viruses notes

vivek_4545

New member
Computing | Internet Security
Viruses – Types and Examples
If you have read the last article, I assume that you have become familiar with the definition and anatomy of a computer virus. As in medicine, in the case of computer viruses too we have specialization depending on the area of infection and the amount of damage. So let us study the basic categories of viruses.
Types of viruses
Boot viruses: These viruses infect floppy disk boot records or master boot records in hard disks. They replace the boot record program (which is responsible for loading the operating system in memory) copying it elsewhere on the disk or overwriting it. Boot viruses load into memory if the computer tries to read the disk while it is booting.
Examples: Form, Disk Killer, Michelangelo, and Stone virus
Program viruses: These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded in memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.
Examples: Sunday, Cascade
Multipartite viruses: A hybrid of Boot and Program viruses. They infect program files and when the infected program is executed, these viruses infect the boot record. When you boot the computer next time the virus from the boot record loads in memory and then starts infecting other program files on disk.
Examples: Invader, Flip, and Tequila
Stealth viruses: These viruses use certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside or they may alter the reading of the infected file’s size shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file; then the virus subtracts the same number of bytes (9216) from the size given in the directory.
Examples: Frodo, Joshi, Whale
Polymorphic viruses: A virus that can encrypt its code in different ways so that it appears differently in each infection. These viruses are more difficult to detect.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101
Macro Viruses: A macro virus is a new type of computer virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects the Normal template (Normal.dot), a general-purpose file that stores default document formatting settings. Every document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on other computers.
Examples: DMV, Nuclear, Word Concept.
Active X: ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to control their web browser to enable or disable the various functions like playing sound or video and so, by default, leave a nice big hole in the security by allowing applets free run of their machine. There has been a lot of commotion behind this and with the amount of power that JAVA imparts, things from the security angle seem a bit gloomy.
These are just a few broad categories. There are many more specialized types. But let us not go into that. We are here to learn to protect ourselves, not write a thesis on computer virus specification.


+++++++++++++++++++++++++++++++++++++++++++++


Viruses can be categorized in more than one way. For example, they can be categorized by their primary function and propagation method as follows:
Trojan horse--enters a system disguised as something else
Worm--propagates on its own by a variety of means including hijacking email accounts, user ids, file transfer programs, etc.
Bomb--doesn't propagate itself at all, is placed by a human or another program and activated by a trigger such as time or event. Usually does something unpleasant when it goes off.
Port Scanner--hides on a system and scans the surrounding environment for IP addresses and open ports that it then makes available to other malicious code or individuals.

The way viruses are usually categorized, however, is by what they do, as follows:
Boot Virus--infects the boot sector of disk storage (Form, Disk Killer, Michelangelo)
Program Virus--infects executable programs (Sunday, Cascade)
Multipartite Virus--combination of the first two (Invader, Flip, Tequila)
Stealth Virus--able to avoid detection by a variety of means such as removing itself from the system registry, masquerading as a system file, etc. (Frodo, Joshi, Whale)
Parasitic Virus--embeds itself into another file or program such that the original file is still viable (Jerusalem)
Polymorphic Virus--changes its code structure to avoid detection and removal, mutates (Stimulate, Cascade, Phoenix, Evil)
Macro Virus--exploits the macro language of a program like MSWord or MSExcel for malicious purpose (DMV, Nuclear, Word Concept)
Hope this is helpful

+++++++++++++++++++++++++++++++++++++++++++++++
The person might have a computer virus infection when the computer starts acting differently. For instance, getting slow, or when they turn the computer on, it says that all the data is erased, or when they start writing a document, it looks different, some chapters might be missing or something else abnormal has happened.
The next thing that usually happens is that the person whose computer might be infected with a virus panics. The person might think that all the work that has been done is missing. That could be true, but in most cases viruses have not done any harm yet, but when one starts doing something and is not sure what one is doing, that might be harmful. When some people try to get rid of viruses they delete files or they might even format the whole hard disk, like my cousin did. That is not the best way to act when the person thinks that he has a virus infection.
What do people do when they get sick? They go to see a doctor if they do not know what is wrong with them. It is the same way with viruses: if the person does not know what to do, they call someone who knows more about viruses and they get professional help.
If the person reads email at their PC or if they use diskettes to transfer files between the computer at work and the computer at home, or if they just transfer files between the two computers, they have a good possibility of getting a virus. They might get viruses also when they download files from any internet site. There was a time when people were able to be sure that some sites were secure, that those secure sites did not have any virus problems, but nowadays people cannot be sure of anything. There have been viruses even in Microsoft's download sites.
In this report I am going to introduce different malware types and how they spread out and how to deal with them. Most common viruses nowadays are macro viruses and I am going to spend a little more time with them. I am going to give an example of trojan horses stealing passwords.
2. General information about computer viruses
2.1 Different malware types
Malware is a general name for all programs that are harmful: viruses, trojans, worms and all other similar programs [1].

2.1.1 Viruses
A computer virus is a program, a block of executable code, which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user.
There are a couple of different types of computer viruses: boot sector viruses, parasitic viruses, multi-partite viruses, companion viruses, link viruses and macro viruses. These classifications take into account the different ways in which the virus can infect different parts of a system. The manner in which each of these types operates has one thing in common: any virus has to be executed in order to operate. [2]
Most viruses are pretty harmless. The user might not even notice the virus for years. Sometimes viruses might cause random damage to data files and over a long period they might destroy files and disks. Even benign viruses cause damage by occupying disk space and main memory, by using up CPU processing time. There is also the time and expense wasted in detecting and removing viruses.


2.1.2 Trojan
A Trojan Horse is a program that does something other than what the user thought it would do. It is mostly done to someone on purpose. The Trojan Horses are usually masked so that they look interesting, for example a saxophone.wav file that interests a person collecting sound samples of instruments. A Trojan Horse differs from a destructive virus in that it doesn't reproduce. There has been a password trojan out in AOL land (America Online): Password30 and Pasword50, which some people thought were .wav files, but they were disguised and people did not know that they had the trojan in their systems until they tried to change their passwords. [9]
According to an administrator of AOL, the Trojan steals passwords and sends an E-mail to the hacker's fake name, and then the hacker has your account in his hands.

2.1.3 Worms
A worm is a program which usually spreads over network connections. Unlike a virus, which attaches itself to a host program, worms always need a host program to spread. In practice, worms are not normally associated with single-person computer systems. They are mostly found in multi-user systems such as Unix environments. A classic example of a worm is Robert Morris's Internet worm of 1988. [1,5]


Picture 1 An example of a worm.
2.2 Macro virus

Macro viruses spread from applications which use macros. The macro viruses which are receiving attention currently are specific to Word 6, WordBasic and Excel. However, many applications, not all of them Windows applications, have potentially damaging and infective macro capabilities too.
A CAP macro virus, now widespread, infects macros attached to Word 6.0 for Windows, Word 6.0.1 for Macintosh, Word 6.0 for Windows NT, and Word for Windows 95 documents.
What makes such a virus possible is that the macros are created with WordBASIC, which even allows DOS commands to be run. WordBASIC is a programming language which links features used in Word to macros.
A virus, named "Concept," has no destructive payload; it merely spreads, after a document containing the virus is opened. Concept copies itself to other documents when they are saved, without affecting the contents of documents. Since then, however, other macro viruses have been discovered, and some of them contain destructive routines.
Microsoft suggests opening files without macros to prevent macro viruses from spreading, unless the user can verify that the macros contained in the document will not cause damage. This does NOT work for all macro viruses.
Why are macro viruses so successful? Today people share so much data, email documents and use the Internet to get programs and documents. Macros are also very easy to write. The problem is also that Word for Windows corrupts macros, inadvertently creating new macro viruses.



Picture 2 New macro virus by corruption [12]
Corruption also creates "remnant" macros which are not infectious, but look like viruses and cause false alarms. Known macro viruses can get together and create wholly new viruses.




Picture 3 Macro virus growth, July 1995 to May 1997 [12]

There have been viruses since 1986 and macro viruses since 1995. Now about 15 percent of viruses are macro viruses. There are about 2,000 macro viruses and about 11,000 DOS viruses, but the problem is that macro viruses spread so fast. New macro viruses are created in the workplace, on a daily basis, on typical end-user machines, not in a virus lab. New macro virus creation is due to corruption, mating, and conversion. Traditional anti-virus programs are also not good at detecting new macro viruses.
Almost all viruses detected at the Helsinki University of Technology have been macro viruses, according to Tapio Keihänen, the virus specialist at HUT.
Before macro viruses it was easier to detect and repair virus infections with anti-virus programs. But now that there are new macro viruses, it is harder to detect macro viruses and people are more in contact with their anti-virus vendor to detect and repair unknown macro viruses, because new macro viruses spread faster than new anti-virus program updates come out.
2.3 Virus sources
Viruses do not just appear; there is always somebody who has made them, and they have their own reasons to do so. Viruses are written everywhere in the world. Now that the information flow in the net and Internet grows, it does not matter where the virus is made.
Most of the writers are young men. There are also a few university students, professors, computer store managers, writers and even a doctor who has written a virus. One thing is common to these writers: all of them are men; women do not waste their time writing viruses. Women are either smarter or they are just so good that they never get caught. [1]



+++++++++++++++++++++++++++++++++++++++


The Difference Between a Virus, Worm and Trojan Horse
The most common blunder people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are often used interchangeably, they are not the same. Viruses, worms and Trojan Horses are all malicious programs that can cause damage to your computer, but there are differences among the three, and knowing those differences can help you to better protect your computer from their often damaging effects.
A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.
A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then, the worm replicates and sends itself out to everyone listed in each of the receivers' address books, and the manifest continues on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In more recent worm attacks such as the much-talked-about Blaster Worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.
Key Terms To Understanding Computer Viruses:
virus
A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
Trojan Horse
A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.
worm
A program or algorithm that replicates itself over a computer network and usually performs malicious actions.
blended threat
Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities.
antivirus program
A utility that searches a hard disk for viruses and removes any that are found.
A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.
Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of method and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points and exploits vulnerabilities.
To be considered a blended threat, the attack would normally serve to transport multiple attacks in one payload. For example, it wouldn't just launch a DoS attack; it would also install a backdoor and damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended threat could modify .exe files, HTML files and registry keys at the same time; basically it can cause damage within several areas of your network at one time.
Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.
 
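As an added defensive check (not from the post above or from any vendor), here is a Python script that flags documents carrying VBA macros before anyone opens them, which is the triage step that Microsoft's "open files without macros" advice relies on. It assumes modern ZIP-based (OOXML) Office files, where macros live in a vbaProject.bin part with a declared content type; legacy OLE2 .doc files and Normal.dot templates are only reported as needing an OLE parser, and the sample documents are constructed in memory so the check runs offline.

```python
import io
import zipfile

# Indicators of embedded VBA inside a ZIP-based (OOXML) Office document.
VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Legacy binary formats (Word 6/95/97 .doc, Normal.dot) begin with the OLE2
# compound-file magic; enumerating macros there needs a dedicated OLE parser.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that are not supposed to carry macros at all.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx", ".dotx", ".xltx")


def ooxml_macro_indicators(data):
    """Return the reasons a ZIP-based Office document looks macro-enabled."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if name.lower().endswith(VBA_PART_SUFFIX):
                    reasons.append("contains VBA part " + name)
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in ctypes:
                    reasons.append("declares the vbaProject content type")
    except zipfile.BadZipFile:
        pass  # not a ZIP container; the caller decides what that means
    return reasons


def classify(filename, data):
    """Classify a document before it is opened:
    'legacy-binary' -> OLE2 file, macros possible, inspect with an OLE parser
    'macro-enabled' -> OOXML file that carries VBA
    'suspicious'    -> macro-free extension (e.g. .docx) yet VBA is present
    'no-macros'     -> OOXML file without VBA indicators
    'unknown'       -> neither container format"""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    reasons = ooxml_macro_indicators(data)
    if reasons:
        if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
            return "suspicious"
        return "macro-enabled"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    return "no-macros"


def build_sample(with_macros):
    """Constructed minimal OOXML document (not real Word output) used as
    offline test input; the VBA part content is a placeholder."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument'
                 '.wordprocessingml.document.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="' + MACRO_CONTENT_TYPE + '"/>')
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types>' + "".join(overrides) + "</Types>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("report.docm", build_sample(True)),
               ("report.docx", build_sample(True)),   # macros hiding in a .docx
               ("memo.docx", build_sample(False)),
               ("old.doc", OLE2_MAGIC + b"\x00" * 504)]
    for name, data in samples:
        print(name, "->", classify(name, data), ooxml_macro_indicators(data))
```

A document classed as suspicious or macro-enabled is one to hold for review rather than open, which is exactly the human step the post says the worm and macro examples rely on.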

abhishreshthaa

New member
Politically Correct Virus:
Never calls itself a "virus", but instead refers to itself as an "electronic microorganism."

Right to Life Virus:
Won't allow you to delete a file, regardless of how old it is. If you attempt to erase a file, it requires you to first see a counselor about possible alternatives.

Oprah Winfrey Virus:
Your 200MB hard drive suddenly shrinks to 80MB, and then slowly expands back to 200MB.

AT&T Virus:
Every three minutes it tells you what great service you're getting.

MCI Virus:
Every three minutes it reminds you that you're paying too much for the AT&T Virus.

Arnold Schwarzenegger Virus:
Terminates and stays resident. It'll be back.

Government Economist Virus:
Nothing works, but all your diagnostic software says everything is fine.

Texas Virus:
Makes sure it's bigger than any other file.

Warren Beatty Virus:
Constantly tries to prove its virility by attaching itself to younger or newer files.

Nike Virus:
Just does it.

Quantum Leap Virus:
One day your PC is a laptop, the next day it is a Macintosh, then a Nintendo.

Adam and Eve virus:
Takes a couple of bytes out of your Apple.

Airline virus:
You're in Dallas, but your data is in Singapore.

Bill Clinton virus:
Promises to give equal time to all processes: 50% to poor, slow processes; 50% to middle-class processes, and 50% to rich ones. This virus protests your computer's involvement in other computers' affairs, even though it has been having one of its own for 12 years.

Congressional Virus:
The computer locks up, screen splits erratically with a message appearing on each half blaming the other side for the problem.

Ross Perot Virus:
Activates every component on your system, just before the whole thing quits.

Mario Cuomo Virus:
It would be a great virus, but it refuses to run.

Dan Quayle Virus:
Their is sumthing rong with yor compueter, ewe just can't figyour out watt.

Pat Buchanan virus:
Shifts all your output to the extreme right of your screen.

Gallup Virus:
60% of the PCs infected will lose 38% of their data 14% of the time (plus or minus a 3.5% margin of error.)

Elvis virus:
Your computer gets fat, slow, and lazy and then self destructs, only to resurface at shopping malls and service stations across rural America.

Federal bureaucrat virus:
Divides your hard disk into hundreds of little units, each of which does practically nothing, but all of which claim to be the most important part of the computer.

PBS virus:
Your PC stops every few minutes to ask for money.

Jocelyn Elders virus:
Makes sure every file is a planned and wanted file.


Here's a look at ten of the most malignant viruses and worms of all time.

10. Surreptitious Sircam
Sircam appeared in July 2001 on PCs running Windows 95, 98, and Me. The worm appeared in e-mail in-boxes with an attachment; the body of the message was in Spanish or English. Typical greetings included "Hi! How are you?" and "Hola como estas?" If you launched the attachment, Sircam installed itself on the infected computer, then grabbed random documents and sent them out to e-mail addresses it captured from your address book. It also occasionally deleted files and filled the infected computer's hard drive with gibberish. Visit Symantec's Security Response for instructions on how to remove Sircam.

9. Red Raider
Code Red burned brightly in the summer of 2001, infecting hundreds of thousands of computers--mainly on corporate networks. Code Red slithered through a hole in Internet Information Server (IIS) software, which is widely used to power Internet servers, then scanned the Internet for vulnerable systems to infect and continue the process. The worm used contaminated PCs as weapons in denial of service attacks--flooding a Web site with a barrage of information requests. The original target was the official White House Web site, but government officials changed the site's IP address to thwart the attack.

The worm exploited a weakness in the IIS software (which has since been fixed with a patch from Microsoft) that allowed an intruder to run arbitrary code on a victimized computer. Multiple variants of this worm now exist. Visit Symantec's Security Response for instructions on how to protect your system from Code Red.

8. Bad Benjamin
Benjamin--a new breed of worm--was let loose in May 2002, and it affected users of the popular file-sharing program Kazaa. The crafty worm posed as popular music and movie files. Kazaa users thought they were downloading a media file to their machines, but they got the imposter instead. It then set up a Kazaa share folder and stuffed it with copies of itself posing as popular music and movie files, which other Kazaa users would download. It congested the system's network connection and would ultimately fill up a hard drive. Visit Symantec's Security Response for instructions on how to remove Benjamin.

7. Numbing Nimda
Nimda (also known as the Concept Virus) appeared in September 2001, attacking tens of thousands of servers and hundreds of thousands of PCs. The worm modified Web documents and executable files, then created numerous copies of itself. The worm spread as an embedded attachment in an HTML e-mail message that would execute as soon as the recipient opened the message (unlike the typical attached virus that requires manual launching of the attachment). It also moved via server-to-server Web traffic, infected shared hard drives on networks, and downloaded itself to users browsing Web pages hosted on infected servers. Nimda soon inspired a crowd of imitators that followed the same pattern. Visit Symantec's Security Response for the Nimda removal tool.

6. Tennis Anyone?
The Anna Kournikova (or VBS.SST@mm) worm, appearing in February 2001, didn't cause data loss, although in the process of boosting the profile of its namesake, the Russian tennis player, it did cause embarrassment and disruption for many personal and business users. The worm showed up in Microsoft Outlook users' e-mail in-boxes with an attachment (supposedly a picture of Kournikova). The attachment proved hard to resist. The result? Clicking the bogus attachment sent copies of the worm via e-mail to all addresses found in the victim's Outlook address book. Kournikova also brought about a number of copycat variants. Visit Symantec's Security Response for instructions on how to remove Kournikova.

Most worm creators have never been identified, but a 21-year-old Dutchman, Jan de Wit, admitted to unleashing this worm. The admitted virus writer is appealing a 150-hour community service sentence handed down in September 2001 by a judge in the Netherlands.

5. (Expletive Deleted) Explorer
The Explorer.zip worm appeared in the summer of 1999, following in the footsteps of Melissa. The worm deleted Word, Excel, and PowerPoint files and randomly altered other types of files. Like Melissa (see below), Explorer traveled via e-mails that appeared to be from someone the recipient knew. The message included a file that, if activated, showed a fake error message to the user. Unlike Melissa, this virus did not use Outlook to gather e-mail addresses. Instead, it watched the in-box of the infected computer and then sent automatic replies to senders, using the same e-mail subject as the original message.

4. Maniacal Magistr
Magistr is one of the most complex viruses to hit the Internet. Its victims, users of Outlook Express, were hooked by an infected e-mail attachment. The virus, discovered in mid-March 2001, sent garbled messages to everyone in the infected user's e-mail address book. Attached were files pulled at random from the infected PC's hard drive plus an executable file with the Magistr code. This virus was not as widespread as many others, but it was very destructive. Magistr overwrites hard drives and erases CMOS and the flashable BIOS, preventing systems from booting. It also contained antidebugging features, making it hard to detect and destroy. Visit Symantec's Security Response for instructions on how to remove Magistr.

3. Malevolent Melissa
The Melissa virus swamped corporate networks with a tidal wave of e-mail messages in March 1999. Through Microsoft Outlook, when a user opened an e-mail message containing an infected Word attachment, the virus was sent to the first 50 names in the user's address book. The e-mail fooled many recipients because it bore the name of someone the recipient knew and referred to a document they had allegedly requested.

So much e-mail traffic was generated so quickly that companies like Intel and Microsoft had to turn off their e-mail servers. The Melissa virus was the first virus capable of hopping from one machine to another on its own. And it's another good example of a virus with multiple variants. Visit Symantec's Security Response for instructions on how to remove Melissa.

2. Klez the Conqueror
The Klez worm, which blends different virus traits, was first detected in October 2001. Klez distributes itself like a virus, but sometimes acts like a worm, other times like a Trojan horse. Klez isn't as destructive as other worms, but it is widespread, hard to exterminate--and still active. In fact, so far, no other virus has stayed in circulation quite like Klez. It spreads via open networks and e-mail--regardless of the e-mail program you use. Klez sometimes masquerades as a worm-removal tool. It may corrupt files and disable antivirus products. It pilfers data from a victim's e-mail address book, mixing and matching new senders and recipients for a new round of infection. Visit Symantec's Security Response for instructions on how to remove Klez.

1. Love Hurts
LoveLetter is the worm everyone learned to hate in spring 2000. The infection affected millions of computers and caused more damage than any other computer virus to date. Users were infected via e-mail, through Internet chat systems, and through other shared file systems. The worm sent copies of itself via Microsoft Outlook's address book entries. The mail included an executable file attachment with the e-mail subject line, "ILOVEYOU." The worm had the ability to overwrite several types of files, including .gif and .jpg files. It modified the Internet Explorer start page and changed Registry keys. It also moved other files and hid MP3 files on affected systems. Visit Symantec's Security Response for instructions on how to remove LoveLetter.