💾 Archived View for spam.works › mirrors › textfiles › virus › virus_my.ths captured on 2023-06-16 at 21:05:52.

View Raw

More Information

-=-=-=-=-=-=-


   Copyright 1988,92 by Rob Rosenberger & Ross M. Greenberg        Page 1 of 8



                               Computer Virus Myths

                            (8th Edition, March 1992)

                                by Rob Rosenberger
                              with Ross M. Greenberg


   A number of myths have surfaced about the threat of computer "viruses".
   There are myths about how widespread they are, how dangerous they are, and
   even myths about what a computer virus really is.  We'd like the facts to
   be known.

   The first thing to learn is that a virus is a malicious programming tech-
   nique in the realm of "Trojan horses."  All viruses are Trojan horses, but
   few Trojan horses can be called a virus.

   That having been said, it's time to go over the terminology we use when we
   lecture:

      BBS           Bulletin Board System.  If you have a modem, you can call
                    a BBS and leave messages, transfer computer files back &
                    forth, and learn a lot about computers.  (What you're
                    reading right now, for example, most likely came to you
                    from a BBS.)

      Bug           an accidental flaw in the logic of a program which makes
                    it do things it shouldn't really be doing.  Programmers
                    don't mean to put bugs in their program, but they always
                    creep in.  Programmers tend to spend more time debugging
                    their programs than they do writing them in the first
                    place.  Inadvertent bugs have caused more data loss than
                    all the viruses combined.

      Hacker        someone who really loves computers and who wants to push
                    them to the limit.  Hackers have a healthy sense of curi-
                    osity: they try doorknobs just to see if they're locked,
                    and they tinker with a piece of equipment until it's "just
                    right."  The computer revolution itself is a result of
                    hackers.

      Shareware     a distribution method for quality software available on a
                    "try before you buy" basis.  You pay for the program only
                    if you find it useful.  Shareware programs can be down-
                    loaded from BBSs and you are encouraged to give evaluation
                    copies to friends.  Many shareware applications rival the
                    power of off-the-shelf counterparts, at just a fraction of
                    the price.  (You must pay for the shareware you continue
                    to use -- otherwise you're stealing software.)

      Trojan horse  a generic term describing a set of computer instructions
                    purposely hidden inside a program.  Trojan horses tell a
                    program to do things you don't expect it to do.  The term
                    comes from a legendary battle in which the ancient city of

   Computer Virus Myths                                            Page 2 of 8



                    Troy received the gift of a large wooden horse.  The
                    "gift" secretly held soldiers in its belly, and when the
                    Trojans rolled it into their fortified city....

      Virus         a term for a very specialized Trojan horse which spreads
                    to other computers by secretly "infecting" programs with a
                    copy of itself.  A virus is the only type of Trojan horse
                    which is contagious, like the common cold.  If it doesn't
                    meet this definition, then it isn't a virus.

      Worm          a term similar to a Trojan horse, but there is no "gift"
                    involved.  If the Trojans had left that wooden horse out-
                    side the city, they wouldn't have been attacked.  Worms,
                    on the other hand, can bypass your defenses without having
                    to deceive you into dropping your guard.  An example is a
                    program designed to spread itself by exploiting bugs in a
                    network software package.  Worms are usually released by
                    someone who has normal access to a computer or network.

      Wormers       the name given to the people who unleash destructive
                    Trojan horses.  Let's face it, these people aren't angels.
                    What they do hurts us.  They deserve our disrespect.

   Viruses, like all Trojan horses, purposely make a program do things you
   don't expect it to do.  Some viruses are just an annoyance, perhaps only
   displaying a "Peace on earth" greeting.  The viruses we're worried about
   are designed to destroy your data (the most valuable asset of your com-
   puter!) and waste your valuable time in recovering from an attack.

   Now you know the difference between a virus and a Trojan horse and a bug.
   Let's get into some of the myths:

   "All purposely destructive code comes as a virus."
      Wrong.  Remember, "Trojan horse" is the general term for purposely
   destructive code.  Very few Trojan horses actually qualify as viruses.  Few
   newspaper or magazine reporters have a real understand of computer crimes,
   so they tend to call almost anything a virus.

