Introduction
The world of computers and Information Technology is going through an era of electronic terrorism, in the form of the computer virus. It is a problem so potentially dangerous that it threatens the proper functioning of computer systems in today's information age.
In this article, we discuss the evolution of the virus, the menace caused by viruses, the process of infection, the classification of viruses, the types of viruses, and the prevention of and cure for them.
The Evolution of Virus
The concept of the virus dates back to 1949, when John Von Neumann submitted a paper putting forward the concept of a "Self Replicating" program; the idea seemed impossible and was dropped. Subsequently, the first virus-like program appeared in the form of a recreational game called "CODE-WARS" at the Bell Labs of American Telephone and Telegraph Company.
In "Code-wars" two players were to code a set of programs that would destroy the other player's programs. Realizing the potential danger of such programs, the authors did not reveal their presence. Concurrently, at Massachusetts Institute of Technology, students were carrying out experiments with computers which nobody had ever tried. Their relatively harmless hobby of messing about with programs gave rise to the idea and concept of computer viruses.
The first commercial application of viruses was in 1985, when two Pakistani brothers, in order to keep track of software piracy, used the Brain Virus (also known as the Pakistani virus) on the low-cost software sold from their outlet in Lahore. Hidden in nearly every disk they sold was an extra program not supplied by the original manufacturer: a snippet of computer code, self-replicating in nature, that would infect an unauthorized user's computer by disrupting his operations. These self-replicating programs multiplied so fast that, today, they are a threat to the smooth operation of a computer.
Ensuring data security on PCs and LANs is a major problem. Unless organizations create security awareness in their work force, any measures for data security are not likely to prove successful. In this article, the major approaches to cryptography have been illustrated. These range from the Caesar Cipher to RSA-129.
The Menace
The virus, whether biological or electronic, is an information disorder. Biological viruses are tiny genetic codes (DNA or RNA) that take over the machinery of a living cell and are capable of making thousands of replicas of the original virus. Like its biological counterpart, the computer virus carries in it an instructional code that makes copies of itself.
Lodged in a host computer, the typical virus takes temporary control of the computer's disk operating system. When the infected system comes in contact with an uninfected computer, the virus passes onto the uninfected machine and thus spreads like a forest fire, infecting machine after machine with which it comes in contact.
Computer viruses are computer programs, which are collections of coded instructions. The basic difference between a normal program and a virus is that viruses are self-replicating: they have the capability of executing themselves without being asked to. "Computer virus" is a very broad term in itself and includes not only viruses but also Worms and Trojans.
Trojans are similar to viruses. They move around as valid programs, sometimes getting executed with flashy opening screens describing them as a "Word Processor" or a "Database Package". Trojans are programs that claim to do one thing but do something completely different and in the process damage information stored on a computer system. Trojans do not infect other software.
Worms travel longer distances by storing themselves in crittas of the disc from where they get loaded, and they carry with them sufficient code to transfer themselves outward from the system they infect. Worms have been known to damage and infect entire LANs.
Apart from self-replication, another devastation caused by viruses is data loss. A virus can also take steps to avoid its detection. That makes viruses even more dangerous, because you may come to know about the infection only after it has struck. Even though each virus is developed with a specific characteristic, most of them result in data loss.
Most viruses are designed to perform simple feats, but in order to do so, they:
• Corrupt the most sensitive area of the disk: the File Allocation Table (FAT) or the directory area.
• Modify the interrupt organization of the system, meaning that when a read or write to the screen takes place, it is routed through the virus code in memory, resulting in unresolvable interrupt clashes when a program opens a file for simultaneous read-write access and the virus interrupts every operation.
• Even though the virus may have no instructions built into it to destroy data, it can nevertheless render a disk full of files absolutely useless.
The Process of Infection
To understand how a virus infects a system, we go back to the elementary working of a computer. On booting, the system carries out the ROM instructions, the first being the Power On Self Test (POST), which is followed by the bootstrap process of reading the boot record and loading the disk operating system. In MS-DOS, this involves the loading of IBMDOS.COM, IBMBIO.COM and COMMAND.COM along with some optional files like CONFIG.SYS and AUTOEXEC.BAT. The booting process culminates in the system prompt displayed on the VDU.
The infection may begin as soon as a computer system boots from a contaminated disk or executes an infected program. Whatever viruses are present are activated and immediately begin to spread throughout the system.
Another important aspect that needs mention here is the interrupt mechanism. All input/output activities on a PC are carried out by interrupts. The interrupt mechanism in itself is very complex; we will try to understand it with an example. Let us say a user wishes to save his program and presses the required keys on the keyboard. This is treated as an interrupt. The main memory has specific routines to handle these user requests. One such set of routines exists in the ROM-BIOS and another is in the DOS program in memory, loaded from IBMBIO.COM. The routines that service interrupt requests are termed Interrupt Service Routines (ISRs) and are located in memory at their own addresses. An interrupt request supplies a number and not the routine address; thus there exists a table in DOS of interrupt numbers and the corresponding routine addresses. When an interrupt request is made, the CPU looks up the table, performs the required routine and transfers control back to the program.
The contents of the ISR address table, being in RAM, are vulnerable to modification by user programs, and that is what a virus does: it modifies the ISR addresses.
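The table described above is the real-mode interrupt vector table: 256 far pointers at physical address 0000:0000. The C program below is an added example, not code from the original article. It models that table as an in-memory array and shows the defensive check that follows from the paragraph's point: snapshot the vectors right after a known-clean boot and report any that later differ. The handler addresses used (F000:FF53 as a placeholder ROM stub, F000:EC59 for INT 13h, 0070:0100 for INT 21h, and the 9F00 segment in the demo change) are constructed values, not read from a machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_ENTRIES 256

/* A real-mode interrupt vector: a far pointer stored as offset then segment,
 * 4 bytes per entry, 256 entries starting at physical address 0000:0000.
 * This example keeps the table in an ordinary array rather than reading it. */
typedef struct { uint16_t offset; uint16_t segment; } far_ptr;

/* Constructed clean table (not read from a real machine). Every vector points
 * at a placeholder ROM stub; INT 13h (BIOS disk services) and INT 21h (DOS
 * services) get distinct, assumed addresses so the demo has something to watch. */
void ivt_build_clean(far_ptr *ivt) {
    for (int i = 0; i < IVT_ENTRIES; i++) { ivt[i].segment = 0xF000; ivt[i].offset = 0xFF53; }
    ivt[0x13].segment = 0xF000; ivt[0x13].offset = 0xEC59;
    ivt[0x21].segment = 0x0070; ivt[0x21].offset = 0x0100;
}

/* Take the baseline copy after a clean boot (e.g. from a write-protected system disk). */
void ivt_snapshot(const far_ptr *ivt, far_ptr *baseline) {
    memcpy(baseline, ivt, sizeof(far_ptr) * IVT_ENTRIES);
}

/* Compare the live table with the baseline. Returns how many vectors differ and
 * writes up to `max` of their interrupt numbers into `changed`, lowest first. */
int ivt_diff(const far_ptr *baseline, const far_ptr *current, int *changed, int max) {
    int n = 0;
    for (int i = 0; i < IVT_ENTRIES; i++) {
        if (baseline[i].offset != current[i].offset ||
            baseline[i].segment != current[i].segment) {
            if (n < max) changed[n] = i;
            n++;
        }
    }
    return n;
}

/* Demo: take a baseline, apply a constructed change to two vectors, and report
 * what an integrity monitor would see. Returns the count of changed vectors;
 * if `first` is non-NULL it receives the lowest changed interrupt number. */
int ivt_demo(int *first) {
    far_ptr live[IVT_ENTRIES], baseline[IVT_ENTRIES];
    int changed[8];
    ivt_build_clean(live);
    ivt_snapshot(live, baseline);
    /* Constructed change: both vectors now point into the top of conventional memory. */
    live[0x13].segment = 0x9F00; live[0x13].offset = 0x0010;
    live[0x21].segment = 0x9F00; live[0x21].offset = 0x0040;
    int n = ivt_diff(baseline, live, changed, 8);
    for (int i = 0; i < n; i++)
        printf("INT %02Xh vector changed: %04X:%04X -> %04X:%04X\n", changed[i],
               baseline[changed[i]].segment, baseline[changed[i]].offset,
               live[changed[i]].segment, live[changed[i]].offset);
    if (first) *first = n ? changed[0] : -1;
    return n;
}

int ivt_demo_first(void) { int first; ivt_demo(&first); return first; }

int main(void) { return ivt_demo(NULL) == 2 ? 0 : 1; }
```

On a real DOS machine the baseline would be taken from a boot off a write-protected floppy and the comparison repeated periodically; the weakness of any such check is that it runs after DOS is up, so a boot infector that gained control first could, as the article notes later, already be resident.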
Classification of Viruses
Viruses are classified on the basis of their mode of existence, and there are three categories of viruses:
1. BOOT Infectors
2. SYSTEM Infectors
3. GENERAL EXECUTABLE PROGRAM (.COM or .EXE) Infectors
BOOT Infectors
As the name suggests, they are characterized by the fact that they physically reside in the boot sector, sector 0 (zero), of the disk. A system infected by such a virus will have the virus residing in a particular area of the disk rather than in a program file. These viruses get loaded soon after the Power On Self Test, take control of the system and remain in control at all times. They sometimes have the capability to trap a soft boot (i.e. CTRL ALT DEL) and remain in control even if the system is booted from a non-infected floppy, thereby contaminating the clean floppy.
Boot infectors displace the information originally residing at the location which they occupy. While writing onto the boot sector, the virus ensures that the boot record is not deleted. Once the virus is loaded, it automatically transfers control to the area where the boot record is available. The reason for doing this is that the boot record contains the instructions to read IBMBIO.COM and IBMDOS.COM; if these files are not readable, access to the disk is not possible, and so the virus becomes ineffective.
Boot infectors typically create "Bad sectors". Boot infectors are the type which, once loaded, stay in memory until the system is shut off, and on the disk until it is reformatted.
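A defender's counterpart to the description above is to validate the boot record itself. The C code below is an added example, not from the article: it builds a constructed 1.44 MB floppy boot sector, then checks the 55 AA signature at bytes 510-511, the entry JMP in byte 0, the internal consistency of the BIOS Parameter Block, and a checksum against a copy saved from a known-clean disk. Field offsets follow the standard DOS boot-sector layout; the two changes applied in demo_bs_tampered() are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR 512

/* Problem bits returned by bootsector_check(). */
#define BS_NO_SIGNATURE 1   /* bytes 510-511 are not 55 AA */
#define BS_NO_JUMP      2   /* byte 0 is neither a short (EB) nor a near (E9) JMP */
#define BS_BAD_BPB      4   /* BIOS Parameter Block values are inconsistent */
#define BS_SUM_CHANGED  8   /* differs from the checksum of the saved clean copy */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* FNV-1a over the whole sector; adequate for a change detector. */
uint32_t sector_checksum(const uint8_t *s) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < SECTOR; i++) { h ^= s[i]; h *= 16777619u; }
    return h;
}

/* Sanity rules for a FAT12/FAT16 BPB; offsets follow the standard DOS layout. */
int bpb_sane(const uint8_t *s) {
    uint16_t bps = le16(s + 11), reserved = le16(s + 14);
    uint16_t total16 = le16(s + 19), spf = le16(s + 22);
    uint8_t spc = s[13], fats = s[16], media = s[21];
    if (bps != 512 && bps != 1024 && bps != 2048 && bps != 4096) return 0;
    if (spc == 0 || (spc & (spc - 1)) != 0) return 0;   /* must be a power of two */
    if (reserved == 0 || fats == 0 || fats > 2) return 0;
    if (total16 == 0 || spf == 0) return 0;              /* 16-bit counts: floppy/small disk */
    if (media != 0xF0 && media < 0xF8) return 0;         /* valid media descriptor bytes */
    return 1;
}

int bootsector_check(const uint8_t *s, uint32_t clean_sum) {
    int flags = 0;
    if (s[510] != 0x55 || s[511] != 0xAA) flags |= BS_NO_SIGNATURE;
    if (s[0] != 0xEB && s[0] != 0xE9) flags |= BS_NO_JUMP;
    if (!bpb_sane(s)) flags |= BS_BAD_BPB;
    if (sector_checksum(s) != clean_sum) flags |= BS_SUM_CHANGED;
    return flags;
}

/* Constructed 1.44 MB floppy boot sector (only the fields the checks read are set). */
void make_sample_bootsector(uint8_t *s) {
    memset(s, 0, SECTOR);
    s[0] = 0xEB; s[1] = 0x3C; s[2] = 0x90;          /* JMP short +3Ch ; NOP */
    memcpy(s + 3, "MSDOS5.0", 8);                   /* OEM name */
    s[11] = 0x00; s[12] = 0x02;                     /* 512 bytes per sector */
    s[13] = 1;                                      /* sectors per cluster */
    s[14] = 1; s[15] = 0;                           /* reserved sectors */
    s[16] = 2;                                      /* FAT copies */
    s[17] = 0xE0; s[18] = 0x00;                     /* 224 root directory entries */
    s[19] = 0x40; s[20] = 0x0B;                     /* 2880 total sectors */
    s[21] = 0xF0;                                   /* media descriptor: 1.44 MB floppy */
    s[22] = 9; s[23] = 0;                           /* sectors per FAT */
    s[24] = 18; s[25] = 0; s[26] = 2; s[27] = 0;    /* sectors per track, heads */
    s[510] = 0x55; s[511] = 0xAA;                   /* boot signature */
}

/* Clean sector checked against its own checksum: nothing to report (0). */
int demo_bs_clean(void) {
    uint8_t s[SECTOR];
    make_sample_bootsector(s);
    return bootsector_check(s, sector_checksum(s));
}

/* Constructed tamper: the entry jump displacement differs and the media byte is
 * invalid, while the saved checksum is still the clean one. Expect
 * BS_BAD_BPB | BS_SUM_CHANGED (12). */
int demo_bs_tampered(void) {
    uint8_t s[SECTOR];
    make_sample_bootsector(s);
    uint32_t clean = sector_checksum(s);
    s[1] = 0x7E;
    s[21] = 0x00;
    return bootsector_check(s, clean);
}
```

The checksum comparison is the check that matters: a relocated boot record can keep a valid signature and a plausible BPB, so structural checks alone only catch clumsy damage, and the clean copy must be stored on write-protected media.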
SYSTEM Infectors
This second category of viruses deals with the components of the system itself. All machines without exception require an operating system in order to create an environment in which the operator works. In MS-DOS, COMMAND.COM contains all the internal commands. If no such command file exists, commands such as COPY, DIR etc. are not loaded into memory when the machine is booted. System Infectors attach themselves to a file such as COMMAND.COM or other memory-resident files and manipulate these files.
System infectors differ from Boot infectors in the sense that system infectors gain control after the computer is booted, and infect only the hard disk or bootable floppies which contain the appropriate system files. They have another peculiarity: they may activate after a given period of time, or may instantly begin subtle modifications of system error messages or information messages.
GENERAL .COM or .EXE Infectors
From the infection point of view, these viruses are the most dangerous and devastating of the three classes of viruses. They attach themselves to program files and can spread to almost any executable program in any system. These viruses change the original program instructions into a "jump" to their own code and follow that code with a return to the original program. As a result, whenever the program is executed, the virus gets loaded and executed first and then allows the original program to proceed. It remains memory resident and infects each and every program that is loaded for execution.
By attaching themselves to .EXE or .COM files, they alter the file size, and sometimes multiple infections render program files too large to be accommodated in memory.
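Because the article notes that these infectors change the program entry into a jump and alter the file size, the obvious defensive controls are a size-and-checksum baseline for every executable plus a heuristic on the entry point of .COM files. The C code below is an added example and not the article's own: check_com_image() compares an image against a recorded baseline and flags an entry JMP whose target lies in the last quarter of the file, an assumed threshold. Both sample images are constructed; the "tail jump" sample is a near JMP followed by NOP filler, a layout only, with no functional code behind the jump.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result bits from check_com_image(). */
#define COM_SIZE_CHANGED   1   /* size differs from the recorded baseline */
#define COM_SUM_CHANGED    2   /* checksum differs from the recorded baseline */
#define COM_ENTRY_JMP_TAIL 4   /* first instruction jumps into the file's tail */
#define COM_TOO_LARGE      8   /* exceeds what a .COM can load (assumed 0xFF00-byte limit) */

/* Per-file record an administrator keeps from a known-clean installation. */
typedef struct { size_t size; uint32_t sum; } baseline_t;

/* FNV-1a over the image; any reasonably strong checksum serves the purpose. */
uint32_t image_checksum(const uint8_t *img, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= img[i]; h *= 16777619u; }
    return h;
}

baseline_t record_baseline(const uint8_t *img, size_t len) {
    baseline_t b;
    b.size = len;
    b.sum = image_checksum(img, len);
    return b;
}

/* A .COM image is loaded at CS:0100h and entered at its first byte. If it starts
 * with a near JMP (E9 rel16), return the jump target as a file offset, else -1. */
long com_entry_jump_target(const uint8_t *img, size_t len) {
    if (len < 3 || img[0] != 0xE9) return -1;
    int16_t rel = (int16_t)(img[1] | (img[2] << 8));
    return 3 + rel;
}

int check_com_image(const uint8_t *img, size_t len, const baseline_t *b) {
    int flags = 0;
    if (len > 0xFF00) flags |= COM_TOO_LARGE;
    if (b) {
        if (len != b->size) flags |= COM_SIZE_CHANGED;
        if (image_checksum(img, len) != b->sum) flags |= COM_SUM_CHANGED;
    }
    long t = com_entry_jump_target(img, len);
    /* Heuristic with an assumed threshold: an entry jump into the last quarter
     * of the file means the program's own code is no longer what runs first. */
    if (t >= 0 && (size_t)t >= len - len / 4) flags |= COM_ENTRY_JMP_TAIL;
    return flags;
}

/* Constructed clean program: MOV AH,4Ch / MOV AL,0 / INT 21h (exit to DOS). */
size_t make_sample_clean(uint8_t *out) {
    static const uint8_t code[] = { 0xB4, 0x4C, 0xB0, 0x00, 0xCD, 0x21 };
    memcpy(out, code, sizeof code);
    return sizeof code;
}

/* Constructed layout only: a near JMP at offset 0 to offset 64 (E9 3D 00),
 * followed by NOP (90h) filler up to 70 bytes. */
size_t make_sample_tailjump(uint8_t *out) {
    memset(out, 0x90, 70);
    out[0] = 0xE9; out[1] = 0x3D; out[2] = 0x00;
    return 70;
}

/* Clean image against its own baseline: 0. */
int demo_com_clean(void) {
    uint8_t img[128];
    size_t len = make_sample_clean(img);
    baseline_t b = record_baseline(img, len);
    return check_com_image(img, len, &b);
}

/* Tail-jump image against the clean baseline:
 * COM_SIZE_CHANGED | COM_SUM_CHANGED | COM_ENTRY_JMP_TAIL (7). */
int demo_com_tailjump(void) {
    uint8_t clean[128], img[128];
    size_t lc = make_sample_clean(clean);
    baseline_t b = record_baseline(clean, lc);
    size_t len = make_sample_tailjump(img);
    return check_com_image(img, len, &b);
}
```

The baseline comparison is the reliable part; the entry-jump heuristic will also fire on legitimate programs that place data at the start of the image, so in practice it is a prompt for inspection rather than a verdict.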