COMPUTER VIRUSES By: Jason Boylan and Jeff George


Page 1: By: Jason Boylan and Jeff George. Table of Contents  Definition  History  Vulnerability  How it works  Types of viruses  Virus Removal  Summary.



Table of Contents

Definition

History

Vulnerability

How it works

Types of viruses

Virus Removal

Summary


Virus Definition

Self replicating computer program

Potentially unknown to user

Potentially self modifying

Programmed to damage the computer in some way, or just to be a nuisance to the user


What do viruses do?

The bottom line: they damage your computer; possibly crash your system.

Examples: corrupting programs, deleting files, or reformatting the hard disk.


History

1970s – ARPANET Creeper virus

1980s – Elk Cloner, Pakistani flu, Stoned, Jerusalem, Morris worm

1990s – Chameleon, Michelangelo, CIH, Melissa worm, ExploreZip

2000 and beyond – ILOVEYOU, Sadmind, Sircam, Nimda, Klez, Code Red, Blaster Worm, Welchia, MyDoom, Sasser worm, Santy, Sony rootkit


History I (1970)

ARPANET Creeper virus

Simply displayed 'I'M THE CREEPER : CATCH ME IF YOU CAN.' when it infected a system


History II (1980)

Elk Cloner, the first virus to cause a very large outbreak outside of the computer system in which it was created. It was written on the Apple II, took advantage of the boot sector of a floppy disk, copied itself to memory, and simply displayed a message every 50th boot.

Pakistani Flu also took advantage of the boot sector. This virus was developed as an anti-piracy measure: if it spread to a disk, it would simply rename the disk label to ©Brain.

Stoned, another nuisance virus that slowed down the user's computer and displayed the message “Your PC is now Stoned!” at startup.

Jerusalem, a virus with many spin-offs, all of which seem to follow the pattern that on certain days or times the virus executes and makes itself known, typically every Friday the 13th.


History III (1980 - 1990)

Morris worm, originally developed to try to find out the size of the Internet, but it ended up slowing down systems because a design flaw caused the worm to copy itself too many times. It took advantage of a few commands to overflow a buffer and write to memory it should not have had access to. Made by Robert Morris.

ExploreZip, an e-mail virus that would destroy Office documents and C and C++ source files.


History IV (2000 and beyond)

ILOVEYOU, spread by e-mailing itself to everyone in the infected user's e-mail contacts. People would unknowingly open the attached virus, thinking it was from a trusted source. The virus would overwrite important files and media files.

SadMind, exploited OS weaknesses

Sircam, Nimda, Klez, Code Red, all e-mailers

Blaster Worm, a worm to perpetrate a DDoS attack against windowsupdate.com

MyDoom, fastest spreading e-mail virus

Sasser worm, propagated via a Windows port exploit

Santy, used Google to find new targets

Sony rootkit, a virus that was put on Sony CDs to prevent piracy


Vulnerability

Diversity in software lowers vulnerability

Standardization is bad because it means that everyone using the same software is vulnerable together

Users of Microsoft Office and Internet Explorer are typically more vulnerable because of their widespread use

Macs are less vulnerable because of their low market share among PCs


How do they do it?

In order to replicate itself, the virus needs the permission to execute code and write to memory.

They attach themselves to an executable file of a legitimate program.

When the user runs that program, the virus code is executed.

Sometimes only the virus code is executed.


Two types of Viruses

1. Non Resident Viruses (Finder module, Replication module)

2. Resident Viruses


Non Resident Viruses

It constantly looks for suitable files that can be infected, then infects them; the infected file is then ready to execute the damage.

It consists of two distinct components to do the task.

The Finder Module is the component that looks for potential prey (files to infect). It then calls the Replication Module to infect that particular file.


Resident Viruses

Resident viruses do not have distinct components like the finder module.

Instead, it loads the replication module into memory and starts working in the background.

Each time the operating system is called to perform an action the replication module is called.

So then, every suitable program that is executed on the computer is a possible prey to infection.


Methods to avoid detection

Both types of viruses discussed previously remain hidden. The below are possible tricks for remaining hidden.

1. The virus might pretend to be “Hot_Girls.jpeg” to get onto your computer, when really it is “Hot_Girls.jpeg.exe”.

2. Some viruses have the ability to keep the “last modified date” unchanged after altering the content of the file.

3. Stealth: some viruses have the ability to intercept an anti-virus program's read request to the operating system, so the request goes to the virus instead of the OS. The virus then returns an uninfected version of the file and remains undetected.
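Tricks 1 and 2 above can both be checked for from the defender's side. The following is an added example, not code from the original slides: it flags deceptive double-extension names such as “Hot_Girls.jpeg.exe” and shows that a baseline of content hashes still catches a changed file whose last-modified time has been put back. The extension sets, file names and file contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Trick 1: "Hot_Girls.jpeg.exe" looks like a picture when the real (last)
# extension is hidden. Flag a harmless-looking extension sitting directly in
# front of an executable one. Both sets are assumptions chosen for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".vbs"}
DECOY_EXTS = {".jpeg", ".jpg", ".gif", ".png", ".txt", ".pdf", ".doc"}

def is_deceptive_name(filename: str) -> bool:
    suffixes = [s.lower() for s in Path(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DECOY_EXTS)

# Trick 2: the last-modified time is restored after the content changes, so a
# timestamp check sees nothing. A baseline of content hashes does not care.
def sha256_of(path: str) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_baseline(paths) -> dict:
    return {p: sha256_of(p) for p in paths}

def changed_files(paths, baseline: dict) -> list:
    return sorted(p for p in paths if sha256_of(p) != baseline[p])

def demo() -> dict:
    """Constructed scenario: a host file's content changes, its mtime is restored."""
    with tempfile.TemporaryDirectory() as d:
        host = os.path.join(d, "host_program.exe")
        Path(host).write_bytes(b"MZ constructed host program")
        baseline = make_baseline([host])
        before = os.stat(host)
        with open(host, "ab") as f:  # content change, constructed bytes
            f.write(b"CONSTRUCTED-APPENDED-BYTES")
        os.utime(host, ns=(before.st_atime_ns, before.st_mtime_ns))  # timestamp put back
        after = os.stat(host)
        return {
            "mtime_changed": after.st_mtime_ns != before.st_mtime_ns,
            "hash_changed": changed_files([host], baseline) == [host],
        }
```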


The Computer is infected. What can I do now?

First of all, it is very important you don’t just ignore it because at some point you will not be able to.

Also, be prepared to lose some data.

You can do one of two things:

1. Virus removal

2. Operating System Reinstallation


Virus Removal - 1

The simplest method:

In most Windows machines (Windows Me, XP or Vista) there is the System Restore tool. This tool will restore the registry and critical system files to a previous checkpoint.


Virus Removal - 2

Software that can detect and eliminate viruses. However, this software usually only detects known viruses and hence has its limitations, so it is best to get the newest anti-virus software available.
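To make the “known viruses only” limitation concrete, here is an added example that is not from the original slides: a signature scanner run over constructed sample files. The signature names, byte patterns and file contents are placeholders invented for the example; the variant that differs by a single byte goes unnoticed until the signature set is updated.

```python
# Constructed "known virus" signatures, as a scanner's database would hold them.
# The names and byte patterns are placeholders invented for this example.
SIGNATURES = {
    "Constructed.Sample.A": b"CONSTRUCTED-SIGNATURE-A-7f3c",
    "Constructed.Sample.B": b"CONSTRUCTED-SIGNATURE-B-9e21",
}

def scan_bytes(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Return the names of every known signature present in data."""
    return [name for name, sig in signatures.items() if sig in data]

def scan_files(files: dict, signatures: dict = SIGNATURES) -> dict:
    """files maps filename -> content; returns only the files with a match."""
    results = {}
    for name, data in files.items():
        hits = scan_bytes(data, signatures)
        if hits:
            results[name] = hits
    return results

# Constructed sample files: a clean program, one carrying a known pattern, and
# a variant whose pattern differs by a single byte (a self-modifying virus
# produces exactly such variants), so no stored signature matches it.
HOST = b"MZ constructed host program"
FILES = {
    "clean.exe": HOST,
    "infected.exe": HOST + SIGNATURES["Constructed.Sample.A"],
    "variant.exe": HOST + SIGNATURES["Constructed.Sample.A"].replace(b"7f3c", b"7f3d"),
}

def scan_with_old_signatures() -> dict:
    return scan_files(FILES)

def scan_with_updated_signatures() -> dict:
    # "Get the newest anti-virus software": the vendor has since added the variant.
    updated = dict(SIGNATURES)
    updated["Constructed.Sample.A.var"] = b"CONSTRUCTED-SIGNATURE-A-7f3d"
    return scan_files(FILES, updated)

if __name__ == "__main__":
    print(scan_with_old_signatures())
    print(scan_with_updated_signatures())
```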


Virus Removal - 3

Operating System Reinstallation

This is the final means of deleting a virus. This method will also wipe not some but all of your data and gives you a fresh start. However, it is typically guaranteed to remove the virus.

It involves simply reformatting the OS partition and installing the OS from its original media.

The recovery disk might have come with the computer when first bought or you might have to purchase one.


In Summary

Viruses infect systems by:

1. Appending to a program

2. Copying themselves to other programs

3. Distributing themselves without the user's knowledge

They can be very harmful to a system and cost users a lot of money. To stay protected, keep up to date with anti-virus software, and if you suspect infection don't ignore it.