Virus Definition and a Court Battle

“In order to be considered a virus, computer code has to have four properties,” he told me. “If it doesn’t have all four properties, it’s bad code, but it’s not a virus.”

I was all ears. This conversation happened back in the early 90s, in the days of Windows for Workgroups 3.1 and 3.11. The gentleman who was telling me about viruses was the first true Systems Administrator I ever worked with.

“Okay, so what are the four properties a virus must have?” I asked.

He touched a finger as he listed each point. “A virus must be self-replicating, mobile, covert, and unwanted.”

It’s funny how that stuck with me. I didn’t write it down until years later, but I never forgot his list. I don’t remember his name, but the list I know. . .

Today, there are several kinds of malware, and various additional properties that we use to differentiate them from each other. Still, it’s worth examining my forgotten friend’s unforgotten list.

Four Characteristics

1. Self-replicating
   1. The malicious program must contain some code that exists to make copies of itself.
2. Mobile
   1. By replicating itself, a malicious program might conceivably fill all the empty space on a hard disk – but if it can’t move from computer to computer, it’s not really infectious or communicable. Early viruses achieved mobility by copying themselves to removable media – floppy disks – which were later inserted into another computer, beginning a new cycle of self-replication.
3. Covert
   1. A biological virus is unseen because it’s so small. A computer virus is unseen because it’s hidden. It’s secret. It’s unknown to the user.
4. Unwanted
   1. There are all kinds of good files on your computer that you don’t know about: drivers, processes, services, logs. Just because you don’t know about them doesn’t mean you don’t want them. So this fourth property is as important as the other three – the welcome mat isn’t out for the virus.

Malware Today

Human creativity has resulted in a lot of variations that can’t be neatly described by this original list. A Trojan, for example, may not truly be self-replicating. We human beings download and install the program. We are the agent of replication. Let’s take it a step further, and be more specific. Consider a keylogger that is hidden as a Trojan in a program we intentionally install. It may not replicate itself, and furthermore, it may not be mobile. The keylogger might not move to another computer. Yes, it’s covert and unwanted, but it doesn’t have the two traits that make it most analogous to a biological virus.

And now, the funny part...

In the year 2000, I was a Director in a national company that had spent a lot of money replacing our billing software in 1999. If we hadn’t purchased and installed the new software, we would have been unable to generate bills for our customers after January 1, 2000. The Y2K bug would have bitten us. This company’s legal team decided to make an insurance claim to recover the cost of the billing upgrade, under a clause in the insurance that protected us from losses caused by computer viruses. I was invited as a technical representative to one of the early meetings with a couple of our corporate attorneys. They explained to a group of us what they were trying to do, and they repeatedly spoke of “the Y2K virus.”

I said, “There’s a problem with your plan that you should know about. The Y2K bug isn’t a virus.” One of the attorneys gave me a withering stare and said, “Bug – virus – they’re synonymous terms.”

I tried to explain. “A bug is a problem in the software, but it’s not the same thing as a virus. In order to be a virus, it would need to have the following four characteristics, . .” which I then enumerated.

The attorney turned away, and went on with the meeting. I wasn’t invited back to the follow-up meetings...