Computer Virus

Posted on March 31, 2010, 7:59 pm

In 1983, Fred Cohen coined the term computer virus “, postulating a virus was” a program that can “infect” other programs by modifying them to include a copy of itself can be changed. “The term” virus “is an acronym for Vital Information Resources under Sixteen. Mr. Cohen has expanded his definition a year later, in his 1984 document, “A computer virus,” noting that “a virus can spread through a computer system or network using the authorizations of every user of use it to infect their programs. Any program that is infected may also act as a virus and thus the infection develops. “Viruses, as we know it today was born in 1986 with the creation of the brain – the first personal computer virus. Two brothers wrote it (and Farooq Alvi Basidium, who operated a small software in Lahore, Pakistan ) and started the race between virus and anti-virus programs that continues today. Using the above explanation, we can say that viruses infect program files. However, viruses can also infect certain types of data files, in particular the types of data files that support executable content, for example, files created in Microsoft Office programs that rely on macros. Compounding the difficulties of definition, viruses also exist that demonstrate a similar capacity to infect data files that do not typically support executable content – for example, Adobe PDF is widely used for sharing documents, and. JPG image files. However, in both cases, the virus in question has a dependency on an executable file on the outside and therefore neither the virus can be considered more than just a “proof of concept. In other cases, the data files themselves can not be infected, but may allow the introduction of viral code. Specifically, vulnerabilities in certain products can allow data files to be manipulated so that it will cause the host program to become unstable, after which malicious code can be introduced into the system. These examples are given simply to note that viruses are not themselves simply relegated to infect program files, as was the case when Mr. Cohen first defined the term. Thus, to simplify and modernize, we can say with any certainty that the virus infects other files, if the program or data. The computer viruses are called viruses because they share some traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person. There are similarities at a deeper level, too. A biological virus is not a living thing. A virus is a fragment of DNA in a protective sleeve. Unlike a cell, a virus has no way to do something or to reproduce by itself – it is not alive. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the existing mechanisms of the cell to reproduce. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the virus of new particles bud off the cell one at a time, and the cell remains alive. Apart from a computer virus some of these traits. A computer virus must be grafted on top of another program or document in order to obtain enforcement. Once it is launched, it is then able to infect other programs or documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks. A computer virus is a program that replicates. To do this, he must join with other program files (eg. Exe,. Com,. Dll) and run whenever the host program is running. Beyond simple replication, a virus almost always trying to achieve another goal: to cause damage. Called routine damage, or payload, the destructive part of a virus may vary from overwriting critical information required on the partition table of hard to blur the figures in spreadsheets is a little insulting to the user sounds, images or unpleasant effects. It is worth recalling, however, that even without “damage” routine, if viruses are allowed to run continuously, so it will continue to spread – the system memory consumption, disk space, which slows the network traffic and degrading the overall performance. In addition, the virus code is often buggy and can also be the source of mysterious system problems that take weeks to understand. So if a virus is harmful or not, his presence on the system may lead to instability and should not be tolerated. Some viruses, in conjunction with “logic bombs” are not doing their presence for months. Instead of causing damage right away, these viruses are only reproducing – until a predetermined triggering event or when they release their routines damage to the host system or across a network. The impact of viruses on computer systems The virus can be reprogrammed to do all sorts of harm, including the following. 1. copy itself to other programs or areas of a disk. 2. Replicate and often as quickly as possible, filling the infected system’s disk and memory to make the systems useless. 3. Displays information on the screen. 4. Edit, corrupt or destroy files selected. 5. Delete the contents of entire disks. 6. Dormant for a specified time or until a condition is met, and then become active. 7. Open a rear door to the infected system that allows the control to someone else to access and even the system through a network or Internet connection. 8. Some viruses can crash the system by some programs (usually Windows) to behave strangely. How viruses are spread from one system to another? The most likely points of entry of viruses are e-mail, Internet and network connections, disk drives, and modems or serial or parallel port connections. In a world increasingly interconnected workplace (Internet, Intranet, Shared Drives, removable disks, and email), attacks the virus can now spread faster and wider than ever. Here are some common ways for a virus to enter the computer system users: • Attachments • The malicious scripts in web pages or HTML e-mail • FTP traffic from the Internet (file downloads) • The shared network files and network traffic in general • Demonstration of software • pirated software • retractable production programs (rare) • Computer Labs • bulletin boards (BBS) • Disk swapping (using diskettes other persons to carry data and programs from front to back) high-risk files The most dangerous types are the files: . EXE,. COM,. XLS,. DOC,. MDB Because they do not require conversion to infect a specific computer – all they have learned to do is run and therefore the spread of the