
Tuesday, December 28, 2010

Script & Macro Viruses

Script / Macro Viruses - Types and Habitats


Script viruses (sometimes called macro viruses) generally travel embedded in email and office automation documents, although they can be found in web pages as well.

Old-fashioned program viruses are usually implemented in executable system code, whereas script viruses are usually written in a powerful high-level language that is compiled and run on the fly. They often have sophisticated functionality and direct interfaces to high-level applications such as word processors, spreadsheets, email clients, and web browsers, and can wreak considerable havoc. Since they first surfaced in office automation programs, they are sometimes also called "macro" viruses. Script viruses can also propagate over IRC.

On Microsoft computers, turning on your anti-virus software's script checking is essential. However, keep in mind that there may be an associated performance hit for some applications. Many applications on Windows are written in Visual Basic, and real-time script virus checking can double the time it takes for their usual functions to run. If you find that ordinary functions take an inordinate length of time to complete, you can try temporarily turning this feature off in your anti-virus checker -- but don't forget to turn it back on afterwards!

Active threats. The following types of script viruses are currently the most active and dangerous, on the Windows platform:

Visual Basic is a flexible and powerful programming environment for Microsoft Windows, Office, and Internet applications. Script viruses written in Visual Basic can run throughout the Microsoft architecture, giving them considerable reach and power, and making them the primary virus threat today.

The first widespread Visual Basic script virus was Melissa, which brought down several large international corporations for several days in March 1999. Melissa traveled in a Microsoft Word document and ran when the document was opened; it then opened the associated Microsoft Outlook email program, read the user's email address book, and sent email copies of itself to the first fifty names it found. It spread very quickly.

The Melissa virus architecture was quickly followed by many similar variants programmed by hackers around the world, including the groundbreaking KAK, the first Visual Basic script virus that triggered as soon as an email was opened. KAK was then followed by BubbleBoy, which triggered if an email was even viewed in the preview pane. A steady stream of Visual Basic script viruses continues to circulate to this day. There are even automated, point-and-click programs like VBS Love Generator to help hackers produce additional variants. Script viruses which use email to send themselves to others are also a form of worm.

The term "macro virus" is used less often, and generally refers to a virus in an office automation application macro, most commonly a Visual Basic macro in a Microsoft Word or Excel document. Macro viruses can cross system boundaries from Windows to Macintosh computers with MS Office documents. Current versions of Microsoft Office contain strong anti-macro protections to guard against known attacks.
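As an added example (not from the original post), here is the kind of screening check a mail gateway or a cautious user could run on an Office attachment such as the Word document that carried Melissa. It inspects the file bytes for a VBA project inside an Office Open XML package, flags the legacy binary container as macro-capable, and reports macro content arriving under a non-macro extension. The sample documents are constructed in memory; nothing here opens or runs a macro.

```python
import io
import zipfile

# Magic of the OLE2 compound file used by Word/Excel 97-2003 binaries (macro-capable container).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Parts inside an Office Open XML package that hold a VBA project.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}


def classify_office_file(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-binary' or 'other' from the file bytes alone."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"          # may carry VBA streams; treat as macro-capable
    if data.startswith(b"PK"):           # OOXML documents are ZIP packages
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        if names & VBA_PARTS:
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml-clean"
    return "other"


def assess_attachment(filename: str, data: bytes) -> list:
    """Findings for a mail attachment; an empty list means no macro indicators were seen."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify_office_file(data)
    if kind == "ooxml-macro":
        findings.append("embedded VBA project")
        if ext not in MACRO_EXTENSIONS:
            findings.append(f"macro content under non-macro extension .{ext}")
    elif kind == "legacy-binary":
        findings.append("legacy binary Office format (macro-capable; inspect VBA streams)")
    return findings


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # stand-in for a VBA project stream
    return buf.getvalue()
```

A legacy binary file is only flagged as macro-capable here; confirming whether it actually contains VBA requires walking the OLE directory, which this example leaves out.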

ActiveX is one of Microsoft's distributed application technologies that enable web pages to download programs on the fly with the full power of any executable running on your machine. This makes ActiveX modules especially efficient and powerful, but also a security risk since they can create, change, and delete files, add system programming code, or take any other action your user account is allowed on your computer.

To help mitigate the risk, Microsoft provides a network architecture of encrypted security certificates for ActiveX modules. This network gives you the option of refusing the download of unsigned ActiveX modules from unknown authors, and at least disclosing the signed identity of those modules that you do accept in case they later cause problems. However, this approach is not universally accepted by the general user and professional security communities, and is sometimes called "trust me now, try to catch me later". Users running Internet Explorer on Windows machines should make sure that their browser security settings are set to "disable" for unsigned ActiveX applets, and to "prompt" for signed applets.

Hypothetical threats. The following script viruses are largely theoretical, but illustrate that they can turn up wherever there is scripting code:

Java is a standard cross-platform development environment, and is often used to download scripts to add functionality like a clock or chat room interface to a web page. Java was written with a strong security model which protects your computer's data and resources, and it has so far proved remarkably resistant to script virus infection. You can turn Java off in your browser if you want to be extra careful, but it will disable some useful functionality on some web pages.

JavaScript is the standard web programming language. JavaScript also has a well-defined security model that protects data and resources, and the few JavaScript viruses that have been discovered have been mainly theoretical in nature. You can turn JavaScript off in your browser settings if you want to be extra careful, but it will disable functionality on many web pages.

MIME. The first script virus that triggered as soon as an email was opened was a MIME virus that applied to older versions of Netscape Mail, Microsoft Outlook, and Eudora Mail. In a variation on an old hacker technique, the attached MIME file was given a very long name that triggered a bug which allowed the end of the name to be run as a series of instructions, which could then be written to run the virus. However, a fix for the bug was quickly developed for each vulnerable email program, and MIME viruses have so far remained hypothetical.

Others. Several other scripting environments have also had viruses, including Corel Draw, Hypertext Preprocessor, Windows Help, Windows installation files, and Windows registry files. Anywhere there is a script interpreter there is an opportunity for a script virus to run.

Boot & Program Viruses

Boot & Program Viruses - Types and Habitats

Boot and program viruses were the first viruses. They are generally made of executable code that hides inside device boot programs and application programs, and are usually targeted at a specific computer operating system. These were the earliest types of computer viruses, and remained relatively common in the wild until overtaken in 1998 by script and macro viruses.

Boot viruses. Boot viruses hide in the boot code for a media device, such as a disk or CD, and run automatically when the media is loaded, since boot programs are always the first code loaded from any device. Boot viruses proliferated on floppy disks and even CDs into the late 1990s, but aren't seen as often these days with the decline in importance of transferable, bootable media.

The first computer boot virus was built by a 15-year-old kid named Rich Skrenta in 1982 for Apple II computers. Called "Elk Cloner", it would activate whenever a floppy disk was booted on a computer, install itself on the computer, and then infect other disks used later. Once every 50 times an infected floppy was inserted in a computer it would display the following message:

Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!

Skrenta launched the virus into the wild in early 1982 by infecting his school's computer and giving out disks at a computer club. Since viruses were not yet known and there were no safeguards, it spread around the country and continued to pop up on Apple II computers for years afterwards.

The first boot virus to infect Microsoft computers was called Brain, created in 1986 by two Pakistani brothers, and displayed the phone number of their computer repair business.
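As an added example (not part of the original post) of the integrity check a defender would run on the "first code loaded" that boot viruses target: it parses a 512-byte master boot record, hashes the 446 bytes of boot code and compares the hash with a baseline recorded while the disk was known-good, so altered boot code shows up even when the partition table is untouched. The sample sectors and the short placeholder boot-code bytes are constructed here and are not real boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code that runs first
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes mark a valid boot sector


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte master boot record into boot-code hash, partition entries and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[MBR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a sector; an empty list means it matches the trusted baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one bootable NTFS-type partition (constructed sample data)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 100000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Placeholder bytes standing in for real boot code (constructed, not an actual boot loader).
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded while the disk was known-good
# Same partition table, altered boot code: how a boot-sector infection looks to this check.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)
```

On a live system the 512 bytes would be read from the start of the physical disk with administrator rights, and the baseline hash kept somewhere the machine being checked cannot rewrite.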

Program viruses. Program viruses can travel on media like a CD or across the Internet as an email attachment. They hide in an apparently useful program and then run when the program is opened. They are often called trojan horse viruses, after the hollow wooden horse filled with soldiers that Ulysses and the Greeks gave to Minerva during the Trojan War; the soldiers emerged that night to open the gates of the city of Troy to the Greek armies, thereby causing the city's downfall.

Program viruses may be deliberately hidden in a program by the developer, or surreptitiously attached after the fact at some point along its travels from computer to computer. Program viruses are also sometimes the vector of infection for boot viruses and worms.

Virus infection. A greeting card program emailed to you from a friend might display a holiday animation and song, while at the same time installing a remote access virus program that gives a distant hacker control over your computer whenever you're connected to the Internet. Similarly, a shareware program downloaded and emailed to you by another friend might have been infected with a virus on his computer or the server where it was stored.

The first thing a boot or program virus often does is insert commands and settings into the operating system so that it can operate freely, undetected, and unaudited, without warning messages or access log records. Some of them even change the Basic Input Output System (BIOS) that interfaces between the computer's hardware and software to help mask their activities.

The most sophisticated program viruses include "stealth viruses", which encrypt their contents to try to avoid detection by virus protection software, and "polymorphic viruses", which alter their content every time they replicate to try to avoid detection, behavior much like that of biological viruses. Most anti-virus programs can still catch most of these types of viruses.