   "Viruses and Trojan horses are a recent phenomenon."
      Trojan horses have been around since the first days of the computer;
   hackers toyed with viruses in the early 1960s as a form of amusement.  Many
   different Trojan horse techniques emerged over the years to embezzle money,
   destroy data, etc.  The general public didn't know of this problem until
   the IBM PC revolution brought it into the spotlight.  Banks still hush up
   computerized embezzlements (as they did during the 1980s) because they
   believe customers will lose faith in their computer systems if the word
   gets out.

   "Viruses are written by hackers."
      Yes, hackers have purposely unleashed viruses, but so has a computer
   magazine publisher.  And according to one trusted military publication, the
   U.S. Defense Department develops them as weapons.  Middle-aged men wearing
   business suits created Trojan horses for decades before the advent of com-

   Computer Virus Myths                                            Page 3 of 8



   puter viruses.  We call people "wormers" when they abuse their knowledge of
   computers.  You shouldn't fear hackers just because they know how to write
   viruses.  This is an ethics issue, not a technology issue.  Hackers know a
   lot about computers; wormers abuse their knowledge.  Hackers (as a whole)
   got a bum rap when the mass media corrupted the term.

   "Viruses infect 25% of all IBM PCs every month."
      If 25% suffer an infection every month, then 100% would have a virus
   every four months assuming the user took no preventive measures -- in other
   words, every IBM PC would suffer an infection three times per year.  This
   astronomical estimate surfaced after virus expert (and antivirus vendor)
   Dr. Peter Tippett published "The Kinetics of Computer Virus Replication," a
   complex thesis on how viruses might spread in the future.  Computer viruses
   exist all over the planet, yes -- but they won't take over the world.  Only
   about 400 different viruses exist at this time and some of them have been
   completely eliminated "from the wild."  (Of course, virus experts retain
   copies even of "extinct" viruses in their archives.)  You can easily reduce
   your exposure to viruses with a few simple precautions.  Yes, it's still
   safe to turn on your computer!

   "Only 400 different viruses?  But most experts talk about them in the thou-
   sands."
      The virus experts who "originate" these numbers tend tto work for
   antivirus firms.  They count even the most insignificant variations of
   viruses as part of the grand total for advertising purposes.  When the
   Marijuana virus first appeared, for example, it displayed the word
   "legalise," but a miscreant later modified it to read "legalize."  Any pro-
   gram capable of detecting the original virus will detect the version with
   one letter changed -- but antivirus companies count them as "two" viruses.
   Such obscure differentiations quickly add up.

   "Viruses could destroy all the files on my disks."
      Yes, and a spilled cup of coffee will do the same thing.  If you have
   adequate backup copies of your data, you can recover from any virus or
   coffee problem.  Backups mean the difference between a nuisance and
   a disaster.  It is safe to presume there has been more accidental loss of
   data than loss by viruses and Trojan horses.

   "Viruses have been documented on over 300,000 computers (1988)."
   "Viruses have been documented on over 400,000 computers (1989)."
   "Viruses have been estimated on over 5,000,000 computers (1992)."
      These numbers come from John McAfee, a self-styled virus fighter who
   craves attention and media recognition.  If we assume it took him a mere
   five minutes to adequately document each viral infection, it would have
   taken four man-years of effort to document a problem only two years old by
   1989.  We further assume McAfee's statements include every floppy disk ever
   infected up to that time by a virus, as well as all of the computers
   participating in the Christmas and InterNet worm attacks.  (Worms cannot be
   included in virus infection statistics.)
      McAfee prefers to "estimate" his totals these days.  Let's assume we
   have about 100 million computers of all types & models in use around the
   world.  McAfee's estimate means 1 out of every 20 computers on the planet
   supposedly has a virus.  It sounds like a pretty astronomical number to
   most other virus experts.

   Computer Virus Myths                                            Page 4 of 8



   "Viruses can hide inside a data file."
      Data files can't wreak havoc on your computer -- only an executable pro-
   gram file can do that (including the one that runs when you first turn on
   your computer).  If a virus infected a data file, it would be a wasted
   effort.  But let's be realistic: what you think is 'data' may actually be
   an executable program file.  For example, a "batch file" qualifies as text
   on an IBM PC, yet the MS-DOS operating system treats it just like a pro-
   gram.

