Virus and Worm Features

This document describes the key characteristics of viruses and worms. Viruses prepend and append code to files and can be split throughout files. They execute their code when an infected file runs. Worms propagate through various vectors like email, internet scanning, and mobile devices. More advanced worms use techniques like encryption, polymorphism, and multiple code versions to evade detection. They also employ methods like multi-threading and UDP protocols to spread faster. Some worms can have destructive payloads that crash systems or delete files.

Uploaded by manju287

VIRUS AND WORM FEATURES
VIRUS CHARACTERISTICS :

When virus-infected code is run, the virus code is executed first.
An innocuous virus may attempt something benign like printing a “hello
world” message.

Virus code is both prepended and appended to the host file. Virus code
could be split into several segments and interspersed throughout the
infected file using JUMP statements.
To evade detection, some viruses modify the file service interrupt
handler that returns attributes of files.

Another technique is to use compression so that the length of an
infected file remains the same as the length of its original version.

To infect another file, the virus first compresses that file and then
prepends the virus code to the compressed file. The infected file must
be uncompressed just prior to execution.

The main observable feature of viruses is their system calls: they are
made to read/write files, spawn new processes, establish new TCP
connections, etc.
WORM CHARACTERISTICS :
These are classified based on their vector of propagation:

• Internet scanning worms
• E-mail worms
• P2P worms
• Web worms and
• Mobile worms
Enhanced targeting :
Worms that spread through e-mail have an easy way to figure out
targets. They look into victim’s mailbox to find a set of targets.

Mobile worms obtain the phone numbers of their potential victims from
the phone book in the cell phone hosting the worm.

Internet scanning worms scan the IP address space for vulnerable
machines. The most straightforward approach is random scanning.
Enhanced speed :
To enhance the infection rate, some worms are designed to spawn
multiple threads. Each thread is responsible for setting up
connections to a different subset of hosts.

TCP connection establishment involves a 3-way handshake and is
time-consuming; by contrast, UDP is connectionless.

A steep increase in the number of infected machines at the very
outset of a worm epidemic has a multiplicative effect on the spreading
rate.
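As an added example (not from the slides), the following Python detector applies the fan-out idea from a defender's side to a constructed flow log: a source that contacts many distinct destinations on one port within a few seconds looks like a random-scanning worm, whether it uses TCP or the faster connectionless UDP. The log lines, hosts, window and threshold are all assumptions made for the demo.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed flow log for the demo (not from the slides): timestamp src dst proto dport.
# 10.0.0.5 fans out over 445/tcp, 10.0.0.9 over 1434/udp, 10.0.0.7 talks to one server only.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.10 tcp 445
2024-01-01T10:00:01 10.0.0.5 198.51.100.7 tcp 445
2024-01-01T10:00:01 10.0.0.5 192.0.2.33 tcp 445
2024-01-01T10:00:02 10.0.0.5 203.0.113.88 tcp 445
2024-01-01T10:00:02 10.0.0.5 198.51.100.2 tcp 445
2024-01-01T10:00:03 10.0.0.5 192.0.2.9 tcp 445
2024-01-01T10:00:00 10.0.0.7 203.0.113.10 tcp 443
2024-01-01T10:00:05 10.0.0.7 203.0.113.10 tcp 443
2024-01-01T10:00:00 10.0.0.9 192.0.2.1 udp 1434
2024-01-01T10:00:00 10.0.0.9 192.0.2.2 udp 1434
2024-01-01T10:00:00 10.0.0.9 192.0.2.3 udp 1434
2024-01-01T10:00:01 10.0.0.9 192.0.2.4 udp 1434
2024-01-01T10:00:01 10.0.0.9 192.0.2.5 udp 1434
"""

def parse_flows(log_text):
    """Yield (ts, src, dst, proto, dport) tuples from the whitespace-separated log."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, proto, int(dport)

def max_fanout(events, window_s):
    """Largest number of distinct destinations seen in any window_s-second sliding window."""
    events = sorted(events)          # (ts, dst) pairs, oldest first
    seen, best, left = Counter(), 0, 0
    for ts, dst in events:
        seen[dst] += 1
        while (ts - events[left][0]).total_seconds() > window_s:   # expire old events
            old = events[left][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            left += 1
        best = max(best, len(seen))
    return best

def fanout_alerts(log_text, window_s=10, threshold=5):
    """Return (src, proto, dport, fanout) for sources whose fan-out on one port reaches the threshold."""
    groups = defaultdict(list)
    for ts, src, dst, proto, dport in parse_flows(log_text):
        groups[(src, proto, dport)].append((ts, dst))
    return sorted((src, proto, dport, n) for (src, proto, dport), evs in groups.items()
                  if (n := max_fanout(evs, window_s)) >= threshold)
```

Sources with a high fan-out per port are flagged regardless of protocol; a multi-threaded worm would simply cross the threshold in a shorter window.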
Enhanced capabilities :
Most worms have unique and distinct signatures – a pattern of bits,
usually assembly language code, which appears in all instances of the
worm.

The main technique used to evade virus detection is encryption. Worms
whose encrypted instances fail to match any existing worm signature are
known as polymorphic.

Decryptors may be very simple, involving XOR operations or trivial
shift-based substitutions.
The other way of disguising malware is the creation of several code
versions that are superficially different but functionally identical.

Tricks to create multiple versions include :

 use of dummy instructions
 use of extraneous operands
 changing the flow of control without disturbing the existing logic
Two versions of assembly code are :
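As an added example, not from the slides, this Python snippet contrasts a naive signature scanner with two defender techniques against the single-byte-XOR decryptor layout described above: matching the invariant decryptor stub, and "X-raying" (brute-forcing the 256-key space and matching the decrypted body). The stub, body and signature bytes are constructed placeholders, not real machine code or real signatures.

```python
# All byte values below are constructed for the demo; they are not real opcodes or signatures.
STUB = b"\xde\xc0\xde"                            # placeholder for the decryptor code, identical in every instance
SIG_BODY = b"\x90\x90\xe8\x00\x00\x00\x00\x5b"    # invariant pattern a scanner keys on in the plaintext body
BODY = b"\x55\x89\xe5" + SIG_BODY + b"\x31\xc0\xc9\xc3"

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def constructed_instance(key):
    """Test fixture for one instance: stub | one key byte | body XOR key (a different key per copy)."""
    return STUB + bytes([key]) + xor_bytes(BODY, key)

def static_match(sample, sig=SIG_BODY):
    """Naive scanner: the body signature searched for as a literal byte string."""
    return sig in sample

def stub_match(sample, stub=STUB):
    """The decryptor itself is not encrypted and does not change, so it can serve as the signature."""
    return sample.startswith(stub)

def xray_match(sample, sig=SIG_BODY, header_len=len(STUB) + 1):
    """Brute-force every single-byte XOR key on the encrypted region and match the plaintext signature.
    Returns the key that reveals the signature, or None when no key does."""
    region = sample[header_len:]
    for key in range(256):
        if sig in xor_bytes(region, key):
            return key
    return None

def scan(samples):
    """Count how many instances each approach detects."""
    return {
        "static": sum(static_match(s) for s in samples),
        "stub": sum(stub_match(s) for s in samples),
        "xray": sum(xray_match(s) is not None for s in samples),
    }
```

Only the copy encrypted with key 0 (i.e. not encrypted at all) is caught by the literal signature; the stub match and the X-ray catch every copy, which is why real scanners key on the decryptor or emulate it rather than on the encrypted body.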
Enhanced destructive power :
Analysts estimate costs based on lost productivity, clean-up costs, theft
of sensitive corporate information, and system downtime that affects
business and revenue.

Fast-spreading worms also caused severe network congestion problems,
disrupting normal Internet traffic and contributing to system down-time.

The Witty worm, which appeared in March 2004, was the first worm to
carry a destructive payload. It deleted a random section of the victim’s
hard disk, leading to a system crash.