virus. It has been estimated that 99% of all viruses are written for these file formats. A list of possible virus carriers includes: EXE – (executable file) SYS – (executable file) COM – (executable file) DOC – (Microsoft Word) XLS – (Microsoft Excel) MDB – (Microsoft Access) ZIP – (compressed file, common to the United States) ARJ – (compressed file, common to the United States) RVD – (device driver) BIN – (Common image file boot sector) SCR – (screen saver Microsoft) Common symptoms of infection ? computer does not start. ? Computer disk space is reduced. Applications ? does not load. ? An application takes longer to load than normal period. ? diving activity increases especially hard when nothing is done on the computer. ? A message appears antivirus software. ? The number of bad sectors hard disk is steadily increasing. ? unusual graphics or messages displayed on the screen ? files are missing (deleted) ? A message appears that the disk drive can not be detected or recognized. ? Strange sounds come from the computer. ? Some viruses take control of the keyboard and sometimes replace a key neighbors that actually pressed. Another virus “swallows” keys so that nothing appears on the screen. ? as interesting are the effects of weather system. Clocks reversing are particularly frightening for workers who can not wait to get home. More seriously, this type of virus can cause chaos for programs that depend on the system time or date. ? Some viruses can be costly to the user by calling on his modem. We do not know who made premium-rate telephone numbers, but no doubt we shall soon see. A particularly malicious virus dials 911 (the emergency number in the U.S.) and takes the precious time of emergency services. The categories of viruses According to the source of information different types of viruses can be classified as follows: PDA VIRUS The rise of PDAs has spawned a new breed of virus. Proceedings of creative programmers have leveraged the ability of the PDA to communicate with other devices and run programs, because digital chaos. The world blissfully sure where the users of these devices can sync and download with impunity ended in August 2000 with the discovery of the virus Palm Liberty. Since then, many viruses have been discovered more. Although not as harmful as their PC cousins, these viruses still pose a threat to unsuspecting users. Their effects vary from a harmless flash of a message or an unwanted increase in energy consumption, the elimination of all programs installed. But the threat is growing, and the destruction of these viruses is provided in parallel the development of devices with which they attack. Multipartite VIRUS A virus that combines two or more different methods of infection is called a multipartite virus. This type of virus can infect files and boot sector of a disk. multi-partite viruses share certain characteristics of boot sector viruses and file viruses: they can infect. COM files. exe, and the boot sector of hard disk of the computer. On a computer booted with an infected disk, the virus of multi-partite first become resident in memory and then infect the boot sector of hard disk. From there, the virus can infect the whole environment of a PC. Not many forms of this class of viruses actually exist. However, they do represent a disproportionate percentage of all infections. Tequila Anticad are examples of multi-virus. BOMBS The two most common types of bombs are bombs and logic bombs. A bomb hidden on the disk of the victim and waits for a specified date before the execution. A logic bomb can be activated by a date, a modification of a file, or a particular action taken by a user or program. The bombs are treated as viruses because they can cause damage or disrupt a system. Boot sector viruses Until the mid-1990s, the boot sector viruses were the type of virus most common, mainly in the spread of 16-bit DOS world via floppy disk. The boot sector viruses infect the boot sector on a floppy disk and spread on a user’s hard disk, and can also infect the master boot record (MBR) on the hard drive of a user. Once the MBR or boot sector on the hard drive is infected, the virus attempts to infect the boot sector of each disk is inserted into the computer and accessed. Examples of boot sector viruses are Michelangelo, and Satria Keydrop. Boot sector viruses work like this: Suppose that the user has received a disk with a boot sector infection. The user data copied to it, but I forgot to remove the A: drive. When he started the computer the next time the boot process to run the boot sector infected floppy. The virus will infect the first load and hard disk. Note that this can be avoided by changing the boot sequence in the CMOS (either C: boot drive before A:). By hiding on the first sector of a disk, the virus is loaded into memory before system files are loaded. This allows him to take control of DOS interrupts the process and replaces the original contents of the MBR or DOS boot sector with their own content and move the data from the original boot sector to another area on the disk. Because the virus has infected a system area of disk drive, it will be loaded into memory each time the computer is started. He will first take control of low-level services of the system disk before you run the startup code of origin of the sector where it has stored in another part of the disk drive. The computer seems to behave exactly as it should. Nobody will notice the extra fractions of a second was added to the boot sequence. During normal operation of the virus will gladly remain in memory. Thank you to the fact that he has control services disk, it can easily monitor disk access requests – including floppies. Upon receiving a request to access a disk it determines that there is a disk in the floppy drive. It will then examine its boot sector to see if it has already been infected. If it finds the disk clean, it will replace the boot sector with its own code. From that moment, the disk will be a “carrier” and become a way for infection to other PCs. The virus will also monitor the disk requests for special access to the boot sector. The boot sector contains its own code, and a request to read it could be a program audit anti-virus viruses. The virus will not