
COMPUTER VIRUS & ANTIVIRUS SYSTEMS

INDEX
1. Introduction
2. General information
3. How to deal with Viruses
4. How to protect from Viruses
5. How Viruses spread around the world?
6. Computer Viruses & Network Security
7. AntiVirus
8. AntiVirus Databases
9. Statistics
10. Conclusion
11. Forecast

Introduction to Computer Viruses


Computer virus
A computer virus is a computer program that can copy itself and infect a
computer without permission or knowledge of the user. The term "virus" is also
commonly used, albeit erroneously, to refer to many different types of malware
and adware programs. The original virus may modify the copies, or the copies
may modify themselves, as occurs in a metamorphic virus. A virus can only
spread from one computer to another when its host is taken to the uninfected
computer, for instance by a user sending it over a network or the Internet, or by
carrying it on a removable medium such as a floppy disk, CD, or USB drive.
Viruses can also spread to other computers by infecting files on a network
file system or a file system that is accessed by another computer. Viruses are
sometimes confused with computer worms and Trojan horses. A worm can
spread itself to other computers without needing to be transferred as part of a
host, and a Trojan horse is a file that appears harmless. Worms and Trojans
may cause harm to either a computer system's hosted data, functional
performance, or networking throughput, when executed. In general, a worm
does not actually harm either the system's hardware or software, while at least
in theory, a Trojan's payload may be capable of almost any type of harm if
executed. Some cannot be seen while the program is not running, but as soon as
the infected code is run, the Trojan horse kicks in. That is why it is so hard for
people to find viruses and other malware themselves, and why they have to use
anti-spyware programs and registry tools.
Most personal computers are now connected to the Internet and to local area
networks, facilitating the spread of malicious code. Today's viruses may also
take advantage of network services such as the World Wide Web, e-mail,
Instant Messaging and file sharing systems to spread, blurring the line between
viruses and worms. Furthermore, some sources use an alternative terminology
in which a virus is any form of self-replicating malware.
Some malware is programmed to damage the computer by damaging
programs, deleting files, or reformatting the hard disk. Other malware programs
are not designed to do any damage, but simply replicate themselves and
perhaps make their presence known by presenting text, video, or audio
messages. Even these less sinister malware programs can create problems for
the computer user. They typically take up computer memory used by legitimate
programs. As a result, they often cause erratic behavior and can result in
system crashes. In addition, much malware is bug-ridden, and these bugs may
lead to system crashes and data loss. Many CiD programs are programs that
have been downloaded by the user and pop up every so often. This results in
slowing down of the computer, but it is also very difficult to find and stop the
problem.

A person might have a computer virus infection when the computer starts
acting differently: for instance it gets slow, or when they turn the computer on
it says that all the data is erased, or when they start writing a document it
looks different, some chapters might be missing, or something else abnormal
has happened.
The next thing that usually happens is that the person whose computer might
be infected with a virus panics. The person might think that all the work that
has been done is missing. That could be true, but in most cases the virus has
not done any harm yet; however, when one starts doing something without
being sure what one is doing, that might be harmful. When some people try to
get rid of viruses they delete files, or they might even format the whole hard
disk, like my cousin did. That is not the best way to act when a person thinks
that he has a virus infection.
What do people do when they get sick? They go to see a doctor if they do not
know what is wrong with them. It is the same way with viruses: if the person
does not know what to do, they call someone who knows more about viruses
and get professional help.
If a person reads email on their PC, or uses diskettes to transfer files between
the computer at work and the computer at home, or just transfers files
between two computers, they have a good chance of getting a virus. They
might also get viruses when they download files from any Internet site. There
was a time when people were able to be sure that some sites were secure, that
those secure sites did not have any virus problems, but nowadays people
cannot be sure of anything. There have been viruses even on Microsoft's
download sites.
In this report I am going to introduce different malware types, how they
spread and how to deal with them. The most common viruses nowadays are
macro viruses, and I am going to spend a little more time on them. I am also
going to give an example of Trojan horses stealing passwords.

Computer virus timeline


1949
Theories for self-replicating programs are first developed.
1981
Apple Viruses 1, 2, and 3 are some of the first viruses in the world or in
the public domain. Found on the Apple II operating system, the viruses
spread through Texas A&M via pirated computer games.
1983
Fred Cohen, while working on his dissertation, formally defines a
computer virus as “a computer program that can affect other computer
programs by modifying them in such a way as to include a (possibly
evolved) copy of itself.”
1986
Two programmers named Basit and Amjad replace the executable code in
the boot sector of a floppy disk with their own code designed to infect
each 360kb floppy accessed on any drive. Infected floppies had “© Brain”
for a volume label.
1987
The Lehigh virus, one of the first file viruses, infects command.com files.
1988
One of the most common viruses, Jerusalem, is unleashed. Activated
every Friday the 13th, the virus affects both .exe and .com files and
deletes any programs run on that day.
MacMag and the Scores virus cause the first major Macintosh outbreaks.
1990
Symantec launches Norton AntiVirus, one of the first antivirus programs
developed by a large company.
1991
Tequila is the first widespread polymorphic virus found in the wild.
Polymorphic viruses make detection difficult for virus scanners by
changing their appearance with each new infection.
1992
1300 viruses are in existence, an increase of 420% from December of
1990.
The Dark Avenger Mutation Engine (DAME) is created. It is a toolkit that
turns ordinary viruses into polymorphic viruses. The Virus Creation
Laboratory (VCL) is also made available. It is the first actual virus creation
kit.
1994
Good Times email hoax tears through the computer community. The hoax
warns of a malicious virus that will erase an entire hard drive just by
opening an email with the subject line “Good Times.” Though disproved,
the hoax resurfaces every six to twelve months.

1995
Word Concept becomes one of the most prevalent viruses in the mid-
1990s. It is spread through Microsoft Word documents.
1996
Baza, Laroux (a macro virus), and Staog viruses are the first to infect
Windows95 files, Excel, and Linux respectively.
1998
Currently harmless and yet to be found in the wild, StrangeBrew is the
first virus to infect Java files. The virus modifies CLASS files to contain a
copy of itself within the middle of the file's code and to begin execution
from the virus section.
The Chernobyl virus spreads quickly via .exe files. As the notoriety
attached to its name would suggest, the virus is quite destructive,
attacking not only files but also a certain chip within infected computers.
Two California teenagers infiltrate and take control of more than 500
military, government, and private sector computer systems.

1999
The Melissa virus, W97M/Melissa, executes a macro in a document
attached to an email, which forwards the document to 50 people in the
user's Outlook address book. The virus also infects other Word documents
and subsequently mails them out as attachments. Melissa spread faster
than any previous virus, infecting an estimated 1 million PCs.
Bubble Boy is the first worm that does not depend on the recipient
opening an attachment in order for infection to occur. As soon as the user
opens the email, Bubble Boy sets to work.
Tristate is the first multi-program macro virus; it infects Word, Excel, and
PowerPoint files.
2000
The Love Bug, also known as the ILOVEYOU virus, sends itself out via
Outlook, much like Melissa. The virus comes as a VBS attachment and
deletes files, including MP3, MP2, and .JPG. It also sends usernames and
passwords to the virus's author.
W97M.Resume.A, a new variation of the Melissa virus, is determined to be
in the wild. The “resume” virus acts much like Melissa, using a Word
macro to infect Outlook and spread itself.
The “Stages” virus, disguised as a joke email about the stages of life,
spreads across the Internet. Unlike most previous viruses, Stages is
hidden in an attachment with a false “.txt” extension, making it easier to
lure recipients into opening it. Until now, it has generally been safe to
assume that text files are safe.
“Distributed denial-of-service” attacks by hackers knock Yahoo, eBay,
Amazon, and other high profile web sites offline for several hours.

2001
Shortly after the September 11th attacks, the Nimda virus infects
hundreds of thousands of computers in the world. The virus is one of the
most sophisticated to date with as many as five different methods of
replicating and infecting systems. The “Anna Kournikova” virus, which
mails itself to persons listed in the victim's Microsoft Outlook address
book, worries analysts who believe the relatively harmless virus was
written with a “tool kit” that would allow even the most inexperienced
programmers to create viruses. Worms increase in prevalence with
Sircam, CodeRed, and BadTrans creating the most problems. Sircam
spreads personal documents over the Internet through email. CodeRed
attacks vulnerable webpages, and was expected to eventually reroute its
attack to the White House homepage. It infected approximately 359,000
hosts in the first twelve hours. BadTrans is designed to capture passwords
and credit card information.
2002
Author of the Melissa virus, David L. Smith, is sentenced to 20 months in
federal prison. The LFM-926 virus appears in early January, displaying the
message “Loading.Flash.Movie” as it infects Shockwave Flash (.swf) files.
Celebrity named viruses continue with the “Shakira,” “Britney Spears,”
and “Jennifer Lopez” viruses emerging. The Klez worm, an example of the
increasing trend of worms that spread through email, overwrites files (its
payload fills files with zeroes), creates hidden copies of the originals, and
attempts to disable common anti-virus products. The Bugbear worm also
makes its first appearance in September. It is a complex worm with many
methods of infecting systems.
2003
In January the relatively benign “Slammer” (Sapphire) worm becomes the
fastest spreading worm to date, infecting 75,000 computers in
approximately ten minutes, doubling its numbers every 8.5 seconds in its
first minute of infection. The Sobig worm becomes one of the first to join the
spam community. Infected computer systems have the potential to become
spam relay points, and spamming techniques are used to mass-mail copies of
the worm to potential victims.
2004
In January a computer worm, called MyDoom or Novarg, spreads through
emails and file-sharing software faster than any previous virus or worm.
MyDoom entices email recipients to open an attachment that allows
hackers to access the hard drive of the infected computer. The intended
goal is a “denial of service attack” on the SCO Group, a company that is
suing various groups for using an open-source version of its Unix
programming language. SCO offers a $250,000 reward to anyone giving
information that leads to the arrest and conviction of the people who
wrote the worm.

An estimated one million computers running Windows are affected by the


fast-spreading Sasser computer worm in May. Victims include businesses,
such as British Airways, banks, and government offices, including Britain's
Coast Guard. The worm does not cause irreparable harm to computers or
data, but it does slow computers and cause some to quit or reboot
without explanation. The Sasser worm is different than other viruses in
that users do not have to open a file attachment to be affected by it.
Instead, the worm seeks out computers with a security flaw and then
sabotages them. An 18-year-old German high school student confessed to
creating the worm. He's suspected of releasing another version of the
virus.

Virus Origins

Computer viruses are called viruses because they share some of the traits of
biological viruses. A computer virus passes from computer to computer like a
biological virus passes from person to person.
Unlike a cell, a virus has no way to reproduce by itself. Instead, a biological
virus must inject its DNA into a cell. The viral DNA then uses the cell's existing
machinery to reproduce itself. In some cases, the cell fills with new viral
particles until it bursts, releasing the virus. In other cases, the new virus
particles bud off the cell one at a time, and the cell remains alive.
A computer virus shares some of these traits. A computer virus must
piggyback on top of some other program or document in order to launch. Once
it is running, it can infect other programs or documents. Obviously, the analogy
between computer and biological viruses stretches things a bit, but there are
enough similarities that the name sticks.

2. General information about computer viruses


2.1 Different malware types
Malware is a general name for all programs that are harmful: viruses, Trojans,
worms and all other similar programs.

2.1.1 Viruses
A computer virus is a program, a block of executable code, which attaches itself
to, overwrites or otherwise replaces another program in order to reproduce itself
without the knowledge of the PC user.
There are a couple of different types of computer viruses: boot sector viruses,
parasitic viruses, multi-partite viruses, companion viruses, link viruses and
macro viruses. These classifications take into account the different ways in
which the virus can infect different parts of a system. The manner in which each
of these types operates has one thing in common: any virus has to be executed
in order to operate.
Most viruses are pretty harmless. The user might not even notice the virus for
years. Sometimes viruses might cause random damage to data files, and over a
long period they might destroy files and disks. Even benign viruses cause
damage by occupying disk space and main memory and by using up CPU
processing time. There is also the time and expense wasted in detecting and
removing viruses.

2.1.2 Trojan
A Trojan Horse is a program that does something other than what the user
thought it would do. It is mostly done to someone on purpose. Trojan Horses are
usually masked so that they look interesting, for example a saxophone.wav file
that interests a person collecting sound samples of instruments. A Trojan Horse
differs from a destructive virus in that it does not reproduce. There has been a
password Trojan out in AOL land (America Online): Password30 and
Pasword50, which some people thought were .wav files, but they were disguised,
and people did not know that they had the Trojan in their systems until they
tried to change their passwords.
According to an administrator of AOL, the Trojan steals passwords and sends an
e-mail to the hacker's fake name, and then the hacker has your account in his
hands.

2.1.3 Worms
A worm is a program which usually spreads over network connections. Unlike a
virus, which attaches itself to a host program, a worm does not need a host
program to spread. In practice, worms are not normally associated with
single-user personal computer systems. They are mostly found in multi-user
systems such as Unix environments. A classic example of a worm is Robert
Morris's Internet worm of 1988.

2.2 Macro virus

Macro viruses spread from applications which use macros. The macro viruses
which are receiving attention currently are specific to Word 6, WordBasic and
Excel. However, many applications, not all of them Windows applications, have
potentially damaging and infective macro capabilities too.
The CAP macro virus, now widespread, infects macros attached to Word 6.0 for
Windows, Word 6.0.1 for Macintosh, Word 6.0 for Windows NT, and Word for
Windows 95 documents.
What makes such a virus possible is that the macros are created in WordBASIC,
which even allows DOS commands to be run. WordBASIC is a programming
language which links features used in Word to macros.
A virus named "Concept" has no destructive payload; it merely spreads after
a document containing the virus is opened. Concept copies itself to other
documents when they are saved, without affecting the contents of the
documents. Since then, however, other macro viruses have been discovered, and
some of them contain destructive routines.
Microsoft suggests opening files without macros to prevent macro viruses from
spreading, unless the user can verify that the macros contained in the
document will not cause damage. This does NOT work for all macro viruses.
Why are macro viruses so successful? Today people share so much data, email
documents and use the Internet to get programs and documents. Macros are
also very easy to write. The problem is also that Word for Windows corrupts
macros inadvertently, creating new macro viruses.

Corruption also creates "remnant" macros which are not infectious, but look
like viruses and cause false alarms. Known macro viruses can get together and
create wholly new viruses.

There have been viruses since 1986 and macro viruses since 1995. Now about
15 percent of viruses are macro viruses. There are about 2,000 macro viruses
and about 11,000 DOS viruses, but the problem is that macro viruses spread so
fast. New macro viruses are created in the workplace, on a daily basis, on
typical end-user machines, not in a virus lab. New macro virus creation is due
to corruption, mating and conversion. Traditional anti-virus programs are also
not good at detecting new macro viruses.
Almost all viruses detected at the Helsinki University of Technology have been
macro viruses, according to Tapio Keihänen, the virus specialist at HUT.
Before macro viruses it was easier to detect and repair virus infections with
anti-virus programs. But now that there are new macro viruses, it is harder to
detect them, and people are more in contact with their anti-virus vendor to
detect and repair unknown macro viruses, because new macro viruses spread
faster than new anti-virus program updates come out.
2.3 Virus sources
Viruses do not just appear; there is always somebody who has made them and
has their own reason to do so. Viruses are written everywhere in the world. Now
that the information flow in the net and the Internet grows, it does not matter
where the virus is made.
Most of the writers are young men. There are also a few university students,
professors, computer store managers, writers, and even a doctor who has
written a virus. One thing is common to these writers: all of them are men;
women do not waste their time writing viruses. Women are either smarter or
they are just so good that they never get caught.
2.3.1 Why do people write and spread viruses?
It is difficult to know why people write them. Everyone has their own reasons.
Some general reasons are to experiment with how to write viruses or to test
their programming talent. Some people just like to see how the virus spreads
and gets famous around the world. The following list, from postings in the
newsgroup alt.comp.virus, tries to explain why people write and spread viruses.

• they don't understand or prefer not to think about the consequences for
other people
• they simply don't care
• they don't consider it to be their problem if someone else is
inconvenienced
• they draw a false distinction between creating/publishing viruses and
distributing them
• they consider it to be the responsibility of someone else to protect
systems from their creations
• they get a buzz, acknowledged or otherwise, from vandalism
• they consider they're fighting authority
• they like 'matching wits' with anti virus vendors
• it's a way of getting attention, getting recognition from their peers and
their names (or at least that of their virus) in the papers and the Wild List
• they're keeping the anti virus vendors in a job

2.4 How viruses act


A virus's main mission is to spread out and then become active. Some viruses
just spread out and never activate. When viruses spread out, they make copies
of themselves, and the spreading itself is harmful.
2.4.1 How viruses spread out
A virus's mission is to hop from one program to another, and this should
happen as quickly as possible. Usually viruses join the host program in some
way. They may even write over part of the host program.
A computer is infected with a boot sector virus if it is booted from an infected
floppy disk. Boot sector infections cannot normally spread across a network.
These viruses normally spread via floppy disks, which may come from virtually
any source:

• unsolicited demonstration disks
• brand-new software
• disks used on your PC by salesmen or engineers
• repaired hardware

A file virus infects other files, when the program to which it is attached is run,
and so a file virus can spread across a network and often very quickly. They
may be spread from the same sources as boot sector viruses, but also from
sources such as Internet FTP sites and newsgroups. Trojan horses spread just
like file viruses.
A multipartite virus infects boot sectors and files. Often, an infected file is used
to infect the boot sector: thus, this is one case where a boot sector infection
could spread across a network.

2.4.2 How viruses activate


We are always afraid that viruses do something harmful to files when they
become active, but not all viruses activate. Some viruses just spread out, but
when viruses do activate they do very different things. They might play part of
a melody or play music in the background, show a picture or an animated
picture, show text, format the hard disk or make changes to files.
As an example, in one unnamed company, over a long period of time the files
on a server were corrupted just a bit. So backup copies were taken of the
corrupted files. By the time they noticed that something was wrong, it was too
late to get the data back from the backups. That kind of event is the worst that
can happen for the users.
There is also talk that viruses have done something to hardware like the hard
disk or the monitor. Viruses cannot do any harm to hardware, but they can do
harm to programs and, for example, to the BIOS, so that the computer does not
start after that.
2.5 Viruses in different platforms
2.5.1 PC viruses
Viruses are mostly written for PC computers and the DOS environment. Even
though viruses are made for the DOS environment, they also work in Windows,
Windows 95, Windows NT and OS/2 operating systems. Some viruses, like boot
sector viruses, do not care about the operating system at all.
2.5.2 Macintosh viruses
Macintosh viruses are not as big a problem as PC viruses are. There are not so
many viruses for the Macintosh operating system. Macintosh viruses have been
found mostly in schools.
How many Mac viruses are there? I found out that there are about 200 to 300
Mac-specific viruses. There are virtually no macro viruses which have a
Mac-specific payload, but all macro viruses can infect Macs and other platforms
which run Word 6.x or better.

2.5.3 Other platforms


Viruses can be found in almost any kind of computer, such as the HP
calculators used by students like the HP 48, old computers like the Commodore
64, and Unix computers too.
In general, there are virtually no non-experimental UNIX viruses. There have
been a few worm incidents, most notably the Morris Worm, the Internet Worm
of 1988.
There are products which scan some Unix systems for PC viruses. Any machine
used as a file server (Novell, Unix etc.) can be scanned for PC viruses by a DOS
scanner if it can be mounted as a logical drive on a PC running appropriate
network client software such as PC-NFS.
Intel-based PCs running Unix, e.g. Linux, can also be infected by a DOS
boot-sector virus if booted from an infected disk. The same goes for other
PC-hosted operating systems such as NetWare.
While viruses are not a major risk on Unix platforms, integrity checkers and
audit packages are frequently used by system administrators to detect file
changes made by other kinds of attack.

3. How to deal with viruses


3.1 What are the signs of viruses
Almost anything odd a computer may do can be blamed on a computer "virus,"
especially if no other explanation can readily be found. Many operating systems
and programs also do strange things, so there is no reason to immediately
blame a virus. In most cases, when an anti-virus program is then run, no virus
can be found.
A computer virus can cause unusual screen displays or messages, but most
don't do that. A virus may slow the operation of the computer, but many times
that doesn't happen. Even longer disk activity or strange hardware behavior
can be caused by legitimate software, harmless "prank" programs, or by
hardware faults. A virus may cause a drive to be accessed unexpectedly and
the drive light to go on, but legitimate programs can do that also.
One usually reliable indicator of a virus infection is a change in the length of
executable (*.com/*.exe) files, a change in their content, or a change in their
file date/time in the directory listing. But some viruses don't infect files, and
some of those which do can avoid showing the changes they've made to files,
especially if they're active in RAM.
Another common indication of a virus infection is a change in the assignment
of system resources. Unaccounted-for use of memory, or a reduction in the
amount normally shown for the system, may be significant.
In short, observing "something funny" and blaming it on a computer virus is
less productive than scanning regularly for potential viruses, and not scanning
because "everything is running OK" is equally inadvisable.
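The file-length, content and date/time indicator described above is exactly what an integrity checker (the kind of tool section 2.5.3 says Unix administrators rely on) automates: record a baseline of every executable while the system is known to be clean, then compare against it later. The following Python script is an added example and is not part of the original report; the file names, the directory layout and the 64 bytes appended to GAME.EXE are constructed for the demonstration. It records a SHA-256 hash alongside size and modification time because, as the text notes, an active virus can hide the changes it made, and a restored size or date is far cheaper to fake than a matching hash.

```python
import hashlib
import tempfile
from pathlib import Path

# Which files the baseline covers; the report's indicator concerns *.com/*.exe
EXECUTABLE_SUFFIXES = {".com", ".exe"}


def fingerprint(path: Path) -> dict:
    """Size, modification time (whole seconds) and SHA-256 of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    stat = path.stat()
    return {"size": stat.st_size, "mtime": int(stat.st_mtime),
            "sha256": digest.hexdigest()}


def build_baseline(root: Path, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Map each executable under root (by relative path) to its fingerprint."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            baseline[path.relative_to(root).as_posix()] = fingerprint(path)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify every file as changed, touched, added or removed.

    'changed' means the content hash differs, which is the reliable signal;
    the attached list names which of size/mtime/sha256 moved, so a file whose
    size and date were put back still shows up, with ["sha256"] alone.
    'touched' means only the timestamp moved while the bytes are identical.
    """
    report = {"changed": [], "touched": [], "added": [], "removed": []}
    for name, fp in new.items():
        if name not in old:
            report["added"].append(name)
            continue
        diffs = [k for k in ("size", "mtime", "sha256") if fp[k] != old[name][k]]
        if "sha256" in diffs:
            report["changed"].append((name, diffs))
        elif diffs:
            report["touched"].append(name)
    report["removed"] = [name for name in old if name not in new]
    return report


def demo() -> dict:
    """Constructed scenario: a directory of dummy executables. After the
    baseline is taken, GAME.EXE grows by 64 bytes (the shape of change an
    appending file infector leaves) and a new DROP.EXE appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "EDIT.COM").write_bytes(b"\xe9\x10\x00 dummy editor stub")
        (root / "GAME.EXE").write_bytes(b"MZ dummy game stub")
        (root / "README.TXT").write_bytes(b"not an executable, not baselined")
        baseline = build_baseline(root)

        # Later: GAME.EXE has 64 extra bytes appended and DROP.EXE is new.
        with (root / "GAME.EXE").open("ab") as fh:
            fh.write(b"\x90" * 64)
        (root / "DROP.EXE").write_bytes(b"MZ dummy new file")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

Take the baseline (and run the comparison) while booted from the clean, write-protected medium section 3.2 recommends, and store the baseline somewhere the machine it describes cannot write to; otherwise a memory-resident virus can mask the changes or quietly rewrite the baseline itself.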

3.2 What to do when you find viruses


The first thing you should do when you find a virus is count to ten and stay
cool. You should keep notes on what you do and write down what your virus
programs and your computer tell you. If you are not sure what to do, you
should call the administrator for further action. In some cases it is not good to
start your computer from the hard disk, because the virus may activate and
then do some harm.
Second, make sure that it really is a virus and find out which virus it is. It is
important to know what kind of virus we are dealing with. Companies that
make anti-virus programs know what different viruses do, and you can either
call them and ask about the virus or go to their web pages and read about the
virus you have.
When you start your computer you should do it from a clean (non-infected)
floppy diskette and after that run the anti-virus program. The boot diskette
should be write-protected so that the virus cannot infect the boot diskette too.
It is good to take a backup of the file that was infected. The anti-virus program
could do some damage to the file, and that is why it is good to have a backup.
It is good to let your administrator know about the virus, so that viruses do
not spread around so much. At TKK the PC classes are protected by an
anti-virus program, and that program reports to a person responsible for virus
protection.

4. How to protect from viruses


4.1 How to guard against viruses
The best way to protect yourself is to prepare your computer against viruses in
advance. One way to protect your computer is to use an updated anti-virus
program. When you get an email attachment, you should first check the
attachment with an anti-virus program.
As an example, in one unnamed Finnish company all information was mailed as
email attachments. There was one Word document that was mailed to
everybody. That email attachment was infected by a macro virus. Everyone got
the infected attachment, and those who opened it in Word got the CAP macro
virus. In the end there were a few thousand infections. It took a lot of time and
money to clear that virus.
One can protect the computer against boot sector viruses by setting the BIOS
to start from the hard disk rather than from a floppy disk.
Write protection is a good way to guard against viruses. Write protection
works well on floppy disks, Windows NT and UNIX, but not that well in Windows
and Windows 95.

4.2 Different anti-virus programs


There are three different kinds of anti-viral packages: activity monitors,
authentication or change-detection software, and scanners. Each type has its
own strengths and weaknesses. Commercial anti-viral programs combine the
above-mentioned functions.
There are over ten good anti-viral programs. The best-known programs are Data
Fellows F-Prot, EliaShim ViruSafe, ESaSS ThunderBYTE, IBM AntiVirus, McAfee
Scan, Microsoft Anti-Virus, Symantec Norton AntiVirus and S&S Dr Solomon's
AVTK.
On a day-to-day basis, the average corporation should be very interested in
scan time, as it strongly affects the users, who should be scanning hard drives
and disks on a daily basis. If a product takes too long to carry out these basic
tasks, users will be unwilling to wait and will stop using it. This is clearly
undesirable: the perfect anti-virus product would be one which takes no time to
run and finds all viruses.

5. How computer viruses have spread out around the world?


Computer viruses are a problem all over the world. The following picture shows
how many times people have accessed Data Fellows, a company that makes the
anti-virus program F-Prot: more than 1,672,846 accesses per month. It means
that people are interested in virus information. One reason is that people have
to deal with viruses. Viruses are not only a problem in Finland and the USA;
they are a problem around the world.

Picture 4 Accesses per month

Today's most common virus is the macro virus. The Cap virus is one of the
macro viruses. Last month there were 3100 Cap macro virus accesses during the
last 30 days at Data Fellows. The next most common virus was Join the Crew
with 1171 accesses, and the third most common was Pen pal Greetings with 895
accesses.

Picture 5 Twenty most accessed virus descriptions during the last 30 days

6. Computer viruses and network security


Computer viruses are one network security problem. A few people, when asked
whether computer viruses can cause network security problems, answered as
follows.
Dave Kenney answered from the National Computer Security Assoc: "There is one
macro virus for MSWord that is received as an attachment to MS Mail
messages. If a user has Word open, and double clicks to see the contents of
the attachment, MS Word and the open document are infected. Then the
document is mailed to three other users listed in the original user's address
book."
"The only information that is leaked is the thing you should be worried about,
your password! The trojan sends an E-mail to the hacker's fake name and then
he has your account in his hands," wrote CJ from America Online.
"Rarely, a Word macro virus may accidentally pick up some user information
and carry it along; we know of one case where a macro virus "snatched" an
innocent user macro that contained a password, and spread it far outside the
company where that happened. In the future, however, it is entirely possible
that more network-aware viruses will cause significant network security
problems," wrote David Chess from IBM.
Marko Helenius from the Virus Research Unit wrote that there have been some
cases where hackers have used Trojan horses to gain information. There is one
example in a Finnish corporation where some money was transferred illegally
a year ago. There has been a Trojan at the University of Tampere too, where the
Trojan pretended to be a host transfer program. The Trojan saved users' login
names and passwords to the hard disk.

7. Antivirus
Antivirus software is a class of computer programs that attempt to identify,
neutralize or eliminate malicious software. The term "antivirus" is used because
the earliest examples were designed exclusively to combat computer viruses;
however, most modern antivirus software is now designed to combat a wide
range of threats, including worms, phishing attacks, rootkits, trojan horses and
other malware. Antivirus software typically uses two different approaches to
accomplish this:
• examining (scanning) files to look for known viruses matching definitions
in a virus dictionary, and
• identifying suspicious behavior from any computer program which might
indicate infection.
The second approach is called heuristic analysis. Such analysis may include data
captures, port monitoring and other methods.
Most commercial antivirus software uses both of these approaches, with an
emphasis on the virus dictionary approach. Although some people consider
network firewalls to be a type of antivirus software, this categorization is not
correct.
In the virus dictionary approach, when the antivirus software looks at a file, it
refers to a dictionary of known viruses that the authors of the antivirus software
have identified. If a piece of code in the file matches any virus identified in the
dictionary, then the antivirus software can take one of the following actions:
1. attempt to repair the file by removing the virus itself from the file,
2. quarantine the file (such that the file remains inaccessible to other
programs and its virus can no longer spread), or
3. delete the infected file.
To achieve consistent success in the medium and long term, the virus dictionary
approach requires periodic (generally online) downloads of updated virus
dictionary entries. As civically-minded and technically-inclined users identify
new viruses "in the wild", they can send their infected files to the authors of
antivirus software, who then include information about the new viruses in their
dictionaries.
Dictionary-based antivirus software typically examines files when the
computer's operating system creates, opens, closes, or e-mails them. In this
way it can detect a known virus immediately upon receipt. A system
administrator can also typically schedule the antivirus software to examine
(scan) all files on the computer's hard disk on a regular basis.
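A minimal dictionary scanner illustrating the approach described above, as an added example rather than code from any antivirus product: the dictionary entries and the sample files are constructed for the demonstration, quarantine (action 2 in the list) is implemented as a move out of the scanned tree plus removal of every permission bit, and files are read in chunks with an overlap so that a signature straddling two chunks is still matched.

```python
import os, shutil, tempfile

# Constructed dictionary: detection name -> byte pattern that identifies the
# known sample. A real dictionary holds many thousands of such entries.
DICTIONARY = {
    "Example.Test.A": b"EXAMPLE-DICTIONARY-ENTRY-A",
    "Example.Test.B": bytes.fromhex("deadbeef4142434445"),
}

def scan_bytes(data, dictionary=DICTIONARY):
    """Names of every dictionary entry whose pattern occurs in data."""
    return [name for name, pat in dictionary.items() if pat in data]

def scan_file(path, dictionary=DICTIONARY, chunk=1 << 20):
    """Scan chunk by chunk, carrying an overlap of (longest pattern - 1)
    bytes so a pattern that straddles two chunks is still matched."""
    overlap = max(map(len, dictionary.values())) - 1
    found, carry = set(), b""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            window = carry + block
            found.update(scan_bytes(window, dictionary))
            carry = window[-overlap:] if overlap else b""
    return sorted(found)

def quarantine(path, qdir):
    """Action 2 from the list above: move the file into qdir and drop
    every permission bit so no other program can read or run it."""
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0)
    return dest

def scan_tree(root, qdir):
    """Scheduled full scan: quarantine matches, return {path: [detections]}."""
    report = {}
    for dirpath, _, names in os.walk(root):
        if os.path.abspath(dirpath).startswith(os.path.abspath(qdir)):
            continue  # never rescan the quarantine itself
        for name in names:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[path] = hits
                quarantine(path, qdir)
    return report

def make_constructed_samples():
    """Constructed data: a clean file and one with signature A straddling a
    1 KiB chunk boundary. Returns (root, path_of_infected_file)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "clean.txt"), "wb") as f:
        f.write(b"an ordinary document with nothing suspicious in it")
    bad = os.path.join(root, "bad.bin")
    with open(bad, "wb") as f:
        f.write(b"\x90" * 3060 + b"EXAMPLE-DICTIONARY-ENTRY-A" + b"\x00" * 50)
    return root, bad
```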

Proprietary
• eScan AntiVirus
• ArcaVir by arcabit.com
• avast!
• Avira
• AVG Anti-Virus
• BitDefender
• BullGuard
• CA Anti-Virus
• Cisco Security Agent
• Dr.Web
• DriveSentry (antivirus, antispyware and HIPS technologies)
• eSafe
• Fortinet FortiClient End Point Security
• F-PROT
• F-Secure
• G DATA AntiVirus
• IKARUS antivirus
• INCA Internet
• Kaspersky Anti-Virus
• LinuxShield
• McAfee VirusScan
• Mks vir
• NOD32
• Norman ASA
• Norton AntiVirus
• Panda Security
• PC Tools AntiVirus
• Rising AntiVirus
• Sophos Anti-Virus
• Trend Micro Internet Security
• TrustPort Antivirus -AEC
• Vba32 AntiVirus
• Virus Chaser
• Windows Live OneCare
• ZoneAlarm

FreeWare
• Avira AntiVir Personal - Free Antivirus
• AOL Active Virus Shield (no longer available via AOL)
• AVG Anti-Virus Free (Registerware, Nagware)
• avast! Home (Registerware)
• BitDefender Free version does not provide real time scanning
• Comodo AntiVirus
• DriveSentry Fully functional free version
• F-PROT (for Linux, FreeBSD and DOS only)
• PC Tools AntiVirus Free Edition

Open FreeWare
• Clam AntiVirus
• ClamWin
• OpenAntiVirus
• Winpooch
• Untangle

AbandonWare
• Cyberhawk (now ThreatFire AntiVirus)
• Eliashim (now eSafe)
• The Antidote and Antidote SuperLite
8. Antivirus databases
Kaspersky Lab has shortened its response time to the growing number and
increasing speed of new threats by releasing an increased number of antivirus
database updates.
The number of new records in Kaspersky Lab’s antivirus database each month
in 2006 varied from approximately 5,000 to tens of thousands towards the end
of the year. The average monthly number of new records amounts to 7,240 (not
counting records in the extended databases). The average monthly number of
new records was 4,496 in 2005.

Number of new antivirus database records (yellow indicates standard databases; red indicates
extended databases)
As the chart above shows, the number of monthly records in the antivirus
databases increased irregularly over the course of the year. Each month with an
increase was followed by a decrease. However by the end of the year there was
steady growth that led to a record high of over 10,000 new records per month.
Kaspersky Lab responds to the appearance of new malicious programs by
releasing two types of antivirus database updates: standard updates (about
once an hour) and urgent updates (in the event of an epidemic).
The total number of standard database updates in 2006 exceeded 7,000, with a
monthly average of 600.
Number of standard updates per month
As far as urgent updates are concerned, the data shown in the charts is
particularly interesting for two reasons. First of all, they show the total number
of “epidemiological” situations in 2006 and provide the opportunity to compare
this information with figures from 2005. In addition, they can help us track and
predict when epidemics are likely to occur.

Number of urgent updates per month


These numbers show that events linked to the release of urgent updates were
almost 30% fewer in 2006 than in 2005. In 2005 we saw an average of over 30
urgent updates per month, but in 2006 the monthly average was under
20. These figures show that virus writers were particularly active twice in 2006:
in February-April and again in October-December. The charts clearly show the
traditional summer slow period in June and July.
9. Statistics
Monthly Malware Statistics for July 2008
The format of the 'Virus Top Twenty' reports from Kaspersky Lab has changed
as of July 2008. The previous method used to compile these reports and to
assess the current threat landscape was based on data generated by analysing
email traffic and the files checked using our Online Scanner. However, this
method no longer provides an accurate reflection of the changing nature of
malicious threats; email is no longer the main attack vector, and our data shows
that malicious programs make up a very small proportion of all mail traffic.

From July 2008 onwards, the Top Twenty will be composed using data
generated by Kaspersky Security Network (KSN), a new technology
implemented in the 2009 personal product line. This data not only makes it
possible for Kaspersky Lab to get timely information about threats and to track
their evolution, but also makes it possible for us to detect unknown threats, and
roll out that protection to users, as quickly as possible.

The 2009 personal products haven't been officially launched in all countries,
e.g. in Russia and the USA. The data presented in this report therefore
provides an objective reflection of the threat landscape in the majority of
European and Asian countries. However, in the near future, such reports will
include data provided by users in other countries of the world.

The data received from KSN in July 2008 has been used to compile the following
rankings.

The first is a ranking of the most widespread malicious, advertising, and
potentially unwanted programs. The figures given are a percentage of the
number of computers on which threats were detected.
Position Name
1 Trojan.Win32.DNSChanger.ech
2 Trojan-Downloader.WMA.Wimad.n
3 Trojan.Win32.Monderb.gen
4 Trojan.Win32.Monder.gen
5 not-a-virus:AdWare.Win32.HotBar.ck
6 Trojan.Win32.Monderc.gen
7 not-a-virus:AdWare.Win32.Shopper.v
8 not-a-virus:AdTool.Win32.MyWebSearch.bm
9 Trojan.Win32.Agent.abt
10 Worm.VBS.Autorun.r
11 Trojan.Win32.Agent.rzw
12 Trojan-Downloader.Win32.CWS.fc
13 not-a-virus:AdWare.Win32.Mostofate.cx
14 Trojan-Downloader.JS.Agent.bi
15 Trojan-Downloader.Win32.Agent.xvu
16 not-a-virus:AdWare.Win32.BHO.ca
17 Trojan.Win32.Agent.sav
18 Trojan-Downloader.Win32.Obitel.a
19 Trojan.Win32.Chifrax.a
20 Trojan.Win32.Agent.tfc

As the rating is only compiled using data received during the course of a single
month, it's very hard to make any predictions. However, future reports will
include such forecasts.

Overall, in July 2008, there were 20704 unique malicious, advertising, and
potentially unwanted programs detected on users' computers. Our data
indicates that out of these, approximately 20000 of them were found in the
wild. The second Top Twenty provides figures on the most common malicious
programs among all infected objects detected.

Position Name
1 Trojan.Win32.DNSChanger.ech
1 Virus.Win32.Virut.q
2 Worm.Win32.Fujack.ap
3 Net-Worm.Win32.Nimda
4 Virus.Win32.Hidrag.a
5 Virus.Win32.Neshta.a
6 Virus.Win32.Parite.b
7 Virus.Win32.Sality.z
8 Virus.Win32.Alman.b
9 Virus.Win32.Virut.n
10 Virus.Win32.Xorer.du
11 Worm.Win32.Fujack.aa
12 Worm.Win32.Otwycal.g
13 Worm.Win32.Fujack.k
14 Virus.Win32.Parite.a
15 Trojan-Downloader.WMA.GetCodec.d
16 Virus.Win32.Sality.l
17 Virus.Win32.Sality.s
18 Worm.Win32.Viking.ce
19 Worm.VBS.Headtail.a
20 Net-Worm.Win32.Allaple.b
The majority of the programs listed above are able to infect files. The figures
given are interesting as they indicate the spread of threats which need to be
disinfected, rather than simply dealt with by deleting infected objects.

Virus Top 20 for JULY 2008

Position  Change in position  Name                        Proactive Detection Flag  Percentage
1.        0                   Email-Worm.Win32.NetSky.q   Trojan.generic            23.12
2.        +1                  Email-Worm.Win32.NetSky.y   Trojan.generic            9.70
3.        +2                  Email-Worm.Win32.Scano.gen  Trojan.generic            9.63
4.        +4                  Email-Worm.Win32.Nyxem.e    Trojan.generic            6.75
5.        -3                  Email-Worm.Win32.NetSky.d   Trojan.generic            6.27
6.        Return              Email-Worm.Win32.NetSky.x   Trojan.generic            4.44
7.        -1                  Email-Worm.Win32.NetSky.aa  Trojan.generic            3.74
8.        Return              Email-Worm.Win32.NetSky.b   Trojan.generic            3.26
9.        -5                  Email-Worm.Win32.Bagle.gt   Trojan.generic            2.75
10.       Return              Net-Worm.Win32.Mytob.u      Worm.P2P.generic          2.60
11.       +6                  Net-Worm.Win32.Mytob.c      Trojan.generic            2.40
12.       0                   Email-Worm.Win32.Scano.bn   Trojan.generic            2.09
13.       Return              Email-Worm.Win32.NetSky.r   Trojan.generic            1.98
14.       +4                  Email-Worm.Win32.NetSky.t   Trojan.generic            1.94
15.       Return              Net-Worm.Win32.Mytob.bi     Trojan.generic            1.65
16.       -5                  Email-Worm.Win32.Bagle.gen  Trojan.generic            1.39
17.       -4                  Email-Worm.Win32.Mydoom.l   Worm.P2P.generic          1.19
18.       Return              Net-Worm.Win32.Mytob.t      Worm.P2P.generic          1.08
19.       -3                  Email-Worm.Win32.NetSky.c   Trojan.generic            0.97
20.       New!                Net-Worm.Win32.Mytob.cg     Worm.P2P.generic          0.90
          Other malicious programs                                                  12.15

The May 2008 Email Top Twenty is a short one; this is explained by the well-
known fact that virus writers take a break over the summer months. The
complete absence of any epidemics in mail traffic, which is obvious from even a
cursory glance at this month's rankings, bears this out.
In fact, the only significant change to the rankings was caused by the re-entry
of a few worms which have been in circulation for several years now.
Trojan-Downloader programs such as Agent.ica, Agent.hsl, and Diehard that
were active during the first four months of 2008 disappeared without trace in
May.
The Warezov and Zhelatin worms have not reappeared since dropping out of the
Top Twenty back in February. The authors have stopped sending out the
executable components of the worms by email, confining themselves to
distributing the code via links on infected websites.
This does mean that the threat posed by malicious code in email has declined.
However, phishing and spam continue to pose very real threats and have the
potential to create just as big a problem for the end user.
Other malicious programs made up a significant percentage (12.15%) of all
malicious code found in mail traffic.

Summary
• Moved up: Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Scano.gen,
Email-Worm.Win32.Nyxem.e, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.t.
• Moved down: Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.aa,
Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Bagle.gen,
Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.NetSky.c.
• Returned: Email-Worm.Win32.NetSky.x, Email-Worm.Win32.NetSky.b,
Net-Worm.Win32.Mytob.u, Email-Worm.Win32.NetSky.r, Net-Worm.Win32.Mytob.bi,
Net-Worm.Win32.Mytob.t, Net-Worm.Win32.Mytob.cg.
• No change: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Scano.bn

10. Conclusions
There are lots of viruses in the world, and new viruses are appearing every day.
New anti-virus programs and techniques are being developed too. It is good to
be aware of viruses and other malware, and it is cheaper to protect your
environment from them than to be sorry afterwards.
There might be a virus in your computer if it starts acting differently. There is
no reason to panic if a computer virus is found.
It is good to be a little suspicious of malware when you surf the Internet and
download files. Some files that look interesting might hide malware.
A computer virus is a program that reproduces itself, and its mission is to
spread. Most viruses are harmless, and some viruses might cause random damage
to data files.
A trojan horse is not a virus because it doesn't reproduce. Trojan horses are
usually disguised so that they look interesting. There are trojan horses that
steal passwords and format hard disks.
Macro viruses spread from applications which use macros. Macro viruses
spread fast because people share so much data, email documents and use the
Internet to get documents. Macros are also very easy to write.
Some people want to experiment with writing viruses and test their
programming talent. At the same time they do not understand the
consequences for other people, or they simply do not care.
A virus's mission is to hop from one program to another, and this can happen
via floppy disks, Internet FTP sites, newsgroups and email attachments. Viruses
are mostly written for PCs and DOS environments.
Viruses are no longer something that just programmers and computer
specialists have to deal with. Today everyday users have to deal with viruses.

11. Forecast
In light of all of the trends and events described above, we expect that in 2007
virus writers will continue to concentrate their efforts on various types of
Trojans used to steal personal information. Attacks will largely be focused on
the users of various banking and payment systems in addition to online gamers.
Virus writers and spammers will continue to pool their efforts; this symbiotic
relationship will lead to the use of infected computers both for organizing
epidemics and attacks, and for sending spam.

Browser vulnerabilities and email will remain the primary infection vectors. The
use of direct port attacks will be less widespread and will fully depend on critical
vulnerabilities being discovered in Windows services. P2P networks or IRC
channels will not be widely used to infect machines, but they will be to some
extent, especially locally (for example, the P2P client Winny, which is very
popular in Japan, could become a serious threat to Asian users in 2007). IM
systems will remain in the top three most actively used means of attack, even
though we do not expect to see any significant increase in malicious use.

Overall, epidemics and virus attacks will become defined in terms of
geographical boundaries. For example, in-game Trojans and worms with virus
functionality are typically seen in Asia, while Europe and the US tend to see
Trojan spy programs and backdoors. South America is usually hit by a wide
range of banking Trojans.

Without a doubt, the most important underlying theme of 2007 will be the new
Microsoft Vista operating system and its vulnerabilities. Vista’s vulnerabilities
and limitations will determine the development of the virus industry in the years
to come. We do not expect to see any fast-moving or major changes, although
this new OS will definitely define the trends in the year to come.

Malicious programs will continue to become more technically sophisticated and
use methods to conceal their presence in infected systems. Polymorphic code,
code obfuscation and rootkit technologies will be even more widespread and
their use will become standard in most new malicious programs.
We can expect to see considerable growth in malicious programs for other
operating systems, first and foremost for MacOS and *nix systems. Virus
writers will also focus some efforts on gaming consoles like PlayStation and
Nintendo. The increasing number of these types of devices and the
opportunities to use them to interact online could attract the attention of virus
writers, although most likely for "research" purposes only. It could
happen that viruses for "non-computers" in 2007 will break through and
transition into a phase of major development, although the chances are low,
and developments will probably be limited to a large amount of proof of concept
malware.

The number of targeted attacks aimed at medium-sized and large businesses
will increase. In addition to traditional data theft, these attacks will be aimed at
extorting money from the victim organizations, and will use encryption (i.e.
RansomWare). One of the main infection vectors will be MS Office files and
vulnerabilities in this suite of applications.
