computer virus by imran

7/31/2019 Computer Virus by IMRAN

1/16

1

INTRODUCTION-

This document covers the basics on computer viruses.Computer Virus is a kind of malicious

software written intentionally to enter a computer without the users permission or knowledge, with

an ability to replicate itself, thus continuing to spread. Some viruses do little but replicate others can

cause severe harm or adversely affect program and performance of the system. A virus should never

be assumed harmless and left on a system.You have heard about them, read the news reports about

the number of incidents reported, and the amount of damage they inflict. Maybe you have even

experienced one firsthand. And ifyou havent, count yourself fortunate. Computer viruses are real

and theyre costly. Springing up seemingly from nowhere, spreading like wildfire; computer viruses

attack computer systems lightly or heavily, damaging files and rendering computers and networks

unusable. They proliferate through e-mail, Internet file downloads, and shared diskettes. And they

dont play favorites; your home computer is just as likely as a Fortune 500 companys netw ork to

experience an infection.

WHAT IS A COMPUTER VIRUS?

A computer virus is a computer program. , a block of executable code, which attach itself to,

overwrite or otherwise replace another program in order to reproduce itself without a knowledge of

a PC user .The term "virus" is also commonly but erroneously used to refer to other types of

malware, including but not limited to adware and spyware programs that do not have the

reproductive ability. A true virus can spread from one computer to another (in some form of

executable code) when its host is taken to the target computer; for instance because a user sent it

over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD,

or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on

a network file system or a file system that is accessed by another computer.

As stated above, the term "computer virus" is sometimes used as a catch-all phrase to include

all types of malware, even those that do not have the reproductive ability. Malware includescomputer viruses, computer worms, Trojan horses, spyware, dishonest adware and other malicious

and unwanted software, including true viruses. Viruses are sometimes confused with worms and

Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread

itself automatically to other computers through networks, while a Trojan horse is a program that

appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a

computer system's data or performance. Some viruses and other malware have symptoms noticeable

to the computer user, but many are surreptitious or simply do nothing to call attention to

themselves. Some viruses do nothing beyond reproducing themselves.
http://en.wikipedia.org/wiki/Adwarehttp://en.wikipedia.org/wiki/Spywarehttp://en.wikipedia.org/wiki/Codehttp://en.wikipedia.org/wiki/Network_file_systemhttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Computer_wormhttp://en.wikipedia.org/wiki/Trojan_horse_(computing)http://en.wikipedia.org/wiki/Spywarehttp://en.wikipedia.org/wiki/Adwarehttp://en.wikipedia.org/wiki/Adwarehttp://en.wikipedia.org/wiki/Spywarehttp://en.wikipedia.org/wiki/Trojan_horse_(computing)http://en.wikipedia.org/wiki/Computer_wormhttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Network_file_systemhttp://en.wikipedia.org/wiki/Codehttp://en.wikipedia.org/wiki/Spywarehttp://en.wikipedia.org/wiki/Adware


2/16

2

HISTORY-

The first academic work on the theory of computer viruses (although the term "computer

virus" was not invented at that time) was done by John von Neumann in 1949 who, held lectures at

the University of Illinois about the "Theory and Organization of Complicated Automata". The work of

von Neumann was later published as the "Theory of self-reproducing automata". In his essay von

Neumann postulated that a computer program could reproduce.

The actual term 'virus' was first used in David Gerrold's 1972 novel, When HARLIE Was One. In

that novel, a sentient computer named HARLIE writes viral software to retrieve damaging personal

information from other computers to blackmail the man who wants to turn him off.

TIMELINE OF VIRUS PROGRAMS

1970-1979

The Creeper virus, an experimental self-replicating program, is written by Bob Thomas at BBNTechnologies. Creeper infected DECPDP-10 computers running the TENEX operating system.

Creeper gained access via the ARPANET and copied itself to the remote system where the

message, "I'm the creeper, catch me if you can!" was displayed. The Reaperprogram was later

created to delete Creeper.

