The following Slide Show

Antivir
contains Graphical
information on VIRUSES.
Viewer Discretion is

Abhyank 93
Made By-:

Akshit 105
Eijaz 119
Yohan 124
 Antivir

COMPUTE
R
 Antivir

Agenda
•Computer Virus Concept
•Analyze three common computer viruses
•Antivirus Technologies
•Company Policy Issues
•Conclusion
 Antivir

Computer Virus
Concept
•What is Computer Virus?
•Computer Virus Time Line
•Types of Computer Virus
•Virus Hoax
•How does computer virus works?
 Computer Virus Concept
Antivir

What is Computer
Virus?
•Definition -- Virus: A self-replicating piece of computer
code that can partially or fully attach itself to files or
applications, and can cause your computer to do
something you don't want it to do.
•Similarities between biological virus (like " HIV " ) and
computer virus:
•Need a host for residence.
•Capable of self-replicate
•Cause damage to the host.
 Computer Virus Concept
Antivir

Computer Virus Time

Line
•1949 - Theories for self-replicating programs was first developed.
•1981 - Apple Viruses 1, 2, and 3 was some of the first viruses in public.
•1988 – Jerusalem was detected. Activated every Friday the 13th, the virus
affects both .EXE and .COM files and deletes any programs run on that day.
•1991 - Tequila is the first widespread polymorphic virus found.
•1999 - The Melissa virus, W97M/Melissa, executed a macro in a document
attached to an email. Melissa spread faster than any other previous virus.
•2000 - The Love Bug, also known as the ILOVEYOU virus, sent itself out via
Outlook, much like Melissa.
•2001 - The Code Red I and II worms attacked computer networks in July and
August. They affected over 700,000 computers and caused upwards of 2 billion in
 Computer Virus Concept
Antivir

Types of Computer
Virus
•Boot Sector Virus - Michelangelo
Boot sector viruses infect the boot sectors on floppy disks and hard
disks, and can also infect the master boot record on a user's hard drive.
•File Infector Virus - CIH
Operate in memory and usually infect executable files.
•Multi-partite Virus
Multi-partite viruses have characteristics of both boot sector viruses and
file infector viruses.
•Macro Virus - Melissa Macro Virus
They infect macro utilities that accompany such applications as Microsoft
 Computer Virus Concept
Antivir
Types of Computer Virus
- Continue
•Trojan / Trojan Horse – Back Orifice
A Trojan or Trojan Horse is a program that appears legitimate, but performs some malicious and
illicit activity when it is run.

•Worm – Red Code

A worm is a program that spreads over network. Unlike a virus, worm does not attach itself to a
host program. It uses up the computer resources, modifies system settings and eventually puts
the system down.
Worms are very similar to viruses in that they are computer programs that replicate themselves.
The difference is that unlike viruses, worms exist as a separate small piece of code. They do not
attach themselves to other files or programs.
•Other:
•Java - Java.StrangeBrew
•HTML virus - Usually takes advantage of these scripting languages(VB Script). The
 Computer Virus Concept
Antivir
Virus Hoax
•An untrue virus-related warning/alert started by malicious individuals. A Hoax
message, often in the form of electronic mail, can spread away as people pass on
via Internet.
•Hoax message does not have direct harms on computers. Hoax message cause
confusion to the recipients in their attending real virus alerts and waste people' s
time in reading them.
•How to identify a hoax
•Hoaxes use complex technical descriptions and
•Hoaxes request recipients to pass on the message.

•Examples:
•Work Virus Hoax (keyword: a virus called "work"), Phantom Menace Virus Hoax
(keyword: Virus Alert, Phantom Menace)
 Computer Virus Concept
Antivir

Virus Characteristics
•Memory Resident:
Loads much like a TSR staying in memory where it can easily replicate itself into
programs of boot sectors. Most common.

•Non-Resident:
Does not stay in memory after the host program is closed, thus can only infect while the
program is open. Not as common.

•Stealth:
The ability to hide from detection and repair in two ways.
- Virus redirects disk reads to avoid detection.
- Disk directory data is altered to hide the additional bytes of the virus.
 Computer Virus Concept
Antivir
Virus Characteristics
(contd..)
•Encrypting:
Technique of hiding by transformation. Virus code converts itself into cryptic symbols. However, in
order to launch (execute) and spread the virus must decrypt and can then be detected.

•Polymorphic:
Ability to change code segments to look different from one infection to another. This type of virus is
a challenge for ant-virus detection methods.

•Triggered Event:
An action built into a virus that is triggered by the date, a particular keyboard action or DOS
function. It could be as simple as a message printed to the screen or serious as in reformatting the
hard drive or deleting files.

