Computer Virus and Malware


TOPIC: COMPUTER SYSTEMS

Level: A/L By: DZEUGANG PLACIDE

Sub topic: COMPUTER VIRUSES AND MALWARE
Learning objectives
After studying this lesson, students should be able to:
- Define a computer virus and discuss its sources, its manifestations, and how to detect,
prevent or treat computer viruses and malware
- Name and describe the different types of malicious software
- Give some examples of antivirus software
I. WHAT IS A COMPUTER VIRUS?
A computer virus is a piece of malicious code that attaches itself to other existing programs,
including operating systems. In 1983, researcher Fred Cohen defined a computer virus as “a
program that can ‘infect’ other programs by modifying them to include a version of itself.”
Computer viruses spread quickly and wreak havoc on computer systems, including the potential
destruction of operating systems and data. Their effects range from an irritating message flashing
on the screen to the deletion of data on the hard drive.
II. BRIEF HISTORY OF COMPUTER VIRUSES
The first computer virus for Microsoft DOS was apparently written in 1986 and contains
unencrypted text with the name, address, and telephone number of Brain Computer Services, a
store in Lahore, Pakistan. This virus infected the boot sector of 5¼-inch floppy diskettes with a
360 Kbyte capacity. Robert Slade, an expert on computer viruses, believes the Brain virus was
written as a form of advertising for the store in Pakistan. Experts estimate that the doom
worm infected approximately a quarter of a million computers in a single day in January 2004. Back
in March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other
very large companies to shut down their e-mail systems completely until the virus could be
contained. The ILOVEYOU virus in 2000 had a similarly devastating effect. In January 2007, a
worm called Storm
III. SOURCES OF COMPUTER VIRUSES
The most potent threat to computer users is the virus attack. Virus attacks hamper
important work involving data and documents. It is imperative for every computer user to be
aware of the software and programs that can help protect personal computers from such
attacks, and to take every possible measure to keep computer systems free from
virus attacks. The top sources of virus attacks are highlighted below:
- Downloadable programs
- Email attachments
- Booting from an unknown CD
a) Downloadable Programs
One of the possible sources of virus attacks is programs downloaded from the web. Unreliable
sources and Internet newsgroups are among the main sources of computer virus attacks. Any type
of executable program, including games, freeware and screensavers, is a major source of computer
virus attacks. Executable files with an extension such as “.com” or “.exe” (a file named
“coolgame.exe”, for example) can carry viruses too. If you want to download programs from
the Internet, it is necessary to scan every program you download before running it.
b) Email Attachments
Email attachments are another popular source of computer virus attacks. Hence, you
must handle email attachments with extreme care, especially if the email comes from an
unknown sender. Installing a good antivirus program is essential if you want to
eliminate the possibility of virus attacks. It is necessary to scan the attachment even if it comes from a
friend: the friend may have unknowingly forwarded a virus along with the email attachment.
c) Booting from Unknown CD
Another source of virus attacks is an unknown CD. It is good practice to remove the CD
when the computer is not in use. If you leave a CD in the drive after switching off the
computer, there is every possibility that the computer will boot automatically from the disc,
which can install and launch files or programs on that computer. Apart from the above-mentioned
sources, file sharing networks like BearShare, Kazaa and LimeWire are possible sources of virus
attacks too.
Hence, it is necessary to delete files downloaded from the above-mentioned file sharing
networks to eliminate the possibility of virus infection.
IV. CHARACTERISTICS OF A COMPUTER VIRUS
Computer viruses generally have the following characteristics:
- Replication: a typical virus makes several copies of itself after infecting a
system.
- Polymorphism: the ability of a virus to change its own code segment to avoid
identification by a virus scanner.
- Versatility: the ability of a virus to attack a wide range of application software.
- Small size: the small size of viruses makes it easy for them to attach themselves to other
programs and remain unnoticed for long periods of time.
- Tunneling: some viruses have the ability to prevent the correct use of the antivirus
package.
V. TYPES OF VIRUSES
Everyone dreads being the recipient of a computer virus, but not everyone minds studying them.
There are researchers who spend a lot of time looking into different types of computer viruses
and related security threats in order to determine how they are programmed, how they do
damage, and how they spread. Personally, I find this field interesting, and I enjoy reading about the
different types of viruses in existence.
1) Boot Sector Virus
The term “boot sector” is a generic name that seems to originally come from MS-DOS but is
now applied generally to the boot information used by any operating system. In modern
computers this is usually called the “master boot record,” and it is the first sector on a partitioned
storage device.
Boot sector viruses became popular because of the use of floppy disks to boot a computer. The
widespread usage of the Internet and the death of the floppy have made other means of virus
transmission more effective.
2) Browser Hijacker
This type of virus, which can spread itself in numerous ways including voluntary download,
effectively hijacks certain browser functions, usually by redirecting the user
automatically to particular sites. It is usually assumed that this tactic is designed to increase
revenue from web advertisements.
There are many such viruses, and they usually have “search” somewhere in their
description. CoolWebSearch may be the best known example, but others are nearly as
common.
3) Direct Action Virus
This type of virus, unlike most, only comes into action when the file containing the virus is
executed. The payload is delivered and then the virus essentially becomes dormant – it takes no
other action unless an infected file is executed again.
Most viruses do not use the direct action method of reproduction simply because it is not prolific,
but viruses of this type have done damage in the past. The Vienna virus, which briefly
threatened computers in 1988, is one such example of a direct action virus.
4) File Infector Virus
Perhaps the most common type of virus, the file infector takes root in a host file and then begins
its operation when the file is executed. The virus may completely overwrite the file that it infects,
or may only replace parts of the file, or may not replace anything but instead re-write the file so
that the virus is executed rather than the program the user intended.
Although the name “file virus” suggests otherwise, the definition does not cover every virus that
lives in a file; the macro virus described below, for example, is not counted as a file virus. Instead,
the term usually refers only to viruses that use an executable file format, such as .exe, as their
host.
5) Macro Virus
A wide variety of programs, including productivity applications like Microsoft Excel, provide
support for macros: special actions programmed into the document using a specific macro
programming language. Unfortunately, this makes it possible for a virus to be hidden inside a
seemingly benign document.
Macro viruses vary widely in terms of payload. The most well known macro virus is probably
Melissa, a Word document supposedly containing the passwords to pornographic websites. The
virus also exploited Word’s link to Microsoft Outlook in order to automatically email copies of
itself.
6) Multipartite Virus
While some viruses are happy to spread via one method or deliver a single payload, multipartite
viruses want it all. A virus of this type may spread in multiple ways, and it may take different
actions on an infected computer depending on variables such as the operating system installed or
the existence of certain files.
7) Polymorphic Virus
Another jack-of-all-trades, the polymorphic virus actually mutates over time or after every
execution, changing the code used to deliver its payload. Alternatively, or in addition, a
polymorphic virus may guard itself with an encryption routine that automatically alters itself
when certain conditions are met.
The goal of this trickery is evasion. Antivirus programs often find viruses by the specific code
they use, so obscuring or changing the code of a virus can help it avoid detection.
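To make the lesson's point concrete, here is a minimal signature-based scanner of the kind antivirus products are built around. It is an added illustration, not code from the lesson or from any antivirus vendor: it matches files against a whole-file SHA-256 hash and against a short byte pattern, and the signature database, the "Demo.Marker.A" name and the three sample files are all constructed for the demonstration (they are harmless text, not real malware). The third sample differs from the known-bad file by a single byte, which is enough for both the hash and the exact byte pattern to miss it; that is why real products layer heuristics and behaviour monitoring on top of signatures.

```python
"""Minimal signature-based file scanner (added example; not from the original lesson)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed samples.  "MZ\x90\x00" mimics the start of a DOS/Windows executable
# header so the files look like the .exe/.com hosts discussed in the lesson.
SAMPLE_CLEAN = b"MZ\x90\x00 clean program body ... nothing unusual here"
SAMPLE_INFECTED = b"MZ\x90\x00 host program body DEMO-MARKER-DO-NOT-RUN payload"
# Same file with one byte changed (RUN -> RUM): a hash lookup and an exact byte
# signature both miss it, which is the weakness the lesson describes.
SAMPLE_MUTATED = b"MZ\x90\x00 host program body DEMO-MARKER-DO-NOT-RUM payload"

# Constructed signature database.  Real scanners ship millions of entries and
# update them constantly; the hash entry here is derived from SAMPLE_INFECTED.
KNOWN_BAD_HASHES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_INFECTED).hexdigest(): "Demo.Marker.A",
}
BYTE_SIGNATURES: Dict[str, bytes] = {
    "Demo.Marker.A": b"DEMO-MARKER-DO-NOT-RUN",
}


def scan_bytes(data: bytes) -> List[str]:
    """Return the name of every signature that matches `data` (empty list if clean)."""
    hits: List[str] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        hits.append(KNOWN_BAD_HASHES[digest] + " (hash)")
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name + " (pattern)")
    return hits


def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Scan every regular file under `root`; map relative path -> list of matches."""
    report: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            report[str(path.relative_to(root))] = scan_bytes(path.read_bytes())
    return report


def demo() -> Dict[str, List[str]]:
    """Write the constructed samples to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.exe").write_bytes(SAMPLE_CLEAN)
        (root / "infected.exe").write_bytes(SAMPLE_INFECTED)
        (root / "mutated.exe").write_bytes(SAMPLE_MUTATED)
        return scan_directory(root)


if __name__ == "__main__":
    for filename, hits in demo().items():
        print(f"{filename}: {'CLEAN' if not hits else ', '.join(hits)}")
```

Running the module reports `infected.exe` twice (once by hash, once by pattern), `clean.exe` as clean, and `mutated.exe` as clean as well, even though it is the same file with one byte altered. The hash entry is the cheapest check but the most brittle; the byte pattern survives changes elsewhere in the file but not a change inside the pattern itself.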
8) Resident Virus
This broad virus definition applies to any virus that inserts itself into a system’s memory. It then
may take any number of actions and run independently of the file that was originally infected.
A resident virus can be contrasted with a direct action virus, which does not insert itself into the
system’s memory and therefore only takes action when an infected file is executed.
9) Web Scripting Virus
Many websites execute complex code in order to provide interesting content. Displaying online
video in your browser, for example, requires the execution of code in a specific language that
provides both the video itself and the player interface.
Of course, this code can sometimes be exploited, making it possible for a virus to infect a
computer or take actions on a computer through a website. Although malicious sites are
sometimes created with purposely infected code, many such cases exist because of code
inserted into a site without the webmaster’s knowledge.
VI. BASIC COMPONENTS OF A VIRUS
A typical computer virus is made up of two main parts: the shell and the payload. The shell
contains instructions that are used for copying itself from one computer program or document to
another. It also contains instructions that are used for avoiding detection. The payload is the part
that causes damage to the computer. This destructive component can be activated either by the
arrival of a particular date or the execution of a particular action by the user.
VII. SIGNS AND SYMPTOMS OF A VIRAL ATTACK
It can be a nightmare scenario for any computer owner: your beloved machine begins to act
strangely and, before you know it, you have lost control completely and realize too late that you
have a virus. One of the “good” things about computer viruses is that, in most cases, you know
immediately when you have one. While there is no complete list of computer virus symptoms,
you can look for a few key things.
1) Home Page Redirects – We all know and love our home page, the Internet page that opens
up automatically whenever we start our browsers. If you are noticing that your web browser
is displaying a different page, one you have never heard of, on startup, however, chances are
you have a virus.
2) Significant Slowdowns – Computer viruses eat up many of your system resources. If you
notice that programs are loading slower, or they will not open at all, and your hard drive seems
to be running constantly, chances are, you have a computer virus infection.
3) Mid Browsing Redirects – Along with having a new home page chosen for you against your
will, you may also notice that every 10 or 20 pages you visit automatically sends you back to
one you never asked to go to in the first place. These automatic redirects are often a key sign
that you have a bug.
4) Pop-ups Everywhere – Most of us are used to getting pop-up windows as we browse the
Internet, but if you are getting them constantly, and they all seem to be for the same one or
two websites, then you likely have a virus. Some bugs are so bothersome that you get popups
even when you are not using a web browser.
5) Computer Lock Ups – With today’s lightning-fast computer chips, lockups have, for the most
part, become outdated. However, if you are noticing that your computer suddenly
becomes unresponsive, you are probably seeing computer Trojan or computer worm
symptoms. If this happens every time you run a particular program, try starting up in safe
mode and running your virus protection right away.
6) Bizarre Error Messages – Most of us know what typical Windows error messages look like.
If you begin to see pop-up windows with bizarre or odd sounding error messages in them, try
to copy down the message you see and then Google it. You will know soon enough if your
computer is showing computer virus symptoms or if you have a program that just is not acting
normally.
7) Fake Virus Scans – Oftentimes, websites will use authentic-looking, albeit fake, virus scans
of your computer to make it appear that you are infected with hundreds of bugs. The “scan”
will then tell you that you need to click on a link and download computer virus
protection software, which, in actuality, is just a pack of viruses. Ignore these scans and
perform one of your own to see if you are showing computer virus symptoms.
8) Distortions on your Desktop – If you suddenly notice that dialog boxes, chat windows and
other programs look different than they did before, you either have a problem with your
display or your video card, or you have a virus. Start by running your virus protection software and
then move on to non-virus related solutions.
9) A Huge Increase in File Space/Decrease in Free Drive Space – One activity that viruses
love is to replicate and to invite their friends over. You can have a computer with an almost
empty hard drive, and then a moment later, have one that has run out of space completely. If
you have gotten a warning about being out of drive space when you should not be, you are
showing classic computer virus symptoms.
10) Huge Decrease in Download Speeds – Not only can a virus take control of your computer,
it can hog your bandwidth as well. Try restarting and resetting your Internet connection to
see if your connection speed improves; if not, perform a virus scan immediately.
11) New Icons – Most of us can name the different icons that are on our desktop, but if you see
icons disappear, or icons appear that you do not recognize, your computer is exhibiting classic
computer virus symptoms.
VIII. HOW TO TREAT A COMPUTER INFECTED BY A VIRUS
If your computer is infected with a virus, you will want to remove it as quickly as possible, but there
is no need to panic! The golden rule in this situation is to remain calm, to avoid deleting important data.
1) Stop all running programs and disconnect the computer from the Internet and any other local
network to avoid spreading the virus to other computers. In fact, there are Trojan-type
viruses that perform remote downloads, commonly called “Trojan Downloaders”.
2) If the symptom observed is that the computer does not boot from the hard drive (an error message
appears when you turn on the computer), try booting in Safe Mode or from the startup disk
you created during the installation of the operating system.
3) Before starting anything, it is recommended to make selective backups of “important”
and “healthy” files, on CD-R or DVD-R media for example.
4) Install a good antivirus, if this has not been done yet, and download the latest updates of the virus
databases. It is preferable to do this from another computer, since yours may indeed be infected.
5) Run a full system scan again to make sure that there is no threat.
6) If a virus, worm or Trojan is detected, follow the instructions from your Internet security
provider. Good security programs have options to disinfect infected objects, quarantine for
those who may be infected, and delete worms and Trojans. They also create a report with the
names of the infected files and malware found in your computer.
7) It may happen that after the full scan the computer does not start or the system becomes
unstable (showing error messages, most often about missing files) because some system files
were infected and deleted during the scan. In this case, it is preferable to format the disk and
perform a full installation of the operating system and all programs.
NB: if your computer is infected with a virus, formatting or erasing the hard drive and starting
over will usually remove any virus. However, keep in mind that if backups have been made
that contain the virus, if other media or drives connected to the computer carry the virus, if your
computer is connected over a network to another computer with the virus, or if the virus is stored on
some other software you use with your computer, it can become re-infected if not properly
protected.
IX. HOW TO PROTECT YOUR COMPUTER FROM VIRUSES
In order to protect a computer or computer data against viruses, computer users can apply one or
more of the following techniques:
(1) Install powerful antivirus software on your PC and update it regularly. Examples of
popular antivirus programs include Norton Antivirus, Panda Antivirus, Kaspersky
Antivirus, Avast Antivirus and AVG Antivirus.
(2) Always scan every storage medium from another PC before opening the files on it.
(3) Use only software from legitimate sources.
(4) Scan every email attachment you receive before opening it.
(5) Avoid indiscriminately opening files with erotic photographs attached to them. Most of
these files are often infected with very dangerous malware.
(6) Do not run any suspicious programs.
(7) Educate yourself regularly on computer security issues.
X. OTHER MALICIOUS SOFTWARE
The term malicious software (malware) refers to any software that is designed to disrupt the
normal operation of a computer without the consent of the user. Such software is often capable of
installing, corrupting, or even deleting other files. The following is a list of terminology
commonly used to describe the various types of malicious software:
Spyware- Spyware is any technology that aids in gathering information about a person or
organization without their knowledge. On the Internet (where it is sometimes called a
spybot or tracking software), spyware is programming that is put in someone's computer
to secretly gather information about the user and relay it to advertisers or other interested
parties. Spyware can get into a computer as a software virus or as the result of installing a
new program.
Worm- a worm is a self-replicating virus that does not alter files but duplicates itself. It
is common for worms to be noticed only when their uncontrolled replication consumes
system resources, slowing or halting other tasks.
Logic bomb- a logic bomb is programming code, inserted surreptitiously or intentionally,
that is designed to execute (or "explode") under circumstances such as the lapse of a
certain amount of time or the failure of a program user to respond to a program
command. It is in effect a delayed-action computer virus or Trojan horse. A logic bomb,
when "exploded," may be designed to display or print a spurious message, delete or
corrupt data, or have other undesirable effects.
Trapdoor- is a method of gaining access to some part of a system other than by the
normal procedure (e.g. gaining access without having to supply a password). Hackers
who successfully penetrate a system may insert trapdoors to allow them entry at a later
date, even if the vulnerability that they originally exploited is closed. There have also
been instances of system developers leaving debug trapdoors in software, which are then
discovered and exploited by hackers.
Trojan (Trojan horse) - a Trojan horse is a program in which malicious or harmful code
is contained inside apparently harmless programming or data in such a way that it can get
control and do its chosen form of damage, such as ruining a certain area of your hard
disk. A Trojan horse may be widely redistributed as part of a computer virus.
RATs (Remote Admin Trojans) - are a special form of Trojan horse that allows remote
control over a machine. These programs are used to steal passwords and other sensitive
information. Although they are "invisible", symptoms such as a slow-moving system, CD
drives opening and closing, and unexplained restarting of your computer may manifest.
Mobile Malicious Code - web documents often have server-supplied code associated
with them, which executes inside the web browser. This active content allows information
servers to customize the presentation of their information, but also provides a mechanism
to attack systems running a client browser. Mobile malicious code may arrive at a site
through active content such as JavaScript, Java Applets and ActiveX controls or through
Plug-ins.
Malicious Font - webpage text that exploits the default method used to de-compress
Embedded Open Type Fonts in Windows based programs including Internet Explorer and
Outlook. These malicious fonts are designed to trigger a buffer overflow, which will
disable the security on Windows-based PCs. This allows an intruder to take complete
control of the affected computer and remotely execute destructive activities including
installing unauthorized programs and manipulating data.
Rootkits - Rootkits are a set of software tools used by an intruder to gain and maintain
access to a computer system without the user's knowledge. These tools conceal covert
running processes, files and system data making them difficult to detect. There are
rootkits to penetrate a wide variety of operating systems including Linux, Solaris and
versions of Microsoft Windows. A computer with rootkits on it is called a rooted
computer.
There are three types of rootkits. Below is a description of the characteristics of each:
o Kernel Rootkits - hide a backdoor on a computer system by using modified code
to add or replace a portion of the system's existing kernel code. Usually the new
code is added to the kernel via a device driver or loadable module. Kernel rootkits
can be especially dangerous because they can be difficult to detect without
appropriate software.
o Library Rootkits - hide information about the intruder by manipulating system
calls with patches, hooks, or replacements.
o Application Rootkits - replace or modify regular application binaries with
camouflaged fakes, hooks, patches, or injected code.
XI. SOME POPULAR MALICIOUS COMPUTER PROGRAMS
Brain virus
The first computer virus for Microsoft DOS was apparently written in 1986 and contains
unencrypted text with the name, address, and telephone number of Brain Computer Services, a
store in Lahore, Pakistan. This virus infected the boot sector of 5¼-inch floppy diskettes with a
360 Kbyte capacity. Robert Slade, an expert on computer viruses, believes the Brain virus was
written as a form of advertising for the store in Pakistan.
A variant of the Brain virus was discovered at the University of Delaware in the USA during
Oct 1987 where the virus destroyed the ability to read the draft of at least one graduate student's
thesis.
Lehigh Virus
In November 1987, a virus was discovered infecting the COMMAND.COM file on DOS
diskettes at Lehigh University. When an infected COMMAND.COM had infected four other
copies of COMMAND.COM (i.e., when copying to a floppy diskette), the virus wrote over the
file allocation table on all disks in the system, destroying the ability to read files from those
disks.
Quick intervention at Lehigh University, including overnight development and distribution of a
disinfection program, stopped this virus from spreading off campus. The data on approximately
500 computer disks and diskettes at Lehigh University were lost because of this one virus.
To the best of my knowledge, the author of the Lehigh Virus was never identified, so there was
no punishment for him.
Christmas Worm
A student at a university in Germany created a worm in the REXX language. He released his
worm in December 1987 on a network of IBM mainframe computers in Europe.
The worm displayed an image of a conifer tree on the user's monitor, while it searched two files
on the user's account to collect e-mail addresses, and then automatically sent itself to all of those
addresses. (This trick would be used again, on a different operating system, in March 1999 by
the Melissa virus.) The Christmas worm deleted itself after it functioned once. However, the one
copy deleted was replaced by multiple copies sent to everyone with an e-mail address in either
the in-box or out-box of the user's account, so the total number of copies continued to increase.
The worm itself was relatively harmless: it neither deleted nor altered the user's computer files.
However, the rapid propagation of the worm created a mailstorm in the network of IBM
mainframe computers from nine to 14 Dec 1987.
The author of the Christmas worm was identified, by tracing the mail messages back to the
original source. His computer account was closed, but I cannot find any other punishment for
him.
Morris Worm
On 2 November 1988, Robert Tappan Morris, then a first-year graduate student in computer
science at Cornell University, released his worm that effectively shut down the Internet for
several days.
The Morris Worm used four different ways to get unauthorized access to computers connected to
the Internet:
1. a defect in sendmail that was present when DEBUG was enabled at compile time
2. a buffer overflow defect in fingerd
3. the trusted hosts feature that allows use without a password (rexec, rsh)
4. an algorithm that tried 432 common passwords, plus variations on the user's name, and
then /usr/dict/words.
The worm only infected Sun-3 and Digital Equipment Corp. VAX computers running versions
of the Berkeley UNIX operating system.
MBDF Virus
In 1992, four undergraduate students at Cornell University created and released the MBDF virus,
which attacks Apple Macintosh computers. This virus was released in three shareware programs:
1. Obnoxious Tetris, a computer game,
2. Ten Tile Puzzle, a computer game, and
3. Tetricycle, a Trojan horse program that contained an encrypted copy of the MBDF
virus.
David S. Blumenthal wrote the virus and inserted it in the three programs. Blumenthal also
created an anonymous account on a Cornell computer, so that apparently untraceable file
transfers could be made. Mark A. Pilgrim used this anonymous account on 14 Feb 1992 to
upload the three programs to an Internet archive at Stanford University.
Pathogen Virus
In April 1994, the Pathogen computer virus was released in the United Kingdom, by uploading
an infected file to a computer bulletin board, where victims could download a copy of the file.
The Pathogen virus counted the number of executable (e.g., *.EXE and *.COM) files that it
infected. When the virus had infected 32 files and an infected file was executed between 17:00
and 18:00 on a Monday:
- the keyboard was disabled,
- data in the first 256 cylinders of the hard disk drive were corrupted, and
- a message was displayed on the CRT that included: "I'll be back for breakfast... Unfortunately
some of your data won't!"
The Pathogen virus contained a second virus, Smeg, which hid Pathogen from anti-virus
software.
Melissa Virus
The Melissa virus was released on 26 March 1999 and was designed to infect macros in
word processing documents used by the Microsoft Word 97 and Word 2000 programs. Macro
viruses were not new; they had been known since 1995.
The innovative feature of the Melissa virus was that it propagated by e-mailing itself to the first
fifty addresses in the Microsoft Outlook e-mail program's address book. This feature allowed the
Melissa virus to propagate faster than any previous virus. The virus arrived at each new victim's
computer disguised as e-mail from someone who they knew, and presumably trusted. (About
11 years earlier, the Christmas Worm automatically sent itself to everyone in a victim's e-mail
address book on an IBM mainframe computer.)
The Melissa virus propagated in two different ways:
1. On PCs running the Microsoft Outlook 97 or 98 e-mail program, the Melissa virus used
the Outlook program to send an e-mail containing an attachment, with a filename like
list.doc. This file contained a Microsoft Word document with a macro, and a copy of the
Melissa virus was inside the macro.
When this e-mail was received by someone who had Microsoft Word on his/her
computer (even if their computer was an Apple Macintosh), and the recipient clicked on
the attachment, the document would open and the Melissa virus would automatically
infect Word's normal.dot template file, thus infecting the recipient's computer.
While Microsoft Outlook was necessary for the automatic sending of infected documents,
the recipient of such e-mail could be infected even if the recipient used a non-Microsoft
e-mail program.
2. Infected Microsoft Word documents could also be transmitted by floppy disks, by ordinary e-mail
sent by the victim, etc. When such infected documents were opened in Microsoft Word, the
Melissa virus would automatically infect Word's normal.dot template file, thus infecting
the recipient's computer.
ILOVEYOU Worm
The ILOVEYOU worm was first reported in Hong Kong on 4 May 2000 and spread westward on
that day. The ILOVEYOU worm affected computers at more than half of the companies in the
USA and more than 105 mail servers in Europe. Internal e-mail systems at both the U.S. Senate
and Britain's House of Commons were shut down. It was estimated that the ILOVEYOU worm
did more damage than any other malicious program in the history of computing: approximately
US$ 9 × 10^9. On 4 May 2000, MessageLabs filtered ILOVEYOU from one in every 28 e-mails,
the all-time highest daily infection rate seen by MessageLabs.
The ILOVEYOU incident was commonly reported as a virus in the news media, but it was
actually a worm, because this malicious program did not infect other programs. I call this worm
by the subject line of e-mail that propagated this worm. Norton Anti-Virus calls it
VBS.Loveletter.A.
The ILOVEYOU worm arrived at the victim's computer in the form of e-mail with the
ILOVEYOU subject line and an attachment. The e-mail itself was innocuous, but when the user
clicked on the attachment to read the alleged love letter, LOVE-LETTER-FOR-YOU.TXT.VBS,
the attachment was a Visual Basic program that performed a horrible sequence of bad things:
1. deletion of files from victim's hard disk
The worm overwrote files from the victims' hard disk drive, specifically targeting files
with extensions:
o *.JPG, *.GIF, and *.WAV, amongst many others (i.e., files containing
audio/visual data),
o *.CSS (i.e., cascading style sheets called by HTML 4.0 documents).
o some later versions deleted *.COM or *.EXE files, which prevented the computer
from starting when rebooted.
o some later versions deleted *.INI files.
The worm overwrote a copy of itself to a file with the name of the original file, appending the
extension *.VBS, so the total number of files on the victim's hard disk would be unchanged and
the damage more difficult to immediately detect. Further, if a victim clicked on one of these
files, the ILOVEYOU worm would be activated again on that one victim.
By overwriting files, instead of merely deleting files, the worm made it much more difficult
(perhaps impossible) to recover the original file on the victim's hard drive. For example, if the
worm had merely deleted files, then the victim could restore the files from the Recycle Bin or
Trash Can.
In addition, the worm marked files of type *.MP3 as hidden, so they would no longer appear in
directory listings, then copied the worm to new files *.MP3.VBS.
2. Password theft
The attachment LOVE-LETTER-FOR-YOU.TXT.VBS automatically set the Microsoft
Internet Explorer start page to a URL at a web server in the Philippines, which would
download WIN-BUGSFIX.EXE to the victim's machine.
The worm then set the victim's machine to run WIN-BUGSFIX.EXE the next time the
victim's machine was booted.
WIN-BUGSFIX.EXE was a Trojan horse program that collected usernames and
passwords from the victim's hard drive and e-mailed them to an address in the
Philippines, mailme@super.net.ph. (That was a stupid feature, since law
enforcement agents, within 12 hours of the initial release of the worm, identified the
person who owned that e-mail address.) Furthermore, there was a copyright notice in the
Trojan horse’s code!
An Internet Service Provider in Europe alerted the web server in the Philippines at
08:30 GMT on Thursday, 4 May 2000, and WIN-BUGSFIX.EXE was removed from the
website, which prevented most of the harm in Europe and the USA from this password-
collecting program. Later, the web server in the Philippines was overwhelmed (i.e., a
kind of a denial of service attack) with requests from the worm for WIN-BUGSFIX.EXE.
This Trojan horse program had been previously submitted as a thesis proposal at a
computer college in the Philippines. The proposal was rejected with handwritten
comments "This is illegal." and "We don't produce burglars." The student then dropped
out of the college without earning a degree. A copy of the student's rejected thesis
proposal is posted at Richard M. Smith's website.
3. Worm propagation
The worm transmitted itself using features of the earlier Melissa program: it scanned the
address book in Microsoft Outlook and then transmitted a copy of the ILOVEYOU email to all
of those e-mail addresses. This method of transmission rapidly disseminated
the worm to millions of victims. In comparison, Melissa sent copies to only the first
50 entries in the Microsoft Outlook address book, while ILOVEYOU sent copies to every
address in the victim's book.
The worm also sent copies to other people on the same Internet Relay Chat channel that
the victim was using.
Anna Worm
On 11 Feb 2001, a malicious program was released that was contained in an attachment to e-mail.
The attachment purported to be a picture of a 19-year-old Russian tennis player, Anna
Kournikova, but the attachment was actually a computer worm. The attachment had the file
name AnnaKournikova.jpg.vbs.
The file type .jpg is commonly used for graphic images, such as photographs. However, the real
file type was .vbs, which is an executable file: a computer program written in Microsoft Visual
Basic Script.
This malicious program is often known by the last name of the innocent tennis player. I have
chosen to refer to this malicious program by her first name, Anna, to avoid associating the tennis
player with this malicious program. Norton Anti-Virus calls this worm VBS.SST@mm. F-Secure
calls this worm OnTheFly after the pseudonym of its author.
The Anna worm did the following two things on a victim's computer:
- it sent one copy of the worm to each e-mail address in the victim's Microsoft Outlook
address book;
- on 26 Jan of each year, it displayed the homepage of an innocent computer store on the
victim's web browser.
The Anna worm does not have any novel technical features. I mention the Anna worm here only
because it is one of the very few cases in which the author was arrested and punished.
The Anna worm rapidly spread amongst computers, particularly in North America, on 12-13
Feb 2001. While the Anna worm was relatively benign (e.g., it did not damage any files on
the victim's computer), it still caused harm by clogging the Internet with many copies of itself
and by requiring each victim to remove it from his/her computer.
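Both ILOVEYOU (LOVE-LETTER-FOR-YOU.TXT.VBS) and Anna (AnnaKournikova.jpg.vbs) relied on the same trick: a harmless-looking extension in the middle of the name, with the real, executable .vbs extension at the end, where a mail client that hides known extensions would not show it. The check below is an added example of how a mail gateway or attachment filter can flag that pattern before a user ever sees the attachment; it is not code from the lesson or from any mail product. The two policy lists (which extensions Windows treats as executable, and which ones users read as harmless data) and every sample filename other than the two taken from the lesson are constructed for the demonstration.

```python
"""Attachment-name triage for deceptive double extensions (added example; not
from the original lesson).  Inspects names only; a real gateway also inspects
content, since a name can lie in the other direction too."""
from typing import List, Tuple

# Constructed, non-exhaustive policy list: extensions Windows runs or hands to a
# script engine when the file is double-clicked.
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "scr", "pif",
    "vbs", "vbe", "js", "jse", "wsf", "hta",
}
# Constructed list of extensions users read as harmless data; these are the
# "bait" half of a double extension such as picture.jpg.vbs.
DATA_EXTS = {"txt", "jpg", "jpeg", "gif", "png", "doc", "pdf", "mp3", "wav"}


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is "block", "warn" or "allow".

    Verdicts depend only on the extension chain, so LOVE-LETTER-FOR-YOU.TXT.VBS
    and AnnaKournikova.jpg.vbs are both blocked for the same reason."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return ("warn", "no extension")
    exts = parts[1:]          # every extension after the base name
    last = exts[-1]           # the one the operating system actually honours
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DATA_EXTS:
            return ("block", f"double extension .{exts[-2]}.{last} disguises an executable")
        return ("block", f"executable attachment type .{last}")
    return ("allow", "data file")


# Constructed sample batch; the first two names are the ones quoted in the lesson.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.VBS",
    "AnnaKournikova.jpg.vbs",
    "quarterly-report.pdf",
    "holiday.jpg",
    "setup.exe",
    "README",
]


def triage(names: List[str]) -> List[Tuple[str, str, str]]:
    """Classify a batch of attachment names; returns (name, verdict, reason) rows."""
    return [(name, *classify_attachment(name)) for name in names]


if __name__ == "__main__":
    for name, verdict, reason in triage(SAMPLE_ATTACHMENTS):
        print(f"{verdict:5s}  {name:30s}  {reason}")
```

The comparison is case-insensitive because the worms used upper-case extensions (.TXT.VBS) that a case-sensitive check on ".vbs" would miss. Plain executables such as setup.exe are blocked as well, and an attachment with no extension is only flagged for review, since it cannot be classified from the name alone.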
SOME EXAMPLES OF ANTIVIRUS SOFTWARE
Free antivirus software
1. AVG Free Edition
2. Avast! Home Edition
3. AntiVir Personal
Commercial antivirus software
1. Kaspersky Anti-Virus
2. NOD32 Antivirus by ESET
3. Bitdefender Antivirus
4. Norton Antivirus
5. McAfee Antivirus by Intel