1980-1989

The Brain boot sector virus (aka Pakistani flu) was released. Brain is considered the first IBM PCcompatible virus and the program responsible for the first IBM PC compatible virus epidemic. The

virus is also known as Lahore, Pakistani, Pakistani Brain, as it was created in Lahore, Pakistan by

19 year old Pakistani programmer, Basit Farooq Alvi, and his brother, Amjad Farooq Alvi.

Ralf Burger presented the Virdem model of programs at a meeting of the underground ChaosComputer Club in Germany. The Virdem model represented the first programs that could

replicate themselves via addition of their code to executable DOS files in COM format.

Appearance of the Vienna virus, which was subsequently neutralizedthe first time this hadhappened on the IBM platform.

Christmas Tree EXEC was the first widely disruptive replicating network program, which paralyzedseveral international computer networks in December 1987.
http://en.wikipedia.org/wiki/(c)Brainhttp://en.wikipedia.org/wiki/Boot_sectorhttp://en.wikipedia.org/wiki/Boot_sectorhttp://en.wikipedia.org/wiki/(c)Brain


3/16

3

1990-1999

Mark Washburn working on an analysis of the Vienna and Cascade viruses with Ralf Burgerdevelops the first family of polymorphic virus: the Chameleon family.

In 1995 the first Macro virus, called "Concept," is created. It attacked Microsoft Word documents. "Ply" - DOS 16-bit based complicated polymorphic virus appeared with built-in permutation

engine.

2000 and later

2000

The I LOVE YOU worm appears. As of 2004 this was the most costly virus to businesses, causingupwards of 5.5 to 10 billion dollars in damage.

2001

February 11: The Anna Kournikova virus hits e-mail servers hard by sending e-mail to contacts inthe Microsoft Outlook address book.

October 26: The Klez worm is first identified. It exploits vulnerability in Microsoft InternetExplorer and Microsoft Outlook and Outlook Express.

2002

Beast is a Windows based backdoor Trojan horse, more commonly known as a RAT (RemoteAdministration Tool). It is capable of infecting almost all Windows OS i.e. 95 through XP. Written

in Delphi and Released first by its author Tataye in 2002, its most current version was released

October 3, 2004

2003

June 13: ProRat is a Turkish-made Microsoft Windows based backdoor Trojan horse, morecommonly known as a RAT (Remote Administration Tool).

2004

Late January: MyDoom emerges, and currently holds the record for the fastest-spreading massmailer worm.

August 20: Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo andsometimes referred to as MS Juan) is a Trojan Horse that is known to cause popup and advertising

for rogue antispyware programs.
http://en.wikipedia.org/wiki/Vundohttp://en.wikipedia.org/wiki/Vundo


4/16

4

2005

Late 2005: The Zlob Trojan, also known as Trojan. Zlob is a Trojan horse which masquerades as arequired video codec in the form of ActiveX. It was first detected in late 2005.

2005: Bandook or Bandook Rat (Bandook Remote Administration Tool) is a backdoor Trojan horsethat infects the Windows family. It uses a server creator, a client and a server to take control over

the remote computer.

2006

February 16: discovery of the first-ever malware for Mac OS X, a low-threat Trojan-horse knownas OSX/Leap-A or OSX/Oompa-A, is announced.

2007

January 17: Storm Worm identified as a fast spreading email spamming threat to Microsoftsystems. It begins gathering infected computers into the Storm botnet. By around June 30 it had

infected 1.7 million computers, comprised between 1 and 10 million computers by September.

2008

February 17: Mocmex is a Trojan, which was found in a digital photo frame in February 2008. Itwas the first serious computer virus on a digital photo frame

March 3: Torpig, also known as Sinowal and Mebroot, is a Trojan horse that affects Windows,turning off anti-virus applications. It allows others to access the computer, modifies data, steals

confidential information (such as user passwords and other sensitive data) and installs more

malware on the victim's computer.

May 6: Rustock.C, a hitherto-rumoured spambot-type malware with advanced rootkit capabilities,was announced to have been detected on Microsoft systems and analyzed, having been in the

wild and undetected since October 2007 at the very least.

