IT issues on 666 ABC Canberra Drive with Keri Phillips each Monday at 5:50pm
With Tom Worthington FACS, Visiting Fellow, Department of Computer Science, Australian National University
Viruses: 20 August 2001
A computer virus is executable code that, when run by someone, infects or attaches itself to other executable code in a computer in an effort to reproduce itself. Some computer viruses are malicious, erasing files or locking up systems; others merely present a problem solely through the act of infecting other code. In either case, though, computer virus infections should not go untreated.
From: What is a Computer Virus by George A. Theall, Thomas Jefferson University Hospital
Technically speaking, most of the computer viruses people talk about are really not viruses but "Trojan Horses" or "worms". The more general description of these is malicious code. Two current examples of malicious code are:
- Sircam:
"W32/Sircam" is malicious code that spreads through email and potentially through unprotected network shares. Once the malicious code has been executed on a system, it may reveal or delete sensitive information ... Published reports indicate that on October 16 there is a reasonable probability that W32/Sircam will attempt to recursively delete all files from the drive on which Windows is installed (typically C:).
From: W32/Sircam Malicious Code, CERT® Advisory CA-2001-22, Original release date: July 25, 2001, Last revised: July 25, 2001, Source: CERT/CC
- Code Red:
Since around July 13, 2001, at least two variants of the self-propagating malicious code "Code Red" have been attacking hosts on the Internet ... Different organizations who have analyzed "Code Red" have reached different conclusions about the behavior of infected machines when their system clocks roll over to the next month. Reports indicate that there are a number of systems with their clocks incorrectly set, so we believe the worm will begin propagating again on August 1, 2001 0:00 GMT. There is evidence that tens of thousands of systems are already infected or vulnerable to re-infection at that time. Because the worm propagates very quickly, it is likely that nearly all vulnerable systems will be compromised by August 2, 2001. The CERT/CC has received reports indicating that at least 280,000 hosts were compromised in the first wave.
From: Continued Threat of the "Code Red" Worm, CERT® Advisory CA-2001-23, Original release date: July 26, 2001, Last revised: August 16, 2001, Source: CERT/CC
To minimize the risk of malicious code, install up-to-date anti-virus software. CERT includes a list of anti-virus software vendors in its Sircam alert. The easiest way to keep your anti-virus package up to date with the latest virus definitions is with automatic updates via the Internet. Those running servers should keep the operating system up to date with security patches supplied by the vendor.
Make regular backups of the valuable information on your computer. Also keep the installation disks and manuals that came with the computer and with any software you purchased, so you can reinstall programs.
Almost all malicious code is targeted at computers running the Microsoft Windows operating system. Sircam is targeted at all versions of Microsoft Windows and Code Red at Microsoft Windows NT, Windows 2000 running server software and some products.
Philip Argy, Chair of the Australian Computer Society's Ethics, Legal and Social Implications Committee, who recently gave evidence to a Senate Committee on the Commonwealth Cybercrime Bill, warns: "There's an interesting legal issue as to whether you are liable for negligently propagating a virus or worm - I think you could well be and most people are oblivious to the issue."
Hoax Virus Warnings
While there are many real viruses, there are also hoax virus warnings spread by e-mail, and these do damage too. Oxford University Computing Services provides a brief list of where you can find out which are the hoaxes. Hoax messages will ask you to pass the message on to everyone you know; please don't. A genuine warning will have contact details, including a web address, to confirm the information. Some hoaxes contain false instructions on how to remove a virus, which could actually delete the information on your computer.
Acknowledgement
Thanks to members of the Australian Computer Society, Department of Computer Science ANU and the Link mailing list for assistance.
Comments and corrections to: webmaster@tomw.net.au
Copyright © Tom Worthington 2001.