Howstuffworks "How Computer Viruses Work" Page 1 of 8


How Computer Viruses Work
by Marshall Brain

Computer viruses are mysterious and grab our attention. Every time a new virus hits, it makes
the news if it spreads quickly.

On the one hand, viruses show us how unknowingly vulnerable we are. A properly engineered
virus can have an amazing effect on the worldwide Internet. On the other hand, they show
how sophisticated and interconnected human beings have become. For example, the
"Melissa" virus -- which became a worldwide phenomenon in March of 1999 -- was so
powerful that it forced Microsoft and a number of other very large companies to completely
turn off their e-mail systems until the virus could be contained. The "ILOVEYOU" virus in 2000
had a similarly devastating effect. That's pretty impressive when you consider how simple the
Melissa and ILOVEYOU viruses are!

In this edition of How Stuff Works we will discuss viruses -- both "traditional" viruses and the
newer e-mail viruses -- so that you can learn how they work and also understand how to
protect yourself. Viruses in general are on the wane, but occasionally a person finds a new
way to create one and that's when they make the news!

When you listen to the news, you hear about many different forms of electronic infection. The
most common are:

• Viruses - A virus is a small piece of software that piggy-backs on real programs. For
example, a virus might attach itself to a program like a spreadsheet program. Each time
the spreadsheet program runs, the virus runs too, and it has the chance to reproduce
(by attaching to other programs) or wreak havoc.
• Email viruses - An email virus moves around in email messages, and usually replicates
itself by automatically mailing itself to dozens of people in the victim's email address
book.
• Worms - A worm is a small piece of software that uses computer networks and security
holes to replicate itself. A copy of the worm scans the network for another machine that
has a specific security hole. It copies itself to the new machine using the security hole,
and then starts replicating from there as well.
• Trojan Horses - A trojan horse is simply a normal computer program. The program
claims to do one thing (e.g. - it claims to be a game) but instead does damage when you
run it (e.g. - it erases your hard disk). Trojan horses have no way to replicate
automatically.

http://www.howstuffworks.com/virus.htm/printable 5/6/2002

The infections in the news right now are worms, so let's take a look at worms and then go into
the details on all of the different types of infection.

Code Red
A worm called Code Red made huge headlines in 2001. Experts predicted that this worm
could clog the Internet so effectively that things would completely grind to a halt. The Code
Red worm attacks Windows NT 4.0 and Windows 2000 servers running Microsoft IIS (Internet
Information Server) 4.0 or IIS 5.0. Microsoft has released a simple patch that fixes the security
loophole used by the Code Red worm.

What's a "Worm"?
A worm is a computer program that has the ability to copy itself from machine to machine.
Worms normally move around and infect other machines through computer networks. Using a
network, a worm can expand from a single copy incredibly quickly. For example, the Code
Red worm replicated itself over 250,000 times in approximately nine hours on July 19, 2001.

Worms use up computer time and network bandwidth when they are replicating, and they
often have some sort of evil intent. The Code Red worm slowed down Internet traffic (but not
nearly as badly as predicted) when it began to replicate itself. Each copy of the worm scans
the Internet for Windows NT or Windows 2000 servers that do not have the security patch
installed. Each time it finds an unsecured server, the worm copies itself to that server. The
new copy then also scans for other servers to infect. Depending on the number of unsecured
servers, a worm could conceivably create hundreds of thousands of copies.
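
The growth described above can be sketched with a simple random-scanning epidemic model, which also shows how much patch coverage slows a worm down. This is an added example, not part of the original article; the scan rate and the population sizes are assumptions chosen for illustration, not measurements of Code Red.

```python
"""Random-scanning worm growth model (a susceptible/infected epidemic model).

All parameters are illustrative assumptions, not measurements of Code Red.
"""
ADDRESS_SPACE = 2 ** 32          # IPv4 addresses a random scanner can pick from


def simulate(vulnerable, probes_per_hour, hours, seed_hosts=1, steps_per_hour=60):
    """Return the infected-host count at the end of each hour (index 0 = start)."""
    infected = float(seed_hosts)
    per_step = probes_per_hour / steps_per_hour
    history = [infected]
    for _ in range(hours):
        for _ in range(steps_per_hour):
            # Probability that one random probe lands on a host that is
            # vulnerable and not yet infected.
            p_hit = (vulnerable - infected) / ADDRESS_SPACE
            infected = min(float(vulnerable), infected + infected * per_step * p_hit)
        history.append(infected)
    return history


def hours_to_reach(fraction, vulnerable, probes_per_hour, limit_hours=240):
    """First whole hour at which `fraction` of the vulnerable hosts are infected."""
    target = fraction * vulnerable
    for hour, count in enumerate(simulate(vulnerable, probes_per_hour, limit_hours)):
        if count >= target:
            return hour
    return None                  # never reached within limit_hours


if __name__ == "__main__":
    RATE = 20_000                # assumed probes per infected host per hour
    # Assumed numbers of unpatched servers: the fewer there are, the longer
    # each copy scans before it finds a new host.
    for unpatched in (300_000, 150_000, 30_000):
        t = hours_to_reach(0.8, unpatched, RATE)
        print(f"{unpatched:>7} unpatched servers -> 80% infected after {t} h")
```

Halving the number of unpatched servers roughly doubles the time the worm needs to reach the same share of them, which is time administrators can use to patch the rest.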

The Code Red worm is designed to do three things:

• Replicate itself for the first 20 days of each month
• Replace Web pages on infected servers with a page that declares "Hacked by Chinese"
• Launch a concerted attack on the White House Web server in an attempt to overwhelm
it

The most common version of Code Red is a variation, typically referred to as a mutated
strain, of the original Ida Code Red that replicated itself on July 19, 2001. According to the
National Infrastructure Protection Center: ALERT 01--016:

The Ida Code Red Worm, which was first reported by eEye Digital Security, is taking advantage of
known vulnerabilities in the Microsoft IIS Internet Server Application Program Interface (ISAPI)
service. Un-patched systems are susceptible to a "buffer overflow" in the Idq.dll, which permit the
attacker to run embedded code on the affected system. This memory resident worm, once active
on a system, first attempts to spread itself by creating a sequence of random IP addresses to infect
unprotected web servers. Each worm thread will then inspect the infected computer's time clock.
The NIPC has determined that the trigger time for the DOS execution of the Ida Code Red Worm is
at 0:00 hours, GMT on July 20, 2001. This is 8:00 PM, EST.

Upon successful infection, the worm waits for the appointed hour and connects to the
www.whitehouse.gov domain. This attack consists of the infected systems simultaneously
sending 100 connections to port 80 of www.whitehouse.gov (198.137.240.91).


The U.S. government changed the IP address of www.whitehouse.gov to circumvent that
particular threat from the worm and issued a general warning about the worm advising users
of Windows NT or Windows 2000 Web servers to ensure that they have installed the security
patch.
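
A server administrator can look for this kind of probe in the web server's own logs. The following is an added example, not part of the original article: it flags requests to the indexing ISAPI handler (files ending in .ida or .idq, which IIS passes to Idq.dll) that carry an unusually long query string. The W3C extended log layout, the length threshold and the sample log lines are assumptions constructed for illustration.

```python
"""Flag requests to the Index Server ISAPI handler that carry an oversized query.

Assumptions (not from the article): IIS W3C extended log format and a
240-character query-length threshold chosen for illustration.
"""
from collections import Counter

ISAPI_EXTENSIONS = (".ida", ".idq")   # file types IIS hands to idq.dll
MAX_QUERY_LEN = 240                   # assumed threshold; tune per site

# Constructed sample log. The long query is harmless filler, not worm code.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 192.0.2.10 GET /index.html - 200",
    "2001-07-19 14:02:15 198.51.100.7 GET /default.ida " + "X" * 300 + " 200",
    "2001-07-19 14:02:19 192.0.2.10 GET /search.idq CiScope=/docs 200",
    "2001-07-19 14:03:40 203.0.113.5 GET /DEFAULT.IDA " + "X" * 300 + " 500",
    "2001-07-19 14:03:41 198.51.100.7 GET /default.ida " + "X" * 300 + " 200",
])


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, values))


def suspicious_requests(text, max_query_len=MAX_QUERY_LEN):
    """Return rows that hit an .ida/.idq resource with an overlong query string."""
    hits = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()   # IIS paths are case-insensitive
        query = row.get("cs-uri-query", "-")
        if stem.endswith(ISAPI_EXTENSIONS) and len(query) > max_query_len:
            hits.append(row)
    return hits


def sources_by_volume(hits):
    """Count flagged requests per client address, busiest first."""
    return Counter(row["c-ip"] for row in hits).most_common()


if __name__ == "__main__":
    flagged = suspicious_requests(SAMPLE_LOG)
    for ip, count in sources_by_volume(flagged):
        print(f"{ip}: {count} oversized request(s) to the indexing ISAPI handler")
```

Ordinary index queries such as the short `/search.idq` request in the sample are left alone; only the oversized ones are reported, grouped by the address that sent them.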

Learn More
For more information on the Code Red worm, check out these great
links:

• National Infrastructure Protection Center: ALERT 01--016
• Windows NT version 4.0 security patch
• Windows 2000 Professional, Server and Advanced Server security patch
• Microsoft: Security Bulletin MS01-033
• Digital Island: Code Red Alert

What's a "Virus"?
Computer viruses are called viruses because they share some of the traits of biological
viruses. A computer virus passes from computer to computer like a biological virus passes
from person to person.

At a deeper level there are similarities as well. A biological virus is not a living thing.
A virus is a fragment of DNA inside a protective jacket. Unlike a cell, a virus has no way
to do anything or to reproduce by itself -- it is not alive. Instead, a biological virus must
inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to
reproduce itself. In some cases, the cell fills with new viral particles until it bursts,
releasing the virus. In other cases the new virus particles bud off the cell one at a time and
the cell remains alive.

Viruses In the News
Last update: Feb. 14, 2001

• MSNBC: Dutch Police Arrest Kournikova Virus Suspect
• Virus Attacks Cost $17.1 Billion in 2000
• Wired: New Virus: Now Anna Loves You

A computer virus shares some of these traits. A computer virus must piggyback on top of
some other program or document in order to get executed. Once it is running, it is then able to
infect other programs or documents. Obviously the analogy between computer and biological
viruses stretches things a bit, but there are enough similarities that the name sticks.

Virus History
Traditional computer viruses were first widely seen in the late 1980s, and they came about
because of several factors. The first factor was the spread of personal computers (PCs). Prior
to the 1980s, home computers were non-existent or they were toys. Real computers were
rare and they were locked away for use by "experts." During the 1980s, real computers
started to spread to businesses and homes because of the popularity of the IBM PC (released
in 1982) and the Apple Macintosh (released in 1984). By the late 1980s, PCs were
widespread in businesses, homes and college campuses.

The second factor was the use of computer "bulletin boards." People could dial up a bulletin
board with a modem and download programs of all types. Games were extremely popular,
and so were simple word processors, spreadsheets, etc. Bulletin boards led to the precursor
of the virus known as the Trojan Horse. A trojan horse is a program that sounds really cool
when you read about it. So you download it. When you run the program, however, it does
something uncool like erasing your disk. So you think you are getting a neat game but it wipes
out your system. Trojan horses only hit a small number of people because they are
discovered quickly. Either the bulletin board owner would erase the file from the system or
people would send out messages to warn one another.

The third factor that led to the creation of viruses was the floppy disk. In the 1980s, programs
were small and you could fit the operating system, a word processor (plus several other
programs) and some documents onto a floppy disk or two. Many computers did not have hard
disks, so you would turn on your machine and it would load the operating system and
everything else off of the floppy disk.

Viruses took advantage of these three facts to create the first self-replicating programs!

Follow the Trail


Early viruses were pieces of code attached to a common program like a popular game or a
popular word processor. A person might download an infected game from a bulletin board and
run it. A virus like this is a small piece of code embedded in a larger, legitimate program. Any
virus is designed so it runs first when the legitimate program gets executed. The virus loads
itself into memory and looks around to see if it can find any other programs on the disk. If it
can find one, it modifies it to add the virus's code to the unsuspecting program. Then the virus
launches the "real program." The user really has no way to know that the virus ever ran.
Unfortunately, the virus has now reproduced itself, so two programs are infected. The next
time either of those programs gets executed, they infect other programs, and the cycle
continues.

If one of the infected programs is given to another person on a floppy disk, or if it is uploaded
to a bulletin board, then other programs get infected. This is how the virus spreads.

The spreading part is the "infection" phase of the virus. Viruses wouldn't be so violently
despised if all they did was replicate themselves. Unfortunately, most viruses also have some
sort of destructive "attack" phase where they do some damage. Some sort of trigger will
activate the attack phase, and the virus will then "do something" -- anything from printing a
silly message on the screen to erasing all of your data. The trigger might be a specific date, or
the number of times the virus has been replicated, or something similar.

As virus creators got more sophisticated, they learned new tricks. One important trick was the
ability to load viruses into memory so they could keep running in the background as long as
the computer remained on. This gave viruses a much more effective way to replicate
themselves. Another trick was the ability to infect the boot sector on floppy disks and hard
disks. The boot sector is a small program that is the first part of the operating system that the
computer loads. The boot sector contains a tiny program that tells the computer how to load
the rest of the operating system. By putting its code in the boot sector, a virus can guarantee
it gets executed. It can load itself into memory immediately and it is able to run whenever the
computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in
the machine, and on college campuses where lots of people share machines they spread like
wildfire.


In general, both executable and boot sector viruses are not very threatening any more. The
first reason for the decline has been the huge size of today's programs. Nearly every program
you buy today comes on a compact disc. Compact discs cannot be modified, and that makes
viral infection of a CD impossible. The programs are so big that the only easy way to move
them around is to buy the CD. People certainly can't carry applications around on a floppy
disk like they did in the 1980s, when floppies full of programs were traded like baseball cards.
Boot sector viruses have also declined because operating systems now protect the boot
sector.

Both boot sector viruses and executable viruses are still possible, but they are a lot harder
now and they don't spread nearly as fast as they once could. Call it "shrinking habitat," if you
want to use a biological analogy. The environment of floppy disks, small programs and weak
operating systems made viruses possible in the 1980s, but that environmental niche has been
largely eliminated by huge executables, unchangeable CDs and better operating system
safeguards.

E-mail Viruses
The latest thing is the e-mail virus, and the Melissa virus in March of 1999 was spectacular.
Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this.
Someone created the virus as a Word document uploaded to an Internet newsgroup. Anyone
who downloaded the document and opened it would trigger the virus. The virus would then
send the document (and therefore itself) in an e-mail message to the first 50 people in the
person's address book. The e-mail message contained a friendly note that included the
person's name, so the recipient would open the document thinking it was harmless. The virus
would then create 50 new messages from the recipient's machine. As a result, the Melissa
virus was the fastest-spreading virus ever seen! As mentioned earlier, it forced a number of
large companies to shut down their e-mail systems.

The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a
piece of code as an attachment. People who double clicked on the attachment allowed the
code to execute. The code sent copies of itself to everyone in the victim's address book and
then started corrupting files on the victim's machine. This is as simple as a virus can get. It is
really more of a trojan horse distributed by e-mail than it is a virus.

The Melissa virus took advantage of the programming language built into Microsoft Word
called VBA, or Visual Basic for Applications. It is a complete programming language and it
can be programmed to do things like modify files and send e-mail messages. It also has a
useful but dangerous auto-execute feature. A programmer can insert a program into a
document that runs instantly whenever the document is opened. This is how the Melissa virus
was programmed. Anyone who opened a document infected with Melissa would immediately
activate the virus. It would send the 50 e-mails, and then infect a central file called
NORMAL.DOT so that any file saved later would also contain the virus! It created a huge
mess.

Microsoft applications have a feature called Macro Virus Protection built into them to
prevent this sort of thing. If you turn Macro Virus Protection on, then the auto-execute feature
is disabled. By default the option is ON. So when a document tries to auto-execute viral code,
a dialog pops up warning the user. Unfortunately, many people don't know what macros or
macro viruses are, and when they see the dialog they ignore it. So the virus runs anyway.
Many other people turn off the protection mechanism. So the Melissa virus spread despite the
safeguards in place to prevent it.

In the case of the ILOVEYOU virus, the whole thing was human-powered. If a person double-
clicked on the program that came as an attachment, then the program ran and did its thing.
What fueled this virus was the human willingness to double-click on the executable.

Origins
People create viruses. A person has to write the code, test it to make sure it spreads properly
and then release the virus. A person also designs the virus's attack phase, whether it's a silly
message or destruction of a hard disk. So why do people do it?

There are probably at least three reasons. The first is the same psychology that drives
vandals and arsonists. Why would someone want to bust the window on someone else's car,
or spray paint signs on buildings or burn down a beautiful forest? For some people that seems
to be a thrill. If that sort of person happens to know computer programming, then he or she
may funnel energy into the creation of destructive viruses.

The second reason has to do with the thrill of watching things blow up. Many people have a
fascination with things like explosions and car wrecks. When you were a kid there was
probably a boy in your neighborhood who learned how to make gunpowder and who then built
bigger and bigger bombs until he either got bored or did some serious damage to himself.
Creating a virus that spreads quickly is a little like that -- it creates a bomb inside a computer,
and the more computers that get infected, the more "fun" the explosion.

The third reason probably involves bragging rights, or the thrill of doing it. Sort of like Mount
Everest. The mountain is there and no one has climbed it, so someone is compelled to do it. If
you are a certain type of programmer and you see a security hole that could be exploited, you
might simply be compelled to exploit the hole yourself before someone else beats you to it.
"Sure, I could TELL someone about the hole. But wouldn't it be better to SHOW them the
hole???" That sort of logic leads to many viruses.

Of course, all of the virus creators miss the point that they cause real damage to real people
with their creations. Destroying everything on a person's hard disk is real damage. Forcing the
people inside a large company to waste thousands of hours cleaning up after a virus is real
damage. Even a silly message is real damage because a person then has to waste the time
getting rid of it. For this reason, the legal system is getting much harsher in punishing the
people who create viruses.

An Ounce of Prevention
You can protect yourself against viruses with a few simple steps:

• If you are truly worried about traditional (as opposed to e-mail) viruses, you should be
running a secure operating system like UNIX or Windows NT. You never hear about
viruses on these operating systems because the security features keep viruses (and
unwanted human visitors) away from your hard disk.
• If you are using an unsecured operating system, then buying virus protection software is
a nice safeguard.
• If you simply avoid programs from unknown sources like the Internet, and instead stick
with commercial software purchased on CDs, you eliminate almost all of the risk from
traditional viruses. In addition, you should disable floppy disk booting -- most computers
now allow you to do this, and that will eliminate the risk of a boot sector virus coming in
from a floppy disk accidentally left in the drive.
• You should make sure that Macro Virus Protection is enabled in all Microsoft
applications, and you should NEVER run macros in a document unless you know what
they do. No normal person adds macros to a document, so avoiding all macros is a
great policy. Open the Options dialog from the Tools menu in Microsoft Word
and make sure that Macro Virus Protection is enabled.
• In the case of the ILOVEYOU e-mail virus, the only defense is personal discipline.
You should never double-click on an executable that arrives as an e-mail attachment.
Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and
.JPG), etc. are data files and they can do no damage (noting the macro virus problem
above in Word and Excel documents). A file with an extension like EXE, COM or VBS is
an executable, and an executable can do any sort of damage it wants. Once you run it,
you have given it permission to do anything on your machine. The only defense is to
never run executables that arrive via e-mail.

By following those simple steps, you can remain virus free!
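
The attachment rule above can be applied automatically before a message reaches the inbox. The following is an added example, not part of the original article: it parses a message with Python's standard `email` package and sorts each attachment using only the extensions the article names. The sample message and its file names are constructed, and the handling of double extensions and trailing dots is an addition that goes beyond the cases the article lists.

```python
"""Triage e-mail attachments by the article's rule: the final extension decides."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE = {".exe", ".com", ".vbs"}      # the article's executable examples
MACRO_CAPABLE = {".doc", ".xls"}           # data files that can carry macros
PLAIN_DATA = {".gif", ".jpg"}


def classify(filename):
    """Return 'block', 'macro-check', 'data' or 'unknown' for one attachment name."""
    # Windows ignores trailing dots and spaces, so "a.vbs. " still opens as a script.
    name = (filename or "").strip().rstrip(". ").lower()
    ext = os.path.splitext(name)[1]        # only the LAST extension counts
    if ext in EXECUTABLE:
        return "block"
    if ext in MACRO_CAPABLE:
        return "macro-check"               # open only with macros disabled
    if ext in PLAIN_DATA:
        return "data"
    return "unknown"                       # not covered by the article's lists


def triage(raw_message):
    """Parse a raw message and return [(filename, verdict), ...] per attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    return [(part.get_filename(), classify(part.get_filename()))
            for part in msg.iter_attachments()]


def build_sample():
    """Constructed message with harmless placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Quarterly numbers"
    msg.set_content("See attached.")
    for name in ("chart.gif", "budget.XLS", "holiday-photo.jpg.vbs", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in triage(build_sample()):
        print(f"{verdict:12} {filename}")
```

The file `holiday-photo.jpg.vbs` is classified as an executable because only its last extension matters, even though a mail client that hides known extensions would display it as a picture.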


Copyright © 1998-2002 Howstuffworks, Inc. All rights reserved
