virus proof
7/27/2019 Virus Proof
VIRUS
In computers, a virus is a program or programming code that replicates by being copied or initiating its copying to
another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note
or in a downloaded file, or be present on a diskette or CD. The immediate source of the e-mail note, downloaded
file, or diskette you've received is usually unaware that it contains a virus. Some viruses wreak their effect as soon
as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the
computer. Some viruses are benign or playful in intent and effect ("Happy Birthday, Ludwig!") and some can be
quite harmful, erasing data or causing your hard disk to require reformatting. A virus that replicates itself by
resending itself as an e-mail attachment or as part of a network message is known as a worm.
File Viruses (Parasitic Viruses)
File viruses are pieces of code that attach themselves to executable files, driver files or compressed files, and are
activated when the host program is run. Some file infector viruses attach themselves to program files, usually
selected .COM or .EXE files. Some can infect any program for which execution is requested, including .SYS, .OVL,
.PRG, and .MNU files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as
wholly-contained programs or scripts sent as an attachment to an e-mail note.
Boot Sector Viruses
A boot sector virus affects the boot sector of a hard disk, which is a very crucial part. The boot sector is where all
information about the drive is stored, along with a program that makes it possible for the operating system to boot
up. By inserting its code into the boot sector, a virus guarantees that it loads into memory during every boot
sequence.
A boot virus does not affect files; instead, it affects the disks that contain them. Perhaps this is the reason for their
downfall. During the days when programs were carried around on floppies, the boot sector viruses used to spread
like wildfire. However, with the CD-ROM revolution, it became impossible to infect pre-written data on a CD, which
eventually stopped such viruses from spreading.
Multipartite Viruses
Multipartite viruses are a combination of boot sector viruses and file viruses. These viruses come in through
infected media and reside in memory. They then move on to the boot sector of the hard drive. From there, the
virus infects executable files on the hard drive and spreads across the system.
Macro Viruses
Macro viruses infect files that are created using certain applications or programs that contain macros. These
include Microsoft Office documents such as Word documents, Excel spreadsheets, PowerPoint presentations,
Access databases, and other similar application files such as Corel Draw, AmiPro, etc.
Since macro viruses are written in the language of the application, and not in that of the operating system, they are
known to be platform-independent: they can spread between Windows, Mac, and any other system, so long as
they're running the required application. With the ever-increasing capabilities of macro languages in applications,
and the possibility of infections spreading over networks, these viruses are major threats.
The first macro virus was written for Microsoft Word and was discovered back in August 1995. Today, there are
thousands of macro viruses in existence; some examples are Relax, Melissa.A and Bablas.
Network Viruses
This kind of virus is proficient in quickly spreading across a Local Area Network (LAN) or even over the Internet.
E-mail Viruses
An e-mail virus travels as an attachment to e-mail messages, and usually replicates itself by automatically mailing
itself to dozens of people in the victim's e-mail address book. Some e-mail viruses don't even require a double-click;
they launch when you view the infected message in the preview pane of your e-mail software.
One of the most common and destructive e-mail viruses is the ILOVEYOU virus.
Other Malicious Software
Trojan Horses: The biggest difference between a Trojan horse, or Trojan, and a virus is that Trojans don't spread
themselves. Trojan horses disguise themselves as useful software available for download on the Internet, and naive
users download and run them only to realise their mistake later.
Remote Access Trojans: These are the most commonly available Trojans. These give an attacker complete control
over the victim's computer. The attacker can go through the files and access any personal information about the
user that may be stored in the files, such as credit card numbers, passwords, and important financial documents.
Password-sending Trojans: The purpose of such Trojans is to copy all cached passwords and look for other
passwords as you enter them, and send them to a specific mail address without the user's knowledge. Passwords for
restricted Web sites, messaging services, FTP services and e-mail services come under direct threat with this kind of
Trojan.
Keyloggers: These log the victim's keystrokes and then send the logs to the attacker. The attacker then searches for
passwords or other sensitive data in the log files. Most of them come with two functions, online and offline
recording. Of course, they can be configured to send the log file to a specific e-mail address on a daily basis.
Destructive: The only function of these Trojans is to destroy and delete files. They can automatically delete all the
core system files on your machine. The Trojan could be controlled by the attacker or could be programmed to
strike like a logic bomb, starting on a specific day or at a specific hour.
Denial of Service (DoS) Attack Trojans: The main idea behind this kind of Trojan is to generate a lot of Net traffic
on the victim's machine, to the extent that the Internet connection is too overloaded to let the user visit a Web site
or download anything. Another variation of a DoS Trojan is the mail-bomb Trojan, whose main aim is to infect as
many machines as possible and simultaneously attack specific e-mail addresses with random subjects and contents
that cannot be filtered.
Proxy/Wingate Trojans: These types of Trojan turn the victim's computer into a proxy/wingate server. That way,
the infected computer is available to the whole world to be used for anonymous access to various risky Internet
services. The attacker can register domains or access pornographic Web sites with stolen credit cards or do similar
illegal activities without being traced.
Worm: A worm is a small piece of software that uses computer networks and security holes to replicate itself. A
copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the
new machine using the security hole, and then starts replicating from there, as well.
The main difference between viruses and worms is the method in which they reproduce and spread. A virus is
dependent upon a host file or boot sector, and the transfer of files between machines to spread, while a worm can
run completely independently and spread of its own accord through network connections.
COMMON SYMPTOMS
Your computer always stops responding when you try to use certain software. This could also take place due to corruption of an essential file required by that software.
You received an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear, or a sudden degradation in system performance occurs.
There is a double extension on an attachment that you recently opened, such as .jpg.vbs or .gif.exe.
An anti-virus program is disabled for no reason and it cannot be restarted. The computer may not allow re-installation of the anti-virus.
Strange dialog boxes or message boxes appear on the screen.
Someone tells you that they have recently received e-mail messages from you containing infected attached files, and you are sure you never sent any such mails.
New icons that you did not place on the Desktop appear, and are not associated with any recently installed programs.
Strange sounds or music plays from your speakers unexpectedly.
A program disappears from the computer, and you didn't uninstall it.
Windows will not start because certain critical system files are missing, and you receive error messages listing those files.
The computer starts as expected some of the time, but at other times stops responding before the desktop icons and taskbar appear.
The computer runs very slowly and it takes a long time to start.
Out-of-memory error messages appear, even though your computer has plenty of RAM.
New programs do not install properly.
Windows restarts unexpectedly.
Programs that used to run now stop responding frequently. If you try to remove and reinstall the software, the issue continues to occur.
A partition completely disappears.
Most Infamous Viruses
1. The Melissa Virus
This came in 1999, when David L Smith created a virus based on a Microsoft Word macro, spread through email. CNN said it
was named after an exotic dancer from Florida. Once opened, it replicated itself to the people in the recipient's address book.
The FBI reported it as wreaking havoc on government and private sector networks. Smith got 20 months in jail and was fined $5000.
2. ILOVE YOU
In 2000 a new digital threat was born in the Philippines. It was a worm, disguised as a love letter email, with a fatal
attachment, in vbs (visual basic scripting). Onel de Guzman was investigated but not prosecuted through lack of evidence, and
never admitted his complicity. It is thought it did damage to the tune of $10 billion.
McAfee described the attack targets:
It copied itself several times and hid the copies in several folders on the victim's hard drive.
It added new files to the victim's registry keys.
It replaced several different kinds of files with copies of itself.
It sent itself through Internet Relay Chat clients as well as e-mail.
It downloaded a file called WIN-BUGSFIX.EXE from the Internet and executed it. Rather than fix bugs, this program was a password-stealing application that e-mailed secret information to the hacker's e-mail address.
3. The Klez virus
This one appeared first in 2001 and, like its predecessors, infected through emails and then replicated. Some versions carried
other programs that destroyed computers, acting as a virus, a worm or a Trojan horse. Symantec said it could even disable
virus-scanning software and pose as a virus-removal tool.
Once it gathered momentum, some hackers adapted it so it was more deadly. It ransacked address books and created
spoofed emails, messages that appeared to come from sources different from the one shown in the From box. Klez could be programmed to spam recipients
with multiple emails.
4. The Code Red and Code Red II Worms
These menaces took advantage of a vulnerability in machines running Windows 2000 and Windows NT: memory
could be overwritten when buffers were overloaded. The White House was the highest-profile victim, when all
machines were overloaded.
The worm makes a backdoor into the computer's system (a system-level compromise) to allow the person who put in the bug
to operate it. Infected machines obey instructions from that source. Crimes can be committed this way.
The worm was named the .ida Code Red worm because Code Red Mountain Dew was what they were drinking at the time.
5. Nimda Virus
From 2001, Nimda (admin spelt backwards) was the fastest, most ruthless replicating attack up to that time, taking, according
to some estimates, about 20 minutes from being released on the internet to the top attack reported.
Whatever access a computer's user had on any network, the worm operator had the same. It slowed the entire web to a crawl;
many systems crashed entirely.
6. SQL Slammer/Sapphire
In 2003 the Slammer virus also known as Sapphire hit the net, doubling its infections every few seconds. Within a quarter of an
hour, half of the internet servers were hit. Bank of America, the City of Seattle and Continental Airlines were among the high
profile US victims. Total damage was in the region of a billion dollars.
Anti-attack devisers realised that hackers will always exploit any weakness in any system, so there is no foolproof defence.
7. MyDoom
As ominous as its name (also Novarg), this one had two triggers. One caused a denial of service (DoS) attack in 2004 and the
second ordered it to stop distributing itself eleven days later. By then enough backdoors had been opened for the virus to remain potent.
Months later a second outbreak was aimed mainly at clogging search engines. It shared with Klez an ability to spoof emails.
8. Sasser and Netsky
Unusually, authorities were able to track this pair of worms. 17 year old German, Sven Jaschan, repeated some codes in both.
Sasser attacked through a Microsoft Windows weakness, scanning for random IP addresses. Netsky went through emails with
spoofs, causing DoS attacks through huge volumes of traffic.
Svenson escaped prison, getting twenty months on probation as he was a minor when arrested.
9. Leap-A/Oompa-A Virus
In general, most Mac users feel relatively relaxed about the safety of their machines. Because Apple produces both hardware
and software, the systems are closed or obscure. There are also fewer Macs than PCs, so hackers don't have such a big target
to hit.
However, in 2006 hackers got in through the iChat instant messaging program with a corrupted file that looked like an innocent
JPEG image. As Macs become more common, there will be more attacks on their integrity.
10. Storm Worm
This virus was named after the fact that an email message carrying it was headed "230 dead as storm batters Europe". Fake
headings about current news are what trick most users into opening the dangerous email. As there was already a 2001
W32.Storm.Worm virus, companies like McAfee called it Nuwar and Symantec called it Peacomm.
Whatever it's called, it's a Trojan horse in several different forms. The persons behind it can control infected computers, which
behave like zombies or bots. It can create a botnet to send mass spam.
11. Click Jacking
Operation Ghost Click was the FBI's code name for a two-year investigation (2009-2011) that has just caught six Estonians (a
Russian has not yet been caught). They ran a network of more than 4 million infected computers in 100 countries that
rerouted users from big-name websites like Amazon and Apple iTunes to sites that were pure advertising. The gang received a
referral fee every time it happened.
Federal law officers labelled them international cyber-bandits who netted about 9 million over four years and gave new meaning
to the term "false advertising". The crime has also confirmed a new word in web-speak, "click jacking".
12. Happy99
Also known as Ska, the virus spread through email attachments. Once a machine was infected, animated fireworks and a "Happy New Year" message were shown.
13. Creeper
The Creeper virus would look for a machine on the network, transfer to it, and display the message "I'm the creeper, catch me
if you can!"
How does anti-virus software work?
An anti-virus software program is a computer program that can be used to scan files to identify and eliminate computer
viruses and other malicious software (malware).
Anti-virus software typically uses two different techniques to accomplish this:
Examining files to look for known viruses by means of a virus dictionary
Identifying suspicious behavior from any computer program which might indicate infection
Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.
Virus dictionary approach
In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that
have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the
dictionary, then the anti-virus software can either delete the file, quarantine it so that the file is inaccessible to other
programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file.
To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated
virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send
their infected files to the authors of anti-virus software, who then include information about the new viruses in their
dictionaries.
Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, and closes
them; and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can
also typically be scheduled to examine all files on the user's hard disk on a regular basis.
Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by
writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so
as to not match the virus's signature in the dictionary.
Suspicious behavior approach
The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior
of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior
and the user is alerted to this, and asked what to do.
Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses
that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably
become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is
obviously useless to that user. This problem has especially been made worse over the past 7 years, since many more
non-malicious program designs chose to modify other .exes without regard to this false positive issue. Thus, most modern
anti-virus software uses this technique less and less.
Other ways to detect viruses
Some anti-virus software will try to emulate the beginning of the code of each new executable that is being executed before
transferring control to the executable. If the program seems to be using self-modifying code or otherwise behaves like a virus (it
immediately tries to find other executables), one could assume that the executable has been infected with a virus. However,
this method results in a lot of false positives.
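As an added example (not code from the page, and not from any anti-virus product), the following Python toy runs the suspicious-behaviour rule from the previous section and the "tries to find other executables" heuristic above over a constructed set of file-write events. The naive rule prompts on every write into an executable, which is the false-positive problem the text describes; a scored variant that skips an assumed allowlist of accepted installers and looks for a process touching several distinct executables (or carrying a double extension from the symptoms list) prompts far less. Process names, paths and the allowlist are all constructed for the demo.

```python
from collections import defaultdict

# File extensions the monitor treats as program files. The page names .COM,
# .EXE, .SYS, .OVL, .PRG and .MNU as infectable; .dll is added for realism.
EXECUTABLE_EXTS = {"exe", "com", "sys", "ovl", "prg", "mnu", "dll"}

# Constructed sample of file-write events as (writing process, target path).
# setup.exe and updater.exe play legitimate installers; "photo.jpg.exe" plays
# a worm-like program that rewrites several other executables.
SAMPLE_EVENTS = [
    ("setup.exe", r"C:\Program Files\App\app.exe"),
    ("setup.exe", r"C:\Program Files\App\helper.dll"),
    ("updater.exe", r"C:\Program Files\Browser\browser.exe"),
    ("notepad.exe", r"C:\Users\alice\notes.txt"),
    ("photo.jpg.exe", r"C:\Windows\notepad.exe"),
    ("photo.jpg.exe", r"C:\Windows\calc.exe"),
    ("photo.jpg.exe", r"C:\Program Files\App\app.exe"),
    ("photo.jpg.exe", r"C:\Users\alice\AppData\Local\Temp\copy.exe"),
]

# Installers/updaters the user has already accepted (assumed allowlist).
TRUSTED_UPDATERS = frozenset({"setup.exe", "updater.exe"})


def file_extension(path: str) -> str:
    """Extension of the last path component, lower-cased; '' if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_executable(path: str) -> bool:
    return file_extension(path) in EXECUTABLE_EXTS


def has_double_extension(name: str) -> bool:
    """The 'photo.jpg.exe' symptom: a benign-looking extension in front of the real one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS


def naive_alerts(events):
    """The page's basic rule: any write into an executable prompts the user.
    Each element of the returned list is one prompt the user would see."""
    return [(proc, path) for proc, path in events if is_executable(path)]


def scored_alerts(events, trusted=frozenset(), threshold=3):
    """Refined rule: skip trusted installers, then flag a process that writes
    into several distinct executables (the 'looks for other executables'
    heuristic) or whose own name carries a double extension."""
    targets = defaultdict(set)
    for proc, path in events:
        if proc in trusted or not is_executable(path):
            continue
        targets[proc].add(path.lower())
    return {proc: len(paths) for proc, paths in targets.items()
            if len(paths) >= threshold or has_double_extension(proc)}


if __name__ == "__main__":
    print("naive prompts:", len(naive_alerts(SAMPLE_EVENTS)))
    print("scored, threshold 2, no allowlist:", scored_alerts(SAMPLE_EVENTS, threshold=2))
    print("scored, threshold 2, allowlist:", scored_alerts(SAMPLE_EVENTS, TRUSTED_UPDATERS, 2))
```

With the sample events the naive rule raises seven prompts, while the scored rule with the allowlist raises one, for the process that rewrote four distinct executables.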
Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this
simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of
performance issues this type of detection is normally only performed during on-demand scans.
Issues of concern
Macro viruses, arguably the most destructive and widespread computer viruses, could be prevented far more inexpensively
and effectively, and without the need of all users to buy anti-virus software, if Microsoft would fix security flaws in Microsoft
Outlook and Microsoft Office related to the execution of downloaded code and to the ability of document macros to spread
and wreak havoc.
User education is as important as anti-virus software; simply training users in safe computing practices, such as not
downloading and executing unknown programs from the Internet, would slow the spread of viruses, without the need of anti-
virus software.
Computer users should not always run with administrator access to their own machine. If they would simply run in user mode
then some types of viruses would not be able to spread.
The dictionary approach to detecting viruses is often insufficient due to the continual creation of new viruses, yet the
suspicious behavior approach is ineffective due to the false positive problem; hence, the current understanding of anti-virus
software will never conquer computer viruses.
There are various methods of encrypting and packing malicious software which will make even well-known viruses
undetectable to anti-virus software. Detecting these "camouflaged" viruses requires a powerful unpacking engine, which can
decrypt the files before examining them. Unfortunately, many popular anti-virus programs do not have this and thus are often
unable to detect encrypted viruses.
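As an added example (not code from the page or from any anti-virus product), the following Python toy shows the virus dictionary approach described earlier and the unpacking step this paragraph calls for: a constructed signature dictionary, one whole-file hash entry, a byte-pattern scan, a single-byte-XOR "unpacking engine" that recovers a packed variant the plain scan misses, and the crude repair of cutting the matched code out of the file. The file contents, detection names and marker strings are all constructed for the demo and are not signatures of any real malware.

```python
import hashlib

# Constructed virus dictionary for this demo: detection name -> byte pattern.
# The patterns are made-up marker strings, not signatures of any real malware.
SIGNATURE_DICTIONARY = {
    "Demo.Marker.A": b"DEMO-MARKER-A-PAYLOAD",
    "Demo.Marker.B": b"DEMO-MARKER-B-PAYLOAD",
}


def xor_with_key(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used both to build the packed sample and to undo it."""
    return bytes(b ^ key for b in data)


# Constructed sample files. The packed variant stores the same marker
# XOR-encoded with key 0x5A, standing in for a polymorphic/encrypted virus.
CLEAN_FILE = b"MZ\x90\x00 ordinary program bytes, nothing suspicious here"
INFECTED_FILE = b"MZ\x90\x00 host program bytes " + b"DEMO-MARKER-A-PAYLOAD" + b" trailer"
PACKED_FILE = b"MZ\x90\x00 decoder stub " + xor_with_key(b"DEMO-MARKER-A-PAYLOAD", 0x5A)

# Exact whole-file hash entry: the most brittle kind of signature.
KNOWN_FILE_HASHES = {hashlib.sha256(INFECTED_FILE).hexdigest(): "Demo.Marker.A.file"}


def scan_bytes(data: bytes) -> list:
    """Dictionary scan: exact file hash first, then byte-pattern search."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_FILE_HASHES:
        hits.append(KNOWN_FILE_HASHES[digest])
    for name, pattern in SIGNATURE_DICTIONARY.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_with_unpacking(data: bytes) -> list:
    """Plain scan, then retry after undoing every single-byte XOR key.
    A toy stand-in for the unpacking engine the text describes."""
    hits = scan_bytes(data)
    if hits:
        return hits
    for key in range(1, 256):
        decoded = xor_with_key(data, key)
        for name, pattern in SIGNATURE_DICTIONARY.items():
            if pattern in decoded:
                hits.append(f"{name} (packed, XOR key 0x{key:02x})")
        if hits:
            break
    return hits


def repair_bytes(data: bytes) -> bytes:
    """Crude 'repair': cut every known pattern out of the file and keep the rest."""
    for pattern in SIGNATURE_DICTIONARY.values():
        data = data.replace(pattern, b"")
    return data


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE), ("packed", PACKED_FILE)]:
        print(f"{label:9} plain={scan_bytes(sample)} unpacking={scan_with_unpacking(sample)}")
    print("infected + 1 byte:", scan_bytes(INFECTED_FILE + b"\x00"))
    print("after repair:", scan_bytes(repair_bytes(INFECTED_FILE)))
```

Appending a single byte to the infected sample already defeats the whole-file hash while the pattern still matches; the packed sample defeats both until the scanner tries decoding first.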
Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the
public to panic over the threat.