===============================================================================
This is file: virustalk.txt that was last modified on: April 6th, 1999

Malicious programs: software you don't want "installed" on your computer

Laurentiu B. Cristofor
laur@cs.umb.edu

DISCLAIMER: This article is provided without warranty of any kind, either
express or implied, including the implied warranty of fitness for a
particular purpose. I (Laurentiu B. Cristofor) assume no responsibility for
errors or omissions in this article. In no event shall I be liable for any
direct, special, incidental or consequential damages of any kind arising out
of or in connection with the use or performance of this information.

Permission to copy and distribute this file in its original, unmodified form
is granted by this notice.
===============================================================================

===============================================================================
Malicious programs: software you don't want "installed" on your computer
===============================================================================

Abstract:

This is an introduction to the world of viruses and antivirus software. I
have tried to give an overview of the techniques employed by viruses to
prevent detection and by antivirus software to detect viruses. I think that
this information can be helpful to people who don't know the limitations of
viruses and of antivirus software. It can help them understand the problem
better and choose a better method of protection against viruses.
===============================================================================
Main topics:

 1) Definition and classification of malicious programs
 2) Classification of viruses
 3) Program viruses
 4) Application viruses
 5) System viruses
 6) Virus "features"
 7) Antivirus software
 8) Practical example of a dangerous virus: ONE_HALF
 9) Miscellaneous information
10) Conclusions
11) Bibliography and pointers to more information
===============================================================================
Keywords: virus, worm, trojan, backdoor, companion, dropper, multipartite,
logic bomb, stealth, tunnelling, polymorphic, encrypting, armored,
inoculation, scanning, integrity checking, generic, heuristic, one_half
===============================================================================

-------------------------------------------------------------------------------
1) Definition and classification of malicious programs
======================================================

A first definition has been given in the title of this article, but it is a
little vague, so I'll give another one here:

Malicious programs (also known as malware) are programs or pieces of code
whose actions are intentional and undocumented and that would not be approved
by the user if they knew about them. (I've expanded this from the definition
of a trojan horse that I found in VIRUS-L.FAQ.)

Since the programs act without the user's approval, it is obvious to me that
malware is BAD and that the person responsible for the attack on the user's
computer should be considered a criminal, or at least be accused of criminal
negligence. Note that I make a distinction here between the activity of
writing a virus and the activity of infecting a computer, not because I
really think this distinction should be made, but because it reflects the
current morality of our society: we do not prosecute gunmakers, we prosecute
people who use guns to shoot other people.
Some of you might think that I make this distinction for hidden reasons, so I
feel it necessary to add that I have never written a virus, nor have I ever
even attempted to write one. I give only one virus name in this paper as an
example, because I don't want to give credit and satisfaction to the virus
writers who came up with all kinds of virus ideas.

In what follows I will use the name DOS/Windows to refer to DOS, Windows 3.x,
and Windows 95.

We can distinguish between several categories of malicious software: viruses,
worms, trojan horses, companions, file system infectors. There are two basic
characteristics that help us distinguish between the main categories of
malware: replication and the ability to attach to (or hide inside) other
programs (we'll call the latter host-attaching). Based on these
characteristics we can distinguish between four categories of malicious
programs:

  ----------------------------------------------------------------
  categories:      | Virus | Worm | Trojan horse | Malicious patch
  -----------------+-------+------+--------------+----------------
  replicating:     |  yes  | yes  |      no      |       no
  -----------------+-------+------+--------------+----------------
  host-attaching:  |  yes  |  no  |      no      |      yes
  ----------------------------------------------------------------

A) VIRUS/VIRUSES
----------------

We can define a computer virus in analogy with a biological virus by listing
its characteristics:

(1) The ability to attach itself to (infect) a "host" program; whenever the
    "host" program executes its activities, the virus will also execute its
    own (unwanted) activities.
(2) The ability to spread to other "host" programs by infecting them with
    (sometimes mutated) copies of itself.

Because of its first characteristic, I will also refer to a virus using the
term infector.

in the wild
~~~~~~~~~~~
This means that the virus has infected computers outside virus research
laboratories, as opposed to 'in the zoo'.
victim
~~~~~~
A program that is not malware and that is used by a malicious program for
purposes such as hiding. If the malicious program hides inside the victim,
and gets executed through the execution of the victim, then the victim is
called a host.

Unix viruses
~~~~~~~~~~~~
With the appearance of Java application viruses, we see the first truly
multiplatform viruses, capable of infecting any OS for which there exists a
Java Virtual Machine, therefore most varieties of Unix. Even if these viruses
cannot successfully spread starting from an infected applet, they still pose
a threat as people start to exchange Java applications. Before the appearance
of Java viruses, writing a Unix virus was feasible but difficult, and there
were no known wild Unix viruses. Even though Java viruses are not simple to
write either, I consider them an important menace due to their portability.
It therefore makes sense to scan a Unix system for Java viruses or, in case
the system acts as a repository for non-Unix software, to scan it for
non-Unix viruses.

B) WORM
-------

A worm is a program which spreads (usually) over network connections but does
not attach itself to a host program. There are two famous examples of worms:

The Internet Worm
~~~~~~~~~~~~~~~~~
On November 2, 1988 a graduate student in Computer Science released a worm on
the Internet. The worm spread very fast and affected tens of thousands of
computers all over the US for two days. The removal costs were in the order
of hundreds of thousands of dollars or maybe more (an exact evaluation has
not been made).

The Xerox PARC Worm
~~~~~~~~~~~~~~~~~~~
This was an experimental worm that tried to do distributed computation on a
network by finding idle stations and copying itself onto them in order to
increase its computing power. After being left to run without supervision
overnight, the worm however started to crash machines in the network and the
researchers abandoned the project.
I also consider the following to be a special kind of worm:

Companion
~~~~~~~~~
This is a kind of worm that doesn't spread through the use of network
connections. Some people consider this to be a virus. It is a program which
creates a malicious companion program for each victim and fools the command
interpreter into running the malicious program instead of the victim. The
malicious program will do its dirty job and then call the victim, such that
everything appears normal.

This could be done in several ways. One way is to create a malicious .COM
file for each .EXE file (which is the victim), since the command interpreter
tries to run .COM programs before .EXE programs. Another way is for the
program to scan the PATH environment variable and to install the companion in
a directory that is searched first. Other ways consist of renaming the victim
under another name and saving the virus under the victim's name, or of using
aliases. There exist "stealth" companions that intercept the FindFirst and
FindNext system calls to hide the companion.

C) TROJAN HORSE
---------------

As its name suggests, a trojan horse is a non-replicating malicious program
that pretends to do something useful while also performing an intentional and
undocumented action that the user would not approve of if they knew about it
(VIRUS-L.FAQ).

Backdoor
~~~~~~~~
A backdoor is a program "feature" that allows people who know about it to
bypass one of the program's protections (a security check, for example).
Programs that have backdoors known to their authors but unknown to their
users fall into the trojan horse category of malicious programs.

Dropper
~~~~~~~
A dropper is a program which installs another malicious program, usually
pretending that it does something useful. Note that it does not replicate
itself, so it is a trojan horse.

D) MALICIOUS PATCH
------------------

A malicious patch is a malicious program that doesn't spread but that is
attached to another program.
A malicious patch can be planted by a dropper, for example.

-------------------------------------------------------------------------------
2) Virus classification
=======================

While making this classification, and in the next sections when discussing
the main categories of viruses, I have had in mind viruses for DOS/Windows.
However, if you ignore the details, this discussion is relevant for other
operating systems too.

On one operating system, according to what gets infected we can have three
basic categories:

a) PROGRAM - these viruses can be differentiated according to two criteria:
   a.1) how they get control:
        a.1.1) DIRECT-ACTION - infect other programs when the host is
               executed.
        a.1.2) RESIDENT - stay in memory and infect other programs when
               they are executed.
        a.1.3) SEMI-RESIDENT - are temporarily resident.
   a.2) how they infect:
        a.2.1) FAST (piggybacking) - infect programs that are executed and
               programs that are just opened.
        a.2.2) SLOW - infect only files that are modified or created.
        a.2.3) SPARSE - infect programs occasionally according to some
               rules, like the number of executions of the virus or the
               file size of the potential host.
b) APPLICATION (macro viruses) - infect application documents.
c) SYSTEM - infect code or data found in certain system areas on a disk.
   When data is infected the virus is infecting the operating system, so in
   this case the host would be the operating system.
   - these can be differentiated according to the system areas they infect:
     c.1) BOOT SECTOR/MBR
     c.2) OPERATING SYSTEM FILES
     c.3) FILE SYSTEM

If we consider combinations of the above we have:

d) MULTIPARTITE (BOOT-AND-FILE) - these are viruses that infect both files
   and boot records.

There are also viruses that belong to one of the above categories but are
not restricted to it due to some special capabilities:

e) MULTIPLATFORM - capable of infecting different operating systems.
f) NETWORK-AWARE - capable of spreading over a network.
   There are examples of viruses that used security holes in Novell NetWare
   (the problem was fixed in later releases).

Viruses could also be separated into categories according to the damage they
do, but I didn't find this to be a significant classification. It would also
be hard to make, since viruses that do little damage on one computer might do
a lot of damage on another one due to bugs.

Some definitions that might come in handy:

MBR
~~~
Master Boot Record - is located on track 0, head 0, sector 1 of a hard drive
and contains a loader program and a partition table. The loader program is a
small piece of code that gets executed when a computer boots up. It looks in
the partition table to determine the active partition and then gives control
to the boot sector of the active partition. The boot sector contains code
that loads the operating system files.

A new MBR can be created by using the /MBR switch of the FDISK command. This
is the simplest MBR virus remover on the market (of course it's not the
safest, and it doesn't even always manage to remove the virus, so you should
use it only when you know what you are doing or when you don't care very much
about the results).

FAT
~~~
File Allocation Table - a table that shows how clusters are allocated by
having an entry for each cluster. A file cannot use less space than one
cluster. The value stored in the entry tells if the cluster is free or bad;
if the cluster is allocated, the entry points to the next cluster in the file
or contains a special value if there is no next cluster. For each file on
disk there will be a chain of entries in the FAT.

Cluster
~~~~~~~
A cluster represents a group of sectors, its size being determined by the
size and type of the partition.

Inoculation
~~~~~~~~~~~
The technique of making a program appear to be infected in order to avoid its
infection by a specific virus. This technique is based on the fact that most
viruses do not infect a file twice. It is also called vaccination.
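As an added example that is not part of the article, the following Python parses a raw MBR exactly as described above (loader code, four 16-byte partition entries at offset 446, the 0x55AA signature), finds the active partition, runs the sanity checks a clean-boot inspection would make, and compares the table against a saved copy. The disk size, partition values and both MBR images are constructed; the same comparison is what notices the partition table rewrite described under System viruses in section 5.

```python
import struct
from itertools import combinations

PT_OFFSET = 446          # the four 16-byte partition entries start here
SIGNATURE_OFFSET = 510   # bytes 0x55 0xAA close the sector
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count
DISK_SECTORS = 2_000_000 # constructed size of the demo disk, in 512-byte sectors


def build_mbr(entries):
    """Assemble a 512-byte MBR from (status, type, start_lba, count) tuples.
    The loader code area is zero-filled; only the table matters here."""
    sector = bytearray(512)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


def parse_partition_table(sector):
    """Return the non-empty partition entries of an MBR as dicts."""
    if len(sector) != 512 or sector[SIGNATURE_OFFSET:] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector with a 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        if ptype == 0:          # unused slot
            continue
        parts.append({"slot": i, "status": status, "type": ptype,
                      "start": start, "count": count})
    return parts


def check_table(parts, disk_sectors=DISK_SECTORS):
    """Structural sanity checks on a parsed table; returns a list of findings."""
    findings = []
    active = [p["slot"] for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly one" % len(active))
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("slot %d has invalid status byte 0x%02X" % (p["slot"], p["status"]))
        if p["start"] == 0 or p["count"] == 0 or p["start"] + p["count"] > disk_sectors:
            findings.append("slot %d lies outside the disk" % p["slot"])
    for a, b in combinations(parts, 2):
        if a["start"] < b["start"] + b["count"] and b["start"] < a["start"] + a["count"]:
            findings.append("slots %d and %d overlap" % (a["slot"], b["slot"]))
    return findings


def compare_tables(baseline, current):
    """Report what changed since a saved copy of the table: new or vanished
    slots, resized slots, and an active flag that moved. A structurally valid
    table can still differ from the one you installed."""
    changes = []
    before = {p["slot"]: p for p in baseline}
    after = {p["slot"]: p for p in current}
    for slot in sorted(set(before) | set(after)):
        if slot not in before:
            changes.append("slot %d appeared (type 0x%02X, %d sectors)"
                           % (slot, after[slot]["type"], after[slot]["count"]))
        elif slot not in after:
            changes.append("slot %d vanished" % slot)
        elif ((before[slot]["start"], before[slot]["count"])
              != (after[slot]["start"], after[slot]["count"])):
            changes.append("slot %d was resized or moved" % slot)
    old_active = [p["slot"] for p in baseline if p["status"] == 0x80]
    new_active = [p["slot"] for p in current if p["status"] == 0x80]
    if old_active != new_active:
        changes.append("active partition changed from %s to %s" % (old_active, new_active))
    return changes


# Constructed images. CLEAN: one active DOS partition filling the disk.
# MODIFIED: same loader code and first entry, but a tiny new partition at the
# end of the disk now carries the active flag and the old one no longer does.
CLEAN_MBR = build_mbr([(0x80, 0x06, 63, 1_999_000)])
MODIFIED_MBR = build_mbr([(0x00, 0x06, 63, 1_999_000),
                          (0x80, 0x06, 1_999_900, 100)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        print(name, "structural findings:", check_table(parse_partition_table(img)))
    print("changes:", compare_tables(parse_partition_table(CLEAN_MBR),
                                     parse_partition_table(MODIFIED_MBR)))
```

Note that the modified table passes every structural check; only the comparison with the saved copy reveals that the active partition moved, which is why a baseline taken after installation is worth keeping on the write-protected boot diskette.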
-------------------------------------------------------------------------------
3) Program viruses
==================

They infect executable programs, usually .COM and .EXE files, but they can
also infect overlay files, dynamic link libraries, device drivers, object
files and many other types of files (even .BAT files). The virus code is
usually appended to the end of the host code, but sometimes it can be
inserted at the beginning (like in the empty space of the .EXE header) or
even in the middle of the code.

Cavity viruses
~~~~~~~~~~~~~~
A virus that looks for an area of constants (like a string of zeroes) of
sufficient length inside the body of the host and then copies itself to such
a place (if found). The idea is not to modify the size of the host.

-------------------------------------------------------------------------------
4) Application viruses
======================

Application viruses do not infect normal programs; instead they spread as
"macros" in different types of documents, for example in Microsoft Office
documents. They are possible due to the power of the macro languages of those
applications.

-------------------------------------------------------------------------------
5) System viruses
=================

Boot-sector/MBR
---------------

These are the most frequent system viruses. The virus will copy the original
MBR/boot-sector code to some other part of the disk/diskette, especially if
it uses full stealth techniques, but it might also replace the
MBR/boot-sector code completely (in which case it wouldn't be a virus,
strictly speaking). When the MBR/boot-sector code is executed, the virus
usually goes resident and hides in the last 1KB of conventional memory. It
will infect the MBR/boot-sector of the hard drive and then the boot sector of
any unprotected diskette that is accessed by the system.
Partition table viruses
~~~~~~~~~~~~~~~~~~~~~~~
This is a virus that will create a new partition, copy itself into the boot
record of the newly created partition and then make this partition the
active one. At boot time, the virus gets executed and then continues to
execute the boot sector of the partition that was previously active. Note
that this virus doesn't change or move the MBR code, it just changes the data
used by the MBR code, i.e. the partition table.

Operating system files
----------------------

There are two reported kinds of attacks on the operating system files that do
not modify the files directly, so these don't fall into the program virus
category. They are based on OS design inconsistencies.

The first one is the so called "DOS file fragmentation attack" [Bontchev].
The idea is that during boot there is no concept of the file system; the boot
code simply tries to load the first sectors of the hard drive. A virus can
copy itself over the first sector while moving the original first sector to
another part of the disk and updating the FAT. After being executed, the
virus will copy the original first sector into memory and give it control.
Note that the virus doesn't change the system files, it just changes their
location.

The second method is based on the assumption that the first entries in the
root directory will be entries for the system files, which is not always
true. When this assumption doesn't hold, the virus will fail to successfully
infect the computer. The virus modifies the root directory by making two
copies of the first entry, overwriting the first one with virus code and
marking its directory entry as being a volume label. If the first entry
happened to be the IO.SYS entry, the infected copy gets executed during boot,
since the boot code doesn't care about the volume label setting.
On the other hand, after the boot, one cannot see the infected IO.SYS file,
since the commands that list directories ignore volume labels and so do the
DOS file oriented functions.

File system
-----------

This is a virus that modifies the directory entry for a victim such that the
virus is run before the victim whenever the user tries to execute the victim.
This kind of infector will modify the directory entry of an executable file
to point toward the cluster where the virus is located. The beginning cluster
of the victim would be stored (and encrypted) in some unused space in its
directory entry. This allows one copy of the virus to infect all executables
on the disk: their directory entries would all point toward the cluster where
the virus is located.

-------------------------------------------------------------------------------
6) Virus "features"
===================

It is interesting to note that some techniques normally used by viruses can
be useful in legitimate programs like drivers or security programs. The virus
"features" are generally intended to make detection harder, so as to increase
the spreading rate of the viruses.

TRIGGERED EVENTS
----------------

The actions of the virus are triggered by special events. A sparse infector
is a virus with triggered events, since its process of infecting hosts is
triggered by some special conditions. A malicious program whose actions are
triggered by special events is also known as a logic bomb. Most logic bombs
are of the time-bomb type, i.e. their actions are triggered on specific
dates.

STEALTH
-------

A virus that hides its modifications so that the infected system appears
clean. This can be done in two ways:

1. Full - The virus intercepts disk reads and writes to avoid detection and
   removal. Requires the virus to be resident.
2. Semi - Disk directory data is altered to hide the additional bytes of the
   virus.
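The following is an added example, not from the article, of the directory-level check a disk editor session (or an integrity tool run after a clean boot) would perform against a FAT16 image for the two symptoms just described: several executables whose directory entries start at the same cluster, the footprint of the file system infector of section 5, and an entry whose recorded size does not match the cluster chain the FAT actually holds, as left behind by semi-stealth directory edits. The FAT and root directory bytes are constructed and the cluster size of 2048 bytes is an assumption.

```python
import struct
from collections import defaultdict

CLUSTER_BYTES = 2048   # 4 sectors of 512 bytes; assumed for the constructed image
FAT16_EOC = 0xFFF8     # entries >= this value terminate a chain
ATTR_VOLUME = 0x08
ATTR_DIRECTORY = 0x10
DIR_ENTRY_FMT = "<8s3sB10sHHHI"   # name, ext, attr, reserved, time, date, start, size


def pack_fat16(entries):
    """Serialise a list of 16-bit FAT entries into the on-disk layout."""
    return struct.pack("<%dH" % len(entries), *entries)


def read_fat16(fat_bytes):
    return list(struct.unpack("<%dH" % (len(fat_bytes) // 2), fat_bytes))


def dir_entry(name, ext, start, size, attr=0x20):
    """Build one 32-byte directory entry; timestamps are left zero."""
    return struct.pack(DIR_ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, b"\x00" * 10, 0, 0, start, size)


def walk_chain(fat, start):
    """Follow a cluster chain. Returns (clusters, ok); ok is False when the
    chain loops back on itself or ends in a free, bad or out-of-range entry."""
    seen, chain, cur = set(), [], start
    while 2 <= cur < len(fat) and cur < FAT16_EOC:
        if cur in seen:
            return chain, False
        seen.add(cur)
        chain.append(cur)
        cur = fat[cur]
    return chain, cur >= FAT16_EOC


def parse_root_dir(dir_bytes):
    """Return the regular-file entries of a directory, skipping the volume
    label, subdirectories, deleted entries and the empty tail."""
    files = []
    for off in range(0, len(dir_bytes) - 31, 32):
        raw = dir_bytes[off:off + 32]
        if raw[0] == 0x00:
            break                                  # no more entries
        if raw[0] == 0xE5:
            continue                               # deleted entry
        name, ext, attr, _, _, _, start, size = struct.unpack(DIR_ENTRY_FMT, raw)
        if attr & (ATTR_VOLUME | ATTR_DIRECTORY):
            continue
        files.append({"name": name.decode().strip() + "." + ext.decode().strip(),
                      "start": start, "size": size})
    return files


def audit_directory(fat_bytes, dir_bytes):
    """Cross-check every file entry against the FAT; returns (name, reason) findings."""
    fat = read_fat16(fat_bytes)
    files = parse_root_dir(dir_bytes)
    findings = []
    by_start = defaultdict(list)
    for f in files:
        by_start[f["start"]].append(f["name"])
    for f in files:
        if f["size"] == 0 and f["start"] == 0:
            continue                               # legitimately empty file
        others = [n for n in by_start[f["start"]] if n != f["name"]]
        if others:
            findings.append((f["name"], "start cluster %d shared with %s"
                             % (f["start"], ", ".join(sorted(others)))))
        chain, ok = walk_chain(fat, f["start"])
        if not ok:
            findings.append((f["name"], "broken or looping cluster chain"))
            continue
        needed = -(-f["size"] // CLUSTER_BYTES)    # ceil(size / cluster)
        if needed != len(chain):
            findings.append((f["name"], "size %d needs %d cluster(s), chain has %d"
                             % (f["size"], needed, len(chain))))
    return findings


# Constructed image: 16 clusters, entries 0 and 1 reserved.
FAT = [0xFFF8, 0xFFFF] + [0] * 14
FAT[2], FAT[3] = 3, 0xFFFF              # GOOD.COM occupies clusters 2-3
FAT[4] = 0xFFFF                          # one cluster that several entries point at
FAT[5], FAT[6], FAT[7] = 6, 7, 0xFFFF    # HIDDEN.COM really occupies three clusters
FAT[8], FAT[9] = 9, 8                    # a chain that loops
ROOT = b"".join([
    dir_entry("DISK", "", 0, 0, attr=ATTR_VOLUME),
    dir_entry("GOOD", "COM", 2, 3000),
    dir_entry("EDIT", "EXE", 4, 40000),  # both entries redirected to cluster 4,
    dir_entry("CALC", "EXE", 4, 50000),  # sizes still those of the originals
    dir_entry("HIDDEN", "COM", 5, 2000), # directory size understates the chain
    dir_entry("LOOP", "COM", 8, 1000),
]) + b"\x00" * 32

if __name__ == "__main__":
    for name, reason in audit_directory(pack_fat16(FAT), ROOT):
        print("%-11s %s" % (name, reason))
```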
Hardware-level stealth
~~~~~~~~~~~~~~~~~~~~~~
This is a method used by viruses to avoid detection without intercepting disk
read/write interrupts. Instead, they intercept device-ready interrupts and
then modify the contents of the disk buffer that was read [Bontchev].

TUNNELLING
----------

1) The ability to trace the original interrupt handler and thus to be able
   to call the original system routines.
2) Also the ability to access the hard drive through ports rather than
   through interrupts (works on IDE and EIDE, not on SCSI or MFM).

The name of the method comes from the fact that the program that uses it
tries to access some services one level below the protection set by another
program.

This is a method that can be used by antiviruses for the detection of stealth
viruses and also for preventing infection when a fast infector is resident.
It can also be used by viruses against programs that offer software
write-protection of the hard drive.

A drawback: it cannot be used when scanning remote computers on a network or
against hardware-level stealth.

POLYMORPHIC
-----------

This is the ability of a virus to produce different (yet fully operational,
in most cases) copies of itself.

The simplest way for a virus to produce different copies of itself is to use
encryption with a variable key, and to attach to the encrypted code of the
virus a small piece of code that does the decryption, called the decryptor.
This is sometimes called oligomorphism. This method can be improved by having
several decryptors, only one being used for each infection, the other ones
being encrypted with the rest of the code.

A better way to achieve polymorphism is to modify the decryptor for each
infection while still keeping it functional. Ways to do this:

- use of noise instructions like NOP
- use of different sequences of instructions that have the same effect
  (replace XOR AX, AX with MOV AX, 0). This method is effective since the
  instruction set of the 80x86 family is not orthogonal.
One of the most effective forms of polymorphism is the one encoded in the MtE
(Mutation Engine) library, which was made available on the Internet by a
Bulgarian virus writer who calls himself Dark Avenger. The library consisted
of an object module and instructions for using it. By inserting some calls in
a virus code and then linking it to the MtE object module, a new polymorphic
virus is created. It seems that about 80% of the virus copies are completely
functional, which is quite remarkable.

Another kind of polymorphism, not based on encryption, consists of swapping
around portions of the virus code for each new infection. Viruses that use
this technique are also called permutating viruses.

Polymorphism makes detection extremely hard. Antivirus software uses
detection of the entry point of the decryptor to detect polymorphic viruses.
This technique can be invalidated by viruses which place a sequence of jumps
in the body of the host that will eventually give control to the virus code
[Bontchev].

ARMORED
-------

A virus which uses special tricks to make the tracing, disassembling and
understanding of its code difficult.

DISKETTE BOOT FAKER
-------------------

This is a technique that can be used by Boot-sector/MBR viruses. A virus
could fake a reboot by changing the CMOS information of the computer to
invalidate the diskette drive and thus force the boot from the hard disk and
the loading of the virus code, which would then give control to the diskette
boot record, faking in this way a boot from the diskette [Bontchev]. The good
news is that this wouldn't work on every computer.

TARGETED ATTACKS
----------------

Some viruses attack specific antivirus software by not infecting them, or by
infecting them and disabling their integrity check, or by destroying their
database of checksums.
-------------------------------------------------------------------------------
7) Antivirus software
=====================

False positive/negative
~~~~~~~~~~~~~~~~~~~~~~~
I'll use the term false alarm instead of false positive. A false positive is
the false identification of an innocent program as being infected. A false
negative is the failure to identify an infected program as such.

Antivirus software falls into one of the following categories:

1) Generic monitors - these programs prevent the formatting of the hard drive
   or the modification of system and program files. Not very reliable. Most
   BIOSes include a feature that can prevent writes to the MBR, boot records
   and partition table.
   * drawback : can be bypassed using tunnelling.

2) Scanners - there are several ways of checking (scanning) a system:
   - look for virus signatures (first in memory and then on disk).
     * drawback : - misses all unknown viruses
                  - can miss stealth infectors if the scanner doesn't use
                    tunnelling.
                  - can miss versions of polymorphic viruses
                  - can give false alarms - but rarely.
   - use heuristic methods (try to recognize potentially harmful code, for
     example look for jumps to the end of the file placed at the beginning
     of the file).
     * advantage : might detect unknown viruses.
     * drawback : gives false positives and false negatives.
   - decoy launching : try to execute small programs (these are the decoys,
     also known as probes or bait) and check if they got infected.
     * drawback : can miss slow and sparse infectors and will certainly miss
                  boot viruses and companion infectors.
   - check for system modifications that are usually done by viruses.
     * drawback : changes might also be made for legitimate reasons (a memory
                  decrease from 640k to 639k can be due to a driver that is
                  installed on the system).

   Some scanners provide resident scanners (sentinels) that remain resident
   and perform a superficial scan on each program that is executed or each
   diskette that is read.
   By superficial I mean that the sentinel scans only for a small number of
   viruses, since otherwise it would slow down the operation of the computer.

3) Integrity checkers - verify the integrity of files by computing checksums
   or hash values. The checksum database might be attacked by viruses,
   however, therefore special measures need to be taken to ensure its
   protection.
   * advantage : this provides generic detection.
   * drawback : - can miss stealth infectors if run from an infected hard
                  drive.
                - should detect most infectors if run after booting the
                  system from a clean diskette, but might still miss some
                  infectors (like companion or some system viruses).
                - will report modifications that are legal (there are
                  legitimate self-modifying programs, ex: Turbo Pascal 6.0's
                  turbo.exe).
   * potential problem : if checksums are computed only for some portions of
                         a file, like the header and the end of the file,
                         then this might miss infectors that write
                         themselves into the middle of a file.
   - the integrity information can be added at the end of each file, with a
     piece of code that will do an integrity check each time the program is
     launched. (Some programs might not like this, since they might do their
     own integrity checking.)

3a) Generic disinfection - sufficient information is saved for each file so
    that it can be restored to its original state in the case of the great
    majority of viral infections, even if the virus is unknown. This
    information could also be appended to the end of each file, together
    with a piece of code that checks the integrity of the file and attempts
    to repair it if it detects changes.

4) AI techniques - are used to learn about new viruses and extract signatures
   for them. Examples:
   - V-Care (CSA Interprint, Israel; distributed in the U.S. by Sela
     Consultants Corp.)
   - Victor Charlie (Bangkok Security Associates, Thailand; distributed in
     the US by Computer Security Associates).
5) Hardware protection - adding a special card that does virus scanning and
   integrity checking before the boot. It cannot prevent infection though.

-------------------------------------------------------------------------------
8) Practical example of a dangerous virus: ONE_HALF
===================================================

One_Half (also known as 'Dis' and 'Free Love')

Characteristics: almost everything you wouldn't want to find in a virus: in
the wild, multipartite, resident, stealth, encrypting, polymorphic.

It slowly encrypts any hard drive it infects. Each time the system is booted,
two more cylinders, starting from the end of the hard drive, are encrypted.
The cylinders can be accessed by the user as long as One_Half is resident.
After encrypting about one half of the hard drive, the virus displays the
message:

    Dis is one half. Press any key to continue...

Because of the encryption done to the hard drive, the simple removal of the
One_Half virus will not solve the problem. The antivirus will need to decrypt
the cylinders back. FDISK /MBR would remove One_Half, but the encrypted
portion of the disk would be lost.

One_Half only infects files that have a .COM or .EXE extension and that don't
contain strings like SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, or MSAV in the
filename.

Lessons:
--------

a) Do not continue to operate your computer if you find out it is infected by
   a virus whose characteristics you don't know. Try to identify the virus
   and to find out what kind of damage it performs before rebooting your
   computer.
b) Do not try to remove a virus using inappropriate software. This can result
   in corruption of your data and sometimes can result in more damage than
   the damage that might have been produced by the virus.

-------------------------------------------------------------------------------
9) Miscellaneous information
============================

How can you get your PC infected?
---------------------------------

There are three ways:

1) Booting from an infected system.
2) Executing an infected program.
3) Opening an infected document.

What is safe?
-------------

a) Copying files or opening them in an editor that does not automatically
   execute macros cannot infect a system. It is always safe to inspect a file
   with a simple ASCII editor.
b) Write-protected diskettes cannot be infected unless the diskette drive is
   malfunctioning.

General hints:
--------------

a) Have a non-infected boot disk handy. After you make it, write-protect it!
b) Back up your data frequently.
c) Avoid booting from floppies by accident (change the boot sequence to C: A:
   if possible).
d) Keep diskettes write-protected whenever you just need to read from them.
e) Choose your sources of software carefully. Try to obtain Shareware,
   Freeware and Public-Domain software from the original author or from
   reliable distribution sites.
f) Scan all new programs; use several scanners if possible, as there is no
   BEST scanner.
g) Use an integrity checker after booting from a clean write-protected
   diskette; the checksum database should also be stored on another diskette
   if possible. This should ensure the database integrity.

What if your computer got infected?
-----------------------------------

If your computer gets infected with a virus - DON'T PANIC! If you don't know
what to do, then the best thing would be to shut down your computer and find
someone who knows how to deal with viruses. You should always use your boot
disk or Rescue disk to start up the system before disinfecting it.

-------------------------------------------------------------------------------
10) Conclusions
===============

Viruses represent a danger for any computer user, and in order to find out
the best way of dealing with them we have to know how they work. The best way
of checking for an infection is to boot from a clean disk and to perform a
scan and an integrity check.
We should also check that no new programs have appeared on our system and
that we have performed a real clean reboot, and not a fake one.

The steps I would take would be:

a) Reboot the computer. Enter SETUP and make sure we boot from the diskette
   drive first.
b) Insert the boot disk in the drive.
c) Exit SETUP after saving any changes we've made. We should now boot from
   the diskette.
d) Run antivirus software from the diskette. Do a scan and an integrity
   check.
e) Use a program, or just walk through the directories on your path, and
   check whether you have any newly added programs.
f) Use a disk editor to take a look at your directory structure and detect
   possible file-system infectors.
g) Reboot the computer. Enter SETUP and change the boot sequence to C: A:
h) Reboot and start working.

These steps should be done only after we have installed new software (that we
should have scanned before installing). Obviously, steps e and f cannot be
done by the average user; the antivirus software should offer a way of doing
these checks, but unfortunately antivirus software doesn't do all it could.

Many antivirus programs claim that they are invincible; however, no antivirus
can be invincible. Even if a vendor claims that you don't need a clean reboot
to be able to use his software, you shouldn't believe that. An evaluation of
antivirus software can be done only by experts, and there are few of them.
Antivirus software, like cryptography software, is in too many cases made by
people who are not experts in the field, so you should be cautious about what
product you buy. You should exercise the same criticism for this paper, as I
am far from being an expert in computer viruses.
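As an added example, not the author's software, here is the kind of tool steps d and e above call for: a baseline-and-verify integrity checker in the sense of section 7 that hashes whole program files (so mid-file cavity changes are not missed), protects the checksum database with an HMAC under a key kept off the scanned disk, and reports changed, new and removed programs as well as new .COM files that shadow an .EXE of the same name (the companion infectors of section 1). The directory layout, file contents and key are all constructed; the demo writes only into a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile

PROGRAM_EXTS = {".com", ".exe", ".sys", ".ovl", ".dll"}   # program files to cover


def file_digest(path):
    """SHA-256 over the whole file, so a change anywhere (header, tail or a
    cavity in the middle) alters the digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Return {relative path: digest} for every program file under root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = file_digest(full)
    return digests


def save_baseline(digests, key):
    """Serialise the database and tag it with an HMAC. The key (and ideally
    the database itself) stays on the write-protected diskette, so a virus
    that rewrites the database on the hard drive cannot forge a valid tag."""
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": digests, "hmac": tag}, sort_keys=True).encode()


def baseline_intact(blob, key):
    """True if the stored tag matches the stored file table under key."""
    doc = json.loads(blob)
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["hmac"])


def verify(root, blob, key):
    """Compare the current tree with the baseline. Reports modified, added and
    removed program files, plus added .COM files that shadow an .EXE of the
    same name in the same directory."""
    if not baseline_intact(blob, key):
        raise ValueError("baseline database failed its integrity check")
    old = json.loads(blob)["files"]
    new = scan_tree(root)
    report = {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }
    exe_stems = {p[:-4].lower() for p in new if p.lower().endswith(".exe")}
    report["companions"] = [p for p in report["added"]
                            if p.lower().endswith(".com") and p[:-4].lower() in exe_stems]
    return report


def demo():
    """Build a constructed program tree, take a baseline, then alter the tree
    the way an infection would look to the checker, and verify."""
    key = b"constructed-demo-key"          # placeholder; a real key is generated once
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "BIN")
    os.makedirs(bin_dir)
    for name, data in (("CALC.EXE", b"MZ" + b"\x00" * 100),
                       ("EDIT.EXE", b"MZ" + b"\x01" * 100)):
        with open(os.path.join(bin_dir, name), "wb") as f:
            f.write(data)
    blob = save_baseline(scan_tree(root), key)
    with open(os.path.join(bin_dir, "CALC.EXE"), "ab") as f:
        f.write(b"\x90" * 16)               # CALC.EXE grew by 16 bytes
    with open(os.path.join(bin_dir, "EDIT.COM"), "wb") as f:
        f.write(b"stub")                    # a .COM appeared beside EDIT.EXE
    return verify(root, blob, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it after booting from the clean diskette, as the section insists: a resident stealth virus would otherwise feed the hasher the original bytes and the report would come back clean.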
-------------------------------------------------------------------------------
11) Bibliography and pointers to more information
=================================================

A good Virus FAQ is:

alt.com.virus FAQ - http://emt.doit.wisc.edu/acvfaq/acvFAQ.html

Good virus encyclopedias and other information about viruses can be found at:

Dr. Solomon - The Virus Encyclopedia - http://www.drsolomon.com/vircen/enc/
AntiViral Toolkit Pro - Virus Encyclopedia - http://www.avpve.com/
Symantec Antivirus Research Center - http://www.symantec.com/avcenter/

The University of Hamburg maintains a good archive for virus related stuff
(they have great archives in other domains too, so you should check this
out).

University of Hamburg - ftp://ftp.informatik.uni-hamburg.de/pub/virus/

Here I found and read the following articles and documents:

Vesselin Bontchev - The Bulgarian and Russian virus factories.
Vesselin Bontchev - Are "good" computer viruses still a bad idea?
Vesselin Bontchev - Future trends in virus writing.
Vesselin Bontchev - Possible virus attacks against integrity programs and how
                    to prevent them.
Vesselin Bontchev - Known polymorphic viruses.
Vesselin Bontchev - "Vircing" the InVircible.
Patrick Min - Virus Detection Alternatives.
* * * - VIRUS-L.FAQ

For Free, Shareware, or Public Domain software check the following:

SimTel Archive by FTP - ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/
SimTel Archive Web Page - http://www.simtel.net/simtel.net/
WUARCHIVE (at Washington University in St. Louis) - http://wuarchive.wustl.edu/

For more information you could also check the works of Frederick B. Cohen,
who was a pioneer of virus research and is one of the leading authorities in
matters of computer security. At the time I wrote this article, I hadn't read
any of his books on viruses, but I plan to if I am able to find them.

Credits:
~~~~~~~~
Thanks to my parents who bought me my first computer, which I got infected
three days later with the Michelangelo virus.
This is how I got acquainted with viruses. The articles and documents written
by Fridrik Skulason and Vesselin Bontchev have helped me better understand
how some viruses and antiviruses work; without reading them I wouldn't have
been able to write this document. Thanks to my friend, Mihail "GGDuru"
Sichitiu, for reading this paper and for the corrections and suggestions he
made for its improvement.

=====================This is the end of this file==============================