This chapter comes from the 34th edition of the "Secret Guide to Computers & Tricky Living," copyright by Russ Walter. To read the rest of the book, look at www.SecretFun.com.

Security

These tips will help keep your computer secure, so you’ll have fewer problems and need fewer repairs.

 

Back up your work

When you’re typing lots of info into a word-processing program (or any similar program), the stuff you’ve typed is in the computer’s RAM. Every 10 minutes, copy that info onto the hard disk, by giving the Save command. (To learn how to give the Save command, read my word-processing chapter.)

That way, if the computer breaks down (or you make a boo-boo), the hard disk will contain a copy of most of your work, and you’ll need to retype at most 10 minutes’ worth.

Don’t trust automatic backups

If your word-processor is modern, it has a feature called “automatic timed backup”, which can make the computer automatically save your document every 10 minutes. Don’t trust that automatic feature! It might be saving your latest error instead of what you want.

For example, if you accidentally wreck part of your document and then automatic timed backup kicks in, you’ve just replaced your good, saved document by a wrecked one, and the good one is gone forever. Give the Save command manually, so that you, not the computer, decide when and what to save.

Split into chapters

If you’re using a word-processing program to type a long book, split the book into chapters. Make each chapter be a separate file. That way, if something goes wrong with the file, you’ve lost just one chapter instead of the whole book.

Make extra backups

Besides saving your work in the hard disk’s main folder (which is typically called “My Documents”), make extra copies of your work also, in case you or colleagues wreck what’s in My Documents accidentally — or an enemy or virus wrecks it maliciously.

While writing this book, I made several copies of it, to make sure I wouldn’t lose what I wrote:

I copied it onto paper (by telling the computer to “print” the document).

I copied it onto a USB flash drive (by doing the “Send to USB flash drive” procedure on pages 96-97).

I copied it onto a CD and floppy disk (by using procedures explained in earlier editions of this book).

I copied it into a folder called Safety (by creating that new folder and then dragging the document’s icon into that folder while holding down the Ctrl key).

I saved the document under a second name (by doing this procedure: while viewing the words in the document, click “File” then “Save As”, invent a second name and type it, then press the Enter key).

I did that copying each time I was at a good “resting point” (when I was confident of what I’d written so far but less confident of what I’d be writing next).

The easy forms of copying I did frequently (at many “resting points”). The harder forms I did less frequently (just at the “major resting points”).

Copying is important

Computers work as you expect, 99.9% of the time. They’re so reliable that you start to believe they always work, and you think backups aren’t necessary. Then you don’t bother making backups anymore. But someday your document will get wrecked (by a hardware failure or software error or your stupidity or a virus or other maliciousness). Then you’ll feel devastated and swear you’ll never forget to make backups again… but you will forget, and you’ll be sorry again! It’s human nature.

 

Protect your hardware

Here’s how to protect your hardware.

Temperature

If possible, avoid using the computer in hot weather.

When the room’s temperature rises above 93 degrees, the fan inside the computer has trouble cooling the computer sufficiently. Wait until the weather is cooler (such as late at night), or buy an air conditioner, or buy a window fan to put on your desk and aim at the computer, or use the computer for just an hour at a time (so that the computer doesn’t have a chance to overheat).

Another problem in the summer is electrical brownouts, where air conditioners in your house or community consume so much electricity that not enough voltage gets to your computer.

Moving your computer

Some parts inside the computer are delicate. Don’t bang or shake the computer! If you need to move the computer to a different location, be gentle!

Before moving the computer, make backups: copy everything important from the computer’s hard disk onto floppy disks. For example, copy all the documents, spreadsheets, and database files you created.

Moving by hand If you must move the computer to a different desk or building, be very gentle when you pick up the computer, carry it, and plop it down. Be especially gentle when walking on stairs and through doorways.

Moving by car If you’re transporting your computer by car, put the computer in the front seat, put a blanket underneath the computer, and drive slowly (especially around curves and over bumps).

Do not put the computer in the trunk, since the trunk has the least protection against bumps. If you have the original padded box that the computer came in, put the computer in it, since the box’s padding is professionally designed to protect against bumps.

Moving by air If you’re transporting your computer by air, avoid checking the computer through the baggage department.

The baggage handlers will treat the computer as if it were a football, and their “forward pass” will make you pissed.

Instead, try to carry the computer with you on the plane, if the computer’s small enough to fit under your seat or in the overhead bin. If the whole computer won’t fit, carry as much of the computer as will fit (the keyboard, monitor, or system unit?) and check the rest as baggage. If you must check the computer as baggage, use the original padded box that the computer came in, or else find a giant box and put a lot of padding material in it.

When going through airport security, it’s okay to let the security guards X-ray your computer and disks. Do not carry the computer and floppy disks in your hands as you go through the metal detector, since the magnetic field might erase your disks.

For best results, just tell the guards you have a computer and disks. Instead of running the computer and disks through detection equipment, the guards will inspect your stuff personally.

To make sure your computer doesn’t contain a bomb, the guards might ask you to unscrew the computer or prove that it actually works. If your computer’s a laptop and you need to prove it works, make sure you brought your batteries — and make sure the batteries are fully charged!

Since airport rules about baggage and security continually change, ask your airport for details before taking a trip.

Beware of theft. Crooks have used this trick:

A crook waits for you to put your laptop on the X-ray conveyor belt. Then the crook cuts in front of you and purposely gives himself trouble going through the metal detector (by having keys in his pocket). While he delays you and distracts security guards, his partner grabs your laptop off the conveyor belt and walks away with it.

Moving by mail Computer companies have discovered that FedEx handles computers more carefully — and causes less damage — than the post office and UPS.

 

Send email cautiously

Remember this poem:

Beware what messages you send.

They may reach eyes you don’t intend.

For example, suppose you send an email message to Bob. Your message might be read by people other than Bob, for one of these reasons:

Maybe Bob shares his email address with his wife, kids, parents, and friends.

Maybe Bob works for a department that shares just one Internet address.

Maybe Bob’s secretary reads all Bob’s mail, to discard junk.

While Bob shows a friend how to use email, the friend can see Bob’s email.

While Bob goes to the bathroom, a passerby can peek at Bob’s screen.

Whenever Bob receives interesting email, maybe he forwards it to friends.

Maybe you meant to reply to Bob but accidentally sent the reply to “All”.

Maybe your email reaches a different guy named “Bob”.

According to U.S. law, if you’re an employee who writes an email message by using the company’s computer, the message becomes the company’s property, and your boss is allowed to look at it. Your message has no privacy. Moreover, if your company is sued (by a competitor or customer), United States law can require your company to reveal all email messages about the lawsuit’s topic and about all the people involved in it: the cute joke you wrote can embarrass you when the judge makes you read it to the courtroom.

So be especially careful about writing emails that contain sexual references (such as “I love your body, so let’s go out on a date and have sex!”) or anger (such as “The boss is an ass and should be assassinated!”), since your email might fall into the hands of the one person to whom you don’t want to show that message. Here’s the most important rule about email messages:

If you want to send a sexual or angry email,

wait an hour (to cool down) then read your draft and think again!


No “Undo”

When you tell the computer to send an email message (by clicking the Send button, Reply button, or Reply All), the computer tries to transmit the message immediately. You cannot cancel the transmission easily, since there’s no “Undo button”.

If you try to wreck the transmission (by unplugging your modem or turning off your computer’s power), your computer will detect sabotage and overcome it: the next time you run your email program, the computer will try again to transmit the wrecked message (by using a copy of the message that the computer keeps in your computer’s Outbox folder).

Since email transmissions can’t be easily canceled, remember:

Before you click Send or Reply or Reply All,

check your spelling and emotions, or you’ll all be appalled!

 

Beware of evil email

You’ll receive several kinds of email messages. Some of those messages will help you (because they’re written to you by your friends or business acquaintances, or because they’re weekly or daily news bulletins that you requested from companies whose Web sites you visited).

But most of the email messages you receive will be bad email that’s “a waste of your time to read” or “dangerous”.

Get-rich-quick schemes

You’ll get emails promising you’ll get rich quick — if you pay the sender first. If you’re stupid, you’ll pay the sender — then realize you’ve become poorer, not richer, since the sender gives you nothing worthwhile in return.

For example, in what’s called multilevel marketing (MLM), you’ll be told you can get rich by selling products (such as pills or emailed reports) if you buy them first from the seller.

After you stupidly buy the products, you realize you can’t easily find other stupid people to buy them from you. That’s because the products themselves are junk.

The classic MLM scheme tries to get you to send $10 each to 5 people (for worthless “email reports”), while you hope many people, in return, will be stupid enough to send $10 each to you. You’ll soon discover that most people are not stupider than you, and you alone are stupid enough to lose $50. Such a scheme is called a chain letter or pyramid scheme. The post office has ruled that all such chain-letter pyramid schemes are illegal and constitute mail fraud, since the only way to get rich in such a scheme is to make hundreds of stupid people become poor. Most such schemes claim to be legal but aren’t.

Another false road to riches is the Nigerian scam:

You’ll receive a letter begging your help in moving $30,000,000 out of Nigeria (because the money was secretly acquired by a slightly corrupt Nigerian official), and you’ll be allowed to keep 30% of the money for yourself. The “catch” is that before the money is transferred to you, a “small” fee must be paid to lawyers, etc., to transfer the money. If you’re stupid enough to believe the tale, you pay the fee (a few thousand dollars) — then find out you have to pay another fee, then another, then another, to get around “unexpected difficulties”. You never receive a penny. All fees wind up in the pocket of the scammer (who pretends to be a lawyer).

Thousands of Americans were stupid enough to fall for that Nigerian scam. The typical victim lost $50,000; the stupidest victims lost $300,000 per person. Several victims were stupid enough to go to Nigeria to get their money — and got murdered.

The Nigerian scam is a more lucrative crime than anything the Mafia ever did. It brings in over $1,000,000 per day from all the victims. It’s been imitated by other African countries and other constituencies. Example: “I’m a sinner who acquired $30,000,000 but I’ve mended my ways, and now I’d like to donate it all to your church, if you could please help me move it out of Sierra Leone.” Some churches went broke believing that tale!

For a different scam, you’ll be told you won $3,000,000 in the Netherlands lottery (though common sense should tell you that you can’t win a lottery you didn’t enter and never even heard of), and you just need to pay a “transfer fee” to get your winnings transferred to you.

In a real lottery, there’s no transfer fee; in this faked lottery, there’s a transfer fee but no jackpot, except for the scammers who keep your transfer fee. At first, you’ll be told the transfer fee is $5,000; after you’ve stupidly paid it, you’ll be told that because of “difficulties” with the transfer, more fees will be necessary… and then more… and then more… until your bank account is empty.

The Nigerian scam and the Netherlands-lottery scam are both examples of advance-fee scams, where you’re told you’ll get rich if you pay a fee first.

Freebies

You’ll receive email offering you something for free (such as a free digital camera, or a free screensaver, or a free pornographic look at nude women, or free access to not-quite-legally downloaded music). You say to yourself, “What can I lose? It’s free!” so you click yes.

That launches a barrage of ads upon you — through Web sites and through emails — trying to convince you to buy more. Many of the ads come in the form of adware and spyware. Page 127 explains how to cure them.

Oh yeah, about that “free” digital camera: you discover it’s terrible, and it will be “free” just after you buy lots of other stuff first. Misleading, huh?

Some of the emails pretend to be surveys, such as “Who should the next President be?” The survey doesn’t really care about your political opinion: it’s just collecting (harvesting) your email address and other personal data about you, to sell to advertisers.

Pornography

Most emails hawking pornography try to make you visit a sexy Web site, full of nude women who try to get you to reveal your credit-card number and become a paying member. Other pornographic emails try to make you phone a sexy girl whose area code just happens to be in the Caribbean or Asia or Hong Kong or some other island that will give you a huge phone bill, whose profits go to a foreign phone company that secretly gives the scheme’s manager a cut.

Phishing

You might receive an email saying that the security department (of your bank, credit-card company, or employer) wants you to reenter your personal information (credit-card number, PIN number, social-security number, mother’s maiden name, etc.) to protect against fraud. At the bottom of the email is a button to click to go to the Web site, where you enter the info.

But that Web site’s a fake: it’s really run by a crook who’s waiting for you to enter your personal info so he can steal your identity and credit-card info and buy things billed to you, then disappear before you realize you’ve been robbed and your credit history has been ruined.

Banks NEVER send emails asking you to reenter your account info. Such emails are always frauds.

Those fake emails and fake Web sites are called phishing, because they’re created by crooks who are “fishing” for suckers who’ll tell the crooks all their personal secrets. Phishing expeditions were first launched against customers of Australian and New Zealand banks, then spread to U.S. banks (such as Citibank) and beyond.


Spam

Unsolicited and unwanted email is called junk email. It’s mass-produced and sent to millions of folks all over the world, using a technique called bulk email. Junk email is also called spam (because it spreads all over the Internet, just like Spam luncheon meat spread all over Europe during World War II). The person who sends it is called a spammer and said to be spamming.

The typical spammer uses bulk email to send spam to 3,000,000 email addresses, all at once! 99.99% of the people who receive it will ignore it, but the other .01% keep the spammer in business: .01% of 3,000,000 people is 300 customers — and sending bulk email costs nearly nothing!

In the USA, 90% of all email is spam.

Internet service providers (such as Earthlink and AOL) complain that most of their equipment is now just handling spam. They’ve sued spammers for “trespassing”, and they’ve gotten some laws passed against spam. Remember:

If you’re a spammer,

You’ll wind up in the slammer.

If you’re trying to advertise a business, you’ll be tempted to send bulk email (spam). It costs you nearly nothing, since Internet email is free (unlike traditional mail, which costs 44¢ each, plus the cost of paper, plus the cost of putting labels onto all the envelopes). But since spam is associated with dishonest hucksters, sending spam can do your business’s reputation more harm than good.

To avoid wasting time reading spam, some people (and their employers and Internet providers) use spam filters, which automatically erase spam (or dump it into a “Spam” folder or put the word “SPAM” in the subject line). To decide which emails are spam, spam filters use 3 techniques: blacklists (lists of known spammers), whitelists (lists of friends who are not spammers), and Bayesian filters (lists of characteristics of spam).

But spammers evade the filters and get their spam to you anyway, by using these tricks:

Spammers keep changing their email addresses (to addresses that aren’t blacklisted yet).

Spammers purposely misspell (they offer you “poorn” or “pOrn” or “p0rn” or “pron” instead of “porn”) and add word salad (irrelevant words & sentences, often printed in white on a white background), so most of the email doesn’t seem to be about porn or Viagra or other spam topics.

Alas, spam filters reject valid mail that just looks like spam.

If you sent an email to a friend, but your friend never saw it, that’s probably because your email looked too much like spam (you used too many spam-like words or fonts or graphics), so a spam filter hid your mail.
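The three filter techniques described above (blacklist, whitelist, Bayesian scoring), the misspelling and word-salad tricks spammers use to evade them, and the false-positive problem, shown in one small working filter. This is an added example, not code from the book; the training messages and the email addresses are constructed for the demonstration.

```python
import math
import re
from collections import Counter

# Constructed training corpus (invented for this example, not from the book).
SPAM_TRAINING = [
    "buy cheap viagra now, limited offer, click here",
    "you won the lottery, pay the transfer fee to claim your prize",
    "get rich quick, send $10 to five people and earn thousands",
    "free digital camera, click here to claim your free gift",
]
HAM_TRAINING = [
    "here are the pictures from the party last friday",
    "meeting moved to 3pm, see the attached agenda",
    "can you review chapter two before the deadline",
    "thanks for lunch, let us do it again next week",
]

# Hypothetical addresses for the blacklist and whitelist checks.
BLACKLIST = {"spammer@example.com"}   # known spammers: always spam
WHITELIST = {"sarah@example.com"}     # known friends: never spam


def tokens(text):
    """Split a message into lowercase word tokens (digits and $ kept, so
    '$10', '3pm' and a spammer's 'v1agra' survive as tokens)."""
    return re.findall(r"[a-z0-9$]+", text.lower())


class BayesFilter:
    """Naive Bayes spam filter over word presence per message."""

    def __init__(self, spam, ham):
        # Count, for each word, how many spam / ham messages contain it.
        self.spam_docs = Counter(t for m in spam for t in set(tokens(m)))
        self.ham_docs = Counter(t for m in ham for t in set(tokens(m)))
        self.n_spam = len(spam)
        self.n_ham = len(ham)

    def spam_probability(self, text):
        """P(spam | words), with add-one smoothing so a word never seen
        in training (a deliberate misspelling, say) is neutral."""
        total = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / total)
        log_ham = math.log(self.n_ham / total)
        for t in set(tokens(text)):
            log_spam += math.log((self.spam_docs[t] + 1) / (self.n_spam + 2))
            log_ham += math.log((self.ham_docs[t] + 1) / (self.n_ham + 2))
        # Bayes' rule in log space: P(spam) = 1 / (1 + ham/spam)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


FILTER = BayesFilter(SPAM_TRAINING, HAM_TRAINING)


def classify(sender, text, threshold=0.5):
    """Apply the three techniques in the order a typical filter does:
    blacklist, then whitelist, then the Bayesian score."""
    if sender in BLACKLIST:
        return "spam"
    if sender in WHITELIST:
        return "ham"
    return "spam" if FILTER.spam_probability(text) >= threshold else "ham"


if __name__ == "__main__":
    samples = [
        ("unknown@example.com", "click here to claim your free prize"),
        ("unknown@example.com", "see you at the party friday"),
        # Evasion: the misspelled spam words are unseen (neutral), and the
        # trailing word salad of ham-like words drags the score down.
        ("unknown@example.com",
         "buy cheap v1agra n0w, cl1ck here lunch agenda meeting "
         "chapter review deadline"),
        # False positive: a friend's message that "looks like spam";
        # only the whitelist rescues it.
        ("sarah@example.com", "free tickets, click here to claim your prize"),
        ("spammer@example.com", "see you at the party friday"),
    ]
    for sender, text in samples:
        p = FILTER.spam_probability(text)
        print(f"{classify(sender, text):4s} p={p:.3f} {sender}: {text}")
```

With equal-sized training sets the score reduces to the product, over the message's words, of (spam messages containing the word + 1) / (ham messages containing the word + 1), which makes the effect of each misspelling and each padded word easy to trace by hand.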

Hoaxes

A hoax is just an email message that contains a scary incorrect rumor and warns you to “pass the message to all your friends”.

The hoax is not a program; it’s just a document. Though it theoretically does “no harm”, actually it’s as harmful as traditional viruses, since it wastes your time, wastes your friends’ time, embarrasses you (when you later discover the rumor is a lie and should be retracted), and creates a worldwide clogging of email systems forced to transmit the rumor and retractions to millions of people.

Good Times In May 1994, people began sending each other emails spreading a rumor that if you receive a file called “Good Times”, don’t download it, because downloading it will erase your hard disk. The rumor was false: there’s no “Good Times” virus.

The person who started the rumor knew it was false and started it as a prank. The rumor traveled fast and clogged email systems all across the country, so the rumor itself became as annoying as a traditional virus.

The rumor gradually got wilder: it said “Good Times” was an email message, and just reading the message would erase your hard disk.

The rumor eventually became even more bizarre. Here’s an abridgement of the rumor’s current version:

“The FCC released a warning, last Wednesday, of major importance to any regular user of the Internet. A new computer virus has been engineered that’s unparalleled in its destructive capability. Other viruses pale in comparison to this newest creation by a warped mentality.

“What makes this virus so terrifying, said the FCC, is that no disk need be inserted to infect a computer. The virus can be spread through Internet email. Once a computer is infected, its hard drive will most likely be destroyed. If the program is not stopped, it will create a loop that can severely damage the processor if left running too long. Unfortunately, most novice users will not realize what’s happening until far too late.

“Luckily, there’s a way to detect what’s now known as the ‘Good Times’ virus: the virus always travels to new computers in an email message whose subject line says ‘Good Times’. Avoiding infection is easy once the file has been received: don’t read it.

“The program is highly intelligent: it will send copies of itself to everyone whose email address is in a received-mail file or a sent-mail file. It will then trash the computer it is running on.

“So if you receive a file with the subject line ‘Good Times’, delete it immediately! Do not read it!

“Warn your friends of this newest threat to the Internet! It could save them a lot of time and money.”

Again, there’s no Good Times virus, but the rumor of the virus is itself a kind of virus!

Bad Times In December 1997, inspired by the Good Times virus hoax, Joe Garrick (and later others) published a rumor about a “Bad Times” virus. Here’s the rumor’s newest version (abridged):

If you receive an email entitled “Badtimes,” delete it immediately. Don’t open it.

This one is pretty nasty. It will erase everything on your hard drive, delete anything on disks within 20 feet of your computer, demagnetize the stripes on all your credit cards, reprogram your ATM access code, screw up the tracking on your VCR, and scratch any CD you try to play.

It will recalibrate your refrigerator so your ice cream melts and milk curdles, give your ex-lover your new phone number, mix antifreeze into your fish tank, drink all your beer, leave dirty socks on the coffee table when company’s coming over, hide your car keys, move your car randomly around parking lots so you can’t find it, make you fall in love with a hardened pedophile, give you nightmares about circus midgets, make you run with scissors, give you Dutch Elm Disease & Psittacosis, rewrite your backup files (changing all active verbs to passive and incorporating misspellings that grossly change the meaning), leave the toilet seat up and your hair dryer plugged in dangerously close to a full bathtub, and molecularly rearrange your cologne (making it smell like dill pickles).

It’s insidious, subtle, dangerous, terrifying to behold, and an interesting shade of mauve.

Please forward this message to everyone you know!!! Everyone deserves a good laugh.

Email tax In April 1999, a rumor swept across Canada, by email, saying the Canadian government would start charging 5¢ for each email ever sent, to reimburse the Canadian postal service, which was losing money because people were sending emails instead of regular letters. The rumor was false, a prank.

The next month, a U.S. variant began, which said “U.S.” instead of “Canada”.

Here’s an abridgement of the rumor. [Brackets show where the Canadian and US versions differ.]

Please read the following carefully if you intend to stay online and continue using email.

The Government of [Canada, the United States] is attempting to quietly push through legislation that will affect your use of the Internet. Under proposed legislation, [Canada Post, the U.S. Postal Service] will bill email users.

Bill 602P will let the government charge a 5¢ surcharge on every email, by billing Internet Service Providers. The consumer would be billed in turn by the ISP. [Toronto, Washington DC] lawyer Richard Stepp is working to prevent this legislation from becoming law.


The [Canada Post Corporation, US Postal Service] says email proliferation costs nearly [$23,000,000, $230,000,000] in lost revenue per year. Since the average citizen receives about 10 emails per day, the cost to the typical individual would be an extra 50 cents per day, or over $180 dollars per year, beyond regular Internet costs.

Note that this money would be paid directly to [Canada Post, the US Postal Service] for a service they don’t even provide. The whole point of the Internet is democracy and non-interference.

One [back-bencher, congressman], Tony Schnell, has even suggested a “20-to-40-dollar-per-month surcharge on all Internet service” beyond the government’s proposed email charges. Most major newspapers have ignored the story, the only exception being the [Toronto Star, Washingtonian], which called the idea of email surcharge “a useful concept whose time has come.”

Don’t sit by and watch your freedoms erode away! Send this email to all [Canadians, Americans] on your list. Tell your friends & relatives to write to their [MP, congressman] and say “No!” to Bill 602P.

— Kate Turner, Assistant to Richard Stepp

That rumor is entirely fiction. There is no “Bill 602P”, no “Tony Schnell”, no “Richard Stepp”, and no desire by postal authorities or newspapers for a surcharge.

 

Viruses

A computer virus is a program that purposely does mischief and manages to copy itself to other computers, so the mischief spreads. Since computer viruses are malicious software, they’re called malware.

People create viruses for several reasons.

Some people think it’s funny to create mischief, by creating viruses. They’re the same kind of people who like to play “practical jokes” and, as kids, pulled fire alarms.

Some people are angry (at dictatorships, at the military, at big impersonal corporations, at clients who don’t pay bills, at lovers who rejected them, and at homosexuals). To get revenge, they create viruses to destroy their enemy’s computers.

Some people are intellectuals who want the challenge of trying to create a program that replicates itself. Too often, the program replicates itself too well and too fast and accidentally does more harm than the programmer intended.

Some people want to become famous (or infamous or influential) by inventing viruses. They’re the same kinds of people who, as kids, wrote graffiti on school walls and in bathrooms.

People who create viruses tend to be immature. Many are teenagers or disgruntled college students.

Different viruses perform different kinds of mischief.

Some viruses print nasty messages, containing four-letter words or threats or warnings, to make you worry and waste lots of your time and prevent you from getting work done.

Some viruses erase some files, or even your entire hard disk.

Some viruses screw up your computer so it prints wrong answers or stops functioning.

Some viruses clog your computer, by giving the computer more commands than the computer can handle, so the computer has no time left to handle other tasks, and all useful computer tasks remain undone.

The damage done by a virus is called the virus’s payload. Some viruses are “benign”: they do very little damage; their payload is small. Other viruses do big damage; they have a big payload. If a virus destroys your files, it’s said to have a destructive payload.


 

Email viruses

10% of all email contains viruses. Even if the email claims to come from a friend you know, the email can contain a virus (because your friend doesn’t know it contains a virus, or because the virus lied when it said it was from your friend — the virus could have just stolen your friend’s name and email address).

Many viruses come in email attachments.

Don’t open an email attachment unless it comes with a cover letter that convinces you the attachment is really about something specific that you were expecting and that’s specifically about you. For example, don’t open an email attachment that comes with a generic body saying just “open the attachment” or “look at these pictures” or “I’m shocked at what the attachment says about you” or some other depersonalized enticement. On the other hand, it’s okay to open an attachment that says “Here are the pictures from the party I had with you and Sarah last Friday at 9PM”, if you really did have a party with that person and Sarah last Friday at 9PM!

If the attachment’s name ends in .scr or .vbs, the attachment is almost certainly a virus, since normal attachments don’t have such names.

If the attachment’s name ends in .zip, the attachment is probably a virus but might be innocent. Be extremely cautious.

If the attachment’s name ends in .doc, the attachment is probably just an innocent Microsoft Word document; if the attachment’s name ends in .eml, the attachment is probably just an innocent forwarded email. But you can’t be sure (since some viruses pretend to be “.doc” or “.eml”), so still keep your guard up. If you wish, phone or email the sender and ask whether the sender really intended to send the attachment.

Propagation tricks

To propagate, viruses use two main tricks.

Trojan horse Homer’s epic poem, The Iliad, describes how the Greeks destroyed Troy by a trick: they persuaded the Trojans to accept a “gift” — a gigantic wooden horse that secretly contained Greek warriors, who then destroyed Troy.

Some computer viruses use that trick: they look like a pleasant gift program, but the program secretly contains destructive warriors that destroy your computer. A pleasant-seeming program that secretly contains a virus is called a Trojan horse.

Time bomb If a virus damages your computer immediately (as soon as you receive it), you’ll easily figure out who sent the virus, and you can stop the perpetrator. To prevent such detection, clever viruses are time bombs: they purposely delay damaging your computer until you’ve accidentally transmitted the virus to other computers; then, several weeks or months after you’ve been secretly infected and have secretly infected others, they suddenly destroy your computer system, and you don’t know why. You don’t know whom to blame.

How viruses arose

The first computer virus was invented in 1983 by Fred Cohen as an innocent experiment in computer security. He didn’t harm anybody: his virus stayed in his lab.

In 1986, a different person invented the first virus that ran on a PC. That virus was called Brain. Unfortunately, it accidentally escaped from its lab; it was found next year at the University of Delaware. (A virus that escapes from its lab is said to be found in the wild.)

Most early viruses harmed nobody, but eventually bad kids started inventing destructive viruses. The first destructive virus that spread fast was called the Jerusalem virus because it was first noticed at the Hebrew University of Israel in 1987. It’s believed to have been invented by a programmer in Tel Aviv or Italy.

Most people still thought “computer viruses” were myths; but in 1988, magazines ran articles saying computer viruses really exist. Researchers began to invent antivirus programs to protect against viruses and destroy them. In 1989, antivirus programs started being distributed to the general public, to protect against the 30 viruses that had been invented so far. But then the nasty programmers writing viruses began protecting their viruses against the antivirus programs. Now there are over 50,000 viruses, though many are just copycat viruses that are slight variants of others.

Companies writing antivirus software are working as hard as the villains writing the viruses. Most antivirus companies release updates weekly.

Programs to protect you

To protect yourself against viruses, the first step is to make sure your Windows is up-to-date. Microsoft distributes updates often, especially on the afternoon of each special Tuesday (called Patch Tuesday, which is usually the 2nd Tuesday of each month). To make your computer check for updates and download them from the Internet, do the “Force an update” procedure on page 93.

Modern Windows versions (Vista, 7, 8, 8.1, 10, and 11) automatically include Microsoft’s free antivirus program, called Windows Defender. (It’s also called Windows Security Essentials.)

For most people, Windows Defender is adequate. I don’t recommend getting extra antivirus programs, since installing and updating them cause extra hassles, and they also tend to slow down your computer while they check for viruses. If you nevertheless insist on getting extra antivirus programs (to be extra-protected), here are some of the most common.

Norton The best easy-to-use extra antivirus program is Norton AntiVirus. The basic version costs $20; the standard version costs $40. Those prices get you a license for just one year, after which you must pay a yearly fee for updates.

McAfee Another common antivirus program is McAfee AntiVirus, which comes in several versions. McAfee used to be an independent company, then got bought by Intel, which then sold it off, so McAfee is an independent company again.

Freebies If your Internet Service Provider is Comcast, you can download Norton AntiVirus and other security software free, from http://security.comcast.net.

Some folks use the free versions of AVG Anti-Virus (downloadable from http://free.avg.com) and Malwarebytes Anti-Malware (downloadable from www.malwarebytes.org/mbam-download.php). But Microsoft Security Essentials has the advantage of being complete (no add-ons needed) and unobtrusive (no annoying messages).

Don’t relax Even with an antivirus program, you can’t completely relax, since new viruses keep getting invented. You must keep your antivirus program up-to-date, to make sure it can detect the newest viruses.

Some viruses are so powerful that they destroy antivirus programs. Some viruses even print their own fake messages saying “no virus found”. Some viruses even pretend they are antivirus programs that found viruses on your computer — and they ask you to send money to complete the “cure” — and they block you from installing or updating true antivirus programs. Don’t send money: it’s wasted and goes to an international group of crooks.


Who gets viruses

The traditional place to find viruses is: schools!

That’s partly because most viruses were invented at schools (by bright, mischievous students) but mainly because many students share the school’s computers. If one student has an infected floppy disk (purposely or accidentally) and puts it into one of the school’s computers, that computer’s hard disk will probably get infected. Then it will infect all the other students who use that computer. As disks are passed from that computer to the school’s other computers, the rest of the school’s computers become infected.

Then the school’s students, unaware of the infection, take the disks home with them and infect their families’ home computers. Then the parents bring infected disks to their offices (so they can transfer work between home and office) and infect their companies. Then company employees take infected disks home and infect their home computers, which infect any disks used by the kids, who, unaware of the infection, then take infected disks to school and start the cycle all over again.

Anybody who shares programs with other people can get a virus. Most programs are copyrighted and illegal to share. People who share programs illegally are called pirates. Pirates spread viruses. For example, many kids spread viruses when they try to share their games with their friends.

Another source of viruses is computer stores, in their computer-repair departments.

While trying to analyze and fix broken computers, the repair staff often shoves diagnostic disks into the computers, to find out what’s wrong. If one of the broken computers has a virus, the diagnostic disks accidentally get viruses from the broken computers and then pass the viruses on to other computers. So if you bring your computer to a store for repairs, don’t be surprised if your computer gets fixed but also gets a virus.

Occasionally, a major software company will screw up, accidentally get infected by a virus, and unknowingly distribute it to all folks buying the software. Even companies as big as Microsoft have accidentally distributed viruses.

The newest viruses are spread by Internet communications, such as email, instead of by floppy disks. Internet-oriented viruses spread quickly all over the world: they’re an international disaster!

Virus categories

Viruses fall into 6 categories: you can get infected by a file virus, a boot-sector virus, a multipartite virus, a macro virus, an email worm, or a denial-of-service attack.

Here are the details.…

File viruses

A file virus (also called a parasitic virus) secretly attaches itself to an innocent program, so the innocent program becomes infected. Whenever you run the infected innocent program, you’re running the virus too!

Here are the file viruses that have been most common. For each virus, I show its name and the year & month it was first discovered in the wild. Let’s start with the oldest.…

Yankee Doodle (September 1989 from Bulgaria) plays part of the song Yankee Doodle on the computer’s built-in speaker, at 5 PM every day. It infects .com & .exe files, so they become 2899 bytes longer.

Die Hard 2 (July 1994 from South Africa) makes .com & .exe files become exactly 4000 bytes bigger. It also wrecks .asm files (programs written in assembler).

Chernobyl (June 1998 from Taiwan) erases your hard disk on April 26 every year. That’s to commemorate April 26, 1986, when radioactive gas escaped from a nuclear reactor in Chernobyl in the Soviet Union. A variant, called version 1.4, erases your hard disk on the 26th of every month.

If you get infected, you won’t notice until the 26th, when your hard disk suddenly gets erased — and so do the hard disks of all your friends to whom you accidentally sent the virus!

History:

The virus was written by a 24-year-old guy named Chen Ing-Hau, whose initials are CIH, so the virus is also called the CIH virus.

The virus was invented in June 1998. At the end of 1998, three big companies (IBM, Yamaha, and Activision) got infected and accidentally spread the virus on disks distributed to their customers. The virus did its first damage on April 26, 1999. Computers all over the world lost their data that day. Most American corporations were forearmed with antivirus programs; but in Korea a million computers lost their data, at a cost of 250 million dollars, because Koreans didn’t use antivirus programs but did use lots of pirated software.

To erase your hard disk, the virus starts at the disk’s beginning and writes random info onto every sector, until your computer stops working. The data that was previously on those overwritten sectors is gone forever and can’t be recovered.

The virus also tries to attack your computer’s flash BIOS chips, by writing wrong info into them. If the virus succeeds, your computer will be permanently unable to display anything on the screen and also have trouble communicating with the keyboard and other devices.

Whenever you run an infected program, the virus in the program copies itself into RAM memory chips and infects every other program you try to run or copy.

Before you use an antivirus program to delete the virus, you must boot by using an uninfected floppy. If instead you just boot normally from your hard disk, that disk’s infected files copy the virus into RAM; then when you tell the antivirus program to “scan all programs to remove the virus”, the antivirus program accidentally copies the virus onto all your programs and infects them all. Yes, the virus tricks your antivirus program into becoming a pro-virus program!
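The file viruses above share one symptom: a .com or .exe program silently changes, usually by growing (Yankee Doodle adds 2899 bytes, Die Hard 2 exactly 4000). This added example (my code, not from the book or any antivirus product) records a baseline of program sizes and SHA-256 hashes, then reports any program that changed, vanished, or appeared; the growth figures and the sample files are constructed from the text.

```python
"""Catch the symptom the file viruses above leave behind: a .com or .exe
program that has silently changed, typically by growing (Yankee Doodle adds
2899 bytes, Die Hard 2 exactly 4000). Added example, not code from the book."""
import hashlib
import json
import os
import tempfile

PROGRAM_SUFFIXES = (".com", ".exe")
# Growth figures the text attributes to particular viruses. Only a hint:
# any change of hash is already reason to investigate.
KNOWN_GROWTH = {2899: "Yankee Doodle", 4000: "Die Hard 2"}


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Record size and SHA-256 of every program file under root."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PROGRAM_SUFFIXES):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                baseline[rel] = {"size": os.path.getsize(path),
                                 "sha256": _sha256(path)}
    return baseline


def save_snapshot(baseline, path):
    """Store the baseline (keep the copy on write-protected or offline media)."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, root):
    """Return findings for programs that changed, vanished or appeared."""
    current = snapshot(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append({"file": rel, "status": "missing"})
        elif new["sha256"] != old["sha256"]:
            finding = {"file": rel, "status": "modified",
                       "growth": new["size"] - old["size"]}
            if finding["growth"] in KNOWN_GROWTH:
                finding["hint"] = KNOWN_GROWTH[finding["growth"]]
            findings.append(finding)
    for rel in current.keys() - baseline.keys():
        findings.append({"file": rel, "status": "new"})
    return sorted(findings, key=lambda f: f["file"])


def demo():
    """Constructed scenario: a clean baseline, then 2899 bytes appended to one
    program, which is what a parasitic infection of that size looks like."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("EDIT.COM", 1200), ("GAME.EXE", 54000), ("NOTES.TXT", 80)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\x90" * size)  # constructed filler, not real programs
        baseline = snapshot(root)
        with open(os.path.join(root, "GAME.EXE"), "ab") as fh:
            fh.write(b"\xcc" * 2899)  # constructed: simulated appended code
        return compare(baseline, root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The clean-boot advice above applies to this checker too: run the comparison after booting from an uninfected disk, since a virus already in memory can hand the checker a clean-looking copy of each file.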

Boot-sector viruses

On a hard disk or floppy disk, the first sector is called the disk’s boot sector or, more longwindedly, the disk’s master boot record (MBR). A virus hiding in the boot sector is called a boot-sector virus. Whenever the computer tries to boot from an infected disk, the virus copies itself into RAM memory chips.

The typical boot-sector virus makes the computer eventually hang (stop reacting to your keystrokes and mouse strokes).

The following boot-sector viruses have been most common.…

Stoned (December 1987 from New Zealand) was invented by a student at the University of Wellington. If you boot from a disk (floppy or hard) infected with this virus, there’s a 1-in-8 chance your computer will beep and display this message:

Your PC is now Stoned

It was intended to be harmless, but on high-capacity floppy disks (such as 1.44M disks) it accidentally erases important parts of the directory. It also makes your computer run slower — as if your computer is stoned.

Form (June 1990 from Switzerland) is supposed to just play this harmless prank:

On the 18th day of each month, the computer beeps whenever a key is pressed.

But if your hard disk becomes full, the virus makes the hard disk become unbootable.

Michelangelo (April 1991 from Sweden) sits quietly on your hard disk until Michelangelo’s birthday, March 6th. Each year, on March 6th, the virus tries to destroy all data on your hard drive, by writing garbage (random meaningless bytes) everywhere. The overwritten data can’t be recovered.

To avoid that damage, folks tried playing this trick: on March 5th, before turning off their computers, they changed the computer’s date to March 7th, skipping March 6th.

Monkey (October 1992 from U.S.) encrypts the hard drive’s partition table, so the hard drive is accessible just while the virus is in memory. If you boot the system from a clean (uninfected) floppy disk, the hard drive is unusable. So removing the virus also removes your ability to access the data.

Ripper (November 1993 from Norway) randomly corrupts data written to disk. The corruption occurs just occasionally and just a few bytes at a time, to prevent you from noticing the problem until several weeks have gone by and the infection’s spread to many files and your backups and your friends!

Anti-exe (December 1993 from Russia) picks one of your .exe files and waits for you to run that file. When you do, the virus corrupts the copy that’s in the RAM (but not the copy that’s on disk). While you run the corrupted copy, errors occur.

Anti-CMOS (February 1994 from U.S.) changes your CMOS settings about disks:

Your hard drive becomes “not installed”. Your 1.44M floppy drive becomes “1.2M”. A 1.2M floppy drive becomes “not installed”. A 360K floppy drive becomes “720K”, and vice-versa.

To evade detection and give itself time to spread to other computers, it delays that damage until you’ve accessed the floppy drive many times.

Multipartite viruses

Some viruses (called boot-sector viruses) infect the disk’s boot sector, and other viruses (called file viruses) infect the disk’s files. A smarter virus infects the boot sector and the files simultaneously: it’s called a multipartite virus. If you remove the virus from just the boot sector (or just the files), you still haven’t completely removed the virus, which can regenerate itself from the place you missed.

If a virus is very smart, it’s called a stealth polymorphic armored multipartite virus (SPAM virus):

A stealth virus makes special efforts to hide itself from antivirus software, by tricking antivirus software into inspecting a clean copy of a file instead of letting it read the actual (infected) file. A polymorphic virus changes its own appearance each time it infects a file, so no two copies of the virus look alike to antivirus programs. An armored virus protects itself against antivirus disassembly. A multipartite virus hides in two places: the boot sector and also the file system.

One Half (October 1994 from Austria) slowly encrypts the hard drive. Each time you turn on the computer, the virus encrypts 2 more tracks. You can use the encrypted tracks while the virus remains in memory. When about half the hard drive’s tracks are encrypted, the computer says:

Dis is one half. Press any key to continue.

This virus is tough to remove, since removing the virus also removes your ability to access the data. It’s hard to detect, since it’s polymorphic and uses stealth.

Macro viruses

A macro virus hides in macros (little programs embedded in Microsoft Word documents and Excel spreadsheets). The virus spreads to another computer when you give somebody an infected document.

Concept (July 1995) infects Microsoft Word documents & templates. The first time you load an infected document, you see a dialog box that says “1”, with an OK button. When you click OK, the virus takes over. It makes all documents be saved as templates that affect new documents.

It consists of 5 macros: AutoOpen, PayLoad, FileSaveAs, AAAZAO, and AAAZFS.

Invented in 1995, it was the first macro virus, the first virus that infects documents, and the first virus that can infect both kinds of computers: IBM and Mac!

It was supposed to be just a harmless prank demonstrating what a macro virus could do (so it’s also called the Prank Macro virus), but it spread fast. In 1995, it became more prevalent than any other virus. Microsoft Word 97 was the first version of Microsoft Word to protect itself against the virus.

Wazzu (June 1996) is a macro called AutoOpen that forces Microsoft Word documents to be saved as templates. Whenever you open a document, the virus also rearranges up to 3 words and inserts the word “Wazzu” at random.

Laroux (July 1996) was the first macro virus that infected Excel spreadsheets (instead of Word documents). It does no harm except copy itself.

Tristate (March 1998) is called “Tristate” because it’s smart enough to infect all 3: Microsoft Word documents, Excel spreadsheets, and PowerPoint slides.

Class (October 1998) infects Microsoft Word documents. It just displays a stupid message:

The original version (called Class.A) says “This is Class” on your screen, on the 31st day of each month.

The most prevalent version (Class.D) displays this message on the 14th day of each month after May: “I think”, then your name, then “is a big stupid jerk!”

The craziest version (Class.E) says “Monica Blows Clinton! News at 11” occasionally (at random, 1% of the time). On the 17th day of each month after August, it says “Today is Clinton & Monica Fuck-Fest Day!”

Ethan (January 1999) honors Ethan Frome, a novel written by Edith Wharton in 1911 about a frustrated man. When you close an infected Word document, the virus has a 30% chance of changing the document’s title to “Ethan Frome”, the author to “EW/LN/CB”, and the keywords to “Ethan”.

Melissa (March 1999 from U.S.) spreads by email. When you look at (open) an infected Word document, the virus sends the document to the first 50 people mentioned in Microsoft Outlook’s address book (unless the virus emailed them already). Each of those people gets an email, whose subject says “Important message from” and your name. (A later version of the virus has a blank subject instead.) The email’s body says:

Here’s that document you asked for. Don’t show anyone else ;-)

Attached to that email is your infected document. In a typical corporation, each computer has Microsoft Outlook (which is part of Microsoft Office), so the virus emails itself to 50 people, who pass the virus to 50 other people, etc., making the virus spread fast.

The virus can also make your document include a quote from “The Simpsons” TV show.

History:

The virus successfully infected Microsoft Word 97 and 2000. Those versions of Microsoft Word were supposed to protect against macro viruses, but this virus is smart enough to disable that protection.

The virus was invented by David L. Smith in New Jersey. He called it “Melissa” to honor a Florida topless dancer. Her name’s hidden in the virus program.

The virus spread all over the world suddenly, on March 26, 1999, when he put it in a message in the alt.sex newsgroup. His infected document, called LIST.DOC, contained a list of porno Web sites. In just a few days, 10% of all computers connected to the Internet contained the virus. It spread faster than any previous virus. Because it created so much email from infected documents (and from confused people denying they meant to send the email), many Internet computers handling email had to be shut down.

The FBI decided the virus did over 80 million dollars of damage to business processes. David tried to hide his authorship, but the FBI arrested him on April 2, 1999. He denied distributing the virus but finally pleaded guilty and apologized. He was fined $5000 and sentenced to 20 months in prison plus 100 hours of community service plus 3 years of supervised release. He cooperated and helped the FBI find perpetrators of other viruses.

Marker (April 1999) infects Microsoft Word documents. On the first day of each month, it invades your privacy by copying (to CodeBreakers.org) your name (and your company’s name & your address), which you gave when you installed Microsoft Word.

Thus (August 1999) infects Microsoft Word documents. It lurks there until December 13th, when it erases drive C.

Prilissa (November 1999) imitates Melissa but displays different words:

The email’s subject says “Message from” and your name. The email’s body says “This document’s very important and you've GOT to read this !!!” Instead of quoting Bart Simpson, the virus waits until Christmas then does the following:

It says “Moslem power never ends. You dare rise against me. The human era is over; the CyberNET era has come!” It draws several colored shapes onto the currently opened document. It changes your autoexec.bat file so when you reboot, the entire C drive will be erased (reformatted) and you see this message: “Moslem power never ends. Your computer’s just been terminated by CyberNET virus!!!”

Email worms

An email worm is a malicious program that comes as an email attachment and pretends to be innocent fun.

Happy 99 (January 1999) comes as an email attachment called happy99.exe. If you open it, you see a window titled “Happy New Year 1999 !!” In that window, you see a pretty firework display. But while you enjoy watching the fireworks, the happy99.exe program secretly makes 3 changes in your System folder (which is in your Windows folder):

It inserts a copy of itself, called SKA.exe (which is why the Happy 99 worm is also called the SKA worm). It also inserts a file called SKA.DLL. It modifies the folder’s WSock32.DLL file, after saving that file’s original version as WSock32.SKA.

The modified WSock32.DLL file makes your computer attach the Happy 99 worm to every email you send. Every email you send will have an attachment called happy99.exe. When the person double-clicks the attachment, the person will see the pretty firework display, think you sent it on purpose, and not realize you sent an email worm.

A later version, Happy 00, comes as a file called happy00.exe. It says “Happy New Year 2000!!” instead of “Happy New Year 1999 !!”

Pretty Park (May 1999 from France) comes in an email whose subject line says “C:\CoolPrograms\Pretty Park.exe”. The email’s body, instead of containing sentences, says just “Test: Pretty Park.exe :)” and shows a drawing of Kyle (the boy in the “South Park” TV show). The drawing is labeled “Pretty Park.exe”. If you double-click it, you open PrettyPark.exe, which is an attached virus.

Then every 30 minutes, the virus copies itself to everybody in Microsoft Outlook’s address book. Every 30 seconds, it also tries to send info about you and your computer to the virus’s author or distributor.

Explore ZIP (June 1999) destroys all your Microsoft Word documents, Excel spreadsheets, PowerPoint presentations, assembly-language programs, and files that end in .h, .c, or .cpp, on drive C and all later drives (D, E, etc.) and any network server. It replaces them with files that have 0 length. Since the file names still exist, you don’t immediately notice their contents are destroyed, and neither will backup software.

It also looks in your email’s Inbox, notices any messages you haven’t replied to yet, and replies to them itself! For example, if an email from Joan with subject line saying “Buy soap” hasn’t been replied to yet, the virus sends a reply whose subject is “Re: Buy soap” and whose body says:

Hi Joan! I received your email and I’ll send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye.

The reply comes with an attachment called zipped files.exe. If the recipient opens that attachment, zipped files.exe starts running. To fool the victim, it displays a fake error message (which begins by saying “Cannot open file”). Then it puts a copy of itself into the System folder (which is in the Windows folder). It also modifies the “run” line in your computer’s Win.ini file so the program will run each time Windows starts.

Free Link (July 1999) finds people in Microsoft Outlook’s address book and sends them an email whose subject line says “Check this” and whose body says “Have fun with these links. Bye.” Clicking the email’s attachment makes the virus infect the computer and say, “This will add a shortcut to free XXX links on your desktop. Do you want to continue?” If you click “Yes”, the virus creates a shortcut icon pointing to a sex Website. But even if you click “No”, the virus has already infected the computer and will send emails, embarrassing you when those emails reach your friends.

Kak (December 1999 from France) infects every email you send by using Microsoft Outlook Express. It infects by acting as an email signature instead of an attachment, so everybody reading your email gets infected, even if the recipients don’t look at any attachments.

The virus is called Kagou-Anti-Krosoft (abbreviated as Kak) because it does this at 5PM on the first day of each month:

It protests Microsoft by saying “Kagou-Anti-Kro$oft says not today!” then shuts down the computer (as if you clicked “Shut Down”).

Love Bug (May 2000 from Philippines) comes in an email whose subject says “ILOVEYOU” and whose body says “kindly check the attached LOVELETTER coming from me”. The virus is an attachment called “LOVE-LETTER-FOR-YOU.TXT.vbs”.

When you click that attachment, the virus infects your computer and does 3 dastardly deeds:

It copies itself to everybody in your Microsoft Outlook address book. This will embarrass you, when everybody in your address book gets an email saying “ILOVEYOU”. Your boss, assistant, colleagues, customers, friends, and ex-friends will all be surprised to get an email saying you love them. They’ll be upset later, when they discover the “love letter” is a virus you gave!

It wrecks graphics files and some programs. Specifically, it wrecks all files whose names end in .jpg, .jpeg, .vbs, .vbe, .js, .jse, .css, .wsh, .sct, and .hta. It also makes music files (.mp2 and .mp3 files) be hidden, so you can’t use them until you “unhide” them. When looking for files to wreck or hide, it looks at your hard drive and also the hard drives of any network servers you’re attached to.

It tries to make your computer download, from an Internet Web site in the Philippines, a program dishonestly called WIN-BUGSFIX.EXE. That program steals your passwords by emailing them to the Philippines.

This virus spread faster than all other viruses.

It began in the Philippines on May 4, 2000, and spread across the whole world in one day, infecting 10% of all computers connected to the Internet and causing about 7 billion dollars in damage. Most of the “damage” was the labor of getting rid of the virus and explaining to recipients that the sender didn’t mean to say “I love you”. The Pentagon, CIA, and British Parliament had to shut down their email systems; so did most big corporations. It did less damage in India (where employees are conservative and don’t believe “I love you” messages) and the Philippines (where few people used the Internet because it’s expensive).

An international manhunt for the perpetrator finally led to a 23-year-old computer student in Manila. On May 11th (one week after the virus spread), he held a news conference. Accompanied by his lawyer and sister, he said his name was Onel de Guzman and that he didn’t mean to do so much harm.

Here’s why he created it:

In the Philippines that year, Internet access normally cost 100 pesos ($2.41) per hour, and 100 pesos is half a day’s wages! For his graduation thesis in computer science, he created a program to help low-income Filipinos get free Internet access by stealing passwords. The university rejected that illegal thesis, so he couldn’t graduate. Helped by a group of friends called the Grammersoft Group (which was illegally selling theses to other students), he made his virus be fancy and distributed it the day before the school held its graduation ceremony.

The middle of the virus’s program says the virus is copyright by “Grammersoft Group, Manila, Philippines” and mentions his college.

To find him, the authorities checked (and shut down) the Philippine Websites & email addresses where the virus sent passwords, chatted with the college’s computer-science department, looked for the Grammersoft Group in Manila, and compared the virus with earlier viruses written by his friends. But charges against him were finally dropped, since the Philippines had no laws yet against creating viruses.

It’s called the Love Bug because it’s a virus (bug) transmitted by a love letter. It’s also called the Killer from Manila.

Copycats have edited the virus’s program and created 28 variants.

Version A (the original version) says “ILOVEYOU” then “kindly check the attached LOVELETTER coming from me.” Version C (“Very Funny”) says “fwd: Joke” then has a blank body. Version E (“Mother’s Day”) says “Mother’s Day Order Confirmation” then “We’ve proceeded to charge your credit card for the amount of $326.92 for the Mother’s Day diamond special. We’ve attached a detailed invoice.” Version M (“Arab Air”) says “Thank you for flying With Arab Airlines” then “Please check if the bill’s correct, by opening the attached file”. Version Q (“LOOK!”) says “LOOK!” then “hehe…check this out.”

These variants pretend to cure the virus but are viruses themselves:

Version F says “Dangerous Virus Warning” then “There’s a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.” Version G says “Virus Alert!!!” It wrecks .bat and .com files. Version K says “How to protect yourself from the ILOVEYOU bug!” then “Here’s the easy way to fix the love virus.” Version T says “Recent virus attacks — fix” then “Attached is a copy of a script that’ll reverse the effects.” It corrupts many files and deletes .mp2 and .mp3 files. Version W says “This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.” Version AC says “There’s now a newer variant of love bug. Please download the following patch. We’re trying to isolate the virus. Thanks, Symantec.”

Life Stages (May 2000) tries to email this joke:

The male stages of life:

Age   Seduction line
17    “My parents are away for the weekend.”
25    “My girlfriend is away for the weekend.”
35    “My fiancée is away for the weekend.”
48    “My wife is away for the weekend.”
66    “My second wife is dead.”

Age   Favorite sport
17    sex
25    sex
35    sex
48    sex
66    napping

Age   Definition of a successful date
17    “Tongue!”
25    “Breakfast!”
35    “She didn’t set back my therapy.”
48    “I didn’t have to meet her kids.”
66    “Got home alive!”

The female stages of life:

Age   Favorite fantasy
17    tall, dark, and handsome
25    tall, dark, and handsome, with money
35    tall, dark, and handsome, with money and a brain
48    a man with hair
66    a man

Age   Ideal date
17    He offers to pay.
25    He pays.
35    He cooks breakfast next morning.
48    He cooks breakfast next morning for the kids.
66    He can chew his breakfast.

The email’s subject is “Life stages” or “Funny” or “Jokes”, with sometimes the word “text” afterwards, and sometimes “Fw:” beforehand. So there are 12 possible subjects, such as this: “Fw: Life stages text”. (The computer chooses among the 12 at random.) By having 12 possible subjects instead of 1, the virus is harder for antivirus programs to stop.

The email’s body says “The male and female stages of life”. Attached is a file that pretends to be just a simple text document called LIFE_STAGES.TXT but is actually a virus program called LIFE_STAGES.TXT.SHS. When you open it, you see a Notepad window containing the joke; while you read it, the virus secretly copies itself to 100 randomly chosen people in your Outlook address book and Internet chat groups. Then the virus erases those emails from your Sent folder, so you don’t know the emails were sent. To stop you from deleting the virus by editing the registry, the virus renames your regedit.exe program to “recycled.vxd”, moves it to the Recycle Bin, and makes it a hidden file so you can’t see it.
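Both Love Bug (LOVE-LETTER-FOR-YOU.TXT.vbs) and Life Stages (LIFE_STAGES.TXT.SHS) rely on the same disguise: a script hiding behind a document-looking name, which Windows shortens further when it hides known extensions. This added example (my code, not from the book or from any mail product) is the attachment check a mail gateway would apply; the extension lists are illustrative, the “hide known extensions” behaviour is assumed to be Windows’s default, and the sample messages are constructed from the lures described above.

```python
"""Flag email attachments that use the disguises the worms above rely on:
a program or script hiding behind a document-looking name
(LOVE-LETTER-FOR-YOU.TXT.vbs, LIFE_STAGES.TXT.SHS, "zipped files.exe").
Added example, not code from the book or from any mail product."""
import re

# Program/script extensions: the types the text names as worm carriers or
# as files the worms wreck, plus Windows scrap objects (.shs). Illustrative,
# not a complete list.
EXECUTABLE_EXTS = {"exe", "com", "bat", "vbs", "vbe", "js", "jse", "wsh",
                   "sct", "hta", "shs"}
# Harmless-looking extensions used as the decoy half of a double extension.
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "zip", "htm", "html"}


def as_displayed(filename):
    """What the user sees when Windows hides known extensions (assumption:
    the default 'hide extensions' setting); only the decoy suffix remains."""
    parts = filename.split(".")
    if len(parts) >= 2 and parts[-1].lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return ".".join(parts[:-1])
    return filename


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name.
    verdict is 'block', 'warn' or 'allow'."""
    name = filename.strip()
    parts = name.lower().split(".")
    if len(parts) < 2:
        return ("warn", "no extension")
    final = parts[-1]
    if final not in EXECUTABLE_EXTS:
        return ("allow", "non-executable extension ." + final)
    # A decoy extension directly before the real one is the classic disguise.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return ("block", f".{parts[-2]} decoy in front of executable .{final}")
    # Whitespace in the name pushes the real extension out of a narrow column.
    if re.search(r"\s", name):
        return ("block", f"executable .{final} with whitespace in its name")
    return ("block", f"executable attachment .{final}")


def scan_messages(messages):
    """messages: list of dicts with 'subject' and 'attachments'. Returns one
    record per attachment that is not allowed, with what the user would see."""
    findings = []
    for msg in messages:
        for att in msg["attachments"]:
            verdict, reason = classify_attachment(att)
            if verdict != "allow":
                findings.append({"subject": msg["subject"], "attachment": att,
                                 "shown_as": as_displayed(att),
                                 "verdict": verdict, "reason": reason})
    return findings


# Constructed sample messages modelled on the lures described in the text.
SAMPLE_MESSAGES = [
    {"subject": "ILOVEYOU", "attachments": ["LOVE-LETTER-FOR-YOU.TXT.vbs"]},
    {"subject": "Fw: Life stages text", "attachments": ["LIFE_STAGES.TXT.SHS"]},
    {"subject": "Re: Buy soap", "attachments": ["zipped files.exe"]},
    {"subject": "Happy New Year", "attachments": ["happy99.exe"]},
    {"subject": "Q3 figures", "attachments": ["report.txt", "chart.jpg"]},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f['verdict']:5} {f['attachment']!r:32} shown as "
              f"{f['shown_as']!r}: {f['reason']}")
```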

Snow White (September 2000) offers to tell you a naughty story about Snow White.

It comes in an email whose subject line tries to say “Snow White and the Seven Dwarfs — the REAL story!” and claims to be from hahahaha@sexyfun.net. The email’s body tries to send this message:

Today, Snow White was turning 18. The 7 dwarfs always were very educated & polite with Snow White. When they went out to work in the morning, they promised a HUGE surprise. Snow White was anxious. Suddenly, the door opens, and the Seven Dwarfs enter….

It sends that subject and message in slightly flawed English (for example, it says “Snowhite” instead of “Snow White”) or in French, Spanish, or Portuguese: the virus analyzes your computer to find out which language you prefer.

To read the rest of the sexy story, you’re encouraged to open the attachment, which launches the virus, which will watch you forevermore:

Whenever you send or receive an email (or view a Website mentioning an email address), the virus will send itself to that email address (after a delay); so if you try to send an email to a friend, your friend will get two emails from you; the second is the Snow White story with virus.

The virus tries to communicate with a newsgroup called alt.comp.virus so it can send & receive new fancier versions of itself, by swapping intelligence with copies on other computers.

The virus is also called Hybris, since the attachment includes a copyright notice saying the virus is called “HYBRIS (c) Vecna”.

Magistrate (March 2001 from Sweden) targets magistrates, judges, and lawyers. (It’s also called “Magistr”.)

It infects a file, then spreads to your colleagues by email and networks, then waits.

After 2 months have passed, your desktop’s icons run away from the mouse pointer whenever you try to click them on odd-numbered days. When 3 months have passed, the virus deletes the infected file.

If you’re a judge or lawyer, this virus does extra destruction, because if at least 3 of your files contain 3 legal phrases (in English, French, or Spanish), and 1 month has passed, and 100 colleagues were infected, it wrecks your computer thoroughly, by doing all this:

It deletes the infected file. It erases your CMOS & flash BIOS chip (so you can’t restart your computer). It wrecks every 25th file (by changing it to repeatedly say “YOUARESHIT”). It deletes every other file. It makes the screen say, “Another haughty bloodsucker. You think you’re God, but you’re just a chunk of shit.” It wrecks a sector on drive C (by putting different info there).

Here are the English legal phrases it looks for:

sentences you, sentence you to, sentences him to, ordered to prison

convict, found guilty, find him guilty, guilty plea, against the accused

affirmed, sufficiency of proof, sufficiency of the evidence

verdict, judgment of conviction, proceedings, habeas corpus

circuit judge, trial judge, trial court, trial chamber, “, judge”

The virus comes in a strange email:

The email’s body is part of a document from the sender’s disk.

The email’s attachment is an infected copy of a program from the sender’s disk.

The email’s return address is usually altered (by changing its second character), to prevent the recipient from replying to the sender and complaining about receiving a virus.

Sircam (July 2001) grabs a document you wrote and secretly sends it to somebody.

This virus can get very embarrassing. For example, if you wrote a private note about how much you hate your boss, the virus might secretly send that note to your boss!

It sends email to every email address mentioned in your address book or your Web cache. Each email has a 3-line body. The top line says:

Hi! How are you?

The middle line is one of these:

I send you this file to have your advice

I hope you can help me with this file I send

I hope you like the file I send you

This is the file with the info you ask for

The bottom line says:

See you later. Thanks

Exception: if your computer uses Spanish instead of English, the 3-line body is sent in Spanish. It attaches a document from your “My Documents” folder, but that document’s infected. The document’s name becomes the email’s subject.

Nimda (September 2001) spreads by email and through networks. Its name is “admin” spelled backwards. It attacks a network’s security by making every “guest” user get “administrator” privileges, so a hacker can log in as a guest and take over the whole network.

Details:

When transmitted by email, the virus comes as an email attachment (called readme.exe) in an email that has a blank body and usually a blank subject. When you receive the email, you get infected even if you don’t open the attachment: just staring at the email’s blank body infects you, since this virus uses a trick called “Automatic Execution of Embedded MIME type”.

To confuse you, the virus sends the emails, then goes dormant for 10 days, then sends out emails again, then goes dormant again, alternating forever. During each dormancy period, you think you’ve been “cured”; you get annoyed and confused when 10 days later the virus acts again.

To make sure you don’t erase the virus, it hides copies of itself throughout your computer’s .exe files and some .tmp files.

A variant (Nimda.E) comes in an attachment called sample.exe instead of readme.exe.

Klez (October 2001 from China) comes in 9 versions (Klez.A, Klez.B, Klez.C, Klez.D, Klez.E, Klez.F, Klez.G, Klez.H, and Klez.I). The most common is Klez.H. Here’s how Klez.H works…

When your computer gets infected, the virus looks all over your computer’s hard disk for email addresses then makes the computer send an email to each address.

The virus uses a trick called address spoofing:

The virus makes each email message pretend to be from an innocent bystander instead of from you. In the email’s “From” field, instead of your return email address, the virus inserts the email address of an innocent bystander — an uninfected person whose email address happened to be in your computer (such as your Inbox or Outbox).

If the email’s recipient uses an antivirus program and notices the virus, the recipient will blame the innocent bystander instead of you. You’ll never be warned you’re spreading the virus, so you’ll keep infecting more people, without you or your friends knowing you’re the spreader.
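The spoofing trick above forges only the headers the worm writes itself. The receiving mail server adds its own topmost “Received” header recording which host actually handed the message in, and that record is what a defender can compare against the visible “From” address. The following Python check is an added example, not code from the book; the two sample messages are constructed, and every host name and address in them is invented.

```python
"""Spot a visible "From" address that disagrees with where the mail came from.

Added example, not from the book. The Klez-style spoofing described above
puts a bystander's address in the "From" header. The recipient's own server
writes the topmost "Received" header, naming the host that connected to it;
a worm sending straight from an infected home machine can forge "From" and
even "Return-Path", but not what the receiving server saw. Both sample
messages are constructed; every host and address in them is invented.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the sender's own mail server delivered the message.
CONSISTENT_MSG = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Fri, 12 Oct 2001 10:00:00 +0000
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: bob@example.net
Subject: Meeting notes

See attached.
"""

# Constructed sample: "From" names a bystander, but the message was handed in
# by a dial-up host that has nothing to do with the bystander's domain.
SPOOFED_MSG = """\
Received: from dialup-203.isp.example ([203.0.113.7])
\tby mx.example.net with ESMTP; Fri, 12 Oct 2001 10:05:00 +0000
Return-Path: <carol@bystander.example>
From: Carol <carol@bystander.example>
To: bob@example.net
Subject: Worm Klez.E immunity

Run the attached tool.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def connecting_host(msg):
    """Host named in the topmost Received header, i.e. the one written by the
    recipient's own server. Lower Received headers arrived with the message
    and may themselves be forged, so they are ignored here."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    match = re.search(r"\bfrom\s+([\w.-]+)", received[0])
    return match.group(1).lower() if match else ""


def in_domain(host, domain):
    """True if host is the domain itself or a host inside it."""
    return host == domain or host.endswith("." + domain)


def sender_findings(raw):
    """Return human-readable reasons the visible sender looks spoofed
    (an empty list means the headers are consistent with each other)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    host = connecting_host(msg)
    findings = []
    if from_dom and envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from envelope "
                        f"sender domain {envelope_dom}")
    if from_dom and host and not in_domain(host, from_dom):
        findings.append(f"message was handed in by {host}, "
                        f"which is not in {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("consistent", CONSISTENT_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, "->", sender_findings(raw) or ["no findings"])
```

Treat a finding as a triage signal rather than proof: mailing lists and forwarding services legitimately hand in mail for other people’s domains. Today SPF, DKIM and DMARC formalize exactly this comparison between the claimed sender and the delivering host, which is why the Klez trick is far less effective against modern mail servers.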

Another trick: Klez.H often comes in an email that pretends to protect against Klez.E but actually contains Klez.H. The email’s subject is “Worm Klez.E immunity” and the body says:

Klez.E is the most common worldwide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-antivirus technique, most common antivirus software can’t detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once, then Klez will never come into your PC. Note: because this tool acts as a fake Klez to fool the real worm, some antivirus programs might complain when you run it. If so, ignore the warning and select “continue.” If you have any question, please mail to me.

That email is a lie: the email itself contains the Klez.H virus.

Klez.H uses these tricks:

It often comes instead in an email containing an attached innocent document copied from the sender’s computer. It borrowed that technique from Sircam. It can also come in an email saying you sent an email that bounced and to look at the attached file.

Like Nimda, it can infect you even if you don’t open the attachments. It contains routines to disable and destroy antivirus programs. It gives you a present: a second virus, called Elkern. It and Elkern try to corrupt all your computer’s programs by inserting themselves into each program.

Beagle (January 2004 from Germany) began as a program named bbeagle.exe, so it’s called “Beagle”, but some reporters made an error and accidentally called it “Bagle”. If you hear about a “Bagle” virus, it has nothing to do with bagels you eat for breakfast!

The virus’s first version, Beagle.A, was polite: it was invented on January 18, 2004 but was programmed to stop spreading itself on January 28, 2004. It did no harm except spread itself. Its main symptom was that it turned on the Windows Calculator program, calc.exe.

Many versions of Beagle were invented afterwards: Beagle.B, Beagle.C, etc., up through Beagle.X. They’re nastier, to compete against the Netsky virus.

Netsky (February 2004 from Germany) was written by a 17-year-old high school student, Sven Jaschan, who called himself SkyNet. Later he wrote 27 more versions of it, plus a more powerful virus, called Sasser. Those viruses, especially Sasser, screwed up millions of computers around the world and made people distrust the security of Windows XP. To discover who wrote those viruses, Microsoft offered a reward of $250,000. In May 2004, Sven’s friends turned him in and collected the reward. He confessed.

Since he distributed the virus on his 18th birthday, the German courts decided he was under 18 when he invented the virus, so he was tried as a minor and got off easy: no jail time and no fine! He had to just perform 30 hours of community service in a retirement home and pay about $3000 in damages to organizations that sued him.

His mom, Veronika, runs a computer consulting company called “PC Help” from her basement. Cynics think Sven wrote the viruses there to create more business for her, but probably his main goal was just to compete against the writer of Beagle. Newspapers call him the “world’s most annoying teenager”.

Here’s how Netsky works. Netsky’s first version, called Netsky.A, came in this email:

Subject: Auction successful!

Congratulations! You were successful in the auction. A detailed description about the product & bill are attached to this mail. Please contact the seller immediately. Thank you!

The email’s body includes an Auction ID number and Product ID number (both fake), and the email’s address is spoofed (so it pretends to be from “EBay Auctions” or “Yahoo Auctions” or one of their competitors). The attachment contains the virus.

Later came more powerful variants, called Netsky.B, Netsky.C, etc., up through Netsky.Z, then Netsky.AA, Netsky.AB, and Netsky.AC.

The most widely distributed version of Netsky is Netsky.P, which can generate many kinds of email subjects and email bodies, by choosing them from a long list inside the virus. Here are some of the subjects and bodies it can send:

Subject                      Body
Re: Your document            Your document is attached.
Re: Is that your document?   Can your confirm it?
Re: Question                 I’ve corrected your document.
You can’t do that!           I’m shocked about your document!
Sample                       I’ve attached the sample.
Thank you!                   Your bill’s attached to this mail.
I cannot forget you!         Your big love, ;-)
Re: Old photos               Greetings from France, Your friend
Your day                     Congratulations! Your best friend
Sex pictures                 Here’s the website. ;-)
Does it matter?              Your photo, uahhh… you’re naked!
Protected mail system        Protected message is attached.
Stolen document              I found this document about you.
Fwd: Warning again           You’ve downloaded these illegal cracks?
Administrator                Your mail account has been closed.
Hello                        I hope the patch works.
Re: Hi                       Please answer quickly!
Mail delivery (failure)      Message has been sent as a binary attachment.
Re: Hi                       I’ve attached your file. Your password is jk144563.
Re: Order                    Thank you for your request. Details are attached!
Spam                         I’ve visited this website and I found you in the spammer list. Is that true?
Illegal Website              See the name in the list! You’ve visited illegal websites. I have a big list of the websites you surfed.
Re: Submit a virus sample    The sample file you sent contains a new virus version of Mydoom.j. Please clean your system with the attached signature. Sincerely, Robert Ferrew
Re: virus sample             The sample file you sent contains a new virus version of Buppa.k. Please update your virus scanner with the attached dat file. Best Regards, Keria Reynolds

At least one of those emails will make you curious enough to open the attachment, which contains the virus. To encourage you to open the attachment, Netsky.P pretends the attachment was approved by an antivirus program, so the body ends with a comment such as —

+++ Attachment: No virus found

+++ McAfee AntiVirus — www.mcafee.com

or a similar comment mentioning one of 7 other antivirus companies. But even if you don’t open the attachment, you can get the virus just by reading the body.
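The lure list and the fake “No virus found” footer above are exactly the kind of fixed strings a mail filter can key on. Here is an added Python triage example (not code from the book) that scores a message on three signals described in the text: a subject taken from the Netsky.P list, a body that claims the attachment was already scanned, and an attachment of a type that runs code when opened. The list of risky extensions is an assumption, and both sample messages are constructed.

```python
"""Triage filter for Netsky.P-style lure emails.

Added example, not from the book. A message gets one reason for each of:
a subject from the worm's list, a body carrying the "+++ Attachment: No
virus found" footer (a claim a reader cannot verify, since the worm wrote
it), and an attachment whose type runs code when double-clicked. Two or
more reasons mark the message as suspicious. The risky-extension list is an
assumption; the sample messages are constructed.
"""
import re
from email import message_from_string

# Subject lines copied from the Netsky.P table above, lower-cased.
NETSKY_P_SUBJECTS = {
    "re: your document", "re: is that your document?", "re: question",
    "you can't do that!", "sample", "thank you!", "i cannot forget you!",
    "re: old photos", "your day", "sex pictures", "does it matter?",
    "protected mail system", "stolen document", "fwd: warning again",
    "administrator", "hello", "re: hi", "mail delivery (failure)",
    "re: order", "spam", "illegal website", "re: submit a virus sample",
    "re: virus sample",
}
# The footer shape; the vendor name on the next line varies, so it is not used.
FAKE_SCAN_FOOTER = re.compile(r"^\+\+\+\s*Attachment:\s*No virus found",
                              re.IGNORECASE | re.MULTILINE)
# Assumed list of attachment types that execute when opened.
RISKY_EXT = re.compile(r"\.(exe|pif|scr|com|bat|zip)$", re.IGNORECASE)

# Constructed sample lure: list subject, fake scan footer, .pif attachment.
SAMPLE_LURE = """\
From: EBay Auctions <auction@example.invalid>
To: bob@example.net
Subject: Re: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Your document is attached.

+++ Attachment: No virus found
+++ McAfee AntiVirus - www.mcafee.com
--XX
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

# Constructed benign message with none of the three signals.
BENIGN_MAIL = """\
From: Alice <alice@example.org>
To: bob@example.net
Subject: Lunch tomorrow?

See you at noon.
"""


def classify(raw):
    """Return {'suspicious': bool, 'reasons': [...]} for one raw message."""
    msg = message_from_string(raw)
    # Normalise the curly apostrophe used in the printed list.
    subject = (msg.get("Subject") or "").replace("\u2019", "'").strip().lower()
    reasons = []
    if subject in NETSKY_P_SUBJECTS:
        reasons.append("subject matches a known Netsky.P lure")
    body, risky = "", []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if RISKY_EXT.search(filename):
                risky.append(filename)
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if FAKE_SCAN_FOOTER.search(body):
        reasons.append("body asserts 'no virus found', which the reader cannot verify")
    if risky:
        reasons.append("executable-type attachment: " + ", ".join(risky))
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    print(classify(SAMPLE_LURE))
    print(classify(BENIGN_MAIL))
```

Requiring two signals keeps an ordinary “Hello” or “Sample” subject from tripping the filter on its own; the combination of a generic subject, an unverifiable scanning claim inside the body and an executable attachment is what makes the pattern distinctive. A real antivirus verdict arrives from your own scanner or gateway, never as text typed into the body of the message it is vouching for.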

Netsky.P erases some other viruses, so that Netsky.P remains the dominant virus on your machine and SkyNet is acknowledged as evil’s master. (But Netsky.P will not erase the Sasser virus, which SkyNet also created! Netsky.AB pretends to erase the Sasser virus but doesn’t.)

To taunt the competitor who wrote the Beagle virus (which is also called “Bagle”), Netsky.P contains this message (which is not displayed):

Bagle, don’t delete SkyNet. You fucked bitch! Wanna go to prison? We’re the only antivirus, not Bagle. Shut up and take your butterfly!

— Message from SkyNet AV Team

Let’s join an alliance, Bagle!

DoS attacks

Your computer can attack a Website’s server computer (called the target) by sending so many strange requests to the target that the target can’t figure out how to respond to them all. The target gets confused and becomes so preoccupied worrying about your requests that it ignores all other work it’s supposed to do. Everybody who tries to access it is denied service because it’s too busy. That’s called a denial-of-service attack (DoS attack).

In the attack, the “strange request” asks the target to reply to a message; but when the target computer tries to reply, it gets flummoxed because the return address is a spoof (a fake address that doesn’t exist). The target tries to reply to the fake address, waits hopelessly for acknowledgement that the transmission was received, and meanwhile the attacking computer keeps sending more requests, until the target gets overloaded, gives up, and dies.
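From the target’s side, the pattern described above is visible as a pile-up of connection requests whose senders never complete the handshake. The following Python detector is an added example, not code from the book: it replays a constructed log of handshake events (a SYN request, then the client’s final ACK), counts requests that were never acknowledged within a timeout, and raises an alert when those half-open requests swamp the completed ones. The event format, the addresses and the thresholds are all assumptions made for the example.

```python
"""Detect a flood of half-open connection requests from a handshake log.

Added example, not from the book. Each log line is "<seconds> <src_ip>
<flag>" where flag is SYN (the request) or ACK (the client's final
handshake step). A request is "half-open" if no ACK from that source
arrives within `timeout` seconds. The sample log is constructed from
documentation address ranges; a spoofed source never sends its ACK, which
is exactly the symptom the text describes.
"""


def build_sample_log(flood):
    """Constructed log: a few normal clients, optionally a burst of 20 SYNs
    from spoofed sources that never reply, then one more normal client."""
    lines = []
    for i in range(4):  # normal clients: each SYN is acknowledged in 0.1 s
        lines.append(f"{i * 1.0:.1f} 198.51.100.{i + 1} SYN")
        lines.append(f"{i * 1.0 + 0.1:.1f} 198.51.100.{i + 1} ACK")
    if flood:
        for i in range(20):  # spoofed sources: SYN only, no ACK ever follows
            lines.append(f"{4.0 + i * 0.05:.2f} 203.0.113.{i + 1} SYN")
    lines.append("12.0 198.51.100.9 SYN")
    lines.append("12.1 198.51.100.9 ACK")
    return "\n".join(lines)


def handshake_stats(log, timeout=3.0, min_half_open=10, ratio=3):
    """Replay the log in time order and classify every SYN as completed or
    half-open. Alert when at least `min_half_open` requests are half-open
    and they outnumber completed handshakes by more than `ratio` to one."""
    pending = {}  # src -> time of its still-unanswered SYN
    completed = half_open = 0
    last_time = 0.0
    for line in log.strip().splitlines():
        t, src, flag = line.split()
        t = float(t)
        last_time = t
        if flag == "SYN":
            if src in pending:  # a repeat SYN means the earlier one stalled
                half_open += 1
            pending[src] = t
        elif flag == "ACK" and src in pending:
            if t - pending.pop(src) <= timeout:
                completed += 1
            else:
                half_open += 1
    # Requests still unanswered at the end of the log count as half-open
    # only if they are already older than the timeout.
    half_open += sum(1 for t in pending.values() if last_time - t > timeout)
    return {
        "completed": completed,
        "half_open": half_open,
        "alert": half_open >= min_half_open and half_open > ratio * completed,
    }


if __name__ == "__main__":
    print("normal:", handshake_stats(build_sample_log(flood=False)))
    print("flood: ", handshake_stats(build_sample_log(flood=True)))
```

The ratio matters more than the raw count: a busy but healthy server also sees occasional stalled requests, while a flood shows half-open requests dwarfing completed ones. On the mitigation side, the standard defence against this particular pattern is to stop reserving resources until the handshake completes (SYN cookies on most operating systems) and to shorten the timeout for unanswered requests, so the spoofed senders the text describes cannot hold the target’s attention indefinitely.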

Denial-of-service attacks were invented in 1997. In March 1998, denial-of-service attacks successfully shut down Internet computers run by the Navy, the US space agency (NASA), and many universities.

Distributed DoS attacks

In the summer of 1999, an extra-powerful denial-of-service attack was invented. It’s called a distributed denial-of-service attack (DDoS attack). Here’s how it works:

A virus spreads by email to thousands of innocent computers and turns them into zombie agents. The virus waits in those zombies until a preset moment, then forces all those zombies to simultaneously attack a single Internet target by sending strange requests to the target, to overload the target and make it deny service to other customers.

The first DDoS attack viruses were Trin00 and Tribe Flood Network (TFN). Soon after came versions that were more sophisticated: Tribe Flood Network 2000 (TFN 2K) and Stacheldraht (which is the German word for “barbed wire”).

Those viruses are flexible: you can teach them to attack any target. The inventors of those viruses said they were just “experiments”, but other folks used those viruses to attack Yahoo and many other Web sites in February 2000. The attacks succeeded: they shut down Yahoo, CNN.com, Amazon.com, eBay.com, eTrade.com, Buy.com, Datek.com, and the FBI’s Website.

Blaster (August 2003) tries to launch a DDoS attack against microsoft.WindowsUpdate.com. After Blaster was unleashed, Microsoft quickly reorganized its Web site (by stopping WindowsUpdate.com from redirecting people to microsoft.WindowsUpdate.com), so no lasting damage was done to Microsoft. But Blaster has a nasty side effect:

While it makes your computer try to attack Microsoft’s Website — and also send copies of itself to every other address on the Internet (by generating random Internet address numbers) — it makes your computer reboot every 60 seconds.

Blaster can spread through any Internet connection, not just through email. Whenever your computer is connected to the Internet, you can get infected, even if you’re not using email and not using the Web.

Blaster puts itself in your Windows folder, as MsBlast.exe.

Sasser is a Blaster variant (invented in April 2004 by Sven Jaschan, the same kid who wrote the Netsky virus). Like Blaster, it spreads to other computers by any Internet connection and makes computers reboot. But it doesn’t create a DDoS attack: it just spreads itself quickly to computers all over the world.