Chapter 4. Ansi Bombs and Viruses

I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.

STEPHEN HAWKING

In the beginning, personal computers were physically isolated from one another. To share files, people had to copy data onto a floppy disk and then carry that floppy disk over to another computer. This method of sharing files, dubbed the sneakernet (since the data travels via foot power), made sharing information slow and tedious, but it also reduced the threat that malicious software, known as malware, could spread quickly, if at all.

Before the Internet, there were electronic bulletin board systems, also known as BBSs. A BBS consists of a single computer connected to one or more phone lines that allowed callers to connect, read and write messages, play games, or copy files. The number of users that could be on a BBS at any given time was limited by the number of phone lines physically connected to the BBS host computer. On some BBSs, only one user could be on at a time, while on others, dozens or even hundreds of users could be logged on simultaneously.

A BBS allowed people to share messages with each other, but the most popular BBS activity was sharing the latest freeware and shareware files. To encourage people to upload their own files, many BBSs enforced a strict upload-to-download ratio. For every two or three files you uploaded, you’d be entitled to download one in return. In this way, a BBS could constantly expand its file library.

Of course, with so many people sharing files, the inevitable happened: Malicious hackers abused the community honor system. Rather than uploading files that were exactly what they purported to be, they started planting malicious payloads that would catch other users unprepared and wipe out their data. Two of the earliest of these malware threats were ANSI bombs and computer viruses.

The Making of an ANSI Bomb

Back in the heyday of the now-outmoded MS-DOS operating system, computers often booted up by loading a program called ANSI.SYS. This ANSI.SYS program was a special program called a device driver, which allowed a computer to display colors and fancy (for its time) graphics.

One function provided by the ANSI.SYS driver, which had unintended consequences, was to remap the keys on the keyboard. In its intended practical use, this allowed you to create keyboard macros, or shortcuts, such as launching a specific program whenever you pressed a function key. However, this also allowed malicious hackers to reprogram your computer to erase a file every time you pressed the E key.

How an ANSI bomb works

ANSI.SYS key-remapping commands consist of cryptic-looking text that specifies, using ANSI numeric codes, which keys to redefine. In the following two examples, the ANSI codes of 99 and 66 represent the letters C and c respectively:

ESC[99;"format c:";13p
ESC[66;"format c:";13p

In the above two commands, the keys for letters C and c are redefined to run the "format c:" command followed by the enter key (ANSI code number 13) when they are pressed. Naturally, the moment the computer tries to run the "format c:" command to reformat the hard disk, a message will appear and ask, “Do you really want to reformat drive C: (Y/N)?”

Most users would likely answer “No” by pressing either the n or N key. So the ANSI bomb also includes driver commands to redefine both the N (ANSI code 110) and the n keys (ANSI code 78) to represent the Y (ANSI code 121) and y keys (ANSI code 89):

ESC[110;121;13p
ESC[78;89;13p

Now when the user presses either the n or N key, the ANSI bomb actually gives the computer the y or Y response instead, which tells it to go ahead and format the entire hard disk.

Planting an ANSI bomb

To trick people into running an ANSI bomb, malicious hackers would often disguise them in innocent-looking batch files. Batch files are nothing more than text files containing one or more MS-DOS commands to run. With a batch file, the user needs only to type the batch file name to run a group of commands, rather than entering them in one by one at the MS-DOS command line.

Malicious hackers on a BBS would create an ANSI bomb using either an ordinary text editor or a specialized ANSI bomb–making program, as shown in Figure 4-1. They would either save the malicious code in a text file with a generic name, such as install.bat (commonly used for the batch files that install freeware or shareware) or insert it into the batch file used by some other popular shareware program. Then they would upload the rigged file to the BBS and its unsuspecting users. Unfortunately for these good citizens, they would thus run the ANSI bomb, which would redefine the keyboard and cause havoc on their machines.

More insidious ANSI bombs would copy themselves into the autoexec.bat batch file, which is the first batch file the computer runs when it boots up. The ANSI bomb would then load every time the user turned on the computer, and so cause problems over and over again.

Figure 4-1. An ANSI bomb–making program can simplify the process of creating and planting an ANSI bomb.

Since few BBS users knew what ANSI bomb commands looked like, they often had no idea how to identify rigged batch files. Although ANSI bombs themselves are now largely obsolete since the introduction of Microsoft Windows, they do demonstrate a timeless and universal strategy used by malicious people: exploiting a victim’s trust (the user’s willingness to run programs downloaded from the BBS) and ignorance (disguising the ANSI bomb as a legitimate program).
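The chapter makes the point that a rigged batch file was hard to recognise because few users knew what a key-redefinition sequence looked like. The following Python scanner is an added example, not code from the book: it pulls every ANSI.SYS key-redefinition sequence (ESC[key;replacement...p) out of a text file and reports which key was remapped and what it would now send, on the reasoning that a shareware installer has no legitimate reason to remap keys at all. The sample batch file is constructed for the demo; accepting the letters "ESC" in place of the real ESC byte is an assumption made so that listings transcribed the way the book prints them can be scanned too.

```python
import re

# ANSI.SYS key redefinitions have the form  ESC[<key>;<replacement...>p
# where <key> is the decimal code of the key being redefined and the
# replacement is a list of decimal codes and/or double-quoted strings.
# Real batch files carry the ESC byte (0x1B); the book's listings spell it
# as the letters "ESC", so both forms are accepted here (an assumption for
# scanning transcriptions). Sequences ending in anything other than 'p'
# (colour codes end in 'm', for example) never match.
_REDEFINE = re.compile(
    r'(?:\x1b|ESC)\['             # control-sequence introducer
    r'((?:\d+|"[^"\n]*")'         # first parameter: a key code or a quoted string
    r'(?:;(?:\d+|"[^"\n]*"))*)'   # further parameters, ';'-separated
    r'p'                          # final byte 'p' = key redefinition
)
_TOKEN = re.compile(r'\d+|"[^"]*"')


def _decode(token):
    """Render one replacement token as the text the keyboard would now emit."""
    if token.startswith('"'):
        return token[1:-1]
    code = int(token)
    return '<Enter>' if code == 13 else chr(code)


def find_key_redefinitions(text):
    """Return one finding per ANSI.SYS key-redefinition sequence found in text."""
    findings = []
    for m in _REDEFINE.finditer(text):
        tokens = _TOKEN.findall(m.group(1))
        if not tokens[0].isdigit():
            continue                       # first parameter must be a key code
        key, rest = int(tokens[0]), tokens[1:]
        if key == 0 and rest and rest[0].isdigit():
            key_name = 'extended-' + rest[0]   # function keys etc. are written 0;<scan code>
            rest = rest[1:]
        else:
            key_name = chr(key) if 32 <= key < 127 else 'code-%d' % key
        findings.append({
            'key': key_name,
            'emits': ''.join(_decode(t) for t in rest),
            'raw': m.group(0).replace('\x1b', 'ESC'),
        })
    return findings


def is_rigged(text):
    """An installer has no business remapping keys: any redefinition is suspicious."""
    return bool(find_key_redefinitions(text))


# Constructed sample batch file (not a real upload): two ordinary lines, two
# key redefinitions of the kind the chapter describes, and a harmless colour
# sequence that must not be reported.
SAMPLE_BATCH = (
    '@echo off\r\n'
    'copy game.exe c:\\games\r\n'
    'echo \x1b[78;89;13p\r\n'            # N now sends Y followed by Enter
    'echo \x1b[100;"dir c:\\";13p\r\n'   # d now runs a whole command line
    'echo \x1b[32mDone!\x1b[0m\r\n'      # green text, no redefinition
)

if __name__ == '__main__':
    for f in find_key_redefinitions(SAMPLE_BATCH):
        print('key %-12s -> %r   (%s)' % (f['key'], f['emits'], f['raw']))
    print('rigged' if is_rigged(SAMPLE_BATCH) else 'clean')
```

Run against the sample, the scanner reports the N key remapped to "Y<Enter>" and the d key remapped to a whole command line, while the colour sequence on the last line is ignored because it does not end in the 'p' final byte.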

The Spread of Computer Viruses

The most common victims of ANSI bombs were the BBS operators themselves, who would eagerly run each new shareware program someone uploaded to their BBS just to test it out. However, after an ANSI bomb wiped out the files on the BBS host computer, it could at least be counted on not to spread to anyone else.

What malicious hackers needed was a program carrying a malicious payload that could hide within a trusted program and spread without relying on the victim running the rigged program. These hackers found their solution in computer viruses.

Like their biological counterparts, computer viruses survive by “infecting” a carrier, such as a file or a floppy disk. Once a virus infects a host, it relies on that host to spread it around. The three most common infection methods are:

  • Infecting program files

  • Infecting the boot sectors of floppy disks

  • Infecting documents using the macro capabilities of a word processor or spreadsheet (a method that’s still practical today)

Spreading a file-infecting virus

In the old days, programs used to fit on a single floppy disk. If you wanted to play a video game or run an application like WordPerfect or Microsoft Excel, you could ask a friend to copy the program to a floppy disk and hand it to you. As a result, one of the earliest forms of virus infection involved programs shared via floppy disk.

File-infecting viruses still exist, but they can only spread if someone transfers an infected program file over the Internet or via an infected CD/DVD. However, most programs nowadays consist of several files, so rather than copy individual program files off a hard disk, most people just copy the program’s original installation CD/DVD. Unless a virus can infect this original installation CD/DVD, it won’t be able to spread this way, and as a result, this method of infection poses little threat in today’s computing environment.

Parasitic program infectors

When a virus infects a file, it has three choices: It can insert itself at the front, the back, or in the middle of the file. A virus that plants itself in the middle of a file by deleting part of the file it’s infecting is known as an overwriting virus.

When a virus attaches itself to the front or back of a file, it changes the file’s size but usually doesn’t harm the infected file. Such parasitic viruses leave the infected program’s own code intact, so a user can run programs plagued with such viruses without even noticing the infection. The weakness of this mode of infection is that a parasitic virus can easily be spotted by the change it causes in the infected program’s file size.

Overwriting file infectors

Overwriting viruses attempt to mask their presence by physically replacing some of the infected program file’s code with the virus code. The infected program’s file size won’t change (which would be a dead giveaway that the file may be infected), but the host program won’t work while the virus runs and tries to infect other program files. Since overwriting viruses destroy the host program, few victims are likely to share the infected host program with other users. So, while overwriting viruses harm the victim’s computer more seriously than parasitic viruses do, they’re also less likely to spread to other machines.

Spreading a boot-sector virus

Boot-sector viruses infect the boot sector of a disk, which tells the computer how to use that particular disk. A boot-sector virus spreads whenever you boot from or access an infected hard drive or removable disk (such as a floppy or CD).

At one time, boot-sector viruses were the most common type of infection, but as fewer people share floppy disks nowadays, they have become much rarer. Back when people used floppy disks to transfer files from one computer to another, they would often leave the disk behind in the floppy drive. When someone turned on a computer with an inserted floppy disk, it would first try to boot up from the floppy disk. If the floppy disk was infected with a boot-sector virus, that virus would then infect the hard disk or lurk in memory so it could infect any other floppy disks inserted into the computer. Boot-sector viruses thus typically spread through the sharing of infected floppy disks, although it’s still possible nowadays for a boot-sector virus to spread by infecting bootable CDs.

Spreading a multipartite virus

Both file infectors and boot-sector viruses have their strengths and weaknesses. File-infecting viruses can only spread if the user runs the infected program. If the virus happens to infect a seldom-used file, the virus may never spread and do its damage.

Similarly, boot-sector viruses spread only when a computer boots up from an infected floppy or hard disk. To increase their chances of spreading, some viruses combine the features of both file infectors and boot-sector viruses. These are called multipartite viruses and can infect either (or both) files and boot sectors. Although this increases their chances of spreading themselves, multipartite viruses are also more vulnerable to detection because of their increased size and susceptibility to antivirus programs. They’re also more complicated to write, and with fewer people sharing (or even using) floppy disks anymore, file, boot-sector, and multipartite viruses are quickly fading into obscurity. Your computer can still get infected by these nasty viruses, but the odds are getting slimmer every day.

Spreading a macro virus

Macro viruses only infect files created by a specific program, such as documents created in Microsoft Word or spreadsheets created in Microsoft Excel. When you load an infected document, the macro virus tries to spread to any similar documents stored on your computer. Since so many people use Microsoft Word, the most common macro viruses target Word documents, although a handful of macro viruses also target Excel and Microsoft PowerPoint files too.

Unlike other types of viruses, which are written using programming languages such as assembly language, C/C++, BASIC, or Pascal, macro viruses are written in the macro programming language specific to their target application. Most macro viruses are written using Microsoft’s macro language, called Visual Basic for Applications (VBA), although a few are written in WordBasic, an older macro programming language for Microsoft Word.

Word-processing macro viruses infect the template files that define the margins, font, and general formatting for every document created by a particular word processor. Try to create a new document from a template infected by a macro virus, and the macro virus will then attempt to infect another template.

Because most people share documents rather than templates, macro viruses cleverly convert infected documents into template files, while maintaining the appearance of an ordinary document file. So, you might think you’re opening an ordinary document for editing, when you’re actually opening a template file instead.

Despite their prevalence in the wild, macro viruses tend to infect only documents created using Microsoft products such as Word, Excel, and PowerPoint. Some people have tried writing macro viruses to infect WordPro or WordPerfect documents, but those documents store their macros in a separate file and thus are less fertile ground for spreading viruses. (Not to mention, far fewer people use WordPro and WordPerfect compared to Microsoft Word.) In contrast, when you copy a Word or Excel document file onto a floppy disk, through a network, or over the Internet, you’re automatically copying both your document and any macros it contains in a single file, which gives the macro virus a chance to spread.

To minimize the threat of macro viruses, Microsoft Word 2003 offers a special macro security feature that you can access by choosing Tools ▸ Macro ▸ Security to display a Security dialog box as shown in Figure 4-2. Then click the Very High or High radio buttons to limit the ability for macro viruses to run.

Figure 4-2. Microsoft Word 2003 offers some protection from macro viruses.

Microsoft Office 2007 goes even further in eliminating macro viruses by changing the file format of Office files themselves. While this won’t stop someone from writing new macro viruses specifically for Microsoft Office 2007 files, it prevents the majority of existing macro viruses from infecting Office 2007 files.
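One practical consequence of the Office 2007 format change is that a macro-enabled file is a zip package with a separate VBA project part inside it, and its file extension (.docm rather than .docx) announces that fact. The Python check below is an added example, not code from the book: it opens a document as the zip it is, looks for the VBA project part and the content type the package manifest declares for it, and flags a file whose extension promises a macro-free document but which nevertheless carries a VBA project. The packages built by make_document are minimal stand-ins constructed for the demo, not real Word files, and a pre-2007 binary .doc (an OLE file, not a zip) is reported as not inspectable by this method.

```python
import io
import zipfile

# Where an Open XML package keeps its VBA project (word/, xl/ or ppt/ prefix
# depending on the application) and the content type the manifest declares.
MACRO_PART_SUFFIX = 'vbaProject.bin'
MACRO_CONTENT_TYPE = 'application/vnd.ms-office.vbaProject'
MACRO_FREE_EXTENSIONS = ('.docx', '.xlsx', '.pptx')

DOCX_MAIN = 'application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml'
DOCM_MAIN = 'application/vnd.ms-word.document.macroEnabled.main+xml'


def inspect_package(data):
    """Look inside an Open XML package (bytes) for a VBA project part."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None                      # not a zip: a legacy binary .doc, or not Office at all
    with zf:
        names = zf.namelist()
        manifest = ''
        if '[Content_Types].xml' in names:
            manifest = zf.read('[Content_Types].xml').decode('utf-8', 'replace')
    return {
        'has_vba_part': any(n.endswith(MACRO_PART_SUFFIX) for n in names),
        'declares_vba': MACRO_CONTENT_TYPE in manifest,
    }


def classify(filename, data):
    """Summarise what the package says about macros, relative to its extension."""
    info = inspect_package(data)
    if info is None:
        return 'not-open-xml'
    if not info['has_vba_part'] and not info['declares_vba']:
        return 'macro-free'
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        return 'suspicious: VBA project inside a file named as macro-free'
    return 'macro-enabled'


def make_document(with_macros):
    """Build a minimal, constructed Open XML package in memory (not a real Word file)."""
    main_type = DOCM_MAIN if with_macros else DOCX_MAIN
    overrides = '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_type
    if with_macros:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="%s"/>' % MACRO_CONTENT_TYPE)
    manifest = ('<?xml version="1.0"?>'
                '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                + overrides + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('[Content_Types].xml', manifest)
        zf.writestr('word/document.xml', '<w:document/>')
        if with_macros:
            # placeholder bytes standing in for an OLE-structured VBA project
            zf.writestr('word/vbaProject.bin', b'\xd0\xcf\x11\xe0' + b'\x00' * 12)
    return buf.getvalue()


if __name__ == '__main__':
    for name, blob in (('report.docx', make_document(False)),
                       ('report.docm', make_document(True)),
                       ('report.docx', make_document(True)),
                       ('old.doc', b'\xd0\xcf\x11\xe0' + b'\x00' * 32)):
        print('%-12s %s' % (name, classify(name, blob)))
```

The check reads only the package structure, so it costs nothing to run on every attachment before it reaches a user; the mismatch case (a VBA part inside a file named .docx) is the one that deserves an analyst's attention, since an honest macro-enabled document would have been saved with the .docm extension.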

How Viruses Avoid Detection

Viruses can survive only if they remain undetected long enough to spread to other computers. Virus programmers have used a variety of tactics to increase a virus’s longevity.

Infection methods

Antivirus programs can spot a virus in one of two ways. First, an antivirus program may recognize a particular virus’s signature, which is nothing more than the specific instructions embedded in the virus program that tell it how to behave and act. A virus’s signature is like a criminal’s fingerprint—each one is unique and distinct.

A second way an antivirus program can detect a virus is by its behavior. Antivirus programs can often detect the presence of a previously unknown virus by noticing when it tries to infect another file or disk, which is called heuristic analysis or detection.

To sneak past an antivirus program, viruses may employ a variety of proliferation methods:

Direct infection

The virus infects a disk or additional files each time the user runs the infected program or opens the infected document. If the user doesn’t do either of those things, the virus can’t spread. This is the simplest but also the most noticeable way of infecting a computer and can be detected by antivirus programs fairly easily.

Fast infection

The virus infects any file accessed by an infected program. For example, if a virus infects your antivirus program, watch out! Each time an infected antivirus program examines a file, it can actually infect that file immediately after certifying that it is virus-free.

Slow infection

The virus only infects newly created files or files modified by a legitimate program. By doing this, viruses attempt to mask their presence more thoroughly from antivirus programs. For example, antivirus programs often watch for a program trying to modify a file it typically should not be accessing. If you run Windows Explorer and click a file to rename it, your antivirus program won’t raise an alarm, since Windows Explorer is allowed to modify files. But if a virus infects Windows Explorer, renaming a file could cause it to become infected at the same time.

Sparse infection

This type of virus takes its time infecting files and does so arbitrarily. By spreading slowly and unpredictably, these viruses reduce the odds that their activities (but not necessarily their existence) will be detected.

RAM-resident infection

This type of virus buries itself in your computer’s working memory (RAM), and each time you run a program or insert a floppy disk, the virus infects that program or disk. RAM-resident infection is the only way that boot-sector viruses can spread, since the victim must physically insert an infected floppy disk into his computer.

Stealth

Viruses normally reveal their presence during infection by changing the size, time, and date stamps of the files that they infect. However, file-infecting viruses that use stealth techniques may accomplish their dirty work without causing any of those modifications, thus remaining hidden and undetected.

Boot-sector viruses always use stealth techniques. When the computer reads a disk’s boot sector, the virus quickly loads a copy of the real boot sector (which it has safely stashed away in another location on the disk). This is like using call forwarding to answer the phone from the neighborhood pool hall when your parents call you at home to make sure you’re behaving yourself. As far as your parents are concerned, they called your home number and you answered. All’s well at home, or so they think. Boot-sector viruses use similar stealth techniques to hide their presence from the computer. But that doesn’t always fool good antivirus programs. To slip past them, viruses may use polymorphism.
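The parasitic and overwriting infectors described earlier, and the stealth techniques described here, differ in which traces they leave: an appending infector changes a file's size and timestamp, an overwriting infector keeps the size, and a stealth infector restores the timestamp as well. A file-integrity baseline catches all three as long as it records a cryptographic hash alongside the size and timestamp. The following Python integrity checker is an added example, not code from the book; the demo() function builds a throwaway directory, takes a baseline, then performs two ordinary byte edits constructed to leave the same indicators as an appending and a size-preserving, timestamp-restoring change (no real malware is involved) and reports which indicators changed for each file.

```python
import hashlib
import os
import tempfile

INDICATORS = ('size', 'mtime_ns', 'sha256')


def fingerprint(path):
    """Record the indicators an integrity check compares later: size, timestamp, hash."""
    st = os.stat(path)
    with open(path, 'rb') as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {'size': st.st_size, 'mtime_ns': st.st_mtime_ns, 'sha256': digest}


def baseline(directory):
    """Fingerprint every regular file under directory: the known-good state."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            result[os.path.relpath(path, directory)] = fingerprint(path)
    return result


def compare(old, new):
    """Map each changed file to the list of indicators that no longer match."""
    findings = {}
    for rel, before in old.items():
        after = new.get(rel)
        if after is None:
            findings[rel] = ['missing']
            continue
        changed = [k for k in INDICATORS if before[k] != after[k]]
        if changed:
            findings[rel] = changed
    for rel in sorted(new.keys() - old.keys()):
        findings[rel] = ['new']
    return findings


OLD_NS = 1_000_000_000 * 1_000_000_000   # fixed 2001 timestamp given to the baseline files


def demo():
    """Constructed simulation of the traces left by an appending change and by a
    size-preserving change whose timestamp is put back afterwards."""
    with tempfile.TemporaryDirectory() as d:
        for name in ('game.exe', 'edit.exe', 'readme.txt'):
            path = os.path.join(d, name)
            with open(path, 'wb') as fh:
                fh.write(b'MZ' + name.encode() + b'\x00' * 64)
            os.utime(path, ns=(OLD_NS, OLD_NS))
        before = baseline(d)

        # Appending change: bytes added at the end, so size and timestamp both move.
        with open(os.path.join(d, 'game.exe'), 'ab') as fh:
            fh.write(b'APPENDED-SEGMENT')

        # In-place change of equal length with the timestamp restored afterwards:
        # size and mtime look untouched, and only the hash gives it away.
        path = os.path.join(d, 'edit.exe')
        with open(path, 'r+b') as fh:
            fh.seek(8)
            fh.write(b'X' * 16)
        os.utime(path, ns=(OLD_NS, OLD_NS))

        return compare(before, baseline(d))


if __name__ == '__main__':
    for rel, changed in demo().items():
        print('%-12s changed: %s' % (rel, ', '.join(changed)))
```

The result for game.exe lists all three indicators, the result for edit.exe lists only sha256, and readme.txt does not appear at all. A checker that compared only sizes and dates, which is what the chapter says early users relied on, would have reported edit.exe as clean.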

Polymorphism

If criminals could modify their fingerprints each time they committed a crime, they would be harder to catch. That’s the idea behind polymorphism. A polymorphic virus changes its signature—the set of instructions that makes up that virus—each time it infects a file. Theoretically, this means that an antivirus program can never find it.

However, because viruses need to make sure they don’t infect the same file over and over again, and thus reveal themselves by consuming disk space, a polymorphic virus must still leave a small, stable, and distinct signature that it (or an antivirus program) can find. Of course, once the virus has been caught and examined—by an antivirus software vendor, for example—antivirus programs can find these same signatures. That’s why antivirus programs need constant and frequent updates to recognize the latest viruses.

Retaliators

The best defense is a good offense. Rather than passively hiding from antivirus programs, many viruses actively search them out and attack them. These retaliating viruses either modify the antivirus program so that it can’t detect the virus, or they infect the antivirus program itself and make it complicit in spreading the virus. In both cases, the attacked antivirus program cheerfully displays a “Your computer is virus-free” message while the virus is happily spreading throughout your computer.

How Antivirus Programs Work

An antivirus program serves two purposes: one, to detect and remove any viruses currently on your computer, and two, to prevent any viruses from infecting your computer in the first place. To detect and remove viruses, antivirus programs rely on a database of virus signatures. Your antivirus program scans every file on your hard disk, looking for instances of these virus signatures. For additional protection, many antivirus programs will also scan any email you send or receive.

You have to be diligent about keeping your antivirus program updated with the very latest library of known virus signatures, however, or newly discovered threats may not be detected during the scan. For this reason, antivirus programs can never be 100 percent effective against viruses. To scan for the signature of a virus, the vendor of the antivirus software must first get a copy of the virus and dissect it to figure out how it works. Then the vendor can update the signature database so that its antivirus program will recognize and remove that particular virus.

Since scanning for virus signatures can never protect against unknown viruses, antivirus programs also use something called heuristic analysis, which involves monitoring for suspicious behavior, such as a program suddenly trying to modify another file. The moment heuristic analysis detects suspicious activity, it can warn you to stop the suspicious program from running.
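The polymorphism discussion above says a mutating virus must still leave a small, stable signature, and this section says antivirus programs work from a database of such signatures. The following Python scanner is an added example, not code from the book or from any antivirus product: it reads signatures in a ClamAV-style hex notation in which "??" matches any single byte, compiles each one into a byte-level regular expression, and scans a buffer for all of them. Both signatures and the two "variant" buffers are constructed for the demo; they are not patterns from any real virus. The wildcard signature matches both variants even though their variable bytes differ, which is exactly why a plain byte-for-byte comparison of one copy against another fails.

```python
import re

# Constructed signature database in ClamAV-style hex notation: each pair of hex
# digits is one byte and '??' stands for any single byte. The patterns are made
# up for this demo and are not signatures of any real virus.
SIGNATURES = {
    'Demo.Appender.A': 'deadbeef4d5a',          # fixed bytes only
    'Demo.Stub.B': 'b8????????e8????????',      # opcode skeleton, operands left open
}


def compile_signature(hexsig):
    """Turn a hex signature into a compiled bytes regex; '??' becomes 'any one byte'."""
    if len(hexsig) % 2:
        raise ValueError('odd-length hex signature: %r' % hexsig)
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b'.' if pair == '??' else re.escape(bytes.fromhex(pair)))
    return re.compile(b''.join(parts), re.DOTALL)   # DOTALL: '.' must match 0x0A too


COMPILED = {name: compile_signature(h) for name, h in SIGNATURES.items()}


def scan_bytes(data):
    """Return (signature name, byte offset) for every signature present in data."""
    hits = []
    for name, rx in COMPILED.items():
        m = rx.search(data)
        if m:
            hits.append((name, m.start()))
    return hits


def scan_file(path):
    with open(path, 'rb') as fh:
        return scan_bytes(fh.read())


def _stub(imm32, rel32):
    """Constructed stand-in for a small decoder stub: 'mov eax, imm32; call rel32'
    (x86 encodings B8 imm32 and E8 rel32), where only the operands vary between copies."""
    return b'\xb8' + imm32 + b'\xe8' + rel32


# Two constructed "copies" whose variable bytes differ but whose skeleton is shared.
VARIANT_1 = b'\x90' * 8 + _stub(b'\x11\x22\x33\x44', b'\x55\x66\x77\x88') + b'\x90' * 8
VARIANT_2 = b'\x90' * 8 + _stub(b'\xaa\xbb\xcc\xdd', b'\x01\x02\x03\x04') + b'\x90' * 8

if __name__ == '__main__':
    for label, blob in (('variant 1', VARIANT_1), ('variant 2', VARIANT_2),
                        ('clean', b'hello world')):
        print('%-10s %s' % (label, scan_bytes(blob)))
```

Real signature databases also carry offsets, file-type restrictions and hashes of whole files, which keeps a loose wildcard pattern like Demo.Stub.B from matching innocent code; the point the demo isolates is that the stable skeleton, not the mutating bytes around it, is what the vendor's analysts extract once they have a sample.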

Comparing antivirus programs

Antivirus programs are only as effective as their virus signature databases. Since it’s impossible for one company to find and dissect every new virus that appears, antivirus companies cooperate with one another. The moment one antivirus company makes a new discovery, it shares the information with its rivals (although not always as quickly as those rivals might like, thus giving its own product a chance to catch one more virus than a competing product). This arrangement helps all antivirus companies keep their programs up to date.

Even though antivirus companies share information, each must still provide its own customers a way to update their antivirus programs to catch the latest threats. Because companies update their signature databases on differing schedules, even the most recent versions of different antivirus programs can vary in terms of detecting and eliminating viruses from their customers’ computers. So, at any given time, one antivirus program will detect more viruses than another, although this usually changes within days. As a result, there isn’t a “best” antivirus program that can claim to catch all viruses or that can consistently catch more viruses than any of its competitors. The best antivirus program is simply the one that you like and find most convenient to use. (To learn more about which antivirus programs are good at catching the latest batch of viruses, visit the Virus Bulletin site at www.virusbtn.com.)

Choosing an antivirus program

Since no antivirus program can catch 100 percent of all viruses all the time, it’s best to run two at a time. But that can get expensive. Here’s a cheaper option.

First, use a free online virus scanner, as shown in Figure 4-3, such as one of the following:

Trend Micro’s Housecall

http://housecall.trendmicro.com/housecall

Panda’s Active Scan

www.pandasoftware.com/products/activescan.htm

RAV AntiVirus Online Virus Scan

www.ravantivirus.com/scan

BitDefender Online Scanner

www.bitdefender.com/scan8/ie.html

Second, get an antivirus program that can automatically scan your computer for viruses and block any suspicious behavior. While there are plenty of commercial antivirus programs, three free ones (for personal use only) include:

AntiVir

www.free-av.com

AVG Anti-Virus

www.grisoft.com

Avast Antivirus

www.avast.com

For completely free, open-source antivirus programs, visit:

Clam AntiVirus

www.clamav.net

Open AntiVirus Project

www.openantivirus.org

Figure 4-3. Online scanners can detect viruses on your computer, but cannot stop them from infecting your computer.

Combining a free antivirus program with periodic checkups by a free online virus scanner can protect your computer at no extra cost to you. After all, it’s not your fault that viruses attack Windows so often, so why should you spend additional money?

If you use a Macintosh or Linux computer, your threat of viruses is both much less and much greater. Currently, there are only a handful of viruses that infect Macintosh and Linux computers, so the number of existing viruses that could attack a Macintosh or Linux computer is relatively small. However, since so few Macintosh and Linux users worry about viruses, few people own, let alone use, Macintosh or Linux antivirus programs. The moment someone invents a new way to infect and spread a virus among Macintosh or Linux users, it will likely spread rapidly among many defenseless computers. The bottom line is that if you don’t have an antivirus program, you will get infected eventually, no matter what type of computer and operating system you use.

Technically speaking, the biggest threats no longer come from viruses but from worms and spyware. Worms are essentially viruses that can spread by themselves, and spyware programs track your Internet behavior or retrieve information from your computer and send it elsewhere without your knowledge. (You’ll learn more about worms in Chapter 5 and spyware in Chapter 20.) Because of these new threats, most antivirus programs scan not only for viruses, but for worms and spyware as well.

Why People Write Viruses

Viruses are just computer programs that someone has taken the time to write and test, so people might wonder—why would anyone do something destructive and harmful to someone they don’t know and will likely never see? Basically, some people write viruses for the same reasons that other people spray graffiti on buildings, smash car windows, or throw rocks from overpasses. The reason why people do any of these things is because they can, and because they can often get away with doing it.

For fun

Many people write computer viruses just to see if they can do it.

Virus writing requires detailed knowledge of a specific operating system, so for many programmers, writing a virus was a way to test and prove their knowledge. Many of these early viruses were designed more as proof of concept than as deliberate attempts to sabotage other people’s computers.

Reflecting their creators’ spirit of curiosity and lack of malice, these early viruses often did nothing more than play a constant beep through the computer’s speaker or reprogram the keyboard to generate a question mark or other symbol every time the E key was pressed. Annoying, to be sure, but ultimately harmless.

Some viruses even got playful and displayed a graphic image on the screen, such as an ambulance or a man strolling across the bottom of the screen. One playful virus would randomly display the message, “I want a cookie,” on the screen. The only way to make the message go away was to type cookie. Other viruses displayed political or humorous messages, as shown in Figure 4-4.

Figure 4-4. The Monopoly virus pokes fun at Bill Gates and his monopoly on the operating system market.

For notoriety

Although people write and release viruses every day, the large majority of viruses fail to spread due to poor programming. Many virus writers want the notoriety of creating viruses that spread faster and cause the greatest amount of damage possible. If a virus writer could panic an entire nation and get his virus reported by name in USA Today or on CNN, his reputation would soar in the underground virus community.

So malicious virus writers developed ever trickier tactics for slipping past antivirus programs and spreading as quickly as possible. Their ultimate goal is to create a virus that would become a household name, like the Michelangelo, Melissa, Chernobyl, and I Love You viruses. Although these virus writers could never publicly bask in the notoriety of their creations, they could still gain some measure of fame among their underground hacker friends.

Many virus writers even banded together and formed their own virus-writing groups with names like Amateur Virus Creation & Research Group (AVCR), Corrupted Programming International (CPI), Phalcon/Skism, and Youngsters Against McAfee (YAM). These groups often published their own newsletters, with names like 40Hex, The Crypt Newsletter, and VLAD (Virus Labs and Distribution) Magazine, that explained how their latest virus creations worked. Virus-writing groups typically ran their own BBSs or websites, stocked with live viruses that others could download and run. The more newsletters they published and the more viruses they spread, the greater the notoriety the group could gain.

Fewer virus-writing groups exist today, partly because worms spread more quickly and easily, partly because virus writers never profit from their creations, and partly because government authorities are getting more adept at identifying and tracking down virus writers, such as the 1999 arrest of David L. Smith, accused of writing and spreading the Melissa virus. Instead, many virus programmers today find it’s more profitable to work for companies that make spyware.

Finding virus-writing tutorials

Although most virus-writing tutorials are now obsolete, they can still be fascinating to read to get a flavor of how members of the virus-writing underground used to brag and boast about their accomplishments and share new ideas with each other. To find a collection of these historical virus-writing tutorials and newsletters, visit TextFiles (www.textfiles.com) or Sirkus (www.sirkussystem.com).

American Eagle Publications (www.ameaglepubs.com) even offers PDF versions of early virus-writing tutorials it once published, including The Little Black Book of Computer Viruses (shown in Figure 4-5), The Giant Black Book of Computer Viruses, and Computer Viruses, Artificial Life and Evolution. By reading these tutorials, you’ll see how virus writers carefully crafted viruses from scratch using assembly language.

Figure 4-5. The Little Black Book of Computer Viruses provides step-by-step instructions for creating different types of viruses in assembly language.

Virus-writing toolkits

In addition to spreading their notoriety through newsletters and new viruses, a handful of virus groups also created virus-writing toolkits. These toolkits often sported fancy pull-down menus and modern graphical user interfaces to make virus writing as simple as clicking the features you wanted from a menu and then waiting for the toolkit to create your custom virus for you.

One of the earliest virus-writing toolkits was called the Dark Avenger Mutation Engine (MtE). Virus writers could link their creations to MtE, which would mutate the virus’s signature, turning an ordinary virus into a polymorphic one. Theoretically, MtE would make functionally identical copies of the same virus appear different from one another, making it impossible for antivirus scanners to detect the virus based on its signature. In practice, however, MtE proved difficult to use and couldn’t completely mask a virus’s signature, so few virus writers actually created viruses using MtE.

As the first mutation engine, MtE achieved notoriety solely for originating the idea of polymorphic viruses. While MtE never unleashed the flood of undetectable viruses that people originally feared, it did inspire other virus programmers to create toolkits of their own that could be, and were, used to generate viruses easily.

Following the introduction of MtE, other virus writers created similar mutation engines with names like TridenT Polymorphic Engine (TPE) and Dark Angel’s Multiple Encryptor (DAME). Like MtE, these other mutation engines had various degrees of success in creating viruses, although none lived up to its original promise of altering a virus completely to avoid detection. Viruses were hard enough to create in the first place, and few virus writers bothered taking the additional time to link their viruses to a buggy, hard-to-use mutation engine.

However, as virus writers studied these later mutation engines, they adopted the ideas and programming techniques for use in their own viruses. So while mutation engines never succeeded in their original goal, they indirectly inspired virus writers to create viruses that were harder for antivirus programs to detect.

The next step in the evolution was the full-fledged virus-creation program. With user-friendly pull-down menus and interfaces, these programs let wannabe virus writers pick and choose the features they wanted, and the virus-creation program would generate the virus for them automatically. One of the first virus-creation programs was the Virus Creation Laboratory, shown in Figure 4-6.

Around this time, virus writers focused less attention on devising more dangerous viruses and concentrated more on developing their own virus-writing toolkits, which they eagerly shared with others. Figure 4-7 shows a list of typical virus-writing toolkits that you can still find today being traded on various hacker websites.

Theoretically, virus-creation toolkits would allow anyone to make their own viruses. In reality, they created viruses that either didn’t work or were easily detected, so they could not cause much damage. Despite the attempts to automate production, virus-writing toolkits didn’t make virus writing easier, nor did they flood the world with undetectable viruses as originally feared. If you want to write a virus, you still have to learn a programming language and understand the weaknesses of a particular operating system, and this effectively limits the art of virus writing to a handful of skilled souls interested in developing something destructive for no other reward than anonymous fame.

Figure 4-6. The Virus Creation Laboratory offered pull-down menus to make custom viruses quickly.

Virus Myths and Hoaxes

Since each new outbreak of a virus causes hysteria and panic among computer users, you can cause nearly as much trouble by inventing a fictional virus as you can by creating a real one. You can learn about the latest virus hoaxes on the Vmyths.com website (www.vmyths.com). The following are examples of typical virus hoaxes. Notice that in each case, the trickster uses potentially confusing technical language and establishes his credibility by associating himself with a trusted and well-known organization.

The mobile phone virus hoax

Among the more disruptive virus hoaxes are those that encourage you to email copies of warnings to your friends. To convince people of their legitimacy, these virus hoaxes often present information that sounds valid and threatening, but is actually useless and completely wrong. Often the hoax is based on a real event, which is a reliable way of inciting panic in an unsuspecting email recipient.

One example is the ICE phone virus hoax, which occurred after a legitimate organization dubbed In Case of Emergency (ICE)—www.icecontact.com—suggested that people make an entry in the directory of their mobile phones containing the name and phone number of someone to be contacted in an emergency, accessed by the letters ICE.

Pranksters seized the opportunity. They created and spread the ICE hoax by circulating the following text:

WARNING - ICE IS PHONE BASED VIRUS, SEE BELOW!! Be very careful with this one - although the intention is great it is unfortunately phase one of a phone based virus that is laying a path for propagating very quickly. Passing it on is part of the virus interestingly, such is the deviousness of the people who write these things. We have already seen the “second phase” where a program is sent as part of a ring-tone download that goes into your address book and looks for something it recognises - you’ve guessed it, an address book entry marked “ICE or I.C.E.” or whatever. It then sends itself to the ICE list, charging you for the privilege.

This hoax takes advantage of the fear of viruses and the introduction of viruses and Trojan horses specifically designed to infect mobile phones, such as RedBrowser, a Trojan horse that sneaks onto mobile phones and then makes calls to Russia, charging the user $5 a call. However, remember that real virus and Trojan horse news appears on legitimate security websites like Symantec or Trend Micro and not in unsolicited email messages. After all, do you rely on email messages from a total stranger for the latest sports scores—let alone for true news?

Figure 4-7. Virus writers soon flooded the hacker underground with virus-writing toolkits with different names and capabilities.

The nuclear war hoax

To give credibility to their hoax, many pranksters often quote trusted authorities, as in the following example, which claims that you can accidentally launch nuclear missiles through an errant email message:

Hey. I just got this in the mail, from Symantec, so I thought I’d forward it along. It’s a new virus that we should watch out for. PLEASE FORWARD THIS TO EVERYONE YOU KNOW. THIS IS VERY IMPORTANT.

Virus Update, 1/07/02

Symantec Virus Alert Center

Hello Subscriber, As part of our ongoing effort to keep Symantec clients up to date on virus alerts, this e-mail is being sent to all Symantec subscribers. A new, deadly type of virus has been detected in the wild. You should not open any message entitled “LAUNCH NUCLEAR STRIKE NOW,” as this message has been programmed to access NORAD computers in Colorado and launch a full-scale nuclear strike on Russia and the former Soviet states. Apparently, a disgruntled ex-Communist hacker has designed a pernicious vb-script that actually bypasses the U.S. arsenal’s significant security system and takes command of missiles and bombers directly. By opening the e-mail, you may be causing Armageddon. Needless to say, Armageddon will wipe out your hard drive and damage your computer. Again, we warn you, PLEASE, DO NOT OPEN ANY E-MAIL ENTITLED “LAUNCH NUCLEAR STRIKE NOW.” YOU MAY CAUSE A FULL-SCALE NUCLEAR HOLOCAUST. As a precaution, all U.S. nuclear missiles have been set to “Do Not Authorize Launch Via E-mail” to prevent an accidental Armageddon. However, due to a Y2K bug, the possibility still exists that you may end life as we know it on this planet by opening the aforementioned e-mail.

VIRUS NAME: ArmaGeddyLee, HappyOrMaybeNot00, OopsWrongButton00

TRANSMITTAL METHOD: vb-script attached to e-mail

HAZARD: Extremely Super High

AREA OF INFECTION: Detected in wild

CHARACTERISTICS: Destroys life on earth via nuclear Armageddon

Please forward this warning to everyone you can. Thank you for your attention to this matter,

Sincerely,

The Symantec Anti-Virus Team

As ridiculous as this hoax sounds (would any country want to launch nuclear missiles via email?), the use of Symantec’s name as a trustworthy source of virus information gives this hoax apparent credibility to the unquestioning. Such hoaxes could be stopped in their tracks if people would only verify the information before forwarding it. All it takes is a quick visit to Symantec’s website to determine whether this warning is actually true.

The bait-and-switch virus hoax

Since most people don’t understand how viruses work, any seemingly credible virus report will likely grab a lot of attention. To take advantage of this, a porn website once sent out email supposedly coming from “Dave Norton,” that contained the following text:

CNN Brings you information on the new devastating computer virus known as the ‘Lions Den’ virus. This virus is reported to be costing internet providers such as AOL, MSN, Yahoo, and Earthlink millions of dollars due to loss of members.

The message then displayed a link that readers could follow to get details about the Lions Den virus and information on protecting their computer from it. Instead of going to the CNN site, however, the link sent readers straight to the porn site. Once again, this type of hoax could be stopped if people would just verify the information before forwarding it to others.

The publicity-seeking virus hoax

In 2003, a computer security/hacking group named Gobbles Security released a statement claiming that the Recording Industry Association of America (RIAA) had contacted them to develop a computer worm that could spread through security vulnerabilities in several popular filesharing programs. The purported purpose of this worm was to disable the filesharing networks that are typically used to spread illegally copied MP3 music files.

Lending credibility to this hoax was the fact that many people believed that the RIAA actually would stoop to such illegal tactics in order to shut down the filesharing networks. Plus, Gobbles Security had been known to post legitimate security advisories in the past, and had even provided a sample program with their statement that showed how a computer worm could exploit such flaws in filesharing programs.

Ultimately, Gobbles Security admitted that their statement was a fake and that they only did it to generate publicity. This taught everyone that a hoax could catch even seasoned computer professionals unaware. Remember that no matter how trustworthy someone or something may have been in the past, they’re always capable of lying to you now in their own interest. Treat all claims with skepticism, including everything you read in this book, and you should be all right.
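The hoaxes quoted above share a few tells: a plea to forward the warning to everyone, long runs of shouted capitals, catastrophic but unverifiable consequences, and a trusted name dropped to borrow credibility. As an added example (not from the book), the following Python scorer turns those tells into weighted indicators and runs them over short excerpts of the three hoax texts quoted above plus one constructed, benign vendor notice; the indicator patterns, their weights and the threshold are assumptions chosen for illustration, not calibrated values.

```python
"""Indicator-based scoring of virus-hoax chain mail.

Added example, not code from the book. Weights and threshold are assumptions;
the hoax excerpts are taken from the texts quoted in the chapter, and
BENIGN_ADVISORY is a constructed control message.
"""
import re
from typing import List, Tuple

# Each indicator: (name, weight, compiled pattern). Weights are assumed values.
INDICATORS = [
    # Chain-letter plea: "forward this (warning) to everyone", "pass it on to your friends"
    ("forward_plea", 3, re.compile(
        r"\b(forward|pass|send)\s+(this|it)(\s+\w+){0,2}\s+(on\s+)?to\s+(everyone|all|your|anyone)\b",
        re.I)),
    # Shouting: four or more consecutive all-caps words of three or more letters
    ("shouting", 2, re.compile(r"(?:\b[A-Z]{3,}\b[\s,.!:-]*){4,}")),
    # Catastrophic, unverifiable consequences (tolerates the common misspelling of "devastating")
    ("catastrophic_claim", 2, re.compile(
        r"\b(deadly|armageddon|wipe out|destroys? (your|life)|dev\w{0,2}stating|"
        r"millions of dollars|charging you)\b", re.I)),
    # A trusted vendor or outlet named to borrow credibility
    ("authority_namedrop", 1, re.compile(r"\b(symantec|norton|mcafee|microsoft|cnn|aol|fbi)\b", re.I)),
]
HOAX_THRESHOLD = 4   # assumed cut-off: a name-drop alone never flags a message


def score_message(text: str) -> Tuple[int, List[str]]:
    """Return the total weight of indicators that fire and their names, in table order."""
    score, hits = 0, []
    for name, weight, pattern in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def is_likely_hoax(text: str) -> bool:
    return score_message(text)[0] >= HOAX_THRESHOLD


# Excerpts of the hoax texts quoted in the chapter.
NUCLEAR_HOAX = (
    "Hey. I just got this in the mail, from Symantec, so I thought I'd forward it along. "
    "PLEASE FORWARD THIS TO EVERYONE YOU KNOW. THIS IS VERY IMPORTANT. "
    "A new, deadly type of virus has been detected in the wild. Needless to say, "
    "Armageddon will wipe out your hard drive and damage your computer. "
    "Please forward this warning to everyone you can.")
ICE_HOAX = (
    "WARNING - ICE IS PHONE BASED VIRUS, SEE BELOW!! Be very careful with this one - "
    "although the intention is great it is unfortunately phase one of a phone based virus "
    "that is laying a path for propagating very quickly. Passing it on is part of the virus "
    "interestingly. It then sends itself to the ICE list, charging you for the privilege.")
LIONS_DEN_HOAX = (
    "CNN Brings you information on the new devastating computer virus known as the "
    "'Lions Den' virus. This virus is reported to be costing internet providers such as "
    "AOL, MSN, Yahoo, and Earthlink millions of dollars due to loss of members.")
# Constructed control: a plausible vendor notice that names a vendor but makes no plea.
BENIGN_ADVISORY = (
    "Symantec has published updated definitions for this worm. Apply them through "
    "your normal update channel and see the advisory page for details.")


if __name__ == "__main__":
    for label, text in [("nuclear", NUCLEAR_HOAX), ("ICE", ICE_HOAX),
                        ("Lions Den", LIONS_DEN_HOAX), ("benign", BENIGN_ADVISORY)]:
        score, hits = score_message(text)
        print(f"{label:10s} score={score} hoax={is_likely_hoax(text)} {hits}")
```

The nuclear and ICE messages cross the threshold on content alone, the benign notice does not, and the Lions Den bait-and-switch scores just below it: a name-drop and a dramatic claim are not enough on their own, which is honest, because that hoax did its real work through the link it carried, and judging a link means checking where it actually leads rather than reading the text around it.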

Learning More About Viruses

To learn more about viruses (both real ones and hoaxes), visit one of the following websites:

AVP Virus Encyclopedia

www.avp.ch/avpve

F-Secure Security Information Center

www.f-secure.com/virus-info

Sophos

www.sophos.com/virusinfo

Symantec

www.symantec.com/avcenter

McAfee Security

http://us.mcafee.com/virusInfo

Trend Micro

www.trendmicro.com/vinfo

These websites list all known viruses (and virus hoaxes), their characteristics, what damage (if any) they cause, and how to detect them. To exchange messages about computer viruses, visit the comp.virus or alt.comp.virus Usenet newsgroups.

The Future Virus Threat

As the computing environment changes, today’s virus threats die off, only to be replaced by newer types of malware. With few people still using floppy disks, file-infecting and boot-sector viruses can no longer spread as easily. Similarly, as Microsoft changes the file format of its Office suite of products (Word, Excel, PowerPoint, and Access), macro viruses relying on the earlier versions will gradually lose their effectiveness too.

However, despite the decreasing threat from pure viruses, antivirus programs are still important to protect your computer against all types of malware, not just viruses. And to really be safe, you ultimately need to supply your own healthy dose of common sense and practice safe computing habits (such as not indiscriminately copying and running programs from untrusted sources).
