Computer Virus - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Computer Virus And Antivirus Technology
Tao Chen
January 29, 2002
2
  • Agenda
  • Computer Virus Concept
  • Analyze three common computer viruses
  • Antivirus Technologies
  • Company Policy Issues
  • Conclusion

3
  • Computer Virus Concept
  • What is a Computer Virus?
  • Computer Virus Time Line
  • Types of Computer Virus
  • Virus Hoax
  • How does a computer virus work?

4
Computer Virus Concept
  • What is a Computer Virus?
  • Definition (IDG) -- Virus: A self-replicating
    piece of computer code that can partially or
    fully attach itself to files or applications, and
    can cause your computer to do something you don't
    want it to do.
  • Similarities between a biological virus (like
    HIV) and a computer virus:
  • Needs a host in which to reside.
  • Capable of self-replication.
  • Causes damage to the host.
  • Difference: computer viruses are created by
    humans.

5
Computer Virus Concept
  • Computer Virus Time Line
  • 1949 - Theories for self-replicating programs
    were first developed.
  • 1981 - Apple Viruses 1, 2, and 3 were some of the
    first viruses seen in public.
  • 1988 - Jerusalem was detected. Activated every
    Friday the 13th, the virus infects both .EXE and
    .COM files and deletes any program run on that
    day.
  • 1991 - Tequila was the first widespread
    polymorphic virus found.
  • 1999 - The Melissa virus, W97M/Melissa, executed
    a macro in a document attached to an e-mail.
    Melissa spread faster than any previous virus.
  • 2000 - The Love Bug, also known as the ILOVEYOU
    virus, sent itself out via Outlook, much like
    Melissa.
  • 2001 - The Code Red I and II worms attacked
    computer networks in July and August. They
    affected over 700,000 computers and caused
    upwards of $2 billion in damages.

6
Computer Virus Concept
  • Types of Computer Virus
  • Boot Sector Virus - Michelangelo
  • Boot sector viruses infect the boot sectors of
    floppy disks and hard disks, and can also infect
    the master boot record of a user's hard drive.
  • File Infector Virus - CIH
  • Operates in memory and usually infects executable
    files.
  • Multi-partite Virus
  • Multi-partite viruses have characteristics of
    both boot sector viruses and file infector
    viruses.
  • Macro Virus - Melissa
  • Written in the macro language of applications
    such as Microsoft Word, Excel and Outlook; they
    infect documents and templates rather than
    executable files.

7
Computer Virus Concept
  • Types of Computer Virus - Continued
  • Trojan / Trojan Horse - Back Orifice
  • A Trojan or Trojan Horse is a program that
    appears legitimate but performs some malicious
    and illicit activity when it is run. Unlike a
    virus, it does not replicate itself.
  • Worm - Code Red
  • A worm is a program that spreads over a network.
    Unlike a virus, a worm does not attach itself to a
    host program. It uses up computer resources,
    modifies system settings and can eventually bring
    the system down.
  • Worms are very similar to viruses in that they
    are programs that replicate themselves. The
    difference is that, unlike viruses, worms exist
    as a separate piece of code: they do not attach
    themselves to other files or programs.
  • Other
  • Java - Java.StrangeBrew
  • HTML / script virus - Usually written in a
    scripting language the browser or mail client
    will run (such as VBScript), and delivered
    through web pages to reach the victims.

8
Computer Virus Concept
  • Virus Hoax
  • An untrue virus-related warning or alert started
    by malicious individuals. A hoax message, usually
    in the form of e-mail, spreads as people pass it
    on over the Internet.
  • A hoax message does no direct harm to computers.
    It causes confusion among recipients when real
    virus alerts arrive, and wastes people's time
    reading and forwarding it.
  • How to identify a hoax
  • Hoaxes use complex-sounding technical
    descriptions.
  • Hoaxes request recipients to pass the message
    on.
  • Examples: Work Virus Hoax (keyword: a virus
    called "work"), Phantom Menace Virus Hoax
    (keywords: Virus Alert, Phantom Menace)

9
Computer Virus Concept
  • Virus Characteristics
  • Memory Resident
  • Loads much like a TSR, staying in memory where it
    can easily replicate itself into programs or boot
    sectors. Most common.
  • Non-Resident
  • Does not stay in memory after the host program
    exits, so it can only infect while the host
    program is running. Not as common.
  • Stealth
  • The ability to hide from detection and repair, in
    two ways:
  • - The virus intercepts disk reads and returns the
    original, uninfected data to avoid detection.
  • - Disk directory data is altered to hide the
    additional bytes of the virus.

10
Computer Virus Concept
  • Virus Characteristics
  • Encrypting
  • Technique of hiding by transformation. The virus
    body is stored encrypted, so on disk it looks like
    meaningless bytes. However, in order to run and
    spread, the virus must decrypt itself, and it can
    then be detected.
  • Polymorphic
  • Ability to change its code from one infection to
    another, so that no two copies look alike. This
    type of virus is a challenge for anti-virus
    detection methods.
  • Triggered Event
  • An action built into a virus that is triggered by
    a date, a particular keyboard action or a DOS
    function. It can be as simple as a message
    printed to the screen or as serious as
    reformatting the hard drive or deleting files.
  • In the Wild
  • A virus is referred to as "in the wild" if it has
    been verified by groups that track virus
    infections to have caused an infection outside a
    laboratory situation. A virus that has never been
    seen in a real-world situation is not in the
    wild, and is sometimes referred to as "in the
    zoo".
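Added example (not from the slides, and not any real virus): a harmless Python toy of the encrypting and polymorphic techniques described above. The "virus body" is a byte string that is never executed, the "decryptor" is a three-instruction language invented here, and the key, seed and signatures are constructed. It shows why a signature scan of the stored bytes misses an encrypted body, why the fixed decryptor of a simple encrypting virus is itself a signature, why a polymorphic decryptor takes that signature away, and how decrypting first (what an emulating scanner does) recovers the body in both cases.

```python
import random

# Harmless stand-in for a virus body: plain bytes that are never executed.
# The scanner's signature is a fixed substring of it, which is what a
# signature scanner of the period matched on. All values are constructed.
VIRUS_BODY = b"TOY VIRUS: infect next .COM file; trigger on the 26th"
BODY_SIGNATURE = b"infect next .COM file"

# A made-up three-instruction "decryptor language" that precedes the
# encrypted body. The byte values are invented for this toy, not x86 opcodes.
OP_SETKEY = 0xB0                       # followed by one key byte
OP_DECRYPT = 0xE2                      # XOR everything after it with the key
JUNK_OPS = (0x90, 0x87, 0x40, 0x48)    # do-nothing filler

# A plain encrypting virus carries the same decryptor in every copy, so the
# bytes before the (varying) key byte are themselves a usable signature.
FIXED_DECRYPTOR_PREFIX = bytes([0x90, 0x90, OP_SETKEY])
DECRYPTOR_SIGNATURE = FIXED_DECRYPTOR_PREFIX


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_encrypted_sample(key: int) -> bytes:
    """One infection by an encrypting virus: fixed decryptor, key, body."""
    return (FIXED_DECRYPTOR_PREFIX + bytes([key, OP_DECRYPT])
            + xor_bytes(VIRUS_BODY, key))


def make_polymorphic_sample(key: int, seed: int) -> bytes:
    """One infection by a polymorphic virus: the decryptor is regenerated
    for every copy with a different run of junk in front of SETKEY, so not
    even the decryptor has a constant byte string to match on."""
    rnd = random.Random(seed)
    junk = bytes(rnd.choice(JUNK_OPS[1:]) for _ in range(rnd.randrange(1, 9)))
    return junk + bytes([OP_SETKEY, key, OP_DECRYPT]) + xor_bytes(VIRUS_BODY, key)


def signature_scan(data: bytes, signature: bytes) -> bool:
    """A static signature scanner: look for the bytes exactly as stored."""
    return signature in data


def emulate_and_scan(data: bytes, signature: bytes = BODY_SIGNATURE) -> bool:
    """An emulating scanner: step through the decryptor, perform the
    decryption it would perform at run time, then scan the decrypted body.
    This is why the slide says the virus must decrypt and can then be
    detected."""
    key = None
    i = 0
    while i < len(data):
        op = data[i]
        if op in JUNK_OPS:
            i += 1
        elif op == OP_SETKEY and i + 1 < len(data):
            key = data[i + 1]
            i += 2
        elif op == OP_DECRYPT and key is not None:
            return signature in xor_bytes(data[i + 1:], key)
        else:
            break                                # not a decryptor we understand
    return signature_scan(data, signature)       # fall back to the static scan


if __name__ == "__main__":
    enc = make_encrypted_sample(0x5A)
    poly = make_polymorphic_sample(0x5A, seed=7)
    print("encrypting virus, body signature  :", signature_scan(enc, BODY_SIGNATURE))
    print("encrypting virus, decryptor sig.  :", signature_scan(enc, DECRYPTOR_SIGNATURE))
    print("polymorphic virus, decryptor sig. :", signature_scan(poly, DECRYPTOR_SIGNATURE))
    print("polymorphic virus, emulate first  :", emulate_and_scan(poly))
```

The same single-byte key encrypts the body identically in both samples; what the polymorphic engine varies is only the decryptor, and that is enough to defeat a scanner that keys on stored bytes. Real emulating scanners run the suspect code in a sandboxed CPU emulator instead of interpreting a toy language, but the principle is the one shown: detect after decryption, not before.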

11
Computer Virus Concept
  • How does a computer virus work?
  • The Basic Rule: A virus is inactive until the
    infected program is run or the infected boot
    record is read. When the virus is activated, it
    loads into the computer's memory, where it can
    spread itself.
  • Boot Infectors: If the boot code on the drive is
    infected, the virus is loaded into memory on
    every startup. From memory, the boot virus can
    copy itself to every diskette that is accessed,
    and the infection spreads.
  • Program Infectors: When an infected application
    is run, the virus activates and is loaded into
    memory. While the virus is in memory, any program
    file subsequently run becomes infected.

12
  • Analyze three common computer viruses
  • CIH
  • Macro Virus
  • ILOVEYOU

13
Analyze three common computer viruses
  • CIH
  • Type: Resident, EXE files
  • Origin: Taiwan
  • History: The CIH virus was first located in
    Taiwan in early June 1998. After that, it was
    confirmed to be in the wild worldwide, and it
    was among the ten most common viruses for
    several months.
  • Infects Windows 95 and 98 EXE files, but does
    not work under Windows NT.
  • After an infected EXE is executed, the virus
    stays in memory and infects other programs as
    they are accessed.

14
Analyze three common computer viruses
  • CIH - Continued
  • BIOS Attack !!!
  • Attempts to overwrite the BIOS on Pentium PCs
    that have a flashable BIOS (flash PROM).
  • If the attack succeeds, the PC becomes unbootable
    (even from diskette), and the BIOS chip has to be
    replaced or reprogrammed by the vendor or an
    outside source.
  • Even after the chip has been reflashed
    (reprogrammed), the PC still does not boot
    normally, because the virus also overwrites the
    first 2048 sectors (1 MB) of the hard disk; this
    part of the payload works on almost all PCs. The
    disk can, however, be made bootable again and
    restored from a backup.
  • Four variants:
  • CIH v1.2 (CIH.1003): activates on April 26th.
  • CIH v1.3 (CIH.1010.A and CIH.1010.B): activates
    on June 26th.
  • CIH v1.4 (CIH.1019): activates on the 26th of
    every month.

15
Analyze three common computer viruses
  • CIH - Continue
  • How to prevent?
  • If your PC has a flash BIOS write-protect jumper
    on the motherboard, put it in the write-protect
    position to prevent CIH from overwriting your
    BIOS. The jumper's name and position vary by
    board, so check the motherboard manual; some
    boards offer the same protection as a BIOS setup
    option instead.

16
Analyze three common computer viruses
  • Macro Virus
  • What is a Macro virus?
  • A type of computer virus that is written as a
    macro embedded in a document.
  • According to some estimates, 75% of all viruses
    today are macro viruses.
  • Once a macro virus gets onto your machine, it
    can embed itself in all future documents you
    create with the application.
  • In many cases macro viruses cause no damage to
    data, but in some cases malicious macros have
    been written that can damage your work.
  • The first macro virus was discovered in the
    summer of 1995. Since then, other macro
    viruses have appeared.

17
Analyze three common computer viruses
  • Macro Virus
  • How does it spread?
  • When you share the file with another user, the
    attached macro or script goes with the file. Most
    macro viruses are designed to run, or attack,
    when you first open the file. When the file is
    opened in its application, the macro virus
    executes and infects other documents.
  • The infection process can be triggered by
    opening a Microsoft Office document or even the
    Office application itself, such as Word or
    Excel. The virus can attempt to avoid detection
    by changing or disabling the built-in macro
    warnings, or by removing menu commands.
  • In Word, after a macro virus triggers, it
    usually copies itself to Normal.dot, the global
    template that Word loads with every document.
    From there, it can copy itself to every file that
    you open or create.

18
Analyze three common computer viruses
  • Macro Virus
  • How to prevent?
  • In your Office programs, make sure that macro
    virus protection is turned on:
  • On the Tools menu, click Options.
  • On the General tab, select the Macro virus
    protection check box.
  • With macro virus protection turned on, each
    time you open a document that contains macros,
    the Macro Virus Protection dialog box appears and
    gives you three choices:
  • Disable Macros
  • Enable Macros
  • Do Not Open
  • Choose Disable Macros unless you expected the
    document to contain macros and trust its author;
    the protection only works as long as users do
    not click Enable Macros out of habit.

19
Analyze three common computer viruses
ILOVEYOU
  • VBS/LoveLetter is a VBScript worm. It spreads
    through e-mail as a chain letter.
  • The latest variant is VBS.LoveLetter.CN (virus
    definitions dated May 31, 2001).
  • 82 variants of this worm exist.
  • This worm sends itself to e-mail addresses in the
    Microsoft Outlook address book and also spreads
    to Internet chat rooms.
  • This worm overwrites files on local and remote
    drives, including files with the extensions .vbs,
    .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg,
    .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls,
    .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp,
    .c, .h, .swd, .psd, .wri, .mp3, and .mp2.
  • The contents of most of these files are replaced
    with the source code of the worm, destroying the
    original contents. The worm also appends the .vbs
    extension to each of these files. For example,
    image.jpg becomes image.jpg.vbs.

20
Analyze three common computer viruses
ILOVEYOU
  • Damage
  • Large-scale e-mailing
  • Sends itself to all addresses in the Microsoft
    Outlook Address Book.
  • Modifies files
  • Overwrites files with the following extensions:
    .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta,
    .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html,
    .xls, .ini, .bat, .com, .mp3, and .mp2. Files
    with the extensions .mp2 and .mp3 are not
    destroyed: the worm writes its .vbs copy beside
    them and hides the originals from the user by
    setting the hidden file attribute. Variant G also
    overwrites .bat and .com files.
  • Degrades performance
  • Might create a lot of traffic to the e-mail server
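Added example (not part of the original presentation): a post-infection triage script in Python for the file damage described on the two slides above. It walks a directory tree, finds the `<name>.<ext>.vbs` files the worm leaves behind, and sorts them into originals that must come back from backup (the overwritten types) and originals that only need the hidden attribute cleared (.mp2/.mp3). The sample tree is constructed here; nothing in it is the worm. Classification is by filename only, so the worm's own dropped `LOVE-LETTER-FOR-YOU.TXT.vbs` would be listed as an overwritten .txt file; that case is checked by hand.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extensions the slides say the worm overwrites and renames to <name>.<ext>.vbs.
OVERWRITTEN_EXTS = {
    "vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg",
    "wav", "txt", "gif", "doc", "htm", "html", "xls", "ini", "bat", "com",
    "avi", "qt", "mpg", "mpeg", "cpp", "c", "h", "swd", "psd", "wri",
}
# For these the worm leaves the original in place (hidden) and writes a
# .vbs copy beside it, so the data is recoverable without a backup.
HIDDEN_ONLY_EXTS = {"mp2", "mp3"}


def classify(name: str) -> Optional[str]:
    """'overwritten' or 'hidden_copy' for a worm-style double extension
    (photo.jpg.vbs, song.mp3.vbs); None for anything else."""
    parts = name.lower().split(".")
    if len(parts) < 3 or parts[-1] != "vbs":
        return None
    inner = parts[-2]
    if inner in HIDDEN_ONLY_EXTS:
        return "hidden_copy"
    if inner in OVERWRITTEN_EXTS:
        return "overwritten"
    return None


def triage(root: Path) -> Dict[str, List[str]]:
    """Walk a tree and sort the worm's leftovers into recovery actions."""
    root = Path(root)
    report: Dict[str, List[str]] = {"restore_from_backup": [], "unhide_original": [],
                                    "original_missing": [], "delete_worm_copy": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        kind = classify(p.name)
        if kind is None:
            continue
        original = p.with_suffix("")                 # photo.jpg.vbs -> photo.jpg
        orig_rel = original.relative_to(root).as_posix()
        report["delete_worm_copy"].append(p.relative_to(root).as_posix())
        if kind == "overwritten":
            # The worm replaced the content before renaming: only a backup helps.
            report["restore_from_backup"].append(orig_rel)
        elif original.exists():
            # The hidden attribute is Windows-only; clear it with `attrib -h <file>`.
            report["unhide_original"].append(orig_rel)
        else:
            report["original_missing"].append(orig_rel)
    return {k: sorted(v) for k, v in report.items()}


def build_sample_tree(root: Path) -> None:
    """Constructed aftermath of an infection, following the slide's description."""
    (root / "photos").mkdir()
    (root / "music").mkdir()
    (root / "notes").mkdir()
    placeholder = "' constructed placeholder, not the real script\n"
    (root / "photos" / "cat.jpg.vbs").write_text(placeholder)     # cat.jpg is gone
    (root / "music" / "song.mp3").write_bytes(b"ID3\x03\x00 constructed audio bytes")
    (root / "music" / "song.mp3.vbs").write_text(placeholder)     # song.mp3 survives, hidden
    (root / "notes" / "readme.txt").write_text("untouched file\n")


def demo() -> Dict[str, List[str]]:
    root = Path(tempfile.mkdtemp(prefix="loveletter-triage-"))
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    for action, files in demo().items():
        print(f"{action}: {files}")
```

Run it from a clean boot with the worm no longer active, and delete the `.vbs` copies only after the recoverable originals have been confirmed; on Windows the hidden originals reappear after `attrib -h` on each file listed under `unhide_original`.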

21
Analyze three common computer viruses
ILOVEYOU
  • Distribution
  • Subject of e-mail: ILOVEYOU
  • Name of attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
  • Size of attachment: 10,307 bytes
  • Inside the mail is a short text message saying
    "Kindly check the attached LOVELETTER coming from
    me" and an attachment named
    LOVE-LETTER-FOR-YOU.TXT.vbs. This is the worm
    body. Because Windows hides known file extensions
    by default, the name is shown as
    LOVE-LETTER-FOR-YOU.TXT, so the attachment looks
    like a harmless text file.
  • It's important to note that the worm cannot run
    by itself. In order for it to run, the recipient
    must open the mail, launch the attachment by
    double-clicking on it, and answer "yes" to a
    dialogue that warns of the dangers of running
    untrusted programs. (Microsoft)

22
Analyze three common computer viruses
ILOVEYOU
  • How to prevent?
  • Do not launch attachments in e-mails from unknown
    sources!
  • Uninstall the Windows Script Host, so that .vbs
    attachments cannot run at all.
  • Check http://www.sarc.com/avcenter/venc/data/win.script.hosting.html
    for more information.
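Added example (not from the slides): the kind of inbound mail check a gateway or a cautious client could apply to the message described on the two slides above, written in Python with the standard `email` package. The message below is constructed to match the slide's description (subject, body text, attachment name); its attachment content is a placeholder comment, not the worm. The list of blocked extensions is the one on the slides plus `.exe`, `.scr` and `.pif`, assumed here as the usual gateway additions. `displayed_name` mimics Explorer's default "Hide file extensions for known file types" behaviour for the extensions in `KNOWN_HIDDEN_EXTS`, which is an assumption made for the demonstration.

```python
import email
from email import policy
from typing import Dict, List

# Script/executable extensions named on the slides (.vbs, .vbe, .js, .jse,
# .wsh, .sct, .hta, .bat, .com) plus .exe/.scr/.pif, assumed here as the
# usual additions in a gateway block list.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta", "bat", "com",
               "exe", "scr", "pif"}
# Extensions Explorer hides by default; assumed set for this demonstration.
KNOWN_HIDDEN_EXTS = SCRIPT_EXTS | {"txt", "doc", "xls", "jpg", "jpeg", "gif",
                                   "htm", "html"}


def displayed_name(filename: str) -> str:
    """How Explorer shows the name with extensions hidden: the real, last
    extension disappears, so LOVE-LETTER-FOR-YOU.TXT.vbs reads as a .TXT."""
    stem, dot, ext = filename.rpartition(".")
    return stem if dot and ext.lower() in KNOWN_HIDDEN_EXTS else filename


def attachment_findings(filename: str) -> List[str]:
    """Reasons to block an attachment, judged from its name alone."""
    parts = filename.lower().split(".")
    findings: List[str] = []
    if len(parts) >= 2 and parts[-1] in SCRIPT_EXTS:
        findings.append(f"executable script extension .{parts[-1]}")
        if len(parts) >= 3:
            findings.append(f"double extension, displays as {displayed_name(filename)}")
    return findings


def check_message(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 822 message and decide whether to hold it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        for reason in attachment_findings(name):
            findings.append(f"attachment {name!r}: {reason}")
    return {"subject": str(msg.get("subject", "")),
            "blocked": bool(findings),
            "findings": findings}


# Constructed message matching the slide's description; the attachment body
# is a placeholder comment, not the real script.
SAMPLE_MESSAGE = b"""From: a.friend@example.com
To: you@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: text/plain; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

' constructed placeholder, not the real script
--b1--
"""

# Constructed clean message for comparison.
CLEAN_MESSAGE = b"""From: colleague@example.com
To: you@example.com
Subject: minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Minutes attached.
--b2
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

1. Nothing happened.
--b2--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_MESSAGE, CLEAN_MESSAGE):
        print(check_message(raw))
```

The check deliberately ignores the subject line: "ILOVEYOU" identifies one worm, while a script extension behind a document-looking extension identifies the whole technique, which is why the later variants with different subjects are caught by the same rule.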

23
  • Antivirus Technologies
  • How to detect virus?
  • How to clean virus?
  • Best Practices

24
Antivirus Technologies
  • How to detect a virus?
  • Some Symptoms
  • Programs take longer to load.
  • Program file sizes keep changing.
  • When you run CHKDSK, it doesn't show 655,360
    total bytes memory.
  • You keep getting 32-bit errors in Windows.
  • The drive light keeps flashing when you are not
    doing anything.
  • User-created files have strange names.
  • The computer doesn't remember its CMOS settings.

25
Antivirus Technologies
How to detect a virus? Some Useful Terms
  • CMOS - Complementary Metal Oxide Semiconductor.
    A memory area that is used for storage of system
    information. CMOS is battery-backed RAM. CMOS
    memory is not in the normal CPU address space and
    cannot be executed. A virus may place data in the
    CMOS or may corrupt it, but a virus cannot hide
    there.
  • MBR - Master Boot Record. The first absolute
    sector (track 0, head 0, sector 1) on a PC hard
    disk, which usually contains the partition table.
  • RAM - Random Access Memory. The place programs
    are loaded into in order to execute.
  • TOM - Top Of Memory. The end of conventional
    memory, an architectural design limit at the 640K
    mark on most PCs. Checking this value for changes
    can help detect a virus.
  • TSR - Terminate and Stay Resident. PC programs
    that stay in memory while you continue to use the
    computer for other purposes; they include pop-up
    utilities, network drivers, and a great number of
    viruses.
26
Antivirus Technologies
  • How to detect a virus?
  • Check for any change in the memory map or
    configuration as soon as you start the computer
    in command mode. (If you don't have anti-virus
    software.)
  • At the MS-DOS prompt, type CHKDSK and check the
    "total bytes memory" line:

    CHKDSK has NOT checked this drive for errors.
    You must use SCANDISK to detect and fix errors on this drive.

    Volume DATA created 01-04-2001 2:56p
    Volume Serial Number is 1CFA-2864
    6,822,284 kilobytes total disk space
    2,206,920 kilobytes free

        4,096 bytes in each allocation unit
    1,705,571 total allocation units on disk
      551,730 available allocation units on disk

      655,360 total bytes memory
      602,160 bytes free
27
Antivirus Technologies
How to detect a virus? Start your computer at the
command prompt. At the MS-DOS prompt, type MEM /C.

    Memory Summary

    Type of Memory         Total        Used        Free
    ----------------  -----------  -----------  -----------
    Conventional          655,360       53,168      602,192
    Upper                       0            0            0
    Reserved              393,216      393,216            0
    Extended (XMS)     66,060,288            ?  267,128,832
    ----------------  -----------  -----------  -----------
    Total memory       67,108,864            ?  267,731,024

    Total under 1 MB      655,360       53,168      602,192

    Total Expanded (EMS)                      67,108,864 (64M)
    Free Expanded (EMS)                       16,777,216 (16M)

    Largest executable program size              602,160 (588K)
    Largest free upper memory block                    0 (0K)
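Added example (not from the slides): Python that parses the `CHKDSK` and `MEM /C` figures shown above and compares the reported total conventional memory against a baseline. The clean figures are the slide's own; the "infected" output is constructed by lowering the total by 2 KB, the amount Stoned-family boot viruses such as Michelangelo reserve below the top of memory (general knowledge, not from the slide).

```python
import re
from typing import Dict, Optional

# Total conventional memory a clean PC reports: 640 KB.
EXPECTED_TOTAL = 655_360

# The CHKDSK figures from the slide (clean machine).
CLEAN_CHKDSK = """\
Volume DATA created 01-04-2001 2:56p
Volume Serial Number is 1CFA-2864
6,822,284 kilobytes total disk space
2,206,920 kilobytes free
    4,096 bytes in each allocation unit
1,705,571 total allocation units on disk
  551,730 available allocation units on disk
  655,360 total bytes memory
  602,160 bytes free
"""

# Constructed: the same machine with a 2 KB boot-sector virus parked at the
# top of memory. Stoned-family viruses (Michelangelo included) lower the
# BIOS memory size by 2 KB; that is general knowledge, not from the slide.
INFECTED_CHKDSK = CLEAN_CHKDSK.replace("655,360 total bytes memory",
                                       "653,312 total bytes memory")

# The first rows of the MEM /C table from the slide.
CLEAN_MEM = """\
Type of Memory         Total        Used        Free
----------------  -----------  -----------  -----------
Conventional          655,360       53,168      602,192
Upper                       0            0            0
"""


def _number(text: str) -> int:
    return int(text.replace(",", ""))


def total_memory_from_chkdsk(output: str) -> Optional[int]:
    """Pull the 'total bytes memory' figure out of CHKDSK output."""
    m = re.search(r"([\d,]+)\s+total bytes memory", output)
    return _number(m.group(1)) if m else None


def total_memory_from_mem(output: str) -> Optional[int]:
    """Pull the Conventional/Total figure out of MEM /C output."""
    m = re.search(r"^\s*Conventional\s+([\d,]+)", output, re.MULTILINE)
    return _number(m.group(1)) if m else None


def assess(total: Optional[int], baseline: int = EXPECTED_TOTAL) -> Dict[str, object]:
    """Compare the reported total with the figure recorded for this PC while
    it was known to be clean. 655,360 is right for most PCs, but a BIOS that
    keeps an Extended BIOS Data Area legitimately reserves 1 KB (654,336), so
    a recorded per-machine baseline beats the round number."""
    if total is None:
        return {"total": None, "missing_bytes": None, "suspicious": False}
    missing = baseline - total
    return {"total": total, "missing_bytes": missing, "suspicious": missing > 0}


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_CHKDSK), ("infected", INFECTED_CHKDSK)):
        print(label, assess(total_memory_from_chkdsk(text)))
    print("MEM /C", assess(total_memory_from_mem(CLEAN_MEM)))
```

A shortfall is a lead, not a verdict: it only catches viruses that hide by lowering the top of memory, and a stealth virus that restores the BIOS value while resident, or one that lives in upper or extended memory, leaves this figure untouched.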
29
Antivirus Technologies
  • How to detect a virus?
  • Integrity checkers or modification detectors.
  • These tools compute a small "checksum" or "hash
    value" (usually a CRC or a cryptographic hash) for
    files when they are presumably uninfected, and
    later compare newly calculated values with the
    original ones to see whether the files have been
    modified. This catches unknown viruses as well as
    known ones and thus provides generic detection.
    A CRC can be made to match by a virus that knows
    the algorithm, so a cryptographic hash is the
    better choice, and the stored values must be kept
    where the virus cannot rewrite them.
  • Use DEBUG or other tools to inspect the FAT, MBR
    and partition table on your system.
  • Use anti-virus software to scan the computer's
    memory and disks.
  • A memory-resident anti-virus program can be used
    to continuously monitor the computer for viruses.
  • Scan your hard disk with anti-virus software.
    Make sure that up-to-date virus definition data
    has been applied.
  • Use server-based anti-virus software to protect
    your network.
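Added example (not from the slides): a minimal integrity checker in Python of the kind described above, using SHA-256 rather than a CRC. `demo()` builds a constructed directory tree, records a baseline, simulates an infection (a program grows by an appended body, a script is dropped, a file disappears) and reports the differences; file names and contents are made up for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Relative path -> digest for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}


def compare(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Recompute and diff against the baseline. A file infector that appends
    itself to a program shows up as 'modified'; a dropped file as 'added'."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "unchanged": sorted(k for k in baseline if current.get(k) == baseline[k]),
    }


def save_baseline(baseline: Dict[str, str], store: Path) -> None:
    store.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path) -> Dict[str, str]:
    return json.loads(store.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through: baseline a small tree, simulate an
    infection, and report what changed."""
    root = Path(tempfile.mkdtemp(prefix="integrity-"))
    (root / "bin").mkdir()
    prog = root / "bin" / "prog.com"
    prog.write_bytes(b"\xb8\x00\x4c\xcd\x21")       # mov ax,4C00h / int 21h: just exits
    (root / "bin" / "other.exe").write_bytes(b"MZ constructed program image")
    (root / "config.sys").write_text("FILES=30\n")

    # The baseline store must live where a virus cannot touch it; a second
    # temp dir stands in here for a write-protected diskette.
    store = Path(tempfile.mkdtemp(prefix="baseline-")) / "baseline.json"
    save_baseline(build_baseline(root), store)

    # Simulated infection: a file infector appends its body to prog.com,
    # a script is dropped, and a payload deletes config.sys.
    with open(prog, "ab") as f:
        f.write(b"; constructed virus body appended to host")
    (root / "bin" / "dropper.vbs").write_text("' constructed placeholder\n")
    (root / "config.sys").unlink()

    return compare(root, load_baseline(store))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two conditions make the result trustworthy: the baseline is taken while the machine is known to be clean, and the comparison runs from a clean boot, because a stealth virus that is resident in memory answers disk reads with the original bytes and the checker would see nothing.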

30
Antivirus Technologies
  • How to clean a virus?
  • All activity on the infected machine should be
    stopped, and it should be detached from the
    network.
  • Recovering from backup is the most secure and
    effective way to recover the system and files.
  • In some cases, you may recover the boot sector,
    partition table and even the BIOS data using the
    emergency recovery disk.
  • If you do not have a recent backup of your
    files, you may try to remove the virus using
    anti-virus software.

31
Antivirus Technologies
  • How to clean a virus?
  • The steps to reinstall the whole system (my
    experience):
  • Reboot the PC using a clean, write-protected
    startup disk.
  • Type FDISK /MBR to rewrite the Master Boot
    Record. This replaces only the boot code; the
    partition table is left as it is, so it removes
    a boot-code virus but does not repair a partition
    table the virus has corrupted.
  • Use FDISK to recreate partitions (optional).
  • Format the DOS partitions.
  • Reinstall Windows 98 or Windows 2000 and other
    applications.
  • Install anti-virus software and apply the latest
    virus definition data.

32
Antivirus Technologies
  • Best Practices
  • Regular Backup
  • Back up your programs and data regularly.
    Recovering from backup is the most secure way to
    restore files after a virus attack.
  • Install Anti-virus Software
  • Install anti-virus software to protect your
    machine and make sure that an up-to-date virus
    definition file has been applied.
  • Daily Virus Scan
  • Schedule a daily scan to check for viruses. The
    scheduled scan can be run in off-peak hours,
    such as during the lunch break or after office
    hours.
  • Check Downloaded Files And E-mail Attachments
  • Do not execute any download or attachment
    unless you are sure what it will do.

33
Antivirus Technologies
  • Resources
  • Antivirus Software
  • McAfee VirusScan
  • F-Secure
  • Symantec
  • Trend Micro
  • Shareware: www.grisoft.com
  • Free Virus Tool: http://www.antivirus.com/free_tools/

34
  • Company Policy Issues
  • Education
  • Educate users to consider e-mail attachments and
    downloads potentially dangerous and to treat them
    very carefully. Open only expected attachments
    and download files only from trusted sources.
  • Updating
  • Update the virus definition data for the users
    and the network at least once a month.
  • Warning
  • Provide computer virus alerts to users as soon as
    an infection is detected.
  • Technical Support
  • Provide technical support to help users detect
    and remove viruses.
  • Reporting
  • Provide a communication and reporting channel to
    encourage users to report virus activity.

35
  • Conclusion
  • Be careful when using new software and files.
  • Be alert for virus activity.
  • Be calm when a virus attacks.
  • We will be fine!

36
Reference
  • http://www.cnn.com/2000/TECH/computing/10/23/virus.works.idg/
  • http://www.itsd.gov.hk/itsd/virus/general/whatis.htm
  • http://www.infoplease.com/spot/virustime1.html
  • http://www.itsd.gov.hk/itsd/virus/general/type.htm
  • http://www.itsd.gov.hk/itsd/virus/hoax/hoax.htm
  • http://www.cai.com/virusinfo/faq.htm#how_virus
  • http://www.europe.f-secure.com/v-descs/cih.shtml
  • http://www.stiller.com/cih.htm
  • http://www.webopedia.com/TERM/M/macro_virus.html
  • http://office.microsoft.com/Assistance/9798/whtsvrus.aspx
  • http://support.microsoft.com/default.aspx?scid=kb;ZH-CN;q181079
  • http://securityresponse.symantec.com/avcenter/venc/data/macro.viruses.html
  • http://office.microsoft.com/Assistance/9798/o97mcrod.aspx
  • http://www.data-fellows.com/v-descs/love.shtml
  • http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
  • http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/virus/vbslvltr.asp
37
Reference
  • http://www.cai.com/virusinfo/faq.htm
  • http://www.itsd.gov.hk/itsd/virus/general/detectvirus.htm
  • http://www.itsd.gov.hk/itsd/virus/general/cleanvirus.htm
  • http://www.itsd.gov.hk/itsd/virus/guide/guide.htm
  • http://kb.indiana.edu/data/aehm.html