Overview:
• Background
• Definitions
• Origins and Virus Languages
• Symptoms
• Classifying Viruses
• Types of Infection
• Types of Viruses
• Differences between Viruses and Worms
• Examples
• Protection/Prevention
• Conclusion
Background:
• There are an estimated 30,000 computer viruses in existence.
• Over 300 new ones are created each month.
• The first virus was created to show loopholes in software.
What is a Virus?
A virus is a small piece of software that piggybacks on real programs. A virus might attach itself to a program such as a spreadsheet. Each time the spreadsheet program runs, the virus runs too and replicates itself.
Two main characteristics of viruses:
• It must execute itself.
• It must replicate itself.
Virus Languages:
• ANSI COBOL
• C/C++
• Pascal
• VBA
• Unix shell scripts
• JavaScript
• Basically any language that works on the system that is the target
Types of Viruses:
– File infector virus
• Infect program files
– Boot sector virus
• Infect the system area of a disk
– Master boot record virus
• Infect disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located.
– Multi-partite virus
• Infect both boot records and program files
– Macro virus
• Infect data files. Examples: Microsoft Office Word, Excel, PowerPoint and Access files
Difference between Virus and Worm
The difference between a worm and a virus is that a virus does not have a propagation vector, i.e., it will only affect one host and does not propagate to other hosts. Worms propagate and infect other computers. The majority of threats are actually worms that propagate to other hosts.
Why do people do it?
• For some people, creating viruses seems to be a thrill.
• The thrill of watching things blow up.
Viruses:
• Viruses show us how vulnerable we are
• A properly engineered virus can have an amazing effect on the
Internet
• They show how sophisticated and interconnected human beings
have become.
Melissa Virus (March 1999)
The Melissa virus spread in Microsoft Word documents sent via e-mail.
How it worked:
• The virus was created as a Word document.
• It was uploaded to an Internet newsgroup.
• Anyone who downloaded the document and opened it would trigger the virus.
• It sent friendly e-mail messages to the first 50 people in the person's address book.
I Love You Virus (May 2000)
• Contained a piece of code as an attachment.
• Double-clicking on the attachment triggered the code.
• Sent copies of itself to everyone in the victim's address book.
• Started corrupting files on the victim's machine.
Code Red (Worm)
• Code Red made huge headlines in 2001.
• It slowed down Internet traffic when it began to replicate itself.
• Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that didn't have the security patch installed.
• Each time it found an unsecured server, the worm copied itself to that server.
Designed to do three things:
• Replicate itself for the first 20 days of each month.
• Replace web pages on infected servers with a page that declares "Hacked by Chinese".
• Launch a concerted attack on the White House web server.
Symptoms of Infection:
• Programs take longer to load than normal.
• Computer’s hard drive constantly runs out of free space.
• The floppy disk drive or hard drive runs when you are not using it.
• New files keep appearing on the system and you don't know where they come from.
• Strange sounds or beeping noises come from the computer.
• Strange graphics are displayed on your computer monitor.
• Unable to access the hard drive when booting from the floppy drive.
• Program sizes keep changing.
Symptoms of Virus Attack:
• Computer runs slower than usual
• Computer no longer boots up
• Screen sometimes flickers
• PC speaker beeps periodically
• System crashes for no reason
• Files/directories sometimes disappear
• Denial of Service (DoS)
Virus through the Internet:
• Today almost 87% of all viruses are spread through the Internet (source: ZDNet)
• Transmission time to a new host is relatively low, on the order of hours to days
• "Latent virus"
E-Mail Viruses:
• Move around in e-mail messages
• Usually replicate by automatically mailing themselves to dozens of people in the victim's e-mail address book
• Example: "MELISSA VIRUS"
• Example: "I LOVE YOU VIRUS"
Classifying Virus – General:
• Virus Information
Discovery Date:
Origin:
Length:
Type:
SubType:
Risk Assessment:
Category:
Classifying Virus – Categories
• Stealth
• Polymorphic
• Companion
• Armored
Classifying Virus – Types
• Trojan Horse
• Worm
• Macro
Types of Infection:
• VIRUSES
• E-MAIL VIRUSES
• WORMS
• TROJAN HORSES
Trojan Horse:
• A simple computer program
• It claims to be a game
• Erases your hard disk
• No way to replicate itself
• Covert
• Leaks information
• Usually does not reproduce
• Back Orifice
Discovery Date: 10/15/1998
Origin: Pro-hacker Website
Length: 124,928
Type: Trojan
SubType: Remote Access
Risk Assessment: Low
Category: Stealth
• About Back Orifice
  – requires Windows to work
  – distributed by "Cult of the Dead Cow"
  – similar to PC Anywhere and Carbon Copy software
  – allows remote access and control of other computers
  – installs a reference in the registry
  – once installed, runs in the background
  – by default uses UDP port 54320 and TCP port 54321
  – In Australia, 72% of 92 ISPs surveyed were infected with Back Orifice
• Features of Back Orifice
  – pings and queries servers
  – reboots or locks up the system
  – lists cached and screen saver passwords
  – displays system information
  – logs keystrokes
  – edits the registry
  – server control
  – receives and sends files, displays a message box
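As an added example that is not part of the original slides, the following Python triage script flags connection records to the Back Orifice default ports named above (UDP 54320 and TCP 54321) in a small firewall log. The log format, timestamps and addresses are constructed for this example and are assumptions, not any product's real format; the ports are the only values taken from the page. Because the Back Orifice server can be reconfigured to other ports, an empty result is not proof that a host is clean.

```python
import re

# Default Back Orifice listening ports named on the page. The server is
# configurable, so this rule only catches out-of-the-box installs.
BACK_ORIFICE_DEFAULT_PORTS = {("udp", 54320), ("tcp", 54321)}

# Constructed log format for this example (assumption, not a real product's format):
#   <date> <time> proto=<udp|tcp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_back_orifice_flows(lines):
    """Return every parsed record whose destination (protocol, port) pair is a
    Back Orifice default. Denied flows are kept as well: a blocked attempt
    still tells you that someone is probing for the backdoor."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip junk rather than abort the whole triage
        if (rec["proto"], rec["dport"]) in BACK_ORIFICE_DEFAULT_PORTS:
            hits.append(rec)
    return hits


def summarize_by_destination(hits):
    """Count flagged flows per destination host, most-contacted first, so the
    internal machines most worth examining surface at the top."""
    counts = {}
    for rec in hits:
        counts[rec["dst"]] = counts.get(rec["dst"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "2024-03-01 10:00:01 proto=udp src=203.0.113.7:40001 dst=192.0.2.10:54320 action=allow",
    "2024-03-01 10:00:02 proto=tcp src=203.0.113.7:40002 dst=192.0.2.10:54321 action=allow",
    "2024-03-01 10:00:03 proto=tcp src=192.0.2.11:50000 dst=198.51.100.5:443 action=allow",
    "2024-03-01 10:00:04 proto=udp src=203.0.113.8:40003 dst=192.0.2.12:54320 action=deny",
    "2024-03-01 10:00:05 proto=tcp src=203.0.113.8:40004 dst=192.0.2.12:54320 action=allow",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    flagged = find_back_orifice_flows(SAMPLE_LOG)
    for rec in flagged:
        print(f"{rec['ts']} {rec['proto']} {rec['src']}:{rec['sport']} -> "
              f"{rec['dst']}:{rec['dport']} ({rec['action']})")
    for host, n in summarize_by_destination(flagged):
        print(f"{host}: {n} flagged flow(s)")
```

Note that the fifth sample line (TCP to port 54320) is deliberately not flagged: the rule keys on the protocol and port together, because only UDP 54320 and TCP 54321 are the defaults the page lists.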
Worms:
• Spread over network connections
• Worms replicate
• The first worm released on the Internet was called the Morris worm; it was released on Nov 2, 1988.
• Bubbleboy
Discovery Date: 11/8/1999
Origin: Argentina (?)
Length: 4992
Type: Worm/Macro
SubType: VbScript
Risk Assessment: Low
Category: Stealth/Companion
  – requires WSL (Windows Scripting Language), Outlook or Outlook Express, and IE5
  – does not work in Windows NT
  – affects Spanish and English versions of Windows
  – 2 variants have been identified
  – is a "latent virus" on a Unix or Linux system
• A small piece of software that uses computer networks and security holes to replicate itself.
• A copy of the worm scans the network for another machine that has a specific security hole.
• It copies itself to the new machine using the security hole and starts replicating.
• Example: "CODE RED"
How Bubbleboy works:
  – Bubbleboy is embedded within an e-mail message in HTML format.
  – a VBScript runs while the user views the HTML page
  – a file named "Update.hta" is placed in the startup directory
  – upon reboot, Bubbleboy executes
  – changes the registered owner/organization
    · HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = "Bubble Boy"
    · HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = "Vandalay Industry"
  – using the Outlook MAPI address book, it sends itself to each entry
  – marks itself in the registry
    · HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy = "OUTLOOK.Bubbleboy1.0 by Zulu"
Macro:
• Specific to certain applications
• Comprise a high percentage of viruses
• Usually written in WordBasic and Visual Basic for Applications (VBA)
• Microsoft shipped "Concept", the first macro virus, on a CD-ROM called "Windows 95 Software Compatibility Test" in 1995
• Melissa
Discovery Date: 3/26/1999
Origin: Newsgroup Posting
Length: varies depending on variant
Type: Macro/Worm
Subtype: Macro
Risk Assessment: High
Category: Companion
• Melissa
  – requires WSL, Outlook or Outlook Express, Word 97 SR1 or Office 2000
  – 105 lines of code (original variant)
  – received either as an infected template or an e-mail attachment
  – lowers the computer's defenses to future macro virus attacks
  – may cause DoS
  – infects template files with its own macro code
  – 80% of the 150 Fortune 1000 companies were affected
• How Melissa works
  – the virus is activated through an MS Word document
  – the document displays references to pornographic websites while the macro runs
  – first lowers the macro protection security setting for future attacks
  – checks to see if it has run in the current session before
    · HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa = "by Kwyjibo"
  – propagates itself using the Outlook MAPI address book (e-mails sent to the first 50 addresses)
  – infects the Normal.dot template file with its own code
  – lastly, if the minutes of the hour match the date, the macro inserts a quote by Bart Simpson into the current document
    · "Twenty two points, plus triple word score, plus fifty points for using all my letters. Game's over. I'm outta here."
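Both Bubbleboy (the RegisteredOwner/RegisteredOrganization changes and the Outlook.bubbleboy marker described above) and Melissa (the "by Kwyjibo" session marker) leave infection markers in the registry, and an incident responder can check an exported registry hive for them. The following Python scanner is an added example, not code from the slides or from any anti-virus product. It parses text in the Registry Editor export (.reg) format and looks for the marker values quoted on the page; the sample export is constructed for the example, and treating each "Path = data" line from the slides as either a value under its parent key or a key's default value is an assumption made so that both readings of the slide notation are covered.

```python
import re

# Marker rules quoted on the page, as (family, full registry path, expected data).
# The slides write each marker as "Path = data"; whether the last path component is
# a value under its parent key or a key with a default value is not always clear
# from that notation, so the scanner accepts either form (assumption).
MARKERS = [
    ("Bubbleboy", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner",
     "Bubble Boy"),
    ("Bubbleboy", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization",
     "Vandalay Industry"),
    ("Bubbleboy", r"HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy",
     "OUTLOOK.Bubbleboy1.0 by Zulu"),
    ("Melissa", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa",
     "by Kwyjibo"),
]

KEY_LINE = re.compile(r"^\[([^\]]+)\]$")
# Value line: either @ (the key's default value) or a quoted name, then '=' and data.
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def decode_data(data):
    """Turn the data side of a .reg value line into a Python string. Quoted
    strings are unescaped; other kinds (dword:, hex:) are returned verbatim."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg_export(text):
    """Parse Registry Editor export (.reg) text into a dict keyed by
    (key path, value name), both lower-cased because the registry is
    case-insensitive. '@' names a key's default value. Multi-line hex
    continuations are not handled (assumption: string data only)."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            values[(key.lower(), name.lower())] = decode_data(m.group(3))
    return values


def scan_markers(values, markers=MARKERS):
    """Return (family, path, data) for each marker present with the expected
    data, in rule order. Each rule is tried as a value under its parent key
    and as the default value of a key named by the full path."""
    findings = []
    for family, path, expected in markers:
        parent, _, name = path.rpartition("\\")
        for location in ((parent.lower(), name.lower()), (path.lower(), "@")):
            if values.get(location) == expected:
                findings.append((family, path, expected))
                break
    return findings


# Constructed .reg export for the example (not a capture from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Bubble Boy"
"RegisteredOrganization"="Example Corp"

[HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy]
@="OUTLOOK.Bubbleboy1.0 by Zulu"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa]
@="by Kwyjibo"
'''

if __name__ == "__main__":
    for family, path, data in scan_markers(parse_reg_export(SAMPLE_REG)):
        print(f"{family}: {path} = {data!r}")
```

RegisteredOwner and RegisteredOrganization are ordinary user-set values, so a match on them alone is weak evidence; the Outlook.bubbleboy and Melissa markers are specific to those families and carry more weight when they turn up.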
Who will create viruses and who will stop them?
The person who has good knowledge and good thinking will create anti-virus software.
The person who has good knowledge and bad thinking will create viruses.
Protection:
• To protect yourself you need to be "proactive" about security issues. Being reactive won't solve anything, especially at crunch time and deadlines! In fact it can make the problem much more complex to solve, and the situation much worse, resulting in a complete nightmare!
Protection/Prevention:
• Knowledge
• Proper configurations
• Run only necessary programs
• Anti-virus software
Tips for protecting your computer from viruses
Protecting your computer from viruses and other threats isn't difficult, but you have to be diligent. Here are some actions you can take:
Install an antivirus program. Installing an antivirus program and keeping it up to date can help defend your computer against viruses. Antivirus programs scan for viruses trying to get into your e-mail, operating system, or files. New viruses appear daily, so set your antivirus software to install updates automatically.
Don't open e-mail attachments unless you're expecting them. Many viruses are attached to e-mail messages and will spread as soon as you open the attachment. It's best not to open any attachment unless it's something you're expecting.
Keep your computer updated. Microsoft releases security updates that can help protect your computer. Make sure that Windows receives these updates by turning on Windows automatic updating.
Use a firewall. Windows Firewall (or any other firewall) can help alert you to suspicious activity if a virus or worm attempts to connect to your computer. It can also block viruses, worms, and hackers from attempting to download potentially harmful programs to your computer.
Use your browser's privacy settings. Being aware of how websites might use your private information is important to help prevent fraud and identity theft. If you're using Internet Explorer, you can adjust your Privacy settings or restore the default settings whenever you want.
Use a pop-up blocker with your browser. Pop-up windows are small browser windows that appear on top of the website you're viewing. Although most are created by advertisers, they can also contain malicious or unsafe code. A pop-up blocker can prevent some or all of these windows from appearing. The Pop-up Blocker feature in Internet Explorer is turned on by default.
The best measures are the preventative ones.
• You basically need to do four things to keep your computer and your data secure:
1. Get the latest anti-virus software.
2. Make sure you have the latest security patches and hotfixes using Windows Update.
3. Use a host-based firewall.
4. BACK UP your important files.
Conclusion:
Be aware of the new infections out there.
Take precaution measures.
Always backup your data.
Keep up-to-date on new Antivirus software.
Simply avoid programs from unknown sources.
• You now know more about viruses and how:
  – viruses work through your system
  – to make a better virus
• Have seen how viruses show us a loophole in popular software
• Most viruses show that they can cause great damage due to loopholes in programming