2009

July 15: Symantec discovered Daprosy Worm. Said Trojan worm is intended to steal online-gamepasswords on internet cafes.

2010

February 18: Microsoft announced that a BSoD problem on some windows machines which wastriggered by a batch of Patch Tuesday updates was caused by the Alureon Trojan
http://en.wikipedia.org/wiki/Daprosy_Wormhttp://en.wikipedia.org/wiki/Daprosy_Worm


5/16

5

TYPES OF COMPUTER VIRUSES-

There are Different Types of Computer Viruses could be classified considering origin,

techniques, types of files they infect, where they hide, the kind of damage they cause, the type of

operating system or platform they attack etc.

Most common types of viruses are mentioned below:

1.Resident Viruses

This type of virus is a permanent which dwells in the RAM memory. From there it can

overcome and interrupt all of the operations executed by the system: corrupting files and programs

that are opened, closed, copied, renamed etc. examples include: Randex, CMJ, Meve, and MrKlunky.

2.Direct Action Viruses

the main purpose of this virus is to replicate and take action when it is executed. When a

specific condition is met, the virus will go into action and infect files in the directory or folder that it is

in and in directories that are specified in the AUTOEXEC.BAT file PATH. This batch file is always

located in the root directory of the hard disk and carries out certain operations when the computer is

booted.

3.Overwrite Viruses

Virus of this kind is characterized by the fact that it deletes the information contained in the

files that it infects, rendering them partially or totally useless once they have been infected. The only

way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the

original content.

Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.

4. Boot Virus

This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk,

in which information on the disk itself is stored together with a program that makes it possible to

boot (start) the computer from the disk. The best way of avoiding boot viruses is to ensure that

floppy disks are write-protected and never start your computer with an unknown floppy disk in the

disk drive. Examples of boot viruses include: Polyboot.B, AntiEXE.

5. Macro Virus

Macro viruses infect files that are created using certain applications or programs that contain

macros. These mini-programs make it possible to automate series of operations so that they are

performed as a single action, thereby saving the user from having to carry them out one by one.

Examples of macro viruses: Relax, Melissa.A, Bablas, and O97M/Y2K.


6/16

6

6. Directory Virus

Directory viruses change the paths that indicate the location of a file. By executing a program

(file with the extension .EXE or .COM) which has been infected by a virus, you are unknowinglyrunning the virus program, while the original file and program have been previously moved by the

virus.

Once infected it becomes impossible to locate the original files.

7.Polymorphic Virus

Polymorphic viruses encrypt or encode themselves in a different way (using different

algorithms and encryption keys) every time they infect a system. This makes it impossible for anti-

viruses to find them using string or signature searches (because they are different in each encryption)

and also enables them to create a large number of copies of themselves. Examples include: Elkern,Marburg, Satan Bug, and Tuareg.

8. File Infectors

This type of virus infects programs or executable files (files with an .EXE or .COM extension).

When one of these programs is run, directly or indirectly, the virus is activated, producing the

damaging effects it is programmed to carry out. The majority of existing viruses belongs to this

category, and can be classified depending on the actions that they carry out.

9. Companion VirusesCompanion viruses can be considered file infector viruses like resident or direct action types.

They are known as companion viruses because once they get into the system they "accompany" the

other files that already exist. In other words, in order to carry out their infection routines, companion

viruses can wait in memory until a program is run (resident viruses) or act immediately by making

copies of themselves (direct action viruses).Some examples include: Stator, Asimov.1539, and

Terrax.1069

10. FAT Virus

The file allocation table or FAT is the part of a disk used to connect information and is a vital

part of the normal functioning of the computer. This type of virus attack can be especially dangerous,

by preventing access to certain sections of the disk where important files are stored. Damage caused

can result in information losses from individual files or even entire directories.

11. Worms

A worm is a program very similar to a virus; it has the ability to self-replicate, and can lead to

negative effects on your system and most importantly they are detected and eliminated by antivirus.

Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, and Mapson.


7/16

7

12. Trojans or Trojan Horses

Another unsavory breed of malicious code are Trojans or Trojan horses, which unlike viruses

do not reproduce by infecting other files, nor do they self-replicate like worms.

13. Logic Bombs

They are not considered viruses because they do not replicate. They are not even programs in

their own right but rather camouflaged segments of other programs. Their objective is to destroy

data on the computer once certain conditions have been met. Logic bombs go undetected until

launched, and the results can be destructive.


8/16

8

HOW COMPUTER VIRUSES WORK AND HOW DO

THEY SPREAD?A computer virus is, in many ways, similar to the biological viruses that attack human bodies.

A biological virus isnt truly a living, independent entity. A virus is nothing more than a fragment of

DNA sheathed in a protective jacket. It reproduces by injecting its DNA into a host cell. The DNA then

uses the host cells normal mechanisms to reproduce itself. A computer virus is like a biological virus

in that it also isnt an independent entity; it must piggyback on a host (another program or

document) in order to propagate. Many viruses are hidden in the code of legitimate software

programsprograms that have been infected, that is. These viruses are called file infector viruses,

and when the host program is launched, the code for the virus is also executed, and the virus loads

itself into your computers memory. From there, the virus code searches for other programs on your

system that it can infect; if it finds one, it adds its code to the new program, which, now infected, canbe used to infect other computers.

This entire process is shown in Figure

If all a virus did, was copy itself to additional programs and computers, there would be little

harm done, save for having all our programs get slightly larger. Unfortunately, most viruses not only

replicate themselves, they also perform other operationsmany of which are wholly destructive. A

virus might, for example, delete certain files on your computer. It might overwrite the boot sector of

your hard disk, making the disk inaccessible. It might write messages on your screen, or cause yoursystem to emit rude noises. It might also hijack your e-mail program and use the program to send

itself to all your friends and colleagues, thus replicating itself to a large number of PCs. Viruses that

replicate themselves via e-mail or over a computer network cause the subsidiary problem of

increasing the amount of Internet and network traffic. These fast-replicating virusescalled worms

can completely overload a company network, shutting down servers and forcing tens of thousands of

users offline. While no individual machines might be damaged, this type of communications

disruption can be quite costly. As you might suspect, most viruses are designed to deliver their

payload when theyre firstexecuted. However, some viruses wont attack until specifically prompted,

typically on a predetermined date or day of the week. They stay on your system, hidden from sight

virus copies itself to other programe

virus delivers its destructive payload

virus code is loaded into pc memory

virus programe is lunched


9/16

9

like a sleeper agent in a spy novel, until theyre awoken on a specific date; then they go about the

work they were programmed to do. In short, viruses are nasty little bits of computer code, designed

to inflict as much damage as possible, and to spread to as many computers as possiblea particularly

vicious combination.

WHAT DO VIRUSES DO TO COMPUTERS?

Viruses are software programs, and they can do the same things as any other programs

running on a computer. The actual effect of any particular virus depends on how it was programmed

by the person who wrote the virus. Some viruses are deliberately designed to damage files or

otherwise interfere with your computer's operation, while others don't do anything but try to spread

themselves around. But even the ones that just spread themselves are harmful, since they damage

files and may cause other problems in the process of spreading. But viruses can't do any damage to

hardware, they won't melt down your CPU or burn out your drive.

THE HARMS CAUSED BY COMPUTER VIRUSES-

Not a month goes by without another big-time virus scare. Tens of millions of computers are

infected by computer viruses every year. In 2001, 2.3 million computers were infected by the SirCam

virus, and another million computers were hit by CodeRed. Even worse, the LoveLetter virus hit an

estimated 45 million computerson a single day in 2000. ICSA Labs (www.icsalabs.com), a leading

provider of security research, intelligence, and certification, found that the rate of virus infection in

North America in 2001 was 113 infections per 1000 computersmeaning that more than 10% of all

computers they surveyed had been hit by a virus. And this rate is increasing; ICSA says that the

likelihood of contracting a computer virus has doubled for each of the past five years. Viruses hit the

corporate world especially hard; a single infected computer can spread the virus among the entire

corporate network. McAfee.com (www.mcafee.com), a company specializing in virus protection,

estimates that two-third of U.S. companies are attacked by viruses each year. A third of those

companies reported that viruses knocked out their servers for an average of 5.8 hours per infection,

and 46% of the companies required more than 19 days to completely recover from the virus incident.

