Here's part of "The Secret Guide to Computers," copyright by Russ Walter, 29th edition. For newer info, read the 33rd edition at www.SecretFun.com.

Viruses

A computer virus is a program that purposely does mischief and manages to copy itself to other computers, so the mischief spreads. Since computer viruses are malicious malevolent software, they’re called malware.

People create viruses for several reasons.

Some people think it’s funny to create mischief, by creating viruses. They’re the same kind of people who like to play “practical jokes” and, as kids, pulled fire alarms.

Some people are angry (at dictatorships, at the military, at big impersonal corporations, at clients who don’t pay bills, at lovers who rejected them, and at homosexuals). To get revenge, they create viruses to destroy their enemy’s computers.

Some people are intellectuals who want the challenge of trying to create a program that replicates itself. Too often, the program replicates itself too well and too fast and accidentally does more harm than the programmer intended.

Some people want to become famous (or infamous or influential) by inventing viruses. They’re the same kinds of people who, as kids, wrote graffiti on school walls and in bathrooms.

People who create viruses tend to be immature. Many are teenagers or disgruntled college students.

Different viruses perform different kinds of mischief.

Some viruses print nasty messages, containing four-letter words or threats or warnings, to make you worry and waste lots of your time and prevent you from getting work done.

Some viruses erase some files, or even your entire hard disk.

Some viruses screw up your computer so it prints wrong answers or stops functioning.

Some viruses clog your computer, by giving the computer more commands than the computer can handle, so the computer has no time left to handle other tasks, and all useful computer tasks remain undone.

The damage done by a virus is called the virus’s payload. Some viruses are “benign”: they do very little damage; their payload is small. Other viruses do big damage; they have a big payload. If a virus destroys your files, it’s said to have a destructive payload.

 

Propagation tricks

To propagate, viruses use two main tricks.

Trojan horse

Homer’s epic poem, The Iliad, describes how the Greeks destroyed Troy by a trick: they persuaded the Trojans to accept a “gift” — a gigantic wooden horse that secretly contained Greek warriors, who then destroyed Troy.

Some computer viruses use that trick: they look like a pleasant gift program, but the program secretly contains destructive warriors that destroy your computer. A pleasant-seeming program that secretly contains a virus is called a Trojan horse.

Time bomb

If a virus damages your computer immediately (as soon as you receive it), you’ll easily figure out who sent the virus, and you can stop the perpetrator. To prevent such detection, clever viruses are time bombs: they purposely delay damaging your computer until you’ve accidentally transmitted the virus to other computers; then, several weeks or months after you’ve been secretly infected and have secretly infected others, they suddenly destroy your computer system, and you don’t know why. You don’t know whom to blame.

 

How viruses arose

The first computer virus was invented in 1983 by Fred Cohen as an innocent experiment in computer security. He didn’t harm anybody: his virus stayed in his lab.

In 1986, a different person invented the first virus that ran on a PC. That virus was called Brain. Unfortunately, it accidentally escaped from its lab; it was found next year at the University of Delaware. (A virus that escapes from its lab is said to be found in the wild.)

Most early viruses harmed nobody, but eventually bad kids started inventing destructive viruses. The first destructive virus that spread fast was called the Jerusalem virus because it was first noticed at the Hebrew University of Israel in 1987. It’s believed to have been invented by a programmer in Tel Aviv or Italy.

Most people still thought “computer viruses” were myths; but in 1988, magazines ran articles saying computer viruses really exist. Researchers began to invent antivirus programs to protect against viruses and destroy them. In 1989, antivirus programs started being distributed to the general public, to protect against the 30 viruses that had been invented so far. But then the nasty programmers writing viruses began protecting their viruses against the antivirus programs. Now there are over 50,000 viruses, though many are just copycat viruses that are slight variants of others.

Companies writing antivirus software are working as hard as the villains writing the viruses. Most antivirus companies release updates weekly.

 

Programs to protect you

MS-DOS 6 & 6.2 come with an antivirus program called msav (which stands for MicroSoft Antivirus). But msav is rather useless, since most viruses were invented after it and outsmart it.

The best antivirus program is Norton AntiVirus, which lists for $50. You can also get Norton AntiVirus as part of Norton SystemWorks, which lists for $70 and includes other utilities.

The Norton products are published by Symantec and sold in many stores, which usually charge about half of list price (after discounts and rebates). If you’re in a rush and not near a store, phone PC Connection (a mail-order dealer at 800-800-0003), which charges just $5 for overnight shipping. (You can order late at night and still receive it in the morning!)

The second-best antivirus program is McAfee VirusScan, which lists for $60 and is published by Network Associates.

You can get a free antivirus checkup, called HouseCall, from an Internet Web site called “housecall.antivirus.com”. That Web site is run by Trend Micro, which also sells an antivirus program called PC-cillin. You can get another free antivirus checkup by going to the Symantec Antivirus Research Center’s Web site (www.sarc.com) then clicking “Online Virus and Security Check” (which is on the Web page’s left side, below “Virus Definitions”). Those free checkups don’t prevent viruses from entering your computer, but they reveal whether viruses entered already, and they help you start removing them.

If you use Windows, make sure you get antivirus software that’s designed for your version of Windows. Old antivirus programs think new versions of Windows are viruses, so those antivirus programs try to erase Windows!

Alas, using virus-scanning software can make your computer run slower, since virus-scanning can take a long time and consume RAM.

Besides worrying about viruses, you must also worry about adware (programs that secretly put ads onto your computer) and spyware (spybot programs, which secretly watch your activities on the computer and report about you to advertisers and crooks). Adware and spyware are nasty! They also consume the computer’s RAM and time, so your computer seems slower. The best programs for getting rid of adware and spyware are:

Spybot Search and Destroy

free from www.safer-networking.org, though donations are requested; about 1% of the users donate; avoid spybot.com, safer-networking.com, and safernetworking.com, which are different companies

Ad-aware

free from www.lavasoft.de for non-commercial use, though fancier versions are available for pay (from that Web site and retailers); avoid adaware.com, ad-aware.com, and lavasoft.com, which are different companies

The Web sites www.safer-networking.org and www.lavasoft.de will in turn refer you to www.download.com, which is a general Web site for downloading shareware.

 

Who gets viruses

The most common place to find traditional viruses is at schools.

That’s partly because most viruses were invented at schools (by bright, mischievous students) but mainly because many students share the school’s computers. If one student has an infected floppy disk (purposely or accidentally) and puts it into one of the school’s computers, that computer’s hard disk will probably get infected. Then it will infect all the other students who use that computer. As disks are passed from that computer to the school’s other computers, the rest of the school’s computers become infected.

Then the school’s students, unaware of the infection, take the disks home with them and infect their families’ home computers. Then the parents bring infected disks to their offices (so they can transfer work between home and office) and infect their companies. Then company employees take infected disks home and infect their home computers, which infect any disks used by the kids, who, unaware of the infection, then take infected disks to school and start the cycle all over again.

Anybody who shares programs with other people can get a virus. Most programs are copyrighted and illegal to share. People who share programs illegally are called pirates. Pirates spread viruses. For example, many kids spread viruses when they try to share their games with their friends.

Another source of viruses is computer stores, in their computer-repair departments.

While trying to analyze and fix broken computers, the repair staff often shoves diagnostic disks into the computers, to find out what’s wrong. If one of the broken computers has a virus, the diagnostic disks accidentally get viruses from the broken computers and then pass the viruses on to other computers. So if you bring your computer to a store for repairs, don’t be surprised if your computer gets fixed but also gets a virus.

Occasionally, a major software company will screw up, accidentally get infected by a virus, and unknowingly distribute it to all folks buying the software. Even companies as big as Microsoft have accidentally distributed viruses.

The newest viruses are spread by Internet communications, such as e-mail, instead of by floppy disks. Internet-oriented viruses spread quickly all over the world: they’re an international disaster!

 

6 kinds of viruses

Viruses fall into 6 categories: you can get infected by a file virus, a boot-sector virus, a multipartite virus, a macro virus, an e-mail worm, or a denial-of-service attack.

Here are the details.…

File viruses

A file virus (also called a parasitic virus) secretly attaches itself to an innocent program, so the innocent program becomes infected. Whenever you run the infected innocent program, you’re running the virus too!

Here are the file viruses that are most common. For each virus, I begin by showing its name, the country it came from, and the month it was first discovered in the wild. Let’s start with the oldest.…

Yankee Doodle

(From Bulgaria in September 1989) Every day at 5 PM, this virus plays part of the song Yankee Doodle on the computer’s built-in speaker.

This virus is also called Old Yankee and TP44VIR. It infects .COM & .EXE files, so they become 2899 bytes longer.

Die Hard 2

(From South Africa in July 1994) This virus infects .COM & .EXE files and makes them become exactly 4000 bytes bigger.

The virus also overwrites .ASM files (programs written in assembler) with a short program. When you try to compile the .ASM program, the computer hangs.

It’s also called DH2.

Chernobyl

(From Taiwan in June 1998) Back on April 26, 1986, radioactive gas escaped from a nuclear reactor in Chernobyl in the Soviet Union. The Chernobyl virus commemorates that event by erasing your hard disk on April 26th every year. (A variant, called version 1.4, erases your hard disk on the 26th of every month.)

If you get infected by this virus, you won’t notice it until the 26th; then suddenly your hard disk gets erased — and so do the hard disks of all your friends to whom you’d accidentally sent the virus!

The virus was written in Taiwan by a 24-year-old guy named Chen Ing-Hau. Since his initials are CIH, the virus is also called the CIH virus.

The virus was first noticed in June 1998. It did its first damage on April 26, 1999. Computers all over the world lost their data that day. Most American corporations were forewarned and forearmed with antivirus programs; but in Korea a million computers lost their data, at a cost of 250 million dollars, because Koreans don’t use antivirus programs but do use a lot of pirated software.

Here’s how the virus erases your hard disk:

It starts at the disk’s beginning and writes random info onto every sector (beginning at sector 0), until your computer stops working. The data that was previously on those overwritten sectors is gone forever and can’t be recovered.

The virus also tries to attack your computer’s Flash BIOS chips, by writing wrong info into them. If the virus succeeds, your computer will be permanently unable to display anything on the screen and also have trouble communicating with the keyboard, ports, and other devices, unless you bring your computer into a repair shop.

The virus destroys data just if you’re using Windows 95 or 98 (not Windows 3.1, not Windows NT).

Here’s how the virus spreads:

Whenever you run an infected program, the virus in the program copies itself into the RAM memory chips, stays there (until you turn the computer off), and infects every other program you try to run or copy. To infect a program, the virus looks for unused spaces in the program’s file, then breaks itself up and puts pieces of itself into unused spaces, so the file’s total length is the same as before and the virus is undetected.

Before you attack the virus by using an antivirus program, boot by using an uninfected floppy. If instead you just boot normally from your hard disk, your hard disk’s infected files copy the virus into RAM; then when you tell the antivirus program to “scan all programs to remove the virus”, the antivirus program accidentally copies the virus onto all those programs and infects them all. Yes, the virus tricks your antivirus program into becoming a pro-virus program!
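The file viruses above differ in what a simple size check can reveal: Yankee Doodle and Die Hard 2 lengthen files by 2899 and 4000 bytes, while Chernobyl fills unused spaces so the length stays the same. The following is an added example, not from the book: it records a baseline of each file's size and SHA-256 hash and classifies later changes. The file names, contents and simulated changes are constructed.

```python
import hashlib
import os
import tempfile

# Growth figures the text gives for two file viruses (bytes added per infected file).
KNOWN_GROWTH = {2899: "Yankee Doodle", 4000: "Die Hard 2"}


def snapshot(root):
    """Map each file under root to (size, SHA-256 of its contents)."""
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def compare(baseline, current):
    """Return {path: finding} for every file that no longer matches the baseline."""
    findings = {}
    for path, (old_size, old_hash) in baseline.items():
        if path not in current:
            findings[path] = "missing"
            continue
        new_size, new_hash = current[path]
        if new_hash == old_hash:
            continue
        delta = new_size - old_size
        if delta == 0:
            findings[path] = "same size, content changed (invisible to a size check)"
        elif delta in KNOWN_GROWTH:
            findings[path] = (
                f"grew by {delta} bytes (growth the text gives for {KNOWN_GROWTH[delta]})"
            )
        else:
            findings[path] = f"size changed by {delta:+d} bytes"
    for path in current:
        if path not in baseline:
            findings[path] = "new file"
    return findings


def demo():
    """Build constructed files, record a baseline, alter two files, then compare."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "EDIT.COM": b"\x90" * 500 + b"\x00" * 300,  # 300 bytes of unused padding
            "GAME.EXE": b"MZ" + b"\x11" * 1000,
            "NOTES.TXT": b"unchanged file",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        # Constructed change 1: overwrite the padding in place, so the length stays 800.
        with open(os.path.join(root, "EDIT.COM"), "wb") as fh:
            fh.write(b"\x90" * 500 + b"\xcc" * 300)
        # Constructed change 2: append 4000 filler bytes, so the file grows.
        with open(os.path.join(root, "GAME.EXE"), "ab") as fh:
            fh.write(b"\x00" * 4000)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, finding in sorted(demo().items()):
        print(f"{path}: {finding}")
```

A comparison like this is only trustworthy when the current snapshot is taken after booting from an uninfected floppy, for the reason the paragraph above gives.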

 

Boot-sector viruses

On a floppy disk or hard disk, the first sector is called the disk’s boot sector or, more longwindedly, the disk’s master boot record (MBR). A virus that hides in the boot sector is called a boot-sector virus. Whenever the computer tries to boot from a drive containing an infected disk, the virus copies itself into RAM memory chips (even if the booting is unfinished because the disk is considered “unbootable”).

Before hiding in the boot sector, the typical boot-sector virus makes room for itself by moving data from the boot sector to a “second place” on the disk. Unfortunately, whatever data had been in the “second place” gets overwritten and cannot be recovered.

The typical boot-sector virus makes the computer eventually hang (stop reacting to your keystrokes and mouse strokes).

Here are the boot-sector viruses that are most common.…

Stoned

(From New Zealand in December 1987) Of all the viruses common today, this is the oldest. It was invented in 1987 by a student at the University of Wellington, New Zealand.

If you boot from a disk (floppy or hard) infected with this virus, there’s a 1-in-8 chance your computer will beep and display this message: “Your PC is now Stoned”.

It was intended to be harmless, but it assumes your floppy disk is 360K and accidentally erases important parts of the directory on higher-capacity floppy disks (such as 1.44M disks). It also makes your computer run slower — as if your computer were stoned.

It doesn’t infect files and can’t infect other computers over a network. In its most common form, it reduces your total conventional RAM memory by 4K, so you have 636K instead of 640K. It also contains this message, which doesn’t get displayed: “Legalise Marijuana”. This virus is also called Marijuana, Hemp, and New Zealand. Many other virus writers have created imitations & variants, called strains. Some strains reduce your total conventional RAM memory by 1K or 2K instead of 4K.

Form

(From Switzerland in June 1990) This virus is supposed to just play a harmless prank: on the 18th day of each month, the computer beeps whenever a key is pressed. But this virus is badly written and accidentally causes problems. For example, if your hard disk ever becomes full, the virus makes the hard disk become unbootable. And if the computer ever fails to read from a disk, the virus can make the system hang.

It reduces your total conventional RAM memory by 2K, so you have 638K instead of 640K. The virus’s second sector contains this message, which never gets displayed:

The FORM-Virus send greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.

Michelangelo

(From Sweden in April 1991) Inspired by the Stoned virus (and sometimes called Stoned Michelangelo), this virus sits quietly on your hard disk until Michelangelo’s birthday, March 6th. Each year, on March 6th, the virus tries to destroy all data on your hard drive, by writing garbage (random meaningless bytes) everywhere.

This virus was invented before big hard drives became popular, so it assumes your hard drive is small: it writes the garbage onto just the first 17 sectors of each of the first 256 tracks of each of the first 2 platters, both sides. The overwritten data cannot be recovered. The virus reduces your total conventional RAM memory by 1K, so you have 639K instead of 640K. The simplest way to avoid damage from the virus is to adopt this trick: on March 5th, before you turn off the computer, change the computer’s date to March 7th, skipping March 6th.

Monkey

(From the USA in October 1992) Inspired by the Stoned virus (and sometimes called Stoned Empire Monkey), this virus encrypts the hard drive’s partition table, so the hard drive is accessible just while the virus is in memory. If you boot the system from a clean (uninfected) floppy disk, the hard drive is unusable. This virus is tough to remove successfully, since removing the virus will also remove your ability to access the data.

It reduces your total conventional RAM by 1K, so you have 639K instead of 640K.
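The boot-sector viruses above replace the code in a disk's first sector, and Monkey also leaves the partition table unreadable when the disk is examined after a clean boot. The following is an added example, not from the book: it inspects a 512-byte hard-disk MBR image read after a clean boot, compares the boot code against a recorded hash, and flags partition entries that cannot be genuine. The standard MBR layout it relies on (partition table at offset 446, signature 55 AA at offset 510) is not described in the text; the sample sector and the XOR scrambling are constructed and are not the virus's actual scheme.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def boot_code_sha256(sector):
    """Hash the boot-code area (everything before the partition table)."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()


def parse_entry(raw):
    """Decode one 16-byte partition entry; the CHS fields are skipped."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector, baseline_boot_hash=None):
    """Return a list of problems found in an MBR image (empty list = looks sane)."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    problems = []
    if sector[510:512] != SIGNATURE:
        problems.append("missing 55 AA signature")
    if baseline_boot_hash and boot_code_sha256(sector) != baseline_boot_hash:
        problems.append("boot code differs from baseline")
    active = 0
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        if raw == bytes(16):
            continue                      # unused entry
        entry = parse_entry(raw)
        if entry["status"] not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{entry['status']:02x}")
        if entry["status"] == 0x80:
            active += 1
        if entry["type"] == 0 or entry["sectors"] == 0:
            problems.append(f"entry {i}: in use but has no type or no length")
    if active > 1:
        problems.append("more than one active partition")
    return problems


def build_sample_mbr():
    """Constructed MBR: filler boot code, one active FAT16 partition, valid signature."""
    boot_code = bytes(i % 251 for i in range(TABLE_OFFSET))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\x0f\x3f\x20", 63, 204800)
    return boot_code + entry + bytes(48) + SIGNATURE


def constructed_scramble(sector, key=0x5A):
    """Constructed stand-in for an unreadable table: XOR the 64 table bytes with key."""
    table = bytes(b ^ key for b in sector[TABLE_OFFSET:510])
    return sector[:TABLE_OFFSET] + table + sector[510:]


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = boot_code_sha256(clean)
    print("clean:", check_mbr(clean, baseline))
    print("scrambled table:", check_mbr(constructed_scramble(clean), baseline))
    print("changed boot code:", check_mbr(b"\xff" + clean[1:], baseline))
```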

Parity Boot

(From Germany in September 1993) Every hour, this virus checks whether it’s infected a floppy disk. If it hasn’t infected a disk in the last hour, it says “PARITY CHECK” and hangs the computer.

This virus consumes 1K of your RAM, so your conventional RAM is 639K instead of 640K. The virus stays in RAM even if you press Ctrl with Alt with Del: to unload the virus from RAM, you must turn off the computer’s power or press the Reset button.

Ripper

(From Norway in November 1993) This virus randomly corrupts data being written to disk.

The chance of a particular write being corrupted is just 1 out of 1024, so the corruption occurs just occasionally and to just a few bytes at a time. You typically don’t notice the problem until several weeks have gone by and the infection has spread to many files and your backups, too! Then it’s too late to recover your data! Yes, Ripper has the characteristic of a successful virus: its effects are so subtle that you don’t notice it until you’ve infected your hard disk, your backups, and your friends! Then ya wanna die! It’s also called Jack Ripper, because it contains this message which is never displayed:

(c)1992 Jack Ripper

It contains another undisplayed message:

FUCK 'EM UP !

Anti-EXE

(From Russia in December 1993) This virus monitors disk activity and waits for you to run a certain important .EXE program. (Virus researchers haven’t yet discovered which .EXE program is involved.) When you run that important .EXE program (so that program’s in your RAM), the virus corrupts the copy that’s in the RAM (but not the copy that’s on disk). While you run that corrupted copy, errors occur, and the computer usually hangs.

Anti-CMOS

(From the USA in February 1994) This virus changes your system’s CMOS settings, as follows:

Your hard drive becomes “not installed”.

Your 1.44M floppy drive becomes “1.2M”.

A 1.2M floppy drive becomes “not installed”.

A 360K floppy drive becomes “720K”, and vice-versa.

To evade detection and give itself time to spread to other computers, it waits awhile before doing that damage: it waits until you’ve accessed the floppy drive many times; on the average, it waits for 256 accesses.

It’s spread just when someone tries to boot the system from an infected floppy disk. It reduces your total conventional RAM memory by 2K, so you have 638K instead of 640K. After it’s damaged your CMOS settings, here’s how to recover: run your computer’s CMOS setup program, which lets you reset the CMOS to the correct settings.

A variant virus, Anti-CMOS.B, generates sounds from the computer’s built-in speaker instead of changing the CMOS.

New York Boot

(From the USA in July 1994) This virus’s only function is to spread itself. But it spreads itself fast and often. It’s also called NYB.

 

Multipartite viruses

You’ve learned that some viruses (called boot-sector viruses) infect the disk’s boot sector, while other viruses (called file viruses) infect the disk’s file system. If a virus is smart enough to infect the disk’s boot sector and file system simultaneously, it’s called a multipartite virus.

Yes, a multipartite virus hides in two places: the boot sector and also the file system. If you remove the virus from just the boot sector (or from just files), you still haven’t completely removed the virus, which can regenerate itself from the place you missed.

If a virus is very smart, it’s called a stealth polymorphic armored multipartite virus (SPAM virus):

A stealth virus makes special efforts to hide itself from antivirus software. For example, it tricks antivirus software into inspecting a clean copy of a file instead of letting it read the actual (infected) file.

A polymorphic virus changes its own appearance each time it infects a file, so no two copies of the virus look alike to antivirus programs.

An armored virus protects itself against antivirus disassembly.

A multipartite virus hides in two places: the boot sector and also the file system.

One Half

(From Austria in October 1994) The most common multipartite virus is One Half. It slowly encrypts the hard drive. Each time you turn on the computer, the virus encrypts two more cylinders (starting with the innermost 2 tracks and working toward the outer tracks). The encrypting is done by using a random code. You can use the encrypted cylinders as long as the virus remains in memory. When about half of the hard drive’s cylinders are encrypted, the computer says:

Dis is one half

Press any key to continue......

This virus is tough to remove successfully, since removing the virus will also remove your ability to access the data.

It infects the hard disk’s MBR, each floppy disk’s boot sector, and .EXE and .COM files. It scans filenames for text relating to antivirus programs (such as MSAV, NOD, SCAN, CLEAN, and FINDVIRU): it won’t infect antivirus programs! It’s hard to detect, since it’s polymorphic and uses stealth. It reduces your total conventional RAM memory by 4K, so you have 636K instead of 640K. It’s also called Dis, Slovak Bomber, Explosion 2, and Free Love.

 

Macro viruses

A macro virus hides in macros, which are little programs embedded in Microsoft Word documents and Excel spreadsheets. The virus spreads to another computer when you give somebody an infected document (on a floppy disk or through a local-area network or as an e-mail attachment). During the past few years, e-mail has become prevalent, and so have macro viruses: they’re more prevalent than all other viruses combined.

Here are the most prevalent macro viruses.…

Concept

(From the USA in July 1995) This virus infects Microsoft Word documents and templates. When you load an infected document for the first time, you see a dialog box that says “1”, with an OK button. Once you click OK, the virus takes over. It forces all documents to be saved as templates, which in turn affect new documents.

It consists of 5 macros: AutoOpen, PayLoad, FileSaveAs, AAAZAO, and AAAZFS. You can see those macros in an infected Word document by choosing “Macro” from the Tools menu.

Invented in 1995, it was historic:

It was the first macro virus. It was the first virus that infects documents instead of programs or boot sectors. It was the first virus that can infect both kinds of computers: IBM and Mac!

Old antivirus programs can’t detect it.

It was intended as just a harmless prank demonstration of what a macro virus could do (and is therefore also called the Prank Macro virus), but it spread fast.

In 1995, it became more prevalent than any other virus. Microsoft Word’s newest versions (Word 97 and Word 2000) protect themselves against the virus, but their predecessor (Word 7) is vulnerable unless you buy an antivirus program that includes anti-Concept.

Wazzu

(From the USA in June 1996) Inspired by the Concept virus, this virus consists of a macro called AutoOpen that forces Microsoft Word documents to be saved as templates. Whenever you open a document, the virus also rearranges up to 3 words and inserts the word “Wazzu” at random.

Laroux

(From the USA in July 1996) This virus was first discovered in July 1996 in Africa and Alaska. It was the first macro virus that infected Excel spreadsheets (instead of Word documents). It does no harm except copy itself. It works just in Windows, not on Macs.

Tristate

(From the USA in March 1998) This macro virus is called Tristate because it’s smart enough to infect 3 things: Microsoft Word documents, Excel spreadsheets, and PowerPoint slides.

Class

(From the USA in October 1998) This macro virus infects Microsoft Word documents. It just displays a stupid message on your screen occasionally.

The original version (called Class.A) says “This is Class” on your screen, on the 31st day of each month. The most prevalent version (called Class.D) displays this message on the 14th day of each month after May: “I think”, then your name, then “is a big stupid jerk!” The craziest version (called Class.E) says “Monica Blows Clinton! -=News@11=-” occasionally (at random, 1% of the time); and on the 17th day of each month after August, it says “Today is Clinton & Monica Fuck-Fest Day!”

Ethan

(From the USA in January 1999) When you use Microsoft Word, if you click “File” then “Properties” then “Summary”, you see a window where you can type a document’s title, author, keywords, and other items. When you close a document infected by the Ethan virus, this virus has a 30% chance of changing the document’s title to “Ethan Frome”, the author to “EW/LN/CB”, and the keywords to “Ethan”.

That’s to honor Ethan Frome, a novel written by Edith Wharton in 1911, about a frustrated man — the kind of man who would now write viruses.

Melissa

(From the USA in March 1999) This macro virus infects Microsoft Word documents. When you look at (open) a document, if the document is infected, the virus tries to e-mail copies of the infected document to the first 50 people mentioned in Microsoft Outlook’s address book (which is called the Contacts folder), unless the virus e-mailed to those people previously. Yes, your document gets secretly e-mailed to 50 people, without you knowing!

Each of those 50 people gets an e-mail from you. The e-mail’s subject says “Important message from” and your name. The e-mail’s body says “Here is that document you asked for ... don't show anyone else ;-)”. Attached to that e-mail is your document, infected by the virus.

This virus spreads fast just if your computer has Microsoft Outlook. The typical large corporation does have Microsoft Outlook on each computer (since Microsoft Outlook is part of Microsoft Office), so the virus e-mails itself to 50 people automatically, and each of those people e-mails to 50 other people, etc., so the virus spreads fast.

The FBI hunted for the perpetrator and concluded that the Melissa virus was invented by David L. Smith in New Jersey.

He called it “Melissa” to honor a Florida topless dancer. Her name is hidden in the virus program. The virus spread all over the world suddenly, on March 26, 1999, when he put it in a message in the alt.sex newsgroup. His infected document, called LIST.DOC, contained a list of porno Web sites. In just a few days, 10% of all computers connected to the Internet contained the virus. It spread faster than any other virus ever invented. Since it created so much e-mail (from infected documents and from confused people denying they meant to send the e-mail), many Internet computers handling e-mail had to be shut down.

On April 2, 1999, the FBI had New Jersey police arrest David, who was 31. At first, he denied he distributed the virus; but on December 13, 1999, he finally pleaded guilty, apologized, and faced fines and jail.

A TV cartoon show called “The Simpsons” has an episode called “The Genius”, where Bart Simpson abruptly ends a Scrabble game by claiming he won with the word “Kwyjibo”. The virus can put into your document this quote from him:

Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.

The virus inserts that quotation just if you open or close the document at the precise minute when, on the computer’s clock, the number of minutes equals the date. For example, on May 27th it will insert that quotation if the time is 1:27, 2:27, 3:27, 4:27, 5:27, 6:27, 7:27, 8:27, 9:27, 10:27, 11:27, or 12:27.

The virus runs just if you have Microsoft Word 97 or 2000.

The virus is harmless if you have Microsoft Word 7 or earlier. Microsoft Word 97 & 2000 are supposed to protect you against macro viruses, but the Melissa virus is smart enough to disable that protection. The virus spreads quickly just if you have Microsoft Outlook; the virus uses just the address book in Microsoft Outlook, not the address book in Microsoft Outlook Express.

Although the original virus’s e-mail subject line said “Important message from”, a new variant of the virus has a blank subject line, making the virus harder to notice.

Marker

(From the USA in April 1999) This macro virus infects Microsoft Word documents. On the first day of each month, it tries to invade your privacy by copying your name (and your company’s name and your address) to an Internet site run by codebreakers.org. (If it successfully uploads your info, it doesn’t bother redoing it in future months.)

It uses whatever name and address you gave when you installed Microsoft Word. To see what name and address would be copied, go into Microsoft Word and then click “Tools” then “Options” then “User Information”.

Thus

(From the USA in August 1999) This macro virus infects Microsoft Word documents. It lurks there until December 13th, when it erases drive C. It’s called “Thus” because its macro program begins with the word “thus”.

Prilissa

(From the USA in November 1999) Here’s how this variant of Melissa differs from Melissa:

The e-mail’s subject says “Message from” and your name. The e-mail’s body says “This document is very Important and you've GOT to read this !!!”. Instead of printing a quotation from Bart Simpson, the virus waits until Christmas then does this:

1. It says “©1999 - CyberNET Vine...Vide...Vice...Moslem Power Never End... You Dare Rise Against Me... The Human Era is Over, The CyberNET Era Has Come!”

2. It draws several colored shapes onto the currently opened document.

3. It changes your AUTOEXEC.BAT file so that the next time you boot, the entire C drive will be erased (by reformatting) and you’ll see this message: “Vine...Vide...Vice...Moslem Power Never End... Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!”.

E-mail worms

An e-mail worm is a malicious program that comes as an e-mail attachment and pretends to be innocent fun.

The following e-mail worms are the most prevalent.…

Happy 99

(From the USA in January 1999) This program, called HAPPY99.EXE, comes as an e-mail attachment. If you open it, you see a window titled “Happy New Year 1999 !!”. In that window, you see a pretty firework display.

But while you enjoy watching the fireworks, the HAPPY99.EXE program secretly makes 3 changes to your SYSTEM folder (which is in your WINDOWS folder):

1. In that folder, it puts a copy of itself, and calls the copy SKA.EXE (which is why the Happy 99 worm is also called the SKA worm).

2. In that folder, it puts a file called SKA.DLL (by extracting SKA.DLL from HAPPY99.EXE).

3. It modifies that folder’s WSOCK32.DLL file, after saving that file’s original version as WSOCK32.SKA.

The modified WSOCK32.DLL file forces your computer to attach the Happy 99 worm to every e-mail you send. So in the future, whenever you send an e-mail, the person who receives your e-mail will also receive an attachment called HAPPY99.EXE. When the person double-clicks the attachment, the person will see the pretty firework display, think you sent it on purpose, and not realize you sent an e-mail worm virus.

To brag about itself, the virus keeps a list of everybody you sent the virus to. That list of e-mail addresses is in your SYSTEM folder and called LISTE.SKA.

Here’s how to get rid of the virus:

Disconnect from the Internet. (If you’re attached to the Internet by using a cable modem or local-area network instead of a simple phone line, disconnect by clicking “Start” then “Shut down” then “Restart in MS-DOS mode”.) Delete SKA.EXE and SKA.DLL from the SYSTEM folder (which is in the WINDOWS folder). In the SYSTEM folder, rename WSOCK32.DLL to WSOCK32.BAK and rename WSOCK32.SKA to WSOCK32.DLL. Delete the downloaded file, HAPPY99.EXE, from whatever folder you put it in. Look at the list of people in LISTE.SKA (which is an ASCII text file in the SYSTEM folder) and warn them that you sent them the Happy99 virus.

An updated version, called Happy 00, comes as a file called HAPPY00.EXE. It says “Happy New Year 2000!!” instead of “Happy New Year 1999 !!”.
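The removal steps above can be turned into a checklist that reports which Happy 99 traces are still in a SYSTEM folder and which addresses in LISTE.SKA need a warning. This is an added Python example, not code from the book; the function names and the sample folder are constructed, and the assumption is that LISTE.SKA holds plain e-mail addresses somewhere in its text.

```python
import os
import re
import tempfile

# Loose pattern for pulling e-mail addresses out of an ASCII text file.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def happy99_checklist(system_dir):
    """Return (remaining_steps, addresses_to_warn) for one SYSTEM folder."""
    # Windows 9x file names are case-insensitive, so compare in upper case.
    present = {name.upper(): name for name in os.listdir(system_dir)}
    steps = []

    # The worm's own files: its copy and the DLL it extracted.
    for artifact in ("SKA.EXE", "SKA.DLL"):
        if artifact in present:
            steps.append(f"delete {artifact}")

    # If the saved original still exists, WSOCK32.DLL is the modified copy.
    if "WSOCK32.SKA" in present:
        if "WSOCK32.DLL" in present:
            steps.append("rename WSOCK32.DLL to WSOCK32.BAK")
        steps.append("rename WSOCK32.SKA to WSOCK32.DLL")

    # The worm's log of recipients tells you whom to warn.
    addresses = []
    if "LISTE.SKA" in present:
        path = os.path.join(system_dir, present["LISTE.SKA"])
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            seen = set()
            for addr in EMAIL_RE.findall(fh.read()):
                if addr.lower() not in seen:  # report each person once
                    seen.add(addr.lower())
                    addresses.append(addr)
        steps.append(f"warn {len(addresses)} recipient(s) listed in LISTE.SKA")

    return steps, addresses


def demo():
    """Build a constructed 'infected' SYSTEM folder and run the checklist."""
    with tempfile.TemporaryDirectory() as system_dir:
        for name in ("Ska.exe", "SKA.DLL", "WSOCK32.DLL", "WSOCK32.SKA"):
            open(os.path.join(system_dir, name), "wb").close()
        with open(os.path.join(system_dir, "LISTE.SKA"), "w") as fh:
            # Constructed addresses; the repeat checks de-duplication.
            fh.write("joan@example.com\nbob@example.org\nJOAN@example.com\n")
        return happy99_checklist(system_dir)


if __name__ == "__main__":
    remaining, to_warn = demo()
    for step in remaining:
        print("TODO:", step)
    print("Warn:", ", ".join(to_warn))
```

An empty list of steps means none of the traces named in the text remain in that folder.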

Pretty Park

(From France in May 1999) This virus comes in an e-mail. The e-mail’s subject line, instead of saying “Important message”, says just “C:\CoolPrograms\Pretty Park.exe”. The e-mail’s body, instead of containing sentences, says just “Test: Pretty Park.exe :)” and shows a drawing of a boy wearing a hat. The boy is Kyle, from the “South Park” TV cartoon show. The icon is labeled “Pretty Park.exe”. If you double-click it, you’ll be opening an attachment called PrettyPark.exe, which is a virus.

Then you might see the 3D Pipes screensaver (which is one of the screensavers that you get free as part of Windows 98). But secretly, every 30 minutes, the virus peeks in Microsoft Outlook’s address book and sends copies of itself to your friends listed there. Every 30 seconds, it also tries to connect your computer to an Internet Relay Chat server computer, so the virus can invade your privacy by sending info about you and your computer to the virus’s author or distributor, though there’s no evidence that any private info about anyone has actually been transmitted yet.

This virus was first distributed in May 1999 by an e-mail spammer from France.

Explore ZIP

(From the USA in June 1999) This virus destroys all your Microsoft Word documents (and all other files that end in .doc), all your Excel spreadsheets (and all other files that end in .xls), all your PowerPoint presentations (and all other files that end in .ppt), all your assembly-language programs (and all other files that end in .asm), and all files that end in .h, .c, or .cpp.

It destroys the files by replacing them with files that have 0 length. Since the file names still exist, you won’t immediately notice that their contents are destroyed, and backup software won’t notice which files are gone. It destroys those files on drives C, D, E, etc. For example, if your computer is part of a network, the virus destroys those files on your hard drive and also on the network server’s hard drive.

It also looks in your e-mail’s Inbox (created by Outlook Express or Outlook or Exchange), notices any messages you haven’t replied to yet, and replies to them itself!

For example, if an e-mail from Joan with a subject line saying “Buy soap” hasn’t been replied to yet, the virus sends a reply whose subject is “Re: Buy soap” and whose body says:

Hi Joan! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye.

The reply comes with an attachment called zipped_files.exe. If the recipient opens that attachment, zipped_files.exe starts running. To fool the victim, it displays a fake error message (which begins by saying “Cannot open file”). Then it puts a copy of itself into the SYSTEM folder (which is in the WINDOWS folder); the copy is called “Explore.exe” or “_setup.exe”. It also modifies the “run” line in your computer’s WIN.INI file so the program will run each time Windows starts.

Here’s how to get rid of the virus:

Remove the “run=” line from your computer’s WIN.INI file (which is in the WINDOWS folder). While holding down the Ctrl and Alt keys, tap the Delete key; click any task named “Explore” or “_setup” (but not “Explorer”), then click the “End Task” button. Delete the file Explore.exe (or _setup.exe) from your SYSTEM folder (which is in the WINDOWS folder).
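The two ExploreZip traces described above (files emptied to 0 length, and a “run=” line in WIN.INI that starts the worm) can be checked for as follows. This is an added Python example, not code from the book; the function names, the sample WIN.INI text and the test folder are constructed, and the “load=” key is checked too because it is WIN.INI’s other autostart key.

```python
import os
import re
import tempfile

# File types the text says ExploreZip replaces with 0-length files.
TARGET_EXTS = {".doc", ".xls", ".ppt", ".asm", ".h", ".c", ".cpp"}
# Names the worm's copy uses in the SYSTEM folder, per the text.
WORM_NAMES = {"explore.exe", "_setup.exe"}

# Constructed sample of an infected WIN.INI (not from a real machine).
SAMPLE_WIN_INI = r"""
; constructed sample
[windows]
load=
run=C:\WINDOWS\SYSTEM\Explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def find_emptied_files(root):
    """Return relative paths of 0-length files with a targeted extension.

    An empty file can be legitimate; a cluster of empty documents and
    source files is the pattern worth investigating.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGET_EXTS and os.path.getsize(path) == 0:
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def suspicious_win_ini_entries(text):
    """Return (key, program) pairs from [windows] run=/load= naming the worm."""
    found = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key not in ("run", "load"):
            continue
        # One line may start several programs, separated by spaces or commas.
        for program in re.split(r"[,\s]+", value.strip()):
            base = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            # Exact match on the file name, so EXPLORER.EXE is not flagged.
            if base in WORM_NAMES:
                found.append((key, program))
    return found


def demo_scan():
    """Build a constructed folder tree and scan it for emptied files."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        samples = {
            "report.doc": b"",                     # emptied document
            "budget.xls": b"1,2,3",                # still has content
            "notes.txt": b"",                      # empty, but not a targeted type
            os.path.join("src", "main.c"): b"",    # emptied source file
            os.path.join("src", "util.H"): b"",    # extension case is ignored
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return find_emptied_files(root)


if __name__ == "__main__":
    print(demo_scan())
    print(suspicious_win_ini_entries(SAMPLE_WIN_INI))
```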

Free Link

(From the USA in July 1999) This virus sends, to people in Microsoft Outlook’s address book, an e-mail whose subject line says “Check this” and whose body says “Have fun with these links. Bye.” Clicking the e-mail’s attachment makes the virus infect the recipient’s computer and then tell the recipient, “This will add a shortcut to free XXX links on your desktop. Do you want to continue?”

If the recipient clicks “Yes”, the virus creates a shortcut icon pointing to an adult-sex Web site. But even if the recipient clicks “No”, the virus has already infected the computer and will use that computer to send e-mails, which will embarrass the computer’s owner when those e-mails reach the owner’s friends.

Kak

(From France in December 1999) If your computer gets infected by this virus, every e-mail you send by using Microsoft Outlook Express gets infected (unless you have Microsoft’s correction to this security hole). The virus infects by acting as an e-mail signature instead of an attachment, so everybody reading your e-mail will get infected, even if the recipients don’t look at any attachments.

If your computer is infected, it will do this at 5PM on the first day of each month: it will protest against Microsoft by saying “Kagou-Anti-Kro$oft says not today!” and then the computer will shut itself down (as if you had clicked “Start” then “Shut Down” then “OK”).

The virus is called Kagou-Anti-Krosoft, which is abbreviated as Kak. Its main file is KAK.HTM, which is put into your Windows folder. It temporarily puts a file called KAK.HTA into your Startup folder but erases that file when you reboot.

Here are 5 signs that you’ve been infected by the virus:

1. Your Windows folder contains KAK.HTM.

2. If you click “Start” then “Programs” then “Startup”, you see a reference to “kak”.

3. If you click “Start” then “Programs” then “Find” then “Files or Folders” then type “kak” (and press ENTER), you see a reference to “kak” (besides any references to “kakworm”, which are harmless documents from antivirus sites). If you see a reference to “kak”, delete it by clicking it (just once) then pressing SHIFT with DELETE then pressing ENTER.

4. Your AUTOEXEC.BAT file mentions “kak.hta”.

5. While using Outlook Express, if you click “Tools” then “Options” then “Signatures”, the File box is white (instead of gray) and says “C:\WINDOWS\kak.htm”.

Love Bug

(From the Philippines in May 2000) This virus comes in an e-mail whose subject line says “ILOVEYOU”. The e-mail’s body says “kindly check the attached LOVELETTER coming from me.” and comes with an attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. That attachment is the virus. When you activate it (by clicking the attachment), the virus infects your computer and does 3 dastardly deeds:

It sends a copy of itself to everybody in your Microsoft Outlook address book. This will embarrass you, when everybody in your address book gets an e-mail that says “ILOVEYOU”. Your boss, assistant, colleagues, customers, friends, and ex-friends will all be surprised to get an e-mail saying that you love them and sent them a love letter. (They’ll be upset later when they discover the “love letter” is a virus you gave them!)

It wrecks graphics files and some programs. Specifically, it wrecks all files whose names end in .jpg, .jpeg, .vbs, .vbe, .js, .jse, .css, .wsh, .sct, and .hta. It wrecks them by renaming the files and inserting copies of itself into the files. Also, it hides music files (all files that end in .mp3 or .mp2), so you can’t use those files until you “unhide” them. When looking for files to wreck or hide, it looks at your computer’s hard drive and also the hard drives of any network server computers you’re attached to.

It tries to make your computer download, from an Internet Web site in the Philippines, a program misleadingly called WIN-BUGSFIX.EXE. That program tries to steal your passwords by e-mailing them to a Philippines e-mail address called MAILME@SUPER.NET.PH. To that address, it tries to secretly send your Internet passwords, network passwords, your own name, your computer’s name, and your Internet settings, so the virus inventor’s computer can imitate yours and have all your Internet and network privileges.

This virus spread faster than all other viruses.

It began in the Philippines on May 4, 2000, and spread across the whole world in one day (traveling from Hong Kong to Europe to the United States), infecting 10% of all computers connected to the Internet and causing about 7 billion dollars in damage. Most of the “damage” was the labor of getting rid of the virus and explaining to recipients that the sender didn’t mean to say “I love you”. The Pentagon, CIA, and British Parliament all had to shut down their e-mail systems to get rid of the virus — and so did most big corporations. It did less damage in India (where employees are conservative and don’t believe “I love you” messages) and the Philippines (where few people use the Internet because it’s so expensive).


An international manhunt for the perpetrator finally led to a 23-year-old computer student in the Philippines city of Manila.

On May 11th (one week after the virus spread), he held a news conference. Accompanied by his lawyer and sister, he said his name was Onel de Guzman and that he didn’t mean to do so much harm.

In the Philippines, Internet access normally costs 100 pesos ($2.41) per hour, and 100 pesos is a half day’s wages! For his graduation thesis in computer science, he created a program that would help low-income Filipinos get free access to the Internet by stealing passwords from rich people. The university rejected his thesis because it was illegal, so he couldn’t graduate. Helped by a group of friends called the Grammersoft Group (which was in the business of illegally selling theses to other students), he made his virus be fancy and distributed it the day before the school held its graduation ceremony.

The middle of the virus’s program says the virus is copyright by “Grammersoft Group, Manila, Philippines” and mentions his college. The authorities found him by checking (and shutting down) the Philippine Web sites and e-mail addresses that the virus uses (to steal passwords), chatting with the college’s computer-science department, looking for the Grammersoft Group in Manila, and comparing the virus with earlier viruses written by his friends.

But charges against him were finally dropped, since the Philippines had no laws yet against creating viruses.

It’s called the Love Bug because it’s a virus (bug) transmitted by a love letter. It’s also called the Love Letter virus and the Killer from Manila.

Copycats have edited the virus’s program and created 28 variants. The original version is called version A. Here are examples of other versions:

Version A (the original version) says “ILOVEYOU” then “kindly check the attached LOVELETTER coming from me.” It attaches “LOVE-LETTER-FOR-YOU.TXT.vbs”.

Version C (“Very Funny”) says “fwd: Joke” then has a blank body. It attaches “Very Funny.vbs”.

Version E (“Mother’s Day”) says “Mothers Day Order Confirmation” then “We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com”. It attaches mothersday.vbs.

Version M (“Arab Air”) says “Thank You For Flying With Arab Airlines” then “Please check if the bill is correct, by opening the attached file”. It attaches ArabAir.TXT.vbs.

Version Q (“LOOK!”) says “LOOK!” then “hehe…check this out.” It attaches LOOK.vbs.

The following variants pretend to cure the virus but actually are viruses themselves:

Version F says “Dangerous Virus Warning” then “There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.” It attaches virus_warning.jpg.vbs.

Version G says “Virus Alert!!!” then a long message. This version also wrecks .bat and .com files.

Version K says “How to protect yourself from the ILOVEYOU bug!” then “Here’s the easy way to fix the love virus.” It attaches Virus-Protection-Instructions.vbs.

Version T says “Recent Virus Attacks — Fix” then “Attached is a copy of a script that will reverse the effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, Mother’s Day and Lithuanian siblings.” It attaches BAND-AID.DOC.VBS. This version also wrecks many other files, and it totally deletes .mp3 and .mp2 files.

Version W says “IMPORTANT: Official virus and bug fix” then “This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.” It attaches “Bug and virus fix.vbs”.

Version AC says “New Variation on LOVEBUG Update Antivirus!!” then “There is now a newer variant of love bug. It was released at 8:37 PM Saturday Night. Please Download the following patch. We are trying to isolate the virus. Thanks Symantec.” It attaches antivirusupdate.vbs.


Life Stages

(From the USA in May 2000) Here’s a famous comment about life stages:

The male stages of life:

Age   Seduction line

17      “My parents are away for the weekend.”

25      “My girlfriend is away for the weekend.”

35      “My fiancée is away for the weekend.”

48      “My wife is away for the weekend.”

66      “My second wife is dead.”

Age   Favorite sport

17      sex

25      sex

35      sex

48      sex

66      napping

Age   Definition of a successful date

17      “Tongue!”

25      “Breakfast!”

35      “She didn’t set back my therapy.”

48      “I didn’t have to meet her kids.”

66      “Got home alive!”

The female stages of life:

Age   Favorite fantasy

17      tall, dark, and handsome

25      tall, dark, and handsome, with money

35      tall, dark, and handsome, with money and a brain

48      a man with hair

66      a man

Age   Ideal date

17      He offers to pay.

25      He pays.

35      He cooks breakfast next morning.

48      He cooks breakfast next morning for the kids.

66      He can chew his breakfast.

The Life Stages virus tries to e-mail that comment, but the transmission is imperfect: the virus misspells “handsome” as “hansome” and makes other errors in spelling and punctuation.

The e-mail’s subject is “Life stages” or “Funny” or “Jokes”, with maybe the word “text” afterwards, and maybe “Fw:” beforehand. So there are 12 possible subjects, such as this: “Fw: Life stages text”. (The computer chooses among the 12 at random.) By having 12 possible subjects instead of 1, the virus is harder for antivirus programs to stop.

The e-mail’s body says “The male and female stages of life”. Attached to it is a file that pretends to be just a simple text document called LIFE_STAGES.TXT, but actually it’s a virus program called LIFE_STAGES.TXT.SHS. The .SHS means it’s a SHell Scrap object program. When you open it, you see the comment about the stages of life. (You see it in a Notepad window.) While you read that comment, the virus secretly infects your computer, so your computer transmits the virus to 100 randomly-chosen people in your Outlook address book and to Internet chat groups.

After e-mailing the virus to your friends, the computer erases those e-mails from your Sent folder, so you don’t know the e-mails were sent. To stop you from eradicating the virus by editing the registry, the virus changes the name of the computer’s REGEDIT.EXE program to “RECYCLED.VXD”, then moves it to the Recycle Bin and makes it a hidden file so you can’t see it.

The virus is called Life Stages (or just Stages). You can remove it by using the Internet to go to www.symantec.com/avcenter/venc/data/fix.vbs.stages.html.
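The Love Bug variants and Life Stages both rely on an attachment whose name looks like a harmless document but ends in a script or program type, and Life Stages also rotates among 12 subjects. The following added Python example (not code from the book; the function names and the “deliver/quarantine/block” actions are constructed for illustration) shows why a filter keyed on one fixed subject misses most copies while a check on the attachment’s final extension catches them all.

```python
import re

# Script and program types named on this page; opening one runs code.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta",
                   "shs", "scr", "exe", "com", "bat"}
# Types a reader expects to be harmless data.
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "xls", "ppt", "mp3"}

# One pattern for all 12 Life Stages subjects described in the text.
LIFE_STAGES_RE = re.compile(
    r"^\s*(?:fw:\s*)?(?:life stages|funny|jokes)(?:\s+text)?\s*$",
    re.IGNORECASE,
)


def life_stages_subjects():
    """Enumerate the 2 x 3 x 2 = 12 subjects the text describes."""
    return [pre + base + post
            for pre in ("", "Fw: ")
            for base in ("Life stages", "Funny", "Jokes")
            for post in ("", " text")]


def classify_attachment(filename):
    """Return 'ok', 'executable' or 'disguised' from the name alone.

    Only the LAST extension decides what Windows does with the file;
    a data-looking extension just before it is there to mislead.
    """
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "disguised"
    return "executable"


def triage(subject, attachments):
    """Return (action, reasons). The subject is recorded but never decisive,
    because a subject such as "Funny" is also used by innocent mail."""
    reasons = []
    if LIFE_STAGES_RE.match(subject):
        reasons.append("subject matches Life Stages pattern")
    action = "deliver"
    for name in attachments:
        verdict = classify_attachment(name)
        if verdict == "disguised":
            action = "block"
            reasons.append(f"{name}: program disguised as a document")
        elif verdict == "executable":
            if action != "block":
                action = "quarantine"
            reasons.append(f"{name}: runs code when opened")
    return action, reasons


def subject_coverage():
    """Count how many of the 12 subjects each kind of rule recognizes."""
    subjects = life_stages_subjects()
    exact = sum(s == "Life stages" for s in subjects)
    pattern = sum(bool(LIFE_STAGES_RE.match(s)) for s in subjects)
    return len(set(subjects)), exact, pattern


if __name__ == "__main__":
    print(subject_coverage())
    # Attachment names taken from the text above.
    for name in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "Very Funny.vbs",
                 "virus_warning.jpg.vbs", "BAND-AID.DOC.VBS",
                 "LIFE_STAGES.TXT.SHS"):
        print(name, "->", classify_attachment(name))
```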

Snow White

(From the USA in September 2000) This virus offers to tell you a naughty story about Snow White.

It comes in an e-mail whose subject line tries to say “Snow White and the Seven Dwarfs — the REAL story!” and claims to be from hahahaha@sexyfun.net. The e-mail’s body tries to send this message:

Today, Snow White was turning 18. The 7 dwarfs always were very educated and polite with Snow White. When they went out to work in the morning, they promised a HUGE surprise. Snow White was anxious. Suddenly, the door opens, and the Seven Dwarfs enter….

It sends that subject and message in slightly flawed English (for example, it says “Snowhite” instead of “Snow White”) or in French, Spanish, or Portuguese — because the virus is smart enough to analyze your computer to find out which language you seem to prefer!

To find out the rest of the sexy story, you’re encouraged to open the attachment (which the English version calls “sexyvirgin.scr” or “midgets.scr” or “dwarf4you.exe” or “joke.exe”). If you click that attachment, you’ll launch the multilingual virus, which will infect your WSOCK32.DLL file and thereby watch you forevermore! Whenever you send or receive an e-mail (or view a Web site that mentions an e-mail address), the virus will notice, then delay awhile, then send itself to that e-mail address; so if you try to send an e-mail to a friend, your friend will get two e-mails from you, the second one being the Snow White story with virus.

The virus tries to communicate with a newsgroup called alt.comp.virus so it can send and receive new fancier versions of itself by swapping intelligence with copies that are on other computers. For example, one of the new fancy features puts a spinning spiral onto your computer screen once an hour (whenever your computer’s clock says the number of minutes is 59). To drive you extra crazy, the spiral also appears all day on September 16 & 24. Another fancy feature copies the virus into all your .EXE files, so that those files will still run but are infected, making the virus hard to remove.

The virus is also called Hybris, since the attachment includes a copyright notice saying the virus is called “HYBRIS (c) Vecna”.

Magistrate

(From Sweden in March 2001) This virus, called Magistrate or Magistr, targets magistrates, judges, and lawyers.

After your computer is infected, it spreads to your colleagues by e-mail and networks. Then it waits, still lurking in your computer.

If 2 months have passed, then on odd-numbered days your desktop’s icons will run away from the mouse pointer whenever you try to click them.

If 3 months have passed, the infected file is deleted.

If you’re a judge or lawyer, this virus is especially dangerous, because of this rule: if at least 1 month has passed and at least 100 colleagues were infected and at least 3 of your files contain at least 3 legal phrases (in English, French, or Spanish), it wrecks your computer thoroughly, by doing all this:

It erases the infected file.

It erases your CMOS & flash BIOS chip (so you can’t restart your computer).

It wrecks every 25th file (by changing it to repeatedly say “YOUARESHIT”).

It deletes every other file.

It makes the screen say this:

Another haughty bloodsucker...

YOU THINK YOU ARE GOD,

BUT YOU ARE ONLY A CHUNK OF SHIT

It wrecks a sector on your first hard disk (by putting different info there).


For example, here are the English legal phrases it looks for:

sentences you, sentence you to, sentences him to, ordered to prison

convict, found guilty, find him guilty, guilty plea, against the accused

affirmed, sufficiency of proof, sufficiency of the evidence

verdict, judgment of conviction, proceedings, habeas corpus

circuit judge, trial judge, trial court, trial chamber, “, judge”

The virus program includes this note (which isn’t printed on the screen):

ARF! ARF! I GOT YOU!

virus: Judges Disemboweler.

by: The Judges Disemboweler.

Written in Malmo (Sweden)

The virus comes in a strange e-mail:

The e-mail’s body is an excerpt from a .DOC or .TXT document that was on the sender’s disk. The e-mail’s attachment is an infected copy of an .EXE or .SCR program that was on the sender’s disk. In the e-mail’s return address (“From:”), the virus usually alters the second character, to prevent the recipient from replying to the sender and complaining about receiving a virus.

Sircam

(From the USA in July 2001) Of all the viruses, this virus does the most to destroy your privacy, because it grabs a document you wrote and secretly sends it to somebody you never intended!

This virus can get very embarrassing. For example, if you wrote a private note, to a friend, about how much you hate your boss, the virus might secretly send that note to your boss!

It sends e-mail to every e-mail address mentioned in your address book or your Web cache.

Each e-mail it sends has a 3-line body. The top line says:

Hi! How are you?

The middle line is one of these:

I send you this file in order to have your advice

I hope you can help me with this file that I send

I hope you like the file that I sendo you

This is the file with the information that you ask for

The bottom line says:

See you later. Thanks

Exception: if your computer uses Spanish instead of English, the 3-line message is sent in Spanish.

Attached to the e-mail is a document, which you created by using Microsoft Word or WordPad or Excel or Winzip, and which the virus copied from your “My Documents” folder. The attached copy is infected with the virus; so while the recipient reads the document, the recipient’s computer gets secretly infected. The document’s name is used as the e-mail’s subject.

If you’re on a local-area network, the virus tries to spread itself to the rest of the network. The virus is supposed to also destroy some files; but the guy who invented the virus made a programming error, so the destruction never gets done.

Nimda

(From the USA in September 2001) If you spell “admin” backwards, you get “nimda”, which is the name of this virus. It spreads by e-mail and through networks. Its main purpose is to attack the security of a network server, by making every “guest” user get “administrator” privileges, so a hacker can log in as a guest and take over the whole computer network.

When being transmitted through e-mail, the virus comes as an e-mail attachment called README.EXE, in an e-mail that has a blank body and usually a blank subject.

If you receive such an e-mail, you’ll get infected even if you don’t open the attached README.EXE file: just staring at the e-mail’s blank body will infect you, since this virus uses a trick called “Automatic Execution of Embedded MIME type”. That trick makes the virus spread fast.

To confuse you, the virus sends out the e-mails, then goes dormant for 10 days, then sends out e-mails again, then goes dormant again, alternating forever. During each 10-day dormancy period, it sends no e-mails, so you think you’ve been “cured”; you get annoyed and confused when 10 days later you get another burst of e-mails.

To make sure you don’t erase the virus, it hides copies of itself throughout your computer’s .EXE files and some .TMP files.

A variant called Nimda.E comes in an attachment called SAMPLE.EXE instead of README.EXE.

Klez

(From China in October 2001) This virus comes in 9 versions, called Klez.A, Klez.B, Klez.C, Klez.D, Klez.E, Klez.F, Klez.G, Klez.H, and Klez.I. The most common is Klez.H. Here’s how Klez.H works.…

If your computer is infected, the virus looks all over your computer’s hard disk for e-mail addresses, then forces the computer to send an e-mail to each of those people.

The virus uses a trick called address spoofing: the virus makes each e-mail message pretend to be from an innocent bystander instead of from you. In the e-mail’s “From” field, instead of your return e-mail address, the virus inserts the e-mail address of an innocent bystander — an innocent uninfected person whose e-mail address happened to be on your computer’s hard disk (such as your Inbox or Outbox). When the e-mail you sent reaches its victim, if the victim is using an antivirus program and notices the virus, the victim will blame the innocent bystander instead of you. You’ll never be warned that you’re spreading the virus, and you’ll keep infecting more people, without you or your friends knowing that you’re the spreader.

Another trick: Klez.H often comes in this e-mail, which pretends to be protection against Klez.E but actually contains Klez.H. The e-mail’s subject is “Worm Klez.E immunity” and the body says the following (I’ve edited out some bad grammar):

Klez.E is the most common worldwide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-antivirus technique, most common antivirus software can’t detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once, and then Klez will never come into your PC. Note: because this tool acts as a fake Klez to fool the real worm, some antivirus programs might complain when you run it. If so, ignore the warning and select “continue”. If you have any question, please mail to me.

That e-mail is a lie: the e-mail itself contains the Klez.H virus.

Klez.H often comes instead in an e-mail containing an attached innocent document copied from the sender’s computer. Klez.H borrowed that technique from Sircam.

Klez.H can also come in an e-mail, pretending to be from your ISP’s postmaster, saying that you sent an e-mail that bounced and to look at the attached file.

Like Nimda, Klez.H can infect you even if you don’t open the attachments. Klez.H contains routines to disable and destroy antivirus programs. Klez.H gives you a present: a second virus, called Elkern. Klez.H and Elkern try to corrupt all your computer’s programs by inserting themselves into each program.

The virus is called “Klez” because it contains this message, which is not displayed:

Win323 Klez V2.01 & Win32 Foroux V1.0

Copyright 2002,made in Asia

Beagle

(From Germany in January 2004) This virus began as a program named bbeagle.exe, so it’s called “Beagle”, but some reporters made an error and accidentally called it “Bagle”. If you hear about a “Bagle” virus, it has nothing to do with bagels you eat for breakfast! As a joke, many virus experts now call it the “Bagle” virus.

The original version of this virus, Beagle.A, was polite: it was invented on January 18, 2004 but was programmed to stop spreading itself on January 28, 2004. So after January 28, 2004, no more people would get infected by Beagle!

Beagle.A did no harm except spread itself. Its main symptom was that it automatically turned on the Windows Calculator program, calc.exe (which you’d otherwise run manually by clicking Start then Programs then Accessories then Calculator).

Unfortunately, many other versions of Beagle were invented afterwards: Beagle.B, Beagle.C, etc., up through Beagle.X. They’re nastier and compete against the Netsky virus, described below.

Netsky

(From Germany in February 2004) A 17-year-old German high school student, Sven Jaschan, called himself SkyNet and invented a virus called Netsky. Then he wrote 27 more versions of it — and invented a more powerful virus, called Sasser.

Those viruses, especially Sasser, screwed up millions of computers around the world and made people distrust the security of Windows XP. Microsoft offered a reward of 140,000 euros to find out who wrote those viruses. In May 2004, Sven’s friends turned him in, to collect the reward, and he confessed. Under German law, he could receive up to 5 years in jail, though the court will probably be lenient since he was under 18 when he wrote the viruses.

His mom, Veronika, runs a computer consulting company called “PC Help” from her basement, and cynics think Sven wrote the viruses there to create more business for her, but probably his main goal was just to compete against the writer of Beagle. Newspapers call him the “world’s most annoying teenager”.

Here’s how Netsky works. (I’ll explain Sasser on the next page.)

Netsky.A The first version of Netsky, called Netsky.A, came in this e-mail:

Subject: Auction successful!

Congratulations! You were successful in the auction. A detailed description about the product and the bill are attached to this mail. Please contact the seller immediately. Thank you!

Gee, if you got an e-mail like that, you’d be real tempted to read the attachment, wouldn’t you? The attachment contains the virus.

To further convince you that the e-mail is real, the e-mail’s body includes an Auction ID number and a Product ID number (which are fake), and the e-mail’s address is spoofed (so it pretends to be from “EBay Auctions” or “Yahoo Auctions” or one of their competitors).

That’s Netsky.A. Later came more powerful variants, called Netsky.B, Netsky.C, etc., up through Netsky.Z, then Netsky.AA, Netsky.AB, and Netsky.AC.

Netsky.P The most widely distributed version of Netsky is Netsky.P, which is smart: it can generate many kinds of e-mail subjects and e-mail bodies, by choosing them from a long list inside the virus.

For example, here are some of the subjects and bodies it can send you:


Subject: Re: Your document

You document is attached.

Subject: Re: Is that your document?

Can your confirm it?

Subject: Re: Question

I have corrected your document.

Subject: You cannot do that!

I am shocked about your document!

Subject: Sample

I have attached the sample.

Subject: Re: Order

Thank you for your request. Your details are attached!

Subject: Thank you!

Your bill is attached to this mail.

Subject: I cannot forget you!

Your big love, ;-)

Subject: Re: Old photos

Greetings from France,

Your friend

Subject: Your day

Congratulations!

Your best friend

Subject: Sex pictures

Here is the website. ;-)

Subject: Does it matter?

Your photo, uahhh… you are naked!

Subject: Re: Hi

I have attached your file. Your password is jk144563.

Subject: Protected Mail System

Protected message is attached.

Subject: Stolen document

I found this document about you.

Subject: Spam

I have visited this website and I found you in the spammer list. Is that true?

Subject: Illegal Website

See the name in the list! You have visited illegal websites. I have a big list of the websites you surfed.

Subject: Fwd: Warning again

You have downloaded these illegal cracks?

Subject: Mail Delivery (failure)

Message has been sent as a binary attachment.

Subject: Administrator

Your mail account has been closed.

Subject: Re: Submit a Virus Sample

The sample file you sent contains a new virus version of Mydoom.j. Please clean your system with the attached signature.

Sincerely,

Robert Ferrew

Subject: Re: Virus Sample

The sample file you sent contains a new virus version of Buppa.k. Please update your virus scanner with the attached dat file.

Best Regards,

Keria Reynolds

Subject: Hello

I hope the patch works.

Subject: Re: Hi

Please answer quickly!

At least one of those e-mails will make you curious enough to open the attachment, which contains the virus.

To encourage you to open the attachment, the virus pretends the attachment was approved by an antivirus program. The body ends with a comment such as —


+++ Attachment: No Virus found

+++ McAfee AntiVirus — www.mcafee.com

or a similar comment mentioning one of the other 7 antivirus companies. The comment is a lie, written by the virus itself!
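A mail gateway can treat such a banner as a warning sign, since any scan result written inside the body comes from the sender. The sketch below is an added example, not code from the book; the extension list, verdict names and attachment name are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# A "scanned clean" banner inside the body is sender-controlled text, not evidence.
SCAN_CLAIM = re.compile(r"^\+\+\+\s*Attachment:\s*No Virus found", re.I | re.M)
VENDOR_BANNER = re.compile(r"^\+\+\+.*anti-?virus", re.I | re.M)
# Assumption: extensions this hypothetical gateway treats as executable content.
RISKY_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")

def build(subject, body, attachment=None):
    """Build a constructed test message; attachment is (filename, bytes)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

def triage(msg):
    """Return (verdict, reasons) for one parsed message."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    reasons = []
    if SCAN_CLAIM.search(text):
        reasons.append("body vouches for its own attachment")
    if VENDOR_BANNER.search(text):
        reasons.append("antivirus vendor banner in body")
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    if risky:
        reasons.append("executable-type attachment: " + ", ".join(risky))
    # A banner alone is only odd; together with an attachment it is a lure.
    verdict = "quarantine" if names and reasons else "deliver"
    return verdict, reasons

# Constructed sample: subject, body and banner are modelled on the page's
# examples; the attachment name and bytes are placeholders made up here.
SAMPLE = build(
    "Re: Question",
    "I have corrected your document.\n\n"
    "+++ Attachment: No Virus found\n"
    "+++ McAfee AntiVirus - www.mcafee.com\n",
    ("document.pif", b"placeholder bytes, not a real program"),
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```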

Even if you don’t open the attachment, you can get the virus just by reading the body (on an outdated buggy version of Outlook Express or Outlook).

Netsky.P erases some other viruses, so that Netsky.P will be the remaining, dominant virus on your machine and SkyNet will be acknowledged as the master of evil. (But Netsky.P will not erase the Sasser virus, which was created by SkyNet also! Netsky.AB pretends to erase the Sasser virus but doesn’t.)

To taunt the competitor who wrote the Beagle virus (which is also called “Bagle”), Netsky.P contains this message (which is not displayed):

Bagle, do not delete SkyNet. You fucked bitch! Wanna go into a prison? We are the only AntiVirus, not Bagle. Shut up and take your butterfly!

— Message from SkyNet AV Team

Let’s join an alliance, Bagle!

 

DoS attacks

Your computer can attack an Internet Web-site server computer (called the target) by sending so many strange requests to the target computer that the target computer can’t figure out how to respond to them all. The target computer gets confused and becomes so preoccupied worrying about your requests that it ignores all other work it’s supposed to be doing, so nobody else can access it. Everybody who tries to access it is denied service because it’s too busy. That’s called a denial-of-service attack (DoS attack).

In the attack, the “strange request” asks the target computer to reply to a message; but when the target computer tries to reply, it gets flummoxed because the return address is a spoof (a fake address that doesn’t exist). The target computer tries to transmit to the fake address and waits hopelessly for acknowledgement that the reply was received. While the target computer waits for the acknowledgement, the attacking computer keeps sending more such requests, until the target computer gets overloaded, gives up, and dies.
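On the target's side, the replies still waiting for an acknowledgement show up as half-open connections, which a defender can count. The following is an added example, not from the book: it assumes the traffic is TCP and that the connection table is in `ss -tan` column order, and its thresholds and sample rows are constructed for illustration.

```python
from collections import Counter

def parse(lines):
    """Yield (state, local_port, peer_ip) from `ss -tan`-style rows."""
    for line in lines:
        f = line.split()
        # Skip the header and anything that is not a 5-column connection row.
        if len(f) != 5 or ":" not in f[3] or ":" not in f[4]:
            continue
        yield f[0], f[3].rsplit(":", 1)[1], f[4].rsplit(":", 1)[0]

def half_open_report(lines, min_half_open=20, max_ratio=0.5):
    """Flag listening ports where unanswered handshakes dominate the table."""
    half, total, peers = Counter(), Counter(), {}
    for state, port, peer_ip in parse(lines):
        total[port] += 1
        if state == "SYN-RECV":      # reply sent, acknowledgement never arrived
            half[port] += 1
            peers.setdefault(port, set()).add(peer_ip)
    alerts = {}
    for port, n in half.items():
        ratio = n / total[port]
        if n >= min_half_open and ratio > max_ratio:
            alerts[port] = {
                "half_open": n,
                "ratio": round(ratio, 2),
                # Many distinct peers that never answer suggests spoofed sources.
                "distinct_peers": len(peers[port]),
            }
    return alerts

def constructed_snapshot(flood=True):
    """Constructed rows using documentation-only address ranges."""
    rows = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    rows += [f"ESTAB 0 0 192.0.2.10:443 203.0.113.{i}:5{i:04d}" for i in range(1, 6)]
    rows += [f"ESTAB 0 0 192.0.2.10:80 203.0.113.{i}:6{i:04d}" for i in range(1, 4)]
    if flood:
        rows += [f"SYN-RECV 0 0 192.0.2.10:80 198.51.100.{i}:4{i:04d}"
                 for i in range(1, 41)]
    return rows

if __name__ == "__main__":
    print(half_open_report(constructed_snapshot()))
```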

Denial-of-service attacks were invented in 1997. In March 1998, denial-of-service attacks successfully shut down Internet computers run by the Navy, the US space agency (NASA), and many universities.

Distributed DoS attacks

In the summer of 1999, an extra-powerful denial-of-service attack was invented. It’s called a distributed denial-of-service attack (DDoS attack). Here’s how it works:

A virus spreads by e-mail to thousands of innocent computers (which are then called zombie agents or drones). The virus waits in those computers until a preset moment, then forces all those computers to simultaneously attack a single Internet target computer by sending strange requests to that computer, thereby overloading that computer and forcing it to deny service to other customers.

The first DDoS attack viruses were Trin00 and Tribe Flood Network (TFN). Shortly afterwards came versions that were more sophisticated: Tribe Flood Network 2000 (TFN 2K) and Stacheldraht (which is the German word for “barbed wire”).

Those viruses are flexible: you can teach them to attack any target. Though the inventors of those viruses said they were just “experiments”, other folks used those viruses to attack Yahoo and many other Web sites in February 2000. The attacks were successful: they shut down Yahoo, CNN.com, Amazon.com, eBay.com, eTrade.com, Buy.com, Datek.com, and the FBI’s Web site.

Blaster

(From the USA in August 2003) The Blaster virus tries to launch a DDoS attack against Microsoft, specifically against microsoft.windowsupdate.com. After Blaster was unleashed, Microsoft quickly reorganized its Web site (by stopping www.windowsupdate.com from redirecting people to microsoft.windowsupdate.com), so no lasting damage has been done to Microsoft.

But Blaster has a nasty side effect:

While Blaster makes your computer try to attack Microsoft’s Web site — and also send copies of Blaster to every other address on the Internet (by generating random Internet address numbers) — it makes your computer reboot every 60 seconds, if you’re using Windows XP or Windows Server 2003. (If you’re using Windows NT or 2000, it just makes your computer become slow, unstable, unreliable, and unresponsive.)

Blaster infects just Windows XP and variants (Windows Server 2003, Windows 2000, and Windows NT). Blaster does not infect Windows 95, 98, or Me.

Blaster can spread through any Internet connection, not just through e-mail. Whenever your computer is connected to your Internet Service Provider (ISP), you can get infected, even if you’re not using e-mail and not using the Web.

The virus is called msblast.exe and puts itself in your Windows folder.

To protect against this virus, download Microsoft’s correction to Windows XP (and variants) from Microsoft’s Web site (windowsupdate.microsoft.com). If you’ve already been infected by the virus, here’s how to get rid of the virus (if you’re using Windows XP):

Unplug your computer from the Internet (by detaching the computer from the Internet cable or phone wire).

Create a firewall by doing this: click “start” then “Connect To”; right-click your Internet connection; click “Properties” then “Advanced”; put a check mark in the “Protect my computer” box (by clicking); click “OK”; close the Network Connections window (by clicking its X button).

Interrupt the virus by doing this: while holding down the Ctrl and Alt keys, tap the Delete key; click “Processes”; scroll down the list of programs until you see “Msblast.exe”; click “Msblast.exe” then “End Process”; close the Windows Task Manager window (by clicking its X button).

Delete the virus by doing this: click “start” then “Search” then “All files and folders”; type “msblast”; click the msblast icon; while holding down the SHIFT key, tap the Delete key; press ENTER.

Update Windows XP (by plugging your computer back into the Internet and going to windowsupdate.microsoft.com).

Get an updated antivirus program and run it.

Sasser

(From Germany in April 2004) Sasser is a Blaster variant invented by Sven Jaschan (the same kid who wrote the Netsky virus). Like Blaster, Sasser spreads to other computers by any ISP connection, makes computers reboot, and can be stopped by creating a firewall and updating Windows.

Sasser affects just Windows XP and Windows 2000. (It does not affect Windows 95, 98, Me, NT, or Server 2003.)

Sasser comes in 3 versions.

Sasser.A is called avserve.exe.

Sasser.B and Sasser.C are called avserve2.exe.

Blaster creates a DDoS attack (on Microsoft), but Sasser does not create any DDoS attack: it just spreads itself rapidly to computers all over the world.
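The file names given above for Blaster and Sasser can be swept for across a folder tree instead of searching by hand. This is an added example, not from the book; it matches names case-insensitively because the page itself shows both “msblast.exe” and “Msblast.exe”, and its demo tree holds only empty placeholder files.

```python
import os
import tempfile

# File names and the worm each belongs to, as the page gives them.
KNOWN_NAMES = {
    "msblast.exe": "Blaster",
    "avserve.exe": "Sasser.A",
    "avserve2.exe": "Sasser.B or Sasser.C",
}

def find_worm_files(root):
    """Walk root; return sorted (family, path) for every matching file name."""
    hits = []
    # onerror ignores unreadable folders so one denied directory does not stop the sweep.
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            # Windows file names are case-insensitive, so compare in lower case.
            family = KNOWN_NAMES.get(name.lower())
            if family:
                hits.append((family, os.path.join(folder, name)))
    return sorted(hits)

def constructed_demo():
    """Build a throwaway tree of empty placeholder files and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        for rel in ("Msblast.exe", "notepad.exe",
                    "system32/AVSERVE2.EXE", "system32/avserve.exe.txt"):
            open(os.path.join(root, rel), "w").close()
        return [(fam, os.path.relpath(path, root).replace(os.sep, "/"))
                for fam, path in find_worm_files(root)]

if __name__ == "__main__":
    for family, path in constructed_demo():
        print(family, path)
```

A name match is only a lead for cleanup: a renamed copy will not be found, and an unrelated file could share one of these names.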