
Content:

• What is a computer virus
• Types of viruses
• Introduction to antivirus programs
• How an antivirus works
• What to look for when selecting antivirus software
• Configuring your antivirus software
• What to do when suspecting a virus attack
• General precautions you should take

What is a Computer Virus?

• A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. Its defining property is that it replicates itself by inserting its code into other programs or boot areas, and so keeps spreading. Viruses are one kind of malicious software (malware): programs written to cause damage to a computer.

• A computer virus can damage or corrupt data, modify existing data, or degrade the performance of the system by consuming resources such as memory, CPU time or disk space.
Classification of Computer Viruses:

• Boot sector virus
• Master Boot Record (MBR) virus
• File infector virus
• Multipartite virus
• Macro virus
Boot Sector Virus

• Boot sector viruses hide in the boot sector of a bootable floppy disk or of a hard drive partition.

• The virus attaches itself to the first sector that the computer reads when it boots, so it runs before the operating system loads.

• These viruses spread through bootable floppy disks, not through CD-ROMs: a CD-ROM is read-only, so the virus cannot write itself onto it.

• Once the virus is resident in memory, any floppy disk that is not write-protected becomes infected the moment it is accessed.

• A typical symptom is the error message "Invalid system disk" when booting with an infected non-system floppy left in the drive. By the time the message appears, the boot sector code (and the virus in it) has already run.

• E.g. Form, Disk Killer, Michelangelo, Stoned.
Master Boot Record (MBR) Virus

• MBR viruses are memory-resident viruses that infect disks in the same manner as boot sector viruses.

• The difference is the target: an MBR virus infects the Master Boot Record of the hard disk, so it is activated when the BIOS loads and runs the master boot code, before any partition boot sector.

• MBR infectors normally save a legitimate copy of the original master boot record in a different location on the disk, so that the system still boots after the virus code has run. Cleaning tools use that saved copy to restore the original MBR.

• E.g. AntiEXE, Unashamed, NYB.


File Infector Virus

• File infector viruses infect program files. They normally attach to executable code such as .COM, .EXE, .SYS and .BAT files.

• They spread to other files whenever an infected program is run, whether from a floppy, the hard drive or a network share.

• Many of these viruses are memory-resident: once the virus is in memory, any uninfected executable that is run afterwards becomes infected.

• E.g. Snow.A, Jerusalem, Cascade.
Multipartite Virus

• Multipartite (also known as polypartite) viruses infect both boot records and program files.

• They are particularly difficult to clean. If the boot area is cleaned but the infected files are not, running one of those files reinfects the boot area.

• The same holds for cleaning infected files: if the virus is not removed from the boot area, it is loaded again at the next boot and reinfects the files you have cleaned. Both parts must be removed in the same cleaning session, before the system is booted normally again.

• E.g. One_Half, Emperor, Anthrax, Tequila.
Macro Virus

• Macros are mini-programs that automate a series of operations so that they are performed as a single action, saving the user from having to carry them out one by one.

• Macro viruses infect documents created by applications that support macros, and run when the document is opened and its macros are executed.

• They are platform-independent, since the virus is written in the macro language of the application rather than for a particular operating system.

• They infect documents created with Microsoft Office: Word, Excel, PowerPoint and Access files. Modern versions of Office do not run macros in documents from untrusted sources unless the user enables them, so tricking the user into clicking "Enable Content" is now part of the attack.

• E.g. W97M.Melissa, Bablas, WM.NiceDay, W97M.Groov.
In addition to computer viruses, there are two more types of malicious software: worms and Trojans.

Computer Worms

• Computer worms are programs that replicate themselves from system to system without the use of a host file. Worms spread through networks (LAN, WAN and the Internet) by various routes: e-mail, instant messaging and chat, and by attacking vulnerable network services directly.

• Worms almost always harm the network itself, for example by consuming network bandwidth while they scan for and infect new hosts.

• E.g. W32.Mydoom.AX@mm

Computer Trojans

• Trojan horses are impostors: files that claim to be something desirable but are, in fact, malicious. Trojan horse programs do not replicate themselves; they rely on the user being tricked into running them. Trojan horses contain malicious code that, when triggered, causes loss or even theft of data. E.g. Trojan.Vundo

Typical Trojan payloads:

• Retrieving a user's critical information, such as names and passwords.

• Spreading other malware programs; a Trojan used this way is called a 'dropper' or 'vector'.

• Erasing or overwriting data on the computer.

• Spying on the user to gather information such as browsing habits and sites visited. Such programs are called spyware.
Antivirus Software

• Antivirus software is a computer program that identifies and removes computer viruses and other malicious software, such as worms and Trojans, from an infected computer.

• Beyond cleaning, antivirus software also protects the computer from further attacks by checking files before they are opened or run.

• You should run an antivirus program regularly to scan for and remove any infection on the computer, and keep its detection data up to date.

Screenshots of some popular antivirus products (images not reproduced)
How an Antivirus Works

• Using the dictionary (signature) approach:

The antivirus software examines each and every file on the computer and compares its content with the virus definitions stored in its virus dictionary. A match means the file contains code already known to be a virus.

A virus dictionary is a built-in data file belonging to the antivirus software that contains patterns (signatures) of code identified as viruses by the antivirus authors. It only detects what it already knows about, which is why the dictionary must be updated continually.

• Using the suspicious behaviour approach:

The antivirus software constantly monitors the activity of all running programs.

If a program tries to write data into an executable file, the antivirus software flags that program as having suspicious behaviour, and the suspected program is treated as a virus.

The advantage of this approach is that it can safeguard the computer against unknown viruses as well. The disadvantage is that legitimate programs (installers, compilers, updaters) also write executables, so it can raise false alerts.
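The dictionary approach in miniature, as an added example (it is not code from the original slides or from any antivirus product): a PowerShell scanner with a constructed virus dictionary containing two kinds of entry, an exact SHA-256 file hash and a byte-pattern signature. The sample files, the signature names and the patterns are all constructed for the demonstration; the directory under the temp folder is an assumption.

```powershell
# Added example: a minimal dictionary (signature) scanner of the kind the slide
# describes. Signatures, names and sample files are constructed here; none of
# this is a real antivirus product's data.

$ScanRoot = Join-Path ([System.IO.Path]::GetTempPath()) 'av-demo'   # assumed location
New-Item -ItemType Directory -Path $ScanRoot -Force | Out-Null

# Constructed sample files: one clean, two carrying constructed "virus" markers,
# and one whose only identifying feature is its exact content (caught by hash).
Set-Content -Path (Join-Path $ScanRoot 'notes.txt')       -Value 'quarterly report, nothing to see'
Set-Content -Path (Join-Path $ScanRoot 'setup.exe')       -Value 'MZ...payload...DEMO-DROPPER-MARKER-A...'
Set-Content -Path (Join-Path $ScanRoot 'mswin32.dll.vbs') -Value 'Set s = CreateObject("WScript.Shell") : s.Run "mswin32.dll.vbs"'
Set-Content -Path (Join-Path $ScanRoot 'update.scr')      -Value 'MZ binary blob 9f3a with no marker text'

# Constructed "virus dictionary". A Pattern entry is a regular expression matched
# against the file bytes decoded as Latin-1 (so every byte maps to one character);
# a Sha256 entry matches only a byte-identical file.
$Dictionary = @(
    @{ Name = 'Demo.Dropper.A'; Pattern = 'DEMO-DROPPER-MARKER-A' }                       # hypothetical
    @{ Name = 'Demo.VBS.Worm';  Pattern = 'CreateObject\("WScript\.Shell"\).*\.vbs' }     # hypothetical
)
# Exact-hash entry, taken from the constructed sample as a vendor would from a captured file.
$KnownBadHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $ScanRoot 'update.scr')).Hash
$Dictionary += @{ Name = 'Demo.Dropper.B (exact hash)'; Sha256 = $KnownBadHash }

function Test-FileAgainstDictionary {
    param([string]$Path, [array]$Dictionary)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)
    $hash  = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    foreach ($sig in $Dictionary) {
        if ($sig.Sha256  -and $sig.Sha256 -eq $hash)     { return $sig.Name }
        if ($sig.Pattern -and $text -match $sig.Pattern) { return $sig.Name }
    }
    return $null   # no dictionary entry matched: "clean" as far as this dictionary knows
}

# Scan every file under the root, hidden and system files included (-Force),
# comparing each one with the dictionary exactly as the slide describes.
Get-ChildItem -Path $ScanRoot -Recurse -File -Force | ForEach-Object {
    $hit = Test-FileAgainstDictionary -Path $_.FullName -Dictionary $Dictionary
    if ($hit) { "INFECTED  $($_.FullName)  [$hit]" } else { "clean     $($_.FullName)" }
}
```

Note what each entry type buys you: the hash entry catches update.scr only while it is byte-for-byte the captured sample (change one byte and it is missed), while the pattern entries also catch variants that keep the marker or the script construct. Neither catches anything not already in the dictionary, which is the gap the behaviour approach on the slide is meant to fill; a real behaviour monitor hooks file writes at the kernel level, which a user-mode script can only approximate with a FileSystemWatcher on *.exe and *.com.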
When Selecting Antivirus Software

Real-time scanning:

• The antivirus software runs automatically in the background on a continuous basis, scanning files and folders for possible infection as they are opened or executed, and checking e-mails as they are downloaded.

• Most commercial antivirus software provides real-time scanning.

Virus updates:

• Regular updates to the virus dictionary. Look for an antivirus program that provides virus updates on a periodic basis at no extra cost.

• With the continuing outbreaks of macro and script-based viruses, virus updates that address the latest threats are essential: a dictionary-based scanner cannot detect a virus whose signature it does not have.

• Most commercial antivirus software today provides virus updates on a daily basis or more often.
Configuring Your Antivirus Software:

• Adjust the settings to scan all files (not only the default list of file types), and make sure that real-time scanning is enabled.

• Create a recovery/rescue disk, because if a boot sector or MBR virus infects the system, it may fail to boot. In that case the rescue disk can be used to boot the system from clean, known-good media and remove the virus without giving the infected boot code a chance to run.
What to Do on Suspecting a Virus Attack?

• Disconnect the suspected computer from the Internet as well as from the local network, so that the infection cannot spread or report back.

• Start the system in Safe Mode, or from the Windows boot disk if it has problems starting.

• Take a backup of all crucial data to an external drive (treat that backup as possibly infected until it has been scanned). Install antivirus software if you do not have it installed.

• Now download the latest virus definition updates from the Internet. Do this on a separate, clean computer and carry them over on removable media, since the suspected machine is disconnected. Then perform a full system scan.
Some of the Symptoms of an Infected Computer:

• Folder Options disappears from the Tools menu, so hidden files cannot be viewed. Changing the registry values that control this has no effect, because the running malware keeps resetting them.

• Regedit does not work when you try to invoke it from the Run box.

• Task Manager has been disabled by the Administrator (the message appears even though no administrator disabled it).

• In My Computer, an Autoplay option appears instead of Open for every drive: when you double-click a drive letter (C, D, E etc.) a window opens asking you to select a program to open it with. This is the effect of a malicious autorun.inf in the root of the drive.

• The computer becomes slow, and there is a noticeable delay before characters appear on screen when you type.

• The Command Prompt does not open or, if it does, closes suddenly.

• You cannot open system utilities like Task Manager, Regedit, Msconfig or gpedit.msc; they open and suddenly close.

• New entries and values appear in the registry, especially under the Run keys that start programs at logon.
Hidden Processes Running on Your System:

• monit.exe - runs under explorer.exe; a keylogger that also creates problems with Counter-Strike.

• scvhost.exe or 713xRMTmon.exe - not to be confused with svchost.exe, an important Windows process. Malware often picks a name one letter away from a legitimate system process so that it is overlooked in Task Manager.

• wscript.exe - a harmless Windows Script Host process, which can be made to execute harmful VBScripts such as mswin32.dll.vbs.

• amvo.exe or amva.exe

• autorun.inf - actually a harmless text file, but it can be used to invoke a virus when you open a folder or drive that contains it.
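The symptoms and process names on these slides can be checked in one pass. The following is an added example, not part of the original slides: a read-only PowerShell triage script that reports the policy values behind each symptom, looks for the named files in every drive root, lists the named processes plus svchost look-alikes, and shows Run-key autostarts. The registry value names are the standard Windows policy values; the file and process names are the ones given on the slides; the look-alike regular expression and the "outside Program Files or Windows" heuristic are the author's own assumptions.

```powershell
# Added example: read-only triage for the symptoms listed on the slides.
# It changes nothing; it only reports. Run in an elevated PowerShell on the
# suspected machine. Value names are the standard Windows policy values.

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values malware sets to lock the user out of the admin tools.
$PolicyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Symptom = 'Task Manager has been disabled by your administrator' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Symptom = 'Regedit does not open' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Symptom = 'Folder Options missing from the Tools menu' }
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Symptom = 'Command Prompt closes immediately' }
)
foreach ($c in $PolicyChecks) {
    $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -ne 0) {
        $Findings.Add("POLICY  $($c.Key)\$($c.Name) = $($v.($c.Name))  -> $($c.Symptom)")
    }
}

# 2. Hidden-file setting: malware flips this so its files stay invisible even
#    after the user asks Explorer to show hidden files.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) { $Findings.Add('HIDDEN  ShowSuperHidden=0: protected operating system files are hidden') }

# 3. autorun.inf and the script dropper named on the slide, in the root of every drive.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'autorun.inf', 'mswin32.dll.vbs') {
        $p = Join-Path $d.Root $name
        if (Test-Path -LiteralPath $p) {
            $attr = (Get-Item -LiteralPath $p -Force).Attributes
            $Findings.Add("FILE    $p  [$attr]")
            if ($name -eq 'autorun.inf') {
                # The open= / shellexecute= / shell\...\command= lines name the file the virus launches.
                Get-Content -LiteralPath $p -ErrorAction SilentlyContinue |
                    Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' } |
                    ForEach-Object { $Findings.Add("          launches: $_") }
            }
        }
    }
}

# 4. Processes named on the slide, plus one-letter edits of svchost (assumed pattern:
#    scvhost, svch0st, svchosts ...). Get-Process names carry no .exe suffix.
$Suspect = 'monit', 'scvhost', '713xRMTmon', 'amvo', 'amva'
foreach ($proc in Get-Process) {
    $n = $proc.ProcessName
    if ($Suspect -contains $n) { $Findings.Add("PROC    $n (PID $($proc.Id)) is on the slide's list") }
    if ($n -ne 'svchost' -and $n -match '^s[vc][cv]h[o0]sts?$') { $Findings.Add("PROC    $n (PID $($proc.Id)) impersonates svchost.exe") }
}

# 5. Autostart entries: anything in the Run keys that points outside Program Files or Windows
#    (a heuristic, not a rule; legitimate software sometimes lives elsewhere).
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $run = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSProvider and friends
        if ("$($prop.Value)" -notmatch '\\(Program Files|Windows)\\') { $Findings.Add("RUN     $k\$($prop.Name) = $($prop.Value)") }
    }
}

if ($Findings.Count -eq 0) { 'No indicators found.' } else { $Findings }
```

Read the output as leads, not verdicts: a policy value set by a domain administrator, a portable application in a Run key, or a process that merely has an unusual name will all show up here, and the point of the script is to tell you where to look, with Task Manager and Regedit possibly unavailable. Because it reads the registry and process list through the running system, a rootkit that hides from those interfaces will not show; that is where booting from rescue media, as the earlier slide advised, comes in.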
Deleting Identified Virus Files Manually:

• Identify files such as autorun.inf or mswin32.dll.vbs in the root of all drives or in your system drive. Open autorun.inf in a text editor first: its open= or shellexecute= line names the file it launches, which is the real virus file.

• You can also delete a file from the command prompt. The command DIR /w /a displays all files and folders, including hidden ones. Clear the system, hidden and read-only attributes with attrib -s -h -r <filename>, then delete it with del <filename>.

• A virus may also hide copies of itself in the System Volume Information and PREFETCH folders. It may therefore be a good idea to turn off System Restore for a while, so that an infected restore point cannot bring the virus back.

• To prevent future infections of your USB drive, create an empty autorun.inf file in its root and set the read-only attribute on it. This makes it harder for a malicious autorun.inf to take its place, although malware running with sufficient rights can still clear the attribute, so it is a nuisance for the virus rather than a guarantee.
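The same clean-up done in PowerShell, as an added example that is not from the original slides: clear the attributes and delete the named files from every drive root (the equivalent of attrib -s -h -r followed by del), keeping a copy of autorun.inf for analysis, then drop the read-only placeholder autorun.inf on removable drives. The file names are the ones the slide gives; the evidence location under the temp folder and the choice to protect only removable drives are the author's assumptions.

```powershell
# Added example: manual removal from the slide (attrib -s -h -r, del) in
# PowerShell, then the read-only placeholder autorun.inf. DESTRUCTIVE: it
# deletes files. Run elevated, after reading autorun.inf to confirm which
# files are the dropper, and extend $DropperNames with what it names.

$DropperNames = 'autorun.inf', 'mswin32.dll.vbs'   # from the slide; add the open= target too

function Remove-DropperFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-Item -LiteralPath $Path -Force
    # Clear System, Hidden and ReadOnly (the equivalent of attrib -s -h -r).
    # Malware sets all three; a read-only file cannot be deleted without -Force.
    $item.Attributes = [System.IO.FileAttributes]::Normal
    # Keep a copy of autorun.inf for later analysis before deleting it (assumed location).
    if ($item.Name -ieq 'autorun.inf') {
        $evidence = Join-Path $env:TEMP ('autorun-' + ($Path -replace '[:\\]', '_') + '.txt')
        Copy-Item -LiteralPath $Path -Destination $evidence -Force
    }
    Remove-Item -LiteralPath $Path -Force
    "removed    $Path"
}

function Protect-DriveRoot {
    param([string]$Root)
    # An empty, read-only autorun.inf occupies the name the virus wants to use.
    # A nuisance for the virus, not a guarantee: code with enough rights can
    # clear the attribute and overwrite it, exactly as this script just did.
    $placeholder = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $placeholder)) {
        New-Item -ItemType File -Path $placeholder | Out-Null
        (Get-Item -LiteralPath $placeholder -Force).Attributes = 'ReadOnly, Hidden, System'
        "protected  $placeholder"
    }
}

# Step 1: remove the dropper files from the root of every drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $DropperNames) {
        Remove-DropperFile -Path (Join-Path $drive.Root $name)
    }
}

# Step 2: protect removable drives (DriveType 2), which is what the slide's USB advice is about.
# Assumed choice: widen the filter if you want the same placeholder on fixed disks.
foreach ($vol in Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }) {
    Protect-DriveRoot -Root ($vol.DeviceID + '\')
}
```

Run this from Safe Mode or rescue media where possible: if the dropper is still running it will recreate the files as fast as you delete them, which is the reinfection loop the multipartite slide described in another form.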
General Precautions You Should Take:

• When inserting removable media (floppy, CD, flash drive etc.), scan the whole device with the antivirus software before opening it.

• If you have Internet access, make sure you use Internet security software.

• Install Windows updates.

• From time to time, update your installed software to the latest version (e.g. MS Office, Adobe Reader, Java, Flash Player etc.), since viruses and worms exploit known flaws in old versions.

• Most important, disable Autoplay on all drives on your PC:

• Go to Start > Run, type gpedit.msc and press Enter. Select 'Computer Configuration' in the left tree, then go to 'Administrative Templates' > 'System'.

• In the right panel look for 'Turn off Autoplay'. Double-click it, select 'Enabled' and then select 'All drives'.

• Last but not least, you should have an updated antivirus guarding your PC at all times.
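The gpedit setting above writes one registry value, so on editions without gpedit (and for scripting it across machines) the same thing can be done directly. The following is an added example, not from the original slides: it reports the current Autoplay state, applies the 'All drives' setting under both the machine and the user policy keys, and reports again. NoDriveTypeAutoRun and the 0xFF value are the documented policy behind 'Turn off Autoplay'; the wording of the state messages is the author's.

```powershell
# Added example: registry equivalent of gpedit's "Turn off Autoplay -> Enabled
# -> All drives". NoDriveTypeAutoRun is a bit mask of drive types on which
# AutoRun is disabled; 0xFF covers every drive type. The machine-wide value
# (HKLM) takes precedence over the per-user one (HKCU). Run elevated.

$MachineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives  = 0xFF

function Get-AutoplayState {
    param([string]$Key)
    $v = (Get-ItemProperty -Path $Key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $v) { return "$Key : not set (no policy; Windows default applies)" }
    $state = if (($v -band $AllDrives) -eq $AllDrives) { 'AutoRun disabled on all drives' } else { 'AutoRun still allowed on some drive types' }
    return ('{0} : 0x{1:X2} -> {2}' -f $Key, $v, $state)
}

function Disable-AutoplayAllDrives {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }   # policy key may not exist yet
    New-ItemProperty -Path $Key -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value $AllDrives -Force | Out-Null
}

'Before:'
Get-AutoplayState $MachineKey
Get-AutoplayState $UserKey

Disable-AutoplayAllDrives $MachineKey
Disable-AutoplayAllDrives $UserKey

'After:'
Get-AutoplayState $MachineKey
Get-AutoplayState $UserKey
# Explorer reads this policy when it starts: sign out and back in, or restart
# explorer.exe, for the change to take effect. gpedit performs the same write.
```

The "Before" lines are worth keeping from a clean machine: on a suspect machine, a value that has changed back to something permissive is itself an indicator, since malware that spreads by autorun.inf has every reason to re-enable AutoRun.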
