Brought to you by

1
Viruses!!
Computer

• Brought to you by
• Stacey Raimondi Dan Brush

2
Today we will learn about several important
topics on Computer Viruses...
3
BEWARE of Computer Viruses!!

• Viruses can infect your computer by reading, or
  even, previewing, email. There are many ways that
  you can find out what these email infectors are
  and take the steps to prevent an infection.
• You can get a virus as easily as reading an
  email. A site called the EMAIL Help Center can
  guide you on how to prevent this from happening
  to you or those you send mail to.
• You can test whether your email system is
  vulnerable to email viruses and attacks such as
  emails containing mail attachments, web page
  HTMLs, and many more types of computer
  processing that be infected with one of many
  different types of viruses.
• A computer virus is a self-replicating program
  containing code that explicitly copies itself and
  that can "infect" other programs by modifying
  them or their environment such that a call to an
  infected program implies a call to a possibly
  evolved copy of the virus.

4
The History of Computer Viruses
Since the age of technology arose, and the
twentieth century of computers came about, there
have always been an attempt from those trying to
be smarter then the average computer, (or
computer user, for that matter). It was the very
famous Fred Cohen who "wrote the book" on
computer viruses. He was the soul in the
development of a theoretical, and mathematical
model of computer virus behavior. He was able to
use his logic to test several hypothesis about
computer viruss. Cohen's very own, and
well-known, informal definition is "a computer
virus is a computer program that can infect other
computer programs by modifying them in such a way
as to include a (possibly evolved) copy of
itself". This does not mean that a computer has
to undergo actual destruction(such as deleting or
corrupting files) in order to be classified as a
"virus" by Cohens definition. Many people use
the term "virus" loosely to cover any sort of
program that tries to hide its possible
destructive functions and\or tries to spread onto
as many computers as possible leaving us with a
long list of possibilities to deal with.
5
Sources for Virus Info
Patricia Hoffman's hypertext VSUM. It covers PC
viruses and it is regarded by many in the anti
virus field as being inaccurate, so it is advised
that you not to rely solely on it. It can be
downloaded from most major archive sites.  A
more precise source of information is the
Computer Virus Catalog,published by the Virus
Test Center in Hamburg. It contains highly
technical descriptions of computer viruses for
several platforms DOS,Mac, Amiga, Atari ST and
Unix. It is available by anonymous FTP from
atik.uni-hamburg. For the directory, go to
pub/virus/texts/catalog.  Another small
collection of a good technical descriptions of PC
viruses,called CARObase, is available from
atik.uni-hamburg.
6
There is plenty of information in the monthly
Virus Bulletin, published in the UK. Among other
things, it gives detailed technical information
on viruses . Want a month subscribtion only
395.00!! Another source of information is the
book "Virus Encyclopedia" which is part of the
printed documentation of Dr. Solomon's AntiVirus
ToolKit (a commercial DOS antivirus program). The
WWW site www.datafellows.fi, has an on-line,
cross-reference data base containing descriptions
of about 1500 PC viruses! Lastly, a
network-accessible source of information for
viruses is provided by IBM AntiVirus, at
http//www.brs.ibm.com/ibmav.html.
7
Virus Encyclopedia Types of Viruses
8
ARMORED Virus
An ARMORED virus is one that uses special tricks
to make tracing,disassembling and understanding
of its code more difficult. EX.A good example
is the Whale virus. 
9
CAVITY Virus
A CAVITY VIRUS is one which overwrites a part of
the host file that is filled with a constant
(usually nulls), without increasing the length of
the file, but preserving its functionality. The
Lehigh virus was an early example of a cavity
virus.
10
COMPANION VIRUS
The COMPANION virus is one that, instead of
modifying an existing file,creates a new program
which is executed instead of the intended
program. On exit, the new program executes the
original program so that things appear normal.
On PCs this has usually been accomplished by
creating an infected .COM file with the same name
as an existing .EXE file. Integrity checking
anti virus software that only looks for
modifications in existing files will fail to
detect such viruses.
11
ComputerVirus Virus-L
To subscribe to Virus-L, send e-mail to
LISTSERV_at_LEHIGH.EDU saying "SUBVIRUS-L
your-name". For example  SUB VIRUS-L Jane
Doe To be removed from the Virus-L mailing list,
send a message to LISTSERV_at_LEHIGH.EDU saying
"SIGNOFF VIRUS-L". To "subscribe" to comp.virus,
simply use your favorite USENET newsreader to
read the group. 
12
Comp.Virus Virus-L
Virus-L and comp.virus are BOTH discussion
forums that focus on computer virus issues.
More specifically, Virus-L is an electronic
mailing list and comp.virus is a USENET
newsgroup. Both groups are moderated and all
