The following Slide Show contains Graphical information on VIRUSES. Viewer Discretion is advised.

Made By -: Abhyank 93, Akshit 105, Eijaz 119, Yohan 124

Hi!! I am a VIRUS!!


Computer viruses and how to prevent them


Page 2: Hi!! I am a VIRUS!!

COMPUTER VIRUSES

Page 3: Hi!! I am a VIRUS!!

Agenda

• Computer Virus Concept

• Analyze three common computer viruses

• Antivirus Technologies

• Company Policy Issues

• Conclusion

Page 4: Hi!! I am a VIRUS!!

Computer Virus Concept

• What is Computer Virus?

• Computer Virus Time Line

• Types of Computer Virus

• Virus Hoax

• How does a computer virus work?

Page 5: Hi!! I am a VIRUS!!

What is Computer Virus?

• Definition -- Virus: A self-replicating piece of computer code that can partially or fully attach itself to files or applications, and can cause your computer to do something you don't want it to do.

• Similarities between a biological virus (like "HIV") and a computer virus:

• Need a host for residence.

• Capable of self-replication.

• Cause damage to the host.

Page 6: Hi!! I am a VIRUS!!

Computer Virus Time Line

• 1949 - Theories for self-replicating programs were first developed.

• 1981 - Apple Viruses 1, 2, and 3 were some of the first viruses in public.

• 1988 – Jerusalem was detected. Activated every Friday the 13th, the virus affects both .EXE and .COM files and deletes any programs run on that day.

• 1991 - Tequila is the first widespread polymorphic virus found.

• 1999 - The Melissa virus, W97M/Melissa, executed a macro in a document attached to an email. Melissa spread faster than any other previous virus.

• 2000 - The Love Bug, also known as the ILOVEYOU virus, sent itself out via Outlook, much like Melissa.

• 2001 - The Code Red I and II worms attacked computer networks in July and August. They affected over 700,000 computers and caused upwards of 2 billion in damages.


Page 7: Hi!! I am a VIRUS!!

Types of Computer Virus

• Boot Sector Virus - Michelangelo

Boot sector viruses infect the boot sectors on floppy disks and hard disks, and can also infect the master boot record on a user's hard drive.

• File Infector Virus - CIH

Operate in memory and usually infect executable files.

• Multi-partite Virus

Multi-partite viruses have characteristics of both boot sector viruses and file infector viruses.

• Macro Virus - Melissa Macro Virus

They infect macro utilities that accompany such applications as Microsoft Word, Excel and Outlook.

Page 8: Hi!! I am a VIRUS!!

Types of Computer Virus - Continue

• Trojan / Trojan Horse – Back Orifice

A Trojan or Trojan Horse is a program that appears legitimate, but performs some malicious and illicit activity when it is run.

• Worm – Red Code

A worm is a program that spreads over a network. Unlike a virus, a worm does not attach itself to a host program. It uses up the computer's resources, modifies system settings and eventually brings the system down.

Worms are very similar to viruses in that they are computer programs that replicate themselves. The difference is that unlike viruses, worms exist as a separate small piece of code. They do not attach themselves to other files or programs.

• Other:

• Java - Java.StrangeBrew

• HTML virus - Usually takes advantage of scripting languages (VB Script). The script virus usually uses Web pages to reach the victims.

Page 9: Hi!! I am a VIRUS!!

Virus Hoax

• An untrue virus-related warning/alert started by malicious individuals. A hoax message, often in the form of electronic mail, can spread widely as people pass it on via the Internet.

• A hoax message does no direct harm to computers. Hoax messages make it harder for recipients to attend to real virus alerts and waste people's time in reading them.

• How to identify a hoax

• Hoaxes use complex technical descriptions and

• Hoaxes request recipients to pass on the message.

• Examples:

• Work Virus Hoax (keyword: a virus called "work"), Phantom Menace Virus Hoax (keyword: Virus Alert, Phantom Menace)

Page 10: Hi!! I am a VIRUS!!

Virus Characteristics

• Memory Resident: Loads much like a TSR, staying in memory where it can easily replicate itself into programs or boot sectors. Most common.

• Non-Resident: Does not stay in memory after the host program is closed, thus can only infect while the program is open. Not as common.

• Stealth: The ability to hide from detection and repair in two ways.

- Virus redirects disk reads to avoid detection.

- Disk directory data is altered to hide the additional bytes of the virus.


Page 11: Hi!! I am a VIRUS!!

Virus Characteristics (contd..)

• Encrypting: Technique of hiding by transformation. Virus code converts itself into cryptic symbols. However, in order to launch (execute) and spread, the virus must decrypt and can then be detected.

• Polymorphic: Ability to change code segments to look different from one infection to another. This type of virus is a challenge for anti-virus detection methods.

• Triggered Event: An action built into a virus that is triggered by the date, a particular keyboard action or DOS function. It could be as simple as a message printed to the screen or as serious as reformatting the hard drive or deleting files.

• In the Wild: A virus is referred to as "in the wild" if it has been verified by groups that track virus infections to have caused an infection outside a laboratory situation. A virus that has never been seen in a real world situation is not in the wild, and is sometimes referred to as "in the zoo".

Page 12: Hi!! I am a VIRUS!!

How does computer virus work?

• The Basic Rule: A virus is inactive until the infected program is run or boot record is read. As the virus is activated, it loads into the computer's memory where it can spread itself.

• Boot Infectors: If the boot code on the drive is infected, the virus will be loaded into memory on every startup. From memory, the boot virus can travel to every disk that is read and the infection spreads.

• Program Infectors: When an infected application is run, the virus activates and is loaded into memory. While the virus is in memory, any program file subsequently run becomes infected.

Page 13: Hi!! I am a VIRUS!!

Analyze three common computer viruses

• CIH

• Macro Virus

• ILOVEYOU

Page 14: Hi!! I am a VIRUS!!

CIH

• Type: Resident, EXE-files

• Origin: Taiwan

• History: The CIH virus was first located in Taiwan in early June 1998. After that, it has been confirmed to be in the wild worldwide. It has been among the ten most common viruses for several months.

• Infects Windows 95 and 98 EXE files, but it does not work under Windows NT.

• After an infected EXE is executed, the virus will stay in memory and will infect other programs as they are accessed.


Page 15: Hi!! I am a VIRUS!!

CIH - Continue

• BIOS Attack !!!

• Attempts to overwrite the BIOS on Pentium PCs that have flashable BIOS PROMS.

• If the PC is infected, it will be unbootable (even from diskette) after this attack and the BIOS chip will need to be replaced or reprogrammed by the vendor or an outside source.

• The PC can't be booted even after the chip is reflashed (reprogrammed) normally, because the virus overwrites the first 2048 sectors of your hard disk, further making your PC unbootable (this works on almost all PCs). But the disk can be made bootable and restored from a backup.

• Four Variants

• CIH v1.2 (CIH.1003): Activates on April 26th.

• CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th.

• CIH v1.4 (CIH.1019): Activates on 26th of every month.

Page 16: Hi!! I am a VIRUS!!

CIH - Continue

• How to prevent?

If your PC has a flash BIOS write protect jumper on the motherboard, you can put it in the write-protect position to prevent CIH from overwriting your BIOS.

Page 17: Hi!! I am a VIRUS!!

Macro Virus

• What is Macro virus

• A type of computer virus that is encoded as a macro embedded in a document.

• According to some estimates, 75% of all viruses today are macro viruses.

• Once a macro virus gets onto your machine, it can embed itself in all future documents you create with the application.

• In many cases macro viruses cause no damage to data; but in some cases malicious macros have been written that can damage your work.

• The first macro virus was discovered in the summer of 1995. Since that time, other macro viruses have appeared.


Page 18: Hi!! I am a VIRUS!!

Macro Virus

• How does it spread?

• When you share the file with another user, the attached macro or script goes with the file. Most macro viruses are designed to run, or attack, when you first open the file. If the file is opened in its related application, the macro virus is executed and infects other documents.

• The infection process of the macro virus can be triggered by opening a Microsoft Office document or even the Office application itself, like Word or Excel. The virus can attempt to avoid detection by changing or disabling the built-in macro warnings, or by removing menu commands.

• For Word, after a macro virus triggers, it usually copies itself to Normal.dot, which is the template that Word loads with every file. From there, it can copy itself to every file that you open or create.

Page 19: Hi!! I am a VIRUS!!

Macro Virus

• How to prevent?

In your Office programs, make sure that you have macro virus protection turned on.

1. On the Tools menu, click Options.

2. On the General tab, select the Macro virus protection check box.

3. If you have turned on macro virus protection, each time you want to open a document with macros, the Macro Virus Protection dialog box appears and gives you three choices.

• Disable Macros

• Enable Macros

• Do Not Open 


Page 20: Hi!! I am a VIRUS!!

Selection Group

Page 21: Hi!! I am a VIRUS!!

ILOVEYOU


• VBS/LoveLetter is a VBScript worm. It spreads through e-mail as a chain letter.

• The latest is VBS.LoveLetter.CN. Virus definitions dated May 31, 2007.

• 82 variants of this worm.

• This worm sends itself to email addresses in the Microsoft Outlook address book and also spreads to Internet chatrooms.

• This worm overwrites files on local and remote drives, including files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp, .c, .h, .swd, .psd, .wri, .mp3, and .mp2.

• The contents of most of these files are replaced with the source code of the worm, destroying the original contents. The worm also appends the .vbs extension to each of these files. For example, image.jpg becomes image.jpg.vbs.

Page 22: Hi!! I am a VIRUS!!

ILOVEYOU


• Damage

• Large scale e-mailing: Sends itself to all addresses in the Microsoft Outlook Address Book

• Modifies files: Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2. Files with extensions of .mp2 and .mp3 will be hidden from the user by setting the hidden directory attribute. Variant G also overwrites .bat and .com files.

• Degrades performance: Might create a lot of traffic to the email server

Page 23: Hi!! I am a VIRUS!!

ILOVEYOU


• Distribution

• Subject of email: ILOVEYOU

• Name of attachment: Love-letter-for-you.txt.vbs

• Size of attachment: 10,307 bytes

• Inside the mail is a short text message saying "Kindly check the attached LOVELETTER coming from me" and an attachment named LOVE-LETTER-FOR-YOU.txt.vbs. This is the virus body.

• It's important to note that the virus cannot run by itself. In order for it to run, the recipient must open the mail, launch the attachment by double-clicking on it, and answer "yes" to a dialogue that warns of the dangers of running untrusted programs. (Microsoft)

Page 24: Hi!! I am a VIRUS!!

ILOVEYOU

• How to prevent?

• Do not launch attachments in emails from unknown sources!

• Uninstall the Windows Script Host.

Check http://www.sarc.com/avcenter/venc/data/win.script.hosting.html for more information
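One way a mail filter can act on the attachment name described above, as an added Python example that is not part of the original slides: it flags attachments whose final extension is a script or program type, and separately those that hide it behind a harmless-looking one such as .txt. The extension sets, function names and the sample message are assumptions constructed for the example.

```python
from email import message_from_string
from email.message import EmailMessage

# Assumed lists for this example: extensions Windows runs, and extensions users read as data.
RUNNABLE = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".com", ".exe", ".scr", ".pif"}
DECOY = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".xls", ".htm", ".html", ".mp3", ".wav"}


def split_ext(name):
    """Split at the last dot; unlike os.path.splitext, '.vbs' yields ('', '.vbs')."""
    dot = name.rfind(".")
    return (name[:dot], name[dot:]) if dot != -1 else (name, "")


def classify_attachment(filename):
    """Return 'double-extension', 'script' or 'ok' for one attachment name."""
    # Windows ignores trailing dots and spaces in file names, so strip them first.
    name = filename.strip().rstrip(". ").lower()
    stem, last = split_ext(name)
    if last not in RUNNABLE:
        return "ok"
    # Padding such as "photo.jpg      .vbs" pushes the real extension out of view.
    _, previous = split_ext(stem.rstrip())
    return "double-extension" if previous in DECOY else "script"


def scan_message(raw):
    """List (filename, verdict) for every named part of a raw RFC 822 message."""
    findings = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename:
            findings.append((filename, classify_attachment(filename)))
    return findings


def build_sample():
    """Constructed message shaped like the mail described on the Distribution slide."""
    msg = EmailMessage()
    msg["Subject"] = "ILOVEYOU"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("Kindly check the attached LOVELETTER coming from me")
    # Inert placeholder bytes stand in for the attachment body.
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.txt.vbs")
    msg.add_attachment("meeting minutes", filename="minutes.txt")
    return msg.as_string()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```
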

Page 25: Hi!! I am a VIRUS!!

Antivirus Technologies • How to detect virus?

• How to clean virus?

• Best Practices

Page 26: Hi!! I am a VIRUS!!

How to detect virus?

• Some Symptoms

• Program takes longer to load.

• The program size keeps changing.

• When you run CHKDSK, it doesn't show 655360 bytes available.

• Keep getting 32 bit errors in Windows.

• The drive light keeps flashing when you are not doing anything.

• User created files have strange names.

• The computer doesn't remember CMOS settings.


Page 27: Hi!! I am a VIRUS!!

How to detect virus?

• Check for any change in the memory map or configuration as soon as you start the computer in command mode. (If you don’t have antivirus software)

• In MSDOS Prompt: Type in Chkdsk

• Check:


CHKDSK has NOT checked this drive for errors.

You must use SCANDISK to detect and fix errors on this drive.

Volume DATA created 01-04-2001 2:56p

Volume Serial Number is 1CFA-2864

6,822,284 kilobytes total disk space

2,206,920 kilobytes free

4,096 bytes in each allocation unit

1,705,571 total allocation units on disk

551,730 available allocation units on disk

655,360 total bytes memory

602,160 bytes free

Page 28: Hi!! I am a VIRUS!!

Start your computer in command prompt. In MSDOS Prompt: Type in MEM /C.


Memory Summary:

Type of Memory          Total         Used         Free
----------------  -----------  -----------  -----------
Conventional          655,360       53,168      602,192
Upper                       0            0            0
Reserved              393,216      393,216            0
Extended (XMS)     66,060,288            ?  267,128,832
----------------  -----------  -----------  -----------
Total memory       67,108,864            ?  267,731,024

Total under 1 MB      655,360       53,168      602,192

Total Expanded (EMS)                 67,108,864 (64M)
Free Expanded (EMS)                  16,777,216 (16M)

Largest executable program size         602,160 (588K)
Largest free upper memory block               0 (0K)

Page 29: Hi!! I am a VIRUS!!

How to detect virus?

• Integrity checkers or modification detectors.

These tools compute a small "checksum" or "hash value" (usually CRC or cryptographic) for files when they are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified. This catches unknown viruses as well as known ones and thus provides generic detection.

• Use Debug Or Other Tools to check FAT Table, MBR and partition on your system.

• Use Antivirus Software to scan the computer memory and disks.


Page 30: Hi!! I am a VIRUS!!

How to clean virus?

• All activities on the infected machine should be stopped and it should be detached from the network.

• Recovering from backup is the most secure and effective way to recover the system and files.

• In some cases, you may recover the boot sector, partition table and even the BIOS data using the emergency recovery disk.

• In case you do not have the latest backup of your files, you may try to remove the virus using anti-virus software.


Page 31: Hi!! I am a VIRUS!!

How to clean virus?

The steps to reinstall the whole system –

1. Reboot the PC using a clean startup disk.

2. Type in FDISK/MBR to rewrite the Master Boot Record.

3. Use FDISK to recreate partitions (Optional)

4. Format DOS partitions.

5. Reinstall Windows98 or Windows2K and other applications.

6. Install Antivirus Software and apply the latest virus definition data.


Page 32: Hi!! I am a VIRUS!!

• Best Practices

• Regular Backup

Back up your programs and data regularly. Recovering from backup is the most secure way to restore the files after a virus attack.

• Install Anti-virus Software

Install anti-virus software to protect your machine and make sure that an up-to-date virus definition file has been applied.

• Daily Virus Scan

Schedule a daily scan to check for viruses. The scheduled scan could be done in non-peak hours, such as during the lunch break or after office hours.

• Check Downloaded Files And Email Attachments

Do not execute any download or attachment unless you are sure what it will do.

Page 33: Hi!! I am a VIRUS!!

• Resources

• Antivirus Software

• McAfee Virus Scan

• F-Secure

• Symantec

• Trend Micro

• Shareware, www.grisoft.com

• Free Virus Tool, http://www.antivirus.com/free_tools/


Page 34: Hi!! I am a VIRUS!!

Company Policy Issues

1. Education

2. Updating

3. Warning

4. Technical Support

5. Reporting

Page 35: Hi!! I am a VIRUS!!

Kaspersky Lab’s classification system divides malicious programs into three classes:

•TrojWare: this class includes a range of malicious programs which cannot replicate independently (backdoors, rootkits and all types of Trojan);

•VirWare: self-replicating malicious programs (viruses and worms);

•MalWare: programs which are used by malicious users to create malicious programs and organize attacks.

Page 36: Hi!! I am a VIRUS!!

[Chart: average number of new malicious programs per month, by class: TrojWare, VirWare, MalWare]

Page 37: Hi!! I am a VIRUS!!

The chart below shows the number of new VirWare programs detected by Kaspersky Lab analysts each month:

[Chart; annotation: DECLINE PHASE]

Page 38: Hi!! I am a VIRUS!!

The pie chart below shows a breakdown of different subgroups in the VirWare category:

[Pie chart legend: E-mail Worm, IM-Worm, IRC-Worm, NET-Worm, P2P-Worm, Worms, Virus]

Page 39: Hi!! I am a VIRUS!!

Antivirus databases

Kaspersky Lab has shortened its response time to the growing number and increasing speed of new threats by releasing an increased number of antivirus database updates.

Page 40: Hi!! I am a VIRUS!!

Forecast

In light of all of the trends and events described above, we expect that in 2009 virus writers will continue to concentrate their efforts on various types of Trojans used to steal personal information.

Attacks will largely be focused on the users of various banking and payment systems in addition to online gamers.

Virus writers and spammers will continue to pool their efforts; this symbiotic relationship will lead to the use of infected computers both for organizing epidemics and attacks, and for sending spam.

Page 41: Hi!! I am a VIRUS!!

Computer virus goes into orbit

August 28, 2008, 8:23 am AFP ©

SAN FRANCISCO (AFP) - NASA confirmed on Wednesday that a computer virus sneaked aboard the International Space Station only to be tossed into quarantine on July 25 by security software.

A "worm type" virus was found on laptop computers that astronauts use to send and receive email from the station by relaying messages through a mission control center in Texas, according to NASA spokesman Kelly Humphries.

The virus is reported to be malicious software that logs keystrokes in order to steal passwords or other sensitive data by sending the information to hackers via the Internet. The laptop computers are not linked to any of the space station's control systems or the Internet.

Page 42: Hi!! I am a VIRUS!!

Conclusion

• Be careful when using new software and files

• Be alert for virus activities

• Be calm when virus attacks

• And all will be fine!

SO REMEMBER………

Page 43: Hi!! I am a VIRUS!!

EVERYTHING THAT

HAS A BEGINNING…

HAS AN END.

VIRUSES RELOADED

Page 44: Hi!! I am a VIRUS!!

ANY SMART QUESTIONS ??

Page 45: Hi!! I am a VIRUS!!

Reference:

• http://www.cnn.com/2000/TECH/computing/10/23/virus.works.idg/

• http://www.itsd.gov.hk/itsd/virus/general/whatis.htm

• http://www.infoplease.com/spot/virustime1.html

• http://www.itsd.gov.hk/itsd/virus/general/type.htm

• http://www.itsd.gov.hk/itsd/virus/hoax/hoax.htm

• http://www.cai.com/virusinfo/faq.htm#how_virus

• http://www.europe.f-secure.com/v-descs/cih.shtml

• http://www.stiller.com/cih.htm

• http://www.webopedia.com/TERM/M/macro_virus.html

• http://office.microsoft.com/Assistance/9798/whtsvrus.aspx

Page 46: Hi!! I am a VIRUS!!

Reference:

• http://www.cai.com/virusinfo/faq.htm

• http://www.itsd.gov.hk/itsd/virus/general/detectvirus.htm

• http://www.itsd.gov.hk/itsd/virus/general/cleanvirus.htm

• http://www.itsd.gov.hk/itsd/virus/guide/guide.htm

• http://kb.indiana.edu/data/aehm.html

• http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html

• http://www.data-fellows.com/v-descs/love.shtml

• http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet.asp