•In the Wild:

A virus is referred to as "in the wild" if is has been verified by groups that track virus infections to
have caused an infection outside a laboratory situation. A virus that has never been seen in a real
 Computer Virus Concept
Antivir
How does computer virus
work?
•The Basic Rule: A virus is inactive until the infected program is run or
boot record is read. As the virus is activated, it loads into the computers
memory where it can spread itself.

•Boot Infectors: If the boot code on the drive is infected, the virus will be
loaded into memory on every startup. From memory, the boot virus can
travel to every disk that is read and the infection spreads.

•Program Infectors: When an infected application is run, the virus

activates and is loaded into memory. While the virus is in memory, any
program file subsequently run becomes infected.
Analyze three Antivir
common computer
viruses

•CIH
•Macro Virus
 Analyze three common computer
viruses
Antivir

CIH
•Type: Resident, EXE-files
•Origin: Taiwan
•History: The CIH virus was first located in Taiwan in early
June 1998. After that, it has been confirmed to be in the wild
worldwide. It has been among the ten most common viruses for
several months.
•Infects Windows 95 and 98 EXE files, but it does not work
under Windows NT.
•After an infected EXE is executed, the virus will stay in memory
and will infect other programs as they are accessed.
 Analyze three common computer
Antivir
CIH viruses
- Continue

•BIOS Attack !!!

•Attempts to overwrite the BIOS on Pentium PCs that have flashable BIOS PROMS.
•If the PC is infected, it will be unbootable (even from diskette) after this attack and the
BIOS chip will need to be replaced or reprogrammed from the vendor or an outside
source .
•The PC can't be booted even after reflash (reprogram) the chip normally. Because the
virus overwrites the first 2048 sectors of your hard disk, further making your PC
unbootable (this works on almost all PCs). But the disk can be made bootable and
restored from a backup.

•Four Variants
•CIH v1.2 (CIH.1003): Activates on April 26th.
•CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th.
•CIH v1.4 (CIH.1019): Activates on 26th of every month.
 Analyze three common computer
viruses
Antivir

CIH - Continue
•How to prevent?
If your PC has a flash BIOS write protect jumper on the motherboard,
you can put it in the write-protect position to prevent CIH from
overwriting your BIOS.
 Analyze three common computer
viruses
Antivir

Macro Virus
•What is Macro virus
•A type of computer virus that is encoded as a macro embedded in a
document.
•According to some estimates, 75% of all viruses today are macro viruses.
•Once a macro virus gets onto your machine, it can embed itself in all future
documents you create with the application.
•In many cases macro viruses cause no damage to data; but in some cases
malicious macros have been written that can damage your work.
•The first macro virus was discovered in the summer of 1995. Since that time,
other macro viruses have appeared.
 Analyze three common computer
viruses
Antivir

Macro Virus
•How does it spread?
•When you share the file with another user, the attached macro or script goes with the
file. Most macro viruses are designed to run, or attack, when you first open the file. If the file
is opened into its related application, the macro virus is executed and infect other
documents.

•The infection process of the macro virus can be triggered by opening a Microsoft Office
document or even Office Application itself, like Word, Excel. The virus can attempt to avoid
detection by changing or disabling the built-in macro warnings, or by removing menu
commands.

•For Word, after a macro virus triggers, it usually copies itself to Normal.dot, which is
the template that Word loads with every file. from there, it can copy itself to every file that
you open or create.
 Analyze three common computer
viruses
Antivir

Macro Virus
• How to prevent?
In your Office programs, make sure that you have macro virus protection turned on.
4. On the Tools menu, click Options.
5. On the General tab, select the Macro virus protection check box.
6. If you have turned on macro virus protection, each time you want to open a document
with macros, the Macro Virus Protection dialog box appears and gives you three
choices.
• Disable Macros
• Enable Macros
• Do Not Open
 Antivir

Selection
Group
 Analyze three common computer
viruses
Antivir

ILOVEYOU
•VBS/LoveLetter is a VBScript worm. It spreads through e-mail as a
chain letter.
•The latest is VBS.LoveLetter.CN. Virus definitions dated May 31, 2007.
•82 variants of this worm.
•This worm sends itself to email addresses in the Microsoft Outlook
address book and also spreads to Internet chatrooms.
•This worm overwrites files on local and remote drives, including files
with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg,
.wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg,
.mpeg, .cpp, .c, .h, .swd, .psd, .wri, .mp3, and .mp2.
•The contents of most of these files are replaced with the source code
of the worm, destroying the original contents. The worm also appends
the .vbs extension to each of these files. For example, image.jpg
becomes image.jpg.vbs.
 Analyze three common computer
viruses
Antivir

ILOVEYOU
•Damage
•Large scale e-mailing:
Sends itself to all addresses in the Microsoft Outlook Address Book

•Modifies files:
Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .
sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and
.mp2. Files with extensions of .mp2 and .mp3 will be hidden from the user by setting
the hidden directory attribute. Variant G also overwrites .bat and .com files.

