The box contains the number "1" and an "OK" button, and its title bar identifies it as a Word dialog box. This was apparently meant to be a generation counter, but it does not work as intended. The dialog is only shown during the initial infection of NORMAL.DOT.
After the virus has infected the global template, it infects every document created with the File/Save As command. It then spreads to other systems on those documents: when a user opens an infected document on a clean system, the virus infects that system's global template.
The virus consists of the following macros:
AAAZAO AAAZFS AutoOpen FileSaveAs PayLoad
Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and some users may already have macros by these names in their documents and templates. In this context, "PayLoad" sounds very ominous. It contains only the text:
Sub MAIN
REM That's enough to prove my point
End Sub
However, the "PayLoad" macro is not executed at any time.
You can detect the presence of WordMacro/Concept on your system by selecting the Macro command from Word's Tools menu. If the macro list contains a macro named "AAAZFS", your system is infected.
You can prevent the virus from infecting your system by creating a macro named "PayLoad" that does nothing. The virus will then consider your system already infected and will not try to infect the global template NORMAL.DOT. This is only a temporary solution, though: somebody could modify the virus's "AutoOpen" macro to infect the system regardless of whether NORMAL.DOT contains the macros "FileSaveAs" or "PayLoad".
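To make the propagation and inoculation logic above concrete, here is a small model of it in Python. This is an added example, not code from the original page or from any anti-virus vendor: documents and NORMAL.DOT are represented as sets of macro names, and the honour_markers flag models the hypothetical modified AutoOpen that ignores the "PayLoad"/"FileSaveAs" check; no such variant is described on this page.

```python
"""Model of WordMacro/Concept's spread and of the "PayLoad" inoculation trick.

Added example, not code from the original page. Documents and the global
template are modelled as sets of macro names, and the two viral hooks the
text describes (AutoOpen on document open, FileSaveAs on File/Save As) are
simulated. honour_markers=False models the hypothetical modified AutoOpen
the text warns about; no such variant is described on this page.
"""

CONCEPT_MACROS = frozenset({"AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"})
# Concept treats either of these names in NORMAL.DOT as "already infected".
CONCEPT_MARKERS = frozenset({"PayLoad", "FileSaveAs"})


def is_concept_infected(macros):
    """AAAZFS is the distinctive name; AutoOpen/FileSaveAs/PayLoad can be legitimate."""
    return "AAAZFS" in macros


class WordSession:
    """One Word installation: its global template (NORMAL.DOT) as a set of macro names."""

    def __init__(self, normal_dot=(), honour_markers=True):
        self.normal_dot = set(normal_dot)
        self.honour_markers = honour_markers  # assumption: False = marker check removed

    def open_document(self, doc):
        """Simulates opening a document. If the document carries Concept, its
        AutoOpen runs and copies the viral macros into NORMAL.DOT, unless a marker
        macro is already there. Returns True if NORMAL.DOT became infected now."""
        if not is_concept_infected(doc):
            return False
        if self.honour_markers and (self.normal_dot & CONCEPT_MARKERS):
            return False  # virus assumes the template is already infected and stops
        self.normal_dot |= CONCEPT_MACROS
        return True

    def save_as(self, doc):
        """Simulates File/Save As. An infected NORMAL.DOT supplies the viral
        FileSaveAs macro, which copies the virus into the saved document.
        Returns the macro set of the saved document."""
        saved = set(doc)
        if is_concept_infected(self.normal_dot):
            saved |= CONCEPT_MACROS
        return saved


def inoculate(session):
    """The countermeasure from the text: an empty macro named PayLoad in NORMAL.DOT."""
    session.normal_dot.add("PayLoad")
    return session
```

Opening an infected document in a fresh session infects NORMAL.DOT and every document saved with File/Save As from then on; an inoculated session stays clean, but only while the virus still honours its own markers.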
Concept replicates only under English versions of Word. However, one version translated to work under French Word has been found. This variant is known as WordMacro/Concept.Fr.
WordMacro/Nuclear was recently discovered. Like WordMacro/DMV and WordMacro/Concept, it spreads through Microsoft Word documents. The new virus was first spotted on an FTP site on the Internet, in a publicly accessible area which has in the past been a notorious distribution site for viral code. Apparently the virus's distributor has some sense of irony: the virus was attached to a document describing an earlier Word macro virus, WordMacro/Concept.
Whereas WordMacro/DMV is a test virus and WordMacro/Concept is only potentially harmful, WordMacro/Nuclear is destructive, harmful and generally obnoxious. It consists of a number of Word macros attached to documents. When an infected document is opened, the virus is executed and tries to infect Word's global document template, NORMAL.DOT.
Unlike WordMacro/Concept, which pops up a dialog box when it infects NORMAL.DOT, WordMacro/Nuclear does not announce its arrival in the system. Instead, it lies low and infects every document created with the File/Save As command by attaching its own macros to it. The virus tries to hide its presence by switching off the "Prompt to save NORMAL.DOT" option (in the Options dialog, opened from the Tools menu) every time a document is closed. That way the user is no longer asked whether changes to NORMAL.DOT should be saved, and the virus is that much more likely to go unnoticed. Many users relied on this option to protect themselves against WordMacro/Concept, but it obviously no longer works against Nuclear.
WordMacro/Nuclear contains several potentially destructive and irritating routines. The next time Word is started after the initial infection, one of its constituent macros, "DropSuriv", reads the computer's clock. If the time is between 17:00 and 17:59, the virus tries to drop a more traditional DOS/Windows file virus called "Ph33r" onto the system (as the virus's author comments in the code: "5PM - approx. time before work is finished"). "Suriv" is, of course, "Virus" spelled backwards. However, due to an error, this routine does not work as intended in any of the popular operating environments.
Another of the virus's macros, "PayLoad", tries to delete the system files IO.SYS, MSDOS.SYS and COMMAND.COM whenever the date is the fifth of April. The attempt fails due to a programming error (virus authors never seem to test the destructive parts of their code). Finally, the virus adds the following two lines:
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC
to the end of any document printed or faxed from Word during the last five seconds of any minute. Since the text is added only at print time, the user is unlikely to notice the embarrassing addition. This function is handled by the viral macro "InsertPayload".
The virus can be detected by selecting the Macro command from the Tools menu and checking whether the macro list contains any curiously named macros. "DropSuriv" and "InsertPayload" are obvious giveaways.
WordMacro/Colors
This macro virus is also known as the Rainbow virus. It infects Word documents in a similar manner to the previous Word macro viruses, except that it does not rely only on the auto-execute macros to operate. Thus the virus is able to execute even if automacros are turned off. Colors contains the following macros:
AutoClose AutoExec AutoOpen FileExit FileNew FileSave FileSaveAs ToolsMacro macros (the last of these is a macro literally named "macros")
All macros are encrypted with the standard Word execute-only feature.
Once an infected document has been opened, the virus executes when the user:
Creates a new file
Closes the infected file
Saves the file (autosave does this automatically after the infected document has been open for some time)
Lists macros with the Tools/Macro command
It is important not to use the Tools/Macro command to check if you are infected with this virus, as you will just execute the virus while doing this. Instead, use File/Templates/Organizer/Macros command to detect and delete the offending macros. Do note that a future macro virus will probably subvert this command as well.
The virus maintains a generation counter in WIN.INI: a line "countersu=" in the [windows] section is incremented each time the macros execute. At every 300th increment the virus modifies the system colour settings, so that the colours of various Windows objects change to random colours after the next boot-up. This activation routine does not work under Microsoft Word for Macintosh.
It is interesting to note that the AutoExec macro in the virus is empty. It is probably included just to overwrite an existing AutoExec macro - which might contain some antivirus routines. WordMacro/Colors also enables the automatic execution of automacros if they have been disabled, and turns off the 'prompt to save changes to NORMAL.DOT' feature, both of which have been used to fight macro viruses.
WordMacro/Hot
Hot spreads in a similar manner to WordMacro/Concept: when an infected DOC is first opened, the virus modifies the NORMAL.DOT file and thereafter spreads to other documents.
Unlike the earlier Word macro viruses, Hot does not replicate with the File/Save As command - it infects only during the basic File/Save command. This means that Hot will infect only existing documents in the system - not new ones.
Infected documents contain the following four macros, which are visible in the macro list:
AutoOpen DrawBringInFrOut InsertPBreak ToolsRepaginat
When Hot infects NORMAL.DOT, it renames these macros to:
StartOfDoc AutoOpen InsertPageBreak FileSave
Macros have been saved with the 'execute-only' feature, which means that a user can't view or edit them.
WordMacro/Hot contains a counter. It adds a line like this to the WINWORD6.INI file:
QLHot=35112
The number is a day count (the number of days elapsed in this century on the day of infection). Hot adds 14 to it and does not activate until that 14-day latency period has passed; it spreads normally in the meantime.
After the 14-day pause, there is a 1 in 7 chance that a document will be erased when it is opened: the virus deletes all text and re-saves the document. Hot does not do this if it finds a file called EGA5.CPI in the C:\DOS directory. A comment in the source code of the virus hints that this feature was added so that the author of the virus and his friends could protect themselves from the activation damage:
'---------------------------------------------------------------
'- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
'- and if File C:\DOS\ega5.cpi not exist (not for OUR friends) -
'---------------------------------------------------------------
By default, there is no file by the name EGA5.CPI in MS-DOS distributions.
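The two INI counters (Colors' countersu in WIN.INI, Hot's QLHot in WINWORD6.INI) are useful indicators of compromise because a macro list can be renamed or hidden but the counter files are plain text. The following Python is an added example, not code from the page or from any anti-virus vendor; the sample INI contents are constructed, and the interpretation of QLHot as days since 1900-01-01 is an assumption made here (the text only says the number counts days in this century).

```python
"""IOC check for the counters WordMacro/Colors and WordMacro/Hot leave in INI files.

Added example, not code from the original page. It parses the two files the
descriptions name (WIN.INI for Colors' "countersu" key in [windows],
WINWORD6.INI for Hot's "QLHot" key), reports what it finds, and turns Hot's
day number into an infection date. The epoch is an assumption: the text only
says the number counts days in this century, so 1900-01-01 is used here.
The sample file contents are constructed, not taken from a real machine.
"""
import configparser
import datetime

COLORS_PERIOD = 300          # Colors changes the Windows colours every 300th run
HOT_LATENCY_DAYS = 14        # Hot waits 14 days after infection before activating
HOT_EPOCH = datetime.date(1900, 1, 1)   # assumed day 0 of the QLHot counter

# Constructed sample files, as they might look on an infected Windows 3.1 PC.
SAMPLE_WIN_INI = """\
[windows]
load=
run=
countersu=601
[Desktop]
Wallpaper=(None)
"""

SAMPLE_WINWORD6_INI = """\
[Microsoft Word]
DOC-PATH=C:\\WINWORD
QLHot=35112
"""


def _parse_ini(text):
    # Windows INI files are case-insensitive and may repeat keys; be lenient.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def check_colors(win_ini_text):
    """Return Colors' generation counter and the number of macro executions
    left before the next colour change, or None if WIN.INI has no countersu key."""
    cp = _parse_ini(win_ini_text)
    if not cp.has_option("windows", "countersu"):
        return None
    count = int(cp.get("windows", "countersu"))
    return {"counter": count,
            "runs_until_next_colour_change": COLORS_PERIOD - count % COLORS_PERIOD}


def check_hot(winword_ini_text, today_iso):
    """Return Hot's stored day number, the inferred infection date (ISO string)
    and whether the 14-day latency has expired on today_iso (YYYY-MM-DD),
    or None if no QLHot key exists in any section."""
    cp = _parse_ini(winword_ini_text)
    today = datetime.date.fromisoformat(today_iso)
    for section in cp.sections():
        if cp.has_option(section, "QLHot"):
            day_no = int(cp.get(section, "QLHot"))
            infected_on = HOT_EPOCH + datetime.timedelta(days=day_no)
            armed = today >= infected_on + datetime.timedelta(days=HOT_LATENCY_DAYS)
            return {"day_no": day_no, "infected_on": infected_on.isoformat(), "armed": armed}
    return None
```

Under the stated epoch, the value 35112 quoted in the text corresponds to 19 February 1996, so the sample installation would be armed from 4 March 1996 onward; a different epoch shifts the date but not the 14-day logic.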
WordMacro/Hot was the first macro virus to use external functions, a mechanism that lets Word macros call any Windows API function. Because the declarations it uses are specific to Windows 3.1x, WordMacro/Hot cannot spread under Word for Macintosh or Word 7 for Windows 95: opening an infected document there just produces an error message.
WordMacro/Atom
WordMacro/Atom is quite similar to WordMacro/Concept, with the following differences:
All the macros in this virus are encrypted (Word's execute-only feature)
The virus replicates when files are opened as well as when they are saved
The virus has two destructive payloads
The first activation happens when the date is December 13th: the virus attempts to delete all files in the current directory.
The second activation happens when a File/Save As command is issued and the seconds of the clock equal 13. If so, the virus password-protects the document with the password ATOM#1, making it inaccessible to the user from then on. Several other viruses use passwords as well.
It is not easy to give a search string for this virus: some of its replicants are in files password-protected by the virus, and thus contain no constant, user-definable search string.
Disabling automacros will make Atom unable to execute and spread. Turning on the Prompt to save NORMAL.DOT setting will make Atom unable to infect NORMAL.DOT, but it will still be able to infect documents that are opened or saved during the same Word session.
Other Word macro viruses and Trojans
Roughly two thirds of known macro viruses are able to spread under any language version of Word. There are also several Trojans written in the Word macro language. These typically delete data as soon as the trojanized document is opened. Since they do not spread by themselves, they are not widespread and are not considered a significant threat.
Some known macro Trojans are WordTrojan/FormatC, WordTrojan/WeideroffnenC, WordTrojan/Concept.L.Drp and WordTrojan/Concept.M.Drp.
Protecting yourself against Word macro viruses
There is a generic way to protect Word against some macro viruses. However, it should not be relied on alone, as it cannot stop even all known macro viruses. Select the Macro command from the Tools menu and create a new macro called "AutoExec". Write the following commands into the macro and save it:
Sub MAIN
REM Word runs AutoExec at startup; DisableAutoMacros switches off the
REM AutoOpen/AutoClose/AutoNew/AutoExit hooks until Word is restarted.
DisableAutoMacros
REM 64 = information icon on the message box
MsgBox "AutoMacros are now turned off.", "Virus protection", 64
End Sub
This macro will be executed automatically when Word starts. It will disable the feature which viruses like Concept, DMV and Nuclear use to attack the system. However, there are ways to create macro viruses that are able to bypass such protection.
Other generic ways to protect against macro viruses:
Use Word 1.0 or 2.0 instead of Word 6.0 or 7.0
Use WordPerfect, Ami Pro or Word Pro instead of Microsoft Word
Use Word Viewer and WordPad instead of Word
Exchange files as RTF (Rich Text Format) files instead of DOC files
Upgrade to Word 7.0a or Word 97 and turn on macro protection. Most macro viruses do not operate under Word 97 anyway.
ExcelMacro/Laroux
Once the Excel environment has been infected by this virus, the virus is active whenever Excel is loaded and infects any new Excel workbook that is created, as well as existing workbooks when they are accessed. The virus spreads from one machine to another when XLS files are exchanged over a local network, over the Internet, by e-mail or on diskette.
ExcelMacro/Laroux was written in Visual Basic for Applications (VBA), a macro language based on Microsoft's Visual Basic. The virus is able to operate under Excel 5.x and 7.x on Windows 3.x, Windows 95 and Windows NT. It does not work under any version of Excel for Macintosh or under Excel 3.x or 4.x for Windows. It also fails under some localized versions of Excel but works under others (for example, it will not work under French Excel but replicates fine under Finnish Excel), depending on how the translation was done.
ExcelMacro/Laroux consists of two macros, auto_open and check_files. The auto_open macro executes whenever an infected spreadsheet is opened, followed by the check_files macro, which determines the startup path of Excel. If there is no file named PERSONAL.XLS in the startup path, the virus creates one. This file contains a module called "laroux".
PERSONAL.XLS is the default filename for macros recorded under Excel, so you might have a PERSONAL.XLS on your system even though you are not infected by this virus. The startup path is by default \MSOFFICE\EXCEL\XLSTART, but it can be changed from Excel's Tools/Options/General/Alternate Startup File option.
If an infected workbook resides on a write-protected floppy, an error will occur when Excel tries to open it and the virus will not be able to replicate.
ExcelMacro/Laroux is not intentionally destructive and contains no payload; it just replicates.
Six months after the first Excel macro virus, four different viruses were found:
ExcelMacro/Laroux.A
ExcelMacro/Laroux.B
ExcelMacro/Sofa
ExcelMacro/Delta
The number of Excel macro viruses continues to rise.
Detecting & Cleaning Laroux and Laroux B:
A free tool that detects and cleans infected Microsoft Excel spreadsheets is available now on
To manually determine if you have the virus:
Start Microsoft Excel.
Click Macro on the Tools menu.
Infection is likely if the following macro names are listed:
Auto_Open
Check_files
PERSONAL.XLS!auto_open
PERSONAL.XLS!check_files
If you have any infected workbooks open in the background, you may also see the following names listed:
'bookname'!auto_open
'bookname'!check_files
(where 'bookname' is the name of the open workbook).
Before disinfecting your files, confirm the existence of the macro by clicking Unhide on the Window menu and unhide the Personal.xls file. This should make the sheet visible. Presence of the virus is indicated by the word "laroux" in the sheet tab.
To manually disinfect ExcelMacro/Laroux:
Start Microsoft Excel.
Click Macro on the Tools menu.
Delete any of the following macro names that appear in your workbook:
Auto_Open
Check_files
PERSONAL.XLS!auto_open
PERSONAL.XLS!check_files
Click Exit on the Microsoft Excel File menu and click Yes to save all changes. Microsoft Excel is now clean.
Continue to open all infected workbooks one by one. Press and hold the shift key while you open them to bypass any automacros.
For each workbook, click Macro on the Tools menu and delete the virus macros*.
Click Save on the File menu and re-save the file.
*Note: If the macro name, ‘auto_open’ is visible, but ‘check_files’ is not, the file may not be infected.
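The detection notes for Concept, Nuclear, Hot and Laroux above all amount to matching macro names against known lists, with two traps: AutoOpen, FileSaveAs, auto_open and friends are legitimate names, and Hot renames its macros once it is in NORMAL.DOT. The Python below is an added example, not code from the page or from any anti-virus product; it takes a macro-name list as the Organizer or Tools/Macro dialog would display it (collecting that list is outside the snippet) and encodes only the names quoted in the descriptions above.

```python
"""Macro-name signature matching for the Word and Excel macro viruses described
on this page. Added example, not code from the page or from any anti-virus
product. Its input is the list of macro names as displayed by Word's
File/Templates/Organizer/Macros (preferred over Tools/Macro because of Colors)
or by Excel's Tools/Macro dialog; obtaining that list is outside this snippet.
The signatures are taken from the macro lists quoted in the descriptions.
"""

# Names that occur legitimately in user templates (auto macros, overridden
# built-in commands, the PayLoad inoculation macro). Never sufficient alone.
BENIGN = {"autoopen", "autoclose", "autoexec", "autonew", "autoexit",
          "filesave", "filesaveas", "filenew", "fileexit", "toolsmacro",
          "insertpagebreak", "payload", "auto_open"}

# (virus, names that must all be present). Each rule contains at least one
# distinctive (non-benign) name, otherwise it could never fire.
SIGNATURES = [
    ("WordMacro/Concept", {"aaazfs"}),
    ("WordMacro/Nuclear", {"dropsuriv", "insertpayload"}),
    ("WordMacro/Colors", {"macros", "toolsmacro", "fileexit"}),
    ("WordMacro/Hot (document)", {"drawbringinfrout", "insertpbreak", "toolsrepaginat"}),
    ("WordMacro/Hot (NORMAL.DOT)", {"startofdoc", "insertpagebreak", "filesave"}),
    ("ExcelMacro/Laroux", {"auto_open", "check_files"}),
]

# Other names the listed viruses carry; not used to decide, but not "unknown".
KNOWN_VIRAL = {"aaazao"}


def normalize(name):
    """Excel lists macros as PERSONAL.XLS!auto_open or 'Book1.xls'!check_files;
    keep only the macro name. Word and Excel match names case-insensitively."""
    return name.rsplit("!", 1)[-1].strip("'\" ").lower()


def scan_macro_list(names):
    """Return {'verdicts': {virus: 'infected'|'suspicious'}, 'unrecognised': [...]}.
    'suspicious' means some distinctive names of a rule are present but not all
    (e.g. a partly cleaned Hot infection); names that are neither benign nor in a
    rule are listed as unrecognised so a human can look at them."""
    present = {normalize(n) for n in names}
    verdicts = {}
    for virus, required in SIGNATURES:
        hit = required & present
        if hit == required:
            verdicts[virus] = "infected"
        elif hit - BENIGN:
            verdicts[virus] = "suspicious"
    known = BENIGN | KNOWN_VIRAL | set().union(*(req for _, req in SIGNATURES))
    return {"verdicts": verdicts, "unrecognised": sorted(present - known)}
```

Because benign names never count on their own, an inoculated NORMAL.DOT containing only PayLoad yields no verdict, and a workbook that shows auto_open without check_files is left alone, which is exactly the caveat in the note above; anything with an unfamiliar name still surfaces as "unrecognised" for a manual look, in the spirit of the "curiously named macros" advice for Nuclear.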
http://www.microsoft.com/excel/productinfo/vbavirus/emvolc.htm
Microsoft learned of a non-destructive macro virus called Sofa that affects Microsoft Excel. Infected files display the application header "Microsofa Excel" instead of "Microsoft Excel." The virus does not harm Excel data in any way. Sofa has only appeared at one customer site, and Microsoft Product Support Services has not received any reports of the virus. Microsoft is studying ways to counter Sofa and other macro viruses and will make information available to users through this web site. If you're using Microsoft Excel 5 or 95, you can install the add-in utility to help detect viruses. Although this utility will not remove the Sofa virus, it will warn users of possible infection from macro viruses. Functionality from the add-in tool is built in to Microsoft Excel 97.
Virus Tool Now Available for Microsoft Excel 97
Microsoft has made a new tool, XLSCAN97, designed to eradicate the Laroux virus from your hard drive, available for download from http://www.microsoft.com/excel/productinfo/vbavirus/add_in.htm. XLSCAN97 finds and eliminates the Laroux virus on a hard drive or network share. NOTE: This version only works with Microsoft Excel 97. A version of the tool that works with Microsoft Excel 5.0 and Microsoft Excel 95 is also available from the Microsoft Excel web site, http://www.microsoft.com/excel/productinfo/vbavirus/add_in.htm
Microsoft Excel 97 users: This tool is currently the only tool available that can detect and eliminate the Laroux virus in Microsoft Excel 97 workbooks. Neither earlier versions of XLSCAN.XLA, nor any commercial anti-virus product (including F-Prot) will work with Microsoft Excel 97. Microsoft will continue to work closely with third party anti-virus vendors to provide them with the information they need to create tools designed to protect against macro viruses in Microsoft Excel.
For additional information on macro viruses or anti-virus software, please visit http://www.ncsa.com/. Microsoft recommends using anti-virus software that is certified by the National Computer Security Association. I personally think this site is great. It gives you info on many, many different software programs, such as anti-virus and firewalls, etc. Also check out the products the NCSA evaluates; many of the sites have demos or free 30-day versions.
ALWAYS SCAN FOR VIRUSES BEFORE RUNNING ANY PROGRAM YOU DOWNLOAD! NO EXCEPTIONS
ICSA 1998 Computer Virus Prevalence Survey
Dr. Solomon's Software, Trend Micro, Inc., Microsoft Corporation, Price Waterhouse, LLP, Panda Software, Computer Associates International, Symantec Corporation, Anyware Software, Network Associates, Inc., Intel
How Common Are Virus Infections?
Infections per Month per 1,000 Computers, Top Viruses, 1996-1998
Sources of Infection, Boot and Macro Viruses, 1997
Percentage of Desktop PCs with No Virus Protection Running
Percent of Servers Running Periodic Scans, Full-time Scans, or Both, 1997-1998
E-mail, proxy servers, and firewalls with virus protection, 1997-1998
ICSA's Fourth Virus Prevalence Survey reveals that the computer virus problem in North America is not going away. In fact, computer viruses are alive and well. This year's survey data represents 581,458 desktop workstations and 12,122 application and file servers. Based on this sampling, virtually all large and midsize North American corporations have experienced computer virus infections (>99%). Of the 300 respondents to the survey, the top five primary lines of business represented are: Government, Healthcare, Manufacturing, Finance/Insurance, and Transportation/Utilities. As last year, the installed base of anti-virus software is up. This year's survey reports 91% of servers and 98% of desktop workstations with some type of protection. Even with this installed base of protection, virus encounters rose. This year's group of respondents averaged slightly over 86.5 virus encounters per 1,000 machines per year over the survey period. This compares to 62.5 encounters per 1,000 machines per year in last year's survey.
Again, the macro family of computer viruses tops the list of the most prevalent. Of the ten most prevalent viruses in 1997, five were macro viruses: WM/Concept, WM/CAP, WM/Wazzu, WM/Npad, and XM/Laroux. This is not surprising given the wide range of replication vectors available to them (e-mail attachments, exchange of documents over a network, exchange of files by diskette, Internet download, as well as software distribution media), their subtlety, and their long latency.
Certain viruses are more likely to occur than others. In addition, certain viruses are "growing" in prevalence (e.g. more copies of them exist, which are infecting more PCs, files and/or diskettes) while others are probably declining in numbers.
Which Viruses are Most Common in 1998?
Virus Bulletin maintains a list of viruses reported to it; the most common virus in the period was WM/Concept, followed by WM/Wazzu and WM/CAP. The most common type of virus is the macro virus, and infection rates for this type are growing most rapidly. The second most common type is the boot virus, and its numbers are also increasing rapidly, with a doubling in infection rate in the period March 1997 to February 1998. In contrast, multipartite and file viruses are showing no growth at all and are relatively rare.
There are several reasons for the rapid growth of macro viruses. Macro viruses can replicate using vectors other than diskette (like e-mail attachments, see below). Users may have learned to scan diskettes, but they are generally not yet checking e-mail attachments.
Macro viruses are subtle and have a long latency; most users who are infected by macro viruses do not experience any change in behavior or degradation of performance of their computer (i.e. they do not notice the virus). Viruses that go unnoticed are more likely to spread, because the computer remains infected and virulent for a longer period, and therefore has more opportunity to infect more hosts.
There are several reasons for the continued growth of boot viruses. Like macro viruses, boot viruses transcend operating systems. A boot virus like Form can infect DOS, Windows 3.x, Windows 95, and Windows NT machines with approximately equal success. As with macro viruses, most boot viruses are relatively subtle, causing little discernible difference in machine performance.
There are also reasons why file and multi-partite viruses seem to be declining in prevalence. File viruses and multi-partite viruses are specific to a particular operating system. For instance, they might expect to find themselves in a DOS machine. When they find themselves outside their intended platform, they sometimes reveal themselves either through unintended damage to files or other means that result in detection. The emergence of "new" operating systems, such as Windows 95 and the decline of older operating systems, such as DOS has hastened the decline of file and multi-partite viruses expecting to find themselves in the world of DOS.
There is a potential problem in these data: a virus that appears to be in decline might actually be increasing in prevalence. If a user is infected with an older virus that is easily dispatched with the product on hand, that user is likely to kill the virus without reporting it to management. If the virus was contained because of the effectiveness of anti-virus products, the likelihood of it being reported to our survey researchers would be minimal. Viruses that cause unpleasant experiences, data loss, massive infection, and/or prove difficult to remove, are most likely to be recorded.
Where Do They Come From?
The means of infection for the most recent virus incident or encounter, 1996-1998
Sources of Infection, 1996-1998
Source | 1996 | 1997 | 1998 |
A diskette, sales demo or similar | 11% | 8.1% | 4.4% |
A diskette, repair/service person | 3% | 3.4% | 3.0% |
A diskette, LAN manager/supervisor | 1% | 2.7% | 0.7% |
A diskette, shrink-wrapped software | 2% | 4.4% | 1.7% |
A diskette, malicious person intentionally planted | 0% | 1.0% | 1.0% |
A diskette, brought from someone’s home | 36% | 42.3% | 36.0% |
A diskette, other | 21% | 26.5% | 20.5% |
On a distribution CD | 0% | 0.7% | 1.7% |
A download from BBS, AOL, CompuServe, Internet | 10% | 16.1% | 9.4% |
Other download (terminal emulation, client server) | 2% | 2.4% | 3.0% |
Via e-mail as an attachment | 9% | 26.2% | 32.3% |
Via an automated software distribution | 0% | 1.7% | 1.3% |
While browsing on the World Wide Web | -- | 5.4% | 2.0% |
Other | 0% | 5.0% | 0.7% |
Don’t know | 15% | 7% | 5.4% |
It is not surprising that diskettes are such a common vector for infection. Many of the most prevalent viruses are boot track viruses and could not travel by any other means. Although diskettes remain the most common source of infection, e-mail is rapidly growing as a significant source of infection. Respondents are becoming more knowledgeable about the infection source, as reflected in the declining proportion of those that did not know where the virus had come from.
Theoretically, all viruses can be transferred by diskette, by e-mail, or by download. Nevertheless, some vectors are more common for some kinds of viruses than for others: macro viruses are most likely to enter an organization via e-mail attachments, whereas boot viruses most often come via diskette.
One of the most costly effects of a virus incident is the disruption caused by the investigation process required to determine the severity of the virus encounter or incident and isolate which PCs were affected. It is not unusual for an entire network to be shut down only to find the virus was isolated to one or two PCs in the group. After the researcher had learned about the name of the virus in the most recent disaster, respondents were asked:
"How many PCs were initially suspected of having the virus?"
"How many PCs were actually found to be infected?"
The same questions were posed for servers suspected of being infected and those actually infected by the most recent virus incident.
PCs and Servers Suspected/Actually Infected During Most Recent Incident, 1996-1998
Machines | '96 Suspected | '96 Actual | '97 Suspected | '97 Actual | '98 Suspected | '98 Actual |
PC | 131 | 135 | 94.6 | 107 | 81.1 | 121.2 |
Server | 1.6 | 5.4 | 7.64 | 1.81 | 5.2 | 5. |
Usage of Anti-Virus Products
Virtually all respondents had one or more different anti-virus products available to them. Of the 269 respondents who answered this question, an average of 3.5% of desktop PCs were believed to have anti-virus software installed but not running. Full-time background scans have increased in popularity, but other methods appear to have declined in popularity.
Protection | 1997 | 1998 |
Users check diskettes and downloads for viruses. | 64% | 46% |
Anti-virus software scans every boot-up | 68% | 63% |
Anti-virus software scans every login | 39% | 32% |
Anti-virus software scans full time in the background | 60% | 70% |
Other periodic anti-virus detection on the desktop | 41% | 19% |
Other full-time anti-virus detection on the desktop | 20% | 10% |
Other (specify) | 5% | 1% |
None | 1% | 1% |
Don’t know | 1% | 1% |
A closer look at desktop protection methods finds that in 1997, only 16% of respondents used only one of the above methods of protection, but that by 1998, this had increased to 30%. In general, the past year has witnessed a consolidation of anti-virus techniques used.
With the advent of macro viruses, careful monitoring of e-mail attachments has become more critical than ever. In the past, any infected file or boot virus dropper could be sent as an e-mail attachment. Double clicking on it in Windows 95 might invoke the program, or invoke an extraction utility such as WinZip. Once executed, the file virus would be able to gain control of the machine. (The boot virus dropper would fail under Windows 95, however, which blocks writes to the boot area while it is running.) However, documents are attached to e-mail far more often than program files, and Word documents are now home to Word macro viruses. While users can still extract documents and manually scan them for macro viruses, e-mail gateways that monitor attachments are becoming a good idea. Of course, they will not be able to see a virus in an attachment that is zipped and password-protected, or that is in an attachment that uses a "non-standard" compression approach. Nonetheless, this approach is gaining acceptance.
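As an added example of the attachment policy such a gateway would apply (not code from the page or from any product), the Python below sniffs each attachment's real format, flags OLE2 compound documents (the .DOC/.XLS binaries that carry the viruses above) for macro scanning, looks one level into ZIP archives, and reports members whose encrypted flag is set as unscannable. The message, the header-only OLE2 stubs and the archives are constructed in the file; the "encrypted" archive only has the flag set, which is all a scanner sees before it needs a password.

```python
"""Attachment policy for an e-mail gateway, in the spirit of the paragraph above.

Added example, not code from the original page or from any product. Each
attachment is classified by its leading bytes rather than its extension:
OLE2 compound documents (the Word 6/7 and Excel 5/7 binary formats that carry
the macro viruses discussed here) are sent for macro scanning, RTF and other
plain formats pass, ZIP archives are opened one level deep, and members whose
"encrypted" flag is set are reported as unscannable, which is the limitation
the text mentions. The message and its attachments are constructed in this
file; the OLE2 "documents" are header stubs, not real files.
"""
import email
import email.policy
import io
import struct
import zipfile
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001     # bit 0 of the general-purpose flag


def sniff(data):
    """Classify a blob by its magic bytes; the filename is deliberately ignored."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"           # .doc/.xls binary: may carry WordBasic/VBA macros
    if data.startswith(b"{\\rtf"):
        return "rtf"            # RTF cannot carry Word 6/7 macros
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def inspect_blob(name, data, depth=0):
    """Return [(name, kind, verdict), ...] for a blob and, for a ZIP, for each
    member. Verdicts: 'scan-macros', 'pass', 'unscannable'."""
    kind = sniff(data)
    if kind == "ole2":
        return [(name, kind, "scan-macros")]
    if kind != "zip":
        return [(name, kind, "pass")]
    if depth >= 1:
        return [(name, kind, "unscannable")]   # nested archive: do not recurse further
    results = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}:{info.filename}"
                if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                    # password-protected member: the gateway cannot look inside it
                    results.append((member, "zip-member", "unscannable"))
                else:
                    results.extend(inspect_blob(member, zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        return [(name, kind, "unscannable")]   # claims to be a ZIP but is not parseable
    return results


def inspect_message(raw):
    """Run the policy over every attachment of an RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results.extend(inspect_blob(name, part.get_payload(decode=True)))
    return results


def _fake_zip(member, data, encrypted=False):
    """Build a one-member stored ZIP. With encrypted=True the 'encrypted' flag is
    set in the local and central headers; the bytes are not really encrypted,
    but that flag is all a scanner sees before it asks for a password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        central = raw.rfind(b"PK\x01\x02")
        for offset in (6, central + 8):     # flag field of local / central header
            (flags,) = struct.unpack_from("<H", raw, offset)
            struct.pack_into("<H", raw, offset, flags | ZIP_FLAG_ENCRYPTED)
    return bytes(raw)


def build_sample_message():
    """Constructed message: an OLE2 stub, an RTF file, a ZIP holding an OLE2
    stub, and a ZIP whose member is flagged encrypted."""
    ole_stub = OLE2_MAGIC + b"\x00" * 504
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q1 report"
    msg.set_content("See attached.")
    msg.add_attachment(ole_stub, maintype="application", subtype="msword", filename="report.doc")
    msg.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application", subtype="rtf", filename="memo.rtf")
    msg.add_attachment(_fake_zip("budget.xls", ole_stub), maintype="application", subtype="zip", filename="budget.zip")
    msg.add_attachment(_fake_zip("secret.doc", ole_stub, encrypted=True), maintype="application", subtype="zip", filename="secret.zip")
    return msg.as_bytes()
```

Running inspect_message over build_sample_message() yields scan-macros for report.doc and for the budget.xls inside budget.zip, pass for the RTF, and unscannable for the flagged member of secret.zip; what the gateway does with "unscannable" (quarantine, strip, or deliver with a warning) is policy, but it must not be silently treated as clean.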
Proxy Servers and Firewalls
Separating the inside of the organization from the outside world is the job of proxy servers and firewalls. Because viruses can pass through network connections, virus detection added to these protection tools is on the increase. Both Proxy Servers and Firewalls more often have anti-virus capability today than a year ago. New macro viruses apparently caused incidents even in sites with full-time protection installed. This can most likely be attributed to one or more of the following:
a) new strains of such viruses
b) some anti-virus vendors may have taken a longer time to implement adequate full-time protection in their products
c) the time frame for vendors to provide updates for products
d) improperly configured full-time protection
e) respondent sites take too long to update their protective software
The following are common terms used in anti-virus software:
Background Scanning: Automatic scanning of files as they are created, opened, closed, or executed. Performed by memory resident anti-virus software. Synonyms: online, automatic, background, resident, active.
Behavior Blocking: A set of procedures that are tuned to detect virus-like behavior, and prevent that behavior (and/or warn the user about it) when it occurs. Some behaviors that should normally be blocked in a machine include formatting tracks, writing to the master boot record or boot record, and writing directly to sectors. Synonyms: "dynamic code analysis", "behavioral analysis."
Boot Record: The program recorded in the Boot Sector. All floppies have a boot record, whether or not the disk is actually bootable. Whenever you start or reset your computer with a disk in the A: drive, DOS reads the boot record from that diskette. If a boot virus has infected the floppy, the computer first reads the virus code in (because the boot virus placed its code in the boot sector), then jumps to whatever sector the virus tells the drive to read, where the virus has stored the original boot record.
Boot Sector: The first logical sector of a drive. On a floppy disk, this is located on side 0 (the top), cylinder 0 (the outside), sector 1 (the first sector.) On a hard disk, it is the first sector of a logical drive, such as C: or D:. This sector contains the Boot Record, which is created by FORMAT (with or without the /S switch.) The sector can also be created by the DOS SYS command. Any drive that has been formatted contains a boot sector.
Boot Sector Infector: Every logical drive, both hard disk and floppy, contains a boot sector. This is true even of disks that are not bootable. This boot sector contains specific information relating to the formatting of the disk, the data stored there and also contains a small program called the boot program (which loads the DOS system files). The boot program displays the familiar "Non-system Disk or Disk Error" message if the DOS system files are not present. It is also the program that gets infected by viruses. You get a boot sector virus by leaving an infected diskette in a drive and rebooting the machine. When the program in the boot sector is read and executed, the virus goes into memory and infects your hard drive. Remember, because every disk has a boot sector, it is possible (and common) to infect a machine from a data disk.
Boot virus: A virus whose code is called during the phase of booting the computer in which the master boot sector and boot sector code is read and executed. Such viruses either place their starting code or a jump to their code in the boot sector of floppies, and either the boot sector or master boot sector of hard disks. Most boot viruses infect by moving the original code of the master boot sector or boot sector to another location, such as slack space, and then placing their own code in the master boot sector or boot sector. Boot viruses which also infect files are sometimes known as multipartite viruses. All boot viruses infect the boot sector of floppy disks; some of them, such as Form, also infect the boot sector of hard disks. Other boot viruses infect the master boot sector of hard disks.
Companion virus: A program that exploits the operating system's program search order, rather than attaching to files or sectors. In DOS, when you run a file named "ABC" without an extension, the rule is that ABC.COM executes before ABC.EXE. A companion virus places its code in a COM file whose base name matches that of an existing EXE. You run "ABC", and the actual sequence is "ABC.COM" (the virus) followed by "ABC.EXE" (the program you meant to run), which the virus launches so that nothing looks wrong.
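The search order that a companion virus relies on, and the check that finds the trace it leaves, as an added example (not code from this page). resolve_dos_command() walks a PATH the way COMMAND.COM does, trying .COM, then .EXE, then .BAT in one directory before moving to the next; find_companions() lists every COM file that shadows an EXE of the same base name. The directory listings are constructed for the example; a COM/EXE pair is an indicator, not proof, since some legitimate programs ship both.

```python
import os
from collections import defaultdict

# DOS tries these extensions, in this order, when a command has no extension.
DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")


def resolve_dos_command(command, path_dirs):
    """Return (directory, filename) DOS would run for `command`, or None.

    path_dirs is a list of (directory, set_of_files) pairs standing in for the
    current directory and the PATH. DOS exhausts all three extensions in one
    directory before moving on, which is the ordering a companion virus abuses.
    """
    command = command.upper()
    for directory, files in path_dirs:
        upper = {f.upper() for f in files}
        for ext in DOS_SEARCH_ORDER:
            if command + ext in upper:
                return directory, command + ext
    return None


def find_companions(path_dirs):
    """Flag COM files that sit beside an EXE with the same base name.

    Returns [(directory, com_name, exe_name)] sorted by base name. A hit means
    the COM will always run instead of the EXE when the user types the bare name.
    """
    suspects = []
    for directory, files in path_dirs:
        stems = defaultdict(set)
        for f in files:
            stem, ext = os.path.splitext(f.upper())
            stems[stem].add(ext)
        for stem, exts in sorted(stems.items()):
            if ".COM" in exts and ".EXE" in exts:
                suspects.append((directory, stem + ".COM", stem + ".EXE"))
    return suspects


# Constructed directory listings, not taken from any real machine.
SAMPLE_PATH = [
    ("C:\\DOS", {"FORMAT.COM", "EDIT.COM", "XCOPY.EXE"}),
    ("C:\\UTIL", {"ABC.EXE", "ABC.COM", "ZIP.EXE"}),
]

if __name__ == "__main__":
    print(resolve_dos_command("abc", SAMPLE_PATH))    # ABC.COM wins over ABC.EXE
    print(find_companions(SAMPLE_PATH))
```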
Encrypted virus: A virus whose code begins with a decryption algorithm, and continues with the scrambled or encrypted code of the remainder of the virus. When several identical files are infected with the same virus, each will share a brief identical decryption algorithm, but beyond that, each copy may appear different. A scan string could be used to search for the decryption algorithm. Cf. Polymorphic.
File virus: Viruses that attach themselves to (or replace) .COM and .EXE files, although in some cases they can infect files with extensions such as .SYS, .DRV, .BIN, .OVL and .OVR. The most common file viruses are resident viruses, going into memory at the time the first copy is run, and taking clandestine control of the computer. Such viruses commonly infect additional programs as you run them. But there are many non-resident viruses too, which simply infect one or more files whenever an infected file is run.
In the Wild virus: A term that indicates that a virus has been found in several organizations somewhere in the world. It contrasts the virus with one which has only been reported by researchers. Despite popular hype, most viruses are "in the wild" and differ only in prevalence. Some are new and therefore extremely rare. Others are old, but do not spread well, and are therefore extremely rare. Joe Wells maintains a list of those he knows of to be "in the wild".
Macro virus: A virus which consists of instructions in WordBasic or some other macro language, and resides in documents. While we do not think of documents as capable of being infected, any application which supports macros that automatically execute is a potential platform for macro viruses. Because documents are now even more widely shared than diskettes (through networks and the Internet), document-based viruses are likely to dominate our future.
Master Boot Record: The 340-byte program located in the Master Boot Sector (the sector reserves the first 446 bytes for this code, followed by the 64-byte partition table and the 2-byte 55AA signature). This program begins the boot process. It reads the partition table, determines what partition will be booted from (normally C:), and transfers control to the program stored in the first sector of that partition, which is the Boot Sector. The Master Boot Record is often called the MBR, and often called the "master boot sector" or "partition table." The master boot record is created when FDISK or FDISK /MBR is run.
Master Boot Sector: The first sector of the hard disk to be read. This sector is located on the top side ("side 0"), outside cylinder ("cylinder 0"), first sector ("sector 1.") The sector contains the Master Boot Record.
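The layout just described, as an added example (not code from this page): a parser that splits a 512-byte master boot sector into its code area, partition table and signature, plus the comparison a practitioner actually wants for the boot viruses defined above. Since a boot virus replaces the code and moves the original elsewhere but normally leaves the partition table and 55AA intact, hashing the code area alone against a baseline taken from a known-clean disk is the useful check; the partition entries can change legitimately. The sample sectors are constructed in the block (a few placeholder bytes stand in for DOS boot code and for a virus's replacement) and are not real disk images.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA = 446            # bytes 0..445: the boot program ("Master Boot Record" above)
PARTITION_TABLE = 446      # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xAA"    # last two bytes of a valid master boot sector


def parse_master_boot_sector(sector):
    """Split a 512-byte master boot sector into code and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PARTITION_TABLE + 16 * i: PARTITION_TABLE + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        boot_flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                       # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": boot_flag == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"code": sector[:CODE_AREA], "partitions": partitions}


def code_fingerprint(sector):
    """Hash only the code area; the partition table may change for legitimate reasons."""
    return hashlib.sha256(sector[:CODE_AREA]).hexdigest()


def check_against_baseline(sector, baseline_fingerprint):
    """True if the boot code still matches the fingerprint taken from a clean disk."""
    return code_fingerprint(sector) == baseline_fingerprint


def build_sample_mbr(code):
    """Constructed sector: given code bytes, one bootable FAT16 partition, 55AA."""
    code = code.ljust(CODE_AREA, b"\x00")[:CODE_AREA]
    table = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 2_097_152)   # assumed: bootable, type 06, starts at LBA 63
    table += bytes(48)                                            # three unused entries
    return code + table + SIGNATURE


def demo():
    clean = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0")              # stand-in for DOS boot code
    baseline = code_fingerprint(clean)
    # Same partition table and signature, different code: what a boot virus leaves behind.
    infected = build_sample_mbr(b"\xEB\x1C\x90" + bytes(20) + b"VIR")
    return {
        "clean_partitions": len(parse_master_boot_sector(clean)["partitions"]),
        "clean_matches": check_against_baseline(clean, baseline),
        "infected_matches": check_against_baseline(infected, baseline),
        "infected_still_parses": parse_master_boot_sector(infected)["partitions"][0]["type"],
    }
```

Note that the infected sector parses perfectly well: the partition table is untouched, which is why looking at FDISK output tells you nothing and the code-area fingerprint does. A stealth boot virus (see the Stealth entry below) will hand you the clean copy when you read the sector while it is resident, so take the baseline and the comparison from a clean boot.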
Master Boot Sector Virus: A virus that infects the master boot sector, such as NYB, spreads through the boot sector of floppy disks. If you boot or attempt to boot your system with an infected floppy disk, NYB loads into memory and then writes itself to the master boot sector on the hard drive. If the disk is not bootable, you see the DOS error message "Non-system disk or disk error..." If the disk is bootable, the system boots to the A: prompt. Either way the system is infected, and there is no indication on the screen that this has happened. Once the hard drive is infected, NYB loads into memory each time the system is booted. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy DOS accesses.
On-Demand Scanning: Scanning that the user (or a scheduler) starts explicitly on chosen drives, directories or files, as opposed to background scanning, which is triggered by file access. Synonyms: offline, manual scanning, foreground, non-resident scanning, scanning.
Polymorphic virus: A polymorphic virus is one which produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus.
Remove: To remove or clean a virus means to eliminate all traces of it, returning the infected item to its original, uninfected state. Nearly all viruses are theoretically removable by reversing the process by which they infected. However, any virus that damages the item it has infected by destroying one or more bytes is not removable, and the item needs to be deleted and restored from backups in order for the system to be restored to its original, uninfected state. There is a gap between theory and practice. In practice, a removable virus is one which the anti-virus product knows how to remove. The term "clean" is sometimes used for remove, and sometimes used to refer to the destruction of viruses by any method. Thus deleting a file which is infected might be considered cleaning the system.
Resident: A property of most common computer viruses and all background scanners and behavior blockers. A resident virus is one which loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. When the trigger event occurs, the virus becomes active, either infecting something or causing some other consequence (such as displaying something on the screen.) All boot viruses are resident viruses, as are the most common file viruses. Macro viruses are non-resident viruses.
Stealth virus: A virus that uses any of a variety of techniques to make itself more difficult to detect. A stealth boot virus will typically intercept attempts to view the sector in which it resides, and instead show the viewing program a copy of the sector as it looked prior to infection. An active stealth file virus will typically not reveal any size increase in infected files when you issue the "DIR" command. Stealth viruses must be "active" or running in order to exhibit their stealth qualities.
Trojan Horse: A program which does something unwanted and unexpected by a user, but intended by the programmer. Trojans do not make copies of themselves, as do viruses, and seem to be more likely to cause damage than viruses.
Worm: Similar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all. Once a worm is executed, it seeks other systems - rather than parts of systems - to infect, then copies its code to them.
Zoo virus: A virus which is rarely reported anywhere in the world, but which exists in the collections of researchers. A zoo virus has some chance of escaping from virus collections and infecting user machines; its prevalence could then increase to the point that it is considered "in the wild."
Back Orifice (BO) - Trojan Horse
What exactly is Back Orifice anyway? Here is a good explanation from Zack Schwenk:
Back Orifice is a Windows 95 and Windows 98 trojan programmed by "The Cult of the Dead Cow". It consists of two parts: the Server and the GUI.
The Server is the actual trojan which will infect the computer. The Server can be installed on the victim's computer fairly easily. This can be done by the user downloading a program from a source that he does not know or trust, or being tricked into downloading and installing it.
The GUI is a very elaborate remote control of sorts. It controls the computer infected with the Server. The user of the GUI can control the infected computer's Registry, Internet connections, files and folders, and much more. Basically everything a person sitting at the computer terminal can do, the remote user with the GUI can do.
Why is Back Orifice dangerous? Back Orifice allows a remote user to have the same access to a computer system as the person sitting directly in front of the terminal. By using this trojan, data can be easily taken to and from an infected computer system. Data can be changed.
Any passwords that are on the system, whether they are "held" by Windows or they are in a file, can be viewed and saved. All of this can be done remotely and without the infected user knowing anything is wrong. Back Orifice is indeed one of the most dangerous trojans out on the Internet at this present time.
Back Orifice is a remote control tool released by the Cult of the Dead Cow (cDc) group. The trojan horse allows an intruder to monitor and tamper with Windows 95 and Windows 98 computers over the Internet.
There are two ways to detect and remove this file: manually (Windows 98 only, because the steps below use its System Information tool) or with a detection program (Windows 95 or Windows 98).
MANUAL DETECTION & ELIMINATION
Note: Make sure that "Show All Files" is checked and "Show Extensions for Known File Types" is enabled. (Click "My Computer", View, Options to set)
#1: Open the Win98 system information tool by clicking:
Start--->Programs--->Accessories--->System Tools--->System Information
#2: Click "tools" and choose System Configuration Utility.
#3: Click on the tab labeled Startup and a window will open. It lists all the programs that Windows starts up when you start up your computer.
#4: Look in the column that lists command lines of start up files and see if there is one that does not have a name in the program name column. If you find the suspicious entry, uncheck the box next to it. This disables the Back Orifice server from starting when you boot up your computer. Click OK to exit the program and allow the prompt to reboot at this time.
#5: OK! Back Orifice will not launch itself anymore, but to ensure it does not get accidentally launched, you need to delete the BO server itself. It is easy to find :) Just go to the C:\windows\system directory and click "size". This will list all of the files in that directory according to size. Scroll until you get to the area of files that are approximately 120k to 126k in size. Look for a file that does not have an icon (usually it will be called " .exe", a blank name followed by .exe, but it could be called just about anything). Chances are it will most likely have a date/time stamp of May 11, 1998. If you see this file, delete it!!! and be sure to empty your recycle bin! Bear in mind that the size, name and date describe the original release; a copy that has been renamed, repacked or re-dated will not match these hints, so follow up with a detection program as well.
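Step #5 as a script, added here as an example (it is not from this page or from any anti-BO tool). It applies the three hints from the procedure, a size of roughly 120k to 126k, a modification date of May 11, 1998 and a blank base name such as " .exe", to every .exe in a directory and reports a file only when at least two of them agree, since any one alone is noisy. The directory it scans in demo() is a throwaway one populated with constructed filler files, not C:\windows\system; point scan_system_dir() at the real directory to use it. The startup entry from steps #1 to #4 lives in the registry and is not covered here.

```python
import os
import tempfile
from datetime import date, datetime

# Hints taken from the manual procedure above. They describe the original
# release of the server, not every copy, so each is treated as a weak indicator.
SIZE_RANGE = (120 * 1024, 126 * 1024)     # "approximately 120k to 126k"
RELEASE_DATE = date(1998, 5, 11)
MIN_INDICATORS = 2                        # assumed threshold: one hint alone is too noisy


def suspicious_name(filename):
    """The default server name ' .exe' has a blank base name."""
    stem, _ = os.path.splitext(filename)
    return stem.strip() == ""


def scan_system_dir(directory):
    """Return [(filename, [reasons])] for .exe files matching the BO server hints."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.lower().endswith(".exe"):
            continue
        st = os.stat(path)
        reasons = []
        if SIZE_RANGE[0] <= st.st_size <= SIZE_RANGE[1]:
            reasons.append("size in 120k-126k range")
        if date.fromtimestamp(st.st_mtime) == RELEASE_DATE:
            reasons.append("dated 1998-05-11")
        if suspicious_name(name):
            reasons.append("blank base name")
        if len(reasons) >= MIN_INDICATORS:
            hits.append((name, reasons))
    return hits


def demo():
    """Scan a throwaway directory holding one look-alike and two benign files."""
    stamp = datetime(1998, 5, 11, 13, 0).timestamp()
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed filler files: the sizes matter, the contents are zeros.
        samples = {" .exe": 123_000, "notepad.exe": 52_000, "ddeml.exe": 124_000}
        for name, size in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(bytes(size))
        os.utime(os.path.join(tmp, " .exe"), (stamp, stamp))   # back-date the look-alike
        return scan_system_dir(tmp)


if __name__ == "__main__":
    for name, reasons in demo():
        print(repr(name), ", ".join(reasons))
```

In demo() the benign ddeml.exe falls inside the size range but has today's date and a normal name, so it is not reported; the look-alike matches all three hints. That is the reason for the threshold: on a real system directory plenty of files happen to be 120k to 126k.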
A program called "BoSniffer.zip" is circulating; its author claims it will "block key points in the registry from BO as well as search for existing installs of the backdoor."
Close examination has revealed that this is actually a BO server with the "SpeakEasy" plugin installed. If you run "BoSniffer.exe", the BoSniffer executable (read: BO Server Trojan w/ SpeakEasy) will "attempt to log into a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes."
This program, "BoSniffer.zip", is currently being widely distributed as a "cure for Back Orifice infections". It is probably being distributed with other software packages and with other names too. Listed below are relevant details about this program.
File Sizes (in bytes)
-----------------------
231068 BoSniffer.exe
108573 BoSniffer.zip
MD5 fingerprints and strings (checksums)
------------------------------------------
MD5 (BoSniffer.zip) = 2d75c4ac54b675778ff22f76f9a6a77f
MD5 (BoSniffer.exe) = 63748087b2e1598fcf34498b0295212e
Evidence that BoSniffer.zip is really BO Server with SpeakEasy Plugin
(strings found in BoSniffer.exe, with their file offsets in hex):
---------------------------------------------------------------------
0x028C38: irc.lightning.net:7000:Hey MASTER where are u!!!
0x0303F0 - 0x0306D8
0x031848: SpeakEasy.dll
0x0318A8 - 0x031980: #BO_OWNED with IRC commands:
    Own Me @ .NOTICE .JOIN #BO_OWNED host server :Owned USERNICK BO
    .QUIT Psssst...Speakeasy was told to shut down
    .NOTICE #BO_OWNED :Psssst...Speakeasy just started up
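How the details above get used, as an added example (not code from this page or from the original advisory). verdict() first compares the file's MD5 with a digest published for a known-bad file, which is conclusive on an exact match, and otherwise looks for the indicator strings listed above, which still catch a copy that has been renamed or lightly altered. find_indicators() also reports the offset of each string, which is how the listing above was produced. The sample is constructed filler with two of the strings planted at chosen offsets; it is not BoSniffer.exe, so its hash will not match the published one. MD5 serves here purely as a file identifier, as it did in 1998; it is no longer collision-resistant, so do not rely on it to prove two files are the same against an adversary.

```python
import hashlib

# Strings reported in the BoSniffer write-up above, used as indicators.
INDICATORS = [
    b"irc.lightning.net:7000",
    b"#BO_OWNED",
    b"SpeakEasy.dll",
    b"Speakeasy just started up",
]

# Digest published above for the trojanised BoSniffer.exe.
BOSNIFFER_EXE_MD5 = "63748087b2e1598fcf34498b0295212e"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def find_indicators(data, indicators=INDICATORS):
    """Return {indicator: [offsets]} for every indicator string present in data."""
    found = {}
    for ind in indicators:
        offsets, pos = [], data.find(ind)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(ind, pos + 1)
        if offsets:
            found[ind.decode()] = offsets
    return found


def verdict(data, expected_md5=BOSNIFFER_EXE_MD5, min_hits=2):
    """Return (verdict text, md5 of data).

    An exact hash match identifies the known-bad file outright; otherwise the
    count of indicator strings decides (min_hits is an assumed threshold).
    """
    digest = md5_hex(data)
    if expected_md5 and digest == expected_md5.lower():
        return "known-bad (hash match)", digest
    hits = find_indicators(data)
    if len(hits) >= min_hits:
        return "suspicious (%d indicator strings)" % len(hits), digest
    return "no indicators", digest


# Constructed sample: zero filler with two of the strings planted at fixed
# offsets. This is not BoSniffer.exe and its MD5 will not match the one above.
_sample = bytearray(0x1000)
_sample[0x200:0x200 + len(INDICATORS[0])] = INDICATORS[0]
_sample[0x800:0x800 + len(INDICATORS[2])] = INDICATORS[2]
SAMPLE = bytes(_sample)

if __name__ == "__main__":
    for name, offsets in find_indicators(SAMPLE).items():
        print("%s at %s" % (name, ", ".join("0x%06X" % o for o in offsets)))
    print(verdict(SAMPLE))
```

The same two-step idea is what an on-demand scanner does with a scan string (see the Encrypted virus entry above): the hash pins down one exact file, the strings survive repackaging under another name, which is exactly what the advisory warns BoSniffer is being distributed as.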
I hope this information has helped you understand viruses a little better. Please check out the link page below for programs you can download to help you in staying protected. Stay Safe!