submissions are sent to the moderator who decides
if a submission should be distributed to the
groups. Virus-L is distributed in "digest"
format (with multiple e-mail postings in one
large digest) and comp.virus is distributed as
individual news postings.However, the content of
the two groups is identical.
13
FILE Infectorsfor PCs
The first class of the common PC virus consists
of the FILE INFECTORS which attach themselves to
ordinary program files. These usually infect
arbitrary COM and/or EXE programs,though some can
infect any program for which execution or
interpretation is requested, such as SYS, OVL,
OBJ, PRG, MNU and BAT files.  File infectors can
be either DIRECT-ACTION or RESIDENT. A
direct-action virus selects one or more programs
to infect each time a program infected by it is
executed. A resident virus installs itself
somewhere in memory (RAM) the first time an
infected program is executed, and thereafter
infects other programs when they are executed, or
when other conditions are fulfilled. Direct-action
viruses are also sometimes referred to as
NON-RESIDENT.The Vienna virus is an example of a
direct-action virus. Most viruses are resident.
14
POLYMORPHIC Virus
 A POLYMORPHIC virus is one that produces varied
but operational copies of itself. This is so
that virus scanners will not be able to detect
all instances of the virus.  One method of
evading scan string-driven virus detectors is
self-encryption with a variable key. These
viruses (Cascades) are not "polymorphic", as
their decryption code is always the
same.Therefore the decryptor can be used as a
scan string by the simplest scan string-driven
virus scanners (unless another virus uses the
identical decryption routine and the exact
identification.)
15
Stealth Viruses
The STEALTH virus is one that, while "active can
hide the changes it has made to files or boot
records. This is achieved by monitoring the
system functions used to read files or sectors
from storage media and forging the results of
calls to such functions. Meaning that programs
that try to read infected files or sectors see
the original, uninfected form instead of the
actual, infected form. The virus's
modifications may go undetected by anti virus
programs. VERY TRICKY In order to do this, the
virus must be a resident in memory when the anti
virus program is executed and this may be
detected by antivirus program.
16
SYSTEM or BOOT-RECORD Infectors
A second PC category of viruses is SYSTEM or
BOOT-RECORD INFECTORSthese viruses infect
executable code found in certain system areas on
a disk. On PCs there are ordinary boot-sector
viruses, which infect only the DOS boot sector,
and MBR viruses which infect the Master Boot
Recordon fixed disks and the DOS boot sector on
diskettes. ( Examples include Brain, Stoned,
Empire, Azusa and Michelangelo.) All common
boot sector and MBR viruses are memory
resident. To confuse this classification
somewhat, a few viruses are able to infect BOTH
files and boot sectors (the Tequila virus is one
example).These are often called "MULTI-PARTITE"
viruses, or the"BOOT-AND-FILE" virus.
17
The TROJAN HORSE Virus
A TROJAN HORSE is a program that does something
undocumented that the programmer intended, but
that some users would not approve of if they knew
about it. It is a virus, as it is one which is
able to spread to other programs(i.e., it turns
them into Trojans too). A virus that does not do
any deliberate damage (other than merely
replicating)is not a Trojan.
18
TUNNELLING Virus
A TUNNELLING VIRUS is one that finds the original
interrupt handlers in DOS and the BIOS and calls
them directly. Then, by passing any activity
monitoring program, which may be loaded and have
intercepted, it interrupts the vectors in its
attempt to detect viral activity. Some anti virus
software also uses these tunnelling techniques
in an attempt to by pass any unknown or
undetected virus that may be active when it runs.
19
Worms
A computer WORM is a self-contained program (or
set of programs), that is able to spread
functional copies of itself or its segments to
other computer systems (usually via network
connections).  Unlike other viruses, worms do not
need to attach themselves to a host program.
There are two types of worms 1. host
computer worms 2.network worms. 
20
NETWORK- Computer Worms
 Network worms consist of multiple parts, called
"segments. They each run on different machines
(and possibly perform different actions) using
the network for several communication
purposes. Moving a segment from one machine to
another is only one of their purposes. Network
worms that have only one main segment will
coordinate the work of the other segments which
are sometimes called "octopuses."
21
HOST- Computer Worms
Host computer worms are entirely contained in the
computer they run on and use network connections
only to copy themselves to other computers. Host
computer worms are the original terminates after
it launches a copy on to another host (so there
is only one copy of the worm running somewhere on
the network at any given moment). They are
sometimes called"rabbits."
22
TOP 5 Viruss Reported
23
Protect Yourself from Computer Viruss