These incidents come with a heavy cost. The research firm Computer Economics (www

.computereconomics.com) estimates that companies spent $10.7 billion to recover from virus attacks

in 2001. Technology magazine The Industry Standard (www.thestandard.com) puts the cost much

higher, at upwards of $266 billion. Whatever the real number, its clear that computer viruses are

costly to all concernedin terms of both money and the time required to clean up after them. Just

look at the costs inflicted by individual viruses. For example, Computer Economics estimates that the

Nimda virus alone cost companies $590 million in cleanup costs; CodeRed and LoveLetter were even

more costly, running up costs of $2.6 billion apiece. To an individual company, these costs can be


10/16

10

staggering. ICSA Labs estimates that virus cleanup costs large companies anywhere from $100,000 to

$1 million each per year. Thats real money.Unfortunately, this problem doesnt look like its going to

go away. In fact, the problem just keeps getting worse. To date, more than 53,000 different viruses

have been identified and catalogued with another half-dozen or so appearing every day.

Diagnosing a Virus Infection-

How does one know if his/her computer has been infected with a virus? In short, if it starts

acting funny, doing anything it didnt do before, then a probable cause is some sort of computer

virus. Here are some symptoms to watch for:

Programs quit working or freeze up. Documents become inaccessible. Computer freezes up or wont start properly. The CAPS LOCK key quits workingor works intermittently. Files increase in size. Frequent error messages appear onscreen. Strange messages or pictures appear onscreen. Your PC emits strange sounds. Friends and colleagues inform you that theyve received strange e-mails from you, that

You dont remember sending.


11/16

11

HOW CAN YOU PROTECT YOURSELF?

With dangerous viruses on the network, what can computer users do to protect their

systems? Here are just a few hints:

Dont assume anything. Make some time to learn about securing your system. Acquire and use a reliable antivirus program. Select an antivirus that has a consistent track

record.

Acquire and use a reliable firewall solution. Again, independent reviewers are your best betfor reasonable choices. Some operating systems come with a firewall which only filters

incoming traffic. Use a firewall that can control both incoming and outgoing Internet traffic.

Do not open e-mails coming from unknown or distrusted sources. Many viruses spread via e-mail messages so please ask for a confirmation from the sender if you are in any doubt.

Do not open the attachments of messages with a suspicious or unexpected subject. If youwant to open them, first save them to your hard disk and scan them with an updated antivirus

program.

Delete any chain e-mails or unwanted messages. Do not forward them or reply to theirsenders. This kind of messages is considered spam, because it is undesired and unsolicited

and it overloads the Internet traffic.

Avoid installing services and applications which are not needed in day-by-day operations in adesktop role, such as file transfer and file sharing servers, remote desktop servers and the

like. Such programs are potential hazards, and should not be installed if not absolutely

necessary.

Update your system and applications as often as possible. Some operating systems andapplications can be set to update automatically. Make full use of this facility. Failure to patch

your system often enough may leave it vulnerable to threats for which fixes already exist.

Do not copy any file if you don't know or don't trust its source. Check the source (provenance)of files you download and make sure that an antivirus program has already verified the files at

their source.

Make backups of important personal files (correspondence, documents, pictures and such) ona regular basis. Store these copies on removable media such as CD or DVD. Keep your archive

in a different location than the one your computer is in.


12/16

12

HOW DOES ANTI-VIRUS SOFTWARE WORK?

An anti-virus software program is a computer program that can be used to scan files to

identify and eliminate computer viruses and other malicious software (malware).

