Computer Virus

And
Antivirus Technology

CREATED BY:
RAUNAK NAYAN
NIKHIL BOHRA
Agenda
• Computer Virus Concept
• Analyze three common computer viruses
• Antivirus Technologies
•Conclusion
Computer Virus Concept
• What is Computer Virus?
• Computer Virus Time Line(History)
• Types of Computer Virus
• Virus Hoax
• How does computer virus works?
 Computer Virus Concept

What is Computer Virus?

• Definition(IDG) -- Virus: A self-replicating piece of
computer code that can partially or fully attach itself to
files or applications, and can cause your computer to
do something you don't want it to do.
• Similarities between biological virus (like " HIV " ) and
computer virus:
• Need a host for residence.
• Capable of self-replicate
• Cause damage to the host.

• Difference: Computer viruses are created by human.

 Computer Virus Concept

Computer Virus Time Line

• 1949 - Theories for self-replicating programs was first developed.
• 1981 - Apple Viruses 1, 2, and 3 was some of the first viruses in public.
• 1988 – Jerusalem was detected. Activated on Friday 13th, the virus affected
both .EXE and .COM files and deleted any programs run on that day.
• 1991 - Tequila is the first widespread polymorphic virus found.
• 1999 - The Melissa virus, W97M/Melissa, executed a macro in a document
attached to an email. Melissa spread faster than any other previous virus.
• 2000 - The Love Bug, also known as the ILOVEYOU virus, sent itself out via
Outlook, much like Melissa.
• 2001 - The Code Red I and II worms attacked computer networks in July and
August. They affected over 700,000 computers and caused upwards of 2 billion in
damages.
 Computer Virus Concept

Types of Computer Virus

•Boot Sector Virus - Michelangelo
Boot sector viruses infect the boot sectors on floppy disks and hard disks, and can also
infect the master boot record on a user's hard drive.
•File Infector Virus - CIH
Operate in memory and usually infect executable files.
•Multi-partite Virus
Multi-partite viruses have characteristics of both boot sector viruses and file infector viruses.
•Macro Virus - Melissa Macro Virus
They infect macro utilities that accompany such applications as Microsoft Word, Excel and
outlook.
 Computer Virus Concept

Types of Computer Virus - Continue

•Trojan / Trojan Horse – Back Orifice
A Trojan or Trojan Horse is a program that appears legitimate, but performs some malicious
and illicit activity when it is run.
•Worm – Red Code
A worm is a program that spreads over network. Unlike a virus, worm does not attach itself
to a host program. It uses up the computer resources, modifies system settings and
eventually puts the system down.
Worms are very similar to viruses in that they are computer programs that replicate
themselves. The difference is that unlike viruses, worms exist as a separate small piece of
code. They do not attach themselves to other files or programs.
•Other:
•Java - Java.StrangeBrew
•HTML virus - Usually takes advantage of these scripting languages(VB Script). The
script virus usually uses Web pages to reach the victims.
 Computer Virus Concept

Virus Hoax
• An untrue virus-related warning/alert started by malicious individuals. A Hoax
message, often in the form of electronic mail, can spread away as people pass on
via Internet.
•Hoax message does not have direct harms on computers. Hoax message cause
confusion to the recipients in their attending real virus alerts and waste people' s
time in reading them.
•How to identify a hoax
•Hoaxes use complex technical descriptions and
•Hoaxes request recipients to pass on the message.

•Examples: Work Virus Hoax (keyword: a virus called "work"), Phantom Menace Virus
Hoax (keyword: Virus Alert, Phantom Menace)
 Computer Virus Concept

Virus Characteristics

•Memory Resident:
Loads much like a TSR staying in memory where it can easily replicate itself into programs
of boot sectors. Most common.
•Non-Resident:
Does not stay in memory after the host program is closed, thus can only infect while the
program is open. Not as common.
•Stealth:
The ability to hide from detection and repair in two ways.
- Virus redirects disk reads to avoid detection.
- Disk directory data is altered to hide the additional bytes of the virus.
 Computer Virus Concept

Virus Characteristics

•Encrypting:
Technique of hiding by transformation. Virus code converts itself into cryptic symbols.
However, in order to launch (execute) and spread the virus must decrypt and can then be
detected.
•Polymorphic:
Ability to change code segments to look different from one infection to another. This type of
virus is a challenge for ant-virus detection methods.
•Triggered Event:
An action built into a virus that is triggered by the date, a particular keyboard action or DOS
function. It could be as simple as a message printed to the screen or serious as in
reformatting the hard drive or deleting files.
•In the Wild:
A virus is referred to as "in the wild" if is has been verified by groups that track virus infections
to have caused an infection outside a laboratory situation. A virus that has never been seen in
a real world situation is not in the wild, and sometimes referred to as "in the zoo".
 Computer Virus Concept

How does computer virus work?

