Viruses: If At First You Don't Succeed

        By Eriq Neale, ACS Lab Manager and Virus Protection Expert (neale@unt.edu)

        From the "When it rains, it pours" department, it's time to assuage some fears and correct some misinterpretations. A little while back, there was a lot of talk about the Goodtimes virus that was supposedly spreading on America On-Line. I received about a dozen copies of E-mail messages warning people not to read a mail message on AOL with the subject "Goodtimes" because it was actually a virus that would infect your computer and do nasty things to you. Some of these messages were written by well-meaning people who tried to give their message a look of importance. Others were quick notes of warning to potential victims.

        All of them were wrong.

        But the dust kicked up by this panic attack is still settling, with some unsettling consequences. In the remainder of this article, I'll try to address some of the biggest issues that have resulted from this incident, and, to entice the reader to read this article to its conclusion, I'll give you the sure-fire, no-fail method for keeping your computer system virus- and problem-free forever.

        E-mail, Fast-food Rats, and Sewer Alligators

        Let's clear the air first: the Goodtimes virus is fiction. It does not exist, and as far as we can tell, it never did. However, in a few short weeks, it achieved Urban Legend status. This status was achieved when computer support people made their best efforts to alert clients and potential clients about this alleged virus, and what began as probably a small joke exploded into a media circus not unlike what Michelangelo stirred up in 1991.

        The premise of Goodtimes was this: someone sent out E-mail on AOL that contained a virus, and when you read the message, your computer became infected. First, your potential victims are AOL customers, because the virus was activated in the AOL mail reader (or so the story goes). Second, you rule out half of the AOL customer base, either Mac or PC users, because the virus could realistically only affect one of the two computer types. So, in contrast to Michelangelo, you've already limited the spread of the damage to several hundred thousand computers as opposed to several million.

        Now let s tackle the heart of the matter. Can an E-mail message cause a mail reader to infect a computer running the mail reader with a virus? In short, no. A computer virus is executable code that replicates itself when run in the computer. So the e-mail message would have to contain a program (either Macintosh or MS-DOS) that the recipient computer would have to execute. Well, this can happen with the AOL mailer. Person A can E-mail a DOS executable to Person B on AOL by uploading the program into the mail message being sent. If the program Person A uploads is infected and Person B downloads the program and runs the program, then Person B will get infected. This same problem exists on every BBS system across the world, but we only hear of isolated incidents where an infected program is uploaded to a BBS for others to download. (We can thank proactive BBS operators for that, as the bulk of them check all uploads before making new files available.)

        But this virus was to infect you when you read the e-mail. This means that the AOL client software would have to cause the computer to run a piece of computer program code contained in the E-mail message without asking the person running the client for permission. As far as we know, the AOL client, on any platform, cannot do such a thing. And, if someone had figured out how to do such a thing, I'd really like to know. It is possible that, in developing the clients, AOL left some back doors in the mailer program for testing that remain in the program today and that the E-mail message in question could somehow tap into this, but it's really, really unlikely.

        Suppose we built a giant badger...

        If Goodtimes did what everyone promised it would, it would actually be classified as a Trojan Horse and not as a virus. A Trojan Horse is a program or data file that purports to do one thing when it actually does another. One classic Macintosh example was the Sexy Ladies HyperCard stack. While the viewer would ogle over the images of bikini-clad models, the stack would quietly eat files off the computer's hard disk in the background. Goodtimes followed the same premise: you opened what you thought was E-mail, but instead something evil lurked inside and attacked when you opened it.

        The Goodtimes scenario has brought about a renewed interest in other Trojan-related areas. One of the more interesting is a phenomenon called an ANSI bomb. On DOS systems, it is possible to reprogram function key actions at the DOS prompt through ANSI escape sequences. This is an old trick, actually, and one that many people have used to program frequently-used DOS commands into their keyboards. Unfortunately, malicious commands can be programmed into keyboards as well. It would be possible to change a key from repeating the last command entered to formatting the local hard disk when pressed.

        Rest easy, though, for this is an uncommon thing. But one of the easiest distributions for this type of mischief is still download sites like BBSs, online services, and anonymous ftp. Recent versions of PKWare's PKZIP and PKUNZIP utilities have a feature that displays a text message when a ZIP file is uncompressed (actually, there are several programs that now offer this feature). As you may have guessed, miscreants have found ways to embed ANSI codes into these messages to have portions of the text appear in color, or to reprogram function keys and the like.

        How do you protect yourself from this threat? There are a couple of ways. One is to practice caution when downloading files, and this really should be one of the 10 Computer Commandments! PKWare supposedly has utilities that will examine the embedded comments in ZIP files for trouble codes. Or, you can remove ANSI from your PC altogether. If this is not really an option for you (it's not been one for me), you can use one of several ANSI emulators that do not support function key remapping (some of these tools are available on ftp.unt.edu).
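As an added example (not from the article, and not PKWare's own checker), here is a small Python tool that pulls the banner comment out of a ZIP archive and flags ANSI key-reassignment sequences (ESC [ ... p) separately from harmless colour codes. The archive, the banners and the function names are constructed for this example.

```python
import io
import re
import zipfile

# ANSI.SYS control sequences look like ESC [ parameters final-byte. A final
# byte of 'p' is the key-reassignment command (the "ANSI bomb" vector);
# other final bytes (m, H, J, ...) only affect the display. Quoted strings
# may appear among the parameters of a reassignment.
CSI_RE = re.compile(rb'''\x1b\[((?:[0-9;]|"[^"]*"|'[^']*')*)([@-~])''')

def classify_ansi(data: bytes) -> list[tuple[str, bytes]]:
    """Return (kind, raw_sequence) for each control sequence in data;
    kind is 'key_remap' for ESC[...p and 'display' for cosmetic codes."""
    return [("key_remap" if m.group(2) == b"p" else "display", m.group(0))
            for m in CSI_RE.finditer(data)]

def scan_zip_comments(zip_bytes: bytes) -> list[tuple[str, str, bytes]]:
    """Scan the archive banner comment and every member comment of a ZIP.
    Any 'key_remap' hit is what a download checker should quarantine."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for kind, seq in classify_ansi(zf.comment):
            results.append(("archive comment", kind, seq))
        for info in zf.infolist():
            for kind, seq in classify_ansi(info.comment):
                results.append((info.filename + " comment", kind, seq))
    return results

def build_sample_zip(comment: bytes) -> bytes:
    """Constructed in-memory archive (not a real download) with a banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.TXT", "sample file\n")
        zf.comment = comment
    return buf.getvalue()

# Constructed banners: a green colour banner, and one that remaps F1
# (ANSI.SYS key code 0;59) to type "dir", the frequently-used-command
# trick the article mentions. The checker flags any remap, because it
# cannot tell a convenience macro from a destructive one by intent.
CLEAN_BANNER = b"\x1b[32mThanks for downloading!\x1b[0m"
REMAP_BANNER = b'Thanks for downloading!\x1b[0;59;"dir"p'

if __name__ == "__main__":
    for banner in (CLEAN_BANNER, REMAP_BANNER):
        for loc, kind, seq in scan_zip_comments(build_sample_zip(banner)):
            print(f"{loc}: {kind} {seq!r}")
```

The same classify_ansi check can be run over any downloaded text before it is typed to a console with ANSI.SYS loaded, since the banner is only one delivery route.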

        This type of thing can happen on other systems, too. Emacs can recognize and execute lisp code included in the comments of a source file as the file is being opened for editing. Some Web browsers could be configured to automatically download and execute files from Web sites. And there are probably others that this author is not aware of (please forgive the poor grammar).

        42

        Hopefully, you are now armed with more information about this than you really care to know and you realize that the situation is much less severe than you may have realized before. While these issues are concerns that need to be dealt with, a healthy case of paranoia can be reserved for a different situation.

        I have to admit that I lied to you earlier. There is no single solution, no "one fix fixes all" tool that can be used to prevent computer disasters. But a good, regular backup will help prevent loss of data when a computer disaster occurs. It is inevitable that your computer will suffer some dastardly sort of problem that will cause loss of data. If you are prepared with a complete, recent backup of your system, your downtime should be kept to a minimum once you've identified and removed the problem.
