Internet Security Professional Reference:Viruses


How and When the Virus Infects New Items

After the Concept virus installs itself in the global macro pool, it has no problem further propagating into new, uninfected documents. In addition to the virus’ AutoOpen macro, the virus contains a macro known as FileSaveAs. The virus also copies this macro (from an infected template’s local pool) into the global macro pool during the infection process.

If the FileSaveAs macro exists in either the local or global macro pool, Word for Windows is designed to execute this macro anytime the user selects the Save As option from the File menu. After the environment is infected, if a user edits an uninfected document and then uses the Save As option to save a copy, the virus’ FileSaveAs macro executes. The virus’ version of this macro is designed to copy each of the virus macros (including FileSaveAs and FileOpen) from the global macro pool to the document’s local macro pool before the document is saved.

The macro also changes the type of the file from a standard document format to the infectious .DOT format; however, it doesn’t update the name of the file. Finally, the macro allows Word for Windows to save the newly infected file in the usual fashion.

Word for Windows automatically saves all viral macros in the local pool to the file, because the file has been internally converted to a template format.

Note that Word for Windows determines the file type (document or template) from the contents of the file as opposed to the name of the file. So, even though the newly infected template file has an improper extension (.DOC), Word for Windows still can properly work with the file.
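Because the file type lives in the file's contents, a scanner can compare it with the extension. The following is an added example, not code from the book: it assumes the Word binary format's FIB header at the start of the WordDocument stream (bit 0 of the 16-bit flags word at offset 0x0A is the template flag, fDot) and that the caller has already extracted that stream from the file's OLE container; the function names and sample data are hypothetical.

```python
import struct
from pathlib import PurePath

# Magic values of the FIB (File Information Block) at the start of the
# WordDocument stream: 0xA5DC for Word 6/95, 0xA5EC for Word 97 and later.
FIB_MAGICS = {0xA5DC, 0xA5EC}
FDOT = 0x0001  # bit 0 of the flags word at offset 0x0A: file is a template


def is_template(word_stream: bytes) -> bool:
    """Return True if the FIB marks the file as a template (fDot set)."""
    if len(word_stream) < 12:
        raise ValueError("stream too short to hold a FIB header")
    w_ident, = struct.unpack_from("<H", word_stream, 0)
    if w_ident not in FIB_MAGICS:
        raise ValueError(f"not a Word binary stream (wIdent=0x{w_ident:04X})")
    flags, = struct.unpack_from("<H", word_stream, 0x0A)
    return bool(flags & FDOT)


def classify(filename: str, word_stream: bytes) -> str:
    """Compare the name-based type with the content-based type."""
    try:
        template = is_template(word_stream)
    except ValueError:
        return "unparsed"
    ext = PurePath(filename).suffix.lower()
    if template and ext != ".dot":
        return "suspicious"   # template content behind a document name
    return "consistent"


def make_fib(magic: int, flags: int) -> bytes:
    """Constructed sample: a 12-byte FIB prefix with zeroed middle fields."""
    return struct.pack("<HHHHHH", magic, 0, 0, 0, 0, flags)


if __name__ == "__main__":
    samples = [  # constructed inputs, not real documents
        ("report.doc", make_fib(0xA5DC, 0x0000)),
        ("memo.doc", make_fib(0xA5DC, 0x0001)),
        ("letterhead.dot", make_fib(0xA5EC, 0x0001)),
        ("notes.doc", b"plain text"),
    ]
    for name, stream in samples:
        print(f"{name:16} {classify(name, stream)}")
```

A "suspicious" result is a triage signal rather than proof of infection, since a clean template that was simply renamed to .DOC produces the same mismatch.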

Potential Damage the Virus Can Do

To spread, macro viruses must convert standard document files into template files that contain the virus macros. Once a Word for Windows template contains macros, it can only be saved as a template file; otherwise, the macro contents would become lost. Word for Windows doesn’t allow the user to save infected files as document files because, following infection, they contain macros.

Like any other virus, macro viruses can maliciously destroy programs and data on the computer; however, no other major unintentional side effects result from macro virus infection.

Worms

A worm is a self-contained program or set of programs that can propagate from one machine to another. Unlike a virus, the computer worm does not need to modify a host program to spread.

In 1988, the notorious Internet Worm wreaked havoc around the world, spreading to both VAX and SUN systems running BSD Unix and SunOS. It infiltrated more than 6,000 machines connected to the Internet.

At the time of this writing, no PC worms have been discovered. The most likely reason is that a worm must be able to send one or more executable program(s) to target client machines connected to a network before it can function. These executable programs can be as simple as a standard DOS batch file or as complicated as a full C program. The worm also must be able to execute, interpret, and/or compile these programs after they reach a target machine. After the worm establishes itself, and is executing on a new machine, it can then spread to other machines on the network.

Until recently, widely used PC operating systems did not, by default, provide remote execution facilities; the absence of this functionality made creating worm-like programs difficult.

Although standard DOS and Windows 95 systems do not provide remote execution facilities in their default configurations, the Windows NT operating system, which has been growing in popularity in recent years, does have these capabilities and can support worm-like programs.

Network and Internet Virus Susceptibility

With respect to DOS-based computer viruses, networks can be divided into the following three categories:

  File-server–based local area networks, where users can store data on, and retrieve data from, one or more central file servers.
  Peer-to-peer networks, where every workstation has the potential to act as both a server and a client. This networking paradigm is available by default under Windows 95.
  Information Superhighway networks, where data flows through, but is never stored on, the network; its primary function is to serve as a data conduit.

The good news about viruses and computer networks is that, by nature, networks act as a semipermeable barrier to computer viruses. Some of the most common workstation viruses are completely unable to pass over networks of any type! The various network categories are, however, subject to different types of infection.

Network Susceptibility to File Viruses

The typical file virus can spread through all three types of network environments.

File Viruses on Network Servers

Consider the local area network file server used in most corporations. On this type of network, file viruses can be introduced in several different ways:

  A user can copy infected files directly to the file server.
  A user can execute a direct action file virus on the workstation. This virus can then infect executable files on the network.
  A user can execute a memory-resident file virus on the workstation that infects executable files as they are accessed on the server.