•Degrades performance:
Might create a lot of traffic to the email server
 Analyze three common computer
viruses
Antivir
ILOVEYOU
•Distribution
•Subject of email: ILOVEYOU
•Name of attachment: Love-letter-for-you.txt.vbs
•Size of attachment: 10,307 bytes
•Inside the mail is a short text message saying "Kindly check the attached
LOVELETTER coming from me" and an attachment named LOVE-
LETTER-FOR-YOU.txt.vbs. This is the virus body.
•It's important to note that the virus cannot run by itself. In order for it to run,
the recipient must open the mail, launch the attachment by double-clicking
on it, and answer "yes" to a dialogue that warns of the dangers of running
untrusted programs. (Microsoft)
 Analyze three common computer
viruses
Antivir

ILOVEYOU
•How to prevent?
•Do not launch attachments in emails from unknown
sources!
•Uninstalling the Windows Script Host.
Check http://www.sarc.com/avcenter/venc/data/win.script.hosting.html for more
information
 Antivir

Antivirus
Technologies
•How to detect virus?
•How to clean virus?
•Best Practices
 Antivirus Technologies Antivir

How to detect virus?

•Some Symptoms
•Program takes longer to load.
•The program size keeps changing.
•When run CHKDSK, it doesn't show 655360 bytes available.
•Keep getting 32 bit errors in Windows.
•The drive light keeps flashing when you are not doing
anything.
•User created files have strange names.
•The computer doesn't remember CMOS settings.
 Antivirus Technologies Antivir

How to
CHKDSK has NOT checked this drive for errors.
You must use SCANDISK to detect and fix errors on this drive.

detect Volume DATA created 01-04-2001 2:56p

Volume Serial Number is 1CFA-2864

virus? 6,822,284 kilobytes total disk space

2,206,920 kilobytes free
•Check for any change in
the memory map or
configuration as soon as 4,096 bytes in each allocation unit
you start the computer in 1,705,571 total allocation units on disk
command mode. (If you
551,730 available allocation units on disk
don’t have antivirus
software)
655,360 total bytes memory
•In MSDOS Prompt: 602,160 bytes free
Type in Chkdsk
•Check:
 Antivirus Technologies Antivir
Start your computer in command prompt. In MSDOS Prompt: Type in MEM /C.

Memory Summary:

Type of Memory Total Used Free

---------------- ----------- ----------- -----------
Conventional 655,360 53,168 602,192
Upper 0 0 0
Reserved 393,216 393,216 0
Extended (XMS) 66,060,288 ? 267,128,832
---------------- ----------- ----------- -----------
Total memory 67,108,864 ? 267,731,024

Total under 1 MB 655,360 53,168 602,192

Total Expanded (EMS) 67,108,864 (64M)

Free Expanded (EMS) 16,777,216 (16M)
Largest executable program size 602,160 (588K)
Largest free upper memory block 0 (0K)
 Antivirus Technologies Antivir

How to detect virus?

•Integrity checkers or modification detectors.
These tools compute a small "checksum" or "hash value" (usually CRC or
cryptographic) for files when they are presumably uninfected, and later compare newly
calculated values with the original ones to see if the files have been modified. This
catches unknown viruses as well as known ones and thus provides generic detection.

•Use Debug Or Other Tools to check FAT Table, MBR and partition on your
system.

•Use Antivirus Software to scan the computer memory and disks.

 Antivirus Technologies Antivir

How to clean virus?

•All activities on infected machine should be stopped and it should be
detached from the network.
•Recover from backup is the most secure and effective way to recover the
system and files.
•In some cases, you may recover the boot sector, partition table and even
the BIOS data using the emergency recovery disk.
•In case you do not have the latest backup of your files, you may try to
remove the virus using anti-virus software.
 Antivirus Technologies Antivir

How to clean virus?

The steps to reinstall the whole system –
3. Reboot the PC using a clean startup disk.
4. Type in FDISK/MBR to rewrite the Master Boot Record.
5. Use FDISK to recreate partitions (Optional)
6. Format DOS partitions.
7. Reinstall Windows98 or Windows2K and other applications.
8. Install Antivirus Software and apply the latest virus
definition data.
 Antivirus Technologies Antivir

•Best Practices
•Regular Backup
Backup your programs and data regularly. Recover from backup is the most secure way to
restore the files after a virus attack.