Anti-virus software typically uses two different techniques to accomplish this:

Examining files to look for known viruses by means of a virus dictionary Identifying suspicious behavior from any computer program which might indicate

infection

Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus

dictionary approach.

VIRUS DICTIONARY APPROACH-

In the virus dictionary approach, when the anti-virus software examines a file, it refers to a

dictionary of known viruses that have been identified by the author of the anti-virus software. If a

piece of code in the file matches any virus identified in the dictionary, then the anti-virus software

can then either delete the file, quarantine it so that the file is inaccessible to other programs and its

virus is unable to spread, or attempt to repair the file by removing the virus itself from the file. To be

successful in the medium and long term, the virus dictionary approach requires periodic online

downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically

minded and technically inclined users can send their infected files to the authors of anti-virus

software, who then include information about the new viruses in their dictionaries.

Dictionary-based anti-virus software typically examines files when the computer's operating

system creates, opens, and closes them; and when the files are e-mailed. In this way, a known virus

can be detected immediately upon receipt. The software can also typically be scheduled to examine

all files on the user's hard disk on a regular basis. Although the dictionary approach is considered

effective, virus authors have tried to stay a step ahead of such software by writing "polymorphic

viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise,

so as to not match the virus's signature in the dictionary.


13/16

13

SUSPICIOUS BEHAVIOR APPROACH-

The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but

instead monitors the behavior of all programs. If one program tries to write data to an executableprogram, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked

what to do.

Unlike the dictionary approach, the suspicious behavior approach therefore provides

protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also

sounds a large number of false positives, and users probably become desensitized to all the warnings.

If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to

that user. This problem has especially been made worse over the past 7 years, since many more

nonmalicious program designs chose to modify other .exes without regards to this false positiveissue. Thus, most modern antivirus software uses this technique less and less.

OTHER WAYS TO DETECT VIRUSES -

Some antivirus-software will try to emulate the beginning of the code of each new executable

that is being executed before transferring control to the executable. If the program seems to be using

self-modifying code or otherwise appears as a virus (it immediately tries to find other executables),

one could assume that the executable has been infected with a virus. However, this method results in

a lot of false positives.Yet another detection method is using a sandbox. A sandbox emulates the operating system

and runs the executable in this simulation. After the program has terminated, the sandbox is

analyzed for changes which might indicate a virus. Because of performance issues this type of

detection is normally only performed during on-demand scans.


14/16

14

ISSUES OF CONCERN-

Macro viruses, arguably the most destructive and widespread computer viruses, could be

prevented far more inexpensively and effectively, and without the need of all users to buy anti-virussoftware, if Microsoft would fix security flaws in Microsoft Outlook and Microsoft Office related to

the execution of downloaded code and to the ability of document macros to spread and wreak

havoc. User education is as important as anti-virus software; simply training users in safe computing

practices, such as not downloading and executing unknown programs from the Internet, would slow

the spread of viruses, without the need of anti-virus software. Computer users should not always run

with administrator access to their own machine. If they would simply run in user mode then some

types of viruses would not be able to spread.

There are various methods of encrypting and packing malicious software which will make

even well-known viruses undetectable to anti-virus software. Detecting these "camouflaged" virusesrequires a powerful unpacking engine, which can decrypt the files before examining them.

Unfortunately, many popular anti-virus programs do not have this and thus are often unable to

detect encrypted viruses. Companies that sell anti-virus software seem to have a financial incentive

for viruses to be written and to spread, and for the public to panic over the threat.


15/16

15

CONCLUSION-

Computer viruses are malicious computer programs, designed to spread rapidly and deliver

various types of destructive payloads to infected computers. Viruses have been around almost as

Long as computers themselves, and they account for untold billions of dollars of damage every year.

While there are many different types of viruses, the best protection against them is to exhibit

extreme caution when downloading files from the Internet and opening e-mail attachments and to

religiously avail yourself of one of the many antivirus software programs currently on the market.


16/16

16

BIBLIOGRAPHY