Computer Viruses
MITESH SOLANKI
2K10/ME/070
Introduction
Computer viruses have become today's
headline news
With the increasing use of the Internet, it
has become easier for viruses to spread
Viruses show us loopholes in software
Most viruses are targeted at the MS Windows
OS
Definition
Virus: A computer virus is a computer program
that can replicate itself. A true virus is capable of
self-replication on a machine. It may spread between files
or disks, but the defining characteristic is that it can
recreate itself on its own without traveling to a new
host and spread from one computer to another. The
term "virus" is also commonly but erroneously used
to refer to other types of malware, including but not
limited to adware and spyware programs that do not
have this reproductive ability
History of viruses
The first academic work on the theory of computer
viruses (although the term "computer virus" was
not used at that time) was done in 1949 by John
von Neumann. In his essay "Theory of self-reproducing
automata" von Neumann described
how a computer program could be designed to
reproduce itself
In 1984 Fred Cohen from the University of Southern
California wrote his paper "Computer Viruses - Theory
and Experiments". It was the first paper to
explicitly call a self-reproducing program a "virus"
Background
There are an estimated 30,000 computer
viruses in existence
Over 300 new ones are created each
month
First virus was created to show loopholes
in software
Virus Languages
ANSI COBOL
C/C++
Pascal
VBA
Unix Shell Scripts
JavaScript
Basically, any language that runs on the
target system
Infection strategies
In order to replicate itself, a virus must be
permitted to execute code and write to memory.
For this reason, many viruses attach themselves
to executable files that may be part of legitimate
programs. If a user attempts to launch an
infected program, the virus' code may be
executed simultaneously
Viruses can be divided into two types based on their
behavior when they are executed.
Nonresident viruses immediately search for other hosts
that can be infected, infect those targets, and finally
transfer control to the application program they infected.
Resident viruses do not search for hosts when they are
started.
Instead, a resident virus loads itself into memory on
execution and transfers control to the host program. The
virus stays active in the background and infects new hosts
when those files are accessed by other programs or the
operating system itself.
Symptoms of a Virus Attack
Computer runs slower than usual
Computer no longer boots up
Screen sometimes flickers
PC speaker beeps periodically
System crashes for no reason
Files/directories sometimes disappear
Denial of Service (DoS)
Viruses through the Internet
Today almost 87% of all viruses are spread
through the Internet
Transmission time to a new host is
relatively low, on the order of hours to
days
Classifying Viruses - Types
Trojan Horse
Worm
Macro
Trojan Horse
Covert
Leaks information
Usually does not reproduce
Trojan Horse
Back Orifice
Discovery Date:
10/15/1998
Origin: Pro-hacker Website
Length: 124,928
Type: Trojan
SubType: Remote Access
Risk Assessment: Low
Category: Stealth
Trojan Horse
About Back Orifice
requires Windows to work
distributed by Cult of the Dead Cow
similar to PC Anywhere and Carbon Copy software
allows remote access and control of other
computers
installs a reference in the registry
once infected, runs in the background
Trojan Horse
Features of Back Orifice
pings and queries servers
reboots or locks up the system
lists cached and screen saver passwords
displays system information
logs keystrokes
edits the registry
server control
receives and sends files
displays a message box
Worms
Spread over network connections
Worms replicate
The first worm released on the Internet was
the Morris worm, released on Nov 2, 1988.
Worms
Bubbleboy
Discovery Date: 11/8/1999
Origin: Argentina (?)
Length: 4992
Type: Worm/Macro
SubType: VbScript
Risk Assessment: Low
Category: Stealth/Companion
Worms
Bubbleboy
requires WSL (Windows Scripting Language),
Outlook or Outlook Express, and IE5
Does not work in Windows NT
Affects Spanish and English versions of Windows
2 variants have been identified
May cause DENIAL OF SERVICE
Worms
How Bubbleboy works
Bubbleboy is embedded within an email
message in HTML format.
a VBScript runs while the user views the HTML page
a file named Update.hta is placed in the startup
directory
upon reboot Bubbleboy executes
Worms
How Bubbleboy works
changes the registered owner/organization
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = Bubble Boy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = MICROSOFT
using the Outlook MAPI address book it sends
itself to each entry
marks itself in the registry
HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy = OUTLOOK.Bubbleboy1.0 by Zulu
Macro
Specific to certain applications
Comprise a high percentage of all viruses
Usually written in WordBasic and Visual
Basic for Applications (VBA)
Microsoft shipped Concept, the first
macro virus, on a CD-ROM called "Windows
95 Software Compatibility Test" in 1995
Macro
Melissa
Discovery Date: 3/26/1999
Origin: Newsgroup Posting
Length: varies depending on variant
Type: Macro/Worm
Subtype: Macro
Risk Assessment: High
Category: Companion
Macro
Melissa
requires WSL, Outlook or Outlook Express, and Word
97 SR1 or Office 2000
105 lines of code (original variant)
received either as an infected template or email
attachment
lowers computer defenses against future macro virus
attacks
may cause DoS
infects template files with its own macro code
Macro
How Melissa works
the virus is activated through an MS Word
document
document displays references to pornographic
websites while the macro runs
first lowers the macro protection security setting
for future attacks
checks to see if it has run in the current session
before
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa = by Kwyjibo
propagates itself using the Outlook MAPI
address book (emails sent to the first 50
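The registry entries on the Bubbleboy and Melissa slides double as infection indicators a defender can look for. The following is an added example, not part of the original presentation: it parses a Windows .reg export (a constructed sample, not a real capture) and reports which of those markers are present. It assumes the Melissa and Outlook.bubbleboy entries are string values under the Office and Software keys respectively.

```python
import re
from typing import Dict, List, Tuple

# Infection markers from the Bubbleboy and Melissa slides: (virus, key, value name, data).
# An exact match is a strong indicator that the host was already infected.
INFECTION_MARKERS: List[Tuple[str, str, str, str]] = [
    ("Bubbleboy", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion",
     "RegisteredOwner", "Bubble Boy"),
    ("Bubbleboy", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion",
     "RegisteredOrganization", "MICROSOFT"),
    ("Bubbleboy", r"HKEY_LOCAL_MACHINE\Software",
     "Outlook.bubbleboy", "OUTLOOK.Bubbleboy1.0 by Zulu"),
    ("Melissa", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Office",
     "Melissa", "by Kwyjibo"),
]

# One REG_SZ line of a .reg export: "name"="data", backslash-escaped inside.
_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: data}}."""
    values: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            values.setdefault(current, {})
        elif current is not None and (m := _SZ_LINE.match(line)):
            name, data = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
            values[current][name] = data
    return values

def find_infection_markers(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Viruses whose markers are present; keys and names compared case-insensitively."""
    lookup = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in reg.items()}
    return sorted({virus for virus, key, name, data in INFECTION_MARKERS
                   if lookup.get(key.lower(), {}).get(name.lower()) == data})

# Constructed sample export, not a real capture. A clean machine also has
# RegisteredOwner/RegisteredOrganization, but holding the owner's own details.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Bubble Boy"
"RegisteredOrganization"="MICROSOFT"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office]
"Melissa"="by Kwyjibo"
"""
```

Running find_infection_markers(parse_reg_export(SAMPLE_EXPORT)) on the constructed export reports both Bubbleboy and Melissa; on a machine whose owner fields hold real details it reports nothing.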
Protection/Prevention
Knowledge
Proper configurations
Run only necessary programs
Anti-virus software
Anti-viruses
Many users install anti-virus software that can detect
and eliminate known viruses after the computer
downloads or runs the executable. There are two
common methods that an anti-virus software
application uses to detect viruses. The first, and by
far the most common method of virus detection is
using a list of virus signature definitions. This works
by examining the content of the computer's memory
(its RAM, and boot sectors) and the files stored on
fixed or removable drives (hard drives, floppy drives),
and comparing those files against a database of
known virus "signatures". The disadvantage of this
. The second method is to use a heuristic algorithm
to find viruses based on common behaviors. This
method has the ability to detect novel viruses that
anti-virus security firms have yet to create a
signature for
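As an added example (not from the original slides), a miniature scanner that implements both detection methods described above: a constructed signature database, constructed heuristic rules drawn from the behaviours the slides attribute to Bubbleboy and Melissa, and constructed text samples in place of real files. It shows why a variant with an altered signature string slips past the signature check but not the heuristic one.

```python
from typing import Dict, List

# Constructed signature database, not real anti-virus definitions. Each entry
# is a byte pattern characteristic of one family. Signature matching is exact:
# a variant that changes the pattern is missed until the database is updated.
SIGNATURE_DB: Dict[bytes, str] = {
    b"OUTLOOK.Bubbleboy1.0 by Zulu": "Bubbleboy",
    b"by Kwyjibo": "Melissa",
}

# Heuristic rules built from behaviours the slides attribute to Bubbleboy and
# Melissa. Each alone is common in legitimate files, so a sample is flagged
# only when at least HEURISTIC_THRESHOLD distinct behaviours co-occur.
HEURISTIC_RULES: Dict[str, List[bytes]] = {
    "autostart": [b"\\Startup\\", b".hta"],
    "mass-mail": [b"MAPI", b"AddressLists"],
    "registry":  [b"HKEY_LOCAL_MACHINE\\Software"],
}
HEURISTIC_THRESHOLD = 2

def signature_scan(data: bytes) -> List[str]:
    """Names of known families whose signature occurs anywhere in data."""
    return sorted({name for pat, name in SIGNATURE_DB.items() if pat in data})

def heuristic_scan(data: bytes) -> List[str]:
    """Behaviours seen in data, or [] when too few co-occur to be suspicious."""
    hits = [rule for rule, pats in HEURISTIC_RULES.items()
            if any(p in data for p in pats)]
    return hits if len(hits) >= HEURISTIC_THRESHOLD else []

def scan(data: bytes) -> Dict[str, object]:
    """Apply both methods: a signature hit is definitive, heuristics are the fallback."""
    sigs, behaviours = signature_scan(data), heuristic_scan(data)
    verdict = "known" if sigs else "suspicious" if behaviours else "clean"
    return {"signatures": sigs, "behaviours": behaviours, "verdict": verdict}

# Constructed samples (plain-text stand-ins, not real malware): a known family,
# a variant with the signature string altered, and a clean file that mentions MAPI.
KNOWN_SAMPLE = (b"MAPI AddressLists enumerated; "
                b"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office\\Melissa = by Kwyjibo")
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"by Kwyjibo", b"by Nobody")
CLEAN_SAMPLE = b"Dear colleague, the MAPI mail server is down for maintenance tonight."

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("clean", CLEAN_SAMPLE)]:
        print(label, scan(sample))
```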
Some anti-virus programs are able to scan opened
files in addition to sent and received email messages
"on the fly" in a similar manner. This practice is
known as "on-access scanning". Anti-virus software
does not change the underlying capability of host
software to transmit viruses. Users must update their
software regularly to patch security holes. Anti-virus
software also needs to be regularly updated in order
Methods employed by viruses to avoid detection
Avoiding bait files and other undesirable hosts
Stealth
Self-modification
Encryption with a variable key
Polymorphic code
Metamorphic code
Deceiving viruses
Installing anti-virus software
Creating backups of important files
Re-installation of damaged programs
System Restore (some viruses, however, disable
System Restore and other important tools such as
Task Manager and Command Prompt. An example
of a virus that does this is CiaDoor. However,
many such viruses can be removed by rebooting
the computer, entering Windows safe mode, and
then using system tools.)
Operating system reinstallation
Conclusion
We have seen how viruses work through your system
and how that knowledge is used to make a better virus
We have seen how viruses show us loopholes
in popular software
Most viruses show that they can cause
great damage due to loopholes in
programming
Thank you