Encrypted Viruses Encrypted viruses use cryptographic techniques, such as those described in Chapter 9, to avoid detection. In their outward appearance, they are actually quite similar to polymorphic viruses— each infected system has a virus with a different signature. However, they do not generate these modified signatures by changing their code; instead, they alter the way they are stored on the disk. Encrypted viruses use a very short segment of code, known as the virus decryption routine, that contains the cryptographic information necessary to load and decrypt the main virus code stored elsewhere on the disk. Each infection utilizes a different cryptographic key, causing the main code to appear completely different on each system. However, the virus decryption routines often con- tain telltale signatures that render them vulnerable to updated antivirus software packages. Hoaxes No discussion of viruses is complete without mentioning the nuisance and wasted resources caused by virus hoaxes. Almost every e-mail user has, at one time or another, received a message forwarded by a friend or relative that warns of the latest virus threat to roam the Internet. Invariably, this purported “virus” is the most destructive virus ever unleashed and no antivirus package is able to detect andor eradicate it. One famous example of such a hoax is the Good Times virus warning that first surfaced on the Internet in 1994 and still circulates today. For more information on this topic, the renowned virus hoax expert Rob Rosenberger edits a web- site that contains a comprehensive repository of virus hoaxes. You can find it at www.vmyths.com. Logic Bombs As you learned in Chapter 7, logic bombs are malicious code objects that infect a system and lie dor- mant until they are triggered by the occurrence of one or more conditions such as time, program launch, website logon, and so on. The vast majority of logic bombs are programmed into custom-built applications by software developers seeking to ensure that their work is destroyed if they unexpectedly leave the company. The previous chapter provided several examples of this type of logic bomb. However, it’s important to remember that, like any malicious code object, logic bombs come in many shapes and sizes. Indeed, many viruses and Trojan horses contain a logic bomb com- ponent. The famous Michelangelo virus caused a media frenzy when it was discovered in 1991 due to the logic bomb trigger it contained. The virus infects a system’s Master Boot Record through the sharing of infected floppy disks and then hides itself until March 6—the birthday of the famous Italian artist Michelangelo Buonarroti. On that date, it springs into action, refor- matting the hard drives of infected systems and destroying all of the data they contain. Trojan Horses System administrators constantly warn computer users not to download and install software from the Internet unless they are absolutely sure it comes from a trusted source. In fact, many companies strictly prohibit the installation of any software not prescreened by the IT depart- ment. These policies serve to minimize the risk that an organization’s network will be compro- mised by a Trojan horse—a software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network.