Computer virus

Page 1: Computer virus
Page 2: Computer virus

Introduction

Computer viruses have become today’s headline news

With the increasing use of the Internet, it has become easier for viruses to spread

Viruses show us loopholes in software

Most viruses are targeted at the MS Windows OS

Page 3: Computer virus

Definition

Virus: A true virus is capable of self-replication on a machine. It may spread between files or disks, but the defining characteristic is that it can recreate itself on its own without traveling to a new host

Page 4: Computer virus

Overview

Background

Symptoms

Classifying Viruses

Examples

Protection/Prevention

Conclusion

Page 5: Computer virus

Background

There are an estimated 30,000 computer viruses in existence

Over 300 new ones are created each month

The first virus was created to show loopholes in software

Page 6: Computer virus

Virus Languages

ANSI COBOL

C/C++

Pascal

VBA

Unix Shell Scripts

JavaScript

Basically any language that works on the system that is the target

Page 7: Computer virus

Symptoms of Virus Attack

Computer runs slower than usual

Computer no longer boots up

Screen sometimes flickers

PC speaker beeps periodically

System crashes for no reason

Files/directories sometimes disappear

Denial of Service (DoS)

Page 8: Computer virus

Virus through the Internet

Today almost 87% of all viruses are spread through the internet (source: ZDNet)

Transmission time to a new host is relatively low, on the order of hours to days

“Latent virus”

Page 9: Computer virus

Classifying Virus - General

Virus Information

Discovery Date:

Origin:

Length:

Type:

SubType:

Risk Assessment:

Category:

Page 10: Computer virus

Classifying Virus - Categories

Stealth

Polymorphic

Companion

Armored

Page 11: Computer virus

Classifying Virus - Types

Trojan Horse

Worm

Macro

Page 12: Computer virus

Trojan Horse

Covert

Leaks information

Usually does not reproduce

Page 13: Computer virus

Trojan Horse - Back Orifice

Discovery Date: 10/15/1998

Origin: Pro-hacker Website

Length: 124,928

Type: Trojan

SubType: Remote Access

Risk Assessment: Low

Category: Stealth

Page 14: Computer virus

Trojan Horse - About Back Orifice

requires Windows to work

distributed by “Cult of the Dead Cow”

similar to PC Anywhere, Carbon Copy software

allows remote access and control of other computers

installs a reference in the registry

once infected, runs in the background

by default uses UDP port 54320 and TCP port 54321

In Australia 72% of 92 ISPs surveyed were infected with Back Orifice

Page 15: Computer virus

Trojan Horse - Features of Back Orifice

ping and query servers

reboot or lock up the system

list cached and screen saver passwords

display system information

log keystrokes

edit registry

server control

receive and send files

display a message box

Page 16: Computer virus

Worms

Spread over network connections

Worms replicate

The first worm released on the Internet was called the Morris worm; it was released on Nov 2, 1988.

Page 17: Computer virus

Worms - Bubbleboy

Discovery Date: 11/8/1999

Origin: Argentina (?)

Length: 4992

Type: Worm/Macro

SubType: VbScript

Risk Assessment: Low

Category: Stealth/Companion

Page 18: Computer virus

Worms - Bubbleboy

requires WSL (windows scripting language), Outlook or Outlook Express, and IE5

Does not work in Windows NT

Affects Spanish and English versions of Windows

2 variants have been identified

Is a “latent virus” on a Unix or Linux system

May cause DoS

Page 19: Computer virus

Worms - How Bubbleboy works

Bubbleboy is embedded within an email message of HTML format.

a VbScript while the user views a HTML page

a file named “Update.hta” is placed in the start up directory

upon reboot Bubbleboy executes

Page 20: Computer virus

Worms - How Bubbleboy works

changes the registered owner/organization

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = “Bubble Boy”

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = “Vandalay Industry”

using the Outlook MAPI address book it sends itself to each entry

marks itself in the registry

HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy = “OUTLOOK.Bubbleboy1.0 by Zulu”

Page 21: Computer virus

Macro

Specific to certain applications

Comprise a high percentage of the viruses

Usually made in WordBasic and Visual Basic for Applications (VBA)

Microsoft shipped “Concept”, the first macro virus, on a CD ROM called "Windows 95 Software Compatibility Test" in 1995

Page 22: Computer virus

Macro - Melissa

Discovery Date: 3/26/1999

Origin: Newsgroup Posting

Length: varies depending on variant

Type: Macro/Worm

Subtype: Macro

Risk Assessment: High

Category: Companion

Page 23: Computer virus

Macro - Melissa

requires WSL, Outlook or Outlook Express, Word 97 SR1 or Office 2000

105 lines of code (original variant)

received either as an infected template or email attachment

lowers computer defenses to future macro virus attacks

may cause DoS

infects template files with its own macro code

80% of the 150 Fortune 1000 companies were affected

Page 24: Computer virus

Macro - How Melissa works

the virus is activated through a MS Word document

document displays reference to pornographic websites while macro runs

1st lowers the macro protection security setting for future attacks

checks to see if it has run in current session before

HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa = “by Kwyjibo”

propagates itself using the Outlook MAPI address book (emails sent to the first 50 addresses)

Page 25: Computer virus

Macro - How Melissa works

infects the Normal.dot template file with its own code

Lastly, if the minutes of the hour match up to the date, the macro inserts a quote by Bart Simpson into the current document

“Twenty two points, plus triple word score, plus fifty points for using all my letters. Game’s over. I’m outta here.”
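Added example, not part of the original slides: a small checker that looks for the Bubbleboy and Melissa registry markers and the Update.hta startup file listed on the "How ... works" slides. It assumes the registry is available as a text export in .reg format; the function names and the sample export are constructed for illustration.

```python
import re

# Markers exactly as listed on the slides: registry path -> (family, text).
HKLM = "HKEY_LOCAL_MACHINE\\Software\\"
INDICATORS = {
    HKLM + r"Microsoft\Windows\CurrentVersion\RegisteredOwner": ("Bubbleboy", "Bubble Boy"),
    HKLM + r"Microsoft\Windows\CurrentVersion\RegisteredOrganization": ("Bubbleboy", "Vandalay Industry"),
    HKLM + r"Outlook.bubbleboy": ("Bubbleboy", "OUTLOOK.Bubbleboy1.0 by Zulu"),
    HKLM + r"Microsoft\Office\Melissa": ("Melissa", "by Kwyjibo"),
}
LOOKUP = {path.lower(): ind for path, ind in INDICATORS.items()}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def iter_values(reg_text):
    """Yield (full_path, string_value) for each string value in a .reg export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            # "@" is the key's default value, so its path is the key itself.
            yield (key + "\\" + m.group(1) if m.group(1) is not None else key), m.group(2)

def squash(text):
    # Assumption: ignore case and spacing, since slide text may have lost spaces.
    return re.sub(r"\s+", "", text).lower()

def scan_reg_export(reg_text):
    """Return (family, path, value) for every marker found in the export."""
    return [(LOOKUP[p.lower()][0], p, v) for p, v in iter_values(reg_text)
            if p.lower() in LOOKUP and squash(LOOKUP[p.lower()][1]) in squash(v)]

def scan_startup(filenames):
    """Flag the Update.hta file name among startup-folder file names."""
    return [name for name in filenames if name.lower() == "update.hta"]

# Constructed sample export (not from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Bubble Boy"
"RegisteredOrganization"="Example Corp"
[HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy]
@="OUTLOOK.Bubbleboy 1.0 by Zulu"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office]
"Melissa"="by Kwyjibo"
"""
```

Each registry path is matched whether the last component is a value name or a key with a default value, because the slides do not say which form the markers take.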

Page 26: Computer virus

Protection/Prevention

Knowledge

Proper configurations

Run only necessary programs

Anti-virus software

Page 27: Computer virus

Conclusion

You now know more about viruses and how:

viruses work through your system to make a better virus

Have seen how viruses show us a loophole in popular software

Most viruses show that they can cause great damage due to loopholes in programming