Boot Sector Virus - PowerPoint PPT Presentation

Provided by: macni
Transcript and Presenter's Notes

1
Boot Sector Virus
  • Feat. General Virus Information

2
Boot Sector Virus
  • Gain Control of System
  • Replace Bootstrap Code With Viral Code
  • Hard Disks
  • Floppy Disks

3
Code Action, Camouflage Technique
  • Viruses disguise themselves from antivirus and
    other security devices using a host of complex
    techniques
  • Stealth. Viruses that use this technique hide the
    normal characteristics that would indicate their
    presence.
  • For example, the size of the file will normally
    increase when it is infected. However, by only
    inserting code in free file sections, this type
    of virus tricks the system by making it seem that
    the file size has not changed.
  • When a file is modified, the date and time of
    the change are normally recorded. However, when
    these viruses infect a file, they do not make
    such changes, and the file's date and time
    information remains as it was before the
    infection.
  • To avoid suspicion, stealth viruses will hide
    some files and change their attributes so that
    they cannot be viewed.
  • Tunneling. The 'tunneling' technique is quite
    complicated: these viruses try to avoid
    detection by the antivirus software by directly
    intercepting the interrupt handlers of the
    operating system, effectively 'burying'
    themselves under the detection software.

4
also
  • Armoring. Viruses that use the 'armoring'
    techniques disguise their code so that it cannot
    be read. To detect armored code, antivirus must
    use heuristic scanning techniques.
  • Self-Encrypting. Antivirus programs search for
    certain tell-tale signs of virus activity such as
    groups of characters or instructions. These
    viruses encode or encrypt their code to make it
    more difficult for the antivirus program to
    detect them. However, modern antivirus solutions
    use algorithms to detect the encryption routine
    of these viruses.
  • Polymorphism. Polymorphic viruses encrypt their
    code in a different way with each infection
    (their signature changes from one infection to
    the next). They take encryption one step further
    by also encrypting the way (routine or algorithm)
    in which their signature is encrypted. This means
    that a polymorphic virus is capable of creating
    different variants of itself from one infection
    to the next, changing its 'shape' with each
    infection.
  • Fortunately, the virus cannot completely encrypt
    itself, as it needs to keep part of its original
    code unencrypted to be able to run. Antivirus
    programs can detect polymorphic viruses by
    locating the routine or algorithm that allows the
    virus to execute.

5
Anti-Virus Technique
  • Identifying Virus Signature
  • Unique Code
  • Anti-Virus Software Searches For Specific Virus
    Code
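An added example, not from the original slides, covering this slide and the self-encrypting and polymorphism bullets before it: a byte-signature scanner with wildcard support. The sample data is constructed and inert (a marker "stub" with one variable key byte, followed by a placeholder body XORed with that key); all names are assumptions.

```python
from typing import List, Optional

Pattern = List[Optional[int]]   # None stands for a wildcard byte


def parse_pattern(text: str) -> Pattern:
    """Turn 'B0 ?? 30' into [0xB0, None, 0x30]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(data: bytes, pattern: Pattern) -> int:
    """Return the first offset where the pattern matches, or -1."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


# Constructed, inert sample data (not real malware).
STUB_PREFIX = b"\x90STUB"            # fixed part that must stay readable
STUB_SUFFIX = b"\x90END"
BODY = b"inert placeholder body"     # the part that gets encoded


def make_sample(key: int) -> bytes:
    """Constructed 'file': header, stub holding the key, body XORed with key."""
    body = bytes(b ^ key for b in BODY)
    return b"header" + STUB_PREFIX + bytes([key]) + STUB_SUFFIX + body


# A signature taken from the plain body only matches the unencoded copy.
BODY_SIG: Pattern = list(BODY)
# A signature on the unencrypted stub, with the key byte wildcarded,
# matches every encoded copy.
STUB_SIG = parse_pattern("90 53 54 55 42 ?? 90 45 4E 44")

if __name__ == "__main__":
    for key in (0x00, 0x5A, 0xC3):
        sample = make_sample(key)
        print(hex(key), find_signature(sample, BODY_SIG),
              find_signature(sample, STUB_SIG))
```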

6
Recent Example
  • Chaos
  • The Chaos virus flags the disk as being full of
    bad sectors upon activation, though most of the
    supposed bad sectors are still readable.

7
Big Chris and Geeeeeeeeee

8
File sector virus
  • BY JAMES AND OMAR
  • (TEAM MAN LOVE)

9
FILE VIRUS
  • A computer virus that infects application files
    such as spreadsheets, computer games or
    accounting software

10
EMAIL VIRUS
  • E-mail is now the most common way that viruses
    are transmitted between computers. The most
    common mechanism is in the form of an attachment
    to the message. The attachment facility is
    normally used for emailing documents, images and
    so on. However, it is possible for attachments to
    contain programs which get run when the
    attachment is opened.

11
VIRUS REPLICATION
  • In order to replicate itself, a virus must be
    permitted to execute code and write to memory.
    For this reason, many viruses attach themselves
    to executable files that may be part of
    legitimate programs. If a user tries to start an
    infected program, the virus' code may be executed
    first. Viruses can be divided into two types, on
    the basis of their behavior when they get
    executed. Nonresident viruses immediately search
    for other hosts that can be infected, infect
    these targets, and finally transfer control to
    the application program they infected. Resident
    viruses do not search for hosts when they are
    started. Instead, a resident virus loads itself
    into memory on execution and transfers control to
    the host program. The virus stays active in the
    background and infects new hosts when those files
    are accessed by other programs or the operating
    system itself.

12
USE OF CHECKSUM
  • A checksum of a file can be formed by adding up
    all the instructions used within that file. This
    is then added to the file. When the file is about
    to be run the checksum is recalculated and if
    there is an error then it is assumed that the
    file could be infected and a warning is given.
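An added example, not from the original slides: the additive checksum described here next to a file-size check and a SHA-256 hash, run over constructed byte strings. It goes slightly beyond the slide by showing a case a plain sum misses (reordered bytes) and by keeping the baseline outside the file, since a checksum stored in the file can be recomputed by whatever modified it.

```python
import hashlib


def additive_checksum(data: bytes) -> int:
    """Slide-style checksum: sum of all byte values, kept to 32 bits."""
    return sum(data) & 0xFFFFFFFF


def baseline(data: bytes) -> dict:
    """Record size, additive checksum and SHA-256 for later comparison.
    Store this record away from the file it describes."""
    return {"size": len(data),
            "sum": additive_checksum(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def compare(data: bytes, ref: dict) -> dict:
    """For each check, True means it noticed a difference from the baseline."""
    now = baseline(data)
    return {name: now[name] != ref[name] for name in ref}


# Constructed samples (placeholder bytes, not real programs).
ORIGINAL = b"PROGRAM" + bytes(16) + b"END"        # 16 unused zero bytes
# Same length, the unused section filled in: size check sees nothing.
FILLED = b"PROGRAM" + b"\x01" * 16 + b"END"
# Two bytes swapped: same length and same byte sum.
REORDERED = b"RPOGRAM" + bytes(16) + b"END"

if __name__ == "__main__":
    ref = baseline(ORIGINAL)
    for name, data in (("original", ORIGINAL), ("filled", FILLED),
                       ("reordered", REORDERED)):
        print(name, compare(data, ref))
```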

13
RECENT VIRUS
  • Storm Worm Botnet Computer Virus
  • The FBI issued a warning today about e-mails that
    purport to link readers to an article about the
    "FBI Verses Facebook". The FBI Agent says the
    link is a virus, part of the Storm Worm botnet (a
    collection of compromised computers under the
    remote control of a criminal) that can make
    readers vulnerable to identity theft -- and make
    government computers vulnerable to national
    security threats.
  • Spammers spreading this virus are preying on
    Internet users and making their computers an
    unwitting part of criminal botnet activity. The
    FBI Agent urges net-citizens to help prevent the
    spread of botnets by becoming Web-savvy and
    making sure their computers are not compromised.
  • The warning was issued by the FBI's Internet
    Crime Complaint Center, which focuses on cyber
    crime.

14
THE END
  • BYE BYE WE DONT MISS YOU

15
Macro Viruses
A macro virus is a virus that is written in a macro
language. Macro viruses are the most common type of
virus. They are built into software applications
such as word processors, so that the programme
runs automatically when the document is opened.
This makes them easy to spread, as they can be
embedded into emails.

16
TROJAN HORSE VIRUS
  • BY AMANBER, MURDO, IRFAN ADEEL

17
Trojan Horse
  • A Trojan horse, also known as a Trojan, is
    malware that appears to perform a desirable
    function but in fact performs undisclosed
    malicious functions. Therefore, a computer worm
    or virus may be a Trojan horse. The term is
    derived from the classical story of the Trojan
    Horse.
  • The author claims it is a free waterfall screen
    saver. When run, it instead unloads hidden
    programs, commands, scripts, or any number of
    commands without the user's knowledge or consent.
    Malicious Trojan Horse programs are used to
    circumvent protection systems in effect creating
    a vulnerable system to allow unauthorized access
    to the user's computer.

18
Trojan Dropper
  • Discovered: February 2, 2000
  • Updated: February 13, 2007 11:57:55 AM
  • Also Known As: Virus.Dropper, Trojan dropper
  • Type: Trojan Horse
  • Systems Affected: Windows 2000, Windows 95,
    Windows 98, Windows Me, Windows NT, Windows
    Server 2003, Windows XP
  • Trojan.Dropper is a Trojan horse that drops
    Trojan horses or back door Trojans onto
    compromised computers.
  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy
  • Damage
  • Damage Level: Low
  • Distribution
  • Distribution Level: Low

19
Watching
  • Other viruses can wait until a particular event
    happens before they attach themselves to a
    program or file.
  • Usually some action or condition has to be met
    before the virus will attach itself.

20
Heuristic Detection
  • Heuristic detection describes the technique of
    approaching a problem through previous
    experience. The technique is used to find unknown
    viruses that have not yet been identified by
    their signatures by looking for characteristics
    in a file that have previously been associated
    with a known virus.

21
THE END

22
Worm
  • By Rebecca Liam

23
What is a worm?
  • A worm is a program or algorithm that usually
    performs actions, such as using the computer's
    resources and possibly shutting the system down.
  • Worms only become noticeable once their
    replication consumes the memory to the extent
    that the system slows down or is unable to carry
    out particular tasks.
  • Worms tend to use the parts of the computer's
    operating system that are not seen by the user
    until it's too late.

24
Delivery
  • Infected disks brought in from the outside used
    to be the main source of viruses until e-mail
    provided the ideal delivery vehicle. Downloads
    from peer-to-peer sites are another common
    source.
  • Once delivered, the virus will wait for the
    trigger to wreak its havoc; it can also attach
    itself to executable programs.
  • For example, emails

25
Memory Resident Monitoring
  • Programs are divided into memory-resident and
    non-resident ones.
  • A memory-resident program leaves its data in RAM
    after it has finished, and the operating system
    allocates memory for this program's operations.
  • After that, the memory-resident program operates
    in parallel with other programs.

26
Memory Resident Monitoring
  • A non-resident program does not leave its code
    in memory after its termination, and the memory
    is then cleared.
  • Some anti-virus software can be memory resident.
  • This means it can check any program that runs in
    RAM when the computer is switched on.
  • The downside of this type of anti-virus software
    is that it takes up RAM, which can slow down the
    usual functions of the computer.

27
Up-to-date virus
  • This worm is called Stration
  • Also known as W32.Stration@mm,
    W32/Spamta.A.worm, W32/Stration, WORM_STRATION.A,
    Email-Worm.Win32.Warezov.a
  • It spreads via email subject line and messages