What Are Viruses?

Government computers have been exposed to virus-type programs for a number of years. A virus is a quickly spreading program that "infects" other programs by modifying them to include a copy of itself. Once activated, the program can cause various detrimental effects to normal system operation. The impact can range from the annoying, such as various messages, to the damaging, including destruction of data and software and even damage to the operating system.

Worms are virus-like programs that spread through a system by copying themselves from one location to another. Unlike viruses, worms do not infect other programs, but they can compete with other programs for computing resources, as happened with the notorious DECnet worm.

A Trojan Horse is a program that masquerades as a useful program but does something malicious. This program does not replicate or infect other programs. The effects on a system are akin to those of viruses.

Why Are Viruses a Problem?

The primary reason viruses are such a problem is the vulnerability of IS resources. Safeguard programs take time to run, and many users are in too much of a hurry to wait. Another reason viruses spread is that users often simply are not aware of a virus's presence until it is too late. This is true for both stand-alone and networked computers. If it can't be seen, it is seldom given much thought.

VULNERABILITIES

Lack of user awareness
Inadequate security controls
Ineffective use of existing security controls
Bugs and loopholes in system software causing network susceptibility
Unauthorized system use

Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect executable files. The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses which infect executable code found in certain system areas on a disk which are not ordinary files.

On DOS-based systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses, which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses. Finally, a few viruses are able to infect both files and boot records (the Tequila virus is one example). These are often called MULTI-PARTITE viruses or BOOT-AND-FILE viruses.

How Many Viruses Are There?

It is not possible to give an exact number of how many viruses there are because new ones are being created literally every day. Furthermore, different anti-virus researchers use different criteria to decide whether two viruses are different or one and the same. Most researchers agree that there are more than 1500 PC viruses. However, very few of the existing viruses are widespread. Only about three dozen of the known IBM PC viruses cause most of the reported infections. These common viruses include the Jerusalem, Stoned, Brain and Eddie viruses.

Does My Computer Have a Virus?

There are various symptoms which indicate a virus is present. Symptoms include messages, music and graphical displays. However, the main indicators are changes in file sizes and contents. Virus detection packages provide some assurance by checking for the code of known viruses, but with the continuing emergence of new viruses, this is not always reliable.

VIRUS INFECTION INDICATORS

Odd system behavior
Decrease in system response
Memory reduction
Change in size or date of files
Application program failures
Alteration of commands
Unusual error messages
System down time increase
System slowdown
Consistent output loss
Unusual noises or tones
Increase in bad sectors
Program failures

Anti-virus programs scan files for virus code or check for changes in file size using checksums. Even though they are not always reliable, it is wise to arm yourself with the latest anti-viral software. There are a number of packages on the market that detect viruses. The Microcomputer Software Support Center can recommend software packages that will be appropriate to your particular needs.
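
The change-detection approach described above, as an added example that is not part of the original page or of any package it names: a baseline of size, date and checksum is recorded for each file and later compared. The file names and contents are constructed samples; the second altered file keeps its size and date, so only the checksum reveals the change.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Record (size, mtime, SHA-256) for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = (st.st_size, int(st.st_mtime), digest)
    return baseline

def compare(old, new):
    """Return {path: [reasons]} for every file that differs from the baseline."""
    findings = {}
    for path in sorted(set(old) | set(new)):
        if path not in old or path not in new:
            findings[path] = ["new file" if path not in old else "missing"]
            continue
        labels = ("size changed", "date changed", "contents changed")
        reasons = [label for label, a, b in zip(labels, old[path], new[path]) if a != b]
        if reasons:
            findings[path] = reasons
    return findings

def write(root, name, data, mtime):
    """Write a constructed sample file and pin its modification time."""
    path = os.path.join(root, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (mtime, mtime))

def demo():
    """Constructed files only: one program grows, one is altered in place."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "EDIT.COM", b"\x90" * 64, 1_000_000_000)
        write(root, "SORT.EXE", b"MZ" + b"\x00" * 30, 1_000_000_000)
        write(root, "NOTES.TXT", b"unchanged", 1_000_000_000)
        before = snapshot(root)
        write(root, "EDIT.COM", b"\x90" * 64 + b"\xcc" * 16, 1_000_000_500)  # grew
        write(root, "SORT.EXE", b"MZ" + b"\xff" * 30, 1_000_000_000)  # same size and date
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored where the monitored system cannot rewrite it, for example on write-protected media.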

How We Protect NRL Systems

PREVENTION

Never boot from an unprotected diskette.
Never use untested software.
Backup files and programs.
Minimize software sharing.
Do not use unapproved software.
Watch for unusual operation indicators.
Use virus detection software.

The NRL IS Security Office supplies users with an applications program called NISE East Computer Security Toolbox V3.0. This applications program is authorized by NAVCIRT. The application contains VIRSCAN, a viral signature scanning program created and distributed by Norman Armour. It is a command-line program that scans MS-DOS-based systems and compatible disk drives for the presence of viral signatures.

VIRSCAN uses the database of viral signatures contained in two files on its diskette. The two files are VIRSIG.LST and ADDENDA.LST. VIRSCAN can only identify viral signatures for known computer viruses whose signatures have been entered into its signature database. VIRSCAN may produce occasional false alarms, but this is preferred over not reporting possible infections.
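
How signature scanning behaves in general, as an added example that is not VIRSCAN's code or file format: the signature table, its hex notation with "??" wildcards, and all sample bytes are constructed for illustration. It shows the two limits stated above: a pattern absent from the table goes unreported, and a harmless file that happens to contain a listed byte sequence raises a false alarm.

```python
# Constructed signature table: name -> hex bytes, "??" matches any byte.
# These are made-up patterns, not real virus signatures.
SIGNATURES = {
    "SAMPLE-A": "de ad ?? be ef 01",
    "SAMPLE-B": "13 37 c0 de",
}

def compile_sig(pattern):
    """Turn 'de ad ?? be' into [0xde, 0xad, None, 0xbe]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]

def find(data, sig):
    """Return every offset in data at which the compiled signature matches."""
    n = len(sig)
    return [
        i for i in range(len(data) - n + 1)
        if all(s is None or s == data[i + j] for j, s in enumerate(sig))
    ]

def scan(data, signatures=SIGNATURES):
    """Return {signature_name: [offsets]} for every signature found in data."""
    hits = {}
    for name, pattern in signatures.items():
        offsets = find(data, compile_sig(pattern))
        if offsets:
            hits[name] = offsets
    return hits

def demo():
    """Scan three constructed byte strings and return the findings for each."""
    # Contains SAMPLE-A with an arbitrary byte in the wildcard position.
    known = b"\x90" * 8 + bytes.fromhex("dead42beef01") + b"\x00" * 4
    # Contains a pattern that was never entered into the table: no report.
    unknown = b"\x90" * 8 + bytes.fromhex("0badf00dcafe")
    # A data file that merely contains SAMPLE-B's bytes: a false alarm.
    document = b"hex dump: " + bytes.fromhex("1337c0de")
    return {
        "known": scan(known),
        "unknown": scan(unknown),
        "document": scan(document),
    }

if __name__ == "__main__":
    print(demo())
```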

VIRSCAN has been licensed by the Naval Computer Incident Response Team (NAVCIRT) for use throughout the Department of the Navy (DON). This license includes personal noncommercial use by DON personnel. Unauthorized copying, modification, and use are prohibited.