• The Basic Rule: A virus is inactive until the infected program is run or
boot record is read. As the virus is activated, it loads into the computers
memory where it can spread itself.
• Boot Infectors: If the boot code on the drive is infected, the virus will
be loaded into memory on every startup. From memory, the boot virus
can travel to every disk that is read and the infection spreads.
• Program Infectors: When an infected application is run, the virus
activates and is loaded into memory. While the virus is in memory, any
program file subsequently run becomes infected.
Analyze three common computer viruses
• CIH
• Macro Virus
• ILOVEYOU
 Analyze three common computer viruses

CIH
• Type: Resident, EXE-files
• Origin: Taiwan
• History: The CIH virus was first located in Taiwan in early June 1998. After
that, it has been confirmed to be in the wild worldwide. It has been among the ten
most common viruses for several months.

• Infects
Windows 95 and 98 EXE files, but it does not work under
Windows NT.
• After an infected EXE is executed, the virus will stay in memory
and will infect other programs as they are accessed.
 Analyze three common computer viruses

CIH - Continue
• BIOS Attack !!!
•Attempts to overwrite the BIOS on Pentium PCs that have flashable BIOS
PROMS.
•If the PC is infected, it will be unbootable (even from diskette) after this
attack and the BIOS chip will need to be replaced or reprogrammed from the
vendor or an outside source .
•The PC can't be booted even after reflash (reprogram) the chip normally.
Because the virus overwrites the first 2048 sectors of your hard disk, further
making your PC unbootable (this works on almost all PCs). But the disk can
be made bootable and restored from a backup.

• Four variants
• CIH v1.2 (CIH.1003): Activates on April 26th.
• CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th.
• CIH v1.4 (CIH.1019): Activates on 26th of every month.
 Analyze three common computer viruses

CIH - Continue
• How to prevent?
If your PC has a flash BIOS write protect jumper on the motherboard, you
can put it in the write-protect position to prevent CIH from overwriting
your BIOS.
 Analyze three common computer viruses

Macro Virus
•What is Macro virus
• A type of computer virus that is encoded as a macro embedded in a document.
• According to some estimates, 35% of all viruses today are macro viruses.
• Once a macro virus gets onto your machine, it can embed itself in all future
documents you create with the application.
• In many cases macro viruses cause no damage to data; but in some cases
malicious macros have been written that can damage your work.
• The first macro virus was discovered in the summer of 1995. Since that time,
other macro viruses have appeared.
 Analyze three common computer viruses

Macro Virus
•How does it spread?
• When you share the file with another user, the attached macro or script goes with
the file. Most macro viruses are designed to run, or attack, when you first open the file.
If the file is opened into its related application, the macro virus is executed and infect
other documents.
• The infection process of the macro virus can be triggered by opening a Microsoft
Office document or even Office Application itself, like Word, Excel. The virus can
attempt to avoid detection by changing or disabling the built-in macro warnings, or by
removing menu commands
• For Word, after a macro virus triggers, it usually copies itself to Normal.dot,
which is the template that Word loads with every file. from there, it can copy itself to
every file that you open or create.
 Analyze three common computer viruses

Macro Virus
• How to prevent?
In your Office programs, make sure that you have macro virus protection turned on.
1. On the Tools menu, click Options.
2. On the General tab, select the Macro virus protection check box.
3. If you have turned on macro virus protection, each time you want to open a document
with macros, the Macro Virus Protection dialog box appears and gives you three
choices.
• Disable Macros
• Enable Macros
• Do Not Open 
 Analyze three common computer viruses