allow the boot sector to be read and redirect all requests to the location on the hard drive where it has saved the original. In this way nothing abnormal is detected. These methods are called stealth techniques and their main objective is to mask the presence of the virus. Not all viruses use stealth boot, but not those who are common. Boot viruses can also infect non-file (system) areas of hard drives and floppy disks. These areas offer an effective way for a virus to spread from one computer to another. boot virus reached a higher degree of success that the virus infecting their program objectives and dissemination. virus can infect boot DOS, Windows 3. x, Windows 95/98, Windows NT, Novell NetWare, and even systems. This is because they exploit the inherent characteristics of the computer (rather than the operating system) and start to spread. Clean boot sector virus can be carried by the boot from a floppy disk system rather than the infected hard drive, or finding the original boot sector and replace the right place on the disc. GROUP OF VIRUSES The virus makes changes to a file system disks. If a program is run from the infected disk, the program causes the virus to run well. This technique creates the illusion that the virus has infected all the programs on the disk. E-MAIL VIRUS These types of viruses can be transmitted by e-mail messages sent over private networks or the Internet. Some email viruses are transmitted by an infected attachment document file or a program that is attached to the message. This type of virus is executed when the victim opens the file that is attached to the message. Other types of email viruses reside in the body of the message itself. To store a virus, the message must be encoded in HTML format. Once launched many email viruses attempt to spread by sending messages to everyone in the address book of the victim, each of which contains a copy of the virus. The last thing in the world of computer viruses is the e-mail virus called Melissa virus, which resurfaced in March 1999. Melissa spread in Microsoft Word documents sent by e-mail, and it worked like this: Someone created the virus as a Word document uploaded to an Internet discussion group. Anyone who downloaded the document and opened it trigger the virus. The virus would then send the document (and therefore itself) in an e-mail to the first 50 people in the address book of the person. The e-mail contains a friendly note that included the name of the person, so that the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient’s computer. As a result, the Melissa virus was the virus most rapid breakdown ever seen and it has forced a number of large companies to close their e-mail systems at this time. The ILOVEYOU virus, which appeared May 4, 2000, was even simpler. It contained a piece of code attached. People who double clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the address book of the victim and then started corrupting files on the victim’s computer. It’s as simple as a virus can get. It is really more of a Trojan horse distributed by e-mail is a virus. The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and can be programmed to do things like modify files and send e-mails. It also has a useful but dangerous auto-run feature. A programmer can insert a program into a document that runs instantly whenever the document is opened. So the Melissa virus was programmed. Anyone who has opened a document infected with Melissa immediately activate the virus. It would send the 50 e-mails, then infect a central file called “normal”. DOT so that any file saved later also contain the virus! He created a huge mess. FILE viruses infecting File infectors usually operate in memory and infects executable files with the following extensions: *. COM, *. EXE, *. DRV, *. Dll, *. BIN, *. OVL, *. SYS. They activate every time the infected file is executed by copying themselves to other executable files and can remain in the memory long after the virus has been activated. Thousands of different file infecting viruses exist, but similar to boot sector viruses, the vast majority operates in a DOS 16-bit. Some, however, have successfully infected Microsoft Windows, IBM OS / 2, and Apple Computer Macintosh environments. file viruses can be further separated into categories by how they handle their objectives: TSR FILE VIRUS A less common type of virus is the virus file terminate-and-stay-resident. As its name suggests these viruses infect files in general it is. COM and. exe. However, there are some viruses device driver, some viruses that infect overlay files, and although more than 99% of executable programs have the extension. COM and. exe, others not. For a virus to spread TSR we have to run an infected program. The virus goes memory resident typically looking at each program running and then it infects. Examples of file viruses are TSR Dark Avenger and Green Caterpillar. CRUSH VIRUS These viruses infect by overwriting a portion of their target with their own code, but in doing so, they corrupt the file. The file will never be another purpose other than the virus from spreading further. For this reason, they are usually detected quickly and does not spread easily. PARASITIC VIRUSES These viruses attach themselves to executable without significantly altering the content of the host program. They attach by adding its code at the beginning, end, or even to the middle and divert program flow so that the virus is executed first. When the virus has completed its work, control is passed to the host. Running the host is a little delayed, but this is generally not noticeable. Macro viruses Many applications more simple macro-systems that allow the user to record a sequence of operations in the application and link them to a specific key. Later, the user can perform the same sequence of operations by simply hitting the specified key. New applications provide much more complex macro-systems. The user can write any macro-programs that run in the word processor or spreadsheet environment and are attached directly to word processing and spreadsheet files. Unfortunately, this capability also allows creation of macro viruses. Macro viruses currently account for about 80 percent of all viruses, according to the