An Introduction To Computer Viruses


Computer security has three aspects: Secrecy, Accuracy and Availability.


Computer viruses mostly have an impact on two of these: accuracy, because a virus
may modify your programs and data, and availability, because your machine may not
work when you require it.

A computer virus is a program that can infect other programs by modifying them to
include a copy of itself. Viruses can take many routes to reach your organisation.
Most people are familiar with how a virus can spread from one company to another
via home machines, or from a college machine via home machines to other companies
and organisations. However, viruses can also enter your organisation through
purchased software or even blank, preformatted disks. If a software or disk
manufacturer accidentally uses an infected master disk, all copies made from it will
be infected. It is therefore important to check ALL programs and disks entering your
organisation.

The main types of computer viruses are:

Nonresident viruses: Nonresident viruses can be thought of as consisting of a
finder module and a replication module.

Resident Viruses: This type of virus is permanent and dwells in RAM. Examples
include: Randex, CMJ, Meve, and MrKlunky.

Direct Action Viruses: The main purpose of this virus is to replicate and take
action when it is executed.

Overwrite Viruses: Viruses of this kind are characterized by the fact that they delete
the information contained in the files that they infect, rendering them partially or
totally useless once they have been infected. Examples of this virus include: Way,
Trj.Reboot, Trivial.88.D.

Directory Virus: Directory viruses change the paths that indicate the location of a
file.

Polymorphic Virus: Polymorphic viruses encrypt or encode themselves in a
different way (using different algorithms and encryption keys) every time they infect
a system.

Examples include: Elkern, Marburg, Satan Bug, and Tuareg.

Companion Viruses: Companion viruses can be considered file infector viruses like
resident or direct action types. Some examples include: Stator, Asimov.1539, and
Terrax.1069.

Boot Sector Viruses: infect the DOS Boot Record or Master Boot Record (partition
table) of disks. They include some of the commonest viruses: Brain, Stoned, Form,
Michelangelo, Flame (also known as Torch or Stamford) and AntiCMOS.

Macro Virus: Macro viruses infect files that are created using certain applications
or programs that contain macros. Examples of macro viruses: Relax, Melissa.A,
Bablas, O97M/Y2K.

File Viruses: also known as parasitic viruses, these infect executable files. Some
examples are Jerusalem (also known as Israeli or Friday 13th), _1099, Ping Pong (also
known as Bouncing Ball) and Vtech.

FAT Viruses: The file allocation table, or FAT, is the part of a disk used to link the
pieces of stored information together and is a vital part of the normal functioning of
the computer.

Worms: Computer worms are programs that reproduce, execute independently and
travel across network connections. The key difference between a virus and a worm is
the manner in which each reproduces and spreads. Two very prominent examples of
worms are the MS-Blaster and Sasser worms.

Trojan Horse Viruses: Trojan Horses have developed to a remarkable level of
cleverness, which makes each one radically different from the others.

ActiveX & Java Applets: ActiveX and Java controls are used in Web browsers to
enable and disable sound or video and a host of other controls. If not properly
secured, this is another area that virus writers use to get private data from your
computer.

Link Viruses: also called cluster viruses, these modify the record of where files are
stored in order to infect. There is one example, DIR II.

What are Computer Viruses?

Computer viruses are programs written by "mean" people. These virus programs are
placed into a commonly used program so that the program will run the attached
virus program as it starts; therefore, it is said that the virus "infects" the
executable file or program. Executable files include Macintosh "system files" [such as
system extensions, INITs and control panels] and application programs [such as
word processing programs and spreadsheet programs.] Viruses work the same way
on Windows or DOS machines by infecting zip or exe files.

A virus is inactive until you execute an infected program or application OR start
your computer from a disk that has infected system files. Once a virus is active, it
loads into your computer's memory and may save itself to your hard drive or copy
itself to applications or system files on disks you use.

Some viruses are programmed specifically to damage the data on your computer by
corrupting programs, deleting files, or even erasing your entire hard drive. Many
viruses do nothing more than display a message or make sounds or verbal comments
at a certain time or on a programming event, after replicating themselves to be picked
up by other users one way or another. Other viruses make your computer's system
behave erratically or crash frequently. Sadly, many people who have problems or
frequent crashes using their computers do not realize that they have a virus and live
with the inconvenience.

What Viruses Don't Do!

Computer viruses cannot infect write-protected disks or infect written documents.
Viruses do not infect compressed files, unless the file was infected prior to the
compression. [Compressed files are programs or files with their common characters,
etc. removed to take up less space on a disk.] Viruses do not infect computer
hardware, such as monitors or computer chips; they only infect software.

In addition, Macintosh viruses do not infect DOS/Windows software and vice versa.
For example, the Melissa virus incident of late 1998 and the ILOVEYOU virus of
2000 worked only on Windows-based machines and could not operate on Macintosh
computers.

How do Viruses Spread?

Viruses begin to work and spread when you start up the program or application in
which the virus is present. For example, a word processing program that contains a
virus will place the virus in memory every time the word processing program is run.

Once in memory, one of a number of things can happen. The virus may be
programmed to attach to other applications, disks or folders. It may infect a network
if given the opportunity.

Viruses behave in different ways. Some viruses stay active only when the application
they are part of is running; turn the computer off and the virus is inactive. Other
viruses will operate every time you turn on your computer after infecting a system
file or network.

The History of the Computer Virus

The first computer virus, popularly known as the 'Brain virus', was created in 1986 by
two Pakistani brothers, Amjad and Basit Farooq Alvi. This virus, which spread via
floppy disks, was known only to infect boot records and not computer hard drives
like most viruses today. The virus, also known as Lahore, Pakistani, Pakistani Brain,
Brain-A and UIUC, would occupy unused space on the floppy disk so that it could
not be used, and would hide from detection. It would also disguise itself by
displaying the uninfected boot sector of the disk.

In 1987, the Lehigh virus was discovered at Lehigh University in the United States.
The Lehigh virus was the first memory-resident file infector that attacked executable
files and took control when a file was opened. The Jerusalem virus also appeared
around this time at Hebrew University in Israel. Like the Lehigh virus, the Jerusalem
virus was also a memory-resident file infector. It contained bugs that caused it to
re-infect programs that were already infected.

In March 1988, the first anti-virus was designed to detect and remove the Brain
virus. The anti-virus also immunized floppy disks to get rid of the Brain infection.
At the same time, the Cascade virus appeared in Germany. The Cascade virus was the
first encrypted virus, which was coded so that it could not be changed or removed.

Thus, during the late 1980s and the early 1990s, viruses on the loose which infected
files, disks etc. on the computer and caused a great deal of damage received a lot of
media attention. Magazines such as Business Week, Newsweek, Fortune, PC Magazine,
and Time began publishing articles about these destructive viruses running wild and
demanded a solution for all these problems.

In 1991, Symantec released the Norton Anti-virus software. Anti-virus products
from IBM, McAfee, Digital Dispatch and Iris also became available.

A few years ago, in 2000, the ILOVEYOU virus wreaked havoc around the world. The
virus, which was created in the Philippines, was sent through email and spread
around the world in one day, infecting 10 percent of computers connected to the
Internet and causing $5.5 billion in damage. Hence, viruses are still common and
still create chaos even today. It is hard to determine the reasons for all these actions
and why virus writers create computer viruses. Some do it for personal gain, for
research projects, pranks, vandalism, etc., while others want to help make
improvements in programs.

Different Types of Computer Viruses

Computer viruses can be classified in different ways: by origin, by technique, by the
types of files they infect, by where they hide, by the kind of damage they cause, by
the operating system or platform they attack, etc. Let us have a look at them.

Nonresident viruses

Nonresident viruses can be thought of as consisting of a finder module and a
replication module. The finder module is responsible for finding new files to infect.
For each new executable file the finder module encounters, it calls the replication
module to infect that file.

Resident Viruses

This type of virus is permanent and dwells in RAM. From there it can take over and
interrupt all of the operations executed by the system: corrupting files and programs
that are opened, closed, copied, renamed etc.

Examples include: Randex, CMJ, Meve, and MrKlunky.

Direct Action Viruses

The main purpose of this virus is to replicate and take action when it is executed.
When a specific condition is met, the virus will go into action and infect files in the
directory or folder that it is in and in the directories listed in the PATH set by the
AUTOEXEC.BAT file. This batch file is always located in the root directory of the
hard disk and carries out certain operations when the computer is booted.

Overwrite Viruses

Viruses of this kind are characterized by the fact that they delete the information
contained in the files that they infect, rendering them partially or totally useless once
they have been infected.

The only way to clean a file infected by an overwrite virus is to delete the file
completely, thus losing the original content.

Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.

Directory Virus
Directory viruses change the paths that indicate the location of a file. By executing a
program (a file with the extension .EXE or .COM) which has been infected by such a
virus, you are unknowingly running the virus program, while the original file and
program have previously been moved by the virus. Once infected, it becomes
impossible to locate the original files.

Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a different way (using
different algorithms and encryption keys) every time they infect a system.

This makes it impossible for anti-virus programs to find them using string or
signature searches (because they are different in each encryption) and also enables
them to create a large number of copies of themselves.

Examples include: Elkern, Marburg, Satan Bug, and Tuareg.

Companion Viruses
Companion viruses can be considered file infector viruses like resident or direct
action types. They are known as companion viruses because once they get into the
system they "accompany" the other files that already exist. In other words, in order to
carry out their infection routines, companion viruses can wait in memory until a
program is run (resident viruses) or act immediately by making copies of themselves
(direct action viruses).

Some examples include: Stator, Asimov.1539, and Terrax.1069.

Boot Virus
This type of virus affects the boot sector of a floppy or hard disk. This is a
crucial part of a disk, in which information on the disk itself is stored together with a
program that makes it possible to boot (start) the computer from the disk.

Damage Caused
Boot sector viruses gain complete control of the master boot record or the DOS boot
sector by replacing the operating system's contents with their own. This allows the
virus to spread fast and cause damage:

• By gaining control of the master boot record and the DOS boot sector, boot
sector viruses can sometimes hide the resources that the computer has (the
floppy drive, even though attached, may appear not to be present).

• Some boot sector viruses contain instructions to redirect disk reads.

• Some boot sector viruses move the master boot record to another location,
causing the system to crash when it boots up. Other boot sector viruses cause
damage to the master boot record.

• Some boot sector viruses damage the File Allocation Table (FAT), which is the
index of all the files on the drive. This causes loss of data.

Removal
The best way to remove a boot sector virus is to boot the computer using a clean boot
disk and then rewrite the files on the infected disk with good operating system files.
These viruses were very prevalent in the nineties and a host of antivirus programs
are now available to detect and clean them effectively.

Examples of boot viruses include: Polyboot.B, AntiEXE.
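As an added example (not part of the original document): a check that parses a 512-byte master boot record, verifies its boot signature and partition table, and compares the boot code against a hash recorded from a known-good copy, which is how a defender can notice that the record has been overwritten or moved before booting from a clean disk. Both sectors below are constructed for the example, not taken from a real disk.

```python
"""
Master Boot Record (MBR) sanity check: parse a 512-byte sector, verify the 0x55AA
boot signature, list the partition entries, and compare the boot code with a
trusted baseline hash. Added example, not from the original document; the two
sectors are constructed here, not read from any disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
PART_ENTRY_FMT = "<B3xB3xII"


def parse_partitions(sector):
    """Return a list of dicts describing the four primary partition entries."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(sector, baseline_code_sha256):
    """Return a list of problems: wrong size, missing signature, boot code that
    no longer matches the baseline, or an implausible partition table."""
    problems = []
    if len(sector) != SECTOR_SIZE:
        problems.append(f"sector is {len(sector)} bytes, expected {SECTOR_SIZE}")
        return problems
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != baseline_code_sha256:
        problems.append("boot code differs from baseline (possible overwrite)")
    parts = parse_partitions(sector)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        problems.append(f"{len(bootable)} bootable partitions (expected 1)")
    for p in parts:
        if p["type"] != 0 and p["sectors"] == 0:
            problems.append(f"partition {p['index']} has a type but zero length")
    return problems


def make_sector(boot_code, partitions):
    """Build a constructed MBR from boot code bytes and
    (status, type, lba_start, sectors) tuples for the partition table."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed "known good" record: placeholder boot code, one bootable NTFS-type
# (0x07) partition, and the hash a defender would have recorded from it.
GOOD_CODE = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (BOOT_CODE_LEN - 5)
GOOD_MBR = make_sector(GOOD_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE_SHA256 = hashlib.sha256(GOOD_CODE).hexdigest()

# Constructed "tampered" record: boot code replaced, signature and table intact,
# which is exactly what a signature-only check would miss.
BAD_CODE = b"\xEB\x3C\x90" + b"\xCC" * (BOOT_CODE_LEN - 3)
BAD_MBR = make_sector(BAD_CODE, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for label, sector in (("good", GOOD_MBR), ("tampered", BAD_MBR)):
        print(label, check_mbr(sector, BASELINE_SHA256) or "no problems found")
```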

Macro Virus
Macro viruses infect files that are created using certain applications or programs
that contain macros. These mini-programs make it possible to automate a series of
operations so that they are performed as a single action, thereby saving the user
from having to carry them out one by one.

Examples of macro viruses: Relax, Melissa.A, Bablas, O97M/Y2K.

Damage Caused
Some common auto macros are:
• AutoExec
• AutoNew
• AutoOpen
• AutoClose
• AutoExit

The existence of the 'auto-exec' macro makes it possible to create many macro
viruses. The 'auto-exec' macro is executed in response to some event and does not
depend on a user command. The autoexec macro and other auto macros are
dangerous tools for the virus writer. Other existing macro viruses are those which
replace command names (existing commands like Save, Open etc.) with their code.
Unlike the auto macros, which can be disabled, commands cannot be disabled. Once
the macro virus uses these commands it can copy itself to other files and even delete
files.

Removal
Prevention is better than cure. The autoexec macro can be prevented from executing
by starting Word from the command prompt with the command 'winword /m'. The
auto macros are also disabled if the command 'DisableAutoMacros' is used in any
macro that is written, or by holding down the Shift key while opening a document.
Word documents cannot contain macros; only Word templates can. You can mask a
template as a document file to prevent it from infection.

Removal can be done by an anti-virus scanner that needs to be updated regularly.
The other way is to use the Organizer to find and remove macros. If you know you are
infected, just shut down Word without saving, then find the Normal.dot template and
delete it. The other way to remove macro viruses is to open the Organizer dialog box
and delete all the macro project items listed. The Organizer dialog box can be opened
from the 'Templates' command on the File menu or from the 'Macro' command on the
Tools menu. Then close the file.
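As an added example (not part of the original document), and one that goes beyond the Word 97-era advice above: current Office Open XML files store a macro project as vbaProject.bin inside a ZIP container and declare it in [Content_Types].xml, so a scanner can tell whether a document carries macros before anyone opens it. The two packages below are constructed in memory; the VBA part is placeholder bytes because only its presence is checked.

```python
"""
Macro presence check for Office Open XML files (.docm, .dotm, .xlsm and so on).
A VBA project travels inside the ZIP container as vbaProject.bin and is declared
in the [Content_Types].xml manifest. Added example, not from the original
document; both sample packages are constructed in memory.
"""
import io
import zipfile

# Content type Office uses to declare a VBA project part in the manifest.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_office_zip(data):
    """Describe whether `data` (bytes of a file) is an OOXML package carrying a
    VBA project, and which pieces of evidence were found."""
    result = {"is_ooxml": False, "vba_parts": [], "declared_in_content_types": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        # Evidence 1: a vbaProject.bin part anywhere in the package.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # Evidence 2: the manifest declares a part with the VBA content type.
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declared_in_content_types"] = VBA_CONTENT_TYPE in manifest
    return result


def has_macros(data):
    """True when either piece of evidence for a VBA project is present."""
    r = inspect_office_zip(data)
    return bool(r["vba_parts"]) or r["declared_in_content_types"]


def build_sample(with_vba):
    """Constructed minimal package: a manifest, a document part and optionally a
    dummy VBA project. A real vbaProject.bin is an OLE compound file; placeholder
    bytes suffice here because only its presence is being checked."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_vba:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
    manifest = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xD0\xCF\x11\xE0placeholder")
    return buf.getvalue()


CLEAN_DOC = build_sample(with_vba=False)
MACRO_DOC = build_sample(with_vba=True)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("macro-enabled", MACRO_DOC)):
        print(label, inspect_office_zip(doc))
```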

File Infectors

This type of virus infects programs or executable files (files with an .EXE or
.COM extension). When one of these programs is run, directly or indirectly, the virus
is activated, producing the damaging effects it is programmed to carry out. The
majority of existing viruses belong to this category, and can be classified depending
on the actions that they carry out.

Damage Caused
A file infector virus can cause irreversible damage to files. By overwriting files it
permanently destroys their content. Some file viruses have also operated as e-mail
worms and Trojan horses.

Removal
The only way to disinfect files affected by a file virus is to delete them and restore
them from backup.

FAT Virus
The file allocation table, or FAT, is the part of a disk used to link the pieces of
stored information together and is a vital part of the normal functioning of the
computer. This type of virus attack can be especially dangerous, as it prevents access
to certain sections of the disk where important files are stored. The damage caused
can result in information loss from individual files or even entire directories.

Worms

Computer worms are programs that reproduce, execute independently and travel
across network connections. The key difference between a virus and a worm is the
manner in which each reproduces and spreads. A virus is dependent upon a host file
or boot sector, and on the transfer of files between computers, to spread, whereas a
computer worm can execute completely independently and spread of its own accord
through network connections.

The security threat from worms is equivalent to that of viruses. Computer worms are
capable of doing a whole range of damage, such as destroying crucial files in your
system, slowing it down to a large degree, or even causing some critical programs to
stop working. Two very prominent examples of worms are the MS-Blaster and Sasser
worms.

Computer Worm Examples

The original computer worm was (perhaps accidentally) unleashed on the Internet by
Robert Tappan Morris in 1988. The Internet Worm used sendmail, fingerd, and
rsh/rexec to spread itself across the Internet.

The SQL Slammer worm, found in 2003, used a vulnerability in Microsoft SQL Server
2000 to spread itself across the Internet. The Blaster worm, also found in 2003, used a
vulnerability in Microsoft DCOM RPC to spread itself.

The Melissa worm, found in 1999, the Sobig worms, found in 2003, and the Mydoom
worm, found in 2004, all spread through e-mail. These worms shared some features
of a Trojan Horse, in that they spread by tempting a user to open an infected e-mail
attachment.

Mydoom also attempted to spread itself through the peer-to-peer file sharing
application called KaZaA. The Mydoom worms attempted a Denial of Service (DoS)
attack against SCO and Microsoft.

Ways Of Infection

Worms replicate themselves and infect a computer without the user's knowledge and
consent. There are three major ways these unsolicited parasites can get into the
system.

1. Some parasites, called mass-mailing worms, propagate through e-mail. They
arrive in files attached to e-mail messages or come embedded in the messages
themselves. Once the user opens such a message or file, the worm silently installs
itself on the system. The user cannot notice anything suspicious, as the parasite does
not display any setup wizards, dialogs or warnings.

2. Widely spread worms infect vulnerable computers on the Internet by exploiting
known operating system and installed software security vulnerabilities. Such
parasites spread on their own and therefore do not require any user intervention.

3. Many worms distribute themselves in infected files that arrive attached to instant
messages or can be downloaded from file sharing networks or unprotected network
shares. Such worms spread the infection in files with meaningful names in order to
trick the user into executing them. Once the user opens such a file, the worm silently
infects the computer.

Worms mostly affect computers running the Microsoft Windows operating system.

Examples Of Worms

There are thousands of different computer worms. The following examples illustrate
how treacherous and harmful worms can be.

Melissa is an infamous mass-mailing worm that was first found in early 1999. It
comes attached to e-mail messages and looks like a text document. However, when a
user opens such an attachment, the worm silently installs itself on the system and
starts to spread. It modifies Microsoft Word settings and infects lots of text
documents. Then it sends out infected documents attached to e-mails to all the
contacts from the address book. These actions disclose the user's personal
information and other confidential data. The worm sends out a huge amount of
infected mail and can overload mail servers. Some Melissa variants delete critical
system files and therefore damage the entire system.

ILoveYou, also known as Love Letter and Love Bug, is perhaps the most widely
known worm in the history of worms. It struck the computer world in 2000, and
infected a large number of systems all over the world. ILoveYou spreads through
email as an attachment to the messages. But the text of the messages seems so nice
and sweet that users open attachments without even thinking that there could be a
virus. The text of the e-mail may contain words like “I love you” and anything similar
to that. ILoveYou spreads very fast, because when it gets onto the system, it
immediately sends copies of itself to all the addresses from the Microsoft Outlook
Express address book. It also harms the system by overwriting essential system files,
the user's personal documents, multimedia files and other critical data. Some
ILoveYou variants are responsible for a Denial of Service attack on the official White
House web site.

Sobig is an Internet worm which spreads by e-mail in messages with infected
attachments. Once such an attachment is executed, the worm installs itself on the
system and distributes itself to e-mail addresses found in files of several types. It also
infects vulnerable computers with shared resources in a local network. Sobig
contains a backdoor, which can be used to update it or install additional plugins.
Although this worm can cause a high overload of mail servers, it is outdated and
doesn't spread now. However, its backdoor can still be active and may be used by
attackers. Sobig was responsible for millions of infections around the world in 2003.

MyDoom, also known as Novarg, Shimgapi and Mimail, is the fastest spreading
worm ever. The parasite propagates by e-mail and through file sharing networks. It
comes in infected files attached to e-mail messages that trick the user into believing
that they were sent by regular mail servers as delivery error notifications. Once the
user executes such a file, MyDoom silently installs itself on the system and runs its
payload. The worm sets up a backdoor that gives the remote attacker full
unauthorized access to the compromised computer and performs a Denial of Service
attack against the SCO and Microsoft web sites. It also blocks access to several
reputable domains. MyDoom is responsible for the significant worldwide Internet
performance slowdown that took place at the beginning of 2004. One in ten of all
e-mail messages at that time contained a copy of the parasite.

The Sasser worm is an infamous Internet parasite that infects vulnerable computers
running systems with unpatched security holes. It doesn't distribute itself by e-mail
or through sharing networks, but infects computers directly and doesn't depend on
the user's actions. Sasser installs itself on the system and searches for other
vulnerable hosts. The worm can hang the infected computer or reboot it frequently.
It also severely compromises the security of infected systems, so that attackers are
able to connect to and control them remotely.

Most Internet worms spread through e-mail, file sharing networks or unprotected
network shares. This distribution method noticeably decreases overall computer
performance and degrades Internet connection speed. A user whose computer is
infected with a worm usually has multiple web surfing problems, system instability
and software unreliability issues. Moreover, that computer becomes a source of
infection and poses a serious threat to other hosts over the Internet or in a local
network.

Many worms attempt to decrease system security by modifying security-related
application settings, turning off antivirus or anti-spyware protection. Some parasites
drop even more dangerous security and privacy threats such as various backdoors or
trojans. The remote attacker can use these pests to gain full unauthorized access to a
compromised computer, steal the user's sensitive information or totally destroy the
entire system and all user data.

A worm by itself is a great privacy risk. Lots of these parasites are designed
specifically to collect valuable user information like passwords, bank account details,
credit card numbers or identity data and silently transfer it to the attacker. Some
worms are made for criminal purposes. They are created to infect the computers of
corporate users and steal or disclose to the public secret documents and other
confidential information.

Protect yourself against Computer Worms

How To Remove A Worm?

Worms work in the same manner as regular computer viruses and therefore can be
found and removed with the help of effective antivirus products like Symantec
Norton AntiVirus, Kaspersky Anti-Virus, McAfee VirusScan, eTrust EZ Antivirus,
Panda Titanium Antivirus and AVG Anti-Virus. Some advanced spyware removers,
which are able to scan the system in a similar way to antivirus software and have
extensive parasite signature databases, can also detect and remove certain worms
and related malicious components. Powerful anti-spyware solutions such as
Microsoft AntiSpyware Beta, Spyware Doctor, Ad-Aware SE, SpyHunter or eTrust
PestPatrol are known for quite fair worm detection and removal capabilities.

In some cases even an antivirus or spyware remover can fail to get rid of a particular
worm. That is why there are Internet resources such as 2-Spyware.com which
provide manual malware removal instructions. These instructions allow the user to
manually delete all the files, directories, registry entries and other objects that
belong to a parasite. However, manual removal requires fair system knowledge and
therefore can be a quite difficult and tedious task for novices.

Computer worms which spread through vulnerabilities in network services can best
be protected against by keeping the antivirus up-to-date and installing patches
provided by operating system and application vendors. This includes worms like SQL
Slammer and Blaster.

Computer worms which spread like Trojan Horses can best be defended against by
avoiding opening attachments in your e-mail. These infected attachments are not
limited to .EXE files. Microsoft Word and Excel files can contain macros which
spread infection.

Trojans or Trojan Horses

The most important difference between a trojan virus/trojan horse and a virus is that
trojans don’t spread themselves. Trojan horses disguise themselves as valuable and
useful software available for download on the internet. Most people are fooled by this
ploy and end up downloading the virus disguised as some other application. The
name comes from the mythical “Trojan Horse” that the Ancient Greeks set upon the
city of Troy.

A trojan horse is typically separated into two parts – a server and a client. It’s
the client that is cleverly disguised as significant software and positioned in peer-to-
peer file sharing networks, or unauthorized download websites. Once the client
Trojan executes on your computer, the attacker, i.e. the person running the server,
has a high level of control over your computer, which can lead to destructive effects
depending on the attacker’s purpose.

A trojan horse virus can spread in a number of ways. The most common
means of infection is through email attachments. The developer of the virus usually
uses various spamming techniques in order to distribute the virus to unsuspecting
users. Another method used by malware developers to spread their trojan horse
viruses is via chat software such as Yahoo Messenger and Skype. Another method
used by this virus in order to infect other machines is through sending copies of itself
to the people in the address book of a user whose computer has already been infected
by the virus.

Types of Trojan horse Viruses

Trojan Horses have developed to a remarkable level of cleverness, which makes each
one radically different from the others. For an inclusive understanding, we have
classified them into the following:

Remote Access Trojans

Remote Access Trojans are the most frequently available trojans. These give an
attacker absolute control over the victim’s computer. The attacker can go through the
files and access any personal information about the user that may be stored in the
files, such as credit card numbers, passwords, and vital financial documents.

Password Sending Trojans

The intention of a Password Sending Trojan is to copy all the cached passwords and
look for other passwords as you key them into your computer, and send them to
particular email addresses. These actions are performed without the awareness of the
user. Passwords for restricted websites, messaging services, FTP services and email
services come under direct threat with this kind of trojan.

Key Loggers

Key logger Trojans log the victim’s keystrokes and then send the log files to the
attacker. The log files are then searched for passwords or other sensitive data. Most
key loggers come with two functions, online and offline recording. Of course, they
can be configured to send the log file to a specific email address on a daily basis.

Destructive Trojans

The only purpose of Destructive Trojans is to destroy and delete files from the
victims’ computers. They can automatically delete all the core system files of the
computer. The destructive trojan could be controlled by the attacker or could be
programmed to strike like a logic bomb, starting on a particular day or at specific
time.

Denial of Service (DoS) Attack Trojans

The core design intention behind Denial of Service (DoS) Attack Trojan is to
produce a lot of internet traffic on the victim’s computer or server, to the point that
the Internet connection becomes too congested to let anyone visit a website or
download something. An additional variation of DoS Trojan is the Mail-Bomb
Trojan, whose key plan is to infect as many computers as possible, concurrently
attacking numerous email addresses with haphazard subjects and contents that
cannot be filtered.

Proxy/Wingate Trojans

Proxy/Wingate Trojans convert the victim’s computer into a Proxy/Wingate server.
That way, the infected computer is accessible to the entire globe to be used for
anonymous access to a variety of unsafe Internet services. The attacker can register
domains or access pornographic websites with stolen credit cards or do related illegal
activities without being traced.

FTP Trojans

FTP Trojans are possibly the most simple, and are outdated. The only action they
perform is to open port 21 – the port for FTP transfers – and let anyone connect to
your computer via the FTP protocol. Advanced versions are password-protected, so
only the attacker can connect to your computer.

Software Detection Killers

Software Detection Killers kill popular antivirus/firewall programs that guard your
computer, to give the attacker access to the victim’s machine.

Note: A Trojan could have any one or a combination of the above mentioned
functionalities.

The best way to prevent a Trojan Horse virus from entering and infecting your
computer is to never open email attachments or files that have been sent by unknown
senders. However, not all files you receive are guaranteed to be virus-free. Because of
this, a good way of protecting your PC against malicious programs such as these is to
install and update an antivirus program.

How to Remove a Trojan Virus

1 Reboot your computer if you have a Mac. Do this by holding down the "Shift"
key while the computer restarts itself.

2 Launch an antivirus program that you should have installed on your
computer, such as Symantec's Norton or McAfee. Wait for the program's window to
appear, then go to "Disk View." Highlight your computer, then select "Scan/Repair"
so that the antivirus can detect the Trojan and trash it.

3 Exit the antivirus program on your Mac. Restart your computer again to
ensure that the Trojan has been deleted. Empty the trash can on your computer once
it is back up and running.

4 Disable the System Restore feature if you're a Windows user. Go to "Start" at
the bottom of your screen, then right-click the "My Computer" icon to go to
"Properties." Check "Turn off System Restore" under the System Restore tab in the
"Properties" window, then select "Apply." Confirm that you want to disable System
Restore by clicking "Yes" and "OK."

5 Update your virus definitions in your antivirus program. Open the program,
or go to the website, to download the latest definitions so that you can receive the
most recent alerts and keep your computer protected.

6 Scan your files to detect the Trojan file. Follow the instructions in your
antivirus program to delete any suspicious files. You may want to write down the
path and file name of the Trojan, which is usually found on the "C:\" hard drive.
Then, edit your computer's registry by choosing "Start," then "Run." Type
"regedit" in the window that appears and click "OK."

7 Search for the registry entry from which the Trojan was launched, which may
begin with "HKEY" followed by the file path. Delete the registry entry to ensure that
the Trojan is removed. Exit the Registry Editor, and restart your computer so that the
changes can take effect.

Logic Bombs
They are not considered viruses because they do not replicate. They are not
even programs in their own right, but rather camouflaged segments of other
programs.

Their objective is to destroy data on the computer once certain conditions
have been met. Logic bombs go undetected until triggered, and the results can be
destructive.

ActiveX & Java Applets

ActiveX and Java controls are used in Web browsers to enable and disable
sound or video and a host of other features. If not properly secured, this is another
area that virus writers use to get private data from your computer.

Many types of viruses do more than a plain virus does. Some are file-infecting
viruses, and then a trigger may activate code that makes them behave like a worm.
Classification therefore becomes difficult in these cases. The basic behaviour of a
virus that distinguishes it from a Trojan is that it replicates very fast.

Detection of viruses

Three major methods are Signature Scanning, Heuristic Scanning and
Change Detection. Signature scanning tries to recognise short byte sequences from a
virus in executables. Its advantages are that it identifies the virus detected, that this
information can be used to disinfect the file or boot sector, and its speed of scanning.
Its disadvantage is that it detects only known viruses and therefore requires regular
updates. Signature scanning can be improved in several ways. Using multiple
signatures has two effects: it improves the accuracy of identification and therefore
makes disinfection safer, and, if a virus has been modified in the area of one
signature, it is likely that the second signature will still detect it, so it can be
reported as "probably a new version of" the known virus. The addition of algorithmic
scanning, mentioned earlier, can also make the detection of polymorphic viruses
possible.
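The multiple-signature idea above, as an added example that is not part of the original text: a toy scanner whose database holds two byte sequences per virus, so that a sample matching both is identified exactly, while one matching only one is reported as a probable new version. The database entry and the sample "executables" are constructed byte strings, not real virus code.

```python
# Added example, not from the original text: a toy signature scanner that
# shows the multi-signature idea. SIGNATURES and the sample files are
# constructed byte strings chosen for illustration only.
from typing import Dict, Optional, Tuple

# Constructed database: name -> two short byte sequences taken from different
# regions of the (hypothetical) virus body, so one surviving region still matches.
SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "Example.A": (b"\x90\x90\xe8\x00\x00\x00\x00", b"\xb8\x13\x00\xcd\x21"),
}

def scan(data: bytes, db: Dict[str, Tuple[bytes, ...]] = SIGNATURES) -> Optional[str]:
    """Return a verdict string, or None when no signature matches.

    All signatures found  -> exact identification, safe to disinfect.
    Some signatures found -> "probably a new version of" the known virus.
    """
    for name, sigs in db.items():
        hits = sum(1 for sig in sigs if sig in data)
        if hits == len(sigs):
            return name
        if hits:
            return f"probably a new version of {name}"
    return None

# Constructed samples: a clean file, an infected one, and a variant in which the
# first signature region was altered by one byte (e8 -> e9) but the second survives.
CLEAN = b"MZ" + b"\x00" * 16 + b"hello world"
INFECTED = CLEAN + b"\x90\x90\xe8\x00\x00\x00\x00" + b"\x00" * 8 + b"\xb8\x13\x00\xcd\x21"
VARIANT = CLEAN + b"\x90\x90\xe9\x00\x00\x00\x00" + b"\x00" * 8 + b"\xb8\x13\x00\xcd\x21"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED), ("variant", VARIANT)):
        print(f"{label}: {scan(sample)}")
```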

Change detection is usually implemented as checksumming: a formula is used
to calculate a value from an executable file based on its whole contents. Any change
in the file is highly likely to change the checksum. The advantage of this is that it
detects known and unknown viruses equally well. Its disadvantages are that it must
be installed on a clean system, and that it reports every change made, including
innocent changes. One class of viruses, the slow viruses, exploits this flaw by only
infecting when an executable file is opened for a write operation, that is, when new
software is being installed or when a program is being compiled. When the user is
warned of the change by his checksumming program, he will 'OK' the change,
because he believes it is entirely due to the change he made. Checksumming can be
improved by heuristic techniques that report how likely it is that a particular change
has been made by a virus.
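The checksumming approach, as an added example that is not part of the original text: a baseline of whole-file checksums is recorded on a clean system, a later scan reports every file whose checksum differs, and a simple, hypothetical heuristic separates a file that grew while keeping its original bytes intact (the pattern of an appending infector) from one that was rewritten, which the user must confirm was their own change. The "disk" is a constructed in-memory dictionary so the code runs offline.

```python
# Added example, not from the original text: a minimal change detector of the
# checksumming kind. The "disk" is an in-memory dict so the code runs offline;
# the growth heuristic is a hypothetical illustration, not a product's logic.
import hashlib
from typing import Dict, List, Tuple

def checksum(data: bytes) -> str:
    # Any function over the whole file contents will do; SHA-256 is used here.
    return hashlib.sha256(data).hexdigest()

def make_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[str, int]]:
    """Record checksum and size of every file. Run this on a system known to be
    clean: an already infected file would otherwise become the reference."""
    return {name: (checksum(d), len(d)) for name, d in files.items()}

def check(baseline: Dict[str, Tuple[str, int]], files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (file, verdict) for every file that is new or whose checksum changed."""
    findings = []
    for name, data in files.items():
        if name not in baseline:
            findings.append((name, "not in baseline: new file, scan it"))
            continue
        digest, old_size = baseline[name]
        if checksum(data) == digest:
            continue  # unchanged, nothing to report
        # Hypothetical heuristic: an appending infector leaves the original bytes
        # intact as a prefix, so the stored checksum still matches that prefix.
        if len(data) > old_size and checksum(data[:old_size]) == digest:
            findings.append((name, "grew with original intact: likely appending infector"))
        else:
            findings.append((name, "contents rewritten: confirm this change was yours"))
    return findings

# Constructed sample disk: the baseline taken clean, then the files seen later.
ORIGINAL = {
    "EDIT.EXE": b"MZ" + b"\x00" * 30 + b"editor code",
    "GAME.EXE": b"MZ" + b"\x00" * 30 + b"game code",
    "CALC.EXE": b"MZ" + b"\x00" * 30 + b"calculator code",
}
BASELINE = make_baseline(ORIGINAL)
LATER = {
    "EDIT.EXE": ORIGINAL["EDIT.EXE"] + b"\xeb\xfe fake virus body",  # appended to
    "GAME.EXE": b"MZ" + b"\x00" * 30 + b"new game version",           # reinstalled
    "CALC.EXE": ORIGINAL["CALC.EXE"],                                 # untouched
    "NEW.EXE": b"MZ" + b"\x00" * 30 + b"freshly installed",          # not in baseline
}
```

Calling check(BASELINE, LATER) reports EDIT.EXE, GAME.EXE and NEW.EXE and stays silent about CALC.EXE; as the text warns, the GAME.EXE verdict alone cannot tell a legitimate reinstall from a slow virus that rode on it.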

Each of these methods can be used in two forms, passive and active. A passive
search is run at intervals by the user, like many of today's popular scanners.
Unfortunately, users may forget to scan regularly, and viruses can spread
uncontrolled between scans. Active protection is loaded into memory and checks
each program when it is executed, copied or written. This can detect infections at the
earliest possible time, before they have spread. However, it occupies memory, which
is particularly important in the limited DOS environment, and requires the machine
to do extra processing, slowing it down. These speed and size limitations force a
balance to be struck: a resident signature scanner that detects all viruses but also
occupies all memory is as useless as one which is extremely small but detects virtually
no viruses. Active protection utilities will usually lie between these two extremes.

Windows virus protection

As we have seen, each method has advantages and disadvantages, so that a
virus that avoids one detection method will often be caught by another. This defense
in depth gives the best protection against all viruses, and a good anti-virus product
will cover these methods, allowing them to be combined in an effective manner.

How to Prevent a Virus Invasion!

1. Load only software from original disks or CDs. Pirated or copied software is
always a risk for a virus.
2. Execute only programs whose origin you know. Programs sent by email
should always be treated as suspicious.
3. Computer uploads and "system configuration" changes should always be
performed by the person who is responsible for the computer. Password
protection should be employed.
4. Check all shareware and free programs downloaded from on-line services with
a virus checking program.
5. Purchase a virus program that runs as you boot or work on your computer.
Update it frequently.

If you run Windows on your computer, you should also run an up-to-date
antivirus program. Not only will such a utility protect you against the most common
viruses, but it can also detect many (although not all) of the backdoor agents and
trojans an intruder might install on your system.

Attachments & trojans

Running antivirus software is neither a cure-all nor a substitute for good
security practices. There is always some time delay between the introduction of a
virus and its incorporation into antivirus software databases. Backdoors and trojans
can also be designed to hide from virus-detection programs. For those reasons:
• Do not run or open email attachments unless you know the sender, expect an
attachment from that person, and the subject line of the mail and type of
attachment "make sense." Note that:
o Microsoft never sends out patches via email.
o SCS Computing Facilities will never, without prior notice, send you an
email message containing an attachment.
• Do not run programs from untrusted sources.
Spam emailers and email viruses can forge message headers, making it appear, for
example, that the mail comes from someone you know. If you check the message
headers, you can confirm the true message origin.