ILOVEYOU
• VBS/LoveLetter is a VBScript worm. It spreads through e-mail as a chain
letter.
•The latest is VBS.LoveLetter.CN. Virus definitions dated May 31, 2001.
• 82 variants of this worm.
•This worm sends itself to email addresses in the Microsoft Outlook address
book and also spreads to Internet chatrooms.
• This worm overwrites files on local and remote drives, including files with
the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav,
.txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp,
.c, .h, .swd, .psd, .wri, .mp3, and .mp2.
• The contents of most of these files are replaced with the source code of
the worm, destroying the original contents. The worm also appends the .vbs
extension to each of these files. For example, image.jpg becomes
image.jpg.vbs.
 Analyze three common computer viruses

ILOVEYOU
• Damage
•Large scale e-mailing:
Sends itself to all addresses in the Microsoft Outlook Address Book
•Modifies files:
Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh,
.sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3,
and .mp2. Files with extensions of .mp2 and .mp3 will be hidden from the user
by setting the hidden directory attribute. Variant G also overwrites .bat and .com
files.
•Degrades performance:
Might create a lot of traffic to the email server
 Analyze three common computer viruses

ILOVEYOU
• Distribution

•Subject of email: ILOVEYOU

•Name of attachment: Love-letter-for-you.txt.vbs
•Size of attachment: 10,307 bytes
• Inside the mail is a short text message saying "Kindly check the
attached LOVELETTER coming from me" and an attachment
named LOVE-LETTER-FOR-YOU.txt.vbs. This is the virus body.
• It's important to note that the virus cannot run by itself. In order for
it to run, the recipient must open the mail, launch the attachment by
double-clicking on it, and answer "yes" to a dialogue that warns of
the dangers of running untrusted programs. (Microsoft)
 Analyze three common computer viruses

ILOVEYOU
• How to prevent?
• Do not launch attachments in emails from unknown
sources!
• Uninstalling the Windows Script Host.
Check http://www.sarc.com/avcenter/venc/data/win.script.hosting.html for more
information
Antivirus Technologies
•How to detect virus?
•How to clean virus?
•Best Practices
 Antivirus Technologies

How to detect virus?

• Some Symptoms
•Program takes longer to load.
•The program size keeps changing.
•When run CHKDSK, it doesn't show 655360 bytes available.
•Keep getting 32 bit errors in Windows.
•The drive light keeps flashing when you are not doing
anything.
•User created files have strange names.
•The computer doesn't remember CMOS settings.
 Antivirus Technologies

How to detect virus?

Some Useful Terms:
CMOS - Complementary Metal Oxide Semiconductor: A memory area that is
used for storage of system information. CMOS is battery backed RAM. CMOS
memory is not in the normal CPU address space and cannot be executed. A virus
may place data in the CMOS or may corrupt it, a virus cannot hide there.

MBR - Master Boot Record: the first Absolute sector (track 0, head 0, sector 1) on
a PC hard disk, that usually contains the partition table.
RAM - Random Access Memory: the place programs are loaded into in order to
execute.
TOM - Top Of Memory: the end of conventional memory, an architectural design
limit at the 640K mark on most PCs. Checking this value for changes can help
detect a virus.
TSR - Terminate but Stay Resident: these are PC programs that stay in memory
while you continue to use the computer for other purposes; they include pop-up
utilities, network driver, and a great number of viruses.
 Antivirus Technologies

How to detect virus?

• Check for any change in the memory map or configuration as soon as you start
the computer in command mode. (If you don’t have antivirus software)

In MSDOS Prompt: Type in Chkdsk

CHKDSK has NOT checked this drive for errors.
Check:
You must use SCANDISK to detect and fix errors on this drive.

Volume DATA created 01-04-2001 2:56p

Volume Serial Number is 1CFA-2864

6,822,284 kilobytes total disk space

2,206,920 kilobytes free

4,096 bytes in each allocation unit

1,705,571 total allocation units on disk
551,730 available allocation units on disk

655,360 total bytes memory

602,160 bytes free
 Antivirus Technologies

How to detect virus?

Start your computer in command prompt. In MSDOS Prompt: Type in MEM/C.
Memory Summary:

Type of Memory Total Used Free

--------------- ----------- ----------- -----------
Conventional 655,360 53,168 602,192
Upper 0 0 0
Reserved 393,216 393,216 0
Extended (XMS) 66,060,288 ? 267,128,832
---------------- ----------- ----------- -----------
Total memory 67,108,864 ? 267,731,024

Total under 1 MB 655,360 53,168 602,192

Total Expanded (EMS) 67,108,864 (64M)

Free Expanded (EMS) 16,777,216 (16M)
Largest executable program size 602,160 (588K)
Largest free upper memory block 0 (0K)
 Antivirus Technologies

How to detect virus?

