Computer Virus Myths
(10th Edition: October 4, 1993)

by Rob Rosenberger
with Ross M. Greenberg

A number of myths have surfaced about the threat of computer "viruses." There are myths about how widespread they are, how dangerous they are, and even myths about what a computer virus really is. We want you to know the facts.

The first thing you need to learn is that a computer virus falls in the realm of malicious programming techniques known as "Trojan horses." All viruses are Trojan horses, but relatively few Trojan horses can be called a virus.

That having been said, it's time to go over the terminology we use when we lecture:

BBS: Bulletin Board System. If you have a modem, you can call a BBS and leave messages, transfer computer files back & forth, and learn a lot about computers. (What you're reading right now, for example, most likely came to you from a BBS.)

Bug: an accidental flaw in the logic of a program which makes it do things it shouldn't be doing. Programmers don't mean to put bugs in their programs, but they always creep in. Programmers often spend more time "debugging" programs than they do writing them in the first place. Inadvertent bugs have caused more data loss than all viruses combined.

Hacker: someone who really loves computers and who wants to push them to the limit. Hackers have a healthy sense of curiosity: they try doorknobs just to see if they're locked, for example. They also love to tinker with a piece of equipment until it's "just right." The entire computer revolution itself is largely a result of hackers.

Shareware: a distribution method for quality software available on a "try before you buy" basis. You must pay for it if you continue using it after the trial period. Shareware authors let you download their programs from BBSs and encourage you to give evaluation copies to friends. Many shareware applications rival their retail-shelf counterparts at a fraction of the price.
(You must pay for the shareware you continue to use -- otherwise you're stealing software.)

Trojan horse: a generic term describing a set of computer instructions purposely hidden inside a program. Trojan horses tell programs to do things you don't expect them to do. The term comes from the legendary battle in which the ancient city of Troy received a large wooden horse to commemorate a fierce battle. The "gift" secretly held enemy soldiers in its belly and, when the Trojans rolled it into their fortified city, ....

Virus: a term for a very specialized Trojan horse which spreads to other computers by secretly "infecting" programs with a copy of itself. A virus is the only type of Trojan horse which is contagious, much like the common cold. If a Trojan horse doesn't meet this definition, then it isn't a virus.

Worm: a term similar to a Trojan horse, but there is no "gift" involved. If the Trojans had left that wooden horse outside the city, they wouldn't have been attacked from inside the city. Worms, on the other hand, can bypass your defenses without having to deceive you into dropping your guard. An example would be a program designed to spread itself by exploiting bugs in a network software package. Worms usually come from someone who has legitimate access to the computer or network.

Wormers: what we call people who unleash Trojan horses onto an unsuspecting public. Let's face it, these people aren't angels. What they do hurts us. They deserve our disrespect.

Viruses, like all Trojan horses, purposely make a program do things you don't expect it to do. Some viruses will just annoy you, perhaps only displaying a "Peace on earth" greeting. The viruses we worry about will try to erase your data (the most valuable asset of your computer!) and waste your valuable time in recovering from an attack.

Now you know the differences between a bug and a Trojan horse and a virus.
Let's get into some of the myths:

"All purposely destructive code spreads like a virus."

Wrong. Remember, "Trojan horse" describes purposely destructive code in general. Very few Trojan horses actually qualify as viruses. Newspaper & magazine reporters tend to call almost anything a virus because they often have no real understanding of computer crime.

"Viruses and Trojan horses are a recent phenomenon."

Trojan horses have existed since the first days of the computer; hackers toyed with viruses in the early 1960s as a form of amusement. Many different Trojan horse techniques have emerged over the decades to embezzle money, destroy data, fool investors, etc. The general public really didn't know of this problem until the IBM PC revolution brought it into the spotlight. Banks still hush up computerized embezzlements to this day because they believe customers will lose faith in them if word gets out.

"Viruses are written by teenage hackers."

Yes, hackers have unleashed viruses -- but so has a computer magazine publisher. And according to one trusted military publication, the U.S. Defense Department creates computer viruses for use as weapons. Trojan horses for many decades sprang from the minds of middle-aged men; computer prices have only recently dropped to a level where teenagers could get into the act. We call people "wormers" when they abuse their knowledge of computers.

You shouldn't fear hackers just because some of them know how to write viruses. This whole thing boils down to an ethics issue, not a technology issue. Hackers know a lot about computers; wormers abuse their knowledge. Hackers as a whole got a bum rap when the mass media corrupted the term.

"Viruses infect 25% of all IBM PCs every month."

If 25% suffer an infection every month, then 100% would have a virus every four months -- in other words, every IBM PC would suffer an infection three times per year.
This mythical estimate surfaced in the media after researcher Peter Tippett wrote a complex thesis on how viruses might spread in the future.

Computer viruses exist all over the planet, yes -- but they won't take over the world. Only about 500 different viruses exist at this time; many of them have never existed "in the wild" and some have since been completely eliminated "from the wild." You can easily reduce your exposure to viruses with a few simple precautions. Yes, it's still safe to turn on your computer!

"Only 500 different viruses? But most experts talk about them in the thousands."

The virus experts who claim much larger numbers usually work for antivirus companies. They count even the most insignificant variations for advertising purposes. When the Marijuana virus first appeared, for example, it contained the word "legalise," but a miscreant later modified it to read "legalize." Any program which can detect the original virus can detect the version with one letter changed -- but antivirus companies count them as "two" viruses. These obscure differentiations quickly add up.

And take note: the majority of "new" computer viruses discovered these days are only minor variations on well-known viruses.

"A virus could destroy all the files on my disks."

Yes, and a spilled cup of coffee could do the same thing. You can recover from any virus or coffee problem if you have adequate backups of your data. Backups mean the difference between a nuisance and a disaster. You can safely presume there has been more accidental loss of data than loss by all viruses and Trojan horses.

"Viruses have been documented on over 300,000 computers {1988}."
"Viruses have been documented on over 400,000 computers {1989}."
"The Michelangelo virus alone was estimated to be on over 5,000,000 computers {1992}."

These numbers originated from John McAfee, a self-styled virus fighter who craves attention and media recognition.
If we assume it took him a mere five minutes to adequately document each viral infection, it would have taken four man-years of effort to document a problem only two years old by 1989. We further assume McAfee's statements included every floppy disk ever infected up to that time by a virus, as well as every computer involved in the Christmas and InterNet worm attacks. (Worms cannot be included in virus infection statistics.)

McAfee prefers to "estimate" his totals these days and was widely quoted during the Michelangelo virus hysteria in early 1992. Let's do some estimating ourselves by assuming about 80 million IBM PC-compatible computers around the world. McAfee's estimate meant one out of every 16 of those computers not only had a virus of some type, it specifically had the Michelangelo virus. Many other virus experts considered it an astronomical estimate based on the empirical evidence.

"Viruses can hide inside a data file."

Data files can't wreak havoc on your computer -- only an executable program file can do that (including the one that runs every time you turn on or reboot a computer). If a virus infected a data file, it would be a wasted effort. But let's be realistic: what you think is "data" may actually be an executable program file. For example, a "batch file" on an IBM PC contains only text, yet DOS treats it just like an executable program.

"Some viruses can completely hide themselves from all antivirus software, making them truly undetectable."

This myth ironically surfaced when certain antivirus companies publicized how they could detect so-called "Mutation Engine" viruses. The myth gained national exposure in early 1993 when the Associated Press printed excerpts from a new book about viruses.

Most viruses have a character-based "signature" which identifies it both to the virus (so it doesn't infect a program too many times) and to antivirus software (which uses the signature to detect the virus).
A Mutation Engine virus employs an algorithm signature rather than a character-based signature -- but it still has a unique, readily identifiable signature. The technique of using algorithm signatures really doesn't make it any harder to detect a virus. You just have to do some calculations to know the correct signature -- no big deal for an antivirus program.

"BBSs and shareware programs spread viruses."

Here's another scary myth, this one spouted as gospel by many "experts" who claim to know how viruses spread. "The truth," says PC Magazine publisher Bill Machrone, "is that all major viruses to date were transmitted by [retail] packages and private mail systems, often in universities." [PC Magazine, October 11, 1988.] What Machrone said back then still applies today. Over 50 retail companies have admitted spreading infected master disks to tens of thousands of customers since 1988 -- compared to only nine shareware authors who have spread viruses on master disks to less than 300 customers since 1990.

Machrone goes on to say "bulletin boards and shareware authors work extraordinarily hard at policing themselves to keep viruses out." Reputable sysops check every file for Trojan horses; nationwide sysop networks help spread the word about dangerous files.

Yes, you should beware of the software you get from BBSs and shareware authors, but you should also beware of retail software found on store shelves. By the way, many stores now routinely re-shrinkwrap returned software and put it on the shelf again. Do you know for sure only you ever touched those master disks?

"My computer could be infected if I call an infected BBS."

BBSs can't write information on your disks -- the communications software you use performs this task. You can only transfer a dangerous file to your computer if you let your software do it. And there is no "300bps subcarrier" by which a virus can slip through a modem.
A joker who called himself Mike RoChenle ("micro channel," get it?) started this myth after leaving a techy-joke message on a public network. Unfortunately, some highly respected journalists got taken in by the joke.

"So-called `boot sector' viruses travel primarily in software downloaded from BBSs."

This common myth -- touted as gospel even by "experts" -- expounds on the supposed role bulletin boards play in spreading infections. Boot sector viruses spread only if you directly copy an infected floppy disk, or if you try to "boot" a computer from an infected disk, or if you use a floppy in an infected computer. BBSs deal exclusively with program files and don't pass along copies of boot sectors. Bulletin board users thus have a natural immunity to boot-sector viruses in downloaded software. (And since the clear majority of infections stem from boot sector viruses, this fact alone exonerates the BBS community as the so-called "primary" source for the spread of viruses.)

We should make a special note about "dropper" programs developed by virus researchers as an easy way to transfer boot sector viruses among themselves. Since they don't replicate, "dropper" programs don't qualify as viruses. These programs have never appeared on BBSs to date and have no real use other than to transfer infected boot sectors.

"My files are damaged, so it must have been a virus attack."

It also could have happened because of a power flux, or static electricity, or a fingerprint on a floppy disk, or a bug in your software, or perhaps a simple error on your part. Power failures, spilled cups of coffee, and user errors have destroyed more data than all viruses combined.

"Donald Burleson was convicted of releasing a virus."

Newspapers all over the country hailed a 1989 Texas computer crime trial as a "virus" trial. The defendant, Donald Burleson, had released a destructive Trojan horse on his employer's mainframe computer.
The software in question couldn't spread to other computers, and prosecuting attorney Davis McCown claimed he "never brought up the word virus" during Burleson's trial. So why did the media call it one?

1. David Kinney, an expert witness testifying for the defense, claimed Burleson had unleashed a virus. The prosecuting attorney didn't argue the point and we don't blame him -- Kinney's claim may have actually swayed the jury to convict Burleson.

2. McCown gave reporters the facts behind the case and let them come up with their own definitions. The Associated Press and USA Today, among others, used such vague definitions that any program would have qualified as a virus. If we applied their definitions to the medical world, we could safely label penicillin as a biological virus (which is, of course, absurd).

"Robert Morris Jr. released a benign virus on a defense network."

It supposedly may have been benign, but it wasn't a virus. Morris, the son of a chief computer scientist at the U.S. National Security Agency, decided one day to take advantage of bugs in the software which controls InterNet, a network the Defense Department often uses. These tiny bugs let Morris send a worm throughout the network. Among other things, the "InterNet worm" sent copies of itself to other computers -- and clogged the entire network in a matter of hours due to bugs in the worm module itself. The press called it a "virus," like it called the 1987 "Christmas worm" a virus, because it spread to other computers. Yet Morris's work didn't infect any computers. A few notes:

1. Reporters finally started calling it a worm a year after the fact, but only because lawyers on both sides of the case constantly referred to it as a worm.

2. The worm operated only on Sun-3 & VAX computers which employ the UNIX operating system and which were specifically linked into InterNet at the time of the attack.

3. The 6,200 affected computers cannot be counted in virus infection statistics (they weren't infected).

4. It cost way less than $98 million to clean up the attack. An official Cornell University report claims John McAfee, the man behind this wild estimate, "was probably serving [him]self" in an effort to drum up business. People familiar with the case estimated the final figure at slightly under $1 million.

5. Yes, Morris could easily have added some infection code to make it both a worm and a virus if he'd had the urge.

6. InterNet gurus have since fixed the bugs Morris exploited in the attack.

7. Morris went on trial for launching the worm and received a federal conviction. The Supreme Court refused to hear his case, so the conviction stands.

"The U.S. government planted a virus in Iraqi military computers during the Gulf War."

U.S. News & World Report in early 1992 claimed the National Security Agency had replaced a computer chip in a printer bound for Iraq just before the Gulf War with a secret computer chip containing a virus. The magazine cited "two unidentified senior U.S. officials" as their source, saying "once the virus was in the [Iraqi computer] system, ...each time an Iraqi technician opened a `window' on his computer screen to access information, the contents of the screen simply vanished."

Yet the USN&WR story shows amazing similarities to a 1991 April Fool's joke published by InfoWorld magazine. Most computer experts dismiss the USN&WR story as a hoax -- an "urban legend" innocently created by the InfoWorld joke. Some notes:

1. USN&WR continues to stand by its story, but did publish a "clarification" stating "it could not be confirmed that the [virus] was ultimately successful." The editors broke with tradition by declining to print any letters readers had submitted about it.

2. Ted Koppel, a well-known American news anchor, opened one of his "Nightline" broadcasts with a report on the alleged virus.
Koppel's staff politely refers people to talk with USN&WR about the story's validity.

3. InfoWorld didn't label their story as fiction, but the last paragraph identified it as an April Fool's joke.

"Viruses can spread to all sorts of computers."

The design of all Trojan horses limits them to a family of computers, something especially true for viruses. A virus written for IBM PCs cannot infect an IBM 4300 series mainframe, nor can it infect a Commodore C64, nor can it infect an Apple Macintosh.

But take note: some computers can now run software written for other types of computers. An Apple Macintosh, with the right products, can run IBM PC software for example. If one type of computer can run software written for another type of computer, then it can also catch viruses written for the other type of computer.

"My backups will be worthless if I back up a virus."

No, they won't. Let's suppose a virus does get backed up with your files. You can restore important documents and databases and spreadsheets -- your valuable data -- without restoring an infected program. You just reinstall the programs from master disks. It's tedious work, but not as hard as some people claim.

"Antivirus software will protect me from viruses."

There is no such thing as a foolproof antivirus program. Viruses and other Trojan horses can be (and have been) designed to bypass them. Antivirus products also can be tricky to use at times and they occasionally have bugs. Always use a good set of backups as your first line of defense; rely on antivirus software only as a second line of defense.

"Read-only files are safe from virus infections."

This common myth among IBM PC users has appeared even in some computer magazines. Supposedly, you can protect yourself by using the ATTRIB command to set the read-only attribute on program files. Yet ATTRIB is software -- what it can do, a virus can undo. The ATTRIB command cannot halt the spread of most viruses.

"Viruses can infect files on write-protected floppy disks."

Another common IBM PC myth. If viruses can modify read-only files, people assume they can also modify files on write-protected disks. However, the disk drive itself knows when a floppy has a write-protect tab and refuses to write to the disk. You can't override an IBM PC drive's write-protect sensor with a software command.

We hope this dispels the many computer virus myths. Viruses DO exist, they ARE out there, they WANT to spread to other computers, and they CAN cause you problems. But you can defend yourself with a cool head and a good set of backups.

The following guidelines can shield you from viruses and other Trojan horses. They will lower your chances of getting infected and raise your chances of recovering from an attack.

1. Implement a procedure to regularly back up your files and follow it religiously. We can't emphasize this enough! Consider purchasing a user-friendly program or a tape backup device to take the drudgery out of this task. You'll find plenty of inexpensive programs and tape backup hardware to choose from.

2. Rotate between at least two sets of backups for better security (use set #1, then set #2, then set #1...). The more sets you use, the better protection you have. Many people take a "master" backup of their entire hard disk, then take a number of "incremental" backups of files which have changed since the last time they backed up. Incremental backups might only require five minutes of your time each day.

3. Many IBM PC computers now have a "BIOS option" to ignore floppy drives during the bootup process. Consult your computer's documentation to see if you can set this option. It will greatly reduce your exposure to boot sector viruses (the most common type of computer virus).

4. Download files only from reputable BBSs where the sysop checks every program for Trojan horses.
If you're still afraid, consider getting programs from a BBS or "disk vendor" company which obtains files direct from the authors.

5. Let a newly uploaded file "mature" on a BBS for one or two weeks before you download it (others will put it through its paces).

6. Consider using a program that searches ("scans") for known viruses. Almost all infections involve viruses known to antivirus companies. A recent version (no more than four months old) of any "scanning" program will in all probability identify a virus before it can infect your computer. But remember: there is no perfect antivirus defense.

7. Consider using a program that creates a unique "signature" of all the programs on your computer. Run this software once in awhile to see if any of your program files have been modified -- either by a virus or perhaps just by a stray gamma ray.

8. DON'T PANIC if your computer starts acting weird. You might have a virus, but then again you might not. Immediately turn off all power to your computer and disconnect it from any local area networks. Reboot from a write-protected copy of your master DOS disk. Don't run any programs on a "regular" disk -- you might activate a Trojan horse. If you don't have adequate backups, try to bring them up-to-date. (Yes, you might back up a virus as well, but it can't hurt you if you don't use your normal programs.) Set your backups off to the side. Only then can you safely hunt for problems.

9. If you can't figure out the problem and you don't know what to do next, just turn off your computer and call for help. Consider calling a local computer group before you call for an expert. If you need a professional, consider a regular computer consultant first. (Some "virus removal experts" charge prices far beyond their actual value.)

We'd appreciate it if you would mail us a copy of any Trojan horse or virus you discover. (Be careful you don't damage the data on your disks while trying to do this!)
Include as much information as you can and put a label on the disk saying it contains a malicious program. Send it to Ross M. Greenberg, Software Concepts Design, Virus Acres, New Kingston, NY 12459. Thank you.

Ross M. Greenberg writes both shareware and retail virus detection & removal programs. (Products aren't mentioned by name because this treatise isn't the place for advertisements.) He serves as a sysop for the Virus & Security RoundTable on GEnie and is also currently working on a number of other products having nothing to do with computer viruses.

Rob Rosenberger serves as lead sysop for CompuServe's SHAREWARE forum. He has researched computer virus myths & hoaxes since 1988. His research on the cause of the Michelangelo virus scare of 1992 has been reprinted in ISPNews (a computer security industry newsletter); and he has consulted on computer virus & data security books written by Janet Endrijonas, Pamela Kane, and Richard B. Levin.

These men communicated entirely by modem while writing this treatise.

(c) 1988,93 Rob Rosenberger & Ross M. Greenberg

Rosenberger can be reached electronically on CompuServe as [74017,1344], on GEnie as R.ROSENBERGE, on InterNet as `74017.1344@compuserve.com', and on various national BBS linkups. Greenberg can be reached electronically on MCImail and BIX and GEnie as `greenber', on InterNet as `greenber@ramnet.com', and on CompuServe as [72461,3212].

You may give copies of this treatise to anyone if you pass it along unmodified and in its entirety. We especially encourage antivirus vendors and book authors to bundle it with their products as a public service.

Printed publications may reprint this treatise in whole or in part, at no charge, if they give due credit to the authors. For-profit publications must submit two copies to: Rob Rosenberger, P.O. Box 1115, O'Fallon, IL 62269. Book publications need only submit one copy.
Non-profit publications do not have to submit any copies.
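
Guideline 7 above recommends keeping a "signature" of every program file and re-checking it from time to time. The following is an added example of such a check, not part of the original treatise and not any product of its authors. It assumes SHA-256 as the signature and a hypothetical list of program extensions (including .BAT, since DOS runs batch files like programs); all file names and contents are constructed.

```python
import hashlib
import json
import os
import tempfile

# Assumption: these extensions stand in for "program files" on a DOS-era PC.
# .bat is listed because a batch file is plain text that DOS runs as a program.
PROGRAM_EXTENSIONS = (".com", ".exe", ".bat", ".sys", ".ovl")


def file_signature(path, chunk_size=65536):
    """Return the SHA-256 digest of a file's contents as a hex string."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every program file under root (by relative path) to its signature."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(PROGRAM_EXTENSIONS):
                full_path = os.path.join(dirpath, name)
                baseline[os.path.relpath(full_path, root)] = file_signature(full_path)
    return baseline


def compare(saved, current):
    """Report program files changed, added or removed since the saved baseline."""
    return {
        "modified": sorted(p for p in saved if p in current and saved[p] != current[p]),
        "added": sorted(p for p in current if p not in saved),
        "removed": sorted(p for p in saved if p not in current),
    }


def run_demo():
    """Baseline a constructed directory, alter it, and return the comparison."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as safe:
        # Constructed placeholder files; none of them is a real program.
        samples = {
            "EDIT.EXE": b"MZ" + b"\x00" * 62,
            "AUTOEXEC.BAT": b"@echo off\r\n",
            "OLD.COM": b"placeholder",
            "NOTES.TXT": b"data, not a program\r\n",
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(content)
        baseline_file = os.path.join(safe, "baseline.json")  # kept outside the tree
        with open(baseline_file, "w", encoding="utf-8") as handle:
            json.dump(build_baseline(root), handle, indent=2, sort_keys=True)
        # Simulated changes between two runs of the checker.
        with open(os.path.join(root, "EDIT.EXE"), "r+b") as handle:
            handle.seek(10)
            handle.write(b"\x01")              # one byte altered, size unchanged
        with open(os.path.join(root, "AUTOEXEC.BAT"), "ab") as handle:
            handle.write(b"echo changed\r\n")  # line appended to a batch file
        with open(os.path.join(root, "NEW.COM"), "wb") as handle:
            handle.write(b"placeholder")       # program that was not there before
        os.remove(os.path.join(root, "OLD.COM"))
        with open(os.path.join(root, "NOTES.TXT"), "ab") as handle:
            handle.write(b"more data\r\n")     # data file: outside the baseline
        with open(baseline_file, "r", encoding="utf-8") as handle:
            saved = json.load(handle)
        return compare(saved, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the saved baseline on a write-protected disk: as the treatise notes, software cannot override the drive's write-protect sensor, whereas a baseline stored beside the programs can be rewritten along with them.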