•Install Anti-virus Software

Install an anti-virus software to protect your machine and make sure that an up-to-date
virus definition file has been applied.

•Daily Virus Scan

Schedule a daily scan to check for viruses. The schedule scan could be done in non-peak
hours, such as during the lunch-break or after office hour.

•Check Downloaded Files And Email Attachments

Do not execute any downloads and attachment unless you are sure what it will do.
 Antivirus Technologies Antivir

•Resources
•Antivirus Software
• McAfee Virus Scan
• F-Secure
• Symantec
• Trend Micro
•Shareware, www.grisoft.com
•Free Virus Tool, http://www.antivirus.com/free_tools/
 Antivir

Company Policy
Issues
3. Education
4. Updating
5. Warning
6. Technical Support
7. Reporting
 Antivir
Kaspersky Lab’s classification system
divides malicious programs
into three classes:

•TrojWare: this class includes a range of malicious

programs
which cannot replicate independently .
(backdoors, rootkits and all types of Trojan);

•VirWare: self-replicating malicious programs (viruses

and worms);

•MalWare: programs which are used by malicious users

to create malicious programs and organize attacks.
 Antivir

TrojWar
e
VirWar
e
MalWar
e

Average number of new malicious programs

per month.
The chart below shows the number of new
VirWare programs
Antivir
detected by Kaspersky Lab
DECLINE
PHASE
The pie chart below shows a breakdown of different
subgroups
Antivir
in the VirWare category:

E-mail Worm
IM-Worm
IRC-Worm
NET-
Worm
P2P-
Worm
Worm
s
Viru
s
Antivirus Antivir
Kaspersky
database Lab has shortened its
response time to the growing
number and increasing speed of new threats by releasing
an increased
Forecast Antivir
In light of all of the trends and events described above, we expect
that in 2009
virus writers will continue to concentrate their efforts on various
types of Trojans
used to steal personal information.

Attacks will largely be focused on the users of various banking and

payment systems
in addition to online gamers.

Virus writers and spammers will continue to pool their efforts;

Computer virus goes
Antivir
into orbit
August 28, 2008, 8:23 am
AFP ©

SAN FRANCISCO (AFP) - NASA confirmed on Wednesday that a computer virus

sneaked aboard the International Space Station only to be tossed into quarantine
on July 25 by security software.

A "worm type" virus was found on laptop computers that astronauts use to send
and receive email from the station by relaying messages through a mission control
center in Texas, according to NASA spokesman Kelly Humphries.

The virus is reported to be malicious software that logs keystrokes in order to steal
passwords or other sensitive data by sending the information to hackers via the
Internet.
The laptop computers are not linked to any of the space station's control systems
or the Internet.
 Antivir

Conclusion
•Be careful when use new software and files
•Be alert for virus activities
•Be calm when virus attacks
•And all will be fine!

SO REMEMBER………
 EVERYTHING Antivir
THAT
HAS A BEGINNING…

VIRUSES
HAS AN
END.

RELOADE
D
 ANY SMART Antivir
QUESTIONS ??
Reference: Antivir

•http://w w w.cnn.com/2000/TECH/computing/10/23/virus.w orks.idg/

•http://w w w.itsd.gov.hk/itsd/virus/general/w hatis.htm
•http://w w w.infoplease.com/spot/virustime1.html
•http://w w w.itsd.gov.hk/itsd/virus/general/type.htm
•http://w w w.itsd.gov.hk/itsd/virus/hoax/hoax.htm
•http://w w w.cai.com/virusinfo/faq.htm#how _virus
•http://w w w.europe.f-secure.com/v-descs/cih.shtml
•http://w w w.stiller.com/cih.htm
•http://w w w.w ebopedia.com/TERM/M/macro_virus.html
•http://office.microsoft.com/Assistance/9798/w htsvrus.aspx
 Reference: Antivir
•http://w w w.cai.com/virusinfo/faq.htm
•http://w w w.itsd.gov.hk/itsd/virus/general/detectvirus.htm
•http://w w w.itsd.gov.hk/itsd/virus/general/cleanvirus.htm
•http://w w w.itsd.gov.hk/itsd/virus/guide/guide.htm
•http://kb.indiana.edu/data/aehm.html
•http://w w w.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
•http://w w w.data-fellow s.com/v-descs/love.shtml
•http://w w w.microsoft.com/technet/treeview /default.asp?url=/TechNe