              Some Common PC-DOS Viruses and What They Mean To You

                                 David M. Chess
                                 ______________
                      High Integrity Computing Laboratory
                      ___________________________________
                      IBM Thomas J. Watson Research Center
                      ____________________________________
                              Yorktown Heights, NY
                              ____________________

                                 Jan. 25, 1991



          INTRODUCTION
          ____________


          For the researcher, computer viruses can be an interesting
          field of study, presenting challenges in protection,
          detection, removal, and theory.   For the computer owner and
          user, though, computer viruses are simply a nuisance, to be
          avoided or removed with as little effort as is absolutely
          necessary, so that real work can go on.

          One good general definition of a computer virus is given in
          [Cohen, 1987]: a computer virus is "a program that can
          'infect' other programs by modifying them to include a
          possibly evolved copy of itself".  In PC-DOS, the "programs"
          that may become infected by one of the common viruses
          include normal executable files (EXE and COM files, and code
          overlays), and various kinds of boot sectors (a boot sector
          is a small piece of code on a diskette or hard disk that
          tells the computer what to do when it is first brought up,
          before DOS has been loaded).

          Even today, infection by a computer virus is a relatively
          rare event.  The majority of computer virus infections that
          occur in the user community are caused by one of just a few
          widely-spread viruses.  This paper will attempt to aid the
          computer owner, user, or security manager in assessing the
          risks from viruses in general, and in particular in
          understanding just what the most common viruses in the
          PC-DOS world today actually do, from the viewpoint of the
          user, rather than the virus guru.

          Computer viruses can be written for essentially any
          general-purpose computer operating system, and viruses exist
          for every common microcomputer.   This paper covers only
          PC-DOS viruses, because that is where the author's expertise
          lies.

          For each of a number of currently-common computer viruses
          (in roughly descending order of frequency), this paper
          describes the basic action of the virus, the ways it spreads
          from machine to machine, the symptoms that it can cause, the
          damage (if any) it does, and how it can be protected
          against.

          While in theory viruses are difficult to detect reliably, in
          practice protecting against all the currently-common viruses
          is relatively simple.  Some characteristics shared by all
          the common viruses make them simple to detect through any of
          various methods, and commercially-available anti-virus
          programs exist today that will protect against all of the
          viruses discussed here.  The difficult part is not in
          finding a way to protect a single machine against viruses,
          but in effectively implementing the available protections
          throughout an organization.





          THE 1813 ("JERUSALEM") VIRUS
          ____________________________


          One of the oldest PC-DOS viruses, and probably the most
          common, is the 1813 virus, also called (among other things)
          the Jerusalem, the Jerusalem-B, the Friday the 13th, the
          Black Friday, the Black Hole, the Morbus Waiblingen, and the
          sUMsDos.  When a file infected with the 1813 virus is
          executed, the virus is loaded into memory, and any file
          executed via the DOS "execute program" function thereafter
          (until the next power-off or reboot) will be infected.  This
          includes EXE and COM programs invoked from the DOS command
          line, as well as overlays that are called by other
          programs.  This technique of infecting things as they are
          used is one of the features that most of the
          currently-common viruses share.

          When an infected program is executed on Friday the 13th (any
          month, any year but 1987), it will ERASE programs that are
          executed, rather than infecting them.



          SPREAD
          ______


          The 1813 virus spreads from machine to machine by way of
          infected files; when an infected program travels (on
          diskette, over a LAN, by download from a host computer or
          bulletin board system, or otherwise) from one computer to
          another, the destination computer will become infected as
          soon as the infected program is executed.  The virus has no
          power to spread between machines itself; it relies on people
          intentionally sharing software or machines in order to
          spread.

          Some common spread scenarios include:

          o   Shared machines - If a computer is used by many
              different people, it can serve as a center of infection.
              If someone has run an infected program on the machine,
              the infection has probably spread to programs on the
              machine's hard disk; if other users bring their own
              programs on diskette and run them on the machine, those
              programs are likely to become infected, and the
              infection will be spread on diskette to other machines.
              Shared machines are therefore one important place to
              apply virus protection programs.

          o   Shared diskettes - There are many diskettes that are
              routinely carried from machine to machine; these include
              diagnostic diskettes, product demos, and so on.  If such
              a diskette becomes infected, the infection can quickly
              spread to many machines.  Shared diskettes should
              therefore be protected; the most effective protection is
              a write-protect tab!

          o   Popular programs - There are some programs (games,
              demos, animations, and so on) that are very popular;
              anyone who gets a copy of one of these programs is
              likely to want to pass it on (or at least show it off)
              to other people.  If one of these programs becomes
              infected, the infection can spread quickly to many
              machines; users should therefore be educated in the
              dangers of running such programs without first employing
              virus detectors or other anti-virus measures.

          o   LAN servers - If a program on a LAN server that is used
              by many workstations on the LAN becomes infected, a
              large percentage of workstations on the LAN can become
              infected very quickly (sometimes within an hour or two).
              Programs on LAN servers should be carefully checked for
              viruses, and LAN access controls for shared programs
              should be set up correctly.  One common mistake is to
              have the LAN "logon" program in a place where anyone on
              the LAN can write to it; this setup means that if any
              workstation on the LAN becomes infected, the logon
              program will quickly become infected, and then every
              workstation that logs onto the LAN will immediately be
              infected.  Properly maintained, LAN servers can be a
              good way to make virus-free programs available to many
              machines; set up incorrectly, they can be just the
              opposite!

          These scenarios apply to program-infecting viruses in
          general, and similar scenarios (which will be mentioned
          later on) apply to boot-sector-infecting viruses.
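          The LAN-server mistake above (a logon program, or the directory
          holding it, that any workstation can write to) is something an
          administrator can check mechanically rather than by inspection.
          The following is an added example, not code from Chess's paper
          or from IBM: a small Python audit that walks a shared program
          tree and reports program files, and directories, that group or
          world can write to. It assumes POSIX permission bits (a modern
          file server rather than a 1991 DOS LAN), a constructed sample
          tree, and an assumed extension list (the paper notes that
          overlays may carry any extension, so a real audit would be tuned
          to local naming conventions).

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions treated as "programs" for the audit.  Assumption for this
# example: the paper notes that overlays may carry any extension, so a real
# audit should be tuned to the site's naming conventions.
PROGRAM_SUFFIXES = {".exe", ".com", ".ovl"}


def writable_by_others(mode: int) -> bool:
    """True if the POSIX mode bits grant write access to group or world."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_shared_programs(root: str) -> list[tuple[str, str]]:
    """Walk a shared program tree and return (path, reason) findings.

    Two things are reported: program files that group/world can overwrite
    (a resident virus on any workstation could then infect them), and
    directories that group/world can write to (a writable directory lets the
    file be replaced even when the file itself is read-only).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if writable_by_others(os.stat(dirpath).st_mode):
            findings.append((dirpath, "directory writable by group/world"))
        for name in filenames:
            if Path(name).suffix.lower() not in PROGRAM_SUFFIXES:
                continue
            path = os.path.join(dirpath, name)
            if writable_by_others(os.lstat(path).st_mode):
                findings.append((path, "program writable by group/world"))
    return findings


def build_demo_tree() -> str:
    """Construct a sample 'public programs' tree for this example (constructed
    data, no real LAN involved): a correctly locked-down APPS directory and a
    LOGIN directory with the mistake the paper describes."""
    root = tempfile.mkdtemp(prefix="lan_public_")
    os.chmod(root, 0o755)
    apps = os.path.join(root, "APPS")
    os.mkdir(apps)
    os.chmod(apps, 0o755)
    for name, mode in (("MENU.COM", 0o555), ("README.TXT", 0o666)):
        p = os.path.join(apps, name)
        Path(p).write_bytes(b"sample")
        os.chmod(p, mode)
    login = os.path.join(root, "LOGIN")
    os.mkdir(login)
    os.chmod(login, 0o777)        # anyone on the LAN can replace files here
    p = os.path.join(login, "LOGIN.EXE")
    Path(p).write_bytes(b"MZ sample")
    os.chmod(p, 0o666)            # and anyone can overwrite the program itself
    return root


def demo() -> list[str]:
    """Run the audit over the constructed tree; returns the reasons found,
    with paths made relative so the result does not depend on the temp dir."""
    root = build_demo_tree()
    return sorted(f"{os.path.relpath(p, root).replace(os.sep, '/')}: {why}"
                  for p, why in audit_shared_programs(root))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

          Note that README.TXT, although world-writable, is not reported:
          the audit is deliberately limited to files a program infector
          could use as a vehicle, and to the directories that would let
          such a file be swapped out from under a read-only bit.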




          SYMPTOMS
          ________


          In general, the most reliable symptom of a computer virus is
          an alert from a good anti-virus program.  Machines properly
          protected by an anti-virus program should never experience
          the more serious symptoms of the virus!  In any large
          organization or community, though, there will be at least a
          few machines not properly protected, and support people
          (Help Desks, Information Centers, repair groups, and so on)
          should be aware of symptoms that might mean a virus has
          infected an unprotected system.

          The 1813 virus is actually one of the more obvious of the
          common PC-DOS viruses.  It has a number of intentional
          effects, and a number of bugs, which can cause infected
          systems to behave oddly even before the virus "activates" on
          Friday the 13th.  The likely symptoms include:

          o   Shortage of disk space and/or growth in size of programs
              (when the virus infects a file, it adds approximately
              1813 bytes to the size of the file),
          o   An occasional decrease in the apparent speed of the
              infected computer (users have described this as, for
              instance, "the machine suddenly started typing at 1200
              baud"),
          o   The scrolling or blanking of a small rectangular area in
              the upper left quadrant of the screen (the "black hole"
              effect),
          o   The message "Program too big to fit in memory" when
              certain often-used EXE programs are run (due to a bug in
              the virus, it will continually re-infect most EXE
              programs, eventually causing them to be too large to
              run),
          o   Malfunctioning of a few infected EXE programs: programs
              "lock up", or report unexpected error conditions or
              inability to load functions.  (This is due to another
              bug in the virus that sometimes destroys part of the
              infected program.)

          The first three of these symptoms are reasonably reliable
          signs of an infection; the last two can be from any of
          various causes.  But in any case, checking a malfunctioning
          computer for known viruses with an anti-virus tool is
          generally a quick and easy process, and a useful addition to
          a support person's toolkit.  Machines infected with the 1813
          virus are often misdiagnosed as having software or hardware
          problems, leading to wasted time (as parts are replaced and
          tests run), and to the risk of spreading the infection via
          diagnostic diskettes.
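          The first symptom in the list, program growth by a fixed amount,
          is what a simple integrity checker can turn into an early
          warning on machines that have no resident protection. The
          following is an added example, not code from the paper or from
          IBM: a Python script that records the size and SHA-256 of each
          EXE and COM file, compares a later snapshot against that
          baseline, labels growth of exactly 1813 bytes (or a multiple of
          it, the repeated re-infection bug described above) and of 1701
          or 1704 bytes (the 17xx family discussed later in the paper),
          and reports programs that have disappeared, which is what the
          Friday-the-13th activation leaves behind. The sample tree, its
          byte patterns, and the "growth" applied to them are constructed
          for the demonstration; no real infected file is involved.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Growth amounts the paper reports for program infectors; used only to label
# a finding.  Any other change is still reported, just without a name.
KNOWN_GROWTH = {
    1813: "1813 (Jerusalem) infection",
    1701: "1701 (Cascade) infection",
    1704: "1704 (Cascade) infection",
}
PROGRAM_SUFFIXES = {".exe", ".com"}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root: str) -> dict[str, tuple[int, str]]:
    """Map each EXE/COM file under root (relative path) to (size, sha256)."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() not in PROGRAM_SUFFIXES:
                continue
            path = os.path.join(dirpath, name)
            data = Path(path).read_bytes()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (len(data), _digest(data))
    return baseline


def describe_growth(growth: int) -> str:
    """Turn a size delta into a human-readable label."""
    if growth in KNOWN_GROWTH:
        return f"grew by {growth} bytes, consistent with {KNOWN_GROWTH[growth]}"
    if growth > 0 and growth % 1813 == 0:
        # The 1813 re-infects most EXE files on every run, so an unprotected
        # machine typically shows several multiples of 1813 by the time
        # anyone looks.
        return (f"grew by {growth // 1813} x 1813 bytes, consistent with "
                f"repeated 1813 re-infection")
    if growth == 0:
        return "contents changed, size unchanged"
    return f"changed (size delta {growth:+d} bytes)"


def compare(root: str, baseline: dict[str, tuple[int, str]]) -> dict[str, str]:
    """Compare the current tree against a baseline; returns {relpath: reason}
    for every program that is new, missing, or different."""
    current = snapshot(root)
    findings = {}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            findings[rel] = "new program, not in baseline"
            continue
        base_size, base_digest = baseline[rel]
        if digest != base_digest:
            findings[rel] = describe_growth(size - base_size)
    for rel in baseline.keys() - current.keys():
        findings[rel] = "missing: erased or renamed since baseline"
    return findings


def demo() -> dict[str, str]:
    """Build a constructed program tree, baseline it, then apply the kinds of
    change the paper describes (constructed changes, no real virus) and
    report what the comparison finds."""
    root = tempfile.mkdtemp(prefix="progs_")
    originals = {
        "A.COM": b"\xe9" * 300,
        "B.EXE": b"MZ" + b"\x00" * 4000,
        "C.EXE": b"MZ" + b"\x01" * 2000,
        "D.COM": b"\x90" * 500,
        "NOTES.TXT": b"not a program",
    }
    for name, data in originals.items():
        Path(root, name).write_bytes(data)
    baseline = snapshot(root)

    Path(root, "A.COM").write_bytes(originals["A.COM"] + b"\x00" * 1813)        # one infection
    Path(root, "B.EXE").write_bytes(originals["B.EXE"] + b"\x00" * (3 * 1813))  # re-infected 3 times
    os.remove(Path(root, "C.EXE"))                                               # erased on a Friday 13th
    Path(root, "D.COM").write_bytes(b"\x91" * 500)                               # same size, new bytes
    Path(root, "E.COM").write_bytes(b"\xe9" * 100)                               # added, never baselined
    return compare(root, baseline)


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{rel:10} {reason}")
```

          The baseline must be taken, and the comparison run, with no
          virus resident, for the reason given under DAMAGE below: a
          resident 1813 infects programs as they are executed, so a
          checker run on an infected machine is itself at risk, and a
          baseline taken then records already-infected files as "clean".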




          DAMAGE
          ______


          The 1813 is not a particularly destructive virus.  At the
          time it loads itself into memory, it asks DOS for the
          current date.  If the day of the week is a Friday, the day
          of the month is 13, and the year is not 1987, the virus
          "activates".  Once the virus has activated, any program
          executed via the DOS "execute program" call, described
          above, is erased.  Users will generally notice this quite
          quickly (as all the programs they try to use turn out not to
          exist!), and it is not generally hard to recover from
          (programs can be re-installed from their original
          distribution diskettes, or re-created from source files).

          The fact that the virus is not intentionally very
          destructive does not mean that protection against it isn't
          cost-effective.  Systems infected with the virus do not work
          very well, and are capable of spreading the infection beyond
          the immediate business or community.   Cleanup is therefore
          necessary; the earlier the virus was detected, the simpler
          cleanup will be.  Erasing a few infected files from one
          diskette is cheap; scanning and cleaning up hundreds of
          unprotected systems after the fact can be very expensive.

          When cleaning up after a memory-resident virus like the 1813
          (and the other viruses discussed in this paper), it is vital
          to make sure that the virus is not in memory during the
          cleanup process!  Otherwise the virus is likely to re-infect
          objects as they are cleaned up, and cleanup will not be
          successful.  To ensure that no virus is active in memory,
          power off the infected system and reboot it from a
          write-protected diskette that is known to be free of
          viruses; then during cleanup use only programs that are
          known not to be infected.



          PROTECTION
          __________


          The 1813 virus is relatively easy to detect and prevent, and
          virtually every commercial anti-virus product can deal with
          it.  The virus makes no attempt to hide itself, and infected
          files are easily recognized as such by even the simplest
          known-virus scanner.  Products which load into memory and
          block unauthorized attempts to alter programs are also
          generally successful against it.  The fact that the virus is
          still so common is a sign that all too many machines still
          lack even the simplest protection against computer viruses.




          THE STONED VIRUS
          ________________


          The Stoned virus, also known as the New Zealand or the
          Marijuana virus, is another of the most common PC-DOS
          viruses.  It was originally found primarily in New Zealand
          and Australia, but has recently become widespread in the
          rest of the world.  Unlike the 1813 virus, the Stoned is a
          boot-sector infector; it infects diskette boot sectors, and
          "master" boot sectors on hard disks.

          When a machine is booted from an infected diskette, the
          virus first infects the hard disk, and then installs itself
          in memory.  Any diskette used in the A: drive thereafter is
          likely to be infected.  Approximately once in eight boots
          from an infected floppy, the message "Your PC is now
          Stoned!" will be displayed during the boot process.  When a
          machine is booted from an infected hard disk, the virus
          loads into memory and infects diskettes in the same way, but
          the message is never displayed.



          SPREAD
          ______


          The Stoned virus, like other boot-sector-infectors, spreads
          through the transfer of floppy diskettes rather than files.
          In general, though, spread scenarios for these viruses are
          similar to those given for the 1813 virus above.  Some
          common scenarios include:

          o   Shared machines - If a shared machine is once booted
              from an infected diskette, the hard disk will become
              infected, and the machine will serve as a center of
              infection.  Diskettes used in the machine will be
              infected (unless they are write-protected), and carry
              the infection to any machine that is later booted from
              them.

          o   Shared diskettes - Shared diskettes of the sort
              described above can serve as channels for the spread of
              boot-sector viruses as well, especially if they are
              designed to be placed in the A:  drive and booted from
              (as many diagnostic and demo diskettes are).  Such
              diskettes should always be write-protected, even if they
              are not designed to be bootable (see the next item).

          o   "Non-bootable" diskettes - Even a "non-bootable"
              diskette that simply displays a message like "Non-system
              disk" when booted from can carry a boot-sector virus.
              Such disks do have a boot sector; it contains a small
              program that simply displays the "Non-system" message
              and waits for a keypress.  If such a diskette becomes
              infected and is later booted from (typically by being
              accidentally left in the A: drive when the machine is
              brought up), the virus will infect the hard disk and
              load into memory BEFORE the "Non-system" message
              appears.  So even a user who in good faith says that the
              office machine is "never" booted from a diskette may
              have in fact booted from an infected non-system floppy,
              and then forgotten about it.

          These scenarios apply to boot-sector-infecting viruses in
          general.  Although the details of the viruses may be
          different, they tend to spread through the same channels.



          SYMPTOMS
          ________


          Again, the primary symptom of the Stoned virus is that an
          anti-virus program tells you it's there!  The other symptoms
          are much less reliable, and an unprotected system can remain
          infected for long periods of time, spreading the infection
          to many diskettes, without the user noticing anything
          unusual.  The "Your PC is now Stoned!" message appears only
          on the occasional boot from diskette; if a workstation's
          hard disk is infected, and all or most boots are from the
          hard disk, the message may never be seen (there are also
          variants of the virus that never display the message at
          all).  Systems infected with the Stoned virus will show less
          total memory than expected if a utility like CHKDSK is run,
          but the average user will not notice the change.  The only
          other symptom of the virus that is at all common is a
          corrupting of the file system on hard disks that were
          originally set up under DOS 2 (the virus stores the original
          boot sector on a part of the disk that is normally unused,
          but is used for the File Allocation Table on some disks set
          up with DOS 2).

          To remove the Stoned virus from an infected diskette, first
          make sure that the virus is not active in memory, by
          powering off and booting from a disk or diskette that is not
          infected.  Then use the SYS command to rewrite the boot
          sector; or use COPY to copy off all important files, and
          then FORMAT to rewrite the entire diskette.  Removing the
          Stoned virus from a hard disk requires a bit of extra work.
          While the 1813 virus may be removed simply by erasing
          infected programs, there is no equally simple way to restore
          an infected master boot sector.  The DOS commands SYS and
          FORMAT only affect the DOS partition on a hard disk, and the
          master boot sector is not in any partition.  The most
          drastic solution is a "low-level" format (generally
          available as a menu option from a diagnostic diskette),
          which overwrites all data on the physical disk drive (all
          files will be erased).  There are some commercial tools
          specifically designed to repair Stoned-infected master boot
          sectors, and some utilities that will overlay the existing
          master boot sector with one of their own; contact your local
          DOS guru for details!  In any case, remember to make sure
          the virus is not active in memory before cleaning up.
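          The cleanup paragraph above turns on a structural fact: the
          master boot sector is the first physical sector of the drive,
          with its code in the first 446 bytes, the four-entry partition
          table at offset 0x1BE, and the 55 AA signature in the last two
          bytes; the DOS partition that SYS and FORMAT rewrite is
          described by that table rather than containing it. As an added
          example, not part of the paper and not any vendor's repair
          tool, the Python below parses a 512-byte sector image in that
          layout, checks it against a previously saved baseline of the
          boot code and the partition table, and reports the pattern
          assumed here for a Stoned-style infection: the code area
          changed while the partition table still describes the same DOS
          partition (the table has to survive, or the disk would no
          longer boot and the infection would be noticed at once). The
          sector images are constructed for the example; reading the
          real sector 0 of a drive is outside what this snippet does.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE          # partition table: four 16-byte entries
PT_SIZE = 4 * 16
SIGNATURE = b"\x55\xaa"    # bytes 510-511 of a valid boot sector


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_partition_table(sector: bytes) -> list[dict]:
    """Decode the non-empty partition entries (status, type, LBA start, size).
    Entry layout: status, 3-byte CHS start, type, 3-byte CHS end, LBA start,
    sector count; all multi-byte fields little-endian."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PT_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start,
                            "sectors": sectors})
    return entries


def make_baseline(sector: bytes) -> dict[str, str]:
    """Hash the code area and the partition table separately.  Take this
    from a machine booted from a known-clean, write-protected diskette."""
    return {"code": _digest(sector[:PT_OFFSET]),
            "table": _digest(sector[PT_OFFSET:PT_OFFSET + PT_SIZE])}


def check_master_boot_sector(sector: bytes, baseline: dict[str, str]) -> dict:
    """Compare a sector image to the baseline and return a verdict."""
    result = {"signature_ok": len(sector) == SECTOR_SIZE
              and sector[-2:] == SIGNATURE}
    if not result["signature_ok"]:
        result["verdict"] = "not a valid boot sector (no 55 AA signature)"
        return result
    result["code_ok"] = _digest(sector[:PT_OFFSET]) == baseline["code"]
    result["table_ok"] = (_digest(sector[PT_OFFSET:PT_OFFSET + PT_SIZE])
                          == baseline["table"])
    result["partitions"] = parse_partition_table(sector)
    if result["code_ok"] and result["table_ok"]:
        result["verdict"] = "matches baseline"
    elif not result["code_ok"] and result["table_ok"]:
        result["verdict"] = ("boot code replaced, partition table intact: "
                             "typical of a boot-sector infector")
    else:
        result["verdict"] = "partition table changed: check before repairing"
    return result


def constructed_clean_mbr() -> bytes:
    """A constructed stand-in for a clean master boot sector: filler bytes in
    place of real boot code, one active DOS partition, valid signature."""
    code = b"\xfa\x33\xc0" + b"\x90" * (PT_OFFSET - 3)   # filler, not real boot code
    # status 0x80 (active), CHS fields zeroed (filler), type 0x06 (FAT16),
    # starting at LBA 63 and 20480 sectors long; three empty entries follow.
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 20480)
    table = entry + b"\x00" * (16 * 3)
    return code + table + SIGNATURE


def constructed_altered_mbr() -> bytes:
    """The same sector with the code area replaced and everything else kept:
    the shape of change assumed above for a Stoned-style infection."""
    clean = constructed_clean_mbr()
    new_code = b"\xeb\x1c\x90" + b"\xcc" * (PT_OFFSET - 3)  # filler, not virus code
    return new_code + clean[PT_OFFSET:]


def demo() -> tuple[str, str, str]:
    """Verdicts for the clean image, the altered image, and an all-zero sector."""
    baseline = make_baseline(constructed_clean_mbr())
    return (check_master_boot_sector(constructed_clean_mbr(), baseline)["verdict"],
            check_master_boot_sector(constructed_altered_mbr(), baseline)["verdict"],
            check_master_boot_sector(b"\x00" * SECTOR_SIZE, baseline)["verdict"])


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

          Two consequences follow from the layout the parser exposes.
          First, because the partition entry only points at where the
          DOS partition begins, rewriting that partition with SYS or
          FORMAT leaves bytes 0 to 445 of sector 0 untouched, which is
          exactly the paper's point about why those commands do not
          remove the Stoned. Second, a check like this is only as good as
          the sector image it is handed: it must be taken with no virus
          resident, as the paper insists, since a resident boot-sector
          virus controls the disk reads that produce the image.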



          PROTECTION
          __________


          Like the 1813 virus, the Stoned is well-known and
          well-understood, and any good anti-virus program should be
          effective against it.  It makes no attempt to hide itself,
          and infected boot sectors are easily recognizable.




          THE JOSHI VIRUS
          _______________


          The Joshi virus is another boot-sector infector, similar to
          the Stoned.  It also infects diskette boot sectors and hard
          disk master boot sectors.  It appeared only recently in the
          U.S., but has quickly become one of the most
          commonly-appearing viruses; this seems to be due to lucky
          (from the virus' point of view) accidents, rather than to
          any special properties of the virus.  On January 5th of any
          year, infected machines will periodically halt with the
          message

                          Type "Happy Birthday Joshi" !

          on the display.  Typing "Happy Birthday Joshi" will unlock
          the system.



          SPREAD
          ______


          In terms of spread characteristics, the Joshi virus is very
          similar to the Stoned.  When a machine is booted from an
          infected diskette or hard disk, the virus loads into memory,
          and any diskettes used in the A: or B: drives, as well as
          the first two physical hard disks, may become infected
          thereafter.  The Joshi virus is somewhat larger and more
          complex, but all the spread scenarios given for the Stoned
          apply.



          SYMPTOMS
          ________


          Because the Joshi is larger and more complex, Joshi-infected
          systems are somewhat more likely to malfunction than systems
          infected with the Stoned.  Under some circumstances, systems
          infected with the Joshi virus will be unable to correctly
          access the diskette drives, for instance.  As with the
          Stoned, Joshi-infected systems will have somewhat less total
          memory than they should, but the typical user will not
          notice this.  As always, the most reliable symptom is an
          alert from an anti-virus program, and checking for viruses
          is a good first step when dealing with any unprotected
          system that is acting strangely.




          PROTECTION
          __________


          The Joshi is a somewhat newer virus than the 1813 or the
          Stoned, and some anti-virus programs may not be able to
          detect it or protect against it.  It is also slightly harder
          to detect than the Stoned virus, because if the virus is
          active in memory, it will intercept attempts to read the
          infected boot sector, and "lie" to the calling program by
          passing back an image of the system's original uninfected
          boot sector.  It will also remain in memory even if the
          system is booted by pressing the control-alt-delete key
          sequence (it does not, of course, remain in memory if the
          power is turned off!).  The virus is, however, easily
          detected in memory, so an up-to-date anti-virus program
          should have no difficulty detecting it.

          Removing the Joshi virus is very much like removing the
          Stoned; diskettes should be SYSed or FORMATed, and hard
          disks need to have their master boot sectors restored (both
          in a machine in which the virus is NOT currently active in
          memory).





          THE BOUNCING BALL VIRUS
          _______________________


          The Bouncing Ball virus, also known as the Italian or Ping
          Pong virus, is another boot-sector infector, slightly
          different in operation from the Stoned and Joshi.  The
          Bouncing Ball infects diskette boot sectors, and the DOS
          boot sector (rather than the master boot sector) on hard
          disks.  The most obvious effect of the virus is that,
          approximately once in sixteen boots from an infected disk or
          diskette, a bouncing dot will appear on the display during
          the boot process and afterwards.




          SPREAD
          ______



          Although the details of infection differ, all the scenarios
          given for the Stoned virus apply to the Bouncing Ball virus
          as well.  Shared machines, shared diskettes, and
          non-bootable diskettes may all serve as channels for the
          virus to spread.



          SYMPTOMS
          ________


          Besides alerts from anti-virus programs, the main symptom of
          the Bouncing Ball virus is a bouncing dot on the display.
          But even this is not a completely reliable symptom; the
          virus only displays the dot when the value in the system
          clock at boot time has certain properties, and there may be
          systems on which the effect will rarely or never appear.  As
          with the Stoned and Joshi viruses, an infected system has a
          bit less total memory than it should (because the virus
          reserves some memory at boot-time for itself), but the
          average user will not notice the difference.



          PROTECTION
          __________


          The Bouncing Ball is another old and well-known virus, and
          any good anti-virus program should be able to deal with it.
          Removing the Bouncing Ball from a hard disk is somewhat
          simpler than removing the Stoned or Joshi.  The SYS command
          will generally work even on an infected hard disk (since the
          virus infects the DOS boot sector, which SYS touches),
          although always re-check a disk after SYSing, to make
          certain.  In some circumstances, SYS may not overwrite the
          boot sector, and a DOS FORMAT (after backing up all
          important files) or a special utility may be required.  In
          any case, remember to turn the power off and reboot from a
          known-clean diskette before cleaning up.




          THE SUNDAY VIRUS
          ________________


          The Sunday virus is closely related to the 1813; the author
          of the Sunday clearly started with a copy of the 1813 virus
          and made a number of changes to it.  Despite its similarity
          to the 1813, the Sunday virus is much less common.

          Like the 1813, the virus loads into memory the first time an
          infected program is run, and remains in memory until
          power-off or reboot, infecting any programs that are
          executed.  The virus contains code that is designed to erase
          files and display a message if the day of the week is Sunday
          (and the year is not 1989), but at least in the most common
          variant of the virus, the code has a bug, and is never
          actually executed.  The Sunday virus does not display "black
          holes", does not slow down infected machines, and does not
          multiply-infect EXE files.




          SPREAD
          ______


          Because the Sunday virus is so similar to the 1813, it will
          spread through the same channels as the 1813.  Shared
          machines, shared diskettes, shared programs, and LAN servers
          are all key points in restricting the spread of this class
          of virus.



          SYMPTOMS
          ________


          The Sunday virus is somewhat less likely to be noticed than
          the 1813, because the more obvious symptoms have been
          removed.  The most common variant of the virus does not
          erase files, cause blank or scrolling boxes, slow down
          infected machines, or cause EXE files to grow repeatedly.
          The symptoms that remain, including one-time growth of files
          and the occasional malfunctioning EXE program, are less
          likely to be noticed.



          PROTECTION
          __________


          Although it is newer than the 1813, the Sunday virus is
          well-known and easy to detect, and should be caught by any
          good anti-virus program.





          THE 17XX VIRUSES
          ________________


          The name "17xx" refers to a family of viruses, sometimes
          called (among other things) Cascade, Blackjack, or Falling
          Tears.  The most common members of this family are the 1701
          and 1704 viruses.  Like the 1813 and Sunday viruses, the
          17xx viruses load into memory when the first infected
          program is executed, and remain resident until power off or
          reboot, infecting files which are executed.  Unlike those
          viruses, the 17xx viruses infect only COM-format files(1).
          ----------------
          1   COM-format files usually have the extension "COM",
              although overlay files in COM format may have any
              extension at all, and a few files with extension "EXE"
              are actually in COM format.  The details are
              unimportant; a good anti-virus program will do the right
              thing.
          ----------------
          The virus will also occasionally cause all the letters on
          the display to fall into a "heap" at the bottom of the
          screen; this happens only very rarely if the year is after
          1988, however.




          SPREAD
          ______


          Except for the fact that only COM-format files are infected,
          the 17xx viruses spread through the same channels as the
          1813 and Sunday.




          SYMPTOMS
          ________



          As usual, the most reliable symptom of infection with the
          1701 or 1704 virus is an alert from an anti-virus program.
          The "falling letters" effect happens only if the system date
          is in October, November, or December of 1988, or if the date
          is January 1st 1980 when the virus first loads, and is later
          set to a date after October 1988.  So many systems may be
          infected with the virus for long periods of time without the
          display appearing.  Infected files will grow by 1701 bytes
          or 1704 bytes (depending on the exact strain of the virus),
          but the typical user will not notice that.




          DAMAGE
          ______



          The most common members of this family do no intentional
          damage at all, and if the virus is detected early the only
          cleanup involved will be erasing the infected files and
          replacing them with good copies.  One rare member of the
          family (the "1704-Format" virus) will attempt to format part
          of the hard disk when it activates; recovering from that
          activation requires restoring the disk from backups.




          PROTECTION
          __________



          Like most of the commonest viruses, the 1701 and 1704 are
          old and well-known.  They are also simple to detect, and any
          good anti-virus program should be able to detect or prevent
          them.





          THE DISK KILLER VIRUS
          _____________________



          Also known as the Ogre, the Disk Killer virus is a
          boot-sector infector that can be very destructive.  Like the
          Bouncing Ball virus, the Disk Killer infects diskette boot
          sectors and DOS boot sectors on hard disks.  When a machine
          is booted from an infected diskette or hard disk, the virus
          loads itself into memory, and infects any diskette or hard
          disk that is later read from (until the next reboot or power
          off).  If an infected machine is left on for about 48 hours
          without a reboot, the next read to a disk or diskette will
          cause a message to be displayed, and all data on the boot
          disk (or diskette) will be scrambled.  (There may be
          variants of the virus in which the details of the activation
          conditions are different.)



          SPREAD
          ______



          The spread characteristics of the Disk Killer are very
          similar to those of the Stoned and the Bouncing Ball.




          SYMPTOMS
          ________



          Due to a bug in the virus, diskettes will sometimes be
          improperly infected, and either fail to boot or contain
          damaged files.  Attempts to format a diskette in an infected
          machine will also sometimes fail.  Infected disks and
          diskettes will also show a number of bad sectors and reduced
          total memory, if a utility like CHKDSK is used.  All these
          symptoms may go unnoticed even when they do occur, however,
          and anti-virus software is the most reliable test.




          DAMAGE
          ______



          When the virus activates, it displays a message like:

              Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989

              Warning!   Don't turn off the power or remove the diskette
              while Disk Killer is processing!

              PROCESSING

              Now you can turn off the power.   I wish you luck.

          and then scrambles all data on the disk or diskette that was
          last booted from.  If the computer is powered down
          IMMEDIATELY after the first part of the message appears, the
          data-scrambling will not occur.  On the other hand, if the
          scrambling is allowed to run to completion, it may be
          possible to recover the data with a program specifically
          designed to unscramble Disk-Killer-damaged disks.  The best
          solution, however, is to detect the virus before it has a
          chance to activate!




          PROTECTION
          __________



          The Disk Killer is reasonably well-understood and simple to
          detect, and any good anti-virus program will catch it.
          Perhaps because it is so destructive, it seems not to be as
          widespread in the world as it once was.




          THE DARK AVENGER
          ________________


          The Dark Avenger, sometimes called the Eddie virus, is the
          most subtly destructive of the viruses we will discuss here.
          Like the other file-infecting viruses we've seen, the first
          time an infected file is run, it loads itself into memory,
          and remains there until the next reboot or power off.  As
          well as infecting files that are executed, the Dark Avenger
          will infect files that are opened (for reading or writing),
          renamed, or operated on in any of a number of other ways.
          Approximately every 16 executions of an infected program, it
          will overwrite a random sector of the disk the program was
          run from with the string "Eddie lives...somewhere in time!"
          followed by part of the body of the virus.




          SPREAD
          ______



          The Dark Avenger can spread through the same channels as the
          1813.  Because it infects files under more conditions than
          the 1813, it can become widespread within a single machine
          faster.  Any operation (such as many kinds of backups, disk
          searches, and so on) that opens many files can spread the
          virus very quickly to many programs on an infected machine.
          This increases both the chance that it will spread to
          another machine, and the chance that it will be detected
          (since more files will be changing).




          SYMPTOMS
          ________



          The only symptoms of the Dark Avenger that are likely to be
          noticed without an anti-virus program are the growth in size
          of files, the occasional appearance of the "Eddie..."
          message inside files, and general system malfunction (caused
          by the overlaying of programs with the virus message).  The
          latter two effects may go unnoticed, or be blamed on
          hardware, for some time, especially if the disk is not very
          full (because then the sectors overwritten will generally be
          unused).




          DAMAGE
          ______



          Because the virus writes its message to random sectors on
          the disk, cleaning up after a Dark Avenger infection can be
          tedious; every file on disk and diskette must be checked for
          the virus message (and, of course, all files should be
          checked for the virus itself), and restored from somewhere
          if found to be damaged.



          PROTECTION
          __________


          Again, any good anti-virus program should provide protection
          against the Dark Avenger; an anti-virus program that does
          not know about the Dark Avenger can actually cause an
          infection to spread faster, if it opens many files for
          scanning while the virus is in memory.  But other sorts of
          protection programs (that do not allow programs to run if
          they have been altered, for instance) should have no trouble
          against this virus.
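          The cleanup check described under DAMAGE, as an added
          example that is not part of the original paper: a scanner
          for the "Eddie lives..." message that reads files sector by
          sector and still finds a message that straddles a sector
          boundary.  It assumes the marker is the exact text quoted
          above, and, for the reason given under PROTECTION, is meant
          to be run after booting from clean, write-protected media so
          that no virus is in memory while files are opened.

```python
import os
import tempfile

# The message the paper says the Dark Avenger writes into a random sector.
# Taken from the text above; the exact bytes in a real sample may differ.
EDDIE_MARKER = b"Eddie lives...somewhere in time!"
SECTOR = 512  # read in sector-sized chunks, since the damage is sector-wise


def find_marker(path, marker=EDDIE_MARKER):
    """Return every byte offset at which `marker` occurs in the file.

    Keeps len(marker) - 1 bytes of overlap between reads so a message that
    straddles a sector boundary is reported exactly once.
    """
    offsets, carry, base = [], b"", 0  # base: file offset of carry[0]
    overlap = len(marker) - 1
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(SECTOR), b""):
            buf = carry + chunk
            idx = buf.find(marker)
            while idx >= 0:
                offsets.append(base + idx)
                idx = buf.find(marker, idx + 1)
            if len(buf) > overlap:
                base += len(buf) - overlap
                carry = buf[-overlap:]
            else:
                carry = buf
    return offsets


def scan_tree(root, marker=EDDIE_MARKER):
    """Map each file under `root` that contains the marker to its hit offsets."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            found = find_marker(path, marker)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo():
    """Constructed sample: one file hit at offsets 500 and 1100, one clean file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "REPORT.DOC"), "wb") as fh:
        fh.write(b"A" * 500 + EDDIE_MARKER + b"B" * 568 + EDDIE_MARKER)
    with open(os.path.join(root, "CLEAN.COM"), "wb") as fh:
        fh.write(b"\x90" * 1024)
    return scan_tree(root)  # -> {'REPORT.DOC': [500, 1100]}
```

          Files reported by the scanner are damaged and must be
          restored from a good copy; the scan finds the message, not
          the virus itself, which a known-virus detector is still
          needed for.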





          LESSONS
          _______


          All the viruses discussed here have a few features in
          common; all load themselves into system memory when first
          executed, and later infect other objects as they are used.
          All are relatively simple and well-understood, and all are
          easily protected against with any of a number of available
          anti-virus programs.  On the other hand, all are still
          circulating in the computing community; an indication that
          anti-virus measures are still underutilized.  Protecting a
          single machine has become relatively easy; protecting all
          the machines in a community or an organization is still
          difficult.

          Before computer viruses were widespread, [White et al, 1989]
          contained the following advice on the subject:

             o   Put a knowledgeable group in place to deal with
                 virus incidents.

                 -   The group may be a formal part of the
                     organization, or may be an informal collection
                     of knowledgeable people.

                 -   The group should be responsible for educating
                     users about the threat of viruses, providing
                     accurate information about viruses, responding
                     to reports of viruses, and dealing with viral
                     infections when they occur.

                 -   Make sure each employee who works with a
                     computer knows how to contact this group if
                     they suspect a viral infection.

             o   Develop a plan to deal with viruses before there
                 is a problem.

                 -   Decrease the risks of an initial infection,
                     from internal and external sources.

                 -   Put mechanisms in place to detect viral
                     infections quickly.

                 -   Develop procedures to contain an infection
                     once one is detected.

                 -   Know how to recover from a viral infection.

             o   Test the plan periodically, as you would test a
                 fire evacuation plan.

                 -   But DO NOT use a real virus to test the plan!


          This advice is still applicable today.  The primary caution
          that needs to be added is that, since computer viruses are
          now a very real possibility for every popular microcomputer,
          the employment of anti-virus software (including detectors
          for known viruses as well as more general protections) is
          highly recommended, especially at key points such as shared
          machines and LAN servers.

          While most virus infections are caused by a comparatively
          old, well-known virus, not all are.  Particularly critical
          systems should be equipped with both a good known-virus
          detector and a more general change-detector.  A combination
          of the right anti-virus software, advance planning, and
          general safe practices (don't, for instance, forget
          write-protect tabs where possible) can reduce the chance of
          becoming infected with a virus, and ensure that any
          infection that does occur will be quickly detected,
          contained, and recovered from.  See [White et al, 1989] for
          more general advice on the subject.
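          The "more general change-detector" recommended above, as an
          added example that is not part of the original paper: it
          records the size and a SHA-256 digest of every COM and EXE
          file on a known-clean system, and later reports any program
          whose contents changed, labelling a growth of exactly 1701
          or 1704 bytes with the Cascade strains described earlier.
          SHA-256 and the file suffix list are this example's own
          choices, not something the paper specifies.

```python
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".com", ".exe")
# Growth figures the paper gives for the Cascade strains.
KNOWN_GROWTH = {1701: "Cascade 1701", 1704: "Cascade 1704"}


def fingerprint(path):
    """Return (size, sha256 hex) of a file, hashing in 64 KiB blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return os.path.getsize(path), digest.hexdigest()


def take_baseline(root):
    """Fingerprint every executable under root; take this on a clean system."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                baseline[os.path.relpath(path, root)] = fingerprint(path)
    return baseline


def check_against(baseline, root):
    """Compare the executables now under root with baseline; relpath -> finding."""
    findings = {}
    for rel, (size, digest) in take_baseline(root).items():
        if rel not in baseline:
            findings[rel] = "new executable, not in baseline"
        elif digest != baseline[rel][1]:
            growth = size - baseline[rel][0]
            label = KNOWN_GROWTH.get(growth, "unknown change")
            findings[rel] = "changed, size delta %+d bytes (%s)" % (growth, label)
    return findings


def demo():
    """Constructed sample: baseline two programs, then simulate a 1701-byte growth."""
    root = tempfile.mkdtemp()
    for name in ("CALC.COM", "EDIT.EXE"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x90" * 2048)
    baseline = take_baseline(root)
    with open(os.path.join(root, "CALC.COM"), "ab") as fh:
        fh.write(b"\x00" * 1701)  # stand-in for code appended by an infection
    return check_against(baseline, root)
```

          The baseline itself must be kept on write-protected media,
          since a virus that can alter the programs can alter an
          unprotected baseline file just as easily.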




          REFERENCES
          __________


          Fred Cohen, "Computer Viruses: Theory and Experiments",
          Computers & Security, Volume 6 (1987), 22-35.

          S. R. White, D. Chess, and C. J. Kuo, "Coping with Computer
          Viruses and Related Problems", IBM Research Report RC14405,
          1989; IBM order number G320-9913; also published in the
          Proceedings of the DPMA's Third Annual Computer Virus
          Clinic.




