Fusion Source Technologies


Knowledge Center
AntiVirus Research Center
What is a Virus?

Computer viruses are increasing at an unprecedented rate. In 1986, there was one known computer virus; three years later, that number had increased to six and by 1990, the total had jumped to 80. By November of that year, viruses were being discovered at the rate of one per week. Today, between 10 and 15 new viruses appear every day. In fact, from December 1998 to October 1999, the total virus count jumped from 20,500 to 42,000.

Virus Transmission | Virus Incidence | Virus Terminology | Today's Most Frequently Reported Viruses | Virus Genealogy | Virus Myths | Virus Control

Virus Transmission

A computer virus is a program designed to replicate and spread on its own, preferably without a user's knowledge. Computer viruses spread by attaching themselves to another program (such as a word processing or spreadsheet program) or to the boot sector of a diskette. When an infected file is executed or the computer is started from an infected disk, the virus itself is executed. Often, it stays in memory, waiting to infect the next program that is run or the next disk that is accessed. Many viruses perform trigger events; for example, they might display a message on a certain date or delete files after the infected program is run a certain number of times. While some of these trigger events are benign, others can be very costly and cause significant damage.

According to the International Computer Security Association (ICSA), diskettes are declining as a major source of virus infection, accounting for 68 percent of all reported infections in 1998 and 38 percent in 1999. Infections that spread through e-mail attachments (the source of macro viruses) increased from 32 percent in 1998 to 56 percent in 1999. E-mail attachments are the biggest source of macro viruses, while diskettes are the typical carrier for boot-sector viruses.

Virus Incidence

Understandably, an increase in viruses corresponds with an increase in the occurrence of virus infections. For example, a study by ICSA reports that the average rate of infection was 88 virus encounters per 1,000 computers during the month of February 1999, compared to only 32 per 1,000 for January 1998 and 14.9 virus encounters per 1,000 for January 1997. The study concludes that the figures show a "significant annual growth of approximately 20 encounters per 1,000 machines per month each year during that period" (ICSA 1999, p. 3).

The financial cost of virus infection, measured in cost per incident, has declined to $2,454 in 1998 from $8,100 in 1996, according to the ICSA study. The 1998 study also reports that complete recovery from an infection takes an average of 45.6 hours and 9.4 person-days of work (ICSA 1999, p. 23). Often the cost is much more: one respondent to the study reported a cost of $150,000 for a single incident. Clearly, viruses cause damage and waste time and manpower. What is not so clear is the extent of that damage. The ICSA study indicates that the reported costs of virus infection would be much higher if related costs such as loss of business and lower productivity were taken into consideration.

Causing everything from lost data to inaccessible files, computer viruses as well as worms and Trojan Horses are a drain on corporate bottom lines and employee patience. A rise in virus hoaxes, which can clog e-mail networks, can also result in downtime and lost productivity.

Virus Terminology

Viruses are computer programs that are designed to spread themselves from one file to another on a single computer. A virus might rapidly infect every application file on an individual computer, or slowly infect the documents on that computer, but it does not intentionally try to spread itself from that computer to other computers. In most cases, that's where humans come in. We send e-mail document attachments, trade programs on diskettes, or copy files to file servers. When the next unsuspecting user receives the infected file or disk, they spread the virus to their computer, and so on.

So how do humans spread viruses? Most people exchange information in time intervals on the order of minutes, hours or days. Furthermore, information is sent to a relatively small group of people. A user might send messages with attachments (usually documents) to an average of three people roughly every 33 minutes during business hours. While these figures may not be typical of most users, they're plausible and are corroborated by the (relatively) slow spread of most computer viruses.

As the name implies, a Trojan Horse program comes with a hidden surprise intended by the programmer but totally unexpected by the user. Trojan Horses are often designed to cause damage or do something malicious to a system, but are disguised as something useful. Unlike viruses, Trojan Horses don't make copies of themselves. Like viruses, they can cause significant damage to a computer.

Worms are like viruses in that they do replicate themselves. However, instead of spreading from file to file, they spread from computer to computer, infecting an entire system.

Worms are insidious because they rely less (or not at all) upon human behavior in order to spread themselves from one computer to others. The computer worm is a program that is designed to copy itself from one computer to another, leveraging some network medium: e-mail, TCP/IP, etc. The worm is more interested in infecting as many machines as possible on the network, and less interested in spreading many copies of itself on a single computer (like a computer virus). The prototypical worm infects (or causes its code to run on) a target system only once; after the initial infection, the worm attempts to spread to other machines on the network.

The rise in Internet use is paralleled by an increase in Internet-borne malicious code carried by Microsoft ActiveX controls and Sun Microsystems Java applets. ActiveX controls and Java applets are downloaded to a user's hard drive and launched on the local computer, potentially with few security restrictions in the case of ActiveX (Java applets run under much tighter restrictions).

Although it has not yet happened, it is possible for virus writers to use ActiveX and possibly Java to introduce viruses, worms and Trojan horses onto a web-surfer's computer, turning Web pages into virus carriers. By simply surfing the Web, users could expose their computer to viruses spread via ActiveX controls, without downloading files or even reading e-mail attachments. The virus writers could then use the virus to access RAM, corrupt files, and access files on computers attached via a LAN, among other things.

Viruses are either benign or malignant. The majority of viruses are harmless and do no real damage to a computer or files. A benign virus might do nothing more than display a message at a pre-determined time or slow down the performance of a computer.

Malignant viruses cause damage to a computer system, such as corrupting files or destroying data. (These viruses don't corrupt the files they infect; that would prevent them from spreading. They infect, and then wait for a trigger date to do damage.) Just because a virus is classified as malignant does not mean that the damage it causes is intentional. Sometimes the damage is the result of poor programming or unintended bugs in the viral code.

A virus that has been found in more than one organization or company is called an "in the wild" virus. Currently, approximately 250 viruses exist in the wild. Whether a virus is new or old, it can still be in the wild. A "zoo" virus can be found only within research labs and has not succeeded in moving into general circulation. The current census reports approximately 42,000+ zoo viruses.

A virus hoax is an e-mail that is intended to scare people about a non-existent virus threat. Users often forward these alerts thinking they are doing a service to their fellow workers, but this causes lost productivity, panic and lost time. This increased traffic can soon become a massive problem in e-mail systems and cause unnecessary fear and panic. Because hoaxes represent a serious threat to e-mail systems, the Symantec AntiVirus Research Center (SARC) has dedicated an entire Web page to them. There you can read about the $800 from Microsoft Chain Mail Hoax, the Pluperfect Hoax, and the Mobile Phone Hoax, among many others.

Today's Most Frequently Reported Viruses

Following is a list of the top reported viruses as of July 1999:

  1. W97M.Melissa. W97M.Melissa.A is a typical macro virus that has an unusual payload. When a user opens an infected document, the virus attempts to e-mail a copy of this document to up to 50 other people, using Microsoft Outlook. The virus turns off security protection upon opening an infected document in MS Word 2000, disabling the macro prompt the next time the document is opened. The virus infects MS Word 97 and MS Word 2000 documents by adding a new macro module named Melissa.

  2. Worm.ExploreZip. First found in Israel, this worm contains a malicious payload, utilizing MAPI commands and MS Outlook on Windows systems to propagate itself. The worm e-mails itself out as an attachment with the filename "zipped_files.exe"; the body of the e-mail message appears to come from a known e-mail correspondent. The worm determines the recipient by going through received messages in the user's inbox. Once the attachment is executed, the worm copies itself to the user's directory and modifies the WIN.INI file so that the program is executed each time Windows is started. The worm then utilizes the user's e-mail client to harvest e-mail addresses in order to propagate itself. When executed, the worm also searches through the C through Z drives of the user's computer system and selects a series of files (of any file extension) to destroy by making them 0 bytes long. This can result in unrecoverable data and inoperable computers.

  3. WM.CAP.A, alias WordMacro/Cap.A. This virus consists of 10 macros, all stored in encrypted form. WM.CAP.A has a stealth feature that hides the Macro item on the Tools menu and the Templates item on the File menu when the NORMAL.DOT file is infected. This prevents the user from checking the list of macros contained in the document or template, and so hides the macros. It has no intentional payload or trigger.

  4. W97M.Ethan.A, alias Ethana. This is a Word 97 macro virus that inserts its viral code into the beginning of the "ThisDocument" VBA module. While closing an infected document, the virus, with a 30 percent chance, modifies several fields in the File Summary Information dialog. This macro virus also removes the temporary text file "C:\CLASS.SYS" that most W97M.Class variants use.

  5. W97M.Marker. This is a common macro virus with a unique payload that adds its viral code to the "ThisDocument" VBA5 module. It also uses a randomly named temporary text file while infecting. This macro virus will keep the date/time of the infection and user information. When the payload in the virus activates on the 1st of the month, it will upload this information to an FTP site.

  6. PictureNote.Trojan, alias Trojan Horse, Backdoor.Note, Picture.exe, and URLSnoop. This is a malicious program that is often identified and referred to as a Trojan Horse. It does not have the capability to spread like a virus. The program is sent through Internet e-mail as an e-mail attachment named PICTURE.EXE. When this file is executed, it ultimately searches for America Online user information on that computer, possibly stealing the user's AOL password information.

  7. Happy99.Worm, alias Trojan.Happy99 and I-Worm.Happy. This is a worm program, not a virus. The program file is usually sent as an e-mail attachment or an article attachment. When executed, the program shows a fireworks display as it copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into the Windows\System directory. It also modifies WSOCK32.DLL and copies it into WSOCK32.SKA. This allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This DLL creates a new e-mail or a new article with UUENCODED HAPPY99.EXE inserted into the e-mail or article. It then sends this e-mail or posts this article.

  8. XM.Laroux, alias ExcelMacro/Laroux, Excel.Laroux, and Laroux. This virus is the first working Excel macro virus found in general circulation. The actual virus code consists of two macros called Auto_Open and Check_Files. The macros are stored in a hidden datasheet named "laroux." When an infected spreadsheet is opened, the Check_Files macro copies the worksheet with the virus code into a spreadsheet file stored in the Excel startup directory named "Personal.xls." This enables the infection of all other spreadsheets opened or created on the infected system in the future. XM.Laroux contains no deliberately destructive payloads; it exists only to replicate.

  9. W95.CIH, alias Chernobyl and CIH.Spacefiller. CIH is a very destructive virus with a payload that destroys data. It infects 32-bit Windows 95/98/NT executable files but is only capable of functioning under Windows 95/98. When an infected program on a Windows 95/98 machine is run, it becomes resident in the computer's memory. An infected system, therefore, must be rebooted from a clean system disk before scanning with an anti-virus product. The virus includes two payloads; the first is designed to overwrite the hard disk with random data and the second tries to cause permanent damage to the computer by attacking the Flash BIOS.

  10. W97M.Class, alias Class.Poppy. This polymorphic W97M macro virus does not add a new VBA5 module; instead, it adds viral code to the "ThisDocument" VBA5 module, which is always present by default in a Word 97 document or template. Most variants have a payload that displays messages on certain dates of the year.
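Item 2 above describes Worm.ExploreZip persisting by editing WIN.INI so that it runs at every Windows start. On Windows 9x the programs started that way are listed on the run= and load= lines of the [windows] section, so a desktop audit can parse those two lines and flag anything not on an approved list. The check below is an added example, not code from the original page; the WIN.INI excerpt is constructed and the program path in it is a placeholder, not an indicator from any real incident.

```python
import re

# Constructed WIN.INI excerpt for this example. The path on the run= line is a
# placeholder standing in for whatever a worm might write there.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\example_worm.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Programs the administrator has approved to start from WIN.INI. Assumed empty
# here: on a typical Windows 9x desktop both lines are blank.
APPROVED_STARTUP = set()


def win_ini_startup_entries(ini_text):
    """Return (key, program) for every program named on the [windows] run= and load= lines."""
    entries = []
    section = None
    for raw_line in ini_text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()           # new section header
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() in ("run", "load"):
            # Windows separates several programs on one line with spaces or commas.
            for program in re.split(r"[ ,]+", value):
                if program:
                    entries.append((key.lower(), program))
    return entries


def unapproved_startup_programs(ini_text, approved=APPROVED_STARTUP):
    """Flag run=/load= programs that are not on the approved list (case-insensitive)."""
    allowed = {a.lower() for a in approved}
    return [(key, program) for key, program in win_ini_startup_entries(ini_text)
            if program.lower() not in allowed]


if __name__ == "__main__":
    for key, program in unapproved_startup_programs(SAMPLE_WIN_INI):
        print(f"unapproved {key}= entry: {program}")
```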

Virus Genealogy

As the way people exchange electronic information changes, so does the nature of viruses. For example, the boot-sector virus, which was very reliant upon the DOS operating system, is on the decline as people move to Windows and Windows NT operating systems. Today, viruses are moving away from platform dependency, forcing the old "binary" and boot-sector viruses into extinction. New viruses are able to migrate from Windows 98 to Windows NT and back again. Script-based viruses and Windows 32-bit viruses represent the newest growth area.

Macro Viruses. Whereas most viruses used to spread via floppy disks and program files, more infections occur now because of e-mail attachments and downloading from the Internet. According to the Virus Bulletin, eight of the top 10 reported viruses in March 1999 were macro viruses. In February 1999 the share was even higher: the eight macro viruses in the top 10 accounted for 83.9 percent of all reported incidents.

Macro viruses can mutate or become corrupted. A mutant macro virus is essentially a new virus with a different fingerprint, making it difficult to detect with existing fingerprints. In addition, macro viruses can also mate when they meet in the same document, creating a third macro virus that has elements of both parent viruses.

File Infectors. These viruses attach themselves to or replace .COM and .EXE files, although in some cases they can infect files with the extensions .SYS, .DRV, .BIN, and .OVL. This type of virus generally infects uninfected programs when they are executed with the virus in memory. In other cases, they infect programs when they are opened (using the DOS DIR command, for example), or the virus simply infects all of the files in the directory it was run from (a so-called direct infector).

Boot Sector Infectors. All logical drives, hard disk and floppy alike, contain a boot sector, including disks that are not bootable. The boot sector contains specific information relating to the formatting of the disk and the data stored there. It also contains a small program called the boot program that loads operating system files. Boot sector viruses infect the boot program of the hard drive when an infected diskette is left in a floppy drive and the system is rebooted. When the computer reads and executes the boot sector program, the boot sector virus goes into memory and infects the hard drive. Later, when the user boots from the hard drive, the virus again gains control and can then infect each and every diskette used on the computer. Because every disk has a boot sector, computers can become infected by boot viruses on a "data disk" that has no programs or operating system.

Other Virus Categories

Viruses, whether they are boot viruses, file viruses, or macro viruses, can employ none, one, or several of the following techniques to spread or conceal themselves.

Multi-Partite Viruses. Multi-partite viruses often infect multiple targets instead of just one type of file or disk. For example, they will infect both files and boot records on hard disks or both files and boot sectors on floppy disks.

Polymorphic Viruses. Polymorphic viruses mutate to escape detection by anti-virus software. Polymorphic file, boot sector, and macro viruses have all been identified.

Stealth viruses. These viruses actively conceal themselves while they're running in memory. If the anti-virus program doesn't scan in memory for these viruses, it will completely miss them when scanning files.

Retro viruses. These viruses are designed to actively attack anti-virus software. They're anti-anti-virus viruses! They'll try to delete anti-virus data files, corrupt anti-virus programs, and more.

Virus Myths

While viruses are capable of damaging systems, they cannot do the following:

  1. Viruses don't infect files on write-protected disks.

  2. Viruses don't infect compressed files. However, applications within a compressed file could have been infected before they were compressed. Some viruses are known to insert copies of themselves in already-created archives.

  3. Viruses don't infect computer hardware such as monitors or computer chips; they only infect software. They can, however, damage certain types of hardware such as flash-memory.

  4. Macintosh viruses don't infect DOS-based computer software, and vice versa. For example, the Michelangelo virus does not infect Macintosh applications. Again, an exception to this rule is the Word and Excel macro viruses, which infect spreadsheets, documents, and templates that can be opened by either Windows or Macintosh computers.

  5. Viruses usually do not identify themselves as viruses, even after they do something destructive.

Virus Control

Viruses can be controlled at the desktop, the file server, the gateway, and on e-mail servers. Desktop and server anti-virus applications allow for virus scanning and detection on an ongoing and periodic basis, as well as each time a file is downloaded or a computer is booted. More and more, computer users have anti-virus software running full-time in the background, scanning all files and diskettes the moment they are accessed. As macro viruses proliferate, scanning e-mail attachments at the desktop is critical. To protect networks, monitoring attachments at the e-mail gateway is just as important.
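As an added example of the gateway-side attachment monitoring recommended above (not code from the original page), the Python filter below parses a message with the standard library's email package and reports three things the virus list earlier on this page points to: executable attachments, the attachment names given for ExploreZip, PictureNote and Happy99, and a uuencoded file embedded in a text body as Happy99 inserts one. The extension list is an assumed policy, and the sample message is constructed, with dummy bytes in place of any real content.

```python
import email
import re
from email import policy

# Extensions treated as executable content (an assumed policy for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Attachment names the virus list associates with ExploreZip, PictureNote and
# Happy99; compared case-insensitively.
KNOWN_BAD_NAMES = {"zipped_files.exe", "picture.exe", "happy99.exe"}

# A uuencoded file embedded in a text body begins with "begin <mode> <filename>".
UUENCODE_BEGIN = re.compile(r"^begin [0-7]{3} (\S+)", re.MULTILINE)


def screen_message(raw_message):
    """Return (reason, name) findings for one RFC 822 message; [] means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload of their own
            continue
        name = part.get_filename()
        if name:
            lowered = name.lower()
            if lowered in KNOWN_BAD_NAMES:
                findings.append(("known worm attachment name", name))
            elif any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                findings.append(("executable attachment", name))
        if part.get_content_type() == "text/plain":
            for match in UUENCODE_BEGIN.finditer(part.get_content()):
                findings.append(("uuencoded file inline in body", match.group(1)))
    return findings


def should_quarantine(raw_message):
    """Gateway decision: hold any message that produced at least one finding."""
    return bool(screen_message(raw_message))


# Constructed sample message (not a real capture): an .exe attachment plus an
# empty uuencoded file in the text body. The base64 line is dummy content.
SAMPLE_MESSAGE = """\
From: colleague@example.com
To: user@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please take a look at the attached files.

begin 644 HAPPY99.EXE
`
end
--b1
Content-Type: application/octet-stream; name="zipped_files.exe"
Content-Disposition: attachment; filename="zipped_files.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""
```

Running `screen_message(SAMPLE_MESSAGE)` reports both the inline HAPPY99.EXE and the zipped_files.exe attachment, and a plain text-only message yields no findings.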

Copyright ©2001 Fusion Source Technologies. All Rights Reserved.

Knowledge Center managed by the Knowledge & Resource Group - last updated 11.10.2001 @ 04:28 PM -0500