• AVIEN AVI-EWS
• CERT
• STOPzilla
• GFI Mail Security for Exchange
• Anti Virus eScan 2003
• CIAC
• Cyber notes
• ICSA
• Information Security Magazine
• NIPC (National Infrastructure Protection Ctr)
• SANS Institute
• Virus Bulletin

24
The Top 9 Virus Protectors are...
Brought to you by Guide Picks
25
1 PANDA ANTIVIRUS PLATIINUM v7.0 Panda
Antivirus Platinum v7.0 combines anti virus and
firewall protection to provide robust security
with minimal system impact. Optional script
blocking and attachment filtering combined with
daily updates helps ensure protection against
even new and unknown email threats. Downside
cumbersome custom configuration for scans.
26
2 NORTON ANTIVIRUS 2003 This latest version of
Norton AntiVirus offers automatic updating
combined with script blocking and outbound worm
detection. It also includes protection against IM
worms and infected attachments sent via America
Online, Yahoo!, and MSN instant messenger
programs. Downside cumbersome custom
configuration for scans.
27
3 F-PROT FOR WINDOWS F-Prot for Windows
continues to impress with solid 100 ItW and
96.34 Zoo detection. The interface is extremely
pleasing - easy enough for novice users to
navigate yet sophisticated enough for the more
advanced. An excellent addition to any antiviral
arenal. Downside like other Top Picks, excluding
folders is a cumbersome task. However, erring on
the side of protection is never a bad idea.
28
4 MCAFEE VIRUSSCAN HOME EDITION 7.0 Scoring
100 detection for ItW threats and 99.84 Zoo
(with a mere .01 false positive rate), VirusScan
Home Edition provides the protection needed in
today's hostile computing environment. Script
Stopper technology stops VBScript and JScript
worms. Hostile Activity Watch Kernel looks for
suspicious activity and stops mass-mailing worms.
Downside Some reports of incompatibility with
ZoneAlarm.
29
5 NORMAN VIRUS CONTROL Norman Virus Control
offers a highly respectable 100 rate of
detection for ItW threats and 91.92 Zoo with
only a .02 false positive rate. With
configurable email attachment blocking,
decompression module, and sandboxing, Norman
Virus Control has earned its second top pick
award. The new interface helps better integrate
the various modules. Downside cumbersome custom
configuration for scans.
30
6 PC-CILLIN With 100 ItW, 94.82 Zoo
detection, and only a .02 false positive rate,
Trend Micro's best-of-breed anti virus protection
features an integrated firewall and extends its
scanning to include even web-based email.
PC-cillin also provides mobile users the extra
protection needed to stay virus-free on the road,
including Wi-Fi connection security and PDA
synchronization protection.
31
7 BIT DEFENDER PROFESSIONAL v6.5 Softwin's
BitDefender Professional provides filtering of
URLs, IP addresses, and ports, as well as
seamless signature updates every 8 hours.
BitDefender's impressive 100 ItW and 94.21 Zoo
detection also protects against viruses
encountered through the use of ICQ, Yahoo!
Messenger, NetMeeting, or MSN Messenger.
32
8 NOD 32 Nod32 continues to be a personal
favorite. With a tiny footprint, its presence on
the system is barely perceptible yet it packs
quite a bit of protection. For older systems,
Nod32 may well be the only antivirus solution
capable of offering superb 100 detection and
prevention of ItW threats without impacting
performance. Downside inability to exclude
folders from scanning.
33

• 9 STOPzilla!
•  BLOCK annoying popup-windows for good and
  forever with STOPzilla!STOPzilla maximizes your
  surfing speed by guarding your system against
  annoying unwanted popup windows. With fully
  customizable options that allow you to configure
  STOPzilla to meet your surfing needs, you will
  never again be smothered in an endless sea of
  pop-ups!
• Acts like a firewall for popup windows,
  Monitors your system while you surf the web and
  destroys pop-ups before they open.
• Speeds up your surfing by keeping pop ups at bay,
  is Configurable warnings alert you when a site
  attempts to open a pop-up.
• Automatically add sites to the STOPzilla Black
  List to prevent all future popup attempts.
• Fully customizable settings give you the
  flexibility to 'ALLOW' or 'BLOCK' with the single
  click of a mouse.
• Audible alerts let you know when STOPzilla has
  thwarted a perpetrator
•   
•  
•  