•Integrity checkers or modification detectors.
These tools compute a small "checksum" or "hash value" (usually CRC or
cryptographic) for files when they are presumably uninfected, and later compare newly
calculated values with the original ones to see if the files have been modified. This
catches unknown viruses as well as known ones and thus provides generic detection.
•Use Debug Or Other Tools to check FAT Table, MBR and partition on your
system.
•Use Antivirus Software to scan the computer memory and disks.
•A memory-resident anti-virus software can be used to continuously monitor the
computer for viruses.
•Scan your hard disk with an anti-virus software. You should make sure that an
up-to-date virus definition data have been applied.
•Use server-based anti-virus software to protect your network.
 Antivirus Technologies

How to clean virus?

•All activities on infected machine should be stopped and it should be
detached from the network.
•Recover from backup is the most secure and effective way to
recover the system and files.
•In some cases, you may recover the boot sector, partition table and
even the BIOS data using the emergency recovery disk.
•In case you do not have the latest backup of your files, you may try
to remove the virus using anti-virus software.
 Antivirus Technologies

How to clean virus?

The steps to reinstall the whole system – My Experience.
1. Reboot the PC using a clean startup disk.
2. Type in FDISK/MBR to rewrite the Master Boot Record.
3. Use FDISK to recreate partitions (Optional)
4. Format DOS partitions.
5. Reinstall Windows98 or Windows2K and other applications.
6. Install Antivirus Software and apply the latest virus definition
data.
 Antivirus Technologies

•Best Practices
•Regular Backup
Backup your programs and data regularly. Recover from backup is the most
secure way to restore the files after a virus attack.

•Install Anti-virus Software

Install an anti-virus software to protect your machine and make sure that an
up-to-date virus definition file has been applied.

• Daily Virus Scan

Schedule a daily scan to check for viruses. The schedule scan could be done
in non-peak hours, such as during the lunch-break or after office hour.

•Check Downloaded Files And Email Attachments

Do not execute any downloads and attachment unless you are sure what it
will do.
 Antivirus Technologies

•Resources
• Antivirus Software
• McAfee Virus Scan
• F-Secure
• Symantec
• Trend Micro
• Shareware, www.grisoft.com
• Free Virus Tool, http://www.antivirus.com/free_tools/
Company Policy Issues
• Education
Educate users to consider e-mail attachments and downloads potentially
dangerous and to treat them very carefully. Open only expected attachments and
download files from trusted sources.
• Updating
Update the virus definition data for the users and the network at least once a
month.
• Warning
Provide computer virus alerts to users as soon as the infection is detected.

• Technical Support
Provide technical support to help users detect and remove virus.
• Reporting
Provide a communication and reporting channel to encourage users to report virus
activities.
Conclusion

•Be careful when use new software and files

•Be alert for virus activities
•Be calm when virus attacks
•We will be fine!
Reference:
http://www.cnn.com/2000/TECH/computing/10/23/virus.works.idg/
http://www.itsd.gov.hk/itsd/virus/general/whatis.htm
http://www.infoplease.com/spot/virustime1.html
http://www.itsd.gov.hk/itsd/virus/general/type.htm
http://www.itsd.gov.hk/itsd/virus/hoax/hoax.htm
http://www.cai.com/virusinfo/faq.htm#how_virus
http://www.europe.f-secure.com/v-descs/cih.shtml
http://www.stiller.com/cih.htm
http://www.webopedia.com/TERM/M/macro_virus.html
http://office.microsoft.com/Assistance/9798/whtsvrus.aspx
http://support.microsoft.com/default.aspx?scid=kb;ZH-CN;q181079
http://securityresponse.symantec.com/avcenter/venc/data/macro.viruses.html
http://office.microsoft.com/Assistance/9798/o97mcrod.aspx
http://www.data-fellows.com/v-descs/love.shtml
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
http://www.data-fellows.com/v-descs/love.shtml
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/virus/vbslvltr.asp
Reference:
•http://www.cai.com/virusinfo/faq.htm
•http://www.itsd.gov.hk/itsd/virus/general/detectvirus.htm
•http://www.itsd.gov.hk/itsd/virus/general/cleanvirus.htm
•http://www.itsd.gov.hk/itsd/virus/guide/guide.htm
•http://kb.indiana.edu/data/aehm.html