What is a Computer Virus?
One may think of several explanations of what a computer virus is. The simplest form of explanation is what one might term as "fit for a housewife" who has never seen a computer in her life, but knows from listening to her children talking, that viruses DO exist, and that ALL computers are prone to virus infection. Such an explanation can be given rather easily, unlike the other rather complicated one, meant for an expert programmer. At this stage I do not think I can give an exact definition of a computer virus and draw a clear line between programs on the principle of "virus / non-virus".
Explanation for a Housewife
This explanation will be given on the example of a desk clerk working exclusively with papers. The idea of such an explanation belongs to D.N.Lozinsky as expanded by Eugene Kaspersky.
Let us imagine a desk clerk coming to work every day to his office. Every day he finds a stack of papers with a list of tasks which he must fulfil during his working day. He takes the top paper from the stack, reads the instructions of the superior, follows them carefully, then throws "used" papers into the waste basket. Now, let us suppose that a "bad guy" sneaks into the office and inserts a paper into the stack with his own task which reads:
"Copy this paper twice and put the copies into your neighbours' stacks".
What will the desk clerk do? He will copy this paper twice, destroy the original one and continue to the next paper in the stack, i.e. he will go on working as usual. What will his neighbours do, being as careful workers as he is, when they find a new task? They will do the same thing as the first one did: copy the paper twice and give it to other desk clerks. Altogether we have four copies of the paper already, and the paper will continue to be copied and transferred to other people.
This is approximately the scenario according to which the computer virus works, with programs instead of paper stacks and computers instead of desk clerks. A computer, like a desk clerk, carefully fulfils all the commands contained in a program (task lists), starting from the first one. If the first one is, for example, something like "copy my body into two other programs", the computer will do so, and the virus command will now be in two other programs. When the computer starts running other "infected" programs, the virus will continue to spread all over the computer in a similar manner.
In the above example about a desk clerk and his office our paper virus does not check whether another stack of papers is infected or not. In this case by the end of the working day all the office will be overrun by piles of such copies, and the clerks will have nothing else to do but copy the same text and give it to the neighbours - the first clerk makes two copies of the paper, the next victim of the virus makes four copies, then 8, 16, 32, 64 and so on, that is, the number of copies doubles each time.
If a desk clerk needs 30 seconds to copy one paper and 30 seconds more to pass the copies on, then in an hour there will be more than 1,000,000,000,000,000,000 copies of the virus in the office! Soon, of course, the office will be out of paper, and the spreading of the virus will also stop because of this obvious reason.
Funny as it may seem (although the participants of this incident were not at all laughing), exactly the same thing happened in 1988 in America, when several global information networks were flooded with copies of a network virus (Morris's worm), which transferred itself from one computer to another. Therefore, "direct" viruses can be said to have this format:
"Copy this list twice and put the copies into the stacks of tasks of your neighbours, if they don't already have one".
The problem is solved - there is no "overpopulation", but each stack contains a copy of the virus, besides that, the desk clerks also manage to carry on with their usual jobs.
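The office model above can be simulated directly. This is an added illustration, not part of the original article: it only counts papers, and it assumes the clerks sit in a ring (two neighbours each) and that, under the checked rule, a stack keeps its single copy the way an infected program does.

```python
CYCLE_SECONDS = 60  # 30 s to copy + 30 s to pass the copies on (figures from the text)


def simulate(clerks, cycles, check_marker):
    """Return the total number of virus papers in the office after each cycle.

    Assumption of this sketch: clerks sit in a ring, so each one has exactly
    two neighbours. stacks[i] is the number of virus papers in clerk i's stack.
    """
    stacks = [0] * clerks
    stacks[0] = 1                      # the paper slipped in by the "bad guy"
    totals = [1]
    for _ in range(cycles):
        # Checked rule: existing copies stay where they are (assumption).
        # Blind rule: every processed paper goes to the waste basket.
        nxt = list(stacks) if check_marker else [0] * clerks
        for i, papers in enumerate(stacks):
            if papers == 0:
                continue
            for n in ((i - 1) % clerks, (i + 1) % clerks):
                if check_marker:
                    # "if they don't already have one": at most one per stack
                    if nxt[n] == 0:
                        nxt[n] = 1
                else:
                    # every paper yields one copy for each neighbour
                    nxt[n] += papers
        stacks = nxt
        totals.append(sum(stacks))
    return totals


def copies_after(seconds):
    """Papers in circulation under the blind rule after `seconds` of work."""
    cycles = seconds // CYCLE_SECONDS
    return simulate(clerks=10, cycles=cycles, check_marker=False)[-1]


if __name__ == "__main__":
    print("blind rule, first 6 cycles:  ", simulate(10, 6, False))
    print("checked rule, first 6 cycles:", simulate(10, 6, True))
    print("blind rule after one hour:   ", copies_after(3600))
```

The blind rule doubles the total every cycle regardless of office size, while the checked rule stops at one copy per stack.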
"How about the destruction of data?" - an educated housewife might ask. This is very simple - it is sufficient to add to the "task" list something like this:
1. "Copy this list twice and put the copies into the stacks of tasks of your neighbours, if they don't already have one.
2. Check with the calendar, and if the date is Friday the 13th, throw ALL documents away into the waste basket."
THAT is what a very well known virus of the past, "Jerusalem" (a.k.a. "Time") did!
Incidentally, going by the example of our desk clerks, it is easy to see why in most cases it is impossible to say where the virus on our computer originated. All the clerks have the same COPIES (except for handwriting), but the original, written by the "bad guy", was in the waste basket as soon as the first clerk made the first copies!
This is the simple explanation of how a virus works. I would like to add two axioms to it, which are not obvious for everyone, strange as it may seem:
Firstly, viruses do not appear by themselves - they are created by very evil and bad hacker programmers who then send them to information exchange networks or toss them to the computers of their acquaintances. A virus cannot sneak into your computer by itself - either it was hiding on diskettes or even on a CD, or you have accidentally downloaded it from a computer information network, or maybe you had a virus in your computer from the very beginning, or, worst of all, some hacker lives in your home.
Secondly, computer viruses infect only a computer and nothing else; so don't be afraid - they are not going to pass through the keyboard or mouse and infect you personally!!
An attempt to give a "sensible" Definition
The first attempts to explore self multiplying artificial entities were made in the middle of this century and this information is based on an article by Eugene Kaspersky. Von Neumann, Wiener and other authors gave definitions and mathematically analysed finite automata, including self multiplying ones. The term "computer virus" became known later - it is now official that it was first used by F.Cohen (USA), a Lehigh University scholar, in 1984, at the seventh conference on computer security, which was held in the United States. It has been a long time since then and viruses present a far bigger problem now, but there is still no exact definition of a computer virus, despite many attempts to give one.
The main difficulty in trying to give the exact definition of a virus is that virtually all the unique features of a virus (incorporation into other objects, stealth behaviour, potential danger and so on) may be found in other non-virus programs, or there exist some viruses which are free from those features (except for their spreading capabilities).
For example, if we take stealth capability as a distinctive feature of a virus, then it is easy to give an example of a virus that does not hide its spreading. Such a virus, before infecting any file, outputs a message saying that there is a virus in a computer ready to hit another file, then outputs its filename and prompts for user permission to incorporate itself into this file.
If we take the ability to destroy programs and data on disks as a distinctive feature of a virus, then as a counter-example for this feature it is possible to give the dozens of absolutely harmless viruses, which do no damage but spread themselves and simply annoy and alarm people.
However, the main feature of computer viruses, their capability of incorporating themselves into different objects of operating systems, can be found in many conventional programs which are not viruses. For example, the most widespread operating system, MS-DOS, has all the necessary means to arbitrarily install itself to non-DOS disks. To do so it is sufficient to create an AUTOEXEC.BAT file containing the following lines:
SYS A:
COPY *.* A:
SYS B:
COPY *.* B:
SYS C:
COPY *.* C:
...
on a DOS boot floppy.
If you modify DOS as described above, it will become a virus in its own right from the point of view of any existing definition of a computer virus.
Thus, the first reason that does not allow one to give an exact definition of a virus is the impossibility to name features which a virus and only a virus can have.
The second difficulty arising when trying to work out the definition of a computer virus is the fact that this definition has to be OS-specific. For example, theoretically, there can be operating systems in which viruses simply cannot exist. This may be the system where it is prohibited to modify executable code, i.e. those objects that are already being executed or can be executed by operating systems under certain conditions.
Therefore it is possible to give only the necessary condition for considering some sequence of executable code a virus.
THE NECESSARY CONDITION OF BEING A COMPUTER VIRUS is a capability to produce copies of itself (not exact bytewise replicas) and to incorporate them into computer networks and/or files, system areas of computers, and other executable objects. In addition to that, the copies also maintain the capability to spread further.
It has to be mentioned that this condition is not sufficient (i.e. final), because, for example, the MS-DOS operating system has the necessary condition of a virus, but is obviously not a virus.
This is why there is no exact definition of a virus up to this moment, and it can hardly be given in the near future. Therefore there is no exactly defined law according to which "good" files may be told from "viruses". And more than that, for each particular file sometimes it is rather difficult to tell, whether it is a virus or not.
Here are two examples: KOH virus and ALREADY.COM program.
Example 1. There is a virus(?) utility(?) called KOH. This program encrypts/decrypts disks on a user request only. It is a bootable diskette with the KOH bootstrap loader; somewhere in the other sectors there is the executable code of KOH. After the diskette boots up, KOH asks the user something like, "May I install myself to your HDD?" (if it has already been installed onto the HDD it asks the same about the diskette). If the answer is yes, KOH transfers itself from one disk to another.
As a result KOH transfers (copies) itself from diskettes to hard drives and vice versa, but only if user permits it to do so.
Then KOH outputs some text about its hot keys, by pressing which it encrypts/decrypts disks - it prompts for a password, reads sectors, encrypts them and makes them unavailable if you enter an incorrect password. By the way, it also has a key for uninstallation, which is used by KOH to remove itself from disks (having of course decrypted all the encrypted data first).
So KOH is a utility program for protecting information from unauthorized access. However it has one additional feature: this program can copy itself from one disk to another (with the user's permission). Is this a virus? Yes or no? Most likely not...
This might be ok, nobody would call this utility program KOH a virus, if it wasn't for one thing. KOH's bootstrap loader looks 100 percent like that rather "popular" "Havoc" virus ("StealthBoot")... end of story. It IS a virus! It even has an official name - "StealthBoot.KOH".
Had KOH been written by somebody in Symantec or Sierra or even by Microsoft and not by somebody unknown, nobody would even think of calling it a virus.
Example 2. There is a program called ALREADY.COM, which copies itself to different sub directories on a drive depending on system date. Is this a virus? Yes of course - a typical worm virus, spreading itself over the drives (including the network ones). Yes?... Yes!
"Close but no cigar!" As it turned out, this is not a virus; it is a part of some software. However, if you detach this part from the rest of the software, it behaves like a typical virus.
So we have two live examples:
1. Non-virus - virus.
2. Virus - non-virus.
An alert reader who is no stranger to arguments may object:
- "Hold it. Computer viruses are called "viruses" because, like their biological counterparts, they have the ability of self propagation. KOH also has this ability, therefore it's a virus (or a compound which includes a virus component)"
In this case DOS is also a virus (or a compound which includes a virus component), because it has the SYS and COPY commands. And if the boot disk has the AUTOEXEC.BAT file similar to the one shown above, there is even no need for a user to initiate the propagation process. In addition to that, if we consider the capability to self propagate to be a necessary and sufficient feature of a virus, then every software which includes an installation program is a virus. Therefore this argument fails.
- ... what if we define a virus as not just "self propagating code", but "self propagating code not doing anything useful and even doing harm, without user participation or even knowledge"...
The KOH virus is a program encrypting disks using a password supplied by the user. Everything it does is reported on the display and all the actions are confirmed by the user. In addition to that it also has an "uninstall" option that decrypts all the disks and deletes the program body. Nevertheless it is a virus!
Judging by subjective criteria in case of ALREADY.COM (useful/useless, it is part of a compound/is a stand-alone etc.) maybe it is incorrect to call it a virus/worm. But what's the use of being subjective?
But what can objective criteria of being a virus be? Might that be self propagation, obscurity, destructive capabilities? But for each objective criterion one might find 2 counter examples - a) some particular virus not meeting this criterion, and b) some particular non-virus program meeting this criterion:
Self propagation:
a. intended viruses, which cannot propagate because of numerous errors, or propagate under very limited conditions.
b. MS-DOS and variations of SYS+COPY.
Obscurity:
a. "KOH", "VirDemo", "Macro.Word.Polite" viruses and some others inform the user about their presence and propagation.
b. how many drivers, counted in tens, does Microsoft Windows95 load? Incidentally these are all obscure.
Destructive capabilities:
a. harmless viruses like "Yankee", who feel fine under DOS, Windows 3.x, Windows95, NT and don't mess up anything.
b. the older versions of Norton Disk Doctor applied to drives with long filenames. In this case Disk Doctor turns out to be Disk Destroyer.
And so the question of whether it is possible to give a "sensible" definition of a computer virus is still open. Only in a few cases can one tell exactly: for example the COMMAND.COM file is definitely not a virus, whereas the notoriously famous program containing the text "Dis is one half" (a.k.a. "OneHalf") IS a 100 percent virus! Everything in between MIGHT be a virus or MIGHT NOT!
****************************
WORMS
=======
These programs spread in a computer network and, like "companion" viruses, don't change files or sectors on disks. They penetrate the computer's memory from a computer network, calculate network addresses of other computers and send their own copies to these addresses.
Such "viruses" (Worms are not viruses in the strict sense) sometimes start files on the system disks, but generally cannot apply themselves to computer resources (with the exception of main memory).