virus proof

Upload: ashim01

Post on 02-Apr-2018


  • 7/27/2019 Virus Proof

    1/6

    1

    VIRUS

    In computers, a virus is a program or programming code that replicates by being copied or initiating its copying to

    another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note

    or in a downloaded file, or be present on a diskette or CD. The immediate source of the e-mail note, downloaded

    file, or diskette you've received is usually unaware that it contains a virus. Some viruses wreak their effect as soon

    as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the

    computer. Some viruses are benign or playful in intent and effect ("Happy Birthday, Ludwig!") and some can be

    quite harmful, erasing data or causing your hard disk to require reformatting. A virus that replicates itself by

    resending itself as an e-mail attachment or as part of a network message is known as a worm.

    File Viruses (Parasitic Viruses)

    File viruses are pieces of code that attach themselves to executable files, driver files or compressed files, and are

    activated when the host program is run. Some file infector viruses attach themselves to program files, usually

    selected .COM or .EXE files. Some can infect any program for which execution is requested, including .SYS, .OVL,

    .PRG, and .MNU files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as

    wholly-contained programs or scripts sent as an attachment to an e-mail note.

    Boot Sector Viruses

    A boot sector virus affects the boot sector of a hard disk, which is a very crucial part. The boot sector is where all

    information about the drive is stored, along with a program that makes it possible for the operating system to boot

    up. By inserting its code into the boot sector, a virus guarantees that it loads into memory during every boot

    sequence.

    A boot virus does not affect files; instead, it affects the disks that contain them. Perhaps this is the reason for their

    downfall. During the days when programs were carried around on floppies, the boot sector viruses used to spread

    like wildfire. However, with the CD-ROM revolution, it became impossible to infect pre-written data on a CD, which

    eventually stopped such viruses from spreading.

    Multipartite Viruses

    Multipartite viruses are a combination of boot sector viruses and file viruses. These viruses come in through

    infected media and reside in memory. They then move on to the boot sector of the hard drive. From there, the

    virus infects executable files on the hard drive and spreads across the system.

    Macro Viruses

    Macro viruses infect files that are created using certain applications or programs that contain macros. These

    include Microsoft Office documents such as Word documents, Excel spreadsheets, PowerPoint presentations,

    Access databases, and other similar application files such as Corel Draw, AmiPro, etc.

    Since macro viruses are written in the language of the application, and not in that of the operating system, they are known to be platform-independent: they can spread between Windows, Mac, and any other system, so long as they're running the required application. With the ever-increasing capabilities of macro languages in applications, and the possibility of infections spreading over networks, these viruses are major threats.

    The first macro virus was written for Microsoft Word and was discovered back in August 1995. Today, there are thousands of macro viruses in existence; some examples are Relax, Melissa.A and Bablas.
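    Because a macro virus lives inside the document rather than in a system executable, the first defensive question for an incoming Office file is simply whether it carries a VBA project at all. The following Python is an added example, not code from the original document: it builds two constructed OOXML-style documents in memory (a macro-free .docx and a .docm with a placeholder vbaProject.bin) and checks them for the zip member that Word, Excel and PowerPoint use to store macro code. The member name convention is real; the sample documents, the function names and the verdict strings are this example's own.

```python
import io
import zipfile

# Word, Excel and PowerPoint store a document's VBA code in a zip member whose
# name ends in vbaProject.bin (word/, xl/ or ppt/ prefix), so its presence is the
# simplest reliable "does this file carry macros?" test.
VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_FREE_EXTS = {"docx", "xlsx", "pptx"}   # formats that are not supposed to carry VBA


def build_ooxml(parts: dict) -> bytes:
    """Assemble an in-memory OOXML-style zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample documents (not real files): a macro-free .docx and a .docm that
# carries a VBA project. The vbaProject.bin content is a placeholder, not real VBA.
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": b'<?xml version="1.0"?><Types/>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = build_ooxml({
    "[Content_Types].xml": b'<?xml version="1.0"?><Types/>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0PLACEHOLDER-VBA-PROJECT",
})


def find_macro_parts(blob: bytes) -> list:
    """Return the names of zip members that hold a VBA project; [] if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(VBA_PART_SUFFIX)]
    except zipfile.BadZipFile:
        return []


def classify(filename: str, blob: bytes) -> str:
    """Triage verdict for an incoming Office document (verdict strings are this example's own)."""
    parts = find_macro_parts(blob)
    if not parts:
        return "no-macros"
    ext = filename.rsplit(".", 1)[-1].lower()
    # A VBA project inside a file that claims a macro-free extension is a mismatch
    # worth flagging on its own, whatever the macro does.
    if ext in MACRO_FREE_EXTS:
        return "macros-present-extension-mismatch"
    return "macros-present"


if __name__ == "__main__":
    for name, blob in (("report.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM)):
        print(name, classify(name, blob), find_macro_parts(blob))
```

    The check says nothing about what the macro does; it only tells a mail gateway or a user which documents deserve a closer look, which is usually the decision that matters.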


    Network Viruses

    This kind of virus is proficient in quickly spreading across a Local Area Network (LAN) or even over the Internet.

    E-mail Viruses

    An e-mail virus travels as an attachment to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Some e-mail viruses don't even require a double-click -- they launch when you view the infected message in the preview pane of your e-mail software.

    One of the most common and destructive e-mail viruses is the ILOVEYOU virus.

    Other Malicious Software

    Trojan Horses: The biggest difference between a Trojan horse (or Trojan) and a virus is that Trojans don't spread themselves. Trojan horses disguise themselves as useful software available for download on the Internet, and naive users download and run them only to realise their mistake later.

    Remote Access Trojans: These are the most commonly available Trojans. These give an attacker complete control over the victims' computers. The attacker can go through the files and access any personal information about the user that may be stored in the files, such as credit card numbers, passwords, and important financial documents.

    Password-sending Trojans: The purpose of such Trojans is to copy all cached passwords and look for other passwords as you enter them, and send them to a specific mail address, without the user's knowledge. Passwords for restricted Web sites, messaging services, FTP services and e-mail services come under direct threat with this kind of Trojan.

    Keyloggers: These log victims' keystrokes and then send the logs to the attacker. The attacker then searches for passwords or other sensitive data in the log files. Most of them come with two functions, such as online and offline recording. Of course, they can be configured to send the log file to a specific e-mail address on a daily basis.

    Destructive: The only function of these Trojans is to destroy and delete files. They can automatically delete all the core system files on your machine. The Trojan could be controlled by the attacker or could be programmed to strike like a logic bomb, starting on a specific day or at a specific hour.

    Denial of Service (DoS) Attack Trojans: The main idea behind this kind of Trojan is to generate a lot of Net traffic on the victim's machine, to the extent that the Internet connection is too overloaded to let the user visit a Web site or download anything. Another variation of a DoS Trojan is the mail-bomb Trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail addresses with random subjects and contents that cannot be filtered.

    Proxy/Wingate Trojans: These types of Trojan turn the victim's computer into a proxy/wingate server. That way, the infected computer is available to the whole world to be used for anonymous access to various risky Internet services. The attacker can register domains or access pornographic Web sites with stolen credit cards or do similar illegal activities without being traced.

    Worm: A worm is a small piece of software that uses computer networks and security holes to replicate itself. A

    copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the

    new machine using the security hole, and then starts replicating from there, as well.


    The main difference between viruses and worms is the method in which they reproduce and spread. A virus is

    dependent upon a host file or boot sector, and the transfer of files between machines to spread, while a worm can

    run completely independently and spread of its own accord through network connections.

    COMMON SYMPTOMS

    • Your computer always stops responding when you try to use certain software. This could also take place due to corruption of an essential file required by that software.

    • You received an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear, or a sudden degradation in system performance occurs.

    • There is a double extension on an attachment that you recently opened, such as .jpg.vbs or .gif.exe.

    • An anti-virus program is disabled for no reason and it cannot be restarted. The computer may not allow re-installation of the anti-virus.

    • Strange dialog boxes or message boxes appear on the screen.

    • Someone tells you that they have recently received e-mail messages from you containing infected attached files, and you are sure you never sent any such mails.

    • New icons that you did not place on the Desktop appear, and are not associated with any recently installed programs.

    • Strange sounds or music plays from your speakers unexpectedly.

    • A program disappears from the computer, and you didn't uninstall it.

    • Windows will not start because certain critical system files are missing, and you receive error messages listing those files.

    • The computer starts as expected some of the time, but at other times, stops responding before the desktop icons and taskbar appear.

    • The computer runs very slowly and it takes a long time to start.

    • Out-of-memory error messages appear, even though your computer has plenty of RAM.

    • New programs do not install properly.

    • Windows restarts unexpectedly.

    • Programs that used to run now stop responding frequently. If you try to remove and reinstall the software, the issue continues to occur.

    • A partition completely disappears.
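    The double-extension symptom in the list above is one of the few that can be checked mechanically before the attachment is ever opened. The Python below is an added example, not part of the original document: it normalises the spacing tricks ("gif. exe", a run of spaces pushing the real extension off screen) and classifies attachment names, blocking a decoy picture or document extension in front of a directly runnable one and sending any other runnable type for review. The extension sets and the sample filenames are constructed for the example and deliberately not exhaustive.

```python
import re

# Extensions Windows treats as directly runnable when double-clicked (constructed,
# non-exhaustive list for this example).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta"}
# Extensions a recipient expects to be a harmless picture or document.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3"}


def normalise(name: str) -> str:
    """Undo the spacing tricks: collapse whitespace around dots so "gif. exe" and
    "jpg      .vbs" are seen as the single chains gif.exe and jpg.vbs."""
    return re.sub(r"\s*\.\s*", ".", name.strip()).lower()


def attachment_risk(name: str) -> tuple:
    """Return (verdict, reason) for an attachment filename.

    verdict is "block" for a decoy-extension chain, "review" for any other
    directly runnable type, and "ok" otherwise.
    """
    parts = normalise(name).split(".")
    exts = parts[1:]                    # everything after the base name
    if not exts:
        return ("ok", "no extension")
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return ("block", f"decoy .{exts[-2]} in front of runnable .{last}")
        return ("review", f"directly runnable attachment type .{last}")
    return ("ok", f"non-executable type .{last}")


def triage(names) -> dict:
    """Group a batch of attachment names by verdict (block/review/ok)."""
    groups = {"block": [], "review": [], "ok": []}
    for n in names:
        groups[attachment_risk(n)[0]].append(n)
    return groups


# Constructed sample attachment names, not taken from any real mailbox.
SAMPLE_NAMES = [
    "holiday.jpg.vbs",
    "invoice.gif. exe",
    "photo.jpg                                   .scr",
    "setup.exe",
    "notes.txt",
    "archive.tar.gz",
    "README",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:55} -> {attachment_risk(n)}")
    print(triage(SAMPLE_NAMES))
```

    Note that the check looks only at the name; a mail gateway would pair it with content inspection, since a runnable file can also arrive with an honest name or inside an archive.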


    Most Infamous Viruses

    1. The Melissa Virus

    This came in 1999, when David L Smith created a virus based on a Microsoft Word macro, spread through email. CNN said it was named after an exotic dancer from Florida. It replicated itself once opened onto people in the recipient's address book. The FBI reported it as wreaking havoc on government and private sector networks. Smith got 20 months in jail and was fined $5000.

    2. ILOVEYOU

    In 2000 a new digital threat was born in the Philippines. It was a worm, disguised as a love letter email, with a fatal

    attachment, in vbs (visual basic scripting). Onel de Guzman was investigated but not prosecuted through lack of evidence, and

    never admitted his complicity. It is thought it did damage to the tune of $10 billion.

    McAfee described the attack targets:

    It copied itself several times and hid the copies in several folders on the victim's hard drive.

    It added new files to the victim's registry keys.

    It replaced several different kinds of files with copies of itself.

    It sent itself through Internet Relay Chat clients as well as e-mail.

    It downloaded a file called WIN-BUGSFIX.EXE from the Internet and executed it. Rather than fix bugs, this program was a password-stealing application that e-mailed secret information to the hacker's e-mail address.

    3. The Klez virus

    This one appeared first in 2001 and like its predecessors infected through emails and then replicated. Some versions carried other programs that destroyed computers, acting as a virus, a worm or a trojan horse. Symantec said it could even disable virus-scanning software and pose as a virus-removal tool.

    Once it gathered momentum, some hackers adapted it so it was more deadly. It ransacked address books, and created spoofed emails whose real source was different from the one shown in the "from" box. Klez could be programmed to spam recipients with multiple emails.

    4. The Code Red and Code Red II Worms

    These menaces took advantage of a vulnerability in operating systems running Windows 2000 and Windows NT, by which memory could be overwritten when machine buffers were overloaded. The White House was the highest profile victim, when all machines were overloaded.

    The worm makes a backdoor into the computer's system (a system-level compromise) to allow the person who put in the bug to operate it. Infected machines obey instructions from that source. Crimes can be committed this way.

    The worm was named the .ida Code Red worm because Code Red Mountain Dew was what they were drinking at the time.

    5. Nimda Virus

    From 2001, Nimda (admin spelt backwards) was the fastest, most ruthless replicating attack up to that time, taking, according

    to some estimates, about 20 minutes from being released on the internet to the top attack reported.

    Whatever access a computer's user had on any network, the worm operator had the same. It slowed the entire web to a crawl; many systems crashed entirely.

    6. SQL Slammer/Sapphire

    In 2003 the Slammer virus also known as Sapphire hit the net, doubling its infections every few seconds. Within a quarter of an

    hour, half of the internet servers were hit. Bank of America, the City of Seattle and Continental Airlines were among the high

    profile US victims. Total damage was in the region of a billion dollars.

    Anti-attack devisers realised that hackers will always exploit any weakness in any system, so there is no foolproof defence.

    7. MyDoom

    As ominous as its name (also Novarg), this one had two triggers. One caused a denial of service (DoS) attack in 2004 and the second ordered it to stop distributing itself eleven days later. By then enough backdoors had been opened for the virus to remain potent.

    Months later a second outbreak was aimed mainly at clogging search engines. It shared with Klez an ability to spoof emails.


    8. Sasser and Netsky

    Unusually, authorities were able to track this pair of worms. A 17-year-old German, Sven Jaschan, repeated some code in both. Sasser attacked through a Microsoft Windows weakness, scanning for random IP addresses. Netsky went through emails with spoofs, causing DoS attacks through huge volumes of traffic.

    Svenson escaped prison, getting twenty months on probation as he was a minor when arrested.

    9. Leap-A/Oompa-A Virus

    In general most Mac users feel relatively relaxed about the safety of their machines. Because Apple produces both hardware and software, the systems are closed or obscure. There are also fewer Macs than PCs so hackers don't have such a big target to hit.

    However, in 2006 hackers got in through the iChat instant messaging program with a corrupted file that looked like an innocent JPEG image. As Macs become more common, there will be more attacks on their integrity.

    10. Storm Worm

    This virus was named after the fact that an email message carrying it was headed "230 dead as storm batters Europe". Fake headings about current news are what trick most users into opening the dangerous email. As there was already a 2001 W32.Storm.Worm virus, companies like McAfee called it Nuwar and Symantec called it Peacomm.

    Whatever it's called, it's a trojan horse in several different forms. Persons behind it can control infected computers which behave like zombies or bots. It can create a botnet to send mass spam.

    11. Click Jacking

    Operation Ghost Click was the FBI's code name for a two year investigation (2009-2011) that has just caught six Estonians (and a Russian who has not yet been caught). They ran a network of more than 4 million infected computers in 100 countries that rerouted users from big name websites like Amazon and Apple iTunes, to sites that were pure advertising. The gang received a referral fee every time it happened.

    Federal law officers labelled them "international cyber-bandits" who netted about 9 million over four years and "gave new meaning to the term false advertising". The crime has also confirmed a new word in web speak language, click jacking.

    12. Happy99

    Also known as Ska, the virus spread through email attachments. Once infected, animated fireworks and a Happy New Year message were shown.

    13. Creeper

    The Creeper virus would look for a machine on the network, transfer to it, and display the message "I'm the creeper, catch me if you can!"

    How does anti-virus software work?

    An anti-virus software program is a computer program that can be used to scan files to identify and eliminate computer viruses and other malicious software (malware).

    Anti-virus software typically uses two different techniques to accomplish this:

    • Examining files to look for known viruses by means of a virus dictionary

    • Identifying suspicious behavior from any computer program which might indicate infection

    Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.

    Virus dictionary approach

    In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that

    have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the

    dictionary, then the anti-virus software can then either delete the file, quarantine it so that the file is inaccessible to other

    programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file.

    To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.

    Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, and closes

    them; and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can

    also typically be scheduled to examine all files on the user's hard disk on a regular basis.

    Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by

    writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so

    as to not match the virus's signature in the dictionary.

    Suspicious behavior approach

    The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior

    of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior

    and the user is alerted to this, and asked what to do.

    Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has especially been made worse over the past 7 years, since many more nonmalicious program designs chose to modify other .exes without regard to this false positive issue. Thus, most modern anti-virus software uses this technique less and less.
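    The rule the text gives for the suspicious behavior approach ("one program tries to write data to an executable program") and the false-positive problem it runs into can both be seen on a small event stream. The Python below is an added example, not code from the original document or from any anti-virus product: it runs the raw rule over constructed file-operation telemetry, shows how an allowlist of known installers and updaters is what keeps the warning count down, and adds the stronger signal a file infector gives, namely one process writing into several different executables within a few seconds. The event format, process names, paths and thresholds are all this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

EXECUTABLE_EXTS = (".exe", ".com", ".dll", ".sys", ".scr")

# Processes allowed to modify executables (installers, updaters). This allowlist is the
# lever that decides how many warnings a user sees; constructed for the example.
TRUSTED_WRITERS = {"updater.exe", "msiexec.exe"}


@dataclass
class Event:
    ts: float       # seconds since monitoring started
    process: str    # image name of the process performing the operation
    op: str         # "open", "write" or "create"
    target: str     # path being touched


# Constructed sample telemetry (not real logs): a word processor saving a document,
# a legitimate updater patching its own program, and an unknown program that writes
# into four different executables within two seconds, the pattern of a file infector.
EVENTS = [
    Event(0.0, "winword.exe", "write", r"C:\Users\amy\report.docx"),
    Event(0.5, "updater.exe", "write", r"C:\Program Files\App\app.exe"),
    Event(1.0, "freegame.exe", "write", r"C:\Windows\notepad.exe"),
    Event(1.3, "freegame.exe", "write", r"C:\Windows\calc.exe"),
    Event(1.6, "freegame.exe", "write", r"C:\Program Files\App\app.exe"),
    Event(2.0, "freegame.exe", "create", r"C:\Users\amy\Downloads\helper.dll"),
    Event(3.0, "explorer.exe", "open", r"C:\Windows\calc.exe"),
]


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_EXTS)


def suspicious_writes(events, allowlist=TRUSTED_WRITERS):
    """The basic rule from the text: any write to an executable by a process not on the
    allowlist is flagged. Returns [(process, target), ...] in event order."""
    return [(e.process, e.target) for e in events
            if e.op in ("write", "create")
            and is_executable(e.target)
            and e.process.lower() not in allowlist]


def infector_candidates(events, threshold=3, window=5.0):
    """Stronger signal: processes that write to at least `threshold` distinct executables
    within any `window`-second span. Returns {process: number of distinct targets}."""
    per_proc = defaultdict(list)
    for e in events:
        if e.op in ("write", "create") and is_executable(e.target):
            per_proc[e.process.lower()].append((e.ts, e.target))
    hits = {}
    for proc, writes in per_proc.items():
        writes.sort()
        for start_ts, _ in writes:
            targets = {t for ts, t in writes if start_ts <= ts <= start_ts + window}
            if len(targets) >= threshold:
                hits[proc] = len(targets)
                break
    return hits


if __name__ == "__main__":
    print("per-write alerts:", suspicious_writes(EVENTS))
    print("without allowlist:", len(suspicious_writes(EVENTS, allowlist=set())), "alerts")
    print("file-infector pattern:", infector_candidates(EVENTS))
```

    Dropping the allowlist turns the updater's routine self-patch into one more warning, which is exactly the desensitisation problem the text describes; the rate-based rule, by contrast, stays quiet for the updater and fires only for the process touching many executables at once.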

    Other ways to detect viruses

    Some antivirus software will try to emulate the beginning of the code of each new executable that is being executed before transferring control to the executable. If the program seems to be using self-modifying code or otherwise appears as a virus (it immediately tries to find other executables), one could assume that the executable has been infected with a virus. However, this method results in a lot of false positives.

    Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.

    Issues of concern

    Macro viruses, arguably the most destructive and widespread computer viruses, could be prevented far more inexpensively

    and effectively, and without the need of all users to buy anti-virus software, if Microsoft would fix security flaws in Microsoft

    Outlook and Microsoft Office related to the execution of downloaded code and to the ability of document macros to spread

    and wreak havoc.

    User education is as important as anti-virus software; simply training users in safe computing practices, such as not downloading and executing unknown programs from the Internet, would slow the spread of viruses, without the need of anti-virus software.

    Computer users should not always run with administrator access to their own machine. If they would simply run in user mode

    then some types of viruses would not be able to spread.

    The dictionary approach to detecting viruses is often insufficient due to the continual creation of new viruses, yet the

    suspicious behavior approach is ineffective due to the false positive problem; hence, the current understanding of anti-virus

    software will never conquer computer viruses.

    There are various methods of encrypting and packing malicious software which will make even well-known viruses

    undetectable to anti-virus software. Detecting these "camouflaged" viruses requires a powerful unpacking engine, which can

    decrypt the files before examining them. Unfortunately, many popular anti-virus programs do not have this and thus are often

    unable to detect encrypted viruses.
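    The virus dictionary approach described earlier and the packing problem described just above are two halves of one mechanism, so the following Python is an added example covering both; it is not code from the original document or from any anti-virus product. A constructed, harmless byte string stands in for a known malicious body, and the dictionary holds the two kinds of entry a signature scanner matches on, a whole-file hash and a shorter byte pattern. A toy one-byte XOR packer stands in for the encryption and packing layers the text describes: every key produces a different file, so neither entry matches until an unpacking step peels the layer off and the scan is repeated. The stub format, names and verdict strings are this example's own.

```python
import hashlib

# Constructed sample "virus": a harmless byte string standing in for a known malicious
# body. The dictionary holds a whole-file hash entry and a shorter byte-pattern entry,
# the two kinds of signature a dictionary scanner matches on.
KNOWN_BODY = b"\x90\x90\xeb\x0e" + b"CONSTRUCTED-SAMPLE-MARKER" + b"\x00" * 8
DICTIONARY = {
    "hashes": {hashlib.sha256(KNOWN_BODY).hexdigest(): "Example.Constructed.A"},
    "patterns": {b"CONSTRUCTED-SAMPLE-MARKER": "Example.Constructed.A"},
}


def scan(data: bytes):
    """Dictionary scan: exact hash first, then byte patterns. Returns the name or None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in DICTIONARY["hashes"]:
        return DICTIONARY["hashes"][digest]
    for pattern, name in DICTIONARY["patterns"].items():
        if pattern in data:
            return name
    return None


# A toy packer standing in for the encryption/packing layers the text describes: the body
# is XOR-ed with a one-byte key behind a small stub that carries that key. Every key
# yields a different file, so neither the hash nor the pattern entry matches any more.
STUB_MAGIC = b"XORSTUB1"   # constructed stub marker, not any real packer's


def pack(body: bytes, key: int) -> bytes:
    assert 1 <= key <= 255, "key 0 would leave the body unchanged"
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def unpack(data: bytes):
    """One layer of the 'unpacking engine': recognise the stub and recover the body."""
    if not data.startswith(STUB_MAGIC) or len(data) <= len(STUB_MAGIC):
        return None
    key = data[len(STUB_MAGIC)]
    return bytes(b ^ key for b in data[len(STUB_MAGIC) + 1:])


def scan_with_unpacking(data: bytes, max_layers: int = 4):
    """Scan, and if nothing matches peel packer layers (up to max_layers) and rescan."""
    for _ in range(max_layers + 1):
        name = scan(data)
        if name is not None:
            return name
        data = unpack(data)
        if data is None:
            return None
    return None


def verdict(data: bytes) -> str:
    """The response options the text lists, reduced here to quarantine or allow."""
    name = scan_with_unpacking(data)
    return f"quarantine ({name})" if name else "allow"


if __name__ == "__main__":
    packed = pack(KNOWN_BODY, 0x5A)
    print("plain body, dictionary scan:", scan(KNOWN_BODY))
    print("packed, no unpacker:        ", scan(packed))
    print("packed, with unpacker:      ", scan_with_unpacking(packed))
    print("five keys, distinct files:  ", len({pack(KNOWN_BODY, k) for k in range(1, 6)}))
    print("double-packed verdict:      ", verdict(pack(pack(KNOWN_BODY, 3), 7)))
```

    A real unpacking engine has to recognise many packer formats and often resorts to emulating the stub until the decrypted body appears in memory, which is why the text calls it "powerful" and why scanners that lack one miss the packed copy of a virus they would otherwise catch.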

    Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the

    public to panic over the threat.