Internet Interests

Worms, Viruses, and Trojans 101

According to online polls, about 80% of the people who responded claim that they have seen a significant increase in the number of computer viruses being released during 2002 as opposed to last year. The issue is whether or not you would recognize that you were under attack from a computer virus. Unlike those cool-looking commercials that show a computer virus chomping around on the monitor and eating up all of your files, real computer viruses are not always immediately visible and rarely (if ever) have a little virus Pac-Man that you can watch destroy your computer.

Sometimes you will be completely unaware of the damage that has been caused because there are no visible clues. Often you will discover that certain programs no longer work correctly or that your programs seem not to have enough memory to run. In some cases, there may not be any damage to your files or programs, but you eventually find out when someone contacts you about the debt that you have run up on your new credit cards.

This last problem is probably the most insidious. It can be caused by a bad guy who is using a Trojan virus on your computer. This bad guy will attempt to read and use the information that is available on your computer, as well as record your keystrokes in an attempt to find out your passwords.

To help you better understand the various classes of viruses, please take a look at the list below for explanations of the different kinds of viruses.

Viruses

A virus is a piece of code that is written by someone and which has the ability to replicate and infect other files on a particular system (self-replicating). Viruses are able to infect one file and then spread into another file, and another file, and another file, until the entire machine is infected or crashes.
A virus can spread itself into many files, and then those files can go out and do the same malicious work on their own, but the fundamental element of a virus is that it replicates.

Worms

A worm is a subclass of virus. A worm is a piece of code that has the ability to move from machine to machine, or network to network. It becomes mobile in a sense. A good example of a "pure" worm would be CodeRed.a. Typically, the most destructive effect of pure worms is causing distributed denial of service (DDoS) attacks across the Internet due to too much traffic, like that of the Code Red situation (the spreading across the Internet) and the Morris Worm of lore, for which Robert Morris was jailed.

A worm can have the ability to understand the operating system to the extent that it looks for something called a "share." This means that if the infection is on my machine, and I have an open share (which means you can come in and see my data or I can see your data), the worm is aware of this and is then able to move on its own from one machine to another without any human interaction whatsoever.

Trojans

A Trojan is a program that comes to you disguised, just like the Trojan horse. This means you may get a program that you think is one thing; for example, you might think it's a screen saver or wallpaper for your computer. But when you run it, nothing of that nature actually happens. While sometimes it actually might run, for the most part it doesn't. When activated, the Trojan goes into your computer and does something malicious.

A Trojan is something that has the ability to delete data, steal your passwords, or hook itself into your machine so that it can get out to the Internet and perhaps retrieve a virus and bring it back to you. It can also open a back door to your system by which a hacker or virus writer might be able to gain access to your entire system, and even the corporate network.

Virus/Worm/Trojan Combinations (Blended Threats)

Many threats, especially newer threats, are taking on both virus and worm-like characteristics. We call these cocktails, as they are a mixture of threats. Love Letter is a good example of a threat that combined virus and worm-like functionality. VBS/LoveLetter.worm took on virus-like characteristics by erasing files, and took on worm-like characteristics by mailing itself to everyone in the user's e-mail address book. Another example of a cocktail is CodeRed.c.worm, which was a worm/Trojan threat. CodeRed.c moved across the Internet to vulnerable Web servers and dropped a Trojan that opened a backdoor, or unsecured access, to the server.

Summary

Recognizing common virus behaviors takes a practiced eye and attention to detail. Viruses are constantly changing and new ones are always being developed (either intentionally or by accident). Learning how to recognize different virus classes will help you locate and repair damage from these attacks, as well as help prevent them from being spread further.

Respectfully submitted by Steve Duell

Virus definitions were provided courtesy of McAfee Security, a division of Network Associates.