And now... Bob's Junkmail #3!
Thursday, August 26, 1999


The picture of today is contrast:

        viatravel13.jpg

This was taken a few years ago on an aircraft carrier in New York City. It's a museum, with an SR-71 on it. (SR-71s don't land on carriers, but it's neat anyway.) There's a "nice" water tower, the Empire State Building, and some other stuff.

Mike and I climbed Gray's Peak, Colorado yesterday, and I climbed Torrey's Peak. Although Mike claims Torrey's is not a separate mountain, anybody can see here that it is:

        torreys.jpg

and here's a mountain goat or rhino or something:

        torreygoat.jpg

Y2K Update:  Today a hurricane is approaching the Carolinas just after the Texas coast was hit by hurricane Bret. Weather experts have discovered that these super powerful storms are no longer caused by global warming or El Nino, but are in fact a harbinger of the Y2K problems to come. Y2K experts recommend immediately withdrawing all money from stocks and bonds and placing the cash with them for safe keeping.

Paul Armstrong and I are going to the Hotter'n Hell Hundred bike ride Saturday. EVERY junk mail recipient is invited to join us for a 100-mile bike ride in the August sun at Wichita Falls, TX. Or at least a 100-mile attempt.

Your government in action:  "Government officials have found that 3% to 4.5% of the children were not counted in the last census." Instead of counting them this time around, they reckon that it will be better just to fudge the number up by that amount and pay that much more money for social programs. The Census Bureau says it was purely a coincidence that the areas that would receive the most money were the districts of senators and congressmen who determine the budget of the Census Bureau.

Another picture of today -- 3 boy scouts in Badlands of South Dakota:

        scouts.jpg

"Computer Virus" -- what is one, and how does it work?

A computer virus is a program. That's the easy half of the question. And it's important. Since a virus is always a computer program, you have to run a program containing the virus in order to get a virus. More on this in a minute.

A program is a set of computer instructions that normally resides on your hard drive. Word, Excel, Windows 98, DesignCAD, and Internet Explorer are all examples of programs. (Actually, Windows 98 is a set of several programs, but let's not get technical.) A program is usually a file with the .exe extension. When you run the program, the computer goes to the beginning of the file (or somewhere close to the beginning) and starts executing instructions in the program.

Suppose I want to write a virus program. I could write a program called virus.exe. When my program ran, it would copy itself (the file virus.exe) onto the end of a file called winword.exe, which is the Microsoft Word program file. Then, my virus program could change the beginning of winword.exe and cause it to branch to the virus program attached to the end of winword.exe every time Word is run.

But that's not good enough for me. I want my virus to spread to lots of programs and lots of computers. My virus is harmless, but I just want to see how far I can make it spread. I have two problems at this point. You have to run virus.exe in order to get it "installed" or copied to winword.exe, and winword.exe is the only file it can copy itself to.

A solution to both problems is to make the virus program memory resident. This means that when virus.exe is run, it is loaded into memory and runs, but it doesn't stop running like other programs. This is easy to do. Next, I'll have my program intercept calls to Windows 98 that open other .exe files. For example, if another program wants to copy a program file from one location to another, I can have my program take over. I'll attach the virus to the .exe file being opened, then give control back to Windows 98. This way, whenever a program file is run or copied, I can have my virus program make a copy of itself and append it to the .exe file, adjusting the newly "infected" program so it executes my virus first.

So now, there need to be two parts of the virus program: the part that loads itself into memory, and the part that modifies the other program files. When an "infected" program runs, it checks memory to see if the virus is already loaded. If not, it loads the virus. When a virus is in memory, every time a program is run or copied, it copies itself to the program file if it has not already been copied there.

Now it's easy to see how the virus spreads on one computer, but how do I spread it to lots of others? I'll let the user do that. People copy programs a lot from one place to another. Email and Internet make that really easy.

But there are lots of anti-virus programs available that detect viruses. How do they work? There are several ways. The most common way for a virus to be detected is for a file to be scanned for the virus "signature" by an anti-virus program. The signature is a set of computer instructions that are unique to that virus. (At least it should be unique. Norton anti-virus had a false virus detection on some of our software a few months ago.) They can also check the size and date of an exe file and store it to make sure it doesn't change. They can reside in memory and check for programs that intercept function calls to Windows.

So, to get around this I'll make my virus program so it changes itself randomly, as much as possible, and still runs. I can put some garbage characters in the program that are skipped over, and I can change them every time it copies itself to an .exe file. This way, the signature won't work very well. I can make a small virus that doesn't increase the size of the .exe file. I can also reset the date stamp on the file I'm "infecting" to the original date and time of the file. And finally, I can one-up the anti-virus program by checking for it in memory, and disabling it or fooling it if I find it.

This is getting pretty far-fetched, isn't it? But that's where the viruses have come over the past several years. This is what the "state-of-the-art" viruses do, and more. Someone writes or modifies a virus program so the anti-virus programs don't catch it, and then the anti-virus people learn how to handle the new virus.
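The size-and-date check described above, set beside a content-hash check, as an added example that is not part of the original newsletter. The file sample.bin and the function names are constructed for illustration; the point is that a baseline holding only size and date misses an in-place change with the date stamp restored, while a stored SHA-256 of the contents catches it.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Record size, modification time and SHA-256 of a file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def size_date_changed(baseline, path):
    """The check from the text: compare only size and date stamp."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns) != (baseline["size"], baseline["mtime_ns"])

def content_changed(baseline, path):
    """Stronger check: compare a cryptographic hash of the contents."""
    return snapshot(path)["sha256"] != baseline["sha256"]

def demo():
    """Alter a constructed stand-in file while keeping its size and date."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")  # constructed data, not a real program
        with open(path, "wb") as f:
            f.write(b"HEADER" + b"\x00" * 64 + b"BODY")
        baseline = snapshot(path)

        # Overwrite some padding bytes in place: same length, different contents.
        with open(path, "r+b") as f:
            f.seek(6)
            f.write(b"\xff" * 16)
        # Put the original date stamp back, as the text describes.
        os.utime(path, ns=(baseline["mtime_ns"], baseline["mtime_ns"]))

        return size_date_changed(baseline, path), content_changed(baseline, path)

if __name__ == "__main__":
    by_size_date, by_hash = demo()
    print("size/date check flags a change:", by_size_date)
    print("hash check flags a change:     ", by_hash)
```

The baseline itself has to be stored where the monitored machine cannot rewrite it, otherwise it can be updated along with the file.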

But there is a newer set of viruses out. These are usually less malicious and simpler, but they're still interesting. Remember, a virus has to be a program. You cannot get a computer virus without executing it. But there are new ways to write programs now -- inside other programs.

A "macro" used to be a set of keystrokes recorded so you can duplicate tasks in an application program. Then, there were macro languages, so you could not only record the keystrokes or program commands, but also actually write simple programs. Now, the macro languages have gotten fairly powerful, and you can actually write a virus in a macro language.

What does this mean? I can sit down in Microsoft Word, and write a macro that copies itself to every Word document I open. And then, when you read a document from me, it will copy itself to your "normal" template so it starts copying itself to all the documents you open. Microsoft has put some features in place that make it a little more complicated to do this now, but that's the principle. The Melissa virus was a macro virus like this.

What about getting a virus from a web site? That's a very good question. When you visit a web site on the Internet, you're not running a program, are you? Well, sometimes you are. Sometimes you run a program written in a "safe" language such as Java that does not have access to most of your hard drive. Sometimes, it runs a "plug-in" to let you see neat stuff. A plug-in is also a program that's supposed to be safe.

However, there are occasionally bugs in the browsers and plug-ins that provide loopholes that would, in theory, allow a web page and programs associated with it to access your computer in ways they're not supposed to. I haven't heard of this ever happening, but it's possible and probably will happen someday. But it will be stopped pretty quick, because the source of the problem will be immediately apparent.

Just about the best way to have your computer's files erased or copied without authorization is to run a program you receive in email. I could write a small program to format your hard drive, for example, and send it to you as an attachment called "runme." When you double click on the attachment, the program would run and format your hard drive. This is simple. This is not detected by anti-virus programs.

What about just opening the email? It's not a problem. In theory. I have never seen this happen, but Microsoft has made fixes to Outlook to prevent malicious macros from being run when you open an email.

So open your email, double click on pictures and text files. If you double click on a Word or Excel document and are asked about a macro, tell it you want to disable macros in that document unless you're sure it's OK not to. If you get an email with a .exe file in it, especially some kind of joke .exe file, don't run it unless you have a current backup.

There is lots more, but this is getting pretty boring.

A web site for today:

        http://antwrp.gsfc.nasa.gov/apod/astropix.html

---------------------------------------

If you do not wish to receive this piece of artistic literature any more, please send me $10,000 and send a reply to this message with "remove" in the subject line. This won't get you removed from the list, but I'll appreciate the gesture. And the money.