David Emm
August 1996
Making predictions about the future is dangerous. Without the aid of a crystal ball, it is unwise to try and be too specific about what is likely to happen. Nevertheless, it is possible to make a broad assessment of future virus developments.
With regard to the desktop operating systems being used on the PC, the future clearly lies with Microsoft Windows, whether Windows 95 or Windows NT (or both); although it is also clear that DOS will be with us for some time to come. To a considerable degree, therefore, the impact of viruses under Windows will define their overall impact on the PC world.
Within this context, macro viruses will play a considerable part. They have already had a marked effect. Since the appearance of WM/Concept in July 1995, we have seen over 1,500 macro viruses. Macro viruses (such as WM/Concept, WM/Wazzu, WM/Npad, WM/MDMA, WM/Cap, WM/Switcher and others) form the greater part of viruses reported to Technical Support.
Some macro viruses include a damaging payload, designed to corrupt data or delete files on the disk. If instructions within a macro make calls to a specific operating system (as with the WM/FormatC macro trojan), the payload will be restricted to that particular operating system. However, the WM/MDMA virus demonstrates that this limitation can be overcome: it includes variable payloads for different operating systems.
Macro virus writers have implemented techniques inherited from earlier generations of virus writers. Some viruses use stealth to conceal the changes they make. WM/Cap, for example, removes the Tools | Macro option, to prevent macros being listed. WM/Angus goes further, replacing the normal Tools | Macro dialog with a fake message box (entitled 'Microsoft Windows' and containing the text 'Windows Protection Error'). Some viruses are polymorphic; that is, they change with each infection in an attempt to avoid detection by anti-virus programs. WM/Angus, for example, uses randomly generated macro names.
Macro viruses are not confined to Microsoft Word for Windows. In January 1996, the first macro virus to infect Lotus AmiPro files (APM/GreenStripe) appeared. Unlike Word for Windows, in which macros are directly linked to document and template files, AmiPro macros are contained in a separate file; this makes it possible to exchange AmiPro documents (for example, via e-mail) without exchanging infected macros. For this reason, there are likely to be fewer AmiPro macro viruses; and they are likely to spread less effectively.
However, we have seen viruses written to infect Microsoft Excel for Windows (the first working Excel for Windows macro virus was XM/Laroux, which appeared in July 1996). It does not take a great deal of imagination to see the possible consequences which might arise from a virus making modifications to spreadsheets.
Looking ahead, Microsoft Office 97 opens up new possibilities. WordBasic (the macro writing language used in earlier versions of Word for Windows and Excel for Windows) has been replaced by Visual Basic for Applications (VBA). This makes it possible to write more complex macro viruses. In addition, it makes PowerPoint macro viruses a possibility.
The impact of macro viruses rests on three factors.
Macro viruses are written in WordBasic or VBA. They are much easier to write than executable file viruses (written using low-level programming tools). As a result, virus writing is no longer the preserve of a comparatively small number of people.
They are the first viruses to infect data files, rather than executables. Data files, to which macros are attached, provide viruses with a more effective replication method than executable files, because data files are exchanged far more frequently than executable files. The development of macro viruses has taken place in parallel with the increased use of e-mail (and the ability to attach files to e-mail), and mass access to the Internet (including on-line services like CompuServe and America Online); this makes macro viruses a much greater threat to computer users than executable file viruses and boot sector viruses.
Macro viruses are not platform-specific. There are versions of Microsoft Word for Windows 3.x, Windows 95, Windows NT and Macintosh. This makes all of these operating systems susceptible to macro viruses.
However, macro viruses do not make up the whole picture. Boot sector viruses still represent a large percentage of 'in the wild' viruses; and they are likely to have an effect on PC users for some time to come. These viruses infect at boot-up, when an infected floppy disk is inadvertently left in drive A. They infect at a BIOS level; that is, before the operating system loads. This is true of any operating system . . . DOS, Windows (of whatever flavour), OS/2, Novell NetWare, etc. For this reason, any PC is susceptible to infection from boot sector viruses.
The ability of boot sector viruses to spread, by infecting floppy disks accessed in the PC, is dependent on the operating system. Under Windows 95, some boot sector viruses are able to go memory resident and infect floppy disks accessed in the PC. However, they are more likely to be noticed by the user, since they disrupt the normal working of Windows 95 (the system will load in 16-bit mode and general exception errors may occur).
Under protected mode operating systems, like Windows NT, where the concept of a TSR (memory resident program) is anathema, boot sector viruses are unable to go memory resident. Nevertheless, data stored on PCs running Windows NT is still at risk. Any damage routine triggered by a boot sector virus takes place (like the infection process) at a BIOS level, before the operating system has been loaded.
Over time, as we move away from DOS and Windows 3.x, boot sector viruses will decline. However, this will not happen overnight. The fact that new boot sector viruses (like Baboon and Dodgy) are being written, and are able to spread successfully, is testimony to this.
Just as the spread of boot sector viruses will be more limited under Windows NT, the spread of executable file viruses (the most successful of which are memory resident viruses) is likely to diminish. However, this will have less of an impact on the wider picture; it should be remembered that executable file viruses (as distinct from macro viruses) have always been much less commonly found 'in the wild'.
It is worth remembering that the observations above relate to existing viruses, written during a period when DOS has been the principal desktop operating system. And the viruses we have seen which are specifically designed to infect Windows programs (for example, Tentacle or Boza) are 'direct-action' viruses (that is, they do not go memory resident).
If a virus is able to actively monitor, and intercept, disk or file activity, it can spread more effectively. The first attempt to write a VxD virus (a VxD is a Windows 95 memory resident device driver) was Punch, written early in 1997; but this contains bugs and fails to spread effectively. More recently, however, we have seen a number of other VxD viruses, including Klunky and Memorial. In addition, we have seen one virus, Cabanas, which successfully infects under Windows 95 and Windows NT. Development of viruses for these operating systems is unlikely to end here; and we can expect to see more viruses for Windows 95 and Windows NT.
There is no reason to suppose that the number of viruses being written will diminish greatly. There were around 7,500 viruses in July 1995 (when the first macro virus appeared); currently [December 1997] there are over 15,500. Around 400 new viruses are being seen each month. It is fair to say, therefore, that some people's predictions about the imminent demise of viruses have been 'greatly exaggerated'.