FUNGEN2.CVP 910804

Viral operations

Although the "original" definition of computer viral programs refers to reproduction by attaching to other programs, viri that act in this manner have been less successful than those that use other means. In the personal computer world, boot sector infectors have been much more effective. (Examples in the MS-DOS community are the BRAIN and Stoned viral programs. Examples in the Mac realm are not as clear, but the WDEF virus could be said to be a type of boot sector infector, as the WDEF resource is one that is run automatically as soon as any Mac disk is inserted, although this has changed under System 7.)

In larger systems, mini and mainframe computers, network and mail viral programs have, so far, had the greatest impact. The Morris/Internet/UNIX worm managed to spread and reproduce using the facility of networked machines to submit programs to each other. (A VMS program, WANK, used many of the same techniques.) The CHRISTMA EXEC used mainframe mail commands, and the ability to submit programs by mail, in order to reproduce copies which eventually flooded the network.

Network and mail viral programs carry, in a sense, their own payload. The reproduction of the programs themselves uses the resources of the hosts affected, and in the cases of both the Morris and CHRISTMA worms went so far as to deny service to users by using all available computing or communications resources.

Most other viral programs seem to be written "for their own sake": a kind of electronic graffiti which writes itself on further walls. However, even these can do damage, as with the Stoned virus, which overwrites sections of the FAT with the original boot sector. Some appear to be written as pranks, and others as a kind of advertising, although the potential for damage from even "benign" viri cannot be considered funny, and the "advertising" viri probably don't engender much goodwill.

Relatively few viral programs carry a deliberately damaging payload. Those which do attempt to erase infected programs or disks are, fortunately, self-limiting.

The last payload, or function, which a viral program may carry is some kind of intelligence to enable it to evade detection. So far the various kinds of evasive action (self-modification, multiple encryption and "stealth" activity) have not proven to have any advantageous "survival" characteristics. In one sense, this is to be regretted, as it demonstrates that the majority of computer users are not taking the most elementary precautions to defend against viral programs.

copyright Robert M. Slade, 1991