Wanted Dead or Alive: The Antivirus Shoot-Out

By Philip Carden
 Not dead, yet not alive. That's how scientists describe biological viruses, the animate particles that are responsible for a wide variety of human ailments. Biological viruses like influenza infect healthy cells and then use those cells to make copies of themselves, which in turn can infect other healthy cells.

In a similar fashion, computer viruses infect, self-replicate and spread. By understanding how computer viruses take on a life of their own, you'll understand the damage that viruses can do and the important steps to take to protect your workgroup.

Since a computer user typically only runs useful, known programs (like a word processor or spreadsheet), a virus needs to attach itself to--or associate with--another program in order to run. Moreover, there needs to be some mechanism by which the virus code will run automatically. Two such mechanisms are widely employed by viruses--boot-sector executables and application macros.

Boot-Sector Viruses

When you first start or restart your computer, it checks to see if there is a disk in the floppy drive. If there is, the computer looks for a part of the disk called the boot sector (created when the disk is first formatted) and runs a program called the boot-sector executable. If the disk is bootable, the boot-sector executable loads the OS (operating system). If not, it displays the message "non-system disk or disk error, replace and strike any key when ready." The boot-sector executable runs automatically every time the computer starts with a disk in the floppy drive, regardless of the disk's contents. On a diskette infected with a boot-sector virus, the boot-sector executable is modified--it performs the same functions as the standard boot-sector executable, but also transfers the virus program to the computer.

Most often, the infected boot-sector executable modifies a sector on the computer's hard disk called the MBR (Master Boot Record)--also known as the partition sector or partition table. The MBR contains an executable that runs automatically when there is no diskette in the floppy drive. The MBR executable then automatically starts an OS boot-sector executable, which is located on one of the hard drive's partitions. The virus transfers itself to the computer by modifying the MBR executable so that the next time the computer is booted from the hard drive, the virus program is loaded into memory.

Once loaded in memory, the virus waits for diskettes to be inserted in the floppy drive. The virus then modifies the new floppy disk's boot-sector executable with the original virus code, so the floppy diskette can infect other computers. Thus, the virus has used an automated process to infect, replicate itself and spread. Other varieties of virus may attack the OS boot sector on the hard drive instead of the MBR, attack both the OS boot sector and the MBR, or avoid the hard drive altogether and load directly into memory from the floppy diskette.
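Because this kind of infection works by changing the MBR executable, a defender can detect it by comparing the sector with a baseline taken from a known-good state. The Python below is an added example, not part of the original article; the function names are hypothetical, the sample sectors are constructed placeholder bytes rather than real boot code, and reading the 512-byte sector from the disk is left to the caller.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446       # executable area at the start of a classic MBR
SIGNATURE = b"\x55\xaa"   # boot signature in the last two bytes


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte partition entries follow the boot code
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i)
        if ptype:  # type 0 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[BOOT_CODE_LEN:510]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:] == SIGNATURE,
    }


def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline from a known-good state."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("MBR boot code changed since baseline")
    if current["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table changed since baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: placeholder code bytes plus one bootable partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 1_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + bytes(48) + SIGNATURE


CLEAN = build_sample_mbr(b"\xfa\x33\xc0")      # constructed, not real boot code
MODIFIED = build_sample_mbr(b"\x90\x90\x90")   # same table, different code bytes
BASELINE = parse_mbr(CLEAN)
```

Read the sector after booting from known-clean media, since code that is already resident in memory can intercept disk reads and return the original contents.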

Macros and Macro Viruses

When you use office-automation applications, such as word processors and spreadsheets, you often perform business-specific tasks repeatedly. To help with such situations, most applications support macros. A macro is a series of commands and instructions that you group together as a single command to automate a task. You might write a macro in Excel to highlight all of the lines in a spreadsheet that are missing a key field, or you may have a macro in Word to reformat all the addresses in an address list with the format used in your workgroup.

Since macros contain a series of instructions, they are essentially programs. Indeed, these programs can be very powerful. In applications like Word and Excel, macros can modify the configuration of the application itself. However, unlike normal application programs, which are separate executable files, macros are usually saved along with the document data file. Moreover, macro languages typically offer a mechanism for a macro to run automatically when the document is opened (such a macro is often called an autorun, autostart or start-up macro).
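Because macros travel inside the document file itself, a file or mail gateway can check each document for embedded macro storage before it reaches a user. The Python below is an added example, not part of the original article, and it goes beyond the article's scope: it assumes the zip-based Office formats (.docx, .docm, .xlsx, .xlsm), where VBA code is stored in a part named vbaProject.bin. The function names, verdict strings and sample documents are constructed for illustration.

```python
import io
import zipfile

MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def find_macro_storage(data: bytes) -> list:
    """List parts of a zip-based Office document that hold a VBA project."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.lower().endswith("vbaproject.bin"))


def triage(filename: str, data: bytes) -> dict:
    """Decide how a mail or file gateway should treat one document."""
    try:
        parts = find_macro_storage(data)
    except zipfile.BadZipFile:
        # Legacy binary formats (.doc, .xls) are not zip files; hand them
        # to a scanner that understands that format.
        return {"file": filename, "verdict": "needs-legacy-scan", "parts": []}
    if not parts:
        verdict = "no-macros"
    elif filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        verdict = "macros-under-macro-free-extension"
    else:
        verdict = "contains-macros"
    return {"file": filename, "verdict": verdict, "parts": parts}


def build_sample(parts: dict) -> bytes:
    """Constructed sample: a minimal zip with the given part names and bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


PLAIN = build_sample({"word/document.xml": "<w:document/>"})
WITH_VBA = build_sample({"word/document.xml": "<w:document/>",
                         "word/vbaProject.bin": b"placeholder, not real VBA"})
```

The presence of a VBA project does not show whether any macro runs when the document is opened; answering that requires extracting the VBA source with a dedicated parser.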