34
'SARS' computer virus hits India Breaking News
Story May 8, 2003 NEW DELHI - Computers in
India are vulnerable to a mass mailing worm
"SARS", also known as W32/Coronex-A, which
attacks address books and attempts to dupe users.
Micro World Technologies Inc, a content
security and IT solutions provider, has cautioned
computer users of the mass mailing worm that uses
a variety of subject lines, message bodies and
attachment names, including "SARS Virus" and Hong
Kong.exe. "SARS forwards itself to all contacts
in address books and attempts to dupe innocent
computer users into opening an attachment
offering details on the current SARS epidemic.
The worm is delivered as an e-mail attachment and
the e-mail may have a subject line about the
current paranoia about SARS," a statement said.
The SARS worm just goes onto prove that there
are still scores of virus writers who use common
fears to spread dangerous viruses throughout the
world, Govind Rammurthy, MD and CEO, Micro World
Inc said. However, the impact of the worm seems
to be less destructive, a security analyst said.
Sunil Chandran, CEO, Stellar info, a data
security firm in Delhi said, "The worm has been
in operation since April 24 and so far its nature
of destruction is not high and not widespread and
there has been no reporting of data loss by
customers to us."
35
What do experts believe are in store for the
future of Viruss?
''Iraq will destroy us by computer,'' the experts
screamed by Rob Rosenburg -- 05/01/03 "IRAQ
WILL CRIPPLE the U.S. with cyber-attacks," the
fear mongers warned. I tell you, everyone got
into the act -- from Congress to the FBI to
former CIA officials to computer security
salesmen. Even a fire-breathing Muslim cleric
living the high life in Britain got into the act.
Even a delusional narcissistic hacker living in
the slums of Kuala Lumpur got into the act. I
tell you, everyone screamed about the coming
cybergeddon. I mean, c'mon! How much effort does
it take to open a digital can of whoop-ass on
the United States? From what I hear, even a 14
year old Iraqi nomad can remotely shut down our
national power grid and remotely pollute our
vital toilet water supplies. In August of last
year, an ominous m2g press release quoted CEO
D.K. Matai "it would seem highly likely that the
launch of a physical attack on Iraq will see
counter-attacks from disgruntled Arab, Islamic
fundamentalist and anti-American groups." mi2g
warned terrorists might launch remote-controlled
SCADA Attacks along with those (equally?) scary
"chemical, biological, radiological, and
nuclear" attacks.
36
CONT. In December 2002, IDC chief research
officer John Gantz predicted a major cyber
terrorism event would occur in 2003 -- a
cybertastrophe "that will disrupt the economy and
bring the Internet to its knees for at least a
day or two," according to News.com scribe Ed
Frauenheim. Gantz specifically warned "the
looming war with Iraq will galvanize hackers."
A New York Times story in mid-January quoted
House Armed Services Committee member Robert E.
Andrews (D-NJ), who warned "a cyber attack really
fits Saddam Hussein's paradigm for attacking us."
The same New York Times story quoted ex-FBI
flunky Michael Vatis (a well-documented
fear-monger) on the cyber-threat Iraq could pose
to U.S. interests should war break out. ""I would
suspect Iraq's computer warfare program is at a
middling stage ... but even a middling capability
can cause serious harm." FBI's National Internet
Infrastructure Protection Center (now known as
DHS NIPC) issued a pre-war advisory to say Iraq
or its sympathizers might cripple the U.S. with
Spam. Meanwhile, Japan's version of NIPC -- the
Information Technology Security Center within the
Ministry of Economy -- went on "heightened alert"
after their prime minister made comments
supporting the U.S.-led coalition against Iraq.
The agency soon upgraded its cyber-threat
assessment and sent a written plea ("written"?)
to computer security firms to ask them to "watch
for computer virus attacks and unauthorized
changes to Web sites." According to a Kyodo
newswire, Japan's version of NIPC wanted to
assure the public "computer security firms will
be on alert day and night to be able to act
immediately on any abnormal incidents." No doubt.

37
Work CitedThanks to All!!!
SEE OUR WEB PAGE www.uri.edu/personal/dbru7007/b
iblio.html
38
A POWERPOINT PRESENTATION BY BRUSH
RAIMONDI CSC101 2003