Home  |  About Me | Thoughts  | Tutorials  |  Projects | Robotics | out's That   


 

For Educational Purposes Only.

Computer Virus

Computer viruses are executable computer programs. Like biological viruses, they find and attach themselves to a host. Just as a cold virus finds and attaches itself to a human host, a computer virus attaches itself to an item, such as a computer startup area (boot record) or an executable file.

Most viruses stay active in memory until you turn off your computer. Turning the computer off removes the virus from memory, but not from the files or disk it has infected. So the next time you use your computer the virus program is activated again and attaches itself to more programs. A computer virus, like a biological virus, exists to replicate.

Types Of Viruses

Viruses are categorized by their infection targets:

Program viruses infect program files, which commonly have extensions such as .COM, .EXE, .SYS, .DLL, .OVL, or .SCR. The most common programs targeted by viruses are standard DOS programs that use the .COM and .EXE file extensions. Program files are attractive targets for virus writers because they are widely used and have relatively simple formats to which viruses can attach.

Boot viruses infect the non-file (system) areas of hard and floppy disks. These areas offer an efficient way for a virus to spread from one computer to another. Boot viruses have achieved a higher degree of success than program viruses in infecting their targets and spreading.

Macro viruses infect data files with macro capabilities and are the newest threat to the computing public. For example, Microsoft Word document and template files are susceptible to macro virus attacks. They spread very rapidly as infected documents are shared on networks or downloaded from Internet sites.

Program Viruses: Like normal programs, program viruses must be written for a specific operating system. The vast majority of viruses have been written for DOS, but some have been written for Windows 3.x, Windows 95/98, and even UNIX. Every version of Windows mentioned here can run DOS programs, so all of them can host DOS viruses with varying degrees of success.

Boot Viruses: All hard and floppy disks have boot records, whether or not they also contain operating system files. A disk does not have to be bootable to be infected by a boot virus; data disks can carry boot viruses too. A typical way a computer gets a boot infection is to restart with an infected floppy disk inadvertently left in the drive. Even if the floppy is not a boot disk, the virus will activate and spread.

Unlike program viruses, almost any boot virus can infect DOS, Windows 3.x, Windows 95/98, Windows NT, and even Novell NetWare systems. This is because they exploit inherent features of the computer rather than of the operating system: the BIOS loads and executes the boot sector before any operating system code runs, so whatever sits there runs on every PC regardless of what is installed on it.

Many boot viruses assume the hard disk is using a normal DOS file system, often because they stash the original boot sector in a location that is unused under FAT. That assumption is not always correct if you are using an operating system other than DOS or Windows 3.x. On Windows NT, for example, you can choose the NTFS file system instead of the DOS-compatible FAT file system. If a virus encounters an NTFS system it still infects the boot record, but it may overwrite some of your files or the disk system areas in the process. When this happens, NT will not be able to start and you may need to reinstall Windows.

Another interesting aspect of Windows NT is that it disables any boot virus when it starts, assuming it can still start: once NT's own disk drivers take over from the BIOS, the virus's hooks into the BIOS disk services are no longer used. This means that boot viruses can infect a machine running Windows NT but cannot spread to other disks while Windows NT is running. Do not, however, assume that the virus is benign. Every time you boot the system the virus runs before NT does, so it has a chance to check its trigger condition and deliver its payload. For example, on March 6th the Stoned.Michelangelo virus overwrites the hard drive with random bytes, cylinder by cylinder, corrupting the original data. In a fraction of a second the non-file areas used at start-up are the first to be wiped out. Once the destructive routine has been triggered it is virtually impossible to stop it, so the only real defences are detecting the virus before the trigger date and keeping current backups.
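The boot-record checks described above come down to one question: does the 512-byte master boot record still contain the boot code it had when the machine was known to be clean? The following is an added example, not code from the original page or from any antivirus product. It parses an MBR (446 bytes of boot code, four 16-byte partition entries, the 55 AA signature) and compares the boot code against a baseline hash. The MBR bytes are constructed here; on a real system you would read the first 512 bytes of the physical disk, which needs administrative rights.

```python
"""Parse a 512-byte master boot record (MBR) and compare its boot code
against a known-good baseline.

Added example, not from the original page. The MBR image is constructed
for illustration.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE_OFF = 510      # last two bytes must be 55 AA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR from the given boot code: one bootable
    partition of type 0x07 (NTFS) starting at LBA 2048, then 55 AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return code + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return the signature check, a hash of the boot code and the
    non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", sector, SIGNATURE_OFF)  # bytes 55 AA read as 0xAA55
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"signature_ok": sig == 0xAA55,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the
    baseline taken when the machine was known to be clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55 AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")  # what a boot virus replaces
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions, expected 1" % len(bootable))
    return findings


# Constructed clean boot code: cli; xor ax,ax; mov ss,ax; mov sp,7C00h
CLEAN = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN)["boot_code_sha256"]
# Simulated infection: boot code replaced, partition table left intact
INFECTED = build_sample_mbr(b"\xeb\x1c\x90" + b"BOOT-VIRUS-STUB" * 4)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN, BASELINE))
    print("infected:", check_mbr(INFECTED, BASELINE))
```

The partition table is parsed too because a virus that moves the original boot sector can leave the table intact while the boot code changes; comparing only the hash of bytes 0..445 therefore catches the infection without raising an alarm every time a partitioning tool rewrites the table.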

 

Macro viruses: Many older applications had simple macro systems that allowed you to record a sequence of operations within the application and associate them with a specific keystroke. Later, you could perform the same sequence of operations by merely hitting the specified key.

Newer applications provide much more complex macro systems. You can write entire macro-programs that run within the word processor or spreadsheet environment and are attached directly onto word processing and spreadsheet files. The ability to tote one or more macros around with a data file is a very powerful feature. Unfortunately, this ability also makes it possible to create macro viruses.

 

A typical chronology for macro virus infection begins when an infected document or spreadsheet is loaded. The application also loads any accompanying macros that are attached to the file. If one or more of the macros meet certain criteria, the application will also immediately execute these macros. Macro viruses rely upon this auto-execution capability to gain control of the application’s macro system.

Once the macro virus has been loaded and executed, it waits for you to edit or create a document, then kicks into action again. It attaches its macros to the new document and lets the application save the document normally. In this fashion the virus spreads to another file, and does so discreetly: you see no sign of the infection. If that file is later opened on another computer, the virus is loaded again, launched by the application, and finds other unsuspecting files to infect.

 

Finally, as far as a macro virus is concerned, the application serves as the operating system. A single macro virus can spread to any of the platforms on which the application is installed and running. For example, a single macro virus that uses Microsoft Word could conceivably spread to Windows 3.x, Windows 95/98, Windows NT, and the Macintosh.
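The auto-execution the macro chronology above relies on is visible in the macro source itself: a procedure with one of the names the application runs on open or close, combined with calls that reach the global template or the outside world. The following is an added example, not code from the original page or from any product; it scans VBA source text for exactly those two things. The two macros are constructed samples (the self-copy one is a sketch of the pattern described above, not a working macro), and getting VBA source out of a real .doc or .docm file is a separate step (the oletools project's olevba does that).

```python
"""Flag auto-executing and self-propagating constructs in VBA macro source.

Added example, not from the original page. Works on extracted VBA text.
"""
import re

# Procedure names Word and Excel run automatically on open, close or new.
AUTO_EXEC_NAMES = {n.lower() for n in (
    "AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew",
    "Document_Open", "Document_Close", "Document_New",
    "Workbook_Open", "Workbook_Close", "Auto_Open", "Auto_Close",
)}

# Members a macro needs to copy itself into another file or leave the document.
SUSPICIOUS = (
    "NormalTemplate", "VBProject", "VBComponents", "CodeModule",
    "AddFromString", "MacroCopy", "Shell", "CreateObject", "Kill",
)

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
                     re.IGNORECASE | re.MULTILINE)


def scan_vba(source: str) -> dict:
    """Classify VBA source text. VBA identifiers are case-insensitive, so
    every comparison is done on lower-cased text."""
    procs = PROC_RE.findall(source)
    auto_exec = [p for p in procs if p.lower() in AUTO_EXEC_NAMES]
    lowered = source.lower()
    hits = [s for s in SUSPICIOUS if re.search(r"\b" + s.lower() + r"\b", lowered)]
    if auto_exec and hits:
        risk = "high"    # runs on open and can replicate or act outside the document
    elif auto_exec or hits:
        risk = "medium"
    else:
        risk = "low"
    return {"procedures": procs, "auto_exec": auto_exec, "suspicious": hits, "risk": risk}


# Constructed sample: a recorded formatting macro, nothing unusual.
BENIGN = """\
Sub FormatTable()
    ' Constructed sample: a recorded formatting macro
    Selection.Tables(1).Borders.Enable = True
End Sub
"""

# Constructed sketch of the pattern the text describes: an auto-executing
# macro that copies code into the global template so new documents get it.
SELF_COPY = """\
Sub AutoOpen()
    Dim src As String
    src = ThisDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 8)
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString src
End Sub
"""

if __name__ == "__main__":
    print("benign:", scan_vba(BENIGN))
    print("self-copy:", scan_vba(SELF_COPY))
```

A scanner like this is a triage aid, not a verdict: a legitimate add-in may also use AutoOpen, which is why the two signals are scored together rather than either one alone.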

 

Stealth Viruses: Stealth viruses actively seek to conceal themselves from attempts to detect or remove them. They use techniques such as intercepting disk reads to provide an uninfected copy of the original item in place of the infected copy (read-stealthing viruses), altering disk directory or folder data for infected program files (size-stealthing), or both. For example, the Whale virus is a size-stealthing virus. It infects .EXE program files and alters the folder entries of infected files when other programs attempt to read them. The Whale virus adds 9216 bytes to an infected file. Because changes in file size are an indication that a virus might be present, the virus then subtracts the same number of bytes (9216) from the file size given in the directory/folder entry to trick the user into believing that the file’s size has not changed.

 

Polymorphic Viruses: Most simple viruses attach identical copies of themselves to the files they infect. An anti-virus program can detect the virus's code (its signature) because it is always the same, and can quickly ferret out the virus. To avoid such easy detection, polymorphic viruses operate differently. When a polymorphic virus infects a program it scrambles (encrypts) its body with a key that changes from one infection to the next and prepends a small decryption routine, which a good polymorphic engine also rewrites each time. No two infections look the same, so a fixed signature no longer matches and the scanner has to decrypt or emulate the code before it can recognise it.
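To make the point concrete, here is an added example that is not part of the original page: a harmless marker string stands in for the virus body, a one-byte XOR with a per-copy key stands in for the polymorphic engine, and two scanners are run against the result. The naive signature scanner finds the simple virus and misses every polymorphic copy; the decrypt-and-scan routine undoes the toy decryptor and finds it again, which is the idea behind the emulation real engines use. The body, stub marker and host bytes are all constructed.

```python
"""Why a fixed signature misses polymorphic code, and how decrypt-and-scan
recovers it.

Added example, not from the original page. A real polymorphic engine also
rewrites the decryptor on every infection; this toy keeps a fixed stub.
"""

BODY = b"TOY-VIRUS-BODY: marker only, does nothing"   # constructed stand-in for virus code
SIGNATURE = b"TOY-VIRUS-BODY"                          # bytes a scanner searches for
STUB = b"\xDE"                                         # marks where the toy decryptor starts


def simple_infect(host: bytes) -> bytes:
    """A simple virus appends an identical copy of its body to every host."""
    return host + BODY


def polymorphic_infect(host: bytes, key: int) -> bytes:
    """A polymorphic virus appends a decryptor stub, the per-copy key and
    the body XOR'd with that key, so the body bytes differ in every file.
    key must be 1..255: key 0 would leave the body in clear."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return host + STUB + bytes([key]) + bytes(b ^ key for b in BODY)


def signature_scan(data: bytes) -> bool:
    """Naive scanner: look for the fixed signature bytes."""
    return SIGNATURE in data


def decrypt_and_scan(data: bytes) -> bool:
    """Scanner that understands the decryptor: at every candidate stub,
    undo the XOR with the key that follows it and re-check for the
    signature. Real engines do the equivalent by emulating the decryptor."""
    if signature_scan(data):
        return True
    idx = data.find(STUB)
    while idx != -1:
        if idx + 1 < len(data):
            key = data[idx + 1]
            if SIGNATURE in bytes(b ^ key for b in data[idx + 2:]):
                return True
        idx = data.find(STUB, idx + 1)
    return False


def distinct_infections(host: bytes, keys) -> int:
    """How many different byte patterns one host yields under the given
    keys; each would need its own signature."""
    return len({polymorphic_infect(host, k) for k in keys})


if __name__ == "__main__":
    host = b"MZ-constructed-host-program"
    print("simple, signature scan:", signature_scan(simple_infect(host)))
    print("polymorphic, signature scan:", signature_scan(polymorphic_infect(host, 0x5A)))
    print("polymorphic, decrypt-and-scan:", decrypt_and_scan(polymorphic_infect(host, 0x5A)))
    print("distinct patterns for 255 keys:", distinct_infections(host, range(1, 256)))
```

The weak point of this toy is the constant stub byte, which a scanner could match directly; real polymorphic engines vary the decryptor instructions as well, which is exactly why signature matching on the decryptor also fails and emulation became necessary.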

 

Multipartite Viruses: Multipartite viruses are both program and boot viruses. For example, if you run a word processing program infected with the Tequila virus, the virus activates and infects your hard disk boot record. Then, the next time you boot your computer, the Tequila virus activates again and starts infecting every program you use, whether it is on a hard or floppy disk.

 

Windows Viruses: Viruses written specifically to infect Windows programs rather than DOS programs.

 

Companion Viruses: A companion virus is the exception to the rule that a virus must attach itself to a file. The companion virus instead creates a new file and relies on a behaviour of DOS to execute it instead of the program file that is normally executed. Companion viruses use a variety of strategies. Some companion viruses create a .COM file with a name identical to an existing .EXE file. For example, the companion virus might create a file named CHKDSK.COM and place it in the same directory as CHKDSK.EXE. Whenever DOS must choose between executing two files of the same name where one has an .EXE extension and the other a .COM extension, it executes the .COM file. The companion typically does its own work and then starts the real .EXE, so the user notices nothing.
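The DOS behaviour the paragraph above describes is a fixed search order, and the same order is the basis for a simple check. The following is an added example, not code from the original page: it resolves a typed command the way COMMAND.COM does (.COM before .EXE before .BAT) and reports every .EXE that has a .COM twin in the same directory. The directory listing is a constructed in-memory table with illustrative sizes and attributes; a real check would walk the filesystem with os.scandir and read the hidden attribute from the file.

```python
"""How DOS picks CHKDSK.COM over CHKDSK.EXE, and a check for such pairs.

Added example, not from the original page. The listing is constructed.
"""

# Extension order COMMAND.COM tries for a bare command name. cmd.exe's
# default PATHEXT begins the same way (.COM;.EXE;.BAT;.CMD;...), so the
# companion trick still has a foothold on modern Windows.
DOS_EXT_ORDER = (".COM", ".EXE", ".BAT")

# Constructed listing: name -> size in bytes and hidden attribute.
SAMPLE_DIR = {
    "CHKDSK.EXE": {"size": 16000, "hidden": False},
    "CHKDSK.COM": {"size": 1024, "hidden": True},    # the planted companion
    "EDIT.COM": {"size": 70000, "hidden": False},
    "FORMAT.COM": {"size": 23000, "hidden": False},
    "XCOPY.EXE": {"size": 40000, "hidden": False},
}


def resolve_command(command: str, listing: dict) -> str:
    """Return the file DOS runs for a typed command, or '' if none matches.
    An explicit extension is honoured; otherwise .COM wins over .EXE."""
    names = {n.upper(): n for n in listing}
    cmd = command.upper()
    if "." in cmd:
        return names.get(cmd, "")
    for ext in DOS_EXT_ORDER:
        if cmd + ext in names:
            return names[cmd + ext]
    return ""


def find_companions(listing: dict) -> list:
    """Report every .EXE with a .COM of the same base name in the same
    directory. A hidden, small .COM beside a normal .EXE is the classic
    companion-virus footprint; a visible pair may be legitimate and only
    needs a look."""
    names = {n.upper(): n for n in listing}
    report = []
    for upper, exe in sorted(names.items()):
        if not upper.endswith(".EXE"):
            continue
        com_upper = upper[:-4] + ".COM"
        if com_upper in names:
            com = names[com_upper]
            report.append({"exe": exe, "com": com,
                           "com_hidden": listing[com]["hidden"],
                           "runs_first": resolve_command(upper[:-4], listing)})
    return report


if __name__ == "__main__":
    print("typing CHKDSK runs:", resolve_command("CHKDSK", SAMPLE_DIR))
    for entry in find_companions(SAMPLE_DIR):
        print(entry)
```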

 

Malicious programs: Malicious code delivered through agent technologies that download and run software from the Internet, such as Java applets and ActiveX controls.

 

 

What Viruses Do & Don't

Some computer viruses damage the data on your disks by corrupting programs, deleting files, or even reformatting your entire hard disk. Most viruses, however, are not damaging; they simply replicate or display messages.

 

Viruses do the following:

 

# Infect executable program files, such as word processing, spreadsheet, or operating system programs.

# Infect disks by attaching themselves to special programs in areas of your disks called boot records and master boot records. These are the programs your computer uses to start up.

# Infect files that are then passed on as email attachments or on data disks and disks used to transfer programs.

 

Viruses do not:

 

Damage hardware, such as keyboards or monitors. Though you may experience strange behaviour such as screen distortion or characters not appearing when typed, the virus has merely affected the programs that control the display or keyboard. Not even your disks are physically damaged, just what is stored on them. Viruses infect files and corrupt data. The nearest thing to a hardware payload is a virus that overwrites a motherboard's flash BIOS, as the CIH virus of 1998 did; the machine then will not start until the BIOS chip is reflashed or replaced, but the hardware itself is not destroyed.

Infect write-protected disks (the write-protect tab on a floppy is enforced by the drive hardware, so no software can override it) or plain-text email messages. An attachment to such a message, however, can be infected.

 

Virus-like Activity

Virus-like activities are those activities that viruses usually perform when attempting to infect your files. Any of these activities may occasionally be legitimate in your work context. Therefore, you can exclude certain files from being checked for any of the activities listed below.

 

Low-Level Format Of Hard Disk: All information on the disk is erased and cannot be recovered. This type of format is generally performed at the factory only. If this activity is detected, it almost certainly indicates an unknown virus at work. (This is not an option for NEC PC98xx machines.)

 

Write To Hard Disk Boot Records: Very few programs write to hard disk boot records. If this activity is detected, it could indicate an unknown virus at work.

 

Write To Floppy Disk Boot Records: Only a few programs (such as the operating system FORMAT command) write to floppy disk boot records. If this activity is detected, it could indicate an unknown virus at work.

Write To Program Files: Some programs save configuration information within themselves. Although this activity often happens legitimately, it could indicate an unknown virus at work.
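Monitoring writes to program files, as above, and the size-stealthing trick described under Stealth Viruses (the Whale virus hiding the 9216 bytes it adds) both come back to the same control: a baseline of what each program file looked like when the machine was clean, and a later comparison. The following is an added example, not code from the original page or from any antivirus product. It records a SHA-256 hash plus both the size the directory reports and the number of bytes a full read returns, then flags modified, new and missing program files. The files are constructed in a temporary directory so the example runs stand-alone.

```python
"""Baseline-and-compare integrity check for program files.

Added example, not from the original page. Files are constructed in a
temporary directory; on a real system baseline the program directories
from a clean boot and keep the baseline off the machine.
"""
import hashlib
import os
import tempfile

PROGRAM_EXTS = {".exe", ".com", ".dll", ".sys", ".scr", ".ovl"}


def file_digest(path: str) -> dict:
    """SHA-256 plus two sizes: what the directory entry reports and how
    many bytes a full read actually returns."""
    h = hashlib.sha256()
    read = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            read += len(chunk)
    return {"sha256": h.hexdigest(), "stat_size": os.path.getsize(path), "read_size": read}


def build_baseline(root: str) -> dict:
    """Digest every program file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTS:
                path = os.path.join(dirpath, name)
                baseline[os.path.relpath(path, root)] = file_digest(path)
    return baseline


def compare(root: str, baseline: dict) -> list:
    """Return sorted (relative path, finding) pairs for anything changed."""
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            delta = new["read_size"] - old["read_size"]
            findings.append((rel, "modified, size change %+d bytes" % delta))
        if new["stat_size"] != new["read_size"]:
            # Cannot happen on a healthy filesystem; a size-stealthing virus
            # like Whale produces exactly this mismatch on the infected system.
            findings.append((rel, "directory size disagrees with bytes read"))
    for rel in sorted(current.keys() - baseline.keys()):
        findings.append((rel, "new program file"))
    return sorted(findings)


def _write(root: str, name: str, data: bytes) -> None:
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo() -> list:
    """Baseline a constructed directory, simulate an appending infection
    and a dropped companion file, then compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "APP.EXE", b"MZ" + b"\x00" * 200)         # constructed program
        _write(root, "NOTES.TXT", b"not a program, ignored")   # not baselined
        baseline = build_baseline(root)
        with open(os.path.join(root, "APP.EXE"), "ab") as f:
            f.write(b"\x90" * 9216)                            # appending infection, Whale-sized
        _write(root, "APP.COM", b"\xeb\xfe")                   # dropped companion file
        return compare(root, baseline)


if __name__ == "__main__":
    for rel, finding in demo():
        print(rel, "-", finding)
```

The caveat is the one the stealth section implies: a read-stealthing virus that is resident while the comparison runs will hand the checker the clean bytes, so the comparison has to be made after booting from clean media, with the baseline stored somewhere the infected system could not have altered.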

 

 

The Virus Infection Cycle

 

There are three stages in the life of a computer virus: infection, detection, and recovery. In the infection stage, a virus infects a file on your computer. In the detection stage, the virus is identified and isolated. In the recovery stage, the virus is eliminated. Unless the virus is eliminated or quarantined, it continues to infect other files and possibly damage data on your disks. These stages are detailed below.

 

Infection Source

# Reused floppy disks from unknown sources
# Disks from home or school
# Disks borrowed from friends
# Programs downloaded from BBSs or the Internet
# Software bargains (from non-reputable dealers)
# Re-shrink-wrapped or opened software
# Pirated software
# Preformatted floppy disks
# Infected email attachments
# Malicious scripts in web pages or HTML email

 

Infection

# Boot from an infected disk
# Reboot with an infected floppy disk left in the drive
# Run an infected program
# Open an infected document or spreadsheet
# Open an infected email attachment
# View web pages or HTML email that launch malicious scripts

 

Reference: Ankit Fadia (Ethical Hacking)

 

Hosted by www.Geocities.ws
