IT Baseline Protection Manual - The Information Warfare Site

Threats Catalogue Deliberate Acts Remarks
____________________________________________________________________ .........................................
are located in inaccessible sectors which are not visible in the directories on
the hard disks or floppy disks. Boot viruses overwrite these sectors with their
own program code. The original contents are moved to a different location of
the data media, and executed after the execution of the virus code during the
start-up of the computer. As a result, the computer apparently starts in the
usual manner, but the boot virus is loaded into the computer's main memory
even before the operating system is loaded, and stays there during the whole
power-on time of the computer. Consequently, the virus is able to infect the
boot sector of every write-enabled floppy disk used during the computer's
power-on time. Boot viruses can only infect other computers during booting,
or through attempts at booting with infected floppy disks.
File viruses
Most file viruses attach themselves to program files. However, this happens in
such a way that when the file is opened, the virus code is activated first,
followed by the original program. The program then appears to run as usual
and the virus is not immediately detected. Nevertheless, primitive, overwriting
viruses are also known to exist, which attach themselves to the beginning of
the host program in such a way that the program no longer runs correctly. File
viruses are spread by the execution of infected programs.
In the case of hybrid boot and file viruses, so called multi-partite viruses have
become important. These viruses can spread through the starting of an infected
program as well as during booting (or attempted booting) from an infected
floppy disk.
Macro viruses
Macro viruses are also placed within files, although they do not infect the
applications, but the files generated by these applications. All kinds of
application programs can be effected including those in which generated files
not only single control characters, but also programs and other objects, can be
embedded. Particularly Microsoft Word and Excel files are affected by such
viruses. These applications offer a powerful macro programming language,
which can easily be abused for the implementation of viruses, also by users
who are not very skilled with these programs.
Macros are programs with whose help the application program can be
expanded with additional functions which have been cut to fit the application
(e.g. production of a fair copy from the draft of a text). These macros can only
be executed with the relevant application program (Winword, Excel etc.)
when the document is processed, either due to activation by the user or if the
macro starts automatically. If, for example, a Word file is received by a
WWW browser which automatically opens the document with Microsoft
Word, a macro can be activated. As data files are often distributed as
conventional program files via data media and networked IT systems, the
threat posed by macro viruses is now larger than that posed by boot and file
viruses.
Examples of destructive functions of computer viruses
- On every March 6th, the boot virus called Michelangelo overwrites the first
tracks of a hard disk with stochastic contents, thus rendering the hard disk
useless.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000