Computer Virus Attacks
Should Be Planned For
by Lloyd Borrett
Technical Cornucopia, December 1990
In the last eighteen months many horror stories and dire
warnings have been published about the risk of damage from
potentially serious computer viruses. In particular the
"Friday the 13th", "Stoned", "Invader" and "AIDS" viruses
have been widely discussed.
"Computer virus" is a term often used to describe any
self-replicating software that can, under certain
circumstances, destroy information in computers or disrupt
networks. Other examples of malicious software are "Trojan
horses" and "network worms." Viruses can spread quickly and
can cause extensive damage. They pose a larger risk for
personal computers, which tend to have fewer protection
features and are often used by non-technically-oriented
people.
The virus problem is real
The fact is that virus attacks are now a very real
problem in the computer world. The incidence of such attacks
is much higher than has been reported in the press, as few
companies are likely to want it publicly known that they
became a victim! We have seen many of the more common
viruses for ourselves on customers' systems.
As of the end of November 1990, we know of at least 144
separate virus strains and 223 virus sub-strains (varieties)
for IBM PC and compatible computer systems! These 144
viruses include the 10 most common viruses which account for
over 95% of all reported PC infections.
Virus characteristics and typical damage
Most of the known computer viruses infect the host
computer in more than one way and typically three or four
ways. The characteristics of the infections are:
- Infect fixed disk partition table
- Infect fixed disk boot sector
- Infect floppy diskette boot sector
- Infect overlay files
- Infect EXE files
- Infect COM files
- Infect the command shell COMMAND.COM
- Virus remains resident
- Virus uses self-encryption
The damage done to the host system by a virus varies, but
usually has at least one of the following characteristics:
- Corrupts or overwrites the boot sector
- Affects system run-time operation
- Corrupts program or overlay files
- Corrupts data files
- Formats or erases all/part of disk
- Directly or indirectly corrupts file linkages
Reduce your risks
Only foolish people would ignore the warnings and fail to
prepare a plan of action to increase the level of protection
against viruses on their computer systems. Routinely using
good computing practices can reduce the likelihood of
contracting and spreading any virus and can minimize its
effects if one does strike. Advice from the experts
includes:
- Make frequent backups of your data, and keep several
versions.
- Use only software obtained from reputable and
reliable sources. Be very cautious of software from
public sources, such as bulletin boards, or software
sent across personal computer networks.
- Don't let others use your computer without your
consent.
- Use care when exchanging software between computers
at work or between your home computer and your office
computer.
- Back up new software immediately after installation
and use the backup copy whenever you need to restore.
Retain original distribution diskettes in a safe
location.
- Learn about your computer and the software you use
and be able to distinguish between normal and abnormal
system activity.
- If you suspect your system contains a virus, stop
using it and get assistance from a knowledgeable
individual.
In general, educating users is one of the best, most
cost-effective steps to take. Users should know about
malicious software in general and the risks that it poses,
how to use technical controls, monitor their systems and
software for abnormal activity, and what to do to contain a
problem or recover from an attack. An educated user is the
best defence most organizations have.
Help is available
A number of commercial organisations sell software or
services that may help detect or remove some types of
viruses. Unfortunately many of these programs offer little
real protection and most can only handle a limited subset of
the known viruses.
Typically, the anti-virus programs available come in
three parts. The first part tries to prevent a virus getting
on to your hard disks and floppy disks. The second part
attempts to detect viruses already on the system. The final
part helps you recover from an attack by a known virus.
But there are many types of viruses, and new ones are
appearing all the time. Thus it is very hard for any product
to guarantee to be able to identify all viruses. It is also
very easy for the creator of a virus to program around the
known limitations of the anti-virus programs.
Fortunately, a few of the anti-virus programs are
continually updated (e.g. every few weeks) and these updates
are included for a specified period as a part of the
purchase. Beware of any anti-virus program that does not
offer such a facility, for it will quickly become outdated.
And remember: the worst thing you could do is to ignore
the problem and simply pretend that computer viruses don't
exist!
Last modified: 6:59 am Thursday 25 September 2025