
Memory space has to be found for all viruses which go memory resident. These include Memory Resident Parasitic Viruses and Boot Sector Viruses. There are various means of doing this:

[1] Locate at the top of memory and reduce the space available to MS-DOS. This is done by altering the value held at location 0040:0013 in memory, so that DOS believes it has 640K bytes available minus the length of the virus. This is the favoured mechanism for Boot Sector viruses. This allocation can be detected by utilities such as CHKDSK or by Antivirus programs [49].

[2] Allocation above 640K in memory. This will involve the virus searching for suitable free RAM space. The likelihood of detection is not high.

[3] Use the MS-DOS TSR functions to place the virus code as resident so that it is not overwritten. This is the simplest method but is easily detected by Antivirus monitors Ufi.

[4] Use the first Disk I/O buffer used by MS-DOS and remove it from the I/O chain. These buffers are 512 bytes long, which is often enough for a virus. Being an unusual approach, this is unlikely to be detected [20,22].
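Method [1] above is the one the text says CHKDSK-style utilities can catch, because the word at 0040:0013 (the BIOS data area's conventional-memory size, in KB) no longer reads 640. The following C function, an added example that is not from the original report, performs that check on a constructed copy of the BIOS data area; on a real DOS machine the two bytes would be read from segment 0040h at offset 13h instead. The sample values and the 7K deficit (the size the text gives for a resident BRAIN) are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EXPECTED_KB 640          /* what a machine with a full 640K reports */
#define BDA_MEMSIZE_OFFSET 0x13  /* offset of the memory-size word in segment 0040h */

/* Outcome of inspecting the BIOS data area memory-size word. */
struct memcheck {
    unsigned reported_kb;  /* little-endian KB count read at 0040:0013 */
    unsigned missing_kb;   /* EXPECTED_KB - reported_kb, or 0 if nothing is hidden */
    unsigned hidden_seg;   /* segment where the region DOS can no longer see begins */
};

/* bda points at a copy of the BIOS data area; len is its length in bytes.
 * A segment paragraph is 16 bytes, so 1 KB = 64 paragraphs and the top of
 * visible memory sits at segment reported_kb * 64. */
struct memcheck check_top_of_memory(const uint8_t *bda, size_t len)
{
    struct memcheck r = {0, 0, 0};
    if (len < BDA_MEMSIZE_OFFSET + 2)
        return r;                                   /* snapshot too short to judge */
    r.reported_kb = bda[BDA_MEMSIZE_OFFSET] | (bda[BDA_MEMSIZE_OFFSET + 1] << 8);
    if (r.reported_kb < EXPECTED_KB) {
        r.missing_kb = EXPECTED_KB - r.reported_kb; /* KB stolen from the top */
        r.hidden_seg = r.reported_kb * 64;          /* where that region starts */
    }
    return r;
}

/* Constructed samples: a clean BDA reporting 0x0280 (640 KB), and one reporting
 * 0x0279 (633 KB), the value a 7K resident boot sector virus would leave. */
static const uint8_t clean_bda[0x20] = { [0x13] = 0x80, [0x14] = 0x02 };
static const uint8_t stolen_bda[0x20] = { [0x13] = 0x79, [0x14] = 0x02 };

int main(void)
{
    struct memcheck r = check_top_of_memory(stolen_bda, sizeof stolen_bda);
    if (r.missing_kb)
        printf("0040:0013 reports %u KB; %u KB hidden from DOS above segment %04X\n",
               r.reported_kb, r.missing_kb, r.hidden_seg);
    else
        printf("0040:0013 reports the full %u KB\n", r.reported_kb);
    return 0;
}
```

The check is only as trustworthy as the snapshot: a stealth virus that intercepts reads of the BIOS data area would have to be caught by the boot-sector redirection test described later instead.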

1.3 : FIRST GENERATION COMPUTER VIRUSES

The first, purely experimental virus was injected into a contained environment at the University of Southern California in October 1983. It was written by Fred Cohen, to be run on a VAX 11/750 running UNIX. It was capable of taking over the entire system in less than 30 minutes. File to file infection took much less than a second and was therefore not detectable by a user. It was written purely as a demonstration and never allowed to spread beyond the system mentioned above.

Early examples of computer viruses released into the public domain were probably written as irresponsible jokes. It was late 1987 when the first DOS viruses appeared. First was the BRAIN virus, closely followed by the LEHIGH and JERUSALEM viruses.

BRAIN [7,8] is a boot sector virus which attached itself to 360K floppy drives only. It claims both the boot sector and a further 3 clusters (6 sectors), which it marks as 'BAD' in the FAT. It stores the original boot sector within the extra sectors it allocates itself, which it calls once the virus is installed. It occupies 7K of memory when resident. It gets its name because each infected disk has its label changed to '(c) Brain'. This was the first recorded DOS virus and was also the first to exhibit 'stealth' capabilities (which are explained later): the virus intercepted any requests to read the boot sector and redirected them to the original sector if they occurred. Thus the virus hid itself from the user. Its source was Lahore in India and its range went as far as Delaware and Washington Universities in the USA, a Midlands University, a Leicester consultancy, and a major Insurance company on the South Coast. This virus is a

LEHIGH [7,23] is a parasitic virus which becomes memory resident. Unlike BRAIN, this virus is far from benign: it trashes a disk after it has been infected four times by overwriting the first thirty-two sectors of the disk. It infected several hundred machines, causing severe loss of data before it was detected, and several hundred more were infected before a cure was found. It is estimated that it infected 600 disks within just two days. It originated in Lehigh University in the USA, hence its name, and the damage it caused was fairly centralised. The reason for this was that the virus triggered after infecting only four files. This meant that detection was quick: it is estimated that if this number had been much higher, then tens of thousands of machines world-wide would have been affected. This is a SCAM-GTAR virus as it only infected a specific file, COMMAND.COM, yet its target action is general.

JERUSALEM [7,24] is a memory resident, parasitic virus. It infects all .EXE and .COM files in the system upon execution. After thirty minutes the virus triggers: the system slows down by a factor of five and an area of the screen from row 5 column 5 to row 16 column 16 scrolls up two lines. All programs executed on Friday the thirteenth are also deleted. It is estimated that at its peak 10 000 to 20 000 machines were infected. This virus is of the GCAM-GTAR type.

These viruses were simple in design and required only limited skill to write. They were simple to disassemble and analyse. Detection and removal of these viruses was also reasonably simple. However this was not the case for very long.

1.4 : NEW GENERATION COMPUTER VIRUSES

Over 400 DOS viruses exist in the world today and this number is increasing at the rate of over 1 per day I^si. Other types of machines, such as those running MACOS, are similarly affected, although the number in existence and the rate of growth are proportionately smaller than for the PC. Reasons for this probably include the simple fact that there are far more PCs in the world today and that they have been in existence longer. DOS is also a far more open and documented operating system than its Macintosh counterpart. Larger machines such as VAX and SUN systems have also been suffering from infections, but these machines have proved to be more immune from attack, at least for the moment.

Analysis of the viruses that are currently appearing indicates that virus infection is, and is going to continue to be, a very real problem within the computing community. As a steady flow of new viruses is released day by day, it becomes obvious that a group of highly motivated individuals, or even companies, from all around the world are actively developing virus code.

Eradication of these infections is becoming more and more necessary as they increase in complexity, sophistication, and of course number.