International Computer Security Association (ICSA), and are the fastest growing viruses in computer history. Unlike other virus types, macro viruses are not specific to an operating system and spread with ease via email attachments, floppy disks, Internet downloads, file transfers, and collaborative applications. Macro viruses are, however, the specific application. A macro virus is designed to infect a specific type of document file, such as Microsoft Word or Excel. They infect macro utilities that accompany such applications as Microsoft Word and Excel, which means a Word macro virus can not infect an Excel document and vice versa. A macro virus is embedded in a document file and can travel between data files in the application and can eventually infect hundreds of files so discouraged and in the process to different levels of damage data from corrupt documents the deletion of data. Macro viruses are written in “programming language of every man” – Visual Basic – and are relatively easy to create. They can infect at different points using a file, for example, when it is opened, saved, closed or deleted A chronology of the typical virus macro begins when an infected document or a spreadsheet is loaded. The application also loads all the macros that are attached to the accompanying folder. If one or more macros to meet certain criteria, the application will also immediately implement these macros. Macro viruses rely on the ability of self-enforcement to take control of the macro system of the application. Once the macro virus is loaded and executed, it waits for the user to edit a new document, and foot, and then again in action. It pays macro virus programs on the new document, and then allows the application to save the document normally. In this mode, the virus spreads to another file and made a totally discreet. Users have no idea of the infection. If this new file is later opened on another computer, the virus load once again, will be launched by the application, and find other files to infect unsuspecting. Finally, since a macro virus is concerned, the application uses the operating system. A macro virus can only spread to one of the platforms on which the application is installed and running. For example, a single macro virus that uses Microsoft Word could potentially extend to Windows 3. x, Windows 95/98, NT window, and the Macintosh. The macro virus for Word In the summer of 1995, Microsoft Word 6 was the first product affected by the macro virus. The first (WM / Concept. A) was in fact a proof of concept – one installed macros (called the payload) contained this remark: ”This is enough to prove my point” Most of the Word macro virus to use a feature called “automacros. The basic principle is that some macros with names are automatically executed when you start Word, open a file, or close a file. Macro viruses, macros and then inserted into NORMAL. DOT – a standard that is loaded whenever Word starts. In Word there are several ways to disable automacros but this is not the ultimate solution. Some macro viruses use other methods to take control of the Word environment. Another method of self-protection may be to NORMAL. DOT readonly. But it can also be bypassed, and, moreover, it prevents the user to customize the model. Macro viruses for Excel Excel has the same opportunities for virus writers Word. He automacros and a directory called XLSTART whose models are automatically loaded. But Excel did not quite normal, like Word VBA macros. In Excel there is what is called “formulas” – macros stored in spreadsheet cells. The first macro virus using this technology has been XF / Paix. Macro viruses for other MS Office products: Writing a macro virus for the other Office products is not difficult. There were already viruses for access, and it is expected that there will be macro virus for Power Point in the near future. But macro viruses are not as dangerous as macro viruses for Word or Excel. Not because of some limitations of the desktop products, but because the data files from these products are not often shared. There is a danger that can be viewed in PowerPoint the day, even without a native macro virus written for this product. Programmers can include in their presentation a number of objects from Excel or Word. And these objects can be infected by macro viruses – if they change the layout and open the infected object with its main application, the virus can spread further. But the current situation can change dramatically in coming years. Microsoft has a technology licensing VBA for many companies, we can expect to see more macro viruses for other products too. Polymorphic viruses This type of virus can change itself whenever it is copied, it is difficult to isolate. Most viruses just attach identical copies of themselves the files they infect. An antivirus program can detect the virus code (or signature) because it is always the same and quickly track down the virus. To avoid such an easy detection, polymorphic viruses work a little differently. Unlike viruses simple, when a polymorphic virus infects a program, it blurs the virus code in the body of the program. This means that interference both infections are similar, making their detection more difficult. These viruses create a new decryption routine each time they infect, so that each infected file has a different sequence of the virus code. STEALTH VIRUS Stealth viruses are actively seeking to hide from attempts to detect or remove them. They can also hide the changes they make to other files, hide the damage caused by the user and the operating system. Stealth viruses, interceptors or interruption, as they are sometimes called, take control instructions DOS-level key by intercepting interrupt table, which is at the beginning of memory. This gives the virus an opportunity to do two important things: 1) take control of the system by redirecting the interrupt request, and 2) to hide to avoid detection. They use techniques such as intercepting disk reads provide a non-infected original element instead of copying infected (read stealth virus), change the directory or file data disk for files infected program (size-stealth), or both. g. Trap 1. About. htm 2. http://www. co. 3. http://www. htm 4. 5. 6. 7. 8. 9. 10. Ltd.