woodside@ttidca.TTI.COM (George Woodside) (03/21/89)
Having discussed the way viruses work, spread, and can be deterred, the
only remaining topic is how to recognize when an attack occurrs. It is not
always as simple, or as straightforward, as it may seem. What may appear to
be a hardware problem may be a virus, and vice-versa.
There is no absolute way to determine if a given symptom is being caused by
a program error, a hardware error, a virus, or something else. Not all
viruses cause destructive attacks, but those that do are usually devastating.
When files start vanishing or becoming unreadable, it may be due to any of
several reasons. Poor media, or abuse of media is not uncommon. A dirty disk
drive head, or one drifting out of alignment can cause previously reliable
disks to start producing errors. In the ST, there is the age old problem of
chip sockets and poor contact, and early versions of the ST had some component
reliability problems which could contribute to disk errors. Another source
becoming more frequent is the use of extended capacity disk formats, some of
which are not entirely reliable. There is also the potential of a real hardware
failure in the ST, or the drive. Finally there is the potential of a virus
attack. How do you tell? It's very difficult.
Actually, the virus is the easiest to detect. Use your favorite virus detect
program, and start searching. If you can't locate one, then you problem could
be any from the list above. If you find one, you must be certain you have taken
every step available to you to insure it has been eradicated before accessing
your backups.
When the virus does not destroy files, what does it do? It's rather like
the age old "Where does a 600 pound gorilla sit?". Most anyhere he wants,
obviously. A virus can do most anything that any other piece of software can
do. The bigger the code segment of the virus, the more capable it can become.
There are some rather surprising things accomplished by the viruses already
found in boot sectors, when you consider that it has to accomplish its own
loading, spreading, and eventual attack in about 120 instructions.
Some of the viruses currently spreading do nothing more than mess up the screen
display. When such an event occurs, it is not obvious that it is a virus
attack. It could be a momentary power fluctuation, a software bug of some
kind in the executing application, an intermittent hardware error, or any
of several other causes. The only hope of identifying the source as a virus
is, again, a methodic check of your disk library.
Familiarity with the appearance of the attacks of known viruses would be
helpful in recognizing when one is present. For that purpose, I have provided
the program "FLU". It is a demonstration program. It does not contain any of
the code present in any virus for the installation of the virus, or the
spreading of the virus. What it does contain is the non-destructive attack
code of several viruses. These attacks are either audio or visual, so that
there is evidence of the attack occurring. There is no simulation of any of
the virus attacks which cause damage to disk data, since there is no way
to recognize when such an attack is occurring (and, of course, the purpose
of the program is to aid in recognizing the symptoms, not to destroy disks!).
"FLU" is absolutely safe. The program can be viewed as a simple novelty,
which does some strange display alterations. But by running it, and becoming
familiar with the symptoms it displays, you will be capable of recognizing
the characteristics of the attack of several current ST viruses.
Two of the simulations, the "BLOT" virus and the "SCREEN" virus, attack in
a nearly identical manner. They step on a small portion of the screen. When
speeded up to display the symptoms, they have the appearance of drawing lines
from the top and bottom of the screen. However, when the attack occurs at the
speed at which the virus really operates, the attack would appear more like
a small blot appearing on the screen, since the screen would have most likely
been altered or redrawn by the application program between virus attacks.
The "FREEZE" virus is probably the most difficult of the non-destructive
viruses to recognize, since it is the most subtle. It takes over the
ST for an ever increasing period of time, causing a gradual slowing the
machine. Again, the demonstration runs at a significantly higher speed than
the real virus.
This concludes the virus discussions. It has been the goal of these postings
to inform the general public of the way viruses spread, attack, and can be
dealt with. It is clear to me that, as a defense, ignorance has been
unsuccessful.
--
*George R. Woodside - Citicorp/TTI - Santa Monica, CA
*Path: ..!{philabs|csun|psivax}!ttidca!woodside