   "BBSs and shareware programs spread viruses."
      Here's another scary myth drummed up in the big virus panic, this one
   spouted as gospel by many "experts" who claim to know how viruses spread.
   "The truth," says PC Magazine publisher Bill Machrone, "is that all major
   viruses to date were transmitted by [retail] packages and private mail sys-
   tems, often in universities."  (PC Magazine, October 11, 1988.)  Machrone
   said this back in 1988 and it still applies to this day.  Almost 50 retail
   companies so far have admitted spreading infected master disks to tens of
   thousands of customers since 1988 -- compared to only five shareware
   authors who have spread viruses on master disks to less than 100 customers.
   Machrone goes on to say "bulletin boards and shareware authors work extra-
   ordinarily hard at policing themselves to keep viruses out."  Reputable
   sysops check every file for Trojan horses; nationwide sysop networks help
   spread the word about dangerous files.  Yes, you should beware of the soft-
   ware you get from BBSs and shareware authors, but you should also beware of
   the retail software you find on store shelves.  (By the way, many stores
   now have software return policies.  Do you know for sure you were the only
   one who used those master disks?)

   "My computer could be infected if I call an infected BBS."
      BBSs can't write information on your disks -- the communications soft-
   ware you use performs this task.  You can only transfer a dangerous file to
   your computer if you let your software do it.  And there is no "300bps sub-
   carrier" that lets a virus slip through a high speed modem.  A joker named
   Mike RoChenle (IBM's "micro channel" PS/2 architecture, get it?) started
   the 300bps myth when he left a techy-joke message on a public BBS.  Unfor-
   tunately, a few highly respected journalists were taken in by the joke.

   "So-called 'boot sector' viruses travel primarily in software downloaded
   from BBSs."
      This common myth -- touted as gospel even by Australia's Computer Virus
   Information Group -- expounds on the mythical role computer bulletin boards
   play in spreading viruses.  Boot sector viruses can only spread by direct
   contact and "booting" the computer from an infected disk.  BBSs deal exclu-
   sively in program files and have no need to pass along copies of disk boot
   sectors.  Bulletin board users therefore have a natural immunity to boot-
   sector viruses when they download software.
      We should make a special note about "dropper" programs developed by
   virus researchers as an easy way to transfer boot sector viruses among
   themselves.  Since they don't replicate, "dropper" programs don't qualify
   as a virus in and of themselves.  Such programs have never been discovered
   on any BBS to date and have no real use other than to transfer infected
   boot sectors.

   Computer Virus Myths                                            Page 5 of 8



   "My files are damaged, so it must have been a virus attack."
      It also could have happened because of a power flux, or static elec-
   tricity, or a fingerprint on a floppy disk, or a bug in your software, or
   perhaps a simple error on your part.  Power failures and spilled cups of
   coffee have destroyed more data than all viruses combined.

   "Donald Burleson was convicted of releasing a virus."
      Newspapers all over the country hailed a Texas computer crime trial as a
   "virus" trial.  The defendent, Donald Burleson, was in a position to
   release a destructive Trojan horse on his employer's mainframe computer.
   This particular software couldn't spread to other computers, so it couldn't
   possibly have qualified as a virus.  Davis McCown, the prosecuting attor-
   ney, claims he "never brought up the word virus" during the trial.  So why
   did the media call it one?
     1. David Kinney, an expert witness testifying for the defense, claimed
        Burleson had unleashed a virus.  The prosecuting attorney didn't argue
        the point and we don't blame him -- Kinney's bizarre claim probably
        helped sway the jury to convict Burleson, and it was the defense's
        fault for letting him testify.
     2. McCown gave reporters the facts behind the case and let them come up
        with their own definitions.  The Associated Press and USA Today, among
        others, used such vague definitions that any program would have
        qualified as a virus.  If we applied their definitions to the medical
        world, we could safely label penicillin as a biological virus (which
        is, of course, absurd).
     3. McCown claims many quotes attributed to him were "misleading or fab-
        ricated" and identified one in particular which "is total fiction."
        Reporters sometimes print a quote out of context, and McCown appar-
        ently fell victim to it.  (It's possible a few bizarre quotes from
        David Kinney or John McAfee were accidentally attributed to McCown.)

