Lions and Tigers and Bears, Oh My! - Part 2

by Robin Laudanski
June 10, 2004


In Part 1 of this series we discussed who is behind Viruses, Worms and Trojans. Today we are going to get into the differences between them.

Contrary to popular belief, Viruses, Worms and Trojans are not the same thing. They actually function in quite different capacities, although they can also work in conjunction with each other. To dispel any misconceptions, I'll briefly explain the difference between each of them.

A Virus is generally a small program which MUST meet two requirements: it must be self-executing and self-replicating. Quite often viruses are the payload, or part of the payload, of Trojans. Very often we intentionally download or open files which are infected. For example: you get an email from Aunt Sally, the subject of the email says "a fun game", and there may or may not be a line of text in the body of the email. The file itself is an executable file. What do we do? Click on it, it's from Aunt Sally, thereby freeing the virus on our computer.

There are 5 different kinds of viruses: File infector viruses, Boot sector viruses, Master boot record viruses, Multi-partite viruses, and Macro viruses.

Macro viruses seem to be the most prolific, and repairing the damage caused by them has cost an enormous amount of time and money. There are literally thousands of these viruses in circulation.

A Trojan horse is exactly what the name implies: it appears to be something we want or need, but is in fact malicious, with the sole purpose of delivering a payload. Trojans can be used to steal your personal information, to unleash viruses or worms, and for many other unpleasantries. One thing they do not do is replicate themselves. The file from Aunt Sally could actually be considered a Trojan, because when we see who it is from we assume it is something pleasant, when the payload is actually destructive in nature. We can get infected through file sharing, downloading or running programs from the net, email, warez sites/cracked programs, etc. The point is that we give the Trojan access to our computers through our own actions. Every day the people who write these programs become more elusive. If you attempted to download a program and a different program tried to download instead, you would become suspicious. So these people piggyback the Trojan onto the download you requested, or encrypt it so that it is more difficult for anti-virus programs to find.

A Worm is a program which replicates itself; worms often come with their own MTA (Mail Transport Agent)*. As the Worm replicates it may use various preprogrammed body texts and attachment names, and there may be several thousand infected files on a single computer. It goes through the address book of the infected computer's email client and emails itself out. Many, many people email us and ask, "Why am I getting all these emails with infected attachments?" Here is an example. This site has in excess of 73 000 registered users. Once you have received a confirmation email from our server, our email address is in your address book. If one of those registered users is infected with a worm, that worm may try to propagate itself using our server's email address in the "from" of the email, sending itself out to everyone in the affected machine's address book. The behavior will continue until the Worm has been found and cleaned. If you get an email like that, it does not mean our server is infected, or that we are sending out viruses. What it does mean is that there is an individual out there who happens to have both of our email addresses in their address book. It also does not mean you are infected. A Worm still needs to be executed, which occurs when the affected file is opened.

How can you tell if the email which was sent to you actually came from the person in the "from"? Check the headers. To do this, highlight a message in your email client, right click on it, scroll down and click on Properties. Another box will pop up; click on Details, then click on Message Source. An additional window will pop up. You are looking for what it says in the return path. If Aunt Sally's email is auntsally@home.com, that is what it should say in the return path. Here is an example mail header (addresses are not real).

Return-Path: <auntsally@home.com>
Received: from web40509.mail.home.com (web40509.mail.home.com [xxx.xxx.xxx.xxx])
    by yourmail.server.com
    for <you@home.com>; Thurs, 10 Jun 2004 09:36:39 -0400
Message-ID: <20040610876758.98537.qmail@web40509.mail.home.com>
Received: from [xxx.xxx.xxx.xxx] by web40509.mail.home.com via HTTP; Thurs, 10 Jun 2004 06:37:58 PDT
Date: Thurs, 10 Jun 2004 06:37:58 -0700 (PDT)
From: Aunt Sally <auntsally@home.com>
Subject: Barbbq on Saturday
To: you@home.com
MIME-Version: 1.0

If it says anything other than auntsally@home.com in the return path, the mail did not originate from Aunt Sally. If it says "may be forged" anywhere in the header, do not open the email. Please check the headers before you fire off an email accusing someone of sending you a virus or SPAM. It is easy enough to check the headers. In Outlook and Outlook Express, highlight the email you want to check, right click -> click Properties -> click Details. In accounts like Yahoo and Hotmail there is an option to show headers.
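The return-path check described above, automated with Python's standard email parser, as an added example that is not part of the original article; the two messages are constructed here, one matching the walk-through and one modelled on the worm case, with documentation IP addresses. One caveat: Return-Path is the envelope sender recorded by the receiving mail server, and a worm can forge that too, so a mismatch counts against a message while a match is not proof of who sent it.

```python
import email
from email.utils import parseaddr

# Constructed samples (added example, not from the article); hosts and addresses are not real.
# Sample 1 mirrors the walk-through above: Return-Path and From: agree.
RAW_GENUINE = """\
Return-Path: <auntsally@home.com>
Received: from web40509.mail.home.com (web40509.mail.home.com [192.0.2.10])
    by yourmail.server.com
    for <you@home.com>; Thu, 10 Jun 2004 09:36:39 -0400
From: Aunt Sally <auntsally@home.com>
Subject: Barbbq on Saturday
To: you@home.com

See you there.
"""

# Sample 2 models the worm case described earlier: From: is borrowed from a victim's
# address book, while the envelope sender and the relay's annotation tell another story.
RAW_WORM = """\
Return-Path: <jqd8742@example.net>
Received: from home.com (dsl-198-51-100-23.example.net [198.51.100.23] (may be forged))
    by yourmail.server.com
    for <you@home.com>; Thu, 10 Jun 2004 11:02:17 -0400
From: Aunt Sally <auntsally@home.com>
Subject: a fun game
To: you@home.com

see attached :)
"""


def check_sender(raw: str) -> dict:
    """Compare the envelope sender (Return-Path) with the From: address and look for
    a 'may be forged' annotation in any Received: line, as the article advises."""
    msg = email.message_from_string(raw)
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    received = msg.get_all("Received") or []
    flagged = any("may be forged" in line.lower() for line in received)
    mismatch = return_path != from_addr
    if flagged:
        verdict = "do not open: a relay marked the sending host as possibly forged"
    elif mismatch:
        verdict = "suspect: Return-Path does not match From"
    else:
        verdict = "consistent: Return-Path matches From (still not proof of origin)"
    return {"from": from_addr, "return_path": return_path,
            "mismatch": mismatch, "may_be_forged": flagged, "verdict": verdict}
```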

The best thing you can do to protect yourself is to keep an up-to-date anti-virus and not open attachments before checking the headers. Having an anti-virus product on your computer that was last updated 6 years ago (true story) doesn't do anything. There are many good anti-virus programs out there, both paid and free. We offer support for several of them here in our forums. The important thing is that you get your computer covered. You might think you don't use the internet enough to need one, or that the only people who email you are friends and family, and that's fine. But what happens if one of them gets infected? If you don't know which one to get, ask in the forums. With over 70 000 registered members you are bound to get some pros and cons for various products. I would suggest that you don't get something because "everyone" has it. Everyone might have it, but that doesn't mean it works, and it doesn't mean they like it. Do yourself a favor and ask some questions.

* The MTAs listed are known, widely used MTAs; they are for example only and should not be considered representative of a virus.
Posted on Thursday, 10 June 2004 @ 09:48:53 UTC by Paul (6253 reads)