Crime Branch Advisory
The term "sparse infector" is sometimes given to a virus that infects
only occasionally, e.g. every 10th executed file, or only files
whose lengths fall within a narrow range, etc. By infecting less
often, such viruses try to minimize the probability of being discovered
by the user.
A companion virus is one that, instead
of modifying an existing file, creates a new program, which (unknown
to the user) gets executed by the command-line interpreter instead
of the intended program. (On exit, the new program executes the
original program so things will appear normal.) This is done by
creating an infected .COM file with the same name as an existing
.EXE file. (Note that this type of malicious code is not always considered
to be a virus, since it does not modify existing files.)
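The same-name .COM/.EXE pairing described above can be checked for from the defender's side. The following is an added example, not part of the original advisory: it walks a directory tree and reports every program that a same-named file with a higher-priority extension would pre-empt. It assumes the DOS resolution order .COM, .EXE, .BAT, so it generalizes beyond the .COM/.EXE case; the function names and the sample file names are constructed for illustration.

```python
import os
import tempfile

# Assumed resolution order of the DOS command interpreter for a bare command name.
EXEC_ORDER = [".com", ".exe", ".bat"]


def find_shadowed_programs(root):
    """Return sorted (directory, winner, shadowed) tuples for every program
    that a same-named file with a higher-priority extension would pre-empt."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXEC_ORDER:
                by_stem.setdefault(stem.lower(), {})[ext.lower()] = name
        for exts in by_stem.values():
            present = [e for e in EXEC_ORDER if e in exts]
            # The first extension present wins; every later one is shadowed.
            for loser in present[1:]:
                findings.append((os.path.relpath(dirpath, root),
                                 exts[present[0]], exts[loser]))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: EDIT.COM sits beside EDIT.EXE (the companion
    pattern); RUN.EXE/RUN.BAT show the generalized case; the rest is clean."""
    samples = [("APPS/EDIT.EXE", 4096), ("APPS/EDIT.COM", 300),
               ("APPS/FORMAT.COM", 2048), ("TOOLS/RUN.EXE", 1024),
               ("TOOLS/RUN.BAT", 20), ("TOOLS/README.TXT", 10)]
    for rel, size in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, winner, shadowed in find_shadowed_programs(tmp):
            print(f"{directory}: {winner} runs instead of {shadowed}")
```

A hit is a lead for review rather than proof of infection, since legitimate software can ship same-named files with different extensions.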
An armored virus is one that uses special tricks
to make the tracing, disassembling and understanding of its code
more difficult. A good example is the Whale virus.
Many applications allow you to create macros. A macro
is a series of commands to perform an application-specific task.
Those commands can be stored as a series of keystrokes, or in a
special macro language.
A macro virus is a virus that propagates through
only one type of program, usually either Microsoft Word or Microsoft
Excel. It can do this because these types of programs contain auto
open macros, which automatically run when you open a document or
a spreadsheet. Along with infecting auto open macros, the macro
virus infects the global macro template, which is executed anytime
you run the program. Thus, once your global macro template is infected,
any file you open after that becomes infected and the virus spreads.
A virus hoax generally appears as an email message
that describes a particular virus that does not exist. These emails
almost always carry the same basic story: that if you download an
email with a particular subject line, your hard drive will be erased
(an impossibility because the text of an email cannot harbor a virus).
Such messages are designed to panic computer users.
The writer or writers email the warning and include a plea for the
reader to forward it to others. The message then acts much like
a chain letter, propagating throughout the Internet as individuals
receive it and then innocently forward it. An example of a virus
hoax is the "Good Times" virus -- which was written in
1994 and since then has circled the globe many times over. The best
thing to do on receipt of such an email is to ignore and delete
Major Virus Incidents Since 1998
Melissa
This virus set a benchmark the world over when it was first noticed
on 26th March 1999. It was the fastest spreading virus. The Melissa
virus is an automatic spamming virus. Its action includes infecting
Microsoft Word's normal.dot global template, which basically implies
that all new documents created by the user would get infected. After
that, each time that an infected document is accessed the virus
will disable Microsoft Word's macro warning feature so that it is
allowed to be activated.
Its next action is to access the Microsoft Outlook address
book and e-mail the infected Word file as an attachment to the first
fifty e-mail addresses entered there. As soon as the receivers of
such an e-mail message open the attachment their computers also
get infected. The virus then sends the infected file to another
50 e-mail addresses. This is the reason for the extensive spread
of the virus in a short while.
The virus by itself, installed in the victim's computer,
was rather harmless. It merely inserted some text into a document
at a specified time of the day. What caused the maximum harm was
that the volume of traffic, due to the numerous e-mail attachments
being sent, was more than could be borne by most servers around
In its activities it was similar to Melissa, but
there was one major difference. ExploreZip, first discovered in
June 1999, was not a virus. It was a Trojan. This means that it
was incapable of replicating itself. Thus, the Melissa virus had
more far reaching presence.
In addition to this dissimilarity, ExploreZip was
more active. It not only hijacked Microsoft Outlook but also selected
certain files and made their file size zero - reduced their data
to nothing. Those files were then of no use to the user and they
could not be recovered.