DEFINITIONS OF VIRUSES AND OTHER COMPUTER "VERMIN"
Computer Virus -
term first used in this sense by Fred Cohen in 1984. A computer virus is a
small program that attaches itself to another program (its host) and
spreads to other software by making copies of itself.
Worm - A worm is a
stand-alone program that copies itself from computer to computer, usually
over a network, and may alter or destroy data on the machines it reaches.
It is different from a computer virus since it does not require a host program.
Trojan horse - A
program that appears to be useful or harmless but carries a hidden,
malicious function. Trojan horses do not necessarily replicate.
Logic or time bomb -
A program, or a routine hidden inside one, that is activated or triggered
by a certain event. This may be after a certain number of executions or on a
certain day such as Friday the 13th.
TYPES OF VIRUSES
Boot sector infector
- hides in the boot sector of a floppy disk or in the master boot record
(the sector that holds the partition table) of a hard disk and takes control
of the computer when it is booted from that disk, before the operating system
loads. It then installs itself in memory. When other disks are used, the
virus copies itself to their boot sectors. The best-known boot sector
viruses of this era are the Pakistani Brain virus and the Stoned/Marijuana virus.
Application program
infector - The most infectious type of computer virus is
the application program infector or file virus. These attach
to executable files, usually .COM and .EXE files. An
application program infector takes control when the infected program is
run. Once the virus is resident in the RAM of the computer system, it
will potentially infect every program run on the computer until the
computer is powered off (some, such as Jerusalem, survive a warm boot).
At the time this page was written, the most widespread file virus was the
Jerusalem virus.
Stealth viruses -
viruses which attempt to hide their presence. Simple techniques include
restoring the original date and time stamp of an infected file and
intercepting directory listings so that the increase in file size is not
shown. Some go further and intercept disk reads so that anti-virus
software sees the original, clean contents where the virus is located.
Some also encrypt the virus code with a key that changes from infection
to infection. These tricks only work while the virus is resident in
memory, which is why scanning should be done after a cold boot from a
clean, write-protected system disk.
Dark Avenger Mutation
Engine (MtE) - a polymorphic encryption module used by virus
writers to encrypt the virus body so that it has no fixed byte pattern
for a scanner to match. The engine generates a different
decryption routine for each copy; it was claimed that no three bytes remain
constant from one sample to the next, so simple signature scanning fails
and the scanner has to emulate or undo the decryption before it can look
for the virus body.
Multipartite virus -
virus which infects both the boot sector of a disk and application programs.
Macro viruses -
virus written in the macro language of a word processor or spreadsheet
(typically MS Word or Excel) and carried inside a document or spreadsheet
file. Once the file is opened and its macros run, the virus copies itself
into the global template (NORMAL.DOT in Word) or replaces built-in
automatic macros such as AutoOpen, so every document subsequently opened
or saved is infected. Many of these are now spread via e-mail: the virus
runs when the attached document is opened and macros are allowed to execute.
EXAMPLES OF VIRUSES
Pakistani Brain virus
- a boot sector virus for 360 KB floppy disks (it does not infect hard
disks). It moves the original boot sector to an unused portion of the disk,
stores the remainder of its own code there as well, and marks those sectors
as bad in the FAT so that DOS will not reuse them. Because it does not check
whether the sectors were already in use, files stored there are corrupted,
and an infected disk can eventually become unusable. Early versions changed
the volume label to "(c) Brain". All versions carry the name of the program,
its authors and often their address in the boot sector of the infected disk.
This virus was the first virus known to spread worldwide and has
spawned numerous strains of similar viruses, including the Ashar
or Ashar-Shoe virus, which is very widespread in Malaysia.
Stoned-Marijuana virus
- is also a boot sector virus. It infects the boot sector of
floppy disks and the master boot record of hard disks, saving the original
sector in a fixed location on track 0. On most systems it will only
occasionally display the message "Your PC is now Stoned!" at boot time
(the code also carries the text "LEGALISE MARIJUANA!").
However, on high-density floppies and on some hard disk layouts, the place
where it saves the original sector is already in use by the file system
(the root directory or file allocation table), so that data is
overwritten. This makes access to the files
nearly impossible. The original strain of this virus was written
in New Zealand.
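Both boot-sector viruses above keep the partition table intact and replace only the bootstrap code, which is what an integrity check should key on. The following is an added example (written for this page, not from the original or from any anti-virus product) of such a check: it parses the partition table from a 512-byte master boot record, verifies the 0x55AA boot signature, compares a hash of the bootstrap code against a baseline taken when the machine was known clean, and looks for text that the boot infectors described here carry. Both sample sectors are constructed in the block; the bootstrap bytes and the single FAT16 partition are stand-ins, not a real disk image.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"            # last two bytes of a valid boot sector
PARTITION_TABLE_OFFSET = 446           # 4 entries of 16 bytes, then the signature
# Text carried by the boot-sector viruses described on this page.
KNOWN_TEXT = (b"Your PC is now Stoned!", b"(c) Brain")


def parse_partition_table(sector: bytes) -> list:
    """Return the four primary partition entries of a master boot record."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        raw = sector[start:start + 16]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def code_hash(sector: bytes) -> str:
    """Hash only the bootstrap code: a boot-sector infector replaces this part
    and usually leaves the partition table intact so the disk still works."""
    return hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if sector[SECTOR_SIZE - 2:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    table = parse_partition_table(sector)
    if sum(e["bootable"] for e in table) > 1:
        findings.append("more than one partition flagged bootable")
    for i, e in enumerate(table):
        if e["type"] != 0 and (e["lba_start"] == 0 or e["sectors"] == 0):
            findings.append(f"partition {i}: type 0x{e['type']:02X} with empty geometry")
    if code_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    for text in KNOWN_TEXT:
        if text in sector:
            findings.append(f"known boot virus text present: {text.decode()}")
    return findings


def build_sector(code: bytes, table: bytes) -> bytes:
    """Assemble a 512-byte sector from bootstrap code and a partition table (constructed)."""
    code = code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    table = table.ljust(64, b"\x00")[:64]
    return code + table + BOOT_SIGNATURE


# Constructed samples. The clean code is a stand-in (cli; xor ax,ax; mov ss,ax;
# mov sp,7C00h; then padding); the partition entry is one bootable FAT16
# partition starting at LBA 63.
ONE_PARTITION = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 2097089)
CLEAN_MBR = build_sector(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 24, ONE_PARTITION)
# "Infected": same partition table, bootstrap code replaced and carrying virus text.
INFECTED_MBR = build_sector(b"\xEB\x1C\x90" + b"\x90" * 8 + b"Your PC is now Stoned!", ONE_PARTITION)
BASELINE_HASH = code_hash(CLEAN_MBR)


if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_HASH))
```

On a Linux machine the live sector can be read with "dd if=/dev/sda bs=512 count=1 of=mbr.bin" (as root) and passed to check_mbr. Take the baseline, and run the comparison, after a cold boot from clean, write-protected media: a resident stealth boot virus can hand back the original sector whenever the infected one is read.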
Jerusalem virus - also known as the Israeli and Friday 13th virus; it has several strains, including Jerusalem-B. The Jerusalem virus infects both .COM and .EXE files and is memory resident; it survives a warm boot. Half an hour after the virus becomes resident, it slows the system down by a factor of about ten. On Friday the 13th, it deletes every program that is run that day. Because of a bug, it re-infects .EXE files every time they are run, so infected .EXE files keep growing (by roughly 1,800 bytes per infection), which is one of the easiest ways to notice it. Besides the damage it inflicts, the Jerusalem-B strain also periodically displays a "black window" in the middle of the screen.
Cascade virus - also known as the Falling Letters or 1701 virus, from its length of 1,701 bytes. It originally appeared as a Trojan horse disguised as a program to turn off the Num-Lock light. Instead it caused all the characters on the screen to fall into a pile at the bottom of the screen. It now occurs as a memory-resident .COM infector. The Cascade virus encrypts its own body (with a key derived from the host file's length, so each copy looks different) to avoid detection, one of the first viruses to do so. It originally activated on machines with a colour display between September and December in the years 1980 and 1988 (1980 because of a bug in its date check).
Michelangelo - a master boot record virus descended from Stoned. On March 6th, if the computer has a real-time clock the virus can read (in practice AT-class '286 or '386 machines rather than PC/XTs), the virus overwrites the beginning of the hard disk, including the partition table, FAT and root directory, with garbage, leaving the data unrecoverable without a backup.
Black Monday - on Mondays, a counter that starts at 240 is decremented each time a file is
infected. When it reaches zero, a low-level format of the hard disk is performed. Reportedly written by a Malaysian student.
W97M/Melissa - a Word 97 macro virus that spreads by e-mailing itself automatically from one user to another. Released on Friday, March 26, 1999. When the virus activates (when the minute of the hour matches the day of the month) it inserts a quotation from the TV series "The Simpsons" into the document being edited. Because it mails whatever document is currently open, it can send confidential documents out of the organisation without the user's knowledge. Melissa was initially posted to the internet newsgroup alt.sex in a file called LIST.DOC, which contained passwords for X-rated web sites. When users downloaded the file and opened it in Microsoft Word, a macro inside the document executed and e-mailed the document to the first 50 entries in each of the user's Outlook address books. The e-mail looked like this:
From: (name of infected user)
Subject: Important Message From (name of infected user)
To: (50 names from alias list)
Here is that document you asked for ... don't show anyone else ;-)
Attachment: LIST.DOC
VBS/LoveLetter - VBScript worm that uses the Outlook e-mail application to spread. LoveLetter also overwrites files of certain types with its own code and spreads through the mIRC client as well. When it is executed, it first copies itself into the Windows System directory as:
- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
and to the Windows directory as:
- Win32DLL.vbs
It adds itself to the registry, so that it will be executed when the system is restarted.
After that the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to the registry as well, which causes the program to be executed when the system is restarted.
The executable that LoveLetter downloads from the web is a password-stealing trojan. At system startup the trojan looks for a hidden window named 'BAROK...'; if one is present it exits immediately, otherwise its main routine takes control.
Immediately after startup, and again whenever its timer counters reach certain values, the trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords function to read the RAS passwords and all other cached Windows passwords, and sends them to the e-mail address 'mailme@super.net.ph'.
After that the worm creates an HTML file called "LOVE-LETTER-FOR-YOU.HTM" in the Windows System directory. This file contains the worm, and it is sent over mIRC whenever another person joins an IRC channel the infected user is in. To accomplish this the worm replaces the "script.ini" file in the mIRC installation directory.
Then the worm uses Outlook to mass mail itself to everyone in each address book. The message that it sends looks like this:
From: (name of infected user)
Subject: ILOVEYOU
To: (all names from address book)
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Note that Windows hides the final extension of known file types by default, so the attachment is displayed as "LOVE-LETTER-FOR-YOU.TXT" and looks like a harmless text file.
Then the worm searches all folders on all local and remote drives for script and web files (.vbs, .vbe, .js, .jse, .css, .wsh, .sct and .hta) and overwrites them with its own code, renaming them to .vbs.
After this has been done, the worm locates files with ".jpg" and ".jpeg" extensions, writes a copy of itself next to each one under the original name with ".vbs" appended, and deletes the original file. Then it locates ".mp3" and ".mp2" files, creates the same kind of copy and hides the original file instead of deleting it.
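Both the Melissa message and the LoveLetter message shown above can be recognised at the mail gateway from their headers and attachment names alone. The following is an added example (written for this page, not code from the original) that parses raw messages with Python's standard email library and reports three indicators: a subject that echoes the sender's own display name (Melissa's pattern), a double-extension attachment such as LOVE-LETTER-FOR-YOU.TXT.vbs, and Office attachments that may carry macros. The three sample messages are constructed inside the block; the sender "Alice Example", the addresses and the attachment contents are stand-ins.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Extensions that run code when double-clicked, and Office formats that can carry macros.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".exe", ".scr", ".pif", ".bat", ".com", ".hta"}
DOC_EXTS = {".doc", ".dot", ".xls"}


def double_extension(filename: str) -> bool:
    """True for names like LOVE-LETTER-FOR-YOU.TXT.vbs: a harmless-looking
    extension in front of one that executes. With "Hide extensions for known
    file types" on (the Windows default), the user sees only the .TXT part."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and ("." + parts[2]) in SCRIPT_EXTS


def attachment_names(msg) -> list:
    """Filenames of every part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw: bytes) -> list:
    """Return the indicators found in one raw RFC 822 message (empty list = nothing seen)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_name, _ = email.utils.parseaddr(str(msg["From"] or ""))
    subject = str(msg["Subject"] or "").strip()
    # Melissa: the subject is built from the infected user's own name.
    if sender_name and subject.lower() == f"important message from {sender_name}".lower():
        findings.append("subject echoes sender name (Melissa pattern)")
    for name in attachment_names(msg):
        low = name.lower()
        if double_extension(name):
            findings.append(f"double extension attachment: {name}")
        elif any(low.endswith(ext) for ext in SCRIPT_EXTS):
            findings.append(f"executable/script attachment: {name}")
        elif any(low.endswith(ext) for ext in DOC_EXTS):
            findings.append(f"Office document attachment, may carry macros: {name}")
    return findings


def build_message(from_hdr: str, subject: str, body: str, filename: str, data: bytes) -> bytes:
    """Construct a test message with one attachment (sample data, not real malware)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "bob@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples shaped like the two messages described on this page.
MELISSA_LIKE = build_message("Alice Example <alice@example.test>",
                             "Important Message From Alice Example",
                             "Here is that document you asked for ... don't show anyone else ;-)",
                             "LIST.DOC", b"\xd0\xcf\x11\xe0 stand-in for a Word file")
LOVELETTER_LIKE = build_message("Alice Example <alice@example.test>", "ILOVEYOU",
                                "kindly check the attached LOVELETTER coming from me.",
                                "LOVE-LETTER-FOR-YOU.TXT.vbs", b"' stand-in, not the worm")
BENIGN = build_message("Alice Example <alice@example.test>", "Lunch?",
                       "Noon at the usual place?", "notes.txt", b"plain text")

if __name__ == "__main__":
    for label, raw in [("melissa", MELISSA_LIKE), ("loveletter", LOVELETTER_LIKE), ("benign", BENIGN)]:
        print(label, classify(raw))
```

The double-extension rule is the one that has aged best: it needs no knowledge of a particular worm, only of which extensions execute, and it catches the trick of hiding a script behind a name that looks like a text file or an image.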
Code Red - worm that targets Microsoft IIS web servers through a buffer overflow in the Index Server ISAPI extension (idq.dll, Microsoft bulletin MS01-033), and does not pose a threat to end users who are not running IIS. The name covers two distinct worms from July and August 2001. The original Code Red existed only in memory: for part of each month it spread by probing random IP addresses, then launched a Denial-of-Service (DoS) attack against www1.whitehouse.gov, and finally went dormant. Code Red II used the same hole with a different payload: it copies the standard Windows NT/2000 command interpreter "cmd.exe" into the web server's "scripts" and "msadc" directories as root.exe, so that anyone on the Internet can execute commands on the infected server just by requesting suitable URLs. It also drops a trojan "explorer.exe" in the root of the C: and D: drives that keeps re-applying the relaxed IIS settings, so the server stays remotely exploitable even after the worm itself is removed from memory.
When a host is infected by Code Red II it starts scanning for other hosts to infect. It probes random IP addresses, but the code is written so that addresses in the same network as the infected host are more likely to be probed, which makes it spread quickly inside an organisation. If the infected system has its language set to Chinese, the worm scans more aggressively (600 threads instead of 300). The scanning runs for 24 hours after infection (48 on Chinese systems) and then the system is rebooted.
Nimda (September 2001) is a complex virus with a mass-mailing worm component which spreads itself in attachments named README.EXE. It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users. Nimda was the first worm to modify existing web sites so that they offer infected files for download, and the first to use ordinary end-user machines to scan for vulnerable web servers. That technique lets Nimda reach intranet web servers located behind firewalls. It spreads in four ways:
- Nimda locates EXE files on the local machine and infects them by embedding the original program inside a copy of itself; the original is run after the worm code.
- Nimda locates e-mail addresses via MAPI from the e-mail client as well as by searching local HTML files for additional addresses. Then it sends one e-mail to each address. These e-mails contain an attachment called README.EXE which, on systems where Internet Explorer and Outlook have not been patched for the MIME header vulnerability (MS01-020), is executed automatically when the message is merely previewed.
- Nimda scans the Internet for web servers. Once it finds an IIS server, it tries to infect it using known security holes: the Unicode and double-decode directory traversal bugs (MS00-078 and MS01-026) and the root.exe backdoors left behind by Code Red II. If this succeeds, the worm modifies web pages on the site by appending a small piece of JavaScript that opens README.EML, so browsers visiting the site are offered the worm and unpatched browsers run it automatically.
- The worm searches for file shares on the local network, on file servers or end-user machines. Once found, it drops a hidden file called RICHED20.DLL into any directory that contains DOC or EML files. When another user opens a DOC or EML file from such a directory, Word, WordPad or Outlook loads RICHED20.DLL from the current directory in preference to the system copy (a DLL search-order problem), infecting that PC. The worm will also infect remote files if it was started on a server.
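Code Red and Nimda both announce themselves in the IIS web server log, because every probe is an HTTP request with a recognisable path. The following is an added example (written for this page, not from the original) that parses a W3C extended log using its own #Fields: header, labels the request shapes described above (the default.ida overflow attempt, root.exe, and the encoded "..\" traversals to cmd.exe), and counts hits per client address, since every source address in the result is itself an infected host that needs cleaning. The log excerpt is constructed for the example and the Code Red query string is shortened; the real one is a run of a few hundred N or X characters followed by %u-encoded bytes.

```python
# Constructed IIS 5.0 W3C extended log excerpt (not a real server's log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 09:12:01 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090 200
2001-09-18 09:12:02 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 09:12:02 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 09:12:03 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 09:12:03 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 09:12:04 192.0.2.10 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 09:12:04 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 09:12:09 192.0.2.77 GET /index.htm - 200
2001-09-18 09:12:15 192.0.2.55 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090 200
"""

# Encodings of "\\" and "/" used to slip ".." past the IIS path check
# (MS00-078 Unicode traversal and MS01-026 double decoding).
TRAVERSAL_ENCODINGS = ("%255c", "%%35c", "%%35%63", "%25%35%63", "%252f",
                       "%c1%1c", "%c0%2f", "%c0%af", "%c1%9c")


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields: directive for the column names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                      # malformed record or no #Fields yet: skip
        yield dict(zip(fields, values))


def classify_request(stem: str, query: str):
    """Label one request, or return None if it looks ordinary."""
    s, q = stem.lower(), query.lower()
    if s == "/default.ida" and (q.startswith("nnnn") or q.startswith("xxxx")):
        return "Code Red: idq.dll overflow attempt"
    if s.endswith("/root.exe"):
        return "root.exe backdoor use (left by Code Red II, used by Nimda)"
    if "cmd.exe" in s:
        if any(enc in s for enc in TRAVERSAL_ENCODINGS):
            return "Nimda: directory traversal to cmd.exe"
        return "Nimda: cmd.exe via /c or /d virtual directory"
    return None


def scan_log(lines):
    """Return (client ip, stem, label) for every suspicious request in the log."""
    hits = []
    for rec in parse_w3c(lines):
        label = classify_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if label:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], label))
    return hits


def sources_by_count(hits):
    """Client addresses ordered by number of suspicious requests."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for ip, stem, label in hits:
        print(ip, stem, "->", label)
    print(sources_by_count(hits))
```

On IIS 5 the live logs are normally under the LogFiles\W3SVC1 directory below the system directory, one file per day; feeding one of those files to scan_log line by line gives the same report. A 404 on these requests means the server was not vulnerable, but the sending address is still an infected machine.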
Computer Security
(Ten rules for data security)
- Establish data security policies
- Establish password management procedures
- Control uploading of programs
- Test new or upgraded software in an isolated computing environment
- Purchase software from reputable sources
- Never leave a network workstation unattended
- Back up data and programs on a regular basis and store them off site
- Establish an effective disaster recovery plan
- Install and keep updated effective antivirus software
- Practice "Safe Computing"
SAFE COMPUTING
The spread of computer virus infections can be stopped through the practice of
"safe computing." The following is a list of dos and don'ts for safe computing.
- Don't use illegal (pirated) software! If the software was obtained illegally, how can you assume that it doesn't contain a virus?
- If your system has a hard disk, never boot from a diskette; where the BIOS allows it, set the hard disk as the first boot device so a forgotten diskette cannot boot the machine. In some situations, write-protection software for the hard disk should be employed.
- Never boot your computer system from a diskette other than the original DOS diskette. Only one write-protected boot disk should be assigned to a floppy-based system. The diskette should be clearly marked, write-protected and used only for booting up the designated computer. If you accidentally try to boot from a non-system disk, turn the computer off and boot with the write-protected system disk.
- Always write-protect your systems and program disks. Write-protect tabs are easy to
use and very effective. You should write only on data disks.
- Only copy files from the original distribution disks.
- Always use current antivirus software.
- Always use caution when opening e-mail attachments
- Do not loan out program disks. They may be infected when they are returned. If you must loan
a disk, always check it for viruses or format it before using the disk on your computer system.
- Never use a computer that has already been turned on by another user without restarting it. Always use a cold boot (power off and on) to restart the computer. Do not assume that a warm boot (Ctrl-Alt-Del) will remove a virus; some, such as Jerusalem, survive it.
- Always keep a lookout for strange occurrences:
- When you do a directory listing, look at the volume label.
- Observe whether your computer system is slowing down.
- Watch for files that disappear.
- Notice when there are attempts to access the disks when there should not be any read or
write activity.
- Watch whether the loading of programs takes longer.
- Keep a lookout for decreases in the main memory or reduction of disk space.
- Watch for unusually large sizes on program files.
- Watch for recent creation dates on old program files.
- Watch for unusual displays on the computer screen.
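Most of the "strange occurrences" above (growing program files, changed dates, files that disappear) can be checked mechanically by keeping a baseline of every program file and comparing against it. The following is an added example (written for this page, not from the original) of such an integrity checker in Python: it records size, modification time and a SHA-256 hash of each .COM/.EXE/.SYS/.OVL file, then reports files that changed, vanished or appeared. The demo builds a small program directory in a temporary folder, with constructed file contents, and simulates what the list above describes: an .EXE that grows by about 1,800 bytes while its date stamp is put back (the Jerusalem growth and the stealth date trick), one file that disappears and one that appears.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Program files a DOS-era file virus could infect.
PROGRAM_EXTS = {".com", ".exe", ".sys", ".ovl"}


def fingerprint(path: Path) -> dict:
    """Size, modification time and content hash of one file."""
    st = path.stat()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}


def build_baseline(root: Path) -> dict:
    """Fingerprint every program file under root, keyed by relative path."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in PROGRAM_EXTS}


def compare(root: Path, baseline: dict) -> list:
    """Return (name, description) for every program file that changed,
    vanished or appeared since the baseline was taken."""
    current = build_baseline(root)
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append((name, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            details = []
            if new["size"] != old["size"]:
                details.append(f"size changed by {new['size'] - old['size']:+d} bytes")
            if new["mtime_ns"] != old["mtime_ns"]:
                details.append("timestamp changed")
            else:
                details.append("timestamp unchanged despite new contents (stealth-style)")
            findings.append((name, "modified: " + ", ".join(details)))
    for name in sorted(current.keys() - baseline.keys()):
        findings.append((name, "new program file"))
    return findings


def demo() -> list:
    """Build a small program directory, take a baseline, then simulate what a
    user would notice later: one .EXE grows by about 1,800 bytes while its
    date stamp is restored, one file disappears and one appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 1000)          # constructed
        (root / "EDIT.COM").write_bytes(b"\xB8\x00\x4C\xCD\x21")       # mov ax,4C00h; int 21h
        (root / "UTIL.COM").write_bytes(b"\xC3")                        # ret
        (root / "README.TXT").write_bytes(b"not a program, ignored")
        baseline = build_baseline(root)

        game = root / "GAME.EXE"
        st = game.stat()
        with game.open("ab") as f:
            f.write(b"\x90" * 1813)                                     # constructed growth
        os.utime(game, ns=(st.st_atime_ns, st.st_mtime_ns))             # put the old date back
        (root / "EDIT.COM").unlink()
        (root / "NEW.COM").write_bytes(b"\xC3")
        return compare(root, baseline)


if __name__ == "__main__":
    for name, what in demo():
        print(f"{name}: {what}")
```

The baseline can be stored as JSON on a write-protected diskette. It must be taken on a system known to be clean, and the comparison must be run after a cold boot from clean media, because a resident stealth virus can hand the checker the original size, date and contents while the infected copy sits on disk.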
- Use caution when using public domain and shareware software or any new software. There
have been instances where commercial software has been sold with a virus.
- In a lab environment, do not allow users to run their own programs or boot the computer system with their own disks. Users should only have data disks that are not bootable. All program disks and hard disks in a lab must be
checked frequently for viruses. If users are allowed to use their own program disks, they must be scanned before they are used in the computer lab.
- Always keep at least one set of back-up copies of all original disks. (This won't prevent
a virus infection, but it will help in the recovery process if an infection occurs.)
- Most important of all is to teach computer users about computer viruses so that they can recognize them. Computer users need to be able to identify viruses so that they will be able to prevent their spread.
written by Wayne Summers summers_wayne@ColumbusState.edu