Analysis: Understanding viruses


January 30, 2001
Web posted at: 4:56 p.m. EST (2156 GMT)

(IDG) -- Everyone knows what a virus is. It doesn't take too many encounters with the likes of "Melissa" and "I Love You" to forge an indelible memory. However, most people don't really know the nature of a virus. Everyone has heard of the type of problems that can befall their systems, but they can't clearly differentiate a virus from a worm, or explain why a virus works.

Not every attack against computers is a virus, but because of the frequency at which viruses appear, many users have begun to assume that every problem they have is virus-related. A virus is a program that copies itself into other programs -- similar to the way biological viruses invade the host's cells -- and becomes active when a program is run (e.g., clicked on). From there, a virus infects other files.


What exactly is a virus, and how is it different from other forms of attack? Do viruses preferentially or exclusively attack Windows systems? Can they be subverted and used for altruistic purposes?

One reason for the confusion is that experts don't necessarily define a virus in precisely the same way. Some experts, like Bruce Schneier and Elizabeth Zwicky, claim a virus consists of two parts: a propagation mechanism and a payload. Others describe a virus as just the transport mechanism. In any case, when a virus infects a system, there are generally two components at work: one that handles the replication and one that does the damage.

Some authors further distinguish between propagation (local replication) and migration (getting from one system to another). Clearly, there's plenty of reason for the average man on the street (or in the next cubicle) to be confused. Consider the Melissa virus, which struck in March 1999 and was one of the first viruses to receive popular attention. Described as a virus, Melissa was said by some to be both a virus and a worm. The worm component allowed Melissa to move from system to system; the virus part managed the replication on the local system. If we consider a virus to be the transport mechanism only, we will likely see payloads that we would identify as time and logic bombs, buffer overflow exploits, and Trojan horses.

Important definitions concerning viruses include:

  • Propagation/migration: how a virus replicates locally and over a network
  • Payload: mechanism through which a virus causes damage or has an effect
  • Signature: pattern with which a virus is detected by antiviral software
  • Detection avoidance: method by which a virus attempts to hide itself
  • Trigger: action through which a virus comes to life

Propagation and migration often involve reading data files and sensing the environment. Many recent viruses have read the user's address book in order to send the virus to other systems. Others have infected applications in such a manner that files created with that application were infected; those files then carried the infection to other systems. Some viruses infected floppy disks so that systems were infected when the disks were read.

Payloads can be anything from innocuous banners to severe filesystem damage. A virus isn't necessarily harmful -- in fact, many early viruses were harmless pranks. On the other hand, some viruses have caused so much damage that a simple reinstallation of the operating system was insufficient to repair them.

Viral signatures are the patterns used to identify a virus within a file. In order for a virus to be detected, it must be identified and its signature established and distributed. Frequent updates of the data files associated with antiviral software can protect users from known viruses. Unfortunately, there's a significant difference between the time a virus is first released and the time a pattern allowing its detection is available. What is needed, but is extremely difficult to develop, is a way to recognize the character of a virus and differentiate it from normal system activity.

Many viruses attempt to hide themselves. They may insert themselves into unused space within a binary so as not to change the size or other characteristics of those files (though they would affect a checksum). Others simply store themselves in obscure files and locations.
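The two preceding paragraphs make a point worth seeing in code: a file modified in place keeps its size, so a size check misses it, and a signature scan only catches patterns already in the antiviral data files, while a checksum recorded when the file was clean notices any change at all. The following is an added example, not code from the original article. It builds a small constructed byte buffer standing in for a binary with a zero-filled padding region, rewrites that padding, and runs three defender-side checks over the result. The image layout, the signature name "Demo.Padder" and its bytes, and the "NEW-VARIANT" marker are all invented for the example.

```python
import hashlib

# Constructed sample image: a two-byte header, 60 bytes of "code" (NOPs), and a
# 64-byte zero-filled padding region standing in for unused space in a binary.
PADDING = b"\x00" * 64
ORIGINAL_IMAGE = b"MZ" + b"\x90" * 60 + PADDING

# Constructed signature table: the byte pattern an antiviral data file would
# carry for a known virus. Both the name and the bytes are invented here.
KNOWN_SIGNATURES = {
    "Demo.Padder": b"DEMO-PADDER",
}


def overwrite_padding(image: bytes, content: bytes) -> bytes:
    """Place content into the zero-filled padding so the file size is unchanged.

    This only rewrites bytes in the constructed buffer; it models the
    "hide in unused space" behaviour the article describes so the checks
    below have something realistic to look at.
    """
    if len(content) > len(PADDING):
        raise ValueError("content does not fit in padding")
    start = image.index(PADDING)
    patched = content + b"\x00" * (len(PADDING) - len(content))
    return image[:start] + patched + image[start + len(PADDING):]


def size_changed(original: bytes, candidate: bytes) -> bool:
    """Weak integrity check: compares file size only."""
    return len(original) != len(candidate)


def checksum_changed(original: bytes, candidate: bytes) -> bool:
    """Stronger integrity check: SHA-256 of the whole file against a baseline
    recorded while the file was known to be clean."""
    return hashlib.sha256(original).digest() != hashlib.sha256(candidate).digest()


def signature_scan(candidate: bytes) -> list:
    """Return the names of every known signature found anywhere in the file."""
    return [name for name, pattern in KNOWN_SIGNATURES.items() if pattern in candidate]


def assess(original: bytes, candidate: bytes) -> dict:
    """Run all three checks and report which of them notice a modification."""
    return {
        "size_changed": size_changed(original, candidate),
        "checksum_changed": checksum_changed(original, candidate),
        "signature_hits": signature_scan(candidate),
    }


if __name__ == "__main__":
    # A modification whose pattern is already in the signature table...
    known = overwrite_padding(ORIGINAL_IMAGE, b"DEMO-PADDER")
    # ...and one whose pattern has not yet been distributed.
    unknown = overwrite_padding(ORIGINAL_IMAGE, b"NEW-VARIANT")
    print("known variant  :", assess(ORIGINAL_IMAGE, known))
    print("unknown variant:", assess(ORIGINAL_IMAGE, unknown))
```

Running it shows the asymmetry the article describes: the size check is blind in both cases, the signature scan reports only the variant whose pattern it already knows, and the checksum flags both. That is why integrity baselines complement signature updates rather than replace them; the checksum tells you something changed, and the signature tells you what.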

A virus can be triggered in a number of ways. Clearly, no CPU or operating system is going to grab an infected file and execute it on its own. Even a time bomb needs some action to make it run. Many viruses are triggered when an unsuspecting user clicks on an attachment (often Visual Basic), thinking it's something nice from a friend or colleague. Because viruses often read people's address books, they will appear to be from known individuals. Others are invoked when a system boots (e.g., a boot sector virus) or an infected floppy is read. Time and logic bombs are kicked off when some event occurs (e.g., using an infected application) and the particular conditions are met. A time bomb might be set to go off if you use Microsoft Word on St. Patrick's Day. A logic bomb might go off if the date and time (e.g., 3/18 and 3:18) align.

Though most viruses preferentially attack Windows systems, other operating systems are not immune. Windows systems are most often targeted because they're so plentiful. More hackers are Windows users, and more people are affected by Windows viruses. Furthermore, other forms of attack have been favored on particular platforms -- like Unix -- and there have been Unix viruses. Supervisor mode, levels of security (e.g., B1 and C2), and file permissions are not mandatory for viruses to operate, and therefore aren't sufficient to prevent them. Experts like Tom Duff have stated that preventing viruses on any operating system that separates programs and data files, and also allows updates, is simply not possible. There's no way to make a system that is both immune and useful.

As users, then, we can only detect viruses as best we can, update our virus detection files religiously, armor systems as much as possible, be extremely cautious of email attachments, and always be on the alert.

The most worrisome thing about viruses is that since they first appeared, they've become increasingly sophisticated and damaging. Early viruses did little more than pop up harmless banners; recent viruses randomize the contents of system files, and can damage a system to the point that it must be taken back to the shop before it can be reinstalled. For a while, it seemed that being wary of attachments might be sufficient. That notion was quickly dispelled.

Most of us are more than ready for a corresponding jump in the sophistication of antiviral software. But as with many things in life, breaking something is much simpler than fixing it. Making a thing unbreakable is harder still. As my late father-in-law used to say, "Any silly soul can poke a hole." It takes a true master to prevent holes from occurring.
