Computer Viruses

MITESH SOLANKI
2K10/ME/070

Introduction
Computer viruses have become todays

headline news
With the increasing use of the Internet, it
has become easier for virus to spread
Virus show us loopholes in software
Most virus are targeted at the MS Windows
OS

Definition
Virus : A computer virus is a computer program

that can replicate itself. A true virus is capable of self

replication on a machine. It may spread between files
or disks, but the defining character is that it can
recreate itself on its own with out traveling to a new
host and spread from one computer to another. The
term "virus" is also commonly but erroneously used
to refer to other types of malware, including but not
limited to adware and spyware programs that do not
have the reproductive ability

History of viruses
The first academic work on the theory of computer

viruses (although the term "computer virus" was

not used at that time) was done in 1949 by John
von Neumann. In his essay "Theory of selfreproducing automata" von Neumann described
how a computer program could be designed to
reproduce itself
In 1984 Fred Cohen from the University of Southern
California wrote his paper "Computer Viruses Theory and Experiments". It was the first paper to
explicitly call a self-reproducing program a "virus"

Background
There are estimated 30,000 computer

viruses in existence
Over 300 new ones are created each
month
First virus was created to show loopholes
in software

Virus Languages
ANSI COBOL
C/C++
Pascal
VBA
Unix Shell Scripts
JavaScript
Basically any language that works on the

system that is the target

Infection strategies
In order to replicate itself, a virus must be

permitted to execute code and write to memory.

For this reason, many viruses attach themselves
to executable files that may be part of legitimate
programs. If a user attempts to launch an
infected program, the virus' code may be
executed simultaneously

 Viruses can be divided into two types based on their

behavior when they are executed.
Nonresident viruses immediately search for other hosts
that can be infected, infect those targets, and finally
transfer control to the application program they infected.
Resident viruses do not search for hosts when they are
started.
Instead, a resident virus loads itself into memory on
execution and transfers control to the host program. The
virus stays active in the background and infects new hosts
when those files are accessed by other programs or the
operating system itself.

Symptoms of Virus
Attack
Computer runs slower than usual

Computer no longer boots up

Screen sometimes flicker
PC speaker beeps periodically
System crashes for no reason
Files/directories sometimes disappear
Denial of Service (DoS)

Virus through the

Internet
Today almost 87% of all viruses are spread

through the internet

Transmission time to a new host is
relatively low, on the order of hours to
days

Classifying Virus - Types

Trojan Horse
Worm
Macro

Trojan Horse
Covert
Leaks information
Usually does not reproduce

Trojan Horse
Back Orifice
Discovery Date:
10/15/1998
Origin: Pro-hacker Website
Length: 124,928
Type: Trojan
SubType: Remote Access
Risk Assessment: Low
Category: Stealth

Trojan Horse
About Back Orifice
requires Windows to work
distributed by Cult of the Dead Cow
similar to PC Anywhere, Carbon Copy software
allows remote access and control of other

computers
install a reference in the registry
once infected, runs in the background

Trojan Horse
Features of Back Orifice
pings and query servers
reboot or lock up the system
list cached and screen saver password
display system information
logs keystrokes
edit registry
server control
receive and send files
display a message box

Worms
Spread over network connection
Worms replicate
First worm released on the Internet was

called Morris worm, it was released on Nov

2, 1988.

Worms
Bubbleboy
Discovery Date:11/8/1999
Origin: Argentina (?)
Length: 4992
Type:
Worm/Macro
SubType: VbScript
Risk Assessment: Low
Category: Stealth/Companion

Worms
Bubbleboy
requires WSL (windows scripting language),

Outlook or Outlook Express, and IE5

Does not work in Windows NT
Effects Spanish and English version of Windows
2 variants have been identified
May cause DENIAL OF SERVICE

Worms
How Bubbleboy works
Bubbleboy is embedded within an email

message of HTML format.

a VbScript while the user views a HTML page
a file named Update.hta is placed in the start
up directory
upon reboot Bubbleboy executes

Worms
How Bubbleboy works
changes the registered owner/organization
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr
entVersion\RegisteredOwner = Bubble Boy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr
entVersion\RegisteredOrganization = MICROSOFT
using the Outlook MAPI address book it sends

itself to each entry

marks itself in the registry

HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy =
OUTLOOK.Bubbleboy1.0 by Zulu

Macro
Specific to certain applications
Comprise a high percentage of the viruses
Usually made in WordBasic and Visual

Basic for Applications (VBA)

Microsoft shipped Concept, the first
macro virus, on a CD ROM called "Windows
95 Software Compatibility Test" in 1995

Macro
Melissa
Discovery Date: 3/26/1999
Origin: Newsgroup Posting
Length: varies depending on variant
Type:
Macro/Worm
Subtype: Macro
Risk Assessment: High
Category: Companion

Macro
Melissa
requires WSL, Outlook or Outlook Express Word

97 SR1 or Office 2000

105 lines of code (original variant)
received either as an infected template or email
attachment
lowers computer defenses to future macro virus
attacks
may cause DoS
infects template files with its own macro code

Macro
How Melissa works
the virus is activated through a MS word

document
document displays reference to pornographic
websites while macro runs
1st lowers the macro protection security setting
for future attacks
checks to see is it has run in current session
before

HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Meliss
a = by Kwyjibo

propagates itself using the Outlook MAPI

address book (emails sent to the first 50

Protection/Prevention
Knowledge
Proper configurations
Run only necessary programs
Anti-virus software

Anti viruses
Many users install anti-virus software that can detect

and eliminate known viruses after the computer

downloads or runs the executable. There are two
common methods that an anti-virus software
application uses to detect viruses. The first, and by
far the most common method of virus detection is
using a list of virus signature definitions. This works
by examining the content of the computer's memory
(its RAM, and boot sectors) and the files stored on
fixed or removable drives (hard drives, floppy drives),
and comparing those files against a database of
known virus "signatures". The disadvantage of this

. The second method is to use a heuristic algorithm

to find viruses based on common behaviors. This

method has the ability to detect novel viruses that
anti-virus security firms have yet to create a
signature for
Some anti-virus programs are able to scan opened
files in addition to sent and received email messages
"on the fly" in a similar manner. This practice is
known as "on-access scanning". Anti-virus software
does not change the underlying capability of host
software to transmit viruses. Users must update their
software regularly to patch security holes. Anti-virus
software also needs to be regularly updated in order

Methods employed by viruses to

avoid detection
Avoiding bait files and other undesirable hosts
Stealth
Self-modification
Encryption with a variable key
Polymorphic code
Metamorphic code

Deceiving viruses
Installing anti viruses
Creating back up of important files
re-installation of damaged programs
System restore (Some viruses, however, disable

System Restore and other important tools such as

Task Manager and Command Prompt. An example
of a virus that does this is CiaDoor. However,
many such viruses can be removed by rebooting
the computer, entering Windows safe mode, and
then using system tools.
Operating system reinstallation

Conclusion
viruses work through your system to
make a better virus
Have seen how viruses show us a loophole
in popular software
Most viruses show that they can cause
great damage due to loopholes in
programming

Thank you