student lab

Virus Primer

This page highlights the types of malicious computer programs (MCP's). Please use this as a reference to the Antivirus Software Distribution page, which describes in detail Clemson University's license for antivirus software. If you need additional information about a specific virus, you can go to Trend-Micro's web site. Trend-Micro has an encyclopedia for viruses and hoaxes which is updated frequently.

Types of MCP's

There are four basic types of MCPs that are prevelent:

  • Viruses
  • Worms
  • Trojan Horses
  • Macro Viruses

Viruses

Examples: Bagle, MyDoom, Nimda

Computer Viruses are small programs which become imbedded in or "infect" files. Once infected, they either prohibit standard functions or execute functions which are malicious in nature. A virus primarily attacks executables or applications - so if an user runs an infected application, the virus program runs in addition to the normal operation, usually something unwanted. Data files may also be infected, although most traditional viruses require an executable to do damage (see Macro Viruses for exception to that rule).

Examples of virus effects are as follows:

  • Preventing the system from booting.
  • Erasing files or entire hard drives.
  • Preventing saving or printing of files.
  • Misusing system resources, causing slow performance or frequent system crashes.
  • Hundreds of other possibilities

Most viruses have code which allows them to propagate themselves to files on your computer or others. It is "infecting" code that gives the MCP the analogy to the biological viruses. Viruses can infect other computers by infected files being transferred by disks and other removable media, networked servers and unsecured sites on the Internet. They can reside in a computer's memory and lay dormant until a certain time or date.

There are software products, such as Trend-Micro OfficeScan, which provides some protection for most viruses. Note: new viruses are discovered almost daily, these products are as good as their last update. So updating virus protection is essential to remaining protected. If a virus is discovered on a computer, this software performs a "clean" of the virus, where it removes all traces of the virus and attempts to repair problems with the files.

Worms

Examples: BugBear, MSBlaster/Lovesan, Sasser

Worms are MCPs which are very similar to viruses and their results can be even more damaging. The difference is they don't alter programs directly, but rather replace a document or application with the worm's code file for a user's data file, and use that code replicates itself over a computer network or file system. They are usually transmitted through a payload which 'tricks" the user into unknowingly activating the worm. Where viruses can for the most part be cleaned, worms often replace files in process to replicate and thus the deleted files are not recoverable.

In May 2000, the Love Bug's payload was initially an email message. Happy.99 and ExploreZip were worms which infected campus computers in the last few years. However worm don';t have to be email-based. In august 2003, MSBlaster/Lovesan worm infected Windows computers which don't have the latest critical patch installed.

Trojan Horses

Examples: SDBot, Spybot

Trojan Horses are applications which perform malicious actions on a computer. They are named because they typically "disguise" themselves as useful programs in an attempt to trick a user into running them, (See Odyssey and Trojan War). Since they are applications, they are confined to certain platforms and only do harm unless they are executed. Trojan Horses are different from viruses and worms since they don't attempt to replicate on the computer. Some trojan horses can even provide access to the computer or its files to a remote user (BackOrifice) without the computer's owner knowing.

Macro Viruses

Examples: Concept, W97.Melissa.A

Macros are a set of commands which typically allow a user of a specific application to repeat actions with a key stroke or under conditions (i.e. when you save a file). They are written in Macro languages which can be very extensive, not just allowing the ability to control actions in the application, but also control other applications and the operating system on the computer. Useful macros can save time and effort by making repetitive tasks easier.

Macro Viruses are macros which are written for malicious purposes. Once considered a type of virus and relative minor threat, Macro viruses have grown in number from less than 10 in 1996 to thousands of variations in May 2000. They can have the same results as traditional viruses, depending how powerfully the macro language is. For example, if the Macro language allows a user to write and/or delete files, then a malicious person could write a macro virus to delete all documents.

Although many of early macros viruses affected Microsoft Office applications (Word, Excel and others), these viruses can strike any application with a macro language including some operating systems. Another added problem with macro viruses is since many applications with macro languages are cross platform, these viruses can "travel" from platform to platform; Windows to MacOS computers.

At first, since they are part of the standard format of the Word/Excel document, standard Antivirus software had no ability to find and remove them. Since then, they have been discovered and now many Antivirus applications now scan and remove them.

How can I prevent infections and attacks?

With so many variants of MCPs on in the Internet, prevention or at least taking prudent steps is important to avoid attacks and infections from worms, viruses, and trojan horses. Here are some steps users can follow to minimize their risk:

  • VERIFY before you open any data files or attachments even when you know the sender. It never hurts to send a reply message or even call the person to double-check if an attachment is valid. Many infections such as Bugbear and SoBig Worms, the worm substituted itself in disguised graphic files with ".vbs", "pif", ".scr" , "exe" or "bat" suffix. Note that opening the attachment can cause the MCP to start, just reading an email message WILL NOT start a threat. Exception: You using email application which automatically opens attachment files, like Outlook. (If you are using Outlook, turn off the feature that "auto-opens" attachments).
  • UPDATE your antivirus protection software regularly (DAILY) and make sure you are using the latest version of the product. Clemson has a site license for Trend-Micro OfficeScan and it is available from our Share Netware server and Software Archive
  • Once your have the Antivirus software (Trend-Micro's OfficeScan) updated, SCAN your local drive for potential problems at least once a MONTH. It is not necessary to scan network servers since they already have virus protection software which scans files.
  • STRENGTHEN your Windows User an Administrator Passwords. Many threats are using “weak” passwords (.i.e. “123”, “abc”, your birth date, or last name) to access and then infect computers. Replace vowels with numbers, capitalize letter within words, and avoiding common words are good tips when creating a strong password.
  • Run Microsoft Critical Updates to PATCH security holes, used to infected computers. Many Threats, such as the recent Sasser worm, will infect unpatched computers. For Windows computers, you can download the latest patches from www.windowsupdate.com (you must have Internet Explorer to run the update features).
  • Remember to take normal steps to BACKUP your data. Copy critical departmental data to your group server, and personal data to your "U:" drive (Netware data server). This is not really preventive but it may save your data in case you are infected.

Further questions and inquiries can be sent to Customer Support Services via email at ITHELP@clemson.edu.