   "Robert Morris Jr. released a benign virus on a defense network."
      It may have been benign but it wasn't a virus.  Morris, the son of a
   chief computer scientist at the U.S. National Security Agency, decided one
   day to take advantage of a bug in the Defense Department's networking soft-
   ware.  This tiny bug let him send a worm through the network.  Among other
   things, Morris's "InterNet" worm sent copies of itself to other computers
   in the network.  Unfortunately, the network clogged up in a matter of hours
   due to some bugs in the worm module itself.  The press originally called it
   a "virus," like it called the Christmas worm a virus, because it spread to
   other computers.  Yet Morris's programs didn't infect any computers.  A
   few notes:
     1. Reporters finally started calling it a worm a year after the fact, but
        only because lawyers in the case constantly referred to it as a worm.
     2. The worm operated only on Sun-3 & Vax computers which employ a UNIX
        operating system and were specifically linked into the InterNet net-
        work at the time.
     3. The 6,200 affected computers cannot be counted in virus infection
        statistics (since they weren't infected).
     4. It cost way less than $98 million to clean up the attack.  An official
        Cornell University report claims John McAfee, the man behind this wild
        estimate, "was probably serving [him]self" in an effort to drum
        up business.  People familiar with the case estimated the final figure
        at under $1 million.

   Computer Virus Myths                                            Page 6 of 8



     5. Yes, Morris could easily have added some infection code to make it a
        worm/virus if he'd had the urge.
     6. The network bug exploited in the attack has since been fixed.
     7. Morris went to trial for launching the InterNet worm and received a
        federal conviction.  The Supreme Court refused to hear the case, so
        his conviction stands.

   "The U.S. government planted a virus in Iraq military computers during the
   Gulf War."
      U.S. News & World Report published a story in early 1992 accusing the
   National Security Agency of replacing a computer chip in a printer bound
   for Iraq just before the Gulf War with a secret computer chip containing a
   virus.  The magazine cited "two unidentified senior U.S. officials" as
   their source, saying "once the virus was in the [Iraqi computer] system,
   ...each time an Iraqi technician opened a 'window' on his computer screen
   to access information, the contents of the screen simply vanished."  How-
   ever, the USN&WR story shows amazing similarities to a 1991 April Fool's
   story published by InfoWorld magazine.  Most computer experts dismiss the
   USN&WR story as a hoax -- an "urban legend" innocently created by the Info-
   World joke.  Some notes:
     1. USN&WR has refused to retract the story, but it did issue a "clarifi-
        cation" stating "it could not be confirmed that the [virus] was ulti-
        mately successful."  The editors broke with tradition and refused to
        publish any of the numerous letters readers submitted about the virus
        story.
     2. Ted Koppel, a well-known American news anchor, opened one of his
        "Nightline" broadcasts with a report on the alleged virus.  Koppel's
        staff politely refers people to talk with USN&WR about the story's
        validity.
     3. InfoWorld didn't label their story as fiction, but the last paragraph
        identified it as an April Fool's joke.

   "Viruses can spread to all sorts of computers."
      All Trojan horses are limited to a family of computers, and this is
   especially true for viruses.  A virus designed to spread on IBM PCs cannot
   infect an IBM 4300 series mainframe, nor can it infect a Commodore C64, nor
   can it infect an Apple Macintosh.

   "My backups will be worthless if I back up a virus."
      No, they won't.  Let's suppose a virus does get backed up with your
   files.  You can restore important documents and databases -- your valuable
   data -- without restoring an infected program.  You just reinstall programs
   from master disks.  It's tedious work, but not as hard as some people
   claim.

   "Antivirus software will protect me from viruses."
      There is no such thing as a foolproof antivirus program.  Trojan horses
   and viruses can be (and have been) designed to bypass them.  Antivirus
   products themselves can be tricky to use at times, and they occasionally
   have bugs.  Always use a good set of backups as your first line of defense;
   rely on antivirus software as a second line of defense.

   Computer Virus Myths                                            Page 7 of 8



   "Read-only files are safe from virus infections."
      This common myth among IBM PC users has been printed even in some com-
   puter magazines.  Supposedly, you can protect yourself by using the DOS
   ATTRIB command to set the read-only attribute on program files.  However,
   ATTRIB is software -- and what it can do, a virus can undo.  The ATTRIB
   command seldom halts the spread of viruses.

   "Viruses can infect files on write-protected disks."
      Here's another common IBM PC myth.  If viruses can modify read-only
   files, people assume they can modify write-protected floppies.  However,
   the disk drive itself knows when a floppy is protected and refuses to write
   to it.  You can physically disable an IBM PC drive's write-protect sensor,
   but you can't override it with a software command.



