Multipartite Viruses Wendy Bowman ETEC 562


Page 1: Multipartite Viruses

Multipartite Viruses

Wendy Bowman

ETEC 562

Page 2: Multipartite Viruses

General Information

Payload

Activation

Hidden

Transmission

Removal

Page 3: Multipartite Viruses

General Information

• A computer virus is defined as a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.

• http://www.webopedia.com/TERM/v/virus.html

Page 4: Multipartite Viruses

Viral Facts

• Viruses can replicate.

• All computer viruses are manmade.

• Can infect other programs.

• Viruses do not infect plain text files.

• Viruses take up memory after replicating.

• Viruses cannot exist without a host.

Page 5: Multipartite Viruses

Types of Viruses

• Trojans and Stealth

• Boot Sector

• File

• Macros

• Worms

• Network and Multipartite viruses

Page 6: Multipartite Viruses

Network Viruses

• Infect networks by making extensive use of network protocols.

• Network viruses are able to transfer code to a remote server or workstation.

Reference http://www.viruslist.com/eng/viruslistbooks.html?id=24

Page 7: Multipartite Viruses

Network Virus Facts

• Separated into several segments that each run on a part of the network.

• Use automated functions such as email to replicate.

• Use programming built into the macros to spread themselves.

• Called an octopus when it has one main segment that coordinates with what the other segments are doing.

• Can steal password info and send it to a malicious source.

http://www.kaspersky.com/news.asp?tnews=0&nview=1&id=157&page=0

Page 8: Multipartite Viruses

Multipartite Viruses

A multipartite virus is defined as a virus that infects your boot sector as well as files.

Page 9: Multipartite Viruses

Boot Sector

The area of the hard drive that is accessed when the computer is first turned on.


Page 10: Multipartite Viruses

Multipartite Facts

• Can infect floppy disks.

• Hardest virus to clean.

• Are memory resident viruses.

• Harder to spread across networks, but not impossible.

• To spread across a network, the server must be infected and an infected program must be accessed.

http://www.faqs.org/faqs/computer-virus/alt-faq/part1/

Page 11: Multipartite Viruses

Viral Payload

Payload is defined as the action the virus performs on the computer.

http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/glossary.asp#payload

Page 12: Multipartite Viruses

Possible Payloads

• Corrupts the hard disk

• Create files

• Delete files

• Modify files

• Formats the hard drive

• Hangs the system during rebooting

• Modifies available memory

• Modify available resources

http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/

Page 13: Multipartite Viruses

Activation or Trigger

• Refers to the condition or date on which the payload of the virus will occur.

• Computer can be infected for months or years before the payload occurs.

• Holidays are the most popular trigger date.

• http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/glossary.asp#trigger_condition_or_date

Page 14: Multipartite Viruses

Hidden Dangers

• Decrease the size of memory in BIOS, cut the last MCB (memory control block), and replicate in the free space left by the MCB

• Disguise the virus as part of a downloadable shareware package

• Interrupting the DOS language just enough to “hook” a viral code onto existing language (hooking) until a floppy disk can be infected.

• Hooking on to the debugger.

http://www.virusbtn.com/VirusInformation/natas.html

Page 16: Multipartite Viruses

Disposal

• Run anti-viral software

• Quarantine the virus (if possible)

• Replace the MBR (master boot record)

• Reboot computer from a clean disk then run anti-viral software

• Reformat the hard drive through DOS

• Costliest method: purchase a new memory chip
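
One way to decide whether the MBR needs replacing, as an added example that is not part of the original slides: compare the 512-byte sector, read after booting from a clean disk, against a digest of the boot code recorded while the machine was known to be clean. The sample sectors, the baseline and all function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE_OFF = 510      # last two bytes must be 0x55 0xAA


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code area only (partition table excluded)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(sector: bytes) -> list:
    """Return (bootable, type, first_lba, sector_count) for used entries."""
    parts = []
    for i in range(4):
        start = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA, count
        status, ptype, lba, count = struct.unpack(
            "<B3xB3xII", sector[start:start + 16])
        if ptype != 0:
            parts.append((status == 0x80, ptype, lba, count))
    return parts


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from baseline")
    if sum(1 for p in parse_partitions(sector) if p[0]) > 1:
        findings.append("more than one partition marked bootable")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector with one bootable FAT16 (type 0x06) entry."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 204800)
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + bytes(48)
    return body + b"\x55\xaa"


CLEAN = make_sample_mbr(b"constructed clean boot code")
BASELINE = boot_code_digest(CLEAN)   # recorded while known clean
MODIFIED = make_sample_mbr(b"constructed altered boot code")
```

Hashing only the first 446 bytes keeps the check stable when partitions are legitimately resized, while still flagging any change to the code that runs at boot.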

Page 17: Multipartite Viruses

General Information

Payload

Activation

Hidden

Transmission

Removal

Page 18: Multipartite Viruses

Anthrax

• Writes its viral code to the last sector of the hard drive while overwriting data there.

• Memory resident

• DOS platform

• Infects .COM, .EXE, MBR, and floppy boot sectors

• Multipartite

• Uses 1024 bytes (files) and 512 bytes (MBR)

http://www.symantec.com/avcenter/vinfodb.html#

Page 19: Multipartite Viruses

Clisti 1025 and Clisti 1025 (b)

• No aliases

• Memory resident

• Uses encryption

• Wild (

• Can be transmitted through networks

• Infects .COM, floppy boot sector, hard disk boot sector

• Mainly transmitted through emails

http://www.symantec.com/avcenter/vinfodb.html#

Page 20: Multipartite Viruses

One Half Boot

• Infects .COM, .EXE, MBR

• Memory resident

• Slowly encrypts the hard drive

• Uses 3155 bytes (files) and 512 bytes (MBR)

• Multipartite, stealthing, and polymorphic

• Transmitted through emails

• All encrypted data is lost when virus is removed

http://www.symantec.com/avcenter/vinfodb.html#

Page 21: Multipartite Viruses

Is your computer a ticking time bomb?