infected. The current document would not already be infected if it has just been created within Microsoft Word; however, the default document template would be opened.
With other viruses, system files may be modified, replaced, or deleted; network drives are often a target, infecting files shared amongst multiple users. The virus may attach parts of itself to system executables or the hard disk boot sector to ensure repetitive execution. When infection simply consists of mass copying of the virus code in whole, it is hard to separate that from self-replication. In fact, many viruses don't infect a system by conventional means. Some just sprinkle themselves throughout the file system, expecting the computer's operator to unsuspectingly re-invoke the virus at some future time. Therefore, the only real difference between self-replication and infection is that self-replication is the copying of the viral code from the host currently executing it to another target host.
Once a host is infected, it may continue to self-replicate throughout its life, or it may lie dormant waiting to deliver its payload. The payload in Melissa is quite simple; the code segment is below.
Melissa inserts the text “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.” into the opening document whenever the day of the month is equal to the minute of the hour. Many viruses are not as nice; their payloads range from sending sensitive information to various remote hosts to quite severely damaging files and data.
4 The Essence of the Proposed Approach
A computer code, either legitimate or malicious, first takes the form of a binary sequence that is interpreted as instructions for operations to be performed. These may be high-level instructions, such as those used in script languages, or low-level machine language instructions. The “alphabet” of instructions contains a finite number of “letters” whose proper sequence constitutes appropriate directions for computer operations. In many instances, malicious codes are partially encrypted. During execution, they decode the encrypted parts and eventually form the sequence of executable macro commands.
Existing anti-virus programs implement a simple but reliable approach for the detection of computer viruses. They utilize a library of virus definitions that contains “samples” of the binary sequences of all known viruses in the same way that the peptides of immune cells contain “samples” of the genetic sequences of all antigens ever encountered by the biological organism. When the computer code in question arrives, the anti-virus software attempts to match “slides” of the new code to the existing samples in its library. Finding a “perfect match” triggers the appropriate actions of the anti-virus program. Although this approach is sound, it cannot detect a new, previously undocumented virus, and is thus dependent on updates to its library.
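The matching step described above, as an added example (not code from the original text): a Python sketch that slides fixed-width windows over a buffer and looks each window up in a signature library. The signature names, the inert byte patterns and the single-byte XOR encoding are constructed assumptions chosen only to show where an exact match succeeds and where it misses.

```python
"""Signature scanner sketch: exact-match sliding windows over a byte buffer."""
from collections import defaultdict

# Constructed, inert byte patterns standing in for a virus-definition library.
SIGNATURE_LIBRARY = {
    "Sample.A": bytes.fromhex("deadbeef4d41435231"),
    "Sample.B": b"CONSTRUCTED-MACRO-SEQUENCE",
}


def build_index(library):
    """Group signatures by length so each window width is scanned once."""
    index = defaultdict(dict)
    for name, pattern in library.items():
        index[len(pattern)][pattern] = name
    return index


def scan(data, library=SIGNATURE_LIBRARY):
    """Return sorted (offset, name) pairs for every exact signature match."""
    hits = []
    for width, patterns in build_index(library).items():
        for offset in range(len(data) - width + 1):
            name = patterns.get(data[offset:offset + width])
            if name is not None:
                hits.append((offset, name))
    return sorted(hits)


def xor_encode(data, key):
    """Single-byte XOR, standing in for the 'partially encrypted' form."""
    return bytes(b ^ key for b in data)


# Constructed inputs: a known sample embedded in filler, a one-byte variant,
# and an encoded copy of the kind that is only decoded at execution time.
KNOWN = b"\x00" * 8 + SIGNATURE_LIBRARY["Sample.A"] + b"\x00" * 8
VARIANT = KNOWN.replace(b"\xde\xad", b"\xde\xae")
ENCODED = xor_encode(KNOWN, 0x5A)

if __name__ == "__main__":
    for label, buf in (("known", KNOWN), ("variant", VARIANT), ("encoded", ENCODED)):
        print(label, scan(buf))
```

Only the buffer containing the library's exact bytes produces a hit; the variant and the encoded copy pass unflagged until a matching definition is added or the content is scanned in its decoded form.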