   We hope this dispels the many computer virus myths.  Viruses DO exist, they
   ARE out there, they WANT to spread to other computers, and they CAN cause
   you problems.  But you can defend yourself with a cool head and a good set
   of backups.

   The following guidelines can shield you from Trojan horses and viruses.
   They will lower your chances of being infected and raise your chances of
   recovering from an attack.

     1. Implement a procedure to regularly back up your files and follow it
        religiously.  Consider purchasing a user-friendly program to take the
        drudgery out of this task.  (There are plenty to choose from.)
     2. Rotate between at least two sets of backups for better security (use
        set #1, then set #2, then set #1...).  The more sets you use, the
        better protected you are.  Many people take a "master" backup of their
        entire hard disk, then take "incremental" backups of those files which
        changed since the last time they backed up.  Incremental backups might
        only require five minutes of your time each day.
     3. Download files only from reputable BBSs where the sysop checks every
        program for Trojan horses.  If you're still afraid, consider getting
        programs from a BBS or "disk vendor" company which gets them direct
        from the authors.
     4. Let newly uploaded files "mature" on a BBS for one or two weeks before
        you download it (others will put it through its paces).
     5. Consider using a program that searches, or "scans," disks for known
        viruses.  Almost all infections to date involved viruses known to
        antivirus companies.  A recent copy of any "scanning" program will in
        all probability identify a virus before it gets the chance to infect
        your computer -- and as they say, "an ounce of prevention is worth a
        pound of cure."  A "scanning" program can dramatically lower your
        chaces of getting infected by a computer virus in the first place.
        (But remember: there is no perfect antivirus defense.)
     6. Consider using a program that creates a unique "signature" of all the
        programs on your computer.  Run this program once in awhile to see if
        any of your software applications have been modified -- either by a
        virus or by a fingerprint on a floppy disk or perhaps even by a stray
        gamma ray.

   Computer Virus Myths                                            Page 8 of 8



     7. DON'T PANIC if your computer starts acting weird.  It may be a virus,
        but then again maybe not.  Immediately turn off all power to your com-
        puter and disconnect it from any local area networks.  Reboot from a
        write-protected copy of your master DOS disk.  Do NOT run any programs
        on a "regular" disk (you might activate a Trojan horse).  If you don't
        have adequate backups, try to bring them up to date.  Yes, you might
        back up a virus as well, but it can't hurt you if you don't use your
        normal programs.  Set your backups off to the side.  Only then can you
        safely hunt for problems.
     8. If you can't figure out what's wrong and you aren't sure what to do
        next, turn off your computer and call for help.  Consider calling a
        local computer group before you call for an expert.  If you need a
        professional, consider a regular computer consultant first.  Some
        "virus removal experts" charge prices far beyond their actual value.
     9. [Consider this ONLY as a last resort.]  If you can't figure out what's
        wrong and you are sure of yourself, execute both a low-level and a
        high-level format on all your regular disks.  Next, carefully re-
        install all software from the master disks (not from the backups).
        Make sure the master disks have write-protect tabs!  Then, carefully
        restore only the data files (not the program files) from your backup
        disks.

   We'd appreciate it if you would mail us a copy of any Trojan horse or virus
   you discover.  (Be careful you don't damage the data on your disks while
   trying to do this!)  Include as much information as you can and put a label
   on the disk saying it contains a malicious program.  Send it to Ross M.
   Greenberg, P.O. Box 908, Margaretville, NY 12254.  Thank you.

     Ross M. Greenberg is the author of both shareware and retail virus
     detection programs.  Rob Rosenberger is the author of various phone
     productivity applications.  (Products are not mentioned by name because
     this isn't the place for advertisements.)  They each write for national
     computer magazines.  These men communicated entirely by modem while
     writing this treatise.

             Copyright 1988,92 by Rob Rosenberger & Ross M. Greenberg


   Rosenberger can be reached electronically on CompuServe as [74017,1344], on
   GEnie as R.ROSENBERGE, on InterNet as `74017.1344@compuserve.com', and on
   various national BBS linkups.  Greenberg can be reached on MCI and BIX as
   `greenber', on UseNet as `c-rossgr@microsoft.com', and on CompuServe as
   [72461,3212].

   You may give copies of this treatise to anyone if you pass it along in its
   entirety.  Publications may reprint it at no charge if they give due credit
   to the authors and send two copies to: Rob Rosenberger, P.O. Box 643,
   O'Fallon, IL 62269.